| Domain Contoller - Core server functionality test | ||||||
| Test case No. | Condition to be tested | Execution Details | Expected Result | Tools Required | Comments | |
| 1 | Verify domain controller health | 1. Logon to the domain controllers(MSS-CDC-01,MSS-CDC-02, MSS-RDC-01) 2. From command shell run DCDIAG.EXE |
DCDIAG executes a series of tests. All tests should pass. | DCDIAG.EXE | ||
| 2 | Verify domain controllers can be detected by clients | 1. Logon to any client machine 2. Open a command prompt 3. Specify the command "ipconfig /flushdns" 4. Verify that the client can access the DCs namely MSS-CDC-01, MSS-CDC-02, MSS-RDC-01 (Use ping and nslookup) |
Ping and nslookup should be able to detect the host. | |||
| 3 | Verify inter site and intra site Active Directory replication | 1. Logon to the domain controllers(MSS-CDC-01,MSS-CDC-02, MSS-RDC-01) 2. From command shell, run repadmin /showreps 3. From command shell, run repadmin /showconn 4. Run replmon on the command shell. Add a domain controller to be monitored and check status. |
This verifies correct inbound and outbound links and all inbound connections. All links should be detected successfully. | |||
| 4 | Verify FRS works in intrasite as well as intersite file replication | DCDIAG runs the test for frs replication also. Syntax: DCDIAG /test:frssysvol |
Verify that the test passes. | |||
| 5 | Verify Event Logs | Verify there are no error logs in the directory section of event logs in the management console. | There should not be any error logs. | |||
| 6 | Administrator can take system/data backup | Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard". | Follow the steps and you should be able to take backup. |
| DNS Server - Core server functionality test | |||||
| Test case No. | Condition to be tested | Execution Details | Expected Result | Tools Required | Comments |
| 1 | Verify DNS service health on the domain controller | 1. Logon to the domain controllers(MSS-CDC-01,MSS-CDC-02, MSS-RDC-01) 2. Click on Start->Programs->Administrative Tools-> Services 3. Verify that the DNS service has started. |
The DNS service should have started. | ||
| 2 | Verify that naming service works | 1. Ensure you can ping the domain controller by name and ip address. If both work then DNS service is running properly. 2. Ensure that names can be resolved. For example, ping MSS-WEB-01.northamerica.corp.contoso.com |
ping should be able to detect the server with name as well as ip address. | ||
| 3 | Event Logs | 1. Logon to the domain controllers(MSS-CDC-01,MSS-CDC-02, MSS-RDC-01) 2. Verify there are no error logs in the dns section of event logs in the management console. |
There should not be any error logs. | ||
| 4 | Administrator can take system/data backup | Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard". | Follow the steps and you should be able to take backup. |
| DHCP Server - Core server functionality test | |||||
| Test case No. | Condition to be tested | Execution Details | Expected Result | Tools Required | Comments |
| 1 | Verify DHCP service health | 1.Logon to DHCP server(MSS-DHCP-01) 2. Click on Start->Programs->Administrative Tools-> Services 3. Verify that the DHCP Server service is running. 4. Open MMC DHCP snap in and check server statistics. 5. Also check the Address Leases to verify which addresses have been leased. |
DHCP service should be running. Server statistics should reveal the server start time and up time. Address Leased shows DHCP server is running. | ||
| 2 | Verify whether DHCP client can obtain an address | 1. From a client machine, open command prompt 2. Type "ipconfig /all" 3. Verify that the client can obtain an IP address. 4. In the client machine's command prompt, type "ipconfig /release" 5. In the client machine's command prompt, type "ipconfig /flushdns" 6. Have a client machine obtain a DHCP address using "ipconfig /renew" 7. Verify that the client can get an IP address |
Client machine must obtain an IP address | ||
| 3 | Verify Event Logs | Check the Event Logs(Application, Security, System) to check if there are any error conditions | |||
| 4 | Verify DHCP database consistency | 1. Stop DHCP server from service from computer management console. 2. Run JETPACK.EXE from %SYSTEMROOT%\SYSTEM32\DHCP directory. Syntax: JETPACK dhcp.mdb tmp.mdbfrom 3. Start DHCP server from computer management console. |
JETPACK should complete without any errors. | ||
| 5 | Administrator can take system/data backup | Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard". | Follow the steps and you should be able to take backup. |
| WINS Server - Core server functionality test | |||||
| Test case No. | Condition to be tested | Execution Details | Expected Result | Tools Required | Comments |
| 1 | Verify WINS service health | 1. Logon to WINS server(MSS-WINS-01) 2. Click on Start->Programs->Administrative Tools-> Services 3. Verify that the WINS service is running. 4. Open MMC WINS snap in and verify that server status is responding. 5. Also check the Active Registrations to verify that servers are registered with WINS. 6. Run NETDIAG.EXE on the command shell to check WINS sevice. Syntax: NETDIAG /test:WINS |
WINS service should be running. Should be able to view all registrations for the WINS server. NETDIAG test should pass. | ||
| 2 | Verify WINS database consistency | 1. Run JETPACK.EXE from %SYSTEMROOT%\SYSTEM32\WINS directory. Syntax: NET STOP WINS JETPACK WINS.MDB TMP.MDB NET START WINS |
Database consistency check should complete without any errors. | ||
| 3 | Verify that the Win 98/Win NT client can resolve names, renew names | 1. Verify that Win 98/Win NT client name gets registered in the WINS server 2. Run name resolution query of any other server from Win 98/Win NT client machine and it succeeds 3. Shut down the client machine and verify the entries do not exist on the WINS server 4. Restart the client machine 5. Verify that the entries get renewed in the WINS server |
Win 98/Win NT client should be able to resolve names, renew names and register itself with WINS server | ||
| 4 | WINS Event Logs | Verify there are no error logs in the WINS section of event logs in the management console. | There should not be any error logs. | ||
| 5 | Administrator can take system/data backup | Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard". | Follow the steps and you should be able to take backup. |
| File and Print Server - Core server functionality test | |||||
| Test case No. | Condition to be tested | Execution Details | Expected Result | Tools Required | Comments |
| 1 | Verify ability to modify NTFS ACL for domain users on file share | 1. Logon to the file server(MSS-FILE-01) 2. Right-click on the folder(whose ACL has to be modified) within the file share folder, click Properties, and then click the Security tab. 3. Add a domain user and give him/her appropriate rights. 4. Select the user, click Advanced button, and then click View/Edit. 5. Change permissions and apply. |
The Administrator should be able to modify the ACL. | ||
| 2 | Verify file share creation | 1. Logon to the file server(MSS-FILE-01) 2.Locate the share folder(D:\public). 3. Verify permissions on the share folder and subfolders. |
Share folder should be present and ACL created. | ||
| 3 | Verify publishing new share in active directory | 1. Logon to the file server(MSS-FILE-01) 2. Locate the share(D:\public) and create a new subfolder inside this share. Grant appropriate access to domain users on the new share. 3. Logon to the domain controller(MSS-CDC-01) 4. Open Start->Programs->Administrative Tools->Active Directory Users and Computers 5. Right click on domain name, click on New->Shared Folder. 6. Verify that you are able to add a new share in the active directory. 7. Logon to a client machine. Goto Network places and locate your shared folder. |
The new share should get published in the Active Directory. You should be able to explore it through a client machine. | ||
| 4 | Verify Event Logs | 1. Logon to the file server(MSS-FILE-01) 2. Verify there are no file share related errors in the event logs in the management console. |
There should not be any error logs. | ||
| 5 | Administrator can take system/data backup | Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard". | Follow the steps and you should be able to take backup. |
| File and Print Server - Core server functionality test | |||||
| Test case No. | Condition to be tested | Execution Details | Expected Result | Tools Required | Comments |
| 1 | Add a new printer | 1. Logon to the printer server(MSS-PRN-01) 2. Go to Start->Settings->Printers 3. Click on Add Printer Wizard and follow the steps till the end. Create a new port to use with the printer. 4. Print a test page. |
Should be able to add a printer. Should be able to see the test should be in the printer queue. | ||
| 2 | Publish new printer in active directory | 1. Logon to the domain controller(MSS-CDC-01) 2. Open Start->Programs->Administrative Tools->Active Directory Users and Computers 3. Right click on domain name->All Tasks->Find 4. Select Printers in the drop down list. 5. Type the printer name you want to find and click Find Now |
The printer should be listed in the results section. | ||
| 3 | Verify print spooler service health | 1. Logon to the printer server(MSS-PRN-01) 2. Go to Start->Programs->Administrative Tools->Services 3. Verify that Print Spooler is running. 4. Verify that it can be stopped and restarted without any errors. |
The Print Spool service should be running. | ||
| 4 | Verify Event Logs | 1. Logon to the printer server(MSS-PRN-01) 2. Verify there are no Print related errors in the event logs in the management console. |
There should not be any error logs. | ||
| 5 | Administrator can take system/data backup | Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard". | Follow the steps and you should be able to take backup. |
| Web Server IIS - Core server functionality test | |||||
| Test case No. | Condition to be tested | Execution Details | Expected Result | Tools Required | Comments |
| 1 | Verify that Server is running. | 1. Logon to the Web Server(MSS-WEB-01) 2. Go to Start->Programs->Administrative Tools->Services 3. Verify that IIS Admin service and World Wide Web Publishing services are running. 4. Go to Task manager console. 5.On the Processes tab, verify that the Inetinfo.exe program is listed in the Image Name column. |
The services should be running and Inetinfo.exe should be present in the list of processes. | ||
| 2 | Verify that server is running after Restart. | 1. Logon to the Web Server(MSS-WEB-01) 2. Go to Start->Programs->Administrative Tools->IIS Management. 3. Right-click the Web server name and then click Restart IIS to restart the IIS services. |
The Inetinfo.exe application is running. Also check that in services the Start Up type is Automatic. | ||
| 3 | Verify the Authentication and Encryption Levels on the Web Server | 1. Logon to the Web Server(MSS-WEB-01) 2. Go to Start->Programs->Administrative Tools->IIS Management. 3. Right-click on the Web site and then click Properties. 4. On the Directory Security tab, under anonymous access and authentication control, click Edit. 5.Verify that the correct authentication and encryption settings are set at the server. (Windows authetication or anonymous authetication etc.) |
User can Access the content of the Web. | ||
| 4 | Verify IP address and domain name in IIS Management | 1. Logon to the Web Server(MSS-WEB-01). 2. Go to Start->Programs->Administrative Tools->IIS Management. 3. Right-click on a website and then click Properties. 4. On the Directory Services tab, under IP Address and Domain Name Restrictions, click Edit. 5.Verify that the IP address and Domain name Restrictions are not set to Deny. |
The IP addeess and Domain Name Restrictions should not be set to Deny. | ||
| 5 | Verify all necessary files are Present in Root folder. | 1. Open Windows Explorer. 2. Goto the \Inetpub\wwwroot\ folder. 3. See It include all the necessary .html files for the Web site. (e.g. File: postinfo.html) |
Root folder and all files should be present. | ||
| 6 | Administrator can take system/data backup | Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard". | Follow the steps and you should be able to take backup. |
| Bastion Host - Functionality test | |||||
| Test case No. | Condition to be tested | Execution Details | Expected Result | Tools Required | Comments |
| 1 | Verify that the IAS Service is running | Open services.msc and look for Internet Authentication Service | The service should be set to Automatic and should be started | ||
| 2 | Grant Remote Access permission | On the IAS console, add a radius client name with Friendly name as MSS, Address as the name of the machine on which you run the radius client and provide the shared secret. Set the client-vendor attribute to "RADIUS-Standard". In the remote access policy section of the IAS console add a new remote access policy. Chose access method as Ethernet. Make access criteria as "user". Chose the MD-5 Challenge type for the EAP policy. After you finish creating this policy, edit it and chose the "Grant remote access permission" option. Now start the radius client and send an authentication request. For information on settings required on the RADIUS Client, refer to the job aid for interoperability test cases. | From the cmd, run the command: iasparse -f:IN0304.log > ias.txt. Open ias.txt and verify that the Packet-Type for the last transaction logged in the file IN0304.log is "Access-reject" and that the Reason-Code provided is "The connection attempt did not match any connection request policy" | ||
| 3 | Deny Remote Access permission | On the IAS console, add a radius client name with Friendly name as MSS, Address as the name of the machine on which you run the radius client and provide the shared secret. Set the client-vendor attribute to "RADIUS-Standard". In the remote access policy section of the IAS console add a new remote access policy. Chose access method as Ethernet. Make access criteria as "user". Chose the MD-5 Challenge type for the EAP policy. After you finish creating this policy, edit it and chose the "Deny remote access permission" option. Now start the radius client and send an authentication request. For information on settings required on the RADIUS Client, refer to the job aid for interoperability test cases. | From the cmd, run the command: iasparse -f:IN0304.log > ias.txt. Open ias.txt and verify that the Packet-Type for the last transaction logged in the file IN0304.log is "Access-Accept" and that the Reason-Code provided is "The operation completed successfully" |
||
| 4 | No errors in eventlog | Open the Eventvwr console and look warnings and errors | There should be no warnings and errors in the system log. You will see information items for every instance of a RADIUS authentication request succeeding and warning messages for every failed authentication attempt. | ||
| 5 | Administrator can take system/data backup | Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard". | Follow the steps and you should be able to take backup. |
| WINS Server - Core server functionality test | |||||
| Test case No. | Condition to be tested | Execution Details | Expected Result | Tools Required | Comments |
| 1 | Verify that the CA certificate is valid. | 1. Go to Run. Type MMC. Open the Certificate snap-in. 2. Open the Certificate. On General Tab. 3. Check for the Validity date and issued to/issued by. Also verify certificate path -> certificate chain is valid. |
Validity issued to/issued by dates. Also verify certificate path -> certificate chain is valid. | ||
| 2 | Verify that the certificate chain can be build | 1. On the Command prompt, Type certutil -verify <Windows/system32/certsrv/certenroll/<cert.cer> or 2. open the certificate -> Certificate Authority tab -> Check for the chain. |
Verify the output. It should be "Leaf certificate revocation check passed" and the value of dwErrorStatus variable in the output is zero. | ||
| 3 | Verify that the right CRL distribution point has been added to the CA certificate. | 1. Open the Certificate and go to Details tab. 2. Scroll down to CRL Distribution Point. 3. Verify that the correct CRL Distribution Point name is given. For this check for the correct http and ldap location |
CRL Distribution Point is correct. | ||
| 4 | Certificate Verification: Client is able to verify a certificate validity manually. | 1. Go to Run. Type MMC. 2. From the Certifiacte snap in, Open the Certificate manually through CA MMC and check for the fields. |
Genral tab Should show "Certificate is ok" and it should be in the correct validity period. | ||
| 5 | Force publishing of CRL from issueing CA. | 1. Log on to 2-MSS-CA-01 as CA Administrator. 2. open CA MMC. Go to Revoke Certificates folders -> Action -> Publish. 3. Select New CRL. |
Revoked Certificates folder -> Properties -> View CRLs tab should have the new CRL, Check for date and time. | ||
| 6 | Certificate Management: Client receives root CA certificate automatically. | 1. Open the Certificate MMC for the current user. 2. Go to Certificates -> trusted Certificate Authoritities and Check for the Root CA certificate in this folder. |
Root CA certificate should be present in the list of Trusted CA Authorities. | ||
| 7 | Auto Enrollment: An Administrator is able to force a certificate reenrollment for all clients. | 1. Go to Run. Type MMC. Open the certificate Template snap -in. 2. Change the parameter Validity Period, Requires manual Approval in the properties tab. 3. Right Click user template and click reenroll all certificate holders. |
Verify that the certificates enrolling happens as per the new template for any user. | ||
| 8 | Administrator can take system/data backup | Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard". | Follow the steps and you should be able to take backup. |
| Bastion Host - Functionality test | |||||
| Test case No. | Condition to be tested | Execution Details | Expected Result | Tools Required | Comments |
| 1 | Bastion Host can access the internet | Open a web browser and try to access http://msn.com | Access successful | ||
| 2 | Bastion host can access FTP sites | Open a web browser and try to access ftp://ftp.microsoft.com | Access successful | ||
| 3 | Check that all the necessary services are started | Verify that all the services which have been set to automatic in the security template are started. | All services are running | ||
| 4 | IIS Functionality | Add the IIS windows component. Start the IIS Manager. Open a browser and see if you can access default content (default.html) located in c:\inetpub\wwwroot\. | The IIS Admin Service is started and one can view local content. | ||
| 5 | FTP Functionality | Enable the windows component for FTP and verify that the FTP site configuration menu has been generated in IIS Manager. Further check that the FTP publishing service has been started. Also verify that the "Users" only have read and list folder contents permission on the FTP site. Run interoperability test cases in conjunction with this testcase to verify that the FTP service is functioning correctly | The FTP Publishing service is running | ||
| 6 | SMTP Functionality | Add the Email Services windows component and verify that you can administer SMTP through the IIS manager under the menu for "Default SMTP Virtual Server". Verify that the SMTP service is running. Use interoperability test cases to confirm that the bastion host acts as an SMTP relay agent. | The SMTP service is running | ||
| 7 | Event Logs | Verify that there are no error logs in the Eventvwr | There are no errors and warnings except those document in Ch 11 of the Security Guide. These errors and warnings are expected because of server hardening | ||
| 8 | Processes in Task Manager | Open the task manager and verify that the following processes are running: smss.exe csrss.exe winlogon.exe services.exe lsass.exe explorer.exe |
The listed processes are all running | ||
| 9 | Windows Registry is accessible by Local Administrator | Logon to the Bastion Host as local administrator. Open the windows registry using regedt32 or any other registry editor. | The registry can be accessed. | ||
| 10 | Administrator can take system/data backup | Run ntbackup utility from command prompt. It invokes the "Backup or Restore wizard". | Follow the steps and you should be able to take backup. |