
Windows Server 2008 (Pre-Release) Hands On Lab Instructions

Windows Server 2008 (RC0) Hands on Lab Instructions


Setup Information
This lab has been designed to be used either in the Microsoft Innovation Labs in Singapore or in a participant's own environment. This section provides the information that will allow a participant to reproduce the lab setup and have the instructions work. You are encouraged to use Virtualization; however, it is entirely up to you. 5 Virtual machines are used in this lab. You may either use 5 Virtual machines or 5 physical computers networked together.

Operating Systems and Notes:

Name     IP           OS                       Install Order  Remarks
DC1      192.168.1.1  Windows 2008 RC1         1              Install as Domain Controller with DNS. Use Insiders.Com as the Forest.
Server1  192.168.1.2  Windows 2008 RC1         2              Join Insiders.Com as Member Server
Server2  192.168.1.3  Windows 2008 RC1         2              Join Insiders.Com as Member Server
RODC     192.168.1.4  Windows 2008 RC1         2              Join Insiders.Com as Member Server
Vista    192.168.1.5  Vista Ultimate SP1 (RC)  2              Join Insiders.Com as Member Machine

Pre-Requisites for use of this Instruction: As this lab doesn't teach you how to set up the infrastructure required for this lab, you need to already possess the knowledge needed to set up the lab. Lab instructions are provided as-is; Microsoft is not responsible for providing any support. For help and suggestions, send email to i-dchung@microsoft.com

Useful Information: All passwords in this lab use P@ssw0rd

Network Configuration of all VMs used in this HOL.

Name     IP           Subnet         DNS
DC1      192.168.1.1  255.255.255.0  127.0.0.1
Server1  192.168.1.2  255.255.255.0  192.168.1.1
Server2  192.168.1.3  255.255.255.0  192.168.1.1
RODC     192.168.1.4  255.255.255.0  192.168.1.1
Vista    192.168.1.5  255.255.255.0  192.168.1.1

Roles (listed for the machines in the order above): DC/TS/TSRA/TS Lic/IIS7 NPS/IIS7/TS/TSWA RODC NAP / TS Client

Who is this for?


This document is intended to provide a quick hands-on to IT Pros interested in Windows Server 2008, which is currently at RC1 as at the time of releasing this. It is intended for any IT Pro. It was initially written for members of the Windows Insiders Group and the Singapore Windows Group in Singapore. This set of instructions has been used and updated by members of the Windows Insiders and Singapore Windows Group in 3 separate lab sessions.

Dennis Chung | IT Pro Evangelist | Microsoft Singapore | http://windowsmvp.spaces.live.com

Page 1


Lab 1: Install Virtualization


Installing Hyper-V (Perform on LHS)

Pre-requisites of Hyper-V:
- Windows Server 2008 RC0/1 x64
- CPU with virtualization support (Intel-VT or AMD-V)
- Sufficient memory (these lab instructions were designed for a machine with 2GB of RAM)

1. Log on with the Administrator account
2. Execute the 2 files found in c:\windows\wsv (these 2 files are the update files that add the Hyper-V role into Server Manager)
3. Launch Server Manager and select the role called Hyper-V. (If you do not see the Hyper-V role, reboot)
4. When prompted for Virtual Networks, select Local Area Connection and click Next.
5. After installation you will reboot.

You have just completed installing the Hyper-V hypervisor on your 64-bit machine. You are ready for Virtualization.

Lab 2: Active Directory Backup and Restore


Machines Needed for this Lab
Name     Machine State
DC1      Running
Server1  Running
Server2  Saved
RODC     Saved

Installing Windows Server Backup (Done on DC1)


1. Click Start, and then click Server Manager
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. In Features Summary, click Add Features
4. In the list of features, double-click Windows Server Backup Features, click Windows Server Backup and click Command-line tools, and then click Next
5. If necessary, click Add Required Features
6. On the Confirmation Installation page, click Install
7. Click Close

Perform unscheduled backup of critical volumes by GUI


1. Click Start, point to Administrative Tools, and then click Backup
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue
3. On the Action menu, click Backup once
4. In the Backup Once Wizard, on the Backup options page, click Different options, and then click Next
5. If you are creating the first backup of the domain controller, click Yes to confirm that this is the first backup
6. On the Select backup configuration page, click Custom, and then click Next
7. On the Select backup items page, select the Enable system recovery check box
8. On the Specify destination type page, click Remote shared folder, and then click Next
9. On the Select backup destination page, type the path to the share, and then click Next
   a. Path to share: \\Server1\Backup (Create this share on Server1)
10. On the Specify advanced option page, select VSS copy backup and then click Next
11. On the Summary page, review your selections, and then click Backup
12. When the Backup Once Wizard is complete, click Close

Lab 3: Using Restartable Active Directory


Machines Needed for this Lab
Name     Machine State
DC1      Running
Server1  Saved
Server2  Saved
RODC     Saved

Performing an Offline Defragmentation of the Directory Database


Like other services in Server Manager, Active Directory Domain Services can be stopped and restarted without the need to shut down the server. In this task, you will stop the Domain Controller service and do a routine maintenance task on the Domain Controller.
1. Log on to DC1 as Administrator@Insiders.Com
2. In the Server Manager window, select Active Directory Domain Services and click Stop.
3. In the Stop Other Services dialog box, click Yes.
Note: Before this service is stopped, all dependent services will also be stopped.

4. On the Start menu, click Command Prompt.
5. In the Command Prompt window, type the following commands, pressing ENTER after each one. This will perform an offline defragmentation of the Active Directory database.

   ntdsutil
   Activate Instance NTDS
   Files
   Compact to C:\

Note: This will create a compacted version of the NTDS.dit file. This process will take approximately two minutes.

   quit
   quit
   Del C:\Windows\NTDS\*.log
   Copy /y C:\ntds.dit C:\Windows\NTDS\ntds.dit
   ntdsutil
   Activate Instance ntds
   files
   integrity
   quit
   semantic database analysis
   go fixup

Note: The go fixup command will run the database checker and fix any errors it encounters.

   quit
   quit
   exit

6. In the Server Manager window, click Start to start the Active Directory Domain Services service.
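The compaction sequence above as a script, added here as an example and not part of the lab: it keeps a copy of the original database and log files before they are overwritten, runs the integrity check on the compacted file before AD DS is restarted, and puts the originals back if that check fails. It assumes an elevated PowerShell session on DC1, the %SystemRoot%\NTDS location used in the lab, and a working folder C:\ntds-maint that is this script's own choice.

```powershell
# Added example (not from the lab). Run as Administrator on the DC, e.g. DC1.
# Assumptions: restartable AD DS (Windows Server 2008), the database in
# %SystemRoot%\NTDS as in the lab, and C:\ntds-maint as a hypothetical working folder.

$NtdsDir = Join-Path $env:SystemRoot 'NTDS'
$WorkDir = 'C:\ntds-maint'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

function Invoke-Ntdsutil {
    # Runs ntdsutil with the commands passed as arguments (same effect as typing
    # them one per line at the ntdsutil prompt) and returns its output as one string.
    param([string[]]$Commands)
    return (& ntdsutil.exe @Commands 2>&1 | Out-String)
}

function Invoke-NtdsOfflineCompact {
    $backupDir  = Join-Path $WorkDir "backup-$stamp"
    $compactDir = Join-Path $WorkDir "compact-$stamp"
    New-Item -ItemType Directory -Path $backupDir  | Out-Null
    New-Item -ItemType Directory -Path $compactDir | Out-Null

    # 1. Stop AD DS. -Force also stops the services that depend on it, which is
    #    what the "Stop Other Services" prompt in the lab does.
    Stop-Service -Name NTDS -Force
    (Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

    # 2. Keep the original database and transaction logs; the lab procedure
    #    overwrites them with nothing to fall back on.
    Copy-Item -Path (Join-Path $NtdsDir 'ntds.dit') -Destination $backupDir
    Copy-Item -Path (Join-Path $NtdsDir '*.log')    -Destination $backupDir

    # 3. Compact into the working folder (lab step: "Compact to C:\").
    $out = Invoke-Ntdsutil @('activate instance ntds', 'files', "compact to $compactDir", 'quit', 'quit')
    $compacted = Join-Path $compactDir 'ntds.dit'
    if (-not (Test-Path $compacted)) {
        Start-Service -Name NTDS
        throw "Compaction did not produce $compacted. ntdsutil output:`n$out"
    }

    # 4. Replace the database, clear the old logs, and check the new file before
    #    AD DS is allowed to start on it.
    Copy-Item -Path $compacted -Destination (Join-Path $NtdsDir 'ntds.dit') -Force
    Remove-Item -Path (Join-Path $NtdsDir '*.log') -Force
    $out = Invoke-Ntdsutil @('activate instance ntds', 'files', 'integrity', 'quit', 'quit')
    if ($out -notmatch 'Integrity check successful') {
        # Roll back so the DC does not come up on a damaged database.
        Copy-Item -Path (Join-Path $backupDir '*') -Destination $NtdsDir -Force
        Start-Service -Name NTDS
        throw "Integrity check failed; original files restored from $backupDir.`n$out"
    }

    # 5. Semantic database analysis with fixup (lab step: "go fixup").
    $out = Invoke-Ntdsutil @('activate instance ntds', 'semantic database analysis', 'go fixup', 'quit', 'quit')
    Write-Output $out

    # 6. Start AD DS again. Services that were stopped with it (KDC, DNS, ...)
    #    are not started automatically and may need to be started separately.
    Start-Service -Name NTDS
    Write-Output "Compacted database in use. Originals kept in $backupDir"
}

Invoke-NtdsOfflineCompact
```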

Lab 4: Implementing RODC


Machines Needed for this Lab
Name     Machine State
DC1      Running
Server1  Saved
Server2  Saved
RODC     Running

Installing RODC
1. Log on to RODC as Administrator@Insiders.com using the password P@ssw0rd.
2. On RODC, on the Start menu, click Run.
3. Type DCPROMO and then click OK.
NOTE: This will start the Active Directory Domain Services Installation Wizard. It may take a few minutes for the Active Directory Domain Services binaries to install.

4. On the Welcome page, click Use advanced mode installation and then click Next.
5. On the Choose a Deployment Configuration page, select Existing forest and then click Next.
6. On the Network Credentials page, click Next.
7. On the Select a Domain page, click Next.
8. On the Select a Site page, click Next.
9. On the Additional Domain Controller Options page, check Read-only domain controller (RODC) and then click Next.
Note: As a best practice, your RODC should also be a DNS server, so the branch office clients will have name resolution even in the event of a WAN problem.

10. On the Specify the Password Replication Policy page, accept the defaults and then click Next.
NOTE: We will specify a Password Replication Policy later in the lab.

11. On the Delegation of RODC Installation and Administration page, click Set.
12. In the Select User or Group dialog box, in Enter the object name to select, type Branch Office Admins (Create this in DC1) and then click OK.
13. On the Install from Media page, accept the default and click Next.
NOTE: An Administrator at the Main office could Backup Active Directory and then send the backup media to you at the Branch office. Then you can restore the System State to an alternate location and point to that location on this page. This will save Bandwidth over a slow WAN link.

14. On the Source Domain Controller page, accept the default and click Next.
15. On the Location for Database, Log Files, and SYSVOL page, accept all defaults and click Next.
16. On the Directory Services Restore Mode Administrator Password page, set the password to P@ssw0rd and then click Next.
17. On the Summary page, click Next.
NOTE: If you wanted to save these settings to an Unattended answer file instead of installing AD, you would click Export Settings.

18. On the Active Directory Domain Services Installation Wizard page, click the Reboot on completion checkbox.
NOTE: The installation of Active Directory will take approximately five minutes and the computer will reboot when complete.

19. When the machine reboots, log on as Insiders\administrator with a password of P@ssw0rd.

Review Allowed and Denied Groups


The RODC Allowed Groups and Denied Groups specify which groups, if any, will have their passwords cached on the RODC. Caching passwords makes authentication possible even in the event of a WAN link failure. In this task, you will review the default Password Replication Policy settings.
1. Log on to DC1 as Administrator with a password of P@ssw0rd.
2. On the Start menu, navigate to Administrative Tools, and then click Active Directory Users and Computers.
3. In Active Directory Users and Computers, click Domain Controllers.
4. Click RODC and then, on the Action menu, click Properties.
5. In the RODC Properties dialog box, click Password Replication Policy and review the policy settings.
NOTE: The Password Replication Policy defines which groups will have their passwords cached on the RODC. By default, if any member of the Administrators group logs on in the branch office, their password will not be cached on the RODC, making it less vulnerable to attacks.

6. In the RODC Properties dialog box click Cancel.

Create a New Active Directory Group and add to Allow Group


Now that you have reviewed the default Password Replication Policy settings, you will create a new Active Directory group, add members to the group, and add them to the Allowed list in the Password Replication Policy.
1. In the Navigation pane, click Users; on the Action menu, point to New and then click Group.
2. In the New Object-Group dialog box, in the Group Name field, type Sales Users and then click OK.
3. In Active Directory Users and Computers, ensure Sales Users is selected, and then on the Action menu, click Properties.
4. In the Sales Users Properties dialog box, click Members and then click Add.

5. In the Select Users, Contacts, Computers, or Groups dialog box, type BenSmith;DonHall (Create these 2 users in DC1), click Check Names and then click OK.
6. In the Sales Users Properties dialog box, click OK.
7. In the Navigation Pane, click Domain Controllers, then in the contents pane click RODC, and then on the Action menu, click Properties.
8. In the RODC Properties dialog box, click Password Replication Policy and then click Add.
9. In the Add Groups, Users and Computers dialog box, click Allow and then click OK.
10. In the Select Users, Computers, or Groups dialog box, type Sales Users, click Check Names, and then click OK.
11. In the RODC Properties dialog box, click Apply

View and Add cached credentials to a RODC


Not only is it possible for the RODC to cache passwords of users that have logged on, but an administrator can prepopulate the RODC password cache to make authentication more efficient from the first logon. In this task you will pre-populate the RODC password cache.
1. In the RODC Properties dialog box, click Advanced and then click Prepopulate Passwords.
NOTE: This is a listing of all passwords that are cached on this RODC

2. Type BenSmith, click Check Names, and then click OK.
3. In the Prepopulate Passwords dialog box, click Yes.
4. In the Prepopulate Password Success dialog box, click OK and then click Close.
5. In the RODC Properties dialog box, click OK.

Configure Administrator Role Separation for a RODC


Administrator Role Separation specifies that any user can be delegated to be the local administrator of an RODC without granting that user rights for the domain or other domain controllers. Therefore, a local branch user can log on to the RODC to perform general maintenance on the server, but could not log on to any other domain controller to perform a similar task. In this task you will configure Administrator Role Separation on the RODC.
1. On RODC, on the Start menu, click Command Prompt.
2. In the Command Prompt window, type the following commands, pressing ENTER at the end of each line.

   dsmgmt
   Local Roles
   List Roles

Note: By default, no local administrator role is defined on RODC after AD DS has been installed. To add the Local Administrator role, you need to use the ADD parameter.

   Add BenSmith@Insiders.com administrators
   Quit
   Quit

Close the Command Prompt window.


Reset all cache credentials on the RODC


In the event that an RODC has been stolen, to ensure that the user accounts whose passwords have been cached on the RODC do not become compromised, you must reset the passwords of all of the users whose passwords were cached. In this task you will reset the passwords of all of the users who have had their passwords cached on the RODC.
1. On DC1, in the Active Directory Domain Controllers window, click RODC and on the Action menu, click Delete.
2. In the Active Directory Domain Services box, click Yes.
3. In the Deleting Domain Controller dialog box, ensure Reset all passwords for user accounts that were cached on this Read-only Domain Controller is selected, and uncheck the Export the list of accounts that were cached on this Read-only Domain Controller to this file check box.
Note: In the production environment, do not uncheck this box. Always export the list and archive it for future reference, as the list of users is not available after the Domain Controller object has been deleted.

4. In the Delete Domain Controller dialog box, read the warnings and then click Cancel.
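The note above says to always export the list of cached accounts before the RODC object is deleted. The script below is an added example, not part of the lab: it reads the RODC's Allowed and Denied groups and its authenticated-account list from the RODC computer object over ADSI, appends the revealed (cached) accounts reported by repadmin /prp, and writes everything to a timestamped file. It assumes it runs on DC1 as a domain administrator, an RODC named RODC as in the lab, and an output folder C:\rodc-exports chosen for this example.

```powershell
# Added example (not from the lab). Run on DC1 as a domain administrator.
# Assumptions: the RODC's computer account is RODC$ (the lab's name), repadmin.exe
# from Windows Server 2008 is on the path, and C:\rodc-exports is a hypothetical folder.

function Export-RodcPrpState {
    param(
        [string]$RodcName = 'RODC',
        [string]$OutDir   = 'C:\rodc-exports'
    )
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $outFile = Join-Path $OutDir "$RodcName-prp-$stamp.txt"

    # The PRP is stored on the RODC's computer object: msDS-RevealOnDemandGroup is the
    # Allowed list, msDS-NeverRevealGroup the Denied list, and
    # msDS-AuthenticatedToAccountlist holds every account that has authenticated
    # through this RODC, whether or not its secrets were cached.
    $attrs    = 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup', 'msDS-AuthenticatedToAccountlist'
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter     = "(&(objectCategory=computer)(sAMAccountName=$RodcName`$))"
    foreach ($a in $attrs) { [void]$searcher.PropertiesToLoad.Add($a) }
    $rodc = $searcher.FindOne()
    if ($rodc -eq $null) { throw "Computer object for '$RodcName' not found under $domainDn" }

    $lines = @("RODC Password Replication Policy export for $RodcName ($stamp)")
    foreach ($a in $attrs) {
        $lines += ''
        $lines += "[$a]"
        $values = $rodc.Properties[$a.ToLower()]
        if ($values -eq $null -or $values.Count -eq 0) { $lines += '  (none)'; continue }
        foreach ($dn in $values) { $lines += "  $dn" }
    }

    # msDS-RevealedUsers (the accounts whose secrets are actually cached) is a
    # DN-Binary attribute; repadmin already decodes it, so its output is taken as-is.
    $lines += ''
    $lines += "[repadmin /prp view $RodcName reveal]"
    $lines += (& repadmin.exe /prp view $RodcName reveal 2>&1 | ForEach-Object { "  $_" })

    $lines | Set-Content -Path $outFile
    return $outFile
}

$file = Export-RodcPrpState
Write-Output "Archived RODC cache state to $file (keep it before deleting the RODC object)."
```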

Lab 5: Managing IIS 7


Machines Needed for this Lab
Name     Machine State
DC1      Running
Server1  Running
Server2  Running
RODC     Saved

Installing IIS 7 (Perform on Server 1 & Server 2)


1. Click Start, point to Administrative Tools, and then click Server Manager
2. In Roles Summary, click Add Roles
3. Use the Add Roles Wizard to add the Web Server role
4. Select all modules to install

Stopping a Website using Appcmd


In this exercise, you will use appcmd to stop a website in preparation for making changes to the site.
1. Log on to Server1 as Administrator@Insiders.com
2. On the Start menu, click Command Prompt.
3. At the command prompt, type the following command and then press ENTER.
cd %windir%\system32\inetsrv

4. At the command prompt, type the following commands and then press ENTER after each one.
appcmd stop site "Default Web Site"

5. At the command prompt, type the following command and then press ENTER.
appcmd list site



Note: To verify that the site has been stopped or started, examine the state value at the right of the output. If the site has stopped the state value will be shown as Stopped.

Explore the Configuration of an existing site


In this task you will review the configuration of an existing site using IIS Manager. Perform this task on Server1 as Administrator@Insiders.com
1. On the Start menu, navigate to All Programs/Administrative Tools and then click Internet Information Services (IIS) Manager.
2. In the Connections pane, expand Server1, and then click Sites.
3. Under Sites, click Default Web Site.
4. In the Actions pane, click Bindings.
5. In the Web Site Bindings dialog box, click http and then click Edit.
6. In the Edit Web Site Binding window, verify the settings and make any changes as required, as shown in the table below:

   Setting     Values
   IP Address  192.168.1.2
   Port        80

7. Click OK to close the Edit Site Binding dialog box, and then click Close to close the Site Bindings dialog box.
8. In the Actions pane, under Edit Site, click Basic Settings. Review the settings and make any changes as required.

   Setting           Values
   Application Pool  DefaultAppPool
   Physical Path     %systemdrive%\inetpub\wwwroot

9. Click Cancel to close the Edit Web Site dialog box.
10. In the Actions pane, click Advanced Settings.
11. In the Advanced Settings dialog box, review the following settings.

   (General) Setting                     Values
   ID                                    1
   Physical Path                         %systemdrive%\inetpub\wwwroot
   Physical Path Credentials             Ensure it is blank
   Physical Path Credentials Logon Type  ClearText
   Start Automatically                   True

12. Click Cancel to close the Advanced Settings dialog box.
13. Leave Internet Information Services (IIS) Manager open.

Creating a Virtual Directory


In this task you will create a virtual directory in the Default Web Site that will hold employee information that can be accessed by other personnel in the organization. This virtual directory will be used at a later time. You will use the APPCMD command line tool to create this virtual directory. The commands used in this exercise could be placed in a batch file or script to automate the creation of virtual directories. Perform this task on Server1 as Administrator@Insiders.com
1. On the Start menu, click Command Prompt.
2. At the command prompt, type the following command and then press ENTER.
cd \inetpub\wwwroot

3. At the command prompt, type the following command and then press ENTER.
md employeedata

4. At the command prompt, type the following command and then press ENTER.
cd %windir%\system32\inetsrv

5. At the command prompt, type the following command and then press ENTER.
appcmd add vdir /app.name:"Default Web Site/" /path:/EmployeeData /physicalpath:c:\inetpub\wwwroot\employeedata

6. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 and then click Default Web Site.
7. Verify that the EmployeeData virtual directory is present.

Starting a Web Site using Appcmd


In this exercise, you will use appcmd to start the Default Web Site after having made changes to the site.
1. At the command prompt, type the following command and then press ENTER.
cd %windir%\system32\inetsrv

2. At the command prompt, type the following command and then press ENTER.
appcmd start site /site.name:"Default Web Site"

3. At the command prompt, type the following command and then press ENTER.
appcmd list site

Note: To verify that the site has been started, examine the state value at the right of the output. If the site has started the state value will be shown as Started.

4. Close the Command Prompt window

Displaying Website Information with Content View


In this task, you will use the Content View tab to view the contents of the Default Web Site. The Content View page displays the contents of the website or virtual directory selected in the Connections pane. For example, if you click on a Web site and select the Content View, IIS Manager displays a list of the applications, virtual directories, physical directories and files of that web site. You can right-click an object in the content list and click Switch to Features View to go to the object's home page. From the home page, you can configure features for the object, such as authentication settings for a virtual directory. Perform this task on Server1 as Administrator@Insiders.com
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Server1, click Web Sites, and then click Default Web Site.
2. Right-click Default Web Site and then click Switch to Content View
3. In the Default Web Site Content pane, notice the new virtual directory you created earlier and the default.htm file.
4. In the Connections pane, right-click Default Web Site and select Features View

Create a new Application pool using Command Line


In this task you will create a new application pool. An application pool is a group of one or more applications that are served by a worker process or a set of worker processes. Application pools set boundaries for the applications they contain, which means that any applications running outside of a given application pool cannot affect the applications within the application pool. Application pools are used to isolate web sites and web applications to address reliability, availability, and security issues. You should consider creating application pools for any of the following reasons:
- To group sites and applications that run with the same configuration settings
- To isolate sites and applications that run with unique configuration settings
- To increase security by using a custom identity to run an application
- To improve performance by separating unstable applications from well-behaved applications
- To prevent resources in one application from accessing resources in another application. For example, ISPs might create individual application pools for each customer's sites and web applications. Separating customer content in this way can prevent one customer's resources from accessing resources on another customer's web site, even though both customers' sites are on the same web server.

Perform this task on Server1 as Administrator@Insiders.Com

The IIS 7.0 command-line tools reside in the %windir%\system32\inetsrv directory, which is available only to the Administrators or to users who are members of the Administrators group on the computer. In addition, members of the Administrators group must start the IIS 7.0 command-line tools with elevated permissions. Users who view or change Web.config files in sites or application directories must have access to read and write files in those directories.
1. On the Start menu, click Command Prompt.
2. At the command prompt, type the following command and then press ENTER.
cd %windir%\system32\inetsrv

3. At the command prompt, type the following command and then press ENTER.
appcmd add apppool /name:NewIntranet

4. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 and then click Application Pools. In Application Pools, verify that NewIntranet is listed.

Change an Application Pool assigned to a Web Site


In this exercise, you are going to assign the Default Web Site to the new application pool you created.
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Sites and then click Default Web Site.
2. In the Actions pane, click Advanced Settings.
3. In the Advanced Settings window, click DefaultAppPool, and then click the ellipsis button (...).
4. In the Select Application Pool dialog box, in Application pool, select NewIntranet and then click OK.
5. Click OK to close the Advanced Settings dialog box.
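The virtual directory, application pool and pool assignment steps from this lab as one script, added here as an example and not part of the lab: it backs up the IIS configuration first, stops the site only while it is being changed, creates the pool and moves the site's root application into it, and checks the site state and pool assignment afterwards. It assumes an elevated PowerShell session on Server1 and the site, path and pool names used in the lab; the backup name, the existence checks and the state checks through appcmd's /text: option are this script's own additions.

```powershell
# Added example (not from the lab). Run in an elevated PowerShell on Server1.
# Assumptions: site, vdir and pool names as in the lab; the backup name, the
# pre-change stop/start and the /text: state checks are this script's additions.

$appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$site     = 'Default Web Site'
$pool     = 'NewIntranet'
$vdirPath = '/EmployeeData'
$physical = Join-Path $env:SystemDrive 'inetpub\wwwroot\employeedata'

function Invoke-AppCmd {
    # Runs appcmd.exe with the given arguments; a non-zero exit code aborts the script.
    param([string[]]$ArgList)
    $out = & $appcmd @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "appcmd $($ArgList -join ' ') failed:`n$($out | Out-String)" }
    return $out
}

function Get-SiteState {
    # /text:state makes appcmd print only that attribute (Started or Stopped).
    param([string]$Name)
    $state = Invoke-AppCmd @('list', 'site', $Name, '/text:state') | Select-Object -First 1
    return ([string]$state).Trim()
}

# 1. Back up applicationHost.config (and the legacy metabase) before any change.
$backupName = 'pre-vdir-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
Invoke-AppCmd @('add', 'backup', $backupName) | Out-Null

# 2. Stop the site while it is being changed.
if ((Get-SiteState $site) -eq 'Started') { Invoke-AppCmd @('stop', 'site', $site) | Out-Null }
if ((Get-SiteState $site) -ne 'Stopped') { throw "$site is still running" }

# 3. Content folder plus virtual directory. appcmd refuses to add a duplicate,
#    so the vdir is only added when "list vdir" finds nothing.
if (-not (Test-Path $physical)) { New-Item -ItemType Directory -Path $physical | Out-Null }
if (-not (Invoke-AppCmd @('list', 'vdir', "$site$vdirPath"))) {
    Invoke-AppCmd @('add', 'vdir', "/app.name:$site/", "/path:$vdirPath", "/physicalPath:$physical") | Out-Null
}

# 4. Isolated application pool, then move the site's root application into it so
#    its worker process is separate from whatever else runs in DefaultAppPool.
if (-not (Invoke-AppCmd @('list', 'apppool', $pool))) {
    Invoke-AppCmd @('add', 'apppool', "/name:$pool") | Out-Null
}
Invoke-AppCmd @('set', 'app', "$site/", "/applicationPool:$pool") | Out-Null

# 5. Start the site again and verify that every change took effect.
Invoke-AppCmd @('start', 'site', $site) | Out-Null
if ((Get-SiteState $site) -ne 'Started') { throw "$site did not start" }
if (-not (Invoke-AppCmd @('list', 'vdir', "$site$vdirPath"))) { throw "vdir $vdirPath is missing" }
$assigned = Invoke-AppCmd @('list', 'app', "$site/", '/text:applicationPool') | Select-Object -First 1
$assigned = ([string]$assigned).Trim()
if ($assigned -ne $pool) { throw "$site/ still runs in '$assigned', expected '$pool'" }
Write-Output "OK: $site started, $vdirPath present, root app in pool $pool (backup: $backupName)"
```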

Starting and Stopping Application Pools


In this task, you are going to manage application pools. When you stop an application pool, the WWW service shuts down all running worker processes serving that application pool. The WWW service does not restart these worker processes. An administrator must restart all stopped application pools. All applications routed to a stopped application pool receive 503 Service Unavailable errors. Perform this task on Server1 as Administrator@Insiders.com
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools and then click NewIntranet.
2. In the Actions pane, click Stop.
3. In the Actions pane, click Start to restart the application pool.

Recycling Application Pools


In this task, you are going to force the recycle of an application pool. Occasionally, you may need to immediately recycle an unhealthy worker process instead of waiting for the next configured recycle. Rather than abruptly stopping the worker process, which can cause service interruptions, you can use on-demand recycling. Overlapping recycling, the default, allows an unhealthy worker process to be marked for recycling but to continue handling requests that it has already received. It does not accept new requests from HTTP.sys. When all existing requests are handled, the unhealthy worker process shuts down. Perform this task on Server1 as Administrator@Insiders.com
1. In the Connections pane, click Application Pools and then click NewIntranet.
2. In the Actions pane, click Recycle.

Viewing Applications in an Application Pool


In this task you are going to view the applications that are assigned to the DefaultAppPool. You may want to see all of the applications assigned to a given application pool to verify that applications are correctly assigned or to assess whether you should move some applications to another application pool. Perform this task on Server1 as Administrator@Insiders.Com
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools and then click DefaultAppPool.
2. In the Actions pane, click View Applications

View Information about Worker Processes and Application Pool Settings


In this exercise, you are going to examine the worker processes that are running on the web server. You can view performance information about worker processes running on your web server. This information can help you narrow down applications that cause problems on your web server, and help you make decisions about how to fix these issues. IIS 7.0 lists worker processes with associated application pool names and provides information for each worker process. Perform this task on Server1 as Administrator@Insiders.com
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Web Sites and click Default Web Site.
2. In the Actions pane, under Manage Web Site, click Start
3. In the Actions pane, click Browse *:80 (http).
Note: You may need to add this site to the trusted site list.

4. Minimize the home page for the Default Web Site once it has opened.
5. In Internet Information Services (IIS) Manager, in the Connections pane, under Sites, click Default Web Site.
6. In the Actions pane, click Browse 192.168.1.2:80 (http). If you receive the Microsoft Phishing Filter warning, select the Ask me later radio button and click OK to close the warning.
7. Once the Default Web Site home page has opened, minimize it.
8. In the Connections pane, click Server1 (Insiders\Administrator)
9. In the Server1 Home pane, under IIS, double-click Worker Processes.
Note: In the Worker Processes pane are listed the active Application Pool Names, Process IDs, State, CPU%, Private Bytes (KB) and Virtual Bytes (KB).

10. Close the Internet Information Services (IIS) Manager console

Shared Web Server Configuration


Introduction
In this exercise, you are the web administrator at your company. You want to implement the shared web farm configuration in IIS 7.0. To do this you will designate a single shared master IIS configuration file on a central server that can be accessed through a Universal Naming Convention (UNC) share on either a local or remote server. This shared configuration file can be used across multiple front-end Web servers, avoiding costly and error-prone replication and manual synchronization issues. Web site and application settings are no longer explicitly tied to a centralized configuration store on each local machine. Configuration files can simply be copied from the developer's workstation to a test server and from the test server to the production Web server that will serve as the central configuration store. In this exercise, you are going to use this new feature to create a single configuration file that will affect several web servers.

Backing up the Current applicationhost.config


It is always good practice to back up the current applicationHost.config file when changing multiple settings. In this task, you are going to back up the applicationHost.config file before making any changes to the server or configurations. You are going to back up the applicationHost.config file by creating a backup object using the APPCMD command-line tool. The configuration files are stored in the %windir%\InetSrv\Config directory. This will create a backup object which includes the applicationHost.config file and the legacy metabase file (for SMTP and other non-web server settings) in a backup folder. You are able to perform a list on this backup object and make sure it is present.
1. Log on to Server1 as Administrator@Insiders.Com with a password of P@ssw0rd.
2. On the Start menu, click Command Prompt.
3. At the command prompt, type the following command and then press ENTER.
cd %windir%\system32\inetsrv

4. At the command prompt, type the following command and then press ENTER.
appcmd add backup centralConfigBackup

Verifying Backup of Applicationhost.config


In this task, you are going to verify that the backup of the applicationHost.config took place and there is a file present. Perform this task on Server1 as Administrator@Insiders.Com 1. At the command prompt, type the following command and then press ENTER.
Appcmd list backup

Restore Applicationhost.config
In this task, you are going to replace the current applicationHost.config file with the backup copy. Since you haven't made any changes to the file since you made the original copy, this is simply a test of the restore procedure. Perform this task on Server1 as Administrator@Insiders.com
1. At the command prompt, type the following command and then press ENTER.
Appcmd restore backup centralConfigBackup

Creating a user account for accessing the UNC Share


In this task, you are going to create a domain user account that will be used for creating the share folder required for the Shared Web Farm. You will create a domain user called ConfigUser with a password of P@ssw0rd. You will use this account to access the web server machine (the front-end machine, Server1, where the IIS7 server is installed), and also on the file server machine (the back-end machine, Server2, where the central configuration will reside). Perform this task on DC1 1. Log on to DC1 as Administrator@Insiders.Com with the password P@ssw0rd.

Dennis Chung | IT Pro Evangelist | Microsoft Singapore | http://windowsmvp.spaces.live.com

Page 13

2. On the Start menu, navigate to All Programs/Administrative Tools and then click Active Directory Users and Computers.
3. In Active Directory Users and Computers, click LabUsers (create this OU if it doesn't exist), then on the Action menu point to New and click User.
4. In the New Object - User dialog box, in Full Name and User logon name, type Configuser, and click Next.
5. In the New Object - User dialog box, type P@ssw0rd in both the Password and Confirm password boxes, clear the User must change password at next logon box, and then click Next. (Note: check the Password never expires box.)
6. In the New Object - User dialog box, click Finish.

Create the UNC Shares for central configuration and content


In this task you are going to create a shared directory that will hold the configuration file. As part of this procedure, you need to ensure that the users who will access this directory have read and write permissions. The UNC share for configuration will host the applicationHost.config file, so that the web servers can pick up the shared configuration file from the centralized location.

1. Ensure you are logged on to Server2 as Administrator using the password P@ssw0rd.
2. On the Start menu, click Command Prompt.
3. At the command prompt, type the following command and then press ENTER.
md c:\centralconfig

4. At the command prompt, type the following command and then press ENTER.
net share centralconfig$=%SystemDrive%\centralconfig /grant:Users,Read

Give Permissions to the configuser account for the UNC Shares that will host the central configuration file and content
In this task you are going to configure the permissions required by the user to access the central configuration store. This account will be used by IIS to access the UNC share in the same manner it accesses content when a virtual directory is mapped to a UNC share. The read permissions for this account are needed only when accessing the configuration share. After that point, whenever IIS reads the configuration file, it reverts to the identity that the caller used to access the configuration share: the API, the administration tool being used, or the user account that is logged on at that moment. Perform this task on Server2 as Administrator@Insiders.com.

1. On the Start menu, click Computer.
2. In the Computer window, navigate to Local Disk (C:)\centralconfig.
3. Right-click centralconfig and click Share.
4. In the File Sharing window, click Change sharing permissions.
5. In the File Sharing window, click the drop-down arrow and select Find.
6. In the Select User or Group dialog box, type configuser, then click Check Names.
7. Click OK.

8. Click Share.
9. In the File Sharing window, click Share, and when it is finished sharing click Done.

Creating Logon Batch Configuration for User Accounts


In this task you are going to enable logon batch configuration. When creating the web share configuration in either a domain or non-domain scenario, the user name will have to include the Log on as a batch job right. This is not a default setting in Windows Server 2008, so it will have to be added manually on the computer holding the shared configuration. Perform this task on Server2 as Administrator@Insiders.Com.

1. Click the Start menu, navigate to All Programs/Administrative Tools and then click Local Security Policy.
2. In Local Security Policy, expand Local Policies and then click User Rights Assignment.
3. In the contents pane, click Log on as a batch job and then on the Action menu, click Properties.
4. In the Log on as a batch job Properties dialog box, click Add User or Group.
5. In the Select Users, Computers or Groups window, type configuser@insiders.com in the Enter the object names to select box and click OK.
6. Click OK to close the Log on as a batch job Properties dialog box.
7. Close Local Security Policy.

Enable Shared Configuration


The new IIS 7 administration user interface includes support for setting up configuration redirection. The user interface provides support for exporting configuration files and any necessary encryption keys to a specified path and also provides for easy modification of the redirection.config file. Perform this task on Server1 as Administrator. (Steps in this section may vary a little.)

1. On the Start menu, navigate to All Programs/Administrative Tools and then click Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 (Insiders\Administrator), and then in the Server1 Home pane, click Shared Configuration.
3. In the Actions pane, click Open Feature.
4. In the Actions pane, click Export Configuration.
5. In the Export Configuration dialog box, type the values in the following table, and then click OK.

Setting                   Value
Physical Path             \\Server2\CentralConfig$
Encryption keys password  P@ssw0rd
Confirm Password          P@ssw0rd

6. In the Export Configuration dialog box, click OK.
7. In the Shared Configuration pane, click Enable shared configuration and then in Physical Path type \\Server2\CentralConfig$.
8. In the Shared Configuration pane, click Connect As.

9. In the Set Credentials dialog box, type the values in the following table and then click OK.

Setting           Value
User name         configuser@insiders.com
Password          P@ssw0rd
Confirm password  P@ssw0rd

10. In the Actions pane, click Apply.
11. In the Shared Configuration dialog box, click OK.
12. In the Shared Configuration dialog box, type P@ssw0rd, and then click OK.
13. In the Shared Configuration dialog box, click OK.
14. Close Internet Information Services (IIS) Manager, and then re-open Internet Information Services (IIS) Manager.
15. Repeat steps 1 to 15 on Server2. Do not repeat steps 4 to 6, which export the configuration.

Testing the Shared Configuration File


In this task you will test the use of the shared configuration file by making a change to the applicationHost.config file and observing the change on the other web server. Perform this task on Server2 as Administrator.

1. In Internet Information Services (IIS) Manager, expand Server2 (Insiders\Administrator) and then click Application Pools.
2. In the Actions pane, click Add Application Pool.
3. In the Add Application Pool dialog box, type Test Applications Pool and then click OK.
4. Switch to the Server1 computer, ensuring you are logged on as Insiders\administrator using the password P@ssw0rd.
5. Open Internet Information Services (IIS) Manager.
6. In Internet Information Services (IIS) Manager, expand Server1 (Insiders\Administrator) and then click Application Pools.
7. Verify that Test Applications Pool is listed.

Managing an IIS 7 Server


Introduction
In this exercise you will configure an IIS 7 server to allow a remote administrator to manage a subset of the features on one web site. You will first enable remote administration so that the administrator can manage the web server using IIS Manager over HTTP. You will then configure delegation to restrict modification of some site settings to the administrator of the web server only. Finally, you will create an IIS account and grant that account permission to administer a web site.

Configure Management Service Page


In this task, you are going to configure the management service page to accept remote connections. The management service enables computer and domain administrators to remotely manage a web server that uses IIS Manager. The service also enables delegated administrators to locally and remotely manage delegated features of web sites and web applications on the web server. Perform this task on Server1 as Administrator.

1. On the Start menu, navigate to All Programs/Administrative Tools and then click Internet Information Services (IIS) Manager.
2. In the Connections pane, click Server1 (Insiders\Administrator).
3. In the Server1 home pane, under Management, click Management Service, and then in the Actions pane, click Open Feature.
4. In the Management Service pane, click Enable remote connections.
5. In the Actions pane, click Start, and then in the Management Service dialog box, click Yes.

Configure Feature Delegation


In this task, you will configure feature delegation to ensure that some settings are only configurable at the server level, and not at the individual web site level. Perform this task on Server1 as Administrator.

1. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 (Insiders\Administrator).
2. In the Server1 Home pane, click Feature Delegation and then in the Actions pane, click Open Feature.
3. In the Feature Delegation pane, click Logging and then in the Actions pane, click Read Only.

Enable IIS Users and Create a User


In this task you will configure the Management Service to allow connections from IIS users. You will then create a new IIS user account for an administrator who does not have a Windows user account with administrative permission on the IIS 7 server. Perform this task on Server1 as Administrator.

1. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 (Insiders\Administrator).
2. In the Server1 home pane, under Management, click Management Service, and then in the Actions pane, click Open Feature.
3. In the Actions pane, click Stop.
4. In the Management Service pane, click Windows credentials or IIS Manager credentials.
5. In the Actions pane, click Start, and then in the Management Service dialog box, click Yes.
6. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 (Insiders\Administrator).
7. In the Server1 home pane, under Management, click IIS Manager Users, and then in the Actions pane, click Open Feature.
8. In the IIS Manager Users pane, in the Actions pane, click Add User.
9. In the Add User dialog box, enter the values in the following table and then click OK.
Setting           Value
User name         IntranetAdmin
Password          P@ssw0rd
Confirm password  P@ssw0rd

Delegate Control of Default Web Site


In this task you will grant the IntranetAdmin user account control over the Insiders Intranet Web Site.

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Server1 (Insiders\Administrator), expand Sites, and then click Default Web Site.
2. In the Default Web Site Home pane, under Management, click IIS Manager Permissions and then in the Actions pane click Open Feature.
3. In the Actions pane, click Allow User.
4. In the Allow User dialog box, click IIS Manager and then click Select.
5. In the Users dialog box, click IntranetAdmin and then click OK. Click OK to close the Allow User dialog box.

Important: Prior to starting Lab 6, remove IIS7 from Server 1 and Server 2. Reboot when done before commencing Lab 6.

Lab 6: Implementing Terminal Services RemoteApps
Machines Needed for this Lab
Name     Machine State
DC1      Running
Server1  Running
Server2  Running
RODC     Saved

RemoteApp applications are programs that are accessed remotely through Terminal Services and appear as if they are running on a user's local computer. Users can run RemoteApp applications side-by-side with their local programs. If a user is running more than one Remote Program on the same terminal server, RemoteApp will share the same Terminal Services session. You can use TS Web Access to make RemoteApp applications available through a Web site. In this exercise, you will configure DC1 to publish remote applications. In addition you will create packages for deploying remote applications to the client machines and then distribute these packages. You will also test the connection to the remote program from a client machine. In order to test these RemoteApp applications, you will also modify the Allow List to allow an application to be accessed remotely.

Install Terminal Server Role Service


In this task you will add the Terminal Server role to DC1.



Note: This task uses the following computer: DC1

1. On the Start menu, navigate to All Programs/Administrative Tools/Server Manager.
2. In Server Manager, add the Terminal Services role.
3. In the Add Role Services dialog box, click Install Terminal Services anyway (not recommended).
4. In the Add Role Services dialog box, in the Uninstall and Reinstall Applications for Compatibility page, click Next.
5. In the Add Role Services dialog box, in the Specify Authentication for Terminal Services page, select Require Network Level Authentication, then click Next.
6. In the Add Role Services dialog box, in the Specify Licensing Mode page, select Configure later, then click Next.
7. In the Add Role Services dialog box, in the Select User Groups Allowed Access to This Terminal Server page, click Next.
8. In the Add Role Services dialog box, in the Confirm Installation Selections screen, click Install.
Note: On the Confirm Installation Selections screen, there is one warning. The warning is advising that you may need to reinstall applications. In the lab it is safe to ignore, however in a production environment it is important to remember that applications may need to be reinstalled. The reason for the need to reinstall the applications is that on a Terminal Server applications are installed into a different section of the registry. This is so that the applications can be safely accessed by multiple users simultaneously. The installation process will take approximately 3 minutes. After this you will need to restart DC1.

9. In the Add Role Services dialog box, in the Installation Results screen, click Close.
10. In the Add Role Services dialog box, click Yes to begin the restart.
11. After the restart, log on to DC1 as Administrator using the password P@ssw0rd.
Note: After you log on, the Post-Reboot Configuration Wizard will appear to confirm that the Terminal Services role has been installed successfully.

12. In the Post-Reboot Configuration Wizard dialog box, click Close.

Add a program to the Allow List


In this task you will add two existing programs to the Allow List for Terminal Services RemoteApp. In order for a user to be able to access a program with RemoteApp, the application must be on the Allow List. The Allow List settings also include the ability to change settings for the remote applications, such as additional command line arguments and changes to the default icons. You will add WordPad to the Allow List.

1. Log on to DC1 as Administrator with the password of P@ssw0rd.
2. On the Start menu, navigate to All Programs/Administrative Tools/Terminal Services/TS RemoteApp Manager.
3. In TS RemoteApp Manager, on the Action menu, click Add RemoteApps.
4. In the RemoteApp Wizard, click Next.

5. In the Choose programs to add to the RemoteApps list page, check the box next to WordPad and then click Next.
6. In the RemoteApp Wizard, in the Review Settings page, click Finish.

Create a RDP file that publishes a connection to an application


In this task you will create an RDP file that can then be distributed to clients either via e-mail or USB Flash Disk (UFD). This will enable users to connect remotely to the remote program that was added to the Allow List. Any settings that have been added to the application in the Allow List will also be added to the RDP file.

1. In TS RemoteApp Manager, select WordPad in the Contents pane.
2. In TS RemoteApp Manager, in the Actions pane, click Create .rdp File.
3. In the RemoteApp Wizard, click Next.
4. In the RemoteApp Wizard, in the Specify Package Settings page, modify the location for saving the package to C:\Public\ (create this folder).
5. In the RemoteApp Wizard, in the Specify Package Settings page, in TS Gateway Settings, click Change.
6. In the Configure TS Gateway Settings dialog box, select AUTO.
7. In the RemoteApp Wizard, in the Specify Package Settings page, click Next.
8. In the RemoteApp Wizard, in the Review Settings page, click Finish.
Note: Windows Explorer will now appear displaying the created RDP file. The created file is named Wordpad.rdp

Create an MSI file that installs an application


In this task you will create an MSI file that can be distributed as an installation package. This package could be distributed for users to install manually or installed as part of a Group Policy Object. As part of the configuration of an MSI package it is possible to define where the remote program will appear in the user's environment and also to associate the remote program with client file associations. An example of using this would be to publish Microsoft Word so that it is integrated into the user's Start Menu and opened when they click on a Word document. This gives users seamless integration with the remote program. Any settings that have been added to the application in the Allow List will also be added to the MSI file.

1. In TS RemoteApp Manager, in the Contents pane, select WordPad.
2. In the Actions pane, click Create Windows Installer Package.
3. In the RemoteApp Wizard, click Next.
4. In the RemoteApp Wizard, in the Specify Package Settings page, modify the location for saving the package to C:\Users\Public\.
5. In the RemoteApp Wizard, in the Specify Package Settings page, in TS Gateway Settings, click Change.
6. In the Configure TS Gateway Settings dialog box, select Auto.
7. In the RemoteApp Wizard, in the Configure Distribution Package page, accept the default settings by clicking Next.

8. In the RemoteApp Wizard, in the Review Settings page, click Finish.
Note: Windows Explorer will now appear displaying the created installation file. The created file is named wordpad.msi

Using RemoteApp Access


In this task, you will use the RDP file and the MSI file that you created in the previous tasks. This will be achieved by accessing the files on the Public share on DC1.
Note: This task uses the following computer: DC1

1. Log on to VISTA as Administrator with the password of P@ssw0rd.
2. On the Start menu, in Start Search, type \\DC1\Public and then press ENTER.
3. In Windows Explorer, double-click Wordpad.RDP.
4. In the Windows Security dialog box, enter the following values:

Setting    Value
User Name  Administrator@Insiders.Com
Password   P@ssw0rd

5. Check Remember my credentials and then click OK.
6. In the RemoteApp dialog box, check Don't prompt me again for connections to this computer, and then click Yes.
Note: The application now launches. When the application launches successfully it will display on the screen as On The Server. This is the remote application running on the server.

7. Close the On The Server remote program.
8. In Windows Explorer, double-click WordPad.msi.
Note: The remote WordPad application now installs. Observe the name of the application matches the name that was entered during the creation of the MSI file.

9. After the application has completed installation, on the Start menu, navigate to All Programs/RemoteApp/WordPad.
Note: The application now launches. When the application launches successfully it will display on the screen as WordPad.

10. In the remote WordPad application, in the File menu, click Exit to close.

Implementing Terminal Services Web Access


TS Web Access is a feature that makes RemoteApp available to users from a Web browser. With TS Web Access, a user can visit a Web site, either from the Internet or from an intranet, to access a list of available RemoteApp applications. When a user starts a RemoteApp application, a Terminal Services session is started on the terminal server that hosts the Remote Program.


TS Web Access includes a default Web page that you can use to deploy RemoteApp applications over the Web. The Web page consists of a frame and a customizable Web Part, where the list of RemoteApp applications is displayed. In this exercise, you will configure the terminal server to support Terminal Services Web Access and then configure an application to be made unavailable via the web interface.

Install Terminal Server Web Access Role Service


In this task you will modify DC1 to include the Terminal Server Web Access role. This will then extend our Terminal Server to now be able to provide Remote Applications via a web interface.
Note: This task uses the following computer: DC1

1. Log on to DC1 using the username Administrator and the password P@ssw0rd.
2. On the Start menu, navigate to All Programs/Administrative Tools/Server Manager.
3. In the Explorer pane, navigate to Roles/Terminal Services.
4. In the Contents pane, in Role Services, click Add Role Services.
5. In the Select Role Services dialog box, check TS Web Access.
6. In the Add Role Services dialog box, select Add Required Role Services.
7. In the Add Role Services dialog box, in the Select Role Services page, click Next.
8. In the Add Role Services dialog box, in the Web Server (IIS) page, click Next.
9. In the Add Role Services dialog box, in the Select Role Services page, click Next.
10. In the Add Role Services dialog box, in the Confirm Installation Selections page, click Install.

Connect to Terminal Server Web Access and launch application


In this task, you will use Terminal Server Web Access to access the applications that you have previously published.
Note: This task uses the following computer: VISTA

1. On the Start menu, click Internet Explorer.
2. In the address bar, enter the address http://DC1/ts and then press ENTER.

3. In the Connect to dc1 dialog box, enter the User name insiders\Administrator and the password P@ssw0rd.
Note: The TS Web Access page is now displayed. There are two programs displayed: the Demo Application and the WordPad that you published in an earlier task.

4. Click Demo Application in the TS Web Access webpage.
5. In the Trust Warning pop-up, click Yes.
6. In the RemoteApp dialog box, click Yes.
7. In the Windows Security dialog box, enter the username Insiders\Administrator and the password P@ssw0rd, and then press ENTER.



Note: The application now launches. When the application launches successfully it will display on the screen as On The Server.

Lab 7: Network Access Protection


Machines Needed for this Lab
Name     Machine State
DC1      Running
Server1  Running
Server2  Saved
RODC     Saved

Network Access Protection (NAP) is a new technology introduced in Windows Vista and Windows Server 2008. NAP includes client components and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers for unrestricted network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is connected to a network. In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework. NAP enforcement occurs at the moment when client computers attempt to access the network through network access servers, such as a VPN server running Routing and Remote Access Service, or when clients attempt to communicate with other network resources. The way that NAP is enforced depends on the enforcement method you choose. NAP enforces health requirements for the following:
- Internet Protocol security (IPsec)-protected communications
- Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
- Virtual private network (VPN) connections
- Dynamic Host Configuration Protocol (DHCP) configuration

The step-by-step instructions in this paper will show you how to deploy a NAP DHCP enforcement test lab so that you can better understand how DHCP enforcement works.

NAP enforcement and network restriction
NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:
- Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements, and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.
- Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements, and are placed on the restricted network.
- Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.

Remediation
Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures. You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant. This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on without user intervention.

Ongoing monitoring to ensure compliance
NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when their health state changes, and when they initiate requests for network resources. This test lab includes a demonstration of ongoing monitoring when the client's DHCP-issued address is renewed. The NAP client computer sends a statement of health (SoH) with the DHCP address request, and is granted full or restricted access based on its current health state.
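The enforcement settings, remediation and renewal behaviour described above, as an added Python model that is not part of the lab: it assumes a simplified SoH (a dictionary of check names to booleans); the class names, the simulate_renewals() and run_lab_scenarios() helpers and the Noncompliant policy name are constructed, while the firewall-only SHV, the Compliant-Full-Access policy and remediation group Rem1 (192.168.1.1) are taken from the lab.

```python
"""Model of the NAP DHCP-enforcement decision path described in this lab (added
illustration, not part of the lab). NPS evaluates a client's Statement of Health
(SoH) against the SHV, classifies it with the Compliant / Noncompliant health
policies, applies the first matching network policy's enforcement setting and
re-evaluates on every DHCP renewal. Constructed for this example: the SoH dict, class
names, simulate_renewals(), run_lab_scenarios() and the Noncompliant policy name."""
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Dict, List, Optional

class Enforcement(Enum):
    FULL_ACCESS = "Allow full network access"              # default setting
    LIMITED_ACCESS = "Allow limited access"                 # restricted network
    FULL_ACCESS_UNTIL = "Allow full network access for a limited time"

@dataclass
class SystemHealthValidator:
    """Windows Security Health Validator with only the listed checks enabled."""
    required_checks: List[str]  # a check missing from the SoH counts as failed

    def failed_checks(self, soh: Dict[str, bool]) -> List[str]:
        return [c for c in self.required_checks if not soh.get(c, False)]

@dataclass
class NetworkPolicy:
    name: str
    health_policy: str                        # condition: "Compliant" / "Noncompliant"
    enforcement: Enforcement
    enabled: bool = True
    auto_remediation: bool = False            # "Enable auto-remediation of client computers"
    remediation_servers: List[str] = field(default_factory=list)
    enforce_after: Optional[datetime] = None  # only used with FULL_ACCESS_UNTIL

@dataclass
class Decision:
    policy: Optional[str]           # None: no enabled policy matched, NPS rejects the request
    access: str                     # "full", "restricted" or "denied"
    failed_checks: List[str]
    remediation_servers: List[str]  # what a restricted client may still reach
    auto_remediation: bool

def health_state(shv: SystemHealthValidator, soh: Dict[str, bool]) -> str:
    """Health policies: passes all SHV checks -> Compliant; fails one or more -> Noncompliant."""
    return "Compliant" if not shv.failed_checks(soh) else "Noncompliant"

def evaluate_request(shv: SystemHealthValidator, policies: List[NetworkPolicy],
                     soh: Dict[str, bool], now: datetime) -> Decision:
    """Decide one DHCP request or renewal that carries a SoH."""
    failed, health = shv.failed_checks(soh), health_state(shv, soh)
    # NPS walks network policies in order and applies the first enabled one that matches.
    policy = next((p for p in policies if p.enabled and p.health_policy == health), None)
    if policy is None:
        return Decision(None, "denied", failed, [], False)
    deferred = (policy.enforcement is Enforcement.FULL_ACCESS_UNTIL
                and policy.enforce_after is not None and now < policy.enforce_after)
    if policy.enforcement is Enforcement.FULL_ACCESS or deferred:
        return Decision(policy.name, "full", failed, [], policy.auto_remediation)
    return Decision(policy.name, "restricted", failed,
                    list(policy.remediation_servers), policy.auto_remediation)

def simulate_renewals(shv: SystemHealthValidator, policies: List[NetworkPolicy],
                      soh: Dict[str, bool], now: datetime,
                      client_changes: List[Dict[str, bool]]) -> List[str]:
    """One DHCP renewal per entry of client_changes (a SoH change made on the client
    before that renewal; {} = none); returns the access granted each time. With
    auto-remediation on, the NAP agent fixes a restricted client's failed settings
    (in this lab: turns Windows Firewall on), so the next SoH reflects the fix."""
    state, history = dict(soh), []
    for change in client_changes:
        state.update(change)
        decision = evaluate_request(shv, policies, state, now)
        history.append(decision.access)
        if decision.access == "restricted" and decision.auto_remediation:
            state.update({c: True for c in decision.failed_checks})
    return history

# Lab configuration: the SHV keeps only "A firewall is enabled for all network connections".
LAB_SHV = SystemHealthValidator(required_checks=["firewall"])
LAB_POLICIES = [
    NetworkPolicy("Compliant-Full-Access", "Compliant", Enforcement.FULL_ACCESS),
    NetworkPolicy("Noncompliant-Restricted", "Noncompliant", Enforcement.LIMITED_ACCESS,
                  auto_remediation=True, remediation_servers=["192.168.1.1"]),  # Rem1 = DC1
]

def run_lab_scenarios() -> Dict[str, object]:
    """Worked scenarios on the lab configuration, with constructed inputs."""
    now = datetime(2008, 1, 15)
    deferred = [NetworkPolicy("Noncompliant-Deferred", "Noncompliant",
                              Enforcement.FULL_ACCESS_UNTIL, enforce_after=datetime(2008, 2, 1))]
    return {
        # Firewall off at the first request; remediated before renewal 2; turned off again before 3.
        "first_request": evaluate_request(LAB_SHV, LAB_POLICIES, {"firewall": False}, now),
        "renewals": simulate_renewals(LAB_SHV, LAB_POLICIES, {"firewall": False}, now,
                                      [{}, {}, {"firewall": False}]),
        "deferred_before": evaluate_request(LAB_SHV, deferred, {"firewall": False}, now).access,
        "deferred_after": evaluate_request(LAB_SHV, deferred, {"firewall": False},
                                           datetime(2008, 3, 1)).access,
    }
```

The "renewals" scenario is the one the lab demonstrates: a restricted lease, full access after auto-remediation, and restriction again on the next renewal once the firewall is switched off.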

Install the NPS and DHCP server roles on Server1


To install the NPS and DHCP server roles (log on as Insiders\Administrator)
1. Click Start, and then click Server Manager.
2. Under Roles Summary, click Add roles, and then click Next.
3. On the Select Server Roles page, select the DHCP Server and Network Policy and Access Services check boxes, and then click Next twice.
4. On the Select Role Services page, select the Network Policy Server check box, and then click Next twice.
5. On the Select Network Connection Bindings page, verify that 192.168.1.2 is selected, and then click Next.
6. On the Specify DNS Server Settings page, verify that insiders.com is listed under Parent domain.
7. Type 192.168.1.1 under Preferred DNS server IP address, and click Validate. Verify that the result returned is Valid, and then click Next.
8. On the Specify WINS Server Settings page, accept the default setting of WINS is not required on this network, and then click Next.
9. On the Add or Edit DHCP Scopes page, click Add.
10. In the Add Scope dialog box, type NAP Scope next to Scope Name. Next to Starting IP Address, type 192.168.1.150, next to Ending IP Address type 192.168.1.200, and next to Subnet Mask type 255.255.255.0.
11. Select the Activate this scope check box, click OK, and then click Next.
12. On the Select IPv6 DHCP Server Operation Mode page, select Disable DHCPv6, and then click Next.
13. On the Authorize DHCP Server page, select Use current credentials. Verify that Insiders\Administrator is displayed next to Username, and then click Next.
14. On the Confirm Installation Selections page, click Install.
15. Verify the installation was successful, and then click Close.
16. Close the Server Manager window.

Configure Server 1 as a NAP health policy server


To configure SHVs
1. Double-click Network Access Protection, and then click System Health Validators.
2. In the middle pane under Name, double-click Windows Security Health Validator.
3. In the Windows Security Health Validator Properties dialog box, click Configure.
4. Clear all check boxes except A firewall is enabled for all network connections. You do not have to clear the Windows Update check box.
5. Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.

Configure remediation server groups
Remediation server groups are lists of computers that noncompliant NAP clients can access to help them update their configuration. For the test lab, DC1 will be added to a remediation server group so that VISTA will have access to DNS when it is noncompliant.
To configure a remediation server group
1. In the console tree, under Network Access Protection, right-click Remediation Server Groups, and then click New.
2. Under Group Name, type Rem1.
3. Next to Remediation Servers, click Add.
4. In the Add New Server dialog box, under IP address or DNS name, type 192.168.1.1, and then click OK twice.

Configure health policies
Health policies define which SHVs are evaluated, and how they are used in validating the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. This test lab defines two health policies: one that corresponds to a compliant health state and one that corresponds to a noncompliant health state.
To configure health policies 1. Double-click Polices. 2. Right-click Health Policies, and then click New. 3. In the Create New Health Policy dialog box, under Policy Name, type Compliant. 4. Under Client SHV checks, verify that Client passes all SHV checks is selected. 5. Under SHVs used in this health policy, select the Windows Security Health Validator check box. 6. Click OK. 7. Right-click Health Policies, and then click New.

Dennis Chung | IT Pro Evangelist | Microsoft Singapore | http://windowsmvp.spaces.live.com

Page 25

Windows Server 2008 (Pre-Release) Hands On Lab Instructions


8. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
9. Under Client SHV checks, select Client fails one or more SHV checks.
10. Under SHVs used in this health policy, select the Windows Security Health Validator check box, as shown in the following example.

Configure network policies
Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with health requirements, and a network policy that will be applied to computers that are noncompliant. For this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will have their access restricted. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.

Configure a network policy for compliant client computers
First, create a network policy to match network access requests made by compliant client computers.

To configure a network policy for compliant client computers
1. In the console tree, under Policies, click Network Policies.
2. Disable the two default policies under Policy Name by right-clicking the policies, and then clicking Disable for each.
3. Right-click Network Policies, and then click New.
4. In the Specify Network Policy Name and Connection Type window, under Policy name, type Compliant-Full-Access, and then click Next.
5. In the Specify Conditions window, click Add.
6. In the Select condition dialog box, double-click Health Policies.
7. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
8. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant, and then click Next.
9. In the Specify Access Permission window, verify that Access granted is selected, and then click Next.
10. In the Configure Authentication Methods window, select Perform machine health check only. Clear all other check boxes, and then click Next.
11. Click No in the pop-up window warning you about authentication methods.
12. In the Configure Constraints window, click Next.
13. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next. See the following example.
14. In the Completing New Network Policy window, click Finish to complete configuration of your network policy for compliant client computers.
15. Click OK.

Configure a network policy for noncompliant client computers
Next, create a network policy to match network access requests made by noncompliant client computers.

To configure a network policy for noncompliant client computers
1. Right-click Network Policies, and then click New.
2. In the Specify Network Policy Name and Connection Type window, under Policy name, type Noncompliant-Restricted, and then click Next.
3. In the Specify Conditions window, click Add.
4. In the Select condition dialog box, double-click Health Policies.
5. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
6. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant, and then click Next.
7. In the Specify Access Permission window, verify that Access granted is selected, and then click Next.
Important: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that clients matching these conditions will be granted an access level determined by the policy.
8. In the Configure Authentication Methods window, select Perform machine health check only. Clear all other check boxes, and then click Next.
9. Click No in the pop-up window warning you about authentication methods.
10. In the Configure Constraints window, click Next.
11. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and verify that Enable auto-remediation of client computers is selected.
12. Click Next, and then click Finish. This completes configuration of your NAP network policies.
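Once both network policies are in place, the quickest way to confirm that VISTA is actually hitting Compliant-Full-Access or Noncompliant-Restricted is to read the NPS audit events on Server1. The script below is an added example, not part of the lab; it assumes Windows PowerShell 2.0 (for Get-WinEvent), default NPS auditing into the Security log, and the field labels used in the NPS audit message text.

```powershell
# Added example (not part of the lab): review the NAP decisions NPS on Server1 has logged.
# Assumes Windows PowerShell 2.0 (Get-WinEvent) and default NPS auditing into the Security log.
# NPS audit event IDs: 6272 granted, 6273 denied, 6276 quarantined, 6278 full access after health check.
param([int]$Hours = 24)

# Which network policy each health outcome should have matched, per the lab's policy names.
$expected = @{ 6276 = 'Noncompliant-Restricted'; 6278 = 'Compliant-Full-Access' }

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 6272, 6273, 6276, 6278; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No NPS events in the last $Hours h; have VISTA renew its lease (ipconfig /renew)."
    return
}

foreach ($e in ($events | Sort-Object TimeCreated)) {
    # The regexes below assume the field labels of the NPS audit message text; adjust if yours differ.
    $policy  = if ($e.Message -match 'Network Policy Name:\s*(\S.*)') { $Matches[1].Trim() } else { '?' }
    $client  = if ($e.Message -match 'Account Name:\s*(\S+)') { $Matches[1] } else { '?' }
    $verdict = switch ($e.Id) { 6276 { 'QUARANTINED' } 6278 { 'FULL ACCESS' } 6272 { 'granted' } 6273 { 'DENIED' } }

    $flag = ''
    if ($expected.ContainsKey($e.Id) -and $policy -ne $expected[$e.Id]) {
        # A health verdict reached through the wrong policy usually means the Health Policy condition is mis-set.
        $flag = "  <-- expected $($expected[$e.Id])"
    }
    '{0:u}  {1,-12} {2,-25} {3}{4}' -f $e.TimeCreated, $verdict, $client, $policy, $flag
}
```

Turn Windows Firewall off on VISTA and renew its lease, and a 6276 line naming Noncompliant-Restricted should appear, followed by a 6278 line naming Compliant-Full-Access once auto-remediation has switched the firewall back on.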

Configure DHCP on Server1


Open the DHCP console

To open the DHCP console
1. Click Start, click Run, type dhcpmgmt.msc, and then press ENTER.
2. Leave this window open for all DHCP configuration tasks.

Verify the default NAP profile
First, verify that the default NAP profile is being used on the DHCP server.

To verify the default NAP profile is being used
1. In the DHCP console, double-click server1.insiders.com, and then double-click IPv4.
2. Right-click Scope, and then click Properties.
3. On the Network Access Protection tab, verify that Use default Network Access Protection profile is selected, and then click OK.

Configure the default user class
Next, configure scope options for the default user class. These server options are used when a compliant client computer attempts to access the network and obtain an IP address from the DHCP server.

To configure default user class scope options
1. In the DHCP console, double-click Scope, right-click Scope Options, and then click Configure Options.
2. On the Advanced tab, verify that Default User Class is chosen next to User class.
3. Under Available Options, select the 003 Router check box, type 192.168.1.1 in IP Address, and click Add.
4. Select the 006 DNS Servers check box, type 192.168.1.1 in IP Address, and click Add.
5. Select the 015 DNS Domain Name check box, type insiders.com in String value, and then click OK. The insiders.com domain is a full-access network assigned to compliant NAP clients.

Configure the default NAP class
Next, configure scope options for the default network access protection class. These server options are used when a noncompliant client computer attempts to access the network and obtain an IP address from the DHCP server.

To configure default NAP class scope options
1. In the DHCP console, right-click Scope Options, and then click Configure Options.
2. On the Advanced tab, next to User class, choose Default Network Access Protection Class.
3. Select the 006 DNS Servers check box, type 192.168.1.1 in IP Address, and click Add.
4. Select the 015 DNS Domain Name check box, type restricted.insiders.com in String value, and then click OK. The restricted.insiders.com domain is a restricted-access network assigned to noncompliant NAP clients. Note that no 003 Router option is set for this class, so noncompliant clients receive no default gateway and can reach only the remediation servers on the local subnet.

Configuring VISTA


Enable the DHCP enforcement client
The NAP DHCP enforcement method requires that the DHCP enforcement client is enabled on NAP client computers.

To enable the DHCP enforcement client
1. Click Start, click All Programs, click Accessories, and then click Run.
2. Type napclcfg.msc, and then press ENTER.
3. In the console tree, click Enforcement Clients.
4. In the details pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.
5. Close the NAP Client Configuration console.

Enable and start the NAP agent service
By default, the Network Access Protection Agent service on computers running Windows Vista is configured with a startup type of Manual. VISTA must be configured so that the Network Access Protection Agent service starts automatically, and the service must be started.

To enable and start the NAP agent service
1. Click Start, click Control Panel, click System and Maintenance, and then click Administrative Tools.
2. Double-click Services.
3. In the services list, double-click Network Access Protection Agent.
4. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic, and then click Start.
5. Wait for the NAP agent service to start, and then click OK.
6. Close the Services console, Administrative Tools, and System and Maintenance windows.

Verify network connectivity for VISTA
Run the ping command from VISTA to confirm network communication between VISTA and DC1. Because the Network Access Protection Agent service and DHCP enforcement client are running, VISTA is considered NAP-capable by the DHCP server and is issued an IP address on the 192.168.1.0/24 subnet. This is required for VISTA to communicate with the insiders.com domain.

To use the ping command to check network connectivity
1. Click Start, click All Programs, click Accessories, and then click Command Prompt.
2. In the command window, type ping DC1.
3. Verify that the response reads "Reply from 192.168.1.1".
4. Close the command window.

Verification of NAP auto-remediation
The Noncompliant-Restricted authorization policy specifies that noncompliant computers should be automatically remediated. Use the following procedure to verify that VISTA is automatically remediated to a compliant state when Windows Firewall is turned off.

To verify that VISTA is auto-remediated when Windows Firewall is turned off
1. On VISTA, click Start, and then click Control Panel.
2. Click Security Center, and then click Windows Firewall.
3. In the Windows Firewall dialog box, click Change settings.
4. In the Windows Firewall Settings dialog box, click Off (not recommended), and then click OK.
5. Watch Windows Security Center and you will see that Windows Firewall is displayed as off and is then displayed as on.
6. You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because Windows Firewall has been turned off. Click this message for more information about the health status of VISTA. See the following example.
7. The NAP client will automatically turn Windows Firewall on to become compliant with network health requirements. The following message will appear in the notification area: This computer meets the requirements of this network.

Because auto-remediation occurs rapidly, you might not see one or both of these messages.
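Because the notification balloons can disappear before you read them, a script that checks the client state directly is a more reliable way to confirm the VISTA steps above. The script below is an added example, not part of the lab; it assumes the lab values (DC1 at 192.168.1.1, insiders.com as the full-access suffix, restricted.insiders.com as the restricted suffix), Windows PowerShell 2.0 running elevated on VISTA, and the line layout of netsh nap client show config.

```powershell
# Added example (not part of the lab): verify the VISTA NAP client state end to end.
# Assumed lab values: DC1 = 192.168.1.1, full-access DNS suffix insiders.com,
# restricted suffix restricted.insiders.com. Needs Windows PowerShell 2.0, run elevated on VISTA.
$Dc1 = '192.168.1.1'; $FullDns = 'insiders.com'; $LimitDns = 'restricted.insiders.com'
$report = @()
function Note([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:report += New-Object PSObject -Property @{ Check = $Check; OK = $Ok; Detail = $Detail }
}

# 1. NAP agent service must be Automatic and running (lab step "Enable and start the NAP agent service").
$svc = Get-WmiObject Win32_Service -Filter "Name='napagent'"
Note 'napagent service' ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running') "$($svc.StartMode)/$($svc.State)"

# 2. DHCP enforcement client enabled. The output layout of "netsh nap client show config" is an assumption
#    here: a "Name = DHCP Quarantine Enforcement Client" line followed by an "Admin = Enabled" line.
$cfg = netsh nap client show config | Out-String
$found = $cfg -match '(?s)DHCP Quarantine Enforcement Client.*?Admin\s*=\s*(\w+)'
$ecState = if ($found) { $Matches[1] } else { 'not listed' }
Note 'DHCP enforcement client' ($ecState -eq 'Enabled') $ecState

# 3. Which network did DHCP put us on? Option 015 decides: insiders.com = full, restricted.insiders.com = limited.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE AND DHCPEnabled=TRUE' |
       Select-Object -First 1
$restricted = ($nic.DNSDomain -eq $LimitDns)
Note 'DHCP DNS suffix' ($nic.DNSDomain -eq $FullDns) "$($nic.DNSDomain) (lease from $($nic.DHCPServer))"

# 4. Windows Firewall on the active profile(s): the only SHV check the lab leaves enabled.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$fwOn = $true
foreach ($p in 1, 2, 4) { if ($fw.CurrentProfileTypes -band $p) { $fwOn = $fwOn -and $fw.FirewallEnabled($p) } }
Note 'Windows Firewall' $fwOn "active profile mask $($fw.CurrentProfileTypes)"

# 5. Remediation server reachability: DC1 (group Rem1) must answer even from the restricted network.
Note 'ping DC1' (Test-Connection -ComputerName $Dc1 -Count 1 -Quiet) $Dc1

$report | Format-Table Check, OK, Detail -AutoSize
if ($restricted -and $fwOn) {
    Write-Host 'Firewall is on but the lease is still restricted: run ipconfig /renew to be re-evaluated.'
}
if (-not $restricted -and -not $fwOn) {
    Write-Host 'Firewall is off but the lease is full access: auto-remediation did not trigger; recheck steps 1 and 2.'
}
```

Run it once with the firewall on and once immediately after turning it off; the DNS suffix line is the clearest evidence of which DHCP user class the server applied.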

That's it for today's HOL
