
CREATING ALIAS
Pages 213-216; 225-226


CONDITIONAL FORWARDING
Pages 223-224
DNS - ACTIVE DIRECTORY INTEGRATED ZONES
Pages 218-219
1. Hint: Ensure you are logged into DC2 or managing DC2's DNS Server as an Enterprise Administrator.
2. Hint: Ensure replication is complete by running the following commands on both DCs:
a. Repadmin /kcc
b. Repadmin /Syncall /APed (/APed is case sensitive)
3. Hint: To replicate Active Directory Integrated Zones do one of the following:
a. Repadmin /replicate DC=Forest,DC=lastname,DC=ca (replace Forest with your forest root domain name; replace ca as appropriate)
b. Repadmin /replicate DC=Domain,DC=domain,DC=ca (replace Domain with your domain name; replace ca as appropriate)
DELEGATING A DNS DOMAIN
Pages 219-220
ROUND ROBIN AND TTL
1. Open DNS Manager on MS1. Expand and select the fanco.com forward lookup zone.
2. Create a host record for web in the fanco.com forward lookup zone with the IP address of 192.168.100.60. Create 2 more records named web with the IP addresses of 192.168.100.61 and 192.168.100.62.
3. In DNS Manager, click on View and check Advanced.
4. Edit each host record for web and set the time to live (TTL) to 2 days.
5. In the command prompt on MS1, ping web.fanco.com and note the IP address returned. Do the same on DC1 and DC2, noting the IP addresses returned.
6. Open DNS Manager on MS1, right click on the server and choose Properties.
7. Click the Advanced tab; note you can enable/disable round robin here. Do not make any changes and close the dialog box.
DYNAMIC DNS
1. Open DNS Manager on MS1.
2. Right click on the fanco.com forward lookup zone and choose Properties.
3. Under Dynamic updates, select the most secure option for dynamic DNS possible.
4. Click OK to close the dialog box.
5. Repeat steps 1-4 on DC2 for the ajax.com forward lookup zone.
TROUBLESHOOTING DNS
1. On DC1, open a command prompt.
2. Ping fanco.com and take note of the IP address resolved.
3. On MS1, open DNS Manager.
4. Edit the host record for fanco.com, changing the IP address to 192.168.100.55.
5. On DC1, ping fanco.com and take note of the IP address resolved.
6. On DC1, run NSLookup fanco.com and take note of the IP address resolved.
7. Run IPConfig /flushdns on DC1 and ping fanco.com again; take note of the IP address resolved.
8. On DC1, open DNS Manager, click View and check Advanced.
9. Right click on Cached Lookups and choose Clear Cache.
10. From DC1, ping fanco.com again; take note of the IP address resolved.
11. From DC1, run IPConfig /flushdns and ping fanco.com again; take note of the IP address resolved.
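The Round Robin/TTL, Dynamic DNS and Troubleshooting DNS tasks above, scripted in PowerShell. This is an added example, not part of the lab handout; it assumes the DnsServer module (installed with the DNS Server role) on MS1 and the lab's fanco.com zone. The Dynamic DNS part also handles the case the lab hints at: Secure updates exist only for Active Directory integrated zones, so a file-backed zone falls back to None.

```powershell
# Added example, not part of the lab handout. Assumes the DnsServer module
# and the lab's fanco.com zone on MS1. Section comments say which machine
# each part is run on.
Import-Module DnsServer

$zone = 'fanco.com'
$ttl  = New-TimeSpan -Days 2

# --- Round robin and TTL (on MS1) ---
# Three A records sharing one name; with round robin on, the server rotates
# the order of the answer set on each query.
foreach ($ip in '192.168.100.60', '192.168.100.61', '192.168.100.62') {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'web' -IPv4Address $ip -TimeToLive $ttl
}
Get-DnsServerResourceRecord -ZoneName $zone -Name 'web' -RRType A |
    Format-Table HostName, TimeToLive, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }

# Round robin is a server-wide setting; the lab says to look at it, not change it.
(Get-DnsServerSetting -All).RoundRobin

# The first answer should change from query to query while the server rotates.
1..3 | ForEach-Object {
    (Resolve-DnsName 'web.fanco.com' -Type A -DnsOnly | Select-Object -First 1).IPAddress
}

# --- Dynamic DNS (on the server hosting the zone) ---
# 'Secure' (authenticated, ACL-controlled updates) is only offered for Active
# Directory integrated zones. A file-backed zone on a member server such as
# MS1 cannot use it, so fall back to 'None' rather than 'NonsecureAndSecure',
# which would let any host on the network overwrite a record.
$z    = Get-DnsServerZone -Name $zone
$mode = if ($z.IsDsIntegrated) { 'Secure' } else { 'None' }
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate $mode
(Get-DnsServerZone -Name $zone).DynamicUpdate

# --- Troubleshooting: stale client and server caches ---
# Change the zone apex A record (the 192.168.100.55 step) using an old/new pair.
$old = Get-DnsServerResourceRecord -ZoneName $zone -Name '@' -RRType A | Select-Object -First 1
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]'192.168.100.55'
Set-DnsServerResourceRecord -ZoneName $zone -OldInputObject $old -NewInputObject $new

# On DC1: ping and a plain nslookup both go through caches (the client's
# resolver cache and the local DNS server's cache). -DnsOnly skips the client
# cache, so comparing the two shows where a stale answer comes from.
Get-DnsClientCache -Entry 'fanco.com' -ErrorAction SilentlyContinue
Resolve-DnsName 'fanco.com' -Type A -DnsOnly | Select-Object Name, IPAddress, TTL
Clear-DnsClientCache          # same as ipconfig /flushdns
Clear-DnsServerCache -Force   # same as Clear Cache on Cached Lookups (run on the DNS server)
```

The record change and the cache-clearing commands run on different machines, as in the lab: the edit on MS1, the cache checks on DC1.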
CONFIGURING VPN CONNECTIONS
3. On your Router server, add the Remote Access server role. Include the Routing role service.
4. Open the Routing and Remote Access console on the Router server.
5. Right click on the server and choose Configure and Enable Routing and Remote Access.
6. On the Configuration page, select Remote access (dial-up or VPN).
7. On the Remote Access page, select VPN.
8. On the VPN Connection page, choose the second network adapter connected to the Router LAN Segment.
9. On the IP Address Assignment page, select From a specified range of addresses.
a. Add the range from 192.168.100.80 to 192.168.100.99.
10. On the Manage Multiple Remote Access Servers page, choose No, use Routing and Remote Access to authenticate connection requests.

CREATING A VPN CONNECTION
4. Open Active Directory Users and Computers, locate your test user object and open the user's Properties.
5. Under the Dial-in tab, select Allow Access under Network Access Permission and click OK.
6. On C1, open Network and Sharing Center.
7. Choose Set up a new connection or network.
8. On the Set up a Connection or Network page, choose Connect to a workplace.
9. On the Connect to a Workplace page, choose I'll set up an internet connection later.
10. When asked to Type the Internet address to connect to, enter 192.168.101.254 and click Create.
11. Open Network Connections; you should now see VPN Connection.
12. Open the Properties of the VPN Connection and select the Security tab.
13. Under Data Encryption select Require encryption (disconnect if server declines).
14. Under Authentication select Use Extensible Authentication Protocol (EAP) and click OK to close the dialog box.
15. Right click on VPN Connection and choose Connect.
16. Click on VPN Connection from the right pane and click Connect.
17. Enter the username and password of your dial-in enabled user account.
18. Run IPConfig /all and view the network settings.
19. Join the client machine to the domain.
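The RRAS server setup from Configuring VPN Connections and the client connection from Creating a VPN Connection, scripted in PowerShell. This is an added example, not part of the lab handout. It assumes the RemoteAccess and ActiveDirectory modules, a test user named testuser (an assumed name), and that Add-VpnConnection with -AuthenticationMethod Eap uses the default PEAP configuration when no -EapConfigXmlStream is supplied (an assumption; the GUI steps 13-14 set the same thing).

```powershell
# Added example, not part of the lab handout. Section comments say which
# machine each part runs on; 'testuser' is an assumed account name.

# --- On the Router server ---
Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn            # "Remote access (dial-up or VPN)", VPN only

# Static pool handed to VPN clients (the specified range from step 9)
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool `
    -IPAddressRange '192.168.100.80', '192.168.100.99'

# Accept EAP only. PAP sends the password in the clear and CHAP/MS-CHAP
# expose it to offline guessing; EAP (PEAP) wraps the exchange in TLS.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -PassThru
Set-VpnAuthType -Type Windows                # "use Routing and Remote Access to authenticate"

# --- On a domain controller: Dial-in tab -> Allow Access (step 5) ---
Set-ADUser -Identity 'testuser' -Replace @{ msNPAllowDialin = $true }

# --- On C1 ---
# Require encryption so a server that negotiates none is disconnected, and
# use EAP so the password never crosses the link in MS-CHAP form.
# Default EAP configuration (PEAP) is assumed; pass -EapConfigXmlStream to change it.
Add-VpnConnection -Name 'VPN Connection' -ServerAddress '192.168.101.254' `
    -EncryptionLevel Required -AuthenticationMethod Eap -Force
rasdial 'VPN Connection' testuser *          # '*' prompts for the password instead of taking it on the command line
Get-VpnConnection -Name 'VPN Connection' | Select-Object Name, ConnectionStatus, EncryptionLevel
Get-NetIPAddress -InterfaceAlias 'VPN Connection' -AddressFamily IPv4 | Select-Object IPAddress   # from the pool above

# Step 19: join the domain over the tunnel (prompts for domain credentials)
Add-Computer -DomainName 'yourlastname.ca' -Credential (Get-Credential) -Restart
```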
ROUTING/NAT AND DHCP RELAY
7. On your Router server, open Routing and Remote Access.
8. Right click on your server name and choose Disable Routing and Remote Access.
9. Right click on your server name and choose Configure and Enable Routing and Remote Access.
10. On the Configuration page, select Custom Configuration.
11. On the Custom Configuration page, select VPN, NAT and LAN routing.
12. Start Services.
13. Expand IPv4, right click on NAT and choose New Interface.
a. Select Ethernet2 (the NAT LAN Segment).
b. Select Public interface connected to the Internet and check Enable NAT on this interface.
14. Create a DHCP scope on DC1 named Remote with a pool range of 192.168.101.100 to 192.168.101.199. Remember to specify the gateway and DNS options.
15. On your Router server, open Routing and Remote Access, expand IPv4, right click on General and choose New Routing Protocol.
16. Select DHCP Relay Agent.
17. Right click on DHCP Relay Agent under IPv4 and select New Interface.
a. Select Ethernet1 (your Remote LAN Segment adapter).
b. Once complete, right click on DHCP Relay Agent and select Properties.
c. Enter the IP address of your DHCP server: 192.168.100.10.
18. Configure C1 to Obtain an IP address automatically and to Obtain DNS server address automatically.
19. Check the IP address information on the client machine. Test pinging servers and public networks.
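The DHCP scope from step 14 with its gateway and DNS options, and the client checks from steps 18-19, scripted in PowerShell. This is an added example, not part of the lab handout. It assumes the DhcpServer module on DC1 (192.168.100.10, the DHCP server named in step 17c, also assumed to be the DNS server handed to clients), that the Router's Remote-segment address is 192.168.101.254 (the address VPN clients connect to earlier, assumed here to be that segment's gateway), that the client adapter is named Ethernet, and a constructed public address for the reachability test.

```powershell
# Added example, not part of the lab handout. Assumptions: DC1 is the DHCP
# and DNS server at 192.168.100.10, the Router's Remote-segment address is
# 192.168.101.254, and the client adapter alias is 'Ethernet'.

# --- On DC1 ---
Add-DhcpServerv4Scope -Name 'Remote' -StartRange 192.168.101.100 -EndRange 192.168.101.199 `
    -SubnetMask 255.255.255.0 -State Active

# Scope options: option 3 (router) and option 6 (DNS). -Force skips the
# reachability check DHCP performs before accepting a DNS server address.
Set-DhcpServerv4OptionValue -ScopeId 192.168.101.0 -Router 192.168.101.254 `
    -DnsServer 192.168.100.10 -DnsDomain 'yourlastname.ca' -Force
Get-DhcpServerv4Scope -ScopeId 192.168.101.0
Get-DhcpServerv4OptionValue -ScopeId 192.168.101.0

# Relayed DISCOVERs arrive from the Router with the relay agent address
# (giaddr) set to its Remote-segment address; the server uses that to pick
# this scope rather than the one the DC itself sits in. Confirm the lease.
Get-DhcpServerv4Lease -ScopeId 192.168.101.0 |
    Format-Table IPAddress, ClientId, HostName, LeaseExpiryTime

# --- On C1 ---
Set-NetIPInterface -InterfaceAlias 'Ethernet' -Dhcp Enabled
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ResetServerAddresses
ipconfig /renew
Get-NetIPConfiguration -InterfaceAlias 'Ethernet'        # expect a 192.168.101.x address, gateway .254, DNS 192.168.100.10
Test-NetConnection 192.168.100.10 -InformationLevel Quiet  # internal server, via LAN routing
Test-NetConnection 203.0.113.1 -InformationLevel Quiet     # constructed public address, via NAT
```

203.0.113.1 is a documentation address (TEST-NET-3) used here only as a stand-in for "a public network"; substitute a host your lab's NAT segment can actually reach.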
SERVER SCAVENGING
Pages 243-244
Connections
1. There are no explicit instructions for this task, but here are some hints to help you solve this challenge:
a. Enable IPv4 Remote access server.
b. Ensure WAN Miniport (PPTP) is configured for Remote access connections (inbound only).
2. Hint: Page 264

CONFIGURE DNS SERVERS AND NAT
8. Add two public IP addresses on your Router server:
a. Edit your IPv4 settings on the Ethernet2 adapter (your NAT adapter).
b. In the IPv4 Properties click Advanced.
c. Click Add and enter the IP address 200.1.0.1/24.
d. Click Add and enter the IP address 200.1.0.2/24.
9. Configure NAT forwards:
a. Open the Routing and Remote Access console.
b. Expand the IPv4 node and select the NAT node.
c. Right click on Ethernet2 and select Properties.
d. Click on the Address Pool tab and add the IP pool 200.1.0.1 to 200.1.0.254.
e. Click on the Services and Ports tab and add each of the following entries:
10. Open UDP Port 53 Inbound Traffic on the Router firewall:
a. On the Router server, run GPedit.msc to edit the local policy and add the firewall rule for UDP Port 53 Inbound Traffic under Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
READY MS1 FOR DIRECT ACCESS
1. On MS1, install the Remote Access Server Role and include the DirectAccess and VPN (RAS) role services. Note: this will also install the Web Server (IIS) Server Role.
2. Open the IIS Manager console on MS1, expand and select the Default Web Site node.
3. Right click on Default Web Site and select Add Virtual Directory:
a. Set the alias to: crld
b. For the Physical Path, enter C:\CRLD (make a new folder).
4. Click on Configuration Editor, and under Section choose system.webServer/security/requestFiltering.
5. Change allowDoubleEscaping to True. Click on Default Web Site and save the settings.
6. Select the crld virtual directory, then select Directory Browsing.
7. From the Actions pane on the right, select Enable.
8. In File Explorer, open the properties of your CRLD folder and configure as follows:
a. Share the folder as CRLdist$ with Everyone Full Control.
b. Under the Security tab, add the computer object yourlastname-DC1 (note: you will have to select Computers under Object Types to locate your computer object in AD).
c. Grant yourlastname-DC1 Full Control.
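Steps 3-8 above scripted in PowerShell. This is an added example, not part of the lab handout; it assumes the WebAdministration module (installed with IIS) on MS1 and uses YOURDOMAIN as a placeholder for the lab domain's NetBIOS name. One deliberate difference from the lab is explained in the comments: allowDoubleEscaping is turned on for the crld path only instead of the whole Default Web Site.

```powershell
# Added example, not part of the lab handout. YOURDOMAIN is a placeholder
# for the domain NetBIOS name; run in an elevated PowerShell on MS1.
Import-Module WebAdministration

$path = 'C:\CRLD'
New-Item -Path $path -ItemType Directory -Force | Out-Null
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'crld' -PhysicalPath $path

# Delta CRL files are named <CaName>+.crl. The '+' reaches IIS double-escaped
# and request filtering rejects it unless allowDoubleEscaping is on. The lab
# enables it at the site level; setting it on the crld path alone gives the
# CA what it needs without loosening filtering for everything else on the site.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\crld' `
    -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping' -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\crld' `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $true

# Hidden share CRLdist$. Share and NTFS permissions combine as the more
# restrictive of the two, so Everyone/Full at the share level is only as
# permissive as the NTFS ACL below, which is what grants the CA's computer
# account write access.
New-SmbShare -Name 'CRLdist$' -Path $path -FullAccess 'Everyone' | Out-Null

$acl  = Get-Acl $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'YOURDOMAIN\yourlastname-DC1$', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify
Get-WebVirtualDirectory -Site 'Default Web Site' -Name 'crld'
Get-SmbShareAccess -Name 'CRLdist$'
(Get-Acl $path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```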
CONFIGURE CERTIFICATES FOR DA
1. Create a certificate template for your DirectAccess server:
a. On DC1, open the Certificate Authority console via Server Manager, right click Certificate Templates and click Manage.
b. Right click the Web Server template and select Duplicate Template. Select the General tab on the properties dialog box.
c. Type yourlastname DA Server Certificate in the Template Display Name.
d. Select the Request Handling tab and select Allow private key to be exported.
e. Select the Security tab, ensure Authenticated Users is selected and check Enroll and Autoenroll under the Allow column.
f. Click OK to close the Properties dialog box.
g. Issue a certificate:
i. In the Certificate Authority console, right click Certificate Templates, select New -> Certificate Template to Issue, select yourlastname DA Server Certificate and click OK.
2. Configure machines for Automatic Certificate Requests:
a. Edit the Default Domain Policy in the Group Policy Management Console.
b. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
c. Right click Automatic Certificate Request Settings and select New -> Automatic Certificate Request.
d. On the Certificate Template page, select the Computer certificate template.
3. Enroll the certificate on MS1:
a. Run gpupdate /force to update the policies.
b. Open mmc and add the Certificates snap-in.
c. Select Computer account and click Finish.
d. Navigate to Personal\Certificates; you should see your computer certificate shown.
e. Right click Certificates and select All Tasks -> Request New Certificate.
f. On the Request Certificates page select yourlastname DA Server Certificate.
g. Click More information is required to enroll for this certificate. Click here to configure settings.
h. Select Common name for the subject name type.
i. In the Value text box, type directaccess.yourlastname.ca and click Add.
j. Click OK to close the dialog box.
k. On the Request Certificates page click Enroll.
l. Repeat steps 3.e to 3.k with a common name of directaccess-nls.yourlastname.ca.
4. Configure publishing the revocation list to your CRL site on MS1:
a. On DC1, open Certificate Authority within Server Manager.
b. Add locations:
i. Right click on the server, select Properties and select the Extensions tab.
1. Click Add and type http://crl.yourlastname.ca/crld/ in the Location text box.
2. Under Variable:
a. Select <CaName> and click Insert.
b. Select <CRLNameSuffix> and click Insert.
c. Select <DeltaCRLAllowed> and click Insert.
d. Add .crl after <DeltaCRLAllowed>.
3. Click OK to add the location.
ii. Select the Include in CRLs. Clients use this to find Delta CRL locations option and Include in the CDP extension of issued certificates.
iii. Click Add and type \\crl.yourlastname.ca\crldist$\ in the Location text box.
1. Select the <CaName> variable and click Insert; repeat for the <CRLNameSuffix> and <DeltaCRLAllowed> variables.
2. Add .crl after <DeltaCRLAllowed>.
iv. Select Publish CRLs to this location and Publish Delta CRLs to this location.
v. Click OK to close the dialog boxes; click Yes to restart Active Directory Certificate Services.
5. Under your Certificate Authority console, right click on Revoked Certificates -> All Tasks -> Publish. You should see 2 .crl files in your CRL folder on MS1.
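The CDP locations from step 4, the CRL publish from step 5 and the MS1 enrollment from step 3, scripted in PowerShell, followed by a check that the CRL is actually fetchable. This is an added example, not part of the lab handout. It assumes the ADCSAdministration module on DC1 and the PKI module on MS1, and that the template's internal name is yourlastnameDAServerCertificate (the display name without spaces, an assumption; check the template's Template name field).

```powershell
# Added example, not part of the lab handout. The template name below is an
# assumption; section comments say where each part runs.
Import-Module ADCSAdministration

# --- On DC1 (the CA) ---
# Same variable tokens the Extensions tab inserts.
$httpCdp = 'http://crl.yourlastname.ca/crld/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$uncCdp  = 'file://\\crl.yourlastname.ca\crldist$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# The HTTP location goes into issued certificates (CDP) and into the base
# CRL's Freshest CRL extension so clients can find the delta CRL; the UNC
# location is where the CA writes the files.
Add-CACrlDistributionPoint -Uri $httpCdp -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CACrlDistributionPoint -Uri $uncCdp  -PublishToServer -PublishDeltaToServer -Force
Restart-Service certsvc
Get-CACrlDistributionPoint |
    Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer, PublishDeltaToServer

# Publish now (Revoked Certificates -> All Tasks -> Publish) and confirm both
# the base CRL and the delta (+) CRL landed on MS1.
certutil -CRL
Get-ChildItem '\\crl.yourlastname.ca\crldist$' -Filter '*.crl' | Select-Object Name, LastWriteTime

# --- On MS1: enroll the two server certificates (step 3) ---
foreach ($cn in 'directaccess.yourlastname.ca', 'directaccess-nls.yourlastname.ca') {
    Get-Certificate -Template 'yourlastnameDAServerCertificate' -SubjectName "CN=$cn" `
        -CertStoreLocation 'Cert:\LocalMachine\My' | Select-Object Status
}

# A client that cannot fetch the CRL fails chain building, which is why the
# IIS path matters for IP-HTTPS. Check the directory listing and let certutil
# follow the CDP URL embedded in the issued certificate.
(Invoke-WebRequest -Uri 'http://crl.yourlastname.ca/crld/' -UseBasicParsing).StatusCode   # expect 200
$cert = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object Subject -eq 'CN=directaccess.yourlastname.ca'
Export-Certificate -Cert $cert -FilePath "$env:TEMP\da.cer" | Out-Null
certutil -verify -urlfetch "$env:TEMP\da.cer"
```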
ENABLE DIRECTACCESS
1. On each server, ensure IPv6 is enabled on each network adapter.
2. Create a security group in Active Directory named DA-Clients.
3. On MS1, open the Remote Access Management Console from Server Manager.
4. In the left pane, select the DirectAccess and VPN node.
5. Click on Run the Getting Started Wizard.
a. Select Deploy DirectAccess only.
b. On the Remote Access Server Setup page, ensure Behind an edge device (with a single network adapter) is selected. Enter directaccess.yourlastname.ca under Type the public name or IPv4 address used by clients to connect to the Remote Access server.
6. Under Step 1 Remote Clients, click Edit.
a. Select Deploy full DirectAccess for client access and remote management.
b. On the Select Groups page, remove Domain Computers and add the DA-Clients security group. Uncheck Enable DirectAccess for mobile computers only.
7. Under Step 2 Remote Access Server, click Edit.
a. On the Network Adapters page, under Select the certificate used to authenticate IP-HTTPS connections, choose Browse.
b. Ensure the directaccess.lastname.ca certificate is selected.
8. Under Step 3 Infrastructure Servers, click Edit.
a. On the Network Location Server page, browse for the certificate directaccess-nls.yourlastname.ca (if you receive an error, ensure your host record for directaccess-nls.yourlastname.ca resolves to your MS1 IP, flush the DNS cache and try again).
b. On the DNS page, ensure lastname.ca has the DNS Server Address of 192.168.100.20.
c. Ensure directaccess-nls.lastname.ca does not have a DNS Server Address.
d. Ensure directaccess.lastname.ca does not have a DNS Server Address.
9. In the Remote Access Management Console click Finish, review the settings and click Apply.
10. Restart the Remote Access Management Service for the changes to take effect.
11. Take note of the Group Policies created and the resource records created in DNS on DC1.

CONFIGURE DIRECTACCESS CLIENT DNS AND FIREWALL RULES
1. Open DNS Manager on MS1, edit the properties of the MS1 server and add 192.168.100.10 to the list of forwarders.
2. Run IPConfig on MS1 and collect the first two IPv6 addresses for the IPHTTPSInterface (they should end in ::1 and ::2). Record these IP addresses as you will need them later.
3. In PowerShell, run Set-NetDnsTransitionConfiguration -AcceptInterface IPHTTPSInterface.
4. Run Get-NetDnsTransitionConfiguration and verify that AcceptInterface is set to IPHTTPSInterface.
5. Edit the Group Policy object DirectAccess Client Settings and navigate to Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
6. In the Name Resolution Policy Table, locate the namespace .yourlastname.ca. Select this record and click on Edit Rule below the table.
7. Scroll up and select the DNS Settings for DirectAccess tab under Create Rules.
8. In the DNS settings for DirectAccess, remove all existing IP addresses and add the two IP addresses recorded in Task #5 Step 2. Click Update and Apply. Tip: edit the same rule again to verify your settings were saved properly.
9. Edit the DirectAccess Server Settings group policy object, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules and edit the two following rules, adding the IPv6 addresses of your IPHTTPS Interface recorded earlier:

Rule Name                      Scope tab: Local IP Address
Domain Name Server (TCP-In)    Remove the current address and add the IPHTTPS addresses (2 IPv6 addresses)
Domain Name Server (UDP-In)    Remove the current address and add the IPHTTPS addresses (2 IPv6 addresses)

10. Update your policies on MS1.
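Steps 2-4 and 9 of this section scripted in PowerShell, together with the UDP 53 inbound rule from step 10 of Configure DNS Servers and NAT, since both are firewall rule scoping. This is an added example, not part of the lab handout. It assumes the lab domain is yourlastname.ca (so the GPO is addressed as yourlastname.ca\DirectAccess Server Settings) and that 200.1.0.2 is the Router's public address that should answer DNS (an assumption taken from the client's preferred DNS later in the lab). The Router rule is created in the local firewall's persistent store rather than through gpedit as the lab does.

```powershell
# Added example, not part of the lab handout. Domain name and the public DNS
# address are assumptions; section comments say where each part runs.

# --- On MS1 ---
# DNS64 accepts queries only on the IP-HTTPS interface.
Set-NetDnsTransitionConfiguration -AcceptInterface 'IPHTTPSInterface'
(Get-NetDnsTransitionConfiguration).AcceptInterface

# The two global IPv6 addresses on the IP-HTTPS interface end in ::1 and ::2
# (step 2). Collect them instead of copying them by hand.
$ipv6 = Get-NetIPAddress -InterfaceAlias 'IPHTTPSInterface' -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -notlike 'fe80:*' -and $_.IPAddress -match '::[12]$' } |
    Select-Object -ExpandProperty IPAddress
if ($ipv6.Count -ne 2) { throw "Expected two IP-HTTPS addresses, found: $ipv6" }

# Scope the two DNS inbound rules in the GPO to those addresses only (step 9),
# so the DNS listener is not exposed on every address the server holds.
$store = 'yourlastname.ca\DirectAccess Server Settings'
foreach ($name in 'Domain Name Server (TCP-In)', 'Domain Name Server (UDP-In)') {
    Set-NetFirewallRule -DisplayName $name -PolicyStore $store -LocalAddress $ipv6
}
Get-NetFirewallRule -DisplayName 'Domain Name Server*' -PolicyStore $store |
    Get-NetFirewallAddressFilter | Select-Object LocalAddress
gpupdate /force                                  # step 10

# --- On the Router: UDP 53 inbound (Configure DNS Servers and NAT, step 10) ---
# Limit the rule to the public DNS address and to UDP 53 rather than opening
# the port on every local address.
New-NetFirewallRule -DisplayName 'Public DNS (UDP 53 In)' -Direction Inbound -Protocol UDP `
    -LocalPort 53 -LocalAddress 200.1.0.2 -Action Allow -Profile Any
Get-NetFirewallRule -DisplayName 'Public DNS (UDP 53 In)' | Get-NetFirewallPortFilter
```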

INSTALL NPS SERVER AND CONFIGURE RADIUS CLIENTS
1. Create a security group in AD named VPN Users.
2. On MS1, install the Network Policy and Access Services role.
3. Open the Network Policy Server console via Server Manager.
4. Under the Standard Configuration drop-down, select RADIUS server for Dial-Up or VPN Connections.
5. Select Configure VPN or Dial-Up.
a. On the Select Dial-up or Virtual Private Network Connections page, select Virtual Private Network (VPN) Connections.
b. On the Specify Dial-Up or VPN Server page, click Add.
i. Enter the friendly name: VPN Connections
ii. Enter the IP address of our Router server: 192.168.100.254
iii. Enter a shared secret; remember this shared secret as we will need it later.
iv. Click OK to close this dialog box.
c. On the Configure Authentication Methods page, check Extensible Authentication Protocol and choose Microsoft: Protected EAP (PEAP) from the drop-down menu.
d. On the Specify User Groups page, click Add and add the VPN Users group.
e. Click Next until finished.
6. Configure RRAS to use RADIUS:
a. Open Routing and Remote Access on your Router server.
b. Right click on the server name and select Properties.
i. Change the Authentication provider drop-down to RADIUS Authentication and click on Configure.
1. Add a server named yourlastname-MS1 and set the shared secret.
2. Click OK until back at the Properties dialog box.
ii. Repeat the last steps again for the Accounting provider.
iii. Click OK to close the Properties dialog box.
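The RADIUS client on NPS (step 5b), the RRAS side (step 6) and the VPN Users group (step 1), scripted in PowerShell, with a properly random shared secret. This is an added example, not part of the lab handout. It assumes the NPS module on MS1, the RemoteAccess module on the Router (Add-RemoteAccessRadius is taken to be the cmdlet equivalent of the Properties dialog in step 6), the ActiveDirectory module on a DC, and a test user named testuser (an assumed name).

```powershell
# Added example, not part of the lab handout. 'testuser' is an assumed
# account; section comments say where each part runs.

# Generate one long random shared secret and use the same value on both
# machines (carry it across by hand; never paste it into a ticket or chat).
# The secret keys the Response Authenticator that RRAS uses to check NPS's
# replies and the obfuscation of User-Password, so a short or guessable
# value weakens both.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)     # 44 printable characters
$secret

# --- On MS1 (NPS): the Router as a RADIUS client (step 5b) ---
Import-Module NPS
New-NpsRadiusClient -Name 'VPN Connections' -Address '192.168.100.254' -SharedSecret $secret
Get-NpsRadiusClient | Format-Table Name, Address, Enabled

# --- On the Router (RRAS): RADIUS for authentication and accounting (step 6) ---
Import-Module RemoteAccess
Add-RemoteAccessRadius -ServerName 'yourlastname-MS1' -SharedSecret $secret -Purpose Authentication
Add-RemoteAccessRadius -ServerName 'yourlastname-MS1' -SharedSecret $secret -Purpose Accounting
Get-RemoteAccessRadius | Format-Table ServerName, Purpose

# --- On a DC: the group (step 1) and the user's dial-in setting ---
New-ADGroup -Name 'VPN Users' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'VPN Users' -Members 'testuser'
# Clearing msNPAllowDialin puts the Dial-in tab back to "Control access
# through NPS Network Policy", so the NPS policy and its group condition
# decide instead of a per-user override.
Set-ADUser -Identity 'testuser' -Clear msNPAllowDialin
```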

CONNECT A CLIENT TO YOUR NETWORK USING DIRECT ACCESS
This task is unique to our lab environment.
a. Create a Server 2012 R2 linked clone to use as a client. Name the client yourlastname-C2 (we only have Windows 8 Professional, and Enterprise is required for a DirectAccess client to work; the DirectAccess client is included in Server 2012 R2).
b. Since we will be moving this client between the Office and NAT networks, it is helpful to create a second network adapter: one configured for the Office LAN Segment and one for the NAT interface. Disable the NIC you are not using.
c. Configure the virtual NIC connected to the Office LAN Segment to obtain an IP address and DNS information automatically.
d. Configure the virtual NIC connected to the NAT interface as follows:
i. Static IP: 192.168.99.200/24
ii. Default Gateway: 192.168.99.254 (needed to detect internet access)
iii. Preferred DNS: 200.1.0.2 (your public DNS server)
iv. Add a second IP address on this interface: 200.1.0.200
e. Disable the NAT interface virtual adapter.
f. Join the client to the domain.
g. Ensure the client machine is a member of the DA-Clients security group and reboot the client.
h. Update the policies on the client machine.
i. Disable the Office LAN Segment adapter and connect the NAT interface adapter.
j. Run Netsh int httpstunnel show interfaces to view HTTPS connections. It should say Active; this typically takes about 15-20 seconds. Troubleshoot as necessary.
k. Once httpstunnel is active, run Get-DAConnectionStatus from PowerShell. You should see your status as Remotely Connected. Troubleshoot as necessary.
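Steps c-k above scripted in PowerShell on yourlastname-C2, with the tunnel check turned into a poll. This is an added example, not part of the lab handout. It assumes the two adapters are named Office and NAT (check Get-NetAdapter for the real names), a /24 prefix for the 200.1.0.200 address (the lab gives none), and the DirectAccessClientComponents module that ships with Server 2012 R2.

```powershell
# Added example, not part of the lab handout. Adapter names and the /24 on
# 200.1.0.200 are assumptions.
$office = 'Office'
$nat    = 'NAT'

# Office side (step c): DHCP for both address and DNS
Set-NetIPInterface -InterfaceAlias $office -Dhcp Enabled
Set-DnsClientServerAddress -InterfaceAlias $office -ResetServerAddresses

# NAT side (step d): static address, public DNS server, second public address
New-NetIPAddress -InterfaceAlias $nat -IPAddress 192.168.99.200 -PrefixLength 24 -DefaultGateway 192.168.99.254
New-NetIPAddress -InterfaceAlias $nat -IPAddress 200.1.0.200 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $nat -ServerAddresses 200.1.0.2

# Steps h-i: apply policy first, then go "outside". DirectAccess treats the
# client as remote when the network location server
# (directaccess-nls.yourlastname.ca) is unreachable, which disabling the
# Office adapter guarantees.
gpupdate /force
Disable-NetAdapter -Name $office -Confirm:$false
Enable-NetAdapter -Name $nat

# Step j: the IP-HTTPS tunnel usually comes up within 15-20 seconds; poll up to 60.
$deadline = (Get-Date).AddSeconds(60)
do {
    Start-Sleep -Seconds 5
    $state = "$(netsh interface httpstunnel show interfaces | Select-String 'Interface Status')"
} until ($state -match 'interface active' -or (Get-Date) -gt $deadline)
$state                                           # expect "Interface Status : IPHTTPS interface active"

# Step k: expect Status 'ConnectedRemotely' (shown as Remotely Connected in the UI)
Get-DAConnectionStatus
Get-NetIPAddress -InterfaceAlias 'IPHTTPSInterface' -AddressFamily IPv6 | Select-Object IPAddress
```

If the poll times out, the usual culprits are the ones the lab's earlier sections set up: directaccess.yourlastname.ca not resolving through 200.1.0.2, the NAT forward for 443 to MS1, or a CRL the client cannot fetch for the IP-HTTPS certificate.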

1. Task Hints:
a. Add a test user to your VPN Users security group.
b. Ensure your test user's Dial-in properties are set back to Control access through NPS Network Policy (User properties).
c. Change the authenticating protocol for the client connection to match what we configured on NPS. (On the Configure Authentication Methods page, check Extensible Authentication Protocol and choose Microsoft: Protected EAP (PEAP) from the drop-down menu.)
CONFIGURE NETWORK POLICIES
Pages 344-350
EXPORT NPS CONFIGURATION
Pages 352-353
INSTALL NAP AND CONFIGURE NAP ENFORCEMENT FOR VPN
Pages 361-362; 370-371
CONFIGURE SYSTEM HEALTH VALIDATORS
Pages 371-374
CONFIGURE ISOLATION AND REMEDIATION
Pages 375-376
CONNECT VPN CLIENT USING NAP
Pages 376-377
1. Tips not covered in the textbook:
a. Under Connection Request Policies in the NAP VPN properties, ensure Authentication Methods is set to Override and only EAP Types is selected with Microsoft: Protected EAP (PEAP). Edit the properties of EAP (PEAP) and ensure Enforce Network Access Protection is checked.
b. On the client machine, run napclcfg.msc and enable the EAP Quarantine Enforcement Client.
c. In the client's VPN connection Properties, go to the properties for EAP and check the following two items:
i. Under Trusted Root Certification Authorities, check yourlastname-DC1-CA.
ii. Check Enforce Network Access Protection.
2. Screen Capture F:
a. Add an additional slide to your PowerPoint slide deck, then collect the following screen capture and paste it into your slide deck. Run Netsh nap client show state and show the
