
OFFICIAL MICROSOFT LEARNING PRODUCT

6435A
Designing a Windows Server 2008 Network Infrastructure

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2008 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Technical Reviewer: John Policelli

Product Number: 6435A. Part Number: X14-69200. Released: 08/2008.

Contents

Module 1: Overview of Network Infrastructure
  Lesson 1: Preparing for a Network Infrastructure Design  1-3
  Lesson 2: Designing the Network Topology  1-14
  Lesson 3: Designing Network Infrastructure for Virtualization  1-22
  Lesson 4: Designing a Change Management Structure for Network Infrastructure  1-30
  Lab: Designing Network Infrastructure in Windows Server 2008  1-38

Module 2: Designing Network Security
  Lesson 1: Overview of Network Security Design  2-3
  Lesson 2: Designing the Network Topology  2-14
  Lesson 3: Designing Network Infrastructure for Virtualization  2-22
  Lesson 4: Designing a Change Management Structure for Network Infrastructure  2-30

Module 3: Designing IP Addressing
  Lesson 1: Designing an IPv4 Addressing Scheme  3-3
  Lesson 2: Designing DHCP Infrastructure  3-11
  Lesson 3: Designing DHCP Configuration Options  3-18
  Lesson 4: Designing an IPv6 Addressing Scheme  3-23
  Lesson 5: Designing an IPv6 Transition  3-34
  Lab: Designing Network Infrastructure in Windows Server 2008  3-42

Module 4: Designing Routing and Switching Requirements
  Lesson 1: Preparing for Designing a Network Routing Topology  4-3
  Lesson 2: Selecting Network Devices  4-8
  Lesson 3: Designing Internet Connectivity and Perimeter Networks  4-16
  Lesson 4: Designing Routing Communications  4-25
  Lesson 5: Evaluating Network Performance  4-32
  Lesson 6: Quality of Service  4-41
  Lab: Designing Routing and Switching  4-47

Module 5: Designing Security for Internal Networks
  Lesson 1: Designing Windows Firewall Implementation  5-3
  Lesson 2: Overview of IPSec  5-8
  Lesson 3: Designing IPSec Implementation  5-15
  Lab: Designing a Secure Internal Network  5-21

Module 6: Designing Name Resolution
  Lesson 1: Collecting Information for a Name Resolution Design  6-3
  Lesson 2: Designing a DNS Server Strategy  6-11
  Lesson 3: Designing a DNS Namespace  6-17
  Lesson 4: Designing DNS Zone Implementation  6-22
  Lesson 5: Designing Zone Replication and Delegation  6-27
  Lab: Designing a Name Resolution Strategy in Windows Server 2008  6-33

Module 7: Designing Advanced Name Resolution
  Lesson 1: Optimizing DNS Servers  7-3
  Lesson 2: Designing DNS for High Availability and Security  7-11
  Lesson 3: Designing a WINS Name Resolution Strategy  7-19
  Lesson 4: Designing WINS Replication  7-24
  Lab: Designing a Name Resolution Strategy in Windows Server 2008  7-28

Module 8: Designing Network Access Solutions
  Lesson 1: Gathering Data for Designing Network Access Solutions  8-3
  Lesson 2: Securing and Controlling Network Access  8-11
  Lesson 3: Designing Remote Access Services  8-21
  Lesson 4: Designing RADIUS Authentication with Network Policy Services  8-31
  Lesson 5: Designing Wireless Access  8-39
  Lab: Designing a Network Access Solution  8-49

Module 9: Designing Network Access Protection
  Lesson 1: Overview of NAP  9-3
  Lesson 2: NAP Architecture  9-7
  Lesson 3: NAP Enforcement  9-17
  Lesson 4: Designing NAP Policy  9-24
  Lesson 5: Designing NAP Enforcement and Remediation  9-36
  Lab: Designing Network Access Protection  9-44

Module 10: Designing Operating System Deployment and Maintenance
  Lesson 1: Determining Operating System Deployment Requirements  10-3
  Lesson 2: Designing Windows Deployment Services  10-13
  Lesson 3: Windows Deployment Services Images  10-24
  Lesson 4: Designing Multicast Transmission of Images  10-31
  Lesson 5: Designing a Software Update Process  10-35
  Lab: Designing Operating System Deployment and Maintenance  10-43

Module 11: Designing Files Services and DFS in Windows Server 2008
  Lesson 1: Designing File Services  11-3
  Lesson 2: Designing Distributed File System  11-11
  Lesson 3: Designing File Server Resource Manager Configuration  11-22
  Lab: Designing Files Services and DFS in Windows Server 2008  11-27

Module 12: Designing High Availability in Windows Server 2008
  Lesson 1: Overview of High Availability  12-3
  Lesson 2: Designing Network Load Balancing for High Availability  12-10
  Lesson 3: Designing Failover Clustering for High Availability  12-16
  Lesson 4: Geographically Dispersed Failover Clusters  12-25
  Lab: Designing High Availability in Windows Server 2008  12-30

Module 13: Designing Print Services in Windows Server 2008
  Lesson 1: Overview of a Print Services Design  13-3
  Lesson 2: Windows Server 2008 Printing Features  13-10
  Lesson 3: Designing Print Services  13-19
  Lab: Designing Print Services in Windows Server 2008  13-26

Overview of Network Infrastructure

1-1

Module 1
Overview of Network Infrastructure
Contents
  Lesson 1: Preparing for a Network Infrastructure Design  1-3
  Lesson 2: Designing the Network Topology  1-14
  Lesson 3: Designing Network Infrastructure for Virtualization  1-22
  Lesson 4: Designing a Change Management Structure for Network Infrastructure  1-30
  Lab: Designing Network Infrastructure in Windows Server 2008  1-38


Module Overview

Designing a network infrastructure should follow a consistent process to ensure that all necessary factors are taken into account. You should adequately prepare by gathering the necessary data and defining the broad network topology that is required to support your network. When designing your network infrastructure, you should take into account the specialized needs of virtualized servers. Finally, you must have a change management process for analyzing and approving the changes before implementing the network infrastructure.


Lesson 1

Preparing for a Network Infrastructure Design

When preparing to design a network infrastructure, you need to understand the network life cycle and how it relates to your design. Include the team that is required to create the design. Then you can consider specific details about your environment, such as physical layout, the existing network, and servers on your network.


Overview of the Network Life Cycle

Key Points
The five phases of the network life cycle are based on the principles of Microsoft Solutions Framework (MSF). Using a model such as this helps facilitate understanding of the network design's complexity.

• Envisioning. Define the high-level objectives for the project.
• Planning. Gather detailed information and analyze business requirements.
• Developing. Create a detailed design and select vendors.
• Stabilizing. Test the plan to ensure that it meets business needs. This often includes a pilot implementation.
• Deploying. Incorporate the changes identified during stabilization and then implement the overall network design.

The maintenance of the network infrastructure continues until the organization resumes the envisioning phase for an upgrade of its network infrastructure.


For more information, see "Microsoft Solutions Framework".
For more information, see "Microsoft Solutions Framework version 3.0 Overview".
For more information, see "Microsoft Solutions Framework Core Whitepapers".


Description of the MSF Network Design Team

Key Points
The MSF team model calls for six roles on a design team, with each role corresponding to a major project goal. Depending on the complexity of the design project, multiple people might contribute to a single role, or an individual might assume more than one role. Communication among all roles is integral to the structure of the design team and essential to team success. The team has the following responsibilities:

• Product management. Product management identifies the requirements of the organization, articulates a vision for the network design project, develops and maintains the business reasons for initiating the project, owns the communication plan, and manages the expectations of the organization.
• Program management. Program management delivers the network infrastructure design on time and within budget. They secure the resources that the team needs to complete the design. They also own the master project plan, schedule, and budget.
• Development. Development constructs the network solution according to the given specifications. Development provides technical expertise and input for the technology decisions that will affect the network design, and evaluates the design for implementation feasibility.
• Testing. Testing approves the project solution for implementation only after all quality issues are identified and addressed. Testing includes determining the criteria for a successful design, outlining the test strategy, and testing the design.
• Release management. Release management pilots and deploys the network project solution and provides ongoing management, which includes communicating with the operations groups that will be affected by the implementation of the design and determining those groups' requirements for the design.
• User experience. User experience ensures the effectiveness of the network solution for users. User experience functions as a user advocate and communicates the needs of users to the design team as various network options are considered. User experience also plans for user documentation and formulates necessary training.


Discussion: Design Tasks for Network Infrastructure

Your classroom discussion will include many tasks for network infrastructure. This list of tasks will vary depending on the scenario.


Components of a Network Infrastructure Design

Key Points
The distinct plans contained in a network infrastructure design will vary depending on the design and organizational processes. However, the details in the following plans are typically included:

• Hardware plan. The hardware plan contains information about server and workstation computers, switches, cabling, routers, and wide area network (WAN) links.
• Topology plan. The topology plan describes the physical layout of the network.
• Operating system plan. The operating system plan describes the operating systems that will run on server and client computers. The operating system version of other devices, such as switches and routers, should also be included.
• Directory services plan. The directory services plan describes the directory service being used and any network infrastructure requirements to support it.
• Network protocols and services plan. The network protocols and services plan describes IPv4 and IPv6 configuration and services, including Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP).
• Server-based applications plan. The server-based applications plan lists the requirements of any network services, such as e-mail or firewalls.
• Internet connectivity plan. The Internet connectivity plan specifies how the organization will be connected to, and secured from, the Internet.
• Extranet connectivity plan. The extranet connectivity plan specifies how trusted external clients can access the internal network. This can include secured Web sites and VPNs.
• Security plan. The security plan specifies the hardware and software that will be used to secure the network. This includes overall strategies and details such as firewall configuration.


Discussion: Information Required for a Network Infrastructure Design

Your classroom discussion will include what information is required for a network infrastructure design.


Guidelines for Designing a Network Infrastructure

Key Points
Use the following guidelines to help increase the likelihood of your success in designing and implementing an effective network infrastructure:

• Consider the planned growth or contraction of the organization. Analyze both the existing size and characteristics of the organization, and any known or planned changes, such as growth, acquisitions, organizational structure reorganizations, downsizing, and sales of divisions.
• Consider the interoperability of the network infrastructure with Active Directory. Keep in mind the network components required by Active Directory, such as Transmission Control Protocol/Internet Protocol (TCP/IP) and DNS, as you create your network infrastructure design.
• Build security into your design. Protect your network at all times from external and internal attacks. You want to provide Internet access to all authorized users but protect your network resources from unauthorized users and intruders.
• Consider the total cost of ownership (TCO) of network components as well as their initial investment cost. Often, network components that initially appear more expensive than alternate choices actually end up costing less to own and operate in the long run.


Lesson 2

Designing the Network Topology

A network topology is the layout of a network in both physical and logical terms. When designing the network topology you must consider connectivity within each location and between locations.


Discussion: Components of a Network Topology Design

Your classroom discussion will include components of network topology design.

For more information, see "Enterprise Design of Network Architecture".


Strategies for Connectivity within a Location

Key Points
The modular nature of a hierarchical model such as the three-tier model can simplify deployment, capacity planning, and troubleshooting in a large internetwork. In this design model, the tiers represent the logical layers of functionality within the network.

• The core tier facilitates the efficient transfer of data between interconnected distribution tiers and typically functions as the high-speed backbone of the enterprise network. The primary design goal for the core is reliable, high-speed network performance. Select high-performance and highly reliable network equipment for the core tier.
• The distribution tier distributes network traffic between related access layers, and separates the locally destined traffic from the network traffic destined for other tiers through the core. Network security and access control policies are often implemented within this tier. The distribution tier is often the layer in which you define subnets.
• The access tier is the layer in which users connect to the rest of the network, including individual workstations and workgroup servers. The access tier of an intranet usually includes a relatively large number of low-speed to medium-speed network ports, whereas the core tier usually contains fewer but higher-speed network ports.

For more information, see "Planning the IP-Based Infrastructure".
For more information, see "Enterprise Design for Switches and Routers".


Discussion: Strategies for Connectivity Between Locations

Your classroom discussion will include strategies for connectivity between locations.


Bandwidth Requirements

Key Points
The bandwidth requirements for wide area network (WAN) and local area network (LAN) segments will vary depending on the services implemented on your network and how those services are used. The following are some considerations for network bandwidth:

• A 500 Kbps link or slower is considered slow for group policy processing. This can prevent group policy objects from being downloaded. The speed of connectivity is calculated when communicating with a domain controller.
• Adsizer.exe can be used to estimate the bandwidth required for Active Directory replication. You enter the characteristics that describe your organization, and Adsizer.exe then recommends a number of domain controllers and global catalog servers.
• Estimates for bandwidth requirements must include network overhead. Network overhead includes packet headers and the additional packets required to open and close TCP connections.
• The most accurate method for estimating bandwidth requirements is to start with a baseline of your current network activity.

For more information, see "Network Analysis and Optimization Techniques".
For more information, see "Optimizing Bandwidth at Microsoft".


Network Data Collection Tools

Key Points
A wide variety of tools is available to collect network data. Some of these tools are:

• Network Monitor 3 can be used to monitor the network traffic used by specific applications and overall traffic. You may need to configure port mirroring on your switches to accurately view network traffic.
• Switch and router vendors may provide tools for network analysis.
• Third-party tools for network analysis are available. They typically query network statistics from switches and routers by using Simple Network Management Protocol (SNMP).

For more information, see "Network Monitor Blog".


Lesson 3

Designing Network Infrastructure for Virtualization

Virtualizing network servers provides a number of benefits including more efficient hardware utilization. However, it also introduces unique concerns for network infrastructure design. You need to consider connectivity, throughput, reliability, and assignment of media access control (MAC) addresses.


Network Infrastructure Considerations for Virtualization

Key Points
When virtualization is implemented, you should consider the following:

• Multiple virtual machines are connecting to the network through a single physical computer.
• All virtual machines must be connected to the appropriate virtual local area networks (VLANs).
• Each virtual machine must have sufficient throughput to the network.
• Fault tolerance for network connectivity may be more important because multiple virtual machines may be affected by the failure of a single network adapter.
• Each virtual machine has a unique source MAC address that is not tied to the MAC address of the host computer's network adapter.

For more information, see "Windows Server Virtualization".


Virtual Machine Connectivity Requirements

Key Points
A typical network server is either connected or not connected to the physical network. Virtual machines have additional configuration options that may be appropriate, depending on circumstances.

• No network connectivity. The virtual machine is unable to communicate on the network or with other virtual machines. This is not suitable for production environments, but may be useful for some testing.
• Virtual machine-only (logical) networks. The virtual machine is able to communicate only with other virtual machines on the same internal logical network of the host. This can be used for security when virtual machines need to communicate only with each other and not with other hosts on the network. For example, a front-end Web server may use a virtual machine-only network to communicate with a virtual machine running a back-end database on the same host.
• Physical network access. The virtual machine is able to communicate with hosts on the physical network. When physical network access is used, you must ensure that each virtual machine has access to the necessary VLANs. If the virtual machines need access to separate VLANs, and the VLANs are defined by switch port, then you will need separate physical connections in the host for connectivity to each VLAN.


Host Throughput Requirements

Key Points
The network adapters in a host must be able to support the network traffic generated by all virtual machines running on that host. To support multiple virtual machines on the same host, you may need to use a high-speed network adapter or team multiple adapters to increase throughput. When estimating the network traffic generated by each virtual machine, consider the following:

• Private networks are used for heartbeat communication by cluster nodes.
• Public networks are used for communication between cluster nodes and other hosts.
• Virtual machine networks will not affect overall virtual machine throughput.
• Management networks are used by some organizations to provide a redundant link for management in case the primary connection fails.
• Backup networks are used to perform over-the-wire backups.
• Storage networks are used for iSCSI or Fibre Channel SANs. This communication is separate from the public network and is critical for virtual machine performance if used.


Network Reliability Requirements

Key Points
In general, the reliability requirements for the network connectivity of virtual machine hosts are higher than those of typical servers. This is because each virtual machine host can have multiple virtual machines, and the failure of network connectivity to a virtual machine host affects all virtual machines on that host. Ultimately, the level of reliability required by a virtual machine host is determined by the virtual machine with the highest reliability requirements running on that host.

To increase network reliability, consider teaming network adapters. If one adapter in the team fails, the remaining adapters can continue providing communication to the network for all virtual machines, albeit at a reduced throughput rate. Support for network adapter teaming relies on drivers obtained from the network adapter vendor.

The network infrastructure should also be fault tolerant. This means that teamed network adapters should be connected to separate switches and that there should be redundant paths through network switches.


MAC Addressing for Virtual Machines

Key Points
Each virtual machine requires a unique MAC address for each virtual network adapter. On a physical server, the MAC address is uniquely assigned to the network adapter by the manufacturer of the network adapter. By default, the MAC address for a virtual network adapter in a virtual machine is assigned randomly. In situations where there are many virtual machines, the random assignment of MAC addresses to virtual network adapters can result in duplicates. To avoid duplicate assignment of MAC addresses, you can manually assign unique MAC addresses to the virtual network adapters in virtual machines.
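The duplicate check and the manual assignment described above, as an added example that is not courseware code: it normalizes the addresses reported by several hosts, flags any MAC used by more than one adapter, and carves a non-overlapping static range per host. The inventory, the 02:00:5E prefix and the per-host octet layout are constructed for illustration.

```python
"""Static MAC address planning for virtual network adapters (added example)."""
import re
from collections import defaultdict

# Accepts AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF or AABBCCDDEEFF (one separator style).
_MAC_RE = re.compile(
    r"^[0-9A-Fa-f]{2}(?P<sep>[:-]?)(?:[0-9A-Fa-f]{2}(?P=sep)){4}[0-9A-Fa-f]{2}$")


def normalize(mac: str) -> bytes:
    """Parse any of the accepted spellings into the six raw octets."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", mac))


def fmt(mac: bytes) -> str:
    """Canonical upper-case, colon-separated spelling used for comparisons."""
    return ":".join(f"{b:02X}" for b in mac)


def is_unicast(mac: bytes) -> bool:
    # Bit 0 of the first octet is the group bit; it must be clear for an adapter.
    return not mac[0] & 0x01


def is_locally_administered(mac: bytes) -> bool:
    # Bit 1 of the first octet set means the address was assigned locally,
    # not burned in by a manufacturer under its OUI.
    return bool(mac[0] & 0x02)


def find_duplicates(inventory: dict) -> dict:
    """Map every MAC that more than one adapter reports to those adapters."""
    owners = defaultdict(list)
    for adapter, mac in inventory.items():
        owners[fmt(normalize(mac))].append(adapter)
    return {mac: sorted(a) for mac, a in owners.items() if len(a) > 1}


def allocate_static_macs(prefix: str, host_id: int, count: int, in_use=()) -> list:
    """Hand one virtualization host `count` unique static MACs.

    Assumed layout: a 3-octet locally administered prefix, the host number in
    octet 4, and a 16-bit per-host counter in octets 5 and 6, so two hosts can
    never produce the same address. Anything listed in `in_use` is skipped.
    """
    pre = bytes.fromhex(re.sub(r"[:-]", "", prefix))
    if len(pre) != 3 or not 0 <= host_id <= 0xFF or not 0 < count <= 0x10000:
        raise ValueError("prefix must be 3 octets, host_id 0-255, 1 <= count <= 65536")
    if not (is_unicast(pre) and is_locally_administered(pre)):
        raise ValueError("static prefix must be unicast and locally administered")
    taken = {fmt(normalize(m)) for m in in_use}
    chosen = []
    for n in range(0x10000):
        if len(chosen) == count:
            break
        mac = fmt(pre + bytes([host_id, n >> 8, n & 0xFF]))
        if mac not in taken:
            chosen.append(mac)
    if len(chosen) < count:
        raise ValueError("per-host range exhausted")
    return chosen


# Constructed inventory: adapter name -> MAC as each host reported it.
SAMPLE_INVENTORY = {
    "HOST1/WEB01": "02:00:5E:01:0A:01",
    "HOST1/SQL01": "02-00-5E-01-0A-02",
    "HOST2/APP01": "02005E010A01",      # same address as WEB01, different spelling
    "HOST2/DC02":  "02:00:5E:02:00:00",
}

if __name__ == "__main__":
    for mac, adapters in find_duplicates(SAMPLE_INVENTORY).items():
        print(f"duplicate {mac}: {', '.join(adapters)}")
    # Give HOST2 three fresh addresses that avoid everything already in use.
    print(allocate_static_macs("02:00:5E", host_id=2, count=3,
                               in_use=SAMPLE_INVENTORY.values()))
```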


Lesson 4

Designing a Change Management Structure for Network Infrastructure

Change management is an important part of maintaining network infrastructure. When properly implemented, change management helps to ensure that there are no unintended consequences when changes are implemented. Change management for a network infrastructure includes the monitoring of network usage. The specific process used will vary depending on the organization, but it should follow some general guidelines.


Components of a Change Management Design

Key Points
Every change, great or small, that is made to the physical network has an impact. Change management strives to minimize those impacts by managing how and when changes are made to a system. Because of the dynamic nature of both organizations and networks, changes to one often affect the other. For example, the reorganization of a department or the acquisition of a company might necessitate a change in the physical structure of the network. The components of a change management design are:

• Monitoring. This allows you to identify when changes in network usage might require a change to the network infrastructure. You should specify what is monitored, how often the data is collected, and how long collected data is retained.
• Analysis. The analysis of the data collected from monitoring allows you to identify trends in usage and identify potential problems before they affect users. Your design should specify how often the data is reviewed and who is responsible for reviewing the data.
• Response. This allows design changes to be made to the network infrastructure to address both current and potential performance problems. Your design should include the process for submitting and approving change requests.


Monitoring Network Usage

Key Points
When you design a system for monitoring your organization's network activity, include a plan for monitoring both the physical and logical network. For the physical network, monitor devices such as client computers and domain controllers. For the logical network structure, monitor events such as the creation of user accounts, and changes to the organization's business model such as increased productivity and company acquisitions. A change management design for network monitoring should specify:

• What to monitor. Specify which network devices and services to monitor, and which specific statistics for that device or service to monitor. Gathering too much data makes analysis difficult.
• When to monitor. Specify how often and at what times of the day to monitor the network. Perform monitoring at various times of the day, week, month, and year. This will help you understand how the network infrastructure is used throughout the business cycle, and it will help you determine trends in usage.
• How to monitor. Specify the tools or types of tools to use to monitor the network infrastructure. Tools can include Network Monitor, Reliability and Performance Monitor, System Center Operations Manager (formerly Microsoft Operations Manager), and Event Viewer.


Discussion: The Change Management Process

Your classroom discussion will include the appropriate process for change management.


Guidelines for Designing a Change Management Process

Key Points
Use the following guidelines when designing a change management process:

• Specify how trend analysis is to be performed. A consistent process is required to accurately identify trends. This is particularly important when staff change positions.
• Specify how potential changes will be communicated, requested, and approved. You need to define how personnel will communicate the potential need for a change to the network, how the request for the specific network change will be made, and ultimately how approval for the network change will be given. This component should also identify the person or team to which communications and requests should be submitted, and the person or team who has the authority to approve the requested changes to the network.
• Specify how changes will be tested, implemented, and documented. Specify a detailed process for implementing a change to the network, which might include such restrictions as the personnel who are authorized to perform specific types of changes, the days of the week or month on which changes can or cannot be implemented, and the time of day that changes can or cannot be implemented. Also include a process for documenting, logging, and tracking changes.
• Specify a backout plan. This critical part of the change management structure specifies how an implemented change will be undone if it produces unwanted or unexpected consequences.


Lab: Designing Network Infrastructure in Windows Server 2008



Scenario
Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the network infrastructure for segments within the enterprise.

Woodgrove Bank has expanded significantly since the company implemented Windows Server 2008. The company has expanded to different countries located in different regions of the world, and has acquired several subsidiaries. As a result, you are asked to design the network infrastructure for the new locations.

There are three divisions in Woodgrove Bank for different regions of the world. The three regions are North America, Europe, and Asia. The first part of the network to be redesigned is the North America region. The changes in North America will be used as a template for adding additional branches and integrating newly acquired companies.

In North America, there are two major changes. Two new Canadian branches are opening that will be connected to the Toronto hub site. Also, a regional bank in Washington State has been purchased and must be integrated into the rest of the network.

Each region operates independently most of the time. All user applications and data are self-contained within each region. Batch transfers of data from each region to New York City are performed daily. The batch transfers are approximately 1 GB and must be completed within 2 hours during average usage times. Network utilization between regions averages 500 Kbps when the batch transfer is not being performed. The failure of one WAN link between regions should not affect other regions.

The main applications used by Woodgrove Bank are located in the network hub locations. Users in the branches use terminal services to run applications on servers in the network hub locations. Approximately 10 Kbps of WAN connectivity is required for each user at a branch location for optimal performance. Communication between hub site locations averages 2 Mbps and peaks at 6 Mbps.

The implementation of a Voice over IP system is being considered to lower telecommunication costs. If implemented, this system will use approximately 250 Kbps between each branch office and hub site. Approximately 500 Kbps will be used between hub sites within regions and between regions.

Within a hub site, traffic should be tiered to increase manageability.


Designing a Windows Server 2008 Network Infrastructure

The connectivity of the newly acquired regional bank in Washington State uses Seattle as a hub site for the other four locations.

Also review the following documents:
- M1_Locations.doc
- M1_Physical.vsd
- M1_VirtualMachines.doc
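The following is an added worked example, not part of the 6435A course materials, showing how the scenario's traffic figures translate into minimum WAN link rates for the three link classes in the North America redesign. The figures come from the scenario; the 10**9-byte reading of "1 GB", the 25 % headroom factor and the list of candidate circuit sizes are assumptions.

```python
"""Added example for the Woodgrove Bank scenario (not part of the 6435A
course materials). It turns the scenario's traffic figures into minimum
WAN link rates. Assumptions: 1 GB = 10**9 bytes, a 25 % headroom factor,
and the candidate circuit sizes in STANDARD_CIRCUITS_KBPS."""

from typing import Dict, List

# Figures taken from the scenario text (Kbps unless noted)
KBPS_PER_BRANCH_USER = 10          # terminal services user at a branch
VOIP_BRANCH_TO_HUB_KBPS = 250      # VoIP between a branch and its hub
VOIP_HUB_TO_HUB_KBPS = 500         # VoIP between hubs / between regions
INTER_REGION_AVERAGE_KBPS = 500    # non-batch traffic between regions
HUB_TO_HUB_AVERAGE_KBPS = 2000     # 2 Mbps average between hub sites
HUB_TO_HUB_PEAK_KBPS = 6000        # 6 Mbps peak between hub sites
BATCH_TRANSFER_BYTES = 10**9       # assumption: "1 GB" read as 10**9 bytes
BATCH_WINDOW_SECONDS = 2 * 3600    # batch must finish within 2 hours

# Assumption: circuit sizes the carrier offers, in Kbps
# (for example 1544 = T1, 2048 = E1, 3088 = 2 x T1, 45000 ~ T3)
STANDARD_CIRCUITS_KBPS: List[int] = [
    128, 256, 512, 768, 1024, 1544, 2048, 3088, 4096, 6144, 10000, 45000,
]


def batch_transfer_kbps(size_bytes: int = BATCH_TRANSFER_BYTES,
                        window_seconds: int = BATCH_WINDOW_SECONDS) -> float:
    """Link rate needed to move size_bytes within window_seconds."""
    return size_bytes * 8 / window_seconds / 1000


def inter_region_required_kbps(voip: bool = True) -> float:
    """Region <-> New York City link. The batch runs during average usage,
    so the 500 Kbps baseline is concurrent with the transfer."""
    rate = batch_transfer_kbps() + INTER_REGION_AVERAGE_KBPS
    if voip:
        rate += VOIP_HUB_TO_HUB_KBPS
    return rate


def hub_to_hub_required_kbps(voip: bool = True,
                             size_for_peak: bool = True) -> float:
    """Hub <-> hub link within a region; sized for peak unless told otherwise."""
    rate = HUB_TO_HUB_PEAK_KBPS if size_for_peak else HUB_TO_HUB_AVERAGE_KBPS
    if voip:
        rate += VOIP_HUB_TO_HUB_KBPS
    return float(rate)


def branch_required_kbps(users: int, voip: bool = True) -> float:
    """Branch <-> hub link: 10 Kbps per terminal services user plus VoIP."""
    rate = users * KBPS_PER_BRANCH_USER
    if voip:
        rate += VOIP_BRANCH_TO_HUB_KBPS
    return float(rate)


def choose_circuit(required_kbps: float, headroom: float = 1.25) -> int:
    """Smallest standard circuit that carries required_kbps with headroom.
    Raises ValueError when no listed circuit is large enough, so an
    undersized design fails loudly instead of silently picking the largest."""
    target = required_kbps * headroom
    for size in STANDARD_CIRCUITS_KBPS:
        if size >= target:
            return size
    raise ValueError(f"no standard circuit >= {target:.0f} Kbps")


def north_america_link_plan(branch_users: int, voip: bool = True) -> Dict[str, int]:
    """Circuit sizes for the three link classes in the North America redesign."""
    return {
        "region_to_nyc": choose_circuit(inter_region_required_kbps(voip)),
        "hub_to_hub": choose_circuit(hub_to_hub_required_kbps(voip)),
        "branch_to_toronto": choose_circuit(branch_required_kbps(branch_users, voip)),
    }


if __name__ == "__main__":
    # 25 users per Canadian branch is a constructed value for the demo
    for link, kbps in north_america_link_plan(branch_users=25).items():
        print(f"{link:>18}: {kbps} Kbps")
```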


Exercise 1: Preparing for a Network Infrastructure Design


The main tasks for this exercise are:
1. Read the scenario and supporting documents.
2. Discuss whether additional information is required.

Task 1: Read the scenario and supporting documents


1. Read the scenario above.
2. Open and read the following documents from the Labdocs folder on your student CD:
   - M1_Locations.doc
   - M1_Physical.png
   - M1_VirtualMachines.doc

Task 2: Discuss whether additional information is required


1. With your instructor, discuss what additional information, if any, is required to create a network infrastructure design.
2. With your instructor, determine what data can be assumed for completing the remainder of the lab.


Exercise 2: Designing the Network Topology


The existing network topology for Woodgrove Bank grew over time in an unplanned manner. This has resulted in the current network not meeting requirements. You need to create a new network topology that meets the requirements listed in the scenario and supporting documentation.

The main tasks for this exercise are:
1. Design the WAN links between regions.
2. Design the WAN links between hub sites in North America.
3. Design the WAN links to the new Canadian branches.
4. Design the connectivity for the newly purchased Washington State regional bank.
5. Design the tiers for the network within a hub site.

Task 1: Design the WAN links between regions


1. Determine what WAN links will be created between regions.
2. Determine which hub site in each region should be connected to other regions.
3. Determine how fast the WAN links will be.

Task 2: Design the WAN links between hub sites in North America
1. Determine what WAN links will be created between hub sites in North America.
2. Determine how fast the WAN links will be between hub sites in North America.

Task 3: Design the WAN links to the new Canadian branches


Determine how fast the WAN links will be between the new Canadian branches and the Toronto hub site.

Task 4: Design the connectivity for the newly purchased Washington State regional bank
Determine how Seattle and other branches will be connected to Woodgrove Bank.

Task 5: Design the tiers for the network within a hub site
1. Determine the number of tiers that should be used.
2. Determine the resources that will be placed in each tier.


Exercise 3: Designing Network Infrastructure for Virtualization


Woodgrove Bank is planning to virtualize several of its servers to optimize hardware utilization. You must determine how to design the network infrastructure to support the virtualized servers.

The main tasks in this exercise are:
1. Start the virtual machines, and then log on.
2. Review the MAC addresses used for virtualization.
3. Close all virtual machines and discard undo disks.
4. Determine the network connectivity required for each host server.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Review the MAC addresses used for virtualization


1. Open the Virtual Server administration Web site.
2. Edit the configuration of 6435A-NYC-DC1 and note the current MAC address: __________________________
3. View the Network adapter properties and review the available configuration options.

Task 3: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.


Task 4: Determine the network connectivity required for each host server
1. Determine the network connectivity required for NYC-HOST1.
2. Determine the network connectivity required for NYC-HOST2.
3. Determine the network connectivity required for NYC-HOST3.

Exercise 4: Designing a Change Management Plan


The existing change management system at Woodgrove Bank is very informal. When technical staff want to make a change, they seek approval from their immediate supervisor. However, supervisors often do not understand all the implications of a change. This has led to several outages. To reduce the chances of outages in the future, you need to design a formal change management process.

The main tasks in this exercise are:
1. Determine stakeholders who should be involved in the change management process.
2. Determine the process for submitting and approving a change.
3. Design a change request form.

Task 1: Determine stakeholders who should be involved in the change management process
1. Determine which IT roles should be part of the change management process.
2. Determine which non-IT roles should be part of the change management process.

Task 2: Determine the process for submitting and approving a change


1. Determine who should submit a change request.
2. Determine when changes can be implemented.
3. Determine who can approve change requests.
4. Determine an alternate process for emergency changes.
5. Determine who can approve emergency changes.

Task 3: Design a change request form


Determine what information should be included in a change request.


Exercise 5: Lab Discussion


A discussion with the entire class allows you to learn from the experience of other students in the class. They may have different ideas of how an appropriate design can be implemented. The main task in this exercise is to participate in a group discussion about your design decisions.

Task 1: Participate in a group discussion about your design decisions


1. As a group, discuss why you made the design decisions you did for the network topology.
2. As a group, discuss the specific concerns for virtualization and how they can be addressed.
3. As a group, discuss how the change management plan will be implemented.

Designing Network Security

2-1

Module 2
Designing Network Security
Contents:
Lesson 1: Overview of Network Security Design 2-3
Lesson 2: Creating a Network Security Plan 2-11
Lesson 3: Identifying Threats to Network Security 2-21
Lesson 4: Analyzing Risks to Network Security 2-34
Lesson 5: Defense-in-Depth Model Overview 2-42
Lab: Designing a Network Security Plan 2-47


Module Overview

There are many aspects to a network security design. One important aspect is using a consistent process for monitoring and maintaining security. The STRIDE and Defense-in-Depth models provide consistent frameworks for identifying network threats. After you have used the models to identify risks, you can analyze them to determine how you will mitigate those risks.


Lesson 1

Overview of Network Security Design

Many organizations underestimate the value of their information technology (IT) environment, often because they exclude substantial indirect costs. If there is a severe attack on the servers in the IT environment, it could significantly damage the entire organization. For example, an attack in which your organization's Web site is brought down could cause a major loss of revenue or customer confidence, which could affect your organization's profitability. An effective security design helps an organization to protect its assets.


Reasons for Investing in Network Security

Key Points
Organizations invest in network security to protect their assets from threats. Assets on a computer network can include such items as e-mail messages, intellectual property like trade secrets or source code, customer databases, and e-commerce transactions. A threat is a danger or vulnerability to an asset. Threats to assets include attackers trying to steal information, software applications that lack the latest security updates, and natural disasters such as fires or floods. A security design uses the concept of risk management to determine appropriate security responses to threats. Risk management is a careful study of criteria, for example, the likelihood of a threat occurring, the impact of the threat, the value of an asset to your organization, and the cost of a security solution. After you perform risk management, you can decide on an appropriate response to a threat.


Key Principles of Network Security

Key Points
For any network, users must have access to resources and the network requires a secure shared IT infrastructure. To attain these goals, three principles can be applied:
- Defense in depth refers to a combination of people, operations, and security technologies. Defense in depth provides multiple layers of protection to a network by defending against threats at multiple points in the network.
- Least privilege refers to granting a user, resource, or application the least amount of privilege or permissions necessary to perform the required task. Granting excessive permissions can introduce numerous vulnerabilities that attackers can easily exploit.
- A minimized attack surface reduces the number of possible points of entry for an attacker by removing unnecessary software, services, and devices.


Security Design and Implementation

Key Points
Security design ensures that an organization has a logical and carefully planned strategy for securing its assets. For example, not all assets are of equal value. In some cases, the cost of protecting an asset may exceed the value of the asset. Security design balances these and other considerations to ensure that security is applied throughout the organization in a controlled and logical manner. Security implementation applies the policies and procedures that you created during the design and ensures that they are deployed consistently throughout the organization. For example, security implementation ensures that individual computers receive the appropriate security templates and that computers are correctly configured to achieve the level of security that a specific security policy requires.


Components of Network Security

Key Points
Consider the components in the following table when securing a network.
Component: Physical security
Considerations:
- Poorly secured buildings
- Data links
- Theft of hardware

Component: Hosts
Considerations:
- Attacks during initial installation
- Incorrectly configured baseline security

Component: Accounts
Considerations:
- Incorrect privileges
- Misuse of administrator accounts
- Weak passwords

Component: Authentication
Considerations:
- Interception of passwords
- Incompatibility with software
- Weak encryption

Component: Data
Considerations:
- Configuration of permissions
- Failure of hardware
- Corruption of data

Component: Data transmission
Considerations:
- Attackers monitoring the network
- Address spoofing
- Data modification
- Denial of service

Component: Perimeter networks
Considerations:
- Exposure of network information
- Lack of control over infrastructure
- Exposure of computers to attack


Network Security Design Process

Key Points
The stages in the network security design process are:
- Create a security design team. Ensure that your design is the product of various perspectives so that all vulnerabilities and threats may be discovered. As well, wide consultation encourages acceptance of the finished plan.
- Perform threat modeling. This predicts threats to a given asset or resource. Knowing the threats that affect an asset helps you to design countermeasures to protect the asset.
- Perform risk management. This analyzes the likelihood of a threat occurring and the potential damage that a threat may cause. Risk management is a valuable tool that can help you to convince management that security measures are necessary to adequately defend a resource against a threat.
- Design security measures for your network elements. Create appropriate policies and procedures to protect your network based on the threat modeling and risk management that has been performed.
- Detect and react. Identify ways to detect intrusions and respond to security incidents in a controlled manner. Early detection of an attack is vital to limiting the damage that the attack may cause. Careful and thoughtful response can make recovery easier and can also prevent mistakes that may make the situation worse.
- Manage and review network security on a continual basis. Create, implement, and review policies for acceptable use, network management, and the secure operation of a network.


Lesson 2

Creating a Network Security Plan

A network security plan includes policies and procedures that need to be followed by users and administrators. You should follow guidelines to ensure that the risk of policy failure is minimized. You should also follow guidelines when creating a security design team.


Security Policies and Procedures

Key Points
Security policies are individual policies and guidelines that you create to govern the secure and appropriate use of technology and processes in your organization.
- Administrative policies are enforced by management. These policies cannot be enforced by operating systems, applications, or physical controls. An example is a nondisclosure agreement.
- Technical policies are enforced by operating systems and applications, such as security templates.
- Physical policies are enforced by implementing physical controls such as locks.

Security procedures describe how to comply with security policies. These should include the detailed steps necessary to implement the security policies.


For more information, see "RFC 2196: Site Security Handbook".
For more information, see "Best Practices for Enterprise Security".


Reasons for Security Policy Failure

Key Points
Security policies fail for many reasons. Anticipate these reasons and ensure that your policies address these concerns. Security policies often fail because they are:
- Not enforced. Employees tend to disregard security policies if the policies are not enforced and violators go unpunished.
- Difficult to read. Security policies often contain legal or technical jargon that makes them difficult for employees to understand.
- Difficult to find. Security policies that are stored in obscure or inaccessible locations prevent many employees from following them.
- Outdated. Security policies that are not kept up to date quickly become obsolete when technologies and business processes change.
- Too vague. Security policies that are open to interpretation by employees often result in inconsistent deployment of security in an organization.
- Too strict. Security policies that are too strict in their enforcement or their effect on business processes are generally not taken seriously by employees or enforced by management.
- Not supported by management. If management does not follow security policies or support their implementation, employees typically do not follow them either.


Guidelines for Creating Policies and Procedures

Key Points
Guidelines for creating policies and procedures include:
- Ensure that your security policies serve a clear purpose and are written concisely.
- Write simple procedures and policies that demonstrate how to successfully comply with the policies.
- Obtain management support for the purpose, implementation, and enforcement of security policies.
- Distribute your security policies so that employees can refer to them easily. For example, give paper copies of policies to employees or post the policies to convenient internal Web sites, and update the policies regularly.
- Before implementing security policies, ensure that they do not disrupt business processes.
- Using technology to enforce security policies helps to prevent employees from unwittingly violating security policies. However, remember that technology is not the only method of enforcement.
- Ensure that the consequences of violating security policy are consistent with the severity of the violation and with the culture of your organization.
- Ensure that managers are empowered to enforce the consequences of violating security policy.


Roles for a Security Design Team

Key Points
Each role is responsible for a unique part of the security design. Your team does not necessarily require one person per role, but all roles must be assigned to an owner or representative. Other potential roles on the security design team include:
- A legal representative. This person advises the team about local, national, and international laws and liabilities that may affect the security policies.
- A representative from human resources. This person ensures that security policies can be enforced and do not conflict with employment laws.
- Managers. They enforce security policies. Manager involvement also helps to ensure that security policies do not conflict with business processes.
- End users. They provide feedback about how to train end users on the security policies and how the policies may affect end users.
- Auditors. They ensure compliance with government or industry regulations during the design.


Guidelines for Creating a Security Design Team

Key Points
Guidelines for creating a security design team include:
- An executive sponsor who can make decisions gives authority to your design and helps to keep team members focused on the project.
- Coordinating team members from various parts of your organization is a difficult task. Ensure that you use a program manager who is experienced with personnel and with your corporate culture.
- Teams that will deploy and manage network security are essential to the success of your design after you have finished it. Involving them in the planning process promotes successful implementation.
- Legal and human resources departments can ensure that your design is legal and ethical.
- Involving representatives of managers and end users in the design will help to ensure that all managers and end users follow your policies.
- Ensure that all members of the security design team understand their responsibilities and the goals of all other roles.
- Communicate regularly and clearly to your organization so that people know whom to expect communication from and have time to prepare for your design. Various communication tasks should be planned and assigned to specific team members.


Lesson 3

Identifying Threats to Network Security

When you incorporate security in your network, it helps to understand how attackers think. By thinking like an attacker and being aware of security threats, you can be more effective when applying countermeasures. The STRIDE model is one model that helps you to predict network threats.


Reasons for Network Attacks

Key Points
Some of the reasons why network attacks occur include:
- Profit. A common motivation for attacks is profit. Attackers may use the threat of a denial of service attack to extort money or phishing attacks to footprint your network.
- Revenge. Attackers may feel slighted by an organization and want to punish it. For example, former employees may attack their previous organizations if they consider that their employment was terminated unfairly. Attackers like this are particularly dangerous because they have an in-depth knowledge of the network and a personal motivation for attack.
- Espionage. Attackers may spy on an organization or government to obtain secrets. Such an attacker is often motivated by patriotism or monetary gain.
- Publicity. Attackers may attack a network or application to seek public notoriety or to advertise their own services. Publicity seekers often report their attacks.
- Personal satisfaction. Attackers may attack networks as a hobby, for the challenge, or to boost their egos. Attackers like this are dangerous because they attack networks indiscriminately.
- Terrorism. Attackers may attack a network as part of a terrorist effort that has been sponsored by a group or state. These are the most serious types of attack because human life may be at risk.


Stages of Network Attacks

Key Points
By understanding the basic approach used by attackers to target your network, you are better equipped to take defensive measures.
1. The first step that an attacker usually takes is to survey the potential target to identify and assess its characteristics. These characteristics may include its supported services and protocols together with potential vulnerabilities and entry points.
2. After surveying a potential target, the next step is to exploit and penetrate. Attackers will look for known vulnerabilities based on the list of network resources they have gathered during survey and assessment.
3. After compromising a network, attackers immediately attempt to escalate privileges by accessing administrative and system accounts. Using least privileged service accounts throughout your network is a primary defense against privilege escalation attacks.
4. After gaining access to a system, attackers take steps to make future access easier, such as planting back-door programs, using an existing account that lacks strong protection, or creating a new account. Then attackers cover their tracks by clearing logs and hiding tools.
5. Attackers who cannot gain access may mount a denial of service attack to prevent others from using the services on your network. For other attackers, the denial of service option is their goal from the outset.


Types of Network Attacks

Key Points
Some types of network attacks are:
- Eavesdropping is performed by using a network sniffer to capture network communication. All clear text data is at risk. However, packet sniffing is relatively difficult on a switched network.
- Data modification can be performed after data has been captured with a network sniffer. Most network sniffers support modifying packets and replaying them.
- Identity spoofing can be used to fool some firewalls into thinking communication is coming from an internal source rather than an external source by falsifying the source IP address.
- Password-based attacks rely on users with simple passwords. After guessing the password of a user, attackers can view network resources that can be accessed by that user.
- Denial of service attacks prevent normal users from accessing network services. Most denial of service attacks are possible due to software flaws that are exploited.
- Man-in-the-middle attacks require a computer to monitor and potentially modify network communication between two hosts. This is relatively difficult to implement.
- A compromised key occurs when a key used for encryption is known to anyone other than the legitimate parties to the communication. Knowledge of the key allows unauthorized parties to view the contents of encrypted communication. This also includes unauthorized knowledge of private keys for certificates used during authentication.
- Application layer attacks cause faults in an operating system or application to bypass normal access controls. A common application layer attack is a buffer overflow.


Common Network Vulnerabilities

Key Points
Most successful attacks on networks succeed by exploiting common and well-known vulnerabilities or weaknesses. These can be organized into the following general categories:
- Weak passwords and authentication systems allow attackers to gain access to your system by using brute force password attacks. You can increase security by requiring complex passwords or introducing two-factor authentication such as smart cards. However, increased security for passwords must be balanced with ease of use.
- Audit logs can be used to monitor which users accessed network resources and when. If audit logs are not enabled, or are not configured to collect the appropriate information, then it may be impossible to detect attackers accessing your network.
- The rights and permissions granted to any user should be the minimum required to perform their job. Then, if an account is compromised by an attacker, the damage they can cause is minimized. This is also true for service accounts.
- Any service or application is a potential point of attack. To minimize the risk of applications and services being attacked, all unnecessary applications and services should be removed. As well, you should regularly apply security updates for your applications and services.

Note: Microsoft distributes the Microsoft Security Intelligence Report which is a report listing the most common current threats. You can download the latest version from the Technet Security Center at http://www.microsoft.com/technet/security/default.mspx.


STRIDE Threat Model Overview

Key Points
Threats faced by the network can be categorized based on the purposes of the attacks. A working knowledge of these threat categories can help you to organize a security strategy so that you have planned responses to threats. A threat model is a structured approach to predicting potential threats to information security. By discovering potential threats while performing threat modeling, you can create an accurate risk management plan. By predicting threats, you can proactively reduce your risk.


Guidelines for Modeling Network Threats

Key Points
The following guidelines will assist you when modeling threats to your network:
- Encourage creative thinking among team members. Some suggestions, however unrealistic, may prompt others to discover additional valid threats.
- Ensure that team members have all the information that they require, such as network diagrams or application source code.
- Manage discussions about the validity of a threat to focus on threats to the network and to avoid disagreements about minor differences of opinion.
- When assembling your team, consider including a trusted third party who specializes in network penetration testing. The third party will have skills that are likely not available internally, and will bring a different perspective.
- Use caution when including team members who may have conflicts of interest. For example, a developer who wrote the code in the application being assessed, or a manager who funded the project to create the application, may overestimate the ability of the application to withstand an attack, or may be too familiar with it to be objective about its assessment.


Countering Network Threats

Key Points
Each threat category described by STRIDE has a corresponding set of countermeasure techniques that should be used to reduce risk. The appropriate countermeasure depends upon the specific attack.

Category: Spoofing
Example countermeasures:
- Protect authentication credentials by using SSL
- Do not store personal information in plaintext

Category: Tampering
Example countermeasures:
- Use tamper-resistant protocols across communication links
- Protect communication links by using protocols that provide message integrity

Category: Repudiation
Example countermeasures:
- Create secure audit trails

Category: Information disclosure
Example countermeasures:
- Protect communication links by using protocols that provide message confidentiality
- Do not store secrets, such as passwords, in plaintext

Category: Denial of service
Example countermeasures:
- Validate and filter inputs

Category: Elevation of privilege
Example countermeasures:
- Use least privileged service accounts to run processes and access resources


Lesson 4

Analyzing Network Security Risks

Risk analysis is the act of examining the relative value of your assets and then allocating your security resources based on the likelihood of the risk occurring and the value of the asset. Risk analysis helps you to prioritize your efforts and spending to secure your network.


Risk Assessment

Key Points
Risk assessment helps to ensure that your security plan is rational and that you apply your resources to maximize results. By assessing risks and creating a risk management plan, you can:
- Rank security risks to your organization relative to other risks. This helps your organization to determine how to allocate resources to secure the network.
- Discover the point at which incremental improvements to security become inefficient and costly.
- Use a quantitative risk analysis to justify the expense of security personnel, hardware, and software.

Risk assessment requires a comprehensive list of threats to your network and their potential impacts. This is necessary to properly allocate resources for network security. An organized process of risk assessment ensures that all important threats are identified. An organization that chooses to respond to security threats randomly may overlook critical security issues on its network.

Risk assessment creates metrics that help you to judge the success of your security plan. You can also use metrics to prepare compensation plans for executives and security personnel.


Network Assets at Risk

Key Points
When assessing risk, you must start with a comprehensive list of assets that may be attacked. You can then analyze the various risks for each asset. Some categories of risk are hardware, software, documentation, and data. A large part of the role of security is protecting public confidence and the trust of business partners. This is known as goodwill. For example, suppose an attacker has defaced your organization's Web site. You notify customers that the attacker has stolen the private information of the Web site's users, including their addresses and credit card numbers. In addition to incurring direct financial losses from lost business, your organization also suffers a loss of goodwill because the company's image is tarnished.


Calculating Risk Impact

Key Points
The impact of any given risk is based on the probability of the risk occurring and the costs associated with that risk occurring. The costs can be direct, such as staff time to perform a recovery or lost orders during an outage. The costs can also be indirect, such as loss of goodwill and prospective customers. The overall impact of a risk is calculated as:

Risk impact = probability of occurrence x (direct costs + indirect costs)

In most cases, there is no exact method for calculating costs or the probability of occurrence. These values must be estimated as accurately as possible. In some cases, due to a lack of data, organizations prefer a qualitative approach that assigns a ranking to various risks rather than a dollar value.
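The following added example (not from the course) applies the risk impact formula above to a small risk register and ranks the results, as Lesson 4 describes. It also carries each risk's proposed countermeasure cost through the calculation, which makes visible the case from Lesson 1 where protecting an asset costs more than the exposure it removes. The register entries, the countermeasure costs and the qualitative thresholds are constructed sample values.

```python
"""Added example (not from the course): a quantitative risk register using
the module's formula, risk impact = probability x (direct + indirect
costs), extended with the cost of a proposed countermeasure so that the
case where protection costs more than the exposure it removes is visible.
All register entries below are constructed sample values."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    probability: float                 # chance of occurring per year (0..1)
    direct_cost: float                 # recovery time, lost orders, ...
    indirect_cost: float               # loss of goodwill, prospective customers
    countermeasure_cost: float = 0.0   # yearly cost of the proposed control
    residual_probability: Optional[float] = None   # probability with the control

    def impact(self) -> float:
        """Risk impact = probability of occurrence x (direct + indirect costs)."""
        return self.probability * (self.direct_cost + self.indirect_cost)

    def residual_impact(self) -> float:
        """Impact after the countermeasure; unchanged when none is proposed."""
        if self.residual_probability is None:
            return self.impact()
        return self.residual_probability * (self.direct_cost + self.indirect_cost)

    def net_benefit(self) -> float:
        """Impact removed by the control minus what the control costs.
        Negative means protecting the asset costs more than the exposure."""
        return self.impact() - self.residual_impact() - self.countermeasure_cost


def rank_risks(register: List[Risk]) -> List[str]:
    """Risk names ordered from highest to lowest impact."""
    ordered = sorted(register, key=lambda r: r.impact(), reverse=True)
    return [r.name for r in ordered]


def qualitative_rating(risk: Risk, high: float = 20_000, medium: float = 5_000) -> str:
    """Ranking instead of a dollar value, for when cost data is rough.
    The thresholds are assumptions, not course figures."""
    impact = risk.impact()
    if impact >= high:
        return "High"
    if impact >= medium:
        return "Medium"
    return "Low"


def worthwhile_controls(register: List[Risk]) -> List[str]:
    """Controls whose impact reduction exceeds their cost."""
    return [r.name for r in register if r.net_benefit() > 0]


# Constructed sample register (values are illustrative only)
SAMPLE_REGISTER = [
    Risk("Web site defacement", 0.20, 50_000, 200_000,
         countermeasure_cost=15_000, residual_probability=0.05),
    Risk("Batch server hardware failure", 0.10, 20_000, 5_000,
         countermeasure_cost=10_000, residual_probability=0.02),
    Risk("Guessed branch user password", 0.50, 8_000, 12_000,
         countermeasure_cost=30_000, residual_probability=0.05),
    Risk("Fire at hub site", 0.01, 500_000, 300_000,
         countermeasure_cost=2_000, residual_probability=0.005),
]

if __name__ == "__main__":
    for risk in sorted(SAMPLE_REGISTER, key=Risk.impact, reverse=True):
        print(f"{risk.name:32} impact={risk.impact():>9,.0f} "
              f"rating={qualitative_rating(risk):6} "
              f"net_benefit={risk.net_benefit():>+9,.0f}")
```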

The MOF Risk Management Process

Key Points
Most IT organizations attempt to reduce risk by restricting change. This is an effective way to reduce risk, but it also restricts the ability of organizations to respond to changes in their environment and take advantage of opportunities. The MOF risk management process provides a way to manage risks instead of simply attempting to avoid them all. The stages of the risk management process are:
- Identify risks as early as possible and frequently, to ensure that all risks are known and can be managed appropriately.
- Analyze and prioritize risks by using a consistent process to rank or value the known risks.
- Plan and schedule how to mitigate risks, based on the rankings or values produced by risk analysis.
- Track and report specific risks and their occurrence, to ensure that your estimates of cost and probability of occurrence are accurate.

- Control risks by implementing plans for risk mitigation. This also includes initiating change control requests when changes in risk status affect SLAs or service availability.
- Learn from risks by formally documenting risk occurrences and other knowledge related to the risk management process. This is essential when refining risk management plans in the future.

Note: For more information about the MOF Risk Management Process see MOF Risk Management Discipline for Operations at http://www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/mofrisk.mspx.

Guidelines for Creating a Risk Management Plan

Key Points
For your risk management plan to be successful, you must consider the following guidelines:
- Approval and support from management is a key component of success. Support from a single executive sponsor, if possible, is even more valuable.
- Determining scope early in the design helps to ensure that your efforts remain focused on your plan's objectives.
- The data that you compile during your analysis may change, so it is important to act on that information as quickly as possible.
- When your network resources change, the risks to those resources may change. Be sure to update your risk management plan accordingly.
- The risk management plan can act as a guide so that each risk has an owner, and you can track how much you spend to manage each risk.

Lesson 5

Defense-in-Depth Model Overview

The Defense-in-Depth model is a layered approach for analyzing network security. It can be used both to identify risks and to identify methods for mitigating those risks. The layered approach allows you to see how mitigation methods can be combined for greater security.

Layers of the Defense-in-Depth Model

Key Points
Defending your organization in depth means that you apply a combination of people, processes, and technology to protect against threats at each layer. If one layer is compromised, the protections for the other layers are still in place. Using a layered approach increases the probability of detecting an attacker and reduces the probability that an attack will be successful. As a general guideline, design and build each layer of your security under the assumption that every other layer has been breached.

The policies, procedures, and awareness layer affects all other layers and needs to be considered as part of each other layer. For example, appropriate procedures must be defined to ensure that the IT staff does not introduce unnecessary risk by making unauthorized changes.

The physical security layer also affects other layers. If physical security is not in place, then measures implemented to protect other layers may be easy to compromise. For example, a server could be started from a CD-ROM containing malicious software that can be used to reset the local Administrator account.

Using Defense-in-Depth to Identify Risks

Key Points
The Defense-in-Depth model can be used to identify network risks. For each layer in the Defense-in-Depth model, you can generate a list of assets and risks that can be used for risk analysis.

Using Defense-in-Depth to Mitigate Risks

Key Points
In addition to identifying risks, the Defense-in-Depth model can also be used to identify methods for mitigating risks. The costs associated with these risk mitigation methods can then be used as part of risk analysis.

Discussion: Security Implementation

Your classroom discussion will include security measures for your organization.

Lab: Designing a Network Security Plan

Scenario
Woodgrove Bank is a large multinational corporation with offices in multiple countries. Until now, security planning for IT resources has been handled by the individual areas responsible for network infrastructure and applications. For example, the network team was responsible for all network-related security, with no formal process for involving application support or functional areas within the business. There is concern at the executive level of Woodgrove Bank that the current structure for security is not efficient for allocating resources. A new centralized system for managing security is being implemented. This process will include creating a security design team and performing formal risk analysis to allocate resources.

Use the following documents to help create your design:
- M2_ITSupport.doc
- M2_NANetwork.png
- M2_NetworkConnectivity.doc
- M2_OrgChart.png
- M2_OrgStructure.doc

Exercise 1: Identifying a Team for the Security Plan

Scenario
Woodgrove Bank is a large multinational corporation with offices in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the network infrastructure for segments within the enterprise. The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Design a security design process.
3. Design a team for the security plan.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Design a security design process

1. What steps need to be performed when designing network security?

Task 3: Design a team for the security plan

1. What are the necessary roles for a security design team?
2. Which person should be the sponsor for this project?
3. Which people should be involved from product management?
4. Which person should be the project manager?
5. Which people should be involved in development of security measures?
6. Which people should be involved in testing?
7. Which people should be involved in user experience?

Exercise 2: Identifying Threats

The main tasks for this exercise are:
1. Identify risks to resources.

Task 1: Identify risks to resources

1. Use the STRIDE model to identify risks to resources in the perimeter network.

   STRIDE                    Example Risk
   Spoofing
   Tampering
   Repudiation
   Information disclosure
   Denial of service
   Elevation of privilege

2. Use the STRIDE model to identify risks to resources on the internal network.

   STRIDE                    Example Risk
   Spoofing
   Tampering
   Repudiation
   Information disclosure
   Denial of service
   Elevation of privilege

3. Use the defense-in-depth model to identify risks to resources on the network.

   Layer                                 Example Risk
   Data
   Application
   Host
   Internal network
   Perimeter
   Physical security
   Policies, procedures, and awareness

Exercise 3: Analyzing Risk


After identifying potential risks, it has been determined that the risks to resources in the perimeter network are the most important to address. You must now calculate the risk impact for risks to resources in the perimeter network to determine which projects to implement. Your budget for implementing new security measures this year is $500,000. The document M2_RiskFigures.doc in the Labdocs folder on the student CD contains additional information about risk probability and costs. The main tasks in this exercise are:
1. Determining risk impact.
2. Determine how to allocate your security budget.

Task 1: Determining risk impact

1. What is the risk impact for a denial of service attack on the Web application for investors?
2. What is the risk impact for a password attack on the Web application for customer service accounts?
3. What is the risk impact for an attack on the Web server with general information for customers that puts false information on the Web site?

Task 2: Determine how to allocate your security budget

1. Which projects will you fund based on your budget?
2. Can you make an effective argument to management for more security funding?
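The course formula from "Calculating Risk Impact" applied to this exercise, as an added example that is not part of the lab: the risks, probabilities, costs and mitigation prices are constructed placeholders rather than the figures in M2_RiskFigures.doc, and the budget allocation is a simple greedy choice by expected loss avoided per dollar, which the course does not prescribe.

```python
"""Risk impact and security budget allocation (added example, constructed figures).

Implements the course formula
    risk impact = probability of occurrence x (direct costs + indirect costs)
and then funds mitigation projects within a fixed budget, preferring the
projects that remove the most expected loss per dollar spent.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float      # estimated probability of occurrence within the year
    direct_cost: float      # staff time, recovery, lost orders (per occurrence)
    indirect_cost: float    # goodwill, prospective customers (per occurrence)
    mitigation_cost: float  # one-time cost of the project that addresses the risk
    residual_factor: float  # fraction of the impact that remains after mitigation


def risk_impact(risk: Risk) -> float:
    """Course formula: probability x (direct costs + indirect costs)."""
    return risk.probability * (risk.direct_cost + risk.indirect_cost)


def rank_risks(risks):
    """Highest impact first, as in the 'Analyze and prioritize risks' stage."""
    return sorted(risks, key=risk_impact, reverse=True)


def allocate_budget(risks, budget: float):
    """Greedy allocation (hypothetical policy): fund the projects with the best
    expected-loss reduction per dollar until the budget is exhausted.
    Returns (funded project names, amount spent, expected loss avoided)."""
    def benefit(r: Risk) -> float:
        return risk_impact(r) * (1.0 - r.residual_factor)

    candidates = sorted(risks, key=lambda r: benefit(r) / r.mitigation_cost, reverse=True)
    funded, spent, avoided = [], 0.0, 0.0
    for r in candidates:
        if spent + r.mitigation_cost <= budget:
            funded.append(r.name)
            spent += r.mitigation_cost
            avoided += benefit(r)
    return funded, spent, avoided


# Constructed perimeter-network risks (hypothetical numbers, not the lab's figures)
PERIMETER_RISKS = [
    Risk("DoS on investor Web application", 0.50, 200_000, 300_000, 150_000, 0.10),
    Risk("Password attack on customer service accounts", 0.30, 100_000, 400_000, 90_000, 0.20),
    Risk("Defacement of public information Web server", 0.20, 20_000, 180_000, 60_000, 0.05),
    Risk("Compromise of perimeter DNS server", 0.05, 50_000, 50_000, 300_000, 0.50),
]

if __name__ == "__main__":
    for r in rank_risks(PERIMETER_RISKS):
        print(f"{r.name:48s} impact = ${risk_impact(r):>10,.0f}")
    funded, spent, avoided = allocate_budget(PERIMETER_RISKS, 500_000)
    print(f"Funded within $500,000: {funded}")
    print(f"Spent ${spent:,.0f}; expected loss avoided ${avoided:,.0f}")
```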

Exercise 4: Implementing Password Policies


Now that all domain controllers have been upgraded to Windows Server 2008, you would like to take advantage of the fine-grained password policies that are available. Fine-grained password policies allow you to vary the password policy for various groups of users. A password policy is required for Customer Service staff. The main tasks in this exercise are:
1. Raise the domain functional level to Windows Server 2008.
2. Create a fine-grained password policy for customer service staff.
3. Associate the new fine-grained password policy with Customer Service groups.
4. Verify the resultant PSO for a user.
5. Close all virtual machines and discard undo disks.

Task 1: Raise the domain functional level to Windows Server 2008

1. On NYC-DC1, use Active Directory Users and Computers to raise the domain functional level to Windows Server 2008.

Task 2: Create a fine-grained password policy for customer service staff

1. On NYC-DC1, open ADSI Edit.
2. Connect to the Default naming context and browse to CN=Password Settings Container,CN=System,DC=WoodgroveBank,DC=com.
3. Create a new msDS-PasswordSettings object in the Password Settings Container with the following settings:
   - Common-Name: CustomerService
   - Password Settings Precedence: 1
   - Password reversible encryption status for user accounts: FALSE
   - Password History Length for user accounts: 5
   - Password complexity status for user accounts: TRUE
   - Minimum Password Length for user accounts: 6
   - Minimum Password Age for user accounts: 1:00:00:00
   - Maximum Password Age for user accounts: 60:00:00:00
   - Lockout threshold for lockout of user accounts: 10
   - Observation Window for lockout of user accounts: 0:00:30:00
   - Lockout duration for locked out user accounts: 0:00:45:00

Task 3: Associate the new fine-grained password policy with Customer Service groups

1. On NYC-DC1, open Active Directory Users and Computers and enable viewing of Advanced Features.
2. Browse to the Password Settings Container in the System container.
3. In the properties of the CustomerService object, edit the msDS-PSOAppliesTo attribute.
4. Add the following Windows groups:
   - NYC_CustomerServiceGG
   - MIA_CustomerServiceGG
   - TOR_CustomerServiceGG

Task 4: Verify the resultant PSO for a user

1. On NYC-DC1, use Active Directory Users and Computers to view the properties of Matt Berg in the Toronto Customer Service OU.
2. On the Attribute Editor tab, enable viewing of Constructed attributes.
3. Verify that the msDS-ResultantPSO attribute shows the CustomerService PSO.

Task 5: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Module 3
Designing IP Addressing
Contents:
Lesson 1: Designing an IPv4 Addressing Scheme   3-3
Lesson 2: Designing DHCP Infrastructure   3-11
Lesson 3: Designing DHCP Configuration Options   3-18
Lesson 4: Designing an IPv6 Addressing Scheme   3-23
Lesson 5: Designing an IPv6 Transition   3-32
Lab: Designing IP Addressing in Windows Server 2008   3-43

Module Overview

After you have determined your network topology, you must define the IP networks in your organization. In the past, this would have included only IPv4 networks and determining how to assign IPv4 addresses. However, IPv6 is increasing in popularity and must be considered in modern networks.

Lesson 1

Designing an IPv4 Addressing Scheme

An IPv4 addressing scheme requires you to determine an appropriate subnet mask for each IPv4 network. The subnet mask is based on the number of subnets you require and the number of hosts you require on each subnet. You must also determine when public and private IPv4 addresses are required.

Considerations for Determining the Hosts per Subnet

Key Points
Consider the following when determining the number of hosts per subnet:
- All devices on each subnet must have an IP address, including routers and, in most cases, switches. In many environments, servers have multiple network adapters and multiple IP addresses.
- Network design specifications must allow you to meet performance goals determined by network analysis. This may include limiting the number of hosts per subnet.
- The number of hosts on a subnet must be supported by your routers and switches. Switches in particular have a limit on the number of hosts they can support.
- Future growth must be considered when determining the number of hosts on each subnet, to avoid expensive adjustments to the network design.

- Use the formula 2^n - 2 to determine the number of host bits (n) required in a subnet mask. This formula calculates the number of valid hosts on a subnet that has n host bits. The -2 removes the network and broadcast addresses.

Note: Subnet calculators are widely available on the Internet to help you calculate an appropriate subnet mask without performing binary calculations.

Considerations for Determining the Number of Subnets

Key Points
Consider the following when determining the number of subnets required:
- Each WAN location must have a separate subnet. This allows you to control communication between WAN locations.
- Create separate subnets for each security zone within a LAN. This allows you to control communication between security zones.
- Create enough subnets so that no individual subnet is overloaded with too many hosts, based on your router and switch performance. This ensures sufficient overall network performance.
- Future growth must be considered for new subnets within LANs, in addition to new WAN locations. This avoids expensive adjustments to the network design.
- Use the formula 2^n to determine the number of subnet bits (n) required in a subnet mask. This formula calculates the number of subnets that can be created by using n bits.

- Reduce the number of hosts on a subnet to decrease broadcast traffic. This ensures that switch performance is not compromised.

Note: Some documentation uses the formula 2^n - 2 for determining subnet bits. The -2 removes the first and last subnets, where the subnet bits are all 0s or all 1s. This was required for class-based (classful) routing, but not for classless routing, which is common on current networks.

For more information, see "Architecture Design section of Enterprise Design".
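The host-bit and subnet-bit formulas above, worked as an added example that is not part of the course: it sizes subnets for a constructed 10.20.0.0/16 block with a growth margin, shows the classful 2^n - 2 variant from the note for comparison, and refuses a block that cannot meet the requirement.

```python
"""IPv4 subnet-mask sizing (added example; the address blocks below are constructed).

Applies the two course formulas:
    hosts per subnet   = 2**h - 2   (h host bits; -2 drops network and broadcast)
    number of subnets  = 2**s       (s subnet bits; classless routing, no -2)
and the classful variant 2**s - 2 mentioned in the note.
"""
import ipaddress
import itertools
import math


def host_bits_for(hosts: int) -> int:
    """Smallest h with 2**h - 2 >= hosts (room for every device, routers and switches included)."""
    if hosts < 1:
        raise ValueError("a subnet needs at least one host")
    h = 2  # fewer than 2 host bits leaves no usable address at all
    while (2 ** h) - 2 < hosts:
        h += 1
    return h


def subnet_bits_for(subnets: int, classful: bool = False) -> int:
    """Smallest s with 2**s >= subnets, or 2**s - 2 >= subnets under classful routing."""
    if subnets < 1:
        raise ValueError("at least one subnet is required")
    s = 0
    while (2 ** s) - (2 if classful else 0) < subnets:
        s += 1
    return s


def plan_subnets(block: str, subnets: int, hosts_per_subnet: int, growth: float = 0.5):
    """Pick a prefix length inside `block` that yields at least `subnets` subnets, each
    able to hold hosts_per_subnet plus a growth margin (default 50%, a hypothetical
    planning figure). Returns (prefix length, the first `subnets` networks).
    Raises ValueError when the block is too small for the requirement."""
    net = ipaddress.IPv4Network(block, strict=True)
    h = host_bits_for(math.ceil(hosts_per_subnet * (1 + growth)))
    s = subnet_bits_for(subnets)
    available = 32 - net.prefixlen
    if s + h > available:
        raise ValueError(
            f"{block} cannot provide {subnets} subnets of {hosts_per_subnet} hosts "
            f"(+{growth:.0%} growth): needs {s + h} bits, only {available} available")
    prefix = 32 - h  # every subnet gets exactly h host bits; spare bits become extra subnets
    return prefix, list(itertools.islice(net.subnets(new_prefix=prefix), subnets))


if __name__ == "__main__":
    prefix, nets = plan_subnets("10.20.0.0/16", subnets=6, hosts_per_subnet=300)
    print(f"/{prefix} subnets, {nets[0].num_addresses - 2} usable hosts each:")
    for n in nets:
        hosts = list(n.hosts())
        print(f"  {n}  usable {hosts[0]} - {hosts[-1]}")
    try:
        plan_subnets("192.168.1.0/24", subnets=16, hosts_per_subnet=100)
    except ValueError as err:
        print("rejected:", err)
```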

Public Addressing vs. Private Addressing

Key Points
Hosts that are connected directly to the Internet require a public, globally unique IP address. Any network connected to the Internet has a minimum of one public address for Internet connectivity. To enhance security, a private network that uses public addresses and is connected to the Internet requires isolation from the Internet by a firewall, a screened subnet, or a packet-filtering router. If the network design requires that a large number of IP addresses be accessible from the Internet, you must obtain a suitable range of public IP addresses. You can apply for public IP addresses from an Internet service provider (ISP) or Internet registry. However, having a large number of public addresses is expensive to maintain, and in most cases, unnecessary.

For more information, see "RFC 1918: Address Allocation for Private Internets".

Guidelines for Designing IPv4 Addressing

Key Points
Consider the following guidelines when designing IPv4 addressing:
- Use classless IP addressing to make more efficient use of IP addresses by subnetting appropriately.
- Use classless routing protocols on your routers to use classless IP addressing on your network. Most current routing protocols, with the exception of Routing Information Protocol for IP version 1 (RIPv1), support classless IP addressing.
- Use variable-length subnetting to customize your subnets based on the number of hosts on each segment.
- Use supernetting to combine multiple IP ranges into a single large range of addresses. This makes routing more efficient.
- Use public addresses if you use a direct (routed) connection to the Internet. Public addresses are reachable on the Internet; private addresses are not.
- Use private addresses if you use an indirect connection to the Internet, such as a proxy server or NAT. Private addresses are strongly recommended for this application to prevent conflicts with public addresses, which might already be in use on the Internet.

Lesson 2

Designing DHCP Infrastructure

DHCP is an essential component of an IPv4 network. A majority of network clients rely on DHCP to obtain an IPv4 address for network connectivity. When designing DHCP infrastructure, you must ensure that it is reliable and secure.

Options for Automatic IPv4 Address Assignment

Key Points
Most organizations use DHCP to deliver IPv4 addresses and configuration options to clients. DHCP can be scaled to very large environments and is much easier to maintain than static IP addresses.

When Windows clients are configured to use a DHCP server, but a DHCP server cannot be reached, they will generate an Automatic Private IP Addressing (APIPA) address. APIPA addresses are suitable only for very small peer-to-peer networks where Internet connectivity is not required. APIPA does not assign IP configuration options such as a DNS or WINS server.

Alternate IP configuration is used as an alternative to APIPA when a Windows client cannot communicate with a DHCP server. However, in this case, a static IP address and configuration options are used. In some situations, this can be useful for roaming users.

DHCP Communication Process

Key Points
All DHCP communication to and from a DHCP client during the initial lease is broadcast-based. This is required because the DHCP client is not yet assigned an IP address. As a consequence, DHCP communication is limited to the local subnet by default. In this scenario, a DHCP server is required on each subnet with DHCP clients. In larger organizations, a DHCP relay is used to forward DHCP requests from a remote subnet to a central DHCP server. The DHCP relay also takes the response from the DHCP server and broadcasts it for the DHCP client. Windows Server 2008 can be configured as a DHCP relay, but it is more common to configure routers as a DHCP relay.

Design Options for DHCP Servers

Key Points
A distributed DHCP infrastructure assumes that no DHCP/BOOTP relays are in place. Consequently, a DHCP server is required for each subnet. This is not practical for larger organizations because it would require a large number of DHCP servers, which would be awkward to manage.

A centralized DHCP infrastructure places DHCP servers in a central location and uses DHCP/BOOTP relays to forward requests from remote subnets. This works well within a single location, but may not be suitable for large organizations with many WAN links. The failure of a WAN link may prevent some clients from obtaining an IP address and accessing network resources.

A combined infrastructure is used by many organizations. Each WAN location has its own centralized infrastructure with one or more DHCP servers. This allows for centralized management of the DHCP servers and avoids concerns about WAN link reliability.

Methods for Improving DHCP Server Availability

Key Points
The split scope method for improving DHCP server availability requires two DHCP servers to service each subnet. The scope for that subnet is split between the two servers, typically using an 80%:20% split for the addresses. There is no coordination between servers and any reservations must be created on both servers. Failover clustering can be used to increase the availability of a DHCP server. If one node in the cluster fails, it will restart on another server node. However, failover clustering is more complex to implement than a standby server or split scope.

A standby server can also be used to increase DHCP availability. The standby server is preconfigured with the necessary DHCP configuration, but is manually activated when another DHCP server fails. You must configure server-side address conflict detection to prevent the assignment of duplicate IP addresses. In addition, you must have a mechanism for synchronizing configuration between the production server and the standby server.

Securing DHCP Servers

Key Points
DHCP authorization in Active Directory prevents unauthorized (rogue) DHCP servers running Windows 2000 Server, Windows Server 2003, or Windows Server 2008 from servicing clients. This is important to prevent DHCP clients from obtaining incorrect IP addresses and configuration information. However, rogue DHCP servers that are not Windows-based do not need to be authorized and can still be introduced to the network. There are several built-in groups for controlling the configuration of DHCP servers. These groups should be used to limit the management of DHCP servers to authorized administrators.
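Because authorization cannot stop a non-Windows rogue server, a defender has to notice one on the wire. As an added example that is not part of the course, the code below parses server-to-client DHCP messages in the RFC 2131 layout and flags any server identifier (option 54) that is not on an allow list of known DHCP servers; the packets, MAC address and allow list are constructed, and the OFFER builder exists only to exercise the parser.

```python
"""Detecting DHCP servers that authorization cannot block (added example, constructed data).

Parses DHCP OFFER/ACK/NAK messages captured on a subnet (RFC 2131 fixed header,
magic cookie, then TLV options) and reports a server that is not on the allow list.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(packet: bytes) -> dict:
    """Return op, xid, yiaddr, chaddr and the option map; ValueError if malformed."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", packet[:8])
    yiaddr = str(ipaddress.IPv4Address(packet[16:20]))   # 'your' address offered to client
    chaddr = packet[28:28 + hlen].hex(":")               # client hardware address
    options, pos = {}, 240
    while pos < len(packet):
        code = packet[pos]
        if code == 255:                                  # end option
            break
        if code == 0:                                    # pad option: one byte, no length
            pos += 1
            continue
        if pos + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        pos += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}


def check_offer(packet: bytes, authorized_servers: set) -> dict:
    """Classify one DHCP message. 'rogue' is True for a server->client message whose
    server identifier (option 54) is absent or not in authorized_servers."""
    msg = parse_dhcp(packet)
    mtype = DHCP_MESSAGE_TYPES.get(msg["options"].get(53, b"\x00")[0], "UNKNOWN")
    if msg["op"] != 2 or mtype not in ("OFFER", "ACK", "NAK"):
        return {"type": mtype, "server": None, "rogue": False}   # client->server: ignore
    sid_raw = msg["options"].get(54)
    server = str(ipaddress.IPv4Address(sid_raw)) if sid_raw else None
    return {"type": mtype, "server": server, "client": msg["yiaddr"],
            "rogue": server not in authorized_servers}


def build_offer(xid: int, yiaddr: str, server_id: str, mtype: int = 2) -> bytes:
    """Build a constructed server->client DHCP message for exercising the detector."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0x8000)   # op=2 (BOOTREPLY)
    header += b"\x00" * 4                                        # ciaddr
    header += ipaddress.IPv4Address(yiaddr).packed               # yiaddr
    header += ipaddress.IPv4Address(server_id).packed            # siaddr
    header += b"\x00" * 4                                        # giaddr
    header += bytes.fromhex("001122334455") + b"\x00" * 10       # chaddr (16 bytes, constructed MAC)
    header += b"\x00" * 192                                      # sname (64) + file (128)
    options = (b"\x35\x01" + bytes([mtype])                      # 53: message type
               + b"\x36\x04" + ipaddress.IPv4Address(server_id).packed   # 54: server identifier
               + b"\x33\x04" + struct.pack("!I", 86400)         # 51: lease time (1 day)
               + b"\xff")                                        # end
    return header + MAGIC_COOKIE + options


AUTHORIZED = {"10.0.0.10", "10.0.0.11"}   # constructed allow list of the organization's DHCP servers

if __name__ == "__main__":
    for pkt in (build_offer(0x1234, "10.0.0.50", "10.0.0.10"),
                build_offer(0x1235, "10.0.0.99", "10.0.0.200")):
        print(check_offer(pkt, AUTHORIZED))
```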

Guidelines for Designing DHCP Infrastructure

Key Points
Consider the following guidelines when designing DHCP infrastructure:
- Virtualize DHCP servers as part of a server consolidation effort. They have low resource utilization.
- Use the internal virtual DHCP server where appropriate on virtualized networks.
- Plan a combined DHCP infrastructure based on network characteristics such as WAN links and their reliability.
- Make DHCP a high availability service in your organization to ensure that clients are able to access network resources.
- Limit each DHCP server to no more than a thousand scopes in centralized and combined DHCP infrastructures.

Lesson 3

Designing DHCP Configuration Options

When a DHCP scope is configured, there are a number of configuration options. Understanding how lease lengths, superscopes, reservations, and DHCP class-level options can be used will simplify management of your DHCP infrastructure.

Options for Determining a Lease Length

Key Points
The considerations when determining lease length are:
- Network traffic. When lease lengths are short, additional network traffic is generated as clients renew their leases more often. In most networks, the traffic generated by DHCP requests is minimal and unlikely to affect performance. However, this may be a concern when using a centralized infrastructure over WAN links.
- Address reuse. Roaming clients such as laptops obtain an IP address that cannot be reused by other clients until the lease is over. In a situation with a high number of roaming clients, this can result in a large address space being depleted quickly even if the addresses are no longer actively being used.
- Change. If clients have long leases, it may be more difficult to change IP address configuration and DHCP options. For example, a computer with a 60-day lease may keep that information for 60 days without being updated. Typically, however, new addressing information is obtained when a renewal is attempted at half the lease length.

Superscopes in DHCP Infrastructure

Key Points
Superscopes are relevant only when a single physical network segment has multiple subnets on it. This can occur when a physical location has added clients and expanded beyond the number of addresses available in a single subnet. If IP addressing has not been assigned appropriately, it may not be possible to supernet the two address ranges, and they must be managed as two separate networks. In this scenario, a DHCP server is configured with a scope for each subnet, and then the scopes are combined into a single superscope. This configures the DHCP server to recognize that both scopes are on a single physical segment. Without a superscope, the DHCP server would send a lease offer for each scope. With a superscope in place, only a single lease offer is sent.

Using Reservations in DHCP Infrastructure

Key Points
DHCP reservations are used to assign the same IP address to a device each time it leases an address from DHCP. In the reservation, the MAC address of the device is used to identify the device. Reservations are an alternative to using static IP addresses for devices. Reservations are also easier to manage than static IP addresses because you do not need to physically visit the device being configured to make a change; you just change the reservation, and the device is updated with the new IP configuration information during the next lease renewal.

DHCP Class-Level Options

Key Points
When planning, you need to determine if you will use option classes in your enterprise. You use option classes to provide unique configurations to specific types of client computers. The Windows Server 2008 implementation of DHCP supports two types of option classes: vendor-defined classes and user-defined classes.

A DHCP client can use vendor-defined option classes to identify its vendor type and configuration to the DHCP server when obtaining a lease. The client must include the vendor class ID option (option code 60) when it requests or selects a lease from a DHCP server.

User-defined classes identify a DHCP client by its type. A client type refers to characteristics such as a dial-up connection or a portable computer. You configure user-defined classes to manage DHCP options that you want to assign to clients that require a common configuration.

Lesson 4

Designing an IPv6 Addressing Scheme

IPv6 is a new version of IP that is meant to replace IPv4. Eventually, networks and the Internet will move over to IPv6 addressing. To design IPv6 addressing in your environment, you must understand IPv6 addressing and how autoconfiguration can be performed.

Benefits of IPv6

Key Points
IPv6 provides the following benefits:
- A larger address space, which ensures that devices can have a public IPv6 address.
- Hierarchical design of networks, which results in greater routing efficiency for Internet routers.
- Support for IPSec is part of IPv6 and does not rely on additional software being installed on hosts.
- Quality of service support is built into IPv6 and does not rely on additional software being installed on hosts.
- Stateless address configuration, which lets an IPv6 host obtain an address from any router rather than from a DHCP server or static configuration.
- A new extensible header format, which minimizes overhead by reducing packet header size for better performance.
- Neighbor Discovery using multicasts, which replaces ARP broadcasts and increases overall network efficiency.

For more information, see "Introduction to IP Version 6".

IPv6 Address Types

Key Points
IPv6 has some significant changes in terminology and functionality from IPv4. In particular, there are many different unicast address types:
- Global unicast addresses are equivalent to public IPv4 addresses and are routable on the IPv6 Internet.
- Link-local unicast addresses are automatically generated by each host for communication only on the local subnet, similar to an APIPA IPv4 address.
- Unique local unicast addresses are equivalent to private IPv4 addresses. They are allocated for internal use.
- Site-local unicast addresses are similar in functionality to unique local unicast addresses but are more difficult to configure. They have been deprecated.
- Multicast addresses continue to be used in IPv6, but are used more extensively and have an additional scope option to control how many routers will forward a multicast.
- Anycast addresses are a new address type that does not exist in IPv4. When a unicast address is assigned to multiple hosts, it becomes an anycast address. When communication is sent to an anycast address, only the closest host with that address responds.

IPv6 Unicast Address Structure

Key Points
The last 64 bits of an IPv6 address are always a unique host identifier. The host identifier is based on the hardware address of the network card. This replaces the host portion of an IPv4 address. When global unicast addresses are used, an organization is assigned a unique global routing prefix. Sixteen bits are available for subnetting, which allows for up to 65,536 subnets. It is possible for the Internet Service Provider (ISP) to be the organization and companies to be allocated a portion of the ISP subnet.

Unique local addresses require organizations to select a single global ID and then use 16 bits for subnetting. The global ID should be randomly generated. Then, if multiple organizations merge, there will likely be no conflict and routing can be performed between them. This is a significant improvement over IPv4 private networks, which often conflicted during mergers.

IPv6 Address Autoconfiguration Options

IPv6 addresses can be assigned statically or dynamically through autoconfiguration. Autoconfiguration can be stateful, stateless, or a combination of the two.

Stateless configuration allows hosts to create an IPv6 address by using a network identifier provided by the local router in a router advertisement. This method provides some IP configuration settings, such as the MTU, but does not provide other common options, such as DNS servers.

Stateful configuration is typically performed with DHCPv6. An IPv6 address is obtained from the DHCPv6 server and can include options such as a DNS server.

Stateless and stateful configuration can be combined. When combined, stateless configuration is used to provide the IPv6 address and stateful configuration is used to provide additional options such as a DNS server.

Note: It is practical to use stateless configuration to configure the IPv6 address of servers because the host portion of the address will not change and the server will retain a consistent IPv6 address over time.


IPv6 Address Autoconfiguration Process


Key Points
The first step in autoconfiguration is a link-local address being derived and verified for uniqueness. If this address is not unique, then autoconfiguration stops, because this address is used during further configuration. The IPv6 client then attempts to obtain stateless configuration information from a router by using router advertisements. Stateful configuration from DHCPv6 will be requested if:
• A router is not able to provide stateless configuration or is not available.
• The router advertisement is set by an administrator to instruct the computer to obtain a stateful address.
• The router advertisement is configured by an administrator to instruct the computer to obtain configuration settings by using a stateful address configuration protocol.
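The steps above, modelled as an added Python example that is not part of the course: the host derives its link-local address from the hardware address (EUI-64 form, assumed here to illustrate the hardware-based host identifier), runs duplicate address detection against a constructed set of addresses already on the link, and then uses the router advertisement's prefixes and M/O flags to decide what, if anything, it asks DHCPv6 for. The RouterAdvertisement and AutoconfResult classes are constructed for this model, not packet parsers.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


@dataclass
class RouterAdvertisement:
    """The fields of a router advertisement this model looks at (constructed)."""
    prefixes: List[str] = field(default_factory=list)  # on-link /64 prefixes for stateless configuration
    managed: bool = False        # M flag: obtain the address from DHCPv6 (stateful)
    other_config: bool = False   # O flag: obtain other options, such as DNS, from DHCPv6
    mtu: Optional[int] = None    # an RA can carry the link MTU, but never DNS servers


@dataclass
class AutoconfResult:
    link_local: Optional[str]
    addresses: List[str]
    dhcpv6: str            # "none", "options-only" or "address+options"
    mtu: Optional[int]
    stopped: bool          # True when duplicate address detection failed


def eui64_interface_id(mac: str) -> int:
    """Derive the 64-bit host identifier from a 48-bit MAC: flip the
    universal/local bit and insert FF:FE in the middle."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(eui, "big")


def address_in(prefix: ipaddress.IPv6Network, interface_id: int) -> str:
    """Combine a /64 network identifier with the host identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(prefix.network_address) | interface_id))


def autoconfigure(mac: str, in_use_on_link: Set[str],
                  ra: Optional[RouterAdvertisement]) -> AutoconfResult:
    """Walk the autoconfiguration steps in order. in_use_on_link stands in
    for the neighbours that would answer a duplicate address detection probe."""
    iid = eui64_interface_id(mac)
    link_local = address_in(LINK_LOCAL, iid)
    # Step 1: duplicate address detection. A duplicate link-local address
    # stops everything, because the later steps are performed from it.
    if link_local in in_use_on_link:
        return AutoconfResult(None, [], "none", None, stopped=True)
    # Step 2: no router available -> stateful DHCPv6 for address and options.
    if ra is None:
        return AutoconfResult(link_local, [], "address+options", None, stopped=False)
    # Step 3a: M flag set by the administrator, or a router that advertises
    # no usable prefix -> stateful DHCPv6 for the address (and options).
    if ra.managed or not ra.prefixes:
        return AutoconfResult(link_local, [], "address+options", ra.mtu, stopped=False)
    # Step 3b: stateless address from each advertised prefix; the O flag
    # selects the combined mode where only options come from DHCPv6.
    addresses = [address_in(ipaddress.IPv6Network(p), iid) for p in ra.prefixes]
    dhcpv6 = "options-only" if ra.other_config else "none"
    return AutoconfResult(link_local, addresses, dhcpv6, ra.mtu, stopped=False)


if __name__ == "__main__":
    mac = "00-1D-7D-AA-BB-CC"  # constructed sample MAC
    ra = RouterAdvertisement(prefixes=["2001:db8:1:2::/64"], other_config=True, mtu=1500)
    print(autoconfigure(mac, set(), ra))
    print(autoconfigure(mac, set(), None))
    print(autoconfigure(mac, {"fe80::21d:7dff:feaa:bbcc"}, ra))
```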


Guidelines for Designing an IPv6 Addressing Scheme

Key Points
Consider the following guidelines when designing an IPv6 addressing scheme:
• Many older applications do not support IPv6, so you must plan to update those applications for IPv6, or maintain IPv4 support.
• Use a hierarchical design for routing, to simplify router configuration.
• If you want to communicate on the IPv6 Internet, you should obtain a global unicast IPv6 address.
• Do not use the global ID of a unique local address for subnetting because it increases the chance of non-unique global IDs when organizations merge.
• Randomly generate the global ID of a unique local address to minimize the chance of non-unique global IDs when organizations merge.


• Use stateless autoconfiguration to simplify IPv6 address configuration for both clients and servers.
• Use DHCPv6 in combination with stateless autoconfiguration to assign additional configuration options such as DNS servers.


Lesson 5

Designing an IPv6 Transition

The transition from IPv4 to IPv6 must be carefully planned to ensure that all services remain available. You can use IPv4 and IPv6 at the same time. Additionally, you can use ISATAP, 6to4, and Teredo to provide IPv6 connectivity over IPv4 networks. The options you choose for interoperability must be based on your specific situation.


What Is Dual Layer IPv4 and IPv6?

Key Points
Using IPv4 and IPv6 at the same time allows hosts to access services regardless of whether the service is using IPv4 or IPv6. This is very easy to implement and has low risk because you are not removing functionality from the network, just providing additional functionality. The main drawback to this method is that both IPv4 and IPv6 must be routed through the entire network to be effective. Dual layer itself provides no method for tunneling IPv6 packets over an IPv4 network such as the Internet. However, tunneling functionality can be added with other technologies such as ISATAP, 6to4, or Teredo. Windows Vista and Windows Server 2008 both have IPv6 and IPv4 enabled by default. For Windows Server 2003 and Windows XP, IPv6 must be installed as additional software.


What Is ISATAP?

Key Points
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is a tunneling technology for unicast IPv6 traffic over an IPv4 internal network. This can be used to allow IPv6 applications to communicate over an IPv4 network. It can also be used to allow an IPv6/IPv4 host to communicate with an IPv6-only network by using an ISATAP router that performs the tunneling for the IPv6-only network. On Windows Vista and Windows Server 2008 computers, ISATAP is enabled by default. If an ISATAP router is part of the infrastructure, then a host record for ISATAP must be configured in DNS.


This technology is not suitable for use over the Internet.

For more information, see "IPv6 Transition Technologies" and "Manageable Transition to IPv6 using ISATAP".


What Is 6to4?

Key Points
6to4 is a tunneling technology for unicast IPv6 traffic over the IPv4 Internet. This can be used to provide site-to-site connectivity over the IPv4 Internet. It can also be used to allow IPv6/IPv4 hosts to communicate with the IPv6 Internet. The main drawback of this technology is that it is not suitable for hosts behind a firewall performing NAT. This is a problem that affects the majority of IPv4 hosts with connectivity to the IPv4 Internet. On Windows Vista and Windows Server 2008 computers, 6to4 is enabled by default.

For more information, see "IPv6 Transition Technologies".


What Is Teredo?

Key Points
Teredo is a tunneling technology for unicast IPv6 traffic over the IPv4 Internet between two hosts. This can be used to provide host-to-host connectivity over the IPv4 Internet even when both hosts are behind firewalls performing NAT. A Teredo server on the Internet is used to set up the communication process. Teredo is not enabled by default on Windows Server 2008, but is enabled by default on Windows Vista. However, Windows Firewall rules on Windows Vista must be configured to allow Teredo connectivity. In many cases, the application installation will perform the necessary configuration of Windows Firewall rules. The combination of ISATAP and 6to4 is preferred whenever possible because it is more efficient and can provide site-based connectivity.


For more information, see "Teredo Overview" and "IPv6 Transition Technologies".
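Each of the three tunneling technologies in this lesson (ISATAP, 6to4 and Teredo) embeds IPv4 information inside the IPv6 addresses it uses, which is what lets an administrator recognise tunneled traffic in firewall, DNS or connection logs. The following added example, not part of the course, classifies an IPv6 address as 6to4, Teredo, ISATAP or native and extracts the IPv4 endpoints that actually carry the traffic; the address layouts follow RFC 3056, RFC 4380 and RFC 5214, and the sample addresses are constructed (the Teredo one is the RFC 4380 worked example).

```python
import ipaddress
from typing import Dict, List, Tuple

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")      # 2001:0000::/32
MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1


def _v4(value: int) -> str:
    """Render the low 32 bits of value as a dotted IPv4 address."""
    return str(ipaddress.IPv4Address(value & MASK32))


def classify(addr: str) -> Tuple[str, Dict[str, object]]:
    """Return (kind, details) with kind one of 6to4, teredo, isatap, native."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a in SIX_TO_FOUR:
        # 2002:WWXX:YYZZ::/48 -> the site's public IPv4 address W.X.Y.Z in bits 16..47
        return "6to4", {"site_ipv4": _v4(n >> 80)}
    if a in TEREDO:
        # 2001:0000:<server v4>:<flags>:<port ^ 0xFFFF>:<client v4 ^ 0xFFFFFFFF>
        # Port and client address are stored inverted so NATs do not rewrite them.
        flags = (n >> 48) & 0xFFFF
        return "teredo", {
            "server_ipv4": _v4(n >> 64),
            "client_ipv4": _v4((n & MASK32) ^ MASK32),
            "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
            "cone_flag": bool(flags & 0x8000),
        }
    iid = n & MASK64
    # ISATAP interface ID: 0000:5EFE:<v4>, or 0200:5EFE:<v4> when the u/l bit is set.
    # It can sit under any /64, including link-local and global prefixes.
    if ((iid >> 32) & 0xFDFFFFFF) == 0x00005EFE:
        prefix = ipaddress.IPv6Network(((n >> 64) << 64, 64))
        return "isatap", {"host_ipv4": _v4(iid), "prefix": str(prefix)}
    return "native", {}


def tunneled_peers(addresses: List[str]) -> List[Tuple[str, str, str]]:
    """Reduce observed IPv6 addresses to (address, kind, underlying IPv4 endpoint);
    native IPv6 addresses are skipped."""
    out = []
    for addr in addresses:
        kind, d = classify(addr)
        if kind == "6to4":
            out.append((addr, kind, str(d["site_ipv4"])))
        elif kind == "teredo":
            out.append((addr, kind, str(d["client_ipv4"])))
        elif kind == "isatap":
            out.append((addr, kind, str(d["host_ipv4"])))
    return out


if __name__ == "__main__":
    # Constructed sample of addresses as they might appear in a connection log.
    sample = [
        "2002:c000:204::1",                         # 6to4 site 192.0.2.4
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",     # Teredo client 192.0.2.45:40000
        "fe80::5efe:c000:201",                      # ISATAP host 192.0.2.1
        "2001:db8::1",                              # native IPv6
    ]
    for row in tunneled_peers(sample):
        print(row)
```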


Process for Transitioning to IPv6

Key Points
The migration from IPv4 to IPv6 is expected to take a considerable amount of time. As a result, the IPv6 transition plan is a multistep process that allows for extended coexistence. The process for transitioning to IPv6 is:
• Applications must be updated to use an Application Programming Interface (API) that is not specific to IPv4 or IPv6. Earlier Windows applications use an API that is specific to IPv4.
• DNS servers must be updated to support IPv6 host records and pointer (PTR) records. You must also ensure that all necessary IPv6 host records are created.
• Hosts must be upgraded to use both IPv4 and IPv6 before they can access any IPv6 services. At this point, you can also begin to use tunneling technologies such as ISATAP, 6to4, and Teredo.


• Upgrade the routing infrastructure for native IPv6 routing. This provides IPv6 connectivity within your organization without using the tunneling technologies to traverse IPv4 networks.
• After all necessary components have been updated, including applications, IPv4 can be removed from the hosts.

For more information, see "IPv6 Guide for Windows Sockets Applications".


Guidelines for Designing an IPv6 Transition

Key Points
Consider the following guidelines when designing an IPv6 transition:
• Use both IPv4 and IPv6 throughout your entire network to avoid the need to introduce tunneling technologies.
• Use Teredo for your transition only if ISATAP and 6to4 do not meet your needs. Teredo provides only host-to-host connectivity rather than site-based connectivity, which is more efficient in most corporate environments.
• Ensure that tunneled packets have the Don't Fragment flag set to 0. This ensures that, if necessary, the packets can be fragmented by routers when the MTU size varies between networks.
• Ensure that IPv6 hosts have host records configured in DNS. In some cases, the necessary host records may not be created automatically by dynamic DNS.


• Remember that IPv6 addresses are generally preferred over IPv4 addresses. This can cause unexpected routing when tunneling technologies are used.

For more information, see "Source and Destination Address Selection for IPv6".


Lab: Designing IP Addressing in Windows Server 2008

Scenario
Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the IP addressing for segments within the enterprise. Woodgrove Bank has expanded significantly since the company implemented Windows Server 2008. The company has expanded to different countries located in different regions of the world, and has acquired several subsidiaries. As a result, you are re-evaluating IP addressing for the entire organization. There are three divisions in Woodgrove Bank for different regions of the world. The three regions are North America, Europe, and Asia. The first part of the network to be redesigned is the North America region. The changes in North America will be used as a template for adding additional branches and integrating newly acquired companies.


Exercise 1: Designing an IPv4 Addressing Scheme


You must design an IPv4 addressing scheme for Woodgrove Bank that takes into account the number of hosts in each location. The following documents provide the information you need to complete the design:
• M3_NANetwork.png
• M3_NetworkConnectivity.doc
• M3_LocationDetails.doc

The main tasks for this exercise are:
1. Determine the number of external addresses required.
2. Determine an internal IPv4 addressing scheme for locations.

Task 1: Determine the number of external addresses required.


1. Which resources require public IPv4 addresses?
2. How many public IPv4 addresses are required?
3. How will you obtain the necessary public IP addresses?

Task 2: Determine an internal IPv4 addressing scheme for locations.


1. Which internal network address will you use?
2. Which subnet mask will you use for branch offices?
3. Which subnet mask will you use for hub sites?
4. Which subnet mask will you use for the North America division?
5. List the networks and subnet masks used by each hub site.
6. List the networks and subnet masks used by the New York hub site internally, and for branches.


Exercise 2: Designing a DHCP Implementation


You must design a DHCP implementation that meets the needs of Woodgrove Bank in North America. Use the following criteria for your planning:
• Hub sites must have some form of high availability for DHCP.
• The number of DHCP servers should be minimized to simplify administration.
• All client applications are centralized in hub sites by using Terminal Services.

The main task for this exercise is:
1. Design a DHCP implementation.

Task 1: Design a DHCP implementation.


1. How should DHCP clients in branch offices obtain an IP address?
2. How will you provide high availability for DHCP in the hub sites?
3. How many scopes need to be configured on the DHCP servers in the hub site?

Exercise 3: Designing an IPv6 Addressing Scheme


Woodgrove Bank is implementing a new Voice-over-IP (VoIP) phone system that will integrate with the messaging system to provide unified communications. The selected phone system uses IPv6 rather than IPv4. You must design an IPv6 addressing scheme and determine how IPv6 will be implemented.

The main tasks for this exercise are:
1. Design an IPv6 addressing scheme.
2. Design an IPv6 implementation.

Task 1: Design an IPv6 addressing scheme.


1. Which internal network address will you use?
2. Which network address will you use for the North America division?
3. Which network addresses will you use for hub sites?
4. Which network addresses will you use for branch offices?

Task 2: Design an IPv6 implementation.


1. What IPv6 transition method will you use?
2. What process will you follow when implementing IPv6?

Designing Routing and Switching Requirements

4-1

Module 4
Designing Routing and Switching Requirements
Contents
Lesson 1: Preparing for Designing a Network Routing Topology   4-3
Lesson 2: Selecting Network Devices   4-8
Lesson 3: Designing Internet Connectivity and Perimeter Networks   4-16
Lesson 4: Designing Routing Communications   4-25
Lesson 5: Evaluating Network Performance   4-32
Lesson 6: Quality of Service   4-40
Lab: Designing Routing and Switching   4-47


Module Overview

The design of routing and switching affects the performance and security of a network. To ensure an acceptable design, you must first gather the appropriate information required to create the design. Then you can select the appropriate network devices and their configuration. You must also evaluate network performance to ensure that no changes are required.


Lesson 1

Preparing for Designing a Network Routing Topology

When designing a network routing topology, you must first understand the requirements of your organization. You need to understand both connectivity and security requirements.


Connectivity Requirements

Key Points
As you map the details of Local Area Network (LAN) and Wide Area Network (WAN) links on a physical network diagram, consider your organization's current connections and usage statistics. Use this information to determine whether the existing connections meet your business needs for Active Directory, other network applications, and future growth. Also consider the requirements of your organization for network availability, performance, security, fault tolerance, and disaster recovery.

For connectivity, consider:

Connectivity Type    Considerations
Local                Wireless; Security
Remote               WAN links; Bandwidth requirements; Dial-up
Internet             Points of connectivity; VPN for sites or roaming users

For more information, see "Microsoft Solutions Framework", "Microsoft Solutions Framework version 3.0 Overview", and "Microsoft Solutions Framework Core Whitepapers".


Security Requirements

Key Points
Before Internet connectivity became common, an organization's network often maintained a single connection to a public network. Today, Internet access, remote access, and branch office connectivity have become vital to the operation of an organization. As requirements for connectivity increase, so does the difficulty of managing network connection security and the risk that information and computers might be exposed to threats and attacks. When designing for network connectivity, identify all internal and external threats to data transmission. You can then design your network connectivity to overcome these threats and thereby meet the security requirements of your organization.


Discussion: Gathering Data for Designing Network Connectivity

Your classroom discussion will include what data needs to be gathered for designing network connectivity.


Lesson 2

Selecting Network Devices

As part of the routing and switching design, you must select the appropriate network devices to meet organizational needs. You need to be aware of the various types of network devices that are available and how they manage network traffic. Virtual local area networks (VLANs) are an important consideration for LANs.


Types of Network Devices

Key Points
The most commonly used network devices are routers and switches. Traditional switches operate at layer 2 of the Open Systems Interconnect (OSI) model and control network communication based on the physical hardware addresses in the frames. Switches also support full duplex communication, which allows hosts to send and receive data at the same time without causing a collision. Routers are used to control communication between physical locations and between security zones. On enterprise networks, most switches are layer 3 capable and can provide basic routing capabilities.

Hubs are an older technology that is not used in modern networks. Hubs have been replaced by switches. Bridges are another older technology that is similar to switches. Bridges are still sometimes used to control communication between physical locations when routing is not used.


Reasons for Using Routers

Key Points
Traditionally, routers were placed at the edges of networks and were used to connect dissimilar LANs over long distances. However, it has become common to place additional routers in the center of networks to create smaller, connected networks with multiple broadcast domains. It is more beneficial to use a router than a switch for the following purposes:
• Connecting a branch office network to the corporate network
• Segmenting a large network into smaller sections to improve performance and security
• Connecting a large network to a WAN


Types of Network Domains

Key Points
Nodes in a shared environment can collide with each other when attempting to transmit at the same time. When a collision happens, all nodes in the segment detect it, thus the term, collision domain. All nodes in a shared or repeated network segment are in the same collision domain. However, collisions do not traverse a bridge or a switch, so a switch forms an edge or border of a collision domain. The area of a network that a broadcast frame can reach is known as a broadcast domain. Bridges and switches, which operate at Layer 2, are invisible to broadcast frames and automatically forward all broadcast traffic that is received. Therefore, a switch does not form a border or an edge of a broadcast domain. To form a border, you need a Layer 3 device such as a router or a Layer 3 switch.


Benefits of Layer 3 Switches

Key Points
Layer 3 switches have the following important features:
• Routing performed in hardware (application-specific integrated circuit [ASIC] chips) for very fast performance (near wire speed) with minimal latency (less than 10 microseconds for 100 Mbps)
• Substantially cheaper price per port than routers of similar performance
• Very simple implementation, focused primarily on LAN-based IP or IPX routing
• Support for Quality of Service (QoS), which allows you to ensure that critical applications have the necessary bandwidth through the network

Today's Layer 3 switches are used primarily to interconnect virtual LANs (VLANs) or to subdivide larger LANs into smaller broadcast domains. Layer 3 switches are replacing expensive LAN routers on the enterprise backbone.


Virtual LANs

Key Points
A VLAN is a LAN whose broadcast domain is created artificially through the switch configuration. The LAN members do not need to be physically connected to the same switch or even to be located in the same physical area. Nodes configured in the same VLAN function as though they are connected to the same physical switch, even if they are not.


The most significant benefits of VLANs are that they:
• Provide more bandwidth, because broadcasts are isolated.
• Remove network physical limitations. The resources and workstations can be in different buildings, yet can still be members of the same VLAN.
• Can replace segmentation routers. VLANs can perform the same function as segmentation routers (broadcast containment), yet VLANs are cheaper and easier to configure.
• Provide multicast containment, thereby increasing available bandwidth.
• Are easier to administer than a physical LAN.

Note: VLANs can be based on physical ports or other characteristics such as network protocol or device hardware address.


Discussion: Considerations for Selecting an Appropriate Network Device

Your classroom discussion will include considerations for selecting an appropriate network device.


Lesson 3

Designing Internet Connectivity and Perimeter Networks

Internet connectivity is a critical part of corporate networks. Connectivity to the Internet is required for communication with customers and external partners. You must determine how internal users will gain access to the Internet, and how to provide access to applications over the Internet.


Internet Connectivity Requirements

Key Points
To select an Internet connectivity solution, you must determine your business needs. These needs can include:
• A scalable solution that can be expanded for more users as required.
• A fault tolerant solution that has high availability.
• Filtering based on specific IP ports, protocols, or applications.
• Access control based on users, groups, or IP addresses.
• Bandwidth control to ensure that critical applications have enough bandwidth.
• Time of day scheduling rules to control user access or application access.
• Additional security services such as antivirus or antiphishing software, and site blocking.
• Monitoring tools to report on user access and bandwidth usage.
• Support for all necessary applications, such as VPN protocols.


Network Address Translation for Internet Connectivity

Key Points
Network Address Translation (NAT) allows an organization to use private IPv4 addresses internally and share a single public IPv4 address on the Internet. NAT is an appropriate solution for Internet connectivity when:
• All required applications are supported by NAT.
• The organization is using private IP addresses.
• User specific restrictions are not required.

Note: You can use port redirection to provide external access to specific internal resources when using NAT.


Internet Security and Acceleration for Internet Connectivity

Key Points
If your enterprise requires additional security and functionality, you might want to choose a proxy server. Like NAT, a proxy server allows multiple users to access the Internet by using a single, public IP address. However, typically, clients must be configured to use the proxy server.


Internet Security and Acceleration (ISA) Server is Microsoft's implementation of a proxy server and has the following features:
• Application traffic monitoring by inspection of packet contents to increase security
• Internet content caching to speed up access to Internet content for subsequent users accessing the same resource
• User-based control to limit which users can access the Internet

For more information, see "Microsoft Internet Security and Acceleration Server".


Strategies for Designing a Firewall

Key Points
There are many possible firewall configurations. The three most commonly used firewall configurations are:
• Bastion host. This firewall is used as the single point of contact between the internal network and the Internet. It is typically implemented on small networks to protect against attacks on resources on the internal network.
• Multi-homed firewall. This is a single firewall that contains multiple network adapters. One adapter is connected to the internal private network. A second adapter is connected to the Internet. The other adapters are connected to different perimeter networks that contain Web, e-mail, and other servers that will be accessed by users on the Internet. The multi-homed firewall uses different filters for traffic, depending on the network for which the traffic is destined.
• Back-to-back firewalls. This configuration uses two firewalls to create a perimeter network, which is protected from the Internet by one firewall but is also separated from the internal network by another firewall. This configuration is often used for larger networks.


Strategies for Designing an Extranet

Key Points
The purpose of an extranet is to allow a supplier, vendor, business partner, or customer to access some or all of your private corporate data. Because most of these parties will not have a direct WAN connection to your corporate intranet, you must make arrangements for them to either dial up to your network, or more commonly, access your data over the Internet. The connectivity options are:
• A VPN can be used to provide site-to-site connectivity between partners over the Internet. It can be used to provide access to a large part of your network.
• Dial-up connectivity can be used to provide site-to-site connectivity between partners. However, dial-up is seldom used because of its slow communication speed.
• A secure Web server can be used to provide access to a Web application or a subset of data. Communication, including authentication, is secured by using SSL.
• RPC over HTTP can be used to provide access to a specific RPC-based application over the Internet. Communication is secured by using Secure Sockets Layer (SSL).
• Terminal Services can be used to provide access to a specific application or applications, and their associated data. Communication is secured by Terminal Services and the remote desktop client.
• Active Directory Federation Services (ADFS) is used to provide Active Directory authentication to Web-based applications in perimeter networks or hosted at third party locations. The communication process used by ADFS properly traverses firewalls.


Discussion: Guidelines for Designing Internet Connectivity

Your classroom discussion will include guidelines for designing Internet connectivity.


Lesson 4

Designing Routing Communications

When you design routing communications you must look at several factors. One factor you must consider is the connection method being used between WAN locations. Then you can consider which routing protocol you will use. Finally you can use packet filters on routers to create security zones within your network. If you have chosen to use a site-to-site VPN tunnel, you must determine which type of tunnel to use.


Determining Connection Methods

Key Points
A leased line is a continuously open connection that is available for an annual fixed fee. This type of connection is typically used when a company's network usage is intensive. Because leased lines are dedicated point-to-point connections, using them can be more secure than sending data into a point-to-multipoint network mesh.

Tunneling is the transmission of internal private network data over a public network. Data is encrypted while it traverses the public network. This is less expensive than leased lines, but does not provide a guarantee of service quality.

Demand-dial connections are dial-up or Virtual Private Network (VPN) connections that are initiated automatically. On-demand connections are initiated when there is data to be sent; these connections disconnect after a specified idle time. This is appropriate when you are charged for your connection based on time used. Persistent demand-dial connections do not automatically disconnect based on idle time, but if a connection breaks, they reconnect immediately. A persistent connection is only appropriate when you are not charged for the time the connection is up, such as a VPN over the Internet.


Selecting a Routing Protocol

Key Points
When designing routing, you must select between static and dynamic routing. If you use dynamic routing, you must also select a routing protocol to control how routes are updated and calculated. Static routing requires you to manually update the routers whenever there are changes. This is typically done only for smaller organizations with simple routing tables. A larger organization with a limited number of routing table changes may also select static routing. Dynamic routing allows routers to automatically exchange routing information without administrator intervention. This makes routing tables easier to maintain for larger organizations. When Windows Server 2008 is configured as a router, the only dynamic routing protocol supported is Routing Information Protocol (RIP) version 2.

Note: Windows 2000 Server and Windows Server 2003 also supported the Open Shortest Path First (OSPF) dynamic routing protocol. You must plan for removal of OSPF if Windows routers are upgraded to Windows Server 2008.


Using Packet Filters to Create Security Zones

Key Points
Packet filtering is a security measure that you implement at the network layer. An IP router can provide the ability to allow or disallow the forwarding of specific types of IP traffic. By using IP packet filters, you can intercept and either allow or block packets destined for specific computers on your corporate network. By configuring packet filters on routers, you can support the creation of security zones. A router with configured packet filters acts as a firewall. When Windows Server 2008 is configured as a router, the filters used by Windows Firewall do not affect routing. Separate stateless packet filters are configured by using the Routing and Remote Access administrative tool or Netsh.

For more information, see "RAS Server in LHS: Which one to use Windows firewall or RRAS filters".


Selecting a Site-to-Site VPN Tunnel

Key Points
The primary benefit of using a VPN tunnel over the Internet, instead of leased lines, is cost. A Windows Server 2008 router can use Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol/Internet Protocol Security (L2TP/IPSec), or IPSec as the tunnel type. Other routing vendors may offer additional options specific to their products.

PPTP is a protocol for which almost all routers support passthrough. It provides user-based authentication only and supports non-IP protocols. It is considered less secure than IPSec-based encryption.

L2TP/IPSec encapsulates data packets in an L2TP packet, which is then encapsulated in an IPSec packet. L2TP provides user-based authentication and IPSec provides computer-based authentication. IPSec authentication is more complex to implement than the simple username and password required by PPTP.

IPSec in tunnel mode provides the same level of encryption as L2TP/IPSec. However, it does not use user-based authentication. Only computer-based authentication is used. In addition, only IP protocols are supported. Other protocols such as Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) cannot be used.

Note: For IPSec to traverse NAT, IPSec NAT Traversal (NAT-T) must be used. For more information about IPSec NAT-T, see The Cable Guy August 2002 at http://technet.microsoft.com/en-us/library/bb878090.aspx.


Guidelines for Planning Router Connectivity

Key Points
When planning router connectivity, consider the following guidelines:
• You first need to determine if you will be using leased lines, tunneling, demand-dial routing, or an on-demand connection.
• If leased lines are not used, you need to select a tunneling option that meets your needs for security.
• Select a routing protocol that meets the needs of your organization. Windows Server 2008 supports only static routing and Routing Information Protocol (RIP) when configured as a router.
• Determine the appropriate filters to configure on your routers, to control communication between security zones.

Lesson 5

Evaluating Network Performance

Evaluating network performance is an important part of designing a network infrastructure. Evaluation needs to be done before the design process begins, and also during implementation and after implementation. Only through the monitoring and evaluating of network performance can you determine whether your network design has been successful.

Factors Affecting Network Performance

Key Points
Networks may have limitations on the amount of data that they can transfer in a given time period. When planning a network infrastructure, you need to be aware of the factors that can affect network performance:
• Bandwidth is the maximum amount of data that can travel a communication path in a given time period.
• Latency is the amount of time that it takes a packet to travel from the source to the destination.
• Throughput is the data transfer rate that is achieved by combining the effects of bandwidth and latency.
• Wire speed is the actual speed of the data transmission over the cable after a transmission has started.
• Utilization is the percentage of time that the wire is occupied and includes both successful and unsuccessful frame transmission.
• Jitter is variable delay on a network.
• Jabber is a continuous stream of random data transmitted over a network as the result of a malfunction.
• A bottleneck is a delay that occurs when one part of a network is slower than the others and thus hinders overall throughput.
• Collisions are frames that were not sent successfully on a shared medium because the senders tried to send frames at the same time.
• Efficiency is the percentage of the actual data contained in a frame compared to the total frame length.
• Frame rate represents the number of frames sent per second. More frames result in more overhead and lower efficiency.

Tools for Evaluating Network Performance

Key Points
Many tools are available to help you measure network load and determine network utilization. Some of these tools, such as software-based traffic monitoring tools and protocol analyzers, are free. Others, such as handheld diagnostics tools, offer greater convenience and portability. The specific network monitoring tool that you select will be based on the specific needs of your organization. For example, a large enterprise will typically use a network monitoring tool that provides centralized management and monitoring, and gathers historical trends. A smaller organization may only perform network monitoring for troubleshooting.

Some specific Microsoft tools for monitoring network performance are:
• Network Monitor 3
• Reliability and Performance Monitor
• System Center Operations Manager

Network Upgrade Considerations

Key Points
When upgrading a network, consider the following:
• Utilization statistics must be gathered at various times to provide an accurate picture of the overall utilization.
• Traffic sources must be understood so that the consequences of reorganization can be predicted accurately.
• Future growth must be planned for, to avoid costly future reorganizations.
• Select target utilization rates for all network links. This allows you to identify future concerns when monitoring.
• Carefully plan and study the impact of any planned changes to avoid unexpected degradations in network performance.

Recommended Ethernet Utilization Guidelines

Key Points
When planning a network infrastructure, you need to determine the maximum amount of data that flows during peak periods when users access data and services. Knowing this peak traffic value enables you to select the correct network speed to maintain acceptable network throughput. The following are best practices for optimizing network throughput:
• Try to limit your shared Ethernets to no more than 50 percent average utilization and 80 percent peak utilization.
• Stay below 200 users for any shared LAN segment.
• A collision rate of up to 20 percent is acceptable.
• A switched connection can operate at up to 90 percent utilization because the connection does not have to be time-shared with other nodes.
• Full-duplex switched connections can operate at up to 95 percent utilization on each cable pair (send and receive) for a theoretical utilization of 190 percent.

Calculating Actual Data Throughput

Key Points
Actual data throughput is the amount of usable data that is delivered to the higher-level Layer 3 software. You can determine actual data throughput (ADT) in several ways. Because data is packaged in frames and packets that contain header information, you must subtract the bits used for overhead if you are trying to measure actual data throughput.

Actual data throughput = net utilization * efficiency * wire speed

Actual data throughput is less than wire speed because of inefficiency introduced by packet overhead and collisions. Your capacity to change packet overhead is limited, but you can reduce collisions by introducing switching or reducing hosts on a shared segment.
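As an added example that is not part of the course material, the following Windows PowerShell functions carry the Lesson 5 definitions through to numbers: efficiency as payload divided by total frame length, actual data throughput from the formula above, and a check of measured utilization against the recommended Ethernet ceilings from the previous topic. The function names, the sample measurements and the assumption that frame overhead is the 18 bytes of Ethernet header and FCS are this example's own.

```powershell
# Added example, not part of the course: Ethernet efficiency, actual data throughput
# and a check against the recommended utilization ceilings from Lesson 5.

function Get-EthernetEfficiency {
    # Efficiency = payload bytes / total frame length. The 18 bytes of overhead are the
    # 14-byte Ethernet header plus the 4-byte FCS; preamble and inter-frame gap are not
    # counted because they are not part of the frame (assumption of this example).
    param([Parameter(Mandatory=$true)][ValidateRange(46, 1500)][int]$PayloadBytes)
    $overheadBytes = 18
    return $PayloadBytes / ($PayloadBytes + $overheadBytes)
}

function Get-ActualDataThroughput {
    # Actual data throughput = net utilization * efficiency * wire speed (in Mbps)
    param(
        [Parameter(Mandatory=$true)][ValidateRange(0, 1)][double]$Utilization,
        [Parameter(Mandatory=$true)][double]$WireSpeedMbps,
        [int]$PayloadBytes = 1500
    )
    $efficiency = Get-EthernetEfficiency -PayloadBytes $PayloadBytes
    return [math]::Round($Utilization * $efficiency * $WireSpeedMbps, 2)
}

function Test-EthernetUtilization {
    # Compare measured utilization with the recommended ceilings:
    #   shared segment: 50 % average, 80 % peak, collision rate up to 20 %
    #   switched (half-duplex): 90 %; full-duplex switched: 95 % per cable pair
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Shared', 'Switched', 'FullDuplex')][string]$SegmentType,
        [Parameter(Mandatory=$true)][double]$AverageUtilization,
        [Parameter(Mandatory=$true)][double]$PeakUtilization,
        [double]$CollisionRate = 0
    )
    $issues = @()
    switch ($SegmentType) {
        'Shared' {
            if ($AverageUtilization -gt 0.50) { $issues += 'average utilization above 50 percent' }
            if ($PeakUtilization -gt 0.80)    { $issues += 'peak utilization above 80 percent' }
            if ($CollisionRate -gt 0.20)      { $issues += 'collision rate above 20 percent' }
        }
        'Switched'   { if ($PeakUtilization -gt 0.90) { $issues += 'utilization above 90 percent' } }
        'FullDuplex' { if ($PeakUtilization -gt 0.95) { $issues += 'utilization above 95 percent on a cable pair' } }
    }
    return New-Object PSObject -Property @{
        SegmentType      = $SegmentType
        WithinGuidelines = ($issues.Count -eq 0)
        Issues           = $issues
    }
}

# Constructed sample: a 100 Mbps shared segment measured at 55 % average and 85 % peak
# utilization with a 12 % collision rate, first with full-size frames, then with
# minimum-size frames to show how small frames lower efficiency
Get-ActualDataThroughput -Utilization 0.55 -WireSpeedMbps 100 -PayloadBytes 1500
Get-ActualDataThroughput -Utilization 0.55 -WireSpeedMbps 100 -PayloadBytes 46
Test-EthernetUtilization -SegmentType Shared -AverageUtilization 0.55 -PeakUtilization 0.85 -CollisionRate 0.12
```

The two throughput calls differ only in payload size, which is the efficiency term of the formula; the utilization check reports each guideline the sample segment exceeds so the figures feed directly into the upgrade decision described in the preceding topics.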

Discussion: Planning for Future Organizational Growth

Your classroom discussion will address planning for future organizational growth.

Lesson 6

Quality of Service

Quality of Service (QoS) is used to make sure that certain types of data packets have priority on the network. Windows uses QoS policies to deliver QoS configuration information to workstations and servers.

What Is Quality of Service?

Key Points
QoS for network communication is used to give specific network packets higher priority for delivery through the network than other packets. As each packet is created on the workstation or server, a Differentiated Services Code Point (DSCP) is embedded in the header of the packet. The DSCP value is read by routers during delivery, and the packet is given priority by routers based on the DSCP value. The Windows implementation of QoS also implements bandwidth throttling. This limits the bandwidth usage of an application and prevents that application from overwhelming the network.

A DSCP value or bandwidth throttling can be applied based on:
• Sending application. All network traffic generated by a specific executable is affected.
• Source or destination IPv4 or IPv6 address. All traffic that is sent to or sent from a specific host or network is affected.
• Protocol (TCP or UDP). All TCP or UDP traffic is affected.
• Source or destination port. All traffic that is sent from or sent to a particular TCP or UDP port is affected.

What Is a QoS Policy?

Key Points
A QoS policy is how QoS settings are applied to servers and client computers running Windows. The QoS policy is part of a Group Policy object. You cannot edit a QoS policy directly in the local security policy; it must be delivered by Group Policy. Within the QoS policy, you can define the DSCP value for specific network packets or a throttle rate.

To apply a QoS policy to specific users and computers:
• Apply a Group Policy object that contains the QoS policy to users or computers based on the organizational unit (OU) to which the Group Policy object is linked. Multiple Group Policy objects are created for specific OUs and applied to the users and computers in those OUs.
• Include specific IPv4 or IPv6 addresses or networks as part of the QoS policy. In this manner, you can use one QoS policy for a large part of the organization, and only specific parts of the QoS policy apply to particular computers based on their IP address.

If multiple QoS policies are based on network and IP addresses, the most specific policy applies. For example, a QoS policy based on IP address would override a QoS policy based on a network address.
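The Windows PowerShell model below is an added example, not code from the course or from Windows. It shows two things the preceding topics describe: how a DSCP value is packed into the 8-bit DS field that routers read, and how a set of QoS policies is matched against a flow so that the most specific one wins, with a host-address policy overriding a network-address policy. The policy objects, the scoring (IPv4 only; longer address prefixes first, then the number of other criteria) and the sample addresses and applications are this example's own simplification of the Windows behavior.

```powershell
# Added example, not part of the course: DSCP packing and most-specific-policy selection.

function Get-DSField {
    # DSCP is the upper 6 bits of the 8-bit DS field (the former TOS byte); the low 2
    # bits carry ECN and are left at zero here. Multiplying by 4 shifts left by 2 bits.
    param([Parameter(Mandatory=$true)][ValidateRange(0, 63)][int]$Dscp)
    return $Dscp * 4
}

function ConvertTo-IPv4Number {
    # Dotted quad to integer using multiplication, so it also runs on PowerShell 2.0
    param([Parameter(Mandatory=$true)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Get-PrefixLength {
    # 'any' or empty matches everything (length 0); a bare address is a /32 host
    param([string]$Prefix)
    if ([string]::IsNullOrEmpty($Prefix) -or $Prefix -eq 'any') { return 0 }
    $parts = $Prefix.Split('/')
    if ($parts.Count -eq 2) { return [int]$parts[1] } else { return 32 }
}

function Test-InPrefix {
    # Does $Address fall inside $Prefix ("10.1.20.0/24", "10.1.20.15" or "any")? IPv4 only.
    param([string]$Address, [string]$Prefix)
    $len = Get-PrefixLength $Prefix
    if ($len -eq 0) { return $true }
    $block = [math]::Pow(2, 32 - $len)                     # addresses per prefix block
    $addrBlock = [math]::Floor((ConvertTo-IPv4Number $Address) / $block)
    $netBlock  = [math]::Floor((ConvertTo-IPv4Number $Prefix.Split('/')[0]) / $block)
    return $addrBlock -eq $netBlock
}

function New-QosPolicy {
    # A policy record: any criterion left at 'any' is not evaluated
    param([string]$Name, [string]$Application = 'any', [string]$Source = 'any',
          [string]$Destination = 'any', [string]$Protocol = 'any', [string]$Port = 'any',
          [int]$Dscp = 0, [int]$ThrottleKbps = 0)
    New-Object PSObject -Property @{ Name = $Name; Application = $Application; Source = $Source;
        Destination = $Destination; Protocol = $Protocol; Port = $Port; Dscp = $Dscp; ThrottleKbps = $ThrottleKbps }
}

function Select-QosPolicy {
    # Return the single most specific policy matching the flow, or $null if none matches
    param([object[]]$Policies, [string]$Application, [string]$Source, [string]$Destination,
          [string]$Protocol, [int]$Port)
    $best = $null; $bestScore = -1
    foreach ($p in $Policies) {
        if ($p.Application -ne 'any' -and $p.Application -ne $Application) { continue }
        if ($p.Protocol -ne 'any' -and $p.Protocol -ne $Protocol) { continue }
        if ($p.Port -ne 'any' -and [int]$p.Port -ne $Port) { continue }
        if (-not (Test-InPrefix $Source $p.Source)) { continue }
        if (-not (Test-InPrefix $Destination $p.Destination)) { continue }
        # Specificity: a /32 host beats a /24 network; other named criteria add one each
        $score = (Get-PrefixLength $p.Source) + (Get-PrefixLength $p.Destination)
        foreach ($c in $p.Application, $p.Protocol, $p.Port) { if ($c -ne 'any') { $score += 1 } }
        if ($score -gt $bestScore) { $best = $p; $bestScore = $score }
    }
    return $best
}

# Constructed sample policies: a network-wide marking and a host-specific override
$policies = @(
    (New-QosPolicy -Name 'Voice subnet'  -Destination '10.1.20.0/24' -Dscp 46),
    (New-QosPolicy -Name 'Backup server' -Destination '10.1.20.15' -Protocol 'tcp' -Dscp 8 -ThrottleKbps 20000),
    (New-QosPolicy -Name 'Media player'  -Application 'wmplayer.exe' -Dscp 34)
)
$chosen = Select-QosPolicy -Policies $policies -Application 'robocopy.exe' -Source '10.1.10.5' `
                           -Destination '10.1.20.15' -Protocol 'tcp' -Port 445
"{0}: DSCP {1} (DS field 0x{2:X2}), throttle {3} kbps" -f $chosen.Name, $chosen.Dscp, (Get-DSField $chosen.Dscp), $chosen.ThrottleKbps
```

In the sample flow, both the /24 policy and the host policy for 10.1.20.15 match, and the host policy is selected because its destination prefix is longer, which is the override the paragraph above describes; the throttle rate is carried on the same record because Windows applies either a DSCP value or a throttle through the same policy.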

Discussion: QoS Scenarios

Your classroom discussion will include Quality of Service scenarios.

Demonstration: Creating a QoS Policy

Question: Is it possible to create a QoS policy locally on a computer?

Lab: Designing Routing and Switching

Scenario
Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the network routing topology within the enterprise. Woodgrove Bank has purchased a regional bank located in Washington State. This bank must be integrated into the existing network. You are evaluating and redesigning the network infrastructure and routing of the newly purchased regional bank.

Exercise 1: Designing Internal Infrastructure


Use the following documents when designing internal infrastructure:
• M3_NANetwork.vsd
• M4_WashingtonNetwork.vsd
• M4_RoutingRequirements.doc

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Design the routing between locations.
3. Design the routing within the Seattle hub site.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Design the routing between locations.


1. What type of WAN link will you use between Seattle and the New York hub site?
2. What type of WAN link will you use between Seattle and the branch offices?
3. What routing protocol should be used to control routing?
4. Will you place any filters on communication between Seattle and the branch offices?
5. On a piece of paper, draw how the new bank will integrate with the existing network infrastructure.

Task 3: Design the routing within the Seattle hub site.


1. Which networks will you create within the Seattle hub site?
2. Will you perform routing within the Seattle hub site by using routers or layer 3 switches?
3. If switches are used, how will you define VLANs?
4. On a piece of paper, draw the logical networks of the Seattle hub site.

Exercise 2: Designing a Perimeter Network


The perimeter network for Woodgrove Bank is currently configured with a multihomed firewall. The firewall is running on an x86 server with specialized firewall software. However, the vendor that provided the software is no longer in business. As a consequence, the perimeter network is being redesigned.

Woodgrove Bank has recently partnered with Humongous Insurance to provide new services. As part of the agreement, Humongous Insurance agents will have access to a private customer database through a Web-based interface.

Use the following documents when designing the perimeter network:
• M4_InternetConnectivity.doc

The main tasks for this exercise are:
1. Design extranet communication.
2. Design firewall configuration.
3. Design Internet access.

Task 1: Design extranet communication.


1. What are the requirements for extranet communication with Humongous Insurance?
2. Which type of WAN link will you use for the extranet?
3. How will you limit partner access to your network?

Task 2: Design firewall configuration.


1. What criteria will you consider when purchasing a new firewall?
2. Which firewall design will you use?
3. Which filtering rules will be in place?

Task 3: Design Internet Access


1. How will users be provided with Internet access?

You should implement a proxy server to provide internal users with Internet access. To provide user-based logging, the users must be authenticated, which cannot be provided by NAT. To reduce the impact of Internet access on the WAN links, a hierarchy of proxy servers can be configured. In this way, a cache of commonly accessed Internet Web sites can be maintained at each hub site.

Exercise 3: Evaluating Network Performance


The Toronto hub site has added several new applications, including a streaming media server for training videos. After adding these new servers, network performance has been inconsistent, with some users complaining about slow access to network services. You must determine how to adjust the existing network infrastructure for better performance. You will use Network Monitor to view network utilization statistics.

Use the following documents when evaluating network performance:
• M4_TorontoPerformance.doc
• M4_TorontoNetwork.vsd

The main task in this exercise is:
1. Adjust the network design.

Task 1: Adjust the network design.


1. Why is the problem only occurring when a live broadcast is being streamed?
2. What appears to be the bottleneck on the network?
3. How can you eliminate the bottleneck?
4. Is there any way to adjust the application to resolve this problem?

Exercise 4: Monitoring Network Performance


In this exercise, you will use Microsoft tools to monitor network performance on a server. Network Monitor can be used to view the network traffic generated by any computer on a network.

The main tasks in this exercise are:
1. Enable file sharing on NYC-WEB.
2. Use Windows Task Manager to view network statistics.
3. Use Reliability and Performance Monitor to view network statistics.
4. Use Network Monitor to view network statistics.
5. Close all virtual machines and discard undo disks.

Task 1: Enable file sharing on NYC-WEB


1. Use Network and Sharing Center in Control Panel to turn on network discovery and file sharing.

Task 2: Use Windows Task Manager to view network statistics.


1. Run D:\Mod04\Labfiles\copyloop.bat.
2. Open Windows Task Manager and review the statistics on the Networking tab.

Task 3: Use Reliability and Performance Monitor to view network statistics.


1. On NYC-DC1, open Reliability and Performance Monitor.
2. On the Resource Overview page, expand the Network section and review the available statistics.
3. Start the process of adding a new counter and view the counters available for the following objects:
   • ICMP
   • ICMPv6
   • IPv4
   • IPv6
   • Network Interface
   • Redirector

Task 4: Use Network Monitor to view network statistics.


1. On NYC-DC1, start Network Monitor.
2. Create a new capture tab.
3. Start a new capture.
4. Review the information in the Frame Summary pane.
5. Stop the capture.

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Designing Security for Internal Networks

5-1

Module 5
Designing Security for Internal Networks
Contents
Lesson 1: Designing Windows Firewall Implementation 5-3
Lesson 2: Overview of IPsec 5-8
Lesson 3: Designing IPsec Implementation 5-15
Lab: Designing a Secure Internal Network 5-21

Module Overview

When planning network security, you must consider the security requirements of perimeter networks and attackers from the Internet. You must also consider how to apply security on internal networks. Two common ways to protect internal networks are by using Windows Firewall and Internet Protocol security (IPsec).

Lesson 1

Designing Windows Firewall Implementation

Windows Firewall is a host-based firewall for Windows servers and clients. It has been significantly enhanced in Windows Server 2008 and Windows Vista to include support for different network types and outbound rules. As part of your security design, you need to consider what rules should be implemented and how they will be deployed to hosts on your network.

Reasons for Implementing Windows Firewall

Key Points
Windows Firewall is a host-based stateful firewall that was first included with Windows XP. The version of Windows Firewall included with Windows XP supported only rules to control inbound traffic. The version of Windows Firewall included with Windows Vista and Windows Server 2008 has been enhanced with support for outbound rules. In addition, Windows Firewall now supports varying rules for public, private, and domain networks.

Windows Firewall is implemented to:
• Protect servers from internal threats by restricting incoming communication to specific ranges of IP addresses or specific ports.
• Prevent malware from propagating by restricting outbound communication to specific ports or applications.

Methods for Configuring Windows Firewall

Key Points
You can use the Windows Firewall applet in Control Panel to configure Windows Firewall. This utility configures only one computer at a time and does not include support for advanced configuration options, such as outbound rules or different network types. The Windows Firewall with Advanced Security snap-in allows you to configure all aspects of Windows Firewall. However, it is still limited to configuring a single computer at a time. Group Policy can be used to configure any aspect of Windows Firewall. In addition, Group Policy allows you to configure hundreds or thousands of computers in a single step. However, Group Policy cannot be used to configure computers that are not joined to a domain.

Discussion: Guidelines for Designing Inbound Rules

Your classroom discussion will include guidelines for designing inbound rules.

Discussion: Guidelines for Designing Outbound Rules

Your classroom discussion will include guidelines for designing outbound rules.

Lesson 2

Overview of IPsec

IPsec can be used to secure internal networks by requiring authentication and encryption between communicating network devices. Connection security rules are used to implement IPsec in Windows Server 2008. These rules allow you to define characteristics, such as authentication methods.

Benefits of IPsec

IPsec is a system for authenticating and encrypting communication between devices. It has the following benefits:
• Authentication ensures that only authorized computers are able to communicate.
• Each packet is digitally signed to ensure that it has not been modified in transit.
• Encryption for IPsec is enabled by default in Windows Server 2008 to secure communication.
• IPsec can be used to ensure that only healthy computers can access the network as part of implementing Network Access Protection (NAP).
• IPsec can be used to secure communication between two hosts, or two networks, as long as the packets being encrypted are IP-based.

Connection Security Rules

Key Points
Windows 2000, Windows XP, and Windows Server 2003 use IPsec policies to configure IPsec. In Windows Vista and Windows Server 2008, connection security rules are used in place of IPsec policies. For backward compatibility, Windows Vista and Windows Server 2008 can still use IPsec policies, but it is not recommended.

Consider the following when implementing connection security rules:
• Compatible connection security rules must exist on both hosts to create an IPsec connection. For example, authentication must be configured in the same way.
• Connection security rules apply to all traffic between hosts, not just traffic generated on specific ports or by specific applications.
• Connection security rules can be applied to specific profiles to be used only when connected to private, public, or domain networks.

Types of Connection Security Rules

Key Points
When you create a new connection security rule, the wizard offers several rule types; the type you select depends on your needs. The connection security rule types are:
• Isolation rules are used to prevent unauthorized computers from communicating with each other. Domain isolation can be implemented with these rules.
• Server-to-server rules authenticate, and possibly encrypt, communication between two hosts. These are typically used to secure communication between a few hosts because you specify the endpoints (IP addresses) that the rules apply to.
• Tunnel rules are used when Windows Server 2008 computers act as routers and IPsec is used to secure communication between them.
• Authentication exemptions are used to allow operating systems that do not support IPsec to communicate on the network.
• Custom rules are used to create unique rules that do not match any of the types available in the wizard. All configuration options are available in the wizard when you create custom rules.

For more information, see "Server and Domain Isolation".

IPsec Authentication

Key Points
Authentication requirements specify when authentication is performed. If authentication is requested, an attempt is made to authenticate, but if authentication fails, unauthenticated communication is still allowed. If authentication is required and authentication fails, no communication between the hosts is allowed.

The authentication method specifies how authentication is performed. Kerberos authentication is based on domain authentication and has the flexibility to perform user authentication, computer authentication, or both. All other methods perform only computer authentication. The computer certificate authentication method lets you specify the CA from which hosts must have been issued a certificate. The preshared key method requires that the same string of text be configured on both hosts.

Demonstration: Creating a Connection Security Rule

Your classroom discussion will include how to create a connection security rule.

Lesson 3

Designing IPsec Implementation

When you design an IPsec implementation, you must be sure of the purpose for your implementation. Then you can select the appropriate IPsec policy settings. When designing an IPsec implementation, you must select an appropriate authentication method and deployment method. You must also consider co-existence with IPsec policies.

Deployment Methods for Connection Security Rules

Key Points
Windows Firewall with Advanced Security can be used to configure connection security rules. However, it can only configure one host at a time, and a manual process that is repeated many times is subject to human error.

Group Policy allows connection security rules to be applied to all computers in an OU in a single step. This is the most common way to deploy connection security rules.

You can use netsh or Windows PowerShell to create scripts that manage connection security rules. Scripts allow you to configure individual computers in a repeatable way that eliminates the errors introduced when using Windows Firewall with Advanced Security manually.

Determining the Authentication Method

Key Points
Kerberos is the simplest authentication method to implement when all computers are part of the same Active Directory forest or trusted domains. Because Kerberos is already used for network authentication, it can be used for IPsec authentication with no additional configuration. Kerberos also allows the flexibility to perform authentication based on user or computer.

When using public key certificates for authentication, the certificates must be issued from the same certification authority (CA). Each IPsec client is configured with a certificate issued by that CA. This gives each client individual credentials and avoids the security issues that arise when credentials are configured on the clients.

A preshared key is simple to implement but has security concerns during configuration. During initial configuration, the preshared key must be transmitted in such a way that the key is kept secure. Anyone who learns the key could create IPsec connections to restricted resources.

Co-existence with IPsec Policies

Key Points
Windows Server 2008 and Windows Vista can use either IPsec policies or connection security rules to configure IPsec. IPsec policies are required to configure IPsec for Windows 2000, Windows XP, and Windows Server 2003. If you have already configured IPsec policies to be distributed through Group Policy, they will also be applied to computers running Windows Server 2008 and Windows Vista. IPsec policies and connection security rules can be applied at the same time, but this is not recommended because the two can conflict, and when there is a conflict it is difficult to determine where the problem is occurring.

Integration with Windows Firewall Rules

Key Points
Connection security rules and Windows Firewall rules are integrated in Windows Vista and Windows Server 2008. This integration allows Windows Firewall rules to apply to specific users or computers. When a Windows Firewall rule lists specific users or computers, those users or computers must be authenticated to verify their identity. Kerberos authentication is used by IPsec to verify user or computer identity.

You can also specify within a Windows Firewall rule that only secure connections are allowed. This requires connections to be authenticated, but they are not restricted to specific users and computers. NAP with IPsec enforcement uses this type of rule to limit connectivity of unhealthy computers that have not been issued a health certificate.

For more information about NAP, see Module 9: Designing Network Access Protection.
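The commands below are an added example, not part of the course or its lab files. They show how the rules designed in this module could be scripted on a single computer from Windows PowerShell with netsh advfirewall, the command-line interface to Windows Firewall with Advanced Security: the outbound program rule and the Isolation connection security rule use the names and settings given in the lab exercises, and the third rule is an inbound rule that only authenticated members of a group may use, as described in the paragraph above. The account WOODGROVEBANK\Investments, TCP port 445, the rule name "Investments SMB Access" and the export path are assumed placeholders. Group Policy remains the recommended way to deploy these rules to many computers; a script like this suits individual hosts and lab testing.

```powershell
# Added example, not part of the course: scripting Module 5 rules with netsh advfirewall.
# Run from an elevated PowerShell prompt on the target computer.

function Invoke-Netsh {
    # Run one netsh command and stop on the first error instead of silently continuing.
    # Each array element is passed as a separate argument, so values with spaces are safe.
    param([Parameter(Mandatory=$true)][string[]]$Arguments)
    $output = & netsh.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $output" }
    return $output
}

function Get-FirewallGroupSddl {
    # rmtusrgrp / rmtcomputergrp take an SDDL string; "D:(A;;CC;;;<SID>)" allows the
    # principal with that SID. Resolving the name requires a domain-joined computer.
    param([Parameter(Mandatory=$true)][string]$Account)   # e.g. 'DOMAIN\Group' (placeholder)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    return "D:(A;;CC;;;$sid)"
}

# 1. Keep a copy of the current policy so the change can be rolled back (path is a placeholder)
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
Invoke-Netsh @('advfirewall', 'export', 'C:\Temp\wfas-before.wfw')

# 2. Outbound program rule from Lab Exercise 1, Task 4
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', 'name=Allow IE', 'dir=out',
    'action=allow', 'program=C:\Program Files\Internet Explorer\Iexplore.exe',
    'profile=any', 'enable=yes')

# 3. Isolation connection security rule from Lab Exercise 2, Task 3: require
#    authentication inbound, request it outbound, Kerberos V5 for computer and user
Invoke-Netsh @('advfirewall', 'consec', 'add', 'rule', 'name=Secure Communication',
    'endpoint1=any', 'endpoint2=any', 'action=requireinrequestout',
    'auth1=computerkerb', 'auth2=userkerb', 'profile=any')

# 4. Inbound rule that relies on that IPsec authentication: only authenticated members
#    of the Investments group (assumed name) may reach SMB on this server.
#    security=authenticate is mandatory when rmtusrgrp or rmtcomputergrp is used.
$sddl = Get-FirewallGroupSddl -Account 'WOODGROVEBANK\Investments'
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', 'name=Investments SMB Access',
    'dir=in', 'action=allow', 'protocol=tcp', 'localport=445',
    'security=authenticate', "rmtusrgrp=$sddl", 'profile=domain')

# 5. Verify what was written
Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', 'name=Allow IE')
Invoke-Netsh @('advfirewall', 'consec', 'show', 'rule', 'name=Secure Communication')
```

Because the connection security rule only requests authentication for outbound connections, a server configured this way can still reach hosts that do not run IPsec; the inbound firewall rule is what actually turns the Kerberos identity into an access decision, which is the integration the topic describes.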

Guidelines for Designing IPsec Implementation

Key Points
Consider the following guidelines when deploying IPsec in your organization:
• Use Group Policy to simplify deployment of connection security rules to multiple computers.
• Avoid combining IPsec policies and connection security rules, because they may conflict and the conflicts are difficult to troubleshoot.
• Test thoroughly before implementation to ensure that all computers are configured properly. The best practice is to request IPsec authentication and verify functionality before requiring IPsec authentication.
• Use IPsec only where required as part of your security plan. Using IPsec increases the complexity of your network and should not be done without a defined purpose.

Lab: Designing a Secure Internal Network

Scenario
Woodgrove Bank has completed a redesign of the physical network infrastructure. This included all WAN links, routing, and switching. The next project assigned to the network infrastructure team is securing the internal network. This involves analyzing how to implement Windows Firewall and IPsec to protect network resources. The first location to analyze is the Toronto hub site. The design developed for the Toronto hub site will be used as a template for other hub sites.

Exercise 1: Designing a Windows Firewall Implementation


After analyzing security on the Woodgrove Bank network by using the defense-in-depth model, the network infrastructure team has realized that internal security can be improved by implementing Windows Firewall. To maximize security, outbound rules will also be implemented on workstations and servers.

Use the following documents to help create your design:
• M5_TorontoApplications.doc

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine what rules to create on each computer.
3. Determine how to configure Windows Firewall on each computer.
4. Implement a Windows Firewall rule by using Group Policy.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Determine what rules to create on each computer.


1. What inbound rules should be implemented on servers?
2. What outbound rules should be implemented on servers?
3. What inbound rules should be implemented on Vista workstations?
4. What outbound rules should be implemented on Vista workstations?
5. What concerns do you have about operating systems other than Windows Server 2008 and Windows Vista?

Task 3: Determine how to configure Windows firewall on each computer.


1. How will Windows Firewall be deployed on servers?
2. How will Windows Firewall be deployed on workstations?

Task 4: Implement a Windows Firewall rule by using Group Policy.


1. On NYC-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Use the Group Policy Management administrative tool to link a new GPO to the Toronto OU.
   • Name: Firewall Rules
3. Edit the Firewall Rules GPO and add a new Windows Firewall outbound rule under Computer Configuration.
   • Rule type: Program
   • Program path: C:\Program Files\Internet Explorer\Iexplore.exe
   • Action: Allow the connection
   • Profile: Domain, Private, and Public
   • Name: Allow IE

Exercise 2: Designing an IPsec Implementation


To further secure network communication, the network infrastructure team has decided to secure communication between all users in the investments group. This will prevent non-investments users from accessing investments data or applications.

Use the following documents to help create your design:
• M5_IPsecRequirements.doc

The main tasks for this exercise are:
1. Determine connection security rules.
2. Determine how to configure connection security rules on each computer.
3. Implement connection security rules.
4. Create a firewall rule for a specific user.
5. Close all virtual machines and discard undo disks.

Task 1: Determine connection security rules.


1. What authentication requirements should be used?

All of the computers in the investments group should require authentication for inbound connections and request authentication for outbound connections. In this way, all communication to investments servers and workstations must be authenticated. However, investments workstations can initiate communication with servers that are not part of the investments area, and those connections will not be authenticated.

2. What authentication method should be used?

Using Kerberos authentication (user and computer) provides the flexibility to create firewall rules that are specific to particular computer accounts or user accounts. This is the best way to control communication. It also requires no additional configuration on the computers because they are part of a domain already and therefore participate in Kerberos authentication.

3. What type of connection security rule should be used?

An Isolation rule should be used. This type of rule uses Kerberos authentication. After authentication is established, firewall rules can be created based on the specific users and computers you want to allow. This type of rule does not designate endpoints by IP address.

Task 2: Determine how to configure connection security rules on each computer.


1. How will connection security rules be deployed to servers?

   All Investments servers can be placed in a specific OU and have the connection security rules applied by using Group Policy. This ensures that all investments servers have the same configuration.

2. How will connection security rules be deployed to workstations?

   All Investments workstations can be placed in a specific OU and have the connection security rules applied by using Group Policy. This ensures that all investments workstations have the same configuration.

3. How will you address Windows XP clients?

   Based on the conditions presented in the scenario, the best solution is to upgrade the few remaining XP computers to Windows Vista. Other alternatives will be relatively complex. In the short term, an exemption rule can be used for the Windows XP computers, to prevent the need for IPsec authentication from those computers. Exemption rules are based on computer IP address, and the XP computers must be given static IP addresses or reservations in DHCP. Other alternatives are:

   • Use both IPsec policies and connection security rules on the servers. This is not recommended because the results are difficult to predict.
   • Use IPsec policies only. Windows Server 2008 and Windows Vista are both capable of using IPsec policies. However, if IPsec policies are used, then you cannot control authentication based on computer and user accounts.

Task 3: Implement connection security rules.


1. On NYC-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Use the Group Policy Management administrative tool to link a new GPO to the Toronto Investments OU.
   • Name: Connection Security Rules
3. Edit the Connection Security Rules GPO and add a new Windows Firewall outbound rule under Computer Configuration.
   • Rule type: Isolation
   • Requirements: Require authentication for inbound connections and request authentication for outbound connections.
   • Authentication method: Computer and user (Kerberos V5)
   • Profile: Domain, Private, and Public
   • Name: Secure Communication

Task 4: Create a Firewall Rule for a specific user


1. On NYC-DC1, use the Windows Firewall with Advanced Security administrative tool to create a new inbound security rule to authenticate Web traffic on port 80 and restrict access to Administrator.
   • Rule type: Port
   • Protocol: TCP
   • Port: 80
   • Action: Allow the connection if it is secure
   • Only allow connections from: Administrator
   • Profiles: All
   • Name: Administrator Access to Web site
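The three rules from this lab (the Allow IE program rule in Exercise 1, the Secure Communication isolation rule in Task 3, and the Administrator-only port 80 rule in Task 4) expressed as netsh advfirewall commands. This is an added example, not part of the course: it writes to the local firewall policy of the machine it runs on rather than to the lab's GPOs, and assumes an elevated PowerShell session on NYC-DC1 logged on as the domain Administrator.

```powershell
# Added example, not from the course text. Writes to local policy (the course applies the
# first two rules through GPOs linked to the Toronto and Toronto Investments OUs).
# Assumes an elevated PowerShell on NYC-DC1, logged on as the domain Administrator.

# Exercise 1, Task 3: outbound program rule. profile=any covers Domain, Private and Public.
netsh advfirewall firewall add rule name="Allow IE" dir=out action=allow `
    program="C:\Program Files\Internet Explorer\Iexplore.exe" profile=any enable=yes

# Exercise 2, Task 3: isolation rule.
#   action=requireinrequestout -> require authentication inbound, request it outbound
#   auth1=computerkerb, auth2=userkerb -> computer and user Kerberos V5
#   endpoint1/endpoint2=any -> an isolation rule does not designate endpoints by address
netsh advfirewall consec add rule name="Secure Communication" endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb auth2=userkerb profile=any enable=yes

# Exercise 2, Task 4: inbound TCP 80, allowed only if the connection is IPsec-authenticated
# and the authenticated user is Administrator. netsh takes the authorised users as an SDDL
# string of SIDs, so translate the account name to its SID first.
$account = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Administrator")
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl    = "D:(A;;CC;;;$sid)"   # DACL with one ACE: allow (A) the CC access right to this SID
netsh advfirewall firewall add rule name="Administrator Access to Web site" dir=in `
    action=allow protocol=TCP localport=80 security=authenticate rmtusrgrp=$sddl `
    profile=any enable=yes

# Check the result: the verbose listing should show Security=Authenticate and the SID above,
# and the isolation rule should list the computer and user Kerberos methods.
netsh advfirewall firewall show rule name="Administrator Access to Web site" verbose
netsh advfirewall consec show rule name="Secure Communication"
```

Without the isolation rule in place, the port 80 rule never matches, because no inbound connection is authenticated; this is the dependency between Task 3 and Task 4.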

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Designing Name Resolution

6-1

Module 6
Designing Name Resolution
Contents
Lesson 1: Collecting Information for a Name Resolution Design   6-3
Lesson 2: Designing a DNS Server Strategy   6-11
Lesson 3: Designing a DNS Namespace   6-17
Lesson 4: Designing DNS Zone Implementation   6-22
Lesson 5: Designing Zone Replication and Delegation   6-27
Lab: Designing a Name Resolution Strategy in Windows Server 2008   6-32


Module Overview

Name resolution is an essential service in modern computer networks. The structure of the domain name system (DNS) namespace and location of DNS servers has significant performance implications. In addition to determining the location of servers, you must determine which server specific DNS zones are located on. You also must determine the zone types required to support your design.


Lesson 1

Collecting Information for a Name Resolution Design

To begin the name resolution design process, you must collect the information necessary to create the design. Some of the information that must be collected includes: physical locations, host requirements, and Network Basic Input/Output System (NetBIOS) resources.


Reasons for Name Resolution

Key Points
Name resolution is a requirement in modern computer networks to simplify access to resources. Most resources can be accessed directly by IP address, but it is not realistic to expect users to remember complex IP addresses. Host names provide an easily understandable structure for users to access resources. In a Windows-based environment, DNS is required to support Active Directory. The name of an Active Directory domain uses the same structure as a DNS domain. DNS holds records for locating domain resources, such as domain controllers and global catalog servers. Domain-joined computers require access to DNS to locate domain resources. If Active Directory records are not available in DNS, then replication between domain controllers will fail and clients will be unable to log on to the domain.


Considerations for Configuring Name Resolution

Key Points
The majority of network environments already have a DNS infrastructure in place. You must identify this infrastructure to determine how Active Directory will integrate with it. If the Active Directory namespace is the same as the public namespace, then you must determine how you will synchronize data between the internal and external DNS. Internal DNS records should not be publicly available, but external DNS records should be available internally. If the Active Directory namespace does not overlap with the public namespace, then there are no integration concerns. However, you must ensure that users understand when the Active Directory and public namespaces are used. NetBIOS names are used by some older applications and operating systems. If required, you must plan the resolution of NetBIOS names in addition to host names.


Physical Location Considerations for a Name Resolution Design

Physical locations influence your DNS design decisions. You need to gather information about your organization's physical locations before you begin your namespace design. Gather the following physical location information:

• Determine the number of locations. Each location typically has at least one DNS server.
• Determine the number of hosts at each location. The number of hosts at each location determines the number of DNS clients each location must support.
• The existence of any legacy DNS servers, such as Berkeley Internet Name Domain (BIND) servers or Microsoft Windows NT 4.0 DNS servers. Existing legacy DNS servers might limit the use of DNS features such as incremental zone transfers.
• The existence of, or plans to include, an Active Directory service infrastructure. Active Directory provides the option of including Active Directory-integrated zones in your DNS design.
• Location of the clients in relation to a Windows Internet Name Service (WINS) server. You will need to identify whether the clients are located in the same broadcast domain or in different broadcast domains. If clients are in separate broadcast domains, Microsoft recommends using WINS.


Host Requirements for a Name Resolution Design

Host requirements influence your design decisions for name resolution. Before you can design a name resolution strategy, you must first gather information about host requirements on your network. You need to consider the following:

• If computers with dynamic IP addresses provide services, you may need to consider DHCP integration with DNS.
• If reverse DNS lookup zones are required to resolve IP addresses to a host name.
• If NetBIOS name resolution is required, then you will need to implement WINS in most cases.
• If NetBIOS broadcasts are restricted to the local subnet, or if a WINS proxy is used.


NetBIOS Resources

Key Points
Windows services, such as file and printer sharing, do not rely on NetBIOS name resolution in a domain-based environment. Basic operating system services use DNS for name resolution. However, Windows 98 and Windows NT computers are not capable of using DNS for operating system services and require NetBIOS name resolution. It is important to note that non-domain Windows environments still use NetBIOS names. In most organizations, the biggest requirement for NetBIOS name resolution is older applications and services. You must carefully identify which applications and services require NetBIOS name resolution. If NetBIOS is used by an application, you can:

• Retire the application
• Obtain an updated version of the application
• Continue supporting NetBIOS name resolution


Discussion: Gathering Data for Name Resolution Design

Your classroom discussion will address gathering data for name resolution design.


Lesson 2

Designing a DNS Server Strategy

A DNS server strategy is used to determine the placement and configuration of DNS servers. When configuring DNS servers, you must consider the DNS server roles that are available and how you will secure DNS servers.


How Clients Resolve Host Names

Key Points
Windows client computers use several methods to resolve host names. The first location searched is the local cache. This contains recently resolved names and the contents of the local HOSTS file. If the name is not in the local cache, then DNS is used. If DNS is not successful, then NetBIOS name resolution methods are used. When a client queries a DNS server, the DNS server attempts to resolve the name from its locally configured zones. If the DNS server does not have a local copy, then it communicates with other DNS servers to resolve the name and respond to the client. The process used by a DNS server to resolve names is controlled by root hints, caching, delegation, forwarding, and conditional forwarding.


Determining DNS Server Requirements

Key Points
The resource requirements for a DNS server are typically very low. This makes DNS servers good candidates for virtualization. The overall capacity of a DNS server is based on:

• The number of zones hosted by a server.
• The number of records in each zone.
• The number of queries for records in each zone.

A DNS server service fully loads all of its configured zones into memory at startup. If your server is operating and loading a large number of zones -- and if dynamic updates occur frequently for zone clients -- additional memory can be helpful.


Considerations for Placing DNS Server

Key Points
The placement of DNS servers will affect application and client performance. While placing DNS servers, you should consider:

• DNS resolution over WAN links by many clients can generate significant network traffic. Also consider that resolution over WAN links is slower than local name resolution and may affect application performance due to latency.
• If a WAN link fails and DNS information is not cached or located in the current site, service access may be affected.
• Some method should be used for DNS server redundancy in case a DNS server fails. You should plan how clients will fail over from one DNS server to another.
• Understand which computers will experience problems when a particular DNS server is unavailable.
• Understand which applications are affected if a particular DNS server is unavailable or a particular part of your internal DNS namespace is unavailable.


DNS Server Roles

Key Points
A caching-only server is a simple way to ensure that remote sites have a copy of commonly used DNS records. As each record is resolved, it is cached locally without any need for configuring zone replication. A non-recursive server can resolve only locally hosted DNS records. This is useful on Internet-facing servers to ensure that they are used to resolve only the public records you have configured. Forward-only servers are similar to caching-only servers in that they build a local cache of resolved DNS records. However, a forward-only server is configured to forward requests to another specific server rather than using root hints. Conditional forwarders are DNS servers that perform forwarding only for some domains. You can configure these specific domains. This allows you to create a flexible structure for name resolution. For example, you could forward internal name resolution requests to another internal DNS server, but forward requests for other domains to an Internet DNS server.


Securing DNS Servers

Key Points
Some methods for securing DNS servers are:

• Firewalls can be used to restrict communication with DNS servers to only authorized IP address ranges and authorized ports.
• Restricting zone transfers prevents footprinting of the network by querying a list of internal resources from the DNS server.
• Securing dynamic updates ensures that only the host that created a dynamic DNS record can modify it. Active Directory integrated zones are required for secure dynamic updates. They also have the advantage of automatically securing the replication of DNS records as part of Active Directory replication.
• Forwarding can be used to centralize name resolution in your organization. In this way, name resolution on the Internet can be restricted to specific servers.


Lesson 3

Designing a DNS Namespace

When you implement Active Directory, you must select a namespace design. You must also determine how the namespace will be hosted on DNS servers.


DNS Namespace Options

Key Points
When you implement Active Directory, you must use a DNS namespace for hosting Active Directory records. You can choose from the following options:

• Internal namespace is the same as the public namespace. In this scenario, the internal and public namespaces are the same, but will have varying records.
• Internal namespace is a subdomain of the public namespace. In this scenario, the internal namespace is linked to the public namespace, but there is no overlap between them.
• Internal namespace is different from the public namespace. In this scenario, the internal and public namespaces are completely different with no link between them.


Selecting a DNS Namespace Option

Key Points
Using the same namespace internally and externally simplifies resource access from the perspective of users, but increases management complexity. Internal DNS records should not be available externally, but some synchronization of records for external resources is typically required. Using a subdomain of the public namespace for Active Directory avoids the need to synchronize records between the internal and external DNS servers. Because the namespaces are linked, users typically find this structure easy to understand. Using unique namespaces for the internal and public namespaces provides a clear delineation between internal and external DNS and avoids the need to synchronize records between the namespaces. However, in some cases, having multiple namespaces may lead to user confusion.


Hosting Options for DNS

Key Points
A complete DNS design hosts both internal and external name resolution on a single server. This is typical for small organizations. A split DNS has separate DNS servers for hosting internal and external DNS records. This enhances security by preventing external users from contacting DNS servers that hold internal DNS records. A split-split DNS is an enhancement to the split DNS structure. External name resolution is performed by two separate servers. One external DNS server resolves the local names only. The second external server is responsible for performing recursive Internet name resolution for internal DNS servers.


Guidelines for Designing DNS Namespaces

Key Points
Consider the following guidelines for designing DNS namespaces:

• Carefully consider your options before selecting a namespace design for Active Directory. While it is possible to change a namespace after implementing Active Directory, it is an involved process.
• The simplest namespace design is a subdomain of the public namespace.
• If you cannot use a subdomain of the public namespace for Active Directory, then you should use unique namespaces.
• Avoid using the same namespace for internal and public namespaces because it is difficult to manage.


Lesson 4

Designing DNS Zone Implementation

In addition to selecting DNS server locations and a namespace design, you must also determine how DNS zones will be implemented to support your design. You need to determine both the zone types to be used and where the zone data will be stored.


Selecting Zone Types

Key Points
A primary zone is a read/write copy of zone information. A secondary zone is a read-only copy of zone information. Information from primary zones is synchronized with secondary zones by a zone transfer. Traditionally, zone transfers included all zone information, but modern DNS servers support incremental zone updates. A stub zone is also a read-only copy of a zone. However, a stub zone contains only a subset of the records associated with that zone. It contains information about the name servers that are authoritative for that domain alone, allowing a client (or another DNS server) to go directly to an authoritative server without having to visit intermediate servers. This can increase the efficiency of name resolution across zones and across discontiguous namespaces.


Selecting Zone Data Location

Key Points
When zone data is stored on disk, traditional DNS zones are used. In this scenario, a single primary zone can be used with multiple secondary zones. Using traditional secondary zones allows you to synchronize zones from non-Windows primary zones. Also, remember that disk storage can be implemented on any Windows server. Active Directory integrated zones store DNS information in Active Directory. Zone information is then automatically replicated to all domain controllers and can be updated by any domain controller. Any domain controller with DNS installed begins servicing Active Directory integrated zones automatically. Active Directory integrated zones behave as primary zones to traditional secondary zones. However, unlike traditional primary zones, there can be multiple Active Directory integrated copies of the same zone, each of which accepts updates.


Zone Security Considerations

Key Points
Active Directory integrated zones allow you to configure secure dynamic updates. This restricts the modification of DNS records to the host that created the record. The Microsoft Windows 2000 operating system, the Windows XP Professional operating system, and the Windows Vista operating system clients perform their own dynamic updates. They attempt to perform dynamic DNS updates on the DNS server that they are configured to use. For this to be successful, the DNS server must accept dynamic updates. Clients that cannot perform their own dynamic updates require Dynamic Host Configuration Protocol (DHCP) to perform dynamic updates for them. In such cases, the DHCP server is the owner of the records.

You can configure zone permissions to control who can manage the zones. The following groups have permission to manage DNS by default:

• Administrators
• DnsAdmins
• Domain Admins
• Enterprise Admins


Lesson 5

Designing Zone Replication and Delegation

Zone replication is used to synchronize the zone information between multiple DNS servers. To design zone replication, you must consider when to use secondary zones and how zone replication is performed. Finally, you should consider when delegation is useful for your design.


Reasons for Designing Secondary Zones

Key Points
Adding DNS servers provides zone redundancy, enabling the resolution of DNS names in the zone for clients, if a primary server for the zone stops responding. The more servers you have that are authoritative for a particular zone, the less likely it is that queries will go unanswered for resources in that zone. If you place servers close to large client populations or close to isolated networks, you can reduce the amount of query traffic that has to flow across potentially costly and slow WAN links. You can use additional secondary servers to reduce loads on a primary server for a zone. For example, you can direct clients to secondary servers that service queries from local clients only, not clients from across the entire enterprise.


Zone Replication

Key Points
Due to the essential role that zones play in DNS, it is important that they be available from more than one DNS server on the network to provide availability and fault tolerance when resolving name queries. Zone transfers occur in a traditional DNS zone. Zone replication occurs in an Active Directory-integrated zone. Zone transfers are always initiated at a zone's secondary server and then sent to the configured master servers that act as their zone's source. A master server can be any other DNS server that loads the zone, such as the primary server for the zone or another secondary server. When the master server receives the request for the zone, it can reply with either a partial or full transfer of the zone to the secondary server.

Active Directory replication provides an advantage over standard DNS replication. With standard DNS replication, only the primary server for a zone can modify the zone. With Active Directory replication, all domain controllers for the domain can modify the zone and then replicate the changes to other domain controllers. This replication process is known as multimaster replication because multiple domain controllers, or masters, can update the zone.


Zone Transfers

Key Points
When zone transfers are used to synchronize data with secondary zones, you need to consider both security measures and the impact on network traffic. You can implement the following to increase security:

• Restrict zone transfers based on IP address.
• Encrypt zone transfers by implementing IPsec or virtual private network (VPN) tunnels.
• Change to Active Directory integrated zones for automatic encryption.

In addition, to reduce the network impact of zone transfers, you need to:

• Use incremental zone transfers to synchronize only DNS changes.
• Use fast zone transfers to compress data.
• Configure zone transfers to occur outside of peak hours.


Zone Delegation

Key Points
In the context of DNS, delegation is the process of assigning responsibility for a portion of a DNS namespace to a separate entity. This entity could be another organization, department, or workgroup within your enterprise. In technical terms, delegation means assigning authority over portions of your DNS namespace to other zones. The NS resource record that specifies the delegated zone and DNS name of the server that is authoritative for that zone represents such delegation. The following are the main reasons for the delegation of zones:

• A need to delegate management of a DNS domain to a number of organizations, or departments within your enterprise.
• A need to distribute the load of maintaining one large DNS database among multiple name servers to improve the name resolution performance and create a DNS fault-tolerant environment.
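A delegation written out with dnscmd, as an added example that is not part of the course: the parent zone WoodgroveBank.com on NYC-DC1 hands EMEA to a name server inside the delegated subtree. The delegated server's name LON-DC1.EMEA.WoodgroveBank.com and its address 10.10.0.110 are assumptions taken from the lab's host names and addresses; the glue record is what the NS record alone does not provide.

```powershell
# Added example, not from the course. Run on (or with rights to) the parent zone's server.
# Assumed values: the delegated name server's FQDN and address.
$parentServer = 'NYC-DC1'
$parentZone   = 'WoodgroveBank.com'
$childLabel   = 'EMEA'                            # node in the parent zone being delegated
$childNs      = 'LON-DC1.EMEA.WoodgroveBank.com'  # assumed authoritative server for the child
$childNsIp    = '10.10.0.110'                     # assumed address of that server

# 1. The NS record in the parent zone is the delegation itself: queries for anything under
#    EMEA.WoodgroveBank.com are referred to $childNs instead of being answered here.
dnscmd $parentServer /RecordAdd $parentZone $childLabel NS $childNs

# 2. Glue: $childNs lives inside the zone it serves, so a resolver that only holds the NS
#    record has no way to find its address. The parent therefore publishes an A record
#    for it as well (node name is relative to the parent zone).
dnscmd $parentServer /RecordAdd $parentZone "LON-DC1.$childLabel" A $childNsIp

# Checks: the delegation node should show the NS record, and a query against the parent
# server should return a referral naming the child's server rather than an answer.
dnscmd $parentServer /EnumRecords $parentZone $childLabel /Type NS
nslookup -type=NS "$childLabel.$parentZone" $parentServer
```

If the child zone later moves to another server, both the NS record and the glue A record in the parent must be updated; stale glue is a common cause of a subdomain that resolves from inside the child domain but not from the rest of the forest.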


Lab: Designing a Name Resolution Strategy in Windows Server 2008

Scenario
Woodgrove Bank has experienced significant growth and needs to re-evaluate the current name resolution structure to verify that it is appropriate. This involves selecting locations for DNS servers, designing the DNS namespace, and determining a zone replication strategy.


Exercise 1: Designing a DNS Namespace


Woodgrove Bank has three Active Directory domains. The forest root domain is WoodgroveBank.com and contains information about North American resources. The EMEA.WoodgroveBank.com domain is used by European operations and the Asia.WoodgroveBank.com domain is used by Asian operations. The following guidelines have been given for evaluating the current DNS structure:

• The namespace for Active Directory should simplify maintenance if possible.
• Changes to the existing system should be avoided if they will cause a significant amount of change.

Woodgrove Bank has external DNS records that are manually synchronized with the internal DNS structure. These records change on average less than once per year.
External DNS Records          Purpose
www.woodgrovebank.com         Public Web site
Customer.woodgrovebank.com    Secure Web site for customers
Invest.woodgrovebank.com      Secure Web site for investments customers
Vpn.woodgrovebank.com         VPN server used by roaming staff
Mail.woodgrovebank.com        Internet mail server
Dns1.woodgrovebank.com        External DNS server
Dns2.woodgrovebank.com        External DNS server

The main tasks for this exercise are:

1. Start the virtual machines, and then log on.
2. Select a DNS namespace for Active Directory.

Task 1: Start the virtual machines, and then log on.


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-LON-DC1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Select a DNS namespace for Active Directory


1. What would be your preferred namespace for Active Directory if creating a new design?
2. What additional considerations must be taken into account when modifying an existing design?
3. What DNS namespace do you recommend that Woodgrove Bank use for Active Directory?


Exercise 2: Designing a DNS Server Strategy


The placement of DNS servers is important to minimize WAN traffic and ensure availability. You must determine which locations will have DNS servers, based on the network infrastructure and number of users. In addition, the failure of a WAN link between hub sites should not cause a failure in name resolution. Individual branch locations do not have servers. All branches access applications by using terminal servers at their hub site. Use the following documents to create your design:

• M6_Physical.png
• M6_LocationDetails.doc

Task 1: Determine a DNS server location.


1. Are DNS servers required at the branch locations?
2. Are DNS servers required at each hub site?
3. How many DNS servers should be located at each hub site?


Exercise 3: Designing a DNS Zone and Replication Strategy


After determining the location of DNS servers, you must now determine how to divide the DNS namespace and how replication will be performed. DNS for each of the three domains should be managed separately. Each DNS zone should be capable of performing secure dynamic updates for computers in the local domain.

Task 1: Determine DNS Zone requirements


1. Which zones need to be created on internal DNS servers?
2. Which zones need to be created on external DNS servers?
3. In which hub sites will each DNS zone be placed?
4. How will replication/zone transfers be configured for each zone?


Exercise 4: Discuss the Design of Name Resolution


Now that you have completed your name resolution strategy, participate in a discussion with your instructor and the class.

Task 1: Discuss your design for name resolution with the instructor and other students.
1. With your instructor, discuss the namespace design that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the DNS server strategy that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the DNS zone and replication strategy that is appropriate for Woodgrove Bank.


Exercise 5: Implement a DNS and Zone Replication Strategy


After completing your name resolution strategy, you must take steps to implement it. Some of the name resolution strategy is already in place. However, you must verify the components that are in place and implement others. The main tasks for this exercise are:

1. Review the configuration of zones in North America.
2. Review the configuration of zones in Europe.
3. Configure zone transfers for EMEA.WoodgroveBank.com.
4. Configure a secondary zone for EMEA.WoodgroveBank.com.
5. Close all virtual machines and discard undo disks.

Task 1: Review the configuration of zones in North America.


1. On NYC-DC1, use the DNS administrative tools to view the type and replication configuration of the WoodgroveBank.com zone.
2. View the type and replication configuration of the _msdcs.WoodgroveBank.com zone.

Task 2: Review the configuration of zones in Europe.


1. On LON-DC1, use the DNS administrative tools to view the type and replication configuration of the EMEA.WoodgroveBank.com zone.
2. View the type and replication configuration of the _msdcs.WoodgroveBank.com zone.

Task 3: Configure zone transfers for EMEA.WoodgroveBank.com


1. On LON-DC1, use the DNS administrative tool to configure the EMEA.WoodgroveBank.com zone to allow zone transfers to 10.10.0.10.

Task 4: Configure a secondary zone for EMEA.WoodgroveBank.com


1. On NYC-DC1, use the DNS administrative tool to create a new secondary zone for EMEA.WoodgroveBank.com.
   • Type: Secondary zone
   • Zone name: EMEA.WoodgroveBank.com
   • Master server: 10.10.0.110
2. View the replicated records for EMEA.WoodgroveBank.com.
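Tasks 3 and 4 performed with dnscmd instead of the DNS console, together with a check that the transfer restriction from Lesson 5 (restrict zone transfers based on IP address) is in force. This is an added example, not part of the course; it assumes, from the two tasks, that LON-DC1 is 10.10.0.110 and NYC-DC1 is 10.10.0.10, and that it is run from a session with administrative rights on both servers.

```powershell
# Added example, not from the course. Assumed address-to-host mapping taken from Tasks 3 and 4.
$zone        = 'EMEA.WoodgroveBank.com'
$master      = 'LON-DC1'; $masterIp    = '10.10.0.110'   # holds the primary (AD-integrated) copy
$secondary   = 'NYC-DC1'; $secondaryIp = '10.10.0.10'    # will hold the secondary copy

# Task 3 (on LON-DC1): permit AXFR/IXFR only to the listed address, and NOTIFY that address
# when the zone changes so the secondary refreshes promptly instead of waiting for the SOA
# refresh interval. Any other host asking for a transfer is refused.
dnscmd $master /ZoneResetSecondaries $zone /SecureList $secondaryIp /NotifyList $secondaryIp

# Task 4 (on NYC-DC1): create the secondary zone with LON-DC1 as its master, then pull it.
dnscmd $secondary /ZoneAdd $zone /Secondary $masterIp
dnscmd $secondary /ZoneRefresh $zone

# Checks.
# (a) The master's zone settings should show the secure-secondaries setting with 10.10.0.10
#     as the only allowed address.
dnscmd $master /ZoneInfo $zone
# (b) The SOA serial on both servers should match once the transfer has completed; a lagging
#     serial on the secondary means the transfer was refused or has not run yet.
dnscmd $master    /EnumRecords $zone @ /Type SOA
dnscmd $secondary /EnumRecords $zone @ /Type SOA
```

A transfer that is refused shows up in the DNS server event log on the secondary and in the Zone Transfers tab of the master; checking the serials first tells you whether the problem is the restriction list or simply that no change has occurred since the last transfer.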


Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6435A Lab Launcher.

Designing Advanced Name Resolution

7-1

Module 7
Designing Advanced Name Resolution
Contents
Lesson 1: Optimizing DNS Servers   7-3
Lesson 2: Designing DNS for High Availability and Security   7-11
Lesson 3: Designing a WINS Name Resolution Strategy   7-19
Lesson 4: Designing WINS Replication   7-25
Lab: Designing a Name Resolution Strategy in Windows Server 2008   7-31


Module Overview

As part of designing name resolution, you need to consider more than just what zones to create and the placement of those zones. You should also consider optimizing Domain Name System (DNS) queries and determine how DNS can be made highly available and secure. In addition, in many environments, you must plan for Windows Internet Name Service (WINS) during the design phase.


Lesson 1

Optimizing DNS Servers

To begin the name resolution design process, you must collect the information necessary to create the design. Some of the information that must be collected includes: physical locations, host requirements, and Network Basic Input/Output System (NetBIOS) resources.


Disabling Recursion

Key Points
A recursive DNS query is one in which a DNS server resolves a non-local hostname on behalf of a DNS client. When recursion is disabled, a DNS server will not use root hints or forwarders to resolve queries for clients. You should disable recursion on all DNS servers that do not require this functionality. Internal DNS servers typically require recursion to be enabled. A DNS server hosting an external DNS namespace should typically have recursion disabled. This prevents Internet clients from using your server to resolve DNS names. Preventing Internet clients from performing recursive queries on your external DNS server reduces the load on the server. It may also prevent denial-of-service attacks.


Deleting and Modifying Root Hints

Key Points
Root hints are a list of preliminary resource records that the DNS service can use to locate other DNS servers that are authoritative for the root of the DNS domain namespace tree. The default configuration of root hints allows DNS servers to resolve Internet DNS names. If you delete the root hints file from a DNS server, you remove the ability of that server to directly contact a server that is authoritative for the root of the DNS infrastructure. If you delete the root hints file, you should configure the server to forward requests to another server that has a root hints file. This controls the path used for Internet DNS lookups in your organization. If you are not connected to the Internet, you may need to create a root domain to use internally for name resolution. On servers that are authoritative for the root domain, you can safely remove the root hints information entirely, because these servers do not use the root hints file. On the other servers in your organization, you should remove the default resource records and replace them with resource records for your organization's root servers.


Optimizing DNS Server Response

You can optimize server response by disabling either local subnet prioritization or round-robin rotation. Both of these features are only relevant when a single host name resolves to more than one IP address. Disabling these features increases performance because they require extra processing by the DNS server and cause slower response times.

Local subnet prioritization orders records in a response to a DNS query based on the subnet of the client performing the query. The records are ordered so that those most closely matching the IP address of the client are listed first. This results in the client contacting the IP address closest to the client. This feature is enabled by default.

Round-robin rotation is a load balancing mechanism used by DNS servers to share and distribute network resource loads. You can use it to rotate all resource record types that are contained in a query answer if multiple resource records are found. If round-robin rotation is disabled, resource records are returned in a static list. This feature is enabled by default.

You can also optimize server response by ensuring that the server has enough physical memory to cache the complete contents of all DNS zones.
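The two ordering features above are easiest to understand by watching what a client receives on successive queries. The following is an added illustration for this page, not DNS Server code: it models a server that rotates the record set once per query (round robin) and then moves records on the client's subnet to the front while preserving their relative order (local subnet prioritization). The host addresses, client address and the /24 used for the "local" test are all constructed values.

```python
"""Model of DNS Server response ordering: round-robin rotation and local
subnet prioritization.  Added illustration, not Windows code; addresses and
the /24 subnet size are constructed for the example."""
import ipaddress


class MultiHomedName:
    """The A records of one host name, returned in the order a server with
    the given settings would list them (simplified model: rotate the list
    once per query, then move the client's-subnet records to the front)."""

    def __init__(self, addresses, subnet_prioritization=True, round_robin=True,
                 prefix_len=24):
        self.addresses = [ipaddress.IPv4Address(a) for a in addresses]
        self.subnet_prioritization = subnet_prioritization  # on by default
        self.round_robin = round_robin                      # on by default
        self.prefix_len = prefix_len  # assumed subnet size for the "local" test
        self._rotation = 0

    def _is_local(self, addr, client):
        net = ipaddress.IPv4Network(f"{client}/{self.prefix_len}", strict=False)
        return addr in net

    def answer(self, client_ip):
        """Return the address list for one query from client_ip."""
        client = ipaddress.IPv4Address(client_ip)
        records = list(self.addresses)
        if self.round_robin:
            # rotate by one position per answered query so load is spread
            k = self._rotation % len(records)
            records = records[k:] + records[:k]
            self._rotation += 1
        if self.subnet_prioritization:
            # stable partition: same-subnet records first, order kept
            local = [r for r in records if self._is_local(r, client)]
            remote = [r for r in records if not self._is_local(r, client)]
            records = local + remote
        return [str(r) for r in records]


def first_addresses(addresses, client_ip, queries, **settings):
    """Address the client would contact on each of `queries` lookups;
    shows how the settings spread (or do not spread) the load."""
    name = MultiHomedName(addresses, **settings)
    return [name.answer(client_ip)[0] for _ in range(queries)]


if __name__ == "__main__":
    web = ["10.1.2.9", "10.2.0.7", "10.1.2.20"]   # constructed sample A records
    client = "10.1.2.5"                            # constructed client on 10.1.2.0/24
    print("both enabled :", first_addresses(web, client, 4))
    print("round robin  :", first_addresses(web, client, 4, subnet_prioritization=False))
    print("both disabled:", first_addresses(web, client, 4, round_robin=False,
                                            subnet_prioritization=False))
```

With both features on, a client on 10.1.2.0/24 is always handed one of the two local addresses and they alternate; with round robin only, all three addresses are handed out in turn regardless of distance; with both disabled, every client gets the same static first address. On a Windows Server 2008 DNS server the corresponding settings are the RoundRobin and LocalNetPriority server properties (dnscmd /Config /RoundRobin and /LocalNetPriority).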


Optimizing DNS Server Functionality

Windows Server 2008 and other recent implementations of DNS use incremental zone transfers. Incremental zone transfers include only changes to DNS zones rather than a complete zone transfer. In many cases, this means that zone transfers consume very little network capacity and do not need to be optimized.

To optimize zone transfers, you can control how often zone transfers occur, how quickly a zone transfer is reattempted after failure, and how long data is considered reliable. By default, zone transfers occur every 15 minutes, and a retry occurs after 10 minutes if a zone transfer fails. By default, the data in a secondary zone expires after 24 hours if the master server with the primary zone cannot be contacted.

Caching-only servers perform name resolution on behalf of clients, and then they cache, or store, the results. This type of server is not configured to be authoritative for a zone and, therefore, does not store standard primary or standard secondary zones. The cache is populated with the most frequently requested names. A caching-only server is a simple way to provide some local DNS resolution capabilities without configuring zones.
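The three timers above (refresh, retry, expire) interact: expire counts from the last successful transfer, not from the start of an outage, so the refresh interval determines how much of the expire window is already used up when the master goes away. The following is an added illustration for this page, not Windows code: it simulates a secondary zone against a master that stops answering, using the page's default values, and includes the sanity checks a designer applies when choosing non-default values. The outage timeline is constructed.

```python
"""Model of the secondary-zone SOA timers: refresh, retry and expire.
Added illustration, not Windows code; the page's defaults are used and the
master outage timeline is constructed."""

REFRESH = 15 * 60        # zone transfer attempted every 15 minutes (page default)
RETRY = 10 * 60          # retry 10 minutes after a failed attempt (page default)
EXPIRE = 24 * 60 * 60    # secondary data expires 24 hours after last success


def validate_soa_timers(refresh, retry, expire):
    """Design checks on SOA timer values; returns a list of warnings."""
    warnings = []
    if retry >= refresh:
        warnings.append("retry should be shorter than refresh")
    if expire <= refresh + retry:
        warnings.append("expire must allow at least one refresh and one retry")
    return warnings


def secondary_timeline(master_up, horizon, refresh=REFRESH, retry=RETRY, expire=EXPIRE):
    """Simulate a secondary zone from a successful transfer at t=0 seconds.

    master_up(t) reports whether the master answers at time t.
    Returns (events, expired_at): events is a list of (time, description);
    expired_at is when the zone first expired, or None if it never did."""
    events = [(0, "transfer ok")]
    last_ok = 0
    expired_at = None
    t = refresh
    while t <= horizon:
        deadline = last_ok + expire
        if expired_at is None and t > deadline:
            # no success since last_ok: the secondary stops answering
            expired_at = deadline
            events.append((deadline, "zone expired: secondary stops answering"))
        if master_up(t):
            events.append((t, "refresh ok"))
            last_ok = t
            t += refresh           # next check after the refresh interval
        else:
            events.append((t, "transfer failed, retry scheduled"))
            t += retry             # next check after the shorter retry interval
    return events, expired_at


if __name__ == "__main__":
    # Constructed scenario: master goes down 30 minutes after the first transfer.
    events, expired = secondary_timeline(lambda t: t < 1800, horizon=90000)
    print("last good refresh:", events[1])
    print("failed attempts  :", sum(1 for _, d in events if d.startswith("transfer failed")))
    print("zone expired at  :", expired, "seconds")
    print("warnings for 900/1200/1500:", validate_soa_timers(900, 1200, 1500))
```

In the constructed scenario the last good refresh is at 15 minutes, so the secondary keeps answering until 24 hours after that point (87300 seconds), retrying every 10 minutes in between; a design that shortens expire without also reconsidering refresh shrinks that window further.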


Optimizing Active Directory Integrated Zones

Key Points
Active Directory integrated zones are stored in specialized application partitions in Active Directory. The ForestDNSZones partition is replicated to all domain controllers in the forest. The DomainDNSZones partition in each domain is replicated to all domain controllers within that domain. The _msdcs subdomain is in the ForestDNSZones partition by default, because it contains records for all Active Directory domains. In most cases, other zones are replicated only within the local domain. To optimize Active Directory integrated zones, you should optimize the performance of Active Directory. Using Active Directory sites allows you to control replication between physical locations. Placing the Active Directory database and logs on dedicated partitions can increase the performance of Active Directory queries and changes.


DNS Troubleshooting Tools

Key Points
Some common DNS troubleshooting tools are:
NSLookup. The NSLookup tool is used to query a DNS server. This allows you to verify that any DNS record is configured properly. For example, you can verify that a particular DNS server can resolve a hostname successfully.
DNScmd. The DNScmd tool is a command-line utility for viewing and changing the configuration of DNS servers and zones. It is typically considered an administration tool, but can be useful for troubleshooting.
DNSLint. The DNSLint tool is a command-line utility for diagnosing common DNS resolution issues. In particular, it can verify whether the necessary records are in place for Active Directory.

Note: DNSLint is not included with Windows Server 2008. For detailed information about DNSLint and to download DNSLint, visit the Description of DNSLint utility Web page at http://support.microsoft.com/kb/321045.


Discussion: Optimizing DNS Performance

Your classroom discussion will include what you can do to optimize DNS server performance.


Lesson 2

Designing DNS for High Availability and Security

To have highly available DNS, there must be at least two servers capable of servicing a DNS zone. The exact configuration you select will depend on your organization. You must also consider security as part of your DNS design.


Guidelines for Designing DNS Availability

Key Points
For the best DNS availability, consider the following guidelines:
Have at least two DNS servers authoritative for each zone. This ensures that if one DNS server is unavailable, the zone can be serviced by another DNS server. Depending on your design, more than two DNS servers may be desired.
Place DNS servers in separate subnets or sites. Placing DNS servers in separate sites ensures that a WAN link failure does not affect name resolution. Placing DNS servers in separate subnets reduces the possibility that routing problems will affect name resolution.
Place at least one DNS server in each Active Directory site. DNS is critical for Active Directory. Place a DNS server at each Active Directory site to ensure that a WAN link failure does not affect Active Directory. In most cases, two DNS servers should be configured for each site.
Configure clients with two DNS servers. Clients must be configured with two DNS servers to be fault tolerant. If the first DNS server cannot be contacted, clients will automatically contact the second DNS server.


Using Load Balancing for DNS Servers

Key Points
Load balancing provides both availability and scalability for DNS resolution. Multiple physical servers share a single virtual IP address. Clients communicate with the virtual IP address for name resolution. You can increase performance by adding extra nodes to the load balancing cluster. If a single node in the cluster fails, the remaining nodes continue responding to DNS queries. All nodes in the load balancing cluster must be located on the same subnet because they share a single virtual IP address on that subnet. When all nodes are on a single subnet, a load balancing cluster cannot protect against the failure of network links. Consequently, this approach is suitable for a centralized implementation of DNS, once the risks of network link failure have been considered and mitigated.


DNS Security Risks

Key Points
Common DNS attacks include the following:
Footprinting is the process of building a diagram or footprint of a DNS infrastructure by capturing DNS zone data. Attackers who are able to retrieve a list of hosts and IP addresses on your network gain valuable information that can be used to launch attacks against specific services.
A denial-of-service attack attempts to make network services unavailable by flooding one or more DNS servers in the network with recursive queries. The server's CPU usage eventually reaches its maximum and the DNS Server service becomes unavailable. Without a fully operating DNS server on the network, the network services that use DNS become unavailable to network users.
Data modification uses IP spoofing to modify zone data. By changing zone data, users can be redirected to fake Web servers, or e-mail can be redirected to a hacker-controlled server.
A redirection attack is one in which attackers redirect queries for DNS names to servers that are under their control. One method of redirection involves an attempt to corrupt the DNS cache of a server with erroneous data that directs future queries to servers under the control of the attacker.
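Two of the risks above, recursive-query flooding and cache redirection, and the "Disabling Recursion" topic in Lesson 1 come down to bits in the DNS message header: the RA flag tells you whether a server is offering recursion to whoever asks, and a resolver's defence against forged redirection replies starts with checking that a response carries the transaction ID and question of the query it sent. The following is an added illustration for this page, not Windows or DNS Server code: it builds a recursive query with the standard library, parses the response header, and applies those checks, so an administrator can confirm that an external server really has recursion disabled. The sample responses are constructed byte strings (an open server answering, a server returning REFUSED, and a reply with the wrong ID); the UDP helper and the names and IDs used are assumptions for the example.

```python
"""Defensive DNS response checks: does a server offer recursion (RA bit),
and does a response belong to the query we sent?  Added example for this
page; standard library only, runs offline on the constructed messages."""
import socket
import struct


def encode_name(name):
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname, qid, recursion_desired=True, qtype=1):
    """Single-question DNS query (qtype 1 = A, class 1 = IN)."""
    flags = 0x0100 if recursion_desired else 0x0000      # RD is bit 8
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Header fields relevant to recursion and spoofing checks."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # set on responses
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available: server offers it
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "qdcount": qd, "ancount": an,
    }


def response_problems(query, response):
    """Reasons a resolver should discard `response` as an answer to `query`."""
    if len(response) < 12:
        return ["truncated header"]
    problems = []
    q, r = parse_header(query), parse_header(response)
    if not r["qr"]:
        problems.append("QR bit not set (not a response)")
    if r["id"] != q["id"]:
        problems.append("transaction ID mismatch")
    question = query[12:]
    if response[12:12 + len(question)] != question:
        problems.append("question section does not echo the query")
    return problems


def recursion_offered(query, response):
    """True only if the response is valid for our query and RA is set."""
    if response_problems(query, response):
        return False
    return parse_header(response)["ra"]


def check_server(ip, qname="www.example.com", qid=0x1234, timeout=3.0):
    """Send one recursive query to your own server over UDP (assumed helper);
    returns 'open', 'closed' or 'no answer'."""
    query = build_query(qname, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        try:
            response, _ = s.recvfrom(512)
        except socket.timeout:
            return "no answer"
    return "open" if recursion_offered(query, response) else "closed"


# ---- constructed sample messages so the checks run offline ----
QUERY = build_query("www.example.com", 0x1234)
QUESTION = QUERY[12:]
# Recursion enabled: flags QR|RD|RA, NOERROR, one A record (pointer to question name).
OPEN_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 5]))
# Recursion disabled: flags QR|RD, RCODE 5 (REFUSED), no answers.
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
# Forged reply carrying the wrong transaction ID.
SPOOFED_RESPONSE = struct.pack("!HHHHHH", 0x4321, 0x8180, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print("open server  :", recursion_offered(QUERY, OPEN_RESPONSE))
    print("refused      :", recursion_offered(QUERY, REFUSED_RESPONSE),
          "rcode", parse_header(REFUSED_RESPONSE)["rcode"])
    print("spoofed reply:", response_problems(QUERY, SPOOFED_RESPONSE))
```

After disabling recursion on an external server, a query for a name it is not authoritative for should come back with RA clear (typically REFUSED or an empty referral) rather than an answer; if `recursion_offered` still returns True, the server is still usable as an amplifier and resolver by anyone on the Internet. The ID and question checks are the minimum a resolver applies before accepting a reply, which is why the cache-corruption attack described above depends on guessing them.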


DNS Security Policies

Key Points
DNS security can be configured as:
Low. This is the default configuration for DNS servers that are not running on domain controllers. The low DNS security policy is appropriate when there are no concerns about data integrity or when a private network has no external connectivity.
Medium. This configuration disables dynamic updates and limits zone transfers to protect zone data. Active Directory integrated zones are not required. Internal DNS servers are isolated from the Internet by using a proxy.
High. This configuration requires the use of Active Directory integrated zones to implement secure dynamic updates. Only domain controllers can be configured as DNS servers. Also, security is configured to restrict DNS modification to specific individuals.

For more information, see "Enterprise Design for DNS".


Discussion: Guidelines for Designing DNS Security

Your classroom discussion will address best practices for securing DNS servers.


Lesson 3

Designing a WINS Name Resolution Strategy

WINS is the most common method for resolving NetBIOS names on a network. To provide fault tolerance and increased performance, you may need to implement multiple WINS servers. To aid organizations attempting to migrate completely to DNS resolution, Windows Server 2008 includes the ability to resolve single-label names in a GlobalNames zone.


Options for NetBIOS Name Resolution

Key Points
Windows clients attempt to resolve NetBIOS names first by using a WINS server, then by broadcast, and finally by using the contents of an LMHOSTS file. The options you configure will be based on your needs.

Broadcast resolution of NetBIOS names is suitable only for very small organizations with a single subnet, because broadcasts are not routed. However, because this process is dynamic, static IP addresses are not required.

An LMHOSTS file can be used in a multi-subnet environment, but it requires static IP addresses. Managing the LMHOSTS files on many computers can consume a significant amount of administrator time. Therefore, using an LMHOSTS file is suitable only for small organizations.

WINS can be used for any size of organization with NetBIOS name resolution. WINS eliminates broadcast traffic, and can be used across multiple subnets. In addition, it does not require the use of static IP addresses.


Scenarios Requiring Multiple WINS Servers

Key Points
You should have multiple WINS servers when:
WAN links are overloaded by WINS requests. WINS servers can be placed in multiple locations to reduce WAN traffic. Replication of WINS information typically generates less network traffic than the WINS registrations and lookups performed by many clients.
Redundancy is required to improve availability. When multiple WINS servers are in place, clients can be configured to use more than one. Then, if the first WINS server is unavailable, clients can use one of the remaining WINS servers.
There are more than 10,000 clients. A single WINS server can comfortably service approximately 10,000 clients. To enhance scalability, you can configure additional WINS servers. You can determine the need for additional servers by monitoring the performance of your WINS server.


WINS Fault Tolerance

Key Points
You can plan for network outages and hardware failures by determining the maximum length of time that any WINS server can be out of service on your network, factoring in the length of both planned and unplanned outages. You should also consider what happens to your WINS clients if their primary WINS server is shut down. You can reduce the effects of a single WINS server being offline by maintaining and assigning secondary WINS servers for clients. Assuming that a hub-and-spoke design is used for replication, clients in remote locations should be configured to use a local WINS server first. The clients should be configured to use the WINS server in the hub location as a secondary WINS server.
Note: For greater availability in the hub site, you can use clustering of the WINS server.


DNS GlobalNames Zone

Key Points
Windows Server 2008 DNS servers are capable of using a GlobalNames zone to help retire WINS by resolving single-label names. The GlobalNames zone does not replace dynamically generated NetBIOS records; it is designed to provide name resolution for a few specific names that are configured manually. GlobalNames should be created as an Active Directory integrated zone. In this zone, CNAME records are created that point to the host (A) records for specific servers. By default, when GlobalNames support is enabled on the DNS server, the DNS server will attempt to resolve any DNS request in the GlobalNames zone if it cannot be resolved based on the fully qualified name. For dynamic updates, the GlobalNames zone is checked first to guarantee uniqueness.


The GlobalNames zone may help in the retirement of NetBIOS names. When Windows clients attempt to resolve NetBIOS names, they use DNS resolution if the name cannot be resolved by using standard NetBIOS name resolution methods. As well, many administrators like the convenience of single label names for UNC paths and other purposes that can use hostnames.

For more information, see "DNS Server GlobalNames Zone Deployment".
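The two rules stated above, fully qualified name first and GlobalNames second for queries, and GlobalNames first for dynamic updates, determine both why a GlobalNames alias "just works" for a client that appends its DNS suffix and why a workstation cannot later register a conflicting host name. The following is an added illustration for this page, not DNS Server code: a small in-memory model of those two rules, populated the way the lab in this module does (a GlobalNames zone holding NBSrv as a CNAME to NYC-DC1.WoodgroveBank.com). The IP addresses, the lon-ws1 host name and the loop guard are constructed assumptions.

```python
"""Model of GlobalNames zone behaviour on a Windows Server 2008 DNS server:
FQDN lookup first, then the single-label name in GlobalNames; dynamic
updates check GlobalNames first.  Added illustration, not DNS Server code;
IP addresses are constructed."""


class DnsServerModel:
    def __init__(self, global_names_support=True):
        # zone name -> {owner name -> (record type, data)}, all lower-case.
        # GlobalNames owners are single labels; other zones use full names.
        self.zones = {}
        # mirrors: dnscmd <server> /config /enableglobalnamessupport 1
        self.global_names_support = global_names_support

    def add_zone(self, zone):
        self.zones[zone.lower()] = {}

    def add_record(self, zone, owner, rtype, data):
        self.zones[zone.lower()][owner.lower()] = (rtype.upper(), data.lower())

    def _authoritative(self, name):
        """Record for a full name from the zone that contains it, or None."""
        for zone, records in self.zones.items():
            if zone != "globalnames" and (name == zone or name.endswith("." + zone)):
                return records.get(name)
        return None

    def resolve(self, qname, _depth=0):
        """IP address for qname, or None if it cannot be resolved."""
        if _depth > 8:              # assumed guard against CNAME loops
            return None
        name = qname.rstrip(".").lower()
        rec = self._authoritative(name)
        if rec is None and self.global_names_support:
            # FQDN lookup failed: try the left-most label in GlobalNames
            rec = self.zones.get("globalnames", {}).get(name.split(".")[0])
        if rec is None:
            return None
        rtype, data = rec
        if rtype == "CNAME":
            return self.resolve(data, _depth + 1)   # follow alias to its A record
        return data

    def dynamic_update(self, fqdn, ip):
        """Register a host (A) record; returns False when refused."""
        name = fqdn.rstrip(".").lower()
        if self.global_names_support and name.split(".")[0] in self.zones.get("globalnames", {}):
            return False        # GlobalNames is checked first to keep names unique
        for zone, records in self.zones.items():
            if zone != "globalnames" and name.endswith("." + zone):
                records[name] = ("A", ip)
                return True
        return False            # no authoritative zone for this name


def lab_server(global_names_support=True):
    """Server populated like the lab: GlobalNames holds NBSrv -> NYC-DC1."""
    s = DnsServerModel(global_names_support)
    s.add_zone("WoodgroveBank.com")
    s.add_record("WoodgroveBank.com", "NYC-DC1.WoodgroveBank.com", "A", "10.10.0.10")  # constructed IP
    s.add_zone("GlobalNames")
    s.add_record("GlobalNames", "NBSrv", "CNAME", "NYC-DC1.WoodgroveBank.com")
    return s


if __name__ == "__main__":
    s = lab_server()
    print("NBSrv.WoodgroveBank.com ->", s.resolve("NBSrv.WoodgroveBank.com"))
    print("same query, support off ->", lab_server(False).resolve("NBSrv.WoodgroveBank.com"))
    print("register nbsrv.woodgrovebank.com:", s.dynamic_update("nbsrv.woodgrovebank.com", "10.10.0.99"))
    print("register lon-ws1.woodgrovebank.com:", s.dynamic_update("lon-ws1.woodgrovebank.com", "10.20.0.5"))
```

The model shows the property that makes GlobalNames a partial WINS replacement: a client pinging NBSrv sends the suffixed query NBSrv.WoodgroveBank.com, the authoritative lookup fails, and the single label is found in GlobalNames; with support turned off the same query returns nothing, which is exactly what the dnscmd step in the lab changes.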


Lesson 4

Designing WINS Replication and Integration

WINS replication is used to synchronize records between WINS servers. You need to determine how replication will be configured to ensure adequate performance. Also, you need to consider how DNS and WINS are integrated.


Selecting a WINS Replication Type

Key Points
WINS servers can use push and pull replication. In most cases, push and pull replication are both used between replication partners. This avoids the shortcomings of both methods.

Push replication occurs after a specified number of changes occur. This allows changes to be sent as a batch and reduces network overhead. However, replication can take a longer period of time if there are only a small number of changes, because it takes a long time to reach the necessary threshold.

Pull replication occurs after a specified period of time. This ensures that all changes are synchronized within a reasonable time period. However, in periods of high activity, changes may not be sent quickly enough.
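The shortcomings described above can be put in numbers by replaying a set of record changes against the three configurations. The following is an added illustration for this page, not WINS code: a simulation in which a push partner sends after a set number of pending changes, a pull partner collects whatever is pending at a fixed interval, and a push/pull partner does both. The change timestamps, the threshold of 3 changes and the one-hour pull interval are constructed values.

```python
"""Simulation of WINS push, pull and push/pull replication to one partner.
Added illustration, not WINS code; change times, threshold and interval
are constructed."""


def simulate_replication(change_times, horizon, push_threshold=None, pull_interval=None):
    """Replicate a queue of record changes to one partner.

    change_times: seconds at which records changed on the source server.
    push_threshold: send when this many changes are pending (None = no push).
    pull_interval: partner pulls every this many seconds (None = no pull).
    Returns (events, latency, unsent): events = [(time, trigger, count)],
    latency = {change_time: seconds until it reached the partner},
    unsent = changes still pending when the simulation ends at `horizon`."""
    pending, events, latency = [], [], {}

    def flush(at, trigger):
        if pending:                       # a pull with nothing new sends nothing
            for c in pending:
                latency[c] = at - c
            events.append((at, trigger, len(pending)))
            pending.clear()

    next_pull = pull_interval
    for t in sorted(change_times):
        # any pull cycles that came due before this change
        while next_pull is not None and next_pull <= t:
            flush(next_pull, "pull")
            next_pull += pull_interval
        pending.append(t)
        if push_threshold is not None and len(pending) >= push_threshold:
            flush(t, "push")              # batch reached the push threshold
    while next_pull is not None and next_pull <= horizon:
        flush(next_pull, "pull")
        next_pull += pull_interval
    return events, latency, list(pending)


def worst_latency(change_times, horizon, **settings):
    """Largest replication delay seen, or None if a change never replicated."""
    _, latency, unsent = simulate_replication(change_times, horizon, **settings)
    if unsent:
        return None
    return max(latency.values()) if latency else 0


if __name__ == "__main__":
    quiet = [100, 5000]            # constructed: two changes in two hours
    burst = [10, 20, 30, 40]       # constructed: four changes in forty seconds
    for label, changes in (("quiet", quiet), ("burst", burst)):
        print(label, "push only:", worst_latency(changes, 7200, push_threshold=3))
        print(label, "pull only:", worst_latency(changes, 7200, pull_interval=3600))
        print(label, "push+pull:", worst_latency(changes, 7200, push_threshold=3,
                                                  pull_interval=3600))
```

Push alone never sends the quiet period's two changes (the threshold is never reached) and leaves the fourth change of the burst waiting; pull alone delays every change of the burst for almost the full hour; push and pull together deliver the burst within seconds and still bound the quiet-period delay by the pull interval, which is the behaviour the paragraph recommends.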


Selecting a Partner Replication Method

Key Points
Automatic partner configuration uses multicasts to locate other WINS servers as replication partners. This solution is not very scalable because you cannot control the replication path for WINS updates. Also, many organizations restrict multicast packets over WAN links. Automatic partner configuration is best suited to organizations with three or fewer WINS servers and a single location. Manual partner configuration requires more initial administrative work than automatic partner configuration, but it allows for complete flexibility in design. This allows you to optimize the WINS replication on your network and provides better scalability.


Selecting a WINS Replication Topology

Key Points
The most commonly implemented replication topology is a hub-and-spoke topology. A single server is designated as the hub and other WINS servers replicate with the hub. This design must be manually configured. A hub-and-spoke topology provides excellent scalability by minimizing replication latency. In addition, it mirrors the WAN design used in most organizations.


Guidelines for Interoperability with DNS

Key Points
Consider the following guidelines for interoperability with DNS:
Do not use extended characters in NetBIOS names that cannot be used in DNS names. The underscore (_) character is one example of an extended character that is not supported by DNS. However, DNS and NetBIOS both support the use of the dash (-) character.
If possible, retire the use of NetBIOS names. This may require updating applications and older operating systems. The implementation of a GlobalNames DNS zone may assist in this process.


Integrate DNS with WINS by using WINS Lookup and WINS Reverse Lookup records. When configured, a DNS server can use WINS to resolve hostnames for a specific zone. Unlike the GlobalNames zone, WINS integration with DNS must be configured for each zone and subdomain for which it is required.

For more information, see "Help Topic: Enable DNS to Use WINS Resolution".
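The first guideline above is easy to check mechanically across a computer inventory before a WINS retirement: DNS host names may contain only letters, digits and hyphens and may not begin or end with a hyphen, while NetBIOS names may contain characters such as the underscore. The following is an added illustration for this page, not Windows code: a checker that reports, for each NetBIOS computer name, why it would not work as a DNS host name, and a renaming suggestion that replaces each disallowed character with the dash both naming systems accept. The sample names are constructed.

```python
"""Checks NetBIOS computer names against DNS host name rules.
Added illustration, not Windows code; sample names are constructed."""

NETBIOS_MAX = 15   # NetBIOS computer names: 15 characters (16th byte is the suffix)


def _dns_allowed(ch):
    """DNS host names use letters, digits and the hyphen only (LDH rule)."""
    return ch.isascii() and (ch.isalnum() or ch == "-")


def dns_compatibility(name):
    """Return a list of reasons the NetBIOS name is not a valid DNS host name
    (empty list means it can be used unchanged)."""
    if not name:
        return ["empty name"]
    issues = []
    if len(name) > NETBIOS_MAX:
        issues.append(f"longer than {NETBIOS_MAX} characters (NetBIOS limit)")
    bad = sorted({c for c in name if not _dns_allowed(c)})
    if bad:
        issues.append("contains characters not allowed in DNS host names: " + "".join(bad))
    if name.startswith("-") or name.endswith("-"):
        issues.append("DNS labels may not begin or end with a hyphen")
    return issues


def suggest_dns_name(name):
    """Replace each disallowed character with a hyphen, which both NetBIOS
    and DNS support, and trim hyphens from the ends."""
    return "".join(c if _dns_allowed(c) else "-" for c in name).strip("-")


def migration_report(names):
    """Map every name that needs attention to its issues and a suggestion."""
    report = {}
    for n in names:
        issues = dns_compatibility(n)
        if issues:
            report[n] = {"issues": issues, "suggest": suggest_dns_name(n)}
    return report


if __name__ == "__main__":
    inventory = ["FILE-SRV01", "FILE_SRV01", "SQL_01", "-OLDPRINT", "AVERYLONGCOMPUTERNAME"]  # constructed
    for name, detail in migration_report(inventory).items():
        print(f"{name}: {'; '.join(detail['issues'])} -> suggest {detail['suggest']}")
```

Running the report over the computer inventory before retiring NetBIOS names gives the list of hosts that must be renamed (or that need a GlobalNames alias) rather than discovering them one at a time when an application stops resolving.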


Lab: Designing Advanced Name Resolution

Scenario
You have recently completed the high level design for DNS name resolution at Woodgrove Bank. You now need to create some detailed configuration information for DNS servers to optimize name resolution and secure the DNS servers appropriately. You also need to design name resolution for NetBIOS names to support older applications.


Exercise 1: Optimizing DNS Servers


The high level design of DNS zones and their locations has been completed. You now need to determine the detailed configuration that is required on each DNS server to support that design. Considerations include root hints and forwarding. The requirements for the implementation are:
DNS servers are located only at hub sites.
Only DNS servers in the New York hub site can resolve Internet DNS names.
The DNS servers in the New York hub site must be protected from the Internet.
The server responsible for the external WoodgroveBank.com domain should be protected from denial-of-service attacks based on recursive queries.
All DNS servers should cache resolved names to reduce network traffic.

Use the following documents to complete your design:
M6_Physical.png
M7_DNSConfiguration.doc

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine configuration for internal DNS servers.
3. Determine configuration for external DNS servers.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-LON-DC1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Determine configuration for internal DNS servers


1. Which DNS servers should be able to perform recursive lookups?
2. Which DNS servers should use forwarding, and how is it configured?
3. Which DNS servers should use root hints to look up names?
4. How will DNS servers in New York performing external lookups be protected from the Internet?
5. How should caching be configured on the DNS servers?

Task 3: Determine configuration for external DNS servers


1. What configuration should be performed on external servers hosting the WoodgroveBank.com domain to prevent denial-of-service attacks?
2. How should root hints be configured on the external DNS servers performing external lookups?


Exercise 2: Designing High Availability for Name Resolution


Most services on the Woodgrove Bank network rely on DNS name resolution for full functionality. It is critical that DNS is highly available. Each hub site has at least two domain controllers that can be configured as DNS servers.

Task 1: Determining high availability methods for external DNS servers


1. How will you configure high availability for the external DNS servers hosting WoodgroveBank.com?
2. Will DNS servers be hosted in multiple locations?

Task 2: Determining high availability methods for internal DNS servers


1. How many DNS servers will be located at each hub site?
2. What method will you use to configure DNS servers as highly available?
3. How will clients be configured to support high availability of DNS?


Exercise 3: Designing WINS


There are a few older applications that rely on NetBIOS name resolution for proper functionality. You must determine how WINS will be implemented to support those applications. The requirements for NetBIOS name resolution are:
Applications requiring NetBIOS name resolution support are in New York, London, and Tokyo.
Users for the applications are located in all areas of the organization, but access the applications through terminal services.
Registered NetBIOS names must be replicated and synchronized between all WINS servers.
Failure of WAN links should not affect NetBIOS name resolution.

Task 1: Determine the requirements for NetBIOS name resolution


1. Which computers need to register and resolve NetBIOS names?
2. Where should WINS servers be located?
3. How would your plan change if NetBIOS applications were installed on all computers?

Task 2: Determine how WINS replication will be configured


1. What type of replication should be used between WINS servers?
2. What replication topology should be used between WINS servers?

Task 3: Determine how WINS will be integrated with DNS


1. Is there a need for WINS integration with DNS?
2. How can a GlobalNames DNS zone reduce the need for WINS?

Exercise 4: Implementing a GlobalNames Zone


You would like to test whether one of your applications requiring NetBIOS name resolution can be supported by using a GlobalNames zone. To do this, you will configure an application client and server without WINS and test them. In the following steps you implement the GlobalNames zone that they will use.

Task 1: Create a GlobalNames zone


On NYC-DC1, create a GlobalNames forward lookup zone by using DNS Manager.
Primary zone
Store the zone in Active Directory
Replication: To all DNS servers in the forest
Zone name: GlobalNames
Do not allow dynamic updates

Task 2: Enable support for a GlobalNames zone


1. On NYC-DC1, run the command dnscmd nyc-dc1 /config /enableglobalnamessupport 1.
2. On LON-DC1, run the command dnscmd lon-dc1 /config /enableglobalnamessupport 1.

Task 3: Configure records in a GlobalNames zone


On NYC-DC1, use DNS Manager to add a new CNAME record in the GlobalNames zone.
Alias name: NBSrv
Target host: NYC-DC1.WoodgroveBank.com

Task 4: Verify replication to LON-DC1


On LON-DC1, use DNS Manager to verify that the NBSrv record exists in the GlobalNames zone. You may need to wait several minutes for the record to appear.

Task 5: Test resolution of records in a GlobalNames zone


On LON-DC1, ping NBSrv to verify name resolution.

Task 6: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Designing Network Access Solutions

8-1

Module 8
Designing Network Access Solutions
Contents
Lesson 1: Gathering Data for Designing Network Access Solutions 8-3
Lesson 2: Securing and Controlling Network Access 8-11
Lesson 3: Designing Remote Access Services 8-21
Lesson 4: Designing RADIUS Authentication with Network Policy Services 8-31
Lesson 5: Designing Wireless Access 8-39
Lab: Designing a Network Access Solution 8-48


Module Overview

Network access solutions provide roaming users with access to network resources. To provide an appropriate solution, you must gather the necessary data about business requirements and the existing configuration of the network. As part of designing a network access solution, you need to consider the use of RADIUS for authentication. Also, you should consider wireless users in your organization.


Lesson 1

Gathering Data for Designing Network Access Solutions

To design an appropriate network access solution, you must first gather data about business needs and user requirements. You must also gather information about security requirements. After gathering all of the requirements you can consider what types of network access need to be configured.


Business Requirements

Key Points
When determining business requirements, you need to consider:
Internal staff. Various members of the organization may need access to data from a non-traditional location. Some internal staff to consider are: traveling executives, sales people on the road, users with mobile devices, and users with wireless connections.
External users. You may need to provide access for external users to access data or applications in your organization. The external users can include partners, suppliers, or vendors.
The data being accessed. The type of access you provide will, in part, be based on the type of data that is being accessed. If an application needs to be accessed remotely, then Terminal Services may be an effective solution. A secure Web site may be the most appropriate solution if only a small amount of data needs to be accessed remotely.


User Requirements

Key Points
When determining user requirements, you need to consider:
The tasks performed by internal staff. The type of access you provide will vary depending on the tasks being performed by internal staff. For example, applications requiring fast data connectivity may not be appropriate for VPN connections.
The tasks performed by external users. The type of access you provide will vary depending on the tasks being performed by external users. For example, if external users are performing data entry into a Web-based application, using SSL may provide sufficient security.
The length of connection. The length of a user connection is important because the connection length for some network access methods can be limited. You must ensure that your network access method does not disconnect users and cause problems. For example, if external users connect to a VPN for up to 12 hours at a time, you should ensure that the VPN server allows connections for at least 12 hours.
The number of concurrent users. The number of concurrent users is important because you must design your network access solution to support the maximum number of concurrent users that are expected and allocate for growth. For example, if you expect there to be 150 concurrent VPN connections, you must ensure that your Internet connection and VPN server can handle that capacity.


Security Requirements

When determining security requirements, you need to consider:
Types of client computers. Different operating systems have different security capabilities. Knowing the types of client computers in use helps you determine whether a third-party solution is required for additional security.
Need for encryption. In general, data that travels over public networks should be encrypted. Depending on how sensitive the data is, you may also need to encrypt it over internal networks.
Portions of the network to be accessed. As part of a security design, you will segment your network into security zones. You can restrict specific types of clients to specific security zones to mitigate the risk of an unauthorized user gaining access to data. For example, VPN users may be given access only to a subset of servers in your organization, with sensitive data unavailable through a VPN connection.


Discussion: Network Access Types

Your classroom discussion will include instances when you would use various access types.


Guidelines for Gathering Data for a Network Access Design

Key Points
When gathering data for a remote access infrastructure design, consider the following guidelines:
Determine and document any existing network access infrastructure. Gather data about the number and types of users, the types of connections used, and the length of connections. Also, gather data about the types of servers and client computers used and the connection protocols used.
Interview administrator groups, user groups, application groups, security groups, management groups, and any other groups that will be part of the network access design. Failure to gather information from a key group might cause the design to fail.
Collect data on the specific security needs of your organization. Your remote access design should balance the business needs for accessing data with the security needs of restricting access to data. Failure to gather security information might lead to a design that has security flaws and is susceptible to unauthorized access to data of the organization.
Gather information about the future needs of your organization. This ensures that the design remains valid over time and avoids the need for an expensive redesign. Most network access designs take into account the anticipated growth for the next three to five years.

Lesson 2

Securing and Controlling Network Access

When designing network access, you must determine a number of characteristics for the connections. For remote access connections through Routing and Remote Access Server (RRAS), you can select an appropriate authentication method and encryption method. You must also determine the appropriate network policies to restrict remote access to authorized users.

Authentication Methods

Key Points
When Windows Server 2008 is configured with the RRAS role, many authentication methods are supported. However, many are supported only for backward compatibility with older systems and should not typically be used. For example, Password Authentication Protocol (PAP) sends authentication credentials in cleartext over the network.

Authentication protocols and their uses:
- MS-CHAPv2. Use for password-based authentication of VPN or dial-up connections. Not supported by Windows 95.
- EAP-TLS. Use for certificate-based authentication using smart cards for VPN or dial-up connections. Not supported by Windows 98 or Windows NT 4.0.
- PEAP. Use to support the authentication of wireless client computers by a RADIUS server. PEAP is not supported for VPN or dial-up clients.

Note: EAP-MD5 is deprecated in Windows Vista and Windows Server 2008. Its use is no longer recommended due to security weaknesses.

Encryption Methods

Key Points
The encryption method used for securing data while in transit varies depending on the type of VPN connection that is being used. Windows Server 2008 supports the use of Microsoft Point-to-Point Encryption (MPPE), Internet Protocol Security (IPSec), and Secure Sockets Layer (SSL).

MPPE uses the Rivest-Shamir-Adleman (RSA) public-key cipher for encryption and decryption with an RC4 stream cipher to encrypt data for Point-to-Point Protocol (PPP) or PPTP connections. PPTP connections use MPPE with MS-CHAP, MS-CHAP v2, EAP-MD5 Challenge, or EAP-TLS authentication.

IPSec is used for encryption by L2TP VPN connections. The authentication performed by IPSec can be based on a pre-shared key, Kerberos authentication, or certificates; basing authentication on certificates is recommended. In addition, L2TP performs user-based authentication with CHAP, MS-CHAP, MS-CHAP v2, EAP-MD5 Challenge, or EAP-TLS authentication.

SSL is used for encryption by a Secure Socket Tunneling Protocol (SSTP) VPN connection. SSL requires a certificate to be installed on the server, but not on the client computers. SSL is firewall friendly because it is a Web protocol.

IPSec and SSL are considered more secure than MPPE encryption. IPSec provides additional authentication security by requiring computer-based authentication. However, the additional computer-based authentication used by IPSec requires additional administrative effort.

Network Policies

Key Points
Network policies are used to control authentication to Windows Server 2008 dial-up, VPN, and RADIUS servers. Permission for connections can also be granted by editing user properties. It is most efficient to create network policies that grant access based on Windows groups and other criteria.

Network policies are composed of:
- Conditions that determine whether a policy is used to evaluate a connection request. These include user groups, day and time restrictions, or operating systems.
- Access permissions that allow or deny a connection attempt. They can also indicate that user dial-in properties are examined.
- Authentication methods that limit the authentication methods that are allowed. This can restrict the authentication method even if a VPN or dial-up server allows the method.
- Constraints that impose limits on the connection, such as idle time or maximum connection time.
- Settings that are imposed on the connection, such as encryption or IP filters.

Network Policy Processing

Key Points
The default network policies deny access to all users. This ensures that only users you have specifically granted access are allowed. To allow users access, you create additional network policies with conditions that match authorized users. You must place policies in the correct order for processing. Only the first policy with matching conditions is evaluated. If the first matching policy denies access, no additional policies are evaluated and the user is denied access.
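The first-match processing described above, as an added example that is not code from the course or from NPS itself: a small Python model of an ordered policy set, with constructed policy names and groups and a catch-all deny standing in for the default policy. It shows why the position of a deny policy changes the outcome for a user who matches more than one policy, and why the catch-all deny must stay last.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    groups: FrozenSet[str]      # Windows groups the authenticating user belongs to
    tunnel_type: str            # "PPTP", "L2TP" or "SSTP"
    when: datetime              # time the request reaches the policy engine


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    grant: bool                                      # access permission: True = grant, False = deny
    groups: FrozenSet[str] = frozenset()             # condition: user is in at least one of these groups
    tunnel_types: FrozenSet[str] = frozenset()       # condition: tunnel type is one of these
    weekday_hours: Optional[Tuple[int, int]] = None  # condition: Monday-Friday, hour in [start, end)

    def matches(self, req: ConnectionRequest) -> bool:
        """Every configured condition must hold; an unset condition means 'any'."""
        if self.groups and not (self.groups & req.groups):
            return False
        if self.tunnel_types and req.tunnel_type not in self.tunnel_types:
            return False
        if self.weekday_hours is not None:
            start, end = self.weekday_hours
            if req.when.weekday() > 4 or not (start <= req.when.hour < end):
                return False
        return True


def evaluate(policies: List[NetworkPolicy], req: ConnectionRequest) -> Tuple[str, Optional[str]]:
    """First-match processing: the first policy whose conditions match decides,
    and no later policy is consulted. A request matching no policy is denied."""
    for policy in policies:
        if policy.matches(req):
            return ("granted" if policy.grant else "denied"), policy.name
    return "denied", None


# Constructed policy set in processing order. The last entry is a catch-all deny
# standing in for the default policy; names and groups are assumptions.
POLICIES = [
    NetworkPolicy("Allow Sales VPN (business hours)", True,
                  groups=frozenset({"Sales"}),
                  tunnel_types=frozenset({"SSTP", "L2TP"}),
                  weekday_hours=(7, 19)),
    NetworkPolicy("Allow Domain Admins", True, groups=frozenset({"Domain Admins"})),
    NetworkPolicy("Deny Contractors", False, groups=frozenset({"Contractors"})),
    NetworkPolicy("Default deny (catch-all)", False),
]


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    tuesday_noon = datetime(2024, 3, 5, 12, 0)
    sunday_noon = datetime(2024, 3, 10, 12, 0)
    sales_sstp = ConnectionRequest("alice", frozenset({"Sales"}), "SSTP", tuesday_noon)
    sales_pptp = ConnectionRequest("alice", frozenset({"Sales"}), "PPTP", tuesday_noon)
    contractor = ConnectionRequest("bob", frozenset({"Sales", "Contractors"}), "SSTP", tuesday_noon)
    weekend_admin = ConnectionRequest("carol", frozenset({"Domain Admins", "Sales"}), "SSTP", sunday_noon)

    # Same policies, but with the deny policy moved to the front of the list.
    deny_first = [POLICIES[2], POLICIES[0], POLICIES[1], POLICIES[3]]

    return {
        "sales_sstp": evaluate(POLICIES, sales_sstp),
        "sales_pptp": evaluate(POLICIES, sales_pptp),              # tunnel type fails: falls to catch-all
        "contractor_in_sales": evaluate(POLICIES, contractor),      # granted: the Sales policy matches first
        "contractor_deny_first": evaluate(deny_first, contractor),  # denied: order changed the outcome
        "weekend_admin": evaluate(POLICIES, weekend_admin),          # Sales policy fails the hours condition
    }
```

The contractor case is the one to check in a real design: a user in both a granting group and a denying group gets whichever policy is listed first, so deny policies for a group generally belong above the grants that the same users could match.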

Demonstration: Configuring Network Policies

Question: How do you know that the default policies will be processed last?

Remote Access Monitoring

Key Points
When designing your network access infrastructure, include monitoring and auditing in your design. Monitoring and auditing remote access connections and attempted connections enables you to determine:
- How secure your remote access infrastructure is.
- Whether your remote access solution meets the needs of current remote access users.
- Whether the current remote access infrastructure is adequate to meet the future growth for remote access.
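An added example, not from the course, of the kind of checks such monitoring supports: Python over a constructed, simplified log (not the native NPS or RRAS log format) with one row per authentication outcome or accounting event. It flags accounts with repeated rejected attempts, which bears on how secure the entry point is, and derives peak concurrent sessions to compare with the configured capacity, which bears on current needs and growth. Users, addresses and the port count are all assumptions.

```python
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

# Constructed, simplified remote access log; NOT the native NPS/RRAS log format.
# One row per authentication outcome (accept/reject) or accounting event (start/stop).
SAMPLE_LOG = """\
time,user,event,source
2024-03-05T08:01:10,alice,accept,198.51.100.20
2024-03-05T08:01:11,alice,start,198.51.100.20
2024-03-05T08:05:00,bob,reject,203.0.113.77
2024-03-05T08:05:09,bob,reject,203.0.113.77
2024-03-05T08:05:20,bob,reject,203.0.113.77
2024-03-05T08:05:31,bob,reject,203.0.113.77
2024-03-05T08:10:00,carol,accept,198.51.100.41
2024-03-05T08:10:01,carol,start,198.51.100.41
2024-03-05T08:12:00,dave,reject,198.51.100.50
2024-03-05T08:12:30,dave,accept,198.51.100.50
2024-03-05T08:12:31,dave,start,198.51.100.50
2024-03-05T08:40:00,alice,stop,198.51.100.20
2024-03-05T09:00:00,carol,stop,198.51.100.41
2024-03-05T09:30:00,dave,stop,198.51.100.50
"""

Record = Dict[str, str]


def parse_log(text: str) -> List[Record]:
    """Parse the CSV and order by timestamp (ISO 8601 strings sort lexically)."""
    return sorted(csv.DictReader(StringIO(text)), key=lambda r: r["time"])


def repeated_failures(records: List[Record], threshold: int = 3) -> Dict[str, dict]:
    """Users with at least `threshold` rejected attempts, with the sources involved.
    A burst of rejects against one account is the first sign of password guessing
    at the remote access entry point; a single reject (dave) is normal user error."""
    rejects: Counter = Counter()
    sources: Dict[str, set] = {}
    for r in records:
        if r["event"] == "reject":
            rejects[r["user"]] += 1
            sources.setdefault(r["user"], set()).add(r["source"])
    return {user: {"rejects": n, "sources": sorted(sources[user])}
            for user, n in rejects.items() if n >= threshold}


def peak_concurrent_sessions(records: List[Record]) -> int:
    """Highest number of simultaneous sessions seen, from accounting start/stop."""
    active = peak = 0
    for r in records:
        if r["event"] == "start":
            active += 1
            peak = max(peak, active)
        elif r["event"] == "stop":
            active -= 1
    return peak


def capacity_report(records: List[Record], configured_ports: int) -> dict:
    """Compare the observed peak load with the ports the remote access server offers."""
    peak = peak_concurrent_sessions(records)
    return {"peak_sessions": peak, "configured_ports": configured_ports,
            "utilisation": round(peak / configured_ports, 2)}
```

With the sample data, `repeated_failures` reports only bob (four rejects from one source), and `capacity_report(parse_log(SAMPLE_LOG), 10)` shows a peak of three sessions against ten configured ports.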

Lesson 3

Designing Remote Access Services

When users require remote access to the network, you first need to determine the type of remote access to be provided. In most cases, a VPN will be provided for remote access. When planning implementation of VPN services, you must determine the VPN tunneling protocol, select appropriate hardware, and place the VPN server in an appropriate area of the network.

Remote Access Methods

Key Points
VPN is the most commonly used remote access method for modern networks. A VPN encrypts data for transmission over the Internet. Internet access is easy to obtain in most areas and is inexpensive.

Dial-up networking is more expensive than a VPN because long distance charges are often incurred. Also, dial-up connections are relatively slow, at a maximum of 56 Kbps. However, in some cases an Internet connection cannot be obtained and dial-up networking is the only connectivity available.

RPC over HTTP is used for specific applications to allow connectivity through firewalls. RPC-based applications use randomly selected port numbers, which makes it difficult to allow data packets from RPC-based applications through firewalls. RPC over HTTP encapsulates the RPC packets in HTTP packets, which use a single consistent port number for easier firewall configuration. RPC over HTTP can be secured with SSL.

VPN Tunneling Protocols

Key Points
PPTP is a VPN protocol supported by Windows 98, Windows NT, Windows 2000, Windows XP, and Windows Vista clients. This is a simple VPN type to implement because it requires only a username and password for authentication. In some cases, PPTP may be blocked by firewalls.

L2TP is a VPN protocol supported by Windows 2000, Windows XP, and Windows Vista clients. This type of VPN uses IPSec for encryption and consequently requires additional configuration. L2TP authenticates users for the connection and IPSec authenticates the remote computer. In some cases, IPSec may be blocked by a firewall. In addition, some older firewalls may not allow IPSec to properly traverse NAT.

SSTP is a new VPN protocol in Windows Server 2008. It is supported only by Windows Vista clients with Service Pack 1. SSTP is more secure than PPTP and does not require the additional administrative overhead of L2TP because there is no computer authentication. Also, SSTP uses TCP port 443, which is unlikely to be blocked by any firewall.

For more information about secure socket tunneling, see "The Cable Guy: The Secure Socket Tunneling Protocol" on the Microsoft Web site.

Hardware Considerations

Key Points
When determining hardware for a remote access solution, you should consider the following factors:
- Your capacity requirement is determined by many factors, including the number of users, what tasks your users perform, where they are connecting from, and what level of security you require. If you estimate a capacity that is inadequate, your remote access infrastructure might slow down user productivity. If you estimate a capacity that is too large, you might end up paying for capacity that is not used.
- Provisioning communication links requires you to determine an appropriate connection capacity and installation time. The link capacity must support the maximum number of users expected and support future growth. Installation of a new line requires lead time for both installation and testing.
- Select a service provider that can meet your needs for a service level agreement (SLA). Important parts of an SLA are the uptime and recovery requirements for outages. Cost often varies between providers depending on SLA conditions.
- Clients must have the necessary hardware to support the remote access method you have selected. If you are providing dial-up networking, then clients must have a modem. If you are providing VPN access, then clients must have the necessary hardware to connect to their Internet provider. This may require a wireless connection, Ethernet, or dial-up.
- Remote access servers can be dedicated hardware devices or a software-based solution such as Windows Server 2008 Routing and Remote Access. As a general rule, the server-based software solution is more flexible than the dedicated remote access device, because the server on which the remote access software is installed can be used for additional functions besides providing remote access.

Strategies for Placing VPN Servers

Key Points
Consider the following strategies for placing VPN servers:
- Many firewall solutions are also capable of being configured as VPN servers. This can be considered provided that the firewall has the capability and sufficient capacity. The cost of this solution may be higher than using RRAS.
- A VPN server in front of the firewall is a simple configuration to implement. It also allows you to apply firewall rules to clients accessing the internal network. The major drawback is that the VPN server is not protected.
- A VPN server in a perimeter network allows firewall rules to be applied to incoming clients and protects the VPN server. Configuration of firewall rules is more complex than for other options because the two firewalls creating the perimeter network must be configured appropriately. Also, when the VPN server is hosted on a perimeter network, it can use an internal IP address with ports redirected from the external firewall.
- A VPN server used in parallel with a firewall is a simple configuration, but does not protect the VPN server. Also, firewall security is not applied to clients.

User Environment Configuration

When determining how you will configure remote access client computers, consider:
- Travel. Do the remote access users require access configurations that cover multiple locations? For example, if you have users who travel frequently or need to access your private network from home or other locations, you will need to create multiple connection environments on the client.
- Security. As the remote access client is the starting point of the remote access request, it is imperative that only authorized users can initiate a request. For example, a salesperson's laptop should be configured in such a way that only the salesperson can initiate a remote access request.
- Number of remote users. If you have hundreds of users that need remote access configurations, you must consider the amount of administrative overhead that will be involved in setting up each user's desktop for remote access.
- Distribution. How will you design a distribution process to get each remote access user the configuration settings that they need? For example, if the user's computer is at home, is there a Web site where the user can access the connection configuration? Or will the user require a compact disc to configure the settings?

You can use the Connection Manager Administration Kit to create an installable configuration that remote users can use to configure their computers. The Connection Manager allows the distribution of a phone book with multiple access numbers to clients. Clients connect to the dial-up numbers in the order specified in their phone book. The order of the phone book entries can be set for individual users or groups, allowing the client load to be evenly distributed among servers.

Discussion: Guidelines for Remote Access Design

Your classroom discussion will include guidelines for determining remote access design.

Lesson 4

Designing RADIUS Authentication with Network Policy Services

Windows Server 2008 can be configured as a RADIUS server by using Network Policy Services. To design your implementation of RADIUS, you need to be aware of the RADIUS roles and scenarios for using RADIUS servers. In some cases, you may also need to configure a RADIUS proxy by using connection request policies.

What Is RADIUS?

Key Points
RADIUS is a protocol for controlling authentication, authorization, and accounting. It can be used to control authentication requests for remote access connections and wireless connections. The process for RADIUS authentication is as follows:
1. A user computer contacts a RADIUS client, such as a remote access server.
2. The RADIUS client takes credentials from the user computer and passes them to the RADIUS server.
3. The RADIUS server verifies the credentials against a directory, such as Active Directory.
4. The RADIUS server informs the RADIUS client whether the user is allowed or denied access.
5. The RADIUS client allows or denies the user access.

RADIUS Roles

Key Points
Network Policy Server (NPS) is the Windows Server 2008 component that functions as a RADIUS server. This replaces Internet Authentication Service (IAS) in Windows Server 2003. NPS is also capable of being configured as a RADIUS proxy by using connection request policies. RRAS can be configured as a RADIUS client. When RRAS is configured as a RADIUS client, authentication requests are forwarded to the RADIUS server for approval rather than being evaluated against locally configured network policies.

How RADIUS Works for Remote Access

Key Points
RADIUS can be used to:
- Remotely authenticate ISP access. To authenticate your users, an ISP can forward authentication requests to an NPS server on your corporate network. This allows users to log on to the ISP with their regular network password. Also, the help desk of your organization will be able to reset those passwords.
- Centralize authentication rules for multiple VPN servers. In this scenario, multiple RRAS servers are configured as RADIUS clients for a single NPS server. Network policies are created on the NPS server rather than on the individual RRAS servers.
- Centralize logging for multiple VPN servers. Accounting information can be forwarded by RADIUS clients to a RADIUS server for central storage. This makes it easier to monitor remote access.

When a RADIUS client and server communicate through firewalls, you must correctly configure the firewalls for authentication and accounting traffic. The RADIUS server uses User Datagram Protocol (UDP) port 1812 for authentication and UDP port 1813 for accounting.
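The five-step exchange from the "What Is RADIUS?" topic and the ports above, worked through as an added example (not code from the course or from NPS): a Python model of one Access-Request and its reply as laid out in RFC 2865, run in-process rather than over UDP. The shared secret, user, password and access-server address are constructed. It shows what the shared secret actually protects between client and server: the User-Password attribute is hidden with it, and the client acts on a reply only after checking a Response Authenticator that can only be computed with it, which is why the secret, not just the firewall rule, is part of the design.

```python
import hashlib
import hmac
import os
import struct

# Ports the RADIUS server listens on: UDP 1812 for authentication, 1813 for accounting.
RADIUS_AUTH_PORT = 1812
RADIUS_ACCT_PORT = 1813

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3              # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for k in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[k:k + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for k in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[k:k + 16], mask))
        prev = hidden[k:k + 16]
    return out.rstrip(b"\x00")   # drop the RFC padding


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the
    reply was produced by a party holding the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def client_access_request(username, password, secret, ident, nas_ip=b"\x0a\x0b\x00\x05"):
    """Step 2: the RADIUS client (the access server) forwards the user's credentials.
    nas_ip is a constructed 10.11.0.5."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (ATTR_NAS_IP_ADDRESS, nas_ip)]
    body = encode_attrs(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return packet, request_auth


def server_handle(packet, secret, directory):
    """Steps 3-4: check the credentials against the directory and answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = directory.get(user) is not None and hmac.compare_digest(directory[user], password)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = b""
    auth = response_authenticator(resp_code, ident, request_auth, resp_attrs, secret)
    return struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs)) + auth + resp_attrs


def client_verify(response, request_auth, expected_ident, secret):
    """Step 5: the client acts on the answer only if it matches the outstanding
    request and carries a Response Authenticator computed with the shared secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != expected_ident:
        return False, "identifier mismatch"
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return False, "bad response authenticator"
    return code == ACCESS_ACCEPT, "accept" if code == ACCESS_ACCEPT else "reject"


def run_exchange(username, password, client_secret=b"constructed-shared-secret",
                 server_secret=None, directory=None):
    """Whole exchange in-process; returns (allowed, reason). Directory is constructed."""
    server_secret = client_secret if server_secret is None else server_secret
    directory = {"alice": b"Pa55-constructed"} if directory is None else directory
    ident = 7
    request, request_auth = client_access_request(username, password, client_secret, ident)
    response = server_handle(request, server_secret, directory)
    return client_verify(response, request_auth, ident, client_secret)
```

Running `run_exchange` with mismatched secrets on the two sides fails at the client's authenticator check rather than merely returning a reject, which is the behaviour you rely on when the path between RADIUS client and server crosses a firewall or a third party.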

What Is a RADIUS Proxy?

Key Points
A RADIUS proxy distributes RADIUS requests to the appropriate RADIUS server. This is required when a RADIUS client authenticates connections for multiple RADIUS servers. In a typical configuration, a RADIUS client is configured to communicate with a single RADIUS server. A RADIUS proxy is configured by using rules to determine to which RADIUS server an authentication request should be forwarded.

If an ISP is servicing dial-up authentication requests for multiple organizations with RADIUS servers, the dial-up server forwards authentication requests to the RADIUS proxy, which then forwards the authentication requests to the RADIUS server at the appropriate organization. Inside an organization, a RADIUS proxy can be used to forward authentication requests to the appropriate department when the remote access infrastructure is managed separately by each department.

Connection Request Policies

Key Points
Connection request policies are part of the RADIUS proxy functionality in NPS. The connection request policies are used by NPS to determine whether authentication requests should be forwarded and, if so, where. The default connection request policy authenticates all requests locally. If you want NPS to act as a RADIUS proxy and forward some requests to other RADIUS servers, then you must create additional connection request policies.

Some conditions that can be used in a connection request policy are as follows:
- User Name. This can contain a user name and realm name.
- Service Type. Specifies a type of service, such as 802.1X connection or VPN connection.
- Tunnel Type. Specifies a type of tunnel for services, such as L2TP or PPTP for VPN connections.
- Day and Time Restrictions. Specifies the days and times at which this policy applies.
- Client IPv4 Address. The IPv4 address of the RADIUS client.
- Client Vendor. The vendor of the RADIUS client.
- Called Station ID. The telephone number of the network access server that was called.
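The forwarding decision those conditions drive, as an added Python example (not the course's or NPS's own code) for the ISP proxy scenario in the previous topic: the ISP's proxy matches each request against an ordered list of connection request policies on User Name, Tunnel Type and Client IPv4 Address, and either forwards it to a customer's RADIUS server or authenticates it locally. The policy names, realms, server group names and the 203.0.113.0/24 access-server range are constructed. The User Name regex deliberately covers both realm notations, since a pattern written for only one of them is the usual reason a request lands on the wrong policy.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ProxyRequest:
    user_name: str                 # User-Name as sent by the RADIUS client
    tunnel_type: Optional[str]     # "PPTP", "L2TP", "SSTP", or None for a non-VPN request
    client_ip: str                 # IPv4 address of the RADIUS client (the access server)


@dataclass(frozen=True)
class ConnectionRequestPolicy:
    name: str
    forward_to: Optional[str]                   # None: authenticate locally; else remote server group
    user_name_pattern: Optional[str] = None     # condition: regex over User-Name (realm is the usual key)
    tunnel_types: FrozenSet[str] = frozenset()  # condition: Tunnel Type
    client_network: Optional[str] = None        # condition: Client IPv4 Address, as a CIDR prefix


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (user, realm) for either notation: 'user@realm' or 'REALM\\user'."""
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm.lower()
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return user, realm.lower()
    return user_name, None


def matches(policy: ConnectionRequestPolicy, req: ProxyRequest) -> bool:
    """Every configured condition must hold; an unset condition means 'any'."""
    if policy.user_name_pattern and not re.search(policy.user_name_pattern, req.user_name, re.IGNORECASE):
        return False
    if policy.tunnel_types and req.tunnel_type not in policy.tunnel_types:
        return False
    if policy.client_network and ipaddress.ip_address(req.client_ip) not in ipaddress.ip_network(policy.client_network):
        return False
    return True


def route(policies: List[ConnectionRequestPolicy], req: ProxyRequest) -> Dict[str, Optional[str]]:
    """The first matching connection request policy decides where the request goes.
    A request that matches no policy is dropped, so the catch-all must stay last."""
    _, realm = split_realm(req.user_name)
    for policy in policies:
        if matches(policy, req):
            return {"policy": policy.name, "target": policy.forward_to or "local", "realm": realm}
    return {"policy": None, "target": "discard", "realm": realm}


# Constructed proxy configuration for the ISP scenario in the text: the ISP's NPS
# forwards each customer's users to that customer's RADIUS server and handles its
# own VPN customers locally. All names, realms and addresses are assumptions.
ISP_POLICIES = [
    ConnectionRequestPolicy("Woodgrove Bank users", "WoodgroveBank-RADIUS",
                            user_name_pattern=r"(@woodgrovebank\.com$|^woodgrovebank\\)"),
    ConnectionRequestPolicy("Contoso users", "Contoso-RADIUS",
                            user_name_pattern=r"@contoso\.com$"),
    ConnectionRequestPolicy("ISP VPN customers", None,
                            tunnel_types=frozenset({"PPTP", "L2TP", "SSTP"}),
                            client_network="203.0.113.0/24"),
    ConnectionRequestPolicy("Catch-all: authenticate locally", None),
]
```

Dropping the catch-all (`route(ISP_POLICIES[:3], ...)`) turns an unmatched user into a discarded request rather than a local authentication, which is the failure mode to test for after editing the policy order.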

Demonstration: Configuring Connection Request Policies

Question: Do most organizations need to configure connection request policies?

Lesson 5

Designing Wireless Access

Wireless connectivity offers a high degree of mobility. It also provides an alternative networking option when traditional wired networks are impractical. When you design wireless access, you should be aware of the various networking standards that are available. Security is a particular concern for wireless networks because they can extend outside the physical area controlled by your organization. Using 802.1X is a security method you can consider implementing to secure wireless networks.

Wireless Networking Standards

Key Points
Wireless standards are specified by the Institute of Electrical and Electronics Engineers (IEEE). The 802.11 standard, also known as Wi-Fi, is a family of specifications for wireless local area networks (WLANs). The 802.11 standard defines the physical layer and the MAC portion of the data link layer. The MAC layer is the same for all 802.11 standards; however, the physical layer implementation varies. The wireless networking standard that you select will depend on your needs for data speed and avoidance of interference. Many networking vendors build network cards and Wireless Access Points (WAPs) that support multiple standards. All equipment capable of 802.11g is also capable of 802.11b.

Wireless Security Threats

Key Points
Consider the following threats when designing security for a wireless network:
- Eavesdropping. This is when someone listens to communication on your wireless network with a packet sniffer. This can be performed by a roaming hacker with a laptop outside your building if encryption is not used on your wireless network.
- Interception and modification of data. This is a risk when data is not encrypted on your network. After using a packet sniffer to capture network data, the packets could be altered and retransmitted to attack one of your systems.
- Spoofing. On a wireless network, spoofing can refer to using a false MAC address or IP address. A false MAC address is used to overcome security restrictions on WAPs that are based on MAC address. IP address spoofing is used to overcome restrictions created by firewall rules.
- Freeloading. This is when an unauthorized user accesses your network and uses its services. Typically, this refers to the unauthorized use of an Internet connection over a wireless network.
- Denial of Service (DoS). DoS attacks can be effectively performed from outside the organization, because the network extends beyond the physical location of the organization.
- Rogue WAPs. A rogue WAP is typically created when an individual in the company wants to roam with a laptop and the organization does not yet provide wireless connectivity. This is a concern because rogue WAPs are not likely to be configured in a secure manner.

Strategies for Wireless Security

Key Points
When implementing a wireless network, consider the following:
- Wired Equivalent Privacy (WEP) is no longer considered secure enough for use in corporate networks.
- Wi-Fi Protected Access (WPA) and WPA2 are the preferred methods for encrypting communication on a wireless network. These are supported by all recent WAPs.
- Use 802.1X to authenticate computers connecting to a wireless network. This can be used in combination with WEP or WPA. This method is preferred to authenticating based on MAC addresses, which can be easily spoofed.
- Use monitoring software to find rogue access points and then remove them from your network. If wireless networking is required by users in your organization, ensure that they use an approved configuration.
- Allowing unauthenticated access to your wireless network but requiring a VPN connection to access corporate data allows guests to access the Internet over your wireless network. This is suitable when there are only a few wireless clients. If there are many wireless clients, consider having a separate wireless network for guests, or require guests to use a wired connection.

How RADIUS Works for 802.1X Connections

Key Points
The 802.1X protocol is used to authenticate devices before they access the network. Implementing 802.1X increases network security by preventing unauthorized devices from accessing the network. This system can require less administration than controlling network access based on the MAC address of computers. Also, it is easy to configure false MAC addresses on wireless network adapters.

When RADIUS is used for 802.1X connections, the RADIUS client is the network access device, for instance, a switch or wireless access point. The simplest configuration uses workstation credentials for authentication, but certificates can also be used.

For more information about wireless authentication, see "The Cable Guy: IEEE 802.1X Authentication for Wireless Connections".

Hardware Considerations for Wireless Networks

Key Points
Each wireless device requires a wireless adapter. Adapters come in a variety of types for a variety of hardware platforms, for example, wireless PC cards for laptops and handheld devices. Many current laptops and handheld devices have the wireless adapter built in. Most wireless adapters are capable of using multiple wireless protocols, such as 802.11n and 802.11g.

Wireless access points are the connection points to the wired network. A WAP is typically a dedicated hardware hub or switch with wireless capabilities. The wireless AP that you choose for your design will depend on the capacity and features that are required by your organization.

If you use 802.1X authentication as a part of your wireless design, you will need to include a RADIUS server in your design to perform the authentication of wireless users.

Discussion: Guidelines for Designing Wireless Networks

Your classroom discussion will include guidelines for securing wireless networks.

Lab: Designing a Remote Access Solution

Scenario
Woodgrove Bank is evaluating the network access needs for roaming users within the organization. At this time a VPN server is in place, but no wireless LANs have been implemented due to security concerns. You must design a remote access solution and a wireless connection solution based on user and business requirements. The current VPN deployment consists of a single VPN server. Clients use PPTP connections and are given connectivity to the entire network when connected.

Exercise 1: Designing a Network Access Solution


Woodgrove Bank is facing increasing demand from users for remote access. Many of the hub site management staff travel to remote locations and need access to organizational data from hotel rooms. Also, executives want the ability to work from home or while on vacation. The following information has been gathered:
- Some travelling users do not have Internet access in their hotel rooms.
- Security of data is very important.
- Woodgrove Bank has an infrastructure in place for deploying certificates and smart cards.
- Some executives have had problems with VPN connections being blocked by hotel firewalls.
- Users from non-North American sites have complained about slow access to data over the VPN.
- Some roaming clients use Windows XP and there are no plans to upgrade those clients to Windows Vista until new laptops are purchased.
- There is only a single Internet connection for Woodgrove Bank. It is located in the New York hub site.
- The current service provider for Internet access provides no guarantees for availability. Availability guarantees are required for disaster recovery planning.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine remote access methods.
3. Determine physical infrastructure for remote access.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-RAS, click Launch.
4. In the Lab Launcher, next to 6435A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-RAS as Administrator with the password Pa$$w0rd.
7. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Determining remote access methods


1. Is dial-up access required?
2. Which authentication method should be used for VPN connections?
3. Which VPN tunneling protocol should be used?

Task 3: Determining physical infrastructure for remote access


1. Where should VPN servers be located?
2. How will you address the concerns of non-North American users about slow access to data over the VPN?
3. How will clients be configured with dial-up and VPN connections?
4. How will you address concerns about availability for the Internet connection?

Exercise 2: Designing Network Policy Services


It has been determined that the most effective way to provide dial-up access for remote users is by outsourcing dial-up access to an ISP with a world-wide presence. The requirements for network policies are as follows:
- Executives are allowed remote access to network resources and are not restricted.
- Branch management staff are allowed remote access only to resources in their hub site. For example, branch managers in Toronto are allowed access only to Toronto resources.
- Customer Service staff are not allowed remote access.
- Investments staff are allowed remote access to all Investments resources in their hub site.
- Marketing staff are allowed remote access only for e-mail.

The main tasks for this exercise are:
1. Determine the infrastructure requirements for RADIUS.
2. Determine network policies.

Task 1: Determining the infrastructure requirements for RADIUS


1. How will RADIUS allow the Woodgrove Bank help desk to control passwords?
2. What configuration needs to be performed at the ISP, which has a RADIUS server?
3. What configuration needs to be performed at Woodgrove Bank?
4. How does the implementation of RADIUS affect the local VPN server?

Task 2: Determining network policies


1. What network policies should be created?
2. How does the processing order affect your network policies?

Exercise 3: Designing a Wireless Connection Solution


Woodgrove Bank does not have any wireless infrastructure in place to support roaming users throughout the buildings. The Investments department staff, in particular, would like the ability to move from office to office with their laptops for spontaneous meetings. This will be piloted first in the Toronto hub site and then deployed at other hub sites. The requirements for a wireless network design are as follows:
- Only laptops that are members of the domain can connect to the wireless network.
- The highest possible level of security must be used.
- Users must be able to roam throughout the building.
- The highest possible speed is required.

The main tasks for this exercise are:
1. Selecting wireless standards.
2. Designing the physical implementation.

Task 1: Selecting wireless standards


1. Which wireless networking standard is preferred for your implementation?
2. Which encryption standard is preferred for your implementation?
3. How will computers be authenticated?

Task 2: Designing the physical implementation


1. How will you provide power to the WAPs?
2. How will you ensure that users can roam throughout the building?
3. How will you ensure that signal strength is acceptable in all areas of the building?

Exercise 4: Discuss the Design of Network Access


Now that you have completed your design for network access, participate in a discussion with your instructor and the class. The main task for this exercise is:
- Discuss your design for network access with the instructor and other students.

Task 1: Discuss your design for network access with the instructor and other students

1. With your instructor, discuss the remote access solution that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the Network Policy Services design that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the wireless connection solution that is appropriate for Woodgrove Bank.

Exercise 5: Deploying an SSTP VPN Solution


Woodgrove Bank has determined that an SSTP VPN will meet the requirements for roaming users. In this exercise, you install an SSTP VPN server and connect to it. The main tasks for this exercise are:
1. Install Active Directory Certificate Services and Web server.
2. Create an SSL certificate.
3. Configure RRAS.
4. Create a Network Policy to allow VPN access.
5. Configure the client with a trusted root certificate.
6. Configure and test an SSTP VPN connection.
7. Close all virtual machines and discard undo disks.

Task 1: Install Active Directory Certificate Services and Web server


1. On NYC-RAS, use Server Manager to add the Active Directory Certificate Services and Web Server (IIS) roles.
2. Install the following configuration for Active Directory Certificate Services:
   - Role services: Certification Authority and Certification Authority Web Enrollment
   - CA type: Enterprise Root CA
   - Create a new private key
   - Cryptography: default
   - CA name: default
   - Validity period: default
   - Database and log locations: default
3. Accept default settings for the Web Server (IIS) role.

Task 2: Create an SSL certificate


On NYC-RAS, use Internet Information Services Manager to request a new server certificate for NYC-RAS.
   - Create Domain Certificate
   - Common name: NYC-RAS.WoodgroveBank.com


   - Organization: Woodgrove Bank
   - Organizational unit: IT
   - City/locality: New York
   - State/province: New York
   - Country/region: US
   - Online Certification Authority: WoodgroveBank-NYC-RAS-CA\NYC-RAS.WoodgroveBank.com
   - Friendly name: WebSSL

Task 3: Configure RRAS


On NYC-RAS, use the Routing and Remote Access administrative tool to enable Routing and Remote Access.
   - Configuration: Remote access (dial-up or VPN)
   - Remote access: VPN
   - Network interface: Local Area Connection
   - Do not enable security on the selected interface by setting up static packet filters.
   - IP address assignment: From a specified range of IP addresses
   - IP address range: 10.11.0.200 to 10.11.0.225
   - Use Routing and Remote Access to authenticate connection requests

Task 4: Create a Network Policy to allow VPN access.


1. On NYC-RAS, use Network Policy Server to create a new network policy.
   - Policy name: Allow Domain Admins
   - Condition: Windows Groups, WoodgroveBank\Domain Admins
   - Access permission: Access Granted
   - Authentication type: default
   - Constraints: default
   - Settings: default


Task 5: Configure the client with a trusted root certificate


1. On NYC-CL1, use Internet Explorer to open the Certificate Services Web site at http://NYC-RAS.WoodgroveBank.com/certsrv.
2. Log on as WoodgroveBank\Administrator with a password of Pa$$w0rd.
3. Download a CA certificate, open it, and install it. Automatically select the certificate store based on the type of certificate.
4. Click Start, type mmc, and press Enter to open an empty MMC console.
5. Add the following snap-ins:
   - The Certificates snap-in focused on My user account.
   - The Certificates snap-in focused on Local computer.
6. Copy the WoodgroveBank-NYC-RAS-CA certificate from Certificates - Current User > Intermediate Certification Authorities > Certificates to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.

Task 6: Configure and test an SSTP VPN connection


1. On NYC-CL1, open Connect To from the Start menu.
2. Set up a new connection:
   - Connect to a workplace
   - Use my Internet connection (VPN)
   - I'll set up an Internet connection later
   - Internet address: NYC-RAS.WoodgroveBank.com
   - Destination name: NYC VPN
   - Leave the username and password blank
3. Open Connect To from the Start menu.
4. Open the properties of the NYC VPN connection and select SSTP as the type of VPN on the Networking tab.
5. Connect the NYC VPN.
6. Open Connect To from the Start menu and verify that the NYC VPN connection is connected.


Note: If you experience an error during your connection attempt, review the configuration of your SSTP listener by using the instructions in "Setting up the SSTP listener and verifying it" in the Routing and Remote Access Blog at http://blogs.technet.com/rrasblog/archive/2007/03/07/configuration-of-sstp-listener-and-verification.aspx. In particular, if you want to replace the certificate used by SSTP, you must manually remove the old certificate and then configure the new one.

Task 7: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Designing Network Access Protection

9-1

Module 9
Designing Network Access Protection
Contents
Lesson 1: Overview of NAP 9-3
Lesson 2: NAP Architecture 9-8
Lesson 3: NAP Enforcement 9-18
Lesson 4: Designing NAP Policy 9-25
Lesson 5: Designing NAP Enforcement and Remediation 9-37
Lab: Designing Network Access Protection 9-44


Module Overview

Network Access Protection (NAP) is a new feature in Windows Server 2008 that prevents unhealthy computers from accessing a network. When deploying NAP, you must understand NAP architecture and how NAP is enforced. The two main aspects of designing NAP are determining the health requirements that will be enforced and which enforcement methods to use.


Lesson 1

Overview of NAP

NAP is used to prevent unhealthy computers from accessing the network and potentially creating a security problem. It can be used on high-risk computers, such as roaming users' laptops and home computers, in addition to computers controlled by the organization.


What Is NAP?

Key Points
NAP is a system that enforces client health before allowing access to the network. Client health is defined in policies by an administrator and enforced by a Network Policy Services (NPS) server. NAP does not block intruders or malicious users. Instead, NAP ensures that clients have an appropriate configuration such as software updates installed and antivirus software that is current. NAP includes multiple enforcement mechanisms. You can implement one or more of these mechanisms at the same time, depending on your network scenario.


When a computer is non-compliant with the health policy, you can then allow limited access to the network. The limited access is, typically, to remediation servers. Remediation servers provide resources for computers to become compliant. For example, a remediation server could be a Windows Server Update Services (WSUS) server that clients can use to download and then apply required updates.

For more information, see "Introduction to Network Access Protection".


Scenarios for Implementing NAP

NAP can be implemented in virtually any scenario where computers are accessing a network. The most common scenarios are:
- Desktop computers. NAP can be applied to all desktop computers in an organization. This ensures that a misconfigured desktop computer does not affect the security of the organization.
- Roaming laptops. NAP can be implemented when wireless clients authenticate to a wireless access point or a virtual private network (VPN) connection. This ensures that laptops that are often outside the organizational network are still in compliance when they return.
- Visiting laptops. Visiting laptops are not controlled by the organization and often are not compliant with organizational policies. NAP can ensure that they are restricted to a limited number of resources.
- Home computers. Many employees use home computers when remotely accessing the corporate network over a VPN connection. NAP can ensure that these computers are healthy and do not introduce viruses or malware onto the organizational network over the VPN.


Considerations for Designing NAP

When NAP is designed, you must ensure that the design meets the needs of your organization. As for other technologies, you need to gather business needs from the various departments. However, a well-designed NAP implementation is transparent to users with computers that are in compliance. Some considerations when designing NAP are:
- Health requirements. You must determine what specific criteria will define a healthy computer.
- Limits. You must determine the limits that will be placed on non-compliant computers.
- Remediation. You must determine which resources are needed on the remediation network to bring clients into a healthy state.


Lesson 2

NAP Architecture

It is important to understand NAP architecture as part of the NAP design process. Understanding the architecture of NAP allows you to determine which NAP components are required for your organization. The specific NAP components you implement will vary depending on the type of enforcement that you select.


Network Components and Services for NAP

Key Points
- NAP clients are capable of providing health status for evaluation by NAP. The NAP-capable clients are Windows XP SP3, Windows Vista, and Windows Server 2008.
- Enforcement points are components that receive health status from a NAP client and control access to the network. Some enforcement points are DHCP servers, VPN servers, and network devices with 802.1X support.
- A NAP health policy server receives requests from enforcement points with the health status of NAP clients. If the health status meets the health requirements defined in NAP policies, then the NAP health policy server responds back to the enforcement point with approval.
- Remediation servers contain resources to bring non-compliant computers into compliance. An example is a server that provides security updates.


A health registration authority (HRA) is used only when NAP is implemented by using Internet Protocol security (IPSec) as an enforcement mechanism. NAP clients, which are configured to use IPSec enforcement, send a request with the health status over HTTP to an HRA. The HRA acts as an enforcement point by getting approval for the client from the health policy servers and then obtains a health certificate for the client from a certification authority (CA).

For more information, see "Network Access Protection Platform Architecture" on TechNet.


NAP Architecture Overview

Key Points
Within a NAP client, the components are:
- System Health Agent (SHA). The SHA checks the state of a client and declares its health. Each SHA can report a specific set of system health requirements. For example, there might be an SHA for antivirus signatures and an SHA for operating system updates.
- Enforcement Client (EC). The EC handles the method of enforcement. Each NAP EC is defined for a different type of network access or communication. For example, there is a NAP EC for DHCP configuration and a NAP EC for VPN connections.
- NAP Agent. The NAP agent coordinates the SHA and the EC.


The Health Policy Server (NPS) includes:
- System Health Validator (SHV). This component corresponds with the SHA component on the client side. An SHV certifies declarations made by a corresponding SHA.
- NAP Server. The NAP server coordinates communication with the SHVs installed on the NPS server.

A system health server provides updates to an SHV on a health policy server. For example, a system health server for an antivirus program tracks the latest version of the antivirus signature file.


Network Layer Protection with NAP

Key Points
NAP is capable of providing network layer protection. This means that access to the network is controlled by a specific network device, such as a VPN server, a DHCP server, or an 802.1X-capable switch or wireless access point (WAP). The process for NAP enforcement of network layer protection is:
1. The system health servers provide updates to the NPS server.
2. The client sends health status along with a network access request to the enforcement point.
3. The enforcement point forwards the health status to the NPS server.
4. If the health status is not appropriate, the enforcement point is instructed to quarantine the client.
5. The client is quarantined on a restricted network with remediation servers.
6. The client requests and obtains updates from the remediation server.
7. The client sends the new health status along with a network access request to the enforcement point.
8. The enforcement point obtains approval with the new health status and provides access to the network.


Host Layer Protection with NAP

Key Points
NAP is also capable of providing host layer protection. This means that access is controlled at each host rather than by a network device. Host layer protection is enforced by IPsec.


The process for NAP enforcement of host layer protection is:
1. A client provides health status to an HRA and requests a health certificate.
2. The HRA forwards health status to the NPS server.
3. If remediation is required, then the HRA does not provide a health certificate.
4. The client obtains updates from a remediation server.
5. The client provides new health status to an HRA and requests a health certificate.
6. After approval of the new health status request by the NPS server, the HRA obtains a health certificate for the client from a CA.
7. The HRA provides the health certificate to the client.
8. The client then uses the health certificate to authenticate IPsec connections with computers.


NAP and Certificate Services

Key Points
You must implement Active Directory Certificate Services (AD CS) to support the host layer protection enforced by IPsec. In addition, you must implement AD CS as an Enterprise CA, which means that AD CS is integrated with Active Directory Domain Services (AD DS). The CA is responsible for providing health certificates for clients. However, NAP clients do not communicate directly with the CA. The clients send an HTTP request to an HRA and the HRA obtains and delivers the health certificates on behalf of the clients. Health certificates should be configured with a short expiry time. A health certificate is used by clients as long as it is valid. A short expiry time requires client health to be reevaluated and ensures that clients remain in compliance with health requirements.
Note: Some authentication types require certificates and AD CS independently of NAP.


Lesson 3

NAP Enforcement

NAP supports several enforcement methods. These include DHCP, IPSec, and VPN. The enforcement method you implement is based on the requirements of your organization and the location of the clients.


NAP Enforcement Methods

Key Points
An enforcement method defines how NAP controls access to network resources. In all cases, there must be an EC that can provide health status to the enforcement point. The enforcement point must also support NAP. The enforcement methods supported by NAP are:
- 802.1X. Health policies are enforced when a client computer authenticates to an 802.1X wireless connection or switch. This can be implemented wherever you control the network infrastructure.
- VPN. Health policies are enforced when a client computer authenticates to a VPN connection. This is well suited to remote clients.
- IPsec. Health policies are enforced by requiring computers to provide a health certificate to communicate with other computers. Health certificates are obtained from an HRA.
- DHCP. Health policies are enforced at the DHCP server when a client computer attempts to lease an IP address. This is simple to implement but easy to circumvent.
- TS Gateway. Health policies are enforced when a client computer attempts to communicate through a TS Gateway. Enforcing health here reduces the risk that access to local resources during a Terminal Services connection poses.


IPsec Enforcement

Key Points
IP security (IPsec) Enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are defined in terms of which computers have health certificates and which computers require IPsec authentication with health certificates for incoming communication attempts. The logical networks allow for limited network access and remediation and provide compliant computers with a level of protection from noncompliant computers. To obtain a health certificate, the IPsec NAP EC on the client uses HTTP to communicate with an HRA. The HRA then contacts an NPS server for verification of the health status. If approved by the NPS server, the HRA obtains a health certificate from an Enterprise CA and forwards the health certificate to the client.

The networks are:
- Secure network. This is the set of computers that have health certificates and require that incoming communication attempts use health certificates for IPsec authentication. On a managed network, most server and client computers that are members of the Active Directory domain would be in the secure network.
- Boundary network. This is the set of computers that have health certificates but do not require that incoming communication attempts use health certificates for IPsec authentication. Computers in the boundary network must be accessible to computers on the entire network.
- Restricted network. This is the set of computers that do not have health certificates, which includes noncompliant NAP client computers, guests on the network, and computers that are not NAP-capable.
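The three logical networks above, together with the short health certificate lifetime recommended under NAP and Certificate Services, reduce to one rule: a host that requires health certificates for inbound communication accepts only peers holding a valid certificate. The following Python model is an added example, not part of the course or of the NAP platform; the host names, the four-hour certificate lifetime and the sample times are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# All hosts, names and times below are constructed for illustration; they are
# not taken from the Woodgrove Bank lab.


@dataclass
class Host:
    name: str
    # When the health certificate obtained through the HRA expires; None means
    # the host holds no health certificate at all.
    health_cert_expires: Optional[datetime]
    # IPsec policy on this host: require a health certificate for inbound
    # communication attempts (True on secure-network hosts, False elsewhere).
    requires_health_cert_inbound: bool

    def has_valid_health_cert(self, now: datetime) -> bool:
        return self.health_cert_expires is not None and now < self.health_cert_expires


def logical_network(host: Host, now: datetime) -> str:
    """Map a host onto one of the three IPsec enforcement logical networks."""
    if not host.has_valid_health_cert(now):
        return "restricted"      # no (or expired) health certificate
    if host.requires_health_cert_inbound:
        return "secure"          # has a certificate and demands one from peers
    return "boundary"            # has a certificate but accepts anyone (HRA, WSUS)


def can_initiate(src: Host, dst: Host, now: datetime) -> bool:
    """Will dst accept an inbound connection attempt from src?

    A host that requires health certificates for inbound communication
    authenticates the peer with IPsec and accepts it only if the peer
    presents a valid health certificate; any other host accepts everyone.
    """
    if not dst.requires_health_cert_inbound:
        return True
    return src.has_valid_health_cert(now)


# Short certificate lifetime (assumed value): health is re-evaluated every
# time the certificate must be renewed through the HRA.
HEALTH_CERT_LIFETIME = timedelta(hours=4)
SAMPLE_NOW = datetime(2008, 6, 2, 9, 0)
SAMPLE_LATER = SAMPLE_NOW + HEALTH_CERT_LIFETIME + timedelta(minutes=1)


def sample_hosts() -> Dict[str, Host]:
    issued_until = SAMPLE_NOW + HEALTH_CERT_LIFETIME
    hosts = [
        Host("FILESRV1", issued_until, True),    # domain member server: secure
        Host("CLIENT-OK", issued_until, True),   # compliant NAP client: secure
        Host("HRA1", issued_until, False),       # HRA must be reachable by all
        Host("WSUS1", issued_until, False),      # remediation server: boundary
        Host("CLIENT-BAD", None, False),         # noncompliant client: restricted
        Host("GUEST-LAPTOP", None, False),       # not NAP-capable: restricted
    ]
    return {h.name: h for h in hosts}


def reachability(hosts: Dict[str, Host], now: datetime) -> Dict[Tuple[str, str], bool]:
    """Full matrix of which host may initiate communication to which."""
    return {
        (s.name, d.name): can_initiate(s, d, now)
        for s in hosts.values()
        for d in hosts.values()
        if s is not d
    }


if __name__ == "__main__":
    hosts = sample_hosts()
    for h in hosts.values():
        print(f"{h.name:13s} -> {logical_network(h, SAMPLE_NOW)}")
    for (src, dst), ok in sorted(reachability(hosts, SAMPLE_NOW).items()):
        print(f"{src:13s} -> {dst:13s}: {'accepted' if ok else 'blocked'}")
    # Once the certificate lifetime passes without renewal, the compliant
    # client drops back into the restricted network until it visits the HRA.
    print("CLIENT-OK later:", logical_network(hosts["CLIENT-OK"], SAMPLE_LATER))
```

Running it shows the asymmetry the lesson describes: a restricted client can reach the HRA and the remediation server but is refused by every secure host, while secure hosts can still initiate communication towards restricted ones, and a client whose certificate has lapsed is treated exactly like one that never had a certificate.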


VPN Enforcement

Key Points
VPN Enforcement comprises a VPN NAP enforcement server (ES) component and a VPN NAP EC component. Using VPN Enforcement, VPN servers can enforce health policy requirements any time a computer attempts to authenticate to a VPN connection. Unhealthy clients are configured with IP packet filters that restrict communication to resources defined on the limited network for remediation. The VPN NAP ES on the VPN server (a component of Routing and Remote Access) sends an EAP-Request/Identity message to the VPN NAP EC on the VPN client. The VPN NAP EC is a new feature in the Remote Access Connection Manager service; it obtains the list of statements of health (SoHs) from the NAP Agent and sends the list of SoHs as a PEAP-Type-Length-Value (TLV) message. Alternately, the VPN NAP EC can send a health certificate in a PEAP-TLV message.


DHCP Enforcement

Key Points
DHCP Enforcement comprises a DHCP NAP enforcement server (ES) component and a DHCP NAP EC component. Using DHCP Enforcement, DHCP servers can enforce health policy requirements any time a computer attempts to lease or renew an IP address configuration on the network. DHCP Enforcement is the easiest enforcement to deploy because all DHCP client computers must lease IP addresses. Unhealthy clients are configured with a valid IP address, a default gateway of 0.0.0.0, and a subnet mask of 255.255.255.255. To provide access to remediation servers, the client is configured with a static host route to each remediation server. Because DHCP Enforcement relies on entries in the IP routing table, it is the weakest form of limited network access in NAP. Malicious users can simply add additional routes to the routing table or use a static IP address.


Lesson 4

Designing NAP Policy

NAP policies are used to define healthy and unhealthy clients. The options available for defining healthy and unhealthy clients are controlled by the available SHAs and SHVs. The Windows SHV is included in Windows Server 2008, but NAP can also integrate with other products.


System Health Agents and Validators

Key Points
An SHA is present on NAP clients. It is responsible for publishing the health status to an enforcement point. The Windows SHA is included with Windows XP SP3, Windows Vista, and Windows Server 2008. An SHA can also be provided by third parties for monitoring the status of their products. An SHV is present on NPS servers. It is responsible for comparing client health to the required health status. Each SHA on the client side must have a corresponding SHV on the server side. The Windows SHV is included with Windows Server 2008.

For more information, see "Network Access Protection Policies in Windows Server 2008".


Status Monitored by Windows Security Health Validator

Key Points
The Windows SHV is capable of monitoring health for Windows Vista, Windows Server 2008, or Windows XP SP3. The settings for Windows Vista also apply for Windows Server 2008. The following are the settings that can be monitored for Windows Vista:
- Firewall enabled
- Antivirus application is on and up to date
- Antispyware application is on and up to date
- Automatic updating is enabled
- All available security updates are installed
- Locations where security updates can be downloaded

The settings monitored by the Windows SHV are based on the settings that are monitored by Windows Security Center on the client. Software must be compatible with the Windows Security Center to be monitored.


Note: Security Update Protection should not be enabled unless you have configured WSUS for your network. If clients are not registered with a WSUS server and Security Update Protection is enabled, then clients are automatically placed on the restricted network even if they are configured with the necessary updates.


NAP Integration with Other Products

Key Points
NAP can be extended to monitor additional settings and software. You can do this by deploying additional SHAs on NAP clients and additional SHVs on NPS servers. Some products that NAP can integrate with are:
- System Center Configuration Manager (SCCM). When SCCM is integrated with NAP, you can monitor the application of specific updates.
- Forefront Client Security. When Forefront Client Security is integrated with NAP, you can perform additional actions. For example, you can perform an autoremediation of a stopped service by restarting the stopped service. You can perform Forefront integration by using the Microsoft Forefront Integration Kit for Network Access Protection.


For more information, see "Network Access Protection Partners".
For more information, see "System Center Team blog".
For more information, see "Microsoft Forefront Integration Kit for Network Access Protection Frequently Asked Questions".


Considerations for Antivirus Software

Key Points
The Windows SHA is capable of monitoring antivirus software that integrates with and provides status to Windows Security Center. The two characteristics for antivirus software that can be monitored without a third-party SHA are:
- An antivirus application is on
- Antivirus is up to date

A third-party SHA may be capable of monitoring other antivirus software characteristics, such as:
- Manufacturer
- Software version
- Scan schedule


Considerations for Windows Updates

Key Points
The Windows SHA is capable of monitoring Windows Updates. The characteristics that can be monitored without an additional SHA are:
- Automatic updating is enabled
- Restrict access for clients that do not have all available security updates installed
- The severity rating of security updates that are required
- The number of hours allowed since the client has checked for new security updates

Other considerations that may be monitored with an additional SHA are:
- The categories of updates required
- Whether update installation is automatic


Considerations for Firewall Protection

Key Points
The Windows SHA is capable of monitoring firewall protection that integrates with and provides status information to Windows Security Center. The only characteristic that can be monitored by the Windows SHA is whether firewall protection is enabled. Some of the other firewall protection characteristics that it may be possible to monitor with an additional SHA are:
- Manufacturer
- Blocking of inbound or outbound connections by default
- Presence of specific firewall rules


Considerations for Spyware Protection

Key Points
The Windows SHA is capable of monitoring spyware protection that integrates with and provides status to Windows Security Center. The two characteristics for spyware protection that can be monitored are:
- An antispyware application is on
- Antispyware is up to date

Other spyware protection characteristics that may be possible to monitor with an additional SHA are:
- Manufacturer
- How current updates are defined


Unsupported Platforms

Key Points
When NAP is designed, you must consider how non-NAP-capable platforms will be accommodated. For example, Windows 2000 Professional is a non-NAP-capable platform. If your organization still has some client computers running Windows 2000 Professional, then you must determine how those clients will be accommodated. Unsupported platforms are reported as non-NAP-capable rather than non-compliant. This allows you to differentiate between the two in policies. However, a NAP-capable client is also reported as non-NAP-capable if the NAP client is disabled.


Unsupported platforms can be:
- Placed on a restricted network. This restricts unsupported platforms to using specific resources. It may be difficult to organize your network so that unsupported platforms have access to the resources they need, and still keep it secure with NAP.
- Allowed full access. Allowing unsupported platforms to have full access can be used as a temporary solution during a migration to begin using supported clients. However, it is a risk because unsupported clients such as older operating systems are more likely to be sources of malware and viruses.
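The Windows SHV checks listed under Status Monitored by Windows Security Health Validator, the WSUS caveat that follows them, and the non-NAP-capable distinction described here come together in one evaluation on the NPS server. The Python model below is an added example, not course, NPS or Windows SHV code; the policy object, its field names and the sample clients are constructed assumptions, and it models only the update checks the lesson names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy and client values below are constructed for illustration; the check
# names follow the Windows SHV settings listed in this lesson, not a real API.

CHECKS = [
    "firewall_enabled",
    "antivirus_on",
    "antivirus_up_to_date",
    "antispyware_on",
    "antispyware_up_to_date",
    "automatic_updating_enabled",
]


@dataclass
class WindowsShvPolicy:
    """Which Windows SHV checks the health policy requires (assumed shape)."""
    firewall_enabled: bool = True
    antivirus_on: bool = True
    antivirus_up_to_date: bool = True
    antispyware_on: bool = True
    antispyware_up_to_date: bool = True
    automatic_updating_enabled: bool = True
    # Security Update Protection: only enable when clients register with WSUS.
    security_update_protection: bool = False
    max_hours_since_update_check: Optional[int] = None
    # How the NAP policy treats hosts that send no statement of health.
    non_nap_capable_access: str = "restricted"   # or "full"


@dataclass
class StatementOfHealth:
    """What the Windows SHA reports, based on Windows Security Center state."""
    firewall_enabled: bool = True
    antivirus_on: bool = True
    antivirus_up_to_date: bool = True
    antispyware_on: bool = True
    antispyware_up_to_date: bool = True
    automatic_updating_enabled: bool = True
    all_security_updates_installed: bool = True
    registered_with_wsus: bool = False
    hours_since_update_check: int = 0


def evaluate(soh: Optional[StatementOfHealth],
             policy: WindowsShvPolicy) -> Tuple[str, List[str]]:
    """Return (state, failed checks); state is 'compliant', 'noncompliant'
    or 'non-NAP-capable'."""
    if soh is None:
        # No SoH: unsupported platform, or NAP agent disabled on a capable one.
        return "non-NAP-capable", []
    failures = [c for c in CHECKS if getattr(policy, c) and not getattr(soh, c)]
    if policy.security_update_protection:
        if not soh.registered_with_wsus:
            # The caveat from the lesson: without a WSUS registration the
            # client fails this check even if every update is installed.
            failures.append("security_updates: client not registered with WSUS")
        else:
            if not soh.all_security_updates_installed:
                failures.append("security_updates: missing required updates")
            if (policy.max_hours_since_update_check is not None
                    and soh.hours_since_update_check > policy.max_hours_since_update_check):
                failures.append("security_updates: last check too long ago")
    return ("compliant" if not failures else "noncompliant"), failures


def access_decision(state: str, policy: WindowsShvPolicy) -> str:
    """Map the health state onto the network access NPS grants."""
    if state == "compliant":
        return "full"
    if state == "noncompliant":
        return "restricted"      # remediation servers only
    return policy.non_nap_capable_access


def sample_run() -> Dict[str, Tuple[str, str, List[str]]]:
    policy = WindowsShvPolicy(security_update_protection=True,
                              max_hours_since_update_check=24)
    clients = {
        "desktop-firewall-off": StatementOfHealth(firewall_enabled=False,
                                                  registered_with_wsus=True),
        "laptop-patched-no-wsus": StatementOfHealth(registered_with_wsus=False),
        "laptop-patched-wsus": StatementOfHealth(registered_with_wsus=True),
        "laptop-stale-check": StatementOfHealth(registered_with_wsus=True,
                                                hours_since_update_check=72),
        "win2000-guest": None,   # sends no SoH at all
    }
    results = {}
    for name, soh in clients.items():
        state, failures = evaluate(soh, policy)
        results[name] = (state, access_decision(state, policy), failures)
    return results


if __name__ == "__main__":
    for name, (state, access, failures) in sample_run().items():
        print(f"{name:24s} {state:15s} access={access:10s} {failures}")
```

The second sample client is the case the note warns about: fully patched, yet placed on the restricted network because Security Update Protection is enabled and the client is not registered with WSUS. The last client shows why the non-NAP-capable state is reported separately: the policy, not the health checks, decides whether it gets full or restricted access.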


Lesson 5

Designing NAP Enforcement and Remediation

When designing NAP, you need to consider which types of enforcement you will use. Multiple types of enforcement may be used depending on the clients accessing your network. You must also carefully consider which resources must be made available on the remediation network to allow clients to improve their health status.


Considerations for Designing DHCP Enforcement

Key Points
DHCP enforcement requires the use of a NAP-integrated DHCP server. The DHCP server included with Windows Server 2008 is NAP-integrated for IPv4 addressing, but not IPv6. DHCP enforcement is easy to implement, but also easy to circumvent. A client can circumvent DHCP enforcement by using a static IP address. In addition, a noncompliant computer could add static host routes to reach servers that are not remediation servers.
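To make the routing-table restriction described here and under DHCP Enforcement concrete, here is an added Python model (not course or product code) that builds a noncompliant client's routing table from the DHCP-supplied configuration (an address with a 255.255.255.255 mask, a default gateway of 0.0.0.0 and a host route to each remediation server) and performs the longest-prefix lookup the host would. The addresses, including the remediation server at 10.11.0.50 and the router at 10.11.0.1, are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Addresses below are constructed for illustration (10.11.0.0/24 is used only
# because the course lab uses that range); the remediation server and router
# addresses are hypothetical.

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address
Route = Tuple[IPv4Net, Optional[IPv4Addr]]   # (destination, next hop; None = on-link)


def build_routes(ip: str, mask: str, default_gw: str,
                 remediation_servers: List[str]) -> List[Route]:
    """Build the host's IPv4 routing table from the DHCP-supplied configuration."""
    routes: List[Route] = [
        # The directly connected subnet. With a 255.255.255.255 mask this
        # covers only the client's own address.
        (IPv4Net(f"{ip}/{mask}", strict=False), None),
    ]
    if default_gw != "0.0.0.0":
        routes.append((IPv4Net("0.0.0.0/0"), IPv4Addr(default_gw)))
    for server in remediation_servers:
        # Static host routes that the DHCP server hands to a noncompliant
        # client so that it can still reach the remediation servers.
        routes.append((IPv4Net(f"{server}/32"), None))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match, as the host's IP routing table performs it."""
    d = IPv4Addr(dest)
    best: Optional[Route] = None
    for net, gw in routes:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def reachable(routes: List[Route], dest: str) -> bool:
    """A destination with no matching route cannot be sent to at all."""
    return lookup(routes, dest) is not None


def restricted_client() -> List[Route]:
    """What NAP gives a noncompliant DHCP client (remediation server at 10.11.0.50)."""
    return build_routes("10.11.0.201", "255.255.255.255", "0.0.0.0", ["10.11.0.50"])


def compliant_client() -> List[Route]:
    """A normal lease: real mask and default gateway, no host routes needed."""
    return build_routes("10.11.0.201", "255.255.255.0", "10.11.0.1", [])


DESTINATIONS = {
    "WSUS (remediation)": "10.11.0.50",
    "file server":        "10.11.0.10",
    "other subnet":       "10.12.0.10",
}


def compare() -> Dict[str, Tuple[bool, bool]]:
    """For each destination: (reachable when restricted, reachable when compliant)."""
    r, c = restricted_client(), compliant_client()
    return {name: (reachable(r, ip), reachable(c, ip)) for name, ip in DESTINATIONS.items()}


if __name__ == "__main__":
    for name, (restricted, compliant) in compare().items():
        print(f"{name:20s} restricted={restricted!s:5s} compliant={compliant}")
```

The model also makes the weakness plain: the whole restriction lives in the client's own routing table, which is why the lesson rates DHCP enforcement as the weakest form of limited access and why a design that needs a real barrier pairs it with, or replaces it by, 802.1X or IPsec enforcement.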


Considerations for Designing VPN Enforcement

Key Points
VPN enforcement requires the use of a NAP-integrated VPN server. The RRAS server included with Windows Server 2008 is NAP-integrated. This type of enforcement is best suited to situations where a VPN is already being used, for example, roaming users with laptops or staff using home computers to access the corporate network.


Considerations for Designing 802.1X Enforcement

Key Points
To implement 802.1X enforcement, the network switches or WAPs must support 802.1X authentication. The switches or WAPs then act as an enforcement point for NAP clients. This provides network-level enforcement for all internal clients of your network. The isolation of non-compliant computers is enforced by the switch or WAP that connects with the client. This makes it very difficult to circumvent and therefore very secure.


Considerations for Designing IPsec Enforcement

Key Points
To implement IPsec enforcement, you must put additional software components on the network. An HRA is required to act as an enforcement point and a CA is required to generate health certificates. However, no specific hardware components are required, so IPsec enforcement can be implemented in any environment. IPsec enforcement is very secure and very difficult to circumvent. In addition to restricting unhealthy computers to a limited network, communication can also be encrypted by IPsec for enhanced security.

Updates are typically downloaded and stored on a local WSUS server. However, if you specify that updates are stored on Microsoft Update, then WSUS acts only as a mechanism to approve updates.


The synchronization schedule determines how often updates are downloaded by WSUS. To ensure that critical updates are obtained as quickly as possible, WSUS should be configured to synchronize daily. When you configure a new WSUS server, you can speed up initial synchronization by copying updates directly from one WSUS server to another.


Discussion: Selecting an Enforcement Method

Your classroom discussion will address enforcement methods.


Discussion: Selecting Remediation Servers

Your classroom discussion will address which servers should be included as remediation servers.


Lab: Designing Network Access Protection

Scenario
Woodgrove Bank has recently experienced problems with malware being introduced to the network at the New York hub site. The introduction of malware has been a result of computers not being compliant with corporate security and maintenance policies. None of the lapses has been a result of malicious users attempting to bypass security guidelines. The following are examples of recent lapses:
- A user working from home did not have antivirus software enabled. A virus was introduced to the network over the corporate VPN connection.
- Windows Firewall was disabled on a desktop computer by a technician during application troubleshooting. The technician forgot to re-enable the firewall and the computer was subsequently infected with a worm.
- A visiting consultant connected a laptop to the corporate network and introduced a virus.


The New York hub site provides services for all bank branches in the northeastern United States. NAP is being implemented in New York as a trial for the rest of Woodgrove Bank. Varying scenarios need to be considered and tested. The infrastructure in place at the New York hub site and branches has the following characteristics:
- A VPN server running Windows Server 2008 RRAS
- Most, but not all, switches and WAPs support 802.1X authentication
- All client computers have been upgraded to Windows Vista
- No additional products with an SHA/SHV have been installed
- All clients use dynamic IP addresses
- The DHCP server in Windows Server 2008 is used to lease IP addresses

Exercise 1: Analyzing Enforcement Methods


The first step in designing a NAP implementation is determining which enforcement methods are appropriate. You must determine the appropriate enforcement methods for Woodgrove Bank. The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Analyze DHCP Enforcement.
3. Analyze VPN Enforcement.
4. Analyze 802.1X Enforcement.
5. Analyze IPSec enforcement.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. In the Lab Launcher, next to 6435A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

Designing Network Access Protection

9-47

6. 7. 8.

Log on to NYC-RAS as Administrator with the password Pa$$w0rd. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd. Minimize the Lab Launcher window.

Task 2: Analyze DHCP Enforcement


1. Which components are required for DHCP enforcement?
2. Are the necessary components in place for DHCP enforcement?
3. What are the benefits of using DHCP enforcement?
4. What are the drawbacks of using DHCP enforcement?
5. Is DHCP enforcement suitable for Woodgrove Bank?

Task 3: Analyze VPN Enforcement


1. Which components are required for VPN enforcement?
2. Are the necessary components in place for VPN enforcement?
3. What are the benefits of using VPN enforcement?
4. What are the drawbacks of using VPN enforcement?
5. Is VPN enforcement suitable for Woodgrove Bank?

Task 4: Analyze 802.1X Enforcement


1. Which components are required for 802.1X enforcement?
2. Are the necessary components in place for 802.1X enforcement?
3. What are the benefits of using 802.1X enforcement?
4. What are the drawbacks of using 802.1X enforcement?
5. Is 802.1X enforcement suitable for Woodgrove Bank?

Task 5: Analyze IPSec enforcement


1. Which components are required for IPSec enforcement?
2. Are the necessary components in place for IPSec enforcement?
3. What are the benefits of using IPSec enforcement?
4. What are the drawbacks of using IPSec enforcement?
5. Is IPSec enforcement suitable for Woodgrove Bank?

Exercise 2: Designing DHCP Enforcement


Woodgrove Bank would like to see a design of DHCP enforcement before selecting enforcement methods for NAP. The following steps are required when configuring DHCP enforcement:
1. NAP clients must be configured with appropriate settings.
2. NAP must be enabled for the DHCP scope.
3. DHCP options must be configured for noncompliant computers.
4. Configure NPS as a health policy server.
5. Configure SHVs.
6. Configure remediation servers in NPS.

The main tasks for this exercise are:
1. Design client configuration.
2. Design SHV configuration.
3. Design DHCP implementation.
4. Design remediation servers.

Task 1: Design client configuration


1. What is the simplest way to apply the necessary client configuration to many computers at once?
2. How will you ensure that only the client computers are configured and not servers?

Task 2: Design SHV configuration


1. How are the options available for checking client status determined?
2. How can these options be expanded?


Task 3: Design DHCP implementation


1. Where will DHCP servers be located?
2. How will clients communicate with the DHCP servers?
3. Is additional configuration necessary on the DHCP server?

Task 4: Design remediation servers


1. How are remediation servers accessed by noncompliant computers?
2. Which servers should be configured as remediation servers?

Exercise 3: Designing IPSec Enforcement


Woodgrove Bank would like to see a design of IPSec enforcement before selecting enforcement methods for NAP. IPSec enforcement uses IPSec policies to create a restricted network, a boundary network, and a secure network. The same client and SHV configuration steps must be performed for IPSec enforcement as for DHCP enforcement. The main tasks for this exercise are:
1. Design IPSec enforcement networks.
2. Design the IPSec implementation.
3. Design the CA implementation.

Task 1: Design IPSec enforcement networks


1. What computers are on the restricted network?
2. What computers are on the boundary network?
3. What computers are on the secure network?
4. What communication is allowed between the IPSec networks?

Task 2: Design the IPSec implementation


1. Why are IPSec policies required?
2. What configuration is used for IPSec in the restricted network?
3. What configuration is used for IPSec in the boundary network?
4. What configuration is used for IPSec in the secure network?
5. How are remediation servers configured?

Task 3: Design the CA implementation


1. What type of CA must be installed, and why?
2. How long will health certificates be valid?

Exercise 4: Implementing DHCP Enforcement


Woodgrove Bank has decided to implement DHCP enforcement. In this exercise, DHCP enforcement is configured and tested. The main tasks for this exercise are:
1. Install necessary components.
2. Configure NPS.
3. Configure DHCP.
4. Configure the NAP client by using Group Policy.
5. Configure networking on the client.
6. Configure the SHV.
7. Test compliance and auto-remediation on the client.
8. Close all virtual machines and discard undo disks.

Task 1: Install necessary components


1. On NYC-DC1, use Server Manager to add the DHCP Server and Network Policy and Access Services server roles.
2. For the Network Policy and Access Services server role, include the Network Policy Server role service.
3. For the DHCP Server role, use the following settings:
   • Network connection: 10.10.0.10
   • Parent Domain: WoodgroveBank.com
   • Preferred DNS Server IPv4 Address: 10.10.0.10
   • WINS is not required for applications on the network
   • Add a DHCP scope:
     Scope Name: New York Scope
     Starting IP Address: 10.10.1.0
     Ending IP Address: 10.10.9.254
     Subnet Mask: 255.255.0.0
     Default Gateway (optional): 10.10.0.1
     Subnet Type: Wired (lease duration will be 6 days)
     Activate this scope
   • Disable DHCPv6 stateless mode for this server
   • Use current credentials

Task 2: Configure NPS


1. On NYC-DC1, use the Network Policy Server administrative tool to select the Network Access Protection (NAP) standard configuration and then configure NAP with the following settings:
   • Connection method: Dynamic Host Configuration Protocol (DHCP)
   • Policy name: NAP DHCP
   • RADIUS clients: None
   • DHCP scopes: None
   • User and machine groups: None
   • Remediation server groups: None
   • Windows Security Health Validator
   • Enable auto-remediation of client computers
   • Deny full network access to NAP-ineligible client computers
2. Review the connection request policies created by the wizard.
3. Review the network policies created by the wizard.
4. Review the health policies created by the wizard.


Task 3: Configure DHCP


1. On NYC-DC1, use the DHCP administrative tool to enable Network Access Protection for the New York Scope and use the Default Network Access Protection profile.
2. On the Advanced tab of Scope Options, for the Default Network Access Protection Class, configure the following:
   • 006 DNS Servers: 10.10.0.10
   • 015 DNS Domain Name: restricted.woodgrovebank.com

Task 4: Configure NAP Client by using Group Policy


1. On NYC-DC1, use Active Directory Users and Computers to create a new organizational unit, named NYC NAP Clients, in the NYC organizational unit.
2. Move the NYC-CL1 computer object into the NYC NAP Clients organizational unit.
3. Use the Group Policy Management administrative tool to create a new group policy object, named DHCP NAP Client, linked to the NYC NAP Clients organizational unit with the following settings:
   • Computer Configuration/Policies/Windows Settings/Security Settings/System Services/Network Access Protection Agent: Automatic
   • Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration/Enforcement Clients/DHCP Quarantine Enforcement Client: Enable
   • Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration: Apply (from the context menu)
   • Computer Configuration/Policies/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only): Enabled


Task 5: Configure networking on the client


1. Restart NYC-CL1, and log on as Administrator with a password of Pa$$w0rd.
2. On NYC-CL1, open a command prompt and use the following command to update group policy settings:
   gpupdate
3. Reconfigure Local Area Connection to use DHCP to obtain an IP address and DNS server.
4. Open a command prompt and use the following command to view the configured IP address:
   ipconfig /all
5. Notice that an IPv4 address has been configured, but the subnet mask is 255.255.255.255 and the Connection-specific DNS Suffix is restricted.woodgrovebank.com.
6. Ping NYC-WEB.WoodgroveBank.com to test connectivity.
7. The ping to NYC-WEB.WoodgroveBank.com fails.

Task 6: Configure the SHV


On NYC-DC1, use the Network Policy Server administrative tools to configure the Windows Security Health Validator in Network Access Protection. Test only for an enabled firewall.

Task 7: Test compliance and auto-remediation on the client


1. On NYC-CL1, renew the IP address by using the command ipconfig /renew.
2. Notice that NYC-CL1 now has a default gateway, a subnet mask of 255.255.0.0, and a Connection-specific DNS Suffix of WoodgroveBank.com.
3. Ping NYC-WEB.WoodgroveBank.com to test connectivity.
4. The ping to NYC-WEB.WoodgroveBank.com is successful.
5. In the Control Panel Security settings, turn off Windows Firewall.
6. Notice that the Windows Firewall status is off only briefly, before being turned back on by the NAP client.
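The following script is an added example for this lab and is not part of the course material. Run on the NAP client (NYC-CL1) after Tasks 4 to 7, it reports the same three things the tasks have you check by hand: whether the DHCP Quarantine Enforcement Client was enabled by the GPO, whether the lease is the restricted one (255.255.255.255 mask, restricted.woodgrovebank.com suffix), and whether Windows Firewall is on. It uses only built-in tools (netsh, ipconfig). The field names it matches ("Restriction state", "Initialized", "Subnet Mask", "Connection-specific DNS Suffix", "State") are the ones printed on Windows Vista and Windows Server 2008 and are an assumption if run elsewhere; it also assumes the single adapter of the lab client.

```powershell
# Added example (not course material): verify DHCP NAP enforcement state on a Vista NAP client.
# Assumed: field names printed by netsh/ipconfig on Vista / Server 2008; one network adapter.

$RestrictedSuffix        = "restricted.woodgrovebank.com"  # suffix configured on the NAP class in Task 3
$DhcpEnforcementClientId = 79617                           # ID of the DHCP Quarantine Enforcement Client

function Get-NapClientState {
    # Overall restriction state plus the Initialized flag of the DHCP enforcement client.
    $lines = @(netsh nap client show state)
    $state = @{ Restricted = $null; DhcpEcInitialized = $false }
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^Restriction state\s*=\s*(.+)$') {
            $state.Restricted = ($matches[1].Trim() -notmatch '^Not restricted')
        }
        if ($lines[$i] -match "^Id\s*=\s*$DhcpEnforcementClientId\s*$") {
            # Walk this enforcement client's block until the next "Id =" line.
            for ($j = $i + 1; ($j -lt $lines.Count) -and ($lines[$j] -notmatch '^Id\s*='); $j++) {
                if ($lines[$j] -match '^Initialized\s*=\s*(\w+)') {
                    $state.DhcpEcInitialized = ($matches[1] -eq 'Yes')
                }
            }
        }
    }
    return $state
}

function Get-LeaseSummary {
    # The fields Task 5 and Task 7 tell you to look at in "ipconfig /all".
    # Only spaces/tabs are skipped after the colon, so an empty value (no gateway
    # on the restricted lease) is not filled from the following line.
    $text  = (ipconfig /all) -join "`n"
    $lease = @{ SubnetMask = $null; DefaultGateway = $null; DnsSuffix = $null }
    if ($text -match 'Subnet Mask[ .]*:[ \t]*([\d.]+)')                  { $lease.SubnetMask     = $matches[1] }
    if ($text -match 'Default Gateway[ .]*:[ \t]*([\d.]+)')              { $lease.DefaultGateway = $matches[1] }
    if ($text -match 'Connection-specific DNS Suffix[ .]*:[ \t]*(\S+)')  { $lease.DnsSuffix      = $matches[1] }
    return $lease
}

function Test-FirewallEnabled {
    # Each profile prints a "State  ON|OFF" line; the SHV in Task 6 only requires the firewall to be on.
    $out = @(netsh advfirewall show allprofiles state)
    return (@($out | Select-String '^State\s+OFF').Count -eq 0)
}

function Show-NapDhcpStatus {
    $nap   = Get-NapClientState
    $lease = Get-LeaseSummary
    $fwOn  = Test-FirewallEnabled

    # A /32 mask or the restricted suffix means the client holds the restricted-class lease.
    $onRestrictedNet = ($lease.SubnetMask -eq '255.255.255.255') -or ($lease.DnsSuffix -eq $RestrictedSuffix)

    Write-Output ("DHCP enforcement client initialized : {0}" -f $nap.DhcpEcInitialized)
    Write-Output ("NAP agent reports restricted        : {0}" -f $nap.Restricted)
    Write-Output ("Lease: mask={0} gateway={1} suffix={2}" -f $lease.SubnetMask, $lease.DefaultGateway, $lease.DnsSuffix)
    Write-Output ("Windows Firewall enabled            : {0}" -f $fwOn)

    if (-not $nap.DhcpEcInitialized) {
        Write-Warning "DHCP enforcement client not initialized: confirm the DHCP NAP Client GPO applied (gpupdate) and the Network Access Protection Agent service is running."
    }
    if ($onRestrictedNet -and $fwOn) {
        Write-Warning "Firewall is on but the lease is still restricted: run 'ipconfig /renew' so a fresh statement of health is sent."
    }
    return $onRestrictedNet
}

Show-NapDhcpStatus
```

Before the enforcement client is enabled (or before gpupdate has run), the client is handed the restricted lease regardless of its firewall state, which is exactly the first warning case; after Task 7 step 1 the function returns $false and the lease fields match the compliant values in step 2.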


Task 8: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Designing Operating System Deployment and Maintenance

10-1

Module 10
Designing Operating System Deployment and Maintenance
Contents
Lesson 1: Determining Operating System Deployment Requirements 10-3
Lesson 2: Designing Windows Deployment Services 10-13
Lesson 3: Windows Deployment Services Images 10-24
Lesson 4: Designing Multicast Transmission of Images 10-29
Lesson 5: Designing a Software Update Process 10-33
Lab: Designing Operating System Deployment and Maintenance 10-41


Module Overview

Windows Server 2008 includes Windows Deployment Services (WDS) to deploy and maintain computer operating systems. The first step to design a WDS deployment is to determine the requirements for deployment of operating systems. Then you can design the specifics of your deployment such as boot and install images, and multicast transmissions. You must also consider how software updates are applied to previously deployed operating systems and applications.


Lesson 1

Determining Operating System Deployment Requirements

Careful planning is an important part of implementing the deployment of operating systems. As part of your plan, you need to consider the design options and the tools for the deployment of operating systems, storage requirements, and security.


Reasons for Planning the Operating System Deployment

Key Points
Deployment of multiple desktops or servers within an organization requires careful planning to address the different configurations that support the various business needs. The reliability, speed, and ease of deployment and re-deployment of computers can have a major impact on minimizing disruptions to the business and reducing operations costs. A properly planned deployment will deliver a reliable installation and configuration of machines and accommodate multiple configurations and the parameters associated with each computer. The client image can be standardized to help organizations address application compatibility issues, provide a consistent look and feel of all components, and reduce troubleshooting and training for end users.


After the standardized build is created, it should be tested. Testing ensures that users will not be affected during installation of the operating system by issues such as incorrect disk drivers, and that such issues are resolved before rollout. Testing should include evaluation of any new features of the operating system. An impact assessment should follow to understand the changes and their impact on the existing environment. To ensure a smooth rollout, you must test all deployment methods. Testing of deployment methods includes scripts, automation steps, and manual build processes. The plan should ensure continued user productivity and the availability of all critical services during and after the rollout.


Design Options for Deploying Operating Systems

Key Points
Most deployments of operating systems can be performed as either an in-place upgrade or a side-by-side migration. With the latter, the operating system is installed on new hardware. User state migration is then performed to ensure that all user settings and files are migrated to the new hardware. The Microsoft Windows User State Migration Tool (USMT) can be used in such scenarios to improve and simplify the migration process. It is scriptable and configurable to control exactly which files and settings are transferred.


Deployment method: Bare metal installations
Characteristics:
• Are used to deploy operating systems to bare metal computers (no operating system installed)
• Are used to eliminate the need for an operating system to be present on a local disk drive
• Are used for operating system recovery

Deployment method: Lite Touch Deployments
Characteristics:
• Are used to allow the installation and deployment of Windows Vista computers, complete with application install and other configuration of the final image
• Can be automated using a combination of pre-configured files and the Business Desktop Deployment (BDD) 2007
• Are used with a LAN that has at least one server and sufficient disk space to store working files and images
• Are recommended for customers with 25 PCs or more and without SMS 2003 or SCCM 2007 infrastructure in place

Deployment method: Zero Touch Deployments
Characteristics:
• Are used with Microsoft System Center Configuration Manager 2007 or Systems Management Server 2003 with the Operating System Deployment Feature Pack
• Are used with Windows Server 2003 or Windows Server 2008 with Windows Deployment Services and Active Directory
• Are used to completely automate the deployment process on the target computer
• Are recommended for larger customers with SMS 2003 or SCCM 2007 infrastructure in place and managing the PCs targeted for deployment


Determining Storage Requirements

When designing storage for a WDS deployment, you should consider the following:
• Deployment images. Organizations often have several deployment images to accommodate various workstation configurations. An individual deployment image can be several gigabytes of data. However, WDS identifies redundant data in images to reduce storage requirements.
• User state migration data. The amount of data generated by USMT varies based on the size of user profiles and local data storage. Large user profiles are created when users store data in My Documents or cache e-mail locally.
• Computer backups. If the new operating system is being deployed over an existing operating system, then the existing configuration should be backed up in case recovery is required.
• Application and operating system source files. Based on the deployment method, you may need additional space to store the application and installation files of the operating system.


Security Considerations for Operating System Deployment

It is important to maintain security when planning a solution for the deployment of an operating system. Consider the following when planning security for operating system deployment:
• Maintain the security of the file server and the deployment server. By managing these servers, users' data in the log files, the answer files, and the image files is protected against unauthorized users.
• To ensure users' privacy, USMT does not allow the migration of passwords. Make sure that end users know their passwords prior to migration.
• Restrict access to the image store to prevent unauthorized users from reading and mounting images. Be sure to set file permissions on images according to least privilege to prevent unauthorized access.
• Consider implementing store encryption to protect the user state data.
• Perform a virus scan of the source and destination computers prior to migration. In addition, scan the destination computer image. This ensures that all data is virus-free.


• Do not transmit data over an Internet connection unless you have a secure connection (such as a virtual private network). Use Internet Protocol security (IPSec) or other network security protocols to secure data as it travels over the network.
• The Pre-boot Execution Environment (PXE) protocol, used to initiate operating system deployments, is not secure. Both the PXE server and the PXE client should be located on a physically secure network to prevent unauthorized access. Further, to minimize the potential for successful attacks on PXE-enabled clients, implement safeguards such as a password to enable PXE boot, and regular audits to detect intrusions on the network.
• Windows Server 2008 domain controllers do not allow the NETSETUP_JOIN_UNSECURE option by default. This option is used by WDS and RIS when deploying all operating systems before Windows Vista SP1. You can allow this by enabling Allow algorithms compatible with Windows NT 4.0 in Group Policy.


Tools for Operating System Deployment

Key Points
Some tools that help automate operating system deployment are:
• Windows Automated Installation Kit (WAIK). WAIK includes tools and instructions to automate the deployment of operating systems. System Image Manager is used to generate unattended installation files for Windows Vista. ImageX can be used to create and modify operating system images.
• Business Desktop Deployment (BDD) 2007. BDD 2007 is a process and technology framework based on the best practices for deployment projects developed by Microsoft, its customers, and partners. It includes management and technology guidance and scripts that can be used as is or customized to suit the organization's requirements. BDD 2007 allows administrators to deploy desktops with Zero Touch and Lite Touch interaction at the target PCs.
• Deployment Solution Accelerator. Deployment Solution Accelerator is a best-practice guide that uses limited tools and requires basic infrastructure for the deployment of desktops. It provides guidance, sample templates, and technology files, such as scripts and configuration files, to help administrators who are deploying systems using Microsoft products and technologies.
• Windows Deployment Services. WDS is the updated and redesigned version of Remote Installation Services (RIS) in Windows Server 2008. It provides platform components that enable the use of custom solutions, which include remote boot capabilities, a plug-in model for PXE server extensibility, and a client-server communication protocol for diagnostics, logging, and image enumeration.
• System Center Configuration Manager (SCCM) 2007. Systems Management Server (SMS) 2003 and SCCM 2007 provide a solution for change and configuration management of Microsoft platforms. They enable organizations to provide operating systems, software, and updates to users in a quick and cost-effective way.

For more information about System Center Configuration Manager, see "System Center Configuration Manager 2007 OSD Comparison Matrix".


Lesson 2

Designing Windows Deployment Services

Windows Deployment Services is the updated and redesigned version of Remote Installation Services (RIS) in Windows Server 2008. It is important to understand the improvements in WDS, as it delivers a better in-box deployment experience.


Enhanced Features in WDS

Key Points
Some enhanced features are:
• It supports the deployment of Windows Vista and Windows Server 2008.
• It has higher-performing PXE and TFTP servers for greater scalability.
• It has a new boot menu format that allows WDS to support separate boot architectures and a choice of boot images for each architecture type.
• It uses the WIM image format, which is hardware-agnostic, so you need only one image to address many different hardware configurations. In addition, the WIM image format provides an efficient mechanism for single-instance storage of images.
• It uses the Windows Preinstallation Environment (Windows PE), which is a small version of Windows that runs entirely from RAM. Many network drivers are supported, and additional Windows-based network drivers can be added if required.
• It has multicast support that allows a single image to be transmitted simultaneously to multiple computers. This reduces network utilization during imaging.

For more information, see the "What's new in Windows Deployment Services" section of the "Step-by-Step Guide for Windows Deployment Services in Windows Server 2008" in the Windows Server 2008 Technical Library.


Network Infrastructure Requirements

Key Points
The following are network infrastructure requirements to install and support a WDS deployment server:
• A WDS deployment server must be part of an AD DS domain. All domain and forest functional levels support WDS.
• DHCP must be configured on the network. PXE clients receiving images rely on DHCP to obtain an IP address.
• DNS is required by WDS to communicate with AD DS.
• NTFS is required for storing WDS images.
• WDS installation requires the administrator to be a member of the local Administrators group on the WDS server.
• To boot to the WDS client, you must be a member of the Domain Users group.

Note: WDS can also be deployed as a transport server, which does not require AD DS.


Comparing Transport Server and Deployment Server

Key Points
WDS supports the implementation of both a transport server and a deployment server. A deployment server is a fully functional WDS deployment and requires infrastructure such as AD DS, DHCP, and DNS. A transport server requires none of these. A transport server provides a subset of features for customized multicast deployments. For example, a transport server could be used in a setup lab where AD DS is not available.

For more information, see "Using Transport Server in the Windows Server 2008 Technical Library".


Considerations for Upgrading from RIS to WDS

Key Points
WDS is included in Windows Server 2003 Service Pack 2. The three server modes of operation that exist for WDS in Windows Server 2003 are Legacy, Mixed, and Native. You can reach each of these based on whether you perform a clean WDS install or an upgrade from RIS. These server modes determine the administration experience, the image formats that you can use, and the boot environment. The Legacy and Mixed modes only exist on Windows Server 2003. Native mode exists on Windows Server 2003 and Windows Server 2008. On Windows Server 2008, this is the only supported server mode. Only servers in the Native mode can upgrade from Windows Server 2003 to Windows Server 2008. The transition between the server modes provides a migration path between the existing RIS functionality and the dedicated WDS functionality in Windows Server 2008.


You can upgrade RIS servers by installing WDS onto the existing RIS servers. This step provides WDS functionality in the Legacy mode. From this point, initializing the server with the WDS management tools will result in a transition to the WDS Mixed mode. The switch to Native mode occurs when legacy image types are converted to WIM format and the OSChooser functionality is disabled. Alternatively, you can install WDS onto new servers while continuing to maintain the existing RIS servers. If RIS is not installed on the computer running Windows Server 2003 at the time of WDS installation, the server will automatically be in Native mode and therefore ready to be upgraded to Windows Server 2008.


Considerations for Designing WDS

Key Points
You should note the following issues when you configure your WDS server:
• Internet Protocol version 6 (IPv6) is not supported for this version of WDS, even though the management utilities allow specifying an IPv6 address range.
• Standard boot images (boot.wim) from the media must match (or be newer than) the operating system of the install image.
• Both the WDS and DHCP services listen on UDP port 67. When WDS and a non-Microsoft DHCP server run on the same computer, you need to configure WDS so that it does not listen on port 67, and add Option 60 to the DHCP scopes. Option 60 lets the DHCP client know that the DHCP server is also a WDS/PXE server.
• If DHCP is installed on a server located in a different subnet, one of the following needs to be done:
  – Configure a DHCP relay to forward client DHCP broadcasts on UDP port 67 to both the DHCP server and the WDS PXE server. In addition, allow routing of all unicast traffic from the client computers to UDP port 4011 on the WDS PXE server.
  – Add DHCP options 66 (Boot Server Host Name) and 67 (Boot File Name).
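The script below is an added example, not part of the course text, showing the two DHCP coexistence cases above with the tools that ship in Windows Server 2008 (wdsutil and netsh). The server name and scope ID come from the lab environment (NYC-DC1; the New York Scope of 10.10.1.0 to 10.10.9.254 with mask 255.255.0.0 has scope ID 10.10.0.0), and boot\x86\wdsnbp.com is the default x86 network boot program path under the RemoteInstall folder; treat all three as values to adjust for your own environment. It is meant to be run in an elevated prompt on the WDS server, which in case 1 also hosts the Microsoft DHCP Server role.

```powershell
# Added example (not course material): WDS and DHCP coexistence on Windows Server 2008.
# Assumed/lab values: WDS server NYC-DC1, DHCP scope ID 10.10.0.0, default NBP path.

$WdsServer = "NYC-DC1"
$DhcpScope = "10.10.0.0"              # scope ID of the lab's New York Scope (/16)
$BootFile  = "boot\x86\wdsnbp.com"    # default x86 network boot program served from RemoteInstall

# --- Case 1: WDS and the Microsoft DHCP Server role on the same computer -------------------
# Stop WDS from binding UDP 67 (DHCP keeps it) and have WDS add option 60 = PXEClient to the
# local DHCP scopes so PXE clients learn that the DHCP server is also a PXE server and
# continue the conversation on UDP 4011.
wdsutil /Set-Server /Server:$WdsServer /UseDhcpPorts:No /DhcpOption60:Yes

# What /DhcpOption60:Yes configures, done by hand on a Microsoft DHCP server. With a
# non-Microsoft DHCP server on the same box, the equivalent is set in that product instead.
netsh dhcp server \\$WdsServer add optiondef 60 PXEClient STRING 0
netsh dhcp server \\$WdsServer set optionvalue 60 STRING PXEClient

# --- Case 2: DHCP server on a different subnet, and no relay configured for the PXE server --
# Point clients at the PXE server explicitly with options 66 and 67 on the scope.
netsh dhcp server \\$WdsServer scope $DhcpScope set optionvalue 66 STRING $WdsServer
netsh dhcp server \\$WdsServer scope $DhcpScope set optionvalue 67 STRING $BootFile

# --- Verify ---------------------------------------------------------------------------------
# Confirm the WDS port/option settings and the scope options actually in effect.
wdsutil /Get-Server /Server:$WdsServer /Show:Config
netsh dhcp server \\$WdsServer scope $DhcpScope show optionvalue
```

Only one of the two cases applies to a given server: with the Microsoft DHCP role on the WDS server, the first wdsutil line is the whole configuration, and options 66/67 are needed only when the DHCP server is remote and no relay forwards to the PXE server.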


Discussion: Designing WDS Deployment

Your classroom discussion will include ways to implement WDS in your organization.


Lesson 3

Windows Deployment Services Images

WDS uses both boot and install images to perform operating system deployment. There are also multiple utilities for image creation and maintenance. Understanding how and when to use each of these is important for an effective deployment of WDS.


Features of WDS Images

Key Points
Boot images are used to perform the imaging process. Clients download the boot image and run it in memory as the first step in the imaging process. Additional software in the boot image then performs the imaging process to apply the install images. A capture boot image is used to retrieve an image from a sysprepped workstation. A discover boot image is booted from CD or other portable media to perform imaging on non-PXE clients. Install images contain the operating system and applications that are applied to the computer. Install images are in WIM format and multiple images are stored in a single image group. An image group has multiple WIM files and a single res.rwm file. The WIM files contain metadata about images. The res.rwm file is the single instance storage for image data.


You must use sysprep to generalize an installation of the operating system before it is captured as an install image. Generalizing an operating system allows SIDs to be regenerated and hardware to be redetected when the image is applied. You can use the ImageX utility to create images manually, but the file format used by ImageX is different from WDS. Images created by ImageX must be imported into WDS. RIS images can also be converted to WIM format and imported into WDS.

For more information, see "Working with Images".


Image Capture Utilities

Key Points
ImageX and WDSCapture are both utilities that create WIM images. However, they are used to create WIM images in different scenarios. WDSCapture is best suited to capturing images of an operating system that will be deployed by using WDS. It is efficient because files are copied directly to the WDS server without first making a local copy of the image. ImageX is best suited to modifying existing images. It is capable of performing online editing by applying images of a partial volume to an already applied image. It is also capable of editing existing image files. ImageX may also be suitable for small-scale imaging where the advanced features available in WDS are not required. ImageX is used to create boot images.


Discussion: Considerations for Creating a Custom Install Image

Your classroom discussion will include considerations for creating a custom install image.


Considerations for Maintaining Boot and Install Images

Key Points
When you create boot images, they must use the Windows PE operating system and be stored in WIM format. The version of Windows PE in Boot.wim must not be older than the operating system being installed. For example, Windows PE 2.0 can be used to deploy Windows Vista, but Windows PE 2.1 is required to deploy Windows Vista SP1. The boot.wim image must be marked as boot from RAMDISK by using the /boot option in ImageX. This allows the image to load and run in memory. The image must also have all necessary drivers for network disk access and network connectivity. When creating images of Windows Vista, you need to consider that Windows Vista can only be rearmed three times. To limit the number of rearms you need to perform, make modifications on a base image version rather than performing multiple consecutive revisions on the same image. You can also edit images offline by using ImageX to mount a WIM file. This allows you to make minor changes such as configuration files. However, you cannot install applications during offline editing. To perform offline editing, you must export the image from WDS and then import it when editing is completed.
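The following script is an added example, not part of the course material, and covers the image handling described in this topic and in "Features of WDS Images" above: generalizing with sysprep before capture, marking a Windows PE boot image bootable with ImageX /boot, and the offline edit cycle (export from WDS, mount read/write, change files, commit, replace in WDS) that avoids spending Windows Vista rearms. ImageX comes from the WAIK and is assumed to be on the path; the server name is the lab's NYC-DC1, and the image name, image group, working folder and the answer file being refreshed are placeholders for this example.

```powershell
# Added example (not course material): boot and install image maintenance with
# sysprep, ImageX (WAIK) and wdsutil on Windows Server 2008.
# Placeholders: image/group names, C:\ImageWork, the unattend.xml being refreshed.

$Server     = "NYC-DC1"
$ImageGroup = "WoodgroveImages"       # placeholder image group in WDS
$ImageName  = "VistaBusinessBase"     # placeholder install image (no spaces, so wdsutil args stay simple)
$WorkDir    = "C:\ImageWork"
$ExportWim  = "$WorkDir\export.wim"
$MountDir   = "$WorkDir\mount"

# 1. On the reference computer, generalize before capture so SIDs are regenerated and hardware
#    is redetected when the image is applied. Every /generalize uses one of Windows Vista's
#    three rearms, which is why later changes are made offline to a base image instead:
#      %WINDIR%\System32\sysprep\sysprep.exe /generalize /oobe /shutdown
#    Then capture with the WDS capture boot image (or ImageX) and import the WIM.

# 2. A Windows PE boot image captured with ImageX must be flagged to boot from RAMDISK:
#      imagex /boot /capture C:\winpe_x86\mount C:\winpe_x86\winpe.wim "WinPE x86 boot"
#      wdsutil /Add-Image /Server:$Server /ImageFile:C:\winpe_x86\winpe.wim /ImageType:Boot

# 3. Offline edit of an install image: export it out of the image group to a standalone WIM.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
wdsutil /Export-Image /Server:$Server /Image:$ImageName /ImageType:Install /ImageGroup:$ImageGroup /DestinationImage /FilePath:$ExportWim

# 4. Mount image index 1 read/write (needs the WIM filter driver installed with the WAIK),
#    make file-level changes only (no application installs offline), then commit.
imagex /mountrw $ExportWim 1 $MountDir
Copy-Item "$WorkDir\unattend.xml" "$MountDir\Windows\Panther\unattend.xml"   # placeholder change: refresh an answer file
imagex /unmount /commit $MountDir

# 5. Put the edited copy back into WDS in place of the original, and confirm what WDS now holds.
wdsutil /Replace-Image /Server:$Server /Image:$ImageName /ImageType:Install /ImageGroup:$ImageGroup /ReplacementImage /ImageFile:$ExportWim
wdsutil /Get-Server /Server:$Server /Show:Images
```

Steps 3 to 5 are the loop you repeat for minor changes; only a change that requires installing software (which cannot be done on a mounted image) sends you back to step 1 and costs a rearm.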


Lesson 4

Designing Multicast Transmission of Images


Deploying images through multicasting can significantly reduce the network traffic associated with the deployment of operating systems. Before designing multicast transmission of images, you must understand the scenarios in which multicasting can be used and the types of multicast transmissions that are available.


Scenarios for Using Multicasting

Key Points
Reduced network traffic is the primary benefit of multicasting. A single image is delivered to multiple computers at the same time during a multicast. When unicast transmission is used, the image is delivered over the network once to each computer. Consider using multicasting when:
• Network routers are configured to forward multicast packets. Many network routers are configured to block multicast packets.
• Concurrent installations of the same image are being performed. This is typical when a new batch of computers has been purchased.
• Network traffic should be minimized to avoid affecting other network services.
• Clients have sufficient disk space to hold the image before it is applied locally. Multicasting requires that the image be stored entirely on the local disk before it is applied.


Types of Multicast Transmissions

Key Points
An auto-cast begins when the first client requests the designated image. When additional clients request the same image, they are joined to the multicast transmission already in progress. Clients that join later eventually obtain the entire image by requesting the missing portions of the image. A scheduled-cast begins at a specified time or when a certain number of clients have joined. You can also manually start the transmission if the requirements are not met. Clients must join before the image transmission begins.

For more information, see "Chapter 13: Multicasting with Deployment Server".

Considerations for Designing Multicast Transmissions

Key Points
When designing a multicast transmission, you need to be aware of several prerequisites:
• Routers on the network must support multicasting.
• At least one install image must be available to transmit, and a boot.wim file from the Windows Server 2008 media must exist on the server. Ensure that the boot.wim comes from the Windows Server 2008 media; the boot.wim from the Windows Vista DVD (pre-SP1) does not support multicasting.
• If multiple WDS servers are performing multicasting, they must use unique multicast addresses. Each WDS server has the same default range. You can manually create static ranges that do not overlap on each server, or use MADCAP to automatically avoid conflicting multicast addresses across multiple WDS servers.
• Once a WDS server is configured, any change to the multicast IP address range, the UDP port range, or the RPC port number requires the WDS service to be restarted before the change takes effect.

Lesson 5

Designing a Software Update Process

After deploying the operating systems in your organization, you also need to implement a process to ensure that you can efficiently distribute software updates to servers and client computers. Microsoft provides several tools to implement this process. As part of your operating system deployment design, you should also design how software update requirements will be evaluated and how the updates will be distributed.

Overview of Update Management Tools

Key Points
Microsoft periodically releases software updates for Windows operating systems and Microsoft applications such as Office 2007. Several update management tools and distribution mechanisms can be used to assist with updating computers:
• Microsoft Update and Windows Update both apply updates to Windows operating systems. However, Microsoft Update also identifies and applies updates for additional Microsoft software such as Microsoft Office and Microsoft SQL Server. These are typically used in home and small office environments.
• The Automatic Updates client obtains and installs high-priority updates from Microsoft Update or Windows Update. It can also be configured to obtain updates from an internal Windows Server Update Services (WSUS) server.
• Microsoft Baseline Security Analyzer (MBSA) is a tool designed to help small- and medium-sized businesses determine their security state in accordance with the security recommendations of Microsoft. MBSA also offers specific remediation guidance.

• WSUS obtains updates from Microsoft Update and allows administrators to test and approve the updates before distributing them to client computers in the organization. This is typically implemented in larger companies that need to manage updates to many client machines.
• System Center Configuration Manager 2007 (SCCM) provides a set of tools to manage software updates in an enterprise environment that improves upon the original tools introduced with Systems Management Server (SMS) 2003. Software update management in SCCM 2007 provides more advanced configuration options and uses new components and improved technology.

How WSUS Works

Key Points
A WSUS server can be configured to download updates from Microsoft Update or from another WSUS server. The updates are downloaded on a schedule. An administrator can define the schedule and the types of updates to be downloaded. When updates are downloaded, they must be approved before they are delivered to clients. An update can be approved only for a specific group of computers. This allows administrators to test updates on a specific group of computers before full deployment. The Automatic Updates client must be configured to download updates from a WSUS server and not from Microsoft Update. This can be done manually on each computer, but is typically done by using Group Policy.
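The Group Policy setting that points Automatic Updates at a WSUS server is stored as registry values under the WindowsUpdate policy key, so the client side of the design can be audited on any machine. The following PowerShell is an added example and not part of the course; it assumes an elevated session on a domain-joined client after gpupdate /force, and the WSUS URL it expects is a constructed placeholder.

```powershell
# Added example: audit the Automatic Updates policy written by the
# "Specify intranet Microsoft update service location" Group Policy setting.
# Assumptions: run elevated on a domain-joined client after gpupdate /force;
# $ExpectedServer is a constructed placeholder for your WSUS URL.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$ExpectedServer = 'https://wsus.woodgrove.example:8531'   # placeholder

function Test-WsusClientPolicy {
    param([string]$Expected = $ExpectedServer)

    $findings = @()
    $wu = $null
    $au = $null
    if (Test-Path $WuKey) { $wu = Get-ItemProperty -Path $WuKey }
    if (Test-Path $AuKey) { $au = Get-ItemProperty -Path $AuKey }

    if ($wu -eq $null) {
        $findings += 'No WindowsUpdate policy key: the client still uses Microsoft Update'
    } else {
        # The WUServer value is ignored unless AU\UseWUServer is set to 1.
        if ($au -eq $null -or $au.UseWUServer -ne 1) {
            $findings += 'AU\UseWUServer is not 1: WUServer is ignored and Microsoft Update is used'
        }
        if (-not $wu.WUServer) {
            $findings += 'WUServer is not set'
        } else {
            if ($wu.WUServer -ne $Expected) {
                $findings += "WUServer is '$($wu.WUServer)', expected '$Expected'"
            }
            # Over plain HTTP the client cannot verify that it is talking to the
            # intended WSUS server; WSUS 3.0 supports SSL for the metadata traffic.
            if ($wu.WUServer -notlike 'https://*') {
                $findings += 'WUServer is not an HTTPS URL: update metadata is not authenticated in transit'
            }
            # Status reports should go to the same server that serves the updates.
            if ($wu.WUStatusServer -ne $wu.WUServer) {
                $findings += 'WUStatusServer differs from WUServer: client status reports go elsewhere'
            }
        }
        if ($au -ne $null -and $au.NoAutoUpdate -eq 1) {
            $findings += 'AU\NoAutoUpdate is 1: Automatic Updates is disabled by policy'
        }
    }

    # AUOptions: 2 = notify before download, 3 = auto download and notify for
    # install, 4 = auto download and schedule install, 5 = local admin chooses.
    # TargetGroupEnabled/TargetGroup select client-side targeting into a WSUS
    # computer group; without them the group is assigned on the WSUS server.
    $targetGroup = '(server-side targeting)'
    if ($wu -ne $null -and $wu.TargetGroupEnabled -eq 1) { $targetGroup = $wu.TargetGroup }

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        AUOptions      = $au.AUOptions
        TargetGroup    = $targetGroup
        Findings       = $findings
        Compliant      = ($findings.Count -eq 0)
    }
}

# Report on this client. After correcting the policy, "wuauclt /detectnow"
# makes the client contact the WSUS server without waiting for the next
# detection cycle.
Test-WsusClientPolicy |
    Format-List ComputerName, WUServer, WUStatusServer, UseWUServer, AUOptions, TargetGroup, Compliant, Findings
```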

WSUS Deployment Scenarios

Key Points
A single WSUS server scenario involves setting up a server that runs WSUS inside the corporate firewall. WSUS synchronizes content directly with Microsoft Update and distributes updates to client computers.

A scenario in which multiple independent WSUS servers are used involves the deployment of multiple servers, each managed independently and each synchronizing its content from Microsoft Update. This method might be appropriate for situations in which different LAN or WAN segments are managed as separate entities, such as a branch office. It can also be used when each server that runs WSUS is configured to deploy updates only to client computers that run a certain operating system.

A scenario in which multiple internally synchronized WSUS servers are used involves the deployment of multiple servers that run WSUS and synchronize all content within the organization's intranet. In such a scenario, only one server is exposed to the Internet to download updates from Microsoft Update. This server is set up as the upstream server and acts as the source from which the downstream servers synchronize. When applicable, servers can be located throughout a geographically dispersed network to provide the best connectivity to all client computers.

A scenario in which disconnected WSUS servers are used includes an internal server that runs WSUS and is not connected to the network, except initially when it connects to the Internet to download the updates. After downloading, testing, and approving the updates on this server, an administrator exports the update metadata and content to the appropriate media. From the media, the administrator then imports the update metadata and content to the servers that run WSUS within the intranet. Companies with strict policies or other conditions that limit computer access to the Internet can implement this method. It can be scaled to a deployment of any size.

Guidelines for Planning a WSUS Infrastructure

Key Points
To simplify security, place a single WSUS server in a perimeter network that can be used to provide updates to other WSUS servers. When configured this way, WSUS shares only updates and metadata with its downstream servers during synchronization, not information on computer groups or approved updates. This method can be used to download updates once from the Internet and then distribute them to downstream servers in branch offices, saving bandwidth on the Internet connection. You will typically want to place WSUS servers close to client computers to minimize network traffic. For example, placing a WSUS server in a branch office allows updates to be applied to all computers in the branch office, while each update is delivered over the WAN link only once, to the WSUS server.

When configuring synchronization, download only the languages that are required. Updates are available in many languages, and limiting the number of downloads reduces Internet bandwidth and storage space on the WSUS server. Updates are typically downloaded and stored on a local WSUS server. However, if you specify that updates remain stored on Microsoft Update, then WSUS acts only as a mechanism to approve updates. The synchronization schedule determines how often updates are downloaded by WSUS. To ensure that critical updates are obtained as quickly as possible, configure WSUS to synchronize daily. When you configure a new WSUS server, you can speed up the initial synchronization by copying updates directly from one WSUS server to another.

Lab: Designing Operating System Deployment and Maintenance

Scenario
Woodgrove Bank would like to design and implement an effective solution for the deployment of operating systems. They would like you to evaluate their requirements and determine the best solution to use within their organization. You are designing a solution for North America that will be used as a template for other regions. Client machines are running Windows 2000, Windows XP SP2, and Windows Vista. A number of applications, including Microsoft Office 2007 Professional, are installed. Data is stored only in the hub sites, and documents are accessed from file servers in the hub sites over WAN links.

Updating desktops with Microsoft updates is performed using a number of outdated in-house tools. The update process is very time consuming, and some of the client machines are not properly patched for an extended period. The current process involves each client computer downloading large amounts of data. You want the new solution to consume less bandwidth. The company would like you to design and implement a better update management solution that supports all Microsoft Windows operating systems and Microsoft Office 2007 applications deployed at the bank. You should be able to control the updates that are available for download to clients.

All servers and desktop computers are joined to the bank's Active Directory Domain Services (AD DS) domain. Servers are located in data centers in each hub site and connected to the corporate Ethernet using Gigabit network interface cards (NICs). Only the hub site in New York is configured with a perimeter network protected by a firewall. All other branches are connected to a hub site by T1 lines. The hub sites are connected to New York with 10 Mbps WAN links. All routers can support multicasting but are currently using the default configuration. The user desktops are all connected using 100 Mbps NICs, and they acquire their addresses from Microsoft DHCP servers at each location. AD DS uses Microsoft DNS.

The company would like you to design and implement an effective and secure deployment solution for operating systems. The bank wants to replace 2500 computers at the New York location and 1000 computers in Toronto with x86-based computers that run Windows Vista. You also want to upgrade the remaining Windows Server 2003 infrastructure to Windows Server 2008 Standard and Enterprise editions running on an x86 hardware platform. All servers have been provided with sufficient hard drive space for an upgrade and have been formatted with the NTFS file system. If possible, you should be able to control the schedule of the deployment, though you have not yet decided on the exact dates.
Currently, operating system deployments are done using Remote Installation Services (RIS) running on Windows Server 2003 servers, and you want to ensure that the existing processes for computer building are preserved. Users are concerned that some of their data and personalized settings may be lost during the migration. They are also concerned about their data being exposed to unauthorized users. The security group at the bank is concerned that some machines are not being patched in a timely fashion. They also demand that the new deployment design for operating systems considers the privacy of the users and ensures that security is maintained during and after the migration. Access to the image store needs to be secured to prevent unauthorized users from reading and mounting images.

Exercise 1: Designing an Operating System Deployment Solution


In this exercise, you will review the business and technical requirements for the deployment and maintenance of operating systems and select an appropriate method to deploy operating systems. The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Review information about the current business requirements.
3. Select a deployment solution for the operating system.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Review information about the current business requirements


1. What are the business requirements described in the scenario?
2. What are the requirements to choose the appropriate deployment solution for operating systems for the Woodgrove Bank design?

Task 3: Select a deployment solution for operating systems


What deployment solution for operating systems do you recommend and why?

Exercise 2: Designing WDS Deployment


WDS will be used for both deploying new operating systems and ad hoc reimaging of failed workstations. When a single computer is reimaged, the target time for completion is 30 minutes or less. When new batches of computers are imaged, the impact on network performance must be minimized. User profile information should be migrated from the old computers and applied to the new computers. The main tasks for this exercise are:
1. Design the WDS infrastructure.
2. Design the deployment process.

Task 1: Design WDS infrastructure


1. Where will WDS servers be located?
2. What types of data need to be stored on each WDS server?
3. How will the impact on network performance be minimized during the deployment of new computers? What are the requirements for this solution?

Task 2: Design the deployment process


1. How will user data be captured from existing workstations and applied to new workstations?
2. What process will be used when deploying new workstations?
3. How will this process vary for reimaging existing workstations?

Exercise 3: Designing WDS Images


It has been determined that each workgroup in Woodgrove Bank requires a different image to accommodate the varying applications required by each group. Four images will be created: for executives, investments, customer services, and branch managers. Within each workgroup, there are varying types of hardware. The imaging process needs to be completely automated so that desktop support staff do not need to provide any input during or after the imaging process. The main task for this exercise is: Design the images and imaging process.

Task 1: Design the images and imaging process


1. How will you accommodate varying types of hardware within each workgroup?
2. What process will you use for image creation?
3. How can you automate the imaging process to ensure that user input is not required?
4. What are the requirements for the boot image?
5. Is there a need to convert existing RIS images to WIM images?

Exercise 4: Designing a WSUS Deployment


Woodgrove Bank has determined that Windows Server Update Services (WSUS) will meet the needs for applying updates to Windows workstations. A deployment of WSUS for Woodgrove Bank needs to be designed. Each hub site has 1000 or more computers, while each bank branch has 50 computers or fewer. The main task for this exercise is: Design a WSUS deployment.

Task 1: Design a WSUS Deployment


1. What process will be used to approve updates?
2. Which updates should be downloaded and applied?
3. Which deployment scenario should be used for WSUS servers?
4. Where should WSUS servers be located?
5. What client configuration is necessary?

Exercise 5: Discussing Operating System Deployment and Maintenance


Now that you have completed your design for the deployment and maintenance of operating systems, participate in a discussion with your instructor and the class. The main task for this exercise is:
1. Discuss your design for the deployment and maintenance of operating systems with the instructor and other students.

Task 1: Discuss your design for the deployment and maintenance of operating systems with the instructor and other students

1. With your instructor, discuss the WDS deployment design that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the WDS images design that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the WSUS deployment design that is appropriate for Woodgrove Bank.

Exercise 6: Implementing Multicast Transmissions for Images


The first batch of five new servers has arrived at Woodgrove Bank. A scheduled multicast must be configured to complete imaging these servers with Windows Server 2008. The main tasks for this exercise are:
1. Install the WDS server role.
2. Configure the WDS server.
3. Add images to the WDS server.
4. Configure a multicast.
5. Close all virtual machines and discard undo disks.

Task 1: Install the WDS server role


On NYC-DC1, use Server Manager to install the Windows Deployment Services server role.
  • Role services: Deployment Server and Transport Server

Task 2: Configure the WDS server


On NYC-DC1, use the Windows Deployment Services administrative tool to configure WDS on NYC-DC1.
  • Folder of operating system images: Accept the default location
  • Respond only to known client computers
  • Do not add images to Windows Deployment Server now

Task 3: Add images to the WDS server


1. On NYC-DC1, use the Windows Deployment Services administrative tool to add an install image.
  • Image group name: WindowsServer2008
  • File location: D:\sources\install.wim
  • Deselect Windows Longhorn SERVERDATACENTER
  • Deselect Windows Longhorn SERVERDATACENTERCORE
  • Use the default name and description for each selected image.
2. Wait while the images are imported into the WindowsServer2008 image group. This can take 10 minutes or more. The process is much faster after the first image is imported.
3. Use the Windows Deployment Services administrative tool to add a boot image.
  • File location: D:\sources\boot.wim
  • Image description: From Windows Server 2008 DVD

Task 4: Configure a multicast


On NYC-DC1, use the Windows Deployment Services administrative tool to create a multicast transmission.
  • Friendly name: First Batch
  • Image: Windows Longhorn SERVERENTERPRISE
  • Transmission type: Scheduled-Cast that waits for 5 clients
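The same configuration can be scripted with ServerManagerCmd.exe and WDSUTIL.exe, which ship with Windows Server 2008. The commands below are an added example and not part of the course lab; they assume an elevated PowerShell session on NYC-DC1 with the Windows Server 2008 DVD in drive D:, and the RemoteInstall path and the multicast address range are constructed placeholders.

```powershell
# Added example: command-line equivalent of Tasks 1 to 4 on NYC-DC1.
# Assumptions: run elevated; the Windows Server 2008 DVD is drive D:;
# E:\RemoteInstall and the 239.192.10.x range are constructed placeholders.

# Task 1: install the Windows Deployment Services role (Deployment Server
# and Transport Server role services).
ServerManagerCmd.exe -install WDS

# Task 2: initialize WDS. The RemoteInstall folder must be on an NTFS volume
# other than the system volume. Answering only known (prestaged) clients keeps
# the server from handing a boot image to any machine that PXE boots on the
# subnet; new computers are prestaged in AD DS before they are imaged.
wdsutil /Initialize-Server /RemInst:E:\RemoteInstall
wdsutil /Set-Server /AnswerClients:Known

# Task 3: add images. The wizard lets you deselect the Datacenter editions;
# WDSUTIL imports every image in install.wim unless /SingleImage names one,
# so only the edition the multicast will use is imported here.
wdsutil /Add-Image /ImageFile:D:\sources\install.wim /ImageType:Install `
    /ImageGroup:WindowsServer2008 "/SingleImage:Windows Longhorn SERVERENTERPRISE"
wdsutil /Add-Image /ImageFile:D:\sources\boot.wim /ImageType:Boot `
    "/Description:From Windows Server 2008 DVD"

# Task 4: scheduled-cast that starts once five clients have joined.
wdsutil /New-MulticastTransmission "/FriendlyName:First Batch" `
    "/Image:Windows Longhorn SERVERENTERPRISE" /ImageType:Install `
    /ImageGroup:WindowsServer2008 /TransmissionType:ScheduledCast /Clients:5
wdsutil /Get-AllMulticastTransmissions

# Design check from Lesson 4: every WDS server ships with the same default
# multicast range, so a second multicasting server on the network needs a
# range of its own. The parameter names below are an assumption about
# /Set-TransportServer (confirm with: wdsutil /Set-TransportServer /?), and
# the change takes effect only after the WDS service is restarted.
wdsutil /Set-TransportServer /ObtainIpv4From:Range /Start:239.192.10.1 /End:239.192.10.254
wdsutil /Stop-Server
wdsutil /Start-Server
```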

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.


Module 11
Designing Files Services and DFS in Windows Server 2008
Contents
Lesson 1: Designing File Services
Lesson 2: Designing Distributed File System
Lesson 3: Designing File Server Resource Manager Configuration
Lab: Designing Files Services and DFS in Windows Server 2008


Module Overview

Access to files is a critical service in a Windows Server 2008 network. To design file services, you need to be aware of the server roles and features available in Windows Server 2008 that support file services, including Distributed File System (DFS) and File Server Resource Manager (FSRM).

Lesson 1

Designing File Services

To design file services for a Windows Server 2008 network, you must understand the business requirements for file services and the file services options available in Windows Server 2008. In Windows Server 2008 and Windows Vista, Server Message Block 2.0 (SMB 2.0) is available for file sharing. DFS can be used to increase the availability of files and synchronize data between servers.

Business Requirements for File Services

Key Points
Access to file services is a critical part of a Windows Server 2008 network. Users and applications rely on access to files to keep the organization running smoothly. When files are not available, workers and applications are idle. Business requirements for file services can include:
• High availability. This ensures that files are available based on the uptime required by the organization.
• Geographic distribution. This synchronizes files between servers in different physical locations. Synchronizing files allows users to access a local copy of files, which is much faster than accessing centralized data over a WAN link.
• File storage management. This ensures that administrators understand and control how storage is being used on the network.

Components of a File Services Design

Key Points
The most basic component of a file services design is shared folders. Shared folders on a server are used to provide access to files stored on that server. Other components that can be used as part of a file services design are:
• Failover clustering. Failover clustering provides high availability but requires shared storage between the cluster nodes and Windows Server 2008 Enterprise Edition.
• DFS. DFS provides high availability and file synchronization between servers.
• FSRM. FSRM provides file storage management by controlling how storage can be used and reporting on current usage.
• Access-based enumeration. Access-based enumeration limits the files and folders that users can see to only those which they have permission to access.

• WAN acceleration. WAN acceleration is not a feature of Windows Server 2008. It is implemented by dedicated hardware devices on the network to enhance communication over WAN links. It is very effective for SMB 1.0 traffic.
• Server Message Block version 2.0. SMB 2.0 is a new version of the file sharing protocol in Windows Server 2008 that increases file sharing performance by lowering the number of packets transmitted on the network.

SMB Enhancements in Windows Server 2008

Server Message Block (SMB), also known as Common Internet File System (CIFS), is the protocol used for file sharing between Windows servers and clients. Windows Server 2008 and Windows Vista implement SMB version 2.0. However, Windows Server 2008 and Windows Vista use SMB 1.0 to communicate with Windows operating systems that do not support SMB 2.0. SMB 2.0 supports sending multiple commands in a single packet and larger buffer sizes. These features should increase performance, particularly over WAN links, where latency exacerbates the slowness introduced by having many packets in a network communication. Durable handles that can survive short network interruptions are another new feature of SMB 2.0. This helps maintain file connectivity for wireless and VPN users, for whom network interruptions are common.

For more information, see "New Networking Features in Windows Server 2008 and Windows Vista".

What Is Distributed File System?

DFS enables replication of data from one server to another. It also provides a single folder structure for shared folders on multiple servers to simplify user access. DFS is most commonly used in the following scenarios:
• Publishing files. Files are updated at a central location and replicated out to other locations as read-only documents. This is suitable for policies and procedures documents.
• Collecting files. Files from branch offices can be replicated to a central location for backup. Also, if files are unavailable in the branch office, they can be accessed at the central location.
• Loose collaboration. Files are replicated between multiple locations and can be edited by users in any location. There is a risk that multiple users edit a document at the same time, in which case conflict resolution must be performed.

Components of DFS

Key Points
DFS namespaces are responsible for managing user access to shared folders. Multiple folders are configured in a single folder structure that can include data from multiple servers. Each folder is configured with one or more targets. Each target is a shared folder. A domain-based DFS namespace stores configuration data in Active Directory and is used in most circumstances. A stand-alone DFS namespace has greater scalability in very large scenarios and can be used when Active Directory is not available on the network.

DFS replication is responsible for replicating data between folders in a replication group and replaces the File Replication Service (FRS) used by DFS in Windows 2000 Server and Windows Server 2003. DFS replication has many additional options over FRS, such as remote differential compression (RDC), which replicates only file changes when possible, rather than an entire file.

Comparing Failover Clustering and DFS for High Availability

Key Points
Failover clustering has two or more nodes that are typically in the same physical area. Data must be located on shared storage, such as a SAN or a shared SCSI bus, and only one node at a time provides file share access to the data. No synchronization of files is required because there is only a single instance of the data on the shared storage. DFS synchronizes data between two or more shared folders. The shared folders can be geographically dispersed without using any specialized hardware. A copy of the files exists on each shared folder in the replication group. Due to the distributed nature of DFS, there is a risk that multiple users could modify the same file simultaneously and create a replication conflict, which must then be resolved.

Lesson 2

Designing Distributed File System

DFS in Windows Server 2008 is significantly enhanced over the version of DFS found in Windows 2000 Server and Windows Server 2003. However, they can interoperate if required. To design DFS, you need to consider namespace availability, referrals, and optimization. You must also determine how DFS replication will be configured.

New DFS Features in Windows Server 2008

Key Points
DFS was significantly enhanced in Windows Server 2003 R2 with the introduction of DFS replication. The version of DFS in Windows Server 2008 has a few new features which are enhancements over DFS in Windows Server 2003 R2. DFS namespaces have been enhanced with access-based enumeration and cluster support for stand-alone namespaces. To enable these features, the namespace must be changed to Windows Server 2008 mode. DFS replication has been enhanced with:
• A new content freshness check to prevent servers that have been offline for an extended period of time from overwriting current data.
• Faster recovery from unexpected shutdowns of DFS replication, the computer, or volumes.
• Increased performance, which provides faster replication of files, better use of available bandwidth, and accommodation of high-latency networks.
• A propagation report that is generated based on propagation of a test file as a diagnostic test.
• The replicate now option, which allows you to initiate replication of a folder immediately regardless of the replication schedule.

For more information, see "Distributed File System in the Windows Server 2008 Technical Library".

Interoperability with Previous Versions of DFS

Key Points
The namespaces used by varying versions of DFS on Windows Server are interoperable. However, lower-level versions may not support some of the newer features, such as failback. Windows 2000 Server and Windows Server 2003 use FRS for replication. Windows Server 2003 R2 and Windows Server 2008 use either DFS replication or FRS. Each set of replicated folders can use only one type of replication. However, with the folder structure provided by DFS namespaces, each folder can be configured with a different replication type. When configuring replication, it is important to use the appropriate tool: the DFS Management administrative tool should be used to manage DFS replication, while the Distributed File System administrative tool should be used to manage FRS replication.


For more information, see "TechNet Webcast: Migrating File Replication Service Replica Sets to Distributed File System Replication (Level 200)".

Guidelines for Designing DFS Namespace Availability

Key Points
A domain-based namespace can be hosted on multiple servers. Hosting on multiple servers increases the availability of a namespace because availability of a single server is not required. Stand-alone namespaces are hosted on a single server with configuration data stored locally. Increase the availability of a stand-alone namespace by using failover clustering.

11-16

Designing a Windows Server 2008 Network Infrastructure

Each folder in a namespace can have one or more targets. Use multiple targets for each folder to increase availability. Replication is then used to synchronize data between folder targets. When domain-based namespaces have more than 5000 folders, performance issues can be experienced. Use stand-alone namespaces when there are more than 5000 folders in a namespace.

Considerations for Configuring Referrals

Key Points
Referral ordering controls the order in which the targets for a folder are presented to clients. The ordering configured on the DFS root is the default, but it can be overridden for each folder. Targets with the same cost are randomly ordered. The referral ordering options are:
• Lowest cost
• Random
• Exclude targets outside of the client's site

Target priority is used for fine-tuning referrals and overrides the referral ordering configuration. The target priority options are:
• First among targets of equal cost
• Last among targets of equal cost
• First among all targets
• Last among all targets

Guidelines for Optimizing DFS Namespaces

Key Points
Consider the following guidelines for optimizing DFS namespaces:
• Disable referrals to a folder during server maintenance to avoid impacting users.
• Shorten the referral cache on clients to speed up discovery of namespace changes. The default time-to-live is 30 minutes.
• Enable client failback to resume using a preferred server after recovery. This is useful when you want clients to resume using a local server instead of a remote server.

• Optimize namespace polling for consistency or scalability. Namespace polling is used by namespace servers to retrieve configuration data from Active Directory. When optimized for consistency, Active Directory is polled more often.

For more information, see "Designing Distributed File Systems".

Best Practices for Deploying DFS Namespaces

Key Points
The best practices for deploying DFS namespaces are:
• Use DFS namespaces to create a unified folder hierarchy. This makes it easier for users to locate files because they do not need to browse multiple servers.
• Use multiple folder targets to increase availability of individual folders.
• Use the lowest cost method for ordering target referrals. In most cases, you prefer users to access files from a target that is within the local Active Directory site.
• Use scalability mode for more than 16 namespace servers. Scalability mode reduces the namespace polling performed by the namespace servers and reduces the load on Active Directory.
• Specify a primary server by using target priority to reduce replication conflicts. When a primary server is specified, all users access files on a single server.


Guidelines for Designing DFS Replication

Key Points
Guidelines for designing DFS replication include:
• Use a mesh replication topology only with fewer than 10 members. This reduces replication complexity and improves performance. With more than 10 members, consider a hub and spoke replication topology.
• Use bandwidth throttling to ensure that replication does not overwhelm WAN links. This can be important when WAN links have low bandwidth.
• Use cross-file remote differential compression (RDC) to reduce replication traffic. Cross-file RDC recognizes patterns in multiple files and uses those patterns to reduce replication. The feature is available when one replication partner is running an Enterprise Edition version of Windows Server.
• Use replication filters to prevent replication of unwanted file types. Replication filters can restrict replication based on file extension.


• Size Staging folders and Conflict and Deleted folders appropriately. The Staging folder (4 GB default size) should be at least two times the size of the largest replicated file. If the Conflict and Deleted folder (660 MB default size) is too small, conflicts could be purged before they are addressed. Both folders are purged down to 60% usage when they reach 90% usage.

For more information, see "Designing Distributed File Systems".


Lesson 3

Designing File Server Resource Manager Configuration

Designing the configuration and implementation of FSRM requires you to understand the capabilities of FSRM. The two components of FSRM are quotas and file screening.


Uses for FSRM

Key Points
FSRM is a component that is used by administrators to manage storage. It allows you to:
• Monitor storage. Monitoring storage allows you to identify trends in storage utilization. When trends are identified, you can take appropriate action such as imposing quotas or increasing storage capacity.
• Limit storage utilization. In many environments, it is not feasible to allow unlimited storage due to cost concerns. FSRM can impose limits on folders or users.
• Prevent storage of specific file types. Storage is often unnecessarily wasted on data with no organizational purpose, such as MP3 files or videos. You can block files based on their file extensions.
• Generate storage reports. Storage reports simplify the monitoring of storage by providing an easy way to generate information in a consistent format.


FSRM Quotas

Key Points
FSRM quotas are used to limit and monitor storage utilization.
• A hard quota imposes a limit on storage utilization for a volume or folder. Hard quotas should be implemented only after the user impact has been evaluated. Quotas are not specific to users or groups.
• A soft quota only triggers notifications when a limit on a volume or folder is reached. Notifications can trigger events, emails, commands, or reports. Notifications are based on a percentage of the quota limit.
• To simplify management of quotas, you can use quota templates. Quota templates allow you to define a quota configuration and apply it to multiple volumes or folders. When a quota template is modified, the quota for all folders to which the template has been applied is also modified.

For more information, see "Working with Quotas in the Windows Server 2008 Technical Library".


FSRM File Screening


Key Points
FSRM file screening is used to limit and monitor storage of specific file types. The file types are identified based on file extension, not on analysis of the data content. You can prevent storage of specific file types or trigger notifications when specific file types are stored. To manage file screening, multiple file extensions are defined as a file group. The file group is then allowed or denied. You can standardize the file groups available by using file screen templates.

For more information, see "Screening Files in the Windows Server 2008 Technical Library".
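The following Python model is an added example, not course material or FSRM code, that shows the file screening semantics described above and the exception used in Exercise 5 of this module's lab: an active screen on C:\Investments denies the "Audio and Video Files" group, a passive screen only notifies, and an exception on the C:\Investments\media subfolder overrides the screen above it. The file group patterns are a constructed subset of the built-in group. Because FSRM matches on the file name only, the model also includes a small content check (the ASF container header that .wmv and .wma files begin with) to show the kind of inspection that file screening does not perform.

```python
import fnmatch
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# File groups are name patterns only; FSRM never inspects content. Constructed
# subset of the built-in "Audio and Video Files" group.
FILE_GROUPS: Dict[str, Dict[str, List[str]]] = {
    "Audio and Video Files": {
        "include": ["*.wmv", "*.wma", "*.mp3", "*.avi", "*.mpg", "*.mov"],
        "exclude": [],
    },
}


@dataclass(frozen=True)
class Rule:
    path: str                  # folder the rule is applied to; subfolders inherit it
    groups: Tuple[str, ...]    # file groups the rule covers
    kind: str                  # "screen" or "exception"
    active: bool = True        # active screen blocks the save; passive only notifies


def matches_group(filename: str, group_name: str) -> bool:
    """Extension-based match: include patterns minus exclude patterns."""
    group = FILE_GROUPS[group_name]
    name = filename.lower()
    included = any(fnmatch.fnmatchcase(name, p) for p in group["include"])
    excluded = any(fnmatch.fnmatchcase(name, p) for p in group["exclude"])
    return included and not excluded


def evaluate(file_path: str, rules: Tuple[Rule, ...]) -> str:
    """Return 'allowed', 'blocked' or 'notify' for saving file_path.

    The rule on the deepest folder containing the file decides, so an exception
    on a subfolder overrides a screen applied to one of its parents.
    """
    p = PureWindowsPath(file_path)
    ancestors = {str(a).lower() for a in p.parents}
    hits = []
    for rule in rules:
        rule_path = str(PureWindowsPath(rule.path)).lower()
        if rule_path in ancestors and any(matches_group(p.name, g) for g in rule.groups):
            hits.append((len(rule_path), rule))
    if not hits:
        return "allowed"
    _, deepest = max(hits, key=lambda h: h[0])
    if deepest.kind == "exception":
        return "allowed"
    return "blocked" if deepest.active else "notify"


# ASF container header GUID: the first 16 bytes of any .wmv or .wma file.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")


def extension_hides_media(filename: str, first_bytes: bytes) -> bool:
    """True when the content is ASF media but the name would pass an extension screen."""
    is_asf = first_bytes.startswith(ASF_HEADER_GUID)
    return is_asf and not matches_group(filename, "Audio and Video Files")


# Rules from Exercise 5: screen the share, make an exception for the media folder.
LAB_RULES: Tuple[Rule, ...] = (
    Rule(r"C:\Investments", ("Audio and Video Files",), "screen"),
    Rule(r"C:\Investments\media", ("Audio and Video Files",), "exception"),
)


if __name__ == "__main__":
    for path in (r"C:\Investments\Video.wmv", r"C:\Investments\media\Video.wmv"):
        print(path, "->", evaluate(path, LAB_RULES))
```

The last function is the caveat a design review should record: a file screen enforces a naming policy, so capacity abuse by media stored under a different extension still has to be caught by storage reports (files by owner or by size) rather than by the screen itself.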


Discussion: Designing FSRM

Key Points
Discuss the potential uses for FSRM in your environment in a classroom discussion. Also, discuss the detailed settings that would be used to implement the discussed scenarios.


Lab: Designing Files Services and DFS in Windows Server 2008

Scenario
Woodgrove Bank has data distributed on file servers in every hub site in the organization. The North America region is being evaluated, and the changes made there will be used as a template for redesigning file services in other regions. North America has four hub sites with branches connected to each one. A hub and spoke design has been used for the WAN, with New York as the hub. The hub sites in North America are:
• New York
• Toronto
• Miami
• Seattle

File services are organized based on workgroups. There is a single file server for each workgroup in each hub site. Occasionally, users need to access workgroup resources in other hub sites over the WAN links. Bank branches access files in the hub sites over WAN links. There is no local file storage in the branches. The file shares in North America are:
• \\NYC-FS1\Customer
• \\NYC-FS2\Investments
• \\NYC-FS3\Managers
• \\NYC-FS4\Executives
• \\TOR-FS1\Customer
• \\TOR-FS2\Investments
• \\TOR-FS3\Managers
• \\MIA-FS1\Customer
• \\MIA-FS2\Investments
• \\MIA-FS3\Managers
• \\SEA-FS1\Customer
• \\SEA-FS2\Investments
• \\SEA-FS3\Managers

All file servers use new hardware and run on Windows Server 2008. All storage is local to minimize storage costs. The SAN is used only for application servers.


Exercise 1: Selecting File Services Components


During the initial design process for file services, you have had meetings with various user and management groups. Based on those meetings, the following concerns have been raised:
• Access to files between hub sites is slow for users running Windows XP, particularly file browsing. This occurs even over fast links.
• Within file shares, access to files is limited based on NTFS permissions. However, users are able to see folders to which they do not have access. This is confusing for users and generates help desk calls when users experience an error when trying to access folders to which they do not have access.
• The outage of a file server in any hub site would cause a significant interruption in services to customers. File shares should be highly available within a hub site.
• Storage use is difficult to monitor at this time because it is a manual process. This should be automated to ensure that sufficient capacity is available.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Select a file service component.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.


Task 2: Select a file service component


1. How will you address the concern over slow access to files over WAN links?
2. How will you address the concern over users seeing folders to which they do not have permission?
3. How will you implement high availability for file shares?
4. How will you monitor storage utilization?

Exercise 2: Designing DFS


You have decided to implement DFS for Woodgrove Bank. A single namespace will be used to simplify user access to files. A single new file server has been allocated to each hub site to implement high availability. The following requirements have been determined:
• Backup for all file servers will be centralized in New York by using DFS replication to centralize data.
• Executive data must be made available locally in all hub sites.
• When implementing high availability in each hub site, replication conflicts must be minimized.
• The namespace for DFS should provide the simplest access to files possible for users.

The main tasks for this exercise are:
1. Design replication.
2. Design the namespace.

Task 1: Design replication


1. Where will files be stored in each hub site?
2. How will centralized backup be accommodated?

Task 2: Design the namespace


1. How many namespace servers should there be?
2. Should a domain-based or stand-alone namespace server be used?
3. List the folders and targets in the DFS namespace.
4. Which options should be used for each folder in the namespace?


Exercise 3: Designing FSRM


Woodgrove Bank currently has no system in place for controlling and monitoring storage utilization. It has been determined that FSRM should be used to monitor and control storage utilization.

The Investments file share in Toronto recently ran out of disk space. After the file share content was analyzed, it was found that unauthorized multimedia files were using over 150 GB of storage. To prevent this from happening again, FSRM will be used.

The main task for this exercise is:
1. Design FSRM.

Task 1: Design FSRM


1. Should hard or soft quotas be implemented on the Investments folder?
2. What should occur when the quota is reached?
3. How can FSRM be used to prevent multimedia files from being stored on the server?
4. How can you allow multimedia files to be stored in a single folder in the Investments file share?

Exercise 4: Implementing DFS


In this exercise, you begin the implementation of DFS for Woodgrove Bank. NYC-WEB will be the primary server for the Investments documents in New York. NYC-DC1 will be the backup server.

The main tasks for this exercise are:
1. Install DFS.
2. Configure the Investments file shares.
3. Create a namespace.
4. Create and configure a namespace folder.
5. Verify replication.


Task 1: Install DFS


1. On NYC-DC1, use Server Manager to install the File Services role with the Distributed File System role service. Do not create a namespace.
2. On NYC-WEB, use Server Manager to install the File Services role with the Distributed File System role service. Do not create a namespace.

Task 2: Configure the Investments file shares


1. On NYC-DC1, create the folder C:\Backup\NYCInvestments.
2. Share C:\Backup\NYCInvestments and give the NYC_InvestmentsGG group Contributor permissions.
3. On NYC-WEB, create the folder C:\Investments.
4. Share C:\Investments and give the NYC_InvestmentsGG group Contributor permissions.

Task 3: Create a namespace


1. On NYC-WEB, use the DFS Management administrative tool to create a new domain-based namespace.
   Name: NA
   Do not enable Windows Server 2008 mode.
2. Add NYC-DC1 as a second namespace server for the \\WoodgroveBank.com\NA namespace.

Task 4: Create and configure a namespace folder


1. On NYC-WEB in DFS Management, add a new folder inside the \\WoodgroveBank.com\NA namespace.
   Name: Investments
   No targets
2. Create a new folder inside \\WoodgroveBank.com\NA\Investments.
   Name: NYCInvestments
   Target: \\NYC-WEB\Investments
   Target: \\NYC-DC1\NYCInvestments
3. Configure replication for the NYCInvestments folder with the following settings:
   Replication group name: Use the default provided
   Replicated folder name: Use the default provided
   Primary member: NYC-WEB
   Topology: Full mesh
   Replicate continuously at up to 8 Mbps
4. Configure the NYC-DC1\NYCInvestments target of the NYCInvestments namespace folder as Last among all targets on the Advanced tab in the properties of the target.
5. Enable client failback to preferred targets on the Referrals tab in the properties of the NYCInvestments namespace folder.

Task 5: Verify replication


1. On NYC-WEB, create a new text file named InvestmentFile in \\WoodgroveBank.com\NA\Investments\NYCInvestments.
2. Enter some text in InvestmentFile and save the file.
3. Verify that InvestmentFile exists in C:\Investments.
4. On NYC-DC1, verify that InvestmentFile exists in C:\Backup\NYCInvestments.

Exercise 5: Implement FSRM


In this exercise, you implement FSRM for the Investments file share in New York. The Investments folder on NYC-WEB will be limited and configured with notifications. The Investments folder will also be configured with file screening to prevent media from being stored in any folder other than the media folder.

The main tasks for this exercise are:
1. Install the FSRM role service.
2. Configure a quota.
3. Configure file screening.
4. Verify file screening.
5. Close all virtual machines and discard undo disks.


Task 1: Install the FSRM server role


1. On NYC-WEB, use Server Manager to add the File Server Resource Manager role service from the File Services role.
   Enable on the C: drive
   Report storage location: Use the default provided

Task 2: Configure a quota


1. On NYC-WEB, use the File Server Resource Manager administrative tool to create a new quota.
   Quota path: C:\Investments
   Soft quota
   200 GB limit
   Add a notification that sends email to Administrator@WoodgroveBank.com when 75% of the quota is reached
   Do not create a template

Task 3: Configure file screening


1. On NYC-WEB, use the File Server Resource Manager administrative tool to create a file screen that prevents audio and video files from being stored.
2. Create the folder C:\Investments\media.
3. Use the File Server Resource Manager administrative tool to create a file screen exception on C:\Investments\media that allows audio and video files.

Task 4: Verify file screening


1. On NYC-WEB, create Video.wmv in the C:\Investments\media folder.
2. Copy Video.wmv to the C:\Investments folder.

Note: Copying Video.wmv to the C:\Investments folder is prevented by file screening.


Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Designing High Availability in Windows Server 2008

12-1

Module 12
Designing High Availability in Windows Server 2008
Contents
Lesson 1: Overview of High Availability 12-3
Lesson 2: Designing Network Load Balancing for High Availability 12-10
Lesson 3: Designing Failover Clustering for High Availability 12-16
Lesson 4: Geographically Dispersed Failover Clusters 12-27
Lab: Designing High Availability in Windows Server 2008 12-33


Module Overview

Windows Server 2008 can use both load balancing and failover clustering to make applications highly available. Load balancing is used primarily to provide availability and scalability for application front-ends, while failover clustering is typically used to provide availability for application back-ends such as databases. Geographically dispersed failover clusters require special considerations. It is important to accurately define high availability for an application before designing a high availability solution.


Lesson 1

Overview of High Availability

Designing high availability requires careful definition of high availability for a specific application. This includes defining maintenance outages and the percentage of availability required. The requirements for high availability should be documented in a service level agreement (SLA).


Discussion: What Is High Availability?

Key Points
Your classroom discussion should include how overall high availability is defined.


High Availability Requirements

Key Points
When defining high availability requirements, you must balance the cost of outages with the cost of implementing high availability. Typically, only a specific number of projects can be accomplished with the approved budget, and those projects with the best return must be selected. The cost of an outage is determined by:
• The number of impacted users and the impact severity.
• The number of impacted external customers and the impact severity.
• The number of other services affected and the impact severity.


Service Level Agreements

An SLA is an agreement that is typically signed between an IT group and an organization. It is important to define an SLA early because it documents the service expectations and requirements that an organization expects the IT service provider to deliver. An SLA might be written for the availability of a specific system component, a specific service, or an entire system. It is important to define SLAs before designing and implementing an information system. You should design the system to meet the terms defined in the SLA. A more highly available system typically has a higher cost than a less available system, and you can factor in that cost when negotiating the SLA.

An internal SLA between two departments within one organization rarely has legal consequences, but it does describe the relationship, expectations, and timescale for service deliveries. External SLAs are more formal, legally binding contracts than internal SLAs. An external SLA may have more structure because it usually includes cost and bonus clauses and sometimes includes penalty clauses. An external SLA always includes the service's specific cost and deliverables, which often include availability and security services.


Components of a High Availability Design

A high availability design must include backup and recovery design. Backup design is essential because a properly designed backup is required to be able to recover data. If data is not backed up, it cannot be recovered. Recovery design is essential to ensure that data can be recovered within the necessary timelines. Without a recovery design in place and tested, valuable time is lost researching the appropriate process to follow for recovery. A design that makes services highly available attempts to avoid a situation where a recovery is required. Windows Server 2008 includes Network Load Balancing and Failover Clustering to make services highly available.


Infrastructure Requirements for High Availability

Key Points
The infrastructure used by an application must be highly available. This infrastructure includes both services and physical infrastructure. The methods used to create highly available infrastructure vary depending on the infrastructure component. Some examples of infrastructure that requires high availability are:
• Data center cooling and power
• Server hardware, such as power supplies and disk systems
• Network hardware, such as network adapters and switches
• Active Directory Domain Services for authentication and configuration data
• DNS for resolving host names and locating domain controllers


High Availability Options in Windows Server 2008

Key Points
Windows Server 2008 includes the following options to provide high availability:
• Network Load Balancing (NLB). NLB is used to distribute application requests among multiple nodes in an NLB cluster. When one node in an NLB cluster fails, other nodes continue to service application requests.
• Failover clustering. Failover clustering runs services in a virtual server on a node in a failover cluster. When a node fails, the virtual server is started on another node in the failover cluster.
• Hyper-V virtualization. Hyper-V virtualization supports quick migration of virtual machines between servers. First, a virtual machine is paused, which writes the contents of virtual machine memory to disk. The disk storage with the virtual machine is then allocated to a second server. The virtual machine is then started on the second server. When a SAN is used, this process can be accomplished more quickly than rebooting a server.


Lesson 2

Designing Network Load Balancing for High Availability

NLB is an effective way to provide availability and scalability for applications. The suitability of applications for NLB is determined by how they store data. Host priority and affinity can be used to control how requests are distributed to nodes in an NLB cluster. You can also select between unicast and multicast communication in an NLB cluster.


Overview of Network Load Balancing

Key Points
NLB is a software-based solution that is fully distributed. There is no central communication point that can act as a bottleneck or a single point of failure. It provides both scalability and availability. To scale an application with NLB, additional nodes are added. When a node is added, it can begin servicing application requests and reduce the load on existing servers. The availability of services in an NLB cluster is based on server failure. When one node in the cluster fails, the load is automatically distributed among the remaining nodes. However, NLB is not capable of detecting application failure. Consequently, if an application fails, the node is not removed from the NLB cluster and, as a result, clients will experience errors.


Considerations for Storing Application Data for NLB

Key Points
Requests to an NLB cluster can be distributed to any node in the cluster. This means that all nodes must have access to the same data. This can be accomplished by:
• Storing data in a central location. All nodes can access data from a single file share or a SQL server. This option is typically used for applications.
• Synchronizing data between servers. When data is synchronized between servers, there will be brief periods of time when nodes in the cluster have different data and clients have different experiences. This is, however, acceptable for applications such as Web sites.


Host Priority and Affinity

Key Points
Host affinity determines how requests are distributed. Host affinity is relevant only when the filtering mode is configured as multiple hosts. The proportion of requests serviced by a particular node is determined by the weight assigned to that node. The options for affinity are:
• None. Each request could be serviced by any node in the NLB cluster. Suitable for stateless applications.
• Single. All requests from an IP address are serviced by a single node in the NLB cluster. Suitable for applications that store state information.
• Network. All requests from a class C address range are serviced by a single node. This is used when a single client is behind a cluster of proxy servers with multiple IP addresses.


When the filtering mode is configured as a single host, then only one node in an NLB cluster responds to all requests. The responding node is the node configured with the highest priority. No two nodes can be configured with the same priority. This system can be used when multiple nodes cannot share the data source.
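The following Python model is an added example, not course material or NLB code, of how the three affinity settings decide which node services a request. It uses a constructed three-node cluster with per-node load weights and a constructed proxy farm in the 203.0.113.0/24 documentation range to show the case the text describes: one client whose requests leave through several proxy addresses stays on one node only under Network affinity. The hashing is a stand-in for NLB's own distribution algorithm; what the model demonstrates is which part of the request identity each affinity mode keeps together, not the actual hash NLB uses.

```python
import hashlib
from typing import Dict, Set

# Constructed NLB cluster: port-rule load weights per node. A weight of 0 means
# the node takes none of this traffic (for example, while it is being drained).
LAB_NODES: Dict[str, int] = {"NYC-WEB1": 50, "NYC-WEB2": 50, "NYC-WEB3": 0}

# Constructed proxy farm in front of one client; all proxies share one /24.
PROXY_FARM = [f"203.0.113.{i}" for i in range(10, 20)]


def affinity_key(client_ip: str, client_port: int, affinity: str) -> str:
    """The part of the request identity that the affinity mode keeps on one node."""
    if affinity == "none":
        return f"{client_ip}:{client_port}"        # every connection hashed on its own
    if affinity == "single":
        return client_ip                            # all connections from one address
    if affinity == "network":
        return ".".join(client_ip.split(".")[:3])   # all addresses in one class C (/24)
    raise ValueError(f"unknown affinity: {affinity}")


def pick_node(client_ip: str, client_port: int, affinity: str,
              weights: Dict[str, int]) -> str:
    """Deterministic, weight-proportional choice of the node that services a request."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("no node is configured to take traffic")
    digest = hashlib.sha256(affinity_key(client_ip, client_port, affinity).encode()).digest()
    slot = int.from_bytes(digest[:8], "big") % total
    # Walk the weight table in a fixed order so the same slot always maps to one node.
    for node, weight in sorted(weights.items()):
        if slot < weight:
            return node
        slot -= weight
    raise AssertionError("unreachable: slot always lies inside the weight table")


def nodes_seen_by_proxy_farm(affinity: str) -> Set[str]:
    """Nodes one client reaches when its requests leave through different proxies."""
    return {pick_node(ip, 40000, affinity, LAB_NODES) for ip in PROXY_FARM}


if __name__ == "__main__":
    for mode in ("none", "single", "network"):
        print(mode, "->", sorted(nodes_seen_by_proxy_farm(mode)))
```

With Single affinity the proxied client can land on more than one node, which is the situation that loses server-side session state; Network affinity keeps the whole /24 together at the cost of a less even spread of load.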


Selecting a Network Communication Method for NLB

Key Points
NLB communicates between nodes to keep track of which nodes are still in the cluster and to synchronize configuration changes. Cluster communication can be configured as unicast or multicast. All nodes in an NLB cluster must be on the same subnet. Unicast communication requires each NLB node to have two network adapters. One network adapter is dedicated to cluster communication. The main advantage of this method is the ability to segment NLB communication. Multicast communication requires each NLB node to have only a single network adapter. NLB communication happens by using multicasts. All communication occurs on a single network.

For more information, see "Network Load Balancing (NLB) and Virtual Machines": http://blogs.msdn.com/virtual_pc_guy/archive/2006/03/21/556222.aspx


Lesson 3

Designing Failover Clustering for High Availability

Failover clustering is used to provide high availability for applications and services. In most cases, shared storage is used for failover clusters. When designing a failover cluster, you need to determine appropriate hardware and plan the capacity of the cluster. You must determine which quorum configuration is appropriate for the situation you are designing for.


Overview of Failover Clustering

Key Points
A failover cluster has between two and sixteen nodes. Services and applications run on a virtual server hosted by a node in the cluster. One node can host multiple virtual servers, so you must plan capacity appropriately. If a node in the cluster fails, the virtual server can fail over to another node. This is not an immediate process, and clients cannot reconnect to the application until the virtual server has started on the second node. In most scenarios, shared storage is required. All application data is stored on the shared storage, and control of the shared storage is passed to an alternate node when failover occurs.


Note: Failover clustering is available only in the Enterprise, Datacenter, and Itanium Editions of Windows Server 2008.

For more information, see "What's New in Failover Clusters in Windows Server 2008".


Failover Clustering Scenarios

Key Points
Failover clustering does not provide enhanced scalability by adding nodes. Scalability can only be obtained by scaling up and using more powerful hardware for the individual nodes. Therefore, failover clustering should only be used when the goal is high availability rather than scalability. Failover clustering is best suited to stateful applications that are restricted to a single set of data. One example of such an application is a database: the data is stored in a single location and can only be used by one database instance. Failover clustering uses only IP-based protocols and is, therefore, suited only to IP-based applications. The best results occur when the client is capable of automatically reconnecting to the application after failover.

For more information, see "Building a Host Cluster with Hyper-V Beta 1".


Shared Storage for Failover Clustering

Key Points
Most failover clustering scenarios require shared storage to provide consistent data to a virtual server after failover. There are three shared storage options for a failover cluster:
• Shared serial attached SCSI (SAS). Shared SAS is the lowest-cost option, but it is not very flexible for deployment because the two cluster nodes must be physically close together.
• iSCSI. iSCSI is a type of storage area network (SAN) that transmits SCSI commands over IP networks. When 1 Gbps or 10 Gbps Ethernet is used as the physical medium for data transmission, the performance is acceptable for most scenarios. This type of SAN is relatively inexpensive to implement because no specialized networking hardware is required.
• Fibre Channel. Fibre Channel SANs typically perform better than iSCSI SANs, but are much more expensive. Specialized knowledge and hardware are required to implement a Fibre Channel SAN.


Guidelines for Designing Hardware for Failover Clustering

Key Points
Consider the following guidelines when selecting hardware for failover clustering:
• Use a 64-bit operating system and hardware to increase memory scalability. The 64-bit version of Windows Server Enterprise Edition can use up to 2 TB of RAM on 64-bit hardware.
• Use multicore and multiple processors to increase scalability. Multiple cores and multiple processors allow multiple VMs to perform processing tasks at the same time. Windows Server 2008 Enterprise Edition supports up to eight processors.


• Use the validation tool to verify correct configuration and ensure support from Microsoft. The validation tool lets you verify that your specific configuration will be supported by Microsoft even if the specific hardware has not been approved for cluster support.
• Use GUID Partition Table (GPT) disk partitioning to increase partition sizes up to 160 TB. Master Boot Record (MBR) disk partitioning restricts the size of a single partition to 2 TB. The increase in size can be important for large databases.


Guidelines for Failover Clustering Capacity Planning

Consider the following guidelines when planning node capacity in a failover cluster:
• When all nodes in a failover cluster are active, the virtual servers from a failed node should be spread out among the remaining nodes to prevent a single node from being overwhelmed.
• Ensure that each node has sufficient idle capacity to properly service the virtual servers that are allocated to it when another node fails. Failure to adequately plan resource utilization can result in performance degradation after node failure.
• Use hardware with similar capacity for all nodes in a cluster. This simplifies the planning process for failover.
• Use standby servers to simplify capacity planning. When a passive node is included in the cluster, all virtual servers from a failed node can be failed over to the passive node. This avoids the need for complex capacity planning.


Quorum Configuration for Failover Clustering

Key Points
The quorum is an important part of planning a failover cluster. The quorum defines which servers in the cluster can run virtual servers. This protects against scenarios such as a single node that is isolated by a network communication failure attempting to run all of the virtual servers. The majority of nodes in the failover cluster must agree on the cluster state.


The supported quorum configurations are:
• Node majority. A simple majority of nodes in the cluster is a quorum.
• Node and disk majority. A shared disk is added and treated as a node for quorum calculation. In a 2-node failover cluster, a node still capable of communicating with the shared disk would run all virtual servers, because the node plus the disk is two of the three votes in the quorum.
• Node and file share majority. Similar to the node and disk majority, except that a file share is used in place of a shared disk.
• No majority: disk only. Only communication with the shared disk is required to be part of the quorum.

For more information, see "Help Topic: Understanding Quorum Configurations in a Failover Cluster".
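To make the vote arithmetic behind the four configurations concrete, here is an added Python model (not part of the course, and not cluster service code) that decides whether the part of the cluster a node can still reach holds quorum, and how many node failures each configuration tolerates. The Partition values are constructed views of a cluster after a failure or network split; the model counts one vote per node plus one for the disk or file share witness, and requires more than half of the total, which reproduces the 2-node example above.

```python
from dataclasses import dataclass

NODE_MAJORITY = "node majority"
NODE_AND_DISK = "node and disk majority"
NODE_AND_SHARE = "node and file share majority"
DISK_ONLY = "no majority: disk only"


@dataclass(frozen=True)
class Partition:
    """What one node can still see of the cluster (constructed for the example)."""
    total_nodes: int
    nodes_reachable: int           # includes the node doing the calculation
    disk_reachable: bool = False   # shared witness disk
    share_reachable: bool = False  # file share witness


def has_quorum(config: str, part: Partition) -> bool:
    """True when this partition is allowed to run the cluster's virtual servers."""
    if config == DISK_ONLY:
        # Only the disk matters; any single node that owns it may run everything.
        return part.nodes_reachable >= 1 and part.disk_reachable
    if config == NODE_MAJORITY:
        total, votes = part.total_nodes, part.nodes_reachable
    elif config == NODE_AND_DISK:
        total, votes = part.total_nodes + 1, part.nodes_reachable + int(part.disk_reachable)
    elif config == NODE_AND_SHARE:
        total, votes = part.total_nodes + 1, part.nodes_reachable + int(part.share_reachable)
    else:
        raise ValueError(f"unknown quorum configuration: {config}")
    # A strict majority of all votes; exactly half is not enough.
    return votes > total / 2


def tolerated_node_failures(config: str, total_nodes: int, witness_online: bool = True) -> int:
    """Largest number of nodes that can fail while the survivors still hold quorum.

    Returns -1 when the configuration cannot form quorum even with every node up
    (disk-only with the disk offline).
    """
    for failed in range(total_nodes, -1, -1):
        survivors = Partition(total_nodes, total_nodes - failed, witness_online, witness_online)
        if has_quorum(config, survivors):
            return failed
    return -1


if __name__ == "__main__":
    # The module's 2-node example: the node that still sees the disk wins.
    print(has_quorum(NODE_AND_DISK, Partition(2, 1, disk_reachable=True)))   # True
    print(has_quorum(NODE_AND_DISK, Partition(2, 1, disk_reachable=False)))  # False
    for n in (2, 3, 4, 5):
        print(n, "nodes:", {c: tolerated_node_failures(c, n)
                            for c in (NODE_MAJORITY, NODE_AND_DISK, DISK_ONLY)})
```

The split-brain protection is visible in the two-node case: when the nodes lose sight of each other, the one that still reaches the witness disk has two of three votes and the other has one, so exactly one side continues. The same arithmetic shows why a witness helps even-numbered clusters most: four nodes alone survive one failure, four nodes plus a witness survive two.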


Lesson 4

Geographically Dispersed Failover Clusters

Geographically dispersed failover clusters have nodes in multiple physical locations for greater availability. There are special concerns for data replication and quorum configuration when a failover cluster is geographically dispersed.

Overview of Geographically Dispersed Clusters

Key Points
Geographically dispersed failover clusters are used to protect against the failure of an entire physical location in your network. Typically, the failover node is located at a disaster recovery hot site.
• To be supported by Microsoft, the hardware used in a geographically dispersed failover cluster must be certified for that particular use by Microsoft.
• Failover clustering in Windows Server 2008 allows the use of OR networking. This means that a cluster can have two IP addresses, only one of which needs to be available for the cluster to start. When the OR option is used, the nodes in a cluster do not all need to be on the same subnet. However, clients must be configured to use a DNS name that can be resolved to both IP addresses.
• Data synchronization must be performed between locations because shared storage is not possible over WAN links.
• You must carefully plan the quorum configuration to ensure that a single node is never isolated, so that automatic failover is possible.

Data Replication for Geographically Dispersed Clusters

Key Points
It is not possible for a geographically dispersed failover cluster to use shared storage between physical locations. WAN links are too slow and have too much latency to support shared storage. Data must be synchronized between locations by using specialized hardware. This hardware supports either synchronous or asynchronous replication. Synchronous replication does not mark a file change as complete on the local storage until the change has also been replicated to the remote storage. This ensures that data is consistent at both locations, but results in lower performance. Performance degrades as latency increases with distance.

Asynchronous replication completes a file change on the local storage, and then replicates the change to the remote location. This allows for better performance, but there is a risk of data loss if a failure occurs at the local location. However, if the order of disk operations is preserved as changes are applied to the remote location, then the remote data is consistent and intact.

For more information, see "Server Clusters: Geographically Dispersed Clusters".

Quorum Configuration for Geographically Dispersed Clusters

Key Points
Since geographically dispersed clusters do not use shared disks, it is not possible to use the quorum configurations that require a shared disk. If there is an odd number of nodes, then the Node Majority quorum should be used. If there is an even number of nodes, which is typical in a geographically dispersed cluster, then the Node Majority with File Share quorum can be used. Three locations must be used to allow automatic failover of a virtual server. One node is located in the primary location that runs the virtual server. A second node is located in a disaster recovery site. The third vote, the file share witness, is in another location. There must be direct network connectivity between all three locations. In this way, if one site becomes unavailable, the two remaining sites can still communicate and have enough votes for a quorum.
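The quorum rules from the "Quorum Configuration for Failover Clustering" topic and the three-location file share witness design described here, as an added example that is not code from the course: it models the four supported quorum configurations, decides whether an isolated partition holds quorum, and checks which single-site losses still leave a majority. The node and site names are constructed.

```python
"""Quorum model for Windows Server 2008 failover clustering.

Added example, not code from the course. It models the four supported
quorum configurations and answers two questions: does a given partition of
the cluster (the nodes that can still talk to each other, and whether they
can reach the witness disk or file share) hold quorum, and, for a
geographically dispersed cluster, does the cluster keep quorum after any
single site is lost. Node and site names are constructed.
"""

from dataclasses import dataclass

NODE_MAJORITY = "Node Majority"
NODE_AND_DISK_MAJORITY = "Node and Disk Majority"
NODE_AND_FILE_SHARE_MAJORITY = "Node and File Share Majority"
NO_MAJORITY_DISK_ONLY = "No Majority: Disk Only"

# Modes in which the witness (shared disk or file share) counts as one vote.
WITNESS_VOTES = {NODE_AND_DISK_MAJORITY, NODE_AND_FILE_SHARE_MAJORITY}


@dataclass(frozen=True)
class Cluster:
    nodes: tuple   # names of all configured nodes
    mode: str      # one of the four quorum configurations above


@dataclass(frozen=True)
class Partition:
    """Nodes that can still communicate, plus whether they reach the witness."""
    nodes: frozenset
    witness_reachable: bool = False


def total_votes(cluster):
    votes = len(cluster.nodes)
    if cluster.mode in WITNESS_VOTES:
        votes += 1
    return votes


def has_quorum(cluster, part):
    """True if this partition may run the cluster's virtual servers."""
    if cluster.mode == NO_MAJORITY_DISK_ONLY:
        # Only contact with the shared disk matters; the node count is irrelevant.
        return part.witness_reachable
    votes = len(part.nodes)
    if cluster.mode in WITNESS_VOTES and part.witness_reachable:
        votes += 1
    # Strict majority: more than half of all configured votes.
    return votes > total_votes(cluster) // 2


def survives_site_loss(cluster, node_site, witness_site):
    """Simulate losing each site in turn for a geographically dispersed cluster.

    node_site:    {node_name: site_name}
    witness_site: the site that hosts the file share (or disk) witness
    Returns {lost_site: bool}; True means the survivors keep quorum, so
    automatic failover is possible after that site is lost.
    """
    sites = set(node_site.values()) | {witness_site}
    result = {}
    for lost in sorted(sites):
        survivors = frozenset(n for n, s in node_site.items() if s != lost)
        part = Partition(survivors, witness_reachable=(witness_site != lost))
        result[lost] = has_quorum(cluster, part)
    return result


if __name__ == "__main__":
    two_node = ("NODE-A", "NODE-B")
    alone = Partition(frozenset({"NODE-A"}))
    print("2 nodes, Node Majority, one node isolated:",
          has_quorum(Cluster(two_node, NODE_MAJORITY), alone))   # False
    print("2 nodes, Node and Disk Majority, isolated node still sees the disk:",
          has_quorum(Cluster(two_node, NODE_AND_DISK_MAJORITY),
                     Partition(frozenset({"NODE-A"}), witness_reachable=True)))  # True

    geo = Cluster(("NYC-NODE", "CHI-NODE"), NODE_AND_FILE_SHARE_MAJORITY)
    sites = {"NYC-NODE": "New York", "CHI-NODE": "Chicago"}
    # Witness in a third location: any single site can be lost.
    print("witness in third site:", survives_site_loss(geo, sites, "Third Site"))
    # Witness co-located with the active node: losing New York also loses
    # the witness, so Chicago alone has 1 of 3 votes and cannot fail over.
    print("witness in New York:", survives_site_loss(geo, sites, "New York"))
```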

For more information, see "Server Clusters: Geographically Dispersed Clusters".

Lab: Designing High Availability in Windows Server 2008

Scenario
Woodgrove Bank provides several online applications for customers. Some customers recently experienced outages that caused a loss of goodwill among current and potential customers. One outage in the online banking system was of such an extended duration that it was reported on national news in North America. The public Web site and online banking applications for Woodgrove Bank must now be evaluated and made highly available.

Exercise 1: Designing High Availability for a Stateless Application


The public Web site for Woodgrove Bank is a stateless application. A recent outage was embarrassing for the company, and a new project team has been created to increase the availability of the public Web site. The public Web site is hosted on a Windows Server 2008 server with the Web Server (IIS) role installed. Updates are performed by using a customized content management system on a development server. Users from various departments have been given permissions to modify only the portion of the Web site they are responsible for. Site updates are pushed from the development server to the production server once per day. The requirements for the public Web site are:
• The process for updating content cannot change because it would require too much user training.
• Maintenance on an individual server must not affect Web site availability.
• The solution should be scalable to accommodate traffic increases as Woodgrove Bank expands.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine how to provide high availability.
3. Determine how to configure NLB.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-WEB, click Launch.
4. In the Lab Launcher, next to 6435A-NYC-RAS, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-WEB as Administrator with the password Pa$$w0rd.
7. Log on to NYC-RAS as Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Determine how to provide high availability


1. How can a Web site be made highly available by using Windows Server 2008?
2. How will the need for availability during maintenance be accommodated?
3. How will the need for scalability be accommodated?
4. What other components need to be considered as part of the high availability solution?
5. What should you consider when determining whether the application should be hosted locally or outsourced?

Task 3: Determine how to configure NLB


1. When configuring a port rule, which ports should be included?
2. How will affinity be configured?
3. How will host priority be configured?
4. How will networking be configured?
5. How will data be synchronized between servers in the NLB cluster?

Exercise 2: Designing High Availability for a Stateful Application


The online banking application used by bank customers recently experienced an outage that was reported in the media. This caused a significant loss of goodwill, and a new project team has been created to increase the availability of the public Web site. The online banking application has a Web front-end and a SQL server back-end. Customers log on to the Web front-end server, and code on the Web front-end server sends SQL queries to the SQL server back-end. The SQL server back-end requires that only a single set of data is used. The SQL server supports using locally attached storage or a SAN. The requirements for the online banking application are:
• The application must be scalable as the number of customers increases.
• Maintenance on an individual server must not affect application availability.
• Client data must be hosted locally.

The main tasks for this exercise are:
1. Determine how to configure NLB for the Web front-end.
2. Determine how to provide high availability for the SQL server back-end.

Task 1: Determine how to configure NLB for the Web front-end


1. When configuring a port rule, which ports should be included?
2. How will affinity be configured?
3. How will data be synchronized between servers in the NLB cluster?

Task 2: Determine how to provide high availability for the SQL server back-end
1. How can the SQL server be made highly available by using Windows Server 2008?
2. How can the SQL server be scaled as capacity increases?
3. How will maintenance be accommodated?

Exercise 3: Designing a Geographically Dispersed Cluster


Woodgrove Bank has an investments database that hosts all client account information for North America. It is critical that this database is available at all times. Failover clustering has been used for this database, but a disaster planning exercise determined that the company is vulnerable to a disaster at the New York hub site, where this application is based. A new disaster recovery hot site is being rented in Chicago to host critical applications and data. The investments database will be part of a geographically dispersed failover cluster with one active node in New York and a passive node in the Chicago disaster recovery hot site. Requirements for the geographically dispersed failover cluster are:
• Failover must be automatic if the New York site fails.
• Data integrity is an absolute requirement.
• There is a small tolerance for data loss due to synchronization between sites during failover.
Additional information on the physical network is available in M12_NANetwork.png.

The main task for this exercise is: Design a geographically dispersed cluster.

Task 1: Design a geographically dispersed cluster


1. What special hardware requirements are there for a geographically dispersed failover cluster?
2. What additional network links are required to provide availability after the New York location fails?
3. What quorum configuration should be used for the failover cluster?

Exercise 4: Implementing NLB


As the first step in deploying NLB for the public Web site, you need to configure NLB in your test lab. You first need to configure Web sites on NYC-WEB and NYC-RAS, and then add both servers to an NLB cluster.

The main tasks for this exercise are:
1. Prepare the network connections.
2. Create a DNS record for the NLB cluster.
3. Configure Web sites.
4. Verify Web site functionality.
5. Install the Network Load Balancing feature.
6. Create an NLB cluster.
7. Add NYC-RAS to the NLB cluster.
8. Configure a port rule for load balancing.
9. Verify cluster functionality.
10. Close all virtual machines and discard undo disks.

Task 1: Prepare the network connections


1. On NYC-WEB, configure Local Area Connection 2 with an IP address of 10.10.0.201 and a subnet mask of 255.255.0.0.
2. On NYC-RAS, configure Local Area Connection 2 with an IP address of 10.10.0.202 and a subnet mask of 255.255.0.0.

Task 2: Create a DNS record for the NLB cluster


1. On NYC-DC1, use the DNS administrative tool to create a new host record in the WoodgroveBank.com domain:
• Name: webapp
• IP address: 10.10.0.200

Task 3: Configure Web sites


1. On NYC-RAS, use Server Manager to add the Web Server (IIS) server role.
2. Copy the file \\NYC-DC1\e$\Mod12\Labfiles\RAS.txt to C:\Inetpub\wwwroot\default.htm.
3. On NYC-WEB, copy the file \\NYC-DC1\e$\Mod12\Labfiles\WEB.txt to C:\Inetpub\wwwroot\default.htm.

Task 4: Verify Web site functionality


On NYC-DC1, use Internet Explorer to view the following Web sites:
• http://nyc-web.woodgrovebank.com
• http://nyc-ras.woodgrovebank.com
• http://webapp.woodgrovebank.com

Note: Access to webapp.woodgrovebank.com will fail because the NLB cluster is not configured yet.

Task 5: Install the Network Load Balancing feature


1. On NYC-WEB, use Server Manager to install the Network Load Balancing feature.
2. On NYC-RAS, use Server Manager to install the Network Load Balancing feature.

Task 6: Create an NLB cluster


On NYC-WEB, use the Network Load Balancing Manager administrative tool to create a new cluster with the following settings:
• Connect to NYC-WEB.
• Use the Local Area Connection 2 interface.
• Accept the default host parameters.
• Cluster IP address: 10.10.0.200
• Subnet mask: 255.255.0.0
• Full Internet name: webapp.woodgrovebank.com
• Operation mode: Unicast
• Accept the default port rules.

Task 7: Add NYC-RAS to the NLB cluster


On NYC-RAS, use the Network Load Balancing Manager administrative tool to connect to the existing cluster named webapp.woodgrovebank.com on NYC-WEB. Add NYC-RAS as a node to the cluster with the following settings:
• Use the Local Area Connection 2 interface.
• Accept the default host parameters.
• Accept the default port rules.

Task 8: Configure a port rule for load balancing


1. On NYC-WEB, use the Network Load Balancing Manager administrative tool to open the properties of the cluster.
2. On the Port Rules tab, edit the existing rule with the following settings:
• Port range: from 80 to 80
• Protocols: TCP
• Filtering mode: Multiple host
• Affinity: None

Task 9: Verify cluster functionality


On NYC-DC1, use Internet Explorer to view the Web site on the NLB cluster: http://webapp.woodgrovebank.com

Task 10: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

Module 13
Designing Print Services in Windows Server 2008
Contents
Lesson 1: Overview of a Print Services Design 13-3
Lesson 2: Windows Server 2008 Printing Features 13-10
Lesson 3: Designing Print Services 13-20
Lab: Designing Print Services in Windows Server 2008 13-27

Module Overview

Printing is a core service required by users and needs to be designed to meet user and organizational needs. Organizations can select from many variations of network and local printing. When Windows Server 2008 is used as a print server, there are many benefits, such as centralized printer management.

Lesson 1

Overview of a Print Services Design

To design an appropriate print services solution, you must first gather data about business needs and user requirements. You must also gather information about security requirements. After gathering all of the requirements, you must consider what types of printing need to be configured.

Considerations for a Print Services Design

Key Points
When designing print services, consider the following:
• Ease of administration results in lower support costs.
• Ease of access for users results in fewer help desk calls and higher user satisfaction.
• Cost of print services can vary widely depending on the overall design and the type of printers that are selected.
• High availability is important for print services in general because it is a highly visible service to users. However, some printing, such as customer communication, is critical and requires a specific plan for high availability.

Local Printing

Key Points
Local printing is when a printer is directly attached to the workstation of a user. This is typically done in smaller organizations and in some specific situations, such as a requirement for high security. Characteristics of local printing are:
• Printing is secure because print jobs do not travel over the network and printed pages are located in a private space, such as an office used directly by the user.
• When used in larger organizations, local printing is difficult to administer because it requires many printers.
• Individual printers used for local printing are typically inexpensive; consequently, they print slowly and sometimes at lower quality.
• Purchasing many individual printers is typically more expensive than purchasing a single higher-performing printer that is shared.
• Users find local printing convenient because the printed output is physically very close to them. However, locating desk space for a printer can be challenging in some office environments.

Direct IP Printing

Direct IP printing is when a workstation sends print jobs directly to a printer over the network. This is typically done in smaller organizations because workstation administration can be challenging due to the lack of centralized administration. The management of direct IP printing is simpler than local printing because there are fewer printers. The cost of direct IP printing is typically lower than local printing because fewer printers are used and the printers have a lower cost per page. In direct IP printing, there is no central point for communication, and consequently no communication bottleneck. However, there is also no centralized queuing of print jobs, which results in random submission of print jobs from clients to the printer. If scalability is a concern, then direct IP printing is not appropriate. Direct IP printing cannot be scaled up by adding printers without reconfiguring workstations.

Server-based Printing

Server-based printing is when a workstation sends print jobs to a print server, which queues the jobs from all workstations before sending them to the appropriate printer. Centralized queuing allows you to control print jobs by pausing and reordering jobs. Some benefits of server-based printing are:
• Workstations can be centrally configured with printer drivers. When users install a new printer, the printer driver can be downloaded from the print server.
• Printer pools can be used to scale printing. Additional physical printers are added, but reconfiguration of workstations is not required.
• Usage of printers can be controlled based on user or group. This allows you to restrict usage of special purpose printers on the network.

The potential drawback of server-based printing is that the failure of a print server affects multiple printers and users. If a print server fails, printing for an entire department or physical location may be affected.

Considerations for Selecting a Printer

Key Points
When you select printers for your organization, you must consider the overall cost of printing. Inexpensive printers tend to have a higher cost of consumables, which increases the cost per page over the lifetime of the printer. The duty cycle of a printer is the number of pages it is expected to print in a month. You must match the duty cycle of a printer to its expected usage, or else it may fail in a short period of time. A less expensive printer typically has a lower number of pages per month in its duty cycle, but you should check the manufacturer's specifications. If the printer is attached to a network, then you can purchase it with network support built in, or use a print server device. Built-in print servers typically have higher levels of functionality. Each printer supports specific printer control languages. Windows Vista and Windows Server 2008 include support for XML Paper Specification (XPS)-based printing, which provides higher quality printing. XPS printers use XPS as a printer control language for the best possible quality of printing.

Lesson 2

Windows Server 2008 Printing Features

Windows Server 2008 has a number of useful printer features that can be used for server-based printing. Print pools can be used to increase the availability and scalability of printers. XPS-based printing can be used to increase print quality. The Print Management console can be used to centralize printer management. The printer driver store allows you to distribute printer driver packages rather than just simple printer drivers. And finally, Internet Printing Protocol (IPP) can be enabled to support printing through firewalls.

Printer Pools

Key Points
Printer pools combine multiple physical printers into a single logical unit for printing. When a job is sent to the printer pool, it is directed to the next available printer in the pool. If one printer is unavailable, then the other printers in the pool continue to process print jobs. To scale up printing, additional printers can be added to the printer pool. Printer pools have the following requirements:
• There must be at least two printers to create a printer pool.
• All printers in the printer pool must use the same printer driver because print jobs are rendered before the specific printer is selected.
• All printers must be in the same physical location so that users have a predictable location to pick up their printed documents.

XPS-based Printing

Key Points
Windows Server 2008 and Windows Vista include a new printing process that is known as XPS-based printing. This printing process uses only XPS as a single format for print jobs. Only newer applications that use Windows Presentation Foundation (WPF) APIs use XPS-based printing. The process for XPS-based printing is as follows:
1. A WPF application calls print APIs.
2. The document is spooled in XPS format.
3. The XPS document is sent to an XPS-capable printer.
4. The printer prints the XPS document.

XPS-based printing results in better quality printed copies. The print quality of graphics is superior because conversion is removed from the process, and better color information is stored in the XPS file. The XPS files are also smaller than the equivalent EMF files. The XPS printing process also makes it easier for applications to query print jobs and printer configuration information.

Interoperability of XPS and GDI-based Printing

Key Points
There is interoperability between XPS and graphics device interface (GDI)-based printing. This lets you use older GDI-based printer drivers together with an application that uses XPS-based printing. If it is necessary, the printing subsystem converts an XPS file to EMF to support older printer drivers. You can also use newer XPS-based printers with older Win32 applications. If it is necessary, the printing subsystem converts EMF files to XPS to support new XPS-based printer drivers.

Print Management Console

Key Points
The Print Management console can be used to perform all of the printer management functions that can be performed by using the Printers applet in Control Panel. In addition, it can be used to:
• Manage multiple print servers from a single workstation or server. This avoids the need to use Remote Desktop for printer management.
• Create filters for viewing printers by characteristics. This allows you to quickly view all of the printers in a physical location or all of the printers with errors.
• Deploy printers by using Group Policy. Printers can be added to a Group Policy object and deployed to users or computers in an OU. Windows Vista supports this functionality by default. Windows XP clients need to run the pushprinterconnections.exe utility.
• Automatically add printers to a print server by scanning a subnet for network printers. This can be used as a way to configure a new print server. However, it will locate only printers on the same subnet as the print server.
• Perform bulk operations on multiple printers at one time. For example, you can pause all printers on a print server in a single step before performing maintenance.

Printer Driver Store

Windows Vista and Windows Server 2008 include a new printer driver store as a mechanism for storing printer drivers. The printer driver store is improved because it can:
• Contain printer driver packages. Earlier versions of Windows supported only installing basic printing functionality over the network. Printer driver packages support the installation of additional components for full printer driver functionality.
• Stage drivers. Printer driver packages can be put in the printer driver store without installing a printer. This lets you maintain a standard set of printer drivers on all print servers to support the standard printers in your organization.
• Contain multiple driver versions side-by-side. Side-by-side storage of printer driver versions lets you add a new version of a printer driver without removing the old version.

For more information, see "Architecture and Driver Support".

Internet Printing Protocol

Key Points
Internet Printing Protocol (IPP) in Windows Server 2008 allows you to perform printer management through a Web browser and to print to a URL by using HTTP or HTTPS. Printing by using HTTP or HTTPS is firewall friendly and can be used for remote printing over the Internet. Printers and their drivers can also be installed by using HTTP or HTTPS. When clients install an IPP printer from the Web pages on a Windows Server 2008 print server, the client link to the printer may be a UNC path or a URL. If the print server is in an Internet Explorer zone with medium-low or lower security, then a UNC path is used rather than a URL. The intent is that printers within your organization are configured with a UNC path and remote printers with a URL, because printing through a UNC path provides enhanced functionality. Remote management of printers by using the IPP Web pages is not preferred due to security concerns about the management ASP pages. Remote Desktop or the Print Management console is preferred for remote management.

For more information, see "Internet Printing and Resulting Internet Communication in Windows Vista".
For more information, see "Printing Effectively with Internet Printing Protocol (IPP) 1.0".

Lesson 3

Designing Print Services

Failover clustering is one method that you can consider to provide high availability for print services in your design. You also need to consider how to simplify user access and administration. Finally, there are special considerations for branch-office printing.

Failover Clustering for Print Services

Key Points
A failover cluster has two or more servers, referred to as nodes, which host at least one virtual server. The virtual server exists on only one node at a time. When one node fails, the virtual server is started on another node in the cluster and services resume. Print services can be installed on a virtual server in a failover cluster. A failover cluster increases availability, but does not enhance scalability. Outages due to server failure are kept very short, but application failures, such as a stalled print spooler, are not detected.

Recommendations for Simplifying User Access to Printers

Key Points
Consider the following to simplify user access to printers:
• Publish printers in Active Directory so that users can search for them.
• Use intuitive printer names so that users can understand which printer to install and print to.
• Use printer location tracking to present users with printers in their local physical location when adding a new printer.
• Use Group Policy to deploy printers and printing preferences. This avoids the need to visit workstations for printer installation and maintenance.
• Use IPP for remote printing from the Internet, to simplify firewall rules.
• Use Web-based maps for manual printer installation. This makes it easy for users to locate the specific printer they need to install. The map can be configured with clickable hot spots that link to the installation of the printer by using IPP or VBScript.

Recommendations for Simplifying Print Services Administration

Key Points
Consider the following to simplify administration of print services:
• Use the Print Management console to centrally manage printers. This avoids the need to use Remote Desktop and allows you to unify printer management for your organization in a single view.
• Use the Print Management console to migrate printers between print servers when performing consolidation. You can export printers from one print server and import them on another print server to migrate the printers from one print server to another. Workstations must then be updated with the new printer location.
• Standardize the printers in your organization to reduce the number of drivers that must be tested. Driver configuration and application compatibility can be a major challenge if there are a large number of printer models and drivers in use. Standardizing reduces the administrative time spent on diagnosing printing problems.
• Avoid the use of inexpensive desktop printers. Inexpensive printers are more likely to have problems with driver errors and physical breakdowns.

Monitoring Print Services

Key Points
You can monitor print services with:
• Notifications in the Print Management console. Notifications can trigger a script or message when printer status changes occur.
• Performance Monitor. Performance Monitor can view a wide variety of statistics for print services. You can also use alerts to trigger notifications or a scheduled task when thresholds for performance counters are reached.
• Microsoft System Center Operations Manager. Microsoft System Center Operations Manager can centrally monitor performance counters on a number of print servers simultaneously.

Considerations for Branch Office Printing

Many organizations are starting to reduce the number of servers in branch offices to reduce maintenance costs. As part of this process, printing may be centralized in a hub site, or applications may be provided from a hub site via Terminal Services. Consider the following when designing branch office printing:
• Print jobs are relatively large files and consume a lot of bandwidth. Sending print jobs over slow WAN links takes a long time and may slow down other applications that use the same WAN link.
• Print jobs generated through Terminal Services are transmitted over WAN links. The terminal server may print directly to a printer in the branch office. Or, if printer redirection is used, the print job is passed to the remote desktop client, which sends the print job to a printer in the branch office.
• Branch offices require a person to perform on-site maintenance of printers. This includes common tasks, such as replacing toner and clearing paper jams.

Lab: Designing Print Services in Windows Server 2008

Scenario
Woodgrove Bank is reevaluating the design of print services for the organization. You must determine a new print services design, design user access, and design high availability for printing. Then, you will distribute a printer by using Group Policy and implement IPP.

Exercise 1: Selecting a Print Services Design


Woodgrove Bank currently uses direct IP printing. This configuration was initially selected when there were many desktop support staff allocated to each department. You must reevaluate the print services design based on the following criteria:
- The print services design must be cost effective for a large environment.
- A few users require absolute privacy for their printing.
- Branch locations use Terminal Services to run applications that print.
- Administrators must be able to manage all printers from a remote location.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Select a print services design.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6435A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6435A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6435A-NYC-CL1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Select a print services design


1. Which print services design is most cost effective in a large network?
2. How will you address the requirement for users that require privacy?
3. How will you address concerns about printing for Terminal Services applications in the branches?
4. How will printer management be performed?

Exercise 2: Designing User Access to Printers


Woodgrove Bank is reevaluating how users access printers and the features available in Windows Server 2008. Use the following to create a design for user access to printers:
- Users with stationary desktop computers should have printers automatically installed, based on their physical location.
- Roaming users with laptops should be able to install an appropriate printer, based on the physical location they are in.
- Printing from over the Internet is not required.

The main task for this exercise is: Design user access to printers.

Task 1: Design user access to printers


1. How will printers be installed on stationary desktop computers?
2. How will printers be installed for roaming users with laptops?

Exercise 3: Designing High Availability for Printing


Each hub site at Woodgrove Bank has several instances of a customer service application running. Each instance is configured to use a separate but identical printer. If a printer fails, large batch jobs are recreated on another instance of the application. All printers are serviced by a single print server. Woodgrove Bank has estimated that resubmitting jobs is costing several million dollars per year. Improving printing reliability for this application has been added to the current year's budget.

The main task for this exercise is: Determine a method for increasing availability.

Task 1: Determine a method for increasing availability


1. Which availability method can prevent downtime due to printer failure?
2. Which availability method can prevent downtime due to a server failure?
3. How can you prevent downtime based on both printer failure and server failure?
4. What limitations may prevent you from implementing your plan for increasing availability?

Exercise 4: Implementing IPP


Woodgrove Bank is planning on implementing web-based maps for users to install printers. It has been decided to use IPP printing for distribution of printer drivers by using hot spots on the maps. The first implementation is installing IPP printing and testing it.


The main tasks for this exercise are:
1. Install the Print Services role.
2. Create a new printer.
3. Install a printer by using IPP.

Task 1: Install the Print Services role


1. On NYC-DC1, use Server Manager to install the Print Services role:
   - Add the Internet Printing role service.
   - Add the required role services.
   - Accept the default options for installation.
2. Accept the default options for installation of the Web Server (IIS) role.

Task 2: Create a new printer


1. On NYC-DC1, use the Print Management administrative tool to install a new printer on the NYC-DC1 print server:
   - TCP/IP or Web Services printer
   - Type of device: TCP/IP device
   - IP address: 10.10.0.250
   - Do not auto detect the printer driver to use
   - Generic network card
   - Install a new driver: Dell 3100cn PS
2. Share the printer with default settings.

Task 3: Install a printer by using IPP


1. On NYC-CL1, in Internet Explorer, add http://NYC-DC1.WoodgroveBank.com as an Intranet site on the Security tab of Internet Options.
2. On the Security tab of Internet Options, disable Protected Mode to support installation of UNC-based printers. Protected Mode is the browser's low-integrity sandbox, so re-enable it once the test is complete.
3. Restart Internet Explorer.
4. Open the http://NYC-DC1.WoodgroveBank.com/Printers Web site.
5. View the Dell 3100cn PS printer and connect to it.
6. View the Printers folder and read the printer name to verify that it was installed as a connection to nyc-dc1.woodgrovebank.com rather than under a URL starting with http.

Exercise 5: Deploying Printers by Using Group Policy


Woodgrove Bank has decided to distribute printers by using Group Policy. In your test lab you would like to test the process for deploying a printer to an entire domain of users.

The main tasks for this exercise are:
1. Create a new printer.
2. Add the printer to a Group Policy.
3. Test the installation of a printer by using Group Policy.
4. Close all virtual machines and discard undo disks.

Task 1: Create a new printer


1. On NYC-DC1, use the Print Management administrative tool to install a new printer on the NYC-DC1 print server:
   - TCP/IP or Web Services printer
   - Type of device: TCP/IP device
   - IP address: 10.10.0.251
   - Do not auto detect the printer driver to use
   - Generic network card
   - Install a new driver: Dell 3100cn PCL6
2. Share the printer with default settings.

Task 2: Add the printer to a Group Policy


1. On NYC-DC1, in the Print Management administrative tool, right-click the Dell 3100cn PCL6 printer and deploy it with Group Policy.
2. Browse and create a new Group Policy object named Domain Printers in WoodgroveBank.com.
3. Apply the printer to users rather than computers.

Task 3: Test the installation of a printer by using Group Policy


1. On NYC-CL1, update Group Policy by running gpupdate at a command prompt.
2. Log off NYC-CL1.
3. Log on to NYC-CL1 as WoodgroveBank\Administrator with the password Pa$$w0rd.
4. Verify that the Dell 3100cn PCL6 printer has been installed.
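The following PowerShell script, added here as an example and not part of the lab, performs the printer creation of Exercise 4 (Task 2) and Exercise 5 (Task 1) on NYC-DC1 with the printing administration scripts that ship with Windows Server 2008, shares the result through WMI, and then connects NYC-CL1 to the share over IPP as in Exercise 4 (Task 3). The driver INF paths, the share names and the ServerManagerCmd identifiers for the Print Services role services are assumptions; deploying the printer through Group Policy (Exercise 5, Task 2) stays a Print Management console step in this course.

```powershell
# Added example (not the course's own steps). Part 1 runs on NYC-DC1 as an
# administrator; part 2 runs on NYC-CL1 as the user who needs the printer.
# Assumes Windows Server 2008 with its printing admin scripts in the usual
# location and the Dell driver INF files already copied to C:\Drivers (assumed path).

# ---- Part 1: NYC-DC1 -------------------------------------------------------
# Role services for Exercise 4, Task 1 (identifiers assumed; IIS dependencies
# are pulled in by Server Manager).
ServerManagerCmd.exe -install Print-Server
ServerManagerCmd.exe -install Print-Internet

$scripts = Join-Path $env:SystemRoot 'System32\Printing_Admin_Scripts\en-US'

function New-LabPrinter {
    param(
        [string]$Name,          # printer name as it will appear in Print Management
        [string]$IPAddress,     # TCP/IP device address from the lab
        [string]$DriverModel,   # driver model name exactly as written in the INF
        [string]$DriverInf,     # assumed path to the vendor INF on the server
        [string]$ShareName      # assumed share name
    )
    $port = "IP_$IPAddress"

    # 1. Standard TCP/IP port, RAW on 9100: the "Generic network card" choice in the lab.
    & cscript.exe //nologo (Join-Path $scripts 'prnport.vbs') -a -r $port -h $IPAddress -o raw -n 9100

    # 2. Install the driver from its INF (-v 3 = user-mode driver, x86 environment).
    & cscript.exe //nologo (Join-Path $scripts 'prndrvr.vbs') -a -m $DriverModel -v 3 -e 'Windows NT x86' -i $DriverInf

    # 3. Create the logical printer on that port with that driver.
    & cscript.exe //nologo (Join-Path $scripts 'prnmngr.vbs') -a -p $Name -m $DriverModel -r $port

    # 4. Share it. The admin scripts do not set sharing, so use the Win32_Printer WMI class.
    $printer = Get-WmiObject -Class Win32_Printer -Filter "Name='$Name'"
    if ($printer -eq $null) { throw "Printer '$Name' was not created; check the prnmngr.vbs output" }
    $printer.Shared    = $true
    $printer.ShareName = $ShareName
    $printer.Put() | Out-Null
    Get-WmiObject -Class Win32_Printer -Filter "Name='$Name'" | Select-Object Name, PortName, DriverName, Shared, ShareName
}

# Exercise 4, Task 2 and Exercise 5, Task 1 (INF paths and share names are assumptions).
New-LabPrinter -Name 'Dell 3100cn PS'   -IPAddress 10.10.0.250 -DriverModel 'Dell 3100cn PS'   -DriverInf 'C:\Drivers\Dell3100\dell3100ps.inf'  -ShareName 'Dell3100PS'
New-LabPrinter -Name 'Dell 3100cn PCL6' -IPAddress 10.10.0.251 -DriverModel 'Dell 3100cn PCL6' -DriverInf 'C:\Drivers\Dell3100\dell3100pcl.inf' -ShareName 'Dell3100PCL6'

# ---- Part 2: NYC-CL1 -------------------------------------------------------
# Internet Printing publishes each share as http://<server>/printers/<share>/.printer.
# Connecting to that URL creates an IPP (http://) printer connection, which is the
# case the lab's verification step asks you to distinguish from a UNC connection.
function Connect-IppPrinter {
    param([string]$Server, [string]$ShareName)
    $url = "http://$Server/printers/$ShareName/.printer"
    $net = New-Object -ComObject WScript.Network
    $net.AddWindowsPrinterConnection($url)
    # Network printers whose name carries the URL are the IPP connections.
    Get-WmiObject -Class Win32_Printer -Filter "Network=True" |
        Where-Object { $_.Name -like '*http://*' } |
        Select-Object Name, PortName, DriverName
}

Connect-IppPrinter -Server 'NYC-DC1.WoodgroveBank.com' -ShareName 'Dell3100PS'
```

The admin scripts print their own status line for each operation; if the driver install fails, the INF path or the model string in the INF is the usual cause, and prnmngr.vbs will then also fail because the driver is missing. The client side needs no change to Internet Explorer's Protected Mode because it does not install through the browser, but the resulting connection prints over HTTP rather than the SMB path the browser prefers for intranet clients, which is why the lab has you compare the two.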

Task 4: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.

6435A Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
