OFFICIAL MICROSOFT LEARNING PRODUCT

6421A
Lab Instructions and Answer Key:
Configuring and Troubleshooting a
Windows Server® 2008 Network
Infrastructure
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, ActiveX, BitLocker, ESP, Hyper-V, Internet Explorer, MS-DOS,
Outlook, PowerPoint, SharePoint, SQL Server, Windows, Windows Server and Windows Vista are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.

All other trademarks are property of their respective owners.

Technical Reviewer: Stan Reimer

Product Number: 6421A

Part Number: X14-69052

Released: 05/2008
 Lab Instructions: Installing and Configuring Servers 1

Module 1
Lab Instructions: Installing and Configuring
Servers
Contents:
Exercise 1: Identifying Server Types 4
Exercise 2: Installing and Configuring Server Roles
and Features 5
Exercise 3: Configuring Server Core and Performing
Basic Management Tasks 8
2 Lab Instructions: Installing and Configuring Servers

Lab: Installing and Configuring Servers and

Server Roles

Objectives
After completing this lab, you will be able to:
• Describe the appropriate server type needed for a usage scenario
• Install and configure server roles and features
• Configure Server Core and perform basic management tasks
 Lab Instructions: Installing and Configuring Servers 3

Scenario
You must install two new servers for your corporate infrastructure in the
WoodgroveBank.com domain. The new servers are needed to increase DNS name-
resolution services for a newly acquired company, Contoso.com, and to provide
Terminal Services for some line-of-business applications that will be available to
employees from their desktop computers and from their homes after hours. You
also need to install backup capacity for the Terminal Services server in case it is
necessary for disaster recovery purposes.
For security purposes, the DNS service should be available on only one of the new
servers and will be administered completely through remote management tools
after initial configuration. You need to ensure that the firewall configuration on the
DNS server is correct for the ports required to respond to DNS name-resolution
requests and for remote administration.
4 Lab Instructions: Installing and Configuring Servers

Exercise 1: Identifying Server Types

Exercise Overview
In this exercise, you will analyze the scenario and answer the following questions
related to a possible server type and role deployment.

Question: After reading the scenario, which installation type, Core or Standard,
would be suitable for Terminal Services? Why?

Question: Would the Core installation be suitable for the DNS server? If so, are
there any shortcomings to configuring the server to host this role?

Question: What benefits would you realize by using the Core installation option
for the DNS server role?

Question: What roles and features are needed on the servers to meet the given
scenario’s requirements?
 Lab Instructions: Installing and Configuring Servers 5

Exercise 2: Installing and Configuring Server Roles and

Features
In this exercise, you will install the Terminal Services role and Server Backup
feature by using the Server Manager administrative tool.
The main tasks are as follows:
1. Start the virtual machines, and log on.
2. Ensure that you have completed the steps in the Lab Setup.
3. Start the Server Manager console.
4. From Server Manager, install the Terminal Services role.
5. View the installation results.
6. Install the Server Backup feature from the Server Manager console.
7. Verify the Terminal Services and Windows Server Backup tools are installed.

f Task 1: Start the virtual machines, and log on

1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Start the Server Manager console

• On NYC-SVR1, start the Server Manager console.
6 Lab Instructions: Installing and Configuring Servers

f Task 3: From Server Manager, install the Terminal Services role

1. Install the Terminal Services role using the following options:
• Server Roles: Terminal Services
• Role Services: Terminal Server
• Authentication method: Do not require Network Level Authentication
• Licensing Mode: Configure later
• User Groups: Administrators
2. Restart as required.

f Task 4: View the Installation Results

1. Log on to NYC-SVR1 with the user name Woodgrovebank\administrator
and the password Pa$$w0rd.
Upon successful logon, Server Manager opens, and the Terminal Services
configuration resumes.
2. Once complete, Installation succeeded appears in the details pane. Click
Close to exit the Installation Results page. Do not close Server Manager.

f Task 5: Install the Server Backup feature from the Server Manager
console
1. In the Server Manager list pane, right-click Features, and then click Add
Features. The Add Features Wizard appears.
2. Install the Windows Server Backup Features option.
3. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close. Do not close Server Manager.
The Windows Server Backup feature is installed.
 Lab Instructions: Installing and Configuring Servers 7

f Task 6: Verify the Terminal Services and Windows Server Backup tools
are installed
1. In the list pane of Server Manager, verify that Server Manager (NYC-SVR1) is
selected.
2. Using the scroll bar in the details pane, scroll down until the Roles Summary
is visible, and verify that Terminal Services is listed.
3. Scroll down to Features Summary, and verify that Windows Server Backup
appears.
4. Close Server Manager.
8 Lab Instructions: Installing and Configuring Servers

Exercise 3: Configuring Server Core and Performing Basic

Management Tasks
In this exercise, you will configure a Core installation of Windows Server 2008 and
install the DNS server role using command-line tools. You then will connect to the
Core server from a remote Windows Server 2008 computer using a custom MMC
to configure the DNS server role.
The 6421A-NYC-DC1 and 6421A-NYC-SVR1 virtual machines must be running to
complete the exercise. Be sure to start the virtual machines prior to beginning this
exercise.
The main tasks are as follows:
1. Start the 6421A-NYC-SVR2 virtual machine.
2. Log on to the Server Core installation.
3. Use command-line tools to set parameters in the Server Core virtual machine.
4. Connect the server to the WoodgroveBank.com domain.
5. Log on to the Server Core installation.
6. Verify the firewall configuration.
7. Use the netsh command to open ports.
8. View the current status of roles, and install the DNS server role.
9. Manage the server by using DNS Manager from a remote computer.
10. Close all virtual machines, and delete the changes.

f Task 1: Start the 6421A-NYC-SVR2 virtual machine

1. Restore the Lab Launcher window.
2. In the Lab Launcher, next to 6421A-NYC-SVR2, click Launch.
3. Minimize the Lab Launcher window.

f Task 2: Log on to the Server Core installation

• Log on to NYC-SVR2 as Administrator with a password of Pa$$w0rd.
 Lab Instructions: Installing and Configuring Servers 9

f Task 3: Use command line tools to set parameters in the Server Core
virtual machine
• Computername=NYC-DNSSVR2
• IP address=10.10.0.12
• Mask=255.255.0
• Gateway=10.10.0.1
• DNS=10.10.0.10
1. To determine the current default assigned computer name, type set in the
command window.
2. Locate the computer name attribute, and write it down.
3. To change the computer name, type the following command, and then press
ENTER:
Netdom renamecomputer NYC-SVR2 /NewName:NYC-DNSSVR2
4. When prompted, type y for yes, and then press ENTER.
5. In the command window, type the following command to set the static IP
address: Netsh interface ipv4 set address name= “local area connection”
source=static address=10.10.0.12 mask=255.255.0.0 gateway=10.10.0.1
and then press ENTER.
6. In the command window, type the following command to set the primary DNS
server, and then press ENTER:
Netsh interface ip set dns “local area connection” static 10.10.0.10 primary
7. At the command prompt, type ipconfig /all and then press ENTER to verify
the IP address assignment.
8. On the keyboard, press RIGHT-ALT+DELETE.
9. Choose to restart the computer by clicking Shutdown options in the lower
right-hand pane of the window, and then click Restart.
10. In the Shutdown Event Tracker window, click Operating System:
Reconfiguration (Planned), and then click OK. The server restarts.
11. Log on to the server with the user name Administrator and a password of
Pa$$w0rd.
10 Lab Instructions: Installing and Configuring Servers

f Task 4: Connect the server to the WoodgroveBank.com domain

1. In the command window type the following command, and then press
ENTER.
netdom join NYC-DNSSVR2 /domain:WoodgroveBank.com
/Userd:Administrator /passwordD:*
2. At the command prompt, type the following command, and then press
ENTER:
Pa$$w0rd

Note: Your keystrokes will not be reflected on the screen. You will receive a message
that the command completed successfully and that the computer needs to be
restarted.

3. At the command prompt, press RIGHT-ALT+DELETE, click the Shut down

options icon, and then click Restart. The Shut Down Windows dialog box
appears.
4. In the Option box of the Shut Down Windows dialog box, click Operating
System: Reconfiguration (Planned), and then click OK.

f Task 5: Log on to the Server Core installation

• Log on to the server with the user name Administrator and a password of
Pa$$w0rd.

f Task 6: Verify the firewall configuration

• Use the netsh command to view the current firewall configuration. Type the
following command in the command window, and then press ENTER:
Netsh firewall show state

Note: Notice that the Firewall status shows that the Operational mode is set to
Enable This means that the Windows Firewall is enabled but no specific ports have
been opened.
 Lab Instructions: Installing and Configuring Servers 11

f Task 7: Use the Netsh command to open ports

1. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening ALL 53 DNS-server
2. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening TCP 135 remote-admin
3. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening UDP 137 netbios-ns
4. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening UDP 138 netbios-dgm
5. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening TCP 139 netbios-ssn
6. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening TCP 445 netbios-ns
7. At the command prompt, type the following command, and then press
ENTER:
netsh firewall show config

Note: Notice that in the Service configuration for Domain profile, File and Printer
Sharing and Remote Desktop services are set to enable, and both TCP and UDP port
53 are open for the DNS server.
12 Lab Instructions: Installing and Configuring Servers

f Task 8: View the current status of roles, and install the DNS server role
1. In the command prompt window, at the command prompt, type the following
command, and then press ENTER:
oclist

Note: Verify that no server roles are installed.

2. Use the Ocsetup.exe and oclist commands to install the DNS server. To do
this, type the following at the command prompt, and then press ENTER:
start /w ocsetup DNS-Server-Core-Role

Note: The server role name is case sensitive.

3. At the command prompt, type the following command, and then press
ENTER:
oclist

Note: Verify that the DNS-Server-Core-Role is installed.

 Lab Instructions: Installing and Configuring Servers 13

f Task 9: Manage the server by using DNS Manager from a remote

computer
1. On NYC-DC1, open the DNS Manager console.
2. From the DNS console, connect to NYC-DNSSVR2.
3. Use the DNS console to create a forward lookup zone for Contoso.com:
a. In the Console Root tree pane of the DNS Manager, expand
NYC-DNSSVR2, and then click Forward Lookup Zones.
b. Right-click Forward Lookup Zones, and then click New Zone.
c. Click Next in the Welcome to the New Zone wizard.
d. Click Next in the Zone Type dialog box, using the defaults to create a
Primary zone.
e. In the Zone Name window, type Contoso.com, and then click Next.
f. Click Next to accept the default name for the DNS zone file.
g. In the Dynamic Update window, click Next to accept the defaults.
h. In the Completing the New Zone Wizard dialog box, click Finish to
create the new zone.
i. Close the DNS Manager console.

f Task 10: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Configuring and Troubleshooting DNS 1

Module 2
Lab Instructions: Configuring and
Troubleshooting DNS
Contents:
Exercise 1: Configuring a DNS Infrastructure 3
Exercise 2: Monitoring and Troubleshooting DNS 6
2 Lab Instructions: Configuring and Troubleshooting DNS

Lab: Configuring and Verifying a DNS Solution

Objectives
• Configure a DNS Infrastructure to include a secondary zone, stub zone, and
secure zone transfers
• Monitor DNS
 Lab Instructions: Configuring and Troubleshooting DNS 3

Exercise 1: Configuring a DNS Infrastructure

Scenario
You are the primary DNS administrator for Woodgrove Bank. You have received a
request to create two new DNS zones. The Nwtraders.msft zone is for a division in
the bank that requires its own DNS domain. This division will also have a group of
administrators that administer the zone’s resource records. Contoso is a company
that Woodgrove Bank recently acquired. To begin integration testing, you must
define a DNS domain called contoso.msft and test different zone configurations.
You also need to test the zone to ensure it is resilient to failure.

Exercise Overview:
In this exercise, you will configure the DNS server role on a member server, and
configure the contoso.msft and nwtraders.msft zones. You then will create
secondary zones for each domain and create a stub zone for Nwtraders.msft.
The main tasks are as follows:
1. Start the virtual machines and log on.
2. Configure the DNS Server role on NYC-SVR1.
3. Configure the Contoso.msft zone on NYC-SVR1.
4. Configure the Nwtraders.msft zone on NYC-DC1.
5. Configure zone transfer security.
6. Configure secondary zones for each domain on NYC-SVR1 and NYC-DC1.
7. Configure a stub zone for Nwtraders.msft on NYC-SVR2.
8. Configure administrative options for the Nwtradters.msft domain.

f Task 1: Start the virtual machines, and log on

1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.
4 Lab Instructions: Configuring and Troubleshooting DNS

f Task 2: Configure the DNS Server role on NYC-SVR1

• On NYC-SVR1, in the Server Manager console, add the DNS Server role.

f Task 3: Configure the Contoso.msft zone on NYC-SVR1

1. On NYC-SVR1, open the DNS console (found in Administrative Tools).
2. Create a primary forward lookup zone named Contoso.msft.
3. Use the default options in the New Zone Wizard.

f Task 4: Configure the nwtraders.msft zone on NYC-DC1

1. On NYC-DC1, open the DNS console (found in Administrative Tools).
2. Create an Active Directory-integrated primary forward lookup zone named
nwtraders.msft.
3. Use the default options in the New Zone Wizard.

f Task 5: Configure zone transfers

1. On NYC-DC1 configure nwtraders.msft to allow zone transfers to NYC-SVR1:
• NYC-SVR1 IP address is 10.10.0.24.
2. On NYC-SVR1 configure contoso.msft to allow zone transfers to NYC-DC1.
• NYC-DC1 IP address is 10.10.0.10.
3. Answer the following question:

Question: Why do you need to configure zone transfers?

 Lab Instructions: Configuring and Troubleshooting DNS 5

f Task 6: Configure secondary zones for each domain

1. On NYC-DC1, use the DNS console to configure a secondary forward zone for
Contoso.msft:
• The address of the primary zone server for Contoso.msft is 10.10.0.24.
2. On NYC-SVR1, use the DNS console to configure a secondary forward zone
for nwtraders.msft:
• The address of the primary zone server for nwtraders.com is 10.10.0.10.

f Task 7: Configure a stub zone for WoodgroveBank.com

1. On NYC-SVR1, use the DNS console to configure a stub zone for
WoodgroveBank.com:
• The address of the primary zone server for WoodgroveBank.com is
10.10.0.10.
2. Click WoodgroveBank.com and take note of the records listed.
3. On NYC-DC1, in the DNS console, click WoodgroveBank.com, and verify that
there are additional records that are not included in a stub zone.
4. Answer the following question:

Question: Why use a stub zone instead of conditional forwarders?

f Task 8: Configure administrative options for the nwtradters.msft

domain
1. On NYC-DC1, use the DNS console to add the DL Nwtraders DNS Admins
group to the nwtraders.msft access control list.
2. Grant the Read, Write, Create all Child objects, and Delete all child objects
permissions to the DL Nwtraders DNS Admins group.
6 Lab Instructions: Configuring and Troubleshooting DNS

Exercise 2: Monitoring and Troubleshooting DNS

Scenario
Some users have complained that they are having trouble resolving domain names.
You have to analyze the DNS infrastructure to ensure that there are no problems.

Exercise Overview
In this exercise, you will perform several tests to ensure the DNS infrastructure is
working properly. You will use several DNS troubleshooting tools to validate DNS
configuration and responses.
The main tasks are as follows:
1. Test simple and recursive queries.
2. Verify SOA records by using Nslookup.
3. Use the Dnslint command to verify name server records.
4. View performance statistics by using the Performance console.
5. Verify DNS replication.
6. Close all virtual machines and discard undo disks.

f Task 1: Test simple and recursive queries

• On NYC-DC1, in the DNS console, use the DNS Server Monitoring function to
perform A simple query against this DNS Server.

f Task 2: Verify SOA records by using Nslookup

1. On NYC-DC1, open a command prompt, and type nslookup.exe.
2. Configure a query type of SOA (Start of Authority).
3. Look up the SOA resource records for nwtraders.msft and contoso.msft.
 Lab Instructions: Configuring and Troubleshooting DNS 7

f Task 3: Use the Dnslint command to verify name server records

1. On NYC-DC1, open a command prompt, and run the dnslint.exe command
for the nwtraders.msft domain on the 10.10.0.10 IP address:
• The dnslint.exe file is located in d:\Labfiles\dnslint.
2. Generate a Dnslint report html file:
• The /s switch specifies that Dnslint will not refer to the Internet for the
specified domain.
• The /d switch specifies the domain to be searched.

Note: Consult the Help documentation if you need guidance.

f Task 4: View performance statistics by using the Performance console

1. On NYC-DC1, use the Computer Management console to open Performance
Monitor.
2. Add the A simple query against this DNS Server and A recursive query
against this DNS Server DNS counters.
3. Use the Monitoring feature in the DNS Server properties to generate requests
to the DNS server.
4. Review the data that the requests generate in Performance Monitor. Alternate
between the graph and report views.
8 Lab Instructions: Configuring and Troubleshooting DNS

f Task 5: Verify DNS replication

1. On NYC-DC1, use the DNS console to add an A resource record called Test to
the nwtraders.msft zone. Use the IP address of 10.10.0.15.
2. Verify that the A resource record created on NYC-DC1 has replicated on NYC-
SVR1.
3. If the A resource record does not appear, manually force replication to occur.

f Task 6: Close all virtual machines and discard undo disks

Note: Do not turn off the virtual machines until you have completed the Lab Review
questions.

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Configuring and Managing WINS 1

Module 3
Lab Instructions: Configuring and Managing
WINS
Contents:
Exercise 1: Installing WINS 4
Exercise 2: Configuring WINS Burst Handling 6
Exercise 3: Configuring WINS Replication 8
Exercise 4: Migrating from WINS to DNS 9
2 Lab Instructions: Configuring and Managing WINS

Lab: Configuring a WINS Infrastructure

Objectives
• Install WINS
• Configure WINS burst handling
• Configure WINS replication
• Migrate from WINS to DNS

Scenario
You are tasked with installing a second WINS server for the Woodgrovebank
domain for fault tolerance and use as a secondary WINS server resolver for domain
clients. The database consistency and convergence speed are of the utmost
importance. Replication must be set up to make sure records replicate on change
vector or time vector, whichever happens to occur first.
 Lab Instructions: Configuring and Managing WINS 3

After successfully implementing the secondary WINS server, management

wants you to test the new GlobalNames zone use in Windows Server 2008 DNS
to help retire WINS servers that the Woodgrovebank domain uses. IT staff are
finding the task of maintaining the domain name suffix-search list difficult, and
Woodgrovebank domains still use single-label names for internal web server
names. Install and verify that this new option in DNS will help in decommissioning
the existing WINS servers.
4 Lab Instructions: Configuring and Managing WINS

Exercise 1: Installing WINS

Exercise Overview:
In this exercise, you will install the WINS feature on 6421A-NYC-SVR1.
The main tasks are as follows:
1. Start the virtual machines, and log on.
2. Open the Server Manager console.
3. Install the WINS feature.

f Task 1: Start the virtual machines, and log on

1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: On 6421A-NYC-SVR1, launch the Server Manager console

1. Open Administrative Tools.
2. Launch Server Manager.

Result: The Server Manager console opens.

 Lab Instructions: Configuring and Managing WINS 5

f Task 3: From the Server Manager console, install the WINS feature
1. In Server Manager, use the Add Features Wizard to install the WINS feature
on 6421A-NYC-SVR1.
2. On the Installation Results page, verify that the installation succeeded before
closing the wizard.

Result: The WINS feature is installed on 6421A-NYC-SVR1.

Important: Do not log off or shut down the virtual machines at this point.
6 Lab Instructions: Configuring and Managing WINS

Exercise 2: Configuring WINS Burst Handling

Exercise Overview:
In this exercise, you will configure burst handling, create a static record, configure
scavenging intervals, and configure clients to use the WINS servers for NetBIOS
resolution.
The main tasks are as follows:
1. Configure the WINS server for burst handling.
2. Create a static entry in the WINS database.
3. Configure scavenging on the WINS server.
4. Configure NYC-DC1 to use the WINS server for NetBIOS resolution.
5. Test NetBIOS name resolution.

f Task 1: Configure the WINS server for burst handling

1. On NYC-SVR1, start the WINS console.
2. Configure Burst Handling with the option of Low.

f Task 2: Create a static entry in the WINS database

1. In the WINS console, create a New Static Mapping with the following
properties:
• Computer name of HRWEB
• IP address of 10.10.0.10
2. Use Active Registrations to verify the new static entry exists.

Note: Do not close the WINS console.

 Lab Instructions: Configuring and Managing WINS 7

f Task 3: Configure scavenging on the WINS server to take place once

every seven days
• In the WINS Properties dialog box for NYC-SVR1, use the Intervals tab to set
the Extinction timeout value to 7 Days.

f Task 4: Configure 6421A-NYC-DC1 to use the WINS server for

NetBIOS resolution
1. On NYC-DC1, open Network Connections and open the properties of the
Local Area Connection.
2. In the Local Area Connection Properties dialog box, under This Connection
Uses the Following Items, open the properties of TCP/IPv4.
3. Click Advanced and configure the computer to use the WINS server (IP
address of 10.10.0.24).

f Task 5: Test the NetBIOS name resolution capabilities

• On NYC-DC1, in a command window, type ping hrweb.
The name resolution should be successful and resolve to 10.10.0.10.
8 Lab Instructions: Configuring and Managing WINS

Exercise 3: Configuring WINS Replication

Exercise Overview:
In this exercise, you will configure the WINS feature on 6421A-NYC-SVR1 and
6421A-NYC-DC1 to be push/pull replication partners to maintain consistency of
WINS records.
The main tasks are as follows:
1. Configure push and pull replication on NYC-DC1.
2. Configure push and pull replication on NYC-SVR1.
3. Verify replication.

f Task 1: Configure push and pull replication on NYC-DC1

1. Open WINS from the Administrative Tools menu.
2. In the WINS Administrative Tool window, use Replication Partners to select
a new replication partner with the IP address of 10.10.0.24.
The Replication Partners details pane lists NYC-SVR1 as a Push/Pull partner.

f Task 2: Configure push and pull replication on NYC-SVR1

1. Open WINS from the Administrative Tools menu.
2. In the WINS Administrative Tool window, use Replication Partners to select
a new replication partner with the IP address of 10.10.0.10.
The Replication Partners details pane lists NYC-DC1 as a Push/Pull partner.

f Task 3: Verify replication

1. On NYC-SVR1, force replication, and then verify that records appear from both
10.10.0.10 and 10.10.0.24 as owners.
2. On NYC-DC1, force replication, and then verify that records appear from both
10.10.0.10 and 10.10.0.24 as owners.
 Lab Instructions: Configuring and Managing WINS 9

Exercise 4: Migrating from WINS to DNS

Exercise Overview:
In this exercise, you will migrate single-label name resolution from WINS to the
GlobalNames zone in DNS.
The main tasks are as follows:
1. Create a GlobalNames zone, and enable GNZ functionality.
2. Create an Alias record for a single-label name resource.
3. Decommission WINS.
4. Verify GlobalNames single-label name resolution.
5. Close all virtual machines, and discard undo disks.

f Task 1: Create a GlobalNames zone, and enable GNZ functionality

1. On NYC-DC1, open the DNS console from the Administrative Tools menu.
2. Create a new forward lookup zone with a name of GlobalNames, a replication
scope that is forest wide and do not allow dynamic updates.
3. Open an administrative command prompt.
4. Type Dnscmd NYC-DC1 /config /Enableglobalnamessupport 1 and then
press ENTER.

f Task 2: Create the Alias record for the single-label name resource
1. In the DNS Manager console, create a New Alias (CNAME) record in the
GlobalNames forward lookup zone with an alias name of HRWEB and a
FQDN of NYC-DC1.Woodgrovebank.com.
2. Close the DNS Manager console.
10 Lab Instructions: Configuring and Managing WINS

f Task 3: Decommission WINS on NYC-DC1 and NYC-SVR1

1. On both NYC-DC1 and NYC-SVR1, launch the Server Manager console from
the Administrative Tools menu.
2. Remove the WINS feature from both NYC-DC1 and NYC-SVR1. Restart as
necessary.

f Task 4: Verify GlobalNames single-label name resolution

1. Log on to NYC-DC1 as administrator with the password Pa$$w0rd.
2. Log on to NYC-SVR1 as administrator with the password Pa$$w0rd.
3. Complete the WINS removal as required on both servers.
4. On NYC-DC1, open a command prompt, and then type ping hrweb.
The ping command is successful and resolves to nyc-dc1.woodgrovebank.com.

f Task 5: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Configuring and Troubleshooting DHCP 1

Module 4
Lab Instructions: Configuring and
Troubleshooting DHCP
Contents:
Exercise 1: Installing and Authorizing the DHCP Server Role 3
Exercise 2: Configuring a DHCP Scope 5
Exercise 3: Troubleshooting Common DHCP Issues 7
2 Lab Instructions: Configuring and Troubleshooting DHCP

Lab: Configuring and Troubleshooting the

DHCP Server Role
 Lab Instructions: Configuring and Troubleshooting DHCP 3

Exercise 1: Installing and Authorizing the DHCP Server Role

Scenario
You are the Network Administrator at Woodgrove Bank, which recently opened a
new division that needs a DHCP service configured for approximately 200 clients.
You must configure a DHCP server for the new division.

Exercise Overview
In this exercise, you will install the DHCP role and then authorize the server in the
woodgrovebank.com domain.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1 and 6421A-NYC-CL1 Virtual Machines, and log on
as Administrator.
2. Configure the DHCP Server role on NYC-DC1.
3. Authorize the DHCP Server role on NYC-DC1.

f Task 1: Start the 6421A-NYC-DC1 and 6421A-NYC-CL1 Virtual

Machines, and log on as Administrator
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.
4 Lab Instructions: Configuring and Troubleshooting DHCP

f Task 2: Configure the DHCP Server Role on NYC-DC1

• On NYC-DC1, use Server Manager to add the DHCP Server role:
• Bind the DHCP service to the IP: 10.10.0.10.
• Use default values for all steps except Disable DHCPv6 for Applications
on this network.
• Make sure to Skip Authorization of this DHCP server in AD DS.

f Task 3: Authorize the DHCP Server Role on NYC-DC1

• On NYC-DC1, use the DHCP console to authorize the NYC-
DC1.woodgrovebank.com DHCP server.
 Lab Instructions: Configuring and Troubleshooting DHCP 5

Exercise 2: Configuring a DHCP Scope

Scenario
You need to configure a DHCP scope for approximately 200 clients. The scope
must provide information concerning the DNS server and the default gateway as
part of the information that clients receive when they request a DHCP address.

Exercise Overview
In this exercise, you will configure a new DHCP scope, activate the scope, and
configure scope options so that clients receive the correct information when they
lease an IP address.
The main tasks are as follows:
1. Configure a DHCP scope.
2. Configure DHCP scope options.
3. Test the scope using a client workstation.

f Task 1: Configure a DHCP scope

1. On NYC-DC1, use the Server Manager console to create a new DHCP IPv4
scope:
• Name of the scope: Head Office Network Scope
• The IP address range for the scope: 10.10.0.1 - 10.10.0.254 using a
subnet mask of 255.255.0.0
• An exclusions range of 10.10.0.1 - 10.10.0.30 should be added for servers
and other devices that use a static IP address
• Lease duration of one hour
• Do not configure any additional scope options
6 Lab Instructions: Configuring and Troubleshooting DHCP

2. On NYC-CL1, set the Local Area Connection properties for DHCP

configuration on IPv4 properties for both IP address and DNS resolver
configuration. Restart NYC-CL1 and then log on as Administrator with the
password of Pa$$w0rd.
3. Make sure the client computer can obtain an IP address. Verify that the client
is configured with a default gateway.

Question: Why does the DHCP-configured Local Area Connection not have a
default gateway?

f Task 2: Configure DHCP scope options

• On NYC-DC1, use the DHCP console to configure the 003 Router DHCP
scope option to point to 10.10.0.1.

Note: Make sure to configure the scope options and not the server options.

f Task 3: Test the scope using a client workstation

• On NYC-CL1, use the command prompt and the ipconfig utility to test
whether the client is able to obtain an IP address and a default gateway, as the
previous task specifies.
 Lab Instructions: Configuring and Troubleshooting DHCP 7

Exercise 3: Troubleshooting Common DHCP Issues

Scenario
The DHCP server now is configured. To ensure minimal downtime, your
department has requested that the DHCP administration team troubleshoot several
potential configuration problem scenarios.

Exercise Overview
You will run a script that will configure the DHCP server so that it will not work
properly. Using the available information, you then will fix the configuration
problems that the script caused.
The main tasks are as follows:
1. Verify DHCP lease information.
2. Modify DHCP Server configuration using scripts to simulate configuration
issues.
3. Check the client’s ability to lease an IP address.
4. Determine why the DHCP server is not allocating IP addresses.
5. Identify information that has been changed.
6. Configure the DHCP server with the correct router information.
7. Configure the DHCP server with the correct DNS server information.
8. Configure the DHCP with the proper lease period.
9. Verify the information being leased to the client.
10. Close all virtual machines and discard undo disks.

f Task 1: Verify DHCP lease information

• On NYC-CL1, verify lease information, and note the following settings:
• IPv4 Address
• Subnet Mask
• Default Gateway
• Lease Duration
8 Lab Instructions: Configuring and Troubleshooting DHCP

f Task 2: Modify DHCP Server configuration using scripts to simulate

configuration issues
• At a command prompt, run the D:\Labfiles\Module4\DHCP.vbs script.

f Task 3: Check the client’s ability to lease an IP address

• On NYC-CL1, use ipconfig to determine the most critical issue affecting the
DHCP server.

f Task 4: Determine why the DHCP server is not allocating IP addresses

• On NYC-DC1, determine if the DHCP scope is activated.

f Task5: Identify information that has changed

• On NYC-CL1, identify the information that has changed. Compare settings to
those noted before running the DHCP.VBS script.

f Task 6: Configure the DHCP server with the correct router information
• On NYC-DC1, verify the router information configured in the scope options.

f Task 7: Configure the DHCP server with the correct DNS server
information
• On NYC-DC1, verify the DNS server information configured in the scope
options.

f Task 8: Configure the DHCP with the proper lease period

• On NYC-DC1, check that the lease period configured in the scope properties is
correct.
 Lab Instructions: Configuring and Troubleshooting DHCP 9

f Task 9: Verify the information being leased to the client

• On NYC-CL1, use ipconfig to ensure that the client is configured as it was
before running the DHCP.VBS script.

f Task 10: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP 1

Module 5
Lab Instructions: Configuring and
Troubleshooting IPv6 TCP/IP
Contents:
Lab A: Configuring an ISATAP Router
Exercise 1: Configuring a New IPv6 Network and Client 4
Exercise 2: Configuring an ISATAP Router to
Enable Communications Between an IPv4 Network and an
IPv6 Network 7
Lab B: Converting the Network
Exercise 1: Transitioning to an IPv6-Only Network 10
2 Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP

Lab A: Configuring an ISATAP Router

Objectives
• Configure a new IPv6 network and client
• Configure an ISATAP router to enable communications between the IPv4
network and the IPv6 network
 Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP 3

Before you begin:

To be able to simulate multiple networks, you must configure the following before
starting the virtual machines:
1. On the host machine, open the Virtual Server Administration Web site.
2. In the left pane, under Virtual Networks, click Add. In the details pane, next to
Existing configuration (.vnc) file, type the following: C:\Program Files
\Microsoft Learning\6421\Drives\6421A-NYC-VN2_IPv6, and then click
Add again.
3. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-SVR1.
4. Under “6421A-NYC-SVR1” Configuration, click Network adapters.
5. Under Virtual network adapter 2, click the drop-down arrow, select 6421A-
NYC-VN2_IPv6, and then click OK.
6. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-CL1.
7. Under “6421A-NYC-CL1” Configuration, click Network adapters.
8. Under Virtual network adapter 1, click the drop-down arrow, select 6421A-
NYC-VN2_IPv6, and then click OK.

Logon Information
For this lab, you will log on to the 6421A-NYC-DC1, 6421A-NYC-SVR1, and
6421A-NYC-CL1 virtual machines using the following information:
• User Name: Administrator
• Password: Pa$$w0rd
4 Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP

Exercise 1: Configuring a New IPv6 Network and Client

Scenario
You must design and implement an IPv6 network. For your initial proof of
concept, you must deploy only one client.

Exercise Overview
In this exercise, you will prepare the current environment to work with IPv6, and
deploy an IPv6 client and IPv6 subnet.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual
machines.
2. Configure IPv4 routing.
3. Enable IP Routing on NYC-SVR1 and confirm IPv4 Connectivity.
4. Disable IPv6 on NYC-DC1.
5. Disable IPv4 on NYC-CL1.
6. Check the IP configuration on NYC-CL1, and ensure that it is not configured
with an IPv4 IP address.
7. Configure an IPv6 router advertisement for the global address
2001:db8:0:1::/64 network on NYC-SVR1.
8. Check the IP configuration on NYC-CL1 to ensure it is configured with an IPv6
global address in the 2001:db8:0:1::/64 network.
 Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP 5

f Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-

CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

f Task 2: Configure IPv4 routing

1. On NYC-CL1, in the Network Connections window, configure the following:
• IP Address: 192.168.1.20
• Subnet Mask: 255.255.255.0
• Default Gateway: 192.168.1.10
2. On NYC-DC1, in the Network Connections window, configure the following:
• Default Gateway: 10.10.0.24

f Task 3: Enable IP Routing on NYC-SVR1, and confirm IPv4 connectivity

1. On NYC-SVR1, use the Registry Editor (Regedit.exe) to configure the
following:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Tcpip\Parameters
• IPEnableRouter=1
2. Restart NYC-SVR1, and log on as Administrator with the password
Pa$$w0rd.
3. On NYC-CL1, use the ping command for NYC-DC1 to verify connectivity.
4. On NYC-DC1, use the ping command for 192.168.1.20 to verify connectivity.
6 Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP

Note: At this point, only IPv4 traffic is routed through the IPv4 routing
infrastructure.

f Task 4: Disable IPv6 on NYC-DC1

• On NYC-DC1, in the Network Connections window, disable IPv6
connectivity.

f Task 5: Disable IPv4 on NYC-CL1

• On NYC-CL1, in the Network Connections window, disable IPv4
connectivity.

f Task 6: Check the IP configuration on NYC-CL1, and ensure that it is

not configured with an IPv4 IP address
• Validate that the IP address on NYC-CL1 is a valid link-local IP address that
starts with fe80.

f Task 7: Configure an IPv6 router advertisement for the global address

2001:db8:0:1::/64 network on NYC-SVR1
1. On NYC-SVR1, using the command line and the netsh command, configure
Local Area Connection 2 to forward packets and to advertise subnet prefixes.
2. Add an IPv6 route to Local Area connection 2 of 2001:db8:0:1::/64. Make
sure to publish this route.

f Task 8: Check the IP configuration on NYC-CL1 to ensure it is

configured with an IPv6 global address in the 2001:db8:0:1::/64
network
• Validate that NYC-CL1 has configured itself using the global prefix assigned to
the network.
 Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP 7

Exercise 2: Configuring an ISATAP Router to Enable

Communications Between an IPv4 Network and an IPv6
Network
Scenario
Now that you have configured your IPv6 client, you must enable IPv4 client
connectivity to the IPv6 network. Your evaluation of current IPv6 tunneling
technologies has led you to choose to implement an ISATAP router.

Exercise Overview
In this exercise, you will enable and configure an ISATAP router interface that will
allow two-way communications between the IPv4 and IPv6 networks.
The main tasks are as follows:
1. Add the ISATAP entry in the DNS zone.
2. Configure the ISATAP router on NYC-SVR1.
3. Enable the ISATAP interface on NYC-DC1.
4. Test connectivity with the IPv6 client.

f Task 1: Add the ISATAP entry in the DNS zone on NYC-DC1

• On NYC-SVR1, in the Woodgrovebank.com zone, create a new host record
called ISATAP, and configure it with the IPv4 address of NYC-SVR1
(10.10.0.24).

f Task 2: Configure the ISATAP router on NYC-SVR1

1. On NYC-SVR1, using the netsh command, enable the isatap router set as
10.10.0.24.
2. Using the netsh command, enable forwarding and prefix advertise for the
ISATAP interface. (Hint: Local Area Connection* 8)
3. Using the netsh command, publish a new route for the ISATAP subnet using
2001:db8:0:10:/64.
8 Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP

4. Restart NYC-SVR1 and log on as Administrator with the password Pa$$w0rd.

5. Open a command prompt, and use the ipconfig command to verify that the
tunnel adapter Local Area Connection* 8 displays an IPv6 address in the
2001:db8:0:10 range.

f Task 3: Enable the ISATAP interface on NYC-DC1

1. On NYC-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type the following commands:
• Netsh interface isatap set router 10.10.0.24
• Ipconfig

Note: Notice that the tunnel adapter Local Area Connection 8 (which is the ISATAP
adapter) has received an IPv6 address automatically from the ISATAP router.

f Task 4: Test connectivity with the IPv6 client

• Verify that you can ping NYC-DC1 from NYC-CL1 and that you can ping NYC-
SVR1. Finally, verify that you can ping NYC-CL1 from NYC-DC1.

Note: If the IP addresses do not resolve, reboot the servers, starting with NYC-DC1,
NYC-SVR1, and then NYC-CL1.

Important: Do not turn off the virtual machines at this time because you need them
to complete the next lab.
 Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP 9

Lab B: Converting the Network

Objective
• Transition the network into an IPv6-only network.

Scenario
You are responsible for testing the IPv6 transition plan. To accomplish this, you
will transition the computers from the previous network that uses both IPv4 and
IPv6, and transition them to an IPv6-only network.
10 Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP

Exercise 1: Transitioning to an IPv6-Only Network

Exercise Overview
In this exercise, you will migrate the IPv4 network to be a fully capable IPv6
network.
The main tasks are as follows:
1. Disable the ISATAP router on NYC-SVR1.
2. Configure the native IPv6 router on NYC-SVR1.
3. Disable IPv4 connectivity.
4. Test connectivity between each IPv6 subnet.

f Task 1: Disable the ISATP router on NYC-SVR1

• On NYC-SVR1, disable the ISATAP router, and delete the static route subnet
prefix that was defined previously for the ISATAP subnet.

f Task 2: Configure the native IPv6 router on NYC-SVR1

• Configure an IPv6 router in the Local Area Connection interface on NYC-
SVR1. Make sure that forwarding and prefix advertising are enabled. Also add
and publish the subnet prefix: 2001:db8:0:0::/64.

f Task 3: Disable IPv4 connectivity

1. On NYC-SVR1, disable all remaining IPv4 interfaces.
2. On NYC-DC1, enable the IPv6 interface, and then disable the IPv4 interface.

f Task 4: Test connectivity between each IPv6 subnet

• Make sure you can ping between NYC-DC1 and NYC-CL1. Also make sure that
NYC-SVR1 is able to ping both servers.

Note: If the IP addresses do not resolve, reboot the servers starting with NYC-DC1,
NYC-SVR1, and then NYC-CL1.
 Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP 11

f Task 5: Reconfigure the Network Adapters

To have the appropriate setup for future labs, you must configure the following
before starting the virtual machines:
1. On the host machine, open the Virtual Server Administration Web site.
2. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-SVR1.
3. Under “6421A-NYC-SVR1” Configuration, click Network adapters.
4. Under Virtual network adapter 2, click the drop-down arrow, select Internal
Network, and then click OK.
5. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-CL1.
6. Under “6421A-NYC-CL1” Configuration, click Network adapters.
7. Under Virtual network adapter 1, click the drop-down arrow, select Internal
Network, and then click OK.

f Task 6: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Configuring and Troubleshooting Routing and Remote Access 1

Module 6
Lab Instructions: Configuring and
Troubleshooting Routing and Remote Access
Contents:
Exercise 1: Configuring Routing and Remote Access
as a VPN Remote Access Solution 4
Exercise 2: Configuring a Custom Network Policy 7
Exercise 3: Configuring Logging 8
Exercise 4: Configuring a Connection Profile 10
2 Lab Instructions: Configuring and Troubleshooting Routing and Remote Access

Lab: Configuring and Managing Network

Access

Objectives
After completing this lab, you will be able to:
• Configure the Routing and Remote Access service as a VPN remote access
solution.
• Configure a custom Network Policy.
• Configure logging.
• Configure a connection profile.
 Lab Instructions: Configuring and Troubleshooting Routing and Remote Access 3

Scenario
Woodgrove Bank would like to implement a remote access solution for its
employees so they can connect to the corporate network while away from the
office. Woodgrove Bank requires a network policy that mandates that VPN
connections are encrypted for security reasons.
The IT department of Woodgrove Bank does not want the Remote Access solution
to cause a dramatic increase in support calls to the Help Desk for configuration
issues regarding VPN connection objects that need to be created on the client
computer.
4 Lab Instructions: Configuring and Troubleshooting Routing and Remote Access

Exercise 1: Configuring Routing and Remote Access as a

VPN Remote Access Solution
Exercise Overview
In this exercise, you will configure the Routing and Remote Access Service role as a
VPN Remote Access solution. The VPN server should use IP address allocation for
clients from a static pool of IP addresses that is configured on the Remote Access
server. The Remote Access server should only accept PPTP and L2TP connections,
with 25 connections allowed for each.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual
machines.
2. Install the Network Policy and Access Services role.
3. Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for
Remote Access clients.
4. Configure available VPN ports on the Routing and Remote Access Service
server to allow 25 PPTP and 25 L2TP connections.

f Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-

CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.
 Lab Instructions: Configuring and Troubleshooting Routing and Remote Access 5

f Task 2: Install the Network Policy and Access Services role on 6421A-
NYC-SVR1
1. Open Server Manager on NYC-SVR1, and click Add Roles.
2. In Server Manager, on the Server Roles page, scroll down, select Network
Policy and Access Services, and then click Next.
3. On the Select Role Services page, select Network Policy Server and Routing
and Remote Access Services, and then click Next.
4. On the Confirm Installation Selections page, click Install.
5. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close.
The Network Policy and Routing and Remote Access Services roles are
installed on NYC-SVR1.

Note: Do not log off or shut down the virtual machines at this point.

f Task 3: Configure 6421A-NYC-SVR1 as a VPN server with a static

address pool for Remote Access clients
1. From Administrative Tools, open Routing and Remote Access.
2. In the list pane, select and right-click NYC-SVR1 (Local), and then click
Configure and Enable Routing and Remote Access.
3. Ensure that the default setting, Remote Access (dial-up or VPN), is selected,
and then on the Remote Access page, select the VPN option.
4. On the VPN Connection page, select the Local Area Connection 2 interface.
5. On the IP Address Assignment page, select From a specified range of
addresses.
6. Use the range of 192.168.1.100 with 75 available addresses for the static pool.
7. Accept the default settings for the remainder of the configuration process.
6 Lab Instructions: Configuring and Troubleshooting Routing and Remote Access

f Task 4: Configure available VPN ports on the Routing and Remote

Access Service server to allow 25 PPTP and 25 L2TP connections
1. In the Routing and Remote Access administrative tool interface, right-click
Ports, and then click Properties.
2. In the Ports Properties dialog box, configure L2TP and PPTP to have 25
available connectors. Specify 0 for SSTP.
3. In the Ports Properties dialog box, click OK.
4. Close the Routing and Remote Access administrative tool.
 Lab Instructions: Configuring and Troubleshooting Routing and Remote Access 7

Exercise 2: Configuring a Custom Network Policy

Exercise Overview
In this exercise, you will create a network policy to allow secure connections to the
Routing and Remote Access Service server.
The main tasks are as follows:
1. Open the Network Policy Server administrative tool on 6421A-NYC-SVR1.
2. Create a new network policy for Routing and Remote Access Service clients.

f Task 1: Open the Network Policy Server management tool on 6421A-

NYC-SVR1
• From the Administrative Tools menu, click Network Policy Server.
The Network Policy Server administrative tool appears.

f Task 2: Create a new network policy for Routing and Remote Access
Service clients
1. In the list pane of the Network Policy Server administrative tool, expand
Policies, right-click Network Policies, and then click New.
2. In the New Network Policy wizard, specify the following settings, and accept
the default values for all other settings:
• Network Policy Name: Secure VPN
• Type of network access server: Remote Access Server (VPN-Dial up)
• Specify Conditions: Tunnel Type: PPTP and L2TP
• Configure Authentication Methods: Deselect MS-CHAP
• Configure Constraints: Day and Time: deny access Mon thru Fri 11PM to
6AM
• Configure Settings: Under Encryption, clear all settings except Strongest
encryption
3. Close the Network Policy Server administrative tool.
8 Lab Instructions: Configuring and Troubleshooting Routing and Remote Access

Exercise 3: Configuring Logging

Exercise Overview
In this exercise, you will enable logging in Routing and Remote Access.
The main tasks are as follows:
1. Configure Routing and Remote Access Service logging on 6421A-NYC-SVR1 to
log all events to the system log.
2. Test logging levels.

f Task 1: Configure Routing and Remote Access Service Logging on

6421A-NYC-SVR1 to log all events to the System log
1. Click Start, point to Administrative Tools, and then click Routing and
Remote Access.
2. Right-click NYC-SVR1, and then click Properties.
3. In the NYC-SVR1 (local) Properties dialog box, click the Logging tab, click
Log all events, and then click OK.

f Task 2: Test logging levels

1. Log on to NYC-CL1 with a user name of administrator and the password
Pa$$w0rd.
2. Click Start, click Network, and then in the Network window, click Network
and Sharing Center.
3. Under Tasks, click Set up a connection or network to create a new VPN
connection object.
4. In the Type the Internet address to connect to dialog box, specify an Internet
address of 10.10.0.24 and a Destination Name of Woodgrovebank VPN.
5. Accept the defaults for the remainder of the wizard settings.
6. After the VPN connection object is created, connect to WoodgroveBank VPN
from the Network Connections page.
 Lab Instructions: Configuring and Troubleshooting Routing and Remote Access 9

7. Use the following information in the Connect Woodgrovebank VPN text

boxes:
• User name: Administrator
• Password: Pa$$w0rd
• Domain: Woodgrovebank
The VPN connects successfully.
8. Right-click Woodgrovebank VPN, and then click Disconnect. The VPN
disconnects.
9. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Event Viewer.
10. Use Event Viewer on NYC-SVR1, and review the entries from the
RemoteAccess source in the System log to see the logged data.
11. Close Event Viewer.
10 Lab Instructions: Configuring and Troubleshooting Routing and Remote Access

Exercise 4: Configuring a Connection Profile

Exercise Overview
In this exercise, you will configure a Connection Profile by using the CMAK tool to
create connection objects for mobile computer users.
The main tasks are as follows:
1. Install the Connection Manager Administration Kit.
2. Use the CMAK to create a distributable executable that automates creation of
connection objects for users.
3. Install and test the CMAK profile.
4. Close all virtual machines, and delete the changes.

f Task 1: Install the Connection Manager Administration Kit

1. On NYC-SVR1, click Start, and then click Server Manager.
2. Select the Connection Manager Administration Kit feature, and then click
Install.
3. Close Server Manager on 6421A-NYC-SVR1.

f Task 2: Use the CMAK to create a distributable executable that

automates creation of connection objects for users
1. Click Start, point to Administrative Tools, and then click Connection
Manager Administration Kit.
2. On the Welcome page of the Connection Manager Administration Kit wizard,
click Next. Specify the following settings in the wizard interface, and accept
the default values for the other settings:
• On the Specify the Service Name and the File Name page, use
WOODGROVEBANK VPN for the Service name and CORP_VPN for the
File name.
 Lab Instructions: Configuring and Troubleshooting Routing and Remote Access 11

• In Add Support for VPN Connections, select Phone book from this
profile, and specify to always use the same VPN server with an IP
address of 10.10.0.24.
• In Add a custom Phone Book, deselect Automatically download phone
book updates.
3. On the Your Connection Manager Profile is Complete and Ready to
Distribute page, click Finish.
4. From NYC-SVR1, copy the CORP_VPN folder from the C:\Program
Files\CMAK\Profiles\Vista\ location to the \\NYC-DC1\Module6 location.

f Task 3: Install and test the CMAK profile

1. On 6421A-NYC-CL1, in the \\NYC-DC1\module6\ share, run
CORP_VPN.exe to create the VPN connection object.
The WOODGROVEBANK VPN connection object opens.
2. In the WOODGROVEBANK VPN connection object, type the following
credentials and then click Connect:
• User name: Administrator
• Password: Pa$$w0rd
• Logon Domain: Woodgrovebank
3. Set the Network Location to Work.
4. Verify the VPN connects successfully in Network Connections. Right-click the
connection icon, and then click Disconnect.

f Task 4: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service 1

Module 7
Lab Instructions: Installing, Configuring, and
Troubleshooting the Network Policy Server Role
Service
Contents:
Exercise 1: Installing and Configuring the Network
Policy Server Role Service 4
Exercise 2: Configuring a RADIUS Client 6
Exercise 3: Configuring Certificate Auto-Enrollment 8
2 Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Lab: Configuring and Managing Network

Policy Server

Objectives
After completing this lab, you will be able to:
• Install the Network Policy Server role service and configure Network Policy
Server settings
• Configure a RADIUS client
• Configure certificate autoenrollment
 Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service 3

Scenario
Woodgrove Bank is expanding its remote-access solution to all its branch office
employees. This will require multiple Routing and Remote Access servers located
at different points to provide connectivity for its employees. You will use RADIUS
to centralize authentication and accounting for the remote-access solution.
The Windows Infrastructure Services Technology Specialist has been tasked with
installing and configuring Network Policy Server into an existing infrastructure to
be used for NAP, Wireless and Wired access, RADIUS, and RADIUS Proxy.
4 Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Exercise 1: Installing and Configuring the Network Policy

Server Role Service
Exercise Overview
In this exercise, you will install and configure the Network Policy Server role.
The main tasks are as follows:
1. Start the virtual machines, and log on.
2. Open the Server Manager tool on 6421A-NYC-DC1.
3. Install the Network Policy and Access Services role.
4. Register NPS in Active Directory.
5. Configure 6421A-NYC-DC1 to be a RADIUS server for dial-up or VPN
connections.

f Task 1: Start the virtual machines, and log on

1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Install the Network Policy and Access Services role

1. On NYC-DC1, in the Server Manager list pane, right-click Roles, and then
click Add Roles.
2. Install the Network Policy Server role service from the Network Policy and
Access Services role.
3. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close.
The Network Policy Server role is installed on 6421A-NYC-DC1.
4. Do not log off or shut down the virtual PCs at this point.
 Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service 5

f Task 3: Register NPS in Active Directory

1. Open Network Policy Server from the Administrative Tools menu.
2. Using the NPS tool, register NPS in Active Directory.
The Network Policy server is registered in Active Directory.

f Task 4: Configure 6421A-NYC-DC1 to be a RADIUS server for dial-up

or VPN connections
1. In the Network Policy Server management tool list pane, click NPS (Local).
2. In the details pane under Standard Configuration, click RADIUS server for
Dial-Up or VPN Connections.
3. Under Radius server for Dial-Up or VPN Connections, click Configure VPN
or Dial-Up, specify Virtual Private Network (VPN) Connections, and accept
the default name.
4. In the RADIUS clients dialog box, add NYC-SVR1 as a RADIUS client with an
address of 10.10.0.24.
5. In the New RADIUS Client dialog box, specify and confirm the shared secret
of Pa$$w0rd, and then click OK.
6. In the Specify Dial-Up or VPN Server dialog box, accept the default setting.
7. In the Configure Authentication Methods dialog box, select Extensible
Authentication Protocol and MS-CHAPv2.
8. On the Specify User Groups page, accept the default settings.
9. On the Specify IP Filters page, accept the default settings.
10. On the Specify Encryption Settings page, deselect Basic encryption and
Strong encryption.
11. On the Specify a Realm Name page, accept the default settings and finish the
wizard.
12. Close the Network Policy Server administrative tool.
6 Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Exercise 2: Configuring a RADIUS Client

Exercise Overview
In this exercise, you will configure 6421A-NYC-SVR1 to host Routing and Remote
Access Services and configure 6421A-NYC-SVR1 as a RADIUS client.
The main tasks are as follows:
1. Open the Server Manager tool on 6421A-NYC-SVR1.
2. Install the Routing and Remote Access Services role.
3. Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for
Remote Access clients, and specify RADIUS authentication and accounting.

f Task 1: Open the Server Manager tool on 6421A-NYC-SVR1

• On 6421A-NYC-SVR1, open Server Manager from the Administrative Tools
menu.

f Task 2: Install the Routing and Remote Access Services role on 6421A-
NYC-SVR1
1. Using Server Manager, install the Network Policy and Access Services role
with the role service of Routing and Remote Access.
2. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close.
The Routing and Remote Access Services role is installed on 6421A-NYC-
SVR1.
3. Do not log off or shut down the virtual PCs at this point.
 Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service 7

f Task 3: Configure 6421A-NYC-SVR1 as a VPN server with a static

address pool for Remote Access clients, and specify RADIUS
authentication and accounting
1. Open the Routing and Remote Access Services administrative tool, and click
Configure and Enable Routing and Remote Access.
2. Configure the default Remote Access (dial-up or VPN), and on the Remote
Access page, select the VPN option.
3. On the VPN Connection page, select the Local Area Connection 2 interface.
4. On the IP Address Assignment page, select From a specified range of
addresses.
5. Use the range of 192.168.1.100 with 75 available addresses for the static pool.
6. On the Managing Multiple Remote Access Servers page, select Yes, set up
this server to work with a RADIUS server, and then click Next.
7. Configure the following settings:
• Primary RADIUS server: NYC-DC1
• Shared secret for the RADIUS server: Pa$$w0rd
• Accept the default settings for the remainder of the configuration process
8. Close the Routing and Remote Access Services administrative tool.
8 Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Exercise 3: Configuring Certificate Auto-Enrollment

Exercise Overview
In this exercise, you will configure Certificate Auto-Enrollment for computers to
use advanced authentication.
The main tasks are as follows:
1. Install and configure Certificate Services on NYC-DC1.
2. Open the Group Policy Management tool on 6421A-NYC-DC1 and configure
automatic certificate enrollment.
3. Close all virtual machines, and delete changes.

f Task 1: Install and Configure Certificate services on NYC-DC1

1. On NYC-DC1, start Server Manager from the Administrative Tools menu.
2. Install the Active Directory Certificate Services role using the defaults except
for the following:
• CA Name = WoodGroveBank-CA
3. On the Installation Results page, click Close.
4. From the Administrative Tools menu, open the Certification Authority
management tool.
5. Right-click Certificate Templates, and then select Manage from the context
menu.
6. Change the security on the Computer template to allow Authenticated Users
the Enroll permission.
7. Close the Certificate Template and certsrv management consoles.
 Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service 9

f Task 2: Open the Group Policy Management tool on 6421A-NYC-DC1,

and configure automatic certificate enrollment
1. On 6421A-NYC-DC1, open Group Policy Management from the
Administrative Tools menu.
2. In the Group Policy Management tool, expand Forest: WoodgroveBank.com,
expand Domains, and expand WoodgroveBank.com.
3. Right-click Default Domain Policy, and then click Edit.
4. Expand Computer Configuration, expand Policies, expand Window
Settings, expand Security Settings, and then expand Public Key Policies.
5. Right-click Automatic Certificate Request Settings, click New, and then click
Automatic Certificate Request.
6. Accept the default settings throughout the wizard.
7. Close the Group Policy Management Editor.
8. Close the Group Policy Management tool.
Automatic certificate enrollment now is configured for the WoodgroveBank
domain’s computers.
9. Start 6421A-NYC-CL1 and log on as Administrator with the password
Pa$$w0rd.
10. Create a new MMC console with the Certificates snap-in. Focus the snap-in to
the Computer Account.
11. In the MMC console, verify that the computer account has enrolled the
certificate from WoodGroveBank-CA.

f Task 3: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Configuring Network Access Protection 1

Module 8
Lab Instructions: Configuring Network Access
Protection
Contents:
Exercise 1: Configuring NAP for DHCP Clients 3
Exercise 2: Configuring NAP for VPN Clients 11
2 Lab Instructions: Configuring Network Access Protection

Lab: Configuring NAP for DHCP and VPN

Objectives
• Configure NAP for DHCP clients
• Configure NAP for VPN clients

Scenario
As the Woodgrove Bank technology specialist, you need to establish a way to bring
client computers automatically into compliance. You will do this by using Network
Policy Server, creating client compliance policies, and configuring a NAP server to
check the current health of computers.
 Lab Instructions: Configuring Network Access Protection 3

Exercise 1: Configuring NAP for DHCP Clients

In this exercise, you will configure and test NAP for DHCP clients.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual
machines.
2. Open the Server Manager tool on 6421A-NYC-SVR1.
3. Install the DHCP and NPS server roles.
4. Configure NYC-SVR1 as a NAP health policy server.
5. Configure DHCP service for NAP enforcement.
6. Configure NYC-CL1 as a DHCP and NAP client.
7. Test NAP enforcement.
8. Shut down the virtual machines, and do not save changes.

f Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-

CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

f Task 2: Open the Server Manager tool on 6421A-NYC-SVR1

• On 6421A-NYC-SVR1, open Server Manager from the Administrative Tools
menu.
4 Lab Instructions: Configuring Network Access Protection

f Task 3: Install the NPS and DHCP server roles

1. On NYC-SVR1, open Server Manager.
2. Right-click Roles, and then click Add Roles.
3. On the Select Server Roles page, select the DHCP Server and Network Policy
and Access Services check boxes.
4. On the Select Role Services page, select the Network Policy Server.
5. On the Select Network Connection Bindings page, verify that 10.10.0.24 is
selected. Remove the check mark next to 192.168.1.10.
6. On the Specify DNS Server Settings page, verify that woodgrovebank.com is
listed under Parent domain.
7. Type 10.10.0.10 under Preferred DNS server IP address, and click Validate.
Verify that the result returned is Valid.
8. On the Specify WINS Server Settings page, accept the default setting.
9. On the Add or Edit DHCP Scopes page, click Add.
10. In the Add Scope dialog box, type NAP Scope next to Scope Name. Next to
Starting IP Address, type 10.10.0.50; next to Ending IP Address, type
10.10.0.199; and next to Subnet Mask, type 255.255.0.0.
11. Select the Activate this scope check box, and then click OK.
12. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6
stateless mode for this server.
13. On the Authorize DHCP Server page, select Use current credentials. Verify
that Woodgrovebank\administrator is displayed next to Username, and
then click Next.
14. On the Confirm Installation Selections page, click Install.
15. Verify the installation was successful, and then click Close.
16. Close the Server Manager window.
 Lab Instructions: Configuring Network Access Protection 5

f Task 4: Configure NYC-SVR1 as a NAP health policy server

1. Open the Network Policy Server administrative tool from the Start Menu,
Administrative Tools location.
2. Configure SHVs:
a. Expand Network Access Protection, and then click System Health
Validators.
b. Configure the System Health Validator. On the Windows Vista tab, clear
all check boxes except A firewall is enabled for all network connections.
3. Configure remediation server groups:
a. In the console tree, under Network Access Protection, right-click
Remediation Server Groups, and then click New.
b. Create a new remediation group with a group name of Rem1, and add the
IP address of 10.10.0.10.
4. Configure health policies:
a. Expand Policies.
b. Right-click Health Policies, and then click New.
c. Create a new health policy called Compliant that specifies the Client
passes all SHV checks and uses the Windows Security Health Validator.
d. Right-click Health Policies, and then click New.
e. Create a new health policy called NonCompliant that specifies the Client
fails one or more SHV checks and uses the Windows Security Health
Validator.
5. Configure a network policy for compliant computers:
a. In the console tree, under Policies, click Network Policies.
b. Disable the two default policies under Policy Name.
c. Create a new Network Policy called Compliant-Full-Access.
d. In the Specify Conditions window, click Add.
e. In the Select condition dialog box, double-click Health Policies, select
Compliant, and then click OK.
6 Lab Instructions: Configuring Network Access Protection

f. In the Specify Access Permission window, verify that Access granted is

selected.
g. In the Configure Authentication Methods window, select the Perform
machine health check only check box. Clear all other check boxes.
h. In the Configure Settings window, click NAP Enforcement. Verify that
Allow full network access is selected.
i. In the Completing New Network Policy window, click Finish to
complete configuration of your network policy for compliant client
computers.
6. Configure a network policy for Noncompliant computers:
a. Right-click Network Policies, and then click New.
b. Create a new Network Policy called NonCompliant-Restricted.
c. In the Specify Conditions window, click Add.
d. In the Select condition dialog box, double-click Health Policies, select
Noncompliant, and then click OK.
e. In the Specify Access Permission window, verify that Access granted is
selected, and then click Next.

Important: A setting of Access granted does not mean that noncompliant clients
are granted full network access. It specifies that clients matching these conditions
will be granted an access level that the policy determines.

f. In the Configure Authentication Methods window, select the Perform

machine health check only check box. Clear all other check boxes.
g. In the Configure Constraints window, click Next.
h. In the Configure Settings window, click NAP Enforcement. Select Allow
limited access and verify that Enable auto-remediation of client
computers is selected.
i. Click Next, and then click Finish. This completes configuration of your
NAP network policies. Close the Network Policy Server console.
 Lab Instructions: Configuring Network Access Protection 7

f Task 5: Configure DHCP service for NAP enforcement

1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
DHCP.
2. In the DHCP Management console, expand NYC-SVR1.woodgrovebank.com,
and then expand IPv4.
3. Open the Properties for the Scope. On the Network Access Protection tab,
verify Use default Network Access Protection profile is selected, and then
click OK.
4. In the DHCP Management console, configure Scope Options.
5. On the Advanced tab, verify that Default User Class is chosen next to User
class.
6. Under Available Options, select the 003 Router check box, type 10.10.0.1 in
IP Address, select the 015 DNS Domain Name check box, type
Woodgrovebank.com in String value, and then click OK. The
Woodgrovebank.com domain is a full-access network assigned to compliant
NAP clients.
7. In the DHCP Management console, configure Scope Options.
8. On the Advanced tab, next to User class, choose Default Network Access
Protection Class.
9. Select the 006 DNS Servers check box, type 10.10.0.10 in IP Address, select
the 015 DNS Domain Name check box, type
restricted.Woodgrovebank.com in String value, and then click OK. The
restricted.woodgrovebank.com domain is a restricted-access network assigned
to noncompliant NAP clients.
8 Lab Instructions: Configuring Network Access Protection

f Task 6: Configure NYC-CL1 as a DHCP and NAP client

1. On NYC-CL1, enable Security Center:
a. Click Start, point to All Programs, click Accessories, and then click Run.
b. Type gpedit.msc, and then press ENTER.
c. In the console tree, open Local Computer Policy/Computer
Configuration/Administrative Templates/Windows
Components/Security Center.
d. Double-click Turn on Security Center (Domain PCs only), click
Enabled, and then click OK.
e. Close the console window. When prompted to save settings, click No.
2. Enable the DHCP enforcement client:
a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type napclcfg.msc, and then press ENTER.
c. In the console tree, click Enforcement Clients.
d. Enable the DHCP Quarantine Enforcement Client.
e. Close the NAP Client Configuration console.
3. Enable and start the NAP agent service:
a. Click Start, point to All Programs, click Accessories, and then click Run.
b. Type services.msc, and then press ENTER.
c. In the services list, set Network Access Protection Agent Startup type to
Automatic, and start the service.
d. Wait for the NAP agent service to start, and then click OK.
e. Close the Services console.
 Lab Instructions: Configuring Network Access Protection 9

4. Configure NYC-CL1 for DHCP address assignment:

a. Click Start, and then click Control Panel.
b. Click Network and Internet, click Network and Sharing Center, and
then click Manage network connections.
c. Configure Local Area Connection properties with the following:
• Clear the Internet Protocol Version 6 (TCP/IPv6) check box.
• Set properties of Internet Protocol Version 4 (TCP/IPv4) to Obtain
an IP address automatically and Obtain DNS server address
automatically.
d. Click OK, and then click Close to close the Local Area Connection
Properties dialog box.
5. Close the Network Connections and Network and Sharing Center windows.
6. Restart NYC-CL1. After the computer restarts, log on as Administrator with
the password Pa$$w0rd.

f Task 7: Test NAP Enforcement

1. Verify the DHCP assigned address and current Quarantine State:
a. On NYC-CL1, open an administrative command prompt using the Run As
Administrator command.
b. At the command prompt, type ipconfig /all.
c. Verify that the connection-specific DNS suffix is Woodgrovebank.com
and the Quarantine State is Not Restricted.
2. Configure the System Health Validator policy to require antivirus software:
a. On NYC-SVR1, in the Network Policy Server console, open NPS (Local),
open Network Access Protection, and then open System Health
Validators.
b. Configure Windows Security Health Validator so that Virus Protection is
set to An antivirus application is on.
c. Click OK, and then click OK again to close the Windows Security Health
Validator Properties window.
10 Lab Instructions: Configuring Network Access Protection

3. Verify the restricted network on NYC-CL1:

a. On NYC-CL1, open an administrative command prompt using the Run As
Administrator command.
b. At the command prompt, type ipconfig /release.
c. At the command prompt, type ipconfig /renew.
d. Verify the connection-specific DNS suffix is now
restricted.woodgrovebank.com.
e. Close the command window, and double-click the Network Access
Protection icon in the system tray. Notice it tells you the computer is not
compliant with the network’s requirements.
f. Click Close.

f Task 8: Shutdown virtual machines and do not save any changes

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. For Exercise 2, start 6421A-NYC-DC1 and 6421A-NYC-CL1.
4. Log on to each as WoodgroveBank\administrator with the password
Pa$$w0rd.
 Lab Instructions: Configuring Network Access Protection 11

Exercise 2: Configuring NAP for VPN Clients

In this exercise, you will configure NAP for VPN Clients. This exercise uses the
Windows Security Health Agent and Windows Security Health Validator to require
that client computers have Windows Firewall enabled and have an antivirus
application installed.
You will create two network policies in this exercise. A compliant policy grants full
network access to an intranet network segment. A noncompliant policy
demonstrates network restriction by applying IP filters to the VPN tunnel interface
that only allow client access to a single remediation server.
The main tasks are as follows:
1. Configure NYC-DC1 as an Enterprise Root CA.
2. Configure NYC-SVR1 with NPS functioning as a health policy server.
3. Configure NYC-SVR1 with the Routing and Remote Access service configured
as a VPN server.
4. Allow ping on NYC-SVR1.
5. Configure NYC-CL1 as a VPN client and a NAP client.
6. Close all virtual machines, and discard undo disks.

f Task 1: Configure NYC-DC1 as an Enterprise Root CA

1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Server Manager.
2. Under Roles Summary, click Add Roles.
3. On the Before you Begin page, click Next.
4. Select the Active Directory Certificate Services check box, and configure the
wizard with the following:
a. On the Specify Setup Type page, select Enterprise.
b. On the Configure CA Name page, specify a name of Root CA.
c. On the Confirm Installation Selections page, click Install.
5. On the Installation Results page, verify the installation succeeded, and then
click Close.
6. Close the Server Manager window.
12 Lab Instructions: Configuring Network Access Protection

7. From the Administrative Tools menu, open the Certification Authority

management tool.
8. Right-click Certificate Templates, and then choose Manage from the context
menu.
9. Change the security on the Computer template to allow Authenticated Users
the Enroll permission.
10. Close the Certificate Template and certsrv management consoles.

f Task 2: Configure NYC-SVR1 with NPS functioning as a health policy

server
1. Start 6421A-NYC-SVR1, and then log on as Woodgrovebank\administrator
with the password Pa$$w0rd.
2. Obtain a computer certificate on NYC-SVR1 for server-side PEAP
authentication:
a. Create a custom MMC console that includes the Certificates snap-in for
Computer Account.
b. In the console tree, double-click Certificates, right-click Personal, point to
All Tasks, and then click Request New Certificate.
c. The Certificate Enrollment dialog box opens. Click Next.
d. Select the Computer check box, and then click Enroll.
e. Verify the status of certificate installation as Succeeded, and then click
Finish.
f. Close the Console1 window.
g. Click No when prompted to save console settings.
3. Install the NPS Server role:
a. On NYC-SVR1, click Start, click Administrative Tools, and then click
Server Manager.
b. Use Add Roles to install Network Policy and Access Services.
c. Verify the installation was successful, and then click Close.
d. Close the Server Manager window.
 Lab Instructions: Configuring Network Access Protection 13

4. Configure NPS as a NAP health policy server:

a. Click Start, click Run, type nps.msc, and then press ENTER.
b. Expand Network Access Protection, and then click System Health
Validators.
c. In the middle pane under Name, double-click Windows Security Health
Validator.
d. Configure the Windows Security Health Validator properties so all check
boxes except A firewall is enabled for all network connections are
cleared.
e. Click OK to close the Windows Security Health Validator dialog box,
and then click OK to close the Windows Security Health Validator
Properties dialog box.
5. Configure health policies:
a. Expand Policies.
b. Create a new health policy called Compliant.
c. Under Client SHV checks, verify that the Client passes all SHV checks
check box is selected.
d. Under SHVs used in this health policy, select the Windows Security
Health Validator check box.
e. Click OK.
f. Create a new health policy called Noncompliant.
g. Under Client SHV checks, select Client fails one or more SHV checks.
h. Under SHVs used in this health policy, select the Windows Security
Health Validator check box.
i. Click OK.
6. Configure network policies for compliant computers:
a. Expand Policies.
b. Click Network Policies.
c. Disable the two default policies under Policy Name.
d. Create a new network policy called Compliant-Full-Access.
e. In the Specify Conditions window, click Add.
14 Lab Instructions: Configuring Network Access Protection

f. In the Select condition dialog box, double-click Health Policies.

g. In the Health Policies dialog box, under Health policies, select
Compliant.
h. In the Specify Access Permission window, verify that Access granted is
selected.
i. In the Configure Settings window, click NAP Enforcement. Verify that
Allow full network access is selected.
j. In the Completing New Network Policy window, click Finish.
7. Configure network policies for noncompliant computers:
a. Create a new network policy called Noncompliant-Restricted.
b. In the Specify Conditions window, click Add.
c. In the Select condition dialog box, double-click Health Policies.
d. In the Health Policies dialog box, under Health policies, select
Noncompliant, and then click OK.
e. In the Specify Conditions window, verify that Health Policy is specified
under Conditions with a value of Noncompliant, and then click Next.
f. In the Specify Access Permission window, verify that Access granted is
selected.

Important: A setting of Access granted does not mean that noncompliant clients
are granted full network access. It specifies that the policy should continue to
evaluate clients matching these conditions.

g. In the Configure Settings window, click NAP Enforcement. Select Allow

limited access and select Enable auto-remediation of client computers.
h. In the Configure Settings window, click IP Filters.
i. Under IPv4, create a new input filter for Destination network with the
following values:
• IP address: 10.10.0.10
• Subnet mask: 255.255.255.255
This step ensures that traffic from noncompliant clients can reach only
DC1.
 Lab Instructions: Configuring Network Access Protection 15

j. Click OK to close the Add IP Filter dialog box, and then select Permit
only the packets listed below in the Inbound Filters dialog box.
k. Under IPv4, create a new outbound filter with the following source
network values:
• IP address: 10.10.0.10
• Subnet mask: 255.255.255.255
l. Click OK to close the Add IP Filter dialog box, and then select Permit
only the packets listed below in the Outbound Filters dialog box. This
ensures that only traffic from DC1 can be sent to noncompliant clients.
m. In the Completing New Network Policy window, click Finish.
8. Configure connection request policies:
a. Click Connection Request Policies.
b. Disable the default Connection Request policy found under Policy Name.
c. Create a new Connection Request policy called VPN connections.
d. Under Type of network access server, select Remote Access Server
(VPN-Dial up).
e. In the Specify Conditions window, click Add.
f. In the Select Condition window, double-click Tunnel Type, select PPTP
and L2TP, and then click OK.
g. In the Specify Connection Request Forwarding window, verify that
Authenticate requests on this server is selected.
h. In the Specify Authentication Methods window, select Override network
policy authentication settings.
i. Under EAP Types, click Add. In the Add EAP dialog box, under
Authentication methods, click Microsoft: Protected EAP (PEAP).
j. Under EAP Types, click Add. In the Add EAP dialog box, under
Authentication methods, click Microsoft: Secured password (EAP-
MSCHAP v2).
k. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click
Edit.
l. Verify that Enable Quarantine checks is selected, and then click OK.
m. Click Next twice, and then click Finish.
16 Lab Instructions: Configuring Network Access Protection

f Task 3: Configure NYC-SVR1 with the Routing and Remote Access

service configured as a VPN server
1. Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
2. In the Routing and Remote Access management console, configure and
enable Routing and Remote Access with the role Remote access (dial-up or
VPN).
3. Select the VPN check box, and then click Next.
4. Click the network interface with an IP address of 192.168.1.10. Clear the
Enable security on the selected interface by setting up static packet filters
check box, and then click Next. This ensures that NYC-SVR1 will be able to
ping NYC-DC1 when attached to the Internet subnet without having to
configure additional packet filters for ICMP traffic.
5. On the IP Address Assignment page, select From a specified range of
addresses, and on the Address Range Assignment page, specify a range of
10.10.0.100 to 10.10.0.110.
6. On the Managing Multiple Remote Access Servers page, select No, use
Routing and Remote Access to authenticate connection requests.
7. Click Next, and then click Finish.
8. Click OK, and wait for the Routing and Remote Access service to start.
9. Open the Network Policy Server console from the Administrative Tools
menu, expand Policies, select Connection Request Policies, and then disable
the Microsoft Routing and Remote Access Service Policy by right-clicking the
policy and choosing Disable.
10. Close the Network Policy Server management console.

f Task 4: Allow ping on NYC-SVR1

1. Click Start, click Administrative Tools, and then click Windows Firewall
with Advanced Security.
2. Create a custom inbound rule for All Programs with the protocol type of
ICMPv4 and ICMP type of Echo Request for the default scope options.
3. In the Action window, verify that Allow the connection is selected, and then
click Next.
 Lab Instructions: Configuring Network Access Protection 17

4. Click Next to accept the default profile.

5. In the Name window, under Name, type ICMPv4 echo request, and then click
Finish.

f Task 5: Configure NYC-CL1 as a VPN client and a NAP client

1. Configure NYC-CL1 so that Security Center is always enabled:
a. Open the Local Group Policy Object Editor using the Run command with
gpedit.msc.
b. In the console tree, open Local Computer Policy/Computer
Configuration/Administrative Templates/Windows
Components/Security Center.
c. Double-click Turn on Security Center (Domain PCs only), click
Enabled, and then click OK.
d. Close the Local Group Policy Object Editor console.
2. Enable the remote access quarantine enforcement client:
a. Launch the NAP Client Configuration tool using the Run command with
napclcfg.msc.
b. Enable the Remote Access Quarantine Enforcement Client.
c. Close the NAP Client Configuration window.
3. Enable and start the NAP agent service:
a. Open the Services console using services.msc in the Run command.
b. In the Services list, double-click Network Access Protection Agent.
c. Change the startup type to Automatic, and then click Start.
d. Wait for the NAP agent service to start, and then click OK.
e. Close the Services console.
18 Lab Instructions: Configuring Network Access Protection

4. Configure NYC-CL1 for the Internet network segment:

a. Configure Local Area Connection Properties with Internet Protocol
Version 4 (TCP/IPv4) set for the following:
• IP address: 192.168.1.20
• Subnet mask: 255.255.255.0
• Remove Preferred DNS server setting of 10.10.0.10
b. Click OK, and then click Close to close the Local Area Connection
Properties dialog box.
c. Close the Network Connections window.
5. Verify network connectivity for NYC-CL1:
a. Open a command prompt and type ping 192.168.1.10.
b. Verify that the response reads “Reply from 192.168. 1.10”.
c. Close the command window.
6. Configure a VPN connection:
a. Using the Network and Sharing Center, create a new Connect to a
workplace with the Use my Internet Connection (VPN) option.
b. Click I’ll set up an Internet connection later.
c. On the Type the Internet address to connect to page, next to Internet
address, type 192.168. 1.10. Next to Destination name, type
Woodgrovebank. Select the Allow other people to use this connection
check box, and then click Next.
d. On the Type your user name and password page, type administrator
next to User name, and type the password for the administrator account
next to Password. Select the Remember this password check box, type
Woodgrovebank next to Domain (optional), and then click Create.
e. In the Network and Sharing Center window, click Manage Network
Connections.
f. Under Virtual Private Network, right-click the Contoso connection, click
Properties, and then click the Security tab.
g. Select Advanced (custom settings), and then click Settings.
h. Under Logon security, select Use Extensible Authentication Protocol
(EAP), and then choose Protected EAP (PEAP) (encryption enabled).
 Lab Instructions: Configuring Network Access Protection 19

i. Click Properties.
j. Select the Validate server certificate check box. Clear the Connect to
these servers check box, and then select Secured Password (EAP-
MSCHAP v2) under Select Authentication Method. Clear the Enable
Fast Reconnect check box, and then select the Enable Quarantine
checks check box.
k. Click OK three times to accept these settings.
7. Test the VPN connection:
a. In the Network Connections window, use the Woodgrovebank
connection object to initiate the VPN connection.
b. Verify that administrator account credentials are entered and that the Save
this user name and password for future use check box is selected, and
then click OK.
c. You are presented with a Validate Server Certificate window the first
time this VPN connection is used. Click View Server Certificate, and
verify Certificate Information states that the certificate was issued to
NYC-SVR1.Woodgrovebank.com by Root CA. Click OK to close the
Certificate window, and then click OK again.
d. Wait for the VPN connection to be made. Because NYC-CL1 is compliant,
it should have unlimited access to the intranet subnet.
e. Open a command prompt and type ipconfig /all to view the
configuration.
f. View the IP configuration. System Quarantine State should be Not
Restricted.
The client now meets the requirement for VPN full connectivity.
g. Disconnect from the Woodgrovebank VPN.
8. Configure Windows Security Health Validator to require an antivirus
application:
a. On NYC-SVR1, open Network Policy Server.
b. Expand Network Access Protection, and then click System Health
Validators.
20 Lab Instructions: Configuring Network Access Protection

c. Configure the Windows Security Health Validator to require virus

protection by selecting the check box next to An antivirus application is
on.
d. Click OK, and then click OK again to close the Windows Security Health
Validator Properties window.
9. Verify the client is placed on the restricted network:
a. On NYC-CL1, in the Network Connections window, right-click the
Woodgrovebank connection, and then click Connect.
b. Wait for the VPN connection to be made. You might see a message in the
notification area that indicates the computer does not meet health
requirements. This message is displayed because antivirus software has
not been installed.
c. Open a command prompt and type ipconfig /all to view the IP
Configuration. System Quarantine State should be Restricted.
The client does not meet the requirements for the network and therefore
is placed on the restricted network.
Try to ping 10.10.0.24. This should be unsuccessful.
Try to ping 10.10.0.10. This is the only server to which the policy allows
access.
d. Disconnect from Woodgrovebank VPN.

f Task 6: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Configuring IPsec 1

Module 9
Lab Instructions: Configuring IPsec
Contents:
Exercise 1: Preparing the Network Environment
for IPsec NAP Enforcement 3
Exercise 2: Configuring and Testing IPsec NAP
Enforcement 9
2 Lab Instructions: Configuring IPsec

Lab: Configuring IPsec NAP Enforcement

Objectives:
• Prepare the network environment for IPsec NAP enforcement
• Configure and test IPsec enforcement

Scenario
Due to recent security related incidents on the internal network, Woodgrove Bank
wants to implement IPsec policies to mitigate security risks through encryption,
and use Network Access Protection to verify the health of communicating parties
prior to data transmission. The Woodgrove Bank Information Services (IS)
Manager wants you to configure an IPsec Network Access Protection enforcement
environment to mitigate any related future network security issues.
 Lab Instructions: Configuring IPsec 3

Exercise 1: Preparing the Network Environment for IPsec

NAP Enforcement
Exercise Overview
In this exercise, you will prepare the environment for IPsec NAP enforcement.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1, 6421A-NYC-CL1, and 6421A-NYC-CL2 virtual
machines.
2. Open the Server Manager tool on 6421A-NYC-DC1.
3. Install the NPS, HRA, and CA server roles.
4. Configure HRA with permissions.
5. Configure CA properties on HRA.
6. Configure NPS as a NAP health policy server.
7. Configure system health validators.
8. Configure Certificate AutoEnrollment in Default Domain Group Policy.
9. Configure NYC-CL1 and NYC-CL2 so that Security Center always is enabled.
10. Enable the IPsec enforcement client and configure client health registration
settings.
11. Configure and start the NAP Agent service.
12. Allow ICMP through Windows Firewall.

f Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-CL1, and 6421A-NYC-

CL2 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
4 Lab Instructions: Configuring IPsec

4. In the Lab Launcher, next to 6421A-NYC-CL2, click Launch.

5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

f Task 2: Open the Server Manager tool on 6421A-NYC-DC1

• If necessary, on NYC-DC1, open Server Manager from the Administrative
Tools menu.

f Task 3: Install the NPS, HRA, and CA server roles

1. In Server Manager, add the Network Policy and Access Services role.
2. On the Select Role Services page, select the Health Registration Authority
check box, and then click Add Required Role Services.
3. Select Install a local CA to issue health certificates for this HRA server with
the No, allow anonymous requests for health certificates option.
4. Select Don’t use SSL or Choose a certificate for SSL encryption later.
5. On the Select Role Services page, verify that only the Certification Authority
check box is selected.
6. Install Certificate Services as a Standalone Root CA.
7. Accept the default private key and cryptographic settings.
8. Name the CA Woodgrovebank-RootCA,
9. Accept the default settings for the remainder of the settings and then click
Install.
10. On the Installation Results page, notice that the Network Policy and Access
Services installation succeeded with errors. This is because the CA was
installed after the role was installed, so it could not be reached. Verify that all
other installations were successful, and then click Close.
 Lab Instructions: Configuring IPsec 5

f Task 4: Configure HRA with permissions

1. Open the Certification Authority administrative tool.
2. Open the properties of the WoodgroveBank-RootCA from the list pane.
3. Click the Security tab, click to add the Network Service account, and select
the Allow check boxes for Issue and Manage Certificates, Manage CA, and
Request Certificates.
4. On the Policy Module tab, click Properties, and select Follow the settings in
the certificate template, if applicable. Otherwise, automatically issue the
certificate.
5. Restart the Certification Authority.
6. Close the Certification Authority console.

f Task 5: Configure CA properties on HRA

1. On NYC-DC1, create a custom MMC and add the Health Registration
Authority snap-in.
2. In the Health Registration console, right-click Certificate Authority, and add
WoodGroveBank-RootCA by clicking Add Certificate authority.
3. Click Certificate Authority, and verify that \\NYC-
DC1.Woodgrovebank.com\Woodgrovebank-RootCA is displayed in the
details pane.
4. Right-click Certification Authority in the list pane and open the Properties to
verify that Use standalone certification authority is selected.
5. Close the Health Registration Authority console.

f Task 6: Configure NPS as a NAP health policy server

1. On NYC-DC1, open the Network Policy Server console.
2. Under Standard Configuration, click Configure NAP.
3. On the Select Network Connection Method for Use with NAP page, select
IPsec with Health Registration Authority (HRA).
4. On the Specify NAP Enforcement Servers Running HRA page and Configure
User Groups and Machine Groups pages, accept the defaults.
6 Lab Instructions: Configuring IPsec

5. On the Define NAP Health Policy page, verify that the Windows Security
Health Validator and Enable auto-remediation of client computers check
boxes are selected, and then click Finish on the Completing New Network
Access Protection Policies and RADIUS clients page.
6. Leave the NPS console open for the following task.

f Task 7: Configure system health validators

1. In the NPS console tree, click Network Access Protection, and then click
Configure System Health Validators in the details pane.
2. In the details pane, under Name, double-click Windows Security Health
Validator.
3. Click Configure.
4. Clear all check boxes except A firewall is enabled for all network
connections.
5. Click OK twice to close the Windows Security Health Validator and the
Windows Security Health Validator Properties dialog boxes.
6. Close the NPS console.

f Task 8: Configure Certificate AutoEnrollment in Default Domain Group

Policy
1. On NYC-DC1, open the Group Policy Management console.
2. Edit the Default Domain Policy.
3. Under Computer Configuration, Windows Settings, Security Settings, select
Public Key Policies.
4. Double-click Certificate Services Client – Auto-Enrollment.
 Lab Instructions: Configuring IPsec 7

5. In the Define Policy Settings dialog box set the following:

• Configuration Model: Enabled
• Select Renew expired certificates, update pending certificates, and
remove revoked certificates
• Select Update certificates that use certificate templates
6. Click OK, and close the Group Policy Management Editor.
7. Close the Group Policy Management console.

f Task 9: Configure NYC-CL1 and NYC-CL2 so that Security Center is

always enabled
1. Log on to NYC-CL1 as Woodgrovebank\administrator with the password
Pa$$w0rd.
2. Open the Local Group Policy Editor by typing gpedit.msc in the Start Search
text box.
3. Using the Group Policy Object Editor, open Local Computer
Policy/Computer Configuration/Administrative Templates/Windows
Components/Security Center.
4. Double-click Turn on Security Center (Domain PCs only), click Enabled,
and then click OK.
5. Close the Local Group Policy Object Editor console.
6. Repeat steps 1 through 5 on NYC-CL2.

f Task 10: Enable the IPsec enforcement client and configure client
health registration settings
1. On NYC-CL1, open the NAP Client Configuration console by typing
napclcfg.msc in the Start Search text box.
2. Enable IPsec Relying Party in the Enforcement Clients details pane.
3. In the NAP Client Configuration console tree, double-click Health
Registration Settings.
4. Add two new Trusted Server Groups, select do not require server
verification, and then click New.
8 Lab Instructions: Configuring IPsec

5. Under Add URLs of the health registration authority that you want the
client to trust, type http://nyc-
dc1.woodgrovebank.com/domainhra/hcsrvext.dll, and then click Add. Type
http://nyc-dc1.woodgrovebank.com /nondomainhra/hcsrvext.dll, click
Add, and then Finish.
6. In the console tree, click Trusted Server Groups, and verify that the URLs are
entered correctly.
7. Close the NAP Client Configuration window.
8. Repeat steps 1 through 7 on NYC-CL2.

f Task 11: Configure and start the NAP Agent service

1. On NYC-CL1, open the Services console, set the startup properties of
Network Access Protection Agent Properties to Automatic, and then start
the service.
2. Wait for the NAP agent service to start, and then click OK.
3. Close the Services console.
4. Repeat steps 1 through 3 for NYC-CL2.

f Task 12: Allow ICMP through the Windows Firewall

1. On NYC-CL1, click Start and in the Start Search text box, type wf.msc and
then press ENTER.
2. Create a new Custom Inbound Rule for All programs that specifies ICMPv4
Echo Request that uses the default scope with the Action of Allow the
connection. Accept the default profile and name the rule ICMPv4 Echo
Request.
3. Close the Windows Firewall with Advanced Security console.
4. Repeat steps 1 through 3 on NYC-CL2.
 Lab Instructions: Configuring IPsec 9

Exercise 2: Configuring and Testing IPsec NAP Enforcement

Exercise Overview
In this exercise, you will configure and test IPsec NAP Enforcement.
The main tasks are as follows:
1. Create an IPsec Secure Organizational Unit in Active Directory.
2. Create IPsec policies for secure health enforcement.
3. Move NYC-CL1 and NYC-CL2 to the IPsec Secure OU.
4. Apply group policies.
5. Verify health certificate status.
6. Verify clients can communicate securely.
7. Demonstrate Network Restriction.
8. Close all virtual machines, and discard undo disks.

f Task 1: Create an IPsec Secure Organizational Unit in Active Directory

1. On NYC-DC1, open Active Directory Users and Computers and create a new
root-level OU named IPsec Secure.
2. Leave the Active Directory Users and Computers console open.

f Task 2: Create IPsec policies for the IPsec Secure OU

1. On NYC-DC1, open the Group Policy Management console.
2. Create and link a new Group Policy Object for the IPsec Secure OU and name
the policy Secure Policy.
10 Lab Instructions: Configuring IPsec

3. Edit the Secure Policy to create IPsec policies for all profile states.
a. Open Secure Policy [nyc-dc1.woodgrovebank.com] Policy\Computer
Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security, and open the properties of Windows
Firewall with Advanced Security – LDAP.
b. On the Domain Profile tab, next to Firewall state, select On
(recommended). Next to Inbound connections, select Block (default).
Next to Outbound connections, select Allow (default). The same settings
will be used for the private and public profiles.
4. In the Group Policy Management Editor console tree, under Windows
Firewall with Advanced Security - LDAP, right-click Connection Security
Rules, and create a new rule that has Isolation and Require authentication
for inbound connections and request authentication for outbound
connections selected.
5. On the Authentication Method page, select Computer certificate, select the
Only accept health certificates check box, and specify WoodgroveBank-
RootCA.
6. On the Profile page, verify that the Private, Public, and Domain check boxes
are selected. On the Name page type Secure Rule, and then click Finish.
7. Right-click Inbound Rules, and then create a new rule using the predefined
File and Printer Sharing rule with only the Allow the connection if it is
secure option.
8. Close the Group Policy Management Editor console.

f Task 3: Move NYC-CL1 and NYC-CL2 into the IPsec Secure OU

1. On NYC-DC1, open Active Directory Users and Computers.
2. Open the Computers container, select NYC-CL1 and NYC-CL2 and drag and
drop into the IPsec Secure OU.
3. Close the Active Directory Users and Computers console.
 Lab Instructions: Configuring IPsec 11

f Task 4: Apply group policies

1. On NYC-CL1 and NYC-CL2, use gpupdate /force to reapply the changed
Group Policy settings.
2. Verify that the response reads User Policy update has completed
successfully and Computer Policy update has completed successfully.
3. Leave the command windows open for the following procedures.

f Task 5: Verify Health certificate status

1. On NYC-CL1, create a custom MMC tool that includes the Certificates snap-in
with Computer account certificates specified for the Local Computer.
2. In the MMC console tree, double-click Certificates (Local Computer),
double-click Personal, and then click Certificates. In the details pane, under
Issued By, verify that WoodGroveBank-RootCA is displayed. Verify that
Intended Purposes shows System Health Authentication.
3. Close the MMC console, and do not save changes.

f Task 6: Verify clients can communicate securely

1. On NYC-CL1, click Start, and in the Start Search text box, type \\NYC-CL2\
and then press ENTER.
2. Confirm that the command completed successfully.
3. Verify that you can view the contents of the share.
4. Open Windows Firewall with Advanced Security on NYC-CL1.
5. In the Windows Firewall with Advanced Security console list pane, expand
Monitoring, expand Security Associations and select Main Mode.
6. In the details pane, you should see an entry for secure communications
between NYC-CL1 and NYC-CL2. Double-click the entry and review at the
contents of the General tab. You should see Computer certificate for First
Authentication, Encryption using AES-128 and Integrity accomplished
using SHA1.
7. Close the dialog box, and close Windows Firewall with Advanced Security.
12 Lab Instructions: Configuring IPsec

f Task 7: Demonstrate Network Restriction

Note: Automatic updates will be required for NAP compliance by enabling this
system health check in the Windows Security Health Validator.

1. On NYC-DC1, open Network Access Protection, and then click System

Health Validators.
2. Configure the Windows Security Health Validator, under Automatic
Updating, select the Automatic updating is enabled check box, and then
click OK twice.

Note: To demonstrate network restriction of noncompliant clients, auto-remediation

of client computers must be disabled in the noncompliant network policy.

3. In the Network Policy Server console tree, click Network Policies.

4. In the details pane, double-click NAP IPsec with HRA Noncompliant.
5. Click the Settings tab, click NAP Enforcement, clear the Enable auto-
remediation of client computers check box, and then click OK.
6. Close the Network Policy Server console.
7. On NYC-CL1, in the command window, type ping -t NYC-CL2, and then press
ENTER. A continuous ping will run from NYC-CL1 to NYC-CL2. This should
be successful.
8. On NYC-CL2, on the Security control panel, select Turn automatic updating
on or off, select Never check for updates (not recommended), and then click
OK. This setting causes NYC-CL2 to be noncompliant with network health
policy. Because auto-remediation has been disabled, NYC-CL2 will remain in a
noncompliant state and will be placed on the restricted network.

Note: Do not close the Security control panel on NYC-CL2. You will use it to
reenable Windows Update in a future step.
 Lab Instructions: Configuring IPsec 13

9. On NYC-CL1, verify that the response in the command window has changed
to Request timed out.
10. On NYC-CL1, click Start, and in the Start Search text box, type \\NYC-CL2\
and verify the share is inaccessible.
11. On NYC-CL2, in the Security control panel under Windows Update, click
Turn automatic updating on or off, select Install updates automatically
(recommended), and then click OK. This setting will cause NYC-CL2 to send
a new SoH that indicates it is compliant with network health requirements,
and NYC-CL2 will be granted full network access.
12. On NYC-CL1, verify that the response in the command window changes to
Reply from 10.10.0.60. It might take a minute before you see the change in
status.
13. Verify that you can browse the share of NYC-CL2 (\\NYC-CL2\).
14. Close all open windows.

f Task 8: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Monitoring and Troubleshooting IPSec 1

Module 10
Lab Instructions: Monitoring and
Troubleshooting IPSec
Contents:
Exercise 1: Monitoring IPSec Connectivity 3
Exercise 2: Configuring Connection Security 5
Exercise 3: Troubleshooting IPSec 7
2 Lab Instructions: Monitoring and Troubleshooting IPSec

Lab: Monitoring and Troubleshooting IPSec

Objectives
• Monitor IPsec connectivity
• Configure connection security
• Troubleshoot IPsec

Scenario:
The Windows Infrastructure Services Technology Specialist has been tasked with
extending an existing network infrastructure to include the IPsec functionality.
Using the IP Security Monitor and Windows Firewall with Advanced Security snap-
ins, you can view IP security statistics and policies, determine if IPsec is failing
negotiations, and monitor IPsec statistics. Troubleshooting escalations are being
sent to you.
 Lab Instructions: Monitoring and Troubleshooting IPSec 3

Exercise 1: Monitoring IPSec Connectivity

Exercise Overview
In this exercise, you will enable an IPsec policy and then view the connection using
IP Security Monitor.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1 and 6421A-NYC-SVR1 virtual machines.
2. Create an IPsec negotiation policy on NYC-DC1.
3. Export the policy from NYC-DC1.
4. Import the security policy to NYC-SVR1.
5. Use IP Security Monitor to validate that the negotiation policy is working.

f Task 1: Start the 6421A-NYC-DC1 and 6421A-NYC-SVR1 virtual

machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Create an IPSec negotiation policy on NYC-DC1

1. Configure a couple of IPsec policies that secures TCP and UDP traffic by using
the Local Security Policy MMC found in Administrative Tools.
• Source Port: 445
• Destination Port: Any
2. Filter for IP traffic coming from any IP address going to any IP address.
4 Lab Instructions: Monitoring and Troubleshooting IPSec

f Task 3: Export the policy from NYC-DC1

• In the Local Security Policy MMC console, export the IPSec policies to a file on
NYC-SVR1 (save to D:\LabFiles\Module10\IPSecurityPolicy.ipsec).

f Task 4: Import the security policy to NYC-SVR1

• On NYC-SVR1, import the IPSec policies using the Local Security Policy MMC.

f Task 5: Use IP Security Monitor to validate that the negotiation policy

is working
1. Enable the IP Security Policies on both computers.
2. Using the Run command, load a blank console and add the IP Security
Monitor snap-in.
3. Establish a file connection share between NYC-SVR1 and NYC-DC1.
4. Monitor the secure connection information in the IP Security Monitor console.
 Lab Instructions: Monitoring and Troubleshooting IPSec 5

Exercise 2: Configuring Connection Security

Exercise Overview
In this exercise, you will configure a connection security rule in Windows Firewall
and Advanced Security, and then use the Security Associations mode to monitor
the connection.
The main tasks are as follows:
1. Disable the IP Security Policy that you created in the previous exercise.
2. Configure a Security Association rule in the Windows Firewall with Advanced
Security MMC.
3. Monitor the connection using the Security Association node.
4. Close all virtual machines, and discard undo disks.

f Task 1: Disable the IP Security Policy that you created in the previous
exercise
1. Disable the IP Security Policy on NYC-DC1.
2. Disable the IP Security Policy on NYC-SVR1.

f Task 2: Configure a Security Association rule in the Windows Firewall

with Advanced Security MMC
1. On NYC-DC1, open Windows Firewall with Advanced Security.
2. Create a new rule in Connection Security Rules.
3. Select a Server-to-Server rule with Any IP Address for Endpoints.
4. Select Require authentication for inbound and outbound connections.
5. Select PreShared Key with a password of Pa$$w0rd.
6. Apply the rule to the Domain, Private, and Public profiles.
7. Create the same rule on NYC-SVR1 and use the same Preshared Key.
6 Lab Instructions: Monitoring and Troubleshooting IPSec

f Task3: Monitor the connection using the Security Association node.

1. Establish communication between NYC-SVR1 and NYC-DC1.
2. Review the Main Mode and Quick Mode nodes to view the status of the
Connection Security rule.

f Task 4: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Monitoring and Troubleshooting IPSec 7

Exercise 3: Troubleshooting IPSec

Exercise Overview
In this exercise, you will review scenarios outlining common issues that can occur
when troubleshooting IPsec, and then you will discuss possible solutions.

Scenario 1
An administrator is attempting to connect to a remote computer and monitor its
IPsec connectivity. The administrator reports that he is unable to monitor the
remote server. You ask him use the Event Viewer to identify the problem, and in
doing so, the administrator notes the following error: “The IPsec server is
unavailable or incompatible with the IPsec monitor.”

Question: What can you do to resolve this issue?

Scenario 2
An administrator has configured and enabled an IPsec Security policy on a file
server that stores sensitive data files. The administrator also has created an Active
Directory-based policy and applied it to the organizational unit (OU) of clients that
are permitted access to the secure server. The next day, the Backup Administrator,
who must back up the secure server, reports that he was unable to access the
secure server from the backup server. The backup server’s computer account is
stored in an administrative OU separate from the client’s OU.

Question: Based on the information provided, why is the backup server unable to
access the secure server?
 Lab Instructions: Configuring and Managing Distributed File System 1

Module 11
Lab Instructions: Configuring and Managing
Distributed File System
Contents:
Exercise 1: Installing the Distributed File
System Role Service 4
Exercise 2: Creating a DFS Namespace 6
Exercise 3: Configuring Folder Targets and Folder
Replication 8
Exercise 4: Viewing Diagnostic Reports for
Replicated Folders 12
2 Lab Instructions: Configuring and Managing Distributed File System

Lab: Configuring DFS

Objectives
• Install the Distributed File System Role Service
• Create a DFS Namespace
• Configure Folder Targets and Folder Replication
• View Diagnostic Reports

Logon Information
• Virtual Machines: 6421A-NYC-DC1 and 6421A-NYC-SVR1
• User Name: WoodgroveBank\Administrator
• Password: Pa$$w0rd
 Lab Instructions: Configuring and Managing Distributed File System 3

Scenario
You are a Windows Infrastructure Services Technology Specialist for Woodgrove
Bank. To simplify file access for users and provide high availability and
redundancy, you will implement a DFS solution for a number of disparate file
shares. For this project, you must complete the following tasks:
• Install the Distributed Files System role service to include DFS namespaces
and DFS replication.
• Create a domain-based DFS namespace called CorpDocs with NYC-DC1 and
NYC-SVR1 as host namespace servers.
• Add the following Folders to the CorpDocs namespace:
• HRTemplates - folder target located on NYC-DC1
• PolicyFiles - folder target located on NYC-SVR1
• Configure availability and redundancy by adding additional folder targets and
replicating the folder targets in the CorpDocs namespace.
• Provide reports on the health of the CorpDocs folder replication.
4 Lab Instructions: Configuring and Managing Distributed File System

Exercise 1: Installing the Distributed File System Role

Service
In this exercise, you will install the Distributed File System Role Service on both
NYC-DC1 and NYC-SVR1. This will provide redundancy for the CorpDocs
namespace and allow clients to contact the namespace server within their own site.
The main tasks for this exercise are as follows:
1. Start each virtual machine and log on.
2. Disable Local Area Connection 2 on NYC-SVR1.
3. Install the Distributed File System Role Service on NYC-DC1.
4. Install the Distributed File System Role Service on NYC-SVR1.

f Task 1: Start each virtual machine and log on

1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Disable Local Area Connection 2 on NYC-SVR1

• On NYC-SVR1, disable the network adapter named Local Area Connection 2.
 Lab Instructions: Configuring and Managing Distributed File System 5

f Task 3: Install the Distributed File System Role Service on NYC-DC1

1. On NYC-DC1, start Server Manager.
2. Use the Add Roles Wizard to add the Distributed File System Role Service
including the DFS Namespaces and DFS Replication options.
3. Using the Server Manager Roles pane, verify that File Server, Distributed File
System, DFS Namespaces, and DFS Replication are installed.

f Task 4: Install the Distributed File System Role Service on NYC-SVR1

1. On NYC-SVR1, start Server Manager.
2. Use the Add Roles Wizard to add the Distributed File System Role Service
including the DFS Namespaces and DFS Replication options.
3. Using the Server Manager Roles pane, verify that File Server, Distributed File
System, DFS Namespaces, and DFS Replication are all installed.
6 Lab Instructions: Configuring and Managing Distributed File System

Exercise 2: Creating a DFS Namespace

In this exercise, you will create the CorpDocs DFS namespace. You also will
configure both NYC-DC1 and NYC-SVR1 to host the CorpDocs namespace to
provide redundancy.
The main tasks for this exercise are as follows:
1. Raise the domain functional level.
2. Use the New Namespace Wizard to create a new namespace.
3. Add an additional namespace server to host the namespace.

f Task 1: Raise the domain functional level

• On NYC-DC1, open Active Directory Users and Computers, and raise the
domain functional level to Windows Server 2008.

f Task 2: Use the New Namespace Wizard to create a new namespace

1. On NYC-DC1, start the DFS Management console.
2. Use the New Namespaces Wizard to create a namespace with the following
options:
• Namespace Server: NYC-DC1
• Namespace Name and Settings: CorpDocs
• Namespace Type: Domain-based namespace
3. In the left pane, click the plus sign next to Namespaces, and then click
\\WoodgroveBank.com\CorpDocs.
4. Verify that the CorpDocs namespace has been created on NYC-DC1.
 Lab Instructions: Configuring and Managing Distributed File System 7

f Task 3: Add an additional namespace server to host the namespace

1. On NYC-DC1, in the DFS Management console, use the Add Namespace
Server Wizard to add a new namespace server with the following options:
• Namespace server: NYC-SVR1
• Click Yes to start the Distributed File System service
2. In the left pane, click the plus sign next to Namespaces, and then click
\\WoodgroveBank.com\CorpDocs.
8 Lab Instructions: Configuring and Managing Distributed File System

Exercise 3: Configuring Folder Targets and Folder

Replication
In this exercise, you initially will create folder targets on two separate servers and
then verify that the CorpDocs namespace functions correctly. You then will add
availability and redundancy by creating additional folder targets and configuring
replication.
The main tasks for this exercise are as follows:
1. Create the HRTemplates folder, and configure a folder target on NYC-DC1.
2. Create the PolicyFiles folder, and configure a folder target on NYC-SVR1.
3. Verify the CorpDocs namespace functionality.
4. Create additional folder targets for the HRTemplates folder, and then
configure folder replication.
5. Create additional folder targets for the PolicyFiles folder, and then configure
folder replication.

f Task 1: Create the HRTemplates folder, and configure a folder target

on NYC-DC1
1. On NYC-DC1, in the DFS Management console, right-click
\\WoodgroveBank.com\CorpDocs.
2. Create a new folder called HRTemplates.
3. Add a new folder target called HRTemplateFiles using the following options:
• Click the New Shared Folder button.
• Share Name: HRTemplateFiles
• Local path of shared folder: C:\HRTemplateFiles
• Shared Folder Permissions: Administrators have full access; other users
have read-only permissions
4. In the console tree, click \\WoodgroveBank.com\CorpDocs.
5. In the details pane, click the Namespace tab. Notice that HRTemplates is
listed as an entry in the namespace.
 Lab Instructions: Configuring and Managing Distributed File System 9

6. In the console tree, expand \\WoodgroveBank.com\CorpDocs and then

click HRTemplates. In the details pane, notice that on the Folder Targets tab,
one folder target is configured.
7. Click the Replication tab, and notice that replication is not configured.

f Task 2: Create the PolicyFiles folder, and configure a folder target on

NYC-SVR1
1. On NYC-DC1, in the DFS Management console, right-click
\\WoodgroveBank.com\CorpDocs.
2. Create a new folder called PolicyFiles.
3. Add a new Folder target called PolicyFiles using the following options:
• Click the New Shared Folder button.
• Share Name: PolicyFiles
• Local path of shared folder: C:\Policyfiles
• Shared Folder Permissions: Administrators have full access; other users
have read-only permissions
4. In the console tree, expand \\WoodgroveBank.com\CorpDocs and then
click PolicyFiles. In the details pane, notice that on the Folder Targets tab,
one folder target is configured.

f Task 3: Verify the CorpDocs namespace functionality

1. On NYC-DC1, click Start and then click Run.
2. Access the \\WoodgroveBank\CorpDocs namespace, and verify that both
HRTemplates and PolicyFiles are visible. (If they are not visible, wait for
approximately five minutes to complete.)
3. In the HRTemplates folder, create a new Rich Text Document file called
VacationRequest.
4. In the PolicyFiles folder, create a new Rich Text Document file called
OrderPolicies.
10 Lab Instructions: Configuring and Managing Distributed File System

f Task 4: Create additional folder targets for the HRTemplates folder,

and then configure folder replication
1. On NYC-DC1, in the DFS Management console, add a folder target with the
following options:
• Path to folder target: \\NYC-SVR1\HRTemplates
• Create share: Yes
• Local Path of shared folder: C:\HRTemplates
• Shared folder permissions: Administrators have full access; other users
have read-only permissions
• Replication group: Yes
• Replication Group name: woodgrovebank.com\corpdocs\hrtemplates
• Replicated folder name: HRTemplates
• Primary member: NYC-DC1
• Topology: Full mesh
• Replication schedule: default
2. In the console tree, expand the Replication node, and then click
woodgrovebank.com\corpdocs\hrtemplates.
3. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.
 Lab Instructions: Configuring and Managing Distributed File System 11

f Task 5: Create additional folder targets for the PolicyFiles folder, and
then configure folder replication
1. On NYC-DC1, in the DFS Management console, add a folder target with the
following options:
• Path to folder target: \\NYC-DC1\PolicyFiles
• Create share: Yes
• Local Path of shared folder: C:\PolicyFiles
• Shared folder permissions: Administrators have full access; other users
have read-only permissions
• Replication group: Yes
• Replication Group name: woodgrovebank.com\corpdocs\policyfiles
• Replicated folder name: PolicyFiles
• Primary member: NYC-SVR1
• Topology: Full mesh
• Replication schedule: default
2. In the console tree, expand the Replication node, and then click
woodgrovebank.com\corpdocs\PolicyFiles.
3. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.
12 Lab Instructions: Configuring and Managing Distributed File System

Exercise 4: Viewing Diagnostic Reports for Replicated

Folders
In this exercise, you will generate a diagnostic report to view the folder replication
status.
The main tasks for this exercise are as follows:
1. Create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates.
2. Close all virtual machines, and discard undo disks.

f Task 1: Create a diagnostic report for

woodgrovebank.com\corpdocs\hrtemplates
1. On NYC-DC1, create a diagnostic report for
woodgrovebank.com\corpdocs\hrtemplates based upon the following
options:
• Type of Diagnostic Report or Test: health report
• Path and Name: default
• Members to include: NYC-DC1 and NYC-SVR1
• Options: Backlogged files enabled; Count replicated files enabled
2. Read through the report and take note of any errors or warnings. When you
are finished, close the Microsoft Internet Explorer® window.
3. Create a diagnostic report for the policyfiles replication group. Read through
the report and take note of any errors or warnings. When you are finished,
close the Internet Explorer window. Note that there may be errors reported if
replication has not yet begun or finished.

f Task 2: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Configuring and Managing Storage Technologies 1

Module 12
Lab Instructions: Configuring and Managing
Storage Technologies
Contents:
Exercise 1: Installing the FSRM Role Service 4
Exercise 2: Configuring Storage Quotas 5
Exercise 3: Configuring File Screening 7
Exercise 4: Generating Storage Reports 8
2 Lab Instructions: Configuring and Managing Storage Technologies

Lab: Configuring and Managing Storage

Technologies

Objectives
• Install the FSRM role service
• Configure storage quotas
• Configure file screening
• Generate storage reports using FSRM
 Lab Instructions: Configuring and Managing Storage Technologies 3

Logon Information
• Virtual Machines: 6421A-NYC-DC1 and 6421A-NYC-SVR1
• User Name: Administrator
• Password: Pa$$w0rd

Scenario
As the Windows Infrastructure Services (WIS) Technology Specialist, you have
been tasked with configuring storage on a server to comply with corporate
standards. You must create the storage with minimal long-term management by
utilizing file screening and quota management.
4 Lab Instructions: Configuring and Managing Storage Technologies

Exercise 1: Installing the FSRM Role Service

In this exercise, you will install the FSRM role service.
The main tasks for this exercise are as follows:
1. Start the NYC-DC1 and NYC-SVR1 virtual machines.
2. Install the FSRM server role on NYC-SVR1.

f Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines

1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Install the FSRM server role on NYC-SVR1

• Using Server Manager, install the File System Resource Manager role service.
The role service is located under the File Services role.
 Lab Instructions: Configuring and Managing Storage Technologies 5

Exercise 2: Configuring Storage Quotas

In this exercise, you must configure a quota template that allows users a maximum
of 100 MB of data in their user folders. When users exceed 85 percent of the quota,
or when they attempt to add files larger than 100 MB, an event should be logged to
the Event Viewer on the server.
The main tasks for this exercise are as follows:
1. Create a quota template.
2. Configure a quota based on the quota template.
3. Test that the quota is working by generating several large files.

f Task 1: Create a quota template

• In the File Server Resource Manager console, use the Quota Templates node
to configure a template that sets a hard limit of 100 MB on the maximum
folder size. Make sure this template also notifies the Event Viewer when the
folder reaches 85 percent and 100 percent capacity.

f Task 2: Configure a quota based on the quota template

1. Use the File Server Resource Manager console and the Quotas node to create
a quota in the D:\Labfiles\Module12\Users folder by using the quota
template that you created in Task 1.
2. Create an additional folder named User4 in the D:\Labfiles\Module12\Users
folder, and ensure that the new folder is listed in the quotas list.
6 Lab Instructions: Configuring and Managing Storage Technologies

f Task 3: Test that the Quota is working by generating several large files
1. Open a command prompt and use the fsutil file createnew file1.txt
89400000 command to create a file in the
D:\Labfiles\Module12\Users\User1 folder.
2. Check the Event Viewer for an Event ID of 12325.
3. Test that the quota works by attempting to create a file that is 16,400,000
bytes, and then press ENTER.
4. Enable NTFS folder compression for the D:\Labfiles\Module12\Users folder.
Check to see what effect this has in the Quota console. Try again to create a
file that is 16,400,000 bytes.
 Lab Instructions: Configuring and Managing Storage Technologies 7

Exercise 3: Configuring File Screening

In this exercise, you will configure file screening to monitor executable files.
The main tasks for this exercise are as follows:
1. Create a file screen.
2. Test the file screen.

f Task 1: Create a file screen

1. On NYC-SVR1, in the File Server Resource Manager console, use the File
Screens node to create a file screen that monitors executable files in the
D:\Labfiles\Module12\Users folder. When an executable is dropped into the
folder, the file screen will log an 8215 event in the Event Viewer.
2. Test the file screen by copying example.bat from D:\Labfiles\Module12 to
the D:\Labfiles\Module12\Users\User1 folder. Verify that the file screen is
working in the Event Viewer.

f Task 2: Test the file screen

1. Copy and paste D:\Labfiles\Module12\example.bat to
D:\Labfiles\Module12\Users\user1.
2. Open the Event Viewer and check the application log for Event ID 8215.
8 Lab Instructions: Configuring and Managing Storage Technologies

Exercise 4: Generating Storage Reports

In this exercise, you will generate an on-demand storage report.
The main tasks for this exercise are as follows:
1. Generate an on-demand storage report.
2. Close all virtual machines, and discard undo disks.

f Task 1: Generate an on-demand storage report

• In the File Server Resource Manager console, use the Generate reports now
option in the Reports node to generate a File Screening Audit and Quota
Usage report on the D:\Labfiles\Module12\Users folder.

f Task 2: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Configuring Availability of Network Resources and Content 1

Module 13
Lab Instructions: Configuring Availability of
Network Resources and Content
Contents:
Exercise 1: Configuring Windows Server Backup and
Restore 3
Exercise 2: Configuring Shadow Copying 6
Exercise 3: Configuring Network Load Balancing 8
2 Lab Instructions: Configuring Availability of Network Resources and Content

Lab: Configuring Availability of Network

Resources

Objectives
• Configure Windows Server Backup and Restore
• Configure shadow copies
• Configure and test Network Load Balancing

Scenario
The Windows Infrastructure Services (WIS) Technology Specialist has been tasked
with configuring disaster recovery restore and availability for all critical services.
 Lab Instructions: Configuring Availability of Network Resources and Content 3

Exercise 1: Configuring Windows Server Backup and

Restore
In this exercise, you will configure Windows Server Backup.
The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Open the Server Manager tool on 6421A-NYC-DC1.
3. Install the Windows Server Backup feature.
4. Create a share on 6421A-NYC-SVR.
5. Manually back up files to a network location.
6. Restore files from a network location.

f Task 1: Start the virtual machines, and then log on

1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

f Task 2: Open the Server Manager tool on 6421A-NYC-DC1

• If necessary, on 6421A-NYC-DC1, open Server Manager from the
Administrative Tools menu.
4 Lab Instructions: Configuring Availability of Network Resources and Content

f Task 3: Install the Windows Server Backup feature

1. On NYC-DC1, open Server Manager.
2. Using Server Manager, install the Windows Server Backup feature.
3. On the Installation Results page, verify that the Windows Server Backup
installation succeeded, and then click Close.
4. Close Server Manager.

f Task 4: Create a share on 6421A-NYC-SVR1

1. On NYC-SVR1, open the Computer Management administrative tool.
2. In the Computer Management list pane, expand Shared Folders, and then
right-click Shares.
3. In the context menu that appears, click New Share.
4. Using the New Share Wizard, create a new share on the C:\ drive called
NetBackup.
5. On the Shared Folder Permissions page, select Administrators have full
access; other users have no access, and then click Finish.

f Task 5: Manually back up files to a network location

1. On NYC-DC1, open the Windows Server Backup administrative tool from the
Start menu, Administrative Tools location.
2. On the Actions pane of the Windows Server Backup (Local) window, select
Backup Once.
3. On the Backup Options page of the Backup Once Wizard, click Next.
4. On the Specify backup type page, select Custom, and then click Next.
5. On the Select backup items page, clear the Enable system recovery and
Local Disk (C:), checkboxes, select Allfiles (D:), and then click Next.
6. On the Specify destination type page, select Remote Shared Folder, and then
click Next.
7. On the Specify Remote Folder page, type the path \\NYC-SVR1\NetBackup,
and then click Next.
 Lab Instructions: Configuring Availability of Network Resources and Content 5

8. On the Specify VSS backup type page, select VSS full backup, and then click
Next.
9. On the Confirmation page, click Backup.
10. On the Backup Progress page, verify the status is Backup Completed, and
then click Close.

f Task 6: Restore files from a network location

1. Click Start, click Computer, and then double-click Allfiles (D:).
2. In the details pane of the Allfiles (D:) window, delete the AllFiles directory,
and then close the Allfiles (D:) window.
3. On the Windows Server Backup page, under Actions, select Recover.
4. On the Recovery Wizard, Getting started page, select Another server, and
then click Next.
5. On the Specify Location Type page, select Remote shared folder, and then
click Next.
6. On the Specify remote folder page, type \\NYC-SVR1\NetBackup, and then
click Next.
7. On the Select backup date page, click today’s date (in bold), and then click
Next.
8. On the Select recovery type page, accept the default of Files and folders, and
then click Next.
9. On the Select Items to Recover page, expand NYC-DC1, expand Allfiles (D:),
select Labfiles, and then click Next.
10. On the Specify recovery options page, accept the default settings, and then
click Next.
11. On the Confirmation page, click Recover.
12. In the Recovery Progress window, verify the status is Restore of Files
completed, and then click Close.
13. Close the Windows Server Backup tool.
6 Lab Instructions: Configuring Availability of Network Resources and Content

Exercise 2: Configuring Shadow Copying

In this exercise, you will configure and test shadow copies.
The main tasks are as follows:
1. Enable shadow copies on a volume.
2. Change a file in a share location.
3. Manually create a shadow copy.
4. View the file previous versions, and restore to a previous version.

f Task 1: Enable shadow copies on a volume

1. On NYC-DC1, open the Computer Management console.
2. In the Computer Management window console tree, right-click Shared
Folders, point to All Tasks, and then click Configure Shadow Copies.
3. In the Shadow Copies dialog box, select volume D:\, and then click Enable.
4. In the Enable Shadow Copies dialog box that appears, click Yes, and then
click OK.
5. Do not close the Computer Management console.

f Task 2: Change a file in a share location

1. On NYC-CL1, click Start, and in the search text box type \\NYC-
DC1\shadow.
A window will open with the Shadow share contents visible.
2. Open the shadowtest.txt file.
3. Add the following text to the end of the text file:
This is my text that I am adding to the file.
4. Save and close the shadowtest.txt file.
 Lab Instructions: Configuring Availability of Network Resources and Content 7

f Task 3: Manually create a shadow copy

1. On NYC-DC1, in the Computer Management console, right-click Shared
Folders, point to All Tasks, and then click Configure Shadow Copies.
2. In the Shadow Copies dialog box, select volume D:\, and then click Create
Now.
The shadow copies of the selected volume should have two entries listed.
3. Close the Computer Management console.

f Task 4: View the previous file versions, and restore to a previous

version
1. On NYC-CL1, click Start, type \\NYC-DC1\shadow in the Search text box,
and then press ENTER.
2. Right-click shadowtest.txt and select Properties from the context menu.
3. In the shadowtest Properties dialog box, click the Previous Versions tab.
4. Under File Versions, you will see the last shadow copy that you created. Click
Open to view the file contents. The file you are viewing should be the previous
file version that you modified with text.
5. Close the file and select Restore from the Previous Versions window to
restore the file to its previous state before any changes were made.
6. In the Previous Versions dialog box, click OK.
7. Click OK to close the shadowtest Properties dialog box.
8 Lab Instructions: Configuring Availability of Network Resources and Content

Exercise 3: Configuring Network Load Balancing

In this exercise, you will configure Network Load Balancing.
The main tasks are as follows:
1. Install the Network Load Balancing feature on NYC-DC1 and NYC-SVR1.
2. Configure Network Load Balancing on NYC-DC1 and NYC-SVR1.
3. Install and share an IP-based printer on both NYC-DC1 and NYC-SVR1.
4. Use NYC-CL1 to connect to the NLB virtual IP address.
5. Close all virtual machines, and discard undo disks.

f Task 1: Install the Network Load Balancing feature on NYC-DC1 and

NYC-SVR1
1. On NYC-DC1, open Server Manager.
2. In the Server Manager list pane, right-click Features, and install Network
Load Balancing.
3. On the Results page, verify the installation succeeded, and then close the Add
Features Wizard.
4. Repeat steps 1 through 3 for NYC-SVR1.
5. Close Server Manager on both NYC-DC1 and NYC-SVR1.

f Task 2: Configure Network Load Balancing on NYC-DC1 and NYC-

SVR1
1. On NYC-DC1, open Network Load Balancing Manager.
2. In the Network Load Balancing Manager console, right-click Network Load
Balancing Clusters in the list pane, and then click New Cluster.
3. In the New Cluster: Connect dialog box, type the hostname NYC-DC1, and
then click Connect. You should see the Interface Name section populate with
that interface’s Local Area Connection and IP address. Click Next.
4. In the New Cluster: Host Parameters dialog box, verify the default state is
Started, and then click Next.
 Lab Instructions: Configuring Availability of Network Resources and Content 9

5. In the New Cluster: Cluster IP Addresses dialog box, click Add, and specify
an IPv4 cluster IP of 10.10.0.100 with a Subnet Mask of 255.255.0.0, and
then click OK.
6. In the New Cluster: Cluster Parameters dialog box, type a Full Internet
Name of printSVR.woodgrovebank.com. Specify a cluster operation mode of
Multicast, and then click Next.
7. In the New Cluster: Port Rules dialog box, click Finish.
8. In the Network Load Balancing Manager console list pane, right-click
printSVR.woodgroovebank.com, and then click Add Host to Cluster from
the context menu.
9. In the Add Host to Cluster: Connect dialog box, specify the host as NYC-
SVR1, and then click Connect.
10. In the Interfaces available for configuring the cluster, click Local Area
Connection, and then click Next.
11. In the Add Host to Cluster: Host Parameters dialog box, accept the default
settings, and then click Next.
12. In the Add Host to Cluster: Port Rules, accept the default settings, and then
click Finish.
13. Close the Network Load Balancing Manager console window.

f Task 3: Install and share an IP-based printer on both NYC-DC1 and

NYC-SVR1
1. On NYC-DC1, click Start, click Control Panel, and then double-click the
Printers applet.
2. In the Printers console details pane, double-click Add Printer.
3. Add a local printer with a Standard TCP/IP Port with an address of
10.10.0.80. Clear the Query the printer and automatically select the driver
to use check box, and then click Next.
4. Wait for the detection of the TCP/IP port to complete, and then in the
Additional Port information Required dialog box, click Next.
5. In the Install the printer driver dialog box, specify the manufacturer of HP
and the printer model of LaserJet 6MP, and then click Next.
10 Lab Instructions: Configuring Availability of Network Resources and Content

6. In the Type a printer name dialog box, accept the default settings, and then
click Next.
7. In the Printer Sharing dialog box, accept the default name, and then click
Next.
8. In the You’ve successfully added HP LaserJet 6MP dialog box, click Finish.
9. Close the Printers control panel applet.
10. Repeat steps 1 through 9 on NYC-SVR1.

f Task 4: Use NYC-CL1 to connect to the NLB virtual IP address

1. On NYC-CL1, click Start, type \\10.10.0.100 in the Start Search text box,
and then press ENTER.
2. Take note of the available NLB cluster resources.

f Task 5: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Instructions: Configuring Server Security Compliance 1

Module 14
Lab Instructions: Configuring Server Security
Compliance
Contents:
Exercise 1: Configuring and Analyzing Security 3
Exercise 2: Analyzing Security Templates 5
Exercise 3: Configuring Windows Software Update
Services 7
2 Lab Instructions: Configuring Server Security Compliance

Lab: Configuring Server Security Compliance

Objectives
• Configure and analyze security using the Security Configuration Wizard
(SCW).
• Use the Security Configuration and Analysis Wizard to analyze security
templates.
• Configure Windows Software Update Services (WSUS).

Scenario
As the Windows Infrastructure Services Technology Specialist, you have been
tasked with configuring and managing server and client security patch compliance.
You must ensure systems maintain compliance with corporate standards.
 Lab Instructions: Configuring Server Security Compliance 3

Exercise 1: Configuring and Analyzing Security

In this exercise, you will configure and analyze security using the Security
Configuration Wizard.
The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Open the Security Configuration Wizard on 6421A-NYC-SVR1, and use the
wizard to configure security for a particular server role.

f Task 1: Start the virtual machines, and then log on

1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL2, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

f Task 2: Open the Security Configuration Wizard on NYC-SVR1

1. On NYC-SVR1, open the Security Configuration Wizard from the
Administrative Tools menu.
2. On the Welcome to the Security Configuration Wizard page, click Next.
3. On the Configuration Action page, under Select the action you want to
perform, ensure that Create a new security policy is selected, and then click
Next.
4. On the Select Server page, verify the server specified in the Server text box is
NYC-SVR1, and then click Next.
5. On the Processing Security Configuration Database page, wait for the
process to complete, and then select View Configuration Database.
4 Lab Instructions: Configuring Server Security Compliance

6. When the Security Configuration Wizard (SCW) Viewer opens, a Microsoft

Internet Explorer® message box may appear asking for permission to allow an
Active X control. Click Yes in this message box.
7. Scroll through and read the list of Server Roles, Client Features,
Administration and Other Options, Services and Windows Firewall.
8. Close SCW Viewer, and then click Next.
9. On the Role-Based Service Configuration, Select Server Roles, Select Client
Features, Select Administration and Other Options, and Select Additional
Services pages, accept the default settings, and then click Next.
10. On the Handling Unspecified Services page, verify that Do not change the
startup mode of the service is selected, and then click Next.
11. On the Confirm Service Changes page, scroll through the list and note which
ones are being disabled, and then click Next.
12. On the Network Security page, click Next to start configuring network
security.
13. On the Network Security Rules page, scroll through the list of ports that will
be opened, and then click Next.
14. On the Registry Settings and Audit Policy pages, select Skip this section, and
then click Next.
15. On the Save Security Policy page, click Next.
16. On the Security Policy File Name page, specify a name of
NewMemberSVR.xml at the end of the
C:\Windows\Security\msscw\Policies path that is listed, and then click
Next.
17. On the Apply Security Policy page, select Apply Now, and then click Next.
The Applying Security Policy page appears, and the wizard prepares and
applies the policy.
19. When Application Complete appears above the status bar, click Next.
20. On the Completing the Security Configuration Wizard page, click Finish.
 Lab Instructions: Configuring Server Security Compliance 5

Exercise 2: Analyzing Security Templates

In this exercise, you will analyze security templates.
The main tasks are as follows:
1. Create a customized Microsoft Management Console (MMC).
2. Analyze current computer settings against secure template settings.
3. Configure the computer with the secure template settings.

f Task 1: Create a customized Microsoft Management Console (MMC)

1. On NYC-SVR1, create a custom MMC with the Security Templates and
Security Configuration and Analysis snap-ins.
2. Using the Console1 MMC created above, create a new template with a name of
Secure.
3. Expand the Secure policy, expand Local Policies, and then select Security
Options.
4. Double-click Interactive Logon: Do not display last user name.
5. Select the Define this policy setting in the template check box, click
Enabled, and then click OK.
6. Save the Secure template.
7. Leave the Console1 MMC open for the next task.

f Task 2: Analyze current settings against secure template settings

1. In the Console1 MMC list pane, right-click Security Configuration and
Analysis, and then click Open Database.
2. In the Open Database dialog box, type a file name of Secure, and then click
Open.
3. In the Import Template dialog box, select the Secure template, and then click
Open.
4. In the Console1 MMC list pane, right-click Security Configuration and
Analysis, and then click Analyze Computer Now.
5. In the Perform Analysis dialog box, click OK to accept the default log name.
6 Lab Instructions: Configuring Server Security Compliance

6. When the analysis is complete, in the list pane, expand Security

Configuration and Analysis, expand Local Policies, and then select Security
Options.
7. Scroll down to Interactive Logon: Do not display last user name and
compare the database setting to the computer setting. You should see a red “x”
on the item, which indicates that the settings are different between the
computer and database settings.
8. Leave the Console1 MMC open for the next task.

f Task 3: Configure the computer with the secure template settings

1. In the Console1 MMC window list pane, right-click Security Configuration
and Analysis, and then select Configure Computer Now from the available
options.
The template is applied to the computer.
2. From the list pane of the Console1 MMC, right-click Security Configuration
and Analysis, and then select Analyze Computer Now.
3. In the Perform Analysis dialog box, click OK to accept the default log.
4. When the analysis is complete, expand Local Policies, and then select
Security Options.
5. Scroll down to Interactive Logon: Do not display last user name, and verify
that a check mark appears indicating that the database and computer settings
are the same.
6. Close the Console1 MMC window.
 Lab Instructions: Configuring Server Security Compliance 7

Exercise 3: Configuring Windows Software Update Services

In this exercise, you will configure WSUS.
The main tasks are as follows:
1. Use the Group Policy Management Console to create and link a GPO to the
domain to configure client updates.
2. Use the WSUS administration tool to configure WSUS properties.
3. Create a computer group, and add NYC-CL2 to the new group.
4. Approve an update for Windows Vista clients.
5. Close all virtual machines, and discard undo disks.

f Task 1: Use the Group Policy Management Console to create and link
a GPO to the domain to configure client updates
1. On NYC-DC1, open Group Policy Management from the Administrative
Tools menu.
2. In the list pane, right-click WoodGroveBank.com, click Create a GPO in this
domain, and Link it here, and name the GPO WSUS.
3. Right-click the WSUS GPO link under WoodGroveBank.com, and then click
Edit.
4. In the Group Policy Management Editor window, expand Computer
Configuration, expand Policies, expand Administrative Templates, expand
Windows Components, and then click Windows Update.
5. In the details pane, double-click Configure Automatic Updates.
6. In the Configure Automatic Updates Properties dialog box, on the Settings
tab, select Enabled. In the Configure automatic updating drop-down list,
click 4 - Auto download and schedule the install, and then click Next
Setting.
7. On the Specify intranet Microsoft update service location Properties page,
on the Settings tab, select Enabled. Under Set the intranet update service for
detecting updates and under Set the intranet statistics server, type
http://NYC-SVR1 in the text boxes, and then click Next Setting.
8. On the Automatic Updates detection frequency Properties page, select
Enabled, and then click OK.
8 Lab Instructions: Configuring Server Security Compliance

9. Close the Group Policy Management Editor, and then close the Group Policy
Management tool.
10. On NYC-CL2, open a command prompt.
11. At the command prompt, type gpupdate /force, and then press ENTER.
12. At the command prompt, type wuauclt /detectnow, and then press ENTER.
13. Close the command window on NYC-CL2.

f Task 2: Use the WSUS administration tool to configure WSUS

properties
1. On NYC-SVR1, open Microsoft Windows Server Update Services 3.0 SP1 from
the Administrative Tools menu.
2. In the Update Services administrative tool window, in the list pane under
NYC-SVR1, click Options.
3. Using the details pane, view the configuration settings available in WSUS, and
click Cancel for each item when complete.

f Task 3: Create a computer group, and add NYC-CL2 to the new group
1. In the list pane, expand Computers, and then select All Computers.
2. In the Actions pane, click Add Computer Group, and name the group HO
Computers.
3. Change membership of the nyc-cl2.woodgrovebank.com computer object so
that it is a part of the HO Computers group.
 Lab Instructions: Configuring Server Security Compliance 9

f Task 4: Approve an update for Vista clients

1. In the Update Services administrative tool, in the list pane, expand Updates,
and then click Critical Updates.
2. In the details pane, change both the Approval and Status filters to Any, and
then click Refresh. Notice all of the updates available.
3. In the Critical Updates details pane, right-click Update for Windows Vista
(KB936357), and then select Approve from the context menu.
4. In the Approve Updates window that appears, click the arrow next to All
Computers, select Approved for Install, and then click OK.
5. On the Approval Progress page, when the process is complete, click Close.

Note: Notice that a message appears stating that the update is approved, but must
be downloaded to complete.

6. In the Update Services console, click Reports.

7. View the various WSUS reports available, and determine how many updates
NYC-CL2 requires.

f Task 5: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
 Lab Answer Key: Installing and Configuring Servers 1

Module 1
Lab Answer Key: Installing and Configuring
Servers
Contents:
Exercise 1: Identifying Server Types 2
Exercise 2: Installing and Configuring Server Roles
and Features 3
Exercise 3: Configuring Server Core and Performing
Basic Management Tasks 5
2 Lab Answer Key: Installing and Configuring Servers

Lab: Installing and Configuring

Servers and Server Roles
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Identifying Server Types

Question: After reading the scenario, which installation type best suits Terminal
Services--Core or Standard? Why?
Answer: The Standard install is the only suitable choice since there is no graphical
user interface (GUI) available when you install Terminal Services on a Core
installation.
Question: Would the Core installation be suitable for the Domain Name System
(DNS) server? If so, are there any shortcomings to configuring the server to host
this role?
Answer: Yes, given the scenario where remote administration will be used and
security is a concern, the Core installation offers both requirements. The
shortcomings would be that the administrators need to be command-line savvy to
install, configure, and maintain the installed Roles and Features on a Core
installation.
Question: What benefits would you realize by using the Core installation option
for the DNS server role?
Answer: Benefits could include reduced administrative effort, reduced
maintenance because only a portion of the operating system is installed, and lastly,
a very small attack footprint would exist for the Core installation.
Question: What roles and features are needed on the servers to meet the given
scenario’s requirements?
Answer: For the Standard install, you need to install the Terminal Services Role
and the Windows Server Backup feature. For the Core install, the DNS Server Core
role needs to be installed. Exercise 1: Title.

Note: You also must configure the server for remote administration and open the
ports necessary for the installed Roles and Features.
 Lab Answer Key: Installing and Configuring Servers 3

Exercise 2: Installing and Configuring Server Roles and

Features
f Task 1: Start the virtual machines, and log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Start the Server Manager console

• On NYC-SVR1, click Start, point to Administrative Tools, and then click
Server Manager.

f Task 3: From Server Manager, install the Terminal Services role.

1. In the Server Manager list pane, right-click Roles, and click Add Roles from
the context menu. The Add Roles Wizard starts.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, select the Terminal Services check box, and
then click Next.
4. On the Terminal Services page, click Next.
5. On the Select Role Services page, select the Terminal Server check box, and
then click Next.
6. On the Uninstall and Reinstall Applications for Compatibility page, click
Next.
7. On the Specify Authentication Method for Terminal Server page, click Do
not require Network Level Authentication, and then click Next.
8. On the Specify Licensing Mode page, click Next to accept the default setting
to configure later.
4 Lab Answer Key: Installing and Configuring Servers

9. On the Select User Groups Allowed Access To This Terminal Server, click
Next.
10. On the Confirm Installation Selections page, click Install.
The Terminal Services Role installation begins.
11. On the Installation Results page, click Close, and then click Yes in the Do
you want to restart now? dialog box.

f Task 4: View the Installation Results

1. Log on to NYC-SVR1 with the user name Woodgrovebank\administrator
and the password Pa$$w0rd.
Upon successful logon, Server Manager opens, and the Terminal Services
configuration resumes.
2. Once complete, Installation succeeded appears in the details pane. Click
Close to exit the Installation Results page. Do not close Server Manager.

f Task 5: Install the Server Backup feature from the Server Manager
console
1. In the Server Manager list pane, right-click Features, and then click Add
Features. The Add Features Wizard appears.
2. On the Select Features page, select the Windows Server Backup Features
check box, and then click Next.
3. On the Confirm Installation Selections page of the wizard, click Install.
Installation of the chosen feature begins.
4. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close. Do not close Server Manager.
The Windows Server Backup feature is installed.
 Lab Answer Key: Installing and Configuring Servers 5

f Task 6: Verify the Terminal Services and Windows Server Backup tools
are installed by using the Roles Summary and Features Summary in
Server Manager
1. In the list pane of Server Manager, verify that Server Manager (NYC-SVR1) is
selected.
2. Using the scroll bar in the details pane, scroll down until the Roles Summary
is visible, and verify that Terminal Services is listed.
3. Scroll down to Features Summary, and verify that Windows Server Backup
appears.
4. Close Server Manager.

Exercise 3: Configuring Server Core and Performing Basic

Management Tasks
f Task 1: Start the 6421A-NYC-SVR2 virtual machine
1. Restore the Lab Launcher window.
2. In the Lab Launcher, next to 6421A-NYC-SVR2, click Launch.
3. Minimize the Lab Launcher window.

f Task 2: Log on to the Server Core installation

1. On the keyboard, press RIGHT-ALT+DELETE.
2. In the Password text box, type Pa$$w0rd, and then click the arrow.

f Task 3: Use command-line tools to set parameters in the Server Core

virtual machine
• Computername=NYC-DNSSVR2
• IP address=10.10.0.12
• Mask=255.255.0.0
• Gateway=10.10.0.1
• DNS=10.10.0.10
6 Lab Answer Key: Installing and Configuring Servers

1. To determine the current default assigned computer name, type set in the
command window.
2. Locate the computer name attribute, and write it down.
3. To change the computer name, type the following command, and then press
ENTER: Netdom renamecomputer NYC-SVR2 /NewName:NYC-DNSSVR2
4. When prompted, type y for yes, and then press ENTER.
5. In the command window, type the following command to set the static IP
address: Netsh interface ipv4 set address name= “local area connection”
source=static address=10.10.0.12 mask=255.255.0.0 gateway=10.10.0.1,
and then press ENTER.
6. In the command window, type the following command to set the primary DNS
server, and then press ENTER: Netsh interface ip set dns “local area
connection” static 10.10.0.10 primary.
7. At the command prompt, type ipconfig /all, and then press ENTER to verify
the IP address assignment.
8. On the keyboard press RIGHT-ALT+DELETE
9. Choose to restart the computer by clicking Shutdown options in the lower
right-hand pane of the window, and click Restart.
10. In the Shutdown Event Tracker window, click Operating System:
Reconfiguration (Planned), and then click OK. The server restarts.
11. Log on to the server with the user name Administrator and a password of
Pa$$w0rd.

f Task 4: Connect the server to the WoodgroveBank.com domain

1. In the command prompt window, at the command prompt, type the following
command, and then press ENTER: netdom join NYC-DNSSVR2
/domain:WoodgroveBank.com /Userd:Administrator /passwordD:*
2. At the command prompt, type the following command, and then press
ENTER: Pa$$w0rd

Note: Your keystrokes will not be reflected on the screen. You will receive a
message that the command completed successfully and that you need to restart
the computer.
 Lab Answer Key: Installing and Configuring Servers 7

3. At the command prompt, press RIGHT-ALT+DELETE, click the Shut down

options icon, and then click Restart. The Shut Down Windows dialog box
appears.
4. In the Option box of the Shut Down Windows dialog box, click Operating
System: Reconfiguration (Planned), and then click OK.

f Task 5: Log in to the Server Core installation

1. Press RIGHT-ALT+DELETE.
2. Specify the password Pa$$w0rd for the administrator, and then click
Forward.
3. You are now logged on.

f Task 6: Verify the firewall configuration

• Use the netsh command to view the current firewall configuration. Type the
following command in the command window, and then press ENTER: Netsh
firewall show state

Note: Notice that the Firewall status shows that the Operational mode is set to
Enable. This means that the Windows Firewall is enabled, but no specific ports are
open.

f Task 7: Use the Netsh command to open ports

1. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening ALL 53 DNS-server
2. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening TCP 135 remote-admin
3. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening UDP 137 netbios-ns
4. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening UDP 138 netbios-dgm
8 Lab Answer Key: Installing and Configuring Servers

5. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening TCP 139 netbios-ssn
6. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening TCP 445 netbios-ns
7. At the command prompt, type the following command, and then press
ENTER: netsh firewall show config

Note: Notice that in the Service configuration for Domain profile, File and Printer
Sharing and Remote Desktop services are set to enable, and both TCP and UDP
port 53 are open for the DNS server.

f Task 8: View the current status of roles, and install the DNS server role
1. In the command prompt window, at the command prompt, type the following
command, and then press ENTER: oclist

Note: Verify that no server roles are installed.

2. Use the Ocsetup.exe and oclist commands to install the DNS server by typing
the following at the command prompt and then press ENTER: start /w
ocsetup DNS-Server-Core-Role

Note: The server role name is case sensitive.

3. At the command prompt, type the following command, and then press
ENTER: oclist

Note: Verify that the DNS-Server-Core-Role is installed.

 Lab Answer Key: Installing and Configuring Servers 9

f Task 9: Manage the server by using DNS Manager from a remote

computer
1. On NYC-DC1, click Start, point to Administrative Tools, and then click DNS.
2. Right-click DNS, and then click Connect to DNS Server.
3. On the Connect to DNS Server box, select the option next to The following
computer, and then type NYC-DNSSVR2. Click OK.
4. Use the DNS console to create a forward lookup zone for Contoso.com:

f Task 10: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Configuring and Troubleshooting DNS 1

Module 2
Lab Answer Key: Configuring and
Troubleshooting DNS
Contents:
Exercise 1: Configuring a DNS Infrastructure 2
Exercise 2: Monitoring and Troubleshooting DNS 6
2 Lab Answer Key: Configuring and Troubleshooting DNS

Lab: Configuring and Verifying a

DNS Solution
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Configuring a DNS Infrastructure

f Task 1: Start the virtual machines and log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Configure the DNS Server role on NYC-SVR1

1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the Server Manager console, click Roles.
3. In the details pane, click Add Roles.
4. In the Add Roles Wizard, click Next.
5. On the Select Server Roles page, select the DNS Server check box, and then
click Next.
6. Click Next, and then click Install.
7. After the installation procedure is complete, click Close.
8. Close the Server Manager console.
 Lab Answer Key: Configuring and Troubleshooting DNS 3

f Task 3: Configure the Contoso.msft zone on NYC-SVR1

1. On NYC-SVR1, click Start, point to Administrative tools, and then click DNS.
2. In the list pane, expand NYC-SVR1, and then click Forward Lookup Zones.
3. Right-click Forward Lookup Zones, and then click New Zone.
4. In the New Zone Wizard, click Next.
5. Ensure that Primary zone is selected, and then click Next.
6. Type Contoso.msft in the Zone name text box, and then click Next.
7. Leave the default options in the Zone File dialog box, and then click Next.
8. Leave the default options in the Dynamic Update dialog box, and then click
Next.
9. Review the settings, and then click Finish.

f Task 4: Configure the Nwtraders.msft zone on NYC-DC1

1. On NYC-DC1, If Server Manager console is already open, then close the Server
Manager console.
2. Click Start, point to Administrative tools, and then click DNS.
3. In the list pane, ensure NYC-DC1 is expanded, and ensure that Forward
Lookup Zones is already clicked.
4. Right-click Forward Lookup Zones, and then click New Zone.
5. In the New Zone Wizard, click Next.
6. Ensure Primary Zone is selected, ensure that Store the zone in Active
directory is selected, and then click Next.
7. Leave the default options in the Active Directory Zone Replication Scope
dialog box, and then click Next.
8. Type nwtraders.msft in the Zone name text box, and then click Next.
9. Leave the default options in the Dynamic Update dialog box, and then click
Next.
10. Review the settings, and then click Finish.
4 Lab Answer Key: Configuring and Troubleshooting DNS

f Task 5: Configure zone transfer security

1. On NYC-DC1, in the DNS console, expand NYC-DC1, and then expand
Forward Lookup Zones.
2. Click nwtraders.msft.
3. Right-click nwtraders.msft, and then click Properties.
4. In the nwtraders.msft properties dialog box, click Zone Transfers.
5. Select Allow zone transfers, and then select Only to the following servers.
6. Click the Edit button, and in the Allow Zone Transfers dialog box, click Click
here to add, type: 10.10.0.24, and then press ENTER. Click OK.
7. Click OK to close the nwtraders.msft Properties dialog box.
8. On NYC-SVR1, click Start, point to Administrative tools, and then click DNS.
9. In the left-hand pane, expand NYC-SVR1, and then expand Forward Lookup
Zones. Click Contoso.msft.
10. Right-click Contoso.msft, and then click Properties.
11. In the Contoso.msft Properties dialog box, click Zone Transfers.
12. Ensure Allow zone transfers is selected, and then select Only to the
following servers.
13. Click Edit, and in the Allow Zone Transfers dialog box, click Click Here to
add, type: 10.10.0.10, and then press ENTER. Click OK.
14. Click OK to close the Contoso.msft Properties dialog box.

f Task 6: Configure secondary zones for each domain

1. On NYC-DC1, in the DNS console, click Forward Lookup Zones.
2. Right-click Forward Lookup Zones, and then click New Zone.
3. In the New Zone Wizard, click Next.
4. Select Secondary zone, and then click Next.
5. Type Contoso.msft in the text box, and then click Next.
6. Type 10.10.0.24, the address of the primary zone server for contoso.msft,
press ENTER, and then click Next.
 Lab Answer Key: Configuring and Troubleshooting DNS 5

7. On the last page of the New Zone Wizard, click Finish.

8. Click Contoso.msft, and verify that records appear in the details pane. Notice
that NYC-SVR1 is shown as the Start of Authority.
9. On NYC-SVR1, in the DNS console, click Forward Lookup Zones.
10. Right-click Forward Lookup Zones, and then click New Zone.
11. In the New Zone Wizard, click Next.
12. Select Secondary zone, and click Next.
13. Type nwtraders.msft in the text box, and then click Next.
14. Type 10.10.0.10, the address of the primary zone server for nwtraders.msft,
press ENTER, and then click Next.
15. On the last page of the New Zone Wizard, click Finish.
16. Click nwtraders.msft, and verify that records appear in the details pane.
Notice that NYC-DC1 is shown as the Start of Authority.

f Task 7: Configure a stub zone for WoodgroveBank.com

1. On NYC-SVR1, in the DNS console, click Forward Lookup Zones.
2. Right-click Forward Lookup Zones, and then click New Zone.
3. In the New Zone Wizard, click Next.
4. Select Stub zone, and then click Next.
5. Type WoodgroveBank.com in the text box, and then click Next.
6. Leave the default options in the Zone File dialog box, and then click Next.
7. Type 10.10.0.10, the address of the DNS server for WoodgroveBank.com,
press ENTER, and then click Next.
8. On the last page of the New Zone Wizard, click Finish.

f Task 8: Configure administrative options for the Nwtraders.msft

domain
1. On NYC-DC1, in the DNS console, click Forward Lookup Zones.
2. In the list pane, ensure Forward Lookup Zones is already expanded.
6 Lab Answer Key: Configuring and Troubleshooting DNS

3. Right-click on nwtraders.msft, and then click Properties.

4. In the nwtraders.msft Properties dialog box, click Security, and then click
Add.
5. In the Select Users, Computers, or Groups dialog box, type DL Nwtraders
DNS Admins, and then click OK.
6. Select DL Nwtraders DNS Admins in the top pane. In the lower pane, select
Read, Write, Create all Child objects, and Delete all child objects, and then
click OK.
7. Close the DNS Manager console on NYC-DC1.

Exercise 2: Monitoring and troubleshooting DNS

f Task 1: Test simple and recursive queries
1. On NYC-DC1, click Start, click Administrative tools, and then click DNS.
2. In the list pane, right-click NYC-DC1, and then click Properties.
3. Click the Monitoring tab.
4. On the Monitoring tab, select A simple query against this DNS Server, and
then click Test Now.
5. On the Monitoring tab, ensure A recursive query to other DNS servers is
selected, and then click Test Now. Notice the Recursive test fails for NYC-DC1,
which is normal given that there are no forwarders configured for this DNS
server to use.
6. Click Start, click Run, type: sc stop dns, and then click OK.
7. On the Monitoring tab, click Test Now. Now, both Simple and Recursive tests
fail.
8. Click Start, click run, type: sc start dns, and then click OK.
9. On the Monitoring tab, click Test Now. The Simple test completes
successfully.
10. Close the NYC-DC1 Properties dialog box.
 Lab Answer Key: Configuring and Troubleshooting DNS 7

f Task 2: Verify SOA records by using Nslookup

1. On NYC-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type nslookup.exe, and then press ENTER.
3. In the command window, at the nslookup prompt, type set querytype=SOA,
and then press ENTER.
4. In the command window, at the nslookup prompt, type nwtraders.msft, and
then press ENTER.
5. In the command window, at the nslookup prompt, type contoso.msft, and
then press ENTER.
6. Close the command prompt.

f Task 3: Use Dnslint to verify name server records

1. On NYC-DC1 click Start, and then click Command Prompt.
2. At the command prompt, type D:, and then press ENTER.
3. At the command prompt, type CD Labfiles, and then press ENTER.
4. At the command prompt, type dnslint, and then press ENTER. Notice the
command-line help associated with dnslint.
5. At the command prompt, type dnslint /s 10.10.0.10 /d nwtraders.msft, and
then press ENTER.
6. Read through the report results, and then close the report window.
7. Close the command prompt.

f Task 4: View performance statistics by using the Performance console

1. On NYC-DC1, click Start, right-click Computer, and then click Manage.
2. In the list pane of the Server Manager window, expand Diagnostics, expand
Reliability and Performance, expand Monitoring Tools, and then click
Performance Monitor.
3. In the center pane, click the green plus icon.
4. In the Available counters list, double-click DNS.
8 Lab Answer Key: Configuring and Troubleshooting DNS

5. Select Total Query Received, and then click Add.

6. Select Total Query Received/sec, click Add, and then click OK.
7. Click Start, click Administrative tools, and then click DNS.
8. In the left pane, right-click NYC-DC1, and then click Properties.
9. Click the Monitoring tab.
10. On the Monitoring tab, select A simple query against this DNS Server and A
recursive query to other DNS servers, and click Test Now several times.
11. Clear the Simple and Recursive test check boxes, and then click OK. Close the
DNS management tool.
12. Return to the Server Manager console. The graph reflects the queries on the
server.
13. In the Server Manager console, type CTRL-G and then type CTRL-G again.
This report lists the total number of queries the server has received.
14. Close the Server Manager console.

f Task 5: Verify DNS replication

1. On NYC-DC1, click Start, click Administrative tools, and then click DNS.
2. In the left pane, ensure NYC-DC1 is expanded, and then expand Forward
Lookup Zones.
3. Select and right-click nwtraders.msft, and then click New host (A or AAAA).
4. In the New Host dialog box, type test in the Name text box. Type 10.10.0.15
in the IP Address text box, and then click Add Host. Click OK, and then click
Done.
5. In the left pane ,click nwtraders.msft,and then right click nwtraders.msft and
click
Properties and then click zone Transfers in the nwtraders.msft Properties.
6. In the Zone Transfers click Notify in that Click here to add an IP Adress or
DNS
Name type NYC-SVR1 press Enter and click OK.
7. On NYC-SVR1, click Start, point to Administrative tools, and then click DNS.
 Lab Answer Key: Configuring and Troubleshooting DNS 9

8. In the left pane, ensure NYC-SVR1 is expanded, and then expand Forward
Lookup Zones.
9. Click the nwtraders.msft secondary zone. Verify that the new A record has
been replicated.
10. If the record does not appear, right-click nwtraders.msft, and then click
Refresh.

f Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Configuring and Managing WINS 1

Module 3
Lab Answer Key: Configuring and Managing
WINS
Contents:
Exercise 1: Installing WINS 2
Exercise 2: Configuring WINS Burst Handling 3
Exercise 3: Configuring WINS Replication 5
Exercise 4: Migrating from WINS to DNS 6
2 Lab Answer Key: Configuring and Managing WINS

Lab: Configuring a WINS

Infrastructure
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Installing WINS

f Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: On 6421A-NYC-SVR1, launch the Server Manager console

1. Click Start, and then point to Administrative Tools.
2. On the Administrative Tools menu, click Server Manager.
3. The Server Manager console opens.

f Task 3: From the Server Manager console, install the WINS feature
1. In the Server Manager list pane, right-click Features, and then click Add
Features on the context menu. The Add Features Wizard opens.
2. On the Select Features page, scroll down and click the check box next to
WINS Server, and then click Next.
3. On the Confirm Installation Selections page, click Install.
 Lab Answer Key: Configuring and Managing WINS 3

4. On the Installation Results page, verify that Installation succeeded appears

in the details pane, and then click Close.
5. Close the Server Manager console.
The Windows Internet Name Service (WINS) feature is installed on 6421A-
NYC-SVR1.

Important: Do not log off or shut down the virtual machines at this point.

Exercise 2: Configuring WINS Burst Handling

f Task 1: Configure the WINS server on 6421A-NYC-SVR1 for burst
handling
1. On NYC-SVR1, click Start, and then point to Administrative Tools.
2. On the Administrative Tools menu, click WINS.
The WINS console opens.
3. In the list pane, select and then right-click NYC-SVR1 [10.10.0.24]. Click
Properties.
4. On the NYC-SVR1 [10.10.0.24] Properties dialog box, click the Advanced
tab.
5. In the Enable burst handling section, select the Low option, and then click
OK.

f Task 2: Create a static entry in the WINS database

1. In the WINS console list pane, right-click Active Registrations, and then click
New Static Mapping.
2. In the New Static Mapping dialog box, configure the following, and then click
OK:
a. Computer name: HRWEB
b. Type: Unique
c. IP address: 10.10.0.10
4 Lab Answer Key: Configuring and Managing WINS

3. Right-click Active Registrations, click Display Records.

4. In the Display Records dialog box, click Find Now. If necessary, click the
Active Registrations node to view the results.
5. Verify that the static record for HRWEB exists. Do not close the WINS console.

f Task 3: Configure scavenging on the WINS server to take place once

every seven days
1. In the WINS console list pane, right-click NYC-SVR1 [10.10.0.24], and then
click Properties.
2. In the Properties dialog box, click the Intervals tab.
3. Set the Extinction timeout value to 7 in Days text box, and then click OK.

f Task 4: Configure NYC-DC1 to use the WINS server for NetBIOS

resolution
1. On NYC-DC1, click Start, right-click Network, and then click Properties.
2. In the Network and Sharing Center window, click Manage network
connections from the Tasks list.
3. Right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties dialog box, under This connection
uses the following items, click Internet Protocol Version 4 (TCP/IPv4), and
then click Properties.
5. In the Internet Protocol Version 4 Properties dialog box, click Advanced.
6. In the Advanced TCP/IP Settings dialog box, click the WINS tab, and under
WINS addresses, in order of use section, click Add.
7. Specify the WINS server address (IP address of 10.10.0.24), and then click
Add.
8. In the Advanced TCP/IP Settings dialog box, click OK.
9. In the Internet Protocol Version 4 Properties dialog box, click OK, and then
close the Local Area Connection Properties dialog box.
10. Close the Network Connections window.
11. Close the Network and Sharing Center window.
 Lab Answer Key: Configuring and Managing WINS 5

f Task 5: Test the NetBIOS name resolution capabilities

1. On NYC-DC1, click Start, and then click Command Prompt.
2. In a command window, type ping hrweb, and then press ENTER
3. The name resolution should be successful and resolve to 10.10.0.10.
4. Close the command window.

Exercise 3: Configuring WINS Replication

f Task 1: Configure Push and Pull replication on NYC-DC1
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
WINS.
2. In the WINS console list pane, expand NYC-DC1 [10.10.0.10].
3. Right-click Replication Partners, and then click New Replication Partner.
4. In the New Replication Partner dialog box, specify the IP address of NYC-
SVR1 (10.10.0.24), and then click OK.
The Replication Partners details pane lists NYC-SVR1 as a Push/Pull partner.

f Task 2: Configure Push and Pull replication on NYC-SVR1

1. On NYC-SVR1, in the WINS console list pane, right-click Replication
Partners, and then click New Replication Partner.
2. In the New Replication Partner dialog box, specify the IP address of NYC-
DC1 (10.10.0.10), and then click OK.
The Replication Partners details pane lists NYC-DC1 as a Push/Pull partner.

f Task 3: Verify Replication

1. On NYC-SVR1, in the WINS console right-click Replication Partners, and
then click Replicate Now. Click Yes to start replication now, and then click
OK.
2. In the WINS console, right-click Active Registrations, and then click Refresh.
3. Click the Active Registrations node. Notice that records from both 10.10.0.10
and 10.10.0.24 are listed as owners.
6 Lab Answer Key: Configuring and Managing WINS

4. On NYC-DC1, in the WINS console right-click Replication Partners, and then

click Replicate Now. Click Yes to start replication now, and then click OK.
5. Right-click Active Registrations, and then click Display Records.
6. In the Display Records dialog box, click Find Now.
7. Click the Active Registrations node. Notice that records from both 10.10.0.10
and 10.10.0.24 are listed as owners.
8. Close the WINS console on both NYC-DC1 and NYC-SVR1.

Exercise 4: Migrating from WINS to DNS

f Task 1: Create the GlobalNames zone in Domain Name System (DNS)
1. On NYC-DC1, Start, point to Administrative Tools, and then click DNS.
2. In the list pane, right-click NYC-DC1, and then click New Zone on the context
menu.
3. On the Welcome to the New Zone Wizard page, click Next.
4. On the Zone Type page, accept the defaults, and then click Next.
5. On the Active Directory Zone Replication Scope page, select To all DNS
servers in this forest: WoodgroveBank.com, and then click Next.
6. On the Forward or Reverse Lookup Zone page, accept the defaults, and then
click Next.
7. In the Zone name text box, type GlobalNames, and then click Next.
8. On the Dynamic Update page, select Do not allow dynamic updates, and
then click Next.
9. On the Completing the New Zone Wizard page, click Finish.
10. Click Start, right-click Command Prompt, and then click Run As
administrator.
11. Type Dnscmd NYC-DC1 /config /Enableglobalnamessupport 1, and then
press ENTER.
12. Close the command prompt.
 Lab Answer Key: Configuring and Managing WINS 7

f Task 2: Create the Alias record for the single-label name resource
1. In the DNS Manager console, ensure NYC-DC1 is expanded, expand Forward
Lookup Zones, and then select GlobalNames from the list.
2. Right-click GlobalNames, and select New Alias (CNAME) from the context
menu.
3. In the New Resource Record dialog box, specify an Alias name of HRWEB
and fully qualified domain name (FQDN) for target host of
NYC-DC1.Woodgrovebank.com, and then click OK.
4. Close the DNS Manager console.

f Task 3: Decommission WINS on NYC-DC1 and NYC-SVR1

1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the list pane, right-click Features, and then click Remove Features from the
context menu.
3. On the Select Features page, scroll down and remove the check mark next to
WINS Server, and then click Next.
4. On the Confirm Removal Selections page, click Remove.
5. On the Removal Results page, click Close, and then click Yes when prompted
to restart the computer.
6. Repeat steps 1-5, and remove the WINS feature from NYC-DC1.

f Task 4: Verify GlobalNames single-label name resolution

1. Log on to NYC-DC1 as administrator with the password Pa$$w0rd. The
WINS removal continues. Click Close.
2. Log on to NYC-SVR1 as administrator with the password Pa$$w0rd. The
WINS removal continues. Click Close.
3. On NYC-DC1, close the Server Manager.
4. On NYC-DC1, click Start, and then click Command Prompt.
5. At the command prompt, type ping hrweb, and then press ENTER.
The ping command is successful, and resolves to
nyc-dc1.woodgrovebank.com.
8 Lab Answer Key: Configuring and Managing WINS

f Task 5: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Configuring and Troubleshooting DHCP 1

Module 4
Lab Answer Key: Configuring and
Troubleshooting DHCP
Contents:
Exercise 1: Installing and Authorizing the DHCP Server Role 2
Exercise 2: Configuring a DHCP Scope 3
Exercise 3: Troubleshooting Common DHCP Issues 6
2 Lab Answer Key: Configuring and Troubleshooting DHCP

Lab: Configuring and

Troubleshooting the DHCP Server
Role
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Installing and Authorizing the Dynamic Host

Configuration Protocol (DHCP) Server Role
f Task 1: Start the 6421A-NYC-DC1 and 6421A-NYC-CL1 virtual
machines, and log on as Administrator
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Configure the DHCP Server Role on NYC-DC1

1. On NYC-DC1, if the Server Manager console is not showing, click Start.
2. Click Server Manager.
3. In the Server Manager console, click Roles.
4. Click Add Roles.
5. In the Add Roles Wizard, click Next.
6. Select the DHCP Server check box, and then click Next.
7. Read the information concerning the installation of the DHCP Server role, and
then click Next.
 Lab Answer Key: Configuring and Troubleshooting DHCP 3

8. In the Select Network Connection Bindings dialog box, make sure that the
static IP address 10.10.0.10 is selected, and then click Next.
9. In the Specify IPv4 DNS Server Settings dialog box, accept the default values,
and click Next.
10. In the Specify IPv4 WINS Server Settings, ensure WINS is not required for
applications on this network is selected and then click Next.
11. In Add or Edit DHCP Scopes, click Next.
12. In Configure DHCPv6 Stateless Mode, select Disable DHCPv6 stateless
mode for this server, and then click Next.
13. In Authorize DHCP Server, select Skip authorization of this DHCP server in
AD DS.
14. Click Next, and then click Install.
15. After the installation procedure is complete, click Close.
16. Close Server Manager on NYC-DC1.

f Task 3: Authorize the DHCP Server Role on NYC-DC1

1. On NYC-DC1, click Start, point to Administrative tools, and then click
DHCP.
2. In the list pane, expand and then right-click NYC-DC1.woodgrovebank.com.
3. Click Authorize.
4. In the list pane, expand IPv4. The IPv4 server icon should have a green “up”
arrow.

Exercise 2: Configuring a DHCP Scope

f Task 1: Configure a DHCP scope
1. On NYC-DC1, the DHCP management console should still be open. If not,
click Start, point to Administrative Tools, and then click DHCP.
2. In the left pane, ensure NYC-DC1.woodgrovebank.com is expanded.
3. Right-click the IPv4 server icon, and click New Scope.
4. In the New Scope Wizard, on the Welcome page, click Next.
4 Lab Answer Key: Configuring and Troubleshooting DHCP

5. In the Scope Name dialog box, type a name and description for the scope. For
example, Name: Head Office Network Scope and Description: WoodGrove
Bank employee scope. Click Next.
6. In the IP Address Range dialog box, type 10.10.0.1 for the Start IP address
and type 10.10.0.254 for the End IP address. Type 16 in the Length text box.
This will cause the Subnet mask text box to display 255.255.0.0.
7. Click Next.
8. In the Add Exclusions dialog box, type 10.10.0.1 for the Start IP address and
type 10.10.0.30 for the End IP address, click Add, and then click Next.
9. In the Lease Duration dialog box, change the value to 1 hour, and then click
Next.
10. In the Configure DHCP Scope Options dialog box, select No, I will configure
these options later, and then click Next.
11. Click Finish.
12. A new scope will appear under IPv4. The scope appears with a red “down”
arrow. Select and then right-click [10.10.0.0] Head Office Network Scope,
and then click Activate.
13. Close the DHCP console.
14. On NYC-CL1, click Start, right-click Network, and then click Properties. The
Network and Sharing Center window appears.
15. Under Tasks, click Manage network connections. The Network Connections
window appears.
16. Right-click Local Area Connection, and choose Properties from the context
menu.
17. In the Local Area Connection Properties dialog box, click Internet Protocol
Version 4 (TCP/IPv4), and click Properties.
18. In the Internet Protocol Version 4(TCP/IPv4) Properties box, select Obtain
an IP address automatically and Obtain DNS server address automatically,
and then click OK.
19. In the Local Area Connection Properties dialog box, click Close.
20. Close the Network Connections window, and then close the Network and
Sharing Center window.
21. Restart NYC-CL1. After the computer is restarted, log on as Administrator
with the password of Pa$$w0rd.
 Lab Answer Key: Configuring and Troubleshooting DHCP 5

22. On NYC-CL1, click Start, point to All Programs, point to Accessories, right-
click Command Prompt, and then click Run as Administrator.
23. At the command prompt, type ipconfig, and then press ENTER.
24. At the command prompt, type ipconfig /release, and then press ENTER
25. At the command prompt, type ipconfig /renew, and then press ENTER.
26. At the command prompt, type ipconfig /all, and then press ENTER. Notice
that along with other information, the IP address of the DHCP Server is
displayed.
27. Under Ethernet adapter Local Area Connection, notice that the connection
does not have a default gateway.
Question: Why does the DHCP configured Local Area Connection not have a
default gateway?
Answer: Because the ROUTER DHCP option has not been configured on the
DHCP server. There is no default gateway option in DHCP..
.
28. Close the command prompt.

f Task 2: Configure DHCP scope options

1. On NYC-DC1, click Start, point to Administrative tools, and then click
DHCP.
2. In the list pane, expand NYC-DC1.woodgrovebank.com, and then expand
IPv4.
3. Expand Scope [10.10.0.0].
4. Select and then right-click Scope Options, and then click Configure Options.
5. In the Scope Options dialog box, select 003 Router.
6. In the Scope Options dialog box, type 10.10.0.1 in the IP Address text box,
click Add, and then click OK.
6 Lab Answer Key: Configuring and Troubleshooting DHCP

f Task 3: Test the scope using a client workstation

1. On NYC-CL1, click Start, point to All Programs, point to Accessories, right-
click Command Prompt, and then click Run as Administrator.
2. At the command prompt, type ipconfig /release, and then press ENTER.
3. At the command prompt, type ipconfig /renew, and then press ENTER.
4. At the command prompt, type ipconfig /all, and then press ENTER. Notice
the default gateway is now listed.

Exercise 3: Troubleshooting Common DHCP Issues

f Task 1: Verify DHCP lease information
1. If necessary, on NYC-CL1, click Start, point to All Programs, point to
Accessories, right-click Command Prompt, and then click Run as
Administrator.
2. At the command prompt, type ipconfig /all, and then press ENTER.
3. Take note of the following items:
• IPv4 Address
• Subnet Mask
• Default Gateway
• Lease Duration

f Task 2: Modify DHCP Server configuration using scripts to simulate

configuration issues
1. On NYC-DC1, click Start, point to All Programs, point to Accessories, right-
click Command Prompt, and then click Run as Administrator.
2. At a command prompt, type D:\Labfiles\Module4\DHCP.vbs, and then
press ENTER.
3. Close the command prompt window.
 Lab Answer Key: Configuring and Troubleshooting DHCP 7

f Task 3: Check the client’s ability to lease an IP address

1. On NYC-CL1, at the command prompt, type ipconfig /release, and then press
ENTER.
2. At the command prompt, type ipconfig /renew, and then press ENTER.
3. At the command prompt, type ipconfig /all, and then press ENTER. Notice
the client is not receiving an IP address, and you have been allocated a
169.254 address.

f Task 4: Determine why the DHCP server is not allocating IP addresses

1. On NYC-DC1, determine whether the DHCP scope is activated.
2. To activate the DHCP scope, expand the nyc-dc1.woodgrovebank.com node,
expand the IPv4 node, select and then right-click the 10.10.0.0 scope, and
then click Activate.

f Task 5: Identify information that has been changed

1. On NYC-CL1, click Start, point to All Programs, point to Accessories, right-
click Command Prompt, and then click Run as Administrator.
2. At the command prompt, type ipconfig /release, and then press ENTER.
3. At the command prompt, type ipconfig /renew, and then press ENTER.
4. At the command prompt, type ipconfig /all, and then press ENTER.
5. Take note of the following items:
• IPv4 Address
• Subnet Mask
• Default Gateway
• Lease Duration
8 Lab Answer Key: Configuring and Troubleshooting DHCP

f Task 6: Configure the DHCP server with the correct router information
1. On NYC-DC1, verify the router information that is configured in the scope
options.
2. Expand the nyc-dc1.woodgrovebank.com node, expand the IPv4 node,
expand the 10.10.0.0 scope node, click Scope Options, and then in the right
pane, double-click 003 Router.
3. In the Scope Options dialog box, click the invalid router address
192.168.10.3, and then click Remove.
4. In the Scope Options dialog box, click in the IP address text box. Replace
192.168.10.3 with 10.10.0.1, click Add, and then click OK

f Task 7: Configure the DHCP server with the correct DNS server
information
1. On NYC-DC1, verify the DNS information that is configured in the scope
options.
2. Expand the nyc-dc1.woodgrovebank.com node, expand the IPv4 node,
expand the 10.10.0.0 scope node, right-click Scope Options, and then click
Configure Options.
3. In the Available Options window, select 006 DNS Servers.
4. In the Scope Options dialog box, click in the IP address text box, type
10.10.0.10, and then click Add. Again, in the IP address text box, type
10.10.0.21, click Add, and then click OK.

f Task 8: Configure the DHCP with the proper lease period

1. On NYC-DC1, verify the router information that is configured in the scope
options is correct. (It should be 1 hour.)
2. Expand the nyc-dc1.woodgrovebank.com node, expand the IPv4 node, right-
click the 10.10.0.0 scope, and then click Properties.
3. In the Scope Properties dialog box, in the Lease duration for DHCP clients
section, change the lease to 1 hour instead of 8 days, and then click OK.
 Lab Answer Key: Configuring and Troubleshooting DHCP 9

f Task 9: Verify the information being leased to the client

1. On NYC-CL1, click Start, point to All Programs, point to Accessories, right-
click Command Prompt, and then click Run as Administrator.
2. At the command prompt, type ipconfig /release, and then press ENTER.
3. At the command prompt, type ipconfig /renew, and then press ENTER.
4. At the command prompt, type ipconfig /all, and then press ENTER.
5. Take note of the following items:
• IPv4 Address
• Subnet Mask
• Default Gateway
• Lease Duration

f Task 10: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP 1

Module 5
Lab Answer Key: Configuring and
Troubleshooting IPv6 TCP/IP
Contents:
Lab A: Configuring an ISATAP Router
Exercise 1: Configuring a New IPv6 Network and Client 3
Exercise 2: Configuring an ISATAP Router to
Enable Communications Between an IPv4 Network and an
IPv6 Network 7
Lab B: Converting the Network
Exercise 1: Transitioning to an IPv6-Only Network 10
2 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP

Lab A: Configuring an ISATAP

Router
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Before you begin:

To be able to simulate multiple networks, you must configure the following before
starting the virtual machines:
1. On the host machine, open the Virtual Server Administration Web site.
2. In the left pane, under Virtual Networks, click Add. In the details pane, next
to Existing configuration (.vnc) file type the following: C:\Program
Files\Microsoft Learning\6421\Drives\6421A-NYC-VN2_IPv6, and then
click Add again.
3. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-SVR1.
4. Under “6421A-NYC-SVR1” Configuration, click Network adapters.
5. Under Virtual network adapter 2, click the drop-down arrow, select 6421A-
NYC-VN2_IPv6, and then click OK.
6. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-CL1.
7. Under “6421A-NYC-CL1” Configuration, click Network adapters.
8. Under Virtual network adapter 1, click the drop-down arrow, select 6421A-
NYC-VN2_IPv6, and then click OK.

Logon Information:
• Virtual Machines: 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1
• User Name: Administrator
• Password: Pa$$w0rd

Estimated time: 60 minutes

 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP 3

Exercise 1: Configuring a New IPv6 Network and Client

Scenario
You must design and implement an IPv6 network. For your initial proof of
concept, you must deploy only one client.

Exercise Overview
In this exercise, you will prepare the current environment to work with IPv6, and
deploy an IPv6 client and an IPv6 subnet.

The main tasks are as follows:

1. Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual
machines.
2. Configure IPv4 Routing.
3. Enable IP Routing on NYC-SVR1 and Confirm IPv4 Connectivity.
4. Disable IPv6 on NYC-DC1.
5. Disable IPv4 on NYC-CL1.
6. Check the IP configuration on NYC-CL1 and ensure that it is not configured
with an IPv4 IP address.
7. Configure an IPv6 router advertisement for the global address
2001:db8:0:1::/64 network on NYC-SVR1.
8. Check the IP configuration on NYC-CL1 to ensure it is configured with an IPv6
global address in the 2001:db8:0:1::/64 network

f Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-

CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP

4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch

5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

f Task 2: Configure IPv4 Routing

1. On NYC-CL1, click Start, and then click Control Panel.
2. In Control Panel, click Network and Internet, and then click View network
status and tasks.
3. In the left pane, click Manage network connections.
4. In the Network Connections window, right-click Local Area Connection, and
then click Properties.
5. Select Internet Protocol Version 4 (TCP/IPv4) , and then click Properties.
6. Change the IP settings to the following and then click OK:
• IP Address: 192.168.1.20
• Subnet Mask: 255.255.255.0
• Default Gateway: 192.168.1.10
7. In the Local Area Connection Properties box, click Close.
8. When the Set Network Location box opens, click Work, and then click Close.
9. Close all open windows on NYC-CL1.
10. On NYC-DC1, in the Server Manager, click View Network Connections.
11. In the Network Connections window, right-click Local Area Connection, and
then click Properties.
12. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
13. Change the IP settings to the following, and then click OK:
• Default Gateway: 10.10.0.24
14. In the Local Area Connection Properties box, click Close, and then close all
open windows on NYC-DC1.
 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP 5

f Task 3: Enable IP Routing on NYC-SVR1 and Confirm IPv4 Connectivity

1. On NYC-SVR1, click Start, and then in the Start Search box, type Regedit,
and then press ENTER.
2. Browse to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters
3. Double-click IPEnableRouter and then in the Value data box type 1. Click
OK.
4. Close the Registry Editor and then restart NYC-SVR1.
5. After NYC-SVR1 restarts, log on as Administrator with the password of
Pa$$w0rd.
6. On NYC-CL1, click Start, type cmd, and then press ENTER.
7. At the command prompt, type ping NYC-DC1, and then press ENTER. You
should have four successful replies from 10.10.0.10, which is NYC-DC1.
8. On NYC-DC1, click Start, click Command Prompt and then type ping
192.168.1.20. Press ENTER. You should have four successful replies from
192.168.1.20 which is NYC-CL1.

Note: At this point, only IPv4 traffic is routed through the IPv4 routing
infrastructure.

f Task 4: Disable IPv6 on NYC-DC1

1. On NYC-DC1, click Start, and then click Control Panel.
2. In Control Panel, double-click Network and Sharing Center.
3. In the left pane, click Manage network connections.
4. In the Network Connections window, right-click Local Area Connection, and
then click Properties.
5. Clear the Internet Protocol Version 6 (TCP/IPv6) check box and then click
OK.
6. Close all open windows on NYC-DC1.
6 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP

f Task 5: Disable IPv4 on NYC-CL1

1. On NYC-CL1, click Start, and then click Control Panel.
2. In Control Panel, click Network and Internet, and then click View network
status and tasks.
3. In the left pane, click Manage network connections.
4. In the Network Connections window, right-click Local Area Connection, and
then click Properties.
5. Clear the Internet Protocol Version 4 (TCP/IPv4) check box and then click
OK.
6. Close all open windows on NYC-CL1.

f Task 6: Check the IP configuration on NYC-CL1 and ensure that it is

not configured with an IPv4 IP address
1. Click Start, click All Programs, click Accessories, and then click Command
prompt.
2. At the command prompt, type ipconfig and then press ENTER. The output
should be a link-local IPv6 address that starts with fe80.
3. Close the Command Prompt window.

f Task 7: Configure an IPv6 router advertisement for the global address

2001:db8:0:1::/64 network on NYC-SVR1
1. On NYC-SVR1, click Start and then click Command Prompt.
2. At the command prompt, type the following commands, and then press
ENTER:
• netsh interface ipv6 set interface "Local Area Connection 2"
forwarding=enabled advertise=enabled
• netsh interface ipv6 add route 2001:db8:0:1::/64 "Local Area
Connection 2" publish=yes
 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP 7

f Task 8: Check the IP configuration on NYC-CL1 to ensure it is

configured with an IPv6 global address in the 2001:db8:0:1::/64
network
1. On NYC-CL1, click Start, click All Programs, click Accessories, and then click
Command prompt.
2. At the command prompt, type: ipconfig and then press ENTER. The output
should be a link-local IPv6 address that starts with fe80. Two global IP
addresses starting with 2001:db8:0:1: should also be included in the output.
3. Close the Command Prompt window.

Exercise 2: Configuring an ISATAP Router to Enable

Communication Between an IPv4 Network and an IPv6
Network
Scenario
Now that you have configured your IPv6 client, you must enable IPv4 client
connectivity to the IPv6 network. You have evaluated current IPv6 tunneling
technologies and have decided to implement an ISATAP router.

Exercise Overview
In this exercise, you will enable and configure an ISATAP router interface that will
allow two-way communication between the IPv4 and IPv6 networks.

The main tasks are as follows:

1. Add the ISATAP entry in the Domain Name System (DNS) zone.
2. Configure the ISATAP router on NYC-SVR1.
3. Enable the ISATAP interface on NYC-DC1.
4. Test connectivity.
8 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP

f Task 1: Add the ISATAP entry in the DNS zone on NYC-DC1

1. On NYC-DC1, click Start, click Administrative Tools, and then click DNS.
2. In the left pane, expand NYC-DC1.
3. Expand Forward Lookup Zones, select and then right-click
Woodgrovebank.com, and then click New host (A or AAAA).
4. In the New Host dialog box, type ISATAP in the Name text box, and then type
the IP address 10.10.0.24 (for NYC-SVR1).
5. Click Add Host and then click OK.
6. Click Done and then close the DNS Manager.

f Task 2: Configure the ISATAP router on NYC-SVR1

1. On NYC-SVR1, click Start and then click Command Prompt.
2. At the command prompt, type the following commands, and then press
ENTER:
• Netsh interface ipv6 isatap set router 10.10.0.24
• netsh interface ipv6 set interface “Local Area Connection* 8”
forwarding=enabled advertise=enabled
• netsh interface ipv6 add route 2001:db8:0:10::/64 “Local Area
Connection* 8” publish=yes
(This represents the route for the logical ISATAP network.)
3. Restart NYC-SVR1 and then log on as Administrator with the password of
Pa$$w0rd.
4. Click Start and then click Command Prompt.
5. At the command prompt, type ipconfig and then press ENTER. The Tunnel
adapter Local Area Connection* 8 will display an IPv6 address in the
2001:db8:0:10 range.
 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP 9

f Task 3: Enable the ISATAP interface on NYC-DC1

1. On NYC-DC1, click Start, and then click Command prompt.
2. At the command prompt, type the following commands:
• Netsh interface isatap set router 10.10.0.24
• Ipconfig
Notice that the Tunnel adapter Local Area Connection 8 (which is the ISATAP
adapter) has automatically received an IPv6 address from the ISATAP router.

f Task 4: Test connectivity

1. On NYC-CL1, click Start, click All Programs, click Accessories, and then click
Command prompt.
2. At the command prompt, type the following commands:
• Ping 2001:db8:0:10:0:5efe:10.10.0.10
• IPconfig
Note the IPv6 address (global address begins with 2001:)

3. On NYC-SVR!,click Start,,click Control Panel,and then double click

Networking and Sharing,in left pane click Manage Network Connections in
that Network Connection,click Local Area Connection and right click
Properties in that Properties window enable Internet Protocol Version
6(TCP/IPv6) and click OK.
4. In the Network Connections click Local Area Connection 2 and Right click
and click Properties in that Local Area Connection Properties window enable
Internet
Protocol version 4(TCP/IPv4)and click OK.
5. On NYC-DC1, click Start, click All Programs, click Accessories, and then
click Command prompt.
6. At the command prompt, type the following command:
• Ping IPv6 address
(Where IPv6 address is the IPv6 address that was noted in Step 2.)
10 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP

Note: If the IP addresses do not resolve, reboot the servers starting with NYC-
DC1, NYC-SVR1, and then NYC-CL1.

Important: Do not turn off the virtual machines at this time because you will
need them to complete the next lab.

Lab B: Converting the Network

Exercise 1: Transitioning to an IPv6-Only Network
Scenario
You are responsible for performing a test of the IPv6 transition plan. To
accomplish this, you will transition computers from the previous network, which
uses both IPv4 and IPv6, to an IPv6-only network.

Exercise Overview
In this exercise, you will migrate the IPv4 network to be fully IPv6 capable.

The main tasks are as follows:

1. Disable the ISATAP router on NYC-SVR1.
2. Configure the native IPv6 router on NYC-SVR1.
3. Disable IPv4 connectivity.
4. Test connectivity between each IPv6 subnet.
5. Reconfigure the network adapters.
6. Close all virtual machines and discard undo disks.

f Task 1: Disable the ISATAP router on NYC-SVR1

1. On NYC-SVR1, click Start and then click Command Prompt.
2. At the command prompt, type the following commands:
 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP 11

• netsh interface ipv6 set interface “Local Area Connection* 8”

forwarding=disabled advertise=disabled
• netsh interface ipv6 delete route 2001:db8:0:10::/64 “ Local Area
Connection* 8”

f Task 2: Configure the native IPv6 router on NYC-SVR1

• On NYC-SVR1, at the command prompt, type the following commands:
• netsh interface ipv6 set interface “Local Area Connection”
forwarding=enabled advertise=enabled
• netsh interface ipv6 add route 2001:db8:0:0::/64 “Local Area
Connection” publish=yes

f Task 3: Disable IPv4 connectivity

1. On NYC-SVR1, click Start and then click Control Panel.
2. In Control Panel, double-click Network and Sharing Center.
3. In the left pane, click Manage network connections.
4. In the Network Connections box, right-click Local Area Connection and
then click Properties.
5. Clear the Internet Protocol Version 4 (TCP/IPv4) check box, and then click
OK. Close all open windows.
6. On NYC-DC1, click Start, and then click Control Panel.
7. In Control Panel, double-click Network and Sharing Center.
8. In the left pane, click Manage network connections.
9. In the Network Connections box, right-click Local Area Connection, and
then click Properties.
10. Enable the check box next to Internet Protocol Version 6 (TCP/IPv6).
11. Clear the Internet Protocol Version 4 (TCP/IPv4) check box, and then click
OK. Close all open windows.
12 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP

f Task 4: Test connectivity between each IPv6 subnet

1. On NYC-DC1, click Start, click All Programs, click Accessories, and then
click Command prompt.
2. At the command prompt, type the following command:
• IPconfig/all
Note the new IPv6 address (global address begins with 2001:) assigned to the
local area connection. Write down the IPv6 address in the space below:
NYC-DC1 IPv6 address: _____________________________________________
3. On NYC-CL1, click Start, click All Programs, click Accessories, and then click
Command prompt.
4. At the command prompt, type the following commands:
• Ping global IP address
(Where global IP address is the global IP address that was noted in Step
2.)
• IPconfig/all
Note the IPv6 address (global address begins with 2001:) assigned to the local
area connection. Write down the IPv6 address in the space below:
NYC-CL1 IPv6 address: _____________________________________________
5. On NYC-DC1, click Start, click All Programs, click Accessories, and then
click Command prompt.
6. At the command prompt, type the following command:
• Ping global IP address
(Where global IP address is the global IPv6 address that was noted in
Step 4.)

Note: If the IP addresses do not resolve, reboot the servers starting with NYC-
DC1, NYC-SVR1, and then NYC-CL1.
 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP 13

f Task 5: Reconfigure the Network Adapters

1. To have the appropriate setup for future labs, you must configure the
following before starting the virtual machines:
2. On the host machine, open the Virtual Server Administration Web site.
3. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-SVR1.
4. Under “6421A-NYC-SVR1” Configuration, click Network adapters.
5. Under Virtual network adapter 2, click the drop-down arrow, select Internal
Network, and then click OK.
6. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-CL1.
7. Under “6421A-NYC-CL1” Configuration, click Network adapters.
8. Under Virtual network adapter 1, click the drop-down arrow, select Internal
Network, and then click OK.

f Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access 1

Module 6
Lab Answer Key: Configuring and
Troubleshooting Routing and Remote Access
Contents:
Exercise 1: Configuring Routing and Remote Access
as a VPN Remote Access Solution 2
Exercise 2: Configuring a Custom Network Policy 4
Exercise 3: Configuring Logging 6
Exercise 4: Configuring a Connection Profile 7
2 Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access

Lab: Configuring and Managing

Network Access
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Configuring Routing and Remote Access as a

VPN Remote Access Solution
f Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-
CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

f Task 2: Install the Network Policy and Access Services role on 6421A-
NYC-SVR1
1. On NYC-SVR1, click Start, and then click Administrative Tools.
2. From the Administrative Tools menu, click Server Manager. The Server
Manager opens.
3. In the Server Manager (NYC-SVR1) list pane, right-click Roles and click Add
Roles from the context menu. The Add Roles Wizard appears. Click Next.
4. On the Select Server Roles page, select Network Policy and Access Services
and then click Next.
5. On the Network Policy and Access Service introduction page, click Next.
 Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access 3

6. On the Select Role Services page, select Network Policy Server and Routing
and Remote Access Services, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close.
9. Close the Server Manager. The Network Policy and Routing and Remote
Access Services roles are installed on 6421A-NYC-SVR1.

Important: Do not log off or shut down the virtual machines at this point.

f Task 3: Configure 6421A-NYC-SVR1 as a VPN server with a static

address pool for Remote Access clients
1. On NYC-SVR1, click Start, and then click Administrative Tools.
2. From the Administrative Tools menu, click Routing and Remote Access. The
Routing and Remote Access administrative tool appears.
3. In the list pane, select and right-click NYC-SVR1 (Local), and then click
Configure and Enable Routing and Remote Access.
4. Click Next on the wizard Welcome page.
5. On the Configuration page, leave the default Remote Access (dial-up or
VPN) selected, and click Next.
6. On the Remote Access page, select the VPN option, and click Next.
7. On the VPN Connection page, select the Local Area Connection 2 interface,
and then click Next.
8. On the IP Address Assignment page, select From a specified range of
addresses, and then click Next.
9. On the Address Range Assignment page, click New, and in the Start IP
address box, type the following value 192.168.1.100. In the Number of
addresses box, type the value of 75, and click OK. Click Next.
10. On the Managing Multiple Remote Access Servers page, leave the default
selection No, use Routing and Remote Access to authenticate connection
requests, and click Next. Click Finish.
4 Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access

11. In the Routing and Remote Access dialog box, click OK.
12. In the Routing and Remote Access dialog box regarding the DHCP Relay
agent, click OK. The Routing and Remote Access service starts.

f Task 4: Configure available VPN ports on the (RRAS) server to allow 25

PPTP and 25 L2TP connections
1. In the Routing and Remote Access management tool interface, expand NYC-
SVR1, select and then right-click Ports, and then click Properties.
2. In the Ports Properties dialog box, double-click WAN Miniport (SSTP).
3. In the Configure Device – WAN Miniport (SSTP) dialog box, assign a value
of 0 in the Maximum ports box, and then click OK.
4. In the Routing and Remote Access dialog box, click Yes to continue.
5. In the Ports Properties dialog box, double-click WAN Miniport (PPTP), and
in the Configure Device – WAN Miniport (PPTP) dialog box, assign a value
of 25 in the Maximum ports box, and then click OK.
6. In the Routing and Remote Access dialog box, click Yes to continue.
7. Repeat this procedure, with the same value (25), for WAN Miniport (L2TP).
8. Click OK in the Ports Properties dialog box.
9. Refresh the details pane to view the results.
10. Close the Routing and Remote Access administrative tool.

Exercise 2: Configuring a Custom Network Policy

f Task 1: Open the Network Policy Server management tool on 6421A-
NYC-SVR1
1. On NYC-SVR1, click Start, and then click Administrative Tools.
2. On the Administrative Tools menu, click Network Policy Server. The
Network Policy Server administrative tool appears.
 Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access 5

f Task 2: Create a new network policy for RRAS clients

1. In the list pane, expand Policies, right-click Network Policies, and then click
New.
2. On the New Network Policy – Specify Network Policy Name and
Connection Type page, type Secure VPN in the Policy Name text box, and in
the Type of network access server drop-down list, click Remote Access
Server (VPN-Dial up), and then click Next.
3. On the Specify Conditions page, click Add. On the Select Condition dialog
box, scroll down and double-click Tunnel Type. In the Tunnel Type dialog
box, select L2TP and PPTP, click OK, and then click Next.
4. On the Specify Access Permission page, leave the default of Access Granted,
and click Next.
5. On the Configure Authentication Methods page, deselect Microsoft
Encrypted Authentication (MS-CHAP), and then click Next.
6. On the Configure Constraints page, under Constraints, select Day and time
restrictions, and in the details pane, select Allow access only on these days
and at these times, and click Edit. Change the Time of day constraints to
deny access from 11PM to 6AM Monday thru Friday, click OK, and then
click Next.
7. In the Configure Settings dialog box, under Settings, click Encryption, and in
the details pane, deselect all settings except Strongest encryption (MPPE 128-
bit). Click Next, and then click Finish.
8. In the list pane of the Network Policy Server tool, click the Network Policies
node.
9. Right-click the Secure VPN policy, and then click Move Up. Repeat this step to
make the policy the first in the list.
10. Close the Network Policy Server tool.
6 Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access

Exercise 3: Configuring Logging

f Task 1: Configure RRAS Logging on 6421A-NYC-SVR1 to log all events
to the System log
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Routing and Remote Access.
2. In the Routing and Remote Access window list pane, right-click NYC-SVR1,
and then click Properties.
3. In the NYC-SVR1 (local) Properties dialog box, click the Logging tab.
4. On the Logging tab, click Log all events, and then click OK.
5. Close the Routing and Remote Access console.

f Task 2: Test logging levels

1. Log on to NYC-CL1 with a user name of Woodgrovebank\administrator and
the password Pa$$w0rd.
2. Click Start, and then click Network.
3. In the Network window, click Network and Sharing Center.
4. In the Network and Sharing Center window, under Tasks, click Set up a
connection or network. In the Choose a connection option dialog box, click
Connect to a workplace, and then click Next.
5. In the Connect to a workplace dialog box, select the Use my Internet
connection (VPN) option. When prompted, select I’ll set up an Internet
connection later.
6. In the Type the Internet address to connect to dialog box, specify an Internet
address of 10.10.0.24 and a Destination Name of Woodgrovebank VPN, and
then click Next.
7. On the Type your user name and password page, leave the user name and
password blank, and then click Create.
8. Click Close in the Connect to a Workplace dialog box.
9. Under Tasks in the Network and Sharing Center window, click Manage
network connections.
 Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access 7

10. On the Network Connections page, under Virtual Private Network, right-
click WoodgroveBank VPN, and then click Connect.
11. Use the following information in the Connect Woodgrovebank VPN text
boxes, and then click Connect:
• User name: Administrator
• Password: Pa$$w0rd
• Domain: Woodgrovebank
The VPN connects successfully.
12. Right-click Woodgrovebank VPN, and click Disconnect. The VPN
disconnects.
13. Close all open windows on NYC-CL1.
14. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Event Viewer.
15. In Event Viewer, expand Windows Logs, and select System from the list pane.
Review the entries from the source RemoteAccess to see the logged data.
16. Close Event Viewer on NYC-SVR1.

Exercise 4: Configuring a Connection Profile

f Task 1: Install the Connection Manager Administration Kit
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Server Manager.
2. In the list pane of Server Manager, right-click Features, and click Add
Features.
3. On the Select Features page, select Connection Manager Administration Kit,
and click Next.
4. On the Confirm Installation Selections page, click Install.
5. On the Installation Results page, click Close.
6. Close Server Manager on NYC-SVR1.
8 Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access

f Task 2: Use the CMAK to create a distributable executable to

automate creation of connection objects for users
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Connection Manager Administration Kit.
2. On the Welcome page of the Connection Manager Administration Kit wizard,
click Next.
3. On the Select the Target Operating System page, leave the default setting of
Windows Vista, and then click Next.
4. On the Create or Modify a Connection Manager profile page, click Next.
5. On the Specify the Service Name and the File Name page, use
WOODGROVEBANK VPN for the Service name and CORP_VPN for the File
name. Click Next.
6. On the Specify a Realm Name page, click Next.
7. On the Merge Information from Other Profiles page, click Next.
8. On the Add Support for VPN Connections page, select Phone book from
this profile, and specify to Always use the same VPN server with an IP
address of 10.10.0.24, and then click Next.
9. On the Create or Modify a VPN Entry page, click Next.
10. On the Add a custom Phone Book page, deselect Automatically download
phone book updates, and then click Next.
11. On the Configure Dial-up Networking Entries page, click Next.
12. On the Specify Routing Table Updates page, click Next.
13. On the Configure Proxy Settings for Internet Explorer page, click Next.
14. On the Add Custom Actions page, click Next.
15. On the Display a Custom Logon Bitmap page, click Next.
16. On the Display a Custom Phone Book Bitmap, click Next.
17. On the Display Custom Icons page, click Next.
18. On the Include a Custom Help File page, click Next.
19. On the Display Custom Support Information page, click Next.
20. On the Display a Custom License Agreement page, click Next.
 Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access 9

21. On the Install Additional Files with the Connection Manager profile page,
click Next.
22. On the Build the Connection Manager Profile and its Installation Program
page, click Next.
23. On the Your Connection Manager Profile is Complete and Ready to
Distribute page, click Finish.
24. On NYC-SVR1, copy the CORP_VPN folder from the
C:\Program Files\CMAK\Profiles\Vista\ location to the \\NYC-
DC1\Module6 location.
       To do this On NYC‐SVR1 goto, Start/Computer/Local Disk (C:)/   
Program Files/CMAK/Profiles/Vista/ CORP_VPN and  select 
CORP_VPN folder, and right‐click select copy and then Click Start, in 
the Start Search box type \\NYC‐DC1\Module6  and press Enter. In the 
Module6(\\NYC‐DC1) page right‐click and select paste 

f Task 3: Install and test the CMAK profile

1. On NYC-CL1, click Start, point to All Programs, point to Accessories, and
then click Run. In the Run dialog box, type \\NYC-DC1\Module6\, and then
click OK.
2. In the CORP_VPN folder, double-click CORP_VPN.exe.
3. In the Do you wish to install WOODGROVEBANK VPN? dialog box, click
Yes.
4. In the WOODGROVEBANK VPN dialog box, select All users and Add a
shortcut on the desktop, and then click OK. The WOODGROVEBANK VPN
connection object opens.
5. In the WOODGROVEBANK VPN connection object, use the following
criteria, and then click Connect:
• User name: Administrator
• Password: Pa$$w0rd
• Logon Domain: Woodgrovebank
6. On the Set Network Location page, click Work, and then click Close.
7. Verify that the VPN connects successfully in Network Connections. After the
connection is successful, right-click the network icon, and then click
Disconnect.
10 Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access

f Task 4: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service 1

Module 7
Lab Answer Key: Installing, Configuring, and
Troubleshooting the Network Policy Server Role
Service
Contents:
Exercise 1: Installing and Configuring the Network
Policy Server Role Service 2
Exercise 2: Configuring a RADIUS Client 4
Exercise 3: Configuring Certificate Auto-Enrollment 6
2 Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Lab: Configuring and Managing

Network Policy Server
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Installing and Configuring the Network Policy

Server Role Service
f Task 1: Start the virtual machines, and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Install the Network Policy and Access Services role

1. On NYC-DC1, in the Server Manager list pane, right-click Roles, and select
Add Roles from the context menu. The Add Roles Wizard appears. Click Next.
2. On the Select Server Roles page, select Network Policy and Access Services,
and then click Next.
3. On the Network Policy and Access Services welcome page, click Next.
4. On the Select Role Services page, select Network Policy Server, and then
click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close. The Network Policy Server role is installed
on NYC-DC1.
7. Close the Server Manager.
 Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service 3

8. Do not log off or shut down the virtual PCs at this point.

f Task 3: Register NPS in Active Directory®

1. On NYC-DC1, click Start, and then click Administrative Tools.
2. On the Administrative Tools menu, click Network Policy Server. The
Network Policy Server administrative tool appears.
3. In the list pane, select and right-click NPS (Local), and then click Register
server in Active Directory.
4. Click OK in the Network Policy Server message box.
5. Click OK again in the Network Policy Server message box. The Network
Policy server is registered in Active Directory.

f Task 4: Configure 6421A-NYC-DC1 to be a Remote Authentication

Dial-In User Service (RADIUS) server for dial-up or VPN connections
1. In the Network Policy Server management tool list pane, click NPS (Local).
2. In the Getting Started details pane, open the drop-down list under Standard
Configuration, and then click RADIUS server for Dial-Up or VPN
Connections.
3. Under Radius server for Dial-Up or VPN Connections, click Configure VPN
or Dial-Up.
4. In the Configure VPN or Dial-Up dialog box, select Virtual Private Network
(VPN) Connections, accept the default name, and then click Next.
5. In the RADIUS clients dialog box, click Add.
6. In the New RADIUS Client dialog box, type NYC-SVR1 in the Friendly Name
text box, and then click Verify.
7. In the Verify Client dialog box, type the address NYC-SVR1, click Resolve,
and then click OK.
8. In the New RADIUS Client dialog box, specify and confirm the shared secret
of Pa$$w0rd, and then click OK.
9. In the Specify Dial-Up or VPN Server dialog box, click Next.
10. In the Configure Authentication Methods dialog box, select Extensible
Authentication Protocol and MS-CHAPv2, and then click Next.
4 Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

11. On the Specify User Groups page, click Next.

12. On the Specify IP Filters page, click Next.
13. On the Specify Encryption Settings page, deselect Basic encryption and
Strong encryption, and then click Next.
14. On the Specify a Realm Name page, click Next.
15. On the Completing New Dial-Up or Virtual Private Connections and
RADIUS clients page, click Finish.
16. Close the Network Policy Server administrative tool.

Exercise 2: Configuring a RADIUS Client

f Task 1: Open the Server Manager tool on 6421A-NYC-SVR1
1. On NYC-SVR1, click Start, and then click Administrative Tools.
2. On the Administrative Tools menu, click Server Manager. The Server
Manager tool appears.

f Task 2: Install the Routing and Remote Access Services (RRAS) role
1. In the Server Manager list pane, click Roles, and then click Add Roles. The
Add Roles Wizard appears.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, select Network Policy and Access Services,
and then click Next.
4. On the Network Policy and Access Services page, click Next.
5. On the Select Role Services page, select Routing and Remote Access
Services, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close. The Routing and Remote Access Services
role is installed on NYC-SVR1.
8. Close the Server Manager window.
9. Do not log off or shut down the virtual PCs at this point.
 Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service 5

f Task 3: Configure 6421A-NYC-SVR1 as a VPN server with a static

address pool for Remote Access clients, and specify RADIUS
authentication and accounting
1. On NYC-SVR1, click Start, and then click Administrative Tools.
2. On the Administrative Tools menu, click Routing and Remote Access. The
Routing and Remote Access tool appears.
3. In the list pane, select and right-click NYC-SVR1, and then click Configure
and Enable Routing and Remote Access.
4. On the Welcome page of the wizard, click Next.
5. On the Configuration page, leave the default Remote access (dial-up or
VPN) selected, and click Next.
6. On the Remote Access page, select the VPN option, and then click Next.
7. On the VPN Connection page, select the Local Area Connection 2 interface,
and then click Next.
8. On the IP Address Assignment page, select From a specified range of
addresses, and then click Next.
9. On the Address Range Assignment page, click New, and in the Start IP
address box, type 192.168.1.100. In the Number of addresses box, type 75.
Click OK, and then click Next.
10. On the Managing Multiple Remote Access Servers page, select Yes, set up
this server to work with a RADIUS server, and then click Next.
11. On the RADIUS Server Selection page, specify NYC-DC1 for the Primary
RADIUS server, specify Pa$$w0rd as the shared secret for the RADIUS server,
and then click Next.
12. On the Completing the Routing and Remote Access Server Setup Wizard
page, click Finish.
13. In the Routing and Remote Access message box, click OK. The Routing and
Remote Access service starts. NYC-SVR1 is configured as a VPN server with
RADIUS configured.
14. Close the Routing and Remote Access administrative tool.
6 Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Exercise 3: Configuring Certificate Auto-Enrollment

f Task 1: Install and Configure Certificate Services on NYC-DC1
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Server Manager.
2. In Server Manager, right-click Roles, and then click Add Roles from the
context menu.
3. In the Add Roles Wizard window, click Next.
4. On the Select Server Roles page, select Active Directory Certificate Services,
and then click Next.
5. On the Introduction to Active Directory Certificate Services page, click Next.
6. On the Select Role Services page, click Next.
7. On the Specify Setup Type page, click Next.
8. On the Specify CA Type page, click Next.
9. On the Set Up Private Key page, click Next.
10. On the Configure Cryptography for CA page, click Next.
11. On the Configure CA Name page, specify a name of WoodGroveBank-CA,
and then click Next.
12. On the Set Validity Period page, click Next.
13. On the Configure Certificate Database page, click Next.
14. On the Confirm Installation Selections page, click Install.
15. On the Installation Results page, click Close.
16. Close Server Manager.
17. On NYC-DC1, click Start, point to Administrative Tools, and then click
Certification Authority.
18. In the certsrv management console, expand WoodGroveBank-CA.
19. Right-click Certificate Templates, and then select Manage from the context
menu.
20. In the Certificate Templates Console details pane, right-click Computer, and
then choose Properties from the context menu.
 Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service 7

21. In the Computer Properties dialog box, click the Security tab, and then select
Authenticated Users.
22. In the Permissions for Authenticated Users, select the Allow check box for
the Enroll permission, and then click OK.
23. Close the Certificate Template console, and then close the certsrv
management console.

f Task 2: Open the Group Policy Management tool on 6421A-NYC-DC1

and configure automatic certificate enrollment
1. On NYC-DC1, click Start, and then click Administrative Tools.
2. On the Administrative Tools menu, click Group Policy Management. The
Group Policy Management tool appears.
3. In the Group Policy Management list pane, expand Forest:
WoodgroveBank.com, expand Domains, and then expand
WoodgroveBank.com.
4. In the list pane, under WoodgroveBank.com, right-click Default Domain
Policy and then click Edit.
5. On the Group Policy Management Editor page, under Computer
Configuration, expand Policies, expand Windows Settings, expand Security
Settings, and then expand Public Key Policies.
6. Right-click Automatic Certificate Request Settings, point to New, and then
click Automatic Certificate Request.
7. In the Welcome to the Automatic Certificate Request Setup Wizard dialog
box, click Next.
8. On the Certificate Template page, accept the default setting of Computer,
and then click Next.
9. On the Completing the Automatic Certificate Request Setup Wizard page,
click Finish.
10. Close the Group Policy Management Editor.
11. Close the Group Policy Management tool. Automatic certificate enrollment
now is configured for domain computers in the WoodgroveBank domain.
12. To verify automatic certificate enrollment, restart the 6421A-NYC-CL1 virtual
computer.
8 Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

13. Log on as Administrator with the password Pa$$w0rd.

14. Click Start, type MMC in the Search box, and then press ENTER.
15. In the Console1 window, click File, and then click Add/Remove Snap-in.
16. In the Add or Remove Snap-ins box, select Certificates, and then click Add.
17. In the Certificates snap-in box, select Computer account, and then click
Next.
18. In the Select Computer box, select Local computer, and then click Finish.
19. Click OK to close the Add or Remove Snap-ins box.
20. In the Console1 window, expand Certificates (Local Computer).
21. Expand Personal, and then click Certificates. Notice that NYC-
CL1.WoodgroveBank.com is displayed. Also notice that WoodGroveBank-
CA issued the certificate. You now can use this certificate as an authentication
mechanism.

f Task 3: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Configuring Network Access Protection 1

Module 8
Lab Answer Key: Configuring Network Access
Protection
Contents:
Exercise 1: Configuring NAP for DHCP Clients 2
Exercise 2: Configuring NAP for VPN Clients 10
2 Lab Answer Key: Configuring Network Access Protection

Lab: Configuring NAP for DHCP

and VPN
Note: If you have already logged on to a virtual machine,

skip the logon task for that particular virtual machine.

Exercise 1: Configuring Network Access Protocol (NAP) for

Dynamic Host Configuration Protocol (DHCP) Clients
f Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-
CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

f Task 2: Open the Server Manager tool on 6421A-NYC-SVR1

• On 6421A-NYC-SVR1, open Server Manager from the Administrative Tools
menu.

f Task 3: Install the Network Policy Server (NPS) and Dynamic Host
Configuration Protocol (DHCP) server roles
1. On NYC-SVR1, in Server Manager, right-click Roles, and then select Add Roles
from the context menu.
2. On the Before you Begin page, click Next.
3. On the Select Server Roles page, select the DHCP Server and Network Policy
and Access Services check boxes, and then click Next twice.
 Lab Answer Key: Configuring Network Access Protection 3

4. On the Select Role Services page, select the Network Policy Server check
box, and then click Next twice.
5. On the Select Network Connection Bindings page, verify that 10.10.0.24 is
selected, remove the check mark next to 192.168.1.10, and then click Next.
6. On the Specify DNS Server Settings page, verify that WoodGroveBank.com is
listed under Parent domain.
7. Type 10.10.0.10 under Preferred DNS server IP address, and then click
Validate. Verify that the result returned is Valid, and then click Next.
8. On the Specify IPv4 WINS Server Settingspage, accept the default setting of
WINS is not required for applications on this network, and then click Next.
9. On the Add or Edit DHCP Scopes page, click Add.
10. In the Add Scope dialog box, type NAP Scope next to Scope Name. Next to
Starting IP Address, type 10.10.0.50; next to Ending IP Address, type
10.10.0.199; and next to Subnet Mask, type 255.255.0.0.
11. Select the Activate this scope check box, click OK, and then click Next.
12. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6
stateless mode for this server, and then click Next.
13. On the Authorize DHCP Server page, select Use current credentials. Verify
that WOODGROVEBANK\Administrator is displayed next to Username,
and then click Next.
14. On the Confirm Installation Selections page, click Install.
15. Verify the installation was successful, and then click Close.
16. Close the Server Manager window.

f Task 4: Configure NYC-SVR1 as a NAP health policy server

1. On NYC-SVR1, open the Network Policy Server Management console from
the Start Menu, Administrative Tools location.
2. Configure SHVs:
a. Expand Network Access Protection, and then click System Health
Validators.
b. In the middle pane under Name, double-click Windows Security Health
Validator.
4 Lab Answer Key: Configuring Network Access Protection

c. In the Windows Security Health Validator Properties dialog box, click

Configure.
d. On the Windows Vista™ tab, clear all check boxes except A firewall is
enabled for all network connections.
e. Click OK to close the Windows Security Health Validator dialog box,
and then click OK to close the Windows Security Health Validator
Properties dialog box.
3. Configure remediation server groups:
a. In the console tree, under Network Access Protection, right-click
Remediation Server Groups, and then click New.
b. Under Group Name, type Rem1.
c. Next to Remediation Servers, click Add.
d. In the Add New Server dialog box, under IP address or DNS name, type
10.10.0.10, and then click OK twice.
4. Configure health policies:
a. Expand Policies.
b. Right-click Health Policies, and then click New.
c. In the Create New Health Policy dialog box, under Policy Name, type
Compliant.
d. Under Client SHV checks, verify that Client passes all SHV checks is
selected.
e. Under SHVs used in this health policy, select the Windows Security
Health Validator check box, and then click OK.
f. Right-click Health Policies, and then click New.
g. In the Create New Health Policy dialog box, under Policy Name, type
Noncompliant.
h. Under Client SHV checks, select Client fails one or more SHV checks.
i. Under SHVs used in this health policy, select the Windows Security
Health Validator check box, and then click OK.
5. Configure a network policy for compliant computers:
a. In the console tree, under Policies, click Network Policies.
 Lab Answer Key: Configuring Network Access Protection 5

b. Disable the two default policies under Policy Name by right-clicking the
policies, and then clicking Disable for each.
c. Right-click Network Policies, and then click New.
d. In the Specify Network Policy Name and Connection Type window,
under Policy name, type Compliant-Full-Access, and then click Next.
e. In the Specify Conditions window, click Add.
f. In the Select condition dialog box, double-click Health Policies.
g. In the Health Policies dialog box, under Health Policies, select
Compliant, and then click OK.
h. In the Specify Conditions window, verify that Health Policy is specified
under Conditions with a value of Compliant, and then click Next.
i. In the Specify Access Permission window, verify that Access granted is
selected, and then click Next.
j. In the Configure Authentication Methods window, select Perform
machine health check only. Clear all other check boxes, and then click
Next.
k. In the Configure Constraints window, click Next.
l. In the Configure Settings window, click NAP Enforcement. Verify that
Allow full network access is selected, and then click Next.
m. In the Completing New Network Policy window, click Finish to
complete configuration of your network policy for compliant client
computers.
6. Configure a network policy for noncompliant computers:
a. Right-click Network Policies, and then click New.
b. In the Specify Network Policy Name and Connection Type window,
under Policy name, type Noncompliant-Restricted, and then click Next.
c. In the Specify Conditions window, click Add.
d. In the Select condition dialog box, double-click Health Policies.
e. In the Health Policies dialog box, under Health policies, select
Noncompliant, and then click OK.
6 Lab Answer Key: Configuring Network Access Protection

f. In the Specify Conditions window, verify that Health Policy is specified

under Conditions with a value of Noncompliant, and then click Next.
g. In the Specify Access Permission window, verify that Access granted is
selected, and then click Next.

Note: A setting of Access granted does not mean that noncompliant clients
are granted full network access. It specifies that clients matching these
conditions will be granted an access level that the policy determines.

h. In the Configure Authentication Methods window, select Perform

machine health check only. Clear all other check boxes, and then click
Next.
i. In the Configure Constraints window, click Next.
j. In the Configure Settings window, click NAP Enforcement. Select Allow
limited access, and verify that Enable auto-remediation of client
computers is selected.
k. Click Next, and then click Finish. This completes configuration of your
NAP network policies. Close the Network Policy Server console.

f Task 5: Configure DHCP service for NAP enforcement

1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
DHCP.
2. In the DHCP console, expand nyc-svr1.woodgrovebank.com, and then
expand IPv4.
3. Select and then right-click Scope[10.10.0.0]NAP Scope, and then click
Properties.
4. On the Network Access Protection tab, select Enable for this scope, and
verify that Use default Network Access Protection profile is selected, and
then click OK.
5. In the DHCP console, expand Scope[10.10.0.0]NAP Scope, select and right-
click Scope Options, and then click Configure Options.
6. On the Advanced tab, next to User class, verify that Default User Class is
selected.
 Lab Answer Key: Configuring Network Access Protection 7

7. Under Available Options, select the 003 Router check box, type 10.10.0.1 in
IP Address, and then click Add.
8. Select the 015 DNS Domain Name check box, type Woodgrovebank.com in
String value, and then click OK. The Woodgrovebank.com domain is a full-
access network assigned to compliant NAP clients.
9. In the DHCP console, right-click Scope Options, and then click Configure
Options.
10. On the Advanced tab, next to User class, select Default Network Access
Protection Class.
11. Select the 006 DNS Servers check box, type 10.10.0.10 in IP Address, and
then click Add.
12. Select the 015 DNS Domain Name check box, type
restricted.Woodgrovebank.com in String value, and then click OK. The
restricted.woodgrovebank.com domain is a restricted-access network assigned
to noncompliant NAP clients.
13. Close the DHCP console.

f Task 6: Configure NYC-CL1 as DHCP and NAP client

1. On NYC-CL1, enable Security Center:
a. Click Start, point to All Programs, click Accessories, and then click Run.
b. Type mmc, and then press ENTER.
c. On the File menu, click Add/Remove Snap-in.
d. In the Add or Remove Snap-ins dialog box, under Available snap-ins,
click Group Policy Object Editor, and then click Add.
e. In the Select Group Policy Object dialog box, click Finish, and then click
OK.
f. In the console tree, expand Local Computer Policy/Computer
Configuration/Administrative Templates/Windows
Components/Security Center.
g. Double-click Turn on Security Center (Domain PCs only), click
Enabled, and then click OK.
h. Close the console window. When prompted to save settings, click No.
8 Lab Answer Key: Configuring Network Access Protection

2. Enable the DHCP enforcement client:

a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type napclcfg.msc, and then press ENTER
c. In the console tree, click Enforcement Clients.
d. In the details pane, right-click DHCP Quarantine Enforcement Client,
and then click Enable.
e. Close the NAP Client Configuration console.
3. Enable and start the NAP agent service:
a. Click Start, click Control Panel, click System and Maintenance, and then
click Administrative Tools.
b. Double-click Services.
c. In the services list, double-click Network Access Protection Agent.
d. In the Network Access Protection Agent Properties(Local Computer)
dialog box, change the Startup type to Automatic, and then click Start.
e. Wait for the NAP agent service to start, and then click OK.
f. Close the Services console, and then close the Administrative Tools and
System and Maintenance windows.
4. Configure NYC-CL1 for DHCP address assignment:
a. Click Start, and then click Control Panel.
b. Click Network and Internet, click Network and Sharing Center, and
then click Manage network connections.
c. Right-click Local Area Connection, and then click Properties.
d. In the Local Area Connection Properties dialog box, clear the Internet
Protocol Version 6 (TCP/IPv6) check box. This reduces the lab’s
complexity, particularly for those who are not familiar with IPv6.
e. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
f. Verify that Obtain an IP address automatically and Obtain DNS server
address automatically are selected.
g. Click OK, and then click Close to close the Local Area Connection
Properties dialog box.
 Lab Answer Key: Configuring Network Access Protection 9

h. Close the Network Connections and Network and Sharing Center

windows.
i. Restart NYC-CL1. After the computer restarts, log on as Administrator
with the password of Pa$$w0rd.

f Task 7: Test NAP Enforcement

1. Verify DHCP assigned address and current Quarantine State:
a. On NYC-CL1, click Start, click All Programs, click Accessories, right-click
Command Prompt, and then click Run as administrator.
b. At the command prompt, type ipconfig /all, and then press ENTER.
c. Verify the connection-specific DNS suffix of Woodgrovebank.com and a
Quarantine State of Not Restricted.
2. Configure the System Health Validator policy to require antivirus software:
a. On NYC-SVR1, open the Network Policy Server console.
b. Expand Network Access Protection, and then click System Health
Validators.
c. Under Name, in the details pane, double-click Windows Security Health
Validator.
d. In the Windows Security Health Validator Properties dialog box, click
Configure.
e. In the Windows Security Health Validator dialog box, under Virus
Protection, select the An antivirus application is on check box.
f. Click OK, and then click OK again to close the Windows Security Health
Validator Properties window.
3. Verify the restricted network on NYC-CL1:
a. On NYC-CL1, click Start, click All Programs, click Accessories, right-click
Command Prompt, and then click Run as administrator.
b. At the command prompt, type ipconfig /release.
c. At the command prompt, type ipconfig /renew.
d. Verify the Connection-specific DNS suffix is now
restricted.woodgrovebank.com.
10 Lab Answer Key: Configuring Network Access Protection

e. Close the command window, and double-click the Network Access

Protection icon in the system tray. Notice it tells you the computer is not
compliant with requirements of the network.
f. Click Close.

Note: Click the Reset button before starting Exercise 2 and Log on to each
virtual machine as Woodgrovebank\Administrator with the password
Pa$$w0rd

Exercise 2: Configuring NAP for VPN Clients

f Task 1: Configure NYC-DC1 as an Enterprise Root CA
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Server Manager.
2. Under Roles Summary, click Add Roles.
3. On the Before you Begin page, click Next.
4. Select the Active Directory Certificate Services check box, and then click
Next twice.
5. On the Select Role Services page, click Next.
6. On the Specify Setup Type page, select Enterprise, and then click Next.
7. On the Specify CA Type page, select Root CA, and then click Next.
8. On the Set Up Private Key page, click Next.
9. On the Configure Cryptography for CA page, click Next.
10. On the Configure CA Name page, specify a name of Root CA, and then click
Next.
11. On the Set Validity Period page, click Next.
 Lab Answer Key: Configuring Network Access Protection 11

12. On the Configure Certificate Database page, click Next.

13. On the Confirm Installation Selections page, click Install.
14. On the Installation Results page, verify the installation succeeded, and then
click Close.
15. Close the Server Manager window.
16. On NYC-DC1, click Start, point to Administrative Tools, and then click
Certification Authority.
17. In the certsrv management console, expand Root CA, right-click Certificate
Templates, and then select Manage from the context menu.
18. In the Certificate Templates console details pane, right-click Computer, and
then choose Properties from the context menu.
19. Click on the Security tab in the Computer Properties dialog box, and then
select Authenticated Users.
20. In the permissions for Authenticated Users, select the Allow check box for
the Enroll permission, and then click OK.
21. Close the Certificate Template Console, and then close the certsrv
management console.

f Task 2: Configure NYC-SVR1 with NPS functioning as a health policy

server
1. Restart NYC-SVR1 and logon as Woodgrovebank\administrator with the
password Pa$$w0rd.
2. Obtain computer certificate on NYC-SVR1 for server-side PEAP authentication:
a. Click Start, click Run, type mmc, and then press ENTER.
b. On the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, click Certificates, click Add,
select Computer account, click Next, and then click Finish.
d. Click OK to close the Add or Remove Snap-ins dialog box.
e. In the console tree, expand Certificates, right-click Personal, point to All
Tasks, and then click Request New Certificate.
f. The Certificate Enrollment dialog box opens. Click Next.
12 Lab Answer Key: Configuring Network Access Protection

g. Select the Computer check box, and then click Enroll.

h. Verify the status of certificate installation as Succeeded, and then click
Finish.
i. Close the Console1 window.
j. Click No when prompted to save console settings.
3. Install the NPS Server role:
a. On NYC-SVR1, click Start, click Administrative Tools, and then click
Server Manager.
b. Under Roles Summary, click Add Roles, and then click Next.
c. Select the Network Policy and Access Services check box, and then click
Next twice.
d. Select the Network Policy Server and Remote Access Service check
boxes, click Next, and then click Install.
e. Verify the installation was successful, and then click Close.
f. Close the Server Manager window.
4. Configure NPS as a NAP health policy server:
a. Click Start, click Run, type nps.msc, and then press ENTER.
b. Expand Network Access Protection, and then click System Health
Validators.
c. In the middle pane under Name, double-click Windows Security Health
Validator.
d. In the Windows Security Health Validator Properties dialog box, click
Configure.
e. On the Windows Vista tab, clear all check boxes except A firewall is
enabled for all network connections.
f. Click OK to close the Windows Security Health Validator dialog box,
and then click OK to close the Windows Security Health Validator
Properties dialog box.
 Lab Answer Key: Configuring Network Access Protection 13

5. Configure health policies:

a. Expand Policies.
b. Right-click Health Policies, and then click New.
c. In the Create New Health Policy dialog box, under Policy Name, type
Compliant.
d. Under Client SHV checks, verify that Client passes all SHV checks is
selected.
e. Under SHVs used in this health policy, select the Windows Security
Health Validator check box.
f. Click OK.
g. Right-click Health Policies, and then click New.
h. In the Create New Health Policy dialog box, under Policy Name, type
Noncompliant.
i. Under Client SHV checks, select Client fails one or more SHV checks.
j. Under SHVs used in this health policy, select the Windows Security
Health Validator check box.
k. Click OK.
6. Configure network policies for compliant computers:
a. Ensure Policies is expanded.
b. Click Network Policies.
c. Disable the two default policies found under Policy Name by right-
clicking the policies, and then clicking Disable.
d. Right-click Network Policies, and then click New.
e. In the Specify Network Policy Name and Connection Type window,
under Policy name, type Compliant-Full-Access, and then click Next.
f. In the Specify Conditions window, click Add.
g. In the Select condition dialog box, double-click Health Policies.
h. In the Health Policies dialog box, under Health policies, select
Compliant, and then click OK.
i. In the Specify Conditions window, verify that Health Policy is specified
under Conditions with a value of Compliant, and then click Next.
14 Lab Answer Key: Configuring Network Access Protection

j. In the Specify Access Permission window, verify that Access granted is

selected.
k. Click Next three times.
l. In the Configure Settings window, click NAP Enforcement. Verify that
Allow full network access is selected, and then click Next.
m. In the Completing New Network Policy window, click Finish.
7. Configure network policies for noncompliant computers:
a. Right-click Network Policies, and then click New.
b. In the Specify Network Policy Name and Connection Type window,
under Policy name, type Noncompliant-Restricted, and then click Next.
c. In the Specify Conditions window, click Add.
d. In the Select condition dialog box, double-click Health Policies.
e. In the Health Policies dialog box, under Health policies, select
Noncompliant, and then click OK.
f. In the Specify Conditions window, verify that Health Policy is specified
under Conditions with a value of Noncompliant, and then click Next.
g. In the Specify Access Permission window, verify that Access granted is
selected.

Note: A setting of Access granted does not mean that noncompliant clients
are granted full network access. It specifies that the policy should continue to
evaluate the clients matching these conditions.

h. Click Next three times.

i. In the Configure Settings window, click NAP Enforcement. Select Allow
limited access, and ensure Enable auto-remediation of client computers
is already selected.
j. In the Configure Settings window, click IP Filters.
k. Under IPv4, click Input Filters, and then click New.
l. In the Add IP Filter dialog box, select Destination network. Type
10.10.0.10 next to IP address, and then type 255.255.255.255 next to
 Lab Answer Key: Configuring Network Access Protection 15

Subnet mask. This step ensures that traffic from noncompliant clients can
reach only NYC-DC1.
m. Click OK to close the Add IP Filter dialog box, and then select Permit
only the packets listed below in the Inbound Filters dialog box.
n. Click OK to close the Inbound Filters dialog box.
o. Under IPv4, click Output Filters, and then click New.
p. In the Add IP Filter dialog box, select Source network. Type 10.10.0.10
next to IP address, and then type 255.255.255.255 next to Subnet mask.
q. Click OK to close the Add IP Filter dialog box, and then select Permit
only the packets listed below in the Outbound Filters dialog box. This
step ensures that only traffic from NYC-DC1 can be sent to noncompliant
clients.
r. Click OK to close the Outbound Filters dialog box.
s. In the Configure Settings window, click Next.
t. In the Completing New Network Policy window, click Finish.
8. Configure connection request policies:
a. Click Connection Request Policies.
b. Disable the default Connection Request policy found under Policy Name
by right-clicking the policy, and then clicking Disable.
c. Right-click Connection Request Policies, and then click New.
d. In the Specify Connection Request Policy Name and Connection Type
window, under Policy name, type VPN connections.
e. Under Type of network access server, select Remote Access Server
(VPN-Dial up), and then click Next.
f. In the Specify Conditions window, click Add.
g. In the Select condition window, double-click Tunnel Type, select PPTP
and L2TP, click OK, and then click Next.
h. In the Specify Connection Request Forwarding window, verify that
Authenticate requests on this server is selected, and then click Next.
i. In the Specify Authentication Methods window, select Override network
policy authentication settings.
16 Lab Answer Key: Configuring Network Access Protection

j. Under EAP Types, click Add. In the Add EAP dialog box, under
Authentication methods, click Microsoft: Protected EAP (PEAP), and
then click OK.
k. Under EAP Types, click Add. In the Add EAP dialog box, under
Authentication methods, click Microsoft: Secured password (EAP-
MSCHAP v2), and then click OK.
l. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click
Edit.
m. Verify that Enable Quarantine checks is selected, and then click OK.
n. Click Next twice, and then click Finish.
9. Close the Network Policy Server console.

f Task 3: Configure NYC-SVR1 with the Routing and Remote Access

Service (RRAS) configured as a VPN server
1. On NYC-SVR1, click Start, click Run, type rrasmgmt.msc, and then press
ENTER.
2. In the Routing and Remote Access console, right-click NYC-SVR1, and then
click Configure and Enable Routing and Remote Access. This starts the
Routing and Remote Access Server Setup Wizard.
3. Click Next, select Remote access (dial-up or VPN), and then click Next.
4. Select the VPN check box, and then click Next.
5. Click the network interface with an IP address of 192.168.1.10. Clear the
Enable security on the selected interface by setting up static packet filters
check box, and then click Next. This ensures that NYC-SVR1 will be able to
ping NYC-DC1 when attached to the Internet subnet without requiring that
you configure additional packet filters for Internet Control Message Protocol
(ICMP) traffic.
6. On the IP Address Assignment page, select From a specified range of
addresses, and then click Next.
7. On the Address Range Assignment page, click New. Type 10.10.0.100 next
to Start IP address and 10.10.0.110 next to End IP address, and then click
OK. Verify that 11 IP addresses were assigned for remote clients, and then
click Next.
 Lab Answer Key: Configuring Network Access Protection 17

8. On the Managing Multiple Remote Access Servers page, ensure No, use
Routing and Remote Access to authenticate connection requests is already
selected and then click Next.
9. And then click Finish.
10. Click OK twice, and wait for the Routing and Remote Access Service to start.
11. Open the Network Policy Server console from the Administrative Tools
menu, ensure Policies is expanded select Connection Request Policies, and
then disable the Microsoft Routing and Remote Access Service Policy by
right-clicking the policy and choosing Disable.
12. Close the Network Policy Server management console.
13. Close Routing and Remote Access.

f Task 4: Allow ping on NYC-SVR1

1. Click Start, click Administrative Tools, and then click Windows Firewall
with Advanced Security.
2. Click on Inbound Rules and then Right-click Inbound Rules, and then click
New Rule.
3. Select Custom, and then click Next.
4. Select All programs, and then click Next.
5. Next to Protocol type, select ICMPv4, and then click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and
then click Next.
7. Click Next to accept the default scope.
8. In the Action window, verify that Allow the connection is selected, and then
click Next.
9. Click Next to accept the default profile.
10. In the Name window, under Name, type ICMPv4 echo request, and then click
Finish.
11. Close the Windows Firewall with Advanced Security console.
18 Lab Answer Key: Configuring Network Access Protection

f Task 5: Configure NYC-CL1 as a VPN and NAP client

1. Configure NYC-CL1 so that Security Center is always enabled:
a. Click Start, point to All Programs, click Accessories, and then click Run.
b. Type gpedit.msc, and then press ENTER.
c. In the console tree, click Local Computer Policy/Computer
Configuration/Administrative Templates/Windows
Components/Security Center.
d. Double-click Turn on Security Center (Domain PCs only), click
Enabled, and then click OK.
e. Close the Local Group Policy Object Editor console.
2. Enable the remote-access, quarantine-enforcement client:
a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type napclcfg.msc, and then press ENTER.
c. In the console tree, click Enforcement Clients.
d. In the details pane, right-click Remote Access Quarantine Enforcement
Client, and then click Enable.
e. Close the NAP Client Configuration window.
3. Enable and start the NAP agent service:
a. Click Start, click Control Panel, click System and Maintenance, and then
click Administrative Tools.
b. Double-click Services.
c. In the Services list, double-click Network Access Protection Agent.
d. In the Network Access Protection Agent Properties dialog box, change
the Startup type to Automatic, and then click Start.
e. Wait for the NAP Agent service to start, and then click OK.
f. Close the Services console, and then close the Administrative Tools, and
System and Maintenance windows.
 Lab Answer Key: Configuring Network Access Protection 19

4. Configure NYC-CL1 for the Internet network segment:

a. Click Start, right-click Network, and then click Properties.
b. Click Manage Network Connections.
c. Right-click Local Area Connection, and then click Properties.
d. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
e. Ensure Use the following IP address is already clicked. Next to IP
address, type 192.168.1.20. Next to Subnet mask, type 255.255.255.0.
Remove the Default gateway.
f. Next to Preferred DNS server, remove 10.10.0.10.
g. Click OK, and then click Close to close the Local Area Connection
Properties dialog box.
h. Close the Network Connections window.
5. Verify network connectivity for NYC-CL1:
a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type cmd, and then press ENTER.
c. At the command prompt, type ping 192.168.1.10
d. Verify that the response reads “Reply from 192.168.1.10”
e. Close the command window.
6. Configure a VPN connection:
a. Click Start, click Control Panel, click Network and Internet, and then
click Network and Sharing Center.
b. Click Set up a connection or network.
c. On the Choose a connection option page, click Connect to a workplace,
and then click Next.
d. On the How do you want to connect page, click Use my Internet
connection (VPN).
e. Click I’ll set up an Internet connection later.
f. On the Type the Internet address to connect to page, next to Internet
address, type 192.168.1.10. Next to Destination name, type
Woodgrovebank. Select the Allow other people to use this connection
check box, and then click Next.
20 Lab Answer Key: Configuring Network Access Protection

g. On the Type your user name and password page, type administrator
next to User name, and type Pa$$w0rd next to Password. Select the
Remember this password check box, type Woodgrovebank next to
Domain (optional), and then click Create.
h. On The connection is ready to use page, click Close.
i. In the Network and Sharing Center window, click Manage Network
Connections.
j. Under Virtual Private Network, right-click the WoodGroveBank
connection, click Properties, and then click the Security tab.
k. Select Advanced (custom settings), and then click Settings.
l. Under Logon security, select Use Extensible Authentication Protocol
(EAP), and then select Protected EAP (PEAP) (encryption enabled).
m. Click Properties.
n. Ensure that Validate server certificate check box is already selected.
Clear the Connect to these servers check box, and then Ensure that
Secured Password (EAP-MSCHAP v2) is already selected, under Select
Authentication Method. Clear the Enable Fast Reconnect check box, and
then select the Enable Quarantine checks check box.
o. Click OK three times to accept these settings.
7. Test the VPN connection:
a. In the Network Connections window, right-click the Woodgrovebank
connection, and then click Connect.
b. In the Connect Woodgrovebank window, click Connect.
c. Verify that the administrator account credentials are entered and that the
Save this user name and password for future use check box is selected,
and then click OK.
d. You are presented with a Validate Server Certificate window the first
time this VPN connection is used. Click View Server Certificate, and
verify that Certificate Information states that the certificate was issued to
NYC-SVR1.Woodgrovebank.com by Root CA. Click OK to close the
Certificate window, and then click OK.
e. Wait for the VPN connection to be made. Because NYC-CL1 is compliant,
it should have unlimited access to the intranet subnet.
 Lab Answer Key: Configuring Network Access Protection 21

f. Click Start, click All Programs, click Accessories, and then click
Command Prompt.
g. Type ipconfig /all, and view the IP configuration. System Quarantine
State should be Not Restricted.
h. In the Command window, type ping 10.10.0.10. This should be
successful. Type ping 10.10.0.24. This also should be successful. The
client now meets the requirement for VPN full connectivity.
i. Disconnect from the Woodgrovebank VPN.
8. Configure Windows Security Health Validator to require an antivirus
application:
a. On NYC-SVR1, open Network Policy Server.
b. Expand Network Access Protection, and then click System Health
Validators.
c. Double-click Windows Security Health Validator, and then click
Configure.
d. In the Windows Security Health Validator dialog box, under Virus
Protection, select the An antivirus application is on check box.
e. Click OK, and then click OK again to close the Windows Security Health
Validator Properties window.
9. Verify the client is placed on the restricted network:
a. On NYC-CL1, in the Network Connections window, right-click the
WoodGroveBank connection, and then click Connect.
b. Click Connect, and then click OK.
c. Wait for the VPN connection to be made. You might see a message in the
notification area that indicates the computer does not meet health
requirements. This message is displayed because antivirus software has
not been installed.
d. Click Start, click All Programs, click Accessories, and then click
Command Prompt.
22 Lab Answer Key: Configuring Network Access Protection

e. Type ipconfig /all, and view the IP configuration. System Quarantine

State should be Restricted.
The client does not meet the requirements for the network, and therefore
is placed on the restricted network.
Try to ping 10.10.0.24. This should be unsuccessful.
Try to ping 10.10.0.10. This is the only server to which the policy allows
access.
f. Disconnect from Woodgrovebank VPN.

f Task 6: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Configuring IPsec 1

Module 9
Lab Answer Key: Configuring IPsec
Contents:
Exercise 1: Preparing the Network Environment
for IPsec NAP Enforcement 2
Exercise 2: Configuring and Testing IPsec NAP
Enforcement 9
2 Lab Answer Key: Configuring IPsec

Lab: Configuring IPsec NAP

Enforcement
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Preparing the Network Environment for Internet

Protocol security (IPsec) Network Access Protection (NAP)
Enforcement
f Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-CL1, and 6421A-NYC-
CL2 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL2, click Launch
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

f Task 2: Open the Server Manager tool on 6421A-NYC-DC1

• If necessary, on NYC-DC1, open Server Manager from the Administrative
Tools menu.

f Task 3: Install the Network Policy Services (NPS), Health Registration

Authority (HRA), and Certificate Authority (CA) server roles
1. In Server Manager, right-click Roles, and then click Add Roles on the context
menu.
 Lab Answer Key: Configuring IPsec 3

2. Click Next on the Before you Begin page, and on the Select Server Roles
page, select the Network Policy and Access Services check box. Then click
Next twice.
3. On the Select Role Services page, select the Health Registration Authority
check box, click Add Required Role Services in the Add Roles Wizard
window that appears, and then click Next.
4. Select Install a local CA to issue health certificates for this HRA server, and
then click Next.
5. Select No, allow anonymous requests for health certificates, and then click
Next. This choice allows computers to be enrolled with health certificates in a
workgroup environment.
6. Select Don’t use SSL or Choose a certificate for SSL encryption later, and
then click Next twice. We recommend Secure Sockets Layer (SSL), but it is not
required for HRA to function.
7. On the Select Role Services page, verify that only the Certification Authority
check box is selected, and then click Next.
8. On the Specify Setup Type page, select Standalone, and then click Next.
9. On the Specify CA Type page, select Root CA, and then click Next.
10. Click Next twice to accept the default private key and cryptographic settings.
11. On the Configure CA Name page, under Common name for this CA, type
Woodgrovebank-RootCA, and then click Next.
12. On the Set Validity Period page, click Next.
13. In the Configure Certificate Database window, click Next twice.
14. On the Select Role Services page for the Web Server, click Next.
15. On the Confirm Installation Selections page, click Install.
16. On the Installation Results page, notice that the Network Policy and Access
Services installation succeeded with errors. This is because you installed the
CA after the HRA role, so it could not be reached. Verify that all other
installations were successful, and then click Close.
17. Close Server Manager.
4 Lab Answer Key: Configuring IPsec

f Task 4: Configure HRA with permissions

1. Open the Certification Authority administrative tool from the Start Menu,
Administrative Tools location.
2. In the Certification Authority console tree, right-click WoodgroveBank-
RootCA, and then click Properties.
3. Click the Security tab, and then click Add.
4. Under Enter the object names to select (examples), type Network Service,
and then click OK.
5. Click Network Service, and select the Allow checkboxes for Issue and
Manage Certificates, Manage CA, and Request Certificates.
6. Click the Policy Module tab, and then click Properties. Select Follow the
settings in the certificate template, if applicable. Otherwise, automatically
issue the certificate, and then click OK.
7. At the message prompt, click OK to restart Active Directory® Certificate
Services.
8. Click OK to close the Properties dialog box.
9. In the list pane of the Certification Authority tool, right-click WoodgroveBank-
RootCA, point to All Tasks, and then click Stop Service. After it stops, restart
the service by clicking Start Service.
10. Close the Certification Authority console.

f Task 5: Configure CA properties on HRA

1. On NYC-DC1, click Start, click Run, type MMC, and then click OK.
2. In the Console1 Microsoft Management Console (MMC) window, click File,
and then click Add/Remove Snap-in. From the available snap-ins, select
Health Registration Authority, and then click Add. In the Health
Registration Authority dialog box, click OK to accept the default Local
Computer.
3. Click OK to close the Add or Remove Snap-ins window.
4. In the Health Registration Authority console tree, select and then right-click
Certification Authority, and then click Add certification authority.
5. Click Browse, click WoodGroveBank-RootCA, and then click OK.
 Lab Answer Key: Configuring IPsec 5

6. Click OK, and then verify that \\NYC-

DC1.Woodgrovebank.com\Woodgrovebank-RootCA is displayed in the
details pane.
7. In the list pane, right-click Certification Authority, and select Properties from
the context menu.
8. Verify that Use standalone certification authority is selected, and then click
OK.
9. Close the Health Registration Authority console. Do not save changes to the
console.

f Task 6: Configure NPS as a NAP health-policy server

1. Click Start, click Run, type nps.msc, and then press ENTER.
2. In the details pane, under Standard Configuration, click Configure NAP.
3. On the Select Network Connection Method for Use with NAP page, under
Network connection method, select IPsec with Health Registration
Authority (HRA), and then click Next.
4. On the Specify NAP Enforcement Servers Running HRA page, click Next.
Because this NAP health policy server has HRA installed locally, you do not
need to add Remote Authentication Dial-In User Service (RADIUS) clients.
5. On the Configure User Groups and Machine Groups page, click Next.
6. On the Define NAP Health Policy page, verify that the Windows Security
Health Validator and Enable auto-remediation of client computers check
boxes are selected, and then click Next.
7. On the Completing NAP Enforcement Policy and RADIUS Client
Configuration page, click Finish.
8. Leave the Network Policy Server console open for the following task.

f Task 7: Configure system health validators

1. In the NPS console tree, click Network Access Protection, and then in the
details pane, click Configure System Health Validators.
2. In the details pane, under Name, double-click Windows Security Health
Validator.
6 Lab Answer Key: Configuring IPsec

3. In the Windows Security Health Validator Properties dialog box, click

Configure.
4. On the Windows Vista tab, clear all check boxes, except A firewall is enabled
for all network connections.
5. Click OK to close the Windows Security Health Validator dialog box, and
then click OK to close the Windows Security Health Validator Properties
dialog box.
6. Close the Network Policy Server console.

f Task 8: Configure Computer Certificate AutoEnrollment in Group

Policy
1. On NYC-DC1, click Start and in the Start Search text box, type GPMC.msc,
and then press ENTER.
2. In the Group Policy Management console, expand Forest, expand Domains,
and then expand Woodgrovebank.com.
3. Right-click the Default Domain Policy, and then click Edit.
4. Under Computer Configuration, expand Policies, expand Windows
Settings, expand Security Settings, and select Public Key Policies.
5. In the details pane, double-click Certificate Services Client – Auto-
Enrollment.
6. In the Define Policy Settings dialog box, set the following:
a. Configuration Model: Enabled
b. Select Renew expired certificates, update pending certificates, and
remove revoked certificates
c. Select Update certificates that use certificate templates
7. Click OK, and close the Group Policy Management Editor.
8. Close the Group Policy Management console.

f Task 9: Configure NYC-CL1 and NYC-CL2 so that Security Center

always is enabled
1. Log on to NYC-CL1 as Woodgrovebank\administrator with the password
Pa$$w0rd.
 Lab Answer Key: Configuring IPsec 7

2. Click Start and in the Search text box, type gpedit.msc, and then press
ENTER.
3. In the Local Group Policy Object Editor console tree, expand Local
Computer Policy/Computer Configuration/Administrative
Templates/Windows Components/Security Center.
4. In the details pane, double-click Turn on Security Center (Domain PCs
only), click Enabled, and then click OK.
5. Close the Local Group Policy Object Editor console.
6. Repeat steps 1 through 5 on NYC-CL2.

f Task 10: Enable the IPsec enforcement client, and configure client
health-registration settings
1. On NYC-CL1, click Start and in the Start Search text box, type napclcfg.msc,
and then press ENTER.
2. In the NAP Client Configuration console tree, click Enforcement Clients.
3. In the details pane, right-click IPsec Relying Party, and then click Enable.
4. In the NAP Client Configuration console tree, double-click Health
Registration Settings.
5. Right-click Trusted Server Groups, and then click New.
6. Under Group Name, type Trusted HRA Servers, and then click Next.
7. Clear the Require server verification (https) for all servers in this group
check box.
8. Under Add URLs of the health registration authority that you want the
client to trust, type http://nyc-
dc1.woodgrovebank.com/domainhra/hcsrvext.dll, and then click Add.
9. Under Add URLs of the health registration authority that you want the
client to trust, type http://nyc-dc1.woodgrovebank.com
/nondomainhra/hcsrvext.dll, and then click Add.
10. Click Finish to complete the process of adding HRA trusted server groups.
11. In the console tree, click Trusted Server Groups, and then in the details pane,
click Trusted HRA Servers.
8 Lab Answer Key: Configuring IPsec

12. Verify that the URLs you typed are entered correctly in the details pane under
Properties. You must enter the URLs correctly or the client computer will be
unable to obtain a health certificate, and it will be denied access to the IPsec-
protected network.
13. Close the NAP Client Configuration window.
14. Repeat steps 1 through 13 on NYC-CL2.

f Task 11: Configure and start the NAP Agent service

1. On NYC-CL1, click Start, and in the Start Search text box, type services.msc,
and then press ENTER.
2. In the list of services, double-click Network Access Protection Agent.
3. In the Network Access Protection Agent Properties dialog box, change the
value of Startup type from Manual to Automatic.
4. Under Service status, click Start.
5. Wait for the NAP agent service to start, and then click OK.
6. Close the Services console.
7. Repeat steps 1 through 6 for NYC-CL2.

f Task 12: Allow ICMP through the Windows Firewall

1. On NYC-CL1, click Start and in the Start Search text box, type wf.msc, and
then press ENTER.
2. In the console tree, select and right-click Inbound Rules, and then click New
Rule.
3. Select Custom, and then click Next.
4. Select All programs, and then click Next.
5. Next to Protocol type, select ICMPv4, and then click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and
then click Next.
7. Click Next to accept the default scope.
8. On the Action page, verify that Allow the connection is chosen, and then click
Next.
 Lab Answer Key: Configuring IPsec 9

9. Click Next to accept the default profile.

10. In the Name window, under Name, type ICMPv4 echo request, and then click
Finish.
11. Close the Windows Firewall with Advanced Security console.
12. Repeat steps 1 through 11 on NYC-CL2.

Exercise 2: Configuring and Testing IPsec NAP Enforcement

f Task 1: Create an IPsec Secure Organizational Unit in Active Directory
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In the console tree, right-click WoodgroveBank.com, point to New, and then
click Organizational Unit.
3. Under Name, type IPsec Secure, and then click OK.
4. Leave the Active Directory Users and Computers console open.

f Task 2: Create IPsec policies for the IPsec Secure OU

1. On NYC-DC1, click Start, and then click Run.
2. Type gpmc.msc, and then press ENTER.
3. Expand Forest, expand Domains, expand Woodgrovebank.com, and right-
click the IPsec Secure organizational unit.
4. From the context menu, select Create a GPO in this domain, and Link it
here.
5. In the New GPO dialog box, in the Name text box, type Secure Policy, and
then click OK.
6. Expand IPsec Secure in the list pane, right-click Secure Policy, and then click
Edit.
7. The Group Policy Management Editor console opens. In the console tree,
open Secure Policy [nyc-dc1.woodgrovebank.com] Policy\Computer
Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security – LDAP.
10 Lab Answer Key: Configuring IPsec

8. Right-click Windows Firewall with Advanced Security - LDAP, and then click
Properties.
9. On the Domain Profile tab, next to Firewall state, select On
(recommended). Next to Inbound connections, select Block (default). Next
to Outbound connections, select Allow (default). The private and public
profiles will use the same settings.
10. Click the Private Profile tab. Next to Firewall state, select On
(recommended). Next to Inbound connections, select Block (default). Next
to Outbound connections, select Allow (default).
11. Click the Public Profile tab. Next to Firewall state, select On
(recommended). Next to Inbound connections, select Block (default). Next
to Outbound connections, select Allow (default), and then click OK.
12. In the Group Policy Management Editor console tree, under Windows
Firewall with Advanced Security - LDAP, select and then right-click
Connection Security Rules, and then click New Rule.
13. In the New Connection Security Rule Wizard, on the Rule Type page, verify
that Isolation is selected, and then click Next.
14. On the Requirements page, select Require authentication for inbound
connections and request authentication for outbound connections, and
then click Next.
15. On the Authentication Method page, select Computer certificate, select the
Only accept health certificates check box, and then click Browse.
16. Click WoodGroveBank-RootCA, click OK, and then click Next.
17. On the Profile page, verify that the Private, Public, and Domain check boxes
are selected, and then click Next.
18. On the Name page, under Name, type Secure Rule, and then click Finish.
19. In the Group Policy Management Editor console tree, under Windows
Firewall with Advanced Security - LDAP, select and then right-click Inbound
Rules, and then click New Rule.
20. Choose Predefined, select File and Printer Sharing from the list of rules, and
then click Next twice.
21. On the Action page, select Allow the connection if it is secure, click Next,
and then click Finish.
22. Close the Group Policy Management Editor console.
 Lab Answer Key: Configuring IPsec 11

f Task 3: Move NYC-CL1 and NYC-CL2 into the IPsec Secure OU

1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In the Active Directory Users and Computers console tree, open
Woodgrovebank.com, and then click Computers.
3. Right-click NYC-CL1, and then click Move.
4. In the Move dialog box, click IPsec Secure, and then click OK.
5. Right-click NYC-CL2, and then click Move.
6. In the Move dialog box, click IPsec Secure, and then click OK.
7. Close the Active Directory Users and Computers console.

f Task 4: Apply Group Policies

1. On NYC-CL1 and NYC-CL2, click Start, point to All Programs, point to
Accessories, and then click Command Prompt.
2. In the command window, type gpupdate /force, and then press ENTER.
3. Verify that the response reads User Policy update has completed
successfully and Computer Policy update has completed successfully.
4. Leave the command windows open for the following tasks.

f Task 5: Verify health certificate status

1. On NYC-CL1, click Start, in the Start Search text box, type MMC, and then
press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Click Certificates, click Add, select Computer account, and then click Next.
4. Verify that Local computer: (the computer this console is running on) is
selected, click Finish, and then click OK.
5. In the console tree, double-click Certificates (Local Computer), double-click
Personal, and then click Certificates.
12 Lab Answer Key: Configuring IPsec

6. In the details pane, under Issued By, verify Woodgrovebank-RootCA is

displayed. Verify that Intended Purposes shows System Health
Authentication.
7. Close the MMC console, and do not save changes.

f Task 6: Verify clients can communicate securely

1. On NYC-CL1, click Start, and in the Start Search text box, type \\NYC-CL2\,
and then press ENTER.
2. Verify that the share’s contents appear in the window.
3. Click Start, in the Start Search text box, type wf.msc, and then press ENTER.
4. In the Windows Firewall with Advanced Security console list pane, expand
Monitoring, expand Security Associations, and select Main Mode.
5. In the details pane, you should see an entry for secure communications
between NYC-CL1 and NYC-CL2. Double-click the entry, and review the
contents of the General tab. You should see Computer certificate for First
Authentication, Encryption using AES-128 and Integrity accomplished
using SHA1.
6. Close the dialog box, and then close Windows Firewall with Advanced
Security.
7. Close the nyc-cl2 window.

f Task 7: Demonstrate Network Restriction

Note: NAP compliance will require automatic updates by enabling this system
health check in the Windows Security Health Validator.

1. On NYC-DC1, click Start, click Run, type nps.msc, and then press ENTER.
2. In the console tree, open Network Access Protection, and then click System
Health Validators.
3. In the details pane, double-click Windows Security Health Validator, and
then click Configure.
 Lab Answer Key: Configuring IPsec 13

4. In the Windows Security Health Validator dialog box, under Automatic

Updating, select the Automatic updating is enabled check box, and then
click OK twice.

Note: To demonstrate network restriction of noncompliant clients, you must

disable auto remediation of client computers in the noncompliant network policy.

5. In the Network Policy Server console tree, expand Policies, and then click
Network Policies.
6. In the details pane, double-click NAP IPsec with HRA Noncompliant.
7. Click the Settings tab, click NAP Enforcement, clear the Enable auto-
remediation of client computers check box, and then click OK.
8. Close the Network Policy Server console.
9. On NYC-CL1, in the command window, type ping -t NYC-CL2, and then press
ENTER. A continuous ping will run from NYC-CL1 to NYC-CL2. This should
be successful
10. On NYC-CL2, click Start, click Control Panel, and then click Security.
11. Under Windows Update, click Turn automatic updating on or off.
12. Select Never check for updates (not recommended), and then click OK.

Note: If it is already selected, select Check for updates, click OK, and then select
Never check for updates.

This setting causes NYC-CL2 to be noncompliant with network health policy.

Because auto remediation has been disabled, NYC-CL2 will remain in a
noncompliant state and will be placed on the restricted network.
13. Do not close the Security control panel on NYC-CL2. It will be used to re-
enable Windows Update.
14. On NYC-CL1, verify that the response in the command window has changed
to Request timed out.
15. On NYC-CL1, click Start, and in the Start Search text box, type \\NYC-CL2\
and verify that the share is inaccessible.
14 Lab Answer Key: Configuring IPsec

16. On NYC-CL2, in the Security control panel under Windows Update, click
Turn automatic updating on or off.
17. Select Install updates automatically (recommended), and then click OK.
This setting will cause NYC-CL2 to send a new Statement of Health (SoH) that
indicates it is compliant with network health requirements, and NYC-CL2 will
be granted full network access.
18. On NYC-CL1, verify that the response in the command window changes to
Reply from 10.10.0.60. It might take a minute before you see the change in
status.
19. Verify that you can browse the share of NYC-CL2 (\\NYC-CL2\).
20. Close all open windows.

f Task 8: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Monitoring and Troubleshooting IPSec 1

Module 10
Lab Answer Key: Monitoring and
Troubleshooting IPSec
Contents:
Exercise 1: Monitoring IPSec Connectivity 2
Exercise 2: Configuring Connection Security 6
Exercise 3: Troubleshooting IPSec 8
2 Lab Answer Key: Monitoring and Troubleshooting IPSec

Lab: Monitoring and

Troubleshooting IPsec
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Monitoring Internet Protocol security (IPsec)

Connectivity
f Task 1: Start the 6421A-NYC-DC1 and 6421A-NYC-SVR1 virtual
machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Create an IPsec Negotiation policy on NYC-DC1

1. On NYC-DC1, click Start, click All Programs, click Administrative Tools, and
then click Local Security Policy.
2. Right-click the IP Security Policies on Local Computer node, and then click
Create IP Security Policy.
3. On the Welcome screen of the IP Security Policy Wizard, click Next.
4. In the Name box, type SecureFileSharing. In the Description field, type
Policy to encrypt SMB, and then click Next.
5. Ensure that Activate the default response rule is not selected, and then click
Next.
6. In the Completing the IP Security Policy Wizard dialog box, ensure that Edit
properties is selected, and then click Finish.
 Lab Answer Key: Monitoring and Troubleshooting IPSec 3

7. In the SecureFileSharing Properties dialog box, click Add.

8. In the Welcome to the Create IP Security Rule Wizard, click Next.
9. In the Tunnel Endpoint dialog box, ensure that This rule does not specify a
tunnel is clicked. Click Next.
10. In the Network Type dialog box, click All network connections, and then
click Next.
11. In the IP Filter List dialog box, click Add.
12. A new dialog box that also is called IP Filter List appears. Type
SecureSMBTCP, and then Add.
13. On the Welcome screen of the IP Filter Wizard, click Next.
14. In the Description text box, type SMB IPsec Filter. Click Next.
15. In the IP Traffic Source dialog box, ensure that Any IP Address is clicked, and
then click Next.
16. In the IP Traffic Destination dialog box, ensure that Any IP Address is
clicked, and then click Next.
17. In the IP Protocol Type dialog box, click TCP in the drop-down list, and then
click Next.
18. In the IP Protocol Port dialog box, select From this port, type 445 in the text
box, ensure that To Any port is selected, and then click Next.
19. On the Completing the IP Filter Wizard screen, click Finish, and then click
OK.
20. In the IP Filter List dialog box, click Add.
21. A new dialog box that also is called IP Filter List appears. Type
SecureSMBUDP, and then click Add.
22. On the Welcome screen of the IP Filter Wizard, click Next.
23. In the Description text box, type SMB IPsec Filter, and then click Next.
24. In the IP Traffic Source dialog box, ensure that Any IP Address is clicked, and
then click Next.
25. In the IP Traffic Destination dialog box, ensure that Any IP Address is
clicked, and then click Next.
26. In the IP Protocol Type dialog box, click UDP in the drop-down list, and then
click Next.
4 Lab Answer Key: Monitoring and Troubleshooting IPSec

27. In the IP Protocol Port dialog box, select From this port, type 445 in the text
box, ensure that To Any port is selected, and then click Next.
28. On the Completing the IP Filter Wizard screen, click Finish, and then click
OK.
29. In the IP Filter list, select SecureSMBTCP, and then click Next.
30. In the Filter Action dialog box, click Add.
31. In the Filter Action Wizard dialog box, click Next.
32. In the Filter Action Name dialog box, type SecureTransmissionFilter, and
then click Next.
33. In the Filter Action General Options dialog box, ensure Negotiate Security is
selected, and then click Next.
34. In the Communicating with computers that do not support IPsec dialog
box, ensure Do not allow unsecured communication is selected, and then
click Next.
35. In the IP Traffic Security dialog box, ensure that Integrity and encryption is
selected, and then click Next.
36. On the Completing the IP Security Filter Action Wizard screen, click Finish.
37. In the Filter Action dialog box, select SecureTransmissionFilter, and then
click Next.
38. In the Authentication Method dialog box, ensure Active Directory default
(Kerberos V5 protocol) is selected, and then click Next.
39. On the Completing the Security Rule Wizard screen, click Finish.
40. In the SecureFileSharing Properties dialog box, click OK.

f Task 3: Export the policy from NYC-DC1

1. In the Local Security Policy Microsoft Management Console (MMC) console,
right-click IP Security Policies on Local Computer, click All Tasks, and then
click Export Policies.
2. In the Save As dialog box, type
D:\LabFiles\Module10\IPsecurityPolicy.ipsec, and then click Save.
 Lab Answer Key: Monitoring and Troubleshooting IPSec 5

f Task 4: Import the security policy to NYC-SVR1

1. On NYC-SVR1, open the local security policy. To do this, click Start, click
Administrative Tools, and then click Local Security Policy.
2. Right-click IP Security Policies on Local Computer, click All Tasks, and then
click Import Policies.
3. Read the IP Security Import warning, and then click Yes.
4. In the Open dialog box, navigate to \\NYC-DC1\Module10, and then double-
click IPsecurityPolicy.ipsec.

f Task 5: Use the IP Security Monitor to validate that the negotiation

policy is working
1. On NYC-SVR1, click IP Security Policies on Local Computer.
2. In the details pane, right-click SecureFileSharing, and then click Assign.
3. Repeat steps 1 and 2 on NYC-DC1.
4. On NYC-DC1, click Start, and then click Run.
5. In the Run dialog box, type MMC, and then press ENTER.
6. In the blank MMC window, click File, and then click Add/Remove Snap-in.
7. In the Available snap-ins list, scroll down the list, and select IP Security
Monitor.
8. Click Add, and then click OK.
9. The blank MMC window now will include an IP Security Monitor node.
10. Expand the IP Security Monitor node, and then expand the NYC-DC1 node.
Notice the Main Mode and Quick Mode nodes. Browse through both nodes,
and note the different statistics and information.
11. On NYC-SVR1, establish a network file-share session by accessing a share on
NYC-DC1. To do this, click Start, click Run, type \\NYC-DC1\Module10, and
then press ENTER.
12. After the connection is established, review the updated statistics in the IP
Security Monitoring node, which is open on NYC-DC1.
6 Lab Answer Key: Monitoring and Troubleshooting IPSec

Exercise 2: Configuring Connection Security

f Task 1: Disable the IP Security Policy that you created in the previous
exercise
1. On NYC-DC1, open the local security policy. To do this, click Start, click
Administrative Tools, and then click Local Security Policy.
2. Click IP Security Policies on Local Computer.
3. In the details pane, right-click SecureFileSharing, and then click Un-assign.
4. Repeat steps 1 through 3 on NYC-SVR1.
5. Close all windows on both NYC-DC1 and NYC-SVR1 and do not save changes
to the console.

f Task 2: Configure a Security Association rule in the Windows Firewall

with Advanced Security MMC
1. On NYC-DC1, click Start, click Administrative Tools, and then click
Windows Firewall with Advanced Security.
2. Select and then right-click Connection Security Rules, and then click New
Rule.
3. In the New Connection Security Rule Wizard, select Server-to-server, and
then click Next.
4. In the Endpoints dialog box, ensure that Any IP Address is selected for both
options, and then click Next.
5. In the Requirements dialog box, select Require authentication for inbound
and outbound connections, and then click Next.
6. In the Authentication Method dialog box, select Preshared key, type
Pa$$w0rd in the text box, and then click Next.
7. On the Profile page, verify that the Domain, Private, and Public options are
selected, and then click Next.
8. In the Name box, type SecureServerAuthenticationRule, and then click
Finish.
9. Perform steps 1 through 8 on NYC-SVR1.
 Lab Answer Key: Monitoring and Troubleshooting IPSec 7

f Task 3: Monitor the connection using the Security Association node

1. On NYC-SVR1, establish a file-connection share session to NYC-DC1. To do
this, click Start, click Run, and then ensure that \\NYC‐DC1\Module10 is 
typed. Click OK.
2. In the Windows Firewall with Advanced Security console, expand the
Monitoring node, and then expand the Security Associations node.
3. Review the Main Mode and Quick Mode nodes to view the status of the
Connection Security Rule.

f Task 4: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
8 Lab Answer Key: Monitoring and Troubleshooting IPSec

Exercise 3: Troubleshooting IPsec

Exercise Overview
In this exercise, you will review scenarios outlining common issues that can occur
when you troubleshoot IPsec, and then you will discuss possible solutions.

Scenario 1
An administrator is attempting to connect to a remote computer and monitor its
IPsec connectivity. The administrator reports that he is unable to monitor the
remote server. You ask him use the Event Viewer to identify the problem. In doing
so, the administrator notes the following error: “The IPsec server is unavailable or
incompatible with the IPsec monitor.”
Question: What can you do to resolve this issue?
Answer: The Administrator has not enabled remote IPsec monitoring on the
computer he wants to monitor. You can enable remote monitoring by configuring
the enableremotemgmt Registry key.

Scenario 2
An administrator has configured and enabled an IPsec Security policy on a file
server that stores sensitive data files. The administrator also created an Active
Directory-based policy and applied it to the organizational unit (OU) of clients that
are permitted access to the secure server. The next day, the Backup Administrator,
who is responsible for backing up the secure server, reports he was unable to
access the server from the backup server. The backup server’s computer account is
stored in an administrative OU separate from the client’s OU.
Question: Based on the information provided, why is the backup server unable to
access the secure server?
Answer: The backup server does not have an IPsec policy defined that allows it to
communicate with the secure server. The clients received an IPsec policy via a
Group Policy object (GPO). However, because the backup server was in a separate
OU, it did not receive the secure policy.
 Lab Answer Key: Configuring and Managing Distributed File System 1

Module 11
Lab Answer Key: Configuring and Managing
Distributed File System
Contents:
Exercise 1: Installing the Distributed File
System Role Service 2
Exercise 2: Creating a DFS Namespace 4
Exercise 3: Configuring Folder Targets and Folder
Replication 5
Exercise 4: Viewing Diagnostic Reports for
Replicated Folders 10
2 Lab Answer Key: Configuring and Managing Distributed File System

Lab: Configuring DFS

Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Installing the Distributed File System (DFS) Role

Service
f Task 1: Start each virtual machine and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Disable Local Area Connection 2 on NYC-SVR1

1. On NYC-SVR1, click Start, right-click Network, and then click Properties.
2. In the Tasks list, click Manage network connections.
3. Right-click Local Area Connection 2, and then click Disable.
4. Close all open windows on NYC-SVR1.

f Task 3: Install the Distributed File System Role Service on NYC-DC1

1. On NYC-DC1, if necessary, click Start, and then click Server Manager. The
Server Manager opens.
2. In the left pane, click Roles.
3. In the details pane, under Roles Summary, notice that the File Services role
has been installed. You now must add specific role services for this role.
4. Scroll down to the File Services section, and then under Role Services, click
Add Role Services. The Add Role Services wizard starts.
 Lab Answer Key: Configuring and Managing Distributed File System 3

5. On the Select Role Services page, select the Distributed File System check
box. Ensure that the File Server, Distributed File System, DFS Namespaces,
and DFS Replication check boxes all are selected, and then click Next.
6. On the Create a DFS Namespace page, click Create a namespace later using
the DFS Management snap-in in Server Manager, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. After the installation is complete, click Close.
9. In Server Manager, verify that File Server, Distributed File System, DFS
Namespaces, and DFS Replication all are installed.
10. Close Server Manager.

f Task 4: Install the Distributed File System Role Service on NYC-SVR1

1. On NYC-SVR1, click Start, and then click Server Manager. The Server
Manager opens.
2. In the left pane, click Roles.
3. In the details pane, under Roles Summary, notice that the File Services role
has been installed. You now must add specific role services for this role.
4. Scroll down to the File Services section, and then under Role Services, click
Add Role Services. The Add Role Services wizard starts.
5. On the Select Role Services page, select the Distributed File System check
box. Ensure that the File Server, Distributed File System, DFS Namespaces,
and DFS Replication check boxes all are selected, and then click Next.
6. On the Create a DFS Namespace page, click Create a namespace later using
the DFS Management snap-in in Server Manager, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. After the installation is complete, click Close.
9. In Server Manager, verify that File Server, Distributed File System, DFS
Namespaces, and DFS Replication are all installed.
10. Close Server Manager.
4 Lab Answer Key: Configuring and Managing Distributed File System

Exercise 2: Creating a DFS Namespace

f Task 1: Raise the domain functional level
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Click WoodgroveBank.com.
3. Right-click WoodgroveBank.com, and then click Raise domain functional
level. The Raise domain functional level page opens.
4. On the Raise domain functional level page, under Select an available
domain functional level, ensure that Windows Server 2008 is selected, and
then click Raise.
5. In the Raise domain functional level message box, click OK.
6. In the second message box, click OK.
7. Close Active Directory Users and Computers.

f Task 2: Use the New Namespace Wizard to create a new namespace

1. On NYC-DC1, click Start, point to Administrative Tools, and then click DFS
Management.
2. In the left pane, click Namespaces.
3. Right-click Namespaces, and then click New Namespace. The New
Namespace Wizard opens.
4. On the Namespace Server page, under Server, type NYC-DC1, and then click
Next.
5. On the Namespace Name and Settings page, under Name, type CorpDocs,
and then click Next.
6. On the Namespace Type page, ensure that Domain-based namespace is
selected, and then click Next.
7. On the Review Settings and Create Namespace page, review the settings, and
then click Create.
8. On the Confirmation page, ensure that the Status column shows Success,
and then click Close. The CorpDocs namespace has now been created.
9. In the left pane, click the plus sign next to Namespaces, and then click
\\WoodgroveBank.com\CorpDocs.
 Lab Answer Key: Configuring and Managing Distributed File System 5

10. In the details pane, click the Namespace Servers tab. Notice that the
CorpDocs namespace is hosted on a single namespace server (NYC-DC1).

f Task 3: Add an additional namespace server to host the namespace

1. On NYC-DC1, in the DFS Management console tree, right-click
\\WoodgroveBank.com\CorpDocs, and then click Add Namespace Server.
2. In the Add Namespace Server box, under Namespace server, type NYC-
SVR1, and then click OK. A progress message is displayed.
3. In the warning box, click Yes to start the Distributed File System service and
to set the service start state to Automatic.
4. In the left pane, click the plus sign next to Namespaces, and then ensue that
\\WoodgroveBank.com\CorpDocs is already clicked.
5. In the details pane, ensure Namespace Servers tab is selected. Notice that the
CorpDocs namespace is now hosted on both NYC-DC1 and NYC-SVR1.

Exercise 3: Configuring Folder Targets and Folder

Replication
f Task 1: Create the HRTemplates folder, and configure a folder target
on NYC-DC1
1. On NYC-DC1, in the DFS Management console tree, right-click
\\WoodgroveBank.com\CorpDocs, and then click New Folder.
2. In the New Folder dialog box, under Name, type HRTemplates.
3. To add a new folder target, click Add.
4. In the Add Folder Target box, click Browse.
5. In the Browse for Shared Folders box, click New Shared Folder.
6. In the Create Share box, under Share name, type HRTemplateFiles.
7. Under Local path of shared folder, type C:\HRTemplateFiles.
8. Under Shared folder permissions, select Administrators have full access;
other users have read-only permissions, and then click OK.
9. In the Warning box, click Yes to create the C:\HRTemplateFiles folder.
10. In the Browse for Shared Folders box, click OK.
6 Lab Answer Key: Configuring and Managing Distributed File System

11. In the Add Folder Target box, ensure that the path shows \\NYC-
DC1\HRTemplateFiles, and then click OK.
12. In the New Folder box, ensure that HRTemplates is listed for the Name and
\\NYC-DC1\HRTemplateFiles is listed for the Folder targets, and then click
OK.
13. In the console tree, click \\WoodgroveBank.com\CorpDocs.
14. In the details pane, click the Namespace tab. Notice that HRTemplates is
listed as an entry in the namespace.
15. In the console tree, expand \\WoodgroveBank.com\CorpDocs, and then
click HRTemplates. In the details pane, notice that on the Folder Targets tab,
one folder target is configured.
16. Click the Replication tab, and notice that replication is not configured.

f Task 2: Create the PolicyFiles folder, and configure a folder target on

NYC-SVR1
1. On NYC-DC1, in the DFS Management console tree, right-click
\\WoodgroveBank.com\CorpDocs, and then click New Folder.
2. In the New Folder dialog box, under Name, type PolicyFiles.
3. To add a new folder target, click Add.
4. In the Add Folder Target box, click Browse.
5. In the Browse for Shared Folders box, under Server, type NYC-SVR1, and
then click Show Shared Folders.
6. Click New Shared Folder.
7. In the Create Share box, under Share name, type PolicyFiles.
8. Under Local path of shared folder, type C:\PolicyFiles.
9. Under Shared folder permissions, select Administrators have full access;
other users have read-only permissions, and then click OK.
10. In the Warning box, click Yes to create the C:\PolicyFiles folder.
11. In the Browse for Shared Folders box, click OK.
12. In the Add Folder Target box, ensure that the path shows \\NYC-
SVR1\PolicyFiles, and then click OK.
 Lab Answer Key: Configuring and Managing Distributed File System 7

13. In the New Folder box, ensure that PolicyFiles is listed for the Name and
\\NYC-SVR1\PolicyFiles is listed for the Folder targets, and then click OK.
14. In the tree pane, ensure that \\WoodgroveBank.com\CorpDocs is expanded,
and then click PolicyFiles. In the details pane, notice that on the Folder
Targets tab, one folder target is configured.

f Task 3: Verify the functionality of the CorpDocs namespace

1. On NYC-DC1, click Start, and then click Run.
2. In the Run box, type \\WoodgroveBank.com\CorpDocs, and then click OK.
Notice that the HRTemplates and PolicyFiles folders both are visible. (If they
are not visible, wait approximately five minutes to complete.)
3. Double-click the HRTemplates folder.
4. Right-click within the HRTemplates folder, point to New, and then click Rich
Text Document.
5. Name the document VacationRequest.
6. In the Navigation bar, click the Back button.
7. Double-click the PolicyFiles folder.
8. Right-click within the PolicyFiles folder, point to New, and then click Rich
Text Document.
9. Name the document OrderPolicies.
10. Close the PolicyFiles window.
11. On NYC-SVR1, click Start, and then click Run.
12. In the Run box, type \\WoodgroveBank.com\CorpDocs, and then click OK.
Notice that the HRTemplates and PolicyFiles folders both are visible.
13. Browse both folders and verify that you can access the files. Close the window
when complete.
8 Lab Answer Key: Configuring and Managing Distributed File System

f Task 4: Create additional folder targets for the HRTemplates folder,

and configure folder replication
1. On NYC-DC1, in the DFS Management console tree, right-click HRTemplates,
and then click Add Folder Target.
2. In the New Folder Target box, under Path to folder target, type \\NYC-
SVR1\HRTemplates, and then click OK.
3. In the Warning box, click Yes to create the \\NYC-SVR1\HRTemplates
shared folder.
4. In the Create Share box, under Local path of shared folder, type
C:\HRTemplates.
5. Under Shared folder permissions, select Administrators have full access;
other users have read-only permissions, and then click OK.
6. In the Warning box, click Yes to create the C:\HRTemplates folder.
7. In the Replication message box, click Yes to create a replication group. A
progress bar appears followed by the Replicate Folder Wizard.
8. In the Replicate Folder Wizard, on the Replication Group and Replicated
Folder Name page, ensure that woodgrovebank.com\corpdocs\hrtemplates
is listed as the Replication group name and that HRTemplates is listed as the
Replicated folder name, and then click Next.
9. On the Replication Eligibility page, ensure that both NYC-DC1 and NYC-
SVR1 are listed, and then click Next.
10. On the Primary Member page, select NYC-DC1, and then click Next.
11. On the Topology Selection page, ensure Full mesh is selected, and then click
Next.
12. On the Replication Group Schedule and Bandwidth page, ensure that
Replicate continuously is selected with Full Bandwidth, and then click Next.
13. On the Review Settings and Create Replication Group page, review the
settings, and then click Create.
14. On the Confirmation page, ensure that all tasks are successful, and then click
Close.
15. Read the Replication Delay message, and then click OK.
 Lab Answer Key: Configuring and Managing Distributed File System 9

16. In the console tree, expand the Replication node, and then click
woodgrovebank.com\corpdocs\hrtemplates.
17. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.

f Task 5: Create additional folder targets for the PolicyFiles folder, and
configure folder replication
1. On NYC-DC1, in the DFS Management console tree, right-click PolicyFiles,
and then click Add Folder Target.
2. In the New Folder Target box, under Path to folder target, type \\NYC-
DC1\PolicyFiles, and then click OK.
3. In the Warning box, click Yes to create the \\NYC-DC1\PolicyFiles shared
folder.
4. In the Create Share box, under Local path of shared folder, type
C:\PolicyFiles.
5. Under Shared folder permissions, select Administrators have full access;
other users have read-only permissions, and then click OK.
6. In the Warning box, click Yes to create the C:\PolicyFiles folder.
7. In the Replication message box, click Yes to create a replication group. A
progress bar appears, followed by the Replicate Folder Wizard.
8. In the Replicate Folder Wizard, on the Replication Group and Replicated
Folder Name page, ensure that woodgrovebank.com\corpdocs\policyfiles is
listed as the Replication group name and that PolicyFiles is listed as the
Replicated folder name, and then click Next.
9. On the Replication Eligibility page, ensure that both NYC-DC1 and NYC-
SVR1 are listed, and then click Next.
10. On the Primary Member page, select NYC-SVR1, and then click Next.
11. On the Topology Selection page, select Full mesh, and then click Next.
12. On the Replication Group Schedule and Bandwidth page ensure that
Replicate continuously using the specified bandwidth is selected, with Full
Bandwidth, and then click Next.
13. On the Review Settings and Create Replication Group page, review the
settings, and then click Create.
10 Lab Answer Key: Configuring and Managing Distributed File System

14. On the Confirmation page, ensure that all tasks are successful, and then click
Close.
15. Read the Replication Delay message, and then click OK.
16. In the tree pane, ensure that the Replication node is expanded, and then click
woodgrovebank.com\corpdocs\policyfiles.
17. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.

Exercise 4: Viewing Diagnostic Reports for Replicated

Folders
f Task 1: Create a diagnostic report for
woodgrovebank.com\corpdocs\hrtemplates
1. On NYC-DC1, in the DFS Management console tree, under the Replication
node, right-click woodgrovebank.com\corpdocs\hrtemplates, and then click
Create Diagnostic Report. The Diagnostic Report Wizard starts.
2. On the Type of Diagnostic Report or Test page, ensure that health report is
selected, and then click Next.
3. On the Path and Name page, accept the default entries, and then click Next.
4. On the Members to include page, ensure that both NYC-DC1 and NYC-SVR1
are listed in the Included members column, and then click Next.
5. On the Options page, ensure that Yes, count backlogged files in this report
is selected, select the Count the replicated files and their sizes on each
member check box, and then click Next.
6. On the Review Settings and Create Report page, review the settings, and then
click Create.
7. In the Internet Explorer message, click Add. In the Trusted site box, click
Add again, and then click Close.
The DFS Replication Health Report Web page opens.
 Lab Answer Key: Configuring and Managing Distributed File System 11

8. Read through the report and take note of any errors or warnings. Errors will
appear if replication is still in process or has not taken place yet. When you are
finished, close the Microsoft® Internet Explorer® window.
9. Create a diagnostic report for the policyfiles replication group. Read through
the report, and take note of any errors or warnings. When you are finished,
close the Internet Explorer window. Note that there may be errors reported if
replication has not begun or finished yet.

f Task 2: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Configuring and Managing Storage Technologies 1

Module 12
Lab Answer Key: Configuring and Managing
Storage Technologies
Contents:
Exercise 1: Installing the FSRM Role Service 2
Exercise 2: Configuring Storage Quotas 3
Exercise 3: Configuring File Screening 5
Exercise 4: Generating Storage Reports 6
2 Lab Answer Key: Configuring and Managing Storage Technologies

Lab: Configuring and Managing

Storage Technologies
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Installing the File Server Resource Manager

(FSRM) Role Service
f Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

f Task 2: Install the FSRM role service on NYC-SVR1

1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the Server Manager console, click Roles. The File Services role already has
been installed.
3. Under the File Services section, next to Role Services, click Add Role
Services.
4. In the Select Role Services dialog box, select File Server Resource Manager,
and then click Next.
5. In the Configure Storage Usage Monitoring dialog box, select the
AllFiles(D:) drive, and then click Next.
6. In the Set Report Options dialog box, accept the default options, and then
click Next.
7. In the Confirm Installation Selections dialog box, click Install.
 Lab Answer Key: Configuring and Managing Storage Technologies 3

8. After the installation is complete, click Close.

9. Close the Server Manager.

Exercise 2: Configuring Storage Quotas

f Task 1: Create a quota template
1. On NYC-SVR1, open the File Server Resource Manager. To do this, click Start,
click Administrative tools, and then click File Server Resource Manager.
2. In the File Server Resource Manager console, expand Quota Management,
and then click the Quota Templates node.
3. Right-click the Quota Templates node, and then click Create Quota
Template.
4. In the Template Name box, type 100 MB Limit Log to Event Viewer.
5. Under Notifications Thresholds, click Add.
6. In the Add Threshold dialog box, click Event log. Select the Send warning to
event log option, and then click OK.
7. Click Add again. Type 100 in the Generate notification when the usages
reaches(%) text box, and then repeat Step 6 to enable the warning to be sent
to the event log.
8. In the Add Threshold dialog box, click OK. Click OK again to save the
template.

f Task 2: Configure a quota based on the quota template

1. In the File Server Resource Manager console, click the Quotas node.
2. Right-click the Quotas node, and then click Create Quota.
3. In the Create Quota dialog box, in the Quota path box, type
D:\Labfiles\Module12\Users click Auto apply template and create quotas
on existing and new subfolders, under How do you want to configure quota
properties?, in the Derive properties from this quota template
(recommended) box, click 100 MB Limit Log to Event Viewer, and then
click Create.
4 Lab Answer Key: Configuring and Managing Storage Technologies

4. Verify that each subfolder under D:\Labfiles\Module12\Users has been

configured with its own quota entry. You may have to refresh the Quotas
folder to view the changes.
5. In Windows Explorer, create a new subfolder under
D:\Labfiles\Module12\Users named User4.
6. In the File Server Resource Manager console, refresh the view in the Quotas
tab. The newly created folder will appear in the list.

f Task 3: Test that the Quota is working by generating several large files
1. Open a command prompt. To do this, click Start, and then click Command
Prompt.
2. Change to the Users folder by typing D:, and then pressing ENTER. Type
cd \labfiles\module12\users\user1, and then press ENTER.
3. At the D:\labfiles\module12\users\user1 prompt, type: fsutil file createnew
file1.txt 89400000, and then press ENTER. This creates a file that is over 85
megabytes (MB), which generates a warning in Event Viewer.
4. Check the Event Viewer. To do this, click Start, click Administrative tools,
and then click Event Viewer. Expand Windows Logs, and then click on
Application. Note the event with Event ID of 12325.
5. Switch to the command prompt. Type fsutil file createnew file2.txt
16400000, and then press ENTER. The file cannot be created because it
would surpass the quota limit.
6. In Windows Explorer, navigate to the D:\Labfiles\Module12\Users folder.
Right-click the folder, and then click Properties.
7. In the Users Properties dialog box, click Advanced. Select Compress
contents to save disk space, click OK, and then click OK again. At the
Confirm Attribute Changes box, ensure that Apply changes to this folder,
subfolders and files is selected and then click OK.
8. In the File Server Resource Manager console, in the Quotas node, click
Refresh. Notice that the amount of used space is reduced significantly.
9. Switch to the command prompt. Type fsutil file createnew file2.txt
16400000, and then press ENTER. The file now is created.
10. Close the command prompt window.
 Lab Answer Key: Configuring and Managing Storage Technologies 5

Important: When creating files, you are specifying the number of bytes they will be.
This is why they are not exactly 85000000, because a byte is only eight bits.

Important: In Step 7, when the Users folder is compressed, you reduced the file’s
actual space. If you were to specify this using NTFS file system quotas, the actual file
size would be calculated and not the compressed size.

Exercise 3: Configuring File Screening

f Task 1: Create a File screen
1. On NYC-SVR1, in the File Server Resource Manager console, expand the File
Screening Management node.
2. Select and then right-click the File Screens node, and then click Create File
Screen.
3. In the Create File Screen dialog box, click Browse and navigate to the
D:\Labfiles\Module12\Users folder, and then click OK.
4. Select Define custom file screen properties, and then click Custom
Properties.
5. In the File Screen Properties D:\Labfiles\Module12\Users dialog box, select
Passive screening, and then select Executable files from the list.
6. Click the Event Log tab, select the Send warning to event log check box, and
then click OK.
7. In the Create File Screen dialog box, click Create.
8. The Save Custom Properties as a Template dialog box appears. Type
Monitor Executables, and then click OK.
6 Lab Answer Key: Configuring and Managing Storage Technologies

f Task 2: Test the file screen

1. Open Windows Explorer, and navigate to the D:\Labfiles\Module12 folder.
2. Right-click the example.bat file, and then click Copy.
3. Browse to the D:\Labfiles\Module12\Users\user1 folder. Right-click in the
right pane of the Windows Explorer window, and then click Paste.
4. Check the Event Viewer. To do this, click Start, click Administrative tools,
and then click Event Viewer. Expand Windows Logs, and then click
Application. Note the event with Event ID of 8215.
5. Close the Event Viewer, and then close Windows Explorer.

Exercise 4: Generating Storage Reports

f Task 1: Generate an on-demand storage report
1. In the File Server Resource Manager console, click Storage Reports
Management.
2. Right-click and then click Generate Reports Now.
3. In the Storage Reports Task Properties dialog box, in the Scope section, click
Add.
4. Navigate to the D:\Labfiles\Module12\Users folder, and then click OK.
5. In the Report data section, select File Screening Audit, select Quota Usage,
and then click OK.
6. In the dialog box that appears and asks how you want to proceed, keep Wait
for reports to be generated and then display them selected, and then click
OK.
7. Review the generated reports.
 Lab Answer Key: Configuring and Managing Storage Technologies 7

f Task 2: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Configuring Availability of Network Resources and Content 1

Module 13
Lab Answer Key: Configuring Availability of
Network Resources and Content
Contents:
Exercise 1: Configuring Windows Server Backup and
Restore 2
Exercise 2: Configuring Shadow Copying 5
Exercise 3: Configuring Network Load Balancing 7
2 Lab Answer Key: Configuring Availability of Network Resources and Content

Lab: Configuring Availability of

Network Resources
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Configuring Windows Server Backup and

Restore
f Task 1: Start the virtual machines, and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

f Task 2: Open the Server Manager tool on 6421A-NYC-DC1

• If necessary, on NYC-DC1, open Server Manager from the Administrative
Tools menu.
              To do this On NYC-DC1, click Start, and click Server Manager.

f Task 3: Install the Windows Server Backup feature

1. In Server Manager, right-click Features, and then in the context menu, click
Add Features.
2. On the Select Features page, select the Windows Server Backup Features
check box.
 Lab Answer Key: Configuring Availability of Network Resources and Content 3

3. Click Next.
4. On the Confirm Installation Selections page, click Install.
5. On the Installation Results page, verify that the Windows Server Backup
installation succeeded, and then click Close.
6. Close Server Manager.

f Task 4: Create a share on 6421A-NYC-SVR1

1. On NYC-SVR1, click Start, point to Administrative Tools, and click
Computer Management.
2. In the Computer Management list pane, expand Shared Folders, and then
right-click Shares.
3. From the context menu that appears, click New Share.
4. On the Welcome to the Create a Shared Folder Wizard, click Next.
5. On the Folder path page, click the Browse button.
6. On the Browse for Folder page, select Local Disk (C:), click Make New
Folder, name the folder NetBackup, click OK, and then click Next.
7. On the Name, Description, and Settings page, click Next.
8. On the Shared Folder Permissions page, select Administrators have full
access; other users have no access, and then click Finish.
9. In the Create a Shared folder Wizard box, click Finish.
10. Close the Computer Management console.

f Task 5: Manually back up files to a network location

1. On NYC-DC1, click Start, point to Administrative Tools, and click Windows
Server Backup.
2. On the Actions pane of the Windows Server Backup (Local) window, select
Backup Once.
3. On the Backup Options page of the Backup Once Wizard, click Next.
4 Lab Answer Key: Configuring Availability of Network Resources and Content

4. On the Select backup configuration page, select Custom, and then click
Next.
5. On the Select backup items page, clear the Enable system recovery
checkbox, select Allfiles (D:), and then click Next.
6. On the Specify destination type page, select Remote Shared Folder, and then
click Next.
7. On the Specify remote folder page, type the path
\\NYC-SVR1\NetBackup on the text path and then click Next.
8. On the Specify advanced option page, select VSS full backup, and then click
Next.
9. On the Confirmation page, click Backup.
10. On the Backup Progress page, verify the status is Backup Completed, and
then click Close.

f Task 6: Restore files from a network location

1. On NYC-DC1, click Start, click Computer, and then double-click Allfiles (D:).
2. In the details pane of the Allfiles (D:) window, delete the Labfiles directory,
and then close the Allfiles (D:) window.
3. On the Windows Server Backup page, under Actions, select Recover.
4. On the Recovery Wizard, Getting started page, select Another server, and
then click Next.
5. On the Specify location type page, select Remote shared folder, and then
click Next.
6. On the Specify remote folder page, type \\NYC-SVR1\NetBackup, and then
click Next.
7. On the Select backup date page, click today’s date (in bold), and then click
Next.
8. On the Select recovery type page, accept the default of Files and folders, and
then click Next.
9. On the Select items to recover page, expand NYC-DC1, expand Allfiles (D:),
select Labfiles, and then click Next.
10. On the Specify recovery options page, accept the default settings, and then
click Next.
 Lab Answer Key: Configuring Availability of Network Resources and Content 5

11. On the Confirmation page, click Recover.

12. In the Recovery progress window, verify the status is Restore of Files
completed, and then click Close.
13. Close the Windows Server Backup tool.

Exercise 2: Configuring Shadow Copying

f Task 1: Enable shadow copies on a volume
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Computer Management.
2. In the Computer Management window console tree, right-click Shared
Folders, point to All Tasks, and then click Configure Shadow Copies.
3. In the Shadow Copies dialog box, select Volume D:\, and then click Enable.
In the Enable Shadow Copies dialog box that appears, click Yes, and then
click OK.
4. Leave the Computer Management console open.

f Task 2: Change a file in a share location

1. On NYC-CL1, click Start, and in the search text box, type \\NYC-
DC1\shadow, and then press ENTER.
A window will open with the Shadow share contents visible.
2. Double-click the shadowTest.txt file.
3. Add the following line of text to the end of the text file:
• This is my text that I am adding to the file.
4. Save and close the shadowTest.txt file.
5. Close the shadow window.
6 Lab Answer Key: Configuring Availability of Network Resources and Content

f Task 3: Manually create a shadow copy

1. On NYC-DC1, in the Computer Management console, right-click Shared
Folders, point to All Tasks, and then click Configure Shadow Copies.
2. In the Shadow Copies dialog box, select volume D:\, and then click Create
Now.
The shadow copies of selected volume should have two entries listed. Click
OK.
3. Close the Computer Management console.

f Task 4: View the previous file versions, and restore to a previous

version
1. On NYC-CL1, click Start, type \\NYC-DC1\shadow in the Search text box,
and then press ENTER.
2. Right-click shadowTest.txt, and select Properties from the context menu.
3. In the shadowTest Properties dialog box, click the Previous Versions tab.
4. Under File versions, you should see the last shadow copy that was created.
Click Open to view the file contents. The file you are viewing should be the
version previous to the file you modified with text.
5. Close the file, and select Restore from the Previous Versions window to
restore the file to its previous state, before any changes were made.
6. In the Previous Versions dialog box, click Restore, and then click OK.
7. Click OK to close the ShadowTest Properties dialog box.
8. Close the shadow window.
 Lab Answer Key: Configuring Availability of Network Resources and Content 7

Exercise 3: Configuring Network Load Balancing

f Task 1: Install the Network Load Balancing (NLB) feature on NYC-DC1
and NYC-SVR1
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Server Manager.
2. In the Server Manager list pane, right-click Features, and then click Add
Features.
3. On the Select Features page, select Network Load Balancing, and then click
Next.
4. On the Confirm Installation Selections page, click Install.
5. On the Results page, verify that the installation succeeded, and then close the
Add Features Wizard.
6. Repeat steps 1 through 5 for NYC-SVR1.
7. Close Server Manager on both NYC-DC1 and NYC-SVR1.

f Task 2: Configure Network Load Balancing on NYC-DC1 and NYC-

SVR1
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Network Load Balancing Manager.
2. In the Network Load Balancing Manager console, right-click Network Load
Balancing Clusters in the list pane, and then click New Cluster.
3. In the New Cluster: Connect dialog box, type the hostname NYC-DC1, and
then click Connect. Verify that the Interface name section is populated with
that interface’s Local Area Connection and IP address, and click Next.
4. In the New Cluster: Host Parameters dialog box, verify the default state is
Started, and then click Next.
5. In the New Cluster: Cluster IP Addresses dialog box, click Add and specify
an IPv4 cluster IP of 10.10.0.100 with a Subnet Mask of 255.255.0.0, click
OK, and then click Next.
6. In the New Cluster: Cluster Parameters dialog box, type a Full Internet
name of printsrv.woodgrovebank.com. Specify a Cluster operation mode of
Multicast, and then click Next.
8 Lab Answer Key: Configuring Availability of Network Resources and Content

7. In the New Cluster: Port Rules dialog box, click Finish.

8. In the Network Load Balancing Manager console list pane, right-click
printsrv.woodgrovebank.com, and then from the context menu, click Add
Host to Cluster.
9. In the Add Host to Cluster: Connect dialog box, specify the host as NYC-
SVR1, and then click Connect.
10. In the Interfaces available for configuring the cluster, click Local Area
Connection, and then click Next.
11. In the Add Host to Cluster: Host Parameters dialog box, accept the default
settings, and then click Next.
12. In the Add Host to Cluster: Port Rules, accept the default settings, and then
click Finish. After a few moments NYC-SVR1 will come online.
13. Close the Network Load Balancing Manager console window.

f Task 3: Install and share an IP-based printer on both NYC-DC1 and

NYC-SVR1
1. On NYC-DC1, click Start, click Control Panel, and then double-click the
Printers applet.
2. In the Printers console details pane, double-click Add Printer.
3. In the Add Printer dialog box, select Add a local printer.
4. In the Choose a printer port dialog box, select Create a new port, select
Standard TCP/IP Port from the drop-down list, and then click Next.
5. In the Type a printer hostname or IP Address dialog box, for Device type,
select TCP/IP device from the drop-down list, and specify the Hostname or IP
Address of 10.10.0.80.
6. Clear the Query the printer and automatically select the driver to use check
box, and then click Next.
7. Wait for the detection of the TCP/IP port to complete, and then click Next in
the Additional Port information Required dialog box.
8. In the Install the printer driver dialog box, specify the manufacturer of HP
and the printer model of HP LaserJet 6MP, and then click Next.
9. In the Type a printer name dialog box, accept the default settings, and then
click Next.
 Lab Answer Key: Configuring Availability of Network Resources and Content 9

10. In the Printer Sharing dialog box, accept the default name, and then click
Next.
11. In the You’ve successfully added HP LaserJet 6MP dialog box, click Finish.
12. Close the Printers control panel applet.
13. Repeat steps 1 through 11 on NYC-SVR1.

f Task 4: Use NYC-CL1 to connect to the NLB virtual IP address

1. On NYC-CL1, click Start, type \\10.10.0.100 in the Start Search text box,
and then press ENTER.
2. Take note of the available NLB cluster resources.

f Task 5: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
 Lab Answer Key: Configuring Server Security Compliance 1

Module 14
Lab Answer Key: Configuring Server Security
Compliance
Contents:
Exercise 1: Configuring and Analyzing Security 2
Exercise 2: Analyzing Security Templates 4
Exercise 3: Configuring Windows Software Update
Services 6
2 Lab Answer Key: Configuring Server Security Compliance

Lab: Configuring Server Security

Compliance
Note: If you have already logged on to a virtual machine, skip the

logon task for that particular virtual machine.

Exercise 1: Configuring and Analyzing Security

f Task 1: Start the virtual machines, and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL2, click Launch
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

f Task 2: Open the Security Configuration Wizard (SCW) on NYC-SVR1

1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Security Configuration Wizard.
2. On the Welcome to the Security Configuration Wizard page, click Next.
3. On the Configuration Action page, under Select the action you want to
perform, ensure that Create a new security policy is selected, and then click
Next.
4. On the Select Server page, verify the server specified in the Server text box is
NYC-SVR1, and then click Next.
5. On the Processing Security Configuration Database page, wait for the
process to complete, and then click View Configuration Database.
 Lab Answer Key: Configuring Server Security Compliance 3

6. When the SCW Viewer opens, a Microsoft® Internet Explorer® message box
may appear asking for permission to allow an ActiveX® control. Click Yes in
this message box.
7. Scroll through and read the list of Server Roles, Client Features,
Administration and Other Options, Services, and Windows Firewall.
8. Close SCW Viewer, and then click Next.
9. On the Role-Based Service Configuration page, click Next.
10. On the Select Server Roles page, click Next.
11. On the Select Client Features page, click Next.
12. On the Select Administration and Other Options page, click Next.
13. On the Select Additional Services page, click Next.
14. On the Handling Unspecified Services page, verify that Do not change the
startup mode of the service is selected, and then click Next.
15. On the Confirm Service Changes page, scroll through the list and note which
ones are being disabled, and then click Next.
16. On the Network Security page, click Next to start configuring network
security.
17. On the Network Security Rules page, scroll through the list of ports that will
be opened, and then click Next.
18. On the Registry Settings page, select Skip this section, and then click Next.
19. On the Audit Policy page, select Skip this section, and then click Next.
20. On the Save Security Policy page, click Next.
21. On the Security Policy File Name page, specify a name of
NewMemberSrv.xml at the end of the
C:\Windows\Security\msscw\Policies path that is listed, and then click
Next.
22. On the Apply Security Policy page, select Apply now, and then click Next.
23. The Applying Security Policy page appears, and the wizard prepares and
applies the policy.
24. When Application Complete appears above the status bar, click Next.
25. On the Completing the Security Configuration Wizard page, click Finish.
4 Lab Answer Key: Configuring Server Security Compliance

Exercise 2: Analyzing Security Templates

f Task 1: Create a customized Microsoft Management Console (MMC)
1. On NYC-SVR1, click Start, click Run, type MMC in the Open text box, and
then press ENTER.
2. In the Console1 MMC window, click File on the menu bar, and then click
Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, under Available snap-ins, scroll
down and select Security Templates, and then click Add.
4. In the Add or Remove Snap-ins window, under Available snap-ins, scroll
down and select Security Configuration and Analysis, click Add, and then
click OK.
5. In the Console1 MMC list pane, expand Security Templates, right-click the
template path displayed in the list pane, and then click New Template.
6. In the template dialog box that appears, specify a template name of Secure,
and then click OK.
7. In the list pane, expand the Secure policy, expand Local Policies, and then
click Security Options.
8. In the details pane, scroll down and double-click Interactive Logon: Do not
display last user name.
9. Select the Define this policy setting in the template check box, click
Enabled, and then click OK.
10. Right-click the Secure template, and then click Save.
11. Leave the Console1 MMC open for the next task.

f Task 2: Analyze current settings against secure template settings

1. In the list pane, right-click Security Configuration and Analysis, and then
click Open Database.
2. In the Open Database dialog box, type a file name of Secure, and then click
Open.
3. In the Import Template dialog box, select the Secure.inf template, and then
click Open.
 Lab Answer Key: Configuring Server Security Compliance 5

4. In the list pane, right-click Security Configuration and Analysis, and then
click Analyze Computer Now.
5. In the Perform Analysis dialog box, click OK to accept the default log name.
6. When the analysis is complete, in the list pane, expand Security
Configuration and Analysis, expand Local Policies, and then select Security
Options.
7. Scroll down to Interactive Logon: Do not display last user name, and
compare the database setting to the computer setting. You should see a red “x”
on the item, which indicates that the settings are different between the
computer and database settings.
8. Leave the Console1 MMC open for the next task.

f Task 3: Configure the computer with the secure template settings

1. In the list pane, right-click Security Configuration and Analysis, and then
select Configure Computer Now from the available options. Click OK in the
Configure System box.
The template is applied to the computer.
2. From the list pane, right-click Security Configuration and Analysis, and then
select Analyze Computer Now.
3. In the Perform Analysis dialog box, click OK to accept the default log.
4. When the analysis is complete, expand Local Policies, and then select
Security Options.
5. Scroll down to Interactive Logon: Do not display last user name, and verify
that a check mark appears indicating that the database setting and computer
setting are the same.
6. Close the Console1 MMC window. Do not save changes.
6 Lab Answer Key: Configuring Server Security Compliance

Exercise 3: Configuring Windows Software Update Services

(WSUS)
f Task 1: Use the Group Policy Management Console to create and link
a Group Policy Object (GPO) to the domain to configure client
updates
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Group Policy Management.
2. In the Group Policy Management MMC list pane, expand Forest:
woodgrovebank.com, expand Domains, and then expand
WoodGroveBank.com.
3. Right-click WoodGroveBank.com in the list pane, and then click Create a
GPO in this domain, and Link it here.
4. In the New GPO dialog box, specify a name of WSUS, and then click OK.
5. Right-click the WSUS GPO link under WoodGroveBank.com, and then click
Edit.
6. In the Group Policy Management Editor window, ensure Computer
Configuration is expanded, expand Policies, expand Administrative
Templates, expand Windows Components, and then click Windows Update.
7. In the details pane, double-click Configure Automatic Updates.
8. In the Configure Automatic Updates Properties dialog box, on the Setting
tab, select Enabled. In the Configure automatic updating drop-down list,
click 4 - Auto download and schedule the install, and then click Next
Setting.
9. On the Specify intranet Microsoft update service location Properties page,
on the Settings tab, select Enabled. Under Set the intranet update service for
detecting updates and under Set the intranet statistics server, type
http://NYC-SVR1 in the text boxes, and then click Next Setting.
10. On the Automatic Updates detection frequency Properties page, select
Enabled, and then click OK.
11. Close the Group Policy Management Editor, and then close the Group Policy
Management tool.
12. On NYC-CL2, click Start, click All Programs, click Accessories, and then
click Run.
 Lab Answer Key: Configuring Server Security Compliance 7

13. In the Run dialog box, type cmd, and then press ENTER.
14. At the command prompt, type gpupdate /force, and then press ENTER.
15. At the command prompt, type wuauclt /detectnow, and then press ENTER.
16. Close the command window on NYC-CL2.

f Task 2: Use the WSUS administration tool to configure WSUS

properties
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Microsoft Windows Server Update Services 3.0 SP1.
2. In the Update Services administrative tool window, in the list pane under
NYC-SVR1, click Options.
3. In the details pane, click Update Source and Proxy Server.
4. View the options on both tabs, and then click Cancel.
5. In the details pane, click Products and Classifications.
6. View the options for product support and update classifications, and then
click Cancel.
7. In the details pane, click Update Files and Languages.
8. View the options for downloading updates and support for languages, and
then click Cancel.
9. In the details pane, click Synchronization Schedule, view the options for
synchronizing content, and then click Cancel.

f Task 3: Create a computer group, and add NYC-CL2 to the new group
1. In the list pane, expand Computers, and then select All Computers.
2. In the Actions pane, click Add Computer Group.
3. In the Add Computer Group dialog box, specify a computer group name of
HO Computers, and then click Add.
4. In the Update Services list pane, under Computers and All Computers, click
Unassigned Computers.
5. In the Unassigned Computers details pane, specify Any in the Status drop-
down list, and then click Refresh.
8 Lab Answer Key: Configuring Server Security Compliance

6. Right-click nyc-cl2.woodgrovebank.com, and then click Change

Membership.
7. In the Set Computer Group Membership dialog box, select the HO
Computers check box, and then click OK.

f Task 4: Approve an update for Microsoft Vista™ clients

1. In the Update Services administrative tool, in the list pane, expand Updates,
and then click Critical Updates.
2. In the details pane, change the Approval filter to Any Except Declined and
Status filters to Any, and then click Refresh. Notice all of the updates
available.
3. In the Critical Updates details pane, right-click Update for Windows Vista
(KB936357), and then select Approve from the context menu.
4. In the Approve Updates window that appears, click the arrow next to All
Computers, select Approved for Install, and then click OK.
5. On the Approval Progress page, when the process is complete, click Close.

Important: Notice that a message appears stating that the update is approved,
but must be downloaded to complete.

6. In the Update Services console, click Reports.

7. View the various reports available in WSUS. Determine how many updates
NYC-CL2 requires.

f Task 5: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
Note: After you have completed the lab exercises closing the VM’s and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.