31-Dec-07 Windows 2008 RC1 HOL Instructions
8/3/2019 31-Dec-07 Windows 2008 RC1 HOL Instructions
1/29
Windows Server 2008 (Pre-Release) Hands On Lab Instructions
Dennis Chung | IT Pro Evangelist | Microsoft Singapore | http://windowsmvp.spaces.live.com Page 1
Windows Server 2008 (RC0) Hands on Lab Instructions
Setup Information
This lab has been designed to be used either in the Microsoft Innovation Labs in Singapore or in a participant's own
environment. This section provides the information a participant needs to reproduce the lab setup so that the
instructions work.
You are encouraged to use virtualization; however, it is entirely up to you. Five virtual machines are used in this lab. You may
use either five virtual machines or five physical computers networked together.
Operating Systems and Notes:

Name     IP           OS                       Install Order  Remarks
DC1      192.168.1.1  Windows 2008 RC1         1              Install as Domain Controller with DNS. Use Insiders.Com as the forest.
Server1  192.168.1.2  Windows 2008 RC1         2              Join Insiders.Com as Member Server
Server2  192.168.1.3  Windows 2008 RC1         2              Join Insiders.Com as Member Server
RODC     192.168.1.4  Windows 2008 RC1         2              Join Insiders.Com as Member Server
Vista    192.168.1.5  Vista Ultimate SP1 (RC)  2              Join Insiders.Com as Member Machine
Pre-Requisites for use of these Instructions:
This lab doesn't teach you how to set up the infrastructure it requires, so you need to already possess the knowledge
needed to set up the lab. Lab instructions are provided as-is; Microsoft is not responsible for providing any support.
For help and suggestions, send email to [email protected]
Useful Information:
All passwords in this lab are P@ssw0rd.
Network configuration of all VMs used in this HOL:

Name     IP           Subnet         DNS          Roles
DC1      192.168.1.1  255.255.255.0  127.0.0.1    DC/TS/TSRA/TS Lic/IIS7
Server1  192.168.1.2  255.255.255.0  192.168.1.1  NPS/IIS7/TS/TSWA
Server2  192.168.1.3  255.255.255.0  192.168.1.1  (none at start of lab)
RODC     192.168.1.4  255.255.255.0  192.168.1.1  RODC
Vista    192.168.1.5  255.255.255.0  192.168.1.1  NAP / TS Client
Who is this for?
This document is intended as a quick hands-on introduction for IT Pros interested in Windows Server 2008, which is
at RC1 at the time of writing.
It is intended for any IT Pro. It was initially written for members of the Windows Insiders Group and the Singapore
Windows Group in Singapore.
This set of instructions has been used and updated by members of the Windows Insiders and Singapore Windows
Group in three separate lab sessions.
Lab 1: Install Virtualization
Installing Hyper-V (Perform on LHS)
Pre-requisites for Hyper-V:
- Windows Server 2008 RC0/1 x64
- CPU with hardware virtualization support (Intel VT or AMD-V)
- Sufficient memory (these lab instructions were designed for a machine with 2GB of RAM)
1. Log on with the Administrator account.
2. Execute the 2 files found in c:\windows\wsv (these 2 files are the update packages that add the Hyper-V role to Server
Manager).
3. Launch Server Manager and add the role called Hyper-V. (If you do not see the Hyper-V role, reboot.)
4. When prompted for Virtual Networks, select Local Area Connection and click Next.
5. After installation the machine reboots.
You have just installed the Hyper-V hypervisor on your 64-bit machine. You are ready for virtualization.
Lab 2: Active Directory Backup and Restore
Machines Needed for this Lab
Name Machine State
DC1 Running
Server1 Running
Server2 Saved
RODC Saved
Installing Windows Server Backup (Done on DC1)
1. Click Start, and then click Server Manager
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then
click Continue.
3. In Features Summary, click Add Features
4. In the list of features, double-click Windows Server Backup Features, click Windows Server Backup and click
Command-line tools, and then click Next
5. If necessary, click Add Required Features
6. On the Confirmation Installation page, click Install
7. Click Close
Perform unscheduled backup of critical volumes by GUI
1. Click Start, point to Administrative Tools, and then click Backup
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then
click Continue
3. On the Action menu, click Backup once
4. In the Backup Once Wizard, on the Backup options page, click Different options, and then click Next
5. If you are creating the first backup of the domain controller, click Yes to confirm that this is the first backup
6. On the Select backup configuration page, click Custom, and then click Next
7. On the Select backup items page, select the Enable system recovery check box
8. On the Specify destination type page, click Remote shared folder, and then click Next
9. On the Select backup destination page, type the path to the share, and then click Next
a. Path to share: \\Server1\Backup (create this share on Server1)
10.On the Specify advanced option page, select VSS copy backup and then click Next
11.On the Summary page, review your selections, and then click Backup
12.When the Backup Once Wizard is complete, click Close
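The same backup from the command line, as an added example that is not part of the original lab. It uses the Windows Server Backup command-line tools installed above, driven from PowerShell (an optional feature on Windows Server 2008, assumed installed on DC1), and assumes \\Server1\Backup exists and is writable by the account running it. A critical-volume backup includes ntds.dit, and with it every domain password hash, so the script prints the share's permissions first: restrict them to the accounts that genuinely need the backup.

```powershell
# Added example (not part of the original lab): scripted critical-volume
# backup of DC1 to the lab share, with a check that the backup landed.
# Assumed: PowerShell installed on DC1; \\Server1\Backup exists and is
# writable; the script runs in an elevated session as a domain administrator.
$target = '\\Server1\Backup'

# Show who can read the share before putting a copy of the directory
# database on it. Review this list: it should be administrators and the
# backup account only.
Write-Host "Permissions on ${target}:"
(Get-Acl -Path $target).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Back up the critical volumes (OS, directory database, logs, SYSVOL).
# Without -vssFull this is a VSS copy backup, as selected in the wizard
# above, so it does not interfere with other backup products' history.
& wbadmin start backup "-backupTarget:$target" -allCritical -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin start backup failed with exit code $LASTEXITCODE"
}

# Confirm a backup version now exists on the share. A remote shared folder
# holds only the most recent backup; copy it elsewhere if you need history.
& wbadmin get versions "-backupTarget:$target"
```

Run it from an elevated PowerShell prompt on DC1; wbadmin refuses to run without elevation.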
Lab 3: Using Restartable Active Directory
Machines Needed for this Lab
Name Machine State
DC1 Running
Server1 Saved
Server2 Saved
RODC Saved
Performing an Offline Defragmentation of the Directory Database
Like other services in Server Manager, the Active Directory Domain Services can be stopped and restarted, without
the need to shut down the server. In this task, you will stop the Domain Controller service and do a routine
maintenance task on the Domain Controller.
1. Log on to DC1 as [email protected]
2. In the Server Manager window, select Active Directory Domain Services and click Stop.
3. In the Stop Other Services dialog box, click Yes.
Note: Before this service stops, all dependent services (such as DNS Server and the Kerberos Key Distribution Center) are stopped as well.
4. On the Start menu, click Command Prompt.
5. In the Command Prompt window type the following commands, pressing ENTER after each one. This
will perform an offline defragmentation of the Active Directory database.
    ntdsutil
    Activate Instance NTDS
    Files
    Compact to C:\
Note: This writes a compacted copy of the database to C:\ntds.dit; the process takes approximately two minutes. That copy is a complete
directory database, password hashes included, so treat it like the live one: keep a copy of the original C:\Windows\NTDS\ntds.dit until
the integrity check below passes, and delete the compacted copy (and any fallback copy) once the domain controller is running again.
    quit
    quit
    Del C:\Windows\NTDS\*.log
    Copy /y C:\ntds.dit C:\Windows\NTDS\ntds.dit
    ntdsutil
    Activate Instance ntds
    files
    integrity
    quit
    semantic database analysis
    go fixup
Note: The go fixup command runs the semantic database checker and repairs any errors it encounters.
    quit
    quit
    exit
6. In the Server Manager window, clickStart to start the Active Directory Domain Services service.
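The offline defragmentation above as a script, added here as an example that is not part of the original lab. It drives the same ntdsutil commands but adds the two things the interactive walk-through leaves to the operator: it keeps a fallback copy of the original database and logs, and it runs the integrity check before AD DS is started again, restoring the original if the check fails. Assumptions: PowerShell is installed on DC1, the database is at the default path C:\Windows\NTDS, and C:\NTDSCompact has free space of at least the size of ntds.dit. The success test is a string match on ntdsutil's output ("Integrity check successful"), so confirm that wording against your build before relying on it.

```powershell
# Added example (not part of the original lab): offline defragmentation of
# ntds.dit using restartable AD DS, with a fallback copy and a verified swap.
# Assumed: default database path; C:\NTDSCompact exists or can be created;
# elevated PowerShell session on the domain controller.
$ntdsDir  = 'C:\Windows\NTDS'
$scratch  = 'C:\NTDSCompact'
$fallback = Join-Path $scratch 'original'
New-Item -ItemType Directory -Path $fallback -Force | Out-Null

# Restartable AD DS: stop the directory service without a reboot.
# -Force also stops dependents such as DNS and the KDC.
Stop-Service -Name ntds -Force

# 1. Write a compacted copy of the database into the scratch folder.
& ntdsutil 'activate instance ntds' 'files' "compact to $scratch" 'quit' 'quit'

# 2. Keep the original database and transaction logs so the swap can be undone.
Copy-Item (Join-Path $ntdsDir 'ntds.dit') $fallback -Force
Copy-Item (Join-Path $ntdsDir '*.log')    $fallback -Force

# 3. Replace the live database with the compacted copy and drop the old logs,
#    as the lab's "Del" and "Copy /y" steps do.
Remove-Item (Join-Path $ntdsDir '*.log') -Force
Copy-Item (Join-Path $scratch 'ntds.dit') (Join-Path $ntdsDir 'ntds.dit') -Force

# 4. Integrity check on the new database before the directory comes back.
#    Assumed success string: "Integrity check successful." in ntdsutil output.
$result = & ntdsutil 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1
if (-not ($result -match 'Integrity check successful')) {
    Copy-Item (Join-Path $fallback '*') $ntdsDir -Force   # put the original back
    Start-Service -Name ntds
    throw "Integrity check failed; original database restored.`n$result"
}

# 5. Semantic database analysis; "go fixup" repairs what it finds.
& ntdsutil 'activate instance ntds' 'semantic database analysis' 'go fixup' 'quit' 'quit'

Start-Service -Name ntds

# Both copies under $scratch contain every domain account's password hashes.
# Once the DC is confirmed healthy, remove them and wipe the free space, e.g.:
#   Remove-Item $scratch -Recurse -Force; cipher /w:C:\
```

Keep the cleanup at the end as a deliberate, separate step: the fallback copy is only useful until the domain controller has been confirmed healthy, and after that it is just a second copy of the domain's credentials on disk.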
Lab 4: Implementing RODC
Machines Needed for this Lab
Name Machine State
DC1 Running
Server1 Saved
Server2 Saved
RODC Running
Installing RODC
1. Log on to RODC as [email protected] using the password P@ssw0rd.
2. On RODC, on the Start menu click Run.
3. Type DCPROMO and then click OK.
NOTE: This starts the Active Directory Domain Services Installation Wizard. It may take a few minutes for the Active Directory Domain Services binaries to install.
4. On the Welcome page, select Use advanced mode installation and then click Next.
5. On the Choose a Deployment Configuration page, select Existing forest and then click Next.
6. On the Network Credentials page, click Next.
7. On the Select a Domain page, click Next.
8. On the Select a Site page, click Next.
9. On the Additional Domain Controller Options page, check Read-only domain controller (RODC) and
then click Next.
Note: As a best practice, your RODC should also be a DNS server, so that branch office clients still have name resolution in the event of a WAN problem.
10. On the Specify the Password Replication Policy page, accept the defaults and then click Next.
NOTE: We will specify a Password Replication Policy later in the lab.
11. On the Delegation of RODC Installation and Administration page, click Set.
12. In the Select User or Group dialog box, in Enter the object name to select, type Branch Office
Admins (create this group on DC1 first) and then click OK.
13. On the Install from Media page, accept the default and click Next.
NOTE: An administrator at the main office could back up Active Directory and send the backup media to you at the branch office. You can then restore the system state to an alternate location and point to that location on this page. This saves bandwidth over a slow WAN link.
14. On the Source Domain Controller page, accept the default and click Next.
15. On the Location for Database, Log Files, and SYSVOL page, accept all defaults and click Next.
16. On the Directory Services Restore Mode Administrator Password page, set the password to
P@ssw0rd and then click Next.
17. On the Summary page click Next.
NOTE: If you wanted to save these settings to an unattended answer file instead of installing AD DS, you would click Export Settings.
18. On the Active Directory Domain Services Installation Wizard page, check the Reboot on completion
checkbox.
NOTE: The installation of Active Directory takes approximately five minutes and the computer reboots when complete.
19. When the machine reboots, log on as Insiders\administrator with a password of P@ssw0rd.
Review Allowed and Denied Groups
The RODC Allowed and Denied lists specify which accounts, if any, will have their passwords cached on the
RODC. Caching passwords makes authentication possible even in the event of a WAN link failure. In this task, you
will review the default Password Replication Policy settings.
1. Log on to DC1 as Administrator with a password of P@ssw0rd.
2. On the Start menu navigate to Administrative Tools, and then click Active Directory Users and
Computers.
3. In Active Directory Users and Computers, click Domain Controllers.
4. Click RODC and then, on the Action menu, click Properties.
5. In the RODC Properties dialog box, click Password Replication Policy and review the policy settings.
NOTE: The Password Replication Policy defines which accounts will have their passwords cached on the RODC. By default the Denied list
includes the Administrators, Domain Admins and Enterprise Admins groups (among other privileged groups), so when a member of those
groups logs on in the branch office, their password is not cached on the RODC; someone who steals the RODC therefore cannot recover
privileged credentials from it. A Denied entry always takes precedence over an Allowed entry.
6. In the RODC Properties dialog box click Cancel.
Create a New Active Directory Group and add it to the Allowed list
Now that you have reviewed the default Password Replication Policy settings, you will create a new Active Directory
group, add members to the group, and add the group to the Allowed list in the Password Replication Policy.
1. In the Navigation pane, click Users; on the Action menu, point to New and then click Group.
2. In the New Object - Group dialog box, in the Group name field type Sales Users and then click OK.
3. In Active Directory Users and Computers, ensure Sales Users is selected, and then on the Action
menu, click Properties.
4. In the Sales Users Properties dialog box, click Members and then click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, type BenSmith;DonHall (create
these 2 users on DC1 first), click Check Names and then click OK.
6. In the Sales Users Properties dialog box, click OK.
7. In the Navigation pane, click Domain Controllers, and then in the contents pane, click RODC, and then
on the Action menu, click Properties.
8. In the RODC Properties dialog box, click Password Replication Policy and then click Add.
9. In the Add Groups, Users and Computers dialog box, click Allow and then click OK.
10. In the Select Users, Computers, or Groups dialog box, type Sales Users, click Check Names, and then
click OK.
11. In the RODC Properties dialog box, click Apply.
View and Add cached credentials to a RODC
Not only can the RODC cache the passwords of users who have logged on through it; an administrator can also pre-
populate the RODC password cache so that the first branch logon succeeds without a round trip to a writable domain
controller. In this task you will pre-populate the RODC password cache.
1. In the RODC Properties dialog box, click Advanced and then click Prepopulate Passwords.
NOTE: The Advanced dialog lists all accounts whose passwords are currently cached on this RODC.
2. Type BenSmith, click Check Names, and then click OK.
3. In the Prepopulate Passwords dialog box, click Yes.
4. In the Prepopulate Password Success dialog box click OK and then click Close.
5. In the RODC Properties dialog box click OK.
Configure Administrator Role Separation for a RODC
Administrator Role Separation lets any user be delegated as the local administrator of an RODC without being
granted rights over the domain or other domain controllers. A local branch user can therefore log on to the RODC to
perform general maintenance on the server, but cannot log on to any other domain controller to do the same. In this
task you will configure Administrator Role Separation on the RODC.
1. On RODC, on the Start menu click Command Prompt.
2. In the Command Prompt window, type the following commands, pressing ENTER at the end of each line.
    dsmgmt
    Local Roles
    List Roles
Note: By default, no local administrator role is defined on the RODC after AD DS has been installed. To add the local Administrator role, use the ADD command.
    Add [email protected] administrators
    Quit
    Quit
3. Close the Command Prompt window.
Reset all cached credentials on the RODC
If an RODC is stolen, every account whose password was cached on it must be treated as compromised, so you
must reset the passwords of all users whose passwords were cached. Deleting the RODC's computer object offers to
do this for you. In this task you will walk through that dialog on DC1 and cancel at the end, so the lab RODC
survives.
1. On DC1, in Active Directory Users and Computers, under Domain Controllers, click RODC and on the Action menu, click Delete.
2. In the Active Directory Domain Services box, click Yes.
3. In the Deleting Domain Controller dialog box, ensure Reset all passwords for user accounts that were
cached on this Read-only Domain Controller is selected, and uncheck the Export the list of accounts that
were cached on this Read-only Domain Controller to this file check box.
Note: In a production environment, do not uncheck this box. Always export the list and archive it for future reference, as the list of cached accounts is not available after the domain controller object has been deleted.
4. In the Delete Domain Controller dialog box, read the warnings and then click Cancel.
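The Password Replication Policy tasks of this lab from the command line, added here as an example that is not part of the original lab. It uses repadmin and dsmgmt, the tools that ship with the AD DS role, driven from PowerShell. Beyond the GUI steps it adds the one artefact the theft procedure depends on: a saved copy of which accounts' secrets the RODC currently holds ("reveal") and which accounts have authenticated through it ("auth2"), taken while the RODC object still exists. Assumptions: the computer names RODC and DC1 and the domain insiders.com are the lab's; the group and users live under CN=Users; the script runs as a domain administrator on DC1, except for the dsmgmt lines, which must run on the RODC itself.

```powershell
# Added example (not part of the original lab): RODC Password Replication
# Policy management with repadmin, plus an export of the cached-account lists.
# Assumed names: RODC, DC1.insiders.com, CN=Sales Users and CN=BenSmith under
# CN=Users,DC=insiders,DC=com. Run as a domain administrator.
$rodc  = 'RODC'
$hubDc = 'DC1.insiders.com'
$group = 'CN=Sales Users,CN=Users,DC=insiders,DC=com'
$user  = 'CN=BenSmith,CN=Users,DC=insiders,DC=com'

# Review the policy: who may be cached on the RODC, and who must never be.
& repadmin /prp view $rodc allow
& repadmin /prp view $rodc deny

# Add the branch group to the Allowed list (GUI steps 8 to 11 above).
& repadmin /prp add $rodc allow $group

# Prepopulate one user's secrets from the hub DC so the first branch logon
# works even with the WAN down (the Prepopulate Passwords button above).
& repadmin /rodcpwdrepl $rodc $hubDc $user

# Save both lists before the RODC is ever deleted: "reveal" is every account
# whose secrets are cached on it, "auth2" every account that has authenticated
# through it. After deletion these lists are gone, and the password reset in
# the theft procedure must cover every account in the "reveal" list.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
& repadmin /prp view $rodc reveal | Set-Content "C:\$rodc-revealed-$stamp.txt"
& repadmin /prp view $rodc auth2  | Set-Content "C:\$rodc-auth2-$stamp.txt"

# Administrator Role Separation, scripted. These two lines run ON the RODC:
# list the local roles, then add a branch user as local administrator. The
# user gets no rights on any other domain controller.
& dsmgmt 'local roles' 'list roles' 'quit' 'quit'
& dsmgmt 'local roles' 'add INSIDERS\BenSmith administrators' 'quit' 'quit'
```

Schedule the two export lines, not just run them once: the "reveal" list grows as branch users log on, and the copy you have at the moment the RODC goes missing is the one that determines whose passwords get reset.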
Lab 5: Managing IIS 7
Machines Needed for this Lab
Name Machine State
DC1 Running
Server1 Running
Server2 Running
RODC Saved
Installing IIS 7 (Perform on Server 1 & Server 2)
1. Click Start, point to Administrative Tools, and then click Server Manager
2. In Roles Summary, click Add Roles
3. Use the Add Roles Wizard to add the Web Server role
4. Select all modules to install
Stopping a Website using Appcmd
In this exercise, you will use appcmd to stop a website in preparation for making changes to the site.
1. Log on to Server1 as [email protected]
2. On the Start menu, click Command Prompt.
3. At the command prompt, type the following command and then press ENTER.
    cd %windir%\system32\inetsrv
4. At the command prompt, type the following command and then press ENTER. The site name contains spaces, so it must be quoted.
    appcmd stop site "Default Web Site"
5. At the command prompt, type the following command and then press ENTER.
    appcmd list site
Note: To verify that the site has been stopped or started, examine the state value at the right of the output. If the site has stopped, the state value will be shown as Stopped.
Explore the Configuration of an existing site
In this task you will review the configuration of the Default Web Site using IIS Manager.
Perform this task on Server1 as [email protected]
1. On the Start menu, navigate to All Programs/Administrative Tools and then click Internet Information
Services (IIS) Manager.
2. In the Connections pane, expand Server1, and then click Sites.
3. Under Sites, click Default Web Site.
4. In the Actions pane click Bindings.
5. In the Web Site Bindings dialog box, click http and then click Edit.
6. In the Edit Web Site Binding window verify the settings and make any changes as required, as shown in the table below:
Setting Values
IP Address 192.168.1.2
Port 80
7. ClickOK to close the Edit Site Binding dialog box, and then clickClose to close the Site Bindings
dialog box.
8. In the Actions pane, under Edit Site clickBasic Settings. Review the settings and make any changes as
required.
Setting Values
Application Pool DefaultAppPool
Physical Path %systemdrive%\inetpub\wwwroot
9. ClickCancel to close the Edit Web Site dialog box.
10. In the Actions pane, clickAdvanced Settings.
11. In the Advanced Settings dialog box, review the following settings.
(General) Setting                     Values
ID                                    1
Physical Path                         %systemdrive%\inetpub\wwwroot
Physical Path Credentials             Ensure it is blank
Physical Path Credentials Logon Type  ClearText
Start Automatically                   True
12. Click Cancel to close the Advanced Settings dialog box.
13. Leave Internet Information Services (IIS) Manager open.
Creating a Virtual Directory
In this task you will create a virtual directory in the Default Web Site that will hold employee information that can be
accessed by other personnel in the organization. This virtual directory will be used at a later time. You will use the
APPCMD command line tool to create this virtual directory. The commands used in this exercise could be placed in a
batch file or script to automate the creation of virtual directories.
Perform this task on Server1 as [email protected]
1. On the Start menu, click Command Prompt.
2. At the command prompt, type the following command and then press ENTER.
    cd \inetpub\wwwroot
3. At the command prompt, type the following command and then press ENTER.
    md employeedata
4. At the command prompt, type the following command and then press ENTER.
    cd %windir%\system32\inetsrv
5. At the command prompt, type the following command on one line and then press ENTER. The site name contains spaces, so it must be quoted.
    appcmd add vdir /app.name:"Default Web Site/" /path:/EmployeeData /physicalpath:c:\inetpub\wwwroot\employeedata
6. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 and then click
Default Web Site.
7. Verify that the EmployeeData virtual directory is present.
Starting a Web Site using Appcmd
In this exercise, you will use appcmd to start the Default Web Site after having made changes to the site.
1. At the command prompt, type the following command and then press ENTER.
    cd %windir%\system32\inetsrv
2. At the command prompt, type the following command and then press ENTER.
    appcmd start site /site.name:"Default Web Site"
3. At the command prompt, type the following command and then press ENTER.
    appcmd list site
Note: To verify that the site has been started, examine the state value at the right of the output. If the site has started, the state value will be shown as Started.
4. Close the Command Prompt window.
Displaying Website Information with Content View
In this task, you will use Content View to view the contents of the Default Web Site. Content View displays the
contents of the website or virtual directory selected in the Connections pane. For example, if you click a web site
and select Content View, IIS Manager displays a list of the applications, virtual directories,
physical directories and files of that web site. You can right-click an object in the content list and click Switch to
Features View to go to the object's home page. From the home page, you can configure features for the object, such
as authentication settings for a virtual directory.
Perform this task on Server1 as [email protected]
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Server1, click Sites,
and then click Default Web Site.
2. Right-click Default Web Site and then click Switch to Content View.
3. In the Default Web Site Content pane, notice the new virtual directory you created earlier and the
default.htm file.
4. In the Connections pane, right-click Default Web Site and select Switch to Features View.
Create a new Application pool using Command Line
In this task you will create a new application pool. An application pool is a group of one or more applications that are
served by a worker process or a set of worker processes. Application pools set boundaries for the applications they
contain, which means that any applications running outside of a given application pool cannot affect the applications
within the application pool. Application pools are used to isolate web sites and web applications to address
reliability, availability, and security issues. You should consider creating application pools for any of the following
reasons:
- To group sites and applications that run with the same configuration settings
- To isolate sites and applications that run with unique configuration settings
- To increase security by running an application under a custom identity
- To improve performance by separating unstable applications from well-behaved applications
- To prevent resources in one application from accessing resources in another application. For example,
ISPs might create individual application pools for each customer's sites and web applications. Separating
customer content this way can prevent one customer's resources from accessing resources on another
customer's web site, even though both customers' sites are on the same web server.
Perform this task on Server1 as [email protected]
The IIS 7.0 command-line tools reside in the %windir%\system32\inetsrv directory, which is available only to
members of the Administrators group on the computer. In addition, members of the Administrators group must start
the IIS 7.0 command-line tools with elevated permissions. Users who view or change Web.config files in sites or
application directories must have read and write access to the files in those directories.
1. On the Start menu, click Command Prompt.
2. At the command prompt, type the following command and then press ENTER.
    cd %windir%\system32\inetsrv
3. At the command prompt, type the following command and then press ENTER.
    appcmd add apppool /name:NewIntranet
4. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 and then click
Application Pools. Verify that NewIntranet is listed.
Change an Application Pool assigned to a Web Site
In this exercise, you are going to assign the Default Web Site to the new application pool you created.
1. In Internet Information Services (IIS) Manager, in the Connections pane click Sites and then click
Default Web Site.
2. In the Actions pane, click Advanced Settings.
3. In the Advanced Settings window click DefaultAppPool, and then click the ellipsis button (...).
4. In the Select Application Pool dialog box, in Application pool, select NewIntranet and then click OK.
5. Click OK to close the Advanced Settings dialog box.
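The application-pool work of the last two tasks as a script, added here as an example that is not part of the original lab. It follows the lab's own sequence (backup, create pool, stop site, reassign, start, verify) with appcmd, and makes the one change this section's reasoning argues for: the new pool runs under a dedicated low-privilege identity rather than the default one, which is what actually isolates it from the other pools on the box. Assumptions: PowerShell is installed on Server1, the pool and site names are the lab's, and INSIDERS\svc_intranet is a hypothetical domain account that exists and has read access to the site's content directory.

```powershell
# Added example (not part of the original lab): create an application pool
# with its own identity and move the Default Web Site's root application
# into it, using appcmd. Assumed: elevated PowerShell on Server1; the
# account INSIDERS\svc_intranet is hypothetical and must exist beforehand.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$pool   = 'NewIntranet'
$site   = 'Default Web Site'

# Configuration backup first, so the change can be undone with
# "appcmd restore backup before-NewIntranet".
& $appcmd add backup "before-$pool"

# Create the pool and give it a dedicated identity. IIS stores the password
# encrypted in applicationHost.config, but the key lives on this machine, so
# the encryption protects the file when copied elsewhere, not against a local
# administrator: use an account with no rights beyond this site's content.
& $appcmd add apppool /name:$pool
& $appcmd set apppool /apppool.name:$pool /processModel.identityType:SpecificUser `
    /processModel.userName:INSIDERS\svc_intranet /processModel.password:P@ssw0rd

# Stop the site, move its root application ("Default Web Site/") to the new
# pool, start it again. These are the stop/start appcmd steps used earlier.
& $appcmd stop site /site.name:$site
& $appcmd set app "/app.name:$site/" /applicationPool:$pool
& $appcmd start site /site.name:$site

# Verify: pool assignment of the root application, the pool's identity type,
# and that the site came back up (expect "Started").
& $appcmd list app "/app.name:$site/" /text:applicationPool
& $appcmd list apppool /apppool.name:$pool /text:processModel.identityType
& $appcmd list site /site.name:$site /text:state
```

The password is on the command line here only because the lab uses a fixed one; in practice read it from a prompt (Read-Host) so it does not end up in the shell history.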
Starting and Stopping Application Pools
In this task, you are going to manage application pools. When you stop an application pool, this causes the WWW
service to shut down all running worker processes serving that application pool. The WWW service does not
restart these worker processes. An administrator must restart all stopped application pools. All applications
routed to a stopped application pool receive 503 Service Unavailable errors.
Perform this task on Server1 as [email protected]
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools and
then click NewIntranet.
2. In the Actions pane click Stop.
3. In the Actions pane, click Start to restart the application pool.
Recycling Application Pools
In this task, you are going to force the recycle of an application pool. Occasionally, you may need to immediately
recycle an unhealthy worker process instead of waiting for the next configured recycle. Rather than abruptly
stopping the worker process, which can cause service interruptions, you can use on-demand recycling.
Overlapping recycling, the default, allows an unhealthy worker process to be marked for recycling, but to continue
handling requests that it already received. It does not accept new requests from HTTP.sys. When all existing
requests are handled, the unhealthy worker process shuts down.
Perform this task on Server1 as [email protected]
1. In the Connections pane, click Application Pools and then click NewIntranet.
2. In the Actions pane click Recycle.
Viewing Applications in an Application Pool
In this task you are going to view the Applications that are assigned to the DefaultAppPool. You may want to see all
of the applications assigned to a given application pool to verify that applications are correctly assigned or to assess
whether you should move some applications to another application pool.
Perform this task on Server1 as [email protected]
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools and
then click DefaultAppPool.
2. In the Actions pane, click View Applications.
View Information about Worker Processes and Application Pool Settings
In this exercise, you are going to examine the worker processes that are running on the web server. You can view
performance information about worker processes running on your web server. This information can help you narrow
down applications that cause problems on your web server, and help you make decisions about how to fix these
issues. IIS 7.0 lists worker processes with associated application pool names and provides information for each
worker process.
Perform this task on Server1 as [email protected]
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Sites and click
Default Web Site.
2. In the Actions pane, under Manage Web Site, click Start.
3. In the Actions pane, click Browse *:80 (http).
Note: You may need to add this site to the trusted sites list.
4. Minimize the home page for the Default Web Site once it has opened.
5. In Internet Information Services (IIS) Manager, in the Connections pane, under Sites, click Default
Web Site.
6. In the Actions pane, click Browse 192.168.1.2:80 (http).
If you receive the Microsoft Phishing Filter warning, select the Ask me later radio button and click OK to close the warning.
7. Once the Default Web Site home page has opened, minimize it.
8. In the Connections pane, click Server1 (Insiders\Administrator).
9. In the Server1 Home pane, under IIS, double-click Worker Processes.
Note: The Worker Processes pane lists the active application pool names, process IDs, state, CPU %, Private Bytes (KB) and Virtual Bytes (KB).
10. Close the Internet Information Services (IIS) Manager console.
Shared Web Server Configuration
Introduction
In this exercise, you are the web administrator at your company. You want to implement the shared configuration
feature of IIS 7.0. To do this you designate a single shared master IIS configuration file on a central server,
reached through a Universal Naming Convention (UNC) share on either a local or a remote server. This shared
configuration file can be used across multiple front-end web servers, avoiding costly and error-prone replication
and manual synchronization. Web site and application settings are no longer tied to a configuration store on each
local machine. Configuration files can simply be copied from the developer's workstation to a test server and from the test server to the production
Web server that will serve as the central configuration store. In this exercise, you are going to use this new
feature to create a single configuration file that will affect several web servers.
Backing up the Current applicationHost.config
It is always good practice to back up the current applicationHost.config file before changing multiple settings. In
this task, you are going to back up the applicationHost.config file before making any changes to the server or its
configuration, by creating a backup object with the APPCMD command-line tool. The configuration files are stored in
the %windir%\system32\inetsrv\config directory. The command creates a backup object that includes the
applicationHost.config file and the legacy metabase file (for SMTP and other non-web-server settings) in a backup
folder. You can then list the backup objects to make sure it is present.
1. Log on to Server1 as [email protected] with a password ofP@ssw0rd.
2. On the Start menu, clickCommand Prompt.
3. At the command prompt, type the following command and then press ENTER.
cd %windir%\system32\inetsrv
4. At the command prompt, type the following command and then press ENTER.
appcmd add backup centralConfigBackup
Verifying Backup of Applicationhost.config
In this task, you are going to verify that the backup of the applicationHost.config took place and there is a file
present.
Perform this task on Server1 as [email protected]
1. At the command prompt, type the following command and then press ENTER.
    appcmd list backup
Restore Applicationhost.config
In this task, you are going to replace the current applicationHost.config file with the backup copy. Since you
haven't made any changes to the file since you made the backup, this is simply a test of the restore
procedure.
Perform this task on Server1 as [email protected]
1. At the command prompt, type the following command and then press ENTER.
Appcmd restore backup centralConfigBackup
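The backup, list and restore steps above, as an added example that is not part of the lab: a PowerShell script that takes a uniquely named backup, checks that appcmd lists it, fingerprints applicationHost.config before and after the restore so the round trip can be proven rather than assumed, and shows who can read the backup folder. The location %windir%\system32\inetsrv\backup\<name> is where appcmd stores backups; the timestamped name and the SHA-256 helper are this script's own choices, not anything the lab specifies.

```powershell
# Added example (not part of the lab): back up, verify and restore IIS 7 configuration
# with appcmd, checking the result instead of trusting it. Run in an elevated PowerShell
# on the web server (Server1 in the lab).
$inetsrv = Join-Path $env:windir 'system32\inetsrv'
$appcmd  = Join-Path $inetsrv 'appcmd.exe'
$live    = Join-Path $inetsrv 'config\applicationHost.config'
$name    = 'centralConfigBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss')   # assumed naming

function Get-Sha256Hex([string]$Path) {
    # SHA-256 of a file as a hex string; uses .NET directly so it also runs on older PowerShell.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

$before = Get-Sha256Hex $live

# 1. Take the backup and make sure appcmd actually succeeded.
& $appcmd add backup $name | Out-Null
if ($LASTEXITCODE -ne 0) { throw "appcmd add backup failed with exit code $LASTEXITCODE" }

# 2. Verify: the backup is listed, and the copied applicationHost.config matches the live file.
$backupDir = Join-Path $inetsrv "backup\$name"
$listed = (& $appcmd list backup) -match [regex]::Escape($name)
if (-not $listed) { throw "backup '$name' is not listed by appcmd" }
if ((Get-Sha256Hex (Join-Path $backupDir 'applicationHost.config')) -ne $before) {
    throw 'backup copy of applicationHost.config differs from the live file'
}

# 3. Restore, then prove the live file is byte-for-byte what it was before.
& $appcmd restore backup $name | Out-Null
if ($LASTEXITCODE -ne 0) { throw "appcmd restore backup failed with exit code $LASTEXITCODE" }
if ((Get-Sha256Hex $live) -ne $before) { throw 'restored applicationHost.config does not match the original' }

# 4. The backup folder holds a full copy of the configuration, so it deserves the same
#    protection as the live config directory; show who can read it.
(Get-Acl $backupDir).Access | Select-Object IdentityReference, FileSystemRights
Write-Output "backup '$name' verified and restored"
```

The hash comparison is the useful part: `appcmd list backup` only tells you a folder exists, not that its contents are what you think, and a restore that silently brings back a stale copy is exactly the failure you want to catch in a lab rather than in production.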
Creating a user account for accessing the UNC share
In this task, you are going to create the domain user account that IIS will use to reach the shared folder required for
the shared web farm configuration. You will create a domain user called ConfigUser with a password of P@ssw0rd. This
account is used on the web server (the front-end machine, Server1, where IIS 7 is installed) and on the file server (the
back-end machine, Server2, where the central configuration will reside).
Perform this task on DC1.
1. Log on to DC1 as Administrator@Insiders.Com with the password P@ssw0rd.
2. On the Start menu, navigate to All Programs/Administrative Tools and then click Active Directory
Users and Computers.
3. In Active Directory Users and Computers, click LabUsers (create this OU if it doesn't exist). On the
Action menu, point to New and then click User.
4. In the New Object - User dialog box, in Full Name and User logon name, type Configuser, and click
Next.
5. In the New Object - User dialog box, type P@ssw0rd in both the Password and Confirm password
boxes, clear the User must change password at next logon check box, select the Password never expires
check box, and then click Next.
6. In the New Object - User dialog box, click Finish.
Create the UNC share for central configuration and content
In this task you are going to create a shared directory that will hold the configuration file. As part of this procedure,
you need to ensure that the users who will access this directory have read and write permissions. The UNC share
for configuration will host the applicationHost.config file, so that the web servers pick up the shared configuration
from the centralized location.
1. Ensure you are logged on to Server2 as Administrator using the password P@ssw0rd.
2. On the Start menu, click Command Prompt.
3. At the command prompt, type the following command and then press ENTER.
md c:\centralconfig
4. At the command prompt, type the following command and then press ENTER.
net share centralconfig$=%SystemDrive%\centralconfig /grant:Users,Read
Note: The trailing $ hides the share from browsing but does not restrict access. This command grants Read to the
local Users group, which on a domain member includes Domain Users, so any authenticated user could read
applicationHost.config from this share. The next task grants the configuser account access; outside the lab, grant
the share only to that account and to administrators.
Give permissions to the configuser account for the UNC share that will host the central
configuration file and content
In this task you are going to configure the permissions required by the account to access the central configuration store.
IIS uses this account to connect to the UNC share in the same way it connects to content when a virtual directory
is mapped to a UNC share. The account's permissions matter only for connecting to the configuration share; once
connected, whenever IIS reads the configuration file it does so under the identity of the caller, whether that is the
configuration API, the administration tool being used, or the user account that is logged on at that moment.
Perform this task on Server2 as Administrator@Insiders.Com.
1. On the Start menu, click Computer.
2. In the Computer window, navigate to Local Disk (C:)\centralconfig.
3. Right-click centralconfig and click Share.
4. In the File Sharing window, click Change sharing permissions.
5. In the File Sharing window, click the drop-down arrow and select Find.
6. In the Select User or Group dialog box, type configuser, and then click Check Names.
7. Click OK.
8. Click Share.
9. In the File Sharing window, click Share, and when sharing is finished, click Done.
Granting the Log on as a batch job right to the configuration account
In this task you are going to grant the configuration account the Log on as a batch job user right. Whether the account
used for the shared configuration is a domain account or a local account, it must hold this right. It is not granted
by default in Windows Server 2008, so it has to be added manually on the computer holding the shared configuration.
Perform this task on Server2 as Administrator@Insiders.Com.
1. On the Start menu, navigate to All Programs/Administrative Tools and then click Local Security
Policy.
2. In Local Security Policy, expand Local Policies and then click User Rights Assignment.
3. In the contents pane, click Log on as a batch job and then, on the Action menu, click Properties.
4. In the Log on as a batch job Properties dialog box, click Add User or Group.
5. In the Select Users, Computers, or Groups dialog box, type configuser@Insiders.Com in the Enter the
object names to select box and click OK.
6. Click OK to close the Log on as a batch job Properties dialog box.
7. Close Local Security Policy.
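The three Server2 tasks above (create the share, grant the configuration account access, grant it the batch logon right), as one added example that is not part of the lab: a PowerShell script that does the same from the command line with the permissions narrowed to what the lab text says is needed (read and write for the configuration account, full control for administrators, nothing for Users). The NetBIOS domain name INSIDERS and the account name configuser are assumed from the lab; the secedit template round trip is this script's own way of adding a user right without dropping the accounts that already hold it.

```powershell
# Added example (not part of the lab): prepare the shared-configuration store on Server2.
# Run in an elevated PowerShell on the file server. Domain/account names are assumed.
$dir     = Join-Path $env:SystemDrive 'centralconfig'
$share   = 'centralconfig$'
$account = 'INSIDERS\configuser'   # assumed NetBIOS name of the Insiders.Com domain

New-Item -ItemType Directory -Path $dir -Force | Out-Null

# NTFS: drop inherited ACEs (so Users do not inherit read from the drive root), then grant
# Administrators and SYSTEM full control and the config account Modify, which covers the
# read and write the lab says the account needs.
icacls $dir /inheritance:r /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "$($account):(OI)(CI)M" | Out-Null

# Share: recreate it with Change for the config account and Full for administrators only,
# instead of the lab's "/grant:Users,Read" which lets every authenticated user read the config.
$existing = Get-WmiObject -Class Win32_Share -Filter "Name='$share'"
if ($existing) { $existing.Delete() | Out-Null }
net share "$share=$dir" "/grant:$account,CHANGE" '/grant:Administrators,FULL' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net share failed with exit code $LASTEXITCODE" }

# User right: export the current policy, append the account's SID to SeBatchLogonRight,
# and apply it back. Editing the exported template keeps the existing holders of the right.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'batchlogon.inf'
$db  = Join-Path $env:TEMP 'batchlogon.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = @(Get-Content $cfg)
$idx = -1
for ($i = 0; $i -lt $lines.Count; $i++) { if ($lines[$i] -like 'SeBatchLogonRight*') { $idx = $i } }
if ($idx -lt 0) {
    $lines += "SeBatchLogonRight = *$sid"              # right had no holders at all
} elseif ($lines[$idx] -notmatch [regex]::Escape($sid)) {
    $lines[$idx] = $lines[$idx] + ",*$sid"              # append, do not replace
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# Verify what was actually applied: share grants, NTFS ACL and the effective user right.
net share $share
icacls $dir
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
(Get-Content $cfg) -match 'SeBatchLogonRight'
```

Two things worth keeping when adapting this: the share name keeps the trailing $ purely for tidiness (hidden shares are not access control), and the SID is resolved from the account name so the template does not depend on name resolution at apply time.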
Enable Shared Configuration
The new IIS 7 administration user interface includes support for setting up configuration redirection. The user
interface provides support for exporting configuration files and any necessary encryption keys to a specified path
and also provides for easy modification of the redirection.config file.
Perform this task on Server1 as Administrator. (Steps in this section may vary a little.)
1. On the Start menu, navigate to All Programs/Administrative Tools and then click Internet
Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1
(Insiders\Administrator), and then in the Server1 Home pane, click Shared Configuration.
3. In the Actions pane, click Open Feature.
4. In the Actions pane, click Export Configuration.
5. In the Export Configuration dialog box, type the values in the following table, and then click OK.
Setting Value
Physical Path \\Server2\CentralConfig$
Encryption keys password P@ssw0rd
Confirm Password P@ssw0rd
6. In the Export Configuration dialog box, click OK.
7. In the Shared Configuration pane, select Enable shared configuration and then, in Physical Path, type
\\Server2\CentralConfig$.
8. In the Shared Configuration pane, click Connect As.
9. In the Set Credentials dialog box, type the values in the following table and then click OK.
Setting Value
User name configuser@Insiders.Com
Password P@ssw0rd
Confirm password P@ssw0rd
10. In the Actions pane, click Apply.
11. In the Shared Configuration dialog box, click OK.
12. In the Shared Configuration dialog box, type P@ssw0rd (the encryption keys password entered in step 5), and
then click OK.
13. In the Shared Configuration dialog box, click OK.
14. Close Internet Information Services (IIS) Manager, and then re-open Internet Information Services
(IIS) Manager.
15. Repeat steps 1 to 14 on Server2, skipping steps 4 to 6, which export the configuration.
Testing the shared configuration file
In this task you will test the use of the shared configuration file by making a change to the applicationHost.config file
on one web server and observing the change on the other.
Perform this task on Server2 as Administrator.
1. In Internet Information Services (IIS) Manager, expand Server2 (Insiders\Administrator) and then
click Application Pools.
2. In the Actions pane, click Add Application Pool.
3. In the Add Application Pool dialog box, type Test Applications Pool and then click OK.
4. Switch to the Server1 computer, ensuring you are logged on as Insiders\Administrator using the
password P@ssw0rd.
5. Open Internet Information Services (IIS) Manager.
6. In Internet Information Services (IIS) Manager, expand Server1 (Insiders\Administrator) and then
click Application Pools.
7. Verify that Test Applications Pool is listed.
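The enable and test tasks above, as an added example that is not part of the lab: a PowerShell script that confirms a server is really redirected to the central store by reading its redirection.config (the file the Shared Configuration UI writes), then makes the same kind of change as step 2 through appcmd and proves it landed in the applicationHost.config on the share rather than in a local copy. The share path and the configuser account name come from the lab; the attribute names `enabled`, `path` and `userName` are those of the `<configurationRedirection>` element in IIS 7.

```powershell
# Added example (not part of the lab): verify that shared configuration is in effect and
# that a change written on this server appears in the central applicationHost.config.
# Run on Server1 and Server2 as an administrator who can read the share.
$expectedPath = '\\Server2\CentralConfig$'
$redir  = Join-Path $env:windir 'system32\inetsrv\config\redirection.config'
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

function Get-ConfigRedirection([string]$Path) {
    # redirection.config is plain XML. The password attribute is stored encrypted
    # ([enc:...:enc]) and is deliberately not returned here.
    $xml  = [xml](Get-Content -Path $Path)
    $node = $xml.configuration.configurationRedirection
    if (-not $node) { throw "no <configurationRedirection> element in $Path" }
    New-Object PSObject -Property @{
        Enabled  = ($node.enabled -eq 'true')
        Path     = $node.path
        UserName = $node.userName
    }
}

$r = Get-ConfigRedirection $redir
if (-not $r.Enabled)           { throw "shared configuration is not enabled on $env:COMPUTERNAME" }
if ($r.Path -ne $expectedPath) { throw "redirection points at '$($r.Path)', expected '$expectedPath'" }
if ($r.UserName -notmatch 'configuser') { Write-Warning "redirection connects as '$($r.UserName)'" }

# Make a change the same way IIS Manager would (through the configuration system) ...
$pool = 'Test Applications Pool'
& $appcmd add apppool /name:"$pool" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "appcmd add apppool failed with exit code $LASTEXITCODE" }

# ... and prove it was written to the shared file, not to a local applicationHost.config.
$shared = [xml](Get-Content (Join-Path $r.Path 'applicationHost.config'))
$found  = $shared.configuration.'system.applicationHost'.applicationPools.add |
          Where-Object { $_.name -eq $pool }
if (-not $found) { throw "pool '$pool' is not in the shared applicationHost.config" }

# Any other server redirected to the same store sees it; on that server just run:
#   appcmd list apppool "Test Applications Pool"
& $appcmd list apppool "$pool"
& $appcmd delete apppool "$pool" | Out-Null   # remove the test pool again
```

Note that the export in step 5 also writes configEncKey.key to the share, protected by the encryption keys password you typed; together with applicationHost.config it is what lets every farm member decrypt the same encrypted attributes, so the share needs the same protection as the live config directory on any one server.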
Managing an IIS 7 Server
Introduction
In this exercise you will configure an IIS 7 server to allow a remote administrator the ability to manage a
subset of the features on one web site. You will first enable remote administration so that the administrator
can manage the web server using IIS Manager over HTTP. You will then configure delegation to restrict
modifications of some site settings to only the administrator of the web server. Finally, you will create an IIS
account and grant that account permission to administer a web site.
Configure the Management Service
In this task, you are going to configure the Management Service to accept remote connections. The
management service enables computer and domain administrators to remotely manage a web server by using
IIS Manager. The service also enables delegated administrators to locally and remotely manage delegated
features of web sites and web applications on the web server. Remote connections use HTTPS on TCP port 8172
by default, with the self-signed certificate created when the service was installed unless you select another.
Perform this task on Server1 as Administrator
1. On the Start menu, navigate to All Programs/Administrative Tools and then click Internet
Information Services (IIS) Manager.
2. In the Connections pane, click Server1 (Insiders\Administrator).
3. In the Server1 Home pane, under Management, click Management Service, and then in the Actions
pane, click Open Feature.
4. In the Management Service pane, select Enable remote connections.
5. In the Actions pane, click Start, and then in the Management Service dialog box, click Yes.
Configure Feature Delegation
In this task, you will configure feature delegation to ensure that some settings are only configurable at the server
level, and not at the individual web site level.
Perform this task on Server1 as Administrator
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1
(Insiders\Administrator).
2. In the Server1 Home pane, click Feature Delegation and then in the Actions pane, click Open Feature.
3. In the Feature Delegation pane, click Logging and then in the Actions pane, click Read Only.
Enable IIS Manager users and create a user
In this task you will configure the Management Service to allow connections from IIS Manager users. You will then create a
new IIS Manager user account for an administrator who does not have a Windows user account with administrative permission
on the IIS 7 server. IIS Manager users exist only in the IIS configuration, not in Windows or Active Directory.
Perform this task on Server1 as Administrator.
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1
(Insiders\Administrator).
2. In the Server1 Home pane, under Management, click Management Service, and then in the Actions
pane, click Open Feature.
3. In the Actions pane, click Stop.
4. In the Management Service pane, select Windows credentials or IIS Manager credentials.
5. In the Actions pane, click Start, and then in the Management Service dialog box, click Yes.
6. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1
(Insiders\Administrator).
7. In the Server1 Home pane, under Management, click IIS Manager Users, and then in the Actions pane,
click Open Feature.
8. In the IIS Manager Users pane, in the Actions pane, click Add User.
9. In the Add User dialog box, enter the values in the following table and then click OK.
Setting Value
User name IntranetAdmin
Password P@ssw0rd
Confirm password P@ssw0rd
Delegate control of the Default Web Site
In this task you will grant the IntranetAdmin user account control over the Insiders intranet web site (the Default Web Site).
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Server1
(Insiders\Administrator), expand Sites, and then click Default Web Site.
2. In the Default Web Site Home pane, under Management, click IIS Manager Permissions and then in the
Actions pane click Open Feature.
3. In the Actions pane, click Allow User.
4. In the Allow User dialog box, click IIS Manager and then click Select.
5. In the Users dialog box, click IntranetAdmin and then click OK.
6. Click OK to close the Allow User dialog box.
Important: Prior to starting Lab 6, remove IIS7 from Server 1 and Server 2.
Reboot when done before commencing Lab 6
Lab 6: Implementing Terminal Services RemoteApps
Machines needed for this lab
Name Machine State
DC1 Running
Server1 Running
Server2 Running
RODC Saved
RemoteApp applications are programs that are accessed remotely through Terminal Services and appear as if they
are running on a user's local computer. Users can run RemoteApp applications side-by-side with their local
programs. If a user is running more than one Remote Program on the same terminal server, RemoteApp will share
the same Terminal Services session. You can use TS Web Access to make RemoteApp applications available through a
Web site.
In this exercise, you will configure DC1 to be able to publish remote applications. In addition you will create packages
for deploying remote applications to the client machines and then distribute these packages.
You will also test the connection to the remote program from a client machine. Before these RemoteApp programs can
be tested, you will also modify the allow list so that an application can be accessed remotely.
Install Terminal Server Role Service
In this task you will add the Terminal Server role to DC1.
Note: This task uses the following computer: DC1
1. On the Start menu, navigate to All Programs/Administrative Tools/Server Manager.
2. In Server Manager, add the Terminal Services role.
3. In the Add Role Services dialog box, click Install Terminal Services anyway (not recommended). This prompt
appears because DC1 is a domain controller; installing Terminal Server on a domain controller is acceptable for this
lab but is not recommended in production, since every Terminal Server user then logs on interactively to a domain
controller.
4. In the Add Role Services dialog box, on the Uninstall and Reinstall Applications for Compatibility page,
click Next.
5. In the Add Role Services dialog box, on the Specify Authentication for Terminal Services page, select
Require Network Level Authentication and then click Next.
6. In the Add Role Services dialog box, on the Specify Licensing Mode page, select Configure later and then click
Next.
7. In the Add Role Services dialog box, on the Select User Groups Allowed Access to This Terminal Server
page, click Next.
8. In the Add Role Services dialog box, on the Confirm Installation Selections page, click Install.
Note: On the Confirm Installation Selections page, there is one warning. The warning advises that you may need to
reinstall applications. In the lab it is safe to ignore; in a production environment, remember that applications may
need to be reinstalled. Applications on a Terminal Server are installed into a different section of the registry so that
they can be safely used by multiple users simultaneously.
The installation process takes approximately 3 minutes. After this you will need to restart DC1.
9. In the Add Role Services dialog box, on the Installation Results page, click Close.
10. In the Add Role Services dialog box, click Yes to begin the restart.
11. After the restart, log on to DC1 as Administrator using the password P@ssw0rd.
Note: After you log on, the Post-Reboot Configuration Wizard appears to confirm that the Terminal Services role
has been installed successfully.
12. In the Post-Reboot Configuration Wizard dialog box, click Close.
Add a program to the Allow List
In this task you will add an existing program to the Allow List for Terminal Services RemoteApp. For a user
to be able to access a program with RemoteApp, the application must be on the Allow List. The Allow List settings
also include the ability to change settings for the remote applications, such as additional command-line arguments
and changes to the default icons. You will add WordPad to the Allow List.
1. Log on to DC1 as Administrator with the password of P@ssw0rd.
2. On the Start menu, navigate to All Programs/Administrative Tools/Terminal Services/TS RemoteApp
Manager.
3. In TS RemoteApp Manager, on the Action menu, click Add RemoteApps.
4. In the RemoteApp Wizard, click Next.
5. In the Choose programs to add to the RemoteApps list, check the box next to WordPad and then click
Next.
6. In the RemoteApp Wizard, in the Review Settings page, click Finish.
Create an RDP file that publishes a connection to an application
In this task you will create an RDP file that can then be distributed to clients, either via e-mail or USB flash disk (UFD).
This will then enable users to connect remotely to the remote program that was added to the Allow List. Any settings
that have been added to the application in the Allow List will also be added to the RDP file.
1. In TS RemoteApp Manager, select WordPad in the contents pane.
2. In TS RemoteApp Manager, in the Actions pane, click Create .rdp File.
3. In the RemoteApp Wizard, click Next.
4. In the RemoteApp Wizard, on the Specify Package Settings page, change the location for saving the
package to C:\Users\Public\ (the folder that is later accessed as \\DC1\Public).
5. In the RemoteApp Wizard, on the Specify Package Settings page, in TS Gateway Settings, click
Change.
6. In the Configure TS Gateway Settings dialog box, select AUTO.
7. In the RemoteApp Wizard, on the Specify Package Settings page, click Next.
8. In the RemoteApp Wizard, on the Review Settings page, click Finish.
Note: Windows Explorer will now appear displaying the created RDP file. The created file is named Wordpad.rdp.
Create an MSI file that installs an application
In this task you will create an MSI file that can be distributed as an installation package. This package could be
distributed for users to install manually, or installed as part of a Group Policy Object. As part of the configuration of
an MSI package it is possible to define where the remote program will appear in the user's environment and also to
associate the remote program with client file associations. An example would be to publish Microsoft
Word so that it is integrated into the user's Start menu and opens when they click a Word document. This
gives the user a seamless integration with the remote program. Any settings that have been added to the
application in the Allow List will also be added to the MSI file.
1. In TS RemoteApp Manager, in the contents pane, select WordPad.
2. In the Actions pane, click Create Windows Installer Package.
3. In the RemoteApp Wizard, click Next.
4. In the RemoteApp Wizard, on the Specify Package Settings page, change the location for saving the
package to C:\Users\Public\.
5. In the RemoteApp Wizard, on the Specify Package Settings page, in TS Gateway Settings, click
Change.
6. In the Configure TS Gateway Settings dialog box, select AUTO.
7. In the RemoteApp Wizard, on the Configure Distribution Package page, accept the default settings by
clicking Next.
8. In the RemoteApp Wizard, on the Review Settings page, click Finish.
Note: Windows Explorer will now appear displaying the created installation file. The created file is named wordpad.msi.
Using RemoteApp access
In this task, you will use the RDP file and the MSI file that you created in the previous tasks. This will be achieved by
accessing the files on the Public share on DC1.
Note: This task uses the following computer: VISTA
1. Log on to VISTA as Administrator with the password of P@ssw0rd.
2. On the Start menu, in Start Search, type \\DC1\Public and then press ENTER.
3. In Windows Explorer, double-click Wordpad.rdp.
4. In the Windows Security dialog box, enter the following values:
Setting Value
User name: Administrator@Insiders.Com
Password: P@ssw0rd
5. Check Remember my credentials and then click OK.
6. In the RemoteApp dialog box, check Don't prompt me again for connections to this computer, and then
click Yes.
Note: The application now launches. When the application launches successfully it will display on the
screen as On The Server. This is the remote application running on the server. Saving the credentials and
suppressing the prompt are convenient in the lab; outside the lab, both mean the user is not asked again before an
.rdp file connects to this server, so make these choices only for files from a trusted source.
7. Close the On The Server remote program.
8. In Windows Explorer, double-click WordPad.msi.
Note: The remote WordPad application now installs. Observe that the name of the application matches the
name that was entered during the creation of the MSI file.
9. After the application has completed installation, on the Start menu, navigate to All Programs/
RemoteApp/WordPad.
Note: The application now launches. When the application launches successfully it will display on the
screen as WordPad.
10. In the remote WordPad application, on the File menu, click Exit to close it.
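The .rdp file created earlier and the way it is used above (delivered by e-mail or USB, then opened with saved credentials and no further prompting), as an added example that is not part of the lab: a PowerShell script that parses an .rdp file and reports the settings that decide where the client connects, what it runs and whether the server must prove its identity. The sample file is constructed to look like a TS RemoteApp Manager export for WordPad and is not the lab's actual Wordpad.rdp; the host name DC1.Insiders.Com is an assumed FQDN. The setting names are the standard Remote Desktop Connection ones.

```powershell
# Added example (not part of the lab): inspect a RemoteApp .rdp file before distributing it.
# An .rdp file is plain "name:type:value" text, so the checks are simple string work.
# The sample below is CONSTRUCTED for this example; replace it with Get-Content on a real file.
$sampleRdp = @'
redirectclipboard:i:1
redirectdrives:i:0
remoteapplicationmode:i:1
full address:s:DC1.Insiders.Com
alternate shell:s:rdpinit.exe
remoteapplicationprogram:s:||wordpad
remoteapplicationname:s:WordPad
gatewayusagemethod:i:2
gatewayhostname:s:
authentication level:i:2
prompt for credentials:i:0
'@

function Read-RdpFile([string[]]$Lines) {
    # Returns a hashtable of setting name -> value; the type letter (s/i/b) is dropped.
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^([^:]+):([sib]):(.*)$') { $settings[$matches[1].Trim()] = $matches[3].Trim() }
    }
    $settings
}

function Test-RdpFile($Settings, [string[]]$TrustedHosts) {
    # One finding per setting a reviewer should look at before users double-click the file.
    $findings = @()
    $target = $Settings['full address']
    if (-not $target) { $findings += 'no "full address": the client will prompt for a server' }
    elseif ($TrustedHosts -notcontains $target) { $findings += "connects to a host not in the trusted list: '$target'" }
    if ($Settings['remoteapplicationmode'] -ne '1') { $findings += 'not a RemoteApp file: it opens a full desktop' }
    if ($Settings['alternate shell'] -and $Settings['alternate shell'] -ne 'rdpinit.exe') {
        $findings += "alternate shell is '$($Settings['alternate shell'])' rather than rdpinit.exe"
    }
    # authentication level: 0 = connect even if server authentication fails, 1 = refuse, 2 = warn
    if ($Settings['authentication level'] -eq '0') { $findings += 'server authentication failures are ignored (authentication level 0)' }
    # gatewayusagemethod 1 = always use a TS Gateway; without a host name the client cannot know which one
    if ($Settings['gatewayusagemethod'] -eq '1' -and -not $Settings['gatewayhostname']) {
        $findings += 'TS Gateway is mandatory but no gateway host is named'
    }
    # A file signed with rdpsign carries "signscope" and "signature" entries; without them the
    # client cannot tell who published the file, which matters for anything sent by e-mail.
    if (-not ($Settings.ContainsKey('signature') -and $Settings.ContainsKey('signscope'))) {
        $findings += 'file is unsigned; the client cannot verify who published it'
    }
    $findings
}

$settings = Read-RdpFile ($sampleRdp -split "`n")
$findings = Test-RdpFile $settings @('DC1.Insiders.Com', 'DC1')
if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } } else { Write-Output 'no findings' }
# Real file: Test-RdpFile (Read-RdpFile (Get-Content '\\DC1\Public\Wordpad.rdp')) @('DC1.Insiders.Com', 'DC1')
```

On the constructed sample the only finding is the missing signature, which is the point: a file that is unsigned, mailed around, and then opened with "Remember my credentials" and "Don't prompt me again" is indistinguishable from one edited to point the same users at another host.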
Implementing Terminal Services Web Access
TS Web Access is a feature that makes RemoteApp programs available to users from a web browser. With TS Web
Access, a user can visit a web site, either from the Internet or from an intranet, to access a list of available
RemoteApp programs. When a user starts a RemoteApp program, a Terminal Services session is started
on the terminal server that hosts the remote program.
TS Web Access includes a default web page that you can use to deploy RemoteApp programs over the
web. The web page consists of a frame and a customizable Web Part, where the list of RemoteApp
programs is displayed.
In this exercise, you will configure the terminal server to support Terminal Services Web Access and then
make an application available via the web interface.
Install the TS Web Access role service
In this task you will modify DC1 to include the TS Web Access role service. This extends the terminal
server so that it can provide RemoteApp programs through a web interface.
Note: This task uses the following computer: DC1
1. Log on to DC1 using the user name Administrator and the password P@ssw0rd.
2. On the Start menu, navigate to All Programs/Administrative Tools/Server Manager.
3. In the Explorer pane, navigate to Roles/Terminal Services.
4. In the contents pane, under Role Services, click Add Role Services.
5. In the Select Role Services dialog box, check TS Web Access.
6. In the Add Role Services dialog box, select Add Required Role Services.
7. In the Add Role Services dialog box, on the Select Role Services page, click Next.
8. In the Add Role Services dialog box, on the Web Server (IIS) page, click Next.
9. In the Add Role Services dialog box, on the Select Role Services page, click Next.
10. In the Add Role Services dialog box, on the Confirm Installation Selections page, click Install.
Connect to TS Web Access and launch an application
In this task, you use TS Web Access to reach the applications that you published earlier.
Note: This task uses the following computer: VISTA
1. On the Start menu, click Internet Explorer.
2. In the address bar, enter the address http://DC1/ts and then press ENTER.
3. In the Connect to dc1 dialog box, enter the user name insiders\Administrator and the password
P@ssw0rd.
Note: The TS Web Access page is now displayed. Two programs are shown: Demo Application and the WordPad
program that you published in an earlier task.
4. Click Demo Application in the TS Web Access web page.
5. In the Trust Warning pop-up, click Yes.
6. In the RemoteApp dialog box, click Yes.
7. In the Windows Security dialog box, enter the user name Insiders\Administrator and the password
P@ssw0rd, and then press ENTER.
Note: The application now launches. When the application launches successfully it will display on the
screen as On The Server.
Lab 7: Network Access Protection
Machines needed for this lab
Name Machine State
DC1 Running
Server1 Running
Server2 Saved
RODC Saved
Network Access Protection (NAP) is a new technology introduced in Windows Vista and Windows Server 2008.
NAP includes client components and server components that allow you to create and enforce health requirement
policies that define the required software and system configurations for computers that connect to your network.
NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network
access when client computers are deemed noncompliant, and remediating noncompliant client computers for
unrestricted network access. NAP enforces health requirements on client computers that are attempting to connect
to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is
connected to a network.
In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software
vendors to integrate their solutions into the NAP framework.
NAP enforcement occurs at the moment when client computers attempt to access the network through network
access servers, such as a VPN server running Routing and Remote Access Service, or when clients attempt to
communicate with other network resources. The way that NAP is enforced depends on the enforcement method you
choose.
NAP enforces health requirements for the following:
Internet Protocol security (IPsec)-protected communications
Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
Virtual private network (VPN) connections
Dynamic Host Configuration Protocol (DHCP) configuration
The step-by-step instructions in this lab show you how to deploy a NAP DHCP enforcement test lab so that
you can better understand how DHCP enforcement works. Keep in mind that DHCP enforcement is the weakest of the
four methods: a client with a manually configured IP address never asks the DHCP server for anything and so is
never evaluated. It is well suited to a lab and to monitoring, less so to keeping a determined user off the network.
NAP enforcement and network restriction
NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer
restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The
following settings are available:
Allow full network access. This is the default setting. Clients that match the policy conditions are deemed
compliant with network health requirements, and are granted unrestricted access to the network if the connection
request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.
Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network
health requirements, and are placed on the restricted network.
Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full
network access. NAP enforcement is delayed until the specified date and time.
Remediation
Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is
the process of updating a client computer so that it meets current health requirements. If additional resources are
required for a noncompliant computer to update its health state, these resources must be provided on the restricted
network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current
virus signatures so that noncompliant client computers can update their outdated signatures.
You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components
automatically attempt to update the client computer when it is noncompliant.
This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers
setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on
without user intervention.
Ongoing monitoring to ensure compliance
NAP can enforce health compliance on compliant client computers that are already connected to the network. This
functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health
of client computers change. Client computers are monitored when their health state changes, and when they initiate
requests for network resources. This test lab includes a demonstration of ongoing monitoring when the client's
DHCP-issued address is renewed. The NAP client computer sends a statement of health (SoH) with the DHCP address
request, and is granted full or restricted access based on its current health state.
Install the NPS and DHCP server roles on Server1
To install the NPS and DHCP server roles (log on as Insiders\Administrator):
1. Click Start, and then click Server Manager.
2. Under Roles Summary, click Add roles, and then click Next.
3. On the Select Server Roles page, select the DHCP Server and Network Policy and Access
Services check boxes, and then click Next twice.
4. On the Select Role Services page, select the Network Policy Server check box, and then
click Next twice.
5. On the Select Network Connection Bindings page, verify that 192.168.1.2 is selected, and
then click Next.
6. On the Specify DNS Server Settings page, verify that insiders.com is listed under Parent
domain.
7. Type 192.168.1.1 under Preferred DNS server IP address, and click Validate. Verify that the
result returned is Valid, and then click Next.
8. On the Specify WINS Server Settings page, accept the default setting of WINS is not
required on this network, and then click Next.
9. On the Add or Edit DHCP Scopes page, click Add.
10. In the Add Scope dialog box, type NAP Scope next to Scope Name. Next to Starting IP
Address, type 192.168.1.150, next to Ending IP Address type 192.168.1.200, and next to
Subnet Mask type 255.255.255.0.
11. Select the Activate this scope check box, click OK, and then click Next.
12. On the Select IPv6 DHCP Server Operation Mode page, select Disable DHCPv6, and then
click Next.
13. On the Authorize DHCP Server page, select Use current credentials. Verify that
Insiders\Administrator is displayed next to Username, and then click Next.
14. On the Confirm Installation Selections page, click Install.
15. Verify the installation was successful, and then click Close.
16. Close the Server Manager window.
Configure Server 1 as a NAP health policy server
To configure SHVs
1. Double-click Network Access Protection, and then click System Health Validators.
2. In the middle pane under Name, double-click Windows Security Health Validator.
3. In the Windows Security Health Validator Properties dialog box, click Configure.
4. Clear all check boxes except A firewall is enabled for all network connections. You do not
have to clear the Windows Update check box.
5. Click OK to close the Windows Security Health Validator dialog box, and then click OK to
close the Windows Security Health Validator Properties dialog box.
Configure remediation server groups
Remediation server groups are lists of computers that noncompliant NAP clients can still reach so that they can
update their configuration. Because these servers are exposed to quarantined (possibly unhealthy) clients, keep the
group as small as the remediation actually requires. For the test lab, DC1 will be added to a remediation server
group so that VISTA will have access to DNS when it is noncompliant.
To configure a remediation server group
1. In the console tree, under Network Access Protection, right-click Remediation Server
Groups, and then click New.
2. Under Group Name, type Rem1.
3. Next to Remediation Servers, click Add.
4. In the Add New Server dialog box, under IP address or DNS name, type 192.168.1.1, and
then click OK twice.
Configure health policies
Health policies define which SHVs are evaluated, and how they are used in validating the configuration of computers
that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health
status. This test lab defines two health policies: one that corresponds to a compliant health state and one that
corresponds to a noncompliant health state.
To configure health policies
1. Double-click Policies.
2. Right-click Health Policies, and then click New.
3. In the Create New Health Policy dialog box, under Policy Name, type Compliant.
4. Under Client SHV checks, verify that Client passes all SHV checks is selected.
5. Under SHVs used in this health policy, select the Windows Security Health Validator check
box.
6. Click OK.
7. Right-click Health Policies, and then click New.
8. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
9. Under Client SHV checks, select Client fails one or more SHV checks.
10. Under SHVs used in this health policy, select the Windows Security Health Validator check
box, as shown in the following example, and then click OK.
Configure network policies
Network policies use conditions, settings, and constraints to determine who can connect to the
network. There must be a network policy that will be applied to computers that are compliant with
health requirements, and a network policy that will be applied to computers that are noncompliant.
For this test lab, compliant client computers will be allowed unrestricted network access. Clients
determined to be noncompliant with health requirements will have their access restricted.
Noncompliant clients will also be optionally updated to a compliant state and subsequently granted
unrestricted network access.
Configure a network policy for compliant client computers
First, create a network policy to match network access requests made by compliant client
computers.
To configure a network policy for compliant client computers
1. In the console tree, under Policies, click Network Policies.
2. Disable the two default policies under Policy Name by right-clicking the policies, and then
clicking Disable for each.
3. Right-click Network Policies, and then click New.
4. In the Specify Network Policy Name and Connection Type window, under Policy name,
type Compliant-Full-Access, and then click Next.
5. In the Specify Conditions window, click Add.
6. In the Select condition dialog box, double-click Health Policies.
7. In the Health Policies dialog box, under Health policies, select Compliant, and then click
OK.
8. In the Specify Conditions window, verify that Health Policy is specified under Conditions
with a value of Compliant, and then click Next.
9. In the Specify Access Permission window, verify that Access granted is selected, and
then click Next.
10. In the Configure Authentication Methods window, select Perform machine health
check only. Clear all other check boxes, and then click Next.
11. Click No in the pop-up window warning you about authentication methods.
12. In the Configure Constraints window, click Next.
13. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network
access is selected, and then click Next. See the following example.
14. In the Completing New Network Policy window, click Finish to complete configuration of
your network policy for compliant client computers.
15. Click OK.
Configure a network policy for noncompliant client computers
Next, create a network policy to match network access requests made by noncompliant client computers.
To configure a network policy for noncompliant client computers
1. Right-click Network Policies, and then click New.
2. In the Specify Network Policy Name and Connection Type window, under Policy name,
type Noncompliant-Restricted, and then click Next.
3. In the Specify Conditions window, click Add.
4. In the Select condition dialog box, double-click Health Policies.
5. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click
OK.
6. In the Specify Conditions window, verify that Health Policy is specified under Conditions
with a value of Noncompliant, and then click Next.
7. In the Specify Access Permission window, verify that Access granted is selected, and then
click Next.
Important
A setting of Access granted does not mean that noncompliant clients are granted full
network access. It specifies that clients matching these conditions will be granted an
access level determined by the policy.
8. In the Configure Authentication Methods window, select Perform machine health check
only. Clear all other check boxes, and then click Next.
9. Click No in the pop-up window warning you about authentication methods.
10. In the Configure Constraints window, click Next.
11. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and
verify that Enable auto-remediation of client computers is selected.
12. Click Next, and then click Finish. This completes configuration of your NAP network policies.
Configure DHCP on Server1
Open the DHCP console
To open the DHCP console
1. Click Start, click Run, type dhcpmgmt.msc, and then press ENTER.
2. Leave this window open for all DHCP configuration tasks.
Verify the default NAP profile
First, verify that the default NAP profile is being used on the DHCP server.
To verify the default NAP profile is being used
1. In the DHCP console, double-click server1.insiders.com, and then double-click IPv4.
2. Right-click the scope (Scope [192.168.1.0] NAP Scope), and then click Properties.
3. On the Network Access Protection tab, verify that Use default Network Access Protection
profile is selected, and then click OK.
Configure the default user class
Next, configure scope options for the default user class. These server options are used when a compliant client
computer attempts to access the network and obtain an IP address from the DHCP server.
To configure default user class scope options
1. In the DHCP console, double-click the scope (Scope [192.168.1.0] NAP Scope), right-click Scope
Options, and then click Configure Options.
2. On the Advanced tab, verify that Default User Class is chosen next to User class.
3. Under Available Options, select the 003 Router check box, type 192.168.1.1 in IP Address,
and click Add.
4. Select the 006 DNS Servers check box, type 192.168.1.1 in IP Address, and click Add.
5. Select the 015 DNS Domain Name check box, type insiders.com in String value, and then
click OK. The insiders.com domain is the full-access network assigned to compliant NAP clients.
Configure the default NAP class
Next, configure scope options for the default network access protection class. These server options are used when a
noncompliant client computer attempts to access the network and obtain an IP address from the DHCP server.
To configure default NAP class scope options
1. In the DHCP console, right-click Scope Options, and then click Configure Options.
2. On the Advanced tab, next to User class, choose Default Network Access Protection Class.
3. Select the 006 DNS Servers check box, type 192.168.1.1 in IP Address, and click Add.
4. Select the 015 DNS Domain Name check box, type restricted.insiders.com in String value,
and then click OK. The restricted.insiders.com domain is the restricted-access network assigned
to noncompliant NAP clients. Note that no 003 Router option is configured for this class, so a
restricted client is not given a default gateway.
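The DHCP side of this lab (scope creation from the role wizard, and the two sets of scope options above) can also be done from the command line. The following script is an added example, not part of the original lab; it uses the netsh dhcp context on Windows Server 2008, run from an elevated PowerShell prompt on Server1 after the DHCP Server and NPS roles are installed. It assumes the scope network 192.168.1.0/24, DC1 (192.168.1.1) as router and DNS server, the domain insiders.com, and the built-in DHCP user class name "Default Network Access Protection Class". The "set napstate" verb is an assumption about the Server 2008 netsh syntax and is labelled as such in the code.

```powershell
# Added example (not part of the original lab): the DHCP configuration of this lab as netsh commands.
# Run from an elevated PowerShell prompt on Server1 (as Insiders\Administrator, so the AD
# authorization step works). Assumed values: scope 192.168.1.0/24, DC1 at 192.168.1.1 as router
# and DNS server, domain insiders.com, and the built-in user class named below.

$scope      = '192.168.1.0'
$mask       = '255.255.255.0'
$dc1        = '192.168.1.1'
$fullDomain = 'insiders.com'
$restricted = "restricted.$fullDomain"
$napClass   = 'Default Network Access Protection Class'   # built-in class used for quarantined leases

function Invoke-Netsh {
    # $args holds the netsh words; each array element is passed to netsh.exe as one argument,
    # so values with spaces (class name, scope name) survive intact. Stop on the first failure
    # rather than silently leaving a half-built scope behind.
    $output = & netsh.exe $args
    if ($LASTEXITCODE -ne 0) { throw "netsh $args failed:`n$($output | Out-String)" }
    $output
}

# Wizard step 13: authorize this DHCP server in Active Directory.
Invoke-Netsh dhcp add server server1.insiders.com 192.168.1.2

# Wizard steps 9-11: create the NAP Scope, add its address range, and activate it (state 1 = active).
Invoke-Netsh dhcp server add scope $scope $mask 'NAP Scope'
Invoke-Netsh dhcp server scope $scope add iprange 192.168.1.150 192.168.1.200
Invoke-Netsh dhcp server scope $scope set state 1

# Default User Class options: what a compliant (or non-NAP-capable) client is given.
Invoke-Netsh dhcp server scope $scope set optionvalue 003 IPADDRESS $dc1
Invoke-Netsh dhcp server scope $scope set optionvalue 006 IPADDRESS $dc1
Invoke-Netsh dhcp server scope $scope set optionvalue 015 STRING $fullDomain

# Default Network Access Protection Class options: what a noncompliant client is given.
# Only DNS (pointing at DC1, the remediation server) and the restricted DNS suffix are set;
# the router option is deliberately absent for this class.
Invoke-Netsh dhcp server scope $scope set optionvalue 006 IPADDRESS "user=$napClass" $dc1
Invoke-Netsh dhcp server scope $scope set optionvalue 015 STRING "user=$napClass" $restricted

# Enable NAP on the scope (the console's "Use default Network Access Protection profile" setting).
# Assumption: Windows Server 2008 netsh dhcp accepts 'set napstate on'. If netsh rejects the verb,
# verify the setting on the scope's Network Access Protection tab in the DHCP console instead.
Invoke-Netsh dhcp server scope $scope set napstate on

# Review both option sets; the second listing is what a quarantined client actually receives.
Invoke-Netsh dhcp server scope $scope show optionvalue
Invoke-Netsh dhcp server scope $scope show optionvalue "user=$napClass"
```

When a NAP-capable client is found noncompliant, the DHCP server answers with the NAP-class options shown in the second listing, a subnet mask of 255.255.255.255 and no default gateway, plus host routes to the remediation servers only; that is the whole of the "restriction". A client that ignores DHCP and configures a static address is not restricted at all, which is why DHCP enforcement is considered the weakest NAP enforcement method.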
Configuring VISTA
Enable the DHCP enforcement client
The NAP DHCP enforcement method requires that the DHCP enforcement client is enabled on NAP client computers.
Keep in mind that DHCP enforcement only controls the lease a client is offered: a user with local administrator
rights can bypass it by configuring a static IP address, so it is the weakest NAP enforcement method and should be
treated as a compliance aid rather than a security boundary.
To enable the DHCP enforcement client
1. Click Start, click All Programs, click Accessories, and then click Run.
2. Type napclcfg.msc, and then press ENTER.
3. In the console tree, click Enforcement Clients.
4. In the details pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.
5. Close the NAP Client Configuration console.
Enable and start the NAP agent service
By default, the Network Access Protection Agent service on computers running Windows Vista is configured with a
startup type of Manual. VISTA must be configured so that the Network Access Protection Agent service starts
automatically, and the service must be started.
To enable and start the NAP agent service
1. Click Start, click Control Panel, click System and Maintenance, and then click
Administrative Tools.
2. Double-click Services.
3. In the services list, double-click Network Access Protection Agent.
4. In the Network Access Protection Agent Properties dialog box, change the Startup type to
Automatic, and then click Start.
5. Wait for the NAP agent service to start, and then click OK.
6. Close the Services console, Administrative Tools, and System and Maintenance windows.
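The two VISTA procedures above (enabling the DHCP enforcement client and starting the NAP agent) can be scripted. The following is an added example, not part of the original lab; it runs from an elevated PowerShell prompt on VISTA. The only value it assumes beyond what the page states is the enforcement client ID 79617, which is the ID Windows assigns to the DHCP Quarantine Enforcement Client.

```powershell
# Added example (not part of the original lab): scripted equivalent of the napclcfg.msc and
# Services steps for VISTA. Run from an elevated PowerShell prompt.
# Assumption: 79617 is the NAP enforcement client ID of the DHCP Quarantine Enforcement Client.

$DhcpEnforcementClientId = 79617

function Enable-DhcpEnforcementClient {
    # Same effect as right-clicking "DHCP Quarantine Enforcement Client" and clicking Enable.
    netsh.exe nap client set enforcement "ID=$DhcpEnforcementClientId" "ADMIN=ENABLE" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'netsh nap client set enforcement failed (is the prompt elevated?)' }
}

function Enable-NapAgent {
    # Startup type Manual -> Automatic, then start the service. Note that plain 'sc' is an alias
    # of Set-Content in PowerShell, so sc.exe is named explicitly; the space after 'start=' is required.
    sc.exe config napagent start= auto | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'sc config napagent failed' }
    $svc = Get-Service -Name napagent
    if ($svc.Status -ne 'Running') {
        Start-Service -Name napagent
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    Get-Service -Name napagent
}

function Show-NapClientState {
    # Lists the enforcement clients (DHCP should now be enabled) and the agent's current
    # restriction state, which is the quickest way to see whether NAP is actually in effect.
    netsh.exe nap client show state
}

Enable-DhcpEnforcementClient
Enable-NapAgent
# Renew the lease now so the client sends its Statement of Health with the next DHCP request
# instead of waiting for the lease renewal timer.
ipconfig.exe /renew | Out-Null
Show-NapClientState
```

If "netsh nap client show state" still reports the DHCP enforcement client as disabled, the netsh call was run without elevation; the Security Center NAP icon only appears once both the enforcement client and the agent are active.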
Verify network connectivity for VISTA
Run the ping command from VISTA to confirm network communication between VISTA and DC1. Because the
Network Access Protection Agent service and DHCP enforcement client are running, VISTA is considered NAP-
capable by the DHCP server and, as long as it is compliant, is issued an IP address from the NAP Scope on the
192.168.1.0/24 subnet together with the full-access options (DC1 as router and DNS server, DNS domain
insiders.com).
To use the ping command to check network connectivity
1. Click Start, click All Programs, click Accessories, and then click Command Prompt.
2. In the command window, type ping DC1.
3. Verify that the response reads "Reply from 192.168.1.1".
4. Close the command window.
Verification of NAP auto-remediation
The Noncompliant-Restricted network policy specifies that noncompliant computers should be automatically
remediated. Use the following procedure to verify that VISTA is automatically remediated to a compliant state when
Windows Firewall is turned off.
To verify that VISTA is auto-remediated when Windows Firewall is turned off
1. On VISTA, click Start, and then click Control Panel.
2. Click Security Center, and then click Windows Firewall.
3. In the Windows Firewall dialog box, click Change settings.
4. In the Windows Firewall Settings dialog box, click Off (not recommended), and then click
OK.
5. Watch Windows Security Center and you will see that Windows Firewall is displayed as off
and is then displayed as on.
6. You might see a message in the notification area that indicates the computer does not meet
health requirements. This message is displayed because Windows Firewall has been turned off.
Click this message for more information about the health status of VISTA. See the following
example.
7. The NAP client will automatically turn Windows Firewall on to become compliant with network
health requirements. The following message will appear in the notification area: This computer
meets the requirements of this network.
Because auto-remediation occurs rapidly, you might not see one or both of these messages.
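Because the remediation happens quickly, the notification messages are easy to miss. The following added example (not part of the original lab) drives the same check from a script on VISTA: it turns Windows Firewall off, polls until the NAP agent turns it back on, reports how long that took and what the client's quarantine state is, and then shows how to pull the matching decisions from the NPS Security log on Server1. It assumes an elevated PowerShell prompt on VISTA, the netsh advfirewall and ipconfig output formats of Windows Vista, and the Windows Server 2008 NPS event IDs 6276 (quarantined) and 6278 (granted full access after passing the health check).

```powershell
# Added example (not part of the original lab): scripted auto-remediation check for VISTA,
# plus the server-side event query for Server1. Run from an elevated PowerShell prompt.

function Get-FirewallState {
    # Vista's netsh advfirewall prints one "State ON|OFF" line per profile; any OFF counts as off.
    $text = netsh.exe advfirewall show allprofiles state | Out-String
    if ($text -match 'State\s+OFF') { 'Off' } else { 'On' }
}

function Get-QuarantineState {
    # NAP-capable Vista clients report their restriction state in ipconfig /all.
    $text = ipconfig.exe /all | Out-String
    if ($text -match 'System Quarantine State\s*:\s*(.+)') { $matches[1].Trim() }
    else { 'Unknown (NAP agent not running or enforcement client disabled?)' }
}

function Test-AutoRemediation([int]$TimeoutSeconds = 60) {
    # Turn the firewall off (the lab's noncompliant condition) and measure how long the NAP agent,
    # via the Windows Security Health Agent, takes to turn it back on.
    netsh.exe advfirewall set allprofiles state off | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'could not disable the firewall (is the prompt elevated?)' }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    do {
        Start-Sleep -Milliseconds 500
        $state = Get-FirewallState
    } while ($state -eq 'Off' -and $sw.Elapsed.TotalSeconds -lt $TimeoutSeconds)
    'Firewall {0} after {1:N1} s; quarantine state: {2}' -f $state, $sw.Elapsed.TotalSeconds, (Get-QuarantineState)
}

function Show-NpsNapEvents {
    # Run this part on Server1: make sure NAP decisions are audited, then list the latest
    # quarantine (6276) and full-access-after-health-check (6278) events, newest first.
    auditpol.exe /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null
    wevtutil.exe qe Security /q:"*[System[(EventID=6276 or EventID=6278)]]" /c:10 /rd:true /f:text
}

"Before: firewall $(Get-FirewallState), quarantine state: $(Get-QuarantineState)"
Test-AutoRemediation
```

A healthy run ends with the firewall On and a quarantine state of Not Restricted within a few seconds; if the firewall stays Off for the full timeout, check that the Noncompliant-Restricted policy has auto-remediation enabled and that Server1 logged a 6276 event for VISTA. If Server1 logged nothing, the client never sent a Statement of Health, which usually means the DHCP enforcement client or the NAP agent is not running.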
That's it for today's HOL