Pre-Requisites for use of this Instruction: This lab does not teach you how to set up the infrastructure it requires, so you need to already possess the knowledge needed to set up the lab. Lab instructions are provided as-is; Microsoft is not responsible for providing any support. For help and suggestions, send email to i-dchung@microsoft.com

Useful Information: All passwords in this lab are P@ssw0rd. This is a lab convenience only; a single shared password of this kind must never be reused for production accounts.

Network Configuration of all VMs used in this HOL.

    Name     IP            Subnet           DNS           Roles
    DC1      192.168.1.1   255.255.255.0    127.0.0.1     DC / TS / TS RemoteApp / TS Licensing / IIS7
    Server1  192.168.1.2   255.255.255.0    192.168.1.1   NPS / IIS7 / TS / TS Web Access
    Server2  192.168.1.3   255.255.255.0    192.168.1.1   (not listed in the original table)
    RODC     192.168.1.4   255.255.255.0    192.168.1.1   RODC
    Vista    192.168.1.5   255.255.255.0    192.168.1.1   NAP / TS Client
You have just completed installing the hypervisor on your 64-bit machine. You are ready for virtualization.

Windows Server 2008 (Pre-Release) Hands On Lab Instructions

    a. Path to share: \\Server1\Backup (Create this share on Server1)
10. On the Specify advanced option page, select VSS copy backup and then click Next.
11. On the Summary page, review your selections, and then click Backup.
12. When the Backup Once Wizard is complete, click Close.
4. On the Start menu, click Command Prompt.
5. In the Command Prompt window, type the following commands, pressing ENTER after each one. This performs an offline defragmentation of the Active Directory database, so the Active Directory Domain Services service must already be stopped, and the backup from the previous task must have completed successfully before you replace the live database.

    ntdsutil
    activate instance ntds
    files
    compact to C:\

Note: This creates a compacted copy of the database as C:\ntds.dit. The process takes approximately two minutes.

    quit
    quit
    del C:\Windows\NTDS\*.log
    copy /y C:\ntds.dit C:\Windows\NTDS\ntds.dit
    ntdsutil
    activate instance ntds
    files
    integrity
    quit
    semantic database analysis
    go fixup
    quit
    quit

Note: The integrity command checks the copied database for low-level corruption; go fixup runs the semantic database checker and fixes any errors it encounters. When you are done, delete C:\ntds.dit: it is a complete copy of the directory, password hashes included, and should not be left lying on the system drive.
6. In the Server Manager window, click Start to start the Active Directory Domain Services service.
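The same offline defragmentation, scripted with the guardrails a practitioner would want around it (refuse to run while AD DS is up, check free space, replace the live database only after compaction and the integrity check succeed, and remove the sensitive temporary copy). This is an added example written for this page, not part of the original lab; it assumes Windows Server 2008 with restartable AD DS, an elevated PowerShell prompt, a backup already taken, a temporary directory C:\ntds-compact, and that ntdsutil reports success with the strings "Operation completed successfully" and "Integrity check successful" (an assumption about its output text).

```powershell
# Added example (not part of the lab): scripted offline defragmentation of ntds.dit.
# Assumptions: Windows Server 2008, elevated PowerShell, a backup taken beforehand,
# temporary location C:\ntds-compact, and the ntdsutil success strings matched below.
$ntdsDir = "$env:SystemRoot\NTDS"
$dbPath  = Join-Path $ntdsDir 'ntds.dit'
$tempDir = 'C:\ntds-compact'                  # assumption: scratch location on a local volume
$tempDb  = Join-Path $tempDir 'ntds.dit'

# 1. AD DS must be stopped; stop it ourselves if it is still running.
$ntds = Get-Service NTDS
if ($ntds.Status -ne 'Stopped') {
    Stop-Service NTDS -Force
    $ntds.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
}

# 2. Compaction writes a second copy of the database; require roughly 1.2x its size free.
$dbSize = (Get-Item $dbPath).Length
$drive  = $tempDir.Substring(0, 2)
$free   = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace
if ($free -lt ($dbSize * 1.2)) { throw "Not enough free space on $drive to compact $dbPath" }
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

# 3. Compact into the scratch directory. ntdsutil accepts its subcommands as arguments.
$out = & ntdsutil "activate instance ntds" files "compact to $tempDir" quit quit 2>&1 | Out-String
if ($out -notmatch 'Operation completed successfully') { throw "Compaction failed:`n$out" }

# 4. Replace the live database, drop the old transaction logs, then verify the copy.
Remove-Item (Join-Path $ntdsDir '*.log') -Force
Copy-Item $tempDb $dbPath -Force
$out = & ntdsutil "activate instance ntds" files integrity quit quit 2>&1 | Out-String
if ($out -notmatch 'Integrity check successful') { throw "Integrity check failed:`n$out" }
& ntdsutil "activate instance ntds" "semantic database analysis" "go fixup" quit quit | Out-Null

# 5. The scratch copy is a full copy of the directory (password hashes included): remove it.
Remove-Item $tempDir -Recurse -Force

# 6. Bring AD DS back.
Start-Service NTDS
```

If either check fails the script stops before touching the live database, which is the behaviour you want on a domain controller; the original ntds.dit and its logs are only removed once the compacted copy exists.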
Installing RODC
1. Log on to RODC as Administrator@Insiders.com using the password P@ssw0rd.
2. On RODC, on the Start menu, click Run.
3. Type DCPROMO and then click OK.
NOTE: This will start the Active Directory Domain Services Installation Wizard. It may take a few minutes for the Active Directory Domain Services binaries to install.
4. On the Welcome page, click Use advanced mode installation and then click Next.
5. On the Choose a Deployment Configuration page, select Existing forest and then click Next.
6. On the Network Credentials page, click Next.
7. On the Select a Domain page, click Next.
8. On the Select a Site page, click Next.
9. On the Additional Domain Controller Options page, check Read-only domain controller (RODC) and then click Next.
Note: As a best practice, your RODC should also be a DNS server, so the branch office clients will have name resolution even in the event of a WAN problem.
10. On the Specify the Password Replication Policy page, accept the defaults and then click Next.
NOTE: We will specify a Password Replication Policy later in the lab.
11. On the Delegation of RODC Installation and Administration page, click Set.
12. In the Select User or Group dialog box, in Enter the object name to select, type Branch Office Admins (create this group in DC1) and then click OK.
13. On the Install from Media page, accept the default and click Next.

NOTE: An administrator at the main office could back up Active Directory and send the backup media to you at the branch office. You can then restore the System State to an alternate location and point to that location on this page. This saves bandwidth over a slow WAN link.
14. On the Source Domain Controller page, accept the default and click Next.
15. On the Location for Database, Log Files, and SYSVOL page, accept all defaults and click Next.
16. On the Directory Services Restore Mode Administrator Password page, set the password to P@ssw0rd and then click Next.
17. On the Summary page, click Next.
NOTE: If you wanted to save these settings to an Unattended answer file instead of installing AD, you would click Export Settings.
18. On the Active Directory Domain Services Installation Wizard page, click the Reboot on completion checkbox.
NOTE: The installation of Active Directory will take approximately five minutes and the computer will reboot when complete.
19. When the machine reboots, log on as Insiders\administrator with a password of P@ssw0rd.
5. In the Select Users, Contacts, Computers, or Groups dialog box, type BenSmith;DonHall (create these two users in DC1), click Check Names and then click OK.
6. In the Sales Users Properties dialog box, click OK.
7. In the Navigation Pane, click Domain Controllers, then in the contents pane click RODC, and then on the Action menu click Properties.
8. In the RODC Properties dialog box, click Password Replication Policy and then click Add.
9. In the Add Groups, Users and Computers dialog box, click Allow and then click OK.
10. In the Select Users, Computers, or Groups dialog box, type Sales Users, click Check Names, and then click OK.
11. In the RODC Properties dialog box, click Apply.

2. Type BenSmith, click Check Names, and then click OK.
3. In the Prepopulate Passwords dialog box, click Yes.
4. In the Prepopulate Password Success dialog box, click OK and then click Close.
5. In the RODC Properties dialog box, click OK.
Note: By default, no local administrator role is defined on the RODC after AD DS has been installed. To delegate the local Administrator role (Administrator Role Separation), use the add command in the local roles context of ntdsutil. The role grants administrative rights on that RODC only, not in the domain, which is the point: a branch administrator can service the server without holding domain-level privileges.

    ntdsutil
    local roles
    add BenSmith@Insiders.com administrators
    quit
    quit
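The Password Replication Policy and prepopulation steps above are easy to audit from the command line, and a practitioner will want to know what the RODC has actually cached, not just what the policy allows. The following is an added example written for this page, not part of the original lab; it assumes Windows Server 2008 repadmin.exe, a Domain Admins session on a writable DC, the lab's names RODC and DC1, the user BenSmith in the insiders.com domain, and that repadmin /prp view prints one distinguished name per line (an assumption about its output format).

```powershell
# Added example (not part of the lab): audit an RODC's password replication policy and
# its cached secrets with repadmin. Assumptions: repadmin.exe from Windows Server 2008,
# Domain Admins credentials, RODC named "RODC", hub DC "DC1", domain insiders.com.
$rodc = 'RODC'
$hub  = 'DC1'

function Get-PrpList([string]$list) {
    # repadmin /prp view <RODC> <Allow|Deny|Auth2|Reveal> prints a header followed by
    # one DN per line (assumption about the output format); keep only the DN lines.
    & repadmin /prp view $rodc $list 2>&1 |
        Where-Object { $_ -match '^\s*CN=' } |
        ForEach-Object { $_.Trim() }
}

$allowed  = Get-PrpList Allow    # groups/users whose secrets may be cached
$denied   = Get-PrpList Deny     # groups/users whose secrets must never be cached
$revealed = Get-PrpList Reveal   # accounts whose secrets are cached on the RODC right now

'Allowed list:';   $allowed  | ForEach-Object { "  $_" }
'Denied list:';    $denied   | ForEach-Object { "  $_" }
'Cached on RODC:'; $revealed | ForEach-Object { "  $_" }

# A branch-office RODC must not hold secrets for privileged accounts. The deny list is
# normally the "Denied RODC Password Replication Group" (built-in admin groups), so a
# cheap heuristic is to flag any cached account whose RDN looks administrative. The RODC's
# own computer account and its krbtgt_<id> account are expected to appear in the list.
$suspect = $revealed | Where-Object { $_ -match '^CN=(Administrator|[^,]*Admins?),' }
if ($suspect) {
    Write-Warning "Administrative-looking accounts have secrets cached on ${rodc}:"
    $suspect | ForEach-Object { Write-Warning "  $_" }
}

# Prepopulate one user's secrets from the hub DC (the command-line form of the
# Prepopulate Passwords steps above). The user is given as a distinguished name.
& repadmin /rodcpwdrepl $rodc $hub 'CN=BenSmith,OU=LabUsers,DC=insiders,DC=com'
```

Run it before and after the prepopulation step: BenSmith should appear in the Reveal list only afterwards, and the Allow list should show Sales Users rather than individual users. Note that the BenSmith account is both cached on this RODC and (after the ntdsutil step above) its local administrator, so compromise of the RODC hardware yields both a usable local admin and that user's secret; keep such accounts confined to the branch.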
4. In the Delete Domain Controller dialog box, read the warnings and then click Cancel.
4. At the command prompt, type the following command and then press ENTER. The site name contains spaces, so it must be quoted or appcmd will treat each word as a separate argument.

    appcmd stop site "Default Web Site"

5. At the command prompt, type the following command and then press ENTER.

    appcmd list site
7. Click OK to close the Edit Site Binding dialog box, and then click Close to close the Site Bindings dialog box.
8. In the Actions pane, under Edit Site, click Basic Settings. Review the settings and make any changes as required.

    Setting            Value
    Application Pool   DefaultAppPool
    Physical Path      %systemdrive%\inetpub\wwwroot

9. Click Cancel to close the Edit Web Site dialog box.
10. In the Actions pane, click Advanced Settings.
11. In the Advanced Settings dialog box, review the following settings.

    (General) Setting                       Value
    ID                                      1
    Physical Path                           %systemdrive%\inetpub\wwwroot
    Physical Path Credentials               Ensure it is blank
    Physical Path Credentials Logon Type    ClearText
    Start Automatically                     True

Note: A blank Physical Path Credentials setting means content is accessed with the request's own identity (pass-through authentication) rather than a stored account. Credentials entered here are written to applicationHost.config, so leave the setting blank for local content and use it only for UNC-hosted content that genuinely needs a fixed account.
12. Click Cancel to close the Advanced Settings dialog box.
13. Leave Internet Information Services (IIS) Manager open.
3. At the command prompt, type the following command and then press ENTER. The full path is given so that the directory is created where the virtual directory in step 5 expects it, regardless of the current directory.

    md c:\inetpub\wwwroot\employeedata

4. At the command prompt, type the following command and then press ENTER.

    cd %windir%\system32\inetsrv

5. At the command prompt, type the following command and then press ENTER. The application name contains spaces, so it is quoted.

    appcmd add vdir /app.name:"Default Web Site/" /path:/EmployeeData /physicalpath:c:\inetpub\wwwroot\employeedata

6. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 and then click Default Web Site.
7. Verify that the EmployeeData virtual directory is present.
2. At the command prompt, type the following command and then press ENTER.

    appcmd start site /site.name:"Default Web Site"

3. At the command prompt, type the following command and then press ENTER.

    appcmd list site

Note: To verify that the site has been started, examine the state value at the right of the output. If the site has started, the state value is shown as Started.
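Reading appcmd output by eye does not scale past one site, and the Physical Path Credentials check from the earlier task is the kind of thing that silently drifts. The following is an added example written for this page, not part of the original lab; it assumes IIS 7.0's appcmd.exe on Server1, an elevated PowerShell prompt, and appcmd's /xml output shape (a root <appcmd> element containing <SITE> elements with a state attribute, and <VDIR> elements that carry a <virtualDirectory> child when /config is used).

```powershell
# Added example (not part of the lab): verify "Default Web Site" is started and audit its
# virtual directories from appcmd's XML output. Assumptions: IIS 7.0 appcmd.exe on Server1,
# elevated PowerShell, and the /xml output shape described in the lead-in.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'

# Site state: each <SITE> element has SITE.NAME and state="Started|Stopped".
[xml]$sites = (& $appcmd list site /xml | Out-String)
$state = ($sites.appcmd.SITE | Where-Object { $_.'SITE.NAME' -eq $site }).state
if ($state -ne 'Started') { throw "$site is '$state', expected Started" }
"$site is Started"

# Virtual directories: with /config each <VDIR> includes its <virtualDirectory> element,
# which is where stored UNC credentials (userName/password) would live.
[xml]$vdirs = (& $appcmd list vdir "/app.name:$site/" /config /xml | Out-String)
$root = [System.IO.Path]::GetFullPath("$env:SystemDrive\inetpub\wwwroot").TrimEnd('\')

foreach ($v in $vdirs.appcmd.VDIR) {
    $cfg  = $v.virtualDirectory
    $path = [Environment]::ExpandEnvironmentVariables($cfg.physicalPath)
    $full = [System.IO.Path]::GetFullPath($path).TrimEnd('\')
    $issues = @()
    # Stored credentials mean a fixed account is used for content access instead of the caller.
    if ($cfg.userName) { $issues += 'stores credentials (userName set)' }
    # Content mapped outside wwwroot is worth a second look; it widens what the site can serve.
    if (-not $full.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
        $issues += "points outside $root"
    }
    if ($issues.Count -gt 0) {
        Write-Warning ("{0}: {1}" -f $v.'VDIR.NAME', ($issues -join '; '))
    } else {
        "{0} -> {1} OK" -f $v.'VDIR.NAME', $full
    }
}
```

After the tasks above this should report the root virtual directory and Default Web Site/EmployeeData as OK; anything flagged with "stores credentials" deserves the same scrutiny as the Physical Path Credentials setting in the Advanced Settings dialog.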
physical directories and files of that web site. You can right-click an object in the content list and click Switch to Features View to go to the object's home page. From the home page, you can configure features for the object, such as authentication settings for a virtual directory.

Perform this task on Server1 as Administrator@Insiders.com
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Server1, click Web Sites, and then click Default Web Site.
2. Right-click Default Web Site and then click Switch to Content View.
3. In the Default Web Site Content pane, notice the new virtual directory you created earlier and the default.htm file.
4. In the Connections pane, right-click Default Web Site and select Features View.

Perform this task on Server1 as Administrator@Insiders.Com
The IIS 7.0 command-line tools reside in the %windir%\system32\inetsrv directory, which is available only to Administrators or to users who are members of the Administrators group on the computer. In addition, members of the Administrators group must start the IIS 7.0 command-line tools with elevated permissions. Users who view or change Web.config files in sites or application directories must have read and write access to the files in those directories.
1. On the Start menu, click Command Prompt.
2. At the command prompt, type the following command and then press ENTER.

    cd %windir%\system32\inetsrv
3. At the command prompt, type the following command and then press ENTER.
appcmd add apppool /name:NewIntranet
4. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 and then click Application Pools, and verify that NewIntranet is listed.
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools and then click DefaultAppPool.
2. In the Actions pane, click View Applications.
4. Minimize the home page for the Default Web Site once it has opened.
5. In Internet Information Services (IIS) Manager, in the Connections pane, under Sites, click Default Web Site.
6. In the Actions pane, click Browse 192.168.1.2:80 (http). If you receive the Microsoft Phishing Filter warning, check the Ask me later radio button and click OK to close the warning.
7. Once the Default Web Site home page has opened, minimize it.
8. In the Connections pane, click Server1 (Insiders\Administrator).
9. In the Server1 Home pane, under IIS, double-click Worker Processes.
Note: In the Worker Processes pane are listed the active Application Pool Names, Process IDs, State, CPU%, Private Bytes (KB) and Virtual Bytes (KB).
Web server that will serve as the central configuration store. In this exercise, you are going to use this new feature to create a single configuration file that will affect several web servers.
4. At the command prompt, type the following command and then press ENTER.
appcmd add backup centralConfigBackup
Restore applicationHost.config

In this task, you are going to replace the current applicationHost.config file with the backup copy. Since you haven't made any changes to the file since you made the original copy, this is simply a test of the restore procedure. Perform this task on Server1 as Administrator@Insiders.com
1. At the command prompt, type the following command and then press ENTER.

    appcmd restore backup centralConfigBackup
2. On the Start menu, navigate to All Programs/Administrative Tools and then click Active Directory Users and Computers.
3. In Active Directory Users and Computers, click LabUsers (create this OU if it doesn't exist); on the Action menu, point to New and then click User.
4. In the New Object - User dialog box, in Full Name and User logon name, type Configuser, and click Next.
5. In the New Object - User dialog box, type P@ssw0rd in both the Password and Confirm password boxes, clear the User must change password at next logon box, check the Password never expires box, and then click Next.
6. In the New Object - User dialog box, click Finish.
4. At the command prompt, type the following command and then press ENTER.

    net share centralconfig$=%SystemDrive%\centralconfig /grant:Users,Read

Note: Users includes every authenticated domain account. The file this share will hold, applicationHost.config, describes every site, application pool and binding on the farm, so outside a lab grant read access only to the account IIS will connect as (configuser, created above) rather than to Users.
Give permissions to the configuser account for the UNC shares that will host the central configuration file and content

In this task you are going to configure the permissions required by the user to access the central configuration store. This account is used by IIS to access the UNC share in the same way it accesses content when a virtual directory is mapped to a UNC share. The read permissions for this account are needed only for accessing the configuration share. After that point, whenever IIS reads the configuration file, it reverts to the identity of the caller that accessed the configuration share: the API, the administration tool in use, or the user account that is logged on at that moment.

Perform this task on Server2 as Administrator@Insiders.com
1. On the Start menu, click Computer.
2. In the Computer window, navigate to Local Disk (C:)\centralconfig.
3. Right-click centralconfig and click Share.
4. In the File Sharing window, click Change sharing permissions.
5. In the File Sharing window, click the drop-down arrow and select Find.
6. In the Select User or Group dialog box, type configuser, then click Check Names.
7. Click OK.
8. Click Share.
9. In the File Sharing window, click Share, and when it has finished sharing, click Done.

Dennis Chung | IT Pro Evangelist | Microsoft Singapore | http://windowsmvp.spaces.live.com

6. In the Export Configuration dialog box, click OK.
7. In the Shared Configuration pane, click Enable shared configuration and then in Physical Path type \\Server2\CentralConfig$.
8. In the Shared Configuration pane, click Connect As.
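The share and NTFS permissions from the two tasks above, set from the command line with only the grants the configuration store needs. This is an added example written for this page, not part of the original lab; it assumes Server2, an elevated PowerShell prompt, the NetBIOS domain name INSIDERS, and the configuser account created earlier in the lab.

```powershell
# Added example (not part of the lab): create the central configuration share with
# least-privilege share and NTFS permissions instead of /grant:Users,Read.
# Assumptions: run on Server2 as an administrator, domain INSIDERS, account configuser.
$path   = "$env:SystemDrive\centralconfig"
$share  = 'centralconfig$'
$reader = 'INSIDERS\configuser'

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS: remove inherited ACEs, then grant exactly what is needed. Administrators and
# SYSTEM keep full control for maintenance and backup; the service account gets read;
# nobody else is listed, so Users/Authenticated Users no longer see the file.
& icacls $path /inheritance:r `
    /grant "BUILTIN\Administrators:(OI)(CI)F" `
    /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
    /grant "${reader}:(OI)(CI)R"

# Share: hidden ($) and readable only by the service account. Share and NTFS ACLs are
# both evaluated on access and the more restrictive one wins.
& net share $share /delete 2>$null
& net share "$share=$path" /grant:"$reader,READ" /remark:"IIS 7.0 shared configuration"

# Show what is actually exposed so the result can be reviewed.
& net share $share
& icacls $path
```

If an IIS Manager session on a web server then fails to open the shared configuration, add that specific administrative account to the share and NTFS grants rather than falling back to Users; the configuration file describes the whole farm and is worth keeping off the path of ordinary domain accounts.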
9. In the Set Credentials dialog box, type the values in the following table and then click OK.

    Setting            Value
    User name          configuser@insiders.com
    Password           P@ssw0rd
    Confirm password   P@ssw0rd

10. In the Actions pane, click Apply.
11. In the Shared Configuration dialog box, click OK.
12. In the Shared Configuration dialog box, type P@ssw0rd (the encryption keys password chosen when the configuration was exported), and then click OK.
13. In the Shared Configuration dialog box, click OK.
14. Close Internet Information Services (IIS) Manager, and then re-open Internet Information Services (IIS) Manager.
15. Repeat steps 1-15 on Server2. Do not repeat steps 4-6, which export the configuration.

Perform this task on Server1 as Administrator
1. On the Start menu, navigate to All Programs/Administrative Tools and then click Internet Information Services (IIS) Manager.
2. In the Connections pane, click Server1 (Insiders\Administrator).
3. In the Server1 home pane, under Management, click Management Service, and then in the Actions pane, click Open Feature.
4. In the Management Service pane, click Enable remote connections.
5. In the Actions pane, click Start, and then in the Management Service dialog box, click Yes.
Important: Prior to starting Lab 6, remove IIS7 from Server1 and Server2. Reboot when done before commencing Lab 6.

Lab 6: Implementing Terminal Services RemoteApps

Machines Needed for this Lab

    Name      Machine State
    DC1       Running
    Server1   Running
    Server2   Running
    RODC      Saved
RemoteApp applications are programs that are accessed remotely through Terminal Services and appear as if they are running on a user's local computer. Users can run RemoteApp applications side-by-side with their local programs. If a user is running more than one Remote Program on the same terminal server, RemoteApp will share the same Terminal Services session. You can use TS Web Access to make RemoteApp applications available through a Web site. In this exercise, you will configure DC1 to be able to publish remote applications. In addition you will create packages for deploying remote applications to the client machines and then distribute these packages. You will also test the connection of the remote program application from a client machine. In order to test these RemoteApp, you will also modify the allow list to allow an application to be accessed remotely.
1. On the Start menu, navigate to All Programs/Administrative Tools/Server Manager.
2. In Server Manager, add Terminal Services.
3. In the Add Role Services dialog box, click Install Terminal Services anyway (not recommended).
4. In the Add Role Services dialog box, on the Uninstall and Reinstall Applications for Compatibility page, click Next.
5. In the Add Role Services dialog box, on the Specify Authentication for Terminal Services page, select Require Network Level Authentication and then click Next.
6. In the Add Role Services dialog box, on the Specify Licensing Mode page, select Configure later and then click Next.
7. In the Add Role Services dialog box, on the Select User Groups Allowed Access to This Terminal Server page, click Next.
8. In the Add Role Services dialog box, on the Confirm Installation Selections screen, click Install.
Note: On the Confirm Installation Selections screen there is one warning, advising that you may need to reinstall applications. In the lab it is safe to ignore; in a production environment, remember that applications may need to be reinstalled. The reason is that on a terminal server applications are installed into a different section of the registry so that they can be safely accessed by multiple users simultaneously. The installation process takes approximately 3 minutes, after which you will need to restart DC1. Requiring Network Level Authentication in step 5 means clients must authenticate before a session is created, which keeps unauthenticated clients away from the logon screen; keep it enabled wherever the clients support it.

9. In the Add Role Services dialog box, on the Installation Results screen, click Close.
10. In the Add Role Services dialog box, click Yes to begin the restart.
11. After the restart, log on to DC1 as Administrator using the password P@ssw0rd.
Note: After completing the log in the Post-Reboot Configuration Wizard will appear to confirm that the Terminal Services role has been installed successfully.
5. On the Choose programs to add to the RemoteApps list page, check the box next to WordPad and then click Next.
6. In the RemoteApp Wizard, on the Review Settings page, click Finish.

8. In the RemoteApp Wizard, on the Review Settings page, click Finish.
Note: Windows Explorer will now appear displaying the created installation file. The created file is named wordpad.msi
1. Log on to VISTA as Administrator with the password P@ssw0rd.
2. On the Start menu, in Start Search, type \\DC1\Public and then press ENTER.
3. In Windows Explorer, double-click Wordpad.RDP.
4. In the Windows Security dialog box, enter the following values:

    Setting     Value
    User Name   Administrator@Insiders.Com
    Password    P@ssw0rd

5. Check Remember my credentials and then click OK.
6. In the RemoteApp dialog box, check Don't prompt me again for connections to this computer, and then click Yes.
Note: The application now launches. When the application launches successfully it will display on the screen as On The Server. This is the remote application running on the server.
7. Close the On The Server remote program.
8. In Windows Explorer, double-click WordPad.msi.
Note: The remote WordPad application now installs. Observe the name of the application matches the name that was entered during the creation of the MSI file.
9. After the application has completed installation, on the Start menu, navigate to All Programs RemoteApp WordPad.
Note: The application now launches. When the application launches successfully it will display on the screen as WordPad.
10. In the remote WordPad application, in the File menu, click Exit to close.
TS Web Access includes a default Web page that you can use to deploy RemoteApp applications over the Web. The Web page consists of a frame and a customizable Web Part where the list of RemoteApp applications is displayed. In this exercise, you will configure the terminal server to support Terminal Services Web Access and then configure an application to be made available via the web interface.

1. Log on to DC1 using the username Administrator and the password P@ssw0rd.
2. On the Start menu, navigate to All Programs/Administrative Tools/Server Manager.
3. In the Explorer pane, navigate to Roles/Terminal Services.
4. In the Contents pane, in Role Services, click Add Role Services.
5. In the Select Role Services dialog box, check TS Web Access.
6. In the Add Role Services dialog box, select Add Required Role Services.
7. In the Add Role Services dialog box, on the Select Role Services page, click Next.
8. In the Add Role Services dialog box, on the Web Server (IIS) page, click Next.
9. In the Add Role Services dialog box, on the Select Role Services page, click Next.
10. In the Add Role Services dialog box, on the Confirm Installation Selections page, click Install.
1. On the Start menu, click Internet Explorer.
2. In the address bar, enter the address http://DC1/ts and then press ENTER.
3. In the Connect to dc1 dialog box, enter the User name insiders\Administrator and the password P@ssw0rd.
Note: The TS Web Access page is now displayed. Two programs are listed: the Demo Application and the WordPad application that you published in an earlier task.

4. Click Demo Application on the TS Web Access web page.
5. In the Trust Warning pop-up, click Yes.
6. In the RemoteApp dialog box, click Yes.
7. In the Windows Security dialog box, enter the username Insiders\Administrator and the password P@ssw0rd, and then press ENTER.
Network Access Protection (NAP) is a new technology introduced in Windows Vista and Windows Server 2008. NAP includes client components and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers for unrestricted network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is connected to a network. In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework. NAP enforcement occurs at the moment when client computers attempt to access the network through network access servers, such as a VPN server running Routing and Remote Access Service, or when clients attempt to communicate with other network resources. The way that NAP is enforced depends on the enforcement method you choose. NAP enforces health requirements for the following:
    Internet Protocol security (IPsec)-protected communications
    Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
    Virtual private network (VPN) connections
    Dynamic Host Configuration Protocol (DHCP) configuration

The step-by-step instructions in this paper show you how to deploy a NAP DHCP enforcement test lab so that you can better understand how DHCP enforcement works.

NAP enforcement and network restriction
NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:

    Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.
    Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements and are placed on the restricted network.
Remediation
Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures.

You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant. This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on without user intervention.

Ongoing monitoring to ensure compliance
NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when their health state changes and when they initiate requests for network resources. This test lab includes a demonstration of ongoing monitoring when the client's DHCP-issued address is renewed. The NAP client computer sends a statement of health (SoH) with the DHCP address request and is granted full or restricted access based on its current health state.
Configure remediation server groups Remediation server groups are lists of computers that noncompliant NAP clients can access to help them update their configuration. For the test lab, DC1 will be added to a remediation server group so that VISTA will have access to DNS when it is noncompliant.
To configure a remediation server group
1. In the console tree, under Network Access Protection, right-click Remediation Server Groups, and then click New.
2. Under Group Name, type Rem1.
3. Next to Remediation Servers, click Add.
4. In the Add New Server dialog box, under IP address or DNS name, type 192.168.1.1, and then click OK twice.
Configure health policies Health policies define which SHVs are evaluated, and how they are used in validating the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. This test lab defines two health policies: one that corresponds to a compliant health state and one that corresponds to a noncompliant health state.
To configure health policies
1. Double-click Policies.
2. Right-click Health Policies, and then click New.
3. In the Create New Health Policy dialog box, under Policy Name, type Compliant.
4. Under Client SHV checks, verify that Client passes all SHV checks is selected.
5. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
6. Click OK.
7. Right-click Health Policies, and then click New.
Configure a network policy for noncompliant client computers Next, create a network policy to match network access requests made by noncompliant client computers.
To configure a network policy for noncompliant client computers
1. Right-click Network Policies, and then click New.
2. In the Specify Network Policy Name and Connection Type window, under Policy name,
3. In the Specify Conditions window, click Add.
4. In the Select condition dialog box, double-click Health Policies.
5. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
6. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant, and then click Next.
7. In the Specify Access Permission window, verify that Access granted is selected, and then click Next.
   Important: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that clients matching these conditions will be granted an access level determined by the policy.
8. In the Configure Authentication Methods window, select Perform machine health check only. Clear all other check boxes, and then click Next.
9. Click No in the pop-up window warning you about authentication methods.
10. In the Configure Constraints window, click Next.
11. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and verify that Enable auto-remediation of client computers is selected.
12. Click Next, and then click Finish. This completes configuration of your NAP network policies.
Verify the default NAP profile First, verify that the default NAP profile is being used on the DHCP server.
To verify the default NAP profile is being used
1. In the DHCP console, double-click server1.insiders.com, and then double-click IPv4.
2. Right-click Scope, and then click Properties.
3. On the Network Access Protection tab, verify that Use default Network Access Protection profile is selected, and then click OK.
Configure the default user class Next, configure scope options for the default user class. These server options are used when a compliant client computer attempts to access the network and obtain an IP address from the DHCP server.
To configure default user class scope options 1. In the DHCP console, double-click Scope, right-click Scope Options, and then click Configure Options.
Configure the default NAP class
Next, configure scope options for the default Network Access Protection class. These server options are used when a noncompliant client computer attempts to access the network and obtain an IP address from the DHCP server.

To configure default NAP class scope options
1. In the DHCP console, right-click Scope Options, and then click Configure Options.
2. On the Advanced tab, next to User class, choose Default Network Access Protection Class.
3. Select the 006 DNS Servers check box, type 192.168.1.1 in IP Address, and click Add.
4. Select the 015 DNS Domain Name check box, type restricted.insiders.com in String value, and then click OK. The restricted.insiders.com domain is a restricted-access network assigned to noncompliant NAP clients.

Note: DHCP enforcement restricts a client only by handing it a different DNS suffix and a default gateway-less lease; a client that sets a static address bypasses it entirely. Treat DHCP enforcement as a compliance aid for cooperative clients, not as an access control for hostile ones.
Enable and start the NAP agent service By default, the Network Access Protection Agent service on computers running Windows Vista is configured with a startup type of Manual. VISTA must be configured so that the Network Access Protection Agent service starts automatically, and the service must be started.
To enable and start the NAP agent service
1. Click Start, click Control Panel, click System and Maintenance, and then click Administrative Tools.
2. Double-click Services.
3. In the services list, double-click Network Access Protection Agent.
4. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic, and then click Start.
5. Wait for the NAP agent service to start, and then click OK.
6. Close the Services console, Administrative Tools, and System and Maintenance windows.

Verify network connectivity for VISTA
Run the ping command from VISTA to confirm network communication between VISTA and DC1. Because the Network Access Protection Agent service and DHCP enforcement client are running, VISTA is considered NAP-capable by the DHCP server and is issued an IP address on the 192.168.1.0/24 subnet. This is required to join VISTA to the Insiders.com domain.

To use the ping command to check network connectivity
1. Click Start, click All Programs, click Accessories, and then click Command Prompt.
2. In the command window, type ping DC1.
3. Verify that the response reads Reply from 192.168.1.1.
4. Close the command window.
Verification of NAP auto-remediation The Noncompliant-Restricted authorization policy specifies that noncompliant computers should be automatically remediated. Use the following procedure to verify that VISTA is automatically remediated to a compliant state when Windows Firewall is turned off.
To verify that VISTA is auto-remediated when Windows Firewall is turned off
1. On VISTA, click Start, and then click Control Panel.
2. Click Security Center, and then click Windows Firewall.
3. In the Windows Firewall dialog box, click Change settings.
4. In the Windows Firewall Settings dialog box, click Off (not recommended), and then click OK.
5. Watch Windows Security Center and you will see that Windows Firewall is displayed as off and is then displayed as on.
6. You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because Windows Firewall has been turned off. Click this message for more information about the health status of VISTA. See the following example.
7. The NAP client will automatically turn Windows Firewall on to become compliant with network health requirements. The following message will appear in the notification area: This computer meets the requirements of this network.

Because auto-remediation occurs rapidly, you might not see one or both of these messages.
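The client-side half of this lab (enabling the NAP agent and DHCP enforcement client, then checking which lease the client actually received) can be driven from the command line, which is also the reliable way to observe the restricted/unrestricted transition that the notification balloons in the procedure above may flash past. This is an added example written for this page, not part of the original lab; it assumes an elevated PowerShell prompt on the Vista client, the lab's DHCP enforcement setup with the restricted.insiders.com suffix, that 79617 is the enforcement client ID of the DHCP Quarantine Enforcement Client, and that ipconfig /all on a NAP-capable client prints a "System Quarantine State" line.

```powershell
# Added example (not part of the lab): enable the NAP agent and the DHCP enforcement
# client on VISTA, then read back the quarantine state the DHCP server assigned.
# Assumptions: elevated PowerShell on the Vista client, the lab's restricted.insiders.com
# suffix, enforcement client ID 79617 = DHCP Quarantine Enforcement Client, and the
# "System Quarantine State" line in ipconfig /all output.

# Steps 1-5 of "To enable and start the NAP agent service", scripted.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
(Get-Service -Name napagent).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

# The agent alone does nothing on DHCP; the DHCP enforcement client must be enabled too.
& netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"
& netsh nap client show state      # DHCP Quarantine Enforcement Client should read Enabled

function Get-QuarantineState {
    # ipconfig /all prints "System Quarantine State . . . : Restricted|Not Restricted"
    # on a NAP-capable client; absent means the client is not reporting health at all.
    $line = ipconfig /all | Select-String 'System Quarantine State'
    if (-not $line) { return 'Unknown (client not NAP-capable)' }
    return ($line.Line -split ':\s*', 2)[1].Trim()
}

function Get-DnsSuffix {
    $line = ipconfig /all | Select-String 'Connection-specific DNS Suffix' | Select-Object -First 1
    if (-not $line) { return '' }
    return ($line.Line -split ':\s*', 2)[1].Trim()
}

# A renew is the SoH exchange that ongoing monitoring relies on; run it, then inspect.
& ipconfig /renew | Out-Null
"Quarantine state : $(Get-QuarantineState)"
"DNS suffix       : $(Get-DnsSuffix)"
if ((Get-DnsSuffix) -match 'restricted\.insiders\.com') {
    Write-Warning 'Client holds the restricted-class lease; auto-remediation should turn Windows Firewall on.'
}
```

Run it once with Windows Firewall on and once immediately after turning it off: the first run should report Not Restricted with the normal suffix, the second should show the restricted.insiders.com suffix until remediation completes and the next renew returns the client to Not Restricted.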