
OFFICIAL MICROSOFT LEARNING PRODUCT

6425A Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.


ii Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.


© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, ActiveX, BitLocker, Convergence, Internet Explorer, Jscript, MSDN, NetMeeting, PowerPoint, SharePoint, SQL Server, Verdana, Visual Basic, Visual Studio, Win32, Windows, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Technical Reviewer: John Policelli

Product Number: 6425A

Part Number: X14-69064

Released: 05/2008


MICROSOFT LICENSE TERMS

OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION – Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft

• updates,

• supplements,

• Internet-based services, and

• support services

for this Licensed Content, unless other terms accompany those items. If so, those terms apply.

By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content.

If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.

b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.

d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.

e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or analog device.

f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.

g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.

h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.


i. “Student Content” means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.

j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.

k. “Trainer Content” means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.

l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

m. “Virtual Machine” means a virtualized computing experience, created and accessed using Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.

Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.

License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (i) or (ii) above during such Authorized Training Session in accordance with these license terms.


i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that

• becomes publicly known through no wrongful act;

• you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or

• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (“beta term”).

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers:

i. Software.

ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply:

Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply:

Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks:


You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:

o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.

o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.

o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.

o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.

o You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.

o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.

o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation Software” may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:

i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.


iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use

• You will not republish or post the Academic Materials on any network computer or broadcast in any media;

• You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:

Form of Notice:

© 2008 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved.

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not

• install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;

• allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;

• copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;

• disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;

• work around any technical limitations in the Licensed Content;

• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;

• make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;

• publish the Licensed Content for others to copy;


• transfer the Licensed Content, in whole or in part, to a third party;

• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;

• rent, lease or lend the Licensed Content; or

• use the Licensed Content for commercial hosting services or general business purposes.

• Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks, do not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as “NFR” or “Not for Resale.”

10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as “Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.


16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

• anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and

• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as is.” You bear the risk of using it. Microsoft gives no other express warranties. You may have additional consumer rights under your local consumer protection laws which this agreement cannot change. Where permitted by your local laws, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to U.S. $5.00. You cannot recover any other damages, including special, indirect or incidental damages and lost profits.

This limitation applies to:

• anything related to the Licensed Content, services or content (including code) on third party Internet sites or in third party programs; and

• claims for breach of contract or warranty, or for strict liability, negligence or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damages. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.


Contents

Module 1: Implementing Active Directory Domain Services

Lesson 1: Installing Active Directory Domain Services 1-3

Lesson 2: Deploying Read-Only Domain Controllers 1-16

Lesson 3: Configuring AD DS Domain Controller Roles 1-25

Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles 1-32

Module 2: Configuring Domain Name Service for Active Directory Domain Services

Lesson 1: Overview of Active Directory Domain Services and DNS Integration 2-3

Lesson 2: Configuring AD DS Integrated Zones 2-11

Lesson 3: Configuring Read-Only DNS Zones 2-19

Lab: Configuring AD DS and DNS Integration 2-23

Module 3: Configuring Active Directory Objects and Trusts

Lesson 1: Configuring Active Directory Objects 3-3

Lesson 2: Strategies for Using Groups 3-14

Lesson 3: Automating AD DS Object Management 3-20

Lab A: Configuring Active Directory Objects 3-28

Lesson 4: Delegating Administrative Access to AD DS Objects 3-40

Lesson 5: Configuring AD DS Trusts 3-48

Lab B: Configuring Active Directory Delegation and Trusts 3-57


Module 4: Configuring Active Directory Domain Services Sites and Replication

Lesson 1: Overview of Active Directory Domain Services Replication 4-3

Lesson 2: Overview of AD DS Sites and Replication 4-13

Lesson 3: Configuring and Monitoring AD DS Replication 4-22

Lab: Configuring Active Directory Sites and Replication 4-32

Module 5: Creating and Configuring Group Policy

Lesson 1: Overview of Group Policy 5-3

Lesson 2: Configuring the Scope of Group Policy Objects 5-16

Lesson 3: Evaluating the Application of Group Policy Objects 5-28

Lesson 4: Managing Group Policy Objects 5-33

Lesson 5: Delegating Administrative Control of Group Policy 5-40

Lab: Creating and Configuring GPOs 5-44

Module 6: Configuring User Environments Using Group Policy

Lesson 1: Configuring Group Policy Settings 6-3

Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy 6-7

Lesson 3: Configuring Administrative Templates 6-15

Lesson 4: Configuring Group Policy Preferences 6-22

Lesson 5: Deploying Software Using Group Policy 6-28

Lab: Configuring User Environments Using Group Policy 6-38

Module 7: Implementing Security Using Group Policy

Lesson 1: Configuring Security Policies 7-3

Lesson 2: Implementing Fine-Grained Password Policy 7-13

Lesson 3: Restricting Group Membership and Access to Software 7-18

Lesson 4: Managing Security Using Security Templates 7-25

Lab: Implementing Security Using Group Policy 7-33


Module 8: Implementing an Active Directory Domain Services Monitoring Plan

Lesson 1: Monitoring AD DS Using Event Viewer 8-3

Lesson 2: Monitoring Active Directory Domain Servers Using Reliability and Performance Monitor 8-10

Lesson 3: Configuring AD DS Auditing 8-19

Lab: Monitoring AD DS 8-25

Module 9: Implementing an Active Directory Domain Services Maintenance Plan

Lesson 1: Maintaining the AD DS Domain Controllers 9-3

Lesson 2: Backing Up Active Directory Domain Services 9-14

Lesson 3: Restoring AD DS 9-18

Lab: Implementing an AD DS Maintenance Plan 9-28

Module 10: Troubleshooting AD DS, DNS, and Replication Issues

Lesson 1: Troubleshooting Active Directory Domain Services 10-3

Lesson 2: Troubleshooting DNS Integration with AD DS 10-9

Lesson 3: Troubleshooting AD DS Replication 10-15

Lab: Troubleshooting AD DS, DNS and Replication Issues 10-23

Module 11: Troubleshooting Group Policy Issues

Lesson 1: Introduction to Group Policy Troubleshooting 11-3

Lesson 2: Troubleshooting Group Policy Application 11-10

Lesson 3: Troubleshooting Group Policy Settings 11-17

Lab: Troubleshooting Group Policy Issues 11-25


Module 12: Implementing an Active Directory® Domain Services Infrastructure

Lesson 1: Overview of the AD DS Domain 12-3

Lesson 2: Planning a Group Policy Strategy 12-7

Lab A: Deploying Active Directory Domain Services 12-9

Lab B: Configuring Forest Trust Relationships 12-23

Lab C: Designing a Group Policy Strategy 12-31

Lab Answer Keys


About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description

The purpose of this 5-day course is to teach Active Directory® Technology Specialists how to configure Active Directory® Domain Services (AD DS) in a distributed environment, implement Group Policy, perform backup and restore, and monitor and troubleshoot Active Directory related issues. After completing this course, students will be able to implement and configure Active Directory Domain Services in their enterprise environment.

Audience

The primary audience for this course is Active Directory Technology Specialists, Server Administrators, and Enterprise Administrators who want to learn how to implement Active Directory in a distributed environment, secure domains using Group Policy, perform backup and restore, and monitor and troubleshoot the Active Directory configuration to ensure trouble-free operation.

Student Prerequisites

This course requires that you meet the following prerequisites:

• Basic understanding of networking. For example, how TCP/IP functions, addressing, name resolution (Domain Name System [DNS]/Windows Internet Name Service [WINS]), and connection methods (wired, wireless, virtual private network [VPN]); NET+ or equivalent knowledge.

• Intermediate understanding of network operating systems. For example, Windows® 2000, Windows® XP, Windows Server® 2003, etc.; the Windows Vista® operating system client (nice to have).

• An awareness of security best practices. For example, file system permissions, authentication methods, workstation and server hardening methods, etc.

• Basic knowledge of server hardware. A+ or equivalent knowledge.


• Some experience creating objects in Active Directory.

• Foundation course (6424A: Fundamentals of Windows Server® 2008 Active Directory®) or equivalent knowledge.

• Basic concepts of backup and recovery in a Windows Server Environment. For example, backup types, backup methods, backup topologies etc. (information covered in 6420A: Fundamentals of Windows Server® 2008 Network Infrastructure and Application Platform).

Course Objectives

After completing this course, students will be able to:

• Implement AD DS.

• Configure DNS for AD DS.

• Configure Active Directory objects and trusts.

• Configure Active Directory sites and replication.

• Create and configure Group Policy.

• Configure user environments using Group Policy.

• Implement security using Group Policy.

• Implement an AD DS monitoring plan.

• Implement an AD DS maintenance plan.

• Troubleshoot Active Directory, DNS, and replication issues.

• Troubleshoot Group Policy issues.

• Implement an AD DS infrastructure.


Course Outline

This section provides an outline of the course:

Module 1: This module discusses the prerequisite hardware and software required for implementing AD DS, as well as the process for installing it. It also defines what a read-only domain controller (RODC) is and how to install it.

Module 2: This module covers DNS configuration specific to AD DS.

Module 3: This module discusses how to implement and configure AD DS objects and trusts.

Module 4: This module covers how to create and configure sites to manage replication.

Module 5: This module covers how Group Policy objects (GPOs) work and how to create and apply GPOs.

Module 6: This module discusses how to configure user desktop settings by using Group Policy.

Module 7: This module describes how to configure security settings and apply them using GPOs.

Module 8: This module describes how to monitor AD DS infrastructure and services.

Module 9: This module discusses how to perform maintenance, backup, and recovery of Active Directory servers and objects.

Module 10: This module covers how to troubleshoot and resolve issues related to AD DS, DNS, and replication.

Module 11: This module describes how to troubleshoot and resolve issues related to Group Policy.

Module 12: This module is a day-long lab. You are given scenarios that will help you learn how to create a solution from start to end.


Course Materials

The following materials are included with your kit:

• Course handbook. The Course handbook contains the material covered in class. It is meant to be used in conjunction with the Course Companion CD.

• Course Companion CD. The Course Companion CD contains the full course content, including expanded content for each topic page, full lab exercises and answer keys, and topical and categorized resources and Web links. It is meant to be used both inside and outside the class.

Note: To access the full course content, insert the Course Companion CD into the CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].

Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration

In this course, you will use Microsoft Virtual Server 2005 and MSL Lab Launcher to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes. Click OK.


The following table shows the role of each virtual machine that this course uses:

Virtual machine   Role
6425A-NYC-DC1     Domain controller in the WoodgroveBank.com domain
6425A-NYC-DC2     Domain controller in the WoodgroveBank.com domain
6425A-MIA-RODC    Read-only domain controller running on Windows Server 2008 Server Core
6425A-NYC-SVR1    Standalone server
6425A-NYC-SVR2    Windows Server 2008 Server Core computer
6425A-NYC-CL1     Windows Vista computer in the WoodgroveBank.com domain
6425A-NYC-RAS     Member server in the WoodgroveBank.com domain
6425A-LON-DC1     Domain controller in the EMEA.WoodgroveBank.com domain
6425A-VAN-DC1     Windows Server 2003 domain controller in the Fabrikam.com domain

Software Configuration

The following software is installed on the virtual machines:

• Windows Server® 2008 Enterprise

• Windows Server® 2003 Enterprise

• Windows® Vista SP1

Classroom Setup

Each classroom computer will have the same virtual machines configured in the same way.


Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught. This course requires a computer that meets or exceeds hardware level 5.5, which specifies a 2.4-gigahertz (minimum) Pentium 4 or equivalent CPU, at least 2 gigabytes (GB) of RAM, 16 megabytes (MB) of video RAM, and two 7200 RPM 40-GB hard disks.


Module 1 Implementing Active Directory Domain Services

Contents:

Lesson 1: Installing Active Directory Domain Services 1-3

Lesson 2: Deploying Read-Only Domain Controllers 1-16

Lesson 3: Configuring AD DS Domain Controller Roles 1-25

Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles 1-32


Module Overview

Active Directory Domain Services (AD DS) is installed as a server role in the Windows Server® 2008 operating system. You have several choices to make when you install AD DS and run the Active Directory Domain Services Installation Wizard. You must choose whether to create a new domain, or add a domain controller to an existing domain. You also have the option of installing AD DS on a server running Windows Server 2008 Server Core, or installing read-only domain controllers. After deploying the domain controllers, you also must manage special domain controller roles, such as the global catalog and operations masters.


Lesson 1: Installing Active Directory Domain Services

Windows Server 2008 provides several ways to install and configure AD DS. This lesson describes the standard AD DS installation, and also describes some of the other options that are available when performing the installation.


Requirements for Installing AD DS

Key Points

To install AD DS, the server must meet the following requirements:

• The Windows Server 2008 operating system must be installed. AD DS can only be installed on the following operating systems:

  • The Windows Server® 2008 Standard operating system

  • The Windows Server® 2008 Enterprise operating system

  • The Windows Server® 2008 Datacenter operating system

Additional Reading

• Active Directory Domain Services Help: Installing Active Directory Domain Services

• Microsoft Technet article: Requirements for Installing AD DS


What Are Domain and Forest Functional Levels?

Key Points

In Windows Server 2008, forest and domain functionality provides a way to enable forest-wide or domain-wide Active Directory features in your network environment. Different sets of features are available, depending on the domain and forest functional level.

Additional Reading

• Active Directory Domain Services Help: Set the domain or forest functional level

• Microsoft Technet article: Appendix of Functional Level Features


AD DS Installation Process

Key Points

To configure a Windows Server 2008 domain controller, you must install the AD DS server role and run the Active Directory Domain Services Installation Wizard. Do this using one of the following processes:

• Install the AD DS server role by using Server Manager, and then start the Active Directory Domain Services Installation Wizard either from Server Manager or by running DCPromo.

• Run DCPromo from the Run command or a command prompt. This installs the AD DS server role and then starts the installation wizard.


Additional Reading

• Active Directory Domain Services Help: Installing Active Directory Domain Services

• Microsoft Technet article: Installing a New Windows Server 2008 Forest and Scenarios for Installing AD DS


Advanced Options for Installing AD DS

Key Points

Some of the Active Directory Domain Services Installation Wizard pages appear only if you select the Use advanced mode installation check box on the Welcome page of the wizard, or if you run DCPromo with the /adv switch. If you do not run the Installation Wizard in advanced mode, the wizard uses default options that apply to most configurations.

Question: When would you use the advanced options mode in your organization?

Additional Reading

• Active Directory Domain Services Help: Use advanced mode installation

• Microsoft Technet article: What's New in AD DS Installation and Removal


Installing AD DS from Media

Key Points

Before you can use backup media as the source for installing a domain controller, use Ntdsutil.exe to create the installation media.

Ntdsutil.exe can create four different installation media types.

Question: Which types of installation media will you use in your organization?

Additional Reading

• Microsoft Technet article: Installing AD DS from Media


Demonstration: Verifying the AD DS installation

Question: What steps would you take if you noticed that the domain controller installation failed?

Additional Reading

• Microsoft Technet article: Verifying an AD DS Installation


Upgrading to Windows Server 2008 AD DS

Key Points

To install a new Windows Server 2008 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain, complete the following steps:

• If the domain controller is the first Windows Server 2008 domain controller in the forest, you must prepare the forest for Windows Server 2008 by extending the schema on the schema operations master. To extend the schema, run adprep /forestprep. The adprep tool is located on the Windows Server 2008 installation media.

• If the domain controller is the first Windows Server 2008 domain controller in a Windows 2000 Server domain, you must first prepare the domain by running adprep /domainprep /gpprep on the infrastructure master. The /gpprep switch adds inheritable access control entries (ACEs) to the Group Policy objects (GPOs) located in the SYSVOL shared folder and synchronizes the SYSVOL shared folder among the domain controllers in the domain.


• If the domain controller is the first Windows Server 2008 domain controller in a Windows Server 2003 domain, you must prepare the domain by running adprep /domainprep on the infrastructure master.

• After you install a writeable domain controller, you can install an RODC in the Windows Server 2003 forest. Before doing this, you must prepare the forest by running adprep /rodcprep. You can run adprep /rodcprep on any computer in the forest. If the RODC will be a global catalog server, then you must run adprep /domainprep in all domains in the forest, regardless of whether the domain runs a Windows Server 2008 domain controller. By running adprep /domainprep in all domains, the RODC can replicate global catalog data from all domains in the forest and then advertise as a global catalog server.

Additional Reading

• Active Directory Domain Services Help: Installing Active Directory Domain Services

• Microsoft Technet article: Installing a New Windows Server 2008 Forest

• Microsoft Technet article: Scenarios for Installing AD DS


Installing AD DS on a Server Core Computer

Key Points

To install AD DS on a Windows Server 2008 computer running Server Core, you must use an unattended setup. Windows Server 2008 Server Core does not provide a graphical user interface (GUI), so you cannot run the Active Directory Domain Services Installation Wizard.

To perform an unattended AD DS installation, use an answer file and the following syntax with the Dcpromo command:

Dcpromo /answer[:filename]

where filename is the name of your answer file.


Additional Reading

• Microsoft Technet article: Installing a New Windows Server 2008 Forest, Appendix of Unattended Installation Parameters


Discussion: Common Configuration for AD DS

Key Points

After installing a domain controller, you may need to perform additional tasks in your environment. You can access checklists for the common configurations for AD DS in Server Manager, under Resources and Support.

Additional Reading

• AD DS Help: Common Configurations for Active Directory Domain Services


Lesson 2: Deploying Read-Only Domain Controllers

One of the important new features in Windows Server 2008 is the option to use read-only domain controllers (RODCs). RODCs provide all of the functionality that clients require while providing additional security for domain controllers deployed in branch offices. When configuring RODCs, you can specify which user account passwords will be cached on the server, and configure delegated administrative permissions for the domain controller. This lesson describes how to install and configure RODCs.


What Is a Read-Only Domain Controller?

Key Points

An RODC is a new type of domain controller that Windows Server 2008 supports. An RODC hosts read-only partitions of the AD DS database. This means that no changes can ever be made to the database copy stored on the RODC, and all AD DS replication uses a one-way connection from a domain controller that has a writeable database copy to the RODC.

Additional Reading

• Microsoft Technet article: AD DS: Read-Only Domain Controllers


Read-Only Domain Controller Features

Key Points

See the list on the slide.

Additional Reading

• Microsoft Technet article: AD DS: Read-Only Domain Controllers

• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3


Preparing to Install the RODC

Key Points

Before you can install an RODC, you must prepare the AD DS environment by completing the following steps:

• Configure the domain and forest functional level.

• Plan for Windows Server 2008 domain controller availability.

• Prepare the forest and domain.


Additional Reading

• AD DS Help: Delegate read-only domain controller installation and administration

• Microsoft Technet article: AD DS: Read-Only Domain Controllers

• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3


Installing the RODC

Key Points

The RODC installation is almost identical to the installation of AD DS on a domain controller with a writeable copy of the database. However, there are a few additional steps.

Additional Reading

• AD DS Help: Delegate read-only domain controller installation and administration

• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3


Delegating the RODC Installation

Key Points

You can delegate the installation of an RODC by performing a two-stage installation.

Question: What are the benefits of delegating an RODC installation?

Additional Reading

• AD DS Help: Delegate read-only domain controller installation and administration

• Microsoft Technet article: AD DS: Read-Only Domain Controllers

• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controllers


What Are Password Replication Policies?

Key Points

When you deploy an RODC, you can configure a Password Replication Policy for the RODC. The Password Replication Policy acts as an access control list (ACL) that determines whether the RODC is permitted to cache a given account's password.

The Password Replication Policy lists the accounts whose passwords are explicitly allowed to be cached on the RODC, and those whose passwords are explicitly denied. A password is not actually cached on the RODC until the first time the user or computer account authenticates through the RODC.
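The unattended Dcpromo syntax from Lesson 1 and the Password Replication Policy described here meet in the answer file. The following is an added example, not taken from the course or its labs: an answer file that promotes a Server Core computer to an RODC in WoodgroveBank.com, delegates its administration, and sets an explicit allow/deny list. The parameter names are those documented for Windows Server 2008 Dcpromo; the group names, the delegated account, the site name and the DSRM password placeholder are assumptions.

```ini
; Constructed example answer file for an unattended RODC promotion.
; Run from an elevated prompt on the Server Core computer:
;   dcpromo /answer:C:\rodc-answer.txt
; For a pre-staged RODC account (as in the lab), attach to it instead:
;   dcpromo /UseExistingAccount:Attach /answer:C:\rodc-answer.txt
[DCInstall]
; Join the existing domain as a read-only replica
; (other ReplicaOrNewDomain values: Replica, Domain)
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=WoodgroveBank.com
; Site name is an assumption; use the branch office site in production
SiteName=Default-First-Site-Name
; Also install the DNS Server role and make this RODC a global catalog
InstallDNS=Yes
ConfirmGc=Yes
; Credentials used for the promotion. "*" prompts for the password at run time
; so no password has to be stored in this file.
UserDomain=WoodgroveBank.com
UserName=Administrator
Password=*
; Administrator Role Separation: this account can administer the RODC locally
; without holding any rights in the domain (account assumed).
DelegatedAdmin="WoodgroveBank\Axel"
; Password Replication Policy: cache branch-office accounts only. The built-in
; Denied RODC Password Replication Group (Domain Admins and other privileged
; accounts) remains denied regardless. Group names are assumptions.
PasswordReplicationAllowed="WoodgroveBank\Toronto Users"
PasswordReplicationDenied="WoodgroveBank\Executives"
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Directory Services Restore Mode password: placeholder, set a strong value.
; Because this value is stored in clear text, delete the file after promotion.
SafeModeAdminPassword=<DSRM-PASSWORD-PLACEHOLDER>
RebootOnCompletion=Yes
```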

Additional Reading

• AD DS Online Help: Specify Password Replication Policy


Demonstration: Configuring Administrator Role Separation and Password Replication Policies

Questions:

What is an alternative way to configure administrator role separation and password replication policies?

Your organization has deployed two RODCs. How would you configure the password replication policy if you wanted the credentials for all user accounts and computer accounts except for administrators and executives to be cached on both RODCs?

Additional Reading

• AD DS Help: Specify Password Replication Policy


Lesson 3: Configuring AD DS Domain Controller Roles

All domain controllers in a domain are essentially equal, meaning they all contain the same data and provide the same services. However, you also can assign special roles to domain controllers to provide additional services, or address scenarios in which only one domain controller should provide services at any given time. This lesson describes how to configure and manage global catalog servers and operations masters.


What Are Global Catalog Servers?

Key Points

The global catalog is a partial, read-only replica of all domain directory partitions in a forest. It is a partial replica because it includes only a limited set of attributes for each of the forest's objects. By including only the attributes that are searched most frequently, the database of a single global catalog server can represent every object in every domain in the forest.

A global catalog server is a domain controller that also hosts the global catalog. AD DS automatically configures the first domain controller in the forest as a global catalog server. You can add global catalog functionality to other domain controllers, or move the global catalog from its default location to another domain controller.

Additional Reading

• Microsoft Technet article: Domain Controller Roles


Modifying the Global Catalog

Key Points

Sometimes you may want to customize the global catalog server to include additional attributes. By default, for every object in the forest, the global catalog server contains an object's most common attributes. Applications and users can query these attributes. For example, you can find a user by first name, last name, e-mail address, or other common properties.

Additional Reading

• Microsoft Technet article: Domain Controller Roles


Demonstration: Configuring Global Catalog Servers

Questions:

What types of errors or user experiences would lead you to investigate whether you needed to configure another server as a global catalog server?

What are reasons why you would choose to replicate an attribute to the global catalog?

Additional Reading

• Microsoft Technet article: To add an attribute to the global catalog


What Are Operations Master Roles?

Key Points

Active Directory is designed as a multimaster replication system. However, for certain directory operations, only a single authoritative server is required. The domain controllers that perform these specific roles are known as operations masters. The domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database.

Additional Reading

• Microsoft Technet article: To add an attribute to the global catalog

• Microsoft Technet article: Manage Operations Master Roles


Demonstration: Managing Operation Master Roles

Questions:

Under what circumstances might you need to seize an operations master role immediately rather than wait a few hours for a domain controller currently holding the role to be repaired?

You are deploying the first domain controller in a new domain that will be a new domain tree in the WoodgroveBank.com forest. What operations master roles will this server hold by default?

Additional Reading

• Microsoft Technet article: Manage Operations Master Roles


How Windows Time Service Works

Key Points

The Windows Time service, also known as W32Time, synchronizes the date and time for all computers running on a Windows Server 2008 network. The Windows Time service uses the Network Time Protocol (NTP) to ensure highly accurate time settings throughout your network. You also can integrate the Windows Time service with external time sources.

Additional Reading

• Microsoft Technet article: Windows Time Service Technical Reference

• Microsoft Technet article: Configuring a time source for the forest


Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles

Scenario

Woodgrove Bank has begun its deployment of Windows Server 2008. The organization has deployed several domain controllers at the corporate headquarters and is preparing to deploy domain controllers in several branch offices. The Enterprise Administrator created a design that requires read-only domain controllers to be deployed on servers running Windows Server 2008 in all branch offices. Your task is to deploy a domain controller in a branch office that meets these requirements.


Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC

In this exercise, you will evaluate the forest and server readiness for installing an RODC. You also will prepare the forest for the installation. In addition, you will examine the configuration of a server running Server Core to ensure that it meets the prerequisites for the RODC installation.

Note: Due to the limitations of the virtual lab environment, you will be installing the RODC in the same site as the existing domain controllers. In a production environment, you would complete the same steps even if the RODC was in a different site.

The main tasks are as follows:

1. Start the virtual machines, and then log on.

2. Verify that the forest and domain functional level are compatible with an RODC deployment.

3. Verify the availability of a writeable domain controller running Windows Server 2008.

4. Configure the computer account settings for the RODC.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. In the Lab Launcher, next to 6425A-NYC-DC2, click Launch.

4. In the Lab Launcher, next to 6425A-NYC-SVR1, click Launch.

5. Log on to NYC-DC1 and NYC-DC2 as Administrator with the password Pa$$w0rd.

6. Log on to NYC-SVR1 as LocalAdmin with the password Pa$$w0rd.

7. Minimize the Lab Launcher window.


Task 2: Verify that the forest and domain functional level are compatible with an RODC deployment

1. On NYC-DC1, open Active Directory Users and Computers.

2. View the WoodgroveBank.com properties, and verify that the domain functional level and the forest functional level are set to Windows Server 2003.

Task 3: Verify the availability of a writeable domain controller running Windows Server 2008

1. In Active Directory Users and Computers, check the properties for NYC-DC1.

2. Verify that the operating system name is Windows Server 2008 Enterprise.

Task 4: Configure the computer account settings for the RODC

1. On NYC-SVR1, open Server Manager.

2. Click Change System Properties, and on the Computer Name tab, change the computer name to TOR-DC1.

3. Restart the computer.

Result: At the end of this exercise you will have verified that the domain and the computer are ready to install an RODC.


Exercise 2: Installing and Configuring an RODC

In this exercise, you will install AD DS on the Windows Server 2008 computer as an RODC. To do this, you will prestage the computer account that the RODC will use. As part of the prestaging, you will delegate to a user or group the permission to attach the server to that account and complete the domain controller installation. After the installation is complete, you will verify that it succeeded. You also will configure a password replication policy for the accounts that authenticate through the RODC.

The main tasks are as follows:

1. Pre-stage the computer account for the RODC.

2. Log on to TOR-DC1 as LocalAdmin.

3. Install the RODC using the existing account. Use WoodgroveBank\Axel as the account with credentials to perform the installation.

4. Verify the successful installation of the domain controller.

5. Configure a password replication policy that enables credential caching for all user accounts in Toronto.

Task 1: Pre-stage the computer account for the RODC

1. On NYC-DC1, open Active Directory Users and Computers.

2. Right-click the Domain Controllers organizational unit, and then click Pre-create Read-only Domain Controller account.

3. Complete the Active Directory Domain Services Installation Wizard using the following selections:

a. Use advanced mode installation

b. Use the current credentials.

c. Computer name: TOR-DC1

d. Default site

e. Install only the DNS and RODC options

f. Delegate permission to install the RODC to Axel Delgado

Task 2: Log on to TOR-DC1 as LocalAdmin

• Log on as LocalAdmin using the password Pa$$w0rd.


Task 3: Install the RODC using the existing account. Use WoodgroveBank\Axel as the account with credentials to perform the installation

1. On TOR-DC1, open a command prompt, type dcpromo /UseExistingAccount:Attach, and then press ENTER.

2. Complete the Active Directory Domain Services Installation Wizard using the following selections:

a. Use advanced mode installation

b. Type WoodgroveBank\Axel as the alternate credentials

c. Use TOR-DC1 as the computer name

d. Use NYC-DC1.WoodgroveBank.com as the source domain controller

e. Accept the default location for the Database, Log Files, and SYSVOL files.

f. Use Pa$$w0rd as the Directory Services Restore Mode Administrator Password

3. Reboot the computer when the installation finishes.

Task 4: Verify the successful installation of the domain controller

1. After TOR-DC1 restarts, log on as WoodgroveBank\Axel with the password Pa$$w0rd.

2. In Server Manager, verify that Active Directory Domain Services server role is installed.

3. Verify that all required services are running.

4. In Active Directory Users and Computers, verify that TOR-DC1 is listed in the Domain Controllers organizational unit.

5. Verify that you do not have permission to add or remove domain objects.

6. In Active Directory Sites and Services, verify that TOR-DC1 is listed in the Servers list for the Default-First-Site-Name.


7. Check the NTDS Settings for TOR-DC1. Confirm that connection objects have been created.

8. Check the NTDS Settings for NYC-DC1. Confirm that no connection objects have been created for replication with TOR-DC1. Replication to an RODC is inbound only, so a writable domain controller never has a connection object that pulls from the RODC.

9. Open Event Viewer. In the Directory Service log, locate and view the event with ID 1128. This event confirms that a replication connection object from NYC-DC1 to TOR-DC1 has been created.

Task 5: Configure a password replication policy that enables credential caching for all user accounts in Toronto

1. On NYC-DC1, in Active Directory Users and Computers, access the TOR-DC1 Properties dialog box.

2. Add all of the Toronto groups to the password replication policy.

Result: At the end of this exercise, you will have installed an RODC and configured its password replication policy.
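Task 5 adds the Toronto groups to the Allowed list of the password replication policy (PRP). What the RODC will then actually cache is the set of accounts that resolve from the Allowed entries minus everything that resolves from the Denied entries, and Denied always wins. The following added example (it is not part of the handbook and not Microsoft code) models that evaluation with nested groups. The two Allowed/Denied RODC Password Replication groups are the ones Windows Server 2008 adds to every RODC's policy by default, and Domain Admins and krbtgt are among the default members of the Denied group; the Toronto groups, user names and the fact that Administrator also sits in a Toronto group are constructed for the example.

```python
# Constructed group membership for the example. The two "Allowed"/"Denied"
# groups are the defaults on every Windows Server 2008 RODC policy; Domain
# Admins and krbtgt are among the default Denied members. Everything else
# (Toronto groups, users, workstations) is an assumption for this example.
GROUPS = {
    "Allowed RODC Password Replication Group": set(),
    "Denied RODC Password Replication Group": {"Domain Admins", "krbtgt"},
    "Domain Admins": {"Administrator"},
    "Toronto Users": {"Axel", "Maria", "Administrator"},   # admin also works in Toronto
    "Toronto Computers": {"TOR-WS1$", "TOR-WS2$"},
}


def expand(group, groups, _seen=None):
    """Flatten nested group membership into a set of account names."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()   # guard against circular nesting
    seen.add(group)
    accounts = set()
    for member in groups.get(group, ()):
        if member in groups:
            accounts |= expand(member, groups, seen)
        else:
            accounts.add(member)
    return accounts


def cacheable_accounts(allowed, denied, groups):
    """Accounts whose secrets the RODC may cache: anything reachable from an
    Allowed entry that is not reachable from any Denied entry (Denied wins)."""
    allow = set().union(*(expand(g, groups) for g in allowed))
    deny = set().union(*(expand(g, groups) for g in denied))
    return allow - deny


def explain(account, allowed, denied, groups):
    """Why a given account is or is not cacheable on the RODC."""
    in_deny = [g for g in denied if account in expand(g, groups)]
    in_allow = [g for g in allowed if account in expand(g, groups)]
    if in_deny:
        return f"denied via {in_deny}"
    if in_allow:
        return f"allowed via {in_allow}"
    return "not listed (password never cached; authentication needs the WAN)"


if __name__ == "__main__":
    allowed = ["Allowed RODC Password Replication Group", "Toronto Users", "Toronto Computers"]
    denied = ["Denied RODC Password Replication Group"]
    exposed = cacheable_accounts(allowed, denied, GROUPS)
    # This set is what an attacker who steals TOR-DC1 can extract offline.
    print("cached on TOR-DC1 if it is stolen:", sorted(exposed))
    for who in ("Axel", "Administrator", "TOR-WS1$", "Bob"):
        print(who, "->", explain(who, allowed, denied, GROUPS))
```

The size of the set returned by cacheable_accounts is the quantity the consideration at the end of this module asks you to weigh: every account in it is exposed if the branch office server is stolen, and every Toronto account not in it cannot log on while the WAN link is down. Note that Administrator stays out of the set even though the Toronto Users group is allowed, because the Denied entry reaches it through Domain Admins.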


Exercise 3: Configuring AD DS Domain Controller Roles

In this exercise, you will configure the RODC installed in the previous exercise as a global catalog server. You also will assign operations master roles to an additional domain controller in the domain.

The main tasks are as follows:

1. Use Active Directory Sites and Services to configure TOR-DC1 as a global catalog server.

2. Configure NYC-DC2 as the infrastructure master and domain naming master for the WoodgroveBank.com domain.

3. Add the Department attribute to the global catalog.

4. Close down all virtual machines, and discard undo disks.

Task 1: Use Active Directory Sites and Services to configure TOR-DC1 as a global catalog server

1. On NYC-DC1, in Active Directory Sites and Services, locate the TOR-DC1 server object.

2. Access the NTDS Settings, and select the Global Catalog check box.

Task 2: Configure NYC-DC2 as the infrastructure master and domain naming master for the WoodgroveBank.com domain

1. On NYC-DC1, in Active Directory Users and Computers, change the console's focus to NYC-DC2.WoodgroveBank.com, and then click OK. The Operations Masters dialog box transfers a role to the domain controller the console is connected to, so the console must be focused on the intended new role holder.

2. Right-click WoodgroveBank.com, and then click Operations Masters. Transfer the infrastructure master role to NYC-DC2.WoodgroveBank.com.

3. On NYC-DC2, open Active Directory Domains and Trusts. Access the Operations Master settings and transfer the domain naming operations master role to NYC-DC2.


Task 3: Add the Department attribute to the global catalog

1. On NYC-DC1, run regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in.

2. Create a new Microsoft management console (MMC) and add the Active Directory Schema snap-in.

3. In the Active Directory Schema, access the Department attribute and configure the attribute to replicate to the Global Catalog.

Task 4: Close down all virtual machines and discard any changes

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise, you will have configured a global catalog server and assigned AD DS domain controller roles.


Module Review and Takeaways

Review Questions

1. You are deploying a domain controller in a branch office. The branch office does not have a highly secure server room, so you are concerned about the security of the server. What two Windows Server 2008 features can you take advantage of to enhance the security of the domain controller deployment?

2. You must create a new domain by installing a domain controller in your Active Directory infrastructure. You are reviewing the inventory list of available servers for this purpose. Which of the following computers could be used as a domain controller?

a. Windows Server 2008 Web Edition, NTFS files system, 1 gigabyte (GB) free hard disk space, TCP/IP.

b. Windows Server 2008 Enterprise Edition, NTFS files system, 500 megabyte (MB) free hard disk space, TCP/IP.


c. Windows Server 2008 Server Core Enterprise Edition, NTFS files system, 1GB free hard disk space, TCP/IP.

d. Windows Server 2008 Standard Edition, NTFS files system, 500 MB free hard disk space, TCP/IP.

3. You are deploying an RODC in a branch office. You need to ensure that all users in the branch office can authenticate even if the WAN connection from the branch office is not available. Only the users who normally log on in the branch office should be able to do this. How would you configure the password replication policy?

4. You need to install a domain controller by using the install from media option. What steps do you need to take to complete this process?

5. Will you be deploying RODCs in your AD DS environment? Describe the deployment scenario.

6. You are deploying a domain controller in a branch office. The office has a WAN connection to the main office that has very little available bandwidth and is not very reliable. Should you configure the branch office domain controller as a global catalog server?

Considerations

Keep the following considerations in mind when you are implementing RODCs and managing domain controller roles:

• You can install the AD DS server role on all Windows Server 2008 editions except Windows Server 2008 Web Server Edition.

• Consider installing an RODC on a Windows Server 2008 Server Core computer to provide additional security for your domain environment.

• To install AD DS on a Server Core computer, you must use an unattended installation.

• Plan the password replication policies carefully in your organization. If you enable credential caching for most of the accounts in your domain, you will increase the impact to your organization if the RODC is compromised. If you do not enable any credential caching, you increase the impact to the branch office location if the WAN link to the main office is not available.


• In most cases, deploying a global catalog server in a site will improve the logon experience for users. However, deploying a global catalog server in a remote office also increases the network bandwidth used for replication.

• Operations master roles provide important services on a network, but the services are not usually time critical. In most cases, if a domain controller holding an operations master role fails, you do not need to seize the role immediately on another domain controller, provided the failed server can be repaired within a few hours.


Module 2 Configuring Domain Name Service for Active Directory Domain Services

Contents: Lesson 1: Overview of Active Directory Domain Services and DNS Integration 2-3

Lesson 2: Configuring AD DS Integrated Zones 2-11

Lesson 3: Configuring Read-Only DNS Zones 2-19

Lab: Configuring AD DS and DNS Integration 2-23


Module Overview

Domain Name System (DNS) is an integral part of Active Directory® Domain Services (AD DS) for Windows Server® 2008. By understanding the relationship between these two services, you can troubleshoot AD DS and increase security while providing clients with the full functionality of DNS.


Lesson 1: Overview of Active Directory Domain Services and DNS Integration

Windows Server 2008 requires that a DNS infrastructure be in place before you install AD DS. Understanding how DNS and AD DS are integrated, and how client computers use DNS during logon, will help you resolve problems related to DNS, such as client logon issues.


AD DS and DNS Namespace Integration

Key Points

Domains and computers are represented by resource records in the DNS namespace, and by Active Directory objects in the Active Directory namespace. All Active Directory domains must have corresponding DNS domains with identical domain names. Clients rely on DNS to resolve computer host names to IP addresses, in order to locate domain controllers and other computers that provide AD DS and other network services.

Active Directory requires DNS, but not a particular DNS server product: any DNS server that supports SRV resource records (and, ideally, dynamic updates) can host the zones, so an environment may contain several different kinds of DNS server.

Question: What is the relationship between Active Directory domain names and DNS zone names?


Additional Reading

• Active Directory integration

• DNS integration


What Are Service Resource Locator Records?

Key Points

For AD DS to function properly, client computers must be able to locate servers that provide specific services, such as authenticating logon requests, or that provide Telnet or Session Initiation Protocol (SIP) services. AD DS clients and domain controllers use Service (SRV) resource records to determine which computers provide these services, and on which port, before resolving those host names to IP addresses. AD DS site-aware applications, such as Microsoft® Exchange, also use SRV resource records.

Question: Given the following two SRV resource records, which record will a client querying for a SIP service use?

• _sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.

• _sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.
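The answer depends on how clients are required to order SRV records: by ascending priority first (the lower number is preferred), and only among records of equal priority by a weighted-random choice proportional to the weight field. The following added example (not part of the handbook, and not code from Microsoft or from any DNS client) parses the two records above and applies that ordering, with a second constructed record set in which both targets share a priority so that the weights come into play.

```python
import random
import re
from collections import defaultdict

# The two records from the question above, as constructed sample input.
SRV_RECORDS = """\
_sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.
_sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.
"""

# Same service, but both records at the same priority (constructed), so the
# weights decide how often each target is tried first.
SRV_RECORDS_EQUAL_PRIORITY = """\
_sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.
_sip._tcp.example.com. 86400 IN SRV 10 20 5060 Lcs2.contoso.com.
"""

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(zone_text):
    """Parse zone-file style SRV lines into dicts; reject anything else."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if m is None:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append({
            "name": m["name"].lower(),
            "ttl": int(m["ttl"]),
            "priority": int(m["priority"]),
            "weight": int(m["weight"]),
            "port": int(m["port"]),
            "target": m["target"],
        })
    return records


def _pick_weighted(pool, rng):
    """RFC 2782 selection within one priority: zero-weight records go first,
    then the first record whose running weight total reaches a random number
    in [0, sum(weights)] is selected and removed from the pool."""
    pool.sort(key=lambda r: r["weight"] != 0)  # zero weights to the front
    threshold = rng.randint(0, sum(r["weight"] for r in pool))
    running = 0
    for rec in pool:
        running += rec["weight"]
        if running >= threshold:
            pool.remove(rec)
            return rec
    raise AssertionError("unreachable: running total always reaches threshold")


def order_srv(records, rng=None):
    """Return the records in the order a client should try them:
    ascending priority, weighted-random order within each priority."""
    rng = rng if rng is not None else random.Random()
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec["priority"]].append(rec)
    ordered = []
    for priority in sorted(by_priority):
        pool = list(by_priority[priority])
        while pool:
            ordered.append(_pick_weighted(pool, rng))
    return ordered


def first_choice_share(records, target, draws=2000, seed=1):
    """Fraction of resolutions in which a client would try `target` first."""
    rng = random.Random(seed)
    hits = sum(order_srv(records, rng)[0]["target"] == target for _ in range(draws))
    return hits / draws


if __name__ == "__main__":
    for rec in order_srv(parse_srv(SRV_RECORDS)):
        print(rec["priority"], rec["weight"], rec["target"])
    print(first_choice_share(parse_srv(SRV_RECORDS_EQUAL_PRIORITY), "Lcs1.contoso.com."))
```

With the records as given, Lcs1.contoso.com. is always tried first because its priority (10) is lower than 50; the weights never matter. With equal priorities, Lcs1 is tried first in roughly three quarters of resolutions (weight 60 against 20), which is how you give one record preference without making the other a pure failover target.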


Additional Reading

• Managing resource records

• RFC 2782 - A DNS RR for specifying the location of services (DNS SRV)


Demonstration: SRV Resource Records Registered by AD DS Domain Controllers

Questions:

What is the benefit of replicating the _msdcs zone to the entire forest?

How could one SRV resource record be given preference over another?


How Service Resource Locator Records Are Used

Key Points

Domain client computers use the locator application programming interface (API) to find a domain controller by querying DNS. If the SRV resource records that identify domain controllers are not available, logons may fail. All computers, including workstations running the Windows® XP Professional and Windows Vista® operating systems, and servers running the Windows Server® 2003 and Windows Server 2008 operating systems, use the same process to locate domain controllers.

Additional Reading

• How Domain Controllers Are Located in Windows XP

• Domain Controller Location Process


Integrating Service Locator Records and AD DS Sites

Key Points

During a search for a domain controller, the Locator attempts to find a domain controller in the site closest to the client. The domain controller uses the information stored in Active Directory to determine the closest site. In most cases, the domain controller that first responds to the client will be in the same site as the client. But in cases where a computer has physically moved to a different site, or the domain controller in the local site is unavailable, there is a process to find a different domain controller.

During Net Logon startup, the Net Logon service on each domain controller enumerates the site objects in the Configuration container. Net Logon uses the site information to build an in-memory structure that is used to map IP addresses to site names.
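The in-memory structure described above is, in effect, a longest-prefix lookup from client IP address to site name over the subnet objects in the Configuration partition, followed by a preference for domain controllers in that site. The following added example (not part of the handbook, and not Microsoft's Net Logon code) reproduces that logic on constructed data. The site names, subnets and the domain controller list are assumptions; the fallback step is simplified to "any other domain controller", whereas Windows Server 2008 picks the next closest site by site link cost.

```python
import ipaddress

# Constructed site and subnet data, shaped like the subnet objects under
# CN=Subnets,CN=Sites in the Configuration partition. Site and DC names are
# assumptions for this example.
SUBNETS = {
    "10.10.0.0/16": "NewYork",
    "10.10.5.0/24": "NewYork-Lab",   # more specific prefix wins
    "10.20.0.0/16": "Toronto",
}

DOMAIN_CONTROLLERS = {
    "NYC-DC1": {"site": "NewYork", "writable": True},
    "NYC-DC2": {"site": "NewYork", "writable": True},
    "TOR-DC1": {"site": "Toronto", "writable": False},  # the RODC
}


def build_site_map(subnets):
    """What Net Logon builds at startup: subnets sorted longest-prefix first,
    so the first match is the most specific one."""
    entries = [(ipaddress.ip_network(cidr, strict=True), site)
               for cidr, site in subnets.items()]
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def site_for_ip(ip, site_map):
    """Map a client IP to a site name, or None if no subnet object covers it."""
    addr = ipaddress.ip_address(ip)
    for network, site in site_map:
        if addr in network:
            return site
    return None


def locate_dc(client_ip, site_map, dcs, need_writable=False, unavailable=()):
    """Simplified DC locator: prefer a DC in the client's own site, otherwise
    fall back to any DC. need_writable=True excludes RODCs (for example when
    the client must change a password). Returns (dc_name, site, reason)."""
    site = site_for_ip(client_ip, site_map)

    def candidates(in_site):
        return sorted(
            name for name, info in dcs.items()
            if name not in unavailable
            and (not need_writable or info["writable"])
            and (in_site is None or info["site"] == in_site)
        )

    if site is not None:
        local = candidates(site)
        if local:
            return local[0], site, "same-site"
    anywhere = candidates(None)
    if not anywhere:
        return None, site, "no-dc"
    reason = "fallback" if site is not None else "no-site"
    return anywhere[0], site, reason


if __name__ == "__main__":
    site_map = build_site_map(SUBNETS)
    for ip in ("10.10.5.7", "10.20.1.4", "192.168.1.1"):
        print(ip, site_for_ip(ip, site_map), locate_dc(ip, site_map, DOMAIN_CONTROLLERS))
```

Two practical points fall out of the model: a client whose address is not covered by any subnet object (192.168.1.1 here) has no site and may be sent to a domain controller anywhere in the forest, and a Toronto client that needs a writable domain controller is sent across the WAN even though TOR-DC1 is up, because an RODC cannot serve write operations.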

Additional Reading

• Finding a Domain Controller in the Closest Site


Lesson 2: Configuring AD DS Integrated Zones

Integrating AD DS and DNS zones can simplify DNS administration by replicating DNS zone information as part of Active Directory replication. It also provides benefits like secure dynamic updates, and aging and scavenging of stale resource records.


What Are AD DS Integrated Zones?

Key Points

One benefit of integrating DNS and AD DS is the ability to store DNS zones in the Active Directory database. A zone is a portion of the domain namespace that holds a logical grouping of resource records, which allows zone transfers of these records to operate as one unit.

Additional Reading

• Active Directory integration


What Are Application Partitions in AD DS?

Key Points

Three major partitions contain AD DS information:

• The schema partition, which replicates schema information to the entire forest.

• The configuration partition, which replicates information about the physical structure to the entire forest.

• The domain partition, which replicates domain information to all domain controllers in a given domain.

Additional Reading

• DNS zone replication in Active Directory


Options for Configuring Application Partitions for DNS

Key Points

You can change the scope of DNS zone replication at any time by using the DNS Microsoft Management Console (MMC) snap-in or the DNSCMD command-line tool. In the DNS MMC, the following replication scopes are available:

• To all DNS servers in this forest (the ForestDnsZones application partition).

• To all DNS servers in this domain (the DomainDnsZones application partition; this is the default for a new Active Directory-integrated zone).

• To all domain controllers in this domain (the domain partition; this is the only scope that Windows 2000 DNS servers can read).

• To all domain controllers in the scope of a custom application partition.

Additional Reading

• DNS zone replication in Active Directory


How Dynamic Updates Work

Key Points

Dynamic updates enable DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need to administer zone records manually, especially for clients that frequently move or change locations, and that use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.

Additional Reading

• Dynamic update


How Secure Dynamic DNS Updates Work

Key Points

Secure dynamic updates work like dynamic updates, with the following exception: the authoritative name server accepts updates only from clients and servers that are authenticated and joined to the Active Directory domain in which the DNS server is located.

The client first attempts a non-secure update. If that attempt is refused, the client then negotiates a secure update. If the client has been authenticated to AD DS, the update succeeds.
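The security-relevant consequence of that sequence is easy to miss: on a zone set to accept non-secure and secure updates, the client's first, unauthenticated attempt succeeds, so the record is never tied to the computer that registered it, and any host on the network can overwrite it and redirect the name. The following added example (not part of the handbook, and not Microsoft's DNS client or server code) is a simplified model of a zone under each update setting, with a client that behaves as described above. It does not implement the real TKEY/TSIG negotiation; it models the outcome. The "ownership" rule stands in for the ACL that Active Directory places on a record created by a secure update; the host name follows the lab, and the attacker and OTHER$ are constructed.

```python
# Update settings as they appear on the zone property page.
NONE = "None"
NONSECURE_AND_SECURE = "Nonsecure and secure"
SECURE_ONLY = "Secure only"


class Zone:
    """A DNS zone that accepts dynamic updates according to its setting.
    Records created by a secure update remember the principal that created
    them; records created by a non-secure update have no owner, so anyone can
    overwrite them later (the model's stand-in for the record ACL)."""

    def __init__(self, name, dynamic_updates):
        self.name = name
        self.dynamic_updates = dynamic_updates
        self.records = {}  # host -> {"ip": str, "owner": principal or None}

    def update(self, host, ip, principal=None):
        """Process one UPDATE. principal=None means the request carried no
        authenticated identity (a non-secure update). Returns an RCODE name."""
        if self.dynamic_updates == NONE:
            return "REFUSED"
        if principal is None:
            if self.dynamic_updates != NONSECURE_AND_SECURE:
                return "REFUSED"
            self.records[host] = {"ip": ip, "owner": None}
            return "NOERROR"
        existing = self.records.get(host)
        if existing is not None and existing["owner"] not in (None, principal):
            return "REFUSED"  # someone else's record; not writable by this principal
        self.records[host] = {"ip": ip, "owner": principal}
        return "NOERROR"

    def lookup(self, host):
        rec = self.records.get(host)
        return rec["ip"] if rec else None


def register(zone, host, ip, principal=None):
    """The client behaviour described above: try a non-secure update first,
    and only if that is refused negotiate a secure update with the client's
    own identity (its computer account). Returns how the record got there."""
    if zone.update(host, ip) == "NOERROR":
        return "nonsecure"
    if principal is not None and zone.update(host, ip, principal) == "NOERROR":
        return "secure"
    return "refused"


def demo():
    """Same clients against a permissive and a locked-down zone."""
    results = {}

    open_zone = Zone("woodgrovebank.com", NONSECURE_AND_SECURE)
    results["open_owner"] = register(open_zone, "nyc-srv2", "10.10.0.20", "NYC-SRV2$")
    # An unauthenticated host on the network repoints the name at itself.
    results["open_attacker"] = register(open_zone, "nyc-srv2", "10.10.0.99")
    results["open_ip"] = open_zone.lookup("nyc-srv2")

    secure_zone = Zone("woodgrovebank.com", SECURE_ONLY)
    results["secure_owner"] = register(secure_zone, "nyc-srv2", "10.10.0.20", "NYC-SRV2$")
    results["secure_attacker"] = register(secure_zone, "nyc-srv2", "10.10.0.99")
    # A different domain member is authenticated but does not own the record.
    results["secure_other"] = register(secure_zone, "nyc-srv2", "10.10.0.99", "OTHER$")
    # The owner can still refresh its own record (for example after a DHCP change).
    results["secure_refresh"] = register(secure_zone, "nyc-srv2", "10.10.0.21", "NYC-SRV2$")
    results["secure_ip"] = secure_zone.lookup("nyc-srv2")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

In the permissive zone the name ends up pointing at the attacker's address; in the secure-only zone the unauthenticated attempt and the attempt by another authenticated computer are both refused, while the owning computer can still refresh its own record. That is the reason the considerations at the end of this module limit dynamic updates to authenticated users.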

Question: What are the benefits of using Active Directory integrated DNS zones?


Demonstration: Configuring AD DS Integrated Zones

Questions:

How could you prevent a computer from registering in the DNS database?

What would be the implications of not allowing dynamic updates?

When using secure dynamic updates, how can you control which clients are allowed to update DNS records?


How Background Zone Loading Works

Key Points

Very large organizations with extremely large zones that store their DNS data in AD DS sometimes discover that restarting a DNS server can take an hour or more while the DNS data is retrieved from the directory service. The result is that the DNS server is effectively unavailable to service client requests for the entire time that it takes to load AD DS-based zones.

Additional Reading

• DNS Server Role


Lesson 3: Configuring Read-Only DNS Zones

You can provide additional security by configuring read-only DNS zones, because a read-only DNS zone cannot be changed on the read-only domain controller (RODC) that hosts it; changes are made only on a DNS server that holds a writable copy of the zone. While unauthorized personnel will not be able to alter records on the RODC, clients still have the full functionality of Active Directory name resolution.


What Are Read-Only DNS Zones?

Key Points

When installing a Windows Server 2008 RODC, you are prompted with DNS Server installation options. The default option is to install a primary read-only form of DNS Server locally on the RODC, which replicates the existing AD-integrated zone for the domain specified, and adds the local IP address as the preferred DNS server in the local TCP/IP settings. This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones.

Additional Reading

• DNS Server Role


How Read-Only DNS Works

Key Points

When a computer becomes an RODC, it replicates a full read-only copy of all directory partitions that DNS uses, including the domain partition, ForestDNSZones, and DomainDNSZones. This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones stored on a centrally located domain controller in those directory partitions. The administrator of an RODC can view the contents of a primary read-only zone. However, the administrator can change the contents only by changing the zone on a DNS server with a writable copy of the DNS database.

Question: How does RODC increase security?

Additional Reading

• DNS Server Role


Discussion: Comparing DNS Options for Branch Offices

Key Points

Answer the questions in a classroom discussion.

Additional Reading

• How DNS Works


Lab: Configuring AD DS and DNS Integration

Scenario

Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has business relationships with two other entities, Fabrikam Inc. and Contoso Inc. Woodgrove Bank has acquired copies of the DNS zone files for these entities. All employees in the Woodgrove Bank forest need access to the DNS records for Contoso Inc. Only employees in the Woodgrove Bank domain need access to the DNS files for Fabrikam Inc. The branch office of Woodgrove Bank has a read-only domain controller. This domain controller will be configured to support both the DNS server service, and all forest-wide and domain-wide DNS zones. The enterprise administrator has created a design document for the DNS configuration. The design includes configuring AD DS integrated zones, configuring DNS dynamic updates, and configuring read-only DNS zones.


Exercise 1: Configuring Active Directory Integrated Zones

In this exercise, you will configure the Woodgrove Bank environment DNS zones to meet the design requirements. You will verify the SRV resource records that each domain controller has registered, and create a new SRV resource record to support the Telnet protocol. You also will modify DNS zones to examine the difference between Active Directory integrated zones and standard zones, and will configure dynamic updates and the scope of replication. You then will use the ADSI Edit management console to view the DNS records stored in the domain partition.

The main tasks are as follows:

1. Start the domain controller and log on as Administrator.

2. Examine the SRV resource records.

3. Create a new SRV resource record to support the Telnet protocol on NYC-SRV2.

4. Create two new zones based on the zone files for Fabrikam and Contoso.

5. Configure the two new zones to be Active Directory-integrated, and ensure that no dynamic updates are allowed.

6. Configure the scope of replication for the Contoso zone to be forest-wide and the Fabrikam-zone to be domain wide.

7. Use ADSI Edit.exe to view the Active Directory-integrated DNS zones.

Task 1: Start NYC-DC1 and log on as Administrator

• Start NYC-DC1 and log on as Administrator with the password Pa$$w0rd.

Task 2: Examine the SRV resource records

1. Open the DNS management console, expand Forward Lookup Zones, and then click _msdcs.woodgrovebank.com.

2. Expand the gc folder, and then the _tcp folder beneath it.

3. Expand the dc folder, and then the _tcp folder beneath it.

4. Open the Properties of _msdcs.woodgrovebank.com.

5. Close the Properties page.


Task 3: Create a new SRV resource record to support the Telnet protocol on NYC-SRV2

1. Right-click the _msdcs.woodgrovebank.com zone, and then click Other New Records.

2. Select the Service Location (SRV) record type, and then click Create Record.

3. In the Service field, select _telnet from the drop-down list.

4. In the Host offering this service field, type NYC-SRV2.woodgrovebank.com, click OK, and then click Done.

Task 4: Create two new zones based on the zone files for Fabrikam and Contoso

1. Use Windows Explorer to copy the Contoso.com.dns and Fabrikam.com.dns files from D:\6425\Mod02\Labfiles to C:\Windows\System32\DNS. Leave the Windows Explorer window open.

2. Use the DNS management console to create a new primary standard zone named Contoso.com using the existing file Contoso.com.dns.

3. Create a new primary standard zone named Fabrikam.com using the existing file Fabrikam.com.dns.

Task 5: Configure the Contoso and Fabrikam zones to be Active Directory integrated and ensure that no dynamic updates are allowed

1. Open the Contoso.com property page.

2. Change the zone type to be stored in Active Directory Domain Services.

3. Return to the Windows Explorer window. Notice the Contoso.com.dns zone file is no longer in the DNS folder. It is now stored in Active Directory Domain Services.

4. Return to the property page for the Contoso.com zone, and set Dynamic updates to None.

5. Repeat steps 1-4 for the Fabrikam.com zone.


Task 6: Configure the scope of replication for the Contoso zone to be forest wide and the Fabrikam zone to be domain wide

1. Open the Contoso.com property page.

2. Change the replication scope to be To all DNS servers in this forest.

3. Open the Fabrikam.com property page.

4. Ensure the scope of replication for the Fabrikam zone is set To all DNS servers in this domain.

Task 7: Use ADSI Edit.exe to view the Active Directory-integrated DNS zones

1. From the Run command, launch adsiedit.msc.

2. Right-click ADSI Edit, and then click Connect to….

3. In the Connection Point section, click Select or type a Distinguished Name or Naming Context.

4. Type DC=DomainDNSZones,DC=WoodgroveBank,DC=Com, and then click OK.

5. Expand the naming context, expand CN=MicrosoftDNS, click DC=Woodgrovebank.com, and then examine the records.

6. Double click the record for NYC-DC1.

7. Close all property pages and then close the ADSI management console.

Result: At the end of this exercise, you will have created Active Directory integrated DNS zones.


Exercise 2: Configuring Read-Only DNS Zones

In this exercise, you will configure a read-only DNS zone on an RODC, and you will test dynamic updates and administrative updates.

The main tasks are as follows:

1. Start and log on the read-only domain controller as Administrator.

2. Install the DNS Server service.

3. Configure the DNS server to support all domain-wide and forest-wide zones.

4. Shut down all virtual machines, and discard any changes.

Task 1: Start and log on to the read-only domain controller as Administrator

• Start and log on to the read-only domain controller as Administrator with the password Pa$$w0rd.

Task 2: Install the DNS Server service

• Use Start /w Ocsetup DNS-Server-Core-Role to install the DNS Server role.

Note: The server role name is case sensitive.


Task 3: Configure the DNS server to support all domain-wide and forest-wide zones

1. From the Command Prompt, type the following command:

Dnscmd /enlistdirectorypartition DomainDnsZones.woodgrovebank.com

2. Next type the following command: Dnscmd /enlistdirectorypartition ForestDnsZones.woodgrovebank.com

3. Switch to NYC-DC1 and then open the DNS management console.

4. Add the MIA-RODC computer to the DNS console and ensure that all DNS zones appear.


Task 4: Shut down all virtual machines, and discard changes

Result: At the end of this exercise, you will have configured the DNS server to support all domain-wide and forest-wide zones.


Module Review and Takeaways

Review Questions

1. How does a client computer determine what site it is in?

2. List at least three benefits of Active Directory integrated zones.

3. Given the following two SRV resource records, which record will a client querying for a SIP service use?

• _sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.

• _sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.

4. What permissions are required to create DNS application directory partitions?

5. What utilities are available to create application partitions?

6. What is the default state of dynamic updates for an Active Directory integrated zone?

7. What is the default state of dynamic updates for a standard primary zone?

8. What groups have permission to perform secure dynamic updates?
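The rule behind review question 3 is the RFC 2782 client selection order: the record with the lowest priority value is tried first, and only among records of equal priority does the weight matter, as a probability of being chosen first. The following Python is an added illustration, not part of the handbook; it parses the two records from the question plus an assumed third record (Lcs3, same priority as Lcs1) so that the weighted choice is visible.

```python
import random
import re
from typing import List, NamedTuple, Optional

# Constructed zone data: the two records from review question 3 plus an assumed
# third record (Lcs3) at the same priority as Lcs1 so weighting is visible.
SAMPLE_ZONE = """\
_sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.
_sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.
_sip._tcp.example.com. 86400 IN SRV 10 40 5060 Lcs3.contoso.com.
"""


class SrvRecord(NamedTuple):
    name: str
    priority: int
    weight: int
    port: int
    target: str


# owner-name  TTL  IN  SRV  priority  weight  port  target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(line: str) -> SrvRecord:
    """Parse one SRV record written in zone-file syntax."""
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(m["name"], int(m["priority"]), int(m["weight"]),
                     int(m["port"]), m["target"])


def parse_zone(text: str) -> List[SrvRecord]:
    return [parse_srv(line) for line in text.splitlines() if line.strip()]


def order_srv(records: List[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order SRV records the way an RFC 2782 client tries them.

    Lowest priority value first. Within one priority, records are drawn one
    at a time with probability proportional to weight; weight-0 records are
    listed first so they have only a tiny chance while weighted ones remain.
    """
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        pool.sort(key=lambda r: r.weight != 0)  # stable sort: weight 0 first
        while pool:
            total = sum(r.weight for r in pool)
            n = rng.randint(0, total)  # uniform in [0, total], inclusive
            running = 0
            for r in pool:
                running += r.weight
                if running >= n:
                    chosen = r
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def ordered_targets(records: List[SrvRecord], seed: int) -> List[str]:
    """Target host names in try-order for one seeded lookup."""
    return [r.target for r in order_srv(records, random.Random(seed))]


def first_choice_counts(records: List[SrvRecord], trials: int,
                        seed: int = 0) -> dict:
    """How often each target is the first candidate over many lookups."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(trials):
        counts[order_srv(records, rng)[0].target] += 1
    return counts


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(ordered_targets(recs, 1))
    print(first_choice_counts(recs, 1000))
```

With only the two records from the question, Lcs1 (priority 10) is always tried before Lcs2 (priority 50) regardless of weight; Lcs2 is contacted only if Lcs1 fails. That is why the handbook stresses that service locator records must be highly available: a stale record with the lowest priority is tried first by every client.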

Considerations

When configuring AD DS and DNS integration, keep the following considerations in mind:

• Because of the dependency Windows Server 2008 and Active Directory clients have on DNS, the first step in troubleshooting Active Directory issues often is to troubleshoot DNS.

• Service locator records are critical to Active Directory functioning properly.

• Service locator records need to be highly available.

• Windows Server 2008 can operate with any compatible DNS server, but Active Directory integrated zones provide additional features and security.

• Active Directory integrated zones can be replicated domain-wide or forest-wide, or to specific domain controllers via custom application partitions.

• Internal DNS records should be kept separate from public DNS records.

• Dynamic updates lighten the administrative overhead of maintaining the DNS zone database.

• Dynamic updates can be limited to Authenticated Users.

• Background zone loading will reduce the time for DNS servers to become available after a restart.

• You can use read-only DNS in conjunction with read-only domain controllers to provide security while still providing required client functionality.

Module 3 Configuring Active Directory Objects and Trusts

Contents:

Lesson 1: Configuring Active Directory Objects 3-3

Lesson 2: Strategies for Using Groups 3-14

Lesson 3: Automating AD DS Object Management 3-20

Lab A: Configuring Active Directory Objects 3-28

Lesson 4: Delegating Administrative Access to AD DS Objects 3-40

Lesson 5: Configuring AD DS Trusts 3-48

Lab B: Configuring Active Directory Delegation and Trusts 3-57

Module Overview

After the initial deployment of Active Directory® Domain Services (AD DS), the most common tasks for an AD DS administrator are configuring and managing AD DS objects. In most organizations, each employee is issued a user account, which is added to one or more groups in AD DS. The user and group accounts enable access to Windows Server-based network resources such as Web sites, mailboxes, and shared folders.

This module describes how to perform many of these administrative tasks, and options available for delegating or automating these tasks. This module also describes how to configure and manage Active Directory trusts.

Lesson 1: Configuring Active Directory Objects

Types of AD DS Objects

Key Points

You can create several different objects in Active Directory.

Additional Reading

• Active Directory Users and Computers Help

Demonstration: Configuring AD DS User Accounts

Questions:

How would you create several user objects with the same settings for attributes such as department and office location?

Under what circumstances would you disable a user account rather than delete the user account?

AD DS Group Types

Key Points

AD DS supports two group types.

Additional Reading

• Active Directory Users and Computers Help

AD DS Group Scopes

Key Points

Windows Server 2008 supports the group scopes shown on the slide.

Additional Reading

• Active Directory Users and Computers Help: Managing Groups

Default AD DS Groups

Key Points

Windows Server 2008 provides many built-in groups, which are created automatically when you install an Active Directory domain. You can use built-in groups to manage access to shared resources, and to delegate specific Active Directory administrative roles. For example, you could put the user account of an AD DS administrator into the Account Operators group to allow that administrator to create user accounts and groups.

Additional Reading

• Microsoft TechNet: Default Groups

AD DS Special Identities

Key Points

Servers running Windows Server 2008 include several special identities, generally referred to as special groups or special identities. These identities are in addition to the groups in the Users and Built-in containers.

Additional Reading

• Microsoft TechNet article: Special identities of ADM (Administrative Template) Files in Windows

Discussion: Using Default Groups and Special Identities

Scenario

Woodgrove Bank has more than 100 servers worldwide. You must determine whether you can use default groups, or whether you must create groups and then assign specific user rights or permissions to the groups, to perform the following administrative tasks.

You must assign default groups, special identities, or create new groups for the following tasks. List the name of the default group that has the most restrictive user rights for performing the following actions, or determine whether you must create a new group:

1. Backing up and restoring domain controllers

2. Backing up, but not restoring, files on member servers

3. Creating groups in the Sales organizational unit

4. Granting access to a shared folder to which all Woodgrove Bank employees need access. Employees are located in two different domains in the same forest.

5. Granting administrative permissions to the user currently logged on to a client computer without granting access to any other computers. The permissions should apply to all users logging on to any client computer in the organization.

6. Granting help desk employees access to remotely control the desktop

7. Providing administrative access to all computers in the entire domain

8. Providing access to a shared folder named Data, on a server named DEN-SRV1

9. Managing the print queue of a specific print server’s printer

10. Configuring network settings on a member server

Demonstration: Configuring AD DS Group Accounts

Questions:

What options are available for changing an AD DS group’s scope and type?

What are the benefits of assigning group managers? Is this a setting that you would configure in your organization?

Additional Reading

• Active Directory Users and Computers Help: Managing Groups

Demonstration: Configuring Additional AD DS Objects

Questions:

What are the reasons why you would create organizational units?

What are the benefits and limitations of using printer objects and shared folder objects in AD DS?

Additional Reading

• Active Directory Users and Computers Help

Lesson 2: Strategies for Using Groups

AD DS groups are used to simplify AD DS management when assigning access to resources. Rather than assigning access to resources by using user accounts, it is much more efficient to add the users to groups and then assign access to the groups. However, because of the variety of group options and AD DS deployment options, you can use several different strategies when configuring groups.

Options for Assigning Access to Resources

Key Points

One of the primary reasons for creating users and groups in AD DS is so that users can gain access to shared resources, such as shared folders, printers, Windows SharePoint® Services sites, or applications.

Additional Reading

• Microsoft TechNet article: Selecting a Resource Authorization Method

Using Account Groups to Assign Access to Resources

Key Points

When you use account groups only to assign access to resources, you first add all user accounts to the groups, and then assign each group a set of access permissions. For example, an administrator can put all accounting user accounts into a global group called GG-All Accountants, and then assign this group permissions on a shared resource. In a single-domain environment, you can use domain local groups, global groups, or universal groups to assign access to resources.

Additional Reading

• Microsoft TechNet article: AG/ACL Method

Using Account Groups and Resource Groups

Key Points

When you use account groups and resource groups, you first add users with similar access requirements into account groups, and then add the account groups as members of a resource group, to which you grant specific resource-access permissions.

This strategy provides the most flexibility while reducing the complexity of assigning access permissions to the network. This method is used most commonly by large organizations for controlling access to resources.

Additional Reading

• Microsoft TechNet article: AG/RG Method
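The account-group/resource-group strategy has one practical consequence for security review: who can reach a folder is no longer visible on the folder's ACL, only after nested membership is expanded. The Python below is an added example, not part of the handbook or of any Microsoft tool; it models a small, constructed directory that follows the naming scheme used in Lab A (GG/UG account groups, resource groups named after the resource and access level) and expands nesting to answer "who effectively has what" and whether any nesting is circular.

```python
from typing import Dict, List, Set, Tuple

# Constructed directory snapshot (assumed data). Account groups carry a
# location code (WGB for multi-domain) and a GG/UG suffix; resource groups
# carry the resource name and access level (FC or RO). Users are prefixed
# "user:" so they can be told apart from groups.
MEMBERS: Dict[str, Set[str]] = {
    "NYC_BranchManagers_GG": {"user:ana"},
    "LON_BranchManagers_GG": {"user:raj"},
    "WGB_Executives_UG": {"user:mei", "user:ana"},
    "EX_Corp_FC": {"WGB_Executives_UG", "NYC_BranchManagers_GG",
                   "LON_BranchManagers_GG"},
    "EX_LON_BranchReports_FC": {"LON_BranchManagers_GG"},
    "EX_LON_BranchReports_RO": {"WGB_Executives_UG"},
    "EX_HOReports_FC": {"WGB_Executives_UG"},
}

# Which folder each resource group is granted on, and at what level
# (this is the only place permissions are assigned in the AG/RG model).
GRANTS: Dict[str, Tuple[str, str]] = {
    "EX_Corp_FC": (r"ExecData\Corp", "FC"),
    "EX_LON_BranchReports_FC": (r"ExecData\BranchReports\London", "FC"),
    "EX_LON_BranchReports_RO": (r"ExecData\BranchReports\London", "RO"),
    "EX_HOReports_FC": (r"ExecData\HeadOfficeReports", "FC"),
}


def expand_group(group: str,
                 members: Dict[str, Set[str]] = MEMBERS) -> Set[str]:
    """Transitively expand nested membership down to user principals.
    The visited set makes the walk terminate even if nesting is circular."""
    users: Set[str] = set()
    visited: Set[str] = set()
    stack: List[str] = [group]
    while stack:
        g = stack.pop()
        if g in visited:
            continue
        visited.add(g)
        for m in members.get(g, set()):
            if m.startswith("user:"):
                users.add(m)
            else:
                stack.append(m)
    return users


def effective_access(user: str, members: Dict[str, Set[str]] = MEMBERS,
                     grants: Dict[str, Tuple[str, str]] = GRANTS
                     ) -> Dict[str, Set[str]]:
    """Resource -> access levels the user reaches through nesting."""
    result: Dict[str, Set[str]] = {}
    for rg, (resource, level) in grants.items():
        if user in expand_group(rg, members):
            result.setdefault(resource, set()).add(level)
    return result


def has_cycle(members: Dict[str, Set[str]]) -> bool:
    """Detect circular nesting (A contains B, B contains A), which makes
    manual audits of 'who is in this group' unreliable."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour: Dict[str, int] = {g: WHITE for g in members}

    def visit(g: str) -> bool:
        colour[g] = GREY
        for m in members.get(g, set()):
            if m.startswith("user:"):
                continue
            c = colour.get(m, WHITE)
            if c == GREY or (c == WHITE and visit(m)):
                return True
        colour[g] = BLACK
        return False

    return any(colour[g] == WHITE and visit(g) for g in list(members))


if __name__ == "__main__":
    for u in ("user:ana", "user:raj", "user:mei"):
        print(u, effective_access(u))
    print("circular nesting:", has_cycle(MEMBERS))
```

Note that ana ends up with both Full Control on the Corp folder and read-only access to the London branch reports through two different account groups; a review that only looked at the London folder's ACL would show a group name, not her account.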

Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

Read the scenarios, and create a plan for configuring groups and assigning access to resources in each scenario.

Example 1

Contoso, Ltd has a single domain that is located in Paris, France. Contoso, Ltd managers need access to the Inventory database to perform their jobs.

Question: What do you do to ensure that the managers have access to the Inventory database?

Example 2

Contoso, Ltd has determined that all Accounting division personnel must have full access to the accounting data. Also, Contoso, Ltd executives must be able to view the data. Contoso, Ltd wants to create the group structure for the entire Accounting division, which also includes the Accounts Payable and Accounts Receivable departments.

Question: What do you do to ensure that the managers have the required access and that there is a minimum of administration?

Example 3

Contoso, Ltd has expanded to include operations in South America and Asia, and now contains three domains: the Contoso.com domain, the Asia.contoso.com domain, and the SA.contoso.com domain. You need to grant all IT managers, across all domains, access to the Admin_tools shared folder in the Contoso domain. You also need to grant the IT managers access to other resources in the future.

Question: How can you achieve the desired result with the least amount of administrative effort?

Lesson 3: Automating AD DS Object Management

In most cases, you are likely to create and configure AD DS objects on an individual basis. However, in some cases, you may need to create or modify the configuration for many objects simultaneously. For example, if your organization hires a large group of new employees, you may want to automate the new-accounts configuration process. If your organization moves to a new location, you may want to automate the task of assigning new addresses and phone numbers to all users. This lesson describes how to manage multiple AD DS objects.

Tools for Automating AD DS Object Management

Key Points

Windows Server 2008 provides a number of tools that you can use to create or modify multiple user accounts automatically in AD DS. Some of these tools require that you use a text file containing information about the user accounts that you want to create. You also can create Windows® PowerShell scripts to add objects or make changes to Active Directory objects.

Configuring AD DS Objects Using Command-Line Tools

Key Points

Use these command-line tools to configure AD DS objects.

Managing User Objects with LDIFDE

Key Points

You can use the Ldifde command-line tool to create and make changes to multiple accounts. The Ldifde tool takes its input from an LDIF (LDAP Data Interchange Format) text file, in which each record is a block of attribute lines and records are separated by blank lines.

Additional Reading

• Microsoft TechNet article: LDIFDE

Managing User Objects with CSVDE

Key Points

You can use the Csvde command-line tool to create multiple accounts in AD DS; however, you can use the Csvde tool only to create accounts, not to change them.

Additional Reading

• Microsoft TechNet article: CSVDE

What Is Windows PowerShell?

Key Points

Windows PowerShell is an extensible scripting and command-line technology that developers and administrators can use to automate tasks in a Windows environment. Windows PowerShell uses a set of small cmdlets that each perform a specific task; cmdlets can also be combined to perform complex administrative tasks.

Additional Reading

• Microsoft Support: Windows PowerShell 1.0 Documentation Pack

Windows PowerShell Cmdlets

Key Points

Windows PowerShell is easy to learn because of its consistent use of cmdlets. Pipelining works the same way across all cmdlets.

Additional Reading

• Windows PowerShell 1.0 Documentation Pack

Demonstration: Configuring Active Directory Objects Using Windows PowerShell

Questions:

What are the advantages and disadvantages of modifying Active Directory objects by using Windows PowerShell scripts?

How can you address the disadvantages?

Additional Reading

• Windows PowerShell Blog

• Microsoft Technet article: Scripting with Windows PowerShell

Lab A: Configuring Active Directory Objects

Scenario

Woodgrove Bank has several requirements for managing Active Directory objects. The organization frequently hires interns who must have limited permissions, and whose accounts must be set to expire automatically when the internship is complete. User accounts also must be configured with a standard configuration that includes settings such as user profile settings, and mapped drives for home folders. The organization also requires AD DS groups that will be used to assign permissions to a variety of network resources. As much as possible, the organization would like to automate the user and group management tasks.

Exercise 1: Configuring AD DS Objects

In this exercise, you will install the Active Directory management tools on a Windows Vista® computer. Then you will use these tools to configure several AD DS objects based on information that the human resources (HR) department provides. These tasks include creating new user accounts, and modifying existing user accounts.

The HR department has requested the following changes in AD DS:

• Create new user accounts for Kerim Hanif and Jun Cao. Both user accounts should be created in the ITAdmins OU.

• Modify the user account for Dana Birkby.

The main tasks are as follows:

1. Start the virtual machines, and then log on.

2. Create new user accounts.

3. Modify existing user accounts.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. In the Lab Launcher, next to 6425A-NYC-CL1, click Launch.

4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

5. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.

6. Minimize the Lab Launcher window. Start 6425A-NYC-DC1 and then log on as Administrator using the password Pa$$w0rd.

Task 2: Create new user accounts

1. On NYC-DC1, open Active Directory Users and Computers.

2. In the ITAdmins OU, create a new user with the following parameters:

• First name: Kerim

• Last name: Hanif

• Full name: Kerim Hanif

• User logon name: Kerim

• Password: Pa$$w0rd

• Clear the User must change password at next logon check box

3. On NYC-DC1, use the Dsadd command-line tool to create a new user account for Jun Cao. The syntax of the Dsadd command is:

dsadd user "cn=username,ou=ouname,dc=domainname,dc=com" -samid logonname -pwd password -desc description

Task 3: Modify existing user accounts

1. On NYC-DC1, create a new folder on drive D named HomeDirs. Share the folder, and then configure Domain Users with Contributor permissions.

2. In the HomeDirs folder, create a new folder named Marketing.

3. In Active Directory Users and Computers, locate Dana Birkby’s account, and then modify the user properties as follows:

a. On the General tab, set:

• Telephone number: 555-555-0100

• Office: Head Office

• E-mail: [email protected]

b. On the Dial-in tab, set:

• Network Access Permission: Allow access

c. On the Account tab, set:

• Logon Hours: Configure logon hours to be permitted between 8:00 A.M. and 5:00 P.M, and then click OK.

d. On the Profile tab, set:

• Home folder: Map H drive to: \\NYC-DC1\HomeDirs\Marketing\%username%

4. In Windows Explorer, browse to D:\HomeDirs\Marketing. Ensure that a folder named Dana was created in the folder.

5. On NYC-CL1, log off and then log on as Dana using the password Pa$$w0rd. Confirm that the H: drive has been mapped correctly and that Dana has permission to create files in her home folder.

Result: At the end of this exercise, you will have configured Active Directory objects.

Exercise 2: Implementing an AD DS Group Strategy

In this exercise, you will review the requirements for creating groups at Woodgrove Bank. You then will create the required groups and configure group nesting.

The main tasks are as follows:

1. Start the 6425A-LON-DC1 virtual machine, and then log on as Administrator.

2. Review the group requirements documentation and create a group implementation strategy.

3. Discuss the group implementation strategy.

4. Create groups required by the group implementation strategy.

5. Nest groups required by the group implementation strategy.

6. Shut down 6425A-LON-DC2, and delete all changes.

Task 1: Start the 6425A-LON-DC1 virtual machine, and then log on as Administrator

1. In the Lab Launcher, next to 6425A-LON-DC1, click Launch.

2. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.

3. Minimize the Lab Launcher window.

Task 2: Review the group requirements documentation and create a group implementation strategy

Woodgrove Bank needs to configure access to shared folders for the organization’s executives. The organization has implemented a shared folder on NYC-DC1 named ExecData. The following table lists the folders in the ExecData folder and their purposes:

Folder: ExecData
Contents: Top-level shared folder, containing \HeadOffice, \Branch, and \Corp.

Folder: ExecData\HeadOfficeReports
Contents: Contains confidential information related to head office operations and personnel. Executives in the head office and the NYC branch offices should be able to read and write information from this folder.

Folder: ExecData\BranchReports
Contents: Contains confidential information related to branch office operations and personnel. A separate folder has been created for each branch office. Executives from the head office should have read access to all of the branch office folders. Branch office managers should have full access to only their branch’s folder.

Folder: ExecData\Corp
Contents: Contains information that relates to Woodgrove Bank operations. All executives and branch office managers should have full control of this folder’s files.

The Woodgrove Bank executive team is distributed as follows:

• Executives may be based in any location. Executives are based in North America, Europe, and Asia.

• Each branch has one or more branch managers. Branches are located in Miami, New York, Toronto, London, and Tokyo.

The AD DS planning group has established the following naming scheme for AD DS groups:

• Three-character location code: NYC, TOR, MIA, LON, and TOK

• For groups that contain accounts from multiple domains, use the location code WGB.

• For groups that do not have a specific location, include the domain name in the group name.

• For account groups, use the department name: BranchManagers, Executives. This is followed by the group type: GG, UG.

• For resource groups, use the resource name: EX_HOReports, EX_LON_BranchReports, EX_Corp. This is followed by the level of access: FC, RO.

1. Determine which global groups you need to create:

• Determine the logical groupings of the organization’s users. Do not be concerned with the permissions that users require, just the groups of users.

• Document a group name for each group of users. Record your decisions in the Global Group Planning table below.

2. Determine which local groups you need to create:

• Determine which permissions are required on each resource. Do not be concerned with who requires the permission, just the permission itself.

• Document a group name for each type of permission. Record your decisions on the Local Group Planning table below.

3. Determine which groups you need to nest. Document the group nesting configuration in the Group Nesting Planning table below.

4. Determine how you would configure share level permissions for ExecData folder.

Global Group Planning table

Organizational group Group name

Local Group Planning table

Resource Access requirement Group names

ExecData\HeadOfficeReports

ExecData\BranchReports\NYC

ExecData\BranchReports\Toronto

ExecData\BranchReports\Miami

ExecData\BranchReports\London

ExecData\BranchReports\Tokyo

ExecData\Corp

Group Nesting Planning table

Domain local group name Nested groups

Task 3: Discuss the group implementation strategy

Task 4: Create groups required by the group implementation strategy

Note: To simplify the implementation process, some of the required groups may already have been created. In addition, you configure the required groups for only WoodgroveBank.com and EMEA.WoodgroveBank.com.

1. On NYC-DC1, in Active Directory Users and Computers, verify that all of the global groups required to assign permission have been created.

2. On LON-DC1, in Active Directory Users and Computers, verify that all of the global groups required to assign permission have been created.

3. On NYC-DC1, create the required universal groups based on the group implementation strategy. Create the universal groups in the Executives OU.

4. Create the required domain local groups based on the group implementation strategy.

Task 5: Nest groups required by the group implementation strategy

• On NYC-DC1, nest the groups required to meet the group implementation strategy.

Task 6: Shut down 6425A-LON-DC2, and delete all changes

1. Close the 6425A-LON-DC1 Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

Result: At the end of this exercise, you will have implemented a group implementation strategy.

Exercise 3: Automating the Management of AD DS Objects

Woodgrove Bank is opening a new Houston branch. The HR department has provided you with a file that includes all of the new users that are being hired for the Houston location. You need to import the user accounts into AD DS, and then activate and assign passwords to all of the accounts.

You also need to modify the user properties for the Houston users by updating the city information.

Woodgrove Bank is also planning on starting a Research and Development department in the NYC location. You need to create a new OU for the research and development (R&D) department in the Woodgrove Bank domain, and import and configure new user accounts into AD DS.

The main tasks are as follows:

1. Modify and use the Importusers.csv file to import a group of users into AD DS.

2. Modify and run the ActivateUser.vbs script to enable the imported user accounts and assign a password to each account.

3. Modify and use the Modifyusers.ldf file to prepare for modifying the properties for a group of users in AD DS.

4. Modify and run the CreateUsers.ps1 script to add new users to AD DS.

Task 1: Modify and use the Importusers.csv file to import a group of users into AD DS

1. On NYC-DC1, browse to D:\Mod03\6425\Labfiles and open ImportUsers.csv with Notepad. Examine the header information required to create OUs and user accounts.

2. Copy and paste the contents of the Users.txt file into the ImportUsers.csv file, starting with the second line. Save the file as C:\import.csv.

3. At the command prompt, type csvde -i -f C:\import.csv and then press ENTER.

4. In Active Directory Users and Computers, verify that the Houston OU and five child OUs were created, and that several user accounts were created in each OU.

Task 2: Modify and run the ActivateUser.vbs script to enable the imported user accounts and assign a password to each account

1. On NYC-DC1, in D:\Mod03\6425\Labfiles, edit Activateusers.vbs.

2. Modify the container value in the second line to: OU=BranchManagers,OU=Houston,DC=WoodgroveBank,DC=com.

3. Modify the container values in the additional lines at the end of the script to include the following OUs, and then save the file:

• OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com

• OU=Executives,OU=Houston,DC=WoodgroveBank,DC=com

• OU=Investments,OU=Houston,DC=WoodgroveBank,DC=com

• OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com

4. Save the file as c:\Activateusers.vbs, and then double-click c:\Activateusers.vbs.

5. In Active Directory Users and Computers, browse to the Houston OU, and then confirm that user accounts in all child OUs are activated.

Task 3: Modify and use the Modifyusers.ldf file to prepare to modify the properties for a group of users in AD DS

1. On NYC-DC1, export all of the user accounts in the Houston child OUs by using the following command:

ldifde -f c:\Modifyusers.ldf -d "OU=Houston,DC=WoodgroveBank,DC=com" -r "objectClass=user" -l physicalDeliveryOfficeName

2. Edit the C:\Modifyusers.ldf file.

3. On the Edit menu, use the Replace option to replace all instances of changetype: add, with changetype: modify.

4. After each changetype line, add the following lines:

replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName: Houston

5. At the end of the entry for each user, add a hyphen (-) followed by a blank line.

6. Save the file as C:\Modifyusers.ldf.

7. At the command prompt, type ldifde -i -f c:\ldifimport.ldf and then press ENTER.

8. In Active Directory Users and Computers, verify that the Office attribute for the user accounts in Houston has been updated with the Houston location.
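Steps 3 to 5 of this task are a mechanical transformation of the LDIF file: every exported "add" record becomes a "modify" record that replaces one attribute and is terminated by a hyphen line. The Python below is an added example (not a lab file and not Microsoft code) that performs that transformation for the LDIF format described in Lesson 3; it unfolds LDIF continuation lines (a line beginning with a space continues the previous one), copies the dn line untouched (so base64 "dn::" lines survive), and drops the old attribute values. The sample export is constructed; real ldifde output from step 1 looks the same but carries the domain's actual users.

```python
from typing import List

# Constructed sample of what the step 1 export produces: one entry per user,
# changetype add, the selected attribute present or absent. The third entry
# has a folded dn line, which LDIF allows and which Notepad editing breaks.
SAMPLE_EXPORT = """\
dn: CN=Ana Lima,OU=BranchManagers,OU=Houston,DC=WoodgroveBank,DC=com
changetype: add
physicalDeliveryOfficeName: Head Office

dn: CN=Raj Patel,OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com
changetype: add

dn: CN=Mei Chen,OU=Investments,OU=Houston,
 DC=WoodgroveBank,DC=com
changetype: add
physicalDeliveryOfficeName: Toronto
"""


def parse_ldif_entries(text: str) -> List[List[str]]:
    """Split LDIF into entries, each a list of unfolded logical lines.
    Comment lines (#) are dropped; a blank line ends an entry."""
    entries: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]  # continuation of the previous logical line
        else:
            current.append(raw)
    if current:
        entries.append(current)
    return entries


def to_modify_ldif(export_text: str, attr: str, value: str) -> str:
    """Rewrite an ldifde add export as a modify file that replaces attr on
    every entry, i.e. what the lab's steps 3 to 5 do by hand in Notepad."""
    out: List[str] = []
    for entry in parse_ldif_entries(export_text):
        dn_lines = [ln for ln in entry if ln.lower().startswith("dn:")]
        if len(dn_lines) != 1:
            raise ValueError(f"entry without exactly one dn line: {entry!r}")
        out += [dn_lines[0],          # dn copied verbatim, base64 form included
                "changetype: modify",
                f"replace: {attr}",   # replace = set regardless of old value
                f"{attr}: {value}",
                "-",                  # ends the change block
                ""]                   # blank line ends the entry
    return "\r\n".join(out)  # CRLF line endings, the Windows convention


def count_modifies(ldif_text: str) -> int:
    """Number of entries that carry a modify changetype."""
    return sum(1 for e in parse_ldif_entries(ldif_text)
               if "changetype: modify" in e)


if __name__ == "__main__":
    print(to_modify_ldif(SAMPLE_EXPORT, "physicalDeliveryOfficeName",
                         "Houston"), end="")
```

Because "replace" overwrites whatever value the attribute had, check the generated file before importing it: the -d and -r filters in step 1 decide which accounts it touches, and an over-broad filter turns this into a bulk change to every user in the domain.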

Task 4: Modify and run the CreateMultipleUsers.ps1 script to add new users to AD DS

1. On NYC-DC1, in D:\6425\Labfiles\Mod03, edit CreateMultipleUsers.ps1.

2. In two places, change ADOUName to R&D.

3. Change Path to CSV file to C:\6425\Mod03\Labfiles\Createusers.csv, and then save the changes to the file.

4. Start Windows PowerShell, and at the PS prompt, type C:\6425\Labfiles\Mod03\Createusers.ps1 and press ENTER.

5. In Active Directory Users and Computers, verify that the R&D OU was created, and that the OU has been populated with user accounts that have the correct attributes.

Result: At the end of this exercise, you will have examined several options for automating the management of user objects.
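CreateMultipleUsers.ps1 itself is not reproduced in the handbook. The script below is added as an example of the technique it uses and is not the lab's script: it creates the OU if it is missing and populates it from CSV rows through ADSI (System.DirectoryServices), which Windows Server 2008 has without any Active Directory PowerShell module. The domain DN, OU name, UPN suffix and the CSV rows are constructed for illustration; it requires Windows PowerShell 2.0 or later for ConvertFrom-Csv.

```powershell
# Added example, not the lab's CreateMultipleUsers.ps1: create an OU (if missing) and populate
# it with users from CSV rows by using ADSI. Domain DN, OU name, UPN suffix and the sample
# rows are constructed. Requires Windows PowerShell 2.0 or later (ConvertFrom-Csv).

$DomainDn  = 'DC=WoodgroveBank,DC=com'
$OuName    = 'R&D'
$UpnSuffix = 'WoodgroveBank.com'

function New-OuIfMissing {
    param([string]$OuName, [string]$ParentDn)
    $ouDn = "OU=$OuName,$ParentDn"
    if (-not [ADSI]::Exists("LDAP://$ouDn")) {
        $parent = [ADSI]"LDAP://$ParentDn"
        $ou = $parent.Create('organizationalUnit', "OU=$OuName")
        $ou.SetInfo()
    }
    return $ouDn
}

function New-UserFromRow {
    param([string]$OuDn, $Row, [string]$InitialPassword)
    $ou = [ADSI]"LDAP://$OuDn"
    $cn = "$($Row.FirstName) $($Row.LastName)"
    $user = $ou.Create('user', "CN=$cn")
    $user.Put('sAMAccountName',            $Row.SamAccountName)
    $user.Put('userPrincipalName',         "$($Row.SamAccountName)@$UpnSuffix")
    $user.Put('givenName',                 $Row.FirstName)
    $user.Put('sn',                        $Row.LastName)
    $user.Put('displayName',               $cn)
    $user.Put('department',                $Row.Department)
    $user.Put('physicalDeliveryOfficeName', $Row.Office)
    $user.SetInfo()                      # object now exists, but disabled with PASSWD_NOTREQD set
    $user.SetPassword($InitialPassword)  # must satisfy the domain password policy
    $user.Put('pwdLastSet', 0)           # force a password change at first logon
    $user.Put('userAccountControl', 512) # NORMAL_ACCOUNT: enabled, PASSWD_NOTREQD cleared
    $user.SetInfo()
    return "CN=$cn,$OuDn"
}

# Constructed sample CSV content (the lab's Createusers.csv is not shown in the handbook)
$csv = @'
SamAccountName,FirstName,LastName,Department,Office
jsmith,Jane,Smith,Research,Houston
bwong,Ben,Wong,Development,Houston
'@
$rows = $csv | ConvertFrom-Csv

$ouDn = New-OuIfMissing -OuName $OuName -ParentDn $DomainDn
foreach ($row in $rows) {
    # Single quotes matter: in a double-quoted "Pa$$w0rd" PowerShell would expand $$
    New-UserFromRow -OuDn $ouDn -Row $row -InitialPassword 'Pa$$w0rd'
}
```

Two details are easy to get wrong in a bulk-creation script. A user created through ADSI starts disabled with the "password not required" flag set, so the account must have a password set before userAccountControl is changed to 512, or the enable fails against the password policy. And the CSV should never carry per-user passwords; a single initial password with pwdLastSet set to 0 forces each user to choose their own at first logon.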


Lesson 4: Delegating Administrative Access to AD DS Objects

Many AD DS administration tasks are easy to perform but highly repetitive. One option available in Windows Server 2008 AD DS is to delegate some of those tasks to other administrators or users. By delegating control, you enable these users to perform specific Active Directory management tasks without granting them more permissions than they need.


Active Directory Object Permissions

Key Points Active Directory object permissions secure resources by letting you control which administrators or users can access individual objects or object attributes, and what type of access they have. By setting permissions on an organizational unit, or on a hierarchy of organizational units, you assign administrative privileges over the Active Directory objects that it contains.

Questions:

What are the risks with using special permissions to assign AD DS permissions?

What permissions would a user have on an object if you granted them Full Control permission and denied the user Write access?


Additional Reading • Microsoft Technet article: Access control in Active Directory

• Microsoft Technet article: Assign, change, or remove permissions on Active Directory objects or attributes


Demonstration: Active Directory Domain Services Object Permission Inheritance

Questions:

What would happen to an object’s permissions if you moved the object from one OU to another if the OUs had different permissions applied?

What would happen if you removed all permissions from an OU when you blocked inheritance and did not assign any new permissions?

Additional Reading • Microsoft Technet article: Assign, change, or remove permissions on Active Directory objects or attributes


What Are Effective Permissions?

Key Points The Effective Permissions tool helps you to determine the permissions for an Active Directory object. This tool calculates the permissions that are granted to the specified user or group, and takes into account the permissions that are in effect from group memberships and any permissions inherited from parent objects.

Additional Reading • Microsoft Technet article: Effective Permissions tool


What Is Delegation of Control?

Key Points Delegation of control is the ability to assign management responsibility of Active Directory objects to another user or group.

Delegated administration helps to ease the administrative burden of managing your network by distributing routine administrative tasks to multiple users. With delegated administration, you can assign basic administrative tasks to regular users or groups. For example, you could give supervisors the right to modify group memberships in their department.

By delegating administration, you give groups in your organization more control of their local network resources. You also help secure your network from accidental or malicious damage by limiting the membership of administrator groups.
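The Delegation of Control Wizard used in the demonstration and in Lab B does nothing more than write access control entries on the OU, which is why the Effective Permissions tool and the Advanced Security Settings dialog can show exactly what was delegated. The following script is added as an example and is not part of the course: it reads an OU's explicit (non-inherited) ACEs with System.DirectoryServices and adds the two ACEs that the wizard's "Reset user passwords and force password change at next logon" task grants. The OU and group names are assumptions; it requires Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the 6425A handbook: inspect and set delegation on an OU with
# System.DirectoryServices, the same ACL the Delegation of Control Wizard writes.
# OU and group names are assumptions. Requires Windows PowerShell 2.0 or later.

$OuDn = 'OU=Toronto,DC=WoodgroveBank,DC=com'

function Get-ExplicitOuAces {
    param([string]$OuDn)
    $ou = [ADSI]"LDAP://$OuDn"
    # explicit entries only (includeExplicit=$true, includeInherited=$false): the delegations made at this OU
    $rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        New-Object PSObject -Property @{
            Identity    = $r.IdentityReference.Value
            Type        = $r.AccessControlType
            Rights      = $r.ActiveDirectoryRights
            ObjectType  = $r.ObjectType           # GUID of the extended right, attribute or class (empty = all)
            AppliesTo   = $r.InheritedObjectType  # GUID of the object class the ACE is limited to
            Inheritance = $r.InheritanceType
        }
    }
}

function Grant-ResetPasswordOnUsers {
    param([string]$OuDn, [string]$GroupNtAccount)   # e.g. 'WOODGROVEBANK\Tor_CustomerServiceGG'
    $ou       = [ADSI]"LDAP://$OuDn"
    $identity = New-Object System.Security.Principal.NTAccount($GroupNtAccount)
    $resetPwd = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right: Reset Password
    $pwdLast  = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute: pwdLastSet
    $userCls  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class user
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $descend  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rwProp   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

    # The wizard task grants exactly these: the Reset Password right and read/write on pwdLastSet,
    # both limited to descendant user objects, so the group gets nothing on groups, computers or the OU.
    $rule1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $identity, $extRight, $allow, $resetPwd, $descend, $userCls
    $rule2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $identity, $rwProp, $allow, $pwdLast, $descend, $userCls
    $ou.psbase.ObjectSecurity.AddAccessRule($rule1)
    $ou.psbase.ObjectSecurity.AddAccessRule($rule2)
    $ou.psbase.CommitChanges()
}

Grant-ResetPasswordOnUsers -OuDn $OuDn -GroupNtAccount 'WOODGROVEBANK\Tor_CustomerServiceGG'
Get-ExplicitOuAces -OuDn $OuDn | Format-Table Identity, Type, Rights, AppliesTo -AutoSize
```

Reviewing the explicit ACEs this way answers the "special permissions" question in practice: an entry whose Rights column shows GenericAll, WriteDacl or WriteOwner for a group that is not meant to administer the OU is a finding, because it is OU-level administration regardless of what the wizard task was called. The scoped ACEs written above are what least privilege looks like in the ACL.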


Discussion: Scenarios for Delegating Control

Answer the questions on the slide as a class.


Demonstration: Configuring Delegation of Control


Lesson 5: Configuring AD DS Trusts

Many organizations that deploy AD DS will deploy only one domain. However, larger organizations, or organizations that need to enable access to resources in other organizations or business units, may deploy several domains in the same Active Directory forest or a separate forest. For users to access resources between the domains, you must configure the domains or forests with trusts. This lesson describes how to configure and manage trusts in an Active Directory environment.


What Are AD DS Trusts?

Key Points Trusts allow an authentication performed in one domain to be accepted by another, and are necessary to allow resource access between domains. When you configure a trust between domains, a user is authenticated in their own domain, and the resulting security credentials can then be used to access resources in the other domain.


AD DS Trust Options

Key Points The graphic on the slide describes the trust options supported by Windows Server 2008.

Questions:

If you were going to configure a trust between a Windows Server 2008 domain and a Windows NT 4.0 domain, what type of trust would you need to configure?

If you need to share resources between domains, but do not want to configure a trust, how could you provide access to the shared resources?

A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this?

Additional Reading • Active Directory Domains and Trusts Help: Managing Trusts


How Trusts Work Within a Forest

Key Points When you set up trusts between domains, whether within the same forest, across forests, or with an external realm, information about these trusts is stored in AD DS so that it can be retrieved when necessary. A trusted domain object (TDO) stores this information.

The TDO stores information about the trust such as its transitivity, type and direction. Whenever you create a trust, a new TDO is created and stored in the System container of the domain in which the trust is created; for a two-way trust, each domain holds a TDO describing its side of the relationship.

Additional Reading • Active Directory Domains and Trusts Help: Managing Trusts


How Trusts Work Between Forests

Key Points Windows Server 2008 supports cross-forest trusts, which allow users in one forest to access resources in another forest. When a user attempts to access a resource in a trusted forest, AD DS must first locate the resource. After the resource is located, the user can be authenticated and allowed to access the resource.

Additional Reading • Microsoft Technet article: How Domains and Forests Work


Demonstration: Configuring Trusts

Questions:

What is the difference between a shortcut trust and an external trust?

When you set up a forest trust, what information will need to be available in DNS in order for the forest trust to work?

Additional Reading • Active Directory Domains and Trusts Help: Create a shortcut trust, Create an external trust, Create a forest trust


What Are User Principal Names?

Key Points A user principal name (UPN) is a logon name that is used to log on to a Windows network. There are two parts to a UPN, separated by the @ sign, for example, suzan@WoodgroveBank.com.

• The user principal name prefix, which in this example is suzan.

• The user principal name suffix, which in this example is WoodgroveBank.com.

By default, the suffix is the domain name in which the user account was created. You can use the other domains in the network, or additional suffixes that you created, to configure other suffixes for users. For example, you may want to configure a suffix to create user logon names that match users’ e-mail addresses.

Additional Reading • Microsoft Technet article: Active Directory naming


What Are the Selective Authentication Settings?

Key Points Another option for restricting authentication across trusts in a Windows Server 2008 forest is selective authentication. With selective authentication, you can restrict which computers in your forest can be accessed by another forest’s users.

Additional Reading • Microsoft Technet article: Enable selective authentication over a forest trust

• Microsoft Technet article: Grant the Allowed to Authenticate permission on computers in the trusting domain or forest
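Both the TDO description in "How Trusts Work Within a Forest" and the selective authentication setting above end up as attribute values on the trustedDomain objects in the System container. The following script is added as an example and is not from the handbook: it reads those objects and decodes trustDirection, trustType and the trustAttributes bits, so you can confirm from the directory rather than from the UI whether a trust is transitive, uses selective authentication, or has SID filter quarantining set. The domain DN is an assumption, and the values fed to the decoder at the end are constructed. It requires Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the 6425A handbook: read the trustedDomain objects (TDOs) in the
# System container and decode their attributes. Domain DN is an assumption; the sample values
# passed to the decoders at the end are constructed. Requires Windows PowerShell 2.0 or later.

function ConvertFrom-TrustAttributes {
    param([int]$Value)
    # bit values of the trustAttributes attribute
    $flags = @(
        @{ Bit = 0x01; Name = 'NON_TRANSITIVE' },
        @{ Bit = 0x02; Name = 'UPLEVEL_ONLY' },
        @{ Bit = 0x04; Name = 'QUARANTINED_DOMAIN (SID filter quarantining)' },
        @{ Bit = 0x08; Name = 'FOREST_TRANSITIVE' },
        @{ Bit = 0x10; Name = 'CROSS_ORGANIZATION (selective authentication)' },
        @{ Bit = 0x20; Name = 'WITHIN_FOREST' },
        @{ Bit = 0x40; Name = 'TREAT_AS_EXTERNAL' }
    )
    $set = foreach ($f in $flags) { if (($Value -band $f.Bit) -ne 0) { $f.Name } }
    return @($set)
}

function ConvertFrom-TrustDirection {
    param([int]$Value)
    switch ($Value) {
        0 { 'Disabled' }
        1 { 'Inbound (partner trusts this domain: our users can reach partner resources)' }
        2 { 'Outbound (this domain trusts partner: partner users can reach our resources)' }
        3 { 'Bidirectional' }
        default { "Unknown ($Value)" }
    }
}

function ConvertFrom-TrustType {
    param([int]$Value)
    switch ($Value) {
        1 { 'Downlevel (Windows NT 4.0 domain)' }
        2 { 'Uplevel (Active Directory domain)' }
        3 { 'MIT Kerberos realm' }
        4 { 'DCE' }
        default { "Unknown ($Value)" }
    }
}

function Get-TrustSummary {
    param([string]$DomainDn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$DomainDn"
    $searcher.Filter = '(objectClass=trustedDomain)'
    foreach ($a in 'trustPartner', 'trustDirection', 'trustType', 'trustAttributes') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties   # property names come back in lowercase
        New-Object PSObject -Property @{
            Partner    = [string]$p['trustpartner'][0]
            Direction  = ConvertFrom-TrustDirection ([int]$p['trustdirection'][0])
            Type       = ConvertFrom-TrustType ([int]$p['trusttype'][0])
            Attributes = (ConvertFrom-TrustAttributes ([int]$p['trustattributes'][0])) -join ', '
        }
    }
}

# Constructed values: a two-way forest trust (0x08) with selective authentication (0x10) enabled
ConvertFrom-TrustAttributes -Value 0x18
ConvertFrom-TrustDirection -Value 3

# Live query against the domain that holds the TDOs
Get-TrustSummary -DomainDn 'DC=WoodgroveBank,DC=com' | Format-Table Partner, Direction, Type, Attributes -AutoSize
```

Direction is always from the perspective of the domain whose TDO you are reading, which is the source of most confusion when checking the lab's Fabrikam trust from NYC-DC1. A forest trust that should restrict the partner's users but whose Attributes column lacks CROSS_ORGANIZATION is still using forest-wide authentication, whatever the intent was when it was created.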


Demonstration: Configuring Advanced Trust Settings

Key Points Another option for restricting authentication across trusts in a Windows Server 2008 forest is selective authentication. With selective authentication, you can restrict which computers in your forest users in another forest can access.

Questions:

What would happen if you configured a new UPN suffix in a forest after a trust had been configured with another forest that had the same UPN suffix?

In what situations would you implement selective authentication?

Additional Reading • Microsoft Technet article: Enable selective authentication over a forest trust

• Microsoft Technet article: Grant the Allowed to Authenticate permission on computers in the trusting domain or forest


Lab B: Configuring Active Directory Delegation and Trusts

Scenario

To optimize the use of AD DS administrator time, Woodgrove Bank would like to delegate some administrative tasks to junior administrators. These administrators will be granted access to manage user and group accounts in different OUs.

Woodgrove Bank also has established a partner relationship with Fabrikam Ltd. Some users in each organization must be able to access resources in the other organization. However, the access between organizations must be limited to as few users and as few servers as possible.


Exercise 1: Delegating Control of AD DS Objects In this exercise, you will delegate control of AD DS objects to other administrators. You will also test the delegated permissions to ensure that the administrators can perform the required actions, but cannot perform other actions.

Woodgrove Bank has decided to delegate administrative tasks for the Toronto office. In this office, the branch managers must be able to create and manage user and group accounts. The customer service personnel must be able to reset user passwords and configure some user information, such as phone numbers and addresses.

The main tasks are as follows:

1. Assign full control of users and groups in the Toronto OU.

2. Assign rights to reset passwords and configure private user information in the Toronto OU.

3. Verify the effective permissions assigned for the Toronto OU.

4. Test the delegated permissions for the Toronto OU.

Task 1: Assign full control of users and groups in the Toronto OU

1. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU.

2. Assign the Create, delete, and manage user accounts task and the Create, delete, and manage groups task to the Tor_BranchManagersGG group.

Task 2: Assign rights to reset passwords and configure private user information in the Toronto OU

1. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU.

2. Assign the Reset user passwords and force password change at next logon task to the Tor_CustomerServiceGG group.

3. Run the Delegation of Control Wizard again. Choose the option to create a custom task.

4. Assign the Tor_CustomerServiceGG group permission to change personal information only for user accounts.


Task 3: Verify the effective permissions assigned for the Toronto OU

1. In Active Directory Users and Computers, enable viewing of Advanced Features.

2. Access the Advanced Security Settings for the Toronto OU.

3. Check the effective permissions for Sven Buck. Sven is a member of the Tor_BranchManagersGG group. Verify that Sven has permissions to create and delete user and group accounts.

4. Access the Advanced Security Settings for Matt Berg, located in the CustomerService OU in the Toronto OU. Check the effective permissions for Sven Buck on this object, and verify that the permissions delegated at the Toronto OU have been inherited by objects in the child OU.

5. Check the effective permissions for Helge Hoening. Helge is a member of the Tor_CustomerServiceGG group. Verify that Helge has permission to reset passwords and permission to write personal attributes.

Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab only to enable you to test the delegated permissions. Granting Domain Users the Allow log on locally right on domain controllers lets every domain user log on interactively to a domain controller. As a best practice, install the administration tools on a Windows workstation rather than enable Domain Users to log on to domain controllers, and remove this right when you no longer need it.

1. On NYC-DC1, start Group Policy Management, and then edit the Default Domain Controllers Policy.

2. In the Group Policy Management Editor window, access the User Rights Assignment folder.

3. Double-click Allow log on locally. In the Allow log on locally Properties dialog box, click Add User or Group.

4. Grant the Domain Users group the log on locally right.

5. Open a command prompt, and type GPUpdate /force and then press ENTER.


Task 5: Test the delegated permissions for the Toronto OU

1. Log on to NYC-DC1 as Sven with the password Pa$$w0rd.

2. Start Active Directory Users and Computers, and verify that Sven can create a new user in the Toronto organizational unit.

3. Verify that Sven can create a new group in the Toronto OU.

4. Verify that Sven cannot create a user in the ITAdmins OU.

5. Log off NYC-DC1, and then log on as Helge with the password Pa$$w0rd.

6. In Active Directory Users and Computers, verify that Helge does not have permissions to create any new objects in the Toronto OU.

7. Verify that Helge can reset user passwords and configure user properties, such as the office and telephone number.

Result: At the end of this exercise, you will have delegated the administrative tasks for the Toronto office.


Exercise 2: Configuring AD DS Trusts In this exercise, you will configure trusts based on a trust-configuration design that the enterprise administrator provides. You also will test the trust configuration to ensure that the trusts are configured correctly.

Woodgrove Bank has initiated a strategic partnership with Fabrikam. Users at Woodgrove Bank will need to have access to several file shares and applications running on several servers at Fabrikam. Only users from Fabrikam should be able to access shares on NYC-SVR1.

The main tasks are as follows:

1. Start the VAN-DC1 virtual machine, and then log on.

2. Configure the Network and DNS Settings to enable the forest trust.

3. Configure a forest trust between WoodgroveBank.com and Fabrikam.com.

4. Configure selective authentication for the forest trust to enable access to only NYC-DC2 and NYC-CL1.

5. Test the selective authentication.

6. Close all virtual machines and discard undo disks.

Task 1: Start the VAN-DC1 virtual machine, and then log on

1. In the Lab Launcher, next to 6425A-VAN-DC1, click Launch.

2. Log on to VAN-DC1 as Administrator with the password Pa$$w0rd.

3. Minimize the Lab Launcher window.

Task 2: Configure the Network and DNS Settings to enable the forest trust

1. On VAN-DC1, modify the Local Area Network properties to change the IP address to 10.10.0.110, the Default gateway to 10.10.0.1, and the Preferred DNS server to 10.10.0.110, and then click OK.

2. Synchronize the time on VAN-DC1 with NYC-DC1. Kerberos authentication across the trust fails if the clocks of the two forests differ by more than the allowed skew (5 minutes by default).

3. In DNS Manager, add a conditional forwarder to forward all queries for WoodgroveBank.com to 10.10.0.10.


4. In Active Directory Domains and Trusts, raise the domain and forest functional level to Windows Server 2003. A forest trust requires that both forests are at least at the Windows Server 2003 forest functional level.

5. On NYC-DC1, in the DNS Manager console, add a conditional forwarder to forward all queries for Fabrikam.com to 10.10.0.110.

6. Close the DNS Manager console.

Task 3: Configure a forest trust between WoodgroveBank.com and Fabrikam.com

1. On NYC-DC1, start Active Directory Domains and Trusts from the Administrative Tools folder.

2. Right-click WoodgroveBank.com and then click Properties.

3. Start the New Trust Wizard and configure a forest trust with Fabrikam.com.

4. Configure both sides of the trust. Use [email protected] to verify the trust.

5. Accept the default setting of forest-wide authentication for both forests.

6. Confirm both trusts.

Task 4: Configure selective authentication for the forest trust to enable access to only NYC-DC2 and NYC-CL1

1. In Active Directory Domains and Trusts, on the Trusts tab of the WoodgroveBank.com properties, open the properties of the outgoing trust to Fabrikam.com (listed under Domains trusted by this domain), and on the Authentication tab select Selective authentication.

2. In Active Directory Users and Computers, access NYC-DC2's properties. On the Security tab, grant the MarketingGG group from Fabrikam.com the Allowed to Authenticate permission.

3. Access NYC-CL1's properties. On the Security tab, grant the MarketingGG group from Fabrikam.com the Allowed to Authenticate permission.


Task 5: Test the selective authentication

1. Log on to the NYC-CL1 virtual machine as [email protected] using the password Pa$$w0rd.

Note: Adam is a member of the MarketingGG group at Fabrikam. He is able to log on to a computer in the WoodgroveBank.com domain because of the trust between the two forests and because he has been allowed to authenticate to NYC-CL1.

2. Try to access the \\NYC-DC2\Netlogon folder. Adam should be able to access the folder.

3. Try to access the \\NYC-DC1\Netlogon folder. Adam should not be able to access the folder, because the MarketingGG group has not been granted the Allowed to Authenticate permission on NYC-DC1. With selective authentication, users from the trusted forest can authenticate only to computers on which they hold that permission, regardless of the share and NTFS permissions on the resource.

Task 6: Close all virtual machines and discard undo disks

1. For each running virtual machine, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise, you will have configured trusts based on a trust configuration design.


Module Review and Takeaways

Review Questions

1. You are responsible for managing accounts and access to resources for your group's members. A user in your group leaves the company, and you expect a replacement for that employee in a few days. What should you do with the previous user's account?

2. You need to create several hundred computer accounts in AD DS so that the accounts can be pre-configured for an unattended installation. What is the best way to do this?

3. A user reports that she cannot log on to her computer. The error message indicates that the trust between the computer and the domain is broken. How will you fix the problem?

4. You have created a global group called Helpdesk, which contains all the help desk accounts. You want the help desk personnel to be able to perform any operation on local desktop computers, including taking ownership of files. Which is the best built-in group to use?


5. The BranchOffice_Admins group has been granted full control of all user accounts in the BranchOffice_OU. What permissions would the BranchOffice_Admins have to a user account that was moved from the BranchOffice_OU to the HeadOffice_OU?

6. Your organization has a Windows Server 2008 forest environment, but it has just acquired another organization with a Windows 2000 forest environment that contains a single domain. Users in both organizations must be able to access resources in each other’s forest. What type of trust do you create between the forest root domain of each forest?

Considerations for Configuring Active Directory Objects

Supplement or modify the following best practices for your own work situations:

• Create a naming scheme for AD DS objects before starting the AD DS deployment. For example, you need to plan how you will create user logon names and devise your group-naming strategy. It is much easier to plan the naming strategies early in the AD DS deployment rather than change the names after deployment.

• Plan your AD DS group strategy before deploying AD DS. When planning the group strategy, consider the organization’s plans for future growth. Even if the organization only has a small number of users in a single domain, you may want to implement an account group/resource group strategy if the organization has an aggressive growth strategy or is likely to establish key partnerships that may require forest trusts.

• Look for opportunities to automate AD DS management tasks. It can take considerable time to create csvde and ldifde files, or to write VBScript or Windows PowerShell scripts. However, once these tools are in place, they can save a great deal of time.

• Another option for decreasing workload for AD DS administrators is to delegate tasks. One strategy for determining what tasks to delegate is to analyze what tasks take the most time for AD DS administrators. If mundane tasks, such as creating user accounts, resetting passwords, or updating user information, take a significant amount of time, consider delegating those specific tasks to other users.


Tools

Use the following tools when configuring AD DS objects and trusts:

• Server Manager
Use for: Accessing the AD DS management tools in a single console.
Where to find it: Click Start, point to Administrative Tools, and then click Server Manager.

• Active Directory Users and Computers
Use for: Creating and configuring all AD DS objects.
Where to find it: Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

• Active Directory Domains and Trusts
Use for: Creating and configuring trusts.
Where to find it: Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

• Command-line tools (including Csvde and Ldifde)
Use for: Creating and configuring AD DS objects.
Where to find it: Installed by default and accessible at a command prompt.

• Windows PowerShell
Use for: Writing scripts that automate AD DS object management.
Where to find it: Windows PowerShell is available as a download from Microsoft and can be installed as a feature in Windows Server 2008. After installing Windows PowerShell, all cmdlets are accessible through the Windows PowerShell command shell.


Module 4 Configuring Active Directory Domain Services Sites and Replication

Contents:

Lesson 1: Overview of Active Directory Domain Services Replication 4-3

Lesson 2: Overview of AD DS Sites and Replication 4-13

Lesson 3: Configuring and Monitoring AD DS Replication 4-22

Lab: Configuring Active Directory Sites and Replication 4-32


Module Overview

In a Windows Server® 2008 Active Directory® Domain Services (AD DS) environment, you can deploy multiple domain controllers in the same domain, or in other domains in the same forest. The AD DS information replicates automatically between all of the domain controllers.

This module will help you understand how AD DS replication works, and enable you to manage replication network traffic, while ensuring the consistency of AD DS data across your network.


Lesson 1: Overview of Active Directory Domain Services Replication

When a user or an administrator performs an update to AD DS, the AD DS database on one domain controller is updated. That update then replicates to all other domain controllers in the domain, and in some cases, to all other domain controllers in the forest. AD DS uses a multimaster replication model, which means that you can make most changes on any one domain controller, and the changes will replicate to all other domain controllers.

This lesson describes how AD DS replication works in Windows Server 2008.


How AD DS Replication Works

Key Points The slide describes how the different components in AD DS replication work.

Additional Reading • Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links

• Microsoft Technet article: Replication Model Components

• Microsoft Technet article: How the Active Directory Replication Model Works


How AD DS Replication Works Within a Site

Key Points Within a single site, replication is initiated by a notification from the domain controller that holds the change. By default, a domain controller waits 15 seconds after a change is made and then notifies its first replication partner that changes are available. The replication partner pulls the changes from the sending domain controller over a remote procedure call (RPC) connection. The sending domain controller then waits three seconds and notifies its next replication partner, which also pulls the changes, and so on until every partner in the site has been notified.

Additional Reading • Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links

• Microsoft Technet article: How the Active Directory Replication Model Works


Resolving Replication Conflicts

Key Points There are three types of conflicts:

• Simultaneously modifying the same attribute value on an object on two domain controllers.

• Adding or modifying an object on one domain controller at the same time that the container object for the object is deleted on another domain controller.

• Adding objects with the same relative distinguished name into the same container.

Additional Reading • Microsoft Technet article: How the Active Directory Replication Model Works


Optimizing Replication

Key Points During replication, domain controllers may use multiple paths for sending and receiving updates. Although using multiple paths provides both fault tolerance and improved performance, it can result in updates being replicated to the same domain controller more than once along different replication paths. To prevent these repeated replications, AD DS replication uses propagation dampening. Propagation dampening is the process of reducing the amount of unnecessary data traveling from one domain controller to another.

Additional Reading • Microsoft Technet article: How the Active Directory Replication Model Works


What Are Directory Partitions?

Key Points The AD DS database is separated logically into directory partitions: a schema partition, a configuration partition, domain partitions, and application partitions. Each partition is a unit of replication, and each partition has its own replication topology.

Additional Reading • Microsoft Technet article: How the Data Store Works (Directory Partition section)

• Microsoft Technet article: How the Active Directory Replication Model Works
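Because each partition is its own unit of replication, the first step in any replication troubleshooting is knowing which partitions a given domain controller holds and what kind each one is. The following script is added as an example and is not from the handbook: it lists the naming contexts advertised by the domain controller's RootDSE and classifies each as schema, configuration, domain or application partition using the crossRef objects in the Partitions container, which also answers the question on the next page about default application partitions. It reads everything from the directory, so nothing in it is assumed except that it runs against a domain controller; the classifier is exercised with constructed values at the end. It requires Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the 6425A handbook: list the naming contexts this domain controller
# holds and classify each as schema, configuration, domain or application partition using the
# systemFlags of the crossRef objects in CN=Partitions. Requires Windows PowerShell 2.0 or later.

function Get-PartitionKind {
    # pure classifier, so it can be checked with constructed values
    param([string]$Nc, [string]$SchemaNc, [string]$ConfigNc, [int]$CrossRefSystemFlags)
    if ($Nc -eq $SchemaNc) { return 'Schema' }
    if ($Nc -eq $ConfigNc) { return 'Configuration' }
    if (($CrossRefSystemFlags -band 2) -ne 0) { return 'Domain' }        # FLAG_CR_NTDS_DOMAIN
    if (($CrossRefSystemFlags -band 1) -ne 0) { return 'Application' }   # FLAG_CR_NTDS_NC without the domain bit
    return 'Unknown'
}

function Get-PartitionSummary {
    $root     = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$root.schemaNamingContext
    $configNc = [string]$root.configurationNamingContext

    # one crossRef per partition in the forest; nCName is the partition DN, systemFlags its kind
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNc"
    $searcher.Filter = '(objectClass=crossRef)'
    [void]$searcher.PropertiesToLoad.Add('nCName')
    [void]$searcher.PropertiesToLoad.Add('systemFlags')
    $flagsByNc = @{}
    foreach ($r in $searcher.FindAll()) {
        $sf = 0
        if ($r.Properties['systemflags'].Count -gt 0) { $sf = [int]$r.Properties['systemflags'][0] }
        $flagsByNc[[string]$r.Properties['ncname'][0]] = $sf
    }

    # namingContexts lists only the partitions this DC actually hosts
    foreach ($nc in @($root.namingContexts)) {
        $nc = [string]$nc
        $flags = 0
        if ($flagsByNc.ContainsKey($nc)) { $flags = $flagsByNc[$nc] }
        New-Object PSObject -Property @{
            NamingContext = $nc
            Kind          = Get-PartitionKind -Nc $nc -SchemaNc $schemaNc -ConfigNc $configNc -CrossRefSystemFlags $flags
            GcReplicated  = (($flags -band 4) -eq 0)   # FLAG_CR_NTDS_NOT_GC_REPLICATED is set on application partitions
        }
    }
}

# Constructed check of the classifier: a domain crossRef carries 3 (NC + DOMAIN), an application
# partition such as DomainDnsZones carries 5 (NC + NOT_GC_REPLICATED)
Get-PartitionKind -Nc 'DC=WoodgroveBank,DC=com' -SchemaNc 'S' -ConfigNc 'C' -CrossRefSystemFlags 3
Get-PartitionKind -Nc 'DC=DomainDnsZones,DC=WoodgroveBank,DC=com' -SchemaNc 'S' -ConfigNc 'C' -CrossRefSystemFlags 5

Get-PartitionSummary | Format-Table NamingContext, Kind, GcReplicated -AutoSize
```

On a domain controller that also hosts Active Directory-integrated DNS, the Application rows are the DomainDnsZones and ForestDnsZones partitions. Their GcReplicated value is false, which is the practical consequence of the flag: a global catalog server in another domain does not receive them, so DNS data in them is only ever replicated to the domain controllers enlisted in that partition.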


What Is Replication Topology?

Key Points The replication topology is the route by which replication data travels throughout a network. To create a replication topology, AD DS must determine which domain controllers replicate data with other domain controllers.

Question: Which application partitions are created by default in AD DS?

Additional Reading • Microsoft Technet article: What Is Active Directory Replication Topology?


How Directory Partitions and the Global Catalog Are Replicated

Key Points Replication of the schema and configuration partitions follows the same process as all other directory partitions. However, because these partitions are forest-wide rather than domain-wide, you can create the connection objects for these partitions between any two domain controllers, regardless of the domain controller’s domain. All domain controllers in the forest are included in the replication topology for these partitions.

Additional Reading • Microsoft Technet article: What Is Active Directory Replication Topology?


How the Replication Topology Is Generated

Key Points

When you add domain controllers to a site, AD DS uses the Knowledge Consistency Checker (KCC) to establish a replication path between domain controllers.

Additional Reading

• Microsoft Technet article: How the Active Directory Replication Model Works


Demonstration: Creating and Configuring Connection Objects

Question: When would you configure connection objects manually?


Lesson 2: Overview of AD DS Sites and Replication

Within a single site, AD DS replication happens rapidly and automatically, without regard for network utilization. However, some organizations have multiple locations that are connected by slow network connections. You can use AD DS sites to control replication and other types of AD DS traffic across these network links.


What Are AD DS Sites and Site Links?

Key Points

You use sites to control replication traffic, logon traffic, and client computer requests to the global catalog server.

Additional Reading

• Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links


Discussion: Why Implement Additional Sites?

Additional Reading

• Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links


Demonstration: Configuring AD DS Sites

Questions:

What would happen to the replication topology if you moved a domain controller from one site to another site?

You move a domain controller to a new site by using Active Directory Sites and Services. Six hours later you determine that the domain controller is not replicating with any other domain controller. What should you check?

Additional Reading

• Active Directory Sites and Services Help: Create a Site, Create a Subnet


How Replication Works Between Sites

Key Points

Within a site, you have very little control over the AD DS replication process. When you implement multiple sites in an AD DS forest, you also can configure AD DS replication to ensure optimal network utilization.


Comparing Replication Within Sites and Between Sites

Key Points

See the slide for comparisons.

Additional Reading

• Active Directory Sites and Services Help: Understanding Replication Between Sites

• Microsoft Technet article: What Is Active Directory Replication Topology?


Demonstration: Configuring AD DS Site Links

Questions:

If all of the locations in your organization are connected by a wide area network that has the same available bandwidth, do you need to create additional site links?

Your organization has two sites and a single domain. Can you use SMTP as the replication protocol between the two sites?

Additional Reading

• Active Directory Sites and Services Help: Create a Site Link


What Is the Inter-site Topology Generator?

Key Points

The KCC on one domain controller in the site is designated as the site’s Inter-Site Topology Generator (ISTG). There is only one ISTG per site, regardless of how many domains or other directory partitions the site has. The ISTG is responsible for calculating the site’s ideal replication topology.

Additional Reading

• Microsoft Technet article: How the Active Directory Replication Model Works


How Unidirectional Replication Works

Key Points

Because no changes are written directly to the read-only domain controller (RODC), no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the forest. This also reduces the hub bridgehead servers’ workload, and the effort required to monitor replication.

Additional Reading

• Microsoft Technet article: AD DS: Read-Only Domain Controllers


Lesson 3: Configuring and Monitoring AD DS Replication

Once you have configured the sites and site links for your AD DS environment, you can configure AD DS replication. AD DS in Windows Server 2008 provides several options that you can use to manage how replication will flow between sites. Because AD DS replication is so critical to your environment, you also need to know how to monitor AD DS replication.


What Is a Bridgehead Server?

Key Points

The bridgehead server in an AD DS replication topology is the single domain controller in each site that is responsible for exchanging replicated data with other sites. The bridgehead server from the originating site collects all of the replication changes in its site, and then sends them to the receiving site’s bridgehead server, which replicates the changes to all of the site’s domain controllers.

By default, the ISTG identifies one domain controller in each site as the bridgehead server for each site link. If that bridgehead server becomes unavailable, the ISTG identifies another domain controller as the bridgehead server.
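Because the ISTG and the bridgehead selection are calculated rather than configured, it helps to be able to read the current result for every site and site link in one place. The script below is an added example for this handbook, not course or Microsoft sample code; it only reads the configuration partition through the .NET System.DirectoryServices.ActiveDirectory classes and needs no special rights beyond a domain user account.

```powershell
# Added example: report, per site, the ISTG, the bridgehead servers the ISTG
# picked, any preferred bridgeheads an administrator forced, and the site links
# with their cost and replication interval.
Add-Type -AssemblyName System.DirectoryServices

function Join-Names($collection) {
    # Helper: turn a collection of AD objects into "name, name, ..." (or "(none)")
    $names = @($collection | ForEach-Object { $_.Name })
    if ($names.Count -eq 0) { return "(none)" }
    return ($names -join ", ")
}

function Get-SiteTopologyReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        $istg = $site.InterSiteTopologyGenerator
        New-Object PSObject -Property @{
            Site                 = $site.Name
            Subnets              = Join-Names $site.Subnets
            DomainControllers    = Join-Names $site.Servers
            ISTG                 = $(if ($istg) { $istg.Name } else { "(none)" })
            # BridgeheadServers is what the ISTG chose; PreferredBridgeheadServers
            # is what an administrator pinned. A non-empty preferred list means the
            # ISTG may not fail over to another DC if that one goes down.
            BridgeheadServers    = Join-Names $site.BridgeheadServers
            PreferredBridgeheads = Join-Names $site.PreferredBridgeheadServers
            AdjacentSites        = Join-Names $site.AdjacentSites
        }
    }
}

function Get-SiteLinkReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $seen = @{}   # each link is reachable from every site it contains; list it once
    foreach ($site in $forest.Sites) {
        foreach ($link in $site.SiteLinks) {
            if ($seen.ContainsKey($link.Name)) { continue }
            $seen[$link.Name] = $true
            New-Object PSObject -Property @{
                SiteLink        = $link.Name
                Transport       = $link.TransportType
                Cost            = $link.Cost
                IntervalMinutes = $link.ReplicationInterval.TotalMinutes
                Sites           = Join-Names $link.Sites
                Notification    = $link.NotificationEnabled
            }
        }
    }
}

Get-SiteTopologyReport |
    Format-List Site, DomainControllers, ISTG, BridgeheadServers, PreferredBridgeheads, AdjacentSites, Subnets
Get-SiteLinkReport |
    Format-Table SiteLink, Transport, Cost, IntervalMinutes, Notification, Sites -AutoSize
```

A site whose ISTG column reads "(none)" has no domain controller generating inter-site connection objects, and a site whose only preferred bridgehead is offline will stop replicating across its links until the preference is removed or another preferred bridgehead is added; both are conditions this report makes visible before users notice stale directory data.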

Additional Reading

• Microsoft Technet article: How the Active Directory Replication Model Works


Demonstration: Configuring Bridgehead Servers

Question:

Your organization has two sites and two domains in the same forest with domain controllers for both domains in both sites. You configure one domain controller in each site as the preferred bridgehead server. Some time later you notice that the domain controllers for one of the domains are not replicating across the site link. What do you need to do to fix this?

Additional Reading

• Microsoft Technet article: Managing Intersite Replication


Demonstration: Configuring Replication Availability and Frequency

Questions:

You configure site links between the New York site and the Toronto site, and between the New York site and the London site. The New York-Toronto site link is available from 2 am to 5 am EST. The New York-London site link is available from 8 pm to 11 pm EST. You create a new user in Toronto. When will the new user appear in AD DS on a domain controller in London?

Your organization has 4 sites. All of your sites are included in the DefaultIPSiteLink. You would like to modify the replication schedule for all of the sites so that replication between sites happens every 15 minutes. What should you do?


Additional Reading

• Active Directory Sites and Services Help: Configure Intersite Replication


What Is Site Link Bridging?

Key Points

By default, all AD DS site links are transitive, or bridged. That means that if site A shares a site link with site B, and site B shares a site link with site C, then the two site links are bridged. Domain controllers in site A can then replicate directly with domain controllers in site C, even though there is no site link between sites A and C.

You can modify the default site link bridging configuration by disabling site-link bridging, and then configuring site link bridging only for those site links that should be transitive.

Additional Reading

• Microsoft Technet article: How the Active Directory Replication Model Works


Demonstration: Modifying Site Link Bridges

Question:

Your organization has five sites. Four of the sites are connected by Wide Area Network (WAN) links with surplus network bandwidth, while one of the sites is connected to the other sites by a WAN link with very little available bandwidth. You disable site link bridging in your organization, and then realize that it is taking much longer than usual to replicate AD DS changes between sites. What should you do to optimize replication between the four sites with available bandwidth while minimizing the network utilization to the site with less available bandwidth?

Additional Reading

• Microsoft Technet article: Managing Intersite Replication


What Is Universal Group Membership Caching?

Key Points

One of the issues that you may need to address when configuring AD DS replication is whether to deploy global catalog servers in each site. Because global catalog servers are required when users log on to the domain, deploying a global catalog server in each site optimizes the user experience. However, deploying a global catalog server in a site results in additional replication traffic, which may be an issue if the network connection between AD DS sites has limited bandwidth. In these scenarios, you can deploy domain controllers running Windows Server 2008, and then enable universal group membership caching for the site.

Additional Reading

• Microsoft Technet article: Planning Global Catalog Server Placement


Demonstration: Configuring Universal Group Membership Caching

Additional Reading

• Microsoft Technet article: Cache universal group memberships


Demonstration: Tools for Monitoring and Managing Replication

Questions:

Under what circumstance might you want to know which domain controller is the ISTG in a site?

What information is available in the command line tools that is not available through the GUI tools?


Lab: Configuring Active Directory Sites and Replication

Scenario

Woodgrove Bank has multiple offices throughout the world. To optimize client logon traffic and manage AD DS replication, the enterprise administrator has created a new design for configuring AD DS sites, and for configuring replication between sites. You need to create AD DS sites and configure replication based on the enterprise administrator’s design, monitor site replication, and ensure that all components required for replication are functional.

The current site design at Woodgrove Bank has not been modified from the default. Other than the default site, no AD DS sites or site links are configured.

The enterprise administrator has created the following site design:

• New York has a 1.544 megabits per second (Mbps) wide area network (WAN) connection to London, which has 50% available bandwidth. New York and Tokyo also are connected by a 1.544 Mbps WAN connection that has 50% available bandwidth. Any changes made to AD DS in any of these three locations should be replicated to the other locations within one hour.


• Miami is connected to New York through a 256 kilobits per second (Kbps) WAN connection, which has less than 20% available bandwidth during regular business hours. Changes made to AD DS in any site in the organization should not be replicated to Miami during regular business hours.

• The domain controller in Miami should receive updates only from a New York domain controller. Domain controllers in New York, Tokyo, and London can receive updates from any domain controller in one of these three sites.

• The domain controller in Miami is not configured as a global catalog server because of concerns with global catalog replication. To minimize the network traffic required for authentication, you should enable universal group membership caching for the Miami site.

• You should configure each company location as a separate site, with a site name of CityName-Site.

• You should name site links using the following format: CityName-CityName-Site-Link.

• The network-address configurations for each company location are as follows:

• New York – 10.10.0.0/16

• London – 10.20.0.0/16

• Miami – 10.30.0.0/16

• Tokyo – 10.40.0.0/16

Note: Due to the virtual lab limitations, you will be configuring the sites only for the New York, London, and Miami locations.

Note: The following lab requires that four virtual machines be running at one time. We recommend that the student computers be configured with an additional one GB of RAM (for a total of 3 GB) to improve the virtual machine performance in this lab.


Exercise 1: Configuring AD DS Sites and Subnets

In this exercise, you will modify the existing site configuration based on the enterprise administrator’s design. The tasks include creating new subnets and sites, creating site links, and moving servers into the appropriate sites.

The main tasks are as follows:

1. Start the virtual machines, and then log on.

2. Verify the current site configuration and replication topology.

3. Create the AD DS sites.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. In the Lab Launcher, next to 6425A-LON-DC1, click Launch.

4. In the Lab Launcher, next to 6425A-MIA-RODC, click Launch.

5. In the Lab Launcher, next to 6425A-NYC-RAS, click Launch.

6. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

7. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.

8. Log on to MIA-RODC as Administrator with the password Pa$$w0rd.

9. Log on to NYC-RAS as Administrator with the password Pa$$w0rd.

10. Minimize the Lab Launcher window.

Task 2: Start the 6425A-LON-DC1 virtual machine and log on as Administrator

• Start 6425A-LON-DC1 and then log on as Administrator using the password Pa$$w0rd.


Task 2: Verify the current site configuration and replication topology

1. On NYC-DC1, open Active Directory Sites and Services, and then access the NTDS Settings properties for NYC-DC1.

2. Verify the connection objects are configured on NYC-DC1. Confirm that the connection objects are used to replicate all relevant directory partitions.

3. Verify that the connections are configured to always replicate, and to check for updates every hour.

4. Examine the connection objects configured on MIA-RODC. Verify that the RODC only has inbound replication partners and no outbound replication partners.

Task 3: Create the AD DS sites

1. In Active Directory Sites and Services, rename the Default-First-Site-Name to NewYork-Site.

2. Create new sites named Miami-Site, London-Site, and Tokyo-Site.

3. Create new subnet objects with the following properties:

• Prefix: 10.10.0.0/16, Site: NewYork-Site

• Prefix: 10.20.0.0/16, Site: London-Site

• Prefix: 10.30.0.0/16, Site: Miami-Site

• Prefix: 10.40.0.0/16, Site: Tokyo-Site

4. Verify that the correct subnets are associated with each site.

Result: At the end of this exercise, you will have configured AD DS sites and subnets and linked the subnets to the appropriate sites.


Exercise 2: Configuring AD DS Replication

In this exercise, you will configure AD DS replication between sites. The tasks include creating new site links, configuring site-link bridging, and finally, moving the domain controllers to the appropriate sites.

The main tasks are as follows:

1. Create the site link objects.

2. Configure site link bridging.

3. Modify the domain controller IP address configuration.

4. Move the domain controllers into the appropriate sites.

5. Configure global catalog caching for the Miami site.

Task 1: Create the site link objects

1. In Active Directory Sites and Services, rename the DEFAULTIPSITELINK to NewYork-London-Site-Link. Configure the site link to include only the NewYork-Site and London-Site, and to replicate every 30 minutes.

2. Right-click NewYork-London-Site-Link, and then click Properties.

3. Create a new site link named NewYork-Tokyo-Site-Link that includes the NewYork-Site and Tokyo-Site, and that replicates every 30 minutes.

4. Create another new site link named NewYork-Miami-Site-Link that includes the NewYork-Site and Miami-Site. Modify the schedule for the site link to not allow replication between 7 a.m. and 7 p.m., Monday to Friday.

Task 2: Configure site link bridging

1. In Active Directory Sites and Services, turn off site-link bridging for the IP site links.

2. Create a new site-link bridge named NewYork-London-Tokyo-Site-Link-Bridge which includes all sites except the Miami-Site.


Task 3: Modify the domain controller IP address configuration

1. On LON-DC1, access the Local Area Connection properties. Change the IP-address configuration to use an IP address of 10.20.0.110 and a default gateway of 10.11.0.1.

2. Ensure that you can ping 10.10.0.10 from LON-DC1, and force the server to register its IP address in DNS.

3. On MIA-RODC, in the command prompt window, use the netsh interface ipv4 show interfaces command to identify the Idx value assigned to the Local Area Connection.

4. Use the netsh interface ipv4 set address name="ID" source=static address=10.30.0.15 mask=255.255.0.0 gateway=10.30.0.1 command to change the IP address for MIA-RODC.

5. Ensure that you can ping 10.10.0.10 from MIA-RODC, and then force the server to register its IP address in DNS.

6. On NYC-DC1, verify that the IP addresses for LON-DC1 and MIA-RODC have been updated in DNS.

7. Modify the delegation record for EMEA to use 10.20.0.110 as the EMEA DNS server address.

Task 4: Move the domain controllers into the appropriate sites

1. On NYC-DC1, in Active Directory Sites and Services, move LON-DC1 from the NewYork-Site to the London-Site.

2. Move MIA-RODC from the NewYork-Site to the Miami-Site.

Task 5: Configure global catalog caching for the Miami site

1. On NYC-DC1, in Active Directory Sites and Services, access the NTDS Site Settings properties for the Miami-Site.

2. Enable Universal Group Membership Caching, and then configure the cache to be refreshed from the NewYork-Site.

Result: At the end of this exercise, you will have configured AD DS replication.
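The site design from Exercise 1 and Exercise 2 (Tasks 1, 2, 4 and 5; the IP address changes of Task 3 stay with netsh as written above) can also be built from NYC-DC1 as a script, which makes the configuration reviewable and repeatable. The script below is an added example for this handbook, not course or Microsoft sample code. It uses the .NET System.DirectoryServices.ActiveDirectory classes where they cover the task and ADSI where they do not (renaming objects, the transport and site-settings options). Site, subnet and site-link names, prefixes, intervals and the 7 a.m. to 7 p.m. Monday to Friday blackout are taken from the lab text; the domain-controller FQDN placeholder, the 180-minute interval on the Miami link (the default for a new site link) and the two "options" bit values are assumptions and are marked as such in the comments. It requires Enterprise Admins rights.

```powershell
# Added example: build the lab's site design in one pass (Exercise 1 + Exercise 2).
Add-Type -AssemblyName System.DirectoryServices
$ad       = "System.DirectoryServices.ActiveDirectory"
$siteType = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]
$linkType = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySiteLink]
$ctx      = New-Object "$ad.DirectoryContext" ([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest)
$configDn = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext

function Rename-ConfigObject([string]$Dn, [string]$NewCn) {
    # The .NET site / site-link classes have no rename, so use DirectoryEntry.Rename
    ([ADSI]"LDAP://$Dn").psbase.Rename("CN=$NewCn")
}

function New-SiteLink([string]$Name, [string[]]$SiteNames, [int]$IntervalMinutes) {
    $link = New-Object "$ad.ActiveDirectorySiteLink" $ctx, $Name   # IP transport by default
    foreach ($s in $SiteNames) { $link.Sites.Add($siteType::FindByName($ctx, $s)) }
    $link.ReplicationInterval = [TimeSpan]::FromMinutes($IntervalMinutes)
    $link.Save()
    return $link
}

function New-BusinessHoursBlackout {
    # Available at all times except 07:00-19:00 Monday to Friday.
    # RawSchedule is bool[day, hour, quarter-hour]; day 0 = Sunday.
    $raw = New-Object 'bool[,,]' 7, 24, 4
    for ($d = 0; $d -lt 7; $d++) { for ($h = 0; $h -lt 24; $h++) { for ($q = 0; $q -lt 4; $q++) {
        $blackout = ($d -ge 1 -and $d -le 5 -and $h -ge 7 -and $h -lt 19)
        $raw[$d, $h, $q] = -not $blackout
    } } }
    $schedule = New-Object "$ad.ActiveDirectorySchedule"
    $schedule.RawSchedule = $raw
    return $schedule
}

function Set-OptionBit([string]$Dn, [int]$Bit) {
    # OR one flag into the "options" attribute, which may be absent on a fresh object
    $entry = [ADSI]"LDAP://$Dn"
    $opts = 0; try { $opts = [int]$entry.Get("options") } catch { }
    $entry.Put("options", ($opts -bor $Bit)); $entry.SetInfo()
}

# Exercise 1: sites and subnets
Rename-ConfigObject "CN=Default-First-Site-Name,CN=Sites,$configDn" "NewYork-Site"
foreach ($name in "Miami-Site", "London-Site", "Tokyo-Site") {
    $site = New-Object "$ad.ActiveDirectorySite" $ctx, $name; $site.Save()
}
$subnets = @{ "10.10.0.0/16" = "NewYork-Site"; "10.20.0.0/16" = "London-Site";
              "10.30.0.0/16" = "Miami-Site";   "10.40.0.0/16" = "Tokyo-Site" }
foreach ($prefix in $subnets.Keys) {
    $subnet = New-Object "$ad.ActiveDirectorySubnet" $ctx, $prefix, $subnets[$prefix]; $subnet.Save()
}

# Exercise 2, Task 1: site links
Rename-ConfigObject "CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,$configDn" "NewYork-London-Site-Link"
$nyLon = $linkType::FindByName($ctx, "NewYork-London-Site-Link")
$nyLon.Sites.Clear()
$nyLon.Sites.Add($siteType::FindByName($ctx, "NewYork-Site")); $nyLon.Sites.Add($siteType::FindByName($ctx, "London-Site"))
$nyLon.ReplicationInterval = [TimeSpan]::FromMinutes(30); $nyLon.Save()
$nyTok = New-SiteLink "NewYork-Tokyo-Site-Link" @("NewYork-Site", "Tokyo-Site") 30
$nyMia = New-SiteLink "NewYork-Miami-Site-Link" @("NewYork-Site", "Miami-Site") 180   # 180 = default interval (assumption)
$nyMia.ReplicationSchedule = New-BusinessHoursBlackout; $nyMia.Save()

# Exercise 2, Task 2: turn off automatic bridging, then bridge only the three fast links.
# Assumption: options bit 0x2 on the IP transport = "bridges required" (bridging off).
Set-OptionBit "CN=IP,CN=Inter-Site Transports,CN=Sites,$configDn" 0x2
$bridge = New-Object "$ad.ActiveDirectorySiteLinkBridge" $ctx, "NewYork-London-Tokyo-Site-Link-Bridge"
$bridge.SiteLinks.Add($nyLon); $bridge.SiteLinks.Add($nyTok); $bridge.Save()

# Exercise 2, Task 4: move the DCs. "<LON-DC1-FQDN>" is a placeholder for LON-DC1's full name.
foreach ($pair in @(@("<LON-DC1-FQDN>", "London-Site"), @("MIA-RODC.WoodgroveBank.com", "Miami-Site"))) {
    $dcCtx = New-Object "$ad.DirectoryContext" ([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer), $pair[0]
    $dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($dcCtx)
    $dc.MoveToAnotherSite($pair[1])
}

# Exercise 2, Task 5: universal group membership caching for Miami, refreshed from New York.
# Assumption: NTDS Site Settings options bit 0x20 enables caching; msDS-Preferred-GC-Site names the refresh site.
Set-OptionBit "CN=NTDS Site Settings,CN=Miami-Site,CN=Sites,$configDn" 0x20
$mia = [ADSI]"LDAP://CN=NTDS Site Settings,CN=Miami-Site,CN=Sites,$configDn"
$mia.Put("msDS-Preferred-GC-Site", "CN=NewYork-Site,CN=Sites,$configDn"); $mia.SetInfo()
```

Running the script a second time fails on the rename and create steps because the objects already exist, which is the intended behaviour for a one-time build; the schedule is written as a full 7 x 24 x 4 availability grid rather than through the schedule helper methods so that the blackout window is stated explicitly and can be compared against the Replication Schedule dialog in Active Directory Sites and Services.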


Exercise 3: Monitoring AD DS Replication

In this exercise, you will monitor AD DS replication between sites. You will use DCDiag and NLTest to check for server availability, use Repadmin to configure AD DS objects, and use Replmon to monitor the replication between sites.

The main tasks are as follows:

1. Verify that the replication topology has been updated.

2. Verify that replication is working between sites.

3. Use DCDiag to verify the replication topology.

4. Use Repadmin to verify successful replication.

5. Shut down all virtual machines and delete all changes.

Task 1: Verify that the replication topology has been updated

1. On NYC-DC1, in Active Directory Sites and Services, access the NTDS Settings for NYC-DC1, and then force the server to check the replication topology.

2. Access the NTDS Setting for MIA-RODC in the Miami-Site, and then force it to check the replication topology. This will take a few moments to complete.

3. Access the NTDS Site Settings properties for the NewYork-Site, and then verify that NYC-DC1 is configured as the Inter-Site Topology Generator.

4. Access the NTDS Site Settings for the Miami-Site, and then verify that MIA-RODC is not listed as the ISTG. Because MIA-RODC is an RODC, it cannot operate as a bridgehead server or an ISTG.

Task 2: Verify that replication is working between sites

1. On NYC-DC1, in Active Directory Sites and Services, access the NTDS Settings for NYC-DC1.

2. In the details pane, verify that a connection object has been created between NYC-DC1 and LON-DC1, and then force replication on the connection object.

3. On LON-DC1, open Active Directory Sites and Services, access the connection object configured on LON-DC1 between LON-DC1 and NYC-DC1, and then force replication on the connection object.


4. On NYC-DC1, in Active Directory Users and Computers, in the Users container, create a new user with a first name and logon name of TestUser and the password Pa$$w0rd.

5. In Active Directory Sites and Services, access the connection object configured on MIA-RODC between NYC-DC1 and MIA-RODC, and then force replication on the connection object.

6. In Active Directory Users and Computers, change the focus to MIA-RODC.WoodgroveBank.com.

7. In the Change Domain Controller dialog box, click MIA-RODC.WoodgroveBank.com, click OK, and then verify that the TestUser account has been replicated to MIA-RODC.

Task 3: Use DCDiag to verify the replication topology

• On NYC-DC1, at a command prompt, type DCDiag /test:replications to verify that NYC-DC1 passes all connectivity tests.

Note: There will be replication errors listed because NYC-DC2 and TOK-DC1 are not running and replication has been attempted.

Task 4: Use Repadmin to verify successful replication

1. On NYC-DC1, at the command prompt, type repadmin /showrepl, and then verify that replication with LON-DC1 succeeded during the last replication update.

2. At the command prompt, type repadmin /showrepl MIA-RODC.WoodgroveBank.com, and then verify that all directory partitions were updated successfully during the last replication update.

3. At the command prompt, type repadmin /bridgeheads, and then verify that NYC-DC1 and LON-DC1 are listed as bridgehead servers for their site.

4. At the command prompt, type repadmin /replsummary, and then examine the replication summary, and then close the command prompt.
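Reading repadmin /showrepl by eye works for four domain controllers; for the 20-branch design in the review questions it does not, and the check is better turned into a script that flags only the partners with failures or no recent success. The function below is an added example for this handbook, not course or Microsoft code. It consumes the comma-separated form of the command (repadmin /showrepl * /csv, a switch the tool supports); the column layout assumed in the constructed sample rows, and the four status-code descriptions, are assumptions to verify against your own repadmin output.

```powershell
# Added example: turn "repadmin /showrepl * /csv" output into a list of
# inbound replication partners that need attention.
function Get-ReplicationFailure {
    param(
        [string[]]$CsvLines,                 # lines from: repadmin /showrepl * /csv
        [int]$MaxAgeHours = 24,              # longer than the Miami 12-hour blackout plus its interval
        [datetime]$Now = (Get-Date)          # injectable so the sample below is reproducible
    )
    # A few well-known "Last Failure Status" codes (assumed mapping for readable output)
    $status = @{ '1722' = 'RPC server unavailable';   '8524' = 'DNS lookup failure';
                 '8453' = 'Replication access denied'; '1256' = 'Remote system not available' }

    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $failures = [int]$row.'Number of Failures'
        $lastOk = $null
        try { $lastOk = [datetime]::Parse($row.'Last Success Time') } catch { }
        $stale = (-not $lastOk) -or (($Now - $lastOk).TotalHours -gt $MaxAgeHours)
        if ($failures -eq 0 -and -not $stale) { continue }    # healthy partner: skip it

        $code = [string]$row.'Last Failure Status'
        New-Object PSObject -Property @{
            Destination = $row.'Destination DSA'
            Source      = $row.'Source DSA'
            Partition   = $row.'Naming Context'
            Failures    = $failures
            LastSuccess = $lastOk
            Reason      = $(if ($failures -gt 0) { "$code $($status[$code])".Trim() }
                            else { "no successful sync in $MaxAgeHours h" })
        }
    }
}

# Constructed sample rows in the assumed /csv layout: one healthy partner,
# one failing with RPC errors, and one RODC that has simply not synced for a day.
$sample = @(
  'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
  'showrepl_INFO,London-Site,LON-DC1,"DC=WoodgroveBank,DC=com",NewYork-Site,NYC-DC1,RPC,0,0,2008-05-01 09:30:00,0',
  'showrepl_INFO,NewYork-Site,NYC-DC1,"CN=Configuration,DC=WoodgroveBank,DC=com",NewYork-Site,NYC-DC2,RPC,12,2008-05-01 09:45:00,2008-04-30 22:10:00,1722',
  'showrepl_INFO,Miami-Site,MIA-RODC,"DC=WoodgroveBank,DC=com",NewYork-Site,NYC-DC1,RPC,0,0,2008-04-30 06:00:00,0'
)
Get-ReplicationFailure -CsvLines $sample -Now ([datetime]'2008-05-01 10:00:00') |
    Format-Table Destination, Source, Partition, Failures, LastSuccess, Reason -AutoSize

# Live use on NYC-DC1:
#   Get-ReplicationFailure -CsvLines (repadmin /showrepl * /csv)
```

With the sample input the LON-DC1 row is dropped and the NYC-DC2 and MIA-RODC rows are reported, the first because of its 12 consecutive failures and the second because its last success is older than the threshold. Set MaxAgeHours per site link rather than globally if some links have a much longer schedule gap than others; otherwise a correctly scheduled link shows up as a false alarm every business day.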


Task 5: Shut down all virtual machines, and delete all changes

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise, you will have verified that AD DS replication is working.


Module Review and Takeaways

Review Questions

1. How can you minimize the chances of creating a replication conflict in your organization?

2. You have deployed nine domain controllers in the same domain. Five of these domain controllers are in one site, while four are in a different site. You have not modified the default-replication frequency for intra-site and intersite replication. You create a user account on one domain controller. What is the maximum amount of time it will take for that user account to be replicated to all of the domain’s controllers?

3. You add a new domain controller to an existing domain in your forest. Which AD DS partitions will be modified as a result?


4. Your organization has one domain with three sites: a head-office site, and two branch-office sites. Domain controllers in the branch-office sites can communicate with domain controllers at the head office, but cannot communicate directly with domain controllers in the other branch office due to firewall restrictions. How can you configure the site-link architecture in AD DS to integrate the firewall, and ensure that the KCC will not automatically create a connection between the branch-office sites?

5. Your organization has a head office and 20 branch offices. Each office is configured as a separate site. You have three domain controllers deployed at the head office. One of the domain controllers at the head office has a faster processor and more memory than the other two. You want to ensure that the AD DS replication workload is assigned to the more powerful computer. What should you do?

Considerations for Configuring AD DS Sites and Replication

Supplement or modify the following best practices for your own work situations:

• In an organization with a single site, you can almost always just accept the default replication configuration. Although you can modify the default notification times for AD DS replication, there is rarely any reason to do so.

• In an organization with multiple sites, you must plan the site design to optimize WAN utilization by minimizing Active Directory replication and client logon traffic.

• Use preferred bridgehead servers only if you want to exclude some domain controllers in the site from being bridgehead servers. Some domain controllers may not be powerful enough to replicate reliably between sites. Otherwise, allow the intersite topology generator to automatically select bridgehead servers.

• The site configuration and domain controller locations within sites can be modified after deployment. If you discover that your AD DS replication is inefficient, or your organization expands, it is easy to modify the AD DS replication process by adding or removing sites, or modifying the site link configuration.

• AD DS replication traffic between sites is compressed. This means that in all but the largest organizations, replication traffic will not consume a great deal of network bandwidth between sites.


Tools

Use the following tools when configuring AD DS sites and replication:

Tool: Server Manager
Use for: Accessing the AD DS management tools in a single console.
Where to find it: Click Start, and then point to Administrative Tools. Click Server Manager.

Tool: Active Directory Sites and Services
Use for: Creating and configuring sites and subnets, moving domain controllers between sites, and forcing replication.
Where to find it: Click Start, and then point to Administrative Tools. Click Active Directory Users and Computers.

Tool: Repadmin
Use for: Gathering data about the current replication topology and status, and creating new replication objects.
Where to find it: Installed by default and accessible at a command prompt.

Tool: DCDiag
Use for: Gathering data about domain controllers, including replication partners and status.
Where to find it: Installed by default and accessible at a command prompt.


Creating and Configuring Group Policy 5-1

Module 5 Creating and Configuring Group Policy

Contents:

Lesson 1: Overview of Group Policy 5-3

Lesson 2: Configuring the Scope of Group Policy Objects 5-16

Lesson 3: Evaluating the Application of Group Policy Objects 5-28

Lesson 4: Managing Group Policy Objects 5-33

Lesson 5: Delegating Administrative Control of Group Policy 5-40

Lab: Creating and Configuring GPOs 5-44


Module Overview

Administrators face increasingly complex challenges in managing the Information Technology (IT) infrastructure. They must deliver and maintain customized desktop configurations for a greater variety of employees, such as mobile users, information workers, or others assigned to strictly defined tasks, such as data entry.

Group Policy and the Active Directory® Domain Services (AD DS) infrastructure in Windows Server® 2008 enable IT administrators to automate user and computer management, thus simplifying administrative tasks and reducing IT costs. With Group Policy and AD DS, administrators can efficiently implement security settings, enforce IT policies, and distribute software consistently across a given site, domain, or range of organizational units (OUs).


Lesson 1: Overview of Group Policy

This lesson introduces you to how to use Group Policy to simplify managing computers and users in an Active Directory environment. You will learn how Group Policy Objects (GPOs) are structured and applied, and about some of the exceptions of how GPOs are applied.

This lesson also discusses Group Policy features that are included with Windows Server 2008, which also will help simplify computer and user management.


What Is Group Policy?

Key Points

Group Policy is a Microsoft® technology that supports one-to-many management of computers and users in an Active Directory environment. By editing Group Policy settings and targeting a Group Policy Object (GPO) at the intended users or computers, you can centrally manage specific configuration parameters. In this way, you can manage potentially thousands of computers or users by changing a single GPO.

A Group Policy object is the collection of settings that are applied to selected users and computers.

Group Policy can control many aspects of a target object’s environment, including the registry, NTFS file system security, audit and security policy, software installation and restriction, desktop environment, logon/logoff scripts, and so on.

One GPO can be associated with multiple containers in AD DS, through linking. Conversely, multiple GPOs may link to one container.

Question: When would local Group Policy be useful in a domain environment?

Additional Reading

• Microsoft Technet article: Windows Server Group Policy

Group Policy Settings

Key Points

Group Policy has thousands of configurable settings (approximately 2,400). These settings can affect nearly every area of the computing environment. Not every setting applies to every version of Windows. For example, software restriction policies, introduced with the Windows® XP Professional operating system and Windows Server 2003, cannot be processed by Windows 2000 clients, and many of the hundreds of settings that are new in the Windows Vista® operating system and Windows Server 2008 apply only to those operating systems. A computer that receives a setting it cannot process simply ignores it; the setting has no effect there, so do not rely on it as a control for older clients.

Question: Which of the new features will you find the most useful in your environment?

Additional Reading

• Microsoft Technet article: Summary of New or Expanded Group Policy Settings

• Microsoft Technet article: What's New in Group Policy in Windows Vista and Windows Server 2008?

How Group Policy Is Applied

Key Points

Clients initiate Group Policy application. At computer startup and at user logon, the client asks a domain controller for the list of GPOs that apply to the computer or user, and then reads each GPO's settings from that domain controller's SYSVOL share. After that, policy is refreshed in the background every 90 minutes plus a random offset of up to 30 minutes, so that clients do not all contact the domain controller at once; domain controllers refresh every 5 minutes. When Group Policy is applied, client components called Group Policy client-side extensions interpret the policy and make the appropriate environment changes, one extension per area (registry-based Administrative Templates, security settings, scripts, software installation, and so on). The Group Policy engine (Winlogon on Windows XP and Windows Server 2003; the Group Policy Client service on Windows Vista and Windows Server 2008) passes the list of GPOs that must be processed to each client-side extension, which then processes the settings it owns from those GPOs. By default an extension skips GPOs whose version has not changed since the last refresh; the security settings extension is the exception and reapplies its settings every 16 hours even when nothing changed, which is what restores a security setting that was altered locally.

Question: What would be some advantages and disadvantages to lowering the refresh interval?

Additional Reading

• Microsoft Technet article: Windows Server Group Policy
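The hand-off described above, from the Group Policy engine to each client-side extension, leaves a record in the registry that you can read back. The following PowerShell script is an added example, not part of the handbook: it maps each extension's GUID to the name it registered with Winlogon and then lists, per extension, which GPOs it processed in the last computer-policy refresh and where in SYSVOL it read them from. It assumes an elevated prompt on a domain-joined Windows Vista or Windows Server 2008 (or later) computer; the registry paths and value names are the ones the Group Policy engine writes, and the user-side history lives under the same subpath in HKCU.

```powershell
# Added example, not part of the handbook: show which GPOs each Group Policy client-side
# extension (CSE) processed in the last computer-policy refresh on this machine.
# Assumes an elevated PowerShell prompt on a domain-joined Windows Vista / Windows Server 2008
# (or later) computer. Registry locations used:
#   CSE registrations: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CSE GUID}
#   per-CSE history:   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{CSE GUID}\<n>
# (user-side history lives under the same subpath in HKCU).

function Get-CseName {
    # Map a CSE GUID to the friendly name registered with Winlogon; fall back to the GUID.
    param([string]$Guid)
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$Guid"
    if (Test-Path $key) {
        $name = (Get-ItemProperty -Path $key).'(default)'
        if ($name) { return $name }
    }
    return $Guid
}

function Get-GpoHistory {
    # Returns one object per (CSE, GPO) pair, in the order the CSE processed the GPOs.
    param([string]$HistoryRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History')
    foreach ($cseKey in Get-ChildItem -Path $HistoryRoot) {
        $cseName = Get-CseName -Guid $cseKey.PSChildName
        $entries = Get-ChildItem -Path $cseKey.PSPath | Sort-Object { [int]$_.PSChildName }
        foreach ($entryKey in $entries) {
            $e = Get-ItemProperty -Path $entryKey.PSPath
            New-Object PSObject -Property @{
                Extension   = $cseName
                Order       = [int]$entryKey.PSChildName
                DisplayName = $e.DisplayName
                # 'LocalGPO' marks the local policy; domain GPOs carry the DN of their GPC here.
                GpoId       = $e.'GPO-ID'
                # The SYSVOL (or local) folder the CSE read its settings from.
                FileSysPath = $e.FileSysPath
                Version     = $e.Version
            }
        }
    }
}

Get-GpoHistory | Format-Table Extension, Order, DisplayName, Version, FileSysPath -AutoSize
```

Compare the FileSysPath column against the SYSVOL share of the domain controller you expect; a GPO being read from an unexpected path is worth a closer look, and an extension that shows no entries at all has not processed anything since the last refresh, which is the first thing to check when a setting "does not apply".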

Exceptions to Group Policy Processing

Key Points

Different factors can change the normal Group Policy processing behavior, such as logging on over a slow connection. By default a link slower than 500 kilobits per second is treated as slow; over a slow link the Administrative Templates and Security Settings extensions still run, while extensions such as software installation, folder redirection, and scripts are skipped unless you configure them to process anyway. Windows XP and Windows Server 2003 measure the link with Internet Control Message Protocol (ICMP) pings to the domain controller, which fails where ICMP is filtered; Windows Vista and Windows Server 2008 use Network Location Awareness (NLA) instead, which also lets them notice when a computer regains a connection to the domain network, for example over a VPN, and refresh policy then. Different types of connections and operating systems therefore handle Group Policy processing differently.

Question: How is Network Location Awareness (NLA) better than Internet Control Message Protocol (ICMP) in the proper application of Group Policy?

Additional Reading

• Controlling Client-Side Extensions by Using Group Policy

Group Policy Components

Key Points

A GPO is stored in two places that are kept in step by a version number. The Group Policy container (GPC) is an object in AD DS, under CN=Policies,CN=System in the domain partition, that holds the GPO's GUID, display name, version, status, and the path to its template; it replicates with AD DS. The Group Policy template (GPT) is a folder in the domain's SYSVOL share (\\<domain>\SYSVOL\<domain>\Policies\{GUID}) that holds the settings themselves: registry-based Administrative Template data, security settings, scripts, and software installation information; it replicates with SYSVOL. Administrative Templates (ADM or ADMX files) define which registry-based settings the editor offers for configuration. Because a GPO is an object in its own right rather than a property of a container, one policy may be associated with multiple Active Directory containers through linking, and conversely multiple policies may link to one container.

Group Policy has three major components.

• Group Policy templates

• Group Policy container

• Group Policy objects
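Because the GPC in AD DS and the GPT in SYSVOL replicate by different mechanisms, they can drift apart, and because the GPT is an ordinary folder, whoever can write to it can change policy without ever touching AD DS. The following PowerShell script is an added example, not part of the handbook, that walks CN=Policies,CN=System, compares each GPC's versionNumber with the Version line in the template's GPT.ini, and lists the accounts allowed to write into the template folder. It assumes a domain-joined computer and an account that can read the policies container and the SYSVOL share (any domain user by default); the domain name is taken from RootDSE rather than hard-coded.

```powershell
# Added example, not part of the handbook: cross-check each GPO's Group Policy container (GPC)
# in AD DS against its Group Policy template (GPT) in SYSVOL. Assumes a domain-joined computer and
# an account that can read CN=Policies,CN=System and the SYSVOL share (any domain user by default).
# The domain DN is read from RootDSE, so nothing here is tied to a particular domain.

function Get-GptVersion {
    # GPT.ini stores the template's version as 'Version=<n>' in its [General] section.
    param([string]$GptFolder)
    $ini = Join-Path $GptFolder 'GPT.ini'
    if (-not (Test-Path $ini)) { return $null }           # no GPT.ini = orphaned container
    foreach ($line in Get-Content -Path $ini) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Test-GpoConsistency {
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $policies = [ADSI]("LDAP://CN=Policies,CN=System,$domainDn")

    foreach ($gpc in $policies.psbase.Children) {
        if (-not ($gpc.objectClass -contains 'groupPolicyContainer')) { continue }

        $gpcVersion = [int][string]$gpc.versionNumber
        $gptFolder  = [string]$gpc.gPCFileSysPath
        $gptVersion = Get-GptVersion -GptFolder $gptFolder

        # Accounts that can write into the GPT folder can change the policy without touching
        # AD DS, so list them for review (expect SYSTEM, Domain Admins, Enterprise Admins,
        # CREATOR OWNER and, on freshly created GPOs, Group Policy Creator Owners).
        $writers = @()
        if (Test-Path $gptFolder) {
            $writers = @((Get-Acl -Path $gptFolder).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles|AppendData' } |
                ForEach-Object { $_.IdentityReference.Value })
        }

        New-Object PSObject -Property @{
            Name        = [string]$gpc.name                 # {GUID}
            DisplayName = [string]$gpc.displayName
            # versionNumber packs the user counter (high 16 bits) and the computer counter (low 16 bits).
            GpcUserVer  = [int][math]::Floor($gpcVersion / 65536)
            GpcCompVer  = $gpcVersion -band 0xFFFF
            GptVersion  = $gptVersion
            InSync      = ($gptVersion -ne $null) -and ($gptVersion -eq $gpcVersion)
            GptWriters  = (($writers | Sort-Object -Unique) -join '; ')
        }
    }
}

Test-GpoConsistency | Sort-Object DisplayName |
    Format-Table DisplayName, GpcCompVer, GpcUserVer, GptVersion, InSync, GptWriters -AutoSize
```

A GPO whose InSync column is false is still replicating, or has stopped replicating on one side; run it against more than one domain controller's SYSVOL (point the UNC path at a specific server) before deciding which. An unexpected identity in GptWriters is a finding in its own right: that account can alter scripts and security templates that every affected computer will execute.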

What Are ADM and ADMX Files?

Key Points

ADM Files

Traditionally, ADM files have been used to define the registry-based settings the administrator can configure through Group Policy. Each successive Windows operating system and service pack has included a newer version of these files. ADM files use their own markup language, which makes them difficult to customize. The default ADM templates are located in the %SystemRoot%\Inf folder, and a copy of each ADM file a GPO uses is also stored in that GPO's template in SYSVOL, so every GPO carries its own copies.

ADMX Files

Windows Vista and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings are defined in a standards-based XML file format known as ADMX files: a language-neutral .admx file paired with an .adml file that holds the display strings for each language. Locally they are stored in %SystemRoot%\PolicyDefinitions, with the .adml files in a language subfolder such as en-US. These new files replace ADM files. Group Policy tools on Windows Vista and Windows Server 2008 will continue to recognize custom ADM files you have in your existing environment, but will ignore any ADM file that ADMX files have superseded.

Question: How could you tell if a GPO was created or edited using ADM or ADMX files?

Additional Reading

• Microsoft Technet article: Managing Group Policy ADMX Files Step-by-Step Guide

• Microsoft Support: Location of ADM (Administrative Template) Files in Windows

What Is the Central Store?

Key Points

For domain-based enterprises, administrators can create a central store of ADMX files in SYSVOL that is accessible to anyone with permission to create or edit GPOs. The Group Policy Object Editor on Windows Vista and Windows Server 2008 checks for the central store first: if it exists, the editor reads Administrative Template policy settings from it and ignores the copies stored locally in %SystemRoot%\PolicyDefinitions. If no central store exists, or no domain controller can be reached, the local store is used.

You must create the central store yourself, as the folder \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions on a domain controller, and you must update it manually whenever new or revised ADMX files are released. Whether ADMX files are used depends on the operating system of the computer on which you create or edit the GPO, not on the domain controller; the domain controller can therefore run Windows 2000 Server, Windows Server® 2003, or Windows Server 2008. SYSVOL replication (the File Replication Service, or DFS Replication in domains that have migrated SYSVOL to it) carries the central store to the domain's other domain controllers.
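Creating the store is a copy of the local PolicyDefinitions folder into the SYSVOL path above, but it is easy to copy the .admx files and forget the per-language .adml files, after which the editor cannot display the affected templates. The PowerShell script below is an added example, not part of the handbook: it publishes the local folder to the central store and then checks that every .admx in the store has a matching .adml for the editing workstation's UI language. It assumes an elevated prompt on a domain-joined Windows Vista or Windows Server 2008 (or later) computer and an account that can write to SYSVOL (Domain Admins by default); the function and variable names are the example's own.

```powershell
# Added example, not part of the handbook: create or refresh the ADMX central store from the
# PolicyDefinitions folder of the computer the script runs on. Assumes an elevated prompt on a
# domain-joined Windows Vista / Windows Server 2008 (or later) computer and an account that can
# write to SYSVOL (Domain Admins by default). Run it on, or against, the PDC emulator so that
# the GPMC and the store change on the same domain controller.

function Publish-CentralStore {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Source = (Join-Path $env:SystemRoot 'PolicyDefinitions')
    )
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path $Source)) { throw "No PolicyDefinitions folder at $Source" }
    if (-not (Test-Path $store))  { New-Item -Path $store -ItemType Directory | Out-Null }

    # Language-neutral .admx files go in the root of the store ...
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -Force
    # ... and each language subfolder (en-US, de-DE, ...) carries the matching .adml strings.
    foreach ($langDir in (Get-ChildItem -Path $Source | Where-Object { $_.PSIsContainer })) {
        $target = Join-Path $store $langDir.Name
        if (-not (Test-Path $target)) { New-Item -Path $target -ItemType Directory | Out-Null }
        Copy-Item -Path (Join-Path $langDir.FullName '*.adml') -Destination $target -Force
    }
    return $store
}

function Test-CentralStore {
    # Every .admx needs an .adml for the editing workstation's UI language, or the editor
    # reports the template as unreadable. Returns the names of ADMX files that lack one.
    param([string]$Store, [string]$Language = (Get-UICulture).Name)
    $missing = Get-ChildItem -Path $Store -Filter '*.admx' | Where-Object {
        -not (Test-Path (Join-Path $Store "$Language\$($_.BaseName).adml"))
    }
    return @($missing | ForEach-Object { $_.Name })
}

$store   = Publish-CentralStore
$missing = Test-CentralStore -Store $store
$uiLang  = (Get-UICulture).Name
if ($missing.Count -gt 0) {
    Write-Warning ("{0} ADMX file(s) in {1} have no {2} ADML: {3}" -f $missing.Count, $store, $uiLang, ($missing -join ', '))
} else {
    Write-Output "Central store at $store is complete for $uiLang"
}
```

Once the store exists the editor uses it exclusively, so a store that is older than the local PolicyDefinitions folder silently hides newer settings from every administrator; rerun the publish step after each service pack or ADMX download rather than editing from a workstation that happens to have newer local files.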

Question: What would be the advantage of creating the central store on the PDC emulator?

Additional Reading

• Microsoft Support: How to create a Central Store for Group Policy Administrative Templates in Windows Vista

Demonstration: Configuring Group Policy Objects

Question: When you open the GPMC on your Windows XP computer, you do not see the new Windows Vista settings in the Group Policy Object Editor. Why not?

Lesson 2: Configuring the Scope of Group Policy Objects

There are several techniques in Group Policy that allow administrators to manipulate how Group Policy is applied. You can control the default processing order of policies through enforcement, blocking inheritance, security filtering, Windows Management Instrumentation (WMI) filters, or using the loopback feature. In this lesson, you will learn about these techniques.

Group Policy Processing Order

Key Points

The GPOs that apply to a user or computer do not all have the same precedence. GPOs are applied in a fixed order: the local GPO first, then GPOs linked to the site, then GPOs linked to the domain, then GPOs linked to each OU from the top of the OU tree down to the OU that holds the user or computer. Where several GPOs are linked to the same container, the link order decides, and link order 1 is applied last. Because a setting processed later overwrites the same setting processed earlier, the GPO closest to the object normally wins. For example, a policy that restricts access to Control Panel applied at the domain level could be reversed by a policy applied at the OU level for that particular OU. Only conflicting settings are overwritten; a setting configured in just one GPO is inherited unchanged.

Question: Your organization has multiple domains spread over multiple sites. You want to apply a Group Policy to all users in two different domains. What is the best way to accomplish this?

Additional Reading

• Microsoft Technet article: Group Policy processing and precedence

What Are Multiple Local Group Policy Objects?

Key Points

In Microsoft operating systems prior to Windows Vista, there was only one user configuration available in the local Group Policy, and it was applied to every user who logged on to the computer. That single local GPO still exists, but Windows Vista and Windows Server 2008 add two further layers of local GPOs: an Administrators and a Non-Administrators local GPO, whose user settings apply according to whether the user is a member of the local Administrators group, and user-specific local GPOs for individual local accounts. The layers are applied in that order, so the user-specific layer has the highest precedence among the local GPOs, and domain-based GPOs still override all of them. There remains only one computer configuration, which affects all users.

Question: When would multiple local Group Policy objects be useful in a domain environment?

Additional Reading

• Microsoft Technet article: Step-by-Step Guide to Managing Multiple Local Group Policy Objects

Options for Modifying Group Policy Processing

Key Points

There may be occasions when the normal behavior of Group Policy is not desirable. For example, certain users or groups may need to be exempt from restrictive Group Policy settings, or a GPO should be applied only to computers with certain hardware or software characteristics. By default, a new GPO grants the Authenticated Users group the Read and Apply Group Policy permissions, so it applies to every user and computer in the containers it is linked to (computer accounts are members of Authenticated Users as well). You can change that behavior through security filtering, WMI filters, Enforced links, Block Inheritance, and loopback processing.

Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would you ensure that all users in the Finance department receive your desktop policy?

Additional Reading

• Microsoft Technet article: Controlling the Scope of Group Policy Objects using GPMC

Demonstration: Configuring Group Policy Object Links

Question: True or false – if a GPO is linked to multiple containers, altering the settings for one of those links will only affect that container.

Demonstration: Configuring Group Policy Inheritance

Question: Your domain has two domain-level policies, GPO1 and GPO2. You need to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs. How could you accomplish this?

Demonstration: Filtering Group Policy Objects Using Security Groups

Question: You want to ensure that a specific policy linked to an OU will only affect the members of the Managers global group. How would you accomplish this?

Demonstration: Filtering Group Policy Objects Using WMI Filters

Question: You need to deploy a software application that requires computers to have more than 1 GB or RAM. What is the best way to accomplish this?

How Does Loopback Processing Work?

Key Points

User policy settings are normally derived entirely from the GPOs associated with the user account, based on its AD DS location. However, loopback processing directs the system to apply an alternate set of user settings, taken from the GPOs that apply to the computer, to any user who logs on to a computer affected by this policy. Loopback processing is intended for special-use computers where you must modify the user policy based on the computer being used, such as computers in public areas or classrooms. When you apply loopback, it will affect all users except local ones.

Loopback operates using the following two modes:

• Merge mode

• Replace mode

Additional Reading

• Microsoft Technet article: Loopback processing with merge or replace

• Microsoft Technet article: Loopback processing of Group Policy
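The processing order described earlier in this lesson (local, site, domain, OU chain, with Enforced links and Block Inheritance) and the two loopback modes above are both easiest to reason about as a small algorithm. The PowerShell script below is an added example, not part of the handbook: it models that algorithm on hand-built link data rather than querying a live domain, and then shows what each loopback mode does to the list of GPOs that supply user settings. The container and GPO names in the sample are invented, and security filtering and WMI filters are deliberately left out of the model.

```powershell
# Added example, not part of the handbook: an offline model of the Group Policy processing
# order (local, site, domain, OU chain) with Enforced links and Block Inheritance, and of the
# two loopback modes. It runs on hand-built link data, not against a live domain; the GPO and
# container names in the sample are invented. Security filtering and WMI filters are not modelled.

function New-GpoLink {
    param([string]$Gpo, [int]$Order, [switch]$Enforced, [switch]$Disabled)
    New-Object PSObject -Property @{
        Gpo = $Gpo; Order = $Order; Enforced = [bool]$Enforced; Enabled = (-not $Disabled)
    }
}

function New-Som {
    # A scope of management (site, domain or OU) and the links configured on it.
    param([string]$Name, [object[]]$Links = @(), [switch]$BlockInheritance)
    New-Object PSObject -Property @{
        Name = $Name; Links = $Links; BlockInheritance = [bool]$BlockInheritance
    }
}

function Resolve-GpoOrder {
    # $Soms runs from the top of the hierarchy down: site, domain, parent OUs, the object's own OU.
    # Returns GPO names in application order; the last entry has the highest precedence.
    param([object[]]$Soms)
    $normal   = @()
    $enforced = @()
    foreach ($som in $Soms) {
        # Block Inheritance discards every inherited link collected so far except Enforced ones.
        if ($som.BlockInheritance) { $normal = @() }
        $active = @($som.Links | Where-Object { $_.Enabled })
        # Within one container, link order 1 is applied last and therefore wins.
        foreach ($link in @($active | Where-Object { -not $_.Enforced } | Sort-Object Order -Descending)) {
            $normal += $link.Gpo
        }
        foreach ($link in @($active | Where-Object { $_.Enforced } | Sort-Object Order)) {
            $enforced += $link.Gpo
        }
    }
    # Enforced links are applied after everything else, and an Enforced link on a parent
    # container beats one on a child, so the top-down list is reversed before it is appended.
    [array]::Reverse($enforced)
    return @('Local Group Policy') + $normal + $enforced
}

function Resolve-LoopbackUserOrder {
    # Which GPOs supply the *user* settings when loopback is set in the computer's GPOs.
    param([string[]]$UserOrder, [string[]]$ComputerOrder,
          [ValidateSet('None', 'Merge', 'Replace')][string]$Mode = 'None')
    switch ($Mode) {
        'Replace' { return $ComputerOrder }                # the user's own GPO list is ignored
        'Merge'   { return $UserOrder + $ComputerOrder }   # both; the computer's list comes last, so it wins
        default   { return $UserOrder }
    }
}

# Constructed sample (names invented). The domain links GPO1 (Enforced, link order 1) and GPO2.
# The Finance OU blocks inheritance: it keeps GPO1 but drops GPO2. Kiosk computers sit in OU=Kiosks.
$site    = New-Som -Name 'Default-First-Site-Name'
$domain  = New-Som -Name 'contoso.com' -Links @((New-GpoLink -Gpo 'GPO1' -Order 1 -Enforced), (New-GpoLink -Gpo 'GPO2' -Order 2))
$finance = New-Som -Name 'OU=Finance' -BlockInheritance -Links @((New-GpoLink -Gpo 'Finance Desktop' -Order 1))
$kiosks  = New-Som -Name 'OU=Kiosks' -Links @((New-GpoLink -Gpo 'Kiosk Computer Security' -Order 1))

$userOrder     = Resolve-GpoOrder -Soms @($site, $domain, $finance)
$computerOrder = Resolve-GpoOrder -Soms @($site, $domain, $kiosks)
"User (Finance OU):      " + ($userOrder -join ' -> ')       # Local Group Policy -> Finance Desktop -> GPO1
"Computer (Kiosks OU):   " + ($computerOrder -join ' -> ')   # Local Group Policy -> GPO2 -> Kiosk Computer Security -> GPO1
"User settings, Replace: " + ((Resolve-LoopbackUserOrder $userOrder $computerOrder 'Replace') -join ' -> ')
"User settings, Merge:   " + ((Resolve-LoopbackUserOrder $userOrder $computerOrder 'Merge') -join ' -> ')
```

Read each printed line from left to right as application order: the rightmost GPO wins a conflict. Note how the Enforced domain link survives the Finance OU's Block Inheritance while GPO2 does not, and how Replace mode gives a kiosk user exactly the computer's list, whereas Merge mode appends the computer's list after the user's own, so the kiosk GPO still wins conflicts but the user keeps every setting the kiosk GPO does not touch.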

Discussion: Configuring the Scope of Group Policy Processing

Scenario

Use the following scenario information for your discussion.

Physical structure

Woodgrove Bank has a single domain that spans two sites, Head Office and Toronto. The Toronto site is connected to the Head Office site across a high-speed link. Within the Head Office site, there is a branch office in Winnipeg. This office is connected to Head Office across a slow link. There are five users in the Winnipeg office. There is no domain controller in the Winnipeg office, but there is a SQL server.

This organization has deployed both Windows XP Professional and Windows Vista computers.

Requirements

All domain computers that have Windows XP Professional installed will have a small software application distributed through Group Policy.

Domain users should not have access to the desktop display properties. The Administrators group will be exempt from this restriction.

Both the Winnipeg and Toronto branch users will have further desktop restrictions applied.

Both branches will have a kiosk computer available in the lobby for public Internet access. This computer needs to be locked down so that the user cannot change any settings. Their computer accounts are located in their respective branches’ OU.

The computer accounts for all servers other than domain controllers will be located in the Servers OU or in an OU nested inside it. All servers must have baseline security settings applied.

SQL servers must have additional security settings applied.

Question: How would you construct a Group Policy scheme to satisfy the requirements?

Lesson 3: Evaluating the Application of Group Policy Objects

System administrators need to know how Group Policy settings affect computers and users in a managed environment. This information is essential when planning Group Policy for a network, and when debugging existing GPOs. Obtaining the information can be a complex task when you consider the many combinations of sites, domains, and organizational units that are possible, and the many types of Group Policy settings that can exist. Further complicating the task are security-group filtering, and GPO inheritance, blocking, and enforcement. The Group Policy Results (GPResult.exe) command-line tool and the GPMC provide reporting features to simplify these tasks.

What Is Group Policy Reporting?

Key Points

Group Policy Reporting is a feature of Group Policy that makes implementation and troubleshooting easier. Two main troubleshooting tools are the GPResult.exe command-line tool and the Group Policy Results Wizard in the GPMC. Both report the Resultant Set of Policy (RSoP): the GPOs and settings that were actually applied to a given computer and to a user who logged on to it. GPResult runs on the client itself, so it needs only a session on that computer, and its output includes the domain controller from which policy was applied. The Group Policy Results Wizard queries the target computer remotely over WMI, so the target must be reachable, its firewall must permit remote administration, and the account you use needs local administrative rights on it. Although these tools are similar, each presents different information.

Question: You want to know which domain controller delivered Group Policy to a client. Which utility would you use to find that out?

Additional Reading

• Microsoft resources: Gpresult

• Microsoft Technet article: Group Policy Results (Administering Group Policy with Group Policy Management Console)

What Is Group Policy Modeling?

Key Points

Another method for testing Group Policy is to use the Group Policy Modeling Wizard in the GPMC to model environment changes before you actually make them. The Group Policy Modeling Wizard calculates the simulated net effect of GPOs. It also simulates security group membership, WMI filter evaluation, and the effect of moving user or computer objects to a different OU or site, and you can specify slow-link detection, loopback processing, or both.

The Group Policy Modeling process runs on a domain controller in your Active Directory domain, which must be running Windows Server 2003 or later because the simulation is performed by the Resultant Set of Policy Provider service on that domain controller. Because the wizard never queries the client computer, it cannot take local GPOs into account, and its result is a prediction: a client whose network conditions or local state differ from the simulation may apply policy differently, so confirm important changes with Group Policy Results on a real client.

Question: What simulations can be performed with the Group Policy Modeling Wizard? Choose all that apply.

a. Loopback processing

b. Moving a user to a different domain in the same forest.

c. Security group filtering

d. Slow link detection

e. WMI filtering

f. All of the above

Additional Reading

• Microsoft Technet article: Using Group Policy Modeling and Group Policy Results to Evaluate Group Policy Settings

Demonstration: How to Evaluate the Application of Group Policy Objects

Question: A user reports that they are unable to access Control Panel. Other users in the department can access Control Panel. What tools might you use to troubleshoot the problem?

Lesson 4: Managing Group Policy Objects

GPMC provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is very important for maintaining your Group Policy deployments in the event of error or disaster. It helps you avoid manually recreating lost or damaged GPOs, and having to again go through the planning, testing, and deployment phases. Part of your ongoing Group Policy operations plan should include regular backups of all GPOs.

GPMC also provides for copying and importing GPOs, both from the same domain and across domains.

GPO Management Tasks

Key Points

Like critical data and other Active Directory-related resources, GPOs must be backed up to protect the integrity of AD DS and of the GPOs themselves. The GPMC provides the basic backup and restore options, and also provides additional control over GPOs for administrative purposes. A GPMC backup of a GPO captures the settings in the GPC and the GPT, the GPO's permissions, and the link to any WMI filter, but not the GPO's links to sites, domains, or OUs, the WMI filter itself, or IPsec policies; record those separately, for example with a GPMC HTML report of the GPO. Treat the backup location as sensitive: a restore or import writes the backup's contents straight back into policy, so anyone who can modify a backup can change what every affected computer will enforce.

Question: You perform regular backups of GPOs. An administrator has inadvertently changed a number of settings on the wrong GPO. What is the quickest way to fix the problem?

Additional Reading

• Windows Server Library: Backing up, Restoring, Migrating, and Copying GPOs

• Microsoft Technet article: Import using GPMC
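Windows Server 2008 predates the GroupPolicy PowerShell module, but the GPMC exposes its backup operation through COM (the GPMgmt.GPM object that the GPMC's own sample scripts use), so regular backups can still be scripted. The PowerShell script below is an added example, not part of the handbook: it backs up every GPO in the domain into a time-stamped folder and returns one record per GPO. It assumes the GPMC is installed on the computer that runs it, that the account has Read on each GPO (which is all a backup requires), and that the backup root (an invented path) is a folder only GPO administrators can write to.

```powershell
# Added example, not part of the handbook: back up every GPO in the domain through the GPMC COM
# interfaces (GPMgmt.GPM), available on Windows Server 2008, which predates the GroupPolicy
# PowerShell module. Assumes the GPMC is installed where this runs, the account has Read on
# each GPO (all a backup needs), and $BackupRoot (invented) is writable only by GPO administrators.

function Backup-AllGpos {
    param(
        [string]$BackupRoot = 'D:\GPOBackups',
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $gpm       = New-Object -ComObject GPMgmt.GPM
    $constants = $gpm.GetConstants()
    # An empty DC name with UseAnyDC lets the GPMC choose a domain controller; pass
    # $constants.UsePDC instead to take every backup from the PDC emulator, the DC the GPMC
    # edits against by default.
    $gpmDomain = $gpm.GetDomain($Domain, '', $constants.UseAnyDC)

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
    $target = Join-Path $BackupRoot $stamp
    New-Item -Path $target -ItemType Directory -Force | Out-Null

    $allGpos = $gpmDomain.SearchGPOs($gpm.CreateSearchCriteria())   # empty criteria = every GPO
    foreach ($gpo in $allGpos) {
        $result = $gpo.Backup($target, "Backup taken $stamp")
        $result.OverallStatus() | Out-Null   # raises an error if the GPMC reported a failure for this GPO
        New-Object PSObject -Property @{
            DisplayName = $gpo.DisplayName
            GpoId       = $gpo.ID
            BackupId    = $result.Result.ID      # the ID you pass to RestoreGPO / ImportGPO later
            Folder      = $target
        }
    }
}

Backup-AllGpos | Format-Table DisplayName, GpoId, BackupId, Folder -AutoSize
```

Keep the returned BackupId values with the backup: a folder accumulates many backups of the same GPO over time, and the ID is how the GPMC's restore and import dialogs (and the COM RestoreGPO and ImportGPO methods) identify the one you mean. Because links are not part of the backup, export a GPMC report of each GPO's links alongside it if you need to rebuild a domain from the backups.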

What Is a Starter GPO?

Key Points

Starter GPOs store a collection of Administrative Template policy settings in a single object. Starter GPOs only contain Administrative Templates. You can import and export Starter GPOs to distribute them to other areas of your enterprise.

When you create a new GPO from a Starter GPO, the new GPO has all the Administrative Template settings that the Starter GPO defined. In this way, Starter GPOs act as templates for creating GPOs, which helps provide consistency in distributed environments.

Individual Starter GPOs can be exported into .Cab files for easy distribution. You then can import these cab files back into the GPMC. The GPMC stores Starter GPOs in a folder named StarterGPOs, which is located in SYSVOL.

Additional Reading

• Help Topics: Working with Starter GPOs

Demonstration: How to Copy a GPO

Question: What is the advantage of copying a GPO and linking it to an OU over linking the original GPO to multiple OUs?

Demonstration: Backing up and Restoring GPOs

Question: What permissions are required to back-up a GPO?

Demonstration: Importing a GPO

Question: What is the purpose of a migration table?

Migrating Group Policy Objects

Key Points

The ADMX Migrator, a downloadable tool from Microsoft, converts custom ADM templates into ADMX templates and also creates the associated ADML file. Converted files are saved to the user's documents folder by default. Once you have the new files, copy the ADMX file into the PolicyDefinitions folder or the central store, and copy the ADML file into the matching language subfolder (for example, en-US). The new Administrative Templates then become available in the GPMC. Review a converted template before you publish it to the central store: every administrator who edits GPOs will see its settings, and whatever registry values it defines will be written to each computer that processes a GPO using them.

Additional Reading

• Microsoft Web site: ADMX Migrator

Lesson 5: Delegating Administrative Control of Group Policy

In a distributed environment, it is common to have different groups delegated to perform different administrative tasks. Group Policy management is one of the administrative tasks that you can delegate.

Options for Delegating Control of GPOs

Key Points

Delegation allows the administrative workload to be distributed across the enterprise. One group could be tasked with creating and editing GPOs, while another group performs reporting and analysis duties. A separate group might be in charge of WMI filters.

The following Group Policy tasks can be independently delegated:

• Creating GPOs

• Editing GPOs

• Managing Group Policy links for a site, domain, or OU

• Performing Group Policy Modeling analyses on a given domain or OU

• Reading Group Policy Results data for objects in a given domain or OU

• Creating WMI filters in a domain

Additional Reading

• Microsoft Technet article: Delegating Group Policy
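Delegated edit rights accumulate over time, and edit rights on a GPO that is linked to the domain or to the Domain Controllers OU amount to domain-wide privilege, so the delegation model above needs a way to review who currently holds which permission on each GPO. The PowerShell script below is an added example, not part of the handbook: it uses the GPMC COM interfaces (GPMgmt.GPM) to produce one row per GPO and trustee, then lists everyone who can change settings and every explicit deny (the form security filtering takes when it exempts a group, as the lab later in this module does for the branch managers). It assumes the GPMC is installed and that the account can read the security of each GPO; the function name is the example's own.

```powershell
# Added example, not part of the handbook: list, for every GPO in the domain, who can change it
# and who is explicitly denied, through the GPMC COM interfaces (GPMgmt.GPM). Edit rights on a
# GPO linked to the domain or to Domain Controllers are domain-wide privilege, so this is the
# review list for any delegation. Assumes the GPMC is installed and the account can read each GPO.

function Get-GpoPermissionReport {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $gpm       = New-Object -ComObject GPMgmt.GPM
    $constants = $gpm.GetConstants()
    $gpmDomain = $gpm.GetDomain($Domain, '', $constants.UseAnyDC)

    # The GPMC reports permissions as numeric constants; label the GPO-level ones.
    $labels = @{}
    $labels[$constants.PermGPOApply]                 = 'Apply Group Policy'
    $labels[$constants.PermGPORead]                  = 'Read'
    $labels[$constants.PermGPOEdit]                  = 'Edit settings'
    $labels[$constants.PermGPOEditSecurityAndDelete] = 'Edit settings, delete, modify security'
    $labels[$constants.PermGPOCustom]                = 'Custom'

    foreach ($gpo in $gpmDomain.SearchGPOs($gpm.CreateSearchCriteria())) {
        foreach ($perm in $gpo.GetSecurityInfo()) {
            $label = $labels[$perm.Permission]
            if (-not $label) { $label = "Unknown ($($perm.Permission))" }
            New-Object PSObject -Property @{
                Gpo        = $gpo.DisplayName
                Trustee    = $perm.Trustee.TrusteeName
                Permission = $label
                Denied     = [bool]$perm.Denied
                Inherited  = [bool]$perm.Inherited
            }
        }
    }
}

$report = Get-GpoPermissionReport

# Who can change settings: anything beyond Domain Admins, Enterprise Admins, SYSTEM and the
# GPO's creator deserves a second look, especially on GPOs linked high in the hierarchy.
$report | Where-Object { -not $_.Denied -and $_.Permission -like 'Edit*' } |
    Sort-Object Gpo, Trustee | Format-Table Gpo, Trustee, Permission, Inherited -AutoSize

# Explicit denies: this is what security filtering with 'Deny Apply Group Policy' looks like.
$report | Where-Object { $_.Denied } |
    Sort-Object Gpo, Trustee | Format-Table Gpo, Trustee, Permission -AutoSize
```

Run it before and after a delegation change and diff the two outputs; the same report also answers the recurring question of why a GPO does not apply to someone, because a Deny on Apply Group Policy for any group the user belongs to overrides the default Allow for Authenticated Users.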

Demonstration: How to Delegate Administrative Control of GPOs

Question: A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this?

Lab: Creating and Configuring GPOs

Scenario

The Woodgrove Bank has decided to implement Group Policy to manage user desktops and to configure computer security. The organization already implemented an OU configuration that includes top-level OUs by location, with additional OUs within each location OU for different departments. User accounts are in the same container as their workstation computer accounts. Server computer accounts are spread throughout various OUs.

The enterprise administrator has created a GPO deployment plan. You have been asked to create GPOs so that certain policies can be applied to all domain objects. Some policies are considered mandatory. You also want to create policy settings that will apply only to subsets of the domain’s objects, and you want to have separate policies for computer settings and user settings. You must delegate GPO administration to administrators within each company location.

Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings and may not always follow best practices.

Group Policy Requirements

• Domain users will not have access to the Run menu. The policy will apply to all users except users in the IT Admin OU.

• Executives will not have access to the desktop display settings.

• The NYC, Miami and Toronto branch users will not have access to the Control Panel. All branch managers will be exempt from this restriction.

• All domain computers will have a mandatory baseline security policy applied that does not display the name of the last logged on user.

• Computers running Windows Vista or Windows XP will have additional settings applied to wait for the network at startup.

• Users in the administrators group will have the URL for Microsoft support added to their Favorites.

• Kiosk computers in the branch offices will have Loopback processing enabled.

Exercise 1: Creating and Configuring Group Policy Objects

You will create and link the GPOs that the enterprise administrator's design specifies. Tasks include modifying the default domain policy, and creating policies linked to specific OUs and sites.

The main tasks are as follows:

1. Start and log on to NYC-DC1.

2. Create the GPOs.

3. Configure GPOs.

4. Link the GPOs.

Task 1: Start and log on to NYC-DC1

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create the GPOs

• Use the GPMC to perform the following:

• Create a GPO named Restrict Control Panel.

• Create a GPO named Restrict Desktop Display.

• Create a GPO named Restrict Run Command.

• Create a GPO named Baseline Security.

• Create a GPO named Vista and XP Security.

• Create a GPO named Admin Favorites.

• Create a GPO named Kiosk Computer Security.

Task 3: Configure the GPOs

1. Edit the Restrict Run Command GPO to prevent access to the Run Menu.

2. Edit the Baseline Security GPO so that the name of the last logged on user is not displayed.

3. Edit the Server Security GPO to exempt Administrators from User Account Control prompts on computers running Windows Server 2008.

4. Edit the Admin Favorites GPO to include the URL for Microsoft tech support (http://support.microsoft.com) in the Internet Favorites.

5. Edit the Restrict Control Panel GPO to prevent user access to Control Panel.

6. Edit the Restrict Desktop Display GPO to prevent access to the desktop display settings.

7. Edit the Kiosk Computer Security GPO to use loopback processing, and to hide and disable all items on the desktop for the logged on user.

Task 4: Link the GPOs

• Use the GPMC to perform the following:

• Link the Restrict Run Command GPO to the domain container.

• Link the Baseline Security GPO to the domain container.

• Link the Vista and XP Security GPO to the domain container

• Link the Kiosk Computer Security GPO to the domain container.

• Link the Admin Favorites GPO to the Admin OU.

• Link the Restrict Control Panel GPO to the NYC, Miami and Toronto OUs.

• Link the Restrict Desktop Display GPO to the Executive OU.

Result: At the end of this exercise, you will have created and configured GPOs.

Exercise 2: Managing the Scope of GPO Application

In this exercise, you will configure the scope of GPO settings based on the enterprise administrator's design. Tasks include disabling portions of GPOs, blocking and enforcing inheritance, and applying filtering based on security groups and WMI filters.

The main tasks are as follows:

1. Configure Group Policy management for the domain container.

2. Configure Group Policy management for the IT Admin OU.

3. Configure Group Policy management for the branch OUs.

4. Create and apply a WMI filter for the Server Security GPO.

Task 1: Configure Group Policy management for the domain container

1. Configure the Baseline Security link to be Enforced, and disable the User side of the policy.

2. Configure the Vista and XP Security link to be Enforced.

3. Use security group membership filtering to configure the Kiosk Computer Security GPO to apply only to the Kiosk Computers global group.

Task 2: Configure Group Policy management for the IT Admin OU

• Block inheritance at the IT Admin OU, to exempt the ITAdmins users from the Restrict Run Command GPO.

Task 3: Configure Group Policy management for the branch OUs

• Use security group membership filtering to configure the Restrict Control Panel GPO to deny the Apply Group Policy permission to the following groups:

• Mia_BranchManagersGG

• NYC_BranchManagersGG

• Tor_BranchManagersGG

Result: At the end of this exercise, you will have configured the scope of GPO settings.

Exercise 3: Verifying GPO Application

In this exercise, you will test the application of GPOs to ensure that the GPOs are being applied as the design specifies. Students will log on as specific users, and also use Group Policy Modeling and Resultant Set of Policy (RSoP) to verify that GPOs are being applied correctly.

The main tasks are as follows:

1. Start NYC-CL1.

2. Verify that a Miami branch user is receiving the correct policy.

3. Verify that a Miami Branch Manager is receiving the correct policy.

4. Verify that a user in the IT Admin OU is receiving the correct policy.

5. Verify that a user in the Executive OU is receiving the correct policy.

6. Verify that the last logged on username does not appear.

7. Use Group Policy modeling to test kiosk computer settings.

Task 1: Start NYC-CL1

Task 2: Verify that a Miami branch user is receiving the correct policy

1. Log on to NYC-CL1 as Anton with the password Pa$$w0rd.

2. Ensure that there is no link to the Run menu in the Accessories folder on the Start Menu.

3. Ensure that there is no link to Control Panel on the Start Menu.

4. Log off.


Task 3: Verify that a Miami Branch Manager is receiving the correct policy

1. Log on to NYC-CL1 as Roya with the password Pa$$w0rd.

2. Ensure that there is no link to the Run menu in the Accessories folder on the Start menu.

3. Ensure that a link to Control Panel appears on the Start menu.

4. Log off.

Task 4: Verify that a user in the IT Admin OU is receiving the correct policy

1. Log on to NYC-CL1 as Betsy with the password Pa$$w0rd.

2. Ensure that a link to the Run menu appears in the Accessories folder on the Start menu.

3. Ensure that a link to Control Panel appears on the Start menu.

4. Launch Internet Explorer, open the Favorites, and then ensure that the link to Tech Support appears.

5. Log off.

Task 5: Verify that a user in the Executive OU is receiving the correct policy

1. Log on to NYC-CL1 as Chase with the password Pa$$w0rd.

2. Ensure that there is no link to the Run menu in the Accessories folder on the Start Menu.

3. Ensure that a link to Control Panel appears on the Start Menu.

4. Ensure that there is no access to the desktop display settings.

Hint: When you attempt to access display settings you will receive a message informing you that this has been disabled.

5. Log off.


Task 6: Verify that the last logged on username does not appear

• Verify that the last logged on username does not appear.

Task 7: Use Group Policy modeling to test kiosk computer settings

1. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

2. Launch the GPMC, right-click the Group Policy Modeling folder, click Group Policy Modeling Wizard, and then click Next twice.

3. On the User and Computer Selection screen, click Computer, enter Woodgrovebank\NYC-CL1, and then click Next three times.

4. In the Computer Security Groups screen, click Add.

5. In the Select Groups dialog box, type Kiosk Computers, and then click Next.

6. In the WMI Filters for Computers screen, click Next twice, click Finish and then view the report.

Result: At the end of this exercise, you will have tested and verified a GPO application.
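The visual checks in Tasks 2 to 6 can be scripted, which is also how you would detect policy drift on a fleet later. The following is an added example, not part of the lab: run it in a PowerShell session on NYC-CL1 while logged on as each test user. The registry value names are the ones the corresponding Administrative Template policies actually write (NoRun, NoControlPanel, NoDispCPL, DontDisplayLastUserName); the expected states per user are transcribed from the task steps above, and the assumption that a missing value means "not applied" holds for these four policies.

```powershell
# Added example (not part of the lab): verify the Exercise 3 expectations on NYC-CL1
# from PowerShell instead of by eye. Each policy the lab tests writes one registry value.
$Checks = @{
    'Run menu removed'          = @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' }
    'Control Panel removed'     = @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' }
    'Display settings disabled' = @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'NoDispCPL' }
    'Last user name hidden'     = @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DontDisplayLastUserName' }
}

# Expected state per lab user from Tasks 2 to 5 (1 = restriction applied, 0 = not applied).
# Roya is exempted from Restrict Control Panel by the Exercise 2 deny; Betsy is in the
# IT Admin OU where inheritance is blocked; Chase also gets the display restriction.
$Expected = @{
    Anton = @{ 'Run menu removed' = 1; 'Control Panel removed' = 1 }
    Roya  = @{ 'Run menu removed' = 1; 'Control Panel removed' = 0 }
    Betsy = @{ 'Run menu removed' = 0; 'Control Panel removed' = 0 }
    Chase = @{ 'Run menu removed' = 1; 'Control Panel removed' = 0; 'Display settings disabled' = 1 }
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }      # value absent: policy not applied (assumption, see lead-in)
    return [int]$item.$Name
}

function Test-LabPolicy {
    param([string]$User = $env:USERNAME)
    if (-not $Expected.ContainsKey($User)) { throw "No expectations recorded for user '$User'." }
    $want = @{} + $Expected[$User]
    $want['Last user name hidden'] = 1     # Task 6: machine-wide, so expected for every user
    $failures = foreach ($entry in $want.GetEnumerator()) {
        $c = $Checks[$entry.Key]
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        if ($actual -ne $entry.Value) { "$($entry.Key): expected $($entry.Value), found $actual" }
    }
    if ($failures) {
        Write-Warning ("Policy mismatch for {0}:`n{1}" -f $User, ($failures -join "`n"))
        return $false
    }
    Write-Host "All expected settings present for $User."
    return $true
}

Test-LabPolicy
# The list of applied and denied GPOs, the same data the GPMC's Resultant Set of Policy shows:
gpresult /r /scope user
```

If a check fails, the gpresult output tells you which layer is responsible: the GPO appears under "Applied" although the value is missing (a setting problem inside the GPO), or it appears under "Filtered out" with the reason (security filtering, WMI filter, or a disabled link).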


Exercise 4: Managing GPOs

In this exercise, you will use the GPMC to back up, restore, and import GPOs.

The main tasks are as follows:

1. Back up an individual policy.

2. Back up all GPOs.

3. Delete and restore an individual GPO.

4. Import a GPO.

Task 1: Back up an individual policy

1. In the GPMC, open the Group Policy Objects folder.

2. Right-click the Restrict Control Panel policy, and then click Backup.

3. Browse to D:\6425\GPOackup.

4. Click Backup, and then click OK after the backup succeeds.

Task 2: Back up all GPOs

1. Right-click the Group Policy Objects folder and then click Back Up All.

2. Ensure that D:\6425\GPOackup is the backup location. Confirm the deletion.

Task 3: Delete and restore an individual GPO

1. Right-click the Admin Favorites policy and then click Delete. Click Yes and then click OK when the deletion succeeds.

2. Right-click the Group Policy Objects folder and then click Manage Backups.

3. Restore the Admin Favorites GPO.

4. Confirm that the Admin Favorites policy appears in the Group Policy Objects folder.


Task 4: Import a GPO

1. Create a new GPO named Import in the Group Policy Objects folder.

2. Right-click the Import GPO, and then click Import Settings.

3. In the Import Settings Wizard, click Next.

4. On the Backup GPO window, click Next.

5. Ensure the Backup folder location is D:\6425\GPOackup.

6. On the Source GPO screen, click Restrict Control Panel, and then click Next.

7. Finish the Import Settings wizard.

8. Click the Import GPO, click the Settings tab, and then ensure that the Restrict Access to Control Panel setting is Enabled.

Result: At the end of this exercise, you will have backed up, restored, and imported GPOs.
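The same back up, restore and import sequence in PowerShell, as an added example rather than part of the lab. It needs the GroupPolicy module (GPMC on Windows Server 2008 R2 or later); the backup folder is the one the lab names. The last function replaces the visual check in Task 4 step 8 by reading the imported GPO's registry setting directly: the Restrict Access to Control Panel policy writes NoControlPanel=1 under the user Explorer policies key.

```powershell
# Added example (not the lab's own steps): back up, restore and import GPOs with the
# GroupPolicy module, then verify the imported settings without opening the GPMC.
Import-Module GroupPolicy
$BackupPath = 'D:\6425\GPOackup'   # backup folder as the lab names it

# Task 1: back up one GPO. Backup-GPO returns an object carrying the backup Id and timestamp.
$single = Backup-GPO -Name 'Restrict Control Panel' -Path $BackupPath -Comment 'Exercise 4 Task 1'
"Backed up $($single.DisplayName) as backup $($single.Id)"

# Task 2: back up every GPO in the domain into the same folder.
$all = @(Backup-GPO -All -Path $BackupPath -Comment 'Exercise 4 Task 2')
"Backed up $($all.Count) GPOs to $BackupPath"

# Task 3: delete Admin Favorites, then restore it. Restore-GPO -Name uses the most recent
# backup of that GPO found under -Path, so the Task 2 backup is the one that comes back.
Remove-GPO -Name 'Admin Favorites'
Restore-GPO -Name 'Admin Favorites' -Path $BackupPath
Get-GPO -Name 'Admin Favorites' | Select-Object DisplayName, Id, ModificationTime

# Task 4: create an empty GPO and import the Restrict Control Panel settings into it.
# Import-GPO overwrites the target's settings; it does not merge them.
New-GPO -Name 'Import' | Out-Null
Import-GPO -BackupGpoName 'Restrict Control Panel' -TargetName 'Import' -Path $BackupPath | Out-Null

# Step 8 check: read the value the policy sets straight out of the imported GPO.
function Test-ImportedGpo {
    param([string]$GpoName = 'Import')
    $v = Get-GPRegistryValue -Name $GpoName `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -ValueName 'NoControlPanel' -ErrorAction SilentlyContinue
    return ($null -ne $v -and [int]$v.Value -eq 1)
}

if (Test-ImportedGpo) { 'Import GPO carries the Restrict Access to Control Panel setting (Enabled).' }
else { Write-Warning 'Import GPO does not contain NoControlPanel=1; re-check the import source.' }
```

Backup-GPO saves the GPO's settings and its ACL, but a backup taken in one domain and imported elsewhere carries SIDs from the source domain; that is what the migration table step in the Import Settings Wizard exists for, and it is why this example imports within the same domain only.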


Exercise 5: Delegating Administrative Control of GPOs

In this exercise, you will delegate administrative control of GPOs based on the enterprise administrator design. Tasks include configuring permissions to create, edit and link GPOs. You will then test the permissions configuration.

The main tasks are as follows:

1. Grant Betsy the right to create GPOs in the domain.

2. Delegate the right to edit the Import GPO to Betsy.

3. Delegate the right to link GPOs to the Executives OU to Betsy.

4. Enable Domain Users to log on to domain controllers.

5. Test the delegation.

6. Close all virtual machines and discard undo disks.

Task 1: Grant Betsy the right to create GPOs in the domain

1. Select the Group Policy Objects folder and then click the Delegation tab, and then click Add.

2. In the Select Users dialog box, type Betsy in the Object name field, and then click OK.

Task 2: Delegate the right to edit the Import GPO to Betsy

1. In the Group Policy Objects folder, select Import GPO, click the Delegation tab, and then click Add.

2. In the Select Users dialog box, type Betsy in the Object name field and then click OK.

3. In the Add Group or User dialog box, select Edit Settings from the drop-down list, and then click OK.


Task 3: Delegate the right to link GPOs to the Executives OU to Betsy

1. Select the Executives OU, then click the Delegation tab, and then click Add.

2. In the Select Users dialog box, type Betsy in the Object name field, and then click OK.

3. In the Add Group or User dialog box, select This container only, and then click OK.

Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab to enable you to test the delegated permissions. As a best practice, you should install the administration tools on a Windows workstation rather than enable Domain Users to log on to domain controllers.

1. On NYC-DC1, start Group Policy Management, and then edit the Default Domain Controllers Policy.

2. In the Group Policy Management Editor window, access the User Rights Assignment folder.

3. Double-click Allow log on locally. In the Allow log on locally Properties dialog box, click Add User or Group.

4. Grant the Domain Users group the log on locally right.

5. Open a command prompt, type GPUpdate /force, and then press ENTER.

Task 5: Test the delegation

1. Log on to NYC-CL1 as Betsy.

2. Create a Group Policy Management Console.

3. Right-click the Group Policy Objects folder, and then click New.

4. Create a new policy named Test. This operation will succeed.

5. Right-click the Import GPO, and then click Edit. This operation will succeed.


6. Right-click the Executives OU, and link the Test GPO to it. This operation will succeed.

7. Right-click the Admin Favorites policy, and attempt to edit it. This operation is not possible.

8. Close the GPMC.

Task 6: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise, you will have backed up, restored, and imported GPOs.
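The three delegations from Tasks 1 to 3, with the Task 5 test reduced to a permission readback, as an added example that is not part of the lab. The GPMC's three delegation tabs map to three different ACLs: creating GPOs is a right on the Policies container, editing is a right on the individual GPO, and linking is Write access to the gPLink and gPOptions attributes of the OU. Only the second has a GroupPolicy cmdlet, so this example grants the create right through membership in Group Policy Creator Owners (the ActiveDirectory module is assumed to be installed) and the link right with dsacls; the domain DN, the OU position and the WOODGROVEBANK NetBIOS name are assumptions.

```powershell
# Added example (not the lab's own steps): delegate create, edit and link rights to Betsy
# and read the resulting permissions back. Assumed: domain DN, OU directly under the
# domain, NetBIOS name WOODGROVEBANK, GroupPolicy and ActiveDirectory modules present.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDn = 'dc=woodgrovebank,dc=com'
$NetBios  = 'WOODGROVEBANK'
$User     = 'Betsy'

# Task 1: right to create GPOs. The GPMC writes an ACE on the Policies container for the
# user; membership in Group Policy Creator Owners grants the same right and is easier to
# audit, so this example uses the group instead (a deliberate substitution).
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $User

# Task 2: edit rights on the Import GPO only.
Set-GPPermission -Name 'Import' -TargetName $User -TargetType User -PermissionLevel GpoEdit | Out-Null

# Task 3: link rights on the Executives OU, this container only. dsacls without /I applies
# the ACE to the named object alone, which is what "This container only" means in the GPMC.
$ou = "ou=Executives,$DomainDn"
dsacls $ou /G "$NetBios\${User}:RPWP;gPLink" "$NetBios\${User}:RPWP;gPOptions" | Out-Null

# Task 5 as a check: Betsy must hold GpoEdit on Import and nothing on Admin Favorites.
function Get-UserGpoPermission {
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$UserName)
    $p = Get-GPPermission -Name $GpoName -TargetName $UserName -TargetType User -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'None' }
    return [string]$p.Permission
}

$result = [ordered]@{
    'Import'          = Get-UserGpoPermission -GpoName 'Import'          -UserName $User
    'Admin Favorites' = Get-UserGpoPermission -GpoName 'Admin Favorites' -UserName $User
}
$result
if ($result['Admin Favorites'] -ne 'None') {
    Write-Warning "$User has $($result['Admin Favorites']) on Admin Favorites; the delegation is wider than designed."
}
```

Keep the Task 4 note in mind when you test: granting Domain Users the right to log on locally to domain controllers is only acceptable in a lab whose disks are discarded afterwards. In production, run the same delegation test from a workstation with the GPMC installed.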


Module Review and Takeaways

Considerations

Keep the following considerations in mind when creating and configuring Group Policy:

• Multiple local Group Policy objects

• ADMX and ADML files replace ADM files

• Methods to control Group Policy, inheritance, filtering, enforcement

• Group Policy tools and reporting


Review Questions

1. You want to force the application of certain Group Policy settings across a slow link. What can you do?

2. You need to ensure that a domain level policy is enforced, but the Managers global group needs to be exempt from the policy. How would you accomplish this?

3. You want all GPOs that contain user settings to have certain Administrative Templates enabled. You need to be able to send those policies to other administrators in the enterprise. What is the best approach?

4. You want to control access to removable storage devices on all client workstations through Group Policy. Can you use Group Policy to do this?


Module 6 Configuring User Environments Using Group Policy

Contents:

Lesson 1: Configuring Group Policy Settings 6-3

Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy 6-7

Lesson 3: Configuring Administrative Templates 6-15

Lesson 4: Configuring Group Policy Preferences 6-22

Lesson 5: Deploying Software Using Group Policy 6-28

Lab: Configuring User Environments Using Group Policy 6-38


Module Overview

This module introduces the job function of configuring the user environment using Group Policy. Specifically, this module provides the skills and knowledge that you need to use Group Policy to configure Folder Redirection, as well as how to use scripts. You also will learn how Administrative Templates affect Windows Vista® and Windows Server® 2008, and how to deploy software using Group Policy.


Lesson 1: Configuring Group Policy Settings

Group Policy can deliver many different types of settings. Some settings are simply a matter of "turning them on", while others are more complex to configure. This lesson will describe how to configure the various Group Policy settings.


Options for Configuring Group Policy Settings

Key Points

For a Group Policy setting to have an effect, you must configure it. Most Group Policy settings have three states. They are:

• Enabled

• Disabled

• Not Configured

You also must configure values for some Group Policy settings. For example, the Restricted Groups setting needs values for the groups and users it controls.

Question: A domain level policy restricts access to the Control Panel. You want the users in the Admin organizational unit (OU) to have access to the Control Panel, but you do not want to block inheritance. How could you accomplish this?


Additional Reading

• Microsoft Technet article: How Core Group Policy Works


Demonstration: Configuring Group Policy Settings Using the Group Policy Editor

Question: How could you prevent a lower-level policy from reversing the setting of a higher-level policy?


Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy

Windows Server 2008 enables you to use Group Policy to deploy scripts to users and computers. You can also redirect folders that the user’s profile includes, from the user’s local hard disks to a central server.


What Are Group Policy Scripts?

Key Points

You can use Group Policy scripts to perform any number of tasks. There may be actions that you need performed every time a computer starts or shuts down, or when users log on or off. For example, you can use scripts to clean up desktops when users log off and computers shut down, delete the contents of temporary directories, or clear the pagefile to make the environment more secure.

Question: You keep logon scripts in a shared folder on the network. How could you ensure that the scripts will always be available to users from all locations?


Additional Reading

• Microsoft Technet article: The Two Sides of Group Policy Script Extension Processing

• Microsoft Technet article: The Two Sides of Group Policy Script Extension Processing (Part 2)

• Microsoft Support: Overview of Logon, Logoff, Startup, and Shutdown Scripts in Windows 2000


Demonstration: Configuring Scripts with Group Policy

Question: What other method could you use to assign logon scripts to users?


What Is Folder Redirection?

Key Points

When you redirect folders, you change the folder's storage location from the local hard disk of the user's computer to a shared folder on a network file server. After you redirect a folder to a file server, it still appears to the user as if it is stored on the local hard disk.

Folder Redirection makes it easier for you to manage and back up data. By redirecting folders, you can ensure user access to data regardless of the computers to which they log on.

Question: List some disadvantages of folder redirection.

Additional Reading

• Microsoft Technet article: Folder Redirection Feature in Windows

• MSDN: IE7 in Vista: Folder Redirection for Favorites on the Same Machine

• Microsoft Download: Managing Roaming User Data Deployment Guide


Folder Redirection Configuration Options

Key Points

There are three available settings for Folder Redirection: none, basic, and advanced. Basic folder redirection is for users who must redirect their folders to a common area or users who need their data to be private. Advanced redirection allows you to specify different network locations for different Active Directory security groups.

Question: Users in the same department often log on to different computers. They need access to their My Documents folder. They also need the data to be private. What folder redirection setting would you choose?

Additional Reading

• Microsoft Technet article: Recommendations for Folder Redirection


Options for Securing Redirected Folders

Key Points

While you must manually create a shared network folder in which to store the redirected folders, Folder Redirection can create the user's redirected folders for you. When you use this option, the correct permissions are set automatically. If you manually create folders, you must know the correct permissions.

Question: What steps could you take to protect the data while it is in transit between the client and the server?
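When you do pre-create the share root yourself, the permissions that matter are the ones on that root: users need just enough access to list it and create their own folder, and each user folder must then belong to its creator only. The following added example (not part of the handbook) sets the NTFS permissions Microsoft recommends for a manually created redirection root and reads them back; the path D:\Redirected and the share name are constructed for the example.

```powershell
# Added example: create a Folder Redirection root with the recommended NTFS permissions.
#   CREATOR OWNER       Full Control, subfolders and files only (each user owns their folder)
#   Authenticated Users List Folder/Read Data, Create Folders/Append Data, this folder only
#   SYSTEM, Administrators  Full Control
# The share itself grants Authenticated Users Full Control; NTFS does the restricting.
# Path and share name are constructed; run as an administrator on the file server.
function New-RedirectionRoot {
    param([Parameter(Mandatory)][string]$Path)
    $dir = New-Item -ItemType Directory -Path $Path -Force

    # Break inheritance first and write that back, so the re-read ACL holds only explicit ACEs.
    $acl = Get-Acl -Path $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $dir.FullName -AclObject $acl
    $acl = Get-Acl -Path $dir.FullName
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.InheritanceFlags]::None
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        # Owner of each user folder gets full control of that folder, never of the root itself.
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER', $full, $inherit,
            [System.Security.AccessControl.PropagationFlags]::InheritOnly, $allow),
        # Users can see the root and create their own folder; no inheritance, so nothing below.
        New-Object System.Security.AccessControl.FileSystemAccessRule('Authenticated Users',
            'ListDirectory, CreateDirectories, ReadAttributes, Synchronize', $none, $noProp, $allow),
        New-Object System.Security.AccessControl.FileSystemAccessRule('SYSTEM', $full, $inherit, $noProp, $allow),
        New-Object System.Security.AccessControl.FileSystemAccessRule('Administrators', $full, $inherit, $noProp, $allow)
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $dir.FullName -AclObject $acl
    return $dir.FullName
}

function Get-RedirectionRootAccess {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

$root = New-RedirectionRoot -Path 'D:\Redirected'
# Hidden share (trailing $); share-level permission is permissive on purpose, NTFS restricts.
net share 'Redirected$=D:\Redirected' /GRANT:"Authenticated Users",FULL | Out-Null
Get-RedirectionRootAccess -Path $root | Format-Table -AutoSize
```

The readback is the part to keep: a redirection root where Authenticated Users hold Read on subfolders, or where an administrator's account rather than CREATOR OWNER owns the user folders, lets every user browse everyone else's Documents, and nothing in the Folder Redirection policy itself warns you about it.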

Additional Reading

• Microsoft Support: Folder Redirection feature in Windows

• Windows Server Library: Security Considerations when Configuring Folder Redirection


Demonstration: Configuring Folder Redirection

Question: Users in the same department want to have each other's Internet favorites available to everyone in the department. What folder redirection options would you choose?


Lesson 3: Configuring Administrative Templates

The Administrative Template files provide the majority of available policy settings, which are designed to modify specific registry keys. This is known as registry-based policy. For many applications, the use of registry-based policy that the Administrative Template files deliver is the simplest and best way to support centralized management of policy settings. In this lesson, you will learn how to configure Administrative Templates.


What Are Administrative Templates?

Key Points

Administrative Templates allow you to control the environment of the operating system and user experience. There are two sets of Administrative Templates: one for users, and one for computers.

Administrative Templates are the primary means of configuring the client computer's registry settings through Group Policy. Administrative Templates are a repository of registry-based changes. By using the Administrative Templates sections of the GPO, you can deploy hundreds of modifications to the computer portion (the HKEY_LOCAL_MACHINE hive) and the user portion (the HKEY_CURRENT_USER hive) of the registry.

Question: What sections of the Administrative Templates will you find most useful in your environment?


Additional Reading

• Microsoft Technet article: Using Administrative Template Files with Registry-Based Group Policy

• Microsoft Technet article: Administrative Templates Extension Technical Reference


Demonstration: Configuring Administrative Templates

Question: You need to ensure that Windows Messenger is never allowed to run on a particular computer. How could you use Administrative Templates to implement this?


Modifying Administrative Templates

Key Points

Because ADMX files are XML based, you can use any text editor to edit or create new ADMX files. However, there also are XML-aware programs (such as Microsoft Visual Studio) that administrators or developers can use to create or modify ADMX files.

Once you have a valid ADMX file, you need only to place it in the Policy Definitions folder, or in the Central Store, if one exists.

Additional Reading

• Microsoft Technet article: Creating a Custom Base ADMX File

• Microsoft Downloads: Group Policy Sample ADMX Files
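The following added example (not from the handbook or the Microsoft sample files) shows what a minimal custom template looks like in practice: a language-neutral ADMX defining one registry-based policy, its en-US ADML holding the display strings, and a PowerShell function that validates both as XML and places them in the Central Store so that every GPMC in the domain loads them. The Contoso namespace, the policy and category names, the registry key it writes and the domain name woodgrovebank.com are all constructed for the example.

```powershell
# Added example: a minimal custom ADMX/ADML pair written to the Central Store.
# Everything named here (Contoso, DisableHelperTool, the registry key, the domain) is
# constructed; the element layout follows the ADMX schema that Windows Vista and later use.
$Domain       = 'woodgrovebank.com'
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# Language-neutral definition. $(string.X) references resolve against the ADML string table.
$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   revision="1.0" schemaVersion="1.0"
                   xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="contoso" namespace="Contoso.Policies.Example" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="ContosoTools" displayName="$(string.ContosoTools)" />
  </categories>
  <policies>
    <!-- Registry-based policy: Enabled writes 1, Disabled writes 0, Not Configured removes the value. -->
    <policy name="DisableHelperTool" class="Machine"
            displayName="$(string.DisableHelperTool)" explainText="$(string.DisableHelperTool_Help)"
            key="Software\Policies\Contoso\HelperTool" valueName="Disabled">
      <parentCategory ref="ContosoTools" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# Language resource: the strings the GPMC shows for the category, policy and help text.
$adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                           revision="1.0" schemaVersion="1.0"
                           xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Contoso example templates</displayName>
  <description>Example registry-based policy for the Contoso Helper Tool</description>
  <resources>
    <stringTable>
      <string id="ContosoTools">Contoso Tools</string>
      <string id="DisableHelperTool">Disable the Contoso Helper Tool</string>
      <string id="DisableHelperTool_Help">When Enabled, the Helper Tool refuses to start. When Disabled or Not Configured, the tool runs normally.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

function Install-CustomAdmx {
    param([string]$Store = $CentralStore, [string]$Name = 'ContosoExample')
    # Parse both files before touching SYSVOL: one malformed ADMX in the Central Store makes
    # the GPMC raise an error for every GPO anyone opens, domain-wide.
    [xml]$admx | Out-Null
    [xml]$adml | Out-Null
    $lang = Join-Path $Store 'en-US'
    New-Item -ItemType Directory -Path $lang -Force | Out-Null
    Set-Content -Path (Join-Path $Store "$Name.admx") -Value $admx -Encoding UTF8
    Set-Content -Path (Join-Path $lang  "$Name.adml") -Value $adml -Encoding UTF8
    return (Join-Path $Store "$Name.admx")
}

Install-CustomAdmx
```

Two points to take from the example: the policy writes under Software\Policies, the branch that only administrators can change and that Group Policy cleans up when the setting returns to Not Configured, and the ADML lives in a language subfolder whose name must match the console's UI language or the GPMC shows the policy with an unresolved string reference.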


Demonstration: Adding Administrative Templates for Office Applications

Question: Can you still use custom ADM files to deliver Group Policy settings in Windows Server 2008?


Discussion: Options for Using Administrative Templates


Lesson 4: Configuring Group Policy Preferences

Many common settings that affect the user and computer environment could not be delivered through Group Policy, for example, mapped drives. These settings were usually delivered through logon scripts or imaging solutions. Windows Server 2008 includes the new Group Policy preferences built-in to the Group Policy Management Console (GPMC). Additionally, administrators can configure preferences by installing the Remote Server Administration Tools (RSAT) on a computer running Windows Vista Service Pack 1 (SP1). This allows many common settings to be delivered through Group Policy.


What Are Group Policy Preferences?

Key Points

Group Policy preference extensions are more than twenty Group Policy extensions that expand the range of configurable settings within a GPO. The main difference between policy settings and preference settings is that preference settings are not enforced. This means the end user can change any preference setting that is applied through Group Policy, but policy settings prevent users from changing them.


Difference Between Group Policy Settings and Preferences

Key Points

The key difference between preferences and Group Policy settings is enforcement.


Group Policy Preference Features

Key Points

Most Group Policy preference extensions support the following actions for each preference item:

• Create. Create a new item on the targeted computer.

• Delete. Remove an existing item from the targeted computer.

• Replace. Delete and recreate an item on the targeted computer. The result is that Group Policy preferences replace all existing settings and files associated with the preference item.

• Update. Modify an existing item on the targeted computer.


Deploying Group Policy Preferences

Key Points

Group Policy preferences do not require you to install any services on servers. Windows Server 2008 includes Group Policy preferences by default as part of the Group Policy Management Console (GPMC). Administrators can configure and deploy Group Policy preferences in a Windows Server 2003 environment by installing the RSAT on a computer running Windows Vista with SP1.


Demonstration: Deploying Group Policy Preferences

Question: You have deployed a number of Group Policy preferences. Users report that they are unable to modify some of those settings. What would you suspect is the problem?


Lesson 5: Deploying Software Using Group Policy

Windows Server 2008 includes a feature called Software Installation and Maintenance that uses AD DS, Group Policy, and the Windows® Installer service to install, maintain, and remove software on your organization's computers.


Options for Deploying and Managing Software Using Group Policy

Key Points

The software life cycle consists of four phases: preparation, deployment, maintenance, and removal. You can apply Group Policy settings to users or computers in a site, domain, or organizational unit to automatically install, upgrade, or remove software. By applying Group Policy settings to software, you can manage the various phases of software deployment without deploying software on each computer individually.

Question: What types of applications would you deploy via Group Policy in your environment?


Additional Reading

• Microsoft Support: How to use Group Policy to install software remotely in Windows 2000

• Microsoft Technet article: Use Group Policy Software Installation to deploy the 2007 Office system


How Software Distribution Works

Key Points

To enable Group Policy to deploy and manage software, Windows Server 2008 uses the Windows Installer service. This component automates the installation and removal of applications by applying a set of centrally defined setup rules during the installation process.

Question: What are some disadvantages of deploying software through Group Policy?

Additional Reading

• Microsoft Support: How to use Group Policy to install software remotely in Windows 2000


Options for Installing Software

Key Points

There are two deployment types available for delivering software to clients. Administrators can either install software for users or computers in advance, or give users the option to install the software when they require it. Users do not share deployed applications, meaning an application you install for one user through Group Policy will not be available to that computer's other users. All users need their own instance of the application.

Question: What is an advantage of publishing an application over assigning it?

Additional Reading

• Microsoft Technet article: Group Policy Software Installation overview


Demonstration: Configuring Software Distribution

Question: What types of applications would be useful to assign to the computer rather than the user?


Options for Modifying the Software Distribution

Key Points

Software Installation in Group Policy includes options for configuring deployed software. You can categorize programs that are published in Control Panel and associate file name extensions with applications. You also can add modifications to deployed software.

Additional Reading

• Microsoft Technet article: Specify categories for applications to be managed

• Microsoft Technet article: Best practices for Group Policy Software Installation, Specify automatic installation options based on file name extension section

• Microsoft Technet article: Add or remove modifications for an application package


Demonstration: Modifying Software Distribution

Question: You want to deploy an administrative utility to members of the Domain Admins security group. These utilities should be available from any computer that an administrator logs onto, but only installed when necessary. What is the best approach to accomplish this?


Maintaining Software Using Group Policy

Key Points

Occasionally a software package will need to be upgraded to a newer version. The Upgrades tab allows you to upgrade a package using the GPO. You also may redeploy a package if the original Windows Installer file has been modified. You can remove software packages if they were delivered originally using Group Policy. Removal can be mandatory or optional.

Question: Your organization is upgrading to a newer version of a software package. Some users in the organization require the old version. How would you deploy the upgrade?

Additional Reading

• Microsoft Technet article: Set Group Policy Software Installation defaults


Discussion: Evaluating the Use of Group Policy to Deploy Software

Question: You want to deploy an administrative utility to members of the Domain Admins security group. These utilities should be available from any computer that an administrator logs onto, but only installed when necessary. What is the best approach to accomplish this?


Lab: Configuring User Environments Using Group Policy

Scenario

Woodgrove Bank has decided to implement Group Policy to manage user desktops. The organization has already implemented an organizational unit (OU) configuration that includes top-level OUs grouped by location, with additional OUs within each location for different departments. User accounts are located in the same container as their workstation computer accounts. Server computer accounts are spread throughout various OUs.

The enterprise administrator has created a GPO design that will be used to manage the user desktop environment. You have been asked to configure Group Policy objects so that specific settings are applied to user desktops and computers.

Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings, but may not always follow best practices.


Exercise 1: Configuring Scripts and Folder Redirection

Scenario

You have been tasked to create a script that will map a network drive to the shared folder named Data on NYC-DC1. Then you will use Group Policy to assign the script to all users in the Toronto, Miami, and NYC OUs. The script needs to be stored in a highly available location. You also will set permissions to share and secure a folder on NYC-DC1. The Documents folder for all members of the Executive OU will be redirected there.

The main tasks for this exercise are:

1. Start the virtual machines, and then log on.

2. Create a logon script to map to the Data shared folder.

3. Use Group Policy to copy the script to the NetLogon share, and then assign the script to the appropriate OUs.

4. Share and secure a folder for the Executives group.

5. Redirect the Documents folder for the Executives group.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create a logon script to map to the Data shared folder

1. Launch Notepad.exe.

2. In Notepad, type Net Use J: \\NYC-DC1\Data.

3. Close and save the file as C:\Map.bat.

4. Ensure the Save as type field is All Files.


Task 3: Use Group Policy to copy the script to the NetLogon share, and then assign the script to the appropriate OUs

1. Open a Windows Explorer window, copy C:\map.bat to the clipboard, and then close Windows Explorer.

2. Launch the GPMC, and then create a new Group Policy named Logon Script.

3. Edit the policy by expanding User Configuration, expanding Windows Settings, and then clicking Scripts (Logon/Logoff).

4. Open the Properties of the Logon Script GPO, click Show Files, right-click, click Paste to copy the script from the clipboard to the scripts folder, and then close Explorer.

5. In the Logon Properties dialog box, click Add.

6. In the Add a Script dialog box, click Browse.

7. In the Browse dialog box, select the Map.bat file.

8. Close the Group Policy Management editor.

9. Link the Logon Script policy to the Miami, NYC, and Toronto OUs.

Task 4: Share and secure a folder for the Executives group

1. In Windows Explorer, open the Properties of the Execs folder.

2. Click the Sharing tab and then click Advanced Sharing.

3. Check the Share this folder checkbox, and then click Permissions.

4. Remove the Everyone group.

5. Add the Executives_WoodgroveGG group, and then grant it Full Control.

6. Click the Security tab, and then click Advanced.

7. On the Permissions tab, click Edit, clear the check box beside Include inheritable permissions from this object’s parent, and then copy the permissions.


8. Remove all users and groups except Creator Owner and System.

9. Add the Executives_WoodgroveGG, and then assign List folder/Read data and Create Folders/Append data permissions to This Folder only.

10. Close the properties, and then close Windows Explorer.

Task 5: Redirect the Documents folder for the Executives group

1. Create a new GPO named Executive Redirection.

2. Edit the policy: expand User Configuration, expand Policies, expand Windows Settings, expand Folder Redirection, right-click Documents and then click Properties.

3. On the Target tab, configure the Setting to be Basic-Redirect everyone’s folder to the same location.

4. Leave the target folder location at the default settings and then type \\NYC-DC1\Execs in the Root Path field.

5. Link the policy to the Executives OU.

Result: At the end of this exercise, you will have configured scripts and folder redirection.
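The share and NTFS permissions from Task 4, as an added PowerShell example that is not part of the course lab: it produces the same end state as steps 2 through 9 without clicking through Explorer, and prints the resulting ACL so it can be compared with the steps. It assumes C:\Execs already exists on NYC-DC1 and that the group is WOODGROVEBANK\Executives_WoodgroveGG (the domain prefix is assumed from the Woodgrovebank.com domain used in the lab).

```powershell
# Added example, not from the course: sets the share and NTFS permissions from
# Exercise 1, Task 4 on the folder redirection root with PowerShell instead of
# Windows Explorer. Assumes C:\Execs exists on NYC-DC1 and that the domain group
# is WOODGROVEBANK\Executives_WoodgroveGG. Run from an elevated prompt.

$RootPath  = 'C:\Execs'
$ShareName = 'Execs'
$ExecGroup = 'WOODGROVEBANK\Executives_WoodgroveGG'

$acl = Get-Acl -Path $RootPath

# Step 7: stop inheriting permissions from the parent. The second argument ($false)
# drops the inherited entries instead of copying them; the two entries the lab keeps
# (CREATOR OWNER and SYSTEM) are re-created explicitly below, which is the end
# state that steps 7 to 9 produce.
$acl.SetAccessRuleProtection($true, $false)

# Step 8: clear any remaining explicit entries so only the ones added here survive.
foreach ($ace in @($acl.Access)) {
    if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
}

$full        = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritAll  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisFolder  = [System.Security.AccessControl.InheritanceFlags]::None
$propNone    = [System.Security.AccessControl.PropagationFlags]::None
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

# Small helper (mine, not a built-in cmdlet) to build one access control entry.
function New-Ace($Identity, $Rights, $Inherit, $Propagate) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $allow
}

# CREATOR OWNER, Full Control, "Subfolders and files only": whoever creates a
# subfolder (each executive, when redirection creates their Documents folder) owns
# and fully controls it, while this entry grants nothing on the root itself.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' $full $inheritAll $inheritOnly))

# SYSTEM, Full Control, "This folder, subfolders and files".
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' $full $inheritAll $propNone))

# Step 9: the Executives group gets only List folder/Read data and Create folders/
# Append data on "This folder only": enough to create its own subfolder, not enough
# to open or list the folders that other executives own.
$execRights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories'
$acl.AddAccessRule((New-Ace $ExecGroup $execRights $thisFolder $propNone))

Set-Acl -Path $RootPath -AclObject $acl

# Steps 2 to 5: share the folder with only the Executives group on the share
# permissions (no Everyone entry); the NTFS ACL above is what actually limits them.
& net share "$ShareName=$RootPath" "/GRANT:$ExecGroup,FULL"

# Show the resulting NTFS entries so they can be checked against the lab steps.
(Get-Acl -Path $RootPath).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```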


Exercise 2: Configuring Administrative Templates

Scenario

You have been asked to create and assign Group Policy Administrative Templates to control the computer and user environment. All computers will have the following settings applied:

• Allow remote inbound administration.

• Slow link detection set to 800 kps.

Computers in the Miami, Toronto, and NYC OUs will prevent the installation of removable devices.

Computers in the Executive OU will have offline files encrypted.

All domain users will have the following settings applied:

• The registry editing tools will be prohibited.

• The clock will be removed from the taskbar.

Additionally, users in the Miami, Toronto, and NYC OUs will have the following settings applied:

• Profiles will be limited to 1 gigabyte (GB).

• Windows Sidebar will be turned off.

The main tasks in this exercise are:

1. Modify the Default Domain Policy to contain the settings for all computers.

2. Create and assign a GPO to prevent the installation of removable devices for branch computers.

3. Create and assign a GPO to encrypt offline files for executive computers.

4. Create and assign a domain-level GPO for all domain users.

5. Create and assign a GPO to limit profile size and turn off Windows Sidebar for branch users.


Task 1: Modify the Default Domain Policy to contain the settings for all computers

1. In the GPMC, edit the Default Domain Policy: expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then expand Domain Profile. In the details pane, double-click Windows Firewall: Allow inbound remote administration exception.

2. Enable the policy, and then type localsubnet in the Allow unsolicited incoming messages from these IP addresses box.

3. Expand Computer Configuration, expand Administrative Templates, expand System, and then expand Group Policy.

4. Enable the Group Policy slow link detection setting with a value of 800 kps.

Task 2: Create and assign a GPO to prevent the installation of removable devices for branch computers

1. Create a new GPO named Prevent Removable Devices.

2. Edit the GPO by expanding Computer Configuration, expanding Administrative Templates, expanding System, expanding Device Installation, and then expanding Device Installation Restrictions.

3. Enable the Prevent installation of removable devices setting.

4. Link the Prevent Removable Devices policy to the Miami, NYC, and Toronto OUs.

Task 3: Create and assign a GPO to encrypt offline files for executive computers

1. Create a new GPO named Encrypt Offline Files.

2. Edit the policy by expanding Computer Configuration, expanding Administrative Templates, expanding Network, and then expanding Offline Files.

3. Enable the Encrypt the Offline Files cache setting.

4. Link the GPO to the Executives OU.


Task 4: Create and assign a domain-level GPO for all domain users

1. Create a new GPO named All Users Policy.

2. Expand User Configuration, expand Policies, expand Administrative Templates, and then expand System.

3. Enable the Prevent access to registry editing tools setting.

4. Click Start Menu and Taskbar.

5. Enable the Remove Clock from the system notification area setting.

6. Link the GPO to the Woodgrovebank.com domain.

Task 5: Create and assign a policy to limit profile size and turn off Windows Sidebar for branch users

1. Create a new GPO named Branch Users Policy.

2. Edit the GPO by expanding User Configuration, expanding Policies, expanding Administrative Templates, expanding System, and then expanding User Profiles.

3. Enable the Limit profile size setting with a value of 1000000.

4. Expand User Configuration, expand Administrative Templates, expand Windows Components, and then expand Windows Sidebar.

5. Enable the Turn off Windows Sidebar setting.

6. Link the Branch Users Policy GPO to the Miami, NYC, and Toronto OUs.

Result: At the end of this exercise, you will have configured Administrative Templates.


Exercise 3: Configuring Preferences

Scenario

You have been tasked to create and assign Group Policy preferences to control the computer and user environment.

You will add a shortcut to Notepad.exe to the NYC-DC1 desktop.

You will create a new folder named Reports on the C: drive of all computers running Windows Server 2008.

You will configure the Start menu for Windows Vista computers.

The main tasks in this exercise are:

1. Add a shortcut to Notepad.exe to the NYC-DC1 desktop.

2. Create a new folder named Reports on the C: drive of all computers running Windows Server 2008.

3. Configure the Start menu for Windows Vista computers.

Task 1: Add a shortcut to Notepad.exe to the NYC-DC1 desktop

1. In the GPMC, edit the Default Domain Policy preferences.

2. Edit the Windows Settings preferences to create a new shortcut named Notepad with the following parameters:

Location = All Users Desktop

Target Path = C:\Windows\System32\Notepad.exe

3. On the Common tab, configure Item level targeting for the computer name NYC-DC1.

Task 2: Create a new folder named Reports on the C: drive of all computers running Windows Server 2008

1. In the Computer Configuration, Windows Settings preferences, create a new folder.

2. Configure the path to be C:\Reports.

3. On the Common tab, configure item level targeting to target the Windows Server 2008 operating system.


Task 3: Configure the Start Menu for Windows Vista computers

1. Expand User Configuration, expand Preferences, expand Windows Setup, expand Control Panel Settings, and then create a new Start menu object for Windows Vista.

2. Configure the Start menu to remove the Games folder, and to add the system administrative tools to the All Programs menu.

Result: At the end of this exercise, you will have configured preferences.


Exercise 4: Verifying GPO Application

Scenario

You will log on as various domain users to test the application of Group Policy. You will also use Group Policy Resultant Set of Policy (RSoP) to verify that GPOs are being applied correctly.

The main tasks in this exercise are:

1. Verify that the preferences have been applied.

2. Start the 6425A-NYC-CL1 virtual machine, and then log on as Woodgrovebank\Administrator, and then observe the applied settings.

3. Log on as a user in the Executives OU and observe the applied settings.

4. Log on as a user in a Branch Office and observe the applied settings.

5. Use the GPMC on NYC-DC1 to review Group Policy results.

6. Close all virtual machines and discard undo disks.

Task 1: Verify that the preferences have been applied

1. Log off NYC-DC1, and then log on as Administrator using a password of Pa$$w0rd.

2. On the desktop, verify that a shortcut has been created for Notepad.

3. Verify that a folder named Reports has been created on the C: drive.

4. Verify that Administrative Tools are listed on the Start menu and that the Games folder is not displayed.

Task 2: Start the 6425A-NYC-CL1 virtual machine, and then log on as Woodgrovebank\Administrator and observe the applied settings

1. Open the Virtual Server Remote Control Client, and then double-click 6425A-NYC-CL1.

2. Log on to NYC-CL1 as Administrator using the password Pa$$w0rd. Log off and log on again as Administrator.


Note: Two logons are required because of cached credentials.

3. Ensure that the Clock is not displayed in the Notification area.

4. Right-click the Taskbar, click Properties, and then click the Notification Area tab. Verify that you do not have the option to display the clock, and then click OK.

5. Log off NYC-CL1.

Task 3: Log on as a user in the Executives OU and observe the applied settings

1. Log on to NYC-CL1 as Tony using the password Pa$$w0rd. Ensure that the Clock is not displayed in the Notification area.

2. Click Start, right-click the Documents folder and then click Properties. Ensure the location is \\nyd-dc1\execdata\tony.

3. Click Start, type Regedt32 in the search box, and then press ENTER. Ensure that Registry editing has been disabled.

4. Ensure that the Windows Sidebar is not displayed.

5. Log off NYC-CL1.

Task 4: Log on as a user in a Branch Office and observe the applied settings

1. Log on to NYC-CL1 as Roya, using the password Pa$$w0rd. Ensure that the Clock is not displayed in the Notification area.

2. Click Start, right-click the Documents folder, and then click Properties. Ensure the location is C:\Users\Roya.

3. Click Start, type Regedt32 in the search box, and then press ENTER. Ensure that Registry editing has been disabled.

4. Ensure that the Windows Sidebar is not displayed.

5. Click Start, and then open Computer. Ensure that the J: drive is mapped to the Data share.

6. Log off NYC-CL1.


Task 5: Use the NYC-DC1 GPMC to review Group Policy results

1. On NYC-DC1, restore the GPMC.

2. Right-click Group Policy Results, and then click Group Policy Results Wizard.

3. Select the Woodgrovebank\NYC-CL1 computer.

4. Select Woodgrovebank\Tony as the user.

5. On the Summary screen, click Next, and then click Finish.

6. In the Group Policy Results report summary, expand the Group Policy Objects section.

7. Click the Settings tab, and then expand Administrative Templates.

8. Close the GPMC.

9. Delete the changes on all virtual machines, and then shut down.

Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise, you will have verified GPO application.


Module Review and Takeaways

Considerations

When configuring user environments using Group Policy, consider the following:

• Policy settings that are Enabled enforce a setting.

• Policy settings that are Disabled reverse a setting.

• Policy settings that are Not Configured are not affected by Group Policy.

• Scripts can be applied to the user or computer via Group Policy.

• Scripts can be written in multiple languages.

• Storing scripts in the NetLogon share makes them highly available.

• Certain folders can be redirected from the users profile to a shared folder on the network.

• Different security groups can be redirected to different network locations.

• Administrative Templates apply settings by modifying the registry for the user and computer.


• ADMX files can be customized.

• Software can be distributed via Group Policy through .MSI files.

• Software can be published to users or assigned to users or computers.

• Software assigned to users is specific to that user.

• Software assigned to computers is available to all users on that computer.

• Software can be modified and maintained through Group Policy.

• Software can be removed through Group Policy.

Review Questions

1. You have assigned a logon script to an OU via Group Policy. The script is located in a shared network folder named Scripts. Some OU users receive the script while others do not. What might be causing this?

2. What steps could you take to prevent these types of problems from reoccurring?

3. You have two logon scripts assigned to users -- script1 and script2. Script2 depends on script1 completing successfully. Your users report that script2 never runs. What is the problem and how would you correct it?


Module 7 Implementing Security Using Group Policy

Contents:

Lesson 1: Configuring Security Policies 7-3

Lesson 2: Implementing Fine-Grained Password Policy 7-13

Lesson 3: Restricting Group Membership and Access to Software 7-18

Lesson 4: Managing Security Using Security Templates 7-25

Lab: Implementing Security Using Group Policy 7-33


Module Overview

Failure to have adequate security policies can lead to many risks for an organization. A well designed security policy helps to protect an organization’s investment in business information and internal resources, like hardware and software. Having a security policy in itself is not enough, however. You must implement the policy for it to be effective. You can leverage Group Policy to standardize security to control the environment.


Lesson 1: Configuring Security Policies

Group Policy provides settings you can use to implement security in your organization. For example, you can use Group Policy settings to secure passwords, startup, and permissions for system services.

In this lesson, you will learn the knowledge and skills necessary to configure security policies.


What Are Security Policies?

Key Points

Security policies are rules that protect resources on computers and networks. Group Policy allows you to configure many of these rules as Group Policy settings. For example, you can configure password policies as part of Group Policy.

Group Policy has a large security section to configure security for both users and computers. This way, you can apply security consistently across organizational units (OUs) in Active Directory® Domain Services (AD DS), by defining security settings in a Group Policy object that is associated with a site, domain, or OU.

Additional Reading

• Microsoft Technet article: Security Settings

• Microsoft Technet article: Group Policy Security Settings


What Is the Default Domain Security Policy?

Key Points

The default domain policy is linked to the domain, and therefore affects all objects in the domain unless a GPO that you applied at a lower level blocks or overrides these settings. This policy has very few settings configured by default.

Although the Default Domain Policy has all the settings and capabilities of any GPO, it is recommended that you use this policy only to deliver Account Policies. You should create other GPOs to deliver other settings.

Additional Reading

• Microsoft Technet article: Windows Server 2003 Security Guide Chapter 3: The Domain Policy


What Are the Account Policies?

Key Points

Account policies protect your organization’s accounts and data by mitigating the threat of brute-force guessing of account passwords. In Windows operating systems, and many other operating systems, the most common method for authenticating a user’s identity is to use a secret password. Securing your network environment requires that all users utilize strong passwords. Password policy settings control the complexity and lifetime of passwords. You can configure password policy settings through Group Policy.

Additional Reading

• Microsoft Technet article: Account Passwords and Policies


What Are Local Policies?

Key Points

Every Windows 2000 Server or later computer has exactly one Local Group Policy Object (LGPO). In this object, Group Policy settings are stored on individual computers, regardless of whether they are part of an Active Directory environment. The LGPO is stored in a hidden folder named %windir%\system32\Group Policy. This folder does not exist until you configure an LGPO.


What Are Network Security Policies?

Key Points

Automating client computer configuration settings is an essential step to reduce the cost of deploying networking security, and minimize support issues that result from incorrectly configured settings.

Starting with Windows Server 2003, you were able to automate client wireless configuration using the Wireless Networking Policies settings in Group Policy. Windows Server 2008 and Windows Vista include new features for network policies, and Group Policy support for 802.1X authentication settings for wired and wireless connections.


Additional Reading

• Microsoft Technet article: Joining a Windows Vista Wired Client to a Domain

• Microsoft Technet article: Chapter 6: Designing the Wireless LAN Security Using 802.1X

• Microsoft Technet article: Wireless Group Policy Settings for Windows Vista

• Microsoft Technet article: Define Active Directory-based Wireless Network Policies


Windows Firewall with Advanced Security

Key Points

Windows Vista and Windows Server 2008 include a new and enhanced version of Windows Firewall. The new Windows Firewall is a stateful host-based firewall that allows or blocks network traffic according to its configuration.

Additional Reading

• Microsoft Technet article: The New Windows Firewall in Windows Vista and Windows Longhorn


Demonstration: Overview of Additional Security Settings

Question: You need to ensure that a particular service is not allowed to run on any of your network servers. How would you accomplish this?


Demonstration: What Is the Default Domain Controller Security Policy?

Question: What is the default Group Policy refresh interval for domain controllers?


Lesson 2: Implementing Fine-Grained Password Policies

In Windows Server 2008, using fine-grained password policies, you can allow different password requirements and account lockout policies for different Active Directory users or groups.

In this lesson, you will learn the knowledge and skills to implement fine-grained password policies.


What Are Fine-Grained Password Policies?

Key Points

In previous versions of AD DS, you could apply only one password and account lockout policy to all users in the domain. Fine-grained password policies allow you to have different password requirements and account lockout policies for different Active Directory users or groups. This is desirable when you want different sets of users to have different password requirements, but do not want separate domains. For example, the Domain Admins group may need strict password requirements to which you do not want to subject ordinary users. If you do not implement fine-grained passwords, then the normal default domain account policies apply to all users.

Question: How would you use fine-grained passwords in your environment?

Additional Reading

• Microsoft Technet article: AD DS: Fine-Grained Password Policies


How Fine-Grained Password Policies Are Implemented

Key Points

To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory schema. They are:

• Password Settings Container (PSC)

• Password Settings Object (PSO)

The PSC object class is created by default under the System container in the domain, which stores that domain’s PSOs. You cannot rename, move, or delete this container.

Question: How could you view the Password Settings Container in Active Directory Users and Computers?

Additional Reading

• Microsoft Technet article: AD DS: Fine-Grained Password Policies


Implementing Fine-Grained Password Policies

Key Points

There are three major steps involved in implementing fine-grained passwords:

• Create necessary groups, and add the appropriate users.

• Create PSOs for all defined password policies.

• Apply PSOs to the appropriate users or global security groups.
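The three steps above, and the PSC/PSO objects described in the previous topic, as an added PowerShell example that is not the course's own code: it uses the dsadd and ldifde tools already present on a Windows Server 2008 domain controller rather than the Active Directory module, which only shipped with Windows Server 2008 R2. The domain woodgrovebank.com comes from the lab; the group name, PSO name, password and lockout values, and the placeholder member DN are assumptions.

```powershell
# Added example, not from the course: scripts the three steps of implementing a
# fine-grained password policy on a Windows Server 2008 DC with the built-in dsadd
# and ldifde tools. Assumptions: domain woodgrovebank.com; the group name, PSO name
# and settings are my choices; the member DN is a placeholder to replace.
# Run from an elevated prompt on the domain controller.

$DomainDN = 'DC=woodgrovebank,DC=com'
$GroupDN  = "CN=Privileged-Users,CN=Users,$DomainDN"
$MemberDN = "CN=REPLACE-WITH-USER,CN=Users,$DomainDN"   # placeholder user DN
# PSOs live under the Password Settings Container (PSC) in the System container.
$PsoDN    = "CN=Privileged-PSO,CN=Password Settings Container,CN=System,$DomainDN"

# Step 1: create a global security group and add the user(s) who need the policy.
# PSOs can be applied to users and global security groups, not to OUs, which is
# why the procedure starts with a group rather than with the OU structure.
& dsadd group $GroupDN -secgrp yes -scope g -members $MemberDN

# PSO durations are stored as negative 64-bit integers counting 100-nanosecond
# units. [timespan]::Ticks is already in 100-ns units, so only the sign changes.
function ConvertTo-PsoInterval([timespan]$Span) {
    return -1 * $Span.Ticks
}

# Step 2: describe the PSO as LDIF. Every attribute below except msDS-PSOAppliesTo
# is mandatory for the msDS-PasswordSettings class, so an incomplete PSO is rejected
# by the directory rather than created with gaps. Precedence 10 is deliberately
# lower (stronger) than a typical default-style PSO, since the lowest value wins
# when several group-linked PSOs apply to the same user.
# Step 3: the final msDS-PSOAppliesTo line links the PSO to the group from step 1.
$ldif = @"
dn: $PsoDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval ([timespan]::FromDays(1)))
msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval ([timespan]::FromDays(42)))
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval ([timespan]::FromMinutes(30)))
msDS-LockoutDuration: $(ConvertTo-PsoInterval ([timespan]::FromMinutes(30)))
msDS-PSOAppliesTo: $GroupDN
"@

$ldifPath = Join-Path $env:TEMP 'Privileged-PSO.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
& ldifde -i -f $ldifPath     # -i imports the file into the directory

# Verify which PSO actually wins for the member: a PSO linked directly to the user
# beats any group-linked PSO, and among group-linked PSOs the lowest precedence wins.
& dsget user $MemberDN -effectivepso
```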

Question: In your organization, a number of users deal with confidential files on a regular basis. You need to ensure that all these users have strict account policies enforced. The user accounts are scattered across multiple OUs. How would you accomplish this with the least administrative effort?

Additional Reading

• Microsoft Technet article: Step by Step Guide for Fine-Grained Password and Account Lockout Policy Configuration


Demonstration: Implementing Fine-Grained Password Policies

Question: What utilities can be used to manage PSOs? Choose all that apply.

a. ADSI edit

b. GPMC

c. CSVDE

d. LDIFDE

e. NTDSUtil

f. Active Directory Users and Computers


Lesson 3: Restricting Group Membership and Access to Software

In a large network environment, one of the challenges of network security is controlling the membership of built-in groups in the directory and on workstations. Another concern is preventing access to unauthorized software on workstations.


What Is Restricted Group Membership?

Key Points

In some cases, you may want to control the membership of certain groups in a domain to prevent addition of other user accounts to those groups, such as the local administrators group.

You can use the Restricted Groups policy to control group membership. Use the policy to specify what members are placed in a group. If you define a Restricted Groups policy and refresh Group Policy, any current member of a group that is not on the Restricted Groups policy members list is removed. This can include default members, such as domain administrators.

Although you can control domain groups by assigning Restricted Groups policies to domain controllers, you should use this setting primarily to configure membership of critical groups like Enterprise Admins and Schema Admins. You also can use this setting to control the membership of built-in local groups on workstations and member servers. For example, you can place the Helpdesk group into the local Administrators group on all workstations.


You cannot specify local users in a domain GPO. Any local users who currently are in the local group that the policy controls will be removed. The only exception is that the local Administrators account will always be in the local Administrators group.

Question: Your company has five Web servers physically located across North America. The Web servers’ computer accounts are all located in a single OU. You want to grant all the users in the global group named Web_Backup the right to back up and restore the Web servers. How could you use Group Policy to accomplish this?

Additional Reading

• Microsoft Technet article: Restricted Groups

• Microsoft Technet article: Group Policy Security Settings


Demonstration: Configuring Restricted Group Membership

Question: You created a Group Policy that adds the Helpdesk group to the local Administrators group and you linked the policy to an OU. Now the Domain Administrators no longer have any administrative authority on the computers in that OU. What is the most likely problem and how would you solve it?


What Is a Software Restriction Policy?

Key Points

You may want to restrict access to software to prevent users from running particular applications or types of applications, like VBScripts. Software restriction policy provides administrators with a policy-driven mechanism for identifying software and controlling its ability to run on a client computer.

Question: You have a number of computers in a workgroup. You need to restrict access to a certain application so that only members of the Administrators group are allowed to launch the application. How would you accomplish this?

Additional Reading

• Microsoft Technet article: Using Software Restriction Policies to Protect Against Unauthorized Software


Options for Configuring Software Restriction Policies

Key Points

Software Restriction policies use rules to determine whether an application is allowed to run. When you create a rule, you first identify the application. Next you identify it as an exception to the default policy setting of Unrestricted or Disallowed. The enforcement engine queries the rules in the software restriction policy before allowing a program to run.

Question: You need to restrict access to a certain application no matter into what directory location the application is installed. What type of rule should you use?

Additional Reading

• Microsoft Technet article: Using Software Restriction Policies to Protect Against Unauthorized Software


Demonstration: Configuring Software Restriction Policies

Question: You want to ensure that only digitally signed Visual Basic scripts are allowed to run. What type of rule should you use?


Lesson 4: Managing Security Using Security Templates

A security policy is a group of security settings that affect a computer’s security. You can use a security policy to establish account and local policies on your local computer, and in Active Directory. You can create security templates to assist in creating security policies to meet your company’s security needs. You can then use these templates to configure the security settings assigned to computers either manually, or through Group Policy.


What Are Security Templates?

Key Points

A security template is a collection of configured security settings. You can use predefined security templates as a base to create security policies that you customize to meet your needs, or you can create new templates. You use the Security Templates snap-in to create or customize templates. After you create a new template or customize a predefined security template, you can use it to configure security on an individual computer or thousands of computers. Security templates contain security settings for all security areas.

Additional Reading

• Microsoft Technet article: Security Templates


Demonstration: Applying Security Templates

Question: You have multiple database servers that are located in different OUs. What is the easiest way to apply consistent security settings to all of the database servers?


What Is the Security Configuration Wizard?

Key Points

The Security Configuration Wizard (SCW) is an attack-surface reduction tool that was introduced with Windows Server 2003 Service Pack 1 (SP1). SCW assists administrators in creating security policies: it determines the minimum functionality that a server’s role or roles require, and then disables functionality that is not required.

SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the server’s selected roles. The security policies that you create with SCW are XML files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS).

Question: What types of server roles exist in your organization?


Additional Reading

• Microsoft Technet article: Security Templates

• Microsoft Technet article: Security Configuration Wizard for Windows Server 2003


Demonstration: Configuring Server Security Using the Security Configuration Wizard

Question: What is the main advantage of the SCW?


Options for Integrating the Security Configuration Wizard and Security Templates

Key Points

Security policies that you create with the SCW can also include custom security templates. Some of the settings that you can configure using the SCW partially overlap the settings that you can configure using security templates alone. Neither set of configuration changes is completely inclusive of the other. For example, the SCW includes IIS settings that are not included in any security template. Conversely, security templates can include such items as Software Restriction policies, which you cannot configure through SCW.

Additional Reading

• Microsoft Technet article: Security Configuration Wizard Overview

• Microsoft Technet article: Security Watch: The Security Configuration Wizard


Demonstration: Importing Security Configuration Policies into Security Templates

Question: You need to open a port on your Windows Vista client computers for a custom application. Should you use the SCW or create a security template and use a GPO?


Lab: Implementing Security Using Group Policy

Scenario

Woodgrove Bank has decided to implement Group Policy to configure security for users and computers in the organization. The company recently upgraded all of the workstations to Windows Vista, and all of the servers to Windows Server 2008. The organization wants to utilize Group Policy to implement security settings for the workstations, servers, and users. The enterprise administrator created a design that includes modifications to the default domain security policy, and additional GPOs for configuring security. The company wants to have the flexibility to assign different password policies for specific users. The company also wants to automate the configuration of security settings as much as possible.

Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings, and may not always follow best practices.


Exercise 1: Configuring Account and Security Policy Settings

You have been tasked to implement a domain account policy with the following criteria:

• Domain passwords will be eight characters.

• Strong passwords will be enforced.

• Passwords will be changed exactly every 20 days.

• Accounts will be locked out for 30 minutes after five invalid logon attempts.

You also will configure a local policy on the Windows Vista client that enables the local Administrator account, and prohibits access to the Run menu for Non-Administrators.

Then you will create a wireless network policy for Windows Vista that creates a profile for the Corp wireless network. This profile will define 802.1x as the authentication method. This policy also will deny access to a wireless network named Research.

Finally, you will configure a policy to prevent the Remote Registry service from running on any domain controller.

The main tasks in this exercise are:

1. Start the virtual machine, and log on as Administrator.

2. Create an account policy for the domain.

3. Configure local policy settings for a Windows Vista client.

4. Create a wireless network GPO for Windows Vista clients.

5. Configure a GPO that prohibits a service on all domain controllers.

Task 1: Start the virtual machine, and log on as Administrator

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.


Task 2: Create an account policy for the domain

1. Launch the Group Policy Management Console.

2. Edit the Account Policy in the Default Domain Policy with the following values:

• Password Policy:

• Domain passwords: 8 characters in length

• Strong passwords: enforced

• Minimum password age: 19 days

• Maximum password age: 20 days

• Account lockout policy:

• Account Lockout Threshold: 5 invalid logon attempts

• Account lockout duration: 30 minutes

• Lockout counter: reset after 30 minutes

Task 3: Configure local policy settings for a Windows Vista client

1. Start NYC-CL1 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd.

2. Create a new MMC, and then add the snap-in for the Group Policy Object Editor for the Local Computer.

3. Open Computer Configuration’s Windows Settings, open Security Settings, open Local Policies, open Security Options, and then enable the Accounts: Administrator Account Status setting.

4. Add the Group Policy Object Editor snap-in to the MMC again and then click Browse.

5. Click the Users tab, select the Non-Administrators group, click OK, and then Finish.

6. Open User Configuration, Administrative Templates, click the Start Menu and Taskbar folder, and then enable the Remove Run from Start Menu setting.

7. Close the MMC without saving the changes.


Task 4: Create a wireless network GPO for Windows Vista clients

1. In the GPMC, create a new GPO named Vista Wireless.

2. Edit the GPO by right-clicking Wireless Network (IEEE 802.11) Policies, and then clicking Create a New Windows Vista Policy.

3. In the New Vista Wireless Network Policy dialog box, click Add, and then click Infrastructure.

4. Create a new profile named Corporate, and then in the Network Name (SSID) field, type Corp.

5. Click the Security tab, change the Authentication method to Open with 802.1X, and then click OK.

6. Click the Network Permissions tab, and then click Add.

7. Type Research in the Network Name (SSID): field, set the Permission to Deny, and then click OK twice.

8. Close the Group Policy Management Editor, and then leave the GPMC open.

Task 5: Configure a policy that prohibits a service on all domain controllers

1. Edit the Default Domain Controllers Policy to disable the Remote Registry service: open Computer Configuration, Policies, Windows Settings, Security Settings, and then System Services.

2. Close the Group Policy Management Editor and leave the GPMC open.

Result: At the end of this exercise, you will have configured account and security policy settings.


Exercise 2: Implementing Fine-Grained Password Policies

Your corporate security policy dictates that members of the IT Administrative group will have strict password policies. The passwords must meet the following criteria:

• 30 passwords will be remembered in password history.

• Domain passwords will be 10 characters.

• Strong passwords will be enforced.

• Passwords will not be stored with reversible encryption.

• Passwords will be changed every seven days exactly.

• Accounts will be locked out for 30 minutes after three invalid logon attempts.

You will create a fine-grained password policy to enforce these policies for the IT Admins global group.

The main tasks are as follows:

1. Create a PSO using ADSI Edit.

2. Assign the ITAdmin PSO to the IT Admins global group.

Task 1: Create a PSO using ADSI Edit

1. In the Run menu, type adsiedit.msc, and then press ENTER.

2. Right-click ADSI Edit, click Connect to, and then click OK to accept the defaults.

3. Navigate to DC=woodgrovebank, DC=com, CN=System, CN=Password Settings Container, right-click CN=Password Settings Container, and then create a new object.

4. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next.

5. In the Value box, type ITAdmin.

6. In the msDS-PasswordSettingsPrecedence value, type 10.

7. In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE.

8. In the msDS-PasswordHistoryLength value, type 30.

9. In the msDS-PasswordComplexityEnabled value, type TRUE.


10. In the msDS-MinimumPasswordLength value, type 10.

11. In the msDS-MinimumPasswordAge value, type -5184000000000.

12. In the msDS-MaximumPasswordAge value, type -6040000000000.

13. In the msDS-LockoutThreshold value, type 3.

14. In the msDS-LockoutObservationWindow value, type -18000000000.

15. In the msDS-LockoutDuration value, type -18000000000 and then click Finish.

16. Close the ADSI Edit MMC without saving changes.

Task 2: Assign the ITAdmin PSO to the IT Admins global group

1. Open Active Directory Users and Computers.

2. Click View, and then click Advanced Features.

3. Expand Woodgrovebank.com, expand System, and then click Password Settings Container.

4. In the details pane, right-click the ITAdmin PSO, and then click Properties.

5. Click the Attribute Editor tab, scroll down, select the msDS-PSOAppliesTo attribute, and then click Edit.

6. Add the ITAdmins_WoodgroveGG group.

7. Close Active Directory Users and Computers.

Result: At the end of this exercise, you will have implemented fine-grained password policies.
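The same PSO can be built from a script rather than typed attribute by attribute into ADSI Edit. The following PowerShell is an added example, not code from the 6425A course: it converts the policy's days and minutes into the negative 100-nanosecond values that the msDS-*Age, msDS-LockoutDuration and msDS-LockoutObservationWindow attributes expect, writes an LDIF record for the ITAdmin PSO, and leaves the import to ldifde (the other tool the module review names). It assumes a woodgrovebank.com domain and PowerShell 1.0 or later on NYC-DC1; the container holding ITAdmins_WoodgroveGG is not stated in the lab, so the group DN below is a placeholder. Run as a check, ConvertTo-PsoInterval gives -6048000000000 for 7 days and -18000000000 for 30 minutes, and reports -5184000000000 as exactly 6 days.

```powershell
# Added example, not part of the 6425A handbook. Builds the LDIF that ldifde imports to
# create the ITAdmin PSO from Exercise 2. Assumes a woodgrovebank.com domain and PowerShell
# 1.0 or later on NYC-DC1; the group DN is a placeholder to adjust to where the group lives.

# Age, duration and observation-window attributes are stored as negative Int64 values
# counting 100-nanosecond intervals, the same format typed into ADSI Edit in Task 1.
function ConvertTo-PsoInterval {
    param([int]$Days = 0, [int]$Hours = 0, [int]$Minutes = 0)
    $ticksPerMinute = [int64]600000000                  # 60 s * 10,000,000 ticks per second
    $totalMinutes   = ($Days * 1440) + ($Hours * 60) + $Minutes
    return -1 * ([int64]$totalMinutes * $ticksPerMinute)
}

# Reverse conversion, for reading back a value seen in ADSI Edit
function ConvertFrom-PsoInterval {
    param([int64]$Value)
    $minutes = [math]::Abs($Value) / 600000000
    return "{0:N0} minutes ({1:N2} days)" -f $minutes, ($minutes / 1440)
}

function Get-PsoLdif {
    param(
        [string]$Name, [string]$DomainDn, [string]$AppliesToDn,
        [int]$Precedence, [int]$HistoryLength, [int]$MinLength,
        [int]$MinAgeDays, [int]$MaxAgeDays,
        [int]$LockoutThreshold, [int]$LockoutMinutes
    )
    # One LDIF "add" record; attribute names are those of the msDS-PasswordSettings class
    @"
dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: $Precedence
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: $HistoryLength
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: $MinLength
msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval -Days $MinAgeDays)
msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval -Days $MaxAgeDays)
msDS-LockoutThreshold: $LockoutThreshold
msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval -Minutes $LockoutMinutes)
msDS-LockoutDuration: $(ConvertTo-PsoInterval -Minutes $LockoutMinutes)
msDS-PSOAppliesTo: $AppliesToDn
"@
}

# Placeholder DN: the lab does not state which container holds ITAdmins_WoodgroveGG
$groupDn = 'CN=ITAdmins_WoodgroveGG,CN=Users,DC=woodgrovebank,DC=com'

$ldif = Get-PsoLdif -Name 'ITAdmin' -DomainDn 'DC=woodgrovebank,DC=com' -AppliesToDn $groupDn `
    -Precedence 10 -HistoryLength 30 -MinLength 10 -MinAgeDays 6 -MaxAgeDays 7 `
    -LockoutThreshold 3 -LockoutMinutes 30

$ldifPath = Join-Path $env:TEMP 'ITAdmin-PSO.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# Cross-check the conversions against the values typed in Task 1
"7 days       -> $(ConvertTo-PsoInterval -Days 7)"
"30 minutes   -> $(ConvertTo-PsoInterval -Minutes 30)"
"-5184000000000 is $(ConvertFrom-PsoInterval -Value -5184000000000)"
"Wrote $ldifPath; import on a domain controller with: ldifde -i -f $ldifPath"
```

Review the .ldf before importing it; ldifde creates the object and the msDS-PSOAppliesTo link in one step, so Task 2's Attribute Editor visit is only needed to confirm the result.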


Exercise 3: Configuring Restricted Groups and Software Restriction Policies

You need to ensure that the ITAdmins global group is included in the local Administrators group for all of the organization’s computers. Domain controllers are considered high security, and Internet Explorer will not be allowed to run on domain controllers. You also will prevent any Visual Basic scripts (VBS) from running on the C: drive of domain controllers.

The main tasks are as follows:

1. Configure restricted groups for the local administrators group.

2. Create a GPO that prohibits Internet Explorer and VBS scripts from running on domain controllers.

Task 1: Configure restricted groups for the local administrators group

1. If required, open the GPMC, open the Group Policy Objects folder, and then edit the Default Domain Policy.

2. Navigate to Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, right-click Restricted Groups, and then click Add Group.

3. Add the Administrators group, and then click OK.

4. In the Administrators Properties dialog box, add the following groups:

• Woodgrovebank\ITAdmins_WoodgroveGG

• Woodgrovebank\Domain Admins

5. Close the Group Policy Management Editor.

Task 2: Prohibit Internet Explorer and VBS scripts from running on domain controllers

1. Edit the Default Domain Controllers Policy.

2. Navigate to Windows Settings, expand Security Settings, right-click Software Restriction Policies, and then click New Software Restriction Policy.

3. Right-click Additional Rules, and then click New Hash Rule.


4. Browse and navigate to C:\Program Files\Internet Explorer\iexplore.exe, and then click Open. Ensure that the Security level is Disallowed.

5. Right-click Additional Rules, and then click New Path Rule.

6. In the Path field, type *.vbs and then click OK.

7. Close the Group Policy Management Editor.

Result: At the end of this exercise, you will have configured restricted groups and software restriction policies.


Exercise 4: Configuring Security Templates

You will create a security template for file and print servers that renames the Administrator account and does not display the name of the last user who logged on. You will then use the Security Configuration Wizard to create a security policy that hardens the file and print server and includes the security template. You will use the SCW interface to apply the policy to the file and print server NYC-SVR1. Finally, you will transform the policy into a GPO named FPSecurity.

The main tasks for this exercise are:

1. Create a security template for the file and print servers.

2. Start NYC-SVR1, join the domain, and disable the Windows Firewall.

3. Run the Security Configuration Wizard and import the FPSecurity template.

4. Transform the FPPolicy into a GPO.

Task 1: Create a security template for the file and print servers

1. Create a new MMC, and then add the snap-in for Security Templates.

2. Expand Security Templates, right-click C:\Users\Administrators\Documents\Security\Templates, and then click New Template.

3. Name the template FPSecurity.

4. Navigate to Local Policies, and then Security Options. Define the Accounts: Rename administrator account setting with the value FPAdmin.

5. Set the Interactive Logon: Do not display last user name to be Enabled.

6. In the folder pane, right-click FPSecurity, and then click Save.

7. Close the MMC without saving the changes.


Task 2: Start NYC-SVR1, join the domain, and disable the Windows Firewall

1. Start NYC-SVR1 and log on as LocalAdmin with the password Pa$$w0rd.

2. Join NYC-SVR1 to the WoodgroveBank.com domain.

3. Restart the computer, and log on as Administrator.

4. Disable the Windows Firewall.

Note: This step is performed to simplify the lab and is not a recommended practice.

Task 3: Run the Security Configuration Wizard and import the FPSecurity template

1. On NYC-DC1, launch the Security Configuration Wizard.

2. On the Welcome page, click Next.

3. On the Configuration Action screen, click Next.

4. On the Select Server screen type NYC-SVR1.woodgrovebank.com, and then click Next.

5. After the configuration database has been processed, click Next.

6. On the Role-Based service Configuration screen, click Next.

7. On the Select server Roles screen, clear the checkbox beside DNS Server.

8. Select the checkbox beside File Server.

9. Select the checkbox beside Print Server and then click Next.

10. On the Select Client Features screen, click Next.

11. On the Select Administration and Other Options screen, click Next.

12. On the Select Additional Services screen, click Next.

13. On the Handling Unspecified Services screen, continue clicking Next until you reach the Security Policy File Name screen.


14. On the Security Policy File Name screen, type FPPolicy at the end of the C:\Windows\security\msscw\policies\ path.

15. Click Include Security Templates, and then click Add.

16. Add the Documents\Security\Templates\FPSecurity policy.

17. On the Apply Security Policy screen, click Apply Now, and then click Next.

18. On the Applying Security Policy screen, click Next, and then click Finish.

Task 4: Transform the FPPolicy into a GPO

1. On NYC-DC1, launch the Command Prompt and type scwcmd transform /p:"C:\Windows\security\msscw\Policies\FPpolicy.xml" /g:FileServerSecurity.

2. Open the GPMC if necessary, and then open the Group Policy Objects folder. Double-click the FileServerSecurity GPO, and then examine the settings.

3. Close the GPMC and log off NYC-DC1.

Result: At the end of this exercise, you will have configured security templates.
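Security templates are plain .inf files, and secedit can compare a server against one without changing anything. The following PowerShell is an added example, not part of the course or its lab files: it writes the two FPSecurity settings from Task 1 as a template, then runs secedit in analyze mode and lists the settings that differ, which is the check a practitioner wants before applying the template through SCW, a GPO, or secedit itself. It assumes PowerShell 1.0 or later in an elevated prompt on the server being checked; the file names and the "Mismatch" log filter are mine.

```powershell
# Added example, not part of the 6425A handbook. Writes the FPSecurity settings from
# Exercise 4 as a security template (.inf) and runs secedit in analyze mode, so the
# drift between a server and the template is visible before anything is applied.
# Assumes PowerShell 1.0 or later and an elevated prompt on the server being checked.

$workDir = Join-Path $env:TEMP 'FPSecurity'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'FPSecurity.inf'
$dbPath  = Join-Path $workDir 'FPSecurity.sdb'
$logPath = Join-Path $workDir 'FPSecurity.log'

# Template body. NewAdministratorName is the "Accounts: Rename administrator account"
# setting; "Interactive logon: Do not display last user name" is a REG_DWORD (type 4)
# under the policy key, written as <path>=<type>,<value>.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
NewAdministratorName = "FPAdmin"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
'@
Set-Content -Path $infPath -Value $template -Encoding Unicode

function Invoke-TemplateAnalysis {
    param([string]$Inf, [string]$Db, [string]$Log)
    # A stale database would merge in earlier templates, so start from a fresh one
    foreach ($f in $Db, $Log) { if (Test-Path $f) { Remove-Item $f } }
    & secedit.exe /analyze /db $Db /cfg $Inf /log $Log | Out-Null
    # secedit's log marks every differing setting with "Mismatch"
    Get-Content -Path $Log | Where-Object { $_ -match 'Mismatch' }
}

$drift = @(Invoke-TemplateAnalysis -Inf $infPath -Db $dbPath -Log $logPath)
if ($drift.Count -eq 0) {
    "Server already matches FPSecurity.inf"
} else {
    "Settings that differ from the template:"
    $drift
    # To enforce the template directly instead of through SCW or a GPO:
    #   secedit /configure /db $dbPath /cfg $infPath /log $logPath
}
```

The analyze step is safe to repeat at any time; only the commented secedit /configure line changes the server. The same .inf is what Task 3 step 16 hands to SCW, and what scwcmd transform later carries into the GPO.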


Exercise 5: Verifying the Security Configuration

You will log on as various users to test the results of Group Policy.

The main tasks for this exercise are:

1. Log on as the Local Administrator of the Windows Vista computer and check the membership of the local administrators group.

2. Log on to the Windows Vista computer as an ordinary user and test the account policy.

3. Log on to the domain controller as the domain administrator and test software restrictions and services.

4. Use Group Policy modeling to test the settings on the file and print server.

5. Close all virtual machines and discard undo disks.

Task 1: Log on as the Local Administrator of the Windows Vista computer and check the membership of the local administrators group

1. Log on to NYC-CL1 as NYC-CL1\administrator with the password Pa$$w0rd.

2. Launch a Command Prompt, and run the GPupdate /force command.

3. Ensure that the Run menu appears in the Accessories folder on the Start menu.

4. Open Control Panel, click User Accounts, click User Accounts, click Manage User Accounts, click the Advanced tab, click Advanced, click Groups, open the Administrators group, and then ensure that the Domain Admins and the ITAdmins global groups are present.

5. Restart NYC-CL1.

Task 2: Log on to the Windows Vista computer as an ordinary user and test the policy

1. Log on to NYC-CL1 as Woodgrovebank\Roya with the password Pa$$w0rd.

2. Ensure that the Run menu does not appear in the Accessories folder on the Start menu.


3. Press Right-ALT + DELETE, and then click Change a password.

4. In the Old Password field, type Pa$$w0rd.

5. In the New Password and Confirm password fields, type w0rdPa$$. You will not be able to update the password because the minimum password age has not expired.

6. Log off NYC-CL1.

Task 3: Log on to the domain controller as the domain administrator and test software restrictions and services

1. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

2. Launch a Command Prompt, and then run the GPupdate /force command.

3. Attempt to launch Internet Explorer, read the error message, and then click OK.

4. Navigate to D:\6425\mod07\labfiles, double-click Hello.vbs, read the error message, and then click OK.

5. Open the Services MMC in Administrative Tools. Scroll down to the Remote Registry service, and ensure that its startup type is Disabled.

Task 4: Use Group Policy modeling to test the settings on the file and print server

1. Open the GPMC, and then launch the Group Policy Modeling Wizard.

2. Accept all the defaults except on the User and Computer Selection window.

3. Click Computer, and then type Woodgrovebank\NYC-SVR1.

4. After completing the wizard, observe the policy settings.


Task 5: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise, you will have verified the security configuration.
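The checks in Tasks 1 to 3 are all readable from the command line, which makes them repeatable after every gpupdate rather than a one-off tour through Control Panel and the Services console. The following PowerShell is an added example, not part of the course: it reads the domain account policy from net accounts, the Remove Run policy value, the Remote Registry startup type, the local Administrators membership, and the Disallowed software restriction rules the Default Domain Controllers Policy wrote. Run the account-policy, Run-menu and group checks on NYC-CL1 and the service and rule checks on NYC-DC1. It assumes PowerShell 2.0, an English build (the net accounts labels are locale-specific), the NetBIOS domain name WOODGROVEBANK, and the Safer\CodeIdentifiers registry layout as seen on Windows Server 2008; the function names are mine.

```powershell
# Added example, not part of the 6425A handbook. Scripts the checks that Exercise 5 performs
# by hand so they can be re-run after every "gpupdate /force". Run the account-policy, Run-menu
# and local-group checks on NYC-CL1 and the service and SRP checks on NYC-DC1. Assumes
# PowerShell 2.0; "net accounts" labels are those of an English Windows build.

function Get-DomainAccountPolicy {
    # Parse the "net accounts /domain" table into a hashtable keyed by setting label
    $policy = @{}
    & net.exe accounts /domain | ForEach-Object {
        if ($_ -match '^(.+?):\s+(.+)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
    }
    return $policy
}

function Test-RunMenuRemoved {
    # "Remove Run from Start Menu" sets NoRun=1 under the current user's Explorer policy key
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name NoRun -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.NoRun -eq 1)
}

function Test-ServiceDisabled {
    param([string]$Name)
    # The System Services policy changes the startup type, which WMI exposes as StartMode
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    return ($svc -ne $null -and $svc.StartMode -eq 'Disabled')
}

function Test-LocalAdministrators {
    param([string[]]$ExpectedMember)
    # The WinNT provider lists members as WinNT://DOMAIN/Name; rewrite that as DOMAIN\Name
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    })
    foreach ($m in $ExpectedMember) {
        $status = if ($members -contains $m) { 'present' } else { 'MISSING' }
        "{0,-50} {1}" -f "Administrators contains $m", $status
    }
}

function Get-SrpDisallowedRules {
    # Software Restriction Policy rules are written under Safer\CodeIdentifiers\<level>;
    # level 0 is Disallowed. Path rules keep the pattern in ItemData, hash rules keep the
    # hashed file's name in FriendlyName (assumption: layout as seen on Server 2008).
    $base      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0'
    $ruleTypes = @{ Paths = 'Path'; Hashes = 'Hash' }
    foreach ($kind in $ruleTypes.Keys) {
        $parent = Join-Path $base $kind
        if (-not (Test-Path $parent)) { continue }
        Get-ChildItem -Path $parent | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            $item = if ($kind -eq 'Paths') { $rule.ItemData } else { $rule.FriendlyName }
            New-Object PSObject -Property @{ RuleType = $ruleTypes[$kind]; Item = $item }
        }
    }
}

# --- Report ---
$acct = Get-DomainAccountPolicy
foreach ($label in 'Minimum password length', 'Maximum password age (days)', 'Minimum password age (days)',
                   'Lockout threshold', 'Lockout duration (minutes)') {
    "{0,-50} {1}" -f $label, $acct[$label]
}
"{0,-50} {1}" -f 'Run menu removed for this user', (Test-RunMenuRemoved)
"{0,-50} {1}" -f 'Remote Registry startup type is Disabled', (Test-ServiceDisabled -Name 'RemoteRegistry')
Test-LocalAdministrators -ExpectedMember 'WOODGROVEBANK\Domain Admins', 'WOODGROVEBANK\ITAdmins_WoodgroveGG'
Get-SrpDisallowedRules | Format-Table -Property RuleType, Item -AutoSize
```

Logged on as Roya on NYC-CL1, the Run-menu check should report True and the lockout threshold 5; on NYC-DC1 the rule listing should show the *.vbs path rule and the iexplore.exe hash rule from Exercise 3 beside the disabled Remote Registry service.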


Module Review and Takeaways

Considerations for Implementing Security Using Group Policy

Consider the following when implementing security using Group Policy.

• Security policies are rules that protect resources on computers and networks and can be enforced using Group Policy.

• The Default Domain Policy and the Default Domain Controllers Policy are created by default.

• Account policies must be implemented at the domain level.

• Any domain level policy is capable of delivering account policies.

• Clients receive account policies from domain controllers.

• Local policies generally affect all users of the local computer, including domain users.

• Network security policies can control wireless configuration for Windows XP and later.


• Network security policies can control wired configuration for Windows Vista and later.

• Windows Firewall supports outbound rules.

• Network awareness can automatically determine your firewall profile.

• Firewall settings and IPsec settings are now integrated.

• Fine-grained passwords allow different users or global groups to have different account policies.

• Fine-grained policies are not delivered through Group Policy.

• Fine-grained policies must be created using ADSIedit or LDIFDE.

• Both domain and local group membership can be controlled through Group Policy.

• Access to software can be controlled through Group Policy.

• Local administrators can be exempted from software restrictions.

• There are four rule types to control access to software.

• Security templates can be used to provide a consistent set of security settings.

• The Security Configuration Wizard can be used to assist in creating security policies.

• Preferences can replace many of the functions of logon scripts.

• Preferences are applied once, but are not enforced and can be modified by users.

• Preferences can be set to be refreshed on the same schedule as Group Policy.

• Preferences can be targeted to objects.


Review Questions

1. You want to place a software restriction policy on a new type of executable file. What must you do before you can create a rule for this executable code?

2. What setting must you configure to ensure that users are only allowed 3 invalid logon attempts?

3. You want to provide consistent security settings for all client computers in the organization. The computer accounts are scattered across multiple OUs. What is the best way to provide this?

4. An administrator in your organization has accidentally modified the Default Domain Controller Policy. You need to restore the policy to its original default settings. How would you accomplish this?


Module 8 Implementing an Active Directory Domain Services Monitoring Plan

Contents:

Lesson 1: Monitoring AD DS Using Event Viewer 8-3

Lesson 2: Monitoring Active Directory Domain Servers Using Reliability and Performance Monitor 8-10

Lesson 3: Configuring AD DS Auditing 8-19

Lab: Monitoring AD DS 8-25


Module Overview

To manage and administer an organization’s operating system, it is important to understand the tools that you can use to monitor the system’s health. By using tools like Event Viewer, Reliability and Performance Monitor, and audit policies, you will be better able to anticipate issues and manage everyday events.


Lesson 1: Monitoring AD DS Using Event Viewer

Monitoring server performance is an important part of maintaining and administering an operating system. The Event Viewer is an application that enables you to browse, manage, and monitor events recorded in event logs.


Event Viewer Features

Key Points

One of the first places you should turn to when troubleshooting problems in Microsoft Windows is the Event Viewer. A number of new features are built into the Event Viewer for Windows Vista® and Windows Server® 2008.

Event Viewer has been completely rewritten with a new user interface that makes it easier to filter and sort events, and to control which events are logged. Additionally, you can now perform some basic diagnostic tasks from within Event Viewer. Event Viewer also provides many new log files.

Additional Reading

• Microsoft Technet article: Event Viewer

• Microsoft Technet article: Online Event Information


Demonstration: Overview of the Event Viewer

Question: You have an issue with Group Policy. What log should you view for detailed Group Policy events?


AD DS Logs

Key Points

The System and Application logs still provide general information and log events from many areas, but the Event Viewer now provides a wide range of application and service logs. These logs can provide granular information about Active Directory Domain Services (AD DS), and other services like Group Policy, offline files, Windows Update client, and many others.


What Are Custom Views?

Key Points

Custom views are filters that are named and saved. After creating and saving a custom view, you can reuse it without recreating its underlying filter. To reuse a custom view, navigate to the Custom Views category in the console tree, and select the custom view’s name. Selecting the custom view applies the underlying filter and displays the results. You can import and export custom views, enabling you to share them between users and computers.

Additional Reading

• Microsoft Technet article: Create a Custom View


What Are Subscriptions?

Key Points

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Event Viewer provides the ability to collect copies of events from multiple remote computers, and store them locally. To specify which events to collect, you create an event subscription. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

Question: Where would subscriptions be most useful in your organization?

Additional Reading

• Microsoft Technet article: Event Subscriptions

• Microsoft Technet article: Configure Computers to Forward and Collect Events
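A custom view and a subscription share the same building block: an XML QueryList of XPath selects over one or more logs. The following PowerShell is an added example, not part of the course, that serves both the custom-view and the subscription topics above: it runs one such query with Get-WinEvent (the same XML the custom view's XML tab shows), then wraps the query into a source-initiated subscription file that wecutil registers on a collector. It assumes PowerShell 2.0 on the collector, WinRM enabled on the domain controllers, and that the collector is in the same domain; the subscription name, the Domain Controllers (DD) SDDL grant, and the log selection are my choices.

```powershell
# Added example, not part of the 6425A handbook. The XML below is the same QueryList an
# Event Viewer custom view saves; Get-WinEvent runs it directly, and the second function
# wraps it into a subscription file for wecutil. Assumes PowerShell 2.0 on the collector
# and WinRM listening on the domain controllers; names and thresholds are mine.

# Custom view: warnings and worse (Level 1-3) from the Directory Service log, plus
# critical and error events from System
$dcHealthQuery = @'
<QueryList>
  <Query Id="0">
    <Select Path="Directory Service">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
  </Query>
</QueryList>
'@

function Get-DcHealthEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 25)
    # -FilterXml accepts exactly what the custom view's XML tab shows
    Get-WinEvent -ComputerName $ComputerName -FilterXml $dcHealthQuery -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, ProviderName
}

function New-EventSubscriptionXml {
    param([string]$Id, [string]$Description, [string]$Query)
    # Source-initiated: each DC is pointed at the collector through the Event Forwarding
    # policy (Computer Configuration > Administrative Templates > Windows Components) and
    # pushes matching events into the collector's ForwardedEvents log. The SDDL grants the
    # Domain Controllers group (DD) permission to forward.
    @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Id</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>$Description</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
$Query
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
}

# 1. Custom-view use: what would this view show on NYC-DC1 right now?
Get-DcHealthEvents -ComputerName 'NYC-DC1' | Format-Table -AutoSize

# 2. Subscription use: write the definition, then register it on the collector
$subPath = Join-Path $env:TEMP 'DcHealth.xml'
New-EventSubscriptionXml -Id 'DcHealth' -Description 'Directory Service warnings and errors from all DCs' -Query $dcHealthQuery |
    Set-Content -Path $subPath -Encoding UTF8
"Subscription definition written to $subPath"
# On the collector, once "wecutil qc" has enabled the Windows Event Collector service:
#   wecutil cs $subPath        (create the subscription)
#   wecutil gr DcHealth        (runtime status: which DCs have checked in)
```

Once the subscription is active, the forwarded copies land in the collector's ForwardedEvents log and the same QueryList, with Path="ForwardedEvents", gives a custom view over every DC at once.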


Demonstration: Configuring Custom Views and Subscriptions

Question: You want to monitor a particular group of events across multiple Web servers. What is the best way to accomplish this?


Lesson 2: Monitoring Active Directory Domain Servers Using Reliability and Performance Monitor

In general, performance is the measure of how quickly a computer completes application and system tasks. You can use performance monitoring to track a range of processes and display the results. You can also use performance monitoring to assist you with upgrade planning, tracking processes that need to be optimized, and understanding a workload and its effect on resource usage in order to identify bottlenecks. Overall system performance might be limited by the access speed of the physical hard disks, the amount of available memory, the speed of the processor, or the throughput of the network interfaces.


Reliability and Performance Monitor Features

Key Points

The Windows Reliability and Performance Monitor enables you to track the performance impact of applications and services, and to generate alerts or take action when user-defined thresholds for optimum performance are exceeded. The Windows Reliability and Performance Monitor provides the features outlined below.

• Resource view

• Reliability Monitor

• Data Collector Sets

• Track applications and services performance

• Wizards and templates for creating logs

• Generate alerts and take action when thresholds are reached

• Generate reports

• Access to Reliability and Performance Monitor


Additional Reading

• Microsoft Technet article: Windows Reliability and Performance Monitor


Demonstration: Overview of the Reliability and Performance Monitor

Question: Where can you find real-time information about network activity?


Monitoring AD DS Using Performance Monitor

Key Points

Monitoring the distributed AD DS service and the services that it relies upon helps maintain consistent directory data and the necessary level of service throughout the forest. You can monitor important indicators to discover and resolve minor problems before they develop into potentially lengthy service outages.

In addition to the normal baseline counters that you monitor for all servers, there are objects and dozens of counters that are specific to AD DS.

Additional Reading

• Microsoft Technet article: Monitoring Active Directory


What Is an Active Directory Baseline?

Key Points

A computer’s baseline is a measure of specified resource behavior during normal activity that indicates how the resource, or a collection of system resources, performs. This information is then compared to later activity, to monitor system usage and system response to changing conditions.

Additional Reading

• Microsoft Technet article: Deploying Active Directory for Branch Office Environments, Chapter 9 - Post Deployment Monitoring of Domain Controllers


Monitoring Service Availability with Reliability Monitor

Key Points

A system’s reliability is the measure of how often it deviates from configured, expected behavior. The Reliability Monitor calculates a System Stability Index that reflects whether unexpected problems reduced the system’s reliability. A graph of the Stability Index over time quickly identifies dates when problems began to occur.

Question: You want to see a historical record of software that has been added or removed from the computer. Where would you find that information?

Additional Reading

• Microsoft Technet article: Windows Vista Performance and Reliability Monitoring Step-by-Step Guide


Monitoring AD DS Using Data Collector Sets

Key Points

A new feature in Windows Reliability and Performance Monitor is the Data Collector Set, which groups data collectors into reusable elements for use with different performance monitoring scenarios.

Question: You want to create an alert to notify you when free disk space is low. How would you create one?

Additional Reading

• Microsoft Technet article: Creating Data Collector Sets


Demonstration: Monitoring AD DS

Question: What is the easiest way to log the same set of data across multiple computers?


Lesson 3: Configuring AD DS Auditing

In any secure environment, you should actively monitor AD DS. As part of your overall security strategy, you should determine the level of auditing appropriate for your environment. Auditing should identify actions, either successful or not, that have modified, or attempted to modify, Active Directory objects.


What Is AD DS Auditing?

Key Points

An audit log records an entry whenever users perform certain specified actions. For example, modifying an object or a policy can trigger an audit entry that shows the action that was performed, the associated user account, and the date and time of the action. You can audit both successful and failed attempts at actions.

Before you implement auditing policy, you must decide which event categories you want to audit. The auditing settings that you choose for the event categories define your auditing policy. On member servers and workstations that are joined to a domain, auditing settings for the event categories are by default undefined. On domain controllers, some auditing is turned on by default.


Additional Reading

• Microsoft Technet article: Windows Server "Longhorn" Beta 3 Auditing AD DS Changes Step-by-Step Guide

• Microsoft Support: How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain

• Microsoft Technet article: Auditpol Set


Demonstration: Configuring an Audit Policy

Question: What log shows you the results of auditing?


Types of Events to Audit

Key Points

While the Directory Service Access category still provides information about all the events that occur in the directory, and is enabled by default, more detailed information can be delivered from the subcategories.

Question: You want to track details about any modifications made to Active Directory objects for a particular organizational unit (OU) and any child OUs. Which ACE should you set to capture that information?

Additional Reading

• Microsoft Technet article: Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide


Demonstration: Configuring AD DS Auditing

Question: How would you enable the tracking of failure events for the directory service changes subcategory?


Lab: Monitoring AD DS

Scenario

Woodgrove Bank has completed its deployment of AD DS. As the AD DS administrator, you must monitor AD DS availability and performance. The server administrator has provided a monitoring plan that includes service availability, performance, and Event log monitoring components. Using Performance and Reliability Monitoring, Event Viewer, and other tools, you will monitor AD DS domain controllers.


Exercise 1: Monitoring AD DS Using Event Viewer

As the network administrator, you want to collect Event Viewer information from all domain controllers’ directory service. You will create a custom view to capture the Critical, Error and Warning events for AD DS and the DNS Server. Then you will export the view to a shared network folder, and import the custom view to NYC-DC2. You also want to monitor when services stop and start on NYC-DC2. You will create a subscription to forward event 7036 from NYC-DC2 to NYC-DC1, and then test the result. Finally, you will attach a task to the Windows Setup log to notify you whenever an event is generated in the setup log on NYC-DC1, so that you can track application installations. You will also attach a task to the 7036 event to inform you of problems with services.

The main tasks for this exercise are:

1. Start the virtual machines, and then log on.

2. Create a custom view to capture the relevant events.

3. Export a custom view.

4. Import a custom view.

5. Configure computers to forward and collect events.

6. Create a subscription to forward events from NYC-DC2 to NYC-DC1.

7. Attach a task to an event log and attach a task to an event.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. In the Lab Launcher, next to 6425A-NYC-DC2, click Launch.

4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

5. Log on to NYC-DC2 as Administrator with the password Pa$$w0rd.

6. Minimize the Lab Launcher window.


Task 2: Create a custom view to capture the relevant events

1. On NYC-DC1, log on as Administrator with the password Pa$$w0rd.

2. Launch Event Viewer from the Administrative Tools folder.

3. Right-click Custom Views, and then click Create Custom View.

4. Select the checkboxes beside Critical, Warning and Error.

5. Click the drop-down arrow beside Event Logs, expand Application and Services Logs, select Directory Service and DNS Server, and then click OK.

6. Name the custom view Directory Service.

Task 3: Export a custom view

1. Right-click the Directory Service custom view, and then click Export Custom View.

2. Save the exported view as C:\Data\Active Directory.

Task 4: Import a custom view

1. Log on to NYC-DC2 as Administrator with the password Pa$$w0rd.

2. Launch Event Viewer from the Administrative Tools folder.

3. Right-click Custom Views, and then click Import Custom View.

4. Import the custom view from \\NYC-DC1\Data\Active Directory.xml.

Task 5: Configure computers to forward and collect events

1. On NYC-DC1 (the collector computer), open a Command Prompt, type wecutil qc and Y, and then press ENTER to make the changes.

2. Close the command prompt.

3. Switch to NYC-DC2 (the source computer).

4. Open the Command Prompt, type winrm quickconfig and Y, and then press ENTER to make the changes.

5. Close the command prompt.


Task 6: Create a subscription to forward events from NYC-DC2 to NYC-DC1

1. On NYC-DC1, in Event Viewer, right-click Subscriptions, and then click Create Subscription.

2. Name the subscription Service Events, click Collector Initiated, and then click Select Computers.

3. Click Add Domain Computers, and then add NYC-DC2.

4. Click Select Events, and then select Information events.

5. Click the drop-down arrow beside Event Logs, expand Windows Logs, and then select the System log.

6. In the Event ID field, type 7036, and then click OK.

7. Click Advanced, click Specific User, and then click User and Password.

8. Ensure the user name is Woodgrovebank\Administrator, and then enter the password Pa$$w0rd.

9. Click Minimize Latency, and then click OK twice. Click Yes to the Event Viewer messages if they appear.

10. In the folder pane, click the Subscriptions folder, and ensure that the Service Events subscription status is Active.

11. On NYC-DC2, open the Command Prompt.

12. In the Command Prompt, type Net Stop DNS, and then press ENTER.

13. Type Net Start DNS, and then press ENTER.

14. On NYC-DC1, click the Forwarded Events log. Examine the information events.

Note: Actual events may take a few minutes to show up in the Forwarded Events log. Start and stop the DNS service again if required.
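The same collector-initiated subscription that Tasks 5 and 6 build in the Event Viewer GUI can be scripted, which is how you would roll it out to more than one source. This is an added example, not part of the course: the computer names, domain, log, event ID and subscription name are the lab's; the XML path C:\Data\ServiceEvents.xml and the use of the collector's computer account (CredentialsType Default) instead of the lab's specific user are assumptions.

```powershell
# Added example (not from the course). Run on the collector NYC-DC1 from an elevated
# PowerShell prompt, after "winrm quickconfig -q" has been run once on the source NYC-DC2.
$SubscriptionName = 'Service Events'
$SourceComputer   = 'NYC-DC2.woodgrovebank.com'
$XmlPath          = 'C:\Data\ServiceEvents.xml'      # assumed location for the definition

# Task 5 on the collector: configure the Windows Event Collector service (Y answered by /q).
wecutil qc /q:true

# Task 6 as a subscription definition. The query is exactly what the filter in steps 4-6
# produces: System log, Information level (4, and 0 which Event Viewer also treats as
# Information), Event ID 7036. MinLatency matches the "Minimize Latency" option in step 9.
# With CredentialsType Default the collector's computer account reads the source's log and
# must be a member of the source's Event Log Readers group; the lab instead supplies
# Woodgrovebank\Administrator as a specific user in step 8.
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Service start/stop events (7036) forwarded from $SourceComputer</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(Level=4 or Level=0) and (EventID=7036)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$SourceComputer</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
Set-Content -Path $XmlPath -Value $xml -Encoding ASCII

# Create the subscription and confirm it is Active (step 10): "gr" shows the runtime
# status of the subscription and of each source, including the last error, if any.
wecutil cs $XmlPath
wecutil gr $SubscriptionName

# Steps 11-13: stop and start DNS on the source to generate two 7036 events. "sc" is a
# PowerShell alias for Set-Content, so the executable must be named explicitly.
sc.exe \\$SourceComputer stop dns
Start-Sleep -Seconds 5
sc.exe \\$SourceComputer start dns

# Step 14: read what arrived in Forwarded Events. MachineName shows which source sent it.
Start-Sleep -Seconds 30      # forwarding is not instantaneous, as the note above says
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 7036 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Message
```

If `wecutil gr` reports the source as inactive, the usual causes are WinRM not configured on the source or the collector account lacking read access to the source's System log.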


Task 7: Attach a task to an event log and to an event

1. On NYC-DC1, expand Windows Logs, right-click the Setup log, and then click Attach a Task to this Log.

2. In the Create a Basic Task Wizard, click Next.

3. In the When a Specific Event is Logged window, click Next.

4. In the Action window, click Send an e-mail, and then click Next.

5. In the Send an E-mail window, type Event Viewer in the From field.

6. Type [email protected] in the To field.

7. Type Application Installation in the Subject field.

8. Type Mail.Woodgrovebank.com in the SMTP Server field, click Next, and then click Finish. Click OK.

9. Click the Forwarded Events log to open it.

10. Right-click one of the 7036 events, and then click Attach Task To This Event.

11. On the Create a Basic Task screen, click Next.

12. On the When a Specific Event is Logged screen, click Next.

13. On the Action screen, click Display a Message, and then click Next.

14. On the Display a Message screen, type Service Event in the Title field, type A service stopped or started in the Message field, click Next, click Finish, and then click OK to acknowledge the Event Viewer message.

15. Switch to NYC-DC2 and repeat the steps to stop and start the DNS service.

16. When the message box appears displaying your message, click OK to acknowledge the message.

Note: The message box may be hidden behind the Event Viewer window. Look for it on the task bar.

17. Close all open windows.

Result: At the end of this exercise, you will have monitored AD DS using Event Viewer.


Exercise 2: Monitoring AD DS Using Performance and Reliability Monitor

As the network administrator, you will configure Performance and Reliability Monitor to monitor some of the directory service counters. You also will create Data Collector Sets, monitor server performance using Performance Monitor, and configure an alert to be triggered when free disk space is low.

The main tasks for this exercise are:

1. Configure Performance and Reliability Monitor to monitor AD DS.

2. Create a data collector set.

Task 1: Configure Performance and Reliability Monitor to monitor AD DS

1. On NYC-DC1, open the Reliability and Performance Monitor in Administrative Tools, and then click Performance Monitor.

2. Click the green Plus sign on the toolbar to add objects and counters.

3. In the Add Counters dialog box, expand the Directory Services object, and then add the DRA Inbound Bytes Total/sec counter.

4. Repeat the previous step to add the following counters:

• DRA Outbound Bytes Total/sec

• DS Threads In Use

• DS Directory Reads/sec

• DS Directory Writes/sec

5. Expand Security System-Wide Statistics, and then add the Kerberos Authentications counter.

6. Expand DNS, and then add the UDP Query Received counter.

Task 2: Create a data collector set

1. In the folder pane, right-click Performance Monitor, click New, and then click Data Collector Set.

2. Name the data collector set Active Directory.

3. Leave the Root directory as the default path, and then click Finish.


4. Expand Data Collector Sets, expand User Defined, right-click the Active Directory data collector set, and then click Start.


5. Expand Reports, expand User Defined, expand Active Directory, and then click System Monitor Log.blg. The Report Status shows that the log is collecting data.

6. Right-click the Active Directory data collector set, and then click Stop.

7. Click the System Monitor Log.blg. The chart of the log is displayed in the details pane.
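The counter log from Tasks 1 and 2 can also be created with logman, and a later log can be compared against the baseline described earlier in this module (the review question about DRA Pending Replication Synchronizations is exactly that comparison). This is an added example, not the course's own material: the counter paths are the ones the exercise adds (the Directory Services object appears as NTDS in counter paths), while the output folder C:\PerfLogs\AD, the sample interval and the baseline numbers are assumptions constructed for illustration.

```powershell
# Added example (not from the course). Requires the Get-Counter/Import-Counter cmdlets
# (Windows PowerShell 2.0 or later) on the domain controller.
$CounterPaths = @(
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DS Threads In Use',
    '\NTDS\DS Directory Reads/sec',
    '\NTDS\DS Directory Writes/sec',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\Security System-Wide Statistics\Kerberos Authentications',
    '\DNS\UDP Query Received'
)

function New-ADCounterLog {
    # Task 2 equivalent: a user-defined Data Collector Set that samples the counters above
    # every 15 seconds into a binary (.blg) log. logman appends a numeric suffix to the file.
    param([string]$Name = 'Active Directory', [string]$OutDir = 'C:\PerfLogs\AD')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    logman create counter $Name -c $CounterPaths -si 00:00:15 -f bin -o (Join-Path $OutDir $Name)
    logman start $Name          # stop later with: logman stop $Name
}

function Compare-ADBaseline {
    # Averages each counter over the whole log and flags those well above the baseline.
    param(
        [Parameter(Mandatory = $true)][string]$LogPath,      # .blg written by the collector set
        [Parameter(Mandatory = $true)][hashtable]$Baseline,  # counter path -> baseline average
        [double]$Threshold = 1.5                             # flag above 150% of baseline
    )
    $sums = @{}; $counts = @{}
    foreach ($sampleSet in (Import-Counter -Path $LogPath)) {
        foreach ($s in $sampleSet.CounterSamples) {
            # Paths in a log carry the machine name (\\NYC-DC1\NTDS\...); strip it so the
            # key matches the baseline table regardless of which DC wrote the log.
            $key = ($s.Path -replace '^\\\\[^\\]+', '').ToLower()
            $sums[$key]   += $s.CookedValue
            $counts[$key] += 1
        }
    }
    foreach ($path in $Baseline.Keys) {
        $key = $path.ToLower()
        if (-not $counts.ContainsKey($key)) { Write-Warning "No samples for $path in $LogPath"; continue }
        $avg = $sums[$key] / $counts[$key]
        $status = 'ok'
        if ($avg -gt $Baseline[$path] * $Threshold) { $status = 'ABOVE BASELINE' }
        New-Object PSObject -Property @{
            Counter  = $path
            Baseline = $Baseline[$path]
            Observed = [math]::Round($avg, 2)
            Status   = $status
        }
    }
}

# Constructed baseline values (assumption, for illustration only). Real ones come from a
# log captured under normal load, as the "What Is an Active Directory Baseline?" topic says.
$Baseline = @{
    '\NTDS\DRA Inbound Bytes Total/sec'              = 2048
    '\NTDS\DS Directory Reads/sec'                   = 120
    '\NTDS\DS Directory Writes/sec'                  = 15
    '\NTDS\DS Threads In Use'                        = 4
    '\NTDS\DRA Pending Replication Synchronizations' = 0
}

# Usage (log file name is an example of logman's naming):
# New-ADCounterLog
# ... wait, then: logman stop 'Active Directory'
# Compare-ADBaseline -LogPath 'C:\PerfLogs\AD\Active Directory_000001.blg' -Baseline $Baseline |
#     Format-Table Counter, Baseline, Observed, Status -AutoSize
```

A consistently high DRA Pending Replication Synchronizations average against a baseline of near zero is the replication backlog the review question asks about.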

Result: At the end of this exercise, you will have monitored AD DS using Performance and Reliability Monitor.


Exercise 3: Configuring AD DS Auditing

As the network administrator, you have been tasked with implementing an audit policy to track specific events occurring in AD DS. First, you will examine the audit policy’s current state. Then you will configure auditing as required to track successful and unsuccessful modifications made to Active Directory objects, including the old and new attribute values. Finally, you will test the policy.

The main tasks for this exercise are:

1. Examine the current state of the audit policy.

2. Enable Audit Directory Service Access on domain controllers.

3. Set the SACL for the domain.

4. Test the policy.

5. Close all virtual machines and discard undo disks.

Task 1: Examine the current state of the audit policy

1. On NYC-DC1, open the Command Prompt.

2. In the command-prompt window, type Auditpol.exe /get /category:*, and then press ENTER. Examine the default audit-policy settings.

3. Minimize the command prompt.

Task 2: Enable Audit Directory Service Access on domain controllers

1. On NYC-DC1, open Group Policy Management.

2. Open the Group Policy Objects folder, and then edit the Default Domain Controllers Policy.

3. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy. Notice that all policy settings are set to Not Defined.

4. Double-click Audit Directory Service Access, define the policy settings for both Success and Failure, and then click OK.

5. Close the Group Policy Management Editor, and then close the Group Policy Management console.


6. Restore the Command Prompt, and then type Gpupdate.

7. When the update completes, run the Auditpol.exe /get /category:* command again, and then examine the default audit-policy settings.

8. Close the command prompt.

Task 3: Set the SACL for the domain

1. Open Active Directory Users and Computers.

2. Click the View menu, and then click Advanced Features.

3. Right-click the woodgrovebank.com domain object, and then click Properties.

4. In the Properties dialog box, click the Security tab, click Advanced, click the Auditing tab, and then click Add.

5. In the Select Users dialog box, type Everyone, and then click OK.

6. In the Auditing Entry for Woodgrovebank dialog box, select the check box to audit both Successful and Failed for Write all Properties, and then click OK twice.

Task 4: Test the policy

1. Rename the Toronto OU to GTA.

2. Open Event Viewer, expand Windows Logs, and then click Security.

3. Open event 4662 and examine the event.

4. Return to Active Directory Users and Computers, and edit any user account to change the phone number.

5. Return to Event Viewer, and examine the resulting directory service changes events.

6. Close all open windows.

7. Shut down all virtual machines without saving any changes.
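Tasks 1, 2 and 4 of this exercise can be done from PowerShell with the same auditpol.exe tool, which also lets you read back exactly what the policy produced. This is an added example, not the course's own material: auditpol, the Directory Service Access category and event 4662 are from the page; the Directory Service Changes subcategory and its event IDs 5136, 5137, 5139 and 5141 are the standard Windows Server 2008 ones. The SACL on the domain object is still set as in Task 3; the script assumes it is in place.

```powershell
# Added example (not from the course). Run on NYC-DC1 from an elevated PowerShell prompt.

function Get-AuditSetting {
    # Task 1, one subcategory at a time: "auditpol /get ... /r" prints CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    param([Parameter(Mandatory = $true)][string]$Subcategory)
    $row = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv      # drop the blank leading line
    $row.'Inclusion Setting'          # "No Auditing", "Success", "Failure" or "Success and Failure"
}

function Enable-DirectoryServiceAuditing {
    # Task 2 equivalent applied locally with auditpol instead of the Default Domain Controllers
    # Policy. The lab's category-level GPO setting turns on all four Directory Service
    # subcategories; Directory Service Changes is the one that records old and new attribute
    # values. Local subcategory settings survive Group Policy refresh only if the security
    # option "Audit: Force audit policy subcategory settings (Windows Vista or later) to
    # override audit policy category settings" is enabled; otherwise the category setting
    # in the GPO is reapplied at the next refresh (see the Microsoft Support article in
    # Additional Reading for the GPO-based way to push subcategory settings).
    foreach ($sub in 'Directory Service Access', 'Directory Service Changes') {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        '{0}: {1}' -f $sub, (Get-AuditSetting $sub)
    }
}

function Get-DirectoryAuditEvents {
    # Task 4 check: the entries produced by renaming the OU and changing the phone number.
    # 4662 = object operation (Directory Service Access, no values);
    # 5136 modify / 5137 create / 5139 move / 5141 delete (Directory Service Changes).
    param([int]$MaxEvents = 20)
    $filter = @{ LogName = 'Security'; Id = 4662, 5136, 5137, 5139, 5141 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields are easiest to read by name from the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $object = $data['ObjectDN']
            if (-not $object) { $object = $data['ObjectName'] }     # 4662 reports the object GUID
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Id        = $_.Id
                User      = $data['SubjectUserName']
                Object    = $object
                Attribute = $data['AttributeLDAPDisplayName']       # 5136 only
                Value     = $data['AttributeValue']                 # 5136 only
                Operation = $data['OperationType']                  # 5136: %%14674 added, %%14675 deleted
            }
        }
}

# Usage:
# Enable-DirectoryServiceAuditing
# (rename the Toronto OU and edit a phone number as in Task 4, then)
# Get-DirectoryAuditEvents | Format-Table Time, Id, User, Object, Attribute, Value, Operation -AutoSize
```

A phone-number change shows up as two 5136 events for the same attribute, one with the old value deleted and one with the new value added, which is the "old and new values" the module's takeaways refer to.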


Task 5: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise, you will have configured AD DS Auditing.


Module Review and Takeaways

Review Questions

1. What kinds of events are logged in the Setup log?

2. For what event ID would you filter to see deleted user accounts?

3. What service must you enable on computers collecting subscription events from remote computers?

4. Where can you get up-to-date information about event IDs?

5. Where can you get historical information about application failures?

6. The NTDS\DRA Pending Replication Synchronizations counter is now consistently higher than the established baseline value for that counter. What might this indicate?

7. You want to view all the occurrences of a particular event ID across multiple logs. What is the best way to accomplish this?


Considerations for Implementing an AD DS Monitoring Plan

Consider the following when implementing an AD DS monitoring plan:

• Event Viewer enables you to save filters as reusable custom views.

• Cross-log queries allow you to display data from multiple logs in a single view.

• Subscriptions allow you to gather events from remote computers.

• Application and Services Logs provide more detailed logs that pertain to specific Windows services.

• Event logs online provide up-to-date information about events.

• Application and service logs include admin, operational, analytic, and debug logs.

• A log will be created for each server role you install.

• You can import and export custom views.

• Subscriptions require configuration on both the collecting and source computers.

• Windows Reliability and Performance Monitor provides real-time information in the resource view.

• The Reliability Monitor provides a graphical display of system stability over time.

• You can generate user-friendly reports.

• Performance Monitor provides a wide range of AD DS objects and counters.

• You should establish baselines to determine a computer’s performance under a normal workload.

• The System Stability Report tracks multiple categories of events and keeps a historical record.

• Data Collector Sets allow you to group data collectors into reusable elements.

• There are a number of built-in Data Collector Sets, or you can define your own.

• AD DS auditing can track all events that happen in AD DS.

• Audit directory service access is divided into four subcategories.


• The Directory service changes subcategory provides old and new values when you modify attributes.

• You must use Auditpol.exe to configure subcategories.

• SACLs must be set on objects to allow auditing before you can collect any results.


Module 9 Implementing an Active Directory Domain Services Maintenance Plan

Contents:

Lesson 1: Maintaining the AD DS Domain Controllers 9-3

Lesson 2: Backing Up Active Directory Domain Services 9-14

Lesson 3: Restoring AD DS 9-18

Lab: Implementing an AD DS Maintenance Plan 9-28


Module Overview

As a Windows Server® 2008 administrator, one of your tasks will be to maintain your organization’s Active Directory® Domain Services (AD DS) domain controllers. An important component in maintaining the domain controllers is managing, backing up, and restoring the AD DS data store.


Lesson 1: Maintaining the AD DS Domain Controllers

Maintaining the AD DS database is an important administrative task that you must regularly schedule to ensure that, in the case of disaster, you can recover lost or corrupted data and repair the AD DS database.

AD DS has its own database engine, the Extensible Storage Engine (ESE), which manages the storage of all AD DS objects in an AD DS database. By understanding how changes to attributes in AD DS are written to the database, you will understand how data modification affects database performance and fragmentation, and data integrity.


AD DS Database and Log Files

Key Points

The AD DS database engine, ESE, stores all of the AD DS objects. The ESE uses transactions and log files to ensure the AD DS database’s integrity.

Additional Reading

• Microsoft Technet article: How the Data Store Works


How the AD DS Database Is Modified

Key Points

The key points of the AD DS data-modification process are as follows:

• A transaction is a set of changes made to the AD DS database and the associated metadata.

• The basic data modification process consists of six steps:

1. The write request initiates a transaction.

2. AD DS writes the transaction to the transaction buffer in memory.

3. AD DS writes the transaction in the transaction log.

4. AD DS writes the transaction from the memory buffer to the database.

5. AD DS compares the database and log files to ensure that the transaction was committed to the database.

6. AD DS updates the checkpoint file.


• Caching and logging improve database performance by enabling AD DS to process additional transactions before writing them to the database.

Questions:

What other Microsoft services use a transactional model for making database changes?

How does the AD DS model compare to these other services?

Additional Reading

• Microsoft Technet article: How the Data Store Works


Managing the Active Directory Database Using NTDSUtil Tool

Key Points

Ntdsutil.exe is a command-line tool that you can use to manage AD DS. You can perform many maintenance tasks that cannot be done in the graphical user interface (GUI), including offline database defragmentation, moving the database and its transaction log, removing and restoring deleted objects from AD DS, seizing operations master (also known as flexible single master operations or FSMO) roles, and managing snapshots of the database. You also can include these commands in a batch file.

Question: You have forgotten the directory services restore-mode password for your domain controller. How can you recover the password?


Additional Reading

• NTDSUtil Help

• Data Store Tools and Settings


What Is an AD DS Database Defragmentation?

Key Points

Over time, fragmentation occurs as records in the AD DS database are deleted and new records are added or expanded. When records become fragmented, the computer must search the disk to find and reassemble all pieces each time the database is opened. If many changes are made to the AD DS database, fragmentation could slow its performance.

Question: How often will you need to perform an offline defragmentation of your AD DS databases in your environment?

Additional Reading

• Performing offline defragmentation of the AD DS database

• Data Store Tools and Settings


What Are Restartable Active Directory Domain Services?

Key Points

AD DS in Windows Server 2008 can be stopped and restarted while the machine is booted up. In previous versions, if an administrator wanted to start a domain controller without loading AD DS, the server had to be rebooted into Active Directory Restore Mode. This would start the server as a stand-alone server, without AD DS. You then could perform offline maintenance tasks, such as an offline defragmentation, or moving the database and log files. With Windows Server 2008, the directory service can be taken offline while the machine is running, with minimal disruption to other services.

Additional Reading

• AD DS: Restartable AD DS Domain Services

• Windows Server 2008 Technical Library


Demonstration: Performing AD DS Database Maintenance Tasks

Demonstration steps

To perform these steps, you must be a member of the built-in Administrators group on the domain controller.

1. Stop AD DS.

2. Open a command prompt.

3. Start ntdsutil.

4. At the ntdsutil: prompt, type Activate Instance NTDS, and then press ENTER.

5. At the ntdsutil: prompt, type files, and then press ENTER.

6. Compact the database, using a temporary directory for the new ntds.dit.

7. Overwrite the old ntds.dit with the new compacted version, and then delete any log files (*.log) in the %systemroot%\NTDS\ folder.


8. In the ntdsutil File Maintenance command window, type integrity to check the integrity of the new compacted database.

9. In the File Maintenance command window, type move db to pathname and then press ENTER. The ntds.dit file is moved to the new location and permissions are set accordingly.

10. Start AD DS.
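The demonstration above, as a script that uses restartable AD DS and ntdsutil's command-line form. This is an added example, not the course's own steps: %systemroot%\NTDS is the default database folder named in step 7, while C:\Temp\NTDS (the compaction target) and C:\NTDS-backup (a safety copy the demonstration does not take) are assumptions.

```powershell
# Added example (not from the course). Run elevated on the domain controller as a member
# of its Administrators group, as the demonstration requires.
$NtdsDir   = Join-Path $env:SystemRoot 'NTDS'    # default database and log location
$TempDir   = 'C:\Temp\NTDS'                      # assumed: where the compacted copy goes
$BackupDir = 'C:\NTDS-backup'                    # assumed: copy of the original files
New-Item -ItemType Directory -Path $TempDir, $BackupDir -Force | Out-Null

# Step 1: stop AD DS. Services that depend on it (KDC, DNS Server, file replication, ...)
# stop with it and are not started again automatically, so remember which were running.
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force

# Steps 2-6: each ntdsutil argument is one prompt entry; "quit" twice leaves the files
# menu and then ntdsutil itself. Compaction writes a new ntds.dit into $TempDir.
$out = ntdsutil "activate instance ntds" files "compact to $TempDir" quit quit 2>&1
$out
if ($LASTEXITCODE -ne 0 -or -not (Test-Path (Join-Path $TempDir 'ntds.dit'))) {
    Start-Service -Name NTDS
    foreach ($s in $dependents) { Start-Service -Name $s.Name }
    throw 'Compaction failed; the original database was left untouched and AD DS restarted.'
}

# Not in the demonstration, but the only way back if the compacted copy turns out bad:
# keep the original ntds.dit and its log files before overwriting them.
Copy-Item (Join-Path $NtdsDir 'ntds.dit') -Destination $BackupDir -Force
Copy-Item (Join-Path $NtdsDir '*.log')    -Destination $BackupDir -Force

# Step 7: overwrite ntds.dit with the compacted version and delete the old log files
# (they belong to the old database and must not be replayed against the new one).
Copy-Item (Join-Path $TempDir 'ntds.dit') -Destination (Join-Path $NtdsDir 'ntds.dit') -Force
Remove-Item (Join-Path $NtdsDir '*.log') -Force

# Step 8: integrity check runs against the database now in place in $NtdsDir.
$out = ntdsutil "activate instance ntds" files integrity quit quit 2>&1
$out
if (($out -join "`n") -notmatch 'successful') {
    throw "Integrity check did not report success; restore ntds.dit and *.log from $BackupDir before starting AD DS."
}

# Step 9 (optional, not done here): ntdsutil "activate instance ntds" files "move db to <path>" quit quit
# relocates the database and sets permissions on the new folder.

# Step 10: start AD DS, then the services that were stopped with it.
Start-Service -Name NTDS
foreach ($s in $dependents) { Start-Service -Name $s.Name }
```

Take a system state backup before running this (Lesson 2 covers how); the safety copy above protects against a bad compaction, not against the DC being unavailable while AD DS is stopped.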

Questions:

Why is it necessary to stop the AD DS before defragmenting?

Why is it necessary to compact the database to a temporary directory first?

Additional Reading

• Compact the directory database file (offline defragmentation)


Locking Down Services on AD DS Domain Controllers

Key Points

As part of a comprehensive security plan, you can increase a domain controller’s security by removing all unnecessary services and features. This both reduces the attack surface and improves performance.

Additional Reading

• Security Configuration Wizard Overview


Lesson 2: Backing Up Active Directory Domain Services

Because of the importance of AD DS for most organizations, it is critical that you can restore AD DS functionality in the event of database corruption, server failure, or a more serious disaster, such as the failure of a data center that contains multiple servers. To prepare for disaster recovery, you must implement a consistent policy of backing up the AD DS information on domain controllers.

Introduction to Backing Up AD DS

Key Points You can use Windows Server Backup to back up AD DS. Windows Server Backup is not installed by default. You must install it using Add Features in Server Manager before you can use the Wbadmin.exe command-line tool or Backup tool in Administrative Tools.

Question: What other process could you use to back up the system state data on a domain controller?

Additional Reading • Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery

Windows Server Backup Features

Key Points Windows Server Backup is the new backup utility that Windows Server 2008 provides. To use Windows Server Backup, you must install it as a feature. If you want to use the Windows Server Backup command-line tools, you also must install the Windows PowerShell feature.

Additional Reading • Windows Server 2008 Technical Library

Demonstration: Backing Up AD DS

Questions:

Why should backups be scheduled?

How often should a full backup be performed? How often should an incremental or differential backup be performed?

Additional Reading • Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery

Lesson 3 Restoring AD DS

After implementing an AD DS backup system, you can move to planning and implementing AD DS restore. In Windows Server 2008, you have several options available for restoring AD DS information. This lesson describes when and how to use each option.

Overview of Restoring AD DS

Key Points In Windows Server 2008, you have several options available for restoring AD DS. The option that you choose depends on the disaster recovery scenario that you need to address.

Additional Reading • Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery

What Is a Nonauthoritative AD DS Restore?

Key Points You can use a backup to perform a nonauthoritative restore of a domain controller. A nonauthoritative restore returns the directory service to its state at the time that the backup was created. After the restore operation completes, AD DS replication updates the domain controller with changes that have occurred since the time that the backup was created. In this way, the domain controller is recovered to a current state.

Question: What would happen if you did not enter the second bcdedit command after restoring the AD DS database?

Additional Reading • Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery

What Is an Authoritative AD DS Restore?

Key Points An authoritative restore provides a method to recover objects and containers that have been deleted from AD DS. When an object is marked for authoritative restore, its version number is changed so that it is higher than the existing version number of the (deleted) object in the AD DS replication system. This change ensures that any data that you restore authoritatively is replicated from the restored domain controller to the forest’s other domain controllers.

Question: What would happen if you did not enter the second bcdedit command after restoring the AD DS database?

Additional Reading • Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery

• Performing an Authoritative Restore of Active Directory Objects

What Is the Database Mounting Tool?

Key Points The Database Mounting Tool (Dsamain.exe) allows administrators to view and compare data in database snapshots (backups) without having to restore those backups. This reduces downtime and speeds the domain-recovery process.

Additional Reading • AD DS: Database Mounting Tool

• Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 Beta 3

Demonstration: Using the Database Mounting Tool

Demonstration Steps To perform this procedure, you must be logged on to a domain controller as a member of either the Enterprise Admins group or the Domain Admins group.

1. Start a command prompt with administrative privileges.

2. At the command prompt, type ntdsutil and then press ENTER.

3. At the ntdsutil prompt, type snapshot and then press ENTER.

4. At the snapshot prompt, type activate instance ntds and then press ENTER.

5. At the snapshot prompt, type create and then press ENTER. The command returns the following output: Snapshot set {GUID} generated successfully.

6. At the snapshot prompt, type mount {GUID}. The mounted snapshot will appear in the file system.

Note: Be sure to include the curly braces around your GUID.

7. Type quit twice to return to the command prompt.

8. At the command prompt, type the following (on one line), and then press ENTER:

Dsamain -dbpath:C:\$SNAP_200708311630_VOLUMEC$\WINDOWS\NTDS\ntds.dit -ldapport:51389 -sslport:51390 -gcport:51391 -gcsslport:51392

Note: Your snapshot path will probably be different.

9. A message indicates that Active Directory Domain Services startup is complete. Leave Dsamain.exe running. Do not close the command prompt.

10. In the Run dialog box, type LDP, and then click OK.

11. Click Connection, and then click Connect.

12. In Server, type localhost, in Port, type 51389, and then click OK.

13. Click Connection, and then click Bind.

14. In Bind type, click Bind as currently logged on user, and then click OK.

15. Click View, and then click Tree.

16. In BaseDN, type dc=woodgrovebank,dc=com.

17. Browse the containers for a user object, and then double-click the user to view its properties.

18. Close LDP.exe.

19. Stop Dsamain.exe by pressing CTRL+C.

Questions:

When would it be useful to mount multiple snapshots at the same time?

Why is it necessary to specify different LDAP, SSL and GC ports for each mounted instance of the database?
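The demonstration above as a script. This is an added example, not code from the course or from Microsoft: it creates a snapshot, mounts it, works out where ntds.dit sits inside the mount, and serves that copy read-only through Dsamain.exe on the demonstration's alternate ports (51389 to 51392, assumed free) so it can be browsed with LDP while the live directory keeps running. The snapshot GUID and mount point are parsed from the ntdsutil output lines quoted in the steps ("Snapshot set {GUID} generated successfully." and "Snapshot {GUID} mounted as <path>"); run it in an elevated prompt as a Domain Admin.

```powershell
# Added example (not from the course): snapshot -> mount -> Dsamain on alternate ports.
$LdapPort  = 51389   # assumed port values, taken from the demonstration
$SslPort   = 51390
$GcPort    = 51391
$GcSslPort = 51392

function New-AdSnapshot {
    # 'create' takes a VSS snapshot of the volume(s) holding ntds.dit and its logs.
    $out = & ntdsutil.exe 'activate instance ntds' snapshot create quit quit 2>&1 | Out-String
    if ($out -match 'Snapshot set (\{[0-9A-Fa-f-]+\}) generated successfully') { return $matches[1] }
    throw "Snapshot creation failed:`n$out"
}

function Mount-AdSnapshot([string]$SetGuid) {
    # The braces are part of the identifier, as the demonstration note says.
    $out = & ntdsutil.exe 'activate instance ntds' snapshot "mount $SetGuid" quit quit 2>&1 | Out-String
    if ($out -match 'mounted as (\S+)') { return $matches[1].TrimEnd('\') }
    throw "Mount failed:`n$out"
}

function Dismount-AdSnapshot([string]$SetGuid) {
    & ntdsutil.exe 'activate instance ntds' snapshot "unmount $SetGuid" quit quit | Out-Null
}

function Get-SnapshotDitPath([string]$MountPoint) {
    # The snapshot mirrors the whole volume, so ntds.dit sits at the same relative
    # path as the live database; that path is recorded in the NTDS service parameters.
    $live = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    return Join-Path $MountPoint $live.Substring(3)   # drop the 'C:\' prefix
}

function Start-SnapshotInstance([string]$DitPath) {
    # Dsamain keeps running until stopped (Ctrl+C in the demonstration; Stop-Process here).
    $argList = "-dbpath `"$DitPath`" -ldapport $LdapPort -sslport $SslPort -gcport $GcPort -gcsslport $GcSslPort"
    $proc = Start-Process -FilePath dsamain.exe -ArgumentList $argList -PassThru
    # Wait until the instance answers LDAP on the alternate port before handing it back.
    for ($i = 0; $i -lt 30; $i++) {
        Start-Sleep -Seconds 2
        $nc = $null
        try { $nc = ([ADSI]"LDAP://localhost:$LdapPort/RootDSE").defaultNamingContext } catch { }
        if ($nc) {
            Write-Host "Snapshot of $nc is being served on port $LdapPort"
            return $proc
        }
    }
    Stop-Process -Id $proc.Id -Force
    throw 'Dsamain did not start listening'
}

$setGuid    = New-AdSnapshot
$mountPoint = Mount-AdSnapshot $setGuid
$dsamain    = Start-SnapshotInstance (Get-SnapshotDitPath $mountPoint)
Write-Host "Browse with LDP: Connection > Connect to localhost port $LdapPort, bind as the logged-on user."
# Tear-down once finished browsing:
#   Stop-Process -Id $dsamain.Id; Dismount-AdSnapshot $setGuid
```

Each mounted instance needs its own four ports because Dsamain binds to them exactly as a domain controller would; that is the reason behind the second review question above. The instance is read-only, so nothing browsed through it changes the live directory.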

Additional Reading • Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 Beta 3

Reanimating Tombstoned AD DS Objects

Key Points A tombstoned object is one that is marked as deleted in AD DS. When an administrator deletes an object, it is converted into a tombstone. The tombstone remains in the AD DS database in a deactivated state for 180 days (the default tombstone lifetime). The tombstone is replicated to the domain’s other domain controllers and then deleted on each domain controller when the tombstone lifetime expires.

When an object is marked as a tombstone, the isDeleted attribute on the object is set to True and most of the other attributes are deleted. Only a few critical attributes (SID, ObjectGUID, LastKnownParent, and SAMAccountName) are retained. This means that even if the administrator reanimates the object, it no longer has all the information it once had. You must recreate the missing attribute values manually.

Note: The Database Mounting Tool can be used to view the attributes for the deleted object in a snapshot that was made before the object was deleted. This makes it easier to recover the deleted item.

Additional Reading • How to restore deleted user accounts and their group memberships in Active Directory

Lab: Implementing an AD DS Maintenance Plan

Scenario Woodgrove Bank has completed its AD DS deployment. To ensure high availability and performance for the AD DS servers, the organization is implementing a maintenance plan that includes ongoing AD DS database maintenance and implementation of a disaster-recovery plan. The server administrator has prepared a backup plan that includes daily backups of the system volume of a domain controller in each domain. The server administrator also has prepared plans for recovering AD DS data in several scenarios. You need to implement these plans.

Exercise 1: Maintaining AD DS domain controllers In this exercise, you will implement a plan for maintaining AD DS domain controllers. Tasks include running the Security Configuration Wizard (SCW) to disable all services that are not required on the domain controllers, moving the AD DS databases to an alternate hard disk, and performing an offline defragmentation of the AD DS database.

The main tasks in this exercise are as follows:

1. Start the virtual machine, and then log on.

2. Use the Security Configuration Wizard to lock down services and configure the firewall on NYC-DC1.

3. Perform an offline defragmentation of the AD DS database.

4. Move the AD DS database.

Task 1: Start the virtual machine and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Use the Security Configuration Wizard to lock down services and configure the firewall on NYC-DC1

1. Start the Security Configuration Wizard from Server Manager.

2. Choose the option to create a new security policy for NYC-DC1.

3. Run the Security Configuration Wizard with the following options:

• Ensure that the Domain Controller (Active Directory) server role is selected.

• Enable the Active Directory – RsoP Planning Mode service.

4. Accept the defaults for the Windows Firewall configuration.

5. Configure the Registry settings as follows.

• Require: SMB Security Signatures.

• Enable only Windows 2000 Service Pack 3 or later client computers.

• Allow only Windows NT 4.0 Service Pack 6a or later operating systems and Clocks that are synchronized with the selected server’s clock.

• Do not allow Computers that require LAN Manager authentication, and Computers that have not been configured to use NTLMv2 authentication to connect.

6. Configure the Audit Policy to Audit successful and unsuccessful activities.

7. Save the security policy using a file name of c:\windows\security\msscw\policies\NYC-DC1.xml.

8. Choose the option to apply the policy later.

Task 3: Perform an offline defragmentation of the AD DS database

1. On NYC-DC1, stop the Active Directory Domain Services.

2. Open a command prompt and start the ntdsutil tool.

3. Activate the NTDS instance.

4. Use the files command to compact the AD DS database to C:\temp.

5. Check the integrity of the defragmented database.

6. Copy the c:\temp\ntds.dit file to c:\Windows\NTDS\ntds.dit.

7. Delete all the log files in the C:\Windows\NTDS folder.

8. Start the Active Directory Domain Services.

Task 4: Move the AD DS database

1. On NYC-DC1, stop the Active Directory Domain Services.

2. Open a command prompt, and then start the ntdsutil tool.

3. Activate the NTDS instance.

4. Use the file-maintenance command to move the AD DS database to C:\DSData.

5. Start the Active Directory Domain Services.
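Tasks 3 and 4, and the offline-defragmentation steps listed earlier in the module, as one script. This is an added example, not code from the course or from Microsoft. It drives ntdsutil non-interactively by passing each prompt command as an argument, compacts into a temporary directory (C:\temp, as in Task 3), swaps the compacted file in, removes the old transaction logs, runs the integrity check and only then starts AD DS again; a second function moves the database to C:\DSData (Task 4). The paths and the five-minute stop timeout are assumptions; run it in an elevated prompt on the domain controller.

```powershell
# Added example (not from the course): offline defragmentation and relocation of
# ntds.dit on a Windows Server 2008 DC, using Restartable AD DS.
$NtdsDir   = Join-Path $env:SystemRoot 'NTDS'   # default database folder
$CompactTo = 'C:\temp'                          # assumed temporary directory (Task 3)
$MoveTo    = 'C:\DSData'                        # assumed new database folder (Task 4)

function Invoke-Ntdsutil([string[]]$Commands) {
    # Each element is one line typed at an ntdsutil prompt; trailing 'quit's unwind
    # the nested prompts. Output is returned so callers can check it.
    $out = & ntdsutil.exe @Commands 2>&1 | Out-String
    Write-Host $out
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed (exit code $LASTEXITCODE)" }
    return $out
}

function Stop-DirectoryService {
    # Stopping NTDS also stops its dependents (KDC, DNS, Netlogon, ...); -Force confirms that.
    Stop-Service -Name NTDS -Force
    (Get-Service NTDS).WaitForStatus('Stopped', (New-TimeSpan -Minutes 5))
}

function Start-DirectoryService {
    Start-Service -Name NTDS
    # Bring back anything that was stopped together with NTDS and is still down.
    foreach ($dep in (Get-Service NTDS).DependentServices) {
        if ($dep.Status -ne 'Running') { Start-Service -Name $dep.Name -ErrorAction SilentlyContinue }
    }
}

function Invoke-OfflineDefrag([string]$TempDir = $CompactTo) {
    Stop-DirectoryService
    if (-not (Test-Path $TempDir)) { New-Item -ItemType Directory -Path $TempDir | Out-Null }

    # Compact into the temporary directory, never in place: the original survives
    # if the compaction is interrupted (second review question of the topic).
    Invoke-Ntdsutil @('activate instance ntds', 'files', "compact to $TempDir", 'quit', 'quit') | Out-Null
    $compacted = Join-Path $TempDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw "Compaction produced no $compacted; AD DS left stopped." }

    # Replace the original, then drop the transaction logs that belong to the old file.
    Copy-Item $compacted (Join-Path $NtdsDir 'ntds.dit') -Force
    Remove-Item (Join-Path $NtdsDir '*.log') -Force

    # Integrity check of the database now in place; refuse to start AD DS if it fails.
    $result = Invoke-Ntdsutil @('activate instance ntds', 'files', 'integrity', 'quit', 'quit')
    if ($result -notmatch 'Integrity check successful') {
        throw 'Integrity check failed: restore ntds.dit from backup before starting AD DS.'
    }
    Start-DirectoryService
}

function Move-DirectoryDatabase([string]$Destination = $MoveTo) {
    Stop-DirectoryService
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }
    # ntdsutil moves the file, updates the registry path and sets the NTFS permissions.
    Invoke-Ntdsutil @('activate instance ntds', 'files', "move db to $Destination", 'quit', 'quit') | Out-Null
    Start-DirectoryService
}

Invoke-OfflineDefrag
Move-DirectoryDatabase
Get-Service NTDS, kdc, Netlogon | Format-Table Name, Status -AutoSize
```

The script stops on a missing compacted file or a failed integrity check rather than starting AD DS over a possibly damaged database, which is the check a practitioner wants between the compaction and the restart.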

Result: At the end of this exercise, you will have used the SCW to lock down services on an AD DS domain controller, and performed AD DS database maintenance tasks.

Exercise 2: Backing Up AD DS In this exercise, you will install the Windows Server Backup feature, and then use it to schedule a backup of the AD DS information. You also will perform an on-demand backup of the system volume.

The main tasks for this exercise are as follows:

1. Install the Windows Server Backup Features.

2. Create a Scheduled Backup.

3. Complete an On-Demand Backup.

Task 1: Install the Windows Server Backup feature

• In Server Manager, install all of the Windows Server Backup features.

Task 2: Create a scheduled backup

1. Start Windows Server Backup and create a scheduled backup with the following settings:

• Backup type: Custom

• Backup items: C: drive only

• Backup time: 12:00 am every day

• Destination disk: Disk 1

2. Open the Task Scheduler and review the scheduled backup task you just created.

Task 3: Complete an on-demand backup

1. In the Windows Server Backup window, in the Actions pane, click Backup Once.

2. Configure the backup to use the following settings:

• Backup type: Custom

• Backup items: C: drive only

• Advanced option: VSS full backup

3. The backup will take about 10-15 minutes to complete. When the backup is complete, close Windows Server Backup.

Result: At the end of this exercise, you will have installed the Windows Server Backup feature, and used it to schedule a backup of the AD DS information, and to perform an on-demand backup.

Exercise 3: Performing an Authoritative Restore of the AD DS Database In this exercise, you will perform an authoritative restore of the AD DS database. You will then verify that replication does not overwrite the restored data.

The main tasks are as follows:

1. Delete the Toronto OU.

2. Restart NYC-DC1 in Directory Services Restore Mode.

3. Restore the system state data.

4. Mark the restored information as authoritative, and then restart the server.

5. Verify that the deleted data has been restored.

6. Close all virtual machines and discard undo disks.

Task 1: Delete the Toronto OU

1. On NYC-DC1, open Active Directory Users and Computers.

2. Delete the Toronto OU.

Task 2: Restart NYC-DC1 in Directory Services Restore Mode

1. Start a command prompt with administrator permissions.

2. Use the bcdedit /set safeboot dsrepair command to configure the server to start in Directory Services Restore Mode.

3. Restart the server.

Task 3: Restore the system state data

1. Log on as Administrator using the password Pa$$w0rd.

2. Start a command prompt with administrator permissions.

3. Use the wbadmin get versions -backuptarget:D: -machine:NYC-DC1 command to get the version information for the backup you created.

4. Restore the system state information by using the wbadmin start systemstaterecovery -version:version -machine:NYC-DC1 command.

Task 4: Mark the restored information as authoritative and restart the server

1. At the command prompt, use NTDSUtil to perform an authoritative restore on “OU=Toronto,DC=Woodgrovebank,DC=com”.

2. To restart the server normally after you perform the restore operation, type bcdedit /deletevalue safeboot, and then press ENTER.

3. Restart the server.
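Tasks 2 to 4 as a script with the state checks an operator wants around them. This is an added example, not code from the course or from Microsoft. Stage 1 (Set-DsrmBootFlag) runs in normal mode and only sets the boot flag; Stage 2 (Invoke-AuthoritativeRestore) runs after the restart, in Directory Services Restore Mode, and refuses to run if the flag is absent. The backup target D:, the machine name NYC-DC1 and the subtree DN are the lab's values; the assumption that wbadmin reports each backup as a "Version identifier: MM/dd/yyyy-HH:mm" line is used to select the newest backup by timestamp rather than by list position.

```powershell
# Added example (not from the course): Exercise 3 authoritative restore, scripted.
$Machine      = 'NYC-DC1'
$BackupTarget = 'D:'
$SubtreeDN    = 'OU=Toronto,DC=Woodgrovebank,DC=com'

function Test-DsrmBootFlag {
    # The value set by 'bcdedit /set safeboot dsrepair' shows on the current boot entry.
    $cfg = & bcdedit.exe /enum '{current}' 2>&1 | Out-String
    return ($cfg -match 'safeboot\s+DsRepair')
}

function Set-DsrmBootFlag {
    # Stage 1 (Task 2): boot into DSRM on the next restart.
    & bcdedit.exe /set safeboot dsrepair | Out-Null
    if (-not (Test-DsrmBootFlag)) { throw 'The safeboot flag was not set.' }
    Write-Host 'Restart the server now; it will start in Directory Services Restore Mode.'
}

function Get-NewestBackupVersion {
    # Task 3 step 3: list the versions on the target, then pick the latest by timestamp.
    $out = & wbadmin.exe get versions "-backuptarget:$BackupTarget" "-machine:$Machine" 2>&1 | Out-String
    $ids = @([regex]::Matches($out, 'Version identifier:\s*(\S+)') | ForEach-Object { $_.Groups[1].Value })
    if ($ids.Count -eq 0) { throw "No backups of $Machine found on $BackupTarget." }
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    return ($ids | Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', $culture) } | Select-Object -Last 1)
}

function Invoke-AuthoritativeRestore {
    # Stage 2 (Tasks 3 and 4), run inside DSRM. In normal mode AD DS would be online
    # and the system state recovery must not be attempted.
    if (-not (Test-DsrmBootFlag)) { throw 'Not configured for DSRM; run Set-DsrmBootFlag and restart first.' }
    $version = Get-NewestBackupVersion
    Write-Host "Restoring system state from backup version $version"
    & wbadmin.exe start systemstaterecovery "-version:$version" "-backuptarget:$BackupTarget" "-machine:$Machine" -quiet
    if ($LASTEXITCODE -ne 0) { throw "System state recovery failed (exit code $LASTEXITCODE)." }

    # Mark the subtree authoritative in the same DSRM session, before any restart:
    # its version numbers are raised so replication partners accept the restored
    # objects instead of replicating the deletion back over them.
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' "restore subtree $SubtreeDN" quit quit
    if ($LASTEXITCODE -ne 0) { throw 'ntdsutil authoritative restore failed.' }

    # The "second bcdedit command": without it every restart returns to DSRM and
    # the domain controller never resumes normal operation.
    & bcdedit.exe /deletevalue safeboot | Out-Null
    if (Test-DsrmBootFlag) { throw 'The safeboot flag is still present; remove it before restarting.' }
    Write-Host 'Restart normally (Restart-Computer -Force), then verify the OU on NYC-DC1 and NYC-DC2.'
}
```

Usage: run Set-DsrmBootFlag, restart, log on with the DSRM administrator password, run Invoke-AuthoritativeRestore, restart. The two Test-DsrmBootFlag checks answer the review question on the preceding topic pages in code: the flag must be present when the restore runs and absent before the final restart.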

Task 5: Verify that the deleted data has been restored

1. After the server restarts, log on as Administrator.

2. Open Active Directory Users and Computers, and verify that the Toronto OU was restored.

3. On NYC-DC2, open Active Directory Users and Computers. Verify that the Toronto OU has also been restored on this server.

Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise, you will have performed an authoritative restore of AD DS information.

Exercise 4: Restoring Data Using the AD DS Database Mounting Tool (optional) In this exercise, you will use the AD DS Database Mounting Tool to assist in restoring data from a deleted AD DS object. Tasks include using NTDSUtil to create a snapshot of the AD DS volume, deleting a user account from AD DS, and using NTDSUtil to mount the snapshot. Then you will restore the account using LDP and view the account’s details from the snapshot.

The main tasks in this exercise are as follows:

1. Start the virtual machine, and then log on.

2. Create and mount a snapshot of the AD DS information.

3. Modify and then delete a user account in AD DS.

4. Use LDP to restore the deleted user account.

5. View the information for the deleted user account in the mounted snapshot.

Task 1: Start the virtual machine, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create and mount a snapshot of the AD DS information

1. On NYC-DC1, in Active Directory Users and Computers, in the ITAdmins OU, right-click Axel Delgado, and then click Properties. Add the following information to the user-account properties, and then click OK:

• Description: IT Administrator

• Office: Head Office

• Telephone Number: 555-5555

2. Start a command prompt, with administrative permissions.

3. At the command prompt, type ntdsutil, then press ENTER.

4. At the ntdsutil prompt, type snapshot, and then press ENTER.

5. At the snapshot prompt, type activate instance ntds, and then press ENTER.

6. At the snapshot prompt, type create, and then press ENTER. The command returns the following output: Snapshot set {GUID} generated successfully. Leave this window open.

7. At the snapshot prompt, type mount {GUID} and then press ENTER. The GUID is the GUID displayed in the previous command. The mounted snapshot will appear in the file system.

8. At the snapshot prompt, type list all, and then press ENTER. Identify the number assigned to the snapshot you just created.

9. At the snapshot prompt, type mount number, and then press ENTER. The number is the number displayed in the previous command. The mounted snapshot will appear in the file system.

10. Exit NTDSUtil, but keep the command prompt open.

Task 3: Delete a user account

• Delete Axel Delgado’s account.

Task 4: Use LDP to restore the deleted user account

1. At the command prompt, type the following command and press ENTER:

Dsamain -dbpath <path to snapshot ntds.dit> -ldapport 51389

2. Do not close the command prompt.

3. Start LDP, and then connect and bind to the local server.

4. On the Options menu, add the Return Deleted Objects control.

5. On the View menu, click Tree, and then click OK.

6. Expand DC=Woodgrove Bank,DC=com, and then click CN=Deleted Items,DC=Woodgrove Bank,DC=com.

7. Right-click CN=Axel Delgado and then click Modify.

8. In the Attribute box, type isDeleted, under Operation, click Delete and then press ENTER.

9. In the Attribute box, type distinguishedName.

10. In the Values box, type CN=Axel Delgado,ou=ITAdmins,dc=woodgrovebank,dc=com.

11. Under Operation, click Replace and then press ENTER.

12. Select the Extended check box, and then click Run.

13. Open Active Directory Users and Computers, and verify that Axel Delgado’s account has been restored to the ITAdmins OU and that the account is disabled.

Task 5: View the information for the deleted user account in the mounted snapshot

1. Click Start, click Run, type LDP, and then click OK.

2. Connect and bind to the localhost, using port 51389.

3. In BaseDN, type dc=woodgrovebank,dc=com.

4. Browse to the ITAdmins OU, and then double-click CN=Axel Delgado. View the Description, physicalDeliveryOfficeName, and Telephone Number Attributes. You now can add the information in these attributes to the user object in Active Directory Users and Computers. Close LDP.exe.
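The reanimation of Tasks 4 and 5, and the tombstone behaviour described in the Reanimating Tombstoned AD DS Objects topic, in code. This is an added example, not code from the course or from Microsoft. It uses System.DirectoryServices.Protocols to do what the LDP clicks do: find the tombstone under the deleted-objects container (its LDAP name is CN=Deleted Objects), send the one modify that removes isDeleted and replaces distinguishedName with the Return Deleted Objects control attached, and then read the attributes the tombstone lost (description, physicalDeliveryOfficeName, telephoneNumber) from the snapshot that Dsamain.exe is serving on port 51389 and write them back to the reanimated account. Assumptions: it runs on NYC-DC1 as a Domain Admin, Dsamain is already running, and the deleted user's sAMAccountName is 'Axel' (a placeholder; the lab does not state it).

```powershell
# Added example (not from the course): tombstone reanimation plus attribute
# recovery from a Dsamain snapshot, via System.DirectoryServices.Protocols.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$DomainDN       = 'DC=woodgrovebank,DC=com'
$SnapshotPort   = 51389
$SamAccountName = 'Axel'      # assumed placeholder for Axel Delgado's logon name

function Connect-Ldap([string]$Server, [int]$Port) {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()                    # bind as the logged-on user, as LDP does
    return $conn
}

function New-Modification([string]$Name, [string]$Operation, [string]$Value) {
    $m = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $m.Name = $Name
    $m.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]$Operation
    if ($Value) { [void]$m.Add($Value) }
    return $m
}

function Find-Tombstone($Conn, [string]$Sam) {
    # sAMAccountName and lastKnownParent survive on the tombstone, so both can be used.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$DomainDN",
        "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$Sam))",
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        @('lastKnownParent'))
    # Deleted objects are invisible unless the Return Deleted Objects control is sent.
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$Conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { throw "Expected one tombstone for $Sam, found $($resp.Entries.Count)." }
    return $resp.Entries[0]
}

function Restore-Tombstone($Conn, $Entry, [string]$TargetParent) {
    $oldDn = $Entry.DistinguishedName
    if (-not $TargetParent) { $TargetParent = [string]$Entry.Attributes['lastKnownParent'][0] }
    # The tombstone RDN reads 'CN=Axel Delgado\0ADEL:<guid>'; recover the original CN.
    $cn    = $oldDn -replace '\\0ADEL:[^,]*,.*$', ''
    $newDn = "$cn,$TargetParent"
    # Both changes travel in one modify, with the control attached (LDP: Extended check box).
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $oldDn
    [void]$req.Modifications.Add((New-Modification 'isDeleted' 'Delete' $null))
    [void]$req.Modifications.Add((New-Modification 'distinguishedName' 'Replace' $newDn))
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    [void]$Conn.SendRequest($req)
    return $newDn
}

function Copy-LostAttributes($Live, $Snapshot, [string]$Dn) {
    # Task 5: the snapshot still holds what the tombstone dropped; copy it back.
    $names = @('description', 'physicalDeliveryOfficeName', 'telephoneNumber')
    $q = New-Object System.DirectoryServices.Protocols.SearchRequest($Dn, '(objectClass=user)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, $names)
    $old = ([System.DirectoryServices.Protocols.SearchResponse]$Snapshot.SendRequest($q)).Entries[0]
    $fix = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $fix.DistinguishedName = $Dn
    foreach ($n in $names) {
        if ($old.Attributes.Contains($n)) {
            [void]$fix.Modifications.Add((New-Modification $n 'Replace' ([string]$old.Attributes[$n][0])))
        }
    }
    if ($fix.Modifications.Count -gt 0) { [void]$Live.SendRequest($fix) }
    return $fix.Modifications.Count
}

$live = Connect-Ldap 'localhost' 389
$tomb = Find-Tombstone $live $SamAccountName
$dn   = Restore-Tombstone $live $tomb
$snap = Connect-Ldap 'localhost' $SnapshotPort
$n    = Copy-LostAttributes $live $snap $dn
Write-Host "Reanimated $dn and restored $n attribute(s) from the snapshot."
```

As Task 4 step 13 notes, the reanimated account comes back disabled; it also has no password, and its group memberships are not brought back by reanimation, so enable it, set a password and re-add it to its groups afterwards. Searching by sAMAccountName works only because that attribute is one of the few the tombstone keeps, which is the point made in the Key Points above.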

Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise, you will have restored a deleted user account and viewed the restored user properties using the AD DS Database Mounting Tool.

Module Review and Takeaways

Review Questions

1. One of your domain controllers is running out of hard-drive space. You modify the domain controller so that it is no longer a global catalog server, but notice that the size of the AD DS database does not decrease. What should you do to reclaim hard-drive space on the server?

2. You are concerned about the amount of disk space that the AD DS database and log files are using. How do you determine the size of the database and log files?

3. You install Windows Server Backup on your domain controller. You only have two drives on the computer, and both are being used for data or system files. What types of backup should you use to back up your AD DS environment?

4. All of the domain controllers in your domain have failed. You are trying to rebuild the domain from the AD DS backup on one domain controller. Which type of restore must you use to rebuild the domain?

5. You accidentally deleted a user account in AD DS. What options do you have to make the account available again?

Considerations for Maintaining AD DS

Supplement or modify the following best practices for your own work situations:

• An essential component to maintaining an AD DS environment is monitoring. An effective monitoring program can alert you to situations where you need to perform maintenance tasks before the situation becomes critical.

• Compare the effort involved in restoring deleted AD DS objects (by authoritative restore or reanimation) with the effort involved in recreating them. If a single user account has been deleted, it often is much easier just to recreate the account rather than restore it. If an entire OU has been deleted, performing an authoritative restore is usually much faster than recreating all of the OU’s accounts.

• The most important step in preparing for a domain controller’s failure is to deploy more than one domain controller in a domain. If you have a second domain controller available, AD DS services will continue to be available, and you can easily install an additional domain controller to replace the failed server. If you have only one domain controller in the domain, and that domain controller fails, you must restore AD DS from backup.

• If you anticipate needing to use Database Mounting Tool snapshots on a consistent basis, consider creating a scheduled task that will create a snapshot regularly.

Tools

Use the following tools when configuring AD DS sites and replication:

Tool: Windows Server Backup
Use for: Backing up and restoring AD DS information or other data on a Windows Server 2008 computer
Where to find it: Must be installed as a Windows Server 2008 feature. Click Start, point to Administrative Tools, and then click Windows Server Backup.

Tool: LDP.exe
Use for: Viewing and modifying information about AD DS objects, and reanimating deleted objects
Where to find it: Installed by default and accessible at a command prompt.

Tool: NTDSUtil
Use for: Managing the AD DS data store and managing AD DS operations master roles
Where to find it: Installed by default and accessible at a command prompt.

Tool: Database Mounting Tool
Use for: Creating and mounting snapshots of the AD DS data store
Where to find it: Can be accessed through NTDSUtil.

Module 10 Troubleshooting AD DS, DNS, and Replication Issues

Contents: Lesson 1: Troubleshooting Active Directory Domain Services 10-3

Lesson 2: Troubleshooting DNS Integration with AD DS 10-9

Lesson 3: Troubleshooting AD DS Replication 10-15

Lab: Troubleshooting AD DS, DNS and Replication Issues 10-23

Module Overview

As a Windows Server® 2008 operating system administrator, you are likely to be called upon to troubleshoot issues related to Active Directory® Domain Services (AD DS). When AD DS is well designed and implemented, it provides a very stable directory services infrastructure. However, even in the most stable environments, you will occasionally need to troubleshoot AD DS issues related to authentication, authorization, replication, or the Domain Name System (DNS) configuration.

Lesson 1: Troubleshooting Active Directory Domain Services

Whenever users cannot authenticate to the network or cannot gain access to network resources, you must determine whether the cause of the problem is an AD DS issue. The problem may be network connectivity, a network services error, or an AD DS issue. In this lesson you will learn how to identify and troubleshoot AD DS issues.

Introduction to AD DS Troubleshooting

Key Points AD DS is a distributed system that depends on many different services to function properly. When troubleshooting AD DS issues, you need to identify the source of the problem, and then resolve the specific issue.

Additional Reading • Overview of Active Directory Troubleshooting

• Active Directory Product Operations Guide

Discussion: How to Troubleshoot AD DS Issues

Questions:

What tools would you use?

How would you verify your solution worked?

Troubleshooting User Access Errors

Key Points There are many possible reasons why a user cannot access network resources. These can be divided up into three basic categories.

Demonstration: Tools for Troubleshooting User Access Errors

Questions:

From your experience, what is the most common reason for user access error in your organization?

What steps can you take to reduce the number of user access errors while still maintaining network security?

Troubleshooting Domain Controller Performance Issues

Key Points As a distributed service, AD DS depends on many interdependent services that are distributed across many devices and many remote locations. As you increase the size of your network to take advantage of AD DS scalability, domain controller performance could become an issue.

Additional Reading • Windows Server 2003 Active Directory Branch Office Guide

• Analyzing performance data

Lesson 2 Troubleshooting DNS Integration with AD DS

AD DS cannot function without DNS. Clients and application servers such as Microsoft Exchange Server use DNS to find domain controllers and services. Domain controllers and global catalog servers use DNS to locate each other, and then to replicate to each other. Because of this tight integration of AD DS and DNS, you will often begin your AD DS troubleshooting by troubleshooting DNS.

Overview of DNS and AD DS Troubleshooting

Key Points One of the most common reasons for AD DS issues is a problem with the DNS infrastructure. In particular, you should begin DNS troubleshooting when you see the issues listed in the slide.

Troubleshooting DNS Name Resolution

Key Points To verify that clients can resolve names and records, perform the following steps:

• Verify network connectivity on all computers.

• Use Ipconfig to make sure all computers, including clients, member servers, domain controllers, and DNS servers, are using a DNS server that is authoritative for the Active Directory domain. Sometimes computers are manually misconfigured to use the wrong DNS server, such as an Internet caching server, or an ISP’s DNS server.

• Use NetDiag to test DNS connectivity.

• Ensure that the DNS server is working correctly. You can perform the Simple self-test in the DNS server’s properties to verify that the database is responding. Clear the DNS server’s cache as well, to ensure that the cache is not polluted, and that it has the latest zone information.

• Use ipconfig /flushdns to clear the client’s DNS resolver cache.


• If the zone seems to be corrupt, restore from backup. If necessary, clear any dynamic registrations from the DNS zone and rebuild the database.

• Check the DNS Server log in Event Viewer for errors.

• Use DNSLint or NSlookup to see what results the DNS server returns. The following DNS records are required for proper Active Directory functionality.

Question: What are the most common DNS related issues in your organization?

Additional Reading

• Diagnosing Name Resolution Problems


Troubleshooting DNS Name Registration

Key Points

All servers must have at least an A (host) record, and possibly a PTR (reverse lookup) record, in DNS. In addition, all domain controllers must have their SRV resource records updated in DNS. The following list shows which service is responsible for dynamically updating each record type:

• A records are updated by the computer’s DNS client service.

• PTR records are manually configured.

• SRV records are updated by the DC’s Netlogon service.
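The following script is an added example, not part of the 6425A handbook, that ties the name-resolution checks of the previous topic to the registration responsibilities listed above: for each DNS server it queries the SRV records that Netlogon registers for a domain controller and confirms that every SRV target also has the A record the DNS Client service should have registered. It assumes the Resolve-DnsName cmdlet (DnsClient module, Windows 8 / Windows Server 2012 or later); the domain and server names are the lab's own (WoodgroveBank.com, NYC-DC1, NYC-DC2).

```powershell
# Added example (not from the 6425A handbook): verify the DNS records a domain
# controller depends on, as answered by each DNS server in turn.
# Assumes: Resolve-DnsName (DnsClient module); lab names WoodgroveBank.com,
# NYC-DC1 and NYC-DC2, which you replace with your own.
param(
    [string]$Domain = 'WoodgroveBank.com',
    [string[]]$DnsServers = @('NYC-DC1', 'NYC-DC2')
)

# SRV records that Netlogon registers for every DC. The pdc and gc entries are
# registered only by the PDC emulator and by global catalog servers.
$requiredSrv = @(
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain"
)

function Test-DcDnsRecords {
    param([string]$Server)

    foreach ($name in $requiredSrv) {
        try {
            # -DnsOnly skips the local resolver cache and hosts file, so the
            # answer reflects what this server holds, not a cached copy.
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.QueryType -eq 'SRV' }
            foreach ($r in $srv) {
                # Each SRV target must resolve to an A record on the same
                # server, or clients learn a DC's name but cannot reach it.
                $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.QueryType -eq 'A' }
                [pscustomobject]@{
                    DnsServer = $Server
                    Record    = $name
                    Target    = $r.NameTarget
                    Port      = $r.Port
                    HostIP    = if ($a) { $a.IPAddress -join ',' } else { 'MISSING A RECORD' }
                    Status    = if ($a) { 'OK' } else { 'Broken' }
                }
            }
        } catch {
            # NXDOMAIN, SERVFAIL or an unreachable server all land here.
            [pscustomobject]@{
                DnsServer = $Server; Record = $name; Target = $null; Port = $null
                HostIP    = $null;   Status = "Missing ($($_.Exception.Message))"
            }
        }
    }
}

$report = foreach ($s in $DnsServers) { Test-DcDnsRecords -Server $s }
$report | Sort-Object Record, DnsServer | Format-Table -AutoSize

# A record that one DNS server returns and another does not points at zone
# replication rather than at registration on the DC itself.
$report | Where-Object Status -eq 'OK' | Group-Object Record | ForEach-Object {
    $servers = $_.Group.DnsServer | Sort-Object -Unique
    if (@($servers).Count -lt $DnsServers.Count) {
        Write-Warning "$($_.Name) is served only by: $($servers -join ', ')"
    }
}
```

Run it from the client that is misbehaving (NYC-CL1 in the lab) so that the path from client to DNS server is the one being tested.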

Question: What are PTR records used for? What errors will you see if you do not have the PTR records registered for domain controllers?


Troubleshooting DNS Zone Replication

Key Points

Whenever a DNS record is updated, either in a traditional Primary (Master) zone, or in an AD DS-integrated zone, that update must be replicated in a zone transfer to all DNS servers that are authoritative for that zone. An administrator may choose to favor conserving bandwidth during heavy network usage hours by delaying replication to less busy times. Even so, the record will have to be replicated at some point, for the DNS database to be consistent.

When DNS-related issues are not consistent for all users, and you can trace the issues to a specific DNS server, you should consider DNS zone replication as a possible cause of the problem.

Additional Reading

• Troubleshooting zone problems


Lesson 3: Troubleshooting AD DS Replication

AD DS uses a multi-master replication topology that depends on all domain controllers on the network being available. Replication is important to ensure that all users experience a consistent response from the domain controllers, regardless of which domain controller the user is connecting to.

In this lesson, you will learn how to troubleshoot AD DS replication.


AD DS Replication Requirements

Key Points

Refer to the requirements listed on the slide for AD DS replication to occur successfully.


Common Replication Issues

Key Points

When you encounter replication problems in AD DS, your first step is to identify the symptoms and possible causes.

Question: What is the most common reason for replication errors in your organization?

Additional Reading

• Troubleshooting Active Directory Replication Problems


What Is the Repadmin Tool?

Key Points

You use the Repadmin.exe command-line tool to view the replication topology from the perspective of each domain controller. You can also use Repadmin.exe to manually create the replication topology, force replication events between domain controllers, and view the replication metadata, which is information about the replicated data, including the up-to-dateness vectors.

Additional Reading

• Troubleshooting Active Directory Replication Problems


What Is the DCDiag Tool?

Key Points

The dcdiag.exe tool performs a series of tests to verify different aspects of the system. These tests include connectivity, replication, topology integrity, and inter-site health.


Identifying the Cause of Replication Errors

Key Points

AD DS replication problems can have several different sources. For example, DNS problems, networking issues, or security problems can all cause AD DS replication to fail. You can perform tests by using the Repadmin.exe and DCDiag.exe command-line tools to determine the root cause of the problem.
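As an added example (not from the handbook) of putting Repadmin.exe and DCDiag.exe together, the script below reads repadmin's CSV output to list failing and stale inbound links for every domain controller, then runs the dcdiag tests that correspond to the three causes named above and prints only the pass/fail verdict lines. It assumes both tools are on the path (they are installed with the AD DS role) and that you have rights to query every DC; the 24-hour staleness threshold is a constructed value.

```powershell
# Added example (not from the 6425A handbook): replication health summary
# from repadmin's CSV output plus targeted dcdiag tests.
# Assumes repadmin.exe and dcdiag.exe on the path and query rights on all DCs.

# "/showrepl * /csv" lists every inbound replication link on every DC in the
# forest with fixed column names, which ConvertFrom-Csv turns into objects.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv

# Links whose most recent attempt failed ("Number of Failures" is 0 when healthy).
$failing = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }

if (-not $failing) {
    Write-Host 'All replication links succeeded on their last attempt.'
} else {
    Write-Host "$(@($failing).Count) failing replication link(s):"
    $failing |
        Sort-Object { [int]$_.'Number of Failures' } -Descending |
        Format-Table 'Destination DSA', 'Source DSA', 'Naming Context',
                     'Number of Failures', 'Last Failure Time', 'Last Failure Status' -AutoSize
}

# A link that is not failing but has not succeeded for a long time is still a
# problem: the change a user is waiting for has simply not been attempted.
# Threshold below is a constructed value; tune it to your replication schedule.
$threshold = (Get-Date).AddHours(-24)
$stale = $links | Where-Object {
    $t = [datetime]::MinValue
    [datetime]::TryParse($_.'Last Success Time', [ref]$t) -and $t -lt $threshold
}
if ($stale) {
    Write-Warning 'Links with no successful replication in the last 24 hours:'
    $stale | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time' -AutoSize
}

# dcdiag: run the tests that map to the usual root causes (network and DNS,
# replication itself, topology) against every DC (/e) and keep only the
# verdict lines, which read "... passed test X" or "... failed test X".
$tests    = 'Connectivity', 'Replications', 'Topology', 'Intersite', 'Advertising'
$testArgs = $tests | ForEach-Object { "/test:$_" }
$verdicts = dcdiag /e $testArgs | Where-Object { $_ -match '(passed|failed) test' }
foreach ($line in $verdicts) {
    if ($line -match 'failed test') { Write-Warning $line.Trim() } else { Write-Host $line.Trim() }
}
```

A link that fails with a DNS or RPC error in "Last Failure Status" sends you back to the DNS checks in Lesson 2 before you touch the replication topology itself.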


Discussion: Troubleshooting Inter-Site AD DS Replication Issues

As a class, discuss the questions on the slide.


Troubleshooting Distributed File Replication Issues

SYSVOL folder contents are replicated to every domain controller in a domain. If the domain is at Windows Server 2003 or a lower functional level, the FRS is responsible for replicating the SYSVOL folder contents between domain controllers. When you upgrade the functional level to Windows Server 2008, DFSR is used to replicate the SYSVOL folder contents. In both cases, the connection object topology and schedule that the KCC creates for AD DS replication is used to manage replication between domain controllers.

Both FRS and DFSR require LDAP and RPC connectivity between domain controllers. To troubleshoot FRS replication, use the Ntfrsutl and FRSDiag commands. To troubleshoot DFSR replication, use the Dfsradmin tool.


Lab: Troubleshooting AD DS, DNS and Replication Issues

Scenario

Woodgrove Bank has completed its deployment of Windows Server 2008. As the AD DS administrator, one of your primary tasks now is troubleshooting AD DS issues that have been escalated to you from the company help desk. You are responsible for resolving issues related to user access to resources, the integration of DNS and AD DS, and AD DS replication.


Exercise 1: Troubleshooting Authentication and Authorization Errors

Scenario

In this exercise, you will troubleshoot authentication and authorization errors. You will review trouble tickets and resolve the issues related to the trouble tickets.

Lab Preparation: Make sure NYC-DC1, NYC-DC2, and NYC-CL1 are started and running. Shut down any other virtual machines.

The main tasks in this exercise are:

1. Start the virtual servers.

2. Run the Lab10_Prep.bat file.

3. Resolve Trouble Tickets.

Task 1: Start the virtual servers

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator using the password Pa$$w0rd.

4. In the Lab Launcher, next to 6425A-NYC-DC2, click Launch.

5. Log on to NYC-DC2 as Administrator using the password Pa$$w0rd.

6. In the Lab Launcher, next to 6425A-NYC-CL1, click Launch.

7. Minimize the Lab Launcher window.

Task 2: Run the Lab10_Prep.bat file

1. On NYC-DC1, open a Windows Explorer window, and then browse to d:\6425\Mod10\Labfiles.

2. Double-click Lab10_Prep.bat.


Task 3: Resolve Trouble Tickets

Trouble Ticket #1: A user named Chris McGurk is having trouble logging on to her computer, which runs the Windows Vista® operating system. She has been away on a research assignment for several months, and now needs access to the network to prepare her report for senior management. Her desktop computer had been turned off during the time she was away. The matter has been escalated to you.

1. Attempt to log onto NYC-CL1 as Chris with the password Pa$$w0rd.

2. Was the logon successful? Note the error message below:

_________________________________________________________________

3. Verify that the NYC-CL1 computer account still exists in the domain.

4. What do you think is the issue? How will you resolve the issue?

_________________________________________________________________

5. Log on to NYC-CL1 as NYC-CL1\LocalAdmin with the password Pa$$w0rd.

6. Complete your troubleshooting steps.

7. Log off NYC-CL1 as LocalAdmin, and log on as Chris.

8. Were you successful?

_________________________________________________________________

9. Log off NYC-CL1.

Trouble Ticket #2: A Help Desk staff member named Markus Breyer has been given the task to add new hires to the NYC BranchManagers OU in the Woodgrovebank.com domain. Markus is a member of the HelpDesk global group. All members of the HelpDesk group should be able to manage user accounts from client workstations by using Remote Desktop. When Markus attempts to add new hires, he is unsuccessful. The matter has been escalated to you.

1. Log on to NYC-CL1 as Markus, with the password Pa$$w0rd.

2. Try to connect to NYC-DC1 by using Remote Desktop. Were you successful? What, if any, error messages did you receive?

_________________________________________________________________

3. What do you think is the problem?

_________________________________________________________________


4. Take the required steps to resolve the error message.

5. Try connecting to Remote Desktop again. Were you successful this time? If not, take the next steps for troubleshooting the issue.

_________________________________________________________________

6. After you successfully connect to Remote Desktop, try opening Active Directory Users and Computers. If you are not successful, complete steps to troubleshoot the issue.

7. In Active Directory Users and Computers, try to create a test user account in the Branch Managers OU. Were you successful? What, if any, error messages did you receive?

_________________________________________________________________

8. What additional step(s), if any, do you think you will need to take?

_________________________________________________________________

9. Resolve any remaining problems.

10. Log off NYC-CL1.

Result: At the end of this exercise, you will have resolved two trouble tickets with authentication and authorization issues.


Exercise 2: Troubleshooting the Integration of DNS and AD DS

Scenario

In this exercise, you will resolve issues identified in the troubleshooting tickets escalated to the server team regarding DNS integration and AD DS. You will identify the issue in each ticket, resolve the problem, and then verify that the resolution was successful.

The main task in this exercise is to resolve the trouble ticket.

Task 1: Resolve the trouble ticket

Trouble Ticket #3: Some users at WoodgroveBank.com are complaining that they are having trouble accessing network resources. The help desk has already established that all of the client computers exhibiting this problem are using NYC-DC2 as the preferred DNS server. You will use NYC-CL1 to test all solutions, and ensure that users can log on to the domain using both NYC-DC1 and NYC-DC2 as the primary DNS servers.

1. What do you think may be the problem(s)?

_________________________________________________________________

_________________________________________________________________

_________________________________________________________________

2. What steps will you take to test and resolve the problem(s)?

_________________________________________________________________

_________________________________________________________________

_________________________________________________________________

3. Use NSlookup to verify the DNS records for the WoodgroveBank.com zone on both NYC-DC1 and NYC-DC2.

4. Use DNS Manager to examine the configuration for the WoodgroveBank.com and the _msdcs.WoodgroveBank.com zones on both DNS servers.


5. Take the required steps to troubleshoot the issue.

6. What was the actual problem(s), and how did you resolve it?

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

Result: At the end of this exercise, you will have resolved a trouble ticket with DNS integration and AD DS issues.


Exercise 3: Troubleshooting AD DS Replication

Scenario

In this exercise, you will resolve issues identified in the troubleshooting tickets escalated to the server team. Potential issues include user accounts that are not replicated to other domain controllers, replication failures, and AD DS file replication failures. You will identify the issue in each ticket, resolve the problem, and then verify that the resolution was successful.

The main task in this exercise is to resolve the trouble tickets.

Task 1: Resolve the trouble tickets

Trouble Ticket #4: The help desk has been tasked with creating user accounts for new hires. Because the new employees will be traveling between the branch offices, it is critical that they can log on at any location. The help desk has noticed that replication between NYC-DC1 and NYC-DC2 is not working. When a member of the team creates a user account on the NYC-DC1 domain controller, the user account is not displayed on the NYC-DC2 domain controller. The matter has been escalated to you.

1. Verify that AD DS replication is not working.

What do you think might be the problem(s)?

_________________________________________________________________

_________________________________________________________________

_________________________________________________________________

What troubleshooting step(s) will you take to resolve the problem(s)?

_________________________________________________________________

_________________________________________________________________

_________________________________________________________________

2. Implement your troubleshooting steps. You are successful when you are able to create a test user on either domain controller, and then replicate the account to the other domain controller.


Trouble Ticket #5: The Help Desk has noticed that when some users in the WoodgroveBank.com New York branch log on, they are not getting the expected automatic drive mappings. All users should get a drive mapping that maps the H: drive to \\NYC-DC1\data. The Help Desk has confirmed that the Group Policy Object (GPO) is configured correctly. The logon script is called MapDataDir.bat and is supposed to be located in the Netlogon share.

1. What do you think might be the problem(s)?

_________________________________________________________________

_________________________________________________________________

_________________________________________________________________

2. What troubleshooting step(s) will you take to resolve the problem(s)?

_________________________________________________________________

_________________________________________________________________

_________________________________________________________________

_________________________________________________________________

3. How will you verify that the problem(s) has been resolved?

_________________________________________________________________

_________________________________________________________________

_________________________________________________________________

_________________________________________________________________

4. Implement your troubleshooting steps. What was the actual problem(s), and how did you resolve it?

_________________________________________________________________

_________________________________________________________________

_________________________________________________________________


Task 2: Close all virtual machines and discard undo disks

1. For each running virtual machine, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise, you will have resolved a trouble ticket with AD DS replication issues.


Module Review and Takeaways

Considerations for Maintaining AD DS

Supplement or modify the following best practices for your own work situations:

• When troubleshooting AD DS issues, always start at the network layer. In most cases, it will be fast and easy to verify network connectivity.

• Use the Event Viewer when troubleshooting AD DS issues. Many AD DS errors will be logged in the Event Viewer logs, and the error details often provide valuable information for resolving the issues.

• In a large organization, consider deploying Microsoft® System Center Operations Manager with the Active Directory Management Pack. Operations Manager can monitor all of the domain controllers in the environment and provide detailed guidance on how to resolve AD DS issues. Microsoft System Center Operations Manager is an upgrade of Microsoft Operations Manager.


Tools

Use the following tools when troubleshooting AD DS issues:

| Tool | Used for | Where to find it |
| --- | --- | --- |
| Server Manager | Accessing the AD DS management tools in a single console. | Click Start, point to Administrative Tools, and then click Server Manager. |
| Active Directory Sites and Services | Creating and configuring sites, subnets, moving domain controllers between sites, and forcing replication. | Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. |
| DNS | Configuring and viewing DNS zones. | Click Start, point to Administrative Tools, and then click DNS. |
| Repadmin | Gathering data about the current replication topology and status, and creating new replication objects. | Installed by default and accessible at a command prompt. |
| DCDiag | Gathering data about domain controllers, including replication partners and status. | Installed by default and accessible at a command prompt. |
| NSlookup | Reviewing information stored in DNS zone files. | Installed by default and accessible at a command prompt. |
| Ntfrsutl | Displays detailed information about the active FRS replicas on the domain controller and can be used to force replication. | Installed by default and accessible at a command prompt. |
| FRSDiag | Provides a graphical user interface (GUI) for gathering detailed information about FRS performance and issues, and analyzes the results to identify common FRS and Active Directory problems. | Can be downloaded from the Microsoft download center. |
| Dfsradmin | Provides detailed information about the current state of DFSR replication in the domain. Can also be used to configure DFSR replication. | Installed on Windows Server 2008 computers when you install the file management features. |

Review Questions

1. A user is able to log on to their computer, but whenever the user tries to access a network resource, the user is prompted for a user name and password. How would you ensure that the user can access network resources without being prompted for the user name and password after logon?

2. You need to verify that all of the domain controller SRV records are registered in DNS. All DNS servers in your organization are using a 3rd party DNS product rather than using Windows Server 2008 DNS. How can you view the records in DNS?


3. Users in a branch office in your organization are experiencing very slow logon times. You create a domain controller in your main office, and then ship the domain controller to the branch office. You configure the branch office as a second site in your forest. You modified the domain controller’s IP address configuration, have confirmed network connectivity, and confirmed that the domain controller’s IP address has been updated in DNS. However, some of the users in the branch office are still experiencing very slow logon times. What else should you do?

4. Your organization has five office locations, with each location configured as a separate site in AD DS. At least one domain controller has been deployed in each office. All user account management is performed in the main office. You notice that when you create a new user account in the main office, it can take up to 3 hours before the user can log on using that account in the branch office. What should you do to make sure the user can log on right after the account has been created?


Module 11 Troubleshooting Group Policy Issues

Contents:

Lesson 1: Introduction to Group Policy Troubleshooting 11-3

Lesson 2: Troubleshooting Group Policy Application 11-10

Lesson 3: Troubleshooting Group Policy Settings 11-17

Lab: Troubleshooting Group Policy Issues 11-25


Module Overview

This module describes procedures for troubleshooting Group Policy processing on client computers. The issues you will troubleshoot include incorrect or incomplete policy settings, and policy that is not applied to the computer or user at all. In this module, you will learn the knowledge and skills necessary for troubleshooting these issues.


Lesson 1: Introduction to Group Policy Troubleshooting

Group Policy can be complex to deploy and manage, and sometimes a setting can cause unintended consequences for users or computers. This lesson provides details about Group Policy processing and common problem areas, and describes some of the troubleshooting tools available.


Scenarios for Group Policy Troubleshooting

Additional Reading

• Microsoft Technet article: Group Policy Troubleshooting


Preparing to Troubleshoot Group Policy

Key Points

The first step in troubleshooting Group Policy is to determine the source of the issue. Group Policy issues may be a symptom of other, unrelated issues, such as network connectivity, authentication problems, domain controller availability, or Domain Name System (DNS) configuration errors. For example, the failure of a router or DNS server could prevent clients from contacting a domain controller.

Question: What diagnostic tool could you use to determine lease expiration of a Dynamic Host Configuration Protocol (DHCP) address issued to a client computer?


Additional Reading

• Troubleshooting Your Systems with Network Diagnostics

• Using NSlookup.exe

• Microsoft Technet article: Unable to access domain controller

• Kerbtray.exe: Kerberos Tray


Tools for Troubleshooting Group Policy

Key Points

There are a number of diagnostic tools and logs that you can use to verify whether you can trace a problem to core Group Policy.

Group Policy Logging

If other tools do not provide the information you need to identify the problems affecting Group Policy application, you can enable verbose logging and examine the resulting log files. Log files can be generated on both the client and the server to provide detailed information.

Question: What diagnostic tool will quickly display the current Group Policy slow link threshold?


Additional Reading

• Group Policy Modeling and Results

• How to manually create Default Domain GPOs

• GPOTool (from Win2K Server Resource Kit)

• Microsoft Technet article: Refresh Group Policy settings with GPUpdate.exe

• Fixing Group Policy problems by using log files


Demonstration: Using Group Policy Diagnostic Tools

Question: What steps must you take prior to running Group Policy reporting RSoP on a remote computer?


Lesson 2: Troubleshooting Group Policy Application

When troubleshooting Group Policy issues, you need a firm understanding of the interactions between Group Policy and its supporting technologies, and the ways in which you manage, deploy, and apply Group Policy objects.


Troubleshooting Group Policy Inheritance

Key Points

Blocking inheritance will prevent all higher-level settings from affecting the OU and its child OUs. You can block inheritance only for entire OUs, not for individual objects. Blocking inheritance can complicate troubleshooting, because it counteracts the usual inheritance rules.

Question: Are there scenarios in your organization that would benefit from blocking inheritance?

Additional Reading

• Microsoft Technet article: Fixing Group Policy problems by using log files


Troubleshooting Group Policy Filtering

Key Points

Group Policy Object (GPO) filtering determines which users and computers receive the GPO's settings. GPO filtering is based on two factors:

• The security filtering on the GPO

• Any Windows Management Instrumentation (WMI) filters on the GPO

Question: You have applied security filtering to limit the GPO to apply only to the Managers group. You did this by setting the following GPO permissions:

• Authenticated Users are denied the Apply Group Policy permission.

• The Managers group has been granted Read and Apply Group Policy permission.

• None of the managers are receiving the GPO settings. What is the problem?


Additional Reading

• Microsoft Technet article: Fixing Group Policy scoping issues


Troubleshooting Group Policy Replication

Key Points

In a domain that contains more than one domain controller, Group Policy information takes time to propagate, or replicate, from one domain controller to another. A GPO consists of two parts: the Group Policy template (GPT) and the Group Policy container (GPC). Changes to GPOs are tracked using version numbers. Every change increments the version number of the GPT and the GPC.
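Because the GPC lives in AD DS and the GPT lives in SYSVOL, the two parts of a GPO travel by different replication mechanisms (AD DS replication and FRS or DFSR), so their version numbers are the quickest way to spot a GPO that has only half-arrived on a domain controller. The script below is an added example, not the handbook's or Microsoft's own code, that compares the two version numbers on each DC and across DCs; it assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT or later), read access to every GPO, and the lab's DC names NYC-DC1 and NYC-DC2.

```powershell
# Added example (not from the 6425A handbook): find GPOs whose GPC and GPT
# version numbers disagree on one DC, or differ between DCs.
# Assumes the GroupPolicy module and the lab DC names (replace with your own).
Import-Module GroupPolicy

$dcs = 'NYC-DC1', 'NYC-DC2'

# Get-GPO exposes the AD part (DSVersion) and the SYSVOL part (SysvolVersion)
# separately for the user and computer halves of each GPO, as seen by one DC.
$rows = foreach ($dc in $dcs) {
    foreach ($gpo in (Get-GPO -All -Server $dc)) {
        $gptPath = "\\$dc\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
        [pscustomobject]@{
            DC             = $dc
            Name           = $gpo.DisplayName
            Id             = $gpo.Id
            UserDS         = $gpo.User.DSVersion
            UserSysvol     = $gpo.User.SysvolVersion
            ComputerDS     = $gpo.Computer.DSVersion
            ComputerSysvol = $gpo.Computer.SysvolVersion
            GptOnDisk      = Test-Path -LiteralPath $gptPath   # GPT folder present in this DC's SYSVOL?
        }
    }
}

# Case 1: on a single DC the GPC and GPT versions disagree, or the GPT folder
# is missing: AD DS replication and SYSVOL replication have delivered different
# generations of the GPO to this DC (the symptom behind a "missing" logon script).
Write-Host 'GPOs whose AD and SYSVOL parts are out of step on a single DC:'
$rows |
    Where-Object { -not $_.GptOnDisk -or $_.UserDS -ne $_.UserSysvol -or $_.ComputerDS -ne $_.ComputerSysvol } |
    Format-Table DC, Name, UserDS, UserSysvol, ComputerDS, ComputerSysvol, GptOnDisk -AutoSize

# Case 2: the same GPO carries different versions on different DCs, or one DC
# does not know it at all: the latest change has not replicated yet, or
# replication between those DCs is failing.
Write-Host 'GPOs that differ between domain controllers:'
$rows | Group-Object Id | ForEach-Object {
    $stamps = $_.Group |
        ForEach-Object { "$($_.DC)=$($_.UserDS)/$($_.UserSysvol)/$($_.ComputerDS)/$($_.ComputerSysvol)" }
    $distinct = $_.Group |
        ForEach-Object { "$($_.UserDS)/$($_.UserSysvol)/$($_.ComputerDS)/$($_.ComputerSysvol)" } |
        Sort-Object -Unique
    if ($_.Count -lt $dcs.Count -or @($distinct).Count -gt 1) {
        [pscustomobject]@{
            Name     = $_.Group[0].Name
            Id       = $_.Name
            SeenOn   = "$($_.Count) of $($dcs.Count) DCs"
            Versions = ($stamps -join ' | ')
        }
    }
} | Format-Table -AutoSize
```

A GPO listed under the first case on only one DC points at that DC's SYSVOL replication; one listed under the second case on every DC points at AD DS replication between them.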

Question: What tool can be used to force replication across all domain controllers in the domain?

Additional Reading

• Troubleshooting File Replication Service

• Microsoft Technet article: Replication of Group Policy settings between domain controllers fails


Troubleshooting Group Policy Refresh

Key Points

Group Policy refresh refers to a client's periodic retrieval of GPOs. During Group Policy refresh, the client contacts an available domain controller. If any GPOs changed, the domain controller provides a list of all the appropriate GPOs. By default, GPOs are processed at the computer only if the version number of at least one GPO has changed on the domain controller that the computer is accessing.

Question: You have implemented folder redirection for a particular OU. Some users report that their folders are not redirecting to the network share. What is the first step you should take to resolve the problem?

Additional Reading

• Group Policy does not refresh


Discussion: Troubleshooting Group Policy Configuration

Question: One user is getting settings applied that no one else is receiving. What might be the issue and how would you start troubleshooting?


Lesson 3: Troubleshooting Group Policy Settings

Group Policy settings issues are usually due to slow-link detection or incorrect configuration. Understanding how the CSEs work, and how slow links are determined, assists in troubleshooting these issues.


How Client Side Extension Processing Works

Key Points CSEs are dynamic-link libraries (DLLs) that perform the actual processing of Group Policy settings. Policy settings are grouped into categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and Software Installation. Each category’s settings require a specific CSE to process them, and each CSE has its own rules for processing settings. The core Group Policy process calls the appropriate CSEs to process those settings.

Some CSEs behave differently under different circumstances. For example, a number of CSEs do not process if a slow link is detected. Security Settings and Administrative Templates (registry policy) are always processed, even across a slow link, and you cannot turn that off. You can control the behavior of the other CSEs across slow links with the per-CSE policy processing settings under Computer Configuration, Administrative Templates, System, Group Policy.

As Group Policy is processed, the Group Policy engine (part of Winlogon on Windows XP and Windows Server 2003; the Group Policy Client service on Windows Vista and Windows Server 2008) passes the list of GPOs that must be processed to each client-side extension. The extension uses the list to process the appropriate policy when applicable.
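The following PowerShell script is an added example and is not part of the course. It enumerates the CSEs registered on the local computer and reports, for each one, whether it is skipped on a slow link, whether it runs only at startup or logon, whether it is skipped when no GPO changed, and the interval after which it reapplies anyway. Registered defaults live under the GPExtensions key; an administrator override made through the per-CSE policy processing settings is written under the Policies key with the same value names, and the script lets that override win when it is present. The GPExtensions and Policies key paths are the ones these settings are written to on Windows XP through Windows Server 2008; confirm them in Regedit on your build.

```powershell
# Added example, not from the course: list the client-side extensions registered on this
# computer and how each one behaves on slow links, on background refresh and when no GPO changed.
# Defaults live under GPExtensions; an administrator override set through
# "Computer Configuration\Administrative Templates\System\Group Policy\<CSE> policy processing"
# is written under the Policies key with the same value names and takes precedence.
$extRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'

function Get-CseSetting ($defaults, $override, [string]$name) {
    # Policy override wins when present; otherwise fall back to the CSE's registered default (0 = not set).
    if ($override -ne $null -and $override.$name -ne $null) { return [int]$override.$name }
    if ($defaults.$name -ne $null) { return [int]$defaults.$name }
    return 0
}

Get-ChildItem $extRoot | ForEach-Object {
    $guid     = $_.PSChildName
    $defaults = Get-ItemProperty $_.PSPath
    $override = $null
    if (Test-Path "$policyRoot\$guid") { $override = Get-ItemProperty "$policyRoot\$guid" }

    New-Object PSObject -Property @{
        Name               = $defaults.'(default)'
        Guid               = $guid
        Dll                = $defaults.DllName
        # 1 = this CSE is skipped when Group Policy detects a slow link
        NoSlowLink         = Get-CseSetting $defaults $override 'NoSlowLink'
        # 1 = runs only at startup/logon, never during periodic background refresh
        NoBackgroundPolicy = Get-CseSetting $defaults $override 'NoBackgroundPolicy'
        # 1 = skipped when no GPO in the client's list has a changed version number
        NoGPOListChanges   = Get-CseSetting $defaults $override 'NoGPOListChanges'
        # minutes after which the CSE reapplies even with no change (Security uses 960 = 16 hours)
        ReapplyMinutes     = Get-CseSetting $defaults $override 'MaxNoGPOListChangesInterval'
    }
} | Sort-Object Name | Format-Table Name, NoSlowLink, NoBackgroundPolicy, NoGPOListChanges, ReapplyMinutes -AutoSize
```

Run it on the client you are troubleshooting. A CSE with NoSlowLink set to 1 (Folder Redirection and Software Installation, for example) will not apply when the link is slow unless its policy processing setting is changed to allow it; the Security and Registry extensions have no such flag.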


Question: Users in a branch office log on across a slow modem connection. You want folder redirection to be applied to them even across the slow link. How would you accomplish this?

Additional Reading • Identifying Group Policy Client-Side Extensions

• Computer Policy for Client-side Extensions

• Group Policy and Network Bandwidth


Troubleshooting Administrative Template Policy Settings

Key Points Some Administrative Template settings are preferences rather than true policies: they write to registry locations outside the Policies keys, so they persist (tattoo the registry) after the GPO no longer applies and cannot be removed simply by unlinking the GPO. In addition, older operating systems ignore Administrative Template settings that are supported only on newer versions of Windows, so a setting may take effect on some clients and not on others.

Question: Your network has a mixture of Windows XP and Windows Vista computers. You have configured the Administrative Template to remove the games link from the Start Menu, but only the Windows Vista computers are enforcing the setting. What is the problem?

Additional Reading • Microsoft Technet article: Fixing Administrative Template policy setting problems


Troubleshooting Security Policy Settings

Key Points Security policies protect the integrity of the computing environment by controlling many aspects of it, such as password policies, security options, restricted groups, network policies, services, public key policies, and so on.

Characteristics of Security Policies • Security policies are refreshed every 16 hours even if they have not changed.

• Security policies are always processed, even across slow connections.


Question: You have configured a password policy in a GPO and linked that policy to the Research OU. The policy is not affecting domain users in the OU. What is the problem?

Additional Reading • Troubleshooting Group Policy application problems


Troubleshooting Script Policy Settings

Key Points The Scripts CSE updates the registry with the location of script files so that the UserInit process can find those values during its normal processing. When the CSE reports success, it means only that the script’s location was written to the registry. Even though the setting is in the registry, there can still be problems that prevent the script from running on the client. For example, if a script specified in a Script setting has an error that prevents it from completing, or the user cannot read the script file from its location, the CSE does not report an error.

Group Policy processes a GPO and stores the script information in the registry, in these locations:

• HKCU\Software\Policies\Microsoft\Windows\System\Scripts (User Scripts)

• HKLM\Software\Policies\Microsoft\Windows\System\Scripts (Machine Scripts)
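The following PowerShell script is an added example and is not part of the course. Run as the affected user, it walks the user Scripts\Logon key described above, lists every logon script the Scripts CSE registered, and then tries to read the first line of each script file as that user. This reproduces the check the CSE never performs: a share or NTFS permission problem on the script location (the situation in Exercise 1 of the lab) appears here as Readable = False with an access-denied message, even though the Group Policy log shows no error. The script assumes, as the CSE does, that a bare file name in the Script value is relative to the GPO’s scripts folder recorded in FileSysPath.

```powershell
# Added example, not from the course: list the logon scripts the Scripts CSE registered for
# the current user and check whether this user can actually read each script file. The CSE
# reports success once the registry is written, so a share or NTFS permission problem only
# shows up when the script itself is fetched, which is what this check simulates.
$logonRoot = 'HKCU:\Software\Policies\Microsoft\Windows\System\Scripts\Logon'

function Test-LogonScripts {
    if (-not (Test-Path $logonRoot)) { return @() }
    $results = @()
    foreach ($gpoKey in Get-ChildItem $logonRoot) {            # one subkey per GPO, numbered 0, 1, 2, ...
        $gpo = Get-ItemProperty $gpoKey.PSPath                  # DisplayName, FileSysPath, GPO-ID, ...
        foreach ($scriptKey in Get-ChildItem $gpoKey.PSPath) {  # one subkey per script entry
            $entry = Get-ItemProperty $scriptKey.PSPath         # Script, Parameters
            $path  = $entry.Script
            # Assumption: a bare file name is relative to the GPO's scripts folder in SYSVOL
            # (FileSysPath); a UNC or drive path is used as given.
            if ($path -notmatch '^(\\\\|[A-Za-z]:\\)') { $path = Join-Path $gpo.FileSysPath $path }
            $readable = $false; $problem = ''
            try {
                $null = Get-Content -LiteralPath $path -TotalCount 1 -ErrorAction Stop
                $readable = $true
            } catch {
                $problem = $_.Exception.Message                 # e.g. "Access to the path ... is denied."
            }
            $results += New-Object PSObject -Property @{
                GPO = $gpo.DisplayName; Script = $path; Parameters = $entry.Parameters
                Readable = $readable; Problem = $problem
            }
        }
    }
    return $results
}

Test-LogonScripts | Format-Table GPO, Script, Readable, Problem -AutoSize
```

For machine startup scripts, point the script at the HKLM key instead and run it in the computer’s security context (for example as a scheduled task running as SYSTEM), because the computer account, not the user, must be able to read those files.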


Question: A logon script is assigned to an OU. The script executes properly for all users, but some users report that they get an access-denied message when they try to access the mapped drive. What is the problem?

Additional Reading • Microsoft Technet article: Fixing Scripts policy settings problems


Lab: Troubleshooting Group Policy Issues

Scenario Woodgrove Bank has completed its Windows Server 2008 deployment. As the AD DS administrator, one of your primary tasks is troubleshooting AD DS issues that the company help desk escalates to you. You are also responsible for resolving issues related to Group Policy application and configuration.

Note: Some of the tasks in this lab are designed to illustrate GPO troubleshooting techniques, and may not always follow best practices.


Exercise 1: Troubleshooting Group Policy Scripts You will create a GPO, link it to the domain, and configure it to do the following for all domain users and computers:

• Set the homepage in Internet Explorer® to http://WoodgroveBank.com.

• Force the classic Start menu.

• Force the client to wait for the network to initialize at startup, and then log on.

• Configure the Windows Firewall to allow inbound remote administration.

Next you will apply to all domain users a preconfigured GPO that maps a drive to the Data shared folder, and then observe and troubleshoot the results.

All domain users will have a drive mapping to a shared folder named Data. The GPO is already created, and is backed up. You will restore and apply the GPO that delivers that policy to the domain, and troubleshoot any issues with the policy.

A user in the Miami OU has submitted the following help-desk ticket:

• User Name: Roya Asbari

• Computer Name: NYC-CL1

• Description of Problem: There is no drive mapping to the Data folder.

This ticket has been escalated to the server team for resolution.

The main tasks are:

1. Start the 6425A-NYC-DC1 virtual machine, and log on as Administrator.

2. Create and link a domain Desktop policy.

• Set the Internet Explorer homepage to http://WoodgroveBank.com.

• Force the classic Start menu for all domain users.

• Force the client computer to wait for the network to initialize at startup and logon.

• Configure the Windows Firewall to allow inbound remote administration.

3. Restore the Lab11A GPO.

4. Link the Lab11A GPO to the domain.

5. Start the 6425A-NYC-CL1 virtual machine and log on as Administrator.


6. Test the GPO.

7. Troubleshoot the GPO.

8. Resolve the issue and test the resolution.

Task 1: Start the 6425A-NYC-DC1 virtual machine, and log on as Administrator

1. Open the Virtual Server Remote Control Client, and then double-click 6425A-NYC-DC1.

2. Log on to NYC-DC1 as Administrator using the password Pa$$w0rd.

Task 2: Create and link a domain Desktop policy

1. Open Group Policy Management.

2. Create and link a GPO named Desktop to the WoodgroveBank domain.

3. Edit the policy as follows:

a. Navigate to Computer Configuration, then Administrative Templates, then System, and then Logon. Enable the Always wait for the network at computer startup and logon policy.

b. Navigate to Network, then Network Connections, then Windows Firewall, and then Domain Profile. Enable the Windows Firewall: Allow inbound remote administration exceptions policy, then type localsubnet in the field, and then click OK.

c. Navigate to User Configuration, then Windows Settings, then Internet Explorer Maintenance, then URLs, and then Important URLs.

d. In the Important URLs dialog box, customize the home page URL to be http://WoodgroveBank.com.

e. Navigate to Administrative Templates, then Start menu and Taskbar, and then enable the Force classic Start Menu setting.

4. Close the Group Policy Management Editor.


Task 3: Restore the Lab11A GPO

1. In the GPMC, right-click the Group Policy Objects folder and then click Manage Backups.

2. In the Manage Backups dialog box, type D:\6425 in the Backup location field.

3. Select the Lab 11A GPO, click Restore and then click OK twice.

4. Close the Manage Backups dialog box.

Task 4: Link the Lab11A GPO to the domain

1. In the GPMC, right-click the WoodgroveBank.com domain and then click Link an existing GPO.

2. In the Select GPO dialog box, select the Lab 11A GPO and then click OK.

Task 5: Start the 6425A-NYC-CL1 virtual machine, and then log on as Administrator

• Start NYC-CL1 and log on as WoodgroveBank\Administrator with the password Pa$$w0rd.

Task 6: Test the GPO

1. Log off and then log on again as Administrator.

Note: Two logons are required to see the Group Policy settings because Windows logs Administrator on with cached credentials and applies user policy in the background (fast logon optimization); settings delivered during that background refresh become visible at the next logon.

2. Click the Start button and ensure you see the classic Start menu.

3. Double click Internet Explorer and then click the red X to stop the connection attempt to the default startup page. Click the home icon on the toolbar and ensure that http://WoodgroveBank.com is the homepage.

4. Close Internet Explorer.

5. Double click Computer on the desktop and ensure that you have a mapped drive to the shared folder named Data.

6. Log off.

7. Log on to NYC-CL1 as Roya with the password Pa$$w0rd.

8. Close the Welcome Center.

9. Click the Start button, and ensure Roya gets the classic Start menu.

10. On the desktop, double-click Internet Explorer, and then click the Home icon on the toolbar to ensure that http://WoodgroveBank.com is the home page.

11. Close Internet Explorer.

12. On the desktop, double-click Computer, and check for the mapped drive to the shared folder named Data.

Task 7: Troubleshoot the GPO

1. Switch back to NYC-DC1.

2. In the GPMC, right-click Group Policy Results, and then click Group Policy Results Wizard.

3. On the Computer Selection screen, click Another Computer, and then type NYC-CL1 in the field.

4. On the User Selection window, select WoodgroveBank\Roya, and then click Finish.

5. In the User Configuration Summary section, click Group Policy Objects, and then click Applied GPOs.

6. Click the Settings tab.

7. Expand Windows Settings, expand Scripts, and then expand Logon.

8. Switch back to NYC-CL1 as Roya.

9. Test Roya’s permission to the scripts location by opening a Run command, typing \\nyc-dc1\scripts, and then pressing ENTER.

10. Click OK to dismiss the error dialog box.


Note: If time permits, you can view the Group Policy operational log as Administrator on NYC-CL1. If you filter the view to show the events that Roya generates, you will see that the log records no errors or warnings for this user. This is because the GPO only sets a registry value that defines the scripts folder’s location; Group Policy is unaware of whether the user has access to that location, and the write to the registry succeeded. Therefore, the Group Policy log shows no errors. You would have to audit Object Access for the scripts folder to find access problems.

Task 8: Resolve and test the solution

1. Switch back to NYC-DC1 and open Windows Explorer.

2. Navigate to the D:\6425\scripts folder.

3. Add Authenticated Users to the Share permission list and grant them Read permission.

4. Switch to NYC-CL1 as Roya, log off and then log on.

5. On the desktop, double-click Computer.

Note: Another way to resolve the issue would be to move the script to the Netlogon share.

6. Log off.

Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.


Exercise 2: Troubleshooting GPO-Lab11B Domain users in the Miami OU and all sub OUs should not have access to Control Panel. You will restore and apply the GPO that delivers that policy to the Miami OU.

The local onsite technician has submitted a help-desk ticket and escalated the following issue to the server team:

• User Name: Local Onsite Technician

• Computer Name: NYC-CL1

• Description of Problem: No users should be able to access the Control Panel. However, some users do have access to Control Panel, while others do not. Particularly, Roya, a Miami branch manager, has access to Control Panel.

This ticket has been escalated to the server team for resolution.

The main tasks in this exercise are:

1. Restore the Lab11B GPO.

2. Link the Lab11B GPO to the Miami OU.

3. Test the GPO as various users.

4. Troubleshoot the GPO using RSoP.

5. Resolve and test the resolution.

Task 1: Restore the Lab11B GPO

1. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder, and then click Manage Backups.

2. In the Manage Backups dialog box, type D:\6425\GPOBackup in the Backup location field.

3. Restore the Lab 11B GPO.


Task 2: Link the Lab11B GPO to the Miami OU

1. In the GPMC, right-click the Miami OU, and then click Link an existing GPO.

2. In the Select GPO dialog box, select the Lab 11B GPO, and then click OK.

Task 3: Test the GPO

1. Log on to NYC-CL1 as Rich with the password Pa$$w0rd.

2. Ensure that the settings from the Desktop GPO are applied.

3. Ensure that the Control Panel icon does not appear on the desktop or Start menu.

4. Log off.

5. Log on to NYC-CL1 as Roya.

6. Log off.

Task 4: Troubleshoot the GPO

1. Switch back to NYC-DC1.

2. In the GPMC, right-click Group Policy Results, and then click Group Policy Results Wizard.

3. In the Computer Selection window, click Another Computer, and then type NYC-CL1 in the field.

4. In the User Selection window, select WoodgroveBank\Rich, and then click Finish.

5. In the User Configuration Summary section, click Group Policy Objects, and then click Applied GPOs.

6. Click the Settings tab.

7. Expand Administrative Templates, and then expand Control Panel.

8. In the left pane, under Group Policy Results, right-click the Roya on NYC-CL1 query, and then click Rerun Query.

9. In the User Configuration Summary section, click Group Policy Objects, and then click Applied GPOs.

10. Click Denied GPOs.


Task 5: Resolve and test the resolution

1. In the GPMC, expand the Group Policy Objects folder, click the Lab 11B GPO, click the Delegation tab, and then click Advanced.

2. On the Security tab, click Miami_BranchManagersGG.

3. Remove Miami_BranchManagersGG from the permission list, and then click OK.

4. Switch to NYC-CL1 and log on again as Roya.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.
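The following PowerShell script is an added example and is not part of the course or the lab files. It shows the check behind Task 4 and Task 5 without the GUI: it finds the GPO’s Group Policy container by display name and prints every access control entry that grants or denies the Apply Group Policy extended right, Deny entries first. A Deny entry for a group the user belongs to is what the Group Policy Results report lists under Denied GPOs, and it wins over the Allow that Authenticated Users normally carries. The GPO name and domain are placeholders; the Apply-Group-Policy rights GUID is the schema-defined one.

```powershell
# Added example, not from the course: show who is allowed or denied the "Apply Group Policy"
# right on a GPO. A Deny entry for a group the user belongs to is what Group Policy Results
# reports as a Denied GPO, and Deny is evaluated before Allow.
# Assumption: the GPO display name and domain below are placeholders.
$gpoName   = 'Lab 11B'
$domainDns = 'WoodgroveBank.com'
$domainDn  = 'DC=' + ($domainDns -replace '\.', ',DC=')
$applyGp   = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy extended right (schema-defined)
$extRight  = [int][DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-ApplyGroupPolicyAces ([string]$name) {
    # Locate the GPC by display name under CN=Policies,CN=System.
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
    $searcher.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$name))"
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "GPO '$name' not found" }
    $gpc = $hit.GetDirectoryEntry()

    # Explicit and inherited ACEs, with identities resolved to DOMAIN\name.
    $gpc.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.NTAccount]) |
        Where-Object {
            (([int]$_.ActiveDirectoryRights) -band $extRight) -ne 0 -and
            ($_.ObjectType -eq $applyGp -or $_.ObjectType -eq [Guid]::Empty)   # Empty = all extended rights
        } |
        Sort-Object AccessControlType -Descending |   # Deny (1) before Allow (0), the order in which they take effect
        Select-Object @{n='Identity';e={$_.IdentityReference}}, AccessControlType, IsInherited
}

Get-ApplyGroupPolicyAces $gpoName | Format-Table -AutoSize
```

Remember that a user needs both Read and Apply Group Policy on the GPO for it to apply; the script shows only the Apply side, which is where an accidental Deny, such as the one on the branch managers group in this exercise, usually hides.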


Exercise 3: Troubleshooting GPO Lab11C Users in the Miami OU should not have access to the Run command on the Start Menu. You will restore and link the Lab 11C GPO to apply this setting.

The local desktop technician has escalated the following issue to the server team:

• User Name: Local Onsite Technician

• Computer Name: NYC-CL1

• Description of Problem: No users should be able to access the Run command on the Start Menu, but all users in the Miami OU have access to the Run command.

This ticket has been escalated to the server team for resolution.

The main tasks in this exercise are:

1. Restore the Lab11C GPO.

2. Link the Lab11C GPO to the Miami OU.

3. Test the GPO.

4. Troubleshoot the GPO.

5. Resolve and test the resolution.

Task 1: Restore the Lab11C GPO

1. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder, and then click Manage Backups.

2. In the Manage Backups dialog box, type D:\6425\GPOBackup in the Backup location field.

3. Restore the Lab 11C GPO.

Task 2: Link the Lab11C GPO to the Miami OU

1. In the GPMC, right-click the Miami OU, and then click Link an existing GPO.

2. Select the Lab 11C GPO, and then click OK.


Task 3: Test the GPO

1. Log on to NYC-CL1 as Roya.

2. Log off.

Task 4: Troubleshoot the GPO

1. Switch to NYC-DC1.

2. In the GPMC, rerun the query Roya on NYC-CL1.

3. In the User Configuration Summary section, click Group Policy Objects, and then click Applied GPOs.

4. Click the Settings tab.

5. In the User Configuration section, expand Administrative Templates, and then click Start Menu and Taskbar.

Task 5: Resolve and test the resolution

1. Expand the Group Policy Objects folder, right-click the Lab 11C GPO, and then click Edit.

2. Navigate to User Configuration, then Administrative Templates, and then Start Menu and Taskbar.

3. Double-click the Add the Run command to the Start Menu setting, click Not Configured, and then click OK.

4. Locate the Remove Run menu from the Start Menu, and enable the setting.

5. Close the Group Policy Object Editor.

6. Log on to NYC-CL1 as Roya.

7. Do not log off.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.


Exercise 4: Troubleshooting GPO Lab11D You will restore the Lab 11D GPO and link it to the Loopback OU. This GPO is designed to enhance security.

A user in the Miami OU has submitted the following helpdesk ticket:

• User Name: Roya Asbari

• Computer Name: NYC-CL1

• Description of Problem: Since the application of the GPO, Roya no longer has the classic Start Menu or the drive mapping, and can no longer run Internet Explorer.

This ticket has been escalated to the server team for resolution.

The main tasks in this exercise are:

1. Create a new OU named Loopback.

2. Restore the Lab11D GPO.

3. Link the Lab11D GPO to the Loopback OU.

4. Move NYC-CL1 to the Loopback OU.

5. Test the GPO.

6. Troubleshoot the GPO.

7. Resolve the issue and test the resolution.

Task 1: Create a new OU named Loopback

• Use Active Directory Users and Computers to create a new OU named Loopback in the WoodgroveBank.com domain.

Task 2: Restore the Lab11D GPO

1. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder, and then click Manage Backups.

2. In the Manage Backups dialog box, type D:\6425\GPOBackup in the Backup location field.

3. Restore the Lab 11D GPO.


Task 3: Link the Lab11D GPO to the Loopback OU

1. In the GPMC, right-click the Loopback OU, and then click Link an existing GPO.

2. In the Select GPO dialog box, select the Lab 11D GPO, and then click OK.

Task 4: Move NYC-CL1 to the Loopback OU

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. Expand the WoodgroveBank.com domain, and then click the Computers container.

3. Right-click the NYC-CL1 computer account, and then click Move.

4. Select the Loopback OU, and then click OK.

Task 5: Test the GPO

1. Switch to NYC-CL1, and then restart the computer.

2. Log on as WoodgroveBank\Roya with the password Pa$$w0rd.

3. Close the Welcome Center.

4. Click the Start button.

5. Double-click Internet Explorer.

6. Close Internet Explorer.

Task 6: Troubleshoot the GPO

1. Switch back to NYC-DC1.

2. In the GPMC, run the Group Policy Results Wizard.

3. In the Computer Selection window, click Another Computer, type NYC-CL1 in the text box, and then click Next.

4. In the User Selection window, select WoodgroveBank\Roya, and then click Finish.


5. In the Computer Configuration Summary section, click Group Policy Objects, and then click Applied GPOs.

6. In the Computer Configuration section, click Administrative Templates, and then click System/Group Policy.

Task 7: Resolve and test the resolution

1. In the GPMC, right-click the Admins OU, and disable the link to the Lab 11D GPO.

2. Restart the NYC-CL1 computer.

3. Log on as Roya.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.
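The following PowerShell script is an added example and is not part of the course or the lab files. Run on the client, it reports whether loopback processing is in force (the setting the Group Policy Results report shows under System/Group Policy in Task 6), and in which mode, and then lists the GPOs that delivered the computer’s policy in processing order from the local Group Policy history. In Replace mode that computer-side list is also where the user’s settings came from, which is why a user who moves to a computer in the Loopback OU loses settings from GPOs that apply to her user account elsewhere. The UserPolicyMode value and the History key layout are the ones the Group Policy engine writes on Windows XP and Windows Vista clients; confirm them in Regedit on your build before relying on the output.

```powershell
# Added example, not from the course: on the client, report whether loopback processing is in
# force and which GPOs delivered the computer's policy, from the local Group Policy state.
# Assumption: the value and key names below are the ones the Group Policy engine writes on
# Windows XP/Vista clients; check them in Regedit on your build before relying on this.
function Get-LoopbackMode {
    $sys  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $mode = 0
    if ($sys -ne $null -and $sys.UserPolicyMode -ne $null) { $mode = [int]$sys.UserPolicyMode }
    if ($mode -eq 1) {
        return 'Merge: user GPOs apply first, then user settings from the computer''s GPOs win on conflict'
    } elseif ($mode -eq 2) {
        return 'Replace: user settings come only from GPOs that apply where the computer account lives'
    }
    return 'Not configured (normal user processing)'
}

function Get-AppliedComputerGpos {
    # The all-zero CSE GUID under History holds the full GPO list; per-CSE GUIDs hold each extension's subset.
    $hist = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{00000000-0000-0000-0000-000000000000}'
    if (-not (Test-Path $hist)) { return @() }
    Get-ChildItem $hist | ForEach-Object {
        $g = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Order    = [int]$_.PSChildName     # processing order; later entries win on conflict
            GPO      = $g.DisplayName
            LinkedTo = $g.Link                 # DN of the site, domain or OU that carries the link
            Version  = $g.Version
        }
    } | Sort-Object Order
}

'Loopback: ' + (Get-LoopbackMode)
Get-AppliedComputerGpos | Format-Table Order, GPO, LinkedTo, Version -AutoSize
```

Point the second function at HKCU instead of HKLM to see the user-side list; comparing the two, together with the loopback mode, is a quick way to confirm the explanation before you change any links.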


Module Review and Takeaways

Considerations Consider the following when troubleshooting Group Policy:

• The Group Policy client refreshes policy at regular, configurable intervals and calls the client-side extensions (CSEs) to apply the settings.

• GPO version numbers determine if a Group Policy has changed.

• Not all CSEs process across a slow link.

• Security settings refresh every 16 hours.

• Windows XP and earlier versions log to the Userenv log for most Group-Policy issues. You can modify the registry to enable other CSE logs.

• Windows Vista logs to operational logs in Event Viewer.

• Blocking inheritance will block all higher level polices from being applied, unless those policies are enforced.

• You can filter Group Policy so that it applies only to certain security principals by using security filtering or WMI filters.


• A GPO is made up of two parts: the Group Policy template in SYSVOL and the Group Policy container in AD DS. The two replicate on separate schedules using different mechanisms (FRS or DFS Replication for SYSVOL, AD DS replication for the container), so they can be temporarily out of step on a given domain controller.

• Windows XP and later versions log on users with cached credentials by default. Many users’ settings will require two logons because of this.

• Windows XP and earlier use ICMP (ping) to determine link speed. Windows Vista and later versions use Network Location Awareness to determine link speed.

• Security principals need Read permission on the script location (both share and NTFS) so that they can execute scripts.

• Computer startup scripts run synchronously by default.

• User logon scripts run asynchronously by default.

Tools Use the following tools when troubleshooting Group Policy issues:

Ping • Testing network connectivity.

NSlookup • Testing DNS lookups.

DCdiag • Testing domain controllers.

Set • Displaying, setting, or removing environment variables.

Kerbtray • Displaying Kerberos ticket information.

RSoP • Reporting information about the current policies being delivered to clients.

GPResult • Displaying RSoP information from the command line.

GPOTool • Checking the consistency of Group Policy objects across domain controllers, and monitoring policy replication.

GPUpdate • Refreshing local and AD DS-based Group Policy settings.


Dcgpofix • Restoring the default Group Policy objects to their original state after initial installation.

GPOLogView • Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista and later versions.

Group Policy Management scripts • Sample scripts that perform a number of different troubleshooting and maintenance tasks.

Review Questions 1. What tool can test DNS name resolution?

a. NSlookup

b. DCdiag

c. GPResult

d. Ping

2. What log will give details of folder redirection?

________________________________________________________________

3. What visual indicator in the GPMC designates that inheritance has been blocked?

________________________________________________________________

4. What GPO settings are applied across slow links by default? Choose all that apply:

a. Scripts policies

b. Security settings

c. Administrative settings

d. Internet Explorer Maintenance

e. EFS Recovery Policy

f. IPSec Policy


Module 12 Implementing an Active Directory Domain Services Infrastructure

Contents: Lesson 1: Overview of the AD DS Domain 12-3

Lesson 2: Planning a Group Policy Strategy 12-7

Lab A: Deploying Active Directory Domain Services 12-9

Lab B: Configuring Forest Trust Relationships 12-23

Lab C: Designing a Group Policy Strategy 12-31


Module Overview

This module explains how to implement an Active Directory® Domain Services (AD DS) infrastructure. The module consists of five exercises that make up the three labs. These exercises reinforce concepts from the course, and give you the opportunity to perform operations that were not performed in the prior labs. Each exercise is independent of the other exercises.


Lesson 1: Overview of the AD DS Domain

In this lesson, you will review the AD DS domain components that you will work with in the lab.


Overview of the Current AD DS Domain Design

Key Points The graphic on the slide depicts the current domain configuration at Woodgrove Bank.


Overview of the Required AD DS Domain Design

Key Points The graphic on the slide depicts the required domain configuration at Woodgrove Bank. The Contoso domain will join the Woodgrove Bank forest as a separate tree in the same forest.


Overview of the AD DS Site Design

Key Points The graphic on the slide shows the current site configuration at Woodgrove Bank. A new branch office has been created in New York, and a new site will be created to control logon traffic.

The following two new sites will be created:

• The Contoso.com site will contain the 192.168.0.0 subnet

• The NYC-Branch-Office site will contain the 10.30.0.0 subnet


Lesson 2: Planning a Group Policy Strategy

In this lesson, you will plan a Group Policy strategy and implement it in the labs.


Overview of Domain Controller Deployment

Key Points The graphic depicts the new domain controller deployment at Woodgrove Bank.

• The NYC-SRV2 server core computer will be renamed to NYC-DC3 to reflect the new role and the read-only domain controller (RODC) role will be installed on NYC-DC3.

• The NYC-SRV1 computer will be renamed to ContosoDC to reflect the new role and then promoted to become the Contoso domain controller.


Lab A: Deploying Active Directory Domain Services

Scenario Woodgrove Bank is deploying Windows Server® 2008 AD DS. The enterprise administrator has created a design for the deployment. As the AD DS administrator, you will be implementing this design and verifying that all components in the design work correctly.

Site Info There will be two new sites: NYC Branch Office and Contoso.

• Site Name – NYC-Head-Office

• Subnet – 10.10.0.0

• Gateway – 10.10.0.1

• Domain Controller – NYC-DC1 10.10.0.10

• Site Name – NYC-Branch-Office


• Subnet – 10.30.0.0

• Gateway – 10.30.0.1

• Domain Controller – NYC-DC3 (RODC) (change the name of NYC-SRV2) 10.30.0.10

• Site Name – Contoso

• Subnet – 192.168.0.0

• Gateway – 192.168.0.1

• Domain Controller – ContosoDC (change the name of NYC-SRV1) 192.168.0.10

Domain Info There will be two domains; WoodgroveBank.com and Contoso.com.

WoodgroveBank and Contoso belong to the same forest. WoodgroveBank is the root domain of the forest and Contoso is a separate tree in the forest.

WoodgroveBank.com Domain Controllers – NYC-DC1, NYC-DC2, NYC-DC3 (RODC) (change the name of NYC-SRV2)

Contoso.com Domain Controller – ContosoDC (change the name of NYC-SRV1)

Note: The following lab requires that four virtual machines be running at one time. We recommend that the student computers be configured with an additional one GB of RAM (for a total of 3 GB) to improve the virtual machine performance in this lab.


Exercise 1: Installing an RODC onto a Server Core and Creating a Branch Office Site

Scenario Woodgrove Bank has opened a new branch office in New York City. The branch office employee user accounts will be located in a separate organizational unit (OU). In order to control logon traffic, the decision has been made to create a separate site for the new branch office, and to create a read-only domain controller (RODC) on a server core installation in the site.

You have been tasked to create and configure the domain controller for the new branch office in New York City. You will use an existing server, NYC-SRV2, which is a server core installation. You will perform the following tasks in AD DS:

• Pre-configure the account for the RODC of the branch office.

• Create an OU named Branch Office Employees that will contain user accounts.

• Create user accounts for the branch office manager and branch office user.

• Create a global group named BranchUsersGG, and then add the branch office users to it.

Only the branch office employees will have their passwords cached on the RODC.

You will also create the site for the branch office, and create the subnet object 10.30.0.0 for the branch office. Then you will change the name of NYC-SRV2 to NYC-DC3, to reflect its new role. You will configure the IP address to reflect the subnet of the branch site. Then you will install the RODC onto the server. Finally, you will configure replication with the head office site to occur every 30 minutes.

The main tasks for this exercise are as follows:

1. Start the virtual machines and log on.

2. Copy the unattended file and change the name of NYC-SRV2 to NYC-DC3.

3. Change the IP address of NYC-SRV2 to 10.30.0.10.

4. Create the NYC-Branch-Office site and rename the default site.

5. Create subnet objects for the NYC head office and branch office sites.

6. Configure the replication schedule.

7. Create an OU for branch office.

8. Create users and groups for the branch office.


9. Configure the DNS service on NYC-DC1 to allow zone transfers.

10. Pre-stage the computer account for the RODC.

11. Install the DNS role on NYC-DC3.

12. Install RODC on NYC-DC3, and verify the results.

13. Close NYC-SRV2 and discard undo disks.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. In the Lab Launcher, next to 6425A-NYC-DC2, click Launch.

4. In the Lab Launcher, next to 6425A-NYC-SVR2, click Launch.

5. In the Lab Launcher, next to 6425A-NYC-RAS, click Launch.

6. Log on to all computers as Administrator with the password Pa$$w0rd.

7. Minimize the Lab Launcher window.

Task 2: Copy the unattend file, and change the name of NYC-SRV2 to NYC-DC3

1. Copy the NYC-Rodc.txt file from the D:\6425\Mod12\Labfiles folder to the C: drive.

2. At the command prompt, type Netdom renamecomputer %computername% /newname:NYC-DC3 /force /reboot:5, and then press ENTER. The computer will automatically reboot after 5 seconds.


Task 3: Change the NYC-SRV2 IP address to 10.30.0.10

1. At the command prompt, type netsh interface ipv4 show interfaces. Note the Idx number of the Local Area Connection interface.

2. At the command prompt, type netsh interface ipv4 set address name=<Idx number of the LAN interface> source=static address=10.30.0.10 mask=255.255.0.0 gateway=10.30.0.1, and then press ENTER.

3. At the command prompt, type IPconfig /all, and ensure the IP address information is correct, and that the DNS Server is 10.10.0.10.

Task 4: Create the NYC-Branch-Office site and rename the Default site

1. On NYC-DC1, open Active Directory Sites and Services.

2. Right-click Sites, click New Site, and name the site NYC-Branch-Office. Select the DefaultIPSiteLink, and then click OK.

3. Rename the Default-First-Site-Name to NYC-Head-Office.

Task 5: Create subnet objects for the NYC head office and branch office sites

1. Create a new subnet object for the 10.10.0.0/16 subnet. Select the NYC-Head-Office site, and then click OK.

2. Create a new subnet object for the 10.30.0.0/16 subnet. Select the NYC-Branch-Office site, and then click OK.

Task 6: Configure the replication schedule

1. Open the properties of the DEFAULTIPSITELINK site link.

2. Type 30 in the Replicate every field, and then click OK.

3. Close Active Directory Sites and Services.

Task 7: Create an OU for the branch office users

1. Open Active Directory Users and Computers.

2. Create a new OU named NYC Branch Office.


Task 8: Create users and groups for the branch office

1. Create a new user with the following parameters:

• Name – Branch Manager

• Logon Name – branchmanager

• Password – Pa$$w0rd

• Password never expires

2. Create a second user with the following parameters:

• Name – Branch User

• Logon Name – branchuser

• Password – Pa$$w0rd

• Password never expires

3. Create a new global group named BranchUsersGG.

4. Add the Branch Manager and the Branch User accounts to the BranchUsersGG global group.

Task 9: Configure the DNS service on NYC-DC1 to allow zone transfers

1. On NYC-DC1, open the DNS management console.

2. Configure the WoodgroveBank.com zone to Allow Zone Transfers.

3. Close the DNS Manager.

Task 10: Pre-stage the computer account for the RODC

1. Return to Active Directory Users and Computers, right-click the Domain Controllers organizational unit, and then click Pre-create Read-only Domain Controller account.

2. On the Welcome to the Active Directory Domain Services Installation Wizard page, select the Use advanced mode installation check box, and then click Next.

3. On the Operating System Compatibility page, click Next.

4. On the Network Credentials page, verify that My current logged on credentials is selected, and then click Next.


5. On the Specify the Computer Name page, in the Computer name field, type NYC-DC3, and then click Next.

6. On the Select a Site page, click NYC-Branch-Office, and then click Next.

7. On the Additional Domain Controller Options page, keep the defaults, and then click Next.

8. On the Specify the Password Replication Policy page, click Add, and then select Allow passwords for the account to replicate to the RODC.

9. Add the BranchUsersGG.

10. On the Delegation of RODC Installation and Administration page, click Set, and then add the BranchManager account.

11. Finish the wizard to create the RODC account. Notice that the NYC-DC3 computer account is listed in AD DS, but the DC type is Unoccupied DC Account.

Task 11: Install DNS role on NYC-DC3

1. On NYC-DC3, type Oclist to view the currently installed roles. Notice that there are no currently installed roles.

2. Type start /w ocsetup DNS-Server-Core-Role, and then press ENTER to install the DNS server. The server core role name is case sensitive.

Task 12: Install RODC on NYC-DC3 and verify the results

1. Type dcpromo.exe /UseExistingAccount:Attach /unattend:c:\nyc-rodc.txt. The promotion will take several minutes to perform, and will automatically reboot to complete the installation.

2. Log on to NYC-DC3 as BranchManager.

3. Switch to NYC-DC1 and refresh the view of the Domain Controllers OU. Notice that the DC Type for NYC-DC3 is now set to Read-only, DC.

4. Open Active Directory Sites and Services, and examine the NYC-Branch-Office site. Notice that NYC-DC3 is now listed in the Servers container.

5. Open the DNS Manager and connect to the NYC-DC3 DNS server. Notice that NYC-DC3 hosts a copy of the WoodgroveBank.com zone.


Note: If the server is unavailable, wait a few minutes and try again.

6. Close the DNS console.
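A check for the Password Replication Policy pre-staged in Task 10 and attached in Task 12, as an added example that is not part of the course lab files: it expands each entry of the RODC's Allow and Deny lists to the accounts it actually covers and flags AdminSDHolder-protected accounts (adminCount=1) that appear on the Allow side. It needs only System.DirectoryServices, so it runs in PowerShell on NYC-DC1; the function name is the example's own and the RODC name is the only input.

```powershell
# Added example (not from the course): audit an RODC's Password Replication Policy.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escape the characters that RFC 4515 reserves inside an LDAP filter value.
    param([string] $Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-RodcPasswordReplicationPolicy {
    param([Parameter(Mandatory = $true)] [string] $RodcName)   # e.g. 'NYC-DC3'

    $domainDn = ([ADSI] 'LDAP://RootDSE').Properties['defaultNamingContext'].Value
    $domain   = [ADSI] "LDAP://$domainDn"

    # The PRP lives on the RODC's computer object: msDS-RevealOnDemandGroup (Allow) and
    # msDS-NeverRevealGroup (Deny); both hold DNs of groups or individual accounts.
    $sam = ConvertTo-LdapFilterValue ($RodcName + '$')
    $rodcSearch = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $rodcSearch.Filter = "(&(objectClass=computer)(sAMAccountName=$sam))"
    [void] $rodcSearch.PropertiesToLoad.AddRange([string[]] @('msds-revealondemandgroup', 'msds-neverrevealgroup'))
    $rodc = $rodcSearch.FindOne()
    if ($null -eq $rodc) { throw "No computer account named $RodcName under $domainDn" }

    $lists = @( @{ Rule = 'Allow'; Attribute = 'msds-revealondemandgroup' },
                @{ Rule = 'Deny';  Attribute = 'msds-neverrevealgroup'    } )
    foreach ($list in $lists) {
        foreach ($entryDn in $rodc.Properties[$list.Attribute]) {
            $dn = ConvertTo-LdapFilterValue ([string] $entryDn)
            # Resolve each PRP entry to the accounts it covers: the entry itself when it is an
            # account, otherwise every transitive member (LDAP_MATCHING_RULE_IN_CHAIN).
            $members = New-Object System.DirectoryServices.DirectorySearcher($domain)
            $members.PageSize = 500
            $members.Filter = "(&(|(objectCategory=person)(objectCategory=computer))" +
                              "(|(distinguishedName=$dn)(memberOf:1.2.840.113556.1.4.1941:=$dn)))"
            [void] $members.PropertiesToLoad.AddRange([string[]] @('samaccountname', 'admincount'))
            foreach ($account in $members.FindAll()) {
                $adminCount = $account.Properties['admincount']
                New-Object PSObject -Property @{
                    Rule        = $list.Rule
                    PolicyEntry = [string] $entryDn
                    Account     = [string] $account.Properties['samaccountname'][0]
                    # adminCount=1 marks a protected account; one of these on the Allow side is
                    # only kept off the RODC if a Deny entry also covers it (Deny wins).
                    Protected   = ($adminCount.Count -gt 0 -and [int] $adminCount[0] -eq 1)
                }
            }
        }
    }
}

Get-RodcPasswordReplicationPolicy -RodcName 'NYC-DC3' |
    Sort-Object Rule, Account | Format-Table Rule, Account, Protected, PolicyEntry -AutoSize
# Cross-check with the built-in tool: repadmin /prp view NYC-DC3 allow   (or ... deny)
```

For the lab's policy, the Allow side should list only branchmanager and branchuser through BranchUsersGG, while the Deny side shows the members of the default denied groups.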

Task 13: Close all virtual machines and discard undo disks

1. Close the 6425A-NYC-SRV2 Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

Result: At the end of this exercise, you will have created an RODC on a Server Core computer.


Exercise 2: Creating a Domain in a Separate Tree and Separate Site

Scenario

Woodgrove Bank has acquired a small company named Contoso, Ltd. For legal reasons, this company must have a separate domain in a new domain tree in the same forest. This will allow them to maintain the Contoso.com namespace. The Contoso domain will also be in a separate site.

You have been tasked with creating the domain for Contoso, Ltd. The domain will be named Contoso.com, and will have a separate domain tree in the WoodgroveBank forest. You will use an existing server, NYC-SRV1, to become the new domain controller. You will rename the computer to be ContosoDC. You will also create a separate site for the Contoso domain that uses the 192.168.0.0 subnet, and you will configure the ContosoDC computer with the IP address of 192.168.0.10. You will configure replication between the New York site and the Contoso site to occur every 4 hours, between the hours of 1800 and 0600. You will install and configure the DNS service on ContosoDC to hold a secondary zone of WoodgroveBank.com. Finally, you will promote ContosoDC to become the domain controller for Contoso.com.

The main tasks for this exercise are:

1. Start NYC-SRV1.

2. Create the Contoso site.

3. Create the subnet for the Contoso site.

4. Create and configure a new site link for replication.

5. Rename the NYC-SRV1 server to ContosoDC.

6. Change the IP address of ContosoDC.

7. Configure the DNS service on NYC-DC1 to allow zone transfers (If you completed Exercise 1, then this step has already been performed).

8. Install DNS on ContosoDC.

9. Configure the DNS Service on ContosoDC.

10. Promote the server to be the Contoso domain controller.

11. Close NYC-SRV1 and NYC-DC2 and discard undo disks.


Task 1: Start NYC-SRV1

1. In the Lab Launcher, next to 6425A-NYC-SRV1, click Launch.

2. Minimize the Lab Launcher window.

Task 2: Create the Contoso site

1. On NYC-DC1, open Active Directory Sites and Services.

2. Create a new site named Contoso.

3. Select the DefaultIPSiteLink site link, click OK, and then click OK to acknowledge the message.

Task 3: Create the subnet for the Contoso site

1. Create a new subnet object for the 192.168.0.0/24 subnet. Select the Contoso site, and then click OK.

2. Close Active Directory Sites and Services.

Task 4: Create and configure a new site link for replication

1. Create a new site link named Contoso-NYC-HO.

2. Open the properties of the Contoso-NYC-HO site link, and add the Contoso and NYC-Head-Office sites to the site link.

3. Type 240 in the Replicate every field, and then click Change Schedule.

4. In the Schedule for Contoso-NYC-HO dialog box, click and drag to select the hours of 0600 to 1800 Monday to Friday, click Replication Not Available, and then click OK twice.
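The site, subnet and scheduled site link of Tasks 2 to 4 built with the System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008, as an added example that is not from the course: the part worth seeing in code is the schedule, which the console only shows as a grid. Assumptions: run in PowerShell on NYC-DC1 as an Enterprise Admin, NYC-DC1 keeps UTC time, and the function and parameter names are the example's own.

```powershell
# Added example (not from the course): Contoso site, subnet and scheduled site link.
Add-Type -AssemblyName System.DirectoryServices
$AD = 'System.DirectoryServices.ActiveDirectory'

function New-OffHoursSchedule {
    # Builds the Task 4 grid: Monday to Friday unavailable 06:00-18:00, available otherwise.
    # The grid is stored per 15-minute slot in UTC; Sites and Services renders it in the
    # console's local time, so shift the hours if NYC-DC1 is not on UTC (assumption: it is).
    $schedule = New-Object "$AD.ActiveDirectorySchedule"
    $schedule.ResetSchedule()                         # start with every slot unavailable
    $H = [type] "$AD.HourOfDay"
    $M = [type] "$AD.MinuteOfHour"
    $weekdays = [System.DayOfWeek[]] @('Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday')
    $weekend  = [System.DayOfWeek[]] @('Saturday', 'Sunday')
    # A window cannot cross midnight, so 18:00-06:00 becomes two windows; the end slot is inclusive.
    $schedule.SetSchedule($weekdays, $H::Zero,     $M::Zero, $H::Five,        $M::FortyFive)
    $schedule.SetSchedule($weekdays, $H::Eighteen, $M::Zero, $H::TwentyThree, $M::FortyFive)
    $schedule.SetSchedule($weekend,  $H::Zero,     $M::Zero, $H::TwentyThree, $M::FortyFive)
    return $schedule
}

function New-ContosoSiteTopology {
    param(
        [string] $SiteName        = 'Contoso',          # Task 2
        [string] $SubnetPrefix    = '192.168.0.0/24',   # Task 3
        [string] $HubSiteName     = 'NYC-Head-Office',  # Default-First-Site-Name as renamed in Lab A
        [string] $SiteLinkName    = 'Contoso-NYC-HO',   # Task 4
        [int]    $IntervalMinutes = 240
    )
    $ctx = New-Object "$AD.DirectoryContext" -ArgumentList ([type] "$AD.DirectoryContextType")::Forest

    $site = New-Object "$AD.ActiveDirectorySite" -ArgumentList $ctx, $SiteName
    $site.Save()

    # A subnet object maps client addresses to the site so logons stay local.
    $subnet = New-Object "$AD.ActiveDirectorySubnet" -ArgumentList $ctx, $SubnetPrefix
    $subnet.Site = $site
    $subnet.Save()

    $hub  = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($ctx, $HubSiteName)
    $link = New-Object "$AD.ActiveDirectorySiteLink" -ArgumentList $ctx, $SiteLinkName   # IP transport
    [void] $link.Sites.Add($site)
    [void] $link.Sites.Add($hub)
    $link.ReplicationInterval = New-TimeSpan -Minutes $IntervalMinutes   # "Replicate every 240"
    $link.ReplicationSchedule = New-OffHoursSchedule
    $link.Save()
    return $link
}

$link = New-ContosoSiteTopology
'{0}: every {1} minutes, {2} of 672 weekly slots available' -f $link.Name,
    $link.ReplicationInterval.TotalMinutes,
    @($link.ReplicationSchedule.RawSchedule | Where-Object { $_ }).Count
```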

Task 5: Rename the NYC-SRV1 server to ContosoDC

1. Log on to NYC-SRV1 as LocalAdmin with the password Pa$$w0rd.

2. Change the computer name to ContosoDC, and then restart the computer.


Task 6: Change the IP address for ContosoDC

1. Log on to ContosoDC as LocalAdmin with the password Pa$$w0rd.

2. Configure the IPV4 address as follows:

• IP address – 192.168.0.10

• Subnet mask – 255.255.255.0

• Default Gateway – 192.168.0.1

• DNS – 10.10.0.10

Task 7: Configure the DNS service on NYC-DC1 to allow zone transfers (If you completed Exercise 1, then this step has already been performed)

1. Switch to NYC-DC1.

2. Open the DNS management console.

3. Configure the Woodgrovebank.com zone to Allow Zone Transfers.

4. Close the DNS Manager.

Task 8: Install the DNS Server Role on ContosoDC

1. Switch to ContosoDC.

2. Install the DNS server role.

3. Leave Server Manager open.

Task 9: Configure the DNS Service on ContosoDC

1. Open the DNS management console.

2. Create a secondary forward zone named WoodgroveBank.com.

3. Configure the Master DNS server as 10.10.0.10. It will take a few moments for the zone transfer to occur. You will have to refresh the console to see the changes.


4. Expand the Global Logs, and then click DNS Events. Examine the events that describe the zone transfer.

5. Close the DNS Manager.

Task 10: Promote the server to become the Contoso domain controller

1. Use Server Manager to add the Active Directory Domain Services role.

2. Launch DCPromo.exe.

3. In the Active Directory Domain Services Installation Wizard, select Use advanced mode installation.

4. On the Operating System Compatibility page, click Next.

5. In the Choose a Deployment Configuration window, click Existing Forest, click Create a new domain in an existing forest, and then select Create a new domain tree root instead of a new child domain.

6. On the Network Credentials screen, type Woodgrovebank.com in the domain name field, click Set, and then use the credentials:

a. User: Administrator

b. Password: Pa$$w0rd

7. Name the new domain tree root Contoso.com.

8. On the Domain NetBIOS Name screen, click Next.

9. Set the domain functional level to Windows Server 2008.

10. In the Select a Site window, click Next.

11. In the Additional Domain Controller Options window, select the check box for Global Catalog, and then click Next.

12. In the Static IP Assignment message box, click Yes, the computer will use a dynamically assigned IP address, and then click Yes to continue.

Note: This message refers to the IPV6 interface, which is set to use DHCP.

13. In the Source Domain Controller window, click Next.

14. In the Location for Database, Log Files and SYSVOL window, click Next.


15. Set the directory services restore mode administrator password to Pa$$w0rd.

16. In the Summary window, click Next, and then select Reboot on completion.

17. Log on to the ContosoDC computer as Contoso\Administrator.

18. Open the DNS management console, and examine the forward lookup zones. Notice the Contoso.com zone.

19. Use the IPconfig /all command to examine the IP configuration. Notice that ContosoDC is using 127.0.0.1 as the preferred DNS server.

Task 11: Close NYC-SRV1 and NYC-DC2 and discard undo disks

1. Close the 6425A-NYC-SRV1 Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

3. Close the 6425A-NYC-DC2 Virtual Machine Remote Control window.

4. In the Close box, select Turn off machine and discard changes. Click OK.

Result: At the end of this exercise, you will have created a domain in a separate tree and separate site.


Overview of the Forest Trust Relationship

Key Points

This topic introduces the information you need for the next lab.

By the end of the next lab, the Fabrikam forest will be upgraded to Windows Server 2008 level, and a Windows Server 2008 server will be promoted to become an additional domain controller in the domain. The Fabrikam.com forest will have a forest trust relationship with the WoodgroveBank forest. The trust will use selective authentication such that only the WoodgroveBank Domain Admins group will be allowed to authenticate to resources in the Fabrikam domain.


Lab B: Configuring Forest Trust Relationships

Scenario

Woodgrove Bank has recently purchased a new subsidiary named Fabrikam, Inc. Fabrikam is currently running Windows Server® 2003 operating system domain controllers. One of the first tasks for Woodgrove Bank administrators will be to upgrade the domain controllers to Windows Server 2008. Fabrikam Inc will remain in a separate forest, and will trust the Woodgrove Bank forest.


Exercise: Upgrading the Fabrikam Domain and Creating a Forest Trust with Woodgrove Bank

Scenario

You have been tasked to prepare the Fabrikam 2003 forest and domain to accept Windows Server 2008 domain controllers. You will also configure DNS zone transfers between the Fabrikam forest and the WoodgroveBank forest. Then you will promote a Windows Server 2008 server to become a domain controller in the Fabrikam domain. Finally, you will configure a forest trust between WoodgroveBank.com and Fabrikam.com. The trust will use selective authentication such that only the WoodgroveBank Domain Admin group will be allowed to authenticate to Fabrikam domain resources.

Use the following information in this exercise:

• Site Name – Fabrikam

• Subnet – 10.20.0.0

• Gateway – 10.20.0.1

• Domain Controller – FabrikamDC 10.20.0.10

The main tasks in this exercise are:

1. Start VAN-DC1 and NYC-SVR1.

2. Prepare the forest and domain to allow the Fabrikam.Com forest to accept Windows Server 2008 domain controllers.

3. Configure reciprocating DNS zone transfers using stub zones between WoodgroveBank.com and Fabrikam.com.

4. Rename the NYC-SRV1 to VAN-DC2.

5. Promote the Windows Server 2008 server to a domain controller in the Fabrikam domain.

6. Configure a forest trust between WoodgroveBank.com and Fabrikam.com for selective authentication.

7. Configure selective authentication for the WoodgroveBank Domain Admins group.

8. Shut down servers.


Task 1: Start VAN-DC1 and NYC-SVR1

1. In the Lab Launcher, next to 6425A-VAN-DC1, click Launch.

2. In the Lab Launcher, next to 6425A-NYC-SVR1, click Launch.

3. Minimize the Lab Launcher window.

Task 2: Prepare the forest and domain to allow the Fabrikam.com forest to accept Windows Server 2008 domain controllers

1. Log on to VAN-DC1 as Administrator, with the password Pa$$w0rd.

2. Open Active Directory Users and Computers.

3. Right-click Fabrikam.com, and then click Raise Domain Functional Level.

4. Raise the domain functional level to Windows Server 2003.

5. Open Active Directory Domains and Trusts.

6. Right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

7. Raise the forest functional level to Windows Server 2003.

8. Copy the Windows Server 2008 ADPrep files from the D:\6425\Mod12\Adprep folder on NYC-DC1 to C:\Adprep on VAN-DC1.

9. From a command prompt, enter the command C:\Adprep\adprep /forestprep. Read the warning message, and then type C to continue. Forestprep will take a few moments to complete.

10. In the command prompt window, type C:\Adprep\adprep /domainprep.

11. Close the command prompt.

Task 3: Configure reciprocating DNS zone transfers using stub zones between Woodgrovebank.com and Fabrikam.com

1. On VAN-DC1, launch the DNS management console.

2. Configure the Fabrikam.com zone to allow zone transfers.

3. On NYC-DC1, launch the DNS management console.

4. Launch the New Zone Wizard.


5. In the Zone Type window, click Stub Zone.

6. In the Active Directory Zone Replication Scope window, click Next.

7. In the Zone Name window, type Fabrikam.com.

8. In the Master DNS Servers window, type 10.20.0.10, and then finish the wizard. The zone transfer will take a few moments to occur. You must refresh the console to see the changes.

9. Close the DNS Manager.

10. Switch to VAN-DC1.

11. Launch the New Zone Wizard.

12. In the Zone Type window, click Stub Zone.

13. In the Active Directory Zone Replication Scope window, click Next.

14. In the Zone Name window, type WoodgroveBank.com.

15. In the Master DNS Servers window, type 10.10.0.10, and then finish the wizard. The zone transfer will take a few moments to occur. You will have to refresh the console to see the changes.

16. Close the DNS Manager.

Task 4: Rename the NYC-SRV1 to VAN-DC2

1. Log on to NYC-SRV1 as LocalAdmin with the password Pa$$w0rd.

2. Change the IP address configuration for the Local Area Connection to:

• IP address – 10.20.0.11

• Subnet mask – 255.255.0.0

• Default gateway – 10.20.0.1

• Preferred DNS server – 10.20.0.10

3. In Server Manager, click Change System Properties.

4. Change the name of the computer to VAN-DC2, and then restart the computer.


Task 5: Promote the Windows Server 2008 server to a domain controller in the Fabrikam domain

1. Log on to VAN-DC2 as LocalAdmin with the password Pa$$w0rd.

2. Add the Active Directory Domain Services role.

3. Launch DCPromo.exe.

4. In the Choose a Deployment Configuration window, click Existing forest, and keep the default choice of Add a domain controller to an existing domain.

5. In the Network Credentials window, type Fabrikam.com in the domain name field, click Set, and use the credentials:

• User – Fabrikam\Administrator

• Password: Pa$$w0rd

6. In the Select a Domain window, click Fabrikam.com, and then click Yes to acknowledge the message about RODCs.

7. In the Select a Site window, click Next.

8. On the Additional Domain Controller options, clear the DNS Server and Global Catalog check boxes.

9. In the Infrastructure Master Configuration Conflict window, click Transfer the infrastructure master role to this domain controller.

10. In the Location for Database, Log Files and Sysvol window, click Next.

11. On the Directory Services Restore Mode Administrator Password, type Pa$$w0rd in the Password fields.

12. On the Summary page, click Next, and then click Reboot on completion.

Task 6: Configure a forest trust between WoodgroveBank.com and Fabrikam.com for selective authentication

1. Switch to NYC-DC1.

2. Open Active Directory Domains and Trusts.

3. On the properties of WoodgroveBank.com, click the Trusts tab, and then click New Trust.

4. In the New Trust Wizard, click Next.


5. Name the trust Fabrikam.com.

6. Create a Forest Trust.

7. Configure the trust to be One-way: incoming.

8. In the Sides of Trust window, select Both this domain and the specified domain.

9. Use the following credentials:

• User name – Administrator

• Password – Pa$$w0rd

10. In the Outgoing Trust Authentication Level-Specified Forest window, click Selective Authentication.

11. In the Trust Selections Complete window, click Next.

12. In the Confirm Incoming Trust window, click Next, and then finish the wizard.

Task 7: Configure selective authentication for the WoodgroveBank Domain Admins group

1. Switch to VAN-DC1.

2. Open Active Directory Users and Computers.

3. Enable the Advanced View feature.

4. In the Domain Controllers OU, open the properties of VAN-DC1.

5. In the VAN-DC1 Properties window, click the Security tab, and then click Add.

6. Grant the WoodgroveBank\Domain Admins group the Allowed to Authenticate permission.
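The trust of Task 6 and the delegation of Task 7 done from the command line, as an added example that is not part of the course: netdom.exe creates the one-way forest trust with selective authentication turned on, and a System.DirectoryServices call grants the Allowed to Authenticate right on VAN-DC1's computer object. The default parameter values are the lab's names; the function names are the example's own, and the first function is assumed to run on NYC-DC1 as WoodgroveBank\Administrator and the second on VAN-DC1 as Fabrikam\Administrator.

```powershell
# Added example (not from the course): selective-authentication forest trust, scripted.
Add-Type -AssemblyName System.DirectoryServices

function New-SelectiveForestTrust {
    param(
        [string] $TrustingForest = 'Fabrikam.com',        # lets WoodgroveBank principals in
        [string] $TrustedForest  = 'WoodgroveBank.com',   # our forest; the one Fabrikam trusts
        [string] $TrustingAdmin  = 'Fabrikam\Administrator',
        [string] $TrustedAdmin   = 'WoodgroveBank\Administrator'
    )
    # netdom names the trusting side first and the trusted side with /d:, which is the lab's
    # "One-way: incoming" trust as seen from WoodgroveBank.com: nothing flows the other way.
    # '*' makes netdom prompt for each password instead of leaving it in the command history.
    & netdom.exe trust $TrustingForest "/d:$TrustedForest" /add /ForestTRANsitive:yes /SelectiveAUTH:yes `
        "/UserO:$TrustingAdmin" /PasswordO:* "/UserD:$TrustedAdmin" /PasswordD:*
    if ($LASTEXITCODE -ne 0) { throw "netdom trust returned exit code $LASTEXITCODE" }
}

function Grant-AllowedToAuthenticate {
    param(
        [string] $ComputerDn = 'CN=VAN-DC1,OU=Domain Controllers,DC=Fabrikam,DC=com',
        [string] $Principal  = 'WoodgroveBank\Domain Admins'
    )
    # With selective authentication a foreign principal is authenticated to a computer only if it
    # holds the Allowed-To-Authenticate control access right on that computer object. The GUID is
    # the well-known rightsGuid of that extended right; everything else stays denied by default.
    $allowedToAuthenticate = [guid] '68b1d179-0d15-4d4f-ab71-46152e79a7bc'
    $computer = [ADSI] "LDAP://$ComputerDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        (New-Object System.Security.Principal.NTAccount($Principal)),
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)
    $computer.ObjectSecurity.AddAccessRule($rule)
    $computer.CommitChanges()
}

# Task 6 equivalent (on NYC-DC1):  New-SelectiveForestTrust
# Task 7 equivalent (on VAN-DC1):  Grant-AllowedToAuthenticate
```

Because the right is granted per computer, WoodgroveBank Domain Admins can reach VAN-DC1 but no other Fabrikam server until it is granted there too, which is the scoping the scenario asks for.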

Task 8: Close NYC-SRV1, NYC-RAS, and VAN-DC1, and discard undo disks

1. Close NYC-SRV1, NYC-RAS, and VAN-DC1, and discard undo disks.

2. Close the 6425A-NYC-SRV1 Virtual Machine Remote Control window.

3. In the Close box, select Turn off machine and discard changes, and then click OK.


4. Close the 6425A-NYC-RAS Virtual Machine Remote Control window.

5. In the Close box, select Turn off machine and discard changes, and then click OK.

6. Close the 6425A-VAN-DC1 Virtual Machine Remote Control window.

7. In the Close box, select Turn off machine and discard changes, and then click OK.

Result: At the end of this exercise, you will have created a forest trust.


Overview of the AD DS Group Policy Object Design

Key Points

The graphic on the slide depicts the current organizational unit configuration at Woodgrove Bank.


Lab C: Designing a Group Policy Strategy

Scenario

As the network administrator for WoodgroveBank.Com, you are responsible for developing a desktop and security policy that can be centrally managed through Group Policy.


Exercise 1: Planning Group Policy

Scenario

You have been tasked to create a computer security policy that can be delivered through Group Policy. You will create any required OUs, and then create and link the appropriate policies to them. The corporate policy dictates that servers will be located in a separate OU tree structure based on their role. There are File and Print servers, SQL™ servers, and Web servers to consider.

Use the domain diagram to help you plan the Group Policy and OU structure.

Fill in the table to describe the Group Policy Objects (GPOs) that must be created, what settings each will contain, and where the GPOs will be linked.

The main tasks for this exercise are:

1. Create a global security policy to be enforced on all computers in the domain as follows:

• All computers will have the built in Administrator account renamed to Admin

• The IT Admins global group will be added to the local Administrators group

• Windows Updates will come from an internal Web server named http://updates

2. Create a security policy to be enforced on all servers, with further security settings based on the server role as follows:

• All member servers will have the built-in Administrator account renamed to SRVAdmin

• Account logon events will be audited on all servers

• Internet Explorer® will not be allowed to run on any server

• SQL servers will prevent the installation of any removable devices

3. Configure a corporate desktop policy as follows:

• Access to screen saver settings will be blocked to all domain users

• Users in Toronto and Miami will not be allowed to run Windows® Messenger

• Domain users will not be allowed to add new printers. Users in the Admin OU will be exempt from this setting


• Encryption of offline files will be enforced for the Executives OU

• Access to Control Panel will be prohibited for all users except domain administrators


GPO Name                Settings                Linked to …


Exercise 2: Implementing the Corporate Desktop Policy

Scenario

You have been tasked to implement the Corporate Desktop Policy for the Woodgrove Bank domain. You will create and link the appropriate GPOs.

The main tasks for this exercise are:

1. Create and Link the Domain Desktop Policy

2. Create and link the Prohibit Control Panel GPO

3. Create and link the Force Offline File Encryption GPO

4. Create and link the Block Windows Messenger GPO

5. Create and link the Allow Adding Printers GPO

Task 1: Create and link the Domain Desktop Policy

1. On NYC-DC1, open the Group Policy Management console.

2. Create and link a GPO named Domain Desktop Policy to the WoodgroveBank.com domain.

3. Edit the Domain Desktop Policy as follows:

• Expand User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then expand Printers.

• Enable the Prevent additions of printers setting.

4. In Control Panel, click Display, and then enable the Hide Screen Saver tab setting.

5. Close the Group Policy Management Editor.

Task 2: Create and link the Prohibit Control Panel GPO

1. Expand User Configuration, expand Policies, expand Administrative Templates, and then expand Control Panel.

2. Enable the Prohibit access to the Control Panel setting.

3. Close the Group Policy Management Editor.


4. Double-click the Prohibit access to the Control Panel GPO, click the Delegation tab in the details pane, and then click Advanced.

5. In the Prohibit access to the Control Panel Security Settings dialog box, select Domain Admins, and then select the check box to Deny the Apply group policy permission, and then click OK.

6. Click Yes to acknowledge the message. This will exempt the Domain Admins group from the policy.

Task 3: Create and link the Force Offline File Encryption GPO

1. Right-click Executives OU, and then click Create a GPO in this domain, and link it here.

2. In the New GPO dialog box, type Force Offline File Encryption in the Name field, and then click OK.

3. Right-click the Force Offline File Encryption, and then click Edit.

4. Expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click Offline Files.

5. In the detail pane, double-click Encrypt the Offline Files cache.

6. In the Encrypt the Offline Files cache Properties dialog box, click Enabled, and then click OK.

7. Close the Group Policy Management Editor.

Task 4: Create and link the Block Windows Messenger GPO

1. Right-click Miami OU, and then click Create a GPO in this domain, and link it here.

2. In the New GPO dialog box, type Block Windows Messenger in the Name field, and then click OK.

3. Right-click the Block Windows Messenger, and then click Edit.

4. Expand User Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then double-click Windows Messenger.


5. In the details pane, double-click Do not allow Windows Messenger to be run.

6. In the Do not allow Windows Messenger to be run Properties dialog box, click Enabled, and then click OK.

7. Close the Group Policy Management Editor.

8. Right-click the Toronto OU, and then click Link an Existing GPO.

9. In the select GPO dialog box, click Block Windows Messenger, and then click OK.

Task 5: Create and link the Allow Adding Printers GPO

1. Right-click IT Admins OU, and then click Create a GPO in this domain, and link it here.

2. In the New GPO dialog box, type Allow Adding Printers in the Name field, and then click OK.

3. Right-click the Allow Adding Printers, and then click Edit.

4. Expand User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then click Printers. In the details pane, double-click Prevent additions of printers.

5. In the Prevent Addition of Printers Properties dialog box, click Disabled, and then click OK.

6. Close the Group Policy Management Editor.

7. Close the GPMC.

8. Shut down all virtual machines, and delete any changes.

Result: At the end of this exercise, you will have implemented a Group Policy strategy.


Module Review and Takeaways

Considerations

Consider the following when implementing an AD DS infrastructure:

• Sites can be used to control the scope of logon traffic.

• Separate trees in the forest allow multiple DNS namespaces to exist.


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential, and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 1: Implementing Active Directory® Domain Services

Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles

Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC

Task 1: Start 6425A-NYC-DC1 and log on as Administrator

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. In the Lab Launcher, next to 6425A-NYC-DC2, click Launch.

4. In the Lab Launcher, next to 6425A-NYC-SVR1, click Launch.

5. Log on to NYC-DC1 and NYC-DC2 as Administrator with the password Pa$$w0rd.

6. Log on to NYC-SVR1 as LocalAdmin with the password Pa$$w0rd.

7. Minimize the Lab Launcher window.

Task 2: Verify the forest and domain functional level are compatible with an RODC deployment

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Right-click WoodgroveBank.com, and click Properties.

3. In the WoodgroveBank.com Properties dialog box, verify that the domain functional level and the forest functional level are set to Windows Server 2003.

4. Click Cancel.


Task 3: Verify the availability of a writeable domain controller running Windows Server 2008

1. In Active Directory Users and Computers, expand WoodgroveBank.com, and then click Domain Controllers.

2. Right-click NYC-DC1, and click Properties.

3. On the Operating System tab, ensure that the operating system name is Windows Server 2008 Enterprise.

4. Click OK, and then close Active Directory Users and Computers.

Task 4: Configure the computer account settings for the RODC

1. On NYC-SVR1, click Start, point to Administrative Tools, and then click Server Manager.

2. In Server Manager, click Change System Properties.

3. On the Computer Name tab, click Change.

4. In the Computer Name field, type TOR-DC1, and then click OK.

5. In the Computer Name/Domain Changes dialog box, click OK.

6. Click Close, and then click Restart Now.

Result: At the end of this exercise you will have verified that the domain and the computer are ready to install an RODC.

Exercise 2: Installing and Configuring an RODC

Task 1: Prestage the computer account for the RODC

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Expand WoodgroveBank.com, right-click the Domain Controllers organizational unit, and then click Pre-create Read-only Domain Controller account.

3. On the Welcome to the Active Directory Domain Services Installation Wizard page, select the Use advanced mode installation check box, and then click Next.


4. On the Operating System Compatibility page, click Next.

5. On the Network Credentials page, ensure My current logged on credentials is selected, and then click Next.

6. On the Specify the Computer Name page, in the Computer name field, type TOR-DC1, and then click Next.

7. On the Select a Site page, click Next.

8. On the Additional Domain Controller Options page, clear the Global Catalog check box, and then click Next.

9. On the Specify the Password Replication Policy page, confirm that all users and groups except the Allowed RODC Password Replication Group are configured to deny credential caching, and then click Next.

10. On the Delegation of RODC Installation and Administration page, click Set.

11. In the Select User or Group dialog box, in the Enter the object name to select text box, type Axel, click OK, and then click Next.

12. On the Summary page, review your selections, and then click Next to create the RODC account.

13. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

Task 2: Log on to the TOR-DC1 virtual machine as LocalAdmin

• Log on as LocalAdmin using the password Pa$$w0rd.

Task 3: Install the RODC using the existing account and use WoodgroveBank\Axel as the account with credentials to perform the installation

1. Open a command prompt.

2. Type dcpromo /UseExistingAccount:Attach, and then press ENTER.

3. On the Welcome to the Active Directory Domain Services Installation Wizard page, select the Use advanced mode installation check box and then click Next.


4. On the Network Credentials page, type WoodgroveBank.com. Under Specify the account credentials to use to perform the installation, click Alternate credentials, and then click Set.

5. In the Windows Security dialog box, type Axel as the User name, and Pa$$w0rd as the Password. Click OK, and then click Next.

6. On the Select Domain Controller Account page, confirm that TOR-DC1 is selected, and then click Next. On the Static IP assignment message box, click Yes, the computer will use a dynamically assigned IP address (not recommended). Note: This message refers to the IPv6 adapter and will not affect the exercise.

7. On the Install from Media page, click Next.

8. On the Source Domain Controller page, click Use this specific domain controller. Click NYC-DC1.WoodgroveBank.com, and then click Next.

9. On the Location for Database, Log Files, and SYSVOL page, click Next.

10. On the Directory Services Restore Mode Administrator Password page, type Pa$$w0rd in the Password and Confirm Password boxes, and then click Next.

11. On the Summary page, review your selections and click Next to install AD DS.

12. Select the Reboot on completion check box. Wait for the installation to finish and for the server to restart automatically.

Task 4: Verify the successful installation of the domain controller

1. After TOR-DC1 restarts, log on as Axel with a password of Pa$$w0rd.

2. In Server Manager, expand Roles, and then verify that the Active Directory Domain Services server role is installed.


3. Click Active Directory Domain Services, view the System Services information in the right-hand pane, and then verify that the following services are running:

a. Active Directory Domain Services

b. DFS Namespace

c. DFS Replication

d. File Replication Service

e. Kerberos Key Distribution Center

f. Netlogon

g. Windows Time

h. Workstation

4. In the left pane, expand Active Directory Domain Services.

5. Click Active Directory Users and Computers, expand WoodgroveBank.com, and then click Domain Controllers. Verify that TOR-DC1 is listed in the Domain Controllers organizational unit.

6. Click the Toronto OU.

7. In the Actions pane, click More Actions, and verify that you do not have permission to add or remove domain objects.

8. In the left pane, expand Active Directory Sites and Services, expand Sites, and then expand Default-First-Site-Name.

9. Click Servers and ensure that TOR-DC1 is listed in the Servers list.

10. Double-click TOR-DC1, and then double-click NTDS Settings. In the middle pane, confirm that connection objects have been created.

11. In the Servers container, double-click NYC-DC1, and then double-click NTDS Settings. In the middle pane, confirm that no connection objects have been created from TOR-DC1, but that an RODC connection has been created from NYC-DC1.

12. Close Server Manager and log off TOR-DC1.


Task 5: Configure a password replication policy that enables credential caching for all user accounts in Toronto

1. On NYC-DC1, click Administrative Tools, and then click Active Directory Users and Computers.

2. Expand the Domain Controllers OU, right-click TOR-DC1, and then click Properties.

3. On the Password Replication Policy tab, click Add.

4. In the Add Groups, Users and Computers dialog box, click Allow passwords for the account to replicate to this RODC, and then click OK.

5. In the Select Users, Computers, or Groups dialog box, type Tor, and then click Check Names.

6. Hold down the CTRL key, click all 4 group names, and then click OK twice.

7. On the Password Replication Policy tab, click OK.

8. Close Active Directory Users and Computers.

Result: At the end of the exercise you will have installed an RODC and configured its password replication policy.

Exercise 3: Configuring AD DS Domain Controller Roles

Task 1: Use Active Directory Sites and Services to configure TOR-DC1 as a global catalog server

1. On NYC-DC1, open Active Directory Sites and Services.

2. Expand Sites, expand Default-First-Site-Name, expand Servers, and then click TOR-DC1.

3. In the details pane, right-click NTDS Settings, and then click Properties.

4. Select the Global Catalog check box, and then click OK.


Task 2: Configure NYC-DC2 as the infrastructure master and domain naming master for the WoodgroveBank.com domain

1. On NYC-DC1, open Active Directory Users and Computers.

2. In the console tree, right-click Active Directory Users and Computers, and then click Change Domain Controller.

3. Under Change to, click This Domain Controller or AD LDS instance, click NYC-DC2.WoodgroveBank.com, and then click OK.

4. In the console tree, right-click WoodgroveBank.com, and then click Operations Masters.

5. On the Infrastructure tab, ensure that NYC-DC1.WoodgroveBank.com is listed in the Operations master box, and NYC-DC2.WoodgroveBank.com is listed as the domain controller to which the role will be transferred. Click Change and then click Yes. Click OK to acknowledge the successful transfer and then click Close.

6. On NYC-DC2, open Active Directory Domains and Trusts.

7. In the console tree, right-click Active Directory Domains and Trusts, and then click Change Active Directory Domain Controller.

8. Under Change to, click This Domain Controller or AD LDS instance, click NYC-DC2.WoodgroveBank.com, and then click OK.

9. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

10. In the Operations Master dialog box, ensure that NYC-DC1.WoodgroveBank.com is listed in the Domain naming operations master box, and NYC-DC2.WoodgroveBank.com is listed as the domain controller to which the role will be transferred. Click Change, and then click Yes. Click OK to acknowledge the successful transfer, and then click Close.


Task 3: Add the Department attribute to the global catalog

1. On NYC-DC1, click Start, click Run, type regsvr32 schmmgmt.dll, and then click OK. Wait for the DLL to be registered, and then click OK.

2. Click Start, click Run, type mmc, and then press ENTER.

3. On the File menu, click Add/Remove Snap-in.

4. In the Add/Remove Snap-in dialog box, click Active Directory Schema, and then click Add. Click OK.

5. In the console tree, expand Active Directory Schema, and then click Attributes.

6. In the details pane, right-click Department, and then click Properties.

7. Select the Replicate this attribute to the Global Catalog check box, and then click OK.

8. Close Console1 without saving changes.

Task 4: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of the exercise you will have configured a global catalog server and configured AD DS domain controller roles.


Module 2: Configuring Domain Name Service for Active Directory® Domain Services

Lab: Configuring AD DS and DNS Integration

Exercise 1: Configuring Active Directory Integrated Zones

Task 1: Start NYC-DC1 and log on as Administrator

• Start NYC-DC1 and log on as Administrator with a password of Pa$$w0rd.

Task 2: Examine the SRV records

1. Click Start, point to Administrative Tools, click DNS, and then expand Forward Lookup Zones. Navigate to _msdcs.woodgrovebank.com > GC > _TCP.

2. Expand the DC > _TCP folder.

3. Right-click _msdcs.woodgrovebank.com, and then click Properties.

4. Close the Properties page.

Task 3: Create a new SRV record to support the Telnet protocol on NYC-SRV2

1. Right-click the _msdcs.woodgrovebank.com zone, and then click Other New Records.

2. In the Select a resource record type section, select the Service Location (SRV) record type, and then click Create Record.

3. In the Service field, select _telnet from the drop-down list.

4. In the Host offering this service field, type NYC-SRV2.woodgrovebank.com, click OK, and then click Done.


Task 4: Create two new zones based on the zone files for Fabrikam and Contoso

1. Use Windows Explorer to copy the Contoso.com.dns and the Fabrikam.com.dns files from D:\6425\Mod02\Labfiles to C:\Windows\System32\DNS. Leave Windows Explorer open.

2. Return to the DNS Manager console, right-click Forward Lookup Zones, and then click New Zone.

3. In the New Zone Wizard click Next. On the Zone Type page, ensure that Primary Zone is selected, clear the checkbox to Store the zone in Active Directory, and then click Next.

4. On the Zone Name page, type Contoso.com, and then click Next.

5. On the Zone File page, select Use this existing file, ensure that Contoso.com.dns appears in the field, and then click Next.

6. On the Dynamic Updates page, ensure that Do not allow dynamic updates is selected, click Next, and then click Finish.

7. Repeat steps 2-6 for the Fabrikam.com zone.

Task 5: Configure the Contoso and Fabrikam zones to be Active Directory–integrated, and ensure that no dynamic updates are allowed

1. In the DNS management console, right-click the Contoso.com zone, and then click Properties.

2. On the General tab, click Change.

3. Select the checkbox to Store the zone in Active Directory, and then click OK.

4. Click Yes to the DNS message, and then click OK.

5. Return to Windows Explorer. Notice the Contoso.com.dns zone file is no longer in the DNS folder. It is now stored in Active Directory Domain Services.

6. Return to the Property page for the Contoso.com zone, and ensure that Dynamic updates is set to None.

7. Repeat steps 1-4 for the Fabrikam.com zone.


Task 6: Configure the scope of replication for the Contoso zone to be forest-wide, and the Fabrikam zone to be domain-wide

1. In the DNS management console, right-click the Contoso.com zone, and then click Properties.

2. Click Change beside Replication.

3. In the Change Zone Replication Scope dialog box, click To all DNS servers in this forest, and then click OK twice.

4. Open the Property page for Fabrikam.com.

5. Ensure the scope of replication for the Fabrikam zone is set To all DNS servers in this domain.

Task 7: Use ADSI Edit (adsiedit.msc) to view the Active Directory-integrated DNS zones

1. Click Start, click Run, type adsiedit.msc, and then press ENTER.

2. Right-click ADSI Edit, and then click Connect to…

3. In the Connection Point section, choose Select or type a Distinguished Name or Naming Context.

4. Type DC=DomainDNSZones,DC=WoodgroveBank,DC=Com, and then click OK.

5. Expand the naming context, expand CN=MicrosoftDNS, click DC=Woodgrovebank.com and examine the records.

6. Double-click the NYC-DC1 record.

7. Close all Property pages and the ADSI Management console.


Exercise 2: Configuring Read-Only DNS Zones

Task 1: Start and log on to the MIA-RODC as Administrator

• Start and log on to MIA-RODC as Administrator with a password of Pa$$w0rd.

Task 2: Install the DNS Server service

• In the Command Prompt window, type Start /w Ocsetup DNS-Server-Core-Role, and then press ENTER.

Note: The server role name is case sensitive.

Task 3: Configure the DNS server to support all domain-wide and forest-wide zones

1. In the Command Prompt window, type the following command, and then press ENTER: Dnscmd /enlistdirectorypartition DomainDnsZones.woodgrovebank.com

2. Then type the following command, and press ENTER: Dnscmd /enlistdirectorypartition ForestDnsZones.woodgrovebank.com

3. Switch to NYC-DC1, and open the DNS management console.

4. Right-click DNS, and then click Connect to DNS Server.


5. In the Connect to DNS Server dialog box, click The following computer, type MIA-RODC in the field, and then click OK.

6. Expand MIA-RODC, expand Forward Lookup Zones, and ensure that all the DNS zones appear.

Note: If the DNS zones do not appear, open Active Directory Sites and Services on NYC-DC1. Expand Sites, expand Default-First-Site-Name, expand Servers, expand MIA-RODC, and click NTDS Settings. Right-click RODC-Connection (FRS) and click Replicate Now. Click OK. In the DNS Manager console, right-click Forward Lookup Zones and click Refresh. Verify that the zones now appear. If the zones do not appear, wait a few minutes and click Refresh again.

Task 4: Shut down all virtual machines and discard any changes

1. On the host computer, click Start, point to All Programs, point to Microsoft Virtual Server, and then click Virtual Server Administration Website.

2. Under Navigation, click Master Status. For each virtual machine that is running, click the virtual machine name, and in the context menu, click Turn off Virtual Machine and Discard Undo Disks. Click OK.


Module 3: Configuring Active Directory Objects and Trusts

Lab A: Configuring Active Directory Objects

Exercise 1: Configuring AD DS Objects

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. In the Lab Launcher, next to 6425A-NYC-CL1, click Launch.

4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

5. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.

6. Minimize the Lab Launcher window.

Task 2: Create new user accounts in AD DS

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Expand WoodgroveBank.com, right-click the ITAdmins OU, point to New, and then click User.

3. In the New Object – User dialog box, enter the following parameters:

• First name - Kerim

• Last name - Hanif

• Full name - Kerim Hanif

• User logon name – Kerim


4. Click Next.

5. In the Password and Confirm password fields, enter Pa$$w0rd.

6. Clear the User must change password at next logon check box, click Next, and then click Finish.

7. On NYC-DC1, open a command prompt window.

8. At the command prompt, type the following command, and then press ENTER:

dsadd user "cn=Jun Cao,ou=itadmins,dc=WoodgroveBank,dc=com" -samid Jun -pwd Pa$$w0rd -desc Administrator

You should see a “dsadd succeeded” message.

9. In Active Directory Users and Computers, confirm that Jun Cao’s account has been added to the IT Admins OU.

Task 3: Modify existing user accounts in AD DS

1. Open Windows Explorer, and then create a new folder on the D drive named HomeDirs.

2. Right-click HomeDirs, and then click Share.

3. In the File Sharing dialog box, type Domain Users, and then click Add. In the Permission Level column, click Contributor. Click Share, and then click Done.

4. In the HomeDirs folder, create a new folder named Marketing.

5. In Active Directory Users and Computers, right-click WoodgroveBank.com, and then click Find.

6. In the Find Users, Contacts and Groups dialog box, in the Name box, type Dana, and then click Find Now.


7. Right-click Dana Birkby, and then click Properties. Modify the user properties as follows:

a. On the General tab, set:

• Telephone number - 555-555-0100

• Office - Head Office

• E-mail - [email protected]

b. On the Dial-in tab, set Network Access Permission to Allow access.

c. On the Account tab, click Logon Hours. Configure logon hours to be permitted between 8:00 A.M. and 5:00 P.M., and then click OK.

d. On the Profile tab, under Home folder, click Connect. Select H as the drive letter, and in the To box, type \\NYC-DC1\HomeDirs\Marketing\%username%

e. Click OK.

8. In Windows Explorer, browse to D:\HomeDirs\Marketing. Ensure that a folder named Dana was created in the folder.

9. Close Windows Explorer.

10. Close the Find Users, Contacts, and Groups dialog box, and then close Active Directory Users and Computers.

11. On NYC-CL1, log off and then log on as Dana using a password of Pa$$w0rd.

12. Open Windows Explorer and confirm that drive H has been mapped to the \\NYC-DC1\HomeDirs\Marketing\Dana folder. Create a new text document in the folder.

13. Close Windows Explorer.

Result: At the end of this exercise, you will have configured AD DS objects.

Exercise 2: Implementing an AD DS Group Strategy

Task 1: Start the LON-DC1 virtual machine, and then log on

1. In the Lab Launcher, next to 6425A-LON-DC1, click Launch.

2. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.

3. Minimize the Lab Launcher window.


Task 2: Review the group requirements documentation and create a group implementation strategy

The following is a Global Group Planning Table, with suggested answers:

Organizational group                                            Group name
Executives with accounts in the WoodgroveBank.com domain        Woodgrove_ExecutivesGG
Executives with accounts in the EMEA.WoodgroveBank.com domain   EMEA_ExecutivesGG
Executives with accounts in the Asia.WoodgroveBank.com domain   ASIA_ExecutivesGG
Executives from all domains                                     WGB_ExecutivesUG
Miami branch managers                                           MIA_BranchManagersGG
New York branch managers                                        NYC_BranchManagersGG
Toronto branch managers                                         TOR_BranchManagersGG
London branch managers                                          LON_BranchManagersGG
Tokyo branch managers                                           TOK_BranchManagersGG
Branch managers from all domains                                WGB_BranchManagersUG


The following is a Local Group Planning Table with suggested answers:

Resource                          Access requirement   Group name
ExecData\HeadOfficeReports        Full control         EX_HOReports_FC
ExecData\BranchReports\NYC        Full control         EX_NYC_BranchReportsFC
ExecData\BranchReports\NYC        Read only            EX_NYC_BranchReportsRO
ExecData\BranchReports\Toronto    Full control         EX_TOR_BranchReportsFC
ExecData\BranchReports\Toronto    Read only            EX_TOR_BranchReportsRO
ExecData\BranchReports\Miami      Full control         EX_MIA_BranchReportsFC
ExecData\BranchReports\Miami      Read only            EX_MIA_BranchReportsRO
ExecData\BranchReports\London     Full control         EX_LON_BranchReportsFC
ExecData\BranchReports\London     Read only            EX_LON_BranchReportsRO
ExecData\BranchReports\Tokyo      Full control         EX_TOK_BranchReportsFC
ExecData\BranchReports\Tokyo      Read only            EX_TOK_BranchReportsRO
ExecData\Corp                     Full control         EX_CorpFC


The following is a Group Nesting Planning Table with suggested answers:

Domain local group name     Nested groups
EX_HOReports_FC             WGB_ExecutivesUG
EX_NYC_BranchReportsFC      NYC_BranchManagersGG
EX_NYC_BranchReportsRO      WGB_ExecutivesUG
EX_TOR_BranchReportsFC      TOR_BranchManagersGG
EX_TOR_BranchReportsRO      WGB_ExecutivesUG
EX_MIA_BranchReportsFC      MIA_BranchManagersGG
EX_MIA_BranchReportsRO      WGB_ExecutivesUG
EX_LON_BranchReportsFC      LON_BranchManagersGG
EX_LON_BranchReportsRO      WGB_ExecutivesUG
EX_TOK_BranchReportsFC      TOK_BranchManagersGG
EX_TOK_BranchReportsRO      WGB_ExecutivesUG
EX_CorpFC                   WGB_ExecutivesUG, WGB_BranchManagersUG

Note: The easiest way to configure access to the ExecData folder is to grant the executives' universal group and the branch managers' universal group Contributor permissions. You can then control permissions for the subfolders by using NTFS file system permissions.

Task 3: Discuss the group implementation strategy

• Be prepared to contribute your suggestions for how you would implement the groups based on the organization's requirements.


Task 4: Create groups required by the group implementation strategy

Note: To simplify the implementation process, some of the required groups may already have been created. Additionally, configure the required groups only for the WoodgroveBank.com and EMEA.WoodgroveBank.com domains.

1. On NYC-DC1, open Active Directory Users and Computers.

2. Verify that all of the global groups required to assign permissions have been created. The groups are located in the Executives OU, and in the BranchManagers OU under each location OU.

3. On LON-DC1, open Active Directory Users and Computers. Verify that all of the global groups required to assign permissions have been created. The groups are located in the Executives OU and in the BranchManagers OU.

4. On NYC-DC1, create the required universal groups based on the group implementation strategy. Create the universal groups in the Executives OU. To create a group, complete these steps:

a. Right-click the appropriate OU, point to New, and then click Group. In the Group name box, type the name of the group that you are using to nest the executive global groups.

b. Click the group scope, and then click OK.

5. Create the required domain local groups based on the group implementation strategy. Use the following table to determine where to create each group.

Resource                          Group location
ExecData\HeadOfficeReports        Executives OU
ExecData\BranchReports\NYC        NYC\BranchManagers OU
ExecData\BranchReports\Toronto    Toronto\BranchManagers OU
ExecData\BranchReports\Miami      Miami\BranchManagers OU
ExecData\BranchReports\London     Executives OU
ExecData\Corp                     Executives OU


Task 5: Nest groups required by the group implementation strategy

1. On NYC-DC1, nest the groups required to meet the group implementation strategy.

2. To nest a group, right-click the group that will be nested in another group, and click Add to a group.

3. In the Select Groups dialog box, type the name of the group that will contain the other groups, and then click OK.
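An added example, not part of the 6425A lab files, that scripts Tasks 4 and 5 from the planning tables: it creates each domain local security group in the OU that the group location table names and nests the global or universal group into it (the AGUDLP pattern). It assumes PowerShell 2.0 or later on a WoodgroveBank.com domain member, that the global and universal groups already exist, and that the OUs are named as in the tables; the $plan rows are constructed from the tables and cover the WoodgroveBank.com domain only.

```powershell
# Added example for the 6425A group-strategy lab; not one of the course files.
$domainDN = "DC=WoodgroveBank,DC=com"

# groupType is the scope flag OR'd with ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000).
# AD stores it as a signed Int32, so a domain local security group (0x80000004)
# is written as -2147483644.
$DomainLocalSecurity = -2147483644

# Columns: OU holding the domain local group (relative to the domain), the domain
# local group to create, and the group nested into it; one row per nesting.
# Constructed from the lab's planning tables (WoodgroveBank.com domain rows only).
$plan = @'
OU;DomainLocal;Nested
OU=Executives;EX_HOReports_FC;WGB_ExecutivesUG
OU=BranchManagers,OU=NYC;EX_NYC_BranchReportsFC;NYC_BranchManagersGG
OU=BranchManagers,OU=NYC;EX_NYC_BranchReportsRO;WGB_ExecutivesUG
OU=BranchManagers,OU=Toronto;EX_TOR_BranchReportsFC;TOR_BranchManagersGG
OU=BranchManagers,OU=Toronto;EX_TOR_BranchReportsRO;WGB_ExecutivesUG
OU=BranchManagers,OU=Miami;EX_MIA_BranchReportsFC;MIA_BranchManagersGG
OU=BranchManagers,OU=Miami;EX_MIA_BranchReportsRO;WGB_ExecutivesUG
OU=Executives;EX_CorpFC;WGB_ExecutivesUG
OU=Executives;EX_CorpFC;WGB_BranchManagersUG
'@ | ConvertFrom-Csv -Delimiter ';'

# Locate a group anywhere in the domain by sAMAccountName (the global groups live
# in per-location OUs, so do not assume a path); returns its ADsPath or $null.
function Find-GroupPath([string]$name) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$name))"
    $result = $searcher.FindOne()
    if ($result) { return $result.Path } else { return $null }
}

# Create a domain local security group in the given OU if it does not exist yet,
# and return the bound group object either way.
function New-DomainLocalGroup([string]$ouRdn, [string]$name) {
    $path = "LDAP://CN=$name,$ouRdn,$domainDN"
    if (-not [ADSI]::Exists($path)) {
        $ou    = [ADSI]"LDAP://$ouRdn,$domainDN"
        $group = $ou.Create("group", "CN=$name")
        $group.Put("sAMAccountName", $name)
        $group.Put("groupType", $DomainLocalSecurity)
        $group.SetInfo()
        Write-Host "Created $name in $ouRdn"
    }
    return [ADSI]$path
}

foreach ($row in $plan) {
    $dl         = New-DomainLocalGroup $row.OU $row.DomainLocal
    $memberPath = Find-GroupPath $row.Nested
    if (-not $memberPath) {
        Write-Warning "$($row.Nested) not found; create the global and universal groups first"
        continue
    }
    # IADsGroup.IsMember/Add take the member's ADsPath; skipping members that are
    # already present keeps the script safe to run more than once.
    if (-not $dl.IsMember($memberPath)) {
        $dl.Add($memberPath)
        Write-Host "Nested $($row.Nested) into $($row.DomainLocal)"
    }
}
```

The LON_BranchManagersGG row is left out on purpose: that group lives in EMEA.WoodgroveBank.com, so it would have to be located through the global catalog rather than the domain search used here.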

Task 6: Close LON-DC1 and discard undo disks

1. Close the 6425A-LON-DC1 Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

Result: At the end of this exercise, you will have implemented a group implementation strategy.

Exercise 3: Automating Management of AD DS Objects

Task 1: Modify and use the Importusers.csv file to prepare to import a group of users into AD DS

1. On NYC-DC1, open Windows Explorer, and then browse to D:\6425\Mod03\Labfiles\.

2. Open ImportUsers.csv with Notepad. Examine the header information required to create OUs and user accounts.

3. Open ImportUsers.txt with Notepad.

4. Copy the contents of the ImportUsers.txt file, and then paste the contents into the ImportUsers.csv file, starting with the second line.

5. On the File menu, click Save As, and then type C:\import.csv. In the Save as type box, click All files.

6. Click Save to save the file.


7. Open a command prompt.

8. At the command prompt, type csvde -i -f C:\import.csv, and then press ENTER.

9. Open Active Directory Users and Computers, and then browse to the Houston OU. Confirm that five child OUs were created, and that several user accounts were created in each OU.

Task 2: Modify and run the ActivateUsers.vbs script to enable the imported user accounts, and then assign a password to each account

1. On NYC-DC1, in D:\6425\Mod03\Labfiles, right-click ActivateUsers.vbs, and then click Edit.

2. Modify the container value in the second line to OU=BranchManagers,OU=Houston,DC=WoodgroveBank,DC=com.

3. Modify the container values in the additional lines at the end of the script to include the following OUs:

• OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com

• OU=Executives,OU=Houston,DC=WoodgroveBank,DC=com

• OU=Investments,OU=Houston,DC=WoodgroveBank,DC=com

• OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com

4. On the File menu, click Save As, and then type C:\activateusers.vbs. In the Save as type box, click All files.

5. Click Save to save the file.

6. In Windows Explorer, browse to the C:\ drive. Double-click Activateusers.vbs.

7. In Active Directory Users and Computers, browse to the Houston OU. Confirm that user accounts in all child OUs are activated.


Task 3: Modify the Modifyusers.ldf file to prepare to modify the properties for a group of users in AD DS

1. On NYC-DC1, at the command prompt, type the following command, and then press ENTER:

ldifde -f c:\Modifyusers.ldf -d "OU=Houston,DC=WoodgroveBank,DC=com" -r "(objectClass=user)" -l physicalDeliveryOfficeName

This command exports all of the user accounts in the Houston OU and its child OUs. Because the Office attribute is blank for each object, the attribute is not exported.

2. Use Notepad to open the C:\Modifyusers.ldf file.

3. On the Edit menu, use the Replace option to replace all instances of changetype: add with changetype: modify.

4. After each changetype line, add the following lines:

replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName: Houston

5. At the end of the entry for each user, add a dash (–) followed by a blank line.

6. When you are done, the entry for each user should be similar to:

dn: CN=Kendall Keil,OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com
changetype: modify
replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName: Houston
-

7. Save the file as C:\Modifyusers.ldf.

8. At the command prompt, type ldifde -i -f c:\Modifyusers.ldf, and then press ENTER. The -i switch turns on import mode; without it, ldifde exports.

9. In Active Directory Users and Computers, verify that the Office attribute for the user accounts in Houston has been updated with the Houston location.


Task 4: Modify and run the CreateMultipleUsers.ps1 script to add new users to AD DS

1. On NYC-DC1, in D:\6425\Mod03\Labfiles, right-click CreateMultipleUsers.ps1, and then click Edit.

2. In the Create an OU section, change $strOUName = "OU=ADOUName" to $strOUName = "OU=R&D".

3. In the Assign the OU where the accounts will be created section, change: $strOU=[ADSI]"LDAP://ou=AddOUName,dc=WoodgroveBank,dc=com" to: $strOU=[ADSI]"LDAP://ou=R&D,dc=WoodgroveBank,dc=com".

4. In the Get the user information from the .csv file section, change Path to CSV file to D:\6425\Mod03\Labfiles\Createusers.csv.

5. Save the changes to the file.

6. Click Start, click All Programs, click Windows PowerShell 1.0, and then click Windows PowerShell.

7. At the PS prompt, type D:\6425\Mod03\Labfiles\Createmultipleusers.ps1, and then press ENTER.

8. At the password prompt, type Pa$$w0rd, and then press ENTER.

9. In Active Directory Users and Computers, verify that the R&D OU was created, and that the OU has been populated with user accounts with the correct attributes.

Result: At the end of this exercise, you will have examined several options for automating the management of user objects.
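The following script is an added example, not the course's ActivateUsers.vbs or CreateMultipleUsers.ps1, and shows what those two scripts do (Task 2: set a password and enable already imported accounts; Task 4: create an OU and populate it from a CSV file) with the same [ADSI] adapter the course script uses. It assumes it is run on NYC-DC1 as a domain administrator, that the CSV has the columns FirstName, LastName and SamAccountName, and that the UPN suffix is WoodgroveBank.com; those column names and the suffix are assumptions, not something the lab states.

```powershell
# Added example, not the course's ActivateUsers.vbs or CreateMultipleUsers.ps1.
# Assumed: run on a DC as a domain admin; CSV columns FirstName, LastName,
# SamAccountName; UPN suffix WoodgroveBank.com.

$domainDN  = "DC=WoodgroveBank,DC=com"
$upnSuffix = "WoodgroveBank.com"

# Prompt for the initial password instead of embedding it in the script.
# IADsUser.SetPassword needs clear text, so convert it only just before use.
$secure = Read-Host -AsSecureString "Initial password for the accounts"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$initialPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Set the password, require a change at next logon, then clear the
# ADS_UF_ACCOUNTDISABLE flag that every password-less import leaves set.
function Set-InitialPasswordAndEnable($User, [string]$Password) {
    $User.SetPassword($Password)
    $User.Put("pwdLastSet", 0)
    $User.psbase.InvokeSet("AccountDisabled", $false)
    $User.SetInfo()
}

# Task 2 equivalent: enable the user objects that were imported into one OU.
function Enable-UsersInOu([string]$OuDN, [string]$Password) {
    $ou = [ADSI]"LDAP://$OuDN"
    foreach ($child in $ou.psbase.Children) {
        if ($child.psbase.SchemaClassName -eq "user") {
            Set-InitialPasswordAndEnable $child $Password
            Write-Host "Enabled $($child.psbase.Name)"
        }
    }
}

# Task 4 equivalent: create the OU if needed and populate it from a CSV file.
function New-UsersFromCsv([string]$OuName, [string]$CsvPath, [string]$Password) {
    $ouDN = "OU=$OuName,$domainDN"
    if (-not [ADSI]::Exists("LDAP://$ouDN")) {
        $newOu = ([ADSI]"LDAP://$domainDN").Create("organizationalUnit", "OU=$OuName")
        $newOu.SetInfo()
    }
    $ou = [ADSI]"LDAP://$ouDN"
    foreach ($row in Import-Csv $CsvPath) {
        $cn   = "$($row.FirstName) $($row.LastName)"
        $user = $ou.Create("user", "CN=$cn")
        $user.Put("sAMAccountName", $row.SamAccountName)
        $user.Put("userPrincipalName", "$($row.SamAccountName)@$upnSuffix")
        $user.Put("givenName", $row.FirstName)
        $user.Put("sn", $row.LastName)
        $user.Put("displayName", $cn)
        $user.SetInfo()          # the object must exist before SetPassword works
        Set-InitialPasswordAndEnable $user $Password
        Write-Host "Created $($row.SamAccountName) in $ouDN"
    }
}

foreach ($branch in "BranchManagers", "CustomerService", "Executives", "Investments", "ITAdmins") {
    Enable-UsersInOu "OU=$branch,OU=Houston,$domainDN" $initialPassword
}
New-UsersFromCsv "R&D" "D:\6425\Mod03\Labfiles\Createusers.csv" $initialPassword
```

Enable-UsersInOu walks only the direct children of each OU, which is why the lab's VBScript needs one container line per OU; SetInfo is called before SetPassword because ADSI cannot set a password on an object that has not been written to the directory yet.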


Lab B: Configuring Active Directory Delegation and Trusts

Exercise 1: Delegating Control of AD DS Objects

Task 1: Assign full control of users and groups in the Toronto OU

1. On NYC-DC1, open Active Directory Users and Computers, right-click Toronto, and then click Delegate Control.

2. In the Delegation of Control Wizard, on the Welcome page, click Next.

3. On the Users or Groups page, click Add.

4. In the Select Users, Computers and Groups dialog box, type Tor_BranchManagersGG, click OK, and then click Next.

5. In the Tasks to Delegate page, select the Create, delete and manage user accounts and the Create, delete and manage groups check boxes.

6. Click Next, and then click Finish.

Task 2: Assign rights to reset passwords and configure private user information in the Toronto OU

1. On NYC-DC1, in Active Directory Users and Computers, right-click Toronto, and then click Delegate Control.

2. In the Delegation of Control Wizard, on the Welcome page, click Next.

3. On the Users or Groups page, click Add.

4. In the Select Users, Computers and Groups dialog box, type Tor_CustomerServiceGG, click OK, and then click Next.

5. In the Tasks to Delegate page, select the Reset user passwords and force password change at next logon check box.

6. Click Next, and then click Finish.

7. Right-click Toronto, and then click Delegate Control.

8. In the Delegation of Control Wizard, on the Welcome page, click Next.

9. On the Users or Groups page, add Tor_CustomerServiceGG, click OK, and then click Next.


10. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

11. On the Active Directory Object Type page, click Only the following objects in the folder, select the User objects check box, and then click Next.

12. On the Permissions page, ensure that the General check box is selected.

13. Under Permissions, select the Read and write personal information check box, click Next, and then click Finish.

Task 3: Verify the effective permissions assigned for the Toronto OU

1. On NYC-DC1, in Active Directory Users and Computers, on the View menu, click Advanced Features.

2. Expand WoodgroveBank.com, right-click the Toronto OU, and then click Properties.

3. In the Toronto Properties dialog box, on the Security tab, click Advanced.

4. In the Advanced Security Settings for Toronto dialog box, on the Effective Permissions tab, click Select.

5. In the Select Users, Computer, and Group dialog box, type Sven, and then click OK. Sven Buck is a member of the Tor_BranchManagersGG group.

6. Review Sven’s effective permissions. Verify that Sven has permissions to create and delete user and group accounts, click Cancel, and then click OK.

7. Expand the Toronto OU, expand the Customer Service OU, right-click Matt Berg, and then click Properties.

8. In the Matt Berg Properties dialog box, on the Security tab, click Advanced.

9. In the Advanced Security Settings for Matt Berg dialog box, on the Effective Permissions tab, click Select.

10. In the Select Users, Computer, and Group dialog box, type Helge, and then click OK. Helge Hoeing is a member of the Tor_CustomerServiceGG group.

11. Review Helge’s effective permissions. Verify that Helge has permissions to reset passwords and to write personal attributes. Click Cancel, and then click OK.
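The Effective Permissions tab answers "what can this user do", but it does not show which ACEs the wizard actually wrote, and the Security tab shows object-type GUIDs rather than names. The script below is an added example (not part of the course) that lists the ACEs on the Toronto OU for one delegated group and resolves each ACE's object type and inherited object type against the schema and the Extended-Rights container, so that a "Reset Password" control access right or the "Personal Information" property set appears by name. It assumes it is run on NYC-DC1 as a user who can read the OU's security descriptor; the OU and group names are the lab's.

```powershell
# Added example, not part of the course labs: show the ACEs delegated to a
# group on an OU with object-type GUIDs resolved to names.
# Assumed: run on a DC as an account that can read the OU's security descriptor.
param(
    [string]$OuDN      = "OU=Toronto,DC=WoodgroveBank,DC=com",
    [string]$GroupName = "Tor_CustomerServiceGG"
)

# Build a GUID -> name table from classSchema/attributeSchema objects and from
# the control access rights (extended rights and property sets) in the
# configuration partition.
function Get-AdGuidMap {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $map = @{}

    $schema = New-Object DirectoryServices.DirectorySearcher
    $schema.SearchRoot = [ADSI]("LDAP://" + [string]$rootDse.schemaNamingContext)
    $schema.Filter   = "(schemaIDGUID=*)"
    $schema.PageSize = 1000
    [void]$schema.PropertiesToLoad.Add("lDAPDisplayName")
    [void]$schema.PropertiesToLoad.Add("schemaIDGUID")
    foreach ($r in $schema.FindAll()) {
        $guid = New-Object Guid -ArgumentList (,[byte[]]$r.Properties["schemaidguid"][0])
        $map[$guid.ToString()] = [string]$r.Properties["ldapdisplayname"][0]
    }

    $rights = New-Object DirectoryServices.DirectorySearcher
    $rights.SearchRoot = [ADSI]("LDAP://CN=Extended-Rights," + [string]$rootDse.configurationNamingContext)
    $rights.Filter   = "(rightsGuid=*)"
    $rights.PageSize = 1000
    [void]$rights.PropertiesToLoad.Add("displayName")
    [void]$rights.PropertiesToLoad.Add("rightsGuid")
    foreach ($r in $rights.FindAll()) {
        $guid = [Guid][string]$r.Properties["rightsguid"][0]
        $map[$guid.ToString()] = [string]$r.Properties["displayname"][0]
    }
    return $map
}

# An empty GUID in an ACE means "all object types" or "all properties".
function Resolve-AdGuid([hashtable]$Map, [Guid]$Guid) {
    if ($Guid -eq [Guid]::Empty) { return "(all)" }
    if ($Map.ContainsKey($Guid.ToString())) { return $Map[$Guid.ToString()] }
    return $Guid.ToString()
}

$map = Get-AdGuidMap
$ou  = [ADSI]"LDAP://$OuDN"
$ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    Select-Object AccessControlType, ActiveDirectoryRights,
        @{ Name = "ObjectType"; Expression = { Resolve-AdGuid $map $_.ObjectType } },
        @{ Name = "AppliesTo";  Expression = { Resolve-AdGuid $map $_.InheritedObjectType } },
        InheritanceType, IsInherited |
    Format-Table -AutoSize
```

For Tor_CustomerServiceGG the output should contain an ExtendedRight ACE whose ObjectType resolves to Reset Password and a ReadProperty/WriteProperty ACE whose ObjectType resolves to Personal Information, both with AppliesTo = user; for Tor_BranchManagersGG it should contain CreateChild/DeleteChild ACEs with ObjectType user and group, plus GenericAll ACEs that inherit to user and group objects. Anything else listed for the group was not granted by the wizard and is worth investigating.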


Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab to enable you to test the delegated permissions. As a best practice, you should install the administration tools on a Windows workstation rather than enable Domain Users to log on to domain controllers.

1. On NYC-DC1, click Start, point to Administrative Tools, and click Group Policy Management.

2. If required, expand Forest:WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then expand Domain Controllers.

3. Right-click Default Domain Controllers Policy, and click Edit.

4. In the Group Policy Management Editor window, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and click User Rights Assignment.

5. Double-click Allow log on locally. In the Allow log on locally Properties dialog box, click Add User or Group.

6. In the Add User or Group dialog box, type Domain Users, and click OK twice. Close all open windows.

7. Open a command prompt, and type GPUpdate /force, and then press ENTER. Wait for the command to complete, and then log off.

Task 5: Test the delegated permissions for the Toronto OU

1. Log on to NYC-DC1 as Sven with the password of Pa$$w0rd.

2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.


4. Right-click the Toronto organizational unit, and then create a new user with the following properties:

• First name - Test1

• User logon name - Test1

• Password - Pa$$w0rd

This task will succeed because Sven Buck was delegated the authority to perform that task.

5. Right-click the Toronto OU, and then create a new group named Group 1. This task will succeed because Sven Buck was delegated the authority to perform that task.

6. Right-click the ITAdmins OU, and review the menu options. Verify that Sven does not have permissions to create any new objects in the ITAdmins OU.

7. Log off and then log on to NYC-DC1 as Helge with the password of Pa$$w0rd.

8. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

9. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.

10. Right-click the Toronto OU, and review the menu options. Verify that Helge does not have permissions to create any new objects in the Toronto OU.

11. Expand Toronto, expand CustomerService, right-click Matt Berg, and then click Reset Password.

12. In the Reset Password dialog box, in the New password and Confirm password boxes, type Pa$$w0rd, and then click OK twice.

13. Right-click Matt Berg, and then click Properties. In the Matt Berg Properties dialog box, confirm that Helge has permission to set some user properties such as Office and Telephone number, but not settings such as Description and E-mail.

14. Close Active Directory Users and Computers, and then log off.

Result: At the end of this exercise you will have delegated the administrative tasks for the Toronto office.


Exercise 2: Configuring AD DS Trusts

Task 1: Start the VAN-DC1 virtual machine, and then log on

1. In the Lab Launcher, next to 6425A-VAN-DC1, click Launch.

2. Log on to VAN-DC1 as Administrator with the password Pa$$w0rd.

3. Minimize the Lab Launcher window.

Task 2: Configure the Network and DNS Settings to enable the forest trust

1. On VAN-DC1, click Start, point to Control Panel, point to Network Connections, and click Local Area Connection.

2. Click Properties, click Internet Protocol (TCP/IP), and then click Properties.

3. Change the IP address to 10.10.0.110, the Default gateway to 10.10.0.1, and the Preferred DNS server to 10.10.0.110. Click OK, and close the open dialog boxes.

4. Click Start, and click Run. In the Open box, type cmd, and press ENTER.

5. At the command prompt, type Net time \\10.10.0.10 /set /y and press ENTER. This command synchronizes the time on VAN-DC1 with NYC-DC1. Close the command prompt. Do not skip this step: Kerberos authentication across the trust fails if the clocks of the two forests differ by more than the permitted skew, which is five minutes by default.

6. Start DNS Manager from the Administrative Tools folder.

7. In the DNS Manager console, expand VAN-DC1.

8. Right-click VAN-DC1, and click Properties.

9. On the Forwarders tab, click New. In the DNS domain field, type Woodgrovebank.com, and then click OK.

10. In the Selected domain's forwarder IP address list, type 10.10.0.10, and then click Add. Click OK, and close the DNS Manager console.

11. Start Active Directory Domains and Trusts from the Administrative Tools folder.

12. In Active Directory Domains and Trusts, right-click Fabrikam.com, and then click Raise Domain Functional Level.


13. Select Windows Server 2003, click Raise, and then click OK twice.

14. Right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

15. Select Windows Server 2003, click Raise, and then click OK twice.

16. On NYC-DC1, log on as Administrator.

17. Start DNS Manager from the Administrative Tools folder.

18. In the DNS Manager console, expand NYC-DC1.

19. Under NYC-DC1, right-click Conditional Forwarders, and then click New Conditional Forwarder.

20. In the DNS Domain field, type Fabrikam.com, click under IP Address, type 10.10.0.110, press ENTER, and then click OK.

21. Close the DNS Manager console.

Task 3: Configure a forest trust between WoodgroveBank.com and Fabrikam.com

1. On NYC-DC1, start Active Directory Domains and Trusts from the Administrative Tools folder.

2. In Active Directory Domains and Trusts, right-click WoodgroveBank.com, and then click Properties.

3. On the Trusts tab, click New Trust.

4. On the Welcome to the New Trust Wizard page, click Next.

5. On the Trust Name page, type Fabrikam.com, and then click Next.

6. On the Trust Type page, click Forest trust, and then click Next.

7. On the Direction of Trust page, click Two-way, and then click Next.

8. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.

9. On the User Name and Password page, type [email protected] as the User name, and Pa$$w0rd as the Password, and then click Next.

10. On the Outgoing Trust Authentication Level- Local Forest page, accept the default of Forest-wide authentication, and then click Next.


11. On the Outgoing Trust Authentication Level- Specified Forest page, accept the default of Forest-wide authentication, and then click Next.

12. On the Trusts Selections Complete page, click Next.

13. On the Trust Creation Complete page, click Next.

14. On the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust, and then click Next.

15. On the Confirm Incoming Trust page, click Yes, confirm the incoming trust, and then click Next.

16. On the Completing the New Trust Wizard page, click Finish.

17. Read the Active Directory message, and then click OK.

18. Click OK to close the WoodgroveBank.com Properties dialog box.

Task 4: Configure selective authentication for the forest trust to enable access to only NYC-DC2

1. In Active Directory Domains and Trusts, click WoodgroveBank.com, and then on the Action menu, click Properties.

2. In the WoodgroveBank.com Properties dialog box, click the Trusts tab.

3. Under Domains that trust this domain (incoming trusts), click Fabrikam.com, and then click Properties.

4. In the Fabrikam.com Properties dialog box, on the Authentication tab, click Selective Authentication, click OK twice, and then close Active Directory Domains and Trusts.

5. Open Active Directory Users and Computers, and on the View menu, ensure that Advanced Features is selected.

6. Expand Domain Controllers.

7. Click NYC-DC2, and on the Action menu, click Properties.

8. In the NYC-DC2 Properties dialog box, click the Security tab, and then click Add.

9. In the Select Users, Computers, or Groups dialog box, click Locations, click Fabrikam.com, and then click OK.

10. In the Select Users, Computers, or Groups dialog box, type MarketingGG, and then click OK.


11. In the NYC-DC2 Properties dialog box, select the Allowed to Authenticate permission check box in the Allow column.

12. Click OK to close the NYC-DC2 Properties dialog box.

13. Expand Computers.

14. Click NYC-CL1, and on the Action menu, click Properties.

15. In the NYC-CL1 Properties dialog box, click the Security tab, and then click Add.

16. In the Select Users, Computers, or Groups dialog box, click Locations, click Fabrikam.com, and then click OK.

17. In the Select Users, Computers, or Groups dialog box, type MarketingGG, and then click OK.

18. In the NYC-CL1 Properties dialog box, select the Allowed to Authenticate permission check box in the Allow column.

19. Click OK to close the NYC-CL1 Properties dialog box.
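The same configuration can be scripted, which matters once more than two computers are involved: selective authentication silently blocks every foreign user on every computer that has not been granted the right, so the list of grants should be reproducible. The following is an added example (not part of the course lab) that switches the existing forest trust to selective authentication with netdom, looks up the GUID of the Allowed-To-Authenticate control access right in the configuration partition, and adds the corresponding ACE to the two computer objects. It assumes it is run on NYC-DC1 as a WoodgroveBank.com domain administrator after the trust exists, and that the NetBIOS name of Fabrikam.com is FABRIKAM (an assumption; the lab never states it).

```powershell
# Added example, not part of the course lab. Assumed: run on NYC-DC1 as a
# WoodgroveBank.com domain admin after the forest trust exists; FABRIKAM is
# assumed to be the NetBIOS name of Fabrikam.com.

$trustingForest = "WoodgroveBank.com"   # the forest whose resources are accessed
$trustedForest  = "Fabrikam.com"        # the forest whose users come in
$foreignGroup   = "FABRIKAM\MarketingGG"
$computerDNs    = @(
    "CN=NYC-DC2,OU=Domain Controllers,DC=WoodgroveBank,DC=com",
    "CN=NYC-CL1,CN=Computers,DC=WoodgroveBank,DC=com"
)

# 1. Require selective authentication for users coming in from Fabrikam.com
#    (the wizard default is forest-wide authentication), then verify the trust.
netdom trust $trustingForest "/d:$trustedForest" /SelectiveAUTH:Yes
netdom trust $trustingForest "/d:$trustedForest" /verify

# 2. Look up the GUID of the Allowed-To-Authenticate control access right
#    instead of hard-coding it.
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://CN=Extended-Rights," + [string]$rootDse.configurationNamingContext)
$searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=Allowed to Authenticate))"
$allowedToAuthenticate = [Guid][string]$searcher.FindOne().Properties["rightsguid"][0]

# 3. Grant the foreign group that right on each computer object. The SID is
#    resolved through the trust, so the trust must already be working.
$account = New-Object Security.Principal.NTAccount($foreignGroup)
$sid = $account.Translate([Security.Principal.SecurityIdentifier])
foreach ($dn in $computerDNs) {
    $computer = [ADSI]"LDAP://$dn"
    $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)
    $computer.psbase.ObjectSecurity.AddAccessRule($ace)
    $computer.psbase.CommitChanges()
    Write-Host "Granted Allowed to Authenticate on $dn to $foreignGroup"
}
```

The ACE is stored on the computer object in AD DS, not on the computer itself, which is why Task 4 edits the Security tab of NYC-DC2 and NYC-CL1 in Active Directory Users and Computers rather than any local setting.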

Task 5: Test the selective authentication

1. Log on to the NYC-CL1 virtual machine as [email protected] using the password Pa$$w0rd.

Adam is a member of the MarketingGG group at Fabrikam. He is able to log on to a computer in the WoodgroveBank.com domain because of the trust between the two forests, and because he has been allowed to authenticate to NYC-CL1.

2. Click Start, click All Programs, click Accessories, click Run, type \\NYC-DC2\netlogon, and then press ENTER. Adam should be able to access the folder.

3. Click Start, click All Programs, click Accessories, click Run, type \\NYC-DC1\Netlogon, and then press ENTER. Adam should not be able to access the folder. With selective authentication in force, users from Fabrikam.com are authenticated only by computers whose AD DS computer object grants them the Allowed to Authenticate permission, and that permission was granted to MarketingGG on NYC-DC2 and NYC-CL1 but not on NYC-DC1.


Task 6: Close all virtual machines and discard undo disks

1. For each running virtual machine, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise you will have configured trusts based on a trust configuration design.


Module 4: Configuring Active Directory Domain Sites and Replication

Lab: Configuring Active Directory Sites and Replication

Exercise 1: Configuring AD DS Sites and Subnets

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. In the Lab Launcher, next to 6425A-LON-DC1, click Launch.

4. In the Lab Launcher, next to 6425A-MIA-RODC, click Launch.

5. In the Lab Launcher, next to 6425A-NYC-RAS, click Launch.

6. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

7. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.

8. Log on to MIA-RODC as Administrator with the password Pa$$w0rd.

9. Log on to NYC-RAS as Administrator with the password Pa$$w0rd.

10. Minimize the Lab Launcher window.

Task 2: Verify the current site configuration and replication topology

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

2. Expand Sites, expand Default-First-Site-Name, expand Servers, expand NYC-DC1, click NTDS Settings, right-click NTDS Settings, and then click Properties.

3. In the NTDS Settings Properties dialog box, on the Connections tab, note the replication partners for your computer, and then click Cancel.

4. In the Details pane, right-click one of the connection objects listed, and then click Properties.


5. In the <automatically generated> Properties dialog box, on the General tab, note the Replicated Naming Context(s).

6. Click Change Schedule, note the replication schedule, and then click Cancel twice.

The schedule of once per hour means that if a domain controller does not receive any change notifications from the replication partner, it will check for updates every hour.

7. Expand MIA-RODC, click NTDS Settings, right-click NTDS Settings, and then click Properties.

8. In the NTDS Settings Properties dialog box, on the Connections tab, verify that the read-only domain controller (RODC) has inbound (Replicate From) replication partners and no outbound (Replicate To) replication partners. Click Cancel.

Task 3: Create the AD DS sites

1. In Active Directory Sites and Services, right-click Default-First-Site-Name, and then click Rename.

2. Type NewYork-Site, and then press ENTER.

3. Right-click Sites, and then click New Site.

4. In the New Object-Site dialog box, in the Name field, type Miami-Site, click DEFAULTIPSITELINK, and then click OK.

5. In the Active Directory Domain Services dialog box, click OK.

6. Create two more sites with the site names Tokyo-Site, and London-Site.

7. Right-click Subnets, and then click New Subnet.

8. In the New Object-Subnet dialog box, in the Prefix box, type 10.10.0.0/16. Click NewYork-Site, and then click OK.

9. Create another three subnets with the following attributes:

• Prefix: 10.20.0.0/16, Site: London-Site

• Prefix: 10.30.0.0/16, Site: Miami-Site

• Prefix: 10.40.0.0/16, Site: Tokyo-Site


10. Right-click London-Site, and then click Properties. Verify that the correct subnet is associated with this site, and then click OK.

Result: At the end of this exercise you will have configured AD DS sites and subnets and linked the subnets to the appropriate sites.

Exercise 2: Configuring AD DS Replication

Task 1: Create site link objects

1. In Active Directory Sites and Services, expand Inter-Site Transports, and then click IP.

2. In the details pane, right-click DEFAULTIPSITELINK, and then click Rename.

3. Type NewYork-London-Site-Link, and then press ENTER.

4. Right-click NewYork-London-Site-Link, and then click Properties.

5. On the General tab, in the Sites in this site link list, click Tokyo-Site, and then click Remove. Click Miami-Site, and then click Remove.

6. In the Replicate every box, type 30, and then click OK.

7. Right-click IP, and then click New Site Link.

8. In the New Object – Site Link dialog box, type NewYork-Tokyo-Site-Link.

9. In the Sites not in this site link list, click NewYork-Site, and then click Add. Click Tokyo-Site, click Add, and then click OK.

10. Right-click NewYork-Tokyo-Site-Link, and then click Properties.

11. In the Replicate every box, type 30, and then click OK.

12. Create another new site link named NewYork-Miami-Site-Link. Add the NewYork-Site and Miami-Site to the site link, and then click OK.

13. Right-click NewYork-Miami-Site-Link, and then click Properties.

14. On the General tab, click Change Schedule.

15. In the Schedule for NewYork-Miami-Site-Link dialog box, select the time from 7 am to 7 pm, Monday to Friday, click Replication Not Available, and then click OK twice.


Task 2: Configure site link bridging

1. In Active Directory Sites and Services, right-click IP, and then click Properties.

2. On the IP Properties dialog box, clear the Bridge all site links check box, and then click OK.

3. Right-click IP, and then click New Site Link Bridge.

4. In the New Object – Site Link Bridge dialog box, in the Name box, type NewYork-London-Tokyo-Site-Link-Bridge.

5. Press the CTRL key, and in the Site links not in this site link bridge list, click NewYork-London-Site-Link and NewYork-Tokyo-Site-Link, click Add, and then click OK.

Task 3: Modify the domain controller IP address configuration

1. On LON-DC1, in the Server Manager window, click View Network Connections.

2. In the Network Connections window, right-click Local Area Connection, and then click Properties.

3. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, change the IP address to 10.20.0.110, change the Default gateway to 10.20.0.1, click OK, and then click Close.

5. Open a command prompt, type Ping 10.10.0.10, and then press ENTER. Verify that the ping is successful.

6. At the command prompt, type ipconfig /registerdns, and then press ENTER.

7. On MIA-RODC, in the command prompt window, type Netsh interface ipv4 show interfaces, and then press ENTER. Record the Idx value assigned to the Local Area Connection.

8. Type netsh interface ipv4 set address name="ID" source=static address=10.30.0.15 mask=255.255.0.0 gateway=10.30.0.1 (where ID is the Idx number assigned to the Local Area Connection), and then press ENTER.

9. Open a command prompt, type Ping 10.10.0.10, and then press ENTER. Verify that the ping is successful.


10. At the command prompt, type ipconfig /registerdns, and then press ENTER.

11. On NYC-DC1, click Start, point to Administrative Tools, and then click DNS.

12. Expand NYC-DC1, expand Forward Lookup Zones, and then click WoodgroveBank.com. Verify that the IP address for MIA-RODC has been updated.

13. Expand WoodgroveBank.com, select and then right-click EMEA, and then click Properties.

14. On the Name Servers tab, click Edit.

15. In the Edit Name Server Record dialog box, click 10.10.0.110, type 10.20.0.110, and then click OK three times.

16. Close the DNS management console.

Task 4: Move the domain controllers into the appropriate sites

1. On NYC-DC1, in Active Directory Sites and Services, under NewYork-Site, click Servers.

2. In the details pane, right-click LON-DC1, and then click Move.

3. In the Move Server dialog box, click London-Site, and then click OK.

4. Move MIA-RODC to the Miami-Site.

Task 5: Configure global catalog caching for the Miami site

1. On NYC-DC1, in Active Directory Sites and Services, click Miami-Site.

2. In the details pane, right-click NTDS Site Settings, and then click Properties.

3. In the NTDS Site Settings Properties dialog box, select the Enable Universal Group Membership Caching check box.

4. In the Refresh cache from list, click CN=NewYork-Site, and then click OK.

Result: At the end of this exercise you will have configured AD DS replication.
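Everything Exercises 1 and 2 do in Active Directory Sites and Services is a set of writes to the Configuration partition, and building the topology from a script is how it is kept reproducible across forests. The script below is an added example (not part of the course) that creates the sites, subnets, site links, schedule, site link bridge, server moves and universal group membership caching of the two exercises through System.DirectoryServices. It assumes it is run on NYC-DC1 as an Enterprise Admin after Default-First-Site-Name has been renamed to NewYork-Site. Two caveats it makes explicit: sites created this way are not added to DEFAULTIPSITELINK the way the console does it, so each link's site list is set in full; and the schedule attribute is stored in UTC, so the 07:00 to 19:00 block below is a UTC window, whereas the console displays local time.

```powershell
# Added example, not part of the course. Assumed: run on NYC-DC1 as an
# Enterprise Admin; Default-First-Site-Name already renamed to NewYork-Site.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configDN = [string]$rootDse.configurationNamingContext
$sitesDN  = "CN=Sites,$configDN"
$ipDN     = "CN=IP,CN=Inter-Site Transports,$sitesDN"

# Create one object under a parent and set its attributes in a single commit.
function New-AdChild([string]$ParentDN, [string]$Rdn, [string]$Class, [hashtable]$Attrs) {
    $parent = [ADSI]"LDAP://$ParentDN"
    $child  = $parent.psbase.Children.Add($Rdn, $Class)
    foreach ($k in $Attrs.Keys) { $child.psbase.Properties[$k].Value = $Attrs[$k] }
    $child.psbase.CommitChanges()
    return $child
}

# A site is three objects: the site, its NTDS Site Settings and a Servers
# container; the console creates the last two silently.
function New-AdSite([string]$Name) {
    [void](New-AdChild $sitesDN "CN=$Name" "site" @{})
    [void](New-AdChild "CN=$Name,$sitesDN" "CN=NTDS Site Settings" "nTDSSiteSettings" @{})
    [void](New-AdChild "CN=$Name,$sitesDN" "CN=Servers" "serversContainer" @{})
}

function New-AdSubnet([string]$Prefix, [string]$SiteName) {
    [void](New-AdChild "CN=Subnets,$sitesDN" "CN=$Prefix" "subnet" @{ siteObject = "CN=$SiteName,$sitesDN" })
}

function New-AdSiteLink([string]$Name, [string[]]$SiteNames, [int]$IntervalMinutes) {
    $members = [string[]]($SiteNames | ForEach-Object { "CN=$($_),$sitesDN" })
    return New-AdChild $ipDN "CN=$Name" "siteLink" @{ siteList = $members; cost = 100; replInterval = $IntervalMinutes }
}

# The schedule attribute is 188 bytes: a 20-byte header, then one byte per hour
# for a week starting Sunday 00:00 UTC. The low four bits of each byte are the
# four 15-minute slots of that hour (0x0F = replication available all hour).
function New-ReplicationSchedule([int[]]$BlockedDays, [int]$FromHourUtc, [int]$ToHourUtc) {
    $blob = New-Object byte[] 188
    [BitConverter]::GetBytes([int]188).CopyTo($blob, 0)   # SCHEDULE_HEADER.Size
    [BitConverter]::GetBytes([int]0).CopyTo($blob, 4)     # Bandwidth (unused)
    [BitConverter]::GetBytes([int]1).CopyTo($blob, 8)     # NumberOfSchedules
    [BitConverter]::GetBytes([int]0).CopyTo($blob, 12)    # SCHEDULE.Type = interval
    [BitConverter]::GetBytes([int]20).CopyTo($blob, 16)   # SCHEDULE.Offset of the data
    for ($day = 0; $day -lt 7; $day++) {
        for ($hour = 0; $hour -lt 24; $hour++) {
            $blocked = ($BlockedDays -contains $day) -and ($hour -ge $FromHourUtc) -and ($hour -lt $ToHourUtc)
            if ($blocked) { $blob[20 + $day * 24 + $hour] = 0x00 } else { $blob[20 + $day * 24 + $hour] = 0x0F }
        }
    }
    return $blob
}

# Exercise 1: sites and subnets.
foreach ($s in "Miami-Site", "Tokyo-Site", "London-Site") { New-AdSite $s }
New-AdSubnet "10.10.0.0/16" "NewYork-Site"
New-AdSubnet "10.20.0.0/16" "London-Site"
New-AdSubnet "10.30.0.0/16" "Miami-Site"
New-AdSubnet "10.40.0.0/16" "Tokyo-Site"

# Exercise 2, Task 1: site links (site lists set in full, see lead-in).
$nyLon = [ADSI]"LDAP://CN=DEFAULTIPSITELINK,$ipDN"
$nyLon.psbase.Rename("CN=NewYork-London-Site-Link")
$nyLon.psbase.Properties["siteList"].Value = [string[]]@("CN=NewYork-Site,$sitesDN", "CN=London-Site,$sitesDN")
$nyLon.psbase.Properties["replInterval"].Value = 30
$nyLon.psbase.CommitChanges()
[void](New-AdSiteLink "NewYork-Tokyo-Site-Link" @("NewYork-Site", "Tokyo-Site") 30)
$nyMia = New-AdSiteLink "NewYork-Miami-Site-Link" @("NewYork-Site", "Miami-Site") 180
$nyMia.psbase.Properties["schedule"].Value = New-ReplicationSchedule @(1, 2, 3, 4, 5) 7 19  # Mon-Fri, UTC
$nyMia.psbase.CommitChanges()

# Exercise 2, Task 2: clear "Bridge all site links" by setting
# NTDSTRANSPORT_OPT_BRIDGES_REQUIRED (0x2) on the IP transport, then add a bridge.
$ip = [ADSI]"LDAP://$ipDN"
$ip.psbase.Properties["options"].Value = ([int]$ip.psbase.Properties["options"].Value) -bor 0x2
$ip.psbase.CommitChanges()
[void](New-AdChild $ipDN "CN=NewYork-London-Tokyo-Site-Link-Bridge" "siteLinkBridge" @{
    siteLinkList = [string[]]@("CN=NewYork-London-Site-Link,$ipDN", "CN=NewYork-Tokyo-Site-Link,$ipDN") })

# Exercise 2, Task 4: move the server objects out of NewYork-Site.
$moves = @{ "LON-DC1" = "London-Site"; "MIA-RODC" = "Miami-Site" }
foreach ($serverName in $moves.Keys) {
    $server = [ADSI]"LDAP://CN=$serverName,CN=Servers,CN=NewYork-Site,$sitesDN"
    $server.psbase.MoveTo([ADSI]"LDAP://CN=Servers,CN=$($moves[$serverName]),$sitesDN")
}

# Exercise 2, Task 5: universal group membership caching for Miami
# (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = 0x20), refreshed from NewYork-Site.
$miaSettings = [ADSI]"LDAP://CN=NTDS Site Settings,CN=Miami-Site,$sitesDN"
$miaSettings.psbase.Properties["options"].Value = 0x20
$miaSettings.psbase.Properties["msDS-Preferred-GC-Site"].Value = "CN=NewYork-Site,$sitesDN"
$miaSettings.psbase.CommitChanges()
```

After running it, the console should show the same objects the manual steps produce; the replication schedule dialog for NewYork-Miami-Site-Link will show the blocked hours shifted by the server's UTC offset, which is the quickest way to confirm that the blob is interpreted in UTC.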


Exercise 3: Monitoring AD DS Replication

Task 1: Verify that the replication topology has been updated

1. On NYC-DC1, in Active Directory Sites and Services, if required, expand NewYork-Site, expand Servers, and then expand NYC-DC1.

2. Right-click NTDS Settings, point to All Tasks, and then click Check Replication Topology.

3. In the Check Replication Topology dialog box, click OK.

4. Access the NTDS Settings for MIA-RODC in the Miami-Site, and force it to check the replication topology. This will take a few moments to complete. Click OK.

5. Click NewYork-Site, and in the details pane, right-click NTDS Site Settings, and then click Properties.

6. Verify that NYC-DC1 is configured as the Inter-Site Topology Generator. Click OK.

7. Access the NTDS Site Settings for the Miami-Site, and verify that MIA-RODC is not listed as the Inter-Site Topology Generator (ISTG). Because MIA-RODC is a RODC, it cannot operate as a bridgehead server or an ISTG. Click OK.

Task 2: Verify that replication is working between sites

1. On NYC-DC1, in Active Directory Sites and Services, expand NewYork-Site, expand Servers, expand NYC-DC1, and then click NTDS Settings.

2. In the details pane, verify that a connection object has been created between NYC-DC1 and LON-DC1.

3. Right-click the connection object, and then click Replicate Now.

4. Read the Replicate Now message and then click OK.

5. On LON-DC1, open Active Directory Sites and Services, expand Sites, expand London-Site, expand Servers, expand LON-DC1, and then click NTDS Settings.

6. Right-click the connection object configured on LON-DC1 between LON-DC1 and NYC-DC1, and then click Replicate Now.

7. On NYC-DC1, open Active Directory Users and Computers, and expand WoodgroveBank.com.


8. Right-click the Users container, point to New and click User. Create a new user with a first name and logon name of TestUser, and a password of Pa$$w0rd.

9. In Active Directory Sites and Services, click Miami-Site, expand MIA-RODC, and click NTDS Settings. Right-click the connection object between NYC-DC1 and MIA-RODC, and click Replicate Now. Click OK to close the Replicate Now dialog box.

Note: If you receive an error message when forcing replication on the connection object, under MIA-RODC, right-click NTDS Settings, point to All Tasks, and click Check Replication Topology. Expand NYC-DC1, right-click NTDS Settings, point to All Tasks, and click Check Replication Topology. Wait one minute and try step 9 again.

10. In Active Directory Users and Computers, right-click WoodgroveBank.com, and then click Change Domain Controller.

11. In the Change Directory Server dialog box, click MIA-RODC.WoodgroveBank.com, and then click OK.

12. In the Active Directory Domain Services message, click OK.

13. Expand WoodgroveBank.com, and then expand Users. Verify that the TestUser account has been replicated to MIA-RODC.

14. Close Active Directory Users and Computers.

Task 3: Use DCDiag to verify the replication topology

1. On NYC-DC1, open a command prompt.

2. At the command prompt, type DCDiag /test:replications, and then press ENTER.

3. Verify that NYC-DC1 passed the connectivity test, but that there are several replication errors. Replication errors will be listed because NYC-DC2 and TOK-DC1 are not running, and replication with them has been attempted.


Task 4: Use Repadmin to verify successful replication

1. On NYC-DC1, at the command prompt, type repadmin /showrepl, and then press ENTER. Verify that replication with LON-DC1 succeeded during the last replication update.

2. At the command prompt, type repadmin /showrepl MIA-RODC.WoodgroveBank.com, and then press ENTER. Verify that all directory partitions updated successfully during the last replication update.

3. At the command prompt, type repadmin /bridgeheads, and then press ENTER. Verify that NYC-DC1 and LON-DC1 are listed as bridgehead servers for their site.

4. At the command prompt, type repadmin /replsummary, and then press ENTER.

5. Examine the replication summary, and then close the command prompt.
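Reading repadmin output by eye works for four domain controllers, not for forty. The script below is an added example (not part of the course) that runs repadmin /showrepl with its /csv switch, parses the result, and reports every inbound replication link whose failure counter is above zero, which is the check a monitoring job would run to catch the NYC-DC2 and TOK-DC1 errors seen in Task 3. It assumes it is run on a domain controller from which repadmin can reach the forest, Windows PowerShell 2.0 or later for ConvertFrom-Csv, and that the column names are the ones repadmin writes in its CSV header.

```powershell
# Added example, not part of the course lab. Assumed: run on a DC with
# PowerShell 2.0 or later; column names as in repadmin's /csv header.

# One row per naming context per inbound partner, for every DC ("*").
function Get-ReplicationFailures {
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } | ForEach-Object {
        New-Object PSObject |
            Add-Member NoteProperty Destination $_.'Destination DSA' -PassThru |
            Add-Member NoteProperty Source      $_.'Source DSA' -PassThru |
            Add-Member NoteProperty Partition   $_.'Naming Context' -PassThru |
            Add-Member NoteProperty Failures    ([int]$_.'Number of Failures') -PassThru |
            Add-Member NoteProperty LastSuccess $_.'Last Success Time' -PassThru |
            Add-Member NoteProperty LastError   $_.'Last Failure Status' -PassThru
    }
}

$failures = @(Get-ReplicationFailures)
if ($failures.Count -eq 0) {
    Write-Host "All inbound replication links are healthy."
} else {
    # Sorting by failure count puts the partners that have been failing longest
    # at the top; an empty LastSuccess means the link has never replicated.
    $failures | Sort-Object Failures -Descending | Format-Table -AutoSize
}
```

In the lab state, rows whose Source is NYC-DC2 or TOK-DC1 are expected to appear, since those domain controllers are powered off; anything else listed needs attention, and a partner whose last success is older than the tombstone lifetime must be rebuilt rather than left to catch up.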

Task 5: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise you will have verified that AD DS replication is working.


Module 5: Creating and Configuring Group Policy

Lab: Creating and Configuring GPOs

Exercise 1: Creating and Configuring Group Policy Objects

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create the group policies

1. Click Start, point to Administrative Tools, and then launch the Group Policy Management MMC.

2. Expand the Forest by clicking WoodgroveBank.com, Domains, WoodgroveBank.com, and Group Policy Objects.

3. Right-click the Group Policy Objects folder, and then click New.

4. In the New GPO dialog box, type Restrict Control Panel in the Name field, and then click OK.


5. Repeat the previous steps to create the following GPOs:

• Create a group policy named Restrict Desktop Display.

• Create a group policy named Restrict Run Command.

• Create a group policy named Baseline Security.

• Create a group policy named Vista and XP Security.

• Create a group policy named Admin Favorites.

• Create a group policy named Kiosk Computer Security.

6. Leave the GPMC open to perform the next task.
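Windows Server 2008 has no New-GPO cmdlet, but the GPMC console is built on COM interfaces that Windows PowerShell can drive. The script below is an added example (not part of the course) that creates the seven GPOs of Task 2 through those interfaces, checking first whether a GPO with that display name already exists so that a rerun does not create a second GPO with the same name (GPOs are identified by GUID, not by display name). It assumes it is run on NYC-DC1, where GPMC is installed, as a Domain Admin; the domain and GPO names are the lab's.

```powershell
# Added example, not part of the course lab. Assumed: run on NYC-DC1 with
# GPMC installed, as a Domain Admin.

$domainName = "WoodgroveBank.com"
$gpoNames = @(
    "Restrict Control Panel", "Restrict Desktop Display", "Restrict Run Command",
    "Baseline Security", "Vista and XP Security", "Admin Favorites",
    "Kiosk Computer Security"
)

$gpm    = New-Object -ComObject GPMgmt.GPM
$const  = $gpm.GetConstants()
$domain = $gpm.GetDomain($domainName, "", $const.UseAnyDC)

function New-GpoIfMissing([string]$Name) {
    # Display names are not unique in AD DS; search before creating.
    $criteria = $gpm.CreateSearchCriteria()
    $criteria.Add($const.SearchPropertyGPODisplayName, $const.SearchOpEquals, $Name)
    $existing = $domain.SearchGPOs($criteria)
    if ($existing.Count -gt 0) {
        Write-Host "Exists:  $Name ($($existing.Item(1).ID))"
        return $existing.Item(1)
    }
    $gpo = $domain.CreateGPO()
    $gpo.DisplayName = $Name
    Write-Host "Created: $Name ($($gpo.ID))"
    return $gpo
}

foreach ($name in $gpoNames) { [void](New-GpoIfMissing $name) }
```

CreateGPO creates an empty, unlinked GPO, exactly like New in the Group Policy Objects folder; the settings in Task 3 are still configured in the Group Policy Management Editor, since the GPMC interfaces manage GPOs as objects but do not edit their policy settings.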

Task 3: Configure the policies

1. Configure the Baseline Security policy:

a. In the GPMC, open the Group Policy Objects folder, right-click the Baseline Security policy, and then click Edit.

b. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, expand Security Options, and then double-click Interactive logon: Do not display last user name.

c. Select the check box to Define the policy setting, click Enabled, and then click OK.

d. Close the Group Policy Management Editor.

2. Configure the Admin Favorites policy:

a. In the Group Policy Objects folder, right-click the Admin Favorites policy, and then click Edit.

b. In the Group Policy Management Editor, expand User Configuration by clicking: Policies, Windows Settings, Internet Explorer Maintenance, and URLs. In the details pane, double-click Favorites and Links.

c. In the Favorites and Links dialog box, click Add URL. In the Details dialog box, type Tech Support in the Name field, type http://support.microsoft.com in the URL field, and then click OK twice.

d. Close the Group Policy Management Editor.


3. Configure the Restrict Desktop Display policy:

a. In the Group Policy Objects folder, right-click the Restrict Desktop Display policy, and then click Edit.

b. In the Group Policy Management Editor, expand User Configuration by clicking: Policies, Administrative Templates, Control Panel, and Display, and then double-click Remove Display in Control Panel.

c. In the Remove Display dialog box, click Enabled, and then click OK.

d. Close the Group Policy Management Editor.

4. Configure the Kiosk Computer Security policy:

a. In the Group Policy Objects folder, right-click the Kiosk Computer Security policy and then click Edit.

b. In the Group Policy Management Editor, expand Computer Configuration by clicking: Policies, Administrative Templates, System, and Group Policy, and then in the details pane, double-click the User Group Policy loopback processing mode setting.

c. In the Loopback processing properties dialog box, click Enabled, ensure the Mode is set to Replace, and then click OK.

d. Expand User Configuration by clicking: Policies, Administrative Templates, and Desktop.

e. Double-click Hide and Disable all items on the desktop. In the Hide and Disable all items on the desktop dialog box, click Enabled, and then click OK.

f. Close the Group Policy Management Editor.

5. Configure the Restrict Control Panel policy:

a. In the Group Policy Objects folder, right-click the Restrict Control Panel policy and then click Edit.

b. In the Group Policy Management Editor, expand User Configuration by clicking: Policies, Administrative Templates, and Control Panel, and then double-click Prohibit Access to Control Panel.

c. In the Prohibit Access to Control Panel dialog box, click Enabled, and then click OK.

d. Close the Group Policy Management Editor.


6. Configure the Restrict Run Command policy:

a. In the Group Policy Objects folder, right-click the Restrict Run Command policy, and then click Edit.

b. In the Group Policy Management Editor, expand User Configuration by clicking: Policies, Administrative Templates, Start Menu and Taskbar, and then in the details pane, double-click Remove Run menu from the Start Menu.

c. In the Remove Run Menu dialog box, click Enabled, and then click OK.

d. Close the Group Policy Management Editor.

7. Configure the Vista and XP Security policy:

a. In the Group Policy Objects folder, right-click the Vista and XP Security policy, and then click Edit.

b. In the Group Policy Management Editor, expand Computer Configuration by clicking: Policies, Administrative Templates, System, and Logon, and then double-click Always wait for the network at computer startup.

c. In the Always wait for the network at computer startup dialog box, click Enabled, and then click OK.

d. Close the Group Policy Management Editor. Leave the GPMC open for the next task.

Task 4: Link the GPOs to the appropriate containers

1. In the GPMC, right-click the WoodgroveBank.com domain, and then click Link an Existing GPO…

2. In the Select GPO dialog box, click the Baseline Security GPO. Hold down the Control key and select the following GPOs:

• Restrict Run Command GPO

• Vista and XP Security GPO

• Kiosk Computer Security GPO

3. Click OK.

4. Right-click the ITAdmins OU, and then click Link an Existing GPO…

5. In the Select GPO dialog box, click the Admin Favorites GPO, and then click OK.


6. Right-click the Executives OU, and then click Link an Existing GPO…

7. In the Select GPO dialog box, click the Restrict Desktop Display GPO, and then click OK.

8. Right-click the Miami OU, click Link an Existing GPO…, and then select the Restrict Control Panel policy.

9. Repeat the previous step to link the Restrict Control Panel policy to the Toronto and NYC OUs.

Result: At the end of this exercise you will have created and configured GPOs.

Exercise 2: Managing the Scope of GPO Application

Task 1: Configure group policy management for the domain container

1. In the GPMC, expand the WoodgroveBank.com domain to expose the linked policies.

2. Right-click the Baseline Security link, and then click Enforced.

3. Click the Baseline Security link, and in the right pane, click the Details tab.

4. In the GPO Status drop-down list box, select User configuration settings disabled.

5. Click the Kiosk Computer Security link, and in the right pane, click the Delegation tab.

6. On the Delegation tab, click Advanced.

7. In the Security Settings properties, click the Authenticated Users group, and then click Remove.

8. Click Add, and then in the Select User, Computers or Groups dialog box, type kiosk computers, and then click OK.

9. Assign the Read and Apply Group Policy permission to the kiosk computers group, and then click OK.

Task 2: Configure group policy management for the IT Admin OU

• Right-click the IT Admin OU, and then click Block Inheritance.


Task 3: Configure group policy management for the branch OUs

1. Open the Group Policy Objects folder, and in the tree view pane, click the Restrict Control Panel policy.

2. Click the Delegation tab, and then on the Delegation tab, click Advanced.

3. In the Security Settings properties, click Add.

4. In the Select User, Computers or Groups dialog box, type: Mia_BranchManagersGG; NYC_BranchManagersGG; Tor_BranchManagersGG, and then click OK.

5. Deny the Apply Group Policy permission to these groups, and then click OK.

6. Click Yes to acknowledge the warning message.
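The security filtering changed in Task 1 (steps 5 to 9) and the deny entries added in Task 3 are easy to get wrong and hard to see in the GPMC at a glance. The following added example, which is not part of the course lab, audits them with the GroupPolicy PowerShell module; it assumes that module is available (it ships with Windows Server 2008 R2 and RSAT, not with Windows Server 2008 RTM). Note that since the MS16-072 update, the user portion of a GPO is read in the computer's security context, so a GPO from which Authenticated Users has been removed will not apply on patched clients unless the computer accounts (for example Domain Computers) keep Read.

```powershell
# Added example, not from the course lab. Assumes the GroupPolicy module (Server 2008 R2 / RSAT).
Import-Module GroupPolicy

function Get-GpoApplyAudit {
    param([Parameter(Mandatory)][string]$GpoName)

    # -All returns every ACE on the GPO, including deny entries (Denied = $true)
    $perms  = @(Get-GPPermission -Name $GpoName -All)
    $apply  = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    $denied = $perms | Where-Object { $_.Denied }

    [pscustomobject]@{
        Gpo                     = $GpoName
        # Trustees that will actually process the GPO (Read + Apply, not denied)
        AppliesTo               = (@($apply  | ForEach-Object { $_.Trustee.Name }) -join ', ')
        # Explicit deny entries, e.g. the branch manager groups denied Apply in Task 3
        ExplicitDenies          = (@($denied | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join ', ')
        # Should be $false for Kiosk Computer Security after Task 1 step 7
        AuthenticatedUsersApply = [bool]($apply | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' })
    }
}

# The two GPOs this exercise re-scopes: Kiosk Computer Security should apply only to the
# kiosk computers group, and Restrict Control Panel should carry deny-Apply entries for the
# Mia_, NYC_ and Tor_BranchManagersGG groups.
'Kiosk Computer Security', 'Restrict Control Panel' |
    ForEach-Object { Get-GpoApplyAudit -GpoName $_ } |
    Format-List
```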

Task 4: Create and apply a WMI filter for the Server Security GPO

1. In the GPMC, right-click the WMI Filters folder, and then click New.

2. In the Name field, type Windows Vista or XP operating system.

3. In the New WMI Filter dialog box, click Add.

4. In the WMI Query dialog box, type: Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Vista Enterprise" OR Caption = "Microsoft Windows XP Professional"

5. Click OK, and then click Save.

6. In the Group Policy Objects folder, click the Vista and XP Security policy, and then click the Scope tab.

7. In the WMI Filtering section, select the Windows Vista or XP operating system query from the drop-down list.

8. Click Yes to confirm the operation.
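A WMI filter whose query returns no instances silently prevents the GPO from applying, so it is worth evaluating the query on a target machine before linking it. The following added example, which is not part of the course lab, runs the Task 4 query through Get-WmiObject (the same WQL the Group Policy client evaluates) and shows the literal Caption value; on some Windows Vista builds the Caption carries a trailing space, which an equality comparison never matches. The LIKE variant at the end is an alternative of mine, not the lab's query.

```powershell
# Added example, not from the course lab.
function Test-WmiFilterQuery {
    param([Parameter(Mandatory)][string]$Query)
    # A WMI filter "passes" on a host when the query returns at least one instance.
    $rows = @(Get-WmiObject -Query $Query -ErrorAction Stop)
    return ($rows.Count -gt 0)
}

# The lab's query from Task 4 step 4.
$labQuery = 'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Vista Enterprise" OR Caption = "Microsoft Windows XP Professional"'

# Show the Caption exactly as WMI reports it, in brackets so a trailing space is visible.
$caption = (Get-WmiObject -Class Win32_OperatingSystem).Caption
"Caption on this host: [$caption]"
"Exact-match filter passes on this host: $(Test-WmiFilterQuery -Query $labQuery)"

# Alternative (mine, not the lab's): LIKE tolerates edition suffixes and trailing spaces.
# Narrow it further with Version or ProductType if the looser match is too broad.
$looseQuery = 'Select * from Win32_OperatingSystem where Caption LIKE "%Windows Vista%" OR Caption LIKE "%Windows XP%"'
"LIKE filter passes on this host: $(Test-WmiFilterQuery -Query $looseQuery)"
```

Run it on NYC-CL1 (or any client the filter should match); if the exact-match line prints False while the bracketed Caption shows the expected edition, the trailing-space problem is the usual cause.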

Result: At the end of this exercise you will have configured the scope of GPO settings.


Exercise 3: Verifying GPO Application

Task 1: Start NYC-CL1

• Log on to NYC-CL1 as Anton with the password Pa$$w0rd.

Task 2: Verify that a Miami branch user is receiving the correct policy

1. Log on to NYC-CL1 as Anton with a password of Pa$$w0rd.

2. Ensure that there is no link to the Run menu in the Accessories folder on the Start Menu.

3. Ensure that there is no link to Control Panel on the Start Menu.

4. Log off.

Task 3: Verify that a Miami Branch Manager is receiving the correct policy

1. Log on to NYC-CL1 as Roya with a password of Pa$$w0rd.

2. Ensure that there is no link to the Run menu in the Accessories folder on the Start Menu.

3. Click Start, and ensure that a link to Control Panel appears on the Start Menu.

4. Log off.

Task 4: Verify that a user in the IT Admin OU is receiving the correct policy

1. Log on to NYC-CL1 as Betsy with a password of Pa$$w0rd.

2. Ensure that a link to the Run menu appears in the Accessories folder on the Start Menu.

3. Ensure that a link to Control Panel appears on the Start Menu.

4. Launch Internet Explorer, and open the Favorites folder. Ensure that the link to Tech Support appears.

5. Log off.


Task 5: Verify that a user in the Executives OU is receiving the correct policy

1. Log on to NYC-CL1 as Chase with a password of Pa$$w0rd.

2. Click Start, point to Accessories, and ensure that there is no link to the Run menu in the Accessories folder.

3. Click Start, and ensure that a link to Control Panel appears on the Start Menu.

4. Ensure that there is no access to the desktop display settings.

Hint: When you attempt to access display settings, you will receive a message informing you that this has been disabled.

5. Log off.

Task 6: Verify that the last logged on username does not appear

• Verify that the last logged on username does not appear.

Task 7: Use group policy modeling to test kiosk computer settings

1. Log on to NYC-DC1 as Administrator, with a password of Pa$$w0rd.

2. Launch the GPMC, right-click the Group Policy Modeling folder, click Group Policy Modeling Wizard, and then click Next.

3. On the Domain Controller Selection page, click Next.

4. On the User and Computer Selection screen, click Computer, enter Woodgrovebank\NYC-CL1, and then click Next.

5. On the Advanced Simulation Options screen, click Next.

6. On the Alternate Active Directory Paths screen, click Next.

7. On the Computer Security Groups screen, click Add.

8. In the Select Groups dialog box, type Kiosk Computers, click OK, and then click Next.


9. On the WMI Filters for Computers screen, click Next.

10. On the Summary of Selections screen, click Next, click Finish, and then view the report. This will take a few moments to process.

Result: At the end of this exercise you will have tested and verified a GPO application.

Exercise 4: Managing GPOs

Task 1: Back up an individual policy

1. In the GPMC, open the Group Policy Objects folder.

2. Right-click the Restrict Control Panel policy, and then click Backup.

3. In the Backup dialog box, browse to D:\6425\GPOBackup, click Backup, and then click OK after the backup succeeds.

Task 2: Back up all GPOs

1. Right-click the Group Policy Objects folder, and then click Back Up All.

2. Ensure that D:\6425\GPOBackup is the selected location, click Back Up, and then click OK when the backup succeeds.

Task 3: Delete and restore an individual GPO

1. In the Group Policy Objects folder, right-click the Admin Favorites policy, and then click Delete. Click Yes to confirm the operation, and then click OK when the deletion succeeds.

2. Right-click the Group Policy Objects folder, and then click Manage Backups.

3. In the Manage Backups dialog box, select the Admin Favorites GPO, and then click Restore. Click OK to confirm the operation.

4. Click OK when the restore succeeds, and then close the Manage Backups dialog box.

5. Confirm that the Admin Favorites policy appears in the Group Policy Objects folder.


Task 4: Import a GPO

1. Right-click the Group Policy Objects folder, and then click New.

2. Name the new GPO Import, and then click OK.

3. Right-click the Import GPO, and then click Import Settings.

4. In the Import Settings Wizard, click Next.

5. On the Backup GPO page, click Next.

6. Ensure the Backup folder location is D:\6425\GPOBackup, and then click Next.

7. On the Source GPO screen, click Restrict Control Panel, and then click Next.

8. On the Scanning Backup screen, click Next, and then click Finish.

9. Click OK when the import succeeds.

10. Click the Import GPO, click the Settings tab, and then ensure that the Restrict Access to Control Panel setting is Enabled.

Result: At the end of this exercise you will have backed up, restored, and imported GPOs.

Exercise 5: Delegating Administrative Control of GPOs

Task 1: Grant Betsy the right to create GPOs in the domain

1. Select the Group Policy Objects folder, click the Delegation tab, and then click Add.

2. In the Select Users dialog box, type Betsy in the Object name field, and then click OK.

Task 2: Delegate the right to edit the Import GPO to Betsy

1. In the Group Policy Objects folder, select the Import GPO, click the Delegation tab, and then click Add.

2. In the Select Users dialog box, type Betsy in the Object name field, and then click OK.

3. In the Add Group or User dialog box, select Edit Settings from the drop-down list, and then click OK.


Task 3: Delegate the right to link GPOs to the Executives OU to Betsy

1. Select the Executives OU, click the Delegation tab, and then click Add.

2. In the Select Users dialog box, type Betsy in the Object name field, and then click OK.

3. In the Add Group or User dialog box, select This container only, and then click OK.

Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab to allow you to test the delegated permissions. As a best practice, you should install the administration tools on a Windows workstation rather than enable Domain Users to log on to domain controllers.

1. On NYC-DC1, click Start, point to Administrative Tools, and click Group Policy Management.

2. If required, expand Forest:WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then expand Domain Controllers.

3. Right-click Default Domain Controllers Policy, and then click Edit.

4. In the Group Policy Management Editor window, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

5. Double-click Allow log on locally, and then in the Allow log on locally Properties dialog box, click Add User or Group.

6. In the Add User or Group dialog box, type Domain Users, and click OK twice. Close all open windows.

7. Open a command prompt, and type GPUpdate /force, and then press ENTER. Wait for the command to complete, and then log off.


Task 5: Test the delegation

1. Log on to NYC-DC1 as Betsy.

2. From the Start menu, click Search, type MMC in the Search box, and then press ENTER. Enter Pa$$w0rd when prompted for credentials.

3. From the File drop-down menu, click Add/Remove Snap-in.

4. Select the Group Policy Management Console, click Add, and then click OK.

5. Right-click the Group Policy Objects folder, and then click New.

6. Create a new policy named Test. This operation will succeed.

7. Right-click the Import GPO, and then click Edit. This operation will succeed.

8. Right-click the Executives OU, and then link it to Test GPO. This operation will succeed.

9. Right-click the Admin Favorites policy, and attempt to edit it. This operation is not possible.

10. Close the GPMC.

Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise you will have backed up, restored, and imported GPOs.


Module 6: Configuring User Environments Using Group Policy

Lab: Configuring User Environments Using Group Policy

Exercise 1: Configuring Scripts and Folder Redirection

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create the logon script to map to the Data shared folder

1. Click Start, click Search, type Notepad in the Search box, and then press ENTER.

2. In Notepad, type Net Use J: \\NYC-DC1\Data.

3. Close Notepad and save the file as C:\Map.bat. Ensure the Save as type field is All Files.

Task 3: Copy the script to the NetLogon share, and assign it to the Miami, Toronto, and NYC OUs

1. Click Start, and then click Computer.

2. In the right pane, double-click Local Disk (C:).

3. Right-click the Map.bat script, click Copy to copy the script to the clipboard, and then close the Windows Explorer window.

4. Click Start, point to Administrative Tools, and then click Group Policy Management.


5. Expand Forest, expand Domains, expand WoodgroveBank.com, right-click the Group Policy Objects folder, and then click New.

6. In the New GPO dialog box, type Logon Script in the Name field, and then click OK.

7. Expand Group Policy Objects, right-click the Logon Script policy, and then click Edit.

8. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand Windows Settings, and then click Scripts (Logon/Logoff).

9. In the Details pane, right-click Logon, and then click Properties.

10. In the Logon Properties dialog box, click Show Files.

11. In the Details pane, right-click and then click Paste to copy the script from the clipboard to the scripts folder, and then close Windows Explorer.

12. In the Logon Properties dialog box, click Add.

13. In the Add a Script dialog box, click Browse.

14. In the Browse dialog box, select the Map.bat file, click Open, and then click OK twice. Close the Group Policy Management Editor.

15. In the Group Policy Management Console (GPMC), right-click the Miami OU, and then click Link an Existing GPO.

16. In the Select GPO dialog box, select the Logon Script GPO, and then click OK.

17. Repeat steps 15 and 16 to link the Logon Script GPO to the Toronto and NYC OUs.

18. Minimize the Group Policy Management Console (GPMC) to the taskbar.

Task 4: Share and secure a folder for the Executives group

1. Click Start, click Computer, and then navigate to D:\6425.

2. Right-click the ExecData folder, and then click Properties.

3. On the ExecData Properties dialog box, click the Sharing tab, and then click Advanced Sharing.

4. Select the Share this folder check box, and then click Permissions.

5. Click Remove to remove the Everyone group.


6. Click Add, in the Select Users field, type Executives_WoodgroveGG, and then click OK.

7. Select the check box to allow Full Control permission, and then click OK twice.

8. Click the Security tab, and then click Advanced.

9. On the Permissions tab, click Edit, and then clear the Include inheritable permissions from this object’s parent check box.

10. In the Windows Security dialog box, click Copy.

11. Remove all users and groups except Creator Owner and System.

12. Click Add, in the Select Users field, type Executives_WoodgroveGG, and then click OK.

13. Change the Apply to: field to This Folder Only, select the check boxes to allow List folder/read data and Create folders/append data for Executives_WoodgroveGG, and then click OK.

14. Click OK twice, click Close to close the ExecData Property dialog box, and then close Windows Explorer.
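The NTFS state that Task 4 leaves behind on the redirection root (inheritance broken, only SYSTEM, CREATOR OWNER and the Executives group present, and the group limited to list and create-folder on this folder only) is exactly what stops one executive from reading another's redirected Documents, so it is worth checking rather than trusting the dialog. The following added example, which is not part of the course lab, audits that state with Get-Acl; the path and group are the lab's, and the NetBIOS-prefixed form of the group name is an assumption about how the lab domain resolves it.

```powershell
# Added example, not from the course lab.
function Test-RedirectionRootAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$GroupName,   # assumed form: WOODGROVEBANK\Executives_WoodgroveGG
        [string[]]$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )
    $acl   = Get-Acl -Path $Path
    $rules = $acl.Access | Where-Object { -not $_.IsInherited }

    # Any principal that is neither the redirection group nor a permitted system identity
    $unexpected = $rules |
        Where-Object { ($AllowedIdentities + $GroupName) -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    # "List folder/read data" is ReadData and "Create folders/append data" is AppendData.
    # The GUI also adds Synchronize to Allow entries, so tolerate that bit and nothing else.
    $wanted  = [int][System.Security.AccessControl.FileSystemRights]'ReadData, AppendData'
    $allowed = $wanted -bor [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $groupOk = [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $GroupName -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $wanted) -eq $wanted -and
        (([int]$_.FileSystemRights) -band (-bnot $allowed)) -eq 0 -and
        $_.InheritanceFlags -eq 'None'      # "This folder only"
    })

    [pscustomobject]@{
        Path                 = $Path
        InheritanceBlocked   = $acl.AreAccessRulesProtected   # step 9 cleared the inherit box
        UnexpectedPrincipals = ($unexpected -join ', ')       # should be empty after step 11
        GroupScopedCorrectly = $groupOk                       # step 13
        Pass                 = $acl.AreAccessRulesProtected -and -not $unexpected -and $groupOk
    }
}

Test-RedirectionRootAcl -Path 'D:\6425\ExecData' -GroupName 'WOODGROVEBANK\Executives_WoodgroveGG'
```

Run it on NYC-DC1 after step 14; a non-empty UnexpectedPrincipals column usually means the Administrators or Users entries from step 11 were left behind.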

Task 5: Redirect the Documents folder for the Executives group

1. Restore the GPMC from the taskbar, right-click the Group Policy Objects folder, and then click New.

2. In the New GPO dialog box, type Executive Redirection in the Name field, and then click OK.

3. Right-click the Executive Redirection GPO, and then click Edit.

4. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, expand Folder Redirection, right-click Documents, and then click Properties.

5. On the Target tab, configure the setting to Basic-Redirect everyone’s folder to the same location.

6. Leave the target folder location at the default settings, and then type \\NYC-DC1\ExecData in the Root Path field.


7. Click the Settings tab, examine the current settings, and then click OK. Click Yes to acknowledge the Warning message, and then close the Group Policy Management Editor.

8. Right-click the Executives OU, and then click Link an existing GPO. Select the Executive Redirection GPO, and then click OK.

Result: At the end of this exercise you will have configured scripts and folder redirection.

Exercise 2: Configuring Administrative Templates

Task 1: Modify the Default Domain Policy to contain the settings for all computers

1. In the GPMC, click the Group Policy Objects folder, right-click the Default Domain Policy, and then click Edit.

2. Under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile. In the details pane, double-click Windows Firewall: Allow inbound remote administration exception.

3. In the Allow inbound remote administration exception dialog box, click Enabled, type localsubnet in the Allow unsolicited incoming messages from these IP addresses text box, and then click OK.

4. Under Administrative Templates, expand System, and then click Group Policy. In the details pane, double-click Group Policy slow link detection.

5. In the Properties dialog box, click Enabled, type 800 in the Connection speed (kbps) field, and then click OK.

6. Close the Group Policy Management Editor.


Task 2: Create and assign a GPO to prevent the installation of removable devices

1. Right-click the Group Policy Objects folder, and then click New.

2. In the New GPO dialog box, type Prevent Removable Devices in the Name field, and then click OK.

3. Right-click the Prevent Removable Devices GPO, and then click Edit.

4. Edit the policy by expanding Computer Configuration, expanding Policies, expanding Administrative Templates, expanding System, expanding Device Installation, and then clicking Device Installation Restrictions. Double-click Prevent installation of removable devices, click Enabled, and then click OK.

5. Close the Group Policy Management Editor.

6. Right-click the Miami OU, click Link an existing GPO, select the Prevent Removable Devices GPO, and then click OK.

7. Repeat the previous step to link the Prevent Removable Devices GPO to the Toronto and NYC OUs.

Task 3: Create and assign a GPO to encrypt offline files

1. Right-click the Group Policy Objects folder, and then click New.

2. In the New GPO dialog box, type Encrypt Offline Files in the Name field, and then click OK.

3. Right-click the Encrypt Offline Files GPO, and then click Edit.

4. Under Computer Configuration, expand Policies, expand Administrative Templates, expand Network and then click Offline Files. In the details pane, double-click Encrypt the Offline Files cache, click Enabled, and then click OK.

5. Close the Group Policy Management Editor.

6. Right-click the Executives OU, click Link an existing GPO, select the Encrypt Offline Files GPO, and then click OK.


Task 4: Create and assign a domain-level GPO for all domain users

1. Right-click the Group Policy Objects folder, and then click New.

2. In the New GPO dialog box, type All Users Policy in the Name field, and then click OK.

3. Right-click the All Users Policy GPO, and then click Edit.

4. Under User Configuration, expand Policies, expand Administrative Templates, and then click System. In the Details pane, double-click the Prevent access to registry editing tools setting, click Enabled, and then click OK.

5. Click Start Menu and Taskbar. In the details pane, double-click Remove Clock from the system notification area, click Enabled, and then click OK.

6. Close the Group Policy Management Editor.

7. Right-click the WoodgroveBank.com domain, click Link an existing GPO, select the All Users Policy GPO, and then click OK.

Task 5: Create and assign a GPO for branch users

1. Right-click the Group Policy Objects folder, and then click New.

2. In the New GPO dialog box, type Branch Users Policy in the Name field, and then click OK.

3. Right-click the Branch Users Policy GPO, and then click Edit.

4. Under User Configuration, expand Policies, expand Administrative Templates, expand System, and then click User Profiles.

5. In the details pane, double-click Limit profile size, click Enabled, type 1000000 in the size field, and then click OK.

6. Under Administrative Templates, expand Windows Components, and then click Windows Sidebar.

7. In the details pane, double-click Turn off Windows Sidebar, click Enabled, and then click OK.

8. Close the Group Policy Management Editor.

9. Right-click the Miami OU, click Link an existing GPO, select the Branch Users Policy GPO, and then click OK.


10. Repeat the previous step to link the Branch Users Policy GPO to the Toronto and NYC OUs.

11. Minimize the Group Policy Management Console.

Result: At the end of this exercise you will have configured Administrative Templates.

Exercise 3: Configuring Preferences

Task 1: Add a Notepad.exe shortcut to the desktop on NYC-DC1

1. In the GPMC, click the Group Policy Objects folder, right-click the Default Domain Policy, and then click Edit.

2. Expand Computer Configuration, expand Preferences, expand Windows Settings, right-click Shortcuts, point to New, and then click Shortcut.

3. In the New Shortcut dialog box, select Create from the Actions drop-down list.

4. In the Name field, type Notepad.

5. In the Location field, click the drop-down arrow, and then select All Users Desktop.

6. In the Target Path field, type C:\Windows\System32\Notepad.exe.

7. Click the Common tab, select the Item-level targeting check box, and then click Targeting.

8. In the Targeting Editor dialog box, click New Item, and then click Computer Name.

9. In the Computer name field, type NYC-DC1, and then click OK twice.

Task 2: Create a new folder named Reports on the C: drive of all computers running Windows Server 2008

1. Under Windows Settings, right-click Folders, point to New, and then click Folder.

2. In the New Folder dialog box, select Create from the Actions drop-down list.

3. In the Path field, type C:\Reports.


4. Click the Common tab, select the Item-level targeting check box, and then click Targeting.

5. In the Targeting Editor dialog box, click New Item, and then click Operating System.

6. In the Product list, click Windows Server 2008, and then click OK twice.

Task 3: Configure the Start menu

1. Under User Configuration, expand Preferences, expand Control Panel Settings, right-click Start Menu, point to New, and then click Start Menu (Windows Vista).

2. In the New Start Menu (Windows Vista) Properties dialog box, under Games, click Don’t display this item.

3. Under System administrative tools, click Display on the All Programs menu, and then click OK.

4. Close the Group Policy Management Editor and the GPMC.

Result: At the end of this exercise you will have configured preferences.

Exercise 4: Verifying GPO Application

Task 1: Verify that the preferences have been applied

1. Log off NYC-DC1, and then log on as Administrator using a password of Pa$$w0rd.

2. On the desktop, verify that a shortcut has been created for Notepad.

3. Open Windows Explorer and browse to the C: drive. Verify that a folder named Reports has been created on the C: drive.


4. Click Start, and click All Programs. Verify that Administrative Tools are listed on the Start menu and that the Games folder is not displayed. Preferences assigned to Windows Vista computers are also applied to Windows Server 2008 computers.

5. Close all open windows.

Note: To apply group policy preferences to Windows Vista computers, you must download and install Group Policy Preference Client Side Extensions for Windows Vista (KB943729).

Task 2: Start the 6425A-NYC-CL1 virtual machine, log on as Administrator, and observe Group Policy settings

1. Open the Virtual Server Remote Control Client, and then double-click 6425A-NYC-CL1.

2. Log on to NYC-CL1 as Woodgrovebank\Administrator using the password Pa$$w0rd. Log off and log on again as Administrator.

Note: Two logons are required because of cached credentials.

3. Ensure that the clock is not displayed in the Notification area.

4. Right-click the Taskbar, click Properties, and then click the Notification Area tab. Verify that you do not have the option to display the clock, and then click OK.

5. Log off NYC-CL1.


Task 3: Log on as a user in the Executives OU, and observe the applied settings

1. Log on to NYC-CL1 as Tony using the password Pa$$w0rd.

2. Close the Welcome Center window. Ensure that the clock is not displayed in the Notification area.

3. Click Start, right-click the Documents folder, and then click Properties. Ensure the location is \\nyc-dc1\execdata\tony.

4. Click Start, click Search, type Regedt32 in the Search box, and then press ENTER. Ensure that Registry editing is disabled.

5. Ensure that the Windows Sidebar is not displayed.

6. Log off NYC-CL1.

Task 4: Log on as a user in a Branch Office and observe the applied settings

1. Log on to NYC-CL1 as Roya using the password Pa$$w0rd. Ensure that the clock is not displayed in the Notification area.

2. Click Start, right-click the Documents folder, and then click Properties. Ensure the location is C:\Users\Roya.

3. Click Start, click Search, type Regedt32 in the search box, and then press ENTER. Ensure that Registry editing is disabled.

4. Ensure that the Windows Sidebar is not displayed.

5. Click Start, and then click Computer. Ensure that the J: drive is mapped to the Data share.

6. Log off NYC-CL1.


Task 5: Use the NYC-DC1 GPMC to review Group Policy results

1. On NYC-DC1, click Start, click All Programs, click Administrative Tools, and then click Group Policy Management.

2. Right-click Group Policy Results, and then click Group Policy Results Wizard. Click Next.

3. On the Computer Selection page, click Another computer, type WoodgroveBank\NYC-CL1, and then click Next.

4. On the User Selection page, click WOODGROVEBANK\Tony, and then click Next.

5. On the Summary of Selections page, click Next, and then click Finish.

6. In the Internet Explorer dialog box, click Add, click Add again, and then click Close.

7. In the Group Policy Results report summary, click Group Policy Objects under Computer Configuration Summary.

8. Beside Applied GPOs, click show.

Question: What policies were applied to the computer?

Answer: Only the Default Domain Policy.

9. In the Group Policy Results report summary, click Group Policy Objects under User Configuration Summary.

10. Beside Applied GPOs, click show.

Question: What policies were applied to the user?

Answer: All Users Policy, Default Domain Policy, Executive Redirection


11. Click the Settings tab. Under Computer Configuration, click Administrative Templates. Expand each of the settings.

Question: What settings were delivered to the computer?

Answer: Windows Firewall: Allow inbound remote administration exception; Group Policy slow link detection speed set to 800 Kbps.

12. Under User Configuration, expand each of the settings.

Question: What settings were delivered to the user?

Answer: The Executive Redirection policy delivers folder redirection settings. The All Users Policy delivers settings to remove the clock and disable registry editing.

Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise you will have verified the GPO application.


Module 7: Implementing Security Using Group Policy

Lab: Implementing Security Using Group Policy

Exercise 1: Configure account and security policy settings

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create an account policy for the domain

1. Click Start, point to Administrative Tools, and then click Group Policy Management.

2. Expand Forest, expand Domains, expand WoodgroveBank.com, and then click the Group Policy Objects folder.

3. In the details pane, right-click the Default Domain Policy, and then click Edit.

4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policy.

5. In the details pane, double-click Minimum password length, set the value to 8 characters, and then click OK.

6. Double-click the Minimum password age setting, set the value to be 19 days, and then click OK.

7. Double-click the Maximum password age setting, set the value to be 20 days, and then click OK.

8. In the left pane, click Account Lockout Policy.


9. In the details pane, double-click the Account lockout threshold setting, set the value to be 5 invalid logon attempts, and then click OK.

10. In the Suggested Value Changes dialog box, click OK to accept the values of 30 minutes, and then click OK.

11. Close the Group Policy Management Editor, and leave the GPMC open.

Task 3: Configure local policy settings for a Windows Vista client

1. Start NYC-CL1 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd.

2. Click Start, and then type MMC in the Search box. Press ENTER to open a new Microsoft Management Console.

3. Click File, and then click Add/Remove Snap-in.

4. In the Add or Remove Snap-ins dialog box, select the Group Policy Object Editor, click Add, click Finish and then click OK.

5. Expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options. In the details pane, double-click Accounts: Administrator Account Status, click Enabled, and then click OK.

6. Click File, and then click Add/Remove Snap-in.

7. In the Add or Remove Snap-ins dialog box, select the Group Policy Object Editor, click Add, and then click Browse.

8. In the Browse for a Group Policy Object dialog box, click the Users tab, select the Non-Administrators group, click OK, click Finish, and then click OK.

9. Expand Local Computer\Non-Administrators Policy, expand User Configuration, expand Administrative Templates, click Start Menu and Taskbar, double-click Remove Run menu from Start Menu, click Enabled, and then click OK.

10. Close the MMC and do not save the changes.


Task 4: Create a wireless network policy for Windows Vista clients

1. Switch to NYC-DC1.

2. In the Group Policy Management Console (GPMC), right-click the Group Policy Objects folder, and then click New.

3. In the New GPO dialog box, type Vista Wireless in the Name field, and then click OK.

4. Right-click the Vista Wireless policy, and then click Edit.

5. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, right-click Wireless Network (IEEE 802.11) Policies, and then click Create a New Windows Vista Policy.

6. In the New Vista Wireless Network Policy Properties dialog box, on the General tab, click Add, and then click Infrastructure.

7. In the New Profiles properties dialog box, type Corporate in the Profile Name field.

8. In the Network Name (SSID) field, type Corp, and then click Add.

9. Click the Security tab, set the Authentication to be Open with 802.1X, and then click OK.

10. Click the Network Permissions tab, and then click Add.

11. In the New Permission Entry dialog box, type Research in the Network Name (SSID): field, set the Permission to Deny, and then click OK twice.

12. Close the Group Policy Management Editor.

13. Right-click the Woodgrovebank.com domain container, and then click Link an existing GPO.

14. In the Select GPO dialog box, select the Vista Wireless GPO, and then click OK.


Task 5: Configure a policy that prohibits a service on all domain controllers

1. In the GPMC, open the Group Policy Objects folder, right-click the Default Domain Controllers Policy, and then click Edit.

2. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click System Services.

3. In the details pane, double-click Remote Registry, select the check box to Define this policy setting, click Disabled, and then click OK.

4. Close the Group Policy Management Editor and leave the GPMC open.

Result: At the end of this exercise you will have configured account and security policy settings.

Exercise 2: Implementing Fine-Grained Password Policies

Task 1: Create a PSO using ADSI Edit

1. On NYC-DC1, click Start, click Run, type adsiedit.msc, and then click OK.

2. In the ADSI Edit console, right-click ADSI Edit, and then click Connect to.

3. In the Connection Settings dialog box, click OK.

4. Expand the Default Naming Context, expand DC=woodgrovebank, DC=com, expand CN=System, right-click CN=Password Settings Container, point to New, and then click Object.

5. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next.

6. In Value, type ITAdmin, and then click Next.

7. In the msDS-PasswordSettingsPrecedence value, type 10, and then click Next.

8. In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE, and then click Next.

9. In the msDS-PasswordHistoryLength value, type 30, and then click Next.

10. In the msDS-PasswordComplexityEnabled value, type TRUE, and then click Next.


11. In the msDS-MinimumPasswordLength value, type 10, and then click Next.

12. In the msDS-MinimumPasswordAge value, type -5184000000000, and then click Next.

13. In the msDS-MaximumPasswordAge value, type -6040000000000, and then click Next.

14. In the msDS-LockoutThreshold value, type 3, and then click Next.

15. In the msDS-LockoutObservationWindow value, type -18000000000, and then click Next.

16. In the msDS-LockoutDuration value type -18000000000, click Next, and then click Finish.

17. Close the ADSI Edit MMC without saving changes.

Task 2: Assign the ITAdmin password policy to the IT Admins global group

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. Click View, and then click Advanced Features.

3. Expand woodgrovebank.com, expand System, and then click Password Settings Container. In the details pane, right-click the ITAdmin PSO, and then click Properties.

4. In the ITAdmin Properties dialog box, click the Attribute Editor tab. Scroll down, select the msDS-PSOAppliesTo attribute, and then click Edit.

5. In the Multi-valued Distinguished Name With Security Principal Editor dialog box, click Add Windows Account.

6. Type ITAdmins_WoodgroveGG, and then click OK three times.

7. Close Active Directory Users and Computers.

Result: At the end of this exercise, you will have implemented fine grained password policies.
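The same PSO created and linked from PowerShell instead of ADSI Edit, as an added example that is not part of the 6425A lab. It assumes it runs on NYC-DC1 as a Domain Admin with the PowerShell feature installed, that the domain is woodgrovebank.com, and that the ITAdmins_WoodgroveGG group from Task 2 exists; group and member DNs are looked up rather than typed. Part 1 reads back the domain-wide values that Exercise 1 set through the Default Domain Policy, part 2 writes the PSO through ldifde so the attribute strings are handled exactly as ADSI Edit handles them, and part 3 asks AD which PSO actually wins for a group member through the constructed attribute msDS-ResultantPSO. The Integer8 durations are negative counts of 100-nanosecond intervals: -5184000000000 is exactly 6 days and -18000000000 exactly 30 minutes, while the lab's -6040000000000 for the maximum age is 800 seconds short of 7 days (the example computes exactly 7 days). msDS-MaximumPasswordAge must be greater than msDS-MinimumPasswordAge, or the object is rejected.

```powershell
# Added example, not part of the 6425A lab. Run on NYC-DC1 as a Domain Admin.
$domainDN = "DC=woodgrovebank,DC=com"
$psoDN    = "CN=ITAdmin,CN=Password Settings Container,CN=System,$domainDN"

# Integer8 durations are negative counts of 100-nanosecond intervals.
function ConvertTo-Integer8 ([double]$minutes) {
    [string]([int64](-1 * $minutes * 60 * 10000000))
}
function ConvertFrom-Integer8 ([int64]$value) {
    if ($value -eq [int64]::MinValue) { return "never" }   # maxPwdAge "password never expires"
    $ts = New-Object System.TimeSpan (-1 * $value)
    "{0}d {1:00}h {2:00}m" -f $ts.Days, $ts.Hours, $ts.Minutes
}

function Find-DirectoryObject ([string]$filter, [string[]]$attributes) {
    # DirectorySearcher returns Integer8 attributes as [int64]; [ADSI] returns COM objects.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDN")
    $searcher.Filter = $filter
    foreach ($a in $attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    $searcher.FindOne()
}

# 1. Domain-wide values as set by the Default Domain Policy in Exercise 1
$dom = Find-DirectoryObject "(objectClass=domainDNS)" @("minPwdLength", "minPwdAge", "maxPwdAge", "lockoutThreshold", "lockoutDuration")
$vals = @(
    $dom.Properties["minpwdlength"][0],
    (ConvertFrom-Integer8 $dom.Properties["minpwdage"][0]),
    (ConvertFrom-Integer8 $dom.Properties["maxpwdage"][0]),
    $dom.Properties["lockoutthreshold"][0],
    (ConvertFrom-Integer8 $dom.Properties["lockoutduration"][0])
)
"Domain: min length {0}, min age {1}, max age {2}, lockout after {3} attempts for {4}" -f $vals

# 2. The PSO as LDIF: the Task 1 values with the durations computed (6 days, 7 days,
#    30 minutes) instead of typed, and the Task 2 group link in the same add.
#    ldifde -k continues past "object already exists" if Task 1 was already done.
$group = Find-DirectoryObject "(&(objectClass=group)(sAMAccountName=ITAdmins_WoodgroveGG))" @("distinguishedName", "member")
if ($group -eq $null) { throw "Group ITAdmins_WoodgroveGG not found" }
$groupDN = $group.Properties["distinguishedname"][0]

$ldif = @"
dn: $psoDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 30
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 10
msDS-MinimumPasswordAge: $(ConvertTo-Integer8 (6 * 24 * 60))
msDS-MaximumPasswordAge: $(ConvertTo-Integer8 (7 * 24 * 60))
msDS-LockoutThreshold: 3
msDS-LockoutObservationWindow: $(ConvertTo-Integer8 30)
msDS-LockoutDuration: $(ConvertTo-Integer8 30)
msDS-PSOAppliesTo: $groupDN
"@
$ldifPath = Join-Path $env:TEMP "ITAdmin-PSO.ldf"
$ldif | Out-File -FilePath $ldifPath -Encoding ASCII
ldifde -i -k -f $ldifPath

# 3. Which PSO wins for a member? The lowest msDS-PasswordSettingsPrecedence wins among
#    group-linked PSOs, and a PSO linked directly to the user beats any group-linked one.
#    msDS-ResultantPSO is constructed, so it must be requested by name.
if ($group.Properties["member"].Count -gt 0) {
    $memberDN = $group.Properties["member"][0]
    $user = Find-DirectoryObject "(distinguishedName=$memberDN)" @("sAMAccountName", "msDS-ResultantPSO")
    $pso = if ($user.Properties["msds-resultantpso"].Count -gt 0) { $user.Properties["msds-resultantpso"][0] } else { "(none: domain policy applies)" }
    "{0} -> {1}" -f $user.Properties["samaccountname"][0], $pso
}
```

If part 3 prints "(none: domain policy applies)" for a user who is in the group, the usual causes are a domain functional level below Windows Server 2008 (PSOs are ignored) or a PSO whose msDS-PSOAppliesTo points at the wrong object; part 1 then shows the values that are really in force.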


Exercise 3: Configuring Restricted Groups and Software Restriction Policies

Task 1: Configure restricted groups for the local administrators group

1. If required, click Start, point to Administrative Tools, and then click Group Policy Management.

2. Expand Forest, expand Domains, expand WoodgroveBank.com, and then click the Group Policy Objects folder.

3. In the details pane, right-click the Default Domain Policy, and then click Edit.

4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, click Restricted Groups, then right-click Restricted Groups and click Add Group.

5. In the Add Group dialog box, type Administrators and then click OK.

6. In the Administrators Properties dialog box, click Add.

7. In the Add Members dialog box, type: Woodgrovebank\ITAdmins_WoodgroveGG, and then click OK.

8. In the Administrators Properties dialog box, click Add.

9. In the Add Members dialog box, type Woodgrovebank\Domain Admins, and then click OK twice.

10. Close the Group Policy Management Editor.

Task 2: Prohibit Internet Explorer and VBS scripts from running on domain controllers

1. In the Group Policy Management Console, in the details pane, right-click the Default Domain Controllers Policy, and then click Edit.

2. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click Software Restriction Policies.

3. Right-click Software Restriction Policies, and then click New Software Restriction Policy.

4. In the details pane, right-click Additional Rules, and then click New Hash Rule.


5. In the New Hash Rule dialog box, click Browse, navigate to C:\Program Files\Internet Explorer\iexplore.exe, and then click Open.

6. Ensure that the Security level is Disallowed, and then click OK.

7. Right-click Additional Rules, and then click New Path Rule.

8. In the Path field, type *.vbs, and then click OK.

9. Close the Group Policy Management Editor.

Result: At the end of this exercise you will have configured restricted groups and software restriction policies.

Exercise 4: Configuring Security Templates

Task 1: Create a security template for the file and print servers

1. Click Start, type MMC in the Search box, and then press ENTER.

2. Click File, and then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, scroll down, click Security Templates, click Add, and then click OK.

4. Expand Security Templates, right-click C:\Users\Administrator\Documents\Security\Templates, and then click New Template.

5. In the C:\Users\Administrator\Documents\Security\Templates dialog box, type FPSecurity in the Template name field, and then click OK.

6. Expand FPSecurity, expand Local Policies, and then click Security Options.

7. In the details pane, double-click Accounts: Rename administrator account, select the check box to define this policy setting in the template, type FPAdmin in the Define this policy setting field, and then click OK.

8. In the details pane, double-click Interactive Logon: Do not display last user name, check the Define this policy setting in the template check box, click Enabled, and then click OK.

9. In the folder pane, right-click FPSecurity, and then click Save.

10. Close the MMC without saving the changes.


Task 2: Start NYC-SVR1, join the domain, and disable the Windows Firewall

1. Start NYC-SVR1. Log on as LocalAdmin with a password of Pa$$w0rd.

2. If required, open Server Manager. Click Change System Properties.

3. On the Computer Name tab, click Change.

4. In the Member of section, click Domain, type WoodgroveBank.com in the field, and then click OK.

5. Enter the credentials of Administrator and Pa$$w0rd, and then click OK.

6. Click OK to restart the computer.

7. Log on as Woodgrovebank\Administrator, with the password Pa$$w0rd.

8. Click Start, click Control Panel, double-click Windows Firewall, and then click Change settings.

9. In the Windows Firewall Settings dialog box, click Off, and then click OK to disable the Windows Firewall.

Note: Disabling the Windows Firewall in the previous step is done only to simplify the lab; it is not a recommended practice.

10. Close Windows Firewall, and then close Control Panel.

Task 3: Run the Security Configuration Wizard and import the FPSecurity template

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Security Configuration Wizard.

2. On the Welcome screen, click Next.

3. On the Configuration Action screen, click Next.

4. On the Select Server screen, type NYC-SVR1.woodgrovebank.com, and then click Next.

5. After the configuration database has been processed, click Next.

6. On the Role-Based service Configuration screen, click Next.


7. On the Select Server Roles screen, clear the DNS Server check box.

8. Check the File Server check box.

9. Check the Print Server check box, and then click Next.

10. On the Select Client Features window, click Next.

11. On the Select Administration and Other Options screen, click Next.

12. On the Select Additional Services screen, click Next.

13. On the Handling Unspecified Services screen, click Next.

14. On the Confirm Service Changes screen, examine the changes, and then click Next.

15. On the Network Security screen, click Next.

16. On the Network Security Rules screen, click Next.

17. On the Registry Settings screen, click Next.

18. On the Require SMB Security Signatures screen, click Next.

19. On the Outbound Authentication Methods screen, click Next.

20. On the Outbound Authentication using Domain Accounts screen, check the Clocks that are synchronized with the selected server’s clock check box, and then click Next.

21. On the Inbound Authentication Methods screen, click Next.

22. On the Registry Settings summary screen, click Next.

23. On the Audit Policy screen, click Next.

24. On the System Audit Policy screen, click Next.

25. On the Audit Policy Summary screen, click Next.

26. On the Save Security Policy screen, click Next.

27. On the Security Policy File Name screen, type FPPolicy at the end of the C:\Windows\security\msscw\policies\ path, and then click Include Security Templates.

28. On the Include Security Templates dialog box, click Add.

29. Navigate to Documents\Security\Templates\FPSecurity, click Open, click OK, and then click Next.


30. On the Apply Security Policy screen, click Apply Now, and then click Next.

31. On the Applying Security Policy screen, click Next, and then click Finish.

Task 4: Transform the FPPolicy into a GPO

1. On NYC-DC1, click Start, and then click Command Prompt.

2. In the Administrator: Command Prompt window, type scwcmd transform /p:"C:\Windows\security\msscw\Policies\FPpolicy.xml" /g:FileServerSecurity, and then press ENTER.

3. Open the GPMC if necessary, and then click the Group Policy Objects folder. Double-click the FileServerSecurity GPO, and click the Settings tab.

4. In the Internet Explorer dialog box, click Add, click Add again, and then click Close. Examine the Group Policy settings.

5. Close the GPMC and log off NYC-DC1.

Result: At the end of this exercise you will have configured security templates.
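Neither the wizard nor scwcmd transform tells you whether NYC-SVR1 now matches what was defined, so the following added example (not part of the 6425A lab) reads that back. It assumes FPSecurity.inf has been copied from NYC-DC1 to C:\Templates on NYC-SVR1 (an assumed path), that the PowerShell feature is installed on both servers, and that the script runs as an administrator on NYC-SVR1 for the template check and on NYC-DC1 for the SCW check; it picks the part to run from the computer name. secedit /analyze only compares (secedit /configure is the one that changes settings), and the two settings the template defines are also read from where they land so the verdict does not depend on the log format.

```powershell
# Added example, not part of the 6425A lab.
function Test-SecurityTemplate ([string]$template) {
    # Import the template into a fresh database and compare the machine against it.
    $db  = Join-Path $env:TEMP "FPSecurity.sdb"
    $log = Join-Path $env:TEMP "FPSecurity.log"
    if (Test-Path $db) { Remove-Item $db }
    secedit /analyze /db $db /cfg $template /log $log /quiet | Out-Null
    # Deviations are logged as "Mismatch"; settings the template leaves alone as "Not Configured".
    Get-Content $log | Where-Object { $_ -match "Mismatch" }
}

function Test-FPSecuritySettings {
    # "Interactive logon: Do not display last user name" lands in this registry value.
    $sys = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    "DontDisplayLastUserName = " + $sys.DontDisplayLastUserName + " (1 = Enabled)"
    # "Accounts: Rename administrator account" renames the RID 500 account, whatever it is called now.
    $builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    "Built-in administrator (RID 500) is named: " + $builtin.Name + " (expected FPAdmin)"
}

function Test-ScwPolicy ([string]$server, [string]$policy) {
    # scwcmd analyze compares a remote server with a saved SCW policy (FPPolicy includes the
    # FPSecurity template) and writes one XML result per machine; scwcmd view renders it.
    $out = Join-Path $env:TEMP "scw-results"
    New-Item -ItemType Directory -Path $out -Force | Out-Null
    scwcmd analyze /m:$server /p:$policy /o:$out
    Get-ChildItem $out -Filter *.xml | ForEach-Object { scwcmd view /x:$($_.FullName) }
}

switch ($env:COMPUTERNAME) {
    "NYC-SVR1" {
        $mismatch = @(Test-SecurityTemplate "C:\Templates\FPSecurity.inf")   # assumed copy location
        if ($mismatch.Count -eq 0) { "No mismatches against FPSecurity" } else { $mismatch }
        Test-FPSecuritySettings
    }
    "NYC-DC1" {
        Test-ScwPolicy "NYC-SVR1.woodgrovebank.com" "C:\Windows\security\msscw\Policies\FPPolicy.xml"
    }
}
```

Running the template check before the SCW policy is applied and again afterwards gives a before/after diff of exactly the settings that changed, which is also how you confirm that a later GPO has not silently undone them.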

Exercise 5: Verifying the Security Configuration

Task 1: Log on as the Local Administrator of the Windows Vista computer, and check the membership of the local administrators group

1. Log on to NYC-CL1 as NYC-CL1\administrator with the password Pa$$w0rd.

2. Click Start, click Search, type CMD in the Search box, and then press ENTER.

3. At the command prompt, type GPupdate /force, and then press ENTER.

4. Click Start, click All Programs and then click Accessories. Ensure that the Run menu appears.

5. Click Start, click Control Panel, click User Accounts, click User Accounts again, click Manage User Accounts, click the Advanced tab, click Advanced, click Groups, and then double-click Administrators. Ensure that the Domain Admins and the ITAdmins global groups are present.

6. Restart NYC-CL1.


Task 2: Log on to the Windows Vista computer as an ordinary user, and test the policy

1. Log on to NYC-CL1 as Woodgrovebank\Roya, with a password of Pa$$w0rd.

2. Click Start, click All Programs, and then click Accessories. Ensure that the Run menu does not appear.

3. Press Right-ALT+DELETE (the Virtual PC host-key equivalent of CTRL+ALT+DELETE), and then click Change a password.

4. In the Old Password field, type Pa$$w0rd.

5. In the New Password and Confirm password fields, type w0rdPa$$. You will not be able to update the password because the minimum password age has not expired.

6. Log off NYC-CL1.

Task 3: Log on to the domain controller as the domain administrator, and test software restrictions and services

1. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

2. Click Start, and then click Command Prompt. In the command prompt, type gpupdate /force, and then press ENTER.

3. Click Start, click Internet Explorer, read the error message, and then click OK.

4. Click Start, click Computer, navigate to D:\6425\mod07\labfiles, and then double-click Hello.vbs. Read the error message, and then click OK.

5. Click Start, click Administrative Tools, and then click Services. In the details pane, scroll down to the Remote Registry service, and ensure that it is Disabled.
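A script-based version of the checks in Tasks 1 and 3, as an added example that is not part of the 6425A lab, so the Restricted Groups, Software Restriction Policy and System Services results can be read back after gpupdate without clicking through the GUI. It assumes the PowerShell feature is installed and the script runs elevated on the machine being checked (NYC-CL1 for the local group, NYC-DC1 for the other two). Two caveats worth keeping in mind when you read the output: Restricted Groups "Members of this group" enforces the whole list, so any member not in it is removed at every policy refresh; and a hash rule is tied to one exact binary, so the iexplore.exe rule stops matching as soon as the file is patched, while the *.vbs path rule keeps matching any .vbs file anywhere.

```powershell
# Added example, not part of the 6425A lab. Run elevated on the machine being checked.
function Get-LocalGroupMembers ([string]$groupName) {
    # WinNT provider: available on Vista and Server 2008 without extra modules.
    $group = [ADSI]"WinNT://./$groupName,group"
    foreach ($m in $group.psbase.Invoke("Members")) {
        $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
    }
}

function Get-SaferRules {
    # Machine-level Software Restriction Policy as delivered by Group Policy.
    $base = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    $levelName = @{ 0 = "Disallowed"; 131072 = "Basic User"; 262144 = "Unrestricted" }
    if (-not (Test-Path $base)) { return "no software restriction policy applied" }
    $root = Get-ItemProperty $base
    "Default level: " + $levelName[[int]$root.DefaultLevel]
    foreach ($levelKey in Get-ChildItem $base) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # subkeys are named by level
        $level = $levelName[[int]$levelKey.PSChildName]
        foreach ($kind in "Hashes", "Paths") {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($rule in Get-ChildItem $kindPath) {
                $p = Get-ItemProperty $rule.PSPath
                $data = $p.ItemData
                if ($data -is [byte[]]) {   # hash rules store the hash as binary
                    $data = [BitConverter]::ToString($data).Replace("-", "")
                }
                "{0,-12} {1,-6} {2}  ({3})" -f $level, $kind, $data, $p.Description
            }
        }
    }
}

"== Local Administrators (expected: Domain Admins and ITAdmins_WoodgroveGG) =="
Get-LocalGroupMembers "Administrators"

"== Software Restriction Policy rules =="
Get-SaferRules

"== Remote Registry service (expected StartMode Disabled) =="
Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'" | Format-Table Name, StartMode, State -AutoSize
```

If the SRP section prints "no software restriction policy applied" on NYC-DC1, the Default Domain Controllers Policy has not refreshed yet; run gpupdate /force and check again before assuming the rules were not saved.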

Task 4: Use Group Policy Modeling to test the settings on the file and print server

1. Open the GPMC, right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.

2. On the Welcome screen, click Next.


3. On the Domain Controller Selection screen, click Next.

4. On the User and Computer Selection screen, click Computer, type Woodgrovebank\NYC-SVR1, and then click Next.

5. On the Advanced Simulation Options screen, click Next.

6. On the Alternate Active Directory Paths screen, click Next.

7. On the Computer Security Groups screen, click Next.

8. On the WMI Filters for Computers screen, click Next.

9. On the Summary of Selections screen, click Next, and then click Finish. Observe the policy settings.

Task 5: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise you will have verified the security configuration.


Module 8: Implementing an Active Directory® Domain Services Monitoring Plan

Lab: Monitoring AD DS

Exercise 1: Monitor AD DS by Using Event Viewer

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. In the Lab Launcher, next to 6425A-NYC-DC2, click Launch.

4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

5. Log on to NYC-DC2 as Administrator with the password Pa$$w0rd.

6. Minimize the Lab Launcher window.

Task 2: Create a custom view to capture the relevant events

1. On NYC-DC1, log on as Administrator with the password Pa$$w0rd.

2. Click Start, click Administrative Tools, and then click Event Viewer.

3. Right-click Custom Views, and then click Create Custom View.

4. In the Create Custom View dialog box, select the three check boxes for Critical, Warning, and Error.

5. Click the Event Logs drop-down arrow, expand Application and Services Logs, select the two check boxes for Directory Service and DNS Server, and then click OK.

6. In the Save Filter to Custom View dialog box, type Directory Service in the Name field, and then click OK.


Task 3: Export the custom view

1. Right-click the Directory Service custom view, and then click Export Custom View.

2. In the Save As dialog box, navigate to D:\6425\data, type Active Directory in the File Name field, and then click Save.

Task 4: Import the custom view

1. Log on to NYC-DC2 as Administrator with the password Pa$$w0rd.

2. Click Start, click Administrative Tools, and then click Event Viewer.

3. Right-click Custom Views, and then click Import Custom View.

4. In the Import Custom View dialog box, type \\NYC-DC1\Data\Active Directory.xml, and then click Open.

5. In the Import Custom View File dialog box, click OK.

Task 5: Configure computers to forward and collect events

1. On NYC-DC1 (the collector computer), click Start, and then click Command Prompt.

2. In the command-prompt window, type wecutil qc, press ENTER, type Y, and then press ENTER to make the changes.

3. Close the command prompt.

4. Switch to NYC-DC2 (the source computer).

5. Click Start, and then click Command Prompt.

6. In the command-prompt window, type winrm quickconfig, press ENTER, type Y, and then press ENTER to make the changes.

7. Close the command prompt.


Task 6: Create a subscription to forward system events to NYC-DC1

1. On NYC-DC1, in Event Viewer, right-click Subscriptions, and then click Create Subscription.

2. In the Subscription Properties dialog box, type Service Events in the Subscription Name field, click Collector Initiated, and then click Select Computers.

3. In the Computers dialog box, click Add Domain Computers.

4. In the Select Computers dialog box, type NYC-DC2, and then click OK twice.

5. Click Select Events, and then in the Query Filter dialog box, select the Information check box.

6. Click the drop-down arrow beside Event Logs, expand Windows Logs and then select the System log check box.

7. In the Event ID field, type 7036, and then click OK.

8. Click Advanced, click Specific User, and then click User and Password.

9. In the Credentials for Subscriptions Source, ensure the user name is Woodgrovebank\Administrator, enter a password of Pa$$w0rd, and then click OK.

10. Click Minimize Latency, and then click OK twice. Click Yes if the Event Viewer messages appear.

11. In the folder pane, click the Subscriptions folder, and ensure that the Service Events subscription status is Active.

12. On NYC-DC2, click Start, and then click Command Prompt.

13. In the Command Prompt, type Net Stop DNS, and then press ENTER.

14. Type Net Start DNS, and then press ENTER.

15. On NYC-DC1, in Windows Logs, click the Forwarded Events log. Examine the information events.

Note: Actual events may take a few minutes to show up in the Forwarded Events log. Start and stop the DNS service again, if required.
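The queries the Event Viewer wizards generate in Tasks 2 and 6, run from the command line, as an added example that is not part of the 6425A lab. It assumes the PowerShell feature is installed on NYC-DC1 and that the script runs there as a Domain Admin, with NYC-DC2 as the source and the subscription named Service Events as in Task 6. The XPath is what the Critical, Error and Warning check boxes produce (Level 1, 2 and 3), the winrm and wecutil calls are the checks to run when the Forwarded Events log stays empty, and the runtime status is where a wrong credential or a blocked listener on the source shows up as a per-source error.

```powershell
# Added example, not part of the 6425A lab. Run on NYC-DC1 (the collector) as a Domain Admin.

# 1. The XPath behind the "Directory Service" custom view: Level 1 = Critical,
#    2 = Error, 3 = Warning, from the two logs selected in Task 2.
$xpath = "*[System[(Level=1 or Level=2 or Level=3)]]"
foreach ($log in "Directory Service", "DNS Server") {
    "--- $log (newest 5) ---"
    wevtutil qe $log "/q:$xpath" /c:5 /rd:true /f:text
}

# 2. Is the source reachable over WinRM? winrm quickconfig on NYC-DC2 created the
#    listener and the firewall exception; this fails if either is missing.
winrm id -r:NYC-DC2

# 3. Subscription configuration and runtime status on the collector. The runtime
#    status lists each source with its last error.
wecutil gs "Service Events"
wecutil gr "Service Events"

# 4. Did anything arrive? Service Control Manager 7036 = a service entered a state.
wevtutil qe ForwardedEvents "/q:*[System[(EventID=7036)]]" /c:5 /rd:true /f:text
```

Step 4 is the only one that proves end-to-end delivery; steps 2 and 3 tell you which side to fix when it prints nothing.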


Task 7: Attach a task to an event log and to an event

1. On NYC-DC1, expand Windows Logs, right-click the Setup log, and then click Attach a Task to this Log.

2. In the Create a Basic Task wizard, click Next.

3. On the When a Specific Event is Logged screen, click Next.

4. On the Action screen, click Send an e-mail, and then click Next.

5. On the Send an E-mail screen, type Event Viewer in the From field.

6. Type [email protected] in the To field.

7. Type Application Installation in the Subject field.

8. Type Mail.Woodgrovebank.com in the SMTP Server field, and then click Next.

9. On the Summary page, click Finish. In the Event Viewer message box, click OK.

10. Click the Forwarded Events log to open it.

11. Right-click one of the 7036 events, and then click Attach Task To This Event.

12. On the Create a Basic Task screen, click Next.

13. On the When a Specific Event is Logged screen, click Next.

14. On the Action screen, click Display a Message, and then click Next.

15. On the Display a Message screen, type Service Event in the Title field, and then type A service stopped or started in the Message field. Click Next, and then click Finish. Click OK to acknowledge the Event Viewer message.


16. Switch to NYC-DC2, and repeat the steps to stop and start the DNS service. The message box will appear, displaying your message. Click OK to acknowledge the message.

Note: The message box may be hidden behind the Event Viewer window. Look for it on the Task Bar.

17. Close all open windows.

Result: At the end of this exercise you will have monitored AD DS using Event Viewer.

Exercise 2: Monitor AD DS by Using Performance and Reliability Monitor

Task 1: Configure the Performance and Reliability Monitor to monitor AD DS

1. On NYC-DC1, click Start, click Administrative Tools, click Reliability and Performance Monitor, and then click Performance Monitor.

2. Click the green Plus sign on the toolbar to add objects and counters.

3. In the Add Counters dialog box, expand the Directory Services object, select the DRA Inbound Bytes Total/sec counter, and then click Add.

4. Repeat the previous step to add the following counters:

• DRA Outbound Bytes Total/sec

• DS Threads In Use

• DS Directory Reads/sec

• DS Directory Writes/sec

5. Expand Security System-Wide Statistics, and add the Kerberos Authentications counter.

6. Expand DNS, add the UDP Query Received counter, and then click OK.


Task 2: Create a data collector set

1. In the folder pane, right-click Performance Monitor, click New, and then click Data Collector Set.

2. In the Create New Data Collector Set dialog box, type Active Directory in the Name field, and then click Next.

3. Leave the Root directory as the default path, click Next, and then click Finish.

4. Expand Data Collector Sets, expand User Defined, right-click the Active Directory data collector set, and then click Start.

5. Expand Reports, expand User Defined, expand Active Directory, and then click System Monitor Log.blg. The Report Status shows that the log is collecting data.

6. In the Data Collector Sets section, right-click the Active Directory data collector set, and then click Stop.

7. Click the System Monitor Log.blg. The log chart is displayed in the details pane.

Result: At the end of this exercise you will have monitored AD DS using the Performance and Reliability Monitor.
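The Task 1 counters as a data collector set created from the command line, as an added example that is not part of the 6425A lab, so the same collection can be repeated on every domain controller or scheduled rather than rebuilt by hand. It assumes it runs on NYC-DC1 as an administrator with the PowerShell feature installed, that C:\PerfLogs\AD is an acceptable output folder (an assumption), and that the command-line tools expose the directory service counters under the NTDS object; confirm that last point with typeperf -q NTDS before relying on the paths.

```powershell
# Added example, not part of the 6425A lab. Run on NYC-DC1 as an administrator.
$counters = @(
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DS Threads in Use',
    '\NTDS\DS Directory Reads/sec',
    '\NTDS\DS Directory Writes/sec',
    '\Security System-Wide Statistics\Kerberos Authentications',
    '\DNS\UDP Query Received'
)
$name = "Active Directory"
$out  = "C:\PerfLogs\AD"        # assumed output folder
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 15-second sample interval, binary log (.blg) like the GUI collector set
logman create counter $name -c $counters -si 00:00:15 -f bin -o (Join-Path $out "ad_counters")
logman start $name
Start-Sleep -Seconds 120        # collect for two minutes
logman stop $name
logman query $name              # status and output file

# Convert the newest log to CSV so it can be read without Performance Monitor
$blg = Get-ChildItem $out -Filter *.blg | Sort-Object LastWriteTime -Descending | Select-Object -First 1
relog $blg.FullName -f csv -o (Join-Path $out "ad_counters.csv")
```

The CSV has one column per counter path and one row per sample, which is the shape you want when comparing replication traffic (DRA bytes) against Kerberos and DNS load across several DCs.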

Exercise 3: Configure AD DS Auditing

Task 1: Examine the current state of the audit policy

1. On NYC-DC1, click Start, and then click Command Prompt.

2. In the command-prompt window, type Auditpol.exe /get /category:*, press ENTER, and then examine the default audit-policy settings.

3. Minimize the command prompt.


Task 2: Enable DS Access auditing on domain controllers

1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.

2. Open the Group Policy Objects folder, right-click the Default Domain Controllers Policy, and then click Edit.

3. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy. Notice that all policy settings are set to Not Defined.

4. Double-click Audit Directory Service Access, select the Define these policy settings check box, select both the Success and Failure check boxes, and then click OK.

5. Close the Group Policy Management Editor, and then close the Group Policy Management console.

6. Restore the Command Prompt, and then type Gpupdate and press ENTER.

7. When the update completes, run the Auditpol.exe /get /category:* command again, and then examine the audit policy.

8. Close the command prompt.

Task 3: Set the SACL for the domain

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. Click the View menu, and then click Advanced Features.

3. Right-click woodgrovebank.com, and then click Properties.

4. In the Properties dialog box, click the Security tab, click Advanced, click the Auditing tab, and then click Add.

5. In the Select Users, Computers, and Groups dialog box, type Everyone, and then click OK.

6. In the Auditing Entry for Woodgrovebank dialog box, select both the Successful and Failed Write all Properties check boxes, and then click OK three times.


Task 4: Test the policy

1. Right-click the Toronto OU, click Rename, and then rename the OU to GTA.

2. Open Event Viewer, expand Windows Logs, and then click Security.

3. Open event 4662, and examine the event.

4. Return to Active Directory Users and Computers, and edit any user account to change the phone number.

5. Return to Event Viewer, and examine the resulting directory service changes events.

6. Close all open windows.

7. Shut down all virtual machines without saving any changes.
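The Tasks 2 to 4 configuration done with auditpol and System.DirectoryServices, then the resulting events pulled back, as an added example that is not part of the 6425A lab. It assumes it runs on NYC-DC1 as a Domain Admin with the PowerShell feature installed, that the domain is woodgrovebank.com, and that the lab user Roya exists; the phone number written to her account is a constructed value. The point it adds to the lab: the GPO setting "Audit directory service access" turns on all four DS Access subcategories at once, whereas auditpol on Windows Server 2008 can enable just Directory Service Changes, which is the subcategory whose events (5136 modified, 5137 created, 5139 moved, 5141 deleted) carry the attribute name with its old and new value; 4662 from Directory Service Access only says that an operation was performed.

```powershell
# Added example, not part of the 6425A lab. Run on NYC-DC1 as a Domain Admin.
$domainDN = "DC=woodgrovebank,DC=com"

# 1. Subcategory view and a subcategory-level setting.
auditpol /get /category:"DS Access"
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
# Caveat: the next Group Policy refresh replaces this with the category-level GPO setting
# from Task 2 unless the security option "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings" is enabled.

# 2. The SACL from Task 3: Everyone, Write all properties, Success and Failure,
#    this object and all descendant objects. Events are only generated for objects
#    that carry a matching SACL, whatever the audit policy says.
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDN")
# Read the SACL as well as the DACL (needs SeSecurityPrivilege, which Domain Admins hold on a DC).
$entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]"Dacl,Sacl"
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]"Success,Failure",
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$entry.psbase.ObjectSecurity.AddAuditRule($rule)
$entry.psbase.CommitChanges()

# Read the SACL back (explicit entries only)
$entry.psbase.ObjectSecurity.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq "Everyone" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize

# 3. Make an audited change (constructed phone number on the lab user Roya) and pull
#    the events: 4662 from Directory Service Access, 5136 from Directory Service Changes.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, "(&(objectClass=user)(sAMAccountName=Roya))")
$roya = $searcher.FindOne().GetDirectoryEntry()
$roya.Put("telephoneNumber", "555-0100")
$roya.SetInfo()
wevtutil qe Security "/q:*[System[(EventID=4662 or EventID=5136)]]" /c:10 /rd:true /f:text
```

Compare the two event types in the output: 4662 names the object and the access mask, 5136 names telephoneNumber and shows the new value, which is what an investigator needs when reconstructing who changed what.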

Task 5: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise you will have configured AD DS Auditing.


Lab: Implementing an AD DS Maintenance Plan L9-87

Module 9: Implementing an Active Directory Domain Services Maintenance Plan

Lab: Implementing an AD DS Maintenance Plan

Exercise 1: Maintaining AD DS domain controllers

Task 1: Start the virtual machine, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Use the Security Configuration Wizard to lock down services and configure the firewall on NYC-DC1

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. In the Server Manager window, in the Security Information section, click Run Security Configuration Wizard. The Security Configuration Wizard opens.

3. On the Welcome to the Security Configuration Wizard page, click Next.

4. On the Configuration Action page, ensure that Create a new security policy is selected, and then click Next.

5. On the Select Server page, click Next.

6. On the Processing Security Configuration Database page, click View Configuration Database. In the Internet Explorer dialog box, click Yes.

7. In the SCW Viewer window, expand Server Roles, and then expand Domain Controller (Active Directory).

8. Expand Client Features, and then expand DNS Client.


9. Expand Windows Firewall, expand Firewall Rules, and then expand Active Directory Domain Controller – LDAP for Global Catalog (TCP-In).

10. Close the SCW Viewer window, and then click Next.

11. On the Role-Based Service Configuration page, click Next.

12. On the Select Server Roles page, ensure the Domain Controller (Active Directory) check box is selected, and then click Next.

13. On the Select Client Features page, click Next.

14. On the Select Administration and Other Options page, select the Active Directory – RsoP Planning Mode check box. Leave the other options selected, and then click Next.

15. On the Select Additional Services page, click Next.

16. On the Handling Unspecified Services page, ensure that Do not change the startup mode of the service is selected, and then click Next.

17. On the Confirm Service Changes page, review the service configurations that will be changed, and then click Next.

18. On the Network Security page, click Next.

19. On the Network Security Rules page, review the firewall rules that will be configured on the server, and then click Next.

20. On the Registry Settings page, click Next.

21. On the Require SMB Security Signatures page, click Next.

22. On the Require LDAP Signing page, select the Windows 2000 Service Pack 3 or later check box, and then click Next.

23. On the Outbound Authentication Methods page, click Next.

24. On the Outbound Authentication using Domain Accounts page, ensure that Windows NT 4.0 Service Pack 6a or later operating systems and Clocks that are synchronized with the selected server’s clock are selected, and then click Next.

25. On the Inbound Authentication Methods page, clear the Computers that require LAN Manager authentication and Computers that have not been configured to use NTLMv2 authentication check boxes, and then click Next.

26. On the Registry Settings Summary page, review the changes, and then click Next.

27. On the Audit Policy page, click Next.


28. On the System Audit Policy page, select Audit successful and unsuccessful activities, and then click Next.

29. On the Audit Policy Summary page, click Next.

30. On the Save Security Policy page, click Next.

31. On the Security Policy File Name page, type c:\windows\security\msscw\policies\NYC-DC1.xml as the policy file name, and then click Next.

32. In the Security Configuration Warning dialog box, click OK.

33. On the Apply Security Policy page, ensure that Apply Later is selected, and then click Next.

34. Click Finish to complete the Security Configuration Wizard.
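Because the wizard ends with Apply Later, nothing on NYC-DC1 has changed yet. The following script is an added example, not part of the lab and not Microsoft's own tooling: it shows the scwcmd commands that apply, audit or roll back the saved policy, and then reads the registry values behind the wizard's Require LDAP Signing, Require SMB Security Signatures and authentication-method pages so you can confirm the hardening actually took effect. The policy path is the one typed in step 31; the expected values are my reading of the lab's choices (LDAP signing required, LM and NTLM refused inbound, NTLMv2 outbound) and are labelled as assumptions in the code. Windows PowerShell 2.0 is assumed.

```powershell
# Added example (not from the 6425A lab): apply the saved SCW policy from the
# command line and verify the registry values behind its registry-settings pages.
# Assumes the policy file path used in the lab and a DC named NYC-DC1.
$policy = 'C:\Windows\security\msscw\Policies\NYC-DC1.xml'

# Apply the policy now (the deferred "Apply Later" step), or audit a server
# against it without changing anything, or undo the last applied policy:
#   scwcmd configure /p:$policy
#   scwcmd analyze   /p:$policy /m:NYC-DC1
#   scwcmd rollback  /m:NYC-DC1
# The wizard also writes an XML file you can inspect with: scwcmd view /x:$policy

# Expected values (assumption, based on how the lab answered the wizard pages):
#   LDAPServerIntegrity 2      = LDAP signing required
#   LmCompatibilityLevel 5     = send NTLMv2 only, refuse LM and NTLM inbound
#   RequireSecuritySignature 1 = SMB server signing required
# NoLMHash is not one of the wizard's pages; it is listed because a DC that
# refuses LM authentication should not be storing LM hashes either.
$checks = @(
  @{ Name = 'LDAP signing required'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';         Value = 'LDAPServerIntegrity';      Expect = 2 },
  @{ Name = 'NTLMv2 only';           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Value = 'LmCompatibilityLevel';     Expect = 5 },
  @{ Name = 'No LM hash stored';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Value = 'NoLMHash';                 Expect = 1 },
  @{ Name = 'SMB server signing';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'; Value = 'RequireSecuritySignature'; Expect = 1 }
)

# Reads each value and reports whether it matches the expectation. A missing
# value is reported as $null so it shows up as a failure rather than a pass.
function Test-ScwRegistry {
  param([hashtable[]]$Checks)
  foreach ($c in $Checks) {
    $actual = $null
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($c.Value) }
    New-Object PSObject -Property @{
      Check  = $c.Name
      Key    = "$($c.Path)\$($c.Value)"
      Expect = $c.Expect
      Actual = $actual
      Pass   = ($actual -eq $c.Expect)
    }
  }
}

Test-ScwRegistry -Checks $checks | Format-Table Check, Expect, Actual, Pass -AutoSize
```

Run the check before and after scwcmd configure; the before run documents the baseline you would fall back to with scwcmd rollback. If any row fails after the policy is applied, the usual reason is a Group Policy setting that overrides the SCW value on the next refresh, which is why scwcmd transform (convert the policy into a GPO) is the better route when the same hardening must reach every DC.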

Task 3: Perform an offline defragmentation of the AD DS database

1. Click Start, point to Administrative Tools, and then click Services.

2. Right-click Active Directory Domain Services, and then click Stop.

3. In the Stop Other Services dialog box, click Yes.

4. Click Start, and then click Command Prompt.

5. Type ntdsutil, and then press ENTER.

6. At the ntdsutil: prompt, type Activate Instance NTDS, and then press ENTER.

7. Type files, and then press ENTER.

8. At the file maintenance prompt, type compact to C:\temp, and then press ENTER. A new database named Ntds.dit is created in the path you specified.

9. At the file maintenance prompt, type integrity, and then press ENTER.

10. Type quit, and then press ENTER.

11. Type quit, and then press ENTER again to return to the command prompt.

12. Type copy "c:\temp\ntds.dit" "c:\Windows\NTDS\ntds.dit", and then press ENTER.

13. Type y, and then press ENTER.

14. Delete all the log files in the log directory by typing the following command and then pressing ENTER: del C:\Windows\NTDS\*.log


Task 4: Move the AD DS database

1. At the command prompt, type ntdsutil, and then press ENTER.

2. At the ntdsutil: prompt, type activate instance ntds, and then press ENTER.

3. Type files, and then press ENTER.

4. At the file maintenance: prompt, type move db to C:\DSData, and then press ENTER.

5. When the move has completed successfully, type quit, and then press ENTER.

6. Type quit, and then press ENTER again to return to the command prompt.

7. At the command prompt, type net start "Active Directory Domain Services", and then press ENTER.

8. Close the command prompt and all open windows.
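Tasks 3 and 4 as one script, added here as an example that is not part of the lab and not a Microsoft tool. ntdsutil accepts its commands as arguments, so the interactive session can be driven from a single line; the script adds the checks the lab leaves out: a copy of the live ntds.dit before it is overwritten, a test that the compacted file was actually produced, the integrity check run against the database that will be used (after the copy, which is the order Microsoft's compaction guidance gives), and cleanup of the scratch copies, since any copy of ntds.dit contains every account's password hashes. Paths (C:\Windows\NTDS, C:\temp, C:\DSData) are the lab's; an elevated PowerShell 2.0 session on the DC is assumed.

```powershell
# Added example (not from the 6425A lab): scripted offline compaction, integrity
# check and relocation of ntds.dit. Assumes the default database location
# C:\Windows\NTDS, scratch space on C:\temp, and an elevated prompt on the DC.
$ntdsDir = 'C:\Windows\NTDS'
$scratch = 'C:\temp'
$newHome = 'C:\DSData'

# Stop AD DS (service name NTDS). /y also stops the dependent services that the
# "Stop Other Services" dialog asks about (DNS, KDC, Intersite Messaging, FRS/DFSR).
net stop NTDS /y

# Keep a copy of the live database before anything overwrites it. This file
# holds the password hashes of every account in the domain: protect it like a
# backup tape and delete it when you are done.
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
Copy-Item "$ntdsDir\ntds.dit" "$scratch\ntds.dit.before" -Force

# Offline defragmentation writes a new, compacted copy into $scratch.
ntdsutil "activate instance ntds" files "compact to $scratch" quit quit
if (-not (Test-Path "$scratch\ntds.dit")) { throw "compact did not produce $scratch\ntds.dit" }

# Swap the compacted file in and delete the old transaction logs, which belong
# to the previous copy of the database. Then run the integrity check against
# the file the service will actually load.
Copy-Item "$scratch\ntds.dit" "$ntdsDir\ntds.dit" -Force
Remove-Item "$ntdsDir\*.log" -Force
ntdsutil "activate instance ntds" files integrity quit quit

# Task 4: relocate the database. "move db to" moves the file and updates the
# registry paths the service reads; take a fresh system state backup afterwards
# because the backup catalog now has to include the new location.
New-Item -ItemType Directory -Path $newHome -Force | Out-Null
ntdsutil "activate instance ntds" files "move db to $newHome" quit quit

# net start NTDS does not restart the dependents that net stop /y took down.
foreach ($svc in 'NTDS', 'kdc', 'DNS', 'IsmServ') {
    Start-Service -Name $svc -ErrorAction SilentlyContinue
}
Get-Service NTDS, kdc, DNS, IsmServ | Format-Table Name, Status -AutoSize

# Remove the scratch copies so no stray ntds.dit is left in a temp folder.
Remove-Item "$scratch\ntds.dit", "$scratch\ntds.dit.before" -Force
```

If the integrity check reports errors, do not start the service on the compacted file: restore ntds.dit.before into place and investigate with the original database, which is exactly why the copy is taken first.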

Result: At the end of this exercise, you will have run the SCW to lock down services on an AD DS domain controller, and performed AD DS database maintenance tasks.

Exercise 2: Backing Up AD DS

Task 1: Install the Windows Server Backup feature

1. From the Administrative Tools, start Server Manager.

2. In Server Manager, click Features, and then click Add Features.

3. On the Select Features page, expand Windows Server Backup Features, and then select the Windows Server Backup and Command-line Tools check boxes.

4. Click Next, and then click Install.

5. When the installation finishes, click Close.


Task 2: Create a scheduled backup

1. Click Start, point to Administrative Tools, and then click Windows Server Backup.

2. In the Actions pane, click Backup Schedule.

3. On the Getting Started page, click Next.

4. In the Windows Server Backup dialog box, click Yes.

5. On the Select backup configuration page, click Custom, and then click Next.

6. On the Select backup items page, clear the Allfiles (D:) drive check box, and then click Next.

7. On the Specify backup time page, under Once a day, in the Select time of day list, click 12:00 am, and then click Next.

8. On the Select destination disk page, click Show All Available Disks.

9. In the Show All Available Disks dialog box, select the Disk 1 check box, and then click OK.

10. On the Select destination disk page, select the Disk 1 check box, and then click Next.

11. In the Windows Server Backup dialog box, click Yes to continue, and then click Next.

12. On the Label destination disk page, select the Disk 1 check box, and then click Next.

13. On the Confirmation page, click Cancel to avoid formatting the D: drive.

14. Close Windows Server Backup.

Task 3: Complete an on-demand backup

1. In the Windows Server Backup window, in the Actions pane, click Backup Once.

2. On the Backup options page, ensure Different options is selected, and then click Next.

3. On the Select backup configuration page, click Custom, and then click Next.

4. On the Select backup items page, ensure that the Enable system recovery check box is selected, and then click Next.


5. On the Specify destination type page, click Next.

6. On the Select backup destination page, click Next.

7. On the Specify advanced option page, click VSS full backup, and then click Next.

8. On the Confirmation page, click Backup. The backup will take about 10-15 minutes to complete. When the backup is complete, close Windows Server Backup.

Result: At the end of this exercise, you will have installed the Windows Server Backup feature, used it to schedule a backup of the AD DS information, and performed an on demand backup.

Exercise 3: Performing an Authoritative Restore of the AD DS Database

Task 1: Delete the Toronto OU

1. On NYC-DC1, open Active Directory Users and Computers.

2. Expand WoodgroveBank.com, right-click Toronto, and then click Delete.

3. In the Active Directory Domain Services dialog box, click Yes.

4. In the Confirm Subtree Deletion dialog box, click Yes.

Task 2: Restart NYC-DC1 in Directory Services Restore Mode

1. On NYC-DC1, click Start, right-click Command Prompt, and then click Run as administrator.

2. Type bcdedit /set safeboot dsrepair, and then press ENTER.


Task 3: Restore the system state data

1. Type shutdown -t 0 -r, and then press ENTER. The computer will restart.

2. After the server restarts, press Right-Alt and Del. On the logon screen, click Switch User, and then click Other User.

3. Log on as Administrator using a password of Pa$$w0rd.

4. Click Start, right-click Command Prompt, and then click Run as administrator.

5. At the command prompt, type wbadmin get versions -backuptarget:D: -machine:NYC-DC1, and then press ENTER. Note the version information.

6. Type wbadmin start systemstaterecovery -version:version (where version is the version identifier that you recorded in the previous step), and then press ENTER.

7. Type Y, and then press ENTER. The restore will take about 30-35 minutes.

Note: When entering the version number, do not include a leading “/”. The format for the recovery command will be similar to wbadmin start systemstaterecovery –version:04/27/2008-15:49.

Task 4: Mark the restored information as authoritative and restart the server

1. At the command prompt, type ntdsutil, and then press ENTER.

2. At the ntdsutil: prompt, type Activate instance ntds, and then press ENTER.

3. Type authoritative restore, and then press ENTER.

4. Type restore subtree "OU=Toronto,DC=Woodgrovebank,DC=com", press ENTER, and then click Yes.

5. Type quit, and then press ENTER.

6. Type quit, and then press ENTER again.


Task 5: Verify that the deleted data has been restored

1. To restart the server normally after you perform the restore operation, type bcdedit /deletevalue safeboot, and then press ENTER.

2. Type shutdown -t 0 -r, and then press ENTER.

3. After the server restarts, log on as Administrator.

4. Open Active Directory Users and Computers, and verify that the Toronto OU was restored.
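The on-demand backup of Exercise 2 and the authoritative restore of Exercise 3, collected into PowerShell functions as an added example (not part of the lab, not Microsoft code). Beyond the lab's steps, the restore function refuses to run unless the server is actually booted into Directory Services Restore Mode, picks the newest version identifier from wbadmin get versions instead of relying on a value copied by hand, checks the exit code of the system state recovery before marking anything authoritative, and quotes the subtree DN so names with spaces work. The backup target D:, the DC name NYC-DC1 and the OU=Toronto subtree are the lab's; the assumption that wbadmin lists versions oldest first, and PowerShell 2.0 in DSRM, are mine.

```powershell
# Added example (not from the 6425A lab): system state backup (Exercise 2) and
# authoritative restore of one OU (Exercise 3). Assumes the backup target is D:,
# the DC is NYC-DC1, and that the restore functions run in Directory Services
# Restore Mode, logged on with the DSRM administrator password.

# --- Exercise 2: on-demand system state backup (needs the Windows Server Backup
#     command-line tools installed in Task 1). The backup contains ntds.dit and
#     therefore every password hash: the target disk is as sensitive as the DC.
function Invoke-SystemStateBackup {
    param([string]$Target = 'D:')
    wbadmin start systemstatebackup -backuptarget:$Target -quiet
    if ($LASTEXITCODE -ne 0) { throw "systemstatebackup failed with exit code $LASTEXITCODE" }
}

# Newest version identifier on the target, parsed from "wbadmin get versions"
# ("Version identifier: MM/DD/YYYY-HH:MM"). Assumption: versions are listed
# oldest first, so the last match is the most recent backup.
function Get-LatestBackupVersion {
    param([string]$Target = 'D:', [string]$Machine = $env:COMPUTERNAME)
    $lines = wbadmin get versions -backuptarget:$Target -machine:$Machine
    $ids = @($lines | ForEach-Object { if ($_ -match 'Version identifier:\s*(\S+)') { $matches[1] } })
    if ($ids.Count -eq 0) { throw "No backups found on $Target for $Machine" }
    $ids[-1]
}

# --- Exercise 3: switch the boot mode (Tasks 2 and 5) ---
function Enter-DsrmOnNextBoot { bcdedit /set safeboot dsrepair;  shutdown -t 0 -r }
function Exit-DsrmOnNextBoot  { bcdedit /deletevalue safeboot;   shutdown -t 0 -r }

function Test-InDsrm {
    # bcdedit shows "safeboot   DsRepair" for the current entry while in DSRM.
    $line = bcdedit /enum '{current}' | Where-Object { $_ -match '^safeboot\s+DsRepair' }
    [bool]$line
}

# --- Exercise 3: non-authoritative system state restore, then mark the deleted
#     subtree authoritative (Tasks 3 and 4) ---
function Restore-OuAuthoritatively {
    param(
        [string]$SubtreeDn = 'OU=Toronto,DC=woodgrovebank,DC=com',
        [string]$Target    = 'D:',
        [string]$Machine   = $env:COMPUTERNAME
    )
    if (-not (Test-InDsrm)) { throw 'Not booted into Directory Services Restore Mode' }

    $version = Get-LatestBackupVersion -Target $Target -Machine $Machine
    Write-Host "Restoring system state version $version from $Target"
    wbadmin start systemstaterecovery -version:$version -backuptarget:$Target -machine:$Machine -quiet
    if ($LASTEXITCODE -ne 0) { throw "systemstaterecovery failed with exit code $LASTEXITCODE" }

    # Only the deleted subtree is marked authoritative. ntdsutil raises the
    # version numbers of those objects so they win on replication; everything
    # else on this DC is brought back up to date by its replication partners.
    # The DN is quoted for ntdsutil so that names containing spaces work.
    ntdsutil "activate instance ntds" "authoritative restore" "restore subtree `"$SubtreeDn`"" quit quit
}

# Typical sequence (each line at a different point in time):
#   Invoke-SystemStateBackup            # normal boot, before the OU is deleted
#   Enter-DsrmOnNextBoot                # reboots into DSRM
#   Restore-OuAuthoritatively           # in DSRM
#   Exit-DsrmOnNextBoot                 # back to normal boot; verify the OU
```

When the restored subtree contains users that are members of groups in other domains, ntdsutil writes .ldf files describing those memberships; it reports the file names at the end of the restore, and they must be imported with ldifde on a DC of each of those domains, or the memberships stay lost. Also note that an authoritative restore reverts the passwords of the restored accounts to their values at backup time, which is a reason to keep the backup disk and the DSRM password under the same controls as a domain administrator's credentials.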

Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise you will have performed an authoritative restore of AD DS information.

Exercise 4: Restoring Data Using the AD DS Database Mounting Tool (Optional)

Task 1: Start the virtual machine, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.


Task 2: Create and mount a snapshot of the AD DS information

1. On NYC-DC1, in Active Directory Users and Computers, in the ITAdmins OU, right-click Axel Delgado, and then click Properties. Add the following information to the user-account properties, and then click OK:

• Description: IT Administrator

• Office: Head Office

• Telephone Number: 555-5555

2. Click Start, right-click Command Prompt, and then click Run as administrator.

3. At the command prompt, type ntdsutil, and then press ENTER.

4. At the ntdsutil prompt, type snapshot, and then press ENTER.

5. At the snapshot prompt, type activate instance ntds, and then press ENTER.

6. At the snapshot prompt, type create, and then press ENTER. The command returns the following output: Snapshot set {GUID} generated successfully.

7. At the snapshot prompt, type mount GUID (where GUID is the snapshot set GUID, braces included, that the previous command displayed), and then press ENTER. The command reports the path at which the snapshot is mounted in the file system.

8. Type Quit, and then press ENTER.

9. Type Quit, and then press ENTER again. Keep the command prompt open.

Task 3: Delete a user account in AD DS

• In Active Directory Users and Computers, right-click Axel Delgado, click Delete, and then click Yes.


Task 4: Use LDP to restore the deleted user account

1. At the command prompt, type the following command, and then press ENTER: Dsamain -dbpath <path to snapshot ntds.dit> -ldapport 51389. The path to the snapshot was displayed by the mount command; append Windows\NTDS\ntds.dit to that path.

Note: Path to the snapshot ntds.dit file will be similar to C:\$SNAP_200804270943_VolumeC$\windows\ntds\ntds.dit.

A message indicates that Active Directory Domain Services startup is complete. Leave Dsamain.exe running. Do not close the command prompt.

2. Click Start, click Run, type LDP, and then click OK.

3. On the Connection menu, click Connect, and then click OK.

4. On the Connection menu, click Bind, and then click OK.

5. On the Options menu, click Controls.

6. In the Load Predefined list, click Return Deleted Objects, and then click OK.

7. On the View menu, click Tree, and then click OK.

8. Expand DC=WoodgroveBank,DC=com, and then double-click CN=Deleted Objects,DC=WoodgroveBank,DC=com.

9. Right-click CN=Axel Delgado, and then click Modify.

10. In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.

11. In the Attribute box, type distinguishedName.

12. In the Values box, type CN=Axel Delgado,ou=ITAdmins,dc=woodgrovebank,dc=com.

13. Under Operation, click Replace, and then click Enter.

14. Select the Extended check box, and then click Run.

15. Click Close, and then close LDP.

16. Open Active Directory Users and Computers, and then verify that Axel Delgado’s account has been restored to the ITAdmins OU, and that the account is disabled.


Task 5: View the information for the deleted user account in the mounted snapshot

1. Click Start, click Run, type LDP, and then click OK.

2. On the Connection menu, click Connect.

3. In Server, type localhost, in Port, type 51389, and then click OK.

4. On the Connection menu, click Bind.

5. In Bind, ensure that Bind as currently logged on user is selected, and then click OK.

6. On the View menu, click Tree.

7. In BaseDN, type dc=woodgrovebank,dc=com and then click OK.

8. Browse to the ITAdmins OU, and then double-click CN=Axel Delgado. View the description, physicalDeliveryOfficeName, and telephoneNumber attributes. You can now add this attribute information to the restored user object in Active Directory Users and Computers, because tombstone reanimation brings back only the attributes that the tombstone retained.

9. Close LDP.exe.

10. In the command prompt, stop Dsamain.exe by pressing CTRL+C.

11. Close the command prompt.
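Tasks 2 to 5 as one script, added here as an example that is not part of the lab and not a Microsoft tool. It creates and mounts the snapshot with ntdsutil, exposes it through dsamain on port 51389, locates the tombstone under CN=Deleted Objects and reanimates it with a single LDAP modify carrying the Show Deleted control (the same operation LDP performs in Task 4), copies the three attributes from the snapshot copy of the object back onto the restored account, and finally stops dsamain and unmounts and deletes the snapshot. The user, OU and domain names are the lab's; the assumptions are an elevated Windows PowerShell 2.0 session on NYC-DC1 (for Add-Type and Start-Process), a single AD DS volume C: so that the mount produces one path, and that the snapshot is taken after the attributes from Task 2 step 1 were set.

```powershell
# Added example (not from the 6425A lab): snapshot, dsamain, tombstone
# reanimation and attribute copy. Assumes an elevated PowerShell 2.0 session on
# NYC-DC1, the user "Axel Delgado" in OU=ITAdmins, and port 51389 being free.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$domainDn = 'DC=woodgrovebank,DC=com'
$parentDn = "OU=ITAdmins,$domainDn"
$userCn   = 'Axel Delgado'
$snapPort = 51389

# 1. Create and mount a snapshot (Task 2). The set GUID comes from
#    "Snapshot set {GUID} generated successfully."; the mount output names the path.
$out  = ntdsutil snapshot "activate instance ntds" create quit quit
$guid = ([regex]'(?i)\{[0-9a-f-]+\}').Match("$out").Value
if (-not $guid) { throw 'snapshot GUID not found in ntdsutil output' }
$out  = ntdsutil snapshot "mount $guid" quit quit
$mountPath = ([regex]'[A-Z]:\\\$SNAP_\d+_Volume[A-Z]\$\\').Match("$out").Value   # e.g. C:\$SNAP_200804270943_VolumeC$\
if (-not $mountPath) { throw 'snapshot mount path not found in ntdsutil output' }

# 2. Serve the snapshot read-only over LDAP on a non-standard port (Task 4).
#    It is a complete copy of ntds.dit, password hashes included, so it is
#    unmounted and deleted again at the end of this script.
$dsamain = Start-Process dsamain -ArgumentList "-dbpath `"${mountPath}Windows\NTDS\ntds.dit`" -ldapport $snapPort" -PassThru
Start-Sleep -Seconds 15   # wait for "Active Directory Domain Services startup is complete"

# 3. Delete the account (Task 3).
([ADSI]"LDAP://CN=$userCn,$parentDn").DeleteTree()

# 4. Find the tombstone and reanimate it (Task 4). The Show Deleted control
#    (OID 1.2.840.113556.1.4.417) must accompany the search and the modify;
#    removing isDeleted and replacing distinguishedName in one modify is the undelete.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection('localhost')
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # current user; needs the "Reanimate tombstones" control access right

# Tombstone CN is "<name>\nDEL:<objectGUID>"; \0a is the LDAP-filter escape for the newline.
$filter = "(&(isDeleted=TRUE)(objectClass=user)(lastKnownParent=$parentDn)(cn=$userCn\0aDEL:*))"
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "CN=Deleted Objects,$domainDn", $filter,
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel, [string[]]'distinguishedName')
$search.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
$result = $conn.SendRequest($search)
if ($result.Entries.Count -ne 1) { throw "expected one tombstone for $userCn, found $($result.Entries.Count)" }
$tombstoneDn = $result.Entries[0].DistinguishedName

$undelete = New-Object System.DirectoryServices.Protocols.ModifyRequest
$undelete.DistinguishedName = $tombstoneDn
$dropIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$dropIsDeleted.Name = 'isDeleted'
$dropIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
$newDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$newDn.Name = 'distinguishedName'
$newDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$newDn.Add("CN=$userCn,$parentDn") | Out-Null
$undelete.Modifications.Add($dropIsDeleted) | Out-Null
$undelete.Modifications.Add($newDn) | Out-Null
$undelete.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
$conn.SendRequest($undelete) | Out-Null   # throws DirectoryOperationException on failure

# 5. Copy the attributes the tombstone did not keep from the snapshot (Task 5)
#    onto the reanimated account, which comes back disabled and without a password.
$old  = [ADSI]"LDAP://localhost:$snapPort/CN=$userCn,$parentDn"
$live = [ADSI]"LDAP://CN=$userCn,$parentDn"
foreach ($attr in 'description', 'physicalDeliveryOfficeName', 'telephoneNumber') {
    $value = $old.Properties[$attr].Value
    if ($value) { $live.Properties[$attr].Value = $value }
}
$live.CommitChanges()

# 6. Tear down: stop dsamain, unmount and delete the snapshot.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "unmount $guid" "delete $guid" quit quit
```

Group memberships and the password are not restored by this path: linked attributes on other objects are not part of the tombstone, and the reanimated account must be enabled and given a new password by an administrator. The snapshot is the bigger concern: the mounted ntds.dit can be read by anyone who can get to the path or the dsamain port, so keep the port bound for as short a time as possible and never leave a snapshot mounted after the data has been pulled.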


Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise, you will have restored a deleted user account and viewed its former properties by using the AD DS Database Mounting Tool.


Lab: Troubleshooting AD, DNS and Replication Issues L10-99

Module 10: Troubleshooting AD DS, DNS, and Replication Issues

Lab: Troubleshooting AD, DNS and Replication Issues

Exercise 1: Troubleshooting Authentication and Authorization Errors

Task 1: Start the virtual servers

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. Log on to NYC-DC1 as Administrator using the password Pa$$w0rd.

4. In the Lab Launcher, next to 6425A-NYC-DC2, click Launch.

5. Log on to NYC-DC2 as Administrator using the password Pa$$w0rd.

6. In the Lab Launcher, next to 6425A-NYC-CL1, click Launch.

7. Minimize the Lab Launcher window.

Task 2: Run the Lab10_Prep.bat file

1. On NYC-DC1, open Windows Explorer, and then browse to d:\6425\Mod10\Labfiles.

2. Double-click Lab10_Prep.bat.


Task 3: Resolve trouble tickets

Trouble Ticket #1: A user named Chris McGurk is having trouble logging on to her computer, which runs the Windows Vista® operating system. She has been away on a research assignment for several months, and now needs access to the network to prepare her report for senior management. Her desktop computer was turned off during the time she was away. The matter has been escalated to you.

1. Attempt to log onto NYC-CL1 as Chris with the password of Pa$$w0rd.

Question: Was the logon successful?

Answer: No, it was not. Note the following error message: The trust relationship between this workstation and the primary domain failed.

2. On NYC-DC1, open Active Directory Users and Computers, and click Computers. Verify that the NYC-CL1 computer account still exists in AD DS.

Question: What do you think is the issue? How will you resolve the issue?

Answer: The computer account for NYC-CL1 was reset. Therefore you will need to rejoin the computer to the domain.

3. Log on to NYC-CL1 as NYC-CL1\LocalAdmin with the password Pa$$w0rd.

4. Click Start, right click Computer, and then click Properties.

5. In the System window, click Advanced system settings.

6. In the User Account Control dialog box, click Continue.

7. On the Computer Name tab, click Change.

8. In the Computer Name/Domain Changes dialog box, click Workgroup, type WORKGROUP in the Workgroup field, and then click OK.

9. In the Computer Name/Domain Changes dialog box, type Administrator as the user name and Pa$$w0rd as the password, and then click OK.

10. In the Computer Name/Domain Changes dialog box, click OK twice, and then click Close.

11. In the Microsoft Windows message, click Restart Later.

12. In the System window, click Advanced system settings.

13. In the User Account Control dialog box, click Continue.

14. On the Computer Name tab, click Change.


15. In the Computer Name/Domain Changes dialog box, click Domain, type WoodgroveBank.com in the Domain field, and then click OK.

16. In the Computer Name/Domain Changes dialog box, type Administrator as the user name and Pa$$w0rd as the password, and then click OK twice.

17. In the Computer Name/Domain Changes dialog box, click OK twice, and then click Close.

18. In the Microsoft Windows message, click Restart Now.

19. After the computer restarts, attempt to log on to NYC-CL1 as Chris using the password Pa$$w0rd.

Question: Was the logon successful?

Answer: Yes.

20. Log off NYC-CL1.

Trouble Ticket #2: A Help Desk staff member named Markus Breyer has been given the task of adding new hires to the NYC BranchManagers organizational unit in the Woodgrovebank.com domain. Markus is a member of the HelpDesk global group. All members of the HelpDesk group should be able to manage user accounts from client workstations by using Remote Desktop. Yet when Markus attempts to add new hires, he is unsuccessful. The matter has been escalated to you.

1. Log onto NYC-CL1 as Markus, using the password Pa$$w0rd.

2. Click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.

3. In the Remote Desktop Connection box, type NYC-DC1, and click Connect.

Question: Were you successful in connecting to the remote computer? What, if any, error messages did you receive?

Answer: No. The error message indicates that the computer cannot connect to the remote computer.

Question: What do you think is the problem?

Answer: We need to ensure that Remote Desktop is enabled on NYC-DC1.

4. On NYC-DC1, open Server Manager.

5. In the Computer Information section, click Configure Remote Desktop.


6. In the System Properties dialog box, click Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).

7. In the Remote Desktop dialog box, click OK.

8. Click Select Users. In the Remote Desktop Users dialog box, click Add, type HelpDesk, and then click OK three times.

9. On NYC-CL1, in the Remote Desktop Connection dialog box, click Connect.

10. In the Windows Security dialog box, type WoodgroveBank\Markus as the user name and Pa$$w0rd as the password, and then click OK.

Question: Were you successful? What, if any, error messages did you receive?

Answer: No. The error message says that the user has not been granted the right to log on through Terminal Services.

Question: How will you attempt to resolve this problem?

Answer: We must grant the user the right to log on through Terminal Services on NYC-DC1.

11. Close the Remote Desktop window.

12. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.

13. Expand Forest:WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, click Group Policy Objects, right-click Default Domain Controllers Policy, and then click Edit.

14. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

15. Double-click Allow log on through Terminal Services, select the Define these policy settings check box, and then click Add User or Group.

16. Type HelpDesk, and then click OK twice.

17. Open a command prompt, type gpupdate /force, and then press ENTER.

18. On NYC-CL1, in the Remote Desktop Connection dialog box, click Connect.


19. In the Windows Security dialog box, type WoodgroveBank\Markus as the user name, and Pa$$w0rd as the password, and then click OK.

Question: Were you successful? What, if any, error messages did you receive?

Answer: Yes. There was no error message.

20. In the Remote Desktop window, open Active Directory Users and Computers.

21. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.

Question: What error message do you get?

Answer: The error message says that the user has not been granted the requested logon type at this computer.

Question: Why do you think you are getting the error message?

Answer: The user requires the right to log on interactively to run an administrative tool through Remote Desktop.

22. Click Cancel, and log off the Remote Desktop session.

23. On NYC-DC1, in Group Policy Management Editor, double-click the Allow log on locally setting.

24. Click Add User or Group, type HelpDesk, and then click OK twice.

25. In a command prompt window, type gpupdate /force, and then press ENTER.

26. On NYC-CL1, open the Remote Desktop Connection, and then click Connect.

27. In the Windows Security dialog box, type the password Pa$$w0rd, and then click OK.

28. In the Remote Desktop window, open Active Directory Users and Computers.

29. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.


30. Expand WoodgroveBank.com, expand NYC, and then double-click the BranchManagers OU.

Question: Can you open the organizational unit (OU)? What, if any, error messages did you receive?

Answer: No. The error message says that the object cannot be displayed.

Question: What additional step(s), if any, do you think you will need to take?

Answer: Markus or the HelpDesk group may not have the proper permissions on the BranchManagers OU. We will need to check the permissions on the BranchManagers OU.

31. On NYC-DC1, in Active Directory Users and Computers, on the View menu, click Advanced Features.

32. Expand NYC, right-click BranchManagers, and then click Properties.

33. On the Security tab, click Advanced.

34. Check the permissions assigned to the HelpDesk group. Verify that the group has permission to create and delete user and group accounts.

35. Check the permissions assigned to Markus. Verify that he has been denied permission on the OU. Click the permission entry that is denying permission, click Remove, and then click OK twice.

36. On NYC-CL1, in the Active Directory Users and Computer window, click Refresh. Verify that Markus now has access to the BranchManagers OU.

37. Try to create a test user in the BranchManagers OU.

Question: Were you successful?

Answer: Yes.

38. On NYC-CL1, log off Remote Desktop, and then log off of NYC-CL1.
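The checks behind both tickets, collected as an added example that is not part of the lab and not a Microsoft tool. For ticket 1 it tests the secure channel with nltest and repairs the machine account password in place with netdom resetpwd, which fixes "The trust relationship between this workstation and the primary domain failed" without the workgroup detour and two reboots of steps 3 to 18. For ticket 2 it walks the same three layers the lab hits in turn: is the RDP port reachable, who holds the two logon rights on the DC (read from secedit's export and resolved from SIDs to names), and which Deny entries sit on the OU. Names (NYC-CL1, NYC-DC1, woodgrovebank.com, OU=BranchManagers,OU=NYC) are the lab's; assumptions are PowerShell 2.0, nltest being present on the Vista client (it ships with the OS) and netdom being available there through RSAT.

```powershell
# Added example (not from the 6425A lab): command-line checks for trouble
# tickets 1 and 2. Assumes NYC-CL1 (Windows Vista, nltest built in, netdom via
# RSAT), NYC-DC1, the woodgrovebank.com domain and PowerShell 2.0.

# --- Ticket 1: the machine account password on the client no longer matches
#     the one in AD (the account was reset), so the secure channel fails. ---
function Test-SecureChannel {
    param([string]$Domain = 'woodgrovebank.com')
    # Healthy output ends with "Trust Verification Status = 0 0x0 NERR_Success".
    $out = nltest /sc_query:$Domain
    ($out -join "`n") -match 'NERR_Success'
}

# Run on NYC-CL1 while logged on as the local administrator. netdom resets the
# machine account password on the DC and locally in one step; /passwordd:*
# prompts for the domain password instead of putting it on the command line.
function Repair-MachineAccount {
    param([string]$Dc = 'NYC-DC1', [string]$User = 'woodgrovebank\Administrator', [string]$Domain = 'woodgrovebank.com')
    netdom resetpwd /server:$Dc /userd:$User /passwordd:*
    nltest "/sc_reset:$Domain\$Dc"
    Test-SecureChannel -Domain $Domain
}

# --- Ticket 2, layer 1: can the client reach RDP on the DC at all? ---
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port = 3389)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($ComputerName, $Port); $true }
    catch   { $false }
    finally { $client.Close() }
}

# --- Ticket 2, layer 2 (run on NYC-DC1): who holds the two logon rights the
#     lab adds HelpDesk to? secedit exports them as SIDs; resolve to names. ---
function Get-LogonRightHolders {
    param([string[]]$Rights = @('SeRemoteInteractiveLogonRight', 'SeInteractiveLogonRight'))
    $cfg = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg
    foreach ($right in $Rights) {
        $line = $lines | Where-Object { $_ -like "$right =*" }
        $holders = @()
        if ($line) {
            $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
                $id = $_.Trim()
                if ($id.StartsWith('*S-1-')) {
                    try   { (New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $id }
                } else { $id }
            }
        }
        New-Object PSObject -Property @{ Right = $right; Holders = ($holders -join '; ') }
    }
}

# --- Ticket 2, layer 3: an explicit Deny on the OU overrides whatever the
#     HelpDesk group was granted, which is what step 35 removes. ---
function Get-OuDenyEntries {
    param([string]$OuDn = 'OU=BranchManagers,OU=NYC,DC=woodgrovebank,DC=com')
    $ou = [ADSI]"LDAP://$OuDn"
    $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Usage (ticket 1 on NYC-CL1, the rest on NYC-DC1):
#   if (-not (Test-SecureChannel)) { Repair-MachineAccount }
#   Test-TcpPort -ComputerName NYC-DC1
#   Get-LogonRightHolders | Format-Table Right, Holders -AutoSize
#   Get-OuDenyEntries
```

A design note on ticket 2. The lab's fix gives a help-desk group both Allow log on through Terminal Services and Allow log on locally on a domain controller, which turns HelpDesk into a group that can run code interactively on a Tier 0 system. The last part of the ticket, delegated permissions on the BranchManagers OU, is all that the task actually requires; with RSAT on the help-desk workstations those permissions work without any logon right on the DC, and the two user-rights entries should not be added in production.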

Result: At the end of this exercise you will have resolved two trouble tickets with authentication and authorization issues.


Exercise 2: Troubleshooting the Integration of DNS and AD DS

Task 1: Resolve trouble ticket

Trouble Ticket #3: Some users at WoodgroveBank.com are complaining that they are having trouble accessing network resources. The help desk has already established that all of the client computers exhibiting the problem are using NYC-DC2 as the preferred DNS server. You will use NYC-CL1 to test all solutions, and ensure that users can log on to the domain using NYC-DC1 and NYC-DC2 as the primary DNS servers.

Question: What do you think may be the problem(s)?

Answer: DNS on NYC-DC2 is probably not configured correctly, or does not hold a copy of the zone.

1. Log on to NYC-CL1, as Woodgrovebank\Administrator using the password Pa$$w0rd.

2. Open a command prompt, type NSLookup, and then press ENTER.

3. Type server 10.10.0.10, and then press ENTER.

4. Type Set type=SOA, and then press ENTER.

5. Type WoodgroveBank.com, and then press ENTER. Verify that the SOA record exists and that it references NYC-DC1.WoodgroveBank.com.

6. Type set type=SRV, and then press ENTER.

7. Type _ldap._tcp.woodgrovebank.com, and then press ENTER. Verify that SRV records for NYC-DC1 and NYC-DC2 are listed.

8. Type _gc._tcp.woodgrovebank.com, and then press ENTER. Verify that SRV records for NYC-DC1 and NYC-DC2 are listed.

9. Type server 10.10.0.11, and then press ENTER.

10. Type Set type=SOA, and then press ENTER.


11. Type WoodgroveBank.com, and then press ENTER. Verify that no results are returned.

Question: What steps will you take to resolve this issue?

Answer: Make sure there is basic connectivity between the two domain controllers. On both domain controllers, verify that the DNS Server service is running, and check whether the zone has replicated. Determine what types of zones are running on both DNS servers. Ensure that NYC-DC1 is permitting zone transfers to NYC-DC2, and that the zone transfers successfully.

12. On NYC-DC2, click Start, point to Administrative Tools, and then click Services.

13. In the Services console, ensure that the DNS service is Started.

14. Start the DNS management console from Administrative Tools.

15. Expand Forward Lookup Zones, and then click WoodgroveBank.com.

Question: What error do you get?

Answer: Zone not loaded by DNS Server.

16. Expand NYC-DC2, expand Forward Lookup Zones, right-click WoodgroveBank.com, and then click Properties.

Question: What type of zone is WoodgroveBank.com? Verify the zone settings.

Answer: WoodgroveBank.com is a secondary zone, configured to use 10.10.0.10 as the master server.

17. On NYC-DC1, start the DNS management console from the Administrative Tools.

18. Expand NYC-DC1, expand Forward Lookup Zones, select, and then right-click WoodgroveBank.com, and then click Properties.

Question: What type of zone is WoodgroveBank.com?

Answer: WoodgroveBank.com is a primary zone.

19. On the Zone Transfers tab, select the Allow zone transfers check box.

20. Click To any server, and then click OK. This is the quickest setting for the lab; in production, restrict transfers to the servers listed on the Name Servers tab or to an explicit list of IP addresses, because a zone open to any server hands every domain controller name and SRV record to anyone who can reach the DNS server.

21. Repeat the previous steps to enable zone transfers for the _msdcs.woodgrovebank.com zone.


22. On NYC-DC2, in the DNS Manager, right-click Woodgrovebank.com, and then click Reload from Master. Press F5 to see if the zone information has transferred.

Note: If the zone is not transferred immediately, wait one minute, and then press F5 again.

23. Select, and then right-click _msdcs.Woodgrovebank.com, and then click Reload from Master. Press F5 to see if the zone information has transferred.

24. On NYC-CL1, in the command prompt window, type WoodgroveBank.com, and then press ENTER. Verify that the SOA record exists, and that it references NYC-DC1.WoodgroveBank.com.

25. Type set type=SRV, and then press ENTER.

26. Type _ldap._tcp.woodgrovebank.com, and then press ENTER. Verify that SRV records for NYC-DC1 and NYC-DC2 are listed.

27. Type _gc._tcp.woodgrovebank.com, and then press ENTER. Verify that SRV records for NYC-DC1 and NYC-DC2 are listed.

Question: What was the actual problem(s), and how did you resolve it?

Answer: NYC-DC1 was not permitting zone transfers. NYC-DC2 did not have a copy of the zone. Correcting all of these problems allowed NYC-DC2 to successfully request a copy of the zone.
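The nslookup checks of this ticket as a function you can run against each DNS server, followed by the dnscmd equivalents of the zone-transfer fix, added here as an example that is not part of the lab and not a Microsoft tool. Compared with the lab's steps it restricts transfers to NYC-DC2's address rather than to any server, refreshes the secondary from the command line, and re-runs the record checks so the fix is verified the same way the problem was found. The addresses 10.10.0.10 (NYC-DC1, primary) and 10.10.0.11 (NYC-DC2, secondary), the zone names and the expected host names come from the lab; PowerShell 2.0 is assumed.

```powershell
# Added example (not from the 6425A lab): the nslookup checks of ticket 3 as a
# function, plus the dnscmd form of the zone-transfer fix. Assumes NYC-DC1 =
# 10.10.0.10 (primary), NYC-DC2 = 10.10.0.11 (secondary) and the lab's zone.
$zone    = 'woodgrovebank.com'
$servers = @{ 'NYC-DC1' = '10.10.0.10'; 'NYC-DC2' = '10.10.0.11' }

# One nslookup per record; $true when the answer names the expected host.
# For SOA the answer carries "primary name server = ...", for SRV "svr hostname = ...".
function Test-DnsRecord {
    param([string]$Server, [string]$Type, [string]$Name, [string]$Expect)
    $out = nslookup "-type=$Type" $Name $Server 2>&1 | Out-String
    [bool]($out -match [regex]::Escape($Expect))
}

# The DC locator records a client needs from a given DNS server (steps 4 to 8).
function Test-DcLocatorRecords {
    param([string]$Server)
    @(
      @{ Type = 'SOA'; Name = $zone;              Expect = "nyc-dc1.$zone" },
      @{ Type = 'SRV'; Name = "_ldap._tcp.$zone"; Expect = "nyc-dc1.$zone" },
      @{ Type = 'SRV'; Name = "_ldap._tcp.$zone"; Expect = "nyc-dc2.$zone" },
      @{ Type = 'SRV'; Name = "_gc._tcp.$zone";   Expect = "nyc-dc1.$zone" },
      @{ Type = 'SRV'; Name = "_gc._tcp.$zone";   Expect = "nyc-dc2.$zone" }
    ) | ForEach-Object {
        New-Object PSObject -Property @{
            Server = $Server
            Record = "$($_.Type) $($_.Name)"
            Expect = $_.Expect
            Found  = (Test-DnsRecord -Server $Server -Type $_.Type -Name $_.Name -Expect $_.Expect)
        }
    }
}

# Before the fix: NYC-DC1 answers everything, NYC-DC2 answers nothing.
foreach ($dc in $servers.Keys) {
    Test-DcLocatorRecords -Server $servers[$dc] | Format-Table Server, Record, Expect, Found -AutoSize
}

# Zone type and transfer settings on the primary (dnscmd is the CLI behind
# DNS Manager). /SecureList limits transfers to the named secondaries, the
# setting to prefer over "To any server": an open transfer hands every DC host
# name and SRV record to anyone who can reach TCP/53 on the server.
dnscmd NYC-DC1 /ZoneInfo $zone
dnscmd NYC-DC1 /ZoneResetSecondaries $zone          /SecureList 10.10.0.11
dnscmd NYC-DC1 /ZoneResetSecondaries "_msdcs.$zone" /SecureList 10.10.0.11

# Pull the zones on the secondary (DNS Manager's "Reload from Master"), then re-test.
dnscmd NYC-DC2 /ZoneRefresh $zone
dnscmd NYC-DC2 /ZoneRefresh "_msdcs.$zone"
Start-Sleep -Seconds 10
Test-DcLocatorRecords -Server $servers['NYC-DC2'] | Format-Table Server, Record, Expect, Found -AutoSize
```

The standard-zone design behind this ticket is itself the weak point: a secondary that depends on transfers is one blocked transfer away from the symptom users reported. On two domain controllers the usual fix is to convert the primary to an Active Directory-integrated zone (dnscmd NYC-DC1 /ZoneResetType woodgrovebank.com /DsPrimary), delete the secondary on NYC-DC2 and let AD replication deliver the zone, which removes the need for zone transfers between DCs entirely.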

Result: At the end of this exercise you will have resolved a trouble ticket with DNS integration and AD DS issues.


Exercise 3: Troubleshooting AD DS Replication

Task 1: Resolve trouble tickets

Trouble Ticket #4: The help desk has been tasked with creating user accounts for new hires. Because the new employees will be travelling between the branch offices, it is critical that they can log on at any location. The help desk has noticed that replication between NYC-DC1 and NYC-DC2 is not working. When a member of the team creates a user account on the NYC-DC1 domain controller, the user account is not displayed on the NYC-DC2 domain controller. The matter has been escalated to you.

1. On NYC-DC1, open Active Directory Users and Computers from Administrative Tools.

2. In the NYC OU, click Branch Managers. Verify that the test user account that you created in Exercise 1 is displayed.

3. On NYC-DC2, open Active Directory Users and Computers from Administrative Tools.

4. In the NYC OU, click Branch Managers. Verify that the test user account you created in Exercise 1 is not displayed.

5. On NYC-DC2, open Active Directory Sites and Services from Administrative Tools. Expand Sites, expand Default-First-Site-Name, expand Servers, expand NYC-DC2, and then click NTDS Settings.

6. Right-click the connection object with NYC-DC1, and then click Replicate Now.

Question: Was the replication successful, and if not, what error message did you receive?

Answer: The replication was not successful. The error message reported that the RPC server is not available.

Question: What do you think might be the problem(s)?

Answer: There may be a network problem between the two domain controllers, including firewall rules. DNS records for either domain controller may be missing. AD DS might not be running on one or both of the DCs.

7. On NYC-DC2, open a command prompt. Type repadmin /replsummary, and then press ENTER.

8. Review the replication summary.


9. In the command prompt, type ping NYC-DC1, and then press ENTER.

Question: Was the ping successful?

Answer: Yes.

10. In the command prompt, type ping NYC-DC2, and then press ENTER.

Question: Was the ping successful?

Answer: Yes, but the ping used the IPv6 address.

11. In the command prompt, type NSLookup, and then press ENTER.

12. Type server 10.10.0.10, and then press ENTER.

13. Type NYC-DC2.Woodgrovebank.com, and then press ENTER. Verify that the NYC-DC2 address is listed as 10.11.0.11. Type Exit and press ENTER.

14. On NYC-DC1, open DNS Manager, and then delete the record for NYC-DC2 in the WoodgroveBank.com domain.

15. Right-click WoodgroveBank.com, and then click Properties.

16. In the Dynamic updates field, click Nonsecure and secure, and then click OK.

17. On NYC-DC2, in the command prompt, type Ipconfig /registerdns, and then press ENTER.

18. Type net stop netlogon & net start netlogon, and then press ENTER.

19. On NYC-DC1, in DNS Manager, refresh the view, and then verify that the NYC-DC2 record has been added with an IP address of 10.10.0.11.

20. On NYC-DC1, in the command prompt, type dnscmd /clearcache, and then press ENTER.

21. In the command prompt, type IPConfig /flushdns, and then press ENTER.

22. Open Active Directory Sites and Services. Expand Sites, expand Default-First-Site-Name, expand Servers, expand NYC-DC2, and then click NTDS Settings.


23. Right-click the connection object with NYC-DC1, and then click Replicate Now.

Question: Was the replication successful? What error message did you receive?

Answer: Yes, the replication was successful. No error message was received.

24. On NYC-DC2, in Active Directory Users and Computers, under NYC, in the Branch Managers OU, verify that the test user account you created in Exercise 1 is now displayed.

Trouble Ticket #5: The Help Desk has noticed that when some users in the Woodgrovebank.com New York branch log on, they are not getting the expected automatic drive mappings. All users should get a drive mapping that maps the H: drive to \\NYC-DC1\data. The Help Desk has confirmed that the Group Policy Object is configured correctly. The logon script is called MapDataDir.bat, and is supposed to be located in the Netlogon share.

Question: What do you think might be the problem(s)?

Answer: If the policy is configured correctly, then perhaps the policy or the script is not being replicated properly between the domain controllers. Because replication is working properly between NYC-DC1 and NYC-DC2, we should verify that the logon script is being replicated between the domain controllers.

Question: What troubleshooting step(s) will you take to resolve the problem(s)?

Answer: Check the Netlogon shares on both NYC-DC1 and NYC-DC2 to see whether the MapDataDir.bat file is present in both locations. If not, we will need to determine why replication is failing. Start by making sure the FRS and DFSR services are running on both domain controllers, using the Services applet in Control Panel. If they are, we will need to troubleshoot network issues between the two domain controllers.

1. On NYC-DC1, open Windows Explorer, and then browse to C:\Windows\SYSVOL\sysvol\WoodgroveBank.com\Scripts. Confirm that the MapDataDir.bat file is located in the folder.

2. Click Start, click Search, and then in the search box, type \\NYC-DC2\Netlogon, and then press ENTER.

Question: Is the MapDataDir.bat file in the folder?

Answer: No, it is not.


3. Open a command prompt, type ntfrsutl forcerepl nyc-dc2 /p NYC-DC1.woodgrovebank.com, and then press ENTER.

Question: Did replication succeed? If not, what error message did you get?

Answer: No, replication did not succeed. The error message indicates that access is denied.

4. On NYC-DC1, open Services console from the Administrative Tools.

Question: Are the File Replication Service and the DFS Replication services running? Start the services if required, and set them to start automatically.

Answer: Yes, the services are running, and are set to start automatically.

5. On NYC-DC2, open Services console from the Administrative Tools.

Question: Are the File Replication Service and the DFS Replication services running? Start the services if required, and set them to start automatically.

Answer: No, the services need to be started. The startup status for the services is disabled, so the services must be set to automatically start first, and then started.

6. On NYC-DC2, in the command prompt, type ntfrsutl forcerepl nyc-dc2 /p NYC-DC1.woodgrovebank.com, and then press ENTER.

Question: Did replication succeed? If not, what error message did you get?

Answer: Yes, replication succeeded, and no error message was received.

7. Click Start, and then in the search box, type \\NYC-DC2\Netlogon, and then press ENTER.

Question: Is the MapDataDir.bat file in the folder?

Answer: No, it is not in the folder.

8. On NYC-DC1, click Start, click Administrative Tools, and then click Windows Firewall with Advanced Security.

9. Click Inbound Rules, right-click File Replication (RPC), and then click Enable Rule.

10. Right-click File Replication (RPC-EPMAP), and then click Enable Rule.


11. In the command prompt, type ntfrsutl forcerepl nyc-dc2 /p NYC-DC1.woodgrovebank.com, and then press ENTER.

Question: Did replication succeed? If not, what error message did you get?

Answer: Yes, replication succeeded, and no error message was received.

12. Click Start, click Search, and then in the search box, type \\NYC-DC2\Netlogon, and then press ENTER.

Question: Is the MapDataDir.bat file in the folder?

Answer: Yes, the file is in the folder.

Note: If the file does not appear in the folder, wait one minute and refresh the view. If it still does not appear, restart the File Replication Service on NYC-DC2.

Question: What was the actual problem(s), and how did you resolve it?

Answer: The File Replication Service and the DFS Replication Service on NYC-DC2 were shut down. The Windows Firewall on NYC-DC1 was also blocking file replication traffic.

Task 2: Close all virtual machines and discard undo disks

1. For each running virtual machine, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.

Result: At the end of this exercise you will have resolved a trouble ticket with AD DS replication issues.


Lab: Troubleshooting Group Policy Issues L11-113

Module 11: Troubleshooting Group Policy Issues

Lab: Troubleshooting Group Policy Issues

Exercise 1: Troubleshooting Group Policy Scripts

Task 1: Start the 6425A-NYC-DC1 virtual machine and log on as Administrator

1. Open the Virtual Server Remote Control Client, and then double-click 6425A-NYC-DC1.

2. Log on to NYC-DC1 as Administrator using the password Pa$$w0rd.

Task 2: Create and link a domain Desktop policy

1. Click Start, click Administrative Tools, and then click Group Policy Management.

2. In the GPMC, expand Forest:WoodgroveBank.com, expand Domains, right-click the WoodgroveBank.com domain, and then click Create a GPO in this domain and link it here. Name the new policy Desktop, and then click OK.

3. Right-click the Desktop policy, and then click Edit.

4. Expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Logon. In the details pane, double-click Always wait for the network at computer startup and logon, click Enabled, and then click OK.

5. In the left pane, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile. In the details pane, double-click Windows Firewall: Allow inbound remote administration exceptions.

6. In the Windows Firewall: Allow inbound remote administration exceptions dialog box, click Enabled, type localsubnet, and then click OK.

7. Expand User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and then click URLs. In the details pane, double-click Important URLs.


8. In the Important URLs dialog box, select the check box to Customize Home page URL, type http://WoodgroveBank.com, and then click OK.

9. Expand Administrative Templates, click Start Menu and Taskbar, double-click Force classic Start Menu, click Enabled, and then click OK.

10. Close the Group Policy Management Editor.

Task 3: Restore the Lab11A GPO

1. In the Group Policy Management Console (GPMC), expand WoodgroveBank.com, right-click the Group Policy Objects (GPOs) folder, and then click Manage Backups.

2. In the Manage Backups dialog box, in the Backup location field, type D:\6425\GPOBackup.

3. Select the Lab 11A GPO, click Restore, and then click OK twice.

4. Close the Manage Backups dialog box.

Task 4: Link the Lab11A GPO to the domain

1. In the GPMC, right-click the WoodgroveBank.com domain, and then click Link an existing GPO.

2. In the Select GPO dialog box, select the Lab 11A GPO, and then click OK.

Task 5: Start NYC-CL1 and log on as Administrator

• Start and log on to NYC-CL1 as WoodgroveBank\Administrator with the password Pa$$w0rd.


Task 6: Test the GPO

1. On NYC-CL1, log off and then log on again as Administrator.

Note: Two logons are required to see the group policy settings because Administrator is logging on with cached credentials.

2. Click the Start menu, and ensure you see the classic Start menu.

3. Double-click Internet Explorer, and then click the red X to stop the connection attempt to the default startup page. Click the home symbol on the toolbar, and ensure that http://WoodgroveBank.com is the homepage.

Hint: Look on the status bar at the bottom.

4. Close Internet Explorer.

5. Double-click Computer on the desktop, ensure that you have a mapped drive to the shared folder named Data, and then log off.

6. Log on to NYC-CL1 as Roya with a password of Pa$$w0rd.

7. Close the Welcome Center.

8. Click the Start menu, and ensure Roya gets the classic Start menu.

9. On the desktop, double-click Internet Explorer, and then click the Home icon on the toolbar to ensure that http://WoodgroveBank.com is the homepage.

10. Close Internet Explorer.

11. On the desktop, double-click Computer, and then check for the mapped drive to the shared folder named Data.

12. Log off of NYC-CL1.


Task 7: Troubleshoot the GPO

1. Switch back to NYC-DC1.

2. In the GPMC, right-click Group Policy Results, and then click Group Policy Results Wizard.

3. In the Group Policy Results Wizard, click Next.

4. On the Computer Selection page, click Another Computer, type NYC-CL1 in the field, and then click Next.

5. On the User Selection screen, select WoodgroveBank\Roya, and then click Next.

6. On the Summary of Selections screen, click Next, and then click Finish.

7. In the Internet Explorer dialog box, click Add, click Add again, and then click Close.

8. In the User Configuration Summary section, click Group Policy Objects, and then click Applied GPOs.

9. Click the Settings tab.

10. Expand Windows Settings, expand Scripts, and then expand Logon.

11. Switch back to NYC-CL1 and log on as Roya.

12. Test Roya’s permission to the scripts location by opening a Run command, typing \\nyc-dc1\scripts, and pressing ENTER.

13. Click OK to dismiss the error dialog box.

14. Log off as Roya.

Note: If time permits, you can view the Group Policy operational log as Administrator on NYC-CL1. If you filter the view to show the events that Roya generates, you will see that the log records no errors or warnings for this user. This is because the GPO only sets a registry value that defines the location of the scripts folder; Group Policy does not know whether the user has access to that location. The write to the registry succeeded, so the Group Policy log shows no errors. You would have to audit Object Access for the scripts folder to determine access issues.


Task 8: Resolve the issue and test the resolution

1. Switch back to NYC-DC1, click Start, and then click Computer.

2. Navigate to and right-click D:\6425\scripts, and then click Share.

3. In the File Sharing dialog box, click Change sharing permissions.

4. Type Authenticated Users in the Enter the object names to be selected field, click Add, click Share, and then click Done.

5. Switch to NYC-CL1 and log on as Roya.

6. On the desktop, double-click Computer. Ensure that the drive mapping exists.

7. Log off.

Note: Another way to resolve the issue would be to move the script to the Netlogon share.

Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.

Exercise 2: Troubleshooting GPO Lab11B

Task 1: Restore the Lab11B GPO

1. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder, and then click Manage Backups.

2. In the Manage Backups dialog box, in the Backup location field, type D:\6425\GPOBackup.

3. Select the Lab 11B GPO, click Restore, and then click OK twice.

4. Close the Manage Backups dialog box.


Task 2: Link the Lab11B GPO to the Miami OU

1. In the GPMC, right-click the Miami OU, and then click Link an existing GPO.

2. In the Select GPO dialog box, select the Lab 11B GPO, and then click OK.

Task 3: Test the GPO

1. Log on to NYC-CL1 as Rich with a password of Pa$$w0rd.

2. Ensure that the settings from the Desktop GPO are being applied.

3. Ensure that the Control Panel icon does not appear on the desktop or Start menu.

4. Log off.

5. Log on to NYC-CL1 as Roya. Does the Control Panel icon appear on the Desktop?

6. Log off.

Task 4: Troubleshoot the GPO

1. Switch back to NYC-DC1.

2. In the GPMC, right-click Group Policy Results, and then click Group Policy Results Wizard.

3. In the Group Policy Results Wizard, click Next.

4. On the Computer Selection screen, click Another Computer, type NYC-CL1 in the Name field, and then click Next.

5. On the User Selection screen, select WoodgroveBank\Rich, and then click Next.

6. On the Summary of Selections screen, click Next, and then click Finish.

7. In the User Configuration Summary section, click Group Policy Objects, and then click Applied GPOs.

8. Click the Settings tab, expand Windows Settings, and then expand Control Panel.


9. In the left pane, under Group Policy Results, right-click the query for Roya on NYC-CL1, and then click Rerun Query.

10. In the User Configuration Summary section, click Group Policy Objects, and then click Applied GPOs.

11. Click Denied GPOs.

Task 5: Resolve the issue and test the resolution

1. In the GPMC, expand the Group Policy Objects folder, click the Lab 11B GPO, click the Delegation tab, and then click Advanced.

2. On the Security tab, click the Miami_BranchManagersGG.

3. Click Remove to remove the Miami_BranchManagersGG from the permission list, and then click OK.

4. Switch to NYC-CL1, and log on again as Roya.

Result: At the end of this exercise you will have resolved a Group Policy Object issue.

Exercise 3: Troubleshooting GPO Lab11C

Task 1: Restore the Lab11C GPO

1. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder, and then click Manage Backups.

2. In the Manage Backups dialog box, in the Backup location field, type D:\6425\GPOBackup.

3. Select the Lab 11C GPO, click Restore, and then click OK twice.

4. Close the Manage Backups dialog box.

Task 2: Link the Lab11C GPO to the Miami OU

1. In the GPMC, right-click the Miami OU, and then click Link an existing GPO.

2. In the Select GPO dialog box, select the Lab 11C GPO, and then click OK.


Task 3: Test the GPO

1. Log on to NYC-CL1 as Roya. The Run command appears on the Start menu. It should not appear there.

2. Log off.

Task 4: Troubleshoot the GPO

1. Switch to NYC-DC1.

2. In the GPMC, in the left pane under Group Policy Results, right-click the query for Roya on NYC-CL1, and then click Rerun Query.

3. In the User Configuration Summary section, click Group Policy Objects, and then click Applied GPOs.

4. Click the Settings tab.

5. In the User Configuration section, expand Administrative Templates, and then click Start Menu and Taskbar.

Task 5: Resolve the issue and test the resolution

1. Expand the Group Policy Objects folder, right-click the Lab 11C GPO, and then click Edit.

2. In User Configuration, expand Policies, expand Administrative Templates, and then click Start Menu and Taskbar.

3. Double-click the Add the Run command to the Start Menu setting, click Not Configured, and then click OK.

4. Locate and double-click Remove Run menu from the Start Menu, click Enabled, and then click OK.

5. Close the Group Policy Object Editor.

6. Log on to NYC-CL1 as Roya. The Run command appears on the Start menu. It should not be there.

7. Do not log off.

Result: At the end of this exercise you will have resolved a Group Policy object issue.


Exercise 4: Troubleshooting GPO Lab11D

Task 1: Create a new OU named Loopback

1. Open Active Directory Users and Computers from the Administrative Tools, right-click the WoodgroveBank domain, click New, and then click Organizational Unit.

2. In the New Object dialog box, type Loopback in the Name field, and then click OK.

Task 2: Restore the Lab11D GPO

1. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder, and then click Manage Backups.

2. In the Manage Backups dialog box, in the Backup location field, type D:\6425\GPOBackup.

3. Select the Lab 11D GPO, click Restore, and then click OK twice.

4. Close the Manage Backups dialog box.

Task 3: Link the Lab11D GPO to the Loopback OU

1. In the GPMC, on the Action menu, click Refresh, right-click the Loopback OU, and then click Link an existing GPO.

2. In the Select GPO dialog box, select the Lab 11D GPO, and then click OK.

Task 4: Move NYC-CL1 to the Loopback OU

1. Return to Active Directory Users and Computers.

2. Expand the WoodgroveBank.com domain, and then click the Computers container.

3. Right-click the NYC-CL1 computer account, and then click Move.

4. Select the Loopback OU, and then click OK.


Task 5: Test the GPO

1. Switch to NYC-CL1, and restart the computer.

2. Log on as WoodgroveBank\Roya with a password of Pa$$w0rd.

3. Close the Welcome Center.

4. Click Start. Roya now has access to the Run command, and the Control Panel icon now appears on the desktop.

5. Double-click Internet Explorer. Internet Explorer does not launch.

Task 6: Troubleshoot the GPO

1. Switch back to NYC-DC1.

2. In the GPMC, right-click Group Policy Results, and then click Group Policy Results Wizard.

3. In the Group Policy Results Wizard, click Next.

4. On the Computer Selection screen, click Another Computer, type NYC-CL1 in the field, and then click Next.

5. On the User Selection screen, select WoodgroveBank\Roya, and then click Next.

6. On the Summary of Selections screen, click Next, and then click Finish.

7. In the Computer Configuration Summary section, click Group Policy Objects, and then click Applied GPOs.

8. On the Settings tab, in the Computer Configuration section, click Administrative Templates, and then click System/Group Policy.

Task 7: Resolve the issue and test the resolution

1. In the GPMC, click the Loopback OU, and disable the link to the Lab 11D GPO by right-clicking Lab 11D GPO, and clicking Link Enabled to clear the check mark.

2. Restart the NYC-CL1 computer, and log on as Roya. The Control Panel and Run command restrictions return, and Internet Explorer will now launch successfully.


Lab A: Deploying Active Directory Domain Services L12-123

Module 12: Implementing an Active Directory Domain Services Infrastructure

Lab A: Deploying Active Directory Domain Services

Note: Some of the tasks in this lab are designed to illustrate Active Directory deployment and management techniques, and may not always follow best practices.

Exercise 1: Installing RODC onto a Server Core

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6425A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6425A-NYC-DC1, click Launch.

3. In the Lab Launcher, next to 6425A-NYC-DC2, click Launch.

4. In the Lab Launcher, next to 6425A-NYC-SVR2, click Launch.

5. In the Lab Launcher, next to 6425A-NYC-RAS, click Launch.

6. Log on to all computers as Administrator with the password Pa$$w0rd.

7. Minimize the Lab Launcher window.

Task 2: Copy the Unattend file and change the name of NYC-SRV2 to NYC-DC3

1. On NYC-SVR2, at the command prompt, type copy \\10.10.0.10\D$\6425\Mod12\Labfiles\NYC-Rodc.txt C:\ and press ENTER.

2. Type Netdom renamecomputer %computername% /newname:NYC-DC3 /force /reboot:5, and then press ENTER. The computer will automatically reboot after 5 seconds.

3. After the server reboots, log on as Administrator with a password of Pa$$w0rd.


Task 3: Change the NYC-SRV2 address to 10.30.0.10

1. On NYC-SVR2, at a command prompt, type netsh interface ipv4 show interfaces, and then press ENTER. Note the Idx number of the Local Area Connection interface.

2. Type netsh interface ipv4 set address name="Idx number of the LAN interface" source=static address=10.30.0.10 mask=255.255.0.0 gateway=10.30.0.1, and then press ENTER. The Idx number is the digit assigned to the Local Area Connection.

3. Type IPconfig /all, press ENTER, and ensure the IP address information is correct. Also ensure that the DNS Server is 10.10.0.10.

Task 4: Create the NYC-Branch-Office site and rename the Default site

1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Sites and Services.

2. Expand Sites, right-click Sites, and then click New Site.

3. In the New Object – Site dialog box, type NYC-Branch-Office in the Name field. Select the DefaultIPSiteLink, and then click OK. Click OK again to acknowledge the message.

4. Right-click the Default-First-Site-Name, and then click Rename.

5. Type NYC-Head-Office, and then press ENTER.

Task 5: Create subnet objects for the NYC head office and branch office

1. Right-click Subnets, and then click New Subnet.

2. In the New Object- Subnet dialog box, in the Prefix text field, type 10.10.0.0/16, select the NYC-Head-Office site, and then click OK.

3. Right-click Subnets, and then click New Subnet.

4. In the New Object- Subnet dialog box, in the Prefix text field, type 10.30.0.0/16, select the NYC-Branch-Office site, and then click OK.


Task 6: Configure the replication schedule

1. Expand Inter-site transports, click IP, and then double-click DEFAULTIPSITELINK.

2. Type 30 in the Replicate every field, and then click OK.

3. Close Active Directory Sites and Services.

Task 7: Create an OU for the branch office users

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. Right-click the WoodgroveBank.com domain, click New, and then click Organizational Unit.

3. In the New Object- Organizational Unit dialog box, type NYC Branch Office, and then click OK.

Task 8: Create users and groups for the branch office

1. Right-click the NYC Branch Office OU, click New, and then click User.

2. Create a user with the following parameters:

• Name – Branch Manager

• Logon Name – branchmanager

• Clear the check box for User must change password at next logon

• Select the check box for Password never expires

• Password – Pa$$w0rd

3. Create a second user with the following parameters:

• Name – Branch User

• Logon Name – branchuser

• Clear the check box for User must change password at next logon

• Select the check box for Password never expires

• Password – Pa$$w0rd

4. Right-click the NYC Branch Office OU, click New, and then click Group.


5. In the New Object- Group dialog box, type BranchUsersGG. Verify that you are creating a global security group, and then click OK.

6. Press the CTRL key, and then click to select both the Branch Manager and the Branch User accounts.

7. Right-click the selected accounts, and then click Add to a group.

8. In the Select Groups dialog box, type BranchUsersGG, and then click OK twice.

Task 9: Configure the DNS service on NYC-DC1 to allow zone transfers

1. On NYC-DC1, click Start, click Search, type DNSmgmt.msc in the search box, and then press ENTER to launch the DNS management console.

2. Expand NYC-DC1, expand Forward Lookup Zones, right-click WoodgroveBank.com, and then click Properties.

3. In the WoodgroveBank.com Properties dialog box, click the Zone Transfers tab.

4. Select the Allow Zone Transfers check box, and then click OK.

5. Close the DNS Manager.

Task 10: Pre-stage the computer account for the RODC

1. In Active Directory Users and Computers, right-click the Domain Controllers organizational unit, and then click Pre-create Read-only Domain Controller account.

2. On the Welcome to the Active Directory Domain Services Installation Wizard page, select the Use advanced mode installation check box, and then click Next.

3. On the Operating System Compatibility page, click Next.

4. On the Network Credentials page, verify that My current logged on credentials is selected, and then click Next.

5. On the Specify the Computer Name page, in the Computer name field, type NYC-DC3, and then click Next.

6. On the Select a Site page, click NYC-Branch-Office, and then click Next.


7. On the Additional Domain Controller Options page, accept the defaults, and then click Next.

8. On the Specify the Password Replication Policy page, click Add, click Allow passwords for the account to replicate to this RODC, and then click OK.

9. Type BranchUsersGG, click OK, and then click Next.

10. On the Delegation of RODC Installation and Administration page, click Set. In the Select User or Group dialog box, type BranchManager, click OK, and then click Next.

11. On the Summary page, review your selections, click Next, and then click Finish to create the RODC account. Notice that the NYC-DC3 computer account is listed in Active Directory, but the DC type is Unoccupied DC Account.
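As an added example (not part of the 6425A courseware), the following Python snippet models how the Password Replication Policy configured for NYC-DC3 in steps 8 and 9 is evaluated: an account's secrets may be cached on the RODC only when the account or one of its (possibly nested) groups is on the Allowed list and none of them is on the Denied list, with Denied taking precedence. The group memberships and the contents of the default Denied group are assumptions constructed for the lab scenario.

```python
"""Added example, not part of the 6425A courseware: evaluates an RODC
Password Replication Policy (PRP) like the one set for NYC-DC3 in Task 10.

Documented AD DS behaviour modelled here: an account's credentials may be
cached on the RODC only if the account, or a group it belongs to (directly
or through nesting), is on the Allowed list and none of them is on the
Denied list. A Denied match always wins over an Allowed match.

The membership graph below is constructed for the lab. The default
"Allowed/Denied RODC Password Replication Group" names are real; that
Domain Admins sits in the Denied group is stated here as an assumption.
"""

# Constructed membership graph: principal -> groups it is a direct member of.
MEMBER_OF = {
    "branchmanager": {"BranchUsersGG"},
    "branchuser": {"BranchUsersGG"},
    "Administrator": {"Domain Admins"},
    # Assumed default membership of the built-in Denied group.
    "Domain Admins": {"Denied RODC Password Replication Group"},
}

# PRP for NYC-DC3 as configured in Task 10, plus the default group entries.
ALLOWED = {"Allowed RODC Password Replication Group", "BranchUsersGG"}
DENIED = {"Denied RODC Password Replication Group"}


def expand_groups(principal, member_of=MEMBER_OF):
    """Return every group `principal` belongs to, following nested membership."""
    seen, stack = set(), [principal]
    while stack:
        current = stack.pop()
        for group in member_of.get(current, ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def prp_decision(account, allowed=ALLOWED, denied=DENIED, member_of=MEMBER_OF):
    """Return (cacheable, reason) for `account` under the given PRP.

    Denied entries are checked first because a Denied match overrides any
    Allowed match; an account matching neither list is implicitly denied.
    """
    principals = {account} | expand_groups(account, member_of)
    hit = principals & set(denied)
    if hit:
        return False, f"denied via {sorted(hit)[0]}"
    hit = principals & set(allowed)
    if hit:
        return True, f"allowed via {sorted(hit)[0]}"
    return False, "no matching entry (implicit deny)"


def cacheable_accounts(accounts, **kwargs):
    """Filter `accounts` to those whose secrets the RODC may cache."""
    return [a for a in accounts if prp_decision(a, **kwargs)[0]]


if __name__ == "__main__":
    for user in ["branchmanager", "branchuser", "Administrator", "guest.user"]:
        ok, why = prp_decision(user)
        print(f"{user:15} cache={ok!s:5} ({why})")
```

The last check in the test below shows why the Denied list matters: an account that is in BranchUsersGG but also nested under Domain Admins is still refused, so delegating branch administration does not let privileged secrets reach the branch RODC.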

Task 11: Install DNS role on NYC-DC3

1. On NYC-DC3, type Oclist to view the currently installed roles. Notice that there are no currently installed roles.

2. Type start /w ocsetup DNS-Server-Core-Role, and then press ENTER to install the DNS server. The server core role name is case sensitive.

Task 12: Install RODC on NYC-DC3 and verify the results

1. Type dcpromo.exe /UseExistingAccount:Attach /unattend:C:\nyc-rodc.txt. The promotion will take several minutes to perform, and will automatically reboot to complete the installation.

2. Log on to NYC-DC3 as BranchManager using a password of Pa$$w0rd.

Note: If you receive an error message when you log on, wait one minute and try to log on again.

3. On NYC-DC1, refresh the view of the Domain Controllers OU. Notice the DC Type for NYC-DC3 is now set to Read-only, DC.

4. Open Active Directory Sites and Services, and then examine the NYC-Branch-Office site. Notice that NYC-DC3 is now listed in the Servers container.


5. Open the DNS Manager, right-click DNS, and then click Connect to DNS Server.

6. In the Connect to DNS Server dialog box, click The following server, type NYC-DC3 in the field, and then click OK.

Note: If the server is unavailable, wait a few moments and try again.

7. Expand NYC-DC3, expand Forward Lookup Zones, and then click WoodgroveBank.com. Verify that NYC-DC3 hosts a copy of the WoodgroveBank.com zone.

8. Close the DNS console.

Task 13: Close NYC-SRV2 and discard undo disks

1. Close the 6425A-NYC-SRV2 Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

Result: At the end of this exercise you will have created an RODC on a Server Core computer.

Exercise 2: Creating the Contoso Domain and Site

Task 1: Start NYC-SRV1

1. In the Lab Launcher, next to 6425A-NYC-SRV1, click Launch.

2. Minimize the Lab Launcher window.


Task 2: Create and configure a new site link for replication

1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Sites and Services.

2. Right-click Sites, and then click New Site.

3. In the New Object – Site dialog box, type Contoso in the Name field. Select the DefaultIPSiteLink, and then click OK. Click OK to acknowledge the message.

Task 3: Create the subnet for the Contoso site

1. Right-click Subnets, and then click New Subnet.

2. In the New Object – Subnet dialog box, in the Prefix text field, type 192.168.0.0/24, select the Contoso site, and then click OK.

Task 4: Create and configure a new site link for replication

1. Expand Inter-Site Transports, right-click IP, and then click New Site Link.

2. In the New Object – Site Link dialog box, type Contoso-NYC-HO in the Name field.

3. In the Sites not in this site link area, hold the Ctrl key, click to select both Contoso and NYC-Head-Office, click Add, and then click OK.

4. Click IP, right-click the Contoso-NYC-HO site link, and then click Properties.

5. On the General tab, type 240 in the Replicate every field.

6. Click Change Schedule.

7. In the Schedule for Contoso-NYC-HO dialog box, click and drag to select the hours of 6 AM to 6 PM, Monday to Friday, click Replication Not Available, and then click OK twice.

8. Double-click the DefaultIPSiteLink, and in the Sites in the site link area, click Contoso, click Remove, and then click OK.

9. Close Active Directory Sites and Services.
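To verify the outcome of Tasks 2 to 4 (site, subnet and site link) without the GUI, the following PowerShell script is an added example that is not part of the course material. It reads the site link object through ADSI, which is available on Windows Server 2008, and decodes the replication schedule blob; the site link name and transport are parameters, with the lab's values as defaults.

```powershell
# Added example (not from the course): report a site link's cost, interval, member
# sites and replication schedule through ADSI, which is available on Windows Server 2008.
# Assumptions: run as a user who can read the Configuration partition; the site link
# name and transport below are parameters (defaults taken from the lab).
param(
    [string]$SiteLinkName = "Contoso-NYC-HO",
    [string]$Transport    = "IP"
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = "$($rootDse.configurationNamingContext)"
$linkPath = "LDAP://CN=$SiteLinkName,CN=$Transport,CN=Inter-Site Transports,CN=Sites,$configNc"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($linkPath)) {
    throw "Site link '$SiteLinkName' not found at $linkPath"
}
$link = [ADSI]$linkPath

# replInterval is the "Replicate every" value in minutes (the lab sets 240);
# cost defaults to 100 and is what the KCC uses to choose between links.
"Site link : $($link.cn)"
"Cost      : $($link.cost)"
"Interval  : $($link.replInterval) minutes"
"Sites     :"
foreach ($siteDn in $link.siteList) {
    "  " + ((($siteDn -split ',')[0]) -replace '^CN=', '')
}

# The schedule attribute is a SCHEDULE blob: a 20-byte header whose last DWORD is the
# offset of a 168-byte table, one byte per hour from Sunday 00:00 to Saturday 23:00 (UTC).
# The low four bits of each byte mark the 15-minute slots in which replication may start;
# a zero byte is an hour marked "Replication Not Available" in the GUI.
$sched = $link.psbase.Properties["schedule"].Value
if (-not $sched) {
    "Schedule  : not set (replication available at all times)"
    return
}
$offset = [BitConverter]::ToInt32($sched, 16)
$days   = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'

"Schedule  : UTC hours; '#' = replication allowed, '.' = not available"
"      " + ((0..23 | ForEach-Object { $_ % 10 }) -join '')
for ($d = 0; $d -lt 7; $d++) {
    $row = ''
    for ($h = 0; $h -lt 24; $h++) {
        $b = $sched[$offset + ($d * 24) + $h]
        $row += $(if (($b -band 0x0F) -ne 0) { '#' } else { '.' })
    }
    "  $($days[$d]) $row"
}
```

Because the schedule is stored in UTC, the Monday to Friday 6 AM to 6 PM blackout set in step 7 appears shifted by the time zone offset of the machine on which it was configured.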


Task 5: Rename the NYC-SRV1 server to ContosoDC

1. Log on to NYC-SRV1 as LocalAdmin with the password Pa$$w0rd.

2. Click Start, right-click Computer, and then click Properties.

3. In System Properties, click Advanced system settings.

4. Click the Computer Name tab, and then click Change.

5. Type ContosoDC in the Computer Name field, and then click OK.

6. Click OK to acknowledge the message, click Close, and then click Restart Now to restart the computer.

Task 6: Change the IP address for ContosoDC

1. Log on to ContosoDC as LocalAdmin with the password Pa$$w0rd. Server Manager will automatically launch.

2. In Server Manager, in the Server Summary pane, click View Network Connections.

3. Right-click Local Area Connection, and then click Properties.

4. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

5. Configure the IP address as follows:

• IP address – 192.168.0.10

• Subnet mask – 255.255.255.0

• Default Gateway – 192.168.0.1

• DNS – 10.10.0.10

6. Click OK, click Close, and then close the Network Connections window.


Task 7: Configure the DNS service on NYC-DC1 to allow zone transfers

(If you completed Exercise 1, then this task has already been performed.)

1. Switch to NYC-DC1.

2. Click Start, click Search, type DNSmgmt.msc in the search box, and then press ENTER to launch the DNS management console.

3. Expand NYC-DC1, expand Forward Lookup Zones, click WoodgroveBank.com, right-click WoodgroveBank.com, and then click Properties.

4. In the WoodgroveBank.com Properties dialog box, click the Zone Transfers tab.

5. Select the check box to Allow Zone Transfers, and then click OK.

6. Close the DNS Manager.

Task 8: Install the DNS Service on ContosoDC

1. On ContosoDC, in Server Manager, in the left pane, right-click Roles, and then click Add Roles.

2. On the Before You Begin page, click Next, select the DNS Server check box, and then click Next.

3. On the DNS Server page, click Next, and then click Install. After installation succeeds, click Close.

4. Leave Server Manager open.

Task 9: Configure the DNS Service on ContosoDC

1. Click Start, click Search, type DNSmgmt.msc in the search box, and then press ENTER to launch the DNS management console.

2. Click ContosoDC to select it, right-click ContosoDC, and then click New Zone.

3. In the New Zone Wizard, click Next.

4. On the Zone Type page, click Secondary Zone, and then click Next.


5. On the Forward or Reverse Lookup Zone page, ensure that Forward lookup zone is selected, and then click Next.

6. On the Zone Name page, type WoodgroveBank.com, and then click Next.

7. On the Master DNS Servers page, type 10.10.0.10, press ENTER, click Next, and then click Finish.

8. Expand Forward Lookup Zones, and then click WoodgroveBank.com. Wait for the zone transfer to finish. You will have to refresh the console to see the changes.

9. Expand the Global Logs, and then click DNS Events. Examine the events that describe the zone transfer.

Question: What version of the WoodgroveBank.com zone was transferred?

Answer: Answers will vary.

10. Close the DNS Manager.

Task 10: Promote the server to be the Contoso domain controller

1. In Server Manager, right-click Roles, and then click Add Roles.

2. In the Add Roles Wizard, click Next, select the Active Directory Domain Services check box, and then click Next.

3. On the Active Directory Domain Services page, click Next, and then click Install. After the installation finishes, click Close.

4. Click Start, click Search, type DCPromo in the search box, and then press ENTER.

5. In the Active Directory Domain Services Installation Wizard, select the Use advanced mode installation check box, and then click Next.

6. On the Operating System Compatibility page, click Next.

7. On the Choose a Deployment Configuration page, click Existing Forest, click Create a new domain in an existing forest, select the Create a new domain tree root instead of a new child domain check box, and then click Next.

8. On the Network Credentials window type WoodgroveBank.com, and then click Set. In the Windows Security dialog box, type administrator with a password of Pa$$w0rd, click OK, and then click Next.

9. On the Name the New Domain Tree Root screen, type Contoso.com, and then click Next.


10. On the Domain NetBIOS Name screen, click Next.

11. On the Set Domain Functional Level screen, select Windows Server 2008 from the drop-down list, and then click Next.

12. On the Select a Site screen, verify that Contoso is selected, and then click Next.

13. On the Additional Domain Controller Options screen, select the check box for Global Catalog, and then click Next.

14. On the Static IP Assignment message box, click Yes, the computer will use a dynamically assigned IP address (not recommended).

Note: This message refers to the IPV6 interface, which has a dynamically assigned address.

15. In the message box, click Yes to continue.

16. On the Source Domain Controller screen, click Next.

17. On the Location for Database, Log Files and SYSVOL screen, click Next.

18. On the Directory Services Restore Mode Administrator Password screen, type Pa$$w0rd in the fields, and then click Next.

19. On the Summary screen, click Next, and then select the check box to Reboot on completion. The domain controller installation will finish, and then the computer will reboot.

20. Log on to ContosoDC as Contoso\LocalAdmin with the password Pa$$w0rd.

21. Open the DNS management console. Examine the Forward Lookup Zones. Notice that Contoso.com is hosted on the local computer.

22. Open a command prompt, type IPConfig /all, and then press ENTER. Notice that ContosoDC is using 127.0.0.1 as the preferred DNS server.

Task 11: Close NYC-SRV1 and NYC-DC2 and discard undo disks

1. Close the 6425A-NYC-SRV1 Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.


3. Close the 6425A-NYC-DC2 Virtual Machine Remote Control window.

4. In the Close box, select Turn off machine and discard changes, and then click OK.

Result: At the end of this exercise you will have created a domain and a site.

Lab B: Configuring Forest Trust Relationships

Exercise: Upgrade the Fabrikam Domain and Create a Forest Trust with Woodgrove Bank

Task 1: Start VAN-DC1 and NYC-SRV1

1. In the Lab Launcher, next to 6425A-VAN-DC1, click Launch.

2. In the Lab Launcher, next to 6425A-NYC-SRV1, click Launch.

3. Minimize the Lab Launcher window.

Task 2: Prepare the Fabrikam.Com forest and domain

1. Log on to VAN-DC1 as Administrator with the password Pa$$w0rd.

2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. Right-click Fabrikam.com, and then click Raise Domain Functional Level.

4. In the Raise Domain Functional Level dialog box, select Windows Server 2003 from the drop-down list, and then click Raise. Click OK to acknowledge the action, and then click OK to acknowledge the successful operation.

5. Close Active Directory Users and Computers.

6. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

7. Right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

8. In the Raise Forest Functional Level dialog box, select Windows Server 2003 from the drop-down list, and then click Raise. Click OK to acknowledge the action, and then click OK to acknowledge the successful operation.

9. Close Active Directory Domains and Trusts.

10. Open a Command Prompt.

11. Type xcopy \\10.10.0.10\D$\6425\Mod12\Adprep\*.* c:\Adprep\ /E, and then press ENTER.


12. In the command prompt window, type C:\Adprep\adprep /forestprep, and then press ENTER.

13. Read the warning message, type C, and then press ENTER. Forestprep will take a few moments to complete.

14. In the command prompt window, type C:\Adprep\adprep /domainprep, and then press ENTER.

15. Close the command prompt.

Task 3: Configure reciprocating DNS zone transfers using stub zones

1. On VAN-DC1, click Start, click Run, type DNSmgmt.msc in the Run menu, and then press ENTER.

2. Expand VAN-DC1, expand Forward Lookup Zones, and then click Fabrikam.com to select it.

3. Right-click Fabrikam.com, and then click Properties.

4. On the Fabrikam.com Properties page, click the Zone Transfers tab.

5. Select the check box to Allow Zone Transfers, and then click OK.

6. Switch to NYC-DC1.

7. Click Start, click Search, type DNSmgmt.msc in the Search field, and then press ENTER to launch the DNS management console.

8. Right-click Forward Lookup Zones, and then click New Zone.

9. In the New Zone Wizard, click Next.

10. On the Zone Type screen, click Stub Zone, and then click Next.

11. On the Active Directory Zone Replication Scope screen, click Next.

12. On the Zone Name screen, type Fabrikam.com, and then click Next.

13. On the Master DNS Servers screen, type 10.20.0.10, press ENTER, click Next, and then click Finish.

14. Click Fabrikam.com. It may take a few moments for the zone transfer to occur. You will have to refresh the console to see the changes.

15. Close the DNS Manager.

16. Switch back to VAN-DC1.


17. Right-click Forward Lookup Zones, and then click New Zone.

18. In the New Zone Wizard, click Next.

19. On the Zone Type screen, click Stub Zone, and then click Next.

20. On the Active Directory Zone Replication Scope screen, click Next.

21. On the Zone Name screen, type WoodgroveBank.com, and then click Next.

22. On the Master DNS Servers screen, type 10.10.0.10, click Add, click Next, and then click Finish.

23. Click WoodgroveBank.com. It may take a few moments for the zone transfer to occur. You will have to refresh the console to see the changes.

24. Close the DNS Manager.

Task 4: Rename NYC-SRV1 to VAN-DC2

1. Log on to NYC-SRV1 as LocalAdmin with the password Pa$$w0rd.

2. In Server Manager, click View Network Connections.

3. Right-click Local Area Connection, and then click Properties.

4. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

5. Change the IP address configuration to the following:

IP address: 10.20.0.11

Subnet mask: 255.255.0.0

Default gateway: 10.20.0.1

Preferred DNS server: 10.20.0.10

6. Click OK, click Close, and close the Network Connections window.

7. In Server Manager, click Change System Properties.

8. In the System Properties dialog box, on the Computer Name tab, click Change.

9. Type VAN-DC2 in the Computer name field, and then click OK.

10. Click OK to acknowledge the message, click Close, and then click Restart Now.


Task 5: Promote the Windows Server 2008 server to a domain controller in the Fabrikam domain

1. Log on to VAN-DC2 as LocalAdmin with the password Pa$$w0rd.

2. In Server Manager, right-click Roles, and then click Add Roles.

3. In the Add Roles Wizard, click Next, select the check box for Active Directory Domain Services, and then click Next.

4. On the Active Directory Domain Services screen, click Next, and then click Install. After the installation finishes, click Close.

5. Click Start, click Search, type DCPromo in the search box, and then press ENTER.

6. In the Active Directory Domain Services Installation Wizard, click Next.

7. On the Operating System Compatibility page, click Next.

8. On the Choose a Deployment Configuration page, click Existing forest, keep the default choice of Add a domain controller to an existing domain, and then click Next.

9. On the Network Credentials page, type Fabrikam.com, click Set, in the Windows Security dialog box, type administrator with a password of Pa$$w0rd, click OK, and then click Next.

10. On the Select a Domain page, click Fabrikam.com, click Next, and then click Yes to acknowledge the message about RODCs.

11. On the Select a Site page, click Next.

12. On the Additional Domain Controller Options page, clear the DNS Server and Global Catalog check boxes, and then click Next.

13. On the Infrastructure Master Configuration Conflict page, click Transfer the infrastructure master role to this domain controller.

14. On the Location for Database, Log Files and Sysvol page, click Next.

15. On the Directory Services Restore Mode Administrator Password page, type Pa$$w0rd in the fields, and then click Next.

16. On the Summary page, click Next, and then select the check box to Reboot on completion.


Task 6: Configure a forest trust between WoodgroveBank.com and Fabrikam.com for selective authentication

1. Switch to NYC-DC1.

2. Click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

3. Right-click WoodgroveBank.com, and then click Properties.

4. In the WoodgroveBank.com Properties dialog box, click the Trusts tab, and then click New Trust.

5. In the New Trust Wizard, click Next.

6. On the Trust Name page, type Fabrikam.com in the Name field, and then click Next.

7. On the Trust Type page, click Forest Trust, and then click Next.

8. On the Direction of Trust page, select One-way: incoming, and then click Next.

9. On the Sides of Trust page, select Both this domain and the specified domain, and then click Next.

10. On the User Name and Password page, type Administrator in the User name field and Pa$$w0rd in the password field.

11. On the Outgoing Trust Authentication Level-Specified Forest page, click Selective authentication, and then click Next.

12. On the Trust Selections Complete page, click Next.

13. On the Routed Name Suffixes – Local forest page, click Next.

14. On the Trust Creation Complete page, click Next.

15. On the Confirm Incoming Trust page, click Next, click Finish, and then click OK.

Task 7: Configure selective authentication for the WoodgroveBank Domain Admins group

1. Switch to VAN-DC1.

2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.


3. On the View menu, click Advanced Features.

4. Expand Fabrikam.com, click Domain Controllers, right-click VAN-DC1, and then click Properties.

5. In the VAN-DC1 Properties dialog box, click the Security tab, and then click Add.

6. In the Select Users, Computers, or Groups dialog box, click Locations.

7. In the Locations dialog box, click WoodgroveBank.com, and then click OK.

8. Type Domain Admins, and then click OK.

9. Click the Domain Admins group in the WoodgroveBank.com domain, and then click OK.

10. Select the check box to Allow the Allowed to Authenticate permission, and then click OK.
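To confirm the result of Task 6 (selective authentication on the forest trust) and Task 7 (the Allowed to Authenticate permission on VAN-DC1), the following PowerShell script is an added example, not part of the course material. It uses the .NET System.DirectoryServices classes available on Windows Server 2008; the partner forest name and the target object DN are parameters with the lab's values as defaults, and the rights GUID is looked up from the Extended-Rights container rather than hard-coded.

```powershell
# Added example (not from the course): inspect the forest trust and list who holds the
# "Allowed to Authenticate" right on a domain controller object, using the .NET
# System.DirectoryServices classes present on Windows Server 2008.
# Assumptions: run on a Fabrikam.com DC (for example VAN-DC1) as a domain administrator;
# the partner forest name and target DN are parameters with the lab's values as defaults.
param(
    [string]$PartnerForest = "WoodgroveBank.com",
    [string]$TargetDn      = "CN=VAN-DC1,OU=Domain Controllers,DC=Fabrikam,DC=com"
)

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 1. Trusts known to this forest, with type and direction.
foreach ($t in $forest.GetAllTrustRelationships()) {
    "Trust: $($t.SourceName) -> $($t.TargetName)  type=$($t.TrustType) direction=$($t.TrustDirection)"
}

# 2. Selective authentication: when enabled, users from the partner forest cannot
#    authenticate to any computer in this forest unless that computer object grants
#    them Allowed to Authenticate (Task 7 grants it on VAN-DC1 to WoodgroveBank\Domain Admins).
try {
    $selective = $forest.GetSelectiveAuthenticationStatus($PartnerForest)
    "Selective authentication towards ${PartnerForest}: $selective"
} catch {
    "No forest trust with $PartnerForest found from $($forest.Name): $($_.Exception.Message)"
}

# 3. Resolve the rightsGuid of the Allowed to Authenticate control access right from the
#    Extended-Rights container instead of hard-coding it.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = "$($rootDse.configurationNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
$searcher.Filter     = "(&(objectClass=controlAccessRight)(displayName=Allowed to Authenticate))"
[void]$searcher.PropertiesToLoad.Add("rightsGuid")
$hit = $searcher.FindOne()
if (-not $hit) { throw "Could not find the Allowed to Authenticate right under $configNc" }
$allowedToAuthGuid = [Guid]$hit.Properties["rightsguid"][0]

# 4. Read the DACL of the target object and keep ACEs that grant or deny this right.
#    An ACE for ExtendedRight with an empty ObjectType covers every extended right,
#    so it is reported as well.
$target = [ADSI]"LDAP://$TargetDn"
$rules  = $target.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
"Allowed to Authenticate ACEs on ${TargetDn}:"
foreach ($r in $rules) {
    if (($r.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }
    if ($r.ObjectType -ne $allowedToAuthGuid -and $r.ObjectType -ne [Guid]::Empty) { continue }

    # Translate the SID when the trust allows it; otherwise keep the raw SID.
    $who = $r.IdentityReference.Value
    try { $who = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    $scope = if ($r.ObjectType -eq [Guid]::Empty) { 'all extended rights' } else { 'Allowed to Authenticate' }
    "  $($r.AccessControlType) $who ($scope; inherited=$($r.IsInherited))"
}
```

Run it again after removing a trusted-forest group from the DC's ACL to see the entry disappear; only principals listed here (or holding all extended rights) can authenticate to that DC while selective authentication is on.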

Task 8: Close NYC-SRV1, NYC-RAS, and VAN-DC1, and discard undo disks

1. Close the 6425A-NYC-SRV1 Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A-NYC-RAS Virtual Machine Remote Control window.

4. In the Close box, select Turn off machine and discard changes, and then click OK.

5. Close the 6425A-VAN-DC1 Virtual Machine Remote Control window.

6. In the Close box, select Turn off machine and discard changes, and then click OK.

Result: At the end of this exercise you will have upgraded the Fabrikam domain and created a forest trust with Woodgrove Bank.

Lab C: Designing a Group Policy Strategy

Exercise 1: Planning Group Policy

Suggested answer for OU structure

WoodgroveBank.com
  Executives
  Toronto
  IT Admins
  Miami
  NYC
  Member Servers
    Web Servers
    File and Print Servers
    SQL Servers

Suggested answer for GPO configuration:

GPO name: Domain Desktop Policy
Settings:
• Prohibit screen saver tab access
• Prohibit users from adding printers
Linked to: WoodgroveBank domain

GPO name: Domain Computer Policy
Settings:
• Rename local Administrator account to SRVAdmin
• Add the ITAdminGG to the local Administrators group
• Configure Windows Update to use the intranet address Http://Updates
Linked to: WoodgroveBank domain

GPO name: Prohibit Control Panel (Security filtered to exempt the Domain Admins group)
Settings:
• Prohibit Control Panel access
Linked to: WoodgroveBank domain

GPO name: Member Server Security Policy (Policy will be enforced)
Settings:
• Audit account logins
• Prohibit Internet Explorer from running
• Rename local Administrator account to SRVAdmin
Linked to: Member Servers OU

GPO name: SQL Security (Policy will be enforced)
Settings:
• Prevent removable devices installation
Linked to: SQL Servers OU

GPO name: Force Offline File Encryption (Policy will be enforced)
Settings:
• Force offline files encryption
Linked to: Executives OU

GPO name: Block Windows Messenger
Settings:
• Prohibit Windows Messenger from running
Linked to: Toronto OU, Miami OU

GPO name: Allow Adding Printers
Settings:
• Allow the addition of printers
Linked to: IT Admins OU


Exercise 2: Implementing the Corporate Desktop Policy

Task 1: Create and Link the Domain Desktop Policy

1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.

2. If required, expand Domains, right-click WoodgroveBank.com, and then click Create a GPO in this domain, and Link it here.

3. In the New GPO dialog box, type Domain Desktop Policy in the Name field, and then click OK.

4. Right-click the Domain Desktop Policy, and then click Edit.

5. Expand User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then click Printers. In the details pane, double-click Prevent addition of printers.

6. In the Prevent addition of printers Properties dialog box, click Enabled, and then click OK.

7. In the left pane, click Display, and then double-click Hide Screen Saver tab.

8. In the Hide Screen Saver tab Properties dialog box, click Enabled, and then click OK.

9. Close the Group Policy Management Editor.

Task 2: Create and link the Prohibit Control Panel GPO

1. Right-click WoodgroveBank.com, and then click Create a GPO in this domain, and Link it here.

2. In the New GPO dialog box, type Prohibit Control Panel in the Name field, and then click OK.

3. Right-click the Prohibit Control Panel, and then click Edit.

4. Expand User Configuration, expand Policies, expand Administrative Templates, click Control Panel, and then double-click Prohibit access to the Control Panel.

5. In the Prohibit access to the Control Panel Properties dialog box, click Enabled, and then click OK.


6. Close the Group Policy Management Editor.

7. Double-click the Prohibit Control Panel GPO, click the Delegation tab in the details pane, and then click Advanced.

8. In the Prohibit Control Panel Security Settings dialog box, select Domain Admins, select the Deny check box for the Apply group policy permission, and then click OK. Click Yes to acknowledge the message. This will exempt the Domain Admins group from the policy.

Task 3: Create and link the Force Offline File Encryption GPO

1. Right-click Executives OU, and then click Create a GPO in this domain, and Link it here.

2. In the New GPO dialog box, type Force Offline File Encryption in the Name field, and then click OK.

3. Right-click the Force Offline File Encryption, and then click Edit.

4. Expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click Offline Files.

5. In the detail pane, double-click Encrypt the Offline Files cache.

6. In the Encrypt the Offline Files cache Properties dialog box, click Enabled, and then click OK.

7. Close the Group Policy Management Editor.

Task 4: Create and link the Block Windows Messenger GPO

1. Right-click Miami OU, and then click Create a GPO in this domain, and Link it here.

2. In the New GPO dialog box, type Block Windows Messenger in the Name field, and then click OK.

3. Right-click the Block Windows Messenger, and then click Edit.

4. Expand User Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then double-click Windows Messenger.

5. In the details pane, double-click Do not allow Windows Messenger to be run.


6. In the Do not allow Windows Messenger to be run Properties dialog box, click Enabled, and then click OK.

7. Close the Group Policy Management Editor.

8. Right-click the Toronto OU, and then click Link an Existing GPO.

9. In the Select GPO dialog box, click Block Windows Messenger, and then click OK.

Task 5: Create and link the Allow Adding Printers GPO

1. Right-click IT Admins OU, and then click Create a GPO in this domain, and Link it here.

2. In the New GPO dialog box, type Allow Adding Printers in the Name field, and then click OK.

3. Right-click Allow Adding Printers, and then click Edit.

4. Expand User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then click Printers. In the details pane, double-click Prevent addition of printers.

5. In the Prevent addition of printers Properties dialog box, click Disabled, and then click OK.

6. Close the Group Policy Management Editor.

7. Close the Group Policy Management Console (GPMC).

Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6425A Lab Launcher.
