Microsoft® Jump Start
M5: Implementing Network Services
Rick Claus | Technical Evangelist | Microsoft
Ed Liberman | Technical Trainer | Train Signal
Jump Start Target Agenda | Day One
Day 1
• Module 1: Installing and Configuring Servers Based on Windows Server 2012
• Module 2: Monitoring and Maintaining Windows Server 2012
• Module 3: Managing Windows Server 2012 by Using PowerShell 3.0
- MEAL BREAK -
• Module 4: Managing Storage for Windows Server 2012
• Module 5: Implementing Network Services
• Module 6: Implementing Direct Access
Day 2
• Module 7: Implementing Failover Clustering
• Module 8: Implementing Hyper-V
• Module 9: Implementing Failover Clustering with Hyper-V
- MEAL BREAK -
• Module 10: Implementing Dynamic Access Control
• Module 11: Implementing Active Directory Domain Services
• Module 12: Implementing Active Directory Federation Services
Module Overview
• Implementing DNS and DHCP Enhancements
• Implementing IP Address Management
• NAP Overview
• Implementing NAP
What's New in DNS in Windows Server 2012
• DNSSEC
• GlobalNames Zones
How to Configure DNSSEC
• DNSSEC is simpler to deploy in Windows Server 2012 than in previous versions of Windows Server.
• To deploy DNSSEC:
– Assign the DNS server role
– Sign the zones
– Configure trust anchor distribution points
– Configure NRPT on clients
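The four deployment steps above, as an added PowerShell example that is not part of the original deck. The zone and server names are placeholders, and the zone is assumed to be Active Directory-integrated so that trust anchors can be distributed to other DNS servers.

```powershell
# Added example. All names are placeholders (assumptions), not values from the deck.
$Zone      = 'secure.example.test'   # zone to sign (assumed AD-integrated)
$DnsServer = 'dns1.example.test'     # authoritative Windows Server 2012 DNS server

# 1. Assign the DNS server role.
Install-WindowsFeature -Name DNS -IncludeManagementTools -ComputerName $DnsServer

# 2. Sign the zone with the default DNSSEC settings.
Invoke-DnsServerZoneSign -ZoneName $Zone -ComputerName $DnsServer -SignWithDefault -Force

# Stop if the zone did not end up signed: clients that require validation
# would otherwise reject answers for the whole namespace.
if (-not (Get-DnsServerZone -Name $Zone -ComputerName $DnsServer).IsSigned) {
    throw "Zone $Zone is not signed; not configuring trust anchors or NRPT."
}

# 3. Enable distribution of the zone's DNSKEY trust anchors, then list
#    the anchors the server now holds for the zone.
Set-DnsServerDnsSecZoneSetting -ZoneName $Zone -ComputerName $DnsServer `
    -DistributeTrustAnchor DnsKey
Get-DnsServerTrustAnchor -Name $Zone -ComputerName $DnsServer

# 4. Configure NRPT on a client: require DNSSEC validation for every name
#    under the signed zone. Run on the client; in a domain the same rule
#    is normally delivered through Group Policy.
Add-DnsClientNrptRule -Namespace ".$Zone" -DnsSecEnable -DnsSecValidationRequired

# Checks: the server should return DNSKEY/RRSIG records when the DO bit is
# set, and the client should list the new NRPT rule.
Resolve-DnsName -Name $Zone -Type DNSKEY -Server $DnsServer -DnssecOk
Get-DnsClientNrptPolicy
```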
DEMO: Configuring DNSSEC
In this demonstration you will learn how to
configure DNSSEC
What’s New in DHCP in Windows Server 2012
• DHCP name protection can be configured in the properties at the IP level or scope level
DHCP Limitations | WS 2012 solution
Failure of DHCP will result in loss of network connectivity for clients | DHCP failover
Windows systems can have their DNS name registrations overwritten by non-Microsoft systems bearing the same system name | DHCP name protection
How to Configure Failover for DHCP
• Failover relationships must have unique names
• The MCLT determines when a failover partner
takes control of the subnet or scope
• Failover supports two modes:
– Hot Standby Mode
– Load Sharing Mode
• Auto State Switchover Interval determines when a failover partner is considered to be down
• Message authentication can validate the failover messages
• Firewall rules auto-configured during DHCP
installation
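The failover settings listed above, together with the DHCP name protection setting from the previous slide, as an added PowerShell example that is not part of the original deck. Server names, the scope, the relationship name and the timing values are placeholders chosen for illustration.

```powershell
# Added example. Names, scope and timings are placeholders (assumptions).
$Primary = 'dhcp1.example.test'
$Partner = 'dhcp2.example.test'
$ScopeId = '10.0.10.0'
$RelName = 'dhcp1-dhcp2-hot-standby'   # failover relationship names must be unique

# Prompt for the shared secret instead of storing it in the script.
# Setting it turns on message authentication between the partners.
$Secret = Read-Host -Prompt 'Failover shared secret'

# Hot Standby Mode: this server is active, the partner holds 5% of the
# range in reserve. For Load Sharing Mode, replace -ServerRole and
# -ReservePercent with -LoadBalancePercent 50.
Add-DhcpServerv4Failover -ComputerName $Primary -PartnerServer $Partner `
    -Name $RelName -ScopeId $ScopeId `
    -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 00:45:00 `
    -SharedSecret $Secret

# Audit: list any failover relationship on this server that runs without
# message authentication. An empty result is the desired outcome.
Get-DhcpServerv4Failover -ComputerName $Primary |
    Where-Object { -not $_.EnableAuth } |
    Select-Object Name, PartnerServer, Mode, State

# DHCP name protection at the scope level, so an existing DNS registration
# is not overwritten by another system using the same name.
Set-DhcpServerv4DnsSetting -ComputerName $Primary -ScopeId $ScopeId -NameProtection $true
Get-DhcpServerv4DnsSetting -ComputerName $Primary -ScopeId $ScopeId
```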
DEMO: Configuring Failover for DHCP
In this demonstration you will see how to
configure DHCP failover
What is IP Address Management?
• IPAM assists in the following areas of IP address management:
– Planning
– Managing
– Tracking
– Auditing
• IPAM provides multiple benefits for IP
administrators
IPAM Architecture
• IPAM has four main modules:
– IPAM discovery
– IP address space management
– Multi-server management and monitoring
– Operational auditing and IP address tracking
• IPAM can be deployed in three topologies:
– Distributed
– Centralized
– Hybrid
• IPAM has two components:
– IPAM Server
– IPAM Client
Requirements for IPAM Implementation
• IPAM requirements:
– IPAM server must belong to the domain
– IPAM server cannot be a domain controller
– IPv6 must be enabled to manage IPv6
– Log on with a domain account
– You must be in the correct IP security group
– Logging account logon events must be enabled for IP
address tracking and auditing
• Hardware and software:
– CPU – dual core 2.0 GHz or higher
– Windows Server 2012 operating system
– 4 GB of RAM / 80 GB free disk space
DEMO: Implementing IPAM
In this demonstration you will see how to:
– Install IPAM
– Create IPAM related GPOs
– Initiate server discovery
What is NAP?
• Network Access Protection can:
– Enforce health-requirement policies on client computers
– Ensure client computers are compliant with policies
– Offer remediation support for computers that do not meet health requirements
• Network Access Protection cannot:
– Protect the network from malicious users
– Guarantee that a client computer is not infected
What’s New for NAP in Windows Server 2012
• Support for Windows PowerShell
• RRAS is now a role service in the Remote Access server role
NAP Architecture
[Diagram: NAP Platform Architecture (slide 7 from 6421B_07.pptx). Labels shown: Internet, Perimeter Network, Intranet, Restricted Network, NAP Client with limited access, Remediation Servers, NAP Health Policy Server, DHCP Server, Health Registration Authority, IEEE 802.1X Devices, Active Directory, VPN Server]
Scenarios for Using NAP
• Roaming laptops
• Desktop computers
• Visiting laptops
• Unmanaged home computers
Considerations for NAP
• Use Group Policy to deploy client settings
• Plan which enforcement type you will use
• Plan for a remediation network
• Ensure you can provide the administrative support
for the solution
Requirements for Implementing NAP
• All enforcement methods require NAP agent to run on the client
• Network Policy Server (NPS) is required to create and enforce policies
• SHVs are required to determine what will be evaluated on the client
• System health policies are required to determine client compliance or noncompliance
• Certificates are required to validate computer identities for PEAP authentication
• Remediation networks can provide a way for clients to become compliant and gain access to the network
NAP with VPN
• The VPN server uses the NPS server as primary RADIUS
• VPN servers are configured as RADIUS clients in NPS
• Connection request policy has the VPN server as source
• Configure SHVs to test for health conditions
• Health policies pass compliant clients and fail noncompliant clients
• Network policy grants full access to compliant clients and limited access to noncompliant clients
• Group policy or local policy can enable the ECs on client computers
• NAP agent service must be enabled on clients
• Computer certificates are required for PEAP authentication
NAP with IPsec Requirements
• A CA to issue health certificates
• An HRA to authenticate and obtain health certificates on behalf of clients
• Authentication requirements: domain only or anonymous
• An NPS server
• Clients configured for IPsec enforcement
• IPsec policies to create logical networks
NAP with DHCP
• NAP enforcement can be integrated with DHCP
• NPS server uses health policies and SHVs to evaluate client health
• NPS tells the DHCP server to provide full access to compliant computers and to restrict access to noncompliant computers
Quick Review
• Will client computers still be able to access the network if the DHCP server fails?
• Is a third party certification authority required to implement DNSSEC?
• What is the difference between a centralized and a distributed IPAM topology?
• True or false: NAP can protect your network from
viruses and malware on remote computers that
connect to your network through VPN
connections.
Module Review and Takeaways
• Best Practices
• Common Issues and Troubleshooting Tips
• Review Questions
• Real-world Issues and Scenarios
• Tools