Configuring the Corpnet Subnet of the Base Configuration Test Lab for Public Cloud Technologies



Overview


This article describes how to configure the DC1, APP1, and CLIENT1 computers of the Corpnet subnet of the Base Configuration test lab so that they are connected to your organization intranet, yet logically isolated from your production network. The following figure shows the new configuration:



This logical isolation is done through the corp.contoso.com domain hosted on DC1 and manual DNS configuration of APP1 and CLIENT1. The new configuration allows DC1, APP1, CLIENT1, and additional logical Corpnet subnet computers to be:

 

  • Connected to the Internet through your organization network to automatically install updates, access Internet resources in real time, and participate in public cloud technologies such as Microsoft Office 365 and Windows Azure.
  • Hosted on different virtualization servers, instead of hosting them and other computers of the Corpnet test lab subnet on a single isolated internal subnet of a single virtualization server.
  • Remotely managed by your computer that is also connected to your organization subnet. For example, you can use a Remote Desktop Connection or a virtual machine portal, such as Microsoft Configuration Manager Virtual Machine Manager.

Key differences in the configuration from the Test Lab Guide: Base Configuration are the following:

  • DC1 is no longer a DHCP server. It must either have a static IPv4 address configuration or a DHCP client reservation. Because APP1, CLIENT1, and other logical Corpnet subnet computers are configured with the IPv4 address of DC1 as their DNS server, the IPv4 address of DC1 must not change over time.
  • APP1 is now a DHCP client, rather than statically configured.
  • APP1 and CLIENT1 are manually configured to use the static or DHCP-reserved IPv4 address of DC1 as their DNS server and with the DNS domain suffix corp.contoso.com.
  • To provide name resolution for intranet and Internet resources, the DNS Server service on DC1 is configured to forward DNS queries to the addresses of intranet DNS servers.
  • To gain access to Web-based Internet resources, the computers of the logical Corpnet subnet must be configured to use the proxy server of the organization intranet. Please see your network administrator for the additional configuration that needs to be done to these computers, if needed.

There are three steps to setting up the logical Corpnet subnet of the Base Configuration test lab on an organization intranet.

  1. Configure DC1.
  2. Configure APP1.
  3. Configure CLIENT1.

For instructions on configuring this lab using Hyper-V in Windows Server 2012, see Hosting the Corpnet subnet for public cloud test lab with Windows Server 2012 Hyper-V.

Note: You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

Important: The instructions for configuring the computers of the Corpnet logical subnet of the Base Configuration test lab are designed to be as simple as possible and require as few computers as possible. In some cases, servers provide multiple roles that would normally be placed on different servers. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network.

The following sections provide details about how to perform these steps.

Step 1: Configure DC1

DC1 provides the following services:

  • A domain controller for the corp.contoso.com Active Directory Domain Services (AD DS) domain.
  • A DNS server for the corp.contoso.com DNS domain.
  • An enterprise root CA for the corp.contoso.com domain.

DC1 configuration consists of the following:

  • Install the operating system.
  • Change the computer name to DC1.
  • Configure TCP/IP.
  • Install Active Directory and DNS.
  • Install an enterprise root CA.
  • Configure the CRL settings for the enterprise root CA.
  • Configure DC1 to forward DNS requests to organization intranet DNS servers.
  • Create a DNS entry for crl.corp.contoso.com.
  • Create a user account in Active Directory.
  • Configure computer certificate auto-enrollment.
  • Configure computer account maximum password age.

Install the operating system on DC1

First, install Windows Server 2008 R2 Enterprise Edition as a standalone server.

1.    Start the installation of Windows Server 2008 R2. For an evaluation copy of Windows Server 2008 R2 Enterprise Edition in download and virtual hard disk (VHD) form, see Windows Server 2008 R2 Evaluation Free 180-Day Trial (http://go.microsoft.com/fwlink/?LinkID=102582).

2.    Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition (full installation) and a strong password for the local Administrator account. Log on using the local Administrator account.

3.    Run Windows Update to install the latest updates for Windows Server 2008 R2.

Change the computer name to DC1

Next, change the computer name to DC1.

1.    In Initial Configuration Tasks, click Provide Computer Name and Domain.

2.    In the System Properties dialog box, on the Computer Name tab, click Change.

3.    In Computer Name, type DC1.

4.    Click OK.

5.    When you are prompted that you must restart the computer, click OK.

6.    On the System Properties dialog box, click Close.

7.    When you are prompted to restart the computer, click Restart Now.

8.    After the computer restarts, log on with the local Administrator account.

9.    In Initial Configuration Tasks, click Do not show this window at logon, and then click Close.

Configure TCP/IP properties

Next, configure the TCP/IP protocol with the DNS suffix corp.contoso.com.

1.    In Initial Configuration Tasks, click Configure networking.

2.    In Network Connections, right-click Local Area Connection, and then click Properties.

3.    Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4.    For a static IPv4 address configuration for DC1, enter the IPv4 address and subnet mask.

5.    Click Advanced, and then click the DNS tab.

6.    In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close.

7.    Close the Network Connections window.

Configure DC1 as a domain controller and DNS server

Next, configure DC1 as a domain controller and DNS server for the corp.contoso.com domain.

1.    In the console tree of Server Manager, click Roles. In the details pane, click Add Roles, and then click Next.

2.    On the Select Server Roles page, click Active Directory Domain Services, click Add Required Features, click Next twice, and then click Install. When installation is complete, click Close.

3.    To start the Active Directory Installation Wizard, click Start, type dcpromo, and then press ENTER.

4.    In the Active Directory Installation Wizard dialog box, click Next twice.

5.    On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and then click Next.

6.    On the Name the Forest Root Domain page, type corp.contoso.com, and then click Next.

7.    On the Set Forest Functional Level page, in Forest Functional Level, click Windows Server 2008 R2, and then click Next.

8.    On the Additional Domain Controller Options page, click Next, click Yes to continue, and then click Next.

9.    On the Directory Services Restore Mode Administrator Password page, type a strong password twice, and then click Next.

10.  On the Summary page, click Next.

11.  Wait while the wizard completes the configuration of Active Directory and DNS services, and then click Finish.

12.  When you are prompted to restart the computer, click Restart Now.

13.  After the computer restarts, log in to the CORP domain using the Administrator account.

Install an enterprise root CA on DC1

Next, install an enterprise root CA on DC1 to provide digital certificates for domain member computers. Note that in a production environment, you would not install an enterprise root CA on a domain controller. This is done in the test lab for simplicity. For more information about PKI best practices, see Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure.

1.    In the console tree of Server Manager, click Roles.

2.    Under Roles Summary, click Add roles, and then click Next.

3.    On the Select Server Roles page, click Active Directory Certificate Services, and then click Next twice.

4.    On the Role Services page, click Next.

5.    On the Setup Type page, click Enterprise, and then click Next.

6.    On the CA Type page, click Root CA, and then click Next.

7.    On the Private Key page, click Create a new private key, and then click Next.

8.    On the Cryptography page, click Next.

9.    On the CA Name page, click Next.

10.  On the Validity Period page, click Next.

11.  On the Certificate Database page, click Next.

12.  On the Confirm Installation Selections page, click Install.

13.  On the Results page, click Close.

Configure the CRL distribution settings

Next, configure the certification authority on DC1 for the location of the CRL for certificates issued by DC1.

1.    On DC1, click Start, point to Administrative Tools, and then click Certification Authority.

2.    In the details pane, right-click corp-DC1-CA and click Properties.

3.    In the corp-DC1-CA Properties dialog box, click the Extensions tab.

4.    On the Extensions tab, click Add.  In Location, type http://crl.corp.contoso.com/crld/.

5.    In Variable, click <CAName>, and then click Insert.

6.    In Variable, click <CRLNameSuffix>, and then click Insert.

7.    In Variable, click <DeltaCRLAllowed>, and then click Insert.

8.    In Location, type .crl at the end of the Location string, and then click OK.

9.    Select “Include in CRLs. Clients use this to find Delta CRL locations.” and “Include in the CDP extension of issued certificates”, and then click Apply. Click No in the dialog box asking you to restart Active Directory Certificate Services.

10.  Click Add.

11.  In Location, type \\app1\crldist$\.

12.  In Variable, click <CAName>, and then click Insert.

13.  In Variable, click <CRLNameSuffix>, and then click Insert.

14.  In Variable, click <DeltaCRLAllowed>, and then click Insert.

15.  In Location, type .crl at the end of the string, and then click OK.

16.  Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.

17.  Click Yes to restart Active Directory Certificate Services.

18.  Close the Certification Authority console.

Configure DC1 to forward DNS requests to organization intranet DNS servers

Obtain the IP addresses of the organization intranet DNS servers. Next, configure these IP addresses as forwarders on DC1.

1.    On DC1, click Start, point to Administrative Tools, and then click DNS.

2.    In the DNS Manager console, right-click DC1, and then click Properties. Click the Forwarders tab, and then click Edit.

3.    Add the IP addresses of your intranet DNS servers, and then click OK twice.

Create a DNS record for crl.corp.contoso.com

The URL for the CRL distribution point uses the name crl.corp.contoso.com. Next, create a DNS CNAME record on DC1 so that this name is aliased to app1.corp.contoso.com.

1.    In the DNS Manager console, expand DC1 and then expand Forward Lookup Zones. Right-click corp.contoso.com and click New Alias (CNAME).

2.    In the New Resource Record dialog box, type CRL in Alias name (uses parent domain name if blank). In Fully qualified domain name (FQDN) for target host, type app1.corp.contoso.com. Click OK.

3.    Close the DNS Manager console.

Create a user account in Active Directory

Next, create a user account in Active Directory that will be used when logging in to CORP domain member computers.

1.    Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2.    In the console tree, open corp.contoso.com, right-click Users, point to New, and then click User.

3.    In the New Object - User dialog box, in Full name, type User1, and in User logon name, type User1.

4.    Click Next.

5.    In Password, type the password that you want to use for this account, and in Confirm password, type the password again.

6.    Clear User must change password at next logon and select Password never expires.

7.    Click Next, and then click Finish.

8.    In the console tree, click Users.

9.    In the details pane, double-click Domain Admins.

10.  In the Domain Admins Properties dialog box, click the Members tab, and then click Add.

11.  Under Enter the object names to select (examples), type User1, and then click OK twice.

12.  Close the Active Directory Users and Computers console.

Configure computer certificate auto-enrollment

Next, configure Group Policy so that domain members automatically request certificates.

1.    Click Start, click Administrative Tools, and then click Group Policy Management.

2.    In the console tree, open Forest: corp.contoso.com\Domains\corp.contoso.com.

3.    In the details pane, right-click Default Domain Policy, and then click Edit.

4.    In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

5.    In the details pane, double-click Certificate Services Client – Auto-Enrollment. In Configuration Model, select Enabled.

6.    Select “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates”. Click OK.

7.    Leave the Group Policy Management Editor and Group Policy Management consoles open.

Next, configure a custom client-server authentication template that can be used by servers and clients.

1.    On DC1, click Start, point to Administrative Tools, and then click Certification Authority.

2.    In the details pane, expand corp-DC1-CA.

3.    Right-click Certificate Templates, and then click Manage.

4.    In the Certificate Templates console, right-click Workstation Authentication and click Duplicate Template. In Duplicate Template, click Windows Server 2008 Enterprise, and then click OK.

5.    On the General tab, change the Template display name to Client-Server Authentication and select Publish certificate in Active Directory.

6.    Click the Extensions tab, click Application Policies and then click Edit. Click Add, and then select Server Authentication. Click OK twice.

7.    Click the Security tab. For Domain Computers, select the checkbox to Allow Autoenroll. Click OK. Close the Certificate Templates Console window.

8.    In the Certification Authority snap-in console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

9.    Click Client-Server Authentication and then click OK.

10. Close the Certification Authority window.

 

Configure computer account maximum password age

Next, configure Group Policy so that computer accounts have a maximum password age of 999 days. By default, computer accounts change their passwords automatically every 30 days. If you are saving computer images or snapshots and restoring them later, this setting ensures that the disk images or virtual snapshots will be restorable for up to 999 days.

1.    In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.

2.    In the details pane, double-click Domain member: Maximum machine account password age.

3.    On the Security Policy Setting tab, select Define this policy setting, type 999, and then click OK.

4.    Close the Group Policy Management Editor and Group Policy Management consoles.

Step 2: Configure APP1

APP1 provides web and file sharing services. APP1 configuration consists of the following:

  • Install the operating system.
  • Configure TCP/IP.
  • Join the computer to the domain.
  • Install the Web Server (IIS) role.
  • Create a web-based CRL distribution point.
  • Configure the Secure Hypertext Transfer Protocol (HTTPS) security binding.
  • Configure permissions on the CRL distribution point file share.
  • Publish the CRL to APP1 from DC1.
  • Create a shared folder on APP1.

Install the operating system on APP1

First, install Windows Server 2008 R2 Enterprise Edition.

1.    Start the installation of Windows Server 2008 R2 Enterprise Edition.

2.    Follow the instructions to complete the installation, specifying a strong password for the local Administrator account. Log on using the local Administrator account.

3.    Run Windows Update to install the latest updates for Windows Server 2008 R2.

Configure TCP/IP properties

Next, configure TCP/IP.

1.    In Initial Configuration Tasks, click Configure networking.

2.    In the Network Connections window, right-click Local Area Connection, and then click Properties.

3.    Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4.    Select Use the following DNS server addresses. In Preferred DNS server, type the IPv4 address of DC1.

5.    Click Advanced, and then click the DNS tab. In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close.

6.    Close the Network Connections window and leave the Initial Configuration Tasks window open.

7.    To check name resolution and network communication between APP1 and DC1, click Start, click All Programs, click Accessories, and then click Command Prompt.

8.    In the Command Prompt window, type ping dc1.corp.contoso.com.

9.    Verify that there are four replies.

10.  Close the Command Prompt window.

Join APP1 to the CORP domain

Next, join APP1 to the corp.contoso.com domain.

1.    In Initial Configuration Tasks, click Provide Computer Name and Domain.

2.    In the System Properties dialog box, on the Computer Name tab, click Change.

3.    In Computer Name, type APP1. In Member of, click Domain, and then type corp.contoso.com.

4.    Click OK.

5.    When you are prompted for a user name and password, type User1 and its password, and then click OK.

6.    When you see a dialog box welcoming you to the corp.contoso.com domain, click OK.

7.    When you are prompted that you must restart the computer, click OK.

8.    On the System Properties dialog box, click Close.

9.    When you are prompted to restart the computer, click Restart Now.

10.  After the computer restarts, click Switch User, and then click Other User and log on to the CORP domain with the User1 account.

11.  In Initial Configuration Tasks, click Do not show this window at logon, and then click Close.

Install the Web Server (IIS) role on APP1

Next, install the Web Server (IIS) role to make APP1 a web server.

1.    In the console tree of Server Manager, click Roles. In the details pane, click Add Roles, and then click Next.

2.    On the Select Server Roles page, select Web Server (IIS), and then click Next three times.

3.    Click Install.

4.    Verify that the installation was successful, and then click Close.

Create a web-based CRL distribution point

Next, create a web-based CRL distribution point so that computers on the logical Corpnet subnet can access the CRL.

1.    Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2.    In the console tree, navigate to APP1\Sites\Default Web Site. Right-click Default Web Site and click Add Virtual Directory.

3.    In the Add Virtual Directory dialog box, in Alias, type CRLD. Next to Physical path, click the ellipsis “…” button.

4.    In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.

5.    Type CRLDist, and then press ENTER. Click OK in the Browse for Folder dialog box.

6.    Click OK in the Add Virtual Directory dialog box.

7.    In the middle pane of the console, double-click Directory Browsing.

8.    In the details pane, click Enable.

9.    In the console tree, click the CRLD folder.

10.  In the middle pane of the console, double-click the Configuration Editor icon.

11.  Click the down-arrow for the Section drop-down list, and then navigate to system.webServer\security\requestFiltering.

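12.  In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True. This lets IIS serve the delta CRL file, whose name ends in a plus sign (+) that request filtering would otherwise reject.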

13.  In the details pane, click Apply.

Configure the HTTPS security binding

Next, configure the HTTPS security binding so that APP1 can host HTTPS-based URLs.

1.    Click Default Web site.

2.    In the Actions pane, click Bindings.

3.    In the Site Bindings dialog box, click Add.

4.    In the Add Site Binding dialog box, in the Type list, click https. In SSL Certificate, click the certificate with the name app1.corp.contoso.com. Click OK, and then click Close.

5.    Close the Internet Information Services (IIS) Manager console.

Configure permissions on the CRL distribution point file share

Next, configure file share permissions on the CRLD folder so that DC1 can publish the CRL and delta CRL files.

1.    On APP1, click Start, and then click Computer.

2.    Double-click Local Disk (C:).

3.    In the details pane of Windows Explorer, right-click the CRLDist folder and click Properties.

4.    In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.

5.    In the Advanced Sharing dialog box, select Share this folder.

6.    In Share name, add a “$” to the end so that the share name is CRLDist$.

7.    In the Advanced Sharing dialog box, click Permissions.

8.    In the Permissions for CRLDist$ dialog box, click Add.

9.    In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

10.  In the Object Types dialog box, select Computers, and then click OK.

11.  In the Select Users, Computers, Service Accounts, or Groups dialog box, in Enter the object names to select, type DC1, and then click Check Names. Click OK.

12.  In the Permissions for CRLDist$ dialog box, select DC1 (CORP\DC1$) from the Group or user names list. In the Permissions for DC1 section, select Allow for Full control. Click OK.

13.  In the Advanced Sharing dialog box, click OK.

14.  In the CRLDist Properties dialog box, click the Security tab.

15.  On the Security tab, click Edit.

16.  In the Permissions for CRLDist dialog box, click Add.

17.  In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

18.  In the Object Types dialog box, select Computers. Click OK.

19.  In the Select Users, Computers, Service Accounts, or Groups dialog box, in Enter the object names to select, type DC1, and then click Check Names. Click OK.

20.  In the Permissions for CRLDist dialog box, select DC1 (CORP\DC1$) from the Group or user names list. In the Permissions for DC1 section, select Allow for Full control. Click OK.

21.  Click Close in the CRLDist Properties dialog box.

22.  Close the Windows Explorer window.

Publish the CRL to APP1 from DC1

Next, configure the certification authority on DC1 to publish the CRL to the CRLDist file share on APP1.

1.    On DC1, click Start, point to Administrative Tools, and then click Certification Authority.

2.    In the console tree, open corp-DC1-CA. Right-click Revoked Certificates, point to All Tasks, and then click Publish.

3.    In the Publish CRL dialog box, click New CRL, and then click OK.

4.    Click Start, type \\APP1\CRLDist$ and press ENTER.

5.    In the Windows Explorer window, you should see the corp-DC1-CA and corp-DC1-CA+ files.

6.    Close the Windows Explorer window.
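To confirm that both CRL files are also reachable through the HTTP distribution point, the following PowerShell check can be run on any computer of the logical Corpnet subnet. It is an added example, not part of the original guide; the file names corp-DC1-CA.crl and corp-DC1-CA+.crl are assumed from the location string configured on DC1, and Test-CrlUrl is a hypothetical helper name.

```powershell
# Added example (not from the original guide): check that the base and delta
# CRLs published by DC1 can be fetched from the HTTP distribution point on APP1.
$baseUrl  = 'http://crl.corp.contoso.com/crld/'
# Assumed file names: <CAName><CRLNameSuffix><DeltaCRLAllowed>.crl for corp-DC1-CA.
$crlFiles = @('corp-DC1-CA.crl', 'corp-DC1-CA+.crl')

function Test-CrlUrl {   # hypothetical helper name
    param([string]$Url)

    $result = New-Object PSObject -Property @{
        Url = $Url; Status = $null; Bytes = 0; LooksLikeCrl = $false; Note = ''
    }
    try {
        $request = [System.Net.WebRequest]::Create($Url)
        $request.Timeout = 10000
        # Bypass any configured proxy: crl.corp.contoso.com resolves only through DC1.
        $request.Proxy = New-Object System.Net.WebProxy
        $response = $request.GetResponse()
        try {
            $result.Status = [int]$response.StatusCode
            $stream = $response.GetResponseStream()
            $memory = New-Object System.IO.MemoryStream
            $buffer = New-Object byte[] 8192
            while (($read = $stream.Read($buffer, 0, $buffer.Length)) -gt 0) {
                $memory.Write($buffer, 0, $read)
            }
            $bytes = $memory.ToArray()
            $result.Bytes = $bytes.Length
            # The CA writes DER-encoded CRLs, which begin with an ASN.1 SEQUENCE tag (0x30).
            $result.LooksLikeCrl = ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30)
            if (-not $result.LooksLikeCrl) { $result.Note = 'Response is not a DER CRL' }
        }
        finally { $response.Close() }
    }
    catch {
        # .NET exceptions arrive wrapped; unwrap to the WebException if there is one.
        $ex = $_.Exception
        while ($ex.InnerException -and -not ($ex -is [System.Net.WebException])) {
            $ex = $ex.InnerException
        }
        if ($ex -is [System.Net.WebException]) {
            if ($ex.Response) { $result.Status = [int]$ex.Response.StatusCode }
            $result.Note = "$($ex.Status): $($ex.Message)"
        }
        else { $result.Note = $ex.Message }
        # A 404 for only the '+' file points at request filtering on the CRLD directory.
        if ($result.Status -eq 404 -and $Url -like '*+*') {
            $result.Note += ' (check allowDoubleEscaping on the CRLD virtual directory)'
        }
    }
    $result
}

$results = @($crlFiles | ForEach-Object { Test-CrlUrl ($baseUrl + $_) })
$results | Format-Table Url, Status, Bytes, LooksLikeCrl, Note -AutoSize -Wrap

$failed = @($results | Where-Object { -not $_.LooksLikeCrl })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) CRL URL(s) could not be retrieved."
}
```

A NameResolutionFailure in the Note column points at the CNAME record or the DNS server setting of the computer running the check, while a 404 on only the delta CRL points at the request filtering setting on the CRLD virtual directory.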

Create a shared folder on APP1

Next, create a shared folder and a text file within the folder on APP1.

1.    On APP1, click Start, and then click Computer.

2.    Double-click Local Disk (C:).

3.    Click New Folder, type Files, and then press ENTER. Leave the Local Disk window open.

4.    Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.

5.    In the Untitled – Notepad window, type This is a shared file.

6.    Click File, click Save, double-click Computer, double-click Local Disk (C:), and then double-click the Files folder.

7.    In File name, type example.txt, and then click Save. Close the Notepad window.

8.    In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific people.

9.    Click Share, and then click Done.

10.  Close the Local Disk window.

 

Note that the “Install the operating system on APP1,” “Configure TCP/IP properties,” and “Join APP1 to the CORP domain” procedures in this section can also be used to add more Windows Server 2008 R2-based server computers to the logical Corpnet subnet.

Step 3: Configure CLIENT1

CLIENT1 configuration consists of the following:

  • Install the operating system.
  • Join CLIENT1 to the CORP domain.
  • Verify the computer certificate.
  • Test access to intranet resources on the logical Corpnet subnet.

Install the operating system on CLIENT1

First, install Windows 7 Enterprise or Ultimate on CLIENT1.

1.    Start the installation of Windows 7 Enterprise or Ultimate. For an evaluation copy of Windows 7 Enterprise in download form, see Windows 7 Enterprise 90-day Trial (http://go.microsoft.com/fwlink/?LinkID=180603).

2.    When you are prompted for a user name, type User1. When you are prompted for a computer name, type CLIENT1.

3.    When you are prompted for a password, type a strong password twice.

4.    When you are prompted for protection settings, click Use recommended settings.

5.    When you are prompted for your computer's current location, click Work.

6.    Run Windows Update to install the latest updates for Windows 7.

User account control

Several configuration tasks on the Windows 7 operating system require User Account Control (UAC) approval. When you are prompted, always click Continue in the UAC dialog box to authorize the change. To suppress these prompts on CLIENT1 within the test lab, change the elevation prompt behavior as follows:

1.    Click Start, point to All Programs, click Accessories, and then click Run.

2.    Type secpol.msc, and press ENTER.

3.    In the console tree, open Local Policies, and then click Security Options.

4.    In the contents pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.

5.    Click Elevate without prompting in the list, and then click OK.

6.    Close the Local Security Policy window.

Configure TCP/IP properties

Next, configure TCP/IP.

1.    In Initial Configuration Tasks, click Configure networking.

2.    In the Network Connections window, right-click Local Area Connection, and then click Properties.

3.    Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4.    Select Use the following DNS server addresses. In Preferred DNS server, type the IPv4 address of DC1.

5.    Click Advanced, and then click the DNS tab. In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close.

6.    Close the Network Connections window and leave the Initial Configuration Tasks window open.

7.    To check name resolution and network communication between CLIENT1 and DC1, click Start, click All Programs, click Accessories, and then click Command Prompt.

8.    In the Command Prompt window, type ping dc1.corp.contoso.com.

9.    Verify that there are four replies.

10.  Close the Command Prompt window.

Join CLIENT1 to the CORP domain

Next, join CLIENT1 to the corp.contoso.com domain.

1.    Click Start, right-click Computer, and then click Properties.

2.    On the System page, click Advanced system settings.

3.    In the System Properties dialog box, click the Computer Name tab. On the Computer Name tab, click Change.

4.    In the Computer Name/Domain Changes dialog box, click Domain, type corp.contoso.com, and then click OK.

5.    When you are prompted for a user name and password, type the user name and password for the User1 domain account, and then click OK.

6.    When you see a dialog box that welcomes you to the corp.contoso.com domain, click OK.

7.    When you see a dialog box that prompts you to restart the computer, click OK.

8.    In the System Properties dialog box, click Close. Click the button that restarts the computer.

9.    After the computer restarts, log on as CORP\User1.

Verify the computer certificate

Next, verify that a computer certificate has been installed on CLIENT1.

1.    On CLIENT1, click Start, type mmc, and then press ENTER.

2.    Click File, and then click Add/Remove Snap-in.

3.    Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

4.    In the console tree, open Certificates (Local Computer)\Personal\Certificates.

5.    In the details pane, verify that a certificate with the name CLIENT1.corp.contoso.com is present with Intended Purposes of Client Authentication and Server Authentication.

6.    Close the console window. When you are prompted to save settings, click No.
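The same verification can be scripted, which also confirms that the issued certificate carries the HTTP CRL distribution point configured on DC1. This PowerShell check is an added example, not part of the original guide; Test-ComputerCertificate is a hypothetical helper name, and the expected values are taken from the earlier steps.

```powershell
# Added example (not from the original guide): check the auto-enrolled
# computer certificate in the Local Computer\Personal store on CLIENT1.
$expectedName = 'CLIENT1.corp.contoso.com'
$cdpPrefix    = 'http://crl.corp.contoso.com/crld/'
$requiredEku  = @{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
}

function Test-ComputerCertificate {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ekuOids = @()
    $cdpText = ''
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        elseif ($ext.Oid.Value -eq '2.5.29.31') {
            # CRL Distribution Points extension: Format() renders its URLs as text.
            $cdpText = $ext.Format($false)
        }
    }

    # DnsName reads the subject alternative name first, then the subject CN.
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $dnsName = $Cert.GetNameInfo($dnsType, $false)

    $missing = @($requiredEku.Keys |
                 Where-Object { $ekuOids -notcontains $_ } |
                 ForEach-Object { $requiredEku[$_] })
    $now     = Get-Date
    $nameOk  = ($dnsName -eq $expectedName)            # -eq ignores case for strings
    $timeOk  = ($Cert.NotBefore -le $now -and $now -le $Cert.NotAfter)
    $cdpOk   = ($cdpText -like "*$cdpPrefix*")

    New-Object PSObject -Property @{
        DnsName        = $dnsName
        Thumbprint     = $Cert.Thumbprint
        NotAfter       = $Cert.NotAfter
        HasPrivateKey  = $Cert.HasPrivateKey
        MissingEku     = ($missing -join ', ')
        HttpCdpPresent = $cdpOk
        Pass           = ($nameOk -and $timeOk -and $cdpOk -and
                          $Cert.HasPrivateKey -and $missing.Count -eq 0)
    }
}

$report = @(Get-ChildItem Cert:\LocalMachine\My |
            ForEach-Object { Test-ComputerCertificate $_ })
$report | Format-List DnsName, Thumbprint, NotAfter, HasPrivateKey, MissingEku, HttpCdpPresent, Pass

if (-not ($report | Where-Object { $_.Pass })) {
    # Auto-enrollment runs with Group Policy; gpupdate /force or certutil -pulse triggers it.
    Write-Warning "No certificate for $expectedName passed all checks."
}
```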

Test access to intranet resources from the logical Corpnet subnet

Next, verify that intranet web and file share resources on APP1 can be accessed by CLIENT1.

1.    From the taskbar, click the Internet Explorer icon.

2.    In the Welcome to Internet Explorer 8 window, click Next. In the Turn on Suggested Sites window, click No, don’t turn on, and then click Next. In the Choose your settings dialog box, click Use express settings, and then click Finish.

3.    In the toolbar, click Tools, and then click Internet Options. For Home page, click Use blank, and then click OK.

4.    In the Address bar, type http://app1.corp.contoso.com/, and then press ENTER.  You should see the default IIS 7 web page for APP1.

5.    In the Address bar, type https://app1.corp.contoso.com/, and then press ENTER.  You should see the default IIS 7 web page for APP1.

6.    Leave the Internet Explorer window open.

7.    Click Start, type \\app1\Files, and then press ENTER.

8.    You should see a folder window with the contents of the Files shared folder.

9.    In the Files shared folder window, double-click the Example.txt file. You should see the contents of the Example.txt file.

10.  Close the example.txt - Notepad and the Files shared folder windows.

 

Note that the “Install the operating system on CLIENT1,” “Configure TCP/IP properties,” and “Join CLIENT1 to the CORP domain” procedures in this section can also be used to add more Windows 7-based client computers to the logical Corpnet subnet.

Snapshot the Configuration

This completes the configuration of the logical Corpnet subnet of the Base Configuration test lab. To save this configuration for additional test labs, do the following:

1.    On all physical computers or virtual machines in the logical Corpnet subnet, close all windows and then perform a graceful shutdown.

2.    If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots Corpnet Base Configuration. If your lab uses physical computers, create disk images to save the Base Configuration.

 

For a list of additional Microsoft TLGs, see Test Lab Guides.