
Simple Step : Configure FTP Server in Windows Server 2012 R2

FTP (File Transfer Protocol) is a very popular protocol that allows users to upload and download files easily.

Even though FTP is considered a fairly legacy data transfer technology, it is still usable and easy to use for many server administrators.

You can configure an FTP server in Windows Server 2012 by installing the FTP Server role.

In this post, I will show you very simple steps for installing and configuring the FTP Server role in Windows Server 2012 R2.

1st – You need to set up authentication for users in the domain environment before installing the FTP role.

1 – On your domain server, open Active Directory Users & Computers and create the FTP_Users group.

2 – In the FTP_Users properties, add Administrator and any user that needs to use or log in to the FTP server…

3 – Now let's switch to the member server and create a folder for your FTP access, then right-click the FTP folder and click Security.

** In the FTP folder properties, under Security, click Advanced…

4 – On the Advanced Security Settings for FTP folder, click Add…

** What we are going to do here is give access permissions to the FTP_Users group…

5 – On the Permission Entry for FTP folder, click the Select a principal link, then under Enter the object name to select, type FTP_Users and click OK…

6 – On the Permission Entry for FTP folder, under Basic permissions, click Write and then click OK…

7 – Verify that FTP_Users is listed under Advanced Security Settings for the FTP folder…

2nd – Installing FTP Role service…

1 – Still on the member server, open Server Manager, click Add roles & features, proceed to Server Roles and browse for FTP Server (tick FTP Service and FTP Extensibility), then click Next…

2 – On the Select features interface, proceed with Next…


3 – On the Confirm installation selections interface, click Install…


4 – Once the installation is complete, please restart the server…

5 – Once the server has restarted, open Server Manager, click Tools and click Internet Information Services (IIS) Manager…

6 – On the IIS console, right click Sites and click Add FTP Site…


7 – On the Add FTP Site interface, in FTP site name, enter your own FTP site name, then in Physical path, browse to the FTP folder that you created in the previous step…

8 – On the Add FTP Site interface, verify that the IP Address is set to All Unassigned and the Port is 21…

** Click No SSL (I'm not going to secure this FTP site with a web certificate)… and click Next…

9 – Under Authentication, click Basic; under Allow access to, choose Specified roles or user groups and type FTP_Users; confirm that you tick Read and Write under Permissions, then click Finish…

10 – Next, open Windows Firewall and click Allow an app or feature through Windows Firewall…


11 – Under Allow apps to communicate through Windows Firewall, browse to FTP Server, verify that Domain, Private and Public are ticked, and then click OK…

12 – Next, open Windows Firewall with Advanced Security, click Inbound Rules and scroll to FTP (verify that the 3 FTP components are listed)…

13 – Now, let's switch to the client PC (in this demo I use Windows 8.1)…

** On the client PC, open CMD and type telnet 172.16.0.21 21

** 172.16.0.21 –> FTP server IP

** 21 –> FTP port number

14 – In CMD, it states 220 Microsoft FTP Service (we have successfully connected to the FTP server)…

15 – Now open a web browser, in the address bar type ftp://172.16.0.21 and press Enter, click the View menu and then click Open FTP site in File Explorer…

16 – In the Log On As box, under User name, fill in any member of your FTP_Users group, then fill in the password and click Log On…

17 – Once you have successfully logged in to the FTP server, you can try creating a folder…

18 – Lastly, switch back to the FTP server and confirm that the folder you created is listed on the FTP server…
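The whole FTP procedure above, scripted in PowerShell as an added example (not the post's own code). Values from the post: the FTP_Users group, Write on the folder, Basic authentication with Read and Write, port 21 and the server 172.16.0.21; assumptions not in the post: the domain NetBIOS name ADATUM, the folder C:\FTP, the site name "FTP Site", and the RSAT AD PowerShell module being present on the member server.

```powershell
# Added example: automates the FTP_Users group, NTFS ACL, FTP role, site,
# authorization and firewall steps from the post above.
# Assumptions (not from the post): domain ADATUM, folder C:\FTP, site name
# "FTP Site". Run in an elevated PowerShell on the member server; the group
# step needs the ActiveDirectory module (RSAT-AD-PowerShell) or a DC.

Import-Module ActiveDirectory
$Domain   = 'ADATUM'
$Group    = 'FTP_Users'
$FtpRoot  = 'C:\FTP'
$SiteName = 'FTP Site'

# 1st, steps 1-2: create the group and add the users that may log in.
function New-FtpUserGroup {
    param([string[]]$Members = @('Administrator'))
    if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
        New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
    }
    Add-ADGroupMember -Identity $Group -Members $Members
}

# 1st, steps 3-7: give FTP_Users Write on the folder, inherited by child
# files and folders exactly as the Advanced Security dialog does.
function Set-FtpFolderAcl {
    New-Item -Path $FtpRoot -ItemType Directory -Force | Out-Null
    $acl  = Get-Acl -Path $FtpRoot
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$Group", 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FtpRoot -AclObject $acl
}

# 2nd, steps 1-4: FTP Service and FTP Extensibility with the IIS tools.
function Install-FtpRole {
    Install-WindowsFeature -Name Web-Ftp-Server, Web-Ftp-Service, Web-Ftp-Ext `
        -IncludeManagementTools
}

# 2nd, steps 6-9: the site, Basic authentication, and the FTP_Users
# authorization rule (Read, Write) that the Add FTP Site wizard writes.
function New-FtpUserSite {
    Import-Module WebAdministration
    New-WebFtpSite -Name $SiteName -Port 21 -IPAddress '*' -PhysicalPath $FtpRoot -Force
    $site = "IIS:\Sites\$SiteName"
    Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
    Set-ItemProperty $site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
    # The post chooses "No SSL"; SslAllow mirrors that. Basic auth sends the
    # password in clear text, so SslRequire is the value to use outside a lab.
    Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslAllow'
    Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy -Value 'SslAllow'
    Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' `
        -PSPath 'IIS:\' -Location $SiteName `
        -Value @{ accessType = 'Allow'; roles = "$Domain\$Group"; permissions = 'Read,Write' }
}

# 2nd, steps 10-12: the three built-in inbound rules in the "FTP Server" group.
function Enable-FtpFirewallRules {
    Enable-NetFirewallRule -DisplayGroup 'FTP Server'
    Get-NetFirewallRule -DisplayGroup 'FTP Server' -Direction Inbound |
        Select-Object DisplayName, Enabled, Profile
}

# 2nd, steps 13-14: the same check as "telnet 172.16.0.21 21", without telnet.
function Test-FtpListener {
    param([string]$Server = '172.16.0.21')
    (Test-NetConnection -ComputerName $Server -Port 21).TcpTestSucceeded
}

New-FtpUserGroup
Set-FtpFolderAcl
Install-FtpRole
New-FtpUserSite
Enable-FtpFirewallRules
Test-FtpListener
```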

Orait, that's all for now…

Thank you for reading this….

 

Step by Step : Implementing & Configuring IPAM in Windows Server 2012 R2

With the development of IPv6 and the growing number of devices that require IP addresses, networks have become much more complex and difficult to manage.

Maintaining an updated list of static IP addresses that have been issued has often been a manual task, which can lead to errors. To help organizations manage IP addresses, Windows Server 2012 R2 provides the IP Address Management (IPAM) tool.

IP address management is a difficult task in large networks, because tracking IP address usage is largely a manual operation. Windows Server 2012 introduces IPAM, which is a framework for discovering, auditing, monitoring utilization, and managing the IP address space in a network.

IPAM enables the administration and monitoring of DHCP and DNS, and provides a comprehensive view of where IP addresses are used.

IPAM collects information from domain controllers and Network Policy Servers (NPSs), and then stores that information in the Windows Internal Database.

Benefits of IPAM :
• IPv4 and IPv6 address space planning and allocation.
• IP address space utilization statistics and trend monitoring.
• Static IP inventory management, lifetime management, and DHCP and DNS record creation and deletion.
• Service and zone monitoring of DNS services.
• IP address lease and logon event tracking.
• Role-based access control (RBAC).
• Remote administration support through RSAT.
• Reporting in the IPAM management console.

There is a lot more information about IPAM that you may discover; if you need more thorough information, please refer to: http://technet.microsoft.com/en-us/library/hh831353.aspx

In case you are interested in learning how to implement and configure IPAM, please make sure that you prepare a complete lab environment; of course, you may set up the whole infrastructure in Hyper-V. Confirm that you have 1 domain server and at least 1 member server. In this demo, I will use the adatum domain with 1 domain controller and 2 member servers, SVR1 and SVR2.

There are over 40 steps just to complete the basic IPAM implementation and configuration, so please spend some time reading and understanding how IPAM works in Windows Server 2012 R2.

Let's get started…

1st – Installing IPAM on the member server…

1 – Log in to your domain member server (SVR2), open Server Manager, click Add roles & features, proceed to the Select features interface, select the IP Address Management (IPAM) Server check box and proceed with Next…

2 – On the Confirm installation selections interface, click Install…


3 – Close the Installation progress interface when installation is complete…


2nd – Provisioning IPAM through a Group Policy Object (GPO)…

1 – On the member server, in Server Manager, click IPAM…

2 – In the IPAM Overview interface, click Connect to IPAM server…


3 – On the Connect to an IPAM Server interface, click LON-SVR2.Adatum.com, and then click OK…


4 – Next, click Provision the IPAM server…


5 – In the Provision IPAM Wizard interface, on the Before you begin page, click Next…


6 – On the Configure database interface, click Next…


7 – On the Select provisioning method interface, ensure that Group Policy Based is selected, then in the GPO name prefix box, type IPAM, and then click Next…

8 – On the Confirm the Settings interface, click Apply.

** Provisioning will take a few minutes to complete…


9 – Click Close once provisioning is complete…


3rd – Configure IP Management Server Discovery…

1 – On the IPAM Overview interface, click Configure server discovery…


2 – In the Configure Server Discovery settings box, click Add (verify that you add the correct domain)…


3 – In the Configure Server Discovery box, confirm that Domain Controller, DHCP Server and DNS Server are selected and then click OK…

4 – In the IPAM Overview interface, click Start server discovery.

** Discovery may take around 5 to 10 minutes to run…

5 – After a few minutes, the yellow bar will indicate that discovery is complete…

4th – Configure managed servers…

1 – In the IPAM Overview interface, click Select or add servers to manage and verify IPAM access.

2 – Notice that the IPAM Access Status is Blocked…

** This also indicates that the IPAM server has not yet been granted permission to manage the domain server via Group Policy.

3 – I will use Windows PowerShell to provision the IPAM GPOs…

4 – In Windows PowerShell, type:

Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com -DelegatedGpoUser Administrator

** When you are prompted to confirm the action, type Y, and then press Enter.

** The command will take a few minutes to complete…

5 – Next, in the SERVER INVENTORY>IPv4 pane, right-click LON-DC1, and then click Edit Server…


6 – In the Add or Edit Server box, set the Manageability status to Managed, and then click OK…


7 – Switch to the domain server and run the gpupdate /boot /force command to apply the IPAM GPO…

8 – Next, in the IPAM console, right-click LON-DC1, and then click Refresh Server Access Status…

** It may take up to 10 minutes for the status to change…


9 – Refresh as needed until a green check mark is displayed next to LON-DC1 and the IPAM Access Status shows Unblocked for the server…

10 – Next, right-click LON-DC1 and then click Retrieve All Server Data.

This action will also take a few minutes to complete…

5th – Configure and verify a new DHCP scope with IPAM…

1 – In the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP Servers.

** Then right-click the instance of LON-DC1.Adatum.com that contains the DHCP server role, and then click Create DHCP Scope.

2 – In the Create DHCP Scope box, in the Scope Name box, type Branch Scope…

** In the Start IP address box, type 10.0.0.50

** In the End IP address box, type 10.0.0.100

** The subnet mask is 255.0.0.0

3 – In the Create scope pane, click Options…

** On the DHCP Scope Options interface, click New…

** In the Configure options interface, under Option, select 003 Router…

** Under Values, in the IP Address box, type 10.0.0.1, click Add Configuration, and then click OK…

4 – Verify the configuration, then click OK…


5 – In the navigation interface, click DHCP Scopes, then right-click Branch Scope, and then click Configure DHCP Failover…


6 – In the Configure DHCP Failover Relationship interface, for the Partner server field, click lon-svr1.adatum.com…

** In the Relationship Name field, type AdatumDHCPFailover…

** In the Enable Message Authentication Secret field, type Pa$$w0rd

** In the Maximum Client Lead Time field, set the minutes to 10

** Ensure the Mode field is set to Load balance

** Verify that the Load Balance Percentage is set to 50%

** Select the Enable state switchover check box, leave the default value of 60 minutes, and then click OK…

7 – Switch to the domain server and open the DHCP console…

** Expand lon-dc1.adatum.com, expand IPv4, and confirm that Branch Scope exists…

6th – Configure IP address blocks, record IP addresses, and create DHCP reservations and DNS records

1 – Still on the IPAM server, click IP Address Blocks; in the right pane, click the Tasks drop-down arrow, and then click Add IP Address Block…

2 – In the Add or Edit IPv4 Address Block box, provide the following values, and then click OK (please refer to the picture):

3 – Next, click IP Address Inventory; in the right pane, click the Tasks drop-down arrow, and then click Add IP Address…

4 – In the Add IP Address box, under Basic Configurations, provide the following values:

5 – Click the Tasks drop-down arrow again, and then click Add IP Address…

6 – In the Add IP Address box, under Basic Configuration, provide the following values (please refer to the picture):

7 – In the Add IPv4 Address pane, click DHCP Reservation, and then enter the following values (please refer to the picture)…

8 – In the Add IPv4 Address pane, click DNS Record and enter the following values (please refer to the picture)…

9 – On the Summary interface, verify that the task completed without failures…

10 – Switch to the domain server and open the DHCP console, expand IPv4, expand Scope (172.16.0.0) Adatum, and then click Reservations.

** Verify that the reservation for 172.16.0.10 is displayed.

11 – Lastly, open the DNS console, expand Forward Lookup Zones, and then click Adatum.com.

** Verify that a host record is displayed for Webserver.
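The IPAM procedure above (parts 1st to 6th), run from PowerShell on the IPAM server as an added example that is not the post's own code. Values from the post: domain Adatum.com, GPO prefix IPAM, LON-SVR2 as IPAM server, LON-DC1 as DHCP/DNS server, Branch Scope 10.0.0.50 to 10.0.0.100 with mask 255.0.0.0 and router 10.0.0.1, failover partner lon-svr1, the reservation 172.16.0.10 for Webserver; assumptions not in the post: the address block 172.16.0.0/16, a constructed MAC address, and the name of the IPAM discovery scheduled task.

```powershell
# Added example, not the post's own code: the IPAM procedure above run from
# an elevated PowerShell on LON-SVR2 (IPAM, DhcpServer and DnsClient modules).
# Assumptions: the block is 172.16.0.0/16 and the MAC address is constructed.

$Domain      = 'Adatum.com'
$IpamServer  = 'LON-SVR2.adatum.com'
$DhcpServer  = 'lon-dc1.adatum.com'
$DhcpPartner = 'lon-svr1.adatum.com'

# 1st + 2nd: install IPAM and provision the IPAM_* GPOs in the domain
# (Group Policy based provisioning with the "IPAM" prefix). -Force answers
# the confirmation prompt that the post answers with Y.
function Install-AdatumIpam {
    Install-WindowsFeature -Name IPAM -IncludeManagementTools
    Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName IPAM `
        -IpamServerFqdn $IpamServer -DelegatedGpoUser Administrator -Force
}

# 3rd: discovery scope (DC, DHCP, DNS) and the discovery run itself.
# The scheduled task name is an assumption: it is the task behind the
# console's "Start server discovery" link.
function Start-AdatumDiscovery {
    Add-IpamDiscoveryDomain -Name $Domain -DiscoverDc $true -DiscoverDhcp $true -DiscoverDns $true
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerDiscovery'
}

# 4th: mark LON-DC1 as Managed. The access status only turns Unblocked after
# the IPAM GPOs have been applied on LON-DC1 (gpupdate there, as in step 7),
# so the inventory is returned for the reader to re-check afterwards.
function Set-Dc1Managed {
    Set-IpamServerInventory -Name 'LON-DC1.Adatum.com' -ManageabilityStatus Managed
    Get-IpamServerInventory
}

# 5th: Branch Scope, option 003 Router and the load-balance failover
# relationship. IPAM's Create DHCP Scope wizard drives the DHCP server; the
# DhcpServer module does the same work directly against LON-DC1.
function New-BranchScope {
    Add-DhcpServerv4Scope -ComputerName $DhcpServer -Name 'Branch Scope' `
        -StartRange 10.0.0.50 -EndRange 10.0.0.100 -SubnetMask 255.0.0.0
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId 10.0.0.0 -Router 10.0.0.1
    Add-DhcpServerv4Failover -ComputerName $DhcpServer -Name 'AdatumDHCPFailover' `
        -PartnerServer $DhcpPartner -ScopeId 10.0.0.0 `
        -LoadBalancePercent 50 -MaxClientLeadTime (New-TimeSpan -Minutes 10) `
        -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 60) `
        -SharedSecret 'Pa$$w0rd' -Force
    Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId 10.0.0.0
}

# 6th: the address block, and the 172.16.0.10 inventory entry that also
# creates the DHCP reservation on LON-DC1 and the Webserver host record.
function Add-WebserverAddress {
    Add-IpamBlock -NetworkId '172.16.0.0/16' -StartIPAddress 172.16.0.1 -EndIPAddress 172.16.255.254
    Add-IpamAddress -IpAddress 172.16.0.10 -ManagedByService IPAM -ServiceInstance Localhost `
        -DeviceType Host -DeviceName 'Webserver' -MacAddress '00-15-5D-00-00-10' `
        -ReservationServer $DhcpServer -ReservationName 'Webserver' -ReservationType Both `
        -ForwardLookupZone $Domain -ForwardLookupPrimaryServer $DhcpServer
    # The same checks as steps 10-11, from here instead of the DC's consoles.
    Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId 172.16.0.0
    Resolve-DnsName -Name "Webserver.$Domain" -Server $DhcpServer -Type A
}

Install-AdatumIpam
Start-AdatumDiscovery
Set-Dc1Managed
New-BranchScope
Add-WebserverAddress
```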

Wow, what a long list of steps. We are done for now; at this point, we have installed IPAM and configured it with IPAM-related GPOs, IP management server discovery, managed servers, a new DHCP scope, IP address blocks, IP addresses, DHCP reservations, and DNS records.

Simple Step : Implementing DNS Security in Windows Server 2012 R2

As we all know, DNS is one of the most critical network services for any network, because many applications and services, such as AD DS, rely on DNS to resolve resource names to IP addresses.

Without DNS, user authentication fails, and network-based resources and applications might become inaccessible.

With these reasons in mind, you need to manage and protect DNS.

Since DNS is a critical network service, as a Server Administrator you must protect it as much as possible.

A number of options are available for protecting the DNS server, including :
• DNS cache locking
• DNS socket pool
• DNSSEC

Before we start the step-by-step DNS security implementation, let's go through some theory behind these technologies.

DNS Cache Locking

Cache locking is a Windows Server 2012 R2 security feature that allows you to control when information in the DNS cache can be overwritten. When a recursive DNS server responds to a query, it caches the results so that it can respond quickly if it receives another query requesting the same information. The period of time the DNS server keeps information in its cache is determined by the Time to Live (TTL) value for a resource record. With cache locking enabled, the server refuses to overwrite a cached record until a configured percentage of that TTL has elapsed, which blunts attempts to replace a valid cached entry with a spoofed one.

DNS Socket Pool

The DNS socket pool enables a DNS server to use source port randomization when it issues DNS queries. When the DNS service starts, the server chooses a source port from a pool of sockets that are available for issuing queries. Instead of using a predictable source port, the DNS server uses a random port number that it selects from the DNS socket pool. The DNS socket pool makes cache-tampering attacks more difficult because a malicious user must correctly guess both the source port of a DNS query and a random transaction ID to successfully run the attack. The DNS socket pool is enabled by default in Windows Server 2012 R2.

DNSSEC

DNSSEC enables a DNS zone and all records in the zone to be signed cryptographically so that client computers can validate the DNS response. DNS is often subject to various attacks, such as spoofing and cache-tampering. DNSSEC helps protect against these threats and provides a more secure DNS infrastructure.

For more information, please refer to: http://technet.microsoft.com/en-us/library/cc731367.aspx

So now, let's go through the simple steps by which you, as a server administrator, can implement DNS security.

1st – Steps to configure DNSSEC.

1 – Open Server Manager, click Tools and open DNS Manager; in DNS Manager, browse to your domain name, then right-click the domain name, click DNSSEC and then click Sign the Zone…

2 – In the Zone Signing Wizard interface, click Next


3 – On the Signing options interface, click Customize zone signing parameters, and then click Next…


4 – On the Key Master interface, ensure that "The DNS server LON-DC1 is selected as the Key Master", and then click Next…

5 – On the Key Signing Key (KSK) interface, click Next…


6 – On the Key Signing Key (KSK) interface, click Add


7 – On the New Key Signing Key (KSK) interface, click OK…

** Please spend some time going through the key properties on the New Key Signing Key (KSK) interface.

8 – On the Key Signing Key (KSK) interface, click Next…


9 – On the Zone Signing Key (ZSK) interface, click Next…


10 – On the Zone Signing Key (ZSK) interface, click Add


11 – On the New Zone Signing Key (ZSK) interface, click OK…


12 – On the Zone Signing Key (ZSK) interface, click Next…


13 – On the Next Secure (NSEC) interface, click Next…

** NSEC is used when the DNS response has no data to provide to the client; this record authenticates that the host does not exist…

14 – On the Trust Anchors (TAs) interface, check the Enable the distribution of trust anchors for this zone check box, and then click Next.

** A trust anchor is an authoritative entity that is represented by a public key. The TrustAnchors zone stores preconfigured public keys that are associated with a specific zone.

15 – On the Signing and Polling Parameters interface, click Next…


16 – On the DNS Security Extensions (DNSSEC) interface, click Next, and then click Finish…

17 – In the DNS console, expand Trust Points, expand com, and then click your domain name.

Ensure that the DNSKEY resource records are displayed and that their status is Valid…

18 – Next, open Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit…


19 – In the Group Policy Management Editor interface, under Computer Configuration, expand Policies, expand Windows Settings, and then click Name Resolution Policy…

** In the right pane, under Create Rules, in the Suffix box, type Adatum.com to apply the rule to the suffix of the namespace.

** Select both the Enable DNSSEC in this rule check box and the Require DNS clients to check that the name and address data has been validated by the DNS server check box, and then click Create.

2nd – Configure the DNS Socket Pool

1 – On the domain server, open Windows PowerShell and type: Get-DNSServer

** This command displays the current size of the DNS socket pool (on the fourth line in the ServerSetting section). Note that the current size is 2,500.

*** Please take note that the default DNS socket pool size is 2,500. When you configure the DNS socket pool, you can choose a size value from 0 to 10,000. The larger the value, the greater the protection you will have against DNS spoofing attacks.

2 – Now let's change the socket pool size to 3,000…

Type: dnscmd /config /socketpoolsize 3000

3 – Restart your DNS server for the change to take effect…

** Confirm that the new socket pool size is now 3000.

3rd – Configure the DNS Cache Locking

1 – In Windows PowerShell, type Get-DnsServer

** This command will display the current percentage value of the DNS cache lock.

** Note that the current value is 100 percent.

2 – Type Set-DnsServerCache -LockingPercent 70

** This changes the cache lock value to 70 percent.

*** Please take note that you configure cache locking as a percentage value.

For example, if the cache locking value is set to 50, the DNS server will not overwrite a cached entry for half of the duration of the TTL.

By default, the cache locking percentage value is 100.

This means that cached entries will not be overwritten for the entire duration of the TTL.

So, as a best practice, you should set your cache locking settings to at least 90%.
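The three parts above (DNSSEC signing with the NRPT rule, the socket pool, and cache locking) as one PowerShell script, added here as an example that is not the post's own code. Values from the post: the Default Domain Policy NRPT rule for Adatum.com, socket pool size 3000, cache locking 70; assumptions not in the post: the zone name Adatum.com, default key parameters instead of the wizard's customized ones, and the DnsServer/DnsClient modules of Windows Server 2012 R2 on LON-DC1.

```powershell
# Added example, not the post's own code: the DNSSEC, NRPT, socket pool and
# cache locking steps above, run from an elevated PowerShell on the domain
# DNS server (LON-DC1). Assumption: the zone is Adatum.com.

$Zone = 'Adatum.com'

# 1st, steps 1-17: sign the zone. -SignWithDefault produces the wizard's
# default KSK/ZSK/NSEC3 choices; the trust-anchor setting is step 14 and
# Get-DnsServerTrustAnchor is the step-17 check (DNSKEY records, Valid).
function Invoke-AdatumZoneSigning {
    Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force
    Set-DnsServerDnsSecZoneSetting -ZoneName $Zone -DistributeTrustAnchor DnsKey
    Get-DnsServerTrustAnchor -Name $Zone
}

# 1st, steps 18-19: the NRPT rule in Default Domain Policy. DnsSecEnabled
# alone lets clients ask for validation; DnsSecValidationRequired makes them
# reject unvalidated answers for the suffix, which is the post's second box.
function Set-AdatumNrptRule {
    Add-DnsClientNrptRule -GpoName 'Default Domain Policy' -Namespace ".$Zone" `
        -DnsSecEnabled -DnsSecValidationRequired -Comment 'Require DNSSEC for Adatum.com'
    Get-DnsClientNrptRule -GpoName 'Default Domain Policy'
}

# 2nd: socket pool. The post reads it via Get-DnsServer and sets it with
# dnscmd; the valid range is 0-10000 and the service must restart to apply.
function Set-DnsSocketPool {
    param([ValidateRange(0, 10000)][int]$Size = 3000)
    $before = (Get-DnsServer).ServerSetting.SocketPoolSize
    dnscmd /config /socketpoolsize $Size | Out-Null
    Restart-Service -Name DNS
    [pscustomobject]@{ Before = $before; After = (Get-DnsServer).ServerSetting.SocketPoolSize }
}

# 3rd: cache locking as a percentage of TTL. 70 is the post's demo value;
# its own best-practice note is at least 90 (100 is the default).
function Set-DnsCacheLocking {
    param([ValidateRange(0, 100)][int]$Percent = 70)
    Set-DnsServerCache -LockingPercent $Percent
    (Get-DnsServerCache).LockingPercent
}

Invoke-AdatumZoneSigning
Set-AdatumNrptRule
Set-DnsSocketPool -Size 3000
Set-DnsCacheLocking -Percent 70
```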

OK folks, that's all for now; I will continue blogging later on how to configure a GlobalNames zone in DNS.

Simple Step : Implementing VPN in Windows Server 2012 R2

VPN provides secure access to an organization's internal data and applications for clients and devices that are using the Internet.

To properly implement and support a VPN environment within your organization, you must understand how to select a suitable tunnelling protocol, configure VPN authentication, and configure the server role to support your chosen configuration.

As in previous versions of Windows Server, there are two types of VPN connection available in Windows Server 2012 R2 :
• Remote access
• Site-to-site

Remote Access VPN Connections

Remote access VPN connections enable your users who are working offsite, such as at home, at a customer site, or from a public wireless access point, to access a server on your organization’s private network by using the infrastructure that a public network, such as the Internet, provides.

Site-to-Site VPN Connections

Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your organization to establish routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. When networks connect over the Internet, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.

So in my post this time, let's go through the simple steps by which you can implement VPN in your infrastructure; for this demo, I will continue using the same VMs that I had for my DirectAccess implementation.

Please refer to my previous DirectAccess post for the VMs that I use to implement this VPN.

https://mizitechinfo.wordpress.com/2014/11/20/step-by-step-implementing-basic-directaccess-in-windows-server-2012-r2/

For more information about VPN / Remote Access, please refer to: http://technet.microsoft.com/en-us/library/dn383589.aspx

Let's get started with our VPN configuration.

1st, let's review some of the Routing & Remote Access settings and make some changes on the RRAS.

1 – Log in to the LON-RTR server, open Server Manager, click Tools and then click Remote Access Management Console…

2 – In the Remote Access Management Console, click DirectAccess and VPN, and from the Actions pane, under the VPN section, click Enable VPN…


3 – In the Enable VPN box, click OK…


4 – Verify that the configuration was applied successfully and then click Close…


5 – Next, switch to Server Manager, click Tools and then click Routing and Remote Access…


6 – Next, in the Routing and Remote Access console, expand LON-RTR, right-click Ports and click Properties…

7 – Verify that 128 ports exist for SSTP, IKEv2, PPTP, and L2TP, then double-click WAN Miniport (SSTP)…


8 – In the Maximum ports box, type 5, and then click OK…


9 – In the Routing and Remote Access message box, click Yes…


10 – Repeat steps 8 and 9 for IKEv2, PPTP, and L2TP, then click OK…

11 – Next, right-click LON-RTR (local) and click Properties…

12 – On the General tab, verify that IPv4 Remote access server is selected…

13 – Next, click the Security tab, verify that certificate 131.107.0.10 is selected for SSL Certificate Binding, and then click Authentication Methods…

14 – In the Authentication Methods box, verify that EAP is selected as the authentication protocol and then click OK…


15 – Next, click the IPv4 tab, verify that the VPN server is configured to assign IPv4 addresses by using Dynamic Host Configuration Protocol (DHCP), and click OK to close the Properties interface…

2nd, before we proceed, please make sure that you verify the certificate requirements for IKEv2 and SSTP on the LON-RTR server…

1 – On the LON-RTR server, open MMC, click File and then click Add/Remove Snap-in…

2 – In the Add/Remove Snap-in interface, click Certificates, click Add, select Computer account, and then click Next…


3 – Click Local computer and then click Finish…


4 – Click OK to close Add or Remove Snap-ins…

5 – Next, expand Certificates (Local Computer), expand Personal, and then click Certificates.

— Notice the certificate 131.107.0.10; this certificate is for Server Authentication (this is required for Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2) VPN connectivity).

3rd, it's time now for us to configure the Remote Access server…

1 – Still on the LON-RTR server, open Server Manager, and on the Tools menu, click Network Policy Server…

2 – In the Network Policy Server console, expand Policies, and then click Network Policies.

– Right-click the policy at the top of the list and the policy at the bottom of the list, and then click Disable…

3 – Next, in the navigation pane, right-click Network Policies, and then click New…


4 – In the New Network Policy wizard, in the Policy name box, type Adatum VPN Policy, then in the Type of network access server list, click Remote Access Server (VPN-Dial up), and then click Next…

5 – On the Specify Conditions interface, click Add…


6 – In the Select condition interface, click Windows Groups, and then click Add…


7 – In the Windows Groups interface, click Add Groups…


8 – Type IT, and then click OK (you can choose your own preferred group)…

9 – In the Windows Groups interface, verify that ADATUM\IT is listed, and then click OK…


10 – In the Specify Conditions interface, click Next…


11 – In the Specify Access Permission interface, click Access granted, and then click Next…


12 – On the Configure Authentication Methods interface, make sure that you clear the Microsoft Encrypted Authentication (MS-CHAP) check box, and then, to add EAP types, click Add…

13 – On the Add EAP Types interface, select Microsoft: Secured password (EAP-MSCHAP v2), and then click OK…

14 – Repeat the same step, but this time choose Microsoft: Smart Card or other certificate, then click Next…

15 – On the Configure Constraints interface, click Next…


16 – On the Configure Settings interface, click Next…


17 – On the Completing New Network Policy interface, click Finish…


Up to this step, we've successfully modified the remote access server configuration to provide VPN connectivity.

4th, so now let's verify our VPN connectivity from our Windows 8.1 client…

1 – On the Windows 8.1 client PC, open Network and Sharing Center, then click Set up a new connection or network…

2 – Next, on the Choose a connection option interface, click Connect to a workplace, and then click Next…


3 – On the How do you want to connect? interface, click Use my Internet connection (VPN)…


4 – On the Connect to a Workplace interface, click I’ll set up an Internet connection later…


5 – In the Internet address box, type 131.107.0.10 (the LON-RTR IP address)…

— In the Destination name box, type HQ VPN, select the Allow other people to use this connection check box, and then click Create…

6 – Next, right-click the HQ VPN connection and select Properties…

7 – In HQ VPN Properties, click the Security tab, select Allow these protocols, ensure that Microsoft CHAP Version 2 (MS-CHAP v2) is selected, and then click OK…

8 – Next, right-click HQ VPN and then click Connect…

9 – In the Network list, under HQ VPN, click Connect…

10 – In the sign-in dialog box, type the credentials of a domain user from the IT department and then click OK…

11 – Verify that you are connected to Adatum by using a PPTP connection: right-click HQ VPN and then click Status…
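The two checks the post walks through by hand (the server certificate for SSTP/IKEv2 and the EAP setting on LON-RTR, then the HQ VPN profile and connection on the Windows 8.1 client), as an added PowerShell example that is not the post's own code. Values from the post: 131.107.0.10, the HQ VPN name, PPTP with MS-CHAP v2, and "Allow other people to use this connection"; assumptions not in the post: the certificate subject contains 131.107.0.10, the RemoteAccess module is present on LON-RTR and the VpnClient module on the client.

```powershell
# Added example, not the post's own code. Part A runs on LON-RTR (2nd section
# step 5 and 1st section step 14); part B runs on the Windows 8.1 client
# (4th section). Assumption: the certificate subject contains 131.107.0.10.

# Part A, LON-RTR: the SSTP/IKEv2 certificate must sit in the computer
# Personal store, have a private key, carry the Server Authentication EKU,
# be unexpired, and name the address that clients dial.
function Test-VpnServerCertificate {
    param([string]$Name = '131.107.0.10')
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.Subject -like "*$Name*" -and
            $_.HasPrivateKey -and
            $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' -and
            $_.NotAfter -gt (Get-Date)
        } | Select-Object Subject, Thumbprint, NotAfter
}

# Part A, LON-RTR: the accepted user authentication protocol (EAP in step 14).
function Get-VpnServerAuthentication {
    Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted, RootCertificateNameToAccept
}

# Part B, client, steps 1-7. -AllUserConnection is the "Allow other people to
# use this connection" box. Pptp with MS-CHAP v2 is what the post verifies;
# Sstp or Ikev2 instead rely on the certificate checked in part A.
function New-HqVpnProfile {
    param(
        [string]$Server = '131.107.0.10',
        [string]$Name   = 'HQ VPN',
        [ValidateSet('Pptp', 'Sstp', 'Ikev2', 'L2tp')][string]$TunnelType = 'Pptp'
    )
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType $TunnelType `
        -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
        -AllUserConnection -RememberCredential:$false -Force
    Get-VpnConnection -Name $Name -AllUserConnection |
        Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus
}

# Part B, client, steps 8-11. rasdial prompts for the password when the third
# argument is *, so the password never lands in the shell history.
function Connect-HqVpn {
    param([string]$Name = 'HQ VPN', [Parameter(Mandatory)][string]$User)
    rasdial $Name $User *
    (Get-VpnConnection -Name $Name -AllUserConnection).ConnectionStatus   # Connected on success
}

# Usage on LON-RTR:   Test-VpnServerCertificate; Get-VpnServerAuthentication
# Usage on the client: New-HqVpnProfile; Connect-HqVpn -User 'ADATUM\<IT user>'
```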

Orait, that's all for now; we've connected to HQ VPN successfully…

box, type Pa$$w0rd, and then click OK.

 

 

Step by Step : Implementing Basic DirectAccess in Windows Server 2012 R2

As promised previously, this time I will show you the basic steps by which you can implement DirectAccess in Windows Server 2012 R2.

But, as usual, let's go through a bit of information about DirectAccess first.

The DirectAccess feature in Windows Server 2012 R2 enables seamless remote access to intranet resources without first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless connectivity to the application infrastructure, for both internal users and remote users.

Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess enables any application on the client computer to have complete access to intranet resources. DirectAccess also enables you to specify resources and client-side applications that are restricted for remote access.

To deploy and configure DirectAccess, your organization must support the following infrastructure components:

• DirectAccess server.
• DirectAccess clients.
• Network location server.
• Internal resources, such as corporate applications.
• An AD DS domain.
• Group Policy.
• PKI (optional for the internal network).
• Domain Name System (DNS) server.
• Network Access Protection (NAP) server.

To be honest, implementing DirectAccess is not as easy as reading the manual; there are many things you need to understand and be familiar with. But I'll try my best to present simple steps so that you can try it in your isolated testing environment.

For more information, please browse to: http://technet.microsoft.com/en-us/library/dn636118.aspx

So, ladies & gentlemen, start your engines; let's drive into the world of DirectAccess…

1st, before we begin, there are a few requirements: a number of VMs and settings need to be in place before implementing DirectAccess.

For this demo, I will be using 5 VMs, consisting of 4 Windows Server 2012 R2 VMs and 1 Windows 8.1 client VM, all running in Hyper-V.

Infrastructure requirements (this is based on the isolated environment; it might differ in a real production implementation):

  • 1 Domain Controller Server (LON-DC01)
  • 1 Routing & Remote Access Server (LON-RTR)
  • 1 Member Server (LON-SVR1 )
  • 1 Internet DNS server (INET1) ** Please take note that the INET1 server is used to simulate the Internet DNS server.
  • 1 Client PC running Windows 8.1 (LON-CL1)

2nd, let's verify the network configuration for all our VMs (please refer to the pictures):

  • LON-DC01
  • LON-RTR
    • Requires 3 NICs:
      • Ethernet
      • Ethernet 2
      • Internet
  • LON-SVR1
  • INET1
  • LON-CL1
    • Requires 3 NICs (only for simulation):
      • Ethernet
      • Ethernet 2

We are done with the network configuration; please be careful with the network setup and understand which IPs go to which connection.

3rd, creating the DirectAccess OU & group in Active Directory.

** You need to create the OU & group because we are going to add LON-CL1 into this group so that the client can have a DirectAccess connection.

1 – Create a new OU – In the New Object – Organizational Unit dialog box, in the Name box, type DirectAccess _Clients, and then click OK…

2 – In the Active Directory Users and Computers console, expand Adatum.com, right-click the DirectAccess _Clients OU, click New, and then click Group…

3 – In the New Object – Group dialog box, in the Group name box, type Adatum DA_Clients…


4 – Next, right-click Adatum DA_Clients and then click Properties…

5 – In the Adatum DA_Clients Properties dialog box, click the Members tab, click Add, and then click Object Types…

6 – Next, select the Computers check box, and then click OK…

7 – In the Enter the object names to select (examples) box, type LON-CL1, and then click OK…


8 – Verify that LON-CL1 is displayed under Members, and then click OK…


We are done on the domain server; now let's switch to the LON-RTR server to configure our DirectAccess…

1 – On the LON-RTR server, open Server Manager, click Tools and then click Remote Access Management (for this demo I expect that you already know how to install the Remote Access role)…

2 – In the Remote Access Management console, under Configuration, click DirectAccess and VPN and then click Run the Getting Started Wizard…

3 – On the Configure Remote Access interface, click Deploy DirectAccess only


4 – On the Configure Remote Access interface, verify that Edge is selected, and in the Type the public name or IPv4 address used by clients to connect to the Remote Access server box, type 131.107.0.10, and then click Next…

5 – In the Configure Remote Access interface, click the here link…

5

6 – On the Remote Access Review interface, verify that two GPOs are created, DirectAccess Server Settings and DirectAccess Client settings, and then next to Remote Clients, click the Change

6

7 – Next, select Domain Computers (Adatum\Domain Computers), and then click Remove

7

8 – Next, on the same interface, click Add, and then type Adatum DA_Clients, and then click OK

8

9 – Make sure you clear the Enable DirectAccess for mobile computers only check box, and then click Next…

9

10 – On the DirectAccess Client Setup interface, click Finish.

10

11 – On the Remote Access Review interface, verify that ADATUM\Adatum DA_Clients listed under Remote Clients and then click OK…

11

12 – wait for few minutes for the settings to complete…

12

13 – Once the configuration complete, click Close…

13

14 – Confirm that your DirectAccess setup is complete with this interface…

14
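Steps 6 to 9 checked, and corrected if needed, from PowerShell on LON-RTR with the RemoteAccess module, as an added example that is not part of the original post; it assumes the Getting Started Wizard has already run and that Get-DAClient exposes the SecurityGroupNameList and OnlyRemoteComputers properties:

```powershell
# Added example (not the post's own steps): steps 6-9 checked from PowerShell on LON-RTR.
# Assumes the Getting Started Wizard has run and the RemoteAccess module is present.
Import-Module RemoteAccess

$wantedGroup = 'Adatum\Adatum DA_Clients'   # the group created in the previous section
$wantedLike  = '*\Adatum DA_Clients'
$tooWideLike = '*\Domain Computers'         # the wizard's default: every domain-joined computer

$da = Get-DAClient
"Client security groups : $($da.SecurityGroupNameList -join ', ')"
"Mobile computers only  : $($da.OnlyRemoteComputers)"

# Step 7: a client GPO scoped to Domain Computers would hand the DirectAccess settings
# (NRPT, IPsec tunnel policy) to every machine in the domain, so take it out of scope
$tooWide = $da.SecurityGroupNameList | Where-Object { $_ -like $tooWideLike }
if ($tooWide) {
    Remove-DAClient -SecurityGroupNameList $tooWide
}
# Step 8: scope the client GPO to the dedicated group instead
if (-not ($da.SecurityGroupNameList | Where-Object { $_ -like $wantedLike })) {
    Add-DAClient -SecurityGroupNameList $wantedGroup
}
# Step 9: LON-CL1 is not a laptop, so do not limit the GPO to mobile computers
if ($da.OnlyRemoteComputers -eq 'Enabled') {
    Set-DAClient -OnlyRemoteComputers Disabled
}

# Re-read the configuration and fail loudly if the scope is still wrong (what step 11 reviews)
$da = Get-DAClient
if ($da.SecurityGroupNameList | Where-Object { $_ -like $tooWideLike }) {
    throw 'Domain Computers is still a DirectAccess client group'
}
if (-not ($da.SecurityGroupNameList | Where-Object { $_ -like $wantedLike })) {
    throw "$wantedGroup is not a DirectAccess client group"
}
"Scoped to: $($da.SecurityGroupNameList -join ', ')"
```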

4th, with all the configuration done, it's time for us to test / validate our DirectAccess deployment.

1 – Switch to your client PC, log in as administrator, open CMD, and at the CMD prompt type gpupdate /boot /force

** We do this because when you configured the DirectAccess server, the wizard created 2 Group Policies and linked them to the domain, so you need to apply the policy to our client PC…

2 – Next, let's verify that the DirectAccess Client Settings GPO is applied to our client PC: in the CMD prompt type gpresult /r

** Under the Computer Settings section, verify that the DirectAccess Client Settings GPO is applied.

3 – Next, in the CMD prompt type netsh name show effectivepolicy

** Verify that the following message is displayed: DNS Effective Name Resolution Policy Table Settings

4 – Now let's move our client from the intranet to the public network: on LON-CL1, disable the Ethernet connection…

5 – Then, enable Ethernet 2…

6 – Open the Ethernet 2 IPv4 properties to verify the IP settings…

7 – Now it's time for us to test the DirectAccess connectivity (fingers crossed)…

** On LON-CL1, open IE and then type http://lon-svr1.adatum.com

** Verify that the default Internet Information Services (IIS) 8.0 web page for LON-SVR1 appears.

** Restart LON-CL1 if the default IIS 8.0 web page for LON-SVR1 doesn't appear…

8 – Next, try to access the LON-SVR1 server files (just to confirm that all access is available)…

9 – Next, let's verify connectivity to the DirectAccess server: still on LON-CL1, open CMD and type netsh name show effectivepolicy…

** Verify that DNS Effective Name Resolution Policy Table Settings presents 2 entries, for adatum.com and Directaccess-NLS.Adatum.com.

10 – Next, on LON-CL1, open PowerShell and type Get-DAClientExperienceConfiguration

** This command just gets the DirectAccess client settings.

11 – Finally, to verify LON-CL1 connectivity on the DirectAccess server, switch to the LON-RTR server; in the Remote Access Management console, click Remote Client Status and notice that the client is connected via IPHttps…

** We've successfully verified that LON-CL1 can access the internal network by using DirectAccess.
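The client-side checks from steps 2, 3, 7, 9 and 10 collected into one script, as an added example that is not part of the original post; it assumes an elevated PowerShell on LON-CL1 after switching to Ethernet 2, and that Get-DAConnectionStatus (DirectAccessClientComponents module) is available on the Windows 8.1 client:

```powershell
# Added example (not the post's own steps): the client-side checks from steps 2, 3, 7,
# 9 and 10 in one script. Run in an elevated PowerShell on LON-CL1 after switching
# to Ethernet 2. Assumes Get-DAConnectionStatus (DirectAccessClientComponents) exists.
$results = [ordered]@{}

# Step 2: the DirectAccess Client Settings GPO must show under the computer settings
$gp = gpresult /r /scope:computer | Out-String
$results['Client GPO applied (gpresult)'] = $gp -match 'DirectAccess Client Settings'

# Steps 3 and 9: the NRPT the GPO pushes; two entries are expected, the adatum.com
# suffix rule and the exemption for the Network Location Server name
$nrpt = netsh name show effectivepolicy | Out-String
$results['NRPT has adatum.com rule'] = $nrpt -match '\.adatum\.com'
$results['NRPT has NLS exemption']   = $nrpt -match 'directaccess-nls\.adatum\.com'

# Step 7: reach an intranet host by name through the tunnel (IIS default page on LON-SVR1)
try {
    $r = Invoke-WebRequest -Uri 'http://lon-svr1.adatum.com' -UseBasicParsing
    $results['LON-SVR1 IIS page reachable'] = ($r.StatusCode -eq 200)
} catch {
    $results['LON-SVR1 IIS page reachable'] = $false
}

# Step 10: the client configuration is only present once the GPO has been processed
$results['DA client config present'] = ($null -ne (Get-DAClientExperienceConfiguration))

# Client-side view of what step 11 shows on LON-RTR: ConnectedRemotely means the
# IP-HTTPS / IPsec tunnel is up from the public network
$status = Get-DAConnectionStatus
$results['Connected remotely'] = ($status.Status -eq 'ConnectedRemotely')

# Any FAIL points back at the numbered step to re-check in the post
$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
"Status detail: $($status.Status) / $($status.Substatus)"
```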

I’m done for now, thank you for reading and wait for my next post…

Simple Step : Configure Folder Redirection in Windows Server 2012 R2

As a Server Admin, you can use GPOs to deploy scripts to users and computers.

You can also redirect folders that are included in the user's profile to a file server. These features let you configure users' desktop settings more easily and, where desirable, create a standardized desktop environment that meets your organization's needs.

So, what is Folder Redirection?

You can use Folder Redirection to manage data effectively and, if you choose, to back up data.

By redirecting folders, you ensure that users can access their data regardless of the computer they log in from.

So in this post, let's go through the simple steps to configure Folder Redirection…

1 – First, make sure that you have a shared folder for this step; for this demo, I created my shared folder previously (MCT Docs – OSI Branch 01)…

2 – Next, we need to create a new GPO and link it to the IT OU (you can use any OU you prefer)…

– In the Group Policy Management console, right-click the IT OU and then click Create a GPO in this domain, and Link it here…

3 – In the Name box, type MCT Folder Redirection, and then click OK…

4 – Next, expand the IT OU, right-click MCT Folder Redirection, and then click Edit…

5 – In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then expand Folder Redirection…

– Next, right-click Documents, and then click Properties…

6 – In the Document Properties dialog box, on the Target tab, next to Setting, click the drop-down arrow, and then select Basic – Redirect everyone's folder to the same location…

– Ensure the Target folder location box is set to Create a folder for each user under the root path…

– In the Root Path box, type \\dc01\MCT Docs – OSI Branch 01, and then click OK…

7 – In the Warning dialog box, click Yes…

8 – Next, let's test the folder redirection settings: switch to your client PC and log in as any of your domain users, right-click the desktop, and then click Personalize…

9 – In the navigation pane, click Change desktop icons…

10 – In Desktop Icon Settings, select the User's Files check box, and then click OK…

11 – On the desktop, double-click the Steve Winfield folder…

– Right-click Documents, and then click Properties…

12 – In the Document Properties dialog box, verify that the location of the folder is now the network share, in a subfolder named for the user…
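An added check, not from the original post, on the share from step 1: it audits the NTFS permissions of the redirection root against Microsoft's documented layout for a folder redirection share (users get only List and Create-folder rights on the root, applied to this folder only; full control of each user's subfolder comes from CREATOR OWNER). Run it on DC01; the share name is the post's and the local folder behind it is read from the share definition:

```powershell
# Added example (not the post's own steps): audits the NTFS ACL of the redirection
# root from step 1. Run on DC01; the local path is read from the SMB share definition.
$shareName = 'MCT Docs – OSI Branch 01'            # share name from the post
$root      = (Get-SmbShare -Name $shareName).Path  # local folder behind \\dc01\<share>

# What a non-admin principal may hold on the root itself: list it and create a subfolder.
# Anything more (Read on files, Write, Full control) lets users into each other's folders.
$allowedOnRoot = [System.Security.AccessControl.FileSystemRights] `
    'ListDirectory, CreateDirectories, ReadAttributes, ReadPermissions, Synchronize'
$trusted  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
$findings = @()

foreach ($ace in (Get-Acl -Path $root).Access) {
    $id = $ace.IdentityReference.Value
    '{0,-36} {1,-5} {2,-30} inherit={3}' -f $id, $ace.AccessControlType, $ace.FileSystemRights, $ace.InheritanceFlags
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($id -eq 'CREATOR OWNER') {
        # Must apply to subfolders and files only: that is what gives each user full
        # control of the folder the GPO creates for them, and nothing on the root
        if ($ace.PropagationFlags -notmatch 'InheritOnly') { $findings += "CREATOR OWNER ACE is not 'subfolders and files only'" }
        continue
    }
    if ($trusted -contains $id -or $id -like '*\Domain Admins') { continue }
    $extra = [int]$ace.FileSystemRights -band (-bnot [int]$allowedOnRoot)
    if ($extra -ne 0) {
        $findings += "$id holds more than List/Create on the root: $([System.Security.AccessControl.FileSystemRights]$extra)"
    }
    if ($ace.InheritanceFlags -ne 'None') {
        $findings += "$id ACE propagates into the user subfolders; set it to 'This folder only'"
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { "Root ACL of $root matches the folder redirection layout" }
```

Inherited ACEs from the volume root (for example BUILTIN\Users) show up as findings too, which is intended: inheritance on a redirection root should be disabled.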

OK, that's it for now…

In my next post, I will go through how to configure DirectAccess…

Simple Step : Deploying Software using Group Policy in Windows Server 2012 R2

Windows Server 2012 R2 includes a feature called Software Installation and Maintenance that AD DS, Group Policy, and the Windows Installer service use to install, maintain, and remove software from your organization's computers.

In this post, let's go through the simple steps to deploy software to our infrastructure using a GPO.

For this demo, I will be using Adobe Reader X as my application.

1 – In your Domain Server, open Server Manager, click Tools and open Group Policy Management…

– In the Group Policy Management console, right-click the domain name (osi.com.my in this demo), and click Create a GPO in this domain, and Link it here…

2 – In the New GPO box, in the Name box, type Deploy Adobe Reader, and then click OK…

3 – Next, in the Group Policy Management console, right-click the Deploy Adobe Reader GPO and click Edit…

4 – In the Group Policy Management Editor, under Computer Configuration, expand Policies, and then expand Software Settings.

– Right-click Software installation. From the context menu, click New, and then click Package…

5 – In the Open dialog box, browse to \\dc01\Adobe, click AdbeRdr1000_en_US.msi, and then click Open.

6 – In the Deploy Software window, ensure that the Assigned option is selected, and then click OK…

7 – Wait a few seconds and verify that Adobe Reader X is listed in the Group Policy Management Editor…

8 – Now let's switch to our Windows 8.1 client PC. I recommend that you run gpupdate /boot /force on the client PC and then restart it.

– After restarting your client PC and logging in as a domain user, you can verify that Adobe Reader is installed.
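An added check, not from the original post, to run on DC01 before step 5: because an assigned package is installed as SYSTEM on every computer the GPO reaches, the script verifies that only administrators can write to \\dc01\Adobe, that domain computers can read it, and that the MSI carries a valid Authenticode signature. The share and file names are the post's; the Domain Admins naming and Get-FileHash (PowerShell 4.0) are assumptions:

```powershell
# Added example (not the post's own steps): checks the package source from step 5.
# Run on DC01. Share and file names are the post's; Domain Admins naming and the
# PowerShell 4.0 Get-FileHash cmdlet are assumptions.
$share   = 'Adobe'                                  # \\dc01\Adobe
$msi     = Join-Path (Get-SmbShare -Name $share).Path 'AdbeRdr1000_en_US.msi'
$admins  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
$writers = @()

# 1. Share-level ACL: anything beyond Read for a non-admin account means the MSI
#    (which every targeted machine runs as SYSTEM at startup) could be replaced
foreach ($a in Get-SmbShareAccess -Name $share) {
    if ($a.AccessControlType -eq 'Allow' -and $a.AccessRight -ne 'Read' -and
        $admins -notcontains $a.AccountName -and $a.AccountName -notlike '*\Domain Admins') {
        $writers += "share: $($a.AccountName) has $($a.AccessRight)"
    }
}

# 2. NTFS ACL of the folder behind the share, same rule (generic all/write bits included)
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE
$ntfs = (Get-Acl -Path (Split-Path $msi)).Access
foreach ($a in $ntfs) {
    $id = $a.IdentityReference.Value
    if ($a.AccessControlType -eq 'Allow' -and ([int]$a.FileSystemRights -band $writeMask) -ne 0 -and
        $admins -notcontains $id -and $id -notlike '*\Domain Admins') {
        $writers += "ntfs:  $id has $($a.FileSystemRights)"
    }
}

# 3. Computer accounts install assigned packages at startup, so they must be able to read
$canRead = $ntfs | Where-Object { $_.AccessControlType -eq 'Allow' -and
           $_.IdentityReference.Value -match 'Domain Computers|Authenticated Users|Everyone' }
if (-not $canRead) { Write-Warning 'No ACE lets domain computers read the folder; startup installs will fail' }

# 4. Is the file the vendor's? Check the Authenticode signature and record the hash
$sig  = Get-AuthenticodeSignature -FilePath $msi
$hash = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
"Signature : $($sig.Status)  $($sig.SignerCertificate.Subject)"
"SHA-256   : $hash"
if ($sig.Status -ne 'Valid') { Write-Warning "MSI signature is $($sig.Status); verify the file before assigning it" }

if ($writers) { Write-Warning ("Non-admin write access to the package source:`n  " + ($writers -join "`n  ")) }
else          { 'Package source is read-only for non-administrators' }
```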

That's all for now… I will continue later with Configuring Folder Redirection in Windows Server 2012 R2…