70 742 Lab04 AJ
LAB 4
CONFIGURING SERVICE
AUTHENTICATION AND
ACCOUNT POLICIES
Table 4-1
Computers required for Lab 4
Computer         Operating System       Computer Name
Server (VM 1)    Windows Server 2016    LON-DC1
Server (VM 2)    Windows Server 2016    LON-SVR1
In addition to the computers, you will also require the software listed in Table 4-2 to
complete Lab 4.
Table 4-2
Software required for Lab 4
Software                   Location
Lab 4 student worksheet    Lab04_worksheet.docx (provided by instructor)
SCENARIO
3. In the Group Policy Management console, expand Forest: Adatum.com, Domains, and
then the Adatum.com node. Click Default Domain Policy, and in the Group Policy
Management Console dialog box, click OK to close an information box. The Group
Policy Management Console displays (see Figure 4-1).
Figure 4-1
70-742 Identity with Windows Server 2016
4. Right-click Default Domain Policy and choose Edit. The Group Policy Management
Editor opens, as shown in Figure 4-2.
Figure 4-2
The Group Policy Management Editor
5. In the left pane, expand the Computer Configuration node, expand the Policies node,
and then expand the Windows Settings node. Expand the Security Settings node,
expand Account Policies, and then select Kerberos Policy.
7. In the Maximum tolerance for computer clock synchronization dialog box, change the
maximum tolerance to 4 minutes. Click OK.
9. In the Maximum lifetime for user ticket Properties dialog box, change the time to 8
hours. Click OK.
11. Take a screen shot of Group Policy Management Editor by pressing Alt+PrtScr and
then paste it into your Lab04_worksheet file in the page provided by pressing Ctrl+V.
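The two Kerberos values set above can also be checked outside the editor. This added example (not part of the lab manual) parses the [Kerberos Policy] section of a GPO security template, where these settings are stored. The INF text is constructed sample data and Get-InfSection is a hypothetical helper name.

```powershell
# Constructed sample of a GptTmpl.inf security template (not copied from a real GPO).
$sampleInf = @'
[System Access]
MinimumPasswordLength = 7
[Kerberos Policy]
MaxTicketAge = 8
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 4
TicketValidateClient = 1
'@

# Hypothetical helper: return the name/value pairs of one INF section as a hashtable.
function Get-InfSection {
    param([string[]]$Lines, [string]$Section)
    $values = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # A new section header: start or stop collecting values.
            $inSection = ($Matches[1] -eq $Section)
        } elseif ($inSection -and $line -match '^([^=;]+?)\s*=\s*(.*)$') {
            $values[$Matches[1]] = $Matches[2]
        }
    }
    return $values
}

# Values from this lab: MaxClockSkew is in minutes, MaxTicketAge (user ticket) in hours.
$expected = @{ MaxClockSkew = 4; MaxTicketAge = 8 }

# For the live Default Domain Policy, replace the sample with the file from SYSVOL
# (standard layout and the well-known Default Domain Policy GUID):
#   Get-Content '\\Adatum.com\SYSVOL\Adatum.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$kerberos = Get-InfSection -Lines ($sampleInf -split '\r?\n') -Section 'Kerberos Policy'

foreach ($name in $expected.Keys) {
    $actual = $kerberos[$name]
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual
        Match    = ($null -ne $actual -and [int]$actual -eq $expected[$name])
    }
}
```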
1. On LON-DC1, in Server Manager, click Tools > Active Directory Users and
Computers.
3. Right-click Adatum.com and choose New > Organizational Unit. The New Object –
Organizational Unit dialog box opens.
4. In the Name text box, type Service Accounts and then click OK.
5. Right-click the Service Accounts organizational unit and choose New > User. The New
Object – User Wizard starts.
6. In the First name text box, type App1. In the Last name text box, type Service. In the
User logon name text box, type App1Service. Click Next. The password options appear.
7. In the Password text box and the Confirm password text box, type Pa$$w0rd. Select the
Password never expires option. When a message displays, indicating that the password
should never expire and that the user will not be required to change the password at next
logon, click OK.
8. Click Next.
10. Take a screen shot of the Active Directory Users and Computers showing the Service
Accounts OU by pressing Alt+PrtScr and then paste it into your Lab04_worksheet file
in the page provided by pressing Ctrl+V.
12. In Server Manager, click Tools > Services. The Services console opens, as shown in
Figure 4-3.
Figure 4-3
The Services console
13. Scroll down and double-click the SNMP Trap service. The SNMP Trap Properties
dialog box opens.
15. Select This account and then, in the text box, type adatum\app1service.
16. In the Password text box and the Confirm password text box, type Pa$$w0rd.
18. When a message indicates that the account has been granted the Log On As A Service
right, click OK.
20. Take a screen shot of the Services console by pressing Alt+PrtScr and then paste it into
your Lab04_worksheet file in the page provided by pressing Ctrl+V.
4. In the Properties dialog box, click the Members tab and then click Add.
6. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in
the Enter the object names to select text box, type LON-SVR1.
8. On LON-DC1, in Server Manager, click Tools > Active Directory Module for
Windows PowerShell. The Active Directory Module for Windows PowerShell opens.
9. To create a key distribution services root key for the domain, execute the following
command in PowerShell:
Take Note
There is no space after AddHours.
Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))
10. Take a screen shot of the Active Directory Module for Windows PowerShell window by
pressing Alt+PrtScr and then paste it into your Lab04_worksheet file in the page
provided by pressing Ctrl+V.
12. In Active Directory Users and Computers, under Adatum.com, click the Managed
Service Account OU and then take a screen shot of the new service account by pressing
Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by
pressing Ctrl+V.
14. In Server Manager, click Manage > Add Roles and Features.
18. Click Active Directory Domain Services. If you are prompted to confirm that you want
to add features, click Add Features. Then click Next.
23. On LON-SVR1, in Server Manager, click Tools > Active Directory Module for
Windows PowerShell.
24. In Windows PowerShell, execute the following command to add the computer account
to LON-SVR1:
25. On LON-SVR1, in Server Manager, click Tools > Services. The Services console
opens.
26. Double-click the SNMP Trap service. The SNMP Trap Properties dialog box opens.
Question 4
Why is $ used?
Because it is a virtual local account
29. Clear the password in the Password text box and the Confirm password text box.
31. When a message indicates that the account has been granted the Log On As A Service,
click OK. Click OK to close the ‘not take effect’ dialog box.
32. Take a screen shot of the Services console showing the SNMP Trap service by pressing
Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by
pressing Ctrl+V.
1. On LON-DC1, in Server Manager, click Tools > ADSI Edit. The ADSI Edit
console opens.
2. Right-click ADSI Edit in the console tree and choose Connect To. In the
Connection Settings dialog box (see Figure 4-4), click OK.
Figure 4-4
Viewing the connection settings
4. In the Details pane, right-click the App1 Service and choose Properties. The
CN=App1 Service Properties dialog box opens, as shown in Figure 4-5.
Figure 4-5
Editing the properties of a user
Figure 4-6
Modifying the servicePrincipalName
6. In the Value to add field, type http/portal.adatum.com:443 and then click Add.
7. Take a screen shot of the ADSI Edit window showing the Multi-valued String Editor
dialog box by pressing Alt+PrtScr and then paste it into your Lab04_worksheet file
in the page provided by pressing Ctrl+V.
8. Click OK twice.
9. In Active Directory Users and Computers, navigate to and click the Service
Accounts organizational unit.
10. Right-click App1 Service and choose Properties. The Properties dialog box opens.
12. To allow this account to be delegated for a service, click the Trust this user for
delegation to any service (Kerberos only) option.
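The App1Service account configured in this lab combines a password that never expires, a service principal name, and delegation to any service. The following added example (not part of the lab manual) shows a review function that flags those settings so they can be tracked. The sample objects are constructed to mirror Get-ADUser output, and App2Service and Get-ServiceAccountReview are hypothetical names.

```powershell
# Constructed sample data shaped like Get-ADUser output. App1Service mirrors the
# settings made in this lab; App2Service is a hypothetical account for contrast.
$sample = @(
    [pscustomobject]@{
        SamAccountName        = 'App1Service'
        ServicePrincipalNames = @('http/portal.adatum.com:443')
        PasswordNeverExpires  = $true
        PasswordLastSet       = (Get-Date).AddDays(-400)
        TrustedForDelegation  = $true
    },
    [pscustomobject]@{
        SamAccountName        = 'App2Service'
        ServicePrincipalNames = @()
        PasswordNeverExpires  = $false
        PasswordLastSet       = (Get-Date).AddDays(-20)
        TrustedForDelegation  = $false
    }
)

# Hypothetical helper: list the settings on each account that deserve a review.
function Get-ServiceAccountReview {
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        $flags = @()
        if ($Account.PasswordNeverExpires) { $flags += 'password never expires' }
        if ($Account.TrustedForDelegation) { $flags += 'delegation to any service (unconstrained)' }
        if (@($Account.ServicePrincipalNames).Count -gt 0) { $flags += 'SPN on a user account' }
        # PasswordLastSet is empty when the password must change at next logon.
        $age = if ($Account.PasswordLastSet) {
            [int]((Get-Date) - $Account.PasswordLastSet).TotalDays
        } else { $null }
        [pscustomobject]@{
            Account         = $Account.SamAccountName
            SPNs            = @($Account.ServicePrincipalNames) -join '; '
            PasswordAgeDays = $age
            Review          = $flags -join ', '
        }
    }
}

$sample | Get-ServiceAccountReview | Format-Table -AutoSize -Wrap

# Live query on LON-DC1 (the OU was created directly under Adatum.com in this lab):
# $props = 'ServicePrincipalNames','PasswordNeverExpires','PasswordLastSet','TrustedForDelegation'
# Get-ADUser -SearchBase 'OU=Service Accounts,DC=Adatum,DC=com' -Filter * -Properties $props |
#     Get-ServiceAccountReview
```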
1. On LON-DC1, in Server Manager, click Tools > Group Policy Management. The
Group Policy Management console opens.
2. Navigate to and click Default Domain Policy. In the Group Policy Management
Console dialog box, click OK.
4. The Group Policy Management Editor opens (as shown in Figure 4-7).
Figure 4-7
The Default Domain Policy
5. In the left window pane, expand the Computer Configuration node, expand the
Policies node, expand the Windows Settings folder, and then expand the Security
Settings node. In the Security Settings node, expand Account Policies and select
Password Policy.
8. In the Password must meet complexity requirements Properties dialog box, click the
Explain tab.
Question 9
9. Close the Password must meet complexity requirements Properties dialog box by
clicking OK.
10. Take a screen shot of the Group Policy Management Editor window by pressing
Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by
pressing Ctrl+V.
11. On LON-DC1, using Default Domain Policy Group Policy Management Editor console,
under Account Policies, click Account Lockout Policy.
12. Double-click Account lockout duration. In the Account lockout duration Properties
dialog box, click to enable the Define this policy setting.
13. Click OK to close the Account lockout duration Properties dialog box. In the Suggested
Value Changes dialog box, answer the following question and then click OK.
14. Take a screen shot of the Account Lockout Policy window by pressing Alt+PrtScr and
then paste it into your Lab04_worksheet file in the page provided by pressing Ctrl+V.
15. Close the Group Policy Management Editor window for the Default Domain Policy.
End of lab.