In
this exercise we are going to implement the DHCP and NPS server roles
on the server NPS1. We will then configure NAP with the wizard and also
configure the SHVs that will force any connecting client using DHCP to
be network compliant. The domain name is CONTOSO.COM, Keeping with the
Microsoft tradition. Figure 2
depicts this simple network. We are going to imply that both servers
are Windows Server 2008 and Active Directory Domain Services have
already been set up for the CONTOSO.COM domain.
1. | First we will install the NPS and DHCP server roles on NPS1. Click Start and then click Server Manager.
| 2. | Under Roles Summary, click Add Roles and then click Next.
| 3. | On the Select Server Roles page, select the DHCP Server and Network Policy and Access Services check boxes and then click Next twice (see Figure 3).
| 4. | On the Select Server Roles page, select the Network Policy Server check box and then click Next twice.
| 5. | On the Select Network Connection Bindings page, verify that 172.16.0.11 is selected and click Next.
| 6. | On the Specify IPv4 DNS Server Settings page, verify that contoso.com is listed under Parent Domain.
| 7. | Type 172.16.0.10 under the Preferred DNS server IP address and click Validate. Verify that the server was able to validate the DNS server.
| 8. | On the Specify WINS Server Settings, click Next, accepting the default settings.
| 9. | On the Add or Edit DHCP Scopes page, click Add.
| 10. | In the Add Scope dialog box, type NAP SCOPE next to Scope Name. Add 172.16.0.20 as the Starting IP Address and 172.16.0.30 as the Ending IP Address. For the Subnet Mask use 255.255.255.0. Select the Activate this scope check box. Notice in Figure 4 that we do not specify a Default Gateway.
| 11. | On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for this server and then click Next. Remember that NAP does not support DHCPv6.
| 12. | On the Authorize DHCP Server page, select Specify, enter Administrator information, and then click Next.
| 13. | On the Confirm Installation Selections page, click Install.
| 14. | Verify the installation completed with no errors and then click Close.
|
At
this point, we now have our DHCP Server and NPS installed. The DHCP
Server is configured and authorized for the domain CONTOSO.COM. Now we
need to configure NPS as a NAP health policy server so that it can
validate the clients connecting to our domain via DHCP.
To do this, we will use the NAP configuration wizard.
1. | Click Start, click Run, type nps.msc and press Enter.
| 2. | Make sure that in the Network Policy Server console tree, that NPS (Local) is selected.
| 3. | Under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See Figure 5.
| 4. | On the Select Network Connection Method for Use with NAP page, under Network connection method, select Dynamic Host Configuration Protocol (DHPC), and then click Next.
| 5. | On the Specify NAP Enforcement Servers Running DHCP page, click Next.
| 6. | On the Specify DHCP Scopes page, click Next.
| 7. | On the Configure User Groups and Machine Groups page, click Next.
| 8. | On the Specify a NAP Remediation Server Group and URL page, click Next.
| 9. | On the Define NAP Health Policy page, verify that Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, click Next. | 10. | Click Finish on the Completing NAP Enforcement Policy and RADIUS Configuration page.
|
The
only thing left to configure is our System Health Validators (SHVs). We
are going to set up our new SHV to make sure that the Windows Firewall
is enabled, and an antivirus application is on and up-to-date.
1. | In the Network Policy Server console tree, double-click Network Access Protection, and then click System Health Validators.
| 2. | In the details pane, under Name, double-click Windows Security Health Validator.
| 3. | In the Windows Security Health Validator Properties dialog box, click Configure.
| 4. | Clear all check boxes except for A firewall is enabled for all network connections and An antivirus application is on. See Figure 6.
| 5. | Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.
| 6. | Close the Network Policy Server console.
|
This
was a long exercise, but it is very important to see this process from
start to finish—it helps facilitate your understanding of all concepts
dealing with implementing DHCP enforcement.
|