
OFFICIAL MICROSOFT LEARNING PRODUCT

6435A
Lab Instructions and Lab Answer Key: Designing a Windows Server 2008 Network Infrastructure

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2008 Microsoft Corporation. All rights reserved. Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Product Number: 6435A Part Number: X17-47384 Released: 08/2008

Lab Instructions: Overview of Network Infrastructure

Module 1
Lab Instructions: Overview of Network Infrastructure
Contents
Exercise 1: Preparing for a Network Infrastructure Design
Exercise 2: Designing the Network Topology
Exercise 3: Designing Network Infrastructure for Virtualization
Exercise 4: Designing a Change Management Plan
Exercise 5: Lab Discussion


Lab: Designing Network Infrastructure in Windows Server 2008

Scenario
Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the network infrastructure for segments within the enterprise.

Woodgrove Bank has expanded significantly since the company implemented Windows Server 2008. The company has expanded to different countries located in different regions of the world, and has acquired several subsidiaries. As a result, you are asked to design the network infrastructure for the new locations.

There are three divisions in Woodgrove Bank for different regions of the world. The three regions are North America, Europe, and Asia. The first part of the network to be redesigned is the North America region. The changes in North America will be used as a template for adding additional branches and integrating newly acquired companies.

In North America, there are two major changes. Two new Canadian branches are opening that will be connected to the Toronto hub site. Also, a regional bank in Washington State has been purchased and must be integrated into the rest of the network.

Each region operates independently most of the time. All user applications and data are self-contained within each region. Batch transfers of data from each region to New York City are performed daily. The batch transfers are approximately 1 GB and must be completed within 2 hours during average usage times. Network utilization between regions averages 500 Kbps when the batch transfer is not being performed. The failure of one WAN link between regions should not affect other regions.

The main applications used by Woodgrove Bank are located in the network hub locations. Users in the branches use Terminal Services to run applications on servers in the network hub locations. Approximately 10 Kbps of WAN connectivity is required for each user at a branch location for optimal performance. Communication between hub site locations averages 2 Mbps and peaks at 6 Mbps.

The implementation of a Voice over IP system is being considered to lower telecommunication costs. If implemented, this system will use approximately 250 Kbps between each branch office and hub site. Approximately 500 Kbps will be used between hub sites within regions and between regions. Within a hub site, traffic should be tiered to increase manageability.

The connectivity of the newly acquired regional bank in Washington State uses Seattle as a hub site for the other four locations.

Also review the following documents:

M1_Locations.doc
M1_Physical.vsd
M1_VirtualMachines.doc


Exercise 1: Preparing for a Network Infrastructure Design


The main tasks for this exercise are:

1. Read the scenario and supporting documents.
2. Discuss whether additional information is required.

Task 1: Read the scenario and supporting documents


1. Read the scenario above.
2. Open and read the following documents from the Labdocs folder on your student CD:
   M1_Locations.doc
   M1_Physical.png
   M1_VirtualMachines.doc

Task 2: Discuss whether additional information is required


1. With your instructor, discuss what additional information, if any, is required to create a network infrastructure design.
2. With your instructor, determine what data can be assumed for completing the remainder of the lab.


Exercise 2: Designing the Network Topology


The existing network topology for Woodgrove Bank grew over time in an unplanned manner. This has resulted in the current network not meeting requirements. You need to create a new network topology that meets the requirements listed in the scenario and supporting documentation.

The main tasks for this exercise are:

1. Design the WAN links between regions.
2. Design the WAN links between hub sites in North America.
3. Design the WAN links to the new Canadian branches.
4. Design the connectivity for the newly purchased Washington State regional bank.
5. Design the tiers for the network within a hub site.

Task 1: Design the WAN links between regions


1. Determine what WAN links will be created between regions.
2. Determine which hub site in each region should be connected to other regions.
3. Determine how fast the WAN links between regions will be.

Task 2: Design the WAN links between hub sites in North America
1. Determine what WAN links will be created between hub sites in North America.
2. Determine how fast the WAN links will be between hub sites in North America.

Task 3: Design the WAN links to the new Canadian branches


Determine how fast the WAN links will be between the new Canadian branches and the Toronto hub site.

Task 4: Design the connectivity for the newly purchased Washington State regional bank
Determine how Seattle and other branches will be connected to Woodgrove Bank.

Task 5: Design the tiers for the network within a hub site
1. Determine the number of tiers that should be used.
2. Determine the resources that will be placed in each tier.
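The "how fast" questions in Tasks 1 to 3 come down to adding up the rates the scenario gives and rounding up to a circuit the carrier sells. The script below is an added example, not part of the 6435A lab materials: every rate in it is taken from the Module 1 scenario, while the per-branch head counts and the menu of circuit sizes are assumptions standing in for M1_Locations.doc and a carrier price list, neither of which is reproduced here.

```powershell
# Added example (not from the 6435A lab). Scenario rates are from Module 1; user counts
# and the circuit menu are assumptions. Kbps throughout; 1 GB is taken as 2^30 bytes.

# Rounds a requirement up to the next circuit size on an assumed carrier menu
# (fractional, T1, E1, 2xT1, 4xT1, 10 Mb Ethernet, T3, 100 Mb Ethernet).
function Get-CircuitKbps {
    param([double]$RequiredKbps)
    $menu = 512, 1544, 2048, 3088, 6176, 10000, 44736, 100000
    foreach ($size in $menu) { if ($size -ge $RequiredKbps) { return $size } }
    throw "No listed circuit carries $RequiredKbps Kbps"
}

# Branch to hub: Terminal Services users plus VoIP, with a growth margin.
function Get-BranchLinkKbps {
    param(
        [int]$Users,                   # assumption: per branch, from M1_Locations.doc
        [double]$PerUserKbps = 10,     # scenario: ~10 Kbps per Terminal Services user
        [double]$VoipKbps = 250,       # scenario: ~250 Kbps branch <-> hub if VoIP is adopted
        [double]$Headroom = 1.25       # assumption: 25 % growth margin
    )
    [math]::Ceiling(($Users * $PerUserKbps + $VoipKbps) * $Headroom)
}

# Hub to hub within a region: size to the observed peak, not the average, plus VoIP.
function Get-HubLinkKbps {
    param(
        [double]$PeakKbps = 6000,      # scenario: hub-to-hub traffic peaks at 6 Mbps
        [double]$VoipKbps = 500,       # scenario: ~500 Kbps between hub sites
        [double]$Headroom = 1.25
    )
    [math]::Ceiling(($PeakKbps + $VoipKbps) * $Headroom)
}

# Region to region: the nightly batch must fit its window on top of normal traffic.
function Get-InterRegionLinkKbps {
    param(
        [double]$BatchGB = 1,          # scenario: ~1 GB batch to New York City each day
        [double]$WindowHours = 2,      # scenario: must finish within 2 hours
        [double]$BackgroundKbps = 500, # scenario: 500 Kbps average outside the batch window
        [double]$VoipKbps = 500,       # scenario: ~500 Kbps between regions if VoIP is adopted
        [double]$Headroom = 1.25
    )
    $batchKbps = ($BatchGB * [math]::Pow(2, 30) * 8) / ($WindowHours * 3600) / 1000
    [math]::Ceiling(($batchKbps + $BackgroundKbps + $VoipKbps) * $Headroom)
}

# Constructed sample: the two new Canadian branches with assumed head counts.
$branches = @(
    @{ Name = 'Canadian branch 1'; Users = 20 },
    @{ Name = 'Canadian branch 2'; Users = 45 }
)
foreach ($b in $branches) {
    $need = Get-BranchLinkKbps -Users $b.Users
    '{0}: need {1} Kbps, order {2} Kbps' -f $b.Name, $need, (Get-CircuitKbps $need)
}
$hubNeed = Get-HubLinkKbps
'Toronto <-> New York: need {0} Kbps, order {1} Kbps' -f $hubNeed, (Get-CircuitKbps $hubNeed)
$regionNeed = Get-InterRegionLinkKbps
'Region <-> New York: need {0} Kbps, order {1} Kbps' -f $regionNeed, (Get-CircuitKbps $regionNeed)
```

Two design points the arithmetic does not settle: the scenario's rule that one failed inter-region link must not affect the other regions means each region needs its own circuit to the New York hub (or a mesh) rather than being daisy-chained through another region, and the VoIP figures only belong in the sums if the VoIP project is approved, so record both numbers in the design.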


Exercise 3: Designing Network Infrastructure for Virtualization


Woodgrove Bank is planning to virtualize several of its servers to optimize hardware utilization. You must determine how to design the network infrastructure to support the virtualized servers.

The main tasks in this exercise are:

1. Start the virtual machines, and then log on.
2. Review the MAC addresses used for virtualization.
3. Close all virtual machines and discard undo disks.
4. Determine the network connectivity required for each host server.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Review the MAC addresses used for virtualization


1. Open the Virtual Server administration Web site.
2. Edit the configuration of 6435A-NYC-DC1 and note the current MAC address: __________________________
3. View the Network adapter properties and review the available configuration options.

Task 3: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Task 4: Determine the network connectivity required for each host server
1. Determine the network connectivity required for NYC-HOST1.
2. Determine the network connectivity required for NYC-HOST2.
3. Determine the network connectivity required for NYC-HOST3.


Exercise 4: Designing a Change Management Plan


The existing change management system at Woodgrove Bank is very informal. When technical staff want to make a change, they seek approval from their immediate supervisor. However, supervisors often do not understand all the implications of a change. This has led to several outages. To reduce the chances of outages in the future, you need to design a formal change management process.

The main tasks in this exercise are:

1. Determine stakeholders who should be involved in the change management process.
2. Determine the process for submitting and approving a change.
3. Design a change request form.

Task 1: Determine stakeholders who should be involved in the change management process

1. Determine which IT roles should be part of the change management process.
2. Determine which non-IT roles should be part of the change management process.

Task 2: Determine the process for submitting and approving a change


1. Determine who should submit a change request.
2. Determine when changes can be implemented.
3. Determine who can approve change requests.
4. Determine an alternate process for emergency changes.
5. Determine who can approve emergency changes.

Task 3: Design a change request form


Determine what information should be included in a change request.


Exercise 5: Lab Discussion


A discussion with the entire class allows you to learn from the experience of other students in the class. They may have different ideas of how an appropriate design can be implemented. The main task in this exercise is to participate in a group discussion about your design decisions.

Task 1: Participate in a group discussion about your design decisions


1. As a group, discuss why you made the design decisions you did for the network topology.
2. As a group, discuss the specific concerns for virtualization and how they can be addressed.
3. As a group, discuss how the change management plan will be implemented.

Lab Instructions: Designing Network Security

Module 2
Lab Instructions: Designing Network Security
Contents:
Exercise 1: Identifying a Team for the Security Plan Scenario
Exercise 2: Identifying Threats
Exercise 3: Analyzing Risk
Exercise 4: Implementing Password Policies


Lab: Designing a Network Security Plan

Scenario
Woodgrove Bank is a large multinational corporation with offices located in multiple countries. Until now, security planning for IT resources has been handled by the individual areas responsible for network infrastructure and applications. For example, the network team was responsible for all network-related security, with no formal process for involving application support or functional areas within the business.

There is concern at the executive level of Woodgrove Bank that the current structure for security is not efficient for allocating resources. A new centralized system for managing security is being implemented. This process will include creating a security design team and performing formal risk analysis to allocate resources.

Use the following documents to help create your design:

M2_ITSupport.doc
M2_NANetwork.png
M2_NetworkConnectivity.doc
M2_OrgChart.png
M2_OrgStructure.doc


Exercise 1: Identifying a Team for the Security Plan Scenario


Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the network infrastructure for segments within the enterprise.

The main tasks for this exercise are:

1. Start the virtual machines, and then log on.
2. Design a security design process.
3. Design a team for the security plan.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Design a security design process


1. What steps need to be performed when designing network security?

Task 3: Design a team for the security plan


1. What are the necessary roles for a security design team?
2. Which person should be the sponsor for this project?
3. Which people should be involved from product management?
4. Which person should be the project manager?
5. Which people should be involved in development of security measures?
6. Which people should be involved in testing?
7. Which people should be involved in user experience?


Exercise 2: Identifying Threats


The main task for this exercise is: Identify risks to resources.

Task 1: Identify risks to resources


1. Use the STRIDE model to identify risks to resources in the perimeter network.

   STRIDE                   Example Risk
   Spoofing
   Tampering
   Repudiation
   Information disclosure
   Denial of service
   Elevation of privilege

2. Use the STRIDE model to identify risks to resources on the internal network.

   STRIDE                   Example Risk
   Spoofing
   Tampering
   Repudiation
   Information disclosure
   Denial of service
   Elevation of privilege

3. Use the defense-in-depth model to identify risks to resources on the network.

   Layer                                  Example Risk
   Data
   Application
   Host
   Internal network
   Perimeter
   Physical security
   Policies, procedures, and awareness


Exercise 3: Analyzing Risk


After identifying potential risks, it has been determined that the risks to resources in the perimeter network are the most important to address. You must now calculate the risk impact for risks to resources in the perimeter network to determine which projects to implement. Your budget for implementing new security measures this year is $500,000. The document M2_RiskFigures.doc in the Labdocs folder on the student CD contains additional information about risk probability and costs.

The main tasks in this exercise are:

1. Determine risk impact.
2. Determine how to allocate your security budget.

Task 1: Determine risk impact


1. What is the risk impact for a denial of service attack on the Web application for investors?
2. What is the risk impact for a password attack on the Web application for customer service accounts?
3. What is the risk impact for an attack on the Web server with general information for customers that puts false information on the Web site?

Task 2: Determine how to allocate your security budget


1. Which projects will you fund based on your budget?
2. Can you make an effective argument to management for more security funding?
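Tasks 1 and 2 are one calculation: express each risk as an annualized loss expectancy (single loss expectancy multiplied by annual rate of occurrence), estimate how much of that loss each countermeasure removes, and fund the countermeasures that buy the most avoided loss per dollar until the $500,000 is gone. The script below is an added example and not part of the lab; every figure in its risk table is a constructed placeholder for the values in M2_RiskFigures.doc, and it assumes the control cost is already annualized so that it can be compared with an annual loss.

```powershell
# Added example (not from the 6435A lab). SLE, ARO, ControlCost and Reduction below are
# constructed placeholders; ControlCost is assumed to be the annualized cost of the control.

function Get-AnnualizedLossExpectancy {
    param([double]$SingleLossExpectancy, [double]$AnnualRateOfOccurrence)
    $SingleLossExpectancy * $AnnualRateOfOccurrence
}

# Ranks controls by annual loss avoided per dollar and funds them in that order while the
# budget lasts, refusing any control that costs more per year than the loss it avoids.
function Select-SecurityProjects {
    param([array]$Risks, [double]$Budget)
    $ranked = $Risks | ForEach-Object {
        $ale = Get-AnnualizedLossExpectancy -SingleLossExpectancy $_.SLE -AnnualRateOfOccurrence $_.ARO
        $avoided = $ale * $_.Reduction
        New-Object PSObject -Property @{
            Name = $_.Name; ALE = $ale; ControlCost = $_.ControlCost
            Avoided = $avoided; AvoidedPerDollar = $avoided / $_.ControlCost
        }
    } | Sort-Object AvoidedPerDollar -Descending
    $remaining = $Budget
    foreach ($r in $ranked) {
        $funded = ($r.ControlCost -le $remaining) -and ($r.Avoided -gt $r.ControlCost)
        if ($funded) { $remaining -= $r.ControlCost }
        $r | Add-Member -MemberType NoteProperty -Name Funded -Value $funded -PassThru
    }
}

# The three perimeter risks from Task 1, with constructed figures.
$risks = @(
    @{ Name = 'Denial of service against the investor Web application';      SLE = 250000; ARO = 0.5;  ControlCost = 80000;  Reduction = 0.8 },
    @{ Name = 'Password attack on customer service Web accounts';            SLE = 400000; ARO = 0.25; ControlCost = 90000;  Reduction = 0.9 },
    @{ Name = 'False information posted on the customer information server'; SLE = 60000;  ARO = 1.0;  ControlCost = 300000; Reduction = 0.7 }
)

$decision = Select-SecurityProjects -Risks $risks -Budget 500000
$decision | Format-Table Name, ALE, Avoided, ControlCost, Funded -AutoSize

# What is left over and what loss you still carry are the inputs to the "more funding" question.
$spent    = ($decision | Where-Object { $_.Funded } | Measure-Object ControlCost -Sum).Sum
$residual = ($decision | ForEach-Object { if ($_.Funded) { $_.ALE - $_.Avoided } else { $_.ALE } } | Measure-Object -Sum).Sum
'Spent {0:N0} of {1:N0}; residual annual expected loss {2:N0}' -f $spent, 500000, $residual
```

The residual figure is the honest basis for Task 2's second question: if the unfunded items still carry more expected annual loss than the budget you would need to control them, that is the argument for more money; if they do not, the better argument is for a cheaper control, not a bigger budget.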


Exercise 4: Implementing Password Policies


Now that all domain controllers have been upgraded to Windows Server 2008, you would like to take advantage of the fine-grained password policies that are available. Fine-grained password policies allow you to vary the password policy for various groups of users. A password policy is required for Customer Service staff.

The main tasks in this exercise are:

1. Raise the domain functional level to Windows Server 2008.
2. Create a fine-grained password policy for customer service staff.
3. Associate the new fine-grained password policy with Customer Service groups.
4. Verify the resultant PSO for a user.
5. Close all virtual machines and discard undo disks.

Task 1: Raise the domain functional level to Windows Server 2008


1. On NYC-DC1, use Active Directory Users and Computers to raise the domain functional level to Windows Server 2008.

Task 2: Create a fine grained password policy for customer service staff
1. On NYC-DC1, open ADSI Edit.
2. Connect to the Default naming context and browse to CN=Password Settings Container,CN=System,DC=WoodgroveBank,DC=com.
3. Create a new msDS-PasswordSettings object in the Password Settings Container with the following settings:
   Common-Name: CustomerService
   Password Settings Precedence: 1
   Password reversible encryption status for user accounts: FALSE
   Password History Length for user accounts: 5
   Password complexity status for user accounts: TRUE
   Minimum Password Length for user accounts: 6
   Minimum Password Age for user accounts: 1:00:00:00
   Maximum Password Age for user accounts: 60:00:00:00
   Lockout threshold for lockout of user accounts: 10
   Observation Window for lockout of user accounts: 0:00:30:00
   Lockout duration for locked out user accounts: 0:00:45:00

Task 3: Associate the new fine grained password policy with Customer Service groups
1. On NYC-DC1, open Active Directory Users and Computers and enable viewing of Advanced Features.
2. Browse to the Password Settings Container in the System container.
3. In the properties of the CustomerService object, edit the msDS-PSOAppliesTo attribute.
4. Add the following Windows groups:
   NYC_CustomerServiceGG
   MIA_CustomerServiceGG
   TOR_CustomerServiceGG


Task 4: Verify resultant PSO for a user


1. On NYC-DC1, use Active Directory Users and Computers to view the properties of Matt Berg in the Toronto Customer Service OU.
2. On the Attribute Editor tab, enable viewing of Constructed attributes.
3. Verify that the msDS-ResultantPSO attribute shows the CustomerService PSO.
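Tasks 2 to 4 create, link and verify one PSO by hand. The script below is an added example, not part of the lab, that does the same three steps with the ActiveDirectory module and adds the checks a practitioner wants before linking a PSO: that the observation window does not exceed the lockout duration (the directory rejects that), that no other PSO already uses precedence 1 (ties are broken by object GUID, which nobody can reason about later), and that every member of the three groups really resolves to CustomerService rather than to some other PSO or the domain default. It assumes Windows Server 2008 R2 or later, or RSAT, with the module installed; the lab's Windows Server 2008 domain controller does not ship these cmdlets, which is why the lab uses ADSI Edit. The group and user names are the lab's own.

```powershell
# Added example (not from the 6435A lab). Requires the ActiveDirectory module
# (Windows Server 2008 R2 or later, or RSAT); group names are the lab's.
Import-Module ActiveDirectory

# The same values the lab enters through ADSI Edit in Task 2.
$pso = @{
    Name                        = 'CustomerService'
    Precedence                  = 1
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 5
    ComplexityEnabled           = $true
    MinPasswordLength           = 6
    MinPasswordAge              = New-TimeSpan -Days 1
    MaxPasswordAge              = New-TimeSpan -Days 60
    LockoutThreshold            = 10
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
    LockoutDuration             = New-TimeSpan -Minutes 45
}
$groups = 'NYC_CustomerServiceGG', 'MIA_CustomerServiceGG', 'TOR_CustomerServiceGG'

# AD refuses an observation window longer than the lockout duration; say so readably.
if ($pso.LockoutObservationWindow -gt $pso.LockoutDuration) {
    throw 'LockoutObservationWindow must not exceed LockoutDuration'
}
# Two PSOs with the same precedence are tie-broken by GUID. Refuse to create that situation.
$clash = Get-ADFineGrainedPasswordPolicy -Filter "Precedence -eq $($pso.Precedence)"
if ($clash) { throw "Precedence $($pso.Precedence) is already used by: $($clash.Name -join ', ')" }

New-ADFineGrainedPasswordPolicy @pso                                   # Task 2
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects $groups   # Task 3

# Task 4 for everyone: list each group member whose resultant PSO is not the expected one.
# A user linked directly to another PSO, or in a group with a lower precedence value, wins.
function Test-ResultantPso {
    param([string[]]$Groups, [string]$ExpectedPso)
    $users = $Groups | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
             Where-Object { $_.objectClass -eq 'user' } | Sort-Object distinguishedName -Unique
    foreach ($u in $users) {
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $u.distinguishedName
        $actual = if ($resultant) { $resultant.Name } else { 'Default Domain Policy' }
        if ($actual -ne $ExpectedPso) {
            New-Object PSObject -Property @{ User = $u.SamAccountName; ResultantPso = $actual }
        }
    }
}
Test-ResultantPso -Groups $groups -ExpectedPso $pso.Name
```

Two caveats the lab does not spell out: PSOs link to users and to global security groups only, so a domain local or distribution group in msDS-PSOAppliesTo silently does nothing, and a six-character minimum is weaker than the seven characters the default domain policy enforces, so this PSO loosens the policy for customer service staff rather than tightening it.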

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Lab Instructions: Designing IP Addressing

Module 3
Lab Instructions: Designing IP Addressing
Contents:
Exercise 1: Designing an IPv4 Addressing Scheme
Exercise 2: Designing a DHCP Implementation
Exercise 3: Designing an IPv6 Addressing Scheme


Lab: Designing IP Addressing in Windows Server 2008

Scenario
Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the IP addressing for segments within the enterprise.

Woodgrove Bank has expanded significantly since the company implemented Windows Server 2008. The company has expanded to different countries located in different regions of the world, and has acquired several subsidiaries. As a result, you are re-evaluating IP addressing for the entire organization.

There are three divisions in Woodgrove Bank for different regions of the world. The three regions are North America, Europe, and Asia. The first part of the network to be redesigned is the North America region. The changes in North America will be used as a template for adding additional branches and integrating newly acquired companies.


Exercise 1: Designing an IPv4 Addressing Scheme


You must design an IPv4 addressing scheme for Woodgrove Bank that takes into account the number of hosts in each location. The following documents provide the information you need to complete the design:

M3_NANetwork.png
M3_NetworkConnectivity.doc
M3_LocationDetails.doc

The main tasks for this exercise are:

1. Determine the number of external addresses required.
2. Determine an internal IPv4 addressing scheme for locations.

Task 1: Determine the number of external addresses required


1. Which resources require public IPv4 addresses?
2. How many public IPv4 addresses are required?
3. How will you obtain the necessary public IP addresses?

Task 2: Determine an internal IPv4 addressing scheme for locations.


1. Which internal network address will you use?
2. Which subnet mask will you use for branch offices?
3. Which subnet mask will you use for hub sites?
4. Which subnet mask will you use for the North America division?
5. List the networks and subnet masks used by each hub site.
6. List the networks and subnet masks used by the New York hub site internally, and for its branches.


Exercise 2: Designing a DHCP Implementation.


You must design a DHCP implementation that meets the needs of Woodgrove Bank in North America. Use the following criteria for your planning:

Hub sites must have some form of high availability for DHCP.
The number of DHCP servers should be minimized to simplify administration.
All client applications are centralized in hub sites by using Terminal Services.

The main task for this exercise is: Design a DHCP implementation.

Task 1: Design a DHCP implementation.


1. How should DHCP clients in branch offices obtain an IP address?
2. How will you provide high availability for DHCP in the hub sites?
3. How many scopes need to be configured on the DHCP servers in the hub site?


Exercise 3: Designing an IPv6 Addressing Scheme


Woodgrove Bank is implementing a new Voice-over-IP (VoIP) phone system that will integrate with the messaging system to provide unified communications. The selected phone system uses IPv6 rather than IPv4. You must design an IPv6 addressing scheme and determine how IPv6 will be implemented.

The main tasks for this exercise are:

1. Design an IPv6 addressing scheme.
2. Design an IPv6 implementation.

Task 1: Design an IPv6 addressing scheme.


1. Which internal network address will you use?
2. Which network address will you use for the North America division?
3. Which network addresses will you use for hub sites?
4. Which network addresses will you use for branch offices?

Task 2: Design an IPv6 implementation.


1. What IPv6 transition method will you use?
2. What process will you follow when implementing IPv6?
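The subnet-mask questions in Exercise 1 Task 2 and the prefix questions in Exercise 3 Task 1 have the same shape: pick one block per division, carve one block per hub out of it, and carve tiers and branches out of each hub block, so that every level summarizes to a single route at the level above. The script below is an added example and not part of the lab materials. The choice of 10.0.0.0/8, the three hub names, four tiers per hub and the 2001:db8::/32 documentation prefix are assumptions for illustration; the real host counts are in M3_LocationDetails.doc, which is not reproduced here.

```powershell
# Added example (not from the 6435A lab). 10.0.0.0/8, the hub names, the tier count and
# the 2001:db8::/32 prefix are assumptions; size the real blocks from M3_LocationDetails.doc.

function ConvertTo-IPv4UInt32 ([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)                                               # BitConverter is little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IPv4UInt32 ([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

# Splits a CIDR block into all of its equally sized children of the requested prefix length.
function Split-IPv4Block {
    param([string]$Cidr, [int]$ChildPrefix)
    $network, $parentPrefix = $Cidr.Split('/')
    $parentPrefix = [int]$parentPrefix
    if ($ChildPrefix -lt $parentPrefix -or $ChildPrefix -gt 30) { throw "/$ChildPrefix does not fit inside $Cidr" }
    $mask  = [uint64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $parentPrefix))
    $base  = [uint64](ConvertTo-IPv4UInt32 $network) -band $mask     # normalise to the network address
    $size  = [uint64][math]::Pow(2, 32 - $ChildPrefix)
    $count = [int][math]::Pow(2, $ChildPrefix - $parentPrefix)
    0..($count - 1) | ForEach-Object {
        (ConvertFrom-IPv4UInt32 ([uint32]($base + [uint64]$_ * $size))) + "/$ChildPrefix"
    }
}

# IPv6: hextet arithmetic is enough when the parent ends on a 16-bit boundary and the child is
# exactly 16 bits longer, which covers the /32 -> /48 (site) and /48 -> /64 (subnet) steps here.
function Split-IPv6Prefix {
    param([string]$Prefix, [int]$ChildPrefix, [int]$First = 8)
    $network, $parentPrefix = $Prefix.Split('/')
    $parentPrefix = [int]$parentPrefix
    if ($parentPrefix % 16 -ne 0 -or $ChildPrefix - $parentPrefix -ne 16) {
        throw 'Split-IPv6Prefix only handles 16-bit steps on 16-bit boundaries'
    }
    $bytes   = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    $hextets = 0..7 | ForEach-Object { ([int]$bytes[2 * $_] -shl 8) -bor [int]$bytes[2 * $_ + 1] }
    $slot    = ($ChildPrefix / 16) - 1                   # the hextet that the children vary
    0..($First - 1) | ForEach-Object {
        $h = $hextets.Clone()
        $h[$slot] = $_
        $text = ($h | ForEach-Object { '{0:x}' -f $_ }) -join ':'
        [System.Net.IPAddress]::Parse($text).ToString() + "/$ChildPrefix"   # Parse() compresses zeros
    }
}

$regions     = 'North America', 'Europe', 'Asia'     # from the scenario
$hubs        = 'New York', 'Toronto', 'Seattle'      # assumption: North America hub sites
$tiersPerHub = 4                                     # assumption

$plan = @{}
$regionBlocks = Split-IPv4Block -Cidr '10.0.0.0/8' -ChildPrefix 10     # one /10 per region, one spare
for ($i = 0; $i -lt $regions.Count; $i++) { $plan[$regions[$i]] = @{ Block = $regionBlocks[$i]; Hubs = @{} } }

$hubBlocks = Split-IPv4Block -Cidr $plan['North America'].Block -ChildPrefix 16   # one /16 per hub
$siteV6    = Split-IPv6Prefix -Prefix '2001:db8::/32' -ChildPrefix 48 -First $hubs.Count
for ($i = 0; $i -lt $hubs.Count; $i++) {
    $subnets = Split-IPv4Block -Cidr $hubBlocks[$i] -ChildPrefix 24            # 256 x /24 per hub
    $plan['North America'].Hubs[$hubs[$i]] = @{
        Block     = $hubBlocks[$i]
        Tiers     = $subnets[0..($tiersPerHub - 1)]                           # hub-internal tiers first
        Branches  = $subnets[$tiersPerHub..($subnets.Count - 1)]              # the rest reserved for branches
        V6Site    = $siteV6[$i]
        V6Subnets = Split-IPv6Prefix -Prefix $siteV6[$i] -ChildPrefix 64 -First $tiersPerHub
    }
}

foreach ($hub in $hubs) {
    $h = $plan['North America'].Hubs[$hub]
    '{0}: {1} | tiers {2} | first branch {3} | IPv6 {4} -> {5}' -f $hub, $h.Block, ($h.Tiers -join ' '), $h.Branches[0], $h.V6Site, ($h.V6Subnets -join ' ')
}
```

With this layout the answers to Task 2 fall out of the prefix lengths: /10 (255.192.0.0) for the division, /16 (255.255.0.0) for a hub site, /24 (255.255.255.0) for a branch, and each hub advertises one /16 to the rest of the region because its branch /24s are carved from inside it. Keeping branch subnets inside the hub block is what makes the routing tables small and the firewall rules in Module 5 writable as single ranges.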

Lab Instructions: Designing Routing and Switching Requirements

Module 4
Lab Instructions: Designing Routing and Switching Requirements
Contents
Exercise 1: Designing Internal Infrastructure
Exercise 2: Designing a Perimeter Network
Exercise 3: Evaluating Network Performance
Exercise 4: Monitoring Network Performance


Lab: Designing Routing and Switching

Scenario
Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the network routing topology within the enterprise. Woodgrove Bank has purchased a regional bank located in Washington State. This bank must be integrated into the existing network. You are evaluating and redesigning the network infrastructure and routing of the newly purchased regional bank.


Exercise 1: Designing Internal Infrastructure


Use the following documents when designing internal infrastructure:

M3_NANetwork.png
M4_WashingtonNetwork.png
M4_RoutingRequirements.doc

The main tasks for this exercise are:

1. Start the virtual machines, and then log on.
2. Design the routing between locations.
3. Design the routing within the Seattle hub site.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Design the routing between locations.


1. What type of WAN link will you use between Seattle and the New York hub site?
2. What type of WAN link will you use between Seattle and the branch offices?
3. What routing protocol should be used to control routing?
4. Will you place any filters on communication between Seattle and the branch offices?
5. On a piece of paper, draw how the new bank will integrate with the existing network infrastructure.

Task 3: Design the routing within the Seattle hub site.


1. Which networks will you create within the Seattle hub site?
2. Will you perform routing within the Seattle hub site by using routers or layer 3 switches?
3. If switches are used, how will you define VLANs?
4. On a piece of paper, draw the logical networks of the Seattle hub site.


Exercise 2: Designing a Perimeter Network


The perimeter network for Woodgrove Bank is currently configured with a multi-homed firewall. The firewall is running on an x86 server with specialized firewall software. However, the vendor that provided the software is no longer in business. As a consequence, the perimeter network is being redesigned.

Woodgrove Bank has recently partnered with Humongous Insurance to provide new services. As part of the agreement, Humongous Insurance agents will have access to a private customer database through a Web-based interface.

Use the following document when designing the perimeter network:

M4_InternetConnectivity.doc

The main tasks for this exercise are:

1. Design extranet communication.
2. Design firewall configuration.
3. Design Internet access.

Task 1: Design extranet communication.


1. What are the requirements for extranet communication with Humongous Insurance?
2. Which type of WAN link will you use for the extranet?
3. How will you limit partner access to your network?

Task 2: Design firewall configuration.


1. What criteria will you consider when purchasing a new firewall?
2. Which firewall design will you use?
3. Which filtering rules will be in place?

Task 3: Design Internet Access


How will users be provided with Internet access?

You should implement a proxy server to provide internal users with Internet access. To provide user-based logging, users must be authenticated, which NAT cannot do because it only translates addresses and ports and has no notion of a user. To reduce the impact of Internet access on the WAN links, a hierarchy of proxy servers can be configured so that a cache of commonly accessed Internet Web sites is maintained at each hub site.


Exercise 3: Evaluating Network Performance


The Toronto hub site has added several new applications, including a streaming media server for training videos. After adding these new servers, network performance has been inconsistent, with some users complaining about slow access to network services. You must determine how to adjust the existing network infrastructure for better performance. You will use Network Monitor to view network utilization statistics.

Use the following documents when evaluating network performance:

M4_TorontoPerformance.doc
M4_TorontoNetwork.png

The main task in this exercise is:

1. Adjust the network design.

Task 1: Adjust the network design.


1. Why is the problem only occurring when a live broadcast is being streamed?
2. What appears to be the bottleneck on the network?
3. How can you eliminate the bottleneck?
4. Is there any way to adjust the application to resolve this problem?


Exercise 4: Monitoring Network Performance


In this exercise, you will use Microsoft tools to monitor network performance on a server. Network Monitor captures the traffic that reaches the network adapter of the computer it runs on: that computer's own traffic, broadcasts, and the traffic of other computers only when the switch mirrors their ports to it or the segment is shared.

The main tasks in this exercise are:

1. Enable file sharing on NYC-WEB.
2. Use Windows Task Manager to view network statistics.
3. Use Reliability and Performance Monitor to view network statistics.
4. Use Network Monitor to view network statistics.
5. Close all virtual machines and discard undo disks.

Task 1: Enable file sharing on NYC-WEB


1. Use Network and Sharing Center in Control Panel to turn on network discovery and file sharing.

Task 2: Use Windows Task Manager to view network statistics.


1. Run D:\Mod04\Labfiles\copyloop.bat.
2. Open Windows Task Manager and review the statistics on the Networking tab.

Task 3: Use Reliability and Performance Monitor to view network statistics.


1. On NYC-DC1, open Reliability and Performance Monitor.
2. On the Resource Overview page, expand the Network section and review the available statistics.
3. Start the process of adding a new counter and view the counters available for the following objects:
   ICMP
   ICMPv6
   IPv4
   IPv6
   Network Interface
   Redirector

Task 4: Use Network Monitor to view network statistics.


1. On NYC-DC1, start Network Monitor.
2. Create a new capture tab.
3. Start a new capture.
4. Review the information in the Frame Summary pane.
5. Stop the capture.
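The Network Interface counters you browsed in Task 3 are the quickest way to answer Exercise 3's "what is the bottleneck" question, because "Bytes Total/sec" against "Current Bandwidth" gives utilization per adapter. The script below is an added example and not part of the lab: it samples those two counters for a few seconds and reports average, peak and peak utilization per interface. It assumes PowerShell 2.0 or later for Get-Counter and that you run it on the server you suspect (the streaming server in the Toronto case); the 70 % rule of thumb in the comment is general practice, not a figure from the lab.

```powershell
# Added example (not from the 6435A lab). Needs PowerShell 2.0 or later (Get-Counter).
function Get-InterfaceUtilization {
    param([int]$Seconds = 10)
    $paths = '\Network Interface(*)\Bytes Total/sec', '\Network Interface(*)\Current Bandwidth'
    $sets  = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $Seconds

    # Gather per-interface throughput samples; Current Bandwidth is already bits per second.
    $byNic = @{}
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            if (-not $byNic.ContainsKey($s.InstanceName)) {
                $byNic[$s.InstanceName] = @{ BytesPerSec = @(); LinkBitsPerSec = 0 }
            }
            if ($s.Path -like '*bytes total/sec') { $byNic[$s.InstanceName].BytesPerSec += $s.CookedValue }
            else                                   { $byNic[$s.InstanceName].LinkBitsPerSec = $s.CookedValue }
        }
    }

    foreach ($name in $byNic.Keys) {
        $nic = $byNic[$name]
        if ($nic.LinkBitsPerSec -le 0 -or $nic.BytesPerSec.Count -eq 0) { continue }   # tunnels, disconnected NICs
        $avg  = ($nic.BytesPerSec | Measure-Object -Average).Average
        $peak = ($nic.BytesPerSec | Measure-Object -Maximum).Maximum
        New-Object PSObject -Property @{
            Interface   = $name
            LinkMbps    = [math]::Round($nic.LinkBitsPerSec / 1e6, 0)
            AvgMbps     = [math]::Round($avg * 8 / 1e6, 2)
            PeakMbps    = [math]::Round($peak * 8 / 1e6, 2)
            PeakUtilPct = [math]::Round($peak * 8 / $nic.LinkBitsPerSec * 100, 1)
        }
    }
}

# Rule of thumb (not from the lab): a shared link sustained above ~70 % is the bottleneck to chase.
Get-InterfaceUtilization -Seconds 10 |
    Sort-Object PeakUtilPct -Descending |
    Format-Table Interface, LinkMbps, AvgMbps, PeakMbps, PeakUtilPct -AutoSize
```

Read the result together with the questions in Exercise 3: if the streaming server's adapter climbs toward 100 % only while a live broadcast runs and the figure grows with the number of viewers, each viewer is receiving a separate unicast copy, which is the application-side adjustment the last question is pointing at; if the server's adapter is idle but users are still slow, the saturated link is an uplink between switches that this server cannot see, and the same counters need to be read on a host behind that uplink.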

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Lab Instructions: Designing Security for Internal Networks

Module 5
Lab Instructions: Designing Security for Internal Networks
Contents
Exercise 1: Designing a Windows Firewall Implementation
Exercise 2: Designing an IPsec Implementation


Lab: Designing a Secure Internal Network

Scenario
Woodgrove Bank has completed a redesign of the physical network infrastructure. This included all WAN links, routing, and switching. The next project assigned to the network infrastructure team is securing the internal network. This involves analyzing how to implement Windows Firewall and IPsec to protect network resources. The first location to analyze is the Toronto hub site. The design developed for the Toronto hub site will be used as a template for other hub sites.


Exercise 1: Designing a Windows Firewall Implementation


After analyzing security on the Woodgrove Bank network by using the defense-in-depth model, the network infrastructure team has concluded that internal security can be improved by implementing Windows Firewall. To maximize security, outbound rules will also be implemented on workstations and servers. Use the following document to help create your design:
  M5_TorontoApplications.doc

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine what rules to create on each computer.
3. Determine how to configure Windows Firewall on each computer.
4. Implement a Windows Firewall rule by using Group Policy.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Determine what rules to create on each computer.


1. What inbound rules should be implemented on servers?
2. What outbound rules should be implemented on servers?
3. What inbound rules should be implemented on Vista workstations?
4. What outbound rules should be implemented on Vista workstations?
5. What concerns do you have about operating systems other than Windows Server 2008 and Windows Vista?

Task 3: Determine how to configure Windows firewall on each computer.


1. How will Windows Firewall be deployed on servers?
2. How will Windows Firewall be deployed on workstations?

Task 4: Implement a Windows Firewall rule by using Group Policy.


1. On NYC-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Use the Group Policy Management administrative tool to link a new GPO to the Toronto OU.
   Name: Firewall Rules
3. Edit the Firewall Rules GPO and add a new Windows Firewall outbound rule under Computer Configuration.
   Rule type: Program
   Program path: C:\Program Files\Internet Explorer\Iexplore.exe
   Action: Allow the connection
   Profile: Domain, Private, and Public
   Name: Allow IE
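The Task 4 rule, written with netsh advfirewall instead of the Group Policy editor, together with the one setting the exercise's "outbound rules will also be implemented" depends on: an outbound allow rule changes nothing while the profile's default outbound action is still Allow. This is an added example, not part of the lab. The GPO store syntax, the domain controller addresses 10.10.0.10 and 10.10.0.110, and the port list are assumptions; check the ports against M5_TorontoApplications.doc before using them on a real network. Run it in an elevated prompt on NYC-DC1.

```powershell
# Added example, not from the 6435A lab. Assumed: GPO "Firewall Rules" in
# WoodgroveBank.com; domain controllers at 10.10.0.10 and 10.10.0.110; the
# port list is a minimum for a domain member and must be validated.

# Write into the GPO instead of this computer's local firewall store.
netsh advfirewall set store gpo="WoodgroveBank.com\Firewall Rules"

# Task 4: outbound program rule for all three profiles.
netsh advfirewall firewall add rule name="Allow IE" dir=out action=allow `
    program="C:\Program Files\Internet Explorer\iexplore.exe" profile=any

# Outbound rules only matter once the default outbound action is Block. Before
# flipping it, allow what a domain member needs to stay manageable, or Group
# Policy can no longer be refreshed from the domain controllers and the fix
# cannot be delivered. The built-in "Core Networking" group already allows
# DNS, DHCP and ICMPv6; it does not cover Kerberos, LDAP, SMB or RPC.
#   TCP 88 Kerberos, 135 RPC endpoint mapper, 389/636/3268 LDAP, 445 SMB
#   (SYSVOL), 49152-65535 RPC dynamic range on Windows Server 2008.
#   UDP 88 Kerberos, 123 NTP, 389 LDAP ping.
netsh advfirewall firewall add rule name="Allow domain services (TCP)" dir=out action=allow `
    protocol=tcp remoteport=88,135,389,445,636,3268,49152-65535 `
    remoteip=10.10.0.10,10.10.0.110 profile=domain
netsh advfirewall firewall add rule name="Allow domain services (UDP)" dir=out action=allow `
    protocol=udp remoteport=88,123,389 remoteip=10.10.0.10,10.10.0.110 profile=domain

# Now the default: anything without an allow rule is dropped in both directions.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Back to the local store.
netsh advfirewall set store local

# On a computer in the Toronto OU, confirm what is actually enforced after the
# policy is applied (the local firewall merges GPO and local rules).
gpupdate /force
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Allow IE" verbose
```

If the outbound default is changed in the same GPO as the allow rules, link the GPO to a single test OU first; a computer that receives the block before the allow rules can only be repaired from its console.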


Exercise 2: Designing an IPsec Implementation


To further secure network communication, the network infrastructure team has decided to secure communication between all users in the Investments group. This will prevent non-Investments users from accessing Investments data or applications. Use the following document to help create your design:
  M5_IPsecRequirements.doc

The main tasks for this exercise are:
1. Determine connection security rules.
2. Determine how to configure connection security rules on each computer.
3. Implement connection security rules.
4. Create a firewall rule for a specific user.
5. Close all virtual machines and discard undo disks.

Task 1: Determine connection security rules.


1. What authentication requirements should be used?
   All of the computers in the Investments group should require authentication for inbound connections and request authentication for outbound connections. In this way, all communication to Investments servers and workstations must be authenticated. However, Investments workstations can still initiate communication with servers that are not part of the Investments area, and those connections will not be authenticated.
2. What authentication method should be used?
   Using Kerberos authentication (user and computer) provides the flexibility to create firewall rules that are specific to particular computer accounts or user accounts. This is the best way to control communication. It also requires no additional configuration on the computers, because they are already members of the domain and therefore participate in Kerberos authentication.
3. What type of connection security rule should be used?
   An isolation rule should be used. This type of rule uses Kerberos authentication. After authentication is established, firewall rules can be created based on the specific users and computers you want to allow. This type of rule does not designate endpoints by IP address.

Task 2: Determine how to configure connection security rules on each computer.


1. How will connection security rules be deployed to servers?
   All Investments servers can be placed in a specific OU and have the connection security rules applied by using Group Policy. This ensures that all Investments servers have the same configuration.
2. How will connection security rules be deployed to workstations?
   All Investments workstations can be placed in a specific OU and have the connection security rules applied by using Group Policy. This ensures that all Investments workstations have the same configuration.
3. How will you address Windows XP clients?
   Based on the conditions presented in the scenario, the best solution is to upgrade the few remaining Windows XP computers to Windows Vista. Other alternatives will be relatively complex. In the short term, an exemption rule can be used for the Windows XP computers, so that IPsec authentication is not required from those computers. Exemption rules are based on computer IP address, so the Windows XP computers must be given static IP addresses or DHCP reservations. Note that the exemption is only as strong as the address it names: any host that obtains an exempted address can talk to the Investments servers unauthenticated, which is a further reason to keep the exemption list short and remove it once the upgrade is complete.
   Other alternatives are:
   - Use both IPsec policies and connection security rules on the servers. This is not recommended because the results are difficult to predict.
   - Use IPsec policies only. Windows Server 2008 and Windows Vista are both capable of using IPsec policies. However, if IPsec policies are used, then you cannot control authentication based on computer and user accounts.

Task 3: Implement connection security rules.


1. On NYC-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Use the Group Policy Management administrative tool to link a new GPO to the Toronto Investments OU.
   Name: Connection Security Rules
3. Edit the Connection Security Rules GPO and add a new Windows Firewall connection security rule under Computer Configuration.
   Rule type: Isolation
   Requirements: Require authentication for inbound connections and request authentication for outbound connections
   Authentication method: Computer and user (Kerberos V5)
   Profile: Domain, Private, and Public
   Name: Secure Communication

Task 4: Create a Firewall Rule for a specific user


1. On NYC-DC1, use the Windows Firewall with Advanced Security administrative tool to create a new inbound rule that authenticates Web traffic on port 80 and restricts access to Administrator.
   Rule type: Port
   Protocol: TCP
   Port: 80
   Action: Allow the connection if it is secure
   Only allow connections from: Administrator
   Profiles: All
   Name: Administrator Access to Web site
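The rules from Task 2 (question 3), Task 3 and Task 4 as netsh advfirewall commands, which is also how you would script them for the other hub sites the Toronto design is a template for. This is an added example and not part of the lab. Assumed: the GPO name "Connection Security Rules", an invented address 10.10.0.201 for a remaining Windows XP computer, and that the Task 4 rule goes into the local store, as the lab creates it in the Windows Firewall console rather than in the GPO. Run in an elevated prompt on NYC-DC1.

```powershell
# Added example, not from the 6435A lab. Assumed: GPO "Connection Security
# Rules" in WoodgroveBank.com; 10.10.0.201 is an invented Windows XP address.

netsh advfirewall set store gpo="WoodgroveBank.com\Connection Security Rules"

# Task 3: the isolation rule. action=requireinrequestout is the "Require
# authentication for inbound connections and request authentication for
# outbound connections" option; auth1 is the computer method, auth2 the user
# method, so together they are "Computer and user (Kerberos V5)".
netsh advfirewall consec add rule name="Secure Communication" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb auth2=userkerb profile=any

# Task 2, question 3: exemption for a Windows XP computer. Matched on address
# only, so the address must be fixed (static or DHCP reservation), and whatever
# holds that address reaches Investments servers without authentication.
netsh advfirewall consec add rule name="XP Exemption" `
    endpoint1=any endpoint2=10.10.0.201 action=noauthentication profile=any

netsh advfirewall set store local

# Task 4: TCP 80 inbound only on an IPsec-authenticated connection
# (security=authenticate) whose authenticated user is Administrator. netsh
# takes the user list as SDDL, so resolve the name to its SID instead of
# hard-coding a SID that is different in every domain.
$acct = New-Object System.Security.Principal.NTAccount('WoodgroveBank', 'Administrator')
$sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:LSD:(A;;CC;;;$sid)"
netsh advfirewall firewall add rule name="Administrator Access to Web site" `
    dir=in action=allow protocol=tcp localport=80 profile=any `
    security=authenticate "rmtusrgrp=$sddl"

# Check: after a computer from the Toronto Investments OU opens port 80 here,
# a main mode SA for its address is listed with Kerberos for both computer and
# user; a computer outside the OU gets no SA and the port stays closed to it.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

The user-based restriction in Task 4 only works because the Task 3 rule negotiates user Kerberos as well as computer Kerberos; with a computer-only isolation rule the "Only allow connections from" user list can never match and every connection is dropped.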

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6435A Lab Launcher.


Module 6
Lab Instructions: Designing Name Resolution
Contents
Exercise 1: Designing a DNS Namespace
Exercise 2: Designing a DNS Server Strategy
Exercise 3: Designing a DNS Zone and Replication Strategy
Exercise 4: Discuss the Design of Name Resolution
Exercise 5: Implement a DNS and Zone Replication Strategy


Lab: Designing a Name Resolution Strategy in Windows Server 2008

Scenario
Woodgrove Bank has experienced significant growth and needs to re-evaluate the current name resolution structure to verify that it is appropriate. This involves selecting locations for DNS servers, designing the DNS namespace, and determining a zone replication strategy.


Exercise 1: Designing a DNS Namespace


Woodgrove Bank has three Active Directory domains. The forest root domain is WoodgroveBank.com and contains information about North American resources. The EMEA.WoodgroveBank.com domain is used by European operations and the Asia.WoodgroveBank.com domain is used by Asian operations. The following guidelines have been given for evaluating the current DNS structure:
- The namespace for Active Directory should simplify maintenance if possible.
- Changes to the existing system should be avoided if they will cause a significant amount of change.

Woodgrove Bank has external DNS records that are manually synchronized with the internal DNS structure. These records change on average less than once per year.

External DNS Records

  Record                        Purpose
  www.woodgrovebank.com         Public Web site
  Customer.woodgrovebank.com    Secure Web site for customers
  Invest.woodgrovebank.com      Secure Web site for investments customers
  Vpn.woodgrovebank.com         VPN server used by roaming staff
  Mail.woodgrovebank.com        Internet mail server
  Dns1.woodgrovebank.com        External DNS server
  Dns2.woodgrovebank.com        External DNS server

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Select a DNS namespace for Active Directory.

Task 1: Start the virtual machines, and then log on.


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-LON-DC1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Select a DNS namespace for Active Directory


1. What would be your preferred namespace for Active Directory if creating a new design?
2. What additional considerations must be taken into account when modifying an existing design?
3. What DNS namespace do you recommend that Woodgrove Bank use for Active Directory?


Exercise 2: Designing a DNS Server Strategy


The placement of DNS servers is important to minimize WAN traffic and ensure availability. You must determine which locations will have DNS servers, based on the network infrastructure and number of users. In addition, the failure of a WAN link between hub sites should not cause a failure in name resolution. Individual branch locations do not have servers. All branches access applications by using terminal servers at their hub site. Use the following documents to create your design:
  M6_Physical.png
  M6_LocationDetails.doc

Task 1: Determine a DNS server location.


1. Are DNS servers required at the branch locations?
2. Are DNS servers required at each hub site?
3. How many DNS servers should be located at each hub site?


Exercise 3: Designing a DNS Zone and Replication Strategy


After determining the location of DNS servers, you must now determine how to divide the DNS namespace and how replication will be performed. DNS for each of the three domains should be managed separately. Each DNS zone should be capable of performing secure dynamic updates for computers in the local domain.

Task 1: Determine DNS Zone requirements


1. Which zones need to be created on internal DNS servers?
2. Which zones need to be created on external DNS servers?
3. In which hub sites will each DNS zone be placed?
4. How will replication/zone transfers be configured for each zone?


Exercise 4: Discuss the Design of Name Resolution


Now that you have completed your name resolution strategy, participate in a discussion with your instructor and the class.

Task 1: Discuss your design for name resolution with the instructor and other students.
1. With your instructor, discuss the namespace design that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the DNS server strategy that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the DNS zone and replication strategy that is appropriate for Woodgrove Bank.


Exercise 5: Implement a DNS and Zone Replication Strategy


After completing your name resolution strategy, you must take steps to implement it. Some of the name resolution strategy is already in place. However, you must verify the components that are in place and implement others. The main tasks for this exercise are:
1. Review the configuration of zones in North America.
2. Review the configuration of zones in Europe.
3. Configure zone transfers for EMEA.WoodgroveBank.com.
4. Configure a secondary zone for EMEA.WoodgroveBank.com.
5. Close all virtual machines and discard undo disks.

Task 1: Review the configuration of zones in North America.


1. On NYC-DC1, use the DNS administrative tools to view the type and replication configuration of the WoodgroveBank.com zone.
2. View the type and replication configuration of the _msdcs.WoodgroveBank.com zone.

Task 2: Review the configuration of zones in Europe.


1. On LON-DC1, use the DNS administrative tools to view the type and replication configuration of the EMEA.WoodgroveBank.com zone.
2. View the type and replication configuration of the _msdcs.WoodgroveBank.com zone.

Task 3: Configure zone transfers for EMEA.WoodgroveBank.com


On LON-DC1, use the DNS administrative tool to configure the EMEA.WoodgroveBank.com zone to allow zone transfers to 10.10.0.10.

Task 4: Configure a secondary zone for EMEA.WoodgroveBank.com


1. On NYC-DC1, use the DNS administrative tool to create a new secondary zone for EMEA.WoodgroveBank.com.
   Type: Secondary zone
   Zone name: EMEA.WoodgroveBank.com
   Master server: 10.10.0.110
2. View the replicated records for EMEA.WoodgroveBank.com.
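Tasks 1 to 4 of this exercise with dnscmd, plus the check that a host outside the transfer list is refused, which the DNS console does not show you. This is an added example, not part of the lab. The addresses are taken from the tasks above (NYC-DC1 at 10.10.0.10, LON-DC1 at 10.10.0.110); they are inferred from the lab text and not stated there outright.

```powershell
# Added example, not from the 6435A lab. Assumed from the task text:
# NYC-DC1 = 10.10.0.10, LON-DC1 = 10.10.0.110.

# Tasks 1 and 2: zone type and replication scope. "DS integrated = 1" plus the
# directory partition name tells you it is AD-integrated and how far it
# replicates; "secure secs = 1" means secure dynamic update only.
foreach ($zone in 'WoodgroveBank.com', '_msdcs.WoodgroveBank.com') {
    dnscmd NYC-DC1 /ZoneInfo $zone |
        Select-String 'zone type|DS integrated|directory partition|secure secs|Secondaries'
}
dnscmd LON-DC1 /ZoneInfo EMEA.WoodgroveBank.com

# Task 3: on LON-DC1, allow zone transfers of EMEA.WoodgroveBank.com only to
# NYC-DC1 and send NOTIFY there so the secondary refreshes promptly.
# /SecureList replaces the default (transfer to any server in the NS set).
# Never use /NonSecure on an AD-integrated zone: an AXFR hands out every host
# and every SRV record for the domain's domain controllers.
dnscmd LON-DC1 /ZoneResetSecondaries EMEA.WoodgroveBank.com /SecureList 10.10.0.10 /NotifyList 10.10.0.10

# Task 4: on NYC-DC1, create the secondary, pull the zone, and look at the SOA
# to confirm the serial matches the master.
dnscmd NYC-DC1 /ZoneAdd EMEA.WoodgroveBank.com /Secondary 10.10.0.110
dnscmd NYC-DC1 /ZoneRefresh EMEA.WoodgroveBank.com
dnscmd NYC-DC1 /EnumRecords EMEA.WoodgroveBank.com '@' /Type SOA
dnscmd LON-DC1 /EnumRecords EMEA.WoodgroveBank.com '@' /Type SOA

# Check: from any domain member that is NOT on the secure list, an AXFR must
# be refused. nslookup's "ls" command issues a zone transfer:
#   nslookup - 10.10.0.110
#   > ls -d EMEA.WoodgroveBank.com
# Expected: "*** Can't list domain EMEA.WoodgroveBank.com: Query refused"
```

If the secondary on NYC-DC1 is only needed for name resolution and not for an application that reads the zone file, a stub zone or a conditional forwarder to 10.10.0.110 exposes less: neither one holds a full copy of the EMEA records on a server outside that domain.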

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6435A Lab Launcher.


Module 7
Lab Instructions: Designing Advanced Name Resolution
Contents
Exercise 1: Optimizing DNS Servers
Exercise 2: Designing High Availability for Name Resolution
Exercise 3: Designing WINS
Exercise 4: Implementing a GlobalNames Zone


Lab: Designing Advanced Name Resolution

Scenario
You have recently completed the high level design for DNS name resolution at Woodgrove Bank. You now need to create some detailed configuration information for DNS servers to optimize name resolution and secure the DNS servers appropriately. You also need to design name resolution for NetBIOS names to support older applications.


Exercise 1: Optimizing DNS Servers


The high-level design of DNS zones and their locations has been completed. You now need to determine the detailed configuration that is required on each DNS server to support that design. Considerations include root hints and forwarding. The requirements for the implementation are:
- DNS servers are located only at hub sites.
- Only DNS servers in the New York hub site can resolve Internet DNS names.
- The DNS servers in the New York hub site must be protected from the Internet.
- The server responsible for the external WoodgroveBank.com domain should be protected from denial-of-service attacks based on recursive queries.
- All DNS servers should cache resolved names to reduce network traffic.

Use the following documents to complete your design:
  M6_Physical.png
  M7_DNSConfiguration.doc

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine configuration for internal DNS servers.
3. Determine configuration for external DNS servers.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-LON-DC1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Determine configuration for internal DNS servers


1. Which DNS servers should be able to perform recursive lookups?
2. Which DNS servers should use forwarding, and how is it configured?
3. Which DNS servers should use root hints to look up names?
4. How will DNS servers in New York that perform external lookups be protected from the Internet?
5. How should caching be configured on the DNS servers?

Task 3: Determine configuration for external DNS servers


1. What configuration should be performed on external servers hosting the WoodgroveBank.com domain to prevent denial-of-service attacks?
2. How should root hints be configured on the external DNS servers performing external lookups?
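One way the answers to Tasks 2 and 3 come out as dnscmd settings, grouped by server role. This is an added example, not part of the lab, and everything except the roles is assumed: NYC-DC1 and NYC-DC2 (10.10.0.10, 10.10.0.11) as the New York internal servers, LON-DC1 as a non-New York hub server, PER-DNS1 (172.16.0.11) as an assumed caching resolver in the perimeter network, and Dns1 as the authoritative external server for WoodgroveBank.com.

```powershell
# Added example, not from the 6435A lab. Assumed names and addresses:
# NYC-DC1/NYC-DC2 = 10.10.0.10/10.10.0.11, PER-DNS1 = 172.16.0.11 (perimeter
# caching resolver, invented for the example), Dns1 = authoritative external
# server from the Module 6 record table.

# Hub sites other than New York: forward every query they are not
# authoritative for to the New York servers, and with /Slave never fall back
# to root hints. That is what makes "only New York can resolve Internet names"
# true; two forwarders keep a single New York server failure from breaking
# resolution at the other hubs.
dnscmd LON-DC1 /ResetForwarders 10.10.0.10 10.10.0.11 /Slave

# New York internal servers: forward to the perimeter resolver rather than
# using root hints themselves, so no internal domain controller opens TCP/UDP
# 53 to arbitrary Internet hosts. Cache hardening: discard answers for names
# that were not asked about (cache pollution) and cap how long anything is kept.
foreach ($srv in 'NYC-DC1', 'NYC-DC2') {
    dnscmd $srv /ResetForwarders 172.16.0.11 /Slave
    dnscmd $srv /Config /SecureResponses 1
    dnscmd $srv /Config /MaxCacheTtl 86400
}

# Perimeter resolver: recursion on, root hints left at the default, and it is
# the only box the firewall lets out on port 53. Limit who may query it on the
# firewall; dnscmd has no client allow-list.
dnscmd PER-DNS1 /Config /NoRecursion 0
dnscmd PER-DNS1 /Config /SecureResponses 1

# Task 3: the authoritative external server answers only for its own zones.
# No recursion means it cannot be used as an open resolver, which removes the
# recursive-query denial-of-service and reflection exposure the requirement
# names; root hints are irrelevant on a server that never recurses.
dnscmd Dns1 /Config /NoRecursion 1
dnscmd Dns1 /Config /SecureResponses 1

# Checks, from a host that can reach the external server (assumed 172.16.0.10):
# the hosted zone still answers, an Internet name returns no address.
nslookup www.woodgrovebank.com 172.16.0.10
nslookup www.microsoft.com 172.16.0.10
dnscmd Dns1 /Info /NoRecursion
```

With /Slave set, a forwarder outage is a resolution outage for that server, which is the intended trade-off here; list every permitted forwarder rather than relying on root-hint fallback that the design forbids.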


Exercise 2: Designing High Availability for Name Resolution


Most services on the Woodgrove Bank network rely on DNS name resolution for full functionality. It is critical that DNS is highly available. Each hub site has at least two domain controllers that can be configured as DNS servers.

Task 1: Determining high availability methods for external DNS servers


1. How will you configure high availability for the external DNS servers hosting WoodgroveBank.com?
2. Will DNS servers be hosted in multiple locations?

Task 2: Determining high availability methods for internal DNS servers


1. How many DNS servers will be located at each hub site?
2. What method will you use to configure DNS servers as highly available?
3. How will clients be configured to support high availability of DNS?


Exercise 3: Designing WINS


There are a few older applications that rely on NetBIOS name resolution for proper functionality. You must determine how WINS will be implemented to support those applications. The requirements for NetBIOS name resolution are:
- Applications requiring NetBIOS name resolution support are in New York, London, and Tokyo.
- Users of the applications are located in all areas of the organization, but access the applications through terminal services.
- Registered NetBIOS names must be replicated and synchronized between all WINS servers.
- Failure of WAN links should not affect NetBIOS name resolution.

Task 1: Determine the requirements for NetBIOS name resolution


1. Which computers need to register and resolve NetBIOS names?
2. Where should WINS servers be located?
3. How would your plan change if NetBIOS applications were installed on all computers?

Task 2: Determine how WINS replication will be configured


1. What type of replication should be used between WINS servers?
2. What replication topology should be used between WINS servers?

Task 3: Determine how WINS will be integrated with DNS


1. Is there a need for WINS integration with DNS?
2. How can a GlobalNames DNS zone reduce the need for WINS?


Exercise 4: Implementing a GlobalNames Zone


You would like to test whether one of your applications requiring NetBIOS name resolution can be supported by using a GlobalNames zone. To do this you will configure an application client and server without WINS and test them. In the following steps you implement the GlobalNames zone that they will use.

Task 1: Create a GlobalNames zone


On NYC-DC1, create a GlobalNames forward lookup zone by using DNS Manager.
  Primary zone
  Store the zone in Active Directory
  Replication: To all DNS servers in the forest
  Zone name: GlobalNames
  Do not allow dynamic updates

Task 2: Enable support for a GlobalNames zone


1. On NYC-DC1, run the command dnscmd nyc-dc1 /config /enableglobalnamessupport 1.
2. On LON-DC1, run the command dnscmd lon-dc1 /config /enableglobalnamessupport 1.

Task 3: Configure records in a GlobalNames zone


On NYC-DC1, use DNS Manager to add a new CNAME record in the GlobalNames zone.
  Alias name: NBSrv
  Target host: NYC-DC1.WoodgroveBank.com

Task 4: Verify replication to LON-DC1


On LON-DC1, use DNS Manager to verify that the NBSrv record exists in the GlobalNames zone. You may need to wait several minutes for the record to appear.

Task 5: Test resolution of records in a GlobalNames zone


On LON-DC1, ping NBSrv to verify name resolution.
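Tasks 1 to 5 of this exercise as a single dnscmd script, with the dynamic-update setting made explicit and a resolution check from both servers. This is an added example, not part of the lab; it uses only the lab's own names (NYC-DC1, LON-DC1, NBSrv) and assumes the commands are run from an elevated prompt with Domain Admins rights on NYC-DC1.

```powershell
# Added example, not from the 6435A lab. Run as a Domain Admin on NYC-DC1.

# Task 1: AD-integrated primary zone replicated to every DNS server in the
# forest. Dynamic update is turned off on purpose: GlobalNames is a small,
# centrally managed set of single-label names that every client in the forest
# resolves, so no client may be able to register into it.
dnscmd NYC-DC1 /ZoneAdd GlobalNames /DsPrimary /DP /forest
dnscmd NYC-DC1 /Config GlobalNames /AllowUpdate 0

# Task 2: each DNS server must opt in, otherwise it ignores the zone.
dnscmd NYC-DC1 /Config /EnableGlobalNamesSupport 1
dnscmd LON-DC1 /Config /EnableGlobalNamesSupport 1

# Task 3: records are CNAMEs to the real FQDN; the zone carries no A records.
dnscmd NYC-DC1 /RecordAdd GlobalNames NBSrv CNAME NYC-DC1.WoodgroveBank.com

# Task 4: replication is Active Directory replication, so LON-DC1 shows the
# record only after the next inter-site replication cycle. Either wait, or
# force it (Domain Admin):
repadmin /syncall LON-DC1 /A /e /P
dnscmd LON-DC1 /EnumRecords GlobalNames NBSrv

# Task 5: the single-label name must resolve on LON-DC1 with no WINS server
# configured and no NBSrv host in EMEA.WoodgroveBank.com.
nslookup NBSrv LON-DC1
ping NBSrv

# Confirm the zone rejects updates (should report that the zone is not
# configured for dynamic updates): AllowUpdate must be 0.
dnscmd LON-DC1 /ZoneInfo GlobalNames | Select-String 'update'
```

The lookup order explains the test: the client still appends its primary DNS suffix first, the server finds no NBSrv in the authoritative zone, and only then consults GlobalNames. A real host named NBSrv in any domain therefore shadows the GlobalNames entry, so check for name clashes across the forest before adding a record.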

Task 6: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6435A Lab Launcher.


Module 8
Lab Instructions: Designing Network Access Solutions
Contents
Exercise 1: Designing a Network Access Solution
Exercise 2: Designing Network Policy Services
Exercise 3: Designing a Wireless Connection Solution
Exercise 4: Discuss the Design of Network Access
Exercise 5: Deploying an SSTP VPN Solution


Lab: Designing a Remote Access Solution

Scenario
Woodgrove Bank is evaluating the network access needs for roaming users within the organization. At this time a VPN server is in place, but no wireless LANs have been implemented due to security concerns. You must design a remote access solution and a wireless connection solution based on user and business requirements. The current VPN deployment consists of a single VPN server. Clients use PPTP connections and are given connectivity to the entire network when connected.


Exercise 1: Designing a Network Access Solution


Woodgrove Bank is facing increasing demand from users for remote access. Many of the hub site management staff travel to remote locations and need access to organizational data from hotel rooms. Also, executives want the ability to work from home or while on vacation. The following information has been gathered:
- Some travelling users do not have Internet access in their hotel rooms.
- Security of data is very important.
- Woodgrove Bank has an infrastructure in place for deploying certificates and smart cards.
- Some executives have had problems with VPN connections being blocked by hotel firewalls.
- Users from non-North American sites have complained about slow access to data over the VPN.
- Some roaming clients use Windows XP and there are no plans to upgrade those clients to Windows Vista until new laptops are purchased.
- There is only a single Internet connection for Woodgrove Bank. It is located in the New York hub site.
- The current service provider for Internet access provides no guarantees for availability. Availability guarantees are required for disaster recovery planning.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine remote access methods.
3. Determine physical infrastructure for remote access.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-RAS, click Launch.
4. In the Lab Launcher, next to 6435A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-RAS as Administrator with the password Pa$$w0rd.
7. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Determining remote access methods


1. Is dial-up access required?
2. Which authentication method should be used for VPN connections?
3. Which VPN tunneling protocol should be used?

Task 3: Determining physical infrastructure for remote access


1. Where should VPN servers be located?
2. How will you address the concerns of non-North American users about slow access to data over the VPN?
3. How will clients be configured with dial-up and VPN connections?
4. How will you address concerns about availability for the Internet connection?


Exercise 2: Designing Network Policy Services


It has been determined that the most effective way to provide dial-up access for remote users is by outsourcing dial-up access to an ISP with a world-wide presence. The requirements for network policies are as follows:
- Executives are allowed remote access to network resources and are not restricted.
- Branch management staff are allowed remote access only to resources in their hub site. For example, branch managers in Toronto are allowed access only to Toronto resources.
- Customer Service staff are not allowed remote access.
- Investments staff are allowed remote access to all Investments resources in their hub site.
- Marketing staff are allowed remote access only for e-mail.

The main tasks for this exercise are:
1. Determine the infrastructure requirements for RADIUS.
2. Determine network policies.

Task 1: Determining the infrastructure requirements for RADIUS


1. How will RADIUS allow the Woodgrove Bank help desk to control passwords?
2. What configuration needs to be performed at the ISP, and which component is the RADIUS server?
3. What configuration needs to be performed at Woodgrove Bank?
4. How does the implementation of RADIUS affect the local VPN server?

Task 2: Determining network policies


1. What network policies should be created?
2. How does the processing order affect your network policies?


Exercise 3: Designing a Wireless Connection Solution


Woodgrove Bank does not have any wireless infrastructure in place to support roaming users throughout the buildings. The Investments department staff in particular would like the ability to move from office to office with their laptops for spontaneous meetings. This will be piloted first in the Toronto hub site and then deployed at other hub sites. The requirements for a wireless network design are as follows:
- Only laptops that are members of the domain can connect to the wireless network.
- The highest possible level of security must be used.
- Users must be able to roam throughout the building.
- The highest possible speed is required.

The main tasks for this exercise are:
1. Selecting wireless standards.
2. Designing the physical implementation.

Task 1: Selecting wireless standards


1. Which wireless networking standard is preferred for your implementation?
2. Which encryption standard is preferred for your implementation?
3. How will computers be authenticated?

Task 2: Designing the physical implementation


1. How will you provide power to the WAPs?
2. How will you ensure that users can roam throughout the building?
3. How will you ensure that signal strength is acceptable in all areas of the building?


Exercise 4: Discuss the Design of Network Access


Now that you have completed your design for network access, participate in a discussion with your instructor and the class. The main task for this exercise is: Discuss your design for network access with the instructor and other students.

Task 1: Discuss your design for network access with the instructor and other students
1. With your instructor, discuss the remote access solution that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the Network Policy Services design that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the wireless connection solution that is appropriate for Woodgrove Bank.


Exercise 5: Deploying an SSTP VPN Solution


Woodgrove Bank has determined that an SSTP VPN will meet the requirements for roaming users. In this exercise, you install an SSTP VPN server and connect to it. The main tasks for this exercise are:
1. Install Active Directory Certificate Services and Web Server.
2. Create an SSL certificate.
3. Configure RRAS.
4. Create a Network Policy to allow VPN access.
5. Configure the client with a trusted root certificate.
6. Configure and test an SSTP VPN connection.
7. Close all virtual machines and discard undo disks.

Task 1: Install Active Directory Certificate Services and Web server


1. On NYC-RAS, use Server Manager to add the Active Directory Certificate Services and Web Server (IIS) roles.
2. Install the following configuration for Active Directory Certificate Services:
   Role services: Certification Authority and Certification Authority Web Enrollment
   CA type: Enterprise Root CA
   Create a new private key
   Cryptography: default
   CA name: default
   Validity period: default
   Database and log locations: default
3. Accept default settings for the Web Server (IIS) role.

Task 2: Create an SSL certificate


On NYC-RAS, use Internet Information Services (IIS) Manager to request a new server certificate for NYC-RAS.
  Create Domain Certificate
  Common name: NYC-RAS.WoodgroveBank.com
  Organization: Woodgrove Bank
  Organizational unit: IT
  City/locality: New York
  State/province: New York
  Country/region: US
  Online Certification Authority: WoodgroveBank-NYC-RAS-CA\NYC-RAS.WoodgroveBank.com
  Friendly name: WebSSL

Task 3: Configure RRAS


On NYC-RAS, use the Routing and Remote Access administrative tool to enable Routing and Remote Access.
  Configuration: Remote access (dial-up or VPN)
  Remote access: VPN
  Network interface: Local Area Connection
  Do not enable security on the selected interface by setting up static packet filters.
  IP address assignment: From a specified range of IP addresses
  IP address range: 10.11.0.200 to 10.11.0.225
  Use Routing and Remote Access to authenticate connection requests

The static packet filters are left off only because NYC-RAS has a single interface that also serves the Certificate Services Web site used in Task 5; the filters admit only VPN traffic and would block that HTTP access. On a production VPN server with a dedicated Internet-facing interface, enable them.

Task 4: Create a Network Policy to allow VPN access.


1. On NYC-RAS, use Network Policy Server to create a new network policy.
   Policy name: Allow Domain Admins
   Condition: Windows Groups, WoodgroveBank\Domain Admins
   Access permission: Access Granted
   Authentication type: default
   Constraints: default
   Settings: default

Task 5: Configure the client with a trusted root certificate


1. On NYC-CL1, use Internet Explorer to open the Certificate Services Web site at http://NYC-RAS.WoodgroveBank.com/certsrv.
2. Log on as WoodgroveBank\Administrator with a password of Pa$$w0rd.
3. Download a CA certificate, open it, and install it. Automatically select the certificate store based on the type of certificate.
4. Click Start, type mmc, and press Enter to open an empty MMC console.
5. Add the following snap-ins:
   The Certificates snap-in focused on My user account.
   The Certificates snap-in focused on Local computer.
6. Copy the WoodgroveBank-NYC-RAS-CA certificate from Certificates - Current User > Intermediate Certification Authorities > Certificates to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.

The CA certificate was downloaded over an unauthenticated HTTP connection. Before placing it in Trusted Root Certification Authorities, where every computer-wide certificate decision will trust it, compare its thumbprint with the one shown on NYC-RAS in the Certification Authority console (CA Properties, General tab, View Certificate).

Task 6: Configure and test an SSTP VPN connection


1. On NYC-CL1, open Connect To from the Start menu.
2. Set up a new connection.
   Connect to a workplace
   Use my Internet connection (VPN)
   I'll set up an Internet connection later
   Internet address: NYC-RAS.WoodgroveBank.com
   Destination name: NYC VPN
   Leave the user name and password blank
3. Open Connect To from the Start menu.
4. Open the properties of the NYC VPN connection and select SSTP as the type of VPN on the Networking tab.
5. Connect the NYC VPN.
6. Open Connect To from the Start menu and verify that the NYC VPN connection is connected.

Note: If you experience an error during your connection attempt, review the configuration of your SSTP listener by using the instructions from Setting up the SSTP listener and verifying it in the Routing and Remote Access Blog at http://blogs.technet.com/rrasblog/archive/2007/03/07/configuration-of-sstplistener-and-verification.aspx. In particular, if you replace the certificate that SSTP uses, you must manually remove the old certificate binding and add the new one; SSTP does not pick up a replaced certificate on its own.
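The checks behind the note, scripted: on NYC-RAS, whether the HTTP.SYS SSL binding that SSTP listens on carries the certificate issued in Task 2 and whether SstpSvc has cached a different hash; on NYC-CL1, whether the CA is in the machine's Trusted Root store and a connection with rasdial. This is an added example and not part of the lab. Assumed: the friendly name WebSSL from Task 2, and that the CA's CRL is reachable from NYC-CL1 at the HTTP location the default Enterprise CA publishes to on NYC-RAS.

```powershell
# Added example, not from the 6435A lab. Assumed: certificate friendly name
# "WebSSL"; SstpSvc parameter names as documented for Windows Server 2008.

# --- On NYC-RAS ---
# 1. SSTP is an HTTP.SYS SSL binding on port 443 (IPv4 and IPv6). The hash
#    shown here is the certificate actually presented to clients.
netsh http show sslcert ipport=0.0.0.0:443
netsh http show sslcert ipport=[::]:443

# 2. The certificate Task 2 issued to NYC-RAS.WoodgroveBank.com.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'WebSSL' }
$cert | Format-List Subject, Thumbprint, NotAfter, EnhancedKeyUsageList

# 3. What SstpSvc has cached. It is written when the service first binds and is
#    NOT refreshed when the certificate in IIS is replaced, which is the failure
#    the note above describes.
$p = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
Get-ItemProperty $p | Format-List SHA1CertificateHash, SHA256CertificateHash

# If 1 and 3 do not match the thumbprint in 2: drop the binding and the cached
# hashes, then restart RRAS so it rebinds with the current certificate.
#   netsh http delete sslcert ipport=0.0.0.0:443
#   netsh http delete sslcert ipport=[::]:443
#   Remove-ItemProperty $p -Name SHA1CertificateHash, SHA256CertificateHash
#   Restart-Service RemoteAccess

# --- On NYC-CL1 ---
# 4. The SSTP client validates the server certificate against the computer's
#    Trusted Root store (not the user's), and checks revocation. Confirm the
#    CA from Task 5 landed in the right store.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*WoodgroveBank-NYC-RAS-CA*' } |
    Format-List Subject, Thumbprint, NotAfter

# 5. Connect and disconnect from a script, which gives the error code directly.
#    0x800B0109 = chain ends in an untrusted root (step 4 failed);
#    0x80092013 = CRL could not be fetched (client cannot reach the CA's CRL
#    URL on NYC-RAS over HTTP).
rasdial "NYC VPN" WoodgroveBank\Administrator 'Pa$$w0rd'
ipconfig | Select-String 'PPP adapter', 'IPv4 Address'
rasdial "NYC VPN" /disconnect
```

Disabling the client's revocation check is sometimes suggested for lab work; do not carry that into a design, since a compromised VPN server certificate could then never be withdrawn from roaming clients.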

Task 7: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.


Module 9
Lab Instructions: Designing Network Access Protection
Contents
Exercise 1: Analyzing Enforcement Methods
Exercise 2: Designing DHCP Enforcement
Exercise 3: Designing IPsec Enforcement
Exercise 4: Implementing DHCP Enforcement


Lab: Designing Network Access Protection

Scenario
Woodgrove Bank has recently experienced problems with malware being introduced to the network at the New York hub site. The introduction of malware has been a result of computers not being compliant with corporate security and maintenance policies. None of the lapses has been a result of malicious users attempting to bypass security guidelines. The following are examples of recent lapses:
- A user working from home did not have antivirus software enabled. A virus was introduced to the network over the corporate VPN connection.
- Windows Firewall was disabled on a desktop computer by a technician during application troubleshooting. The technician forgot to re-enable the firewall and the computer was subsequently infected with a worm.
- A visiting consultant connected a laptop to the corporate network and introduced a virus.

The New York hub site provides services for all bank branches in the northeastern United States. NAP is being implemented in New York as a trial for the rest of Woodgrove Bank. Varying scenarios need to be considered and tested. The infrastructure in place at the New York hub site and branches has the following characteristics:
- A VPN server running Windows Server 2008 RRAS
- Most, but not all, switches and WAPs support 802.1X authentication
- All client computers have been upgraded to Windows Vista
- No additional products with an SHA/SHV have been installed
- All clients use dynamic IP addresses
- The DHCP server in Windows Server 2008 is used to lease IP addresses


Exercise 1: Analyzing Enforcement Methods


The first step in designing a NAP implementation is determining which enforcement methods are appropriate. You must determine the appropriate enforcement methods for Woodgrove Bank. The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Analyze DHCP enforcement.
3. Analyze VPN enforcement.
4. Analyze 802.1X enforcement.
5. Analyze IPsec enforcement.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. In the Lab Launcher, next to 6435A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
7. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Analyze DHCP Enforcement


1. Which components are required for DHCP enforcement?
2. Are the necessary components in place for DHCP enforcement?
3. What are the benefits of using DHCP enforcement?
4. What are the drawbacks of using DHCP enforcement?
5. Is DHCP enforcement suitable for Woodgrove Bank?

Task 3: Analyze VPN Enforcement


1. Which components are required for VPN enforcement?
2. Are the necessary components in place for VPN enforcement?
3. What are the benefits of using VPN enforcement?
4. What are the drawbacks of using VPN enforcement?
5. Is VPN enforcement suitable for Woodgrove Bank?

Task 4: Analyze 802.1X Enforcement


1. Which components are required for 802.1X enforcement?
2. Are the necessary components in place for 802.1X enforcement?
3. What are the benefits of using 802.1X enforcement?
4. What are the drawbacks of using 802.1X enforcement?
5. Is 802.1X enforcement suitable for Woodgrove Bank?

Task 5: Analyze IPsec enforcement


1. Which components are required for IPsec enforcement?
2. Are the necessary components in place for IPsec enforcement?
3. What are the benefits of using IPsec enforcement?
4. What are the drawbacks of using IPsec enforcement?
5. Is IPsec enforcement suitable for Woodgrove Bank?


Exercise 2: Designing DHCP Enforcement


Woodgrove Bank would like to see a design of DHCP enforcement before selecting enforcement methods for NAP. The following steps are required when configuring DHCP enforcement:
1. NAP clients must be configured with appropriate settings.
2. NAP must be enabled for the DHCP scope.
3. DHCP options must be configured for noncompliant computers.
4. Configure NPS as a health policy server.
5. Configure SHVs.
6. Configure remediation servers in NPS.

The main tasks for this exercise are:
1. Design client configuration.
2. Design SHV configuration.
3. Design DHCP implementation.
4. Design remediation servers.

Task 1: Design client configuration


1. What is the simplest way to apply the necessary client configuration to many computers at once?
2. How will you ensure that only the client computers are configured and not servers?

Task 2: Design SHV configuration


1. How are the options available for checking client status determined?
2. How can these options be expanded?

Task 3: Design DHCP implementation


1. Where will DHCP servers be located?
2. How will clients communicate with the DHCP servers?
3. Is additional configuration necessary on the DHCP server?

Task 4: Design remediation servers


1. How are remediation servers accessed by noncompliant computers?
2. Which servers should be configured as remediation servers?


Exercise 3: Designing IPsec Enforcement


Woodgrove Bank would like to see a design of IPsec enforcement before selecting enforcement methods for NAP. IPsec enforcement uses IPsec policies to create a restricted network, a boundary network, and a secure network. The same client and SHV configuration steps must be performed for IPsec enforcement as for DHCP enforcement. The main tasks for this exercise are:
1. Design IPsec enforcement networks.
2. Design the IPsec implementation.
3. Design the CA implementation.

Task 1: Design IPsec enforcement networks


1. What computers are on the restricted network?
2. What computers are on the boundary network?
3. What computers are on the secure network?
4. What communication is allowed between the IPsec networks?

Task 2: Design the IPsec implementation


1. Why are IPsec policies required?
2. What IPsec configuration is used in the restricted network?
3. What IPsec configuration is used in the boundary network?
4. What IPsec configuration is used in the secure network?
5. How are remediation servers configured?

Task 3: Design the CA implementation


1. What type of CA must be installed, and why?
2. How long will health certificates be valid?


Exercise 4: Implementing DHCP Enforcement


Woodgrove Bank has decided to implement DHCP enforcement. In this exercise, DHCP enforcement is configured and tested. The main tasks for this exercise are:
1. Install necessary components.
2. Configure NPS.
3. Configure DHCP.
4. Configure the NAP client by using Group Policy.
5. Configure networking on the client.
6. Configure the SHV.
7. Test compliance and auto-remediation on the client.
8. Close all virtual machines and discard undo disks.

Task 1: Install necessary components


1. On NYC-DC1, use Server Manager to add the DHCP Server and Network Policy and Access Services server roles.
2. For the Network Policy and Access Services server role, include the Network Policy Server role service.
3. For the DHCP Server role, use the following settings:
   Network connection: 10.10.0.10
   Parent domain: WoodgroveBank.com
   Preferred DNS server IPv4 address: 10.10.0.10
   WINS is not required for applications on the network
   Add a DHCP scope:
      Scope name: New York Scope
      Starting IP address: 10.10.1.0
      Ending IP address: 10.10.9.254
      Subnet mask: 255.255.0.0
      Default gateway (optional): 10.10.0.1
      Subnet type: Wired (lease duration will be 6 days)
      Activate this scope
   Disable DHCPv6 stateless mode for this server
   Use current credentials

Task 2: Configure NPS


1. On NYC-DC1, use the Network Policy Server administrative tool to select the Network Access Protection (NAP) standard configuration and then configure NAP:
   Connection method: Dynamic Host Configuration Protocol (DHCP)
   Policy name: NAP DHCP
   RADIUS clients: None
   DHCP scopes: None
   User and machine groups: None
   Remediation server groups: None
   Windows Security Health Validator
   Enable auto-remediation of client computers
   Deny full network access to NAP-ineligible client computers
2. Review the connection request policies created by the wizard.
3. Review the network policies created by the wizard.
4. Review the health policies created by the wizard.

Task 3: Configure DHCP


1. On NYC-DC1, use the DHCP administrative tool to enable Network Access Protection for the New York Scope and use the Default Network Access Protection profile.
2. On the Advanced tab of Scope Options, for the Default Network Access Protection Class, configure the following:
   006 DNS Servers: 10.10.0.10
   015 DNS Domain Name: restricted.woodgrovebank.com

Task 4: Configure NAP Client by using Group Policy


1. On NYC-DC1, use Active Directory Users and Computers to create a new organizational unit, named NYC NAP Clients, in the NYC organizational unit.
2. Move the NYC-CL1 computer object into the NYC NAP Clients organizational unit.
3. Use the Group Policy Management administrative tool to create a new Group Policy object, named DHCP NAP Client, linked to the NYC NAP Clients organizational unit, with the following settings:
   Computer Configuration/Policies/Windows Settings/Security Settings/System Services/Network Access Protection Agent: Automatic
   Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration/Enforcement Clients/DHCP Quarantine Enforcement Client: Enable
   Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration: Apply (from the context menu)
   Computer Configuration/Policies/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only): Enabled

Task 5: Configure networking on the client


1. Restart NYC-CL1, and log on as Administrator with a password of Pa$$w0rd.
2. On NYC-CL1, open a command prompt and use the following command to update Group Policy settings:
   gpupdate
3. Reconfigure Local Area Connection to use DHCP to obtain an IP address and DNS server.
4. Open a command prompt and use the following command to view the configured IP address:
   ipconfig /all
5. Notice that an IPv4 address has been configured, but the subnet mask is 255.255.255.255 and the Connection-specific DNS Suffix is restricted.woodgrovebank.com.
6. Ping NYC-WEB.WoodgroveBank.com to test connectivity.
7. The ping to NYC-WEB.WoodgroveBank.com fails.


Task 6: Configure the SHV


On NYC-DC1, use the Network Policy Server administrative tool to configure the Windows Security Health Validator in Network Access Protection. Test only for an enabled firewall.

Task 7: Test compliance and auto-remediation on the client


1. On NYC-CL1, renew the IP address by using the command ipconfig /renew.
2. Notice that NYC-CL1 now has a default gateway, a subnet mask of 255.255.0.0, and a Connection-specific DNS Suffix of WoodgroveBank.com.
3. Ping NYC-WEB.WoodgroveBank.com to test connectivity.
4. The ping to NYC-WEB.WoodgroveBank.com is successful.
5. In the Control Panel Security settings, turn off Windows Firewall.
6. Notice that the Windows Firewall status is off only briefly, before being turned back on by the NAP client.
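The lease state that Task 5 and Task 7 have you read off ipconfig /all (host subnet mask, no default gateway, restricted DNS suffix) can be checked from a script, which is useful when you are tracing why a client did or did not land in the restricted network. The following PowerShell is an added example, not part of the 6435A lab. It assumes the restricted-class DNS suffix restricted.woodgrovebank.com configured in Task 3 and the netsh nap client context that ships with Windows Vista and Windows Server 2008.

```powershell
# Added example, not part of the 6435A lab: classify each DHCP lease on this client as a
# NAP-restricted or full-access lease, the same signals Tasks 5 and 7 read from ipconfig /all.
# Assumption: the restricted DNS suffix is restricted.woodgrovebank.com, as set on the scope's
# Default Network Access Protection class in Task 3; pass another value if yours differs.
function Get-NapLeaseState {
    param([string]$RestrictedSuffix = 'restricted.woodgrovebank.com')

    # Only adapters holding a DHCP lease are subject to DHCP enforcement.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DHCPEnabled -and $_.IPAddress }

    foreach ($a in $adapters) {
        # IPAddress and IPSubnet are parallel arrays (IPv4 and IPv6 mixed); walk them by index.
        for ($i = 0; $i -lt $a.IPAddress.Count; $i++) {
            $ip = $a.IPAddress[$i]
            if ($ip -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }   # skip IPv6 entries
            $mask    = $a.IPSubnet[$i]
            $gateway = ($a.DefaultIPGateway -join ',')
            $suffix  = $a.DNSDomain

            # A restricted lease shows all three marks at once: a host mask (255.255.255.255),
            # no default gateway, and the restricted suffix. Any one alone is not conclusive.
            $restricted = ($mask -eq '255.255.255.255') -and (-not $gateway) -and ($suffix -ieq $RestrictedSuffix)
            if ($restricted) { $state = 'Restricted (noncompliant)' } else { $state = 'Full access' }

            New-Object PSObject -Property @{
                Adapter        = $a.Description
                IPv4           = $ip
                SubnetMask     = $mask
                DefaultGateway = $gateway
                DnsSuffix      = $suffix
                State          = $state
            }
        }
    }
}

Get-NapLeaseState | Format-Table Adapter, IPv4, SubnetMask, DefaultGateway, DnsSuffix, State -AutoSize

# The agent's own verdict: per-SHA compliance results and the enforcement clients in use.
# After the DHCP NAP Client GPO applies, the DHCP Quarantine Enforcement Client (ID 79617)
# should show as enabled here; if it is not, the client never reports health and is treated
# as NAP-ineligible, which the Task 2 policy denies full access.
netsh nap client show state
netsh nap client show configuration
```

Run it once before Task 6 (expect Restricted) and again after the ipconfig /renew in Task 7 (expect Full access). Remember what DHCP enforcement is and is not: a client that sets a static address, which is why the scenario rules out malicious users, bypasses it entirely, and the script above would simply report no DHCP-enabled adapter.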

Task 8: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.


Module 10
Lab Instructions: Designing Operating System Deployment and Maintenance
Contents
Exercise 1: Designing an Operating System Deployment Solution
Exercise 2: Designing WDS Deployment
Exercise 3: Designing WDS Images
Exercise 4: Designing a WSUS Deployment
Exercise 5: Discussing Operating System Deployment and Maintenance
Exercise 6: Implementing Multicast Transmissions for Images


Lab: Designing Operating System Deployment and Maintenance

Scenario
Woodgrove Bank would like to design and implement an effective solution for the deployment of operating systems. They would like you to evaluate their requirements and determine the best solution to use within their organization. You are designing a solution for North America that will be used as a template for other regions.

Client machines are running Windows 2000, Windows XP SP2, and Windows Vista. A number of applications, including Microsoft Office 2007 Professional, are installed. Data is stored only in the hub sites, and documents are accessed from file servers in the hub sites over WAN links.

Updating desktops with Microsoft updates is performed using a number of outdated in-house tools. The update process is very time consuming, and some client machines are not properly patched for an extended period. The current process involves each client computer downloading large amounts of data. You want the new solution to consume less bandwidth. The company would like you to design and implement a better update management solution that supports all Microsoft Windows operating systems and Microsoft Office 2007 applications deployed at the bank. You should be able to control which updates are available for download to clients.

All servers and desktop computers are joined to the bank's Active Directory Domain Services (AD DS) domain. Servers are located in data centers in each hub site and connected to the corporate Ethernet using Gigabit network interface cards (NICs). Only the hub site in New York is configured with a perimeter network protected by a firewall. All other branches are connected to a hub site by T1 lines. The hub sites are connected to New York with 10 Mbps WAN links. All routers can support multicasting but are currently using the default configuration. The user desktops are all connected using 100 Mbps NICs, and they acquire their addresses from Microsoft DHCP servers at each location. AD DS uses Microsoft DNS.


The company would like you to design and implement an effective and secure deployment solution for operating systems. The bank wants to replace 2500 computers at the New York location and 1000 computers in Toronto with x86-based computers that run Windows Vista. You also want to upgrade the remaining Windows Server 2003 infrastructure to Windows Server 2008 Standard and Enterprise editions running on an x86 hardware platform. All servers have sufficient hard drive space for an upgrade and have been formatted with the NTFS file system. If possible, you should be able to control the schedule of the deployment, though you have not yet decided on the exact dates. Currently, operating system deployments are done using RIS running on Windows Server 2003 servers, and you want to ensure that the existing processes for building computers are preserved.

Users are concerned that some of their data and personalized settings may be lost during the migration. They are also concerned about their data being exposed to unauthorized users. The security group at the bank is concerned that some machines are not being patched in a timely fashion. They also demand that the new operating system deployment design considers the privacy of users and ensures that security is maintained during and after the migration. Access to the image store needs to be secured to prevent unauthorized users from reading and mounting images.


Exercise 1: Designing an Operating System Deployment Solution


In this exercise, you will review the business and technical requirements for the deployment and maintenance of operating systems and select an appropriate method to deploy operating systems. The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Review information about the current business requirements.
3. Select a deployment solution for operating systems.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Review information about the current business requirements


1. What are the business requirements described in the scenario?
2. What are the requirements for choosing the appropriate operating system deployment solution for the Woodgrove Bank design?

Task 3: Select a deployment solution for operating systems


What deployment solution for operating systems do you recommend and why?


Exercise 2: Designing WDS Deployment


WDS will be used for both deploying new operating systems and ad hoc reimaging of failed workstations. When a single computer is reimaged, the target time for completion is 30 minutes or less. When new batches of computers are imaged, the impact on network performance must be minimized. User profile information should be migrated from the old computers and applied to the new computers. The main tasks for this exercise are:
1. Design WDS infrastructure.
2. Design the deployment process.

Task 1: Design WDS infrastructure


1. Where will WDS servers be located?
2. What types of data need to be stored on each WDS server?
3. How will the impact on network performance be minimized during the deployment of new computers? What are the requirements for this solution?

Task 2: Design the deployment process


1. How will user data be captured from existing workstations and applied to new workstations?
2. What process will be used when deploying new workstations?
3. How will this process vary for reimaging existing workstations?


Exercise 3: Designing WDS Images


It has been determined that each workgroup in Woodgrove Bank requires a different image to accommodate the varying applications required by each group. Four images will be created: for executives, investments, customer services, and branch managers. Within each workgroup, there are varying types of hardware. The imaging process needs to be completely automated so that desktop support staff do not need to provide any input during or after the imaging process. The main task for this exercise is: Design the images and imaging process.

Task 1: Design the images and imaging process


1. How will you accommodate varying types of hardware within each workgroup?
2. What process will you use for image creation?
3. How can you automate the imaging process to ensure that user input is not required?
4. What are the requirements for the boot image?
5. Is there a need to convert existing RIS images to WIM images?


Exercise 4: Designing a WSUS Deployment


Woodgrove Bank has determined that Windows Server Update Services (WSUS) will meet the needs for applying updates to Windows workstations. A WSUS deployment for Woodgrove Bank needs to be designed. Each hub site has 1000 or more computers, while each bank branch has 50 computers or fewer. The main task for this exercise is: Design a WSUS deployment.

Task 1: Design a WSUS Deployment


1. What process will be used to approve updates?
2. Which updates should be downloaded and applied?
3. Which deployment scenario should be used for WSUS servers?
4. Where should WSUS servers be located?
5. What client configuration is necessary?


Exercise 5: Discussing Operating System Deployment and Maintenance


Now that you have completed your design for the deployment and maintenance of operating systems, participate in a discussion with your instructor and the class. The main task for this exercise is: Discuss your design for the deployment and maintenance of operating systems with the instructor and other students.

Task 1: Discuss your design for the deployment and maintenance of operating systems with the instructor and other students

1. With your instructor, discuss the WDS deployment design that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the WDS images design that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the WSUS deployment design that is appropriate for Woodgrove Bank.


Exercise 6: Implementing Multicast Transmissions for Images


The first batch of five new servers has arrived at Woodgrove Bank. A scheduled multicast must be configured to complete imaging these servers with Windows Server 2008. The main tasks for this exercise are:
1. Install the WDS server role.
2. Configure the WDS server.
3. Add images to the WDS server.
4. Configure a multicast.
5. Close all virtual machines and discard undo disks.

Task 1: Install the WDS server role


On NYC-DC1, use Server Manager to install the Windows Deployment Services server role.
   Role services: Deployment Server and Transport Server

Task 2: Configure the WDS server


On NYC-DC1, use the Windows Deployment Services administrative tool to configure WDS on NYC-DC1:
   Folder of operating system images: Accept the default location
   Respond only to known client computers
   Do not add images to the Windows Deployment Server now

Task 3: Add images to the WDS server


1. On NYC-DC1, use the Windows Deployment Services administrative tool to add an install image:
   Image group name: WindowsServer2008
   File location: D:\sources\install.wim
   Deselect Windows Longhorn SERVERDATACENTER
   Deselect Windows Longhorn SERVERDATACENTERCORE
   Use the default name and description for each selected image.
2. Wait while the images are imported into the WindowsServer2008 image group. This can take 10 minutes or more. The process is much faster after the first image is imported.
3. Use the Windows Deployment Services administrative tool to add a boot image:
   File location: D:\sources\boot.wim
   Image description: From Windows Server 2008 DVD

Task 4: Configure a multicast


On NYC-DC1, use the Windows Deployment Services administrative tool to create a multicast transmission:
   Friendly name: First Batch
   Image: Windows Longhorn SERVERENTERPRISE
   Scheduled-Cast that waits for 5 clients
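Tasks 2 through 4 can also be driven from WDSUTIL, which matters once the same server build has to be repeated in Toronto, Miami and Seattle and reviewed for the "respond only to known clients" setting that keeps an unmanaged device from pulling an image off the LAN. The following PowerShell is an added example, not part of the 6435A lab. It assumes the WDS role is already installed (Task 1), that the RemoteInstall folder is created at D:\RemoteInstall (the lab simply accepts the default; this path is the script's choice), that the Windows Server 2008 media is at D:\sources, and the image and group names used in Tasks 3 and 4.

```powershell
# Added example, not part of the 6435A lab: the WDS configuration from Tasks 2 to 4 as a
# repeatable WDSUTIL script. Assumptions (not from the lab): RemoteInstall at D:\RemoteInstall,
# media at D:\sources, WDS role already installed via Server Manager.
$remInst = 'D:\RemoteInstall'
$media   = 'D:\sources'

# Initialize the server, then answer only pre-staged (known) computer accounts. An unknown
# machine that PXE-boots on this LAN gets no reply and cannot download a boot or install image.
& wdsutil /Initialize-Server "/RemInst:$remInst"
& wdsutil /Set-Server /AnswerClients:Known

# When DHCP runs on the same host, WDS must leave UDP 67 to DHCP and advertise with option 60.
if (Get-Service -Name DHCPServer -ErrorAction SilentlyContinue) {
    & wdsutil /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes
}

# Boot image from the DVD, then the install images. WDSUTIL imports every image in the .wim,
# so the two Datacenter images the lab deselects are removed after the import.
& wdsutil /Add-Image "/ImageFile:$media\boot.wim" /ImageType:Boot "/Description:From Windows Server 2008 DVD"
& wdsutil /Add-ImageGroup /ImageGroup:WindowsServer2008
& wdsutil /Add-Image "/ImageFile:$media\install.wim" /ImageType:Install /ImageGroup:WindowsServer2008
foreach ($unwanted in 'Windows Longhorn SERVERDATACENTER', 'Windows Longhorn SERVERDATACENTERCORE') {
    & wdsutil /Remove-Image "/Image:$unwanted" /ImageType:Install /ImageGroup:WindowsServer2008
}

# Scheduled-Cast that starts once five clients have joined, matching the first batch of servers.
& wdsutil /New-MulticastTransmission "/FriendlyName:First Batch" `
    "/Image:Windows Longhorn SERVERENTERPRISE" /ImageType:Install /ImageGroup:WindowsServer2008 `
    /TransmissionType:ScheduledCast /Clients:5

# Review what was created, and confirm the answer policy is Known before leaving the server.
& wdsutil /Get-AllMulticastTransmissions
& wdsutil /Get-Server /Show:Config
```

The argument names follow the WDSUTIL reference that ships with Windows Server 2008 (wdsutil /? lists them); if a command is rejected, check the installed version's help rather than the script. Prestaging the five new servers (their GUIDs or MAC addresses as computer objects in AD DS) is what makes /AnswerClients:Known workable, and it is the control that answers the scenario's requirement that unauthorized users not be able to read images.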



Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.


Module 11
Lab Instructions: Designing File Services and DFS in Windows Server 2008
Contents
Exercise 1: Selecting File Services Components
Exercise 2: Designing DFS
Exercise 3: Designing FSRM
Exercise 4: Implementing DFS
Exercise 5: Implementing FSRM


Lab: Designing File Services and DFS in Windows Server 2008

Scenario
Woodgrove Bank has data distributed on file servers in every hub site in the organization. The North America region is being evaluated, and changes made there will be used as a template for redesigning file services in other regions. North America has four hub sites with branches connected to each one. A hub and spoke design has been used for the WAN, with New York as the hub. The hub sites in North America are:
- New York
- Toronto
- Miami
- Seattle

File services are organized based on workgroups. There is a single file server for each workgroup in each hub site. Occasionally, users need to access workgroup resources in other hub sites over the WAN links. Bank branches access files in the hub sites over WAN links. There is no local file storage in the branches. The file shares in North America are:
\\NYC-FS1\Customer
\\NYC-FS2\Investments
\\NYC-FS3\Managers
\\NYC-FS4\Executives
\\TOR-FS1\Customer
\\TOR-FS2\Investments


\\TOR-FS3\Managers
\\MIA-FS1\Customer
\\MIA-FS2\Investments
\\MIA-FS3\Managers
\\SEA-FS1\Customer
\\SEA-FS2\Investments
\\SEA-FS3\Managers

All file servers use new hardware and run on Windows Server 2008. All storage is local to minimize storage costs. The SAN is used only for application servers.


Exercise 1: Selecting File Services Components


During the initial design process for file services, you have had meetings with various user and management groups. Based on those meetings, the following concerns have been raised:
- Access to files between hub sites is slow for users running Windows XP, particularly file browsing. This occurs even over fast links.
- Within file shares, access to files is limited based on NTFS permissions. However, users are able to see folders to which they do not have access. This is confusing for users and generates help desk calls when users receive an error while trying to open folders to which they do not have access.
- The outage of a file server in any hub site would cause a significant interruption in services to customers. File shares should be highly available within a hub site.
- Storage use is difficult to monitor at this time because it is a manual process. This should be automated to ensure that sufficient capacity is available.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Select a file service component.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Select a file service component


1. How will you address the concern over slow access to files over WAN links?
2. How will you address the concern over users seeing folders to which they do not have permission?
3. How will you implement high availability for file shares?
4. How will you monitor storage utilization?


Exercise 2: Designing DFS


You have decided to implement DFS for Woodgrove Bank. A single namespace will be used to simplify user access to files. A single new file server has been allocated to each hub site to implement high availability. The following requirements have been determined:
- Backup for all file servers will be centralized in New York by using DFS Replication to centralize data.
- Executive data must be made available locally in all hub sites.
- When implementing high availability in each hub site, replication conflicts must be minimized.
- The DFS namespace should provide the simplest possible access to files for users.

The main tasks for this exercise are:
1. Design replication.
2. Design the namespace.

Task 1: Design replication


1. Where will files be stored in each hub site?
2. How will centralized backup be accommodated?

Task 2: Design the namespace


1. How many namespace servers should there be?
2. Should a domain-based or stand-alone namespace be used?
3. List the folders and targets in the DFS namespace.
4. Which options should be used for each folder in the namespace?


Exercise 3: Designing FSRM


Woodgrove Bank currently has no system in place for controlling and monitoring storage utilization. It has been determined that FSRM should be used to monitor and control storage utilization. The Investments file share in Toronto recently ran out of disk space. After the file share content was analyzed, it was found that unauthorized multimedia files were using over 150 GB of storage. To prevent this from happening again, FSRM will be used. The main task for this exercise is: Design FSRM.

Task 1: Design FSRM


1. Should hard or soft quotas be implemented on the Investments folder?
2. What should occur when the quota is reached?
3. How can FSRM be used to prevent multimedia files from being stored on the server?
4. How can you allow multimedia files to be stored in a single folder in the Investments file share?


Exercise 4: Implementing DFS


In this exercise, you begin the implementation of DFS for Woodgrove Bank. NYC-WEB will be the primary server for the Investments documents in New York. NYC-DC1 will be the backup server. The main tasks for this exercise are:
1. Install DFS.
2. Configure the Investments file shares.
3. Create a namespace.
4. Create and configure a namespace folder.
5. Verify replication.

Task 1: Install DFS


1. On NYC-DC1, use Server Manager to install the File Services role with the Distributed File System role service. Do not create a namespace.
2. On NYC-WEB, use Server Manager to install the File Services role with the Distributed File System role service. Do not create a namespace.

Task 2: Configure the Investments file shares


1. On NYC-DC1, create the folder C:\Backup\NYCInvestments.
2. Share C:\Backup\NYCInvestments and give the NYC_InvestmentsGG group Contributor permissions.
3. On NYC-WEB, create the folder C:\Investments.
4. Share C:\Investments and give the NYC_InvestmentsGG group Contributor permissions.

Task 3: Create a namespace


1. On NYC-WEB, use the DFS Management administrative tool to create a new domain-based namespace:
   Name: NA
   Do not enable Windows Server 2008 mode.
2. Add NYC-DC1 as a second namespace server for the \\WoodgroveBank.com\NA namespace.

Task 4: Create and configure a namespace folder


1. On NYC-WEB, in DFS Management, add a new folder inside the \\WoodgroveBank.com\NA namespace:
   Name: Investments
   No targets
2. Create a new folder inside \\WoodgroveBank.com\NA\Investments:
   Name: NYCInvestments
   Target: \\NYC-WEB\Investments
   Target: \\NYC-DC1\NYCInvestments
3. When prompted to create a replication group for the folder targets, use the following settings:
   Replication group name: Use the default provided
   Replicated folder name: Use the default provided
   Primary member: NYC-WEB
   Topology: Full mesh
   Replicate continuously at up to 8 Mbps
4. Configure the \\NYC-DC1\NYCInvestments target of the NYCInvestments namespace folder as Last among all targets on the Advanced tab in the properties of the target.
5. Enable client failback to preferred targets on the Referrals tab in the properties of the NYCInvestments namespace folder.

Task 5: Verify replication


1. On NYC-WEB, create a new text file named InvestmentFile in \\WoodgroveBank.com\NA\Investments\NYCInvestments.
2. Enter some text in InvestmentFile and save the file.
3. On NYC-WEB, verify that InvestmentFile exists in C:\Investments.
4. On NYC-DC1, verify that InvestmentFile exists in C:\Backup\NYCInvestments, the folder shared as NYCInvestments in Task 2.
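Tasks 1 through 5 above, scripted, as an added PowerShell example that is not part of the lab (the lab uses the DFS Management console). It assumes the DFSN and DFSR modules that ship with Windows Server 2012 R2 and later, which the Windows Server 2008 lab machines do not have, PowerShell remoting from NYC-WEB to NYC-DC1, and a replication group name of its own, because the lab only says to accept the console default. Names, shares, paths and the priority and fail-back settings are the lab's.

```powershell
# Added example: Exercise 4, Tasks 1-5 with the DFSN and DFSR modules (Windows Server 2012 R2 or later).
# Assumptions: run on NYC-WEB as a domain admin with remoting to NYC-DC1; $RgName stands in for the
# console's default replication group name, which the lab does not spell out.
$Domain = 'WoodgroveBank.com'
$Group  = 'WoodgroveBank\NYC_InvestmentsGG'
$Root   = "\\$Domain\NA"
$Folder = "$Root\Investments\NYCInvestments"
$RgName = 'NA-Investments-NYCInvestments'      # assumed name

# Task 1: role services on both servers, no namespace yet.
foreach ($s in 'NYC-WEB', 'NYC-DC1') {
    Install-WindowsFeature -ComputerName $s -Name FS-DFS-Namespace, FS-DFS-Replication | Out-Null
}

# Task 2: the data shares. Contributor in the 2008 sharing wizard is the Change share permission.
# Each namespace server also needs a share for the namespace root; the console creates it silently.
Invoke-Command -ComputerName NYC-WEB {
    New-Item C:\Investments, C:\DFSRoots\NA -ItemType Directory -Force | Out-Null
    New-SmbShare -Name Investments -Path C:\Investments -ChangeAccess $using:Group | Out-Null
    New-SmbShare -Name NA -Path C:\DFSRoots\NA -ReadAccess Everyone | Out-Null
}
Invoke-Command -ComputerName NYC-DC1 {
    New-Item C:\Backup\NYCInvestments, C:\DFSRoots\NA -ItemType Directory -Force | Out-Null
    New-SmbShare -Name NYCInvestments -Path C:\Backup\NYCInvestments -ChangeAccess $using:Group | Out-Null
    New-SmbShare -Name NA -Path C:\DFSRoots\NA -ReadAccess Everyone | Out-Null
}

# Task 3: domain-based namespace. DomainV1 is Windows 2000 Server mode, i.e. 2008 mode not enabled.
New-DfsnRoot       -Path $Root -TargetPath '\\NYC-WEB\NA' -Type DomainV1 | Out-Null
New-DfsnRootTarget -Path $Root -TargetPath '\\NYC-DC1\NA' | Out-Null

# Task 4: NYCInvestments with two targets; Investments becomes an intermediate folder with no targets.
# GlobalLow is "Last among all targets"; target fail back returns clients to NYC-WEB once it is up again.
New-DfsnFolder       -Path $Folder -TargetPath '\\NYC-WEB\Investments' -EnableTargetFailback $true | Out-Null
New-DfsnFolderTarget -Path $Folder -TargetPath '\\NYC-DC1\NYCInvestments' -ReferralPriorityClass GlobalLow | Out-Null

# Replication: full mesh between the two members, NYC-WEB primary, continuous and capped at 8 Mbps.
New-DfsReplicationGroup -GroupName $RgName -DomainName $Domain | Out-Null
New-DfsReplicatedFolder -GroupName $RgName -FolderName NYCInvestments -DfsnPath $Folder | Out-Null
Add-DfsrMember     -GroupName $RgName -ComputerName NYC-WEB, NYC-DC1 | Out-Null
Add-DfsrConnection -GroupName $RgName -SourceComputerName NYC-WEB -DestinationComputerName NYC-DC1 | Out-Null   # both directions
Set-DfsrMembership -GroupName $RgName -FolderName NYCInvestments -ComputerName NYC-WEB -ContentPath C:\Investments -PrimaryMember $true -Force | Out-Null
Set-DfsrMembership -GroupName $RgName -FolderName NYCInvestments -ComputerName NYC-DC1 -ContentPath C:\Backup\NYCInvestments -Force | Out-Null
Set-DfsrGroupSchedule -GroupName $RgName -Day Everyday -Hour (0..23) -BandwidthLevel 8Mbps | Out-Null

# Task 5: write through the namespace and poll both members. One immediate read proves nothing:
# initial sync takes minutes, and during that window the primary member wins every conflict.
function Test-InvestmentsReplication {
    param([int]$TimeoutSec = 300)
    $stamp = "replication check $(Get-Date -Format o)"
    Set-Content -Path "$Folder\InvestmentFile.txt" -Value $stamp
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $web = Get-Content '\\NYC-WEB\Investments\InvestmentFile.txt'     -ErrorAction SilentlyContinue
        $dc1 = Get-Content '\\NYC-DC1\NYCInvestments\InvestmentFile.txt' -ErrorAction SilentlyContinue
        if ($web -eq $stamp -and $dc1 -eq $stamp) { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    return $false
}
Test-InvestmentsReplication                                                    # True once both members hold the file
Get-DfsnFolderTarget -Path $Folder | Select-Object TargetPath, ReferralPriorityClass   # NYC-DC1 should show GlobalLow
```

The referral check at the end is the part worth keeping after the lab: a target that silently drops back to normal priority will start receiving clients on the backup server, and nothing in the replication status will tell you.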


Exercise 5: Implement FSRM


In this exercise, you implement FSRM for the Investments file share in New York. The Investments folder on NYC-WEB will be given a storage quota with notifications. The Investments folder will also be configured with file screening to prevent media files from being stored in any folder other than the media folder. The main tasks for this exercise are:
1. Install the FSRM server role.
2. Configure a quota.
3. Configure file screening.
4. Verify file screening.
5. Close all virtual machines and discard undo disks.

Task 1: Install the FSRM server role


1. On NYC-WEB, use Server Manager to add the File Server Resource Manager role service from the File Services role.
   Enable storage usage monitoring on the C: drive
   Report storage location: Use the default provided

Task 2: Configure a quota


1. On NYC-WEB, use the File Server Resource Manager administrative tool to create a new quota.
   Quota path: C:\Investments
   Soft quota, 200 GB limit
   Add a notification that sends e-mail to Administrator@WoodgroveBank.com when 75% of the quota is reached
   Do not create a template

Note: A soft quota only reports; it never blocks a write. The e-mail notification is only sent if an SMTP server has been configured in the File Server Resource Manager options.

Task 3: Configure file screening


1. On NYC-WEB, use the File Server Resource Manager administrative tool to create a file screen on C:\Investments that prevents audio and video files from being stored.
2. Create the folder C:\Investments\media.
3. Use the File Server Resource Manager administrative tool to create a file screen exception on C:\Investments\media that allows audio and video files.

Task 4: Verify file screening


1. On NYC-WEB, create Video.wmv in the C:\Investments\media folder.
2. Copy Video.wmv to the C:\Investments folder.

Note: Copying Video.wmv to the C:\Investments folder is prevented by file screening. The screen matches on the file name pattern (*.wmv and the other patterns in the Audio and Video Files group), not on file contents, so the same file renamed with an unscreened extension is not blocked.
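Tasks 1 through 4 above, scripted, as an added PowerShell example that is not part of the lab (the lab uses the FSRM console). It assumes the FileServerResourceManager module from Windows Server 2012 or later, which the Windows Server 2008 lab machine does not have, and it assumes an SMTP host, because FSRM cannot deliver the 75% notification without one. Paths, the quota size, the recipient and the file group are the lab's. The verification function checks both the block the lab expects and the rename bypass described in the note.

```powershell
# Added example: Exercise 5, Tasks 1-4 with the FileServerResourceManager module (Windows Server 2012 or later).
# Run on NYC-WEB. The SMTP host and sender address are assumptions; nothing else is.
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
Set-FsrmSetting -SmtpServer 'smtp.woodgrovebank.com' -FromEmailAddress 'fsrm@WoodgroveBank.com'   # assumed host

# Task 2: 200 GB soft quota on C:\Investments with an e-mail at 75%. Soft = report only, no write is refused.
$mail = New-FsrmAction -Type Email -MailTo 'Administrator@WoodgroveBank.com' `
            -Subject 'Investments quota at [Quota Threshold]%' `
            -Body '[Source Io Owner] pushed [Quota Path] to [Quota Used MB] MB of [Quota Limit MB] MB.'
$threshold = New-FsrmQuotaThreshold -Percentage 75 -Action $mail
New-FsrmQuota -Path 'C:\Investments' -Size 200GB -SoftLimit -Threshold $threshold | Out-Null

# Task 3: active screen using the built-in 'Audio and Video Files' group, exception on the media folder.
# The exception is path-based, so every other subfolder of C:\Investments stays screened.
New-Item 'C:\Investments\media' -ItemType Directory -Force | Out-Null
New-FsrmFileScreen          -Path 'C:\Investments'       -IncludeGroup 'Audio and Video Files' -Active | Out-Null
New-FsrmFileScreenException -Path 'C:\Investments\media' -IncludeGroup 'Audio and Video Files' | Out-Null

# Task 4: the screen matches file names, not contents, so the test covers the block the lab expects
# and the bypass it does not mention: the same bytes under an unscreened extension are accepted.
function Test-InvestmentsScreen {
    $media = 'C:\Investments\media\Video.wmv'
    Set-Content -Path $media -Value 'constructed sample; the contents do not matter to the screen'
    $blocked = $false
    try   { Copy-Item $media 'C:\Investments\Video.wmv' -ErrorAction Stop }
    catch { $blocked = $true }                        # expected: access denied from the active screen
    $renamedAllowed = $false
    try   { Copy-Item $media 'C:\Investments\Video.txt' -ErrorAction Stop; $renamedAllowed = $true }
    catch { }
    Remove-Item 'C:\Investments\Video.txt' -ErrorAction SilentlyContinue
    return [pscustomobject]@{ WmvBlocked = $blocked; RenamedCopyAllowed = $renamedAllowed }
}
Test-InvestmentsScreen        # WmvBlocked True, RenamedCopyAllowed True when the screen is working as designed
```

Use the quota and screen reports (Get-FsrmQuota, Get-FsrmFileScreen, and the FSRM event log entries) rather than the copy test as the ongoing check; the copy test is for proving the configuration once.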

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.


Module 12
Lab Instructions: Designing High Availability in Windows Server 2008
Contents
Exercise 1: Designing High Availability for a Stateless Application
Exercise 2: Designing High Availability for a Stateful Application
Exercise 3: Designing a Geographically Dispersed Cluster
Exercise 4: Implementing NLB


Lab: Designing High Availability in Windows Server 2008

Scenario
Woodgrove Bank provides several online applications for customers. Some customers recently experienced outages that caused a loss of goodwill among current and potential customers. One outage in the online banking system was of such an extended duration that it was reported on national news in North America. The public Web site and Online banking applications for Woodgrove Bank must now be evaluated and made highly available.


Exercise 1: Designing High Availability for a Stateless Application


The public Web site for Woodgrove Bank is a stateless application. A recent outage was embarrassing for the company, and a new project team has been created to increase the availability of the public Web site. The public Web site is hosted on a Windows Server 2008 server with the Web Server (IIS) role installed. Updates are performed by using a customized content management system on a development server. Users from various departments have been given permissions to modify only the portion of the Web site they are responsible for. Site updates are pushed from the development server to the production server once per day. The requirements for the public Web site are:
- The process for updating content cannot change because it would require too much user training.
- Maintenance on an individual server must not affect Web site availability.
- The solution should be scalable to accommodate traffic increases as Woodgrove Bank expands.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine how to provide high availability.
3. Determine how to configure NLB.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. In the Lab Launcher, next to 6435A-NYC-RAS, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
7. Log on to NYC-RAS as Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Determine how to provide high availability


1. How can a Web site be made highly available by using Windows Server 2008?
2. How will the need for availability during maintenance be accommodated?
3. How will the need for scalability be accommodated?
4. What other components need to be considered as part of the high availability solution?
5. What should you consider when determining whether the application should be hosted locally or outsourced?

Task 3: Determine how to configure NLB


1. When configuring a port rule, which ports should be included?
2. How will affinity be configured?
3. How will host priority be configured?
4. How will networking be configured?
5. How will data be synchronized between servers in the NLB cluster?


Exercise 2: Designing High Availability for a Stateful Application


The online banking application used by bank customers recently experienced an outage that was reported in the media. This caused a significant loss of goodwill, and a new project team has been created to increase the availability of the online banking application. The online banking application has a Web front-end and a SQL Server back-end. Customers log on to the Web front-end server, and code on the Web front-end server sends SQL queries to the SQL Server back-end. The SQL Server back-end requires that only a single set of data is used. The SQL Server supports using locally attached storage or a SAN. The requirements for the online banking application are:
- The application must be scalable as the number of customers increases.
- Maintenance on an individual server must not affect application availability.
- Client data must be hosted locally.

The main tasks for this exercise are:
1. Determine how to configure NLB for the Web front-end.
2. Determine how to provide high availability for the SQL Server back-end.

Task 1: Determine how to configure NLB for the Web front-end


1. When configuring a port rule, which ports should be included?
2. How will affinity be configured?
3. How will data be synchronized between servers in the NLB cluster?

Task 2: Determine how to provide high availability for the SQL server back-end
1. How can the SQL Server be made highly available by using Windows Server 2008?
2. How can the SQL Server be scaled as capacity increases?
3. How will maintenance be accommodated?


Exercise 3: Designing a Geographically Dispersed Cluster


Woodgrove Bank has an investments database that hosts all client account information for North America. It is critical that this database is available at all times. Failover clustering has been used for this database, but a disaster planning exercise determined that the company is vulnerable to a disaster at the New York hub site, where this application is based. A new disaster recovery hot site is being rented in Chicago to host critical applications and data. The investments database will be part of a geographically dispersed failover cluster with one active node in New York and a passive node in the Chicago disaster recovery hot site. Requirements for the geographically dispersed failover cluster are:
- Failover must be automatic if the New York site fails.
- Data integrity is an absolute requirement.
- There is a small tolerance for data loss due to synchronization between sites during failover.
Additional information on the physical network is available in M12_NANetwork.png.

The main task for this exercise is: Design a geographically dispersed cluster.

Task 1: Design a geographically dispersed cluster


1. What special hardware requirements are there for a geographically dispersed failover cluster?
2. What additional network links are required to provide availability after the New York location fails?
3. What quorum configuration should be used for the failover cluster?


Exercise 4: Implementing NLB


As the first step in deploying NLB for the public Web site, you need to configure NLB in your test lab. You will first configure Web sites on NYC-WEB and NYC-RAS, and then add both servers to an NLB cluster. The main tasks for this exercise are:
1. Prepare the network connections.
2. Create a DNS record for the NLB cluster.
3. Configure Web sites.
4. Verify Web site functionality.
5. Install the Network Load Balancing feature.
6. Create an NLB cluster.
7. Add NYC-RAS to the NLB cluster.
8. Configure a port rule for load balancing.
9. Verify cluster functionality.
10. Close all virtual machines and discard undo disks.

Task 1: Prepare the network connections


1. On NYC-WEB, configure Local Area Connection 2 with an IP address of 10.10.0.201 and a subnet mask of 255.255.0.0.
2. On NYC-RAS, configure Local Area Connection 2 with an IP address of 10.10.0.202 and a subnet mask of 255.255.0.0.

Task 2: Create a DNS record for the NLB cluster


1. On NYC-DC1, use the DNS administrative tool to create a new host record in the WoodgroveBank.com domain:
   Name: webapp
   IP address: 10.10.0.200

Task 3: Configure Web sites


1. On NYC-RAS, use Server Manager to add the Web Server (IIS) server role.
2. Copy the file \\NYC-DC1\e$\Mod12\Labfiles\RAS.txt to C:\Inetpub\wwwroot\default.htm.
3. On NYC-WEB, copy the file \\NYC-DC1\e$\Mod12\Labfiles\WEB.txt to C:\Inetpub\wwwroot\default.htm.

Task 4: Verify Web site functionality


On NYC-DC1, use Internet Explorer to view the following Web sites:
   http://nyc-web.woodgrovebank.com
   http://nyc-ras.woodgrovebank.com
   http://webapp.woodgrovebank.com

Note: Access to webapp.woodgrovebank.com will fail because the NLB cluster is not configured yet.

Task 5: Install the Network Load Balancing feature


1. On NYC-WEB, use Server Manager to install the Network Load Balancing feature.
2. On NYC-RAS, use Server Manager to install the Network Load Balancing feature.


Task 6: Create an NLB cluster


On NYC-WEB, use the Network Load Balancing Manager administrative tool to create a new cluster.
   Connect to NYC-WEB
   Use the Local Area Connection 2 interface
   Accept the default host parameters
   Cluster IP address: 10.10.0.200
   Subnet mask: 255.255.0.0
   Full Internet name: webapp.woodgrovebank.com
   Operation mode: Unicast
   Accept the default port rules

Note: In unicast mode NLB replaces the adapter's MAC address with the cluster MAC address, so the nodes cannot reach each other through Local Area Connection 2. That is why the cluster is built on a second adapter and the first adapter is left for management and node-to-node traffic.

Task 7: Add NYC-RAS to the NLB cluster


On NYC-RAS, use the Network Load Balancing Manager administrative tool to connect to the existing cluster named webapp.woodgrovebank.com on NYC-WEB. Add NYC-RAS as a node to the cluster.
   Use the Local Area Connection 2 interface
   Accept the default host parameters
   Accept the default port rules

Task 8: Configure a port rule for load balancing


1. On NYC-WEB, use the Network Load Balancing Manager administrative tool to open the properties of the cluster.
2. On the Port Rules tab, edit the existing rule with the following settings:
   Port range: from 80 to 80
   Protocols: TCP
   Filtering mode: Multiple host
   Affinity: None

Note: Traffic to a port that no rule covers is handled by the default host (the node with the highest priority) alone, so if the site is later served over HTTPS, TCP 443 needs its own rule. Affinity None is appropriate only because the site is stateless; an application that keeps session state on the node needs Single affinity or shared session state.

Task 9: Verify cluster functionality


On NYC-DC1, use Internet Explorer to view the Web site on the NLB cluster. http://webapp.woodgrovebank.com
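Tasks 1, 2 and 5 through 9 above, scripted, as an added PowerShell example that is not part of the lab (the lab uses NLB Manager and the DNS console). It assumes the NetworkLoadBalancingClusters, NetTCPIP and DnsServer modules from Windows Server 2012 or later, which the Windows Server 2008 lab machines do not have, and it assumes that the WEB.txt and RAS.txt pages copied in Task 3 contain the strings WEB and RAS respectively, which the lab does not state. Interface names, addresses and cluster settings are the lab's.

```powershell
# Added example: Exercise 4, Tasks 1, 2 and 5-9 with the NLB, NetTCPIP and DnsServer modules
# (Windows Server 2012 or later). Run on NYC-WEB with remoting to NYC-RAS and NYC-DC1.
$Iface = 'Local Area Connection 2'

# Task 1: the dedicated NLB interface on each node. Unicast mode rewrites this adapter's MAC to the
# cluster MAC, so node-to-node and management traffic must stay on the first adapter.
Invoke-Command -ComputerName NYC-WEB { New-NetIPAddress -InterfaceAlias $using:Iface -IPAddress 10.10.0.201 -PrefixLength 16 | Out-Null }
Invoke-Command -ComputerName NYC-RAS { New-NetIPAddress -InterfaceAlias $using:Iface -IPAddress 10.10.0.202 -PrefixLength 16 | Out-Null }

# Task 2: the cluster name resolves to the virtual IP only, never to a node address.
Add-DnsServerResourceRecordA -ComputerName NYC-DC1 -ZoneName 'WoodgroveBank.com' -Name 'webapp' -IPv4Address 10.10.0.200

# Task 5: the feature on both nodes.
foreach ($n in 'NYC-WEB', 'NYC-RAS') { Install-WindowsFeature -ComputerName $n -Name NLB -IncludeManagementTools | Out-Null }

# Tasks 6-8: create the cluster, replace the catch-all default rule with TCP/80 only, then add the
# second node. The rule is set before the join so both hosts start with identical port rules.
Import-Module NetworkLoadBalancingClusters
New-NlbCluster -HostName NYC-WEB -InterfaceName $Iface -ClusterName 'webapp.woodgrovebank.com' `
    -ClusterPrimaryIP 10.10.0.200 -SubnetMask 255.255.0.0 -OperationMode Unicast | Out-Null
Get-NlbClusterPortRule -HostName NYC-WEB | Remove-NlbClusterPortRule -Force | Out-Null
Add-NlbClusterPortRule -HostName NYC-WEB -StartPort 80 -EndPort 80 -Protocol TCP -Mode Multiple -Affinity None | Out-Null
Add-NlbClusterNode -HostName NYC-WEB -NewNodeName NYC-RAS -NewNodeInterface $Iface | Out-Null

# Task 9: hit the VIP on fresh TCP connections and count which node answered. With Affinity None the
# hash covers source port, so new connections from one client spread across both hosts; keep-alive
# would pin every request to whichever host took the first connection and hide a broken node.
function Test-WebappCluster {
    param([int]$Requests = 20, [string]$Url = 'http://webapp.woodgrovebank.com/')
    $seen = @{}
    for ($i = 0; $i -lt $Requests; $i++) {
        $body = (Invoke-WebRequest -Uri $Url -UseBasicParsing -DisableKeepAlive).Content
        $node = if ($body -match 'RAS') { 'NYC-RAS' } elseif ($body -match 'WEB') { 'NYC-WEB' } else { 'unknown' }
        $seen[$node] = 1 + [int]$seen[$node]
    }
    return $seen      # both NYC-WEB and NYC-RAS should appear; one key only means a single host is serving
}
Get-NlbClusterNode -HostName NYC-WEB | Select-Object Name, State     # both should report Converged
Test-WebappCluster
```

Run Test-WebappCluster from NYC-DC1 or another machine outside the cluster; a node cannot reach the VIP through its own NLB adapter in unicast mode, so results from NYC-WEB itself are misleading.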

Task 10: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.


Module 13
Lab Instructions: Designing Print Services in Windows Server 2008
Contents
Exercise 1: Selecting a Print Services Design
Exercise 2: Designing User Access to Printers
Exercise 3: Designing High Availability for Printing
Exercise 4: Implementing IPP
Exercise 5: Deploying Printers by Using Group Policy


Lab: Designing Print Services in Windows Server 2008

Scenario
Woodgrove Bank is reevaluating the design of print services for the organization. You must determine a new print services design, design user access, and design high availability for printing. Then, you will implement IPP and distribute a printer by using Group Policy.


Exercise 1: Selecting a Print Services Design


Woodgrove Bank currently uses direct IP printing. This configuration was initially selected when there were many desktop support staff allocated to each department. You must reevaluate the print services design based on the following criteria:
- The print services design must be cost effective for a large environment.
- A few users require absolute privacy for their printing.
- Branch locations use Terminal Services to run applications that print.
- Administrators must be able to manage all printers from a remote location.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Select a print services design.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-CL1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Select a print services design


1. Which print services design is most cost effective in a large network?
2. How will you address the requirement for users that require privacy?
3. How will you address concerns about printing for Terminal Services applications in the branches?
4. How will printer management be performed?


Exercise 2: Designing User Access to Printers


Woodgrove Bank is reevaluating how users access printers and the features available in Windows Server 2008. Use the following to create a design for user access to printers:
- Users with stationary desktop computers should have printers automatically installed, based on their physical location.
- Roaming users with laptops should be able to install an appropriate printer, based on the physical location they are in.
- Printing from over the Internet is not required.

The main task for this exercise is: Design user access to printers.

Task 1: Design user access to printers


1. How will printers be installed on stationary desktop computers?
2. How will printers be installed for roaming users with laptops?


Exercise 3: Designing High Availability for Printing


Each hub site at Woodgrove Bank has several instances of a customer service application running. Each instance is configured to use a separate but identical printer. If a printer fails, large batch jobs are recreated on another instance of the application. All printers are serviced by a single print server. Woodgrove Bank has estimated that resubmitting jobs is costing several million dollars per year. Improving printing reliability for this application has been added to the current year's budget. The main task for this exercise is: Determine a method for increasing availability.

Task 1: Determine a method for increasing availability


1. Which availability method can prevent downtime due to printer failure?
2. Which availability method can prevent downtime due to a server failure?
3. How can you prevent downtime based on both printer failure and server failure?
4. What limitations may prevent you from implementing your plan for increasing availability?


Exercise 4: Implementing IPP


Woodgrove Bank is planning on implementing Web-based maps for users to install printers. It has been decided to use IPP printing for distribution of printer drivers by using hot spots on the maps. The first implementation is installing IPP printing and testing it. The main tasks for this exercise are:
1. Install the Print Services role.
2. Create a new printer.
3. Install a printer by using IPP.

Task 1: Install the Print Services role


1. On NYC-DC1, use Server Manager to install the Print Services role. Add the Internet Printing role service.
   Add the required role services
   Accept the default options for installation
2. Accept the default options for installation of the Web Server (IIS) role.

Task 2: Create a new printer


1. On NYC-DC1, use the Print Management administrative tool to install a new printer on the NYC-DC1 print server.
   TCP/IP or Web Services printer
   Type of device: TCP/IP device
   IP address: 10.10.0.250
   Do not auto detect the printer driver to use
   Generic network card
   Install a new driver: Dell 3100cn PS
2. Share the printer with default settings.

Task 3: Install a printer by using IPP


1. On NYC-CL1 in Internet Explorer, add http://NYC-DC1.WoodgroveBank.com as an Intranet site on the Security tab of Internet Options.
2. On the Security tab of Internet Options, disable Protected Mode to support installation of UNC-based printers. Re-enable Protected Mode when the test is complete.
3. Restart Internet Explorer.
4. Open the http://NYC-DC1.WoodgroveBank.com/Printers Web site.
5. View the Dell 3100cn PS printer and connect to it.
6. Open the Printers folder and read the printer name to verify that it was installed as a connection to the print server nyc-dc1.woodgrovebank.com rather than as a URL starting with http. When the client can reach the print server directly, the Internet Printing page installs a normal UNC connection; the http connection is used only when the UNC path is unreachable.


Exercise 5: Deploying Printers by Using Group Policy


Woodgrove Bank has decided to distribute printers by using Group Policy. In your test lab you would like to test the process for deploying a printer to an entire domain of users. The main tasks for this exercise are:
1. Create a new printer.
2. Add the printer to a Group Policy.
3. Test the installation of a printer by using Group Policy.
4. Close all virtual machines and discard undo disks.

Task 1: Create a new printer


1. On NYC-DC1, use the Print Management administrative tool to install a new printer on the NYC-DC1 print server.
   TCP/IP or Web Services printer
   Type of device: TCP/IP device
   IP address: 10.10.0.251
   Do not auto detect the printer driver to use
   Generic network card
   Install a new driver: Dell 3100cn PCL6
2. Share the printer with default settings.

Task 2: Add the printer to a Group Policy


1. On NYC-DC1, in the Print Management administrative tool, right-click the Dell 3100cn PCL6 printer and deploy it with Group Policy.
2. Browse and create a new Group Policy Object named Domain Printers in WoodgroveBank.com.
3. Apply the printer to users rather than computers.

Task 3: Test the installation of a printer by using Group Policy


1. On NYC-CL1, update Group Policy by running gpupdate at a command prompt.
2. Log off NYC-CL1.
3. Log on to NYC-CL1 as Woodgrovebank\Administrator with a password of Pa$$w0rd.
4. Verify that the Dell 3100cn PCL6 printer has been installed.
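The printer creation procedure that Exercise 4 Task 2 and Exercise 5 Task 1 both perform, plus the client-side check in the task above, as an added PowerShell example that is not part of the lab (the lab uses the Print Management console). It assumes the PrintManagement module from Windows Server 2012 or later, which the Windows Server 2008 lab machines do not have, and that the two Dell drivers are already in the driver store, as they are in the lab. The GPO itself is still created through the console as in Task 2; the script only confirms the resulting per-user connection.

```powershell
# Added example: Exercise 4 Tasks 1-2 and Exercise 5 Tasks 1 and 3 with the PrintManagement module
# (Windows Server 2012 or later). The server part runs on NYC-DC1; the drivers are assumed to be in
# the driver store already, so Add-PrinterDriver only registers them.
Install-WindowsFeature Print-Server, Print-Internet -IncludeManagementTools | Out-Null   # Print-Internet pulls in IIS

function New-SharedTcpPrinter {
    param([string]$Name, [string]$Driver, [string]$Address)
    if (-not (Get-PrinterPort -Name $Address -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $Address -PrinterHostAddress $Address        # Standard TCP/IP port, no autodetect
    }
    if (-not (Get-PrinterDriver -Name $Driver -ErrorAction SilentlyContinue)) {
        Add-PrinterDriver -Name $Driver                                    # must already be in the driver store
    }
    # Shared with the default share name and published to Active Directory, as the console's defaults do.
    Add-Printer -Name $Name -DriverName $Driver -PortName $Address -Shared -ShareName $Name -Published
    Get-Printer -Name $Name
}
New-SharedTcpPrinter -Name 'Dell 3100cn PS'   -Driver 'Dell 3100cn PS'   -Address 10.10.0.250   # Exercise 4
New-SharedTcpPrinter -Name 'Dell 3100cn PCL6' -Driver 'Dell 3100cn PCL6' -Address 10.10.0.251   # Exercise 5

# Exercise 5, Task 3, run on NYC-CL1 in the session of the user the GPO targets. A per-user deployed
# printer is only visible from that user's session, so a check from an elevated admin console can
# report it missing even when the policy applied.
function Test-DeployedPrinter {
    param([string]$ShareName = 'Dell 3100cn PCL6', [string]$Server = 'NYC-DC1')
    gpupdate /target:user /force | Out-Null
    $conn = Get-Printer | Where-Object { $_.Type -eq 'Connection' -and $_.Name -like "\\$Server*\$ShareName" }
    return [bool]$conn
}
Test-DeployedPrinter     # True once the Domain Printers GPO has applied to the logged-on user
```

Get-Printer on the client reads the connection name as the server plus share, which is also how to tell a UNC connection from an http (IPP) one in Exercise 4: an IPP connection's name begins with http.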

Task 4: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.


Module 1
Lab Answer Key: Overview of Network Infrastructure
Contents
Exercise 1: Preparing for a Network Infrastructure Design
Exercise 2: Designing the Network Topology
Exercise 3: Designing Network Infrastructure for Virtualization
Exercise 4: Designing a Change Management Plan
Exercise 5: Lab Discussion


Lab: Designing Network Infrastructure in Windows Server 2008


Exercise 1: Preparing for a Network Infrastructure Design
Task 1: Read the scenario and supporting documents
1. Read the scenario.
2. Open and read the following documents from the Labdocs folder on your student CD:
   M1_Locations.doc
   M1_Physical.png
   M1_VirtualMachines.doc

Task 2: Discuss whether additional information is required


1. With your instructor, discuss what additional information, if any, is required to create a network infrastructure design. There is no specific information that is required for the completion of this lab other than that provided in the scenario and supporting documentation.
2. With your instructor, determine what data can be assumed for completing the remainder of the lab. At the discretion of the instructor and students, additional information can be added as an assumption that is used during further exercises. No specific assumptions are required.

Exercise 2: Designing the Network Topology


Task 1: Design the WAN links between regions
1. Determine what WAN links will be created between regions. There should be a ring network between the three regions. This configuration allows a single WAN link to fail, but still provides full connectivity between the regions. If a single region becomes completely unavailable, the two remaining regions are still able to communicate.

2. Determine which hub site in each region should be connected to other regions. The hub sites generating the most inter-regional communication should serve as the bridgehead for communication with other regions. In this case, the largest hub site in each region should serve as a bridgehead to communicate with other regions.

3. Determine how fast the WAN links between regions will be. The speed of WAN links between regions must be sufficient to support the batch transfers and voice over Internet protocol (VoIP) traffic. To move 1 GB of data within two hours, a WAN link must be approximately 1.5 Mbps. The requirements for data (.5 Mbps) and VoIP (.5 Mbps) bring that requirement up to 2.5 Mbps during the bulk transfers.

Task 2: Design the WAN links between hub sites in North America
1. Determine what WAN links will be created between hub sites in North America. There should be a ring network between the three hub sites in North America. This configuration allows a single WAN link to fail, but still provides full connectivity between the hub sites. If a single hub site becomes completely unavailable, the two remaining hub sites are still able to communicate. However, if there were 10 or 15 hub sites, a ring network would result in inefficient communication.


2. Determine how fast the WAN links will be between hub sites in North America. The speed of the WAN links between hub sites must support 2 Mbps of general traffic and .5 Mbps of VoIP traffic, an overall average requirement of 2.5 Mbps. However, these links should be sized closer to or even beyond peak utilization. Peak utilization is 6.5 Mbps.

Task 3: Design the WAN links to the new Canadian branches


Determine how fast the WAN links will be between the new Canadian branches and the Toronto hub site. The primary concern for the branch locations is ensuring that the WAN links are fast enough to support Terminal Services traffic and VoIP. With 50 users in each location, 500 Kbps of traffic is generated by Terminal Services and 250 Kbps is generated by VoIP for a total of 750 Kbps.

Task 4: Design the connectivity for the newly purchased Washington State regional bank
Determine how Seattle and other branches will be connected to Woodgrove Bank. The first determination that must be made is whether Seattle will be a new hub site. This is the simplest for implementation and makes sense at least until those new branches are fully integrated into the applications of Woodgrove Bank. The WAN links between the branches and Seattle will also need to be evaluated to ensure they have enough bandwidth to support any new applications that will be put in place as part of the merger with Woodgrove Bank. Assuming that Seattle is designated as a new hub site, it should be included in the ring network that is used by other North American hub sites.

Task 5: Design the tiers for the network within a hub site
1. Determine the number of tiers that should be used. Within a hub site, traffic should be tiered to increase manageability. There are typically three tiers.
2. Determine the resources that will be placed in each tier. The first tier is the high-speed backbone tier. The second tier should contain network services and servers that are used by multiple workgroups. The third tier should contain workgroup servers, user computers, and devices such as printers.

Exercise 3: Designing Network Infrastructure for Virtualization


Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Review the MAC addresses used for virtualization


1. On your host computer, click Start, point to All Programs, point to Microsoft Virtual Server, and then click Virtual Server Administration Website.
2. Point to 6435A-NYC-DC1, and then click Edit Configuration.
3. Write down the MAC address listed under Network adapters.


4. Click Network adapters. Notice that you can select the network that the virtual adapter is connected to. You can select whether the MAC address for the virtual adapter is assigned dynamically or statically.
5. Close Internet Explorer.

Task 3: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Task 4: Determine the network connectivity required for each host server
1. Determine the network connectivity required for NYC-HOST1. 2. A dedicated 1 Gbps Ethernet adapter for connectivity to the iSCSI SAN for NYC-EX1 A shared 1 Gbps Ethernet adapter for backups on all VMs A shared 1 Gbps Ethernet adapter for client connectivity to the VMs

Determine the network connectivity required for NYC-HOST2. A dedicated 1 Gbps Ethernet adapter for connectivity to the iSCSI SAN for NYC-EX2 A shared 1 Gbps Ethernet adapter for backups on all VMs A shared 1 Gbps Ethernet adapter for client connectivity to the VMs

3.

Determine the network connectivity required for NYC-HOST3. A dedicated Fiber Channel adapter for NYC-APP3 A dedicated 1 Gbps Ethernet adapter for NYC-APP3 A dedicated Fiber Channel adapter for NYC-SQL1 A dedicated 1 Gbps Ethernet adapter for NYC-SQL1 A shared 1 Gbps Ethernet adapter for backups on all VMs

Exercise 4: Designing a Change Management Plan


Task 1: Determine stakeholders who should be involved in the change management process
1. Determine which IT roles should be part of the change management process. All IT areas should have a representative that is part of the change management process. By having all areas review changes, the chances of unintended consequences for a change are minimized.

2. Determine which non-IT roles should be part of the change management process. All business areas within the organization should have a representative involved in the change management process. This ensures that outages do not have an impact on business units during critical periods such as year end or a high sales season.

Task 2: Determine the process for submitting and approving a change


1. Determine who should submit a change request. In most cases, the person planning a change will be the person submitting a change request. This person is also responsible for responding to any concerns about the change. This person may or may not also implement the change.

2. Determine when changes can be implemented. Most applications and network infrastructure components are allocated daily, weekly, or monthly outages for maintenance. Changes are typically performed at this time. However, special approval can be made for changes outside of that time period.

3. Determine who can approve change requests. Change requests are typically approved by a change committee that is composed of representatives from IT and business units. In a large organization, there is usually a meeting of the change committee once per week, and changes must be planned accordingly.

4. Determine an alternate process for emergency changes. When emergency changes are required to repair a system that is failing, the process will be abbreviated. An emergency change can be submitted at any time, but is typically reviewed only by a subset of the change committee. In some cases, it may be only the change manager who is required to approve the change. However, emergency changes must be thoroughly documented after completion.

5. Determine who can approve emergency changes. The people who approve emergency changes must have a good understanding of the overall IT systems to ensure that they understand the risks created by the emergency change. Often the Change Manager has authority to approve emergency changes, but will confer with other experts to ensure that no unnecessary risks are taken.

Task 3: Design a change request form


Determine what information should be included in a change request. The file M1_ChangeRequestTemplate.doc in the Labdocs folder of the student CD is an example of a change request form.

Exercise 5: Lab Discussion


Task: Participate in a group discussion about your design decisions
1. As a group, discuss why you made the design decisions you did for the network topology.
2. As a group, discuss the specific concerns for virtualization and how they can be addressed.
3. As a group, discuss how the change management plan will be implemented.


Module 2
Lab Answer Key: Designing Network Security
Contents:
Exercise 1: Identifying a Team for the Security Plan Scenario
Exercise 2: Identifying Threats
Exercise 3: Analyzing Risk
Exercise 4: Implementing Password Policies


Lab: Designing a Network Security Plan


Exercise 1: Identifying a Team for the Security Plan Scenario
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Design a security design process


What steps need to be performed when designing network security? The steps are:
a. Create a security design team
b. Perform threat modeling
c. Perform risk management
d. Design security measures
e. Detect and react
f. Manage and review

Task 3: Design a team for the security plan


1. What are the necessary roles for a security design team? Required roles: sponsor, product management, project management, development, testing, user experience. Optional roles: legal, human resources, managers, end users, auditors.

2. Which person should be the sponsor for this project? A sponsor should be relatively high up in the organization to give the project credibility and access to resources. Claudia Mangel, the CIO, best meets these objectives.

3. Which people should be involved from product management? It is unlikely that the people with overall responsibility for Branch Management, Customer Service, Investments, and Marketing would be part of the security design team. However, a relatively high-level person from each of those departments should be on the team to liaise with the departments and make sure that departmental interests are represented.

4. Which person should be the project manager? The project manager should be someone with extensive project management experience. Ideally, this person also has relationships throughout the organization. In most cases, this will be a specialized project manager rather than a person already in the IT department.

5. Which people should be involved in development of security measures? The technical staff will be involved in developing security measures. Depending on the security measure being developed, this could include staff from Active Directory support, Networking, Applications, Server support, and Desktop support. All of these areas should be represented on the security design team. The specific person from each area may be the manager listed in the organizational chart or a highly knowledgeable expert from that area.

6. Which people should be involved in testing? Testing of security measures should involve technical staff that represent each area, similar to those performing the development role. However, the people performing development should not also perform testing. You can also consider having a third party perform testing.

7. Which people should be involved in user experience? The people involved in user experience should be a combination of technical staff and business staff so that both points of view are taken into account. Actual end users should be involved in usability testing at some point as well.

Exercise 2: Identifying Threats


Task: Identify risks to resources
1. Use the STRIDE model to identify risks to resources in the perimeter network.

STRIDE category: Example risk
Spoofing: Attackers could use password attacks to log on to the VPN servers or customer applications
Tampering: Attackers could modify Web site contents to provide false information
Repudiation: Users could deny making account transfers and bill payments
Information disclosure: Customer information could be stolen by attackers
Denial of service: Attackers could exploit an application flaw to create a denial of service attack
Elevation of privilege: Attackers could exploit an application flaw to elevate privileges and execute arbitrary code

2. Use the STRIDE model to identify risks to resources on the internal network.

STRIDE category: Example risk
Spoofing: A staff person could log on by using a co-worker's user ID
Tampering: A disgruntled staff person could place incorrect information in documents or delete data
Repudiation: Staff could deny making changes to a customer account
Information disclosure: Private investment information could be accessed by unauthorized customer service staff
Denial of service: Attackers (internal) could exploit an application flaw to create a denial of service attack
Elevation of privilege: Attackers (internal) could exploit an application flaw to elevate privileges and execute arbitrary code

3. Use the Defense-in-Depth model to identify risks to resources on the network.

Layer: Example risk
Data: Customer account information could be stolen
Application: Application flaws can be exploited for denial of service
Host: Operating system flaws can be exploited to elevate privileges
Internal network: Unauthorized users could connect to the network and attempt to attack network resources
Perimeter: Attackers could attempt to gain access to resources in the perimeter network
Physical security: Lost mobile devices could result in valuable corporate data being lost
Policies, procedures, and awareness: Employees could take confidential information offsite when it is less secure

Exercise 3: Analyzing Risk


Task 1: Determining risk impact.
1. What is the risk impact for a denial of service attack on the Web application for investors? The risk impact is: .02 x ($50,000,000 + $100,000,000) = $3,000,000
2. What is the risk impact for a password attack on the Web application for customer service accounts? The risk impact is: .03 x ($2,000,000 + $50,000,000) = $1,560,000
3. What is the risk impact for an attack on the Web server with general information for customers that puts false information on the Web site? The risk impact is: .05 x ($0 + $20,000,000) = $1,000,000

Task 2: Determine how to allocate your security budget.


1. Which projects will you fund based on your budget? With the current budget of $500,000, not all projects can be funded. The denial of service attack on the investor application has the highest risk impact and should be funded first, at a cost of $200,000 for more advanced firewalls. There is only enough budget left to fund additional security measures on the general information Web site, at a cost of $100,000.

2. Can you make an effective argument to management for more security funding? An additional $200,000 is required to implement two-factor authentication for the customer service application. This additional budget will eliminate $1,560,000 of risk impact. This is an excellent value for the additional cost and can be presented to management for additional budget.
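The risk impact formula and the budget allocation behind Tasks 1 and 2, as an added Python example that is not part of the Microsoft course materials. The $400,000 cost of two-factor authentication is an assumption chosen to match the "additional $200,000" above; every other figure is the answer key's.

```python
# Added example, not part of the 6435A course materials: the risk impact
# formula used in Exercise 3 (probability x sum of exposed asset values)
# and the greedy budget allocation behind Task 2's answers.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float          # likelihood used by the answer key
    exposed_values: tuple       # asset values at stake, in dollars
    mitigation_cost: int        # cost of the countermeasure, in dollars

    @property
    def impact(self) -> float:
        """Risk impact as computed in Task 1."""
        return self.probability * sum(self.exposed_values)

    @property
    def value_ratio(self) -> float:
        """Dollars of risk impact removed per dollar spent on mitigation."""
        return self.impact / self.mitigation_cost


# Figures from the answer key.  The $400,000 two-factor authentication
# cost is an assumption chosen so that, after the other two projects are
# funded, the shortfall equals the "additional $200,000" in Task 2.
LAB_RISKS = (
    Risk("Denial of service on the investor Web application",
         0.02, (50_000_000, 100_000_000), 200_000),
    Risk("Password attack on the customer service application",
         0.03, (2_000_000, 50_000_000), 400_000),
    Risk("False information on the general information Web site",
         0.05, (0, 20_000_000), 100_000),
)


def allocate_budget(risks, budget):
    """Fund mitigations in descending order of risk impact.

    Returns (funded_names, unfunded, remaining).  Each unfunded entry is
    (name, shortfall): the extra money needed on top of what is left,
    which is the figure to take to management.
    """
    funded, skipped = [], []
    remaining = budget
    for risk in sorted(risks, key=lambda r: r.impact, reverse=True):
        if risk.mitigation_cost <= remaining:
            funded.append(risk.name)
            remaining -= risk.mitigation_cost
        else:
            skipped.append(risk)
    unfunded = [(r.name, r.mitigation_cost - remaining) for r in skipped]
    return funded, unfunded, remaining


if __name__ == "__main__":
    for risk in sorted(LAB_RISKS, key=lambda r: r.impact, reverse=True):
        print(f"{risk.name}: impact ${risk.impact:,.0f}, "
              f"${risk.value_ratio:,.1f} of risk removed per $1 spent")
    print(allocate_budget(LAB_RISKS, 500_000))
```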

Exercise 4: Implementing Password Policies


Task 1: Raise the domain functional level to Windows Server 2008
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click WoodgroveBank.com and then click Raise domain functional level.
3. Click Raise and then click OK in the warning dialog box.
4. In the warning dialog box, click OK.
5. Close Active Directory Users and Computers.

Task 2: Create a fine grained password policy for customer service staff
1. On NYC-DC1, click Start, and then click Run.
2. Type adsiedit.msc and then press ENTER.
3. In the left pane, right-click ADSI Edit and then click Connect to.
4. Click OK to connect to the Default naming context.
5. In the left pane, click Default naming context [NYC-DC1.WoodgroveBank.com], expand Default naming context [NYC-DC1.WoodgroveBank.com], click DC=WoodgroveBank,DC=com, expand DC=WoodgroveBank,DC=com, click CN=System, expand CN=System, and then click CN=Password Settings Container.
6. Right-click CN=Password Settings Container, point to New, and then click Object.
7. In the Create Object dialog box, select msDS-PasswordSettings, and then click Next.
8. In the Value box for Common-Name, type CustomerService and then click Next.
9. In the Value box for Password Settings Precedence, type 1 and then click Next.
10. In the Value box for Password reversible encryption status for user accounts, type FALSE and then click Next.
11. In the Value box for Password History Length for user accounts, type 5 and then click Next.
12. In the Value box for Password complexity status for user accounts, type TRUE and then click Next.
13. In the Value box for Minimum Password Length for user accounts, type 6 and then click Next.
14. In the Value box for Minimum Password Age for user accounts, type 1:00:00:00, and then click Next. This is 1 day.
15. In the Value box for Maximum Password Age for user accounts, type 60:00:00:00, and then click Next. This is 60 days.
16. In the Value box for Lockout threshold for lockout of user accounts, type 10 and then click Next. Accounts will be locked after 10 incorrect logon attempts.
17. In the Value box for Observation Window for lockout of user accounts, type 0:00:30:00, and then click Next. Lockouts occur if the incorrect attempts are performed within a 30 minute window.
18. In the Value box for Lockout duration for locked out user accounts, type 0:00:45:00, and then click Next. Accounts are locked out for 45 minutes.
19. Click Finish.
20. Close ADSI Edit.

Task 3: Associate the new fine grained password policy with Customer Service groups
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Click the View menu and then click Advanced Features.
3. In the left pane, under WoodgroveBank.com, expand System, and then click Password Settings Container.
4. In the right pane, right-click CustomerService and then click Properties.
5. Click the Attribute Editor tab.
6. Scroll down and then double-click the msDS-PSOAppliesTo attribute.
7. Click the Add Windows Account button.
8. Type NYC_CustomerServiceGG; MIA_CustomerServiceGG; TOR_CustomerServiceGG, click Check Names, and then click OK.
9. Click OK to close the Multi-valued Distinguished Name With Security Principal Editor window.
10. Click OK to close the CustomerService Properties window.

Task 4: Verify resultant PSO for a user


1. On NYC-DC1, in the left pane of Active Directory Users and Computers, expand Toronto, and then click CustomerService.
2. Right-click Matt Berg and then click Properties.
3. Click the Attribute Editor tab.
4. If necessary, click the Filter button and click Constructed to enable viewing of constructed attributes.
5. Scroll down and view the msDS-ResultantPSO attribute.
6. Click Cancel and close Active Directory Users and Computers.
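The CustomerService policy from Task 2 expressed as the attribute values ADSI Edit writes, together with the selection rule behind the msDS-ResultantPSO attribute viewed in Task 4, as an added Python example that is not part of the lab. It assumes the documented storage format for the age and lockout attributes (negative counts of 100-nanosecond intervals) and uses constructed distinguished names for the groups and for Matt Berg.

```python
# Added example, not part of the 6435A lab: the attribute values that the
# ADSI Edit steps in Task 2 write to the CustomerService password
# settings object, plus the rule AD DS applies when it computes a user's
# msDS-ResultantPSO (Task 4).
# Assumption: the d:hh:mm:ss values typed into ADSI Edit are stored as
# negative counts of 100-nanosecond intervals, the large-integer format
# used by msDS-MaximumPasswordAge and the other age/lockout attributes.
TICKS_PER_SECOND = 10_000_000


def encode_duration(text: str) -> int:
    """Convert an ADSI Edit 'd:hh:mm:ss' span to the stored integer."""
    days, hours, minutes, seconds = (int(part) for part in text.split(":"))
    total_seconds = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return -total_seconds * TICKS_PER_SECOND


def decode_duration(ticks: int) -> str:
    """Inverse of encode_duration, for reading an ldifde or ADSI dump."""
    seconds, remainder = divmod(-ticks, TICKS_PER_SECOND)
    if remainder:
        raise ValueError("duration is not a whole number of seconds")
    days, seconds = divmod(seconds, 86_400)
    hours, seconds = divmod(seconds, 3_600)
    minutes, seconds = divmod(seconds, 60)
    return f"{days}:{hours:02d}:{minutes:02d}:{seconds:02d}"


def customer_service_pso(group_dns):
    """Attributes of the PSO built in Task 2, in the order of its steps."""
    return {
        "cn": "CustomerService",
        "objectClass": "msDS-PasswordSettings",
        "msDS-PasswordSettingsPrecedence": 1,
        "msDS-PasswordReversibleEncryptionEnabled": False,
        "msDS-PasswordHistoryLength": 5,
        "msDS-PasswordComplexityEnabled": True,
        "msDS-MinimumPasswordLength": 6,
        "msDS-MinimumPasswordAge": encode_duration("1:00:00:00"),     # 1 day
        "msDS-MaximumPasswordAge": encode_duration("60:00:00:00"),   # 60 days
        "msDS-LockoutThreshold": 10,
        "msDS-LockoutObservationWindow": encode_duration("0:00:30:00"),
        "msDS-LockoutDuration": encode_duration("0:00:45:00"),
        "msDS-PSOAppliesTo": list(group_dns),                        # Task 3
    }


def resultant_pso(user_dn, group_dns, psos):
    """Return the cn of the PSO that wins for a user, or None.

    Each PSO is a dict with keys cn, precedence, guid (any orderable
    value standing in for objectGUID) and applies_to (list of DNs).
    Selection order: a PSO linked directly to the user beats one linked
    through a group; then the lowest msDS-PasswordSettingsPrecedence;
    ties are broken by the lowest objectGUID.  None means the domain
    password policy applies.
    """
    direct = [p for p in psos if user_dn in p["applies_to"]]
    via_groups = [p for p in psos
                  if any(g in p["applies_to"] for g in group_dns)]
    candidates = direct or via_groups
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p["precedence"], p["guid"]))["cn"]


if __name__ == "__main__":
    # Constructed DNs; the lab does not say where Woodgrove keeps its groups.
    groups = [f"CN={g},DC=WoodgroveBank,DC=com"
              for g in ("NYC_CustomerServiceGG", "MIA_CustomerServiceGG",
                        "TOR_CustomerServiceGG")]
    for attr, value in customer_service_pso(groups).items():
        print(f"{attr}: {value}")
```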

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Lab Answer Key: Designing IP Addressing

Module 3
Lab Answer Key: Designing IP Addressing
Contents:
Exercise 1: Designing an IPv4 Addressing Scheme
Exercise 2: Designing a DHCP Implementation
Exercise 3: Designing an IPv6 Addressing Scheme


Lab: Designing IP Addressing In Windows Server 2008


Exercise 1: Designing an IPv4 Addressing Scheme
Task 1: Determine the number of external addresses required
1. Which resources require public IPv4 addresses? Any resource that Internet users communicate with should have a public IP address. Port redirection using a single IP address works well when resources do not use the same port number. However, in this case, several Web servers would share the same port number and require their own public IP addresses.

2. How many public IPv4 addresses are required? There are 5 servers in the perimeter network that require an external IP address for direct connectivity to the Internet. A sixth IP address should be provided for NAT or a proxy server to provide Internet access for clients.

3. How will you obtain the necessary public IP addresses? Public IP addresses are obtained from an ISP.

Task 2: Determine an internal IPv4 Addressing scheme for locations


1. Which internal network address will you use? The 10.0.0.0/8 network provides the most flexibility for allocating IPv4 addresses.

2. Which subnet mask will you use for branch offices? All branch offices have 200 devices or fewer. Therefore, a class C sized address block can be allocated to each one with a subnet mask of 255.255.255.0.

3. Which subnet mask will you use for hub sites? Hub sites need a sufficient number of addresses allocated for their own use as well as for the branches that connect to them. Allocating a class B sized address block to each hub site with a subnet mask of 255.255.0.0 provides maximum flexibility.

4. Which subnet mask will you use for the North America division? The simplest method for subnetting allocates equal sized portions of the address space to each of the three regions while allowing enough flexibility for future expansion if required. Using five bits of the second octet to define the hub site allows up to 32 hub sites in each division. Using 3 bits of the second octet to define the division allows future expansion up to 8 divisions. The subnet mask in this case is 255.224.0.0. North America can be assigned the 10.32.0.0/11 network.

5. List the networks and subnet masks used by each hub site.

Hub site   Network        Subnet mask
NYC        10.32.0.0/16   255.255.0.0
Miami      10.33.0.0/16   255.255.0.0
Toronto    10.34.0.0/16   255.255.0.0

6.

6. List the networks and subnet masks used by the NYC hub site internally and for branches. The NYC location is allocated approximately 8000 addresses, which can be further subnetted for internal routing based on security zones and other factors. There are still enough bits available for 224 branches.

Location               Network         Subnet mask
NYC hub site internal  10.32.0.0/19    255.255.224.0
NYC branch 1           10.32.32.0/24   255.255.255.0
NYC branch 2           10.32.33.0/24   255.255.255.0
NYC branch 3           10.32.34.0/24   255.255.255.0

Exercise 2: Designing a DHCP Implementation


Scenario
You must design a DHCP implementation that meets the needs of Woodgrove Bank in North America. The following criteria have been provided for planning:
- Hub sites must have some form of high availability for DHCP
- The number of DHCP servers should be minimized to simplify administration
- All client applications are centralized in hub sites by using Terminal Services

Task: Design a DHCP implementation


1. How should DHCP clients in branch offices obtain an IP address? Because all client applications are centralized in the hub sites, there are no concerns about DHCP being unavailable when WAN links fail. Therefore, to simplify management, DHCP servers should be located only at the hub sites. Routers in the branch locations can be configured as DHCP relays to support this.

2. How will you provide high availability for DHCP in the hub sites? Because the DHCP servers will be responsible for such a high number of clients, the highest possible availability is preferred. There are not enough spare IP addresses to use a 50-50 split with multiple DHCP servers, so failover clustering is the best option.

3. How many scopes need to be configured on the DHCP servers in the hub site? Each DHCP server needs a scope for each subnet that is being serviced. This will include one scope for each branch location and a scope for each subnet in the hub site with DHCP clients.

Exercise 3: Designing an IPv6 Addressing Scheme


Scenario
Woodgrove Bank is implementing a new Voice over IP (VoIP) phone system that will integrate with the messaging system to provide unified communications. The selected phone system uses IPv6 rather than IPv4. You must design an IPv6 addressing scheme and determine how IPv6 will be implemented.

Task 1: Design an IPv6 addressing scheme


1. Which internal network address will you use? A unique local address should be used. There is no need for clients to have global unicast addresses. The global ID of the unique local unicast address should be randomly selected. Example: FD00:1234:ABCD::/48, where 00:1234:ABCD is the global ID portion of the address.

2. Which network address will you use for the North America division? Four bits will be allocated for divisions. This corresponds with a single hexadecimal digit in the address. Therefore, North America can be: FD00:1234:ABCD:1000::/52

3. Which network addresses will you use for hub sites? The next four bits can be allocated to hub sites. This corresponds to another digit in the address and allows for 16 hub sites in each division. The hub sites for North America can be:

Hub site   Network address
NYC        FD00:1234:ABCD:1000::/56
Miami      FD00:1234:ABCD:1100::/56
Toronto    FD00:1234:ABCD:1200::/56

4. Which network address will you use for branch offices? The remaining 8 bits can be allocated for branch offices and internal networks within the hub sites. The table below allows for 16 subnets for NYC internal use.

Hub site           Network address
NYC internal use   FD00:1234:ABCD:1000::/60
NYC branch 1       FD00:1234:ABCD:1010::/64
NYC branch 2       FD00:1234:ABCD:1011::/64
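The IPv4 plan from Exercise 1 and the IPv6 plan from Task 1 above, computed with Python's standard ipaddress module, as an added example that is not part of the lab. The random global ID follows RFC 4193; the division and hub indexes (1 for North America, 0/1/2 for NYC/Miami/Toronto) are assumptions that reproduce the answer key's tables, and 0x001234ABCD is its example global ID rather than a random one.

```python
# Added example, not part of the 6435A lab: the hierarchical IPv4 plan
# from Exercise 1 and the IPv6 unique local plan from Exercise 3,
# computed with the standard-library ipaddress module so the answer
# key's counts (8 divisions, 32 hubs, 224 branches, 16 hubs per IPv6
# division) can be checked rather than taken on trust.
import ipaddress
import secrets


def carve(parent, new_prefix, index):
    """Return the index-th subnet of `parent` at prefix length new_prefix.

    Each level of the hierarchy is just "index * block size" added to the
    parent's network address, which is what the answer key does by hand.
    """
    subnet_count = 2 ** (new_prefix - parent.prefixlen)
    if not 0 <= index < subnet_count:
        raise ValueError(f"index {index} outside {subnet_count} subnets")
    block = parent.num_addresses // subnet_count
    base = int(parent.network_address) + index * block
    return parent.__class__((base, new_prefix))


def ipv4_plan(division_index=1, hub_index=0):
    """10.0.0.0/8 -> /11 division -> /16 hub -> /19 internal + /24 branches.

    Indexes 1 and 0 reproduce North America (10.32.0.0/11) and NYC.
    """
    private = ipaddress.ip_network("10.0.0.0/8")
    division = carve(private, 11, division_index)   # 3 bits: 8 divisions
    hub = carve(division, 16, hub_index)             # 5 bits: 32 hub sites
    internal = carve(hub, 19, 0)                     # hub's own ~8000 addresses
    branches = [net for net in hub.subnets(new_prefix=24)
                if not net.subnet_of(internal)]      # 224 remaining /24s
    return division, hub, internal, branches


def ula_prefix(global_id=None):
    """fd00::/8 plus a 40-bit global ID (random per RFC 4193) -> /48."""
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < (1 << 40):
        raise ValueError("global ID must fit in 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ipv6_plan(global_id, division_index=1, hub_index=0):
    """/48 site -> /52 division -> /56 hub -> /60 internal + /64 branches.

    One hex digit per level, as in the answer key's tables.
    """
    site = ula_prefix(global_id)
    division = carve(site, 52, division_index)   # 16 divisions
    hub = carve(division, 56, hub_index)         # 16 hub sites per division
    internal = carve(hub, 60, 0)                 # 16 /64s for hub internal use
    branches = [net for net in hub.subnets(new_prefix=64)
                if not net.subnet_of(internal)]  # 240 remaining /64s
    return site, division, hub, internal, branches


if __name__ == "__main__":
    division, hub, internal, branches = ipv4_plan()
    print("IPv4:", division, hub, internal, branches[:3], len(branches))
    # 0x001234ABCD is the answer key's example global ID, not a random one.
    site, div6, hub6, int6, br6 = ipv6_plan(0x001234ABCD)
    print("IPv6:", site, div6, hub6, int6, br6[:2], len(br6))
```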

Task 2: Design an IPv6 implementation


1. What IPv6 transition method will you use? The simplest transition method is installing both IPv4 and IPv6 on hosts at the same time. This allows hosts to access IPv4 and IPv6 services without any additional transition methods. However, this requires that all routers are able to route both IPv4 and IPv6.

2. What process will you follow when implementing IPv6? At this time there is no specific need to update any applications other than the messaging system, to ensure that it can communicate with the IPv6 VoIP phone system. DNS needs to be configured with all necessary IPv6 host records to support integration of the phone system and the messaging system. All routing infrastructure must also be upgraded to support IPv6 routing. You will also have to determine how the IPv6 phones will obtain an IPv6 address and configuration options such as DNS. Over time, as more applications become available for IPv6, computers can have IPv6 installed on them if it is not already installed by default. Eventually, when all applications using IPv4 have been retired, you can remove IPv4 from network hosts.

Lab Answer Key: Designing Routing and Switching Requirements

Module 4
Lab Answer Key: Designing Routing and Switching Requirements
Contents
Exercise 1: Designing Internal Infrastructure
Exercise 2: Designing a Perimeter Network
Exercise 3: Evaluating Network Performance
Exercise 4: Monitoring Network Performance


Lab: Designing Routing and Switching


Exercise 1: Designing Internal Infrastructure
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Design the routing between locations


1. What type of WAN link will you use between Seattle and the NYC hub site? Due to the requirements for high availability and security, the WAN link between Seattle and NYC should be a leased line.

2. What type of WAN link will you use between Seattle and the branch offices? It has been determined that a VPN can provide sufficient security for WAN links between the branch offices and the Seattle hub site. However, because there has been no study of the reliability of Internet connections at the branch offices, you should use leased lines at this time. Later you can do a pilot project using a VPN link to a single branch for testing. If performance and reliability are sufficient, then you can migrate the branch WAN links to VPN for cost savings.

3. What routing protocol should be used to control routing? Woodgrove Bank is a large organization where it is not practical to use static routing. If static routing were used, any small change to the routing table would need to be updated on many routers manually. Dynamic routing should be used instead. In most cases, routing will be performed by dedicated hardware routers, in which case you should select a dynamic routing protocol supported by your hardware routers. You are limited to RIP only when Windows Server 2008 is used as a router.

4. Will you place any filters on communication between Seattle and the branch offices? Because there is no direct transfer of files between branch locations, you can implement filters that stop direct branch-to-branch communication. However, you must allow communication from branch offices to the hub sites so that regional managers can access their files when travelling to the branch offices.

5. On a piece of paper, draw how the new bank will integrate with the existing network infrastructure. See M4_WashingtonNetwork.in the LabAnswerKey folder of the student CD for an example.

Task 3: Design the routing within the Seattle hub site


1. Which networks will you create within the Seattle hub site? Within the Seattle hub site you should create networks for the various workgroups, network services, and the backbone. This is a three-tiered architecture that is flexible and efficient. The backbone network in the Seattle hub site is used to link the various locations. Network services are a second tier that is connected to the backbone. The second tier also includes applications used by branches. The third tier has workgroups, with each workgroup getting a separate network. Servers specific to a workgroup, such as a file server, are also located in the third tier.

2. Will you perform routing within the Seattle hub site by using routers or layer 3 switches? The routing within a hub site is not complex and can easily be performed by using layer 3 switches. This is a cost advantage and allows you to use VLANs.

3. If switches are used, how will you define VLANs? VLANs will be based on ports. Each port will be assigned to a VLAN. Later reorganizations of the network will then require only that ports be changed to a different VLAN.

4. On a piece of paper, draw the logical networks of the Seattle hub site. See M4_SeattleNetwork.in the LabAnswerKey folder of the student CD for an example.

Exercise 2: Designing a Perimeter Network


Use the following documents when designing the perimeter network: M4_InternetConnectivity.doc

Task 1: Design extranet communication


1. What are the requirements for extranet communication with Humongous Insurance? The extranet must be secure and cost effective, and support multiple locations.

2. Which type of WAN link will you use for the extranet? A secure VPN tunnel over the Internet is better than leased lines in this case due to lower costs. Because this is a site-to-site VPN, there is no need to provide user-based authentication; computer-based (router) authentication is sufficient. Therefore, an IPsec tunnel should be used rather than PPTP or L2TP/IPsec. The VPN tunnel will encrypt communication as it traverses the Internet, but will not encrypt authentication credentials in transit on either side of the tunnel. The Web front end should use SSL to secure authentication credentials and data from end to end during the communication process.

3. How will you limit partner access to your network? The Web front end for the customer database should be located in a perimeter network. Appropriate filters should be configured so that users coming in over the VPN tunnel can only access the Web front end for the customer database. The Web front end server will be allowed to communicate with the customer database on the internal network.

Task 2: Design firewall configuration


1. What criteria will you consider when purchasing a new firewall(s)?
- Cost
- Ability to create multiple perimeter networks
- Ease of configuration
- Malware filtering ability

2. Which firewall design will you use? The requirement for multiple perimeter networks necessitates a multihomed firewall to create them. A port of the multihomed firewall can be designated as a separate perimeter network. Configuring all rules in a single device will simplify management.

3. Which filtering rules will be in place?
On the VPN perimeter network, VPN communication will be allowed from the Internet to the VPN server. Communication from the VPN server to the internal network will be allowed for those resources that are specified, such as file servers and application servers. Some resources may not be made available because the security risk is considered too high.
On the non-secure perimeter network, ports 25 and 80 will be allowed in to the Exchange Edge Transport server and Web server respectively. Communication from the Exchange Edge Transport server to at least one internal Exchange Hub Transport server will be allowed. Clients on the internal network must have rules to allow them to update content on the Web server with general information.
On the account secure perimeter network, Internet clients will be able to access ports 80 and 443 on the Web server. When port 80 on the Web server is accessed, it will redirect clients to port 443 for secure communication by using SSL. The Web server will be allowed to communicate with the necessary databases and application servers on the internal network.
On the investment secure perimeter network, Internet clients will be able to access ports 80 and 443 on the Web server. When port 80 on the Web server is accessed, it will redirect clients to port 443 for secure communication by using SSL. The Web server will be allowed to communicate with the necessary databases and application servers on the internal network.

Task 3: Design Internet Access


How will users be provided with Internet Access? You should implement a proxy server to provide internal users with Internet access. To provide user based logging, the users must be authenticated, which cannot be provided by NAT. To reduce the impact of Internet access on the WAN links, a hierarchy of proxy servers can be configured. In this way a cache of commonly accessed Internet Web sites can be maintained at each hub site.

Exercise 3: Evaluating Network Performance


Task 1: Adjust the network design
1. Why is the problem only occurring when a live broadcast is being streamed? When many computers connect to the live broadcast, it creates a surge in network traffic. Unicast connectivity requires packets to be sent to each individual computer.

2. What appears to be the bottleneck on the network? The 1 Gbps links between the switches are being overloaded by traffic from the streaming media server.

3. How can you eliminate the bottleneck? The simplest method to eliminate the 1 Gbps links as a bottleneck is to move the streaming media server to the central data center instead of the 5th floor. Then the only data transfer from the 4th floor during a live broadcast will be a single stream from the encoding computer to the streaming media server. However, the switches on each floor should also be reorganized to connect directly to a central switch. This way a single switch acts as a high speed backbone rather than multiple 1 Gbps links. See M4_TorontoNetwork.png in the LabAnswerKey folder of the student CD for an example.

4. Is there any way to adjust the application to resolve this problem? Streaming Media Services supports delivery of live events as multicasts. When multicast packets are used, packets are delivered once to each network rather than once to each workstation. This would eliminate live events as a concern for network performance. As an added benefit, it would allow live events to be streamed to other locations within the organization over WAN links with limited impact on network performance. All routers must be configured to support forwarding of multicasts.

Exercise 4: Monitoring Network Performance


Task 1: Enable file sharing on NYC-WEB
1. On the Start menu of NYC-WEB, click Control Panel, and then double-click Network and Sharing Center.
2. Under Sharing and Discovery, expand Network discovery, click Turn on network discovery, and click Apply.
3. In the Network discovery window, click No, make the network that I am connected to a private network.
4. Under Sharing and Discovery, expand File sharing, ensure that file sharing is turned on, and click Apply.
5. Close Network and Sharing Center.

Task 2: Use Windows Task Manager to view network statistics


1. Log on to NYC-DC1 as Administrator with a password of Pa$$w0rd.
2. Click Start and click Run.
3. Type D:\Mod04\Labfiles\copyloop.bat and press Enter.
4. Leave the command prompt open while completing the remaining tasks in this exercise.
5. Press Ctrl+Shift+Esc to open Windows Task Manager.
6. Click the Networking tab and review the network utilization.
7. Close Windows Task Manager.

Task 3: Use Reliability and Performance Monitor to view network statistics


1. Click Start, point to Administrative Tools, and click Reliability and Performance Monitor.
2. Review the information in the network graph.
3. Expand the Network section by clicking the down arrow.
4. Review the information provided in the Network section.
5. In the left pane, click Performance Monitor.
6. Click the + symbol to start adding a new counter to the graph.
7. In the list of available counters, expand ICMP and read the available counters.
8. In the list of available counters, expand ICMPv6 and read the available counters.
9. In the list of available counters, expand IPv4 and read the available counters.
10. In the list of available counters, expand IPv6 and read the available counters.
11. In the list of available counters, expand Network Interface and read the available counters.
12. In the list of available counters, expand Redirector and read the available counters.
13. Click Cancel to close the Add Counters window.
14. Close Reliability and Performance Monitor.

Task 4: Use Network Monitor to view network statistics


1. On NYC-DC1, click Start, point to All Programs, click Microsoft Network Monitor 3.1, and click Microsoft Network Monitor 3.1.
2. Click Create a new capture tab.
3. Click the Capture menu and click Start.
4. Review the information appearing in the Frame Summary pane.
5. Press F11 to stop the capture.
6. Close Microsoft Network Monitor 3.1.
7. Click No when prompted to save the capture.
8. Close the window running copyloop.bat.

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Lab Answer Key: Designing Security for Internal Networks

Module 5
Lab Answer Key: Designing Security for Internal Networks
Contents
Exercise 1: Designing a Windows Firewall Implementation
Exercise 2: Designing an IPsec Implementation


Lab: Designing a Secure Internal Network


Exercise 1: Designing a Windows Firewall Implementation
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Determine what rules to create on each computer


1. What inbound rules should be implemented on servers? On each server, you need to implement rules to allow access to all services that run on a particular server. This includes file and printer sharing, DNS lookups, domain logons, and any other specific applications. For standard windows services, the rules are already configured and do not need to be created. This applies to file and printer sharing, DNS, and domain logons. Rules that should be created to support specific applications are: For the investments custom application, create an incoming program rule that allows the InvestSrv.exe to receive connections. This is more secure than using the port, because malware too could attempt to use the port. For the Email server, create an incoming program rule that allows the Store.exe executable to receive connections. This is necessary, because the port number is not predictable for each connection. For the Customer Service Web application, create an incoming port rule that allows access to port 8080. The default rules for Internet Information Server allow access to ports 80 and port 443, but not 8080. This is because, you cannot create program rules for IIS.

2. What outbound rules should be implemented on servers? There are no specific requirements for outbound rules listed for the servers. Windows Firewall is a stateful firewall and does not require corresponding outbound rules to be created for communication already established through inbound rules. Outbound rules need to be configured for basic network services, such as DNS lookups and domain authentication. These are in place by default.

3. What inbound rules should be implemented on Vista workstations? There are no listed applications on client computers that require inbound communication. However, inbound communication for basic network services is required. These rules are in place by default.

4. What outbound rules should be implemented on Vista workstations? The outbound rules necessary for basic network communication are in place by default. However, outbound rules must be created for other applications. For the Investments custom application, a program rule should be created to allow invest.exe to communicate on the network. This is more secure than creating a port rule that allows communication to port 10101.

For Internet Explorer, you should create a program rule that allows iexplore.exe access to the network. This prevents unsupported Web browsers from being used. After the program rule is created, you can edit it to restrict communication to ports 80, 443, and 8080.

5. What concerns do you have about operating systems other than Windows Server 2008 and Windows Vista? Windows XP and Windows Server 2003 do not support outbound rules as part of the Windows Firewall configuration. If malware is installed on these operating systems, there is no method to prevent propagation to vulnerable hosts. However, all inbound rules can still be configured.

Task 3: Determine how to configure Windows firewall on each computer


1. How will Windows Firewall be deployed on servers? For the highest level of security, only the necessary rules should be implemented on each server. Therefore, each server should be configured individually. In an organization with many servers running the same applications, you could apply the rules by using Group Policy.

2. How will Windows Firewall be deployed on workstations? Workstations should be configured with the necessary Windows Firewall rules by using Group Policy. If desired, customized Group Policy objects can be created for the various workgroups that include only the necessary applications for each workgroup. To support this, each workgroup should have a separate OU in Active Directory.

Task 4: Implement a Windows Firewall rule by using Group Policy


1. On NYC-DC1, click Start, point to Administrative Tools, and click Group Policy Management.
2. In the left pane, under Forest: WoodgroveBank.com, under Domains, expand WoodgroveBank.com, and then click Toronto.
3. Right-click Toronto and click Create a GPO in this domain, and Link it here.
4. In the Name box, type Firewall Rules and click OK.
5. Right-click Firewall Rules and click Edit.
6. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and click Outbound Rules.
7. Right-click Outbound Rules and click New Rule.
8. Click Program, in the This program path box, type C:\Program Files\Internet Explorer\iexplore.exe and click Next.
9. Click Allow the connection and click Next.
10. Click Next to apply the rule to the Domain, Private, and Public profiles.
11. In the Name box, type Allow IE and then click Finish.
12. Close the Group Policy Management Editor.
13. Close Group Policy Management.
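The rule design from Task 2 and the GPO rule from Task 4, written as netsh advfirewall commands so the same settings can be scripted on one host and checked before they are placed in a GPO. This is an added example, not part of the 6435A lab material; the paths for InvestSrv.exe, Store.exe and invest.exe are assumptions, since the lab does not state them.

```batch
@echo off
rem Added example (not from the 6435A lab): Exercise 1 firewall rules as
rem netsh advfirewall commands. The server section is run on a server and
rem the workstation section on a workstation; they are shown together here.
rem Paths for InvestSrv.exe, Store.exe and invest.exe are assumptions.

rem --- Server rules (inbound) ---
rem A program rule ties the opening to the executable, so another process
rem that happens to listen on the same port does not inherit it.
netsh advfirewall firewall add rule name="Investments - InvestSrv.exe" dir=in action=allow program="C:\Program Files\Invest\InvestSrv.exe" enable=yes
netsh advfirewall firewall add rule name="Email - Store.exe" dir=in action=allow program="C:\Program Files\Exchange\Store.exe" enable=yes

rem IIS cannot be covered by a program rule, so the Customer Service site on
rem 8080 gets a port rule (80 and 443 are already covered by the IIS rules).
netsh advfirewall firewall add rule name="Customer Service Web - TCP 8080" dir=in action=allow protocol=TCP localport=8080 enable=yes

rem --- Workstation rules (outbound) ---
rem Outbound allow rules only restrict anything when the profile's outbound
rem default is Block; the shipped default is Allow, so set it explicitly.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="Investments - invest.exe" dir=out action=allow program="C:\Program Files\Invest\invest.exe" enable=yes

rem The IE program rule, already narrowed to the three Web ports the lab
rem names (the wizard creates it first, then the ports are edited in).
netsh advfirewall firewall add rule name="Allow IE" dir=out action=allow program="C:\Program Files\Internet Explorer\iexplore.exe" protocol=TCP remoteport=80,443,8080 enable=yes

rem Check: read back the rules and compare them with the design answers
rem before the same settings are placed in the Firewall Rules GPO.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Allow IE" verbose
netsh advfirewall firewall show rule name="Customer Service Web - TCP 8080"
```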

Exercise 2: Designing an IPSec Implementation


Task 1: Determine connection security rules
1. What authentication requirements should be used? All of the computers in the Investments group must require authentication for inbound connections and request authentication for outbound connections. Similarly, all communication to Investments servers and workstations must be authenticated. However, Investments workstations can initiate communication with servers that are not part of the Investments area, and those connections will not be authenticated.

2. What authentication method should be used? Using Kerberos authentication (user and computer) provides the flexibility to create firewall rules that are specific to particular computer accounts or user accounts. This is the best way to control communication. It also requires no additional configuration on the computers, because they are already part of a domain and therefore participate in Kerberos authentication.

3. What type of connection security rule should be used? An Isolation rule should be used. This type of rule uses Kerberos authentication. After authentication is established, firewall rules can be created based on the specific users and computers you want to allow. This type of rule does not designate endpoints by IP address.

Task 2: Determine how to configure connection security rules on each computer


1. How will connection security rules be deployed to servers? All Investments servers can be placed in a specific OU and have the connection security rules applied by using Group Policy. This ensures that all Investments servers have the same configuration.

2. How will connection security rules be deployed to workstations? All Investments workstations can be placed in a specific OU and have the connection security rules applied by using Group Policy. This ensures that all Investments workstations have the same configuration.

3. How will you address Windows XP clients? Based on the conditions presented in the scenario, the best solution is to upgrade the few remaining XP computers to Windows Vista. Other alternatives will be relatively complex. In the short term, an exemption rule can be used for the Windows XP computers to remove the need for IPSec authentication from those computers. Exemption rules are based on computer IP address, so the XP computers must be given static IP addresses or reservations in DHCP. Other alternatives are:
a. Use both IPSec policies and connection security rules on the servers. This is not recommended because the results are difficult to predict.
b. Use IPSec policies only. Windows Server 2008 and Windows Vista are both capable of using IPSec policies. However, if IPSec policies are used, then you cannot control authentication based on computer and user accounts.

Task 3: Implement connection security rules


1. On NYC-DC1, click Start, point to Administrative Tools, and click Group Policy Management.
2. In the left pane, under Forest: WoodgroveBank.com, under Domains, expand WoodgroveBank.com, expand Toronto, and click Investments.
3. Right-click Investments and click Create a GPO in this domain, and Link it here.
4. In the Name box, type Connection Security Rules, and then click OK.
5. Right-click Connection Security Rules and click Edit.
6. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Connection Security Rules.
7. Right-click Connection Security Rules, and then click New Rule.
8. Ensure Isolation is selected and click Next.
9. Click Require authentication for inbound connections and request authentication for outbound connections and click Next.
10. Click Computer and user (Kerberos V5) and click Next.
11. Click Next to apply the rule to the Domain, Private, and Public profiles.
12. In the Name box, type Secure Communication, and then click Finish.
13. Close the Group Policy Management Editor.
14. Close Group Policy Management.

Task 4: Create a firewall rule for a specific user


1. On NYC-DC1, click Start, point to Administrative Tools, and click Windows Firewall with Advanced Security.
2. In the left pane, click Inbound Rules, right-click Inbound Rules, and then click New Rule.
3. On the Rule Type page, click Port and click Next.
4. On the Protocols and Ports page, click TCP, click Specific local ports, type 80, and then click Next.
5. On the Action page, click Allow the connection if it is secure and then click Next.
6. On the Users and Computers page, select the Only allow connections from these users check box and then click Add.
7. Ensure Administrator is selected and then click OK.
8. In the Multiple Names Found window, click Administrator and then click OK.
9. Click Next.
10. On the Profile page, ensure that all profiles are selected and then click Next.
11. In the Name box, type Administrator Access to Web site and then click Finish.
12. Close Windows Firewall with Advanced Security.
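The isolation rule from Task 3, the XP exemption from Task 2 and the user-restricted Web rule from Task 4, written as netsh advfirewall commands for comparison with the wizard steps. This is an added example, not part of the 6435A lab material; the exempted XP address and the SID in the SDDL string are labelled placeholders.

```batch
@echo off
rem Added example (not from the 6435A lab): Exercise 2 connection security
rem rules and the authenticated inbound rule as netsh advfirewall commands.

rem Isolation rule: require authentication inbound, request it outbound,
rem computer plus user Kerberos V5, and no endpoint addresses (any/any),
rem which matches the answer that isolation rules do not name endpoints.
netsh advfirewall consec add rule name="Secure Communication" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb auth2=userkerb enable=yes

rem Short-term exemption for a remaining Windows XP host: traffic to and from
rem that address is not authenticated. Because the match is by IP address,
rem the host needs a static address or a DHCP reservation, as the answer
rem key notes. 10.10.0.250 is a constructed placeholder address.
netsh advfirewall consec add rule name="XP exemption" endpoint1=any endpoint2=10.10.0.250 action=noauthentication

rem Inbound TCP 80 allowed only over an IPsec-authenticated connection and
rem only for the Administrator account. rmtusrgrp takes an SDDL string; the
rem SID below is a placeholder and must be replaced with the real SID of the
rem account (for example, from "whoami /user" while logged on as it).
netsh advfirewall firewall add rule name="Administrator Access to Web site" dir=in action=allow protocol=TCP localport=80 security=authenticate rmtusrgrp="D:(A;;CC;;;S-1-5-21-PLACEHOLDER-500)" enable=yes

rem Checks: the rule should report Security: Authenticate with the user SID,
rem and after a test connection a main-mode SA should appear in the monitor.
netsh advfirewall firewall show rule name="Administrator Access to Web site" verbose
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```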

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Lab Answer Key: Designing Name Resolution

Module 6
Lab Answer Key: Designing Name Resolution
Contents
Exercise 1: Designing a DNS Namespace 2
Exercise 2: Designing a DNS Server Strategy 2
Exercise 3: Designing a DNS Zone and Replication Strategy 3
Exercise 4: Discuss the Design of Name Resolution 5
Exercise 5: Implement a DNS and Zone Replication Strategy 5

Lab: Designing a Name Resolution Strategy in Windows Server 2008


Exercise 1: Designing a DNS Namespace
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-LON-DC1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Select a DNS namespace for Active Directory


1. What would be your preferred namespace for Active Directory if creating a new design? In general, it is preferred that the external Domain Name Service (DNS) namespace and the internal DNS namespace do not overlap. This avoids the need to manually synchronize records between internal and external DNS servers. A subdomain of the external namespace, such as corp.woodgrovebank.com, would be recommended if creating a brand new design.

2. What additional considerations must be taken into account when modifying an existing design? When you are evaluating an existing namespace design, you must take into account the amount of work and risk involved in modifying the namespace. In this case, woodgrovebank.com is the namespace used for both internal and external DNS. Changing the internal namespace to corp.woodgrovebank.com will involve extensive planning and testing to ensure that network services and applications are not interrupted.

3. What DNS namespace do you recommend that Woodgrove Bank use for Active Directory? It is recommended that Woodgrove Bank continue to use the woodgrovebank.com namespace for both internal and external DNS. This is due to the work and risk involved in changing the namespace from woodgrovebank.com to corp.woodgrovebank.com. Also, the manual synchronization of records between the internal and external DNS servers is minimal.

Exercise 2: Designing a DNS Server Strategy


Task: Determine a DNS server location
1. Are DNS servers required at the branch locations? No DNS servers are required at the branch locations. All services are provided at the hub sites. If a wide area network (WAN) link is down, having a local DNS server provides no benefit. Also, the WAN traffic generated by DNS lookups will be very small for an individual branch, providing no reason to place a DNS server locally.

2. Are DNS servers required at each hub site? Yes, DNS servers should be located at each hub site. There are a large number of users at each hub site, and performing DNS lookups over the WAN may cause WAN congestion.

3. How many DNS servers should be located at each hub site? Two DNS servers should be located at each hub site for redundancy. There are a large number of DNS users in each hub site, and forcing clients to use the DNS server from an alternate hub site could result in WAN congestion.

Exercise 3: Designing a DNS Zone and Replication Strategy


Task: Determine DNS Zone requirements
1. Which zones need to be created on internal DNS servers? On the internal DNS servers, a zone should be configured that corresponds to each domain. This allows the DNS for each zone to be managed and replicated separately. The zones that need to be configured are:
a. woodgrovebank.com
b. emea.woodgrovebank.com
c. asia.woodgrovebank.com
d. _msdcs.woodgrovebank.com

2. Which zones need to be created on external DNS servers? Only the woodgrovebank.com zone needs to be created on external DNS servers. This is the only zone that contains external records.

3. In which hub sites will each DNS zone be placed? Each hub site for a domain should have a copy of the domain DNS zone. In addition, the main hub site in each domain should have a copy of the DNS zones for the other domains. The _msdcs zone should be located in all hub sites because it contains the records used to locate domain controllers and global catalog servers for all domains. This zone will have very few changes and will not cause a lot of replication traffic.

Hub site    Zones
New York    WoodgroveBank.com, Emea.WoodgroveBank.com, Asia.WoodgroveBank.com, _msdcs.woodgrovebank.com
Toronto     WoodgroveBank.com, _msdcs.woodgrovebank.com
Miami       WoodgroveBank.com, _msdcs.woodgrovebank.com
Seattle     WoodgroveBank.com, _msdcs.woodgrovebank.com
London      WoodgroveBank.com, Emea.WoodgroveBank.com, Asia.WoodgroveBank.com, _msdcs.woodgrovebank.com
Paris       Emea.WoodgroveBank.com, _msdcs.woodgrovebank.com
Lisbon      Emea.WoodgroveBank.com, _msdcs.woodgrovebank.com
Tokyo       WoodgroveBank.com, Emea.WoodgroveBank.com, Asia.WoodgroveBank.com, _msdcs.woodgrovebank.com
Beijing     Asia.WoodgroveBank.com, _msdcs.woodgrovebank.com

4. How will replication/zone transfers be configured for each zone? Within each domain, the local zone should be configured as Active Directory integrated. This will allow secure dynamic updates to be configured. By default, Active Directory integrated zones are replicated to all domain controllers in the same domain. Since each instance acts as a primary zone, all domain controllers in the domain that are configured as DNS servers can accept dynamic updates.

Hub site    Zones
New York    WoodgroveBank.com (AD integrated), Emea.WoodgroveBank.com (secondary), Asia.WoodgroveBank.com (secondary), _msdcs.woodgrovebank.com (AD integrated)
Toronto     WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)
Miami       WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)
Seattle     WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)
London      WoodgroveBank.com (secondary), Emea.WoodgroveBank.com (AD integrated), Asia.WoodgroveBank.com (secondary), _msdcs.woodgrovebank.com (AD integrated)
Paris       Emea.WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)
Lisbon      Emea.WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)
Tokyo       WoodgroveBank.com (secondary), Emea.WoodgroveBank.com (secondary), Asia.WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)
Beijing     Asia.WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)

Exercise 4: Discuss the Design of Name Resolution


Task: Discuss your design for name resolution with the instructor and other students
1. With your instructor, discuss the namespace design that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the DNS server strategy that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the DNS zone and replication strategy that is appropriate for Woodgrove Bank.

Exercise 5: Implement a DNS and zone replication strategy


Task 1: Review the configuration of zones in North America
1. On NYC-DC1, click Start, point to Administrative Tools, and click DNS.
2. Expand NYC-DC1, expand Forward Lookup Zones, and then click WoodgroveBank.com.
3. Right-click WoodgroveBank.com and then click Properties.
4. Note the type and replication configuration. It is Active Directory-Integrated and replicated within the domain.
5. Click Cancel.
6. Click _msdcs.WoodgroveBank.com, right-click _msdcs.WoodgroveBank.com, and then click Properties.
7. Note the type and replication configuration. It is Active Directory-Integrated and replicated within this forest.
8. Click Cancel.

Task 2: Review the configuration of zones in Europe


1. On LON-DC1, click Start, point to Administrative Tools, and then click DNS.
2. Expand LON-DC1, expand Forward Lookup Zones, and then click EMEA.WoodgroveBank.com.
3. Right-click EMEA.WoodgroveBank.com and then click Properties.
4. Note the type and replication configuration. It is Active Directory-Integrated and replicated within the domain.
5. Click Cancel.
6. Click _msdcs.WoodgroveBank.com, right-click _msdcs.WoodgroveBank.com, and then click Properties.
7. Note the type and replication configuration. It is Active Directory-Integrated and replicated within the entire forest.
8. Click Cancel.

Task 3: Configure zone transfers for EMEA.WoodgroveBank.com


1. On LON-DC1, right-click EMEA.WoodgroveBank.com, and then click Properties.
2. Click the Zone Transfers tab.
3. Select the Allow zone transfers check box.
4. Click Only to the following servers and then click the Edit button.
5. Ensure the IP addresses of the Secondary Server area is selected, type 10.10.0.10, press ENTER, and then click OK.
6. Click OK to close the EMEA.WoodgroveBank.com Properties dialog box.
7. Close DNS Manager.

Task 4: Configure a secondary zone for EMEA.WoodgroveBank.com


1. On NYC-DC1, in the left pane of DNS Manager, click Forward Lookup Zones.
2. Right-click Forward Lookup Zones and then click New Zone.
3. Click Next to start the New Zone Wizard.
4. Click Secondary zone and then click Next.
5. In the Zone name box, type EMEA.WoodgroveBank.com and then click Next.
6. Under Master Servers, type 10.10.0.110, and then press ENTER.
7. Click Next and then click Finish.

Note: You must click Finish as soon as it appears; otherwise it automatically changes to Next, and you will have to click Next again and then click Finish.

8. In the left pane, click EMEA.WoodgroveBank.com.
9. Review the records that have been transferred.
10. Close DNS Manager.
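The zone-transfer restriction from Task 3 and the secondary zone from Task 4, as dnscmd commands using the lab's own addresses (LON-DC1 at 10.10.0.110, NYC-DC1 at 10.10.0.10). This is an added example, not part of the 6435A lab material, and it adds a NOTIFY list and a serial-number check that the wizard steps do not show.

```batch
@echo off
rem Added example (not from the 6435A lab): Exercise 5 zone transfers with
rem dnscmd, run from a domain controller with the DNS Server tools installed.

rem On LON-DC1 (primary copy of EMEA): allow zone transfers only to the
rem listed secondary, and send NOTIFY to it so the secondary does not wait
rem for its SOA refresh interval before pulling changes.
dnscmd LON-DC1 /ZoneResetSecondaries EMEA.WoodgroveBank.com /SecureList 10.10.0.10 /NotifyList 10.10.0.10

rem On NYC-DC1: create the secondary zone with LON-DC1 as its master.
dnscmd NYC-DC1 /ZoneAdd EMEA.WoodgroveBank.com /Secondary 10.10.0.110

rem Force an immediate transfer instead of waiting for refresh or NOTIFY.
dnscmd NYC-DC1 /ZoneRefresh EMEA.WoodgroveBank.com

rem Check: the zone should show as Secondary on NYC-DC1, and the SOA serial
rem on both servers should match. A serial that never catches up usually
rem means the address is missing from the SecureList or TCP 53 is blocked
rem between the two servers.
dnscmd NYC-DC1 /ZoneInfo EMEA.WoodgroveBank.com
dnscmd LON-DC1 /EnumRecords EMEA.WoodgroveBank.com @ /Type SOA
dnscmd NYC-DC1 /EnumRecords EMEA.WoodgroveBank.com @ /Type SOA
```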

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Lab Answer Key: Designing Advanced Name Resolution

Module 7
Lab Answer Key: Designing Advanced Name Resolution
Contents
Exercise 1: Optimizing DNS Servers 2
Exercise 2: Designing High Availability for Name Resolution 3
Exercise 3: Designing WINS 4
Exercise 4: Implementing a GlobalNames Zone 4

Lab: Designing Advanced Name Resolution


Exercise 1: Optimizing DNS Servers
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-LON-DC1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Determine configuration for internal DNS servers


1. Which DNS servers should be able to perform recursive lookups? All DNS servers must be capable of performing recursive lookups. Otherwise, they will only be able to resolve the DNS records that are hosted locally. For example, DNS servers in the Toronto hub site would be able to resolve names in WoodgroveBank.com, but not in Asia.WoodgroveBank.com or EMEA.WoodgroveBank.com.

2. Which DNS servers should use forwarding and how is it configured? Forwarding needs to be configured in all hub sites that do not have secondary zones of the remote domains.

Hub site    Forwarding configuration
New York    To Internet
Miami       To New York
Toronto     To New York
Seattle     To New York
London      To New York
Paris       To London
Lisbon      To London
Tokyo       To New York
Beijing     To Tokyo

3. Which DNS servers should use root hints to look up names? Root hints should be removed from all internal DNS servers except the New York DNS servers. Only the New York DNS servers need to be able to perform Internet lookups.

4. How will DNS servers in New York, which perform external lookups, be protected from the Internet? The New York DNS servers can be protected by placing a dedicated server for external DNS lookups in the perimeter network. The New York DNS servers will be configured to forward requests to the dedicated external DNS server.

5. How should caching be configured on the DNS servers? The DNS servers are configured to cache all DNS lookups by default. Individual records are cached based on the TTL set in the primary zone. Typically, a record TTL is 3600 seconds, or 1 hour.

Task 3: Determine configuration for external DNS servers


1. What configuration should be performed on external servers hosting the WoodgroveBank.com domain to prevent denial of service attacks? To ensure that the denial of service attack based on recursive lookups cannot be performed on the DNS servers hosting the external WoodgroveBank.com domain, you should disable recursive lookups. This prevents the DNS server from resolving non-local DNS names by using root hints or forwarding.

2. How should root hints be configured on the external DNS servers performing external lookups? The root hints that allow lookups on the Internet are configured automatically when a DNS server is installed. You can manually update the root hints if required.
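The forwarding table from Task 2, the New York perimeter resolver from Task 2, and the recursion setting for the external servers from Task 3, as dnscmd commands. This is an added example, not part of the 6435A lab material; only NYC-DC1 (10.10.0.10) and LON-DC1 (10.10.0.110) exist in the lab, so the other server names and the addresses 10.10.0.5 and 10.30.0.10 are constructed placeholders.

```batch
@echo off
rem Added example (not from the 6435A lab): the Module 7 resolver design as
rem dnscmd commands. TOR-DC1, PAR-DC1, TKO-DC1, BJG-DC1, EXT-DNS1 and the
rem addresses 10.10.0.5 (perimeter resolver) and 10.30.0.10 (Tokyo DNS) are
rem placeholders; NYC-DC1 and LON-DC1 addresses come from the lab.

rem New York: forward to the dedicated resolver in the perimeter network.
rem /NoSlave keeps root hints as a fallback, because New York is the only
rem hub that is allowed to resolve Internet names itself.
dnscmd NYC-DC1 /ResetForwarders 10.10.0.5 /NoSlave

rem Every other hub forwards to its parent hub from the design table.
rem /Slave makes the server use the forwarder only and never fall back to
rem root hints, which is the scripted equivalent of removing them.
dnscmd TOR-DC1 /ResetForwarders 10.10.0.10 /Slave
dnscmd LON-DC1 /ResetForwarders 10.10.0.10 /Slave
dnscmd PAR-DC1 /ResetForwarders 10.10.0.110 /Slave
dnscmd TKO-DC1 /ResetForwarders 10.10.0.10 /Slave
dnscmd BJG-DC1 /ResetForwarders 10.30.0.10 /Slave
rem Miami, Seattle (to New York) and Lisbon (to London) follow the same pattern.

rem External authoritative servers for WoodgroveBank.com: disable recursion
rem so they answer only for the zones they host and cannot be used as an
rem open resolver in the recursion-based denial of service the lab describes.
dnscmd EXT-DNS1 /Config /NoRecursion 1

rem Checks: confirm the forwarder list and the recursion flag took effect.
dnscmd NYC-DC1 /Info
dnscmd EXT-DNS1 /Info /NoRecursion
```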

Exercise 2: Designing High Availability for Name Resolution


Task 1: Determining high availability methods for external DNS servers
1. How will you configure high availability for the external DNS servers hosting WoodgroveBank.com? When a DNS domain is registered for use on the Internet, two name servers must be provided. This provides a mechanism for high availability because if one name server is unavailable, Internet DNS servers will use the second name server. Therefore, two DNS servers should be configured for external hosting of the WoodgroveBank.com domain.

2. Will DNS servers be hosted in multiple locations? For the best network availability, DNS servers should be hosted in multiple locations to provide fault tolerance for network problems. However, this is only relevant if those network problems do not also affect the services that Internet clients are attempting to access. In this case, Woodgrove Bank does not have multiple data centers to support its Internet services, so hosting external DNS servers in multiple locations has no added benefit.

Task 2: Determining high availability methods for internal DNS servers


1. How many DNS servers will be located at each hub site? Each hub site should be configured with two DNS servers that are hosted on domain controllers to support Active Directory integrated zones.

2. What method will you use to configure DNS servers to make them highly available? Using clustering would be unnecessarily complex to provide high availability. Simply having two DNS servers in each hub site provides high availability. If one DNS server is unavailable, then clients can use the other DNS server.

3. How will clients be configured to support high availability of DNS? Clients should be configured to use both local DNS servers in the hub site. If one fails, then the clients will use the other.

Exercise 3: Designing WINS


Task 1: Determine the requirements for NetBIOS name resolution
1. Which computers need to register and resolve NetBIOS names? The computers that need to register NetBIOS names are the servers and clients running the applications that use NetBIOS name resolution. In this case, the clients are the terminal servers. All of these computers must be configured to use WINS servers.

2. Where should WINS servers be located? Because the failure of a WAN link is a concern, WINS servers should be located in London, New York, and Tokyo.

3. How would your plans change if NetBIOS applications were installed on all computers? If all computers were running applications that required NetBIOS, then all computers would need to communicate with WINS servers. Also, WINS servers would be configured at each hub site.

Task 2: Determine how WINS replication will be configured


1. What type of replication should be used between WINS servers? To ensure timely replication of WINS records, both push and pull replication should be configured between replication partners.

2. What replication topology should be used between WINS servers? A hub and spoke replication topology can be used, with New York acting as the hub. This provides a system that is simple to maintain. The replication partners must be configured manually.

Task 3: Determine how WINS will be integrated with DNS


1. Is there a need for WINS integration with DNS? Based on the scenario, there is no need for WINS integration with DNS. WINS integration with DNS is primarily to support clients that do not support dynamic DNS.

2. How can a GlobalNames DNS zone reduce the need for WINS? Depending on the application, you may be able to use a DNS GlobalNames zone instead of WINS. However, this must be tested to ensure that all applications will work properly in this configuration. The use of a GlobalNames zone requires the clients to make a DNS query after all NetBIOS name resolution methods, including broadcast, LMHOSTS, and WINS, have failed.

Exercise 4: Implementing a GlobalNames Zone


Task 1: Create a GlobalNames zone
1. On NYC-DC1, click Start, point to Administrative Tools, and click DNS.
2. Expand NYC-DC1 and click Forward Lookup Zones.
3. Right-click Forward Lookup Zones and click New Zone.
4. Click Next to begin the New Zone Wizard.
5. Ensure that Primary zone and Store the zone in Active Directory (available only if DNS server is a writable domain controller) are selected, and then click Next.
6. Click To all DNS servers in this forest: WoodgroveBank.com and click Next.
7. In the Zone name box, type GlobalNames, and then click Next.
8. Select Do not allow dynamic updates and click Next.
9. Click Finish.
10. Close DNS Manager.

Task 2: Enable support for a GlobalNames zone


1. On NYC-DC1, click Start and click Command Prompt.
2. In the command prompt, type dnscmd nyc-dc1 /config /enableglobalnamessupport 1 and press Enter.
3. Close the command prompt.
4. On LON-DC1, click Start and click Command Prompt.
5. In the command prompt, type dnscmd lon-dc1 /config /enableglobalnamessupport 1 and press Enter.
6. Close the command prompt.

Task 3: Configure records in a GlobalNames zone


1. On NYC-DC1, click Start, point to Administrative Tools, and click DNS.
2. Expand Forward Lookup Zones and click GlobalNames.
3. Right-click GlobalNames and click New Alias (CNAME).
4. In the Alias name (uses parent domain if left blank) box, type NBSrv.
5. In the Fully qualified domain name (FQDN) for target host box, type NYCDC1.WoodgroveBank.com, and then click OK.
6. Close DNS Manager.

Task 4: Verify replication to LON-DC1


1. On LON-DC1, click Start, point to Administrative Tools, and click DNS.
2. Expand LON-DC1, expand Forward Lookup Zones and click GlobalNames.

Note: If GlobalNames is not listed under Forward Lookup Zones, click Refresh.

3. Verify that the NBSrv record exists in the GlobalNames zone. You may need to wait several minutes for the record to appear.
4. Close DNS Manager.

Task 5: Test resolution of records in a GlobalNames zone


1. On LON-DC1, click Start and click Command Prompt.
2. Type ping NBSrv and press Enter.
3. Close the command prompt.

Task 6: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Lab Answer Key: Designing Network Access Solutions

Module 8
Lab Answer Key: Designing Network Access Solutions
Contents
Exercise 1: Designing a Network Access Solution 2
Exercise 2: Designing Network Policy Services 3
Exercise 3: Designing a Wireless Connection Solution 4
Exercise 4: Discuss the Design of Network Access 5
Exercise 5: Deploying an SSTP VPN Solution 5

Lab: Designing Network Access Solutions


Exercise 1: Designing a Network Access Solution
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-RAS, click Launch.
4. In the Lab Launcher, next to 6435A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-RAS as Administrator with the password Pa$$w0rd.
7. Log on to NYC-CL1 as Woodgrovebank\Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Determining remote access methods


1. Is dial-up access required? Because some users do not have Internet access when travelling, dial-up networking of some type is required. This can be achieved by implementing a dial-up server using RRAS. In many cases, it is better to obtain dial-up access from an Internet Service Provider (ISP). Users can be given accounts with an ISP that offers worldwide dial-up access. This allows the users to connect with a local call or by using a toll-free long distance number. After users connect to the ISP, they can use a VPN connection to access the corporate network.

2. Which authentication method should be used for VPN connections? To obtain the highest level of security, smart cards should be used. All of the VPN tunnelling protocols supported by Windows Server 2008 and Windows Vista support the use of EAP-TLS, which is the authentication method used for smart card authentication.

3. Which VPN tunnelling protocol should be used? To provide the best level of security, either SSTP or L2TP should be used. L2TP may provide slightly better security for authentication because computers are authenticated in addition to users. However, L2TP VPNs may be blocked by firewalls in some cases. SSTP has similar encryption strength to L2TP/IPSec, but is easier to configure because no computer authentication is required. SSTP is almost never blocked by firewalls. SSTP should be used for Windows Vista clients. L2TP should be used for Windows XP clients.

Task 3: Determining physical infrastructure for remote access


1. Where should VPN servers be located? For the best security, VPN servers should be located in a perimeter network. This allows the VPN server to be protected from Internet users. It also allows access to the corporate network, by VPN users, to be controlled by firewalls. This configuration requires more complex firewall rules, but is well within the capability of any large organization.

2. How will you address the concerns of non-North American users about slow access to data over the VPN?

Lab Answer Key: Designing Network Access Solutions

The current physical configuration of the Woodgrove Bank network has only a single Internet connection, in New York. To provide faster access to data, you could add Internet connections in Tokyo and London. However, this makes controlling Internet access more difficult. The simplest solution is to provide terminal servers in Tokyo and London with the necessary applications for EMEA and Asia users. These users use the VPN to connect to New York and then run their applications on the terminal servers in their home site. The terminal servers have fast access to local data, and only screen updates are sent to the remote access clients over the VPN. Screen updates from Terminal Services typically generate much less traffic over a network connection than accessing data directly from a workstation does.

3. How will clients be configured with dial-up and VPN connections? The Connection Manager Administration Kit (CMAK) can be used to generate Connection Manager profiles that provide the connectivity information for the dial-up and VPN connections. Users will need to be trained on which connection to use, depending on their location. Client computers must also be configured with the appropriate hardware: any user that requires dial-up access must have a modem, and other users requiring Internet connectivity need either a wireless network adapter or an Ethernet adapter.

4. How will you address concerns about availability for the Internet connection? When planning for disaster recovery and service availability, it is essential to have a service level agreement (SLA) in place with the ISP. If the current ISP is unable to provide an SLA, Woodgrove Bank should investigate other Internet connectivity providers that can. When evaluating SLAs, balance the guaranteed availability against the cost of the service.

Exercise 2: Designing Network Policy Services


Task 1: Determining the infrastructure requirements for RADIUS
1. How will RADIUS allow the Woodgrove Bank help desk to control passwords? When RADIUS authentication is used with an ISP, the ISP forwards the authentication requests to the NPS server at Woodgrove Bank, which validates the credentials against Active Directory. Therefore, when help desk staff at Woodgrove Bank reset a password on an Active Directory account, the password is also reset for dial-up access; no separate account database is maintained at the ISP.

2. What configuration needs to be performed at the ISP? The ISP has a dial-up server that must be configured as a RADIUS client. This computer forwards authentication requests to a RADIUS proxy at the ISP. The RADIUS proxy must be configured to forward authentication requests for Woodgrove Bank users to the NPS server at Woodgrove Bank, which acts as the RADIUS server.

3. What configuration needs to be performed at Woodgrove Bank? At Woodgrove Bank, an NPS server must be configured to accept RADIUS requests from the ISP. The ISP's RADIUS proxy is added as a RADIUS client on the NPS server with a shared secret, and the firewall must allow the RADIUS authentication and accounting ports (UDP 1812 and 1813, or the legacy 1645 and 1646) from the proxy's address only. The shared secret should be long and random, because it is the only thing that authenticates the proxy to the NPS server.

4. How does the implementation of RADIUS affect the local VPN server? The implementation of RADIUS can be kept separate from the local VPN server and does not necessarily affect it. However, if RADIUS is kept separate from the VPN server, network policies must be maintained on both the VPN server and the NPS server used by RADIUS. To simplify maintenance of network policies, the VPN server should be configured as a RADIUS client of the NPS server. Then all authentication and logging is centralized on the NPS server, and network policies are maintained only there.


Task 2: Determining network policies


1. What network policies should be created?
   A single network policy for Executives with no restrictions.
   A network policy for Branch management staff at each hub site. The policy for each hub site restricts access by using IP filters.
   A single network policy for Customer Service staff that denies remote access.
   A network policy for Investments staff at each hub site. The policy for each hub site restricts access by using IP filters.
   Marketing staff do not require access to applications or data and can be given Web-based access to their e-mail instead of Terminal Services. Web-based access to e-mail can be secured with SSL, which simplifies client configuration for the Marketing staff.

2. How does the processing order affect your network policies? NPS evaluates network policies in order and uses the first policy whose conditions match the connection request; no later policy is evaluated, even if it would also match. Therefore, you must be sure that the appropriate policy is ordered first, based on the conditions you have in place. Typically, the largest concern is overlapping group memberships. For example, if an executive is a member of both the Executives group and the Customer Service group, the Executives network policy that allows access must be ordered before the Customer Service network policy that denies access; otherwise the executive is denied.

Exercise 3: Designing a Wireless Connection Solution


Task 1: Selecting wireless standards
1. Which wireless networking standard is preferred for your implementation? The 802.11n wireless standard provides the best resistance to interference and the highest data throughput; therefore, the 802.11n standard is preferred. The 802.11n standard is also backward compatible with 802.11a/b/g, which means older laptops will still be able to use the 802.11n WAPs.

2. Which encryption standard is preferred for your implementation? WPA2, which uses AES-CCMP, provides the best encryption strength available for wireless LANs and should be used wherever possible. WPA (TKIP) provides most of the same features and is acceptable for laptops that do not support WPA2. WEP is not acceptable and should not be enabled on the WAPs: its keys can be recovered from captured traffic.

3. How will computers be authenticated? To provide the highest level of security, 802.1X authentication (WPA2-Enterprise) should be used for wireless computers. This allows computers to be authenticated based on their Active Directory computer accounts, for example with PEAP-MS-CHAP v2 using the computer's domain credentials, or with EAP-TLS using a computer certificate. To support this implementation, you must configure a RADIUS server; Windows Server 2008 with NPS installed can perform this role, with the WAPs configured as its RADIUS clients. Network policies must be created to support the authentication. Another common mechanism for authenticating computers is restricting connections based on MAC address. However, MAC addresses are transmitted in the clear and are easy to spoof on wireless connections, so MAC filtering provides minimal security.

Task 2: Designing the physical implementation


1. How will you provide power to the WAPs? WAPs typically require minimal power. In most cases, you can use Power over Ethernet (PoE) to provide the necessary power. This means that the same Ethernet cable used for data connectivity to the network backbone also provides power to the WAP.

2. How will you ensure that users can roam throughout the building? Multiple access points must be configured with some overlap between their signals to provide roaming access throughout the building. To minimize interference between WAPs, adjoining WAPs should use channels that do not overlap. You may need to tune the signal strength of your WAPs to provide the necessary level of overlap.

3. How will you ensure that signal strength is acceptable in all areas of the building? As part of planning and implementing a wireless design, you should perform a site survey. During implementation, use a mobile device that measures signal strength to verify the placement of the WAPs.

Exercise 4: Discuss the Design of Network Access


Task: Discuss your design for network access with the instructor and other students
1. With your instructor, discuss the remote access solution that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the Network Policy Services design that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the wireless connection solution that is appropriate for Woodgrove Bank.

Exercise 5: Deploying an SSTP VPN Solution


Task 1: Install Active Directory Certificate Services and Web server
1. On NYC-RAS, click Start and click Server Manager.
2. In the left pane, click Roles and then click Add Roles.
3. Click Next to begin the Add Roles Wizard.
4. Select the Active Directory Certificate Services checkbox.
5. Select the Web Server (IIS) checkbox, click Add Required Features, and click Next.
6. Click Next on the Introduction to Active Directory Certificate Services page.
7. Ensure that the Certification Authority checkbox is selected.
8. Select the Certification Authority Web Enrollment checkbox, click Add Required Role Services, and click Next.
9. Ensure that Enterprise is selected and click Next.
10. Ensure that Root CA is selected and click Next.
11. Ensure that Create a new private key is selected and click Next.
12. Click Next to accept the default cryptography settings.
13. Click Next to accept the default CA Name of WoodgroveBank-NYC-RAS-CA.
14. Click Next to accept the default validity period of 5 years.
15. Click Next to accept the default database and log locations.
16. Click Next on the Web Server (IIS) page.
17. Click Next on the Select Role Services page.
18. Click Install on the Confirm Installation Selections page.
19. After installation is complete, click Close and close Server Manager.

Task 2: Create an SSL certificate


1. On NYC-RAS, click Start, point to Administrative Tools, and click Internet Information Services (IIS) Manager.
2. In the left pane, click NYC-RAS (WOODGROVEBANK\Administrator) and double-click Server Certificates.
3. In the Actions pane, click Create Domain Certificate.
4. Enter the following and then click Next:
   Common name: NYC-RAS.WoodgroveBank.com
   Organization: Woodgrove Bank
   Organizational unit: IT
   City/locality: New York
   State/province: New York
   Country/region: US
5. In the Specify Online Certification Authority box, type WoodgroveBank-NYC-RAS-CA\NYC-RAS.WoodgroveBank.com.
6. In the Friendly name box, type WebSSL and click Finish.
7. Close Internet Information Services (IIS) Manager.

Task 3: Configure RRAS


1. On NYC-RAS, click Start, point to Administrative Tools, and click Routing and Remote Access.
2. Right-click NYC-RAS (local) and click Configure and Enable Routing and Remote Access.
3. Click Next to start the Routing and Remote Access Server Setup Wizard.
4. Ensure Remote access (dial-up or VPN) is selected and click Next.
5. Select the VPN checkbox and click Next.
6. Select Local Area Connection, deselect the Enable security on the selected interface by setting up static packet filters checkbox, and click Next. Note that this checkbox is typically enabled in a production environment, where it restricts the Internet-facing interface to VPN traffic only. It is deselected in this lab because of hardware restrictions: the virtual machine has a single network interface, which the static filters would restrict to VPN traffic only.
7. Select From a specified range of addresses and click Next.
8. Click New, enter the following, and click OK.
   Start IP address: 10.11.0.200
   End IP address: 10.11.0.225
9. Click Next.
10. Click No, use Routing and Remote Access to authenticate connection requests and click Next.
11. Click Finish.
12. Click OK to clear the warning message about DHCP and then close Routing and Remote Access.

Task 4: Create a Network Policy to allow VPN access.


1. On NYC-RAS, click Start, point to Administrative Tools, and click Network Policy Server.
2. In the left pane, expand Policies and click Network Policies.
3. Right-click Network Policies and click New.
4. In the Policy name box, type Allow Domain Admins and then click Next.
5. In the Specify Conditions window, click Add.
6. Click Windows Groups and click Add.
7. Click Add Groups, type Domain Admins, and click OK.
8. Click OK and click Next.
9. Ensure Access granted is selected and click Next.
10. Click Next to accept the default authentication types.
11. Click Next to accept the default constraints.
12. Click Next to accept the default settings.
13. Click Finish and close Network Policy Server.

Task 5: Configure the client with a trusted root certificate


1. On NYC-CL1, click Start and click Internet.
2. In the address bar, type http://NYC-RAS.WoodgroveBank.com/certsrv and press Enter.
3. Log on as WoodgroveBank\Administrator with a password of Pa$$w0rd.
4. Click Download a CA certificate, certificate chain, or CRL.
5. If necessary, click Close to clear the information about the information bar.
6. Click Download CA certificate and click Open.
7. When the Certificate window opens, click Install Certificate.
8. Click Next to start the Certificate Import Wizard.
9. Ensure Automatically select the certificate store based on the type of certificate is selected and click Next.
10. Click Finish.
11. Click OK to close the Certificate Import Wizard dialog box.
12. Click OK to close the Certificate window.
13. Close Internet Explorer.
14. Click Start, in the Start Search box, type mmc, and press ENTER.
15. Click File and click Add/Remove Snap-in.
16. Double-click Certificates, ensure My user account is selected, and click Finish.
17. Double-click Certificates, click Computer account, and click Next.
18. Click Local computer: (the computer this console is running on) and click Finish.
19. Click OK.
20. In the left pane, expand Certificates - Current User, expand Intermediate Certification Authorities, and click Certificates.
21. Right-click WoodgroveBank-NYC-RAS-CA and click Copy.
22. In the left pane, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
23. Right-click Certificates and click Paste.
24. Close the MMC window.
25. Click No when prompted to save settings.

Task 6: Configure and test an SSTP VPN connection


1. On NYC-CL1, click Start and click Connect To.
2. Click Set up a connection or network.
3. Click Connect to a workplace and click Next.
4. Click Use my Internet connection (VPN).
5. Click I'll set up an Internet connection later.
6. In the Internet address box, type NYC-RAS.WoodgroveBank.com.
7. In the Destination name box, type NYC VPN and then click Next.
8. Click Create without entering a username and password.
9. Click Close.
10. Click Start and click Connect To.
11. Right-click NYC VPN and click Properties.
12. Click the Networking tab.
13. In the Type of VPN box, select Secure Socket Tunneling Protocol (SSTP) and then click OK.
14. Click Connect.
15. Log on as WoodgroveBank\Administrator with a password of Pa$$w0rd.
16. Click Close to close the Connect to a network window.
17. Click Start and click Connect To.
18. Verify that the status of the connection is Connected.
19. Close all open windows.
Note: If you experience an error during your connection attempt, review the configuration of the SSTP listener by using the instructions in Setting up the SSTP listener and verifying it in the Routing and Remote Access Blog at http://blogs.technet.com/rrasblog/archive/2007/03/07/configuration-of-sstp-listener-and-verification.aspx. In particular, if you want to change the certificate used by SSTP, you must manually remove the existing certificate binding and replace it; RRAS does not do this for you.
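The note above points at the most common SSTP failure: the certificate bound in HTTP.sys is not the one SSTP expects, or the client cannot validate the chain (including its CRL check). The script below is an added example, not part of the 6435A lab materials. It reads the thumbprint that RRAS recorded for SSTP, lists the HTTP.sys SSL bindings, then performs a TLS handshake to the server the way the SSTP client does and reports the certificate presented and whether its chain validates, with revocation checking, on the machine the script runs from. It assumes only the lab names (NYC-RAS.WoodgroveBank.com on port 443); everything else is standard Windows or .NET, and the function and parameter names are mine.

```powershell
# Added example (not part of the 6435A lab): verify the SSTP listener on
# NYC-RAS and the certificate a client will see. Run in an elevated
# PowerShell prompt on NYC-RAS (registry and HTTP.sys sections) or on
# NYC-CL1 (handshake section). Only the lab host name and port are assumed.
param(
    [string]$Server = 'NYC-RAS.WoodgroveBank.com',
    [int]$Port = 443
)

# 1. Which certificate does SSTP think it is using? RRAS records the SHA1
#    thumbprint of the server certificate it bound under this key.
$sstpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$sstpHash = $null
if (Test-Path $sstpKey) {
    $params = Get-ItemProperty -Path $sstpKey
    if ($params.SHA1CertificateHash) {
        $sstpHash = ($params.SHA1CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
    }
}
"SSTP configured certificate (SHA1): $sstpHash"

# 2. Which certificate is actually bound to 0.0.0.0:443 in HTTP.sys?
#    SSTP shares HTTP.sys with IIS, so there must be exactly one binding.
"HTTP.sys SSL bindings:"
netsh http show sslcert | Select-String -Pattern 'IP:port', 'Certificate Hash'

# 3. Do a real TLS handshake the way the client will, then validate the
#    presented certificate's chain and report why validation failed if it did.
function Test-SstpListener {
    param([string]$HostName, [int]$TcpPort)
    $result = New-Object PSObject -Property @{
        Server = $HostName; Subject = $null; Thumbprint = $null
        ChainValid = $false; ChainStatus = $null; NameMatches = $false; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $TcpPort)
        # Accept anything at the TLS layer; the chain is evaluated below so the
        # reasons for a failure can be reported, not just the fact of it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()

        # Build the chain with online revocation checking, as the SSTP client
        # does: an unreachable CRL distribution point fails here exactly as it
        # would during the VPN connection attempt.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $result.ChainValid  = $chain.Build($cert)
        $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
        $result.Subject     = $cert.Subject
        $result.Thumbprint  = $cert.Thumbprint
        # SSTP also requires the name the client dials to match the certificate.
        $result.NameMatches = ($cert.Subject -match [regex]::Escape("CN=$HostName"))
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

$check = Test-SstpListener -HostName $Server -TcpPort $Port
$check | Format-List Server, Subject, Thumbprint, ChainValid, ChainStatus, NameMatches, Error

if ($sstpHash -and $check.Thumbprint -and ($sstpHash -ne $check.Thumbprint)) {
    Write-Warning 'HTTP.sys presents a different certificate than SSTP was configured with; remove the SSL binding and reconfigure the RRAS certificate.'
}
```

Run it on NYC-RAS after Task 3 to confirm the listener, and again on NYC-CL1 after Task 5: ChainValid should become True on the client only once the WoodgroveBank-NYC-RAS-CA certificate is in the Local Computer Trusted Root store. The SSTP client also checks the CRL at the distribution point named in the server certificate; in this lab the CDP is on NYC-RAS and reachable, but an Internet-facing deployment must publish the CRL somewhere clients can reach before the tunnel is up. For testing only, that check can be suppressed on the client with the NoCertRevocationCheck DWORD (value 1) under HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters; do not leave it set in production.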

Task 7: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6435A Lab Launcher.

Lab Answer Key: Designing Network Access Protection

Module 9
Lab Answer Key: Designing Network Access Protection
Contents
Exercise 1: Analyzing Enforcement Methods
Exercise 2: Designing DHCP Enforcement
Exercise 3: Designing IPsec Enforcement
Exercise 4: Implementing DHCP Enforcement


Lab: Designing Network Access Protection


Exercise 1: Analyzing Enforcement Methods
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. In the Lab Launcher, next to 6435A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
7. Log on to NYC-CL1 as WoodgroveBank\Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Analyze DHCP Enforcement


1. Which components are required for DHCP enforcement? All NAP implementations require an NPS server with policies to act as the health policy server, and a supported client. Supported NAP clients are Windows XP SP3 and Windows Vista. DHCP enforcement also requires a NAP-integrated DHCP server; a NAP-integrated DHCP server is included in Windows Server 2008.

2. Are the necessary components in place for DHCP enforcement? Yes. All necessary components are in place.

3. What are the benefits of using DHCP enforcement? It is simple to implement because little configuration is required.

4. What are the drawbacks of using DHCP enforcement? DHCP enforcement is relatively easy to circumvent, and it does not apply to computers with static IP addresses.

5. Is DHCP enforcement suitable for Woodgrove Bank? Yes, because malicious users have not been listed as a concern. If there are no concerns about malicious users, DHCP enforcement is a simple way to implement NAP. DHCP enforcement is well suited to desktop computers and wireless computers within a LAN. Bear in mind that it only limits what a cooperating client is handed: a user with local administrator rights can assign a static IP address and bypass it entirely.

Task 3: Analyze VPN Enforcement


1. Which components are required for VPN enforcement? All NAP implementations require an NPS server with policies to act as the health policy server, and a supported client. Supported NAP clients are Windows XP SP3 and Windows Vista. VPN enforcement also requires a NAP-integrated VPN server; a NAP-integrated VPN server is included in Windows Server 2008.

2. Are the necessary components in place for VPN enforcement? Yes. All necessary components are in place.

3. What are the benefits of using VPN enforcement? VPN enforcement can be used to control the access of remote users.
4. What are the drawbacks of using VPN enforcement? VPN enforcement is not well suited for protecting LANs from internal users.

5. Is VPN enforcement suitable for Woodgrove Bank? Yes. It is well suited for protecting the network from remote users with laptops or home computers.

Task 4: Analyze 802.1X Enforcement


1. Which components are required for 802.1X enforcement? All NAP implementations require an NPS server with policies to act as the health policy server, and a supported client. Supported NAP clients are Windows XP SP3 and Windows Vista. 802.1X enforcement also requires network devices (switches and WAPs) capable of 802.1X authentication to act as enforcement points.

2. Are the necessary components in place for 802.1X enforcement? No. Not all network devices support 802.1X.

3. What are the benefits of using 802.1X enforcement? 802.1X enforcement is difficult to circumvent because it is enforced by the switch or WAP. If 802.1X authentication is already in place, 802.1X enforcement is relatively easy to implement.

4. What are the drawbacks of using 802.1X enforcement? All network devices must support 802.1X authentication for it to be effective. This can be expensive if new devices are required. Also, implementing 802.1X authentication can be time consuming if it is not already in place.

5. Is 802.1X enforcement suitable for Woodgrove Bank? No. Not all network devices support 802.1X authentication, and replacing those devices may be expensive.

Task 5: Analyze IPSec enforcement


1. Which components are required for IPSec enforcement? All NAP implementations require an NPS server with policies to act as the health policy server, and a supported client. Supported NAP clients are Windows XP SP3 and Windows Vista. IPSec enforcement also requires a certification authority (CA) and a Health Registration Authority (HRA) to be implemented.

2. Are the necessary components in place for IPSec enforcement? No. At this time neither a CA nor an HRA has been implemented.

3. What are the benefits of using IPSec enforcement? IPSec enforcement provides a very high level of security because it is enforced on each host. No specialized hardware is required for implementation.

4. What are the drawbacks of using IPSec enforcement? IPSec enforcement requires additional servers (a CA and an HRA) when compared with DHCP or VPN enforcement. Also, if Windows XP clients are present on the network, you must use IPSec policies that are compatible with Windows XP clients rather than the connection security rules used by Windows Vista clients.

5. Is IPSec enforcement suitable for Woodgrove Bank? Yes. All clients are using Windows Vista. However, a CA and an HRA must be implemented.

Exercise 2: Designing DHCP Enforcement


Task 1: Design client configuration
1. What is the simplest way to apply the necessary client configuration to many computers at once? Enabling the enforcement client for each type of enforcement can be done by using Group Policy. This can be done for any organizational units that contain client computers.
2. How will you ensure that only the client computers are configured and not servers? If client computers are in separate organizational units, you can link the Group Policy object only to those organizational units with client computers. Alternatively, if client computers and servers exist in the same organizational unit, you can use security filtering to ensure that only client computers can apply the policy: create a group for the client computers and ensure that only that group has the necessary permissions to apply the Group Policy object.

Task 2: Design SHV configuration


1. How are the options available for checking client status determined? The options available for checking client status are determined by the Windows SHA and SHV that are included with Windows Vista and Windows Server 2008. The Windows SHA uses the status that is reported by Windows Security Center. Windows Security Center must be enabled to use the Windows SHA and SHV.

2. How can these options be expanded? You use additional SHAs and SHVs to expand the monitoring capabilities of NAP. An SHA and SHV are added as a pair, with the SHA on the client side and the SHV on the server side.

Task 3: Design DHCP implementation


1. Where will DHCP servers be located? A single DHCP server will be located in Toronto.
2. How will the clients communicate with the DHCP server? Routers will be configured as DHCP relay agents to forward DHCP requests from remote subnets to the DHCP server.

3. Is additional configuration necessary on the DHCP server? Yes. NAP must be enabled for each scope where NAP is to be enforced. You can also configure different scope options for restricted and non-restricted computers; for example, a different DNS server could be assigned to restricted computers. The Default User Class is used for non-restricted clients. The Default Network Access Protection Class is used for restricted clients.

Task 4: Design remediation servers


1. How are remediation servers accessed by noncompliant computers? A noncompliant computer is given a 255.255.255.255 subnet mask, no default gateway, and static host routes (delivered through the DHCP classless static route option) to the remediation servers. This allows the remediation servers to be reached even though overall network access is restricted.
2. Which servers should be configured as remediation servers? All servers necessary to bring a computer into compliance should be configured as remediation servers. This can include domain controllers, DNS servers, and WSUS servers.


Exercise 3: Designing IPSec Enforcement


Task 1: Design IPSec enforcement networks
1. What computers are on the restricted network? The restricted network contains computers that are noncompliant. These computers do not have health certificates.
2. What computers are on the boundary network? The boundary network contains remediation servers and enforcement points. The HRA is the enforcement point for IPSec enforcement. These computers have health certificates.

3. What computers are on the secure network? All compliant NAP clients and most servers are on the secure network. The NAP components on the secure network are the CA and the NPS server. These computers have health certificates.

4. What communication is allowed between the IPSec networks? Computers on the restricted network are able to initiate communication with other computers in the restricted network and with computers in the boundary network. Computers in the boundary network are able to initiate communication with computers in any network. Computers in the secure network are able to initiate communication with computers in any network.

Task 2: Design the IPSec implementation


1. Why are IPSec policies required? NAP does not push out IPSec configuration to clients or servers. NAP requires that IPSec policies already be in place. NAP provides the infrastructure that issues health certificates, which the IPSec policies then require for authentication.

2. What configuration is used for IPSec in the restricted network? IPSec is not configured on the restricted network. Client computers are configured to use the IPSec configuration for the secure network. If authentication fails because a health certificate is not present, the client is effectively placed on the restricted network.

3. What configuration is used for IPSec in the boundary network? Computers in the boundary network must communicate with all computers. Therefore, the computers in the boundary network should be configured with an isolation rule that requests authentication for inbound and outbound connections.

4. What configuration is used for IPSec in the secure network? Computers in the secure network should not communicate with noncompliant computers. Therefore, the computers in the secure network should be configured with an isolation rule that requires authentication for inbound connections and requests authentication for outbound connections.

5. How are remediation servers configured? For IPSec enforcement, remediation servers are configured by placing them in the boundary network. Remediation server groups created in the NPS administrative tools are relevant only for VPN and DHCP enforcement.
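The boundary and secure network settings described in this task are connection security rules. As an added example (not part of the lab and not the lab's answer), the following script creates the matching rule with netsh advfirewall, which is available on Windows Vista and Windows Server 2008 and produces the same rule the Group Policy editor would; the design decisions in questions 3 and 4 are mapped directly onto the rule's action. The CA distinguished name is a placeholder assumption, to be replaced with the CA that issues health certificates in your NAP deployment, and the rule name and script parameters are mine.

```powershell
# Added example (not part of the 6435A lab): create the connection security
# rule for a boundary-network or secure-network computer with netsh
# advfirewall. Run elevated on the computer being placed in that network,
# or use the same settings in a GPO. The CA name is a placeholder.
param(
    [ValidateSet('Boundary', 'Secure')]
    [string]$Network = 'Secure',
    # Placeholder (assumption, not lab data): DN of the CA issuing health certificates.
    [string]$HealthCertCA = 'CN=WoodgroveBank-NAP-CA, DC=WoodgroveBank, DC=com'
)

# Map the design decision to the rule action:
#   Boundary: request authentication in and out, so the HRA and remediation
#             servers can still talk to clients that have no health
#             certificate yet.
#   Secure:   require authentication inbound so a noncompliant host cannot
#             reach this computer; request it outbound so this computer can
#             still initiate connections to boundary and restricted hosts.
$action = switch ($Network) {
    'Boundary' { 'requestinrequestout' }
    'Secure'   { 'requireinrequestout' }
}
$ruleName = "NAP IPsec isolation ($Network network)"

# Remove any earlier copy so the script can be re-run safely.
netsh advfirewall consec delete rule name="$ruleName" | Out-Null

# auth1=computercert together with auth1healthcert=yes restricts phase-1
# authentication to certificates that carry the System Health Authentication
# EKU from the named CA; an ordinary machine certificate from the same CA
# does not satisfy it, which is what keeps noncompliant hosts out.
$netshArgs = @(
    'advfirewall', 'consec', 'add', 'rule',
    "name=$ruleName",
    'endpoint1=any', 'endpoint2=any',
    "action=$action",
    'auth1=computercert',
    "auth1ca=$HealthCertCA",
    'auth1healthcert=yes',
    'profile=domain'
)
& netsh $netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Show the resulting rule, then the live main mode security associations:
# peers should appear here only if they presented a health certificate.
netsh advfirewall consec show rule name="$ruleName"
netsh advfirewall monitor show mmsa
```

Run it with -Network Boundary on the HRA and the remediation servers and with -Network Secure on the remaining servers and on the client computers. Because the clients carry the secure-network rule, a client whose health certificate has expired or been removed can no longer complete authentication with secure-network hosts, yet can still reach the boundary network (which only requests authentication) to be remediated and to obtain a new certificate from the HRA; the monitor output is the quickest way to confirm which peers actually negotiated.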

Task 3: Design the CA implementation


1. What type of CA must be installed and why? An enterprise CA must be installed, because the health certificates are issued from a certificate template (the System Health Authentication template) and only enterprise CAs support certificate templates. An HRA can also be configured to request health certificates from a standalone CA, but that configuration does not use templates and is not the one designed here.


2. How long will you configure health certificates to be valid for? There is no specific time frame for certificate lifetime that must be implemented. However, 24 hours is reasonable. This ensures that health status must be verified at least every 24 hours. A longer certificate lifetime could leave unhealthy computers on the secure network with NAP unable to identify them, because health certificates are kept short-lived by design rather than being revoked.

Exercise 4: Implementing DHCP Enforcement


Task 1: Install necessary components
1. On NYC-DC1, click Start and click Server Manager.
2. In the left pane, click Roles and click Add Roles.
3. Click Next to start the Add Roles Wizard.
4. Select the DHCP Server and Network Policy and Access Services checkboxes, and then click Next.
5. Read the Introduction to Network Policy and Access Services page, and then click Next.
6. Select the Network Policy Server checkbox and then click Next.
7. Read the Introduction to DHCP Server page and then click Next.
8. In the Network Connections box, ensure that 10.10.0.10 is selected and then click Next.
9. On the Specify IPv4 DNS Server Settings page, click Next to accept the default configuration:
   Parent Domain: WoodgroveBank.com
   Preferred DNS Server IPv4 Address: 10.10.0.10
10. Ensure WINS is not required for applications on this network is selected and click Next.
11. Click Add to create a DHCP scope.
12. Enter the following:
   Scope Name: New York Scope
   Starting IP Address: 10.10.1.0
   Ending IP Address: 10.10.9.254
   Subnet Mask: 255.255.0.0
   Default Gateway (optional): 10.10.0.1
   Subnet Type: Wired (lease duration will be 6 days)
13. Ensure that the Activate this scope checkbox is selected and click OK.
14. Click Next.
15. Click Disable DHCPv6 stateless mode for this server and click Next.
16. Ensure Use current credentials is selected and then click Next.
17. Click Install.
18. When installation is complete, click Close.
19. Close Server Manager.

Task 2: Configure NPS


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Network Policy Server.
2. In the Standard Configuration area, ensure Network Access Protection (NAP) is selected and click Configure NAP.
3. In the drop-down list box, select Dynamic Host Configuration Protocol (DHCP) as the connection method.
4. Accept NAP DHCP as the policy name and click Next.
5. Click Next to skip the configuration of RADIUS clients. This is not necessary because DHCP is running on the NPS server itself.
6. On the Specify DHCP Scopes page, click Next.
7. On the Configure User Groups and Machine Groups page, click Next.
8. On the Specify a NAP Remediation Server Group and URL page, click Next.
9. On the Define NAP Health Policy page, ensure that the following are selected and then click Next:
   Windows Security Health Validator
   Enable auto-remediation of client computers
   Deny full network access to NAP-ineligible client computers. Allow access to a restricted network only.
10. Review the settings and click Finish.
11. Expand Policies and click Connection Request Policies. Notice that a NAP DHCP policy has been created by the wizard.
12. Click Network Policies. Notice that several policies for NAP have been created by the wizard.
13. Click Health Policies. Notice that two policies for NAP have been created by the wizard.
14. Close Network Policy Server.

Task 3: Configure DHCP


1. Click Start, point to Administrative Tools, and then click DHCP.
2. Expand nyc-dc1.woodgrovebank.com, expand IPv4, and then click Scope [10.10.0.0] New York Scope.
3. Right-click Scope [10.10.0.0] New York Scope and click Properties.
4. Click the Network Access Protection tab, click Enable for this scope, ensure Use default Network Access Protection profile is selected, and then click OK.
5. Ensure Scope [10.10.0.0] New York Scope is expanded, click Scope Options, right-click Scope Options, and click Configure Options.
6. Click the Advanced tab, and in the User class box, select Default Network Access Protection Class.
7. Select the 006 DNS Servers check box, in the IP Address box, type 10.10.0.10, and then click Add.
8. Select the 015 DNS Domain Name check box, in the String value box, type restricted.woodgrovebank.com, and click OK.
9. Close DHCP.

Task 4: Configure NAP Client by using Group Policy


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the left pane, ensure WoodgroveBank.com is expanded, right-click NYC, point to New, and click Organizational Unit.
3. In the Name box, type NYC NAP Clients and click OK.
4. In the left pane, click Computers.
5. Right-click NYC-CL1 and click Move.
6. Expand NYC, click NYC NAP Clients, and click OK.
7. Close Active Directory Users and Computers.
8. Click Start, point to Administrative Tools, and click Group Policy Management.
9. Expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, expand NYC, and then click NYC NAP Clients.
10. Right-click NYC NAP Clients and click Create a GPO in this domain, and Link it here.
11. In the Name box, type DHCP NAP Client and click OK.
12. Right-click DHCP NAP Client and click Edit.
13. In the left pane, browse to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center.
14. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
15. Browse to Computer Configuration\Policies\Windows Settings\Security Settings\System Services and double-click Network Access Protection Agent.
16. Select the Define this policy setting checkbox, click Automatic, and click OK.
17. In the left pane, in Security Settings, expand Network Access Protection, expand NAP Client Configuration, and then click Enforcement Clients.
18. Right-click DHCP Quarantine Enforcement Client and click Enable.
19. In the left pane, right-click NAP Client Configuration and click Apply.
20. Close the Group Policy Management Editor.
21. Close Group Policy Management.

Task 5: Configure networking on the client


1. Restart NYC-CL1, and log on as Woodgrovebank\Administrator with the password Pa$$w0rd.
2. Click Start, in the Start Search box, type cmd, and then press Enter.
3. Type gpupdate and press Enter.
4. Close the command prompt.
5. Click Start, right-click Network, and click Properties.
6. Under Tasks, click Manage network connections.
7. Right-click Local Area Connection and click Properties.
8. Click Internet Protocol Version 4 (TCP/IPv4) and click the Properties button.
9. Click Obtain an IP address automatically, click Obtain DNS server address automatically, and then click OK.
10. Click Close and close all open windows.
11. Wait a few moments; a warning about limited network access will appear.
12. Click Start, in the Start Search box, type cmd, and then press Enter.
13. At the command prompt, type ipconfig /all and press Enter. Notice that an IPv4 address has been configured, but the subnet mask is 255.255.255.255 and the Connection-specific DNS suffix is restricted.woodgrovebank.com.
14. Type ping nyc-web.woodgrovebank.com and press Enter. This is not successful.
15. Close the command prompt.

Task 6: Configure the SHV


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Network Policy Server.
2. In the left pane, expand Network Access Protection and click System Health Validators.
3. Right-click Windows Security Health Validator and click Properties.
4. Click the Configure button.
5. On the Windows Vista tab, deselect all check boxes except A firewall is enabled for all network connections, and then click OK.
6. Click OK to close the Windows Security Health Validator Properties window.
7. Close Network Policy Server.

Task 7: Test compliance and auto-remediation on the client


1. On NYC-CL1, click Start, type cmd, and press Enter.
2. Type ipconfig /renew and press Enter. Notice that NYC-CL1 now has a default gateway, a subnet mask of 255.255.0.0, and the Connection-specific DNS suffix is WoodgroveBank.com.
3. Close the command prompt.
4. Click Start and click Control Panel.
5. Click Security and click Windows Firewall.
6. Click Change settings.
7. Click Off (not recommended) and click OK. Notice that Windows Firewall status is off only briefly before being turned back on by the NAP client.
8. Close all open windows.

Task 8: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Module 10
Lab Answer Key: Designing Operating System Deployment and Maintenance
Contents
Exercise 1: Designing an Operating System Deployment Solution
Exercise 2: Designing WDS Deployment
Exercise 3: Designing WDS Images
Exercise 4: Designing a WSUS Deployment
Exercise 5: Discussing Operating System Deployment and Maintenance
Exercise 6: Implementing Multicast Transmissions for Images

Lab: Designing Operating System Deployment and Maintenance


Lab Setup
You will use the available virtual machine environment for this lab. Before you begin the lab, you must:
• Ensure that all virtual machines are shut down.
• Map the E drive to C:\Program Files\Microsoft Learning\6435\Drives\WindowsServer2008.iso on 6435A-NYC-DC1. If the .iso file is not connected, complete the following steps to connect it:
  a. On the host computer, click Start, point to All Programs, point to Microsoft Virtual Server, and then click Virtual Server Administration Website.
  b. Under Navigation, click Master Status, and then click 6435A-NYC-DC1. In the context menu, click Edit Configuration.
  c. In the CD/DVD area, ensure that the line ISO image WindowsServer2008.iso is listed. If it is not, complete the following steps:
     • Under 6435A-NYC-DC1 Configuration, click CD/DVD.
     • On the 6435A-NYC-DC1 CD/DVD Drive Properties page, click Known image files.
     • In the Fully qualified path to file text box, type C:\Program Files\Microsoft Learning\6435\Drives\WindowsServer2008.iso.
     • Click OK.
  Note: If you are using a 64-bit host computer, you will need to type c:\Program Files (x86)\Microsoft Learning\6435\Drives\WindowsServer2008.iso as the path.
• To start the lab, start the Microsoft Learning Lab Launcher by double-clicking the 6435A shortcut on the desktop, and clicking Launch beside 6435A-NYC-DC1.
• After the computer starts, log on using the following credentials:
  User name: Administrator
  Password: Pa$$w0rd
  Domain: WoodgroveBank

Exercise 1: Designing an Operating System Deployment Solution


Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Review information about the current business requirements


1. What are the business requirements described in the scenario?
   The business requirements are:
   • 2500 client desktops in the US and 1000 desktops in Poland need to be migrated to Windows Vista
   • User data and personalized settings must be preserved
   • User data must be secured during and after migration
   • Existing Windows Server 2003 infrastructure needs to be upgraded to Windows Server 2008
   • A more robust and less time-consuming update management solution is required
   • Computer updates must not impact the network performance
2. What are the requirements to choose the appropriate deployment solution for the operating system in the Woodgrove Bank design?
   The requirements for the deployment of the operating system are:
   • The existing RIS-based computer building process needs to be preserved
   • The solution must support deployment of Windows Vista and Windows Server 2008 operating systems
   • The operating system deployment solution needs to ensure privacy for the users and their data and ensure that security is maintained during and after the migration
   • The solution should provide the best connectivity to all client computers

Task 3: Select a deployment solution for operating systems


What deployment solution for operating systems do you recommend and why?
The best-suited deployment solution for the operating system in the above scenario is Microsoft Windows Deployment Services (WDS):
• The existing RIS deployment solution can be upgraded to WDS
• WDS supports deployment of Windows Vista and Windows Server 2008 operating systems
• WDS provides the ability to transmit data and images using multicast functionality, which preserves bandwidth during the deployment of operating systems
• All required network components are in place, including AD DS, DNS, and DHCP. You also have the necessary administrative privileges on each member server
• DHCP servers are Microsoft-based, so if required WDS can be installed on the DHCP servers without any additional scope considerations

Exercise 2: Designing WDS Deployment


Task 1: Design WDS infrastructure
1. Where will WDS servers be located? WDS servers must be located at each physical location to meet the target time of 30 minutes for imaging. It is not possible to image computers with several gigabytes of information over a T1 line in 30 minutes.

2. What types of data need to be stored on each WDS server?
   Each WDS server must store the images that it delivers. This includes boot and install images. When new batches of computers are imaged, there also needs to be a storage location for user profile data. However, user profile data does not need to be stored on the WDS server.

3. How will the impact on network performance be minimized during the deployment of new computers? What are the requirements for this solution?
   The use of multicasting minimizes the amount of data traversing the network during the deployment of new batches of computers. When multicasting is used, an image is transmitted just once over the network to multiple computers. To use multicasting, all of the routers must be configured to forward multicast traffic. This may or may not be the case with the default router configuration. Multicast forwarding is required within each physical location.

Task 2: Design the deployment process


1. How will user data be captured from existing workstations and applied to new workstations? The User State Migration Tools (USMT) captures user data from workstations and applies it to new workstations. USMT can capture documents or just user settings. In most cases, user data is stored on file servers and only user settings need to be captured. This will copy the configuration of applications.

2. What process will be used when deploying new workstations?
   When deploying new workstations, the following process can be used:
   a. Capture user data from existing workstations and store it on a file server. You can run USMT in a login script to automate this process for many users.
   b. Place the new workstations at user desktops.
   c. Create a multicast on the WDS server. This multicast can be scheduled-cast or auto-cast. However, a scheduled multicast triggered based on the number of workstations joined would be the most efficient for network traffic.
   d. Start the new computers using PXE and select the appropriate image for the multicast.
   e. Once the multicast is complete, restart the workstations and log on.
   f. Apply the user data captured from the old workstations by using USMT. You can automate this process with login scripts.

3. How will this process vary for reimaging existing workstations?
   When a single workstation is being reimaged, it may not be possible to capture user data before imaging is performed. A multicast is also not required; unicast communication will be used.

Exercise 3: Designing WDS Images


Task: Design the images and imaging process
1. How will you accommodate varying types of hardware within each workgroup? When sysprep is used to generalize Windows Vista before imaging, the hardware is autodetected again when the image is applied. Therefore, no process is required to accommodate varying hardware except that the necessary drivers must be available in the image.

2. What process will you use for image creation?
   The following process will be used to create each of the four images:
   a. Windows Vista will be installed on a computer.
   b. Applications for the workgroup will be installed and configured.
   c. Sysprep is used to generalize the image.
   d. The image is captured and stored on a WDS server.

3. How can you automate the imaging process to ensure that user input is not required?
   You can use Windows System Image Manager (SIM) in the Windows Automated Installation Kit (WAIK) to create an unattended setup file. This file can be used to automate the configuration process after the generalized operating system is applied to a computer.

4. What are the requirements for the boot image?
   The boot image used must match the version of the operating system being deployed. As new service packs are released, you should check whether a new boot.wim is released too. You should not use the boot.wim from the original Windows Vista DVD because it does not support multicasting.

5. Is there a need to convert existing RIS images to WIM images?
   If the current RIS servers are being updated to Windows Server 2008, then the RIS images should be updated to WIM images. This is necessary to support the reimaging of the existing clients until Windows Vista is deployed to all client computers. If the current RIS servers are not being updated, then they can be used to support the down-level clients and the new WDS servers can be used to support the deployment of Windows Vista and Windows Server 2008.

Exercise 4: Designing a WSUS Deployment


Task 1: Design a WSUS Deployment
1. What process will be used to approve updates?
   Updates should not be automatically applied to computers. An administrator should first test them. For this purpose, a group of computers should be configured in WSUS. New updates will be approved for the test group first. When testing is complete, the updates can be approved for all computers. This process should be centralized for the organization to avoid duplication of effort.

2. Which updates should be downloaded and applied?
   An update must be downloaded before it can be applied to clients. To speed up this process, updates can all be downloaded before they are approved. However, you should download updates in only the languages you require. Many languages are supported and downloading these will waste storage space. In most cases, you may want to apply even optional updates only after they are adequately tested.

3. Which deployment scenario should be used for WSUS servers?
   Since there is only a single Internet connection, it is logical that multiple internally synchronized WSUS servers are used. The WSUS server that downloads updates from Microsoft Update will be located in the perimeter network in New York. Other WSUS servers can download updates from that WSUS server.

4. Where should WSUS servers be located?
   A WSUS server should be located in each hub site to minimize network utilization over WAN links, because there are a large number of computers in each hub site. A WSUS server is not required for each branch because the numbers of computers are small, so the overall amount of data involved in updates is typically quite small. When you deploy large updates (such as service packs), you can avoid saturating the network by using BITS and IIS throttling and by using computer groups to control the rollout. In addition, WSUS clients can be configured to synchronize more frequently from the WSUS server, and downstream WSUS servers can be configured to synchronize more frequently from their upstream server.

5. What client configuration is necessary?
   Clients must be configured to obtain automatic updates from the closest WSUS server rather than Microsoft Update. This configuration should be applied by using Group Policy. As well, client computers should be configured to apply updates automatically as they become available. The only updates available to these computers will be those approved on the WSUS server. This configuration should also be applied by using Group Policy.

Exercise 5: Discussing Operating System Deployment and Maintenance


Task: Discuss your design for the deployment and maintenance of operating systems with the instructor and other students
1. With your instructor, discuss the WDS deployment design that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the WDS images design that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the WSUS deployment design that is appropriate for Woodgrove Bank.

Exercise 6: Implementing Multicast Transmissions for Images


Note: This lab requires the Windows Server 2008 DVD in the DVD drive of NYC-DC1.

Task 1: Install the WDS server role


1. On NYC-DC1, click Start and click Server Manager.
2. In the left pane, click Roles and then click Add Roles.
3. Click Next to begin the Add Roles Wizard.
4. Select the Windows Deployment Services check box and click Next.
5. Read the Introduction to Windows Deployment Services and click Next.
6. Select the Deployment Server and Transport Server check boxes, and then click Next.
7. Click Install.
8. When installation is complete, click Close and close Server Manager.

Task 2: Configure the WDS server


1. On NYC-DC1, click Start, point to Administrative Tools, and click Windows Deployment Services.
2. In the left pane, expand Servers and click NYC-DC1.WoodgroveBank.com.
3. Right-click NYC-DC1.WoodgroveBank.com and click Configure Server.
4. Read the requirements on the Welcome page and then click Next.
5. Click Next to accept the default folder for operating system images.
6. Read the warning and then click Yes.
7. Read the options available for the PXE server, click Respond only to known client computers, and click Finish.
8. When configuration is complete, clear the Add images to the Windows Deployment Server now check box and click Finish.

Task 3: Add images to the WDS server


1. On NYC-DC1, in the left pane of Windows Deployment Services, expand NYC-DC1.WoodgroveBank.com and click Install Images.
2. Right-click Install Images and click Add Install Image.
3. In the Create a new image group box, type WindowsServer2008 and click Next.
4. In the File location box, type E:\sources\install.wim and click Next. This is the install.wim for Windows Server 2008 from the Windows Server 2008 installation DVD.
5. In the list of available images, deselect Windows Longhorn SERVERDATACENTER and Windows Longhorn SERVERDATACENTERCORE.
6. Ensure that Use default name and description for each of the selected images is selected and click Next.
7. On the Summary page, click Next.
8. Wait while the images are imported into the WindowsServer2008 image group. This can take 10 minutes or more. The process is much faster after the first image is imported.
9. After the images are imported, click Finish.
10. In the left pane, click Boot Images.
11. Right-click Boot Images and click Add Boot Image.
12. In the File location box, type E:\sources\boot.wim and then click Next.
13. In the Image description box, type From Windows Server 2008 DVD and click Next.
14. On the Summary page, click Next.
15. When the task is complete, click Finish.

Task 4: Configure a multicast


1. On NYC-DC1, in the left pane of Windows Deployment Services, click Multicast Transmissions.
2. Right-click Multicast Transmissions and then click Create Multicast Transmission.
3. In the Type a friendly name for the transmission box, type First Batch and click Next.
4. In the Select the image box, click Windows Longhorn SERVERENTERPRISE and click Next.
5. Click Scheduled-Cast (multicasting starts according to the following criteria).
6. Select the Start automatically when the number of clients ready to receive this image is check box.
7. In the Threshold box, type 5 and then click Next.
8. Click Finish.
9. Close the Windows Deployment Services window.

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Module 11
Lab Answer Key: Designing Files Services and DFS in Windows Server 2008
Contents
Exercise 1: Selecting File Services Components
Exercise 2: Designing DFS
Exercise 3: Designing FSRM
Exercise 4: Implement DFS
Exercise 5: Implement FSRM

Lab: Designing Files Services and DFS in Windows Server 2008


Exercise 1: Selecting File Services Components
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Select a file service component


1. How will you address the concern over slow access to files over WAN links? Slow file access over WAN links can be improved by using WAN acceleration or SMB 2.0. WAN acceleration requires specialized hardware which is a significant cost to implement throughout the organization. SMB 2.0 is included as part of Windows Server 2008 and Windows Vista. All file shares are hosted on Windows Server 2008. Windows XP users should be upgraded to Windows Vista to begin using SMB 2.0 and speed up file access over WAN links.

2. How will you address the concern over users seeing folders to which they do not have permissions?
   Access-based enumeration prevents users from seeing folders whose contents they do not have permission to view. This should be implemented for all file shares.

3. How will you implement high availability for file shares?
   High availability can be implemented by using failover clustering or DFS. However, failover clustering requires shared storage that is relatively expensive. Currently the SAN is restricted to application servers only. DFS can be implemented by using existing servers on local storage. Additional storage capacity may be required on the servers. DFS is the most cost-effective solution and eliminates shared storage as a potential single point of failure.

4. How will you monitor storage utilization?
   Storage utilization can be monitored by using FSRM. FSRM can generate reports showing storage utilization. As well, FSRM can generate notifications when a percentage of the quota is reached.

Exercise 2: Designing DFS


Task 1: Design replication
1. Where will files be stored in each hub site?
   The new file server for each hub site should be designated as the backup server for that hub site. File shares from each existing file server in the location will be replicated to file shares on the backup server. A new share can be created at each hub site on an existing file server to accommodate the Executive data, except for the New York hub site, which already hosts the Executive data.

2. How will centralized backup be accommodated?
   The backup server in the New York hub site can be used to hold data for the entire region. Data from all hub sites can be replicated to this server for backup.

Task 2: Design the namespace


1. How many namespace servers should there be?
   Ideally, there should be at least one namespace server in each site. This ensures that DFS is available in case a WAN link is down.

2. Should a domain-based or stand-alone namespace server be used?
   To have multiple namespace servers, a domain-based namespace should be used. A stand-alone namespace is required for scalability when more than 5000 folders exist in a namespace. That is not the case for Woodgrove Bank.

3. List the folders and targets in the DFS namespace.

   Folder                                    Targets
   \\WoodgroveBank.com\NA                    None (namespace root)
   \\WoodgroveBank.com\NA\Customer           None (empty folder for organization)
   \\WoodgroveBank.com\NA\Customer\NYC       \\NYC-FS1\Customer, \\NYC-BACK\NYCCustomer
   \\WoodgroveBank.com\NA\Customer\TOR       \\TOR-FS1\Customer, \\TOR-BACK\Customer, \\NYC-BACK\TORCustomer
   \\WoodgroveBank.com\NA\Customer\MIA       \\MIA-FS1\Customer, \\MIA-BACK\Customer, \\NYC-BACK\MIACustomer
   \\WoodgroveBank.com\NA\Customer\SEA       \\SEA-FS1\Customer, \\SEA-BACK\Customer, \\NYC-BACK\SEACustomer
   \\WoodgroveBank.com\NA\Investments        None (empty folder for organization)
   \\WoodgroveBank.com\NA\Investments\NYC    \\NYC-FS2\Investments, \\NYC-BACK\NYCInvestments
   \\WoodgroveBank.com\NA\Investments\TOR    \\TOR-FS2\Investments, \\TOR-BACK\Investments, \\NYC-BACK\TORInvestments
   \\WoodgroveBank.com\NA\Investments\MIA    \\MIA-FS2\Investments, \\MIA-BACK\Investments, \\NYC-BACK\MIAInvestments
   \\WoodgroveBank.com\NA\Investments\SEA    \\SEA-FS2\Investments, \\SEA-BACK\Investments, \\NYC-BACK\SEAInvestments
   \\WoodgroveBank.com\NA\Managers           None (empty folder for organization)
   \\WoodgroveBank.com\NA\Managers\NYC       \\NYC-FS3\Managers, \\NYC-BACK\NYCManagers
   \\WoodgroveBank.com\NA\Managers\TOR       \\TOR-FS3\Managers, \\TOR-BACK\Managers, \\NYC-BACK\TORManagers
   \\WoodgroveBank.com\NA\Managers\MIA       \\MIA-FS3\Managers, \\MIA-BACK\Managers, \\NYC-BACK\MIAManagers
   \\WoodgroveBank.com\NA\Managers\SEA       \\SEA-FS3\Managers, \\SEA-BACK\Managers, \\NYC-BACK\SEAManagers
   \\WoodgroveBank.com\NA\Executives         \\NYC-FS4\Executives, \\TOR-FS3\Executives, \\MIA-FS3\Executives, \\SEA-FS3\Executives

4. Which options should be used for each folder in the namespace?
   Each folder should be configured to use lowest cost referral ordering. This directs users in each site to use a local copy of the data before accessing data over WAN links. To minimize replication conflicts, the original file shares should be configured with the First among targets of equal cost target priority. When this is configured, users in a site will all use a single target unless it is unavailable. If the original file share is unavailable, then the file share on the backup server in the site will be used. If the backup server in the local site cannot be contacted, then the backup server in New York will be used. The targets pointing to the backup server in New York should be configured with the target priority of Last among all targets. This ensures that when a user accesses data in another location, the user does not access the backup server in New York as well, unless it is the only target available. Failback should be enabled for all folders to ensure that users begin using the primary data copy again when it is available. Access-based enumeration should be used to simplify the view of the DFS namespace for users. To enable access-based enumeration, DFS must be in Windows Server 2008 mode.
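To make the referral rules above concrete, the following is an added Python model of them; it is not DFS code or a Windows API, and the site-link costs and the client's failback behaviour are assumptions. It orders the targets of the \\WoodgroveBank.com\NA\Customer\TOR folder from the table for Toronto and New York clients, then walks a Toronto client through an outage of the original share, an outage of the local backup server, and recovery with and without failback.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed AD site-link costs between hub sites (assumed for the model; same site costs 0).
SITE_COST = {
    frozenset({"NYC", "TOR"}): 100,
    frozenset({"NYC", "MIA"}): 100,
    frozenset({"NYC", "SEA"}): 200,
    frozenset({"TOR", "MIA"}): 200,
    frozenset({"TOR", "SEA"}): 200,
    frozenset({"MIA", "SEA"}): 300,
}

# Target priority classes offered on a folder target's Advanced tab.
FIRST_ALL, FIRST_EQUAL, NORMAL, LAST_EQUAL, LAST_ALL = range(5)


@dataclass
class Target:
    path: str
    site: str
    priority: int = NORMAL
    online: bool = True


def site_cost(client_site: str, target_site: str) -> int:
    if client_site == target_site:
        return 0
    return SITE_COST.get(frozenset({client_site, target_site}), 500)


def referral_order(client_site: str, targets: list) -> list:
    """Order targets as the namespace server refers them to a client in client_site.

    Lowest cost ordering sorts by site-link cost. "First/last among targets of equal
    cost" reorders only within one cost tier; "first/last among all targets" overrides
    cost entirely. Python's sort is stable, so ties keep their configured order
    (a real namespace server randomises ties).
    """
    def key(t: Target):
        if t.priority == FIRST_ALL:
            return (0, 0, 0)
        if t.priority == LAST_ALL:
            return (2, 0, 0)
        tier = {FIRST_EQUAL: 0, NORMAL: 1, LAST_EQUAL: 2}[t.priority]
        return (1, site_cost(client_site, t.site), tier)

    return [t.path for t in sorted(targets, key=key)]


def pick_target(client_site: str, targets: list) -> Optional[str]:
    """A client connects to the first referred target that is reachable."""
    online = {t.path for t in targets if t.online}
    for path in referral_order(client_site, targets):
        if path in online:
            return path
    return None


@dataclass
class DfsClient:
    site: str
    failback: bool
    current: Optional[str] = None

    def refresh(self, targets: list) -> Optional[str]:
        """Re-evaluate the referral. Without failback a client stays on its current
        target while it is reachable, even after a preferred target returns
        (the model ignores referral cache lifetime)."""
        still_up = self.current in {t.path for t in targets if t.online}
        if still_up and not self.failback:
            return self.current
        self.current = pick_target(self.site, targets)
        return self.current


def tor_customer_targets() -> list:
    # Targets of \\WoodgroveBank.com\NA\Customer\TOR, as listed in the design table above.
    return [
        Target(r"\\TOR-FS1\Customer", "TOR", FIRST_EQUAL),   # original share
        Target(r"\\TOR-BACK\Customer", "TOR"),               # local backup server
        Target(r"\\NYC-BACK\TORCustomer", "NYC", LAST_ALL),  # central backup in New York
    ]


def demo() -> dict:
    """Walk the TOR Customer folder through normal operation, failure and recovery."""
    targets = tor_customer_targets()
    res = {"tor_order": referral_order("TOR", targets),
           "nyc_order": referral_order("NYC", targets)}  # NYC-BACK is local to NYC, yet last
    client = DfsClient("TOR", failback=True)
    res["healthy"] = client.refresh(targets)
    targets[0].online = False                        # TOR-FS1 goes down
    res["fs1_down"] = client.refresh(targets)
    targets[1].online = False                        # TOR-BACK goes down too
    res["tor_down"] = client.refresh(targets)
    targets[0].online = targets[1].online = True     # Toronto recovers
    res["failback"] = client.refresh(targets)
    sticky = DfsClient("TOR", failback=False, current=r"\\TOR-BACK\Customer")
    res["no_failback"] = sticky.refresh(targets)     # stays on the backup share
    return res
```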

Exercise 3: Designing FSRM


Task 1: Design FSRM
1. Should hard or soft quotas be implemented on the Investments folder? Hard quotas prevent files from being stored when a folder has reached its limit. This can prevent users from performing their jobs effectively and should not typically be used on a departmental file share because it can affect a large number of users. A soft quota should be used instead. Notifications can be triggered when the quota limit is reached.

2. What should occur when the quota is reached?
   A notification should be generated and emailed to an administrator, who can analyze what is causing the growth in data storage, and can then take any necessary actions.

3. How can FSRM be used to prevent multimedia files from being stored on the server?
   File screening can be used to prevent storage based on file extensions. A file group can be created for multimedia files and then applied to the Investments file share. This will not stop users who are sophisticated enough to rename files with alternate file extensions, but is sufficient to deter most users.

4. How can you allow multimedia files to be stored in a single folder in the Investments file share?
   When file screening is configured for a folder, it also applies to subfolders. However, if file screening is configured directly on a subfolder, those limitations override the file screening configured at the higher level.
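The inheritance and override behaviour in questions 3 and 4, modelled in Python as an added example (this is not FSRM's code or API): a screen on the Investments share governs every subfolder until a more specific entry on a subfolder overrides it, and matching is by file-name pattern only, so a renamed file slips through. The file group patterns, folder names and file names are constructed.

```python
import fnmatch
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

# Constructed patterns standing in for FSRM's built-in "Audio and Video Files" file group.
MULTIMEDIA_GROUP = {"*.mp3", "*.wav", "*.wma", "*.avi", "*.mpg", "*.wmv", "*.mov"}


@dataclass
class FileScreen:
    folder: str                                 # folder the screen (or exception) is created on
    blocked: set = field(default_factory=set)   # empty set models a file screen exception
    active: bool = True                         # active screening blocks the save; passive only notifies


def effective_screen(file_path: str, screens: list) -> Optional[FileScreen]:
    """Return the screen governing file_path: the entry on the nearest ancestor folder.

    A screen on a folder applies to every subfolder beneath it unless a screen or
    exception is configured directly on a closer subfolder, which then overrides it.
    PureWindowsPath compares paths case-insensitively, like NTFS.
    """
    target = PureWindowsPath(file_path)
    best, best_depth = None, -1
    for screen in screens:
        folder = PureWindowsPath(screen.folder)
        if folder in target.parents and len(folder.parts) > best_depth:
            best, best_depth = screen, len(folder.parts)
    return best


def is_blocked(file_path: str, screens: list) -> bool:
    """Would the save of file_path be refused? Matching is by file-name pattern only,
    which is why a renamed multimedia file (promo.mp3 -> promo.dat) passes."""
    screen = effective_screen(file_path, screens)
    if screen is None or not screen.active:
        return False
    name = PureWindowsPath(file_path).name.lower()
    return any(fnmatch.fnmatchcase(name, pattern.lower()) for pattern in screen.blocked)


def investments_screens() -> list:
    # Screen the whole Investments share, then carve out one folder that may hold media
    # (constructed folder name; in FSRM this is a file screen exception on the subfolder).
    return [
        FileScreen(r"C:\Investments", MULTIMEDIA_GROUP),
        FileScreen(r"C:\Investments\Marketing\Media"),
    ]
```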

Exercise 4: Implement DFS


Task 1: Install DFS
1. On NYC-DC1, click Start and click Server Manager.
2. In the left pane, expand Server Manager, click Roles, and then click Add Roles.
3. Click Next to start the Add Roles Wizard.
4. Select the File Services check box and click Next.
5. Read the Introduction to File Services and click Next.
6. Select the Distributed File System check box and click Next.
7. Click Create a namespace later using the DFS Management snap-in in Server Manager and click Next.
8. Click Install.
9. When installation is complete, click Close and close Server Manager.
10. On NYC-WEB, click Start and click Server Manager.
11. In the left pane, expand Server Manager, click Roles, and then click Add Roles.
12. Click Next to start the Add Roles Wizard.
13. Select the File Services check box and click Next.
14. Read the Introduction to File Services and click Next.
15. Select the Distributed File System check box and click Next.
16. Click Create a namespace later using the DFS Management snap-in in Server Manager and click Next.
17. Click Install.
18. When installation is complete, click Close and close Server Manager.

Task 2: Configure the Investments file shares


1. On NYC-DC1, click Start and click Computer.
2. Browse to C:\.
3. In the right pane, right-click an open area, point to New, and click Folder.
4. Type Backup and press Enter.
5. Browse to C:\Backup.
6. In the right pane, right-click an open area, point to New, and click Folder.
7. Type NYCInvestments and press Enter.
8. Right-click NYCInvestments and click Share.
9. Type NYC_InvestmentsGG and click Add.
10. Change the permission level for NYC_InvestmentsGG to Contributor and click Share.
11. Read the UNC path for the share and click Done.
12. Close the Backup window.
13. On NYC-WEB, click Start and click Computer.
14. Browse to C:\.
15. In the right pane, right-click an open area, point to New, and click Folder.
16. Type Investments and press Enter.
17. Right-click Investments and click Share.
18. Type NYC_InvestmentsGG and click Add.
19. Change the permission level for NYC_InvestmentsGG to Contributor and click Share.
20. Read the UNC path for the share and click Done.
21. Close the Local Disk (C:) window.

Task 3: Create a namespace


1. On NYC-WEB, click Start, point to Administrative Tools, and click DFS Management.
2. In the Actions pane, click New Namespace.
3. In the Server box, type NYC-WEB and click Next.
4. Click Yes to start the Distributed File System service.
5. In the Name box, type NA and click Next.
6. Ensure that Domain-based namespace is selected, deselect the Enable Windows Server 2008 mode check box, and click Next. The domain must be at the Windows Server 2008 functional level to support DFS in Windows Server 2008 mode.
7. Review the settings and click Create.
8. After the namespace is created, click Close.
9. In the left pane, expand Namespaces and click \\WoodgroveBank.com\NA.
10. In the Actions pane, click Add Namespace Server.
11. In the Namespace server box, type NYC-DC1 and click OK.
12. In the center pane, click the Namespace Servers tab.

Task 4: Create and configure a namespace folder


1. On NYC-WEB, in the Actions pane, click New Folder.
2. In the Name box, type Investments and click OK.
3. In the left pane, expand \\WoodgroveBank.com\NA and click Investments.
4. In the Actions pane, click New Folder.
5. In the Name box, type NYCInvestments.
6. Click the Add button, type \\NYC-WEB\Investments, and click OK.
7. Click the Add button, type \\NYC-DC1\NYCInvestments, and click OK.
8. Click OK to close the New Folder window.
9. Click Yes to create a replication group.
10. Click Next to accept the default replication group name and replicated folder name.
11. Review the replication eligibility information and click Next.
12. In the Primary member box, select NYC-WEB and click Next.
13. On the Topology Selection page, ensure that Full mesh is selected, and click Next.
14. Ensure that Replicate continuously using the specified bandwidth is selected.
15. In the Bandwidth box, select 8 Mbps and then click Next.
16. Review the settings and then click Create.
17. When all tasks are completed, click Close.
18. Click OK to close the message about replication delay.
19. In the left pane, under Namespaces, expand Investments and click NYCInvestments.
20. In the center pane, right-click NYC-DC1\NYCInvestments and click Properties.
21. Click the Advanced tab, select the Override referral ordering check box, click Last among all targets, and click OK.
22. Right-click NYCInvestments and click Properties.
23. Click the Referrals tab, select the Clients fail back to preferred targets check box, and click OK.
24. Close DFS Management.

Task 5: Verify replication


1. On NYC-WEB, click Start, in the Start Search box, type \\WoodgroveBank.com\NA\Investments\NYCInvestments and press Enter.
2. In the right pane, right-click an open area, point to New, and click Text Document.
3. Type InvestmentFile and press Enter.
4. Double-click InvestmentFile and enter some text.
5. Close InvestmentFile - Notepad and click Save to save the changes.
6. Close the NYCInvestments window.
7. On NYC-WEB, click Start and click Computer.
8. Browse to C:\Investments and verify that InvestmentFile exists.
9. Close Windows Explorer.
10. On NYC-DC1, click Start and click Computer.
11. Browse to C:\Backup\NYCInvestments and verify that InvestmentFile exists.
12. Close the NYCInvestments window.
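The same check as Task 5, done by query instead of by eye. This is an added example and not part of the lab: a file is written through the namespace path (so the DFS referral, not a hard-coded server name, picks the target) and each folder target is then polled until it holds a byte-identical copy. The server, namespace and share names are the lab's; the file name InvestmentFile.txt and the two-minute convergence wait are assumptions. It avoids Get-FileHash so that it runs on the PowerShell 2.0 that ships with Windows Server 2008.

```powershell
# Added example, not part of the lab: verify DFS-R by hash rather than by browsing.
# Assumes the lab's namespace and targets; the 2-minute timeout is an assumption.
$NamespacePath = '\\WoodgroveBank.com\NA\Investments\NYCInvestments'
$Targets       = @('\\NYC-WEB\Investments', '\\NYC-DC1\NYCInvestments')
$FileName      = 'InvestmentFile.txt'

function Get-Sha256Hex {
    # Get-FileHash arrived with PowerShell 4.0; .NET's SHA256 works on Windows Server 2008.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Wait-DfsReplica {
    # Returns $true once $Path exists with hash $Expected, $false after $TimeoutSeconds.
    param([string]$Path, [string]$Expected, [int]$TimeoutSeconds = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        if ((Test-Path -LiteralPath $Path) -and ((Get-Sha256Hex $Path) -eq $Expected)) { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

# 1. Write through the namespace. With NYC-DC1 set to "Last among all targets" in
#    Task 4, a client on NYC-WEB is referred to the NYC-WEB target and writes there.
Set-Content -LiteralPath (Join-Path $NamespacePath $FileName) -Value "written $(Get-Date -Format o)"
$expected = Get-Sha256Hex (Join-Path $NamespacePath $FileName)

# 2. Show which target this client was actually referred to (Windows Server 2008 dfsutil).
dfsutil cache referral

# 3. Confirm DFS-R delivered an identical copy to every folder target.
foreach ($target in $Targets) {
    $path = Join-Path $target $FileName
    if (Wait-DfsReplica -Path $path -Expected $expected) { Write-Host "OK    $path ($expected)" }
    else { Write-Warning "FAIL  $path is missing or differs after 2 minutes" }
}
```

Comparing hashes rather than checking for the file name catches the case the lab's visual check misses: a stale copy of the same name left on one target before replication finished.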

Exercise 5: Implement FSRM


Task 1: Install the FSRM server role
1. On NYC-WEB, click Start and click Server Manager.
2. In the left pane, click Roles and then click File Services.
3. Scroll down and click Add Role Services.
4. Select the File Server Resource Manager checkbox and click Next.
5. Select the Local Disk (C:) checkbox and click Next.
6. Click Next to accept the default storage location for reports.
7. Click Install.
8. When installation is complete, click Close and close Server Manager.

Task 2: Configure a quota


1. On NYC-WEB, click Start, point to Administrative Tools, and click File Server Resource Manager.
2. In the left pane, expand Quota Management and click Quotas.
3. In the Actions pane, click Create Quota.
4. In the Quota path box, type C:\Investments.
5. Ensure "Create quota on path" is selected.
6. Click Define custom quota properties and click the Custom Properties button.
7. In the Space Limit area, configure a 200 GB limit and click Soft quota: Allow users to exceed limit (use for monitoring).
8. In the Notification thresholds area, click Add.
9. In the Generate notifications when usage reaches (%) box, type 75.
10. On the E-mail Message tab, select the Send e-mail to the following administrators checkbox.
11. Enter Administrator@WoodgroveBank.com as the e-mail address and then click OK.
12. Click Yes to continue.
13. Click OK to close the Quota Properties of C:\Investments window.
14. Click Create, click Save the custom quota without creating a template, and click OK.

Task 3: Configure file screening

1. On NYC-WEB, in the left pane of File Server Resource Manager, expand File Screening Management and click File Screens.
2. In the Actions pane, click Create File Screen.
3. In the File screen path box, type C:\Investments.
4. Ensure "Derive properties from this file screen template (recommended)" is selected, ensure "Block Audio and Video Files" is the selected template, and click Create.
5. Click Start and click Command Prompt.
6. Type md C:\Investments\media and press Enter.
7. Close the command prompt.
8. In the Actions pane, click Create File Screen Exception.
9. In the Exception path box, type C:\Investments\media.
10. In the File groups area, select the Audio and Video Files checkbox, and click OK.
11. Close File Server Resource Manager.

Task 4: Verify file screening


1. On NYC-WEB, click Start and click Computer.
2. Browse to C:\Investments\media, right-click in an open area, point to New, and click Bitmap Image.
3. Type Video and press Enter.
4. Click Start and click Command Prompt.
5. Type cd \Investments\media and press Enter.
6. Type rename Video.bmp Video.wmv and press Enter.
7. Close the Command Prompt.
8. In Windows Explorer, right-click Video.wmv and click Copy.
9. Browse to C:\Investments, right-click an open area, and click Paste.
10. Click Cancel to clear the error.
11. Close Windows Explorer.
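Tasks 2 through 4 again, this time with the command-line tools that Windows Server 2008 installs alongside FSRM (dirquota.exe and filescrn.exe), followed by a check that shows both what the screen blocks and what it lets through. This is an added example and not part of the lab. It assumes the lab paths, the built-in "Audio and Video Files" file group and "Block Audio and Video Files" template that ship with FSRM, and leaves the e-mail notification of steps 10 and 11 to the GUI. The point worth seeing is the third check: a file screen matches the file name against the group's patterns and never inspects content, which is why the lab's renamed bitmap triggers it and why an unlisted extension does not. File screening is storage hygiene, not a security boundary.

```powershell
# Added example, not part of the lab: quota, screen and exception from the
# Windows Server 2008 FSRM command-line tools, then a behavioural check.
$Folder    = 'C:\Investments'
$Exception = 'C:\Investments\media'
New-Item -ItemType Directory -Path $Exception -Force | Out-Null

# Soft quota: a 200 GB limit with a 75% threshold only generates notifications
# and never refuses a write. Use /Type:Hard to enforce the limit.
dirquota quota add "/Path:$Folder" '/Limit:200GB' '/Type:Soft' '/Add-Threshold:75'

# Active screen derived from the built-in template, plus an exception that
# re-allows the same file group under the media subfolder.
filescrn screen add "/Path:$Folder" '/SourceTemplate:Block Audio and Video Files'
filescrn exception add "/Path:$Exception" '/Add-Filegroup:Audio and Video Files'
filescrn screen list "/Path:$Folder"

function Test-FileScreen {
    # Returns $true when FSRM refuses to create $Name under $Destination.
    param([Parameter(Mandatory=$true)][string]$Destination,
          [Parameter(Mandatory=$true)][string]$Name)
    if (-not (Test-Path -LiteralPath $Destination)) { throw "Missing folder: $Destination" }
    $target = Join-Path $Destination $Name
    try {
        # The payload is deliberately not media: the screen matches the name
        # (*.wmv, *.mp3, ...) and never looks at content.
        [System.IO.File]::WriteAllBytes($target, [byte[]](1..16))
        Remove-Item -LiteralPath $target -Force
        return $false
    } catch {
        # FSRM surfaces a screened create as an access-denied error on the write.
        Write-Verbose "$target : $($_.Exception.Message)"
        return $true
    }
}

$checks = New-Object PSObject -Property @{
    # *.wmv under the screened folder: the screen refuses the create.
    BlockedInScreenedFolder  = Test-FileScreen -Destination $Folder    -Name 'Video.wmv'
    # Same name under the exception folder: allowed again.
    AllowedInExceptionFolder = -not (Test-FileScreen -Destination $Exception -Name 'Video.wmv')
    # An extension outside the file group is not matched, whatever the bytes are.
    UnlistedExtensionPasses  = -not (Test-FileScreen -Destination $Folder -Name 'Video.wmv.txt')
}
$checks | Format-List
```

Run it as an administrator on NYC-WEB after the FSRM role service is installed; the dirquota and filescrn commands need elevation, and the test function does not, which is the realistic case for the users the screen is aimed at.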

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.


Module 12
Lab Answer Key: Designing High Availability in Windows Server 2008
Contents
Exercise 1: Designing High Availability for a Stateless Application
Exercise 2: Designing High Availability for a Stateful Application
Exercise 3: Designing a Geographically Dispersed Cluster
Exercise 4: Implementing NLB


Lab: Designing High Availability in Windows Server 2008


Exercise 1: Designing High Availability for a Stateless Application
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. In the Lab Launcher, next to 6435A-NYC-RAS, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
7. Log on to NYC-RAS as Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Determine how to provide high availability


1. How can a Web site be made highly available by using Windows Server 2008? Both NLB and failover clustering can be used to provide high availability. However, only NLB can meet the scalability requirements. Because the application is stateless and the data is not dynamic, NLB is the preferred method for providing high availability.

2. How will the need for availability during maintenance be accommodated? When a node is removed from an NLB cluster, the remaining nodes continue servicing requests. This makes it easy to perform maintenance, such as installing patches, on a single node while the overall NLB cluster continues to service requests.

3. How will the need for scalability be accommodated? You can scale an NLB cluster by adding nodes. A new node automatically begins servicing requests. You can use the load weight assigned to a node to control the proportion of requests that node services, which accommodates nodes with different capacities.

4. What other components need to be considered as part of a high availability solution? High availability for every component in the system needs to be considered. This includes the data center infrastructure, the network infrastructure, and Internet connectivity.

5. What should you consider when determining whether the application must be hosted locally or outsourced? The most important concerns for determining where a Web site should be located are cost and functionality. If your organization is providing a limited number of applications, it may not be cost-effective to build the infrastructure for high availability locally. Hosting a Web-based application at a third party that already has the necessary infrastructure in place may be more cost-effective, because the infrastructure cost is shared by multiple clients. However, you must ensure that the hosting provider can accommodate all of your needs. For example, can updates from the development server at Woodgrove Bank be pushed to Web servers hosted at a third party?

Task 3: Determine how to configure NLB


1. When configuring a port rule, which ports should be included? A port rule should include only the ports that the application needs. This is in part a security measure, because traffic that does not match any port rule is dropped by the NLB driver. In this case only TCP port 80 is required in the port rule, because the site is served over plain HTTP without SSL.

2. How will affinity be configured? Affinity can be configured as None because this is a stateless application and each server returns exactly the same content. Affinity is set on the port rule when the filtering mode is configured as Multiple hosts.

3. How will host priority be configured? Host priority is only relevant if the filtering mode is configured as Single host, so it is not relevant in this scenario.

4. How will networking be configured? Networking should be configured as unicast. This provides better options for segmenting network traffic.

5. How will data be synchronized between servers in the NLB cluster? In the current configuration, data is pushed from the development server to the production server once per day. This process can be modified to push data from the development server to all nodes in the cluster once per day.

Exercise 2: Designing High Availability for a Stateful Application


Task 1: Determine how to configure NLB for the Web front end
1. When configuring a port rule, which ports should be included? A Web-based online banking application should be secured with SSL. The default port for a Web server using SSL is TCP port 443, so TCP port 443 should be configured in the port rule.

2. How will affinity be configured? Affinity should be configured as Network. This allows all requests from a class C address range to be serviced by a single server. Network affinity accommodates Internet service providers that may use clustered proxy servers.

3. How will data be synchronized between servers in the NLB cluster? The back-end data for online banking does not need to be synchronized because it is stored centrally in the SQL Server database. However, the application configuration on the Web front-end servers does need to be synchronized, and the application files cannot be updated while users are connected to the server. To update the application files on a node, the node should be drained. This prevents new connections but allows existing connections to complete. When all users have disconnected from the server, the application files can be updated. This process should be repeated for every node when the application files are updated.

Task 2: Determine how to provide high availability for the SQL server back end
1. How can the SQL server be made highly available by using Windows Server 2008? There can be only a single instance of SQL Server. Based on this, failover clustering should be used to provide high availability. When a node in the failover cluster fails, the virtual server hosting SQL Server will be started on a remaining node. The Web application should be configured to automatically reconnect to the SQL server after a failover occurs.

2. How can the SQL server be scaled as capacity increases? Failover clustering does not support scaling by adding nodes. Scalability must be achieved by increasing hardware capacity, which can mean adding processors or memory. This should be taken into account when purchasing hardware for failover cluster nodes. In particular, 64-bit hardware and operating systems support more memory than 32-bit, and multicore and multiple processors increase processing power.

3. How will maintenance be accommodated? You can maintain a passive node in a failover cluster without affecting other nodes. If you need to maintain the active node, you can manually fail over its virtual servers to another node, and then perform maintenance. After maintenance is complete, the virtual servers can be failed back to the original node.

Exercise 3: Designing a Geographically Dispersed Cluster


Task 1: Design a geographically dispersed cluster
1. What special hardware requirements are there for a geographically dispersed failover cluster? A geographically dispersed failover cluster must use a SAN that provides storage replication over WAN links. The WAN link between Chicago and New York must be fast enough to support this. The tolerance for data loss allows asynchronous replication to be used, which improves overall disk performance. The SAN must preserve the order of disk operations to ensure data integrity.

2. What additional network links are required to provide availability after the New York location fails? Additional network links must be created from the North American hub sites to Chicago. This is required to provide database access when the New York site fails. It will also be used to establish a quorum.

3. What quorum configuration should be used for the failover cluster? Only two nodes are required in the failover cluster to host the application. To ensure that a quorum can be established, the Node and File Share Majority quorum mode should be selected. The file share witness should be hosted in Toronto, Miami, or Seattle. In this way, when the New York location fails, the cluster node in Chicago can still communicate with the file share witness. This gives the necessary number of votes for a quorum and allows the node in Chicago to start running the investments database.

Exercise 4: Implementing NLB


Task 1: Prepare the network connections
1. On NYC-WEB, click Start and click Server Manager.
2. In the Computer Information area, click View Network Connections.
3. Right-click Local Area Connection 2 and click Properties.
4. Click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
5. Click Use the following IP address.
6. In the IP address box, type 10.10.0.201.
7. In the Subnet mask box, type 255.255.0.0 and click OK.
8. Click Close and then close all open windows.
9. On NYC-RAS, click Start and click Server Manager.
10. In the Computer Information area, click View Network Connections.
11. Right-click Local Area Connection 2 and click Properties.
12. Click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
13. Ensure "Use the following IP address" is selected.
14. In the IP address box, type 10.10.0.202.
15. In the Subnet mask box, type 255.255.0.0 and click OK.
16. Click Close and then close all open windows.

Task 2: Create a DNS record for the NLB cluster


1. On NYC-DC1, click Start, point to Administrative Tools, and click DNS.
2. In the left pane, expand NYC-DC1, expand Forward Lookup Zones, and click WoodgroveBank.com.
3. Right-click WoodgroveBank.com and click New Host (A or AAAA).
4. In the Name (uses parent domain name if blank) box, type webapp.
5. In the IP address box, type 10.10.0.200 and then click Add Host.
6. Click OK to clear the message and then click Done.
7. Close DNS Manager.

Task 3: Configure Web sites


1. On NYC-RAS, click Start and click Server Manager.
2. In the left pane, click Roles and then click Add Roles.
3. Click Next to start the Add Roles Wizard.
4. Select the Web Server (IIS) checkbox, and then click Next.
5. Read the Introduction to Web Server (IIS) page and then click Next.
6. On the Select Role Services page, click Next to accept the default settings.
7. Click Install.
8. When the installation is complete, click Close, and then close Server Manager.
9. Click Start and click Command Prompt.
10. Type copy \\NYC-DC1\d$\Mod12\Labfiles\RAS.txt C:\Inetpub\wwwroot\default.htm and press Enter.
11. Close the command prompt.
12. On NYC-WEB, click Start and click Command Prompt.
13. Type copy \\NYC-DC1\d$\Mod12\Labfiles\WEB.txt C:\Inetpub\wwwroot\default.htm and press Enter.
14. Close the command prompt.

Task 4: Verify Web site functionality


1. On NYC-DC1, click Start, point to All Programs, and click Internet Explorer.
2. In the Address bar, type http://nyc-web.woodgrovebank.com and press Enter.
3. In the Address bar, type http://nyc-ras.woodgrovebank.com and press Enter.
4. In the Address bar, type http://webapp.woodgrovebank.com and press Enter.
5. Close Internet Explorer.

Note: Access to webapp.woodgrovebank.com will fail because the NLB cluster is not configured yet.

Task 5: Install the Network Load Balancing feature


1. On NYC-WEB, click Start and click Server Manager.
2. In the left pane, click Features and then click Add Features.
3. Select the Network Load Balancing checkbox and click Next.
4. Click Install.
5. When installation is complete, click Close and close Server Manager.
6. On NYC-RAS, click Start and click Server Manager.
7. In the left pane, click Features and then click Add Features.
8. Select the Network Load Balancing checkbox and click Next.
9. Click Install.
10. When installation is complete, click Close and close Server Manager.

Task 6: Create an NLB cluster


1. On NYC-WEB, click Start, point to Administrative Tools, and click Network Load Balancing Manager.
2. In the left pane, right-click Network Load Balancing Clusters and click New Cluster.
3. In the Host box, type NYC-WEB and then click Connect.
4. Ensure Local Area Connection 2 is selected and then click Next.
5. Click Next to accept the default host parameters.
6. Click Add to add a cluster IP address.
7. In the IPv4 address box, type 10.10.0.200.
8. In the Subnet mask box, type 255.255.0.0, click OK, and then click Next.
9. In the Full Internet name box, type webapp.woodgrovebank.com and click Next.
10. Click Finish.

Task 7: Add NYC-RAS to the NLB cluster


1. On NYC-RAS, click Start, point to Administrative Tools, and click Network Load Balancing Manager.
2. Right-click Network Load Balancing Clusters and click Connect to Existing.
3. In the Host box, type NYC-WEB and click Connect.
4. When webapp.woodgrovebank.com appears in the Clusters box, click Finish.
5. Right-click webapp.woodgrovebank.com (10.10.0.200) and click Add Host to Cluster.
6. In the Host box, type NYC-RAS and click Connect.
7. Click Local Area Connection 2 and then click Next.
8. Click Next and then click Finish.

Task 8: Configure a port rule for load balancing


1. In Network Load Balancing Manager on NYC-WEB, click webapp.woodgrovebank.com (10.10.0.200) and press F5 to refresh the view. Both nodes should be visible in the cluster.
2. Right-click webapp.woodgrovebank.com (10.10.0.200) and click Cluster Properties.
3. Click the Port Rules tab and then click Edit.
4. In the Port range area, in the From box, type 80.
5. In the To box, type 80.
6. Click TCP, click None, and click OK.
7. Click OK to close the properties of the cluster.
8. Close all open windows.

Task 9: Verify cluster functionality


1. On NYC-DC1, click Start, point to All Programs, and click Internet Explorer.
2. In the Address bar, type http://webapp.woodgrovebank.com and press Enter.
3. Close Internet Explorer.
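Tasks 6 through 9 from PowerShell, plus the two things the browser check in Task 9 cannot show: which node actually answered each request, and how a node is drained for maintenance as the design questions in Exercises 1 and 2 describe. This is an added example and not part of the lab. The *-Nlb* cmdlets are in the NetworkLoadBalancingClusters module that shipped with Windows Server 2008 R2; on Windows Server 2008 RTM the cluster is built with NLB Manager as in the lab, and the nlb.exe commands in the comments are the equivalents. The cluster name, IP address, interface name and node names are the lab's. The assumption in the verification function is that each node's default.htm contains its own server name, since the lab copies a different file (WEB.txt, RAS.txt) to each server; adjust the patterns to that content.

```powershell
# Added example, not from the lab: cluster build, port rule, distribution check
# and node drain. Requires the NetworkLoadBalancingClusters module (2008 R2+).
Import-Module NetworkLoadBalancingClusters

$ClusterFqdn = 'webapp.woodgrovebank.com'
$ClusterIP   = '10.10.0.200'
$Mask        = '255.255.0.0'
$Nic         = 'Local Area Connection 2'      # the 10.10.0.0/16 NIC configured in Task 1

# --- Run on NYC-WEB: create the cluster, then add NYC-RAS remotely ---------------
New-NlbCluster -InterfaceName $Nic -ClusterName $ClusterFqdn -ClusterPrimaryIP $ClusterIP `
    -SubnetMask $Mask -OperationMode Unicast | Out-Null
Add-NlbClusterNode -InterfaceName $Nic -NewNodeName 'NYC-RAS' -NewNodeInterface $Nic | Out-Null

# Replace the default all-ports rule with one that admits only TCP/80. The NLB
# driver drops traffic that matches no port rule, which is the filtering effect
# the design questions describe. Multiple-host mode with Affinity None spreads
# connections by source IP and port, which is right for a stateless site.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 80 -EndPort 80 -Protocol Tcp -Mode Multiple -Affinity None | Out-Null
Get-NlbClusterNode | Format-Table Name, State, HostPriority -AutoSize    # 2008 RTM: nlb query

# --- Run on a client that is not a cluster node (NYC-DC1 in the lab) -----------
function Test-NlbDistribution {
    # Fetch the default page $Requests times over separate TCP connections and
    # tally which node answered. Assumes each node's default.htm names the node.
    param([string]$Url = "http://$ClusterFqdn/", [int]$Requests = 20)
    $tally = @{}
    for ($i = 0; $i -lt $Requests; $i++) {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.KeepAlive   = $false     # fresh connection each time, so NLB hashes each request
        $req.CachePolicy = New-Object System.Net.Cache.RequestCachePolicy(
                               [System.Net.Cache.RequestCacheLevel]::BypassCache)
        try {
            $resp   = $req.GetResponse()
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            $body   = $reader.ReadToEnd()
            $reader.Close(); $resp.Close()
        } catch { $body = "ERROR $($_.Exception.Message)" }
        $node = if     ($body -match 'NYC-WEB') { 'NYC-WEB' }
                elseif ($body -match 'NYC-RAS') { 'NYC-RAS' }
                elseif ($body -like 'ERROR*')   { 'error' }
                else                            { 'unrecognised page' }
        $tally[$node] = 1 + [int]$tally[$node]
    }
    return $tally    # both node names appear once both hosts report Converged
}
Test-NlbDistribution

# --- Maintenance without dropping sessions (Exercise 2, Task 1, question 3) -----
Stop-NlbClusterNode -HostName 'NYC-RAS' -Drain -Timeout 10   # refuse new connections, wait up to 10 min
# ...patch the node or update its application files, then...
Start-NlbClusterNode -HostName 'NYC-RAS'
# 2008 RTM equivalents, run on the node itself:  nlb drainstop   /   nlb start
```

Run the distribution check from a host outside the cluster: a node's own requests to the cluster IP are answered locally and never exercise the load balancing. A tally in which one node never appears while both show Converged usually means a switch is learning the cluster MAC on one port, the classic unicast-mode problem.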

Task 10: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.


Module 13
Lab Answer Key: Designing Print Services in Windows Server 2008
Contents
Exercise 1: Selecting a Print Services Design
Exercise 2: Designing User Access to Printers
Exercise 3: Designing High Availability for Printing
Exercise 4: Implementing IPP
Exercise 5: Deploying Printers by Using Group Policy


Lab: Designing Print Services in Windows Server 2008


Exercise 1: Selecting a Print Services Design
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-CL1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to NYC-CL1 as WoodgroveBank\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Select a print services design


1. Which print services design is most cost effective in a large network? In a large network, server-based printing is the most cost effective. It allows for centralized management and sharing of printers.

2. How will you address the requirement for users that require privacy? For the few users requiring absolute privacy, you can configure a local printer. This should be minimized to reduce administrative complexity.

3. How will you address concerns about printing for Terminal Services applications in the branches? The size of print jobs is a concern because print jobs can be slow to travel across the WAN link. This may be addressed by WAN acceleration hardware. It is also possible that print jobs travelling over WAN links could cause other traffic, such as Terminal Services applications, to slow down. Implementing Quality of Service (QoS) on the WAN links can help to alleviate this concern.

4. How will printer management be performed? The Print Management console in Windows Server 2008 can be used to manage all the print servers in the entire organization. Filters can be used to easily monitor the design for printers with a status indicating that there is a problem.

Exercise 2: Designing User Access to Printers


Task 1: Design user access to printer
1. How will printers be installed on stationary desktop computers? Printers for stationary users should be assigned by using Group Policy. This can be done for Windows 2000, Windows XP, and Windows Vista clients. The Windows 2000 and Windows XP clients will need to be configured to run pushprinterconnections.exe in a startup or logon script. Printers should be assigned to computer accounts rather than to users. In this way, the printers will always match the physical location if users log on at a computer that is not in their office.

2. How will printers be installed for roaming users with laptops? To allow roaming users to install printers, you can implement printer location tracking or graphical maps. Printer location tracking allows users to select from a list of printers in their current Active Directory site when installing a new printer. This works, but a map can be better. When a map is used for printer installation, a graphic of a floor plan is placed in a Web page with clickable hot spots that install a printer. This allows users to see exactly where the printer they are installing is physically located. In most cases, IPP printing is used in combination with the maps. However, you can have the hot spots run a VBScript that installs a printer instead of linking to an IPP printer.

Exercise 3: Designing High Availability for Printing


Task 1: Determine a method for increasing availability
1. Which availability method can prevent downtime due to printer failure? A printer pool combines multiple physical printers into a single logical printer. When one physical printer fails, the others continue to process jobs.

2. Which availability method can prevent downtime due to a server failure? Failover clustering can be used to prevent downtime due to server failure. If one node in the cluster fails, the virtual server hosting print services starts on another node. Print queues should be located on a shared disk to avoid the loss of print jobs during failover.

3. How can you prevent downtime based on both printer failure and server failure? A printer pool and failover clustering can be combined. The virtual server hosting print services is configured to fail over when the node fails, and a printer pool provides availability for the printers.

4. What limitations may prevent you from implementing your plan for increasing availability? Budget is the primary concern. No new printers are required because the existing printers in each hub site can be configured as a printer pool. The only additional cost will be the configuration of a failover cluster with shared storage. Given that Woodgrove Bank is likely to already have a SAN in place, the additional cost is minimal. Windows Server 2008 Enterprise or Datacenter Edition is required for failover clustering.

Exercise 4: Implementing IPP


Task 1: Install the Print Services role
1. On NYC-DC1, click Start and click Server Manager.
2. In the left pane, click Roles and then click Add Roles.
3. Click Next to start the Add Roles Wizard.
4. Select the Print Services checkbox and then click Next.
5. Read the Introduction to Print Services and then click Next.
6. Select the Internet Printing checkbox, click Add Required Role Services, and click Next.
7. Read the Introduction to Web Server (IIS) and click Next.
8. Click Next to accept the default role services.
9. Click Install.
10. After the installation is complete, click Close and close Server Manager.

Task 2: Create a new printer


1. On NYC-DC1, click Start, point to Administrative Tools, and click Print Management.
2. In the left pane, expand Print Servers, expand NYC-DC1 (local), and then click Printers.
3. Right-click Printers and click Add Printer.
4. Click Add a TCP/IP or Web Services Printer by IP address or hostname and click Next.
5. In the Type of Device box, select TCP/IP Device.
6. In the Printer name or IP address box, type 10.10.0.250.
7. Deselect the Auto detect the printer driver to use box, and click Next.
8. In the Standard box, select Generic Network Card and click Next.
9. Click Install a new driver and click Next.
10. In the Manufacturer box, select Dell.
11. In the Printers box, select Dell 3100cn PS and click Next.
12. Click Next to share the printer with the default share name of Dell 3100cn PS.
13. Click Next to begin installation.
14. Click Finish and close Print Management.

Task 3: Install a printer by using IPP


1. On NYC-CL1, click Start and click Internet.
2. Click Tools and click Internet Options.
3. Click the Security tab and then click Local intranet.
4. Click Sites and click Advanced.
5. In the Add this website to the zone box, remove the existing text and type http://NYC-DC1.WoodgroveBank.com, click Add, and then click Close.
6. Click OK.
7. On the Security tab, deselect Enable Protected Mode (requires restarting Internet Explorer) and click OK.
8. Click OK to close the warning. Because Local intranet is the selected zone, Protected Mode is disabled only for that zone, which is why the print server was added to it in step 5. This is required for IPP to create the printer connection by using a UNC path instead of a URL.

Note: If the Information Bar window appears, click Close.

9. Close Internet Explorer.
10. Click Start and click Internet.
11. In the Information Bar window, select the Don't show this message again checkbox and click Close.
12. In the Address bar, type http://NYC-DC1.WoodgroveBank.com/Printers and press Enter.
13. Click Dell 3100cn PS.
14. Under PRINTER ACTIONS, click Connect.
15. Click Yes to add a printer connection.
16. Click Click here to open the printers folder on your machine.
17. Read the printer name to verify that it was installed from nyc-dc1.woodgrovebank.com rather than from a URL starting with http.
18. Close all open windows.

Exercise 5: Deploying Printers by Using Group Policy


Task 1: Create a new printer
1. On NYC-DC1, click Start, point to Administrative Tools, and click Print Management.
2. In the left pane, ensure Print Servers and NYC-DC1 (local) are expanded, and click Printers.
3. Right-click Printers and click Add Printer.
4. Click Add a TCP/IP or Web Services Printer by IP address or hostname and click Next.
5. In the Type of Device box, select TCP/IP Device.
6. In the Printer name or IP address box, type 10.10.0.251.
7. If necessary, deselect the Auto detect the printer driver to use box and click Next.
8. In the Standard box, select Generic Network Card and click Next.
9. Click Install a new driver and click Next.
10. In the Manufacturer box, select Dell.
11. In the Printers box, select Dell 3100cn PCL6 and click Next.
12. Click Next to share the printer with the default share name of Dell 3100cn PCL6.
13. Click Next to begin installation.
14. Click Finish.

Task 2: Add the printer to a group policy


1. On NYC-DC1 in Print Management, right-click Dell 3100cn PCL6 and click Deploy with Group Policy.
2. Click the Browse button.
3. Click the Create New Group Policy Object button, type Domain Printers, and press Enter.
4. Click Domain Printers and click OK.
5. Select the The users that this GPO applies to (per user) checkbox.
6. Click the Add button and then click OK.
7. Click OK to clear the success message.
8. Click OK and then close Print Management.

Task 3: Test the installation of a printer by using Group Policy


1. On NYC-CL1, click Start, in the Start Search box, type cmd, and press Enter.
2. Type gpupdate and press Enter.
3. Close the command prompt.
4. Log off NYC-CL1.
5. Log on to NYC-CL1 as WoodgroveBank\Administrator with the password Pa$$w0rd.
6. Click Start and click Control Panel.
7. Under Hardware and Sound, click Printer.
8. Verify that the Dell 3100cn PCL6 printer has been installed.
9. Close all open windows.
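A query-based version of the two visual checks in this module: Exercise 4, step 17 (the IPP connection was created as a UNC connection to nyc-dc1.woodgrovebank.com and not as an http:// URL, which is what you get if Protected Mode is still on) and Exercise 5, Task 3, step 8 (the Group Policy-deployed Dell 3100cn PCL6 connection exists). This is an added example and not part of the lab. Run it on NYC-CL1 as the user the printers were installed for. The share names are the lab's; the assumption is that printer connections keep the share name in their Win32_Printer Name, which is how Windows names them.

```powershell
# Added example, not part of the lab: verify the IPP and Group Policy printer
# connections on NYC-CL1 by WMI query. Works on PowerShell 2.0 (Windows Vista / 2008);
# Get-Printer only exists on Windows 8 / Windows Server 2012 and later.
function Get-PrinterConnections {
    # Win32_Printer.Network is true for connections to a remote print server and
    # false for locally installed queues.
    Get-WmiObject -Class Win32_Printer | Where-Object { $_.Network } |
        Select-Object Name, ServerName, PortName, DriverName
}

function Test-LabPrinters {
    $conns = @(Get-PrinterConnections)
    $ipp   = $conns | Where-Object { $_.Name -like '*Dell 3100cn PS*'   } | Select-Object -First 1
    $gpo   = $conns | Where-Object { $_.Name -like '*Dell 3100cn PCL6*' } | Select-Object -First 1
    New-Object PSObject -Property @{
        IppConnectionPresent = [bool]$ipp
        # A UNC connection is named \\server\share. An IPP URL connection is
        # named "<printer> on http://server/printers/..." and its port is the URL,
        # which is the outcome the Protected Mode change in Exercise 4 avoids.
        IppConnectionIsUnc   = [bool]($ipp -and ($ipp.Name -like '\\nyc-dc1.woodgrovebank.com\*' -or
                                                 $ipp.Name -like '\\NYC-DC1\*'))
        IppPortIsUrl         = [bool]($ipp -and $ipp.PortName -like 'http*')
        GpoConnectionPresent = [bool]$gpo
    }
}

Test-LabPrinters | Format-List

# If GpoConnectionPresent is False, check whether the Domain Printers GPO
# applied to this user at all before suspecting the printer deployment itself.
gpresult /r /scope:user
```

Per-user printer connections are created at logon, so a False result right after creating the GPO means the gpupdate and log off/log on of Task 3 have not happened yet, not that the deployment failed.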

Task 4: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.
