Steps for Configuring the Corpnet Subnet

There are three steps to setting up the Corpnet subnet of the Base Configuration test lab.

  1. Configure DC1.

  2. Configure APP1.

  3. Configure CLIENT1.

Note

You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

The following sections provide details about how to perform these steps.

Step 1: Configure DC1

DC1 provides the following services:

  • A domain controller for the corp.contoso.com Active Directory Domain Services (AD DS) domain.

  • A DNS server for the corp.contoso.com DNS domain.

  • A DHCP server for the Corpnet subnet.

  • An enterprise root CA for the corp.contoso.com domain.

DC1 configuration consists of the following:

  • Install the operating system.

  • Configure TCP/IP.

  • Install Active Directory and DNS.

  • Install DHCP.

  • Install an enterprise root CA.

  • Configure the CRL settings for the enterprise root CA.

  • Create a DNS entry for crl.corp.contoso.com.

  • Create a user account in Active Directory.

  • Configure computer certificate auto-enrollment.

  • Configure computer account maximum password age.

Install the operating system on DC1

First, install Windows Server 2008 R2 Enterprise Edition as a standalone server.

To install the operating system on DC1

  1. Start the installation of Windows Server 2008 R2.

  2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition (full installation) and a strong password for the local Administrator account. Log on using the local Administrator account.

  3. Connect DC1 to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2008 R2.

  4. Connect DC1 to the Corpnet subnet.

Configure TCP/IP properties

Next, configure the TCP/IP protocol with a static IP address of 10.0.0.1 and the subnet mask of 255.255.255.0.

To configure TCP/IP on DC1

  1. In Initial Configuration Tasks, click Configure networking.

  2. In Network Connections, right-click Local Area Connection, and then click Properties.

  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Select Use the following IP address. In IP address, type 10.0.0.1. In Subnet mask, type 255.255.255.0. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.

  5. Click Advanced, and then click the DNS tab.

  6. In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close.

  7. Close the Network Connections window.

  8. In Initial Configuration Tasks, click Provide computer name and domain.

  9. In System Properties, click Change. In Computer name, type DC1, click OK twice, and then click Close. When you are prompted to restart the computer, click Restart Now.

  10. After restarting, log on using the local Administrator account.

  11. In Initial Configuration Tasks, click Do not show this window at logon, and then click Close.

Configure DC1 as a domain controller and DNS server

Next, configure DC1 as a domain controller and DNS server for the corp.contoso.com domain.

To configure DC1 as a domain controller and DNS server

  1. In the console tree of Server Manager, click Roles. In the details pane, click Add Roles, and then click Next.

  2. On the Select Server Roles page, click Active Directory Domain Services, click Add Required Features, click Next twice, and then click Install. When installation is complete, click Close.

  3. To start the Active Directory Domain Services Installation Wizard, click Start, type dcpromo, and then press ENTER.

  4. In the Active Directory Domain Services Installation Wizard, click Next twice.

  5. On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and then click Next.

  6. On the Name the Forest Root Domain page, type corp.contoso.com, and then click Next.

  7. On the Set Forest Functional Level page, in Forest Functional Level, click Windows Server 2008 R2, and then click Next.

  8. On the Additional Domain Controller Options page, leave DNS server selected and click Next. When you are warned that a delegation for this DNS server cannot be created (there is no parent zone in this lab to hold a delegation), click Yes to continue, and then click Next.

  9. On the Directory Services Restore Mode Administrator Password page, type a strong password twice, and then click Next.

  10. On the Summary page, click Next.

  11. Wait while the wizard completes the configuration of Active Directory and DNS services, and then click Finish.

  12. When you are prompted to restart the computer, click Restart Now.

  13. After the computer restarts, log on to the CORP domain using the Administrator account.

Install and configure the DHCP server role on DC1

Next, configure DC1 as a DHCP server so that CLIENT1 can automatically configure itself when it connects to the Corpnet subnet.

To install and configure the DHCP server role

  1. In the console tree of Server Manager, click Roles.

  2. In the details pane, under Roles Summary, click Add roles, and then click Next.

  3. On the Select Server Roles page, click DHCP Server, and then click Next twice.

  4. On the Select Network Connection Bindings page, verify that 10.0.0.1 is selected, and then click Next.

  5. On the Specify IPv4 DNS Server Settings page, verify that corp.contoso.com is listed under Parent domain.

  6. Type 10.0.0.1 under Preferred DNS server IP address, and then click Validate. Verify that the result returned is Valid, and then click Next.

  7. On the Specify WINS Server Settings page, accept the default setting of WINS is not required on this network, and then click Next.

  8. On the Add or Edit DHCP Scopes page, click Add.

  9. In the Add Scope dialog box, type Corpnet next to Scope Name. Next to Starting IP Address, type 10.0.0.100, next to Ending IP Address, type 10.0.0.150, and next to Subnet Mask, type 255.255.255.0. Click OK, and then click Next.

  10. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for this server, and then click Next.

  11. On the Authorize DHCP Server page, select Use current credentials. Verify that CORP\Administrator is displayed next to User Name, and then click Next.

  12. On the Confirm Installation Selections page, click Install.

  13. Verify the installation was successful, and then click Close.
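The TCP/IP, domain controller and DHCP procedures for DC1 can also be scripted. The following is an added example written for this edit, not part of the original guide. It uses WMI, an unattended dcpromo answer file and netsh because the NetTCPIP, ADDSDeployment and DhcpServer cmdlets do not exist on Windows Server 2008 R2. The function names are the example's own; it assumes the first IP-enabled adapter is the Corpnet connection and uses dcpromo's default database, log and SYSVOL paths. Run each function from an elevated PowerShell prompt in the order shown, logging on again after each restart (as CORP\Administrator before the DHCP stage).

```powershell
# Added example, not from the original guide. Windows Server 2008 R2 / PowerShell 2.0.
# Stage 1: Set-Dc1Network    (restarts DC1 after the rename)
# Stage 2: Install-Dc1Forest (restarts DC1 after dcpromo finishes)
# Stage 3: Install-Dc1Dhcp   (run while logged on as CORP\Administrator)

function Set-Dc1Network {
    # Assumption: the first IP-enabled adapter is the Corpnet connection.
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Select-Object -First 1
    $calls = @(
        $nic.EnableStatic('10.0.0.1', '255.255.255.0'),
        $nic.SetDNSServerSearchOrder('10.0.0.1'),   # DC1 is its own DNS server
        $nic.SetDNSDomain('corp.contoso.com')       # connection-specific DNS suffix
    )
    foreach ($r in $calls) {
        # ReturnValue 0 = success, 1 = success but a restart is required
        if (@(0, 1) -notcontains $r.ReturnValue) { throw "WMI call failed: $($r.ReturnValue)" }
    }
    $r = (Get-WmiObject Win32_ComputerSystem).Rename('DC1')
    if ($r.ReturnValue -ne 0) { throw "Rename failed: $($r.ReturnValue)" }
    Restart-Computer -Force
}

function Install-Dc1Forest {
    Import-Module ServerManager
    Add-WindowsFeature AD-Domain-Services | Out-Null
    $dsrm = Read-Host 'Directory Services Restore Mode password'
    $answer = Join-Path $env:TEMP 'dcpromo.txt'
    # ForestLevel/DomainLevel 4 = Windows Server 2008 R2. These are the keys dcpromo itself
    # writes when you export settings from the wizard.
    @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.contoso.com
DomainNetbiosName=CORP
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $answer -Encoding ASCII
    Start-Process -FilePath dcpromo.exe -ArgumentList "/unattend:$answer" -Wait
    Remove-Item $answer        # the answer file holds the DSRM password in clear text
    Restart-Computer -Force
}

function Install-Dc1Dhcp {
    Import-Module ServerManager
    Add-WindowsFeature DHCP | Out-Null
    Set-Service DHCPServer -StartupType Automatic
    Start-Service DHCPServer
    netsh dhcp server add scope 10.0.0.0 255.255.255.0 Corpnet
    netsh dhcp server scope 10.0.0.0 add iprange 10.0.0.100 10.0.0.150
    netsh dhcp server scope 10.0.0.0 set optionvalue 006 IPADDRESS 10.0.0.1      # DNS server
    netsh dhcp server scope 10.0.0.0 set optionvalue 015 STRING corp.contoso.com  # DNS suffix
    netsh dhcp server scope 10.0.0.0 set state 1                                  # activate
    netsh dhcp add server dc1.corp.contoso.com 10.0.0.1                           # authorize in AD
    netsh dhcp server show scope                                                  # Corpnet should be Active
}
```

The DSRM password is prompted for rather than embedded in the script, and the answer file is removed as soon as dcpromo has consumed it, because it stores that password unencrypted. The script does not change the DHCPv6 stateless mode setting; leave that wizard step as described above.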

Install an enterprise root CA on DC1

Next, install an enterprise root CA on DC1 to provide digital certificates for domain member computers.

To install an enterprise root CA on DC1

  1. In the console tree of Server Manager, click Roles.

  2. Under Roles Summary, click Add roles, and then click Next.

  3. On the Select Server Roles page, click Active Directory Certificate Services, and then click Next twice.

  4. On the Role Services page, click Next.

  5. On the Setup Type page, click Enterprise, and then click Next.

  6. On the CA Type page, click Root CA, and then click Next.

  7. On the Private Key page, click Create a new private key, and then click Next.

  8. On the Cryptography page, click Next.

  9. On the CA Name page, click Next.

  10. On the Validity Period page, click Next.

  11. On the Certificate Database page, click Next.

  12. On the Confirm Installation Selections page, click Install.

  13. On the Results page, click Close.

Configure the CRL distribution settings

Next, configure the certification authority on DC1 for the location of the CRL for certificates issued by DC1.

To configure the CRL distribution settings on DC1

  1. On DC1, click Start, point to Administrative Tools, and then click Certification Authority.

  2. In the details pane, right-click corp-DC1-CA and click Properties.

  3. In the corp-DC1-CA Properties dialog box, click the Extensions tab.

  4. On the Extensions tab, click Add. In Location, type http://crl.corp.contoso.com/crld/. Use plain HTTP for this location even though APP1 will also get an HTTPS binding: a CRL is signed by the CA and needs no transport protection, and an HTTPS CDP makes revocation checking circular, because validating the web server's own certificate would require fetching the CRL from that same server.

  5. In Variable, click <CAName>, and then click Insert.

  6. In Variable, click <CRLNameSuffix>, and then click Insert.

  7. In Variable, click <DeltaCRLAllowed>, and then click Insert.

  8. In Location, type .crl at the end of the Location string, and then click OK.

  9. Select the Include in CRLs. Clients use this to find Delta CRL locations check box and the Include in the CDP extension of issued certificates check box, and then click Apply. Click No in the dialog box that asks whether to restart Active Directory Certificate Services.

  10. Click Add.

  11. In Location, type \\app1\crldist$\.

  12. In Variable, click <CAName>, and then click Insert.

  13. In Variable, click <CRLNameSuffix>, and then click Insert.

  14. In Variable, click <DeltaCRLAllowed>, and then click Insert.

  15. In Location, type .crl at the end of the string, and then click OK.

  16. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.

  17. Click Yes to restart Active Directory Certificate Services.

  18. Close the Certification Authority console.

Create a DNS record for crl.corp.contoso.com

The URL for the CRL distribution point uses the name crl.corp.contoso.com. Next, create a DNS Host (A) record on DC1 so that this name resolves to the IPv4 address of APP1.

To create a DNS record for crl.corp.contoso.com on DC1

  1. On DC1, click Start, point to Administrative Tools, and then click DNS.

  2. In the DNS Manager console, expand DC1 and then expand Forward Lookup Zones. Right-click corp.contoso.com and click New Host (A or AAAA).

  3. In the New Host dialog box, type CRL in Name (uses parent domain name if blank). In IP address, type 10.0.0.3. Click Add Host.

  4. In the DNS dialog box informing you that the record was created, click OK.

  5. Click Done in the New Host dialog box.

  6. Close the DNS Manager console.
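The CRL distribution settings and the crl DNS record can be set from an elevated PowerShell prompt on DC1 as well. The following is an added example, not part of the original guide. It writes the same CRLPublicationURLs value that the Extensions tab edits (the CA stores the list under its CertSvc configuration registry key), with the flag bits that correspond to the check boxes selected above, and uses dnscmd for the host record because the DnsServer cmdlets do not exist on Windows Server 2008 R2. The function names are the example's own; the CA name is read from the registry rather than assumed.

```powershell
# Added example, not from the original guide. Run on DC1 after the enterprise root CA is installed.

function Add-CorpnetCrlLocations {
    # Each entry is "<flags>:<URL template>". Flag bits used here, matching the MMC check boxes:
    #   1  = Publish CRLs to this location
    #   2  = Include in the CDP extension of issued certificates
    #   4  = Include in CRLs (clients use this to find delta CRL locations)
    #   64 = Publish delta CRLs to this location
    # Template variables: %3 = <CAName>, %8 = <CRLNameSuffix>, %9 = <DeltaCRLAllowed>.
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active     # corp-DC1-CA in this lab
    $caKey = Join-Path $cfg $caName
    $wanted = @(
        '6:http://crl.corp.contoso.com/crld/%3%8%9.crl',   # 2 + 4: what clients see in certificates and CRLs
        '65:\\app1\crldist$\%3%8%9.crl'                    # 1 + 64: where the CA writes the files
    )
    $current = @((Get-ItemProperty -Path $caKey -Name CRLPublicationURLs).CRLPublicationURLs)
    $merged = $current + @($wanted | Where-Object { $current -notcontains $_ })
    Set-ItemProperty -Path $caKey -Name CRLPublicationURLs -Value ([string[]]$merged) -Type MultiString
    Restart-Service CertSvc          # the CA reads CRLPublicationURLs only at start-up
    certutil -getreg CA\CRLPublicationURLs   # show the merged list for review
}

function Add-CrlHostRecord {
    # crl.corp.contoso.com must resolve to APP1 (10.0.0.3), which will host the /crld/ directory.
    dnscmd dc1 /RecordAdd corp.contoso.com crl A 10.0.0.3
    if ($LASTEXITCODE -ne 0) { throw 'dnscmd failed' }
    [System.Net.Dns]::GetHostAddresses('crl.corp.contoso.com') |
        ForEach-Object { $_.IPAddressToString }   # expect 10.0.0.3
}

Add-CorpnetCrlLocations
Add-CrlHostRecord
```

Until the CRLDist$ share exists on APP1 (Step 2), the CA logs a warning at start-up that it cannot publish to \\app1\crldist$; that is expected at this point. The existing default locations are kept, and the two new entries are added only if they are not already present, so the function can be rerun safely.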

Create a user account in Active Directory

Next, create a user account in Active Directory that will be used when logging on to CORP domain member computers. For test lab convenience this account is added to Domain Admins and its password is set never to expire; neither is appropriate for an account used for day-to-day logons in a production domain.

To create a user account in Active Directory

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, open corp.contoso.com, right-click Users, point to New, and then click User.

  3. In the New Object - User dialog box, in Full name, type User1, and in User logon name, type User1.

  4. Click Next.

  5. In Password, type the password that you want to use for this account, and in Confirm password, type the password again.

  6. Clear User must change password at next logon and select Password never expires.

  7. Click Next, and then click Finish.

  8. In the console tree, click Users.

  9. In the details pane, double-click Domain Admins.

  10. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.

  11. Under Enter the object names to select (examples), type User1, and then click OK twice.

  12. Close the Active Directory Users and Computers console.

Configure computer certificate auto-enrollment

Next, configure Group Policy so that domain members automatically request computer certificates.

To configure computer certificate auto-enrollment in Group Policy

  1. Click Start, click Administrative Tools, and then click Group Policy Management.

  2. In the console tree, open Forest: corp.contoso.com\Domains\corp.contoso.com.

  3. In the details pane, right-click Default Domain Policy, and then click Edit.

  4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

  5. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

  6. In the Automatic Certificate Request Wizard, click Next.

  7. On the Certificate Template page, click Computer, click Next, and then click Finish.

  8. Leave the Group Policy Management Editor and Group Policy Management consoles open for the next procedure.

Configure computer account maximum password age

Next, configure Group Policy so that computer accounts have a maximum password age of 999 days. By default, computer accounts change their passwords automatically every 30 days, and a computer restored from an image or snapshot taken before its last password change can no longer authenticate to the domain. Setting the maximum age to 999 days keeps disk images and virtual machine snapshots of the lab computers restorable for up to 999 days. This is a test lab setting only: it effectively disables machine account password rotation and should not be used in a production domain.

To configure the maximum computer account password age in Group Policy

  1. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.

  2. In the details pane, double-click Domain member: Maximum machine account password age.

  3. On the Security Policy Setting tab, select Define this policy setting, type 999, and then click OK.

  4. Close the Group Policy Management Editor and Group Policy Management consoles.
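The user account and the machine account password age can also be created from an elevated PowerShell prompt on DC1 with the ActiveDirectory and GroupPolicy modules that ship with Windows Server 2008 R2. The following is an added example, not part of the original guide. The function names are the example's own. The auto-enrollment request (Automatic Certificate Request Settings) is not covered; use the console procedure above for it. The password age is written as registry policy to the Netlogon value that the security option controls, which has the same effect on domain members, although the Group Policy editor then shows it under Extra Registry Settings rather than under Security Options.

```powershell
# Added example, not from the original guide. Run on DC1 as a Domain Admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function New-LabUser1 {
    $pw = Read-Host -Prompt 'Password for User1' -AsSecureString
    New-ADUser -Name 'User1' -SamAccountName 'User1' -UserPrincipalName 'User1@corp.contoso.com' `
        -Path 'CN=Users,DC=corp,DC=contoso,DC=com' -AccountPassword $pw -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true
    # Lab convenience only: an account used for day-to-day logons should not be a Domain Admin.
    Add-ADGroupMember -Identity 'Domain Admins' -Members 'User1'
    Get-ADUser -Identity 'User1' -Properties PasswordNeverExpires, MemberOf
}

function Set-LabMachinePasswordAge {
    param([int]$Days = 999)
    # "Domain member: Maximum machine account password age" is the Netlogon MaximumPasswordAge
    # value, in days. 999 days effectively disables rotation; use it in the lab only.
    $key = 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-GPRegistryValue -Name 'Default Domain Policy' -Key $key -ValueName 'MaximumPasswordAge' `
        -Type DWord -Value $Days | Out-Null
    Get-GPRegistryValue -Name 'Default Domain Policy' -Key $key -ValueName 'MaximumPasswordAge'
}

New-LabUser1
Set-LabMachinePasswordAge -Days 999
```

Members pick up the new age at the next Group Policy refresh; run gpupdate /force on a member to apply it immediately.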

Step 2: Configure APP1

APP1 provides web and file sharing services. APP1 configuration consists of the following:

  • Install the operating system.

  • Configure TCP/IP.

  • Join the computer to the domain.

  • Install the Web Server (IIS) role.

  • Create a web-based CRL distribution point.

  • Configure the Hypertext Transfer Protocol Secure (HTTPS) binding.

  • Configure permissions on the CRL distribution point file share.

  • Publish the CRL to APP1 from DC1.

  • Create a shared folder on APP1.

Install the operating system on APP1

First, install Windows Server 2008 R2 Enterprise Edition.

To install the operating system on APP1

  1. Start the installation of Windows Server 2008 R2 Enterprise Edition.

  2. Follow the instructions to complete the installation, specifying a strong password for the local Administrator account. Log on using the local Administrator account.

  3. Connect APP1 to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2008 R2.

  4. Connect APP1 to the Corpnet subnet.

Configure TCP/IP properties

Next, configure TCP/IP.

To configure TCP/IP properties

  1. In Initial Configuration Tasks, click Configure networking.

  2. In the Network Connections window, right-click Local Area Connection, and then click Properties.

  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Select Use the following IP address. In IP address, type 10.0.0.3. In Subnet mask, type 255.255.255.0.

  5. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.

  6. Click Advanced, and then click the DNS tab. In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close.

  7. Close the Network Connections window and leave the Initial Configuration Tasks window open.

  8. To check name resolution and network communication between APP1 and DC1, click Start, click All Programs, click Accessories, and then click Command Prompt.

  9. In the Command Prompt window, type ping dc1.corp.contoso.com.

  10. Verify that there are four replies from 10.0.0.1.

  11. Close the Command Prompt window.

Join APP1 to the CORP domain

Next, join APP1 to the corp.contoso.com domain.

To join APP1 to the CORP domain

  1. In Initial Configuration Tasks, click Provide Computer Name and Domain.

  2. In the System Properties dialog box, on the Computer Name tab, click Change.

  3. In Computer Name, type APP1. In Member of, click Domain, and then type corp.contoso.com.

  4. Click OK.

  5. When you are prompted for a user name and password, type User1 and its password, and then click OK.

  6. When you see a dialog box welcoming you to the corp.contoso.com domain, click OK.

  7. When you are prompted that you must restart the computer, click OK.

  8. On the System Properties dialog box, click Close.

  9. When you are prompted to restart the computer, click Restart Now.

  10. After the computer restarts, click Switch User, and then click Other User and log on to the CORP domain with the User1 account.

  11. In Initial Configuration Tasks, click Do not show this window at logon, and then click Close.

Install the Web Server (IIS) role on APP1

Next, install the Web Server (IIS) role to make APP1 a web server.

To install the Web Server (IIS) role

  1. In the console tree of Server Manager, click Roles. In the details pane, click Add Roles, and then click Next.

  2. On the Select Server Roles page, select Web Server (IIS), and then click Next three times.

  3. Click Install.

  4. Verify that the installation was successful, and then click Close.

Create a web-based CRL distribution point

Next, create a web-based CRL distribution point so that computers on the Corpnet subnet can access the CRL.

To create a web-based CRL distribution point

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, navigate to APP1\Sites\Default Web Site. Right-click Default Web Site and click Add Virtual Directory.

  3. In the Add Virtual Directory dialog box, in Alias, type CRLD. Next to Physical path, click the ellipsis “…” button.

  4. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.

  5. Type CRLDist, and then press ENTER. Click OK in the Browse for Folder dialog box.

  6. Click OK in the Add Virtual Directory dialog box.

  7. In the middle pane of the console, double-click Directory Browsing.

  8. In the details pane, click Enable.

  9. In the console tree, click the CRLD folder.

  10. In the middle pane of the console, double-click the Configuration Editor icon.

  11. Click the down-arrow for the Section drop-down list, and then navigate to system.webServer\security\requestFiltering.

  12. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True. This is required because the delta CRL file name (corp-DC1-CA+.crl) contains a plus sign, which IIS request filtering otherwise rejects as a double-escaped sequence, so clients could never download the delta CRL.

  13. In the details pane, click Apply.

Configure the HTTPS security binding

Next, configure the HTTPS security binding so that APP1 can host HTTPS-based URLs.

To configure the HTTPS security binding

  1. Click Default Web site.

  2. In the Actions pane, click Bindings.

  3. In the Site Bindings dialog box, click Add.

  4. In the Add Site Binding dialog box, in the Type list, click https. In SSL Certificate, click the certificate with the name app1.corp.contoso.com. Click OK, and then click Close. This is the computer certificate that APP1 auto-enrolled from corp-DC1-CA after joining the domain; if it is not listed, open an elevated command prompt, run gpupdate /force, and then reopen the Add Site Binding dialog box.

  5. Close the Internet Information Services (IIS) Manager console.

Configure permissions on the CRL distribution point file share

Next, configure file share permissions on the CRLDist folder so that DC1 can publish the CRL and delta CRL files. The steps below grant Full control to the DC1 computer account, which is more than publishing requires; in a production deployment grant only Change on the share and Modify on the folder.

To configure permissions on the CRL distribution point file share

  1. On APP1, click Start, and then click Computer.

  2. Double-click Local Disk (C:).

  3. In the details pane of Windows Explorer, right-click the CRLDist folder and click Properties.

  4. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.

  5. In the Advanced Sharing dialog box, select Share this folder.

  6. In Share name, add a “$” to the end so that the share name is CRLDist$.

  7. In the Advanced Sharing dialog box, click Permissions.

  8. In the Permissions for CRLDist$ dialog box, click Add.

  9. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

  10. In the Object Types dialog box, select Computers, and then click OK.

  11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in Enter the object names to select, type DC1, and then click Check Names. Click OK.

  12. In the Permissions for CRLDist$ dialog box, select DC1 (CORP\DC1$) from the Group or user names list. In the Permissions for DC1 section, select Allow for Full control. Click OK.

  13. In the Advanced Sharing dialog box, click OK.

  14. In the CRLDist Properties dialog box, click the Security tab.

  15. On the Security tab, click Edit.

  16. In the Permissions for CRLDist dialog box, click Add.

  17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

  18. In the Object Types dialog box, select Computers. Click OK.

  19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in Enter the object names to select, type DC1, and then click Check Names. Click OK.

  20. In the Permissions for CRLDist dialog box, select DC1 (CORP\DC1$) from the Group or user names list. In the Permissions for DC1 section, select Allow for Full control. Click OK.

  21. Click Close in the CRLDist Properties dialog box.

  22. Close the Windows Explorer window.
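The web-based CRL distribution point, the HTTPS binding and the share permissions on APP1 can be set from an elevated PowerShell prompt with appcmd, netsh, net and icacls, all present on Windows Server 2008 R2. The following is an added example, not part of the original guide. The function names are the example's own. It deliberately differs from the console steps in two places, both tighter than the original: directory browsing is enabled for the CRLD directory only rather than the whole site, and the DC1 computer account receives Change on the share and Modify on the folder instead of Full control. The IIS application ID passed to netsh is the well-known W3SVC GUID.

```powershell
# Added example, not from the original guide. Run elevated on APP1 after it has joined the domain.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

function New-CrlWebDirectory {
    New-Item -Path 'C:\CRLDist' -ItemType Directory -Force | Out-Null
    & $appcmd add vdir '/app.name:Default Web Site/' '/path:/CRLD' '/physicalPath:C:\CRLDist'
    # Directory browsing on /CRLD only (the console steps enable it for the whole site).
    & $appcmd set config 'Default Web Site/CRLD' '/section:system.webServer/directoryBrowse' '/enabled:true'
    # The delta CRL is <CAName>+.crl; request filtering treats "+" as double escaping and answers
    # 404.11 unless allowDoubleEscaping is on for this directory.
    & $appcmd set config 'Default Web Site/CRLD' '/section:system.webServer/security/requestFiltering' '/allowDoubleEscaping:true'
}

function Add-HttpsBinding {
    # The auto-enrolled computer certificate has the subject CN=app1.corp.contoso.com.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq 'CN=app1.corp.contoso.com' } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No auto-enrolled computer certificate yet: run gpupdate /force and retry.' }
    & $appcmd set site 'Default Web Site' "/+bindings.[protocol='https',bindingInformation='*:443:']"
    # Bind the certificate to port 443 in HTTP.sys; the appid is the IIS (W3SVC) GUID.
    netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" 'appid={4dc3e181-e14b-4a21-b022-59fc669b0914}'
    netsh http show sslcert ipport=0.0.0.0:443
}

function Grant-Dc1Publish {
    # Least privilege: DC1$ only writes CRL files, so Change (share) and Modify (NTFS) are enough.
    net share 'CRLDist$=C:\CRLDist' '/GRANT:CORP\DC1$,CHANGE'
    icacls 'C:\CRLDist' /grant 'CORP\DC1$:(OI)(CI)M'
    net share 'CRLDist$'
}

New-CrlWebDirectory
Add-HttpsBinding
Grant-Dc1Publish
```

The share created with /GRANT carries only the DC1$ entry, so no Everyone permission is added; administrators still reach the folder through C$. The IIS application pool reads C:\CRLDist through the Users permissions inherited from C:\, which is all the web CDP needs.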

Publish the CRL to APP1 from DC1

Next, configure the certification authority on DC1 to publish the CRL to the CRLDist file share on APP1.

To publish the CRL to APP1 from DC1

  1. On DC1, click Start, point to Administrative Tools, and then click Certification Authority.

  2. In the console tree, open corp-DC1-CA. Right-click Revoked Certificates, point to All Tasks, and then click Publish.

  3. In the Publish CRL dialog box, click New CRL, and then click OK.

  4. Click Start, type \\APP1\CRLDist$ and press ENTER.

  5. In the Windows Explorer window, you should see the corp-DC1-CA.crl (base CRL) and corp-DC1-CA+.crl (delta CRL) files.

  6. Close the Windows Explorer window.

  7. Close the Certification Authority console.
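Publication can be triggered and checked from an elevated PowerShell prompt on DC1. The following is an added example, not part of the original guide. It publishes a new base and delta CRL with certutil, confirms both files reached the share, and then downloads each through the http://crl.corp.contoso.com/crld/ URL that clients will use, which exercises the crl host record and the allowDoubleEscaping exception for the "+" in the delta CRL name. The function name is the example's own; the CA name is read from the registry.

```powershell
# Added example, not from the original guide. Run on DC1 after APP1 is configured.
function Publish-AndCheckCrl {
    certutil -CRL                      # publish a new base CRL and delta CRL to every location
    if ($LASTEXITCODE -ne 0) { throw 'certutil -CRL failed; check the CRLDist$ permissions on APP1' }
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $web = New-Object System.Net.WebClient
    $results = @()
    foreach ($suffix in @('', '+')) {  # '' = base CRL, '+' = delta CRL
        $file = '{0}{1}.crl' -f $caName, $suffix
        $onShare = Test-Path ('\\app1\crldist$\' + $file)
        $local = Join-Path $env:TEMP $file
        $fetched = $true
        try { $web.DownloadFile('http://crl.corp.contoso.com/crld/' + $file, $local) }
        catch { $fetched = $false }
        # A CRL that downloads but does not parse (for example an IIS error page) fails here.
        $parses = $fetched -and ((certutil -dump $local | Out-String) -match 'CRL Number')
        $results += New-Object PSObject -Property @{
            File = $file; OnShare = $onShare; Http = $fetched; Parses = $parses
        }
    }
    $results | Format-Table File, OnShare, Http, Parses -AutoSize
}
Publish-AndCheckCrl
```

All four columns should read True for both files. A delta CRL that is on the share but fails over HTTP points at request filtering (allowDoubleEscaping) on APP1; both files failing over HTTP points at the crl host record or the CRLD virtual directory.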

Create a shared folder on APP1

Next, create a shared folder and a text file within the folder on APP1.

To create a shared folder

  1. On APP1, click Start, and then click Computer.

  2. Double-click Local Disk (C:).

  3. Click New Folder, type Files, and then press ENTER. Leave the Local Disk window open.

  4. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.

  5. In the Untitled – Notepad window, type This is a shared file.

  6. Click File, click Save, double-click Computer, double-click Local Disk (C:), and then double-click the Files folder.

  7. In File name, type example.txt, and then click Save. Close the Notepad window.

  8. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific people.

  9. Click Share, and then click Done.

  10. Close the Local Disk window.

Step 3: Configure CLIENT1

CLIENT1 configuration consists of the following:

  • Install the operating system.

  • Join CLIENT1 to the CORP domain.

  • Verify the computer certificate.

  • Test access to intranet resources on the Corpnet subnet.

Install the operating system on CLIENT1

First, install Windows 7 Enterprise or Ultimate on CLIENT1.

To install the operating system on CLIENT1

  1. Start the installation of Windows 7 Enterprise or Ultimate.

  2. When you are prompted for a user name, type User1. When you are prompted for a computer name, type CLIENT1.

  3. When you are prompted for a password, type a strong password twice.

  4. When you are prompted for protection settings, click Use recommended settings.

  5. When you are prompted for your computer's current location, click Work.

  6. Connect CLIENT1 to a network that has Internet access and run Windows Update to install the latest updates for Windows 7.

  7. Connect CLIENT1 to the Corpnet subnet.

User account control

When you configure the Windows 7 operating system, you are required to click Continue in the User Account Control (UAC) dialog box for some tasks. Several of the configuration tasks require UAC approval. When you are prompted, always click Continue to authorize these changes. Alternatively, see Appendix A of this guide for instructions about how to set the UAC behavior of the elevation prompt for administrators.

Join CLIENT1 to the CORP domain

Next, join CLIENT1 to the corp.contoso.com domain.

To join CLIENT1 to the CORP domain

  1. Click Start, right-click Computer, and then click Properties.

  2. On the System page, click Advanced system settings.

  3. In the System Properties dialog box, click the Computer Name tab. On the Computer Name tab, click Change.

  4. In the Computer Name/Domain Changes dialog box, click Domain, type corp.contoso.com, and then click OK.

  5. When you are prompted for a user name and password, type the user name and password for the User1 domain account, and then click OK.

  6. When you see a dialog box that welcomes you to the corp.contoso.com domain, click OK.

  7. When you see a dialog box that prompts you to restart the computer, click OK.

  8. In the System Properties dialog box, click Close. Click the button that restarts the computer.

  9. After the computer restarts, log on as CORP\User1.

Verify the computer certificate

Next, verify that a computer certificate has been installed on CLIENT1.

To verify that CLIENT1 has a computer certificate installed

  1. On CLIENT1, click Start, type mmc, and then press ENTER.

  2. Click File, and then click Add/Remove Snap-in.

  3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

  4. In the console tree, open Certificates (Local Computer)\Personal\Certificates.

  5. In the details pane, verify that a certificate with the name CLIENT1.corp.contoso.com is present with Intended Purposes of Client Authentication and Server Authentication.

  6. Close the console window. When you are prompted to save settings, click No.

Test access to intranet resources from the Corpnet subnet

Next, verify that intranet web and file share resources on APP1 can be accessed by CLIENT1.

To test access to intranet resources

  1. From the taskbar, click the Internet Explorer icon.

  2. In the Welcome to Internet Explorer 8 window, click Next. In the Turn on Suggested Sites window, click No, don’t turn on, and then click Next. In the Choose your settings dialog box, click Use express settings, and then click Finish.

  3. In the toolbar, click Tools, and then click Internet Options. For Home page, click Use blank, and then click OK.

  4. In the Address bar, type http://app1.corp.contoso.com/, and then press ENTER. You should see the default IIS 7 web page for APP1.

  5. In the Address bar, type https://app1.corp.contoso.com/, and then press ENTER. You should see the default IIS 7 web page for APP1 with no certificate warning, because CLIENT1 trusts corp-DC1-CA and the name app1.corp.contoso.com matches the certificate bound in IIS.

  6. Leave the Internet Explorer window open.

  7. Click Start, type \\app1\Files, and then press ENTER.

  8. You should see a folder window with the contents of the Files shared folder.

  9. In the Files shared folder window, double-click the example.txt file. You should see the contents of the example.txt file.

  10. Close the example.txt - Notepad and the Files shared folder windows.
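The certificate check and the resource access test above can be run together from an elevated PowerShell prompt on CLIENT1, and the scripted form adds the check a practitioner most wants: that the computer certificate not only exists but chains to corp-DC1-CA and passes revocation checking against the HTTP CDP. The following is an added example, not part of the original guide. The function names are the example's own; it assumes the certificate subject is the computer's FQDN, as the Computer template produces.

```powershell
# Added example, not from the original guide. Run elevated on CLIENT1 as CORP\User1.

function Get-LabComputerCert {
    $fqdn = "$env:COMPUTERNAME.corp.contoso.com"
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.Issuer -like 'CN=corp-DC1-CA*' } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        certutil -pulse            # trigger auto-enrollment now instead of waiting for the next GP refresh
        throw "No computer certificate for $fqdn yet; retry after auto-enrollment completes"
    }
    $eku = ($cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Enhanced Key Usage' }).EnhancedKeyUsages |
           ForEach-Object { $_.FriendlyName }
    foreach ($needed in 'Client Authentication', 'Server Authentication') {
        if ($eku -notcontains $needed) { throw "Certificate lacks the $needed purpose" }
    }
    $cert
}

function Test-LabCertChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $cer = Join-Path $env:TEMP 'computer.cer'
    [System.IO.File]::WriteAllBytes($cer, $cert.Export('Cert'))
    # -urlfetch forces fresh CDP/AIA downloads, so a broken crl.corp.contoso.com or /crld/
    # directory fails here instead of being masked by a cached CRL.
    $out = certutil -verify -urlfetch $cer | Out-String
    $exit = $LASTEXITCODE
    Remove-Item $cer
    $out -split "`r?`n" | Where-Object { $_ -match 'crl\.corp\.contoso\.com|revocation' }
    if ($exit -ne 0 -or $out -match 'revocation server was offline|^ERROR:') {
        throw 'Chain or revocation check failed'
    }
    $true
}

function Test-LabIntranetAccess {
    $web = New-Object System.Net.WebClient
    $web.UseDefaultCredentials = $true
    $http  = $web.DownloadString('http://app1.corp.contoso.com/')
    $https = $web.DownloadString('https://app1.corp.contoso.com/')  # throws if the binding certificate is not trusted
    $text  = Get-Content '\\app1\Files\example.txt'
    New-Object PSObject -Property @{
        HttpOk = $http.Length -gt 0; HttpsOk = $https.Length -gt 0; ShareText = ($text -join ' ')
    }
}

$cert = Get-LabComputerCert
Test-LabCertChain $cert
Test-LabIntranetAccess
```

The certutil lines echoed by Test-LabCertChain show which CDP URLs were fetched and whether the revocation check passed; ShareText should read "This is a shared file." and both HTTP flags should be True.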