Domain Controller - Core server functionality test

Test case 1
Condition to be tested: Verify domain controller health
Execution details:
1. Log on to the domain controllers (MSS-CDC-01, MSS-CDC-02, MSS-RDC-01)
2. From command shell run DCDIAG.EXE
Expected result: DCDIAG executes a series of tests. All tests should pass.
Tools required: DCDIAG.EXE

Test case 2
Condition to be tested: Verify domain controllers can be detected by clients
Execution details:
1. Log on to any client machine
2. Open a command prompt
3. Specify the command "ipconfig /flushdns"
4. Verify that the client can access the DCs, namely MSS-CDC-01, MSS-CDC-02, MSS-RDC-01 (use ping and nslookup)
Expected result: Ping and nslookup should be able to detect the host.

Test case 3
Condition to be tested: Verify inter site and intra site Active Directory replication
Execution details:
1. Log on to the domain controllers (MSS-CDC-01, MSS-CDC-02, MSS-RDC-01)
2. From command shell, run repadmin /showreps
3. From command shell, run repadmin /showconn
4. Run replmon on the command shell. Add a domain controller to be monitored and check status.
Expected result: This verifies correct inbound and outbound links and all inbound connections. All links should be detected successfully.

Test case 4
Condition to be tested: Verify FRS works in intrasite as well as intersite file replication
Execution details: DCDIAG runs the test for FRS replication also.
Syntax:
    DCDIAG /test:frssysvol
Expected result: Verify that the test passes.

Test case 5
Condition to be tested: Verify Event Logs
Execution details: Verify there are no error logs in the directory section of event logs in the management console.
Expected result: There should not be any error logs.

Test case 6
Condition to be tested: Administrator can take system/data backup
Execution details: Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard".
Expected result: Follow the steps and you should be able to take backup.

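
Test cases 1 and 4 above rely on reading DCDIAG output by eye on three domain controllers. The following added example (not part of the original test plan) parses saved DCDIAG output and reports every test that failed or never ran. It assumes DCDIAG's usual "<name> passed test <test>" / "<name> failed test <test>" summary lines; the sample output and the function names are constructed for illustration.

```python
import re

# One summary line per test, e.g. "......... MSS-CDC-01 passed test Connectivity"
RESULT_RE = re.compile(
    r"\.{3,}\s+(?P<target>\S+)\s+(?P<verdict>passed|failed)\s+test\s+(?P<test>\S+)"
)

# Constructed sample shaped like DCDIAG console output (not captured from a real DC).
SAMPLE = """\
Doing primary tests

   Testing server: Default-First-Site-Name\\MSS-CDC-01
      Starting test: Replications
         ......................... MSS-CDC-01 passed test Replications
      Starting test: frssysvol
         There are errors after the SYSVOL has been shared.
         ......................... MSS-CDC-01 failed test frssysvol
   Testing server: Default-First-Site-Name\\MSS-CDC-02
      Starting test: Replications
         ......................... MSS-CDC-02 passed test Replications
"""


def parse_results(text):
    """Return {(target, test): verdict}; names are normalised for comparison."""
    results = {}
    for m in RESULT_RE.finditer(text):
        key = (m["target"].upper(), m["test"].lower())
        # A failure is sticky: a later "passed" line must not hide it.
        if results.get(key) != "failed":
            results[key] = m["verdict"]
    return results


def evaluate(text, servers, required_tests):
    """Return a sorted list of (target, test, status) for everything that is not a pass.

    A required test with no result line is reported as "missing" instead of
    being assumed to have passed (e.g. DCDIAG was never run on that server).
    """
    results = parse_results(text)
    problems = [(tgt, tst, "failed") for (tgt, tst), v in results.items() if v == "failed"]
    for server in servers:
        for test in required_tests:
            if (server.upper(), test.lower()) not in results:
                problems.append((server.upper(), test.lower(), "missing"))
    return sorted(problems)


if __name__ == "__main__":
    dcs = ["MSS-CDC-01", "MSS-CDC-02", "MSS-RDC-01"]
    for target, test, status in evaluate(SAMPLE, dcs, ["Replications", "frssysvol"]):
        print(f"{target}: {test} {status}")
```
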
DNS Server - Core server functionality test

Test case 1
Condition to be tested: Verify DNS service health on the domain controller
Execution details:
1. Log on to the domain controllers (MSS-CDC-01, MSS-CDC-02, MSS-RDC-01)
2. Click on Start->Programs->Administrative Tools->Services
3. Verify that the DNS service has started.
Expected result: The DNS service should have started.

Test case 2
Condition to be tested: Verify that naming service works
Execution details:
1. Ensure you can ping the domain controller by name and IP address. If both work then DNS service is running properly.
2. Ensure that names can be resolved. For example, ping MSS-WEB-01.northamerica.corp.contoso.com
Expected result: ping should be able to detect the server with name as well as IP address.

Test case 3
Condition to be tested: Event Logs
Execution details:
1. Log on to the domain controllers (MSS-CDC-01, MSS-CDC-02, MSS-RDC-01)
2. Verify there are no error logs in the DNS section of event logs in the management console.
Expected result: There should not be any error logs.

Test case 4
Condition to be tested: Administrator can take system/data backup
Execution details: Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard".
Expected result: Follow the steps and you should be able to take backup.

DHCP Server - Core server functionality test

Test case 1
Condition to be tested: Verify DHCP service health
Execution details:
1. Log on to DHCP server (MSS-DHCP-01)
2. Click on Start->Programs->Administrative Tools->Services
3. Verify that the DHCP Server service is running.
4. Open MMC DHCP snap-in and check server statistics.
5. Also check the Address Leases to verify which addresses have been leased.
Expected result: DHCP service should be running. Server statistics should reveal the server start time and up time. Address Leased shows DHCP server is running.

Test case 2
Condition to be tested: Verify whether DHCP client can obtain an address
Execution details:
1. From a client machine, open command prompt
2. Type "ipconfig /all"
3. Verify that the client can obtain an IP address.
4. In the client machine's command prompt, type "ipconfig /release"
5. In the client machine's command prompt, type "ipconfig /flushdns"
6. Have a client machine obtain a DHCP address using "ipconfig /renew"
7. Verify that the client can get an IP address
Expected result: Client machine must obtain an IP address

Test case 3
Condition to be tested: Verify Event Logs
Execution details: Check the Event Logs (Application, Security, System) to check if there are any error conditions

Test case 4
Condition to be tested: Verify DHCP database consistency
Execution details:
1. Stop the DHCP Server service from the computer management console.
2. Run JETPACK.EXE from the %SYSTEMROOT%\SYSTEM32\DHCP directory.
Syntax:
    JETPACK dhcp.mdb tmp.mdb
3. Start DHCP server from computer management console.
Expected result: JETPACK should complete without any errors.

Test case 5
Condition to be tested: Administrator can take system/data backup
Execution details: Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard".
Expected result: Follow the steps and you should be able to take backup.

WINS Server - Core server functionality test

Test case 1
Condition to be tested: Verify WINS service health
Execution details:
1. Log on to WINS server (MSS-WINS-01)
2. Click on Start->Programs->Administrative Tools->Services
3. Verify that the WINS service is running.
4. Open MMC WINS snap-in and verify that server status is responding.
5. Also check the Active Registrations to verify that servers are registered with WINS.
6. Run NETDIAG.EXE on the command shell to check WINS service.
Syntax:
    NETDIAG /test:WINS
Expected result: WINS service should be running. Should be able to view all registrations for the WINS server. NETDIAG test should pass.

Test case 2
Condition to be tested: Verify WINS database consistency
Execution details:
1. Run JETPACK.EXE from the %SYSTEMROOT%\SYSTEM32\WINS directory.
Syntax:
    NET STOP WINS
    JETPACK WINS.MDB TMP.MDB
    NET START WINS
Expected result: Database consistency check should complete without any errors.

Test case 3
Condition to be tested: Verify that the Win 98/Win NT client can resolve names, renew names
Execution details:
1. Verify that Win 98/Win NT client name gets registered in the WINS server
2. Run name resolution query of any other server from Win 98/Win NT client machine and it succeeds
3. Shut down the client machine and verify the entries do not exist on the WINS server
4. Restart the client machine
5. Verify that the entries get renewed in the WINS server
Expected result: Win 98/Win NT client should be able to resolve names, renew names and register itself with WINS server

Test case 4
Condition to be tested: WINS Event Logs
Execution details: Verify there are no error logs in the WINS section of event logs in the management console.
Expected result: There should not be any error logs.

Test case 5
Condition to be tested: Administrator can take system/data backup
Execution details: Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard".
Expected result: Follow the steps and you should be able to take backup.

File and Print Server - Core server functionality test

Test case 1
Condition to be tested: Verify ability to modify NTFS ACL for domain users on file share
Execution details:
1. Log on to the file server (MSS-FILE-01)
2. Right-click on the folder (whose ACL has to be modified) within the file share folder, click Properties, and then click the Security tab.
3. Add a domain user and give him/her appropriate rights.
4. Select the user, click Advanced button, and then click View/Edit.
5. Change permissions and apply.
Expected result: The Administrator should be able to modify the ACL.

Test case 2
Condition to be tested: Verify file share creation
Execution details:
1. Log on to the file server (MSS-FILE-01)
2. Locate the share folder (D:\public).
3. Verify permissions on the share folder and subfolders.
Expected result: Share folder should be present and ACL created.

Test case 3
Condition to be tested: Verify publishing new share in active directory
Execution details:
1. Log on to the file server (MSS-FILE-01)
2. Locate the share (D:\public) and create a new subfolder inside this share. Grant appropriate access to domain users on the new share.
3. Log on to the domain controller (MSS-CDC-01)
4. Open Start->Programs->Administrative Tools->Active Directory Users and Computers
5. Right click on domain name, click on New->Shared Folder.
6. Verify that you are able to add a new share in the active directory.
7. Log on to a client machine. Go to Network places and locate your shared folder.
Expected result: The new share should get published in the Active Directory. You should be able to explore it through a client machine.

Test case 4
Condition to be tested: Verify Event Logs
Execution details:
1. Log on to the file server (MSS-FILE-01)
2. Verify there are no file share related errors in the event logs in the management console.
Expected result: There should not be any error logs.

Test case 5
Condition to be tested: Administrator can take system/data backup
Execution details: Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard".
Expected result: Follow the steps and you should be able to take backup.

File and Print Server - Core server functionality test

Test case 1
Condition to be tested: Add a new printer
Execution details:
1. Log on to the printer server (MSS-PRN-01)
2. Go to Start->Settings->Printers
3. Click on Add Printer Wizard and follow the steps till the end. Create a new port to use with the printer.
4. Print a test page.
Expected result: Should be able to add a printer. Should be able to see the test page in the printer queue.

Test case 2
Condition to be tested: Publish new printer in active directory
Execution details:
1. Log on to the domain controller (MSS-CDC-01)
2. Open Start->Programs->Administrative Tools->Active Directory Users and Computers
3. Right click on domain name->All Tasks->Find
4. Select Printers in the drop down list.
5. Type the printer name you want to find and click Find Now
Expected result: The printer should be listed in the results section.

Test case 3
Condition to be tested: Verify print spooler service health
Execution details:
1. Log on to the printer server (MSS-PRN-01)
2. Go to Start->Programs->Administrative Tools->Services
3. Verify that Print Spooler is running.
4. Verify that it can be stopped and restarted without any errors.
Expected result: The Print Spool service should be running.

Test case 4
Condition to be tested: Verify Event Logs
Execution details:
1. Log on to the printer server (MSS-PRN-01)
2. Verify there are no Print related errors in the event logs in the management console.
Expected result: There should not be any error logs.

Test case 5
Condition to be tested: Administrator can take system/data backup
Execution details: Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard".
Expected result: Follow the steps and you should be able to take backup.

Web Server IIS - Core server functionality test

Test case 1
Condition to be tested: Verify that Server is running.
Execution details:
1. Log on to the Web Server (MSS-WEB-01)
2. Go to Start->Programs->Administrative Tools->Services
3. Verify that IIS Admin service and World Wide Web Publishing services are running.
4. Go to Task manager console.
5. On the Processes tab, verify that the Inetinfo.exe program is listed in the Image Name column.
Expected result: The services should be running and Inetinfo.exe should be present in the list of processes.

Test case 2
Condition to be tested: Verify that server is running after Restart.
Execution details:
1. Log on to the Web Server (MSS-WEB-01)
2. Go to Start->Programs->Administrative Tools->IIS Management.
3. Right-click the Web server name and then click Restart IIS to restart the IIS services.
Expected result: The Inetinfo.exe application is running. Also check that in services the Start Up type is Automatic.

Test case 3
Condition to be tested: Verify the Authentication and Encryption Levels on the Web Server
Execution details:
1. Log on to the Web Server (MSS-WEB-01)
2. Go to Start->Programs->Administrative Tools->IIS Management.
3. Right-click on the Web site and then click Properties.
4. On the Directory Security tab, under anonymous access and authentication control, click Edit.
5. Verify that the correct authentication and encryption settings are set at the server. (Windows authentication or anonymous authentication etc.)
Expected result: User can access the content of the Web.

Test case 4
Condition to be tested: Verify IP address and domain name in IIS Management
Execution details:
1. Log on to the Web Server (MSS-WEB-01).
2. Go to Start->Programs->Administrative Tools->IIS Management.
3. Right-click on a website and then click Properties.
4. On the Directory Services tab, under IP Address and Domain Name Restrictions, click Edit.
5. Verify that the IP address and Domain name Restrictions are not set to Deny.
Expected result: The IP address and Domain Name Restrictions should not be set to Deny.

Test case 5
Condition to be tested: Verify all necessary files are present in Root folder.
Execution details:
1. Open Windows Explorer.
2. Go to the \Inetpub\wwwroot\ folder.
3. See that it includes all the necessary .html files for the Web site. (e.g. File: postinfo.html)
Expected result: Root folder and all files should be present.

Test case 6
Condition to be tested: Administrator can take system/data backup
Execution details: Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard".
Expected result: Follow the steps and you should be able to take backup.

Bastion Host - Functionality test

Test case 1
Condition to be tested: Verify that the IAS Service is running
Execution details: Open services.msc and look for Internet Authentication Service
Expected result: The service should be set to Automatic and should be started

Test case 2
Condition to be tested: Grant Remote Access permission
Execution details: On the IAS console, add a radius client name with Friendly name as MSS, Address as the name of the machine on which you run the radius client and provide the shared secret. Set the client-vendor attribute to "RADIUS-Standard". In the remote access policy section of the IAS console add a new remote access policy. Choose access method as Ethernet. Make access criteria as "user". Choose the MD-5 Challenge type for the EAP policy. After you finish creating this policy, edit it and choose the "Grant remote access permission" option. Now start the radius client and send an authentication request. For information on settings required on the RADIUS Client, refer to the job aid for interoperability test cases.
Expected result: From the cmd, run the command: iasparse -f:IN0304.log > ias.txt. Open ias.txt and verify that the Packet-Type for the last transaction logged in the file IN0304.log is "Access-reject" and that the Reason-Code provided is "The connection attempt did not match any connection request policy"

Test case 3
Condition to be tested: Deny Remote Access permission
Execution details: On the IAS console, add a radius client name with Friendly name as MSS, Address as the name of the machine on which you run the radius client and provide the shared secret. Set the client-vendor attribute to "RADIUS-Standard". In the remote access policy section of the IAS console add a new remote access policy. Choose access method as Ethernet. Make access criteria as "user". Choose the MD-5 Challenge type for the EAP policy. After you finish creating this policy, edit it and choose the "Deny remote access permission" option. Now start the radius client and send an authentication request. For information on settings required on the RADIUS Client, refer to the job aid for interoperability test cases.
Expected result: From the cmd, run the command: iasparse -f:IN0304.log > ias.txt. Open ias.txt and verify that the Packet-Type for the last transaction logged in the file IN0304.log is "Access-Accept" and that the Reason-Code provided is "The operation completed successfully"

Test case 4
Condition to be tested: No errors in eventlog
Execution details: Open the Eventvwr console and look for warnings and errors
Expected result: There should be no warnings and errors in the system log. You will see information items for every instance of a RADIUS authentication request succeeding and warning messages for every failed authentication attempt.

Test case 5
Condition to be tested: Administrator can take system/data backup
Execution details: Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard".
Expected result: Follow the steps and you should be able to take backup.

WINS Server - Core server functionality test

Test case 1
Condition to be tested: Verify that the CA certificate is valid.
Execution details:
1. Go to Run. Type MMC. Open the Certificate snap-in.
2. Open the Certificate. On General Tab.
3. Check for the Validity date and issued to/issued by. Also verify certificate path -> certificate chain is valid.
Expected result: Validity dates, issued to/issued by. Also verify certificate path -> certificate chain is valid.

Test case 2
Condition to be tested: Verify that the certificate chain can be built
Execution details:
1. On the command prompt, type certutil -verify <Windows/system32/certsrv/certenroll/<cert.cer> or
2. Open the certificate -> Certificate Authority tab -> Check for the chain.
Expected result: Verify the output. It should be "Leaf certificate revocation check passed" and the value of dwErrorStatus variable in the output is zero.

Test case 3
Condition to be tested: Verify that the right CRL distribution point has been added to the CA certificate.
Execution details:
1. Open the Certificate and go to Details tab.
2. Scroll down to CRL Distribution Point.
3. Verify that the correct CRL Distribution Point name is given. For this check for the correct http and ldap location
Expected result: CRL Distribution Point is correct.

Test case 4
Condition to be tested: Certificate Verification: Client is able to verify a certificate validity manually.
Execution details:
1. Go to Run. Type MMC.
2. From the Certificate snap-in, open the Certificate manually through CA MMC and check for the fields.
Expected result: General tab should show "Certificate is ok" and it should be in the correct validity period.

Test case 5
Condition to be tested: Force publishing of CRL from issuing CA.
Execution details:
1. Log on to 2-MSS-CA-01 as CA Administrator.
2. Open CA MMC. Go to Revoke Certificates folders -> Action -> Publish.
3. Select New CRL.
Expected result: Revoked Certificates folder -> Properties -> View CRLs tab should have the new CRL. Check for date and time.

Test case 6
Condition to be tested: Certificate Management: Client receives root CA certificate automatically.
Execution details:
1. Open the Certificate MMC for the current user.
2. Go to Certificates -> Trusted Certificate Authorities and check for the Root CA certificate in this folder.
Expected result: Root CA certificate should be present in the list of Trusted CA Authorities.

Test case 7
Condition to be tested: Auto Enrollment: An Administrator is able to force a certificate reenrollment for all clients.
Execution details:
1. Go to Run. Type MMC. Open the certificate Template snap-in.
2. Change the parameter Validity Period, Requires manual Approval in the properties tab.
3. Right click user template and click reenroll all certificate holders.
Expected result: Verify that the certificates enrolling happens as per the new template for any user.

Test case 8
Condition to be tested: Administrator can take system/data backup
Execution details: Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard".
Expected result: Follow the steps and you should be able to take backup.

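
The pass criteria of test case 2 in the certificate table above (the "Leaf certificate revocation check passed" line and a zero dwErrorStatus) can be checked mechanically on saved certutil -verify output. This is an added example, not part of the original test plan. The two sample outputs are constructed, the function name is hypothetical, and the status values are assumed to be printed in hexadecimal either as dwErrorStatus=0 or as a symbolic name followed by (0x...).

```python
import re

PASS_LINE = "Leaf certificate revocation check passed"

# Matches "dwErrorStatus=0" as well as "dwErrorStatus = SOME_NAME (0x1)".
STATUS_RE = re.compile(
    r"dwErrorStatus\s*=\s*(?:[A-Z_]+\s*\(0x([0-9A-Fa-f]+)\)|(?:0x)?([0-9A-Fa-f]+)\b)"
)

# Constructed samples shaped like certutil -verify output (not real captures).
GOOD_OUTPUT = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
"""

BAD_OUTPUT = """\
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
"""


def check_verify_output(text):
    """Return a list of reasons the output fails the test case; empty means pass."""
    problems = []
    statuses = [int(a or b, 16) for a, b in STATUS_RE.findall(text)]
    if not statuses:
        # No status at all (empty file, wrong command) must not count as a pass.
        problems.append("no dwErrorStatus value found")
    elif any(statuses):
        bad = ", ".join(hex(s) for s in statuses if s)
        problems.append("non-zero dwErrorStatus: " + bad)
    if PASS_LINE not in text:
        problems.append("revocation pass line missing")
    return problems


if __name__ == "__main__":
    for name, out in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        print(name, check_verify_output(out) or "PASS")
```
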
Bastion Host - Functionality test

Test case 1
Condition to be tested: Bastion Host can access the internet
Execution details: Open a web browser and try to access http://msn.com
Expected result: Access successful

Test case 2
Condition to be tested: Bastion host can access FTP sites
Execution details: Open a web browser and try to access ftp://ftp.microsoft.com
Expected result: Access successful

Test case 3
Condition to be tested: Check that all the necessary services are started
Execution details: Verify that all the services which have been set to automatic in the security template are started.
Expected result: All services are running

Test case 4
Condition to be tested: IIS Functionality
Execution details: Add the IIS windows component. Start the IIS Manager. Open a browser and see if you can access default content (default.html) located in c:\inetpub\wwwroot\.
Expected result: The IIS Admin Service is started and one can view local content.

Test case 5
Condition to be tested: FTP Functionality
Execution details: Enable the windows component for FTP and verify that the FTP site configuration menu has been generated in IIS Manager. Further check that the FTP publishing service has been started. Also verify that the "Users" only have read and list folder contents permission on the FTP site. Run interoperability test cases in conjunction with this test case to verify that the FTP service is functioning correctly
Expected result: The FTP Publishing service is running

Test case 6
Condition to be tested: SMTP Functionality
Execution details: Add the Email Services windows component and verify that you can administer SMTP through the IIS manager under the menu for "Default SMTP Virtual Server". Verify that the SMTP service is running. Use interoperability test cases to confirm that the bastion host acts as an SMTP relay agent.
Expected result: The SMTP service is running

Test case 7
Condition to be tested: Event Logs
Execution details: Verify that there are no error logs in the Eventvwr
Expected result: There are no errors and warnings except those documented in Ch 11 of the Security Guide. These errors and warnings are expected because of server hardening

Test case 8
Condition to be tested: Processes in Task Manager
Execution details: Open the task manager and verify that the following processes are running:
    smss.exe
    csrss.exe
    winlogon.exe
    services.exe
    lsass.exe
    explorer.exe
Expected result: The listed processes are all running

Test case 9
Condition to be tested: Windows Registry is accessible by Local Administrator
Execution details: Log on to the Bastion Host as local administrator. Open the windows registry using regedt32 or any other registry editor.
Expected result: The registry can be accessed.

Test case 10
Condition to be tested: Administrator can take system/data backup
Execution details: Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard".
Expected result: Follow the steps and you should be able to take backup.
