Microsoft Learning Product
6435A
Lab Instructions and Lab Answer Key: Designing a Windows Server 2008 Network Infrastructure
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.
© 2008 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Module 1
Lab Instructions: Overview of Network Infrastructure
Contents
Exercise 1: Preparing for a Network Infrastructure Design
Exercise 2: Designing the Network Topology
Exercise 3: Designing Network Infrastructure for Virtualization
Exercise 4: Designing a Change Management Plan
Exercise 5: Lab Discussion
Scenario
Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the network infrastructure for segments within the enterprise.

Woodgrove Bank has expanded significantly since the company implemented Windows Server 2008. The company has expanded to different countries located in different regions of the world, and has acquired several subsidiaries. As a result, you are asked to design the network infrastructure for the new locations.

There are three divisions in Woodgrove Bank for different regions of the world. The three regions are North America, Europe, and Asia. The first part of the network to be redesigned is the North America region. The changes in North America will be used as a template for adding additional branches and integrating newly acquired companies.

In North America, there are two major changes. Two new Canadian branches are opening that will be connected to the Toronto hub site. Also, a regional bank in Washington State has been purchased and must be integrated into the rest of the network.

Each region operates independently most of the time. All user applications and data are self-contained within each region. Batch transfers of data from each region to New York City are performed daily. The batch transfers are approximately 1 GB and must be completed within 2 hours during average usage times. Network utilization between regions averages 500 Kbps when the batch transfer is not being performed. The failure of one WAN link between regions should not affect other regions.

The main applications used by Woodgrove Bank are located in the network hub locations. Users in the branches use Terminal Services to run applications on servers in the network hub locations. Approximately 10 Kbps of WAN connectivity is required for each user at a branch location for optimal performance. Communication between hub site locations averages 2 Mbps and peaks at 6 Mbps.

The implementation of a Voice over IP system is being considered to lower telecommunication costs. If implemented, this system will use approximately 250 Kbps between each branch office and hub site. Approximately 500 Kbps will be used between hub sites within regions and between regions. Within a hub site, traffic should be tiered to increase manageability.

The connectivity of the newly acquired regional bank in Washington State uses Seattle as a hub site for the other four locations.

Also review the following documents:
M1_Locations.doc
M1_Physical.vsd
M1_VirtualMachines.doc
Task 2: Design the WAN links between hub sites in North America
1. Determine what WAN links will be created between hub sites in North America.
2. Determine how fast the WAN links will be between hub sites in North America.
Task 4: Design the connectivity for the newly purchased Washington State regional bank
Determine how Seattle and other branches will be connected to Woodgrove Bank.
Task 5: Design the tiers for the network within a hub site
1. Determine the number of tiers that should be used.
2. Determine the resources that will be placed in each tier.
Task 4: Determine the network connectivity required for each host server
1. Determine the network connectivity required for NYC-HOST1.
2. Determine the network connectivity required for NYC-HOST2.
3. Determine the network connectivity required for NYC-HOST3.
Module 2
Lab Instructions: Designing Network Security
Contents:
Exercise 1: Identifying a Team for the Security Plan
Exercise 2: Identifying Threats
Exercise 3: Analyzing Risk
Exercise 4: Implementing Password Policies
Scenario
Woodgrove Bank is a large multinational corporation with offices located in multiple countries. Until now, security planning for IT resources has been handled by the individual areas responsible for network infrastructure and applications. For example, the network team was responsible for all network-related security, with no formal process for involving application support or functional areas within the business.

There is concern within Woodgrove Bank at the executive level that the current structure for security is not efficient for allocating resources. A new centralized system for managing security is being implemented. This process will include creating a security design team and performing formal risk analysis to allocate resources.

Use the following documents to help create your design:
M2_ITSupport.doc
M2_NANetwork.png
M2_NetworkConnectivity.doc
M2_OrgChart.png
M2_OrgStructure.doc
STRIDE threat categories:
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege

3. Use the defense-in-depth model to identify risks to resources on the network.

Layer                                   Example Risk
Data
Application
Host
Internal network
Perimeter
Physical security
Policies, procedures, and awareness
Task 2: Create a fine-grained password policy for customer service staff
1. On NYC-DC1, open ADSI Edit.
2. Connect to the Default naming context and browse to CN=Password Settings Container,CN=System,DC=WoodgroveBank,DC=com.
3. Create a new msDS-PasswordSettings object in the Password Settings Container with the following settings:
   Common-Name: CustomerService
   Password Settings Precedence: 1
   Password reversible encryption status for user accounts: FALSE
   Password History Length for user accounts: 5
   Password complexity status for user accounts: TRUE
   Minimum Password Length for user accounts: 6
   Minimum Password Age for user accounts: 1:00:00:00
   Maximum Password Age for user accounts: 60:00:00:00
   Lockout threshold for lockout of user accounts: 10
   Observation Window for lockout of user accounts: 0:00:30:00
   Lockout duration for locked out user accounts: 0:00:45:00
Task 3: Associate the new fine-grained password policy with Customer Service groups
1. On NYC-DC1, open Active Directory Users and Computers and enable viewing of Advanced Features.
2. Browse to the Password Settings Container in the System container.
3. In the properties of the CustomerService object, edit the msDS-PSOAppliesTo attribute.
4. Add the following Windows groups:
   NYC_CustomerServiceGG
   MIA_CustomerServiceGG
   TOR_CustomerServiceGG
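The same PSO can be created, linked and verified from a script. The following is an added example, not part of the 6435A lab materials: it uses the Active Directory module for Windows PowerShell (New-ADFineGrainedPasswordPolicy, Add-ADFineGrainedPasswordPolicySubject, Get-ADUserResultantPasswordPolicy), which assumes a Windows Server 2008 R2 or later management host or RSAT; the Windows Server 2008 lab machines do not ship that module, which is why Tasks 2 and 3 use ADSI Edit. The values match the two tasks above; the group names are the lab's.

```powershell
# Added example (not from the 6435A lab): create the CustomerService PSO and apply it to the
# three customer service global groups. Requires the ActiveDirectory module (assumption:
# Windows Server 2008 R2+ or RSAT) and Domain Admins rights; run on a domain-joined host.
Import-Module ActiveDirectory

$psoName = 'CustomerService'
$groups  = 'NYC_CustomerServiceGG', 'MIA_CustomerServiceGG', 'TOR_CustomerServiceGG'

# Create the PSO only if it does not exist, so re-running the script is harmless.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 1 `                                   # lower number wins when several PSOs apply
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 5 `
        -ComplexityEnabled $true `
        -MinPasswordLength 6 `
        -MinPasswordAge (New-TimeSpan -Days 1) `          # 1:00:00:00 in ADSI Edit
        -MaxPasswordAge (New-TimeSpan -Days 60) `         # 60:00:00:00
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 45) `
        -ProtectedFromAccidentalDeletion $true
}

# Link the PSO to the groups; this writes the msDS-PSOAppliesTo attribute edited in Task 3.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groups

# Verify: the resultant policy for a member of each group must be the PSO, not the domain default.
foreach ($g in $groups) {
    Get-ADGroupMember -Identity $g |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -First 1 |
        ForEach-Object {
            $rsop = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            $effective = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
            '{0,-25} {1,-20} {2}' -f $g, $_.SamAccountName, $effective
        }
}
```

Two checks worth making after either method: a PSO applies only to user objects and global security groups (not to OUs), and a PSO linked directly to a user account overrides one inherited through a group regardless of precedence. If the resultant policy for a test user still shows the domain default, confirm the user is a direct member of one of the three groups and that the domain is at the Windows Server 2008 functional level.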
Module 3
Lab Instructions: Designing IP Addressing
Contents:
Exercise 1: Designing an IPv4 Addressing Scheme
Exercise 2: Designing a DHCP Implementation
Exercise 3: Designing an IPv6 Addressing Scheme
Scenario
Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the IP addressing for segments within the enterprise.

Woodgrove Bank has expanded significantly since the company implemented Windows Server 2008. The company has expanded to different countries located in different regions of the world, and has acquired several subsidiaries. As a result, you are re-evaluating IP addressing for the entire organization.

There are three divisions in Woodgrove Bank for different regions of the world. The three regions are North America, Europe, and Asia. The first part of the network to be redesigned is the North America region. The changes in North America will be used as a template for adding additional branches and integrating newly acquired companies.
The main tasks for this exercise are:
1. Determine the number of external addresses required.
2. Determine an internal IPv4 addressing scheme for locations.

The main task for this exercise is:
Design a DHCP implementation.
Module 4
Lab Instructions: Designing Routing and Switching Requirements
Contents
Exercise 1: Designing Internal Infrastructure
Exercise 2: Designing a Perimeter Network
Exercise 3: Evaluating Network Performance
Exercise 4: Monitoring Network Performance
Scenario
Woodgrove Bank is a large multinational corporation with offices located in multiple countries. The organization is currently running Windows Server 2008. As an enterprise administrator, it is your role to design the network routing topology within the enterprise. Woodgrove Bank has purchased a regional bank located in Washington State. This bank must be integrated into the existing network. You are evaluating and redesigning the network infrastructure and routing of the newly purchased regional bank.
Module 5
Lab Instructions: Designing Security for Internal Networks
Contents
Exercise 1: Designing a Windows Firewall Implementation
Exercise 2: Designing an IPsec Implementation
Scenario
Woodgrove Bank has completed a redesign of the physical network infrastructure. This included all WAN links, routing, and switching. The next project assigned to the network infrastructure team is securing the internal network. This involves analyzing how to implement Windows Firewall and IPsec to protect network resources. The first location to analyze is the Toronto hub site. The design developed for the Toronto hub site will be used as a template for other hub sites.
The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine what rules to create on each computer.
3. Determine how to configure Windows Firewall on each computer.
4. Implement a Windows Firewall rule by using Group Policy.

The main tasks for this exercise are:
1. Determine connection security rules.
2. Determine how to configure connection security rules on each computer.
3. Implement connection security rules.
4. Create a firewall rule for a specific user.
5. Close all virtual machines and discard undo disks.
Other alternatives are:
- Use both IPsec policies and connection security rules on the servers. This is not recommended because the results are difficult to predict.
- Use IPsec policies only. Windows Server 2008 and Windows Vista are both capable of using IPsec policies. However, IPsec policies authenticate only computers (Kerberos, certificate, or preshared key), never users, so you cannot create firewall rules that allow or block connections based on specific computer and user accounts. That requires connection security rules, which can add user authentication through AuthIP.
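The lab implements the recommended design through Group Policy. As an added example (not the lab's own steps), the same design expressed with netsh advfirewall, which is the built-in command-line interface on Windows Vista and Windows Server 2008, shows the two pieces that make a per-user rule work: a connection security rule that negotiates computer and user Kerberos authentication, and a firewall rule that admits only authenticated connections whose user is in one group. The group WOODGROVEBANK\TOR_FileAdminsGG and the rule names are assumptions for the example; run it elevated on one of the Toronto servers.

```powershell
# Added example (not from the 6435A lab): connection security rule plus a user-restricted
# firewall rule for SMB, using netsh advfirewall on Windows Server 2008 / Vista.
# Assumptions: the group below is hypothetical; the session is elevated.
$group      = 'WOODGROVEBANK\TOR_FileAdminsGG'
$consecName = 'Woodgrove - require auth in, request out'
$fwName     = 'Woodgrove - SMB for file admins only'

# netsh takes the authorized users as an SDDL DACL, not a group name, so resolve the SID first.
$sid  = (New-Object System.Security.Principal.NTAccount($group)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "D:(A;;CC;;;$sid)"      # one ACE: Allow, CC (connect) right, for that SID

# 1. Connection security rule. Inbound connections must be authenticated; outbound connections
#    only request it, so peers that are not yet managed keep working during rollout.
#    auth1 = first (computer) authentication, auth2 = second (user) authentication via AuthIP.
netsh advfirewall consec add rule name="$consecName" endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb auth2=userkerb profile=domain

# 2. Firewall rule. security=authenticate limits the rule to IPsec-protected connections, and
#    rmtusrgrp limits it further to the users in the SDDL. Without step 1 this rule never matches.
netsh advfirewall firewall add rule name="$fwName" dir=in action=allow protocol=TCP localport=445 `
    profile=domain security=authenticate rmtusrgrp="$sddl"

# 3. Verify what was stored, then, after a client connects, confirm a main mode SA was built
#    (one SA per authenticated peer; none means the connection security rule did not negotiate).
netsh advfirewall consec show rule name="$consecName"
netsh advfirewall firewall show rule name="$fwName" verbose
netsh advfirewall monitor show mmsa
```

The order matters when testing: create the connection security rule on both peers before the firewall rule, or the first SMB attempt is simply dropped and looks like a firewall misconfiguration. Because the second authentication is user Kerberos, the rule cannot admit a service running as a local account on the client; that is the reason the lab pairs user-specific rules with domain-joined Vista clients.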
Module 6
Lab Instructions: Designing Name Resolution
Contents
Exercise 1: Designing a DNS Namespace
Exercise 2: Designing a DNS Server Strategy
Exercise 3: Designing a DNS Zone and Replication Strategy
Exercise 4: Discuss the Design of Name Resolution
Exercise 5: Implement a DNS and Zone Replication Strategy
Scenario
Woodgrove Bank has experienced significant growth and needs to re-evaluate the current name resolution structure to verify that it is appropriate. This involves selecting locations for DNS servers, designing the DNS namespace, and determining a zone replication strategy.
Woodgrove Bank has external DNS records that are manually synchronized with the internal DNS structure. These records change on average less than once per year.
Purpose
Public Web site
Secure Web site for customers
Secure Web site for investments customers
VPN server used by roaming staff
Internet mail server
External DNS server
External DNS server
1. Start the virtual machines, and then log on.
2. Select a DNS namespace for Active Directory.
Task 1: Discuss your design for name resolution with the instructor and other students.
1. With your instructor, discuss the namespace design that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the DNS server strategy that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the DNS zone and replication strategy that is appropriate for Woodgrove Bank.
Module 7
Lab Instructions: Designing Advanced Name Resolution
Contents
Exercise 1: Optimizing DNS Servers
Exercise 2: Designing High Availability for Name Resolution
Exercise 3: Designing WINS
Exercise 4: Implementing a GlobalNames Zone
Scenario
You have recently completed the high level design for DNS name resolution at Woodgrove Bank. You now need to create some detailed configuration information for DNS servers to optimize name resolution and secure the DNS servers appropriately. You also need to design name resolution for NetBIOS names to support older applications.
All DNS servers should cache resolved names to reduce network traffic.

Use the following documents to complete your design:
M6_Physical.png
M7_DNSConfiguration.doc

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine configuration for internal DNS servers.
3. Determine configuration for external DNS servers.
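The configuration decisions in this exercise and in Exercise 4 (GlobalNames) can be applied with dnscmd.exe, which ships with the DNS Server role on Windows Server 2008. The following is an added example and not part of the lab: it hardens the external servers to authoritative-only (no recursion, so they cannot be used as open resolvers), protects the internal caching servers against cache pollution, and creates the forest-wide GlobalNames zone for single-label names. The server names NYC-DC1 and NYC-DNS1 and the alias INTRANET are assumptions; M7_DNSConfiguration.doc holds the real values.

```powershell
# Added example (not from the 6435A lab): DNS server configuration with dnscmd.exe.
# Assumptions: NYC-DC1 is an internal AD-integrated DNS server, NYC-DNS1 an external one,
# and INTRANET -> NYC-WEB.WoodgroveBank.com is an example single-label alias.
# Run as a member of DnsAdmins.
$internalServers = 'NYC-DC1'
$externalServers = 'NYC-DNS1'

foreach ($s in $internalServers) {
    # Drop answers that are outside the tree of the name that was queried (cache pollution guard).
    dnscmd $s /Config /SecureResponses 1
    # GlobalNames support must be enabled on every DNS server that should answer single-label queries.
    dnscmd $s /Config /EnableGlobalNamesSupport 1
}
# The zone itself is created once; as a forest-wide AD-integrated zone it replicates to the others.
dnscmd $internalServers[0] /ZoneAdd GlobalNames /DsPrimary /DP /forest
dnscmd $internalServers[0] /RecordAdd GlobalNames INTRANET CNAME NYC-WEB.WoodgroveBank.com.

foreach ($s in $externalServers) {
    # Authoritative only: an Internet-facing server that recurses is an open resolver.
    dnscmd $s /Config /NoRecursion 1
    dnscmd $s /Config /SecureResponses 1
}

# Verify: dnscmd /Info prints "Dword: 1 (00000001)" for an enabled setting.
function Test-DnsDword {
    param([string]$Server, [string]$Setting)
    $out = dnscmd $Server /Info /$Setting | Out-String
    return [bool]($out -match 'Dword:\s+1\b')
}
foreach ($s in $internalServers) {
    '{0}: SecureResponses={1} GlobalNames={2}' -f $s,
        (Test-DnsDword $s SecureResponses), (Test-DnsDword $s EnableGlobalNamesSupport)
}
foreach ($s in $externalServers) {
    '{0}: NoRecursion={1}' -f $s, (Test-DnsDword $s NoRecursion)
}
```

Disabling recursion also disables forwarders on that server, so it must only be done on servers that are authoritative for the public zone and nothing else. GlobalNames is consulted only when the single-label name is not found in the client's DNS suffix list, so it supplements rather than replaces the suffix search list; WINS is still needed for applications that register names dynamically, which the GlobalNames zone does not allow.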
Module 8
Lab Instructions: Designing Network Access Solutions
Contents
Exercise 1: Designing a Network Access Solution
Exercise 2: Designing Network Policy Services
Exercise 3: Designing a Wireless Connection Solution
Exercise 4: Discuss the Design of Network Access
Exercise 5: Deploying an SSTP VPN Solution
Scenario
Woodgrove Bank is evaluating the network access needs for roaming users within the organization. At this time a VPN server is in place, but no wireless LANs have been implemented due to security concerns. You must design a remote access solution and a wireless connection solution based on user and business requirements. The current VPN deployment consists of a single VPN server. Clients use PPTP connections and are given connectivity to the entire network when connected.
The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine remote access methods.
3. Determine physical infrastructure for remote access.

The main tasks for this exercise are:
1. Determine the infrastructure requirements for RADIUS.
2. Determine network policies.

The main tasks for this exercise are:
1. Select wireless standards.
2. Design the physical implementation.
Task 1: Discuss your design for network access with the instructor and other students
1. With your instructor, discuss the remote access solution that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the Network Policy Services design that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the wireless connection solution that is appropriate for Woodgrove Bank.
Remote access: VPN
Network interface: Local Area Connection
Do not enable security on the selected interface by setting up static packet filters.
IP address assignment: From a specified range of IP addresses
IP address range: 10.11.0.200 to 10.11.0.225
Use Routing and Remote Access to authenticate connection requests
4. Open the properties of the NYC VPN connection and select SSTP as the type of VPN on the Networking tab.
5. Connect the NYC VPN.
6. Open Connect To from the Start menu and verify that the NYC VPN connection is connected.
Note: If you experience an error during your connection attempt, review the configuration of your SSTP listener by using the instructions in "Setting up the SSTP listener and verifying it" on the Routing and Remote Access Blog at http://blogs.technet.com/rrasblog/archive/2007/03/07/configuration-of-sstplistener-and-verification.aspx. In particular, if you replace the certificate used by SSTP, you must manually remove the old listener binding and bind the new certificate; the listener does not pick up a new certificate on its own.
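Before working through the blog post, it is worth confirming which certificate the SSTP listener is actually using. The following is an added example, not part of the lab: SSTP records the hash of its bound certificate under HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters (SHA1CertificateHash and SHA256CertificateHash), while HTTP.sys reports the live TCP 443 binding through "netsh http show sslcert"; the script compares the two and inspects the certificate properties an SSTP client enforces. It assumes it is run as an administrator on the VPN server (NYC-VPN1 in the lab).

```powershell
# Added example (not from the 6435A lab): check the certificate behind the SSTP listener.
# Assumptions: run elevated on the RRAS/SSTP server; PowerShell 2.0 or later.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$params  = Get-ItemProperty -Path $regPath -ErrorAction Stop

# SstpSvc stores the hash as REG_BINARY; convert to the upper-case hex thumbprint the cert store uses.
if (-not $params.SHA1CertificateHash) {
    Write-Warning 'No SHA1CertificateHash under SstpSvc\Parameters: SSTP has no certificate bound.'
    return
}
$sstpThumb = ($params.SHA1CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
"SSTP registry thumbprint  : $sstpThumb"

# What HTTP.sys is really serving on 0.0.0.0:443 ("Certificate Hash : <hex>" in netsh output).
$bindings  = netsh http show sslcert | Out-String
$httpThumb = ''
if ($bindings -match 'IP:port\s*:\s*0\.0\.0\.0:443[\s\S]*?Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
    $httpThumb = $Matches[1].ToUpper()
}
"HTTP.sys 0.0.0.0:443 hash : $httpThumb"

# Find the certificate and check what a client validates: Server Authentication EKU, validity, key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $sstpThumb }
if (-not $cert) {
    Write-Warning 'The SSTP hash matches no certificate in LocalMachine\My; re-bind the listener.'
} else {
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $false
    if ($eku) { $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }) }
    "Subject                   : $($cert.Subject)"
    "Valid until               : $($cert.NotAfter)"
    "Server Authentication EKU : $serverAuth"
    "Private key present       : $($cert.HasPrivateKey)"
}

if ($sstpThumb -ne $httpThumb) {
    Write-Warning 'Registry hash and HTTP.sys binding differ: clients get a different certificate than SSTP expects.'
}
```

Two client-side facts explain most remaining failures once the binding is right: the name the client dials (the NYC VPN connection's host name) must match the certificate subject or a subject alternative name, and SSTP clients check revocation by default, so the certificate's CRL distribution point must be reachable from the client before the tunnel exists.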
Module 9
Lab Instructions: Designing Network Access Protection
Contents
Exercise 1: Analyzing Enforcement Methods
Exercise 2: Designing DHCP Enforcement
Exercise 3: Designing IPsec Enforcement
Exercise 4: Implementing DHCP Enforcement
Scenario
Woodgrove Bank has recently experienced problems with malware being introduced to the network at the New York hub site. The introduction of malware has been a result of computers not being compliant with corporate security and maintenance policies. None of the lapses has been a result of malicious users attempting to bypass security guidelines. The following are examples of recent lapses:
- A user working from home did not have antivirus software enabled. A virus was introduced to the network over the corporate VPN connection.
- Windows Firewall was disabled on a desktop computer by a technician during application troubleshooting. The technician forgot to re-enable the firewall and the computer was subsequently infected with a worm.
- A visiting consultant connected a laptop to the corporate network and introduced a virus.

The New York hub site provides services for all bank branches in the northeastern United States. NAP is being implemented in New York as a trial for the rest of Woodgrove Bank. Varying scenarios need to be considered and tested. The infrastructure in place at the New York hub site and branches has the following characteristics:
A VPN server running Windows Server 2008 RRAS
Most, but not all, switches and WAPs support 802.1X authentication
All client computers have been upgraded to Windows Vista
No additional products with an SHA/SHV have been installed
All clients use dynamic IP addresses
The DHCP server in Windows Server 2008 is used to lease IP addresses

The main tasks for this exercise are:
1. Design client configuration.
2. Design SHV configuration.
3. Design DHCP implementation.
4. Design remediation servers.
Disable DHCPv6 stateless mode for this server
Use current credentials
Remediation server groups: None
Windows Security Health Validator
Enable auto-remediation of client computers
Deny full network access to NAP-ineligible client computers
2. Review the connection request policies created by the wizard.
3. Review the network policies created by the wizard.
4. Review the health policies created by the wizard.
Reconfigure Local Area Connection to use DHCP to obtain an IP address and DNS server.
Open a command prompt and use the following command to view the configured IP address:
ipconfig /all
5. Notice that an IPv4 address has been configured, but the subnet mask is 255.255.255.255 and the Connection-specific DNS Suffix is restricted.woodgrovebank.com.
6. Ping NYC-WEB.WoodgroveBank.com to test connectivity. The ping to NYC-WEB.WoodgroveBank.com fails.
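The two observations above are the signature of DHCP enforcement: a non-compliant client receives a host-only lease (mask 255.255.255.255, no default gateway) and the restricted DNS suffix, and can reach only the remediation servers for which the NAP DHCP server supplies classless static routes, which is why the ping to NYC-WEB fails. The following is an added example, not part of the lab: a function that reads those facts out of "ipconfig /all" text for one adapter, applied both to the live machine and to a constructed sample that mirrors what the lab shows. The "netsh nap client show state" call adds the NAP agent's own view of its restriction state.

```powershell
# Added example (not from the 6435A lab): detect the DHCP-enforcement restricted state.
# Assumptions: Windows Vista client, adapter name "Local Area Connection"; the sample text is
# constructed for illustration and is not captured lab output.
function Get-NapDhcpState {
    param([string[]]$IpconfigText, [string]$Adapter = 'Local Area Connection')
    $inBlock = $false; $mask = $null; $gateway = $null; $suffix = $null; $reasons = @()
    foreach ($line in $IpconfigText) {
        # Adapter headers look like "Ethernet adapter Local Area Connection:"; keep only ours,
        # so tunnel adapters further down do not overwrite the values.
        if ($line -match '^\S.*adapter (.+):\s*$') { $inBlock = ($Matches[1] -eq $Adapter); continue }
        if (-not $inBlock) { continue }
        switch -regex ($line) {
            '^\s*Subnet Mask[ .]*:\s*(\S+)'                    { $mask    = $Matches[1] }
            '^\s*Default Gateway[ .]*:\s*(\S*)'                { $gateway = $Matches[1] }
            '^\s*Connection-specific DNS Suffix[ .]*:\s*(\S*)' { $suffix  = $Matches[1] }
        }
    }
    if ($mask -eq '255.255.255.255')    { $reasons += 'host-only /32 lease' }
    if (-not $gateway)                  { $reasons += 'no default gateway' }
    if ($suffix -match '^restricted\.') { $reasons += "DNS suffix $suffix" }
    New-Object PSObject -Property @{
        Adapter    = $Adapter
        Mask       = $mask
        Gateway    = $gateway
        Suffix     = $suffix
        Restricted = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
}

# Live check on this client, plus the NAP agent's own state (Windows Vista and later).
Get-NapDhcpState -IpconfigText (ipconfig /all)
netsh nap client show state

# Constructed sample: what a non-compliant client in the lab sees.
$sample = @'
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : restricted.woodgrovebank.com
   IPv4 Address. . . . . . . . . . . : 10.10.0.55
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
'@ -split "`r?`n"
Get-NapDhcpState -IpconfigText $sample
# Restricted : True
# Reason     : host-only /32 lease; no default gateway; DNS suffix restricted.woodgrovebank.com
```

The check is also a reminder of the method's limit: DHCP enforcement constrains only clients that ask for a lease, so a computer given a static address skips it entirely. The scenario accepts that because none of the lapses was malicious; where users might deliberately bypass enforcement, the 802.1X or IPsec enforcement methods evaluated in Exercises 1 and 3 are the appropriate choice.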
Module 10
Lab Instructions: Designing Operating System Deployment and Maintenance
Contents
Exercise 1: Designing an Operating System Deployment Solution
Exercise 2: Designing WDS Deployment
Exercise 3: Designing WDS Images
Exercise 4: Designing a WSUS Deployment
Exercise 5: Discussing Operating System Deployment and Maintenance
Exercise 6: Implementing Multicast Transmissions for Images
Scenario
Woodgrove Bank would like to design and implement an effective solution for the deployment of operating systems. They would like you to evaluate their requirements and determine the best solution to use within their organization. You are designing a solution for North America that will be used as a template for other regions.

Client machines are running Windows 2000, Windows XP SP2, and Windows Vista. A number of applications, including Microsoft Office 2007 Professional, are installed. Data is stored only in the hub sites, and documents are accessed from file servers in the hub sites over WAN links.

Updating desktops with Microsoft updates is performed using a number of outdated in-house tools. The update process is very time consuming, and some of the client machines are not properly patched for extended periods. The current process involves each client computer downloading large amounts of data. You want the new solution to consume less bandwidth. The company would like you to design and implement a better update management solution that supports all Microsoft Windows operating systems and Microsoft Office 2007 applications deployed at the bank. You should be able to control which updates are available for download to clients.

All servers and desktop computers are joined to the bank's Active Directory Domain Services (AD DS) domain. Servers are located in data centers in each hub site and connected to the corporate Ethernet using Gigabit network interface cards (NICs). Only the hub site in New York is configured with a perimeter network protected by a firewall. All other branches are connected to a hub site by T1 lines. The hub sites are connected to New York with 10 Mbps WAN links. All routers can support multicasting but are currently using the default configuration. The user desktops are all connected using 100 Mbps NICs, and they acquire their addresses from Microsoft DHCP servers at each location. AD DS uses Microsoft DNS.

The company would like you to design and implement an effective and secure deployment solution for operating systems. The bank wants to replace 2500 computers at the New York location and 1000 computers in Toronto with x86-based computers that run Windows Vista. You also want to upgrade your remaining Windows Server 2003 infrastructure to Windows Server 2008 Standard and Enterprise editions running on an x86 hardware platform. All servers have been provided with sufficient hard drive space for an upgrade and have been formatted with the NTFS file system. If possible, you should be able to control the schedule of the deployment, though you have not yet decided on the exact dates. Currently, operating system deployments are done using RIS running on Windows Server 2003 servers, and you want to ensure that the existing processes for building computers are preserved.

Users are concerned that some of their data and personalized settings may be lost during the migration. They are also concerned about their data being exposed to unauthorized users. The security group at the bank is concerned that some machines are not being patched in a timely fashion. They also demand that the new deployment design for operating systems considers the privacy of the users and ensures that security is maintained during and after the migration. Access to the image store needs to be secured to prevent unauthorized users from reading and mounting images.
Task 1: Discuss your design for the deployment and maintenance of operating systems with the instructor and other students
1. With your instructor, discuss the WDS deployment design that is appropriate for Woodgrove Bank.
2. With your instructor, discuss the WDS images design that is appropriate for Woodgrove Bank.
3. With your instructor, discuss the WSUS deployment design that is appropriate for Woodgrove Bank.
Module 11
Lab Instructions: Designing File Services and DFS in Windows Server 2008
Contents
Exercise 1: Selecting File Services Components
Exercise 2: Designing DFS
Exercise 3: Designing FSRM
Exercise 4: Implementing DFS
Exercise 5: Implementing FSRM
Scenario
Woodgrove Bank has data distributed on file servers in every hub site in the organization. The North America region is being evaluated, and changes made there will be used as a template for redesigning file services in other regions. North America has four hub sites with branches connected to each one. A hub and spoke design has been used for the WAN with New York as the hub. The hub sites in North America are:
New York
Toronto
Miami
Seattle
File services are organized based on workgroups. There is a single file server for each workgroup in each hub site. Occasionally, users need to access workgroup resources in other hub sites over the WAN links. Bank branches access files in the hub sites over WAN links. There is no local file storage in the branches. The file shares in North America are:
\\NYC-FS1\Customer
\\NYC-FS2\Investments
\\NYC-FS3\Managers
\\NYC-FS4\Executives
\\TOR-FS1\Customer
\\TOR-FS2\Investments
\\TOR-FS3\Managers
\\MIA-FS1\Customer
\\MIA-FS2\Investments
\\MIA-FS3\Managers
\\SEA-FS1\Customer
\\SEA-FS2\Investments
\\SEA-FS3\Managers
All file servers use new hardware and run on Windows Server 2008. All storage is local to minimize storage costs. The SAN is used only for application servers.
The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Select a file service component.
The main tasks for this exercise are:
1. Design replication.
2. Design the namespace.
Replicate continuously at up to 8 Mbps
4. Configure the NYC-DC1\NYCInvestments target of the NYCInvestments namespace folder as Last among all targets on the Advanced tab in the properties of the target.
5. Enable client fail back to preferred targets on the Referrals tab in the properties of the NYCInvestments namespace folder.
Module 12
Lab Instructions: Designing High Availability in Windows Server 2008
Contents
Exercise 1: Designing High Availability for a Stateless Application
Exercise 2: Designing High Availability for a Stateful Application
Exercise 3: Designing a Geographically Dispersed Cluster
Exercise 4: Implementing NLB
Scenario
Woodgrove Bank provides several online applications for customers. Some customers recently experienced outages that caused a loss of goodwill among current and potential customers. One outage in the online banking system was of such an extended duration that it was reported on national news in North America. The public Web site and Online banking applications for Woodgrove Bank must now be evaluated and made highly available.
The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Determine how to provide high availability.
3. Determine how to configure NLB.

The main tasks for this exercise are:
1. Determine how to configure NLB for the Web front-end.
2. Determine how to provide high availability for the SQL server back-end.
Task 2: Determine how to provide high availability for the SQL server back-end
1. How can the SQL server be made highly available by using Windows Server 2008?
2. How can the SQL server be scaled as capacity increases?
3. How will maintenance be accommodated?

The main task for this exercise is:
Design a geographically dispersed cluster.
Note: Access to webapp.woodgrovebank.com will fail because the NLB cluster is not configured yet.
Task 10: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.
Module 13
Lab Instructions: Designing Print Services in Windows Server 2008
Contents
Exercise 1: Selecting a Print Services Design
Exercise 2: Designing User Access to Printers
Exercise 3: Designing High Availability for Printing
Exercise 4: Implementing IPP
Exercise 5: Deploying Printers by Using Group Policy
Scenario
Woodgrove Bank is reevaluating the design of print services for the organization. You must determine a new print services design, design user access, and design high availability for printing. Then, you will deploy a printer by using Group Policy and implement IPP.

The main tasks for this exercise are:
1. Start the virtual machines, and then log on.
2. Select a print services design.

The main task for this exercise is:
Design user access to printers.
Module 1
Lab Answer Key: Overview of Network Infrastructure
Contents
Exercise 1: Preparing for a Network Infrastructure Design
Exercise 2: Designing the Network Topology
Exercise 3: Designing Network Infrastructure for Virtualization
Exercise 4: Designing a Change Management Plan
Exercise 5: Lab Discussion
With your instructor, determine what data can be assumed for completing the remainder of the lab. At the discretion of the instructor and students, additional information can be added as an assumption that is used during further exercises. No specific assumptions are required.
2. Determine which hub site in each region should be connected to other regions.
The hub sites generating the most inter-regional communication should serve as the bridgehead for communication with other regions. In this case, the largest hub site in each region should serve as a bridgehead to communicate with other regions.
3. Determine how fast the WAN links between regions should be.
The speed of WAN links between regions must be sufficient to support the batch transfers and voice over Internet protocol (VoIP) traffic. Moving 1 GB (about 8,600 Mbit) within two hours (7,200 seconds) needs roughly 1.2 Mbps of sustained throughput; allowing for protocol overhead, plan on approximately 1.5 Mbps for the transfer alone. Adding the average inter-regional data traffic (.5 Mbps) and VoIP (.5 Mbps) brings the requirement during the bulk transfers up to 2.5 Mbps.
Task 2: Design the WAN links between hub sites in North America
1. Determine what WAN links will be created between hub sites in North America. There should be a ring network between the three hub sites in North America. This configuration allows a single WAN link to fail, but still provides full connectivity between the hub sites. If a single hub site becomes completely unavailable, the two remaining hub sites are still able to communicate. However, if there were 10 or 15 hub sites, a ring network would result in inefficient communication.
2. Determine how fast the WAN links will be between hub sites in North America. The speed of the WAN links between hub sites must support 2 Mbps of general traffic and .5 Mbps of VoIP traffic. This means an overall average requirement of 1.5 Mbps. However, these links should be sized closer to or even beyond peak utilization. Peak utilization is 6.5 Mbps.
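The answer to Task 2 rests on two properties of a ring of hub sites: any single WAN link (or single hub site) can fail without partitioning the remaining sites, and the worst-case path length grows with the number of sites, which is why the ring stops being attractive at 10 or 15 hubs. The following Python is an added example, not part of the course answer key; the hub-site names are the three North American hubs named in the lab, and the 15-site ring is a constructed comparison.

```python
from collections import deque
from itertools import combinations


def ring_links(sites):
    """WAN links of a ring: each hub site is linked to the next, and the last to the first."""
    n = len(sites)
    return {frozenset((sites[i], sites[(i + 1) % n])) for i in range(n)}


def hop_count(links, sites, src, dst):
    """Fewest WAN links traversed from src to dst (breadth-first search); None if unreachable."""
    adjacency = {site: set() for site in sites}
    for link in links:
        a, b = tuple(link)
        adjacency[a].add(b)
        adjacency[b].add(a)
    distance = {src: 0}
    queue = deque([src])
    while queue:
        here = queue.popleft()
        if here == dst:
            return distance[here]
        for nxt in adjacency[here]:
            if nxt not in distance:
                distance[nxt] = distance[here] + 1
                queue.append(nxt)
    return None


def worst_case_hops(links, sites):
    """Largest hop count between any pair of sites; None if some pair is disconnected."""
    worst = 0
    for a, b in combinations(sites, 2):
        hops = hop_count(links, sites, a, b)
        if hops is None:
            return None
        worst = max(worst, hops)
    return worst


def worst_case_after_link_failure(sites):
    """Worst hop count over every single-link failure; None if any failure partitions the ring."""
    links = ring_links(sites)
    results = []
    for failed in links:
        hops = worst_case_hops(links - {failed}, sites)
        if hops is None:
            return None
        results.append(hops)
    return max(results)


def survives_site_failure(sites):
    """True if the surviving hub sites stay fully connected when any one hub site goes down."""
    links = ring_links(sites)
    for down in sites:
        remaining = [site for site in sites if site != down]
        surviving = {link for link in links if down not in link}
        if worst_case_hops(surviving, remaining) is None:
            return False
    return True


if __name__ == "__main__":
    north_america = ["NYC", "Miami", "Toronto"]          # the lab's three hub sites
    big_ring = ["Hub%d" % i for i in range(15)]          # constructed 15-site comparison
    for sites in (north_america, big_ring):
        print(len(sites), "sites: intact worst case", worst_case_hops(ring_links(sites), sites),
              "hops; after one link failure", worst_case_after_link_failure(sites), "hops")
```

With three sites the worst case goes from 1 hop to 2 after a link failure; with 15 sites it goes from 7 to 14, so a single failure turns the ring into a long chain and traffic between neighbours of the broken link crosses every other hub.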
Task 4: Design the connectivity for the newly purchased Washington State regional bank
Determine how Seattle and other branches will be connected to Woodgrove Bank. The first determination that must be made is whether Seattle will be a new hub site. This is the simplest for implementation and makes sense at least until those new branches are fully integrated into the applications of Woodgrove Bank. The WAN links between the branches and Seattle will also need to be evaluated to ensure they have enough bandwidth to support any new applications that will be put in place as part of the merger with Woodgrove Bank. Assuming that Seattle is designated as a new hub site, it should be included in the ring network that is used by other North American hub sites.
Task 5: Design the tiers for the network within a hub site
1. Determine the number of tiers that should be used. Within a hub site, traffic should be tiered to increase manageability. There are typically three tiers.
2. Determine the resources that will be placed in each tier. The first tier is the high-speed backbone tier. The second tier should contain network services and servers that are used by multiple workgroups. The third tier should contain workgroup servers, user computers, and devices such as printers.
4. Click Network adapters. Notice that you can select the network that the virtual adapter is connected to. You can select whether the MAC address for the virtual adapter is assigned dynamically or statically.
5. Close Internet Explorer.
Task 4: Determine the network connectivity required for each host server
1. Determine the network connectivity required for NYC-HOST1.
   - A dedicated 1 Gbps Ethernet adapter for connectivity to the iSCSI SAN for NYC-EX1
   - A shared 1 Gbps Ethernet adapter for backups on all VMs
   - A shared 1 Gbps Ethernet adapter for client connectivity to the VMs
2. Determine the network connectivity required for NYC-HOST2.
   - A dedicated 1 Gbps Ethernet adapter for connectivity to the iSCSI SAN for NYC-EX2
   - A shared 1 Gbps Ethernet adapter for backups on all VMs
   - A shared 1 Gbps Ethernet adapter for client connectivity to the VMs
3. Determine the network connectivity required for NYC-HOST3.
   - A dedicated Fibre Channel adapter for NYC-APP3
   - A dedicated 1 Gbps Ethernet adapter for NYC-APP3
   - A dedicated Fibre Channel adapter for NYC-SQL1
   - A dedicated 1 Gbps Ethernet adapter for NYC-SQL1
   - A shared 1 Gbps Ethernet adapter for backups on all VMs
2. Determine which non-IT roles should be part of the change management process. All business areas within the organization should have a representative involved in the change management process. This ensures that outages do not have an impact on business units during critical periods such as year end or a high sales season.
In most cases, the person planning a change will be the person submitting a change request. This person is also responsible for responding to any concerns about the change. This person may or may not also implement the change.
2. Determine when changes can be implemented. Most applications and network infrastructure components are allocated daily, weekly, or monthly outages for maintenance. Changes are typically performed at this time. However, special approval can be made for changes outside of that time period.
3. Determine who can approve change requests. Change requests are typically approved by a change committee that is composed of representatives from IT and business units. In a large organization, there is usually a meeting of the change committee once per week, and changes must be planned accordingly.
4. Determine an alternate process for emergency changes. When emergency changes are required to repair a system that is failing, the process will be abbreviated. An emergency change can be submitted at any time, but is typically reviewed only by a subset of the change committee. In some cases, it may be only the change manager who is required to approve the change. However, emergency changes must be thoroughly documented after completion.
5. Determine who can approve emergency changes. The people who approve emergency changes must have a good understanding of the overall IT systems to ensure that they understand the risks created by the emergency change. Often the Change Manager has authority to approve emergency changes, but will confer with other experts to ensure that no unnecessary risks are taken.
Module 2
Lab Answer Key: Designing Network Security
Contents:
Exercise 1: Identifying a Team for the Security Plan Scenario
Exercise 2: Identifying Threats
Exercise 3: Analyzing Risk
Exercise 4: Implementing Password Policies
... the security design team. The specific person from each area may be the manager listed in the organizational chart or a highly knowledgeable expert from that area.
5. Which people should be involved in testing? Testing of security measures should involve technical staff representing each area, similar to those performing the development role. However, the people performing development should not also perform testing. You can also consider having a third party perform the testing.
6. Which people should be involved in user experience? The people involved in user experience should be a combination of technical staff and business staff so that both points of view are taken into account. Actual end users should be involved in usability testing at some point as well.
   STRIDE                  Example risk
   Information disclosure  Customer information could be stolen by attackers
   Denial of service       Attackers could exploit an application flaw to create a denial of service attack
   Elevation of privilege  Attackers could exploit an application flaw to elevate privileges and execute arbitrary code
2. Use the STRIDE model to identify risks to resources on the internal network.
   STRIDE                  Example risk
   Spoofing                A staff person could log on by using a co-worker's user ID
   Tampering               A disgruntled staff person could place incorrect information in documents or delete data
   Repudiation             Staff could deny making changes to a customer account
   Information disclosure  Private investment information could be accessed by unauthorized customer service staff
   Denial of service       Attackers (internal) could exploit an application flaw to create a denial of service attack
   Elevation of privilege  Attackers (internal) could exploit an application flaw to elevate privileges and execute arbitrary code
3.
   Layer                               Example risk
   Data                                Customer account information could be stolen
   Application                         Application flaws can be exploited for denial of service
   Host                                Operating system flaws can be exploited to elevate privileges
   Internal network                    Unauthorized users could connect to the network and attempt to attack network resources
   Perimeter                           Attackers could attempt to gain access to resources in the perimeter network
   Physical security                   Lost mobile devices could result in valuable corporate data being lost
   Policies, procedures, and awareness Employees could take confidential information offsite when it is less secure
4. In the warning dialog box, click OK.
5. Close Active Directory Users and Computers.
Task 2: Create a fine grained password policy for customer service staff
1. On NYC-DC1, click Start, and then click Run.
2. Type adsiedit.msc and then press ENTER.
3. In the left pane, right-click ADSI Edit and then click Connect to.
4. Click OK to connect to the Default naming context.
5. In the left pane, click Default naming context [NYC-DC1.WoodgroveBank.com], expand Default naming context [NYC-DC1.WoodgroveBank.com], click DC=WoodgroveBank,DC=com, expand DC=WoodgroveBank,DC=com, click CN=System, expand CN=System, and then click CN=Password Settings Container.
6. Right-click CN=Password Settings Container, point to New, and then click Object.
7. In the Create Object dialog box, select msDS-PasswordSettings, and then click Next.
8. In the Value box for Common-Name, type CustomerService and then click Next.
9. In the Value box for Password Settings Precedence, type 1 and then click Next.
10. In the Value box for Password reversible encryption status for user accounts, type FALSE and then click Next.
11. In the Value box for Password History Length for user accounts, type 5 and then click Next.
12. In the Value box for Password complexity status for user accounts, type TRUE and then click Next.
13. In the Value box for Minimum Password Length for user accounts, type 6 and then click Next.
14. In the Value box for Minimum Password Age for user accounts, type 1:00:00:00, and then click Next. This is 1 day.
15. In the Value box for Maximum Password Age for user accounts, type 60:00:00:00, and then click Next. This is 60 days.
16. In the Value box for Lockout threshold for lockout of user accounts, type 10 and then click Next. Accounts will be locked after 10 incorrect logon attempts.
17. In the Value box for Observation Window for lockout of user accounts, type 0:00:30:00, and then click Next. Lockouts occur if the incorrect attempts are performed within a 30 minute window.
18. In the Value box for Lockout duration for locked out user accounts, type 0:00:45:00, and then click Next. Accounts are locked out for 45 minutes.
19. Click Finish.
20. Close ADSI Edit.
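ADSI Edit accepts the durations in steps 14 to 18 as day:hour:minute:second text, but the msDS-PasswordSettings object stores them as negative 64-bit counts of 100-nanosecond ticks, which is what you see when auditing a PSO with LDAP tools or scripts. The Python below is an added example (not part of the course) that converts the lab's values into that stored form and lints the resulting policy for settings Active Directory rejects (minimum age not shorter than maximum age, observation window longer than the lockout duration, precedence below 1) or that weaken it; the attribute names are the real schema attributes of the msDS-PasswordSettings class, the length floor of 8 is a reviewer's choice and not an AD rule.

```python
import re

# The PSO exactly as the lab enters it in ADSI Edit (durations in d:hh:mm:ss form).
LAB_PSO = {
    "cn": "CustomerService",
    "msDS-PasswordSettingsPrecedence": 1,
    "msDS-PasswordReversibleEncryptionEnabled": False,
    "msDS-PasswordHistoryLength": 5,
    "msDS-PasswordComplexityEnabled": True,
    "msDS-MinimumPasswordLength": 6,
    "msDS-MinimumPasswordAge": "1:00:00:00",
    "msDS-MaximumPasswordAge": "60:00:00:00",
    "msDS-LockoutThreshold": 10,
    "msDS-LockoutObservationWindow": "0:00:30:00",
    "msDS-LockoutDuration": "0:00:45:00",
}

DURATION_ATTRIBUTES = (
    "msDS-MinimumPasswordAge",
    "msDS-MaximumPasswordAge",
    "msDS-LockoutObservationWindow",
    "msDS-LockoutDuration",
)
TICKS_PER_SECOND = 10_000_000  # AD large-integer durations count 100-nanosecond ticks


def duration_to_ad_interval(text):
    """Convert 'd:hh:mm:ss' to the value AD stores: the negated number of 100-ns ticks."""
    match = re.fullmatch(r"(\d+):(\d{1,2}):(\d{1,2}):(\d{1,2})", text)
    if not match:
        raise ValueError(f"{text!r} is not in d:hh:mm:ss form")
    days, hours, minutes, seconds = (int(part) for part in match.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"{text!r} has an out-of-range field")
    total_seconds = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return -total_seconds * TICKS_PER_SECOND


def to_stored_values(pso):
    """Return the PSO with every duration replaced by the integer AD actually stores."""
    stored = dict(pso)
    for attribute in DURATION_ATTRIBUTES:
        stored[attribute] = duration_to_ad_interval(pso[attribute])
    return stored


def lint_pso(pso, minimum_length_floor=8):
    """Return [(attribute, reason)] for settings AD rejects or that weaken the policy."""
    stored = to_stored_values(pso)
    findings = []
    if stored["msDS-PasswordSettingsPrecedence"] < 1:
        findings.append(("msDS-PasswordSettingsPrecedence", "must be 1 or greater"))
    if stored["msDS-PasswordReversibleEncryptionEnabled"]:
        findings.append(("msDS-PasswordReversibleEncryptionEnabled", "stores passwords recoverably"))
    # Stored intervals are negative, so a larger stored value means a shorter duration.
    if stored["msDS-MinimumPasswordAge"] <= stored["msDS-MaximumPasswordAge"]:
        findings.append(("msDS-MinimumPasswordAge", "must be shorter than the maximum age"))
    if stored["msDS-LockoutObservationWindow"] < stored["msDS-LockoutDuration"]:
        findings.append(("msDS-LockoutObservationWindow", "must not exceed the lockout duration"))
    if stored["msDS-LockoutThreshold"] == 0:
        findings.append(("msDS-LockoutThreshold", "0 disables account lockout"))
    if stored["msDS-MinimumPasswordLength"] < minimum_length_floor:
        findings.append(("msDS-MinimumPasswordLength", f"below the floor of {minimum_length_floor}"))
    return findings


if __name__ == "__main__":
    for attribute, value in to_stored_values(LAB_PSO).items():
        print(f"{attribute}: {value}")
    print("findings:", lint_pso(LAB_PSO))
```

Run against the lab's values, the only finding is the 6-character minimum length; the 60-day maximum age is stored as -51840000000000 and the 30-minute observation window as -18000000000, which is the form to expect when comparing a PSO against policy with a script.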
Task 3: Associate the new fine grained password policy with Customer Service groups
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Click the View menu and then click Advanced Features.
3. In the left pane, under WoodgroveBank.com, expand System, and then click Password Settings Container.
4. In the right pane, right-click Customer Service and then click Properties.
5. Click the Attribute Editor tab.
6. Scroll down and then double-click the msDS-PSOAppliesTo attribute.
7. Click the Add Windows Account button.
8. Type NYC_CustomerServiceGG; MIA_CustomerServiceGG; TOR_CustomerServiceGG, click Check Names, and then click OK.
9. Click OK to close the Multi-valued Distinguished Name With Security Principal Editor window.
Module 3
Lab Answer Key: Designing IP Addressing
Contents:
Exercise 1: Designing an IPv4 Addressing Scheme
Exercise 2: Designing a DHCP Implementation
Exercise 3: Designing an IPv6 Addressing Scheme
2. How many public IPv4 addresses are required? There are 5 servers in the perimeter network that require an external IP address for direct connectivity to the Internet. A sixth IP address should be provided for NAT or a proxy server to provide Internet access for clients.
3. How will you obtain the necessary public IP addresses? Public IP addresses are obtained from an ISP.
2. Which subnet mask will you use for branch offices? All branch offices have 200 devices or less. Therefore, a class C sized address can be allocated to each one with a subnet mask of 255.255.255.0.
3. Which subnet mask will you use for hub sites? Hub sites need a sufficient number of addresses allocated for their own use as well as for the branches that connect to them. Allocating a class B sized address to each hub site with a subnet mask of 255.255.0.0 provides maximum flexibility.
4. Which subnet mask will you use for the North America division? The simplest method for subnetting allocates equal sized portions of the address space to each of the three regions while allowing enough flexibility for future expansion if required. Using five bits of the second octet to define the hub site allows up to 32 hub sites in each division. Using 3 bits of the second octet to define the division allows future expansion up to 8 divisions. The subnet mask in this case is 255.224.0.0. North America can be assigned the 10.32.0.0/11 network.
5. List the networks and subnet masks used by each hub site.
   Hub site   Network        Subnet mask
   NYC        10.32.0.0/16   255.255.0.0
   Miami      10.33.0.0/16   255.255.0.0
   Toronto    10.34.0.0/16   255.255.0.0
6. List the networks and subnet masks used by the NYC hub site internally and for branches. The NYC location is allocated approximately 8,000 addresses, which can be further subnetted for internal routing based on security zones and other factors. There are still enough bits available for 224 branches.
   Location               Network         Subnet mask
   NYC hub site internal  10.32.0.0/19    255.255.224.0
   NYC branch 1           10.32.32.0/24   255.255.255.0
   NYC branch 2           10.32.33.0/24   255.255.255.0
   NYC branch 3           10.32.34.0/24   255.255.255.0
2. How will you provide high availability for DHCP in the hub sites? Because the DHCP servers will be responsible for such a high number of clients, the highest possible availability is preferred. There are not enough spare IP addresses to use a 50-50 split with multiple DHCP servers, so failover clustering is the best option.
3. How many scopes need to be configured on the DHCP servers in the hub site? Each DHCP server needs a scope for each subnet that is being serviced. This will include one scope for each branch location and a scope for each subnet in the hub site with DHCP clients.
Example: FD00:1234:ABCD::/48, where 00:1234:ABCD is the global ID portion of the address.
2. Which network address will you use for the North America division? Four bits will be allocated for divisions. This corresponds with a single digit in the address. Therefore, North America can be FD00:1234:ABCD:1000::/52.
3. Which network addresses will you use for hub sites? The next four bits can be allocated to hub sites. This corresponds to another digit in the address and allows for 16 hub sites in each division. The hub sites for North America can be:
   Hub site   Network address
   NYC        FD00:1234:ABCD:1000::/56
   Miami      FD00:1234:ABCD:1100::/56
   Toronto    FD00:1234:ABCD:1200::/56
4. Which network address will you use for branch offices? The remaining 8 bits can be allocated for branch offices and internal networks within the hub sites. The table below allows for 16 subnets for NYC internal use.
   Hub site          Network address
   NYC internal use  FD00:1234:ABCD:1000::/60
   NYC branch 1      FD00:1234:ABCD:1010::/64
   NYC branch 2      FD00:1234:ABCD:1011::/64
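Both the IPv4 plan in Exercise 1 (3 division bits, 5 hub-site bits, a /19 for the hub itself, /24 per branch) and the IPv6 plan in Exercise 3 (one hex digit per level) are the same hierarchical carve-up of one root prefix. The Python below is an added example, not part of the course, that performs that carve-up with the standard library's ipaddress module and reproduces the addresses in the tables above, including the 224 /24 networks left for NYC branches; the function names and the choice to keep the lowest block for hub-internal use are my own, the prefixes are the lab's.

```python
import ipaddress

PRIVATE_V4 = ipaddress.ip_network("10.0.0.0/8")
ULA_V6 = ipaddress.ip_network("fd00:1234:abcd::/48")   # the lab's example ULA prefix


def _carve(root, division_prefix, hub_prefix, internal_prefix, branch_prefix,
           division_index, hub_index, branch_count):
    """Hierarchical allocation: root -> division -> hub site -> hub-internal block,
    with the rest of the hub site's space handed out to branches in address order."""
    division = list(root.subnets(new_prefix=division_prefix))[division_index]
    hub = list(division.subnets(new_prefix=hub_prefix))[hub_index]
    internal = next(hub.subnets(new_prefix=internal_prefix))   # lowest block stays at the hub
    branch_pool = sorted(
        net for block in hub.address_exclude(internal)
        for net in block.subnets(new_prefix=branch_prefix))
    if branch_count > len(branch_pool):
        raise ValueError(f"{hub} only has room for {len(branch_pool)} branch networks")
    return {
        "division": division,
        "hub": hub,
        "internal": internal,
        "branches": branch_pool[:branch_count],
        "spare_branch_networks": len(branch_pool) - branch_count,
    }


def v4_plan(division_index, hub_index, branch_count):
    """Lab IPv4 scheme: /11 per division, /16 per hub site, /19 hub-internal, /24 per branch."""
    return _carve(PRIVATE_V4, 11, 16, 19, 24, division_index, hub_index, branch_count)


def v6_plan(division_index, hub_index, branch_count):
    """Lab IPv6 scheme: /52 per division, /56 per hub site, /60 hub-internal, /64 per branch."""
    return _carve(ULA_V6, 52, 56, 60, 64, division_index, hub_index, branch_count)


if __name__ == "__main__":
    # Division index 1 is North America in both schemes; hub index 0 is NYC.
    for label, plan in (("IPv4", v4_plan(1, 0, 3)), ("IPv6", v6_plan(1, 0, 2))):
        print(label, "division", plan["division"], "hub", plan["hub"],
              "internal", plan["internal"], "mask", plan["internal"].netmask)
        for number, branch in enumerate(plan["branches"], 1):
            print(f"  branch {number}: {branch}")
        print(f"  spare branch networks: {plan['spare_branch_networks']}")
```

Asking for more branches than a hub site can hold raises an error instead of silently overlapping the hub-internal block, which is the failure that a hand-maintained spreadsheet plan tends to produce.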
2. What process will you follow when implementing IPv6? At this time there is no specific need to update any applications other than the messaging system, to ensure that it can communicate with the IPv6 VoIP phone system. DNS needs to be configured with all necessary IPv6 host records to support integration of the phone system and the messaging system. All routing infrastructure must also be upgraded to support IPv6 routing. You will also have to determine how the IPv6 phones will obtain an IPv6 address and configuration options such as DNS. Over time, as more applications are available for IPv6, computers can have IPv6 installed on them if it is not already installed by default. Eventually, when all applications using IPv4 have been retired, you can remove IPv4 from network hosts.
Module 4
Lab Answer Key: Designing Routing and Switching Requirements
Contents
Exercise 1: Designing Internal Infrastructure
Exercise 2: Designing a Perimeter Network
Exercise 3: Evaluating Network Performance
Exercise 4: Monitoring Network Performance
2. What type of WAN link will you use between Seattle and the branch offices? It has been determined that a VPN can provide sufficient security for WAN links between the branch offices and the Seattle hub site. However, because there has been no study of the reliability of Internet connections at the branch offices, you should use leased lines at this time. Later, you can do a pilot project using a VPN link to a single branch for testing. If performance and reliability are sufficient, then you can migrate the branch WAN links to VPN for cost savings.
3. What routing protocol should be used to control routing? Woodgrove Bank is a large organization where it is not practical to use static routing. If static routing were used, any small change to the routing table would need to be updated on many routers manually. Dynamic routing should be used instead. In most cases, routing will be performed by dedicated hardware routers, in which case you should select a dynamic routing protocol supported by your hardware routers. You are only limited to RIP when Windows Server 2008 is used as a router.
4. Will you place any filters on communication between Seattle and the branch offices? Because there is no direct transfer of files between branch locations, you can implement filters that stop direct branch to branch communication. However, you must allow communication from branch offices to the hub sites so that regional managers can access their files when travelling to the branch offices.
5. On a piece of paper, draw how the new bank will integrate with the existing network infrastructure. See M4_WashingtonNetwork.in the LabAnswerKey folder of the student CD for an example.
... applications used by branches. The third tier has workgroups, with each workgroup getting a separate network. Servers specific to a workgroup, such as a file server, are also located in the third tier.
2. Will you perform routing within the Seattle hub site by using routers or layer 3 switches? The routing within a hub site is not complex and can easily be performed by using layer 3 switches. This is a cost advantage and allows you to use VLANs.
3. If switches are used, how will you define VLANs? VLANs will be based on ports. Each port will be assigned to a VLAN. Later reorganizations of the network will then require only that ports be changed to a different VLAN.
4. On a piece of paper, draw the logical networks of the Seattle hub site. See M4_SeattleNetwork.in the LabAnswerKey folder of the student CD for an example.
2. Which type of WAN link will you use for the extranet? A secure VPN tunnel over the Internet is better than leased lines in this case due to lower costs. Because this is a site to site VPN, there is no need to provide user-based authentication; computer-based (router) authentication is sufficient. Therefore, an IPSec tunnel should be used rather than PPTP or L2TP/IPSec. The VPN tunnel will encrypt communication as it traverses the Internet, but will not encrypt authentication credentials in transit on either side of the tunnel. The Web front end should use SSL to secure authentication credentials and data from end to end during the communication process.
3. How will you limit partner access to your network? The Web front end for the customer database should be located in a perimeter network. Appropriate filters should be configured such that users coming in over the VPN tunnel can only access the Web front end for the customer database. The Web front end server will be allowed to communicate with the customer database on the internal network.
The requirement for multiple perimeter networks necessitates a multihomed firewall to create the multiple perimeter networks. A port of the multihomed firewall can be designated as a separate perimeter network. Configuring all rules in a single device will simplify management.
3. Which filtering rules will be in place?
   On the VPN perimeter network, VPN communication will be allowed from the Internet to the VPN server. Communication from the VPN server to the internal network will be allowed for those resources that are specified, such as file servers and application servers. Some resources may not be available because the security risk is considered too high.
   On the non-secure perimeter network, ports 25 and 80 will be allowed in to the Exchange Edge Transport server and Web server respectively. Communication from the Exchange Edge Transport server to at least one internal Exchange Hub Transport server will be allowed. Clients on the internal network must have rules to allow them to update content on the Web server with general information.
   On the account secure perimeter network, Internet clients will be able to access ports 80 and 443 on the Web server. When port 80 on the Web server is accessed, it will redirect clients to port 443 for secure communication by using SSL. The Web server will be allowed to communicate with the necessary databases and application servers on the internal network.
   On the investment secure perimeter network, Internet clients will be able to access ports 80 and 443 on the Web server. When port 80 on the Web server is accessed, it will redirect clients to port 443 for secure communication by using SSL. The Web server will be allowed to communicate with the necessary databases and application servers on the internal network.
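A rule set spread over four perimeter networks is easiest to review as a table of allowed flows with everything else denied. The Python below is an added example, not part of the course answer key: it encodes the rules just listed as a default-deny allow list and answers "can this source reach this host on this service?" for each flow, and lists the Internet-facing surface that results. The host names and zone names are constructed for the example; the port numbers 25, 80 and 443 come from the lab text, while the "vpn", "smb", "app", "db" and "content-update" service labels stand in for protocols the lab does not specify.

```python
# Hosts and the network each one sits in (constructed from the lab's perimeter design).
ZONES = {
    "vpn-server": "vpn-perimeter",
    "edge-transport": "nonsecure-perimeter",
    "public-web": "nonsecure-perimeter",
    "account-web": "account-perimeter",
    "investment-web": "investment-perimeter",
    "hub-transport": "internal",
    "file-server": "internal",
    "app-server": "internal",
    "account-db": "internal",
    "investment-db": "internal",
    "internal-client": "internal",
}

# Allow rules as (source host or zone, destination host, service). Anything absent is denied.
ALLOW = {
    ("internet", "vpn-server", "vpn"),              # VPN protocol unspecified in the lab
    ("vpn-server", "file-server", "smb"),           # named resources only, per the lab
    ("vpn-server", "app-server", "app"),
    ("internet", "edge-transport", "tcp/25"),
    ("edge-transport", "hub-transport", "tcp/25"),
    ("internet", "public-web", "tcp/80"),
    ("internal-client", "public-web", "content-update"),   # protocol unspecified in the lab
    ("internet", "account-web", "tcp/80"),
    ("internet", "account-web", "tcp/443"),
    ("account-web", "account-db", "db"),
    ("account-web", "app-server", "app"),
    ("internet", "investment-web", "tcp/80"),
    ("internet", "investment-web", "tcp/443"),
    ("investment-web", "investment-db", "db"),
    ("investment-web", "app-server", "app"),
}

SECURE_PERIMETERS = {"account-perimeter", "investment-perimeter"}


def source_zone(src):
    """The Internet is its own zone; every other source must be a known host."""
    return "internet" if src == "internet" else ZONES[src]


def is_allowed(src, dst, service):
    """True when a rule names this flow by source host or by source zone; default deny."""
    if dst not in ZONES:
        raise KeyError(f"unknown destination host {dst!r}")
    return (src, dst, service) in ALLOW or (source_zone(src), dst, service) in ALLOW


def http_response(dst, port):
    """Web servers in the secure perimeters answer port 80 only with a redirect to 443."""
    if ZONES[dst] in SECURE_PERIMETERS and port == 80:
        return "redirect:443"
    return "serve"


def internet_exposure():
    """Every (host, service) reachable from the Internet: the surface to review first."""
    return sorted((dst, service) for (src, dst, service) in ALLOW if src == "internet")


def reachable_from(src):
    """Everything a given host may initiate, useful when deciding what a compromise of it exposes."""
    zone = source_zone(src)
    return sorted((dst, service) for (rule_src, dst, service) in ALLOW if rule_src in (src, zone))


if __name__ == "__main__":
    print("Internet-facing surface:", internet_exposure())
    print("account-web may reach:", reachable_from("account-web"))
    print("account-web:80 ->", http_response("account-web", 80))
```

Note that the account and investment Web servers can each reach only their own database even though both databases sit on the internal network; encoding the rules per host, rather than per zone, is what keeps a compromise of one front end from becoming a path to the other line of business's data.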
2. What appears to be the bottleneck on the network? The 1 Gbps links between the switches are being overloaded by traffic from the streaming media server.
3. How can you eliminate the bottleneck? The simplest method to eliminate the 1 Gbps links as a bottleneck is to move the streaming media server to the central data center instead of the 5th floor. Then the only data transfer from the 4th floor during a live broadcast will be a single stream from the encoding computer to the streaming media server. However, the switches on each floor should also be reorganized to connect directly to a central switch. This way a single switch acts as a high speed backbone rather than multiple 1 Gbps links.
4. Is there any way to adjust the application to resolve this problem? Streaming Media Services supports delivery of live events as multicasts. When multicast packets are used, packets are delivered once to each network rather than once to each workstation. This would eliminate live events as a concern for network performance. As an added benefit, it would allow live events to be streamed to other locations within the organization over WAN links with limited impact on network performance. All routers must be configured to support forwarding of multicasts.
10. In the list of available counters, expand IPv6 and read the available counters.
11. In the list of available counters, expand Network Interface and read the available counters.
12. In the list of available counters, expand Redirector and read the available counters.
13. Click Cancel to close the Add Counters window.
14. Close Reliability and Performance Monitor.
Module 5
Lab Answer Key: Designing Security for Internal Networks
Contents
Exercise 1: Designing a Windows Firewall Implementation
Exercise 2: Designing an IPsec Implementation
2. What outbound rules should be implemented on servers? There are no specific requirements for outbound rules listed on the servers. Windows Firewall is a stateful firewall and does not require corresponding outbound rules to be created for communication already established by inbound rules. Outbound rules need to be configured for basic network services, such as DNS lookups and domain authentication. These are in place by default.
3. What inbound rules should be implemented on Vista workstations? There are no listed applications on client computers that require inbound communication. However, inbound communication for basic network communication is required. These rules are in place by default.
4. What outbound rules should be implemented on Vista workstations? The outbound rules necessary for basic network communication are in place by default. However, outbound rules must be created for other applications. For the investments custom application, a program rule should be created to allow invest.exe to communicate on the network. This is more secure than creating a port rule that allows communication to port 10101.
   For Internet Explorer, you should create a program rule that allows iexplore.exe access to the network. This prevents unsupported Web browsers from being used. After the program rule is created, you can edit it to restrict communication to ports 80, 443, and 8080.
5. What concerns do you have about operating systems other than Windows Server 2008 and Windows Vista? Windows XP and Windows Server 2003 do not support outbound rules as part of the Windows Firewall configuration. If malware is installed on these operating systems, there is no method to prevent propagation to vulnerable hosts. However, all inbound rules can still be configured.
2. How will Windows Firewall be deployed on workstations? Workstations should be configured with the necessary Windows Firewall rules by using Group Policy. If desired, customized group policies can be created for various workgroups that include only the necessary applications for each workgroup. To support this, each workgroup should have a separate OU in Active Directory.
10. Click Next to apply the rule to the Domain, Private, and Public profiles.
11. In the Name box, type Allow IE and then click Finish.
12. Close the Group Policy Management Editor.
13. Close Group Policy Management.
All of the computers in the Investments group must require authentication for inbound connections and request authentication for outbound connections. Similarly, all communication to Investments servers and workstations must be authenticated. However, Investments workstations can initiate communication with servers that are not part of the Investments area and those will not be authenticated.
2. What authentication method should be used? Using Kerberos authentication (user and computer) provides the flexibility to create firewall rules that are specific to particular computer accounts or user accounts. This is the best way to control communication. It also requires no additional configuration on the computers, because they are already part of a domain and therefore participate in Kerberos authentication.
3. What type of connection security rule should be used? An Isolation rule should be used. This type of rule uses Kerberos authentication. After authentication is established, firewall rules can be created based on the specific users and computers you want to allow. This type of rule does not designate endpoints by IP address.
2. How will connection security rules be deployed to workstations? All Investments workstations can be placed in a specific OU and have the connection security rules applied by using Group Policy. This ensures that all Investments workstations have the same configuration.
3. How will you address Windows XP clients? Based on the conditions presented in the scenario, the best solution is to upgrade the few remaining XP computers to Windows Vista. Other alternatives will be relatively complex. In the short term, an exemption rule can be used for the Windows XP computers to remove the need for IPSec authentication from those computers. Exemption rules are based on computer IP address, so the XP computers must be given static IP addresses or reservations in DHCP. Other alternatives are:
   a. Use both IPSec policies and connection security rules on the servers. This is not recommended because the results are difficult to predict.
   b. Use IPSec policies only. Windows Server 2008 and Windows Vista are both capable of using IPSec policies. However, if IPSec policies are used, then you cannot control authentication based on computer and user accounts.
6. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Connection Security Rules.
7. Right-click Connection Security Rules, and then click New Rule.
8. Ensure Isolation is selected and click Next.
9. Click Require authentication for inbound connections and request authentication for outbound connections and click Next.
10. Click Computer and user (Kerberos V5) and click Next.
11. Click Next to apply the rule to the Domain, Private, and Public profiles.
12. In the Name box, type Secure Communication, and then click Finish.
13. Close the Group Policy Management Editor.
14. Close Group Policy Management.
10. On the Profile page, ensure that all profiles are selected and then click Next.
11. In the Name box, type Administrator Access to Web site and then click Finish.
12. Close Windows Firewall with Advanced Security.
Module 6
Lab Answer Key: Designing Name Resolution
Contents
Exercise 1: Designing a DNS Namespace
Exercise 2: Designing a DNS Server Strategy
Exercise 3: Designing a DNS Zone and Replication Strategy
Exercise 4: Discuss the Design of Name Resolution
Exercise 5: Implement a DNS and Zone Replication Strategy
2. What additional considerations must be taken into account when modifying an existing design? When you are evaluating an existing namespace design, you must take into account the amount of work and risk involved in modifying the namespace. In this case, woodgrovebank.com is the namespace used for both internal and external DNS. Changing the internal namespace to corp.woodgrovebank.com will involve extensive planning and testing to ensure that network services and applications are not interrupted.
3. What DNS namespace do you recommend that Woodgrove Bank use for Active Directory? It is recommended that Woodgrove Bank continue to use the woodgrovebank.com namespace for both internal and external namespaces. This is due to the work and risk involved in changing the namespace from woodgrovebank.com to corp.woodgrovebank.com. Also, this will keep the manual synchronization of records between the internal and external DNS servers minimal.
2. Are DNS servers required at each hub site? Yes, DNS servers should be located at each hub site. There are a large number of users for each hub site and performing DNS lookups over the WAN may cause WAN congestion.
3. How many DNS servers should be located at each hub site? Two DNS servers should be located at each hub site for redundancy. There are a large number of users for DNS in each hub site, and forcing clients to use the DNS server from an alternate hub site could result in WAN congestion.
2. Which zones need to be created on external DNS servers? Only the woodgrovebank.com zone needs to be created on external DNS servers. This is the only zone that contains external records.
3. In which hub sites will each DNS zone be placed? Each hub site for a domain should have a copy of the domain DNS zone. In addition, the main hub site in each domain should have a copy of the DNS zones for other domains. The _msdcs zone should be located in all hub sites because it contains records used to locate domain controllers and global catalog servers for all domains. This zone will have very few changes and will not cause a lot of replication traffic.
   Hub site   Zones
   New York   WoodgroveBank.com, Emea.WoodgroveBank.com, Asia.WoodgroveBank.com, _msdcs.woodgrovebank.com
   Toronto    WoodgroveBank.com, _msdcs.woodgrovebank.com
   Miami      WoodgroveBank.com, _msdcs.woodgrovebank.com
   Seattle    WoodgroveBank.com, _msdcs.woodgrovebank.com
   London     WoodgroveBank.com, Emea.WoodgroveBank.com, Asia.WoodgroveBank.com, _msdcs.woodgrovebank.com
   Paris      Emea.WoodgroveBank.com, _msdcs.woodgrovebank.com
   Lisbon     Emea.WoodgroveBank.com, _msdcs.woodgrovebank.com
   Tokyo      WoodgroveBank.com, Emea.WoodgroveBank.com, Asia.WoodgroveBank.com, _msdcs.woodgrovebank.com
   Beijing    Asia.WoodgroveBank.com, _msdcs.woodgrovebank.com
4. How will replication/zone transfers be configured for each zone? Within each domain, the local zone should be configured as Active Directory integrated. This will allow secure dynamic updates to be configured. By default, Active Directory integrated zones are replicated to all domain controllers in the same domain. Since each instance acts as a primary zone, all domain controllers in the domain that are configured as DNS servers can accept dynamic updates.
   Hub site   Zones
   New York   WoodgroveBank.com (AD integrated), Emea.WoodgroveBank.com (secondary), Asia.WoodgroveBank.com (secondary), _msdcs.woodgrovebank.com (AD integrated)
   Toronto    WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)
   Miami      WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)
   Seattle    WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)
   London     WoodgroveBank.com (secondary), Emea.WoodgroveBank.com (AD integrated), Asia.WoodgroveBank.com (secondary), _msdcs.woodgrovebank.com (AD integrated)
   Paris      Emea.WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)
   Lisbon     Emea.WoodgroveBank.com (AD integrated), _msdcs.woodgrovebank.com (AD integrated)
   Tokyo      WoodgroveBank.com (secondary), Emea.WoodgroveBank.com (secondary)
   Beijing
Note: You must click Finish as soon as it appears. Otherwise it will automatically change to Next. Then, you will have to click Next again and then click Finish.
8. In the left pane, click EMEA.WoodgroveBank.com.
9. Review the records that have been transferred.
Module 7
Lab Answer Key: Designing Advanced Name Resolution
Contents
Exercise 1: Optimizing DNS Servers
Exercise 2: Designing High Availability for Name Resolution
Exercise 3: Designing WINS
Exercise 4: Implementing a GlobalNames Zone
2.
Which DNS servers should use forwarding and how is it configured? Forwarding needs to be configured in all hub sites that do not have secondary zones of the remote domains.

Hub Site    Forwarding Configuration
New York    To Internet
Miami       To New York
Toronto     To New York
Seattle     To New York
London      To New York
Paris       To London
Lisbon      To London
Tokyo       To New York
Beijing     To Tokyo
3.
Which DNS servers should use root hints to look up names? Root hints should be removed from all internal DNS servers except the New York DNS servers. Only the New York DNS servers need to be able to perform Internet lookups.
4.
How will DNS servers in New York, which perform external lookups, be protected from the Internet? The New York DNS servers can be protected by placing a dedicated server for external DNS lookups in the perimeter network. The New York DNS servers will be configured to forward requests to the dedicated external DNS server.
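The forwarding table, the root-hints decision and the perimeter forwarder together define where every recursive query ends up. The following script is an added example (not part of the course lab) that encodes that chain and checks it the way a reviewer of the design would: every hub site must reach a server that can resolve Internet names, and no site may forward in a loop. The site names and forwarding targets are the ones in the answer key; "perimeter" is an assumed name for the dedicated external-lookup server placed in the perimeter network.

```python
"""Trace where a recursive DNS query ends up under the lab's forwarding design.

Added example, not from the course lab. Site names and forwarding targets are
taken from the answer key; "perimeter" is an assumed name for the dedicated
external DNS server in the perimeter network.
"""

# Forwarding targets exactly as the answer key lists them. The New York servers
# forward to the perimeter server instead of performing Internet lookups themselves.
FORWARDERS = {
    "New York": "perimeter",   # assumption: dedicated external DNS server
    "Miami": "New York",
    "Toronto": "New York",
    "Seattle": "New York",
    "London": "New York",
    "Paris": "London",
    "Lisbon": "London",
    "Tokyo": "New York",
    "Beijing": "Tokyo",
}

# Root hints are removed from all internal servers; only the perimeter server keeps them.
HAS_ROOT_HINTS = {"perimeter"}


def resolution_path(site, forwarders=FORWARDERS, root_hints=HAS_ROOT_HINTS):
    """Return the servers a query from `site` traverses until it reaches a server
    that can resolve Internet names itself. Raises ValueError on a forwarding
    loop or on a dead end (a server with neither a forwarder nor root hints)."""
    path = [site]
    seen = {site}
    current = site
    while current not in root_hints:
        nxt = forwarders.get(current)
        if nxt is None:
            raise ValueError(f"{current} has no forwarder and no root hints: query fails")
        if nxt in seen:
            raise ValueError(f"forwarding loop: {' -> '.join(path + [nxt])}")
        path.append(nxt)
        seen.add(nxt)
        current = nxt
    return path


def check_design(forwarders=FORWARDERS, root_hints=HAS_ROOT_HINTS):
    """Validate every site: map each site to its path, or to an error message."""
    results = {}
    for site in forwarders:
        try:
            results[site] = resolution_path(site, forwarders, root_hints)
        except ValueError as exc:
            results[site] = str(exc)
    return results


if __name__ == "__main__":
    for site, outcome in check_design().items():
        shown = " -> ".join(outcome) if isinstance(outcome, list) else outcome
        print(f"{site:9} {shown}")
    # A misconfiguration the check catches: Tokyo forwarding to Beijing creates a loop.
    broken = dict(FORWARDERS, Tokyo="Beijing")
    print(check_design(broken)["Beijing"])
```

Running the script shows Beijing resolving through Tokyo and New York before the perimeter server, which is the reason the answer key removes root hints everywhere except New York: every other site depends on that chain being intact.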
5.
How should caching be configured on the DNS servers? The DNS servers are configured to cache all DNS lookups by default. The individual records are cached based on the expiry set in the primary zone. Typically a record TTL is 3600 seconds or 1 hour.
2.
How should root hints be configured on the external DNS servers performing external lookups? The root hints that allow lookups on the Internet are automatically configured when a DNS server is installed. You can manually update the root hints if required.
2.
Will DNS servers be hosted in multiple locations? For best network availability, DNS servers should be hosted in multiple locations to provide fault tolerance for network problems. However, this is only relevant if those network problems do not affect the services Internet clients are attempting to access. In this case, Woodgrove Bank does not need multiple data centers to support its Internet services, so hosting external DNS servers in multiple locations has no added benefit.
What method will you use to configure DNS servers to make them highly available? Using clustering would be unnecessarily complex to provide high availability. Simply having two DNS servers in each hub site provides high availability. If one DNS server is unavailable, then clients can use the other DNS server.
3.
Clients should be configured to use both local DNS servers in the hub site. If one fails, then the clients will use the other.
2.
Where should WINS servers be located? Because the failure of a WAN link is a concern, WINS servers should be located in London, New York, and Tokyo.
3.
How would your plans change if NetBIOS applications were installed on all computers? If all computers were running applications that required NetBIOS, then all computers would need to communicate with WINS servers. Also, WINS servers would be configured at each hub site.
What replication topology should be used between WINS servers? A hub and spoke replication topology can be used, with New York acting as the hub. This provides a system that is simple to maintain. The replication partners must be configured manually.
How can a GlobalNames DNS zone reduce the need for WINS? Depending on the application, you may be able to use a DNS GlobalNames zone instead of WINS. However, this must be tested to ensure that all applications will work properly in this configuration. The use of a GlobalNames zone requires the clients to make a DNS query after NetBIOS name resolution methods, including broadcast, LMHOSTS, and WINS, have failed.
6. Click To all DNS servers in this forest: WoodgroveBank.com and click Next.
7. In the Zone name box, type GlobalNames, and then click Next.
8. Select Do not allow dynamic updates and click Next.
9. Click Finish.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.
Module 8
Lab Answer Key: Designing Network Access Solutions
Contents
Exercise 1: Designing a Network Access Solution
Exercise 2: Designing Network Policy Services
Exercise 3: Designing a Wireless Connection Solution
Exercise 4: Discuss the Design of Network Access
Exercise 5: Deploying an SSTP VPN Solution
3.
Which VPN tunnelling protocol should be used? To provide the best level of security, either SSTP or L2TP should be used. L2TP may provide slightly better security for authentication because computers are authenticated in addition to users. However, L2TP VPNs may be blocked by firewalls in some cases. SSTP has similar encryption strength to L2TP/IPSec, but is easier to configure because there is no computer authentication required. SSTP is almost never blocked by firewalls. SSTP should be used for Windows Vista clients. L2TP should be used for Windows XP clients.
2.
How will you address the concerns of non-North American users about slow access to data over the VPN?
The current physical configuration of the Woodgrove Bank network has only a single Internet connection in New York. To provide faster access to data, you could add more Internet connections in Tokyo and London. However, this will make controlling Internet access more difficult. The simplest solution is to provide terminal servers in Tokyo and London with the necessary applications for EMEA and Asia users. These users can use the VPN to connect to New York and then run their applications on the terminal servers in their home site. The terminal servers will have fast access to local data, and only screen updates are sent to the remote access clients over the VPN. Screen updates from terminal services typically generate much less traffic over a network connection than accessing data from a workstation does.
3.
How will clients be configured with dial-up and VPN connections? The Connection Manager can be used to generate packages that provide connectivity information for dial-up and VPN connections. Users will need to be trained on which connection to use, depending on their location. Client computers must also be configured with appropriate hardware. Any users who require dial-up access must have a modem. Other users requiring Internet connectivity will require either a wireless network adapter or an Ethernet adapter.
4.
How will you address concerns about availability for the Internet connection? When planning for disaster recovery and service availability, it is essential for an SLA to be in place with an ISP. If the current ISP is unable to provide an SLA, Woodgrove Bank should investigate other providers of Internet connectivity that can provide an SLA. When evaluating SLAs, you need to balance the guarantee of availability with the cost of service.
2.
What configuration needs to be performed at the ISP? The ISP has a dial-up server that must be configured as a RADIUS client. This computer will forward authentication requests to a RADIUS proxy at the ISP. The RADIUS proxy must be configured to forward authentication requests for Woodgrove Bank users to the NPS server at Woodgrove Bank, which is a RADIUS server.
3.
What configuration needs to be performed at Woodgrove Bank? At Woodgrove Bank, an NPS server must be configured to accept RADIUS requests from the ISP.
4.
How does the implementation of RADIUS affect the local VPN server? The implementation of RADIUS can be kept separate from the local VPN server and does not necessarily affect it. However, by keeping RADIUS separate from the VPN server, network policies must be maintained on both the VPN server and the NPS server used by RADIUS. To simplify maintenance of network policies, the VPN server should be configured as a RADIUS client of the NPS server. Then, all authentication and logging can be centralized on the NPS server and network policies are maintained only on the NPS server.
2.
How does the processing order affect your network policies? Only the first network policy with matching conditions is evaluated. Therefore, you must be sure that the appropriate policy is evaluated first, based on the conditions you have in place. Typically, the largest concern is group memberships that overlap. For example, if an executive is a member of both the Executives group and the Customer Service group, then you must ensure that the Executives network policy that allows access is evaluated before the Customer Service network policy that denies access.
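The first-match rule is easiest to see by running it. The script below is an added example (not part of the course lab) that models NPS network policy evaluation as the answer key describes it: policies are walked in order and the first one whose conditions match decides the outcome. The Executives and Customer Service group names come from the answer key; the policy names and user records are constructed for the example. It also includes a small check for policies that can never win for a given set of users, which is how an overlapping-membership mistake shows up.

```python
"""Simulate NPS network policy processing order.

Added example, not from the course lab. NPS evaluates network policies in
order and applies the first one whose conditions all match; later policies
are never consulted. Group names are from the answer key; policy names and
user records are constructed.
"""

from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    groups: frozenset   # condition: user must belong to at least one of these groups
    grant: bool         # access permission: True = grant access, False = deny access


@dataclass
class User:
    name: str
    groups: frozenset = field(default_factory=frozenset)


def evaluate(policies, user):
    """Return (policy name, granted) for the first policy whose conditions match,
    or (None, False) when nothing matches (NPS rejects the request by default)."""
    for policy in policies:
        if policy.groups & user.groups:
            return policy.name, policy.grant
    return None, False


# Constructed policies. List order is the NPS processing order.
ALLOW_EXECS = Policy("Executives VPN access", frozenset({"Executives"}), grant=True)
DENY_CS = Policy("Customer Service deny VPN", frozenset({"Customer Service"}), grant=False)

GOOD_ORDER = [ALLOW_EXECS, DENY_CS]   # the specific allow is evaluated first
BAD_ORDER = [DENY_CS, ALLOW_EXECS]    # the broad deny shadows the allow

# Constructed users: an executive who is also in Customer Service, and a plain agent.
EXEC_IN_CS = User("jdoe", frozenset({"Executives", "Customer Service"}))
CS_ONLY = User("asmith", frozenset({"Customer Service"}))


def shadowed_policies(policies, users):
    """Names of policies that never decide the outcome for any of `users`.
    A policy that is intended to apply to some of them but appears here has been
    shadowed by an earlier policy with overlapping conditions."""
    winners = {evaluate(policies, u)[0] for u in users}
    return [p.name for p in policies if p.name not in winners]


if __name__ == "__main__":
    print(evaluate(GOOD_ORDER, EXEC_IN_CS))   # executive granted access
    print(evaluate(BAD_ORDER, EXEC_IN_CS))    # executive wrongly denied
    print(shadowed_policies(BAD_ORDER, [EXEC_IN_CS, CS_ONLY]))
```

With the deny policy first, the executive is denied and the allow policy is reported as shadowed; with the allow first, both users get the intended result. Testing policy order against the real set of overlapping accounts, rather than one representative user, is what catches these cases before rollout.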
2.
Which encryption standard is preferred for your implementation? The WPA2 encryption standard provides the best encryption strength available for wireless LANs. It should be used as far as possible. WPA provides most of the same features and is acceptable for laptops that do not support WPA2. WEP is not acceptable and should not be enabled on the WAPs.
3.
How will computers be authenticated? To provide the highest level of security, 802.1X authentication should be used for wireless computers. This allows computers to be authenticated based on their Active Directory computer accounts. To support this implementation, you must configure a RADIUS server. Windows Server 2008 with NPS installed can perform this role. Network policies must be created to support the authentication. Another common mechanism for authenticating computers is by restricting connections based on MAC address. However, it is relatively easy to spoof MAC addresses on wireless connections. Consequently, this provides minimal security.
WAPs typically require minimal power. In most cases, you can use Power over Ethernet to provide the necessary power. This means that the same Ethernet cable used for data connectivity to the network backbone can also provide power to the WAP.
2.
How will you ensure that users can roam throughout the building? Multiple access points must be configured with some overlap between their signals to provide roaming access throughout the building. To minimize interference between WAPs, adjoining WAPs should use separate channels that do not overlap. You may need to tune the signal strength of your WAPs to provide the necessary level of overlap.
3.
How will you ensure that signal strength is acceptable in all areas of the building? As part of planning and implementing a wireless design, you should perform a site survey. During implementation, you should have a mobile device that measures signal strength to test the location of WAPs.
10. Ensure that Root CA is selected and click Next.
11. Ensure that Create a new private key is selected and click Next.
12. Click Next to accept the default cryptography settings.
13. Click Next to accept the default CA Name of WoodgroveBank-NYC-RAS-CA.
14. Click Next to accept the default validity period of 5 years.
15. Click Next to accept the default database and log locations.
16. Click Next on the Web Server (IIS) page.
17. Click Next on the Select Role Services page.
18. Click Install on the Confirm Installation Selections page.
19. After installation is complete, click Close and close Server Manager.
In the Specify Online Certification Authority box, type WoodgroveBank-NYC-RAS-CA\NYCRAS.WoodgroveBank.com.
In the Friendly name box, type WebSSL and click Finish.
Close Internet Information Services (IIS) Manager.
7. 8.
Click Next.
10. Click No, use Routing and Remote Access to authenticate connection requests and click Next.
11. Click Finish.
12. Click OK to clear the warning message about DHCP and then close Routing and Remote Access.
10. Click Next to accept the default authentication types.
11. Click Next to accept the default constraints.
12. Click Next to accept the default settings.
13. Click Finish and close Network Policy Server.
10. Click Finish.
11. Click OK to close the Certificate Import Wizard dialog box.
12. Click OK to close the Certificate window.
13. Close Internet Explorer.
14. Click Start, in the Start Search box, type mmc, and press ENTER.
15. Click File and click Add/Remove Snap-in.
16. Double-click Certificates, ensure My user account is selected, and click Finish.
17. Double-click Certificates, click Computer account, and click Next.
18. Click Local computer: (the computer this console is running on) and click Finish.
19. Click OK.
20. In the left pane, expand Certificates - Current User, expand Intermediate Certification Authorities, and click Certificates.
21. Right-click WoodgroveBank-NYC-RAS-CA and click Copy.
22. In the left pane, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
23. Right-click Certificates and click Paste.
24. Close the MMC window.
25. Click No when prompted to save settings.
10. Click Start and click Connect To.
11. Right-click NYC VPN and click Properties.
12. Click the Networking tab.
13. In the Type of VPN box, select Secure Socket Tunneling Protocol (SSTP) and then click OK.
14. Click Connect.
15. Log on as WoodgroveBank\Administrator with a password of Pa$$w0rd.
16. Click Close to close the Connect to a network window.
17. Click Start and click Connect To.
18. Verify that the status of the connection is connected.
19. Close all open windows.
Note: If you experience an error during your connection attempt, review the configuration of your SSTP listener by using the instructions from Setting up the SSTP listener and verifying it in the Routing and Remote Access Blog at http://blogs.technet.com/rrasblog/archive/2007/03/07/configuration-of-sstp-listener-andverification.aspx. In particular, you must manually remove and replace the certificate used by SSTP if you want to change it.
Module 9
Lab Answer Key: Designing Network Access Protection
Contents
Exercise 1: Analyzing Enforcement Methods
Exercise 2: Designing DHCP Enforcement
Exercise 3: Designing IPsec Enforcement
Exercise 4: Implementing DHCP Enforcement
2.
Are the necessary components in place for DHCP enforcement? Yes. All necessary components are in place.
3.
What are the benefits of using DHCP enforcement? It is simple to implement because little configuration is required.
4.
What are the drawbacks of using DHCP enforcement? DHCP enforcement is relatively easy to circumvent and does not apply to computers with static IP addresses.
5.
Is DHCP enforcement suitable for Woodgrove Bank? Yes, because malicious users have not been listed as a concern. If there are no concerns about malicious users, then DHCP enforcement is a simple way to implement NAP. DHCP enforcement is well suited to desktop computers and wireless computers within a LAN.
2.
Are the necessary components in place for VPN enforcement? Yes. All necessary components are in place.
3.
4.
What are the drawbacks of using VPN enforcement? VPN enforcement is not well suited for protecting LANs from internal users.
5.
Is VPN enforcement suitable for Woodgrove Bank? Yes. It is well suited for protecting the network from remote users with laptops or home computers.
2.
Are the necessary components in place for 802.1X enforcement? No. Not all network devices support 802.1X.
3.
What are the benefits of using 802.1X enforcement? Using 802.1X enforcement is difficult to circumvent because it is enforced by the switch or WAP. If 802.1X authentication is already in place then 802.1X enforcement is relatively easy to implement.
4.
What are the drawbacks of using 802.1X enforcement? All network devices must support 802.1X authentication to be effective. This can be expensive if new devices are required. Also, implementing 802.1X authentication can be time consuming if it is not already in place.
5.
Is 802.1X enforcement suitable for Woodgrove Bank? No. Not all network devices support 802.1X authentication and replacing those devices may be expensive.
2.
Are the necessary components in place for IPSec enforcement? At this time, neither a CA nor an HRA has been implemented.
3.
What are the benefits of using IPSec enforcement? IPSec enforcement provides a very high level of security because it is enforced on each host. No specialized hardware is required for implementation.
4.
What are the drawbacks of using IPSec enforcement? IPSec enforcement requires additional servers when compared with DHCP or VPN enforcement. Also, if Windows XP clients are present on the network, you must use IPSec policies that are compatible with Windows XP clients rather than the security connection rules for Windows Vista clients.
5.
Yes. All clients are using Windows Vista. However, a CA and HRA must be implemented.
How will you ensure that only the client computers are configured and not servers? If client computers are in separate organizational units, you can link the group policy object only to those organizational units with client computers. Alternatively, if client computers and servers exist in the same organizational unit, you can use security filtering to ensure that only client computers can apply the policy. Create a group for the client computers and ensure that only that group has the necessary permissions to apply the group policy object.
2.
How can these options be expanded? You use additional SHAs and SHVs to expand the monitoring capabilities of NAP. An SHA and SHV are added as a pair, with the SHA on the client side and the SHV on the server side.
How will the client communicate with the DHCP servers? Routers will be configured as DHCP relays to forward DHCP requests from remote subnets to the DHCP server.
3.
Is additional configuration necessary on the DHCP server? Yes. NAP must be enabled for each scope where NAP is to be enforced. You can also configure different server options for restricted and non-restricted computers. For example, a different DNS server could be assigned to restricted computers. The Default User Class is used for non-restricted clients. The Default Network Access Protection Class is used for restricted clients.
Which servers should be configured as remediation servers? All servers necessary to bring a computer into compliance should be configured as remediation servers. This can include domain controllers, DNS servers, and WSUS servers.
What computers are on the boundary network? The boundary network contains remediation servers and enforcement points. The HRA is the enforcement point for IPSec enforcement. These computers have health certificates.
3.
What computers are on the secure network? All compliant NAP clients and most servers are on the secure network. The NAP components on the secure network are the CA and NPS server. These computers have health certificates.
4.
What communication is allowed between the IPSec networks? Computers on the restricted network are able to initiate communication with other computers in the restricted network and computers in the boundary network. Computers in the boundary network are able to initiate communication with computers in any network. Computers in the secure network are able to initiate communication with computers on any network.
2.
What configuration is used for IPSec configured in the restricted network? IPSec is not configured on the restricted network. Client computers are configured to use the IPSec configuration for the secure network. If authentication fails because a health certificate is not configured, then clients are placed on the restricted network.
3.
What configuration is used for IPSec configured in the boundary network? Computers in the boundary network must communicate with all computers. Therefore, the computers in the boundary network should be configured with an Isolation rule that requests authentication for inbound and outbound connections.
4.
What configuration is used for IPSec configured in the secure network? Computers in the secure network should not communicate with noncompliant computers. Therefore, the computers in the secure network should be configured with an Isolation rule that requires authentication for inbound connections and requests authentication for outbound connections.
5.
How are remediation servers configured? Remediation servers are configured by placing them in the boundary network. Remediation server groups created in the NPS administrative tools are only relevant for VPN and DHCP enforcement.
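The three network definitions and the isolation rules above combine into the access matrix in the answer to question 4. The script below is an added example (not part of the course lab) that encodes the per-network rules and derives that matrix, so a change to any rule can be checked against the intended outcome. The mechanics are simplified: a connection authenticates only when both ends hold a health certificate, a "require inbound" responder drops anything unauthenticated, and "request" on either side falls back to clear text. Restricted computers are modelled with a "request" inbound rule, an assumption of this model: they hold no health certificate, and the answer key states they still accept connections from other restricted computers.

```python
"""Model which connections succeed between the three NAP IPsec networks.

Added example, not from the course lab. Network names and isolation rules are
those given in the answer key; the authentication mechanics are simplified, and
the "request" inbound rule for restricted computers is an assumption made so
the model reproduces the access matrix the answer key states.
"""

NETWORKS = {
    #              health cert,  inbound rule,      outbound rule
    "restricted": dict(cert=False, inbound="request", outbound="request"),
    "boundary":   dict(cert=True,  inbound="request", outbound="request"),
    "secure":     dict(cert=True,  inbound="require", outbound="request"),
}


def can_initiate(src, dst, networks=NETWORKS):
    """True if a computer in network `src` can open a connection to one in `dst`."""
    a, b = networks[src], networks[dst]
    authenticated = a["cert"] and b["cert"]   # both ends need a health certificate
    if b["inbound"] == "require" and not authenticated:
        return False   # responder drops unauthenticated inbound traffic
    if a["outbound"] == "require" and not authenticated:
        return False   # initiator refuses to send in the clear
    return True        # "request" on either side falls back to clear text


def access_matrix(networks=NETWORKS):
    """Return {src: {dst: bool}} for every ordered pair of networks."""
    return {s: {d: can_initiate(s, d, networks) for d in networks} for s in networks}


def remediation_reachable(networks=NETWORKS):
    """Restricted clients must reach the boundary network (HRA and remediation
    servers live there) or they can never obtain a health certificate."""
    return can_initiate("restricted", "boundary", networks)


if __name__ == "__main__":
    for src, row in access_matrix().items():
        cells = " ".join(f"{d}:{'Y' if ok else 'N'}" for d, ok in row.items())
        print(f"{src:10} {cells}")
    # Misconfiguration to avoid: a boundary network that requires inbound
    # authentication strands restricted clients with no path to remediation.
    strict = dict(NETWORKS, boundary=dict(cert=True, inbound="require", outbound="request"))
    print("remediation reachable with strict boundary:", remediation_reachable(strict))
```

The matrix the script prints matches the answer key: restricted computers reach restricted and boundary only, while boundary and secure computers reach everything. The `strict` variant shows why the boundary network must request rather than require authentication for inbound connections.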
2.
How long will you configure health certificates to be valid for? There is no specific time frame for certificate lifetime that must be implemented. However, 24 hours is reasonable. This ensures that health status must be verified every 24 hours. A longer certificate lifetime could result in unhealthy computers on the network with NAP unable to identify them.
10. Ensure that WINS is not required for applications on this network is selected and click Next.
11. Click Add to create a DHCP scope.
12. Enter the following:
    Scope Name: New York Scope
    Starting IP Address: 10.10.1.0
    Ending IP Address: 10.10.9.254
    Subnet Mask: 255.255.0.0
    Default Gateway (optional): 10.10.0.1
    Subnet Type: Wired (lease duration will be 6 days)
13. Ensure that the Activate this scope checkbox is selected and click OK.
14. Click Next.
15. Click Disable DHCPv6 stateless mode for this server and click Next.
16. Ensure that Use current credentials is selected and then click Next.
17. Click Install.
18. When installation is complete, click Close.
19. Close Server Manager.
2. In the Standard Configuration area, ensure Network Access Protection (NAP) is selected and click Configure NAP.
3. In the drop-down list box, select Dynamic Host Configuration Protocol (DHCP) as the connection method.
4. Accept NAP DHCP as the policy name and click Next.
5. Click Next to skip the configuration of RADIUS clients. This is not necessary because DHCP is running on the NPS server.
6. On the Specify DHCP Scopes page, click Next.
7. On the Configure User Group and Machine Groups page, click Next.
8. On the Specify a NAP Remediation Server Group and URL page, click Next.
9. On the Define NAP Health Policy page, ensure that the following are selected and then click Next:
    Windows Security Health Validator
    Enable auto-remediation of client computers
    Deny full network access to NAP-ineligible client computers. Allow access to a restricted network only.
10. Review the settings and click Finish.
11. Expand Policies and click Connection Request Policies. Notice that a NAP DHCP policy has been created by the wizard.
12. Click Network Policies. Notice that several policies for NAP have been created by the wizard.
13. Click Health Policies. Notice that two policies for NAP have been created by the wizard.
14. Close Network Policy Server.
2. In the left pane, ensure WoodgroveBank.com is expanded, right-click NYC, point to New, and click Organizational Unit.
3. In the Name box, type NYC NAP Clients and click OK.
4. In the left pane, click Computers.
5. Right-click NYC-CL1 and click Move.
6. Expand NYC, click NYC NAP Clients, and click OK.
7. Close Active Directory Users and Computers.
8. Click Start, point to Administrative Tools, and click Group Policy Management.
9. Expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, expand NYC, and then click NYC NAP Clients.
10. Right-click NYC NAP Clients and click Create a GPO in this domain, and Link it here.
11. In the Name box, type DHCP NAP Client and click OK.
12. Right-click DHCP NAP Client and click Edit.
13. In the left pane, browse to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center.
14. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
15. Browse to Computer Configuration\Policies\Windows Settings\Security Settings\System Services and double-click Network Access Protection Agent.
16. Select the Define this policy setting checkbox, click Automatic, and click OK.
17. In the left pane, in Security Settings, expand Network Access Protection, expand NAP Client Configuration, and then click Enforcement Clients.
18. Right-click DHCP Quarantine Enforcement Client and click Enable.
19. In the left pane, right-click NAP Client Configuration and click Apply.
20. Close the Group Policy Management Editor.
21. Close Group Policy Management.
10. Click Close and close all open windows.
11. Wait a few moments and a warning about limited network access will appear.
12. Click Start, in the Start Search box, type cmd, and then press Enter.
13. At the command prompt, type ipconfig /all and press Enter. Notice that an IPv4 address has been configured, but the subnet mask is 255.255.255.255 and the Connection-specific DNS suffix is restricted.woodgrovebank.com.
14. Type ping nyc-web.woodgrovebank.com and press Enter. This is not successful.
15. Close the command prompt.
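The two indicators observed in step 13, a host-only subnet mask and the restricted DNS suffix, are also what a help desk or monitoring script would look for when a user reports "limited network access". The following is an added example (not part of the course lab) that parses ipconfig /all style output and reports adapters showing those indicators. The sample output is constructed to resemble what the lab describes, not captured from a lab machine; the suffix restricted.woodgrovebank.com is the one the lab names.

```python
"""Flag a client that DHCP NAP enforcement has placed on the restricted network.

Added example, not from the course lab. It scans ipconfig /all style output for
the two indicators the lab points out: a 255.255.255.255 subnet mask and a
connection-specific DNS suffix of restricted.woodgrovebank.com. The sample
output below is constructed.
"""

RESTRICTED_MASK = "255.255.255.255"
RESTRICTED_SUFFIX = "restricted.woodgrovebank.com"   # from the lab; adjust per domain

# Constructed sample resembling the relevant lines of ipconfig /all.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : NYC-CL1
   Primary Dns Suffix  . . . . . . . : WoodgroveBank.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : restricted.woodgrovebank.com
   IPv4 Address. . . . . . . . . . . : 10.10.1.15(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Backup Connection:

   Connection-specific DNS Suffix  . : WoodgroveBank.com
   IPv4 Address. . . . . . . . . . . : 10.10.2.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1
"""


def parse_adapters(text):
    """Return {adapter name: {field: value}} from ipconfig /all output.
    Adapter headers are unindented lines ending in ':'; fields are indented
    'Name . . . : value' lines, whose dot leaders are stripped from the key."""
    adapters = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            header = line.rstrip()[:-1]
            current = header.split(" adapter ", 1)[1] if " adapter " in header else None
            if current is not None:
                adapters[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        adapters[current][key.replace(".", "").strip()] = value.strip()
    return adapters


def restricted_adapters(text):
    """Return {adapter: [reasons]} for adapters showing NAP restriction indicators."""
    findings = {}
    for name, fields in parse_adapters(text).items():
        reasons = []
        if fields.get("Subnet Mask") == RESTRICTED_MASK:
            reasons.append("host-only subnet mask")
        suffix = fields.get("Connection-specific DNS Suffix", "").lower()
        if suffix == RESTRICTED_SUFFIX or suffix.endswith("." + RESTRICTED_SUFFIX):
            reasons.append("restricted DNS suffix")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for adapter, reasons in restricted_adapters(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: {', '.join(reasons)}")
```

Either indicator on its own is worth a look, but the host-only mask is the stronger signal: it is what actually prevents the client from reaching anything outside the remediation servers, which is why the ping in step 14 fails.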
Module 10
Lab Answer Key: Designing Operating System Deployment and Maintenance
Contents
Exercise 1: Designing an Operating System Deployment Solution
Exercise 2: Designing WDS Deployment
Exercise 3: Designing WDS Images
Exercise 4: Designing a WSUS Deployment
Exercise 5: Discussing Operating System Deployment and Maintenance
Exercise 6: Implementing Multicast Transmissions for Images
2.
What are the requirements to choose the appropriate deployment solution for the operating system in the Woodgrove Bank design? The requirements for the deployment of the operating system are:
The existing RIS-based computer building process needs to be preserved
The solution must support deployment of Windows Vista and Windows Server 2008 operating systems
The operating system deployment solution needs to ensure privacy for the users and their data and ensure that security is maintained during and after the migration
The solution should provide the best connectivity to all client computers
User data and personalized settings must be preserved
User data must be secured during and after migration
Existing Windows Server 2003 infrastructure needs to be upgraded to that of Windows Server 2008
A more robust and less time-consuming update management solution is required
Computer updates must not impact the network performance
2.
What types of data need to be stored on each WDS server? Each WDS server must store the images that it delivers. This includes boot and install images. When new batches of computers are imaged, there also needs to be a storage location for user profile data. However, user profile data does not need to be stored on the WDS server.
3.
How will the impact on network performance be minimized during the deployment of new computers? What are the requirements for this solution?
The use of multicasting minimizes the amount of data traversing the network during the deployment of new batches of computers. When multicasting is used, an image is transmitted just once over the network to multiple computers. To use multicasting all of the routers must be configured to forward multicast traffic. This may or may not be the case with the default router configuration. Multicast forwarding is required within each physical location.
2.
What process will be used when deploying new workstations? When deploying new workstations the following process can be used:
a. Capture user data from existing workstations and store it on a file server. You can run USMT in a login script to automate this process for many users.
b. Place the new workstations at user desktops.
c. Create a multicast on the WDS server. This multicast can be scheduled or auto-cast. However, a scheduled multicast triggered based on the number of workstations joined would be the most efficient for network traffic.
d. Start the new computers using PXE and select the appropriate image for the multicast.
e. Once the multicast is complete, restart the workstations and log on.
f. Apply the user data captured from the old workstations by using USMT. You can automate this process with login scripts.
3.
How will this process vary for reimaging existing workstations? When a single workstation is being reimaged, it may not be possible to capture user data before imaging is performed. So, a multicast is not required. Unicast communication will be used.
2.
What process will you use for image creation? The following process will be used to create each of the four images:
a. Windows Vista will be installed on a computer.
b. Applications for the workgroup will be installed and configured.
c. Sysprep is used to generalize the image.
d. The image is captured and stored on a WDS server.
3.
How can you automate the imaging process to ensure that user input is not required?
You can use Windows System Image Manager (SIM) in the Windows Automated Installation Kit (WAIK) to create an unattended setup file. This file can be used to automate the configuration process after the generalized operating system is applied to a computer.
4.
What are the requirements for the boot image? The boot image used must match the version of the operating system being deployed. As new service packs are released, you should check if a new boot.wim is released too. You should not use the boot.wim from the original Windows Vista DVD because it does not support multicasting.
5.
Is there a need to convert existing RIS images to WIM images? If the current RIS servers are being updated to Windows Server 2008, then the RIS images should be updated to WIM images. This is necessary to support the reimaging of the existing clients until Windows Vista is deployed to all client computers. If current RIS servers are not being updated then the current RIS servers can be used to support the down-level clients and the new WDS servers can be used to support the deployment of Windows Vista and Windows Server 2008.
4.
Where should WSUS servers be located? A WSUS server should be located in each hub site to minimize network utilization over WAN links, because there are a large number of computers in each hub site. A WSUS server is not required for each branch because the numbers of computers are small, so the overall amount of data involved in updates is typically quite small. When you deploy large updates (such as service packs), you can avoid saturating the network by using BITS and IIS throttling and by using computer groups to control the rollout. In addition, WSUS clients can be configured to synchronize more frequently from the WSUS server, and downstream WSUS servers can be configured to synchronize more frequently from their upstream server.
5.
What client configuration is necessary? Clients must be configured to obtain automatic updates from the closest WSUS server rather than Microsoft Update. This configuration should be applied by using Group Policy. As well, client computers should be configured to apply updates automatically as they become available. The only updates available to these computers will be those approved on the WSUS server. This configuration should also be applied by using Group Policy.
8.
When configuration is complete, clear the Add images to the Windows Deployment Server now checkbox and click Finish.
10. In the left pane, click Boot Images.
11. Right-click Boot Images and click Add Boot Image.
12. In the File location box, type E:\sources\boot.wim and then click Next.
13. In the Image description box, type From Windows Server 2008 DVD and click Next.
14. On the Summary page, click Next.
15. When the task is complete, click Finish.
Module 11
Lab Answer Key: Designing Files Services and DFS in Windows Server 2008
Contents
Exercise 1: Selecting File Services Components
Exercise 2: Designing DFS
Exercise 3: Designing FSRM
Exercise 4: Implement DFS
Exercise 5: Implement FSRM
2.
How will you address the concern over users seeing folders to which they do not have permissions? Access-based enumeration prevents users from seeing folders whose contents they do not have permission to view. This should be implemented for all file shares.
3.
How will you implement high availability for file shares? High availability can be implemented by using failover clustering or DFS. However, failover clustering requires shared storage that is relatively expensive. Currently the SAN is restricted to application servers only. DFS can be implemented by using existing servers on local storage. Additional storage capacity may be required on the servers. DFS is the most cost-effective solution and eliminates shared storage as a potential single point of failure.
4.
How will you monitor storage utilization? Storage utilization can be monitored by using FSRM. FSRM can generate reports showing storage utilization. As well, FSRM can generate notifications when a percentage of the quota is reached.
2.
How will centralized backup be accommodated? The backup server in the New York hub site can be used to hold data for the entire region. Data from all hub sites can be replicated to this server for backup.
Should a domain-based or stand-alone namespace server be used? To have multiple namespace servers a domain-based namespace should be used. A stand-alone namespace is required for scalability when more than 5000 folders exist in a namespace. That is not the case for Woodgrove Bank.
3.
List the folders and targets in the DFS namespace.
\\WoodgroveBank.com\NA
    Targets: None (namespace root)
\\WoodgroveBank.com\NA\Customer
    Targets: None (empty folder for organization)
\\WoodgroveBank.com\NA\Customer\NYC
    Targets: \\NYC-FS1\Customer, \\NYC-BACK\NYCCustomer
\\WoodgroveBank.com\NA\Customer\TOR
    Targets: \\TOR-FS1\Customer, \\TOR-BACK\Customer, \\NYC-BACK\TORCustomer
\\WoodgroveBank.com\NA\Customer\MIA
    Targets: \\MIA-FS1\Customer, \\MIA-BACK\Customer, \\NYC-BACK\MIACustomer
\\WoodgroveBank.com\NA\Customer\SEA
    Targets: \\SEA-FS1\Customer, \\SEA-BACK\Customer, \\NYC-BACK\SEACustomer
\\WoodgroveBank.com\NA\Investments
    Targets: None (empty folder for organization)
\\WoodgroveBank.com\NA\Investments\NYC
    Targets: \\NYC-FS2\Investments, \\NYC-BACK\NYCInvestments
\\WoodgroveBank.com\NA\Investments\TOR
    Targets: \\TOR-FS2\Investments, \\TOR-BACK\Investments, \\NYC-BACK\TORInvestments
\\WoodgroveBank.com\NA\Investments\MIA
    Targets: \\MIA-FS2\Investments, \\MIA-BACK\Investments, \\NYC-BACK\MIAInvestments
\\WoodgroveBank.com\NA\Investments\SEA
    Targets: \\SEA-FS2\Investments, \\SEA-BACK\Investments, \\NYC-BACK\SEAInvestments
\\WoodgroveBank.com\NA\Managers
    Targets: None (empty folder for organization)
\\WoodgroveBank.com\NA\Managers\NYC
    Targets: \\NYC-FS3\Managers, \\NYC-BACK\NYCManagers
\\WoodgroveBank.com\NA\Managers\TOR
    Targets: \\TOR-FS3\Managers, \\TOR-BACK\Managers, \\NYC-BACK\TORManagers
\\WoodgroveBank.com\NA\Managers\MIA
    Targets: \\MIA-FS3\Managers, \\MIA-BACK\Managers, \\NYC-BACK\MIAManagers
\\WoodgroveBank.com\NA\Managers\SEA
    Targets: \\SEA-FS3\Managers, \\SEA-BACK\Managers, \\NYC-BACK\SEAManagers
\\WoodgroveBank.com\NA\Executives
    Targets: \\NYC-FS4\Executives, \\TOR-FS3\Executives, \\MIA-FS3\Executives, \\SEA-FS3\Executives
4.
Which options should be used for each folder in the namespace? Each folder should be configured to use lowest cost referral ordering. This directs users in each site to use a local copy of the data before accessing data over WAN links. To minimize replication conflicts, the original file shares should be configured with the First among targets of equal cost target priority. When this is configured, users in a site will all use a single target unless it is unavailable. If the original file share is unavailable, then the file share on the backup server in the site will be used. If the backup server in the local site cannot be contacted, then the backup server in New York will be used. The targets pointing to the backup server in New York should be configured with the target priority of Last among all targets. This ensures that when a user accesses data in another location, the user does not access the backup server in New York as well, unless it is the only target available. Failback should be enabled for all folders to ensure that users begin using the primary data copy again when it is available. Access-based enumeration should be used to simplify the view of the DFS namespace for users. To enable access-based enumeration, DFS must be in Windows Server 2008 mode.
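The namespace table and the referral settings described in the answer above can be applied from a script instead of the DFS Management console. The following PowerShell is an added example, not from the lab or from Microsoft's course materials. It assumes the DFSN module (Windows Server 2012 or later, or RSAT), which postdates the Server 2008 build used in this lab, the namespace server NYC-DC1 from the implementation steps, and a root target share \\NYC-DC1\NA, which is an assumption. Only the Customer branch is built; the Investments and Managers branches follow the same pattern.

```powershell
# Added example (not from the 6435A lab): build part of the \\WoodgroveBank.com\NA namespace
# and apply the referral ordering from the design answer, using the DFSN module.
Import-Module DFSN

$Root = '\\WoodgroveBank.com\NA'

# Folder -> targets. First entry is the original file share, second the in-site backup
# server, third the backup server in New York (the design's "last among all targets").
$Folders = [ordered]@{
    'Customer'     = @()    # empty folder for organization; DFS creates it implicitly
    'Customer\NYC' = @('\\NYC-FS1\Customer', '\\NYC-BACK\NYCCustomer')
    'Customer\TOR' = @('\\TOR-FS1\Customer', '\\TOR-BACK\Customer', '\\NYC-BACK\TORCustomer')
    'Customer\MIA' = @('\\MIA-FS1\Customer', '\\MIA-BACK\Customer', '\\NYC-BACK\MIACustomer')
    'Customer\SEA' = @('\\SEA-FS1\Customer', '\\SEA-BACK\Customer', '\\NYC-BACK\SEACustomer')
}

# Domain-based namespace in Windows Server 2008 mode (DomainV2), which is what allows
# access-based enumeration on the namespace. The root target share is an assumption.
if (-not (Get-DfsnRoot -Path $Root -ErrorAction SilentlyContinue)) {
    New-DfsnRoot -Path $Root -TargetPath '\\NYC-DC1\NA' -Type DomainV2 `
        -EnableAccessBasedEnumeration $true | Out-Null
}

function Get-PriorityClass {
    param([string]$Target)
    # NYC backup server: used only when no other target can be reached.
    if ($Target -like '\\NYC-BACK\*') { return 'GlobalLow' }       # "Last among all targets"
    # Original file share: every user in the site prefers this one copy.
    if ($Target -like '*-FS?\*')      { return 'SiteCostHigh' }    # "First among targets of equal cost"
    # In-site backup server: normal ordering, reached only if the original is down.
    return 'SiteCostNormal'
}

foreach ($name in $Folders.Keys) {
    $targets = $Folders[$name]
    if ($targets.Count -eq 0) { continue }   # organizational folder, created with its first child
    $path  = "$Root\$name"
    $first = $true
    foreach ($t in $targets) {
        $class = Get-PriorityClass $t
        if ($first) {
            # Lowest-cost referral ordering is the default; failback returns clients to
            # the original copy once it is available again.
            New-DfsnFolder -Path $path -TargetPath $t -ReferralPriorityClass $class `
                -EnableTargetFailback $true | Out-Null
            $first = $false
        } else {
            New-DfsnFolderTarget -Path $path -TargetPath $t -ReferralPriorityClass $class | Out-Null
        }
    }
}

# Verify: every target of the Customer branch with the priority class it received
Get-DfsnFolder -Path "$Root\Customer\*" | ForEach-Object {
    Get-DfsnFolderTarget -Path $_.Path | Select-Object Path, TargetPath, ReferralPriorityClass
}
```

Site awareness in this design depends on Active Directory sites and subnets being correct: referral ordering by lowest cost can only prefer a local target if the client's IP address maps to the right site, so the verification listing is worth comparing against Get-ADReplicationSubnet output when a site reports users reaching a WAN target.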
2.
What should occur when the quota is reached? A notification should be generated and emailed to an administrator, who can analyze what is causing the growth in data storage, and can then take any necessary actions.
3.
How can FSRM be used to prevent multimedia files from being stored on the server? File screening can be used to prevent storage based on file extensions. A file group can be created for multimedia files and then applied to the Investments file share. This will not stop users who are sophisticated enough to rename files with alternate file extensions, but is sufficient to deter most users.
4.
How can you allow multimedia files to be stored in a single folder in the Investments file share? When file screening is configured for a folder, it also applies to subfolders. However, if file screening is configured directly on a subfolder, those limitations override the file screening configured at the higher level.
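The three preceding answers (quota notification, file screen, subfolder exception) can be configured together from PowerShell. This is an added example, not from the lab, using the FileServerResourceManager module (Windows Server 2012 or later). The paths C:\Investments and C:\Investments\media and the administrator mailbox come from the implementation steps in this lab; the 10 GB quota size is an assumption.

```powershell
# Added example (not from the 6435A lab): FSRM quota with e-mail notification, a file screen
# for multimedia files, and an exception for one subfolder.
Import-Module FileServerResourceManager

$SharePath = 'C:\Investments'
$MediaPath = 'C:\Investments\media'
$AdminMail = 'Administrator@WoodgroveBank.com'
$QuotaSize = 10GB   # assumed size; the lab text does not state one

# FSRM objects must point at folders that exist
foreach ($p in @($SharePath, $MediaPath)) {
    if (-not (Test-Path $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
}

# Notify the administrator at 85 % (time to investigate the growth) and again at 100 %.
# The bracketed names are FSRM notification variables expanded when the e-mail is sent.
$mail = New-FsrmAction -Type Email -MailTo $AdminMail `
    -Subject 'Quota threshold [Quota Threshold]% reached on [Server]' `
    -Body 'The quota on [Quota Path] has reached [Quota Threshold]% of its limit.'
$thresholds = @(
    (New-FsrmQuotaThreshold -Percentage 85  -Action $mail),
    (New-FsrmQuotaThreshold -Percentage 100 -Action $mail)
)
if (-not (Get-FsrmQuota -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmQuota -Path $SharePath -Size $QuotaSize -Threshold $thresholds | Out-Null
}

# Active screen using the built-in "Audio and Video Files" group. It blocks files by
# extension only; a renamed file passes, so it deters rather than enforces.
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup 'Audio and Video Files' -Active | Out-Null
}

# The screen applies to all subfolders; an exception on the media folder overrides it there.
if (-not (Get-FsrmFileScreenException -Path $MediaPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenException -Path $MediaPath -IncludeGroup 'Audio and Video Files' | Out-Null
}

# Show the effective configuration
Get-FsrmQuota -Path $SharePath | Select-Object Path, Size, Usage
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, IncludeGroup, Active
Get-FsrmFileScreenException -Path $MediaPath | Select-Object Path, IncludeGroup
```

The e-mail action only works once FSRM's SMTP server and default administrator recipients have been set (Set-FsrmSetting -SmtpServer ...); without that the threshold fires but the notification is logged as failed.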
10. On NYC-WEB, click Start and click Server Manager.
11. In the left pane, expand Server Manager, click Roles, and then click Add Roles.
12. Click Next to start the Add Roles Wizard.
13. Select the File Services checkbox and click Next.
14. Read the Introduction to File Services and click Next.
15. Select the Distributed File System checkbox and click Next.
16. Click Create a namespace later using the DFS Management snap-in in Server Manager and click Next.
17. Click Install.
18. When installation is complete, click Close and close Server Manager.
4. Type Backup and press Enter.
5. Browse to C:\Backup.
6. In the right pane, right-click an open area, point to New, and click Folder.
7. Type NYCInvestments and press Enter.
8. Right-click NYCInvestments and click Share.
9. Type NYC_InvestmentsGG and click Add.
10. Change the permission level for NYC_InvestmentsGG to Contributor and click Share.
11. Read the UNC path for the share and click Done.
12. Close the Backup window.
13. On NYC-WEB, click Start and click Computer.
14. Browse to C:\.
15. In the right pane, right-click an open area, point to New, and click Folder.
16. Type Investments and press Enter.
17. Right-click Investments and click Share.
18. Type NYC_InvestmentsGG and click Add.
19. Change the permission level for NYC_InvestmentsGG to Contributor and click Share.
20. Read the UNC path for the share and click Done.
21. Close the Local Disk (C:) window.
7. 8. 9.
10. In the Actions pane, click Add Namespace Server.
11. In the Namespace server box, type NYC-DC1 and click OK.
12. In the center pane, click the Namespace Servers tab.
3. In the left pane, expand \\WoodgroveBank.com\NA and click Investments.
4. In the Actions pane, click New Folder.
5. In the Name box, type NYCInvestments.
6. Click the Add button, type \\NYC-WEB\Investments, and click OK.
7. Click the Add button, type \\NYC-DC1\NYCInvestments, and click OK.
8. Click OK to close the New Folder window.
9. Click Yes to create a replication group.
10. Click Next to accept the default replication group name and replicated folder name.
11. Review the replication eligibility information and click Next.
12. In the Primary member box, select NYC-WEB and click Next.
13. On the Topology Selection page, ensure that Full mesh is selected, and click Next.
14. Ensure that Replicate continuously using the specified bandwidth is selected.
15. In the Bandwidth box, select 8 Mbps and then click Next.
16. Review the settings and then click Create.
17. When all tasks are completed, click Close.
18. Click OK to close the message about replication delay.
19. In the left pane, under Namespaces, expand Investments and click NYCInvestments.
20. In the center pane, right-click NYC-DC1\NYCInvestments and click Properties.
21. Click the Advanced tab, select the Override referral ordering checkbox, click Last among all targets, and click OK.
22. Right-click NYCInvestments and click Properties.
23. Click the Referrals tab, select the Clients fail back to preferred targets checkbox, and click OK.
24. Close DFS Management.
10. On NYC-DC1, click Start and click Computer.
11. Browse to C:\Backup\NYCInvestments and verify that InvestmentFile exists.
10. On the E-mail Message tab, select the Send e-mail to the following administrators checkbox.
11. Enter Administrator@WoodgroveBank.com as the e-mail address and then click OK.
12. Click Yes to continue.
13. Click OK to close the Quota Properties of C:\Investments window.
14. Click Create, click Save the custom quota without creating a template, and click OK.
7. Close the command prompt.
8. In the Actions pane, click Create File Screen Exception.
9. In the Exception path box, type C:\Investments\media.
10. In the File groups area, select the Audio and Video Files checkbox, and click OK.
11. Close File Server Resource Manager.
10. Click Cancel to clear the error.
11. Close Windows Explorer.
Module 12
Lab Answer Key: Designing High Availability in Windows Server 2008
Contents
Exercise 1: Designing High Availability for a Stateless Application
Exercise 2: Designing High Availability for a Stateful Application
Exercise 3: Designing a Geographically Dispersed Cluster
Exercise 4: Implementing NLB
2.
How will the need for availability during maintenance be accommodated? When a node is removed from an NLB cluster, the remaining nodes continue servicing requests. This makes it easy to perform maintenance, like installing patches, on a single node while the overall NLB cluster continues to service requests.
3.
How will the need for scalability be accommodated? You can scale an NLB cluster by adding additional nodes. A new node automatically begins servicing requests. You can use the weight assigned to a node to control the proportion of requests serviced by a node. This allows you to accommodate nodes with different capacities.
4.
What other components need to be considered as part of the high availability solution? High availability for all components in the system needs to be considered. This includes the data center infrastructure, network infrastructure, and Internet connectivity.
5.
What should you consider when determining if the application must be hosted locally or outsourced? The most important concerns for determining where a Web site should be located are cost and functionality. If your organization is providing a limited number of applications, it may not be cost-effective to provide the necessary infrastructure for high availability locally. Hosting a Web-based application at a third party with the necessary infrastructure already in place may be more cost-effective because the infrastructure cost is shared by multiple clients. However, you must ensure that the hosting provider can accommodate all of your needs. For example, can updates from the development server at Woodgrove Bank be pushed to Web servers hosted at a third party?
2.
How will affinity be configured? Affinity can be configured as None because this is a stateless application. Each server will provide exactly the same information. This is done when the filtering mode is configured as multiple hosts.
3.
How will host priority be configured? Host priority is only relevant if the filtering mode is configured as a single host. This is not relevant in this scenario.
4.
How will networking be configured? Networking should be configured as unicast. This provides better options for segmenting network traffic.
5.
How will data be synchronized between servers in the NLB cluster? In the current configuration, data is pushed from the development server to the production server once per day. This process can be modified to push data from the development server to all nodes in the cluster once per day.
How will affinity be configured? Affinity should be configured as Network. This allows all requests from a class C address range to be serviced by a single server. Network affinity accommodates Internet service providers that may use clustered proxy servers.
3.
How will data be synchronized between servers in the NLB cluster? The backend data for online banking does not need to be synchronized because it is stored centrally in the SQL Server database. However, the application configuration on the Web front end servers does need to be synchronized. The application files cannot be updated while users are connected to the server. To update the application files on a node, the node should be drained. This prevents new connections but allows existing connections to complete. When all users have disconnected from the server, the application files can be updated. This process should be repeated for all nodes when the application files are updated.
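The affinity choices and the drain procedure from the answers above map directly onto the NLB PowerShell cmdlets. The following is an added example, not from the lab or from Microsoft's course materials, using the NetworkLoadBalancingClusters module (Windows Server 2008 R2 or later). The cluster name webapp.woodgrovebank.com, its address 10.10.0.200, the hosts NYC-WEB and NYC-RAS and the interface name Local Area Connection 2 come from the implementation steps later in this module; the online banking cluster values, the use of the same interface name on NYC-WEB, and the update source path are assumptions.

```powershell
# Added example (not from the 6435A lab): build a two-node unicast NLB cluster with the
# port-rule affinity chosen for the application, then update a node after draining it.
Import-Module NetworkLoadBalancingClusters

function New-WebNlbCluster {
    param(
        [string]$FirstNode, [string]$SecondNode, [string]$Interface,
        [string]$ClusterName, [string]$ClusterIP, [string]$SubnetMask,
        [int]$Port,
        [ValidateSet('None', 'Single', 'Network')][string]$Affinity
    )
    # Unicast operation mode, as the design calls for
    New-NlbCluster -HostName $FirstNode -InterfaceName $Interface -ClusterName $ClusterName `
        -ClusterPrimaryIP $ClusterIP -SubnetMask $SubnetMask -OperationMode Unicast | Out-Null

    # Replace the default all-ports rule with a multiple-host rule for the application port.
    # Host priority only matters for single-host rules, so it stays at its default.
    Get-NlbClusterPortRule -HostName $FirstNode | Remove-NlbClusterPortRule -Force
    Add-NlbClusterPortRule -HostName $FirstNode -StartPort $Port -EndPort $Port -Protocol TCP `
        -Mode Multiple -Affinity $Affinity | Out-Null

    # The second node joins on the same interface name and inherits the port rules
    Add-NlbClusterNode -HostName $FirstNode -NewNodeName $SecondNode -NewNodeInterface $Interface | Out-Null
}

function Update-NodeApplicationFiles {
    param([string]$Node, [string]$SourcePath, [string]$DestinationPath)
    # Drain: no new connections are accepted, existing ones may finish (wait up to 15 minutes)
    Stop-NlbClusterNode -HostName $Node -Drain -Timeout 15 | Out-Null
    Copy-Item -Path $SourcePath -Destination $DestinationPath -Recurse -Force
    # Return the node to service once its files are consistent with the other nodes
    Start-NlbClusterNode -HostName $Node | Out-Null
}

# Stateless Web application from the lab: no affinity, every node serves identical content
New-WebNlbCluster -FirstNode 'NYC-WEB' -SecondNode 'NYC-RAS' -Interface 'Local Area Connection 2' `
    -ClusterName 'webapp.woodgrovebank.com' -ClusterIP '10.10.0.200' -SubnetMask '255.255.0.0' `
    -Port 80 -Affinity None

# Online banking (names and address assumed): Network affinity keeps every client from one
# class C range, such as an ISP's proxy farm, on the same node.
# New-WebNlbCluster -FirstNode 'BANK-WEB1' -SecondNode 'BANK-WEB2' -Interface 'Local Area Connection 2' `
#     -ClusterName 'banking.woodgrovebank.com' -ClusterIP '10.10.0.210' -SubnetMask '255.255.0.0' `
#     -Port 443 -Affinity Network

# Rolling update of the application files, one drained node at a time (source path assumed)
foreach ($node in 'NYC-WEB', 'NYC-RAS') {
    Update-NodeApplicationFiles -Node $node -SourcePath '\\DEV-SERVER\Release\*' `
        -DestinationPath "\\$node\C$\Inetpub\wwwroot"
}
```

Draining one node at a time keeps the cluster serving throughout the update; the timeout bounds how long a lingering session can delay the rollout before the node is stopped anyway.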
Task 2: Determine how to provide high availability for the SQL server back end
1. How can the SQL server be made highly available by using Windows Server 2008? There can be only a single instance of SQL Server. Based on this, failover clustering should be used to provide high availability. When a node in the failover cluster fails, the virtual server hosting SQL Server will be started on a remaining node. The Web application should be configured to automatically reconnect to the SQL server after failover occurs.
2. How can the SQL server be scaled as capacity increases? Failover clustering does not support scaling by adding additional nodes. Scaling must be achieved by increasing hardware capacity, which can mean adding processors or memory. This should be taken into account when purchasing hardware for failover cluster nodes. In particular, 64-bit hardware and operating systems support more memory than 32-bit. In addition, multicore processors and multiple processors increase processing power.
3.
How will maintenance be accommodated? You can maintain a passive node in a failover cluster without affecting other nodes. If you need to maintain the active node, you can manually fail over virtual servers to another node, and then perform maintenance. After maintenance is complete, the virtual servers can be failed back to the original node.
2.
What additional network links are required to provide availability after the New York location fails? Additional network links must be created from the North American hub sites to Chicago. This is required to provide database access when the New York site fails. It will also be used to establish a quorum.
3.
What quorum configuration should be used for the failover cluster? Only two nodes are required in the failover cluster to host the application. To ensure that a quorum can be negotiated, the node majority with file share quorum should be selected. The file share should be hosted in Toronto, Miami, or Seattle. In this way, when the New York location fails, the cluster node in Chicago will still be able to communicate with the file share. This provides the votes necessary for a quorum and allows the node in Chicago to start running the investments database.
8. Click Close and then close all open windows.
9. On NYC-RAS, click Start and click Server Manager.
10. In the Computer Information area, click View Network Connections.
11. Right-click Local Area Connection 2 and click Properties.
12. Click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
13. Ensure "Use the following IP address" is selected.
14. In the IP address box, type 10.10.0.202.
15. In the Subnet mask box, type 255.255.0.0 and click OK.
16. Click Close and then close all open windows.
10. Type copy \\NYC-DC1\d$\Mod12\Labfiles\RAS.txt C:\Inetpub\wwwroot\default.htm and press Enter.
11. Close the command prompt.
12. On NYC-WEB, click Start and click Command Prompt.
13. Type copy \\NYC-DC1\d$\Mod12\Labfiles\WEB.txt C:\Inetpub\wwwroot\default.htm and press Enter.
14. Close the command prompt.
Note: Access to webapp.woodgrovebank.com will fail because the NLB cluster is not configured yet.
10. When installation is complete, click Close and close Server Manager.
4. When webapp.woodgrovebank.com appears in the Clusters box, click Finish.
5. Right-click webapp.woodgrovebank.com (10.10.0.200) and click Add Host to Cluster.
6. In the Host box, type NYC-RAS and click Connect.
7. Click Local Area Connection 2 and then click Next.
8. Click Next and then click Finish.
Task 10: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6435A Lab Launcher.
Module 13
Lab Answer Key: Designing Print Services in Windows Server 2008
Contents
Exercise 1: Selecting a Print Services Design
Exercise 2: Designing User Access to Printers
Exercise 3: Designing High Availability for Printing
Exercise 4: Implementing IPP
Exercise 5: Deploying Printers by Using Group Policy
How will you address the requirement for users that require privacy? For the few users requiring absolute privacy, you can configure a local printer. This should be minimized to reduce administrative complexity.
3.
How will you address concerns about printing for Terminal Services applications in the branches? The size of print jobs is a concern because the print jobs can be slow to travel across the WAN link. This may be addressed by WAN acceleration hardware. It is also possible that print jobs travelling over WAN links could cause other traffic, such as Terminal Services applications, to slow down. Implementing Quality of Service (QoS) on the WAN links can help to alleviate this concern.
4.
How will printer management be performed? The Print Management console in Windows Server 2008 can be used to manage all the print servers in the entire organization. Filters can be used to easily find printers with a status indicating that there is a problem.
2.
How will printers be installed for roaming users with laptops? To allow roaming users to install printers, you can implement printer location tracking or graphical maps. Printer location tracking will allow users to select from a list of printers in their current Active Directory site when installing a new printer. This is good, but using a map can be better. When a map is used for printer installation, a graphic of a floor plan is used in a Web page to create clickable hot spots that install a printer. This allows users to see exactly where the printer that they are installing is physically located. In most cases, IPP printing is used in combination with the maps. However, you can have the hotspots run a VB script that installs a printer instead of linking up to an IPP printer.
Which availability method can prevent downtime due to a server failure? Failover clustering can be used to prevent downtime due to server failure. If one node in the cluster fails, then the virtual server hosting print services starts on another node. Print queues should be located on a shared disk to avoid the loss of print jobs during failover.
3.
How can you prevent downtime based on both printer failure and server failure? A printer pool and failover clustering can be combined. The virtual server hosting print services is configured to failover when the node fails. A printer pool provides availability for the printers.
4.
What limitations may prevent you from implementing your plan for increasing availability? Budget is the primary concern. No new printers are required because the existing printers in each hub site can be configured as a printer pool. The only additional cost will be the configuration of a failover cluster with shared storage. Given that Woodgrove Bank is likely to already have a SAN in place, the additional cost is minimal. Windows Server 2008 Enterprise Edition is required for failover clustering.
10. After the installation is complete, click Close and close Server Manager.
10. In the Manufacturer box, select Dell.
11. In the Printers box, select Dell 3100cn PS and click Next.
12. Click Next to share the printer with the default share name of Dell 3100cn PS.
13. Click Next to begin installation.
14. Click Finish and close Print Management.
Note: If the Information Bar window appears, click Close.
9. Close Internet Explorer.
10. Click Start and click Internet.
11. In the Information Bar window, select the Don't show this message again checkbox and click Close.
12. In the Address bar, type http://NYC-DC1.WoodgroveBank.com/Printers and press Enter.
13. Click Dell 3100cn PS.
14. Under PRINTER ACTIONS, click Connect.
15. Click Yes to add a printer connection.
16. Click Click here to open the printers folder on your machine.
17. Read the printer name to verify that it was installed from nyc-dc1.woodgrovebank.com rather than from a URL starting with http.
18. Close all open windows.
10. In the Manufacturer box, select Dell.
11. In the Printers box, select Dell 3100cn PCL6 and click Next.
12. Click Next to share the printer with the default share name of Dell 3100cn PCL6.
13. Click Next to begin installation.
14. Click Finish.
6. Click Start and click Control Panel.
7. Under Hardware and Sound, click Printer.
8. Verify that the Dell 3100cn PCL6 printer has been installed.
9. Close all open windows.