MCSA Lab Scenario - A. Datum Corp – Part 6 Erfan Taheri
Scenario
A. Datum Corporation has grown rapidly over the last few years. The company has deployed
several new branch offices, and it has increased significantly the number of users in the
organization. Additionally, it has expanded the number of partner organizations and customers
that access A. Datum websites and applications. Because of this expansion, the network
infrastructure complexity has increased, and the organization now needs to be much more
aware of network-level security.
As one of the senior network administrators at A. Datum, you are responsible for implementing
some of the advanced networking features in Windows Server 2012 R2 to manage the
networking infrastructure. You need to implement new features in DHCP and DNS, with the
primary goal of providing higher levels of availability while increasing the security of these
services. You also need to implement IPAM so that you can simplify and centralize the IP address
usage and configuration management in an increasingly complex network.
LAB Setup
Virtual Machines: Lon-DC1.Adatum.local, SRV1.Adatum.local, SRV2.Adatum.local, CL1.Adatum.local
Username: Adatum\Administrator
Password: Pa$$w0rd
Lon-DC1.Adatum.local is a writable domain controller for the Adatum.local domain (London site). The task steps below refer to these machines by their lab names LON-DC1, LON-SVR1, LON-SVR2 and LON-CL1, and to the domain as Adatum.com.
Exercise 1: Configuring Advanced DHCP Settings
With the expansion of the network, and the increased availability and security requirements at A.
Datum Corporation, you need to implement additional DHCP features. Because of the recent
business expansion, the main office DHCP scope is almost completely utilized, which means that
you need to configure a superscope. Additionally, you need to configure DHCP Name Protection
and DHCP failover.
Task 1: Configure a superscope
1. On LON-DC1, configure a scope named Scope1, with a range of 192.168.0.50 – 192.168.0.100,
and with the following settings:
• Subnet mask: 255.255.255.0
• Router: 192.168.0.1
• DNS Suffix: Adatum.com
• Choose to activate the scope later.
2. Configure a second scope named Scope2 with a range of 192.168.1.50 – 192.168.1.100, and
with the following settings:
• Subnet mask: 255.255.255.0
• Router: 192.168.1.1
• DNS Suffix: Adatum.com
• Choose to activate the scope later.
3. Create a superscope called AdatumSuper that has Scope1 and Scope2 as members.
4. Activate the AdatumSuper superscope.
Task 2: Configure DHCP name protection
• Switch to the DHCP console on LON-DC1, and enable DHCP Name Protection found on the DNS
tab of the IPv4 node.
Task 3: Configure and verify DHCP failover
1. On LON-SVR1, start the DHCP console and observe the current state of DHCP. Note that the
server is authorized, but that no scopes are configured.
2. On LON-DC1, in the DHCP console, launch the Configure Failover Wizard.
3. Configure failover replication with the following settings:
• Partner server: 172.16.0.21
• Relationship Name: Adatum
• Maximum Client Lead Time: 15 minutes
• Mode: Load balance
• Load Balance Percentage: 50%
• State Switchover Interval: 60 minutes
• Message authentication shared secret: Pa$$w0rd
4. Complete the Configure Failover Wizard.
5. On LON-SVR1, refresh the IPv4 node. Notice that the IPv4 node is now active and that the Adatum
scope replicated from LON-DC1 is configured.
6. Start 20412D-LON-CL1, and sign in as Adatum\Administrator.
7. Configure LON-CL1 to obtain an IP address from the DHCP server.
8. Open a command prompt window, run ipconfig /all, and record the IP address and the DHCP server that issued it.
9. Switch to LON-DC1, and stop the DHCP Server service.
10. Switch back to LON-CL1, and renew the IP address with ipconfig /renew. The renewal should succeed even though
LON-DC1 is down: the lease is now served by the failover partner, LON-SVR1.
11. On LON-DC1, in the Services console, start the DHCP Server service.
12. Close the Services console.
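The three tasks of Exercise 1, with the failover test from steps 8 to 11, as an added PowerShell example; this is not code from the lab, which uses the DHCP console. It assumes an elevated PowerShell session on LON-DC1 with the DhcpServer module, that LON-DC1 and LON-SVR1 (172.16.0.21) are both authorized DHCP servers in Adatum.com, and that WinRM is enabled on LON-CL1 so the renewal can be triggered remotely.

```powershell
# Added example (not part of the original lab): Exercise 1 from an elevated
# PowerShell session on LON-DC1. Assumptions: LON-DC1 and LON-SVR1 (172.16.0.21)
# are authorized DHCP servers in Adatum.com; WinRM is enabled on LON-CL1.
Import-Module DhcpServer

# --- Task 1: two scopes, created inactive, then grouped into a superscope -----------
$scopes = @(
    @{ Name = 'Scope1'; ScopeId = '192.168.0.0'; Start = '192.168.0.50'; End = '192.168.0.100'; Router = '192.168.0.1' },
    @{ Name = 'Scope2'; ScopeId = '192.168.1.0'; Start = '192.168.1.50'; End = '192.168.1.100'; Router = '192.168.1.1' }
)
foreach ($s in $scopes) {
    Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End `
        -SubnetMask 255.255.255.0 -State InActive
    # Option 3 (router) and option 15 (DNS domain name) for this scope.
    Set-DhcpServerv4OptionValue -ScopeId $s.ScopeId -Router $s.Router -DnsDomain 'Adatum.com'
}
Add-DhcpServerv4Superscope -SuperscopeName 'AdatumSuper' -ScopeId $scopes.ScopeId
# Activating a superscope in the MMC activates its members; in PowerShell activate each member.
Set-DhcpServerv4Scope -ScopeId $scopes.ScopeId -State Active

# --- Task 2: name protection (server-wide IPv4 DNS settings) ------------------------
# With NameProtection on, the server registers a DHCID record next to every A/PTR it
# creates and refuses to overwrite a name whose DHCID belongs to a different client, so
# a rogue host cannot take over an existing machine's DNS name. It only covers records
# the DHCP server registers itself, so DynamicUpdates must not be set to Never.
Set-DhcpServerv4DnsSetting -NameProtection $true
Get-DhcpServerv4DnsSetting | Select-Object NameProtection, DynamicUpdates, DeleteDnsRROnLeaseExpiry

# --- Task 3: load-balanced failover with LON-SVR1 -----------------------------------
# The shared secret authenticates the failover messages between the partners. 'Pa$$w0rd'
# is the lab value; a production relationship needs a long random secret.
Add-DhcpServerv4Failover -Name 'Adatum' -PartnerServer '172.16.0.21' -ScopeId $scopes.ScopeId `
    -LoadBalancePercent 50 -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -StateSwitchInterval (New-TimeSpan -Minutes 60) -AutoStateTransition $true `
    -SharedSecret 'Pa$$w0rd'
# The partner now carries a copy of every scope in the relationship.
Get-DhcpServerv4Failover -ComputerName 'LON-SVR1' | Select-Object Name, Mode, State, ScopeId
Get-DhcpServerv4Scope    -ComputerName 'LON-SVR1' | Select-Object ScopeId, Name, State

# Steps 8-11: stop the local service, make LON-CL1 renew, and show that the lease was
# issued by the surviving partner before bringing LON-DC1 back.
Stop-Service DHCPServer
Invoke-Command -ComputerName 'LON-CL1' -ScriptBlock { ipconfig /renew | Out-Null; ipconfig | Select-String 'IPv4 Address' }
Get-DhcpServerv4Scope -ComputerName 'LON-SVR1' |
    Get-DhcpServerv4Lease -ComputerName 'LON-SVR1' |
    Where-Object HostName -like 'LON-CL1*' |
    Select-Object IPAddress, HostName, AddressState, LeaseExpiryTime
Start-Service DHCPServer
```

If the lease query on LON-SVR1 returns nothing after the renewal, the client is not on a subnet served by a replicated scope; check which scope issued its original lease in step 8 before concluding that failover did not work.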
Exercise 2: Configuring Advanced DNS Settings
To increase the security level of the DNS zones at A. Datum, you need to configure DNS security
settings such as DNSSEC, the DNS socket pool, and cache locking. A. Datum has a business
relationship with Contoso, Ltd., and will host the Contoso.com DNS zone. A. Datum clients use an
application that accesses a server named App1 in the Contoso.com zone by its single-label (NetBIOS)
name. You need to ensure that these applications can resolve the names of the required servers
correctly. You will use a GlobalNames zone to achieve this.
The main tasks for this exercise are as follows:
1. Configure DNSSEC.
2. Configure the DNS socket pool.
3. Configure DNS cache locking.
4. Configure a GlobalNames zone.
Task 1: Configure DNSSEC
1. On LON-DC1, start the DNS Manager.
2. Use the DNSSEC Zone Signing Wizard to sign the Adatum.com zone.
3. Choose to customize zone-signing parameters.
4. Ensure that DNS server LON-DC1 is the Key Master.
5. Add the Key Signing Key by accepting the default values for the new key.
6. Add the Zone Signing Key by accepting the default values for the new key.
7. Choose to use NSEC3 with the default values.
Task 2: Configure the DNS socket pool
1. On LON-DC1, start Windows PowerShell.
2. Run the following command to view the current size of the socket pool (2,500 by default):
(Get-DnsServerSetting -All).SocketPoolSize
3. Run the following command to change the socket pool size to 3,000:
dnscmd /config /socketpoolsize 3000
4. Restart the DNS service (Restart-Service DNS); the new pool size takes effect only after a restart.
5. Run the following command to confirm the new socket pool size:
(Get-DnsServerSetting -All).SocketPoolSize
Task 3: Configure DNS cache locking
1. Run the following command to view the current cache locking value (100 percent by default):
(Get-DnsServerCache).LockingPercent
2. Run the following command to change the cache locking value to 75 percent:
Set-DnsServerCache -LockingPercent 75
3. Restart the DNS service (Restart-Service DNS).
4. Run the following command to confirm the new cache locking value:
(Get-DnsServerCache).LockingPercent
Task 4: Configure a GlobalNames zone
1. Create an Active Directory-integrated forward lookup zone named Contoso.com, by running
the following command:
Add-DnsServerPrimaryZone -Name Contoso.com -ReplicationScope Forest
2. Run the following command to enable GlobalNames zone support on the server:
Set-DnsServerGlobalNameZone -Enable $true -AlwaysQueryServer $true
3. Create an Active Directory-integrated forward lookup zone named GlobalNames by running
the following command:
Add-DnsServerPrimaryZone -Name GlobalNames -ReplicationScope Forest
4. Open the DNS Manager console, and add a new host (A) record to the Contoso.com zone
named App1 with the IP address 192.168.1.200.
5. In the GlobalNames zone, create a new alias (CNAME) record named App1 that points to the FQDN
App1.Contoso.com.
6. Close DNS Manager, and close the Windows PowerShell window.
Results: After completing this exercise, you will have configured DNSSEC, the DNS socket pool,
DNS cache locking, and the GlobalNames zone.
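The four tasks of Exercise 2 as an added PowerShell example, with a check after each change; this is not the lab's own code. It assumes an elevated PowerShell session on LON-DC1 with the DnsServer module and that Adatum.com is an AD-integrated zone on LON-DC1. The key algorithm and lengths (RSA/SHA-256, 2048-bit KSK, 1024-bit ZSK) are chosen here; the lab itself accepts the wizard defaults.

```powershell
# Added example (not the lab's own code): Exercise 2 from an elevated PowerShell
# session on LON-DC1. Assumptions: Adatum.com is AD-integrated on LON-DC1; the key
# parameters below are this example's choice, not values stated by the lab.
Import-Module DnsServer
$zone = 'Adatum.com'

# --- Task 1: DNSSEC with custom signing parameters ------------------------------------
# Keys are generated on the server that signs the zone, which makes LON-DC1 the Key
# Master; the signed zone data replicates to the other DCs hosting the zone.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024
# NSEC3 rather than NSEC: authenticated denial of existence without letting a client
# walk the zone name by name.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 -NSec3OptOut $false
Invoke-DnsServerZoneSign -ZoneName $zone -Force
# Checks: the zone carries DNSKEY records and a DNSSEC-aware query gets an RRSIG back.
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey | Select-Object HostName, RecordType
Resolve-DnsName -Name $zone -Type SOA -Server LON-DC1 -DnssecOk | Where-Object Type -eq 'RRSIG'

# --- Task 2: socket pool ----------------------------------------------------------------
# The socket pool is the set of randomised UDP source ports the server uses for its own
# outbound queries, which makes forged answers much harder to land (2500 by default,
# 10000 at most). The lab changes it with dnscmd; it takes effect after a restart.
(Get-DnsServerSetting -All).SocketPoolSize
dnscmd /config /socketpoolsize 3000
Restart-Service DNS
(Get-DnsServerSetting -All).SocketPoolSize

# --- Task 3: cache locking --------------------------------------------------------------
# At LockingPercent 75 a cached record cannot be replaced by an unsolicited answer until
# 75 % of its TTL has elapsed, which blunts attempts to overwrite a good record early.
(Get-DnsServerCache).LockingPercent
Set-DnsServerCache -LockingPercent 75
Restart-Service DNS
(Get-DnsServerCache).LockingPercent

# --- Task 4: GlobalNames zone for single-label lookups of App1 --------------------------
Add-DnsServerPrimaryZone -Name 'Contoso.com' -ReplicationScope Forest
# -Enable turns GlobalNames support on; -AlwaysQueryServer tells a server that does not
# host the GlobalNames zone locally to query the server that does.
Set-DnsServerGlobalNameZone -Enable $true -AlwaysQueryServer $true
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest
Add-DnsServerResourceRecordA     -ZoneName 'Contoso.com' -Name 'App1' -IPv4Address 192.168.1.200
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'App1' -HostNameAlias 'App1.Contoso.com'
# A single-label query for App1 is answered through the GlobalNames alias: CNAME, then A.
Resolve-DnsName -Name 'App1' -Server LON-DC1 -DnsOnly
```

Signing is the easy half of DNSSEC: clients only benefit once a resolver validates the signatures, which on Windows means distributing the zone's trust anchor (DistributeTrustAnchor in the zone's DNSSEC settings) and configuring NRPT rules on the clients.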
Exercise 3: Configuring IPAM
A. Datum Corporation is evaluating solutions for simplifying IP address management. Since you
have deployed Windows Server 2012 R2, you have decided to implement IPAM.
The main tasks for this exercise are as follows:
1. Install the IPAM feature.
2. Configure IPAM–related GPOs.
3. Configure IP management server discovery.
4. Configure managed servers.
5. Configure and verify a new DHCP scope with IPAM.
6. Configure IP address blocks, record IP addresses, and create DHCP reservations and DNS
records.
Task 1: Install the IPAM feature
• On LON-SVR2, install the IP Address Management (IPAM) Server feature by using the Add Roles
and Features Wizard in Server Manager.
Task 2: Configure IPAM–related GPOs
1. On LON-SVR2, in the Server Manager, in the IPAM Overview pane, provision the IPAM server
using Group Policy.
2. Enter IPAM as the GPO name prefix, and provision IPAM using the Provision IPAM Wizard.
Task 3: Configure IP management server discovery
1. In the IPAM Overview pane, configure server discovery for the Adatum domain.
2. In the IPAM Overview pane, start the server discovery process. Discovery may take 5 to 10
minutes to run; the yellow status bar indicates when discovery is complete.
Task 4: Configure managed servers
1. In the IPAM Overview pane, add the servers that you need to manage. Verify that IPAM access
is currently blocked for both LON-DC1 and LON-SVR1.
2. Use Windows PowerShell to grant the IPAM server permission to manage the discovered servers by running
the following command (it creates the IPAM_DHCP, IPAM_DNS and IPAM_DC_NPS GPOs in the domain):
Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com -DelegatedGpoUser Administrator
3. For both LON-DC1 and LON-SVR1, set the manageability status to Managed.
4. Switch to LON-DC1, and force the update of Group Policy using gpupdate /force.
5. Switch to LON-SVR1, and force the update of Group Policy by using gpupdate /force.
6. Return to LON-SVR2, and refresh the server access status for LON-DC1 and LON-SVR1 and the
Server Manager console view. It may take up to 10 minutes for the status to change. If
necessary, repeat both refresh tasks as needed until a green check mark displays next to LON-
DC1 and the IPAM Access Status displays as Unblocked.
7. In the IPAM Overview pane, right-click LON-SVR1 and select Retrieve All Server Data.
8. In the IPAM Overview pane, right-click LON-DC1 and Retrieve All Server Data.
Task 5: Configure and verify a new DHCP scope with IPAM
1. On LON-SVR2, use IPAM to create a new DHCP scope with the following parameters:
• Scope Name: TestScope
• Scope start address: 10.0.0.50
• Scope end address: 10.0.0.100
• Subnet mask: 255.0.0.0
• Default gateway: 10.0.0.1
2. Use IPAM to configure failover for the TestScope on LON-DC1 with the following parameters:
• Partner server: LON-SVR1.adatum.com
• Relationship name: TestFailover
• Shared secret: Pa$$w0rd
• Maximum client lead time: 15 minutes
• Mode: Load balance
• Load balance percentage: 50%
• State Switchover Interval: 60 minutes
3. On LON-DC1, verify the scope in the DHCP MMC.
4. On LON-SVR1, verify the scope in the DHCP MMC.
Task 6: Configure IP address blocks, record IP addresses, and create DHCP reservations and DNS
records
1. On LON-SVR2, add an IP address block in the IPAM console with the following parameters:
• Network ID: 172.16.0.0
• Prefix length: 16
• Description: Head Office
2. Add IP addresses for the network router by adding to the IP Address Inventory with the
following parameters:
• IP address: 172.16.0.1
• MAC address: 112233445566
• Device type: Routers
• Description: Head Office Router
3. Use the IPAM console to create a DHCP reservation as follows:
• IP address: 172.16.0.10
• MAC address: 223344556677
• Device type: Host
• Client ID: select the Associate MAC to Client ID check box
• Reservation server name: LON-DC1.Adatum.com
• Reservation name: Webserver
• Reservation type: Both
4. Use the IPAM console to create the DNS host record as follows:
• Device name: Webserver
• Forward lookup zone: Adatum.com
• Forward lookup primary server: LON-DC1.adatum.com
• Automatically create DNS records for this IP address
5. On LON-DC1, open the DHCP console and confirm that the reservation was created in the
172.16.0.0 scope.
6. On LON-DC1, open the DNS Manager console and confirm that the DNS host record was
created.
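Exercise 3 as an added PowerShell example, not the lab's own code, run from an elevated session on LON-SVR2. It assumes the account is a Domain Admin (GPO provisioning creates three domain-linked GPOs), that WinRM is enabled on LON-DC1 and LON-SVR1, and that the 172.16.0.0 scope already exists on LON-DC1. The lab creates the reservation and DNS record from the IPAM console; this example creates them with the DhcpServer and DnsServer cmdlets against the managed servers instead and uses IPAM only to record the block and addresses. The scheduled-task path used to start discovery and the Add-IpamAddress parameter values, which follow the console's fields, are assumptions.

```powershell
# Added example (not the lab's own code): Exercise 3 from an elevated PowerShell
# session on LON-SVR2. Assumptions: Domain Admin account, WinRM on LON-DC1 and
# LON-SVR1, the 172.16.0.0 scope already present on LON-DC1. The reservation and DNS
# record are created with DHCP/DNS cmdlets rather than from the IPAM console.
Install-WindowsFeature IPAM -IncludeManagementTools
Import-Module IpamServer

# --- Task 2: provision through Group Policy ----------------------------------------
# The IPAM_DHCP, IPAM_DNS and IPAM_DC_NPS GPOs give the IPAM server's computer account
# read access to event logs, DHCP audit logs and DHCP/DNS settings on every server they
# apply to; review them in GPMC before linking them beyond a lab domain.
Invoke-IpamGpoProvisioning -Domain 'Adatum.com' -GpoPrefixName 'IPAM' `
    -IpamServerFqdn 'LON-SVR2.adatum.com' -DelegatedGpoUser 'Administrator'

# --- Task 3: discovery ----------------------------------------------------------------
Add-IpamDiscoveryDomain -Name 'Adatum.com' -DiscoverDc $true -DiscoverDhcp $true -DiscoverDns $true
# Discovery runs as a scheduled task; this task path is an assumption. The lab starts
# discovery from the IPAM Overview pane instead.
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerDiscovery'

# --- Task 4: mark the discovered servers as managed and let the GPOs apply ------------
foreach ($srv in 'LON-DC1.adatum.com', 'LON-SVR1.adatum.com') {
    Set-IpamServerInventory -Name $srv -ManageabilityStatus Managed
}
Invoke-Command -ComputerName 'LON-DC1', 'LON-SVR1' -ScriptBlock { gpupdate /force }
# The access status changes to Unblocked once the GPOs have applied; refresh in Server Manager.
Get-IpamServerInventory | Select-Object Name, ManageabilityStatus

# --- Task 6: address block, inventory entries, reservation and DNS record -------------
Add-IpamBlock -NetworkId '172.16.0.0/16' -Description 'Head Office'
Add-IpamAddress -IpAddress 172.16.0.1  -MacAddress '11-22-33-44-55-66' -DeviceType Routers -Description 'Head Office Router'
Add-IpamAddress -IpAddress 172.16.0.10 -MacAddress '22-33-44-55-66-77' -DeviceType Host    -Description 'Webserver'
# The lab does these two from the IPAM console; here they go straight to LON-DC1.
Add-DhcpServerv4Reservation -ComputerName 'LON-DC1' -ScopeId 172.16.0.0 -IPAddress 172.16.0.10 `
    -ClientId '22-33-44-55-66-77' -Name 'Webserver' -Type Both
Add-DnsServerResourceRecordA -ComputerName 'LON-DC1' -ZoneName 'Adatum.com' -Name 'Webserver' `
    -IPv4Address 172.16.0.10 -CreatePtr
# Steps 5 and 6: confirm on LON-DC1.
Get-DhcpServerv4Reservation -ComputerName 'LON-DC1' -ScopeId 172.16.0.0
Get-DnsServerResourceRecord -ComputerName 'LON-DC1' -ZoneName 'Adatum.com' -Name 'Webserver'
```

Because IPAM reads its data through the provisioning GPOs and the IPAM server's computer account, the IPAM server itself becomes a high-value target: it can see every lease, reservation and DNS record in the forest, so treat LON-SVR2 with the same access controls as a domain controller.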