The NAP (Network Access Protection) DHCP (Dynamic Host Configuration Protocol) demonstration lab instructions provided by Microsoft (“Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab”) are a great way to ramp up on NAP and to see the technology in action. However, the lab has two shortcomings:
- It requires three separate machines, rather than just two.
- It doesn’t talk about using virtual machines, which is the most common configuration customers want to try.
Having experimented at great length, I can now share the following addendum to the lab instructions. These steps will let you set up a two-VM NAP DHCP demo (one virtual Vista client and one virtual Windows Server 2008, RC1 or RTM when it’s available). My test environment is the latest (free) version of VMware Server running on Windows Server 2003, but I would guess that any recent VMware SKU on any supported host OS will work.
I have also seen the same configuration work on Microsoft Virtual Server, but I won’t vouch that these specific steps will get you there.
I recommend reviewing both the following steps and the full lab instructions before getting started. Seriously – doing so will save you a lot of time. The lab steps aren’t as complicated as they first appear, because the text is very specific. But if you miss a single one, the demo just won’t work.
By the way, why do people prefer the DHCP lab over the other scenarios (IPsec, VPN, 802.1X) as a first attempt? Because, as long as you can create a test environment (such as the one I describe below) in which you won’t interfere with some other deployed DHCP service, it’s the simplest configuration. The others require additional server roles, such as Certificate Services, and are tougher to get working with just two VMs.
- Create a new VM with a custom (previously unused) virtual Ethernet device, for example VMnet2.
- Set up Windows Server 2008 (WS08). Note that I configure 2 GB of RAM apiece for the Vista and WS08 VMs, so your host needs at least 5 GB of RAM for smooth operation of this demo. You can do it with less, especially if you have multiple fast hard disks to run in parallel, but it can be frustratingly slow.
- Once server installation is complete, configure its single NIC with static IP 192.168.0.1 (subnet mask 255.255.255.255, gateway 192.168.0.1, DNS server 127.0.0.1). This resembles instructions in the lab.
- Using the new WS08 administrative configuration screen, add the DHCP Server role, then configure and enable the DHCP service. Refer to the lab instructions for this, but don’t do the NAP portions yet; specifically, don’t configure DHCP to require NAP yet (but don’t forget to do so later!).
- Create a new VM attached to the same virtual Ethernet device as above, so that you have two guest machines on one private network on a single host.
- Set up Vista. When complete, ensure that it’s configured for DHCP and that it gets an IP lease from the WS08 DHCP server, using the first free address. If this part doesn’t work, the rest of the lab won’t either, so troubleshoot network connectivity now and/or ask for help. Note, however, that this private network has no internet access, which can make debugging painful; if you get stuck here, you’ll probably have to experiment with different virtual network settings.
- Now go back to the server VM and add the Active Directory role, then run dcpromo.exe. Per the lab instructions, create a new domain in a new forest: contoso.com. You may get a warning that a network interface is not bound to a static IP; as long as you re-confirm that this is not actually the case, I found it safe to ignore. Reboot, etc.
- Join the client VM to the new domain. Upon reboot, re-confirm that the client still has its IP lease and can see the server. If so, you’re ready to complete the rest of the steps in the lab: add the NAP role to the server, configure it, enable NAP in the DHCP service, enable NAP on the client, and test that the built-in Windows Security Health Agent and Validator (SHA/SHV) can auto-remediate the client firewall.
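As an added example (my own addition here, not part of the original post or of Microsoft’s lab), the batch file below checks the client-side conditions the steps above call out: the lease came from the lab server, the server is reachable, the domain join took, and the NAP Agent and DHCP enforcement client are in place. It assumes the lab’s server address 192.168.0.1 and domain contoso.com; the service name napagent and the netsh nap context are standard on Vista, and everything else is plain ipconfig/ping/findstr.

```batch
@echo off
rem nap-client-check.cmd -- added example, not part of the original post.
rem Run in an elevated command prompt on the Vista client VM at each checkpoint
rem (after the first lease, after the domain join, and after enabling NAP).
setlocal
set SERVER=192.168.0.1
set DOMAIN=contoso.com

echo === 1. Lease: DHCP must be enabled, and gateway and DHCP server should both be %SERVER% ===
ipconfig /all | findstr /c:"DHCP Enabled" /c:"IPv4 Address" /c:"Default Gateway" /c:"DHCP Server"

echo === 2. Reachability: the rest of the lab depends on this ===
rem "TTL=" only appears in a real reply, so this is more reliable than ping's exit code.
ping -n 2 %SERVER% | find "TTL=" >nul
if errorlevel 1 (
    echo Server %SERVER% NOT reachable - fix the virtual network before continuing.
    exit /b 1
)
echo Server %SERVER% reachable.

echo === 3. Domain membership (expect %DOMAIN% after the join and reboot) ===
systeminfo | findstr /b /c:"Domain"

echo === 4. NAP Agent service: enforcement does nothing unless it is RUNNING ===
sc query napagent | findstr /c:"STATE"

echo === 5. Enforcement clients: the DHCP Quarantine Enforcement Client must be enabled ===
netsh nap client show configuration
netsh nap client show state
endlocal
```

If step 5 shows the DHCP Quarantine Enforcement Client disabled, the lab enables it through the NAP Client Configuration console (napclcfg.msc); the equivalent from the same prompt is netsh nap client set enforcement id=79617 admin=enable followed by net start napagent (79617 is the DHCP enforcement client’s documented ID).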
After you’ve completed the remediation demo in the lab, you’ll probably want to pursue whatever broader agenda led you to experiment with NAP in the first place (for example, trying out my MSDN sample NAP plug-in ;). In any case, the lack of internet access from those VMs is likely to be an obstacle.
The following solution assumes that the VM host has full internet connectivity.
- Shut down the server VM.
- Add a second VMware Ethernet device to it, using whatever full-connectivity option has worked for you before (typically “Bridged”).
- Boot the server and ensure that both NICs behave as expected: DHCP is still serving the private one, and the new bridged one has obtained an IP lease from the same DHCP server that serves the host machine.
- Verify that you can reach the internet.
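As an added example (again mine, not from the original post), here is a companion batch file for the server VM after the second NIC is in place. It assumes the private adapter is still static at 192.168.0.1 and uses www.microsoft.com purely as a well-known name to test resolution and reachability; substitute any host you like.

```batch
@echo off
rem nap-server-nics.cmd -- added example, not part of the original post.
rem Run in an elevated command prompt on the WS08 server VM after adding the bridged NIC.
setlocal
set PRIVATE=192.168.0.1

echo === 1. Two adapters: one static at %PRIVATE%, one leased from the host's network DHCP ===
ipconfig /all | findstr /c:"adapter" /c:"DHCP Enabled" /c:"IPv4 Address" /c:"Default Gateway" /c:"DHCP Server"

echo === 2. Default routes: the bridged adapter's gateway should carry the lowest metric ===
route -4 print | findstr /c:"0.0.0.0"

echo === 3. The lab scope is still defined (and must only be offered on the private adapter) ===
netsh dhcp server show scope

echo === 4. Name resolution via the local DNS server, then reachability ===
nslookup www.microsoft.com 127.0.0.1 | findstr /i /c:"Address"
ping -n 2 www.microsoft.com | find "TTL=" >nul
if errorlevel 1 (
    echo Internet NOT reachable from the server VM.
    exit /b 1
)
echo Internet reachable from the server VM.
endlocal
```

Step 3 deserves a manual follow-up: with two NICs, the DHCP role will happily answer requests on the bridged network too, which is exactly the interference with a deployed DHCP service warned about above. In the DHCP console, open the IPv4 node’s Properties, Advanced tab, Bindings, and make sure only the private adapter is checked. Step 4 also depends on the server’s own DNS (installed by dcpromo) being able to use root hints or a forwarder through the bridged adapter; if the nslookup line fails while the ping of a bare IP succeeds, that is where to look.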