
OFFICIAL MICROSOFT LEARNING PRODUCT

6419A
Configuring, Managing and Maintaining Windows Server® 2008 Servers

Volume 2

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Press, Active Directory, ActiveX, BitLocker, Excel, Hyper-V, Internet Explorer, MS,
MSDN, PowerPoint, SharePoint, SQL Server, Visual Basic, Visual Studio, Win32, Windows, Windows
Media, Windows NT, Windows PowerShell, Windows Server, and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Product Number: 6419A


Part Number: X15-47115

Released: 02/2009

MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION – Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.

If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Academic Materials” means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
“MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. “Licensed Content” means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.
i. “Student Content” means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. “Trainer Content” means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
m. “Virtual Machine” means a virtualized computing experience, created and accessed using
Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered “Trainer Content”.
n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (ii) or (ii) above during such
Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (“beta term”).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
“Evaluation Software” may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use
• You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to
Microsoft’s benefit in the format provided below:
Form of Notice:
© 2009 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else’s use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
• Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as “NFR” or “Not for Resale.”
10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as
“Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates,
Internet-based services and support services that you use, are the entire agreement
for the Licensed Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.

Note: As this licensed content is distributed in Quebec, Canada, some of the clauses
in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered “as is.” Any
use of this licensed content is at your sole risk. Microsoft gives no other
express warranty. You may have additional rights under local consumer protection
law, which this agreement cannot change. Where permitted by local law, the implied
warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR
DAMAGES. You can obtain from Microsoft and its suppliers compensation for
direct damages only, up to US $5.00. You cannot claim any compensation
for other damages, including special, indirect or incidental damages and lost
profits.
This limitation applies to:
• anything related to the licensed content, services or content (including code)
on third-party Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability,
negligence or other fault, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such
damage. If your country does not allow the exclusion or limitation of liability for
indirect, incidental or any other damages, the above limitation or exclusion may not
apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights
under the laws of your country. This agreement does not change the rights granted to you by the laws of
your country if those laws do not permit it.

Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their
contribution towards developing this title. Their effort at various stages in the
development has ensured that you have a good classroom experience.

Aaron Clutter – Lead Developer


Aaron Clutter has been developing and leading the development of content for
Aeshen since 2002. He has a background as a Windows administrator and
network engineer.

Michael Cassens – Content Developer


Michael Cassens is a Senior Content Developer at Aeshen and joined in 2006. He
earned his MCSD and MCP+Site Building certifications in 2000 and a Masters in
Computer Science in 2003. He has also worked as an independent software
consultant and an Adjunct Professor at the University of Montana since 1998.

Sean Masters – Content Developer


Sean Masters joined Aeshen in 2007. He has worked in SMB technical operations
for nearly 10 years including 4 years as manager of information technology at a
property management firm and 4 years as a private consultant to various legal and
financial firms in the New England area.

Valerie Lee – Content Developer


Valerie Lee joined Aeshen in 2006, and has gained extensive knowledge of
Microsoft technologies by working on Microsoft TechNet Content, Webcasts,
White Papers, and Microsoft Learning Courses. Prior to joining Aeshen, she
worked as a consultant in positions providing desktop and network
troubleshooting and training support.

Joel Barker – Content Developer


Joel Barker has been developing content for Microsoft server products for five
years; prior to that, he held a variety of positions in the IT industry.

Philip Morgan - Subject Matter Expert


Philip Morgan is a Senior Product Analyst at Aeshen and joined the company in
2007. He has been an MCT since 1996 and has worked as a trainer, consultant,
and network administrator helping people learn, implement, and use Microsoft
products.

Conan Kezema – Technical Reviewer


Conan Kezema, MCSE, MCT is an educator, consultant, network systems architect,
and author who specializes in Microsoft technologies.

Contents
Module 1: Introduction to Managing Microsoft Windows Server 2008 Environment
Lesson 1: Server Roles
Lesson 2: Overview of Active Directory
Lesson 3: Using Windows Server 2008 Administrative Tools
Lesson 4: Using Remote Desktop for Administration
Lab: Administering Windows Server 2008

Module 2: Creating Active Directory Domain Services User and Computer Objects
Lesson 1: Managing User Accounts
Lesson 2: Creating Computer Accounts
Lesson 3: Automating AD DS Object Management
Lesson 4: Using Queries to Locate Objects in AD DS
Lab: Creating AD DS User and Computer Accounts

Module 3: Creating Groups and Organizational Units
Lesson 1: Introduction to AD DS Groups
Lesson 2: Managing Groups
Lesson 3: Creating Organizational Units
Lab: Creating an OU Infrastructure

Module 4: Managing Access to Resources in Active Directory Domain Services
Lesson 1: Managing Access Overview
Lesson 2: Managing NTFS File and Folder Permissions
Lesson 3: Assigning Permissions to Shared Resources
Lesson 4: Determining Effective Permission
Lab: Managing Access to Resources

Module 5: Configuring Active Directory Objects and Trusts


Lesson 1: Delegate Administrative Access to Active Directory Objects 5-3
Lab A: Configuring Active Directory Delegation 5-12
Lesson 2: Configure Active Directory Trusts 5-16
Lab B: Configuring Active Directory Trusts 5-24

Module 6: Creating and Configuring Group Policy


Lesson 1: Overview of Group Policy 6-3
Lesson 2: Configuring the Scope of Group Policy Objects 6-18
Lesson 3: Evaluating the Application of Group Policy Objects 6-31
Lesson 4: Managing Group Policy Objects 6-37
Lesson 5: Delegating Administrative Control of Group Policy 6-47
Lab A: Creating and Configuring GPOs 6-51
Lab B: Verifying and Managing GPOs 6-57

Module 7: Configure User and Computer Environments By Using Group


Policy
Lesson 1: Configuring Group Policy Settings 7-3
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy 7-7
Lab A: Configuring Logon Scripts and Folder Redirection Using Group Policy 7-13
Lesson 3: Configuring Administrative Templates 7-17
Lab B: Configuring Administrative Templates 7-23
Lesson 4: Deploying Software Using Group Policy 7-28
Lab C: Deploying Software with Group Policy 7-36
Lesson 5: Configuring Group Policy Preferences 7-39
Lab D: Configuring Group Policy Preferences 7-44
Lesson 6: Introduction to Group Policy Troubleshooting 7-48
Lesson 7: Troubleshooting Group Policy Application 7-55
Lesson 8: Troubleshooting Group Policy Settings 7-67
Lab E: Troubleshooting Group Policy Issues 7-71

Module 8: Implementing Security Using Group Policy


Lesson 1: Configuring Security Policies 8-3
Lesson 2: Implementing Fine-Grained Password Policies 8-15
Lab A: Implementing Security Using Group Policy 8-20
Lesson 3: Restricting Group Membership and Access to Software 8-26
Lesson 4: Managing Security Using Security Templates 8-34
Lab B: Configuring and Verifying Security Policies 8-43

Module 9: Configuring Server Security Compliance


Lesson 1: Securing a Windows Infrastructure 9-3
Lesson 2: Overview of EFS 9-9
Lesson 3: Configuring an Audit Policy 9-13
Lesson 4: Overview of Windows Server Update Services (WSUS) 9-20
Lesson 5: Managing WSUS 9-32
Lab: Manage Server Security 9-40

Module 10: Configuring and Managing Storage Technologies


Lesson 1: Windows Server 2008 Storage Management Overview 10-3
Lesson 2: Managing Storage Using File Server Resource Manager 10-13
Lab A: Installing the FSRM Role Service 10-20
Lesson 3: Configuring Quota Management 10-22
Lab B: Configuring Storage Quotas 10-29
Lesson 4: Implementing File Screening 10-31
Lab C: Configuring File Screening 10-38
Lesson 5: Managing Storage Reports 10-40
Lab D: Generating Storage Reports 10-45
Lesson 6: Understanding Storage Area Networks 10-47

Module 11: Configuring and Managing Distributed File System


Lesson 1: Distributed File System (DFS) Overview 11-3
Lesson 2: Configuring DFS Namespaces 11-13
Lab A: Installing the Distributed File System Role Service and Creating a DFS Namespace 11-22
Lesson 3: Configuring DFS Replication 11-26
Lab B: Configuring Folder Targets and Viewing Diagnostic Reports 11-42

Module 12: Configuring Network Access Protection


Lesson 1: Overview of Network Access Protection 12-3
Lesson 2: How NAP Works 12-18
Lesson 3: Configuring NAP 12-25
Lesson 4: Monitoring and Troubleshooting NAP 12-33
Lab: Configuring NAP for DHCP and VPN 12-37

Module 13: Configuring Availability of Network Content and Resources


Lesson 1: Configuring Shadow Copies 13-3
Lab A: Configuring Shadow Copying 13-11
Lesson 2: Providing Server and Service Availability 13-14
Lab B: Configuring Network Load Balancing 13-26

Module 14: Monitoring and Maintaining Windows Server 2008 Servers


Lesson 1: Planning Monitoring Tasks 14-3
Lesson 2: Calculating a Server Baseline 14-9
Lesson 3: Measuring Performance Objects 14-14
Lab A: Identifying Windows Server 2008 Monitoring Requirements 14-24
Lesson 4: Selecting Appropriate Monitoring Tools 14-29
Lesson 5: Planning Notification Methods 14-37
Lesson 6: Overview of Windows Server 2008 Management Tasks 14-41
Lesson 7: Automating Windows Server 2008 Management 14-45
Lab B: Configuring Windows Server 2008 Monitoring 14-49

Module 15: Managing Windows Server 2008 Backup and Restore


Lesson 1: Planning Backups with Windows Server 2008 15-3
Lesson 2: Planning Backup Policy on Windows Server 2008 15-15
Lesson 3: Planning a Server Restore Policy 15-20
Lesson 4: Planning an EFS Restore Policy 15-29
Lesson 5: Troubleshooting Windows Server 2008 Startup 15-40
Lab A: Planning Windows Server 2008 Backup Policy 15-51
Lab B: Planning Windows Server 2008 Restore 15-58

Lab Answer Keys


Lab: Administering Windows Server 2008 L1-1

MCT USE ONLY. STUDENT USE PROHIBITED


Module 1: Introduction to Managing Windows Server 2008 Environment
Lab: Administering Windows Server 2008
Exercise 1: Install the DNS Server Role
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the
password Pa$$w0rd.
6. Log on to NYC-SVR1 as NYC-SVR1\Administrator with the password
Pa$$w0rd.
7. Log on to NYC-CL1 as NYC-CL1\LocalAdmin with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Install the DNS Server role


1. On NYC-SVR1, click Start and then click Server Manager.
2. The Server Manager window opens. In the console pane, click Roles.
3. In the details pane, click Add Roles.
4. The Add Roles Wizard appears. Click Next.
5. On the Server Roles page, select DNS Server and then click Next.
6. On the DNS Server page, click Next.
7. On the Confirmation page, click Install.
8. Allow the role installation to complete.
9. On the Results page, click Close.
10. Close Server Manager.

Task 3: Verify domain membership


1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In the console pane, click Computers.
3. Notice that NYC-SVR1 exists here. Member server computer accounts are
added to the Computers container by default.
4. Close Active Directory Users and Computers.
5. On NYC-SVR1, click Start, and click Server Manager.
6. In the console pane, expand Configuration, expand Local Users and Groups,
and then click Groups.
7. Double-click Administrators.

Note: Notice that WOODGROVEBANK\Domain Admins is a member of this group
because this server is joined to the domain.

8. Click Cancel and close Server Manager.

Results: After this exercise, you should have successfully installed the DNS Server role
and successfully verified domain membership.


Exercise 2: Configuring Remote Desktop for Administration
Task 1: Enable Remote Desktop for Administration
1. On NYC-SVR1, click Start, right-click Computer, and then click Properties.
2. Under Tasks, click Remote settings.
3. In the System Properties dialog box, select Allow connections from
computers running Remote Desktop with Network Level Authentication
(more secure).
4. A confirmation dialog box appears. Click OK.

Task 2: Grant Axel Delgado access to Remote Desktop for Administration on NYC-SVR1
1. In the System Properties dialog box, click Select Users.
2. In the Remote Desktop Users dialog box, click Add, type Axel Delgado, click
Check Names, and then click OK.
3. Click OK to close the Remote Desktop Users dialog box.
4. Click OK to close the System Properties dialog box.
5. Close the System window.

Task 3: Configure security for Remote Desktop for Administration


1. On NYC-SVR1, click Start, point to Administrative Tools, point to Terminal
Services, and then click Terminal Services Configuration.
2. In the details pane, right-click RDP-Tcp and click Properties.
3. In the Security layer list, click SSL (TLS 1.0).
4. In the Encryption level list, click High.
5. Verify that Allow connections only from computers running Remote
Desktop with Network Level Authentication is selected.
6. Click OK to save the changes.
7. Close Terminal Services Configuration.
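
The settings chosen in Tasks 1 to 3 can be checked from a script rather than by reopening each dialog box. The following is an added example, not part of the course lab files: it reads the registry values behind the Remote Desktop and RDP-Tcp dialogs on the local server and lists who can connect. The function names are hypothetical, and it is meant to be run in an elevated PowerShell session on NYC-SVR1.

```powershell
# Added example (not from the course files): audit the Remote Desktop settings
# configured in Exercise 2 by reading the registry values behind the dialogs.
$tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listenerKey = "$tsKey\WinStations\RDP-Tcp"

# Hypothetical helper: compare one registry value with the value the lab expects.
function Get-RdpFinding {
    param([string]$Path, [string]$Name, [int]$Expected, [string]$Meaning)

    $actual = $null
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.$Name }

    $status = 'REVIEW'
    if ($null -eq $actual)         { $status = 'MISSING' }
    elseif ($actual -eq $Expected) { $status = 'OK' }

    $finding = New-Object PSObject
    $finding | Add-Member -MemberType NoteProperty -Name Setting  -Value $Name
    $finding | Add-Member -MemberType NoteProperty -Name Expected -Value $Expected
    $finding | Add-Member -MemberType NoteProperty -Name Actual   -Value $actual
    $finding | Add-Member -MemberType NoteProperty -Name Status   -Value $status
    $finding | Add-Member -MemberType NoteProperty -Name Meaning  -Value $Meaning
    $finding
}

# Hypothetical helper: list the members of a local group through the WinNT provider.
function Get-LocalGroupMemberPath {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://./$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$findings = @(
    # 0 = Remote Desktop connections are allowed (Task 1)
    Get-RdpFinding $tsKey       'fDenyTSConnections' 0 'Remote Desktop enabled'
    # 1 = Network Level Authentication is required (Task 1, verified in Task 3)
    Get-RdpFinding $listenerKey 'UserAuthentication' 1 'NLA required'
    # 2 = SSL (TLS 1.0); 0 = RDP Security Layer, 1 = Negotiate
    Get-RdpFinding $listenerKey 'SecurityLayer'      2 'Security layer SSL (TLS 1.0)'
    # 3 = High; 1 = Low, 2 = Client Compatible, 4 = FIPS Compliant
    Get-RdpFinding $listenerKey 'MinEncryptionLevel' 3 'Encryption level High'
)
$findings | Format-Table -AutoSize

# Who can log on through Remote Desktop: members of Remote Desktop Users,
# plus local Administrators, who are allowed by default.
foreach ($name in 'Remote Desktop Users', 'Administrators') {
    "Members of ${name}:"
    Get-LocalGroupMemberPath $name | ForEach-Object { "  $_" }
}
```

If the same settings are also delivered by Group Policy, the values under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services take precedence over the listener values read here.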


Task 4: Give Axel Delgado rights to run Reliability and Performance
Monitor
1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the console pane, expand Configuration, expand Local Users and Groups,
and then click Groups.
3. Double-click Performance Log Users.
4. In the Performance Log Users Properties window, click Add, type Axel
Delgado, click Check Names, and then click OK.
5. Click OK to close the Performance Log Users Properties window.
6. Close Server Manager.

Task 5: Verify Remote Desktop for Administration Functionality


1. On NYC-CL1, click Start, point to All Programs, click Accessories, and then
click Remote Desktop Connection.
2. In the Computer field, type NYC-SVR1.woodgrovebank.com, and then click
Connect.
3. In the User name field, type woodgrovebank\Axel.
4. In the Password box, type Pa$$w0rd, and then click OK.
5. In the Remote Desktop Connection window, click Start, point to
Administrative Tools, and then click Reliability and Performance Monitor.

Note: Notice that there is no data in the Resource Overview screen because Axel
Delgado is not a local Administrator.

6. In the console pane, click Performance Monitor.
7. Notice that Axel Delgado is able to use Performance Monitor to view server
statistics. By default, % Processor Time is listed.
8. Close Reliability and Performance Monitor.
9. Log off NYC-SVR1 in Remote Desktop.

Task 6: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.

Results: After this exercise, you should have successfully used Axel Delgado's account
to remotely access NYC-SVR1 and run Reliability and Performance Monitor.


Module 2: Creating AD DS User and Computer Accounts
Lab: Creating AD DS User and Computer Accounts
Exercise 1: Creating and Configuring User Accounts
Task 1: Start the virtual machines, and then log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
3. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the
password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Create a new user account


1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In the console pane, expand WoodgroveBank.com, right-click the ITAdmins
OU, point to New, and then click User.
3. In the New Object – User dialog box, enter the following information:
a. First name: Kerim
b. Last name: Hanif
c. Full name: Kerim Hanif
d. User logon name: Kerim
4. Click Next.
5. In the Password and Confirm password fields, type Pa$$w0rd.
6. Verify that the User must change password at next logon check box is
selected.
7. Click Next, and then click Finish.
8. On NYC-CL1, test the user account that you just created by logging on to
NYC-CL1 as WOODGROVEBANK\Kerim with the password of Pa$$w0rd.
9. When prompted, click OK, type Pa$$w0rd1 as the new password, type
Pa$$w0rd1 in the Confirm password field, click the right arrow button, and
then click OK.
10. Log off from NYC-CL1.

Task 3: Modify Kerim Hanif’s user account properties


1. On NYC-DC1, in Active Directory Users and Computers, in the details pane,
right-click Kerim Hanif, and then click Properties.
2. Modify the user properties as follows:
a. On the General tab, enter the following information:
i. Office: Downtown
ii. Telephone number: 204-555-0100
iii. E-mail: Kerim@WoodgroveBank.com
b. On the Dial-in tab, under Network Access Permission, click Allow
access.
c. On the Account tab, click Logon Hours. Configure logon hours to be
permitted Monday through Friday between 8:00 A.M. and 5:00 P.M., and
then click OK.
d. On the Member Of tab, click Add.
e. In the Select Groups dialog box, type ITAdmins_WoodgroveGG, and
then click OK twice.


Task 4: Create a template for the New York Customer Service
department
1. On NYC-DC1, in Active Directory Users and Computers, click on the NYC
OU, and then expand the CustomerService OU.
2. In the CustomerService OU, create and configure a user account with the
property settings in the following table:

Property                                 Value
First name                               CustomerService
Last name                                Template
Full name                                CustomerService Template
User logon name                          _ CustomerServiceTemplate
Password                                 Pa$$w0rd
Account is disabled                      Selected
User must change password at next logon  Selected
Description                              Customer Service Representative
Office                                   New York Main Office
Member Of                                NYC_CustomerServiceGG
Department                               Customer Service
Logon Hours                              6:00 A.M – 6:00 P.M. Monday to Friday




Task 5: Create a new user account based on the customer service
template
1. Right-click the CustomerService Template user, and then click Copy.
2. In the Copy Object – User dialog box, enter the following information:
a. First Name: Sunil
b. Last Name: Koduri
c. User Logon Name: Sunil
3. Click Next.
4. In the Password and Confirm Password fields, type Pa$$w0rd and then click
OK.
5. Click Next, and then click Finish.
6. Right-click Sunil Koduri, and then click Enable Account. Click OK.
7. Double-click Sunil Koduri, and verify that the group membership and logon
hours are correct. Review the settings on the General and Organization tabs.

Question: What values did not transfer from the template?

Answer: The Description and Office attributes.

Task 6: Modify the user account properties for all customer service
representatives in New York
1. Select the top user in the details pane, hold SHIFT, and then click the last user
in the details pane.
2. Hold CTRL, and then click NYC_CustomerServiceGG.
3. Right-click the highlighted user accounts, and then click Properties.
4. On the General tab, select the appropriate check boxes, and enter the
following information:
a. Description: Customer Service Representative
b. Office: New York Main Office
5. On the Organization tab, select the Department checkbox, enter Customer
Service, and then click OK.
6. Double-click Eli Bowen, and verify that the Description, Office, and
Department attributes have been updated. Click OK.

Task 7: Modify the user account properties for all Branch Managers
1. On NYC-DC1, in Active Directory Users and Computers, right-click
WoodgroveBank.com, and then click Find.
2. In the Find Users, Contacts, and Groups dialog box, click the Advanced tab.
3. Click Field, point to User, and then click Job Title.
4. In the Condition list, click Is (exactly), and in the Value field, type Branch
Manager.
5. Click Add, and then click Find Now.
6. Select all of the user accounts in the Search Results, right-click the highlighted
user accounts, and then click Add to a group.
7. In the Select Groups dialog box, type BranchManagersGG, and then click
OK twice.
8. Close the Find Users, Contacts, and Groups dialog box.


Task 8: Create a saved query to find all investment users
1. In Active Directory Users and Computers, right-click the Saved Queries
folder, point to New, and then click Query.
2. In the New Query dialog box, in the Name field, type Find Investment Users.
3. Click Define Query.
4. In the Find list, click Users, Contacts and Groups.
5. Click the Advanced tab.
6. Click Field, point to User and then click Department.
7. In the Condition list, verify that Starts with is selected, and in the Value field,
type Investments.
8. Click Add, and then click OK twice.
9. Under Saved Queries, click Find Investment Users.
10. The query should display all the users in the Investment departments in
each city.

Results: At the end of this exercise you will have created and configured user
accounts; created a template and a user account based on the template; and created a
saved query and verified its ability to return expected search results.


Exercise 2: Creating and Configuring Computer Accounts
Task 1: Create a computer account by using Active Directory Users and
Computers
1. On NYC-DC1, in Active Directory Users and Computers, right-click
Computers, point to New, and then click Computer.
2. In the New Object-Computer dialog box, in the Computer name field,
type Vista1.
3. Click Change.
4. In the Select User or Group dialog box, type Doris, click Check Names, and
then click OK twice.

Task 2: Delete a computer account in AD DS


1. On NYC-DC1, in Active Directory Users and Computers, click Computers.
2. Right-click NYC-CL1, and then click Delete.
3. In the Active Directory Users and Computers dialog box, click Yes.
4. On NYC-CL1, press the right ALT key and DELETE. Click Switch User.
5. Click Other User, then log on as Axel with the password of Pa$$w0rd.
6. Press ENTER, read the error message, and then click OK.

Task 3: Join a computer to an AD DS domain


1. Log in as NYC-CL1\LocalAdmin with a password of Pa$$w0rd.
2. Click Start, right-click Computer, and then click Properties.
3. In the System control panel, click Change settings. In the User Account
Control dialog box, click Continue.
4. On the Computer Name tab, click Change.
5. In the Computer Name/Domain Changes dialog box, for Computer name,
type NYC-CL3.
6. Under Member of, click Workgroup, and then type WORKGROUP.
Click OK.
7. In the Windows Security dialog box, in the User name field, type
Administrator and in the Password field, type Pa$$w0rd.
8. Click OK twice.
9. In Computer Name/Domain Changes dialog box, click OK twice, and then
click Close.
10. Click Restart Now.
11. After the computer restarts, log in as LocalAdmin with a password of
Pa$$w0rd.
12. Click Start, right-click Computer, and then click Properties.
13. In the System control panel, click Change settings.
14. In the User Account Control dialog box, click Continue.
15. On the Computer Name tab, click Change.
16. In the Computer Name/Domain Changes dialog box, under Member of,
click Domain, and then type WoodgroveBank.com. Click OK.
17. In the Windows Security dialog box, in the User name field, type
Administrator and in the Password field, type Pa$$w0rd.
18. Click OK twice.
19. In the Computer Name/Domain Changes dialog box, click OK twice, and
then click Close.
20. Click Restart Now.
21. On NYC-DC1, in Active Directory Users and Computers, click Computers or
press F5 to refresh the view. Verify that the NYC-CL3 account has been added
to the container object.
22. After NYC-CL3 restarts, verify that you can log on as WoodgroveBank\Axel
with a password of Pa$$w0rd.

Results: At the end of this exercise you will have created and configured computer
accounts, deleted a computer account, and joined a computer to an AD DS domain.


Exercise 3: Automating Management of AD DS Objects
Task 1: Modify and use the Importusers.csv file to prepare to import a
group of users into AD DS
1. On NYC-DC1, open Windows Explorer, and then browse to
E:\Mod02\Labfiles\.
2. Open ImportUsers.csv with Notepad. Examine the header information
required to create OUs and user accounts and leave this file open.
3. Open ImportUsers.txt with Notepad.
4. Select all text in ImportUsers.txt and then copy and paste the contents into
ImportUsers.csv file, under the first line of text.
5. On the File menu, click Save As, and then type C:\import.csv. In the Save as
type list, click All Files (*.*).
6. Click Save to save the file.
7. Close both Notepad windows.
8. Click Start, and then click Command Prompt.
9. Type CSVDE -I -F C:\import.csv and then press ENTER.
10. Open Active Directory Users and Computers, and then browse to the
Houston OU. Confirm that five child OUs were created, and that several user
accounts were created in each OU.

Task 2: Modify and run the ActivateUser.vbs script to enable the imported user accounts, and then assign a password to each account
1. On NYC-DC1, in E:\Mod02\Labfiles, right-click Activateusers.vbs, and then
click Edit.
2. Modify the container value in the second line to read
OU=BranchManagers,OU=Houston,DC=WoodgroveBank,DC=com.
3. Modify the container values in the additional lines at the end of the script to
include the following OUs:
• OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com
• OU=Investments,OU=Houston,DC=WoodgroveBank,DC=com
• OU=Executives,OU=Houston,DC=WoodgroveBank,DC=com
• OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com
4. On the File menu, click Save As, and then type C:\activateusers.vbs. In the
Save as type list, click All Files (*.*).
5. Click Save to save the file.
6. Close Notepad.
7. In Command Prompt, type Cscript C:\ActivateUsers.vbs and then press
ENTER.
8. In Active Directory Users and Computers, browse to the Houston OU.
Confirm that user accounts in all child OUs are enabled.

Note: There is no confirmation when the script is complete.

Task 3: Modify the Modifyusers.ldf file to prepare to modify the properties for a group of users in AD DS
1. On NYC-DC1, at the command prompt, type
LDIFDE -f c:\Modifyusers.ldf -d "OU=Houston,DC=WoodgroveBank,DC=com" -r "objectClass=user" -l physicalDeliveryOfficeName
and then press ENTER.
This command exports all of the user accounts in the Houston and child OUs.
Because the Office attribute is blank for each object, the attribute is not
exported.
2. Type Notepad C:\Modifyusers.ldf and then press ENTER.
3. On the Edit menu, click Replace.
4. In the Find what field, type changetype: add and in the Replace with field,
type changetype: modify and then click Replace All.
5. Click Cancel.
6. Under each changetype line, add the following lines:
replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName: Houston
7. At the end of the entry for each user, add a hyphen (-) followed by a blank line.
8. When you are done, the entry for each user should be similar to:

dn: CN=Dieter Massalsky,OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com
changetype: modify
replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName: Houston
-

9. On the File menu, click Save and then close Notepad.


10. At the command prompt, type LDIFDE -I -f c:\Modifyusers.ldf, and then
press ENTER.
11. In Active Directory Users and Computers, in the ITAdmins OU under the
Houston OU, double-click Dieter Massalsky.
12. Verify that the Office attribute for the user accounts in Houston has been
updated with the Houston location.
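
The Notepad edits in steps 3 to 8 can be scripted, which also gives a point at which to check exactly which objects the import will change. The following is an added example, not part of the course lab files: it turns the lines of an LDIFDE export into the modify records shown in step 8, joins folded lines, and refuses any DN that is not under the expected container. The function name and the sample export lines (other than the Dieter Massalsky entry from step 8) are constructed for illustration.

```powershell
# Added example (not from the course files): build the Task 3 modify records
# from an LDIFDE export instead of editing every entry by hand.
function ConvertTo-LdifModify {
    param(
        [string[]]$ExportLines,   # lines of the export file
        [string]$BaseDn,          # only DNs under this container are accepted
        [string]$Attribute,       # attribute to replace
        [string]$Value            # new value
    )
    if ([string]::IsNullOrEmpty($Value)) { throw 'Value must not be empty.' }

    # Unfold: in LDIF, a line that starts with one space continues the previous line.
    $unfolded = @()
    foreach ($line in $ExportLines) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $line.Substring(1)
        } else {
            $unfolded += $line
        }
    }

    # A value that is not plain printable ASCII, or that starts with a space,
    # ':' or '<', has to be written base64-encoded after a double colon.
    if ($Value -cmatch '^[\x21-\x39\x3B\x3D-\x7E][\x20-\x7E]*$' -and -not $Value.EndsWith(' ')) {
        $valueLine = "${Attribute}: $Value"
    } else {
        $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
        $valueLine = "${Attribute}:: $b64"
    }

    $records = @()
    $skipped = @()
    foreach ($line in $unfolded) {
        if ($line -match '^dn(::?) (.+)$') {
            $dn = $Matches[2]
            if ($Matches[1] -eq '::') {
                # "dn::" means the DN itself is base64-encoded; decode it for the check.
                $dn = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($dn))
            }
            if ($dn.ToLower().EndsWith(',' + $BaseDn.ToLower())) {
                # Same record layout as step 8: dn, changetype, replace, value, '-', blank line.
                $records += $line, 'changetype: modify', "replace: $Attribute", $valueLine, '-', ''
            } else {
                $skipped += $dn
            }
        }
    }
    @{ Records = $records; Skipped = $skipped }
}

# Constructed sample export: one entry from the lab, one folded DN, one DN outside Houston.
$export = @(
    'dn: CN=Dieter Massalsky,OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com',
    'changetype: add',
    '',
    'dn: CN=Constructed User With A Long Name,OU=CustomerService,OU=Houston,DC=Woodgr',
    ' oveBank,DC=com',
    'changetype: add',
    '',
    'dn: CN=Constructed Outsider,OU=ITAdmins,DC=WoodgroveBank,DC=com',
    'changetype: add'
)

$result = ConvertTo-LdifModify -ExportLines $export `
    -BaseDn 'OU=Houston,DC=WoodgroveBank,DC=com' `
    -Attribute 'physicalDeliveryOfficeName' -Value 'Houston'

$result.Records
"Records written: $($result.Records.Count / 6); skipped outside base DN: $($result.Skipped.Count)"
$result.Skipped | ForEach-Object { "  skipped: $_" }

# To use the output with step 10, save it first, for example:
#   $result.Records | Set-Content -Encoding ASCII C:\Modifyusers.ldf
```

Review the record count before importing: the filter objectClass=user used in step 1 also matches computer accounts, because the computer class derives from user.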

Task 4: Run the CreateUser.ps1 script to add new users to AD DS


1. On NYC-DC1, in E:\Mod02\Labfiles, right-click CreateUser.ps1, and then
click Edit.
2. Under #Assign the location where the user account will be created,
note the entry
$objADSI = [ADSI]"LDAP://ou=ITAdmins,DC=WoodgroveBank,DC=com".
3. Close Notepad.
4. Select Start | All Programs | Windows PowerShell 1.0, and then click
Windows PowerShell.
5. Type Set-ExecutionPolicy AllSigned and then press ENTER.
6. Type E:\Mod02\Labfiles\CreateUser.ps1, and then press ENTER.
7. When the prompt appears, press R and then press ENTER.
8. In Active Directory Users and Computers, in the ITAdmins OU, verify that
the user Jesper has been created.
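
Under the AllSigned policy set in step 5, the prompt answered in step 7 is the untrusted-publisher prompt, where R means Run once. The following is an added example, not part of the course lab files: it inspects a script's Authenticode signature before that decision is made. The function name, the approved thumbprint and the temporary sample script are constructed for illustration.

```powershell
# Added example (not from the course files): inspect a script's signature
# before choosing Run once or Always run at the AllSigned prompt.
function Test-ScriptSignature {
    param(
        [string]$Path,
        # Thumbprints of code-signing certificates that have been approved (assumption).
        [string[]]$ApprovedThumbprints
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # No signature, or content changed after signing: never run.
    if ($sig.Status -eq 'NotSigned' -or $sig.Status -eq 'HashMismatch') {
        return "BLOCK  $Path : $($sig.Status)"
    }

    $thumb = $null
    if ($sig.SignerCertificate) { $thumb = $sig.SignerCertificate.Thumbprint }

    # Valid signature from a certificate on the approved list.
    if ($sig.Status -eq 'Valid' -and $ApprovedThumbprints -contains $thumb) {
        return "ALLOW  $Path : signed by $($sig.SignerCertificate.Subject)"
    }

    # Anything else (unknown signer, untrusted chain) needs a person to look at it.
    return "REVIEW $Path : status $($sig.Status), signer thumbprint $thumb"
}

# Constructed sample: an unsigned script in the temp folder.
$sample = Join-Path $env:TEMP 'constructed-unsigned.ps1'
Set-Content -Path $sample -Value 'Write-Output "constructed sample"'

# Constructed placeholder thumbprint; replace with approved certificate thumbprints.
$approved = @('0000000000000000000000000000000000000000')

Test-ScriptSignature -Path $sample -ApprovedThumbprints $approved
Remove-Item $sample

# Against the lab script the call would be:
#   Test-ScriptSignature -Path E:\Mod02\Labfiles\CreateUser.ps1 -ApprovedThumbprints $approved
```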

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.

Results: At the end of this exercise you will have examined several options for
automating the management of user objects.


Module 3: Creating Groups and Organizational Units
Lab: Creating an Organizational Unit Infrastructure
Exercise 1: Creating AD DS Groups
Task 1: Start the virtual machines, and then log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
3. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the
password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Create three groups using Active Directory Users and Computers
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In the console pane, expand WoodgroveBank.com, right-click Users, point to
New, and then click Group.
3. In the New Object – Group dialog box, add the following information into the
appropriate fields:
• Group name: VAN_BranchManagersGG
• Scope: Global
• Type: Security
4. Click OK.
5. Repeat the previous two steps to create two more groups that have the same
scope and type named:
• VAN_CustomerServiceGG
• VAN_InvestmentsGG


Task 3: Create a group using the Dsadd command-line tool
1. On NYC-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type dsadd group
"cn=VAN_MarketingGG,cn=Users,dc=WoodgroveBank,dc=com" -samid
VAN_MarketingGG -secgrp yes -scope g and then press ENTER.
3. The command line will display either of the following messages:
a. “dsadd failed…” :
If you receive this error, carefully type the command again.
b. “dsadd succeeded…”:
If you receive this message, type exit, and then press ENTER to close the
command line window.
4. Click the Users OU.
5. In Active Directory Users and Computers, under WoodgroveBank.com,
right-click Users, and then click Refresh.
6. Note the presence of the VAN_MarketingGG as well as the other Vancouver
groups inside the Users container.

Task 4: Add members to the new groups


1. In Active Directory Users and Computers, right-click WoodgroveBank.com,
and then click Find.
2. In the Find Users, Contacts, and Groups dialog box, type Neville and then
click Find Now.
3. In the Search results pane, right-click Neville Burdan, and then click Add to a
group.
4. In the Select Groups dialog box, type VAN_BranchManagersGG, and then
click OK twice.
5. Repeat the previous three steps, adding the users found in the following table
to their corresponding groups:

Find                Add to group
Suchitra Mohan      VAN_BranchManagersGG
Anton Kirilov       VAN_CustomerServiceGG
Shelley Dyck        VAN_CustomerServiceGG
Barbara Moreland    VAN_InvestmentsGG
Nate Sun            VAN_InvestmentsGG
Yvonne McKay        VAN_MarketingGG
Monika Buschmann    VAN_MarketingGG
Bernard Duerr       VAN_MarketingGG

Task 5: Inspect the contents of the Vancouver groups


1. In Active Directory Users and Computers, in the Users container, right-click
VAN_BranchManagersGG, and then click Properties.
2. In the VAN_BranchManagersGG Properties dialog box, click the Members
tab, and verify that Neville Burdan and Suchitra Mohan are now members.
3. Click Cancel, and then close Active Directory Users and Computers.

Results: At the end of this exercise you will have created three new groups by using
Active Directory Users and Computers and you will have created one group by
using Dsadd. You also will have added users to the groups and inspected the results.


Exercise 2: Planning an OU Hierarchy (Discussion)
Here are possible answers for the discussion questions.

Scenario
A new subsidiary of Woodgrove Bank is located in Vancouver, Canada. It will have
the following departments:
• Management
• Customer Service
• Marketing
• Investments

The organizational unit (OU) hierarchy has to support delegation of administrative
tasks to users within that organizational unit.

Discussion questions:
1. Which approach to extending the organizational hierarchy of
WoodgroveBank.com is most likely to be applied in creating the new
subsidiary’s resources: Geographic, Organizational, or Functional? Why?
Answer: The Geographical approach to naming top level OUs (those that
already exist within the domain hierarchy) should be extended in order to
keep that logic. Geographic naming and organization is permanent, allows for
future expansion, and its name easily identifies its functionality.
2. What would be the most logical way to further subdivide the subsidiary’s
organizational unit: Geographic, Organizational, or Functional?
Answer: Four new OUs inside the Vancouver OU that are based on the
organization's departments would best support the operations of the new
subsidiary. Organizations can use these OUs to handle groupings of similar
user, computer, and other AD DS resources, according to their similarities.
This also supports the need to delegate administrative roles over those
resources, as somebody within each group will be able to respond to most
needs in a timely manner.
3. What does the pattern of naming second level OUs in other centers suggest for
the new Vancouver OU?
Answer: The naming convention being applied consistently to upper level
OUs across the AD DS recognizes the company’s geographic divisions. Second
level OUs at each location match the organizational divisions in those
locations. Therefore, the new subsidiary should name its second level OUs as:
Managers, Customer Support, Marketing, and Investment.
4. What would be a simple but effective way of delegating administrative tasks
(including adding users and computers to the domain, and changing user
properties such as password resets and employee contact details) to certain
users within a department?
Answer: You can use the “Delegation of control” wizard to delegate
administrative rights at the OU level. Both users and groups can be added to
the delegation list. Additionally, you can use a list of rights to customize
administrative capabilities.

Results: At the end of this exercise you will have discussed and determined how to plan
an OU hierarchy.


Exercise 3: Creating an OU Hierarchy
Task 1: Create OUs using Active Directory Users and Computers
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active
Directory Users and Computers.
2. In the console pane, right-click WoodgroveBank.com, point to New, and then
click Organizational Unit.
3. In the New Object – Organizational Unit dialog box, type Vancouver.
4. Verify that the Protect container from accidental deletion check box is
selected, and then click OK.
5. Right-click Vancouver OU, point to New, and then click Organizational Unit.
6. In the New Object – Organizational Unit dialog box, type BranchManagers,
and then click OK.
7. Repeat the previous two steps to create two more OUs named:
• CustomerService
• Marketing

Task 2: Create an OU using Dsadd


1. On NYC-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type dsadd ou
"ou=Investments,dc=WoodgroveBank,dc=com" -desc "Investment
department" -d WoodgroveBank.com -u Administrator -p Pa$$w0rd and
then press ENTER.
3. In Active Directory Users and Computers, right-click WoodgroveBank.com,
and then click Refresh.
4. Note the presence of the new Investments OU.

Task 3: Nest an OU inside another OU


1. In Active Directory Users and Computers, right-click Investments, and then
click Move.
2. In the Move dialog box, click Vancouver, and then click OK.
Lab: Creating an Organizational Unit Infrastructure L3-25


Task 4: Move groups that you created in Exercise 1 into the
appropriate OUs
1. In Active Directory Users and Computers, click Users, and note the groups that
you created in Exercise 1.
2. Move the following groups into the following Vancouver OUs (see methods
later in this section):
• VAN_BranchManagersGG group to Vancouver\BranchManagers OU
• VAN_CustomerServiceGG group to Vancouver\CustomerService OU
• VAN_InvestmentsGG group to Vancouver\Investments OU
• VAN_MarketingGG group to Vancouver\Marketing OU
You may select any of the following methods to move these groups:
a. Drag the group into the appropriate Vancouver OU object. When the
AD DS warning appears, click Yes.
b. Use Cut and Paste to move the group into the appropriate Vancouver
OU:
i. Right-click the group, and then click Cut.
ii. Locate and expand the Vancouver OU.
iii. Right-click the appropriate subordinate OU, and then click
Paste.
iv. When the AD DS warning appears, click Yes.
c. Use the Move command to move the group into the appropriate
Vancouver OU:
i. Right-click the group, and then click Move.
ii. In the Move object into container dialog box, expand the
Vancouver OU.
iii. Click the appropriate subordinate OU, and then click OK.

Task 5: Find and move users into Vancouver OUs
Use Active Directory Users and Computers to find and move the following users
into the OUs noted next to their names:

Find                 Move to Vancouver OU
Neville Burdan       BranchManagers
Suchitra Mohan       BranchManagers
Anton Kirilov        CustomerService
Shelley Dyck         CustomerService
Barbara Moreland     Investments
Nate Sun             Investments
Yvonne McKay         Marketing
Monika Buschmann     Marketing
Bernard Duerr        Marketing

1. Right-click WoodgroveBank domain, and then click Find.
2. In the Find Users, Contacts, and Groups dialog box, type Neville, and then
click Find Now.
3. In the Search results pane, right-click Neville Burdan, and then click Move.
4. In the Move dialog box, expand Vancouver, click BranchManagers, and then
click OK.
5. Repeat the previous three steps for each name in the chart and then close the
Find Users, Contacts, and Groups dialog box.

Task 6: Delegate control over an OU
1. In Active Directory Users and Computers, in the Vancouver OU, right-click
Marketing, and then click Delegate control.
2. In the Delegation of Control Wizard, click Next.
3. On the Users or Groups page, click Add.
4. In the Select Users, Computers, or Groups dialog box, type Yvonne, and
then click OK.
5. Click Next.
6. On the Tasks to Delegate page, select the check boxes next to the following
common tasks:
• Create, delete, and manage user accounts
• Reset user passwords and force password change at next logon
• Create, delete and manage groups
• Modify the membership of a group
7. Click Next.
8. On the Completing the Delegation of Control Wizard page, click Finish.

Task 7: Test delegated user rights


1. Log on to NYC-SVR1 as WOODGROVEBANK\Yvonne with the password
Pa$$w0rd.
2. Click Start, right-click Server Manager, and then click Run as administrator.
3. In the User Account Control dialog box, in the User name field, type
Administrator, and in the Password field, type Pa$$w0rd, and then click OK.
4. In the console tree, right-click Features, and then click Add Features.
5. In the Add Features Wizard, expand Remote Server Administration Tools,
expand Role Administration Tools, and then select the Active Directory
Domain Services Tools check box.
6. Click Next, and then click Install.
7. When the installation is complete, click Close, and then click Yes to restart the
computer.
8. Log on to NYC-SVR1 as WOODGROVEBANK\Yvonne with the password
Pa$$w0rd.
9. Click Start, right-click Server Manager and then click Run as administrator.
10. In the User Account Control dialog box, in the User name field, type
Administrator, and in the Password field, type Pa$$w0rd, and then click OK.
11. Wait for the installation to finish, and then click Close.
12. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
13. In the console pane, right-click WoodgroveBank.com, and then click Find.
14. In the Find Users, Contacts, and Groups dialog box, type Monika, and then
click Find Now.
15. In the Search results pane, right-click Monika Buschmann, and then click
Reset Password.
16. In the Reset Password dialog box, in the New password and Confirm
password fields, type Pa$$w0rd and then click OK.
17. In the Active Directory Domain Services dialog box, click OK.

Note: This message indicates that Yvonne McKay’s account has the authorization to reset
passwords of fellow users in the Marketing OU.

18. Close the Find Users, Contacts, and Groups dialog box.
19. In the console pane, expand WoodgroveBank.com, expand Miami, and then
click BranchManagers.
20. In the details pane, right-click William Vong, and then click Move.
21. In the Move dialog box, expand Vancouver.
22. Click Marketing, and then click OK.
23. In the Active Directory Domain Services dialog box, click OK.

Note: This warning appears because user Yvonne McKay does not have delegated
control over the Miami OU.

Task 8: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.

Results: At the end of this exercise you will have created OUs by using Active
Directory Users and Computers and Dsadd. You also will have delegated and tested
administrative permissions.

Module 4: Managing Access to Resources
Lab: Managing Access to Resources
Exercise 1: Planning a Shared Folder Implementation
(Discussion)
Answer: On their domain controller (or member server), use Windows Explorer to
create a folder for each department. Right-click each folder, and set Sharing
permissions. Remove the Everyone group, and add the global group for which the
shared folder is intended. Give the global groups Contributor status.

Answer: Create a new folder named Company. Assign it a shared permissions level
of Read for all Domain Users. Next, add the Branch Managers global group as
Contributors. Inside the Company folder, create a folder for: News, Staffing, and
Projections.

Answer: You should create a new global group for this project, and a new shared
folder whose only member, in addition to Administrator, is the new global
group that you create. You should set the group's permission level to Contributors.

Exercise 2: Implementing a Shared Folder Implementation
Task 1: Start the virtual machines, and then log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
3. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the
password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Create four new folders by using Windows Explorer


1. On NYC-DC1, click Start, and then click Computer.
2. Double-click Local Disk (C:).
3. On the File menu, point to New and then click Folder.
4. Name the folder Marketing.
5. Repeat the previous two steps to create three additional folders named:
• Managers
• Investments
• CustomerService

Task 3: Set share properties for the folders


1. In the Windows Explorer window, right-click the folder named Marketing,
and then click Share.
2. In the File Sharing dialog box, type TOR_MarketingGG and then click Add.
TOR_MarketingGG will appear in the list window underneath the name box.
3. Click TOR_MarketingGG and then click Contributor.
4. Click Share, and then click Done.
5. To assign file-sharing properties for each of the other folders that you created
in Task 2, repeat the previous four steps by using the groups listed:
• TOR_BranchManagersGG (Managers folder)
• TOR_InvestmentsGG (Investments folder)
• TOR_CustomerServiceGG (CustomerService folder)
6. Close Windows Explorer.

Task 4: Create another shared folder by using Share and Storage
Management MMC
1. Click Start, click Administrative Tools, and then click Share and Storage
Management.
2. In the Actions pane, click Provision Share.
3. The Provision a Shared Folder Wizard will start. Click Browse.
4. In the Browse For Folder dialog box, click the c$ location and then click
Make New Folder.
5. Type CompanyNews, press ENTER, and then click OK.
6. Accept all default values by clicking Next until you get to the Review Settings
and Create Share page. Click Create.
7. On the confirmation page, click Close.
8. In the Share and Storage Management MMC details pane, right-click
CompanyNews, and then click Properties.
9. In the CompanyNews Properties dialog box, click the Permissions tab.
10. Click Share Permissions. In the Permissions for CompanyNews dialog box,
click Add.
11. In the Select Users, Computers, or Groups dialog box, type Domain Users,
and then click OK.
12. In the Permissions for CompanyNews dialog box, Domain Users
(Woodgrovebank\Domain Users) now should be listed in the Group or user
names window. When you click it, in the Permissions for Domain Users pane,
the Read option should be set to Allow.
13. Repeat the previous three steps to add TOR_BranchManagersGG to the
Group or user names pane.
14. In the Permissions for TOR_BranchManagersGG pane, next to Full Control,
select Allow.
15. Click Everyone, and then click Remove.
16. Click Apply, and then click OK twice.
17. Close Share and Storage Management.

Task 5: Create a new group and shared folder for an interdepartmental
project
1. Click Start, click Administrative Tools, and then click Active Directory Users
and Computers.
2. In the console pane, expand WoodgroveBank.com, right-click the Toronto OU,
point to New, and then click Group.
3. In the New Object – Group dialog box, in the Group name field, type
TOR_SpecialProjectGG, and then click OK.
4. In the console pane, expand the Toronto OU, and then click the Marketing
OU.
5. In the details pane, right-click Aidan Delaney, and then click Add to a group.
6. In the Select Groups dialog box, type TOR_SpecialProjectGG and then click
OK twice.
7. Add other members to the TOR_SpecialProjectGG group by following
previous steps. Use the users listed in the following table:

Look inside Toronto OUs:    Find Names:
Investment                  Aaron Con
BranchManagers              Sven Buck
CustomerService             Dorena Paschke

8. Close Active Directory Users and Computers.
9. Click Start, click Computer, and then double-click Local Disk (C:).
10. On the File menu, point to New and then click Folder.
11. Name the folder SpecialProjects.
12. Right-click SpecialProjects, and then click Share.
13. In the File Sharing dialog box, type TOR_SpecialProjectGG and then click
Add.
14. Click TOR_SpecialProjectGG and then click Contributor.
15. Click Share, and then click Done.

Results: TOR_SpecialProjectGG group should now have Contributor rights to the
SpecialProjects folder.

Task 6: Block inheritance of a folder in a shared folder


1. Double-click SpecialProjects.
2. On the File menu, point to New and then click Folder.
3. Name the folder Unshared.
4. Right-click the Unshared folder and select Properties.
5. In the Unshared Properties dialog box, click the Security tab.
6. Click the Advanced button.
7. In the Advanced Security Settings for Unshared dialog box, click Edit.
8. Clear the Include inheritable permissions from this object’s parent check
box.
9. In the Windows Security dialog box, click Remove.
10. Click OK.
11. In the Advanced Security Settings for Unshared dialog box, click Add.
12. In the Select User, Computer, or Group dialog box, for the Enter the object
name to select field, type Administrators and click OK.
13. In the Permissions Entry for Unshared dialog box, for Full Control, check
Allow and click OK four times.

Exercise 3: Evaluating the Shared Folder Implementation
Task 1: Log on to NYC-CL1 as Sven
• Log on to NYC-CL1 as WOODGROVEBANK\Sven, with password
Pa$$w0rd.

Task 2: Check permissions for Company News


1. Click Start, type \\NYC-DC1, and then press ENTER.
2. Double-click the CompanyNews folder.
3. Right-click inside the open window, point to New, and then click Folder.
4. Type News, and then press ENTER.
5. Right-click inside the open window again, point to New, and then click Text
document.
6. Type Welcome, and then press ENTER.
7. Drag and drop the Welcome file onto the News folder.
8. Click Start, then point to the right-arrow and then click Log Off.

Results: Sven, a member of the BranchManagersGG, should have ownership of the
CompanyNews folder. He should be able to create files and folders in both locations.

Task 3: Check permissions of interdepartmental share Special Projects
1. On NYC-CL1, log on as WOODGROVEBANK\Dorena with password
Pa$$w0rd.
2. Click Start, type \\NYC-DC1, and then press ENTER.
3. Double-click the SpecialProjects folder.

Results: Because inherited permissions were blocked on the Unshared folder,
Dorena will not be able to view or access the Unshared folder.

4. Right-click inside the details pane of Windows Explorer, point to New, and
then click Text Document.
5. On the navigation bar in Windows Explorer, click the Back button.
6. Double-click CompanyNews and then double-click the News folder.
7. Double-click Welcome.
8. Click Start, then point to the right-arrow and then click Log Off.

Results: Dorena has permissions to create new files inside the SpecialProjects folder
and also view existing files in the News folder.

Task 4: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.
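
The permissions set in Exercise 2 can also be read back from Windows PowerShell rather than inferred by logging on as each test user. The script below is an added example, not part of the courseware; it assumes Windows PowerShell 2.0 or later in an elevated prompt on NYC-DC1, that each share kept its folder name as the share name, and its function names are illustrative.

```powershell
# Added example (not from the courseware): report share-level and NTFS
# permissions for the folders shared in Exercise 2.
# Assumptions: Windows PowerShell 2.0 or later, elevated prompt on NYC-DC1,
# share names equal to the folder names. Function names are illustrative.

# Access masks that correspond to the three standard share permission levels.
$ShareLevel = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full Control' }

function Get-SharePermission {
    param([Parameter(Mandatory = $true)][string]$ShareName)

    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if (-not $setting) {
        Write-Warning "No share security setting found for '$ShareName'."
        return
    }
    foreach ($ace in $setting.GetSecurityDescriptor().Descriptor.DACL) {
        $mask = [int]$ace.AccessMask
        # Show the raw mask when it is not one of the three standard levels.
        $level = if ($ShareLevel.ContainsKey($mask)) { $ShareLevel[$mask] } else { '0x{0:X}' -f $mask }
        $name = if ($ace.Trustee.Domain) { '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name }
                else { $ace.Trustee.Name }
        $type = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        New-Object PSObject -Property @{
            Share = $ShareName; Trustee = $name; Type = $type; Level = $level
        }
    }
}

function Get-FolderPermission {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.Access) {
        New-Object PSObject -Property @{
            Path               = $Path
            InheritanceBlocked = $acl.AreAccessRulesProtected   # True after Task 6
            Trustee            = $rule.IdentityReference.Value
            Type               = $rule.AccessControlType
            Rights             = $rule.FileSystemRights
            Inherited          = $rule.IsInherited
        }
    }
}

# Trustees that hold an Allow entry but are not on the expected list.
function Get-UnexpectedTrustee {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string[]]$Expected
    )
    Get-FolderPermission -Path $Path |
        Where-Object { $_.Type -eq 'Allow' -and $Expected -notcontains $_.Trustee }
}

# Share-level entries for every share created in Tasks 3 to 5.
$shares = 'Marketing', 'Managers', 'Investments', 'CustomerService',
          'CompanyNews', 'SpecialProjects'
$shares | ForEach-Object { Get-SharePermission -ShareName $_ } |
    Sort-Object Share, Trustee |
    Format-Table Share, Trustee, Type, Level -AutoSize

# Task 6: Unshared should report blocked inheritance and only Administrators.
Get-FolderPermission -Path 'C:\SpecialProjects\Unshared' |
    Format-Table Trustee, Type, Rights, Inherited, InheritanceBlocked -AutoSize
Get-UnexpectedTrustee -Path 'C:\SpecialProjects\Unshared' -Expected 'BUILTIN\Administrators'
```

Access over the network is limited by both layers, so a trustee needs an entry in the share permissions and in the folder's NTFS permissions; comparing the two tables shows which layer is doing the restricting.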

Module 5: Configuring Active Directory Objects and Trusts
Lab A: Configuring Active Directory Delegation
Exercise 1: Delegating Control of AD DS Objects
Task 1: Start the virtual machine, and then log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the
password Pa$$w0rd.
3. Minimize the Lab Launcher window.

Task 2: Assign full control of users and groups in the Toronto OU


1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In the console pane, right-click Toronto, and then click Delegate Control.
3. In the Delegation of Control Wizard, click Next.
4. On the Users or Groups page, click Add.
5. In the Select Users, Computers, or Groups dialog box, type
TOR_BranchManagersGG, and then click OK.
6. Click Next.
7. On the Tasks to Delegate page, select the Create, delete, and manage user
accounts and the Create, delete and manage groups check boxes.
8. Click Next, and then click Finish.

Task 3: Assign rights to reset passwords and configure private user
information in the Toronto OU
1. On NYC-DC1, in Active Directory Users and Computers, right-click Toronto,
and then click Delegate Control.
2. In the Delegation of Control Wizard, click Next.
3. On the Users or Groups page, click Add.
4. In the Select Users, Computers, or Groups dialog box, type
TOR_CustomerServiceGG, and then click OK.
5. Click Next.
6. On the Tasks to Delegate page, select the Reset user passwords and force
password change at next logon check box.
7. Click Next, and then click Finish.
8. Right-click Toronto, and then click Delegate Control.
9. In the Delegation of Control Wizard, click Next.
10. On the Users or Groups page, click Add.
11. In the Select Users, Computers, or Groups dialog box, type
TOR_CustomerServiceGG, and then click OK.
12. Click Next.
13. On the Tasks to Delegate page, click Create a custom task to delegate, and
then click Next.
14. On the Active Directory Object Type page, click Only the following objects
in the folder, and then select the User objects check box.
15. Click Next.
16. On the Permissions page, ensure that the General check box is selected.
17. Under Permissions, select the Read and write personal information check
box, and then click Next.
18. Click Finish.

Task 4: Verify the effective permissions assigned for the Toronto OU
1. On NYC-DC1, in Active Directory Users and Computers, on the View menu,
click Advanced Features.
2. In the console pane, right-click the Toronto OU, and then click Properties.
3. In the Toronto Properties dialog box, on the Security tab, click Advanced.
4. In the Advanced Security Settings for Toronto dialog box, on the Effective
Permissions tab, click Select.
5. In the Select User, Computer, and Group dialog box, type Sven, and then
click OK. Sven Buck is a member of the TOR_BranchManagersGG group.
6. Review Sven’s effective permissions. Verify that Sven has permissions to create
and delete user and group objects.
7. Click Cancel twice.
8. Expand the Toronto OU, and then click the CustomerService OU.
9. In the details pane, right-click Matt Berg, and then click Properties.
10. In the Matt Berg Properties dialog box, on the Security tab, click Advanced.
11. In the Advanced Security Settings for Matt Berg dialog box, on the Effective
Permissions tab, click Select.
12. In the Select User, Computer, and Group dialog box, type Helge, and then
click OK. Helge Hoeing is a member of the TOR_CustomerServiceGG group.
13. Review Helge’s effective permissions. Verify that Helge has permissions to
reset passwords and to write personal information.
14. Click Cancel twice.
15. Close Active Directory Users and Computers.

Task 5: Test the delegated permissions for the Toronto OU
1. Log on to NYC-DC1 as WOODGROVEBANK\Sven with the password of
Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.
4. In the console pane, expand WoodgroveBank.com, right-click the Toronto
OU, and then point to New, and then click User.
5. Create a new user with the following properties:
a. First name: Test1
b. User logon name: Test1
c. Password: Pa$$w0rd
6. This task will succeed because Sven Buck was delegated the authority to
perform that task.
7. Right-click the Toronto OU, and then point to New, and then click Group.
8. Create a new global security group named Group1. This task will succeed
because Sven Buck was delegated the authority to perform that task.
9. Right-click the ITAdmins OU, and review the menu options. Verify that Sven
does not have permissions to create any new objects in the ITAdmins OU.
10. Log off and then log on to NYC-DC1 as WOODGROVEBANK\Helge with the
password of Pa$$w0rd.
11. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
12. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.
13. In the console pane, expand WoodgroveBank.com, right-click the Toronto
OU, and review the menu options. Verify that Helge does not have
permissions to create any new objects in the Toronto OU.
14. Expand Toronto, click CustomerService, right-click Matt Berg, and then click
Reset Password.
15. In the Reset Password dialog box, in the New password and Confirm
password fields, type Pa$$w0rd, and then click OK twice.
16. Right-click Matt Berg, and then click Properties.
17. In the Matt Berg Properties dialog box, verify that Helge has permission to set
some user properties such as Office and Telephone number, but not settings
such as Description and E-mail.
18. Click Cancel.
19. Close Active Directory Users and Computers, and then log off.

Result: At the end of this exercise you will have delegated the administrative tasks for
the Toronto office.
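
The Delegation of Control Wizard used in this exercise, and in Exercise 3, Task 6 of the Module 3 lab, works by writing access control entries directly on the OU, and those entries can be listed and reviewed. The script below is an added example, not part of the courseware; it assumes Windows PowerShell 2.0 or later on a domain-joined computer, an account that can read the OU's security descriptor, and illustrative function names.

```powershell
# Added example (not from the courseware): list the access control entries
# written directly on an OU, such as those the Delegation of Control Wizard adds.
# Assumptions: Windows PowerShell 2.0 or later, domain-joined computer.
# Function and variable names are illustrative.

# Schema and control-access GUIDs relevant to the wizard tasks on this page.
# A GUID that is not in this table is shown as-is.
$KnownGuid = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group (class)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (attribute)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    '77b5b886-944a-11d1-aebd-0000f80367c1' = 'Personal Information (property set)'
}

# Rights that let a trustee change permissions or take ownership.
# GenericAll (Full Control) contains both bits.
$ControlBits = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'

function Resolve-SchemaGuid {
    param([Guid]$Guid)
    $key = $Guid.ToString()
    if ($KnownGuid.ContainsKey($key)) { $KnownGuid[$key] } else { $key }
}

function Get-DelegatedAce {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [string]$Trustee = '*'
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # $true, $false: explicit entries only; inherited entries are skipped,
    # so the result is what was set on this OU itself.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $false, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -notlike $Trustee) { continue }
        $hasControl = ([int]$rule.ActiveDirectoryRights -band $ControlBits) -ne 0
        New-Object PSObject -Property @{
            Trustee   = $rule.IdentityReference.Value
            Type      = $rule.AccessControlType
            Rights    = $rule.ActiveDirectoryRights
            Object    = Resolve-SchemaGuid $rule.ObjectType
            AppliesTo = Resolve-SchemaGuid $rule.InheritedObjectType
            # Control rights that are not limited to one object class.
            Unscoped  = $hasControl -and ($rule.InheritedObjectType -eq [Guid]::Empty)
        }
    }
}

# Tasks 2 and 3 above: entries for the two Toronto groups.
$toronto = Get-DelegatedAce -DistinguishedName 'OU=Toronto,DC=WoodgroveBank,DC=com' `
                            -Trustee 'WOODGROVEBANK\TOR_*'
$toronto | Format-Table Trustee, Type, Rights, Object, AppliesTo -AutoSize -Wrap

# Entries that grant more than a class-scoped wizard task would.
$toronto | Where-Object { $_.Unscoped } | Format-List Trustee, Rights, AppliesTo

# Module 3, Exercise 3, Task 6: entries for Yvonne on Vancouver\Marketing
# (run while that lab's changes are still in place).
Get-DelegatedAce -DistinguishedName 'OU=Marketing,OU=Vancouver,DC=WoodgroveBank,DC=com' `
                 -Trustee '*\Yvonne' |
    Format-Table Trustee, Type, Rights, Object, AppliesTo -AutoSize -Wrap
```

Reading the entries this way complements the Effective Permissions tab used in Task 4: the tab answers what one user can do, while the list shows every delegation that exists on the OU and who holds it.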

Lab B: Configuring Active Directory Trusts
Exercise 1: Configuring AD DS Trusts
Task 1: Start the virtual machines, and then log on
1. In the Lab Launcher, next to 6419A-VAN-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-DC2, click Launch.
4. Log on to VAN-DC1 as FABRIKAM\Administrator with the password
Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Configure the Network and DNS Settings to enable the
forest trust
1. On VAN-DC1, click Start, point to Control Panel, point to Network
Connections, and then click Local Area Connection.
2. In the Local Area Connection Status dialog box, click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Change the IP address to 10.10.0.110, the Default gateway to 10.10.0.1, and
the Preferred DNS server to 10.10.0.110.
5. Click OK, and then click Close twice.
6. Click Start, and then click Run.
7. In the Open box, type cmd, and then click OK.
8. At the command prompt, type net time \\10.10.0.10 /set /y and then press
ENTER. This command synchronizes the time between VAN-DC1 and NYC-
DC1.
9. Type exit and then press ENTER.
10. Click Start, point to Administrative Tools, and then click DNS.
11. In the console pane, expand VAN-DC1.
12. Right-click VAN-DC1, and then click Properties.
13. On the Forwarders tab, click New.
14. Type Woodgrovebank.com, and then click OK.
15. In the Selected domain’s forwarder IP address list field, type 10.10.0.10,
and then click Add.
16. Click OK, and then close the DNS management console.
17. Click Start, point to Administrative Tools, and then click Active Directory
Domains and Trusts.
18. In the console pane, right-click Fabrikam.com, and then click Raise Domain
Functional Level.
19. In the Raise Domain Functional Level dialog box, in the Select an available
domain functional level list, click Windows Server 2003.
20. Click Raise, and then click OK twice.
21. Right-click Active Directory Domains and Trusts, and then click Raise Forest
Functional Level.
22. In the Raise Forest Functional Level dialog box, click Raise, and then click
OK twice.
23. Close Active Directory Domains and Trusts.
24. On NYC-DC1, log on as WOODGROVEBANK\Administrator.
25. Click Start, point to Administrative Tools, and then click DNS.
26. In the console pane, expand NYC-DC1.
27. Right-click Conditional Forwarders, and then click New Conditional
Forwarder.
28. In the DNS Domain field, type Fabrikam.com.
29. Click under IP Address, and then type 10.10.0.110.
30. Press ENTER, and then click OK.
31. Close DNS Manager.

Task 3: Configure a forest trust between WoodgroveBank.com and
Fabrikam.com
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Domains and Trusts.
2. In the console pane, right-click WoodgroveBank.com, and then click
Properties.
3. On the Trusts tab, click New Trust.
4. In the New Trust Wizard, click Next.
5. On the Trust Name page, type Fabrikam.com, and then click Next.
6. On the Trust Type page, click Forest trust, and then click Next.
7. On the Direction of Trust page, click Two-way, and then click Next.
8. On the Sides of Trust page, click Both this domain and the specified
domain, and then click Next.
9. On the User Name and Password page, in the User name field, type
Administrator@Fabrikam.com, and in the Password field, type Pa$$w0rd,
and then click Next.
10. On the Outgoing Trust Authentication Level- Local Forest page, click
Forest-wide authentication, and then click Next.
11. On the Outgoing Trust Authentication Level- Specified Forest page, click
Forest-wide authentication, and then click Next.
12. On the Trust Selections Complete page, click Next.
13. On the Trust Creation Complete page, click Next.
14. On the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust,
and then click Next.
15. On the Confirm Incoming Trust page, click Yes, confirm the incoming trust,
and then click Next.
16. On the Completing the New Trust Wizard page, click Finish and then click
OK.

Task 4: Configure selective authentication for the forest trust to
enable access to only NYC-DC2
1. In Active Directory Domains and Trusts, right-click WoodgroveBank.com, and
then click Properties.
2. On the Trusts tab, under Domains that trust this domain (incoming trusts),
click Fabrikam.com, and then click Properties.
3. In the Fabrikam.com Properties dialog box, on the Authentication tab, click
Selective Authentication.
4. Click OK twice, and then close Active Directory Domains and Trusts.
5. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
6. On the View menu, ensure that Advanced Features is selected.
7. In the console pane, click Domain Controllers.
8. In the details pane, double-click NYC-DC2.
9. In the NYC-DC2 Properties dialog box, on the Security tab, click Add.
10. In the Select Users, Computers, or Groups dialog box, click Locations, click
Fabrikam.com, and then click OK.
11. In the Select Users, Computers, or Groups dialog box, type MarketingGG,
and then click OK.
12. Under Permissions for MarketingGG, next to Allowed to authenticate, select
the Allow check box, and then click OK.
13. In the console pane, click Computers.
14. In the details pane, double-click NYC-CL1.
15. In the NYC-CL1 Properties dialog box, on the Security tab, click Add.
16. In the Select Users, Computers, or Groups dialog box, click Locations, click
Fabrikam.com, and then click OK.
17. In the Select Users, Computers, or Groups dialog box, type MarketingGG,
and then click OK.
18. Under Permissions for MarketingGG, next to Allowed to authenticate, select
the Allow check box, and then click OK.
19. Close Active Directory Users and Computers.

Task 5: Test the selective authentication
1. Log on to NYC-CL1 as FABRIKAM\Adam with the password Pa$$w0rd.
Adam is a member of the MarketingGG group at Fabrikam. He is able to log on
to a computer in the WoodgroveBank.com domain because of the trust
between the two forests, and because he has been allowed to authenticate to
NYC-CL1.
2. Click Start, type \\NYC-DC2\netlogon, and then press ENTER. Adam should
be able to access the folder.
3. Click Start, type \\NYC-DC1\netlogon, and then press ENTER. Adam should not
be able to access the folder because the server is not configured for selective
authentication.

Task 6: Close all virtual machines and discard undo disks


1. For each running virtual machine, close the Virtual Machine Remote Control
window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise you will have configured trusts based on a trust
configuration design.
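
The trust settings from Tasks 3 and 4 can be read back to confirm that selective authentication is on and to see which computers Fabrikam principals have been allowed to authenticate to. The script below is an added example, not part of the courseware; it assumes Windows PowerShell 2.0 or later run in the WoodgroveBank.com forest by an account that can read the trust and the computer objects, and its function names are illustrative.

```powershell
# Added example (not from the courseware): review forest trust settings and the
# "Allowed to authenticate" grants made in Task 4.
# Assumptions: Windows PowerShell 2.0 or later, run in the WoodgroveBank.com
# forest. Function names are illustrative.

# Control-access right shown in the GUI as "Allowed to authenticate".
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-ForestTrustSetting {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($trust in $forest.GetAllTrustRelationships()) {
        # The status calls can throw when a setting does not apply to the
        # trust's direction, so record that instead of stopping.
        try   { $selective = $forest.GetSelectiveAuthenticationStatus($trust.TargetName) }
        catch { $selective = 'n/a' }
        try   { $sidFilter = $forest.GetSidFilteringStatus($trust.TargetName) }
        catch { $sidFilter = 'n/a' }
        New-Object PSObject -Property @{
            Source                  = $trust.SourceName
            Target                  = $trust.TargetName
            Direction               = $trust.TrustDirection
            Type                    = $trust.TrustType
            SelectiveAuthentication = $selective
            SidFiltering            = $sidFilter
        }
    }
}

function Get-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerDn,
        [string]$Trustee = '*'
    )
    $entry = [ADSI]"LDAP://$ComputerDn"
    # Explicit and inherited entries both count toward the effective grant.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        $hasExtended = ([int]$rule.ActiveDirectoryRights -band $ExtendedRight) -ne 0
        # An empty object type means the entry covers every extended right.
        $coversRight = ($rule.ObjectType -eq $AllowedToAuthenticate) -or
                       ($rule.ObjectType -eq [Guid]::Empty)
        if ($hasExtended -and $coversRight -and
            $rule.IdentityReference.Value -like $Trustee) {
            New-Object PSObject -Property @{
                Computer  = $ComputerDn
                Trustee   = $rule.IdentityReference.Value
                Type      = $rule.AccessControlType
                Inherited = $rule.IsInherited
            }
        }
    }
}

Get-ForestTrustSetting |
    Format-Table Source, Target, Direction, Type, SelectiveAuthentication, SidFiltering -AutoSize

# Task 4 granted MarketingGG on NYC-DC2 and NYC-CL1 only, so NYC-DC1 should
# return no FABRIKAM entry. Trustees that cannot be resolved appear as SIDs
# and are not matched by this name filter.
$computers = 'CN=NYC-DC2,OU=Domain Controllers,DC=WoodgroveBank,DC=com',
             'CN=NYC-CL1,CN=Computers,DC=WoodgroveBank,DC=com',
             'CN=NYC-DC1,OU=Domain Controllers,DC=WoodgroveBank,DC=com'
$computers | ForEach-Object { Get-AllowedToAuthenticate -ComputerDn $_ -Trustee 'FABRIKAM\*' } |
    Format-Table Computer, Trustee, Type, Inherited -AutoSize -Wrap
```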

Module 6: Creating and Configuring GPOs
Lab A: Creating and Configuring GPOs
Exercise 1: Creating and Configuring Group Policy Objects
Task 1: Start the virtual machines, and then log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the
password Pa$$w0rd.
3. Minimize the Lab Launcher window.

Task 2: Create the group policy settings


1. Click Start, point to Administrative Tools and then click Group Policy
Management.
2. In the Group Policy Management window, expand
Forest: WoodgroveBank.com, expand Domains, expand
WoodgroveBank.com, and then expand Group Policy Objects.
3. Right-click the Group Policy Objects folder, and then click New.
4. In the New GPO dialog box, in the Name field, type Restrict Control Panel,
and then click OK.
5. Repeat the previous two steps to create the following GPOs:
• Restrict Desktop Display
• Restrict Run Command
• Baseline Security
• Vista and XP Security
• Admin Favorites
• Kiosk Computer Security

Task 3: Configure the policy settings

A. Configure the Baseline Security policy


1. In the Group Policy Management window, in the Group Policy Objects folder,
right-click the Baseline Security policy, and then click Edit.
2. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand Local Policies, and then click Security Options.
3. In the details pane, double-click Interactive logon: Do not display last user
name.
4. In the Interactive logon: Do not display last user name Properties dialog
box, select the Define this policy setting check box, click Enabled, and then
click OK.
5. Close Group Policy Management Editor.

B. Configure the Admin Favorites policy


1. In the Group Policy Management window, in the Group Policy Objects folder,
right-click the Admin Favorites policy, and then click Edit.
2. In the Group Policy Management Editor window, under User Configuration,
expand Policies, expand Windows Settings, expand Internet Explorer
Maintenance, and then click URLs.
3. In the details pane, double-click Favorites and Links.
4. In the Favorites and Links dialog box, click Add URL.
5. In the Details dialog box, in the Name field, type Tech Support.
6. In the URL field, type http://support.microsoft.com.
7. Click OK twice.
8. Close Group Policy Management Editor.

C. Configure the Restrict Desktop Display policy
1. In the Group Policy Management window, in the Group Policy Objects folder,
right-click the Restrict Desktop Display policy, and then click Edit.
2. In the Group Policy Management Editor window, under User Configuration,
expand Policies, expand Administrative Templates, expand Control Panel,
and then click Display.
3. In the details pane, double-click Remove Display in Control Panel.
4. In the Remove Display in Control Panel Properties dialog box, click
Enabled, and then click OK.
5. Close Group Policy Management Editor.

D. Configure the Kiosk Computer Security policy


1. In the Group Policy Management window, in the Group Policy Objects folder,
right-click the Kiosk Computer Security policy and then click Edit.
2. In the Group Policy Management Editor, under Computer Configuration,
expand Policies, expand Administrative Templates, expand System, and
then click Group Policy.
3. In the details pane, double-click User Group Policy loopback processing
mode.
4. In the User Group Policy loopback processing mode Properties dialog box,
click Enabled, ensure the Mode is set to Replace, and then click OK.
5. In the Group Policy Management Editor window, under User Configuration,
expand Policies, expand Administrative Templates, and then click Desktop.
6. In the details pane, double-click Hide and Disable all items on the desktop.
7. In the Hide and Disable all items on the desktop Properties dialog box, click
Enabled, and then click OK.
8. Close Group Policy Management Editor.

E. Configure the Restrict Control Panel policy
1. In the Group Policy Management window, in the Group Policy Objects folder,
right-click the Restrict Control Panel policy and then click Edit.
2. In the Group Policy Management Editor window, under User Configuration,
expand Policies, expand Administrative Templates, and then click Control
Panel.
3. In the details pane, double-click Prohibit access to the Control Panel.
4. In the Prohibit Access to Control Panel Properties dialog box, click Enabled,
and then click OK.
5. Close Group Policy Management Editor.

F. Configure the Restrict Run Command policy


1. In the Group Policy Management window, in the Group Policy Objects folder,
right-click the Restrict Run Command policy, and then click Edit.
2. In the Group Policy Management Editor window, under User Configuration,
expand Policies, expand Administrative Templates, and then click Start
Menu and Taskbar.
3. In the details pane, double-click Remove Run menu from the Start Menu.
4. In the Remove Run menu from Start Menu Properties dialog box, click
Enabled, and then click OK.
5. Close Group Policy Management Editor.

G. Configure the Vista and XP Security policy


1. In the Group Policy Management window, in the Group Policy Objects folder,
right-click the Vista and XP Security GPO, and then click Edit.
2. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
System, and then click Logon.
3. In the details pane, double-click Always wait for the network at computer
startup and logon.
4. In the Always wait for the network at computer startup and logon
Properties dialog box, click Enabled, and then click OK.
5. Close Group Policy Management Editor.

Task 4: Link the GPOs to the appropriate containers
1. In the Group Policy Management window, right-click the
WoodgroveBank.com domain, and then click Link an Existing GPO.
2. In the Select GPO dialog box, click the Baseline Security GPO. Hold down
CTRL and then click the following GPOs:
• Kiosk Computer Security
• Restrict Run Command
• Vista and XP Security
3. Click OK.
4. Right-click the ITAdmins OU, and then click Link an Existing GPO.
5. In the Select GPO dialog box, click the Admin Favorites GPO, and then click
OK.
6. Right-click the Executives OU, and then click Link an Existing GPO.
7. In the Select GPO dialog box, click the Restrict Desktop Display GPO, and
then click OK.
8. Right-click the Miami OU, and then click Link an Existing GPO.
9. In the Select GPO dialog box, click the Restrict Control Panel GPO, and then
click OK.
10. Repeat the previous two steps to link the Restrict Control Panel policy to the
NYC and Toronto OUs.

Result: At the end of this exercise you will have created and configured GPOs.

Exercise 2: Managing the Scope of GPO Application
Task 1: Configure Group Policy management for the domain container
1. In the Group Policy Management window, expand the WoodgroveBank.com
domain to expose the linked policies (denoted by the shortcut icons).
2. Right-click the Baseline Security link, and then click Enforced.

Result: A lock appears next to the Baseline Security link.

3. Click the Baseline Security link.


4. When the Group Policy Management Console dialog appears, select Do not
show this message again, and then click OK.
5. In the details pane, click the Details tab.
6. In the GPO Status list, click User configuration settings disabled.
7. When the Group Policy Management dialog appears, click OK.
8. Click the Kiosk Computer Security link.
9. In the details pane, click the Delegation tab.
10. Click Advanced.
11. In the Kiosk Computer Security Security Settings dialog box, click the
Authenticated Users group, and then click Remove.
12. Click Add, and then in the Select Users, Computers, or Groups dialog box,
type Kiosk Computers, and then click OK.
13. Under Permissions for Kiosk Computers, next to Apply group policy, select
Allow, and then click OK.

Task 2: Configure Group Policy management for the IT Admin OU
• In the Group Policy Management window, right-click the ITAdmins OU, and
then click Block Inheritance.

Task 3: Configure Group Policy management for the branch OUs


1. In the Group Policy Management window, in the console pane under the
Group Policy Objects folder, click the Restrict Control Panel policy.
2. In the details pane, click the Delegation tab, and then on the Delegation tab
click Advanced.
3. In the Restrict Control Panel Security Settings dialog box, click Add.
4. In the Select Users, Computers, or Groups dialog box, type
MIA_BranchManagersGG; NYC_BranchManagersGG;
TOR_BranchManagersGG.
5. Click OK.
6. Under Group or user names, click MIA_BranchManagersGG.
7. In the Permissions for MIA_BranchManagersGG pane, next to Apply group
policy, select Deny.
8. Repeat the previous two steps for NYC_BranchManagersGG and
TOR_BranchManagersGG.
9. Click OK.
10. In the Windows Security dialog, click Yes.

Task 4: Create and apply a WMI filter for the Server Security GPO
1. In the Group Policy Management window console pane, right-click the WMI
Filters folder, and then click New.
2. In the New WMI Filter dialog box, in the Name field, type Windows Vista or
XP operating system.
3. Click Add.
4. In the WMI Query dialog box, in the Query field, type
Select * from Win32_OperatingSystem where Caption = "Microsoft
Windows Vista Enterprise" OR Caption = "Microsoft Windows XP
Professional".
5. Click OK, and then click Save.
6. In the Group Policy Objects folder, click the Vista and XP Security policy, and
then in the details pane, click the Scope tab.
7. In the WMI Filtering list, click Windows Vista or XP operating system.
8. In the Group Policy Management dialog, click Yes.

Result: At the end of this exercise you will have configured the scope of GPO settings.

Lab B: Verifying and Managing GPOs
Exercise 1: Verifying GPO Application
Task 1: Start NYC-CL1
• Log on to NYC-CL1 as WOODGROVEBANK\Anton with the password
Pa$$w0rd.

Task 2: Verify that a Miami branch user is receiving the correct policy
1. Click Start and then verify that the Control Panel is not present on the Start
menu.
2. Click Start, point to All Programs, point to Accessories and then verify that
Run is not present in the Start menu.
3. Log off.

Task 3: Verify that a Miami Branch Manager is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Roya with a password of
Pa$$w0rd.
2. Click Start and then verify that the Control Panel is present on the Start
menu.
3. Click Start, point to All Programs, point to Accessories and then verify that
Run is not present in the Start menu.
4. Log off.

Task 4: Verify that a user in the IT Admin OU is receiving the correct
policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Betsy with a password of
Pa$$w0rd.
2. Click Start and then verify that the Control Panel is present on the Start
menu.
3. Click Start, point to All Programs, point to Accessories and then verify that
Run is present in the Start menu.
4. Click Start and then click Internet.
5. In the Internet Explorer window, click the Favorites Center button, and then
verify that the link to Tech Support is present.
6. Log off.

Task 5: Verify that a user in the Executive OU is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Chase with a password of
Pa$$w0rd.
2. Click Start, point to All Programs, point to Accessories and then verify that
Run is not present in the Start menu.
3. Click Start and then verify that the Control Panel is present on the Start
menu.
4. Click Start and then click Control Panel.
5. In the Control Panel window, under Appearance and Personalization, click
Change desktop background and then verify that there is no access to the
Desktop Display Settings.
6. Log off.

Hint: When you attempt to access display settings you will receive a message informing
you that this has been disabled.

Task 6: Verify that the last logged on username does not appear
• Verify that the last logged on username does not appear.

Note: To see this information, press CTRL-ALT-DEL to see the logon screen.

Task 7: Use Group Policy modeling to test kiosk computer settings


1. On NYC-DC1, in the Group Policy Management window, right-click the
Group Policy Modeling folder, and then click Group Policy Modeling
Wizard.
2. In the Group Policy Modeling Wizard, click Next.
3. On the Domain Controller Selection page, click Next.
4. On the User and Computer Selection page, under Computer information,
click Computer.
5. In the Computer field, type WOODGROVEBANK\NYC-CL1, and then click
Next.
6. On the Advanced Simulation Options page, click Loopback Processing, and
then click Next.
7. On the Alternate Active Directory Paths page, click Next.
8. On the User Security Groups page, click Next.
9. On the Computer Security Groups page, click Add.
10. In the Select Groups dialog box, type Kiosk Computers, click OK, and then
click Next.
11. On the WMI Filters for Users page, click Next.
12. On the WMI Filters for Computers page, click Next.
13. On the Summary of Selections page, click Next.
14. On the Completing the Group Policy Modeling Wizard page, click Finish.
15. In the Group Policy Management window, view the report. This will take a few
moments to process.

Result: At the end of this exercise you will have tested and verified a GPO application
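
The scoping rules configured in Lab A, Exercise 2 (Enforced, Block Inheritance, Deny on Apply group policy, GPO status, WMI filtering) explain the results expected in Tasks 2 through 6 above, and a small model makes that reasoning checkable. This is an added example, not part of the courseware; the OU placement of each user and computer, the domain link order and the OS captions passed in are assumptions, and loopback processing is not modeled.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

AUTH_USERS = "Authenticated Users"   # every domain user and computer is a member

@dataclass
class GPO:
    name: str
    sides: frozenset                              # halves that carry enabled settings
    allow: frozenset = frozenset({AUTH_USERS})    # Allow "Apply group policy"
    deny: frozenset = frozenset()                 # Deny "Apply group policy"
    wmi_filter: Optional[Callable[[dict], bool]] = None

@dataclass
class Link:
    gpo: GPO
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)     # index 0 = link order 1
    block_inheritance: bool = False
    parent: Optional["Container"] = None

def in_scope(gpo, side, groups, facts):
    """Security filtering and WMI filtering for one GPO and one principal."""
    if side not in gpo.sides:
        return False                              # half disabled or empty
    member_of = set(groups) | {AUTH_USERS}
    if member_of & gpo.deny:
        return False                              # Deny always beats Allow
    if not member_of & gpo.allow:
        return False
    return gpo.wmi_filter is None or gpo.wmi_filter(facts)

def applied_gpos(container, side, groups, facts=None):
    """GPO names in processing order; later entries win on conflict."""
    facts = facts or {}
    chain, node = [], container
    while node:                                   # walk up to the domain
        chain.append(node)
        node = node.parent
    chain.reverse()                               # domain first, target OU last
    # Non-enforced links above the lowest blocking container are dropped.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced_levels = [], []
    for i, c in enumerate(chain):
        level = []
        for link in reversed(c.links):            # link order 1 is processed last
            if not in_scope(link.gpo, side, groups, facts):
                continue
            if link.enforced:
                level.append(link.gpo.name)       # ignores Block Inheritance
            elif i >= start:
                normal.append(link.gpo.name)
        enforced_levels.append(level)
    # Enforced links run last, and the highest container's enforced link wins.
    enforced = [n for level in reversed(enforced_levels) for n in level]
    return normal + enforced

def build_lab():
    """The GPOs and links from Lab A (link order at the domain is assumed)."""
    def vista_or_xp(facts):                       # Caption test from the WMI filter
        return facts.get("caption") in ("Microsoft Windows Vista Enterprise",
                                        "Microsoft Windows XP Professional")
    U, C = frozenset({"user"}), frozenset({"computer"})
    managers = frozenset({"MIA_BranchManagersGG", "NYC_BranchManagersGG",
                          "TOR_BranchManagersGG"})
    gpos = {g.name: g for g in [
        GPO("Baseline Security", C),              # user half disabled in Exercise 2
        GPO("Admin Favorites", U),
        GPO("Restrict Desktop Display", U),
        GPO("Kiosk Computer Security", U | C, allow=frozenset({"Kiosk Computers"})),
        GPO("Restrict Control Panel", U, deny=managers),
        GPO("Restrict Run Command", U),
        GPO("Vista and XP Security", C, wmi_filter=vista_or_xp),
    ]}
    domain = Container("WoodgroveBank.com", [
        Link(gpos["Baseline Security"], enforced=True),
        Link(gpos["Kiosk Computer Security"]),
        Link(gpos["Restrict Run Command"]),
        Link(gpos["Vista and XP Security"]),
    ])
    lab = {domain.name: domain}
    for ou, gpo, blocked in [("ITAdmins", "Admin Favorites", True),
                             ("Executives", "Restrict Desktop Display", False),
                             ("Miami", "Restrict Control Panel", False),
                             ("NYC", "Restrict Control Panel", False),
                             ("Toronto", "Restrict Control Panel", False)]:
        lab[ou] = Container(ou, [Link(gpos[gpo])], blocked, domain)
    return lab

if __name__ == "__main__":
    lab = build_lab()
    # Assumed placement: Anton and Roya in Miami, Betsy in ITAdmins, Chase in Executives.
    for who, ou, groups in [("Anton", "Miami", []),
                            ("Roya", "Miami", ["MIA_BranchManagersGG"]),
                            ("Betsy", "ITAdmins", []),
                            ("Chase", "Executives", [])]:
        print(who, applied_gpos(lab[ou], "user", groups))
```

Because the Enforced link on Baseline Security survives Block Inheritance, a computer placed in the ITAdmins OU would still receive it, while the Deny entry removes Restrict Control Panel for branch managers even though Authenticated Users is allowed.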

Exercise 2: Managing GPOs
Task 1: Back up an individual policy
1. On NYC-DC1, in the Group Policy Management window, under the Group
Policy Objects folder, right-click the Restrict Control Panel policy, and then
click Back Up.
2. In the Back Up Group Policy Object dialog box, click Browse.
3. Browse to C:\ and then click Make New Folder.
4. Type GPO Backup, and then press ENTER.
5. Click OK, and then click Back Up.
6. When the backup completes, click OK.

Task 2: Back up all GPOs


1. In the console pane, right-click the Group Policy Objects folder and then click
Back Up All.
2. In the Back Up Group Policy Object dialog box, in the Location field, type
C:\GPO Backup and then click Back Up.
3. When the backup completes, click OK.

Task 3: Delete and restore an individual GPO


1. In the Group Policy Objects folder, right-click the Admin Favorites policy,
and then click Delete.
2. In the Group Policy Management dialog box, click Yes.
3. Right-click the Group Policy Objects folder, and then click Manage Backups.
4. In the Manage Backups dialog, click the Admin Favorites GPO, and then
click Restore.
5. In the Group Policy Management dialog box, click OK.
6. In the Restore dialog box, click OK and then click Close.
7. Verify that the Admin Favorites GPO appears in the Group Policy Objects
folder.

Task 4: Import a GPO
1. Right-click the Group Policy Objects folder, and then click New.
2. In the New GPO dialog box, in the Name field, type Import, and then click
OK.
3. Right-click the Import GPO, and then click Import Settings.
4. In the Import Settings Wizard, click Next.
5. On the Backup GPO page, click Next.
6. On the Backup location page, verify the Backup folder is C:\GPO Backup,
and then click Next.
7. On the Source GPO page, click Restrict Control Panel, and then click Next.

Note: If more than one copy of the Restrict Control Panel GPO appears, choose the
newer one.

8. On the Scanning Backup page, click Next, and then click Finish.
9. When the import completes, click OK.
10. In the Group Policy Objects folder, click the Import GPO, and then in the
details pane, click the Settings tab.
11. Click show all.
12. Verify that the Prohibit access to the Control Panel policy setting is enabled.

Result: At the end of this exercise you will have backed up, restored, and imported
GPOs.

Exercise 3: Delegating Administrative Control of GPOs
Task 1: Grant Betsy the right to create GPOs in the domain
1. On NYC-DC1, in the Group Policy Management window, click the Group
Policy Objects folder.
2. In the details pane, click the Delegation tab, and then click Add.
3. In the Select User, Computer, or Group dialog box, type Betsy, and then
click OK.

Task 2: Delegate the right to edit the Import GPO to Betsy


1. In the Group Policy Objects folder, click the Import GPO.
2. In the details pane, click the Delegation tab, and then click Add.
3. In the Select User, Computer, or Group dialog box, type Betsy, and then
click OK.
4. In the Add Group or User dialog box, in the Permissions list, click Edit
settings, and then click OK.

Task 3: Delegate the right to link GPOs to the Executives OU to Betsy


1. In the WoodgroveBank.com domain, click the Executives OU.
2. In the details pane, click the Delegation tab, and then click Add.
3. In the Select User, Computer, or Group dialog box, type Betsy, and then
click OK.
4. In the Add Group or User dialog box, in the Permissions list, click This
container only, and then click OK.

Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab to allow you to test the delegated permissions. As a
best practice you should install the administration tools on a Windows workstation rather
than enable Domain Users to log on to domain controllers.

1. In the Group Policy Management window, expand Domain Controllers.


2. Right-click Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand Local Policies, and then click User Rights Assignment.
4. In the details pane, double-click Allow log on locally.
5. In the Allow log on locally Properties dialog box, click Add User or Group.
6. In the Add User or Group dialog box, type Domain Users, and click OK
twice.
7. Close all open windows.
8. Click Start, and then click Command Prompt.
9. In the Command Prompt window, type GPUpdate /force and press ENTER.
10. Wait for the command to complete, type exit, and then press ENTER.
11. Log off.

Task 5: Test the delegation


1. Log on to NYC-DC1 as WOODGROVEBANK\Betsy.
2. Click Start, type MMC, and then press ENTER.
3. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog, click Group Policy Management,
click Add, and then click OK.
6. Expand Group Policy Management, expand Forest: WoodgroveBank.com,
expand Domains, and then expand WoodgroveBank.com.
7. Right-click the Group Policy Objects folder, and then click New.
8. In the New GPO dialog box, type Test, and then click OK. This operation will
succeed.
9. Expand the Group Policy Objects folder, and right-click the Import GPO, and
then click Edit. This operation will succeed.
10. Close Group Policy Management Editor.
11. Right-click the Executives OU, and then click Link an Existing GPO.
12. In the Select GPO dialog box, click Test and click OK. This operation will
succeed.
13. Right-click the Admin Favorites GPO, and then click Edit. This operation is
not possible because the Edit link is grayed out.

Task 6: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close dialog box, click Turn off machine and discard changes, and
then click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have backed up, restored, and imported
GPOs.

Module 7: Configure User and Computer Environments by Using Group Policy
Lab A: Configuring Scripts and Folder Redirection with Group Policy
Exercise 1: Configure Logon Scripts and Folder Redirection
Task 1: Start the 6419A-NYC-DC1 virtual machine and log
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator using the
password Pa$$w0rd.
3. Minimize the Lab Launcher window.

Task 2: Review the logon script to map a network drive


1. On NYC-DC1, click Start, and then click Computer.
2. In the Computer window, browse to E:\Mod07\LabFiles\Scripts.
3. Right-click Map.bat, and then click Edit.
4. In the Notepad window, review the script and then close Notepad.
5. Right-click Map.bat, and then click Copy.
6. Close Windows Explorer.

Task 3: Configure and link the Logon Script GPO


1. Click Start, point to Administrative Tools, and then click Group Policy
Management.
2. In the Group Policy Management console pane, expand Forest:
WoodgroveBank.com, expand Domains, expand WoodgroveBank.com,
right-click Group Policy Objects, and then click New.
3. In the New GPO dialog box, in the Name field, type Logon Script, and then
click OK.
4. Expand Group Policy Objects, right-click Logon Script, and then click Edit.
5. In the Group Policy Management Editor, under User Configuration, expand
Policies, expand Windows Settings, and then click Scripts (Logon/Logoff).
6. In the details pane, double-click Logon.
7. In the Logon Properties dialog box, click Show Files.
8. In the Logon window details pane, right-click and then click Paste to copy the
Map.bat script from the clipboard to the scripts folder.
9. Close the Logon window.
10. In the Logon Properties dialog box, click Add.
11. In the Add a Script dialog box, click Browse.
12. In the Browse dialog box, click Map.bat, and then click Open.
13. Click OK twice.
14. Close Group Policy Management Editor.
15. In the Group Policy Management window console pane, right-click
WoodgroveBank.com, and then click Link an Existing GPO.
16. In the Select GPO dialog box, click Logon Script, and then click OK.

Task 4: Share and secure a folder for the Executives group


1. In Windows Explorer, browse to E:\Mod07\Labfiles.
2. Right-click ExecData, and then click Properties.
3. In the ExecData Properties dialog box, on the Sharing tab, click Advanced
Sharing.
4. In the Advanced Sharing dialog box, select the Share this folder check box,
and then click Permissions.
5. In the Permissions for ExecData dialog box, click Remove to remove the
Everyone group.
6. Click Add.
7. In the Select Users, Computers, or Groups dialog box, type
Executives_WoodgroveGG, and then click OK.
8. Under Permissions for Executives_WoodgroveGG, next to Full Control, select the Allow
check box, and then click OK twice.
9. In the ExecData Properties dialog box, on the Security tab, click Advanced.
10. In the Advanced Security Settings for ExecData dialog box, click Edit.
11. In the Advanced Security Settings for ExecData dialog box, clear the Include
inheritable permissions from this object’s parent check box.
12. In the Windows Security dialog box, click Copy.
13. In the Advanced Security Settings for ExecData dialog box, click Remove.
14. Repeat the above step to remove all users and groups except CREATOR
OWNER and SYSTEM.
15. Click Add.
16. In the Select User, Computer, or Group dialog box, type
Executives_WoodgroveGG, and then click OK.
17. In the Permission Entry for ExecData dialog box, in the Apply to list, click
This folder only.
18. Under Permissions, next to List folder / read data and Create folders /
append data, select the Allow check boxes.
19. Click OK three times, and then click Close.
20. Close Windows Explorer.

Task 5: Redirect the Documents folder for the Executives group


1. In the Group Policy Management window console pane, right-click Group
Policy Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Executive Redirection,
and then click OK.
3. Right-click Executive Redirection, and then click Edit.
4. In the Group Policy Management Editor, under User Configuration, expand
Policies, expand Windows Settings, expand Folder Redirection, right-click
Documents, and then click Properties.
5. In the Documents Properties dialog box, in the Setting list, click Basic -
Redirect everyone’s folder to the same location.
6. In the Root Path field, type \\NYC-DC1\ExecData.
7. On the Settings tab, review the current settings, and then click OK.
8. In the Warning dialog box, click Yes.
9. Close Group Policy Management Editor.
10. In the Group Policy Management console pane, right-click Executives, and
then click Link an Existing GPO.
11. In the Select GPO dialog box, click Executive Redirection, and then click OK.

Task 6: Start the 6419A-NYC-CL1 virtual machine, and then log on as WOODGROVEBANK\Tony
1. Turn on the 6419A-NYC-CL1 VM.
2. Log on to NYC-CL1 as WOODGROVEBANK\Tony using the password
Pa$$w0rd.

Task 7: Observe the applied settings while logged on as a user in the Executives OU
1. Click Start, and then click Computer.
2. In the Computer window, verify that the K: drive is mapped to the Data share
on NYC-DC1.

Note: It may take 2 to 3 minutes before this drive appears.

3. Close Computer.
4. Click Start, right-click Documents, and then click Properties.
5. In the Documents Properties dialog box, verify the location is
\\NYC-DC1\ExecData\Tony, and then click Cancel.
6. Log off NYC-CL1.

Result: At the end of this exercise, you will have configured logon scripts and folder
redirection.

Lab B: Configuring Administrative Templates
Exercise 1: Configure Administrative Templates
Task 1: Modify the Default Domain Policy to allow remote administration
through the firewall for all domain computers
1. On NYC-DC1, in the Group Policy Management console pane, right-click
Default Domain Policy and then click Edit.
2. In the Group Policy Management Editor console pane, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
Network, expand Network Connections, expand Windows Firewall, and
then click Domain Profile.
3. In the details pane, double-click Windows Firewall: Allow inbound remote
administration exception.
4. In the Windows Firewall: Allow inbound remote administration exception
dialog box, click Enabled, and then click OK.
5. In the console pane, under Administrative Templates, expand System, and
then click Group Policy.
6. In the details pane, double-click Group Policy slow link detection.
7. In the Group Policy slow link detection Properties dialog box, click Enabled.
8. In the Connection speed (Kbps) field, type 800, and then click OK.
9. Close Group Policy Management Editor.

Result: At the end of this task, you will have enabled remote administration through
the firewall. This allows the Group Policy Results Wizard to query target computers.

Task 2: Create and assign a GPO to prevent the installation of
removable devices
1. In the Group Policy Management console pane, right-click Group Policy
Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Prevent Removable
Devices, and then click OK.
3. Right-click Prevent Removable Devices, and then click Edit.
4. In the Group Policy Management Editor console pane, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
System, expand Device Installation, and then click Device Installation
Restrictions.
5. In the details pane, double-click Prevent installation of removable devices.
6. In the Prevent installation of removable devices Properties dialog box, click
Enabled, and then click OK.
7. Close Group Policy Management Editor.
8. In the Group Policy Management console pane, right-click Miami, and then
click Link an Existing GPO.
9. In the Select GPO dialog box, click Prevent Removable Devices, and then
click OK.
10. Repeat the previous two steps to link the Prevent Removable Devices GPO to
the NYC and Toronto OUs.

Task 3: Create and assign a GPO to encrypt offline files for executive
computers
1. In the Group Policy Management console pane, right-click Group Policy
Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Encrypt Offline Files,
and then click OK.
3. Right-click Encrypt Offline Files, and then click Edit.
4. In the Group Policy Management Editor console pane, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
Network and then click Offline Files.
5. In the details pane, double-click Encrypt the Offline Files cache.
6. In the Encrypt the Offline Files cache Properties dialog box, click Enabled,
and then click OK.
7. Close Group Policy Management Editor.
8. In the Group Policy Management console pane, right-click Executives, and
then click Link an Existing GPO.
9. In the Select GPO dialog box, click Encrypt Offline Files, and then click OK.

Task 4: Create and assign a domain-level GPO for all domain users
1. In the Group Policy Management console pane, right-click Group Policy
Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type All Users Policy, and
then click OK.
3. Right-click All Users Policy, and then click Edit.
4. In the Group Policy Management Editor console pane, under User
Configuration, expand Policies, expand Administrative Templates, and then
click System.
5. In the details pane, double-click Prevent access to registry editing tools.
6. In the Prevent access to registry editing tools Properties dialog box, click
Enabled, and then click OK.
7. In the console pane, click Start Menu and Taskbar.
8. In the details pane, double-click Remove Clock from the system notification
area.
9. In the Remove Clock from the system notification area Properties dialog
box, click Enabled, and then click OK.
10. Close Group Policy Management Editor.
11. In the Group Policy Management console pane, right-click
WoodgroveBank.com, and then click Link an Existing GPO.
12. In the Select GPO dialog box, click All Users Policy, and then click OK.

Task 5: Create and assign a policy to limit profile size and turn off
Windows Sidebar for branch users
1. In the Group Policy Management console pane, right-click Group Policy
Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Branch Users Policy, and
then click OK.
3. Right-click Branch Users Policy, and then click Edit.
4. In the Group Policy Management Editor console pane, under User
Configuration, expand Policies, expand Administrative Templates, expand
System, and then click User Profiles.
5. In the details pane, double-click Limit profile size.
6. In the Limit profile size Properties dialog box, click Enabled.
7. In the Max Profile size (KB) field, type 1000000 and then click OK.
8. In the console pane, under Administrative Templates, expand Windows
Components, and then click Windows Sidebar.
9. In the details pane, double-click Turn off Windows Sidebar.
10. In the Turn off Windows Sidebar Properties dialog box, click Enabled, and
then click OK.
11. Close Group Policy Management Editor.
12. In the Group Policy Management console pane, right-click Miami, and then
click Link an Existing GPO.
13. In the Select GPO dialog box, click Branch Users Policy, and then click OK.
14. Repeat the previous two steps to link the Branch Users Policy GPO to the
NYC and Toronto OUs.

Exercise 2: Verify GPO Application
Task 1: Verify that the settings for Executives have been applied
1. On NYC-CL1, log on as WOODGROVEBANK\Tony using the password
Pa$$w0rd.

Note: Some user settings can only be applied during logon or may not apply due to
cached credentials. These include roaming user profile path, Folder Redirection path, and
Software Installation settings. If the user is already logged on when these settings are
detected, they will not be applied until the next time the user is logged on.

2. Verify that the Windows Sidebar is not displayed.


3. In the notification area, verify that the clock is not displayed.
4. Right-click the Taskbar, and then click Properties.
5. In the Taskbar and Start Menu Properties dialog box, on the Notification
Area tab, verify that you do not have the option to display the clock, and then
click Cancel.
6. Click Start, type regedit, and then press ENTER.
7. In the Registry Editor dialog box, review the error, and then click OK.
8. Log off NYC-CL1.

Task 2: Log on as a user in a Branch Office and observe the applied settings
1. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password
Pa$$w0rd.
2. Verify that the Windows Sidebar is not displayed.
3. In the notification area, verify that the clock is not displayed.
4. In the notification area, double-click the Available profile space icon.
5. In the Profile Storage Space dialog box, review the information and then click
OK.
6. Click Start, right-click Documents, and then click Properties.
7. In the Documents Properties dialog box, verify the location is
C:\Users\Roya, and then click Cancel.
8. Click Start, type regedit, and then press ENTER.
9. In the Registry Editor dialog box, review the error, and then click OK.
10. Click Start, and then click Computer.
11. In the Computer window, verify that the K: drive is mapped to the Data share
on NYC-DC1.
12. Log off NYC-CL1.

Task 3: Use the Group Policy Results Wizard to review Group Policy
application for a target user and computer
1. On NYC-DC1, in the Group Policy Management console pane, right-click
Group Policy Results, and then click Group Policy Results Wizard.
2. In the Group Policy Results Wizard, click Next.
3. On the Computer Selection page, click Another computer, type
WoodgroveBank\NYC-CL1 and click Next.

Note: If you receive an error after the step above, retry the step above in 2 minutes.

4. On the User Selection page, click WOODGROVEBANK\Tony, and then click Next.
5. On the Summary of Selections page, click Next, and then click Finish.
6. In the details pane, click show all.
7. Review the list of applied computer and user GPOs.
Question: Which GPOs were applied to the computer?
Answer: Only the Default Domain Policy.
Question: Which GPOs were applied to the user?
Answer: All Users Policy, Login Script, and Executive Redirection.
8. On the Settings tab, under Computer Configuration, click Administrative
Templates, and then expand each of the settings.
Question: What settings were delivered to the computer?
Answer: Windows Firewall: Allow inbound remote administration exception.
9. Under User Configuration, expand each of the settings.
Question: What settings were delivered to the user?
Answer: The Executive Redirection policy delivers folder redirection settings.
The All Users Policy delivers settings to remove the clock and disable registry
editing.

Result: At the end of this exercise, you will have configured several Administrative
Templates policy settings for various OUs in the organization and then verified
successful GPO application.

Lab C: Deploying Software with
Group Policy
Exercise 1: Deploy a Software Package with Group Policy
Task 1: Copy a software package to the Data share
1. On NYC-DC1, click Start, and then click Computer.
2. In the Computer window, browse to E:\Mod07\LabFiles.
3. Right-click PPVIEWER.MSI, and then click Copy.
4. Double-click Data.
5. In the details pane, right-click, and then click Paste.
6. Close Windows Explorer.

Task 2: Configure and review the software deployment GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click
WoodgroveBank.com, and then click Create a GPO in this domain, and
Link it here.
2. In the New GPO dialog box, in the Name field, type Software Deployment
and then click OK.
3. Right-click Software Deployment, and then click Edit.
4. In the Group Policy Management Editor, in the console pane, under
Computer Configuration, expand Policies, expand Software Settings, and
then click Software installation.
5. Right-click Software installation, point to New, and then click Package.
6. In the Open dialog box, type \\NYC-DC1\Data\ppviewer.msi and then click
Open.
7. In the Deploy Software dialog box, review the configuration options. When
you are done, verify that Assigned is selected, and then click OK.
8. Right-click Microsoft Office PowerPoint Viewer 2003, and then click
Properties.
9. In the Microsoft Office PowerPoint Viewer 2003 Properties dialog box,
review the options on the following tabs:
• General
• Deployment
• Upgrades
• Categories
• Modifications
• Security
10. When done, click Cancel, and then close Group Policy Management Editor.

Exercise 2: Verify Software Installation
Task 1: Verify that the software package has been installed
1. On NYC-CL1, log on as WOODGROVEBANK\Administrator using the
password Pa$$w0rd.
2. Click Start | All Programs | Accessories, and then click Command Prompt.
3. In the Command Prompt window, type GPUpdate /force and then press
ENTER.
4. When the update completes, read the warning that appears. When you are
done, press Y, and then press ENTER.
5. In the You are about to be logged off dialog box, click Close.
6. When the computer restarts, log on as WOODGROVEBANK\Administrator
using the password Pa$$w0rd.
7. Click Start, and then click Control Panel.
8. In the Control Panel window, click Uninstall a program.
9. Notice that the Microsoft Office PowerPoint Viewer 2003 program has been
successfully installed.
10. Double-click Microsoft Office PowerPoint Viewer 2003.
11. In the Programs and Features dialog box, click Yes to uninstall the program.
12. When the process completes, press F5 and notice that even though you can
uninstall the program, it comes back because the program is assigned through
Group Policy.
13. Close Control Panel.

Result: At the end of this exercise, you will have successfully deployed an assigned
software package using Group Policy.

Lab D: Configuring Group Policy
Preferences
Exercise 1: Configure Group Policy Preferences
Task 1: Add a shortcut to Notepad on the desktop of NYC-DC1
1. On NYC-DC1, in the Group Policy Management console pane, right-click
Default Domain Policy, and then click Edit.
2. In the Group Policy Management Editor console pane, under Computer
Configuration, expand Preferences, expand Windows Settings, right-click
Shortcuts, point to New, and then click Shortcut.
3. In the New Shortcut Properties dialog box, in the Action list, click Create.
4. In the Name field, type Notepad.
5. In the Location list, click All Users Desktop.
6. In the Target path field, type C:\Windows\System32\Notepad.exe.
7. On the Common tab, select the Item-level targeting check box, and then click
Targeting.
8. In the Targeting Editor dialog box, on the New Item menu, click Computer
Name.
9. In the Computer name field, type NYC-DC1, and then click OK twice.

Task 2: Create a new folder named Reports on the C: drive of all
computers running Windows Server 2008
1. In the Group Policy Management Editor console pane, under Windows
Settings, right-click Folders, point to New, and then click Folder.
2. In the New Folder Properties dialog box, in the Action list, click Create.
3. In the Path field, type C:\Reports.
4. On the Common tab, select the Item-level targeting check box, and then click
Targeting.
5. In the Targeting Editor dialog box, on the New Item menu, click Operating
System.
6. In the Product list, click Windows Server 2008, and then click OK twice.

Task 3: Configure drive mapping


1. In the Group Policy Management Editor console pane, under User
Configuration, expand Preferences, expand Windows Settings, and then
click Drive Maps.
2. Right-click Drive Maps, point to New, and then click Mapped Drive.
3. In the New Drive Properties dialog box, in the Action list, click Create.
4. In the Location field, type \\NYC-DC1\Data.
5. Select the Reconnect check box.
6. In the Label as field, type Data.
7. In the Drive Letter list, click P.
8. Review the remaining configuration options, and then click OK.
9. Close Group Policy Management Editor.

Task 4: Remove old Logon Script GPO


1. In the Group Policy Management console pane, under WoodgroveBank.com,
right-click Logon Script, and then click Delete.
2. In the Group Policy Management dialog box, review the message and then
click OK.

Note: You aren’t actually deleting the GPO, just the link to it in the domain.

3. Close Group Policy Management.


Exercise 2: Verify Group Policy Preferences Application
Task 1: Verify that the preferences have been applied
1. On NYC-DC1, log off, and then log back on as
WOODGROVEBANK\Administrator using the password of Pa$$w0rd.
2. Click Start, and then click Computer.
3. In the Computer window, verify that the P: drive is mapped to the Data share
on NYC-DC1.
4. Browse to C: and then verify that the Reports folder exists.

Note: It may take a few moments for this folder to appear.

5. Close Windows Explorer.

Note: To apply Group Policy preferences to Windows Vista computers, you must
download and install Group Policy Preference Client Side Extensions for Windows Vista
(KB943729).

Task 2: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.

Result: At the end of this exercise, you will have configured and tested Group Policy
Preferences and verified their application.

Lab E: Troubleshooting Group
Policy Issues
Exercise 1: Troubleshoot Group Policy Scripts
Task 1: Start the 6419A-NYC-DC1 virtual machine and log on as
WOODGROVEBANK\Administrator
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator using the
password Pa$$w0rd.

Task 2: Create and link a domain Desktop policy


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group
Policy Management.
2. In the Group Policy Management console pane, expand
Forest:WoodgroveBank.com, and then expand Domains.
3. Right-click WoodgroveBank.com, and then click Create a GPO in this
domain, and Link it here.
4. In the New GPO dialog box, in the Name field, type Desktop, and then click
OK.
5. Expand WoodgroveBank.com, expand Group Policy Objects, right-click
Desktop, and then click Edit.
6. In the Group Policy Management Editor console pane, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
System, and then click Logon.
7. In the details pane, double-click Always wait for the network at computer
startup and logon.
8. In the Always wait for the network at computer startup and logon
Properties dialog box, click Enabled, and then click OK.
9. In the console pane, under Administrative Templates, expand Network,
expand Network Connections, expand Windows Firewall, and then click
Domain Profile.
10. In the details pane, double-click Windows Firewall: Allow inbound remote
administration exception.
11. In the Windows Firewall: Allow inbound remote administration exception
Properties dialog box, click Enabled, and then click OK.
12. In the console pane, under User Configuration, expand Policies, expand
Windows Settings, expand Internet Explorer Maintenance, and then click
URLs.
13. In the details pane, double-click Important URLs.
14. In the Important URLs dialog box, select the Customize Home page URL
check box, type http://WoodgroveBank.com, and then click OK.
15. In the console pane, expand Administrative Templates, and then click Start
Menu and Taskbar.
16. In the details pane, double-click Force classic Start Menu.
17. In the Force classic Start Menu Properties dialog box, click Enabled, and
then click OK.
18. Close Group Policy Management Editor.

Task 3: Restore the Lab7A GPO


1. In the Group Policy Management console pane, right-click Group Policy
Objects, and then click Manage Backups.
2. In the Manage Backups dialog box, in the Backup location field, if not
already present, type E:\Mod07\Labfiles\GPOBackup, and then press
ENTER.
3. Click the Lab 7A GPO, and then click Restore.
4. Click OK twice, and then click Close.

Task 4: Link the Lab7A GPO to the domain


1. In the Group Policy Management console pane, right-click
WoodgroveBank.com, and then click Link an Existing GPO.
2. In the Select GPO dialog box, click Lab 7A, and then click OK.

Task 5: Start NYC-CL1 and log on as
WOODGROVEBANK\Administrator
1. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
2. Log on to NYC-CL1 as WOODGROVEBANK\Administrator using the
password Pa$$w0rd.
3. Click Start and then click Control Panel.
4. The Control Panel window opens.
5. Click Security.
6. Under Windows Firewall, click Turn Windows Firewall on or off.
7. The Windows Firewall Settings dialog box appears.
8. Click Off (not recommended) and then click OK.
9. Close Control Panel.

Task 6: Test the GPO

Note: The changes you are looking for below may not appear until the second logon.

1. On NYC-CL1, click Start, and then verify you see the classic Start menu.
2. On the desktop, double-click Internet Explorer.
3. In the Windows Internet Explorer window, click the Home button. After a
moment the WoodgroveBank.com IIS7 home page will load.
4. Close Internet Explorer.
5. On the desktop, double-click Computer.
6. In the Computer window, verify that the K: drive is mapped to the Data share
on NYC-DC1.
7. Log off, and then log back on as WOODGROVEBANK\Roya using the
password Pa$$w0rd.
8. Click Start, and then verify you see the classic Start menu.
9. On the desktop, double-click Internet Explorer.
10. In the Windows Internet Explorer window, click the Home button. After a
moment the WoodgroveBank.com IIS7 home page will load.
11. Close Windows Internet Explorer.
12. On the desktop, double-click Computer.
13. In the Computer window, notice that the J: drive is not correctly mapped to
the Data share on NYC-DC1.
14. Log off NYC-CL1.

Task 7: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click
Group Policy Results, and then click Group Policy Results Wizard.
2. In the Group Policy Results Wizard, click Next.
3. On the Computer Selection page, click Another computer, type NYC-CL1,
and then click Next.
4. On the User Selection page, click WOODGROVEBANK\Roya, and then click
Next.
5. On the Summary of Selections page, click Next, and then click Finish.
6. In the details pane, under User Configuration Summary, click Group Policy
Objects, and then click Applied GPOs. Notice that the settings for both the
Desktop GPO and the Lab 7A GPO were applied successfully.
7. Click the Settings tab.
8. Under User Configuration, under Windows Settings, click Scripts, and then
expand Logon. Notice that the Lab 7A GPO was applied correctly.
9. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password
Pa$$w0rd.
10. To test Roya’s permission to the scripts location, click Start, click Run, type
\\NYC-DC1\Scripts, and then press ENTER.
11. In the Network Error dialog box, click Cancel.
12. Log off NYC-CL1.

Note: If time permits, you can view the Group Policy operational log as Administrator on
NYC-CL1. If you filter the view to show events that Roya generates, you will see that
the log records no errors or warnings for this user. This is because the GPO only
sets a registry value that defines the location of the scripts folder; Group Policy
does not know whether the user has access to that location. The write to the registry
succeeded, so the Group Policy log shows no errors. To find access problems, you would
have to audit Object Access for the scripts folder.

Task 8: Resolve the issue and test the resolution


1. On NYC-DC1, click Start, and then click Computer.
2. In the Computer window, browse to E:\Mod07\Labfiles\Scripts.
3. Right-click Scripts, and then click Share.
4. In the File Sharing dialog box, click Change sharing permissions.
5. Type Authenticated Users, and then click Add.
6. Click Share, and then click Done.
7. Close Windows Explorer.
8. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password
Pa$$w0rd.
9. On the desktop, double-click Computer.
10. In the Computer window, verify that the J: drive is mapped to the Data share
on NYC-DC1.
11. Log off NYC-CL1.

Note: Another way to resolve the issue would be to move the script to the Netlogon
share. Alternatively, you could eliminate the need for a logon script altogether by
configuring a Group Policy Preference.

Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.

Exercise 2: Troubleshoot GPO Lab-7B
Task 1: Restore the Lab7B GPO
1. On NYC-DC1, in the Group Policy Management console pane, right-click
Group Policy Objects, and then click Manage Backups.
2. In the Manage Backups dialog box, click Lab 7B, and then click Restore.
3. Click OK twice, and then click Close.

Task 2: Link the Lab7B GPO to the Miami OU


1. In the Group Policy Management console pane, right-click Miami, and then
click Link an Existing GPO.
2. In the Select GPO dialog box, click Lab 7B, and then click OK.

Task 3: Test the GPO


1. On NYC-CL1, log on as WOODGROVEBANK\Rich using the password
Pa$$w0rd.

Note: Rich is a member of the Miami OU.

2. Click Start, and then verify you see the classic Start menu.
3. On the desktop, double-click Internet Explorer.
4. In the Internet Explorer window, click the Home button. After a moment the
WoodgroveBank.com IIS7 home page will load.
5. Close Internet Explorer.
6. On the desktop, double-click Computer.
7. In the Computer window, verify that the K: drive is mapped to the Data share
on NYC-DC1.
8. Notice that the Control Panel does not appear on the desktop or Start menu.
This is a setting from the Lab 7B GPO that was applied to the Miami OU.
9. Log off NYC-CL1, and then log back on as WOODGROVEBANK\Roya using
the password Pa$$w0rd.
10. Notice that even though the GPO should prevent it, the Control Panel is still
present on the desktop and Start menu.
11. Log off NYC-CL1.

Task 4: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click
Group Policy Results, and then click Group Policy Results Wizard.
2. In the Group Policy Results Wizard, click Next.
3. On the Computer Selection screen, click Another computer, type NYC-CL1,
and then click Next.
4. On the User Selection screen, click WOODGROVEBANK\Rich, and then
click Next.
5. On the Summary of Selections screen, click Next, and then click Finish.
6. In the details pane, on the Summary tab, under User Configuration
Summary, click Group Policy Objects, and then click Applied GPOs. Notice
the Lab 7B GPO was applied.
7. On the Settings tab, under User Configuration, click Administrative
Templates, and then click Control Panel. Notice that the policy setting to
prohibit access to the Control Panel is enabled.
8. In the console pane, right-click Roya on NYC-CL1, and then click Rerun
Query.
9. Click Roya on NYC-CL1.
10. In the details pane, on the Summary tab, under User Configuration
Summary, click Group Policy Objects, and then click Applied GPOs. Notice
that the Lab 7B GPO has not been applied.
11. Click Denied GPOs. Notice that the Lab 7B GPO is listed among the denied
GPOs.

Task 5: Resolve the issue and test the resolution
1. In the Group Policy Management console pane, under Group Policy Objects,
click Lab 7B.
2. In the details pane, click the Delegation tab, and then click Advanced.
3. In the Lab 7B Security Settings dialog box, click
MIA_BranchManagersGG.
4. Under Permissions for MIA_BranchManagersGG, notice that the Apply
group policy setting is set to Deny.
5. Click Remove to remove MIA_BranchManagersGG from the
permission list, and then click OK.
6. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password
Pa$$w0rd.
7. Notice that the Control Panel now correctly does not appear on the desktop
or Start menu.
8. Log off NYC-CL1.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.
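
The applied and denied GPO lists that the Group Policy Results Wizard shows in this exercise can also be read on the client from the text output of gpresult /r. The following is an added example, not part of the original lab: a PowerShell function (the name Get-GpresultGpoStatus is hypothetical, and PowerShell 2.0 or later is assumed) that parses that text and reports each GPO with its filtering reason, run here over constructed sample output.

```powershell
# Constructed sample of "gpresult /r" user-scope output (not captured from the lab).
$sample = @'
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Desktop
        Lab 7A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Lab 7B
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        MIA_BranchManagersGG
'@ -split "`r?`n"

function Get-GpresultGpoStatus {
    # Returns one object per GPO: its name, Applied/Filtered, and the filter reason.
    param([string[]]$Lines)

    $section = $null   # 'Applied', 'Filtered', or $null for any other section
    $last    = $null   # most recent filtered GPO, waiting for its "Filtering:" line
    $found   = @()

    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $text = $Lines[$i].Trim()
        if ($text -eq '' -or $text -match '^-+$') { continue }

        # A heading is any line that is underlined with dashes on the next line.
        $next = if ($i + 1 -lt $Lines.Count) { $Lines[$i + 1].Trim() } else { '' }
        if ($next -match '^-{3,}$') {
            if     ($text -eq 'Applied Group Policy Objects')           { $section = 'Applied' }
            elseif ($text -like 'The following GPOs were not applied*') { $section = 'Filtered' }
            else   { $section = $null }
            $last = $null
            continue
        }

        if ($section -eq 'Applied' -and $text -ne 'N/A') {
            $found += New-Object PSObject -Property @{
                Gpo = $text; Status = 'Applied'; Reason = ''
            }
        }
        elseif ($section -eq 'Filtered') {
            if ($text -match '^Filtering:\s*(.+)$') {
                # The reason line belongs to the GPO name printed just above it.
                if ($last) { $last.Reason = $Matches[1] }
            }
            elseif ($text -ne 'N/A') {
                $last = New-Object PSObject -Property @{
                    Gpo = $text; Status = 'Filtered'; Reason = ''
                }
                $found += $last
            }
        }
    }
    return $found
}

$status = Get-GpresultGpoStatus -Lines $sample
$status | Select-Object Gpo, Status, Reason | Format-Table -AutoSize

# GPOs blocked by security filtering are the ones to inspect on the Delegation tab.
$status | Where-Object { $_.Reason -like 'Denied (Security)*' } | ForEach-Object {
    "Check the Delegation tab of '$($_.Gpo)' for a Deny on Apply group policy."
}

# On the client, as the affected user, feed it live output instead of the sample:
#   Get-GpresultGpoStatus -Lines (gpresult /r /scope user)
```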

Exercise 3: Troubleshoot GPO Lab-7C
Task 1: Restore the Lab7C GPO
1. On NYC-DC1, in the Group Policy Management console pane, right-click
Group Policy Objects, and then click Manage Backups.
2. In the Manage Backups dialog box, click Lab 7C, and then click Restore.
3. Click OK twice, and then click Close.

Task 2: Link the Lab7C GPO to the Miami OU


1. In the Group Policy Management console pane, right-click Miami, and then
click Link an Existing GPO.
2. In the Select GPO dialog box, click Lab 7C, and then click OK.

Task 3: Test the GPO


1. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password
Pa$$w0rd.
2. Click Start, and then notice the presence of the Run command. It is not
supposed to be there.
3. Log off NYC-CL1.

Task 4: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click Roya
on NYC-CL1, and then click Rerun Query.
2. Click Roya on NYC-CL1.
3. In the details pane, on the Summary tab, under User Configuration
Summary, click Group Policy Objects, and then click Applied GPOs. Notice
that the Lab 7C GPO is being applied.
4. On the Settings tab, under User Configuration, click Administrative
Templates, and then click Start Menu and Taskbar. Notice that the Add the
Run command to the Start Menu setting is enabled.

Task 5: Resolve the issue and test the resolution
1. In the Group Policy Management console pane, under Group Policy Objects,
right-click Lab 7C, and then click Edit.
2. In the Group Policy Management Editor window, under User Configuration,
expand Policies, expand Administrative Templates, and then click Start
Menu and Taskbar.
3. In the details pane, double-click Add the Run command to the Start Menu.
4. In the Add the Run command to the Start Menu Properties dialog box, click
Not Configured, and then click OK.
5. Double-click Remove Run menu from the Start Menu.
6. In the Remove Run menu from Start Menu Properties dialog box, click
Enabled, and then click OK.
7. Close Group Policy Management Editor.
8. On NYC-CL1, log on as WOODGROVEBANK\Roya using the password
Pa$$w0rd.
9. Click Start, and then notice that the Run command is no longer present.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Exercise 4: Troubleshoot GPO Lab-7D
Task 1: Create a new OU named Loopback
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active
Directory Users and Computers.
2. In the Active Directory Users and Computers console pane, right-click
WoodgroveBank.com, point to New and then click Organizational Unit.
3. In the New Object – Organizational Unit dialog box, type Loopback, and
then click OK.

Task 2: Restore the Lab7D GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click
Group Policy Objects, and then click Manage Backups.
2. In the Manage Backups dialog box, click Lab 7D, and then click Restore.
3. Click OK twice, and then click Close.

Task 3: Link the Lab7D GPO to the Loopback OU


1. In the Group Policy Management console pane, right-click Group Policy
Management, and then click Refresh.
2. Right-click Loopback, and then click Link an Existing GPO.
3. In the Select GPO dialog box, click Lab 7D, and then click OK.

Task 4: Move NYC-CL1 to the Loopback OU


1. In the Active Directory Users and Computers console pane, expand
WoodgroveBank.com, and then click Computers.
2. In the details pane, right-click NYC-CL1, and then click Move.
3. In the Move dialog box, click Loopback, and then click OK.
4. Close Active Directory Users and Computers.

Task 5: Test the GPO
1. On NYC-CL1, restart the computer.
2. When the computer restarts, log on as WOODGROVEBANK\Roya using the
password Pa$$w0rd.
3. Click Start and notice that the Run command is present once again.
4. Notice that Control Panel is present on the desktop and Start menu. These
changes are not intentional.
5. On the desktop, double-click Internet Explorer. Notice that nothing happens,
and Internet Explorer does not launch.

Task 6: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management console pane, right-click Roya
on NYC-CL1, and then click Rerun Query.
2. In the details pane, on the Summary tab, under Computer Configuration
Summary, click Group Policy Objects, and then click Applied GPOs. Notice
that the Lab 7D GPO has been applied.
3. On the Settings tab, under Computer Configuration, click Administrative
Templates, and then click System/Group Policy. Notice that loopback
processing mode is enabled.

Note: Group Policy applies to the user or computer in a manner that depends on where
both the user and the computer objects are located in Active Directory. However, in
some cases, users may need policy applied to them based on the location of the
computer object alone. You can use the Group Policy loopback feature to apply Group
Policy Objects (GPOs) that depend only on which computer the user logs on to.

Task 7: Resolve the issue and test the resolution
1. In the Group Policy Management console pane, expand the Loopback OU,
right-click Lab 7D, and then click Link Enabled to clear the check mark.

Note: Another alternative would be to disable loopback processing in the GPO itself,
especially if there were other settings in the GPO that you did wish to have applied.

2. Close Group Policy Management.
3. On NYC-CL1, restart the computer.
4. When the computer restarts, log on as WOODGROVEBANK\Roya using the
password Pa$$w0rd.
5. Click Start and notice that the Run command is no longer present.
6. Notice that Control Panel is again absent from the desktop and Start menu.
7. On the desktop, double-click Internet Explorer. Notice that Internet Explorer
again opens properly.

Task 8: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Module 8: Implementing Security Using Group
Policy
Lab A: Implementing Security
Using Group Policy
Exercise 1: Configuring Account and Security Policy
Settings
Task 1: Start the virtual machines, and then log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the
password Pa$$w0rd.
3. Minimize the Lab Launcher window.

Task 2: Create an account policy for the domain


1. Click Start, point to Administrative Tools, and then click Group Policy
Management.
2. In the Group Policy Management console pane, expand Forest:
WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and
then click Group Policy Objects.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration,
expand Policies, expand Windows Settings, expand Security Settings,
expand Account Policies, and then click Password Policy.
5. In the details pane, double-click Minimum password length.
6. In the Minimum password length Properties dialog box, in the Password
must be at least field, type 8, and then click OK.
7. Double-click Minimum password age.
8. In the Minimum password age Properties dialog box, in the Password can
be changed after field, type 19, and then click OK.
9. Double-click Maximum password age.
10. In the Maximum password age Properties dialog box, in the Password will
expire in field, type 20, and then click OK.
11. In the console pane, click Account Lockout Policy.
12. In the details pane, double-click Account lockout threshold.
13. In the Account lockout threshold Properties dialog box, under Account will
not lock out, type 5, and then click OK.
14. In the Suggested Value Changes dialog box, click OK to accept the values of
30 minutes.
15. Close Group Policy Management Editor.

Task 3: Configure local policy settings for a Windows Vista client


1. Start NYC-CL1 and log on as WOODGROVEBANK\Administrator using the
password Pa$$w0rd.
2. Click Start, type MMC, and then press ENTER.
3. In the Console1 window, on the File menu, click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor,
click Add, click Finish and then click OK.
5. In the console pane, expand Local Computer Policy, expand Computer
Configuration, expand Windows Settings, expand Security Settings, expand
Local Policies, and then click Security Options.
6. In the details pane, double-click Accounts: Administrator account status.
7. In the Accounts: Administrator account status Properties dialog box, click
Enabled, and then click OK.
8. On the File menu, click Add/Remove Snap-in.
9. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor,
click Add, and then click Browse.
10. In the Browse for a Group Policy Object dialog box, click the Users tab.
11. Click Non-Administrators, click OK, click Finish, and then click OK.
12. In the console pane, expand Local Computer\Non-Administrators Policy,
expand User Configuration, expand Administrative Templates, and then
click Start Menu and Taskbar.
13. In the details pane, double-click Remove Run menu from Start Menu.
14. In the Remove Run menu from Start Menu Properties dialog box, click
Enabled, and then click OK.
15. Close the MMC window and do not save changes.
16. Restart NYC-CL1.

Task 4: Create a wireless network GPO for Windows Vista clients


1. On NYC-DC1, in the Group Policy Management console pane, right-click
Group Policy Objects, and then click New.
2. In the New GPO dialog box, in the Name field, type Vista Wireless, and then
click OK.
3. In the details pane, right-click Vista Wireless, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration,
expand Policies, expand Windows Settings, and then expand Security
Settings.
5. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create
A New Windows Vista Policy.
6. In the New Vista Wireless Network Policy Properties dialog box, click Add,
and then click Infrastructure.
7. In the New Profiles properties dialog box, in the Profile Name field, type
Corporate.
8. In the Network Name(s) (SSID) field, type Corp, and then click Add.
9. On the Security tab, in the Authentication list, click Open with 802.1X, and
then click OK.
10. On the Network Permissions tab, click Add.
11. In the New Permission Entry dialog box, in the Network Name (SSID): field,
type Research, verify that Permission is set to Deny, and then click OK twice.
12. Close Group Policy Management Editor.
13. In the Group Policy Management console pane, right-click
WoodgroveBank.com, and then click Link an Existing GPO.
14. In the Select GPO dialog box, click Vista Wireless, and then click OK.

Task 5: Configure a policy that prohibits a service on all domain
controllers
1. In the Group Policy Management console pane, expand Group Policy
Objects, right-click Default Domain Controllers Policy, and then click Edit.
2. In the Group Policy Management Editor, under Computer Configuration,
expand Policies, expand Windows Settings, expand Security Settings, and
then click System Services.
3. In the details pane, double-click Windows Installer.
4. In the Windows Installer Properties dialog box, select the Define this policy
setting check box, verify that Disabled is selected, and then click OK.
5. Close Group Policy Management Editor.

Result: At the end of this exercise you will have configured account and security policy
settings.

Exercise 2: Implementing Fine-Grained Password Policies
Task 1: Create a PSO using ADSI edit
1. On NYC-DC1, click Start, type adsiedit.msc, and then press ENTER.
2. In the ADSI Edit window, in the console pane, right-click ADSI Edit, and then
click Connect to.
3. In the Connection Settings dialog box, click OK.
4. In the console pane, expand Default naming context [NYC-
DC1.WoodgroveBank.com], expand DC=WoodgroveBank, DC=com, expand
CN=System, right-click CN=Password Settings Container, point to New, and
then click Object.
5. In the Create Object dialog box, click msDS-PasswordSettings, and then click
Next.
6. On the Attribute: cn page, in the Value field, type ITAdmin, and then click
Next.
7. On the Attribute: msDS-PasswordSettingsPrecedence page, in the Value
field, type 10, and then click Next.
8. On the Attribute: msDS-PasswordReversibleEncryptionEnabled page, in the
Value field, type false, and then click Next.
9. On the Attribute: msDS-PasswordHistoryLength page, in the Value field,
type 30, and then click Next.
10. On the Attribute: msDS-PasswordComplexityEnabled page, in the Value
field, type true, and then click Next.
11. On the Attribute: msDS-MinimumPasswordLength page, in the Value field,
type 10, and then click Next.
12. On the Attribute: msDS-MinimumPasswordAge page, in the Value field, type
-5184000000000, and then click Next.

Note: Time-based PSO values are entered using the integer8 format. Integer8 is a
64-bit number that represents the amount of time, in 100-nanosecond intervals, that has
passed since 12:00 AM January 1, 1601.

13. On the Attribute: msDS-MaximumPasswordAge page, in the Value field, type
-6040000000000, and then click Next.
14. On the Attribute: msDS-LockoutThreshold page, in the Value field, type 3,
and then click Next.
15. On the Attribute: msDS-LockoutObservationWindow page, in the Value
field, type -18000000000, and then click Next.
16. On the Attribute: msDS-LockoutDuration page, in the Value field, type
-18000000000, click Next, and then click Finish.
17. Close ADSI Edit.
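
The time values typed in steps 12 through 16 are negative durations counted in 100-nanosecond units. The PowerShell below is an added example, not part of the course materials: it converts between durations and PSO values, decodes the numbers used in this task, and runs two sanity checks on them. The function names are hypothetical.

```powershell
# Added example. ConvertTo-PsoInterval, ConvertFrom-PsoInterval and Test-PsoTimes
# are hypothetical helper names, not Windows cmdlets.
# A .NET TimeSpan tick is 100 ns, the same unit the PSO time attributes use,
# so a duration becomes a PSO value by negating its tick count.

function ConvertTo-PsoInterval {
    param([TimeSpan]$Duration)
    if ($Duration -lt [TimeSpan]::Zero) { throw "Duration must not be negative: $Duration" }
    return [Int64](-1 * $Duration.Ticks)
}

function ConvertFrom-PsoInterval {
    param([Int64]$Value)
    if ($Value -gt 0) { throw "PSO intervals are zero or negative: $Value" }
    # Int64.MinValue is the value Microsoft documents for "(Never)"; it cannot be negated.
    if ($Value -eq [Int64]::MinValue) { return [TimeSpan]::MaxValue }
    return [TimeSpan]::FromTicks(-1 * $Value)
}

function Test-PsoTimes {
    param([Int64]$MinAge, [Int64]$MaxAge, [Int64]$ObservationWindow, [Int64]$LockoutDuration)
    # Sanity checks an administrator would want before creating the object.
    $problems = @()
    if ((ConvertFrom-PsoInterval $MaxAge) -le (ConvertFrom-PsoInterval $MinAge)) {
        $problems += 'Maximum password age is not longer than minimum password age.'
    }
    if ((ConvertFrom-PsoInterval $LockoutDuration) -lt (ConvertFrom-PsoInterval $ObservationWindow)) {
        $problems += 'Lockout duration is shorter than the lockout observation window.'
    }
    return $problems
}

# Values typed in steps 12 through 16 of this task.
$lab = @{
    MinAge            = -5184000000000
    MaxAge            = -6040000000000
    ObservationWindow = -18000000000
    LockoutDuration   = -18000000000
}

# Decode each value into days.hours:minutes:seconds.
foreach ($name in 'MinAge', 'MaxAge', 'ObservationWindow', 'LockoutDuration') {
    $span = ConvertFrom-PsoInterval $lab[$name]
    '{0,-18} {1,16}  {2}' -f $name, $lab[$name], $span
}

# Report any inconsistencies (nothing is printed when the values are consistent).
Test-PsoTimes @lab

# Going the other way: the value to type for a policy of exactly seven days.
ConvertTo-PsoInterval ([TimeSpan]::FromDays(7))
```

Decoding shows that the lab's maximum password age of -6040000000000 is 6 days, 23 hours, 46 minutes and 40 seconds; exactly seven days is -6048000000000.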

Task 2: Assign the ITAdmin password policy to the IT Admins global group
1. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
2. In the Active Directory Users and Computers window, on the View menu,
click Advanced Features.
3. In the console pane, expand WoodgroveBank.com, expand System, and then
click Password Settings Container.
4. In the details pane, right-click ITAdmin, and then click Properties.
5. In the ITAdmin Properties dialog box, on the Attribute Editor tab, scroll
down, click msDS-PSOAppliesTo, and then click Edit.
6. In the Multi-valued Distinguished Name With Security Principal Editor
dialog box, click Add Windows Account.
7. In the Select Users, Computers, or Groups dialog box, type
ITAdmins_WoodgroveGG, and then click OK three times.
8. Close Active Directory Users and Computers.

Result: At the end of this exercise, you will have implemented fine-grained password
policies.

Lab B: Configuring and Verifying
Security Policies
Exercise 1: Configuring Restricted Groups and Software
Restriction Policies
Task 1: Configure restricted groups for the local administrators group
1. On NYC-DC1, in the Group Policy Management console pane, right-click
Default Domain Policy, and then click Edit.
2. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Windows Settings, expand Security
Settings, and then click Restricted Groups.
3. Right-click Restricted Groups and then click Add Group.
4. In the Add Group dialog box, type Administrators and then click OK.
5. In the Administrators Properties dialog box, next to Members of this group,
click Add.
6. In the Add Member dialog box, type
WOODGROVEBANK\ITAdmins_WoodgroveGG, and then click OK.
7. Next to Members of this group, click Add.
8. In the Add Member dialog box, type WOODGROVEBANK\Domain Admins,
and then click OK twice.
9. Close Group Policy Management Editor.

Task 2: Prohibit Internet Explorer and VBS scripts from running on
domain controllers
1. In the Group Policy Management details pane, right-click Default Domain
Controllers Policy, and then click Edit.
2. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Windows Settings, expand Security
Settings, and then click Software Restriction Policies.
3. Right-click Software Restriction Policies, and then click New Software
Restriction Policies.
4. In the details pane, right-click Additional Rules, and then click New Hash
Rule.
5. In the New Hash Rule dialog box, click Browse.
6. In the Open dialog box, browse to C:\Program Files\Internet Explorer.
7. Click iexplore.exe, and then click Open.
8. Verify that the Security level is Disallowed, and then click OK.
9. Right-click Additional Rules, and then click New Path Rule.
10. In the New Path Rule dialog box, in the Path field, type *.vbs, and then click
OK.
11. Close Group Policy Management Editor, and then close Group Policy
Management.

Result: At the end of this exercise you will have configured restricted groups and
software restriction policies.

Exercise 2: Configuring Security Templates
Task 1: Create a security template for the file and print servers
1. On NYC-DC1, click Start, type MMC, and then press ENTER.
2. In the Console1 window, on the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, scroll down, click Security
Templates, click Add, and then click OK.
4. In the console pane, expand Security Templates, right-click
C:\Users\Administrator\Documents\Security\Templates, and then click
New Template.
5. In the C:\Users\Administrator\Documents\Security\Templates dialog box,
in the Template name field, type FPSecurity, and then click OK.
6. Expand C:\Users\Administrator\Documents\Security\Templates, expand
FPSecurity, expand Local Policies, and then click Security Options.
7. In the details pane, double-click Accounts: Rename administrator account.
8. In the Accounts: Rename administrator account Properties dialog box,
select the Define this policy setting in the template check box.
9. In the Define this policy setting in the template field, type FPAdmin, and
then click OK.
10. In the details pane, double-click Interactive Logon: Do not display last user
name.
11. In the Interactive logon: Do not display last user name Properties dialog
box, select the Define this policy setting in the template check box, click
Enabled, and then click OK.
12. In the console pane, right-click FPSecurity, and then click Save.
13. Close the MMC window and do not save changes.

Task 2: Start NYC-SVR1 and disable the Windows Firewall
1. Start NYC-SVR1. Log on as WOODGROVEBANK\Administrator, with the
password Pa$$w0rd.
2. Click Start, and then click Control Panel.
3. In the Control Panel window, double-click Windows Firewall.
4. In the Windows Firewall window, click Change settings.
5. In the Windows Firewall Settings dialog box, click Off, and then click OK.

Note: This next step is performed to simplify the lab and is not a recommended
practice.

6. Close Windows Firewall, and then close Control Panel.

Task 3: Run the Security Configuration Wizard and import the FPSecurity template
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Security Configuration Wizard.
2. On the Security Configuration Wizard dialog box, click Next.
3. On the Configuration Action page, click Next.
4. On the Select Server page, type NYC-SVR1.WoodgroveBank.com, and then
click Next.
5. When the security configuration databases process completes, click Next.
6. On the Role-Based service Configuration page, click Next.
7. On the Select Server Roles page, clear the DNS Server check box.
8. Verify that the File Server check box is selected.
9. Select the Print Server check box, and then click Next.
10. On the Select Client Features page, click Next.
11. On the Select Administration and Other Options page, click Next.
12. On the Select Additional Services page, click Next.
13. On the Handling Unspecified Services page, click Next.
14. On the Confirm Service Changes page, review the changes, and then click
Next.
15. On the Network Security page, click Next.
16. On the Network Security Rules page, click Next.
17. On the Registry Settings page, click Next.
18. On the Require SMB security Signatures page, click Next.
19. On the Outbound Authentication Methods page, click Next.
20. On the Outbound Authentication using Domain Accounts page, select the
Clocks that are synchronized with the selected server’s clock check box,
and then click Next.
21. On the Inbound Authentication Methods page, click Next.
22. On the Registry Settings Summary page, click Next.
23. On the Audit Policy page, click Next.
24. On the System Audit Policy page, click Next.
25. On the Audit Policy Summary page, click Next.
26. On the Save Security Policy page, click Next.
27. On the Security Policy File Name page, type FPPolicy at the end of the
C:\Windows\security\msscw\Policies\ path, and then click Include
Security Templates.
28. In the Include Security Templates dialog box, click Add.
29. In the Open dialog box, browse to
C:\Users\Administrator\Documents\Security\Templates.
30. Click FPSecurity.inf, and then click Open.
31. Click OK, and then click Next.
32. On the Apply Security Policy page, click Apply now, and then click Next.
33. When the security policy application process completes, click Next, and then
click Finish.

Task 4: Transform the FPPolicy into a GPO
1. On NYC-DC1, click Start and then click the Command Prompt.
2. At the command prompt, type scwcmd transform
/p:C:\Windows\security\msscw\Policies\FPpolicy.xml
/g:FileServerSecurity, and then press ENTER.
3. When the process completes, type exit and then press ENTER.
4. Click Start, point to Administrative Tools, and then click Group Policy
Management.
5. In the Group Policy Management console pane, expand Group Policy
Objects.
6. Click FileServerSecurity, and then in the details pane, click the Settings tab.
7. In the details pane, click show all and review the Group Policy settings.
8. Close Group Policy Management.

Result: At the end of this exercise you will have configured security templates.

Exercise 3: Verifying the Security Configuration
Task 1: Log on as the Local Administrator of the Windows Vista
computer and check the membership of the local administrators
group
1. Log on to NYC-CL1 as WOODGROVEBANK\Administrator with the
password Pa$$w0rd.
2. Click Start, type GPupdate /force, and then press ENTER.
3. When this process completes, click Start, point to All Programs, point to
Accessories, and verify that the Run menu appears.
4. Click Start, and then click Control Panel.
5. In the Control Panel window, click User Accounts, and then click User
Accounts again.
6. Click Manage User Accounts.
7. In the User Accounts dialog box, on the Advanced tab, click Advanced.
8. In the Local Users and Groups window, in the console pane, click Groups.
9. In the details pane, double-click Administrators. Verify that the Domain
Admins and the ITAdmins global groups are present.
10. Click Cancel and close all windows.
11. Log off NYC-CL1.

Task 2: Log on to the Windows Vista computer as an ordinary user, and test the policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Roya, with a password of
Pa$$w0rd.
2. Click Start, point to All Programs, and then click Accessories. Ensure that the
Run menu does not appear.
3. Press Right-ALT+DELETE, and then click Change a password.
4. In the Old Password field, type Pa$$w0rd.
5. In the New Password and Confirm password fields, type w0rdPa$$, and
then press ENTER. You will not be able to update the password because the
minimum password age has not expired.
6. In the Old Password field, type Pa$$w0rd.
7. In the New Password and Confirm password fields, type pa, and then press
ENTER. You will not be able to update the password because the minimum
password length has not been met.
8. Click Cancel.

Task 3: Log on to the domain controller as the domain administrator, and test
software restrictions and services
1. On NYC-DC1, click Start, type GPUpdate /force, and then press ENTER.
2. Click Start, then point to All Programs, and then click Internet Explorer.
3. Review the error message, and then click OK.

Note: This error message may not appear until the second logon.

4. Click Start, and then click Computer.
5. In the Computer window, browse to E:\Mod08\LabFiles, and then
double-click hello.vbs.
6. Click OK.
7. Review the error message, and then click OK.
8. Click Start, point to Administrative Tools, and then click Services.
9. In the Services window details pane, scroll down to the Windows Installer
service, and verify that it is set to Disabled.

Task 4: Use Group Policy modeling to test the settings on the file and
print server
1. Click Start, point to Administrative Tools, and then click Group Policy
Management.
2. In the Group Policy Management window console pane, right-click Group
Policy Modeling, and then click Group Policy Modeling Wizard.
3. In the Group Policy Modeling Wizard dialog box, click Next.
4. On the Domain Controller Selection page, click Next.
5. On the User and Computer Selection page, in the Computer information
section, click Computer.
6. In the Computer field, type WOODGROVEBANK\NYC-SVR1, and then click
Next.
7. On the Advanced Simulation Options page, click Next.
8. On the Alternate Active Directory Paths page, click Next.
9. On the Computer Security Groups page, click Next.
10. On the WMI Filters for Computers page, click Next.
11. On the Summary of Selections page, click Next.
12. When the process completes, click Finish.
13. In the details pane, click show all and review the Group Policy settings.

Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have verified the security configuration.

Module 9: Configuring Server Security
Compliance
Lab: Manage Server Security
Exercise 1: Configuring Windows Software Update Services
(WSUS)
Task 1: Start the virtual machines, and log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL2, click Launch.
4. Log on to each virtual machine as WOODGROVEBANK\Administrator with
the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Use the Group Policy Management Console to create and link
a Group Policy Object (GPO) to the domain to configure client
updates
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Group Policy Management.
2. In the console pane, expand Forest: WoodgroveBank.com, expand Domains,
and then click WoodgroveBank.com.
3. Right-click WoodgroveBank.com, and then click Create a GPO in this
domain, and Link it here.
4. In the New GPO dialog box, type WSUS, and then click OK.
5. In the details pane, right-click WSUS, and then click Edit.
6. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
Windows Components, and then click Windows Update.
7. In the details pane, double-click Configure Automatic Updates.

Note: The order of the settings below may be different and you may need to locate and
open each one separately.

8. In the Configure Automatic Updates Properties dialog box, click Enabled,
and then click Next Setting.
9. On the Specify intranet Microsoft update service location Properties dialog
box, click Enabled.
10. In the Set the intranet update service for detecting updates field, type
http://NYC-SVR1.
11. In the Set the intranet statistics server field, type http://NYC-SVR1, and then
click Next Setting.
12. On the Automatic Updates detection frequency Properties dialog box, click
Enabled, and then click OK.
13. Close Group Policy Management Editor, and then close Group Policy
Management.
14. On NYC-CL2, click Start | All Programs | Accessories | Command Prompt.
15. In the Command Prompt, type GPUpdate /force, and then press ENTER.
16. Allow the GPUpdate command to complete.
17. Click Start, click the right-arrow button, and then click Restart.
18. Allow NYC-CL2 to restart.
19. Log on to NYC-CL2 virtual machine as WOODGROVEBANK\Administrator
with the password Pa$$w0rd.

Task 3: Use the WSUS administration tool to view WSUS properties
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Microsoft Windows Server Update Services 3.0 SP1.
2. In the Update Services window, in the console pane expand NYC-SVR1, and
then click Options.
3. In the details pane, click Update Source and Proxy Server.
4. Review the options on both tabs, and then click Cancel.
5. In the details pane, click Products and Classifications.
6. Review the options for product support and update classifications, and then
click Cancel.
7. In the details pane, click Update Files and Languages.
8. Review the options for downloading updates and support for languages, and
then click Cancel.
9. In the details pane, click Synchronization Schedule.
10. Review the options for synchronizing content, and then click Cancel.

Task 4: Create a computer group, and add NYC-CL2 to the new group
1. In the console pane, expand Computers, and then click All Computers.
2. In the Actions pane, click Add Computer Group.
3. In the Add Computer Group dialog box, type HO Computers, and then click
Add.
4. In the console pane, expand All Computers, and then click Unassigned
Computers.
5. In the details pane, in the Status list, click Any, and then click Refresh.
6. Right-click nyc-cl2.woodgrovebank.com, and then click Change
Membership.
7. In the Set Computer Group Membership dialog box, select the HO
Computers check box, and then click OK.

Task 5: Approve an update for Windows Vista clients
1. In the console pane, expand Updates, and then click Security Updates.
2. In the details pane, in the Approval list, click Any Except Declined.
3. In the Status list, click Any, and then click Refresh.

Note: Notice all of the updates available.


4. In the details pane, click Title to sort the results by title.
5. Scroll down, right-click Security Update for Windows Vista (KB957095),
and then click Approve.
6. In the Approve Updates dialog box, click the arrow next to All Computers,
click Approved for Install, and then click OK.
7. On the Approval Progress page, when the process is complete, click Close.
8. In the details pane, right-click Security Update for Windows Vista
(KB957097), and then click Approve.
9. In the Approve Updates dialog box, click the arrow next to All Computers,
point to Deadline, and then click Custom.
10. In the Choose Deadline dialog box, in the Date field, type in yesterday’s date,
and then click OK twice.

Note: Entering yesterday’s date will cause the update to be installed as soon as the client
computers contact the server. Because these VMs use the Microsoft Lab Launcher
environment, their date will not correspond with the actual date. This is by design.
Take note of the VM’s configured date and enter a date one day before it.

11. In the Approval Progress dialog box, click Close.

Task 6: Install an update on the Windows Vista client
1. On NYC-CL2, click Start, type cmd, and then press ENTER.
2. At the Command Prompt, type GPUpdate /force, and then press ENTER.

Note: Wait for the policy to finish updating.

3. At the command prompt, type wuauclt /detectnow, and then press ENTER.
4. The Windows Update dialog box will appear notifying you that the update is
being installed and the computer needs to restart. Click Restart now.

Note: It may take several minutes for the Windows Update dialog box to appear.

5. Log on to NYC-CL2 as WOODGROVEBANK\Administrator with the
password of Pa$$w0rd.
6. Click Start, point to All Programs, and then click Windows Update.
7. In the Windows Update window, in the left pane, click View Update History.
8. On the Review your update history page, locate the Security Update for
Windows Vista (KB957097).

Note: Due to the limitations of the lab environment, the KB957097 update is pre-loaded
on the WSUS server to demonstrate the update process.

9. Close Windows Explorer.

Task 7: View WSUS reports
1. On NYC-SVR1, in the Update Services console pane, click Reports.
2. Review the various reports available in WSUS.
3. In the details pane, click Computer Detailed Status.
4. In the Computers Report for NYC-SVR1 window, click Run Report.
5. On the completed report, note how many updates are listed under nyc-
cl2.woodgrovebank.com.
6. Close the Computers Report for NYC-SVR1 window.
7. Close Update Services.

Exercise 2: Configure Auditing
Task 1: Examine the current state of the audit policy
1. On NYC-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type Auditpol.exe /get /category:*, press ENTER,
and then examine the default audit policy settings.
3. Minimize the command prompt.

Task 2: Enable DS Access auditing on domain controllers
1. On NYC-DC1, click Start, click Administrative Tools, and then click Group
Policy Management.
2. In the console pane, expand WoodgroveBank.com, expand Group Policy
Objects, and then right-click the Default Domain Controllers Policy, and
then click Edit.
3. In the Group Policy Management Editor console pane, expand Computer
Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand Local Policies, and then click Audit Policy. Notice that all
policy settings are set to Not Defined.
4. Double-click Audit directory service access.
5. In the Audit directory service access Properties dialog box, select Define
these policy settings.
6. Select both the Success and Failure check boxes, and then click OK.
7. Close the Group Policy Management Editor, and then close the Group Policy
Management console.
8. Restore the Command Prompt, type Gpupdate and then press ENTER.
9. When the update completes, run the Auditpol.exe /get /category:* command
again, and then examine the audit policy.
10. Close Command Prompt.

Task 3: Set the SACL for the domain
1. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
2. On the View menu, click Advanced Features.
3. In the console pane, right-click WoodgroveBank.com, and then click
Properties.
4. In the WoodgroveBank.com Properties dialog box, click the Security tab.
5. Click Advanced.
6. On the Advanced Security Settings for WoodgroveBank dialog box, click the
Auditing tab, and then click Add.
7. In the Select Users, Computers, and Groups dialog box, type Everyone, and
then click OK.
8. In the Auditing Entry for WoodgroveBank dialog box, for Write all
properties select the Successful and Failed check boxes.
9. Click OK three times.

Task 4: Test the policy
1. In the console tree, right-click Toronto, and then click Rename.
2. Type GTA, and then press ENTER.
3. Minimize Active Directory Users and Computers.
4. Click Start, and then click Server Manager.
5. In the Server Manager console pane, expand Diagnostics, expand Event
Viewer, expand Windows Logs, and then click Security.
6. In the details pane, locate the event with the 4662 ID. Double-click the event,
and then examine the event.
7. Close the Event Properties dialog box.
8. Minimize Server Manager.
9. Restore Active Directory Users and Computers.
10. In the console pane, click Users.
11. In the details pane, double-click Administrator.
12. In the Administrator Properties dialog box, click the Telephones tab.
13. In the Mobile field, type 555-555-5555, and then click OK.
14. Close Active Directory Users and Computers, and then restore Server
Manager.
15. In the details pane, locate the newest 4662 event, and double-click to view
details.

Note: You may have to wait a minute for the event to appear.

16. Close all open windows.
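
Reading 4662 events one at a time in Event Viewer works for the lab, but the same audit data is easier to review when summarized. The PowerShell below is an added example, not part of the course: it filters 4662 events for write-property access and reports who wrote to which object and whether the attempt succeeded. The four events are constructed and trimmed to the fields used, and Get-DsWriteEvent is a hypothetical helper name.

```powershell
# Added example. The events below are constructed for illustration; ObjectName is
# written as a distinguished name for readability. On a domain controller, XML of
# the same shape can be exported with:
#   wevtutil qe Security /q:"*[System[(EventID=4662)]]" /f:xml /e:Events
$sampleXml = @'
<Events>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Keywords>0x8020000000000000</Keywords>
   <TimeCreated SystemTime="2009-01-15T10:02:11.000Z" /></System>
  <EventData>
   <Data Name="SubjectUserName">Administrator</Data>
   <Data Name="ObjectName">OU=GTA,DC=WoodgroveBank,DC=com</Data>
   <Data Name="AccessMask">0x20</Data>
  </EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Keywords>0x8020000000000000</Keywords>
   <TimeCreated SystemTime="2009-01-15T10:05:40.000Z" /></System>
  <EventData>
   <Data Name="SubjectUserName">Administrator</Data>
   <Data Name="ObjectName">CN=Administrator,CN=Users,DC=WoodgroveBank,DC=com</Data>
   <Data Name="AccessMask">0x20</Data>
  </EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Keywords>0x8010000000000000</Keywords>
   <TimeCreated SystemTime="2009-01-15T10:07:02.000Z" /></System>
  <EventData>
   <Data Name="SubjectUserName">Roya</Data>
   <Data Name="ObjectName">CN=Administrator,CN=Users,DC=WoodgroveBank,DC=com</Data>
   <Data Name="AccessMask">0x20</Data>
  </EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Keywords>0x8020000000000000</Keywords>
   <TimeCreated SystemTime="2009-01-15T10:08:15.000Z" /></System>
  <EventData>
   <Data Name="SubjectUserName">Roya</Data>
   <Data Name="ObjectName">OU=GTA,DC=WoodgroveBank,DC=com</Data>
   <Data Name="AccessMask">0x10</Data>
  </EventData>
 </Event>
</Events>
'@

function Get-DsWriteEvent {
    param([string]$Xml)
    $writeProperty = 0x20                       # ADS_RIGHT_DS_WRITE_PROP
    $auditFailure  = '0x8010000000000000'       # Keywords value for Audit Failure
    $doc = [xml]$Xml
    foreach ($e in $doc.Events.Event) {
        if ($e.System.EventID -ne '4662') { continue }
        # Turn the <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        # Keep only operations whose access mask includes the write-property bit.
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if (($mask -band $writeProperty) -eq 0) { continue }
        $outcome = 'Success'
        if ($e.System.Keywords -eq $auditFailure) { $outcome = 'Failure' }
        New-Object PSObject -Property @{
            Time    = $e.System.TimeCreated.SystemTime
            Subject = $data['SubjectUserName']
            Object  = $data['ObjectName']
            Outcome = $outcome
        }
    }
}

$writes = @(Get-DsWriteEvent $sampleXml)

# Every write-property operation, oldest first.
$writes | Sort-Object Time | Format-Table Time, Subject, Outcome, Object -AutoSize

# Failed writes are the ones worth a closer look: who tried, and how often.
$writes | Where-Object { $_.Outcome -eq 'Failure' } | Group-Object Subject | Select-Object Count, Name
```

With the constructed data, three of the four events survive the filter (the 0x10 read is dropped), and the only failed write is attributed to Roya.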

Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Module 10: Configuring and Managing Storage
Technologies
Lab A: Installing the FSRM Role
Service
Exercise 1: Installing the File Server Resource Manager
(FSRM) Role Service
Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
3. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Install the FSRM role service on NYC-SVR1
1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the Server Manager console pane, expand Roles. Notice that the File
Services role already has been installed.
3. Right-click File Services, and then click Add Role Services.
4. In the Select Role Services dialog box, select File Server Resource Manager,
and then click Next.
5. On the Configure Storage Usage Monitoring page, select the Allfiles (E:)
check box, and then click Next.
6. On the Set Report Options page, review the default options, and then click
Next.
7. On the Confirm Installation Selections page, click Install.
8. When the installation is complete, click Close.
9. Close Server Manager.

Results: After this exercise, you should have successfully installed the FSRM role
service on NYC-SVR1.

Lab B: Configuring Storage Quotas
Exercise 1: Configuring Storage Quotas
Task 1: Create a quota template
1. On NYC-SVR1, click Start, point to Administrative tools, and then click File
Server Resource Manager.
2. In the File Server Resource Manager console pane, expand Quota
Management, and then click Quota Templates.
3. Right-click Quota Templates, and then click Create Quota Template.
4. In the Create Quota Template dialog box, in the Template Name field, type
100 MB Limit Log to Event Viewer.
5. Under Notifications Thresholds, click Add.
6. In the Add Threshold dialog box, click the Event log tab.
7. Select the Send warning to event log check box, and then click OK.
8. In the Create Quota Template dialog box, click Add.
9. In the Add Threshold dialog box, in the Generate notification when the
usages reaches field, type 100.
10. Click the Event Log tab, and then select the Send warning to event log check
box.
11. Click OK twice.

Task 2: Configure a quota based on the quota template
1. In the File Server Resource Manager console pane, click Quotas.
2. Right-click Quotas, and then click Create Quota.
3. On the Create Quota dialog box, in the Quota path field, type
E:\Mod10\Labfiles\Users.
4. Click Auto apply template and create quotas on existing and new
subfolders.
5. In the Derive properties from this quota template (recommended) list, click
100 MB Limit Log to Event Viewer, and then click Create.
6. In the details pane, verify that the E:\Mod10\Labfiles\Users\* path has been
configured with its own quota entry. You may have to refresh the Quotas
folder to view the changes.
7. Right-click Start, and then click Explorer.
8. In Windows Explorer, browse to E:\Mod10\Labfiles\Users.
9. Create a new folder named Roya.
10. In File Server Resource Manager, on the Action menu, click Refresh.
11. In the details pane, notice that the newly created folder appears in the list.

Task 3: Test that the Quota is working by generating several large files
1. Click Start, and then click Command Prompt.
2. Type E:, and then press ENTER.
3. Type cd \Mod10\Labfiles\Users\Roya, and then press ENTER.
4. Type fsutil file createnew file1.txt 89400000, and then press ENTER. This
creates a file that is over 85 MB, which will generate a warning in Event
Viewer.
5. Click Start, point to Administrative Tools, and then click Event Viewer.
6. In the Event Viewer console pane, expand Windows Logs, and then click
Application.
7. In the details pane, note the event with Event ID of 12325.
8. In the Command Prompt window, type fsutil file createnew file2.txt
16400000, and then press ENTER. Notice that the file cannot be created
because it would surpass the quota limit.
9. In Windows Explorer, right-click the Users folder, and then click Properties.
10. In the Users Properties dialog box, click Advanced.
11. In the Advanced Attributes dialog box, select the Compress contents to save
disk space check box, and then click OK twice.

Important: Compressing the Users folder reduces the space that its files actually occupy
on disk. If you were to use NTFS file system quotas instead, the actual file size would
be calculated and not the compressed size.

12. In the Confirm Attribute Changes dialog box, verify that Apply changes to
this folder, subfolders and files is selected and then click OK.
13. In the File Server Resource Manager details pane, right-click Quotas, and then
click Refresh. Notice that the amount of used space is reduced significantly.
14. In the Command Prompt window, type fsutil file createnew file2.txt
16400000, and then press ENTER. The file will now be successfully created.

Important: When creating files, you are specifying the number of bytes they will be. This
is why they are not exactly 85000000, because a byte is only eight bits.

15. Type exit, and then press ENTER.

Results: After this exercise, you should have seen the effect of a quota template that
imposes a 100 MB limit on user storage on the E:\Mod10\Labfiles\Users folder.

Lab C: Configuring File Screening
Exercise 1: Configuring File Screening
Task 1: Create a File screen
1. On NYC-SVR1, in the File Server Resource Manager console pane, expand File
Screening Management, and then click File Screens.
2. Right-click File Screens, and then click Create File Screen.
3. In the Create File Screen dialog box, in the File screen path field, type
E:\Mod10\Labfiles\Users.
4. Click Define custom file screen properties, and then click Custom
Properties.
5. In the File Screen Properties dialog box, click Passive screening.
6. Under Select file groups to block, select the Executable Files check box.
7. On the Event Log tab, select the Send warning to event log check box, and
then click OK.
8. In the Create File Screen dialog box, click Create.
9. In the Save Custom Properties as a Template dialog box, in the Template
name field, type Monitor Executables, and then click OK.

Task 2: Test the file screen
1. In Windows Explorer, browse to E:\Mod10\Labfiles.
2. Right-click Example.bat file, and then click Copy.
3. Browse to E:\Mod10\Labfiles\Users\Roya.
4. Right-click Roya, and then click Paste.
5. In the Event Viewer console pane, under Windows Logs, right-click
Application, and then click Refresh.
6. In the details pane, note the event with Event ID of 8215.
7. Close Event Viewer, and then close Windows Explorer.

Results: After this exercise, you should have successfully implemented a file screen
that logs attempts to save executable files in E:\Mod10\Labfiles\Labfiles\Users.
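
Passive screening does not block the copy, so the Application log entry is the only record of it. The following PowerShell function is an added example, not part of the courseware: it retrieves the quota warning (Event ID 12325, Lab B) and the file screen warning (Event ID 8215, Lab C) that these labs generate. It assumes PowerShell 2.0 or later for Get-WinEvent; the function name and its parameters are hypothetical.

```powershell
# Added example (not from the courseware). Requires PowerShell 2.0 or later.
# Event IDs come from the lab text: 12325 = quota warning, 8215 = file screen warning.
# The filter matches on ID only, so ProviderName is returned to let you confirm
# that each record really comes from File Server Resource Manager.
function Get-FsrmLabEvent {
    param(
        [int[]]$EventId = @(12325, 8215),
        [int]$LastHours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName   = 'Application'
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$LastHours)
    }

    try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
            Sort-Object TimeCreated |
            Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
    }
    catch {
        # Get-WinEvent raises an error instead of returning nothing when no event matches.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
}

# Count per event ID, then show the most recent file screen warnings in full.
$events = @(Get-FsrmLabEvent -LastHours 24)
$events | Group-Object Id | Select-Object Name, Count
$events | Where-Object { $_.Id -eq 8215 } |
    Select-Object -Last 5 |
    Format-List TimeCreated, ProviderName, Message
```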

Lab D: Generating Storage Reports
Exercise 1: Generating Storage Reports
Task 1: Generate an on-demand storage report
1. On NYC-SVR1, in the File Server Resource Manager console pane, click
Storage Reports Management.
2. Right-click Storage Reports Management, and then click Generate Reports
Now.
3. In the Storage Reports Task Properties dialog box, click Add.
4. In the Browse For Folder dialog box, browse to E:\Mod10\Labfiles\Users,
and then click OK.
5. Under Select reports to generate, select the File Screening Audit and Quota
Usage check boxes, and then click OK.
6. In the Generate Storage Reports dialog box, verify that Wait for reports to be
generated and then display them is selected, and then click OK.
7. In the Windows Internet Explorer window, review the generated reports.

Task 2: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Results: After this exercise, you should have successfully generated an on-demand
storage report.

Module 11: Configuring and Managing Distributed File System
Lab A: Installing the Distributed File System Role Service and Creating a DFS Namespace
Exercise 1: Installing the Distributed File System (DFS) Role Service
Task 1: Start each virtual machine and log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
3. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Install the Distributed File System Role Service on NYC-DC1


1. On NYC-DC1, click Start, and then click Server Manager.
2. In the console pane, click Roles.
3. In the details pane, under Roles Summary, notice that the File Services role
has been installed. You now must add specific role services for this role.
4. Scroll down to the File Services section, and then under Role Services, click
Add Role Services.
5. On the Select Role Services page, select Distributed File System, and then
click Next.
6. On the Create a DFS Namespace page, click Create a namespace later using
the DFS Management snap-in in Server Manager, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. When the installation is complete, click Close.
9. In Server Manager, verify that File Server, Distributed File System, DFS
Namespaces, and DFS Replication all are installed.
10. Close Server Manager.

Task 3: Install the Distributed File System Role Service on NYC-SVR1


1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the console pane, click Roles.
3. In the details pane, under Roles Summary, notice that the File Services role
has been installed. You now must add specific role services for this role.
4. Scroll down to the File Services section, and then under Role Services, click
Add Role Services.
5. On the Select Role Services page, select Distributed File System, and then
click Next.
6. On the Create a DFS Namespace page, click Create a namespace later using
the DFS Management snap-in in Server Manager, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. When the installation is complete, click Close.
9. In Server Manager, verify that File Server, Distributed File System, DFS
Namespaces, and DFS Replication are all installed.
10. Close Server Manager.

Exercise 2: Creating a DFS Namespace
Task 1: Use the New Namespace Wizard to create a new namespace
1. On NYC-DC1, click Start, point to Administrative Tools, and then click DFS
Management.
2. In the DFS Management console pane, click Namespaces.
3. Right-click Namespaces, and then click New Namespace.
4. On the Namespace Server page, in the Server field, type NYC-DC1, and then
click Next.
5. On the Namespace Name and Settings page, in the Name field, type
CorpDocs, and then click Next.
6. On the Namespace Type page, verify that Domain-based namespace is
selected, and then click Next.
7. On the Review Settings and Create Namespace page, review the settings, and
then click Create.
8. On the Confirmation page, verify that the Status column shows Success, and
then click Close. The CorpDocs namespace has now been created.
9. In the console pane, expand Namespaces, and then click
\\WoodgroveBank.com\CorpDocs.
10. In the details pane, click the Namespace Servers tab. Notice that the
CorpDocs namespace is hosted on a single namespace server (NYC-DC1).

Task 2: Add an additional namespace server to host the namespace


1. On NYC-DC1, in the DFS Management console pane, right-click
\\WoodgroveBank.com\CorpDocs, and then click Add Namespace Server.
2. In the Add Namespace Server dialog box, in the Namespace server field, type
NYC-SVR1, and then click OK.
3. If you receive a warning dialog box that states the Distributed File System
service is not running, click Yes to start the service automatically.
4. Verify from the details pane that the CorpDocs namespace is now hosted
on both NYC-DC1 and NYC-SVR1.

Lab B: Configuring Folder Targets and Viewing Diagnostic Reports
Exercise 1: Configuring Folder Targets and Folder Replication
Task 1: Create the HRTemplates folder, and configure a folder target on NYC-DC1
1. On NYC-DC1, in the DFS Management console pane, right-click
\\WoodgroveBank.com\CorpDocs, and then click New Folder.
2. In the New Folder dialog box, in the Name field, type HRTemplates.
3. Click Add.
4. In the Add Folder Target dialog box, click Browse.
5. In the Browse for Shared Folders dialog box, click New Shared Folder.
6. In the Create Share dialog box, in the Share name field, type
HRTemplateFiles.
7. In the Local path of shared folder field, type C:\HRTemplateFiles.
8. Under Shared folder permissions, click Administrators have full access;
other users have read-only permissions, and then click OK.
9. In the Warning dialog box, click Yes to create the C:\HRTemplateFiles
folder.
10. In the Browse for Shared Folders dialog box, click OK.
11. In the Add Folder Target dialog box, verify that the path shows
\\NYC-DC1\HRTemplateFiles, and then click OK.
12. In the New Folder dialog box, verify that HRTemplates is listed for the Name
and \\NYC-DC1\HRTemplateFiles is listed for the Folder targets, and then
click OK.
13. In the console pane, click \\WoodgroveBank.com\CorpDocs.
14. In the details pane, click the Namespace tab. Notice that HRTemplates is
listed as an entry in the namespace.
15. In the console pane, expand \\WoodgroveBank.com\CorpDocs, and then
click HRTemplates. In the details pane, notice that on the Folder Targets tab,
one folder target is configured.
16. Click the Replication tab, and notice that replication is not configured.

Task 2: Create the PolicyFiles folder, and configure a folder target on NYC-SVR1
1. On NYC-DC1, in the DFS Management console pane, right-click
\\WoodgroveBank.com\CorpDocs, and then click New Folder.
2. In the New Folder dialog box, in the Name field, type PolicyFiles.
3. Click Add.
4. In the Add Folder Target dialog box, click Browse.
5. In the Browse for Shared Folders dialog box, in the Server field, type
NYC-SVR1, and then click Show Shared Folders.
6. Click New Shared Folder.
7. In the Create Share dialog box, in the Share name field, type PolicyFiles.
8. In the Local path of shared folder field, type C:\PolicyFiles.
9. Under Shared folder permissions, click Administrators have full access;
other users have read-only permissions, and then click OK.
10. In the Warning dialog box, click Yes to create the C:\PolicyFiles folder.
11. In the Browse for Shared Folders dialog box, click OK.
12. In the Add Folder Target dialog box, verify that the path shows
\\NYC-SVR1\PolicyFiles, and then click OK.
13. In the New Folder dialog box, verify that PolicyFiles is listed for the Name
and \\NYC-SVR1\PolicyFiles is listed for the Folder targets, and then
click OK.
14. In the console pane, click PolicyFiles. In the details pane, notice that on the
Folder Targets tab, one folder target is configured.

Task 3: Verify the CorpDocs namespace functionality
1. On NYC-DC1, click Start, type \\WoodgroveBank.com\CorpDocs, and then
press ENTER.
2. In the Windows Explorer window that opens, notice that the HRTemplates
and PolicyFiles folders both are visible.

Note: If they are not visible, you may need to wait up to five minutes for the
configuration to complete.

3. Double-click HRTemplates.
4. On the File menu, point to New, and then click Rich Text Document.
5. Type Vacation Request, and then press ENTER.
6. On the navigation bar, click the Back button.
7. Double-click PolicyFiles.
8. On the File menu, point to New, and then click Rich Text Document.
9. Type Order Policies, and then press ENTER.
10. Close the PolicyFiles window.
11. On NYC-SVR1, click Start, type \\WoodgroveBank.com\CorpDocs, and then
press ENTER.
12. In the Windows Explorer window that opens, notice that the HRTemplates
and PolicyFiles folders both are visible.
13. Browse both folders and verify that you can access the files. Close the window
when complete.

Task 4: Create additional folder targets for the HRTemplates folder, and configure folder replication
1. On NYC-DC1, in the DFS Management console pane, right-click
HRTemplates, and then click Add Folder Target.
2. In the New Folder Target dialog box, in the Path to folder target field, type
\\NYC-SVR1\HRTemplates, and then click OK.
3. In the Warning box, click Yes to create the \\NYC-SVR1\HRTemplates
shared folder.
4. In the Create Share dialog box, in the Local path of shared folder field, type
C:\HRTemplates.
5. Under Shared folder permissions, click Administrators have full access;
other users have read-only permissions, and then click OK.
6. In the Warning dialog box, click Yes to create the C:\HRTemplates folder.
7. In the Replication dialog box, click Yes to create a replication group.
8. On the Replication Group and Replicated Folder Name page, verify that
woodgrovebank.com\corpdocs\hrtemplates is listed as the Replication
group name and that HRTemplates is listed as the Replicated folder name,
and then click Next.
9. On the Replication Eligibility page, verify that both NYC-DC1 and NYC-SVR1
are listed, and then click Next.
10. On the Primary Member page, in the Primary Member list, click NYC-DC1,
and then click Next.
11. On the Topology Selection page, verify that Full mesh is selected, and then
click Next.
12. On the Replication Group Schedule and Bandwidth page, verify that
Replicate continuously using the specified bandwidth is selected and that in
the Bandwidth list, Full is selected, and then click Next.
13. On the Review Settings and Create Replication Group page, review the
settings, and then click Create.
14. On the Confirmation page, verify that all tasks completed successfully, and
then click Close.
15. Read the Replication Delay message, and then click OK.
16. In the console pane, expand Replication, and then click
woodgrovebank.com\corpdocs\hrtemplates.
17. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.

Task 5: Create additional folder targets for the PolicyFiles folder, and
configure folder replication
1. On NYC-DC1, in the DFS Management console pane, right-click PolicyFiles,
and then click Add Folder Target.
2. In the New Folder Target dialog box, in the Path to folder target field, type
\\NYC-DC1\PolicyFiles, and then click OK.
3. In the Warning dialog box, click Yes to create the \\NYC-DC1\PolicyFiles
shared folder.
4. In the Create Share dialog box, in the Local path of shared folder field, type
C:\PolicyFiles.
5. Under Shared folder permissions, click Administrators have full access;
other users have read-only permissions, and then click OK.
6. In the Warning box, click Yes to create the C:\PolicyFiles folder.
7. In the Replication dialog box, click Yes to create a replication group.
8. On the Replication Group and Replicated Folder Name page, verify that
woodgrovebank.com\corpdocs\policyfiles is listed as the Replication group
name and that PolicyFiles is listed as the Replicated folder name, and then
click Next.
9. On the Replication Eligibility page, verify that both NYC-DC1 and
NYC-SVR1 are listed, and then click Next.
10. On the Primary Member page, in the Primary member list, click NYC-SVR1,
and then click Next.
11. On the Topology Selection page, verify that Full mesh is selected, and then
click Next.
12. On the Replication Group Schedule and Bandwidth page, verify that
Replicate continuously using the specified bandwidth is selected and that in
the Bandwidth list, Full is selected, and then click Next.
13. On the Review Settings and Create Replication Group page, review the
settings, and then click Create.
14. On the Confirmation page, verify that all tasks completed successfully, and
then click Close.
15. Read the Replication Delay message, and then click OK.
16. In the console pane, click woodgrovebank.com\corpdocs\policyfiles.
17. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.

Exercise 2: Viewing Diagnostic Reports for Replicated Folders
Task 1: Create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates
1. On NYC-DC1, in the DFS Management console pane, under Replication,
right-click woodgrovebank.com\corpdocs\hrtemplates, and then click
Create Diagnostic Report.
2. On the Type of Diagnostic Report or Test page, verify that Health report is
selected, and then click Next.
3. On the Path and Name page, click Next.
4. On the Members to Include page, verify that both NYC-DC1 and NYC-SVR1
are listed in the Included members column, and then click Next.
5. On the Options page, verify that Yes, count backlogged files in this report is
selected.
6. Select Count the replicated files and their sizes on each member, and then
click Next.
7. On the Review Settings and Create Report page, review the settings, and then
click Create.
8. The DFS Replication Health Report Web page opens. Read through the
report and take note of any errors or warnings. Errors will appear if replication
is still in process or has not taken place yet. When you are finished, close the
Internet Explorer window.
9. Repeat the above steps to create a diagnostic report for the policyfiles
replication group. Read through the report, and take note of any errors or
warnings. When you are finished, close the Internet Explorer window. Note
that there may be errors reported if replication has not begun or finished yet.

Task 2: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.

Module 12: Configuring Network Access Protection
Since NAP is a new technology in Windows Server 2008, detailed steps have been
provided for each of the tasks in the module itself. For this reason, there is no
separate lab answer key for this module.

Module 13: Configuring Availability of Network Resources and Content
Lab A: Configuring Shadow Copying
Exercise 1: Configuring Shadow Copying
Task 1: Start the virtual machines, and then log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. Log on to each virtual machine as WOODGROVEBANK\Administrator with
the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Enable shadow copies on a volume


1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Computer Management.
2. In the Computer Management console pane, right-click Shared Folders, point
to All Tasks, and then click Configure Shadow Copies.
3. In the Shadow Copies dialog box, click E:\, and then click Enable.
4. In the Enable Shadow Copies dialog box, click Yes.
5. Click Create Now, and then click OK.
6. Leave the Computer Management console open.

Task 3: Change a file in a share location
1. On NYC-CL1, click Start, type \\NYC-DC1\Shadow, and then press ENTER.
2. In the Shadow window, double-click ShadowTest.txt.
3. In the Notepad window, type This is my text that I am adding to the file.
4. On the File menu, click Save.
5. Close Notepad, but leave the Windows Explorer window open.
6. In the Shadow window, double-click ShadowTest.txt.
7. In the Notepad window, type This is my second modification to the file.
8. On the File menu, click Save.
9. Close Notepad, but leave the Windows Explorer window open.

Task 4: Manually create a shadow copy


1. On NYC-DC1, in the Computer Management console pane, right-click Shared
Folders, point to All Tasks, and then click Configure Shadow Copies.
2. In the Shadow Copies dialog box, click E:\, and then click Create Now.
3. The Shadow copies of selected volume pane should now have two entries
listed. Click OK.
4. Close Computer Management.

Task 5: View the previous file versions, and restore to a previous
version
1. On NYC-CL1, in Windows Explorer, right-click ShadowTest.txt, and then
click Properties.
2. In the ShadowTest.txt Properties dialog box, click the Previous Versions tab.
3. Under File versions, you should see the last shadow copy that was created.
Click Open to view the file contents.
4. In the Notepad window, review the file contents. The file you are viewing
should be a blank file.
5. Close Notepad.
6. In the ShadowTest.txt Properties dialog box, click Restore.
7. In the Previous Versions dialog box, click Restore, and then click OK twice.
8. Close Windows Explorer.

Results: After this exercise, you should have established shadow copies on a share,
changed a file, and then restored the original version.

Lab B: Configuring Network Load Balancing
Exercise 1: Configuring Network Load Balancing with IIS
Task 1: Install NLB

Note: Perform these steps on both NYC-DC1 and NYC-SVR1. First perform the steps on
NYC-DC1. Then perform the steps on NYC-SVR1.

1. Click Start | Server Manager. The Server Manager window opens.
2. In the Server Manager console tree, click Features.
3. In the details pane, click Add Features.
4. In the Add Features Wizard, select Network Load Balancing, and then click
Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Results page, click Close.
7. Close Server Manager.

Task 2: Create an NLB cluster

Note: Perform these steps on NYC-DC1

1. Click Start | Administrative Tools | Network Load Balancing Manager.
2. The Network Load Balancing Manager window opens. Maximize the window.
3. In the console tree, right-click Network Load Balancing Clusters and then
click New Cluster.
4. In the New Cluster: Connect dialog box, in the Host field, type NYC-DC1 and
then click Connect.
5. Under Interfaces available for configuring a new cluster, click the interface
on the 10.10.0 network, and then click Next.
6. On the Host Parameters page, click Add.
7. In the Add IP Address dialog box, in the IPv4 address field, type 10.10.0.80,
press TAB and the Subnet mask field will automatically fill.
8. Click OK, and then click Next.
9. In the Cluster IP Addresses page, click Add.
10. In the Add IP Address dialog box, in the IPv4 address field, type 10.10.0.70,
press TAB and the Subnet mask field will automatically fill.
11. Click OK, and then click Next.
12. On the Cluster Parameters page, in the Full Internet name field, type
webfarm.woodgrovebank.com.
13. Click Multicast and then click Next.
14. On the Port Rules page, click Edit.
15. In the Add/Edit Port Rule dialog box, in the From field, type 80, and in the
To field, type 80.
16. Under Protocols click TCP.
17. For Affinity click None.
18. Click OK, and then click Finish.

Note: Do not begin the steps below until after the previous change has completed. Use
the log entries in the bottom pane to determine when the previous change has
completed.

19. In the console tree, right-click webfarm.woodgrovebank.com and then click
Add Host to Cluster.
20. In the Add Host to Cluster: Connect dialog box, in the Host field, type
NYC-SVR1 and then click Connect.
21. Under Interfaces available for configuring a new cluster, click the interface
with the 10.10.0.24 IP address, and then click Next.
22. On the Host Parameters page, click Add.
23. In the Add IP Address dialog box, in the IPv4 address field, type 10.10.0.81,
press TAB and the Subnet mask field will automatically fill.
24. Click OK, and then click Next.
25. On the Port Rules page, click Finish.

Note: It may take three minutes for the NLB cluster hosts to converge. Wait for both NLB
hosts to display a status of Converged before moving to the steps below.

Task 3: Test the NLB cluster

Note: Perform these steps on NYC-DC1

1. Click Start | All Programs | Internet Explorer.
2. In the Internet Explorer address bar, type http://10.10.0.70, and then press
ENTER.
3. The IIS 7.0 default page appears.
4. Turn off NYC-SVR1.
5. On NYC-DC1, in the Internet Explorer address bar, type http://10.10.0.70,
and then press ENTER.

Results: Even though an NLB cluster member is unavailable, the Web site is still
available.

Module 14: Monitoring and Maintaining Windows Server 2008 Servers
Lab A: Identifying Windows Server 2008 Monitoring Requirements
Exercise 1: Evaluating Performance Metrics

Task 1: Start each virtual machine and log on


1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
3. Log on to both virtual machines as WOODGROVEBANK\Administrator with
the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Identify performance problems with Windows Server 2008 – Part A
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Reliability and Performance Monitor.
2. In the Reliability and Performance Monitor console pane, expand Monitoring
Tools, and then click Performance Monitor.
3. In the details pane, click the View Log Data button (CTRL+L).
4. In the Performance Monitor Properties dialog box, on the Source tab, click
Log files, and then click Add.
5. In the Select Log File dialog box, browse to E:\Mod14\Labfiles\Ex1A.
6. Click 6419A-NYC-SVR1-LAB14-EX1A.blg and then click Open.
7. In the Performance Monitor Properties dialog box, click OK.
8. In the Performance Monitor details pane, click Add (CTRL+I).
9. In the Add Counters dialog box, under Available counters, expand
Processor, and then click % Processor Time.
10. Under Instances of selected object, click 0, and then click Add.
11. In the Add Counters dialog box, under Available counters, expand System,
click Processor Queue Length, click Add, and then click OK.
12. At the bottom of the window, click % Processor Time to view the graph of the
CPU usage on NYC-SVR1 and notice that:
• The minimum value is 34 percent.
• The maximum value is 100 percent.
• The average value is 82.58 percent.
13. Click Add (CTRL+I).
14. In the Add Counters dialog box, under Available counters, expand Process,
and then click % Processor Time.
15. Under Instances of selected object, click <All Instances>, click Add, and then
click OK.
16. Review the % Processor Time used by each process. It is useful to use the
Highlight button (CTRL+ H) to view each instance. Identify the process that is
consuming the CPU.

Answer: The cpustres process is consuming most of the CPU time.

17. Close Reliability and Performance Monitor.



Task 3: Identify performance problems with Windows Server 2008 –
Part B
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Reliability and Performance Monitor.
2. In the Reliability and Performance Monitor console pane, expand Monitoring
Tools, and then click Performance Monitor.
3. In the details pane, click View Log Data (CTRL+L).
4. In the Performance Monitor Properties dialog box, on the Source tab, click
Log files, and then click Add.
5. In the Select Log File dialog box, browse to E:\Mod14\Labfiles\Ex1B.
6. Click 6419A-NYC-SVR1-LAB14-EX1B.blg and then click Open.
7. In the Performance Monitor Properties dialog box, click OK.
8. In the Performance Monitor details pane, click Add (CTRL+I).
9. In the Add Counters dialog box, under Available counters, expand
PhysicalDisk, and then click Avg. Disk Queue Length.
10. Under Instances of selected object, click 0 C:, and then click Add.
11. Under Available counters, click Current Disk Queue Length.
12. Under Instances of selected object, click 0 C:, and then click Add.
13. Under Available counters, click Disk Transfers/sec.
14. Under Instances of selected object, click 0 C:, and then click Add.
15. Under Available counters, expand Process, and then click IO Data Bytes/sec.
16. Under Instances of selected object, click <All Instances>, click Add, and then
click OK.
17. Review the IO Data Bytes/sec values for each process. It is useful to use the
Highlight button (Ctrl+H) to view each instance. Identify the process that is
consuming the disk transfer capacity.

Answer: The explorer process is consuming the disk resources.

18. Close Reliability and Performance Monitor.



Task 4: Identify performance problems with Windows Server 2008 –
Part C
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Reliability and Performance Monitor.
2. In the Reliability and Performance Monitor console pane, expand
Monitoring Tools, and then click Performance Monitor.
3. In the details pane, click View Log Data (CTRL+L).
4. In the Performance Monitor Properties dialog box, on the Source tab, click
Log files, and then click Add.
5. In the Select Log File dialog box, browse to E:\Mod14\Labfiles\Ex1C.
6. Click 6419A-NYC-SVR1-LAB14-EX1C.blg and then click Open.
7. In the Performance Monitor Properties dialog box, click OK.
8. In the Performance Monitor details pane, click Add (CTRL+I).
9. In the Add Counters dialog box, under Available counters, expand Process,
and then click Working Set - Private.
10. Under Instances of selected object, click <All Instances>, and then click Add.
11. Under Available counters, expand Paging File, click % Usage, hold down
CTRL, and then click % Usage Peak.
12. Under Instances of selected object, click \??\C:\pagefile.sys, and then
click Add.
13. Under Available counters, expand Memory, click % Committed Bytes In
Use, hold down CTRL and click Available MBytes, Committed Bytes, Page
Faults/sec, Pages/sec, Pool Nonpaged Bytes, Pool Paged Bytes, click Add,
and then click OK.
14. View the graph of the memory and process usage on NYC-SVR1. Review the
minimum and maximum values for each process to locate the problem. (The
value for Available MBytes drops to 4 MB.) Review the Working Set - Private
value for each process. It is useful to use the Highlight button (CTRL+H) to
view each instance. Determine which process is consuming memory.

Answer: The leakyapp processes are consuming memory.
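
Parts A, B and C above each find the offending process by highlighting one Process counter instance at a time. The following PowerShell function is an added example, not part of the courseware: it ranks every process instance in a .blg log by a chosen Process counter, which generalizes the three manual reviews. It assumes PowerShell 2.0 or later for Import-Counter; the function name and parameters are hypothetical, and the log paths are the lab's own.

```powershell
# Added example (not from the courseware). Requires PowerShell 2.0 or later.
# Ranks the instances of the Process object in a Performance Monitor log by one counter.
function Get-TopProcessByCounter {
    param(
        [Parameter(Mandatory = $true)][string]$LogPath,
        [Parameter(Mandatory = $true)][string]$Counter,   # for example '% Processor Time'
        [int]$Top = 5
    )

    # Import every sample set from the log, then keep only \Process(*)\<Counter> samples.
    # Sample paths look like \\server\process(name)\counter; -like is case-insensitive.
    $samples = Import-Counter -Path $LogPath -ErrorAction Stop |
        ForEach-Object { $_.CounterSamples } |
        Where-Object { $_.Path -like "*\process(*)\$Counter" } |
        # _total and idle are aggregates, not real processes.
        Where-Object { $_.InstanceName -notmatch '^(_total|idle)$' }

    if (-not $samples) {
        Write-Warning "No Process samples for counter '$Counter' in $LogPath"
        return
    }

    $samples |
        Group-Object -Property InstanceName |
        ForEach-Object {
            $stats = $_.Group |
                Measure-Object -Property CookedValue -Average -Minimum -Maximum
            New-Object PSObject -Property @{
                Process = $_.Name
                Average = [math]::Round($stats.Average, 2)
                Minimum = [math]::Round($stats.Minimum, 2)
                Maximum = [math]::Round($stats.Maximum, 2)
                Samples = $stats.Count
            }
        } |
        Sort-Object -Property Average -Descending |
        Select-Object -First $Top -Property Process, Average, Minimum, Maximum, Samples
}

# Part A: CPU consumer
Get-TopProcessByCounter -Counter '% Processor Time' `
    -LogPath 'E:\Mod14\Labfiles\Ex1A\6419A-NYC-SVR1-LAB14-EX1A.blg'

# Part B: disk I/O consumer
Get-TopProcessByCounter -Counter 'IO Data Bytes/sec' `
    -LogPath 'E:\Mod14\Labfiles\Ex1B\6419A-NYC-SVR1-LAB14-EX1B.blg'

# Part C: memory consumer (compare Minimum with Maximum to see growth over the capture)
Get-TopProcessByCounter -Counter 'Working Set - Private' `
    -LogPath 'E:\Mod14\Labfiles\Ex1C\6419A-NYC-SVR1-LAB14-EX1C.blg'
```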



Exercise 2: Monitoring Performance Metrics
Task 1: Create a data collector set to measure server requirements
1. On NYC-SVR1, in Reliability and Performance Monitor, expand Data
Collector Sets, and then click User Defined.
2. On the Action menu, point to New, and then click Data Collector Set.
3. In the Create new Data Collector Set dialog box, in the Name field, type File
Server Monitoring and then click Next.
4. On the Which template would you like to use? page, verify that System
Performance is selected, and then click Next.
5. On the Where would you like the data to be saved? page, review the default
path, and then click Next.
6. On the Create the data collector set? page, review the options, and then click
Finish.
7. In the Reliability and Performance Monitor details pane, double-click File
Server Monitoring, and then double-click Performance Counter.
8. In the Performance Counter Properties dialog box, review the objects and
counters, and then click OK.
9. In the console pane, right-click File Server Monitoring, and then click
Properties.
10. In the File Server Monitoring Properties dialog box, on the Stop Condition
tab, in the Overall duration field type 2 and then click OK.
11. In the console pane, right-click File Server Monitoring, and then click Start.

Note: If you receive an error, click OK, and attempt to start the collector set again.

12. On the Action menu, click Latest Report.


13. After about two minutes, the data will be collected and the report should be
shown. Review the collected data.


Lab B: Configuring Windows
Server 2008 Monitoring
Exercise 1: Configuring Data Collector Sets
Task 1: Generate an alert by using a data collector set
1. On NYC-SVR1, in the Reliability and Performance Monitor console pane,
under Data Collector Sets, click User Defined.
2. On the Action menu, point to New, and then click Data Collector Set.
3. In the Create new Data Collector Set dialog box, in the Name field, type High
CPU Monitoring.
4. Click Create manually (Advanced), and then click Next.
5. On the What type of data do you want to include? page, click Performance
Counter Alert, and then click Next.
6. On the Which performance counters would you like to monitor? page, click
Add.
7. Under Available counters, expand Processor, and then click % Processor
Time.
8. Under Instances of selected object, click 0, click Add, and then click OK.
9. On the Which performance counters would you like to monitor? page, in
the Limit field, type 95 and then click Next.
10. On the Create the data collector set? page, click Finish.
11. In the details pane, double-click High CPU Monitoring, and then double-click
DataCollector01.
12. In the DataCollector01 Properties dialog box, on the Alert Action tab, select
the Log an entry in the application event log check box, and then click OK.
13. Close Reliability and Performance Monitor.


Exercise 2: Monitoring Extension Exercise
Task 1: Create a tailored data collector set
• Use the Reliability and Performance Monitor to create a data collector set for a
server in your organization.


Exercise 3: Automating Maintenance Tasks
Task 1: Forward Directory Service replication error messages to a
central location
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In the Active Directory Users and Computers console pane, expand
WoodgroveBank.com, and then click Builtin.
3. In the details pane, right-click Administrators, and then click Properties.
4. In the Administrators Properties dialog box, on the Members tab, click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, click
Object Types.
6. In the Object Types dialog box, select the Computers check box, and then
click OK.
7. In the Select Users, Contacts, Computers, or Groups dialog box, type
NYC-SVR1, and then click OK twice.
8. Close Active Directory Users and Computers.
9. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Event Viewer.
10. In the Event Viewer console pane, click Subscriptions.
11. In the Event Viewer dialog box, click Yes.
12. In the console pane, right-click Subscriptions, and then click Create
Subscription.
13. In the Subscription Properties dialog box, in the Subscription name field,
type Replication Errors.
14. Verify that in the Destination log list, Forwarded Events is selected and then
click Select Computers.
15. In the Computers dialog box, click Add Domain Computers.
16. In the Select Computer dialog box, type NYC-DC1 and then click OK twice.
17. In the Subscription Properties dialog box, click Select Events.
18. In the Query Filter dialog box, on the XML tab, select the Edit query
manually check box.
19. In the Event Viewer dialog box, click Yes.
20. In the Query Filter dialog box, type the following, and then click OK.

<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(Level=2 or Level=3) and (EventID=1308 or EventID=1864)]]</Select>
  </Query>
</QueryList>

21. In the Subscription Properties dialog box, click OK.


22. Close Event Viewer.

Task 2: Run a script to review disk space


1. On NYC-SVR1, click Start, point to All Programs, click Accessories, and then
click Notepad.
2. Type the following code example into Notepad:

# Computers to report on
$aryComputers = "NYC-DC1","NYC-SVR1"
# Win32_LogicalDisk DriveType 3 is a local fixed disk
Set-Variable -name intDriveType -value 3 -option constant

foreach ($strComputer in $aryComputers)
{
    "Hard drives on: " + $strComputer
    Get-WmiObject -class win32_logicaldisk -computername $strComputer |
        Where {$_.drivetype -eq $intDriveType} | Format-table
}

3. On the File menu, click Save As.


4. In the Save As dialog box, in the File name field, type DriveReport.ps1.
5. In the Save as type list, click All Files, and then click Save.
6. Close Notepad.
7. Click Start, point to All Programs, click Windows PowerShell 1.0, and then
click Windows PowerShell.
8. In the Windows PowerShell window, type Set-ExecutionPolicy unrestricted
and then press ENTER.

Note: This command allows you to run scripts that are unsigned.

9. Type C:\Users\Administrator.Woodgrovebank\Documents\DriveReport.ps1
and then press ENTER.
10. Review the results of the script.
11. Type exit, and then press ENTER.

Task 3: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.


Module 15: Planning for Windows Server 2008
Backup
Lab A: Planning Windows Server
2008 Backup Policy
Before you start the exercises, start the following virtual machines:
• 6419A-NYC-DC1
• 6419A-NYC-SVR1

Ensure that the 6419A-NYC-DC1 virtual machine has fully started before you start
the 6419A-NYC-SVR1 virtual machine.

Exercise 1: Evaluating the Existing Backup Plan


Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
3. Log on to each virtual machine as WOODGROVEBANK\Administrator with
the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Review the existing backup plan


1. You have agreed that no more than one day's data should be lost in the event
of a disaster. Critical data includes the Sales, Finance, and Projects data. Does
the current backup plan meet this requirement?
Answer: No. The current weekly backup plan means that, if data is lost, the
data that is restored could be up to a week old.
2. Currently, you copy the Human Resources confidential data onto a removable
hard disk that is attached to a computer in the Human Resources office. This
task is performed weekly by using a script to preserve the encryption on the
files. What are the consequences of this process and how would you address
them?
Answer: The issue is that the confidential files are on an easily removable
device in an unsecured office. You could provide a secure data storage device,
or you could place the removable hard disk in a secure area after the backup
job is complete.
3. You have also agreed that, if a server fails, you should be able to restore that
server, including all installed roles, features, applications, and security identity,
in six hours. Does the current backup plan enable you to restore the servers in
this way?
Answer: No. No system state backups are being performed on the servers, so
the servers must be rebuilt in the event of a failure. This would make restoring
the original configuration very difficult.

Task 3: Propose changes to the backup plan


1. Propose an appropriate backup frequency for the shares in the following table:

Share               Backup Frequency
Sales               Daily
Finance             Daily
Human Resources     Daily
Technical Library   Weekly
Projects            Daily, or perhaps more frequently

2. How would you address the requirement to restore the servers and how
frequently would you back up the servers?
Answer: Back up the system state data on the servers so that you can restore
them later. The backup should be at an appropriate frequency, so this will
depend on how often the server configuration is changed. Typical schedules
may be weekly or monthly.


Exercise 2: Updating the Backup Policy
Task 1: Create a backup strategy to comply with the SLA
1. You should be able to restore critical data, which includes the Sales, Finance,
and Projects shares, as quickly as possible in the event of a disaster. What
factors affect how quickly you can restore data?
Answer: The size of the backed-up data and the backup hardware and media
both affect how quickly you can restore data.
2. Given that you have a limited budget to meet the SLA requirements, how
could you maximize your budget while providing backup for the entire
network data for which you are responsible?
Answer: Consider using a tiered approach to back up and restore: use faster
backup hardware and media for critical data, which costs more, but use slower
backup hardware and media for noncritical data to reduce costs.

Task 2: Create a backup strategy to comply with legal requirements


• How will you ensure that the required data is stored for the minimum legal
requirement period and that the data is available for audit purposes when it is
required?
Answer: Various approaches are valid, such as:
• Create separate archive backups for legal compliance purposes. Include
only the required data in these archives. A user who has restore privilege is
required to access the data if an audit is performed. You must also
consider the storage lifetime of the media: a tape may not retain
seven-year-old data if it is not refreshed.
• Store the legal compliance data on a separate network device such as
another server or archive device. This device may offer policies to help you
control retention requirements.


Exercise 3: Reviewing Backup Policy and Plans
The main task for this exercise is to discuss your solutions with the class.


Exercise 4: Implementing the Backup Policy
Task 1: Initialize the backup storage volume
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Computer Management.
2. In the Computer Management console pane, click Disk Management.
3. In the Initialize Disk dialog box, click OK.
4. In the details pane, next to Disk 2, right-click Unallocated, and then click
New Simple Volume.
5. In the New Simple Volume Wizard, click Next.
6. On the Specify Volume Size page, review the configuration options, and then
click Next.
7. On the Assign Drive Letter or Path page, review the configuration options,
and then click Next.
8. On the Format Partition page, in the Volume label field, type Backup.
9. Select the Perform a quick format check box, and then click Next.
10. On the Completing the New Simple Volume Wizard page, click Finish.
11. When the format operation is complete, close Computer Management.

Task 2: Create the new backup schedule


1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Windows Server Backup.
2. In the Windows Server Backup window, on the Action menu, click Backup
Schedule.
3. In the Backup Schedule Wizard, click Next.
4. On the Select backup configuration page, click Custom, and then click Next.
5. On the Select backup items page, clear the Allfiles (E:) and Backup (F:)
check boxes, and then click Next.
6. On the Specify backup time page, click More than once a day.
7. Under Available time, click 12:30 PM, click Add, and then click Next.
8. On the Select destination disk page, click Show All Available Disks.
9. In the Show All Available Disks dialog box, select the Disk 2 check box, and
then click OK.
10. On the Select destination disk page, select the Disk 2 check box, and then
click Next.
11. In the Windows Server Backup dialog box, click Yes.
12. On the Label destination disk page, click Next.
13. On the Confirmation page, click Finish.
14. On the Summary page, click Close.
15. Close Windows Server Backup.

Task 3: Back up the Domain Recovery Agent’s Private Key


1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Group Policy Management.
2. In the Group Policy Management window, expand Forest:
WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and
then click Group Policy Objects.
3. In the details pane, right-click Default Group Policy and click Edit.
4. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand Public Key Policies, and then click Encrypting File System.
5. In the details pane, right-click Administrator, point to All Tasks, and then
click Export.
6. In the Certificate Export Wizard, click Next.
7. On the Export Private Key page, select the Yes, export the private key radio
button, and then click Next.
8. On the Export File Format page, click Next.
9. On the Password page, in the Password and Type and confirm password
(mandatory) fields, type Pa$$w0rd, and then click Next.
10. On the File to Export page, in the File Name field, type C:\AdminKey.pfx,
and then click Next.
11. On the Completing the Certificate Export Wizard page, click Finish.
12. In the information dialog box, click OK.
13. Close all windows.

Task 4: Lab Shutdown


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.


Managing Windows Server 2008 Restore
Lab B: Planning Windows Server
2008 Restore
Exercise 1: Evaluating Backup Data
Task 1: Start the NYC-DC1, NYC-SVR1, and NYC-INF virtual machines
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-INF, click Launch.
4. Log on to each virtual machine as WOODGROVEBANK\Administrator with
the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Evaluate file restoration


On Thursday, a member of the HR department asks you to restore an important
file, which he created two days ago but someone subsequently deleted.
1. Why can you not restore the file?
Answer: The file was created after the last backup was performed, so the file
cannot be restored.
2. How could you change the backup strategy so that it is possible to restore files
that have changed more recently?
Answer: You could perform daily backups to enable you to restore files that
are more recent. However, because a full backup takes 20 hours, you must
perform incremental backups to reduce the backup time. You can configure
this by creating a schedule in Windows Server Backup.
3. What other effects would a change in backup strategy cause?
Answer: Backup time would be significantly reduced after the first backup.
Backup storage requirements would be reduced because subsequent backups
store only changes instead of all the data.


Task 3: Restore EFS files
Members of the HR department have encrypted some of the files that are stored on
the HR share by using EFS. The HR director asks you to restore some encrypted
confidential files that were originally written by Tommy Hartono, who has since
left the company. After you have restored the files, how can you provide access to
the files for the HR director?
To provide access to the restored encrypted files, you require either the key of the
authorized user who encrypted the file (Tommy Hartono) or the key of a
designated data recovery agent (DRA).

Task 3: Evaluate server restore


On Wednesday, the server, NYC-FS1, suffers a hardware failure. Both the C: and E:
volumes are lost.
1. How can you restore the server and data?
Answer: To restore the server, you must perform the following tasks:
a. Reinstall the Windows Server 2008 operating system.
b. Reinstall any required Windows Server 2008 roles and features such as
the file server role and the Windows Server Backup feature.
c. Reinstall any previously installed applications such as management tools
or antivirus software.
d. Reconfigure the E: volume.
e. Restore the data to the E: volume.
2. How could you make the restore process easier?
Answer: Regularly backing up the C: volume, including the system state data,
would make the server restore easier because you could restore the server from
the Windows Recovery Environment (Windows RE).


Exercise 2: Planning a Restore
Task 1: Plan a trial restore
1. In the following table, list the hardware and software requirements for
performing a trial restore.

Requirements

Additional server (physical or virtual)

Backup hardware; for example, tape drive, connection to network, or connection
to storage area network (SAN)

Access to backup media; for example, tapes

Windows Server 2008 source (DVD)

Backup software such as third-party backup software

2. What additional consideration must you make for performing a trial restore of
the HR data on NYC-FS1?
Answer: You must retrieve the off-site backup media for testing.
3. With what types of backup data should you perform a trial restore?
Answer: You should perform trial restores on all types of backup, including
volume backups, complete server backups, and database backups.


Exercise 3: Investigating a Failed Restore
Task 1: Determine the reason for the wrong file version
1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the Server Manager console pane, expand Diagnostics, expand Event
Viewer, expand Applications and Services Logs, expand Microsoft, expand
Windows, expand Backup, and then click Operational.

This is where you can view any issues that occur with a restore operation.

Task 2: Create a Restore Operators group


1. In the Server Manager console pane, expand Configuration, expand Local
Users and Groups, and then click Groups.
2. Right-click Groups, and then click New Group.
3. In the New Group dialog box, in the Group name field, type Restore
Operators, click Create, and then click Close.
4. Close Server Manager.


Task 3: Separate the Backup and Restore roles
1. Click Start, point to Administrative Tools, and then click Local Security
Policy.
2. In the Local Security Policy console pane, expand Local Policies, and then
click User Rights Assignment.
3. In the details pane, double-click Restore files and directories.
4. In the Restore files and directories Properties dialog box, on the Local
Security Setting tab, click Backup Operators, and then click Remove.
5. Click Add User or Group.
6. In the Select Users, Computers, or Groups dialog box, click Locations.
7. In the Locations dialog box, click NYC-SVR1, and then click OK.
8. In the Select Users or Groups dialog box, click Object Types.
9. In the Object Types dialog box, select the Groups check box, and then click
OK.
10. In the Select Users or Groups dialog box, type Restore Operators and then
click OK twice.
11. Close Local Security Policy.
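
One way to confirm the result of this task from the command line, as an added example that is not part of the course material: the script parses a user-rights export produced by secedit /export /areas USER_RIGHTS and reports whether Backup Operators still hold the Restore files and directories right. The embedded INF text is a constructed sample, and the function names and the C:\rights.inf path are hypothetical.

```powershell
# Constructed sample of a user-rights export, used when no file path is given.
# Create a real one with: secedit /export /cfg C:\rights.inf /areas USER_RIGHTS
# (C:\rights.inf is a placeholder path; the entry format below is an assumption.)
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,Restore Operators
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Well-known SID and names of the built-in Backup Operators group.
$BackupOperators = 'S-1-5-32-551', 'Backup Operators', 'BUILTIN\Backup Operators'

# Hypothetical helper: maps each right in [Privilege Rights] to its principals.
function Get-PrivilegeHolders([string[]]$Lines) {
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Track which INF section the following lines belong to.
            $inSection = ($matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $name = $matches[1]
            $holders = @()
            foreach ($entry in $matches[2].Split(',')) {
                # Entries are account names or SIDs prefixed with '*'.
                $principal = $entry.Trim().TrimStart('*')
                if ($principal) { $holders += $principal }
            }
            $rights[$name] = $holders
        }
    }
    return $rights
}

# Hypothetical helper: checks the outcome this task is meant to produce.
function Test-BackupRestoreSeparation($Rights) {
    $backup = @()
    $restore = @()
    if ($Rights.ContainsKey('SeBackupPrivilege'))  { $backup  = $Rights['SeBackupPrivilege'] }
    if ($Rights.ContainsKey('SeRestorePrivilege')) { $restore = $Rights['SeRestorePrivilege'] }
    # Principals holding both rights (Administrators normally do; informational).
    $both = @($backup | Where-Object { $restore -contains $_ })
    # The task removed Backup Operators from the restore right; verify that.
    $stillRestores = @($restore | Where-Object { $BackupOperators -contains $_ }).Count -gt 0
    return @{ Separated = (-not $stillRestores); HoldBoth = $both; Restore = $restore }
}

# Use the exported file if a path was passed as the first argument, else the sample.
if ($args.Count -gt 0) {
    $lines = Get-Content $args[0]
} else {
    $lines = $SampleInf.Split("`n")
}

$check = Test-BackupRestoreSeparation (Get-PrivilegeHolders $lines)
"Restore files and directories: " + [string]::Join(', ', $check.Restore)
"Hold both backup and restore:  " + [string]::Join(', ', $check.HoldBoth)
if ($check.Separated) {
    "OK: Backup Operators do not hold the restore right."
} else {
    "FINDING: Backup Operators can still restore files and directories."
}
```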


Exercise 4: Restoring System State Data
Task 1: Back up and restore specific files and folders
1. Click Start, point to Administrative Tools, and then click Windows Server
Backup.
2. In the Windows Server Backup window, in the Actions pane, click Backup
Once.
3. On the Backup options page, verify that Different options is selected, and
then click Next.
4. On the Select backup configuration page, click Custom, and then click Next.
5. On the Select backup items page, clear the Enable system recovery check
box.
6. Select the Allfiles (E:) check box, and then click Next.
7. On the Specify destination type page, click Remote shared folder, and then
click Next.
8. On the Specify remote folder page, type \\NYC-DC1\Data, and then click
Next.
9. On the Specify advanced option page, click VSS full backup, and then click
Next.
10. On the Confirmation page, click Backup.
11. The backup will take up to 10 minutes to complete. When it is finished, click
Close.

Results: You should have a full backup of the E drive now.

12. Click Start and then click Computer.


13. In the Computer window, browse to E:\Mod15.
14. Right-click Document 3.txt and then click Delete.
15. In the Delete File dialog box, click Yes.
16. In the Windows Server Backup window, in the Actions pane, click Recover.
17. On the Getting started page, click Next.
18. On the Select backup date page, click Next.
19. On the Select recovery type page, verify that Files and folders is selected, and
then click Next.
20. On the Select items to recover page, under Available items, expand
NYC-INF, expand Allfiles (E:), and then click Mod15.
21. In the details pane, click Document 3.txt, and then click Next.
22. On the Specify recovery options page, review the configuration options, and
then click Next.
23. On the Confirmation page, click Recover.
24. When the restore operation is complete, click Close.
25. Close Windows Server Backup.
26. In Windows Explorer, note that Document 3.txt is present.
27. Close Windows Explorer.

Task 2: Check the state of the DHCP service


1. On NYC-INF, click Start, point to Administrative Tools, and then click
Services.
2. In the Services details pane, double-click DHCPServer.
3. In the Services dialog box, review the error message, and then click OK.
4. In the second Services dialog box, review the error message, and then click
OK.
5. Close Services.


Task 3: Perform a system state restore
1. Click Start, and then click Command Prompt.
2. In the Administrator: Command Prompt window, type
wbadmin get versions -backuptarget:e: and then press ENTER.
3. Take note of the version identifier.
4. Type wbadmin start systemstaterecovery -version:<version identifier>
-backuptarget:e: and then press ENTER.
5. When prompted to start the system state recovery operation, press Y, and then
press ENTER.
6. After a short while, you may press Ctrl+C to cancel the restore.

Note: A full system restore would take a considerable amount of time to complete, but
once it is done, the DHCP Server service will start successfully.

Results: You have successfully backed up and restored files using the Windows Server
Backup utility.

Task 4: Lab Shutdown


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6419A Lab Launcher.