Workshop on Windows Server 2012


Topics covered in the workshop

DHCP Scope Splitting

A Dynamic Host Configuration Protocol (DHCP) split-scope configuration using multiple DHCP servers provides greater fault tolerance and redundancy than a single DHCP server. This step-by-step guide introduces DHCP with a split scope on a secondary server, with delay, and gives instructions for setting up a test lab using two DHCP servers and one DHCP client.

Requirements for DHCP scope splitting

You must have three computers running Windows Server 2012:
Computer1: promote to a domain controller (DC).
Computer2 and Computer3: members of the domain, with the DHCP service installed.

Configure DHCP scope splitting

1. In the DHCP console tree, right-click Scope [172.16.0.0] SS Scope, and then click Advanced > Split-Scope.
2. The DHCP Split-Scope Configuration wizard is launched.

3. On the Percentage of Split page, set the configuration for an 80:20 ratio by assigning DHCP Server 1 to exclude addresses 172.16.1.164 to 172.16.1.204 and DHCP Server 2 to exclude 172.16.1.4 to 172.16.1.163. See the example below.
4. Click Next. On the Delay in DHCP Offer page, configure DHCP Server 1 with a value of 0 (the default) and configure the Added DHCP Server (DHCP Server 2) with 1000 milliseconds. DHCP Server 2 then sends DHCP OFFER messages only after a delay of 1000 milliseconds, which prevents the exhaustion of IPv4 addresses from the required scope of DHCP Server 2.

VM Migration using Hyper-V
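The split-scope configuration from the DHCP section above, written as a PowerShell script for the DhcpServer module instead of the Split-Scope wizard. This is an added example and not part of the workshop handout; the server names, the 255.255.0.0 subnet mask for scope 172.16.0.0, and the assumption that scope options are already identical on both servers (the wizard copies them, this script does not) are mine.

```powershell
# Added example: 80:20 split scope with the DhcpServer module (Windows Server 2012).
# Assumptions: both servers are authorized in AD, scope options already match,
# host names are constructed for this example.

$Scope = @{
    Name       = "SS Scope"
    ScopeId    = "172.16.0.0"
    StartRange = "172.16.1.4"
    EndRange   = "172.16.1.204"
    SubnetMask = "255.255.0.0"   # assumption: /16, so 172.16.1.x lies inside scope 172.16.0.0
}

# Each server excludes the other server's share of the range, so any single
# address can only ever be leased by one of them. Server 2 also delays its
# OFFER by 1000 ms, so Server 1 answers first for as long as it is healthy.
$Split = @(
    @{ Server = "dhcp1.lab.local"; ExcludeStart = "172.16.1.164"; ExcludeEnd = "172.16.1.204"; DelayMs = 0    }
    @{ Server = "dhcp2.lab.local"; ExcludeStart = "172.16.1.4";   ExcludeEnd = "172.16.1.163"; DelayMs = 1000 }
)

foreach ($Member in $Split) {
    $Cn = $Member.Server

    # Create the scope on this server only if it is not already there.
    if (-not (Get-DhcpServerv4Scope -ComputerName $Cn -ScopeId $Scope.ScopeId -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -ComputerName $Cn -Name $Scope.Name `
            -StartRange $Scope.StartRange -EndRange $Scope.EndRange `
            -SubnetMask $Scope.SubnetMask -State Active
    }

    # Exclusion range = the part of the scope this server must NOT lease.
    Add-DhcpServerv4ExclusionRange -ComputerName $Cn -ScopeId $Scope.ScopeId `
        -StartRange $Member.ExcludeStart -EndRange $Member.ExcludeEnd

    # "Delay in DHCP Offer", in milliseconds (0 = answer immediately).
    Set-DhcpServerv4Scope -ComputerName $Cn -ScopeId $Scope.ScopeId -Delay $Member.DelayMs
}

# Verify: the two exclusion ranges must be disjoint and together cover the
# whole range, otherwise both servers could hand out the same address.
foreach ($Member in $Split) {
    $Cn = $Member.Server
    $S  = Get-DhcpServerv4Scope -ComputerName $Cn -ScopeId $Scope.ScopeId
    $X  = Get-DhcpServerv4ExclusionRange -ComputerName $Cn -ScopeId $Scope.ScopeId
    "{0}: delay={1} ms, excludes {2}-{3}" -f $Cn, $S.Delay, $X.StartRange, $X.EndRange
}
```

Run it once from a management workstation that has the DHCP RSAT tools; the verification loop at the end should print a 0 ms delay with the .164 to .204 exclusion for Server 1 and a 1000 ms delay with the .4 to .163 exclusion for Server 2.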

Hyper-V role migration involves moving the virtual machines, virtual networks, and all associated settings from one physical computer to another in the enterprise. The process supports moving from a server running Hyper-V in Windows Server 2012 to a server running Hyper-V in Windows Server 2012 R2. The Hyper-V role does not depend on any other roles.

Installing the Hyper-V role in Windows Server 2012 R2

1. Install Windows Server 2012 R2 on the new server hardware.
2. Install the Hyper-V role on the server.
3. Configure the following Hyper-V settings, for example:
   - The default location for virtual hard disks and virtual machine configuration files.
   - Live migration settings. Even if live migration was not previously configured, you must enable and configure live migration on both servers.
   - Virtual switches.
   - Hyper-V Administrators local group membership.
4. Install the latest updates.
5. You must have three computers running Windows Server 2012.
6. Computer1: promote to DC.
7. Computer2 and Computer3: members of the domain, with the DHCP service installed.

Perform the following procedure on the source server running Hyper-V in Windows Server 2012.

To move the virtual machine to Hyper-V in Windows Server 2012 R2

1. On the source server running Hyper-V in Windows Server 2012, open the Hyper-V Manager console and select the virtual machine that you want to move.
2. From the Actions pane, click Move. This opens the Move Wizard.
3. On the Choose Move Type page, select Move the virtual machine.
4. On the Specify Destination Computer page, specify the name of the server that is running Windows Server 2012 R2.
5. On the Choose Move Options page, select Move only the virtual machine.

iSCSI Target and Initiator
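The Hyper-V preparation and move steps from the previous section, as an added PowerShell example that is not part of the workshop handout. Host names, paths, the migration subnet, the adapter name and the operators group are constructed values; both hosts are assumed to be in the same domain.

```powershell
# Added example: Hyper-V host preparation (on the 2012 R2 destination) and the
# "Move only the virtual machine" step (on the 2012 source). All names are
# constructed for this example.

# --- Part 1: on the destination host (Windows Server 2012 R2) ---------------

# Step 2: install the Hyper-V role with its management tools (reboots).
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart

# Step 3: default paths for VM configuration files and virtual hard disks.
Set-VMHost -VirtualMachinePath "D:\Hyper-V\VMs" -VirtualHardDiskPath "D:\Hyper-V\Disks"

# Step 3: live migration. CredSSP (the default) sends your credentials to the
# host, so a move must be started while logged on to the source host itself;
# Kerberos avoids that but needs constrained delegation on the hosts' computer
# accounts in AD. Pinning migration to one subnet keeps VM memory off the
# general-purpose network.
Enable-VMMigration
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos `
           -UseAnyNetworkForMigration $false `
           -MaximumVirtualMachineMigrations 2
Add-VMMigrationNetwork -Subnet "10.10.50.0/24"

# Step 3: a virtual switch on the physical uplink. The name must match the
# switch name on the source host, or the moved VM's NIC ends up disconnected.
New-VMSwitch -Name "External" -NetAdapterName "Ethernet 2" -AllowManagementOS $true

# Step 3: delegate VM administration without handing out local Administrators.
# (Add-LocalGroupMember only exists from Windows Server 2016, hence net.exe.)
net localgroup "Hyper-V Administrators" "LAB\HyperV-Operators" /add

# --- Part 2: on the source host (Windows Server 2012) -----------------------

# Move Wizard steps 1-5: "Move the virtual machine" / "Move only the virtual
# machine". Without -IncludeStorage only the configuration and running state
# move, so the VHDs must already sit on storage both hosts can reach.
Move-VM -Name "FileServer01" -DestinationHost "hv-dst.lab.local"

# Confirm the VM is gone from here and running on the destination.
Get-VM -Name "FileServer01" -ErrorAction SilentlyContinue
Get-VM -ComputerName "hv-dst.lab.local" -Name "FileServer01" | Select-Object Name, State, ComputerName
```

Step 4 of the handout (install the latest updates) is left to Windows Update; run it before the first move so that both hosts carry the same integration components.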

The iSCSI target allows your Windows Server to share block storage remotely. iSCSI uses the Ethernet network and does not require any specialized hardware. iSCSI Target Server is a service available in Windows Server 2012 R2 and can be enabled from the Add Roles and Features Wizard.

Target: Targets are created in order to manage the connections between the iSCSI target server and the servers that need to access them. You assign logical unit numbers (LUNs) to a target, and all servers that log on to that target have access to the LUNs assigned to it.

iSCSI Target Server: The iSCSI target server is the server where the iSCSI target service is running. In Windows Server 2012 there is a service called iSCSI Target Server that you can install to configure an iSCSI target server.

iSCSI virtual disk: iSCSI virtual disks are created on the iSCSI target server and associated with an iSCSI target. An iSCSI virtual disk represents an iSCSI LUN, which is connected to clients using the iSCSI initiator.

iSCSI initiator: The iSCSI initiator enables you to connect a host computer running Windows 7 / Windows Server 2008 R2 or later to an external iSCSI-based storage array through an Ethernet network adapter. The iSCSI initiator service runs on the client and is used to make a connection to the iSCSI target by logging on to a target server.

How to configure the iSCSI service in Windows Server 2012 R2

1. Go to the Add Roles and Features Wizard and install the iSCSI Target Server role under the File Server role.
2. Install the iSCSI Target Server role.
3. Once the iSCSI service is installed, you can create iSCSI virtual disks and connect them to the servers you want. Click New iSCSI Virtual Disk.
4. As Windows Server 2012 R2 allows you to manage other servers, you can select the server where you want to create the iSCSI VHD.
5. Provide a name for the iSCSI virtual disk. As you will notice, it now has support for .vhdx files.
6. There are different options that you can select for your disk, including fixed size, dynamically expanding and differencing disks. As I do not have dedicated storage for the disk, I want to select Dynamically expanding.

7. If you already have an iSCSI target, you can add the iSCSI virtual disk to that target or create a new iSCSI target. Once an iSCSI initiator connects to the iSCSI target, all iSCSI virtual disks assigned to it are available to the server.
8. Provide a name for the iSCSI target.
9. Add the iSCSI initiator servers that will access the iSCSI target. You can specify more than one initiator here; I have added two servers under iSCSI initiators.
10. Add the iSCSI initiator that will access this iSCSI target.
11. Select an authentication method that is used to connect to the iSCSI target. As this is just a lab, I didn't select any authentication method.
12. The target is created.

Connecting the iSCSI initiator to the iSCSI target server

The iSCSI initiator and iSCSI target are on different machines (physical or virtual). You provide the iSCSI target server's IP address or hostname to the initiator, and the initiator then discovers the iSCSI target. All targets that the initiator is allowed to access are presented to it.

1. Once the iSCSI target is configured, go to the Windows Server 2012 R2 server where you want to connect to the iSCSI virtual disk. Open iSCSI Initiator from the server tools and provide the IP address or hostname of the iSCSI target server.
2. It displays the targets that are configured on the server. Connect to the iSCSI target. Once connected, you have access to all the iSCSI virtual disks that are associated with that target.

3. Create a new volume. Once the connection is established, the iSCSI virtual disk is presented to the initiator as a disk. By default, this disk is offline. For typical usage, you create a volume, format it and assign a drive letter so it can be used just like a local hard disk.

Capture image using WDS

How to Create a Capture Image by Using the WDS Console
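The iSCSI target and initiator procedure from the section above as PowerShell, added here as an example that is not part of the workshop handout. It goes one step beyond the lab by enabling one-way CHAP on the target (step 11 left authentication unset). Server names, the initiator IQN, the VHDX path and the CHAP secret are constructed values; both machines are assumed to be Windows Server 2012 R2.

```powershell
# Added example: iSCSI Target Server (part 1) and initiator (part 2) setup.
# Names, paths, IQNs and the CHAP secret are constructed for this example.

# --- Part 1: target server -------------------------------------------------

# Steps 1-2: install the iSCSI Target Server role service.
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools

# Steps 3-6: a dynamically expanding .vhdx (the default; add -UseFixed for fixed size).
New-IscsiVirtualDisk -Path "E:\iSCSIVirtualDisks\Data01.vhdx" -SizeBytes 100GB

# Steps 7-10: one target, reachable only from the listed initiators. Access is
# decided by the initiator identifier (IQN, DNS name, IP or MAC), so name the
# machines explicitly instead of leaving the list empty.
$Initiators = @(
    "IQN:iqn.1991-05.com.microsoft:app1.lab.local",
    "DNSName:app2.lab.local"
)
New-IscsiServerTarget -TargetName "Data01" -InitiatorIds $Initiators
Add-IscsiVirtualDiskTargetMapping -TargetName "Data01" -Path "E:\iSCSIVirtualDisks\Data01.vhdx"

# Step 11: the lab picked no authentication; here the target requires CHAP,
# so a host that only spoofs an allowed IQN still cannot log on.
# The CHAP secret must be 12-16 characters; the user name is the CHAP identity.
$ChapSecret = ConvertTo-SecureString "Lab-Chap-Secret1" -AsPlainText -Force
$Chap = New-Object System.Management.Automation.PSCredential ("app-initiators", $ChapSecret)
Set-IscsiServerTarget -TargetName "Data01" -EnableChap $true -Chap $Chap

# Step 12: show what was built.
Get-IscsiServerTarget -TargetName "Data01" | Select-Object TargetName, InitiatorIds, EnableChap, Status

# --- Part 2: initiator -------------------------------------------------------

# Initiator steps 1-2: start the service, register the target portal, then log
# on with the same CHAP identity. -IsPersistent restores the session at boot.
Set-Service -Name msiscsi -StartupType Automatic
Start-Service -Name msiscsi
New-IscsiTargetPortal -TargetPortalAddress "target1.lab.local"
# Windows names targets iqn.1991-05.com.microsoft:<server>-<targetname>-target
$Target = Get-IscsiTarget | Where-Object { $_.NodeAddress -like "*-data01-*" }
Connect-IscsiTarget -NodeAddress $Target.NodeAddress -IsPersistent $true `
    -AuthenticationType ONEWAYCHAP -ChapUsername "app-initiators" -ChapSecret "Lab-Chap-Secret1"

# Initiator step 3: the new disk arrives offline and uninitialized. Bring it
# online, initialize it, create one volume, format it and assign a letter.
# (Assumes exactly one new iSCSI disk; pick by serial number if there are more.)
$Disk = Get-Disk | Where-Object { $_.BusType -eq "iSCSI" -and $_.PartitionStyle -eq "RAW" }
Set-Disk -Number $Disk.Number -IsOffline $false
Initialize-Disk -Number $Disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $Disk.Number -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "Data01" -Confirm:$false
```

Keep the CHAP secret out of scripts in anything but a lab; in production read it from a secured store on each side, and consider mutual CHAP (-EnableReverseChap on the target) so the initiator can also verify it is talking to the right target.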

"A capture image is created from an existing boot image. You will create a new capture image by right-clicking on an existing boot image and then selecting the Create Capture Image option (see the following figure). The Create Capture Image Wizard will start."

"The default details in the Image Name and Image Description fields will be derived from those same details in the source boot image. You should customize them to make it clear that this is a capture image rather than a normal boot image. The Location And File Name field is used to specify where the new WIM file for the capture image will be created. I am going to show you a little shortcut. The wizard will lead you to think that you should create the new WIM file in a temporary location and then add it again in a later step. I feel like that is a bit of wasted effort. Instead, I recommend that you simply create the new capture image file in the image store location for boot images. That will eliminate the additional step. You should create 32-bit images in \Remoteinstall\Boot\x86\Images and 64-bit images in \Remoteinstall\Boot\x64\Images."

Look at the following figure:

"The source boot image will be used as a template for the new capture image file. The new capture image WIM file will be added in the location that you have specified. The screen in the following figure will appear when the image creation has completed successfully. Clear the Add Image To The Windows Deployment Server Now check box if you have followed my advice on where to create the image. This option is used when you have created the capture image in another location and want to add it to the correct location."

Returning to the WDS console, you can right-click on your server and select Refresh. Browse into Boot Images and you should see your new capture image. This is a new WIM file that is independent of the source boot image and consumes disk space. You will need to remember to update this capture image with any new driver packages that you add from this point on. Remember that you may also need both 32-bit and 64-bit capture images. You will now use this capture image to boot up the reference machine and capture the generalized image.

How to Create an Image by Using a Capture Image

Power up the reference machine and boot it from the network. Choose the capture boot image when the PXE client starts.

The boot image will download over the network and start. You can skip the welcome screen to get to the Directory To Capture screen, as shown in the following figures:

You have to enter three pieces of information. You should select the volume letter that you want to capture using WDS. This highlights a limitation of WDS: you can only capture and deploy a single volume. You might notice something odd here. The volume we are capturing is shown as D:, even though it is the C: drive when the reference machine is booted up. There is a handy solution you can use if you are a little confused about which volume you are capturing.

1. Start a command prompt in Windows PE by pressing Shift+F10.
2. Navigate the volumes (cd) and list their contents to see which volume letter you need to select. You can also do this with diskpart by running the list volume command.

3. Enter the image name and description as you want them to appear in the WDS console and to users when they are deploying images to their machines. You can change the name and description later in the console.
4. The New Image Location screen is where you configure the location of the new image that is to be created, and whether and how you want the image to be uploaded to the WDS server.
5. Click Browse to select a location in which to create the new installation image and to name the file. You can create the new image on the same volume that you are capturing if there is sufficient space. You will need an additional local (not network-based) volume if there is not enough space.
6. Optionally select the option to upload the new image to the WDS server. If you want to do this, click the Connect button to authenticate with the WDS server. Once you have entered valid credentials, you can select an Image Group to add the new image to. This uses Single Instance Storage (SIS) to reduce the amount of disk space needed to store the image. Make sure you choose an image group that matches the operating system, edition, and architecture of your new image.

The image is captured and will be uploaded to your WDS server if configured. The image will then be available for further configuration (such as access permissions) and deployment to other machines.

Note: Remember that you will need to refresh the WDS console (if it was already open) to see the new installation image.
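The capture-image steps above done with wdsutil.exe instead of the console wizard, as an added example that is not part of the guide. It builds both the x86 and x64 capture images the guide says you may need, following the wizard's standard route (stage the WIM, then add it) rather than the author's shortcut. The source boot image names, the staging paths and the driver group name "DriverGroup1" (the default group WDS creates) are assumptions; the script runs on the WDS server itself.

```powershell
# Added example: create, register and driver-refresh capture images with
# wdsutil.exe. Image names and paths are constructed for this example.

$Images = @(
    @{ Arch = "x64"; Source = "Microsoft Windows Setup (x64)"; Wim = "D:\Staging\Capture-x64.wim" }
    @{ Arch = "x86"; Source = "Microsoft Windows Setup (x86)"; Wim = "D:\Staging\Capture-x86.wim" }
)

foreach ($Img in $Images) {
    $Name = "Capture Image ($($Img.Arch))"

    # Wizard steps 1-3: derive the capture image from the existing boot image,
    # with a name and description that make clear it is a capture image.
    wdsutil.exe /New-CaptureImage /Image:"$($Img.Source)" /Architecture:$($Img.Arch) `
        /DestinationImage /FilePath:"$($Img.Wim)" `
        /Name:"$Name" /Description:"Boot here to capture a generalized reference machine"

    # Check the name and description inside the staged WIM before importing it.
    dism.exe /Get-WimInfo /WimFile:"$($Img.Wim)"

    # The "Add Image To The Windows Deployment Server Now" step of the wizard:
    # WDS copies the staged WIM into its boot image store.
    wdsutil.exe /Add-Image /ImageFile:"$($Img.Wim)" /ImageType:Boot

    # The guide warns that a capture image is an independent WIM that needs
    # its own driver packages; push the WDS driver group into it now.
    wdsutil.exe /Add-ImageDriverPackages /Image:"$Name" /ImageType:Boot `
        /Architecture:$($Img.Arch) /DriverGroup:"DriverGroup1"
}

# Confirm both capture images are listed (same effect as Refresh in the console).
wdsutil.exe /Get-AllImages /Show:Boot
```

Re-run the driver step whenever new network or storage drivers are added to the WDS driver store, since the capture image does not pick them up from the source boot image.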

VPN with RADIUS Authentication and Digital Certificates

VPN: Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization's private network.

Properties of VPN connections

VPN connections that use PPTP, L2TP/IPsec, and SSTP have the following properties: encapsulation, authentication, and data encryption.

Encapsulation: With VPN technology, private data is encapsulated with a header that contains routing information that allows the data to traverse the transit network. For examples of encapsulation.

Authentication: Authentication for VPN connections takes three different forms:

1. User-level authentication by using PPP authentication. To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the connection by using a Point-to-Point Protocol (PPP) user-level authentication method and verifies that the VPN client has the appropriate authorization. If mutual authentication is used, the VPN client also authenticates the VPN server, which provides protection against computers that are masquerading as VPN servers.
2. Computer-level authentication by using Internet Key Exchange (IKE). To establish an Internet Protocol security (IPsec) security association, the VPN client and the VPN server use the IKE protocol to exchange either computer certificates or a preshared key. In either case, the VPN client and server authenticate each other at the computer level. Computer certificate authentication is highly recommended because it is a much stronger authentication method. Computer-level authentication is only performed for L2TP/IPsec connections.
3. Data origin authentication and data integrity. To verify that the data sent on the VPN connection originated at the other end of the connection and was not modified in transit, the data contains a cryptographic checksum based on an encryption key known only to the sender and the receiver.

Data origin authentication and data integrity are only available for L2TP/IPsec connections.

Data encryption: To ensure confidentiality of the data as it traverses the shared or public transit network, the data is encrypted by the sender and decrypted by the receiver. The encryption and decryption processes depend on both the sender and the receiver using a common encryption key. Intercepted packets sent along the VPN connection in the transit network are unintelligible to anyone who does not have the common encryption key. The length of the encryption key is an important security parameter. Computational techniques can be used to determine the encryption key; however, such techniques require more computing power and computational time as the encryption keys get larger. Therefore, it is important to use the largest possible key size to ensure data confidentiality.

RADIUS

After the Routing and Remote Access and Demand-Dial Interface wizards complete, Windows authentication and Windows accounting are selected by default. You can change these defaults from Windows authentication and Windows accounting to Remote Authentication Dial-In User Service (RADIUS) authentication and RADIUS accounting, or you can choose separate providers for authentication and accounting. For a deployment that supports only a site-to-site connection, use Windows authentication and Windows accounting. However, you can change these defaults if the same answering router will support both the site-to-site connection and remote access users, and you want to use RADIUS as either the authentication provider or the accounting provider.

Use the following procedures to accomplish these tasks:
- Configure the authentication provider on the answering router
- Configure the accounting provider on the answering router

Configure the authentication provider on the answering router

Configure either Windows authentication or RADIUS authentication. If you select RADIUS authentication, add the answering router as a RADIUS client on the Network Policy Server (NPS) server. For information about how to add the answering router as a RADIUS client.

To use Windows Authentication

1. Open the Routing and Remote Access MMC snap-in.

2. Right-click the server name for which you want to configure authentication, and then click Properties.
3. On the Security tab, in Authentication provider, click Windows Authentication.

To use RADIUS Authentication

1. Open the Routing and Remote Access MMC snap-in.
2. Right-click the server name for which you want to configure RADIUS authentication, and then click Properties.
3. On the Security tab, in Authentication provider, click RADIUS Authentication, and then click Configure.
4. In the RADIUS Authentication dialog box, click Add.
5. In the Add RADIUS Server dialog box, configure the settings for your RADIUS authentication server, and then click OK.

Configure the accounting provider on the answering router

Configure either Windows accounting or RADIUS accounting. If you select RADIUS accounting, add the answering router as a RADIUS client on the NPS server. For information about how to add the answering router as a RADIUS client.

To use Windows Accounting

1. Open the Routing and Remote Access MMC snap-in.
2. Right-click the server name for which you want to configure Windows Accounting, and then click Properties.
3. On the Security tab, in Accounting provider, click Windows Accounting, and then click OK.

To use RADIUS Accounting

1. Open the Routing and Remote Access MMC snap-in.
2. Right-click the server name for which you want to configure RADIUS accounting, and then click Properties.
3. On the Security tab, in Accounting provider, click RADIUS Accounting, and then click Configure.
4. In the RADIUS Accounting dialog box, click Add.
5. In the Add RADIUS Server dialog box, configure the settings for your RADIUS accounting server, and then click OK.

Certificate-based Authentication Protocols
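Configuring the answering router for RADIUS authentication and accounting, and adding it as a RADIUS client on the NPS server, as an added PowerShell example that is not part of the workshop handout. It assumes the VPN server was deployed with the Remote Access role (Install-RemoteAccess -VpnType Vpn, which provides the RemoteAccess module) and an NPS server on Windows Server 2012 R2; host names are constructed and the shared secret is generated at run time.

```powershell
# Added example: RADIUS authentication and accounting provider for the VPN
# server, plus the matching RADIUS client entry on NPS. Host names are
# constructed for this example.

# --- Part 1: on the NPS server ---------------------------------------------

# The shared secret is all that authenticates the RRAS server to NPS, so
# generate a long random one instead of typing a short word.
$Bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$SharedSecret = [Convert]::ToBase64String($Bytes)   # 44 chars, under NPS's 128-char limit

# "Add the answering router as a RADIUS client on the NPS server."
# AuthAttributeRequired makes NPS demand the Message-Authenticator attribute
# (an HMAC keyed with the shared secret) on every Access-Request, so a request
# spoofed from the client's address without the secret is discarded.
Import-Module NPS
New-NpsRadiusClient -Name "vpn1" -Address "vpn1.lab.local" -SharedSecret $SharedSecret `
    -AuthAttributeRequired:$true

# Hand the secret to the RRAS administrator out of band; here it is just shown.
"Shared secret for vpn1: $SharedSecret"

# --- Part 2: on the VPN server (RemoteAccess module) ------------------------

$SharedSecret = Read-Host -Prompt "Shared secret from the NPS administrator"

# Authentication provider: RADIUS (Security tab > RADIUS Authentication >
# Configure > Add in the console).
Set-VpnAuthType -Type ExternalRadius -RadiusServer "nps1.lab.local" -SharedSecret $SharedSecret

# Accounting provider: RADIUS (Security tab > RADIUS Accounting > Configure >
# Add). Accounting-On/Off messages let NPS see when the VPN service restarts.
Add-RemoteAccessRadius -ServerName "nps1.lab.local" -SharedSecret $SharedSecret `
    -Purpose Accounting -AccountingOnOffMsg Enabled

# Verify what the server now uses for each purpose.
Get-RemoteAccessRadius | Select-Object ServerName, Purpose, Port, Score, Timeout

# Going back to the defaults described in the handout is a single call:
#   Set-VpnAuthType -Type Windows
```

Each RADIUS client on NPS should get its own secret; reusing one secret across several VPN servers means a compromise of any of them exposes the others' traffic to forgery.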

Certificates are digital documents that are issued by certification authorities (CAs), such as Active Directory Certificate Services (AD CS) or the VeriSign public CA. Certificates are used for network access authentication because they provide strong security for authenticating users and computers and eliminate the need for less secure password-based authentication methods.

Certificate types

When you use certificate-based authentication methods, it is important to understand the following types of certificates and how they are used:

CA certificate: When present on client and server computers, tells the client or server that it can trust other certificates, such as certificates used for client or server authentication, that are issued by this CA. This certificate is required for all deployments of certificate-based authentication methods.

Client computer certificate: Issued to client computers by a CA and used when the client computer needs to prove its identity to a server running NPS during the authentication process.

Server certificate: Issued to NPS servers by a CA and used when the NPS server needs to prove its identity to client computers during the authentication process.

User certificate: Issued to individuals by a CA and typically distributed as a certificate embedded on a smart card. The certificate on the smart card is used, along with a smart card reader attached to the client computer, when individuals need to prove their identity to NPS servers during the authentication process.
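A check that the certificate types just described are present and usable on a machine, added here as an example that is not part of the workshop handout. The function name, the CA subject "CN=Lab Root CA" and the store layout it assumes (an AD CS enterprise CA whose root is already trusted, machine certificates in the local machine Personal store) are mine.

```powershell
# Added example: verify the CA, client computer and server certificates for
# certificate-based network access authentication. CA name is constructed.

function Test-NetworkAuthCertificates {
    param(
        [ValidateSet("Client", "Server")] [string] $Role,
        [string] $IssuingCA = "CN=Lab Root CA"        # constructed CA subject
    )

    # Required EKU for the role: NPS servers prove identity with Server
    # Authentication, client computers with Client Authentication.
    $Eku = if ($Role -eq "Server") { "1.3.6.1.5.5.7.3.1" } else { "1.3.6.1.5.5.7.3.2" }

    # CA certificate: must be in the machine's Trusted Root (or Intermediate)
    # store, otherwise nothing this CA issued can be trusted.
    $CaCert = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -eq $IssuingCA }

    # Role certificate: machine Personal store, issued by that CA, and with a
    # private key (a certificate without one cannot prove identity).
    $Candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -eq $IssuingCA -and $_.HasPrivateKey }

    $Valid = foreach ($Cert in $Candidates) {
        # Test-Certificate builds and validates the chain, checks revocation
        # and confirms the certificate is good for the requested EKU.
        if (Test-Certificate -Cert $Cert -Policy BASE -EKU $Eku -ErrorAction SilentlyContinue) {
            $Cert
        }
    }

    [pscustomobject]@{
        Role         = $Role
        CaTrusted    = [bool] $CaCert
        UsableCerts  = @($Valid).Count
        Subjects     = @($Valid | ForEach-Object Subject)
        ExpiringSoon = @($Valid | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) }).Count
    }
}

# On an NPS server (use -Role Client on a domain-joined workstation):
Test-NetworkAuthCertificates -Role Server

# User certificates on a smart card do not live in the machine store; they
# show up in the user's Personal store only while the card is inserted.
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -eq "CN=Lab Root CA" } |
    Select-Object Subject, NotAfter, HasPrivateKey
```

A result with CaTrusted false or UsableCerts 0 explains most "certificate not found" EAP failures before touching NPS policy; a non-zero ExpiringSoon count is the cue to renew before authentication starts failing.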