Microsoft ® Jump Start M5: Implementing Network Services Rick Claus | Technical Evangelist | Microsoft Ed Liberman | Technical Trainer | Train Signal

Microsoft Jump Startdownload.microsoft.com/download/0/0/9/00983385... · •Use slide 7 from 6421B_07.pptx •The title is NAP Platform Architecture Intranet Remediation Servers Internet



Page 2:

Jump Start Target Agenda | Day One

Day 1
• Module 1: Installing and Configuring Servers Based on Windows Server 2012
• Module 2: Monitoring and Maintaining Windows Server 2012
• Module 3: Managing Windows Server 2012 by Using PowerShell 3.0
- MEAL BREAK -
• Module 4: Managing Storage for Windows Server 2012
• Module 5: Implementing Network Services
• Module 6: Implementing Direct Access

Day 2
• Module 7: Implementing Failover Clustering
• Module 8: Implementing Hyper-V
• Module 9: Implementing Failover Clustering with Hyper-V
- MEAL BREAK -
• Module 10: Implementing Dynamic Access Control
• Module 11: Implementing Active Directory Domain Services
• Module 12: Implementing Active Directory Federation Services

Page 3:

Module Overview

• Implementing DNS and DHCP Enhancements
• Implementing IP Address Management
• NAP Overview
• Implementing NAP

Page 4:

What's New in DNS in Windows Server 2012

• DNSSEC
• GlobalNames Zones

Page 5:

How to Configure DNSSEC

• DNSSEC is simpler to deploy in Windows Server 2012 than in previous versions of Windows Server.

• To deploy DNSSEC:
– Assign the DNS server role
– Sign the zones
– Configure trust anchor distribution points
– Configure the NRPT on clients
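The four deployment steps above, carried out with the Windows Server 2012 DNS cmdlets. This is an added example, not code from the Jump Start deck; the zone name corp.example.com, the key path C:\dnssec-keys and the second DNS server dns2 are assumptions made for illustration.

```powershell
# Added example (not from the Jump Start deck). Assumes a Windows Server 2012 DNS
# server hosting the AD-integrated zone "corp.example.com" (hypothetical name) and a
# second, non-AD-integrated DNS server "dns2" (hypothetical) that must validate it.
# Run in an elevated PowerShell session on the authoritative DNS server.

$zone = 'corp.example.com'

# 1. Sign the zone with the defaults (RSA/SHA-256 KSK and ZSK, NSEC3, automatic rollover).
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force

# Check: a signed zone publishes DNSKEY and RRSIG records.
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey
Get-DnsServerResourceRecord -ZoneName $zone -RRType Rrsig | Select-Object -First 5

# 2. Trust anchor distribution.
#    Domain controllers that host the AD-integrated zone receive the trust anchor through
#    AD replication once the zone is signed. Any other validating server (dns2 here) needs
#    it explicitly: export the public key set here, import it there.
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'C:\dnssec-keys' -Force

# On dns2: add the exported DNSKEY as a trust anchor (the Base64 value is taken from the
# exported file; shown as a placeholder, so this line is commented out here).
# Add-DnsServerTrustAnchor -Name $zone -KeyProtocol Dnssec -CryptoAlgorithm RsaSha256 -Base64Data '<DNSKEY public key from the export>'

# 3. Require validation on clients for this namespace through the NRPT. In production this
#    is deployed with Group Policy; the cmdlet writes the equivalent local rule.
Add-DnsClientNrptRule -Namespace ".$zone" -DnsSecEnable -DnsSecValidationRequired -Comment 'Require DNSSEC for the corp zone'

# 4. Verify from a client: with the DO bit set the answer must carry RRSIG records; if the
#    NRPT rule is in force and validation fails, the name does not resolve at all.
Resolve-DnsName -Name "www.$zone" -Type A -DnssecOk
```

The caveat a practitioner will hit first: the NRPT rule makes validation mandatory, so if the trust anchor on the client's resolver is missing or stale after a key rollover, every name under the namespace stops resolving. Check the resolver with Get-DnsServerTrustAnchor before pushing the NRPT policy to the fleet.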

Page 6:

DEMO: Configuring DNSSEC

In this demonstration you will learn how to configure DNSSEC.

Page 7:

What’s New in DHCP in Windows Server 2012

• DHCP name protection can be configured in the DNS properties at the server (IPv4) level or at the scope level

DHCP limitation | Windows Server 2012 solution
Failure of the DHCP server results in loss of network connectivity for clients as their leases expire | DHCP failover
Windows systems can have their DNS name registrations overwritten by non-Microsoft systems bearing the same system name | DHCP name protection (the DHCP server registers a DHCID record alongside the A record, so a different host cannot overwrite it)

Page 8:

How to Configure Failover for DHCP

• Failover relationships must have unique names
• The MCLT (maximum client lead time) bounds how far one partner may extend a lease beyond what the other partner knows about, and determines how long a partner waits before taking control of the subnet or scope after the other server is declared down
• Failover supports two modes:
– Hot Standby Mode
– Load Sharing Mode
• The Auto State Switchover Interval determines how long communication with the partner must be interrupted before the partner is considered to be down
• Message authentication (a shared secret) can validate the failover messages exchanged between the partners
• Firewall rules are auto-configured during DHCP installation
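Name protection (Page 7) and a failover relationship (this page) configured with the DhcpServer cmdlets. This is an added example, not code from the deck; the server names dhcp1 and dhcp2, the scopes 10.10.0.0/24 and 10.20.0.0/24 and the shared secret are assumptions for illustration.

```powershell
# Added example; not part of the Jump Start deck. Assumes two authorized Windows Server
# 2012 DHCP servers, dhcp1 and dhcp2 (hypothetical names), and an existing scope
# 10.10.0.0/24 on dhcp1. Run elevated with the DhcpServer module available.

# --- DHCP name protection ---
# Server-wide (applies to every scope that has no DNS settings of its own).
Set-DhcpServerv4DnsSetting -ComputerName dhcp1 -NameProtection $true -DynamicUpdates Always
# Per scope (overrides the server setting for that scope only).
Set-DhcpServerv4DnsSetting -ComputerName dhcp1 -ScopeId 10.10.0.0 -NameProtection $true
# Check: NameProtection should now read True for the scope.
Get-DhcpServerv4DnsSetting -ComputerName dhcp1 -ScopeId 10.10.0.0

# --- DHCP failover, hot standby ---
# dhcp1 stays active; dhcp2 only answers when dhcp1 is unreachable and keeps 5 % of the
# pool reserved for that case. Both partners must declare the same MCLT and shared secret.
Add-DhcpServerv4Failover -ComputerName dhcp1 -Name 'dhcp1-dhcp2-hotstandby' `
    -PartnerServer dhcp2 -ScopeId 10.10.0.0 `
    -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 00:30:00 `
    -SharedSecret 'Use-A-Long-Random-Secret-Here' -Force

# --- DHCP failover, load sharing (alternative for another scope; shown commented out) ---
# Add-DhcpServerv4Failover -ComputerName dhcp1 -Name 'dhcp1-dhcp2-loadshare' `
#     -PartnerServer dhcp2 -ScopeId 10.20.0.0 -LoadBalancePercent 50 `
#     -MaxClientLeadTime 01:00:00 -AutoStateTransition $true -StateSwitchInterval 00:30:00 `
#     -SharedSecret 'Use-A-Long-Random-Secret-Here' -Force

# --- Check the relationship from both sides; State should be Normal on each partner ---
Get-DhcpServerv4Failover -ComputerName dhcp1 -Name 'dhcp1-dhcp2-hotstandby' |
    Format-List Name, PartnerServer, Mode, State, MaxClientLeadTime, StateSwitchInterval, AutoStateTransition, EnableAuth
Get-DhcpServerv4Failover -ComputerName dhcp2 -Name 'dhcp1-dhcp2-hotstandby' |
    Select-Object Name, PartnerServer, State
```

Two points worth keeping in mind: the -SharedSecret switches on message authentication, without which any host that can reach the failover port can inject lease state into the partner; and a short StateSwitchInterval with AutoStateTransition enabled means a brief link outage is enough for the standby to start taking over the pool after the MCLT, so size both against your real network's flap behaviour.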

Page 9:

DEMO: Configuring Failover for DHCP

In this demonstration you will see how to configure DHCP failover.

Page 10:

What is IP Address Management?

• IPAM assists in the following areas of IP address management:
– Planning
– Managing
– Tracking
– Auditing

• IPAM provides multiple benefits for IP administrators

Page 11:

IPAM Architecture

• IPAM has four main modules:
– IPAM discovery
– IP address space management
– Multi-server management and monitoring
– Operational auditing and IP address tracking

• IPAM can be deployed in three topologies:
– Distributed
– Centralized
– Hybrid

• IPAM has two components:
– IPAM Server
– IPAM Client

Page 12:

Requirements for IPAM Implementation

• IPAM requirements:
– The IPAM server must belong to the domain
– The IPAM server cannot be a domain controller
– IPv6 must be enabled on the IPAM server to manage IPv6 address space
– Log on with a domain account
– You must be a member of the appropriate IPAM security group
– Logging of account logon events must be enabled on domain controllers and NPS servers for IP address tracking and auditing

• Hardware and software:
– CPU: dual core, 2.0 GHz or higher
– Windows Server 2012 operating system
– 4 GB of RAM / 80 GB free disk space

Page 13:

DEMO: Implementing IPAM

In this demonstration you will see how to:
– Install IPAM
– Create IPAM-related GPOs
– Initiate server discovery
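The requirement checks from Page 12 and the first two demo steps above as a script. This is an added example, not the deck's demo; the domain corp.example.com, the IPAM server ipam1 and the domain controller dc1 are hypothetical names.

```powershell
# Added example; not from the Jump Start deck. Assumes the domain corp.example.com,
# a future IPAM server ipam1.corp.example.com and a domain controller dc1 (all
# hypothetical). Run elevated on the IPAM server, logged on with a domain account.

# --- Requirement checks (Page 12) ---
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'The IPAM server must be a domain member.' }
# DomainRole 4 = backup domain controller, 5 = primary domain controller.
if ($cs.DomainRole -ge 4) { throw 'IPAM cannot be installed on a domain controller.' }
if ($env:USERDOMAIN -eq $env:COMPUTERNAME) { throw 'Log on with a domain account, not a local account.' }

# --- Install the feature (in-box in Windows Server 2012) ---
Install-WindowsFeature -Name IPAM -IncludeManagementTools

# --- Create the IPAM GPOs ---
# Creates IPAM_DC_NPS, IPAM_DHCP and IPAM_DNS in the domain. They are not linked yet:
# IPAM applies them through security filtering when you mark a discovered server "Managed".
Invoke-IpamGpoProvisioning -Domain corp.example.com -GpoPrefixName IPAM `
    -IpamServerFqdn ipam1.corp.example.com -Force

# --- IP address tracking depends on "Audit account logon events" on DCs and NPS servers ---
# The IPAM_DC_NPS GPO configures it; this confirms the effective setting on dc1.
Invoke-Command -ComputerName dc1 -ScriptBlock { auditpol.exe /get /category:"Account Logon" }

# Server discovery (demo step 3) is started from Server Manager > IPAM > Overview >
# "Configure server discovery" / "Start server discovery" in Windows Server 2012; later
# releases add cmdlets such as Add-IpamDiscoveryDomain for the same task.
```

The domain-controller check matters beyond the install: the IPAM server holds the audit trail of every lease and logon across the managed servers, so it is a high-value host in its own right and should be hardened and access-controlled like one.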

Page 14:

What is NAP?

• Network Access Protection can:
– Enforce health-requirement policies on client computers
– Ensure client computers are compliant with policies
– Offer remediation support for computers that do not meet health requirements

• Network Access Protection cannot:
– Protect the network from malicious users
– Guarantee that a client computer is not infected

Page 15:

What’s New for NAP in Windows Server 2012

• Support for Windows PowerShell
• RRAS is now a role service in the Remote Access server role

Page 16:

NAP Architecture

[Diagram: NAP Platform Architecture (slide 7 of 6421B_07.pptx). Components shown: a NAP client with limited access on the restricted network; the NAP Health Policy Server, DHCP server, Health Registration Authority, IEEE 802.1X devices, VPN server, Active Directory and remediation servers on the intranet; a perimeter network facing the Internet.]

Page 17:

Scenarios for Using NAP

• Roaming laptops
• Desktop computers
• Visiting laptops
• Unmanaged home computers

Page 18:

Considerations for NAP

• Use Group Policy to deploy client settings
• Plan the enforcement method you will use (DHCP, VPN, IPsec or 802.1X)
• Plan for a remediation network
• Ensure you can provide the administrative support for the solution

Page 19:

Requirements for Implementing NAP

• All enforcement methods require NAP agent to run on the client

• Network Policy Server (NPS) is required to create and enforce policies

• SHVs are required to determine what will be evaluated on the client

• System health policies are required to determine client compliance or noncompliance

• Certificates are required for PEAP authentication: the NPS server needs a server certificate that clients trust, and clients need computer certificates when PEAP-TLS is used

• Remediation networks can provide a way for clients to become compliant and gain access to the network

Page 20:

NAP with VPN

• The VPN server uses the NPS server as its primary RADIUS server

• VPN servers are configured as RADIUS clients in NPS

• Connection request policy has the VPN server as source

• Configure SHVs to test for health conditions

• Health policies pass compliant clients and fail noncompliant clients

• Network policy grants full access to compliant clients and limited access to noncompliant clients

• Group policy or local policy can enable the ECs on client computers

• NAP agent service must be enabled on clients

• A server certificate on NPS is required for PEAP authentication; computer certificates on clients are required when PEAP-TLS is used

Page 21:

NAP with IPsec Requirements

• A CA to issue health certificates
• An HRA (Health Registration Authority) to authenticate clients and obtain health certificates on their behalf
• Authentication requirement on the HRA: domain-authenticated clients only, or anonymous
• An NPS server
• Clients configured for IPsec enforcement
• IPsec policies to create the logical networks (secure, boundary and restricted)

Page 22:

NAP with DHCP

• NAP enforcement can be integrated with DHCP
• The NPS server uses health policies and SHVs to evaluate client health
• NPS tells the DHCP server to provide full access to compliant computers and to restrict access to noncompliant computers
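The server- and client-side switches for the DHCP enforcement described above, plus the RADIUS-client registration of a VPN server from Page 20. This is an added example, not code from the deck; the host nps1 (running both NPS and DHCP), the VPN server vpn1 at 10.10.0.5, the scope 10.10.0.0/24, the client client1 and the restricted DNS suffix are assumptions for illustration. Health policies, SHV settings and network policies themselves are created in the NPS console (or with netsh nps) and are not shown.

```powershell
# Added example; not part of the Jump Start deck. Assumes NPS and the DHCP server role on
# one Windows Server 2012 host nps1, a scope 10.10.0.0/24, a VPN server vpn1 at 10.10.0.5
# and a domain-joined client client1 (all hypothetical). Run elevated on nps1.

# --- NPS: register the VPN server as a NAP-capable RADIUS client (NAP with VPN) ---
# -NapCompatible corresponds to the "RADIUS client is NAP-capable" checkbox in the console.
New-NpsRadiusClient -Name 'vpn1' -Address '10.10.0.5' `
    -SharedSecret 'Use-A-Long-Random-Secret-Here' -NapCompatible $true
Get-NpsRadiusClient | Select-Object Name, Address, Enabled

# --- DHCP server: enable NAP so the server consults NPS before issuing a full lease ---
Set-DhcpServerSetting -ComputerName nps1 -NapEnabled $true
Set-DhcpServerv4Scope -ComputerName nps1 -ScopeId 10.10.0.0 -NapEnable $true
# Noncompliant clients get options from the built-in NAP user class; give them a DNS
# suffix that points at the remediation network (option 15 = DNS Domain Name).
Set-DhcpServerv4OptionValue -ComputerName nps1 -ScopeId 10.10.0.0 `
    -UserClass 'Default Network Access Protection Class' -OptionId 15 -Value 'restricted.corp.example.com'

# --- Client: enable the DHCP enforcement client and the NAP agent ---
# Normally delivered by Group Policy; these are the equivalent local commands.
Invoke-Command -ComputerName client1 -ScriptBlock {
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    # Enforcement client IDs: 79617 = DHCP, 79618 = Remote Access (VPN), 79619 = IPsec, 79623 = EAP (802.1X)
    netsh.exe nap client set enforcement ID=79617 ADMIN="ENABLE"
    # Check: the DHCP quarantine enforcement client should be listed as enabled.
    netsh.exe nap client show state
}
```

Keep the limitation from Page 14 in view when choosing this method: DHCP enforcement only constrains what the DHCP server hands out, so a host with a static address or a malicious user who ignores the lease is not restricted by it; IPsec or 802.1X enforcement is the stronger choice where that matters.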

Page 23:

Quick Review

• Will client computers still be able to access the network if the DHCP server fails?
• Is a third-party certification authority required to implement DNSSEC?
• What is the difference between a centralized and a distributed IPAM topology?
• True or false: NAP can protect your network from viruses and malware on remote computers that connect to your network through VPN connections.

Page 24:

Module Review and Takeaways

• Best Practices
• Common Issues and Troubleshooting Tips
• Review Questions
• Real-world Issues and Scenarios
• Tools
