Appendices
Appendix A: Set UAC Behavior of the Elevation Prompt for Administrators
This appendix describes how to change the default User Account Control (UAC) behavior in Windows Server 2008 R2 and Windows 7.
By default, UAC is enabled in Windows Server 2008 R2 and Windows 7. UAC prompts for permission to continue during several of the configuration tasks described in this guide. In all cases, you can click Continue in the UAC dialog box to grant this permission, or you can use the following procedure to change the UAC behavior of the elevation prompt for administrators.
To set UAC behavior of the elevation prompt for administrators
1. Click Start, point to All Programs, click Accessories, and then click Run.
2. Type secpol.msc, and then press ENTER.
3. In the console tree, open Local Policies, and then click Security Options.
4. In the contents pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.
5. Click Elevate without prompting in the list, and then click OK.
6. Close the Local Security Policy window.
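The secpol.msc setting above writes the ConsentPromptBehaviorAdmin registry value under the local UAC policy key. The following PowerShell script is an added example, not part of this Test Lab Guide: it reports the current elevation-prompt behavior on a lab computer, flags the lab-only "Elevate without prompting" value, and provides a function to restore the Windows 7 / Windows Server 2008 R2 default (value 5) when the lab work is finished. The registry path and the value-to-behavior mapping are the documented ones; the function names are this example's own.

```powershell
# Added example (not from the Test Lab Guide): audit and set the UAC elevation-prompt
# behavior for administrators via the registry value that the secpol.msc setting writes.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin; 5 is the Windows 7 / Server 2008 R2 default.
$PromptBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-ElevationPromptBehavior {
    # Read both the prompt behavior and whether UAC itself is on (EnableLUA).
    $props = Get-ItemProperty -Path $UacKey
    $value = [int]$props.ConsentPromptBehaviorAdmin
    New-Object PSObject -Property @{
        Value       = $value
        Behavior    = $PromptBehavior[$value]
        UacEnabled  = ([int]$props.EnableLUA -eq 1)
        # The lab procedure sets 0, which removes the consent step from every elevation.
        LabWeakened = ($value -eq 0)
    }
}

function Set-ElevationPromptBehavior {
    param([ValidateRange(0,5)][int]$Value)
    # Requires an elevated PowerShell session. Unlike EnableLUA, this value applies to
    # subsequent elevation requests without a reboot.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value $Value -Type DWord
}

# Report the current state.
Get-ElevationPromptBehavior | Format-List Value, Behavior, UacEnabled, LabWeakened

# Restore the default once the guide's configuration tasks are complete:
# Set-ElevationPromptBehavior -Value 5
```

Run Get-ElevationPromptBehavior on each lab computer to confirm which ones still carry the lab-only value 0 before the lab is reused for other TLGs.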
Appendix B: Resulting Configuration
This appendix describes the results of configuring the Base Configuration test lab in terms of the following:
- Computers
- Active Directory and DNS infrastructure
- Web infrastructure
- PKI
Computers
The Base Configuration test lab contains the following computers:
- DC1
- APP1
- EDGE1
- INET1
- CLIENT1
DC1
| Setting | Value |
|---|---|
| Operating system | Windows Server 2008 R2 Enterprise |
| Domain membership | Member of the corp.contoso.com domain |
| TCP/IP configuration on the Corpnet subnet network adapter | IP address: 10.0.0.1; Subnet mask: 255.255.255.0; No default gateway; Connection-specific DNS suffix: corp.contoso.com |
| Roles | |
| Installed certificates | Computer certificate: dc1.corp.contoso.com |
APP1
| Setting | Value |
|---|---|
| Operating system | Windows Server 2008 R2 Enterprise |
| Domain membership | Member of the corp.contoso.com domain |
| TCP/IP configuration on the Corpnet subnet network adapter | IP address: 10.0.0.3; Subnet mask: 255.255.255.0; DNS server: 10.0.0.1; No default gateway; Connection-specific DNS suffix: corp.contoso.com |
| Roles | |
| Installed certificates | Computer certificate: app1.corp.contoso.com |
EDGE1
| Setting | Value |
|---|---|
| Operating system | Windows Server 2008 R2 Enterprise |
| Domain membership | Member of the corp.contoso.com domain |
| TCP/IP configuration on the Corpnet subnet network adapter | IP address: 10.0.0.2; Subnet mask: 255.255.255.0; DNS server: 10.0.0.1; No default gateway; Connection-specific DNS suffix: corp.contoso.com |
| TCP/IP configuration on the Internet subnet network adapter | IP addresses: 131.107.0.2 and 131.107.0.3; Subnet mask: 255.255.255.0; No default gateway; Connection-specific DNS suffix: isp.example.com |
| Installed certificates | Computer certificate: edge1.corp.contoso.com |
Note that EDGE1 is not configured to provide Internet connectivity for hosts on the Corpnet subnet, or intranet connectivity for CLIENT1 when CLIENT1 is connected to the Internet subnet. Subsequent modular TLGs can provide this functionality.
CLIENT1
| Setting | Value |
|---|---|
| Operating system | Windows 7 Enterprise or Ultimate |
| Domain membership | Member of the corp.contoso.com domain |
| TCP/IP configuration on the network adapter | Automatic (DHCP client) |
| Installed certificates | Computer certificate: client1.corp.contoso.com |
INET1
| Setting | Value |
|---|---|
| Operating system | Windows Server 2008 R2 Enterprise |
| Domain membership | None (standalone) |
| TCP/IP configuration on the Internet subnet network adapter | IP address: 131.107.0.1; Subnet mask: 255.255.255.0; No default gateway; Connection-specific DNS suffix: isp.example.com |
| Roles | |
| Installed certificates | None |
Active Directory and DNS infrastructure
The Active Directory infrastructure consists of a single domain in a single forest, corp.contoso.com, and a single domain controller, DC1.
The DNS infrastructure consists of two separate DNS servers:
- DC1 is the corp.contoso.com intranet DNS server, which supports DNS dynamic updates.
- INET1 is an Internet DNS server, which does not support DNS dynamic updates.
The example Contoso Corporation uses a split-DNS configuration: contoso.com on the Internet and corp.contoso.com on the intranet.
DC1 has the following manually created Host (A) records:
- crl.corp.contoso.com with the IP address 10.0.0.3. Resolves the URL of the CRL distribution point to APP1.
INET1 has the following manually created Host (A) records:
- inet1.isp.example.com with the IP address 131.107.0.1. Resolves the inet1.isp.example.com name to INET1's address.
- edge1.contoso.com with the IP address 131.107.0.2. Resolves the Internet name of EDGE1 to its Internet address.
- www.msftncsi.com with the IP address 131.107.0.1. Resolves the www.msftncsi.com name to INET1's address for Internet detection.
- dns.msftncsi.com with the IP address 131.107.255.255. Resolves the dns.msftncsi.com name to the expected address for Internet detection.
Web infrastructure
On the Corpnet subnet, APP1 is a Web server with the IIS server role and supports unprotected (http://app1.corp.contoso.com) and protected (https://app1.corp.contoso.com) Web pages. The SSL binding is configured for the auto-enrolled computer certificate with the subject name app1.corp.contoso.com.
On the Internet subnet, INET1 is a Web server with the IIS server role and supports unprotected Web pages (http://inet1.isp.example.com). To provide support for Network Connectivity Status Indicator (NCSI) Internet detection, INET1 is also known as www.msftncsi.com and hosts the Ncsi.txt file in the WWWRoot folder.
PKI
The PKI in the base configuration test lab consists of the following:
- DC1 acting as an Enterprise Root CA for the corp.contoso.com domain.
- The default Group Policy object configured for computer certificate autoenrollment.
- All of the domain member computers (DC1, APP1, EDGE1, CLIENT1) have a computer certificate installed, with the Subject field set to the FQDN of the computer and with the Server Authentication and Client Authentication OIDs.
- AD CS on DC1 is configured to store the CRL files on the \\app1\crldist$ share, which corresponds to the CRLD virtual web site on APP1.
- Certificates issued by DC1 are configured with the additional CRL distribution point of https://crl.corp.contoso.com/crld/corp-DC1-CA.crl.
When performing certificate revocation checking on the Corpnet subnet, a computer attempts to access the path https://crl.corp.contoso.com/crld/corp-DC1-CA.crl. The manually configured Host (A) record on DC1 resolves crl.corp.contoso.com to 10.0.0.3, the IP address of APP1.
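The DNS, Web and PKI sections above each describe a resolution or retrieval that must succeed for the Base Configuration to be usable by later TLGs. The following PowerShell script is an added verification example, not part of this Test Lab Guide: it encodes the Host (A) records and addresses listed in this appendix as expected values, resolves them from the computer it runs on, fetches the CRL from the distribution point the guide names, and performs the two NCSI checks that Windows performs (the www.msftncsi.com/ncsi.txt probe body is "Microsoft NCSI", and dns.msftncsi.com must resolve to 131.107.255.255). The dc1, app1 and edge1 corp.contoso.com entries are assumed to be present through dynamic registration rather than listed by the guide, and the function names are this example's own.

```powershell
# Added example (not from the Test Lab Guide): verify the resulting lab configuration.
# Expected values are taken from Appendix B; the domain member names marked "assumed"
# are expected through DNS dynamic update, which the guide says DC1 supports.

# Corpnet view (DC1 is the DNS server).
$ExpectedCorpnet = @{
    'dc1.corp.contoso.com'   = '10.0.0.1'   # assumed: registered dynamically by DC1
    'edge1.corp.contoso.com' = '10.0.0.2'   # assumed: registered dynamically by EDGE1
    'app1.corp.contoso.com'  = '10.0.0.3'   # assumed: registered dynamically by APP1
    'crl.corp.contoso.com'   = '10.0.0.3'   # manual record on DC1, points at APP1
}
# Internet view (INET1 is the DNS server); all four are manual records on INET1.
$ExpectedInternet = @{
    'inet1.isp.example.com' = '131.107.0.1'
    'edge1.contoso.com'     = '131.107.0.2'
    'www.msftncsi.com'      = '131.107.0.1'
    'dns.msftncsi.com'      = '131.107.255.255'
}

function Test-ExpectedNames {
    # Resolve each name with the stub resolver of this computer and compare to the table.
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        try {
            $actual = [System.Net.Dns]::GetHostAddresses($name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString }
        } catch {
            $actual = @()   # NXDOMAIN or no DNS server reachable
        }
        New-Object PSObject -Property @{
            Name     = $name
            Expected = $Expected[$name]
            Actual   = ($actual -join ',')
            OK       = ($actual -contains $Expected[$name])
        }
    }
}

function Test-CrlDistributionPoint {
    # Download the CRL the guide's certificates point at and show its validity window.
    param([string]$Url = 'https://crl.corp.contoso.com/crld/corp-DC1-CA.crl')
    $wc = New-Object System.Net.WebClient
    $bytes = $wc.DownloadData($Url)
    # A DER-encoded CRL starts with an ASN.1 SEQUENCE tag (0x30).
    $looksDer = ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30)
    $tmp = Join-Path $env:TEMP 'lab-check.crl'
    [System.IO.File]::WriteAllBytes($tmp, $bytes)
    # certutil -dump prints the issuer, ThisUpdate/NextUpdate and the revoked serials.
    $dump = & certutil.exe -dump $tmp 2>&1
    New-Object PSObject -Property @{
        Url        = $Url
        Bytes      = $bytes.Length
        DerHeader  = $looksDer
        NextUpdate = ($dump | Select-String 'NextUpdate' | ForEach-Object { $_.Line.Trim() })
    }
}

function Test-Ncsi {
    # The two checks Windows NCSI performs against the records INET1 hosts.
    $wc = New-Object System.Net.WebClient
    $body = $wc.DownloadString('http://www.msftncsi.com/ncsi.txt')
    $dns = [System.Net.Dns]::GetHostAddresses('dns.msftncsi.com') |
        ForEach-Object { $_.IPAddressToString }
    New-Object PSObject -Property @{
        ProbeBodyOK = ($body.Trim() -eq 'Microsoft NCSI')
        DnsOK       = ($dns -contains '131.107.255.255')
    }
}

# From CLIENT1 on the Corpnet subnet:
Test-ExpectedNames $ExpectedCorpnet | Format-Table Name, Expected, Actual, OK -AutoSize
Test-CrlDistributionPoint | Format-List

# From CLIENT1 while connected to the Internet subnet:
# Test-ExpectedNames $ExpectedInternet | Format-Table Name, Expected, Actual, OK -AutoSize
# Test-Ncsi | Format-List
```

Test-CrlDistributionPoint fetches the CRL directly; to exercise the retrieval path the operating system itself uses, including its CRL cache, run `certutil -verify -urlfetch` against a certificate exported from one of the domain members and compare the result with what this script reports.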