6419A-En Configuring Managing Maintaining Windows Server08 Servers-TrainerWorkbook Vol2

OFFICIAL MICROSOFT LEARNING PRODUCT 6419A Configuring, Managing and Maintaining Windows Server ® 2008 Servers Volume 2 Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Press, Active Directory, ActiveX, BitLocker, Excel, Hyper-V, Internet Explorer, MS, MSDN, PowerPoint, SharePoint, SQL Server, Visual Basic, Visual Studio, Win32, Windows, Windows Media, Windows NT, Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Product Number: 6419A

Part Number: X15-47115

Released: 02/2009

MICROSOFT LICENSE TERMS

OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION – Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft

• updates,

• supplements,

• Internet-based services, and

• support services

for this Licensed Content, unless other terms accompany those items. If so, those terms apply.

By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content.

If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.

b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.

d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.

e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or analog device.

f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.

g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.

h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.

i. “Student Content” means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.

j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.

k. “Trainer Content” means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.

l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

m. “Virtual Machine” means a virtualized computing experience, created and accessed using Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.

Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.

License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance with these license terms.

i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that

• becomes publicly known through no wrongful act;

• you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or

• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (“beta term”).

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers:

i. Software.

ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply:

Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply:

Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks:

You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:

• You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.

• You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.

• You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.

• You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.

• You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.

• You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.

• You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation Software” may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:

i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use

• You will not republish or post the Academic Materials on any network computer or broadcast in any media;

• You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:

Form of Notice:

© 2009 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved.

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not

• install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;

• allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;

• copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;

• disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;

• work around any technical limitations in the Licensed Content;

• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;

• make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;

• publish the Licensed Content for others to copy;

• transfer the Licensed Content, in whole or in part, to a third party;

• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;

• rent, lease or lend the Licensed Content; or

• use the Licensed Content for commercial hosting services or general business purposes.

• Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as “NFR” or “Not for Resale.”

10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as “Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

• anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and

• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

Note: Because this licensed content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content is offered “as is.” Any use of this licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can obtain from Microsoft and its suppliers compensation for direct damages only, up to U.S. $5.00. You cannot claim compensation for any other damages, including special, indirect or incidental damages and lost profits.

This limitation applies to:

• anything related to the licensed content, services, or content (including code) on third-party Internet sites or in third-party programs; and

• claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change your rights under the laws of your country if those laws do not permit it to do so.

Acknowledgement

Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Aaron Clutter – Lead Developer

Aaron Clutter has been developing and leading the development of content for Aeshen since 2002. He has a background as a Windows administrator and network engineer.

Michael Cassens – Content Developer

Michael Cassens is a Senior Content Developer at Aeshen and joined in 2006. He earned his MCSD and MCP+Site Building certifications in 2000 and a Masters in Computer Science in 2003. He has also worked as an independent software consultant and an Adjunct Professor at the University of Montana since 1998.

Sean Masters – Content Developer

Sean Masters joined Aeshen in 2007. He has worked in SMB technical operations for nearly 10 years including 4 years as manager of information technology at a property management firm and 4 years as a private consultant to various legal and financial firms in the New England area.

Valerie Lee – Content Developer

Valerie Lee joined Aeshen in 2006, and has gained extensive knowledge of Microsoft technologies by working on Microsoft TechNet Content, Webcasts, White Papers, and Microsoft Learning Courses. Prior to joining Aeshen, she worked as a consultant in positions providing desktop and network troubleshooting and training support.

Joel Barker – Content Developer

Joel Barker has been developing content for Microsoft server products for five years; prior to that he has held a variety of positions in the IT industry.

Philip Morgan – Subject Matter Expert

Philip Morgan is a Senior Product Analyst at Aeshen and joined the company in 2007. He has been an MCT since 1996 and has worked as a trainer, consultant, and network administrator helping people learn, implement, and use Microsoft products.

Conan Kezema – Technical Reviewer

Conan Kezema, MCSE, MCT is an educator, consultant, network systems architect, and author who specializes in Microsoft technologies.

Contents

Module 1: Introduction to Managing Microsoft Windows Server 2008 Environment

Lesson 1: Server Roles

Lesson 2: Overview of Active Directory

Lesson 3: Using Windows Server 2008 Administrative Tools

Lesson 4: Using Remote Desktop for Administration

Lab: Administering Windows Server 2008

Module 2: Creating Active Directory Domain Services User and Computer Objects

Lesson 1: Managing User Accounts

Lesson 2: Creating Computer Accounts

Lesson 3: Automating AD DS Object Management

Lesson 4: Using Queries to Locate Objects in AD DS

Lab: Creating AD DS User and Computer Accounts

Module 3: Creating Groups and Organizational Units

Lesson 1: Introduction to AD DS Groups

Lesson 2: Managing Groups

Lesson 3: Creating Organizational Units

Lab: Creating an OU Infrastructure

Module 4: Managing Access to Resources in Active Directory Domain Services

Lesson 1: Managing Access Overview

Lesson 2: Managing NTFS File and Folder Permissions

Lesson 3: Assigning Permissions to Shared Resources

Lesson 4: Determining Effective Permission

Lab: Managing Access to Resources

Page 14: 6419A-En Configuring Managing Maintaining Windows Server08 Servers-TrainerWorkbook Vol2

xiv Configuring, Managing and Maintaining Windows Server® 2008 Servers

Module 5: Configuring Active Directory Objects and Trusts

Lesson 1: Delegate Administrative Access to Active Directory Objects

Lab A: Configuring Active Directory Delegation

Lesson 2: Configure Active Directory Trusts

Lab B: Configuring Active Directory Trusts

Module 6: Creating and Configuring Group Policy

Lesson 1: Overview of Group Policy

Lesson 2: Configuring the Scope of Group Policy Objects

Lesson 3: Evaluating the Application of Group Policy Objects

Lesson 4: Managing Group Policy Objects

Lesson 5: Delegating Administrative Control of Group Policy

Lab A: Creating and Configuring GPOs

Lab B: Verifying and Managing GPOs

Module 7: Configure User and Computer Environments By Using Group Policy

Lesson 1: Configuring Group Policy Settings

Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy

Lab A: Configuring Logon Scripts and Folder Redirection Using Group Policy

Lesson 3: Configuring Administrative Templates

Lab B: Configuring Administrative Templates

Lesson 4: Deploying Software Using Group Policy

Lab C: Deploying Software with Group Policy

Lesson 5: Configuring Group Policy Preferences

Lab D: Configuring Group Policy Preferences

Lesson 6: Introduction to Group Policy Troubleshooting

Lesson 7: Troubleshooting Group Policy Application

Lesson 8: Troubleshooting Group Policy Settings

Lab E: Troubleshooting Group Policy Issues

Module 8: Implementing Security Using Group Policy

Lesson 1: Configuring Security Policies

Lesson 2: Implementing Fine-Grained Password Policies

Lab A: Implementing Security Using Group Policy

Lesson 3: Restricting Group Membership and Access to Software

Lesson 4: Managing Security Using Security Templates

Lab B: Configuring and Verifying Security Policies

Module 9: Configuring Server Security Compliance

Lesson 1: Securing a Windows Infrastructure

Lesson 2: Overview of EFS

Lesson 3: Configuring an Audit Policy

Lesson 4: Overview of Windows Server Update Services (WSUS)

Lesson 5: Managing WSUS

Lab: Manage Server Security

Module 10: Configuring and Managing Storage Technologies

Lesson 1: Windows Server 2008 Storage Management Overview

Lesson 2: Managing Storage Using File Server Resource Manager

Lab A: Installing the FSRM Role Service

Lesson 3: Configuring Quota Management

Lab B: Configuring Storage Quotas

Lesson 4: Implementing File Screening

Lab C: Configuring File Screening

Lesson 5: Managing Storage Reports

Lab D: Generating Storage Reports

Lesson 6: Understanding Storage Area Networks

Module 11: Configuring and Managing Distributed File System

Lesson 1: Distributed File System (DFS) Overview

Lesson 2: Configuring DFS Namespaces

Lab A: Installing the Distributed File System Role Service and Creating a DFS Namespace

Lesson 3: Configuring DFS Replication

Lab B: Configuring Folder Targets and Viewing Diagnostic Reports

Module 12: Configuring Network Access Protection

Lesson 1: Overview of Network Access Protection

Lesson 2: How NAP Works

Lesson 3: Configuring NAP

Lesson 4: Monitoring and Troubleshooting NAP

Lab: Configuring NAP for DHCP and VPN

Module 13: Configuring Availability of Network Content and Resources

Lesson 1: Configuring Shadow Copies

Lab A: Configuring Shadow Copying

Lesson 2: Providing Server and Service Availability

Lab B: Configuring Network Load Balancing

Module 14: Monitoring and Maintaining Windows Server 2008 Servers

Lesson 1: Planning Monitoring Tasks

Lesson 2: Calculating a Server Baseline

Lesson 3: Measuring Performance Objects

Lab A: Identifying Windows Server 2008 Monitoring Requirements

Lesson 4: Selecting Appropriate Monitoring Tools

Lesson 5: Planning Notification Methods

Lesson 6: Overview of Windows Server 2008 Management Tasks

Lesson 7: Automating Windows Server 2008 Management

Lab B: Configuring Windows Server 2008 Monitoring

Module 15: Managing Windows Server 2008 Backup and Restore

Lesson 1: Planning Backups with Windows Server 2008

Lesson 2: Planning Backup Policy on Windows Server 2008

Lesson 3: Planning a Server Restore Policy

Lesson 4: Planning an EFS Restore Policy

Lesson 5: Troubleshooting Windows Server 2008 Startup

Lab A: Planning Windows Server 2008 Backup Policy

Lab B: Planning Windows Server 2008 Restore

Lab Answer Keys

MCT USE ONLY. STUDENT USE PROHIBITED

Module 1: Introduction to Managing Windows Server 2008 Environment

Lab: Administering Windows Server 2008

Exercise 1: Install the DNS Server Role

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.

2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.

4. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.

5. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

6. Log on to NYC-SVR1 as NYC-SVR1\Administrator with the password Pa$$w0rd.

7. Log on to NYC-CL1 as NYC-CL1\LocalAdmin with the password Pa$$w0rd.

8. Minimize the Lab Launcher window.

Task 2: Install the DNS Server role

1. On NYC-SVR1, click Start and then click Server Manager.

2. The Server Manager window opens. In the console pane, click Roles.

3. In the details pane, click Add Roles.

4. The Add Roles Wizard appears. Click Next.

5. On the Server Roles page, select DNS Server and then click Next.

6. On the DNS Server page, click Next.

7. On the Confirmation page, click Install.

8. Allow the role installation to complete.

9. On the Results page, click Close.

10. Close Server Manager.

Task 3: Verify domain membership

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console pane, click Computers.

3. Notice that NYC-SVR1 exists here. Member server computer accounts are added to the Computers container by default.

4. Close Active Directory Users and Computers.

5. On NYC-SVR1, click Start, and click Server Manager.

6. In the console pane, expand Configuration, expand Local Users and Groups, and then click Groups.

7. Double-click Administrators.

Note: Notice that WOODGROVEBANK\Domain Admins is a member of this group because this server is joined to the domain.

8. Click Cancel and close Server Manager.

Results: After this exercise, you should have successfully installed the DNS Server role and successfully verified domain membership.

Exercise 2: Configuring Remote Desktop for Administration

Task 1: Enable Remote Desktop for Administration

1. On NYC-SVR1, click Start, right-click Computer, and then click Properties.

2. Under Tasks, click Remote settings.

3. In the System Properties dialog box, select Allow connections from computers running Remote Desktop with Network Level Authentication (more secure).

4. A confirmation dialog box appears. Click OK.

Task 2: Grant Axel Delgado access to Remote Desktop for Administration on NYC-SVR1

1. In the System Properties dialog box, click Select Users.

2. In the Remote Desktop Users dialog box, click Add, type Axel Delgado, click Check Names, and then click OK.

3. Click OK to close the Remote Desktop Users dialog box.

4. Click OK to close the System Properties dialog box.

5. Close the System window.

Task 3: Configure security for Remote Desktop for Administration

1. On NYC-SVR1, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.

2. In the details pane, right-click RDP-Tcp and click Properties.

3. In the Security layer list, click SSL (TLS 1.0).

4. In the Encryption level list, click High.

5. Verify that Allow connections only from computers running Remote Desktop with Network Level Authentication is selected.

6. Click OK to save the changes.

7. Close Terminal Services Configuration.

Task 4: Give Axel Delgado rights to run Reliability and Performance Monitor

1. On NYC-SVR1, click Start, and then click Server Manager.

2. In the console pane, expand Configuration, expand Local Users and Groups, and then click Groups.

3. Double-click Performance Log Users.

4. In the Performance Log Users Properties window, click Add, type Axel Delgado, click Check Names, and then click OK.

5. Click OK to close the Performance Log Users Properties window.

6. Close Server Manager.

Task 5: Verify Remote Desktop for Administration Functionality

1. On NYC-CL1, click Start, point to All Programs, click Accessories, and then click Remote Desktop Connection.

2. In the Computer field, type NYC-SVR1.woodgrovebank.com, and then click Connect.

3. In the User name field, type woodgrovebank\Axel.

4. In the Password box, type Pa$$w0rd, and then click OK.

5. In the Remote Desktop Connection window, click Start, point to Administrative Tools, and then click Reliability and Performance Monitor.

Note: Notice that there is no data in the Resource Overview screen because Axel Delgado is not a local Administrator.

6. In the console pane, click Performance Monitor.

7. Notice that Axel Delgado is able to use Performance Monitor to view server statistics. By default, % Processor Time is listed.

8. Close Reliability and Performance Monitor.

9. Log off NYC-SVR1 in Remote Desktop.

Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

3. Close the 6419A Lab Launcher.

Results: After this exercise, you should have successfully used Axel Delgado's account to remotely access NYC-SVR1 and run Reliability and Performance Monitor.

Module 2: Creating AD DS User and Computer Accounts

Lab: Creating AD DS User and Computer Accounts

Exercise 1: Creating and Configuring User Accounts

Task 1: Start the virtual machines, and then log on

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.

3. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create a new user account

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console pane, expand WoodgroveBank.com, right-click the ITAdmins OU, point to New, and then click User.

3. In the New Object – User dialog box, enter the following information:

a. First name: Kerim

b. Last name: Hanif

c. Full name: Kerim Hanif

d. User logon name: Kerim

4. Click Next.

5. In the Password and Confirm password fields, type Pa$$w0rd.

6. Verify that the User must change password at next logon check box is selected.

7. Click Next, and then click Finish.

8. On NYC-CL1, test the user account that you just created by logging on to NYC-CL1 as WOODGROVEBANK\Kerim with the password of Pa$$w0rd.

9. When prompted, click OK, type Pa$$w0rd1 as the new password, type Pa$$w0rd1 in the Confirm password field, click the right arrow button, and then click OK.

10. Log off from NYC-CL1.

Task 3: Modify Kerim Hanif’s user account properties

1. On NYC-DC1, in Active Directory Users and Computers, in the details pane, right-click Kerim Hanif, and then click Properties.

2. Modify the user properties as follows:

a. On the General tab, enter the following information:

i. Office: Downtown

ii. Telephone number: 204-555-0100

iii. E-mail: [email protected]

b. On the Dial-in tab, under Network Access Permission, click Allow access.

c. On the Account tab, click Logon Hours. Configure logon hours to be permitted Monday through Friday between 8:00 A.M. and 5:00 P.M., and then click OK.

d. On the Member Of tab, click Add.

e. In the Select Groups dialog box, type ITAdmins_WoodgroveGG, and then click OK twice.

Task 4: Create a template for the New York Customer Service department

1. On NYC-DC1, in Active Directory Users and Computers, click on the NYC OU, and then expand the CustomerService OU.

2. In the CustomerService OU, create and configure a user account with the property settings in the following table:

| Property | Value |
|---|---|
| First name | CustomerService |
| Last name | Template |
| Full name | CustomerService Template |
| User logon name | _CustomerServiceTemplate |
| Password | Pa$$w0rd |
| Account is disabled | Selected |
| User must change password at next logon | Selected |
| Description | Customer Service Representative |
| Office | New York Main Office |
| Member Of | NYC_CustomerServiceGG |
| Department | Customer Service |
| Logon Hours | 6:00 A.M – 6:00 P.M. Monday to Friday |

Task 5: Create a new user account based on the customer service template

1. Right-click the CustomerService Template user, and then click Copy.

2. In the Copy Object – User dialog box, enter the following information:

a. First Name: Sunil

b. Last Name: Koduri

c. User Logon Name: Sunil

3. Click Next.

4. In the Password and Confirm Password fields, type Pa$$w0rd and then click OK.

5. Click Next, and then click Finish.

6. Right-click Sunil Koduri, and then click Enable Account. Click OK.

7. Double-click Sunil Koduri, and verify that the group membership and logon hours are correct. Review the settings on the General and Organization tabs.

Question: What values did not transfer from the template?

Answer: The Description and Office attributes.

Task 6: Modify the user account properties for all customer service representatives in New York

1. Select the top user in the details pane, hold SHIFT, and then click the last user in the details pane.

2. Hold CTRL, and then click NYC_CustomerServiceGG.

3. Right-click the highlighted user accounts, and then click Properties.

4. On the General tab, select the appropriate check boxes, and enter the following information:

a. Description: Customer Service Representative

b. Office: New York Main Office

5. On the Organization tab, select the Department checkbox, enter Customer Service, and then click OK.

6. Double-click Eli Bowen, and verify that the Description, Office, and Department attributes have been updated. Click OK.

Task 7: Modify the user account properties for all Branch Managers

1. On NYC-DC1, in Active Directory Users and Computers, right-click WoodgroveBank.com, and then click Find.

2. In the Find Users, Contacts, and Groups dialog box, click the Advanced tab.

3. Click Field, point to User, and then click Job Title.

4. In the Condition list, click Is (exactly), and in the Value field, type Branch Manager.

5. Click Add, and then click Find Now.

6. Select all of the user accounts in the Search Results, right-click the highlighted user accounts, and then click Add to a group.

7. In the Select Groups dialog box, type BranchManagersGG, and then click OK twice.

8. Close the Find Users, Contacts, and Groups dialog box.

Task 8: Create a saved query to find all investment users

1. In Active Directory Users and Computers, right-click the Saved Queries folder, point to New, and then click Query.

2. In the New Query dialog box, in the Name field, type Find Investment Users.

3. Click Define Query.

4. In the Find list, click Users, Contacts and Groups.

5. Click the Advanced tab.

6. Click Field, point to User and then click Department.

7. In the Condition list, verify that Starts with is selected, and in the Value field, type Investments.

8. Click Add, and then click OK twice.

9. Under Saved Queries, click Find Investment Users.

10. The query should display all the users in the Investment departments in each city.

Results: At the end of this exercise you will have created and configured user accounts; created a template and a user account based on the template; and created a saved query and verified its ability to return expected search results.

Exercise 2: Creating and Configuring Computer Accounts

Task 1: Create a computer account by using Active Directory Users and Computers

1. On NYC-DC1, in Active Directory Users and Computers, right-click Computers, point to New, and then click Computer.

2. In the New Object-Computer dialog box, in the Computer name field, type Vista1.

3. Click Change.

4. In the Select User or Group dialog box, type Doris, click Check Names, and then click OK twice.

Task 2: Delete a computer account in AD DS

1. On NYC-DC1, in Active Directory Users and Computers, click Computers.

2. Right-click NYC-CL1, and then click Delete.

3. In the Active Directory Users and Computers dialog box, click Yes.

4. On NYC-CL1, press the right ALT key and DELETE. Click Switch User.

5. Click Other User, then log on as Axel with the password of Pa$$w0rd.

6. Press ENTER, read the error message, and then click OK.

Task 3: Join a computer to an AD DS domain

1. Log in as NYC-CL1\LocalAdmin with a password of Pa$$w0rd.

2. Click Start, right-click Computer, and then click Properties.

3. In the System control panel, click Change settings. In the User Account Control dialog box, click Continue.

4. On the Computer Name tab, click Change.

5. In the Computer Name/Domain Changes dialog box, for Computer name, type NYC-CL3.

6. Under Member of, click Workgroup, and then type WORKGROUP. Click OK.

7. In the Windows Security dialog box, in the User name field, type Administrator and in the Password field, type Pa$$w0rd.

8. Click OK twice.

9. In Computer Name/Domain Changes dialog box, click OK twice, and then click Close.

10. Click Restart Now.

11. After the computer restarts, log in as LocalAdmin with a password of Pa$$w0rd.

12. Click Start, right-click Computer, and then click Properties.

13. In the System control panel, click Change settings.

14. In the User Account Control dialog box, click Continue.

15. On the Computer Name tab, click Change.

16. In the Computer Name/Domain Changes dialog box, under Member of, click Domain, and then type WoodgroveBank.com. Click OK.

17. In the Windows Security dialog box, in the User name field, type Administrator and in the Password field, type Pa$$w0rd.

18. Click OK twice.

19. In the Computer Name/Domain Changes dialog box, click OK twice, and then click Close.

20. Click Restart Now.

21. On NYC-DC1, in Active Directory Users and Computers, click Computers or press F5 to refresh the view. Verify that the NYC-CL3 account has been added to the container object.

22. After NYC-CL3 restarts, verify that you can log on as WoodgroveBank\Axel with a password of Pa$$w0rd.

Results: At the end of this exercise you will have created and configured computer accounts, deleted a computer account, and joined a computer to an AD DS domain.

Exercise 3: Automating Management of AD DS Objects

Task 1: Modify and use the Importusers.csv file to prepare to import a group of users into AD DS

1. On NYC-DC1, open Windows Explorer, and then browse to E:\Mod02\Labfiles\.

2. Open ImportUsers.csv with Notepad. Examine the header information required to create OUs and user accounts and leave this file open.

3. Open ImportUsers.txt with Notepad.

4. Select all text in ImportUsers.txt, and then copy and paste the contents into the ImportUsers.csv file, under the first line of text.

5. On the File menu, click Save As, and then type C:\import.csv. In the Save as type list, click All Files (*.*).

6. Click Save to save the file.

7. Close both Notepad windows.

8. Click Start, and then click Command Prompt.

9. Type CSVDE -I -F C:\import.csv and then press ENTER.

10. Open Active Directory Users and Computers, and then browse to the Houston OU. Confirm that five child OUs were created, and that several user accounts were created in each OU.

Task 2: Modify and run the ActivateUser.vbs script to enable the imported user accounts, and then assign a password to each account

1. On NYC-DC1, in E:\Mod02\Labfiles, right-click Activateusers.vbs, and then click Edit.

2. Modify the container value in the second line to read OU=BranchManagers,OU=Houston,DC=WoodgroveBank,DC=com.

3. Modify the container values in the additional lines at the end of the script to include the following OUs:

• OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com

• OU=Investments,OU=Houston,DC=WoodgroveBank,DC=com

• OU=Executives,OU=Houston,DC=WoodgroveBank,DC=com

• OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com

4. On the File menu, click Save As, and then type C:\activateusers.vbs. In the Save as type list, click All Files (*.*).

5. Click Save to save the file.

6. Close Notepad.

7. In Command Prompt, type Cscript C:\ActivateUsers.vbs and then press ENTER.

8. In Active Directory Users and Computers, browse to the Houston OU. Confirm that user accounts in all child OUs are enabled.

Note: There is no confirmation when the script is complete.

Task 3: Modify the Modifyusers.ldf file to prepare to modify the properties for a group of users in AD DS

1. On NYC-DC1, at the command prompt, type LDIFDE -f c:\Modifyusers.ldf -d "OU=Houston,DC=WoodgroveBank,DC=com" -r "objectClass=user" -l physicalDeliveryOfficeName and then press ENTER.

This command exports all of the user accounts in the Houston and child OUs. Because the Office attribute is blank for each object, the attribute is not exported.

2. Type Notepad C:\Modifyusers.ldf and then press ENTER.

3. On the Edit menu, click Replace.

4. In the Find what field, type changetype: add and in the Replace with field, type changetype: modify and then click Replace All.

5. Click Cancel.

6. Under each changetype line, add the following lines:

    replace: physicalDeliveryOfficeName
    physicalDeliveryOfficeName: Houston

7. At the end of the entry for each user, add a dash (-) followed by a blank line.

8. When you are done, the entry for each user should be similar to:

    dn: CN=Dieter Massalsky,OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com
    changetype: modify
    replace: physicalDeliveryOfficeName
    physicalDeliveryOfficeName: Houston
    -

9. On the File menu, click Save and then close Notepad.

10. At the command prompt, type LDIFDE -I -f c:\Modifyusers.ldf, and then press ENTER.

11. In Active Directory Users and Computers, in the ITAdmins OU under the Houston OU, double-click Dieter Massalsky.

12. Verify that the Office attribute for the user accounts in Houston has been updated with the Houston location.
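
The Notepad edits in steps 3 through 8 of this task can also be done by a script. The following is an added example, not part of the courseware or its lab files: it rewrites an LDIFDE export into modify records of the form shown in step 8. The function names and the second sample entry are assumptions made here, and the script goes beyond the lab text by handling folded lines and values that RFC 2849 requires to be base64-encoded.

```python
import base64

# LDAP name of the Office field, as used in step 6 of the task.
ATTRIBUTE = "physicalDeliveryOfficeName"

# Constructed sample of the step 1 export: only dn and changetype lines, since
# the Office attribute is still blank. The first DN is the one quoted in
# step 8; the second entry is invented to show a folded (wrapped) line.
SAMPLE_EXPORT = (
    "dn: CN=Dieter Massalsky,OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com\r\n"
    "changetype: add\r\n"
    "\r\n"
    "dn: CN=Constructed Example User,OU=CustomerService,OU=Houston,DC=Woodgrov\r\n"
    " eBank,DC=com\r\n"
    "changetype: add\r\n"
    "\r\n"
)


def unfold(text):
    """Return logical LDIF lines: continuation lines (leading space) are
    joined to the previous line and '#' comment lines are dropped."""
    lines = []
    in_comment = False
    for raw in text.splitlines():
        if raw.startswith(" "):
            if not in_comment and lines and lines[-1]:
                lines[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            lines.append(raw)
    return lines


def records(lines):
    """Group logical lines into records separated by blank lines."""
    current = []
    for line in lines:
        if line.strip():
            current.append(line)
        elif current:
            yield current
            current = []
    if current:
        yield current


def encode_value(attr, value):
    """Format 'attr: value', switching to 'attr:: <base64>' when RFC 2849
    does not allow the value as plain text."""
    if value == "":
        raise ValueError("an empty replacement value is not supported here")
    data = value.encode("utf-8")
    plain = (
        all(b < 128 and b not in (0, 10, 13) for b in data)
        and value[0] not in " :<"
        and not value.endswith(" ")
    )
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(data).decode('ascii')}"


def to_modify(export_text, value, attr=ATTRIBUTE):
    """Rewrite every exported 'changetype: add' entry as a modify record
    that replaces attr with value. Other exported attributes are dropped."""
    out = []
    for rec in records(unfold(export_text)):
        fields = [f for f in rec if not f.lower().startswith("version:")]
        if not fields:
            continue
        dn = fields[0]  # kept verbatim, including the base64 'dn::' form
        if not dn.lower().startswith("dn:"):
            raise ValueError(f"record does not start with a dn line: {dn!r}")
        for field in fields[1:]:
            name, _, rest = field.partition(":")
            # Only the exported 'add' records are expected; anything else
            # (delete, modrdn, ...) is refused rather than silently rewritten.
            if name.lower() == "changetype" and rest.strip().lower() != "add":
                raise ValueError(f"refusing to rewrite {field!r} for {dn!r}")
        out += [dn, "changetype: modify", f"replace: {attr}",
                encode_value(attr, value), "-", ""]
    return "\n".join(out) + "\n" if out else ""


if __name__ == "__main__":
    print(to_modify(SAMPLE_EXPORT, "Houston"), end="")
```

Reviewing the generated file before running the import in step 10 shows exactly which distinguished names will be changed.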

Task 4: Run the CreateUser.ps1 script to add new users to AD DS

1. On NYC-DC1, in E:\Mod02\Labfiles, right-click CreateUser.ps1, and then click Edit.

2. Under #Assign the location where the user account will be created, note the entry $objADSI = [ADSI]"LDAP://ou=ITAdmins,DC=WoodgroveBank,DC=com".

3. Close Notepad.

4. Select Start | All Programs | Windows PowerShell 1.0, and then click Windows PowerShell.

5. Type Set-ExecutionPolicy AllSigned and then press ENTER.

6. Type E:\Mod02\Labfiles\CreateUser.ps1, and then press ENTER.

7. When the prompt appears, press R and then press ENTER.

8. In Active Directory Users and Computers, in the ITAdmins OU, verify that the user Jesper has been created.

Task 5: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

3. Close the 6419A Lab Launcher.

Results: At the end of this exercise you will have examined several options for automating the management of user objects.

Module 3: Creating Groups and Organizational Units

Lab: Creating an Organizational Unit Infrastructure

Exercise 1: Creating AD DS Groups

Task 1: Start the virtual machines, and then log on

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.

3. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create three groups using Active Directory Users and Computers

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console pane, expand WoodgroveBank.com, right-click Users, point to New, and then click Group.

3. In the New Object – Group dialog box, add the following information into the appropriate fields:

• Group name: VAN_BranchManagersGG

• Scope: Global

• Type: Security

4. Click OK.

5. Repeat the previous two steps to create two more groups that have the same scope and type named:

• VAN_CustomerServiceGG

• VAN_InvestmentsGG

Task 3: Create a group using the Dsadd command-line tool

1. On NYC-DC1, click Start, and then click Command Prompt.

2. At the command prompt, type dsadd group "cn=VAN_MarketingGG,cn=Users,dc=WoodgroveBank,dc=com" -samid VAN_MarketingGG -secgrp yes -scope g and then press ENTER.

3. The command line will display either of the following messages:

a. “dsadd failed…”: If you receive this error, carefully type the command again.

b. “dsadd succeeded…”: If you receive this message, type exit, and then press ENTER to close the command line window.

4. Click the Users OU.

5. In Active Directory Users and Computers, under WoodgroveBank.com, right-click Users, and then click Refresh.

6. Note the presence of the VAN_MarketingGG as well as the other Vancouver groups inside the Users container.

Task 4: Add members to the new groups

1. In Active Directory Users and Computers, right-click WoodgroveBank.com, and then click Find.

2. In the Find Users, Contacts, and Groups dialog box, type Neville and then click Find Now.

3. In the Search results pane, right-click Neville Burdan, and then click Add to a group.

4. In the Select Groups dialog box, type VAN_BranchManagersGG, and then click OK twice.

5. Repeat the previous three steps, adding the users found in the following table to their corresponding groups:

| Find | Add to group |
|---|---|
| Suchitra Mohan | VAN_BranchManagersGG |
| Anton Kirilov | VAN_CustomerServiceGG |
| Shelley Dyck | VAN_CustomerServiceGG |
| Barbara Moreland | VAN_InvestmentsGG |
| Nate Sun | VAN_InvestmentsGG |
| Yvonne McKay | VAN_MarketingGG |
| Monika Buschmann | VAN_MarketingGG |
| Bernard Duerr | VAN_MarketingGG |

Task 5: Inspect the contents of the Vancouver groups

1. In Active Directory Users and Computers, in the Users container, right-click VAN_BranchManagersGG, and then click Properties.

2. In the VAN_BranchManagersGG Properties dialog box, click the Members tab, and verify that Neville Burdan and Suchitra Mohan are now members.

3. Click Cancel, and then close Active Directory Users and Computers.

Results: At the end of this exercise you will have created three new groups by using Active Directory Users and Computers and you will have created one group by using Dsadd. You also will have added users to the groups and inspected the results.
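Exercise 1 can also be carried out entirely with the DS command-line tools. The batch file below is an added example, not part of the workbook; it assumes each user's cn equals the name shown in the table in Task 4, and it refuses to add a member when a name lookup returns anything other than exactly one account.

```bat
@echo off
rem Added example, not part of the workbook: Exercise 1 with dsadd, dsquery, dsmod and dsget.
rem Assumption: each user's cn equals the name shown in the lab table.
setlocal
set "USERS=cn=Users,dc=WoodgroveBank,dc=com"
set "GROUPS=VAN_BranchManagersGG VAN_CustomerServiceGG VAN_InvestmentsGG VAN_MarketingGG"

rem Tasks 1-3: create the four global security groups in the Users container.
for %%G in (%GROUPS%) do (
    dsadd group "cn=%%G,%USERS%" -samid %%G -secgrp yes -scope g
)

rem Task 4: add each user from the table to the matching group.
call :AddMember "Neville Burdan"   VAN_BranchManagersGG
call :AddMember "Suchitra Mohan"   VAN_BranchManagersGG
call :AddMember "Anton Kirilov"    VAN_CustomerServiceGG
call :AddMember "Shelley Dyck"     VAN_CustomerServiceGG
call :AddMember "Barbara Moreland" VAN_InvestmentsGG
call :AddMember "Nate Sun"         VAN_InvestmentsGG
call :AddMember "Yvonne McKay"     VAN_MarketingGG
call :AddMember "Monika Buschmann" VAN_MarketingGG
call :AddMember "Bernard Duerr"    VAN_MarketingGG

rem Task 5: list the members of every group for review.
for %%G in (%GROUPS%) do (
    echo --- %%G
    dsget group "cn=%%G,%USERS%" -members
)
endlocal
goto :eof

:AddMember
rem %~1 = user name to look up, %2 = group name.
set "DN="
set /a HITS=0
for /f "delims=" %%D in ('dsquery user domainroot -name "%~1"') do (
    set "DN=%%D"
    set /a HITS+=1
)
rem A security group must only receive the intended account: skip on 0 or 2+ matches.
if not "%HITS%"=="1" (
    echo SKIPPED "%~1": %HITS% matching accounts, expected exactly 1.
    goto :eof
)
dsmod group "cn=%2,%USERS%" -addmbr %DN%
goto :eof
```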

Exercise 2: Planning an OU Hierarchy (Discussion)

Here are possible answers for the discussion questions.

Scenario

A new subsidiary of Woodgrove Bank is located in Vancouver, Canada. It will have the following departments:

• Management

• Customer Service

• Marketing

• Investments

The organizational unit (OU) hierarchy has to support delegation of administrative tasks to users within that organizational unit.

Discussion questions:

1. Which approach to extending the organizational hierarchy of WoodgroveBank.com is most likely to be applied in creating the new subsidiary’s resources: Geographic, Organizational, or Functional? Why?

Answer: The Geographical approach to naming top level OUs (those that already exist within the domain hierarchy) should be extended in order to keep that logic. Geographic naming and organization is permanent, allows for future expansion, and its name easily identifies its functionality.

2. What would be the most logical way to further subdivide the subsidiary’s organizational unit: Geographic, Organizational, or Functional?

Answer: Four new OUs inside the Vancouver OU that are based on the organization’s departments would best support the operations of the new subsidiary. Organizations can use these OUs to handle groupings of similar user, computer, and other AD DS resources, according to their similarities. This also supports the need to delegate administrative roles over those resources, as somebody within each group will be able to respond to most needs in a timely manner.

3. What does the pattern of naming second level OUs in other centers suggest for the new Vancouver OU?

Answer: The naming convention being applied consistently to upper level OUs across the AD DS recognizes the company’s geographic divisions. Second level OUs at each location match the organizational divisions in those locations. Therefore, the new subsidiary should name its second level OUs as: Managers, Customer Support, Marketing, and Investment.

4. What would be a simple but effective way of delegating administrative tasks (including adding users and computers to the domain, and changing user properties such as password resets and employee contact details) to certain users within a department?

Answer: You can use the “Delegation of control” wizard to delegate administrative rights at the OU level. Both users and groups can be added to the delegation list. Additionally, you can use a list of rights to customize administrative capabilities.

Results: At the end of this exercise you will have discussed and determined how to plan an OU hierarchy.

Exercise 3: Creating an OU Hierarchy

Task 1: Create OUs using Active Directory Users and Computers

1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. In the console pane, right-click WoodgroveBank.com, point to New, and then click Organizational Unit.

3. In the New Object – Organizational Unit dialog box, type Vancouver.

4. Verify that the Protect container from accidental deletion check box is selected, and then click OK.

5. Right-click Vancouver OU, point to New, and then click Organizational Unit.

6. In the New Object – Organizational Unit dialog box, type BranchManagers, and then click OK.

7. Repeat the previous two steps to create two more OUs named:

• CustomerService

• Marketing

Task 2: Create an OU using Dsadd

1. On NYC-DC1, click Start, and then click Command Prompt.

2. At the command prompt, type dsadd ou "ou=Investments,dc=WoodgroveBank,dc=com" -desc "Investment department" -d WoodgroveBank.com -u Administrator -p Pa$$w0rd and then press ENTER.

3. In Active Directory Users and Computers, right-click WoodgroveBank.com, and then click Refresh.

4. Note the presence of the new Investments OU.

Task 3: Nest an OU inside another OU

1. In Active Directory Users and Computers, right-click Investments, and then click Move.

2. In the Move dialog box, click Vancouver, and then click OK.

Task 4: Move groups that you created in Exercise 1 into the appropriate OUs

1. In Active Directory Users and Groups, click Users, and note the groups that you created in Exercise 1.

2. Move the following groups into the following Vancouver OUs (see methods later in this section):

• VAN_BranchManagersGG group to Vancouver\BranchManagers OU

• VAN_CustomerServiceGG group to Vancouver\CustomerService OU

• VAN_InvestmentsGG group to Vancouver\Investments OU

• VAN_MarketingGG group to Vancouver\Marketing OU

• You may select any of the following methods to move these groups:

a. Drag the group into the appropriate Vancouver OU object. When the AD DS warning appears, click Yes.

b. Use Cut and Paste to move the group into the appropriate Vancouver OU:

i. Right-click the group, and then click Cut.

ii. Locate and expand the Vancouver OU.

iii. Right-click the appropriate subordinate OU, and then click Paste.

iv. When the AD DS warning appears, click Yes.

c. Use the Move command to move the group into the appropriate Vancouver OU:

i. Right-click the group, and then click Move.

ii. In the Move object into container dialog box, expand the Vancouver OU.

iii. Click the appropriate subordinate OU, and then click OK.

Task 5: Find and move users into Vancouver OUs

Use Active Directory Users and Computers to find and move the following users into the OUs noted next to their names:

Find | Move to Vancouver OU
Neville Burdan | BranchManagers
Suchitra Mohan | BranchManagers
Anton Kirilov | CustomerService
Shelley Dyck | CustomerService
Barbara Moreland | Investments
Nate Sun | Investments
Yvonne McKay | Marketing
Monika Buschmann | Marketing
Bernard Duerr | Marketing

1. Right-click WoodgroveBank domain, and then click Find.

2. In the Find Users, Contacts, and Groups dialog box, type Neville, and then click Find Now.

3. In the Search results pane, right-click Neville Burdan, and then click Move.

4. In the Move dialog box, expand Vancouver, click BranchManagers, and then click OK.

5. Repeat the previous three steps for each name in the chart and then close the Find Users, Contacts, and Groups dialog box.

Task 6: Delegate control over an OU

1. In Active Directory Users and Computers, in the Vancouver OU, right-click Marketing, and then click Delegate control.

2. In the Delegation of Control Wizard, click Next.

3. On the Users or Groups page, click Add.

4. In the Select Users, Computers, or Groups dialog box, type Yvonne, and then click OK.

5. Click Next.

6. On the Tasks to Delegate page, select the check boxes next to the following common tasks:

• Create, delete, and manage user accounts

• Reset user passwords and force password change at next logon

• Create, delete and manage groups

• Modify the membership of a group

7. Click Next.

8. On the Completing the Delegation of Control Wizard page, click Finish.

Task 7: Test delegated user rights

1. Log on to NYC-SVR1 as WOODGROVEBANK\Yvonne with the password Pa$$w0rd.

2. Click Start, right-click Server Manager, and then click Run as administrator.

3. In the User Account Control dialog box, in the User name field, type Administrator, and in the Password field, type Pa$$w0rd, and then click OK.

4. In the console tree, right-click Features, and then click Add Features.

5. In the Add Features Wizard, expand Remote Server Administration Tools, expand Role Administration Tools, and then select the Active Directory Domain Services Tools check box.

6. Click Next, and then click Install.

7. When the installation is complete, click Close, and then click Yes to restart the computer.

8. Log on to NYC-SVR1 as WOODGROVEBANK\Yvonne with the password Pa$$w0rd.

9. Click Start, right-click Server Manager and then click Run as administrator.

10. In the User Account Control dialog box, in the User name field, type Administrator, and in the Password field, type Pa$$w0rd, and then click OK.

11. Wait for the installation to finish, and then click Close.

12. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

13. In the console pane, right-click WoodgroveBank.com, and then click Find.

14. In the Find Users, Contacts, and Groups dialog box, type Monika, and then click Find Now.

15. In the Search results pane, right-click Monika Buschmann, and then click Reset Password.

16. In the Reset Password dialog box, in the New password and Confirm password fields, type Pa$$w0rd and then click OK.

17. In the Active Directory Domain Services dialog box, click OK.

Note: This message indicates that Yvonne McKay’s account has the authorization to reset passwords of fellow users in the Marketing OU.

18. Close the Find Users, Contacts, and Groups dialog box.

19. In the console pane, expand WoodgroveBank.com, expand Miami, and then click BranchManagers.

20. In the details pane, right-click William Vong, and then click Move.

21. In the Move dialog box, expand Vancouver.

22. Click Marketing, and then click OK.

23. In the Active Directory Domain Services dialog box, click OK.

Note: This warning appears because user Yvonne McKay does not have delegated control over the Miami OU.

Task 8: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

3. Close the 6419A Lab Launcher.

Results: At the end of this exercise you will have created OUs by using Active Directory Users and Computers and Dsadd. You also will have delegated and tested administrative permissions.
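Tasks 1 through 4 of this exercise can be scripted with dsadd, dsmove and dsacls. The batch file below is an added example, not part of the workbook; it uses -p * so that dsadd prompts for the password instead of taking it on the command line, and it assumes that the deny entry written with dsacls is the command-line counterpart of the Protect container from accidental deletion check box.

```bat
@echo off
rem Added example, not part of the workbook: Exercise 3, Tasks 1-4, from the command prompt.
setlocal
set "DOM=dc=WoodgroveBank,dc=com"
set "VAN=ou=Vancouver,%DOM%"

rem Task 1: the Vancouver OU and three department OUs beneath it.
dsadd ou "%VAN%"
for %%O in (BranchManagers CustomerService Marketing) do dsadd ou "ou=%%O,%VAN%"

rem Task 2: Investments is created at the domain root, as in the lab.
rem "-p *" makes dsadd prompt for the password, so it never appears on the command line.
dsadd ou "ou=Investments,%DOM%" -desc "Investment department" -d WoodgroveBank.com -u Administrator -p *

rem Task 3: nest Investments under Vancouver.
dsmove "ou=Investments,%DOM%" -newparent "%VAN%"

rem OUs created with dsadd do not receive the accidental-deletion protection that the
rem GUI check box applies. Add it only after the move: a protected OU cannot be moved.
rem Assumption: Deny Delete and Delete Subtree for Everyone is the equivalent entry.
dsacls "%VAN%" /D "Everyone:SDDT" >nul
for %%O in (BranchManagers CustomerService Marketing Investments) do (
    dsacls "ou=%%O,%VAN%" /D "Everyone:SDDT" >nul
)

rem Task 4: move each Vancouver group from the Users container into its department OU.
for %%O in (BranchManagers CustomerService Investments Marketing) do (
    dsmove "cn=VAN_%%OGG,cn=Users,%DOM%" -newparent "ou=%%O,%VAN%"
)

rem Review the result: OUs and groups now under Vancouver.
echo --- OUs under Vancouver
dsquery ou "%VAN%"
echo --- Groups under Vancouver
dsquery group "%VAN%"
endlocal
```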

Module 4: Managing Access to Resources

Lab: Managing Access to Resources

Exercise 1: Planning a Shared Folder Implementation (Discussion)

Answer: On their domain controller (or member server), use Windows Explorer to create a folder for each department. Right-click each folder, and set Sharing permissions. Remove the Everyone group, and add the global group for which the shared folder is intended. Give the global groups Contributor status.

Answer: Create a new folder named Company. Assign it a shared permissions level of Read for all Domain Users. Next, add the Branch Managers global group as Contributors. Inside the Company folder, create a folder for: News, Staffing, and Projections.

Answer: You should create a new global group for this project, and a new shared folder that has as its only member, in addition to Administrator, the new global group that you create. You should set their permission level to Contributors.

Exercise 2: Implementing a Shared Folder Implementation

Task 1: Start the virtual machines, and then log on

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.

3. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Create four new folders by using Windows Explorer

1. On NYC-DC1, click Start, and then click Computer.

2. Double-click Local Disk (C:).

3. On the File menu, point to New and then click Folder.

4. Name the folder Marketing.

5. Repeat the previous two steps to create three additional folders named:

• Managers

• Investments

• CustomerService

Task 3: Set share properties for the folders

1. In the Windows Explorer window, right-click the folder named Marketing, and then click Share.

2. In the File Sharing dialog box, type TOR_MarketingGG and then click Add. TOR_MarketingGG will appear in the list window underneath the name box.

3. Click TOR_MarketingGG and then click Contributor.

4. Click Share, and then click Done.

5. To assign file-sharing properties for each of the other folders that you created in Task 2, repeat the previous four steps by using the groups listed:

• TOR_BranchManagersGG (Managers folder)

• TOR_InvestmentsGG (Investments folder)

• TOR_CustomerServiceGG (CustomerService folder)

6. Close Windows Explorer.

Task 4: Create another shared folder by using Share and Storage Management MMC

1. Click Start, click Administrative Tools, and then click Share and Storage Management.

2. In the Actions pane, click Provision Share.

3. The Provision a Shared Folder Wizard will start. Click Browse.

4. In the Browse For Folder dialog box, click the c$ location and then click Make New Folder.

5. Type CompanyNews, press ENTER, and then click OK.

6. Accept all default values by clicking Next until you get to the Review Settings and Create Share page. Click Create.

7. On the confirmation page, click Close.

8. In the Share and Storage Management MMC details pane, right-click CompanyNews, and then click Properties.

9. In the CompanyNews Properties dialog box, click the Permissions tab.

10. Click Share Permissions. In the Permissions for CompanyNews dialog box, click Add.

11. In the Select Users, Computers, or Groups dialog box, type Domain Users, and then click OK.

12. In the Permissions for CompanyNews dialog box, Domain Users (Woodgrovebank\Domain Users) now should be listed in the Group or user names window. When you click it, in the Permissions for Domain Users pane, the Read option should be set to Allow.

13. Repeat the previous three steps to add TOR_BranchManagersGG to the Group or user names pane.

14. In Permissions for TOR_BranchManagersGG pane, next to Full Control, select Allow.

15. Click Everyone, and then click Remove.

16. Click Apply, and then click OK twice.

17. Close Share and Storage Management.

Task 5: Create a new group and shared folder for an interdepartmental project

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. In the console pane, expand WoodgroveBank.com, right-click the Toronto OU, point to New, and then click Group.

3. In the New Object – Group dialog box, in the Group name field, type TOR_SpecialProjectGG, and then click OK.

4. In the console pane, expand the Toronto OU, and then click the Marketing OU.

5. In the details pane, right-click Aidan Delaney, and then click Add to a group.

6. In the Select Groups dialog box, type TOR_SpecialProjectGG and then click OK twice.

7. Add other members to the TOR_SpecialProjectGG group by following previous steps. Use the users listed in the following table:

Look inside Toronto OUs: | Find Names:
Investment | Aaron Con
BranchManagers | Sven Buck
CustomerService | Dorena Paschke

8. Close Active Directory Users and Computers.

9. Click Start, click Computer, and then double-click Local drive (C:).

10. On the File menu, point to New and then click Folder.

11. Name the folder SpecialProjects.

12. Right-click SpecialProjects, and then click Share.

13. In the File Sharing dialog box, type TOR_SpecialProjectGG and then click Add.

14. Click TOR_SpecialProjectGG and then click Contributor.

15. Click Share, and then click Done.

Results: TOR_SpecialProjectGG group should now have Contributor rights to the SpecialProjects folder.

Task 6: Block inheritance of a folder in a shared folder

1. Double-click SpecialProjects.

2. On the File menu, point to New and then click Folder.

3. Name the folder Unshared.

4. Right-click the Unshared folder and select Properties.

5. In the Unshared Properties dialog box, click the Security tab.

6. Click the Advanced button.

7. In the Advanced Security Settings for Unshared dialog box, click Edit.

8. Clear the Include inheritable permissions from this object’s parent check box.

9. In the Windows Security dialog box, click Remove.

10. Click OK.

11. In the Advanced Security Settings for Unshared dialog box, click Add.

12. In the Select User, Computer, or Group dialog box, for the Enter the object name to select field, type Administrators and click OK.

13. In the Permissions Entry for Unshared dialog box, for Full Control, check Allow and click OK four times.
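The same result as Task 6 can be produced and checked with icacls. The batch file below is an added example, not part of the workbook; it grants Administrators before cutting inheritance so the folder never sits with an empty access list, then confirms that no inherited entries remain.

```bat
@echo off
rem Added example, not part of the workbook: Task 6 applied and verified with icacls.
setlocal
set "DIR=C:\SpecialProjects\Unshared"
if not exist "%DIR%" mkdir "%DIR%"

rem Grant first, then remove inheritance, so the folder is never left with an empty DACL.
rem (OI)(CI) makes the entry apply to files and subfolders created later.
icacls "%DIR%" /grant "BUILTIN\Administrators:(OI)(CI)F"
icacls "%DIR%" /inheritance:r

rem Verify: inherited entries are marked (I) in icacls output; none should be left.
icacls "%DIR%" | findstr /c:"(I)" >nul
if errorlevel 1 (echo OK: no inherited entries remain) else (echo WARNING: inherited entries still present)

rem Show the resulting access list; Administrators is the expected explicit entry.
icacls "%DIR%"

rem Compare with the parent, which still carries the entries set by the sharing wizard.
icacls "C:\SpecialProjects"

rem Share permissions are evaluated separately from NTFS permissions; review them too.
net share SpecialProjects
net share CompanyNews
endlocal
```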

Exercise 3: Evaluating the Shared Folder Implementation

Task 1: Log on to NYC-CL1 as Sven

• Log on to NYC-CL1 as WOODGROVEBANK\Sven, with password Pa$$w0rd.

Task 2: Check permissions for Company News

1. Click Start, type \\NYC-DC1, and then press ENTER.

2. Double-click the CompanyNews folder.

3. Right-click inside the open window, point to New, and then click Folder.

4. Type News, and then press ENTER.

5. Right-click inside the open window again, point to New, and then click Text document.

6. Type Welcome, and then press ENTER.

7. Drag and drop the Welcome file onto the News folder.

8. Click Start, then point to the right-arrow and then click Log Off.

Results: Sven, a member of the BranchManagersGG, should have ownership of the CompanyNews folder. He should be able to create files and folders in both locations.

Task 3: Check permissions of interdepartmental share Special Projects

1. On NYC-CL1, log on as WOODGROVEBANK\Dorena with password Pa$$w0rd.

2. Click Start, type \\NYC-DC1, and then press ENTER.

3. Double-click the SpecialProjects folder.

Results: Since the permissions of the Unshared folder were blocked, Dorena will not be able to view or access the Unshared folder.

4. Right-click inside the details pane of Windows Explorer, point to New, and then click Text Document.

5. On the navigation bar in Windows Explorer, click the Back button.

6. Double-click CompanyNews and then double-click the News folder.

7. Double-click Welcome.

8. Click Start, then point to the right-arrow and then click Log Off.

Results: Dorena has permissions to create new files inside the SpecialFolders folder and also view existing files in the News folder.

Task 4: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes. Click OK.

3. Close the 6419A Lab Launcher.

Module 5: Configuring Active Directory Objects and Trusts

Lab A: Configuring Active Directory Delegation

Exercise 1: Delegating Control of AD DS Objects

Task 1: Start the virtual machine, and then log on

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

3. Minimize the Lab Launcher window.

Task 2: Assign full control of users and groups in the Toronto OU

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console pane, right-click Toronto, and then click Delegate Control.

3. In the Delegation of Control Wizard, click Next.

4. On the Users or Groups page, click Add.

5. In the Select Users, Computers, or Groups dialog box, type TOR_BranchManagersGG, and then click OK.

6. Click Next.

7. On the Tasks to Delegate page, select the Create, delete, and manage user accounts and the Create, delete and manage groups check boxes.

8. Click Next, and then click Finish.

Task 3: Assign rights to reset passwords and configure private user information in the Toronto OU

1. On NYC-DC1, in Active Directory Users and Computers, right-click Toronto, and then click Delegate Control.

2. In the Delegation of Control Wizard, click Next.

3. On the Users or Groups page, click Add.

4. In the Select Users, Computers, or Groups dialog box, type TOR_CustomerServiceGG, and then click OK.

5. Click Next.

6. On the Tasks to Delegate page, select the Reset user passwords and force password change at next logon check box.

7. Click Next, and then click Finish.

8. Right-click Toronto, and then click Delegate Control.

9. In the Delegation of Control Wizard, click Next.

10. On the Users or Groups page, click Add.

11. In the Select Users, Computers, or Groups dialog box, type TOR_CustomerServiceGG, and then click OK.

12. Click Next.

13. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

14. On the Active Directory Object Type page, click Only the following objects in the folder, and then select the User objects check box.

15. Click Next.

16. On the Permissions page, ensure that the General check box is selected.

17. Under Permissions, select the Read and write personal information check box, and then click Next.

18. Click Finish.

Task 4: Verify the effective permissions assigned for the Toronto OU

1. On NYC-DC1, in Active Directory Users and Computers, on the View menu, click Advanced Features.

2. In the console pane, right-click the Toronto OU, and then click Properties.

3. In the Toronto Properties dialog box, on the Security tab, click Advanced.

4. In the Advanced Security Settings for Toronto dialog box, on the Effective Permissions tab, click Select.

5. In the Select User, Computer, and Group dialog box, type Sven, and then click OK. Sven Buck is a member of the TOR_BranchManagersGG group.

6. Review Sven’s effective permissions. Verify that Sven has permissions to create and delete user and group objects.

7. Click Cancel twice.

8. Expand the Toronto OU, and then click the Customer Service OU.

9. In the details pane, right-click Matt Berg, and then click Properties.

10. In the Matt Berg Properties dialog box, on the Security tab, click Advanced.

11. In the Advanced Security Settings for Matt Berg dialog box, on the Effective Permissions tab, click Select.

12. In the Select User, Computer, and Group dialog box, type Helge, and then click OK. Helge Hoeing is a member of the TOR_CustomerServiceGG group.

13. Review Helge’s effective permissions. Verify that Helge has permissions to reset passwords and to write personal information.

14. Click Cancel twice.

15. Close Active Directory Users and Computers.

Task 5: Test the delegated permissions for the Toronto OU

1. Log on to NYC-DC1 as WOODGROVEBANK\Sven with the password of Pa$$w0rd.

2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.

4. In the console pane, expand WoodgroveBank.com, right-click the Toronto OU, and then point to New, and then click User.

5. Create a new user with the following properties:

a. First name: Test1

b. User logon name: Test1

c. Password: Pa$$w0rd

6. This task will succeed because Sven Buck was delegated the authority to perform that task.

7. Right-click the Toronto OU, and then point to New, and then click Group.

8. Create a new global security group named Group1. This task will succeed because Sven Buck was delegated the authority to perform that task.

9. Right-click the ITAdmins OU, and review the menu options. Verify that Sven does not have permissions to create any new objects in the ITAdmins OU.

10. Log off and then log on to NYC-DC1 as WOODGROVEBANK\Helge with the password of Pa$$w0rd.

11. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

12. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.

13. In the console pane, expand WoodgroveBank.com, right-click the Toronto OU, and review the menu options. Verify that Helge does not have permissions to create any new objects in the Toronto OU.

14. Expand Toronto, click CustomerService, right-click Matt Berg, and then click Reset Password.

15. In the Reset Password dialog box, in the New password and Confirm password fields, type Pa$$w0rd, and then click OK twice.

16. Right-click Matt Berg, and then click Properties.

17. In the Matt Berg Properties dialog box, verify that Helge has permission to set some user properties such as Office and Telephone number, but not settings such as Description and E-mail.

18. Click Cancel.

19. Close Active Directory Users and Computers, and then log off.

Result: At the end of this exercise you will have delegated the administrative tasks for the Toronto office.
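The access control entries written by the Delegation of Control Wizard, both in this lab (Toronto) and in Module 3, Exercise 3, Task 6 (Yvonne on Vancouver\Marketing), can be listed with dsacls without logging on as each delegate. The batch file below is an added example, not part of the workbook; it assumes that the ITAdmins OU sits directly under the domain, which the workbook does not state.

```bat
@echo off
rem Added example, not part of the workbook: audit delegations with dsacls.
setlocal
set "DOM=dc=WoodgroveBank,dc=com"

rem Delegations the labs create: entries are expected for each trustee.
call :Audit "ou=Toronto,%DOM%" TOR_BranchManagersGG
call :Audit "ou=Toronto,%DOM%" TOR_CustomerServiceGG
call :Audit "ou=Marketing,ou=Vancouver,%DOM%" Yvonne

rem Child OUs inherit the Toronto entries; this shows the scope of the delegation.
call :Audit "ou=CustomerService,ou=Toronto,%DOM%" TOR_CustomerServiceGG

rem Negative checks: the labs expect no rights here, so no entry should be listed.
rem Assumption: ITAdmins is a top-level OU (its location is not given in the workbook).
call :Audit "ou=ITAdmins,%DOM%" TOR_BranchManagersGG
call :Audit "ou=Miami,%DOM%" Yvonne
endlocal
goto :eof

:Audit
rem %~1 = distinguished name of the OU, %2 = trustee name to look for in its ACL.
echo === %2 on %~1
dsacls "%~1" | findstr /i "%2"
if errorlevel 1 echo     no entry names %2 on this OU
goto :eof
```

The wizard only adds entries and offers no way to remove them, so output like this is also how a delegation that has outlived its purpose is found.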

Lab B: Configuring Active Directory Trusts

Exercise 1: Configuring AD DS Trusts

Task 1: Start the virtual machines, and then log on

1. In the Lab Launcher, next to 6419A-VAN-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.

3. In the Lab Launcher, next to 6419A-NYC-DC2, click Launch.

4. Log on to VAN-DC1 as FABRIKAM\Administrator with the password Pa$$w0rd.

5. Minimize the Lab Launcher window.

Task 2: Configure the Network and DNS Settings to enable the forest trust

1. On VAN-DC1, click Start, point to Control Panel, point to Network Connections, and then click Local Area Connection.

2. In the Local Area Connection Status dialog box, click Properties.

3. Click Internet Protocol (TCP/IP), and then click Properties.

4. Change the IP address to 10.10.0.110, the Default gateway to 10.10.0.1, and the Preferred DNS server to 10.10.0.110.

5. Click OK, and then click Close twice.

6. Click Start, and then click Run.

7. In the Open box, type cmd, and then click OK.

8. At the command prompt, type net time \\10.10.0.10 /set /y and then press ENTER. This command synchronizes the time between VAN-DC1 and NYC-DC1.

9. Type exit and then press ENTER.

10. Click Start, point to Administrative Tools, and then click DNS.

11. In the console pane, expand VAN-DC1.

12. Right-click VAN-DC1, and then click Properties.

13. On the Forwarders tab, click New.

14. Type Woodgrovebank.com, and then click OK.

15. In the Selected domain’s forwarder IP address list field, type 10.10.0.10, and then click Add.

16. Click OK, and then close the DNS management console.

17. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

18. In the console pane, right-click Fabrikam.com, and then click Raise Domain Functional Level.

19. In the Raise Domain Functional Level dialog box, in the Select an available domain functional level list, click Windows Server 2003.

20. Click Raise, and then click OK twice.

21. Right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

22. In the Raise Forest Functional Level dialog box, click Raise, and then click OK twice.

23. Close Active Directory Domains and Trusts.

24. On NYC-DC1, log on as WOODGROVEBANK\Administrator.

25. Click Start, point to Administrative Tools, and then click DNS.

26. In the console pane, expand NYC-DC1.

27. Right-click Conditional Forwarders, and then click New Conditional Forwarder.

28. In the DNS Domain field, type Fabrikam.com.

29. Click under IP Address, and then type 10.10.0.110.

30. Press ENTER, and then click OK.

31. Close DNS Manager.

Task 3: Configure a forest trust between WoodgroveBank.com and Fabrikam.com

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

2. In the console pane, right-click WoodgroveBank.com, and then click Properties.

3. On the Trusts tab, click New Trust.

4. In the New Trust Wizard, click Next.

5. On the Trust Name page, type Fabrikam.com, and then click Next.

6. On the Trust Type page, click Forest trust, and then click Next.

7. On the Direction of Trust page, click Two-way, and then click Next.

8. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.

9. On the User Name and Password page, in the User name field, type [email protected], and in the Password field, type Pa$$w0rd, and then click Next.

10. On the Outgoing Trust Authentication Level- Local Forest page, click Forest-wide authentication, and then click Next.

11. On the Outgoing Trust Authentication Level- Specified Forest page, click Forest-wide authentication, and then click Next.

12. On the Trust Selections Complete page, click Next.

13. On the Trust Creation Complete page, click Next.

14. On the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust, and then click Next.

15. On the Confirm Incoming Trust page, click Yes, confirm the incoming trust, and then click Next.

16. On the Completing the New Trust Wizard page, click Finish and then click OK.


Task 4: Configure selective authentication for the forest trust to enable access to only NYC-DC2

1. In Active Directory Domains and Trusts, right-click WoodgroveBank.com, and then click Properties.

2. On the Trusts tab, under Domains that trust this domain (incoming trusts), click Fabrikam.com, and then click Properties.

3. In the Fabrikam.com Properties dialog box, on the Authentication tab, click Selective Authentication.

4. Click OK twice, and then close Active Directory Domains and Trusts.

5. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

6. On the View menu, ensure that Advanced Features is selected.

7. In the console pane, click Domain Controllers.

8. In the details pane, double-click NYC-DC2.

9. In the NYC-DC2 Properties dialog box, on the Security tab, click Add.

10. In the Select Users, Computers, or Groups dialog box, click Locations, click Fabrikam.com, and then click OK.

11. In the Select Users, Computers, or Groups dialog box, type MarketingGG, and then click OK.

12. Under Permissions for MarketingGG, next to Allowed to authenticate, select the Allow check box, and then click OK.

13. In the console pane, click Computers.

14. In the details pane, double-click NYC-CL1.

15. In the NYC-CL1 Properties dialog box, on the Security tab, click Add.

16. In the Select Users, Computers, or Groups dialog box, click Locations, click Fabrikam.com, and then click OK.

17. In the Select Users, Computers, or Groups dialog box, type MarketingGG, and then click OK.

18. Under Permissions for MarketingGG, next to Allowed to authenticate, select the Allow check box, and then click OK.

19. Close Active Directory Users and Computers.


Task 5: Test the selective authentication

1. Log on to NYC-CL1 as FABRIKAM\Adam with the password Pa$$w0rd.

Adam is a member of the MarketingGG group at Fabrikam. He is able to log on to a computer in the WoodgroveBank.com domain because of the trust between the two forests, and because he has been allowed to authenticate to NYC-CL1.

2. Click Start, type \\NYC-DC2\netlogon, and then press ENTER. Adam should be able to access the folder.

3. Click Start, type \\NYC-DC1\netlogon, and then press ENTER. Adam should not be able to access the folder because the server is not configured for selective authentication.

Task 6: Close all virtual machines and discard undo disks

1. For each running virtual machine, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6419A Lab Launcher.

Result: At the end of this exercise you will have configured trusts based on a trust configuration design.


Module 6: Creating and Configuring GPOs

Lab A: Creating and Configuring GPOs

Exercise 1: Creating and Configuring Group Policy Objects

Task 1: Start the virtual machines, and then log on

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

3. Minimize the Lab Launcher window.

Task 2: Create the group policy settings

1. Click Start, point to Administrative Tools and then click Group Policy Management.

2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then expand Group Policy Objects.

3. Right-click the Group Policy Objects folder, and then click New.

4. In the New GPO dialog box, in the Name field, type Restrict Control Panel, and then click OK.

5. Repeat the previous two steps to create the following GPOs:

• Restrict Desktop Display

• Restrict Run Command

• Baseline Security

• Vista and XP Security

• Admin Favorites

• Kiosk Computer Security


Task 3: Configure the policy settings

A. Configure the Baseline Security policy

1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Baseline Security policy, and then click Edit.

2. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

3. In the details pane, double-click Interactive logon: Do not display last user name.

4. In the Interactive logon: Do not display last user name Properties dialog box, select the Define this policy setting check box, click Enabled, and then click OK.

5. Close Group Policy Management Editor.

B. Configure the Admin Favorites policy

1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Admin Favorites policy, and then click Edit.

2. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and then click URLs.

3. In the details pane, double-click Favorites and Links.

4. In the Favorites and Links dialog box, click Add URL.

5. In the Details dialog box, in the Name field, type Tech Support.

6. In the URL field, type http://support.microsoft.com.

7. Click OK twice.

8. Close Group Policy Management Editor.


C. Configure the Restrict Desktop Display policy

1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Restrict Desktop Display policy, and then click Edit.

2. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then click Display.

3. In the details pane, double-click Remove Display in Control Panel.

4. In the Remove Display in Control Panel Properties dialog box, click Enabled, and then click OK.

5. Close Group Policy Management Editor.

D. Configure the Kiosk Computer Security policy

1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Kiosk Computer Security policy and then click Edit.

2. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Group Policy.

3. In the details pane, double-click User Group Policy loopback processing mode.

4. In the User Group Policy loopback processing mode Properties dialog box, click Enabled, ensure the Mode is set to Replace, and then click OK.

5. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, and then click Desktop.

6. In the details pane, double-click Hide and Disable all items on the desktop.

7. In the Hide and Disable all items on the desktop Properties dialog box, click Enabled, and then click OK.

8. Close Group Policy Management Editor.


E. Configure the Restrict Control Panel policy

1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Restrict Control Panel policy and then click Edit.

2. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, and then click Control Panel.

3. In the details pane, double-click Prohibit access to the Control Panel.

4. In the Prohibit Access to Control Panel Properties dialog box, click Enabled, and then click OK.

5. Close Group Policy Management Editor.

F. Configure the Restrict Run Command policy

1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Restrict Run Command policy, and then click Edit.

2. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, and then click Start Menu and Taskbar.

3. In the details pane, double-click Remove Run menu from the Start Menu.

4. In the Remove Run menu from Start Menu Properties dialog box, click Enabled, and then click OK.

5. Close Group Policy Management Editor.

G. Configure the Vista and XP Security policy

1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Vista and XP Security GPO, and then click Edit.

2. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Logon.

3. In the details pane, double-click Always wait for the network at computer startup and logon.

4. In the Always wait for the network at computer startup and logon Properties dialog box, click Enabled, and then click OK.

5. Close Group Policy Management Editor.


Task 4: Link the GPOs to the appropriate containers

1. In the Group Policy Management window, right-click the WoodgroveBank.com domain, and then click Link an Existing GPO.

2. In the Select GPO dialog box, click the Baseline Security GPO. Hold down CTRL and then click the following GPOs:

• Kiosk Computer Security

• Restrict Run Command

• Vista and XP Security

3. Click OK.

4. Right-click the ITAdmins OU, and then click Link an Existing GPO.

5. In the Select GPO dialog box, click the Admin Favorites GPO, and then click OK.

6. Right-click the Executives OU, and then click Link an Existing GPO.

7. In the Select GPO dialog box, click the Restrict Desktop Display GPO, and then click OK.

8. Right-click the Miami OU, and then click Link an Existing GPO.

9. In the Select GPO dialog box, click the Restrict Control Panel GPO, and then click OK.

10. Repeat the previous two steps to link the Restrict Control Panel policy to the NYC and Toronto OUs.

Result: At the end of this exercise you will have created and configured GPOs.


Exercise 2: Managing the Scope of GPO Application

Task 1: Configure Group Policy management for the domain container

1. In the Group Policy Management window, expand the WoodgroveBank.com domain to expose the linked policies (denoted by the shortcut icons).

2. Right-click the Baseline Security link, and then click Enforced.

Result: A lock appears next to the Baseline Security link.

3. Click the Baseline Security link.

4. When the Group Policy Management Console dialog appears, select Do not show this message again, and then click OK.

5. In the details pane, click the Details tab.

6. In the GPO Status list, click User configuration settings disabled.

7. When the Group Policy Management dialog appears, click OK.

8. Click the Kiosk Computer Security link.

9. In the details pane, click the Delegation tab.

10. Click Advanced.

11. In the Kiosk Computer Security Security Settings dialog box, click the Authenticated Users group, and then click Remove.

12. Click Add, and then in the Select User, Computers, or Groups dialog box, type Kiosk Computers, and then click OK.

13. Under Permissions for Kiosk Computers, next to Apply group policy, select Allow, and then click OK.


Task 2: Configure Group Policy management for the IT Admin OU

• In the Group Policy Management window, right-click the ITAdmins OU, and then click Block Inheritance.

Task 3: Configure Group Policy management for the branch OUs

1. In the Group Policy Management window, in the console pane under the Group Policy Objects folder, click the Restrict Control Panel policy.

2. In the details pane, click the Delegation tab, and then on the Delegation tab click Advanced.

3. In the Restrict Control Panel Security Settings dialog box, click Add.

4. In the Select Users, Computers, or Groups dialog box, type MIA_BranchManagersGG; NYC_BranchManagersGG; TOR_BranchManagersGG.

5. Click OK.

6. Under Group or user names, click MIA_BranchManagersGG.

7. Under Permissions for MIA_BranchManagersGG pane, next to Apply group policy, select Deny.

8. Repeat the previous two steps for NYC_BranchManagersGG and TOR_BranchManagersGG.

9. Click OK.

10. In the Windows Security dialog, click Yes.


Task 4: Create and apply a WMI filter for the Server Security GPO

1. In the Group Policy Management window console pane, right-click the WMI Filters folder, and then click New.

2. In the New WMI Filter dialog box, in the Name field, type Windows Vista or XP operating system.

3. Click Add.

4. In the WMI Query dialog box, in the Query field, type Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Vista Enterprise" OR Caption = "Microsoft Windows XP Professional".

5. Click OK, and then click Save.

6. In the Group Policy Objects folder, click the Vista or XP Security policy, and then in the details pane, click the Scope tab.

7. In the WMI Filtering list, click Windows Vista or XP operating system.

8. In the Group Policy Management dialog, click Yes.

Result: At the end of this exercise you will have configured the scope of GPO settings.


Lab B: Verifying and Managing GPOs

Exercise 1: Verifying GPO Application

Task 1: Start NYC-CL1

• Log on to NYC-CL1 as WOODGROVEBANK\Anton with the password Pa$$w0rd.

Task 2: Verify that a Miami branch user is receiving the correct policy

1. Click Start and then verify that the Control Panel is not present on the Start menu.

2. Click Start, point to All Programs, point to Accessories and then verify that Run is not present in the Start menu.

3. Log off.

Task 3: Verify that a Miami Branch Manager is receiving the correct policy

1. Log on to NYC-CL1 as WOODGROVEBANK\Roya with a password of Pa$$w0rd.

2. Click Start and then verify that the Control Panel is present on the Start menu.

3. Click Start, point to All Programs, point to Accessories and then verify that Run is not present in the Start menu.

4. Log off.


Task 4: Verify that a user in the IT Admin OU is receiving the correct policy

1. Log on to NYC-CL1 as WOODGROVEBANK\Betsy with a password of Pa$$w0rd.

2. Click Start and then verify that the Control Panel is present on the Start menu.

3. Click Start, point to All Programs, point to Accessories and then verify that Run is present in the Start menu.

4. Click Start and then click Internet.

5. In the Internet Explorer window, click the Favorites Center button, and then verify that the link to Tech Support is present.

6. Log off.

Task 5: Verify that a user in the Executive OU is receiving the correct policy

1. Log on to NYC-CL1 as WOODGROVEBANK\Chase with a password of Pa$$w0rd.

2. Click Start, point to All Programs, point to Accessories and then verify that Run is not present in the Start menu.

3. Click Start and then verify that the Control Panel is present on the Start menu.

4. Click Start and then click Control Panel.

5. In the Control Panel window, under Appearance and Personalization, click Change desktop background and then verify that there is no access to the Desktop Display Settings.

6. Log off.

Hint: When you attempt to access display settings you will receive a message informing you that this has been disabled.


Task 6: Verify that the last logged on username does not appear

• Verify that the last logged on username does not appear.

Note: To see this information, press CTRL-ALT-DEL to see the logon screen.

Task 7: Use Group Policy modeling to test kiosk computer settings

1. On NYC-DC1, in the Group Policy Management window, right-click the Group Policy Modeling folder, and then click Group Policy Modeling Wizard.

2. In the Group Policy Modeling Wizard, click Next.

3. On the Domain Controller Selection page, click Next.

4. On the User and Computer Selection page, under Computer information, click Computer.

5. In the Computer field, type WOODGROVEBANK\NYC-CL1, and then click Next.

6. On the Advanced Simulation Options page, click Loopback Processing, and then click Next.

7. On the Alternate Active Directory Paths page, click Next.

8. On the User Security Groups page, click Next.

9. On the Computer Security Groups page, click Add.

10. In the Select Groups dialog box, type Kiosk Computers, click OK, and then click Next.

11. On the WMI Filters for Users page, click Next.

12. On the WMI Filters for Computers page, click Next.

13. On the Summary of Selections page, click Next.

14. On the Completing the Group Policy Modeling Wizard page, click Finish.

15. In Group Policy Management window, view the report. This will take a few moments to process.

Result: At the end of this exercise you will have tested and verified a GPO application.
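The scoping rules configured in Lab A (domain and OU links, Enforced, Block Inheritance, and Deny on Apply group policy) determine what each test user sees in Tasks 2 through 5 above. The following Python model is an added example, not part of the courseware; it covers user-side settings only, and the placement of the OUs directly under the domain and Roya's membership in MIA_BranchManagersGG are assumptions inferred from the lab text.

```python
"""Model of user-side GPO scoping: links, Enforced, Block Inheritance, security filtering."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    user_settings: dict = field(default_factory=dict)
    user_settings_enabled: bool = True  # GPO Status: "User configuration settings disabled"
    allow_apply: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_apply: set = field(default_factory=set)

    def passes_security_filter(self, groups):
        # A Deny on "Apply group policy" overrides any Allow.
        return bool(groups & self.allow_apply) and not (groups & self.deny_apply)


@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    links: list = field(default_factory=list)  # (GPO, enforced) pairs
    block_inheritance: bool = False


def gpos_in_scope(container, groups):
    """GPOs that reach a user in `container`, lowest precedence first."""
    normal, enforced = [], []
    blocked = False
    node = container
    while node is not None:  # walk from the user's OU up to the domain
        if not blocked:
            # Parent links are processed before child links, so they lose conflicts.
            normal = [g for g, enf in node.links if not enf] + normal
        # Enforced links ignore Block Inheritance; the highest container wins.
        enforced = enforced + [g for g, enf in node.links if enf]
        if node.block_inheritance:
            blocked = True  # non-enforced links above this point are dropped
        node = node.parent
    return [g for g in normal + enforced if g.passes_security_filter(groups)]


def resultant_user_settings(container, groups):
    """Merge user settings in processing order; later GPOs overwrite earlier ones."""
    result = {}
    for gpo in gpos_in_scope(container, groups):
        if gpo.user_settings_enabled:
            result.update(gpo.user_settings)
    return result


# GPOs and links as configured in Lab A (user-side settings only).
baseline = GPO("Baseline Security", user_settings_enabled=False)
run_cmd = GPO("Restrict Run Command", {"Remove Run menu from Start Menu": "Enabled"})
ctrl_panel = GPO(
    "Restrict Control Panel",
    {"Prohibit access to the Control Panel": "Enabled"},
    deny_apply={"MIA_BranchManagersGG", "NYC_BranchManagersGG", "TOR_BranchManagersGG"},
)
display = GPO("Restrict Desktop Display", {"Remove Display in Control Panel": "Enabled"})
favorites = GPO("Admin Favorites", {"Favorites and Links": "Tech Support"})

# Assumption: each OU sits directly under the domain.
domain = Container("WoodgroveBank.com", links=[(baseline, True), (run_cmd, False)])
miami = Container("Miami", domain, [(ctrl_panel, False)])
executives = Container("Executives", domain, [(display, False)])
itadmins = Container("ITAdmins", domain, [(favorites, False)], block_inheritance=True)

# Constructed test users; group memberships are assumptions based on the lab tasks.
USERS = {
    "Anton": (miami, {"Authenticated Users"}),
    "Roya": (miami, {"Authenticated Users", "MIA_BranchManagersGG"}),
    "Betsy": (itadmins, {"Authenticated Users"}),
    "Chase": (executives, {"Authenticated Users"}),
}


def report(user):
    """Return (GPO names in scope, resultant user settings) for a lab user."""
    container, groups = USERS[user]
    names = [g.name for g in gpos_in_scope(container, groups)]
    return names, resultant_user_settings(container, groups)


if __name__ == "__main__":
    for user in USERS:
        names, settings = report(user)
        print(f"{user}: in scope={names} settings={settings}")
```

Betsy's result shows the two overrides interacting: Block Inheritance on ITAdmins drops Restrict Run Command, while the enforced Baseline Security link still reaches her but contributes no user settings because its user configuration is disabled.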


Exercise 2: Managing GPOs

Task 1: Back up an individual policy

1. On NYC-DC1, in the Group Policy Management window, under the Group Policy Objects folder, right-click the Restrict Control Panel policy, and then click Back Up.

2. In the Back Up Group Policy Object dialog box, click Browse.

3. Browse to C:\ and then click Make New Folder.

4. Type GPO Backup, and then press ENTER.

5. Click OK, and then click Back Up.

6. When the backup completes, click OK.

Task 2: Back up all GPOs

1. In the console pane, right-click the Group Policy Objects folder and then click Back Up All.

2. In the Back Up Group Policy Object dialog box, in the Location field, type C:\GPO Backup and then click Back Up.

3. When the backup completes, click OK.

Task 3: Delete and restore an individual GPO

1. In the Group Policy Objects folder, right-click the Admin Favorites policy, and then click Delete.

2. In the Group Policy Management dialog box, click Yes.

3. Right-click the Group Policy Objects folder, and then click Manage Backups.

4. In the Manage Backups dialog, click the Admin Favorites GPO, and then click Restore.

5. In the Group Policy Management dialog box, click OK.

6. In the Restore dialog box, click OK and then click Close.

7. Verify that the Admin Favorites GPO appears in the Group Policy Objects folder.


Task 4: Import a GPO

1. Right-click the Group Policy Objects folder, and then click New.

2. In the New GPO dialog box, in the Name field, type Import, and then click OK.

3. Right-click the Import GPO, and then click Import Settings.

4. In the Import Settings Wizard, click Next.

5. On the Backup GPO page, click Next.

6. On the Backup location page, verify the Backup folder is C:\GPO Backup, and then click Next.

7. On the Source GPO page, click Restrict Control Panel, and then click Next.

Note: If more than one copy of the Restrict Control Panel GPO appears, choose the newer one.

8. On the Scanning Backup page, click Next, and then click Finish.

9. When the import completes, click OK.

10. In the Group Policy Objects folder, click the Import GPO, and then in the details pane, click the Settings tab.

11. Click show all.

12. Verify that the Prohibit access to the Control Panel policy setting is enabled.

Result: At the end of this exercise you will have backed up, restored, and imported GPOs.


Exercise 3: Delegating Administrative Control of GPOs

Task 1: Grant Betsy the right to create GPOs in the domain

1. On NYC-DC1, in the Group Policy Management window, click the Group Policy Objects folder.

2. In the details pane, click the Delegation tab, and then click Add.

3. In the Select User, Computer, or Group dialog box, type Betsy, and then click OK.

Task 2: Delegate the right to edit the Import GPO to Betsy

1. In the Group Policy Objects folder, click the Import GPO.

2. In the details pane, click the Delegation tab, and then click Add.

3. In the Select User, Computer, or Group dialog box, type Betsy, and then click OK.

4. In the Add Group or User dialog box, in the Permissions list, click Edit settings, and then click OK.

Task 3: Delegate the right to link GPOs to the Executives OU to Betsy

1. In the WoodgroveBank.com domain, click the Executives OU.

2. In the details pane, click the Delegation tab, and then click Add.

3. In the Select User, Computer, or Group dialog box, type Betsy, and then click OK.

4. In the Add Group or User dialog box, in the Permissions list, click This container only, and then click OK.


Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab to allow you to test the delegated permissions. As a best practice you should install the administration tools on a Windows workstation rather than enable Domain Users to log on to domain controllers.

1. In the Group Policy Management window, expand Domain Controllers.

2. Right-click Default Domain Controllers Policy, and then click Edit.

3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

4. In the details pane, double-click Allow log on locally.

5. In the Allow log on locally Properties dialog box, click Add User or Group.

6. In the Add User or Group dialog box, type Domain Users, and click OK twice.

7. Close all open windows.

8. Click Start, and then click Command Prompt.

9. In the Command Prompt window, type GPUpdate /force and press ENTER.

10. Wait for the command to complete, type exit, and then press ENTER.

11. Log off.

Task 5: Test the delegation

1. Log on to NYC-DC1 as WOODGROVEBANK\Betsy.

2. Click Start, type MMC, and then press ENTER.

3. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.

4. On the File menu, click Add/Remove Snap-in.

5. In the Add or Remove Snap-ins dialog, click Group Policy Management, click Add, and then click OK.


6. Expand Group Policy Management, expand Forest: WoodgroveBank.com, expand Domains, and then expand WoodgroveBank.com.

7. Right-click the Group Policy Objects folder, and then click New.

8. In the New GPO dialog box, type Test, and then click OK. This operation will succeed.

9. Expand the Group Policy Objects folder, and right-click the Import GPO, and then click Edit. This operation will succeed.

10. Close Group Policy Management Editor.

11. Right-click the Executives OU, and then click Link an Existing GPO.

12. In the Select GPO dialog box, click Test and click OK. This operation will succeed.

13. Right-click the Admin Favorites GPO, and then click Edit. This operation is not possible because the Edit link is grayed out.

Task 6: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close dialog box, click Turn off machine and discard changes, and then click OK.

3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have backed up, restored, and imported GPOs.


Module 7: Configure User and Computer Environments by Using Group Policy

Lab A: Configuring Scripts and Folder Redirection with Group Policy

Exercise 1: Configure Logon Scripts and Folder Redirection

Task 1: Start the 6419A-NYC-DC1 virtual machine and log

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator using the password Pa$$w0rd.

3. Minimize the Lab Launcher window.

Task 2: Review the logon script to map a network drive

1. On NYC-DC1, click Start, and then click Computer.

2. In the Computer window, browse to E:\Mod07\LabFiles\Scripts.

3. Right-click Map.bat, and then click Edit.

4. In the Notepad window, review the script and then close Notepad.

5. Right-click Map.bat, and then click Copy.

6. Close Windows Explorer.

Task 3: Configure and link the Logon Script GPO

1. Click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the Group Policy Management console pane, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, right-click Group Policy Objects, and then click New.


3. In the New GPO dialog box, in the Name field, type Logon Script, and then click OK.

4. Expand Group Policy Objects, right-click Logon Script, and then click Edit.

5. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then click Scripts (Logon/Logoff).

6. In the details pane, double-click Logon.

7. In the Logon Properties dialog box, click Show Files.

8. In the Logon window details pane, right-click and then click Paste to copy the Map.bat script from the clipboard to the scripts folder.

9. Close the Logon window.

10. In the Logon Properties dialog box, click Add.

11. In the Add a Script dialog box, click Browse.

12. In the Browse dialog box, click Map.bat, and then click Open.

13. Click OK twice.

14. Close Group Policy Management Editor.

15. In the Group Policy Management window console pane, right-click WoodgroveBank.com, and then click Link an Existing GPO.

16. In the Select GPO dialog box, click Logon Script, and then click OK.

Task 4: Share and secure a folder for the Executives group

1. In Windows Explorer, browse to E:\Mod07\Labfiles.

2. Right-click ExecData, and then click Properties.

3. In the ExecData Properties dialog box, on the Sharing tab, click Advanced Sharing.

4. In the Advanced Sharing dialog box, select the Share this folder check box, and then click Permissions.

5. In the Permissions for ExecData dialog box, click Remove to remove the Everyone group.

6. Click Add.

7. In the Select Users, Computers, or Groups dialog box, type Executives_WoodgroveGG, and then click OK.


8. Under Permissions for WoodgroveGG, next to Full Control, select the Allow check box, and then click OK twice.

9. In the ExecData Properties dialog box, on the Security tab, click Advanced.

10. In the Advanced Security Settings for ExecData dialog box, click Edit.

11. In the Advanced Security Settings for ExecData dialog box, clear the Include inheritable permissions from this object’s parent check box.

12. In the Windows Security dialog box, click Copy.

13. In the Advanced Security Settings for ExecData dialog box, click Remove.

14. Repeat the above step to remove all users and groups except CREATOR OWNER and SYSTEM.

15. Click Add.

16. In the Select User, Computer, or Group dialog box, type Executives_WoodgroveGG, and then click OK.

17. In the Permission Entry for ExecData dialog box, in the Apply to list, click This folder only.

18. Under Permissions, next to List folder / read data and Create folders / append data, select the Allow check boxes.

19. Click OK three times, and then click Close.

20. Close Windows Explorer.

Task 5: Redirect the Documents folder for the Executives group

1. In the Group Policy Management window console pane, right-click Group Policy Objects, and then click New.

2. In the New GPO dialog box, in the Name field, type Executive Redirection, and then click OK.

3. Right-click Executive Redirection, and then click Edit.

4. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, expand Folder Redirection, right-click Documents, and then click Properties.

5. In the Documents Properties dialog box, in the Setting list, click Basic - Redirect everyone’s folder to the same location.

6. In the Root Path field, type \\NYC-DC1\ExecData.

7. On the Settings tab, review the current settings, and then click OK.

8. In the Warning dialog box, click Yes.

9. Close Group Policy Management Editor.

10. In the Group Policy Management console pane, right-click Executives, and then click Link an Existing GPO.

11. In the Select GPO dialog box, click Executive Redirection, and then click OK.

Task 6: Start the 6419A-NYC-CL1 virtual machine, and then log on as WOODGROVEBANK\Tony

1. Turn on the 6419A-NYC-CL1 VM.

2. Log on to NYC-CL1 as WOODGROVEBANK\Tony using the password Pa$$w0rd.

Task 7: Observe the applied settings while logged on as a user in the Executives OU

1. Click Start, and then click Computer.

2. In the Computer window, verify that the K: drive is mapped to the Data share on NYC-DC1.

Note: It may take 2 to 3 minutes before this drive appears.

3. Close Computer.

4. Click Start, right-click Documents, and then click Properties.

5. In the Documents Properties dialog box, verify the location is \\NYC-DC1\ExecData\Tony, and then click Cancel.

6. Log off NYC-CL1.

Result: At the end of this exercise, you will have configured logon scripts and folder redirection.

Lab B: Configuring Administrative Templates

Exercise 1: Configure Administrative Templates

Task 1: Modify the Default Domain Policy to allow remote administration through the firewall for all domain computers

1. On NYC-DC1, in the Group Policy Management console pane, right-click Default Domain Policy, and then click Edit.

2. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.

3. In the details pane, double-click Windows Firewall: Allow inbound remote administration exception.

4. In the Windows Firewall: Allow inbound remote administration exception dialog box, click Enabled, and then click OK.

5. In the console pane, under Administrative Templates, expand System, and then click Group Policy.

6. In the details pane, double-click Group Policy slow link detection.

7. In the Group Policy slow link detection Properties dialog box, click Enabled.

8. In the Connection speed (Kbps) field, type 800, and then click OK.

9. Close Group Policy Management Editor.

Result: At the end of this task, you will have enabled remote administration through the firewall. This allows the Group Policy Results Wizard to query target computers.

Task 2: Create and assign a GPO to prevent the installation of removable devices

1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.

2. In the New GPO dialog box, in the Name field, type Prevent Removable Devices, and then click OK.

3. Right-click Prevent Removable Devices, and then click Edit.

4. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, expand Device Installation, and then click Device Installation Restrictions.

5. In the details pane, double-click Prevent installation of removable devices.

6. In the Prevent installation of removable devices Properties dialog box, click Enabled, and then click OK.

7. Close Group Policy Management Editor.

8. In the Group Policy Management console pane, right-click Miami, and then click Link an Existing GPO.

9. In the Select GPO dialog box, click Prevent Removable Devices, and then click OK.

10. Repeat the previous two steps to link the Prevent Removable Devices GPO to the NYC and Toronto OUs.

Task 3: Create and assign a GPO to encrypt offline files for executive computers

1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.

2. In the New GPO dialog box, in the Name field, type Encrypt Offline Files, and then click OK.

3. Right-click Encrypt Offline Files, and then click Edit.

4. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network and then click Offline Files.

5. In the details pane, double-click Encrypt the Offline Files cache.

6. In the Encrypt the Offline Files cache Properties dialog box, click Enabled, and then click OK.

7. Close Group Policy Management Editor.

8. In the Group Policy Management console pane, right-click Executives, and then click Link an Existing GPO.

9. In the Select GPO dialog box, click Encrypt Offline Files, and then click OK.

Task 4: Create and assign a domain-level GPO for all domain users

1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.

2. In the New GPO dialog box, in the Name field, type All Users Policy, and then click OK.

3. Right-click All Users Policy, and then click Edit.

4. In the Group Policy Management Editor console pane, under User Configuration, expand Policies, expand Administrative Templates, and then click System.

5. In the details pane, double-click Prevent access to registry editing tools.

6. In the Prevent access to registry editing tools Properties dialog box, click Enabled, and then click OK.

7. In the console pane, click Start Menu and Taskbar.

8. In the details pane, double-click Remove Clock from the system notification area.

9. In the Remove Clock from the system notification area Properties dialog box, click Enabled, and then click OK.

10. Close Group Policy Management Editor.

11. In the Group Policy Management console pane, right-click WoodgroveBank.com, and then click Link an Existing GPO.

12. In the Select GPO dialog box, click All Users Policy, and then click OK.

Task 5: Create and assign a policy to limit profile size and turn off Windows Sidebar for branch users

1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click New.

2. In the New GPO dialog box, in the Name field, type Branch Users Policy, and then click OK.

3. Right-click Branch Users Policy, and then click Edit.

4. In the Group Policy Management Editor console pane, under User Configuration, expand Policies, expand Administrative Templates, expand System, and then click User Profiles.

5. In the details pane, double-click Limit profile size.

6. In the Limit profile size Properties dialog box, click Enabled.

7. In the Max Profile size (KB) field, type 1000000 and then click OK.

8. In the console pane, under Administrative Templates, expand Windows Components, and then click Windows Sidebar.

9. In the details pane, double-click Turn off Windows Sidebar.

10. In the Turn off Windows Sidebar Properties dialog box, click Enabled, and then click OK.

11. Close Group Policy Management Editor.

12. In the Group Policy Management console pane, right-click Miami, and then click Link an Existing GPO.

13. In the Select GPO dialog box, click Branch Users Policy, and then click OK.

14. Repeat the previous two steps to link the Branch Users Policy GPO to the NYC and Toronto OUs.

Exercise 2: Verify GPO Application

Task 1: Verify that the settings for Executives have been applied

1. On NYC-CL1, log on as WOODGROVEBANK\Tony using the password Pa$$w0rd.

Note: Some user settings can only be applied during logon or may not apply due to cached credentials. These include roaming user profile path, Folder Redirection path, and Software Installation settings. If the user is already logged on when these settings are detected, they will not be applied until the next time the user is logged on.

2. Verify that the Windows Sidebar is not displayed.

3. In the notification area, verify that the clock is not displayed.

4. Right-click the Taskbar, and then click Properties.

5. In the Taskbar and Start Menu Properties dialog box, on the Notification Area tab, verify that you do not have the option to display the clock, and then click Cancel.

6. Click Start, type regedit, and then press ENTER.

7. In the Registry Editor dialog box, review the error, and then click OK.

8. Log off NYC-CL1.

Task 2: Log on as a user in a Branch Office and observe the applied settings

1. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.

2. Verify that the Windows Sidebar is not displayed.

3. In the notification area, verify that the clock is not displayed.

4. In the notification area, double-click the Available profile space icon.

5. In the Profile Storage Space dialog box, review the information and then click OK.

6. Click Start, right-click Documents, and then click Properties.

7. In the Documents Properties dialog box, verify the location is C:\Users\Roya, and then click Cancel.

8. Click Start, type regedit, and then press ENTER.

9. In the Registry Editor dialog box, review the error, and then click OK.

10. Click Start, and then click Computer.

11. In the Computer window, verify that the K: drive is mapped to the Data share on NYC-DC1.

12. Log off NYC-CL1.

Task 3: Use the Group Policy Results Wizard to review Group Policy application for a target user and computer

1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Results, and then click Group Policy Results Wizard.

2. In the Group Policy Results Wizard, click Next.

3. On the Computer Selection page, click Another computer, type WoodgroveBank\NYC-CL1 and click Next.

Note: If you receive an error after the step above, retry the step above in 2 minutes.

4. On the User Selection page, click WOODGROVEBANK\Tony, and then click Next.

5. On the Summary of Selections page, click Next, and then click Finish.

6. In the details pane, click show all.

7. Review the list of applied computer and user GPOs.

Question: Which GPOs were applied to the computer?

Answer: Only the Default Domain Policy.

Question: Which GPOs were applied to the user?

Answer: All Users Policy, Login Script, and Executive Redirection.

8. On the Settings tab, under Computer Configuration, click Administrative Templates, and then expand each of the settings.

Question: What settings were delivered to the computer?

Answer: Windows Firewall: Allow inbound remote administration exception.

9. Under User Configuration, expand each of the settings.

Question: What settings were delivered to the user?

Answer: The Executive Redirection policy delivers folder redirection settings. The All Users Policy delivers settings to remove the clock and disable registry editing.

Result: At the end of this exercise, you will have configured several Administrative Templates policy settings for various OUs in the organization and then verified successful GPO application.

Lab C: Deploying Software with Group Policy

Exercise 1: Deploy a Software Package with Group Policy

Task 1: Copy a software package to the Data share

1. On NYC-DC1, click Start, and then click Computer.

2. In the Computer window, browse to E:\Mod07\LabFiles.

3. Right-click PPVIEWER.MSI, and then click Copy.

4. Double-click Data.

5. In the details pane, right-click, and then click Paste.

6. Close Windows Explorer.

Task 2: Configure and review the software deployment GPO

1. On NYC-DC1, in the Group Policy Management console pane, right-click WoodgroveBank.com, and then click Create a GPO in this domain, and Link it here.

2. In the New GPO dialog box, in the Name field, type Software Deployment and then click OK.

3. Right-click Software Deployment, and then click Edit.

4. In the Group Policy Management Editor, in the console pane, under Computer Configuration, expand Policies, expand Software Settings, and then click Software installation.

5. Right-click Software installation, point to New, and then click Package.

6. In the Open dialog box, type \\NYC-DC1\Data\ppviewer.msi and then click Open.

7. In the Deploy Software dialog box, review the configuration options. When you are done, verify that Assigned is selected, and then click OK.

8. Right-click Microsoft Office PowerPoint Viewer 2003, and then click Properties.

9. In the Microsoft Office PowerPoint Viewer 2003 Properties dialog box, review the options on the following tabs:

• General

• Deployment

• Upgrades

• Categories

• Modifications

• Security

10. When done, click Cancel, and then close Group Policy Management Editor.

Exercise 2: Verify Software Installation

Task 1: Verify that the software package has been installed

1. On NYC-CL1, log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.

2. Click Start | All Programs | Accessories, and then click Command Prompt.

3. In the Command Prompt window, type GPUpdate /force and then press ENTER.

4. When the update completes, read the warning that appears. When you are done, press Y, and then press ENTER.

5. In the You are about to be logged off dialog box, click Close.

6. When the computer restarts, log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.

7. Click Start, and then click Control Panel.

8. In the Control Panel window, click Uninstall a program.

9. Notice that the Microsoft Office PowerPoint Viewer 2003 program has been successfully installed.

10. Double-click Microsoft Office PowerPoint Viewer 2003.

11. In the Programs and Features dialog box, click Yes to uninstall the program.

12. When the process completes, press F5 and notice that even though you can uninstall the program, it comes back because the program is assigned through Group Policy.

13. Close Control Panel.

Result: At the end of this exercise, you will have successfully deployed an assigned software package using Group Policy.

Lab D: Configuring Group Policy Preferences

Exercise 1: Configure Group Policy Preferences

Task 1: Add a shortcut to Notepad on the desktop of NYC-DC1

1. On NYC-DC1, in the Group Policy Management console pane, right-click Default Domain Policy, and then click Edit.

2. In the Group Policy Management Editor console pane, under Computer Configuration, expand Preferences, expand Windows Settings, right-click Shortcuts, point to New, and then click Shortcut.

3. In the New Shortcut Properties dialog box, in the Action list, click Create.

4. In the Name field, type Notepad.

5. In the Location list, click All Users Desktop.

6. In the Target path field, type C:\Windows\System32\Notepad.exe.

7. On the Common tab, select the Item-level targeting check box, and then click Targeting.

8. In the Targeting Editor dialog box, on the New Item menu, click Computer Name.

9. In the Computer name field, type NYC-DC1, and then click OK twice.

Task 2: Create a new folder named Reports on the C: drive of all computers running Windows Server 2008

1. In the Group Policy Management Editor console pane, under Windows Settings, right-click Folders, point to New, and then click Folder.

2. In the New Folder Properties dialog box, in the Action list, click Create.

3. In the Path field, type C:\Reports.

4. On the Common tab, select the Item-level targeting check box, and then click Targeting.

5. In the Targeting Editor dialog box, on the New Item menu, click Operating System.

6. In the Product list, click Windows Server 2008, and then click OK twice.

Task 3: Configure drive mapping

1. In the Group Policy Management Editor console pane, under User Configuration, expand Preferences, expand Windows Settings, and then click Drive Maps.

2. Right-click Drive Maps, point to New, and then click Mapped Drive.

3. In the New Drive Properties dialog box, in the Action list, click Create.

4. In the Location field, type \\NYC-DC1\Data.

5. Select the Reconnect check box.

6. In the Label as field, type Data.

7. In the Drive Letter list, click P.

8. Review the remaining configuration options, and then click OK.

9. Close Group Policy Management Editor.

Task 4: Remove old Logon Script GPO

1. In the Group Policy Management console pane, under WoodgroveBank.com, right-click Logon Script, and then click Delete.

2. In the Group Policy Management dialog box, review the message and then click OK.

Note: You aren’t actually deleting the GPO, just the link to it in the domain.

3. Close Group Policy Management.

Exercise 2: Verify Group Policy Preferences Application

Task 1: Verify that the preferences have been applied

1. On NYC-DC1, log off, and then log back on as WOODGROVEBANK\Administrator using the password of Pa$$w0rd.

2. Click Start, and then click Computer.

3. In the Computer window, verify that the P: drive is mapped to the Data share on NYC-DC1.

4. Browse to C: and then verify that the Reports folder exists.

Note: It may take a few moments for this folder to appear.

5. Close Windows Explorer.

Note: To apply Group Policy preferences to Windows Vista computers, you must download and install Group Policy Preference Client Side Extensions for Windows Vista (KB943729).

Task 2: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

Result: At the end of this exercise, you will have configured and tested Group Policy Preferences and verified their application.

Lab E: Troubleshooting Group Policy Issues

Exercise 1: Troubleshoot Group Policy Scripts

Task 1: Start the 6419A-NYC-DC1 virtual machine and log on as WOODGROVEBANK\Administrator

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator using the password Pa$$w0rd.

Task 2: Create and link a domain Desktop policy

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the Group Policy Management console pane, expand Forest:WoodgroveBank.com, and then expand Domains.

3. Right-click WoodgroveBank.com, and then click Create a GPO in this domain, and Link it here.

4. In the New GPO dialog box, in the Name field, type Desktop, and then click OK.

5. Expand WoodgroveBank.com, expand Group Policy Objects, right-click Desktop, and then click Edit.

6. In the Group Policy Management Editor console pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Logon.

7. In the details pane, double-click Always wait for the network at computer startup and logon.

8. In the Always wait for the network at computer startup and logon Properties dialog box, click Enabled, and then click OK.

9. In the console pane, under Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.

10. In the details pane, double-click Windows Firewall: Allow inbound remote administration exception.

11. In the Windows Firewall: Allow inbound remote administration exceptions Properties dialog box, click Enabled, and then click OK.

12. In the console pane, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and then click URLs.

13. In the details pane, double-click Important URLs.

14. In the Important URLs dialog box, select the Customize Home page URL check box, type http://WoodgroveBank.com, and then click OK.

15. In the console pane, expand Administrative Templates, and then click Start Menu and Taskbar.

16. In the details pane, double-click Force classic Start Menu.

17. In the Force classic Start Menu Properties dialog box, click Enabled, and then click OK.

18. Close Group Policy Management Editor.

Task 3: Restore the Lab7A GPO

1. In the Group Policy Management console pane, right-click Group Policy Objects, and then click Manage Backups.

2. In the Manage Backups dialog box, in the Backup location field, if not already present, type E:\Mod07\Labfiles\GPOBackup, and then press ENTER.

3. Click the Lab 7A GPO, and then click Restore.

4. Click OK twice, and then click Close.

Task 4: Link the Lab7A GPO to the domain

1. In the Group Policy Management console pane, right-click WoodgroveBank.com, and then click Link an Existing GPO.

2. In the Select GPO dialog box, click Lab 7A, and then click OK.

Task 5: Start NYC-CL1 and log on as WOODGROVEBANK\Administrator

1. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.

2. Log on to NYC-CL1 as WOODGROVEBANK\Administrator using the password Pa$$w0rd.

3. Click Start and then click Control Panel.

4. The Control Panel window opens.

5. Click Security.

6. Under Windows Firewall, click Turn Windows Firewall on or off.

7. The Windows Firewall Settings dialog box appears.

8. Click Off (not recommended) and then click OK.

9. Close Control Panel.

Task 6: Test the GPO

Note: The changes you are looking for below may not appear until the second logon.

1. On NYC-CL1, click Start, and then verify you see the classic Start menu.

2. On the desktop, double-click Internet Explorer.

3. In the Windows Internet Explorer window, click the Home button. After a moment the WoodgroveBank.com IIS7 home page will load.

4. Close Internet Explorer.

5. On the desktop, double-click Computer.

6. In the Computer window, verify that the K: drive is mapped to the Data share on NYC-DC1.

7. Log off, and then log back on as WOODGROVEBANK\Roya using the password Pa$$w0rd.

8. Click Start, and then verify you see the classic Start menu.

9. On the desktop, double-click Internet Explorer.

10. In the Windows Internet Explorer window, click the Home button. After a moment the WoodgroveBank.com IIS7 home page will load.

11. Close Windows Internet Explorer.

12. On the desktop, double-click Computer.

13. In the Computer window, notice that the J: drive is not correctly mapped to the Data share on NYC-DC1.

14. Log off NYC-CL1.

Task 7: Troubleshoot the GPO

1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Results, and then click Group Policy Results Wizard.

2. In the Group Policy Results Wizard, click Next.

3. On the Computer Selection page, click Another computer, type NYC-CL1, and then click Next.

4. On the User Selection page, click WOODGROVEBANK\Roya, and then click Next.

5. On the Summary of Selections page, click Next, and then click Finish.

6. In the details pane, under User Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice that the settings for both the Desktop GPO and the Lab 7A GPO were applied successfully.

7. Click the Settings tab.

8. Under User Configuration, under Windows Settings, click Scripts, and then expand Logon. Notice that the Lab 7A GPO was applied correctly.

9. On NYC-CL1, log on as WOODGROVEBANK\Roya with a password of Pa$$w0rd.

10. To test Roya’s permission to the scripts location, click Start, click Run, type \\NYC-DC1\Scripts, and then press ENTER.

11. In the Network Error dialog box, click Cancel.

12. Log off NYC-CL1.

Note: If time permits, you can view the Group Policy operational log as Administrator on NYC-CL1. If you filter the view to show events that Roya generates, you would see that the log does not detect any errors or warnings for this user. This is because the GPO only sets a registry value that defines the location of the scripts folder. Group Policy is unaware if the user has access to the location. The write to the registry was successful. Therefore, the Group Policy log does not see any errors. You would have to audit Object Access for the scripts folder to determine access issues.
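The Object Access auditing mentioned in the note can be set up as follows. This is an added example, not part of the workbook: it enables failure auditing, places an audit entry on the lab's scripts folder, and then searches the Security log for denied attempts. It assumes an elevated PowerShell 2.0 session on NYC-DC1; the function name is hypothetical.

```powershell
# Added example (not from the workbook). Run elevated on NYC-DC1.
$folder = 'E:\Mod07\Labfiles\Scripts'     # scripts folder used in this lab

# 1. Enable failure auditing for the Object Access subcategories that cover
#    files and shares. File Share is included because the lab's fix is made
#    through the folder's sharing dialog.
auditpol /set /subcategory:"File System" /failure:enable | Out-Null
auditpol /set /subcategory:"File Share"  /failure:enable | Out-Null

# 2. Add an audit (SACL) entry so that failed read attempts on the folder,
#    its subfolders and its files are written to the Security log.
$ruleArgs = @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AuditFlags]'Failure'
)
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. After the user has logged on again and the logon script has failed,
#    list audit-failure events that mention both the user and the folder.
function Get-ScriptAccessFailure {
    param(
        [string]$User      = 'Roya',
        [string]$PathMatch = 'Scripts',
        [datetime]$Since   = (Get-Date).AddHours(-1)
    )
    $filter = @{
        LogName   = 'Security'
        Keywords  = 4503599627370496      # 0x10000000000000 = Audit Failure
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $User -and $_.Message -match $PathMatch } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-ScriptAccessFailure
```

An empty result together with a clean Group Policy operational log means the denial was not audited, not that access succeeded; confirm with auditpol /get /category:"Object Access" that the policy change took effect.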

Task 8: Resolve the issue and test the resolution

1. On NYC-DC1, click Start, and then click Computer.

2. In the Computer window, browse to E:\Mod07\Labfiles\Scripts.

3. Right-click Scripts, and then click Share.

4. In the File Sharing dialog box, click Change sharing permissions.

5. Type Authenticated Users, and then click Add.

6. Click Share, and then click Done.

7. Close Windows Explorer.

8. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.

9. On the desktop, double-click Computer.

10. In the Computer window, verify that the J: drive is mapped to the Data share on NYC-DC1.

11. Log off NYC-CL1.

Note: Another way to resolve the issue would be to move the script to the Netlogon share. Alternatively, to eliminate the need for such a logon script altogether, you could configure a Group Policy Preference.

Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.

Exercise 2: Troubleshoot GPO Lab-7B

Task 1: Restore the Lab7B GPO

1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and then click Manage Backups.

2. In the Manage Backups dialog box, click Lab 7B, and then click Restore.

3. Click OK twice, and then click Close.

Task 2: Link the Lab7B GPO to the Miami OU

1. In the Group Policy Management console pane, right-click Miami, and then click Link an Existing GPO.

2. In the Select GPO dialog box, click Lab 7B, and then click OK.

Task 3: Test the GPO

1. On NYC-CL1, log on as WOODGROVEBANK\Rich using the password Pa$$w0rd.

Note: Rich is a member of the Miami OU.

2. Click Start, and then verify you see the classic Start menu.

3. On the desktop, double-click Internet Explorer.

4. In the Internet Explorer window, click the Home button. After a moment the WoodgroveBank.com IIS7 home page will load.

5. Close Internet Explorer.

6. On the desktop, double-click Computer.

7. In the Computer window, verify that the K: drive is mapped to the Data share on NYC-DC1.

8. Notice that the Control Panel does not appear on the desktop or Start menu. This is a setting from the Lab 7B GPO that was applied to the Miami OU.

9. Log off NYC-CL1, and then log back on as WOODGROVEBANK\Roya using the password Pa$$w0rd.

10. Notice that even though the GPO should prevent it, the Control Panel is still present on the desktop and Start menu.

11. Log off NYC-CL1.

Task 4: Troubleshoot the GPO

1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Results, and then click Group Policy Results Wizard.

2. In the Group Policy Results Wizard, click Next.

3. On the Computer Selection screen, click Another computer, type NYC-CL1, and then click Next.

4. On the User Selection screen, click WOODGROVEBANK\Rich, and then click Next.

5. On the Summary of Selections screen, click Next, and then click Finish.

6. In the details pane, on the Summary tab, under User Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice the Lab 7B GPO was applied.

7. On the Settings tab, under User Configuration, click Administrative Templates, and then click Control Panel. Notice that the policy setting to prohibit access to the Control Panel is enabled.

8. In the console pane, right-click Roya on NYC-CL1, and then click Rerun Query.

9. Click Roya on NYC-CL1.

10. In the details pane, on the Summary tab, under User Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice that the Lab 7B GPO has not been applied.

11. Click Denied GPOs. Notice that the Lab 7B GPO is listed among the denied GPOs.

Task 5: Resolve the issue and test the resolution

1. In the Group Policy Management console pane, under Group Policy Objects, click Lab 7B.

2. In the details pane, click the Delegation tab, and then click Advanced.

3. In the Lab 7B Security Settings dialog box, click the MIA_BranchManagersGG.

4. Under Permissions for MIA_BranchManagerGG, notice that the Apply group policy setting is set to Deny.

5. Click Remove to remove the Miami_BranchManagersGG from the permission list, and then click OK.

6. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.

7. Notice that the Control Panel now correctly does not appear on the desktop or Start menu.

8. Log off NYC-CL1.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.
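
Why Group Policy Results lists Lab 7B under Denied GPOs for Roya but under Applied GPOs for Rich, as an added Python sketch that is not part of the workbook: a GPO is processed for a user only when the user's token is allowed both Read and Apply group policy on it, and a Deny entry for any group in the token overrides an Allow. The group memberships and the Authenticated Users entries are constructed assumptions; only the Deny entry for MIA_BranchManagersGG comes from the lab.

```python
from dataclasses import dataclass

READ = "Read"
APPLY = "Apply group policy"


@dataclass(frozen=True)
class Ace:
    trustee: str   # user or group the entry names
    right: str     # READ or APPLY
    allow: bool    # False means a Deny entry


def evaluate_filtering(acl, token):
    """Decide whether a GPO is processed for a principal.

    acl   -- list of Ace entries, as shown in the GPO's Delegation > Advanced dialog
    token -- set of names the principal carries (itself plus its groups)
    Returns (applied, reason). Deny is checked before Allow, which mirrors
    the canonical ACE ordering Windows uses.
    """
    for right in (READ, APPLY):
        matching = [ace for ace in acl if ace.right == right and ace.trustee in token]
        denied_by = [ace.trustee for ace in matching if not ace.allow]
        if denied_by:
            return False, f"{right} denied via {denied_by[0]}"
        if not any(ace.allow for ace in matching):
            return False, f"{right} not granted to any group in the token"
    return True, "applied"


# Constructed sample data. Default GPO permissions give Authenticated Users
# Read and Apply group policy; the Deny entry is the one the lab finds.
LAB_7B_ACL = [
    Ace("Authenticated Users", READ, True),
    Ace("Authenticated Users", APPLY, True),
    Ace("MIA_BranchManagersGG", APPLY, False),
]
# Assumed memberships: the lab implies Roya is in the group and Rich is not.
ROYA = {"Roya", "Authenticated Users", "MIA_BranchManagersGG"}
RICH = {"Rich", "Authenticated Users"}


def lab_7b_report(acl):
    """Return {user: (applied, reason)} for the two lab accounts."""
    return {name: evaluate_filtering(acl, token)
            for name, token in (("Roya", ROYA), ("Rich", RICH))}


def remove_trustee(acl, trustee):
    """Task 5 fix: drop every entry for the trustee, as Remove does in the dialog."""
    return [ace for ace in acl if ace.trustee != trustee]


if __name__ == "__main__":
    fixed = remove_trustee(LAB_7B_ACL, "MIA_BranchManagersGG")
    for label, acl in (("before fix", LAB_7B_ACL), ("after fix", fixed)):
        for user, (applied, reason) in lab_7b_report(acl).items():
            print(f"{label}: Lab 7B for {user}: {reason}")
```

Removing the group from the list is what the lab does; clearing only the Deny check box for Apply group policy would give the same result in this model.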

Exercise 3: Troubleshoot GPO Lab-7C

Task 1: Restore the Lab7C GPO

1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and then click Manage Backups.

2. In the Manage Backups dialog box, click Lab 7C, and then click Restore.

3. Click OK twice, and then click Close.

Task 2: Link the Lab7C GPO to the Miami OU

1. In the Group Policy Management console pane, right-click Miami, and then click Link an Existing GPO.

2. In the Select GPO dialog box, click Lab 7C, and then click OK.

Task 3: Test the GPO

1. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.

2. Click Start, and then notice the presence of the Run command. It is not supposed to be there.

3. Log off NYC-CL1.

Task 4: Troubleshoot the GPO

1. On NYC-DC1, in the Group Policy Management console pane, right-click Roya on NYC-CL1, and then click Rerun Query.

2. Click Roya on NYC-CL1.

3. In the details pane, on the Summary tab, under User Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice that the Lab 7C GPO is being applied.

4. On the Settings tab, under User Configuration, click Administrative Templates, and then click Start Menu and Taskbar. Notice that the Add the Run command to the Start Menu setting is enabled.

Task 5: Resolve the issue and test the resolution

1. In the Group Policy Management console pane, under Group Policy Objects, right-click Lab 7C, and then click Edit.

2. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, and then click Start Menu and Taskbar.

3. In the details pane, double-click Add the Run command to the Start Menu.

4. In the Add the Run command to the Start Menu Properties dialog box, click Not Configured, and then click OK.

5. Double-click Remove Run menu from the Start Menu.

6. In the Remove Run menu from Start Menu Properties dialog box, click Enabled, and then click OK.

7. Close Group Policy Object Editor.

8. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.

9. Click Start, and then notice that the Run command is no longer present.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Exercise 4: Troubleshoot GPO Lab-7D

Task 1: Create a new OU named Loopback

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the Active Directory Users and Computers console pane, right-click WoodgroveBank.com, point to New and then click Organizational Unit.

3. In the New Object – Organizational Unit dialog box, type Loopback, and then click OK.

Task 2: Restore the Lab7D GPO

1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and then click Manage Backups.

2. In the Manage Backups dialog box, click Lab 7D, and then click Restore.

3. Click OK twice, and then click Close.

Task 3: Link the Lab7D GPO to the Loopback OU

1. In the Group Policy Management console pane, right-click Group Policy Management, and then click Refresh.

2. Right-click Loopback, and then click Link an Existing GPO.

3. In the Select GPO dialog box, click Lab 7D, and then click OK.

Task 4: Move NYC-CL1 to the Loopback OU

1. In the Active Directory Users and Computers console pane, expand WoodgroveBank.com, and then click Computers.

2. In the details pane, right-click NYC-CL1, and then click Move.

3. In the Move dialog box, click Loopback, and then click OK.

4. Close Active Directory Users and Computers.

Task 5: Test the GPO

1. On NYC-CL1, restart the computer.

2. When the computer restarts, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.

3. Click Start and notice that the Run command is present once again.

4. Notice that Control Panel is present on the desktop and Start menu. These changes are not intentional.

5. On the desktop, double-click Internet Explorer. Notice that nothing happens, and Internet Explorer does not launch.

Task 6: Troubleshoot the GPO

1. On NYC-DC1, in the Group Policy Management console pane, right-click Roya on NYC-CL1, and then click Rerun Query.

2. In the details pane, on the Summary tab, under Computer Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice that the Lab 7D GPO has been applied.

3. On the Settings tab, under Computer Configuration, click Administrative Templates, and then click System/Group Policy. Notice that loopback processing mode is enabled.

Note: Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

Task 7: Resolve the issue and test the resolution

1. In the Group Policy Management console pane, expand the Loopback OU, right-click Lab 7D, and then click Link Enabled to clear the check mark.

Note: Another alternative would be to disable loopback processing in the GPO itself, especially if there were other settings in the GPO that you did wish to have applied.

2. Close Group Policy Management.

3. On NYC-CL1, restart the computer.

4. When the computer restarts, log on as WOODGROVEBANK\Roya using the password Pa$$w0rd.

5. Click Start and notice that the Run command is no longer present.

6. Notice that Control Panel is again absent from the desktop and Start menu.

7. On the desktop, double-click Internet Explorer. Notice that Internet Explorer again opens properly.

Task 8: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.
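
The loopback behaviour described in the note in Task 6, and why unlinking Lab 7D restores Roya's restrictions, as an added Python model that is not part of the workbook. It assumes Roya's account is in the Miami OU with Lab 7B and Lab 7C linked there, that Lab 7D uses Replace mode (consistent with the symptoms in Task 5), and it uses a placeholder name for the Lab 7D user setting that stops Internet Explorer; it also covers Merge mode, which the lab does not exercise.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Gpo:
    name: str
    user_settings: dict = field(default_factory=dict)
    loopback: Optional[str] = None   # Computer Configuration: "Replace", "Merge" or None


@dataclass
class Link:
    gpo: Gpo
    enabled: bool = True


def gpos_in_scope(links, path):
    """GPOs with enabled links along a container path, lowest precedence first."""
    return [link.gpo for container in path
            for link in links.get(container, []) if link.enabled]


def resultant_user_policy(links, user_path, computer_path):
    """Return (loopback_mode, gpo_names, settings) for a user logging on to a computer.

    Security filtering and link order inside one container are left out.
    """
    computer_gpos = gpos_in_scope(links, computer_path)
    mode = None
    for gpo in computer_gpos:            # a later GPO overrides an earlier one
        if gpo.loopback:
            mode = gpo.loopback
    user_gpos = gpos_in_scope(links, user_path)
    if mode == "Replace":                # only the computer's location counts
        order = computer_gpos
    elif mode == "Merge":                # user's GPOs first, computer's applied on top
        order = user_gpos + computer_gpos
    else:                                # normal processing: the user's location
        order = user_gpos
    settings = {}
    for gpo in order:                    # last writer wins
        settings.update(gpo.user_settings)
    return mode, [gpo.name for gpo in order], settings


def build_lab(link_7d_enabled=True, mode="Replace"):
    """Constructed model of the lab's OUs and links (assumptions in the lead-in)."""
    lab_7b = Gpo("Lab 7B", {"Prohibit access to the Control Panel": "Enabled"})
    lab_7c = Gpo("Lab 7C", {"Remove Run menu from Start Menu": "Enabled"})
    lab_7d = Gpo("Lab 7D",
                 {"<Lab 7D setting that blocks Internet Explorer>": "Enabled"},
                 loopback=mode)
    return {
        "WoodgroveBank.com": [Link(Gpo("Default Domain Policy"))],
        "Miami": [Link(lab_7b), Link(lab_7c)],
        "Loopback": [Link(lab_7d, enabled=link_7d_enabled)],
    }


ROYA_PATH = ["WoodgroveBank.com", "Miami"]         # assumed location of the user object
NYC_CL1_PATH = ["WoodgroveBank.com", "Loopback"]   # after Task 4


def roya_on_nyc_cl1(**lab_options):
    """Resultant user policy for Roya logging on to NYC-CL1."""
    return resultant_user_policy(build_lab(**lab_options), ROYA_PATH, NYC_CL1_PATH)


if __name__ == "__main__":
    for label, options in (("Lab 7D linked", {}),
                           ("Lab 7D link disabled", {"link_7d_enabled": False}),
                           ("Lab 7D in Merge mode", {"mode": "Merge"})):
        mode, names, settings = roya_on_nyc_cl1(**options)
        print(f"{label}: loopback={mode}, GPOs={names}, settings={sorted(settings)}")
```

In Replace mode none of the Miami restrictions reach Roya's session, which is why a loopback GPO linked to an OU of computers should be reviewed for the user-side lockdown it silently removes.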

Module 8: Implementing Security Using Group Policy

Lab A: Implementing Security Using Group Policy

Exercise 1: Configuring Account and Security Policy Settings

Task 1: Start the virtual machines, and then log on

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

3. Minimize the Lab Launcher window.

Task 2: Create an account policy for the domain

1. Click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the Group Policy Management console pane, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.

3. In the details pane, right-click Default Domain Policy, and then click Edit.

4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policy.

5. In the details pane, double-click Minimum password length.

6. In the Minimum password length Properties dialog box, in the Password must be at least field, type 8, and then click OK.

7. Double-click Minimum password age.

8. In the Minimum password age Properties dialog box, in the Password can be changed after field, type 19, and then click OK.

9. Double-click Maximum password age.

10. In the Maximum password age Properties dialog box, in the Password will expire in field, type 20, and then click OK.

11. In the console pane, click Account Lockout Policy.

12. In the details pane, double-click Account lockout threshold.

13. In the Account lockout threshold Properties dialog box, under Account will not lock out, type 5, and then click OK.

14. In the Suggested Value Changes dialog box, click OK to accept the values of 30 minutes.

15. Close Group Policy Management Editor.

Task 3: Configure local policy settings for a Windows Vista client

1. Start NYC-CL1 and log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.

2. Click Start, type MMC, and then press ENTER.

3. In the Console1 window, on the File menu, click Add/Remove Snap-in.

4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, click Add, click Finish and then click OK.

5. In the console pane, expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

6. In the details pane, double-click Accounts: Administrator account status.

7. In the Accounts: Administrator account status Properties dialog box, click Enabled, and then click OK.

8. On the File menu, click Add/Remove Snap-in.

9. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, click Add, and then click Browse.

10. In the Browse for a Group Policy Object dialog box, click the Users tab.

11. Click Non-Administrators, click OK, click Finish, and then click OK.

12. In the console pane, expand Local Computer\Non-Administrators Policy, expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.

13. In the details pane, double-click Remove Run menu from Start Menu.

14. In the Remove Run menu from Start Menu Properties dialog box, click Enabled, and then click OK.

15. Close the MMC window and do not save changes.

16. Restart NYC-CL1.

Task 4: Create a wireless network GPO for Windows Vista clients

1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and then click New.

2. In the New GPO dialog box, in the Name field, type Vista Wireless, and then click OK.

3. In the details pane, right-click Vista Wireless, and then click Edit.

4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings.

5. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create A New Windows Vista Policy.

6. In the New Vista Wireless Network Policy Properties dialog box, click Add, and then click Infrastructure.

7. In the New Profiles properties dialog box, in the Profile Name field, type Corporate.

8. In the Network Name(s) (SSID) field, type Corp, and then click Add.

9. On the Security tab, in the Authentication list, click Open with 802.1X, and then click OK.

10. On the Network Permissions tab, click Add.

11. In the New Permission Entry dialog box, in the Network Name (SSID): field, type Research, verify that Permission is set to Deny, and then click OK twice.

12. Close Group Policy Management Editor.

13. In the Group Policy Management console pane, right-click WoodgroveBank.com, and then click Link an Existing GPO.

14. In the Select GPO dialog box, click Vista Wireless, and then click OK.

Task 5: Configure a policy that prohibits a service on all domain controllers

1. In the Group Policy Management console pane, expand Group Policy Objects, right-click Default Domain Controllers Policy, and then click Edit.

2. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click System Services.

3. In the details pane, double-click Windows Installer.

4. In the Windows Installer Properties dialog box, select the Define this policy setting check box, verify that Disabled is selected, and then click OK.

5. Close Group Policy Management Editor.

Result: At the end of this exercise you will have configured account and security policy settings.

Exercise 2: Implementing Fine-Grained Password Policies

Task 1: Create a PSO using ADSI Edit

1. On NYC-DC1, click Start, type adsiedit.msc, and then press ENTER.

2. In the ADSI Edit window, in the console pane, right-click ADSI Edit, and then click Connect to.

3. In the Connection Settings dialog box, click OK.

4. In the console pane, expand Default naming context [NYC-DC1.WoodgroveBank.com], expand DC=WoodgroveBank, DC=com, expand CN=System, right-click CN=Password Settings Container, point to New, and then click Object.

5. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next.

6. On the Attribute: cn page, in the Value field, type ITAdmin, and then click Next.

7. On the Attribute: msDS-PasswordSettingsPrecedence page, in the Value field, type 10, and then click Next.

8. On the Attribute: msDS-PasswordReversibleEncryptionEnabled page, in the Value field, type false, and then click Next.

9. On the Attribute: msDS-PasswordHistoryLength page, in the Value field, type 30, and then click Next.

10. On the Attribute: msDS-PasswordComplexityEnabled page, in the Value field, type true, and then click Next.

11. On the Attribute: msDS-MinimumPasswordLength page, in the Value field, type 10, and then click Next.

12. On the Attribute: msDS-MinimumPasswordAge page, in the Value field, type -5184000000000, and then click Next.

Note: PSO values are time-based values entered using the integer8 format. Integer8 is a 64-bit number that represents the amount of time, in 100-nanosecond intervals, that has passed since 12:00 AM January 1, 1601.

13. On the Attribute: msDS-MaximumPasswordAge page, in the Value field, type -6040000000000, and then click Next.

14. On the Attribute: msDS-LockoutThreshold page, in the Value field, type 3, and then click Next.

15. On the Attribute: msDS-LockoutObservationWindow page, in the Value field, type -18000000000, and then click Next.

16. On the Attribute: msDS-LockoutDuration page, in the Value field, type -18000000000, click Next, and then click Finish.

17. Close the ADSI Edit.
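
Decoding the interval values typed in steps 12 to 16, as an added Python example that is not part of the workbook: each value is a negative count of 100-nanosecond intervals, so it can be converted to and from days, hours and minutes and sanity-checked before it is entered in ADSI Edit. The two consistency rules in `check_pso` (minimum age shorter than maximum age, observation window no longer than lockout duration) are the usual account-policy constraints and are stated here as assumptions rather than taken from the lab text.

```python
TICKS_PER_SECOND = 10_000_000   # one tick is 100 nanoseconds


def to_interval(days=0, hours=0, minutes=0, seconds=0):
    """Encode a duration as the negative tick count typed into ADSI Edit."""
    total_seconds = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return -total_seconds * TICKS_PER_SECOND


def from_interval(value):
    """Decode a PSO interval into (days, hours, minutes, seconds)."""
    if value > 0:
        raise ValueError("PSO intervals are entered as negative numbers")
    total_seconds, remainder = divmod(-value, TICKS_PER_SECOND)
    if remainder:
        raise ValueError("not a whole number of seconds")
    minutes, seconds = divmod(total_seconds, 60)
    hours, minutes = divmod(minutes, 60)
    days, hours = divmod(hours, 24)
    return days, hours, minutes, seconds


def describe(value):
    """Human-readable form of an interval, for example '6d 00:00:00'."""
    days, hours, minutes, seconds = from_interval(value)
    return f"{days}d {hours:02}:{minutes:02}:{seconds:02}"


# Values exactly as typed in the lab steps.
LAB_PSO = {
    "msDS-MinimumPasswordAge": -5184000000000,
    "msDS-MaximumPasswordAge": -6040000000000,
    "msDS-LockoutObservationWindow": -18000000000,
    "msDS-LockoutDuration": -18000000000,
}


def check_pso(attrs):
    """Return a list of problems found in a PSO's four interval attributes."""
    problems = []
    for name, value in attrs.items():
        try:
            from_interval(value)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    if problems:
        return problems
    # With negative numbers, a longer duration is a smaller (more negative) value.
    if attrs["msDS-MinimumPasswordAge"] <= attrs["msDS-MaximumPasswordAge"]:
        problems.append("minimum password age must be shorter than maximum password age")
    if attrs["msDS-LockoutObservationWindow"] < attrs["msDS-LockoutDuration"]:
        problems.append("observation window must not be longer than lockout duration")
    return problems


if __name__ == "__main__":
    for name, value in LAB_PSO.items():
        print(f"{name:32} {value:>16} = {describe(value)}")
    print("problems:", check_pso(LAB_PSO) or "none")
    print("7 days would be typed as", to_interval(days=7))
```

Run against the lab's values, this shows a 6-day minimum age, a maximum age of 6 days 23:46:40 and 30-minute lockout settings.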

Task 2: Assign the ITAdmin password policy to the IT Admins global group

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, on the View menu, click Advanced Features.

3. In the console pane, expand WoodgroveBank.com, expand System, and then click Password Settings Container.

4. In the details pane, right-click ITAdmin, and then click Properties.

5. In the ITAdmin Properties dialog box, on the Attribute Editor tab, scroll down, click msDS-PSOAppliesTo, and then click Edit.

6. In the Multi-valued Distinguished Name With Security Principal Editor dialog box, click Add Windows Account.

7. In the Select Users, Computers, or Groups dialog box, type ITAdmins_WoodgroveGG, and then click OK three times.

8. Close Active Directory Users and Computers.

Result: At the end of this exercise, you will have implemented fine-grained password policies.

Lab B: Configuring and Verifying Security Policies

Exercise 1: Configuring Restricted Groups and Software Restriction Policies

Task 1: Configure restricted groups for the local administrators group

1. On NYC-DC1, in the Group Policy Management console pane, right-click Default Domain Policy, and then click Edit.

2. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click Restricted Groups.

3. Right-click Restricted Groups and then click Add Group.

4. In the Add Group dialog box, type Administrators and then click OK.

5. In the Administrators Properties dialog box, next to Members of this group, click Add.

6. In the Add Member dialog box, type WOODGROVEBANK\ITAdmins_WoodgroveGG, and then click OK.

7. Next to Members of this group, click Add.

8. In the Add Member dialog box, type WOODGROVEBANK\Domain Admins, and then click OK twice.

9. Close Group Policy Management Editor.

Task 2: Prohibit Internet Explorer and VBS scripts from running on domain controllers

1. In the Group Policy Management details pane, right-click Default Domain Controllers Policy, and then click Edit.

2. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click Software Restriction Policies.

3. Right-click Software Restriction Policies, and then click New Software Restriction Policies.

4. In the details pane, right-click Additional Rules, and then click New Hash Rule.

5. In the New Hash Rule dialog box, click Browse.

6. In the Open dialog box, browse to C:\Program Files\Internet Explorer.

7. Click iexplore.exe, and then click Open.

8. Verify that the Security level is Disallowed, and then click OK.

9. Right-click Additional Rules, and then click New Path Rule.

10. In the New Path Rule dialog box, in the Path field, type *.vbs, and then click OK.

11. Close Group Policy Management Editor, and then close Group Policy Management.

Result: At the end of this exercise you will have configured restricted groups and software restriction policies.

Exercise 2: Configuring Security Templates

Task 1: Create a security template for the file and print servers

1. On NYC-DC1, click Start, type MMC, and then press ENTER.

2. In the Console1 window, on the File menu, click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, scroll down, click Security Templates, click Add, and then click OK.

4. In the console pane, expand Security Templates, right-click C:\Users\Administrator\Documents\Security\Templates, and then click New Template.

5. In the C:\Users\Administrator\Documents\Security\Templates dialog box, in the Template name field, type FPSecurity, and then click OK.

6. Expand C:\Users\Administrator\Documents\Security\Templates, expand FPSecurity, expand Local Policies, and then click Security Options.

7. In the details pane, double-click Accounts: Rename administrator account.

8. In the Accounts: Rename administrator account Properties dialog box, select the Define this policy setting in the template check box.

9. In the Define this policy setting in the template field, type FPAdmin, and then click OK.

10. In the details pane, double-click Interactive Logon: Do not display last user name.

11. In the Interactive logon: Do not display last user name Properties dialog box, select the Define this policy setting in the template check box, click Enabled, and then click OK.

12. In the console pane, right-click FPSecurity, and then click Save.

13. Close the MMC window and do not save changes.

Task 2: Start NYC-SVR1 and disable the Windows Firewall

1. Start NYC-SVR1. Log on as WOODGROVEBANK\Administrator, with the password Pa$$w0rd.

2. Click Start, and then click Control Panel.

3. In the Control Panel window, double-click Windows Firewall.

4. In the Windows Firewall window, click Change settings.

5. In the Windows Firewall Settings dialog box, click Off, and then click OK.

Note: This next step is performed to simplify the lab and is not a recommended practice.

6. Close Windows Firewall, and then close Control Panel.

Task 3: Run the Security Configuration Wizard and import the FPSecurity template

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Security Configuration Wizard.

2. On the Security Configuration Wizard dialog box, click Next.

3. On the Configuration Action page, click Next.

4. On the Select Server page, type NYC-SVR1.WoodgroveBank.com, and then click Next.

5. When the security configuration databases process completes, click Next.

6. On the Role-Based Service Configuration page, click Next.

7. On the Select Server Roles page, clear the DNS Server check box.

8. Verify that the File Server check box is selected.

9. Select the Print Server check box, and then click Next.

10. On the Select Client Features page, click Next.

11. On the Select Administration and Other Options page, click Next.

12. On the Select Additional Services page, click Next.

13. On the Handling Unspecified Services page, click Next.

14. On the Confirm Service Changes page, review the changes, and then click Next.

15. On the Network Security page, click Next.

16. On the Network Security Rules page, click Next.

17. On the Registry Settings page, click Next.

18. On the Require SMB Security Signatures page, click Next.

19. On the Outbound Authentication Methods page, click Next.

20. On the Outbound Authentication using Domain Accounts page, select the Clocks that are synchronized with the selected server’s clock check box, and then click Next.

21. On the Inbound Authentication Methods page, click Next.

22. On the Registry Settings Summary page, click Next.

23. On the Audit Policy page, click Next.

24. On the System Audit Policy page, click Next.

25. On the Audit Policy Summary page, click Next.

26. On the Save Security Policy page, click Next.

27. On the Security Policy File Name page, type FPPolicy at the end of the C:\Windows\security\msscw\Policies\ path, and then click Include Security Templates.

28. In the Include Security Templates dialog box, click Add.

29. In the Open dialog box, browse to C:\Users\Administrator\Documents\Security\Templates.

30. Click FPSecurity.inf, and then click Open.

31. Click OK, and then click Next.

32. On the Apply Security Policy page, click Apply now, and then click Next.

33. When the security policy application process completes, click Next, and then click Finish.

Task 4: Transform the FPPolicy into a GPO

1. On NYC-DC1, click Start and then click the Command Prompt.

2. At the command prompt, type scwcmd transform /p:C:\Windows\security\msscw\Policies\FPpolicy.xml /g:FileServerSecurity, and then press ENTER.

3. When the process completes, type exit and then press ENTER.

4. Click Start, point to Administrative Tools, and then click Group Policy Management.

5. In the Group Policy Management console pane, expand Group Policy Objects.

6. Click FileServerSecurity, and then in the details pane, click the Settings tab.

7. In the details pane, click show all and review the Group Policy settings.

8. Close Group Policy Management.

Result: At the end of this exercise you will have configured security templates.

Exercise 3: Verifying the Security Configuration

Task 1: Log on as the Local Administrator of the Windows Vista computer and check the membership of the local administrators group

1. Log on to NYC-CL1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

2. Click Start, type GPupdate /force, and then press ENTER.

3. When this process completes, click Start, point to All Programs, point to Accessories, and verify that the Run menu appears.

4. Click Start, and then click Control Panel.

5. In the Control Panel window, click User Accounts, and then click User Accounts again.

6. Click Manage User Accounts.

7. In the User Accounts dialog box, on the Advanced tab, click Advanced.

8. In the Local Users and Groups window, in the console pane, click Groups.

9. In the details pane, double-click Administrators. Verify that the Domain Admins and the ITAdmins global groups are present.

10. Click Cancel and close all windows.

11. Log off NYC-CL1.

Task 2: Log on to the Windows Vista computer as an ordinary user, and test the policy

1. Log on to NYC-CL1 as WOODGROVEBANK\Roya, with a password of Pa$$w0rd.

2. Click Start, point to All Programs, and then click Accessories. Ensure that the Run menu does not appear.

3. Press Right-ALT+DELETE, and then click Change a password.

4. In the Old Password field, type Pa$$w0rd.

5. In the New Password and Confirm password fields, type w0rdPa$$, and then press ENTER. You will not be able to update the password because the minimum password age has not expired.

6. In the Old Password field, type Pa$$w0rd.

7. In the New Password and Confirm password fields, type pa, and then press ENTER. You will not be able to update the password because the minimum password length has not been met.

8. Click Cancel.

Task 3: Log on to the domain controller as the domain administrator, and test software restrictions and services

1. On NYC-DC1, click Start, type GPUpdate /force, and then press ENTER.

2. Click Start, then point to All Programs, and then click Internet Explorer.

3. Review the error message, and then click OK.

Note: This error message may not appear until the second logon.

4. Click Start, and then click Computer.

5. In the Computer window, browse to E:\Mod08\LabFiles, and then double-click hello.vbs.

6. Click OK.

7. Review the error message, and then click OK.

8. Click Start, point to Administrative Tools, and then click Services.

9. In the Services window details pane, scroll down to the Windows Installer service, and verify that it is set to Disabled.

Task 4: Use Group Policy modeling to test the settings on the file and print server

1. Click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the Group Policy Management window console pane, right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.

3. In the Group Policy Modeling Wizard dialog box, click Next.

4. On the Domain Controller Selection page, click Next.

5. On the User and Computer Selection page, in the Computer information section, click Computer.

6. In the Computer field, type WOODGROVEBANK\NYC-SVR1, and then click Next.

7. On the Advanced Simulation Options page, click Next.

8. On the Alternate Active Directory Paths page, click Next.

9. On the Computer Security Groups page, click Next.

10. On the WMI Filters for Computers page, click Next.

11. On the Summary of Selections page, click Next.

12. When the process completes, click Finish.

13. In the details pane, click show all and review the Group Policy settings.

Task 5: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have verified the security configuration.

Module 9: Configuring Server Security Compliance

Lab: Manage Server Security

Exercise 1: Configuring Windows Software Update Services (WSUS)

Task 1: Start the virtual machines, and log on

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.

3. In the Lab Launcher, next to 6419A-NYC-CL2, click Launch.

4. Log on to each virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

5. Minimize the Lab Launcher window.

Task 2: Use the Group Policy Management Console to create and link a Group Policy Object (GPO) to the domain to configure client updates

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the console pane, expand Forest: WoodgroveBank.com, expand Domains, and then click WoodgroveBank.com.

3. Right-click WoodgroveBank.com, and then click Create a GPO in this domain, and Link it here.

4. In the New GPO dialog box, type WSUS, and then click OK.

5. In the details pane, right-click WSUS, and then click Edit.

6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.


7. In the details pane, double-click Configure Automatic Updates.

Note: the order of the settings below may be different and you may need to locate and open each one separately.

8. In the Configure Automatic Updates Properties dialog box, click Enabled, and then click Next Setting.

9. On the Specify intranet Microsoft update service location Properties dialog box, click Enabled.

10. In the Set the intranet update service for detecting updates field, type http://NYC-SVR1.

11. In the Set the intranet statistics server field, type http://NYC-SVR1, and then click Next Setting.

12. On the Automatic Updates detection frequency Properties dialog box, click Enabled, and then click OK.

13. Close Group Policy Management Editor, and then close Group Policy Management.

14. On NYC-CL2, click Start | All Programs | Accessories | Command Prompt.

15. In the Command Prompt, type GPUpdate /force, and then press ENTER.

16. Allow the GPUpdate command to complete.

17. Click Start, click the right-arrow button, and then click Restart.

18. Allow NYC-CL2 to restart.

19. Log on to NYC-CL2 virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
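To confirm that the WSUS GPO from Task 2 reached the client, the policy values it writes to the registry can be checked. This is an added example, not part of the courseware; the function names and the sample hashtable are constructed, and the registry value names are the standard Windows Update policy values, which the page itself does not list.

```powershell
# Added example, not part of the courseware. Checks the Windows Update policy
# values that the WSUS GPO from Task 2 should have written on the client.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-WsusPolicyValues {
    # Collects the values of both policy keys on the local computer.
    $values = @{}
    foreach ($key in @($WuKey, $AuKey)) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $values[$name] = $item.GetValue($name)
        }
    }
    return $values
}

function Test-WsusClientPolicy {
    param(
        [hashtable]$Policy,       # value name -> data (hypothetical input shape)
        [string]$ExpectedServer   # the URL typed into the GPO
    )
    $findings = @()
    $expected = $ExpectedServer.TrimEnd('/')

    foreach ($name in 'WUServer', 'WUStatusServer') {
        if (-not $Policy.ContainsKey($name)) {
            $findings += "MISSING  $name is not set"
        } elseif (([string]$Policy[$name]).TrimEnd('/') -ne $expected) {
            $findings += "MISMATCH $name is $($Policy[$name]), expected $expected"
        } elseif ($expected -like 'http://*') {
            $findings += "NOTE     $name uses plain HTTP, so update metadata is not encrypted in transit"
        }
    }

    # DWORD values and the data each must hold for the lab's three settings.
    $required = @{
        UseWUServer               = 1   # the client uses WUServer only when this is 1
        NoAutoUpdate              = 0   # 0 = Configure Automatic Updates is Enabled
        DetectionFrequencyEnabled = 1   # Automatic Updates detection frequency is Enabled
    }
    foreach ($name in ($required.Keys | Sort-Object)) {
        if (-not $Policy.ContainsKey($name)) {
            $findings += "MISSING  $name is not set"
        } elseif ([int]$Policy[$name] -ne $required[$name]) {
            $findings += "MISMATCH $name is $($Policy[$name]), expected $($required[$name])"
        }
    }
    if ($findings.Count -eq 0) { $findings += 'OK       all WSUS policy values match' }
    return $findings
}

# Constructed sample (not captured from a real client): the server URLs are
# present, but UseWUServer is absent and NoAutoUpdate is 1.
$sample = @{
    WUServer                  = 'http://NYC-SVR1'
    WUStatusServer            = 'http://NYC-SVR1'
    NoAutoUpdate              = 1
    DetectionFrequencyEnabled = 1
    DetectionFrequency        = 22
}
Test-WsusClientPolicy -Policy $sample -ExpectedServer 'http://NYC-SVR1'

# On NYC-CL2, after GPUpdate /force has completed:
# Test-WsusClientPolicy -Policy (Get-WsusPolicyValues) -ExpectedServer 'http://NYC-SVR1'
```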

Task 3: Use the WSUS administration tool to view WSUS properties

1. On NYC-SVR1, click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services 3.0 SP1.

2. In the Update Services window, in the console pane expand NYC-SVR1, and then click Options.

3. In the details pane, click Update Source and Proxy Server.


4. Review the options on both tabs, and then click Cancel.

5. In the details pane, click Products and Classifications.

6. Review the options for product support and update classifications, and then click Cancel.

7. In the details pane, click Update Files and Languages.

8. Review the options for downloading updates and support for languages, and then click Cancel.

9. In the details pane, click Synchronization Schedule.

10. Review the options for synchronizing content, and then click Cancel.

Task 4: Create a computer group, and add NYC-CL2 to the new group

1. In the console pane, expand Computers, and then click All Computers.

2. In the Actions pane, click Add Computer Group.

3. In the Add Computer Group dialog box, type HO Computers, and then click Add.

4. In the console pane, expand All Computers, and then click Unassigned Computers.

5. In the details pane, in the Status list, click Any, and then click Refresh.

6. Right-click nyc-cl2.woodgrovebank.com, and then click Change Membership.

7. In the Set Computer Group Membership dialog box, select the HO Computers check box, and then click OK.

Task 5: Approve an update for Windows Vista clients

1. In the console pane, expand Updates, and then click Security Updates.

2. In the details pane, in the Approval list, click Any Except Declined.

3. In the Status list, click Any, and then click Refresh.

Note: Notice all of the updates available.


4. In the details pane, click Title to sort the results by title.

5. Scroll down, right-click Security Update for Windows Vista (KB957095), and then click Approve.

6. In the Approve Updates dialog box, click the arrow next to All Computers, click Approved for Install, and then click OK.

7. On the Approval Progress page, when the process is complete, click Close.

8. In the details pane, right-click Security Update for Windows Vista (KB957097), and then click Approve.

9. In the Approve Updates dialog box, click the arrow next to All Computers, point to Deadline, and then click Custom.

10. In the Choose Deadline dialog box, in the Date field, type in yesterday’s date, and then click OK twice.

Note: Entering yesterday’s date will cause the update to be installed as soon as the client computers contact the server. Because these VMs use the Microsoft Lab Launcher environment, their date will not correspond with the actual date. This is by design. Take note of the VM’s configured date and enter a date one day before it.

11. In the Approval Progress dialog box, click Close.

Task 6: Install an update on the Windows Vista client

1. On NYC-CL2, click Start, type cmd, and then press ENTER.

2. At the Command Prompt, type GPUpdate /force, and then press ENTER.

Note: Wait for the policy to finish updating.

3. At the command prompt, type wuauclt /detectnow, and then press ENTER.

4. The Windows Update dialog box will appear notifying you that the update is being installed and the computer needs to restart. Click Restart now.

Note: It may take several minutes for the Windows Update dialog box to appear.


5. Log on to NYC-CL2 as WOODGROVEBANK\Administrator with the password of Pa$$w0rd.

6. Click Start, point to All Programs, and then click Windows Update.

7. In the Windows Update window, in the left pane, click View Update History.

8. On the Review your update history page, locate the Security Update for Windows Vista (KB957097).

Note: Due to the limitations of the lab environment, the KB957097 update is pre-loaded on the WSUS server to demonstrate the update process.

9. Close Windows Explorer.

Task 7: View WSUS reports

1. On NYC-SVR1, in the Update Services console pane, click Reports.

2. Review the various reports available in WSUS.

3. In the details pane, click Computer Detailed Status.

4. In the Computers Report for NYC-SVR1 window, click Run Report.

5. On the completed report, note how many updates are listed under nyc-cl2.woodgrovebank.com.

6. Close the Computers Report for NYC-SVR1 window.

7. Close Update Services.


Exercise 2: Configure Auditing

Task 1: Examine the current state of the audit policy

1. On NYC-DC1, click Start, and then click Command Prompt.

2. At the command prompt, type Auditpol.exe /get /category:*, press ENTER, and then examine the default audit policy settings.

3. Minimize the command prompt.

Task 2: Enable DS Access auditing on domain controllers

1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.

2. In the console pane, expand WoodgroveBank.com, expand Group Policy Objects, right-click the Default Domain Controllers Policy, and then click Edit.

3. In the Group Policy Management Editor console pane, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy. Notice that all policy settings are set to Not Defined.

4. Double-click Audit directory service access.

5. In the Audit directory service access Properties dialog box, select Define these policy settings.

6. Select both the Success and Failure check boxes, and then click OK.

7. Close the Group Policy Management Editor, and then close the Group Policy Management console.

8. Restore the Command Prompt, type Gpupdate and then press ENTER.

9. When the update completes, run the Auditpol.exe /get /category:* command again, and then examine the audit policy.

10. Close Command Prompt.


Task 3: Set the SACL for the domain

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. On the View menu, click Advanced Features.

3. In the console pane, right-click WoodgroveBank.com, and then click Properties.

4. In the WoodgroveBank.com Properties dialog box, click the Security tab.

5. Click Advanced.

6. On the Advanced Security Settings for WoodgroveBank dialog box, click the Auditing tab, and then click Add.

7. In the Select Users, Computers, and Groups dialog box, type Everyone, and then click OK.

8. In the Auditing Entry for WoodgroveBank dialog box, for Write all properties select the Successful and Failed check boxes.

9. Click OK three times.

Task 4: Test the policy

1. In the console tree, right-click Toronto, and then click Rename.

2. Type GTA, and then press ENTER.

3. Minimize Active Directory Users and Computers.

4. Click Start, and then click Server Manager.

5. In the Server Manager console pane, expand Diagnostics, expand Event Viewer, expand Windows Logs, and then click Security.

6. In the details pane, locate the event with the 4662 ID. Double-click the event, and then examine the event.

7. Close the Event Properties dialog box.

8. Minimize Server Manager.

9. Restore Active Directory Users and Computers.

10. In the console pane, click Users.

11. In the details pane, double-click Administrator.


12. In the Administrator Properties dialog box, click the Telephones tab.

13. In the Mobile field, type 555-555-5555, and then click OK.

14. Close Active Directory Users and Computers, and then restore Server Manager.

15. In the details pane, locate the newest 4662 event, and double-click to view details.

Note: You may have to wait a minute for the event to appear.

16. Close all open windows.
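The 4662 events that Task 4 reviews in Event Viewer can also be decoded from their XML form, which makes it easier to pick out the property writes that the SACL from Task 3 audits. This is an added example, not part of the courseware; the function name, the sample event and its GUIDs are constructed, and the field names are those of the standard 4662 event data.

```powershell
# Added example, not part of the courseware. Turns a 4662 event (as XML) into
# a readable record and decodes its access mask.

# Directory service access-right bits carried in the AccessMask field.
$DsAccessRights = @{
    0x1     = 'Create Child'
    0x2     = 'Delete Child'
    0x4     = 'List Contents'
    0x8     = 'Self Write'
    0x10    = 'Read Property'
    0x20    = 'Write Property'
    0x40    = 'Delete Tree'
    0x80    = 'List Object'
    0x100   = 'Control Access'
    0x10000 = 'Delete'
    0x20000 = 'Read Control'
    0x40000 = 'Write DAC'
    0x80000 = 'Write Owner'
}

function ConvertFrom-Event4662Xml {
    param([string]$EventXml)
    $evt  = [xml]$EventXml
    $data = @{}
    foreach ($d in $evt.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # AccessMask is logged as a hex string such as 0x20.
    $mask   = [Convert]::ToInt32($data['AccessMask'], 16)
    $rights = @()
    foreach ($bit in ($DsAccessRights.Keys | Sort-Object)) {
        if ($mask -band $bit) { $rights += $DsAccessRights[$bit] }
    }
    # The Properties field lists the GUIDs of the property sets and attributes touched.
    $guids = @([regex]::Matches([string]$data['Properties'], '\{[0-9a-fA-F-]{36}\}') |
               ForEach-Object { $_.Value })

    New-Object PSObject -Property @{
        Time       = $evt.Event.System.TimeCreated.SystemTime
        Subject    = $data['SubjectDomainName'] + '\' + $data['SubjectUserName']
        ObjectName = $data['ObjectName']
        ObjectType = $data['ObjectType']
        Rights     = $rights -join ', '
        IsWrite    = [bool]($mask -band 0x20)
        Properties = $guids -join ' '
    } | Select-Object Time, Subject, ObjectName, ObjectType, Rights, IsWrite, Properties
}

# Constructed sample event (placeholder GUIDs and timestamp, not a real capture).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4662</EventID>
    <TimeCreated SystemTime="2009-01-15T10:42:07.000Z" />
    <Computer>NYC-DC1.WoodgroveBank.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">WOODGROVEBANK</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{00000000-0000-0000-0000-0000000000a1}</Data>
    <Data Name="ObjectName">%{00000000-0000-0000-0000-0000000000b2}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="AccessMask">0x20</Data>
    <Data Name="Properties">{00000000-0000-0000-0000-0000000000c3}</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4662Xml -EventXml $sampleXml | Format-List

# On NYC-DC1, against the live Security log (run from an elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 50 |
#     ForEach-Object { ConvertFrom-Event4662Xml -EventXml $_.ToXml() } |
#     Where-Object { $_.IsWrite }
```

Because the lab's SACL audits Everyone for Write all properties on the whole domain, filtering on the Write Property bit and on the subject is what keeps the resulting log reviewable.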

Task 5: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6419A Lab Launcher.


Module 10: Configuring and Managing Storage Technologies

Lab A: Installing the FSRM Role Service

Exercise 1: Installing the File Server Resource Manager (FSRM) Role Service

Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.

3. Log on to both virtual machines as Woodgrovebank\Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Install the FSRM role service on NYC-SVR1

1. On NYC-SVR1, click Start, and then click Server Manager.

2. In the Server Manager console pane, expand Roles. Notice that the File Services role already has been installed.

3. Right-click File Services, and then click Add Role Services.

4. In the Select Role Services dialog box, select File Server Resource Manager, and then click Next.

5. On the Configure Storage Usage Monitoring page, select the Allfiles (E:) check box, and then click Next.


6. On the Set Report Options page, review the default options, and then click Next.

7. On the Confirm Installation Selections page, click Install.

8. When the installation is complete, click Close.

9. Close Server Manager.

Results: After this exercise, you should have successfully installed the FSRM role service on NYC-SVR1.


Lab B: Configuring Storage Quotas

Exercise 1: Configuring Storage Quotas

Task 1: Create a quota template

1. On NYC-SVR1, click Start, point to Administrative Tools, and then click File Server Resource Manager.

2. In the File Server Resource Manager console pane, expand Quota Management, and then click Quota Templates.

3. Right-click Quota Templates, and then click Create Quota Template.

4. In the Create Quota Template dialog box, in the Template Name field, type 100 MB Limit Log to Event Viewer.

5. Under Notifications Thresholds, click Add.

6. In the Add Threshold dialog box, click the Event log tab.

7. Select the Send warning to event log check box, and then click OK.

8. In the Create Quota Template dialog box, click Add.

9. In the Add Threshold dialog box, in the Generate notification when the usage reaches field, type 100.

10. Click the Event Log tab, and then select the Send warning to event log check box.

11. Click OK twice.


Task 2: Configure a quota based on the quota template

1. In the File Server Resource Manager console pane, click Quotas.

2. Right-click Quotas, and then click Create Quota.

3. On the Create Quota dialog box, in the Quota path field, type E:\Mod10\Labfiles\Users.

4. Click Auto apply template and create quotas on existing and new subfolders.

5. In the Derive properties from this quota template (recommended) list, click 100MB Limit Log to Event Viewer, and then click Create.

6. In the details pane, verify that the E:\Mod10\Labfiles\Users\* path has been configured with its own quota entry. You may have to refresh the Quotas folder to view the changes.

7. Right-click Start, and then click Explorer.

8. In Windows Explorer, browse to E:\Mod10\Labfiles\Users.

9. Create a new folder named Roya.

10. In File Server Resource Manager, on the Action menu, click Refresh.

11. In the details pane, notice that the newly created folder appears in the list.

Task 3: Test that the Quota is working by generating several large files

1. Click Start, and then click Command Prompt.

2. Type E:, and then press ENTER.

3. Type cd \Mod10\Users\Roya, and then press ENTER.

4. Type fsutil file createnew file1.txt 89400000, and then press ENTER. This creates a file that is over 85 MB, which will generate a warning in Event Viewer.

5. Click Start, point to Administrative Tools, and then click Event Viewer.


6. In the Event Viewer console pane, expand Windows Logs, and then click Application.

7. In the details pane, note the event with Event ID of 12325.

8. In the Command Prompt window, type fsutil file createnew file2.txt 16400000, and then press ENTER. Notice that the file cannot be created because it would surpass the quota limit.

9. In Windows Explorer, right-click the Users folder, and then click Properties.

10. In the Users Properties dialog box, click Advanced.

11. In the Advanced Attributes dialog box, select the Compress contents to save disk space check box, and then click OK twice.

Important: When the Users folder is compressed, the space that the files actually occupy is reduced. If you were to specify this using NTFS file system quotas, the actual file size would be calculated and not the compressed size.

12. In the Confirm Attribute Changes dialog box, verify that Apply changes to this folder, subfolders and files is selected and then click OK.

13. In the File Server Resource Manager details pane, right-click Quotas, and then click Refresh. Notice that the amount of used space is reduced significantly.

14. In the Command Prompt window, type fsutil file createnew file2.txt 16400000, and then press ENTER. The file will now be successfully created.

Important: When creating files, you are specifying the number of bytes they will be. This is why they are not exactly 85000000, because a byte is only eight bits.

15. Type exit, and then press ENTER.

Results: After this exercise, you should have seen the effect of a quota template that imposes a 100MB limit on user storage on the E:\Mod10\Labfiles\Labfiles\Users folder.
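The byte counts typed into fsutil in Task 3 can be replayed against the quota to see why the first file only raises a warning and the second is refused. This is an added example, not part of the courseware; the function name is constructed, the 85 percent figure is an assumption (the first threshold left at its dialog value, consistent with the page's "over 85 MB" remark), and 1 MB is taken as 1,048,576 bytes.

```powershell
# Added example, not part of the courseware. Replays a sequence of file
# creations against a hard quota with warning thresholds.
function Test-QuotaReplay {
    param(
        [long]$LimitBytes,      # hard limit of the quota
        [int[]]$WarnPercents,   # notification thresholds, in percent of the limit
        [long[]]$FileSizes      # sizes passed to "fsutil file createnew", in order
    )
    [long]$used = 0
    $fired = @{}                # thresholds that have already raised an event
    foreach ($size in $FileSizes) {
        if ($used + $size -gt $LimitBytes) {
            # A hard quota refuses the write and leaves usage unchanged.
            $outcome = 'Denied: would exceed the hard limit'
        } else {
            $used += $size
            $pct = 100 * $used / $LimitBytes
            $new = @($WarnPercents | Sort-Object |
                     Where-Object { $pct -ge $_ -and -not $fired.ContainsKey($_) })
            foreach ($t in $new) { $fired[$t] = $true }
            if ($new.Count -gt 0) {
                $outcome = 'Created; crossed threshold ' + ($new -join '%, ') + '%'
            } else {
                $outcome = 'Created'
            }
        }
        New-Object PSObject -Property @{
            FileBytes   = $size
            Outcome     = $outcome
            UsedBytes   = $used
            UsedPercent = [math]::Round(100 * $used / $LimitBytes, 2)
        } | Select-Object FileBytes, Outcome, UsedBytes, UsedPercent
    }
}

# The lab's values: a 100 MB limit (104,857,600 bytes), thresholds at 85% (assumed)
# and 100%, then file1.txt and file2.txt with the sizes from steps 4 and 8.
Test-QuotaReplay -LimitBytes 100MB -WarnPercents 85, 100 -FileSizes 89400000, 16400000 |
    Format-Table -AutoSize
```

The 85 percent mark of a 100 MB limit is 89,128,960 bytes, so the 89,400,000-byte file lands just above it, and adding 16,400,000 bytes would bring usage to 105,800,000 bytes, which is over the limit.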


Lab C: Configuring File Screening

Exercise 1: Configuring File Screening

Task 1: Create a File screen

1. On NYC-SVR1, in the File Server Resource Manager console pane, expand File Screening Management, and then click File Screens.

2. Right-click File Screens, and then click Create File Screen.

3. In the Create File Screen dialog box, in the File screen path field, type E:\Mod10\Labfiles\Users.

4. Click Define custom file screen properties, and then click Custom Properties.

5. In the File Screen Properties dialog box, click Passive screening.

6. Under Select file groups to block, select the Executable Files check box.

7. On the Event Log tab, select the Send warning to event log check box, and then click OK.

8. In the Create File Screen dialog box, click Create.

9. In the Save Custom Properties as a Template dialog box, in the Template name field, type Monitor Executables, and then click OK.


Task 2: Test the file screen

1. In Windows Explorer, browse to E:\Mod10\Labfiles.

2. Right-click Example.bat file, and then click Copy.

3. Browse to E:\Mod10\Labfiles\Users\Roya.

4. Right-click Roya, and then click Paste.

5. In the Event Viewer console pane, under Windows Logs, right-click Application, and then click Refresh.

6. In the details pane, note the event with Event ID of 8215.

7. Close Event Viewer, and then close Windows Explorer.

Results: After this exercise, you should have successfully implemented a file screen that logs attempts to save executable files in E:\Mod10\Labfiles\Labfiles\Users.


Lab D: Generating Storage Reports

Exercise 1: Generating Storage Reports

Task 1: Generate an on-demand storage report

1. On NYC-SVR1, in the File Server Resource Manager console pane, click Storage Reports Management.

2. Right-click Storage Reports Management, and then click Generate Reports Now.

3. In the Storage Reports Task Properties dialog box, click Add.

4. In the Browse For Folder dialog box, browse to E:\Mod10\Labfiles\Users, and then click OK.

5. Under Select reports to generate, select the File Screening Audit and Quota Usage check boxes, and then click OK.

6. In the Generate Storage Reports dialog box, verify that Wait for reports to be generated and then display them is selected, and then click OK.

7. In the Windows Internet Explorer window, review the generated reports.

Task 2: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6419A Lab Launcher.

Results: After this exercise, you should have successfully generated an on-demand storage report.


Module 11: Configuring and Managing Distributed File System

Lab A: Installing the Distributed File System Role Service and Creating a DFS Namespace

Exercise 1: Installing the Distributed File System (DFS) Role Service

Task 1: Start each virtual machine and log on

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.

3. Log on to both virtual machines as Woodgrovebank\Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Install the Distributed File System Role Service on NYC-DC1

1. On NYC-DC1, click Start, and then click Server Manager.

2. In the console pane, click Roles.

3. In the details pane, under Roles Summary, notice that the File Services role has been installed. You now must add specific role services for this role.

4. Scroll down to the File Services section, and then under Role Services, click Add Role Services.

5. On the Select Role Services page, select Distributed File System, and then click Next.


6. On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager, and then click Next.

7. On the Confirm Installation Selections page, click Install.

8. When the installation is complete, click Close.

9. In Server Manager, verify that File Server, Distributed File System, DFS Namespaces, and DFS Replication all are installed.

10. Close Server Manager.

Task 3: Install the Distributed File System Role Service on NYC-SVR1

1. On NYC-SVR1, click Start, and then click Server Manager.

2. In the console pane, click Roles.

3. In the details pane, under Roles Summary, notice that the File Services role has been installed. You now must add specific role services for this role.

4. Scroll down to the File Services section, and then under Role Services, click Add Role Services.

5. On the Select Role Services page, select Distributed File System, and then click Next.

6. On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager, and then click Next.

7. On the Confirm Installation Selections page, click Install.

8. When the installation is complete, click Close.

9. In Server Manager, verify that File Server, Distributed File System, DFS Namespaces, and DFS Replication are all installed.

10. Close Server Manager.


Exercise 2: Creating a DFS Namespace

Task 1: Use the New Namespace Wizard to create a new namespace

1. On NYC-DC1, click Start, point to Administrative Tools, and then click DFS Management.

2. In the DFS Management console pane, click Namespaces.

3. Right-click Namespaces, and then click New Namespace.

4. On the Namespace Server page, in the Server field, type NYC-DC1, and then click Next.

5. On the Namespace Name and Settings page, in the Name field, type CorpDocs, and then click Next.

6. On the Namespace Type page, verify that Domain-based namespace is selected, and then click Next.

7. On the Review Settings and Create Namespace page, review the settings, and then click Create.

8. On the Confirmation page, verify that the Status column shows Success, and then click Close. The CorpDocs namespace has now been created.

9. In the console pane, expand Namespaces, and then click \\WoodgroveBank.com\CorpDocs.

10. In the details pane, click the Namespace Servers tab. Notice that the CorpDocs namespace is hosted on a single namespace server (NYC-DC1).

Task 2: Add an additional namespace server to host the namespace

1. On NYC-DC1, in the DFS Management console pane, right-click \\WoodgroveBank.com\CorpDocs, and then click Add Namespace Server.

2. In the Add Namespace Server dialog box, in the Namespace server field, type NYC-SVR1, and then click OK.

3. If you receive a warning dialog box that states the Distributed File System service is not running, click Yes to start the service automatically.

4. Verify from the Details pane that the CorpDocs namespace is now hosted on both NYC-DC1 and NYC-SVR1.


Lab B: Configuring Folder Targets and Viewing Diagnostic Reports

Exercise 1: Configuring Folder Targets and Folder Replication

Task 1: Create the HRTemplates folder, and configure a folder target on NYC-DC1

1. On NYC-DC1, in the DFS Management console pane, right-click \\WoodgroveBank.com\CorpDocs, and then click New Folder.

2. In the New Folder dialog box, in the Name field, type HRTemplates.

3. Click Add.

4. In the Add Folder Target dialog box, click Browse.

5. In the Browse for Shared Folders dialog box, click New Shared Folder.

6. In the Create Share dialog box, in the Share name field, type HRTemplateFiles.

7. In the Local path of shared folder field, type C:\HRTemplateFiles.

8. Under Shared folder permissions, click Administrators have full access; other users have read-only permissions, and then click OK.

9. In the Warning dialog box, click Yes to create the C:\HRTemplateFiles folder.

10. In the Browse for Shared Folders dialog box, click OK.

11. In the Add Folder Target dialog box, verify that the path shows \\NYC-DC1\HRTemplateFiles, and then click OK.

12. In the New Folder dialog box, verify that HRTemplates is listed for the Name and \\NYC-DC1\HRTemplateFiles is listed for the Folder targets, and then click OK.

13. In the console pane, click \\WoodgroveBank.com\CorpDocs.

14. In the details pane, click the Namespace tab. Notice that HRTemplates is listed as an entry in the namespace.


15. In the console pane, expand \\WoodgroveBank.com\CorpDocs, and then click HRTemplates. In the details pane, notice that on the Folder Targets tab, one folder target is configured.

16. Click the Replication tab, and notice that replication is not configured.

Task 2: Create the PolicyFiles folder, and configure a folder target on NYC-SVR1

1. On NYC-DC1, in the DFS Management console pane, right-click \\WoodgroveBank.com\CorpDocs, and then click New Folder.

2. In the New Folder dialog box, in the Name field, type PolicyFiles.

3. Click Add.

4. In the Add Folder Target dialog box, click Browse.

5. In the Browse for Shared Folders dialog box, in the Server field, type NYC-SVR1, and then click Show Shared Folders.

6. Click New Shared Folder.

7. In the Create Share dialog box, in the Share name field, type PolicyFiles.

8. In the Local path of shared folder field, type C:\PolicyFiles.

9. Under Shared folder permissions, click Administrators have full access; other users have read-only permissions, and then click OK.

10. In the Warning dialog box, click Yes to create the C:\PolicyFiles folder.

11. In the Browse for Shared Folders dialog box, click OK.

12. In the Add Folder Target dialog box, verify that the path shows \\NYC-SVR1\PolicyFiles, and then click OK.

13. In the New Folder dialog box, verify that PolicyFiles is listed for the Name and \\NYC-SVR1\PolicyFiles is listed for the Folder targets, and then click OK.

14. In the console pane, click PolicyFiles. In the details pane, notice that on the Folder Targets tab, one folder target is configured.


Task 3: Verify the CorpDocs namespace functionality

1. On NYC-DC1, click Start, type \\WoodgroveBank.com\CorpDocs, and then press ENTER.

2. In the Windows Explorer window that opens, notice that the HRTemplates and PolicyFiles folders both are visible.

Note: If they are not visible, you may need to wait up to five minutes for the configuration to complete.

3. Double-click HRTemplates.

4. On the File menu, point to New, and then click Rich Text Document.

5. Type Vacation Request, and then press ENTER.

6. On the navigation bar, click the Back button.

7. Double-click PolicyFiles.

8. On the File menu, point to New, and then click Rich Text Document.

9. Type Order Policies, and then press ENTER.

10. Close the PolicyFiles window.

11. On NYC-SVR1, click Start, type \\WoodgroveBank.com\CorpDocs, and then press ENTER.

12. In the Windows Explorer window that opens, notice that the HRTemplates and PolicyFiles folders both are visible.

13. Browse both folders and verify that you can access the files. Close the window when complete.

Task 4: Create additional folder targets for the HRTemplates folder, and configure folder replication

1. On NYC-DC1, in the DFS Management console pane, right-click HRTemplates, and then click Add Folder Target.

2. In the New Folder Target dialog box, in the Path to folder target field, type \\NYC-SVR1\HRTemplates, and then click OK.


3. In the Warning box, click Yes to create the \\NYC-SVR1\HRTemplates shared folder.

4. In the Create Share dialog box, in the Local path of shared folder field, type C:\HRTemplates.

5. Under Shared folder permissions, click Administrators have full access; other users have read-only permissions, and then click OK.

6. In the Warning dialog box, click Yes to create the C:\HRTemplates folder.

7. In the Replication dialog box, click Yes to create a replication group.

8. On the Replication Group and Replicated Folder Name page, verify that woodgrovebank.com\corpdocs\hrtemplates is listed as the Replication group name and that HRTemplates is listed as the Replicated folder name, and then click Next.

9. On the Replication Eligibility page, verify that both NYC-DC1 and NYC-SVR1 are listed, and then click Next.

10. On the Primary Member page, in the Primary Member list, click NYC-DC1, and then click Next.

11. On the Topology Selection page, verify that Full mesh is selected, and then click Next.

12. On the Replication Group Schedule and Bandwidth page, verify that Replicate continuously using the specified bandwidth is selected and that in the Bandwidth list, Full is selected, and then click Next.

13. On the Review Settings and Create Replication Group page, review the settings, and then click Create.

14. On the Confirmation page, verify that all tasks completed successfully, and then click Close.

15. Read the Replication Delay message, and then click OK.

16. In the console pane, expand Replication, and then click woodgrovebank.com\corpdocs\hrtemplates.

17. In the details pane, on the Memberships tab, verify that both NYC-DC1 and NYC-SVR1 are listed and enabled.


Task 5: Create additional folder targets for the PolicyFiles folder, and configure folder replication

1. On NYC-DC1, in the DFS Management console pane, right-click PolicyFiles, and then click Add Folder Target.

2. In the New Folder Target dialog box, in the Path to folder target field, type \\NYC-DC1\PolicyFiles, and then click OK.

3. In the Warning dialog box, click Yes to create the \\NYC-DC1\PolicyFiles shared folder.

4. In the Create Share dialog box, in the Local path of shared folder field, type C:\PolicyFiles.

5. Under Shared folder permissions, click Administrators have full access; other users have read-only permissions, and then click OK.

6. In the Warning box, click Yes to create the C:\PolicyFiles folder.

7. In the Replication dialog box, click Yes to create a replication group.

8. On the Replication Group and Replicated Folder Name page, verify that woodgrovebank.com\corpdocs\policyfiles is listed as the Replication group name and that PolicyFiles is listed as the Replicated folder name, and then click Next.

9. On the Replication Eligibility page, verify that both NYC-DC1 and NYC-SVR1 are listed, and then click Next.

10. On the Primary Member page, in the Primary member list, click NYC-SVR1, and then click Next.

11. On the Topology Selection page, verify that Full mesh is selected, and then click Next.


12. On the Replication Group Schedule and Bandwidth page, verify that Replicate continuously using the specified bandwidth is selected and that in the Bandwidth list, Full is selected, and then click Next.

13. On the Review Settings and Create Replication Group page, review the settings, and then click Create.

14. On the Confirmation page, verify that all tasks completed successfully, and then click Close.

15. Read the Replication Delay message, and then click OK.

16. In the console pane, click woodgrovebank.com\corpdocs\policyfiles.

17. In the details pane, on the Memberships tab, verify that both NYC-DC1 and NYC-SVR1 are listed and enabled.


Exercise 2: Viewing Diagnostic Reports for Replicated Folders

Task 1: Create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates

1. On NYC-DC1, in the DFS Management console pane, under Replication, right-click woodgrovebank.com\corpdocs\hrtemplates, and then click Create Diagnostic Report.

2. On the Type of Diagnostic Report or Test page, verify that Health report is selected, and then click Next.

3. On the Path and Name page, click Next.

4. On the Members to Include page, verify that both NYC-DC1 and NYC-SVR1 are listed in the Included members column, and then click Next.

5. On the Options page, verify that Yes, count backlogged files in this report is selected.

6. Select Count the replicated files and their sizes on each member, and then click Next.

7. On the Review Settings and Create Report page, review the settings, and then click Create.

8. The DFS Replication Health Report Web page opens. Read through the report and take note of any errors or warnings. Errors will appear if replication is still in process or has not taken place yet. When you are finished, close the Internet Explorer window.

9. Repeat the above steps to create a diagnostic report for the policyfiles replication group. Read through the report, and take note of any errors or warnings. When you are finished, close the Internet Explorer window. Note that there may be errors reported if replication has not begun or finished yet.


Task 2: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6419A Lab Launcher.


Module 12: Configuring Network Access Protection

Since NAP is a new technology in Windows Server 2008, detailed steps have been provided for each of the tasks in the module itself. For this reason, there is no separate lab answer key for this module.


Module 13: Configuring Availability of Network Resources and Content

Lab A: Configuring Shadow Copying

Exercise 1: Configuring Shadow Copying

Task 1: Start the virtual machines, and then log on

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.

3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.

4. Log on to each virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

5. Minimize the Lab Launcher window.

Task 2: Enable shadow copies on a volume

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Computer Management.

2. In the Computer Management console pane, right-click Shared Folders, point to All Tasks, and then click Configure Shadow Copies.

3. In the Shadow Copies dialog box, click E:\, and then click Enable.

4. In the Enable Shadow Copies dialog box, click Yes.

5. Click Create Now, and then click OK.

6. Leave the Computer Management console open.


Task 3: Change a file in a share location

1. On NYC-CL1, click Start, type \\NYC-DC1\Shadow, and then press ENTER.

2. In the Shadow window, double-click ShadowTest.txt.

3. In the Notepad window, type This is my text that I am adding to the file.

4. On the File menu, click Save.

5. Close Notepad, but leave the Windows Explorer window open.

6. In the Shadow window, double-click ShadowTest.txt.

7. In the Notepad window, type This is my second modification to the file.

8. On the File menu, click Save.

9. Close Notepad, but leave the Windows Explorer window open.

Task 4: Manually create a shadow copy

1. On NYC-DC1, in the Computer Management console pane, right-click Shared Folders, point to All Tasks, and then click Configure Shadow Copies.

2. In the Shadow Copies dialog box, click E:\, and then click Create Now.

3. The Shadow copies of selected volume pane should now have two entries listed. Click OK.

4. Close Computer Management.


Task 5: View the previous file versions, and restore to a previous version

1. On NYC-CL1, in Windows Explorer, right-click ShadowTest.txt, and then click Properties.

2. In the ShadowTest.txt Properties dialog box, click the Previous Versions tab.

3. Under File versions, you should see the last shadow copy that was created. Click Open to view the file contents.

4. In the Notepad window, review the file contents. The file you are viewing should be a blank file.

5. Close Notepad.

6. In the ShadowTest.txt Properties dialog box, click Restore.

7. In the Previous Versions dialog box, click Restore, and then click OK twice.

8. Close Windows Explorer.

Results: After this exercise, you should have established shadow copies on a share, changed a file, and then restored the original version.


Lab B: Configuring Network Load Balancing

Exercise 1: Configuring Network Load Balancing with IIS

Task 1: Install NLB

Note: Perform these steps on both NYC-DC1 and NYC-SVR1. First perform the steps on NYC-DC1. Then perform the steps on NYC-SVR1.

1. Click Start | Server Manager. The Server Manager window opens.

2. In the Server Manager console tree, click Features.

3. In the details pane, click Add Features.

4. In the Add Features Wizard, select Network Load Balancing, and then click Next.

5. On the Confirm Installation Selections page, click Install.

6. On the Installation Results page, click Close.

7. Close Server Manager.

Task 2: Create an NLB cluster

Note: Perform these steps on NYC-DC1.

1. Click Start | Administrative Tools | Network Load Balancing Manager.

2. The Network Load Balancing Manager window opens. Maximize the window.

3. In the console tree, right-click Network Load Balancing Clusters and then click New Cluster.

4. In the New Cluster: Connect dialog box, in the Host field, type NYC-DC1 and then click Connect.


5. Under Interfaces available for configuring a new cluster, click the interface on the 10.10.0 network, and then click Next.

6. On the Host Parameters page, click Add.

7. In the Add IP Address dialog box, in the IPv4 address field, type 10.10.0.80, press TAB and the Subnet mask field will automatically fill.

8. Click OK, and then click Next.

9. In the Cluster IP Addresses page, click Add.

10. In the Add IP Address dialog box, in the IPv4 address field, type 10.10.0.70, press TAB and the Subnet mask field will automatically fill.

11. Click OK, and then click Next.

12. On the Cluster Parameters page, in the Full Internet name field, type webfarm.woodgrovebank.com.

13. Click Multicast and then click Next.

14. On the Port Rules page, click Edit.

15. In the Add/Edit Port Rule dialog box, in the From field, type 80, and in the To field, type 80.

16. Under Protocols click TCP.

17. For Affinity click None.

18. Click OK, and then click Finish.

Note: Do not begin the steps below until after the previous change has completed. Use the log entries in the bottom pane to determine when the previous change has completed.

19. In the console tree, right-click webfarm.woodgrovebank.com and then click Add Host to Cluster.

20. In the Add Host to Cluster: Connect dialog box, in the Host field, type NYC-SVR1 and then click Connect.


21. Under Interfaces available for configuring a new cluster, click the interface with the 10.10.0.24 IP address, and then click Next.

22. On the Host Parameters page, click Add.

23. In the Add IP Address dialog box, in the IPv4 address field, type 10.10.0.81, press TAB and the Subnet mask field will automatically fill.

24. Click OK, and then click Next.

25. On the Port Rules page, click Finish.

Note: It may take three minutes for the NLB cluster hosts to converge. Wait for both NLB hosts to display a status of Converged before moving to the steps below.

Task 3: Test the NLB cluster

Note: Perform these steps on NYC-DC1.

1. Click Start | All Programs | Internet Explorer.

2. In the Internet Explorer address bar, type http://10.10.0.70, and then press ENTER.

3. The IIS 7.0 default page appears.

4. Turn off NYC-SVR1.

5. On NYC-DC1, in the Internet Explorer address bar, type http://10.10.0.70, and then press ENTER.

Results: Even though an NLB cluster member is unavailable, the web site is still available.


Module 14: Monitoring and Maintaining Windows Server 2008 Servers

Lab A: Identifying Windows Server 2008 Monitoring Requirements

Exercise 1: Evaluating Performance Metrics

Task 1: Start each virtual machine and log on

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.

3. Log on to both virtual machines as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Identify performance problems with Windows Server 2008 – Part A

1. On NYC-SVR1, click Start, point to Administrative Tools, and then click Reliability and Performance Monitor.

2. In the Reliability and Performance Monitor console pane, expand Monitoring Tools, and then click Performance Monitor.

3. In the details pane, click the View Log Data button (CTRL+L).

4. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.

5. In the Select Log File dialog box, browse to E:\Mod14\Labfiles\Ex1A.


6. Click 6419A-NYC-SVR1-LAB14-EX1A.blg and then click Open.

7. In the Performance Monitor Properties dialog box, click OK.

8. In the Performance Monitor details pane, click Add (CTRL+I).

9. In the Add Counters dialog box, under Available counters, expand Processor, and then click % Processor Time.

10. Under Instances of selected object, click 0, and then click Add.

11. In the Add Counters dialog box, under Available counters, expand System, click Processor Queue Length, click Add, and then click OK.

12. At the bottom of the window, click % Processor Time to view the graph of the CPU usage on NYC-SVR1 and notice that:

• The minimum value is 34 percent.

• The maximum value is 100 percent.

• The average value is 82.58 percent.

13. Click Add (CTRL+I).

14. In the Add Counters dialog box, under Available counters, expand Process, and then click % Processor Time.

15. Under Instances of selected object, click <All Instances>, click Add, and then click OK.

16. Review the % Processor Time used by each process. It is useful to use the Highlight button (CTRL+H) to view each instance. Identify the process that is consuming the CPU.

Answer: The cpustres process is consuming most of the CPU time.

17. Close Reliability and Performance Monitor.


Task 3: Identify performance problems with Windows Server 2008 – Part B

1. On NYC-SVR1, click Start, point to Administrative Tools, and then click Reliability and Performance Monitor.

2. In the Reliability and Performance Monitor console pane, expand Monitoring Tools, and then click Performance Monitor.

3. In the details pane, click View Log Data (CTRL+L).

4. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.

5. In the Select Log File dialog box, browse to E:\Mod14\Labfiles\Ex1B.

6. Click 6419A-NYC-SVR1-LAB14-EX1B.blg and then click Open.

7. In the Performance Monitor Properties dialog box, click OK.

8. In the Performance Monitor details pane, click Add (CTRL+I).

9. In the Add Counters dialog box, under Available counters, expand PhysicalDisk, and then click Avg. Disk Queue Length.

10. Under Instances of selected object, click 0 C:, and then click Add.

11. Under Available counters, click Current Disk Queue Length.

12. Under Instances of selected object, click 0 C:, and then click Add.

13. Under Available counters, click Disk Transfers/sec.

14. Under Instances of selected object, click 0 C:, and then click Add.

15. Under Available counters, expand Process, and then click IO Data Bytes/sec.

16. Under Instances of selected object, click <All Instances>, click Add, and then click OK.

17. Review the IO Data Bytes/sec values for each process. It is useful to use the Highlight button (CTRL+H) to view each instance. Identify the process that is consuming the disk transfer capacity.

Answer: The explorer process is consuming the disk resources.

18. Close Reliability and Performance Monitor.


Task 4: Identify performance problems with Windows Server 2008 – Part C

1. On NYC-SVR1, click Start, point to Administrative Tools, and then click Reliability and Performance Monitor.

2. In the Reliability and Performance Monitor console pane, expand Monitoring Tools, and then click Performance Monitor.

3. In the details pane, click View Log Data (CTRL+L).

4. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.

5. In the Select Log File dialog box, browse to E:\Mod14\Labfiles\Ex1C.

6. Click 6419A-NYC-SVR1-LAB14-EX1C.blg and then click Open.

7. In the Performance Monitor Properties dialog box, click OK.

8. In the Performance Monitor details pane, click Add (CTRL+I).

9. In the Add Counters dialog box, under Available counters, expand Process, and then click Working Set - Private.

10. Under Instances of selected object, click <All Instances>, and then click Add.

11. Under Available counters, expand Paging File, click % Usage, hold down CTRL, and then click % Usage Peak.

12. Under Instances of selected object, click \??\C:\pagefile.sys, and then click Add.

13. Under Available counters, expand Memory, click % Committed Bytes In Use, hold down CTRL and click Available MBytes, Committed Bytes, Page Faults/sec, Pages/sec, Pool Nonpaged Bytes, Pool Paged Bytes, click Add, and then click OK.

14. View the graph of the memory and process usage on NYC-SVR1. Review the minimum and maximum values for each process to locate the problem. (The value for Available MBytes drops to 4 MB.) Review the Working Set - Private value for each process. It is useful to use the Highlight button (CTRL+H) to view each instance. Determine which process is consuming memory.

Answer: The leakyapp processes are consuming memory.


Exercise 2: Monitoring Performance Metrics

Task 1: Create a data collector set to measure server requirements

1. On NYC-SVR1, in Reliability and Performance Monitor, expand Data Collector Sets, and then click User Defined.

2. On the Action menu, point to New, and then click Data Collector Set.

3. In the Create new Data Collector Set dialog box, in the Name field, type File Server Monitoring and then click Next.

4. On the Which template would you like to use? page, verify that System Performance is selected, and then click Next.

5. On the Where would you like the data to be saved? page, review the default path, and then click Next.

6. On the Create the data collector set? page, review the options, and then click Finish.

7. In the Reliability and Performance Monitor details pane, double-click File Server Monitoring, and then double-click Performance Counter.

8. In the Performance Counter Properties dialog box, review the objects and counters, and then click OK.

9. In the console pane, right-click File Server Monitoring, and then click Properties.

10. In the File Server Monitoring Properties dialog box, on the Stop Condition tab, in the Overall duration field type 2 and then click OK.

11. In the console pane, right-click File Server Monitoring, and then click Start.

Note: If you receive an error, click OK, and attempt to start the collector set again.

12. On the Action menu, click Latest Report.

13. After about two minutes, the data will be collected and the report should be shown. Review the collected data.


Lab B: Configuring Windows Server 2008 Monitoring

Exercise 1: Configuring Data Collector Sets

Task 1: Generate an alert by using a data collector set

1. On NYC-SVR1, in the Reliability and Performance Monitor console pane, under Data Collector Sets, click User Defined.

2. On the Action menu, point to New, and then click Data Collector Set.

3. In the Create new Data Collector Set dialog box, in the Name field, type High CPU Monitoring.

4. Click Create manually (Advanced), and then click Next.

5. On the What type of data do you want to include? page, click Performance Counter Alert, and then click Next.

6. On the Which performance counters would you like to monitor? page, click Add.

7. Under Available counters, expand Processor, and then click % Processor Time.

8. Under Instances of selected object, click 0, click Add, and then click OK.

9. On the Which performance counters would you like to monitor? page, in the Limit field, type 95 and then click Next.

10. On the Create the data collector set? page, click Finish.

11. In the details pane, double-click High CPU Monitoring, and then double-click DataCollector01.

12. In the DataCollector01 Properties dialog box, on the Alert Action tab, select the Log an entry in the application event log check box, and then click OK.

13. Close Reliability and Performance Monitor.


Exercise 2: Monitoring Extension Exercise

Task 1: Create a tailored data collector set

• Use the Reliability and Performance Monitor to create a data collector set for a server in your organization.


Exercise 3: Automating Maintenance Tasks

Task 1: Forward Directory Service replication error messages to a central location

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the Active Directory Users and Computers console pane, expand WoodgroveBank.com, and then click Builtin.

3. In the details pane, right-click Administrators, and then click Properties.

4. In the Administrators Properties dialog box, on the Members tab, click Add.

5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types.

6. In the Object Types dialog box, select the Computers check box, and then click OK.

7. In the Select Users, Contacts, Computers, or Groups dialog box, type NYC-SVR1, and then click OK twice.

8. Close Active Directory Users and Computers.

9. On NYC-SVR1, click Start, point to Administrative Tools, and then click Event Viewer.

10. In the Event Viewer console pane, click Subscriptions.

11. In the Event Viewer dialog box, click Yes.

12. In the console pane, right-click Subscriptions, and then click Create Subscription.

13. In the Subscription Properties dialog box, in the Subscription name field, type Replication Errors.

14. Verify that in the Destination log list, Forwarded Events is selected and then click Select Computers.

15. In the Computers dialog box, click Add Domain Computers.


16. In the Select Computer dialog box, type NYC-DC1 and then click OK twice.

17. In the Subscription Properties dialog box, click Select Events.

18. In the Query Filter dialog box, on the XML tab, select the Edit query manually check box.

19. In the Event Viewer dialog box, click Yes.

20. In the Query Filter dialog box, type the following, and then click OK.

<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(Level=2 or Level=3) and (EventID=1308 or EventID=1864)]]</Select>
  </Query>
</QueryList>

21. In the Subscription Properties dialog box, click OK.

22. Close Event Viewer.
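To check what this subscription will forward, the filter from step 20 can be run directly against the source log and the subscription's runtime status read on the collector. This is an added example, not part of the original lab; it assumes an elevated PowerShell prompt on NYC-SVR1 and that the firewall on NYC-DC1 allows remote event log management.

```powershell
# XPath filter typed in step 20 (Level 2 = Error, Level 3 = Warning).
$xpath = '*[System[(Level=2 or Level=3) and (EventID=1308 or EventID=1864)]]'

# 1. Run the filter against the source log on NYC-DC1.
#    /rd:true returns the newest events first; /c:5 limits output to five events.
$sourceEvents = wevtutil qe "Directory Service" "/q:$xpath" /r:NYC-DC1 /rd:true /c:5 /f:text

if ($LASTEXITCODE -ne 0) {
    # A non-zero exit code means the query itself failed, not that it matched nothing.
    Write-Warning "wevtutil failed with exit code $LASTEXITCODE; check the log name, the filter and remote access."
}
elseif (-not $sourceEvents) {
    "No events in the Directory Service log on NYC-DC1 currently match the filter."
}
else {
    $sourceEvents
}

# 2. Confirm that the subscription created in step 13 exists on the collector.
wecutil es

# 3. Show the runtime status and last error for each event source in the subscription.
wecutil gr "Replication Errors"

# 4. Show the most recent events that have arrived in the destination log chosen in step 14.
wevtutil qe ForwardedEvents /rd:true /c:5 /f:text
```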

Task 2: Run a script to review disk space

1. On NYC-SVR1, click Start, point to All Programs, click Accessories, and then click Notepad.

2. Type the following code example into Notepad:

$aryComputers = "NYC-DC1","NYC-SVR1"
# DriveType 3 is a local fixed disk.
Set-Variable -name intDriveType -value 3 -option constant
foreach ($strComputer in $aryComputers)
{
    "Hard drives on: " + $strComputer
    Get-WmiObject -class win32_logicaldisk -computername $strComputer |
        Where {$_.drivetype -eq $intDriveType} | Format-table
}

3. On the File menu, click Save As.

4. In the Save As dialog box, in the File name field, type DriveReport.ps1.

5. In the Save as type list, click All Files, and then click Save.

6. Close Notepad.


7. Click Start, point to All Programs, click Windows PowerShell 1.0, and then click Windows PowerShell.

8. In the Windows PowerShell window, type Set-ExecutionPolicy unrestricted and then press ENTER.

Note: This command allows you to run scripts that are unsigned.

9. Type C:\Users\Administrator.Woodgrovebank\Documents\DriveReport.ps1 and then press ENTER.

10. Review the results of the script.

11. Type exit, and then press ENTER.
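Step 8 leaves the machine-wide execution policy at Unrestricted once the script has run. As an added example (not part of the original lab), the same script can be run under RemoteSigned, which still allows an unsigned script created locally in Notepad, and the previous policy restored afterwards. The -Scope and -Force parameters and the try/finally block assume PowerShell 2.0 or later rather than the lab's PowerShell 1.0, and $reportScript is a name chosen for this example.

```powershell
# Script path from step 9 of the lab.
$reportScript = 'C:\Users\Administrator.Woodgrovebank\Documents\DriveReport.ps1'

# Confirm the signing state of the script: a file typed into Notepad reports NotSigned.
Get-AuthenticodeSignature $reportScript | Format-List Path, Status

# Remember the machine-wide policy so that it can be put back afterwards.
$previousPolicy = Get-ExecutionPolicy -Scope LocalMachine

try {
    # RemoteSigned runs unsigned local scripts but requires a trusted signature
    # on scripts that were downloaded from another computer.
    Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
    & $reportScript
}
finally {
    # Restore the earlier policy even if the script stops with an error.
    Set-ExecutionPolicy $previousPolicy -Scope LocalMachine -Force
    "Machine-wide execution policy is now: " + (Get-ExecutionPolicy -Scope LocalMachine)
}
```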

Task 3: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.


Module 15: Planning for Windows Server 2008 Backup

Lab A: Planning Windows Server 2008 Backup Policy

Before you start the exercises, start the following virtual machines:

• 6419A-NYC-DC1

• 6419A-NYC-SVR1

Ensure that the 6419A-NYC-DC1 virtual machine has fully started before you start the 6419A-NYC-SVR1 virtual machine.

Exercise 1: Evaluating the Existing Backup Plan

Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.

3. Log on to each virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

4. Minimize the Lab Launcher window.

Task 2: Review the existing backup plan

1. You have agreed that no more than one day's data should be lost in the event of a disaster. Critical data includes the Sales, Finance, and Projects data. Does the current backup plan meet this requirement?

Answer: No. The current weekly backup plan means that, if data is lost, the data that is restored could be up to a week old.


2. Currently, you copy the Human Resources confidential data onto a removable hard disk that is attached to a computer in the Human Resources office. This task is performed weekly by using a script to preserve the encryption on the files. What are the consequences of this process and how would you address them?

Answer: The issue is that the confidential files are on an easily removable device in an unsecured office. You could provide a secure data storage device, or you could place the removable hard disk in a secure area after the backup job is complete.

3. You have also agreed that, if a server fails, you should be able to restore that server, including all installed roles, features, applications, and security identity, in six hours. Does the current backup plan enable you to restore the servers in this way?

Answer: No. No system state backups are being performed on the servers, so the servers must be rebuilt in the event of a failure. This would make restoring the original configuration very difficult.

Task 3: Propose changes to the backup plan

1. Propose an appropriate backup frequency for the shares in the following table:

Share                Backup Frequency
Sales                Daily
Finance              Daily
Human Resources      Daily
Technical Library    Weekly
Projects             Daily, or perhaps more frequently

2. How would you address the requirement to restore the servers and how frequently would you back up the servers?

Answer: Back up the system state data on the servers so that you can restore them later. The backup should be at an appropriate frequency, so this will depend on how often the server configuration is changed. Typical schedules may be weekly or monthly.


Exercise 2: Updating the Backup Policy

Task 1: Create a backup strategy to comply with the SLA

1. You should be able to restore critical data, which includes the Sales, Finance, and Projects shares, as quickly as possible in the event of a disaster. What factors affect how quickly you can restore data?

Answer: The size of the backed-up data and the backup hardware and media both affect how quickly you can restore data.

2. Given that you have a limited budget to meet the SLA requirements, how could you maximize your budget while providing backup for the entire network data for which you are responsible?

Answer: Consider using a tiered approach to back up and restore: use faster backup hardware and media for critical data, which costs more, but use slower backup hardware and media for noncritical data to reduce costs.

Task 2: Create a backup strategy to comply with legal requirements

• How will you ensure that the required data is stored for the minimum legal requirement period and that the data is available for audit purposes when it is required?

Answer: Various approaches are valid, such as:

• Create separate archive backups for legal compliance purposes. Include only the required data in these archives. A user who has restore privilege is required to access the data if an audit is performed. You must also consider the storage lifetime of the media—a tape may not retain seven-year-old data if it is not refreshed.

• Store the legal compliance data on a separate network device such as another server or archive device. This device may offer policies to help you control retention requirements.

Exercise 3: Reviewing Backup Policy and Plans

The main task for this exercise is to discuss your solutions with the class.

Exercise 4: Implementing the Backup Policy

Task 1: Initialize the backup storage volume

1. On NYC-SVR1, click Start, point to Administrative Tools, and then click Computer Management.

2. In the Computer Management console pane, click Disk Management.

3. In the Initialize Disk dialog box, click OK.

4. In the details pane, next to Disk 2, right-click Unallocated, and then click New Simple Volume.

5. In the New Simple Volume Wizard, click Next.

6. On the Specify Volume Size page, review the configuration options, and then click Next.

7. On the Assign Drive Letter or Path page, review the configuration options, and then click Next.

8. On the Format Partition page, in the Volume label field, type Backup.

9. Select the Perform a quick format check box, and then click Next.

10. On the Completing the New Simple Volume Wizard page, click Finish.

11. When the format operation is complete, close Computer Management.

Task 2: Create the new backup schedule

1. On NYC-SVR1, click Start, point to Administrative Tools, and then click Windows Server Backup.

2. In the Windows Server Backup window, on the Action menu, click Backup Schedule.

3. In the Backup Schedule Wizard, click Next.

4. On the Select backup configuration page, click Custom, and then click Next.

5. On the Select backup items page, clear the Allfiles (E:) and Backup (F:) check boxes, and then click Next.

6. On the Specify backup time page, click More than once a day.

7. Under Available time, click 12:30 PM, click Add, and then click Next.

8. On the Select destination disk page, click Show All Available Disks.

9. In the Show All Available Disks dialog box, select the Disk 2 check box, and then click OK.

10. On the Select destination disk page, select the Disk 2 check box, and then click Next.

11. In the Windows Server Backup dialog box, click Yes.

12. On the Label destination disk page, click Next.

13. On the Confirmation page, click Finish.

14. On the Summary page, click Close.

15. Close Windows Server Backup.

Task 3: Back up the Domain Recovery Agent’s Private Key

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the Group Policy Management window, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.

3. In the details pane, right-click Default Group Policy and click Edit.

4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System.

5. In the details pane, right-click Administrator, point to All Tasks, and then click Export.

6. In the Certificate Export Wizard, click Next.

7. On the Export Private Key page, select the Yes, export the private key radio button, and then click Next.

8. On the Export File Format page, click Next.

9. On the Password page, in the Password and Type and confirm password (mandatory) fields, type Pa$$w0rd, and then click Next.

10. On the File to Export page, in the File Name field, type C:\AdminKey.pfx, and then click Next.

11. On the Completing the Certificate Export Wizard page, click Finish.

12. In the information dialog box, click OK.

13. Close all windows.
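A key backup is only useful if it can be opened again. The following added example (not part of the courseware) trial-opens the exported file and confirms that it contains a private key and the File Recovery usage that an EFS recovery agent needs. It assumes PowerShell 2.0 or later and the C:\AdminKey.pfx path typed in the wizard; the variable names are illustrative.

```powershell
# Added example, not from the courseware. Assumes PowerShell 2.0 or later.
$pfxPath  = 'C:\AdminKey.pfx'                  # file name typed in the export wizard
$password = Read-Host -AsSecureString "Password for $pfxPath"   # prompted, never stored
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # enhanced key usage "File Recovery"

try {
    # Opening the PFX proves that the file is intact and the password is correct
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $pfxPath, $password
} catch {
    throw "Cannot open ${pfxPath}: wrong password or damaged file. $($_.Exception.Message)"
}

# Collect the enhanced key usage OIDs listed in the certificate
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$ekus = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
          ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

$report = New-Object PSObject -Property @{
    Subject        = $cert.Subject
    Thumbprint     = $cert.Thumbprint
    NotAfter       = $cert.NotAfter
    HasPrivateKey  = $cert.HasPrivateKey
    IsFileRecovery = ($ekus -contains $fileRecoveryOid)
}
$cert.Reset()    # release the key material loaded for this check

$report | Format-List
if (-not $report.HasPrivateKey)  { Write-Warning 'The PFX has no private key: it cannot decrypt EFS files.' }
if (-not $report.IsFileRecovery) { Write-Warning 'The certificate lacks the File Recovery usage.' }
```

Compare the reported thumbprint with the certificate shown under Encrypting File System in the policy. Once the check passes, keep the .pfx file on protected offline media rather than on the C: drive of the domain controller, because the export password is then its only protection.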

Task 4: Lab Shutdown

1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6419A Lab Launcher.

Managing Windows Server 2008 Restore

Lab B: Planning Windows Server 2008 Restore

Exercise 1: Evaluating Backup Data

Task 1: Start the NYC-DC1, NYC-SVR1, and NYC-INF virtual machines

1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.

3. In the Lab Launcher, next to 6419A-NYC-INF, click Launch.

4. Log on to each virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

5. Minimize the Lab Launcher window.

Task 2: Evaluate file restoration

On Thursday, a member of the HR department asks you to restore an important file, which he created two days ago but someone subsequently deleted.

1. Why can you not restore the file?

Answer: The file was created after the last backup was performed, so the file cannot be restored.

2. How could you change the backup strategy so that it is possible to restore files that have changed more recently?

Answer: You could perform daily backups to enable you to restore files that are more recent. However, because a full backup takes 20 hours, you must perform incremental backups to reduce the backup time. You can configure this by creating a schedule in Windows Server Backup.

3. What other effects would a change in backup strategy cause?

Answer: Backup time would be significantly reduced after the first backup. Backup storage requirements would be reduced because subsequent backups store only changes instead of all the data.

Task 3: Restore EFS files

Members of the HR department have encrypted some of the files that are stored on the HR share by using EFS. The HR director asks you to restore some encrypted confidential files that were originally written by Tommy Hartono, who has since left the company. After you have restored the files, how can you provide access to the files for the HR director?

Answer: To provide access to the restored encrypted files, you require either the key of the authorized user who encrypted the file (Tommy Hartono) or the key of a designated data recovery agent (DRA).

Task 3: Evaluate server restore

On Wednesday, the server, NYC-FS1, suffers a hardware failure. Both the C: and E: volumes are lost.

1. How can you restore the server and data?

Answer: To restore the server, you must perform the following tasks:

a. Reinstall the Windows Server 2008 operating system.

b. Reinstall any required Windows Server 2008 roles and features such as the file server role and the Windows Server Backup feature.

c. Reinstall any previously installed applications such as management tools or antivirus software.

d. Reconfigure the E: volume.

e. Restore the data to the E: volume.

2. How could you make the restore process easier?

Answer: Regularly backing up the C: volume, including the system state data, would make the server restore easier because you could restore the server from the Windows Recovery Environment (Windows RE).

Exercise 2: Planning a Restore

Task 1: Plan a trial restore

1. In the following table, list the hardware and software requirements for performing a trial restore.

Requirements

Additional server (physical or virtual)

Backup hardware; for example, tape drive, connection to network, or connection to storage area network (SAN)

Access to backup media; for example, tapes

Windows Server 2008 source (DVD)

Backup software such as third-party backup software

2. What additional consideration must you make for performing a trial restore of the HR data on NYC-FS1?

Answer: You must retrieve the off-site backup media for testing.

3. With what types of backup data should you perform a trial restore?

Answer: You should perform trial restores on all types of backup, including volume backups, complete server backups, and database backups.

Exercise 3: Investigating a Failed Restore

Task 1: Determine the reason for the wrong file version

1. On NYC-SVR1, click Start, and then click Server Manager.

2. In the Server Manager console pane, expand Diagnostics, expand Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, expand Backup, and then click Operational.

This is where you can view any issues that occur with a restore operation.

Task 2: Create a Restore Operators group

1. In the Server Manager console pane, expand Configuration, expand Local Users and Groups, and then click Groups.

2. Right-click Groups, and then click New Group.

3. In the New Group dialog box, in the Group name field, type Restore Operators, click Create, and then click Close.

4. Close Server Manager.

Task 3: Separate the Backup and Restore roles

1. Click Start, point to Administrative Tools, and then click Local Security Policy.

2. In the Local Security Policy console pane, expand Local Policies, and then click User Rights Assignment.

3. In the details pane, double-click Restore files and directories.

4. In the Restore files and directories Properties dialog box, on the Local Security Setting tab, click Backup Operators, and then click Remove.

5. Click Add User or Group.

6. In the Select Users, Computers, or Groups dialog box, click Locations.

7. In the Locations dialog box, click NYC-SVR1, and then click OK.

8. In the Select Users or Groups dialog box, click Object Types.

9. In the Object Types dialog box, select the Groups check box, and then click OK.

10. In the Select Users or Groups dialog box, type Restore Operators and then click OK twice.

11. Close Local Security Policy.
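To confirm that the separation took effect, the user rights can be exported with secedit and checked from a script. The following is an added example, not part of the courseware; it assumes PowerShell 2.0 or later, an elevated prompt on the server, and the Restore Operators local group created in Task 2. The function and variable names are illustrative.

```powershell
# Added example, not from the courseware. Run elevated on the server (NYC-SVR1 in the lab).
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function ConvertTo-Sid([string]$entry) {
    # secedit writes most principals as *SID and some by account name
    if ($entry.StartsWith('*')) { return $entry.Substring(1) }
    $account = New-Object System.Security.Principal.NTAccount($entry)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-RightHolder([string]$right) {
    $line = Get-Content $inf | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }               # the right is assigned to nobody
    $value = $line.Substring($line.IndexOf('=') + 1)
    return @($value.Split(',') | ForEach-Object { ConvertTo-Sid $_.Trim() })
}

$backupOperators  = 'S-1-5-32-551'               # well-known SID of BUILTIN\Backup Operators
$restoreOperators = ConvertTo-Sid "$env:COMPUTERNAME\Restore Operators"

$restore = @(Get-RightHolder 'SeRestorePrivilege')   # "Restore files and directories"
$backup  = @(Get-RightHolder 'SeBackupPrivilege')    # "Back up files and directories"

$findings = @()
if ($restore -contains $backupOperators)     { $findings += 'Backup Operators can still restore.' }
if ($restore -notcontains $restoreOperators) { $findings += 'Restore Operators lacks the restore right.' }
if ($backup -contains $restoreOperators)     { $findings += 'Restore Operators can also back up.' }

# List every remaining holder of the restore right by name where it resolves
foreach ($s in $restore) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($s)
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $s }
}

Remove-Item $inf
if ($findings.Count -eq 0) { 'Backup and restore rights are separated.' } else { $findings }
```

The list of holders also shows any other group that still has the restore right, which the procedure above does not change.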

Exercise 4: Restoring System State Data

Task 1: Back up and restore specific files and folders

1. Click Start, point to Administrative Tools, and then click Windows Server Backup.

2. In the Windows Server Backup window, in the Actions pane, click Backup Once.

3. On the Backup options page, verify that Different options is selected, and then click Next.

4. On the Select backup configuration page, click Custom, and then click Next.

5. On the Select backup items page, clear the Enable system recovery check box.

6. Select the Allfiles (E:) check box, and then click Next.

7. On the Specify destination type page, click Remote shared folder, and then click Next.

8. On the Specify remote folder page, type \\NYC-DC1\Data, and then click Next.

9. On the Specify advanced option page, click VSS full backup, and then click Next.

10. On the Confirmation page, click Backup.

11. The backup will take up to 10 minutes to complete. When it is finished, click Close.

Results: You should have a full backup of the E drive now.

12. Click Start and then click Computer.

13. In the Computer window, browse to E:\Mod15.

14. Right-click Document 3.txt and then click Delete.

15. In the Delete File dialog box, click Yes.

16. In the Windows Server Backup window, in the Actions pane, click Recover.

17. On the Getting started page, click Next.

18. On the Select backup date page, click Next.

19. On the Select recovery type page, verify that Files and folders is selected, and then click Next.

20. On the Select items to recover page, under Available items, expand NYC-INF, expand Allfiles (E:), and then click Mod15.

21. In the details pane, click Document 3.txt, and then click Next.

22. On the Specify recovery options page, review the configuration options, and then click Next.

23. On the Confirmation page, click Recover.

24. When the restore operation is complete, click Close.

25. Close Windows Server Backup.

26. In Windows Explorer, note that Document 3.txt is present.

27. Close Windows Explorer.

Task 2: Check the state of the DHCP service

1. On NYC-INF, click Start, point to Administrative Tools, and then click Services.

2. In the Services details pane, double-click DHCPServer.

3. In the Services dialog box, review the error message, and then click OK.

4. In the second Services dialog box, review the error message, and then click OK.

5. Close Services.

Task 3: Perform a system state restore

1. Click Start, and then click Command Prompt.

2. In the Administrator: Command Prompt window, type wbadmin get versions -backuptarget:e: and then press ENTER.

3. Take note of the version identifier.

4. Type wbadmin start systemstaterecovery -version:<version identifier> -backuptarget:e: and then press ENTER.

5. When prompted to start the system state recovery operation, press Y, and then press ENTER.

6. After a short while, you may press Ctrl+C to cancel the restore.

Note: A full system restore would take a considerable amount of time to complete, but once it is done, the DHCP Server service will start successfully.

Results: You have successfully backed up and restored files using the Windows Server Backup utility.

Task 4: Lab Shutdown

1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6419A Lab Launcher.
