Windows Server 2008 Directory Services Lab Manual

Date post: 18-Nov-2014
Page 1: Windows Server 2008 Directory Services Lab Manual

Windows Server 2008 Directory Services

Lab Manual

Microsoft Confidential - For Internal Use Only

DISCLAIMER

THE CONTENTS OF THIS PACKAGE ARE FOR INFORMATIONAL AND TRAINING PURPOSES ONLY AND ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. BECAUSE TECHNICAL ISSUES AND MARKET CONDITIONS MAY REQUIRE CHANGES TO INFORMATION AND SOFTWARE INCLUDED IN THIS PACKAGE, MICROSOFT CORPORATION (“MICROSOFT®”), AND ITS SUPPLIERS, RESERVE THE RIGHT TO MAKE SUCH CHANGES WITHOUT NOTICE.

Terms of Use

Microsoft Confidential - For Internal Use Only © 2008 Microsoft Corporation. All rights reserved.

This content is proprietary and is intended only for use as described in the content provided in this document. No part of the text or software included in this training package may be reproduced or transmitted in any form or by any electronic or mechanical means, including photocopying, recording, or copying to any information storage and retrieval system, without express written permission from Microsoft.

For more information about use of licensed and copyrighted materials, please visit the Use of Microsoft Copyrighted Content Web page at http://www.microsoft.com/about/legal/permissions/.

Trademarks

Microsoft®, Internet Explorer, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

12/04/2008

Lab 1: Implementing Windows Server 2008

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. These materials are intended for distribution to and use only by Microsoft Premier Customers. Use or distribution of these materials by any other persons is prohibited without the express written permission of Microsoft Corporation. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

©2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Version 1.0

©2008 Microsoft Corporation Microsoft Confidential

During this lab, you will prepare the forest and domain for the introduction of Windows Server 2008 domain controllers. You will be introduced to Server Manager and some of the functions that can be performed using this tool.

Estimated time to complete this lab: 20 minutes

Before You Begin

Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn

After completing this lab, you will be able to:

■ Use Server Manager to perform tasks related to adding roles and features.

Lab Environment

To complete this lab, you will need the following Virtual Machines:

■ 2008-01

Important

You must log on as an administrative user in order to perform all of the tasks in this lab.

■ Administrative username and password

□ Username: Contoso\Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso


Exercise 1: Introduction to Server Manager

Scenario

Use the Initial Configuration Tasks console and Server Manager to perform common tasks.

Tasks

In the following steps, we will examine some of the different types of tasks and information that can be accessed through Server Manager. We will first examine the IP address of the network adapter, and then we will enable Remote Desktop through the Initial Configuration Tasks console. Following that, we will use Server Manager to add the Terminal Services Role and then the Windows Server Backup Feature. Lastly, we will view Diagnostics information provided under Server Manager.

Note

If Initial Configuration Tasks has been closed you can run oobe.exe to open it again.

1. Explore the Initial Configuration Tasks console on 2008-01.

a. View the Network Connection properties for the computer.

1) Under section 1. Provide Computer Information, click Configure networking to display the Network Connections dialog box.

2) Right-click Local Area Connection and select Properties.

3) Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

4) View the IP address of this adapter.

5) Close all and return to the Initial Configuration Tasks screen.

b. Enable Remote Desktop

1) Under section 3. Customize This Server click Enable Remote Desktop. This brings up the Remote tab of System Properties.

2) Select the 2nd option: Allow connections from computers running any version of Remote Desktop (less secure)


3) Read the Firewall exception warning message, click OK, and then click OK in System Properties.

4) Notice Remote Desktop now shows as Enabled.

5) Close the Initial Configuration Tasks console. Server Manager should launch automatically after several seconds.

2. Add the Windows Server Backup Feature from Server Manager

1) Click Features under Server Manager in the left pane.

2) Click Add Features in the right pane. This will launch the Add Features Wizard.

3) Review the available features, expand Windows Server Backup Features, and then select Windows Server Backup.

From the Pop-up message, what additional feature is required for Windows Server Backup to be installed? ____________________________________________________________________________________________1

Click Add Required Features and then select Command-line Tools.

From the Pop-up message, what additional feature is required for Command-line Tools? ____________________________________________________________________________________________2

Select Add Required Features and then click Next. On the Confirm Installation Selections page, click Install. Once the installation finishes the Installation Results will be displayed; confirm the installation succeeded and click Close.

4) Confirm that Windows Server Backup is listed under the Features Summary in the right pane.

3.

1 Windows Recovery Disc

2 Windows PowerShell

Lab 2: Installing Active Directory Domain Services

During this lab, you will promote a Windows Server 2008 machine that is in a workgroup to a Domain Controller in a Windows Server 2003 domain.

Estimated time to complete this lab: 60 minutes

Before You Begin

Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn

After completing this lab, you will be able to:

■ Use new DCPROMO GUI features available in Windows Server 2008

Lab Environment

To complete this lab, you will need the following Virtual Machines:

□ 2003-01

□ 2008-01

Important

You must log on as an administrative user in order to perform all of the tasks in this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso


Exercise 1: Prepare domain and forest for the introduction of a Windows Server 2008 domain controller

Scenario

You are the administrator of Contoso.com, a Windows 2003 domain. You are given the task of introducing a Windows Server 2008 domain controller into your environment.

Pre-Tasks

■ Start the 2003-DC1 Virtual Machine

■ Start the 2008-01 Virtual Machine

Tasks

First, prepare the forest by running adprep /forestprep on 2003-DC1. Then raise the domain functional level to Windows Server 2003 mode. Finally, prepare the domain by running domainprep and gpprep.

1. On 2003-01, at the “Welcome to the Windows Setup Wizard” screen, click Next.

At the “License Agreement” screen, check the “I accept this agreement” radio button and click Next.

At the “Date and Time Settings” screen, click Next.

At the “Network configuration popup”, click “Ok”.

Allow time for 2003-01 to boot up completely.

2. First, prepare the forest by running adprep /forestprep on 2003-DC1.

a. Log on to the Schema Master, 2003-DC1, as Contoso\Administrator.

b. Open a command prompt on 2003-DC1, and change directories to the Adprep folder:

C:\Sources\ADPrep


c. At the command prompt, type the following and then press ENTER:

adprep /forestprep

d. You will be prompted with an ADPREP WARNING message requesting confirmation that all Windows 2000 Active Directory Domain Controllers in the forest are upgraded to Windows 2000 SP4 or later.

1) Type C and then press ENTER. When the process finishes you will receive a message that Adprep successfully updated the forest-wide information.

Note

The domain must be in at least Windows 2000 native mode before you can run adprep /domainprep.

3. Run Adprep /rodcprep

a. Open a command prompt, and then change directories to the Adprep folder: C:\sources\adprep

b. At the command prompt, type the following and then press ENTER:

adprep /rodcprep

c. When the command completes the last entry should report:

"Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory c:\windows\debug\adprep\logs\<numerical value> for more information."

d. Review the adprep.log to see the changes made by running adprep /rodcprep.


4. Prepare the domain by running domainprep and gpprep on 2003-DC1.

a. At the command prompt, type the following and then press ENTER:

adprep /domainprep /gpprep

b. When the process finishes you will receive the messages "Adprep successfully updated the domain-wide information." and "Adprep successfully updated the Group Policy Object (GPO) information."

c. Close the command prompt.


Exercise 2: Promote a Windows Server 2008 machine to a Domain Controller in an existing Windows Server 2003 domain.

Scenario

You are an administrator for your domain and would like to introduce a Windows Server 2008 domain controller in your existing Windows Server 2003 domain.

Tasks

1. Promote 2008-01 as a replica domain controller in the Contoso domain by adding the Active Directory Domain Services role via Server Manager. Then from a command prompt run DCPromo.exe to start the domain controller promotion. Use the advanced mode installation option to make the domain controller a DNS server as well as a Global Catalog. Lastly, export these dcpromo settings to a text file to be used later in the promotion of another domain controller. Name the text file 2008-answer.txt and place it in C:\.

a. Add the AD DS role via Server Manager.

1) Log on to 2008-01 as local Administrator.

2) Launch Server Manager if it is not already open.

a) Click Start, Administrative Tools, and then Server Manager.

3) Select Roles and click Add Roles in the right pane. The Add Roles Wizard will start.

4) On the Before You Begin page click Next.

5) On the Select Server Roles page, select Active Directory Domain Services. Read the Add Roles Wizard pop-up, select the second option Install AD DS anyway, and click Next.

6) Click Next and review the information on the Active Directory Domain Services page, then click Next.

7) Review the information on the Confirm Installation Selections page and then click Install.


8) When the Installation Results are displayed, verify that the installation succeeded.

Note

You can now launch DCPROMO directly from the Installation Results page. There is a link in blue that states – Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe). You decide to start either with a. or with b. – since b. includes a. automatically.

9) Click Close.

10) Notice Active Directory Domain Services is now listed under Roles in Server Manager but has a Red X. Click Active Directory Domain Services and read the Summary.

Note

Please note that the Active Directory snap-ins were not installed when the role was added. Adding the role installs the AD DS binaries only and does not automatically start the dcpromo process.

b. Promote the new domain controller.

1) Open a command prompt, type DCPROMO, and then press ENTER. A check runs to determine if the Active Directory Domain Services binaries are installed. If not, they are installed and the AD DS installation wizard launches automatically.

a) ALTERNATIVELY, you can promote the domain controller from the Roles Summary by clicking Active Directory Domain Services with the Red X and then under Summary click Run the Active Directory Domain Services Installation Wizard (dcpromo.exe).

Note

Since Terminal Services was installed on this computer during the previous lab the ACTIVE DIRECTORY DOMAIN SERVICES INSTALLATION WIZARD displays a message requesting confirmation for changes in security policy on this computer that allows only Administrator to log on to the computer with Terminal Server.

2) Click OK to the dialog. On the Welcome page, check Use advanced mode installation and then click Next.


3) On the Choose a Deployment Configuration page, select Existing forest and Add a domain controller to an existing domain, then click Next.

4) On the Network Credentials page, type Contoso.com in the window for Type the name of any domain in the forest where you plan to install this domain controller.

5) Click Set..., enter the following information as your Network Credentials, and then click OK.

a) User name: Contoso\Administrator

b) Password: P@ssw0rd1

6) Click Next.

7) On the Select a Domain page select Contoso.com (forest root domain) and click Next.

8) In the Select a Site dialog check Use the site that corresponds to the IP address of this computer.

Note

The Windows Server 2008 Active Directory Domain Services Installation Wizard has a new dialog for Additional Domain Controller Options. The options available are:

■ DNS Server

■ Global Catalog

■ Read-only domain controller (RODC)

9) Read the additional information and confirm that both the DNS server and Global catalog options are checked, and then click Next.

10) Read the warning message about delegation for this DNS Server and click Yes.


Note

The informational message that is displayed indicates that a delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS Server… In our case, this occurs since contoso.com is our top-level domain and .com cannot be found because it does not exist. The goal of this informational message is to help ensure IT professionals correctly configure their DNS settings during the DCPROMO process.

11) On the Install from Media screen ensure the first option Replicate data over the network from an existing domain controller is selected and then click Next.

Note

The second new dialog page added to the Windows Server 2008 Active Directory Domain Services Installation Wizard provides the option to select a source domain controller. Note that the source domain controller must be writable.

12) On the Source Domain Controller screen, select the Let the wizard choose an appropriate domain controller option and then click Next.

13) On the Location for Database, Log Files, and Sysvol page leave the default settings and click Next.

14) Provide the Password of P@ssw0rd1 on the Directory Services Restore Mode Administrator Password page and click Next.

15) On the Summary page, click Export settings... to create an answer file for use later.

a) Type C:\2008-answer.txt when prompted for the location to save the unattended file and then click Save and OK.

16) Click Next on the Summary page to begin configuring Active Directory Domain Services.

17) Check the Reboot on completion box on the Active Directory Domain Services Installation Wizard. Once the configuration completes the server will reboot automatically.


2. Confirm the domain controller is functioning properly.

1) Log on as Contoso\administrator after the reboot completes.

2) Initial Configuration Tasks will open automatically. Notice under section 1. Provide Computer Information, the Full Computer Name and Domain are listed.

3) Close Initial Configuration Tasks and Server Manager should start automatically.

4) Confirm Active Directory Domain Services is listed under Roles.

5) From a command prompt type: Net share and confirm that both sysvol and netlogon are shared out.

6) Select Active Directory Domain Services and review the information in the right pane.

7) Expand Active Directory Domain Services in the left pane and examine the following:

a) Expand Active Directory Users and Computers

(1) Confirm 2008-01 is listed under the Domain Controllers container

b) Expand Active Directory Sites and Services

(1) Confirm 2008-01 is added in the East site

(2) Confirm that the 2008-01 NTDS Settings have been created

8) Verify DNS record registration and DNS

a) Verify the following records exist for 2008-01. Expand DNS Server, DNS, 2008-01, Forward Lookup Zones, Contoso.com, and then highlight _tcp. In the right hand window, ensure that the following records exist for 2008-01.

(1) _LDAP._TCP.Contoso.com

(2) _Kerberos._TCP.Contoso.com

(3) _Kpasswd._TCP.Contoso.com


(4) _GC._TCP.Contoso.com

b) Check Primary and Alternate DNS server settings

(1) Highlight Server Manager at the top of the left hand window.

(2) Under Server Summary click View Network Connections.

(3) View the properties of the Internet Protocol Version 4 (TCP/IPv4) of the Local Area Connection and notice which IP address is being used as the Alternate DNS server.

(4) Close these properties and return to Server Manager.

9) Under Diagnostics expand Event Viewer and then Windows Logs

a) Select the Application log and confirm SceCli event 1704 is reported.

b) Under the Applications and Services log select the File Replication Service log and confirm NtFrs event 13516.

Tip

It may take several minutes for the sysvol to share out and for the above events to appear. If you cannot verify these steps after five minutes stop and start the NTFRS service to resolve this issue.

c) Close Server Manager

10) Open dssite.msc and examine the security descriptor on the DC object. It will display an unresolved security identifier -498, which is by design. It was inherited from the configuration container.

3. View dcpromo.log and note the day, month and year this machine was promoted to be a domain controller.

a. Open the C:\Windows\Debug\DCPROMO.LOG file

b. Note that the log now records day, month and year in the first column

1) Example:


10/01/2007 11:03:20 [INFO] Promotion request…

Note The DCPROMO.LOG in Windows Server 2008 now displays the year in addition to the day and month that the domain controller was promoted.

Lab 3: Windows Server 2008 DNS

During this lab, you will configure and troubleshoot DNS.

Estimated time to complete this lab: 75 minutes

Before You Begin

Before starting this lab, you should:

■ Have a basic understanding of DNS

What You Will Learn

After completing this lab, you will be able to:

■ Configure and troubleshoot DNS using NSLOOKUP and NLTEST

Lab Environment

To complete this lab, you will need the following Virtual Machines:

■ 2003-01

■ 2008-01

Important

You must log on as an administrative user in order to perform all of the tasks in this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso

Exercise 1: Use NSLOOKUP to gather IP Information

Task 1: Use NSLOOKUP to retrieve the IP Address of your current logon server and to test whether forward lookup is working.

1. Log on to 2008-01 as Contoso\Administrator.

2. Open a command prompt, type SET and press Enter.


3. What is your logon server? __________________________1

4. Resolve the IP Address of your logon server using NSLOOKUP. Type the following statement and press Enter:

NSLOOKUP 2008-01

5. What are the IP Addresses?__________________________________2

Exercise 2: Using NSlookup, IPConfig, and NLTEST to test DNS settings

Task 1: Verify the new domain controller SRV records using NSLOOKUP

1. Still from 2008-01 type the following command at the command prompt and then press Enter:

NSLOOKUP

2. Type the following command and press enter:

set type=all

3. Type the following command and press enter:

_ldap._tcp.dc._msdcs.Contoso.com

4. You should see the result in Figure 2:

5. Close the command prompt


Figure 2: LDAP Servers for Contoso

Task 2: Verify whether you are using a domain controller in your site using NLTEST and test the next closest site Group Policy Setting

1. On 2008-01, enable next closest site lookups for domain controllers:

a. Open gpedit.msc from the run line.

b. Navigate to Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records. Select Try next closest site, change the setting to Enabled, and then click OK. Close the Local Group Policy Editor.

c. Open a command prompt and run GPUPDATE /Force.

2. Use the following statement to call and test the DSGetDCName function of the DClocator service from the command line. This will show the enumerated or cached DC.

NLTEST /DSGETDC:Contoso.com

More info: http://msdn2.microsoft.com/en-us/library/ms675983.aspx

DC name of current DC: _____________________________________________________3

3. Use the following statement to call and test the DSGetDCOpen function of the DClocator service from the command line. This will show you a list of DCs in a pseudo-random order taking into consideration priorities and weights.


NLTEST /DNSGETDC:Contoso.com

More info: http://msdn2.microsoft.com/en-us/library/ms675985.aspx

DC names of all DCs: ________________________________________________________ __________________________________________________________________________________4

4. Use the following statement to locate a writable DC within a set of DCs in the next closest AD site from the client's perspective that could authenticate the client:

NLTEST /DSGETDC:Contoso.com /Writable /Try_Next_Closest_Site

Note

Since both DCs are in the same site, you will not actually see a next closest site resolution, but during the RODC labs you can test this command to see a populated response. This command would be useful during a support call to show you where DCLocator will look for the next closest DC based on ISTG topology data.

5. Use the following statement to force a rediscovery of DCs and clear the cached DC and site. This command is useful if a DC goes down in the client's site and forces the client to use a DC in another site. The sticky behavior of the DC Locator cache will cause the client to continue to use the remote DC until it becomes unavailable or the client is restarted. However, in Windows Server 2008 and Vista, whenever DsGetDcName retrieves a domain controller name from its cache, it checks whether the cached entry has expired and, if so, discards that domain controller name and tries to rediscover a domain controller.

NLTEST /DSGETDC:Contoso.com /force
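The "is my client using a DC in its own site" question from tasks 2 to 5 can be answered without reading the NLTEST output by eye. The script below is an added example, not part of the lab manual: it runs the DC Locator query through NLTEST, parses the key/value output, and compares the DC's site with the client's site (also checking the CLOSE_SITE flag). It assumes nltest.exe is on the path; the sample output embedded at the end is constructed, with a placeholder hub site name, so the parser can be tried offline.

```powershell
# Added example (not part of the lab manual): query the DC Locator through NLTEST
# and check whether the DC it returned is in the client's own site. Assumes
# nltest.exe is on the path (Windows Server 2008 / Vista). The sample output at
# the end is constructed, not captured from the lab.

function ConvertFrom-NltestDsGetDc {
    param([string[]]$Lines)
    # nltest prints "   Key: Value" pairs; collect them into a hashtable.
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z ]+):\s+(.*)$') {
            $result[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $result
}

function Test-DcInClientSite {
    param([hashtable]$Locator)
    $flags = @()
    if ($Locator.ContainsKey('Flags')) { $flags = $Locator['Flags'] -split '\s+' }
    $sameSite = ($Locator['Dc Site Name'] -eq $Locator['Our Site Name'])
    # CLOSE_SITE is set when the DC is in the client's site (or in the next closest
    # site once Try Next Closest Site is enabled). Without it the client has fallen
    # back to a remote DC and will stick to it until the cache entry expires.
    $close = ($flags -contains 'CLOSE_SITE')
    New-Object PSObject -Property @{
        DomainController = $Locator['DC']
        DcSite           = $Locator['Dc Site Name']
        ClientSite       = $Locator['Our Site Name']
        InClientSite     = $sameSite
        CloseSiteFlag    = $close
        Writable         = ($flags -contains 'WRITABLE')
        Recommendation   = $(if ($sameSite -or $close) { 'OK' } else { 'Remote DC in use: run nltest /dsgetdc:<domain> /force to rediscover' })
    }
}

function Get-DcLocatorResult {
    param(
        [string]$Domain = 'contoso.com',
        [switch]$Force,                # clears the cached DC and site first (task 5)
        [switch]$TryNextClosestSite,   # the behaviour enabled by Group Policy in task 1
        [string[]]$SampleOutput        # parse canned output instead of calling nltest
    )
    if ($SampleOutput) {
        $lines = $SampleOutput
    } else {
        $nltestArgs = @("/dsgetdc:$Domain")
        if ($Force) { $nltestArgs += '/force' }
        if ($TryNextClosestSite) { $nltestArgs += '/try_next_closest_site' }
        $lines = & nltest.exe @nltestArgs 2>&1 | ForEach-Object { "$_" }
    }
    Test-DcInClientSite -Locator (ConvertFrom-NltestDsGetDc -Lines $lines)
}

# Constructed sample: a client in site West that has been handed a DC in the hub
# site (site name is a placeholder, not the lab's).
$sampleOutput = @'
           DC: \\2008-01.contoso.com
      Address: \\172.24.1.2
     Dom Name: contoso.com
  Forest Name: contoso.com
 Dc Site Name: Default-First-Site-Name
Our Site Name: West
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST FULL_SECRET WS 0xC000
The command completed successfully
'@ -split "`r?`n"

Get-DcLocatorResult -SampleOutput $sampleOutput | Format-List
# Against the live lab domain:
#   Get-DcLocatorResult -Domain contoso.com -TryNextClosestSite
#   Get-DcLocatorResult -Domain contoso.com -Force
```

For the constructed sample the result reports InClientSite False and CloseSiteFlag False, which is the sticky remote-DC condition task 5 describes; the Recommendation field then points at the /force rediscovery.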

Exercise 3: GlobalNames Zones

Enable the GlobalNames Zone functionality

Using the command line

1. Log onto 2008-01.

2. Open a command prompt: click Start, right-click Command Prompt, and then click Run as Administrator.

3. Type the following, and then press Enter:

dnscmd 2008-01.contoso.com /config /enableglobalnamessupport 1

Create the GlobalNames Zone

Using the Windows Interface

1. Open the DNS console.

2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.

3. Create a new zone and give it the name GlobalNames.

Note: This is not case sensitive; globalnames is also supported.

4. Choose an appropriate storage method and replication scope for the zone

Note: We recommend that you store the zone in AD DS and replicate it to all domain controllers that are DNS servers in the forest. This will create a new AD DS-integrated zone called GlobalNames which is stored in the forest-wide DNS application partition.

Create a Shortname Resource Record

1. Right-click the GlobalNames zone and select New Host (A or AAAA)

2. In Name type test

3. In IP Address type 10.10.10.55

4. Click Add Host

Use NSLOOKUP to query the GlobalNames zone

1. Open a command prompt

2. Type NSLOOKUP

3. Type set type=all

4. Type server 2003-01

5. Type test and see the result

6. Type server 2008-01

7. Type test and see whether the query displays the correct result
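The three parts of this exercise (enable GlobalNames support, create the zone and record, verify with NSLOOKUP) are shown together below as an added example; it is not code from the lab manual. It assumes dnscmd.exe and nslookup.exe are available and that the caller is a DNS administrator. The server names, the record name test and the address 10.10.10.55 are the lab's values; the two nslookup outputs embedded at the end are constructed (the 2003 server's address in particular is a placeholder) so the parser can be tried offline.

```powershell
# Added example (not part of the lab manual): GlobalNames zone setup from the
# command line, followed by the nslookup verification. Assumes dnscmd.exe and
# nslookup.exe are available and the caller is a DNS administrator.

function Enable-GlobalNamesZone {
    param(
        [string]$DnsServer = '2008-01.contoso.com',
        [string]$ShortName = 'test',
        [string]$IPAddress = '10.10.10.55'
    )
    # GNZ support is a per-server setting: repeat it on every Windows Server 2008
    # DNS server that should answer single-label queries from the zone.
    & dnscmd.exe $DnsServer /config /enableglobalnamessupport 1
    # AD-integrated zone stored in the forest-wide DNS application partition.
    & dnscmd.exe $DnsServer /zoneadd GlobalNames /dsprimary /dp /forest
    # The single-label record itself.
    & dnscmd.exe $DnsServer /recordadd GlobalNames $ShortName A $IPAddress
}

function Test-GlobalNamesResolution {
    param(
        [string]$ShortName = 'test',
        [string]$DnsServer = '2008-01',
        [string[]]$SampleOutput   # parse canned output instead of calling nslookup
    )
    if ($SampleOutput) {
        $lines = $SampleOutput
    } else {
        $lines = & nslookup.exe $ShortName $DnsServer 2>&1 | ForEach-Object { "$_" }
    }
    $addresses = @()
    $inAnswer = $false
    foreach ($line in $lines) {
        # The first Server/Address pair describes the server itself; the answer
        # section starts at "Name:".
        if ($line -match '^Name:\s') { $inAnswer = $true; continue }
        if ($inAnswer -and $line -match '^Address(?:es)?:\s*(\S+)') { $addresses += $Matches[1] }
        if ($line -match 'internet address = (\S+)') { $addresses += $Matches[1] }
    }
    New-Object PSObject -Property @{
        Server    = $DnsServer
        Name      = $ShortName
        Resolved  = ($addresses.Count -gt 0)
        Addresses = $addresses
        # A Windows Server 2003 DNS server has no GNZ support, so the short name fails there.
        Failure   = [string]($lines | Where-Object { $_ -match "can't find" })
    }
}

# Constructed sample answers for the two servers used in the lab.
$answer2008 = @'
Server:  2008-01.contoso.com
Address:  172.24.1.2

Name:    test.contoso.com
Address:  10.10.10.55
'@ -split "`r?`n"

$answer2003 = @'
Server:  2003-01.contoso.com
Address:  192.0.2.10
*** 2003-01.contoso.com can't find test: Non-existent domain
'@ -split "`r?`n"

Test-GlobalNamesResolution -DnsServer '2008-01' -SampleOutput $answer2008
Test-GlobalNamesResolution -DnsServer '2003-01' -SampleOutput $answer2003
# Live, after Enable-GlobalNamesZone has run against 2008-01:
#   Enable-GlobalNamesZone -DnsServer 2008-01.contoso.com
#   Test-GlobalNamesResolution -ShortName test -DnsServer 2008-01
```

Note that nslookup appends the client's DNS suffix, so the query that reaches the server is for test.contoso.com; the 2008 server falls back to the GlobalNames zone when that name is not in the contoso.com zone, which is why the single-label record resolves there and fails on the 2003 server.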

Answers:

(1) LOGONSERVER=\\2008-01

(2) 172.24.1.2

(3) DC: \\2008-01.contoso.com

(4) 2003-dc1.contoso.com, 2008-01.contoso.com

Lab 4: Implementing RODC

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. These materials are intended for distribution to and use only by Microsoft Premier Customers. Use or distribution of these materials by any other persons is prohibited without the express written permission of Microsoft Corporation. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

©2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Version 1.0

During this lab, you will prepare the forest and domain for the introduction of Windows Server 2008 Read Only Domain Controllers. You will also install the RODC and understand its features.

Estimated time to complete this lab: 90 minutes

Before You Begin

Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn

After completing this lab, you will be able to:

■ Understand preparation and installation of a Windows Server 2008 Read Only Domain Controller.

■ Understand new features and functionality of RODC

Lab Environment

To complete this lab, you will need the following Virtual Machines:

■ 2003-01

■ 2008-01

■ 2008-02

■ Vista-01

Important

You must log on as an administrative user in order to perform some of the tasks in this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso


Exercise 1: Prepare Windows Server 2003 domain for the installation of a Read Only Domain Controller

Scenario

You are the administrator of the Contoso.com domain and have branch offices where physical security cannot be guaranteed. You have decided to install a Read Only Domain Controller (RODC) in your branch office.

Tasks

1. Prepare the contoso.com domain (Windows 2003 domain) for the RODC installation.

a. Ensure that the forest functional level is Windows Server 2003.

1) Log onto the domain controller 2003-DC1 as contoso\administrator.

2) Open Active Directory Domains and Trusts. Click the Action menu and choose Raise Forest Functional Level. When the Raise forest functional level dialog opens, check that the forest functional level is set to Windows Server 2003.

Exercise 2: Install an RODC on a full installation of Windows Server 2008

Scenario

Now that you have prepared your domain for RODC installation, you want to delegate the ability to attach the server that will be the RODC in your branch office to a user, Susan Burk. You have therefore decided to perform a staged installation of the RODC and use this method to add Users, Computers and Groups to the Password Replication Policy.

Tasks

1. Configure network settings on 2008-02 and Vista-01 to place them in the 10.1.2.x subnet that maps to the West site, then join Vista-01 to the Contoso.com domain.

2. Log onto Vista-01 using the local Administrator account (User: Administrator, Password: P@ssw0rd1).

a. Disable cached credentials on Vista-01, so that later logons are proven to be served by a domain controller rather than by the local credential cache.

1) Launch Regedit.exe on Vista-01.

2) Expand HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

3) Set the CachedLogonsCount value to 0, and then close Regedit.exe.

b. Join Vista-01 to contoso.com and reboot the client afterwards.

3. Pre-create a Read Only Domain Controller account using Active Directory Users and Computers on 2008-01.

a. Log onto the domain controller 2008-01 as Contoso\administrator.

b. Launch Server Manager if it is not already open.

c. Expand Roles, Active Directory Domain Services, Active Directory Users and Computers and then Contoso.com.

d. Right-click the Domain Controllers container and select Pre-create Read-only Domain Controller account.

e. Select the check box for Use advanced mode installation and click Next.

f. On the Network Credentials page verify My current logged on credentials (CONTOSO\administrator) is selected and click Next.

g. On the Specify Computer Name page provide 2008-02 as the computer name and click Next.

h. On the Select a Site page select West and click Next.

i. On the Additional Domain Controller Options page, ensure DNS server and Global Catalog are checked and that Read-only domain controller (RODC) is checked but grayed out. Click Next.

j. On the Specify the Password Replication Policy page notice only the Allowed RODC Password Replication Group is set to Allow under Settings. Click Add.

k. On the Add Groups, Users and Computers dialog choose Allow passwords for the account to replicate to this RODC and click OK.

1) Add user Don Hall and computer Vista-01 and click OK. Ensure Don Hall and Vista-01 have been added with the setting of Allow. Click Next.

l. On the Delegation of RODC Installation and Administration page click Set…, on the Select User or Group dialog add Susan Burk, and click OK. Click Next and then Next again to create the Read Only Domain Controller computer account. Click Finish.

m. Notice the computer account created in the Domain Controllers container is listed as type: Unoccupied DC Account (Read-only, GC).

4. Install the Active Directory Domain Services role.

a. Log onto 2008-01 and reset the password for Susan Burk to P@ssw0rd1.

b. Log onto 2008-02 as the local Administrator with the password P@ssw0rd1.

c. Launch Server Manager and select Roles. Click Add Roles in the right pane. The Add Roles Wizard starts. On the Before You Begin page click Next.

d. On the Select Server Roles page select Active Directory Domain Services and click Next.

e. Review the information on the Active Directory Domain Services page and click Next.

f. On the Confirm Installation Selections page, click Install.

g. Once the installation finishes click Close.

5. Promote 2008-02 as a Read Only Domain Controller using the delegated account.

a. Click Start, Run and type: dcpromo /UseExistingAccount:Attach and then click OK.

b. On the Active Directory Domain Services Installation Wizard check the box for Use advanced mode installation and click Next.

c. On the Network Credentials page, provide Contoso.com as the domain name and click Set…. Provide SBurk as the user name and P@ssw0rd1 as the password, click OK and then Next.

d. On the Select Domain Controller Account page select 2008-02 and click Next.

e. Select Yes if it reports a message indicating this computer has one or more network adapters without any static IP address settings… Click Next.

f. On the Install from Media page ensure Replicate data over the network from an existing domain controller is selected and click Next.

g. On the Source Domain Controller page ensure Let the wizard choose an appropriate domain controller is selected and click Next.

h. On the Location for Database, Log Files, and SYSVOL page leave the default entries and click Next.

i. On the Directory Services Restore Mode Administrator Password page provide the password P@ssw0rd1 and click Next.

j. On the Summary page click Next and choose Reboot on completion from the Active Directory Domain Services Installation Wizard.

6. Verify the installation of Active Directory.

a. After the computer reboots allow the replication to take place.

b. Log on as Contoso\SBurk.

c. Start Server Manager and confirm that Active Directory Domain Services is listed under Roles.

d. What happens if you attempt to add the user accounts for Susan Burk and Don Hall to the Domain Admins group? Why?

__________________________________________________________________________________________

__________________________________________________________________________________________ (1)

7. For the purpose of this lab confirm successful replication of 2008-02.

a. Log on to 2008-01 as Contoso\Administrator.

b. Force 2008-02 to inbound replicate the domain partition from 2008-01 using:

repadmin /replicate 2008-02 2008-01 dc=contoso,dc=com

c. Log on to 2008-02 as Contoso\Administrator.

Note: You may get an error when trying to log onto 2008-02 for the first time because the trust account is not yet valid. If so, force inbound replication on 2008-02 before trying again.

d. Force FRS to poll AD by running ntfrsutl poll /now on 2008-02.
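The delegated attach in task 5 can also be driven by an unattend file, which is how it would be done on a Server Core branch box or by a scripted build. The block below is an added example, not code from the lab manual. The key names are the Windows Server 2008 dcpromo [DCInstall] unattend keys; the answer-file path, the choice to keep RebootOnCompletion=No so the file can be removed before the restart, and the use of Start-Process (PowerShell 2.0) are my assumptions. Password=* makes dcpromo prompt for SBurk's password instead of storing it in the file; the DSRM password still has to be written, which is why the file is deleted as soon as dcpromo returns.

```powershell
# Added example (not part of the lab manual): the delegated RODC attach as an
# unattended dcpromo run. Key names are the Windows Server 2008 dcpromo [DCInstall]
# unattend keys; the file path and the reboot handling are assumptions.

function New-RodcAttachAnswerFile {
    param(
        [string]$Path = 'C:\rodc-attach.txt',     # assumed location
        [string]$DomainDnsName = 'contoso.com',
        [string]$DelegatedUser = 'SBurk',          # the account delegated on the pre-created RODC account
        [string]$SafeModeAdminPassword
    )
    if (-not $SafeModeAdminPassword) { throw 'A Directory Services Restore Mode password is required' }
    $content = @(
        '[DCInstall]'
        'UseExistingAccount=Attach'                 # bind to the pre-created, unoccupied RODC account
        "ReplicaDomainDNSName=$DomainDnsName"
        "UserDomain=$DomainDnsName"
        "UserName=$DelegatedUser"
        'Password=*'                                # * = prompt; the delegated user's password never hits disk
        'DatabasePath=C:\Windows\NTDS'
        'LogPath=C:\Windows\NTDS'
        'SYSVOLPath=C:\Windows\SYSVOL'
        "SafeModeAdminPassword=$SafeModeAdminPassword"
        'RebootOnCompletion=No'                     # reboot after the answer file has been removed
    )
    Set-Content -Path $Path -Value $content -Encoding ASCII
    return $Path
}

function Invoke-RodcAttach {
    param([string]$AnswerFile)
    try {
        # Wait for dcpromo to finish; with RebootOnCompletion=No it returns instead of restarting.
        $proc = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/unattend:$AnswerFile" -Wait -PassThru
        $exitCode = $proc.ExitCode
    } finally {
        # The file holds the DSRM password: remove it as soon as dcpromo has consumed it.
        Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    }
    # Details of the run are in %SystemRoot%\debug\dcpromo.log; restart once it reports success.
    return $exitCode
}

# Usage on 2008-02, logged on as the local Administrator (password value is the lab's):
#   $file = New-RodcAttachAnswerFile -SafeModeAdminPassword 'P@ssw0rd1'
#   Invoke-RodcAttach -AnswerFile $file
#   shutdown /r /t 0
```

Because the account was pre-created with Susan Burk delegated on it, SBurk needs no domain-level administrative rights for this attach to succeed, which is the point the question in task 6d is driving at.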

Exercise 3: Test the Password Replication Policy

Scenario

As an administrator for the Contoso domain, you are curious to find out what new attributes support the Password Replication Policy. You understand that the Password Replication Policy is the mechanism for determining whether a user's or computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.

Tasks

1. View the following attributes that have been added to the Active Directory schema to support the functionality that is required for RODC caching operations:

msDS-Reveal-OnDemandGroup

msDS-NeverRevealGroup

msDS-RevealedList

msDS-AuthenticatedToAccountList

a. Log on to 2008-01 as Contoso\administrator.

b. Launch Server Manager if it is not already open: click Start, Administrative Tools, and then Server Manager.

c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers, Contoso.com and then select the Domain Controllers OU.

d. Enable Advanced Features by clicking the View menu and then Advanced Features.

e. Select 2008-02 from the right pane.

f. Right-click it and select Properties.

g. Select the Attribute Editor tab.

h. Click Filter and select Constructed and Backlinks.

i. Now under the Attributes list, you will see the following attributes listed:

msDS-Reveal-OnDemandGroup: commonly known as the Allowed List

msDS-NeverRevealGroup: commonly known as the Denied List

msDS-RevealedList: commonly known as the Revealed List

msDS-AuthenticatedToAccountList: commonly known as the Authenticated to List
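The same four attributes can be read straight from the RODC's computer object over LDAP, which is how you would check the Password Replication Policy state from a script or during an incident rather than through the Attribute Editor. The block below is an added example, not code from the lab manual. It uses only System.DirectoryServices, so it runs on Windows Server 2008 without the AD PowerShell module; the RODC name and domain DN are the lab's values, the export path is an assumption. The Export function serves Exercise 6: the Revealed List is exactly the set of accounts whose passwords have to be reset after an RODC is stolen, and it is worth saving before the RODC object is deleted.

```powershell
# Added example (not part of the lab manual): read the RODC Password Replication
# Policy attributes over LDAP. Uses System.DirectoryServices only.

function ConvertFrom-DnWithString {
    param($Value)
    # msDS-RevealedList values use the DN-with-string syntax "S:<len>:<string>:<DN>";
    # keep the DN and the string part. Plain DNs (the other three lists) pass through.
    $s = "$Value"
    if ($s -match '^S:\d+:([^:]*):(.+)$') { return "$($Matches[2]) [$($Matches[1])]" }
    return $s
}

function Get-RodcPasswordReplicationState {
    param(
        [string]$RodcName = '2008-02',
        [string]$SearchBase = 'LDAP://DC=contoso,DC=com'
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # primaryGroupID 521 is "Read-only Domain Controllers", so a workstation that
    # happens to share the name is not matched.
    $searcher.Filter = "(&(objectClass=computer)(primaryGroupID=521)(cn=$RodcName))"
    $attrs = @('msDS-Reveal-OnDemandGroup', 'msDS-NeverRevealGroup',
               'msDS-RevealedList', 'msDS-AuthenticatedToAccountList')
    [void]$searcher.PropertiesToLoad.AddRange([string[]]$attrs)
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "RODC '$RodcName' not found under $SearchBase" }

    $lists = @{}
    foreach ($attr in $attrs) {
        $values = @()
        foreach ($v in $result.Properties[$attr.ToLower()]) { $values += ConvertFrom-DnWithString $v }
        $lists[$attr] = $values
    }
    New-Object PSObject -Property @{
        RODC            = $RodcName
        AllowedList     = $lists['msDS-Reveal-OnDemandGroup']       # may be cached
        DeniedList      = $lists['msDS-NeverRevealGroup']           # never cached; Deny wins over Allow
        RevealedList    = $lists['msDS-RevealedList']               # secrets actually held on the RODC
        AuthenticatedTo = $lists['msDS-AuthenticatedToAccountList'] # accounts that authenticated via this RODC
    }
}

function Export-RodcRevealedAccounts {
    # Stolen-RODC case: the Revealed List is the set of accounts to reset. Save it
    # before the RODC computer object is deleted (assumed CSV path).
    param([string]$RodcName = '2008-02', [string]$Path = 'C:\rodc-revealed.csv')
    $state = Get-RodcPasswordReplicationState -RodcName $RodcName
    $state.RevealedList | ForEach-Object {
        New-Object PSObject -Property @{ RODC = $RodcName; Revealed = $_ }
    } | Export-Csv -Path $Path -NoTypeInformation
    return $Path
}

# Usage on 2008-01 as Contoso\administrator:
Get-RodcPasswordReplicationState -RodcName '2008-02' | Format-List
# Export-RodcRevealedAccounts -RodcName '2008-02'
```

After Don Hall logs on to Vista-01 through the RODC in the next task, both accounts should appear in RevealedList and AuthenticatedTo; an account that shows up only in AuthenticatedTo was authenticated through the RODC but its secrets were not cached there.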

Scenario

During the installation of the RODC you set a policy for the passwords of the Vista-01 machine account and the user Don Hall to be cached on the RODC. You now want Don Hall, a user in the branch office, to log on to Vista-01. After the user and machine successfully authenticate, you expect their passwords to be stored on the RODC.

Tasks

1. Pause the 2003-01 Virtual Machine from within the Virtual Server Administration website or Virtual PC settings. Since Windows Server 2003 does not recognize the Windows Server 2008 RODC as a domain controller, the 2003 server will register DNS service records in the West site. We pause the 2003 domain controller to prevent it from accepting authentication requests from our Vista-01 client.

2. Log onto 2008-01 and reset the password for Don Hall to P@ssw0rd1.

3. Restart Vista-01, then log on to Vista-01 as contoso\dhall.

4. Log on to 2008-02 as contoso\SBurk. View the credentials that are currently cached on the RODC. Ensure Don Hall and Vista-01 are cached. Review which accounts have been authenticated to the RODC.

a. Log on to 2008-02 as Contoso\SBurk.

b. Launch Server Manager if it is not already open.

1) Click Start, Administrative Tools, and then Server Manager.

c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers.

d. Expand Contoso.com and then select the Domain Controllers container.

e. In the details pane, right-click 2008-02 and select Properties.

f. Click the Password Replication Policy tab.

g. Click Advanced.

h. From the drop-down list, select Accounts whose passwords are stored on this Read-only Domain Controller and ensure Don Hall and Vista-01 are cached.

i. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller and list the accounts that have been authenticated to the RODC.

5. Log off Vista-01.

Scenario

Don Hall, a user in the branch office, wants to log on to his machine, Vista-01. However, the WAN connection is down and the branch office, which belongs to the site West, only contains an RODC. You understand that the RODC will be able to authenticate Don Hall and Vista-01 because their credentials are successfully cached on the RODC.

Tasks

1. Pause 2008-01 to simulate a broken WAN link.

2. Log on to the Vista-01 machine as Don Hall (this should be successful).

3. Resume the virtual machines 2008-01 and 2003-01.

Exercise 4: Administrator Role Separation

Scenario

You are the administrator of the Contoso domain and would like to create a local administrator role for the RODC and add a user to that role.

Tasks

1. Configure Administrator Role Separation for an RODC.

a. Log on to 2008-02 as Contoso\administrator.

b. Launch a command prompt, type dsmgmt and then press ENTER.

c. At the DSMGMT prompt, type local roles and then press ENTER.

d. Type add contoso\bsmith Administrators. It will report the message Successfully updated local role.

2. Type Quit two times.

3. Close the command prompt.

4. Log onto 2008-02 using the contoso\bsmith account.

Exercise 5: Dump the RODC machine account

Scenario

You are the administrator of the Contoso domain. You want to quickly find out how many RODCs you have in your domain, using the command line.

Tasks

1. Use DSQuery and NLTest to discover the RODCs in the domain.

a. Open a command prompt on 2008-01.

b. Type dsquery server -isreadonly and view the results.

c. Type nltest /dclist:Contoso.com and view the results.
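Exercises 4 and 5 both lend themselves to scripting, and the block below is an added example for them; it is not code from the lab manual. The inventory part queries LDAP for the two markers that identify an RODC account (membership in Read-only Domain Controllers, primaryGroupID 521, and the PARTIAL_SECRETS_ACCOUNT bit in userAccountControl) and cross-checks the result against the DC Locator's list, which is what dsquery server -isreadonly and nltest /dclist show separately. The role-separation part passes dsmgmt its menu commands as arguments; that dsmgmt accepts batched commands the way ntdsutil does is my assumption. Account and server names are the lab's.

```powershell
# Added example (not part of the lab manual): RODC inventory over LDAP with a
# DC Locator cross-check, and the Administrator Role Separation step run
# non-interactively (dsmgmt command batching is an assumption).

function Get-RodcInventory {
    param([string]$SearchBase = 'LDAP://DC=contoso,DC=com')
    $root = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Two independent markers of an RODC account: primaryGroupID 521 (Read-only
    # Domain Controllers) and the PARTIAL_SECRETS_ACCOUNT bit 0x04000000 (67108864)
    # in userAccountControl; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule.
    $searcher.Filter = '(&(objectClass=computer)(|(primaryGroupID=521)(userAccountControl:1.2.840.113556.1.4.803:=67108864)))'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'userAccountControl', 'primaryGroupID', 'distinguishedName'))
    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        New-Object PSObject -Property @{
            DnsHostName       = [string]$r.Properties['dnshostname'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            PartialSecrets    = (($uac -band 0x04000000) -ne 0)
            ReadOnlyDcGroup   = ([int]$r.Properties['primarygroupid'][0] -eq 521)
        }
    }
}

function Compare-RodcInventoryWithLocator {
    # Cross-check LDAP against what the DC Locator advertises (nltest /dclist).
    # An account present in LDAP but absent from the list is worth a look: it may
    # be a pre-created account that was never attached, or a DC that is not advertising.
    param([string]$Domain = 'contoso.com', [string]$SearchBase = 'LDAP://DC=contoso,DC=com')
    $dclist = & nltest.exe "/dclist:$Domain" 2>&1 | ForEach-Object { "$_" }
    foreach ($rodc in Get-RodcInventory -SearchBase $SearchBase) {
        $listed = $false
        if ($rodc.DnsHostName) {
            $pattern = '(?i)' + [regex]::Escape($rodc.DnsHostName)
            $listed = [bool]($dclist | Where-Object { $_ -match $pattern })
        }
        New-Object PSObject -Property @{
            DnsHostName       = $rodc.DnsHostName
            DistinguishedName = $rodc.DistinguishedName
            InDcList          = $listed
        }
    }
}

function Add-RodcLocalAdministrator {
    # Administrator Role Separation without the interactive prompt. Run on the RODC
    # itself; the two trailing "quit" arguments leave "local roles" and then dsmgmt.
    # Assumption: dsmgmt accepts its menu commands as quoted arguments like ntdsutil.
    param([string]$Account = 'contoso\bsmith')
    & dsmgmt.exe "local roles" "add $Account administrators" "show role administrators" quit quit
}

# Usage on 2008-01 as Contoso\administrator:
Compare-RodcInventoryWithLocator -Domain 'contoso.com' | Format-Table -AutoSize
# On 2008-02 as Contoso\administrator:
#   Add-RodcLocalAdministrator -Account 'contoso\bsmith'
```

Role separation grants bsmith local administrative rights on the RODC only; it confers nothing in the domain, which is why it is the right way to hand a branch server over to on-site staff without putting them in Domain Admins.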

Exercise 6: Reset the credentials cached on the stolen RODC and delete the RODC

Scenario

You are the administrator of the Contoso domain. You just found out that the RODC in your branch office has been stolen. You are concerned that some of your users' passwords are cached on the RODC. You are going to take the appropriate steps to reset the credentials currently cached on the RODC.

Tasks

1. Reset the credentials that are currently cached on the RODC.

a. Log on to 2008-01 as Contoso\Administrator.

b. Launch Server Manager if it is not already open: click Start, Administrative Tools, and then Server Manager.

c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers.

d. Expand Contoso.com and then select the Domain Controllers container.

e. In the details pane, right-click 2008-02 and select Delete.

f. To confirm the deletion, click Yes.

g. This launches the Deleting Domain Controller dialog box.

1) Review the following options:

○ Reset all passwords for user accounts that were cached on this Read-only Domain Controller

○ Reset all passwords for computer accounts that were cached on this Read-only Domain Controller

○ Uncheck Export the list of accounts that were cached on this Read-only Domain Controller to this file

h. Click Cancel. Do NOT click Delete! The RODC is needed for a later lab.

(1) The options are grayed out and the user is unable to make changes.

Lab 5: Server Core

During this lab, you will promote a Windows Server 2008 server core machine into the contoso.com domain. You will also learn how to perform basic administrative tasks from the command line.

Estimated time to complete this lab: 60 minutes

Before You Begin

Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server

What You Will Learn

After completing this lab, you will be able to:

■ Configure IPV4 addresses with Netsh

■ Add a Server Role with ocsetup

Lab Environment

To complete this lab, you will need the following Virtual Machines:

■ 2008-core-01

■ 2008-01

■ 2003-01

You must log on as an administrative user in order to perform some of the tasks in this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

Exercise 1: Configure the IP Address with Netsh

Scenario

You have a fresh install of Windows Server 2008 Core. You are tasked with setting the IP address in a manner that is consistent with corporate guidelines.

Tasks

1. Use Netsh to configure TCP/IP properties.

a. In the command prompt type netsh and press ENTER.

b. Type interface and press ENTER.

c. Type ipv4 and press ENTER.

d. Type show interfaces and press ENTER to show the list of network adapters.

e. Note that the Idx is 2 for the Local Area Connection network adapter.

f. Type the following to set the IP address and subnet mask (the command as given sets no default gateway):

set address "2" static 10.1.1.2 255.0.0.0

g. Type the following to set the primary DNS server:

add dnsserver "2" 10.1.1.4 1

h. Type exit and press ENTER.

i. Verify the IP configuration information. At the command prompt type the following and then press ENTER:

ipconfig /all

2. Change the hostname to 2008-Core-01.

a. In the command prompt type the following:

netdom renamecomputer . /newname:2008-Core-01

b. Enter Y to confirm and press ENTER.

c. Reboot the machine by typing:

shutdown /r

Exercise 2: Configure 2008-core-01 so that it can be controlled remotely

Scenario

2008-core-01 will be in a remote location. Make sure it will be possible to connect to the server using RDP.

1. Enable Remote Desktop.

a. At the command prompt type the following and then press ENTER:

cscript C:\Windows\System32\Scregedit.wsf /ar 0

Note: cscript C:\Windows\System32\Scregedit.wsf /cli will show you several other options.

2. Connect to 2008-core-01 remotely.

a. Log onto 2008-01 as contoso\administrator.

b. Launch MSTSC.

c. Type 2008-core-01 and click Connect.

d. Right-click DNS; select Connect to DNS Server….

e. Select The following computer:, enter 2008-core-01 and click OK.

f. Verify RDP is now available on 2008-core-01.

Exercise 3: Add the Windows Server Backup feature

Scenario

All servers need backup. Please add the Windows Server Backup feature to 2008-core-01. We will use this feature in a later lab.

1. Add the Windows Server Backup feature with ocsetup.

a. At the command prompt type the following and then press ENTER:

start /w ocsetup WindowsServerBackup

b. Once the process is completed, you will see the command prompt again.

c. Confirm that the feature is added by typing the following command:

oclist

d. Confirm it shows "Installed" for WindowsServerBackup.

Exercise 4: Add the DNS Server role with ocsetup

Scenario

In preparation for promotion to a domain controller, add the DNS Server role to 2008-core-01.

1. Add the DNS Server role with ocsetup.

a. At the command prompt type the following and then press ENTER:

start /w ocsetup DNS-Server-Core-Role

Note: Using the /w switch prevents the command prompt from returning until the installation completes. Without the /w switch there is no indication that the installation has completed.

b. Once the process is completed, you will see the command prompt again.

c. Confirm that the role is added by typing the following:

oclist

d. Confirm it shows "Installed" for DNS-Server-Core-Role.

2. Manage the DNS Server role remotely.

a. Log onto 2008-01 as contoso\administrator.

b. Launch DNSMGMT.msc.

c. Right-click DNS; select Connect to DNS Server….

d. Select The following computer:, enter 2008-core-01 and click OK.

Exercise 5: Promote the Server Core box into the contoso.com domain using the answer file that we created in a previous lab

Scenario

You are testing the use of Server Core domain controllers in your enterprise. Please promote 2008-core-01 as a new domain controller in contoso.com using an unattend file (the unattend file was created in a previous lab).

1. Run dcpromo with the answer file.

a. Copy the unattended installation file created in lab 3 to 2008-core-01.

b. Open the file in notepad.exe.

c. Find the SafeModeAdminPassword field and set it to P@ssw0rd1.

d. At the command prompt type the following and then press ENTER:

dcpromo /unattend:2008-answer.txt

e. It will check whether the Active Directory Domain Services binaries are installed. If not, it will install the binaries and then start Active Directory Domain Services setup.

f. When prompted, enter P@ssw0rd1 as the administrator password.

g. Once the installation completes, it will restart the server.

h. Log on as contoso\administrator after the reboot completes.

i. At the command prompt type the following and then press ENTER. Notice that the firewall is enabled.

netsh firewall show state

j. At the command prompt, type the following and then press ENTER:

net share

k. Confirm Sysvol and Netlogon are shared.
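Steps i to k verify the new domain controller from its own console; the check is more useful when run from the management host, which is also where RDP access (Exercise 2) and the remote DNS console (Exercise 4) are exercised. The block below is an added example, not code from the lab manual: from 2008-01 it tests the service ports 2008-core-01 should now be listening on, the SYSVOL and NETLOGON shares, and whether the DC Locator advertises the server. It assumes PowerShell 2.0 on the management host and nltest.exe on the path; host and domain names are the lab's.

```powershell
# Added example (not part of the lab manual): post-promotion verification of a
# Server Core DC from the management host. Assumes PowerShell 2.0 and nltest.exe.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Bounded wait so a silently dropped port does not hang the whole check.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-CoreDomainController {
    param([string]$ComputerName = '2008-core-01', [string]$Domain = 'contoso.com')
    # Ports the exercises in this lab should have opened: RDP (Exercise 2), DNS
    # (Exercise 4) and the AD DS ports created by the promotion (Exercise 5).
    $ports = @{ 'RDP (3389)' = 3389; 'DNS (53)' = 53; 'LDAP (389)' = 389; 'Kerberos (88)' = 88; 'SMB (445)' = 445 }
    $checks = @{}
    foreach ($name in $ports.Keys) {
        $checks[$name] = Test-TcpPort -ComputerName $ComputerName -Port $ports[$name]
    }
    # Group Policy and logon scripts depend on these two shares (step k).
    $checks['SYSVOL share']   = Test-Path "\\$ComputerName\SYSVOL"
    $checks['NETLOGON share'] = Test-Path "\\$ComputerName\NETLOGON"
    # Reachable is not enough: the DC Locator must also advertise the new DC.
    $dclist = & nltest.exe "/dclist:$Domain" 2>&1 | ForEach-Object { "$_" }
    $pattern = '(?i)\b' + [regex]::Escape($ComputerName) + '\b'
    $checks['Listed by nltest /dclist'] = [bool]($dclist | Where-Object { $_ -match $pattern })
    foreach ($key in ($checks.Keys | Sort-Object)) {
        New-Object PSObject -Property @{ Check = $key; Passed = $checks[$key] }
    }
}

# Usage on 2008-01 as contoso\administrator:
Test-CoreDomainController -ComputerName '2008-core-01' -Domain 'contoso.com' | Format-Table Check, Passed -AutoSize
```

A failed port check with the shares present usually points at the firewall that step i showed to be enabled; a failed /dclist check with everything else passing means the DC has not yet registered its locator records in DNS.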

Lab 6: Directory Services Auditing Changes

During this lab, you will perform hands on Windows Server 2008 Auditing.

Estimated time to complete this lab: 60 minutes

Before You Begin

Before starting this lab, you should:

■ Have a basic understanding of directory service auditing changes.

What You Will Learn

After completing this lab, you will be able to:

■ Enable and disable auditing

■ Understand new auditing Event ID’s

Lab Environment

To complete this lab, you will need the following Virtual Machines:

■ 2008-01

You must log on as an administrative user in order to perform all of the tasks in this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso

Exercise 1: Review DS Auditing changes in Windows Server 2008

Scenario

You are an administrator of the Contoso domain and would like to view the changes to auditing in Windows Server 2008.

Tasks

1. Review the Audit Policy settings under the Default Domain Policy.

a. Log on to 2008-01 as Contoso\administrator.

b. Launch Server Manager if it is not already open.

c. Expand Features.

d. Expand Group Policy Management.

e. Expand Forest: Contoso.com.

f. Expand Domains.

g. Expand Contoso.com.

h. Expand Group Policy Objects.

i. Select Default Domain Policy.

j. Right-click it and select Edit....

k. In the Group Policy Management Editor, select Audit Policy under Computer Configuration, Windows Settings, Security Settings, Local Policies.

l. Review the audit policies and policy settings in the details pane.

m. Close the Group Policy Management Editor.

2. Review the Audit Policy settings under the Default Domain Controllers Policy. Ensure the policy setting for the directory service access audit policy is set to Success.

a. Select Default Domain Controllers Policy under Group Policy Objects in Server Manager.

b. Right-click it and select Edit....

Page 62: Windows Server 2008 Directory Services Lab Manual

©2008 Microsoft Corporation Microsoft Confidential

3

c. In Group Policy Management Editor, Select Audit Policy under Computer

Configuration, Windows Settings, Security Settings, Local Policies

d. Review audit policies and policy setting in details pane

e. Confirm Policy Setting for Audit directory service access is set to

Success.

f. Close Group Policy Management Editor

3. View the subcategories of DS Access via auditpol and ensure that Directory Service Changes is set to Success

a. Launch a command prompt

1) Click on Start, type cmd and press ENTER

b. Type Auditpol /clear

c. Type Auditpol /set /category:"DS Access"

d. Type Auditpol /get /category:"DS Access"

e. List the subcategories and the setting for each subcategory

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

f. Confirm Directory Service Changes is set to Success

g. Close command prompt

Exercise 2: DS Auditing Creation, Modification and Moving of AD Objects

Scenario

You are an administrator of the Contoso domain and would like to audit the creation, modification and moving of AD objects.

Tasks

1. Ensure audit policy is enabled (completed in exercise 1)

2. Create an OU called AuditTest and set up auditing on the OU created

a. Launch Server Manager if it is not already open.

b. Expand Server Manager

c. Expand Roles

d. Expand Active Directory Domain Services

e. Expand Active Directory Users and Computers

f. Select Contoso.com

g. Right click it and select New, Organizational Unit

h. Type AuditTest in the Name of New Object and click on OK

i. Right click AuditTest in Contoso.com and click Properties

j. Confirm Advanced Features is enabled in the View menu so that you can view the Security tab.

k. Select the Security tab, click on Advanced and select the Auditing tab.

l. Click on Add

m. Under Enter the object name to select, type Authenticated Users and then click OK.

n. In Apply onto, confirm This object and all descendant objects is selected.

o. Under Access, select the Successful check box for Write all properties, Create all child objects and Delete all child objects. This also checks successful auditing for several other accesses.

p. Click on OK until you exit the property sheet for the OU or other object.

3. Create a user called AuditTest1 in OU AuditTest

a. Right click OU AuditTest, select New, User

b. Type AuditTest1 in First name and User logon name


c. Click on Next

d. Type P@ssw0rd1 in Password and confirm password.

e. Click on Next and then Finish

4. View the Security log to review the audit event generated

a. In Server Manager, Expand Diagnostics and then Event Viewer

b. Expand Windows Logs

c. Select Security log

d. The log shows Directory Service Changes event 5137, indicating creation of a new directory service object:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/1/2007 11:50:48 AM
Event ID:      5137
Task Category: Directory Service Changes
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      2008-01.Contoso.com
Description:   A directory service object was created.

Subject:
    Security ID:    CONTOSO\Administrator
    Account Name:   Administrator
    Account Domain: CONTOSO
    Logon ID:       0x18b1d

Directory Service:
    Name: Contoso.com
    Type: Active Directory Domain Services

Object:
    DN:    cn=AuditTest1,ou=AuditTest,DC=Contoso,DC=com
    GUID:  CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
    Class: user

Operation:
    Correlation ID:             {57586991-b6fd-49e8-b52b-6cdb19067268}
    Application Correlation ID: -

5. Rename the user’s First Name to Test1000

a. Switch back to Active Directory Users and Computers in Server Manager

b. Select user AuditTest1

c. Right click it and select Properties

d. Change First name to Test1000

e. Click on OK

6. Review the Security log to view the audit events generated

a. In Server Manager, Expand Diagnostics and then Event Viewer

b. Expand Windows Logs

c. Select Security log

d. The log shows two Directory Service Changes events 5136. The first one shows Operation type: Value Deleted for givenName AuditTest1 and the second one shows Operation type: Value Added for givenName with value Test1000.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/1/2007 2:04:51 PM
Event ID:      5136
Task Category: Directory Service Changes
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      2008-01.Contoso.com
Description:   A directory service object was modified.

Subject:
    Security ID:    CONTOSO\Administrator
    Account Name:   Administrator
    Account Domain: CONTOSO
    Logon ID:       0x18b1d

Directory Service:
    Name: Contoso.com
    Type: Active Directory Domain Services

Object:
    DN:    CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
    GUID:  CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
    Class: user

Attribute:
    LDAP Display Name: givenName
    Syntax (OID):      2.5.5.12
    Value:             AuditTest1

Operation:
    Type:                       Value Deleted
    Correlation ID:             {b87e4c30-c6cd-44cf-947b-09ee52dd25e9}
    Application Correlation ID: -

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/1/2007 2:04:51 PM
Event ID:      5136
Task Category: Directory Service Changes
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      2008-01.Contoso.com
Description:   A directory service object was modified.

Subject:
    Security ID:    CONTOSO\Administrator
    Account Name:   Administrator
    Account Domain: CONTOSO
    Logon ID:       0x18b1d

Directory Service:
    Name: Contoso.com
    Type: Active Directory Domain Services

Object:
    DN:    CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
    GUID:  CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
    Class: user

Attribute:
    LDAP Display Name: givenName
    Syntax (OID):      2.5.5.12
    Value:             Test1000

Operation:
    Type:                       Value Added
    Correlation ID:             {b87e4c30-c6cd-44cf-947b-09ee52dd25e9}
    Application Correlation ID: -

7. Create a new user in the users container called AuditTest2

a. Switch back to Active Directory Users and Computers in Server Manager

b. Select Users container from Contoso.com

c. Right click Users container and select New, User

d. Type AuditTest2 in First name and User logon name


e. Click on Next

f. Type P@ssw0rd1 in Password and Confirm password

g. Click on Next

h. Click on Finish

8. Move AuditTest2 into the AuditTest OU

a. Select newly created user account AuditTest2

b. Right click it and select Move...

c. Select OU AuditTest when prompted to select a container to move the object into

d. Click on OK

e. Select AuditTest OU and confirm that the user object is moved

9. Review the Security log to view the audit event generated

a. In Server Manager, Expand Diagnostics and then Event Viewer

b. Expand Windows Logs

c. Select Security log

d. The log shows Directory Service Changes event 5139, indicating a successful move. Please note that the event shows Old DN and New DN, showing the original and new location of the object.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/1/2007 2:28:02 PM
Event ID:      5139
Task Category: Directory Service Changes
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      2008-01.Contoso.com
Description:   A directory service object was moved.

Subject:
    Security ID:    CONTOSO\Administrator
    Account Name:   Administrator
    Account Domain: CONTOSO
    Logon ID:       0x18b1d

Directory Service:
    Name: Contoso.com
    Type: Active Directory Domain Services

Object:
    Old DN: CN=AuditTest2,CN=Users,DC=Contoso,DC=com
    New DN: CN=AuditTest2,OU=AuditTest,DC=Contoso,DC=com
    GUID:   CN=AuditTest2,OU=AuditTest,DC=Contoso,DC=com
    Class:  user

Operation:
    Correlation ID:             {2fe1228d-d0a4-45d1-bdfc-48d64d7802be}
    Application Correlation ID: -
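The three event types this exercise produced (5137 create, 5136 modify, 5139 move) parsed out of the Event Viewer text layout and turned into an audit trail, as an added example that is not part of the lab. It pairs the two 5136 records of the rename by their shared Correlation ID so the givenName change reads as one old-to-new entry; the sample records are constructed from the events above, trimmed to the fields the parser uses.

```python
"""Parse Windows Server 2008 Directory Service Changes audit events (5137
created, 5136 modified, 5139 moved) from the Event Viewer text layout and
rebuild an audit trail.  A rename produces two 5136 events that share a
Correlation ID (Value Deleted, then Value Added); they are paired here.
Added example, not lab code; the records below are constructed from the
events shown in the lab, trimmed to the fields used."""
import re

SAMPLE_EVENTS = r"""
Event ID: 5137
Subject:
    Account Name: Administrator
    Account Domain: CONTOSO
Object:
    DN: cn=AuditTest1,ou=AuditTest,DC=Contoso,DC=com
Operation:
    Correlation ID: {57586991-b6fd-49e8-b52b-6cdb19067268}

Event ID: 5136
Subject:
    Account Name: Administrator
    Account Domain: CONTOSO
Object:
    DN: CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
Attribute:
    LDAP Display Name: givenName
    Value: AuditTest1
Operation:
    Type: Value Deleted
    Correlation ID: {b87e4c30-c6cd-44cf-947b-09ee52dd25e9}

Event ID: 5136
Subject:
    Account Name: Administrator
    Account Domain: CONTOSO
Object:
    DN: CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
Attribute:
    LDAP Display Name: givenName
    Value: Test1000
Operation:
    Type: Value Added
    Correlation ID: {b87e4c30-c6cd-44cf-947b-09ee52dd25e9}

Event ID: 5139
Subject:
    Account Name: Administrator
    Account Domain: CONTOSO
Object:
    Old DN: CN=AuditTest2,CN=Users,DC=Contoso,DC=com
    New DN: CN=AuditTest2,OU=AuditTest,DC=Contoso,DC=com
Operation:
    Correlation ID: {2fe1228d-d0a4-45d1-bdfc-48d64d7802be}
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):\s*$")            # "Object:"
FIELD_RE = re.compile(r"^\s*([A-Za-z ()]+):\s*(.*?)\s*$")  # "    DN: value"


def parse_event(record):
    """Flatten one event into {"Section.Field": value}.  An unindented
    "Name:" line opens a section; indented lines are its fields; unindented
    fields such as "Event ID" keep their bare name."""
    fields, section = {}, None
    for line in record.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if section and line[0].isspace():
            fields[f"{section}.{key}"] = value
        else:                        # back at top level
            section = None
            fields[key] = value
    return fields


def audit_trail(text):
    """Trail entries: ("created", who, dn), ("moved", who, old_dn, new_dn),
    ("modified", who, dn, attr, old, new); an unpaired 5136 leaves None."""
    trail, pending = [], {}
    for record in re.split(r"\n\s*\n", text.strip()):
        ev = parse_event(record)
        who = f'{ev["Subject.Account Domain"]}\\{ev["Subject.Account Name"]}'
        eid = ev["Event ID"]
        if eid == "5137":
            trail.append(["created", who, ev["Object.DN"]])
        elif eid == "5139":
            trail.append(["moved", who, ev["Object.Old DN"], ev["Object.New DN"]])
        elif eid == "5136":
            key = (ev["Operation.Correlation ID"], ev["Object.DN"],
                   ev["Attribute.LDAP Display Name"])
            if key not in pending:   # first half of the pair: reserve a slot
                pending[key] = ["modified", who, key[1], key[2], None, None]
                trail.append(pending[key])
            slot = 4 if ev["Operation.Type"] == "Value Deleted" else 5
            pending[key][slot] = ev["Attribute.Value"]
    return [tuple(entry) for entry in trail]
```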


Lab 7: DFSR and SYSVOL Migration


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. These materials are intended for distribution to and use only by Microsoft Premier Customers. Use or distribution of these materials by any other persons is prohibited without the express written permission of Microsoft Corporation. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

©2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Version 1.0


During this lab, you will migrate SYSVOL from FRS to DFSR as the replication engine.

Estimated time to complete this lab: 60 minutes

Before You Begin

Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server

What You Will Learn

After completing this lab, you will be able to:

■ Understand migration of SYSVOL from FRS to DFSR in a Windows Server 2008 domain

Lab Environment

To complete this lab, you will need the following Virtual Machines:

■ 2008-01

■ 2008-02

■ 2008-Core-01

You must log on as an administrative user in order to perform all of the tasks in this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso


Exercise 1: Migrate SYSVOL from using NTFRS to DFSR

Scenario

You are the administrator of the Contoso.com domain. You understand that in your current environment SYSVOL is using NTFRS as its replication engine. However, you have read that DFSR provides substantial improvements over FRS and several key new features. Therefore, you wish to perform a DFSR migration and you are ready to demote any domain controller that is not running Windows Server 2008 in order to perform this migration.

Tasks

1. Transfer all FSMO roles from 2003-01 to 2008-01 and demote 2003-01.

Note: Dcpromo will try to transfer the roles automatically if this has not been done beforehand.

a. Transfer all the FSMO roles to 2008-01

1. Log on to 2008-01 as Contoso\administrator

2. Launch a Command Prompt

3. Type ntdsutil and then press ENTER

4. Type Roles and then press ENTER

5. Type Connections and then press ENTER

6. Type Connect to Server 2008-01 and then press ENTER

7. Type Quit and then press ENTER

8. Type Transfer PDC and then press ENTER

9. It will prompt you to confirm if you want to transfer the role to 2008-01

10. Click on Yes

11. Transfer rest of the roles by typing

Transfer Schema Master

Transfer naming master

Transfer infrastructure master

Transfer RID master

12. Type quit and press ENTER

13. Type quit and press ENTER

14. At the command prompt, type netdom query fsmo and then press ENTER

15. Confirm 2008-01 holds all the FSMO roles

16. Close command prompt

b. Demote 2003-01 back to a member server.

1. While logged on to 2003-01 as Contoso\Administrator

2. Start | Run and type DCPROMO

3. Remove Active Directory from 2003-01

4. Reboot

5. Make sure 2003-01 is no longer referred to as a DNS server in the TCP/IP properties of any domain member.

2. Raise the Contoso.com Domain Functional Level to Windows Server 2008.

a. While logged onto 2008-01 as Contoso\Administrator, run DSA.msc.

b. Right click on the domain and select Raise Domain Functional Level.

c. Raise the domain functional level to Windows Server 2008

d. Stay logged on to 2008-01 as Contoso\Administrator

3. Verify that your SYSVOL is currently healthy and replicating

a. Log on to the Schema Master, 2008-01, as Contoso\administrator.

b. Open a command prompt.

c. At the command prompt, type the following and then press ENTER

net share

d. Confirm SYSVOL and NETLOGON are shared and are pointing to C:\Windows\SYSVOL\Sysvol

e. Close command prompt

f. Launch Adsiedit.msc

g. Connect to Default naming context

h. Expand OU=Domain Controllers,DC=Contoso,DC=com

i. Expand each of the Domain Controllers and select CN=NTFRS Subscriptions

j. Confirm that the right pane shows an NTFRS Subscriber object called CN=Domain System Volume (SYSVOL share)

k. Expand CN=File Replication Service,CN=System,DC=Contoso,DC=com

l. Select CN=Domain System Volume (SYSVOL share)

m. Confirm the right pane contains NTFRS member objects for all the Domain Controllers. The NTFRS member object name is the same as the domain controller name.

n. Close Adsiedit.msc

o. Click on Start, Programs, Administrative Tools and Event Viewer.

p. Check the File Replication Service log and confirm that no errors or warnings are reported for Sysvol.

4. Back up the data in the Sysvol folder.

a. It is recommended to take a backup of the data in the SYSVOL folder before beginning the process of migrating from FRS to DFS Replication.

b. On 2008-01, copy C:\Windows\SYSVOL\domain folder to Desktop

1. At the command prompt, run xcopy /x /e /h /r C:\Windows\SYSVOL\domain %userprofile%\desktop

c. Confirm that Policies and Scripts folders are copied correctly.

5. Verify that the DFS Replication service is installed and is set to Automatic start

a. On 2008-01, launch Server Manager if it is not already open (click on Start, Administrative Tools, and then Server Manager)

b. Expand Configuration and select Services

c. Confirm DFS Replication service is started and Startup Type is set to Automatic

d. If the service is not installed:

1. Expand Roles in left pane and select File Services

2. Right click File Services and select Add Role Services

3. It will launch the Add role Services wizard

4. Expand Windows Server 2003 File Services and select File Replication Service

5. Click on Install

6. Once the process completes, it will display a message confirming File Replication Service installed successfully.

7. Select File Services from left pane.

8. Review details pane.

9. Now DFS Replication service is listed under System Services.

10. Status shows Running and Startup Type is Auto.

6. Run DfsrMig tool on PDC to create DFSR-GlobalSettings object

a. On 2008-01, launch a command prompt

b. Type DfsrMig /CreateGlobalObjects and then press ENTER

c. It will report the following:

Current DFSR global state: Start
Succeeded.

d. DfsrMig performs the following actions:

1. Creates the ReplicationGroup, Content object, ContentSet, and Topology objects.

2. msDFSR-GlobalSettings object under System container is created.

a) Launch Adsiedit.msc or LDP

b) Connect to Default naming context

c) Expand DC=Contoso, DC=Com

d) Select CN=System

e) Notice in details pane, CN=DFSR-GlobalSettings object of class msDFSR-GlobalSettings is created under CN=System.

3. msDFSR-ReplicationGroup object under msDFSR-GlobalSettings. msDFSR-ReplicationGroupType is set to a value of 1.

a) Expand CN=System and select CN=DFSR-GlobalSettings

b) Notice in details pane, CN=Domain System volume object of class msDFSR-ReplicationGroup is created under CN=DFSR-GlobalSettings

c) Right click CN=Domain System volume and select properties

d) Under Attributes, select msDFSR-ReplicationGroupType

e) Confirm the value is set to 1

f) Click on Cancel

4. msDFSR-Content and msDFSR-Topology objects are created under the msDFSR-ReplicationGroup object.

a) Expand CN=DFSR-Globalsettings in left pane.

b) Select CN=Domain System volume.

c) Notice the CN=Content and CN=Topology objects are created.

5. msDFSR-ContentSet object under msDFSR-Content object is created.

a) Expand CN=Domain System volume in left pane and select CN=Content.

b) Notice in details pane, CN=SYSVOL Share object of class msDFSR-ContentSet is created.

6. For NTFRS compatibility, the content set is set to filter out the DO_NOT_REMOVE_NtFrs_PreInstall_Directory and NtFrs_PreExisting___See_EventLog folders.

a) Right click CN=SYSVOL Share and select Properties.

b) From the list of attributes, select msDFSR-DirectoryFilter.

c) Confirm the value is set to DO_NOT_REMOVE_NtFrs_PreInstall_Directory,NtFrs_PreExisting___See_EventLog.

d) Click on Cancel.

7. Creates member objects for each existing RODC.

a) Select CN=Topology in left pane

b) Notice in details pane, CN=2008-02 object of msDFSR-Member class is created.

c) Close Adsiedit.msc.

8. Sets GlobalState to 0.

e. Launch a Command prompt

f. Type DfsrMig /GetGlobalState and then press ENTER

1. It will report the following:

Current DFSR global state: ‘Start’
Succeeded.

7. Run DfsrMig.exe on PDC to enter the Prepare phase

a. Launch a Command prompt

b. Type DFSRMig /SetGlobalState 1 and then press ENTER

1. It will report:

Current DFSR global state: Start
New DFSR global state: ‘Prepared’
Migration will proceed to ‘Prepared’ state. DFSR service will copy the contents of SYSVOL to SYSVOL_DFSR folder.
If any DC is unable to start migration then try manual polling.
OR Run with option /CreateGlobalObjects.
Migration can start anytime between 15 min to 1 hour.
Succeeded.

c. DfsrMig performs the following actions:

1. Creates SYSVOL_DFSR, and its immediate subfolders, copying the ACLs from the original SYSVOL.

a) Launch Windows Explorer.

b) Confirm SYSVOL_DFSR folder is created under %SystemRoot%.

c) Confirm the ACLs are identical for the Policies and Scripts folders under %SystemRoot%\SYSVOL\Domain and %SystemRoot%\SYSVOL_DFSR\Domain

2. ROBOCOPY copies SYSVOL\domain to SYSVOL_DFSR\domain.

a) Confirm the contents of %SystemRoot%\SYSVOL_DFSR\Domain are the same as the contents of %SystemRoot%\SYSVOL\Domain.

3. The output of ROBOCOPY is saved in %SystemRoot%\Debug\SYSVOL_DFSR-RoboCopy.txt.

a) Review the file %SystemRoot%\Debug\SYSVOL_DFSR-RoboCopy.txt.

4. Creates the SYSVOL junction.

a) Launch command prompt

b) Type the following command and then press ENTER

cd %SystemRoot%\SYSVOL_DFSR\Sysvol

c) Type Dir /a and then press ENTER

d) Confirm a junction Contoso.com is created for %SystemRoot%\SYSVOL_DFSR\domain.

e) Close Command prompt

5. msDFSR-Member object under msDFSR-Topology object was populated with msDFSR-ComputerReference, ServerReference, and ServerReferenceBL attribute values.

a) Launch Adsiedit.msc.

b) Connect to Default naming context.

c) Expand CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=Contoso,DC=com.

d) Select CN=Topology.


e) Details pane shows CN=2008-02 object of class msDFSR-Member.

f) Right click 2008-02 and select Properties.

g) Review attributes msDFSR-ComputerReference, ServerReference, and ServerReferenceBL. To see the ServerReferenceBL value you must enable Backlink values.

(1) Click Filter, then click Backlinks

h) Click on Cancel

6. msDFSR-LocalSettings object under OU=Domain Controllers is created.

a) Expand OU=Domain Controllers under DC=Contoso,DC=com.

b) Expand CN=2008-01.

c) Notice CN=DFSR-LocalSettings object is created under CN=2008-01.

7. msDFSR-Subscriber object under msDFSR-LocalSettings object is populated with msDFSR-MemberReference and msDFSR-ReplicationGroupGuid attribute values.

a) Select CN=DFSR-LocalSettings.

b) Details pane shows CN=Domain System Volume object of class msDFSR-Subscriber.

c) Right click CN=Domain System Volume and select Properties.

d) Review attributes msDFSR-MemberReference and msDFSR-ReplicationGroupGuid.

e) Click on Cancel.

8. msDFSR-Subscription object under msDFSR-Subscriber object is populated with msDFSR-RootPath, msDFSR-StagingPath, msDFSR-ReplicationGroupGuid, msDFSR-ContentSetGuid, msDFSR-ReadOnly, and msDFSR-Options attribute values.

a) Select CN=Domain System Volume in left pane.

b) Details pane shows CN=SYSVOL Subscription object of class msDFSR-Subscription.

c) Right click CN=SYSVOL Subscription and select Properties.

d) Review attributes msDFSR-RootPath, msDFSR-StagingPath, msDFSR-ReplicationGroupGuid, msDFSR-ContentSetGuid, msDFSR-ReadOnly, and msDFSR-Options.

e) Click on Cancel.

f) Close Adsiedit.msc.

9. Creates and populates this key in the registry: HKLM\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols.

a) Launch regedit.

b) Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols

c) Confirm the value of Local State is set to 1.

d) Close Registry Editor.

d. Confirm the global state is set to Prepared now.

1. Launch Command prompt

2. Type DfsrMig /GetGlobalState and then press ENTER

3. It will report:

Current DFSR global state: ‘Prepared’
Succeeded.

e. Confirm all Domain Controllers are synchronized with the Global State (Prepared). It is highly recommended not to initiate migration to the REDIRECTED state until this is done.

1. At the command prompt, type DfsrMig /GetMigrationState and then press ENTER

2. It will list Domain Controllers that are not in sync with Global State.

Example:


3. If any of the Domain Controllers are listed there, then force Active Directory replication using the following commands:

Repadmin /syncall 2008-01 /AdeP

Repadmin /syncall 2008-02 /Ade

4. Check for success with:

repadmin /showattr * "CN=DFSR-GlobalSettings,CN=System,DC=contoso,DC=com" /atts:msDFSR-Flags

5. Manually poll Active Directory on a Domain Controller using:

DfsrDiag PollAD

OR remotely from any other Domain Controller using:

DfsrDiag PollAD /Member:<Domain Controller name>

8. Run DfsrMig.exe on PDC to enter the Redirected phase

a. Launch a command prompt

b. Type DFSRMig /SetGlobalState 2 and then press ENTER

c. It will report:

Current DFSR global state: ‘Prepared’
New DFSR global state: ‘Redirected’
Migration will proceed to ‘Redirected’ state. The SYSVOL share will be changed to SYSVOL_DFSR folder.
If any changes have been made to the SYSVOL share during the state transition from ‘Prepared’ to ‘Redirected’ please robocopy the changes from SYSVOL to SYSVOL_DFSR on any replicated RWDC.
Succeeded.

d. Verify that DFS Replication global migration state is set to REDIRECTED

1. Launch command prompt if it is not already open.

2. Type DfsrMig /GetGlobalState and then press ENTER

3. It will report:

Current DFSR global state: Redirected
Succeeded.

e. Verify that SYSVOL and NETLOGON shares are now pointing to paths under SYSVOL_DFSR.

1. At the command prompt, type net share and then press ENTER

2. Confirm SYSVOL and NETLOGON shares are pointing to paths under SYSVOL_DFSR.

f. Confirm all Domain Controllers are in sync with the global state (REDIRECTED). It is recommended not to initiate migration to the ELIMINATED state until this is done.

1. At the command prompt, type DfsrMig /GetMigrationState and then press ENTER

2. It will list Domain Controllers that are not in sync with Global State.

3. If any of the Domain Controllers are listed there, then force Active Directory replication using the following command:

Repadmin /syncall /AeD

Manually poll Active Directory on a Domain Controller using:

DfsrDiag PollAD

OR remotely from any other Domain Controller using:

DfsrDiag PollAD /Member:<Domain Controller name>

9. Run DfsrMig.exe on PDC to enter the Eliminated phase

a. Launch a Command prompt

b. Type DFSRMig /SetGlobalState 3 and then press ENTER

c. It will report:

Current DFSR global state: ‘Redirected’
New DFSR global state: ‘Eliminated’
Migration will proceed to ‘Eliminated’ state. It is not possible to revert this step.
If any RODC is stuck in the ‘Eliminating’ state for too long then run with option /DeleteRoNtfrsMembers.
Succeeded.

d. Verify that DFS Replication global migration state is set to ELIMINATED.

1. Type DfsrMig /GetGlobalState and then press ENTER

2. It will report:

Current DFSR global state: Eliminated
Succeeded.

e. Confirm all Domain Controllers are in sync with the global state (ELIMINATED).

1. At the command prompt, type DfsrMig /GetMigrationState and then press ENTER

2. It will list Domain Controllers that are not in sync with Global State.

3. If any of the Domain Controllers are listed there, then force Active Directory replication using the following command:

Repadmin /syncall /Ade

Manually poll Active Directory on a Domain Controller using:

DfsrDiag PollAD

OR remotely from any other Domain Controller using:

DfsrDiag PollAD /Member:<Domain Controller name>

f. DfsrMig performs the following actions:

1. Deletes the NTFRS SYSVOL Active Directory configuration objects.

a) Launch Adsiedit.msc and connect to Default naming context.

b) Expand CN=DFSR-LocalSettings,CN=2008-01,OU=Domain Controllers,DC=Contoso,DC=com.

c) Select CN=Domain System Volume.

d) Details pane shows CN=SYSVOL Subscription object of class msDFSR-Subscription.

e) Confirm there is no longer a CN=NTFRS Subscriptions object for SYSVOL under CN=2008-01.

f) Expand CN=File Replication Service,CN=System.

g) Select CN=Domain System volume (SYSVOL share).

h) Confirm it does not have any nTFRSMember objects.

i) Close Adsiedit.msc.

2. Deletes content under SYSVOL folder.

a) Start Windows Explorer.

b) Navigate to %SystemRoot%.

c) Confirm there are no Policies or Scripts folders inside the SYSVOL folder.

d) Close Windows Explorer.

g. Verify that SYSVOL and NETLOGON shares are pointing to paths under SYSVOL_DFSR.

1. Launch command prompt.

2. Type net share and then press ENTER.

3. Confirm NETLOGON and SYSVOL shares point to %SystemRoot%\SYSVOL_DFSR.

4. Close command prompt

5. Start Regedit and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

6. Confirm the value of SysVol is %SystemRoot%\SYSVOL_DFSR\Sysvol.

7. Close regedit.exe.

10. Review the DFS Replication Event log for DFSR SYSVOL migration events.


a. Click on Start, Programs, Administrative Tools and Event Viewer.

b. Check the DFS Replication log and examine the SYSVOL migration events.
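A pre-flight check for the state sequence this exercise walks (Start, Prepared, Redirected, Eliminated), written as an added example rather than lab or DfsrMig code: it reads the state name from the line DfsrMig /GetGlobalState prints and refuses the next /SetGlobalState until every DC's local state matches the global state, listing the per-DC Repadmin and DfsrDiag commands from steps 7e, 8f and 9e for any laggard. The per-DC local states are assumed to have been collected from the Local State registry value on each DC (step 7c.9).

```python
"""Pre-flight check for the DfsrMig migration sequence walked in this lab:
global state 0 Start -> 1 Prepared -> 2 Redirected -> 3 Eliminated.
Added example, not DfsrMig or lab code.  It parses the state line that
'DfsrMig /GetGlobalState' prints and compares the global state with each
DC's local state (assumed to have been read from the 'Local State' value
under HKLM\\...\\DFSR\\Parameters\\SysVols\\Migrating SysVols on every DC)."""
import re

STATES = {0: "Start", 1: "Prepared", 2: "Redirected", 3: "Eliminated"}
NAME_TO_STATE = {name.lower(): n for n, name in STATES.items()}

# DfsrMig prints the name bare or in curly quotes; accept both forms.
GLOBAL_STATE_RE = re.compile(
    r"Current DFSR global state:\s*[‘']?(\w+)[’']?", re.IGNORECASE)


def parse_global_state(output):
    """Numeric global state from DfsrMig /GetGlobalState output, else None."""
    m = GLOBAL_STATE_RE.search(output)
    return NAME_TO_STATE.get(m.group(1).lower()) if m else None


def check_transition(global_state, local_states, target):
    """Decide whether 'DfsrMig /SetGlobalState <target>' should run now.

    local_states maps DC name -> local state.  Returns (ok, reason,
    remediation); remediation holds the per-DC commands the lab uses to
    bring a lagging DC in sync (repadmin push, then a manual AD poll)."""
    if global_state not in STATES or target not in STATES:
        return False, "unknown state", []
    if global_state == 3:
        return False, "Eliminated cannot be reverted; migration is complete", []
    if target != global_state + 1:
        return False, (f"the lab advances one state at a time: "
                       f"{STATES[global_state]} -> {STATES[global_state + 1]}"), []
    lagging = sorted(dc for dc, st in local_states.items() if st != global_state)
    if lagging:
        cmds = []
        for dc in lagging:
            cmds.append(f"Repadmin /syncall {dc} /AdeP")
            cmds.append(f"DfsrDiag PollAD /Member:{dc}")
        return False, (f"{len(lagging)} DC(s) not yet in {STATES[global_state]}: "
                       + ", ".join(lagging)), cmds
    return True, f"all DCs in {STATES[global_state]}; proceed to {STATES[target]}", []
```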


Lab 8: Fine Grained Password Policy


During this lab, you will learn about Group Policy changes and FGPP.

Estimated time to complete this lab: 75 minutes

Before You Begin

Before starting this lab, you should:

■ Have an understanding of FGPP

Lab Environment

To complete this lab, you will need the following Virtual Machines:

■ 2008-01

■ 2003-DC1

You must log on as an administrative user in order to perform all of the tasks in this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso


Exercise 1: Create a New Password Settings Object (PSO)

Scenario

You are the administrator of the Contoso.com domain. You have been asked to set up a password policy for the users in the Managers group that requires a minimum password length of 10 characters.

Tasks

1. On 2008-01, verify the domain functional level is set to Windows Server 2008. Fine-grained password policies are only enforced at the Windows Server 2008 domain functional level, so this check comes first.

a. Log on to 2008-01 as Contoso\administrator.

b. Launch Server Manager if it is not already open (click Start, Administrative Tools, and then Server Manager).

c. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | Contoso.com.

d. Right-click Contoso.com and select Raise domain functional level...

e. Confirm that Current domain functional level shows Windows Server 2008.

f. Click Close.

2. Create a new Password Settings Object named Managers with a minimum password length of 10 characters.

a. Click Start, Run, type Adsiedit.msc and click OK.

b. Connect to the Default naming context.

c. Expand CN=System,DC=Contoso,DC=com.

d. Right-click CN=Password Settings Container and select New, Object... (PSOs are only recognized inside this container.)

e. The Create Object wizard launches.

f. Confirm that the msDS-PasswordSettings class is selected and click Next.


g. For each attribute, type the value from the following list and click Next (durations are entered in d:hh:mm:ss format):

Attribute                                  Value
cn                                         Managers
msDS-PasswordSettingsPrecedence            10
msDS-PasswordReversibleEncryptionEnabled   FALSE
msDS-PasswordHistoryLength                 24
msDS-PasswordComplexityEnabled             TRUE
msDS-MinimumPasswordLength                 10
msDS-MinimumPasswordAge                    0
msDS-MaximumPasswordAge                    20:00:00:00 (20 days)
msDS-LockoutThreshold                      0
msDS-LockoutObservationWindow              0:00:30:00 (30 minutes)
msDS-LockoutDuration                       0:00:30:00 (30 minutes)

Note that a lower msDS-PasswordSettingsPrecedence value means a higher priority when more than one PSO applies to a user, and that msDS-LockoutThreshold 0 disables account lockout for the users this PSO covers, so the two lockout durations have no effect here.

h. Click Finish to complete the creation of this object.

3. Apply the PSO to the Managers group. A PSO can be linked only to user objects and to global security groups, never to OUs, so policy scoping is done through group membership.

a. In the CN=Password Settings Container container, right-click the CN=Managers object in the details pane and select Properties.

b. Select the msDS-PSOAppliesTo attribute from the list of attributes.

c. Click Edit.

d. Click Add Windows Account...

e. Type Managers in the Select Users, Computers, or Groups dialog and click OK.

f. Click OK in the Multi-valued Distinguished Name with Security Principal Editor dialog box.

g. Confirm that the correct value is set for the msDS-PSOAppliesTo attribute.


h. Click OK.

i. Close Adsiedit.msc.

4. Test the password policy by resetting the password of Lisa Miller (a member of the Managers group) from Active Directory Users and Computers. A seven-character password should be rejected; a password of 10 or more characters that also satisfies the complexity requirement should be accepted.

a. Launch Server Manager if it is not already open (click Start, Administrative Tools, and then Server Manager).

b. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | Contoso.com.

c. Select Lisa Miller in the Training organizational unit.

d. Right-click the Lisa Miller account and select Properties. Click the Member Of tab and verify that Lisa Miller is a member of the Managers group. Click OK to close the user properties.

e. Right-click the user account and select Reset Password...

f. Type a password with seven characters.

g. An error reports that Windows cannot complete the password change because the password does not meet the password policy requirements.

h. Click OK.

i. Right-click the user account again and select Reset Password...

j. Type a password of 10 or more characters that also meets the complexity requirement (the PSO sets msDS-PasswordComplexityEnabled to TRUE) and click OK.

k. The message "The password has been changed." is displayed.

l. Click OK.
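As an added example that is not part of this lab manual, the following PowerShell script performs steps 1 through 4 of this exercise with the ActiveDirectory module, which ships with Windows Server 2008 R2 and later rather than with the 2008 build used in the lab (which is why the lab uses ADSI Edit). It assumes a Domain Admin session on a domain controller, that Lisa Miller's logon name is lmiller, and that Managers is an existing global security group; the two test passwords are made up.

```powershell
# Added example: the same PSO as the ADSI Edit walkthrough, built with the
# ActiveDirectory module (Windows Server 2008 R2+ / RSAT). Run as Domain Admin.
Import-Module ActiveDirectory

# Step 1: FGPP is only enforced at the Windows Server 2008 domain functional level.
$domain = Get-ADDomain
$tooLow = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
if ($tooLow -contains $domain.DomainMode.ToString()) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 first."
}

# Step 2: create the PSO with the values from the attribute table. TimeSpans are
# written as d.hh:mm:ss here (ADSI Edit uses d:hh:mm:ss).
$psoName = 'Managers'
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ReversibleEncryptionEnabled $false -PasswordHistoryCount 24 `
        -ComplexityEnabled $true -MinPasswordLength 10 `
        -MinPasswordAge '0.00:00:00' -MaxPasswordAge '20.00:00:00' `
        -LockoutThreshold 0 -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00' -PassThru
}

# Step 3: link it to the group. PSOs apply to users and global security groups only.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Managers'

# Step 4a: resolve the effective PSO (what msDS-ResultantPSO / dsget -effectivepso show).
$effective = Get-ADUserResultantPasswordPolicy -Identity 'lmiller'   # assumed logon name
if ($effective) {
    'Effective PSO for lmiller: {0} (precedence {1}, MinPasswordLength {2})' -f `
        $effective.Name, $effective.Precedence, $effective.MinPasswordLength
} else {
    'No PSO applies to lmiller; the Default Domain Policy is in effect.'
}

# Step 4b: a 7-character reset must fail; a complex 10+ character one must succeed.
foreach ($candidate in 'Abc123!', 'Longer-Pa55w0rd!') {    # constructed test values
    try {
        Set-ADAccountPassword -Identity 'lmiller' -Reset -ErrorAction Stop `
            -NewPassword (ConvertTo-SecureString $candidate -AsPlainText -Force)
        'Accepted ({0} chars)' -f $candidate.Length
    } catch {
        'Rejected ({0} chars): {1}' -f $candidate.Length, $_.Exception.Message
    }
}
```

The password reset is wrapped in try/catch on purpose: the rejection of the seven-character value is the result you want to see, and the exception message is the same policy error the GUI reports in step g.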


Exercise 2: How to determine which PSO is effective on a user

Tasks

1. On 2008-01, query the msDS-ResultantPSO attribute for the user in question. This constructed attribute is computed by the domain controller on each read and holds the distinguished name of the PSO that is ultimately applied to that user.

a. In Active Directory Users and Computers, click View and confirm that Advanced Features is enabled.

b. Select the user account for which you would like to examine the effective PSO.

c. Right-click the user account and select Properties.

d. Select the Attribute Editor tab.

e. Click Filter and confirm that Show attributes: Optional and Show read-only attributes: Constructed are checked (msDS-ResultantPSO is hidden unless constructed attributes are shown).

f. From the list of attributes, select msDS-ResultantPSO. It shows the distinguished name of the PSO that is applied to the user.

g. If multiple PSOs are applied to a user, which one will take effect? How can you tell?

____________________________________________________________________________________

h. If a PSO is applied to a user and a group, which one takes precedence? How can you tell?

____________________________________________________________________________________

2. Run the following command:

dsget user "cn=lmiller,ou=training,dc=contoso,dc=com" -effectivepso

What does the output show? The command reads the same msDS-ResultantPSO attribute. If it reports that the object cannot be found, check the user's actual distinguished name with dsquery user -samid lmiller, since the CN of a user object is normally the display name rather than the logon name.
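The two questions above come down to the PSO resolution rules, which the following added PowerShell script (not part of the lab manual) applies to audit a whole domain: it lists every PSO with its precedence and subjects, then resolves the effective policy for each enabled user and flags anyone whose effective policy is weaker than the Default Domain Policy. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later) and a session with read access to the Password Settings Container.

```powershell
# Added example: audit PSOs and find users who end up with a weaker policy than
# the domain default. Resolution rules: a PSO linked directly to the user beats
# any group-linked PSO; among candidates of the same kind the lowest
# msDS-PasswordSettingsPrecedence wins; ties go to the lowest objectGUID.
Import-Module ActiveDirectory

$default = Get-ADDefaultDomainPasswordPolicy
'Domain default: MinPasswordLength={0} LockoutThreshold={1} MaxPasswordAge={2}' -f `
    $default.MinPasswordLength, $default.LockoutThreshold, $default.MaxPasswordAge

# Every PSO, lowest precedence value (highest priority) first, with its subjects.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    ForEach-Object {
        $subjects = foreach ($dn in $_.AppliesTo) {
            $o = Get-ADObject -Identity $dn
            '{0} ({1})' -f $o.Name, $o.ObjectClass
        }
        '{0,-20} precedence={1,-4} minlen={2,-3} lockout={3,-3} -> {4}' -f `
            $_.Name, $_.Precedence, $_.MinPasswordLength, $_.LockoutThreshold, ($subjects -join ', ')
    }

# Per-user resolution, using the DC's own msDS-ResultantPSO computation.
$weaker = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true') {
    $eff = Get-ADUserResultantPasswordPolicy -Identity $u
    if (-not $eff) { continue }          # only the Default Domain Policy applies
    $isWeaker = ($eff.MinPasswordLength -lt $default.MinPasswordLength) -or
                ($default.ComplexityEnabled -and -not $eff.ComplexityEnabled) -or
                ($default.LockoutThreshold -ne 0 -and $eff.LockoutThreshold -eq 0)
    if ($isWeaker) {
        [pscustomobject]@{
            User    = $u.SamAccountName
            PSO     = $eff.Name
            MinLen  = $eff.MinPasswordLength
            Lockout = $eff.LockoutThreshold
        }
    }
}
if ($weaker) { $weaker | Format-Table -AutoSize }
else { 'No enabled user has a PSO weaker than the domain default.' }
```

A PSO with a low precedence value and a broad group as its subject silently overrides the Default Domain Policy for everyone in that group, so the first listing is worth reviewing on its own: an unexpected PSO in the Password Settings Container is a change an attacker with write access there would make.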


Lab 9: Group Policy Changes and Enhancements


During this lab, you will learn about Group Policy changes and FGPP.

Estimated time to complete this lab: 75 minutes

Before You Begin

Before starting this lab, you should:

■ Have an understanding of new group policy changes

■ Have an understanding of FGPP

What You Will Learn

After completing this lab, you will be able to:

■ Create a Central Store

■ Configure and use GPEdit logging

■ Create and use Starter GPOs

■ Use folder redirection to share data between V1 and V2 user profiles

■ Understand what password policies and account lockout policies are

Lab Environment

To complete this lab, you will need the following Virtual Machines:

■ 2008-01

You must log on as an administrative user in order to perform all of the tasks in this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso


Exercise 1: Enable GPEdit logging and create a Central Store

Task 1: Enable GPEdit logging

1. Log on to 2008-01 as Contoso\Administrator.

2. Run Regedit.exe.

3. Enable GPEdit logging:

a. Debug logging for GPEdit is enabled through a single registry value; the log is written to %windir%\debug\usermode\gpedit.log.

b. Create the following registry value:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPEditDebugLevel (REG_DWORD)

1) Set the value to hexadecimal 10002.

2) Close the Registry Editor. Remove the value again when you are done troubleshooting, since the log grows with every edit.

Task 2: Creating and Using a Central Store

Note

There is no user interface for populating the central store in Windows Vista or Windows Server 2008 at this time. This procedure shows how to populate the central store using command line syntax. The central store lives in SYSVOL and is replicated to every domain controller; the Group Policy editor prefers it over local ADMX files, so keep write access to it limited to the administrators who are allowed to edit GPOs.

1. To populate the Central Store, open a command window on server 2008-01.

2. To copy all the language-neutral (.admx) and language-specific (.adml) files from your Windows Server 2008 system (2008-01) to the central store on your domain controller using the xcopy command, type:

Xcopy /S %systemroot%\PolicyDefinitions\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions

3. When xcopy asks whether the destination is a file or a directory, enter D (directory).

4. To edit administrative template policy settings using ADMX files, open the Group Policy Management Console: click Start, click Run, then type GPMC.msc.

5. To create a new GPO, right-click Contoso.com under Domains and select Create a GPO in this domain, and link it here.


6. Type a name for the GPO and click OK.

7. Expand the Group Policy Objects node.

8. Right-click the name of the GPO you created and click Edit.

9. Select Administrative Templates under Computer Configuration, Policies. In the right pane, note the message Administrative Templates: Policy definitions (ADMX files) retrieved from the central store.

10. Click Printers under Administrative Templates and select Web-based Printing.

11. Select Enabled and click OK.

12. Close the Group Policy Management Editor.

13. Open c:\windows\debug\usermode\gpedit.log.

14. Review the log and notice the entry stating Successfully wrote: Software\Policies\Microsoft\Windows NT\Printers\DisableWebPrinting. This is the registry value the setting controls; the log is the quickest way to map an Administrative Template setting to the policy key it writes.

Important

The Group Policy Object Editor automatically reads all ADMX files stored in the central store. When there is no central store, the Group Policy Object Editor reads the local versions of the ADMX files used by the local GPO on your Windows Vista administrative machine.
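The following added PowerShell script (not part of the lab manual) performs Task 1 and Task 2 of this exercise and adds two checks the xcopy step does not give you: that every ADMX in the central store has its en-US ADML, and who holds write access to the store. It assumes it runs on 2008-01 as a Domain Admin and uses the same source and destination paths as the lab's xcopy command.

```powershell
# Added example: Task 1 (GPEdit debug logging) and Task 2 (central store) from
# PowerShell, with checks. Run on 2008-01 as a Domain Admin.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# 0x10002 turns on verbose GPEdit logging to %windir%\debug\usermode\gpedit.log.
New-ItemProperty -Path $winlogon -Name GPEditDebugLevel -PropertyType DWord `
    -Value 0x10002 -Force | Out-Null

# Same source and destination the lab's xcopy uses.
$domainDns = $env:USERDNSDOMAIN
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = "$env:LOGONSERVER\SYSVOL\$domainDns\Policies\PolicyDefinitions"

if (-not (Test-Path $central)) { New-Item -ItemType Directory -Path $central | Out-Null }
# -Recurse brings the language folders (en-US, ...) that hold the ADML files.
Copy-Item -Path (Join-Path $source '*') -Destination $central -Recurse -Force

# Check 1: every ADMX made it, and each has its en-US ADML (the editor needs both).
$srcAdmx = @(Get-ChildItem -Path $source  -Filter *.admx)
$dstAdmx = @(Get-ChildItem -Path $central -Filter *.admx)
$noAdml  = @($dstAdmx | Where-Object {
    -not (Test-Path (Join-Path $central "en-US\$($_.BaseName).adml")) })
'ADMX in central store: {0} of {1}; ADMX without en-US ADML: {2}' -f `
    $dstAdmx.Count, $srcAdmx.Count, $noAdml.Count

# Check 2: who can write to the central store. The editor trusts these files,
# so write access should match the set of people allowed to edit GPOs.
(Get-Acl -Path $central).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# After editing a setting in GPMC (steps 9 to 14), confirm the log recorded the write.
$log = Join-Path $env:SystemRoot 'debug\usermode\gpedit.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'Successfully wrote' | Select-Object -Last 5
}
```

Run the last two lines again after step 14 to see the Successfully wrote entry for DisableWebPrinting; the ACL listing is the one to keep an eye on after any delegation change in the domain.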

Exercise 2: Creating and Using Starter GPOs

Scenario

As an administrator for Contoso.com, you plan on delegating permissions to other users to administer specific Organizational Units in the future. To aid the other users in Group Policy creation, you are going to prepare a Starter GPO that contains helpful pre-configured Administrative Template settings.

Task 1:

1. On 2008-01, create a new Starter GPO.

a. Log on to 2008-01 as contoso\administrator.

b. In Server Manager, expand Features | Group Policy Management | Forest: contoso.com | Domains | contoso.com | Starter GPOs.


c. Right-click Starter GPOs and then click New.

d. In the New Starter GPO dialog box, type Contoso Base in the Name box and click OK.

e. Right-click Contoso Base and select Edit. Notice that only Administrative Templates are available to manage in a Starter GPO. Change an administrative template setting under User or Computer Configuration, then close the Group Policy Editor window.

2. Create a new policy from the Starter GPO.

a. Right-click Contoso Base and then click New GPO from Starter GPO.

b. In the New GPO dialog box, type Training Policy in the Name box and click OK.

Exercise 4: Create a network share for all computers in the domain via Preferences in Group Policy

Task 1:

1. Log on as contoso\administrator on 2008-01.

2. Create a folder C:\scripts.

3. Edit the Default Domain Policy. (The lab uses the Default Domain Policy for convenience; in production, put Preference items in a separate GPO, since the Default Domain Policy applies to every computer in the domain.)

a. Click Start | Run and type gpmc.msc.

b. Double-click Domains and then Contoso.com.

c. Right-click the Default Domain Policy and click Edit.

4. In the Group Policy Management Editor, click Computer Configuration | Preferences | Windows Settings | Network Shares.

5. Create a new network share Preference setting.

a. Right-click Network Shares and select New, then Network Share.

b. In the New Network Share properties window, select the following:


1) Action: Create

2) Share name: 2008TEST

3) Folder path: C:\scripts

4) Leave the rest as default settings.

5) Click OK.

6. Force Group Policy application by typing gpupdate /force at the command prompt. Select Y when prompted to log off.

7. Log on again, open a command prompt and type net share. You will see a share named 2008TEST pointing to the existing folder C:\scripts on 2008-01.

Exercise 5: Create a mapped drive for users in the Domain Admins group via Preferences in Group Policy

Task 1:

1. On 2008-01, edit the Default Domain Policy.

a. Log on to 2008-01. Click Start | Run and type gpmc.msc.

b. Double-click Domains and then Contoso.com.

c. Right-click the Default Domain Policy and click Edit.

2. In the Group Policy Management Editor, click User Configuration | Preferences | Windows Settings | Drive Maps.

3. Create a new mapped drive preference setting.

a. Right-click Drive Maps and select New, then Mapped Drive.

b. In the New Drive properties window, select the following:

1) Action: Create

2) Location: \\2008-01\c$ (the hidden administrative share of the system drive, which only members of the local Administrators group can open; this is why the item is targeted at Domain Admins below, and why such a mapping is a lab convenience rather than a production pattern)

3) Label as: MyDrive


4) Drive Letter: Use first available, starting at: E

5) Keep the rest of the settings as default.

6) Click the Common tab, select Item-level targeting and click Targeting.

7) Click New Item, select Security Group and click Browse.

8) Type Domain Admins and click Check Names. Click OK.

9) Click OK.

4. Force Group Policy application by typing gpupdate /force at the command prompt. Select Y when prompted to log off.

5. Log on again, open My Computer and verify that MyDrive points to \\2008-01\c$.

6. (Optional) Test by logging on to Vista-01 as a Domain Admin and as a non-admin user and confirm whether the drive is mapped. Item-level targeting is evaluated on the client when the preference is processed, so the non-admin user should not receive the drive at all.

Exercise 6: Disable a preference setting

Task 1:

1. On 2008-01, edit the Default Domain Policy.

a. Log on to 2008-01. Click Start | Run and type gpmc.msc.

b. Double-click Domains and then Contoso.com.

c. Right-click the Default Domain Policy and click Edit.

2. In the Group Policy Management Editor, click User Configuration | Preferences | Windows Settings | Drive Maps.

3. Click the drive letter in the right-hand pane to select the preference item, then click the red circle with a slash on the toolbar to disable it. A disabled item stays in the GPO but is skipped when the preference is processed.

4. Force Group Policy application by typing gpupdate /force at the command prompt. Select Y when prompted to log off.

5. Log on again, open My Computer and verify that MyDrive is no longer available.
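Everything configured in Exercises 4 to 6 is stored as XML in the GPO's SYSVOL folder (Machine\Preferences\NetworkShares\NetworkShares.xml for shares, User\Preferences\Drives\Drives.xml for drive maps), which is what the client actually reads. The following added PowerShell script (not part of the lab manual) parses those files for every GPO under a Policies folder and reports each item's action, path, disabled state and item-level targeting, so you can audit what a GPO will push out without opening GPMC. The sample files it writes under %TEMP% are constructed to mirror the three lab items and are simplified (real files carry clsid, uid and changed attributes); the element and attribute names the parser relies on are those of the real format.

```powershell
# Added example: audit Group Policy Preference share and drive-map items straight
# from their SYSVOL XML. Constructed sample data is written under %TEMP%.

function Get-GppItem {
    param([Parameter(Mandatory)][string]$PoliciesRoot)  # e.g. \\contoso.com\SYSVOL\contoso.com\Policies
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }
    $files = Get-ChildItem -Path $PoliciesRoot -Recurse -Include 'Drives.xml', 'NetworkShares.xml' `
        -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        [xml]$doc = Get-Content -Path $f.FullName
        # Drives.xml -> <Drives><Drive>, NetworkShares.xml -> <NetworkShareSettings><NetShare>
        foreach ($item in ($doc.DocumentElement.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })) {
            $p = $item.Properties
            # Item-level targeting lives under <Filters> (FilterGroup, FilterUser, FilterComputer, ...).
            $filters = foreach ($flt in @($item.Filters.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })) {
                '{0}{1}={2}' -f $(if ($flt.not -eq '1') { 'NOT ' } else { '' }), $flt.LocalName, $flt.name
            }
            [pscustomobject]@{
                Gpo        = ($f.FullName -split '\\' | Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' })[0]
                Scope      = if ($f.FullName -match '\\Machine\\') { 'Computer' } else { 'User' }
                Type       = $item.LocalName
                Name       = $item.name
                Action     = $actions[[string]$p.action]
                Path       = $p.path
                Disabled   = ($item.disabled -eq '1')            # the toolbar "disable" sets this flag
                AdminShare = ([string]$p.path -match '\$$')       # \\host\c$ style targets
                Targeting  = if ($filters) { $filters -join ' ' } else { '(everyone in scope)' }
            }
        }
    }
}

# --- constructed sample mirroring Exercises 4 to 6 ---
# {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known GUID of the Default Domain Policy.
$sampleRoot = Join-Path $env:TEMP 'gpp-sample\Policies'
$gpo        = Join-Path $sampleRoot '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$machineDir = Join-Path $gpo 'Machine\Preferences\NetworkShares'
$userDir    = Join-Path $gpo 'User\Preferences\Drives'
New-Item -ItemType Directory -Path $machineDir, $userDir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<NetworkShareSettings>
  <NetShare name="2008TEST">
    <Properties action="C" name="2008TEST" path="C:\scripts" comment=""/>
  </NetShare>
</NetworkShareSettings>
'@ | Set-Content -Path (Join-Path $machineDir 'NetworkShares.xml')
@'
<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="E:" disabled="1">
    <Properties action="C" path="\\2008-01\c$" label="MyDrive" useLetter="0" letter="E"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\Domain Admins" userContext="1"/>
    </Filters>
  </Drive>
</Drives>
'@ | Set-Content -Path (Join-Path $userDir 'Drives.xml')

# Point -PoliciesRoot at \\contoso.com\SYSVOL\contoso.com\Policies for the real domain.
Get-GppItem -PoliciesRoot $sampleRoot |
    Format-Table Gpo, Scope, Type, Name, Action, Path, Disabled, AdminShare, Targeting -AutoSize
```

The AdminShare column is the check worth keeping when you run this against real SYSVOL: a drive map to an administrative share that is not restricted by item-level targeting hands every user in scope a drive letter they cannot open, and tells them exactly which host and share to look at.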


Lab 10: Windows Server 2008 Backup and Recovery


During this lab, you will use the Windows Server 2008 Backup features to back up, view, and restore Active Directory data.

Estimated time to complete this lab: 60 minutes

Before You Begin

Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn

After completing this lab, you will be able to:

■ Back up Windows Server 2008 System State data.

■ Create a snapshot and mount the snapshot so that the backed-up directory information can be viewed in an LDAP browser.

■ Restore the System State backup.

Lab Environment

To complete this lab, you will need the following Virtual Machines:

■ 2008-01

Important

You must log on as an administrative user in order to perform some of the tasks in this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso


Exercise 1: Use Windows Server Backup to back up and restore System State data

Scenario

As an administrator of Active Directory in Contoso.com, you need to test the correct Disaster Recovery procedures used for Active Directory in Windows Server 2008.

Tasks

1. Use Windows Server Backup to back up the Windows System State.

a. Verify that Windows Server Backup is installed, or install the Windows Server Backup feature.

1) Log on to 2008-01 as contoso\Administrator.

2) Launch Server Manager (click Start, Administrative Tools, then Server Manager).

3) Select Features and verify that Windows Server Backup is installed by looking at the list under Features Summary.

4) If it is not installed, click Add Features in the right pane under Features Summary. This launches the Add Features Wizard.

5) On the Select Features page, select Windows Server Backup Features. Expand Windows Server Backup Features, make sure Command-line Tools is checked, and click Next.

6) On Confirm Installation Selections, select Install.

7) Click Close on the Installation Results page.

b. Create a system state backup.

1) At the command prompt, type wbadmin start SystemStateBackup -backuptarget:D: and press Enter.

Important

The backup target location must be a drive letter and colon with no folder path (such as D: or F:). The backup target cannot be the system drive and cannot be a mapped drive. A system state backup of a domain controller contains ntds.dit, and with it every password hash in the domain, so protect the target volume and the resulting .vhd as carefully as the domain controller itself.


2) When prompted, enter C and press Enter, then enter Y and press Enter.

Important

The backup could take up to 90 minutes to complete, depending on hardware resources.

3) Examine the contents of D:\WindowsImageBackup\2008-01\SystemStateBackup\Backup\<date>

a) Notice that the backup file has a .vhd extension.

2. Create a snapshot using NTDSUtil.exe.

a. At the command prompt, type ntdsutil snapshot.

b. At the snapshot prompt, type activate instance ntds.

c. At the snapshot prompt, type create.

3. Mount the snapshot created in step 2 using NTDSUtil.exe (DSAMain.exe is used in the next step to serve the mounted copy, not to mount it).

a. Mount the snapshot.

1) At the snapshot prompt, type list all. Note the index number and GUID of the snapshot.

2) At the snapshot prompt, type mount 1 (the index shown by list all).

b. View the contents of C:\$SNAP_<datetime>_VOLUMEC$\

1) Notice that you can browse to the ntds.dit file at C:\$SNAP_<datetime>_VOLUMEC$\Windows\NTDS\ntds.dit. This is a complete copy of the directory database, password hashes included; anyone who can read the mount point can read them.

4. Load the ntds.dit copy created in the snapshot and connect to the offline directory using an LDAP browser.

a. Use DSAMain.exe to load the snapshot.

1) At another command prompt, type dsamain -dbpath C:\$SNAP_<datetime>_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 5000

b. Launch LDP.exe and view the contents of the ntds.dit database.

1) Launch ldp.exe.

2) Click Connection | Connect.

3) Change the port to 5000 and click OK.

4) Click Connection | Bind.

5) Click View | Tree.

a) Notice that you can view the directory data.

6) In the dsamain command window, press Ctrl+C to stop dsamain. When you have finished, unmount the snapshot from the ntdsutil snapshot prompt (unmount 1) so the offline copy is no longer exposed.

5. Delete the contoso\bsmith user account.

a. Launch Server Manager (click Start, Administrative Tools, then Server Manager).

b. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | contoso.com | Training.

c. Find Ben Smith and delete this account.

Note

The above steps are necessary to un-mount the Windows Server 2008 ISO to prevent accidentally selecting "Boot from CD or DVD" during the reboot.

d. Restart the server.

e. Enter Directory Services Restore Mode.

1) Press F8 to enter Advanced Boot Options.

2) Select Directory Services Restore Mode and press Enter. Log on with the local DSRM Administrator account and the DSRM password set when the domain controller was promoted; domain accounts are not available in this mode.

6. Use Windows Server Backup to restore the Windows System State backup.

a. Obtain the version of the stored system state backup.

1) At the command prompt, type wbadmin get versions.

2) Note the Version identifier value.

b. Restore the system state.


1) At the command prompt, type wbadmin start systemstaterecovery -version:<version identifier found in the previous step>

2) Type Y when prompted at Do you want to start the system state recovery operation.

3) Type Y when prompted at:

The replication engine used at backup time was `FRS`. You cannot use System State Recovery if the replication engine for SYSVOL changed from the backup time.
If the replication engine has changed, abort this recovery and contact support.
Do you want to proceed?
[Y] Yes [N] No

Note

If you are going to perform a restore after a SYSVOL migration to DFSR has been performed, you cannot use a system state backup taken while FRS was the replication engine for SYSVOL.

7. Using ntdsutil.exe, authoritatively restore the user object. Without this step the restored domain controller would replicate with its partners and the deletion, which carries newer version numbers, would win; the authoritative restore raises the object's version numbers so that the restored copy wins instead.

a. At the command prompt, type ntdsutil and press Enter.

b. Type activate instance ntds and press Enter.

c. Type authoritative restore and press Enter.

d. Type restore object "CN=Ben Smith,OU=Training,DC=Contoso,DC=com" and press Enter.

e. Type quit and press Enter, then type quit again and press Enter.

8. Restart the server into normal mode.

9. Verify that the contoso\bsmith account is available after the restore.

a. Launch Server Manager (click Start, Administrative Tools, then Server Manager).

b. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | contoso.com | Training.

c. Find Ben Smith.
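Steps 1 to 4 of this exercise (backup, snapshot, mount, serve the offline ntds.dit with dsamain, inspect it over LDAP) are the part of this procedure that is also useful for forensics, since a snapshot is a consistent point-in-time copy of the directory that can be queried without touching the live DC. The following added PowerShell script (not part of the lab manual) runs those steps and then compares one object between the live directory and the snapshot, which is how you would confirm a deletion like the one in step 5 against an earlier state. It assumes an elevated Domain Admin session on 2008-01 and uses the lab's backup target, port and object; the regular expressions that pull the snapshot GUID and mount point out of ntdsutil's text output are an assumption about the tool's wording and should be checked against your build.

```powershell
# Added example: system state backup, AD snapshot, mount, dsamain on a side
# port, and a live-vs-snapshot comparison of one object over LDAP.
$target = 'D:'
$port   = 5000
$userDn = 'CN=Ben Smith,OU=Training,DC=Contoso,DC=com'

# 1. System state backup. -quiet suppresses the interactive prompts; this can
#    run for a long time. The resulting .vhd contains ntds.dit, hashes included.
& wbadmin start systemstatebackup "-backuptarget:$target" -quiet

# 2. Create a snapshot; ntdsutil reports the GUID of the new snapshot set.
$createOut = & ntdsutil snapshot 'activate instance ntds' create quit quit
$guid = ([regex]'\{[0-9a-fA-F-]{36}\}').Match(($createOut -join "`n")).Value
if (-not $guid) { throw "No snapshot GUID found in ntdsutil output:`n$($createOut -join "`n")" }

# 3. Mount it (mount also accepts the index shown by 'list all', as the lab does).
#    ntdsutil prints the mount point, C:\$SNAP_<datetime>_VOLUMEC$\.
$mountOut   = & ntdsutil snapshot 'activate instance ntds' "mount $guid" quit quit
$mountPoint = ([regex]'[A-Z]:\\\$SNAP_\S+?_VOLUME[A-Z]\$\\').Match(($mountOut -join "`n")).Value
if (-not $mountPoint) { throw "No mount point found in ntdsutil output:`n$($mountOut -join "`n")" }
$dit = Join-Path $mountPoint 'Windows\NTDS\ntds.dit'

# 4. Serve the offline database on a separate LDAP port, then query both copies.
$dsamain = Start-Process -FilePath dsamain -ArgumentList "-dbpath `"$dit`" -ldapport $port" -PassThru
Start-Sleep -Seconds 20     # give dsamain time to open the database

function Test-AdObject([string]$ldapPath) {
    # DirectoryEntry.Exists binds with the caller's credentials.
    try { return [adsi]::Exists($ldapPath) } catch { return $false }
}
$live = Test-AdObject "LDAP://localhost/$userDn"
$snap = Test-AdObject "LDAP://localhost:$port/$userDn"
'{0}: present in live directory = {1}; present in snapshot = {2}' -f $userDn, $live, $snap

# Clean up: stop dsamain and unmount. The snapshot stays on disk, readable by
# administrators, until 'ntdsutil snapshot "delete <GUID>"' removes it.
Stop-Process -Id $dsamain.Id -ErrorAction SilentlyContinue
& ntdsutil snapshot 'activate instance ntds' "unmount $guid" quit quit | Out-Null
```

Run before step 5 both values are True; run again after the deletion, the live value is False while the snapshot still reports True, which is exactly the evidence you want before deciding on an authoritative restore. Treat mounted snapshots and the dsamain port as sensitive for the same reason the lab's Important note gives for the backup target.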

