Official Microsoft Learning Product

6435A Lab Instructions and Lab Answer Key: Designing a Windows Server 2008 Network Infrastructure

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2008 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Product Number: 6435A Part Number: X17-47384 Released: 08/2008

Module 1

Lab Instructions: Overview of Network Infrastructure

Contents
Exercise 1: Preparing for a Network Infrastructure Design
Exercise 2: Designing the Network Topology
Exercise 3: Designing Network Infrastructure for Virtualization
Exercise 4: Designing a Change Management Plan
Exercise 5: Lab Discussion


Lab: Designing Network Infrastructure in Windows Server 2008

Scenario

Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the network infrastructure for segments within the enterprise.

Woodgrove Bank has expanded significantly since the company implemented Windows Server 2008. The company has expanded to different countries located in different regions of the world, and has acquired several subsidiaries. As a result, you are asked to design the network infrastructure for the new locations.

There are three divisions in Woodgrove Bank for different regions of the world. The three regions are North America, Europe, and Asia. The first part of the network to be redesigned is the North America region. The changes in North America will be used as a template for adding additional branches and integrating newly acquired companies.

In North America, there are two major changes. Two new Canadian branches are opening that will be connected to the Toronto hub site. Also, a regional bank in Washington State has been purchased and must be integrated into the rest of the network.

Each region operates independently most of the time. All user applications and data are self-contained within each region. Batch transfers of data from each region to New York City are performed daily. The batch transfers are approximately 1 GB and must be completed within 2 hours during average usage times. Network utilization between regions averages 500 Kbps when the batch transfer is not being performed. The failure of one WAN link between regions should not affect other regions.

The main applications used by Woodgrove Bank are located in the network hub locations. Users in the branches use Terminal Services to run applications on servers in the network hub locations. Approximately 10 Kbps of WAN connectivity is required for each user at a branch location for optimal performance. Communication between hub site locations averages 2 Mbps and peaks at 6 Mbps.


The implementation of a Voice over IP system is being considered to lower telecommunication costs. If implemented, this system will use approximately 250 Kbps between each branch office and hub site, and approximately 500 Kbps between hub sites within regions and between regions. Within a hub site, traffic should be tiered to increase manageability.

The newly acquired regional bank in Washington State uses Seattle as a hub site for its other four locations.

Also review the following documents:
M1_Locations.doc
M1_Physical.vsd
M1_VirtualMachines.doc


Exercise 1: Preparing for a Network Infrastructure Design

The main tasks for this exercise are:
1. Read the scenario and supporting documents.
2. Discuss whether additional information is required.

Task 1: Read the scenario and supporting documents
1. Read the scenario above.
2. Open and read the following documents from the Labdocs folder on your student CD:
   M1_Locations.doc
   M1_Physical.png
   M1_VirtualMachines.doc

Task 2: Discuss whether additional information is required
1. With your instructor, discuss what additional information, if any, is required to create a network infrastructure design.
2. With your instructor, determine what data can be assumed for completing the remainder of the lab.


Exercise 2: Designing the Network Topology

The existing network topology for Woodgrove Bank grew over time in an unplanned manner. As a result, the current network does not meet requirements. You need to create a new network topology that meets the requirements listed in the scenario and supporting documentation.

The main tasks for this exercise are:
1. Design the WAN links between regions.
2. Design the WAN links between hub sites in North America.
3. Design the WAN links to the new Canadian branches.
4. Design the connectivity for the newly purchased Washington State regional bank.
5. Design the tiers for the network within a hub site.

Task 1: Design the WAN links between regions
1. Determine what WAN links will be created between regions.
2. Determine which hub site in each region should be connected to other regions.
3. Determine how fast the WAN links between regions will be.

Task 2: Design the WAN links between hub sites in North America
1. Determine what WAN links will be created between hub sites in North America.
2. Determine how fast the WAN links will be between hub sites in North America.

Task 3: Design the WAN links to the new Canadian branches
Determine how fast the WAN links will be between the new Canadian branches and the Toronto hub site.

Task 4: Design the connectivity for the newly purchased Washington State regional bank
Determine how Seattle and the other branches will be connected to Woodgrove Bank.

Task 5: Design the tiers for the network within a hub site
1. Determine the number of tiers that should be used.
2. Determine the resources that will be placed in each tier.


Exercise 3: Designing Network Infrastructure for Virtualization

Woodgrove Bank is planning to virtualize several of its servers to optimize hardware utilization. You must determine how to design the network infrastructure to support the virtualized servers.

The main tasks in this exercise are:
1. Start the virtual machines, and then log on.
2. Review the MAC addresses used for virtualization.
3. Close all virtual machines and discard undo disks.
4. Determine the network connectivity required for each host server.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Review the MAC addresses used for virtualization
1. Open the Virtual Server administration Web site.
2. Edit the configuration of 6435A-NYC-DC1 and note the current MAC address: __________________________
3. View the Network adapter properties and review the available configuration options.

Task 3: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Task 4: Determine the network connectivity required for each host server
1. Determine the network connectivity required for NYC-HOST1.
2. Determine the network connectivity required for NYC-HOST2.
3. Determine the network connectivity required for NYC-HOST3.


Exercise 4: Designing a Change Management Plan

The existing change management system at Woodgrove Bank is very informal. When technical staff want to make a change, they seek approval from their immediate supervisor. However, supervisors often do not understand all the implications of a change, and this has led to several outages. To reduce the chances of outages in the future, you need to design a formal change management process.

The main tasks in this exercise are:
1. Determine stakeholders who should be involved in the change management process.
2. Determine the process for submitting and approving a change.
3. Design a change request form.

Task 1: Determine stakeholders who should be involved in the change management process
1. Determine which IT roles should be part of the change management process.
2. Determine which non-IT roles should be part of the change management process.

Task 2: Determine the process for submitting and approving a change
1. Determine who should submit a change request.
2. Determine when changes can be implemented.
3. Determine who can approve change requests.
4. Determine an alternate process for emergency changes.
5. Determine who can approve emergency changes.

Task 3: Design a change request form
Determine what information should be included in a change request.


Exercise 5: Lab Discussion

A discussion with the entire class allows you to learn from the experience of other students in the class. They may have different ideas of how an appropriate design can be implemented.

The main task in this exercise is to participate in a group discussion about your design decisions.

Task 1: Participate in a group discussion about your design decisions
1. As a group, discuss why you made the design decisions you did for the network topology.
2. As a group, discuss the specific concerns for virtualization and how they can be addressed.
3. As a group, discuss how the change management plan will be implemented.

Module 2

Lab Instructions: Designing Network Security

Contents
Exercise 1: Identifying a Team for the Security Plan
Exercise 2: Identifying Threats
Exercise 3: Analyzing Risk
Exercise 4: Implementing Password Policies


Lab: Designing a Network Security Plan

Scenario

Woodgrove Bank is a large multinational corporation with offices located in multiple countries. Until now, security planning for IT resources has been handled by the individual areas responsible for network infrastructure and applications. For example, the network team was responsible for all network-related security, with no formal process for involving application support or functional areas within the business.

There is concern at the executive level of Woodgrove Bank that the current structure for security is not efficient for allocating resources. A new centralized system for managing security is being implemented. This process will include creating a security design team and performing formal risk analysis to allocate resources.

Use the following documents to help create your design:
M2_ITSupport.doc
M2_NANetwork.png
M2_NetworkConnectivity.doc
M2_OrgChart.png
M2_OrgStructure.doc


Exercise 1: Identifying a Team for the Security Plan

Scenario

Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the network infrastructure for segments within the enterprise.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Design a security design process.
3. Design a team for the security plan.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Design a security design process
1. What steps need to be performed when designing network security?

Task 3: Design a team for the security plan
1. What are the necessary roles for a security design team?
2. Which person should be the sponsor for this project?
3. Which people should be involved from product management?
4. Which person should be the project manager?
5. Which people should be involved in development of security measures?
6. Which people should be involved in testing?
7. Which people should be involved in user experience?


Exercise 2: Identifying Threats

The main task for this exercise is: Identify risks to resources.

Task 1: Identify risks to resources
1. Use the STRIDE model to identify risks to resources in the perimeter network.

   STRIDE                   Example Risk
   Spoofing
   Tampering
   Repudiation
   Information disclosure
   Denial of service
   Elevation of privilege

2. Use the STRIDE model to identify risks to resources on the internal network.

   STRIDE                   Example Risk
   Spoofing
   Tampering
   Repudiation
   Information disclosure
   Denial of service
   Elevation of privilege

3. Use the defense-in-depth model to identify risks to resources on the network.

   Layer                                  Example Risk
   Data
   Application
   Host
   Internal network
   Perimeter
   Physical security
   Policies, procedures, and awareness


Exercise 3: Analyzing Risk

After identifying potential risks, it has been determined that the risks to resources in the perimeter network are the most important to address. You must now calculate the risk impact for risks to resources in the perimeter network to determine which projects to implement. Your budget for implementing new security measures this year is $500,000. The document M2_RiskFigures.doc in the Labdocs folder on the student CD contains additional information about risk probability and costs.

The main tasks in this exercise are:
1. Determine risk impact.
2. Determine how to allocate your security budget.

Task 1: Determine risk impact
1. What is the risk impact for a denial of service attack on the Web application for investors?
2. What is the risk impact for a password attack on the Web application for customer service accounts?
3. What is the risk impact for an attack on the Web server with general information for customers that puts false information on the Web site?

Task 2: Determine how to allocate your security budget
1. Which projects will you fund based on your budget?
2. Can you make an effective argument to management for more security funding?


Exercise 4: Implementing Password Policies

Now that all domain controllers have been upgraded to Windows Server 2008, you would like to take advantage of the fine-grained password policies that are available. Fine-grained password policies allow you to vary the password policy for various groups of users. A password policy is required for Customer Service staff.

The main tasks in this exercise are:
1. Raise the domain functional level to Windows Server 2008.
2. Create a fine-grained password policy for customer service staff.
3. Associate the new fine-grained password policy with Customer Service groups.
4. Verify the resultant PSO for a user.
5. Close all virtual machines and discard undo disks.

Task 1: Raise the domain functional level to Windows Server 2008
1. On NYC-DC1, use Active Directory Users and Computers to raise the domain functional level to Windows Server 2008.

Task 2: Create a fine-grained password policy for customer service staff
1. On NYC-DC1, open ADSI Edit.
2. Connect to the Default naming context and browse to CN=Password Settings Container,CN=System,DC=WoodgroveBank,DC=com.
3. Create a new msDS-PasswordSettings object in the Password Settings Container with the following settings:
   Common-Name: CustomerService
   Password Settings Precedence: 1
   Password reversible encryption status for user accounts: FALSE
   Password History Length for user accounts: 5
   Password complexity status for user accounts: TRUE
   Minimum Password Length for user accounts: 6
   Minimum Password Age for user accounts: 1:00:00:00
   Maximum Password Age for user accounts: 60:00:00:00
   Lockout threshold for lockout of user accounts: 10
   Observation Window for lockout of user accounts: 0:00:30:00
   Lockout duration for locked out user accounts: 0:00:45:00

Task 3: Associate the new fine-grained password policy with Customer Service groups
1. On NYC-DC1, open Active Directory Users and Computers and enable viewing of Advanced Features.
2. Browse to the Password Settings Container in the System container.
3. In the properties of the CustomerService object, edit the msDS-PSOAppliesTo attribute.
4. Add the following Windows groups:
   NYC_CustomerServiceGG
   MIA_CustomerServiceGG
   TOR_CustomerServiceGG


Task 4: Verify the resultant PSO for a user
1. On NYC-DC1, use Active Directory Users and Computers to view the properties of Matt Berg in the Toronto Customer Service OU.
2. On the Attribute Editor tab, enable viewing of Constructed attributes.
3. Verify that the msDS-ResultantPSO attribute shows the CustomerService PSO.
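The same PSO, created, linked and verified from PowerShell instead of ADSI Edit, as an added example that is not part of the 6435A lab manual. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and later, newer than the Server 2008 lab VMs) and the lab's WoodgroveBank.com domain, groups and user; it also checks the two constraints the ADSI Edit dialog does not explain: the domain functional level from Task 1 and the relationship between the lockout observation window and lockout duration.

```powershell
# Added example (not from the lab manual). Creates the CustomerService PSO with
# the Task 2 settings, applies it to the Task 3 groups, and verifies the
# resultant PSO for the Task 4 user. Assumes the ActiveDirectory module and the
# lab domain WoodgroveBank.com.
Import-Module ActiveDirectory

$psoName = 'CustomerService'
$groups  = 'NYC_CustomerServiceGG', 'MIA_CustomerServiceGG', 'TOR_CustomerServiceGG'

# Task 1 prerequisite: PSOs are only honoured at the Windows Server 2008 domain
# functional level or higher.
$legacyModes = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
if ($legacyModes -contains [string](Get-ADDomain).DomainMode) {
    throw 'Raise the domain functional level to Windows Server 2008 first (Task 1).'
}

# The lockout observation window must not exceed the lockout duration, or the
# directory rejects the object when it is committed (30 min <= 45 min here).
$observation = New-TimeSpan -Minutes 30
$duration    = New-TimeSpan -Minutes 45
if ($observation -gt $duration) {
    throw 'Lockout observation window must be <= lockout duration.'
}

# Task 2 values. Each parameter maps to the msDS-PasswordSettings attribute
# edited in ADSI Edit (for example -Precedence -> msDS-PasswordSettingsPrecedence).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 1 `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 5 `
        -ComplexityEnabled $true `
        -MinPasswordLength 6 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow $observation `
        -LockoutDuration $duration
}

# Task 3: populate msDS-PSOAppliesTo with the three global groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groups

# Task 4: msDS-ResultantPSO is a constructed attribute; the cmdlet below asks
# the domain controller to resolve it for the user, precedence included.
$user      = Get-ADUser -Filter "Name -eq 'Matt Berg'"
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($resultant.Name -ne $psoName) {
    Write-Warning "Resultant PSO for $($user.SamAccountName) is '$($resultant.Name)', expected '$psoName'."
} else {
    "$($user.SamAccountName) receives PSO '$($resultant.Name)' (precedence $($resultant.Precedence))."
}
```

If a user is a member of more than one group that has a PSO, the PSO with the lowest precedence value wins; a PSO linked directly to the user object overrides any group-linked PSO.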

Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Module 3

Lab Instructions: Designing IP Addressing

Contents
Exercise 1: Designing an IPv4 Addressing Scheme
Exercise 2: Designing a DHCP Implementation
Exercise 3: Designing an IPv6 Addressing Scheme


Lab: Designing IP Addressing in Windows Server 2008

Scenario

Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the IP addressing for segments within the enterprise.

Woodgrove Bank has expanded significantly since the company implemented Windows Server 2008. The company has expanded to different countries located in different regions of the world, and has acquired several subsidiaries. As a result, you are re-evaluating IP addressing for the entire organization.

There are three divisions in Woodgrove Bank for different regions of the world. The three regions are North America, Europe, and Asia. The first part of the network to be redesigned is the North America region. The changes in North America will be used as a template for adding additional branches and integrating newly acquired companies.


Exercise 1: Designing an IPv4 Addressing Scheme

You must design an IPv4 addressing scheme for Woodgrove Bank that takes into account the number of hosts in each location. The following documents provide the information you need to complete the design:
M3_NANetwork.png
M3_NetworkConnectivity.doc
M3_LocationDetails.doc

The main tasks for this exercise are:
1. Determine the number of external addresses required.
2. Determine an internal IPv4 addressing scheme for locations.

Task 1: Determine the number of external addresses required
1. Which resources require public IPv4 addresses?
2. How many public IPv4 addresses are required?
3. How will you obtain the necessary public IP addresses?

Task 2: Determine an internal IPv4 addressing scheme for locations
1. Which internal network address will you use?
2. Which subnet mask will you use for branch offices?
3. Which subnet mask will you use for hub sites?
4. Which subnet mask will you use for the North America division?
5. List the networks and subnet masks used by each hub site.
6. List the networks and subnet masks used by the New York hub site internally and for its branches.


Exercise 2: Designing a DHCP Implementation

You must design a DHCP implementation that meets the needs of Woodgrove Bank in North America. Use the following criteria for your planning:
Hub sites must have some form of high availability for DHCP.
The number of DHCP servers should be minimized to simplify administration.
All client applications are centralized in hub sites by using Terminal Services.

The main task for this exercise is: Design a DHCP implementation.

Task 1: Design a DHCP implementation
1. How should DHCP clients in branch offices obtain an IP address?
2. How will you provide high availability for DHCP in the hub sites?
3. How many scopes need to be configured on the DHCP servers in the hub site?


Exercise 3: Designing an IPv6 Addressing Scheme

Woodgrove Bank is implementing a new Voice-over-IP (VoIP) phone system that will integrate with the messaging system to provide unified communications. The selected phone system uses IPv6 rather than IPv4. You must design an IPv6 addressing scheme and determine how IPv6 will be implemented.

The main tasks for this exercise are:
1. Design an IPv6 addressing scheme.
2. Design an IPv6 implementation.

Task 1: Design an IPv6 addressing scheme
1. Which internal network address will you use?
2. Which network address will you use for the North America division?
3. Which network addresses will you use for hub sites?
4. Which network addresses will you use for branch offices?

Task 2: Design an IPv6 implementation
1. What IPv6 transition method will you use?
2. What process will you follow when implementing IPv6?

Module 4

Lab Instructions: Designing Routing and Switching Requirements

Contents
Exercise 1: Designing Internal Infrastructure
Exercise 2: Designing a Perimeter Network
Exercise 3: Evaluating Network Performance
Exercise 4: Monitoring Network Performance


Lab: Designing Routing and Switching

Scenario

Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the network routing topology within the enterprise.

Woodgrove Bank has purchased a regional bank located in Washington State. This bank must be integrated into the existing network. You are evaluating and redesigning the network infrastructure and routing of the newly purchased regional bank.


Exercise 1: Designing Internal Infrastructure

Use the following documents when designing internal infrastructure:
M3_NANetwork.png
M4_WashingtonNetwork.png
M4_RoutingRequirements.doc

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Design the routing between locations.
3. Design the routing within the Seattle hub site.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Design the routing between locations
1. What type of WAN link will you use between Seattle and the New York hub site?
2. What type of WAN link will you use between Seattle and the branch offices?
3. What routing protocol should be used to control routing?
4. Will you place any filters on communication between Seattle and the branch offices?
5. On a piece of paper, draw how the new bank will integrate with the existing network infrastructure.

Task 3: Design the routing within the Seattle hub site
1. Which networks will you create within the Seattle hub site?
2. Will you perform routing within the Seattle hub site by using routers or layer 3 switches?
3. If switches are used, how will you define VLANs?
4. On a piece of paper, draw the logical networks of the Seattle hub site.


Exercise 2: Designing a Perimeter Network

The perimeter network for Woodgrove Bank is currently configured with a multi-homed firewall. The firewall is running on an x86 server with specialized firewall software. However, the vendor that provided the software is no longer in business. As a consequence, the perimeter network is being redesigned.

Woodgrove Bank has recently partnered with Humongous Insurance to provide new services. As part of the agreement, Humongous Insurance agents will have access to a private customer database through a Web-based interface.

Use the following documents when designing the perimeter network:
M4_InternetConnectivity.doc

The main tasks for this exercise are:
1. Design extranet communication.
2. Design firewall configuration.
3. Design Internet access.

Task 1: Design extranet communication
1. What are the requirements for extranet communication with Humongous Insurance?
2. Which type of WAN link will you use for the extranet?
3. How will you limit partner access to your network?

Task 2: Design firewall configuration
1. What criteria will you consider when purchasing a new firewall?
2. Which firewall design will you use?
3. Which filtering rules will be in place?

Task 3: Design Internet access
How will users be provided with Internet access?

You should implement a proxy server to provide internal users with Internet access. To provide user-based logging, the users must be authenticated, which NAT cannot provide. To reduce the impact of Internet access on the WAN links, a hierarchy of proxy servers can be configured. In this way, a cache of commonly accessed Internet Web sites can be maintained at each hub site.


Exercise 3: Evaluating Network Performance

The Toronto hub site has added several new applications, including a streaming media server for training videos. After adding these new servers, network performance has been inconsistent, with some users complaining about slow access to network services. You must determine how to adjust the existing network infrastructure for better performance. You will use Network Monitor to view network utilization statistics.

Use the following documents when evaluating network performance:
M4_TorontoPerformance.doc
M4_TorontoNetwork.png

The main task in this exercise is:
1. Adjust the network design.

Task 1: Adjust the network design
1. Why is the problem only occurring when a live broadcast is being streamed?
2. What appears to be the bottleneck on the network?
3. How can you eliminate the bottleneck?
4. Is there any way to adjust the application to resolve this problem?


Exercise 4: Monitoring Network Performance

In this exercise, you will use Microsoft tools to monitor network performance on a server. Network Monitor can be used to view the network traffic generated by any computer on a network.

The main tasks in this exercise are:
1. Enable file sharing on NYC-WEB.
2. Use Windows Task Manager to view network statistics.
3. Use Reliability and Performance Monitor to view network statistics.
4. Use Network Monitor to view network statistics.
5. Close all virtual machines and discard undo disks.

Task 1: Enable file sharing on NYC-WEB
1. Use Network and Sharing Center in Control Panel to turn on network discovery and file sharing.

Task 2: Use Windows Task Manager to view network statistics
1. Run D:\Mod04\Labfiles\copyloop.bat.
2. Open Windows Task Manager and review the statistics on the Networking tab.

Task 3: Use Reliability and Performance Monitor to view network statistics
1. On NYC-DC1, open Reliability and Performance Monitor.
2. On the Resource Overview page, expand the Network section and review the available statistics.
3. Start the process of adding a new counter and view the counters available for the following objects:
   ICMP
   ICMPv6
   IPv4
   IPv6
   Network Interface
   Redirector

Task 4: Use Network Monitor to view network statistics
1. On NYC-DC1, start Network Monitor.
2. Create a new capture tab.
3. Start a new capture.
4. Review the information in the Frame Summary pane.
5. Stop the capture.

Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Module 5

Lab Instructions: Designing Security for Internal Networks

Contents
Exercise 1: Designing a Windows Firewall Implementation
Exercise 2: Designing an IPsec Implementation


Lab: Designing a Secure Internal Network

Scenario

Woodgrove Bank has completed a redesign of the physical network infrastructure. This included all WAN links, routing, and switching. The next project assigned to the network infrastructure team is securing the internal network. This involves analyzing how to implement Windows Firewall and IPsec to protect network resources. The first location to analyze is the Toronto hub site. The design developed for the Toronto hub site will be used as a template for other hub sites.


Exercise 1: Designing a Windows Firewall Implementation
After analyzing security on the Woodgrove Bank network by using the defense-in-depth model, the network infrastructure team has realized that internal security can be improved by implementing Windows Firewall. To maximize security, outbound rules will also be implemented on workstations and servers.

Use the following documents to help create your design:
- M5_TorontoApplications.doc

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine what rules to create on each computer.
3. Determine how to configure Windows Firewall on each computer.
4. Implement a Windows Firewall rule by using Group Policy.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Determine what rules to create on each computer
1. What inbound rules should be implemented on servers?
2. What outbound rules should be implemented on servers?
3. What inbound rules should be implemented on Vista workstations?
4. What outbound rules should be implemented on Vista workstations?
5. What concerns do you have about operating systems other than Windows Server 2008 and Windows Vista?

Task 3: Determine how to configure Windows Firewall on each computer
1. How will Windows Firewall be deployed on servers?
2. How will Windows Firewall be deployed on workstations?

Task 4: Implement a Windows Firewall rule by using Group Policy
1. On NYC-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Use the Group Policy Management administrative tool to link a new GPO to the Toronto OU.
   - Name: Firewall Rules
3. Edit the Firewall Rules GPO and add a new Windows Firewall outbound rule under Computer Configuration.
   - Rule type: Program
   - Program path: C:\Program Files\Internet Explorer\Iexplore.exe
   - Action: Allow the connection
   - Profile: Domain, Private, and Public
   - Name: Allow IE


Exercise 2: Designing an IPsec Implementation
To further secure network communication, the network infrastructure team has decided to secure communication between all users in the investments group. This will prevent non-investments users from accessing investments data or applications.

Use the following documents to help create your design:
- M5_IPsecRequirements.doc

The main tasks for this exercise are:
1. Determine connection security rules.
2. Determine how to configure connection security rules on each computer.
3. Implement connection security rules.
4. Create a firewall rule for a specific user.
5. Close all virtual machines and discard undo disks.

Task 1: Determine connection security rules
1. What authentication requirements should be used?
   All of the computers in the investments group should require authentication for inbound connections and request authentication for outbound connections. In this way, all communication to investments servers and workstations must be authenticated. However, investments workstations can initiate communication with servers that are not part of the investments area, and those connections will not be authenticated.
2. What authentication method should be used?
   Using Kerberos authentication (user and computer) provides the flexibility to create firewall rules that are specific to particular computer accounts or user accounts. This is the best way to control communication. It also requires no additional configuration on the computers because they are part of a domain already and therefore participate in Kerberos authentication.
3. What type of connection security rule should be used?
   An Isolation rule should be used. This type of rule uses Kerberos authentication. After authentication is established, firewall rules can be created based on the specific users and computers you want to allow. This type of rule does not designate endpoints by IP address.

Task 2: Determine how to configure connection security rules on each computer
1. How will connection security rules be deployed to servers?
   All Investments servers can be placed in a specific OU and have the connection security rules applied by using Group Policy. This ensures that all investments servers have the same configuration.
2. How will connection security rules be deployed to workstations?
   All Investments workstations can be placed in a specific OU and have the connection security rules applied by using Group Policy. This ensures that all investments workstations have the same configuration.
3. How will you address Windows XP clients?
   Based on the conditions presented in the scenario, the best solution is to upgrade the few remaining XP computers to Windows Vista. Other alternatives will be relatively complex. In the short term, an exemption rule can be used for the Windows XP computers, to remove the need for IPsec authentication from those computers. Exemption rules are based on computer IP address, so the XP computers must be given static IP addresses or reservations in DHCP.
   Other alternatives are:
   - Use both IPsec policies and connection security rules on the servers. This is not recommended because the results are difficult to predict.
   - Use IPsec policies only. Windows Server 2008 and Windows Vista are both capable of using IPsec policies. However, if IPsec policies are used, then you cannot control authentication based on computer and user accounts.

Task 3: Implement connection security rules
1. On NYC-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Use the Group Policy Management administrative tool to link a new GPO to the Toronto Investments OU.
   - Name: Connection Security Rules
3. Edit the Connection Security Rules GPO and add a new Windows Firewall connection security rule under Computer Configuration.
   - Rule type: Isolation
   - Requirements: Require authentication for inbound connections and request authentication for outbound connections.
   - Authentication method: Computer and user (Kerberos V5)
   - Profile: Domain, Private, and Public
   - Name: Secure Communication

Task 4: Create a firewall rule for a specific user
1. On NYC-DC1, use the Windows Firewall with Advanced Security administrative tool to create a new inbound rule to authenticate Web traffic on port 80 and restrict access to Administrator.
   - Rule type: Port
   - Protocol: TCP
   - Port: 80
   - Action: Allow the connection if it is secure
   - Only allow connections from: Administrator
   - Profiles: All
   - Name: Administrator Access to Web site
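The same three rules (the Allow IE outbound rule from Exercise 1, the Secure Communication isolation rule from Task 3, and the user-restricted port rule from Task 4) expressed with netsh advfirewall so that the settings chosen in the consoles can be seen and checked in one place. This is an added example, not part of the 6435A lab manual; it assumes it runs elevated on a domain member, that WOODGROVEBANK is the NetBIOS name of the WoodgroveBank.com domain, and it writes to the local policy store rather than to the lab's GPOs.

```powershell
# Added example (not from the lab manual). Assumes an elevated prompt on a
# domain member and the NetBIOS domain name WOODGROVEBANK. The lab delivers
# these rules through Group Policy; netsh writes to the local store unless
# "netsh advfirewall set store gpo=..." is run first.

# "Only allow connections from" is stored as an SDDL string that needs the
# account SID, not its name, so resolve Administrator to a SID first.
function Get-AccountSddl {
    param([string]$Domain, [string]$Account)
    $nt  = New-Object System.Security.Principal.NTAccount($Domain, $Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    # One allow ACE granting CC, the only right firewall user/computer lists check.
    return "D:(A;;CC;;;$sid)"
}

# Exercise 1, Task 4: outbound program rule for Internet Explorer.
# profile=any is the same as ticking Domain, Private and Public.
netsh advfirewall firewall add rule `
    name="Allow IE" dir=out action=allow `
    program="C:\Program Files\Internet Explorer\Iexplore.exe" `
    profile=any

# Exercise 2, Task 3: isolation rule. Inbound connections must authenticate;
# outbound ones ask for authentication but fall back to clear text, so an
# investments workstation can still reach servers outside the investments OU.
# auth1 is the computer (first) authentication, auth2 the user (second) one.
netsh advfirewall consec add rule `
    name="Secure Communication" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    auth2=userkerb `
    profile=any

# Exercise 2, Task 4: TCP/80 inbound, allowed only when the connection is
# IPsec-authenticated (security=authenticate) and the remote user is Administrator.
$sddl = Get-AccountSddl -Domain "WOODGROVEBANK" -Account "Administrator"
netsh advfirewall firewall add rule `
    name="Administrator Access to Web site" `
    dir=in action=allow `
    protocol=TCP localport=80 `
    security=authenticate `
    rmtusrgrp="$sddl" `
    profile=any

# Read the rules back: a parameter netsh rejected leaves the rule missing.
netsh advfirewall firewall show rule name="Allow IE"
netsh advfirewall consec show rule name="Secure Communication"
netsh advfirewall firewall show rule name="Administrator Access to Web site" verbose

# An outbound allow rule only matters if the profile's default outbound action
# is Block; confirm the defaults before relying on the Allow IE rule.
netsh advfirewall show allprofiles
```

The user restriction in the last rule only works together with the isolation rule: the firewall learns the remote user's identity from the IPsec user authentication, so a port rule with "Allow the connection if it is secure" on a machine that has no connection security rule will simply never match.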

Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Lab Instructions: Designing Name Resolution


Module 6
Lab Instructions: Designing Name Resolution

Contents
Exercise 1: Designing a DNS Namespace
Exercise 2: Designing a DNS Server Strategy
Exercise 3: Designing a DNS Zone and Replication Strategy
Exercise 4: Discuss the Design of Name Resolution
Exercise 5: Implement a DNS and Zone Replication Strategy


Lab: Designing a Name Resolution Strategy in Windows Server 2008

Scenario
Woodgrove Bank has experienced significant growth and needs to re-evaluate the current name resolution structure to verify that it is appropriate. This involves selecting locations for DNS servers, designing the DNS namespace, and determining a zone replication strategy.


Exercise 1: Designing a DNS Namespace
Woodgrove Bank has three Active Directory domains. The forest root domain is WoodgroveBank.com and contains information about North American resources. The EMEA.WoodgroveBank.com domain is used by European operations and the Asia.WoodgroveBank.com domain is used by Asian operations. The following guidelines have been given for evaluating the current DNS structure:
- The namespace for Active Directory should simplify maintenance if possible.
- Changes to the existing system should be avoided if they will cause a significant amount of change.

Woodgrove Bank has external DNS records that are manually synchronized with the internal DNS structure. These records change on average less than once per year.

External DNS Records            Purpose
www.woodgrovebank.com           Public Web site
Customer.woodgrovebank.com      Secure Web site for customers
Invest.woodgrovebank.com        Secure Web site for investments customers
Vpn.woodgrovebank.com           VPN server used by roaming staff
Mail.woodgrovebank.com          Internet mail server
Dns1.woodgrovebank.com          External DNS server
Dns2.woodgrovebank.com          External DNS server

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Select a DNS namespace for Active Directory.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-LON-DC1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Select a DNS namespace for Active Directory
1. What would be your preferred namespace for Active Directory if creating a new design?
2. What additional considerations must be taken into account when modifying an existing design?
3. What DNS namespace do you recommend that Woodgrove Bank use for Active Directory?


Exercise 2: Designing a DNS Server Strategy
The placement of DNS servers is important to minimize WAN traffic and ensure availability. You must determine which locations will have DNS servers, based on the network infrastructure and number of users. In addition, the failure of a WAN link between hub sites should not cause a failure in name resolution. Individual branch locations do not have servers. All branches access applications by using terminal servers at their hub site.

Use the following documents to create your design:
- M6_Physical.png
- M6_LocationDetails.doc

Task 1: Determine a DNS server location
1. Are DNS servers required at the branch locations?
2. Are DNS servers required at each hub site?
3. How many DNS servers should be located at each hub site?


Exercise 3: Designing a DNS Zone and Replication Strategy
After determining the location of DNS servers, you must now determine how to divide the DNS namespace and how replication will be performed. DNS for each of the three domains should be managed separately. Each DNS zone should be capable of performing secure dynamic updates for computers in the local domain.

Task 1: Determine DNS zone requirements
1. Which zones need to be created on internal DNS servers?
2. Which zones need to be created on external DNS servers?
3. In which hub sites will each DNS zone be placed?
4. How will replication/zone transfers be configured for each zone?


Exercise 4: Discuss the Design of Name Resolution
Now that you have completed your name resolution strategy, participate in a discussion with your instructor and the class.

Task 1: Discuss your design for name resolution with the instructor and other students
1. With your instructor, discuss the namespace design that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the DNS server strategy that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the DNS zone and replication strategy that is appropriate for Woodgrove Bank.


Exercise 5: Implement a DNS and Zone Replication Strategy
After completing your name resolution strategy, you must take steps to implement it. Some of the name resolution strategy is already in place. However, you must verify the components that are in place and implement others.

The main tasks for this exercise are:
1. Review the configuration of zones in North America.
2. Review the configuration of zones in Europe.
3. Configure zone transfers for EMEA.WoodgroveBank.com.
4. Configure a secondary zone for EMEA.WoodgroveBank.com.
5. Close all virtual machines and discard undo disks.

Task 1: Review the configuration of zones in North America
1. On NYC-DC1, use the DNS administrative tools to view the type and replication configuration of the WoodgroveBank.com zone.
2. View the type and replication configuration of the _msdcs.WoodgroveBank.com zone.

Task 2: Review the configuration of zones in Europe
1. On LON-DC1, use the DNS administrative tools to view the type and replication configuration of the EMEA.WoodgroveBank.com zone.
2. View the type and replication configuration of the _msdcs.WoodgroveBank.com zone.

Task 3: Configure zone transfers for EMEA.WoodgroveBank.com
On LON-DC1, use the DNS administrative tool to configure the EMEA.WoodgroveBank.com zone to allow zone transfers to 10.10.0.10.

Task 4: Configure a secondary zone for EMEA.WoodgroveBank.com
1. On NYC-DC1, use the DNS administrative tool to create a new secondary zone for EMEA.WoodgroveBank.com.
   - Type: Secondary zone
   - Zone name: EMEA.WoodgroveBank.com
   - Master server: 10.10.0.110
2. View the replicated records for EMEA.WoodgroveBank.com.
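Tasks 3 and 4 done with dnscmd rather than the DNS console, followed by the checks that confirm the transfer restriction took effect and that the secondary actually received data. This is an added example, not part of the lab manual; it uses the lab's addresses (10.10.0.10 for the NYC-DC1 side, 10.10.0.110 for LON-DC1) and assumes domain-admin rights and dnscmd.exe on the path.

```powershell
# Added example (not from the lab manual). Assumes domain-admin rights,
# dnscmd.exe available, and the lab addresses 10.10.0.10 (NYC side) and
# 10.10.0.110 (LON-DC1).

# Task 3, on LON-DC1: transfers of EMEA.WoodgroveBank.com only to 10.10.0.10.
# /SecureList is the console's "Only to the following servers" option. A zone
# that transfers to anyone hands its complete host list to any client that
# asks, so the list should name only the intended secondaries.
dnscmd LON-DC1 /ZoneResetSecondaries EMEA.WoodgroveBank.com /SecureList 10.10.0.10

# Confirm the setting: the "secure secs" line of /ZoneInfo shows the mode and
# the address list.
dnscmd LON-DC1 /ZoneInfo EMEA.WoodgroveBank.com

# Task 4, on NYC-DC1: create the secondary zone with LON-DC1 as its master.
dnscmd NYC-DC1 /ZoneAdd EMEA.WoodgroveBank.com /Secondary 10.10.0.110

# Pull the zone now instead of waiting for the SOA refresh interval, then
# check the zone type and list the records that arrived (the "@" node is
# the zone root, so this shows the SOA and NS records and everything below).
dnscmd NYC-DC1 /ZoneRefresh EMEA.WoodgroveBank.com
dnscmd NYC-DC1 /ZoneInfo EMEA.WoodgroveBank.com
dnscmd NYC-DC1 /EnumRecords EMEA.WoodgroveBank.com @

# Returns $true when the secondary holds at least one record from the master;
# an empty secondary usually means the master refused the transfer because
# the requesting address is not on its secure list.
function Test-SecondaryZonePopulated {
    param([string]$Server, [string]$Zone)
    $out = dnscmd $Server /EnumRecords $Zone @ 2>&1 | Out-String
    return ($out -match "SOA")
}
Test-SecondaryZonePopulated -Server "NYC-DC1" -Zone "EMEA.WoodgroveBank.com"
```

If Test-SecondaryZonePopulated returns $false, compare the address NYC-DC1 actually uses to reach LON-DC1 with the one on the secure list; the master matches the source address of the AXFR request, not the server name.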

Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6435A Lab Launcher.

Lab Instructions: Designing Advanced Name Resolution


Module 7
Lab Instructions: Designing Advanced Name Resolution

Contents
Exercise 1: Optimizing DNS Servers
Exercise 2: Designing High Availability for Name Resolution
Exercise 3: Designing WINS
Exercise 4: Implementing a GlobalNames Zone


Lab: Designing Advanced Name Resolution

Scenario
You have recently completed the high-level design for DNS name resolution at Woodgrove Bank. You now need to create some detailed configuration information for DNS servers to optimize name resolution and secure the DNS servers appropriately. You also need to design name resolution for NetBIOS names to support older applications.


Exercise 1: Optimizing DNS Servers
The high-level design of DNS zones and their locations has been completed. You now need to determine the detailed configuration that is required on each DNS server to support that design. Considerations include root hints and forwarding. The requirements for the implementation are:
- DNS servers are located only at hub sites.
- Only DNS servers in the New York hub site can resolve Internet DNS names.
- The DNS servers in the New York hub site must be protected from the Internet.
- The server responsible for the external WoodgroveBank.com domain should be protected from denial-of-service attacks based on recursive queries.
- All DNS servers should cache resolved names to reduce network traffic.

Use the following documents to complete your design:
- M6_Physical.png
- M7_DNSConfiguration.doc

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine configuration for internal DNS servers.
3. Determine configuration for external DNS servers.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-LON-DC1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Determine configuration for internal DNS servers
1. Which DNS servers should be able to perform recursive lookups?
2. Which DNS servers should use forwarding, and how is it configured?
3. Which DNS servers should use root hints to look up names?
4. How will DNS servers in New York performing external lookups be protected from the Internet?
5. How should caching be configured on the DNS servers?

Task 3: Determine configuration for external DNS servers
1. What configuration should be performed on external servers hosting the WoodgroveBank.com domain to prevent denial-of-service attacks?
2. How should root hints be configured on the external DNS servers performing external lookups?
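One server configuration that meets the requirements listed at the start of this exercise (Internet resolution only from New York, no recursion on the external authoritative server, caching everywhere), applied with dnscmd. This is an added example and not the lab's answer key; NYC-DC1 and LON-DC1 are the lab's servers, 10.10.0.10 is assumed to be NYC-DC1's address, and EXT-DNS1 is a placeholder name for the external WoodgroveBank.com server.

```powershell
# Added example (not from the lab manual). Assumes NYC-DC1 is reachable at
# 10.10.0.10 and uses EXT-DNS1 as a placeholder for the external server.

# Hub-site servers outside New York: forward anything outside their own zones
# to New York and never fall back to root hints (/Slave = "forward only").
# With this in place only New York servers ever send queries to the Internet,
# which is what lets the New York servers be the one place to protect.
dnscmd LON-DC1 /ResetForwarders 10.10.0.10 /Slave

# New York internal servers resolve Internet names themselves via root hints
# (the default once the forwarder list is empty).
dnscmd NYC-DC1 /ResetForwarders

# The external authoritative server should answer only for zones it hosts.
# With recursion off it cannot be used as an open resolver, which removes
# the recursive-query load and the reflection/amplification exposure the
# requirement refers to; queries for WoodgroveBank.com are still answered.
dnscmd EXT-DNS1 /Config /NoRecursion 1

# Caching is on by default; verify instead of assuming. /Info lists the
# server flags (NoRecursion among them) and the forwarders, so one pass
# over all three servers shows whether the design is actually in effect.
foreach ($srv in "LON-DC1", "NYC-DC1", "EXT-DNS1") {
    "==== $srv ===="
    dnscmd $srv /Info
}
```

The forward-only choice on LON-DC1 is a deliberate trade-off: if the New York forwarders are unreachable, London loses Internet name resolution rather than quietly bypassing the New York controls through root hints.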


Exercise 2: Designing High Availability for Name Resolution
Most services on the Woodgrove Bank network rely on DNS name resolution for full functionality. It is critical that DNS is highly available. Each hub site has at least two domain controllers that can be configured as DNS servers.

Task 1: Determine high availability methods for external DNS servers
1. How will you configure high availability for the external DNS servers hosting WoodgroveBank.com?
2. Will DNS servers be hosted in multiple locations?

Task 2: Determine high availability methods for internal DNS servers
1. How many DNS servers will be located at each hub site?
2. What method will you use to configure DNS servers as highly available?
3. How will clients be configured to support high availability of DNS?


Exercise 3: Designing WINS
There are a few older applications that rely on NetBIOS name resolution for proper functionality. You must determine how WINS will be implemented to support those applications. The requirements for NetBIOS name resolution are:
- Applications requiring NetBIOS name resolution support are in New York, London, and Tokyo.
- Users for the applications are located in all areas of the organization, but access the applications through terminal services.
- Registered NetBIOS names must be replicated and synchronized between all WINS servers.
- Failure of WAN links should not affect NetBIOS name resolution.

Task 1: Determine the requirements for NetBIOS name resolution
1. Which computers need to register and resolve NetBIOS names?
2. Where should WINS servers be located?
3. How would your plan change if NetBIOS applications were installed on all computers?

Task 2: Determine how WINS replication will be configured
1. What type of replication should be used between WINS servers?
2. What replication topology should be used between WINS servers?

Task 3: Determine how WINS will be integrated with DNS
1. Is there a need for WINS integration with DNS?
2. How can a GlobalNames DNS zone reduce the need for WINS?


Exercise 4: Implementing a GlobalNames Zone
You would like to test whether one of your applications requiring NetBIOS name resolution can be supported by using a GlobalNames zone. To do this, you will configure an application client and server without WINS and test them. In the following steps you implement the GlobalNames zone that they will use.

Task 1: Create a GlobalNames zone
On NYC-DC1, create a GlobalNames forward lookup zone by using DNS Manager.
- Primary zone
- Store the zone in Active Directory
- Replication: To all DNS servers in the forest
- Zone name: GlobalNames
- Do not allow dynamic updates

Task 2: Enable support for a GlobalNames zone
1. On NYC-DC1, run the command dnscmd nyc-dc1 /config /enableglobalnamessupport 1.
2. On LON-DC1, run the command dnscmd lon-dc1 /config /enableglobalnamessupport 1.

Task 3: Configure records in a GlobalNames zone
On NYC-DC1, use DNS Manager to add a new CNAME record in the GlobalNames zone.
- Alias name: NBSrv
- Target host: NYC-DC1.WoodgroveBank.com

Task 4: Verify replication to LON-DC1
On LON-DC1, use DNS Manager to verify that the NBSrv record exists in the GlobalNames zone. You may need to wait several minutes for the record to appear.

Task 5: Test resolution of records in a GlobalNames zone
On LON-DC1, ping NBSrv to verify name resolution.
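Tasks 1 through 5 of this exercise carried out with dnscmd from one script, including a wait loop for Task 4 so the test in Task 5 is not run before AD replication has delivered the record. This is an added example, not part of the lab manual; the only commands on the page are the two dnscmd lines in Task 2, and the rest assumes domain-admin rights, dnscmd.exe on the path, and the lab's server names.

```powershell
# Added example (not from the lab manual). Assumes domain-admin rights,
# dnscmd.exe on the path, and the lab's NYC-DC1 / LON-DC1 servers.

# Task 1: AD-integrated primary zone replicated to every DNS server in the
# forest (/DP /forest). A GlobalNames zone has to be identical forest-wide,
# which is why domain-scope replication is not enough.
dnscmd NYC-DC1 /ZoneAdd GlobalNames /DsPrimary /DP /forest

# "Do not allow dynamic updates": GlobalNames is an administrator-maintained
# list of static single-label names. If clients could register into it, any
# machine could claim a name that every client in the forest then trusts.
dnscmd NYC-DC1 /Config GlobalNames /AllowUpdate 0

# Task 2: each DNS server must be told to consult the zone for single-label
# queries; the zone replicating to a server does not switch this on.
dnscmd NYC-DC1 /Config /EnableGlobalNamesSupport 1
dnscmd LON-DC1 /Config /EnableGlobalNamesSupport 1

# Task 3: the alias that stands in for the NetBIOS name.
dnscmd NYC-DC1 /RecordAdd GlobalNames NBSrv CNAME NYC-DC1.WoodgroveBank.com

# Task 4: poll a remote server until AD replication delivers the record.
# Returns $true when the CNAME is visible there, $false on timeout.
function Wait-GlobalNamesRecord {
    param([string]$Server, [string]$Alias, [int]$TimeoutSec = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $out = dnscmd $Server /EnumRecords GlobalNames $Alias 2>&1 | Out-String
        if ($out -match "CNAME") { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Task 5: resolve the single-label name through DNS alone. nslookup shows
# which server answered; ping shows the application-level result.
if (Wait-GlobalNamesRecord -Server "LON-DC1" -Alias "NBSrv") {
    nslookup NBSrv LON-DC1
    ping -n 2 NBSrv
} else {
    Write-Warning "NBSrv has not replicated to LON-DC1 yet; check AD replication."
}
```

If the record is present on LON-DC1 but ping still fails there, the usual cause is that Task 2 was skipped on that server: clients querying LON-DC1 only benefit from the zone once that server has GlobalNames support enabled.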

Task 6: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Lab Instructions: Designing Network Access Solutions


Module 8
Lab Instructions: Designing Network Access Solutions

Contents
Exercise 1: Designing a Network Access Solution
Exercise 2: Designing Network Policy Services
Exercise 3: Designing a Wireless Connection Solution
Exercise 4: Discuss the Design of Network Access
Exercise 5: Deploying an SSTP VPN Solution


Lab: Designing a Remote Access Solution

Scenario
Woodgrove Bank is evaluating the network access needs for roaming users within the organization. At this time a VPN server is in place, but no wireless LANs have been implemented due to security concerns. You must design a remote access solution and a wireless connection solution based on user and business requirements. The current VPN deployment consists of a single VPN server. Clients use PPTP connections and are given connectivity to the entire network when connected.


Exercise 1: Designing a Network Access Solution
Woodgrove Bank is facing increasing demand from users for remote access. Many of the hub site management staff travel to remote locations and need access to organizational data from hotel rooms. Also, executives want the ability to work from home or while on vacation. The following information has been gathered:
- Some travelling users do not have Internet access in their hotel rooms.
- Security of data is very important.
- Woodgrove Bank has an infrastructure in place for deploying certificates and smart cards.
- Some executives have had problems with VPN connections being blocked by hotel firewalls.
- Users from non-North America sites have complained about slow access to data over the VPN.
- Some roaming clients use Windows XP and there are no plans to upgrade those clients to Windows Vista until new laptops are purchased.
- There is only a single Internet connection for Woodgrove Bank. It is located in the New York hub site.
- The current service provider for Internet access provides no guarantees for availability. Availability guarantees are required for disaster recovery planning.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine remote access methods.
3. Determine physical infrastructure for remote access.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-RAS, click Launch.
4. In the Lab Launcher, next to 6435A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-RAS as Administrator with the password Pa$$w0rd.
7. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Determine remote access methods
1. Is dial-up access required?
2. Which authentication method should be used for VPN connections?
3. Which VPN tunneling protocol should be used?

Task 3: Determine physical infrastructure for remote access
1. Where should VPN servers be located?
2. How will you address the concerns of non-North American users about slow access to data over the VPN?
3. How will clients be configured with dial-up and VPN connections?
4. How will you address concerns about availability for the Internet connection?


Exercise 2: Designing Network Policy Services
It has been determined that the most effective way to provide dial-up access for remote users is by outsourcing dial-up access to an ISP with a world-wide presence. The requirements for network policies are as follows:
- Executives are allowed remote access to network resources and are not restricted.
- Branch management staff are allowed remote access only to resources in their hub site. For example, branch managers in Toronto are allowed access only to Toronto resources.
- Customer Service staff are not allowed remote access.
- Investments staff are allowed remote access to all Investments resources in their hub site.
- Marketing staff are allowed remote access only for e-mail.

The main tasks for this exercise are:
1. Determine the infrastructure requirements for RADIUS.
2. Determine network policies.

Task 1: Determine the infrastructure requirements for RADIUS
1. How will RADIUS allow the Woodgrove Bank help desk to control passwords?
2. What configuration needs to be performed at the ISP, and which server there acts as a RADIUS server?
3. What configuration needs to be performed at Woodgrove Bank?
4. How does the implementation of RADIUS affect the local VPN server?

Task 2: Determine network policies
1. What network policies should be created?
2. How does the processing order affect your network policies?


Exercise 3: Designing a Wireless Connection Solution
Woodgrove Bank does not have any wireless infrastructure in place to support roaming users throughout the buildings. The Investments department staff in particular would like the ability to move from office to office with their laptops for spontaneous meetings. This will be piloted first in the Toronto hub site and then deployed at other hub sites. The requirements for a wireless network design are as follows:
- Only laptops that are members of the domain can connect to the wireless network.
- The highest possible level of security must be used.
- Users must be able to roam throughout the building.
- The highest possible speed is required.

The main tasks for this exercise are:
1. Select wireless standards.
2. Design the physical implementation.

Task 1: Select wireless standards
1. Which wireless networking standard is preferred for your implementation?
2. Which encryption standard is preferred for your implementation?
3. How will computers be authenticated?

Task 2: Design the physical implementation
1. How will you provide power to the WAPs?
2. How will you ensure that users can roam throughout the building?
3. How will you ensure that signal strength is acceptable in all areas of the building?


Exercise 4: Discuss the Design of Network Access
Now that you have completed your design for network access, participate in a discussion with your instructor and the class.

The main task for this exercise is:
1. Discuss your design for network access with the instructor and other students.

Task 1: Discuss your design for network access with the instructor and other students
1. With your instructor, discuss the remote access solution that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the Network Policy Services design that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the wireless connection solution that is appropriate for Woodgrove Bank.


Exercise 5: Deploying an SSTP VPN Solution
Woodgrove Bank has determined that an SSTP VPN will meet the requirements for roaming users. In this exercise, you install an SSTP VPN server and connect to it.

The main tasks for this exercise are:
1. Install Active Directory Certificate Services and Web server.
2. Create an SSL certificate.
3. Configure RRAS.
4. Create a Network Policy to allow VPN access.
5. Configure the client with a trusted root certificate.
6. Configure and test an SSTP VPN connection.
7. Close all virtual machines and discard undo disks.

Task 1: Install Active Directory Certificate Services and Web server
1. On NYC-RAS, use Server Manager to add the Active Directory Certificate Services and Web Server (IIS) roles.
2. Install the following configuration for Active Directory Certificate Services:
   - Role services: Certification Authority and Certification Authority Web Enrollment
   - CA type: Enterprise Root CA
   - Create a new private key
   - Cryptography: default
   - CA name: default
   - Validity period: default
   - Database and log locations: default
3. Accept default settings for the Web Server (IIS) role.

Task 2: Create an SSL certificate
On NYC-RAS, use Internet Information Services Manager to request a new server certificate for NYC-RAS.
- Create Domain Certificate
- Common name: NYC-RAS.WoodgroveBank.com
- Organization: Woodgrove Bank
- Organizational unit: IT
- City/locality: New York
- State/province: New York
- Country/region: US
- Online Certification Authority: WoodgroveBank-NYC-RAS-CA\NYC-RAS.WoodgroveBank.com
- Friendly name: WebSSL

Task 3: Configure RRAS
On NYC-RAS, use the Routing and Remote Access administrative tool to enable Routing and Remote Access.
- Configuration: Remote access (dial-up or VPN)
- Remote access: VPN
- Network interface: Local Area Connection
- Do not enable security on the selected interface by setting up static packet filters.
- IP address assignment: From a specified range of IP addresses
- IP address range: 10.11.0.200 to 10.11.0.225
- Use Routing and Remote Access to authenticate connection requests

Task 4: Create a Network Policy to allow VPN access
1. On NYC-RAS, use Network Policy Server to create a new network policy.
   - Policy name: Allow Domain Admins
   - Condition: Windows Groups WoodgroveBank\Domain Admins
   - Access permission: Access Granted
   - Authentication type: default
   - Constraints: default
   - Settings: default

Task 5: Configure the client with a trusted root certificate
1. On NYC-CL1, use Internet Explorer to open the Certificate Services Web site at http://NYC-RAS.WoodgroveBank.com/certsrv.
2. Log on as WoodgroveBank\Administrator with a password of Pa$$w0rd.
3. Download a CA certificate, open it, and install it.
4. Automatically select the certificate store based on the type of certificate.
5. Open an empty MMC console (click Start, type mmc, and press Enter) and add:
   - The Certificates snap-in focused on My user account.
   - The Certificates snap-in focused on Local computer.
6. Copy the WoodgroveBank-NYC-RAS-CA certificate from Certificates - Current User > Intermediate Certification Authorities > Certificates to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.

Task 6: Configure and test an SSTP VPN connection
1. On NYC-CL1, open Connect To from the Start menu.
2. Set up a new connection.
   - Connect to a workplace
   - Use my Internet connection (VPN)
   - I'll set up an Internet connection later
   - Internet address: NYC-RAS.WoodgroveBank.com
   - Destination name: NYC VPN
   - Leave the username and password blank
3. Open Connect To from the Start menu.
4. Open the properties of the NYC VPN connection and select SSTP as the type of VPN on the Networking tab.
5. Connect the NYC VPN.
6. Open Connect To from the Start menu and verify that the NYC VPN connection is connected.

Note: If you experience an error during your connection attempt, review the configuration of your SSTP listener by using the instructions from Setting up the SSTP listener and verifying it in the Routing and Remote Access Blog at http://blogs.technet.com/rrasblog/archive/2007/03/07/configuration-of-sstplistener-and-verification.aspx. In particular, you must manually remove and replace the certificate used by SSTP if you want to replace it.
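Two checks that cover the pieces the connection in Task 6 depends on: that the certificate bound to the SSTP listener on NYC-RAS is the NYC-RAS.WoodgroveBank.com certificate from Task 2, and that the client in Task 5 ended up with the CA certificate in the machine's Trusted Root store rather than only in the user's Intermediate store. This is an added example, not part of the lab manual or the referenced blog post; it assumes the SSTP listener is bound to 0.0.0.0:443 (its default) and uses the certificate subject and CA name from Tasks 2 and 5.

```powershell
# Added example (not from the lab manual). Run Test-SstpListenerCertificate
# elevated on NYC-RAS and Test-VpnRootTrusted elevated on NYC-CL1. Assumes the
# SSTP listener is bound to 0.0.0.0:443 and the lab's certificate names.

# On NYC-RAS: SSTP is terminated by HTTP.sys, so the certificate it presents
# is whatever is bound to the HTTPS port, not whatever IIS shows. A stale
# binding after a certificate has been replaced is the case the note above
# points at, and this check catches it before a client tries to connect.
function Test-SstpListenerCertificate {
    param(
        [string]$ExpectedSubject = "CN=NYC-RAS.WoodgroveBank.com",
        [string]$IpPort = "0.0.0.0:443"
    )
    $binding = netsh http show sslcert ipport=$IpPort | Out-String
    if ($binding -match "Certificate Hash\s*:\s*([0-9a-fA-F]+)") {
        $boundHash = $Matches[1].ToUpper()
    } else {
        Write-Warning "No SSL certificate is bound to $IpPort"
        return $false
    }
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "$ExpectedSubject*" }
    if (-not $certs) {
        Write-Warning "No certificate for $ExpectedSubject in LocalMachine\My"
        return $false
    }
    $thumbprints = $certs | ForEach-Object { $_.Thumbprint.ToUpper() }
    $ok = $thumbprints -contains $boundHash
    if (-not $ok) {
        Write-Warning "Listener on $IpPort uses $boundHash, not the $ExpectedSubject certificate"
    }
    return $ok
}

# On NYC-CL1: the server chain is validated against the machine store, which
# is why Task 5 copies the CA certificate into Local Computer > Trusted Root.
# The certsrv download alone only lands it in the user's stores.
function Test-VpnRootTrusted {
    param([string]$CaName = "WoodgroveBank-NYC-RAS-CA")
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CaName*" }
    return [bool]$root
}

Test-SstpListenerCertificate
Test-VpnRootTrusted
```

Both functions return $true or $false and explain a $false result with a warning, so they can be pasted into the session on each machine before attempting the connection in Task 6.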

Task 7: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6435A Lab Launcher.

Module 9 Lab Instructions: Designing Network Access Protection

Contents
Exercise 1: Analyzing Enforcement Methods
Exercise 2: Designing DHCP Enforcement
Exercise 3: Designing IPsec Enforcement
Exercise 4: Implementing DHCP Enforcement


Lab: Designing Network Access Protection

Scenario
Woodgrove Bank has recently experienced problems with malware being introduced to the network at the New York hub site. The introduction of malware has been a result of computers not being compliant with corporate security and maintenance policies. None of the lapses has been a result of malicious users attempting to bypass security guidelines. The following are examples of recent lapses:
• A user working from home did not have antivirus software enabled. A virus was introduced to the network over the corporate VPN connection.
• Windows Firewall was disabled on a desktop computer by a technician during application troubleshooting. The technician forgot to re-enable the firewall and the computer was subsequently infected with a worm.
• A visiting consultant connected a laptop to the corporate network and introduced a virus.

The New York hub site provides services for all bank branches in the northeastern United States. NAP is being implemented in New York as a trial for the rest of Woodgrove Bank. Varying scenarios need to be considered and tested. The infrastructure in place at the New York hub site and branches has the following characteristics:
• A VPN server running Windows Server 2008 RRAS
• Most, but not all, switches and WAPs support 802.1X authentication
• All client computers have been upgraded to Windows Vista
• No additional products with an SHA/SHV have been installed
• All clients use dynamic IP addresses
• The DHCP server in Windows Server 2008 is used to lease IP addresses


Exercise 1: Analyzing Enforcement Methods
The first step in designing a NAP implementation is determining which enforcement methods are appropriate. You must determine the appropriate enforcement methods for Woodgrove Bank.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Analyze DHCP enforcement.
3. Analyze VPN enforcement.
4. Analyze 802.1X enforcement.
5. Analyze IPsec enforcement.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. In the Lab Launcher, next to 6435A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
7. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Analyze DHCP enforcement
1. Which components are required for DHCP enforcement?
2. Are the necessary components in place for DHCP enforcement?
3. What are the benefits of using DHCP enforcement?
4. What are the drawbacks of using DHCP enforcement?
5. Is DHCP enforcement suitable for Woodgrove Bank?

Task 3: Analyze VPN enforcement
1. Which components are required for VPN enforcement?
2. Are the necessary components in place for VPN enforcement?
3. What are the benefits of using VPN enforcement?
4. What are the drawbacks of using VPN enforcement?
5. Is VPN enforcement suitable for Woodgrove Bank?

Task 4: Analyze 802.1X enforcement
1. Which components are required for 802.1X enforcement?
2. Are the necessary components in place for 802.1X enforcement?
3. What are the benefits of using 802.1X enforcement?
4. What are the drawbacks of using 802.1X enforcement?
5. Is 802.1X enforcement suitable for Woodgrove Bank?

Task 5: Analyze IPsec enforcement
1. Which components are required for IPsec enforcement?
2. Are the necessary components in place for IPsec enforcement?
3. What are the benefits of using IPsec enforcement?
4. What are the drawbacks of using IPsec enforcement?
5. Is IPsec enforcement suitable for Woodgrove Bank?


Exercise 2: Designing DHCP Enforcement
Woodgrove Bank would like to see a design of DHCP enforcement before selecting enforcement methods for NAP. The following steps are required when configuring DHCP enforcement:
1. NAP clients must be configured with appropriate settings.
2. NAP must be enabled for the DHCP scope.
3. DHCP options must be configured for noncompliant computers.
4. Configure NPS as a health policy server.
5. Configure SHVs.
6. Configure remediation servers in NPS.

The main tasks for this exercise are:
1. Design client configuration.
2. Design SHV configuration.
3. Design DHCP implementation.
4. Design remediation servers.

Task 1: Design client configuration
1. What is the simplest way to apply the necessary client configuration to many computers at once?
2. How will you ensure that only the client computers are configured and not servers?

Task 2: Design SHV configuration
1. How are the options available for checking client status determined?
2. How can these options be expanded?

Task 3: Design DHCP implementation
1. Where will DHCP servers be located?
2. How will clients communicate with the DHCP servers?
3. Is additional configuration necessary on the DHCP server?

Task 4: Design remediation servers
1. How are remediation servers accessed by noncompliant computers?
2. Which servers should be configured as remediation servers?


Exercise 3: Designing IPsec Enforcement
Woodgrove Bank would like to see a design of IPsec enforcement before selecting enforcement methods for NAP. IPsec enforcement uses IPsec policies to create a restricted network, a boundary network, and a secure network. The same client and SHV configuration steps must be performed for IPsec enforcement as for DHCP enforcement.

The main tasks for this exercise are:
1. Design IPsec enforcement networks.
2. Design the IPsec implementation.
3. Design the CA implementation.

Task 1: Design IPsec enforcement networks
1. What computers are on the restricted network?
2. What computers are on the boundary network?
3. What computers are on the secure network?
4. What communication is allowed between the IPsec networks?

Task 2: Design the IPsec implementation
1. Why are IPsec policies required?
2. What IPsec configuration is used in the restricted network?
3. What IPsec configuration is used in the boundary network?
4. What IPsec configuration is used in the secure network?
5. How are remediation servers configured?

Task 3: Design the CA implementation
1. What type of CA must be installed, and why?
2. How long will health certificates be valid?


Exercise 4: Implementing DHCP Enforcement
Woodgrove Bank has decided to implement DHCP enforcement. In this exercise DHCP enforcement is configured and tested.

The main tasks for this exercise are:
1. Install necessary components.
2. Configure NPS.
3. Configure DHCP.
4. Configure the NAP client by using Group Policy.
5. Configure networking on the client.
6. Configure the SHV.
7. Test compliance and auto-remediation on the client.
8. Close all virtual machines and discard undo disks.

Task 1: Install necessary components
1. On NYC-DC1, use Server Manager to add the DHCP Server and Network Policy and Access Services server roles.
2. For the Network Policy and Access Services server role, include the Network Policy Server role service.
3. For the DHCP Server role, use the following settings:
   Network connection: 10.10.0.10
   Parent domain: WoodgroveBank.com
   Preferred DNS server IPv4 address: 10.10.0.10
   WINS is not required for applications on the network
   Add a DHCP scope:
     Scope name: New York Scope
     Starting IP address: 10.10.1.0
     Ending IP address: 10.10.9.254
     Subnet mask: 255.255.0.0
     Default gateway (optional): 10.10.0.1
     Subnet type: Wired (lease duration will be 6 days)
     Activate this scope
   Disable DHCPv6 stateless mode for this server
   Use current credentials

Task 2: Configure NPS
1. On NYC-DC1, use the Network Policy Server administrative tool to select the Network Access Protection (NAP) standard configuration and then configure NAP.
   Connection method: Dynamic Host Configuration Protocol (DHCP)
   Policy name: NAP DHCP
   RADIUS clients: None
   DHCP scopes: None
   User and machine groups: None
   Remediation server groups: None
   Windows Security Health Validator
   Enable auto-remediation of client computers
   Deny full network access to NAP-ineligible client computers
2. Review the connection request policies created by the wizard.
3. Review the network policies created by the wizard.
4. Review the health policies created by the wizard.

Task 3: Configure DHCP
1. On NYC-DC1, use the DHCP administrative tool to enable Network Access Protection for the New York Scope and use the Default Network Access Protection profile.
2. On the Advanced tab of Scope Options, for the Default Network Access Protection Class, configure the following:
   006 DNS Servers: 10.10.0.10
   015 DNS Domain Name: restricted.woodgrovebank.com
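The same scope and NAP settings (Task 1 and Task 3) as a script, added here as an example; it is not part of the lab. It uses the DhcpServer PowerShell module that ships with Windows Server 2012 and later, because the lab's Windows Server 2008 exposes these settings only through the DHCP console and netsh dhcp, so it serves for reproducing the design on a current server rather than inside the lab VM. It assumes it is run elevated on the DHCP server, which as in the lab also runs NPS; addresses, the user class name and the scope are the lab's.

```powershell
# Added example, not part of the lab: Task 1 scope plus Task 3 NAP settings with the
# DhcpServer module (Windows Server 2012+). Assumptions: run elevated on the DHCP server,
# NPS is local to it, addresses and names are the lab's.

Import-Module DhcpServer

$ScopeId  = '10.10.0.0'   # 10.10.1.0 to 10.10.9.254 under a /16 mask falls in this scope
$NapClass = 'Default Network Access Protection Class'   # built-in user class applied to noncompliant clients

# Task 1: the New York scope, 6-day lease (the console's "Wired" default), active.
if (-not (Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'New York Scope' -StartRange 10.10.1.0 -EndRange 10.10.9.254 `
        -SubnetMask 255.255.0.0 -LeaseDuration (New-TimeSpan -Days 6) -State Active
}
# Options for compliant clients: gateway, DNS server and the normal suffix.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router 10.10.0.1 -DnsServer 10.10.0.10 `
    -DnsDomain 'WoodgroveBank.com'

# Task 3 step 1: enable NAP on the scope. With NPS on the same server the DHCP service
# asks the local NPS for the health decision, so no RADIUS client entry is needed
# (the wizard's "RADIUS clients: None").
Set-DhcpServerv4Scope -ScopeId $ScopeId -NapEnable $true

# Task 3 step 2: options handed only to clients that NPS marks noncompliant. They get the
# remediation DNS server and the restricted suffix; the server also issues them a
# 255.255.255.255 mask and no default gateway, so with no remediation server group
# (the lab defines none) a quarantined client has no usable route to the network,
# which is why the ping in Task 5 fails.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapClass -DnsServer 10.10.0.10 `
    -DnsDomain 'restricted.woodgrovebank.com'

# Verify: the NAP flag on the scope and the two option sets side by side.
Get-DhcpServerv4Scope -ScopeId $ScopeId | Select-Object Name, State, NapEnable, NapProfile
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Name, Value -AutoSize
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapClass | Format-Table OptionId, Name, Value -AutoSize
```

Worth keeping in mind when reading the output: the restricted-class options only reach a client that obtains its address from this server. A client with a static address is never evaluated by DHCP enforcement, which is acceptable in the scenario above only because none of the lapses came from users deliberately bypassing policy.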

Task 4: Configure the NAP client by using Group Policy
1. On NYC-DC1, use Active Directory Users and Computers to create a new organizational unit, named NYC NAP Clients, in the NYC organizational unit.
2. Move the NYC-CL1 computer object into the NYC NAP Clients organizational unit.
3. Use the Group Policy Management administrative tool to create a new Group Policy object, named DHCP NAP Client, linked to the NYC NAP Clients organizational unit with the following settings:
   Computer Configuration/Policies/Windows Settings/Security Settings/System Services/Network Access Protection Agent: Automatic
   Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration/Enforcement Clients/DHCP Quarantine Enforcement Client: Enable
   Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration: Apply (from the context menu)
   Computer Configuration/Policies/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only): Enabled

Task 5: Configure networking on the client
1. Restart NYC-CL1, and log on as Administrator with a password of Pa$$w0rd.
2. On NYC-CL1, open a command prompt and use the following command to update Group Policy settings:
   gpupdate
3. Reconfigure Local Area Connection to use DHCP to obtain an IP address and DNS server.
4. Open a command prompt and use the following command to view the configured IP address:
   ipconfig /all
5. Notice that an IPv4 address has been configured, but the subnet mask is 255.255.255.255 and the Connection-specific DNS Suffix is restricted.woodgrovebank.com.
6. Ping NYC-WEB.WoodgroveBank.com to test connectivity.
7. The ping to NYC-WEB.WoodgroveBank.com fails.


Task 6: Configure the SHV
On NYC-DC1, use the Network Policy Server administrative tool to configure the Windows Security Health Validator under Network Access Protection. Test only for an enabled firewall.

Task 7: Test compliance and auto-remediation on the client
1. On NYC-CL1, renew the IP address by using the command ipconfig /renew.
2. Notice that NYC-CL1 now has a default gateway, a subnet mask of 255.255.0.0, and the Connection-specific DNS Suffix is WoodgroveBank.com.
3. Ping NYC-WEB.WoodgroveBank.com to test connectivity.
4. The ping to NYC-WEB.WoodgroveBank.com is successful.
5. In the Control Panel Security settings, turn off Windows Firewall.
6. Notice that Windows Firewall status is off only briefly, before being turned back on by the NAP client.
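The checks Task 5 and Task 7 perform by hand with ipconfig /all and the Control Panel, as an added example script for the client side (not part of the lab and not Microsoft's code). It reports the DHCP symptoms of quarantine, asks the NAP agent for its own restriction state, and times how long auto-remediation takes to switch Windows Firewall back on. Assumptions: Windows PowerShell 2.0 or later on a Windows Vista or later client; the restricted suffix is the lab's; the field names parsed from netsh output are the English ones Windows prints.

```powershell
# Added example, not part of the lab: client-side view of DHCP enforcement and auto-remediation.
# Assumptions: Windows PowerShell 2.0+ on the NAP client (Windows Vista or later), English netsh output.

function Get-DhcpRestrictionState {
    param([string]$RestrictedSuffix = 'restricted.woodgrovebank.com')   # lab suffix; assumption elsewhere
    # DHCP enforcement shows itself as a 255.255.255.255 mask, no default gateway and the
    # restricted suffix. Only DHCP-enabled adapters are inspected: a statically addressed
    # adapter is never quarantined by this enforcement method.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE' |
        ForEach-Object {
            $ipv4 = @($_.IPAddress        | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
            $mask = @($_.IPSubnet         | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
            $gw   = @($_.DefaultIPGateway | Where-Object { $_ })
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                IPv4       = $ipv4[0]
                Mask       = $mask[0]
                Gateway    = $gw[0]
                DnsSuffix  = $_.DNSDomain
                Restricted = ($mask[0] -eq '255.255.255.255') -or ($gw.Count -eq 0) -or
                             ($_.DNSDomain -ieq $RestrictedSuffix)
            }
        }
}

function Get-NapAgentState {
    # The agent's own view. 'netsh nap client show state' prints the restriction state and
    # one block per enforcement client; the DHCP Quarantine Enforcement Client is id 79617.
    $text = (netsh nap client show state 2>&1) -join "`n"
    $dhcp = [regex]::Match($text, '(?s)Id\s*=\s*79617.*?Initialized\s*=\s*(\w+)')
    New-Object PSObject -Property @{
        RestrictionState      = $(if ($text -match 'Restriction state\s*=\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null })
        DhcpEnforcementClient = $(if ($dhcp.Success) { "Initialized = $($dhcp.Groups[1].Value)" } else { 'not listed' })
        RawOutput             = $text
    }
}

function Get-FirewallState {
    # Windows Firewall state for the current profile; this is what the SHV setting in
    # Task 6 ("test only for an enabled firewall") evaluates.
    $text = (netsh advfirewall show currentprofile 2>&1) -join "`n"
    if ($text -match '(?m)^State\s+(ON|OFF)') { return $Matches[1] }
    return 'unknown'
}

function Watch-FirewallRemediation {
    param([int]$TimeoutSeconds = 60)
    # Task 7 steps 5 and 6 under the clock: switch the firewall off and return the seconds
    # until auto-remediation switches it back on, or -1 if it never does (then re-enable it).
    netsh advfirewall set currentprofile state off | Out-Null
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed.TotalSeconds -lt $TimeoutSeconds) {
        Start-Sleep -Seconds 1
        if ((Get-FirewallState) -eq 'ON') { return [int]$sw.Elapsed.TotalSeconds }
    }
    netsh advfirewall set currentprofile state on | Out-Null   # leave the host protected
    return -1
}

Get-DhcpRestrictionState | Format-Table Adapter, IPv4, Mask, Gateway, DnsSuffix, Restricted -AutoSize
Get-NapAgentState | Select-Object RestrictionState, DhcpEnforcementClient
"Firewall: $(Get-FirewallState)"
```

Run the first three calls before and after ipconfig /renew to see the transition from restricted to full access; call Watch-FirewallRemediation only on a client you intend to quarantine, since it disables the firewall for however long remediation takes.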

Task 8: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6435A Lab Launcher.

Module 10 Lab Instructions: Designing Operating System Deployment and Maintenance

Contents
Exercise 1: Designing an Operating System Deployment Solution
Exercise 2: Designing WDS Deployment
Exercise 3: Designing WDS Images
Exercise 4: Designing a WSUS Deployment
Exercise 5: Discussing Operating System Deployment and Maintenance
Exercise 6: Implementing Multicast Transmissions for Images


Lab: Designing Operating System Deployment and Maintenance

Scenario
Woodgrove Bank would like to design and implement an effective solution for the deployment of operating systems. They would like you to evaluate their requirements and determine the best solution to use within their organization. You are designing a solution for North America that will be used as a template for other regions.

Client machines are running Windows 2000, Windows XP SP2, and Windows Vista. A number of applications, including Microsoft Office 2007 Professional, are installed. Data is stored only in the hub sites, and documents are accessed from file servers in the hub sites over WAN links.

Updating desktops with Microsoft updates is performed using a number of outdated in-house tools. The update process is very time consuming, and some of the client machines are not properly patched for an extended period. The current process involves each client computer downloading large amounts of data; you want the new solution to consume less bandwidth. The company would like you to design and implement a better update management solution that supports all Microsoft Windows operating systems and Microsoft Office 2007 applications deployed at the bank. You should be able to control which updates are available for download to clients.

All servers and desktop computers are joined to the bank's Active Directory Domain Services (AD DS) domain. Servers are located in data centers in each hub site and are connected to the corporate Ethernet using Gigabit network interface cards (NICs). Only the hub site in New York is configured with a perimeter network protected by a firewall. All other branches are connected to a hub site by T1 lines. The hub sites are connected to New York with 10 Mbps WAN links. All routers can support multicasting but are currently using the default configuration. The user desktops are all connected using 100 Mbps NICs, and they acquire their addresses from Microsoft DHCP servers at each location. AD DS uses Microsoft DNS.


The company would like you to design and implement an effective and secure deployment solution for operating systems. The bank wants to replace 2500 computers at the New York location and 1000 computers in Toronto with x86-based computers that run Windows Vista. You also want to upgrade your remaining Windows Server 2003 infrastructure to Windows Server 2008 Standard and Enterprise editions running on an x86 hardware platform. All servers have sufficient hard drive space for an upgrade and have been formatted with the NTFS file system. If possible, you should be able to control the schedule of the deployment, though you have not yet decided on the exact dates. Currently, operating system deployments are done using RIS running on Windows Server 2003 servers, and you want to ensure that the existing processes for computer building are preserved.

Users are concerned that some of their data and personalized settings may be lost during the migration. They are also concerned about their data being exposed to unauthorized users. The security group at the bank is concerned that some machines are not being patched in a timely fashion. They also demand that the new deployment design for operating systems consider the privacy of the users and ensure that security is maintained during and after the migration. Access to the image store needs to be secured to prevent unauthorized users from reading and mounting images.


Exercise 1: Designing an Operating System Deployment Solution
In this exercise, you will review the business and technical requirements for the deployment and maintenance of operating systems and select an appropriate method to deploy operating systems.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Review information about the current business requirements.
3. Select a deployment solution for operating systems.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Review information about the current business requirements
1. What are the business requirements described in the scenario?
2. What are the requirements for choosing the appropriate operating system deployment solution for the Woodgrove Bank design?

Task 3: Select a deployment solution for operating systems
What deployment solution for operating systems do you recommend, and why?


Exercise 2: Designing WDS Deployment
WDS will be used for both deploying new operating systems and ad hoc reimaging of failed workstations. When a single computer is reimaged, the target time for completion is 30 minutes or less. When new batches of computers are imaged, the impact on network performance must be minimized. User profile information should be migrated from the old computers and applied to the new computers.

The main tasks for this exercise are:
1. Design the WDS infrastructure.
2. Design the deployment process.

Task 1: Design the WDS infrastructure
1. Where will WDS servers be located?
2. What types of data need to be stored on each WDS server?
3. How will the impact on network performance be minimized during the deployment of new computers? What are the requirements for this solution?

Task 2: Design the deployment process
1. How will user data be captured from existing workstations and applied to new workstations?
2. What process will be used when deploying new workstations?
3. How will this process vary for reimaging existing workstations?


Exercise 3: Designing WDS Images
It has been determined that each workgroup in Woodgrove Bank requires a different image to accommodate the varying applications required by each group. Four images will be created: for executives, investments, customer services, and branch managers. Within each workgroup, there are varying types of hardware. The imaging process needs to be completely automated so that desktop support staff do not need to provide any input during or after the imaging process.

The main task for this exercise is:
1. Design the images and imaging process.

Task 1: Design the images and imaging process
1. How will you accommodate varying types of hardware within each workgroup?
2. What process will you use for image creation?
3. How can you automate the imaging process to ensure that user input is not required?
4. What are the requirements for the boot image?
5. Is there a need to convert existing RIS images to WIM images?


Exercise 4: Designing a WSUS Deployment
Woodgrove Bank has determined that Windows Server Update Services (WSUS) will meet the needs for applying updates to Windows workstations. A deployment of WSUS for Woodgrove Bank needs to be designed. Each hub site has 1000 or more computers, while each bank branch has 50 computers or fewer.

The main task for this exercise is:
1. Design a WSUS deployment.

Task 1: Design a WSUS deployment
1. What process will be used to approve updates?
2. Which updates should be downloaded and applied?
3. Which deployment scenario should be used for WSUS servers?
4. Where should WSUS servers be located?
5. What client configuration is necessary?


Exercise 5: Discussing Operating System Deployment and Maintenance
Now that you have completed your design for the deployment and maintenance of operating systems, participate in a discussion with your instructor and the class.

The main task for this exercise is:
1. Discuss your design for the deployment and maintenance of operating systems with the instructor and other students.

Task 1: Discuss your design for the deployment and maintenance of operating systems with the instructor and other students
1. With your instructor, discuss the WDS deployment design that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the WDS images design that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the WSUS deployment design that is appropriate for Woodgrove Bank.


Exercise 6: Implementing Multicast Transmissions for Images
The first batch of five new servers has arrived at Woodgrove Bank. A scheduled multicast must be configured to complete imaging these servers with Windows Server 2008.

The main tasks for this exercise are:
1. Install the WDS server role.
2. Configure the WDS server.
3. Add images to the WDS server.
4. Configure a multicast.
5. Close all virtual machines and discard undo disks.

Task 1: Install the WDS server role
On NYC-DC1, use Server Manager to install the Windows Deployment Services server role.
   Role services: Deployment Server and Transport Server

Task 2: Configure the WDS server
On NYC-DC1, use the Windows Deployment Services administrative tool to configure WDS on NYC-DC1.
   Folder of operating system images: accept the default location
   Respond only to known client computers
   Do not add images to the Windows Deployment Server now

Task 3: Add images to the WDS server
1. On NYC-DC1, use the Windows Deployment Services administrative tool to add an install image.
   Image group name: WindowsServer2008
   File location: D:\sources\install.wim
   Deselect Windows Longhorn SERVERDATACENTER
   Deselect Windows Longhorn SERVERDATACENTERCORE
   Use the default name and description for each selected image.
2. Wait while the images are imported into the WindowsServer2008 image group. This can take 10 minutes or more. The process is much faster after the first image is imported.
3. Use the Windows Deployment Services administrative tool to add a boot image.
   File location: D:\sources\boot.wim
   Image description: From Windows Server 2008 DVD

Task 4: Configure a multicast
On NYC-DC1, use the Windows Deployment Services administrative tool to create a multicast transmission.
   Friendly name: First Batch
   Image: Windows Longhorn SERVERENTERPRISE
   Scheduled-Cast that waits for 5 clients
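Tasks 2 to 4 as wdsutil commands, added here as an example (not part of the lab and not Microsoft's code), for reproducing the configuration without the console. wdsutil is the command-line interface WDS ships with on Windows Server 2008. Assumptions: Windows PowerShell run elevated on NYC-DC1 after the role is installed; the Windows Server 2008 DVD is on D:; the RemoteInstall path is an assumption standing in for the console's default; image, group and transmission names are the lab's.

```powershell
# Added example, not part of the lab: WDS server setup, image import and scheduled-cast
# with wdsutil. Assumptions: elevated Windows PowerShell on NYC-DC1, DVD on D:,
# D:\RemoteInstall chosen as the store (the console picks the first non-system NTFS volume).

function Invoke-Wdsutil {
    param([string[]]$Arguments)
    # Each switch is passed as its own argument so values with spaces stay intact, and a
    # non-zero exit code stops the script instead of being skipped over silently.
    & wdsutil /Verbose @Arguments
    if ($LASTEXITCODE -ne 0) { throw "wdsutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

$RemInst    = 'D:\RemoteInstall'
$ImageGroup = 'WindowsServer2008'

# Task 2: initialise the store and answer only known (prestaged) clients, so an
# untrusted machine on the LAN cannot PXE-boot into the image catalogue.
Invoke-Wdsutil '/Initialize-Server', "/RemInst:$RemInst"
Invoke-Wdsutil '/Set-Server', '/AnswerClients:Known'

# Task 3: import install.wim into the group, then remove the two Datacenter editions the
# lab deselects (wdsutil imports every image in a WIM unless /SingleImage is given).
Invoke-Wdsutil '/Add-Image', '/ImageFile:D:\sources\install.wim', '/ImageType:Install', "/ImageGroup:$ImageGroup"
foreach ($name in 'Windows Longhorn SERVERDATACENTER', 'Windows Longhorn SERVERDATACENTERCORE') {
    Invoke-Wdsutil '/Remove-Image', "/Image:$name", '/ImageType:Install', "/ImageGroup:$ImageGroup"
}
Invoke-Wdsutil '/Add-Image', '/ImageFile:D:\sources\boot.wim', '/ImageType:Boot', '/Description:From Windows Server 2008 DVD'

# Task 4: a scheduled-cast that starts once five clients have joined.
Invoke-Wdsutil '/New-MulticastTransmission', '/FriendlyName:First Batch', `
    '/Image:Windows Longhorn SERVERENTERPRISE', '/ImageType:Install', "/ImageGroup:$ImageGroup", `
    '/TransmissionType:ScheduledCast', '/Clients:5'

# Verify the answer policy and the pending transmission.
Invoke-Wdsutil '/Get-Server', '/Show:Config'
Invoke-Wdsutil '/Get-AllMulticastTransmissions'
```

The /AnswerClients:Known line is the one that matters for the scenario's requirement that the image store not be readable by unauthorized users: with it, only computers prestaged in AD DS get a PXE answer at all. Read access to the images themselves is controlled separately, on the image group's Security tab in the console.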


Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote C