
1.2.1. Windows 7 / Windows Server 2008
* Install Windows Server 2008 R2

We get to read the standard End User License Agreement.

Since we're doing a base install and not an upgrade, we choose the Custom
(advanced) option.

We've got a blank 24 GB disk, so we're just going to install it there. If you want to
create a partition out of the available drive space or reformat a drive, choose
Drive options (advanced).

Windows will take a little while with your install, and reboot a few times.

Once the install is finished, we're prompted to change our password before logging
in.

Windows requires that you have a strong password, seven characters long with at
least three of the four following: uppercase letter, lowercase letter, numeral, or
symbol. You'll want to make sure you write it down somewhere for now, because
if you forget it later, the entire install will have to be re-done.

The Initial Configuration Tasks window pops up as soon as you log on. You could
also type Oobe.exe in the Command Prompt to arrive here.

One of the first things we want to correct is the time, so choose Set time zone.
Make sure that you set the time zone first, because the date and time will shift
afterwards.

The Server Name

In the Computer Name property page, click Change...
Accept or change the name of the server

Click OK

A dialog box will ask you to restart your computer. Click OK
Click Close
Click Restart Now

Network Discovery

After the restart, Windows shows a message about network discovery. Click that
message and click "Turn on network discovery and file sharing":

You should receive a message box presenting you with two options:

Click "Yes, turn on network discovery...". If some computers are already installed
and connected to the same router, their names may appear in the Network node in
Windows Explorer.
Windows Updates

You should make sure your installation of the operating system can regularly get
its updates from Microsoft. To take care of this:
a. Click Start -> All Programs -> Windows Update
b. A window will display, asking you to enable automatic updates.
Click Turn On Automatic Updates

You may be asked to install new updates. Do.

Assigning an IP Address to the Server

Every computer on the network needs an IP address so that other computers of the
network can locate it (just like every house needs a physical address so that the
post office and other people can find it).
A computer has two main ways of getting an IP address:

- A server, called a DHCP server (the word "server" here represents an
application; it doesn't have to be a different server than the one you
installed), can automatically assign (provide) an IP address to each computer
- You can manually assign an IP address to each computer. Of course, you
need to know a little bit about something named TCP/IP, which means you
would need to know how to create and assign IP addresses
To reach the network settings on a server that runs Microsoft Windows Server 2008 R2,
either:
- In the Initial Configuration Tasks, click Configure Networking, or
- On the Taskbar, click Start and click Network. In the left frame, right-click
Network and click Properties. Click Local Area Connection. In the Local
Area Connection Status dialog box, click Properties
To assign an IP address to the server:
a. Click Start
b. Right-click Network and click Properties

c. Click Local Area Connection


d. Click Details. Make note (on a piece of paper) of the address on the right
side of IPv4 Address:

(For our example, we are building a small network and we will just use a
small range of IP addresses. In the real world or for a large network, you
would need to actually know TCP/IP, design a range of IP addresses you
plan to use, then assign those IP addresses, or design a way to assign the IP
addresses to the computers)
e. Click Close
f. In the Local Area Connection Status dialog box, click Properties

g. In the checked list box, click Internet Protocol Version 4 (TCP/IPv4)

h. Click Properties
i. Click Use the Following IP Address
j. Type the IP address you want the server to use. For our example, and based
on the above dialog box, we type 192.168.001.001
k. Press Tab
l. Type the subnet mask (normally, it should be added automatically when you
press Tab from the previous IP address text box) and press Tab
m. Type the default gateway address (use the first and the second octets of the
IP address you had provided (such as 192.168) and use 001.001 for the other
two bytes)
n. Provide the Preferred DNS server address (we use 127.0.0.1 for our
example) and the Alternate DNS Server address (we leave ours empty)

o. Click Advanced to check the values that were put in the IP Settings and
DNS property pages
p. Click OK
q. Click OK
r. Click Close
s. Click Close
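The same server configuration as steps a to s, as an added example that is not part of the tutorial: it runs from an elevated PowerShell prompt on Windows Server 2008 R2 (which has no New-NetIPAddress cmdlet, so netsh does the work) and rejects the dialog-style leading zeros of 192.168.001.001, which netsh does not accept. It assumes the adapter is named "Local Area Connection" and uses the tutorial's addresses.

```powershell
# Added example (not from the tutorial): apply the static IPv4 settings from the
# "Assigning an IP Address to the Server" steps with netsh on Windows Server 2008 R2.
# Assumptions: adapter "Local Area Connection"; server 192.168.1.1, gateway
# 192.168.1.1 and preferred DNS 127.0.0.1 as in the tutorial (written without
# leading zeros, which netsh requires).
$Adapter  = "Local Area Connection"
$ServerIp = "192.168.1.1"
$Mask     = "255.255.255.0"
$Gateway  = "192.168.1.1"
$Dns      = "127.0.0.1"

function Test-IPv4 {
    param([string]$Address)
    # Four decimal octets 0-255; a leading zero such as "001" is rejected because
    # some tools read it as octal and netsh refuses it outright
    if ($Address -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') { return $false }
    foreach ($o in $Address.Split('.')) {
        if ([int]$o -gt 255) { return $false }
        if ($o.Length -gt 1 -and $o.StartsWith('0')) { return $false }
    }
    return $true
}

foreach ($a in $ServerIp, $Mask, $Gateway, $Dns) {
    if (-not (Test-IPv4 $a)) { throw "Not a valid dotted-quad address: $a" }
}

# Steps i to m: static address, subnet mask and default gateway (metric 1)
netsh interface ipv4 set address name="$Adapter" source=static address=$ServerIp mask=$Mask gateway=$Gateway gwmetric=1
if ($LASTEXITCODE -ne 0) { throw "netsh failed to set the address" }

# Step n: preferred DNS server. An alternate server would be a second call:
# netsh interface ipv4 add dnsservers name="$Adapter" address=<alternate> index=2
netsh interface ipv4 set dnsservers name="$Adapter" source=static address=$Dns register=primary
if ($LASTEXITCODE -ne 0) { throw "netsh failed to set the DNS server" }

# Step o: review what was applied (the command-line equivalent of Advanced)
netsh interface ipv4 show config name="$Adapter"
ipconfig /all | Select-String "IPv4 Address|Subnet Mask|Default Gateway|DNS Servers"
```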
A Domain Name System (DNS)
To provide this name resolution on your network, you can install an application
named DNS server. To do this:
a. From the Initial Configuration Tasks, click Add Roles
(an alternative is to click Start -> Server Manager, then in the left frame,
right-click Roles and click Add Roles)
b. In the first page of the wizard, titled Before You Begin, read the text and
click Next
c. In the second page of the wizard, click the check box of DNS Server

d. Click Next
e. In the third page of the wizard, titled DNS Server, read the text and click
Next
f. Click Install
Creating a Domain Controller

If you are creating a new network, one of your computers must be able to
manage access to the computers and resources that belong to the network. That is,
a central computer, named a server, must be able to allow or deny people access
(this is called authentication) to the network and its resources. That central
computer, that server, is named a domain controller. The first server you install
should normally be made a domain controller.
To create a domain controller, you must promote your server (to a domain
controller). To do this:
a. Open the Command Prompt (Start -> Command Prompt, or Start -> All
Programs -> Accessories -> Command Prompt)
i. Type CD\ and press Enter to return to the root of the disk
ii. Type dcpromo (which stands for Promote This Computer to a
Domain Controller) and press Enter

iii. A small window will come up, then a wizard will start:

a. In the first page of the wizard, read the text and click Next

b. In the second page of the wizard, read the text and click Next

c. In the third page of the wizard, click Create a New Domain In a New Forest

d. Click Next

e. Type the fully qualified domain name (FQDN) of the new forest root domain.
For our example, we are using functionx.local

f. After specifying the FQDN, click Next. A window will start some
operations:

g. When a dialog box comes up, read its text and click Next

h. On the next page, read the text and click Next. A window will come and
start performing some operations:

i. Click Next

j. Click Next. If you didn't create (assign) an IP address on (to) the server, a
dialog box will come up, about IP address assignment:

If you didn't assign an IP address to the server, it means you plan to use a
DHCP server that will automatically assign IP addresses to the computers of
the network. In this case, click Yes, ...
k. A dialog box comes up

l. Read the text and click Yes
m. In the next page of the wizard, click Next

n. The next page asks you to specify the administrator's password. Click the
Password text box and type the password

o. Click the Confirm Password text box and type the same password

p. After specifying the password, click Next

q. Click Next. A new dialog box will start performing an operation:

This may take a while.

r. Click Finish
s. A new dialog box will ask you to reboot:

Therefore, click Restart Now


t. When the computer comes up, press CTRL + ALT + DELETE and log in
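The same promotion as steps a to t, as an added example that is not part of the tutorial: an unattended dcpromo run driven by an answer file, with the Directory Services Restore Mode password checked against the tutorial's complexity rule and removed from disk as soon as dcpromo returns. It assumes the forest name functionx.local from the tutorial, the NetBIOS name FUNCTIONX, the Windows Server 2008 R2 functional level and the default NTDS/SYSVOL paths.

```powershell
# Added example (not from the tutorial): promote the server to the first domain
# controller of a new forest with dcpromo /unattend instead of the wizard pages.
# Assumptions: forest functionx.local (from the tutorial), NetBIOS name FUNCTIONX,
# Windows Server 2008 R2 functional level (4), default database/log/SYSVOL paths.
$AnswerFile = Join-Path $env:TEMP "dcpromo-unattend.txt"

function Test-Complexity {
    param([string]$Pw)
    # The tutorial's rule: at least seven characters and three of the four classes
    $classes = 0
    foreach ($re in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Pw -cmatch $re) { $classes++ }
    }
    return ($Pw.Length -ge 7 -and $classes -ge 3)
}

# The restore-mode password is typed at the prompt (never stored in the script)
# and lives in the answer file only while dcpromo runs.
$Dsrm = Read-Host "Directory Services Restore Mode password"
if ($Dsrm -ne (Read-Host "Confirm")) { throw "Passwords do not match" }
if (-not (Test-Complexity $Dsrm)) { throw "Password does not meet the complexity rule" }

@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=functionx.local
DomainNetbiosName=FUNCTIONX
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$Dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

$ExitCode = $null
try {
    # Same as typing dcpromo at the prompt, but every wizard answer comes from the file
    dcpromo /unattend:"$AnswerFile"
    $ExitCode = $LASTEXITCODE
} finally {
    # Never leave the restore-mode password on disk, whatever dcpromo did
    Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
}

"dcpromo exit code: $ExitCode (details in %SystemRoot%\debug\dcpromo.log)"
# RebootOnCompletion=No above, so the reboot (step s) is an explicit, confirmed action
Restart-Computer -Confirm
```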
Assigning an IP Address to a Client

The following section is optional, especially if you are working on a small network.
To assign an IP address to the client:
a. Click Start
b. Right-click Network and click Properties

c. Click Local Area Connection


d. Click Details. Make note (on a piece of paper) of the address on the right
side of IPv4 Address:

(For our example, we are building a small network and we will just use a
small range of IP addresses. In the real world or for a large network, you
would need to actually know TCP/IP, design a range of IP addresses you
plan to use, then assign those IP addresses, or design a way to assign the IP
addresses to the computers)
e. Click Close
f. In the Local Area Connection Status dialog box, click Properties

g. In the checked list box, click Internet Protocol Version 4 (TCP/IPv4)

h. Click Properties
i. Click Use the Following IP Address
j. Type the IP address you want the client to use (for our example, and based
on the above dialog box, we type 192.168.001.102) and press Tab
k. Type the subnet mask (normally, it should be added automatically when you
press Tab from the previous IP address text box)
l. Type the default gateway address (use the first and the second octets of the
IP address you had provided (such as 192.168) and use 001.001 for the other
two bytes)
m. Provide the Preferred DNS server address (we use 127.0.0.1 for our
example) and the Alternate DNS Server address (we leave ours empty)

n. Click OK
o. Click Close
p. Click Close
Creating a User Account

To create the primary account to manage the network, on the server:

a. Click Start -> Administrative Tools -> Active Directory Users and
Computers (if a message box comes up, click Continue)
b. If necessary, in the left frame, expand the name of the domain, then
click Users
c. In the left frame, right-click Users -> New -> User
d. Type the first name of the user and press Tab. If you have a middle initial,
type it and press Tab
e. Type the last name
f. Click the User Logon Name text box and type a user name. Here is an
example:

g. Click Next
h. In the next page of the wizard, type the password as Password1
i. Press Tab and type the same password. Here is an example:

j. Click Next

k. Click Finish
Making a User Account an Administrator

To make a user account become an administrator, on the server:
a. Click Start -> Administrative Tools -> Active Directory Users and
Computers
b. In the left frame, expand the domain's node
c. Click Users
d. Double-click the user name whose rights you want to manage (or right-click
that user name and click Properties)
e. Click Member Of
f. Click Add...
g. In the bottom text box (where the caret is blinking), type admin.
h. Click Check Names

i. Make sure Administrators is selected and underlined, then click OK
j. Click OK
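The same two procedures ("Creating a User Account" and "Making a User Account an Administrator") as an added example that is not part of the tutorial, using the ActiveDirectory module that ships with Windows Server 2008 R2. It assumes the domain functionx.local; the person's names and logon name are placeholders, and the password is prompted for rather than written into the script.

```powershell
# Added example (not from the tutorial): create a domain user and add it to the
# Administrators group on the domain controller, then verify the membership.
# Assumptions: domain functionx.local (from the tutorial); "Jane Doe" / "jdoe"
# are placeholder values.
Import-Module ActiveDirectory

$First = "Jane"; $Last = "Doe"; $Logon = "jdoe"
$Domain = "functionx.local"
$UsersContainer = "CN=Users,DC=functionx,DC=local"

# Steps d to i: the password is read as a SecureString at the prompt; the account
# is enabled and the user must change the password at first logon
$Password = Read-Host "Initial password for $Logon" -AsSecureString

New-ADUser -Name "$First $Last" -GivenName $First -Surname $Last `
    -SamAccountName $Logon -UserPrincipalName "$Logon@$Domain" `
    -Path $UsersContainer -AccountPassword $Password `
    -Enabled $true -ChangePasswordAtLogon $true

# Member Of -> Add -> "admin" -> Check Names -> Administrators, in one call
Add-ADGroupMember -Identity "Administrators" -Members $Logon

function Get-GroupNames {
    param([string]$Sam)
    # Resolve each group DN in memberOf to its display name
    $u = Get-ADUser -Identity $Sam -Properties MemberOf
    return @($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
}

$Groups = Get-GroupNames $Logon
if ($Groups -notcontains "Administrators") { throw "$Logon is not in Administrators" }
"$Logon is a member of: $($Groups -join ', ')"
```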
Optionally Creating a Computer Account

Joining a Domain

Preparing a Workstation

To prepare a workstation to join the domain, on the workstation:

a. Click Start -> Control Panel
b. Click View Network Status and Tasks (or click Network and Internet, then
Network and Sharing Center)
c. Click Local Area Connection
d. Click Properties
e. In the Networking tab of the Local Area Connection Properties, in the
checked list box, click Internet Protocol Version 4 (TCP/IPv4)

f. Click Properties
g. Click Use the Following IP Address
h. Type the IP address you want the workstation to use. For example, add 2 to
the last octet of the IP address you gave to the server and press Tab
i. Type the subnet mask (it should be added automatically when you press Tab
from the previous text box)
j. Type the default gateway address (use the first and the second octets of the
IP address you had provided (such as 192.168) and use 001.001 for the other
two octets)

k. For the Preferred DNS Server, type the same IP address as the server

l. Click OK
m. Click Close
n. Click Close
Joining the Domain

To join a domain using Microsoft Windows 7 Professional, Ultimate, or
Enterprise:
a. On the Taskbar, click Start, right-click My Computer and click Properties...

b. Click Change Settings
c. In the System Properties dialog box, click the Computer Name tab and click
the Change... button.
If the computer is running Microsoft Windows 7 Home Premium, the
Domain radio button would be disabled, indicating that the computer cannot
join a domain:

d. In the Computer Name text box, enter the desired name of the computer. If
you had already created an account in the domain for this computer, type
that name
e. In the Member Of section, click the Domain radio button
f. Click the Domain text box and enter the name of the domain

g. After specifying the name of the computer and the domain to join, click OK
h. You would then be asked to provide a user name and a password for a user
who has the permissions to let a computer join a domain.
Type the name of the domain, followed by \ and followed by the user name
of an account that can allow a computer to join a domain and press Tab
i. Type the account's password

j. After entering a user and a password, click OK. If you have the right to add
computers to the domain, you would receive a Welcome message:

Click OK
k. You will be asked to restart the computer

Click OK

l. In the System Properties dialog box, click Close
m. When asked to restart the computer, click Restart Now
n. After the computer has restarted, press CTRL + ALT + DELETE to Log On
o. Click Switch User
p. Click Other User
q. Type the user name of a user who has an account in the network's domain and
press Tab
r. Type the password
s. Click the green button with the right pointing arrow
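The workstation side ("Preparing a Workstation" and "Joining the Domain") as an added example that is not part of the tutorial, for an elevated PowerShell 2.0 prompt on the Windows 7 client. It assumes the server at 192.168.1.1 is also the gateway and DNS server as in the tutorial, derives the workstation address by adding 2 to the last octet, checks that the domain's DNS records are reachable before attempting the join, and assumes the adapter name "Local Area Connection" and the domain functionx.local; the joining account name is a placeholder.

```powershell
# Added example (not from the tutorial): give the Windows 7 workstation its static
# address and join it to the domain. Assumptions: server/gateway/DNS 192.168.1.1,
# domain functionx.local (both from the tutorial), adapter "Local Area Connection",
# joining account FUNCTIONX\Administrator as a placeholder.
$Adapter = "Local Area Connection"
$Server  = "192.168.1.1"
$Domain  = "functionx.local"

function Add-ToLastOctet {
    param([string]$Address, [int]$Delta)
    # Tutorial rule (step h): workstation address = server address + 2 in the last octet
    $o = @($Address.Split('.') | ForEach-Object { [int]$_ })
    $o[3] += $Delta
    if ($o[3] -lt 1 -or $o[3] -gt 254) { throw "Last octet out of host range: $($o[3])" }
    return ($o -join '.')
}
$ClientIp = Add-ToLastOctet $Server 2     # 192.168.1.3

# Steps f to k with netsh (Windows 7 has no New-NetIPAddress)
netsh interface ipv4 set address name="$Adapter" source=static address=$ClientIp mask=255.255.255.0 gateway=$Server gwmetric=1
if ($LASTEXITCODE -ne 0) { throw "netsh failed to set the address" }
netsh interface ipv4 set dnsservers name="$Adapter" source=static address=$Server register=primary
if ($LASTEXITCODE -ne 0) { throw "netsh failed to set the DNS server" }

# A join needs the domain's SRV record for a domain controller; if the DNS server
# above cannot answer this, the join fails with a name-resolution error
$Srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $Server 2>&1
if (-not ($Srv | Select-String "svr hostname")) {
    throw "No domain controller SRV record for $Domain via $Server"
}

# Step h of "Joining the Domain": DOMAIN\user of an account allowed to join
# computers; the password is entered at the prompt, never stored here
$Cred = Get-Credential "FUNCTIONX\Administrator"
Add-Computer -DomainName $Domain -Credential $Cred
Restart-Computer -Confirm
```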
* Active Directory (AD) and domain controllers (DC): the first DC of a forest holds
the forest root domain.
* Roles are installed on the server as services and features.
* A DC holds the domain's global catalog (users across the forest) and the AD
database; the domain administrator and the enterprise administrator have
different scope.
* Quotas can be applied per user.
* DHCP (Dynamic Host Configuration Protocol): automatically hands each client an
IP address, the DNS server address and the default gateway (router).

* DNS (Domain Name System): resolves a name such as www.yahoo.com to an
address such as 216.109.112.135; DNS dates from 1984.

* DHCP superscope: groups several scopes so that more than one IP range can serve
clients.
* IP address selection order on a client: a static IP address takes precedence;
otherwise DHCP; otherwise the alternate configuration; otherwise APIPA
(169.254.x.x).

DHCP
Windows Server 2008 DHCP Install Environment
For this demo I am going to assume we have the following already set up:

- Windows Server 2008 installed
- Active Directory Domain Services installed
- DNS Server installed
- Static IP on the DHCP server

To get started, fire up the Server Manager, right click on roles, and then select add
roles.

You will be prompted with the normal Before You Begin screen, and after
clicking Next you'll be able to choose DHCP Server.

Next you'll want to select the network connection to bind the DHCP protocol to.

Put in the IP address of your DNS server (which in this case is the same machine),
but be careful not to put the loopback address (127.0.0.1), as this is the address
your clients will be told to use for name resolution.

Click Next again to skip the WINS setup; this will bring you to creating a DHCP
scope, where you can click the Add button.

Now you need to:

- Give your scope a name
- Enter the first address that you want available for clients to use
- Enter the last address that you want available for clients to use
- Enter the subnet mask (usually 255.255.255.0)
- Enter the IP address of your default gateway (usually your router IP at .1)

Once you have clicked OK, you can click Next 4 times to get to the
confirmation screen, where you can finally click Install.

Once the installation is complete your DHCP will be functioning, and you can start
managing your DHCP server right away.
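The scope the wizard creates above, as an added example that is not part of the tutorial, built with the netsh dhcp context on Windows Server 2008 R2; it refuses the loopback mistake the text warns about before any option is written. It assumes the scope 192.168.1.0/24 named "LAN", a client pool of .100 to .200, the router and DNS server both at 192.168.1.1, and that the DHCP server is authorized in AD under the placeholder name dhcp.functionx.local.

```powershell
# Added example (not from the tutorial): create and activate the DHCP scope from the
# wizard steps with netsh, with a guard against handing clients a DNS address that
# only makes sense on the server itself. Assumptions: 192.168.1.0/24, pool
# .100-.200, router and DNS 192.168.1.1, scope name "LAN", DNS suffix
# functionx.local, server FQDN dhcp.functionx.local (placeholder).
$Network = "192.168.1.0"; $Mask = "255.255.255.0"; $Name = "LAN"
$First   = "192.168.1.100"; $Last = "192.168.1.200"
$Router  = "192.168.1.1";   $DnsServer = "192.168.1.1"

function Test-ClientUsableDns {
    param([string]$Address)
    # Option 006 is delivered to other machines: loopback (127/8), 0.0.0.0 and
    # APIPA (169.254/16) would point each client at itself or at nothing
    return -not ($Address -match '^(127\.|0\.0\.0\.0$|169\.254\.)')
}
if (-not (Test-ClientUsableDns $DnsServer)) {
    throw "DNS option $DnsServer is not usable by clients; use the server's LAN address"
}

# Scope name, first/last address, subnet mask
netsh dhcp server add scope $Network $Mask "$Name"
if ($LASTEXITCODE -ne 0) { throw "Could not create scope $Network" }
netsh dhcp server scope $Network add iprange $First $Last

# Scope options: 003 router, 006 DNS servers, 015 DNS domain name
netsh dhcp server scope $Network set optionvalue 003 IPADDRESS $Router
netsh dhcp server scope $Network set optionvalue 006 IPADDRESS $DnsServer
netsh dhcp server scope $Network set optionvalue 015 STRING "functionx.local"

# Activate the scope; a DHCP server in an AD domain must also be authorized
# before it will answer clients
netsh dhcp server scope $Network set state 1
netsh dhcp add server dhcp.functionx.local $DnsServer

# Review the result
netsh dhcp server show scope
netsh dhcp server scope $Network show optionvalue
```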

2.2.1.1.1 Routing & Remote Services

* Routing: forwarding IP packets from one network (A) to another (B); a switch
alone only connects hosts within one LAN. A host decides where to send a
packet by consulting its routing table.
* Ping results: Reply (the host answered); Request Timed Out (the packet reached
the network but no reply came back); Destination Unreachable (no route or
gateway leads to that network).
* DHCP Discover: a client without an IP address sends the discovery packet as a
local broadcast to 255.255.255.255.
* Private IP ranges (as opposed to public IP addresses):
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.16.255.255
192.168.0.0 - 192.168.255.255
169.254.0.0 - 169.254.255.255 (APIPA)
127.0.0.0 - 127.255.255.255 (loopback)

* NAT (Network Address Translation): lets hosts with private IP addresses share
one public IP address; the router keeps track of each user's connection by
IP address plus port number.

* VPN (virtual private network) and Remote Access: let a remote desktop log in
to the domain over (1) wireless, (2) a VPN across an Internet link such as ADSL
or a USB modem, or (3) dial-up.
* Remote access proceeds in three phases: (1) connection, (2) authentication
(username + password), (3) authorization.
* VPN protocols: (1) SSTP (introduced with Windows Server 2008), (2) PPTP (the
least secure), (3) L2TP. Encryption defaults to 128-bit.
LAN Routing:
On the server, go to Server Manager. Right-click Roles and select Add Roles.

Review the information and click Next.

Select the check box next to Network Policy and Access Services and click Next.
Click Next on Introduction to Network Policy and Access Services.

Select the check box next to Routing and Remote Access Services. It will
automatically select the necessary services. Click Next.

VPN:
Configuring VPN on Server 2008 R2
Configuring a VPN starts with adding the server role for RRAS.

Just follow the next two pictures to see what to choose.

Wait for the wizard to finish; you will then get this picture:

Now you have the role installed. You must configure and enable RRAS.

When you click the option Configure and Enable RRAS, a new wizard will start.
Just follow the wizard in the next 5 pictures.

NOTE: You MUST have two NICs configured, one for internal use (LAN) and one
for external use (the Internet).

I prefer to choose the IP address range and the number of clients that may
connect; the next picture shows how to do that.

If you have an AD infrastructure, configure your RRAS like this:

After this you will get this picture; click Finish.

Now your server has RRAS successfully configured.


Configuring a client on Windows 7 for VPN access
Go to Network and Sharing Center and choose the option Set up a new connection or
network.

Choose the option Connect to a workplace.

For the RRAS configuration described above, the option Use my Internet
connection (VPN) is the right choice.

Type the DNS name or public IP address of your RRAS server, and follow the steps in
the next three pictures.

Additional options such as authentication protocols can be found in the properties
of your VPN connection. The most commonly used ones are already checked.

Configuring a client on Windows XP for VPN access

On Windows XP go to Network Connections and click Create a new connection.

A wizard will start. Follow the next three pictures.

Choose a name for your VPN connection.

Type the DNS name or public IP address of your previously configured RRAS (VPN)
server.

Well done, you have configured the client for VPN access. Now you need to type your
username and password before connecting.

The steps for configuring additional authentication protocols (if needed) are
described in the next two pictures. First you must click Properties.

NAT:

Installing the Server Computer

First, Windows Server 2008 was installed on the double-NIC computer and the
IPv4 settings of each NIC were configured as follows:

NIC connected to Test LAN:

IP address = 10.0.0.1
Subnet mask = 255.0.0.0
Default gateway = none
DNS servers = none

NIC connected to Workplace LAN:

IP address = 172.16.11.220
Subnet mask = 255.255.255.0

Default gateway = 172.16.11.1
DNS servers = the public IP addresses of my ISP's DNS servers

Note that the NIC connected to the Test LAN (10.0.0.0) should not have a default
gateway; see KB 157025 for an explanation of why multihomed computers
(computers connected to multiple networks) should only have one gateway address
assigned.

Note also that the NIC connected to the Workplace LAN has been configured with
the IP addresses of public DNS servers. This is not needed in order for the clients
on the Test network to access the Internet, but it is needed if you want to be able
to access the Internet from the RRAS server itself.

Installing the Client Computers on the Test LAN

Windows 7 was then installed on the client computers, after which their IPv4
settings were configured as follows:

IP address = 10.0.0.101 (.102, .103, ...)
Subnet mask = 255.0.0.0
Default gateway = 10.0.0.1 (the near-side interface of the RRAS box)
DNS servers = the public IP addresses of my ISP's DNS servers

At this point all the "wires" are connected, but if we try to ping the DSL router
from a client computer on the Test network, or if we try to traceroute an address on
the public Internet from the same client computer, these attempts will fail,
indicating that the Test network does not yet have Internet connectivity (Figure 2):

Figure 2: Cannot ping a public IP address from a client on the Test network

And naturally, if we try to browse the Web from our client machine, this too will
fail (Figure 3):

Figure 3: Cannot browse the Web

Installing and Configuring RRAS

To enable the client computers on the Test network to access the Internet, we need
to install the RRAS role on the server and then configure the server as a NAT
router. To install the RRAS role, launch the Add Roles Wizard from Server
Manager or OOBE.exe and add the Network Policy and Access Services role
(Figure 4):

Figure 4: Installing RRAS step 1

On the next wizard page, select Routing and Remote Access Services to install two
role services, Remote Access Service and Routing (Figure 5):

Figure 5: Installing RRAS step 2

Once the wizard finishes, open the Routing and Remote Access console from
Administrative Tools, right-click on the local server and select Configure and
Enable Routing and remote Access. This launches the Routing and Remote Access
Server Setup Wizard; select Network Address Translation (NAT) on the
Configuration page of this wizard as shown in Figure 6:

Figure 6: Configuring RRAS for NAT step 1

Next, on the NAT Internet Connection page, we select the network interface that is
on the Workplace LAN, which is the "public interface" of the NAT router (see
Figure 7).

Figure 7: Configuring RRAS for NAT step 2

The next page asks us whether the NAT router should also provide DHCP and
DNS services to the computers on the Test network, which is connected to the
"private interface" of the NAT router. Since our client computers all have static IP
addresses assigned, we'll choose not to do this (Figure 8):

Figure 8: Configuring RRAS for NAT step 3

Once the wizard finishes, the RRAS service starts up and the service is configured
for both IPv4 routing and NAT. To see this, begin by right-clicking on the local
server in the RRAS console and selecting Properties. The General tab shows that
IPv4 routing has been enabled, which means IPv4 packets can be forwarded from
one NIC to the other (Figure 9):

Figure 9: Verifying RRAS configuration step 1

Selecting the NAT node in the RRAS console shows that three network interfaces
were created when NAT was configured on the server using the Routing and
Remote Access Server Setup Wizard. Figure 10 shows the properties of Local Area
Connection, which in this scenario is the network connection to the Test (10.0.0.0)
network. Note that NAT considers this network the "private" network, that is, the
network "behind" the NAT router:

Figure 10: Verifying RRAS configuration step 2

Figure 11 shows the properties of Local Area Connection 2, which in this scenario
is the network connection to the Workplace (172.16.11.0) network. Note that NAT
considers this network the "public" network, that is, the network "in front of" (on
the Internet side of) the NAT router:

Figure 11: Verifying RRAS configuration step 3

The Internal network interface is also added to the NAT configuration as a private
interface.

Testing NAT

At this point NAT has been configured with IP routing, and if I try and ping the
DSL router from a client computer on the Test network, or if I try and traceroute
from the same client to a server on the public Internet, these attempts should now
succeed (Figure 12):

Figure 12: Network connectivity verified between the Test network and the
Internet

Likewise, if I try and browse the Web from a client computer on the Test network,
this too should succeed (Figure 13):

Figure 13: Computers behind the NAT can browse the Web

I can also monitor NAT activity using the RRAS console. To do this, open the
console and select the NAT node and examine the network statistics for Local Area
Connection 2 (the "public" or Internet-facing NAT interface) as shown in Figure
14:

Figure 14: Viewing NAT activity

Finally, by right-clicking on this interface and selecting Show Mappings, you can
open a separate window that lets you view more details concerning what your NAT
router is doing (Figure 15):

Figure 15: Viewing detailed NAT activity

LAN Routing (continued): after selecting Routing and Remote Access Services in
the Add Roles wizard, the steps continue as follows.

Click Install on Confirm Installation Selection.

Click Close on Installation Results.

Go to Start, Administrative Tools, Routing and Remote Access.

Right-click your server and select Configure and Enable Routing and Remote
Access.

Click Next on the Welcome screen.

Select Custom Configuration and click Next.

Select LAN Routing and click Next.

Click Finish to complete the Routing and Remote Access Setup Wizard.

Click Start Service.

Your Routing and Remote Access Server is ready. Your Private Networks
should communicate now.

RIP:

Static Routing in Windows Server 2008

Show the static routing table

Showing the static routing table is easy, just use the route print command, as you
see in Figure 1 below.

Add a static route

So how do you add a static route at the command line? The answer is easy: use the
route add command, like this:

route add 1.1.1.0 mask 255.255.255.0 10.0.1.1 if 1

As you see in Figure 2, the result of our route add was an affirmative OK!

Figure 2: Using the route add command in Windows 2008

What was important in the route add command was the network we want to add, its
subnet, the destination/gateway, and the interface for that route.

Delete a static route

Deleting a route is even easier than adding a route. All you have to do is to
tell route delete the network that you want to remove, as you see in Figure 3.
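The add/show/delete cycle from these three sections, as an added example that is not part of the article, with two things the article's one-liner leaves out: -p makes the route survive a reboot (a route added without it is gone after a restart), and the interface index is looked up from the adapter name rather than guessed. The route-table parser is exercised first on a constructed sample of route print output, then on the live table. It assumes the article's network 1.1.1.0/24 via 10.0.1.1 and an adapter named "Local Area Connection".

```powershell
# Added example (not from the article): persistent static route management with
# route.exe plus a parser for 'route print'. Assumptions: destination 1.1.1.0/24 via
# 10.0.1.1 (from the article), adapter "Local Area Connection".

function ConvertFrom-RoutePrint {
    param([string[]]$Lines)
    # Turn the IPv4 'Active Routes' rows of 'route print' into objects
    $rows = @()
    foreach ($l in $Lines) {
        if ($l -match '^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$') {
            $rows += New-Object PSObject -Property @{
                Destination = $matches[1]; Netmask = $matches[2]; Gateway = $matches[3]
                Interface   = $matches[4]; Metric  = [int]$matches[5]
            }
        }
    }
    return $rows
}

function Get-InterfaceIndex {
    param([string]$AdapterName)
    # 'route add ... if N' wants the interface index; admins know the adapter name
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$AdapterName'"
    if (-not $nic) { throw "No adapter named $AdapterName" }
    return [int]$nic.InterfaceIndex
}

function Test-RoutePresent {
    param([string[]]$Table, [string]$Destination)
    return [bool](ConvertFrom-RoutePrint $Table | Where-Object { $_.Destination -eq $Destination })
}

# Constructed sample of 'route print' output (not captured from a real host)
$Sample = @(
"IPv4 Route Table",
"===========================================================================",
"Active Routes:",
"Network Destination        Netmask          Gateway       Interface  Metric",
"          0.0.0.0          0.0.0.0      10.0.1.1        10.0.1.5     10",
"         10.0.1.0    255.255.255.0         On-link        10.0.1.5    266",
"        127.0.0.0        255.0.0.0         On-link       127.0.0.1    306",
"          1.1.1.0    255.255.255.0      10.0.1.1        10.0.1.5     11"
)
if (-not (Test-RoutePresent $Sample "1.1.1.0")) { throw "Parser failed on the sample" }
ConvertFrom-RoutePrint $Sample | Format-Table Destination, Netmask, Gateway, Interface, Metric -AutoSize

# Live use: add the route persistently, verify it, then delete it as in Figure 3
$IfIndex = Get-InterfaceIndex "Local Area Connection"
route -p add 1.1.1.0 mask 255.255.255.0 10.0.1.1 if $IfIndex
if ($LASTEXITCODE -ne 0) { throw "route add failed" }
if (-not (Test-RoutePresent (route -4 print) "1.1.1.0")) { throw "Route not in the live table" }
route delete 1.1.1.0
```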

Dynamic Routing in Windows Server 2008 using RIPV2

Earlier in the article, I talked about the benefits of configuring dynamic routing.
So, now let me provide you the steps to configuring RIPv2 in Windows 2008:

1. The first step is to install the Routing and Remote Access (RRAS) role in
Windows 2008 Server. If you go into the Add Roles Wizard, the RRAS role can be
difficult to find because what you really need to add is theNetwork Policy and
Access Services role then the Routing and Remote Access Services Role (as you
see in Figure 4 and Figure 5).

Figure 4: Adding the RRAS Role through the Network Policy and Access Services

Figure 5: The Win 2008 Role Services are part of the Network Policy and Access
Services Role

Once installed you can configure RRAS from the Server Manager application, but I
prefer the Routing and Remote Access application.

2. The second part of this is to Configure Routing and Remote Access by opening
the RRAS MMC, right-clicking on the server name, and clicking Configure and
Enable Routing and Remote Access, like this:

Figure 6: Configuring and Enabling RRAS

Make sure that you do a Custom Configuration concerning what RRAS protocol
to install. Then, choose to install LAN ROUTING then choose to start the service.

From there, you can see the Network Interfaces controlled by RRAS and specific
configurations for IPV4 and IPV6.

At this point, you can expand IPV4, go to General, then to New Routing
Protocol.

Figure 7: Adding a new Routing Protocol

Next, choose to install RIPV2 as your routing protocol.

Figure 8: Adding RIP V2

3. Now that you have RIPv2 installed, you can configure it. Configuring it is really as
easy as adding the interfaces that you want to use to exchange RIP routes with. To
do this, go to the RIP section, right click, click on New Interface, select the
interface you want to add under RIP as you see in Figure 9.

Figure 9: Adding a new RIP interface

4. After selecting the interface, you have the option to configure a wide variety of
RIP connection properties (as you see in Figure 10). There is more to configuring
RIP than I can go into in this article as RIP configuration can either be very simple
or it can become very complex.

3.2.1.1 File Server

* File Server: the basic file share service is installed by default.

How to install FSRM
How to install FSRM
File Server Resource Manager is one of the role services of the File Services
role.

To install it, open the Server Manager tool on your file server, right-click the
File Server node on the tree and select Add Role Services. The Add Role
Services wizard will start, as shown below:

Check the File Server Resource Manager box and click Next. You will then
select the NTFS volumes you want to monitor:

Click on Options to see additional options for reports:

The screen above shows the standard configuration for a volume, along with the
reports that are generated when that threshold is reached.

Select the reports you want, click OK to close that window, then click Next to
continue. This last window before the confirmation lets you specify the folder
where the reports are saved and also the e-mail reporting details:

Click "Next", review the confirmation and click Install to finish the wizard.

Keep in mind that you can decide not to add any volumes during this install phase
and add them later, after FSRM is already installed.

File Server Resource Manager MMC

Once the FSRM Role Service is properly configured, you will have an additional
item under the Administrative Tools menu.

Click on Administrative Tools and select File Server Resource Manager to
launch the FSRM MMC (Microsoft Management Console). See the screenshot
below, with all the nodes of the tree expanded:

We'll now examine the individual features exposed by this MMC.

Quota Management

Quotas help you restrict and/or monitor how much space a folder can use.

FSRM can implement both hard Quotas (that actually prevent the users from
adding more files, as if the disk were full) and soft Quotas (which only generate
events and warnings).

You can see the Quotas in the screen below (Quotas node under Quota
Management):

Note that this is the soft Quota we created during the FSRM installation.

To add more Quota restrictions, click on the Create Quota action (on the
Actions pane on the right):

Quotas are always placed on a folder. You have the choice of basing your Quota
on a template or defining a custom one. FSRM ships with a series of sample Quota
templates that you can adapt to your needs.

If you click on Custom Properties, you can provide many details, as shown
below:

In addition to specifying the space limit (hard or soft), you can also create different
thresholds, with different actions. The sample above sends e-mail alerts at
85%/95%/100% and logs events at 95%/100%. If you click on the Add button,
you can see the configuration options for each threshold.

You can even choose to execute a command when a threshold is reached, which is
shown on the screen below. If you are skilled with scripting, you can use this
ability to perform a number of sophisticated tasks.

Instead of specifying custom Quotas folder by folder, you can use standard FSRM
Quota templates or define your own templates.

The screen below shows the default templates and also shows the Create Quota
Template action on the right:

The power of Quota Templates becomes much more obvious when you use the
option to Auto apply template while creating a Quota:

This option requires that you select a template (not a custom Quota). A Quota is
created based on that template for all folders under the specified path.

Every time you add another subfolder to that folder, the template is automatically
used to create another Quota for it. This allows you much simpler configuration for
certain folder structures like web sites, project folders, etc.

File Screening Management

File Screening helps you restrict and/or monitor which file extensions can be stored
on your file server. FSRM can provide either active screening (block files with
certain extensions) or passive screening (monitor file extensions without blocking).
Screening matches the file name pattern, not the file's content, so it stops careless
or casual misuse but not a user who simply renames the file.

File extensions can also be combined in File Groups like Image Files and
Audio and Video Files:

You can see the existing File Screens in the File Screens node under File
Screening Management. None are defined by default.

To add a File Screen, click on the Create File Screen action (on the Actions
pane on the right):

As with Quotas, FSRM supplies some predefined File Screen Templates. You can
also opt to define your own File Screening properties, as shown below:

Once you click on Custom Properties, you will see the window below:

The basic properties include the path to monitor, the type of monitoring (active or
passive), the file groups to block/monitor and the specific actions to take (e-mail,
event log, command or report).

You will probably want to use a template to define your File Screening. Below is
the list of pre-defined templates included with FSRM:

You can also create your own File Screening Templates, just like with Quota
Templates.

FSRM includes a list of pre-defined File Groups, as shown below:

You can use those, modify them or create your own File Groups.

Storage Reports Management

One important feature of FSRM is the ability to produce a range of reports about the
file server that make it simpler to manage. Those reports include Files by Group,
Files by Owner, Large Files, Most Recently Accessed Files and Duplicate Files, to
mention a few (see screen below).

Reports can be generated on demand, on a schedule, or triggered when a Quota or File
Screen threshold is reached. They can also be generated in different formats (see
options on the screen below) and are delivered to a folder defined when you installed
the role service.

That folder can also be updated in the FSRM configuration:

Below you see a number of those manually generated reports using the HTML
format:

Please check the sample below, in HTML format, showing the Files by Owner
report:
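The File Screening and Storage Reports sections above, as one added example that is not code from the original tutorial: a custom File Group, an active File Screen that logs an event and mails the offender, and an on-demand Storage Report. It uses the FileServerResourceManager module (Windows Server 2012 and later; on 2008 R2 the equivalents are filescrn.exe and storrept.exe). The share path, the group name and the report name are assumptions.

```powershell
# Added example (not from the original tutorial): FSRM file group, active file
# screen and storage report. Path and names are assumptions.
Import-Module FileServerResourceManager

$shareRoot = 'D:\Shares\Users'   # assumed

# File Groups are name patterns only: FSRM looks at the file name, not its content,
# so a renamed payload (tool.exe -> tool.txt) passes. Treat screening as hygiene
# against storage misuse, not as malware control.
New-FsrmFileGroup -Name 'Scripts and Executables (custom)' `
    -IncludePattern @('*.exe','*.com','*.scr','*.bat','*.cmd','*.ps1','*.vbs','*.js','*.hta','*.msi') `
    -ExcludePattern @('logon.bat') `
    -Description 'Executable and script types blocked on user shares' | Out-Null

$screenEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to save [Source File Path] to [File Screen Path]; blocked by group [Violated File Group].'
$screenMail  = New-FsrmAction -Type Email -MailTo '[Source Io Owner Email];[Admin Email]' `
    -Subject 'File type not allowed on [File Screen Path]' `
    -Body 'The file [Source File Path] was refused because it belongs to the group "[Violated File Group]".'

# -Active blocks the write; leave it out for passive (monitor-only) screening.
New-FsrmFileScreen -Path $shareRoot -Active `
    -IncludeGroup @('Scripts and Executables (custom)', 'Audio and Video Files') `
    -Notification @($screenEvent, $screenMail) | Out-Null

# Storage report generated on demand (-Interactive) in HTML and CSV.
# A scheduled report would use -Schedule (New-FsrmScheduledTask ...) instead.
New-FsrmStorageReport -Name 'Users share audit' -Namespace @($shareRoot) `
    -ReportType @('LargeFiles', 'FilesByOwner', 'FilesByFileGroup') `
    -ReportFormat @('Html', 'Csv') -LargeFileMinimum 200MB -Interactive | Out-Null
Start-FsrmStorageReport -Name 'Users share audit'

# On-demand reports land in the folder set when the role service was installed;
# show it and, if needed, move it (uncomment the Set-FsrmSetting line).
(Get-FsrmSetting).ReportLocationOnDemand
# Set-FsrmSetting -ReportLocationOnDemand 'D:\FSRMReports\OnDemand'

# Review: which screens are active, and recent screening events written by the
# FSRM service (source SRMSVC) to the Application log.
Get-FsrmFileScreen | Select-Object Path, Active, IncludeGroup | Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

The exclude pattern shows how to carve out a legitimate exception (a logon script) without opening the whole extension; keep such exceptions as specific as possible, because an excluded pattern is excluded for every user of the screened path.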

4.2.1.1 Distributed File System (DFS)

* DFS namespace: users reach a share through a single domain path instead of the name of each server.
* Replication: a shared folder is kept synchronised between DC1 and DC2.

Installation:
1. Open Server Manager.

2. Go to Roles in the left pane, then click Add Roles in the center pane.

3. Select File Services from the list of roles.

You will see a short description of what the File Services role provides in the upper
right corner in case you needed it. Click Next when done.

4. Now you will get an Introduction to File Services information screen; read
through it and move on by clicking Next.

5. In Select Service Roles you can click on Distributed File System and it should
also place a check next to DFS Namespaces & DFS Replication; after this
click Next.

NOTE: At the bottom you will see Windows Server 2003 File Services and File
Replication Service. You would only choose this if you were going to be
synchronizing the 2008 server with old servers using the FRS service.

6. On the Create a DFS Namespace screen you can choose to create a namespace
now or later.

For this tutorial I am going to create one later, since the namespace is configured
step by step in the next part. So I am going to choose Create a namespace later using
the DFS Management snap-in in Server Manager and then click Next.

7. The next screen allows you to confirm your installation selections, so review and
then click Install.

8. After a short interval of loading you will see the Installation Results screen
which will hopefully have Installation succeeded in the top right. Go ahead and
click Close.

9. In Server Manager you should now see File Services and under the Role
Services you will see the installed components:

Distributed File System
  DFS Namespaces
  DFS Replication

Let's go ahead and configure a DFS Namespace through the DFS Management MMC
snap-in.

1. Open DFS Management Snap-in.

2. In the left pane click on Namespaces and then in the right column click New
Namespace.

3. In the New Namespace Wizard, the first thing it asks for is the server that
will host the namespace. In this case it will be the domain controller on which I
installed DFS, so let's enter that name, TESTDOMAIN, and then click Next.

4. The next window is Namespace Name and Settings, and it is asking for the
name of the namespace. Depending on if this is a standalone install or a domain,
this is the name that will be after the server or domain name. In this case I am
going to type the namespace Sharedfiles.

Notice when you type in the name the Edit Settings button becomes live. This is
because the wizard will create the shared folder. You can modify the settings it
uses at this time by clicking Edit Settings.

5. You can now edit the following settings:

Local path of the shared folder
Shared folder permissions

I am going to go with Administrators have full access; other users have read and
write permissions. If you select Custom you can choose specific groups and users and
give them specific rights. Keep in mind that these are share permissions only: the
effective access is the more restrictive of the share permissions and the NTFS
permissions on the local path. Click OK when you are done choosing permissions, then
click Next.

6. Next comes the Namespace Type. There are two choices: Domain-based namespace
or Stand-alone namespace. There are some big differences between the two, so let's
take a quick look at them now:

Domain-based namespace: stored on one or more namespace servers and in Active
Directory Domain Services. Offers increased scalability and access-based
enumeration when used in Windows Server 2008 mode.
Stand-alone namespace: stored only on a single namespace server; for redundancy
you have to use a failover cluster.

I am going to go with Domain-based namespace in Windows Server 2008 mode, and you
can see the preview is going to be \\ADExample.com\Sharedfiles. Once your choice is
made click Next.

7. The next screen lets you review the choices you just made, if they are correct go
ahead and click Create.

8. Next you will see a screen telling you that the namespace is being created. After
a few minutes you should see the status of Success, and then click Ok.

9. Now in DFS Management Snap-in you can see the Namespace we just created.

10. Lets go ahead and quickly create a folder. Right click on the namespace and
click New Folder.

11. Now type the name of the folder you want. In this case I am going to be very
original and type Folder1, but hopefully you will use something more descriptive
when the time comes.

Below the Name field you will see a space that shows you a preview of the
Namespace with this new folder. Also under that you will see Folder Targets.
This allows you to point this folder at a shared folder already on your network.

That way you don't have to migrate files over, but be warned: if you set up these
folder targets there is no replication, so if that share goes down for any reason
users will not be able to access that data. Go ahead and click OK.

12. You will now see Folder1 under the namespace we just created in the DFS
Management snap-in.

Configure DFS Replication on Windows Server 2008

Now that we have a namespace configured and have placed a folder in it, let's set
up replication with another server in the domain to make sure that users can always
get their data and we don't get any complaints!

1. Open DFS Management Snap-in.

2. In the left pane go ahead and right click on Replication and then left click
on New Replication Group.

3. Your first choice is whether you want a Multipurpose replication group or a
Replication group for data collection.

In most cases you will want the Multipurpose replication group, but where you want
to pull data from a remote server to a centralized backup server, the data
collection group is the right fit. In our case we are going to use Multipurpose
replication group; click Next.

4. Next we set the name of the replication group; the only limit is that the name
must be unique within the domain it serves. In our case let's use testrep for the
group name. After typing it in click Next.

5. Next we are going to add the group members. Click Add and enter the name of
the servers that are going to be members of this group. In my case it is going to
be TSTest and TESTDOMAIN; after they are entered click Next.

6. In the next page we are going to choose the Topology for the group. Since we
only have two servers we will be defaulted to Full Mesh which will work in this
example. On this page you will also see an explanation of the other topologies if
you need them. Click Next.

7. Replication Schedule is next. There are a lot of options here for every
bandwidth budget, including the ability to limit replication to certain days and
times. I am going to leave the default since we are just in my virtual lab, but you
may need different settings based on your server locations and connections. Once
set, click Next.

8. Primary member is next. This sets the authoritative member for the INITIAL
replication only: on the other members, files that do not match the primary's copy
are moved aside into the DfsrPrivate\PreExisting folder rather than replicated out,
so pick the server that holds the good data. In our case we will use TESTDOMAIN, and
then click Next.

9. Now we can setup the folders we want to replicate to the other server.

Click Add and you will be prompted for the folder's information. In this case I am
going to replicate the folder we used in the last example, Folder1. Note that you
can always change permissions on the replication target by selecting Custom
Permissions, or you can leave them as is by leaving it at Existing Permissions.

I am going to enter all the info, click Ok and then click Next as that is the only
folder I am replicating.

10. Next you must set the local path for the replicated folder on the other server.
It is disabled by default, so highlight the partner server and click Edit. Select
Enable, then Browse, and navigate to a folder you have already created or create
one in the desired location.

After you're done click OK, and if that is your only partner server click Next.

11. Next you can review your settings and then click Create; after a few seconds
you should see a Confirmation page with a success message for each step. After
reviewing it click Close.

12. After that you will see a popup window telling you:

Replication will not begin until the configuration is picked up by the members of
the replication group. The amount of time this takes depends on Active Directory
Domain Services replication latency as well as the polling interval.

Basically this means that if you specified remote servers in different sites, you
will have to wait until Active Directory replicates the data out with its next
sync. Click OK to get past this.

Now that we have configured the namespace and set up replication, let's take a look
at how it would be used by our ever-grateful end users.

1. Click Start.

2. Type in the domain and namespace, in our case \\ADExample.com\Sharedfiles, and
hit Enter.

3. You should get an Explorer window with Folder1 in the center pane.

Remember this has been the very basic structure of DFS and depending on your
need and environment you can create very robust namespaces and replication.
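The whole namespace-plus-replication procedure above, scripted as an added example; this is not code from the original tutorial. It uses the DFSN and DFSR PowerShell modules (Windows Server 2012 and later; on 2008 R2 the equivalent tools are dfsutil.exe, dfsradmin.exe and the DFS Management console), takes the names from the walkthrough (TESTDOMAIN, TSTest, ADExample.com, Sharedfiles, Folder1, testrep) and assumes local paths under D:\ on both servers.

```powershell
# Added example (not from the original tutorial): domain-based DFS namespace,
# folder with two targets, and a full-mesh replication group between the targets.
Import-Module DFSN, DFSR

$domain     = 'ADExample.com'
$nsServer   = 'TESTDOMAIN'
$partner    = 'TSTest'
$nsName     = 'Sharedfiles'
$folderName = 'Folder1'

# 1. Shares backing the namespace root and the folder targets. Share permissions are
#    the outer fence only; the NTFS ACLs on D:\DFSRoots and D:\Folder1 decide what
#    users can really do, and DFS-R replicates those ACLs along with the files.
Invoke-Command -ComputerName $nsServer -ScriptBlock {
    New-Item -ItemType Directory -Path "D:\DFSRoots\$using:nsName", "D:\$using:folderName" -Force | Out-Null
    New-SmbShare -Name $using:nsName -Path "D:\DFSRoots\$using:nsName" `
        -FullAccess 'BUILTIN\Administrators' -ReadAccess 'Authenticated Users' | Out-Null
    New-SmbShare -Name $using:folderName -Path "D:\$using:folderName" `
        -FullAccess 'BUILTIN\Administrators' -ChangeAccess 'Domain Users' | Out-Null
}
Invoke-Command -ComputerName $partner -ScriptBlock {
    New-Item -ItemType Directory -Path "D:\$using:folderName" -Force | Out-Null
    New-SmbShare -Name $using:folderName -Path "D:\$using:folderName" `
        -FullAccess 'BUILTIN\Administrators' -ChangeAccess 'Domain Users' | Out-Null
}

# 2. Domain-based namespace in Windows Server 2008 mode (DomainV2), with
#    access-based enumeration so users only see folders they have rights to.
New-DfsnRoot -Path "\\$domain\$nsName" -TargetPath "\\$nsServer\$nsName" -Type DomainV2 | Out-Null
Set-DfsnRoot -Path "\\$domain\$nsName" -EnableAccessBasedEnumeration $true

# 3. The folder, with one target on each server that will hold a replica.
New-DfsnFolder       -Path "\\$domain\$nsName\$folderName" -TargetPath "\\$nsServer\$folderName" | Out-Null
New-DfsnFolderTarget -Path "\\$domain\$nsName\$folderName" -TargetPath "\\$partner\$folderName"  | Out-Null

# 4. Replication group "testrep": two members, full mesh (Add-DfsrConnection creates
#    both directions by default), TESTDOMAIN authoritative for the initial sync.
New-DfsReplicationGroup -GroupName 'testrep' | Out-Null
New-DfsReplicatedFolder -GroupName 'testrep' -FolderName $folderName | Out-Null
Add-DfsrMember     -GroupName 'testrep' -ComputerName $nsServer, $partner | Out-Null
Add-DfsrConnection -GroupName 'testrep' -SourceComputerName $nsServer -DestinationComputerName $partner | Out-Null
Set-DfsrMembership -GroupName 'testrep' -FolderName $folderName -ComputerName $nsServer `
    -ContentPath "D:\$folderName" -PrimaryMember $true  -Force | Out-Null
Set-DfsrMembership -GroupName 'testrep' -FolderName $folderName -ComputerName $partner `
    -ContentPath "D:\$folderName" -PrimaryMember $false -Force | Out-Null

# 5. Don't wait for the polling interval: pull the new configuration from AD now,
#    then check what the end user will see.
Update-DfsrConfigurationFromAD -ComputerName $nsServer, $partner
Get-DfsnFolderTarget -Path "\\$domain\$nsName\$folderName" | Format-Table TargetPath, State -AutoSize
Test-Path "\\$domain\$nsName\$folderName"
```

Once both targets are online behind the same folder, a client that loses one server is referred to the other, which is exactly the redundancy a single folder target cannot give.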

5.2.1.1 DNS (Domain Name System)

* Name Resolution: translating a name (for example a web site) into its IP address, and an IP address back into a name.
* Order in which a machine resolves a name:
  1. Cache
  2. Hosts file
  3. DNS
* What DNS does:
  1. Resolves a name to an IP address.
  2. Resolves an IP address to a name (reverse lookup).
  3. Server Locator: lets a client find the domain controller for its domain.
* A DNS server that cannot answer a query itself can pass it on to another DNS server (for example the ISP's) to reach the web site.
* Root hints: the list of root DNS servers the server falls back on when it has no forwarder.
* Record types seen in a zone in the DNS console:
  1. A record: IPv4 address of a domain-joined machine.
  2. AAAA record: IPv6 address of a domain-joined machine.
  3. SOA (Start of Authority): the zone's primary server and update information.
  4. Name Server (NS): the DNS servers (DCs) that are authoritative for the zone.
  5. CNAME: an alias for a machine in the domain.
  6. Mail Exchanger (MX): the mail server, with a priority.

Example: setting up a public authoritative DNS server.

Requirements:

Static public IP address
Static private IP assigned to the server (if your server is behind a NAT device)
A very reliable Internet connection with 100% uptime (not required if you're just testing)
A server with the capacity to handle DNS requests, running Windows Server 2008
A registered domain name; if you're just doing a test setup, register a free dot.tk domain name

Check for Static IP address

The IP address assigned to your server (either private or public) must be static,
otherwise you'll get the following warning message when installing the DNS server role.

You'll be presented with this warning when adding the DNS role if your server has a dynamic IP address.

The Preferred and Alternate DNS settings can be anything but NOT the loopback
address (127.0.0.1), because we're setting up an authoritative-only DNS server and
not a recursive one, so the server itself could not resolve anything through it. In
the following screenshot I've set it to the IP address of my gateway device, as it
also functions as a DNS forwarder. Since my test server is behind a NAT device I'm
using private IP addresses.

My server is behind a modem which performs NAT, hence I've assigned a static private IP address.
You may wonder how queries for the authoritative domain we're configuring will be
answered; I'll provide an explanation at the end.

Install the DNS server role

Hit [windows] + R to open the Run dialog box and enter servermanager.msc

Server Manager can be opened by going to Run and typing servermanager.msc.

Click Add roles, in the wizard that appears click next and choose DNS Server.

Click Install in the confirmation page.

After installation choose to restart your computer.

Once complete you can open the DNS manager in one of the following ways, open
the Run dialog box and enter dnsmgmt.msc

or Open Start menu > Administrative tools > DNS

Disabling recursion and root hints

As I mentioned earlier we're configuring an authoritative server, so leaving
recursion at its default (enabled) turns it into an open resolver that anyone on the
Internet can use: it can be abused as an amplifier in reflection DoS attacks, and its
cache becomes a target for poisoning. Open the DNS Manager, right-click the name of
your server and click Properties.

Go to the Advanced tab and check Disable recursion (also disables forwarders)
and click OK.

But it isn't done yet: the server still has the root DNS servers in its
configuration, so it returns the root server details (a referral) each time it is
queried for a name outside its own zones. To prevent this we need to create a forward
lookup zone named "." (you read that right: just a single dot). Right-click Forward
Lookup Zones and select New Zone.

Proceed with the wizard and choose Primary Zone type.

Enter the zone name as a single dot, "." (without the quotes), and click Next.

Place a dot for the zone name when creating a root zone to disable root hints.

In the Dynamic updates page leave it to the defaults and press Next.

Finally click Finish

Now that a root zone exists, the server answers NXDOMAIN (non-existent domain) for
any name outside the zones it hosts instead of referring the client to the root
servers. Only do this on a server that does not resolve names for clients: a server
that owns "." can no longer use root hints or forwarders.

Creating an authoritative zone

This is similar to the steps followed previously, right-click the Forward lookup
zone, click New Zone

Choose primary zone

Now enter your registered domain name; for the purpose of this article I'll be using
a free dot.tk domain name.

Enter your registered domain name.

Leave dynamic updates to its defaults and finish the wizard.

In the next few steps well be creating records for this zone, this is where steps for
users with NAT and public IP differ.

Creating DNS records

While creating records for the domain always remember to use only public IP
addresses. First well be editing the NS and SOA records that were automatically
created with this zone. Open the properties of the NS record and edit the name
server entry in it.

Modify the NS record of the newly created zone, enter the public IP address of
your server and change the FQDN

If your server has a directly assigned public IP then editing the FQDN alone is
enough; set it to something like dns1.yourdomain.com. For servers behind a NAT
device, edit the FQDN as well as the IP address: remove the private IP address from
the list and enter your public, Internet-facing IP address. When you save this
setting you'll be asked whether you want to remove the private IP address; press Yes.

At this point DNS Manager will automatically create an A record pointing
dns1.yourdomain.com to <Public IP address>. Next modify the SOA record: change the
Primary server to the NS record just edited and enter your e-mail address under
Responsible Person, replacing the @ with a dot (user@example.com is entered as
user.example.com; a dot in the part before the @ has to be escaped with a backslash).

Modify the default SOA
record, change the Primary Server and email address

Create an A record for the parent domain name.

Create an A record pointing to the server which will handle requests for this
domain (e.g a webserver)

Ive entered the IP address of the web server hosting this blog. Create a CNAME
record for the www part of the domain name.

Create a CNAME record to point the www portion of the domain to the parent
domain

After everything is done make sure your firewall allows inbound port 53, both TCP
and UDP; test this with an online open-port checker.

Check if port 53 is open using the open port check tool

Login to your domain registrars control panel and configure name servers. You
may also create additional records like MX and TXT if required.

Configure the domain name

Finally the domain name's name server must be set to the IP address of the server
we've just configured. Log in to your domain registrar's control panel and create a
child name server. A child name server, also known as a glue record, is a name server
whose name lies inside the very domain it is authoritative for (dns.myowndns.tk for
myowndns.tk); the registrar publishes its A record in the parent (.tk) zone, so
resolvers can find the server without first having to resolve the domain it serves.

Create a child name server for your domain from the domain control panel

The IP address must be the public IP address through which the DNS server is
accessible and query-able (port 53 allowed). Once this is done wait for DNS
propagation to occur, theoretically it may take more than a day for propagation
around the world but you can see the results in 10 minutes. Open an online DNS
lookup tool which gives a lot of detail like network-tools.com. First query the
default DNS server and have a look at the results.

Query a public DNS service to check for propagation

Querying a public DNS server returns a recursive response

Then query the authoritative DNS server directly and look at the results.

Querying the authoritative DNS server directly
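The complete authoritative-only setup above (recursion off, root zone, the registered zone with its NS/SOA/A/CNAME records, firewall opening and a local test), as an added example that is not code from the original page. It uses the DnsServer module of Windows Server 2012 and later (on 2008 R2 the same changes are made with dnscmd.exe or in the DNS console). The zone myowndns.tk is the article's; the addresses 203.0.113.10 and 203.0.113.20 (a documentation range), the label dns1 and the hostmaster mailbox are assumptions.

```powershell
# Added example (not from the original page): authoritative-only Windows DNS server.
# Zone name from the article; IP addresses, NS label and mailbox are assumptions.
Import-Module DnsServer

$zone     = 'myowndns.tk'
$publicIP = '203.0.113.10'          # public address the NAT forwards 53/tcp+udp to
$webIP    = '203.0.113.20'          # web server the apex A record points at
$nsHost   = "dns1.$zone"

# 1. Disable recursion. An authoritative server that also answers recursive queries
#    for the whole Internet is an open resolver: a DDoS amplifier and a cache-poisoning
#    target. This also disables forwarders, which we do not need.
Set-DnsServerRecursion -Enable $false

# 2. Own the root, so names we are not authoritative for get NXDOMAIN instead of a
#    referral assembled from the root hints.
Add-DnsServerPrimaryZone -Name '.' -ZoneFile 'root.dns' -DynamicUpdate None

# 3. The real zone: file-backed primary, dynamic updates off (nobody on the Internet
#    may add records to a public zone).
Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None

# 4. Records. The NS target and its glue A record carry the PUBLIC address, never the
#    private one behind the NAT; then the apex A record and the www alias.
Add-DnsServerResourceRecordA     -ZoneName $zone -Name 'dns1' -IPv4Address $publicIP
Add-DnsServerResourceRecord      -ZoneName $zone -Name '@' -NS -NameServer "$nsHost."
Add-DnsServerResourceRecordA     -ZoneName $zone -Name '@' -IPv4Address $webIP
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www' -HostNameAlias "$zone."

# Drop the NS record the server created for its own (private) host name, and point
# the SOA at the public name with a hostmaster mailbox (user@domain -> user.domain).
Get-DnsServerResourceRecord -ZoneName $zone -RRType NS |
    Where-Object { $_.RecordData.NameServer -ne "$nsHost." } |
    Remove-DnsServerResourceRecord -ZoneName $zone -Force
$soaOld = Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa
$soaNew = $soaOld.Clone()
$soaNew.RecordData.PrimaryServer     = "$nsHost."
$soaNew.RecordData.ResponsiblePerson = "hostmaster.$zone."
Set-DnsServerResourceRecord -ZoneName $zone -OldInputObject $soaOld -NewInputObject $soaNew

# 5. Host firewall: 53 UDP and TCP inbound (the NAT device still needs its port forward).
New-NetFirewallRule -DisplayName 'DNS authoritative (UDP 53)' -Direction Inbound -Protocol UDP -LocalPort 53 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'DNS authoritative (TCP 53)' -Direction Inbound -Protocol TCP -LocalPort 53 -Action Allow | Out-Null

# 6. Local checks: our own zone answers; a foreign name is refused (no recursion).
Resolve-DnsName -Name "www.$zone"         -Server 127.0.0.1 -DnsOnly
Resolve-DnsName -Name 'www.microsoft.com' -Server 127.0.0.1 -DnsOnly -ErrorAction Continue
```

The second Resolve-DnsName is the practical test of the hardening: before the change it would have returned a referral (or, with recursion on, a real answer); afterwards it fails, which is what an authoritative-only server should do for names it does not own.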


NAP (Network Access Protection)

* NAP: a server-side mechanism that checks the health of a client computer before it is allowed onto the network.
  - NPS (Network Policy Server) evaluates the health policy.
  - Non-compliant clients are placed in a remediation group (a restricted network) until they are fixed.
  - The Windows Security Health Validator checks: Firewall + Windows Update + automatic updates + Antivirus.
  - Supported clients: Windows 7 / Vista / XP SP3.
* RADIUS: authentication and authorization of users. The user is first authenticated (who they are) and then authorized (what they are allowed to do) against the configured policies.

Example:

This tutorial will guide you through installing Microsoft's Network Policy Server
(NPS) and configuring it to authenticate remote VPN users (via Active Directory
security groups) that connect through a Cisco ASA firewall.

1. The first step is to Add the Network Policy Server Role. Open up Server Manager,
right click on Roles and click Add Roles.

2. The Add Roles Wizard begins. Click Next.

3. Tick the box next to Network Policy and Access Services and click Next.

4. An introduction to Network Policy and Access Services is displayed. Click Next.

5. Place a tick in the box next to Network Policy Server and click Next.

6. This window displays the confirmation of the role to be installed. Click Install.

7. The Role has been installed successfully. Click Close.

8. To access the Network Policy Server management console click Start > All
Programs > Administrative Tools > Network Policy Server.

9. First thing to do when configuring your Network Policy Server is to create a New
Client. The client is the device that will be passing the authentication request through to
your Network Policy Server. Expand RADIUS Clients and Servers, right click on
RADIUS Clients and click on New.

10. Give the client a friendly name, enter the IP address of the device from which the
authentication requests will come, enter the shared secret and click OK. The shared
secret must be the same on your Network Policy Server and on the RADIUS client device.
Use a long, random secret: RADIUS only obfuscates the user's password with an MD5
construction keyed by this secret, so a guessable secret exposes every password that
passes through.

11. The RADIUS Client is now listed.

12. Next, we will create a Network Policy. The Network Policy is the set of Criteria the
RADIUS client and/or user must meet in order to be authenticated. Expand Policies and
right click on Network Policies and click New.

13. Give the Policy a name and leave the network access server selection as
Unspecified.

14. Conditions are where you specify the criteria that must be met in order for the
Authentication request to be successful.

15. We are going to add a Condition to check if the User is a member of the Windows
Active Directory Security Group called VPN Users. (I have previously created this
security group in Active Directory). Click Add.

16. Click on Add Groups.

17. Type the name of the security group you created for your VPN users and click OK.

18. The Group is now added. Click Ok.

19. As you can see the Windows Group VPN Users is now listed as a condition. Click
Next.

20. When the condition is met we would like to Grant Access. Select Access granted.
You can also optionally grant or deny access based on the Dial-In properties of the user
account. Click Next.

21. For this install we will select MS-CHAP-v2, then click Next. Normally the Cisco
ASA firewall authenticates to RADIUS using PAP, but with a few CLI commands it can
use MS-CHAP-v2 (first tunnel-group <tunnel-group-name> ppp-attributes, then
authentication eap-proxy; source: https://supportforums.cisco.com/thread/1004126).
Keep in mind that MS-CHAP-v2 is a legacy method: its DES-based challenge/response
can be cracked offline by anyone who captures the exchange, so rely on it only
inside an already encrypted tunnel and move to EAP-TLS or PEAP where the clients
support them.

22. You have the option to configure certain constraints on this page. For example you
may wish to restrict authentication between certain times of the day. Click Next.

23. On this screen there are more optional settings to configure for the Policy.

24. You may wish to change the Encryption settings, make sure the settings match up
on both ends.

25. The Network Policy is now completed. Review the settings and Click Finish.

26. The last step is to move the policy to the top of the processing order. Right-click
the policy that you just created and click Move Up until it is positioned at the top.

27. Your Network Policy Server is now complete.
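Steps 9 to 11 and the follow-up review above, as an added example that is not code from the original tutorial: registering the ASA as a RADIUS client with a long random shared secret from the command line (netsh nps is available on Windows Server 2008 R2; the New-NpsRadiusClient cmdlet needs Server 2012 or later), exporting the NPS configuration, and reading the access decisions NPS writes to the Security log. The client name and IP address are assumptions.

```powershell
# Added example (not from the original tutorial): RADIUS client registration with a
# strong shared secret, configuration backup, and NPS decision review.
$clientName = 'ASA-Edge'      # assumed friendly name
$clientIP   = '10.10.0.1'     # assumed ASA inside address

# RADIUS only hides User-Password behind MD5(secret + authenticator); the secret is the
# entire defence on the wire, so generate it from a CSPRNG and treat it as a password.
function New-RadiusSecret {
    param([int]$Length = 48)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%+-=_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}
$secret = New-RadiusSecret

# Register the client. The same secret has to be entered on the ASA side.
netsh nps add client name="$clientName" address="$clientIP" state="enable" sharedsecret="$secret"
Write-Host "Shared secret for $clientName (enter the same value on the ASA): $secret"

# Full NPS export including shared secrets: restrict the backup folder to admins.
$backup = "C:\NPSBackup\nps-$(Get-Date -Format yyyyMMdd).xml"
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
netsh nps export filename="$backup" exportPSK=YES

# NPS logs every decision to the Security log: 6272 = access granted,
# 6273 = access denied, 6274 = request discarded. Denial reason 16 is a credential
# mismatch, 66 means the client used an auth method the matching policy does not allow.
function Get-NpsDecisions {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            User      = $d['SubjectUserName']
            Client    = $d['ClientName']
            ClientIP  = $d['ClientIPAddress']
            Policy    = $d['NetworkPolicyName']
            Reason    = $d['ReasonCode']
            ReasonTxt = $d['Reason']
        }
    }
}

# Who is being refused, and why: the first thing to look at when the policy order
# or the authentication method (step 21) is wrong.
Get-NpsDecisions | Where-Object EventId -eq 6273 |
    Group-Object User, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A burst of 6273 events from one client IP with reason 16 against many user names is a password-spraying pattern arriving through the VPN; forwarding these events to your SIEM is the cheap detection this setup should come with.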

Configure Cyberoam to use RADIUS Server for Authentication

Scenario

Configure Cyberoam to use RADIUS Server for user authentication.

Configuration
You can configure Cyberoam to use a RADIUS Server by following the steps given below. Configuration
is to be done from Web Admin Console using Administrator profile.

Step 1: Configure Cyberoam to use RADIUS Server

Go to Identity > Authentication > Authentication Server and click Add to configure the
RADIUS Server parameters as shown in the table below.

Parameter             Value              Description
--------------------  -----------------  ----------------------------------------------------------
Server Type           RADIUS Server      Select RADIUS Server. If users must authenticate against a
                                         RADIUS server, the appliance has to communicate with that
                                         server for authentication.
Server Name           CR_RADIUS          Name used to identify the RADIUS Server.
Server IP             172.16.16.18       IP address of the RADIUS Server.
Authentication Port   1812               Port the server listens on. The default is 1812.
Shared Secret         Cyberoam           Shared secret used to protect the information exchanged
                                         with the appliance; it must match the client entry on NPS.
Integration Type      Tight Integration  Select Tight Integration to take the user's group
                                         membership from a vendor-specific attribute, then specify
                                         the group name attribute.
Group Name Attribute  Filter-Id          The group name attribute is vendor specific.

The value "Cyberoam" above is only the document's placeholder; in production use a long random shared secret, as for any RADIUS client.

Click Test Connection to check if Cyberoam is able to connect to the RADIUS Server. Cyberoam
prompts for administrative credentials to test the connection as shown below. Specify the credentials and
click Test Connection.

If connection is successful, click OK to save the configuration.

Step 2: Select RADIUS Server as the Primary Authentication Method
Go to Identity > Authentication > Firewall and select RADIUS Server as the primary authentication server.

Click Apply to save configuration.

Step 3: Test RADIUS Server integration

Go to http://<Cyberoam LAN IP>:8090 to view the Captive Portal (HTTP client) login page. Specify
credentials and log in.

If the user logs in successfully, the user name is displayed under Identity > Live Users in the
Cyberoam Web Admin Console.
This completes the RADIUS Server configuration.

7.2.1.1 IP Security (IPsec)

* IPsec protects data while it is in transit over the network.
* NTFS permissions protect data stored on disk; IPsec protects it on the wire.
* Where it sits in the OSI model:
  1. Application
  2. Presentation
  3. Session: authentication and authorization take place here.
  4. Transport: TCP (connection-oriented, delivery is checked and acknowledged) and UDP (connectionless, no delivery check); data is divided into segments.
  5. Network: source IP and destination IP; data travels in packets. IPsec works at this layer and provides authentication and encryption: authentication with AH (Authentication Header), encryption with ESP (Encapsulating Security Payload).
  6. Data Link: MAC addresses.
  7. Physical: the raw bits (01010111001).
* Modes:
  1. Tunnel mode
  2. Transport mode
* Tunnel authentication methods:
  1. Pre-shared key: a password known to both sides.
  2. Kerberos: for members of an Active Directory domain.
  3. Certificate: issued by a CA that both sides trust; based on a public key / private key pair.

Example:
How to configure an L2TP/IPsec VPN using Network Policy Server in Windows
Server 2008 R2
How to configure L2TP IPSec VPN using Network Policy Server in Windows
Server 2008 R2

419
420
421
422
423
424
425
426
427
Here you can select VPN and NAT; that is enough for this setup.

Here you have to select the tunnel type, the encryption method and the NAS Port Type.
These must match what the clients will use, so get them right.

Windows 7: L2TP IPSec VPN dialler
Open control panel>network and sharing centre>setup a new network connection

Select use my Internet connection (VPN)

Type IP Address of VPN server and VPN dialler name

Type user name and password, domain optional

Skip connecting at this time.

Network and Sharing Centre > Connect to a network > Dial-up and VPN > right-click >
Properties

Click Advanced settings > Use certificate for authentication.

Click on connect.
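The dialler steps above, as an added example that is not from the original page, done from PowerShell instead of the Network and Sharing Centre. It uses the VpnClient module (Windows 8.1 / Server 2012 R2 and later; Windows 7 only offers the GUI or a rasphone.pbk file). The connection name, the server FQDN and the domain are assumptions.

```powershell
# Added example (not from the original page): L2TP/IPsec connection with certificate
# authentication for IPsec and MS-CHAPv2 for the user. Names are assumptions.
$name   = 'Lab L2TP'
$server = 'vpn.example.com'   # assumed FQDN of the RRAS server

# No -L2tpPsk here: IPsec authenticates with the machine certificate, which is the
# "Use certificate for authentication" step above. Required encryption and MS-CHAPv2
# match what the NPS network policy expects. Credentials are not cached on the client.
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType L2tp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential:$false -SplitTunneling:$false -Force

# The PSK variant would add -L2tpPsk 'secret'. One PSK is shared by every client, so
# anyone who has received it can also impersonate the server to the others.

# Before dialling, confirm the machine owns a certificate it can use: a private key
# plus the Client Authentication EKU (1.3.6.1.5.5.7.3.2), as the Computer template provides.
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
}
if (-not $clientCert) {
    Write-Warning 'No machine certificate with the Client Authentication EKU; the IPsec phase will fail.'
}

Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling

# Dial it; user name and password are prompted for, the domain is given explicitly.
# rasdial $name /DOMAIN:ADExample.com
```

Leaving split tunnelling off means all client traffic goes through the VPN while it is up, which is the safer default for a corporate dialler; enable it only where the routing policy on the server side is understood.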


Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group Policy

Confirm the Enterprise Root CA Configuration

Verify that certificate requests do not require administrator approval. Perform the
following steps on the domain controller, WIN2008DC:

1. Click Start, point to Administrative Tools, and then click Certification
Authority.
2. In the left pane of the console, right-click the name of the CA, and then
click Properties.

Figure 2

3. Click the Policy Module tab, and then click Properties.

Figure 3

4. Verify that Follow the settings in the certificate template, if applicable.
Otherwise, automatically issue the certificate is selected.

Figure 4

5. Click OK twice, and then close the Certification Authority console.

Create the NAP CLIENTS Group

Next, create a group for use with Group Policy security filtering. We will create a
Group Policy Object for the machines that NAP policy will apply to, and then
configure the GPO to apply only to members of this group. This way we don't need to
create an OU for the NAP clients; all we need to do is add the NAP clients to the
security group. VISTASP1 and VISTASP1-2 will be added to this group after they join
the domain.

Perform the following steps on WIN2008DC:

1. In the left pane of the Active Directory Users and Computers console, right-
click msfirewall.org, point to New, and then click Group.

Figure 5

2. In the New Object - Group dialog box, under Group name, type NAP Clients.
Under Group scope, choose Global; under Group type, choose Security; and then
click OK.

Figure 6

3. Leave the Active Directory Users and Computers console open for the following
procedure.

Create the NAP Exempt Group

There will be machines on your network that need to communicate with members
of the secure network, but who should not be expected to meet NAP security
requirements. These are typically network infrastructure machines, such as domain
controllers, DHCP servers and others that need to communicate with machines on
the secure network.

On our example network, WIN2008SRV1 needs to be able to connect to the members of
the secure network in order to give them health certificates, which will be used to
establish secure IPsec communications between members of the secure network. So we
will place this machine in its own group, and then configure a health certificate
that will be automatically deployed to it. The health certificate is deployed by
autoenrollment, so that the machine issuing the health certificates does not itself
need to pass NAP policy before receiving the certificate.

Perform the following steps on WIN2008DC:

1. In the Active Directory Users and Computers console, right-click
msfirewall.org, point to New, and then click Group.

Figure 7

2. In Group name, type IPsec NAP Exemption. Under Group scope, choose Global;
under Group type, choose Security; and then click OK.

Figure 8

3. Leave the Active Directory Users and Computers console open for a procedure that
follows.

Figure 9

Create and Configure a Certificate Template for NAP Exempt Computers

A certificate template must be created for computers that are given exemptions
from NAP health checks. This certificate template will be configured with two
application policies: client authentication and system health authentication. The
System Health Authentication application policy (OID 1.3.6.1.4.1.311.47.1.1) is what
lets the certificate be used to communicate with the NAP-compliant computers on the
secure network.

After we create the certificate template, we will publish it so that it is
available through Active Directory to machines that are members of the NAP Exempt
group. After publishing the certificate template to Active Directory, we'll
configure Group Policy so that the certificate is automatically assigned to members
of the NAP Exempt group using autoenrollment.

Perform the following steps on WIN2008DC:

1. Click Start, click Run, type certtmpl.msc, and then press ENTER.
2. In the middle pane of the Certificate Templates console, right-click Workstation
Authentication, and then click Duplicate Template. This template is used because
it is already configured with the client authentication application policy.

Figure 10

3. In the Duplicate Template dialog box, select the Windows Server 2003,
Enterprise Edition option and click OK.

Figure 11

4. Under Template display name, type System Health Authentication. Put a
checkmark in the Publish certificate in Active Directory check box.

Figure 12

5. Click the Extensions tab, and then click Application Policies. Then click
the Edit button.

Figure 13

6. In the Edit Application Policies Extension dialog box, click Add.

Figure 14

7. In the Add Application Policy dialog box, select the System Health
Authentication policy and click OK.

Figure 15

8. Click OK in the Edit Application Policy Extension dialog box.

Figure 16

9. Click the Security tab and click Add. In the Select Users, Computers or
Groups dialog box, enter IPsec NAP Exemption (the group created earlier) in the
Enter the object names to select text box and click Check Names. Then click OK.

Figure 17

10. Click IPsec NAP Exemption, and then click the Allow check boxes next
to Enroll and Autoenroll, and then click OK.

Figure 18

11. Close the Certificate Templates console.

Make the Certificate Template Available for Publishing through Group Policy

Perform the following steps to enable the new certificate template to be available
through Active Directory Group Policy. After we do this, well be able to make
this certificate available to members of the NAP Exempt group through
autoenrollment.

Perform the following steps on WIN2008DC:

1. Click Start, click Run, type certsrv.msc, and then press ENTER.
2. Expand the server name in the left pane of the console, and in the console tree,
right-click Certificate Templates, point to New, and then click Certificate
Template to Issue.
Figure 19

3. Click System Health Authentication, and then click OK.

Figure 20

4. In the left pane of the console, click Certificate Templates, and in the details pane
under Name, verify that System Health Authentication is displayed.

Figure 21

5. Close the Certification Authority console.

Distribute the NAP Exemption Health Certificate through Group Policy

Autoenrollment

Now that we've published the certificate template, we can make it available to
domain machines that belong to the NAP Exempt group. We do this by using
autoenrollment.

Perform the following steps on WIN2008DC to enable autoenrollment of this
certificate:

1. Click Start and then click Run. Enter gpmc.msc in the Open text box and
click OK.
2. In the Group Policy Management console, expand the msfirewall.org domain
name, right-click the Default Domain Policy, and then click Edit.

Figure 22

3. In the left pane of the Group Policy Management Editor, open Computer
Configuration\Windows Settings\Security Settings\Public Key Policies. In the
middle pane of the console, double-click Certificate Services Client Auto-Enrollment.

Figure 23

4. In the Certificate Services Client Auto-Enrollment Properties dialog box,
select the Enable option from the Configuration Model drop-down list box. Put a
checkmark in the Renew expired certificates, update pending certificates, and
remove revoked certificates and Update certificates that use certificate
templates check boxes. Click OK.

Figure 24

5. Close the Group Policy Management Editor.
6. Close the Group Policy Management console.

Add the Network Policy Server to the NAP Exempt Group

We need to make the WIN2008SRV1 computer a member of the NAP Exempt
Group so that it autoenrolls the Health Certificate we created for it. This will allow
this computer, which will act as the NAP policy server and Health Registration
Authority, to communicate with machines that are in the secure network, even
though this machine isn't subject to NAP requirements.

Perform the following steps on the WIN2008DC domain controller:

1. On WIN2008DC, click Start, point to Administrative Tools, and then
click Active Directory Users and Computers.

2. In the left pane of the Active Directory Users and Computers console,
expand msfirewall.org. Click on the Users node.
3. Double click on the NAP Exempt group in the right pane of the console.
4. Click the Members tab, click Add, click Object Types, select
the Computers check box, and then click OK.

Figure 1

5. Under Enter the object names to select (examples), type WIN2008SRV1, and
then click Check Names. Click OK, and then click OK in the NAP Exempt
Properties dialog box.

Figure 2

Figure 3

6. Close the Active Directory Users and Computers console.

Restart the Network Policy Server

To activate the new domain membership and security group membership settings,
restart WIN2008SRV1.

1. Restart WIN2008SRV1.
2. After the computer has been restarted, log on as Administrator.

Request a Computer Certificate for the Network Policy Server

The WIN2008SRV1 machine will need a computer certificate to support SSL
connections to the server. The SSL connections will come from NAP clients when
they connect to the Health Registration Authority Web server on the NPS server
machine. Note that in this example the NPS server and the Health Registration
Authority are on the same machine. You don't have to do it that way; you can put
the Health Registration Authority and the NPS server on different machines. In that
scenario, you would need to install the NPS service on the HRA machine and
configure that machine as a RADIUS proxy, since the HRA is the network access
server in this scenario and the NAS needs to be able to inform the NPS service of
the client's status.

Perform the following steps on the WIN2008SRV1 NPS machine:

1. On WIN2008SRV1, click Start, click Run, type mmc, and then press ENTER.
2. Click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates and then
click Add. In the Certificates snap-in dialog box, select the Computer
account option and click Next.

Figure 4

4. In the Select Computer dialog box, select the Local Computer option and
click Finish.

Figure 5

5. Click OK in the Add or Remove Snap-ins dialog box.

Figure 6

6. In the Certificates console, expand the Certificates (Local Computer) node and
then expand the Personal node. Right-click the Certificates node, point to All
Tasks, and then click Request New Certificate.

Figure 7

7. Click Next on the Certificate Enrollment page.

On the Request Certificates page, you can see a list of certificate templates
that are available to this computer. Note that while there are many more certificate
templates available, these are the only ones available to this computer, based on the
permissions configured on the certificate templates. Put a checkmark in
the Computer checkbox and click Enroll. Note that you can get full and complete
details of this certificate by clicking on the Properties button.

Figure 8

8. Click Finish in the Certificate Installation Result dialog box.

Figure 9

9. Leave the console window open for the following procedure.

Figure 10

View the Computer and Health Certificate Installed on the Network Policy
Server

Next, verify that WIN2008SRV1 has an SSL certificate and a NAP exemption
certificate.

1. In the left pane of the Certificates console, open Certificates (Local
Computer)\Personal\Certificates. In the right pane, verify that a certificate was
autoenrolled by WIN2008SRV1 with Intended Purposes of System Health
Authentication and Client Authentication. This certificate will be used for NAP
client IPsec exemption.

Figure 11

2. In the right pane, verify that a certificate was enrolled with Intended
Purposes of Client Authentication and Server Authentication. This certificate
will be used for server-side SSL authentication.

Figure 12

3. Close the Certificates console. If you are prompted to save settings, click No.
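The same two checks done from a script, as an added example of my own rather than code from this guide: it classifies every certificate in the local computer's Personal store by Enhanced Key Usage, and also applies the requirements the HRA has for its SSL certificate (a subject that matches the server's FQDN, the Server Authentication EKU, and a chain to a trusted root). Assumptions of mine: it runs in an elevated PowerShell session on WIN2008SRV1, the HRA's FQDN is win2008srv1.msfirewall.org, and the EKU OIDs are the standard PKIX and Microsoft values.

```powershell
# Added example, not part of the original guide. Assumptions: run elevated on the
# NPS/HRA machine (WIN2008SRV1); HRA FQDN is win2008srv1.msfirewall.org.

$ExpectedHraFqdn = "win2008srv1.msfirewall.org"

# Enhanced Key Usage OIDs behind the friendly names the guide refers to
$OidServerAuth = "1.3.6.1.5.5.7.3.1"        # Server Authentication
$OidClientAuth = "1.3.6.1.5.5.7.3.2"        # Client Authentication
$OidHealthAuth = "1.3.6.1.4.1.311.47.1.1"   # System Health Authentication (NAP)

function Get-CertificateEkuOids {
    # Returns the EKU OID strings of a certificate (nothing if it has no EKU extension)
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq "2.5.29.37") {   # id-ce-extKeyUsage
            $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
            foreach ($o in $eku.EnhancedKeyUsages) { $oids += $o.Value }
        }
    }
    return $oids
}

function Test-NapServerCertificates {
    # Classifies every cert in Cert:\LocalMachine\My and returns a list of problems
    # (an empty list means both certificates are present and chain to a trusted root)
    param([string]$HraFqdn = $ExpectedHraFqdn)

    $report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekus = Get-CertificateEkuOids $cert
        # GetNameInfo(DnsName) returns the SAN DNS name or, failing that, the subject CN
        $dnsName = $cert.GetNameInfo("DnsName", $false)
        New-Object PSObject -Property @{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            # NAP exemption cert: autoenrolled from the System Health Authentication template
            IsHealthCert = ($ekus -contains $OidHealthAuth) -and ($ekus -contains $OidClientAuth)
            # HRA SSL cert: Server Authentication EKU and a subject matching the HRA FQDN
            IsSslCert    = ($ekus -contains $OidServerAuth) -and ($dnsName -ieq $HraFqdn)
            # Verify() builds the chain and checks revocation, so a cert issued by a root
            # the machine does not trust (or a revoked cert) shows up as $false here
            ChainValid   = $cert.Verify()
        }
    }

    $report | Format-Table Subject, IsHealthCert, IsSslCert, ChainValid, NotAfter -AutoSize

    $problems = @()
    if (-not ($report | Where-Object { $_.IsHealthCert })) {
        $problems += "No System Health Authentication certificate: check NAP Exempt membership and the autoenrollment GPO, then run gpupdate /force."
    }
    if (-not ($report | Where-Object { $_.IsSslCert })) {
        $problems += "No Server Authentication certificate with subject $HraFqdn; the HRA wizard will have nothing to bind SSL to."
    }
    foreach ($c in ($report | Where-Object { -not $_.ChainValid })) {
        $problems += "Certificate $($c.Thumbprint) does not chain to a trusted root (or is revoked)."
    }
    return $problems
}

$issues = @(Test-NapServerCertificates)
if ($issues.Count -eq 0) { "Both the health certificate and the SSL certificate are in place." }
else { $issues | ForEach-Object { Write-Warning $_ } }
```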

Install the Network Policy Server, Health Registration Authority, and
Subordinate Certificate Server roles

Next, install role services to make WIN2008SRV1 a NAP health policy server,
NAP enforcement server, and NAP CA server.

Perform the following steps on WIN2008SRV1:

1. In Server Manager, under Roles Summary, click Add Roles, and then
click Next.

Figure 13

2. On the Select Server Roles page, select the Active Directory Certificate
Services and Network Policy and Access Services check boxes, and then
click Next twice.

Figure 14

3. On the Select Role Services page, select the Health Registration
Authority check box, click Add Required Role Services in the Add Roles
Wizard window, and then click Next.

Figure 15

4. On the Choose the Certification Authority to use with the Health Registration
Authority page, choose Install a local CA to issue health certificates for this
HRA server, and then click Next.

Figure 16

5. On the Choose Authentication Requirements for the Health Registration
Authority page, choose No, allow anonymous requests for health certificates,
and then click Next. This choice allows computers to be enrolled with health
certificates in a workgroup environment. We'll see an example of a workgroup
computer receiving a Health Certificate later.

Figure 17

6. On the Choose a Server Authentication Certificate for SSL Encryption page,
choose Choose an existing certificate for SSL encryption (recommended), click
the certificate displayed under this option, and then click Next.

Note:
You can view the properties of certificates in the local computer certificate store by
clicking a certificate, clicking Properties, and then clicking the Details tab. A
certificate used for SSL authentication must have a Subject field value that
corresponds to the fully qualified domain name of the HRA server (for example,
NPS1.Contoso.com), and an Enhanced Key Usage field value of Server
Authentication. The certificate must also be issued from a root CA that is trusted
by the client computer.

Figure 18

7. On the Introduction to Active Directory Certificate Services page, click Next.
8. On the Select Role Services page, verify that the Certification Authority check
box is selected, and then click Next.

Figure 19

9. On the Specify Setup Type page, click Standalone, and then click Next.

Figure 20

10. On the Specify CA Type page, click Subordinate CA, and then click Next. We
choose to use a subordinate CA because this is a more secure option, as it gives us
the option to revoke the certificate of the subordinate CA at the root CA level. The
subordinate CA is responsible for issuing certificates, while the job of the root CA
is to sign the certificates of the issuing subordinate CAs. This allows you to have
many subordinate CAs and a single root CA. In a production environment, you'll
likely keep the root CA offline and bring it online only to sign certificates of new
subordinate CAs.

Figure 21

11. On the Set Up Private Key page, click Create a new private key, and then
click Next.

Figure 22

12. On the Configure Cryptography for CA page, click Next.
13. On the Configure CA Name page, under Common name for this CA,
type msfirewall-WIN2008SRV1-CA, and then click Next.

Figure 23

14. On the Request Certificate from a Parent CA page, choose Send a certificate
request to a parent CA, and then click Browse. In the Select Certification
Authority window, click Root CA, and then click OK.

Figure 24

15. Verify that WIN2008DC.msfirewall.org\Root CA is displayed next to Parent
CA, and then click Next.

Figure 25

16. Click Next three times to accept the default database, Web server, and role services
settings, and then click Install.

Figure 26

17. Verify that all installations were successful, and then click Close. Note that the
installation results say that Attempt to configure Health Registration Authority
failed. Failed to get name of the local Certification Authority. Don't worry
about that. We'll configure the Health Registration Authority in the next steps.

Figure 27

18. Leave Server Manager open for the next procedure.

Configure the Subordinate CA on the Network Policy Server

The subordinate CA must be configured to automatically issue certificates when
NAP clients that meet NAP policy requirements request a certificate. By default,
standalone CAs wait for administrator approval before the certificate is issued. We
don't want to wait for administrator approval, so we'll configure the standalone
CA to automatically issue the certificates when the request comes in.

Perform the following steps on WIN2008SRV1:

1. On WIN2008SRV1, click Start, click Run, type certsrv.msc, and then press
ENTER.
2. In the Certification Authority console tree, right-click
msfirewall-WIN2008SRV1-CA, and then click Properties.

Figure 28

3. Click the Policy Module tab, and then click Properties.

Figure 29

4. Choose Follow the settings in the certificate template, if applicable. Otherwise,
automatically issue the certificate, and then click OK.

Figure 30

5. When you are prompted that AD CS must be restarted, click OK. Click OK, right-
click msfirewall-WIN2008SRV1-CA, point to All Tasks, and then click Stop
Service.

Figure 31

6. Right-click msfirewall-WIN2008SRV1-CA, point to All Tasks, and then
click Start Service.

Figure 32

7. Leave the Certification Authority console open for the following procedure.

Enable Permissions for the Health Registration Authority to Request, Issue
and Manage Certificates

The Health Registration Authority must be given security permissions to request,
issue, and manage certificates. It must also be granted permission to manage the
subordinate CA so that it can periodically clear expired certificates from the
certificate store.

When the Health Registration Authority is installed on a computer different from
the issuing CA, permissions must be assigned to the HRA machine name. In this
configuration, HRA and CA are located on the same computer. In this scenario,
permissions must be assigned to Network Service.

Perform the following steps on WIN2008SRV1:

1. In the left pane of the Certification Authority console, right-click
msfirewall-WIN2008SRV1-CA, and then click Properties.
2. Click the Security tab, and then click Add.

Figure 33

3. Under Enter the object names to select (examples), type Network Service, and
then click OK.

Figure 34

4. Click Network Service, and under Allow, select the Issue and Manage
Certificates, Manage CA, and Request Certificates check boxes, and then
click OK.

Figure 35

5. Close the Certification Authority console.

Configure the Health Registration Authority to use the Subordinate CA to
Issue Health Certificates

You must tell the Health Registration Authority which CA to use to issue Health
Certificates. You can use either a standalone or enterprise CA. In this example
network we're using the standalone CA installed on the WIN2008SRV1 computer.

Perform the following steps on WIN2008SRV1:

1. On WIN2008SRV1, click Server Manager.

2. In Server Manager, open Roles\Network Policy and Access Services\Health
Registration Authority (WIN2008SRV1)\Certification Authority.

Note:
If Server Manager was open when you installed the HRA server role, you might
need to close it and then open it again to access the HRA console.

3. In the left pane HRA console tree, right-click Certification Authority, and then
click Add certification authority.

Figure 36

4. Click Browse, click msfirewall-WIN2008SRV1-SubCA, and then click OK. See
the following example.

Figure 37

5. Click OK, and then click Certification Authority and verify
that \\WIN2008SRV1.msfirewall.org\msfirewall-WIN2008SRV1-CA is
displayed in the details pane. Next, we will configure properties of this standalone
CA.

The Health Registration Authority can be configured to use either a standalone or
enterprise CA. The CA properties (which we will configure next) that are
configured on the Health Registration Authority must correspond to the type of
selected CA.

Figure 38

6. Right-click Certification Authority, and then click Properties.

Figure 39

7. Verify that Use standalone certification authority is selected and that the value
under The certificates approved by this Health Registration Authority will be
valid for is 4 hours, and then click OK. See the following example.

Figure 40

8. Close Server Manager.

Configure NAP with a wizard

The NAP configuration wizard helps you to set up NPS as a NAP health policy
server. The wizard provides commonly used settings for each NAP enforcement
method, and automatically creates customized NAP policies for use with your
network design. You can access the NAP configuration wizard from the NPS
console.

1. Click Start, click Run, type nps.msc, and then press ENTER.
2. In the left pane of the Network Policy Server console, click NPS (Local).

Figure 1

3. In the details pane, under Standard Configuration, click Configure NAP. The
NAP configuration wizard will start. On the Select Network Connection Method
for Use with NAP page, under Network connection method, select IPsec with
Health Registration Authority (HRA), and then click Next.

Figure 2

4. On the Specify NAP Enforcement Servers Running HRA page, click Next.
Because this NAP health policy server has HRA installed locally, we do not need
to add RADIUS clients.

Figure 3

5. On the Configure User Groups and Machine Groups page, click Next. You do
not need to configure groups for this test lab.

Figure 4

6. On the Define NAP Health Policy page, verify that Windows Security Health
Validator and Enable auto-remediation of client computers check boxes are
selected, and then click Next.

Figure 5

7. On the Completing NAP Enforcement Policy and RADIUS Client
Configuration page, click Finish.

Figure 6

8. Leave the Network Policy Server console open for the following procedure.

Figure 7

Configure the Windows Security Health Validator

By default, the Windows SHV is configured to require firewall, virus protection,
spyware protection, and automatic updating. For this test network, we will begin
by requiring only that Windows Firewall is enabled. Then we'll later play with the
policies to show how machines can be made compliant and non-compliant.

Perform the following steps on WIN2008SRV1:

1. In the left pane of the Network Policy Server console, open Network Access
Protection, and then click System Health Validators. In the middle pane of the
console, under Name, double-click Windows Security Health Validator.

Figure 8

2. In the Windows Security Health Validator Properties dialog box,
click Configure.

Figure 9

3. Clear all check boxes except A firewall is enabled for all network connections.

Figure 10

4. Click OK to close the Windows Security Health Validator dialog box, and then
click OK to close the Windows Security Health Validator Properties dialog
box.
5. Close the Network Policy Server console.

Configure the NAP CLIENT Settings in Group Policy

The following NAP client settings will be configured in a new Group Policy object
(GPO) using the Group Policy Management console on WIN2008DC:

NAP enforcement clients: This tells the client machines what enforcement
method to use for NAP. In our example we're using the HRA/IPsec enforcement
client.
NAP Agent service: This is the client-side service that allows the client to be NAP
aware.
Security Center user interface: This allows the NAP client service to provide
information to the users regarding the current security state of the machine.

After these settings are configured in the GPO, security filters will be added to
enforce the settings on computers you specify. The following section describes
these steps in detail.

Perform the following steps on WIN2008DC to create the Group Policy Object
and the Group Policy settings for the GPO for the NAP Clients:

1. On WIN2008DC, click Start, click Run, type gpme.msc, and then press ENTER.
2. In the Browse for a Group Policy Object dialog box, next to msfirewall.org,
click the icon to create a new GPO, type NAP Client GPO for the name of the
new GPO, and then click OK.

Figure 11

3. The Group Policy Management Editor window will open. Navigate to Computer
Configuration/Policies/Windows Settings/Security Settings/System Services.
4. In the details pane, double-click Network Access Protection Agent.
5. In the Network Access Protection Agent Properties dialog box, select the Define
this policy setting check box, choose Automatic, and then click OK.

Figure 12

6. In the left pane of the console, open Network Access Protection\NAP Client
Configuration\Enforcement Clients.
7. In the details pane, right-click IPSec Relying Party, and then click Enable.

Figure 13

8. In the left pane of the console, under NAP Client Configuration, open Health
Registration Settings\Trusted Server Groups. Right-click Trusted Server
Groups, and then click New.

Figure 14

9. In the Group Name window, type HRA Servers, and then click Next.

Figure 15

10. In the Add Servers window, under Add URLs of the health registration
authority that you want the client to trust,
type https://win2008srv1.msfirewall.org/domainhra/hcsrvext.dll, and then
click Add. This is the Web site that will process domain-authenticated requests for
health certificates.

Figure 16

11. Click Finish to complete the process of adding HRA trusted server groups.
12. In the console tree, click Trusted Server Groups, and then in the details pane,
click Trusted HRA Servers. Verify the URL you typed in the details pane
under Properties. The URL must be entered correctly, or the client computer will
be unable to obtain a health certificate, and will be denied access to the IPsec-
protected network.

Figure 17

13. In the left pane of the console, right-click NAP Client Configuration, and then
click Apply.
14. In the console tree, navigate to Computer
Configuration\Policies\Administrative Templates\Windows
Components\Security Center.
15. In the details pane, double-click Turn on Security Center (Domain PCs only),
choose Enabled, and then click OK.

Figure 18

16. Return to the Network Access Protection\NAP Client
Configuration\Enforcement Clients node. Right-click Enforcement Clients and
then click Refresh. If the IPsec Relying Party status shows as Disabled,
right-click it again and click Enable. Then click on the NAP Client
Configuration node again, right-click it, and click Apply.
17. If you are prompted to apply settings, click Yes.

Limit Scope of NAP CLIENT Group Policy Object using Security Group
Filtering

Next, configure security filters for the NAP client settings GPO. This prevents
NAP client settings from being applied to server computers in the domain.

1. On WIN2008DC, click Start, click Run, type gpmc.msc, and press ENTER.
2. In the Group Policy Management Console (GPMC) tree, navigate to Forest:
msfirewall.org\Domains\msfirewall.org\Group Policy Objects\NAP Client
GPO. In the details pane, under Security Filtering, click Authenticated Users,
and then click Remove.

Figure 19

3. When you are prompted to confirm the removal of delegation privilege, click OK.
4. In the details pane, under Security Filtering, click Add.
5. In the Select User, Computer, or Group dialog box, under Enter the object
name to select (examples), type NAP client computers, and then click OK.

Figure 20

Figure 21

6. Close the Group Policy Management console.

Note that at this time, the NAP client security group currently has no
members. VISTASP1 and VISTASP1-2 will be added to this security group
after each is joined to the domain.

Configure VISTASP1 and VISTASP1-2 for Testing

Now we're ready to start configuring the client components of the system. In this
section, we'll do the following:

Join VISTASP1 to the domain
Add VISTASP1 to the NAP CLIENTS Group
Confirm NAP Group Policy Settings on VISTASP1
Export the Enterprise Root CA Certificate from VISTASP1
Import the Root CA Certificate on to VISTASP1-2
Manually Configure NAP Client Settings on VISTASP1-2
Start the NAP Agent on VISTASP1-2
Configure the Windows Firewall with Advanced Security to allow VISTASP1 and
VISTASP1-2 to PING Each Other

Join VISTASP1 to the Domain

When configuring VISTASP1, use the following instructions. When
configuring VISTASP1-2, perform the verification of health certificate enrollment
procedure before you join VISTASP1-2 to the msfirewall.org domain. VISTASP1-2
is not joined to the domain for the verification of health certificate enrollment
procedure to illustrate that different health certificates are provisioned on client
computers in domain and workgroup environments.

So, we'll first look at how domain-joined machines receive certificates when we
join VISTASP1 to the domain, and then we'll manually configure VISTASP1-2
as a NAP client, and see how non-domain member machines receive health
certificates and network access.

Perform the following steps on VISTASP1 to join the machine to the domain:

1. Click Start, right-click Computer, and then click Properties.
2. In the System window, click the Advanced System Settings link.
3. In the System Properties dialog box, click the Computer Name tab, then
click Change.

Figure 22

4. In the Computer Name/Domain Changes dialog box, select Domain, and then
type msfirewall.org.

Figure 23

5. Click More, and in Primary DNS suffix of this computer, type msfirewall.org.

Figure 24

6. Click OK twice.
7. When prompted for a user name and password, type the Administrator domain
account, and then click OK.

Figure 25

8. When you see a dialog box that welcomes you to the msfirewall.org domain, click OK.

Figure 26

9. When you see a dialog box that prompts you to restart the computer, click OK.

Figure 27

10. In the System Properties dialog box, click Close.

11. In the dialog box that prompts you to restart the computer, click Restart Later.
Before you restart the computer, you must add it to the NAP client computers
security group.

Figure 28

Add VISTASP1 to the NAP CLIENTS Group

After joining the domain, VISTASP1 must be added to the NAP Clients group so
that it can receive NAP client settings from the Group Policy Object that we
configured.

Perform the following steps on WIN2008DC:

1. On WIN2008DC, click Start, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the left pane of the console, click msfirewall.org.
3. In the details pane, double-click NAP Clients.
4. In the NAP Clients Properties dialog box, click the Members tab, and then
click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object
Types, select the Computers check box, and then click OK.
6. Under Enter the object names to select (examples), type VISTASP1, and then
click OK.

Figure 29

7. Verify that VISTASP1 is displayed below Members, and then click OK.

Figure 30

8. Close the Active Directory Users and Computers console.
9. Restart VISTASP1.
10. After VISTASP1 has been restarted, log on as the msfirewall.org domain
Administrator.

Confirm NAP Group Policy Settings on VISTASP1

After it has been restarted, VISTASP1 will receive Group Policy settings to enable
the NAP Agent service and IPsec enforcement client. The command line will be
used to verify these settings.

1. On VISTASP1, click Start, click Run, type cmd, and then press ENTER.
2. In the command window, type netsh nap client show grouppolicy, and then press
ENTER.
3. In the command output, under Enforcement clients, verify that the Admin status
of the IPSec Relying Party is Enabled. In the command output, under Trusted
server group configuration, verify that Trusted HRA Servers is displayed next
to Group, that Enabled is displayed next to Require Https, and that the Domain
HRA Web site URL you configured in a previous procedure is displayed next
to URL.

Figure 31

4. In the command window, type netsh nap client show state, and then press
ENTER.
5. In the command output, under Enforcement client state, verify that
the Initialized status of the IPSec Relying Party is Yes.

Figure 32

6. Close the command window.

Export the Enterprise Root CA Certificate from VISTASP1

Because VISTASP1-2 is not joined to the domain and does not trust the
msfirewall.org root CA, it will fail to trust the SSL certificate on WIN2008SRV1.
To allow VISTASP1-2 to access the Health Registration Authority using SSL, you
must import a root CA certificate into the Trusted Root Certification Authorities
container on VISTASP1-2. This is accomplished by exporting the certificate
from VISTASP1 and then importing it on VISTASP1-2.

1. On VISTASP1, click Start, enter Run in the Search text box, and press
ENTER.
2. In the Run dialog box, enter mmc and click OK.
3. On the File menu, click Add/Remove Snap-in.
4. Click Certificates, click Add, select Computer account, and then click Next.
5. Verify that Local computer: (the computer this console is running on) is
selected, click Finish, and then click OK.
6. In the console tree, open Certificates (Local Computer)\Trusted Root
Certification Authorities\Certificates. In the details pane, right-click Root CA,
point to All Tasks, and then click Export.

Figure 33

7. On the Welcome to the Certificate Export Wizard page, click Next.
8. On the Export File Format page, click Next.

Figure 34

9. On the File to Export page, type a path and name for the CA certificate file in
the File name text box. In this example we'll enter c:\cacert. Click Next.

Figure 35

10. Click Finish on the Completing the Certificate Export Wizard page.
11. Verify that The export was successful is displayed, and then click OK.

Figure 36

12. Copy the CA certificate file to VISTASP1-2.

Import the Root CA Certificate on to VISTASP1-2

Now we're ready to install the CA certificate on VISTASP1-2. After the certificate
is installed, VISTASP1-2 will trust our CAs so that it can take advantage of our
Health Registration Authority after we manually configure this machine to use
NAP.

Perform the following steps on VISTASP1-2:

1. On VISTASP1-2, click Start, and enter Run in the search box.
2. Enter mmc in the Run dialog box, and then press ENTER.
3. On the File menu, click Add/Remove Snap-in.
4. Click Certificates, click Add, select Computer account, and then click Next.

5. Verify that Local computer: (the computer this console is running on) is
selected, click Finish, and then click OK.
6. In the console tree, open Certificates (Local Computer)\Trusted Root
Certification Authorities\Certificates.
7. Right click Certificates, point to All Tasks, and then click Import.

Figure 37

8. On the Welcome to the Certificate Import Wizard page, click Next.
9. On the File to Import page, click Browse.
10. Browse to the location where you saved the root CA certificate from VISTASP1,
and click Open.
11. On the File to Import page, verify the location of the root CA certificate file is
displayed under File name, and then click Next.

Figure 38

12. On the Certificate Store page, select Place all certificates in the following store,
verify that Trusted Root Certification Authorities is displayed under Certificate
store, and then click Next.

Figure 39

13. On the Completing the Certificate Import Wizard page, click Finish.
14. Verify that The import was successful is displayed, and then click OK.

Figure 40

Manually Configure NAP Client Settings on VISTASP1-2

Because VISTASP1-2 is not joined to the domain, it can't receive NAP settings
from Group Policy. However, we can still configure the machine to receive NAP
settings by manually configuring the machine to work with our NAP architecture.
After we demonstrate that we can make non-domain machines work with NAP,
we'll join VISTASP1-2 to the domain so that it can receive its NAP settings from
Group Policy.

1. On VISTASP1-2, click Start, and enter Run in the search box.
2. Enter napclcfg.msc, and then press ENTER.

Figure 41

3. In the NAP Client Configuration console tree, open Health Registration Settings.
4. Right-click Trusted Server Groups, and then click New.

Figure 42

5. Under Group Name, type Trusted HRA Servers, and then click Next.

Figure 43

6. Under Add URLs of the health registration authority that you want the client
to trust, type https://win2008srv1.msfirewall.org/domainhra/hcsrvext.dll, and
then click Add. This is the Web site that will process domain-authenticated
requests for health certificates. Because this is the first server in the list, client
computers will attempt to obtain a health certificate from this trusted server first.
7. Under Add URLs of the health registration authority that you want the client
to trust, type https://win2008srv1.msfirewall.org/nondomainhra/hcsrvext.dll,
and then click Add. This is the Web site that will process anonymous requests for
health certificates. Because this is the second server in the list, clients will not
make requests to this server unless the first server fails to provide a certificate.
8. Click Finish to complete the process of adding HRA trusted server groups.

Figure 44

9. In the left pane of the console, click Trusted Server Groups.
10. In the right pane of the console, click HRA Servers.
11. Verify the URLs you typed in the details pane under Properties. The URLs must
be entered correctly, or the client computer will be unable to obtain a health
certificate, and will be denied access to the IPsec-protected network.

Figure 45

12. In the NAP Client Configuration console tree, click Enforcement Clients.
13. In the details pane, right-click IPSec Relying Party, and then click Enable.

Figure 46

14. Close the NAP Client Configuration window.

Figure 47

Start the NAP Agent on VISTASP1-2

Now we need to start the NAP Client Service on VISTASP1-2.

Perform the following steps on VISTASP1-2:

1. On VISTASP1-2, click Start, point to All Programs, click Accessories, right-click
Command Prompt, and then click Run as administrator.
2. In the command window, type net start napagent, and then press ENTER.
3. In the command output, verify that The Network Access Protection Agent
service was started successfully is displayed.

Figure 48

4. Leave the command window open for the following procedure.

Confirm NAP Policy Settings on VISTASP1-2

VISTASP1-2 will receive NAP client settings from local policy. We can verify
these settings from the command line.

Perform the following steps on VISTASP1-2:

1. In the command prompt, type netsh nap client show configuration, and then
press ENTER.
2. In the command output, under Enforcement clients, verify that the Admin status
of the IPSec Relying Party is Enabled. Under Trusted server group
configuration, verify that Trusted HRA Servers is displayed next to Group,
that Enabled is displayed next to Require Https, and that the DomainHRA and
NonDomainHRA Web site URLs you configured in the previous procedure are
displayed next to URL.

Figure 49

3. In the command window, type netsh nap client show state, and then press
ENTER. In the command output, under Enforcement client state, verify that
the Initialized status of the IPSec Relying Party is Yes.

Figure 50

4. Close the command prompt.
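Scripted equivalent of the NAP Client Configuration steps in the two procedures above, as an added example that is not part of the original guide: it builds the trusted server group with the netsh nap client context and then checks the same items the guide reads from show configuration and show state. It assumes an elevated PowerShell 2.0 prompt on VISTASP1-2, the netsh nap client add trustedservergroup / add server / set enforcement syntax, and that Initialized = Yes follows the IPSec Relying Party line in the show state output.

```powershell
# Added example, not from the original guide: netsh equivalent of the NAP Client
# Configuration console steps, followed by the checks the guide performs by eye.
# Assumptions: elevated prompt on VISTASP1-2; HRA URLs are this lab's.
$group   = "Trusted HRA Servers"
$hraUrls = @(
    "https://win2008srv1.msfirewall.org/domainhra/hcsrvext.dll",     # tried first (domain-authenticated)
    "https://win2008srv1.msfirewall.org/nondomainhra/hcsrvext.dll"   # fallback for anonymous requests
)

# Trusted server group. requirehttps=enable is the console's "Require Https" check box:
# the SoH and the issued health certificate are never exchanged over plain HTTP.
netsh nap client add trustedservergroup group="$group" requirehttps=enable

# Server order matters: the client only falls through to the second URL if the first fails.
$order = 1
foreach ($url in $hraUrls) {
    netsh nap client add server group="$group" url="$url" processingorder=$order
    $order++
}

# Enable the IPsec Relying Party enforcement client (79619 is its fixed enforcement ID).
netsh nap client set enforcement id=79619 admin=enable

# The "net start napagent" step, plus making the agent start on boot.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Verification: same facts the guide checks in "show configuration" and "show state".
function Test-NapClientSetup {
    $config   = (netsh nap client show configuration) -join "`n"
    $state    = (netsh nap client show state) -join "`n"
    $problems = @()
    if ($config -notmatch [regex]::Escape($group)) { $problems += "trusted server group '$group' not present" }
    foreach ($url in $hraUrls) {
        if ($config -notmatch [regex]::Escape($url)) { $problems += "HRA URL missing: $url" }
    }
    if ($config -match "http://") { $problems += "a trusted HRA URL uses plain HTTP" }
    # Assumes "Initialized = Yes" appears after the "IPSec Relying Party" line, as in the
    # listing the guide asks you to read.
    if ($state -notmatch "IPSec Relying Party[\s\S]*?Initialized\s*=\s*Yes") {
        $problems += "IPsec Relying Party enforcement client is not initialized"
    }
    if ((Get-Service -Name napagent).Status -ne "Running") { $problems += "napagent service is not running" }
    return $problems
}

$issues = @(Test-NapClientSetup)
if ($issues.Count -eq 0) { "NAP client configuration verified" }
else { $issues | ForEach-Object { Write-Warning $_ } }
```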


Configure the Windows Firewall with Advanced Security to allow VISTASP1
and VISTASP1-2 to PING Each Other

Ping will be used to verify the network connectivity of VISTASP1 and VISTASP1-2.
To enable VISTASP1 and VISTASP1-2 to respond to ping, an exemption rule for
ICMPv4 must be configured in Windows Firewall.

Perform the following steps on VISTASP1 and VISTASP1-2 so that these machines
can ping each other through the Windows Firewall with Advanced Security:

1. Click Start, enter Run in the search text box and press ENTER. Type wf.msc in
the Run text box, and then press ENTER.
2. In the left pane of the console, right-click Inbound Rules, and then click New
Rule.

Figure 51
3. Choose Custom, and then click Next.

Figure 52

4. Choose All programs, and then click Next.

Figure 53

5. Next to Protocol type, select ICMPv4, and then click Customize.

Figure 54

6. Choose Specific ICMP types, select the Echo Request check box, click OK, and
then click Next.

Figure 55

7. Click Next to accept the default scope.

Figure 56

8. On the Action page, verify that Allow the connection is chosen, and then
click Next.

Figure 57

9. Click Next to accept the default profile.


10. In the Name window, under Name, type Allow Ping Inbound, and then
click Finish.

Figure 58

11. Close the Windows Firewall with Advanced Security console.
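The same Allow Ping Inbound rule created from the command line, as an added example rather than a step from the original guide: netsh advfirewall builds the rule the wizard above produces, and the check confirms both that the rule is enabled and that the peer answers. The 10.0.0.0/24 remote address scope is a constructed value that narrows the wizard's default of any address; replace it with your lab subnet or omit remoteip.

```powershell
# Added example, not from the original guide: "Allow Ping Inbound" built with
# netsh advfirewall (Vista / Server 2008 era), then verified end to end.
$ruleName  = "Allow Ping Inbound"
$labSubnet = "10.0.0.0/24"   # constructed value; tighter than the wizard's default "any address" scope

# icmpv4:8,any = ICMP type 8 (Echo Request), any code, which is exactly what
# "Specific ICMP types -> Echo Request" selects in the wizard.
# dir=in / action=allow / profile=any mirror the wizard's Direction, Action and Profile pages.
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=icmpv4:8,any profile=any remoteip=$labSubnet

function Test-PingRule {
    param([string]$Peer)   # VISTASP1 or VISTASP1-2, whichever is the other machine
    # The rule must exist and be enabled on this host ...
    $rule = (netsh advfirewall firewall show rule name="$ruleName") -join "`n"
    if ($rule -notmatch "Enabled:\s+Yes") { return "rule '$ruleName' missing or disabled" }
    # ... and the peer must actually answer. Test-Connection sends ICMP echo requests.
    if (-not (Test-Connection -ComputerName $Peer -Count 2 -Quiet)) { return "$Peer did not answer ping" }
    return "ok"
}

Test-PingRule -Peer "VISTASP1-2"
```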

Confirm that both VISTASP1 and VISTASP1-2 have Health Certificates

Use the following procedure to verify health certificate enrollment of VISTASP1
in a domain-authenticated environment and VISTASP1-2 in a workgroup
environment.

Perform the following steps on both VISTASP1 and VISTASP1-2:

1. Open the Run dialog box and enter mmc, then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Click Certificates, click Add, select Computer account, and then click Next.
4. Verify that Local computer: (the computer this console is running on) is
selected, click Finish, and then click OK.
5. In the left pane of the console, double-click Certificates (Local Computer),
double-click Personal, and then click Certificates.
6. In the details pane, under Issued By, verify the subordinate CA, msfirewall-
WIN2008SRV1-CA, is displayed. Verify that Intended Purposes shows System
Health Authentication. Because VISTASP1-2 has not yet authenticated to
the msfirewall.org domain, the client name is not displayed under Issued To, and
the certificate purpose of Client Authentication does not appear. Verify that the
certificate on VISTASP1-2 has Intended Purposes of System Health
Authentication. This is a valid NAP health certificate for client computers in a
workgroup environment. A domain-authenticated health certificate similar to the
certificate obtained on VISTASP1.

Figure 1

Figure 2

7. Close the Certificates console.

Join VISTASP1-2 to the Domain

Use the same procedure you used earlier to join VISTASP1 to the msfirewall.org
domain to join VISTASP1-2 to the msfirewall.org domain. Log on as the domain
administrator after the machine restarts.

Verify Auto-remediation on VISTASP1

The NAP IPsec with HRA Noncompliant network policy specifies that
noncompliant computers should be automatically remediated. The following
procedure will verify that VISTASP1 is automatically remediated when Windows
Firewall is turned off.

1. On VISTASP1, open the Run dialog box, and enter firewall.cpl, then press
ENTER.
2. In Windows Firewall control panel, click Change settings, click Off (not
recommended), and then click OK.
3. You might see a message in the notification area that indicates the computer does
not meet health requirements. This message is displayed because Windows
Firewall has been turned off. Click this message for more detailed information
about the health status of VISTASP1. See the following example.

Figure 3

4. The NAP client will automatically turn Windows Firewall on to become compliant
with network health requirements. The following message will appear in the
notification area: This computer meets the requirements of this network.

Figure 4

5. Because auto-remediation occurs rapidly, you might not see these messages. To
renew the NAP notification icon, type napstat at the command prompt, and then
press ENTER.

Verify NAP policy enforcement on VISTASP1

Now let's see how we can verify that NAP policy enforcement is being applied on
the client systems. We'll begin by testing with VISTASP1. To test this, we'll
perform the following procedures:

Configure the Windows SHV to be more restrictive by requiring that machines
have anti-virus applications installed. Since we don't have any AV software
installed on any of the clients, the clients won't be able to meet the requirements
set forth in the SHV.

Refresh the SoH on VISTASP1. This will cause the client to send a new Statement
of Health to the Health Registration Authority and will report that the client has
fallen out of compliance.
Confirm that the client health certificate is removed. The Health Certificate is
removed because the client has fallen out of compliance.
Restore health policy to a less restrictive state so that the client can be compliant.
We will remove the AV requirement so that the client can become compliant
again.
Refresh the SoH on VISTASP1 to show that the machine is now compliant with the
new policy.
Confirm that the client health certificate is restored.

Configure WSHV to require an antivirus application

First, configure NAP policy to require an antivirus application, causing CLIENT1
to be noncompliant.

Perform the following steps on WIN2008SRV1:

1. On WIN2008SRV1, click Start, click Run, type nps.msc, and then press ENTER.
2. In the left pane of the console, open Network Access Protection, and then
click System Health Validators.

Figure 5

3. In the details pane, double-click Windows Security Health Validator, and then
click Configure.

Figure 6

4. In the Windows Security Health Validator dialog box, under Virus Protection,
select the check box next to An antivirus application is on.

Figure 7

5. Click OK, and then click OK again to close the Windows Security Health
Validator Properties window.
6. Leave the NPS console open for the following procedures.

Refresh the SoH on VISTASP1

Because health policies were changed after VISTASP1 received a health
certificate, we need to trigger the sending of a new Statement of Health
from VISTASP1 that will be evaluated against the more restrictive health policies.
This will occur when the health certificate on VISTASP1 expires, or when a
change in client health status is detected. We can produce a change in health status
by turning off the Windows Firewall.

Perform the following steps on VISTASP1:

1. On VISTASP1, click Start, and then click Control Panel.
2. Click Security, click Windows Firewall, and then click Change settings.

3. In the Windows Firewall Settings dialog box, click Off (not recommended), and
then click OK.

Figure 8

4. Windows Firewall is turned back on automatically because auto-remediation is
enabled. However, because NAP policies now require an antivirus
application, VISTASP1 will remain in a noncompliant state and will be unable to
obtain a health certificate.

Confirm health certificate removal

Next, view computer certificates on CLIENT1 to verify that the health certificate
has been removed.

1. On VISTASP1, open the Run dialog box and type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Click Certificates, click Add, select Computer account, and then click Next.
4. Verify that Local computer: (the computer this console is running on) is
selected, click Finish, and then click OK.
5. In the console tree, open Certificates (Local Computer)\Personal.
6. Verify that no health certificate is present.

Figure 9

7. Leave the Certificates console open for the following procedures.

Remove the antivirus health requirement so that VISTASP1 can become compliant

Change NAP policies so that VISTASP1 can become compliant.

1. On WIN2008SRV1, in the left pane of the NPS console, open Network Access
Protection, and then click System Health Validators.
2. Double-click Windows Security Health Validator, and then click Configure.
3. In the Windows Security Health Validator dialog box, under Virus Protection,
clear the check box next to An antivirus application is on.

Figure 10

4. Click OK, and then click OK again to close the Windows Security Health
Validator Properties window.
5. Close the NPS console.

Refresh the SoH on VISTASP1

Perform the preceding procedure to refresh the SoH on VISTASP1 by turning
Windows Firewall off. A new SoH will be triggered, and Windows Firewall will
be turned on. Because VISTASP1 is now compliant with NAP policies, it will be
provisioned with a health certificate.

View computer certificates on VISTASP1 to verify that the health certificate has
been restored.

1. On VISTASP1, in the Certificates console, in the console tree, click Personal.
2. Right-click inside the details pane, and then click Refresh. Verify that a health
certificate is present.

Figure 11

8.2.1.1
Windows Server Update Services (WSUS)

We will be installing the WSUS role on a separate server. Our lab requirements are
listed below:

Installing Prerequisites

Login to WSUS.PRAJWAL.LOCAL with the user account wsusadmin. Launch
the Server Manager, right click Features, click Add Features. On the Select
Features Page click .NET Framework 3.5.1 Features, a window pops up asking
you to install additional role services, click on Add Required Role Services. Click
Next.

Click Next.

The following IIS services must be installed and running for WSUS to work:

HTTP Static Content
ASP.NET
Windows authentication
Dynamic content compression
IIS Metabase Compatibility

Once you have selected the services, click on Install.

The selected services have been installed. Click Close.

Before we start the WSUS installation, we require another piece of software
called Microsoft Report Viewer Redistributable 2008. The software is available
here: http://www.microsoft.com/en-in/download/details.aspx?id=6576

The Microsoft Report Viewer 2008 Redistributable Package includes Windows
Forms and ASP.NET Web server controls for viewing reports designed using
Microsoft reporting technology.
Double click the report viewer setup file and click Next.
Double click the report viewer setup file and click Next.

Accept the license terms and click Install.

Once the setup is complete, click Finish.

Installing WSUS 3.0 SP2 on Windows Server

Note: You can also install WSUS 3.0 SP2 by launching the Server
Manager, Roles, Add Roles, Windows Server Update Services. Since we have
already downloaded the setup file, we will use the setup file to launch the installation of
WSUS.

Double click the file WSUS30-KB972455-x64.exe. On the Setup Wizard page
click Next.

Select Full server installation including Administrator Console. Click Next.

Read the license terms and click on I accept the terms of the license agreement.
Click Next.

We will store the updates locally, and the updates will be stored on another drive, E:. It's
not recommended to store the updates on the C: drive, because if the OS crashes then
the updates are also lost along with it. Click Next.

Click on first option, Use the existing IIS Default web site
(recommended). Click Next.

It would take close to 2-3 minutes to complete installation. Once completed click
Finish.

On completing the WSUS setup, the WSUS configuration Wizard is launched.
Click Next.

If you would like to join the Microsoft Update Improvement Program, check the
box and click Next.

Select the first option if you want to synchronize from Microsoft Update. In case
you have an existing WSUS server in your environment, choose the second
option, Synchronize from another WSUS server, providing the server name and
port number. We will be going with the first option here. Click Next.

We have not configured any Proxy server so leave this page to default and click
Next.

Click on Start Connecting. In this step the WSUS server synchronizes and
collects the types of updates available, product categories and languages. It
takes around 4-5 minutes to complete this step. Once completed, click Next.

Choose the language as English. Click Next.

In the Choose Products page, we will choose Windows 7, as the client that we have
is installed with Windows 7. Click Next.

In the Choose Classifications page we will choose Critical Updates, Security
Updates and Definition Updates. Click Next.

Set Sync Schedule to Synchronize automatically and set the time for First
Synchronization. Set Synchronizations per day to 1. This means the
synchronization happens automatically at 2:00 PM every day. Click Next.

Click Next. This will launch the WSUS administrator console and will begin
the initial synchronization.

As of now we see from the WSUS console that updates are being synchronized.

We will now configure Automatic Approval Rule, with this the updates would
be approved, downloaded and installed on the client computers.

Note: Be careful while you create and deploy the Automatic Approval rule. Once
the rule is created and run, the selected updates will be installed automatically on the
client machines. It is recommended that you have a separate set of clients for
testing the updates first and then deploy the updates to client machines that are in
production.
On the WSUS Console, click on Options, click Automatic Approvals.

Check the Default Automatic Approval Rule. Let's look at the Rule Properties. When
an update is in Critical updates, Security Updates then approve the update for
all computers.

By default all the computers that are discovered are placed under All
computers, Unassigned Computers.

Click on Automatic Approvals, click the Advanced tab. We see that all the options
are enabled here. Let's understand what they are:

WSUS Updates: Any update to the WSUS product is approved automatically.

Revisions to Updates: If an approved update has a new revision then the update
is approved automatically. If the new revision of an update causes the old version
of the update to expire, it is declined automatically.

On the Automatic Approvals window, select the rule and click Edit. Check the
box When an update is in a specific product and, in the Edit the properties
section, select the product as Windows 7. The update will be approved for all
computers. Click OK.

Let's see the Approval status before we run the rule; it clearly shows that All
Updates are Not Approved.

Now let's run the default automatic approval rule. Click Run Rule. The updates
will be approved now.

Let's check the WSUS Console for the Approval Status of All Updates. The
Approval Status is now Install.

Now we will configure Group policy to deploy the updates to the client machines.
Login to Domain Controller with domain administrator account. Click on Start,
Administrative tools, Group Policy Management. Right click the domain and
click Create a GPO in this domain and link it here.

Name the policy WSUS Update policy, then right-click it and click Edit.

Navigate to Computer Configuration, Policies, Administrative
Templates, Windows Components, Windows Update.

Double click the policy Specify intranet Microsoft update service
location. Click Enabled, and under Options set http://wsus.prajwal.local as
the intranet update service for detecting updates. This way we are forcing the
clients to download the Windows updates from the WSUS server. Click Apply and
OK.

On the same page, double click the policy Configure Automatic
Updates. Under Options select 3 - Auto download and notify for install.
Set Scheduled install day to 0 - Every day, and set Scheduled install time to 10:00
(you can set these options as per your requirement). This means Windows finds
updates that apply to your computer and downloads these updates in the
background (the user is not notified or interrupted during this process). When the
download is complete, the icon appears in the status area, with notification that the
updates are ready to be installed. Clicking the icon or message provides the option
to select which updates to install. Click Apply and OK. Close the Group Policy
Management console.
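A read-back of the client-side result of the two policies above, as an added example (not part of the original guide): it reads the Windows Update policy registry values the GPO writes on the Windows 7 client, decodes them, and flags the settings worth checking before trusting the update notification. The registry paths and value names are the standard Windows Update policy locations; wsus.prajwal.local is the guide's server, and the script assumes PowerShell 2.0 on the client after a gpupdate.

```powershell
# Added example, not from the original guide: verify what the "WSUS Update policy"
# GPO actually set on a client. Run on CLIENT.PRAJWAL.LOCAL after "gpupdate /force".
$wuKey          = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auKey          = "$wuKey\AU"
$expectedServer = "http://wsus.prajwal.local"   # value configured in the guide

$auOptionNames = @{ 2 = "Notify for download and install"; 3 = "Auto download and notify for install";
                    4 = "Auto download and schedule install"; 5 = "Local admin chooses setting" }
$dayNames = @("Every day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")

function Get-WsusClientPolicy {
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer       = $wu.WUServer         # "Specify intranet Microsoft update service location"
        WUStatusServer = $wu.WUStatusServer   # reporting server, normally identical
        UseWUServer    = $au.UseWUServer      # 1 = honour WUServer, 0 = ignore it
        AUOptions      = $au.AUOptions        # "Configure Automatic Updates" mode (3 in the guide)
        InstallDay     = $au.ScheduledInstallDay
        InstallTime    = $au.ScheduledInstallTime
    }
}

function Test-WsusClientPolicy {
    param($Policy = (Get-WsusClientPolicy))
    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += "UseWUServer is not 1: WUServer is ignored and the client contacts Microsoft Update directly"
    }
    if ($Policy.WUServer -ne $expectedServer) {
        $findings += "WUServer is '$($Policy.WUServer)', expected '$expectedServer'"
    }
    if ($Policy.WUStatusServer -ne $Policy.WUServer) {
        $findings += "WUStatusServer differs from WUServer; client status will not reach the WSUS reports"
    }
    if ($Policy.WUServer -like "http://*") {
        # The guide's lab uses plain HTTP. Clients cannot authenticate the server over HTTP;
        # Microsoft's guidance is to front WSUS with SSL and a certificate the clients trust.
        $findings += "WSUS URL is plain HTTP; prefer https:// with a trusted server certificate"
    }
    if ($Policy.AUOptions -ne 3) {
        $findings += "AUOptions=$($Policy.AUOptions) ($($auOptionNames[[int]$Policy.AUOptions])), guide expects 3"
    }
    return $findings
}

$p = Get-WsusClientPolicy
"Update server : $($p.WUServer)"
"Auto update   : $($auOptionNames[[int]$p.AUOptions])"
"Schedule      : $($dayNames[[int]$p.InstallDay]) at $($p.InstallTime):00"
$issues = @(Test-WsusClientPolicy $p)
if ($issues.Count -eq 0) { "WSUS client policy matches the GPO" }
else { $issues | ForEach-Object { Write-Warning $_ } }

# Ask the Windows Update agent to contact the WSUS server now rather than waiting
# for its next detection cycle (this is what produces the notification the guide shows).
wuauclt /detectnow
```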

After a few minutes we can see a Windows Update notification on the client
machine, CLIENT.PRAJWAL.LOCAL.

When you double click the windows update icon, we see that 37 important updates
are available.

On the WSUS Server, login with user account wsusadmin, Click Start, click All
Programs, click Administrative Tools, and then click Windows Server Update
Services.

On the left hand side of the console click on Synchronizations. This displays the
number of times synchronization has been done (manually or scheduled).

Right click on one of the Synchronization and click Synchronization Report.

Note: To view this report properly you will require Microsoft Report Viewer:
http://www.microsoft.com/en-in/download/details.aspx?id=6576. The report
generated is shown in the below screenshot. In the synchronization report,
under report options we see the start time and end time of the
synchronization, the report creation date and time, and the server used for reporting
data. Under synchronization summary we see that there are 472 new updates that
have been synchronized.

Let's now move on to reports. We find a lot of options related to reports, which
include Update reports, Computer reports and Synchronization reports.

Update Status Summary: This report shows the summary of update status,
displaying one page per update. The report information includes the update
description, product category, MSRC severity rating and MSRC number.

Update Detailed Status: This report shows the summary of update status,
displaying the update status of all computers for each update.

Update Tabular Status: This report shows the summary of update status in tabular
view. The report can be exported to a spreadsheet.

Update Tabular Status for Approved Updates: This report is similar to
the Update Tabular Status report, but the update status is shown only for approved updates.

Computer Status Summary: This report shows the summary of computer status
with one page per computer.

Computer Detailed Status: This report shows details of each computer's status
with update status for each update.

Computer Tabular Status: This report shows the summary of computer update
status in tabular view.

Computer Tabular Status for Approved Updates: This report shows the summary
of computer update status in tabular view for approved updates.

Synchronization Reports: This report shows the results of the last synchronization.
The report information includes the start time and end time of the
synchronization, the report creation date and time, and the server used for reporting
data.

Click on Update status summary.

We see a few options for New report type: Summary Report, Detailed
Report, Tabular Report.

Set the report type to Summary Report. For Include updates for these products,
click on any product and select Windows 7. Now click on Run Report.

The summary report is now generated.

Let's move on and see the options in the WSUS console. There are many options here;
let's look at them one by one.

Update Source and Proxy Server: To synchronize the updates, we have to
choose the upstream server. The updates can be synchronized from Microsoft
Update or, if there is an existing WSUS server, we can choose that WSUS server
as our upstream server.

Products and Classifications: Includes the list of products for which updates are
required, and Classifications include the types of updates.

Update Files and Languages: Includes options to download the updates to the local
machine, download updates when they are approved, and download the updates
directly from Microsoft Update.

Synchronization Schedule: You can choose to synchronize the
updates manually or you can select Synchronize automatically. You can set
synchronizations per day to 24, and that's the maximum value.

Automatic Approvals: With this option you can specify to approve the updates
in a particular classification, choose the product category and approve the
updates for a computer group.

Computers: There are 2 options here.

Use the Update Services console: New computers will be added to the
Unassigned Computers group.

Use Group Policy or registry settings on computers: You can use group
policy/registry settings to classify or group the computers.

WSUS Server Cleanup Wizard: This wizard will clean up unused updates,
computers that have not contacted the WSUS server for 30 days or more, unneeded
update files, and expired and superseded updates. Click Next.

Click Finish to close the wizard.

Email Notifications: WSUS administrators can get notifications of
new updates and status reports by configuring email notifications. You can
generate the notifications and send them to recipients or a group, which includes the WSUS
administrators.

Under Email Server, specify the SMTP server IP and port number 25; under Logon
Information check My SMTP server requires authentication and provide the user
name and password. Click Test; if the notification reaches the recipient
address then you have configured it correctly. If you don't get the notification mail,
check the SMTP server settings again.

Personalization: You can personalize the way the server information is
displayed. The information can be computers and status info of all downstream
servers or only the local server.

WSUS Server Configuration Wizard: If you want to reconfigure the above
options you can choose to launch the WSUS Server Configuration Wizard.

Managing WSUS 3.0 SP2 from the command line: You can use
the wsusutil command-line utility that is provided with Windows Server Update
Services (WSUS) 3.0 SP2 to manage WSUS. The wsusutil tool is located in
the WSUSInstallDrive:\WSUSInstallDirectory\Tools folder on WSUS servers.
More information on managing WSUS 3.0 from the command line can be found here.

We will not execute all the wsusutil options here; however, we will look at a few
important commands.

wsusutil.exe checkhealth: This command checks the health of the WSUS server.
The health check is configured by wsusutil healthmonitoring. The results are
written to the event logs.

Open the Event Viewer, under Server Roles, click Windows Server Update
Services. Double click the first event; we see that WSUS is working
correctly.

wsusutil listinactiveapprovals: Returns a list of approved update titles that are in
a permanently inactive state because of a change in server language settings. If you
change language options on an upstream WSUS server, the number of approved
updates on the upstream server may not match the number of approved updates on
a replica server. You can use listinactiveapprovals to see a list of the updates on
the parent upstream server that are permanently inactive. If you find any inactive
approvals you can use wsusutil removeinactiveapprovals to remove the inactive
approvals.

9.2.1.1
Firewall & back up
Firewall

Windows Firewall profiles (Inbound and Outbound rules are applied per profile):

1. Domain
2. Private (Home)
3. Public

How to open a firewall port on Windows Server 2008 R2

To do so, click on the Start button, then click on Administrative Tools, then click on Windows Firewall With
Advanced Security as below:

// On the Windows Firewall With Advanced Security console, click on Inbound Rules (on the left panel):

// On the Windows Firewall With Advanced Security console, click on New Rule in
your right panel as below:

// On the New Inbound Rule Wizard, select the Port radio button and click Next:

// On the New Inbound Rule Wizard, select TCP or UDP, specify whether your rule
will apply to specific local ports or all local ports, and click Next:

// On the New Inbound Rule Wizard, select your action and click Next:

// On the New Inbound Rule Wizard (Profile page), click Next:

// Provide a Name and Description for the newly created rule and click Finish:

Back up

Limited to only one scheduled task

With WBS, you can only have ONE scheduled task. It may sound incredible, but it
is true. Look at the main window:

Setting up the backup job

In this demonstration, I will back up the data residing on a server running Windows
Server 2008 R2. WSB has been installed and a shared network folder is available.
In this case, it is a simple shared folder of an XP machine.

You start by launching WSB from the Administrative Tools folder and by clicking
on Backup Schedule in the Actions pane:

This will launch the wizard. Step 1 asks you for the type of backup:

In this demo, we choose Custom (the Full Server option is explained later).

Step 2 makes you choose the folders you want to back up:

You can add items as you wish.

The Advanced Settings button deals with Exclusions and VSS settings:

The Exclusions tab is self-explanatory (files or folders to exclude from the items you
specified).

The VSS Settings tab has to do with backup history and the cohabitation with another
backup product.

Step 3 asks you to specify time and frequency of the backup:

You cannot specify a weekly or monthly backup. This limitation makes sense once
you understand the way WSB works.

Step 4 asks you to choose between three types of destination:

Read the three available options. Each has specific restrictions.

As said before, we choose shared network folder:

This warning makes sure we understand that only the most recent backup is kept.

Finally, Step 5 asks you to specify the destination of the backup:

Launching the Backup Once wizard

Click on Backup Once in the Actions pane:

In Step 1, the wizard asks you if you want to run a manual backup using the same
settings as the existing scheduled backup or a brand new backup:

Choose Different Options

In Step 2, you are asked if you want a Full Server or if you want to pick and choose:

Select Full Server

In Step 3, you specify the destination type:

Choose Local drives

In Step 4, you specify the destination:

Here the USB drive appears as E:

You will see a final warning:

Click OK (you do not want to back up the backup!)

(Actually, you really do not have a choice: Cancel brings you back to Step 4)

A confirmation window will appear and then the backup will start:

Notice that WSB separates the backup into 4 items:

. System Reserved (boot and system volume information)
. Local Disk (it will contain the data)
. System State (information about the server)
. Bare metal recovery (information needed to recover to new hardware)

And it is done:

And what about restoring?

In the previous article, I briefly mentioned how to use the Recover wizard to
restore a file or a folder. Admittedly, it is nerve-wracking but technically simple.

In the Recover wizard, WSB does not differentiate a Full Server backup from a
Custom backup. It will just ask the date of the backup you want to use:

And then the type of restore:

Choose Files and Folders

Windows Server Backup 2008 Restore from Network Location
1. Start the computer by using the Windows Server 2008 DVD

2. On the first screen Click Next.

3. Select the Repair your computer option in the lower-left corner of screen.

4. It will show you any currently installed operating systems. Click Next.

If this screen is blank you may have to load a third-party driver for your mass
storage controller. You can click Load Drivers to load the mass storage driver from
your USB flash drive.

5. Click Windows Complete PC Restore.

6. It will report A valid backup location could not be found. Click Cancel.

7. Select Restore a different backup then next.

8. Click Advanced.

9. If the network adapter driver is included with Windows Server 2008 you can
click Search for a backup on the network. If the network adapter driver is not
included you have to click Install a driver and browse to your driver to load it. In
my test I was using a Hyper-V virtual machine with the legacy network adapter.
The legacy network adapter driver is in Windows Server 2008, so it just works.
The synthetic driver is not included.

You would receive an error similar to the following when you try to connect to the
server.

10. Click Yes to the Are you sure you want to connect to the network prompt, and then
specify the path of your backup. You can use the IP address instead to eliminate any
NetBIOS/DNS issues.

11. Select the backup listed and then click Next.

12. Select the backup then Next.

13. You are presented with the restore options.

The exclude disks option enables you to exclude disks from the restore process.

The advanced button has the following options.

14. Click Finish to confirm the settings.

If you selected Format and repartition disks you are prompted with Windows
Complete PC restore will format the disks you chose to restore, which will erase all
existing data. Click I confirm that I want to format the disks and restore the
backup.

You can monitor the progress through the final dialog box.

The restart will automatically occur or you can delay it.

For some scenarios, you may want to do this manually. The following lists the
basic general steps to do this at the command prompt.

1. At the following screen select the Command prompt option.

2. Run the following commands at the command prompt.

If your network adapter is not included with Windows you need to load the driver
using drvload.
Drvload driver.inf
Where driver.inf is the inf for the network adapter. You can load this from an usb
flash drive or the local drive if it is available.
Start /w wpeinit
Run ipconfig to verify the driver loaded and you have a valid ip address. If you
have to set a static IP address, you could use netsh. For example
netsh interface ipv4 set address name = "<idx>" source=static address=<staticIP>
mask=<SubnetMask> gateway=<DefaultGateway>
Netsh Commands for Interface (IPv4 and IPv6)
http://technet.microsoft.com/en-us/library/cc770948.aspx
Net use z: \\server\share /user:username
Where \\server\share is the location that you saved your backup to. There should be
a WindowsImageBackup folder in the root of the share/directory that you saved
your backup to.
wbadmin get versions -backuptarget:\\server\share
You should output similar to the following
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.
The times of the backups displayed are based on the timezone of the current
operating system you have booted into.
The timezone used currently is (GMT -08:00) Pacific Standard Time
Backup time: 1/8/2009 11:20 AM
Backup target: Network Share labeled \\server\share
Version identifier: 01/08/2009-19:20
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery
From this you must have the Version Identifier for the next step.
Note this basically wipes the drive so be careful when you use the next command
wbadmin start sysrecovery backuptarget:\\server\share -version:01/08/2009-
19:20 -recreatedisks restoreallvolumes -quiet
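A PowerShell version of the wbadmin steps above, added here as an example and not taken from the original guide: it parses the "wbadmin get versions" listing, picks the newest bare-metal-recoverable backup and builds the sysrecovery command with the correct switch syntax. The share path \\server\share and the embedded listing are constructed placeholders.

```powershell
# Added example, not part of the original guide: parse "wbadmin get versions"
# output, pick the newest bare-metal-recoverable backup and build the
# sysrecovery command line. The share path and the sample listing below are
# constructed; the command is only printed unless you uncomment the last line.
function Get-WbadminVersion {
    param([string[]] $Lines)
    $versions = @(); $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^Backup time:\s*(.+)$') {
            # Each record starts with "Backup time:"; the following lines fill it in.
            $cur = New-Object PSObject -Property @{
                BackupTime = $matches[1].Trim(); Target = ''; Version = ''; CanRecover = '' }
            $versions += $cur
        }
        elseif ($cur -and $line -match '^Backup target:\s*(.+)$')      { $cur.Target = $matches[1].Trim() }
        elseif ($cur -and $line -match '^Version identifier:\s*(\S+)') { $cur.Version = $matches[1] }
        elseif ($cur -and $line -match '^Can Recover:\s*(.+)$')        { $cur.CanRecover = $matches[1].Trim() }
    }
    # Identifiers are MM/dd/yyyy-HH:mm in UTC, so sort on the parsed value, newest first.
    $versions | Sort-Object { [datetime]::ParseExact($_.Version, 'MM/dd/yyyy-HH:mm', $null) } -Descending
}

function New-SysRecoveryCommand {
    param([string] $BackupTarget, [string] $Version)
    # Every switch takes a leading dash; -recreateDisks repartitions all disks.
    "wbadmin start sysrecovery -backupTarget:$BackupTarget -version:$Version -recreateDisks -restoreAllVolumes -quiet"
}

$share = '\\server\share'   # placeholder: the share holding WindowsImageBackup
# Constructed sample in the format wbadmin prints; live use would instead run:
#   $listing = & wbadmin.exe get versions -backupTarget:$share
$listing = @'
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

Backup time: 1/8/2009 11:20 AM
Backup target: Network Share labeled \\server\share
Version identifier: 01/08/2009-19:20
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery
'@ -split "`r?`n"

$latest = Get-WbadminVersion -Lines $listing |
    Where-Object { $_.CanRecover -match 'Bare Metal Recovery' } | Select-Object -First 1
if (-not $latest) { throw "No bare-metal-recoverable backup found on $share" }
$cmd = New-SysRecoveryCommand -BackupTarget $share -Version $latest.Version
Write-Host "Newest backup: $($latest.BackupTime)  ->  $cmd"
# Invoke-Expression $cmd   # destructive: run only from WinRE after checking target and version
```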

10.2.1.1 Monitoring & Printer

Monitoring
The first step in setting up the monitoring is to open Performance Monitor and
create an alert. Begin by opening the application from Administrative Tools, then
navigate to Data Collector Sets > User Defined:

Right click on the User Defined node and select New > Data Collector Set:

In the Create new Data Collector Set, type in a name for this collector,
select Create manually (Advanced) and click Next:

Select Performance Counter Alert and click Next:

Click on the Add button:

Navigate to the Logical Disk selection:

You'll find various counters in this section, and whether you prefer to use % Free
Space or Free Megabytes will depend on the type of application and the drive size
you'll be monitoring. I personally prefer Free Megabytes because the drive I'm
monitoring is a 1TB drive and setting up a hard threshold based on a constant value
seems to make more sense:

Note that the logical drives are listed under Instances of selected object, so select
the ones you'd like to monitor:

Clicking on OK will bring you back to the Create new Data Collector
Set window. Proceed with setting a threshold:

Notice how I've set the Alert when to Below and the Limit to 2048. This simply
means I'm setting a threshold of 2GB for each of the drives. Click the Next button
when you've configured all of the drives' thresholds:

Unless you have restrictions on the service account (the default is SYSTEM),
proceed by clicking on Finish:

It's not necessary to verify the Run As account, but I like to double check just to be
sure, so right click on the new Data Collector Set and select Properties:

Under the General tab, ensure that Run As is the account you wanted to run
this Data Collector Set as:

With the Data Collector Set account verified, notice how a new collector is now set
up:

Continue by right clicking on the data collector and choosing Properties:

Navigate to the Alert Action tab and select Log an entry in the application
event log:

With the data collector configured, the next step is to set the collector to start after
server restarts. Begin by navigating to Task Scheduler > Task Scheduler Library
> Microsoft > Windows > PLA, right click on the collector task and
select Properties:

Navigate to the Triggers tab and click on the New button:

Click on the New button and select At startup for Begin the task and ensure
that Enabled is selected:

You should now see a new trigger listed; save the trigger by clicking on
the OK button:

Start the data collector set by right clicking on the object and selecting Start:

Unlike Windows Server 2003, the data collector DOES NOT write to the
Application log but rather to the following log:
Applications and Services Logs/Microsoft/Windows/Diagnosis-PLA/Operational

Note that I changed the threshold from 2048 to 20480 so that I could trigger the
alert:

Now that we've generated an information event with the ID 2031 in the logs, we
can proceed with setting up a task to send an email to an address. Proceed by right
clicking on the event and selecting Attach Task To This Event:

Give the task a meaningful name and proceed by clicking the Next button:

There isn't much to change in the When an Event Is Logged step, so continue by
clicking on the Next button:

In the Action step, change the action from Start a program to Send an e-mail:

Fill in the appropriate fields (make sure this server is allowed to relay mail through
your SMTP server):

Complete the wizard:

What's important to note is that the task we created is automatically assigned the
account you're logged in as, and is set to run only when that user is logged on,
which probably isn't what most of us want. To change this, navigate to Task
Scheduler > Task Scheduler Library > Event Viewer Tasks:

Right click on the e-mail notification event that was created and select Properties:

From within the properties window under the General tab, click on Change User or
Group:

Change the account to a service account (local or domain) that is a local
administrator on the server and is allowed to run as a service (the Log on as a batch
job permission):

In this example, I created a service account named svc_monitoring:

Save the configuration by clicking on the OK button.
The last step to configure for this task is to set it to run after server restarts, so open
the properties of the task and navigate to the Actions tab:

Click on the New button and select At startup for Begin the task and ensure
that Enabled is selected:

Proceed with saving the settings by clicking OK:

Trigger an event to test and you should see an email similar to the following:
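The same alert-to-email chain, scripted with logman.exe and schtasks.exe, which ship with Windows Server 2008. This is an added example, not part of the original guide: the drive letters, the 2048 MB limit, the svc_monitoring account, the SMTP host, the mail addresses and C:\Scripts are all placeholders.

```powershell
# Added example, not part of the original guide: the alert, its startup trigger
# and the event-triggered mail task built from the command line.
# Assumptions (all placeholders): drive letters, the 2048 MB limit, the
# service account svc_monitoring, the SMTP host, mail addresses and C:\Scripts.
param(
    [string[]] $Drives    = @('C:', 'D:'),
    [int]      $LimitMB   = 2048,
    [string]   $AlertName = 'LowDiskSpace',
    [string]   $RunAs     = 'svc_monitoring',
    [string]   $SmtpHost  = 'smtp.example.invalid',
    [string]   $MailTo    = 'ops@example.invalid',
    [string]   $MailFrom  = "$env:COMPUTERNAME@example.invalid",
    [string]   $ScriptDir = 'C:\Scripts'
)

# 1. One "Free Megabytes < limit" threshold per logical disk. -el makes the alert
#    write event 2031 to Microsoft-Windows-Diagnosis-PLA/Operational (the log
#    named above), not to the Application log. Sampled every 5 minutes.
$thresholds = $Drives | ForEach-Object { "\LogicalDisk($_)\Free Megabytes<$LimitMB" }
& logman.exe create alert $AlertName -th $thresholds -si 00:05:00 -el -y
& logman.exe start $AlertName

# 2. Equivalent of the "At startup" trigger on the PLA task: restart the alert
#    after every reboot. Starting a collector set is all this task does, so SYSTEM is fine.
& schtasks.exe /Create /F /TN "Start $AlertName alert" /SC ONSTART /RU SYSTEM `
    /TR "logman.exe start $AlertName"

# 3. The mail action as a script file, so the task command line needs no nested
#    quoting. The body is the text of the most recent PLA alert event.
New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null
$mailScript = @"
`$ev = Get-WinEvent -LogName Microsoft-Windows-Diagnosis-PLA/Operational -MaxEvents 1
Send-MailMessage -SmtpServer '$SmtpHost' -From '$MailFrom' -To '$MailTo' -Subject 'Low disk space on $env:COMPUTERNAME' -Body `$ev.Message
"@
$scriptPath = Join-Path $ScriptDir 'Send-LowDiskMail.ps1'
Set-Content -Path $scriptPath -Value $mailScript

# 4. Event-triggered task under the service account; schtasks prompts for the
#    password (/RP *), so the task runs whether or not anyone is logged on.
#    The account needs "Log on as a batch job" and read access to the PLA log
#    (Event Log Readers membership); local administrator is more than this action needs.
$query = "*[System[Provider[@Name='Microsoft-Windows-Diagnosis-PLA'] and EventID=2031]]"
& schtasks.exe /Create /F /TN 'Low disk space mail' /SC ONEVENT `
    /EC Microsoft-Windows-Diagnosis-PLA/Operational /MO $query `
    /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`"" `
    /RU $RunAs /RP '*'
```

Lower the limit temporarily (as the guide does with 20480) and check the Diagnosis-PLA/Operational log for event 2031 to confirm the chain end to end.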

Printer
Installing the Print Server
To add network printers using auto-detection, open the Print Management tool
via Start -> All Programs -> Administrative Tools -> Print Management, expand
Print Servers in the list in the left pane, right click the local or remote print
server to which the new printer is to be added and select Add Printer.... This will
display the Network Printer Installation Wizard as illustrated below:

If no printers are detected, ensure that the printers are connected to the network and
powered on and are on the same subnet as the print server.

Manually Adding Network Printers to a Print Server

Adding a Locally Connected Printer

Managing Remote Print Servers

Once all the required remote print servers have been added to the list, click
on Apply then close the dialog to return to the main Print Management window.
The new print servers will now appear alongside the local server under Print
Servers in the left hand pane of the Print Management screen as illustrated below:

Migrating Printers and Queues Between Servers

These options require a little explanation:

Keep existing printers; import copies - It is possible that a printer being
imported is already installed on the destination server. With this option
selected, the original printer on the destination server will be left unchanged and
the new printer imported as a copy.

Overwrite existing printers - If the printer being imported is already installed
on the target server it is overwritten by the imported copy when this option is
selected.

List printers that were previously listed - When selected, only printers that
were already listed in Active Directory will still be listed after the import
process is completed.

List all printers - All printers are listed in Active Directory.

Don't list any printers - No printers are listed in Active Directory.


Configuring Printer Permissions
The standard printer permissions are outlined in the following table:

Permission         Description
Print              Allows users and groups to send documents to the printer and to
                   manage their own print jobs. Also includes the Read special
                   permission, allowing viewing, but not alteration, of printer
                   permissions.
Manage Printers    Allows full management of the printer, including changing shared
                   status, changing of permissions and properties, taking ownership
                   of printers and print jobs and starting and stopping print jobs.
                   Includes the Read, Change and Take Ownership special
                   permissions.
Manage Documents   Allows users and groups to manage print jobs but does not provide
                   the ability to print. Permissions consist of pausing, restarting,
                   resuming, reordering and canceling print jobs. Includes
                   the Read, Change and Take Ownership special permissions.

The special permissions are as follows:

Permission           Description
Read Permissions     User or Group may view the permissions on the printer.
Change Permissions   User or Group may change the permissions of a printer.
Take Ownership       User or Group may take ownership of printer and/or print
                     jobs.

The current permissions for a printer may be viewed and changed by right clicking
on that printer in the Print Management tool (Start -> Administrative Tools ->
Print Management), selecting Properties and clicking on the Security tab:

To change the permissions for a currently listed user or group, select the user or
group and change the Allow and Deny permissions to the required settings. When
the settings are configured, click on Apply to commit the changes. If the user or
group is not currently listed in the properties dialog, click on the Add... button to
invoke the Select Users or Groups dialog. Change the Location setting if necessary
and then enter the names of the users or groups, separated by semi-colons, into the
bottom text box. Click the Check Names button to verify that the selected users or
groups exist within the current location scope:

Assuming the names are correct, click on OK to return to the properties dialog,
where the selected users and/or groups will now be included in the Group or user
names list. To configure permissions, select a user or group and set the permissions
in the Permissions for section of the dialog. Click Apply to commit the changes and
repeat the task for any other users or groups added to the list.
To configure the special permissions, click on the Advanced button in the Security
page of the properties panel to display the Advanced Security Settings dialog as
illustrated below:

For example, setting the Manage Printers standard permission also enables
the Read, Change and Take Ownership special permissions. Once the desired
permission changes have been made, click on OK to dismiss the Permission Entry
for dialog, followed by Apply, then OK in the Advanced Security Settings dialog.
Finally, click on OK to dismiss the properties dialog and return to Print
Management.
Changing Printer Ownership

Printer Pooling Configuration

Configuring Printer Availability and Priority
