Lab: Domain and trust management in AD DS


Scenario:
A. Datum has deployed a single AD DS domain with all the domain controllers located in its
London datacenter. As the company has grown and added branch offices with large
numbers of users, it has become increasingly apparent that the current AD DS environment
does not meet company requirements. The network team is concerned about the amount of
AD DS–related network traffic that is crossing WAN links, which are becoming highly utilized.

The company has also become increasingly integrated with partner organizations, some of
which need access to shared resources and applications that are located on the A. Datum
internal network. The Security department at A. Datum wants to ensure that access for these
external users is as secure as possible.

As one of the senior network administrators at A. Datum, you are responsible for
implementing an AD DS infrastructure that meets company requirements. You are responsible
for planning an AD DS domain and forest deployment that provides optimal services for
internal and external users while addressing the security requirements at A. Datum.

Exercise 1: Implementing forest trusts


Task 1: Configure stub zones for DNS name resolution

1. On LON-DC1, in Server Manager, click the Tools menu, and then in the drop-down menu,
click DNS.

2. In the DNS tree pane, expand LON-DC1, right-click Forward Lookup Zones, and then
click New Zone.

3. In the New Zone Wizard, click Next.

4. On the Zone Type page, click Stub zone, and then click Next.

5. On the Active Directory Zone Replication Scope page, click To all DNS servers running on
domain controllers in this forest: adatum.com, and then click Next.

6. In the Zone name text box, type treyresearch.net, and then click Next.

7. On the Master DNS Servers page, click <Click here to add an IP Address or DNS
Name>, type 172.16.10.10, click in the empty area of the list to commit the entry, and then click Next.

8. On the Completing the New Zone Wizard page, click Next, and then click Finish.

9. Expand Forward Lookup Zones, right-click the new stub zone treyresearch.net, and
then click Transfer from Master.

10. Right-click treyresearch.net, and then click Refresh.

11. Confirm that the treyresearch.net stub zone contains records, and then close DNS Manager.

12. Switch to TREY-DC1.

13. In Server Manager, click the Tools menu, and then in the drop-down menu, click DNS.

14. In the tree pane, expand TREY-DC1, right-click Forward Lookup Zones, and then
click New Zone.

15. In the New Zone Wizard, click Next.

16. On the Zone Type page, click Stub zone, and then click Next.

17. On the Active Directory Zone Replication Scope page, click To all DNS servers running on
domain controllers in this forest: treyresearch.net, and then click Next.

18. In the Zone name text box, type adatum.com, and then click Next.

19. On the Master DNS Servers page, click <Click here to add an IP Address or DNS
Name>, type 172.16.0.10, click in the empty area of the list to commit the entry, and then click Next.

20. On the Completing the New Zone Wizard page, click Next, and then click Finish.

21. Expand Forward Lookup Zones, right-click the new stub zone adatum.com, and then
click Transfer from Master.

22. Right-click adatum.com, and then click Refresh.

23. Confirm that the adatum.com stub zone contains records.

24. Close DNS Manager.
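The same configuration from PowerShell, as an added example that is not part of the lab text. It wraps both halves of Task 1 in one function: the first call runs on LON-DC1, the second on TREY-DC1, each as a domain admin of that forest. Zone names and master addresses are the lab's; the NS-record check and the SRV lookup at the end are additions that confirm the stub zone actually resolves the records the trust wizard and Kerberos will need.

```powershell
# Added example, not from the lab guide. Requires the DnsServer module (installed
# with the DNS Server role) and local administrator rights on the DNS server.
function Add-PartnerStubZone {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][ipaddress]$MasterServer
    )
    # -ReplicationScope Forest is the wizard's "To all DNS servers running on
    # domain controllers in this forest"
    Add-DnsServerStubZone -Name $ZoneName -MasterServers $MasterServer -ReplicationScope Forest

    # Same as right-click > Transfer from Master: pull SOA, NS and glue records now
    Start-DnsServerZoneTransfer -Name $ZoneName -FullTransfer
    Start-Sleep -Seconds 5

    # A stub zone only ever holds SOA, NS and glue A/AAAA records; if there is no NS
    # record the master was not reachable or is not authoritative for the zone.
    $records = Get-DnsServerResourceRecord -ZoneName $ZoneName
    if (-not ($records | Where-Object RecordType -eq 'NS')) {
        throw "Stub zone $ZoneName holds no NS records. Check that $MasterServer is reachable on TCP/UDP 53 and is authoritative for $ZoneName."
    }
    $records | Format-Table HostName, RecordType, RecordData -AutoSize

    # The trust wizard locates a DC in the partner forest through this SRV record; the
    # local server answers it by recursing to the NS hosts learned from the stub zone.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ZoneName" -Type SRV -Server 127.0.0.1 -ErrorAction Stop
}

# On LON-DC1 (adatum.com), steps 1-11
Add-PartnerStubZone -ZoneName 'treyresearch.net' -MasterServer 172.16.10.10

# On TREY-DC1 (treyresearch.net), steps 12-24
Add-PartnerStubZone -ZoneName 'adatum.com' -MasterServer 172.16.0.10
```

A stub zone keeps following the partner's NS set as it changes, which is why the lab uses it. If you would rather not depend on records the partner publishes, a conditional forwarder (`Add-DnsServerConditionalForwarderZone -Name treyresearch.net -MasterServers 172.16.10.10 -ReplicationScope Forest`) sends every query for the zone to the address you specify and nothing else.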

Task 2: Configure a forest trust with selective authentication

1. On LON-DC1, in Server Manager, on the Tools menu, click Active Directory Domains and Trusts.

2. In the Active Directory Domains and Trusts management console, right-click Adatum.com, and
then click Properties.

3. In the Adatum.com Properties dialog box, click the Trusts tab, and then click New Trust.

4. On the Welcome to the New Trust Wizard page, click Next.

5. On the Trust Name page, in the Name text box, type treyresearch.net, and then click Next.

6. On the Trust Type page, click Forest trust, and then click Next.

7. On the Direction of Trust page, click One-way: outgoing, and then click Next. Adatum.com will
trust treyresearch.net, so Trey Research users can be granted access to A. Datum resources, but
A. Datum users get no access to Trey Research resources.

8. On the Sides of Trust page, click Both this domain and the specified domain, and then
click Next.

9. On the User Name and Password page, type Administrator as the user name and Pa55w.rd as
the password in the appropriate boxes, and then click Next.

10. On the Outgoing Trust Authentication Level-Local Forest page, click Selective
authentication, and then click Next. With selective authentication, no Trey Research user can
authenticate to any A. Datum computer until that user (or a group) is explicitly granted the
Allowed to authenticate permission on the computer object; forest-wide authentication would
instead treat every Trey Research user as a member of Authenticated Users on every A. Datum computer.
11. On the Trust Selections Complete page, click Next.

12. On the Trust Creation Complete page, click Next.

13. On the Confirm Outgoing Trust page, click Next.

14. On the Completing the New Trust Wizard page, click Finish.

15. In the Adatum.com Properties dialog box, click the Trusts tab.

16. On the Trusts tab, under Domains trusted by this domain (outgoing trusts),
click treyresearch.net, and then click Properties.

17. In the treyresearch.net Properties dialog box, click Validate.

18. Review the "The trust has been validated. It is in place and active" message that displays, click OK,
and then at the prompt, click No.

19. In the TreyResearch.net Properties dialog box, click OK, and then click OK in the Adatum.com
Properties dialog box.

20. Close Active Directory Domains and Trusts.
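Task 2 from PowerShell, as an added example that is not part of the lab text. The ActiveDirectory module can read trusts (Get-ADTrust) but has no cmdlet to create one, so the script uses the .NET System.DirectoryServices.ActiveDirectory API, which is what the wizard drives. It runs on LON-DC1 as ADATUM\Administrator; forest names are the lab's, and the partner-forest credential is prompted for rather than hard-coded. The Get-ADTrust audit at the end is an addition that shows how to confirm the trust's security properties without opening the console.

```powershell
# Added example, not from the lab guide.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

# Credential of an admin in the partner forest, used once so that both sides of the
# trust are created (the wizard's "Both this domain and the specified domain").
$partnerCred = Get-Credential -UserName 'TREYRESEARCH\Administrator' -Message 'Admin of treyresearch.net'

$ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    'treyresearch.net',
    $partnerCred.UserName,
    $partnerCred.GetNetworkCredential().Password
)
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()   # adatum.com
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)      # treyresearch.net
$outbound = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound

# "One-way: outgoing": adatum.com trusts treyresearch.net. Partner principals can be
# granted access here; adatum.com principals get nothing in the partner forest.
$local.CreateTrustRelationship($remote, $outbound)

# "Selective authentication": until a partner principal holds Allowed-To-Authenticate
# on a specific adatum.com computer object, it cannot authenticate to that computer.
$local.SetSelectiveAuthenticationStatus('treyresearch.net', $true)

# Equivalent of the Validate button
$local.VerifyTrustRelationship($remote, $outbound)

# Audit the trustedDomain object. Expected: Direction Outbound, ForestTransitive True,
# IntraForest False, SelectiveAuthentication True. TGTDelegation should be False; True
# would let partner hosts obtain forwardable TGTs for adatum.com users, i.e. unconstrained
# delegation across the trust boundary.
Get-ADTrust -Filter "Target -eq 'treyresearch.net'" |
    Select-Object Name, Direction, ForestTransitive, IntraForest, SelectiveAuthentication,
                  TGTDelegation, SIDFilteringForestAware, SIDFilteringQuarantined, TrustAttributes
```

Re-run the last command after any change made with netdom or the console; the SID filtering properties record whether SID history from the partner forest is honoured, and a forest trust should keep SID filtering enabled unless you have a documented migration reason to relax it.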

Task 3: Configure a server for selective authentication

1. On LON-DC1, in Server Manager, on the Tools menu, click Active Directory Users and
Computers.

2. In the Active Directory Users and Computers console, on the View menu, click Advanced
Features.

3. Expand Adatum.com,and then click Computers.

4. Right-click LON-SVR2,and then click Properties.

5. In the LON-SVR2 Properties dialog box, click the Security tab, and then click Add.

6. On the Select Users, Computers, Service Accounts, or Groups page, click Locations.

7. Click treyresearch.net, and then click OK.

8. In the Enter the object name to select (examples:) text box, type IT, and then click Check
Names. When prompted for credentials, type TreyResearch\Administrator with the
password Pa55w.rd, and then click OK.

9. On the Select Users, Computers, Service Accounts, or Groups page, click OK.

10. In the LON-SVR2 Properties window, ensure that IT (TreyResearch\IT) is highlighted, select
the Allow check box that is in line with Allowed to authenticate, and then click OK.

11. Switch to LON-SVR2.

12. On the taskbar, click the File Explorer icon.

13. In the File Explorer window, expand This PC, and then click Local Disk (C).

14. Right-click in the details pane, click New, and then click Folder.

15. In the Name text box, type IT-Data, and then press Enter.

16. Right-click IT-Data, and then click Properties.

17. In the IT-Data Properties dialog box, click the Sharing tab, and then click Advanced Sharing.

18. In the Advanced Sharing dialog box, click Share this folder, and then click Permissions.

19. In the Permissions for IT-Data dialog box, click Add.

20. On the Select Users, Computers, Service Accounts, or Groups page, click Locations.

21. Click treyresearch.net, and then click OK.

22. In the Enter the object name to select (examples:) text box, type IT, and then click Check
Names. When prompted for credentials, type TreyResearch\Administrator with the
password Pa55w.rd, and then click OK.

23. On the Select Users, Computers, Service Accounts, or Groups page, click OK.

24. In the Permissions for IT-Data dialog box, click OK.

25. In the Advanced Sharing dialog box, click OK.

26. Switch to TREY-DC1, and sign out.

27. Sign in to TREY-DC1 as TreyResearch\Alice with the password Pa55w.rd.

28. Click Start, and then click Search.

29. In the Search text box, type \\LON-SVR2.adatum.com\IT-Data, and then press Enter. The
folder opens: Alice is a member of TreyResearch\IT, which now holds Allowed to authenticate on
LON-SVR2 and Read permission on the share. Any other A. Datum computer still refuses her, because
selective authentication grants nothing by default.
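Task 3 from PowerShell, as an added example that is not part of the lab text. The first part runs on LON-DC1 and grants TreyResearch\IT the Allowed-To-Authenticate control access right on the LON-SVR2 computer object, which is what the Security tab check box writes; the second part runs on LON-SVR2 and creates the share. Names and credentials are the lab's; the rightsGuid of Allowed-To-Authenticate is the fixed schema value. The final query is an addition that lists every principal holding that right, which under selective authentication is the complete set of partner principals able to reach the server.

```powershell
# Added example, not from the lab guide.
# ---- On LON-DC1 as ADATUM\Administrator ----
Import-Module ActiveDirectory

# Resolve the partner group to its SID. The trust is one-way, so an adatum.com admin is
# not trusted in treyresearch.net and a partner credential is needed for the lookup,
# just as the object picker prompts in the console.
$partnerCred = Get-Credential -UserName 'TREYRESEARCH\Administrator' -Message 'Lookup in treyresearch.net'
$itGroup = Get-ADGroup -Identity 'IT' -Server 'treyresearch.net' -Credential $partnerCred
$itSid   = [System.Security.Principal.SecurityIdentifier]$itGroup.SID

# Allowed-To-Authenticate is a control access right (extended right) on the computer
# object; this GUID is its rightsGuid in the AD schema.
$allowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

$computer = Get-ADComputer -Identity 'LON-SVR2'
$aclPath  = "AD:\$($computer.DistinguishedName)"
$acl = Get-Acl -Path $aclPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $itSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate
)
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# Verify: who may authenticate to LON-SVR2 across the selective-authentication trust?
# Expected output includes TREYRESEARCH\IT with ActiveDirectoryRights ExtendedRight.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# ---- On LON-SVR2 as ADATUM\Administrator ----
# Steps 12-25: folder and share, granting the partner group Read on the share.
New-Item -Path 'C:\IT-Data' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'IT-Data' -Path 'C:\IT-Data' -ReadAccess 'TREYRESEARCH\IT'
Get-SmbShareAccess -Name 'IT-Data'

# ---- On TREY-DC1 as TREYRESEARCH\Alice (member of IT), step 29 ----
Test-Path -Path '\\LON-SVR2.adatum.com\IT-Data'    # True once both grants are in place
```

Granting the right on the computer object, not on the share, is what makes selective authentication useful for auditing: the ACL query above is the authoritative answer to "which partner principals can log on here", independent of whatever share or NTFS permissions have accumulated on the server.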

Exercise 2: Implementing child domains in AD DS


Task 1: Install a domain controller in a child domain
1. On TOR-DC1, click Start, and then click Server Manager. In Server Manager, click Manage, and
then in the drop-down list, click Add Roles and Features.

2. On the Before you begin page, click Next.

3. On the Select installation type page, confirm that the Role-based or feature-based
installation option is selected, and then click Next.

4. On the Select destination server page, ensure that the Select a server from the server
pool option is selected and that TOR-DC1.adatum.com is highlighted, and then click Next.

5. On the Select server roles page, click Active Directory Domain Services.

6. On the Add features that are required for Active Directory Domain Services? page, click Add
Features.

7. On the Select server roles page, click Next.

8. On the Select features page, click Next.

9. On the Active Directory Domain Services page, click Next.

10. On the Confirm installation selections page, click Install. This might take a few minutes to
complete.
11. When the Active Directory Domain Services (AD DS) binaries have installed, click the
blue Promote this server to a domain controller link.

12. In the Deployment Configuration window, click Add a new domain to an existing forest.

13. Verify that Select domain type is set to Child Domain and that Parent domain name is set
to Adatum.com.

14. In the New domain name text box, type na.

15. Confirm that Supply the credentials to perform this operation is set
to ADATUM\Administrator (Current user), and then click Next.

Note: If the credentials are not set to Adatum\Administrator, use the Change button to
enter the credentials Adatum\Administrator with the password Pa55w.rd.

16. In the Domain Controller Options window, ensure that Domain functional level is set
to Windows Server 2016.

17. Ensure that both the Domain Name System (DNS) server and Global Catalog (GC) check boxes
are selected.

18. Confirm that Site name: is set to Default-First-Site-Name.

19. Under Type the Directory Services Restore Mode (DSRM) password, type Pa55w.rd in both
text boxes, and then click Next.
20. On the DNS Options page, click Next.

21. On the Additional Options page, click Next.

22. On the Paths page, click Next.

23. On the Review Options page, click Next.

24. On the Prerequisites Check page, confirm that there are no issues, and then click Install.

Note: If you receive a "Windows Server 2016 domain controllers have a default for the
security setting named 'Allow cryptography algorithms compatible with Windows NT 4.0'"
warning, you may safely ignore it.

After the configuration completes, the server restarts automatically.
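Task 1 from PowerShell, as an added example that is not part of the lab text. It runs on TOR-DC1 as a local administrator and uses the ADDSDeployment cmdlets the wizard itself calls. Domain names, the site name and the credential are the lab's; the DSRM password is read interactively rather than typed into the script, and the Test-ADDSDomainInstallation dry run is an addition that surfaces the same findings as the wizard's Prerequisites Check page before anything is changed.

```powershell
# Added example, not from the lab guide.
# Steps 1-11: install the AD DS binaries and the management tools
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Creating a child domain requires an Enterprise Admins member of the forest
$entCred = Get-Credential -UserName 'ADATUM\Administrator' -Message 'Enterprise Admins member'

# Directory Services Restore Mode password. The lab reuses Pa55w.rd; outside a lab choose
# a unique one, because DSRM gives offline, unaudited access to this DC's ntds.dit.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM password'

# Steps 12-23 as one parameter set: new child domain "na" under adatum.com, DNS and GC on
# this DC, DNS delegation created in the parent zone, site Default-First-Site-Name.
$domainParams = @{
    NewDomainName                 = 'na'
    ParentDomainName              = 'adatum.com'
    DomainType                    = 'ChildDomain'
    DomainMode                    = 'WinThreshold'      # Windows Server 2016 domain functional level
    InstallDns                    = $true
    CreateDnsDelegation           = $true
    SiteName                      = 'Default-First-Site-Name'
    Credential                    = $entCred
    SafeModeAdministratorPassword = $dsrmPassword
}

# Step 24, the prerequisites check, without changing anything
Test-ADDSDomainInstallation @domainParams

# Promote. -Force suppresses the confirmation and informational warnings, including the
# "Allow cryptography algorithms compatible with Windows NT 4.0" notice the lab says to ignore.
# The server restarts automatically when promotion completes.
Install-ADDSDomain @domainParams -Force
```

The global catalog is enabled by default (pass -NoGlobalCatalog to turn it off), and the NetBIOS name is derived from the DNS name unless -NewDomainNetbiosName is given, so the wizard's defaults need no extra parameters.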

Task 2: Verify the default trust configuration

1. Sign in to TOR-DC1 as NA\Administrator with the password Pa55w.rd.

2. Click Start, click Server Manager, and then in Server Manager, click Local Server.

3. Verify that Windows Firewall shows Domain: Off. If it does not, perform the following steps:

a. Click the underlined blue text next to Windows Firewall. In the Windows
Firewall window, click Turn Windows Firewall on or off.
b. Under each section, select Turn off Windows Firewall (not recommended), and
then click OK. Ignore any warning prompts that appear regarding Windows Firewall.
c. In Server Manager, click the Refresh "Local Server" icon, indicated by double
arrows.
d. After the refresh completes, verify that Windows Firewall shows Domain: Off.

Note: Turning the firewall off is a lab shortcut so that trust validation is not blocked
while the new domain controller settles. On a production domain controller leave the
firewall on; promotion already enables the Active Directory Domain Services, DNS and
Kerberos rule groups it needs.

4. In Server Manager, on the Tools menu, click Active Directory Domains and Trusts.

5. In the Active Directory Domains and Trusts console, expand Adatum.com, right-click
na.adatum.com, and then click Properties.

6. In the na.adatum.com Properties dialog box, click the Trusts tab, in the Domains trusted by
this domain (outgoing trusts) list, click Adatum.com, and then click Properties.

7. In the Adatum.com Properties dialog box, click Validate,and then click Yes, validate the
incoming trust.

8. In the User name textbox, type administrator, in the Password text box, type Pa55w.rd, and
then click OK.

9. When the "The trust has been validated. It is in place and active" message appears, click OK.

Note: If you receive a message that the trust cannot be validated or that the secure channel
verification has failed, ensure that you have completed step 3, and then wait for at least 10–
15 minutes before trying again.

10. Click OK twice to close the Adatum.com Properties dialog box.
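Task 2 from PowerShell, as an added example that is not part of the lab text. It runs on TOR-DC1 as NA\Administrator after the restart. Instead of turning the firewall off (lab step 3) it checks that the firewall rule groups a domain controller needs are enabled, then inspects and validates the parent-child trust with Get-ADTrust, netdom and nltest. Domain and credential names are the lab's; the rule group names are the built-in Windows Firewall display groups.

```powershell
# Added example, not from the lab guide.
Import-Module ActiveDirectory

# Keep the firewall on; confirm the DC-related rule groups that promotion enables are active.
Get-NetFirewallProfile | Select-Object Name, Enabled
$dcRuleGroups = 'Active Directory Domain Services', 'DNS Service',
                'Kerberos Key Distribution Center', 'File and Printer Sharing', 'Core Networking'
foreach ($group in $dcRuleGroups) {
    $disabled = Get-NetFirewallRule -DisplayGroup $group | Where-Object Enabled -eq 'False'
    if ($disabled) {
        Write-Warning "Rule group '$group' has disabled rules; enabling them"
        Enable-NetFirewallRule -DisplayGroup $group
    }
}

# Steps 4-6: the trust the wizard created when na.adatum.com was added. A parent-child
# trust is always two-way, transitive and intra-forest, and selective authentication
# is not available on it; that is why partners belong in a separate forest, as in Exercise 1.
Get-ADTrust -Filter * -Server 'na.adatum.com' |
    Select-Object Name, Source, Target, Direction, IntraForest, ForestTransitive,
                  TrustType, SelectiveAuthentication, TGTDelegation

# Steps 7-9: validate the trust in both directions (na.adatum.com trusting adatum.com, and
# the incoming side using the parent-domain credential; /passwordd:* prompts for it).
netdom trust na.adatum.com /domain:adatum.com /verify /userd:ADATUM\Administrator /passwordd:*

# The "secure channel verification has failed" note in the lab refers to this channel:
# nltest queries and resets the secure channel from this DC to the parent domain.
nltest /sc_query:adatum.com
nltest /sc_verify:adatum.com
```

If nltest reports that the secure channel cannot be established, check DNS first (`Resolve-DnsName _ldap._tcp.dc._msdcs.adatum.com -Type SRV` from TOR-DC1) before waiting for the 10 to 15 minutes the lab suggests; a child DC that cannot locate a parent DC will never validate the trust, however long you wait.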

Task 3: Prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To
do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-TOR-DC1, 20742B-TREY-DC1, and 20742B-LON-SVR2.
