
Windows Server 2008 Lab 6

Introduction
IIS is Microsoft's web server that has been tailored specifically to business users and provides
many features that make it easy for a business to use ecommerce, provide interactive websites
and host web browser based applications.
In today's lab you will perform the following tasks:
Task 1: Install IIS 7
Task 2: Creating Web Content
Task 3: Creating Virtual Directories
Task 4: Configuring IP Address Restrictions
Task 5: Install Active Directory Certificate Services
Task 6: Using the Certification Authority Tool
Task 7: Configuring a Certificate Template for Autoenrollment
Task 8: Configuring a Group Policy for Autoenrollment
Task 9: Configuring Credential Roaming

Task 1: Install IIS 7


1. Click Start -> All Programs -> Administrative Tools -> Server Manager or click on
the server manager icon on the task bar

Created 2/22/2012 by Donna P. Warren


2. In the Server Manager window, scroll down to Roles Summary, and then click Add
Roles. The Add Roles Wizard will start with a Before You Begin page. Click Next

3. Check the Web Server (IIS) role. If any roles or features are missing, the screen below
will appear

4. Click on Add Required Features and then click Next


5. An introductory page will open with links for further information, click Next

6. Add the following role services to the default ones:
7. ASP.NET (click Add Required Features when the dialog box appears)
8. IIS Client Certificate Mapping Authentication. Make sure it is selected, and read its
description on the right side of the window. This selection enables you to use digital IDs
for security.
9. Click Next
10. Check to make sure all of the features are installed and then click Install
11. When the installation results page appears, IIS is now installed, so click Close to
complete the process.
12. Open Internet Explorer to confirm that the Web server works by typing http://localhost in
the address bar. The following page should open


Task 2: Creating Web Content


1. Open Notepad and copy the following text (use your actual domain name and not
mydomainname.com)
<html><body>
<h1><center>Welcome to my first web page</center></h1>
<h2><center>www.mydomainname.com</center></h2>
</body></html>
Note: use your actual domain name and not mydomainname.com
2. Click File -> Save As. The Save As dialog box appears
3. Click Browse Folders. The dialog box expands to display the contents of your Documents
folder
4. Create a new folder called www and press Enter
5. In the Save As type drop-down list, select All Files

6. In the File Name text box, type Default.htm, and click Save.
7. Create another folder in your Documents folder called Sales
8. Create a file inside it called Default.htm, containing the following text:
<html><body>
<h1><center>Mydomainname Sales</center></h1>
<h2><center>sales.mydomainname.com</center></h2>
</body></html>
9. Close the Notepad window
10. Click Start -> Administrative Tools -> DNS. Click Continue in the User Account Control
message box
11. Expand server name and the Forward Lookup Zones folder
12. Right-click the mydomainname.com zone and, from the context menu, select New Alias
(CNAME). The New Resource Record dialog box appears, as shown below

13. In the Alias Name text box, type www


14. In the Fully Qualified Domain Name (FQDN) For Target Host text box, type
myservername.mydomainname.com, then click OK.
15. Repeat the process to create another New Alias (CNAME) record, using the alias name
sales and the target host name myservername.mydomainname.com

16. Open a command prompt and do an nslookup on mydomainname.com,
www.mydomainname.com and sales.mydomainname.com
17. Press Ctrl+Prt Scr to take a screen shot of the DNS Manager console showing the two
CNAME records you created. Press Ctrl+V to paste the image into your lab 6 word

Task 3: Creating Virtual Directories


1. Open Windows Explorer, and browse to the Documents\www folder you created earlier
2. In the www folder, create a subfolder called Public
3. In the Public folder, use Notepad to create a file called Default.htm that contains the
following text:
<html><body>
<h1><center>Mydomainname.</center></h1>
<h2><center>www.mydomainname.com</center></h2>
<h2><center>Public</center></h2>
</body></html>
4. In Internet Explorer, type http://www.mydomainname.com/public in the address box,
and press Enter. The Public page you created appears
5. In the Internet Information Services (IIS) Manager window, right-click the www site you
created earlier and, from the context menu, select Add Virtual Directory. The Add Virtual
Directory dialog box appears, as shown

6. In the Alias text box, type Links.


7. In the Physical Path text box, type or browse to the C:\Users\you\Links folder
8. Click Test Settings. The Test Connection dialog box appears

9. Click Close. The Test Connection dialog box closes


10. In the Add Virtual Directory text box, click Connect As. The Connect As dialog box
appears
11. In the IIS Manager, select the Specific User option, and click Set. The Set Credentials
dialog box appears
12. In the User Name text box, type mydomainname\you
13. In the Password and Confirm Password text boxes, type Password1. Then click OK.
14. Click OK to close the Connect As dialog box.
15. Click Test Settings again.
16. In Internet Explorer, type the URL for the Links virtual directory, and press Enter
17. In the Internet Information Services (IIS) Manager window, select the www site. The
www Home Web page appears.
18. Double-click the Directory Browsing icon, and enable directory browsing
19. Switch to Internet Explorer, and click the Refresh button
20. In the Internet Information Services (IIS) Manager window, with the www site selected,
click the Content View tab
21. Press Ctrl+Prt Scr to take a screen shot of the Internet Information Services (IIS)
Manager window. Press Ctrl+V to paste the image into your lab 6 word

Task 4: Configuring IP Address Restrictions


1. Open Server Manager, and select the Roles node in the scope (left) pane.
2. In the detail (right) pane in the Web Server (IIS) section, click Add Role Services. The
Add Role Services wizard appears, displaying the Select Role Services page.
3. Select the Security > IP and Domain Restrictions checkbox, and click Next. The
Confirm Installation Selections page appears.
4. Click Install. The wizard installs the role service, and the Installation Results page
appears.
5. Click Close.
6. Open Internet Explorer. In the address box, type http://127.0.0.1, and press Enter.
7. On your partner server, open Internet Explorer, and try to connect to the following URL:
http://www.mydomainname.com
8. On Server1, open the Internet Information Services (IIS) Manager window, and expand the
servername (whatever you named your server) and Sites nodes.
9. Select Default Web Site. The Default Web Site home page appears.
10. Double-click the IPv4 Address and Domain Restrictions icon. The screen below appears

11. In the actions pane, click Edit Feature Settings. The Edit IP And Domain Restrictions
Settings dialog box appears.
12. From the Access For Unspecified Clients drop-down list, select Deny, and click OK.

13. Switch to Internet Explorer, and click the Refresh button.


14. On your second server, in Internet Explorer, try again to connect to your web site
15. In the Internet Information Services (IIS) Manager window, in the actions pane, click Add
Allow Entry. The Add Allow Restriction Rule dialog box appears, as shown

16. Leave the Specific IPv4 Address option selected. In the text box, type 127.0.0.1, and click
OK. The new rule you created appears in the IPv4 Address And Domain Restrictions
list.
17. Switch to Internet Explorer, and click the Refresh button

18. On your partner server, switch to Internet Explorer, and try again to connect to the
http://server.mydomainname.com URL
19. On your second server, click Start. Then click All Programs > Accessories > Command
Prompt. A command-prompt window appears
20. In the command-prompt window, type ipconfig, and press Enter
21. Back on your own server, create a new Allow entry for your second server's IP address
22. Retest your access to the Web site from your server and your second server, just as you did
in steps 17 to 18.
23. In the Internet Information Services (IIS) Manager window, in the actions pane, click Add
Allow Entry. The Add Allow Restriction Rule dialog box appears
24. Select the IPv4 Address Range option and, in the text box, type 10.10.10.0.
25. In the Mask text box, type 255.255.255.0, and click OK. The new rule you created appears
in the IPv4 Address And Domain Restrictions list.
26. Press Ctrl+Prt Scr to take a screen shot of the Internet Information Services (IIS) Manager
window showing the three rules you created. Press Ctrl+V to paste the image in your lab 6
word file
27. Click Edit Feature Settings again, and select Allow from the Access For Unspecified
Clients drop-down list. Then, click OK
28. Log off
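
The rules built in steps 11 to 25, scripted as an added example that is not part of the original lab handout: a batch file that applies the same settings to Default Web Site with appcmd.exe, the command-line tool installed with IIS 7. It assumes the default appcmd.exe location, an elevated command prompt, and a site with no existing IP restriction entries; 192.0.2.10 is a placeholder for the second server's address.

```batch
@echo off
rem Added example: Task 4's IP restrictions applied with appcmd.exe
rem instead of IIS Manager. Run from an elevated command prompt.
setlocal
set "APPCMD=%windir%\system32\inetsrv\appcmd.exe"
set "SITE=Default Web Site"
set "SECTION=system.webServer/security/ipSecurity"
rem Placeholder: replace with the address ipconfig showed on the
rem second server (step 20).
set "PARTNER_IP=192.0.2.10"

rem Step 12: Access For Unspecified Clients = Deny.
"%APPCMD%" set config "%SITE%" -section:%SECTION% /allowUnlisted:false /commit:apphost || goto fail

rem Step 16: Allow entry for the local loopback address.
"%APPCMD%" set config "%SITE%" -section:%SECTION% /+"[ipAddress='127.0.0.1',allowed='True']" /commit:apphost || goto fail

rem Step 21: Allow entry for the second server.
"%APPCMD%" set config "%SITE%" -section:%SECTION% /+"[ipAddress='%PARTNER_IP%',allowed='True']" /commit:apphost || goto fail

rem Steps 24-25: Allow entry for the 10.10.10.0 / 255.255.255.0 range.
"%APPCMD%" set config "%SITE%" -section:%SECTION% /+"[ipAddress='10.10.10.0',subnetMask='255.255.255.0',allowed='True']" /commit:apphost || goto fail

rem Step 26 equivalent: print the section so the three rules and the
rem allowUnlisted value can be checked in text form.
"%APPCMD%" list config "%SITE%" -section:%SECTION%

rem Step 27 sets Access For Unspecified Clients back to Allow. With
rem allowUnlisted:true the three Allow entries no longer restrict
rem anything, because clients that match no rule are admitted too:
rem "%APPCMD%" set config "%SITE%" -section:%SECTION% /allowUnlisted:true /commit:apphost
exit /b 0

:fail
rem appcmd returns an error when an entry already exists, so a second
rem run against the same site stops here.
echo appcmd.exe reported an error; see its message above. 1>&2
exit /b 1
```

Retest from both servers after the script runs, as in steps 17 and 18, before applying the step 27 line.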

Task 5: Install Active Directory Certificate Services


Certificate Services enable an organization to use PKI with digital certificates to establish proof
of identity of network users. In this activity, you use Server Manager to install a root CA. Active
Directory should already be installed in Windows Server 2008 before you begin.
1. Click Start, Administrative Tools, and click Server Manager
2. Find the Roles Summary section and click Add Roles
3. If you see the Before You Begin page, click Next
4. Click Active Directory Certificate Services. Click Next
5. In the Introduction to Active Directory Certificates Services window, click Next
6. Ensure the box is checked for Certification Authority
7. Click Next in the Select Role Services window
8. Make certain that Enterprise is selected in the Specify Setup Type window
9. Ensure that Root CA is selected on the Specify CA Type window
10. Click Next.
11. Select Create a new private key, if it is not already selected in the Set Up Private
Key window.

12. Click Next


13. Use the default cryptographic service hash in the Configure Cryptography for CA
screen
14. Click Next
15. In the Configure CA Name window, use the automatically generated name and suffix
to identify the CA. The CA's name cannot be more than 64 characters in length.
16. Click Next
17. In the Set Validity Period window, use the default of 5 years and click Next
18. Use the default certificate database location as presented in the Configure Certificate
Database screen
19. Click Next on the Configure Certificate Database screen
20. Review the Active Directory Certificate Services information you have configured
21. Press Ctrl+Prt Scr to take a screen shot of the window and press Ctrl+V to paste the
image into your lab 6 word
22. Click Install (Notice the warning that the name and domain settings of the computer
cannot be changed after the CA is installed)
23. The installation may take a few minutes to complete.
24. Click Close.
25. Close Server Manager

Task 6: Using the Certification Authority Tool


Most services management tasks are performed using the Certification Authority tool or MMC
snap-in. In this activity you launch the tool and survey its capabilities
1. Click Start, point to Administrative Tools, and click Certification Authority.
2. Click the CA server name in the tree in the left pane
3. In the tree in the left pane, right-click the name of the root CA you created
4. Point to All Tasks. Notice the options on the menu, including options to Stop
Service, Back up CA, Restore CA, and Renew CA Certificate
5. Click the pointer in an open area to close the menus
6. Right-click the root CA in the tree and click Properties
7. Press Ctrl+Prt Scr to take a screen shot of the window and press Ctrl+V to paste the
image into your lab 6 word
8. Click the Security tab in the Properties dialog box
9. Click each group in the Group or user names box and view the permissions given to
that group by default
10. Click the Certificate Managers tab

11. Click Restrict certificate managers


12. Click each of the remaining tabs to see the parameters that can be set
13. Click OK in the Properties dialog box
14. Close the Certification Authority tool

Task 7: Configuring a Certificate Template for Autoenrollment


Autoenrollment is an important feature that saves time for users and CA administrators.
1. Click Start, click Run, enter mmc in the Run box, and click OK
2. Click File and click Add/Remove Snap-in
3. Click Certificate Templates in the Available snap-ins window and click the Add button.
4. Click OK in the Add or Remove Snap-ins window
5. Click Certificate Templates in the tree in the left pane
6. Scroll through the middle pane to view the existing certificate templates
7. In the middle pane, right-click Workstation Authentication and click Properties.
8. Click the Security tab
9. On the Security tab you can select the group for which to enable autoenrollment. If the
group you want to configure is not displayed by default, you can use the Add button to
add that group. Ensure that Authenticated Users is selected
10. Click the Allow box for Autoenroll
11. Press Ctrl+Prt Scr to take a screen shot of the window and press Ctrl+V to paste the
image into your lab 6 word
12. Click OK in the Workstation Authentication Properties dialog box
13. Close the MMC console for Certificate Templates and click No to not save the settings
for Console1

Task 8: Configuring a Group Policy for Autoenrollment


Description: Even though you have configured autoenrollment in a certificate template, it must
still be authorized in Windows Server 2008 Active Directory and by Active Directory on users
who log into the network. This is accomplished by creating an autoenrollment group policy.
1. Click Start, click Run, enter mmc in the Run box, and click OK
2. Click File and click Add/Remove Snap-in
3. Click Group Policy Management Editor in the Available snap-ins window and click
the Add button
4. In the Select Group Policy Object dialog box, click Browse

5. Double-click Default Domain Policy in the Browse for Group Policy Object dialog box
6. Click Finish in the Select Group Policy Object window
7. Click OK in the Add or Remove Snap-ins window
8. Maximize the windows, if necessary
9. In the left-pane tree, click Default Domain Policy [server and domain name].
10. In the left pane, expand User Configuration, if necessary
11. In the left pane, expand Policies, if necessary
12. In the left pane, expand Windows Settings
13. In the left pane, expand Security Settings
14. In the left pane, double-click Public Key Policies
15. In the middle pane, double-click Certificate Services Client Auto-Enrollment
16. In the Certificate Services Client Auto-Enrollment Properties dialog box, click the
down arrow for Configuration Model and select Enabled
17. In the Certificate Services Client Auto-Enrollment Properties dialog box, check the
boxes for Renew expired certificates, update pending certificates, and remove
revoked certificates and for Update certificates that use certificate templates, if
these boxes are not already checked
18. Press Ctrl+Prt Scr to take a screen shot of the window and press Ctrl+V to paste the
image into your lab 6 word
19. Click OK in the Certificate Services Client Auto-Enrollment Properties dialog box
20. Leave the Default Domain Policy console open

Task 9: Configuring Credential Roaming


Active Directory security works with client computers through the use of group policies. In this
activity, you learn how to enable CA client synchronization through credential roaming
1. Open the Group Policy Management Editor snap-in to the Default Domain Policy
2. Ensure that the following are expanded in the tree in the left pane:
a. Default Domain Policy [server and domain name]
b. User Configuration
c. Policies
d. Windows Settings
e. Security Settings
3. Double-click Public Key Policies
4. In the middle pane, double-click Certificate Services Client Credential Roaming
5. In the Certificate Services Client Credential Roaming dialog box, click Enabled to
enable credential roaming. Leave the default settings for the remaining parameters

6. Press Ctrl+Prt Scr to take a screen shot of the window and press Ctrl+V to paste the
image into your lab 6 word
7. Click OK in the Certificate Services Client Credential Roaming dialog box
8. Click OK in the Changing RUP Exclusion List information box
9. Close the Default Domain Policy console
10. Click No when asked whether to save changes to the console
