7/27/2019 20417A_05.pdf
1/25
Microsoft Jump Start
M5: Implementing Network Services
Rick Claus | Technical Evangelist | Microsoft
Ed Liberman | Technical Trainer | Train Signal
Jump Start Target Agenda | Day One
Day 1
  Module 1: Installing and Configuring Servers Based on Windows Server 2012
  Module 2: Monitoring and Maintaining Windows Server 2012
  Module 3: Managing Windows Server 2012 by Using PowerShell 3.0
  - MEAL BREAK -
  Module 4: Managing Storage for Windows Server 2012
  Module 5: Implementing Network Services
  Module 6: Implementing Direct Access
Day 2
  Module 7: Implementing Failover Clustering
  Module 8: Implementing Hyper-V
  Module 9: Implementing Failover Clustering with Hyper-V
  - MEAL BREAK -
  Module 10: Implementing Dynamic Access Control
  Module 11: Implementing Active Directory Domain Services
  Module 12: Implementing Active Directory Federation Services
Module Overview
Implementing DNS and DHCP Enhancements
Implementing IP Address Management
NAP Overview
Implementing NAP
What's New in DNS in Windows Server 2012
DNSSEC
GlobalNames Zones
How to Configure DNSSEC
DNSSEC is simpler to deploy in Windows Server 2012 than in previous versions of Windows Server.
To Deploy DNSSEC:
  Assign the DNS server role
  Sign the zones
  Configure trust anchor distribution points
  Configure NRPT on clients
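
The four deployment steps above, as an added PowerShell example (not part of the original slides). The zone name, host name and GPO name are placeholders, and the GPO is assumed to exist already.

```powershell
# Added example. All names below are placeholders (assumptions), not values from the slides.
$Zone    = 'corp.example.com'      # placeholder: AD-integrated zone to sign
$GpoName = 'DNSSEC-NRPT'           # placeholder: existing GPO linked to the client OUs
$TestRec = "dc1.$Zone"             # placeholder: a record that exists in the zone

# Step 1: assign the DNS server role.
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Step 2: sign the zone. -SignWithDefault generates the KSK/ZSK pair
# and uses the server's default signing parameters.
Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force

# Step 3: trust anchor distribution. Publish the zone's DNSKEY
# records as trust anchors so other DNS servers can validate answers.
Set-DnsServerDnsSecZoneSetting -ZoneName $Zone -DistributeTrustAnchor DnsKey

# Check: the signing settings and the trust anchor should now be present.
Get-DnsServerDnsSecZoneSetting -ZoneName $Zone
Get-DnsServerTrustAnchor -Name $Zone

# Step 4: NRPT on clients. Write a rule into the GPO that makes clients
# request DNSSEC data for the namespace and reject answers that their
# DNS server did not validate.
Add-DnsClientNrptRule -GpoName $GpoName -Namespace ".$Zone" `
    -DnsSecEnable -DnsSecValidationRequired

# On a client, after Group Policy refresh: confirm the rule is in effect
# and that signed answers carry RRSIG records.
Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq ".$Zone" }
Resolve-DnsName -Name $TestRec -DnssecOk
```

The Windows DNS client does not validate signatures itself; it relies on its DNS server to do so, which is why the NRPT rule is the step that makes unsigned or tampered answers fail on the client.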
DEMO: Configuring DNSSEC
In this demonstration you will learn how to configure DNSSEC
What's New in DHCP in Windows Server 2012
DHCP name protection can be configured in properties at the IP level or scope level
DHCP Limitations | WS 2012 solution
Failure of DHCP will result in loss of network connectivity for clients | DHCP failover
Windows systems can have their DNS name registrations overwritten by non-Microsoft systems bearing the same system name | DHCP name protection
How to Configure Failover for DHCP
Failover relationships must have unique names
The MCLT determines when a failover partner takes control of the subnet or scope
Failover supports two modes:
  Hot Standby Mode
  Load Sharing Mode
Auto State Switchover Interval determines when a failover partner is considered to be down
Message authentication can validate the failover messages
Firewall rules auto-configured during DHCP installation
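
The failover settings listed above, plus scope-level name protection from the previous slide, as an added PowerShell example (not part of the original slides). Server names, the scope ID, the relationship name and the timer values are placeholders.

```powershell
# Added example. All names and values below are placeholders (assumptions).
$Primary = 'dhcp1.corp.example.com'   # placeholder: server that owns the scope
$Partner = 'dhcp2.corp.example.com'   # placeholder: failover partner
$Scope   = '10.10.0.0'                # placeholder: existing IPv4 scope
$RelName = 'dhcp1-dhcp2-hotstandby'   # relationship names must be unique

# Prompt for the shared secret instead of storing it in the script.
$Secret = Read-Host -Prompt 'Failover shared secret'

# Hot Standby Mode: this server is Active, the partner holds 5% of the
# scope in reserve. Supplying -LoadBalancePercent instead of -ServerRole
# and -ReservePercent would create a Load Sharing relationship.
Add-DhcpServerv4Failover -ComputerName $Primary -Name $RelName `
    -PartnerServer $Partner -ScopeId $Scope `
    -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 00:45:00 `
    -SharedSecret $Secret   # turns on message authentication

# Audit: list relationships whose failover messages are NOT authenticated.
Get-DhcpServerv4Failover -ComputerName $Primary |
    Where-Object { -not $_.EnableAuth } |
    Select-Object Name, PartnerServer, Mode, State

# Name protection at the scope level, so a same-named non-Windows host
# cannot overwrite an existing DNS registration.
Set-DhcpServerv4DnsSetting -ComputerName $Primary -ScopeId $Scope `
    -NameProtection $true
Get-DhcpServerv4DnsSetting -ComputerName $Primary -ScopeId $Scope
```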
DEMO: Configuring Failover for DHCP
In this demonstration you will see how to configure DHCP failover
What is IP Address Management?
IPAM assists in the following areas of IP address management:
  Planning
  Managing
  Tracking
  Auditing
IPAM provides multiple benefits for IP administrators
IPAM Architecture
IPAM has four main modules:
  IPAM discovery
  IP address space management
  Multi-server management and monitoring
  Operational auditing and IP address tracking
IPAM can be deployed in three topologies:
  Distributed
  Centralized
  Hybrid
IPAM has two components:
  IPAM Server
  IPAM Client
Requirements for IPAM Implementation
IPAM requirements:
  IPAM server must belong to the domain
  IPAM server cannot be a domain controller
  IPv6 must be enabled to manage IPv6
  Log on with a domain account
  You must be in the correct IP security group
  Logging account logon events must be enabled for IP address tracking and auditing
Hardware and software:
  CPU dual core 2.0 GHz or higher
  Windows Server 2012 Operating system
  4 GB of RAM / 80 GB free disk space
DEMO: Implementing IPAM
In this demonstration you will see how to:
Install IPAM
Create IPAM related GPOs
Initiate server discovery
What is NAP?
Network Access Protection can:
  Enforce health-requirement policies on client computers
  Ensure client computers are compliant with policies
  Offer remediation support for computers that do not meet health requirements
Network Access Protection cannot:
  Protect the network from malicious users
  Guarantee that a client computer is not infected
What's New for NAP in Windows Server 2012
Support for Windows PowerShell
RRAS is now a role service in the Remote Access server role
NAP Architecture
[Diagram: NAP Platform Architecture (slide 7 from 6421B_07.pptx). Labelled components: Intranet, Remediation Servers, Internet, NAP Health Policy Server, DHCP Server, Health Registration Authority, IEEE 802.1X Devices, Active Directory, VPN Server, Restricted Network, NAP Client with limited access, Perimeter Network]
Scenarios for Using NAP
Roaming laptops
Desktop computers
Visiting laptops
Unmanaged home computers
Considerations for NAP
Use group policy to deploy client settings
Plan the enforcement type you wish to enforce
Plan for a remediation network
Ensure you can provide the administrative support for the solution
Requirements for Implementing NAP
All enforcement methods require NAP agent to run on the client
Network Policy Server (NPS) is required to create and enforce policies
SHVs are required to determine what will be evaluated on the client
System health policies are required to determine client compliance or noncompliance
Certificates are required to validate computer identities for PEAP authentication
Remediation networks can provide a way for clients to become compliant and gain access to the network
NAP with VPN
The VPN server uses the NPS server as primary RADIUS
VPN servers are configured as RADIUS clients in NPS
Connection request policy has the VPN server as source
Configure SHVs to test for health conditions
Health policies pass compliant clients and fail noncompliant clients
Network policy grants full access to compliant clients and limited access to noncompliant clients
Group policy or local policy can enable the ECs on client computers
NAP agent service must be enabled on clients
Computer certificates are required for PEAP authentication
NAP with IPsec Requirements
A CA to issue health certificates
An HRA to authenticate and obtain health certificate on behalf of clients
Authentication requirements: domain only or anonymous
An NPS server
Clients configured for IPsec enforcement
IPsec policies to create logical networks
NAP with DHCP
NAP enforcement can be integrated with DHCP
NPS server uses health policies and SHVs to evaluate client health
NPS tells the DHCP server to provide full access to compliant computers and to restrict access to noncompliant computers
Quick Review
Will client computers still be able to access the network if the DHCP server fails?
Is a third party certification authority required to implement DNSSEC?
What is the difference between a centralized and a distributed IPAM topology?
True or false: NAP can protect your network from viruses and malware on remote computers that connect to your network through VPN connections.
Module Review and Takeaways
Best Practices
Common Issues and Troubleshooting Tips
Review Questions
Real-world Issues and Scenarios
Tools