
Microsoft Jump Start

M5: Implementing Network Services


Rick Claus | Technical Evangelist | Microsoft
Ed Liberman | Technical Trainer | Train Signal

Jump Start Target Agenda | Day One


Day 1

- Module 1: Installing and Configuring Servers Based on Windows Server 2012
- Module 2: Monitoring and Maintaining Windows Server 2012
- Module 3: Managing Windows Server 2012 by Using PowerShell 3.0
- MEAL BREAK
- Module 4: Managing Storage for Windows Server 2012
- Module 5: Implementing Network Services
- Module 6: Implementing Direct Access

Day 2

- Module 7: Implementing Failover Clustering
- Module 8: Implementing Hyper-V
- Module 9: Implementing Failover Clustering with Hyper-V
- MEAL BREAK
- Module 10: Implementing Dynamic Access Control
- Module 11: Implementing Active Directory Domain Services
- Module 12: Implementing Active Directory Federation Services

Module Overview

- Implementing DNS and DHCP Enhancements
- Implementing IP Address Management
- NAP Overview
- Implementing NAP

What's New in DNS in Windows Server 2012


DNSSEC

GlobalNames Zones

How to Configure DNSSEC


DNSSEC is simpler to deploy in Windows Server 2012 than in previous versions of Windows Server.

To deploy DNSSEC:

- Assign the DNS server role
- Sign the zones
- Configure trust anchor distribution points
- Configure NRPT on clients
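
The four deployment steps above, run with the DnsServer and DnsClient cmdlets that ship with Windows Server 2012. This is an added example, not part of the original slides; the zone name secure.example.test and the host name are constructed placeholders, and the zone is assumed to already exist as an Active Directory-integrated primary zone.

```powershell
# Added example. Zone and host names are constructed placeholders.
$Zone = 'secure.example.test'

# Step 1: assign the DNS server role (no change if it is already installed).
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Step 2: sign the zone. -SignWithDefault uses the built-in key and
# signature settings; this server becomes the Key Master for the zone.
Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force

# Step 3: publish the zone's DNSKEY as a trust anchor so that other
# DNS servers in the forest can validate answers from this zone.
Set-DnsServerDnsSecZoneSetting -ZoneName $Zone -DistributeTrustAnchor DnsKey

# Check: the zone reports its signing settings and a trust anchor exists.
Get-DnsServerDnsSecZoneSetting -ZoneName $Zone
Get-DnsServerTrustAnchor -Name $Zone

# Step 4: NRPT rule on a client. The leading dot makes the rule apply to
# every name under the zone. Without -DnsSecValidationRequired the client
# accepts unvalidated answers for this namespace.
# For domain-wide rollout, add -GpoName to write the rule into a GPO
# instead of the local policy.
Add-DnsClientNrptRule -Namespace ".$Zone" -DnsSecEnable -DnsSecValidationRequired

# Check from the client: the rule is present, and a query that sets the
# DNSSEC OK bit returns RRSIG records next to the A record.
Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains ".$Zone" }
Resolve-DnsName -Name "host1.$Zone" -Type A -DnssecOk
```

The Windows DNS client does not validate signatures itself; it relies on its resolver to do so, which leaves the hop between client and resolver outside DNSSEC's protection. Add-DnsClientNrptRule has a -DnsSecIPsecRequired switch for that hop.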

DEMO: Configuring DNSSEC

In this demonstration you will learn how to configure DNSSEC

What's New in DHCP in Windows Server 2012

DHCP name protection can be configured in properties at the IP level or scope level

DHCP limitations and their Windows Server 2012 solutions:

- Limitation: Failure of DHCP will result in loss of network connectivity for clients
  WS 2012 solution: DHCP failover
- Limitation: Windows systems can have their DNS name registrations overwritten by non-Microsoft systems bearing the same system name
  WS 2012 solution: DHCP name protection

How to Configure Failover for DHCP


- Failover relationships must have unique names
- The Maximum Client Lead Time (MCLT) determines when a failover partner takes control of the subnet or scope
- Failover supports two modes:
  - Hot Standby Mode
  - Load Sharing Mode
- Auto State Switchover Interval determines when a failover partner is considered to be down
- Message authentication can validate the failover messages
- Firewall rules are auto-configured during DHCP installation
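
The settings listed above, applied with the DhcpServer cmdlets in Windows Server 2012: one relationship per failover mode, a check for relationships without message authentication, and name protection from the previous slide. This is an added example, not part of the original slides; server names, scope IDs, relationship names and time values are constructed placeholders.

```powershell
# Added example. All names, scopes and intervals are constructed placeholders.
$Primary = 'dhcp1.example.test'
$Partner = 'dhcp2.example.test'

# The shared secret enables message authentication between the partners.
# Prompt for it rather than storing it in the script.
$Secret = Read-Host -Prompt 'Failover shared secret'

# Load Sharing Mode: both servers lease addresses, split 50/50.
# -MaxClientLeadTime is the MCLT; -StateSwitchInterval is the
# Auto State Switchover Interval and needs -AutoStateTransition $true.
Add-DhcpServerv4Failover -ComputerName $Primary -PartnerServer $Partner `
    -Name 'HQ-LoadShare' -ScopeId 10.10.0.0 `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 00:30:00 `
    -SharedSecret $Secret

# Hot Standby Mode: $Primary is active, the partner holds 5% of the
# scope in reserve for new clients while the active server is down.
# Each relationship needs its own unique name.
Add-DhcpServerv4Failover -ComputerName $Primary -PartnerServer $Partner `
    -Name 'Branch-HotStandby' -ScopeId 10.20.0.0 `
    -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 00:30:00 `
    -SharedSecret $Secret

# Review: mode, state and timers of every relationship on the server.
Get-DhcpServerv4Failover -ComputerName $Primary |
    Select-Object Name, PartnerServer, Mode, State, MaxClientLeadTime,
                  AutoStateTransition, StateSwitchInterval, EnableAuth

# Flag relationships whose failover messages are not authenticated.
Get-DhcpServerv4Failover -ComputerName $Primary |
    Where-Object { -not $_.EnableAuth } |
    Select-Object Name, PartnerServer

# DHCP name protection at scope level, so an existing DNS registration
# is not overwritten by another system using the same name.
Set-DhcpServerv4DnsSetting -ComputerName $Primary -ScopeId 10.10.0.0 -NameProtection $true
```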

DEMO: Configuring Failover for DHCP

In this demonstration you will see how to configure DHCP failover

What is IP Address Management?


IPAM assists in the following areas of IP address management:

- Planning
- Managing
- Tracking
- Auditing

IPAM provides multiple benefits for IP administrators

IPAM Architecture

IPAM has four main modules:

- IPAM discovery
- IP address space management
- Multi-server management and monitoring
- Operational auditing and IP address tracking

IPAM can be deployed in three topologies:

- Distributed
- Centralized
- Hybrid

IPAM has two components:

- IPAM Server
- IPAM Client

Requirements for IPAM Implementation


IPAM requirements:

- IPAM server must belong to the domain
- IPAM server cannot be a domain controller
- IPv6 must be enabled to manage IPv6
- Log on with a domain account
- You must be in the correct IP security group
- Logging account logon events must be enabled for IP address tracking and auditing

Hardware and software:

- CPU: dual core, 2.0 GHz or higher
- Windows Server 2012 operating system
- 4 GB of RAM / 80 GB free disk space

DEMO: Implementing IPAM

In this demonstration you will see how to:

- Install IPAM
- Create IPAM related GPOs
- Initiate server discovery

What is NAP?

Network Access Protection can:

- Enforce health-requirement policies on client computers
- Ensure client computers are compliant with policies
- Offer remediation support for computers that do not meet health requirements

Network Access Protection cannot:

- Protect the network from malicious users
- Guarantee that a client computer is not infected

What's New for NAP in Windows Server 2012

- Support for Windows PowerShell
- RRAS is now a role service in the Remote Access server role

NAP Architecture

[Figure: NAP Platform Architecture. Labeled components: VPN Server, Active Directory, IEEE 802.1X Devices, Health Registration Authority, DHCP Server, NAP Health Policy Server, Remediation Servers, NAP Client with limited access. Labeled network zones: Internet, Perimeter Network, Intranet, Restricted Network.]

Scenarios for Using NAP


- Roaming laptops
- Desktop computers
- Visiting laptops
- Unmanaged home computers

Considerations for NAP


- Use Group Policy to deploy client settings
- Plan the enforcement type you will use
- Plan for a remediation network
- Ensure you can provide the administrative support for the solution

Requirements for Implementing NAP


- All enforcement methods require the NAP agent to run on the client
- Network Policy Server (NPS) is required to create and enforce policies
- System health validators (SHVs) are required to determine what will be evaluated on the client
- System health policies are required to determine client compliance or noncompliance
- Certificates are required to validate computer identities for PEAP authentication
- Remediation networks can provide a way for clients to become compliant and gain access to the network

NAP with VPN


- The VPN server uses the NPS server as the primary RADIUS server
- VPN servers are configured as RADIUS clients in NPS
- Connection request policy has the VPN server as source
- Configure SHVs to test for health conditions
- Health policies pass compliant clients and fail noncompliant clients
- Network policy grants full access to compliant clients and limited access to noncompliant clients
- Group Policy or local policy can enable the enforcement clients (ECs) on client computers
- NAP agent service must be enabled on clients
- Computer certificates are required for PEAP authentication

NAP with IPsec Requirements


- A CA to issue health certificates
- An HRA to authenticate and obtain health certificates on behalf of clients
- Authentication requirements: domain only or anonymous
- An NPS server
- Clients configured for IPsec enforcement
- IPsec policies to create logical networks

NAP with DHCP


- NAP enforcement can be integrated with DHCP
- NPS server uses health policies and SHVs to evaluate client health
- NPS tells the DHCP server to provide full access to compliant computers and to restrict access to noncompliant computers

Quick Review

- Will client computers still be able to access the network if the DHCP server fails?
- Is a third party certification authority required to implement DNSSEC?
- What is the difference between a centralized and a distributed IPAM topology?
- True or false: NAP can protect your network from viruses and malware on remote computers that connect to your network through VPN connections.

Module Review and Takeaways


- Best Practices
- Common Issues and Troubleshooting Tips
- Review Questions
- Real-world Issues and Scenarios
- Tools
