20411B-ENU-TrainerHandbook.pdf

3. Configure computer certificate auto-enrollment by performing the following steps:
   a. On LON-DC1, switch to Server Manager, click Tools, and then click Group Policy Management.
   b. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
   c. In the Adatum.com console, right-click Default Domain Policy, and then click Edit.
   d. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
   e. In the Public Key Policies details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
   f. In the Automatic Certificate Request Setup Wizard, click Next.
   g. On the Certificate Template page, click Computer, click Next, and then click Finish.
   h. Close both the Group Policy Management Editor and the Group Policy Management Console.

Administering Windows Server® 2012
Task 3: Configure internal resources

1. Request a certificate for LON-SVR1 by performing the following steps:
   a. On LON-SVR1, move the mouse to the lower-right corner of the screen, click Search, type cmd, and then press Enter.
   b. At the command prompt, type the following command, and then press Enter:

      gpupdate /force

   c. At the command prompt, type the following command, and then press Enter:

      mmc

   d. Click File, and then click Add/Remove Snap-in.
   e. Click Certificates, click Add, click Computer account, click Next, click Local computer, click Finish, and then click OK.
   f. In the Certificates snap-in console, expand Certificates (Local Computer), expand Personal, and then click Certificates.
   g. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
   h. Click Next twice.
   i. On the Request Certificates page, click Adatum Web Server Certificate, and then click More information is required to enroll for this certificate.
   j. In the Certificate Properties dialog box, on the Subject tab, under Subject name, under Type, click Common name.
   k. In the Value text box, type nls.adatum.com, and then click Add.
   l. Click OK, click Enroll, and then click Finish.
   m. In the Certificates snap-in details pane, verify that a new certificate with the name nls.adatum.com was enrolled with Intended Purposes of Server Authentication.
   n. Close the console window. When you are prompted to save settings, click No.
   d. In the console tree, expand LON-RTR, expand Sites, click Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.
   e. In the Add Virtual Directory dialog box, in the Alias text box, type CRLD. Next to Physical path, click the ellipsis (…) button.
   f. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.
   g. Type CRLDist, and then press Enter.
   h. In the Browse for Folder dialog box, click OK.
   i. In the Add Virtual Directory dialog box, click OK.
   j. In the middle pane of the console, double-click Directory Browsing, and in the Actions pane, click Enable.
   k. In the console, click the CRLD folder.
   l. In the middle pane of the console, double-click the Configuration Editor icon.
   m. Click the down-arrow of the Section drop-down list, expand system.webServer, expand security, and then click requestFiltering.
   n. In the middle pane of the requestFiltering console, double-click allowDoubleEscaping to change the value from False to True.
   o. In the Actions pane, click Apply.
   p. Close Internet Information Services (IIS) Manager.

Question: Why do you make the CRL available on the edge server?

Answer: You make the CRL available on the edge server so that the Internet DirectAccess clients can access the CRL.
3. Share and secure the CRL distribution point by performing the following steps:
   a. On the taskbar, click the Windows Explorer icon.
   b. In Windows Explorer, double-click Local Disk (C:).
   c. In the Windows Explorer details pane, right-click the CRLDist folder, and then click Properties.
   d. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
   e. In the Advanced Sharing dialog box, click Share this folder.
   f. In the Share name text box, add a dollar sign ($) to the end of the name so that the share name is CRLDist$.
   g. In the Advanced Sharing dialog box, click Permissions.
   h. In the Permissions for CRLDist$ dialog box, click Add.
   i. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
   j. In the Object Types dialog box, select Computers, and then click OK.
   k. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select text box, type LON-DC1, click Check Names, and then click OK.
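As an added check that is not part of the handbook, the following PowerShell script, run on LON-RTR, confirms the CRL distribution point built in the steps above. It assumes the lab's names (Default Web Site, the CRLD virtual directory, C:\CRLDist, the CRLDist$ share) and the WebAdministration and SmbShare modules; the function names are mine. It goes one step beyond the GUI steps by also confirming that allowDoubleEscaping was relaxed on the CRLD directory only and did not end up on the site root.

```powershell
# Added verification script (not from the handbook). Assumes the lab's names:
# site 'Default Web Site', virtual directory 'CRLD', folder C:\CRLDist and
# hidden share 'CRLDist$'. Run in an elevated PowerShell session on LON-RTR.
Import-Module WebAdministration
Import-Module SmbShare

function Get-IisBoolProperty {
    # Get-WebConfigurationProperty may return the bare value or a
    # ConfigurationAttribute wrapper; normalise either to a [bool].
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $raw = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($raw -is [bool]) { return $raw }
    return [bool]$raw.Value
}

function Test-CrlDistributionPoint {
    $siteName = 'Default Web Site'
    $sitePath = "IIS:\Sites\$siteName"
    $vdirPath = "$sitePath\CRLD"
    $rfFilter = 'system.webServer/security/requestFiltering'
    $vdir     = Get-WebVirtualDirectory -Site $siteName -Name 'CRLD'

    $r = [ordered]@{
        VirtualDirectoryExists  = [bool]$vdir
        PhysicalPath            = $vdir.physicalPath
        # Delta CRL file names contain '+', which request filtering rejects
        # unless double escaping is allowed; the lab relaxes it on CRLD only.
        DoubleEscapingOnCRLD    = Get-IisBoolProperty $vdirPath $rfFilter 'allowDoubleEscaping'
        # The relaxed filter must stay confined to CRLD, not the whole site.
        DoubleEscapingOnSite    = Get-IisBoolProperty $sitePath $rfFilter 'allowDoubleEscaping'
        DirectoryBrowsingOnCRLD = Get-IisBoolProperty $vdirPath 'system.webServer/directoryBrowse' 'enabled'
        ShareExists             = [bool](Get-SmbShare -Name 'CRLDist$' -ErrorAction SilentlyContinue)
        # Share permissions: expect the LON-DC1 computer account (LON-DC1$) added in step k.
        ShareAccess             = @(Get-SmbShareAccess -Name 'CRLDist$' -ErrorAction SilentlyContinue |
                                    ForEach-Object { "$($_.AccountName): $($_.AccessControlType) $($_.AccessRight)" })
    }
    $r.Healthy = $r.VirtualDirectoryExists -and $r.DoubleEscapingOnCRLD -and
                 (-not $r.DoubleEscapingOnSite) -and $r.ShareExists
    return [pscustomobject]$r
}

Test-CrlDistributionPoint | Format-List
```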
   e. In the results pane, click Run the Getting Started Wizard.

   Note: If you get an error at this point, restart LON-RTR, sign in as Adatum\administrator, and

   f. In the Configure Remote Access Wizard, click Deploy DirectAccess only.
   g. In the Network Topology pane, verify that Edge is selected, and verify that 131.107.0.2 is the public name used by clients to connect to the Remote Access server.
   h. Click Next.
   i. On the Configure Remote Access page, click Finish.
   j. When the configuration completes, click Close.
   k. In the Remote Access Management console, under Step 1, click Edit, and then click Next.
   l. Under Select Groups, in the details pane, click Add.
   m. In the Select Group dialog box, type DA_Clients, and then click OK.
   n. Clear the Enable DirectAccess for mobile computers only check box.
   o. Remove the Domain Computers group, and then click Next. Click Finish.
   p. In the Remote Access Management console, under Step 2, click Edit.
   q. On the Network Topology page, verify that Edge is selected, type 131.107.0.2, and then click Next.
   r. On the Network Adapters page, verify that CN=131.107.0.2 is used as a certificate to authenticate IP-HTTPS connections, and then click Next.
   s. On the Authentication page, click Use computer certificates, click Browse, click Adatum-LON-DC1-CA, click OK, and then click Finish.
   t. In the Remote Access Setup pane, under Step 3, click Edit.
   u. On the Network Location Server page, click The network location server is deployed on a remote web server (recommended). In the URL field of the network location server (NLS), type https://nls.adatum.com, and then click Validate.
   v. Ensure that the URL is validated.
   w. Click Next, on the DNS page, examine the values, and then click Next.
   x. In the DNS Suffix Search List, click Next.
   y. On the Management page, click Finish.
   z. Under Step 4, click Edit.
   aa. On the DirectAccess Application Server Setup page, click Finish.
   bb. Click Finish to apply the changes.
   cc. In Remote Access Review, click Apply.
   dd. Under Applying Remote Access Setup Wizard Settings, click Close.
6. Update Group Policy settings on LON-RTR by performing the following steps:
   a. Move the mouse pointer to the lower-right corner, on the menu bar, click Search, type cmd, and then press Enter.
   b. At the command prompt, type the following commands, pressing Enter at the end of each line:

   Note: Verify that LON-RTR has an IPv6 address for Tunnel adapter IPHTTPSInterface starting with 2002.

Results: After completing this exercise, you will have configured the DirectAccess infrastructure.
Exercise 2: Configuring the DirectAccess Clients

Task 1: Configure DirectAccess Group Policy settings

1. Start LON-CL1 and sign in as Adatum\Administrator with the password of Pa$$w0rd. This is to ensure that the LON-CL1 computer connects to the domain as a member of the DA_Clients security group.
2. At Start, type cmd to open a command prompt window.
3. At the command prompt, type the following command, and then press Enter:

   gpupdate /force

4. At the command prompt, type the following command, and then press Enter:

   gpresult /R

5. Verify that the DirectAccess Client Settings GPO displays in the list of Applied Policy objects for the Computer Settings.

Note: If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart the computer. After the computer restarts, sign in as Adatum\Administrator and run the gpresult /R command again.
Task 2: Verify client computer certificate distribution

1. In the command prompt, type mmc.exe, and then press Enter.
2. In the MMC console, click File, and then click Add/Remove Snap-in.
3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.
4. In the Certificates snap-in console, expand Certificates (Local Computer), expand Personal, and then click Certificates.
5. In the Certificates details pane, verify that a certificate with the name LON-CL1.adatum.com displays with Intended Purposes of Client Authentication and Server Authentication.
6. Close the console window. When you are prompted to save settings, click No.
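An added check, not from the handbook, that does by script what step 5 above and step 1 m of Task 3 in the previous exercise verify in the MMC: it looks up a machine certificate by common name and confirms that it carries the required Enhanced Key Usages, is within its validity period and has a private key. The function name, parameter names and the two example calls are mine; it assumes the certificate was enrolled into the local computer's Personal store, and the OIDs are the standard Server Authentication and Client Authentication EKU identifiers.

```powershell
# Added check (not from the handbook). Looks up a machine certificate by its
# common name and verifies the EKUs the lab expects. Names below are mine;
# the OIDs are the standard Server/Client Authentication EKU identifiers.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Test-EnrolledCertificate {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [Parameter(Mandatory)][string[]]$RequiredEkuOids,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # Certificates (Local Computer)\Personal
    )
    $now  = Get-Date
    $cert = Get-ChildItem $StorePath |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($CommonName))(,|$)" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ CommonName = $CommonName; Found = $false; Ok = $false; Reason = 'no certificate' }
    }
    # EnhancedKeyUsageList is the parsed EKU extension exposed by the certificate provider.
    $ekus    = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $missing = @($RequiredEkuOids | Where-Object { $ekus -notcontains $_ })
    $valid   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    $reason  = 'ok'
    if ($missing.Count -gt 0)         { $reason = "missing EKU: $($missing -join ', ')" }
    elseif (-not $valid)              { $reason = 'expired or not yet valid' }
    elseif (-not $cert.HasPrivateKey) { $reason = 'no private key' }
    [pscustomobject]@{
        CommonName    = $CommonName
        Found         = $true
        Thumbprint    = $cert.Thumbprint
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey
        TimeValid     = $valid
        MissingEkus   = $missing
        Ok            = ($reason -eq 'ok')
        Reason        = $reason
    }
}

# On LON-SVR1 (previous exercise, Task 3 step 1 m): the NLS certificate.
Test-EnrolledCertificate -CommonName 'nls.adatum.com' -RequiredEkuOids $ServerAuthOid
# On LON-CL1 (Task 2 step 5 above): the auto-enrolled Computer certificate.
Test-EnrolledCertificate -CommonName 'LON-CL1.adatum.com' -RequiredEkuOids $ClientAuthOid, $ServerAuthOid
```

Run the call that matches the computer you are on; the other reports Found = False because that certificate lives in the other machine's store.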
Task 3: Verify internal connectivity to resources

1. On LON-CL1, on the desktop, in the taskbar, click Internet Explorer.
2. In the Windows Internet Explorer® address bar, type http://lon-svr1.adatum.com/, and then press Enter. The default IIS 8 web page for LON-SVR1 displays.
3. In the Internet Explorer address bar, type https://nls.adatum.com/, and then press Enter. The default IIS 8 web page for LON-SVR1 displays.
4. Leave the Internet Explorer window open.
5. On the taskbar, click the Windows Explorer icon.
6. In the Windows Explorer address bar, type \\Lon-SVR1\Files, and then press Enter. A window with the Files shared folder contents displays.
7. Close all open windows.

1. Switch to LON-CL1.
2. On LON-CL1, move the mouse pointer to the lower-right end of the screen, click Settings, select Control Panel, and then click Network and Internet.
3. Click Network and Sharing Center.
4. Click Change Adapter Settings.
5. Right-click Local Area Connection, and then click Properties.
6. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address.
8. Complete the following settings, and then click OK:
   o IP address: 131.107.0.10
   o Subnet mask: 255.255.0.0
   o Default gateway: 131.107.0.2
9. In the Local Area Connection Properties dialog box, click OK.
10. In the Network Connections window, right-click Local Area Connection, and then click Disable.
11. In the Network Connections window, right-click Local Area Connection, and then click Enable.