
Microsoft Windows Server 2003 Expert Workshop

Hands-on Lab Exercises

Released: 4/16/2003


Table of Contents

CLASSROOM LAYOUT
COMPUTER NAMES AND IP ADDRESSES
LAB 01 INSTALL & CONFIGURING DNS SERVER
LAB 02 INSTALLING ACTIVE DIRECTORY
LAB 03 INSTALLING ADDITIONAL DOMAIN CONTROLLERS IN EACH DOMAIN
LAB 04 ELEVATE DOMAIN FUNCTIONAL LEVEL TO WINDOWS 2000 NATIVE MODE
LAB 05 TESTING THE EFFECTS OF REPLICATING CHANGES TO MULTI-VALUED ATTRIBUTES
LAB 06 ELEVATE FOREST FUNCTIONALITY TO WINDOWS SERVER 2003 AND TEST MULTIVALUE REPLICATION
LAB 07 CREATE MULTIPLE SITES
LAB 08 TEST GLOBAL CATALOG FAILURE
LAB 09 ENABLE AND TEST UNIVERSAL GROUP CACHING
LAB 10 RESET DIRECTORY SERVICES RESTORE MODE PASSWORD (OPTIONAL)
LAB 11 CREATE AN INETORGPERSON OBJECT (OPTIONAL)
LAB 12 MARK A SCHEMA OBJECT AS DEFUNCT (OPTIONAL)
LAB 13 CREATE AN APPLICATION PARTITION
LAB 14 RENAMING OF DOMAIN CONTROLLERS
LAB 15 RENAMING DOMAIN NETBIOS NAME (TO BE PERFORMED ON THE LAST DAY AS AN OPTIONAL LAB)
LAB 16 SETUP AND TEST CROSS FOREST TRUSTS
LAB 17 IIS APPLICATION POOLS
LAB 18 TERMINAL SERVICES (OPTIONAL)
LAB 19 REMOTE ASSISTANT (OPTIONAL)
LAB 20 CREATE SOFTWARE RESTRICTION POLICY (OPTIONAL)
LAB 21 RESULT SET OF POLICY (RSOP) TOOLS (OPTIONAL)
LAB 22 RESTORE DEFAULT GPOS (OPTIONAL)
LAB 23 USING VOLUME SHADOW COPY SERVICE TO RECOVER FILES
LAB 24 EFS
LAB 25 COMMAND LINE TOOLS (OPTIONAL)
APPENDIX A


CLASSROOM LAYOUT

[Figure: classroom layout diagram. It shows the instructor's server (W2K3.Net, Forest W2K3) and the student servers Server01 through Server16 in domains DomainA through DomainH, grouped into forests labelled Forest A, Forest B, Forest E and Forest G.]

All labs that are not optional must be done. This is to ensure that all labs at the end will function correctly. Optional labs are at the discretion of the instructor.


Computer Names and IP Addresses


Student Number  Computer Name  IP Address  Subnet Mask  DNS Address  Domain       Forest
01              Server01       10.1.1.1    255.255.0.0  10.1.1.1     DomainA.com  DomainA.com Forest
02              Server02       10.1.1.2    255.255.0.0  10.1.1.1     DomainA.com  DomainA.com Forest
03              Server03       10.1.2.3    255.255.0.0  10.1.2.3     DomainB.com  DomainA.com Forest
04              Server04       10.1.2.4    255.255.0.0  10.1.2.3     DomainB.com  DomainA.com Forest
05              Server05       10.1.1.5    255.255.0.0  10.1.1.5     DomainC.com  DomainC.com Forest
06              Server06       10.1.1.6    255.255.0.0  10.1.1.5     DomainC.com  DomainC.com Forest
07              Server07       10.1.2.7    255.255.0.0  10.1.2.7     DomainD.com  DomainC.com Forest
08              Server08       10.1.2.8    255.255.0.0  10.1.2.7     DomainD.com  DomainC.com Forest
09              Server09       10.1.1.9    255.255.0.0  10.1.1.9     DomainE.com  DomainE.com Forest
10              Server10       10.1.1.10   255.255.0.0  10.1.1.9     DomainE.com  DomainE.com Forest
11              Server11       10.1.2.11   255.255.0.0  10.1.2.11    DomainF.com  DomainE.com Forest
12              Server12       10.1.2.12   255.255.0.0  10.1.2.11    DomainF.com  DomainE.com Forest
13              Server13       10.1.1.13   255.255.0.0  10.1.1.13    DomainG.com  DomainG.com Forest
14              Server14       10.1.1.14   255.255.0.0  10.1.1.13    DomainG.com  DomainG.com Forest
15              Server15       10.1.2.15   255.255.0.0  10.1.2.15    DomainH.com  DomainG.com Forest
16              Server16       10.1.2.16   255.255.0.0  10.1.2.15    DomainH.com  DomainG.com Forest


Lab 01 Install & Configuring DNS Server

NOTE: This lab must be done before continuing with the rest of the labs.

Prerequisites
Must be familiar with DNS concepts and operations

Objectives
- Install DNS Server services
- Create Forward and Reverse Lookup Zones
- Create and configure Conditional Forwarding
- Test DNS by using the nslookup command

Lab Setup
- A computer running Windows Server 2003 Enterprise Server that is configured as a standalone server.
- Static IP address and subnet mask.
- DNS domain name.
Refer to the Computer Names and IP Addresses table (page 5) for this information.


Exercise 1 - Installing the Primary DNS Server Service


Goal
In this exercise, you will configure the DNS domain name of your computer and install DNS. NOTE: The installation of DNS services will only take place on the following servers: Server1, Server3, Server5, Server7, Server9, Server11, Server13 and Server15.

Tasks
1. Start the Windows Components wizard and install the DNS subcomponent of the Networking Services. Copy the required files from the Windows Server 2003 Advanced Server compact disc.

Detailed Steps
a. Log on as Administrator with a password of password.
b. By default a screen called Manage Your Server will open. This screen allows you to add roles to your server and to manage your server roles.
c. Under Adding Roles to Your Server, click Add or remove a Role.
d. On the Preliminary Steps page, click Next.
e. On the Server Role page, select DNS Server and click Next.
f. On the Summary of Selections page, review the summary and click Next. DNS will start to install. (Insert the Windows Server 2003 CD when required.)

2. Create a Standard Primary Forward Lookup Zone for your domain.

a. On the Welcome to the Configure a DNS Server Wizard page, click Next.
b. On the Select Configuration Action page, select Create forward and reverse lookup zones (recommended for large networks) and click Next.
c. On the Forward Lookup Zone page, select Yes, create a forward lookup zone now (recommended), click Next.
d. On the Zone Type page, select Primary Zone, click Next. NOTE: Select Primary Zone only on the first server in each domain.
e. On the Zone Name page, enter the zone name, for example domainname.com, and click Next.
f. Leave the defaults on the Zone File page, click Next.
g. On the Dynamic Update page, select Allow both nonsecure and secure dynamic updates, click Next.


3. Create a Standard Primary Reverse Lookup Zone for your Network ID.

a. On the Reverse Lookup Zone page, select Yes, create a reverse lookup zone now, and click Next.
b. On the Zone Type page, select Primary Zone, click Next. NOTE: The Primary Zone selection must only be used on the first server in each domain.
c. On the Reverse Lookup Zone Name page, enter the Network ID for your zone, for example 10.1.1.
d. On the Zone File page leave the default, click Next.
e. On the Dynamic Update page, select Allow both secure and non-secure dynamic updates, click Next.

4. Create Forwarders to the instructor's server.

a. On the Forwarders page, select Yes, it should forward queries to DNS servers with the following IP addresses.
b. Enter the instructor's server IP address: 10.1.200.1, click Next. It will start searching for Root Hints.
c. On the Completing the Configure a DNS Server Wizard page, click Finish. NOTE: If an error message appears, click OK. This message states that it could not configure the Root Hints. Once completed, open the DNS server, right-click the server name and then select Properties. Under ServerX Properties select Root Hints. Ensure that the root hints are available.
d. On the This Server is Now a DNS Server page, click Finish.

5. Enter the Primary DNS Suffix under the My Computer properties.

a. Click Start, right-click My Computer, and click Properties.
b. Click Computer Name > Change > More.
c. In the Primary DNS Suffix of this computer box, enter your DNS domain suffix, e.g. DomainX.com.
d. Click OK to close all windows and then click Yes to restart the computer.


6. Ensure the computer can resolve both forward and reverse lookups by means of NSLOOKUP.

a. Log on as Administrator with the password of password.
b. Click Start > Administrative Tools > DNS.
c. Expand your server, then expand Reverse Lookup Zones.
d. Click on your subnet.
e. Ensure that a pointer record exists for your computer.
f. If the pointer record does not exist, create one by right-clicking the subnet and selecting New Pointer Record.
g. Under New Resource Record, enter the IP address of the host computer and enter the host name under Host Name.
h. Once completed, click OK and close all windows.
i. Open the command prompt: Start > Run > CMD.
j. At the command prompt, type NSLOOKUP.
k. You will receive the following:

   Default: computername.domainname.com
   Address: 10.1.x.x

l. Exit NSLOOKUP by typing exit at the command prompt.

7. Add your partner's computer and IP address to the Name Servers.

a. Open the DNS console.
b. Expand your server and then expand Forward Lookup Zones.
c. Right-click your domain name and select Properties > Name Servers.
d. Under Name Servers, click Add.
e. In the Server fully qualified domain name (FQDN) box, type your partner's computer name, e.g. server02.domaina.com.
f. Under IP Address, enter your partner's IP address, click Add, and then OK.
g. Click OK to close the Properties window. Close all other windows.

NOTE: DNS servers/services can still be installed using the Add/Remove Windows Components under Add/Remove Programs menu.


Exercise 2 Installing the Secondary DNS Server Services


Goal
During this exercise you will install and configure your Server as a secondary DNS server. Only a secondary forward lookup zone will be created. The reverse lookup zone will be kept on the primary DNS Server. Thus no secondary reverse lookup zone needs to be created. NOTE: The installation of DNS services will only take place on the following servers: Server2, Server4, Server6, Server8, Server10, Server12, Server14 and Server16.

Tasks
1. Start the Windows Components wizard and install the DNS subcomponent of the Networking Services. Copy the required files from the Windows Server 2003 Advanced Server compact disc.

Detailed Steps
a. Log on as Administrator with a password of password.
b. By default a screen called Manage Your Server will open. This screen allows you to add roles to your server and to manage your server roles.
c. Under Adding Roles to Your Server, click Add or remove a Role.
d. On the Preliminary Steps page, click Next.
e. On the Server Role page, select DNS Server and click Next.
f. On the Summary of Selections page, review the summary and click Next. DNS will start to install. (Insert the Windows Server 2003 CD when required.)

2. Create a Secondary Forward Lookup Zone for your domain.

a. On the Welcome to the Configure a DNS Server Wizard page, click Next.
b. On the Select Configuration Action page, select Create forward and reverse lookup zones (recommended for large networks) and click Next.
c. On the Forward Lookup Zone page, select Yes, create a forward lookup zone now (recommended), click Next.
d. On the Zone Type page, click to select Secondary zone, click Next.
e. On the Zone Name page, enter the zone name and click Next.
f. On the Master DNS Servers page, enter the IP address of your partner's DNS server, click Add and then click Next.


g. On the Reverse Lookup Zone page, click No, don't create a reverse lookup zone now, and click Next.
h. On the Forwarders page, select Yes, it should forward queries to DNS servers with the following IP addresses.
i. Enter the instructor's server IP address: 10.1.200.1, click Next. It will start searching for Root Hints.
j. On the Completing the Configure a DNS Server Wizard page, click Finish. NOTE: If an error message appears, click OK. This message states that it could not configure the Root Hints. Once completed, open the DNS server, right-click the server name and then select Properties. Under ServerX Properties select Root Hints. Ensure that the root hints are available.
k. On the This Server is Now a DNS Server page, click Finish.

3. Enter the Primary DNS Suffix under the My Computer properties.

a. Click Start, right-click My Computer, and click Properties.
b. Click Computer Name > Change > More.
c. In the Primary DNS Suffix of this computer box, enter your DNS domain suffix, e.g. DomainX.com.
d. Click OK to close all windows and then click Yes to restart the computer.

Ask your partner to check whether your pointer record has registered. If not, ask him/her to create a pointer record.


Exercise 3 - Configure Conditional Forwarding in DNS


Goal
Students in each domain will be working as a team when setting up and configuring conditional forwarding between multiple DNS servers.

Tasks
1. Perform the following tasks:
- Test name resolution using NSLOOKUP.
- Set up conditional forwarding between partner forests' DNS zones.
- Use NSLOOKUP to verify resolution to your partner's forest.
- Perform for each forest and domain in class.

Detailed Steps
a. Open a command prompt and type NSLOOKUP.
b. At the prompt, type your partner's FQDN and press ENTER.
c. Open the DNS console, right-click your computer name, select Properties and then select Forwarders.
d. Under DNS domain: click New and type in the domain name of all partner domains in the classroom.
e. Under Selected domain's forwarder IP address list: enter the DNS server IP address of your partner's domain and click Add.
f. Use NSLOOKUP to see if you can resolve queries in your partner's domain.
g. Perform this for all domains in the classroom.
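The wizard steps of Lab 01 can also be expressed on the command line, which makes the security-relevant zone settings explicit. The batch file below is an added example, not part of the workshop manual: it uses the Server01 row of the classroom table, takes DomainC.com as the partner forest for the conditional forwarder, and assumes dnscmd.exe from the Windows Support Tools is on the PATH with the DNS Server service already installed.

```batch
@echo off
rem Added example, not part of the workshop manual.
rem Command-line equivalent of Lab 01 for a primary DNS server.
rem Values are the Server01 row of the classroom table (assumption: adjust
rem them for your own server). Requires dnscmd.exe from the Support Tools.
setlocal

set ZONE=domaina.com
set REVZONE=1.1.10.in-addr.arpa
set HOSTFQDN=server01.domaina.com
set HOSTIP=10.1.1.1
set HOSTPTR=1
set PARTNER=server02
set PARTNERIP=10.1.1.2
set INSTRUCTOR=10.1.200.1
rem Conditional forwarder target: a partner forest's domain and DNS server.
set FWDDOMAIN=domainc.com
set FWDDNS=10.1.1.5

rem Exercise 1, tasks 2 and 3: standard (file-backed) primary zones.
dnscmd /ZoneAdd %ZONE% /Primary /file %ZONE%.dns
dnscmd /ZoneAdd %REVZONE% /Primary /file %REVZONE%.dns

rem Dynamic Update page. 1 = nonsecure and secure, the lab's choice: any host
rem that can reach the server can register or overwrite records in the zone.
rem 0 = no dynamic updates. 2 = secure only, which needs an Active
rem Directory-integrated zone and so is not available on a standalone server.
dnscmd /Config %ZONE% /AllowUpdate 1
dnscmd /Config %REVZONE% /AllowUpdate 1

rem Exercise 1, task 4: forward all other queries to the instructor's server.
dnscmd /ResetForwarders %INSTRUCTOR%

rem Exercise 1, task 6: make sure the server's own pointer record exists.
dnscmd /RecordAdd %REVZONE% %HOSTPTR% PTR %HOSTFQDN%.

rem Exercise 1, task 7: list the partner as a name server for the zone, and
rem allow zone transfers only to servers listed as name servers, so that the
rem partner's secondary zone (Exercise 2) is the only other copy of the zone.
dnscmd /RecordAdd %ZONE% %PARTNER% A %PARTNERIP%
dnscmd /RecordAdd %ZONE% @ NS %PARTNER%.%ZONE%.
dnscmd /ZoneResetSecondaries %ZONE% /SecureNs

rem Exercise 3: conditional forwarder for the partner forest's domain.
dnscmd /ZoneAdd %FWDDOMAIN% /Forwarder %FWDDNS%

rem Verification: the NSLOOKUP checks from the lab, run against this server.
set FAILED=0
call :check %HOSTFQDN%
call :check %HOSTIP%
call :check %PARTNER%.%ZONE%
call :check server05.%FWDDOMAIN%
rem Print the resulting zone settings for review.
dnscmd /ZoneInfo %ZONE%
exit /b %FAILED%

:check
rem A successful answer contains a "Name:" line; a failed one does not.
nslookup %1 %HOSTIP% 2>nul | find /i "Name:" >nul
if errorlevel 1 (
  echo FAIL %1
  set FAILED=1
) else (
  echo OK   %1
)
goto :eof
```

The script exits with 1 if any forward, reverse or forwarded lookup fails, so it can be rerun after each change to the zones.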


Lab 02 Installing Active Directory

NOTE: This lab depends on Lab 01.

Objectives
After completing this lab, you will be able to install Active Directory by using the Manage Your Server Wizard.
NOTE: Manage Your Server is used so that you can familiarise yourself with the new wizards and the tasks that can be performed. However, you can still promote a server to become a domain controller using the DCPROMO command.

Prerequisites
- Understand the logical components of Active Directory
- Understand the purpose and function of Domain Controllers

Lab Setup
- A computer running Windows Server 2003 Enterprise Server that is configured as a standalone server.
- Drive C formatted with NTFS.
- Static IP address and subnet mask.
- A domain name is required. Refer to the Computer Names and IP Addresses table (page 5) for this information.
- A forward lookup zone is required that matches your domain name. The forward lookup zone should have been created in Exercise 1 of Lab 01.


Exercise 1 Installing Active Directory


Goal
In this exercise, you will create a Windows 2003 domain by installing Active Directory. This will only be done on one computer in each domain. The rest of the servers will be promoted during a different lab exercise.

Tasks
1. Start the Active Directory Installation Wizard to create:
- A new domain controller for a new domain.
- A new domain tree.
- A new forest of domain trees.

Detailed Steps
The following steps need to be performed on only these servers:

Server Name  Forest Name
Server1      DomainA.Com Forest
Server5      DomainC.Com Forest
Server9      DomainE.Com Forest
Server13     DomainG.Com Forest

NOTE: These servers are the primary servers for each domain, which will contain all the FSMO roles and the global catalog service.

a. Log on as Administrator with a password of password.
b. On the Manage Your Server page, click Add or remove a role.
c. On the Preliminary Steps page, click Next.
d. On the Server Role page, select Domain Controller (Active Directory), click Next.
e. On the Summary of Selections page, click Next.
f. On the Welcome to the Active Directory Installation Wizard page, click Next.
g. On the Operating System Compatibility page, review the information then click Next.
h. On the Domain Controller Type page, select Domain Controller for a new domain, click Next.
i. On the Create New Domain page, select Domain in a new forest, click Next.
j. On the New Domain Name page, enter your domain name and then click Next.
k. On the NetBIOS Domain Name page, select the default Domain NetBIOS name, click Next.
l. On the Database and Log Folders page, select the default settings and click Next.
m. On the Shared System Volume page, select the default settings and click Next.
n. Review the DNS Registration Diagnostics and click Next.
o. On the Permissions page, leave the default and click Next.
p. On the Directory Services Restore Mode Administrator Password page, enter the Restore Mode Password: password and Confirm password: password.
q. Review the summary and click Next.
r. Once completed, restart the server.
s. Log on as Administrator and click Finish.

2. Start the Active Directory Installation Wizard to create:
- A new domain controller for a new domain.
- A new domain tree in an existing forest.

The following steps need to be performed on only these servers:

Server Name  Forest Name
Server3      DomainA.Com Forest
Server7      DomainC.Com Forest
Server11     DomainE.Com Forest
Server15     DomainG.Com Forest

NOTE: These servers are the domain controllers for the second domains within each forest. They will not contain the Global Catalog service at this point.

a. Log on as Administrator with a password of password.
b. On the Manage Your Server page, click Add or remove a role.
c. On the Preliminary Steps page, click Next.
d. On the Server Role page, select Domain Controller (Active Directory), click Next.
e. On the Summary of Selections page, click Next.
f. On the Welcome to the Active Directory Installation Wizard page, click Next.
g. On the Operating System Compatibility page, review the information then click Next.
h. On the Domain Controller Type page, select Domain controller for a new domain, click Next.
i. On the Create New Domain page, select Domain tree in an existing forest, click Next.
j. On the Network Credentials page, enter the administrator name and password. Enter the first domain name under Domain. For example:

   Username = Administrator
   Password = password
   Domain = DomainA

k. On the New Domain Tree page, enter the DNS name for the new domain, click Next.
l. On the NetBIOS Domain Name page, select the default Domain NetBIOS name, click Next.
m. On the Database and Log Folders page, select the default settings and click Next.
n. On the Shared System Volume page, select the default settings and click Next.
o. Review the DNS Registration Diagnostics and click Next.
p. On the Permissions page, click Next.
q. On the Directory Services Restore Mode Administrator Password page, enter the Restore Mode Password: password and Confirm password: password.
r. Review the summary and click Next.
s. Once completed, restart the server.


3. Allow everyone the right to log on locally to the domain controllers and update the policy.

This only needs to be done from one Domain Controller.

a. Log on as Administrator with a password of password.
b. On the Manage Your Server page, select Manage users and computers in Active Directory.
c. In the left pane, right-click Domain Controllers and select Properties.
d. Select Group Policy under Domain Controller Properties.
e. Select the Default Domain Controller Policy and click Edit.
f. In the Group Policy Object Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
g. Double-click Allow log on locally.
h. In the Allow log on locally window, click Add User or Group and add the Everyone group.
i. Click OK and close the Group Policy Object Editor window and the Domain Controller Properties window.
j. Close Manage Users and Computers in Active Directory.
k. From the Run command, type the following command: gpupdate


Lab 03 Installing additional domain controllers in each domain

NOTE: This lab depends on Lab 02.

Objectives
After completing this lab, you will be able to promote a member server to become a second Domain Controller by using backup media.

Prerequisites
- Understanding of how to use replica from media
- Understanding of how to promote a server using the replica media
- Knowledge of performing backups
- Active Directory should have been configured in Exercise 1 of Lab 02

Lab Setup
- A computer running Windows Server 2003 Enterprise Server that is configured as a standalone server
- Drive C formatted with NTFS
- Static IP address and subnet mask
- Connectivity to your partner's computer
- Sufficient disk space to keep a backup
- Access to the Support Tools


Exercise 1 - Backup Current Domain Controllers


Goal
During this exercise your partner will back up his/her domain controller. Once the backup process has completed you will then copy the AD Backup.bkf file to your computer.

Tasks
1. Back up the current system state of the domain controller.

Detailed Steps
This part of the lab only needs to be performed on the student's computer that contains Active Directory.

a. Open Windows Explorer.
b. On the C:\ drive create a folder called backup.
c. Once created, share this folder as backup.
d. Open Backup: Start > All Programs > Accessories > System Tools > Backup.
e. On the Welcome to the Backup or Restore Wizard page, deselect Always start in wizard mode, click Next.
f. On the Backup or Restore page, select Back up files and settings, click Next.
g. On the What to Back Up page, select Let me choose what to back up, click Next.
h. On the Items to Back Up page, expand My Computer in the left pane and select System State, click Next.
i. On the Backup Type, Destination and Name page, type or select the following:
   - Select the backup type: File
   - Choose a place to save your backup: Browse to C:\Backup
   - Type a name for this backup: AD Backup
j. Click Next and then click Finish.
k. The backup process will start.


2. The following tasks need to be performed:
- Copy the backup file to your computer.
- Create the Restore folder.
- Create the Temp folder.

These steps only need to be performed on the computers of students whose servers are member servers.

a. Open Windows Explorer.
b. On the C:\ drive, create a folder called Temp.
c. On the C:\ drive, create a folder called Restore.
d. Connect to your partner's computer and copy the AD Backup.bkf file to the Restore directory on your computer.


Exercise 2 Promoting Member Servers to Domain Controllers using the Replicate from Media method
Goal
In this exercise the servers without Active Directory will be promoted by means of using the replicate from media method to become an Active Directory Domain Controller.

Tasks
1. Restore System State data to the temp directory.

Detailed Steps
These steps only need to be performed from the member server computers.

a. Open Backup: Start > All Programs > Accessories > System Tools > Backup.
b. On the Welcome to the Backup or Restore Wizard page, deselect Always start in wizard mode, click Next.
c. On the Backup or Restore page, select Restore files and settings, click Next.
d. On the What to Restore page, click Browse and browse to the path c:\restore\Ad Backup.Bkf. Click OK.
e. In the Items to restore pane expand File, expand AD Backup.Bkf, then select the System State tick box. Click Next.
f. On the Completing the Restore Wizard page, click Advanced.
g. On the Where to Restore page, select Restore files to: Alternative location.
h. In the Alternative Location: box, type or browse to c:\temp, click Next.
i. On the How to Restore page, select Leave existing files (Recommended), click Next.
j. On the Advanced Restore Options page, accept the defaults and click Next.
k. On the Completing the Restore Wizard page, click Finish.

2. Promote the server to a Domain Controller using the restored data.

a. From the Run command type DCPROMO /ADV
b. On the Welcome to the Active Directory Installation Wizard page, click Next.
c. On the Operating System Compatibility page, click Next.
d. On the Domain Controller Type page, select Additional Domain Controller for an existing domain, click Next.
e. On the Copying Domain Information page, select From these restored backup files and then browse to C:\temp, click OK, then Next.
f. On the Global Catalog page, select No, click Next.
   NOTE: This Domain Controller must NOT become a Global Catalog server at this point in time.
g. On the Network Credentials page, enter the administrator's username and password and confirm the domain name is correct, click Next.
h. On the Database and Log Folders page, accept the default locations by clicking Next.
i. On the Shared System Volume page, accept the default locations by clicking Next.
j. On the Directory Services Restore Mode Administrator Password page, in the Password and Confirm password boxes, type password and then click Next.
k. On the Summary page, review the options you selected, and then click Next.
l. When the Completing the Active Directory Installation Wizard page appears, click Finish and then restart your computer.


Exercise 3 Install Support Tools


Goal
This exercise needs to be performed on all the servers. The Windows 2003 Advanced Server support tools and utilities need to be installed for later exercises.

Tasks
1. Install Windows 2003 Server Support Tools.

Detailed Steps
a. Open Windows Explorer.
b. Select the CD-ROM drive and then double-click the Support folder.
c. Double-click the Tools folder.
d. Double-click suptool.msi.
e. On the Welcome to the Windows Support Tools Setup Wizard page, click Next.
f. On the End User License Agreement page, select I Agree then click Next.
g. On the User Information page, select the default values and click Next.
h. On the Destination Directory page, accept the default locations and click Install Now.
i. On the Completing the Windows Support Tools Setup Wizard page, click Finish.


Lab 04 Elevate Domain functional level to Windows 2000 Native Mode


NOTE: Do not rush through this lab exercise. If you do, you will not be able to go back and correct your mistake! This lab depends on Lab 02.

Objectives
After completing this lab, you will be able to determine which mode the domain is in and raise the domain functionality.

Prerequisites
- Knowledge about the different Active Directory versioning
- Knowledge about the different Active Directory functionality levels

Lab Setup
To complete this lab, you require a computer running Windows Server 2003 that is configured as a Domain Controller.


Exercise 1
Goal
This exercise consists of the following steps:
1. Use ADSI Edit to determine the current domain mode.
2. Raise the domain functional level to enable additional functionality. This will be required for later exercises.
3. Use ADSI Edit to verify the change in the functional level.

Tasks
1. Use ADSI Edit to verify that nTMixedDomain = 1

Detailed Steps
This part of the exercise needs to be performed by all the students.

a. From the Run command type MMC then click OK.
b. On the Console, click File > Add/Remove Snap-in.
c. Under Add/Remove Snap-in click Add.
d. Under Add Standalone Snap-in, select ADSI Edit and click Add, then close once added.
e. On the Add/Remove Snap-in page, click OK.
f. On ADSI Edit right-click and select Connect to.
g. The Connection Settings window appears; accept the default settings and click OK.
h. Expand Domain.
i. Right-click DC=DomainX,DC=com (where X is your domain number) and select Properties.
j. Scroll down the attributes until you find nTMixedDomain. Check to see if the value is set to 1.
k. Click OK to close the Properties page.
l. Save the console as ADSI Edit under Administrative Tools.


2. Raise the Domain Functionality to Windows 2000 Native

Only one student per domain needs to perform the following task.

a. Open Active Directory Users and Computers.
b. Right-click DomainX.com (where X is your domain letter) and select Raise Domain Functional Level.
c. On the Raise Domain Functional Level page, ensure that Windows 2000 Native is selected and then click Raise.
d. A message appears stating: This change affects the entire domain. After you raise the domain functional level it cannot be reversed. Click OK.
e. A second message appears stating that the functional level was raised successfully; click OK.

3. Use ADSI Edit to verify that nTMixedDomain = 0

All students need to perform the following section.

a. Open the ADSI Edit console that you saved.
b. Right-click DC=DomainX,DC=com (where X is your domain number) and select Properties.
c. Scroll down the attributes until you find nTMixedDomain. Check to see if the value is set to 0.
d. Click OK to close the Properties page and exit the console.
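The ADSI Edit check above reads nTMixedDomain from one domain controller only. The batch file below is an added example, not part of the workshop manual: it reads the same attribute from every domain controller in the domain with dsquery (included with Windows Server 2003), so you can confirm that the raised functional level has replicated everywhere. The domain name domaina.com is an assumption taken from the classroom table.

```batch
@echo off
rem Added example, not part of the workshop manual.
rem Reads nTMixedDomain from the domain root object on every domain
rem controller in the domain and reports any that differ from the expected
rem value (1 = mixed mode, 0 = Windows 2000 native, as checked in this lab).
setlocal

rem Assumption: replace with your own domain from the classroom table.
set DOMAIN=domaina.com
rem Expected value after task 2 of this exercise.
set EXPECTED=0
set MISMATCH=0

rem dsquery server lists the domain controllers; -o rdn prints quoted short
rem names, and the ~ modifier removes the quotes.
for /f "delims=" %%D in ('dsquery server -domain %DOMAIN% -o rdn') do call :check %%~D

if %MISMATCH%==0 echo All domain controllers report nTMixedDomain=%EXPECTED%
if %MISMATCH%==1 echo At least one domain controller has not received the change yet.
exit /b %MISMATCH%

:check
rem dsquery prints a header line with the attribute name and then the value,
rem so skip the first line and keep the first token of the second.
set VALUE=
for /f "skip=1 tokens=1" %%V in ('dsquery * domainroot -s %1 -scope base -attr nTMixedDomain 2^>nul') do set VALUE=%%V
if "%VALUE%"=="%EXPECTED%" (
  echo OK    %1 nTMixedDomain=%VALUE%
) else (
  echo CHECK %1 nTMixedDomain=%VALUE%
  set MISMATCH=1
)
goto :eof
```

A domain controller that cannot be reached shows an empty value and is reported under CHECK.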


Lab 05 Testing the effects of replicating changes to multi-valued attributes

NOTE: This lab is dependent on Lab 02.

Objectives
After completing this lab, you will be able to test the effects of replicating changes to multi-valued attributes.

Prerequisites
Be familiar with Active Directory Users and Computers
Understand how replication works between domain controllers
Active Directory should have been configured as in Exercise 1, Lab 02

Lab Setup
To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers. Only one computer in each of the forests should be configured as a Global Catalog server.


Exercise 1
Goal
In this exercise you will test the effects of replicating changes to multi-valued attributes within an organization. Students will create several user accounts and add two of them to a group. Then the server with the Global Catalog will be unplugged and you will add two more users to the group, one from each of the domain controllers. Once completed, you will plug the network cable back in and see which of these accounts successfully replicated across.

Tasks
1. Create the following in the User container:
Six user accounts: User1, User2, User3, User4, User5, User6
Global Group called Group1

Detailed Steps
This part of the exercise can be performed by all students. Each student needs to create three (3) user accounts and one user will need to create a global group.
Open Active Directory Users and Computers.
a. Expand the domain name.
b. Right-click the User container and select New, then User.
c. On the New Object User page, fill in the following details and then click Next:
First name: User1
User logon name: User1
User logon name (pre-Windows 2000): User1
d. Enter a password called password and confirm the password.
e. Deselect User must change password at next logon, click Next and then click Finish.
f. Repeat steps C-F until all six (6) users are created.
g. Right-click the User container and select New, then Group.
h. In Group Name, enter Group1 and leave the settings as default, then click OK.
i. Double-click the group called Group1 and click the Members tab.
j. Click Add, enter User1; User2, then click Check Names, and click OK twice.
k. Ensure that the users and group have replicated before continuing.

Unplug the network cable from the machine that contains the Global Catalog.


2. Perform the following:
Add User3 to Group1 on the first DC.
Add User4 to Group1 on the second DC.

Perform these steps on the first DC:
a. Double-click the group called Group1 and click the Members tab.
b. Click Add, enter User3, then click Check Names, and click OK twice.

Perform these steps on the second DC:
c. Double-click the group called Group1 and click the Members tab.
NOTE: A message appears stating that a Global Catalog cannot be located to retrieve the icons for the member list. Some icons may be shown. Click OK.
d. Click Add, enter User4, then click Check Names, and click OK twice.

3. Plug the network cable back in and force replication

Perform the following task on any of the DCs:
a. From the Run command, type the following syntax: repadmin.exe /syncall /P

What are the results on the group membership and why?


Lab 06 Elevate forest functionality to Windows Server 2003 and test multi-value replication

NOTE: This lab is dependent on Lab 02 and Lab 04.

Objectives
After completing this lab, you will be able to:
Elevate the forest functionality
Test multi-value replication

Prerequisites
Understand the different forest functionalities
Understand how replication works between domain controllers
Domain functional level should have been configured as in Exercise 1, Lab 04

Lab Setup
To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers. Only one computer in each of the forests should be configured as a Global Catalog server.


Exercise 1
Goal
This exercise is almost the same as in Lab 05. However, you will first elevate the forest functionality to .Net and then test the effects of multi-valued replication. Once this has been done, you will again disconnect the network cable from the Global Catalog server and add an account to the group on both domain controllers. Then plug the cable back in and replicate the information to see what effect the elevation of the forest functionality has.

Tasks
1. Raise the Forest Functionality to Windows.Net

Detailed Steps
Perform the following task on only one of the Domain Controllers. Decide between each other who will perform this task.
a. Open Active Directory Domains and Trusts.
b. Right-click Active Directory Domains and Trusts and select Raise Forest Functional Level.
c. On the Raise Forest Functional Level page, accept the default settings and click Raise.
d. Two messages appear. Read the messages and then click OK for each of them.

2. Use ADSI Edit to verify that msDS-Behavior-Version = 2

This task should be performed by all students.
a. Open the ADSI Edit console that you saved.
b. Right-click DC=DomainX,DC=com (where X is your domain number) and select Properties.
c. Scroll down the attributes until you find msDS-Behavior-Version. Check to see if the value is set to 2.
d. Click OK to close the Properties page and exit the console.

Unplug the network cable from the server that contains the Global Catalog.

3. Perform the following:
Add User5 to Group1 on the first DC.
Add User6 to Group1 on the second DC.

Perform these steps on the first DC:
a. Double-click the group called Group1 and click the Members tab.
b. Click Add, enter User5, then click Check Names, and click OK twice.

Perform these steps on the second DC:
c. Double-click the group called Group1 and click the Members tab.
NOTE: A message appears stating that a Global Catalog cannot be located to retrieve the icons for the member list. Some icons may be shown. Click OK.
d. Click Add, enter User6, then click Check Names, and click OK twice.

4. Plug the network cable back in and force replication

Perform the following task on any of the DCs:
a. From the Run command, type the following syntax: repadmin.exe /syncall /P

Review the group membership. Is there a difference? Why?
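The difference between the outcomes of Lab 05 and Lab 06 can be reproduced offline with a small model of how the member attribute replicates at each forest functional level. The Python code below is an added example, not part of the workshop material; the class names, the integer clock and the DC identifiers are constructed, and the assumption that the second DC's change is the later one is labelled in the code.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    """Replication metadata compared during conflict resolution:
    highest version wins, then latest originating time, then originating DC."""
    version: int = 0
    time: int = 0    # constructed integer clock, not a real timestamp
    dsa: str = ""    # constructed originating-DC identifier (final tie-breaker)


class GroupReplica:
    """One domain controller's copy of Group1's member attribute."""

    def __init__(self, dsa, linked_value_replication):
        self.dsa = dsa
        self.lvr = linked_value_replication
        # Windows 2000 forest level: one stamp covers the whole member list.
        self.attr_values = frozenset()
        self.attr_stamp = Stamp()
        # Windows Server 2003 forest level: each member link has its own stamp.
        self.links = {}

    def add_member(self, user, now):
        if self.lvr:
            prev = self.links.get(user, Stamp())
            self.links[user] = Stamp(prev.version + 1, now, self.dsa)
        else:
            self.attr_values = self.attr_values | {user}
            self.attr_stamp = Stamp(self.attr_stamp.version + 1, now, self.dsa)

    def pull_from(self, partner):
        """Inbound replication: keep whichever side holds the winning stamp."""
        if self.lvr:
            for user, stamp in partner.links.items():
                if stamp > self.links.get(user, Stamp()):
                    self.links[user] = stamp
        elif partner.attr_stamp > self.attr_stamp:
            # The partner's entire list replaces ours, discarding our local add.
            self.attr_values = partner.attr_values
            self.attr_stamp = partner.attr_stamp

    def members(self):
        return set(self.links) if self.lvr else set(self.attr_values)


def run_lab(lvr, first_dc_adds, second_dc_adds):
    """Replay the lab: two members replicate, the DCs are isolated, each DC
    adds one member, then the cable is reconnected and both DCs sync."""
    dc1, dc2 = GroupReplica("dc1", lvr), GroupReplica("dc2", lvr)
    dc1.add_member("User1", now=1)
    dc1.add_member("User2", now=2)
    dc2.pull_from(dc1)                      # group replicated before the unplug
    dc1.add_member(first_dc_adds, now=10)   # change on the first DC
    dc2.add_member(second_dc_adds, now=20)  # assumption: second DC writes later
    dc1.pull_from(dc2)                      # cable back in, repadmin /syncall
    dc2.pull_from(dc1)
    return dc1.members(), dc2.members()


if __name__ == "__main__":
    print("Lab 05 (whole attribute):", run_lab(False, "User3", "User4"))
    print("Lab 06 (linked values):  ", run_lab(True, "User5", "User6"))
```

The model covers member additions only; removals and the mix of pre-existing and newly linked values in one group are left out.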


Lab 07 Create Multiple Sites

NOTE: This lab is dependent on Lab 02.

Objectives
Create a site and subnet
Configure the properties of a site link

Prerequisites
Understanding of TCP/IP subnets
Understanding of Sites and Site Links

Lab Setup
To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers.
The user performing the tasks should have Enterprise Admin rights.


Exercise 1
Goal
NOTE: Students should NOT modify their IP addresses at any stage during this lab!!
In this exercise students will work in teams to create several sites within Active Directory Sites and Services. In addition to this, you will also create subnets and map these subnets to each of the sites that were created. After completing the creation of the sites and subnets, you will move the appropriate servers into the correct sites.

Tasks
1. Create two new sites with the names Site1 and Site2 and link them to the DEFAULTIPSITELINK

Detailed Steps
Perform the following tasks on only one Domain Controller in each forest.
a. Open Active Directory Sites and Services from the Administrative Tools menu, right-click Sites and then click New Site.
b. In the Name box, type Site1, select DEFAULTIPSITELINK and click OK.
c. Review the message and click OK.
d. Repeat steps B & C for Site2.

2. Create a new subnet object with the network ID of 10.1.x.0/24 (where x is 1 for forest root domain and x = 2 for second domains). Associate the subnet object with your site.

a. In Active Directory Sites and Services, right-click Subnets and then click New Subnet.
b. In the New Object Subnet dialog box, in the Address box, type 10.1.x.0 (where x is 1 for forest root domain and x = 2 for second domains).
c. In the Mask box, type 255.255.255.0
d. Under Site Name, click Site1 and then click OK.
e. Repeat steps A-D for Site2.

3. Perform the following tasks on/in the Inter-Site Transport object:
Set the properties of Inter-Site Transport for the IP to Ignore Schedules.
Change the DEFAULTIPSITELINK replication value to 15 minutes.

a. In Active Directory Sites and Services, expand Inter-Site Transports.
b. Right-click IP and then click Properties.
c. On the Properties page, select Ignore Schedule and click OK.
d. In the IP object container, right-click DEFAULTIPSITELINK and click Properties.
e. On the DEFAULTIPSITELINK Properties page, change the Replicate every value to 15 minutes and click OK.

4. Move the server to the appropriate sites.

a. In Active Directory Sites and Services, expand Default-First-Site-Name, then expand Servers.
b. Right-click ServerX (where X is your server name in your domain) and then click Move.
c. In the Move Server page, click the site to which your server needs to be moved and then click OK.
d. Repeat steps B and C for all the domain controllers.

Run the following command on all servers: Repadmin /kcc serverX.domainX.com (where X is your server or domain number/letter).


Lab 08 Test Global Catalog Failure

NOTE: This lab is dependent on Lab 02.

Objectives
After completing this lab, you will be able to see and understand the importance of a Global Catalog server within an organization.

Prerequisites
Knowledge about the role of a Global Catalog server
Sites and Subnets should have been configured in Exercise 1, Lab 07

Lab Setup
To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers.
A single Global Catalog server within each forest


Exercise 1
Goal
All students that do not have a Global Catalog service on their domain controller will perform this exercise. You will log on as a client that does not have any administrative rights on the server to see the effect of a failed Global Catalog service, or of no Global Catalog service being available.

Tasks
1. Check to see if the Everyone group has the right to Log on Locally

Detailed Steps
Check to see if the Everyone group has the right to Log on Locally:
a. Open Active Directory Users and Computers.
b. Expand your domain, right-click Domain Controllers and select Properties.
c. Select Group Policy on the Domain Controllers Properties page.
d. Select the Default Domain Controller Policy and click Edit.
e. In the Group Policy Object Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
f. Double-click Allow log on locally.
g. In the Allow log on locally window, ensure that the Everyone group is added.
h. If not, add the Everyone group.
i. From the Run command, run: gpupdate.exe /force

2. Create a user account in the 2nd domain of the forest and force replication after the creation of the account.

a. Open Active Directory Users and Computers.
b. Expand the domain name.
c. Right-click the User container and select New, then User.
d. On the New Object User page, fill in the following details and then click Next:
First name: Peter1
User logon name: Peter1
User logon name (pre-Windows 2000): Peter1
e. Enter a password called password and confirm the password as password.
f. Deselect User must change password at next logon, click Next and then click Finish.
g. Force replication by running this syntax: repadmin.exe /syncall /P

Log on with the newly created account on all GC servers. Then log off the account.
Unplug the network cable on the 1st DC/GC in the forest root domain. Perform this task on all the servers that contain Global Catalogs. These servers are 1, 5, 9 and 13.

3. On the second domain in the forest, log on as the newly created user in that domain. The Global Catalog must not be available. This can take some time.

What was the result and why?

Plug the network cable back in once the lab has been completed.


Lab 09 Enable and Test Universal Group Caching

NOTE: This lab is dependent on Lab 02 and Lab 07.

Objectives
After completing this lab, you will be able to configure and manage Universal Group Caching.

Prerequisites
Knowledge of Global Catalog servers
Knowledge of Universal Group Caching
Sites and Subnets should have been configured in Exercise 1, Lab 07

Lab Setup
To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers.
A single Global Catalog server within each forest
The user performing the tasks should have Enterprise Admin rights.


Exercise 1
Goal
Only the students without a Global Catalog will be doing this exercise. In this exercise, you will enable universal group caching and test client logons once again to see the effects of universal group caching.

Tasks
1. In the second domain, set the NTDS Site Settings to cache membership from the partner site, which is the first domain. Force replication.

Detailed Steps
This should only be done from the second domain in each of the forests.
NOTE: Before you can do this exercise you require Enterprise Admin rights. Use the Run As command when opening Active Directory Sites and Services. Log on as the Administrator of the root domain in your forest.
a. Open Active Directory Sites and Services, expand Sites and then select the site in which you want to enable Universal Group Membership Caching.
b. In the Details pane on the right, right-click NTDS Site Settings and then click Properties.
c. Select the Enable Universal Group Membership Caching check box.
d. In Refresh Cache from, click Site1 (the site from which Site2 will refresh its cache), then click OK.
e. From the Run command, type the following syntax: repadmin /syncall /P

Log on to the DC in the second domain with an account that does not have any admin rights. This will populate the cache.
Unplug the network cable from the back of the machine that hosts the Global Catalog.
From the second domain in the forest, log on with the user account that does not have administrative rights. Remember, the Global Catalog must not be available.

What is the result and why?


Lab 10 Reset Directory Services Restore Mode password (Optional)

Objectives
After completing this lab, you will be able to reset the Directory Services Restore Mode password.

Prerequisites
Knowledge about the NTDSUTIL utility
Active Directory should be configured as in Exercise 1, Lab 02

Lab Setup
A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller


Exercise 1
Goal
All students will perform this exercise. You must change the Directory Services Restore Mode password.

Tasks
1. Use NTDSUTIL to reset the DSRM password to password

Detailed Steps
a. Open the Command Prompt window.
b. At the command prompt, type NTDSUTIL and press ENTER.
c. At the NTDSUTIL prompt, type set DSRM Password and press ENTER.
d. At the Set DSRM Password prompt, type Reset Password on Server Null (Null is used for the local server) and press ENTER.
e. At the "Please type password for DS Restore Mode Administrator Account:" prompt, type password and press ENTER.
f. At the "Please confirm new password:" prompt, type password and press ENTER.
g. At the Reset DSRM Administrator Password prompt, type quit and press ENTER.
h. At the NTDSUTIL prompt, type quit and press ENTER.
i. Close the command prompt window.


Lab 11 Create an InetOrgPerson Object (Optional)

Objectives
After completing this lab, you will be able to create an InetOrgPerson.

Prerequisites
Knowledge of using Active Directory Users and Computers
Active Directory should be configured as in Exercise 1, Lab 02

Lab Setup
A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller


Exercise 1
Goal
All students can perform this exercise. Here you will create an inetOrgPerson account within the Active Directory.

Tasks 1. Create an inetOrgPerson account with a password of password.

Detailed Steps
a. Open Active Directory Users and Computers.
b. Expand your domain and right-click the Users container, select New and then select InetOrgPerson.
c. In the New Object InetOrgPerson window, type studentX (where X is your student number) in the First name and User Logon name boxes, then click Next.
d. In the password field, type password and confirm the password. Deselect User must change password at next logon, click Next and then Finish.

Log off as Administrator and log on as the newly created account.


Lab 12 Mark a Schema object as defunct (Optional)

NOTE to Instructor (If not already done) - Create a directory called OIDGen on your computer and share that directory as OIDGen. Ensure that the application called OIDGen is available in the directory. The application is available on the Windows 2000 Resource Kit.

Objectives
After completing this lab, you will be able to create a schema object and mark the object as defunct.

Prerequisites
Knowledge of schema objects
Active Directory should be configured as in Exercise 1, Lab 02

Lab Setup
A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller
Schema Administrator rights to be able to create new schema objects
OIDGEN to create unique Object Identifiers


Exercise 1
Goal
This exercise needs to be performed by all students. You will create an attribute within the Active Directory schema. Once you have created this attribute in Active Directory, you will then make this object defunct. You will also create a second attribute with the same settings as the first one to see the effects of an attribute that has already been created.

Tasks
1. Perform the following tasks:
Register the Schema Management snap-in.
Copy and run OIDGen from your computer to generate an Object Identifier.

Detailed Steps
a. Connect to your instructor's computer and copy the OIDGen file to the temp directory on your local computer.
b. From the command prompt, run OIDGen.exe
c. Do not close the command prompt.
d. At the Run command, type the following command: regsvr32 c:\windows\system32\schmmgmt.dll and then press ENTER.

2. Perform the following tasks:
Create a new attribute called studentX (where X is your student number).
Remove Attribute is active from the newly created attribute.
Refresh to ensure the attribute is no longer available.

a. Create a custom MMC console and add the Active Directory Schema.
b. Expand Active Directory Schema, right-click Attributes, and click Create Attribute.
c. On the Warning message, click Continue.
d. On the Create New Attribute page, type StudentX (where X is your student name) into the following boxes: Common Name and LDAP Display Name.
e. In the Unique X500 Object ID box, enter the Attribute Base OID number generated by the OIDGen application.
f. Under Syntax, select Integer and click OK.
g. Browse to the newly created object, right-click Properties and deselect Attribute is Active.
h. Click Yes to accept the Warning message and click OK.
i. Refresh to verify that the attribute is not visible in Schema Management.

3. Perform the following tasks:
Use Show defunct objects in Schema Management or use ADSI Edit to locate the attribute.

a. In the Schema Management console, click View and then Defunct Objects.
b. Browse to the object and see that the Status of the object is.
c. Open the ADSI Edit console, right-click ADSI Edit and select Connect To.
d. On the Connection Settings page, select Schema in the drop-down list under Select a well known Naming Context, and click OK.
e. Browse for the attribute that you created and right-click Properties.
f. Ensure the value of isDefunct is set to TRUE, click OK and close ADSI Edit.

Create a new attribute with the same settings as the defunct attribute. Does this work?

Note: While you can reuse the OID and LDAP name, you cannot reuse the common name.


Lab 13 Create an application partition

Objectives
After completing this lab, you will be able to create application partitions and replicate these partitions to different domain controllers within your domain or forest.

Prerequisites
Knowledge of application partitions
Knowledge of the NTDSUTIL utility
DNS should be configured as in Exercise 1, Lab 01
Active Directory should be configured as in Exercise 1, Lab 02

Lab Setup
Computers running Windows Server 2003 Enterprise Server that are configured as Domain Controllers
A computer running DNS Server
Network connectivity between computers within the same forest


Exercise 1
Goal
All students can perform this exercise. Here you will create an application partition and then replicate this partition to all domain controllers within the Active Directory domain/forest.

Tasks
1. Perform the following tasks:
On each DC, use NTDSUTIL to create an Application Partition called ApptestX (where X is your student number).
Add a replica of the application partition to your partner's Domain Controller.

Detailed Steps
a. Open the command prompt window.
b. At the command prompt, type NTDSUTIL and press ENTER.
c. At the NTDSUTIL prompt, type Domain Management and press ENTER.
d. At the Domain Management prompt, type connections and press ENTER.
e. At the Server connections prompt, type Connect to server [your server name] and press ENTER.
Example: connect to server server1
f. At the Server connections prompt, type quit and press ENTER.
g. At the Domain Management prompt, type list and press ENTER. This will show you all the Directory Partitions for the forest.
h. At the Domain Management prompt, type create nc dc=APPTESTX (where X is your student number),dc=your domain name,dc=com Null and press ENTER.
Example: create nc dc=applicationpartition,dc=domainX,dc=com null
i. At the Domain Management prompt, type list and press ENTER.
j. At the Domain Management prompt, type Add nc replica dc=APPTESTX,dc=your domain name,dc=com server2.yourDomainName.com and press ENTER.
Example: Add nc replica dc=APPTESTX,dc=domainX,dc=com serverx.domainx.com
k. At the Domain Management prompt, type list nc replicas dc=APPTESTX,dc=domainX,dc=com and press ENTER.
l. At the Domain Management prompt, type quit and press ENTER.
m. At the NTDSUTIL prompt, type quit and press ENTER.

2. Perform the following tasks:
Create a new DNS zone and store the information in the application partition.
Force replication.
Verify that all zones are updated on both DC/DNS servers.

a. Open the command prompt.
b. At the command prompt, run repadmin /kcc serverx.domainx.com
c. Also stop and start the DNS service.
d. Run Net stop DNS and then Net start DNS.
e. Open the DNS console and expand your server name.
f. Right-click Forward Lookup Zones and select New Zone.
g. On the Welcome to the New Zone Wizard page, click Next.
h. On the Zone Type page, select Primary Zone, leave the Store the zone in Active Directory (available only if DNS server is a domain controller) check box selected and click Next.
i. On the Active Directory Zone Replication Scope page, select To all domain controllers specified in the scope of the following application directory.
j. Select the application partition that you created (ApptestX, where X is your student number) and click Next.
k. On the Zone Name page, type Nwtraders.com and click Next.
l. On the Dynamic Update page, select Allow only secure dynamic updates (recommended for Active Directory) and click Next.
m. On the Completing the New Zone Wizard page, click Finish.
n. Force replication between the DC/DNS servers using the repadmin /syncall /P command.

3. Use ADSI Edit to view properties of the application partition.

a. Open the ADSI Edit console that you created earlier.
b. Right-click ADSI Edit and select Connect to.
c. On the Connection Settings page, under Select a well known Naming Context, select Configuration and click OK.
d. Expand the Configuration container and click Partitions.
e. On the right side, under Directory Partition Name, find the partition you created and browse its properties.
f. Exit and close ADSI Edit.


Lab 14 Renaming of Domain Controllers

Objectives
After completing this lab, you will be able to rename Domain Controllers.
NOTE: There are several ways to rename Domain Controllers. In this exercise, the command-line version will be used to rename the Domain Controllers. Ask the instructor to demo the renaming of a Domain Controller using the GUI.

Prerequisites
Knowledge of the impact that renaming Domain Controllers can have
Knowledge about the NETDOM utility
Active Directory should be configured as in Exercise 1, Lab 02
Fully Qualified Domain Name (FQDN) of your domain


Exercise 1
NOTE: Fully Qualified Domain Names (FQDN) must be used when performing this exercise. Perform the rename exercise on only one Domain Controller at a time. Wait for the process to complete before continuing. The table below defines the current and the new server name you must use.

Old Computer Name    New Computer Name
Server1              Server101
Server2              Server102
Server3              Server103
Server4              Server104
Server5              Server105
Server6              Server106
Server7              Server107
Server8              Server108
Server9              Server109
Server10             Server110
Server11             Server111
Server12             Server112
Server13             Server113
Server14             Server114
Server15             Server115
Server16             Server116


Tasks
1. Using the Netdom command, rename your server. Use the table above for your new computer name. Also check to see if your computer has been successfully renamed.

Detailed Steps
NOTE: ServerX = original server name, while ServerY = new server name.
a. Open the command prompt.
The command below is used to add the new server name.
b. At the command prompt, type: netdom computername serverx.domainx.com /add:servery.domainx.com and press ENTER. (Serverx is your old server number and servery is your new server number. Domainx is your domain letter.)
The command below is used to make the new name the primary name.
c. At the command prompt, type: netdom computername serverx.domainx.com /makeprimary:servery.domainx.com and press ENTER.
The command below enumerates the old computer name.
d. At the command prompt, type: netdom computername serverx.domainx.com /enumerate and press ENTER.
e. Reboot the server.
f. Log on as the administrator.
g. Open the command prompt.
The command below removes the old server name.
h. At the command prompt, type: netdom computername servery.domainx.com /remove:serverx.domainx.com and press ENTER.
i. Reboot the server.
j. Log on as administrator, open the command prompt, type hostname and press ENTER. This will show you whether your computer has been successfully renamed.


Lab 15 Renaming Domain NetBIOS Name (To be performed on the last day as an optional lab)

Objectives
After completing this lab, you will be able to: Rename the NetBIOS name of the Domain

Prerequisites
Thorough understanding of Domain Renaming
DNS should be configured as in Exercise 1, Lab 01
Active Directory should be configured as in Exercise 1, Lab 02

Lab Setup
To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers.


Exercise 1
Goal
This exercise must only be done at the end of the week. You will be working with your partner during this exercise. The goal of this exercise is to rename the current NetBIOS domain name to a new NetBIOS domain name. rendom.exe. The utility that will be used to rename the NetBIOS domain names is

Tasks 1. Perform the following tasks to prepare the domain for renaming: Configure DNS to support the New domain name called DomainRenameX (where X is your domain letter) DNS must be AD integrated, support dynamic updates and have a Host record for the server. Copy random.exe and GPFixup.exe to c:\domainrename f. c.

Detailed Steps Perform the following on all the odd numbered Domain Controllers. a. Open DNS console and create a Forward Lookup Zone called DomainrenameX.com (where X is your domain letter). Ensure that the zone AD integrated is selected and Replicated to all DNS server in the forest is selected. b. Ensure there is a Host (A) record created. If not perform the following action: Right-click the newly created domain name and select New Host (A) d. In the New Host page, type in your server name in the Name (uses parent domain name if blank): box. e. Under the IP address, enter your machines IP address in then click Add Host. Close DNS Console

Perform the following on all Even number Domain Controllers g. Create a directory called domainrename on the c:\ drive. h. Copy all the files in the VALUEADD\MSFT\MGMT\DOMREN which is located on your Windows 2003 Advanced Server into this directory.

Released: 4/16/2003

Microsoft Windows Server 2003 Expert Workshop Hands-on Lab Exercises

2. The following tasks need to be performed to rename the domain:
rendom /list
Save a copy of domainlist.xml as domainlist-save.xml
Edit the NetBIOS name in the domainlist.xml file and save it.
rendom /showforest and verify the change is correct.
rendom /upload and view the content of dclist.xml
Run repadmin /syncall /P
rendom /prepare and in dclist.xml verify that <State>Prepared</State> is true for all DCs.
rendom /execute and in dclist.xml verify that <State>done</State> is true for all DCs.

The following tasks need to be performed from all the even-numbered domain controllers in each domain. However, it is recommended that your partners follow what you are doing.
a. Open the command prompt, type cd\domainrename and press ENTER.
b. At the domainrename prompt type: rendom /list
c. Save a copy of the domainlist.xml file as domainlist-save.xml in the same directory.
d. Change the domain NetBIOS name by editing the sections between <NetBIOSName></NetBIOSName> in the domainlist.xml file and save the changes.
e. At the domainrename prompt type: rendom /showforest to verify that your changes are correct.
f. At the domainrename prompt type: rendom /upload and view the contents of dclist.xml
g. On all domain controllers within the forest run the following command: repadmin /syncall /P
h. At the domainrename prompt type: rendom /prepare and verify in dclist.xml that <State>Prepared</State> is true for all DCs.
i. At the domainrename prompt type: rendom /execute and verify in dclist.xml that <State>done</State> is true for all DCs.
j. All the machines in the forest will automatically reboot.
k. Log on and run the command below.

Run GPFixup /oldnb:OldDomainNetBIOSName /Newnb:NewDomainNetBIOSName /dc:DCdnsName
Restart all odd-numbered domain controllers in the domain/forest.
After logon, all the even-numbered domain controllers must be restarted.
Run repadmin /syncall /P on all the domain controllers in the forest. If you get an error message, restart the computer and retry the command.
NOTE: The control station might need to be rebooted twice before the command will work.
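The two verification steps above (comparing the edited domainlist.xml with the saved copy, and checking the <State> of every DC in dclist.xml) can be scripted so that no domain controller is overlooked in a larger forest. This is an added example, not part of the lab material: the sample XML is constructed, and every element name other than <NetBIOSName> and <State> (Forest, Domain, Guid, DNSname, DcList, DC, Name) is an assumption about the file layout.

```python
import xml.etree.ElementTree as ET

NETBIOS_MAX = 15  # a NetBIOS domain name can be at most 15 characters long

# Constructed sample files (not taken from a real forest; layout is assumed).
DOMAINLIST_SAVE = """<Forest>
  <Domain>
    <Guid>11111111-1111-1111-1111-111111111111</Guid>
    <DNSname>domaina.com</DNSname>
    <NetBIOSName>DOMAINA</NetBIOSName>
  </Domain>
  <Domain>
    <Guid>22222222-2222-2222-2222-222222222222</Guid>
    <DNSname>child.domaina.com</DNSname>
    <NetBIOSName>CHILD</NetBIOSName>
  </Domain>
</Forest>"""
DOMAINLIST_EDITED = DOMAINLIST_SAVE.replace(">DOMAINA<", ">DOMAINRENAMEA<")
DCLIST = """<DcList>
  <DC><Name>server1.domaina.com</Name><State>Prepared</State></DC>
  <DC><Name>server2.domaina.com</Name><State> Initial</State></DC>
  <DC><Name>server3.child.domaina.com</Name><STATE>prepared</STATE></DC>
</DcList>"""


def _records(xml_text, tag):
    """Return every element named `tag` as a dict of lower-cased child tag ->
    stripped text, so <State>, <STATE> and ' done' all compare equal."""
    root = ET.fromstring(xml_text)
    return [{c.tag.lower(): (c.text or "").strip() for c in elem}
            for elem in root.iter() if elem.tag.lower() == tag]


def domainlist_changes(saved_xml, edited_xml):
    """List (guid, field, old, new) for every field that differs between the
    saved copy and the edited file. Domains are matched by GUID."""
    saved = {d.get("guid"): d for d in _records(saved_xml, "domain")}
    edited = {d.get("guid"): d for d in _records(edited_xml, "domain")}
    changes = []
    for guid in sorted(set(saved) | set(edited), key=str):
        before, after = saved.get(guid, {}), edited.get(guid, {})
        for field in sorted(set(before) | set(after)):
            if before.get(field) != after.get(field):
                changes.append((guid, field, before.get(field), after.get(field)))
    return changes


def review_edit(saved_xml, edited_xml):
    """Problems with the edit of domainlist.xml. An empty list means only
    NetBIOS names changed and every new name has a usable length."""
    changes = domainlist_changes(saved_xml, edited_xml)
    problems = [] if changes else ["domainlist.xml is identical to the saved copy"]
    for guid, field, old, new in changes:
        if field != "netbiosname":
            problems.append(f"{guid}: unexpected change to {field}: {old!r} -> {new!r}")
        elif not new or len(new) > NETBIOS_MAX:
            problems.append(f"{guid}: NetBIOS name {new!r} is empty or longer "
                            f"than {NETBIOS_MAX} characters")
    return problems


def dcs_not_in_state(dclist_xml, expected):
    """Return (name, state) for every DC whose state is not `expected`.
    Run with "Prepared" after rendom /prepare and "done" after rendom /execute."""
    return [(dc.get("name", "?"), dc.get("state", ""))
            for dc in _records(dclist_xml, "dc")
            if dc.get("state", "").lower() != expected.lower()]


if __name__ == "__main__":
    for problem in review_edit(DOMAINLIST_SAVE, DOMAINLIST_EDITED):
        print("domainlist.xml:", problem)
    for name, state in dcs_not_in_state(DCLIST, "Prepared"):
        print(f"dclist.xml: {name} is in state {state!r}, expected 'Prepared'")
```

To use it in the lab, read the three files from c:\domainrename and pass their contents to the same functions in place of the constructed samples.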

Lab 16 Setup and Test Cross Forest Trusts

Instructor Note: review with students trust directions. Make sure they know the difference between trusted and trusting.

Objectives
After completing this lab, you will be able to create cross-forest trust relationships and administer these cross-forest trusts.

Prerequisites
Knowledge of the different types of trust relationships
Multiple Active Directories should be configured as per exercise 1 Lab 02
Multiple forests should have been created within the classroom environment

Exercise 1
Goal
Students will work as a team during this exercise. A Forest Trust relationship needs to be implemented between the following forests:
Forest A and Forest C.
Forest E and Forest G.
Forest C and W2K3.Net forest
Forest G and W2K3.Net forest

Tasks 1. Create a two-way trust relationship between two forests within the classroom.

Detailed Steps
a. Open Active Directory Domains and Trusts, select the domain and click Properties.
b. In Properties of the domain click Trusts and click New Trust.
c. On the Welcome to the New Trust Wizard page, click Next.
d. In the Trust Name page, under Name enter the NetBIOS name of the forest root domain you want to trust, click Next.
e. On the Trust Type page, select Forest Trust and click Next.
f. On the Direction of Trust page, select Two-Way and click Next.
g. On Sides of Trust page, select Both this domain and the specified domain, click Next.
h. On the User Name and Password page, enter Administrator into the User Name box and password into the Password box, click Next.
i. On the Outgoing Trust Authentication Level Local Forest page, select Forest-wide authentication and click Next.
j. On the Outgoing Trust Authentication Level Specified Forest page, select Forest-wide authentication and click Next.
k. On the Trust Selections Complete page, review the settings and click Next.
l. On the Trust Creation Complete page, review settings and click Next.
m. On the Confirm Outgoing Trust page, select Yes, confirm the outgoing trust, click Next.
n. On the Confirm Incoming Trust page, select Yes, confirm incoming trust, click Next.
o. On the Completing the New Trust Wizard page, click Finish.
p. Click OK to close the domainx.com properties page and close Active Directory Domains and Trusts.

Exercise 2 Test cross forest resource access


Tasks
1. Create a folder called forest and share it as forest. Give users from a different forest the Change permission to the shared directory.

Detailed Steps
a. On the servers create a directory called Forest and share the directory as Forest.
b. Click Permissions in Forest Properties.
c. Click Add under Permissions for Forest.
d. On the Select Users, Computers, or Groups page, click Locations.
e. Click DomainX.com (where X is the domain letter of the domain with which you created a forest trust), then click OK.
f. In Enter the object names to select, type Domain Users and click Check Names, click OK.
g. In the Permissions for Domain Users window select Allow Change, click OK.
h. Click OK to close Forest Properties.

2.

a. Log on as a user that was created earlier.
b. From the Run command type: \\serverx\forest (where X is the server number), click OK.
c. Once open, right-click in the blank area, select New and then select Bitmap Image, press ENTER.
d. Close the window. This has allowed you to create a file on the server in a different forest.

Exercise 3 Test cross forest delegations


Tasks
1. Create an OU called DelegateX (where X is your student number) and assign the Domain Admins in the trusted domain access to create and delete users.

Detailed Steps
a. Open Active Directory Users and Computers and click on the Users Container.
b. Create an OU called DelegateX (where X is your student number).
c. Right-click the OU and click Delegate Control.
d. On the Welcome to the Delegation of Control Wizard, click Next.
e. On the Users or Groups page, click Add, click Locations and highlight the second forest, then click OK.
f. In the Enter the object names to select box type Domain Admins and click Check Names, click OK.
g. On the Users or Groups page, ensure that DomainX\Domain Admins is selected, click Next.
h. On the Tasks to Delegate page, select Create, delete, and manage user accounts, click Next.
i. On the Completing the Delegation of Control Wizard page, click Finish.
j. Log off from the computer.

2. Test the delegation by creating a user account in the OU in your partner's forest domain.

Log on as a user with Domain Admin rights before starting this exercise. The user must not be the Administrator account.

a. Open Active Directory Users and Computers, right-click your domain and select Connect to Domain.
b. On the Connect to Domain page, type the name of the domain to which you want to connect and click OK.
c. Expand the domain to which you connected and click the OU called DelegateX (where X is the student number of the user that administers that domain).
d. Right-click the OU and click New User.
e. Type a user name into the following boxes: First name and User logon name, click Next.
f. Type a password in the Password and Confirm password boxes, click Next.
g. Review the details and click Finish.

Lab 17 IIS
Objectives
After completing this lab, you will be able to:
Install and configure IIS
Determine which isolation mode your IIS server is running in
View the different processes currently running
Create application pools
Recycle processes

Prerequisites
Knowledge of IIS

Lab Setup
A computer running Windows Server 2003 Enterprise configured as a Domain Controller.

Exercise 1 Goal
The goal of this exercise is to install and configure IIS for the rest of the exercises.

Tasks

Detailed Steps This Exercise can be performed by all Students

1. View or change the Application Isolation Mode using IIS Manager

a. Click Start, then Manage Your Server.
b. On Manage Your Server, click Add or Remove a Role.
c. On the Configure Server Wizard page click Next.
d. On the Server Role page click Application Server (IIS, ASP.Net) and click Next.
e. On the Application Server Options page leave the defaults and click Next.
f. On the summary page click Next.
g. This starts the installation and configuration of IIS.
h. Once completed click Finish.
i. On the Manage Your Server page click Manage this Application Server.
j. Browse around the interface to familiarize yourself with it.

Exercise 2 Goal
The goal of this exercise is to establish which isolation mode your current IIS server is running in.

Tasks

Detailed Steps This Exercise can be performed by all Students

1. View or change the Application Isolation Mode using IIS Manager

a. Open the IIS snap-in (click Start, click Programs, click Administrative Tools, and then click Internet Information Services).
b. Right-click on the Web Sites folder and choose Properties.
c. Click on the Service tab.
d. View the status of the checkbox labeled Isolation Mode.
e. If the box is unchecked, you are running in worker process isolation mode.
f. If the box is checked, you are running in IIS5 Isolation Mode.
g. Verify that the check box is unchecked; uncheck it if necessary. (You will be required to run in worker process isolation mode for the remainder of these exercises.)
h. Click Apply.
i. You will now be prompted to restart the Web services; click Yes to restart IIS. After IIS restarts, click OK to close the Web Sites properties sheet. Verify the Application Pools folder is present.

Exercise 3
Goal
In this exercise, you will use a VBScript to view process information.

Tasks

Detailed Steps This Exercise can be performed by all Students

1. Execute the listw3wp.vbs to view process information

a. From the command prompt, change directory to the path containing the script file listw3wp.vbs. It should be C:\IIS
b. Execute the command: listw3wp.vbs
c. If there are no worker processes running, you should see a message indicating there are no running w3wp.exe instances.
d. To view worker processes using the script, navigate to any local URL using Internet Explorer, such as http://localhost (disregard the page that is returned).
e. Re-run listw3wp.vbs and you should see the Process ID (PID) and the Application Pool name of the running worker process.
Note: You must be running your server in worker process isolation mode for this exercise to work, and for listw3wp to return information. If your configuration is running in IIS5 isolation mode, or you are unsure of the mode, revisit the first exercise on isolation modes.

Exercise 4
Goal
In this exercise you will create a new application pool, and assign a virtual directory to that application pool.

Tasks

Detailed Steps This Exercise can be performed by all Students

1. Create a virtual directory

a. Open a command window.
b. To use iisvdir, type the following command at the command line: iisvdir /?
c. This will display the command line parameters for using the tool.
d. Create a virtual directory named myvdir. Execute the command: iisvdir /create "Default Web Site" myvdir C:\tempvdir
e. Verify that the command completed successfully by viewing the message displayed in the command window.
f. Create a default HTML page in the virtual directory. Click the Start button, select Run and enter: notepad c:\tempvdir\default.asp. When prompted to create the file, select Yes. In your HTML page, type the following line: <H1>Application Pool Test Page</H1>
g. Save the file in the c:\tempvdir folder. Make sure you have correctly named it default.asp
h. Navigate to the URL http://localhost/myvdir/ using Internet Explorer to verify the virtual directory is working properly.
i. If the Internet Explorer Enhanced Security Configuration is enabled dialog box appears, select the tick box and click OK. (Do not change any settings; the lab will work with the current configuration.)
j. Note: if Active Server Pages have not been enabled on your server, you will receive a 404 error message. To enable Active Server Pages, do the following:
   a. Open IIS Manager if not already opened.
   b. Expand your server.
   c. Click on Web Service Extensions.
   d. On the right pane click Active Server Pages and click Allow.
   e. This will enable Active Server Pages.
k. Retry http://localhost/myvdir

2. Create a new Application pool

a. Open the IIS snap-in (Click Start, click Programs, click Administrative Tools, and then click Internet Information Services) b. Expand the Application Pools node. c. Right-click on Application Pools, and choose New, then choose Application Pool. The Add New Application Pool dialog box appears. Enter MyAppPool for the Application Pool ID. d. Click OK. The application pool has now been created. You now need to add the virtual directory you created in the previous step to this application pool.

3. Assign the myvdir virtual directory to the application pool

a. Expand the Web Sites node, Expand the Default Web Site. b. Right-click the virtual directory named myvdir, and choose Properties. c. Click the Virtual Directory tab.

d. At the bottom you will see a drop-down box for Application Pool. Click on the drop-down box and choose MyAppPool.
e. Click Apply, and then OK to save your changes.

4. Verify that your application is running in its own application pool

a. Browse to http://localhost/myvdir
b. At the command line, execute the script listw3wp.vbs; you will see an instance of the worker process running your application pool.
c. Optional step: navigate to other web sites on the local machine that are not in the same application pool, such as http://localhost (which is in the Default Application Pool by default). You will see separate instances of worker processes when you run the listw3wp.vbs script.
d. Optional step: modify your c:\tempvdir\default.asp page to include the following line: My app pool ID is [<%=Request.ServerVariables("APP_POOL_ID")%>]
e. Refresh http://localhost/myvdir. You should see your newly created MyAppPool in the text.

Exercise 5 Goal
In this exercise, you will configure the application pool you created in the previous exercise to recycle after a certain number of requests have been processed.

Tasks

Detailed Steps This Exercise can be performed by all Students

1. Configure the application pool to recycle after 5 requests

a. Open IIS Manager if not already open.
b. Expand the Application Pools node, right-click the MyAppPool node, and choose Properties.
c. On the MyAppPool Properties dialog box, click the Recycling tab.
d. Check the Recycle worker process after check box. Change Number of Requests from the default of 35000 to 5.
e. Click Apply, and then click OK.

2. Test the recycling settings

a. Browse to http://localhost/myvdir in Internet Explorer.
b. From the command line, run listw3wp.vbs to gather the Process ID (PID) information, and remember this process ID number for MyAppPool.
c. From Internet Explorer, click on the refresh button twice.
d. Re-run the command line script and verify the PID is still the same.
e. From Internet Explorer, refresh the page three times.
f. Run the command line script again and verify the PID has changed. If the PID is different, a new process is running in place of the original one, so recycling of the worker process after five requests has completed successfully.

Lab 18 Terminal Services (Optional)

Objectives
After completing this lab, you will be able to:
Configure Remote Desktop on a computer running Windows Server 2003
Connect to a computer running Remote Desktop
Install Terminal Services

Prerequisites
Before working with this lab, you must have knowledge of Terminal Services concepts and operations. Knowledge of Remote Desktop concepts and operations is also required.

Lab Setup
A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller.

Exercise 1
Goal
This exercise will be performed by all students. Here you will connect to your partner's computer by means of the Remote Desktop Connection. Note that Terminal Server Remote Administration is installed by default. After you have connected to your partner's computer you need to install Terminal Services in Application mode.

Tasks
1. Perform the following tasks:
Enable Remote Desktop
Connect to server using Remote Desktop Connection.

Detailed Steps
This exercise can be done from both computers at the same time.

a. Open System under Control Panel and select Remote.
b. Click to select Allow users to connect to this computer.
c. A message appears; read the message and click OK to the message and then OK to close System Properties.
d. Connect as Administrator to your partner's machine using the Remote Desktop Connection.
e. Browse your partner's computer and then log off.

Connect to Remote Desktop

Perform this exercise from the first partner and then repeat the lab for the second partner.

a. Ask your partner to open Notepad on his/her machine and leave it open.
b. On your machine open Administrative Tools and open Remote Desktops.
c. Right-click Remote Desktops and select Add new connection.
d. In the Add new connection page, type in the Server Name or IP address and give it a Connection Name.
e. Under the Logon information enter the administrator and domain details, and click OK.
f. Under Remote Desktops click the Connection Name you created.
g. In Notepad add some text, but do not close the application.
h. Disconnect from the server.
i. Once disconnected, ask your partner to log on.
j. Your partner should see the text in Notepad that you entered.

Install Terminal Services in Application Mode.

a. Open Add and Remove Programs, and select Add/Remove Windows Components.
b. On the Windows Components page, select Terminal Server and click Next.
c. On the Terminal Server Setup page, review the message and click Next.
d. On the Terminal Server Setup page, select Full Security and click Next.
e. On the Completing the Windows Components Wizard page, click Finish.
f. Restart the computer.
g. Log on as Administrator and close the Terminal Server help menu.

Lab 19 Remote Assistant (Optional)

Objectives
After completing this lab, you will be able to:
Send a Remote Assistance invitation
Respond to a Remote Assistance invitation

Prerequisites
A computer running Windows Server 2003

Scenario
You are responsible for providing technical support to users within your company. They are having trouble opening or doing some of their day-to-day tasks. It is your responsibility to assist them with their problems by using Remote Assistance.

Exercise 1
Goal
Students will be working in pairs during this exercise. The goal of this lab is to get familiar with the Remote Assistance features within Windows 2003 Advanced Server.

Tasks
1. Perform the following tasks: Enable Remote Assistance.

Detailed Steps
a. Open System under Control Panel and select Remote.
b. Click to select Turn on Remote Assistance and allow invitations to be sent from this computer.
c. A message appears; read the message and click OK to the message and then OK to close System Properties.

2. Create an Invite and save the invite to c:\temp

a. Click Start, All Programs, and then click Remote Assistance.
b. In Help and Support Center under Remote Assistance, click Invite someone to help you.
c. On the Remote Assistance Pick how you want to contact your assistant page, scroll down to the bottom of the page, and then click Save invitation as a file (Advanced).
d. On the Remote Assistance Save Invitation page, verify that administrator appears and the expiration time is set to 2 hours, and then click Continue.
e. On the Remote Assistance Save Invitation page, verify that Require the recipient to use a password is selected; in the Type Password and Confirm Password boxes, type password and then click Save Invitation.
f. In the Save file dialog box, in the Save in drop-down list, click the down arrow, select c:\temp, in the filename box type your name and then click Save.
g. On the Your invitation has been saved successfully to: page, click View the status of all my invitations.
h. Close Help and Support Center.

Exercise 2 Responding to an Invitation


Tasks Detailed Steps

Important: The person responding to the invitation will be the helper, and the person who sent the invitation will be the end user. Each task will be for either the helper or the end user. You and your partner will decide who will be the helper and who will be the end user.

1. Copy the Remote Assistance file to your local computer. Log on as administrator and type in the password under the Remote Assistance invitation box.
From both machines copy the Remote Assistance file to your local machine.
a. Log on to the domain as Administrator, with a password of password.
b. Double-click your partner's Remote Assistance file.
c. In the Remote Assistance Invitation dialog box, type password in the Password box, and then click Yes.

Important: Task two is for the end user.
2. Start an application on your computer and then accept the invitation.
a. Click Start, click All Programs, click Accessories, and then click WordPad.
b. Restore the Remote Assistance dialog box if it is not in the foreground, and then click Yes on the message Do you want to let this person view your screen and chat with you?
c.

Important: Task three is for the helper.
3. Respond to your partner's chat session.
a. Respond to your partner's chat session by typing in the box at the lower left, and then clicking Send.
b. Attempt to click on any item on your partner's computer. At this point you can only view the desktop.
c. On the Chat History title bar, click the chevron next to Hide Chat.
d. On the Remote Assistance menu, click Take Control.
e. In the Remote Assistance Web Page dialog box, click Yes.

Important: Task four is for the end user.
4. When prompted, let your partner take control of your computer.
a. When prompted Do you want to let Administrator take control of your computer, click Yes.
b. In the chat box, explain to your partner, the helper, that you need to know how to bold text in a WordPad document. Type some text in the chat session box, and then click Send.
c. Restore WordPad and type some text into the document.

Important: Task five is for the helper. The helper has control of the end user's computer. Both people can perform tasks on the computer.
5. Perform tasks on your partner's computer
a. On the Remote Assistance Web Page Dialog message box, click OK.
b. With the WordPad document in the foreground and text entered, highlight the text and then click the Bold button.
c. Click Disconnect and then close the Help and Support Center window.
d. Close all open windows, and then log off.

Important: Task six is for the end user.
6. Close all open windows and then log off
Close all open windows, and then log off.

Lab 20 Create Software Restriction Policy (Optional)

Objectives
After completing this lab, you will be able to create a software restriction policy for your users.

Prerequisites
Understand how Group Policy Objects work.
Understand how Software Restriction Policy affects users.

Lab Setup
A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller

Exercise 1
Goal
Decide between team members in each domain who will perform this exercise. In this exercise you will create a policy that will not allow anyone in your domain to run the calculator application on their computers.

Tasks
1. The following tasks need to be performed:
Edit the Default Domain Controller Policy
Leave Default Security Policy as Unrestricted
Create a Software Restriction Policy that prohibits c:\windows\system32\calc.exe
Reboot the computer and test the policy with a user account that does not have admin rights

Detailed Steps
a. Open Active Directory Users and Computers, right-click Domain Controllers and select Properties.
b. On the Domain Controllers Properties page, click Group Policy.
c. Highlight Default Domain Controller Policy and click Edit.
d. Under Computer Configuration, expand Windows Settings, Security Settings, right-click Software Restriction Policies and select New Software Restriction Policies.
e. Right-click Additional Rules, select New Path Rule.
f. On the New Path Rule page, type the following in the Path box: c:\windows\system32\calc.exe
g. In the Security Level on the New Path Rule page select Disallow and click OK.
h. Close all windows and restart the computer.
i. Log on as a user with no admin rights.
j. From the Run command type c:\windows\system32\calc.exe and click OK.
k. A message will appear; read the message and click OK.
l. Log off as the user and log on as Administrator.

Lab 21 Result Set of Policy (RSoP) Tools (Optional)

Objectives
After completing this lab, you will be able to use different tools to determine the Result Set of Policies.

Prerequisites
Knowledge of RSoP, GPResult V2.0 and the use of Help Centre
Active Directory should be configured as per exercise 1 Lab 02

Exercise 1
Goal
All students must do this exercise. Here you will be looking at the different ways group policy information can be retrieved and viewed.

Tasks
1. Use the following tools to retrieve RSOP information:
RSOP Snap-in
GPResult v2
Help Centre HTML Report

Detailed Steps
RSOP Snap-in
a. Open a new Microsoft Management Console and add the Resultant Set of Policy.
b. Right-click Resultant Set of Policy and click Generate RSoP Data.
c. On the Welcome to the Resultant Set of Policy Wizard page, click Next.
d. On the Mode Selection page, select Logging Mode, click OK.
e. On the Computer Selection page, select This Computer and click Next.
f. On the User Selection page, select Current user, click Next.
g. On the Summary of Selection page, click Next.
h. On the Completing the Resultant Set of Policy Wizard page, click Finish.
i. Exit without saving the console.

GPResult v2
a. Open the command prompt.
b. At the command prompt type: gpresult
c. Once complete, browse through the settings to see what information is given to you about the machine and user.

Help Centre HTML Report
a. Click Start, and then click Help and Support.
b. Under Support Tasks, click Tools.
c. Under Tools, click Help and Support Center Tools.
d. Under Help and Support Center Tools, click Advanced System Information.
e. Under Advanced System Information, click View Group Policy Settings applied.
f. Scroll to the results that you want to view.

Lab 22 Restore Default GPOs (Optional)

Objectives
After completing this lab, you will be able to restore the default Group Policy Objects to their original settings/values.

Lab Setup
A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller.

Exercise 1
Goal
Decide between each other how you will perform this exercise within each domain. In this exercise you will restore the Group Policies to their default settings.

Tasks 1. Run DCGpoFix.exe and note all prompts and warning messages. 2. Reconfigure the policy to allow users to logon locally.

Detailed Steps
a. Open the command prompt.
b. At the command prompt type DCGpoFix and press ENTER.
c. Read the warning message and then press Y and then ENTER.
d. Read the second warning message and then press Y and then ENTER.
e. Read the last message and then exit the command prompt.
f. Reconfigure the policy to allow users to log on locally.

Lab 23 - Using Volume Shadow Copy Service to Recover Files

Objectives
After completing this lab, you will be able to use Volume Shadow copy services to recover changed data files or deleted data files.

Lab Setup
A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller.

Exercise 1 Goal
Volume Shadow Copy allows administrators to ease the administrative burden of restoring files that users have inadvertently modified or deleted. Once volume shadow copy has been enabled and configured on a volume, users may revert to previous copies of a file or restore deleted files without having to contact administrators in order to obtain previous versions of the file(s).

Tasks
1. Create a folder named c:\shadowcopy. Share it with Authenticated Users having Change and Read permissions.

Detailed steps
a. Log on as Administrator with a password of password.
b. Open Windows Explorer.
c. On the C:\ drive, create a folder called shadowcopy.
d. Right-click the shadowcopy folder and select Properties.
e. On the shadowcopy Properties dialog box, click on the Sharing tab, select Share this folder, use the default share name and click Permissions.
f. On the Permissions for shadowcopy dialog box, click Add.
g. On the Select Users, Computers, or Groups dialog box type Authenticated Users and click OK.
h. On the Permissions for shadowcopy dialog box, make sure Authenticated Users is highlighted, click Change on Permissions for Authenticated Users (Authenticated Users should now have Change and Read) and then click OK.
i. Click OK to close the shadowcopy Properties dialog box.
j. Leave Windows Explorer open.

2. Enable shadow copies for the C:\ drive, configure for a 200 MB limit.

a. Right-click C: in the folders pane and click Properties.
b. On the Local Disk (C:) Properties dialog box, click on the Shadow Copies tab.
c. Ensure that C:\ is selected, click Enable, and on the Enable Shadow Copies dialog box click Yes. (This can take a few minutes.)
d. After the process of enabling volume shadow copies on the volume has been completed, click Settings.
e. On the Settings dialog box, change the Maximum size, Use limit to 200, and then click OK to close the Settings dialog box.
f. Click OK to close the Local Disk (C:) Properties dialog box.

3. Install Previous Version Client. Map a drive to the local share. Create a file named Test Shadow Copies.txt. Add text to the new document and save it.

a. In Explorer, browse to C:\windows\system32\clients\twclient\x86
b. Double-click twcli32.msi to install the Previous Version Client.
c. Click Finish after the Previous Version Client Setup completes.
d. From the Explorer Tools menu, click Map Network Drive.
e. In Map Network Drive, in Drive type S, in Folder type \\localhost\shadowcopy and click OK.
f. In the S: window, create a new text document called Test Shadow Copies.txt (Tip: If you have not enabled viewing of file extensions in your Explorer options, you must include the .txt extension. By default it should be enabled).
g. Open Test Shadow Copies.txt and type This is the first copy of my document.
h. Save and close the text file.

4. Initiate a shadow copy.

a. Open the Shadow Copies tab of the Local Disk (C:) Properties dialog box, click Create Now to initiate a shadow copy. (This can take a few seconds so please be patient). b. When the shadow copy process has been completed, you should have an additional shadow copy listed in the Shadow copies of selected volume window. c. Click OK on the Local Disk (C:) Properties dialog box.

5. Modify the test document.

a. Open Test Shadow Copies.txt document and type This is my second copy of my shadow copy document. b. Save and close the file.

6. View a previous version of the file.

a. Right-click the Test Shadow Copies.txt document and select Properties.
b. On the Test Shadow Copies.txt Properties dialog box, select the Previous Versions tab.
c. Select Test Shadow Copies.txt from the File Versions and click View. Notice that it opens the first version of your document.
d. Close the document.

7. Copy a previous version of the file.

a. On the Test Shadow Copies.txt Properties dialog box, click Copy.
b. On the Copy Items dialog box, select Desktop and click Copy. The previous version will be copied to the desktop.

8. Restore a previous version of the file.

a. On the Test Shadow Copies.txt Properties dialog box, click Restore.
b. You will be warned that your subsequent version of the file will be overwritten with the previous version, and asked if you are sure that you wish to do this. Click Yes.
c. You will be notified that the previous version of the file was successfully restored, and the previous version should no longer be listed in the Previous Versions property sheet. Click OK.
d. Click OK to close the Test Shadow Copies.txt Properties dialog box.

9. Verify successful restore of a previous version file.

e. Verify that Test Shadow Copies.txt appears as it did before you modified the file.
f. Close the file.
g. Close the S: window.


Lab 24 Security

Objectives
After completing this lab, you will be able to:
Change EFS Recovery Agents
Share EFS data with other users
Install and configure a PKI infrastructure (Optional)

Lab Setup
A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller.


Exercise 1
Goal
The goal of this exercise is to share your encrypted files with other users within your organization.

Tasks

Detailed Steps
This exercise can be performed by all students.

1. Create users with Administrator rights (do not use Administrator).

a. Log on as Administrator.
b. Open Active Directory Users and Computers.
c. Right-click the Users container and click New, User.
d. Create a user called Jack0X (where X is your server number).
e. Create a second user called Sue0X (where X is your server number).
f. Assign both users to the Administrators group.

2. Generating a File Recovery certificate

a. Log on as Jack0X.
b. Open a command prompt.
c. At the command prompt, type cipher /r:<Logged on Username> (do not include a filename extension).
d. When prompted, type password and press ENTER, then confirm password and press ENTER.
e. This will create 2 files: <Logged on Username>.pfx and <Logged on Username>.cer
f. Repeat steps a to e for Sue0X.

3. Sharing Encrypted Files with others.

a. Open Windows Explorer.
b. Create a directory called <your servername>.
c. Open the directory and create a text file within the directory.
d. Right-click the file, click Properties, Advanced, and select Encrypt contents to secure data.
e. Click OK twice.
f. Right-click the file and click Properties, Advanced, Details.
g. In the encryption details dialog box, click Add.
h. The select user dialog box appears.
i. Select the name of the user to whom you want to give access, and click OK.

4. Test to see if it works.

a. Log on as the user that you selected.
b. Browse to the directory where the file is located.
c. Open the file and enter some text. Save and close the file.

If you can open and save the file you successfully shared your EFS file.


Exercise 2
Goal
In the exercise, you will change the Recovery Agent from Administrator to your username.

Tasks

Detailed Steps
This exercise can be done by all students.

1.

a. Log on with the account that you want to designate as a data recovery agent.
b. Click Start, Run, and type certmgr.msc
c. Right-click Personal and click All Tasks, Import.
d. Click Next on the Import Wizard page.
e. On the File to Import page, enter the path and the filename of the encryption certificate (.pfx) and click Next. This file was created during exercise 1 of lab 24.
f. On the password page, enter the password for this certificate, select Mark This Key as Exportable, and click Next.
g. On the Certificate Store page, select Automatically select the certificate store based on the type of certificate and click Next.
h. Click Finish.

2.

a. Open Local Security Settings (Secpol.msc).
b. Expand Security Settings, Public Key Policies, Encrypting File System.
c. Right-click Encrypting File System, click Add Data Recovery Agent, and click Next on the Welcome Wizard page.
d. On the Select Recovery Agents page, click Browse Folders and then navigate to the folder that contains the .cer file you created during exercise 1 of lab 24.
e. Double-click the file. When the Add Recovery Agent box appears, click Yes to install the certificate.
f. The Select Recovery Agents page now shows the new agent as USER_UNKNOWN. Don't be alarmed by this text.
g. Click Next.
h. Click Finish.

The current user is now the data recovery agent for all encrypted files on the system.


Exercise 3 (Optional)
Goal
Install an enterprise root certificate authority in the forest root domain. Then configure an enterprise subordinate certificate authority.

Tasks

Detailed Steps
This exercise will be done on Servers 1,5,9,13

1. Install and configure Enterprise Root CA.

a. Click Start, Control Panel, Add/Remove Programs.
b. Click Add/Remove Windows Components to start the Windows Components Wizard.
c. In Windows Components, select the Certificate Services check box.
d. A dialog box appears warning that the name and domain membership may not be changed. Click Yes to continue. Note: If you choose to do the appendix lab where the domain is renamed, the certificate services will have to be reconfigured to match the new domain name.
e. In Windows Components, click Next.
f. In CA Type, click Enterprise Root CA and click Next.
g. In CA Identifying Information, in Common name for this CA, type DomainX Root CA and click Next.
h. In Certificate Database Settings, click Next.
i. Since IIS is not installed, a warning dialog box appears to say that web enrollment won't be available. Click OK.
j. In Completing the Windows Components Wizard, click Finish.
k. Close Add/Remove Programs.


Tasks

Detailed Steps
This exercise will be done on Servers 3,7,11,15

2. Install and Configure Enterprise Subordinate CA

a. Log on to the server as the administrator in the forest root. In order to install a subordinate CA, the user must be a member of the Enterprise Administrators group. For example, if you are in DomainB, then log on to the DomainA domain.
b. Click Start, Control Panel, Add/Remove Programs.
c. Click Add/Remove Windows Components to start the Windows Components Wizard.
d. In Windows Components, select the Certificate Services check box.
e. A dialog box appears warning that the name and domain membership may not be changed. Click Yes to continue. Note: If you choose to do the appendix lab where the domain is renamed, the certificate services will have to be reconfigured to match the new domain name.
f. In Windows Components, click Next.
g. In CA Type, click Enterprise subordinate CA and click Next.
h. In CA Identifying Information, in Common name for this CA, type DomainX Subordinate CA and click Next.
i. In Certificate Database Settings, click Next.
j. In CA Certificate Request, click Send the request directly to the CA already on the network. Click Browse and select the root CA server for the forest. Click Next.
k. Since IIS is not installed, a warning dialog box appears to say that web enrollment won't be available. Click OK.
l. In the Completing the Windows Components Wizard, click Finish.
m. Close Add/Remove Programs.


Tasks

Detailed Steps
This exercise will be done on Servers 3,7,11,15

1. Create auto user enrollment template.

a. Open Certification Authority. Click Start, Administrative Tools, Certification Authority.
b. In the right-hand pane, right-click Certificate Templates and click Manage.
c. In Certificate Templates, in the right-hand pane, scroll down to find user. Right-click user and click Duplicate Template.
d. In the Display Name field, type AutoEnrolled User.
e. Make sure that the Publish Certificate in Active Directory check box is selected.
f. Click the Security tab.
g. In the Group or user names field, click Authenticated Users.
h. In the Permissions for Authenticated Users list, select the Enroll and AutoEnroll permission check boxes and then click OK.
i. Autoenrolling Authenticated Users is an example. These permission settings are variable, depending on who you want to autoenroll for these certificates. You will probably want to be a little bit more specific than this.
j. Close the Template Manager window.

2. Configure an enterprise certification authority to issue the AutoEnrolled User certificate.

a. In the Certification Authority window, in the right-hand pane, right-click Certificate Templates and click New, Certificate Template to Issue.
b. In Enable Certificate Templates, select AutoEnrolled User and click OK.


This needs to be done on Servers 1,3,5,7,9,11,13,15

3. The certificates that will be distributed can be used for e-mail signing. All accounts need to have a valid e-mail address for this to work. This section will add the e-mail property to the administrator account.

a. Open Active Directory Users and Computers. Click Start, Administrative Tools, Active Directory Users and Computers.
b. In the left-hand pane, expand DomainX.com and select Users. Double-click Administrator in the right-hand pane.
c. In the Administrator Properties, under the General tab and in E-mail, type administrator@domainX.com (where X is the domain with which you are working). Click OK to save the changes.

This needs to be done on Servers 1,3,5,7,9,11,13,15

4. Configure Group Policy to distribute certificates to users. This can be done in many different ways, but in this example you will modify the default domain group policy.

a. Right-click domainx.com and click Properties.
b. In the DomainX properties window, click Group Policy. Select Default Group Policy and click Edit. This will open the Group Policy Editor.
c. In the left-hand pane, expand Default Domain Policy, User Configuration, Windows Settings, Security Settings and Public Key Policies.
d. In the right-hand pane, double-click AutoEnrollment Settings.
e. Click Enroll certificates automatically.
f. Select the Renew expired certificates, update pending certificates and remove revoked certificates check box.
g. Select the Update certificates that use certificate templates check box and click OK.
h. Click File, click Exit and then click OK.

5. Run gpupdate to refresh group policy.

i. Run gpupdate to refresh policy. Click Start, Run.
j. In the Run dialog box, type gpupdate and click OK.

6. Check to ensure the certificate was delivered to the local user.

k. Check to see if the certificate was delivered. Click Start, Run.
l. In the Run dialog box, type mmc and click OK.
m. From the File menu, click Add/Remove Snap-in.
n. In Add/Remove Snap-in, click Add.
o. In Add Standalone Snap-in, select Certificates and click Add.
p. In Certificate Snap-in, click My user account and click Finish.
q. In Add Standalone Snap-in, click Close.
r. In Add/Remove Snap-in, click OK.
s. Expand Certificates, Personal and select Certificates.
t. In the right-hand pane, look for a certificate that was issued by DomainX subordinate CA.
u. If no certificates appear, check the application event log for errors. The event will have a source of AutoEnrollment.


Lab 25 Command Line Tools (Optional)

Objectives
After completing this lab, you will be able to use different command line tools to create objects within the Active Directory environment.

Lab Setup
A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller.


Exercise 1
Goal
All students within each domain/forest can participate in this exercise. The goal is to get familiar with the new command line tools/utilities that ship with Windows 2003 Server.

Tasks

1. Perform the following tasks using the utilities called DSADD and DSRM:
Create an OU called OUX (where X is your student number)
Create a user called BobX (where X is your student number)
Delete BobX

Detailed Steps

a. Open the command prompt.
b. At the command prompt, type dsadd and press ENTER to see all the different options.
c. To create an OU, type dsadd ou OU=OUX,DC=domainX,DC=com and press ENTER.
d. Check Active Directory Users and Computers to see if OUX has been created.
e. To create a user in the OU you just created, type: dsadd user cn=bobx,ou=oux,dc=domainx,dc=com -fn bobx -display bobx -samid bobx -upn bobx@domainx.com and press ENTER.
f. Check Active Directory Users and Computers to see if bobx has been created.
g. To delete Bobx, type the following command: dsrm -u administrator -p password cn=bobx,ou=oux,dc=domainx,dc=com and press ENTER.
h. When asked whether you are sure you want to delete the user, answer Y.
i. Close the command prompt.
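The exercise above as a single batch file, added here as an example and not part of the lab manual: it replaces the two checks in Active Directory Users and Computers with dsquery and uses -p * so that dsrm prompts for the administrator password instead of taking it on the command line. The two arguments (student number and the X in domainX.com) and the reliance on a non-zero exit code from dsadd and dsrm on failure are assumptions of this example.

```batch
@echo off
rem Added example, not part of the lab manual: Lab 25, Exercise 1 as a script.
rem Assumed arguments: %1 = student number, %2 = the X in domainX.com.
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 StudentNumber DomainSuffix
    exit /b 1
)
set BASE=DC=domain%~2,DC=com
set OUDN=OU=OU%~1,%BASE%
set USERDN=CN=bob%~1,%OUDN%

rem dsquery prints the DN of each match, so find succeeds only if the OU exists.
dsquery ou "%BASE%" -name "OU%~1" | find /i "OU=OU%~1," >nul
if errorlevel 1 (
    dsadd ou "%OUDN%"
    if errorlevel 1 goto fail
)

rem Create the user with the same attributes the lab sets by hand.
dsadd user "%USERDN%" -fn bob%~1 -display bob%~1 -samid bob%~1 -upn bob%~1@domain%~2.com
if errorlevel 1 goto fail

rem Confirm the account exists before deleting it (stands in for the GUI check).
dsquery user "%OUDN%" -samid bob%~1 | find /i "CN=bob%~1," >nul
if errorlevel 1 goto fail

rem -p * makes dsrm prompt for the password, so it is neither stored in this
rem file nor visible on the command line. dsrm still asks for confirmation.
dsrm "%USERDN%" -u administrator -p *
if errorlevel 1 goto fail

echo Lab 25 objects created and removed for student %~1.
exit /b 0

:fail
echo A directory command failed. See the message above.
exit /b 1
```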


Appendix A
The creation of the listw3wp.vbs file used in Lab 17.

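' Match the application pool name passed to w3wp.exe as -ap "<name>"
Set Re = New RegExp
Re.Pattern = "-ap ""(.+)"""
Re.IgnoreCase = True

' Connect to WMI, requesting the Debug privilege for the connection
Set providerObj = GetObject("winmgmts:{(debug)}:/root/cimv2")
Set W3WPs = providerObj.ExecQuery("select * from Win32_Process where Name='w3wp.exe'")

count = 0
For Each W3WP In W3WPs
    WScript.Echo "PID: " & W3WP.ProcessId
    ' & "" turns a Null command line into an empty string
    Set Matches = Re.Execute(W3WP.CommandLine & "")
    ' Only report the pool name when the -ap argument was found
    If Matches.Count > 0 Then
        Set SubMatches = Matches(0).SubMatches
        WScript.Echo "AppPoolID: " & SubMatches(0)
    End If
    count = count + 1
Next

If (count < 1) Then
    WScript.Echo "There are no running w3wp.exe instances"
End If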
