How to install and configure WSUS 3.0 SP2 on Windows Server 2008

Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2) provides a comprehensive solution for managing updates on your network. Rather than having every computer in your organization download megabytes of updates over the internet, you configure one WSUS server to download updates from Microsoft Update, and then configure every other computer to use that WSUS server as its update source. This also gives you control over which updates are approved, and for which computers, before anything is installed.
WSUS 3.0 SP2 server software prerequisites:
• Microsoft Management Console 3.0
• Microsoft .NET Framework 2.0 or later
• Microsoft Report Viewer Redistributable 2008
• One of the following supported databases:
  ◦ Microsoft SQL Server 2008 Express, Standard, or Enterprise Edition, or SQL Server 2005 SP2
  ◦ Windows Internal Database
• Internet Information Services (IIS)

Install IIS:
Install the Web Server (IIS) role from Server Manager before running WSUS Setup; WSUS hosts its client-facing web services in IIS.
Install WSUS Server:
If you are running Windows Server 2008 R2, you can install WSUS 3.0 SP2 as a role from Server Manager. On Windows Server 2008 you need to download WSUSSetup.exe from the Microsoft website first.
Here I am using WSUSSetup.exe on Windows Server 2008. Running WSUSSetup.exe launches the WSUS Setup Wizard.
On the Welcome page of the Windows Server Update Services 3.0 Setup Wizard, click Next.
On the Installation Mode Selection page, select Full server installation including Administration Console, and click Next.
On the License Agreement page, read the terms of the license agreement, select I accept the terms of the License agreement, and then click Next.
On the Select Update Source page you specify where clients get update files. By default the Store updates locally check box is selected, and update files are stored on the WSUS server in the location you specify. If you clear Store updates locally, the WSUS server still manages approvals and update metadata, but client computers download the approved update files directly from Microsoft Update. Leave the default and click Next.
On the Database Options page, select the software that will host the WSUS 3.0 database. By default the installation wizard offers to install Windows Internal Database.
If you do not want to use Windows Internal Database, point WSUS at an instance of Microsoft SQL Server by selecting Use an existing database on this server (if SQL Server is installed locally) or Use an existing database server on a remote computer, and type the instance name in the box in the form serverName\instanceName, where serverName is the name of the server and instanceName is the name of the SQL instance. Click Next.
If you chose SQL Server, the Connecting to SQL Server Instance page shows WSUS attempting to connect to the specified instance. When it has connected successfully, click Next to continue.
On the Web Site Selection page, specify the web site that WSUS will use. To use the default web site on port 80 (443 with SSL), select Use the existing IIS Default Web site. If another site already uses port 80, select Create a Windows Server Update Services 3.0 SP2 Web site to create an alternate site on port 8530 (8531 with SSL). Note which port you chose: it becomes part of the URL you give clients in the Group Policy step later. Click Next.
On the Ready to Install Windows Server Update Services page, review the selections, and then click Next.
The final page of the installation wizard tells you whether the WSUS installation completed successfully. When you click Finish, the configuration wizard starts.
The Before You Begin page lists three things to check (the server firewall allows client access, the server can reach the upstream server, and you have proxy credentials if a proxy is needed); resolve them before you begin the configuration.
On the Join the Microsoft Update Improvement Program page, choose whether to participate, and then click Next to choose the upstream server.
On the Choose Upstream Server page, select Synchronize from Microsoft Update (a downstream WSUS server would instead be pointed at another WSUS server here). If you synchronize from Microsoft Update, there is nothing else to set on this page; click Next, or select Specify Proxy Server in the navigation pane.
On the Specify Proxy Server page, if the server reaches the internet through a proxy, select the Use a proxy server when synchronizing check box and type the proxy server name and port number (port 80 by default) in the corresponding boxes; otherwise leave it clear. Click Next.
On the Connect to Upstream Server page, click Start Connecting and wait while the connection to the upstream server is established.
Once the server is connected to the upstream server, click Next.
On the Choose Languages page, select only the languages your organization needs (every extra language adds download volume) and click Next.
On the Choose Products page, select the products deployed in your organization and click Next. I chose Windows 7 and Windows Server 2008.
On the Choose Classifications page, select the classifications you want to synchronize (for example Critical Updates and Security Updates) and click Next.
On the Set Sync Schedule page, choose either manual synchronization or an automatic synchronization schedule, and click Next.
On the Finished page, select both options, Launch the Windows Server Update Services Administration Console and Begin initial synchronization, and click Finish. The WSUS administration console opens.
You can now see the server synchronizing with the upstream server.
This can take from several minutes to hours depending on the products, classifications and languages you selected, so wait until synchronization completes.
When synchronization finishes, the console shows that the update server synchronized successfully from Microsoft Update.
Now expand ServerName (main)\Updates\All Updates and you will see a long list of updates available for download. Nothing is offered to clients until you approve it, and with Store updates locally selected the update files are downloaded to the server only after approval. Approvals are made per computer group, so first create the computer groups you will approve updates for.
To create a computer group, expand ServerName\Computers\All Computers, right-click All Computers, click Add Computer Group, type a name for the new group, and then click Add.
To approve an update for a group, expand ServerName\Updates\All Updates and double-click the update; in the Approve Updates dialog, select the group the update applies to, click Approved for Install, and then click OK. An approval on All Computers is inherited by every group, so approve to a small test group first and widen the approval once the update has been seen to install cleanly.
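The group creation and approval just described can be scripted through the WSUS administration API, the .NET object model the console itself uses. The block below is an added example, not code from the original article; it assumes it is run in an elevated PowerShell on the WSUS server installed above (default web site, no SSL), uses the article's lab names (the group win7 and the product Windows 7), and the restriction to Security and Critical updates is my choice. Method and property names are those of the WSUS 3.0 SDK.

```powershell
# Added example: create a WSUS computer group and approve updates for it via the
# Microsoft.UpdateServices.Administration API (the console's own object model).
# Assumptions: run elevated on the WSUS server itself; group/product names are the
# article's lab values; only Security and Critical updates are approved here.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$groupName = "win7"                                       # group later used by client-side targeting
$product   = "Windows 7"
$classes   = @("Security Updates", "Critical Updates")    # deliberately narrow: no drivers, feature packs, etc.

# GetUpdateServer() with no arguments connects to the local server on the default port
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Create the computer group only if it does not already exist
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) {
    $group = $wsus.CreateComputerTargetGroup($groupName)
    Write-Host "Created computer group '$groupName'"
}

# Candidate updates: not yet approved, not declined, not superseded, for the chosen
# product and classifications. Superseded updates are skipped so clients are not
# offered something a newer update replaces.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$candidates = $wsus.GetUpdates($scope) | Where-Object {
    -not $_.IsDeclined -and -not $_.IsSuperseded -and
    ($_.ProductTitles -contains $product) -and
    ($classes -contains $_.UpdateClassificationTitle)
}

$count = 0
foreach ($u in $candidates) {
    # Some updates carry a license agreement that must be accepted before approval
    if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
    # Approve returns the approval record, so the action can be logged as evidence
    $approval = $u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
    $count++
    Write-Host ("{0,-8} {1}: {2}" -f $approval.Action, $groupName, $u.Title)
}
Write-Host "$count update(s) approved for '$groupName'. Files download after approval when 'Store updates locally' is set."
```

Run it once against a test group and review the printed list before approving to a broader group; the same script with a different $groupName is then the widening step.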

Configure Client Updates:
How best to configure Automatic Updates depends on the network environment. In an environment that uses Active Directory Domain Services, use an existing domain-based Group Policy object (GPO) or create a new GPO. In an environment without Active Directory, use the Local GPO.
(On older client operating systems whose Group Policy templates lack the Windows Update settings, first add the WSUS template: in the Group Policy editor, right-click Computer Configuration\Administrative Templates, choose Add/Remove Templates, click Add, and select wuau.adm.)
To point the client computers at the WSUS server, in the Group Policy Management Editor expand Computer Configuration\Administrative Templates\Windows Components, and then click Windows Update.
In the Windows Update details pane, double-click Specify intranet Microsoft update service location.
Click Enabled, and type the HTTP URL of the same WSUS server in both the Set the intranet update service for detecting updates box and the Set the intranet statistics server box. For example, type http://servername in both boxes (here http://main), and then click OK. If you created the alternate WSUS web site during setup, include the port, for example http://main:8530. A plain http:// URL means the client cannot verify the identity of the server it takes update metadata from; Microsoft recommends SSL for WSUS, which uses an https:// URL on port 443 or 8531.

To assign the computer to a specific group, in the Windows Update details pane double-click Enable client-side targeting.
Click Enabled, and type the group name in the Target group name for this computer box. For example, type win7 (it must match the computer group you created on the server), and then click OK.
Note:
If you are using the Local GPO to point the computer at WSUS, the setting takes effect immediately; the computer appears in the WSUS Administration Console after a short time, and the first detection cycle completes within about 20 minutes.
For client computers configured with a domain-based GPO, it can take about 20 minutes after Group Policy refreshes.
To apply Group Policy sooner, open a command prompt on the client computer and type gpupdate /force.
If you start detection manually, you do not have to wait 20 minutes for the client computer to contact WSUS. Open a command prompt and type wuauclt.exe /detectnow, or on Windows 7, Windows Server 2008 and Windows Vista, open Windows Update in Control Panel and click Check for updates to perform an interactive detection.
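The two policy settings above are stored as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, and the following added example (not from the original article) writes those same values directly, forces a detection cycle, and reads the result back. It is meant for workgroup machines, where there is no domain GPO, or as a check on a domain client; on a domain member, Group Policy will overwrite the values at its next refresh. It assumes the article's lab URL http://main and target group win7 (append :8530 to the URL if the alternate WSUS site was created), and that it runs in an elevated PowerShell.

```powershell
# Added example: write the registry values behind the two GPO settings above and force
# a detection cycle, then read the result back. Assumptions: run elevated on the client;
# the URL is the article's lab server (append :8530 if the alternate WSUS site was chosen);
# the target group "win7" exists on the server. On a domain member Group Policy re-applies
# its own values at the next refresh, so use this for workgroup machines or for checks.
param(
    [string]$WsusUrl     = "http://main",
    [string]$TargetGroup = "win7"
)

$policy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$au     = "$policy\AU"
foreach ($key in $policy, $au) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# "Specify intranet Microsoft update service location": both boxes get the same URL
Set-ItemProperty -Path $policy -Name WUServer       -Value $WsusUrl
Set-ItemProperty -Path $policy -Name WUStatusServer -Value $WsusUrl
Set-ItemProperty -Path $au     -Name UseWUServer    -Value 1 -Type DWord

# "Enable client-side targeting": the group name must match the WSUS computer group
Set-ItemProperty -Path $policy -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $policy -Name TargetGroup        -Value $TargetGroup

# "Configure Automatic Updates": 4 = download and schedule the installation automatically
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value 4 -Type DWord

# The Automatic Updates service caches its server/group assignment; reset the
# authorization and detect now instead of waiting the ~20 minutes mentioned above.
Restart-Service -Name wuauserv
& wuauclt.exe /resetauthorization /detectnow

# Read back what the client will actually use
$cfg = Get-ItemProperty -Path $policy
$auc = Get-ItemProperty -Path $au
"WUServer       : $($cfg.WUServer)"
"WUStatusServer : $($cfg.WUStatusServer)"
"TargetGroup    : $($cfg.TargetGroup) (enabled: $($cfg.TargetGroupEnabled))"
"UseWUServer    : $($auc.UseWUServer)  AUOptions: $($auc.AUOptions)"

if ($WsusUrl -like "http://*") {
    Write-Warning "WSUS URL uses plain HTTP: the client cannot verify which server it is talking to. Configure SSL on the WSUS site and use https:// outside a lab."
}
```

The client should show up under the win7 group in the console shortly after the detection cycle; if it appears under Unassigned Computers instead, the TargetGroup value and the group name on the server do not match.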

View update distribution status:
Once the clients are configured to install updates automatically, they check in with the WSUS server and install the approved updates.
You can verify which updates were installed and which were not in the Updates section of the WSUS Administration Console, as shown in the screenshot.
To see which computers have installed an update and which still need it, expand WSUS Administration Console\ServerName\Computers\All Computers (or a particular group), as shown in the screenshot.
For computer status, expand WSUS Administration Console\ServerName\Reports; in the Reports pane, under Computer Reports, click Computer Detailed Status, choose the desired options, and click Run Report. The computer report shows each computer's status in detail.
For update status (where an update is installed and where it is not), expand WSUS Administration Console\ServerName\Reports; in the Reports pane, under Update Reports, click Update Detailed Status, choose the desired options, and click Run Report. The update report shows the status of each update in detail.
Update Report, page 1 of 3:
Update Report, page 2 of 3:
Note: for more detail on WSUS, see the Microsoft web site.


How to configure NAP enforcement for DHCP?

DHCP enforcement is deployed with a DHCP Network Access Protection (NAP) enforcement server component on the DHCP server, a DHCP enforcement client component on the client, and Network Policy Server (NPS). With DHCP enforcement, the DHCP server and NPS enforce health policy when a computer attempts to lease or renew an IPv4 address: a compliant client receives a normal lease, a noncompliant one receives a restricted lease. Keep the limitation in mind: a client configured with a static IP address, or otherwise able to bypass DHCP, is not subject to this enforcement at all, so DHCP enforcement is a compliance aid for cooperating clients, not a security boundary against a deliberate attacker.
LAB SCENARIO:
In the diagram above, SERVER1 (main.server.com) is configured as a domain controller with AD DS and DNS. SERVER2 (nps.server.com) is configured as the NAP health policy server (NPS) and DHCP server. CLIENT1 is a client computer running Windows Vista or Windows 7, configured as a DHCP client and NAP client.
Note: you must be logged on as a member of the Domain Admins group, or of the local Administrators group on each computer, to perform these tasks.

CONFIGURE DC ON SERVER1:
Step 1: Configure SERVER1 as a domain controller for server.com and set its TCP/IP configuration as shown below (in this lab the DC uses 10.10.10.1 and is also the DNS server).

Step 2: Create the user1 account in Active Directory.
This account will be used when logging on to NPS and CLIENT1.

Step 3: Add user1 to the Domain Admins group. (The lab uses a domain admin for convenience; outside a lab, delegate only the rights each task needs.)

Step 4: Create a security group for NAP client computers (called NAP client computers below).

Step 5: Add CLIENT1 to the NAP client computers security group.

CONFIGURE NPS ON SERVER2:
Step 6: Configure TCP/IP and join SERVER2 to the domain, as in the example shown below.

Step 7: Install DHCP and Network Policy Server:
Log on to the server.com domain with the user1 account you created.
Go to Start > Server Manager; under Roles Summary click Add Roles, and then click Next. On the Select Server Roles page, select the DHCP Server and Network Policy and Access Services check boxes, and then click Next twice.
On the Select Role Services page, select the Network Policy Server check box, and then click Next twice.
On the Select Network Connection Bindings page, verify that the address of SERVER2's LAN interface is selected, and then click Next.
On the Specify IPv4 DNS Server Settings page, verify that server.com is listed under Parent domain.
Type 10.10.10.1 under Preferred DNS server IP address, and click Validate. Verify that the result returned is Valid, and then click Next.
On the Specify WINS Server Settings page, accept the default setting WINS is not required on this network, and then click Next.
On the Add or Edit DHCP Scopes page, click Add.
In the Add Scope dialog box, type Scope1 next to Scope Name. Next to Starting IP Address type 10.10.10.12, next to Ending IP Address type 10.10.10.51, and next to Subnet Mask type 255.255.255.0.
Select the Activate this scope check box, click OK, and then click Next.
On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for this server, and then click Next.
On the Authorize DHCP Server page, select Use current credentials. Verify that SERVER\user1 is displayed next to Username, and then click Next. (Authorization registers the server in Active Directory; a Windows DHCP server in the domain that is not authorized will not hand out leases.)
On the Confirm Installation Selections page, click Install.
Verify that the installation was successful, and then click Close.
Step 8: Install the Group Policy Management feature with the servermanagercmd command (servermanagercmd -install GPMC), as shown below.
Step 9: Configure NPS as a NAP health policy server:
Click Start, click Run, type nps.msc, and then press ENTER. In the details pane, under Standard Configuration, select Network Access Protection (NAP) and click Configure NAP.
On the Select Network Connection Method for Use with NAP page, under Network connection method, select Dynamic Host Configuration Protocol (DHCP), and then click Next.
On the Specify NAP Enforcement Servers Running DHCP page, click Next. Because this NAP health policy server has DHCP installed locally, no RADIUS clients need to be added.
On the Specify DHCP Scopes page, click Next; leaving the list empty applies the policy to every NAP-enabled scope.
On the Configure User Groups and Machine Groups page, click Next.
On the Specify a NAP Remediation Server Group and URL page, click Next. Remediation servers are configured later.
On the Define NAP Health Policy page, verify that the Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.

Step 10: Configure the WSHV:
System health validators (SHVs) define the configuration requirements that computers must meet when they attempt to connect to your network. Here the Windows Security Health Validator (WSHV) is configured to require only that Windows Firewall is enabled.
In the Network Policy Server console, expand Network Access Protection > System Health Validators; under Name, double-click Windows Security Health Validator, and in the Windows Security Health Validator Properties dialog box click Configure.
Clear all check boxes except A firewall is enabled for all network connections, click Apply, and then click OK.
Step 11: Configure SERVER1 as a remediation server:
A remediation server hosts the resources (updates, antivirus signatures, or in this lab the domain services themselves) that the NAP agent can use to bring noncompliant client computers into compliance with the health policy defined in Network Policy Server (NPS). A restricted DHCP client is given host routes only to the remediation servers, so the domain controller, which is also the DNS server, has to be on the list or restricted clients cannot even resolve names.
Click Start, click Run, type nps.msc, and navigate to Policies\Network Policies. Open the properties of NAP DHCP Non-Capable, select the Settings tab, click NAP Enforcement, click Configure under Remediation Server Group, click New Group, enter a group name and add SERVER1 (main.server.com) as the server, and then click OK three times.
Repeat the same steps for the NAP DHCP Noncompliant network policy: open its properties, select the Settings tab, click NAP Enforcement, click Configure under Remediation Server Group, select or create the group containing SERVER1, and click OK three times.
Step 12: Enable the DHCP scope for NAP:
Click Start, click Run, type dhcpmgmt.msc; expand nps.server.com > IPv4, right-click Scope [10.10.10.0] Scope1, and then click Properties. On the Network Access Protection tab, under Network Access Protection Settings, choose Enable for this scope, verify that Use default Network Access Protection profile is chosen, and then click OK.
Configure the default user class:
In the DHCP console tree, under Scope [10.10.10.0] Scope1, right-click Scope Options, and then click Configure Options. On the Advanced tab, verify that Default User Class is chosen next to User class.
Select the 006 DNS Servers check box; under Data entry, in IP Address, type 10.10.10.1, and then click Add.
Select the 015 DNS Domain Name check box; under Data entry, in String value, type server.com, and then click OK. Compliant NAP clients receive these options together with a full-access lease on the server.com network.
Configure the default NAP class:
On the Advanced tab, next to User class, choose Default Network Access Protection Class.
Select the 006 DNS Servers check box; under Data entry, in IP Address, type 10.10.10.1, and then click Add.
Select the 015 DNS Domain Name check box; under Data entry, in String value, type restricted.server.com, and then click OK. Noncompliant NAP clients receive these options with a restricted lease (subnet mask 255.255.255.255 and host routes to the remediation servers only); the restricted.server.com suffix makes the restricted state easy to recognize on the client.
Step 13: Configure NAP client settings in Group Policy:
Click Start, click Run, type gpme.msc. In the Browse for a Group Policy Object dialog box, next to server.com, click the icon to create a new GPO, type NAP client settings as the name of the new GPO, and then click OK.
The Group Policy Management Editor opens. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services, double-click Network Access Protection Agent, select the Define this policy setting check box, choose Automatic, and then click OK.
In the console tree, under Security Settings, open Network Access Protection\NAP Client Configuration\Enforcement Clients, right-click DHCP Quarantine Enforcement Client, and then click Enable.
Right-click NAP Client Configuration, and then click Apply.
In the console tree, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center, double-click Turn on Security Center (Domain PCs only), choose Enabled, and then click OK.
Step 14: Configure security filtering for the NAP client settings GPO
Click Start, click Run, type gpmc.msc, and navigate to Forest: server.com\Domains\server.com\Group Policy Objects\NAP client settings.
In the details pane, under Security Filtering, click Authenticated Users, click Remove, and then click Add and add the NAP client computers group. The GPO now applies only to members of that group (which must still be under a container the GPO is linked to; here it is linked at the domain).

CONFIGURE CLIENT1:
Step 15: Join CLIENT1 to the server.com domain, and then log on to the server.com domain with the user1 account you created.
Step 16: Configure the Local Area Connection properties to Obtain an IP address automatically and Obtain DNS server address automatically.
Step 17: Verify Group Policy settings
At a command prompt, type netsh nap client show grouppolicy, and then press ENTER.
In the command output, under Enforcement clients, verify that the Admin status of the DHCP Quarantine Enforcement Client is Enabled.
Type netsh nap client show state, and then press ENTER.
In the command output, under Enforcement client state, verify that the Initialized status of the DHCP Quarantine Enforcement Client is Yes. If either value is wrong, run gpupdate /force and check again; the GPO only reaches CLIENT1 through its membership in NAP client computers.
Step 18: Verify NAP functionality
To obtain a new IP address lease for CLIENT1 from DHCP, type ipconfig /renew, and then press ENTER. Because Windows Firewall is on, CLIENT1 is compliant and receives a full-access lease with the server.com suffix.
Step 19: Verify NAP auto-remediation
Turn off Windows Firewall. In Windows Security Center you will see the status of Windows Firewall displayed as Off and then displayed as On again.
You might see a message in the notification area indicating that the computer does not meet health requirements. This message is displayed because Windows Firewall was turned off.
The NAP client automatically turns Windows Firewall back on to become compliant with the network health requirements, and the following message appears in the notification area: This computer meets the requirements of this network. See the following example.

Because auto-remediation occurs rapidly, you might not see one or both of these messages.

VERIFICATION OF HEALTH POLICY ENFORCEMENT
Step 20: Log on to SERVER2 and open the Network Policy Server console; expand Network Access Protection > System Health Validators, under Name double-click Windows Security Health Validator, and in the Windows Security Health Validator Properties dialog box click Configure.
In the Windows Security Health Validator dialog box, under Virus Protection, select the An antivirus application is on check box and click OK. CLIENT1 in this lab has no antivirus application, so it will fail this requirement, and auto-remediation cannot fix it.
Step 21: Log on to CLIENT1 and release and renew the IP address (ipconfig /release, then ipconfig /renew).
In the command output, verify that the value of Connection-specific DNS Suffix is restricted.server.com and that the value of Subnet Mask is 255.255.255.255. CLIENT1 no longer meets the health policy, so restricted access is enforced.
Because the client computer is in a noncompliant state, the DHCP server assigns it an address from the restricted configuration. You can tell that the client is on the restricted network because the DHCP server assigns the connection-specific DNS suffix restricted.server.com. The following figure shows an example.
You might see a message in the notification area indicating that the computer does not meet the corporate security requirements, as shown below.
Step 22: View the client's restriction state with Netsh:
At the command prompt, type netsh nap client show state, and then press ENTER.
Scroll up the command window to the Client state section. The Restriction state should be Restricted.
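The checks in steps 17, 21 and 22 are read off by eye above; the following added example (not from the original article) runs the same netsh and ipconfig commands and evaluates them. It assumes netsh nap client prints section headers and "key = value" lines as in the screenshots (Client state, Enforcement client state, Enforcement clients with an Admin field), reports the first adapter ipconfig lists, and takes the enforcement client name as a parameter, so it also checks the EAP Quarantine Enforcement Client verified in the VPN lab further down this page.

```powershell
# Added example: script the checks made by eye in steps 17, 21 and 22.
# Assumptions: netsh nap client output is laid out as in the screenshots above
# (header lines ending in ":", blank lines between blocks, "key = value" lines);
# the first adapter in ipconfig is the LAN connection; run on the NAP client.
param([string]$EnforcementClient = "DHCP Quarantine Enforcement Client")

# Turn netsh output into a list of hashtables: a header line ("Client state:") names
# the section, a blank line ends a block, "key = value" lines fill the current block.
function ConvertFrom-NetshBlocks([string[]]$Lines) {
    $blocks = @(); $section = ""; $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$' -or $line -match '^-+\s*$') { $cur = $null; continue }
        if ($line -match '^(.+):\s*$') { $section = $matches[1].Trim(); $cur = $null; continue }
        if ($line -match '^\s*(.+?)\s*=\s*(.*)$') {
            if ($cur -eq $null) { $cur = @{ Section = $section }; $blocks += $cur }
            $cur[$matches[1]] = $matches[2].Trim()
        }
    }
    return $blocks
}

function Test-NapClient([string]$Client) {
    $state  = ConvertFrom-NetshBlocks (netsh nap client show state)
    $policy = ConvertFrom-NetshBlocks (netsh nap client show grouppolicy)

    $clientState = $state  | Where-Object { $_.Section -eq "Client state" } | Select-Object -First 1
    $ecState     = $state  | Where-Object { $_.Name -eq $Client -and $_.ContainsKey("Initialized") } | Select-Object -First 1
    $ecPolicy    = $policy | Where-Object { $_.Name -eq $Client -and $_.ContainsKey("Admin") } | Select-Object -First 1

    # A restricted DHCP lease shows the /32 mask and the restricted suffix (step 21).
    # [ \t]* rather than \s* so an empty value does not match the next line.
    $ipcfg  = (ipconfig) -join "`n"
    $suffix = if ($ipcfg -match 'Connection-specific DNS Suffix[ .]*:[ \t]*(\S*)') { $matches[1] } else { "" }
    $mask   = if ($ipcfg -match 'Subnet Mask[ .]*:[ \t]*(\S*)')                    { $matches[1] } else { "" }

    New-Object PSObject -Property @{
        EnforcementClient = $Client
        AdminStatus       = $(if ($ecPolicy)    { $ecPolicy.Admin } else { "not in group policy" })
        Initialized       = $(if ($ecState)     { $ecState.Initialized } else { "not found" })
        RestrictionState  = $(if ($clientState) { $clientState["Restriction state"] } else { "unknown" })
        DnsSuffix         = $suffix
        SubnetMask        = $mask
        RestrictedLease   = ($mask -eq "255.255.255.255")
    }
}

$result = Test-NapClient $EnforcementClient
$result | Format-List EnforcementClient, AdminStatus, Initialized, RestrictionState, DnsSuffix, SubnetMask, RestrictedLease

if ($result.AdminStatus -ne "Enabled" -or $result.Initialized -ne "Yes") {
    Write-Warning "Enforcement client is not active: run gpupdate /force and check that the Network Access Protection Agent service is running."
}
if ($result.RestrictedLease -ne ($result.RestrictionState -eq "Restricted")) {
    Write-Warning "Lease and NAP agent disagree about restriction; renew the lease (ipconfig /release, ipconfig /renew) and re-check."
}
```

The last warning is the useful one in practice: a client whose agent says Restricted but that still holds a full lease (or the reverse) has simply not renewed since the health state changed, which is exactly the window in which DHCP enforcement gives no protection.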

How to deploy RADIUS (NAP enforcement for VPN) in a Windows Server 2008 environment?

Remote Authentication Dial-In User Service (RADIUS) is an industry-standard protocol used to provide network authentication, authorization, and accounting (AAA) services.
The following components make up a RADIUS AAA infrastructure:
•Access clients
•Access servers (VPN servers, dial-up servers, wireless access points, 802.1X switches)
•RADIUS servers (here NPS, which also acts as the NAP health policy server)
•User account databases (here Active Directory)

NAP is a client health policy creation, remediation and enforcement technology.
When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to connect to the network. You can configure NAP policies in NPS that allow client computers to update their configuration to become compliant with your organization's network policy. To help protect network access, NAP relies on three processes: policy validation, NAP enforcement and network restriction, and remediation and ongoing compliance.

Lab scenario:
In the diagram above, SERVER1 (main.server.com) is configured as a domain controller with AD DS and DNS. SERVER2 (nps.server.com) is configured as the RADIUS server (NPS) with NAP. SERVER3 (vpn.server.com) is configured as the VPN server, which is the NAP enforcement point and a RADIUS client of NPS. CLIENT1 is a client computer running Windows Vista or Windows 7, configured as a VPN client and a NAP client.
Note: you must be logged on as a member of the Domain Admins group, or of the local Administrators group on each computer, to perform these tasks.

Configure DC:
Step 1: Configure SERVER1 as a domain controller and set its TCP/IP configuration as shown below (10.10.10.1 in this lab).

Step 2: Create the user1 account in Active Directory.
This account will be used when logging on to NPS, VPN, and CLIENT1.

Step 3: Add user1 to the Domain Admins group.

Step 4: Grant remote access permission to user1 (on the Dial-in tab of the account, either Allow access or Control access through NPS Network Policy, which leaves the decision to NPS).

Step 5: Create a security group for NAP client computers.

Step 6: Add CLIENT1 to the NAP client computers security group.

Note: Deploy AD CS on SERVER1 to issue a server certificate to SERVER2 for PEAP authentication of VPN clients; see the AD CS section later on this page.
Alternatively, you can purchase a server certificate from a public CA that the clients already trust, such as VeriSign. Either way, the Validate server certificate option set on the client in step 26 is what ties the PEAP tunnel to this certificate; without it the client would accept any server.

Configure NPS:
Step 7: Configure TCP/IP on SERVER2 as shown below (10.10.10.20 is the address the VPN server is pointed at in step 20).
Step 8: Install the NPS server role and the Group Policy Management feature.

Step 9: Enable the Network Access Protection Agent service.
Open the Group Policy Management console and create a new GPO named NAP client settings. Right-click the NAP client settings policy and select Edit. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services. In the details pane, double-click Network Access Protection Agent. In the Network Access Protection Agent Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.

Step 10: Enable NAP enforcement clients
In the console tree, open Network Access Protection\NAP Client Configuration\Enforcement Clients. In the details pane, right-click EAP Quarantine Enforcement Client, and then click Enable.

In the console tree, right-click NAP Client Configuration, and then click Apply.

Step 11: Enable the Security Center user interface
In the console tree, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center. In the details pane, double-click Turn on Security Center (Domain PCs only), choose Enabled, and then click OK.

Step 12: Configure security filtering for the NAP client settings GPO
In the Group Policy Management Console (GPMC) tree, navigate to Forest: server.com\Domains\server.com\NAP client settings. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.

In the details pane, under Security Filtering, click Add. In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type NAP client computers, and then click OK.

Step 13: Obtain a computer certificate on NPS:
To provide server-side PEAP authentication, the server running NPS uses a computer certificate stored in its local computer certificate store. Use the Certificates snap-in for the Local Computer account to request a computer certificate from the certification authority.
Step 14: Configure NAP:
Go to Start > Administrative Tools > Network Policy Server. In the details pane, under Standard Configuration, select Network Access Protection (NAP) and click Configure NAP.

On the Select Network Connection Method for Use with NAP page, under Network connection method, select Virtual Private Network (VPN), and then click Next.

On the Specify NAP Enforcement Servers Running VPN Server page, under RADIUS clients, click Add. In the New RADIUS Client dialog box, under Friendly name, type NAP VPN Server. Under Address (IP or DNS), type vpn.server.com. Under Shared secret, type secret, click OK, and then click Next. The shared secret authenticates the VPN server to NPS and protects the RADIUS exchange, so the word secret is acceptable only in this isolated lab; in production use a long random value (or the Generate option), unique per RADIUS client, and enter the same value on the VPN server in step 20.

On the Configure an Authentication Method page, confirm that the computer certificate obtained in the previous step is displayed under NPS Server Certificate, and that Secure Password (PEAP-MSCHAP-v2) is selected under EAP types. Click Next.

On the Specify a NAP Remediation Server Group and URL page, click New Group. In the New Remediation Server Group dialog box, under Group Name, type Domain Services, and then click Add. In the Add New Server dialog box, under Friendly name, type main. Under IP address or DNS name, type main.server.com, click OK twice, and then click Next.

On the Define NAP Health Policy page, verify that the Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.

On the completion page, click Finish.
Step 15: Configure system health validators:
In the Network Policy Server console tree, open Network Access Protection, and then click System Health Validators. In the details pane, under Name, double-click Windows Security Health Validator. In the Windows Security Health Validator Properties dialog box, click Configure.

Clear all check boxes except A firewall is enabled for all network connections.

Click OK to close the Windows Security Health Validator dialog box, and then click OK.
Step 16: Configure the VPN server as a NAP-capable RADIUS client.
In the NPS console tree, under RADIUS Clients and Servers, click RADIUS Clients. In the details pane, double-click NAP VPN Server, and on the Settings tab select the RADIUS client is NAP-capable check box. NPS evaluates health only for connections coming through RADIUS clients marked NAP-capable.

Click OK and close the Network Policy Server console.
Step 17: Allow ping on the NPS server:
Click Start, click Run, type wf.msc, and then press ENTER. In the Windows Firewall with Advanced Security console tree, right-click Inbound Rules, and then click New Rule. Select Custom, and then click Next.

Select All programs, and then click Next.

Next to Protocol type, select ICMPv4, and then click Customize. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.

On the Scope page, click Next. In the Action window, verify that Allow the connection is selected, and then click Next.

Click Next to accept the default profiles.

In the Name window, under Name, type ICMPv4 echo request, and then click Finish.
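The NPS-side pieces of steps 14, 16 and 17 (registering the VPN server as a NAP-capable RADIUS client and opening the firewall for echo requests) can be done from the command line, which also makes it natural to use a generated shared secret instead of the word "secret". The block below is an added example, not code from the original article; it assumes it runs in an elevated PowerShell on the NPS server, uses the lab names NAP VPN Server and vpn.server.com, and relies on the netsh nps and netsh advfirewall syntax of Windows Server 2008.

```powershell
# Added example: NPS-side steps 14, 16 and 17 as a script, with a generated RADIUS
# shared secret. Assumptions: run elevated on the NPS server; names/addresses are the
# article's lab values; Windows Server 2008 netsh nps / netsh advfirewall syntax.
param(
    [string]$ClientName = "NAP VPN Server",
    [string]$ClientAddr = "vpn.server.com"
)

# 32 random bytes from the system RNG, Base64 without padding: long enough that the
# RADIUS Message-Authenticator and password hiding are not the weak link, and free of
# characters that need escaping on the netsh command line.
function New-RadiusSecret {
    $bytes = New-Object byte[] 32
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes)).TrimEnd("=")
}
$secret = New-RadiusSecret

# Register the VPN server as an enabled, NAP-capable RADIUS client (steps 14 and 16).
# napcompatible=YES is the "RADIUS client is NAP-capable" check box in the console.
netsh nps add client name="$ClientName" address="$ClientAddr" state="ENABLE" sharedsecret="$secret" napcompatible="YES"

# Confirm the registration as NPS sees it (the secret itself is never shown here).
netsh nps show client | Select-String -Pattern $ClientName -Context 0, 6

# Step 17 without the wizard: inbound ICMPv4 echo request (type 8, any code), then verify.
netsh advfirewall firewall add rule name="ICMPv4 echo request" dir=in action=allow protocol=icmpv4:8,any
netsh advfirewall firewall show rule name="ICMPv4 echo request"

# The secret has to be typed into the RRAS wizard on the VPN server (step 20); print it
# once, and put it in a password store rather than a script or ticket.
Write-Host "Shared secret for '$ClientName' (enter the same value on the VPN server, step 20):"
Write-Host $secret
```

The same netsh advfirewall line covers step 22 on the VPN server, where ping is allowed with the identical rule.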

Configure VPN:
Step 18: Configure TCP/IP on SERVER3 as shown below (one interface on the 10.10.10.0/24 LAN and one on the Internet-side subnet with the address 192.168.1.11).

Step 19: Install the Routing and Remote Access Services role service (part of Network Policy and Access Services).

Step 20: Configure Routing and Remote Access:
Click Start, click Run, type rrasmgmt.msc, and then press ENTER. In the Routing and Remote Access console, right-click the VPN server, and then click Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard.

Click Next, select Remote access (dial-up or VPN), and then click Next.

Select the VPN check box, and then click Next.

Click the network interface with the IP address 192.168.1.11. Clear the check box next to Enable security on the selected interface by setting up static packet filters, and then click Next. This lets CLIENT1 ping the VPN server when attached to the Internet subnet without configuring additional packet filters for ICMP traffic; on a real Internet-facing server leave the filters enabled, since they restrict the interface to VPN traffic only.

On the IP Address Assignment page, select From a specified range of addresses, and then click Next.

On the Address Range Assignment page, click New. Type 10.10.10.151 next to Start IP address and 10.10.10.200 next to End IP address, and then click OK. Verify that 50 IP addresses were assigned for remote clients, and then click Next.
On the Managing Multiple Remote Access Servers page, select Yes, set up this server to work with a RADIUS server, and then click Next.

On the RADIUS Server Selection page, type 10.10.10.20 next to Primary RADIUS server, and type secret (the same shared secret entered on NPS in step 14) next to Shared secret.

Click Next, and then click Finish.
Step 21: Configure authentication methods on the VPN server
In the Routing and Remote Access console, right-click the VPN server, and then click Properties. Click the Security tab. Click Authentication Methods and verify that Extensible authentication protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2) are selected. Click EAP Methods, and verify that Protected EAP (PEAP) is one of the installed EAP methods.

Step 22: Allow ping on the VPN server
Follow the same procedure used for the NPS server in step 17.
Configure CLIENT1 (Windows 7)
Step 23: Join CLIENT1 to the server.com domain.
Step 24: Verify Group Policy settings
At a command prompt, type netsh nap client show grouppolicy and verify that the Admin status of the EAP Quarantine Enforcement Client is Enabled.

Type netsh nap client show state and verify that the Initialized status of the EAP Quarantine Enforcement Client is Yes.

Step 25: Configure TCP/IP and test connectivity to the DC as shown below.

Step 26: Configure a VPN connection:
Go to Start > Control Panel > Network and Sharing Center, click Set up a new connection or network, select Connect to a workplace, and click Next.

Select No, create a new connection, and click Next.

On the How do you want to connect page, click Use my Internet connection (VPN).

On the Before you connect page, select Let me decide later, and click Next.

On the Type the Internet address to connect to page, enter the Internet address (the VPN server's 192.168.1.11 interface) and a destination name, and click Next.

On the Type your user name and password page, enter the user name, password and domain name, and click Create.

After creating the VPN connection, go to Start > Control Panel > Network and Sharing Center > Change adapter settings, right-click the new connection (named server here), click Properties, select the Security tab, select Use Extensible Authentication Protocol (EAP) under Authentication and click Properties; select Validate server certificate and Enforce Network Access Protection. Validate server certificate is what makes the client refuse a VPN server that does not present the certificate chain it trusts, so do not leave it clear outside the lab.

Step 27: Test the new VPN connection
In the notification area, click the Network icon, select the connection (server) under Dial-up and VPN, and click Connect.

Verifying NAP functionality
Step28: Verification of NAP auto-remediation:
Disable Windows Firewall and connect the VPN connection. You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because Windows Firewall has been turned off. Click this message for more detailed information about the health status of CLIENT1.

The NAP client will automatically turn Windows Firewall on to become compliant with network health requirements. The following message will appear in the notification area: This computer meets security standards defined by your network administrator.

Step29: Verification of NAP policy enforcement
Verify that the response reads “Reply from 10.10.10.1.” CLIENT1 is able to ping this IP address because IP filters were applied in network policy to ensure that traffic from noncompliant clients can reach DC.
Important
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

How to install and configure ADCS?

Types of certificate authorities:

Root and subordinate CAs
A root CA is meant to be the most trusted type of CA in an organization’s PKI. If the root CA is compromised or issues a certificate to an unauthorized entity, then any certificate-based security in your organization becomes vulnerable. Therefore, both the physical security and the certificate issuance policy of a root CA are normally more rigorous than those for subordinate CAs. While root CAs can be used to issue certificates to end users for such tasks as sending secure e-mail, in most organizations they will only be used to issue certificates to other CAs, called subordinate CAs.

A subordinate CA is a CA that has been issued a certificate by another CA in your organization. Typically, a subordinate CA will issue certificates for specific uses, such as secure e-mail, Web-based authentication, or smart card authentication. Subordinate CAs can also issue certificates to other CAs that are more subordinate. Together, a root CA, the subordinate CAs that have been certified by the root, and subordinate CAs that have been certified by other subordinate CAs form a certification hierarchy.

Enterprise and stand-alone CAs
An enterprise CA requires access to Active Directory Domain Services (AD DS). It uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain, and it publishes user certificates and certificate revocation lists (CRLs) to AD DS. An enterprise CA issues certificates based on a certificate template, which makes the following possible: the certificate subject name can be generated automatically from the information in AD DS or supplied explicitly by the request, and autoenrollment can be used to issue certificates.

A stand-alone CA does not require the use of Active Directory Domain Services (AD DS). Even if you are using AD DS, stand-alone CAs can be used as offline trusted root CAs in a CA hierarchy or to issue certificates to clients over an extranet or the Internet. When users submit a certificate request to a stand-alone CA, they must provide their identifying information and specify the type of certificate they need. By default, all certificate requests sent to the stand-alone CA are set to pending until the administrator of the stand-alone CA verifies the submitted information and approves the request. The administrator has to perform these tasks because the certificate requester’s credentials are not verified by the stand-alone CA. Certificate templates are not used.

PREREQUISITES:
Supported server editions: Enterprise and Datacenter.

Needs ADDS, DNS, Static IP, Time Synchronization

LAB SCENARIO:

Server1 — 10.10.10.1— dc.sign.com

Server2 — 10.10.10.2— ca1.sign.com

Server3 — 10.10.10.3— ca2.sign.com

CONFIGURING ROOT CA:

Step1: Log on to Server2 as a member of Domain Admins.

Install the root CA: go to Server Manager - Add Roles - select Certification Authority and click Next.

Step2: Select Standalone on the Setup Type page and click Next.

Step3: Select Root CA on the CA Type page.

Step4: Select Create a new private key and click Next.

Step5: On the Cryptography for CA page you can select a different CSP, hash algorithm and key length according to your needs, then click Next.

Step6: On the CA Name page you can specify a CA name or leave the default, then click Next.

Step7: On the Certificate Database page you can assign the database location or leave the default, click Next and then click Finish.

By default, the Windows 2008 root CA will include AIA and CDP (CRL Distribution Point) information in the root CA certificate. If you want to control this information, you must change or remove the [CRLDistributionPoint] and [AuthorityInformationAccess] sections (of CAPolicy.inf) before installing the CA.

The following variables can be used in CDP and AIA extensions:
Variable — Meaning
%1 — ServerDNSName (FQDN)
%2 — ServerShortName (NetBIOS name)
%3 — CAName
%4 — CertificateName
%5 — DomainDN
%6 — ConfigDN
%7 — CATruncatedName
%8 — CRLNameSuffix
%9 — DeltaCRLAllowed
%10 — CDPObjectClass
%11 — CAObjectClass
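The following is an added example (not part of the original post) that expands a CDP or AIA URL template with the variables listed above, so you can see the exact URL the CA will publish before committing the extension. The CA facts, CA name and DNs are constructed placeholders for the lab root CA ca1.sign.com; the function name Expand-CaUrlTemplate is hypothetical.

```powershell
# Added example (not from the original post): expands a CDP/AIA URL template
# using the %1..%11 variables. The CA facts below are constructed for the lab;
# %4 and %8 stay empty until the CA certificate or its signing key is renewed.
function Expand-CaUrlTemplate {
    param(
        [Parameter(Mandatory = $true)][string]$Template,
        [Parameter(Mandatory = $true)][hashtable]$CaFacts,
        [switch]$ForDeltaCrl   # %9 becomes "+" only when the URL names the delta CRL
    )
    $map = @{
        '%1'  = $CaFacts.ServerDNSName
        '%2'  = $CaFacts.ServerShortName
        '%3'  = $CaFacts.CAName
        '%4'  = $CaFacts.CertificateName   # CA certificate renewal suffix, e.g. "(1)"
        '%5'  = $CaFacts.DomainDN
        '%6'  = $CaFacts.ConfigDN
        '%7'  = $CaFacts.CATruncatedName
        '%8'  = $CaFacts.CRLNameSuffix     # CRL signing key renewal suffix, e.g. "(1)"
        '%9'  = $(if ($ForDeltaCrl) { '+' } else { '' })
        '%10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'
        '%11' = '?cACertificate?base?objectClass=certificationAuthority'
    }
    $result = $Template
    # Substitute the two-digit variables first so %1 does not consume the front of %10 and %11.
    foreach ($key in ($map.Keys | Sort-Object { $_.Length } -Descending)) {
        $result = $result.Replace($key, [string]$map[$key])
    }
    return $result
}

# Constructed lab values (not read from a real CA).
$facts = @{
    ServerDNSName   = 'ca1.sign.com'
    ServerShortName = 'CA1'
    CAName          = 'sign-CA1-CA'
    CertificateName = ''
    DomainDN        = 'DC=sign,DC=com'
    ConfigDN        = 'CN=Configuration,DC=sign,DC=com'
    CATruncatedName = 'sign-CA1-CA'
    CRLNameSuffix   = ''
}

# The three templates are the shapes Windows uses by default for HTTP CDP, LDAP CDP and HTTP AIA.
$httpCdp = 'http://%1/CertEnroll/%3%8%9.crl'
$ldapCdp = 'ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
$httpAia = 'http://%1/CertEnroll/%1_%3%4.crt'

Expand-CaUrlTemplate $httpCdp $facts                # base CRL location
Expand-CaUrlTemplate $httpCdp $facts -ForDeltaCrl   # delta CRL location ("+" before .crl)
Expand-CaUrlTemplate $ldapCdp $facts
Expand-CaUrlTemplate $httpAia $facts
```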

It is advised to review all important settings before continuing.
You can list all current settings with the following command:
certutil -getreg CA
The settings that require your attention are:
CRLPeriod, CRLPeriodUnits, CRLOverlapUnits, CRLOverlapPeriod, ValidityPeriod, ValidityPeriodUnits

You can define or change these settings with the following certutil commands:
certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLOverlapPeriod "Months"
certutil -setreg CA\CRLOverlapUnits 1
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 12

Note: If you mistype a registry value name, you will not get a warning or error; certutil simply creates a new registry value without further notice, and the setting you meant to change stays as it was. You can find all CA registry values under HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\My Root CA (the last component is the name of your CA).
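The following is an added example (not part of the original post) that applies the settings above and then reads each one back from the registry, so a mistyped name is refused up front instead of silently becoming a stray value. It assumes it runs in an elevated PowerShell session on the CA server; the Active value under the Configuration key holds the name of the installed CA.

```powershell
# Added example (not from the original post): set the CRL/validity values
# shown above, refuse names certutil does not know, and verify the result
# by reading the CA's registry key directly. Run as a local administrator.
$desired = @{
    'CRLPeriod'           = 'Years'
    'CRLPeriodUnits'      = 1
    'CRLOverlapPeriod'    = 'Months'
    'CRLOverlapUnits'     = 1
    'ValidityPeriod'      = 'Years'
    'ValidityPeriodUnits' = 12
}

# Value names the CA service actually reads for these settings; anything else is a typo.
$known = 'CRLPeriod', 'CRLPeriodUnits', 'CRLOverlapPeriod', 'CRLOverlapUnits',
         'CRLDeltaPeriod', 'CRLDeltaPeriodUnits', 'ValidityPeriod', 'ValidityPeriodUnits'

$config = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $config -Name Active).Active   # name of the installed CA
$caKey  = Join-Path $config $caName

foreach ($entry in $desired.GetEnumerator()) {
    if ($known -notcontains $entry.Key) {
        throw "Refusing to set unknown CA value '$($entry.Key)' (certutil would create it silently)"
    }
    & certutil -setreg "CA\$($entry.Key)" $entry.Value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed for $($entry.Key)" }
}

# Read back from the registry and compare with what was requested.
$actual = Get-ItemProperty -Path $caKey
foreach ($entry in $desired.GetEnumerator()) {
    $value = $actual.$($entry.Key)
    if ("$value" -ne "$($entry.Value)") {
        Write-Warning ("{0}: expected {1}, registry has '{2}'" -f $entry.Key, $entry.Value, $value)
    } else {
        Write-Host ("{0} = {1}" -f $entry.Key, $value)
    }
}

# The CA service reads these values at start-up.
Restart-Service CertSvc
```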

CONFIGURING ISSUING CA:

Step8: Log on to Server3 as a member of Domain Admins.
Install the subordinate CA: go to Server Manager - Add Roles - select Certification Authority, Certification Authority Web Enrollment and Online Responder, and click Next.

Step9: Select the Enterprise option, because you are about to configure an online issuing CA, and click Next.

Step10: On the CA Type page select Subordinate CA and click Next.

Step11: You can specify a common name for this CA on the CA Name page, then click Next.

Step12: On the Request Certificate from Parent CA page you can choose either of the two options to create a certificate request, then click Next and Finish.

Step13: After installing the issuing CA, we need to get its certificate signed by the root CA.

By default, the request file is created at c:\*.req. Copy this file to the root CA's shared folder.

On the root CA, open Certification Authority - right-click the CA name - All Tasks - Submit New Request - select the request file from the shared folder. Then go to Pending Requests, right-click the pending request and choose "Issue". Open the certificate from Issued Certificates - go to the "Details" tab - click "Copy to File" - click "Next" on the Welcome screen - select the P7B format, make sure "Include all certificates in the certification path if possible" is selected - save this file to the issuing CA's shared folder.

Back on the issuing CA, open the Certification Authority MMC, right-click the issuing CA name and choose "All Tasks - Install CA Certificate" - browse to the certificate in the shared folder - restart the CA.

Configure the OCSP Response Signing certificate
Step14: Server Manager - Roles - ADCS - Certificate Templates - right-click the "OCSP Response Signing" template - click "Duplicate Template" - choose the server version - OK. Type the name of the template on the General tab. On the "Security" tab, under "Group or user names", click "Add" to open the "Select Users, Computers or Groups" dialog box, click "Object Types", select the "Computers" check box, and then click "OK". Type the Online Responder (OR) computer name, select it and click "OK". Select the OR computer name and, in the permissions box, select the "Read", "Enroll" and "Autoenroll" check boxes. You also configure security on this template for the Authenticated Users group and the OR computer.

IMPORT OCSP TEMPLATE TO CA
Step15: After defining the AIA extension, go to the CA - right-click "Certificate Templates" - New - Certificate Template to Issue. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
(Open Certificate Templates and verify that the modified certificate templates appear in the list.)

CREATE A REVOCATION CONFIGURATION:

Step16: Go to Server Manager - Roles - ADCS - Online Responder - right-click Revocation Configuration - Add Revocation Configuration - enter the name of the revocation configuration - click "Select a certificate for an existing enterprise CA".

Step17: Browse the CA certificates published in AD and select the name of the CA that you want to associate with your revocation configuration (the CA where the OCSP signing certificate resides). On the Revocation Provider page, click Provider and add the provider location for both the base and delta CRLs (http://FQDN_computer_name/CertEnroll/CA_name) - OK - Finish.

Step18: To check the revocation configuration status, go to Server Manager/Roles/ADCS/Online Responder/Array Configuration/CA name.

CONFIGURING CDP/AIA EXTENSIONS FOR THE ONLINE RESPONDER:
Step19: ADCS - right-click CA_name - Properties - Extensions - CDP/AIA - Add. AIA for the Online Responder: "http://OR_FQDN_name/ocsp" (select only "Include in the online certificate status protocol (OCSP) extension").

Step20: To check the CA status, go to Server Manager/Roles/ADCS/Enterprise PKI/CA name.

Configure Autoenrolment:
Log on to the domain controller, go to Group Policy Management - Default Domain Policy - right-click - Edit - Computer Configuration - Policies - Windows Settings - Security Settings - Public Key Policies - Certificate Services Client - Auto-Enrollment - enable it.

Configure a CA to accept a SAN (Subject Alternative Name) attribute from a certificate request
Note: If your organization uses more than one name for a service, e.g. mail.domain.com and mail2.domain.com, you need a SAN certificate.

By default, a CA that is configured on Windows Server 2008 does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behaviour, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command. Be aware that this flag applies to every template the CA issues: with it set, the names in a certificate come from the requester rather than from AD DS, so on an enterprise CA it should be set only when enrollment on every template is tightly restricted, and cleared again when it is no longer needed.

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
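The following is an added audit example (not part of the original post) that reports whether this CA currently honours SAN attributes from requests and what kind of CA it is, so the flag can be found and cleared where it should not be set. It assumes an elevated PowerShell session on the CA server; the function name Get-CaSanRequestFlag is hypothetical, and 0x40000 is the documented value of EDITF_ATTRIBUTESUBJECTALTNAME2.

```powershell
# Added audit example (not from the original post). The default policy module
# keeps its EditFlags under the CA's PolicyModules registry key; CAType records
# whether the CA is enterprise (0 root, 1 subordinate) or stand-alone (3 root,
# 4 subordinate). Run as a local administrator on the CA.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

function Get-CaSanRequestFlag {
    $config = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $config -Name Active).Active
    $caKey  = Join-Path $config $caName
    $policyKey = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'

    $editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
    $caType    = (Get-ItemProperty -Path $caKey -Name CAType).CAType

    New-Object PSObject -Property @{
        CAName          = $caName
        IsEnterprise    = ($caType -eq 0 -or $caType -eq 1)
        SanFromRequests = (($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
        EditFlags       = ('0x{0:x}' -f $editFlags)
    }
}

$state = Get-CaSanRequestFlag
$state | Format-List CAName, IsEnterprise, SanFromRequests, EditFlags

if ($state.SanFromRequests -and $state.IsEnterprise) {
    Write-Warning ("{0} is an enterprise CA that accepts SAN attributes from requests: " +
                   "the requester, not AD DS, decides the names in the certificate." -f $state.CAName)
    Write-Warning "To clear it: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, then restart certsvc."
}
```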

Create and submit a server certificate request
When you submit a certificate request to an enterprise CA, the certificate template must be configured to use the SAN in the request instead of using information from the AD directory service.

Open Internet Explorer and type "https://servername/certsrv".

After connecting, click Request a certificate > click Advanced certificate request > click Create and submit a request to this CA > in the Certificate Template list, click Web Server and configure the other properties as follows:

If you see the Certificate Issued web page, click Install this certificate.

Step21: To get CA information, run certutil -cainfo.

To verify certificate URLs:
Open cmd and run: certutil -url c:\cert_name.cer

To check the OCSP location, select OCSP and click Retrieve.

To check the revocation locations, select either Certs or CRLs and click Retrieve.

To verify a certificate, run: certutil -verify C:\filename.cer >verifyresults.txt
The result will look like the one given below.

To test connectivity, run:
certutil -config FQDN\CAName -ping

Deploying the root CA certificate:
If the computers are not part of the domain:
certutil -addstore -f Root Cert_name.cer

If the computers are part of the domain:

certutil -dspublish -f Cert_name.cer RootCA

How to Configure Network Load Balancing for Terminal Services

NLB distributes traffic across several servers by using the TCP/IP networking protocol. You can use NLB with a terminal server farm to scale the performance of a single terminal server by distributing sessions across multiple servers.
Terminal Services Session Broker (TS Session Broker) keeps track of disconnected sessions on the terminal server farm, and ensures that users are reconnected to those sessions. Additionally, TS Session Broker enables you to load balance sessions between terminal servers in a farm. This functionality is provided by the TS Session Broker Load Balancing feature. However, this session-based load balancing feature requires a front-end load balancing mechanism to distribute the initial connection requests to the terminal server farm. You can use a load balancing mechanism such as DNS round robin and NLB to distribute the initial connection requests. By deploying NLB together with TS Session Broker Load Balancing, you can take advantage of both the network based load balancing and failed server detection of NLB, and the session-based load balancing and per server limit on the number of pending logon requests that is available with TS Session Broker Load Balancing.

To configure DNS round robin, you must create a host resource record for each terminal server in the farm that maps to the terminal server farm name in DNS. (The farm name is the virtual name that clients will use to connect to the terminal server farm.) DNS uses round robin to rotate the order of the resource records that are returned to the client. This functionality helps to distribute initial connections across servers in the farm. The initial connection behaviour is as follows:

Install the TS Session Broker role service

The server where you install the TS Session Broker role service must be a member of a domain.
The Windows Server 2008-based server where you install the TS Session Broker role service does not have to be a terminal server or have Remote Desktop enabled.
If you install the TS Session Broker role service on a domain controller, the Session Directory Computers group will be a domain local group, and it will be available on all domain controllers.
Add a terminal server to the Session Directory Computers local group
If TS Session Broker is installed on a member server, run compmgmt.msc, open the Session Directory Computers group and add the terminal server computer accounts to it. (In my case I had installed TS Session Broker on the domain controller.)

Deny logons to a terminal server in a load-balanced farm

It is good practice to configure all terminal servers in the farm to restrict each user to a single session. To do this, use either of the following methods:
•Configure the Restrict Terminal Services users to a single remote session Group Policy setting. This policy setting is available in the Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections node of the Group Policy Management Console (GPMC) on a Windows Server 2008-based domain controller. It is a best practice to group the terminal servers that are in the same terminal server farm into a single organizational unit (OU), and then configure this policy setting in a Group Policy object (GPO) that applies to the OU.

•Configure the User Logon Mode setting. This setting is available in Terminal Services Configuration, under the Edit settings area. On the General tab, click either of the following:
oAllow reconnections, but prevent new logons
oAllow reconnections, but prevent new logons until the server is restarted

Configure DNS for TS Session Broker Load Balancing
Configure host (A) Record for each Node to map the IP address of each terminal server in the farm to the terminal server farm name in DNS.
For example, if you have two terminal servers in a farm named FARM1, with IP addresses of 10.10.10.20 and 10.10.10.21, the entries would look similar to the following:
Farm1 Host(A) 10.10.10.20
Farm1 Host(A) 10.10.10.21
Configure TS Session Broker settings by using Group Policy (if NLB is not present)
Open GPMC and create a new policy or edit an existing one: Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\TS Session Broker
•In the right pane, double-click the Join TS Session Broker policy setting, click Enabled, and then click OK.
•Double-click the Configure TS Session Broker farm name policy setting, and then do the following:
a.Click Enabled.
b.In the TS Session Broker farm name box, type the name of the farm in TS Session Broker that you want to join, and then click OK.
•Double-click the Configure TS Session Broker server name policy setting, and then do the following:
a.Click Enabled.
b.In the TS Session Broker server name box, type the name of the server where you installed the TS Session Broker role service, and then click OK.
•Double-click the Use TS Session Broker load balancing policy setting, click Enabled, and then click OK.
•Optionally, if you are using a hardware load balancer that supports token redirection, double-click Use IP Address Redirection and configure the setting. See the Group Policy Explain text for more information.
Install the Terminal Server role service

Install programs on the terminal server:
You must configure all terminal servers in the load-balanced farm identically, with the same available programs.

Configure TS RemoteApp Manager properties:
To add programs to RemoteApp, go to Start > Administrative Tools > Terminal Services > TS RemoteApp Manager > in the right pane select Add RemoteApp Programs.

To configure terminal server settings, go to Start > Administrative Tools > Terminal Services > TS RemoteApp Manager > in the right pane select Terminal Server Settings.

To configure digital signature settings, go to Start > Administrative Tools > Terminal Services > TS RemoteApp Manager > in the right pane select Digital Signature Settings, select Sign with a digital certificate and add a certificate.

To configure RDP settings, go to Start > Administrative Tools > Terminal Services > TS RemoteApp Manager > under the Overview pane click Change in the RDP Settings row.

After configuration, the TS RemoteApp Manager properties will look like this.

Configure TS Session Broker settings
TS Session Broker uses a farm name to determine which servers are in the same terminal server farm. You must use the same farm name for all servers that are in the same load-balanced terminal server farm. Although the farm name in TS Session Broker does not have to be registered in Active Directory Domain Services, it is recommended that you use the same name that you will use in DNS for the terminal server farm. (The terminal server farm name in DNS represents the virtual name that clients will use to connect to the terminal server farm.) If you type a new farm name, a new farm is created in TS Session Broker and the server is joined to the farm. If you type an existing farm name, the server joins the existing farm in TS Session Broker.
To do this, go to Start > Administrative Tools > Terminal Services > Terminal Services Configuration.

Install and create an NLB cluster
To install and create an NLB cluster, see how to create an NLB cluster below. In Cluster Parameters, a full Internet name is not needed when using NLB with Terminal Services.

Verify remote connection settings
1.Back on the terminal server, go to Run > control system > under Tasks, click Remote settings. You can select either of the following options:
oAllow connections from computers running any version of Remote Desktop (less secure)
oAllow connections only from computers running Remote Desktop with Network Level Authentication (more secure)
2.To add the users and groups that need to connect to the terminal server by using Remote Desktop, click Select Users, and then click Add.
The users and groups that you add are added to the Remote Desktop Users group.
Note that you must enable the Windows Firewall exception for Remote Desktop.
Populate the TS Web Access Computers security group (Optional)
If the TS Web Access server and the terminal server that hosts the RemoteApp programs are separate servers, you must add the computer account of the TS Web Access server to the TS Web Access Computers security group on the terminal server.

Connect to TS Web Access
By default, you can access the TS Web Access Web site at the following location, where server_name is the NetBIOS name or the fully qualified domain name of the Web server where you installed TS Web Access:
http://server_name/ts
Enable the ActiveX control add-in in the web browser and log on to the site.


Click a RemoteApp program and log on to access the program.

You can select the Remote Desktop tab to access a user desktop on the web.

Configure WDS on Server 2008.

Prerequisites:
Active Directory Domain Services, DNS, DHCP, Windows AIK.
Install and configure WDS:
Step1: Create an extra partition, because WDS needs a separate partition to keep images and other configuration files.
To install WDS, open CMD and run this command: servermanagercmd -i wds
Step2: After installing the WDS role, go to Administrative Tools > Windows Deployment Services > server name > Action > Properties.
Select the PXE Response Settings tab and select Respond to all (known and unknown) client computers.

Step3: Select the Directory Services tab and configure the client naming policy and client account location.

Step4: Select the Advanced tab, select the option to allow WDS to dynamically discover valid domain servers, and select Authorize this WDS server in DHCP.

Step5: Select the Network Settings tab; you can choose either to obtain IP addresses from DHCP or to use IP addresses from the following range, in which case you define an IP address range.

Step6: Select the DHCP tab and select Do not listen on port 67, because the DHCP server is running on the WDS server, and also select Configure DHCP option 60 to 'PXEClient'.

Step7: Select the Client tab, select the Enable unattended installation check box and browse to a client unattend file. Creating the unattend file is covered in the unattended setup section below.

Now phase 1 of our WDS configuration is finished.
Add a boot image to WDS:
Step8: Go to WDS > server name > Boot Images > Action > Add Boot Image > browse to the "boot.wim" file in the Sources folder of the Windows DVD > configure the image metadata > Next > Finish.
Create and add a capture image to WDS:
The image capture utility copies an image of the computer from the reference computer that has been prepared with Sysprep.exe. The output is an install image that you can add back to the Windows Deployment Services server and then deploy to client computers.
Step9: Go to WDS - server name - Boot Images; in the right pane select the image, right-click it and click Stop; right-click the image again and choose Create Capture Boot Image; name the file capture.wim and save it in D:\image\.
Below is an example file that automates the UI screens of the Image Capture Wizard. To use this file, first update each section with the information for your environment. For example, the [ExclusionList] specifies the files that the capture process will exclude from capturing. Then create a capture image and save this file within the image.
Create the file using Notepad and save it as "Wdscapture.inf".

Mount the capture image using ImageX:
Open the Deployment Tools Command Prompt and run the commands given below.
C:\>imagex /mount d:\image\capture.wim 1 d:\destination_folder_name /check
Then copy the Wdscapture.inf file into the mounted image's \Windows\System32 folder, replacing the existing Wdscapture.inf file.
C:\>imagex /unmount d:\destination_folder_name
Lastly, add the capture image to the Windows Deployment Services server using CMD or the WDS manager:

If you boot a computer into this image, the UI screens will be automated and the image will be uploaded to the server with the settings you have specified.
Add an install image group
Step10: Using the GUI: WDS > server name > Install Images > Action > Add Image Group > enter the image group name "ImageGroup1" > Finish.
Using the CLI:

Add an install image
Step11: Now we are going to upload the Windows 7 image using the GUI: WDS > server name > Install Images > ImageGroup1 > Action > Add Install Image > browse to the "install.wim" file in the Sources folder > if the image file contains more than one edition, select one or more > Next > Finish.
Using the CLI:

Follow these steps again to add another image.
Add an XP image to WDS:
Note that an XP image is not available in WIM format, so we will obtain one using either of two methods.
Method1: If we upgrade Server 2003 to Server 2008, the older RIPREP image will by default be moved to the "WDS > server name > Legacy Images" directory. Convert this image to WIM format and add it to a second image group.
Method2: Capture an image from a well-prepared target machine. To do this:
Log on to the target machine where XP is installed and which has more than one partition. Add the sysprep and setupcl files to the windows\system32\sysprep folder.
After that, open a command prompt and type this command: sysprep -mini -reseal -restart
Now go to the BIOS and set the first boot device to the LAN card. When the computer restarts, press F12.
In Windows Boot Manager, select the capture image, and then click Next.
Choose the appropriate drive, and then provide a name and description for the image. Click Next to continue.
Click Browse, and browse to a local location where you want to store the captured install image.(You must specify a location so that if there is a network issue when you deploy the capture image, you have a local copy.)
Type a name for the image (use the *.wim file name extension), and then click Save.
Select Upload image to WDS server.
Type the name of the Windows Deployment Services server, and then click Connect.
If prompted for credentials, add a user name and password for an account which has sufficient permissions to connect to the Windows Deployment Services server. On the Image Group list, choose the image group in which to store the image.
Note that using this method you can add any customised Windows image.
An example sysprep.inf file is given below:

To automate the XP installation, create a directory hierarchy like this: D:\Remoteinstall\Images\\\$OEM$\$1 and place the sysprep.inf file in it.
Unattended setup:
For unattended installation you need to create answer files and assign them to images.
Now we will create two different unattend.xml files, named client unattend.xml and image unattend.xml. The image unattend file contains boot and partition information, and the client unattend.xml file contains the OS configuration.
Note that you can also use a combined unattend file which contains all the information about the installation.
Step13: Go to Windows AIK > Windows System Image Manager > in the lower left pane select Select a Windows image or catalog file > browse to the catalog file in the OS disk's \sources folder.
Add configuration passes for the different components and configure them according to your needs.

After that, go to the File menu, select Save Answer File and save it as unattend.xml.
Example image unattend file:

Example client unattend file:

Now assign these files to an image:
•Associate the image unattend file: server_name - right-click - Properties - Client tab - select clientunattend.xml.
•Associate the client unattend file: server_name - Install Images - image_group_name - image_name - right-click - Properties - Allow image to install in unattended mode - select autounattend.xml.
Create a discover image
A discover image is a boot image that contains Windows PE 2.0 and has been modified to force Setup.exe to launch in Windows Deployment Services mode to find a Windows Deployment Services server. Generally, you will want to create a discover image for computers that are not PXE enabled. You save the discover image to a file, convert it to ISO format, and then burn it to a CD or DVD.
Step14: Open a command prompt and run the commands given below:

Create a discover boot disk
Step15: Open the Deployment Tools Command Prompt and run the commands given below:


Step16: Burn winpe.iso to a disk. You will use this disk to boot the target machine and install an image on it.
To install an image on the target machine
Step17: Go to the BIOS and set the first boot device to the LAN card. When the computer restarts, press F12.

Step18: Select the Windows boot image and press Enter.

Step19: Select the image that you want to install.

Step20: Wait until the server initiates your session; after a few minutes the installation will start without prompting for anything else.

After a few minutes your new system will be ready to operate.

Configure Network Load Balancing (WLBS) on Server 2008.

The NLB feature in Windows Server 2008 enhances the availability and scalability of Internet applications such as those used on web, FTP, VPN and other mission-critical servers. When a host has failed, the remaining hosts in the cluster converge and ensure that all new client requests are handled by the surviving hosts. However, if you bring a host down intentionally, you can use the "wlbs drainstop" command to finish serving all active connections before taking the computer offline. When it is ready, the offline computer can rejoin the cluster and regain its share of the workload, which allows the other computers in the cluster to handle less traffic.
Note that NLB supports up to 32 computers in a single cluster.
Lab configuration:
Server1 10.10.10.20 Nlb1.sign.com
Server2 10.10.10.21 Nlb2.sign.com
Virtual cluster 10.10.10.22 Cluster.sign.com
Step1: Install the Web Server role and configure a website.

Step2: Install the NLB feature on both Server1 and Server2.

Step3: Log on to Server1 with sufficient privileges, go to Start > Administrative Tools > Network Load Balancing Manager > select the Cluster menu > select New.

Step4: Add the host name and click Connect.

Step5: On the next page select priority 1 and the default state Started.

Step6: On the next page add the cluster IP address.

Step7: On the next page, Cluster Parameters, add the cluster name and select "Unicast" as the cluster operation mode.

If you select multicast support, NLB converts the cluster MAC address that belongs to the cluster adapter into a multicast address. It also ensures that the cluster’s primary IP address resolves to this multicast address as part of the ARP protocol. The adapter can now use its original, built-in MAC address that was disabled in unicast mode. In multicast mode, you can also enable Internet Group Management Protocol (IGMP) support, which limits switch flooding by limiting traffic to Network Load Balancing ports only. That is, enabling IGMP support ensures that traffic intended for an NLB cluster passes through only those ports that are serving the cluster hosts and not all switch ports.
If you select unicast support, NLB automatically instructs the driver that belongs to the cluster adapter to override the adapter’s unique, built-in network address and to change its MAC address to the cluster’s MAC address. This is the address used on all cluster hosts. You do not need to manually configure the network adapter to recognize this address. (Note that some network adapters do not support changing their MAC addresses. If you experience this issue, you must install a network adapter that does.)
Step8: On the next page either configure the port rules or leave the defaults, as you need.

Step9: Now your cluster node1 is online.

Step10: Log on to Node2 with sufficient privileges, go to Start > Administrative Tools > Network Load Balancing Manager > click the Cluster menu > click Connect to Existing.

Step11: When the Connect page opens, enter the host name of the existing cluster node and click Connect.

Step12: After connecting to the cluster, right-click the cluster name and select Add Host To Cluster.

Step13: When the Connect page opens, add the second host name and click Connect.

Step14: On the next page select priority 2 and the default state Started.

Step15: On the Port Rules page leave the defaults.

Step16: Now your NLB cluster is ready to serve.

Step17: You can configure the load weight by selecting nlb1 > Host menu > Properties > Port Rules > Edit > under Filtering mode.
Under Filtering mode, configure the following parameters:
The Multiple hosts parameter specifies that multiple hosts in the cluster will handle network traffic for the associated port rule. This filtering mode provides scaled performance and fault tolerance by distributing the network load among multiple hosts. You can specify that the load be equally distributed among the hosts or that each host will handle a specified load weight.
The Single host parameter specifies that network traffic for the associated port rule be handled by a single host in the cluster according to the specified handling priority. This filtering mode provides port specific fault tolerance for handling network traffic.
The Disable this port range parameter specifies that all network traffic for the associated port rule be blocked. In this case, the NLB driver filters all corresponding network packets or datagrams. This filtering mode lets you block network traffic that is addressed to a specific range of ports.
The Affinity parameter is applicable only for the multiple hosts filtering mode.
The None option specifies that multiple connections from the same client IP address can be handled by different cluster hosts (there is no client affinity). To allow Network Load Balancing to properly handle IP fragments, you should avoid using None when selecting UDP or Both for your protocol setting.
The Single option specifies that NLB should direct multiple requests from the same client IP address to the same cluster host. This is the default setting for affinity. You can optionally modify the NLB client affinity to direct all client requests from a TCP/IP Class C address range (instead of a single IP address) to a single cluster host by enabling the Network option instead of the Single option. This feature ensures that clients that use multiple proxy servers to access the cluster can have their TCP connections directed to the same cluster host.
The Load weight parameter is applicable only for the Multiple hosts filtering mode. You can configure this parameter only when you open the port rules dialog box through Host Properties. (This parameter is not configurable when you open the port rules dialog box through Cluster Properties.)
When using the Multiple hosts filtering mode, this parameter specifies the relative amount of load-balanced network traffic that this host should handle for the associated port rule. Allowed values range from 0 (zero) to 100. To prevent a host from handling any network traffic, set the load weight to 0 (zero). The actual fraction of traffic handled by each host is computed as the local load weight divided by the sum of all load weights across the cluster.
You can specify different load weights for each host in the cluster by using the Load weight parameter. You can specify that all hosts distribute the network load equally by using the Equal load distribution parameter instead of the Load weight parameter.
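The following PowerShell function is an added example, not part of the original post: it applies the rule just stated (a host's share is its load weight divided by the sum of the load weights of the converged hosts) so you can predict what a set of Load weight values does before changing them in Host Properties. The host names and weights are constructed.

```powershell
# Added example, not part of the original post: predicts the per-host traffic
# share for a port rule from the Load weight values (0..100) of each host.
function Get-NlbTrafficShare {
    param(
        [Parameter(Mandatory = $true)] [hashtable] $LoadWeight,  # host name -> weight (0..100)
        [string[]] $Converged = @($LoadWeight.Keys)              # hosts currently in the cluster
    )
    foreach ($h in $LoadWeight.Keys) {
        $w = [int]$LoadWeight[$h]
        if ($w -lt 0 -or $w -gt 100) { throw "Load weight for $h must be between 0 and 100, got $w" }
    }
    # Only converged hosts count toward the total: when a host drops out,
    # NLB reconverges and its share moves to the remaining hosts.
    $total = 0
    foreach ($h in $Converged) { $total += [int]$LoadWeight[$h] }
    foreach ($h in $Converged) {
        $w = [int]$LoadWeight[$h]
        if ($total -eq 0) { $pct = 0 } else { $pct = [math]::Round(100 * $w / $total, 1) }
        New-Object PSObject -Property @{ Host = $h; Weight = $w; Percent = $pct }
    }
}

# Constructed two-node cluster where nlb1 should take twice the traffic of nlb2.
$weights = @{ nlb1 = 100; nlb2 = 50 }
Get-NlbTrafficShare -LoadWeight $weights | Format-Table Host, Weight, Percent -AutoSize

# Draining nlb1 for patching: a weight of 0 removes it from the rule's traffic
# without stopping the host, which is useful while WSUS updates are applied.
Get-NlbTrafficShare -LoadWeight @{ nlb1 = 0; nlb2 = 50 } | Format-Table Host, Weight, Percent -AutoSize

# nlb2 has left the cluster: the remaining converged host takes the whole load.
Get-NlbTrafficShare -LoadWeight $weights -Converged nlb1 | Format-Table Host, Weight, Percent -AutoSize
```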

Test cluster configuration:
Step17: Go to the command prompt and type "wlbs query". As you can see, node 1 and node 2 have converged successfully on the cluster, which means things are working well.
• Ping each server locally and remotely
• Ping the virtual IP locally and remotely – you should do this three times from each location. If you cannot ping remotely you may need to add a static ARP entry in your switches and/or routers where the host machines reside.

Step18: You can see the LAN properties are configured with the virtual IP 10.10.10.22.

Step19: Now access your clustered website.

All the results mentioned above show that your cluster is operating fine.
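The script below is an added example, not part of the original post: it runs the checks from the test steps above (wlbs query, pinging each node and the virtual IP three times, and fetching the site through the VIP) on a Windows Server 2008 node where wlbs.exe is the management tool and PowerShell 2.0 is available. Run it once on a cluster node and once from a remote client. The node names and addresses are constructed placeholders, and the check that "wlbs query" output contains the word "converged" is an assumption about that tool's output.

```powershell
# Added example, not part of the original post: scripts the cluster checks
# from the steps above. Names, addresses and the site URL are placeholders.
$VirtualIP = '10.10.10.22'                                    # VIP used in the post
$Nodes     = @{ nlb1 = '10.10.10.20'; nlb2 = '10.10.10.21' }  # hypothetical dedicated IPs
$Website   = "http://$VirtualIP/"

function Test-NlbConvergence {
    # Assumption: "wlbs query" prints a line containing "converged" once the
    # local host has converged with the cluster, as described in Step17.
    $out = (& wlbs.exe query 2>&1 | Out-String).Trim()
    New-Object PSObject -Property @{ Check = 'wlbs query'; Passed = ($out -match 'converged'); Detail = $out }
}

function Test-NlbReachability {
    param([string] $Name, [string] $Address, [int] $Count = 3)
    # The post asks for three pings of the VIP from each location.
    $ok = Test-Connection -ComputerName $Address -Count $Count -Quiet
    New-Object PSObject -Property @{ Check = "ping $Name ($Address) x$Count"; Passed = $ok; Detail = '' }
}

function Test-NlbWebsite {
    param([string] $Url)
    # Step19: fetch the clustered site through the VIP (WebClient works on PowerShell 2.0).
    try {
        $body = (New-Object System.Net.WebClient).DownloadString($Url)
        New-Object PSObject -Property @{ Check = "GET $Url"; Passed = $true; Detail = "$($body.Length) bytes" }
    } catch {
        New-Object PSObject -Property @{ Check = "GET $Url"; Passed = $false; Detail = $_.Exception.Message }
    }
}

$results = @()
$results += Test-NlbConvergence
foreach ($n in $Nodes.GetEnumerator()) { $results += Test-NlbReachability -Name $n.Key -Address $n.Value }
$results += Test-NlbReachability -Name 'VIP' -Address $VirtualIP
$results += Test-NlbWebsite -Url $Website
$results | Format-Table Check, Passed, Detail -AutoSize

if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'A check failed. If only the remote VIP ping fails, add a static ARP entry on the switch or router as noted above.'
}
```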