MCT USE ONLY.

STUDENT USE PROHIBITED

OFFICIAL MICROSOFT LEARNING PRODUCT

6419B

Configuring, Managing, and Maintaining Windows Server® 2008-based Servers


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2011 Microsoft Corporation. All rights reserved. Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Product Number: 6419B Part Number: X17-53274 Released: 04/2011


Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Andrew J. Warren–Content Developer
Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience in the IT industry, many of which have been spent in writing and teaching. He has been involved as the subject matter expert (SME) for the 6430B course for Windows Server 2008 and the technical lead on a number of other courses. He also has been involved in TechNet sessions on Microsoft® Exchange Server 2007. Based in the United Kingdom, he runs his own IT training and education consultancy.

Conan Kezema–Content Developer
Conan Kezema, B.Ed, MCSE, MCT, is an educator, consultant, network systems architect, and author who specializes in Microsoft technologies. As an associate of S.R. Technical Services, Conan has been a subject matter expert, instructional designer, and author on numerous Microsoft courseware development projects.

Gary Dunlop–Content Developer
Gary Dunlop is a Microsoft Trainer and consultant in Winnipeg, Canada since 1997. He specializes in Windows Server and Client systems. He has authored or co-authored several MOC courses. He is currently a Senior Systems Engineer for Broadview Networks.

Jason Kellington–Content Developer
Jason Kellington is a trainer, consultant and author who specializes in several Microsoft products. He has a broad range of experience in the IT industry as an administrator, developer, educator and technical writer. Jason is an MCT, MCITP and MCSE and has been involved in a number of Microsoft Learning courseware development projects.

William Stanek–Technical Reviewer
William R. Stanek (http://www.williamstanek.com/) is a leading technology expert, a pretty-darn-good instructional trainer, and the award-winning author of over 100 books. Current or forthcoming books include Active Directory Administrator’s Pocket Consultant, Group Policy Administrator’s Pocket Consultant, SQL Server 2008 Administrator’s Pocket Consultant 2nd Edition, Windows 7: The Definitive Guide, and Windows Server 2008 Inside Out. Follow William on Twitter at http://www.twitter.com/WilliamStanek.

Contents

Module 1: Overview of the Windows Server 2008 Management Environment
Lesson 1: Understanding the Windows Server 2008 Environment
Lesson 2: Overview of Windows Server 2008 Server Roles and Features
Lesson 3: Windows Server 2008 Administration Tools
Lesson 4: Managing Windows Server 2008 Server Core
Lab: Managing Server Roles in a Windows Server 2008 Environment

Module 2: Managing Windows Server 2008 Infrastructure Roles
Lesson 1: Understanding IPv6 Addressing
Lesson 2: Overview of the DNS Server Role
Lesson 3: Configuring DNS Zones
Lab A: Installing and Configuring the DNS Server Role
Lesson 4: Overview of the DHCP Server Role
Lesson 5: Configuring DHCP Scopes and Options
Lab B: Installing and Configuring the DHCP Server Role

Module 3: Configuring Access to File Services
Lesson 1: Overview of Access Control
Lesson 2: Managing NTFS File and Folder Permissions
Lesson 3: Managing Permissions for Shared Resources
Lesson 4: Determining Effective Permissions
Lab: Managing Access to File Services

Module 4: Configuring and Managing Distributed File System
Lesson 1: Distributed File System Overview
Lesson 2: Configuring DFS Namespaces
Lesson 3: Configuring DFS Replication
Lab: Installing and Configuring Distributed File System

Module 5: Managing File Resources Using File Server Resource Manager
Lesson 1: Overview of File Server Resource Manager
Lesson 2: Configuring Quota Management
Lab A: Installing FSRM and Implementing Quota Management
Lesson 3: Implementing File Screening
Lesson 4: Managing Storage Reports
Lab B: Configuring File Screening and Storage Reports
Lesson 5: Implementing Classification Management and File Management Tasks
Lab C: Configuring Classification and File Management Tasks

Module 6: Configuring and Securing Remote Access
Lesson 1: Configuring a Virtual Private Network Connection
Lesson 2: Overview of Network Policies
Lab A: Implementing a Virtual Private Network
Lesson 3: Integrating Network Access Protection with VPNs
Lesson 4: Configuring VPN Enforcement Using NAP
Lab B: Implementing NAP into a VPN Remote Access Solution
Lesson 5: Overview of DirectAccess

Module 7: Managing Active Directory Domain Services
Lesson 1: Overview of the Active Directory Infrastructure
Lesson 2: Working with Active Directory Administration Tools
Lesson 3: Managing User Accounts
Lesson 4: Managing Computer Accounts
Lab A: Creating and Managing User and Computer Accounts
Lesson 5: Managing Groups
Lesson 6: Using Queries to Locate Objects in AD DS
Lab B: Managing Groups and Locating Objects in AD DS

Module 8: Configuring Active Directory Object Administration and Domain Trust
Lesson 1: Configuring Active Directory Object Administration
Lab A: Configuring Active Directory Delegation
Lesson 2: Configuring Active Directory Trusts
Lab B: Administering Trust Relationships

Module 9: Creating and Managing Group Policy Objects
Lesson 1: Overview of Group Policy
Lesson 2: Configuring the Scope of Group Policy Objects
Lab A: Creating and Configuring GPOs
Lesson 3: Managing Group Policy Objects
Lab B: Creating and Configuring GPOs
Lesson 4: Evaluating and Troubleshooting Group Policy Processing
Lab C: Troubleshooting Group Policy

Module 10: Using Group Policy to Configure User and Computer Settings
Lesson 1: Using Group Policy to Configure Folder Redirection and Scripts
Lab A: Using Group Policy to Configure Scripts and Folder Redirection
Lesson 2: Using Administrative Templates to Manage Users and Computers
Lab B: Configuring Administrative Templates
Lesson 3: Deploying Software Using Group Policy
Lab C: Deploying Software Using Group Policy
Lesson 4: Deploying Group Policy Preferences
Lab D: Deploying Group Policy Preferences

Module 11: Implementing Security Settings Using Group Policy
Lesson 1: Overview of Security Settings
Lesson 2: Implementing Fine-Grained Password Policies
Lab A: Implementing Security by Using Group Policy
Lesson 3: Restricting Group Membership and Access to Software
Lab B: Configuring Restricted Groups and Application Control Policies

Module 12: Providing Efficient Network Access for Remote Offices
Lesson 1: Overview of Remote Office Requirements
Lesson 2: Implementing Read-Only Domain Controllers
Lab A: Deploying a Read-Only Domain Controller
Lesson 3: Implementing BranchCache
Lab B: Deploying BranchCache

Module 13: Monitoring and Maintaining Windows Server 2008
Lesson 1: Planning Monitoring Tasks
Lesson 2: Calculating a Server Baseline
Lesson 3: Interpreting Performance Counters
Lesson 4: Selecting Appropriate Monitoring Tools
Lab: Creating a Baseline of Performance Metrics

Module 14: Managing Windows Server 2008 Backup and Recovery
Lesson 1: Planning and Implementing File Backups on Windows Server 2008
Lesson 2: Planning and Implementing File Recovery
Lab A: Implementing Windows Server Backup and Recovery
Lesson 3: Recovering Active Directory
Lesson 4: Troubleshooting Windows Server Startup
Lab B: Recovering Active Directory Objects

Appendix A: Implementing DirectAccess
Exercise 1: Configuring the AD DS domain controller and DNS
Exercise 2: Configuring the PKI environment
Exercise 3: Configuring the DirectAccess clients and test Intranet Access
Exercise 4: Configuring the DirectAccess server
Exercise 5: Verifying DirectAccess functionality

Lab Answer Keys

About This Course
This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description
This course is designed to provide foundation skills in networking and Windows Server® security, network services, and administration.

Audience
Candidates for this course are information technology (IT) professionals who work in medium to large organizations. The primary candidate is a Windows Server administrator who operates Windows Servers on a daily basis and who requires the skills for configuring, managing, and maintaining servers installed with Windows Server 2008, including the Release 2 (R2) edition. Candidates are typically responsible for day-to-day management of the server operating system and various server roles such as Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), file and print services, directory services, and software distribution. This course may also be considered in combination with other exam preparation materials for candidates wishing to prepare for Microsoft Certified Technology Specialist (MCTS) and Microsoft Certified IT Professional (MCITP) certification in Windows Server 2008.

Student Prerequisites
This course requires that you meet the following prerequisites:
• At least one year experience in operating Windows Servers in the area of account management, server maintenance, server monitoring, or server security
• Certification related to the Microsoft Technology Associate (MTA) Networking Fundamentals, Security Fundamentals, and Windows Server Administration Fundamentals designations, or equivalent knowledge as outlined in course 6419B: Fundamentals of Windows Server 2008
• A+, Server+, hardware portion of Network+, or equivalent knowledge
• Working knowledge of networking technologies
• Intermediate understanding of network operating systems
• Basic knowledge of Active Directory
• An understanding of security concepts and methodologies (for example, corporate policies)
• Basic knowledge of TCP/IP
• Basic knowledge of scripting tools such as PowerShell and WMI

Course Objectives
After completing this course, students will be able to:
• Describe the Windows Server 2008 environment including the roles, features, and tools used to perform effective server management.
• Describe IPv6 addressing and how to install and configure the DNS and DHCP server infrastructure roles.
• Configure secure and efficient access to file services.
• Configure and manage a Distributed File System infrastructure.

• Use File Server Resource Manager to assist in data storage capacity management.
• Secure remote access by using features such as Virtual Private Networks, Network Access Protection (NAP), and DirectAccess.
• Describe Active Directory infrastructure and how to manage AD DS objects.
• Configure and manage AD DS object permissions, and configure trust between AD DS domains.
• Create and manage Group Policy Objects (GPOs).
• Understand the specific settings that can be managed by using Group Policy.
• Secure network clients by using Group Policy.
• Describe solutions that can be implemented to provide efficient remote office network access.
• Plan for and implement performance baselines and perform server monitoring by using monitoring tools.
• Plan for and identify backup and restore strategies and identify steps needed to recover from server startup issues.

Course Outline
This section provides an outline of the course:

Module 1, “Overview of the Windows Server 2008 Management Environment”
In this module, you will gain familiarity with the components of the operating system and the concepts and terminology found within the Windows Server 2008 environment.

Module 2, “Managing Windows Server 2008 Infrastructure Roles”
In this module, students will learn the benefits and technologies associated with IPv6. You will learn the features and configuration options available to implement the DNS and DHCP server roles.

Module 3, “Configuring Access to File Services”
In this module, you will learn the concepts and terminology involved in file services, and also provide guidance in the practical management of a file services infrastructure within the Windows Server 2008 environment.

Module 4, “Configuring and Managing Distributed File System”
In this module, you will learn about the Distributed File System (DFS) solution that you can use to meet challenges by providing fault-tolerant access and WAN-friendly replication of files located throughout an enterprise.

Module 5, “Managing File Resources Using File Server Resource Manager”
In this module, you will learn about the various options available for installing Windows Server, and complete an installation. You will also launch a local media setup and then perform the post-installation configuration of a server.

Module 6, “Configuring and Securing Remote Access”
In this module, you will understand how to configure and secure your remote access clients by using network policies, and where appropriate, Network Access Protection (NAP).

Module 7, “Managing Active Directory Domain Services”
In this module, you will learn how to review key concepts and directory services structure. You will take a high-level look at the major components of AD DS and how they fit together. You will also receive hands-on experience working with these components and their associated tools.

Module 8, “Configuring Active Directory Object Administration and Domain Trust”
In this module, you will learn how to configure permissions and delegate administration for Active Directory objects. This module also describes how to configure and manage Active Directory trusts.

Module 9, “Creating and Managing Group Policy Objects”
In this module, you will understand how administrators deliver and maintain customized desktop configurations, ensure the security of a geographically and logistically dispersed collection of computers, and provide administration and management for an increasingly complex and growing computing environment.

Module 10, “Using Group Policy to Configure User and Computer Settings”
In this module, you will learn the skills and knowledge that you need to use Group Policy to configure Folder Redirection, and how to use scripts.

Module 11, “Implementing Security Settings Using Group Policy”
In this module, you will understand security-related components that can assist you in implementing security policies in your environment.

Module 12, “Providing Efficient Network Access for Remote Offices”
In this module, you will learn how to provide fast and secure logons at remote offices and place a read only domain controller (RODC) at the remote office. You will also learn how to use BranchCache to speed up access to data across the WAN and reduce WAN utilization.

Module 13, “Monitoring and Maintaining Windows Server 2008”
In this module, you will learn how to identify components that require additional tuning, and improve the efficiency of your servers.

Module 14, “Managing Windows Server 2008 Backup and Recovery”
In this module, you will learn necessary planning for backup and restore procedures, and startup issues, to ensure that you protect data and servers sufficiently against disasters.


Course Materials
The following materials are included with your kit:

• Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
  • Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
  • Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
  • Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
  • Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it’s needed.

• Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.
  • Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
  • Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN®, Microsoft Press®

• Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

• Course evaluation: At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

• To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.

Virtual Machine Environment
This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration
In this course, you will use Hyper-V deployed on Windows Server 2008 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course:

Virtual machine       Role
6419B-NYC-DC1         Windows Server 2008 R2 domain controller in the Contoso.com domain
6419B-NYC-DC2         Windows Server 2008 R2 domain controller in the Contoso.com domain
6419B-NYC-SVR1        Windows Server 2008 R2 member server in Contoso.com
6419B-NYC-EDGE1       Windows Server 2008 R2 member server in Contoso.com
6419B-INET1           Windows Server 2008 R2 standalone server
6419B-NYC-CL1         A Windows 7 computer in the Contoso.com domain
6419B-NYC-CL2         A Windows 7 computer in the Contoso.com domain
6419B-NYC-SVRCORE     Windows Server 2008 R2 standalone server with core installation
6419B-VAN-DC1         Windows Server 2008 R2 domain controller in the Adatum.com domain

Software Configuration
The following software is installed on each VM:
• Windows Server 2008 R2 Enterprise
• Windows® 7

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way. All the virtual machines are deployed on each student computer.

Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware are taught.
• Intel Virtualization Technology (IntelVT) or AMD Virtualization (AMD-V) processor
• Dual 120 GB hard disks 7200 RPM SATA or better*
• 4 GB RAM
• DVD drive
• Network adapter
• Super VGA (SVGA) 17-inch monitor
• Microsoft Mouse or compatible pointing device
• Sound card with amplified speakers
*Striped

Module 1: Overview of the Windows Server 2008 Management Environment

Lab: Managing Server Roles in a Windows Server 2008 Environment

Exercise 1: Determine Server Roles and Installation Types

Task 1: Review the supporting documentation.
1. Review the following email message received from Ed Meadows.

Task 2: Determine the server roles, server features, and installation types.
1. What server role(s) should be installed on NYC-SVR1? How should the server role(s) be configured?
Answer: You should install the Print and Document Services server role on NYC-SVR1. Since only network printing from Windows 7-based clients is being performed, the Print Server is the only Role Service that should be installed.
2. What additional server features will be needed to fulfill the requirements specified by Ed?
Answer: The Windows Server Backup Features will need to be enabled in order for the New York City administrators to perform backups of NYC-SVR1.
3. Are there any additional management considerations that need to be considered for the ongoing management of NYC-SVR1?
Answer: Since the administrators in New York that will be responsible for managing the servers want to be able to perform management tasks from their desktop computers, the appropriate Remote Server Administration Tools will need to be installed on their computers to manage both the Print and Document Services Role as well as the Windows Backup feature.

Exercise 2: Install Windows Server 2008 Server Roles and Features

Task 1: Use Server Manager to install the Print and Document Services Server Role.
1. On NYC-SVR1, click Start, click Administrative Tools and then click Server Manager.
2. In the Server Manager window, click on the Roles node in the left hand pane.
3. In the right-hand pane, click Add Roles.
4. In the Add Roles Wizard window, click Next.
5. On the Select Server Roles page, click the checkbox to select Print and Document Services and then click Next.
6. On the Print and Document Services page, click Next.
7. On the Select Role Services page, click Next.
8. On the Confirm Installation Selections page, click Install.

Note: The installation process will take a few moments to complete.

9. On the Installation Results page, click Close.

Task 2: Use Server Manager to install the Windows Server Backup Features.
1. In the Server Manager window, click the Features node in the left-hand pane.
2. In the right-hand pane, click Add Features.
3. On the Select Features page, scroll down, click the checkbox to select Windows Server Backup Features and then click Next.
4. On the Confirm Installation Selections screen, click Install.

Note: The installation process will take a few moments to complete.

5. On the Installation Results page, click Close.

Results: In this exercise, you will have installed Windows Server 2008 Server Roles and Features.

Exercise 3: Manage Windows Server 2008 Server Core

Task 1: Use Sconfig to configure Server Core installation options
1. Switch to the 6419B-NYC-SVRCORE virtual machine.
2. Log on to NYC-SVRCORE as Administrator with the password Pa$$w0rd.
3. In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.

Sconfig

4. On the Server Configuration screen type 8 and press ENTER.
5. At the Select Network Adapter prompt, type 0 and press ENTER.
6. At the Select option prompt, type 1 and press ENTER.
7. At the Select (D)HCP, (S)tatic IP prompt, type S and press ENTER.
8. At the Enter Static IP Address prompt, type the following and press ENTER:

10.10.0.20

9. At the Enter subnet mask prompt, type the following and press ENTER:

255.255.0.0

10. At the Enter default gateway prompt, type the following and press ENTER:

10.10.0.1

11. At the Select option prompt, type 2 and press ENTER.
12. At the Enter new preferred DNS server prompt, type the following and press ENTER:

10.10.0.10

13. In the Network settings window, click OK.
14. At the Enter alternate DNS server prompt, press ENTER.
15. At the Select option prompt, type 4 and press ENTER.
16. At Server Configuration screen, type 1 and press ENTER.
17. At the Join (D)omain or (W)orkgroup? prompt, type D and press ENTER.
18. At the Name of domain to join prompt, type the following and press ENTER:

Contoso.com

19. At the Specify an authorized domain\user prompt, type the following and press ENTER:

contoso\administrator

20. At the Type the password associated with the domain user prompt, type the following and press ENTER:

Pa$$w0rd

21. In the Change computer name window, click Yes.
22. At the Enter new computer name prompt, type the following and press ENTER:

NYC-SVRCORE

23. At the Specify an authorized domain\user prompt, type the following and press ENTER:

contoso\administrator

24. At the Type the password associated with the domain user prompt, type the following and press ENTER:

Pa$$w0rd

25. In the Restart window, click Yes.

Note: Wait for NYC-SVRCORE to restart before proceeding to the next task.

Task 2: Use Dism to install the Windows Server Backup feature
1. Switch to the 6419B-NYC-SVRCORE virtual machine.
2. Log on to NYC-SVRCORE as Administrator with the password Pa$$w0rd.
3. In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.

dism /online /get-features /format:table

Note: This command will display the list of features available on this server along with the installation status of each feature. Check to ensure that WindowsServerBackup shows as Disabled. You will find it near the top of the list.

4. In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.

dism /online /enable-feature /featurename:WindowsServerBackup

5. In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.

dism /online /get-features /format:table

Note: Check to ensure that WindowsServerBackup shows as Enabled. You will find it near the top of the list.

Task 3: Use Sconfig to configure Server Core remote management
1. Switch to the 6419B-NYC-SVRCORE virtual machine.

2. Log on to NYC-SVRCORE as Administrator with the password Pa$$w0rd.
3. In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.

Sconfig

4. On the Server Configuration screen type 4 and press ENTER.
5. On the Configure Remote Management screen, type 3 and press ENTER.
6. Click OK.

Note: Windows PowerShell must be enabled to allow Server Manager remote access.

7. On the Configure Remote Management screen, type 2 and then press ENTER.
8. In the Restart window, click Yes. The virtual machine restarts.
9. Log on to NYC-SVRCORE as Administrator with the password Pa$$w0rd.
10. In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.

Sconfig

11. On the Server Configuration screen type 4 and press ENTER.
12. On the Configure Remote Management screen, type 3 and press ENTER.

Note: This process will take a few moments to complete.

13. In the Enabled window, click OK.
14. On the Configure Remote Management screen, type 5 and then press ENTER.
15. On the Server Configuration screen, type 13 and then press ENTER.
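
The Task 2 check (confirming in the dism feature table that WindowsServerBackup shows as Enabled) can be scripted once Task 3 has enabled Windows PowerShell on the Server Core installation. The following is an added example, not part of the original courseware: the function names are hypothetical, the sample DISM output is constructed for illustration, and the script also lists every enabled feature so that unexpected additions to the Server Core footprint stand out.

```powershell
# Added example (not from the courseware). Written for Windows PowerShell 2.0.
# Function names are hypothetical; the sample table below is constructed.

function ConvertFrom-DismFeatureTable {
    # Turns the text of "dism /online /get-features /format:table"
    # into objects with Name and State properties.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows look like "FeatureName      | Enabled".
        if ($line -match '^\s*([^|\s][^|]*?)\s*\|\s*(\S.*?)\s*$') {
            $name  = $Matches[1]
            $state = $Matches[2]
            # Skip the column header and the dashed ruler lines.
            if ($name -eq 'Feature Name' -or $name -match '^-+$') { continue }
            New-Object PSObject -Property @{ Name = $name; State = $state }
        }
    }
}

function Test-RequiredFeature {
    # Reports the state of each required feature; Ok is true only for "Enabled".
    param([object[]]$Features, [string[]]$Required)
    foreach ($name in $Required) {
        $hit = @($Features | Where-Object { $_.Name -eq $name })
        if ($hit.Count -eq 0) { $state = 'NotListed' } else { $state = $hit[0].State }
        New-Object PSObject -Property @{
            Name  = $name
            State = $state
            Ok    = ($state -eq 'Enabled')
        }
    }
}

# Constructed sample in the layout DISM prints for /format:table.
$sample = @'
Deployment Image Servicing and Management tool

Features listing for package : (constructed sample)

------------------------------------------- | --------
Feature Name                                | State
------------------------------------------- | --------
WindowsServerBackup                         | Enabled
MicrosoftWindowsPowerShell                  | Enabled
NetFx2-ServerCore                           | Enabled
DNS-Server-Core-Role                        | Disabled
DHCPServerCore                              | Disabled

The operation completed successfully.
'@ -split "`r?`n"

# On NYC-SVRCORE, use live output instead of the sample:
#   $lines = & dism.exe /online /get-features /format:table
$lines = $sample

$features = @(ConvertFrom-DismFeatureTable -Lines $lines)
$results  = @(Test-RequiredFeature -Features $features -Required 'WindowsServerBackup')

# State of the feature the lab installs.
$results | Format-Table Name, State, Ok -AutoSize

# Everything currently enabled, for review against the intended server role.
$features | Where-Object { $_.State -eq 'Enabled' } |
    Sort-Object Name | Format-Table Name, State -AutoSize

# Flag any required feature that is not enabled.
$missing = @($results | Where-Object { -not $_.Ok })
if ($missing.Count -gt 0) {
    Write-Warning ("Required feature(s) not enabled: " +
        (($missing | ForEach-Object { $_.Name }) -join ', '))
}
```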

Task 4: Use Server Manager to connect to Server Core
1. 2. 3. 4. 5. 6. 7. Switch to the 6419B-NYC-DC1 virtual machine. Log on to NYC-DC1 as Contoso\Administrator with the password Pa$$w0rd. Click Start, click Administrative Tools and then click Server Manager. In the Server Manager window, right-click Server Manager (NYC-DC1) in the left-hand pane and then click Connect to Another Computer. In the Connect to Another Computer window, type NYC-SVRCORE, and then click OK. In the Server Manager window, click on the Roles node in the left hand pane. View the Roles pane.

Note: You cannot add or remove Roles from Server Core installation using Server Manager.


8. In the Server Manager window, click on the Features node in the left hand pane.
9. View the Features pane.

Note: You cannot add or remove Features from Server Core installation using Server Manager.

10. In the Server Manager window, click on the Diagnostics node in the left hand pane.
11. View the Diagnostics pane and the available Diagnostics components.
12. In the Server Manager window, click on the Configuration node in the left hand pane.
13. View the Configuration pane and the available Configuration components.
14. In the Server Manager window, click on the Storage node in the left hand pane.
15. View the Storage pane and the available Storage components.
16. Close Server Manager.

Results: In this exercise, you will have configured Windows Server 2008 Server Core.

 To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-SVRCORE.


Module 2: Managing Windows Server 2008 Infrastructure Roles

Lab A: Installing and Configuring DNS Server Role
Exercise 1: Installing and Configuring the DNS Server Role and Zones
 Task 1: Install the DNS Server Role on NYC-SVR1
1. Switch to the NYC-SVR1 virtual machine.
2. On the task bar, click the Server Manager button. The Server Manager appears.
3. In the left pane, click Roles.
4. In the details pane, click Add Roles. The Add Roles Wizard appears. Click Next.
5. On the Select Server Roles page, select the DNS Server check box, and then click Next.
6. On the DNS Server page, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.
9. Close Server Manager.

 Task 2: Allow Zone Transfers for Contoso.com
1. Switch to the NYC-DC1 virtual machine.
2. Click Start, point to Administrative Tools, and then click DNS. The DNS Manager appears.
3. In DNS Manager, expand NYC-DC1, expand Forward Lookup Zones, and then click Contoso.com. Contoso.com is the DNS zone that represents the Contoso.com Active Directory Domain Services domain.
4. Right-click Contoso.com and then click Properties.
5. In the Contoso.com Properties dialog box, click the Zone Transfers tab.
6. On the Zone Transfers tab, select the Allow zone transfers check box.
7. Under Allow zone transfers, click Only to the following servers, and then click Edit.
8. Under IP address, type 10.10.0.11, press ENTER, and then click OK. Note that a red X will appear. This is expected for this example.
9. On the Zone Transfers tab, click Notify.
10. In the Notify dialog box, ensure that Automatically notify is selected, under IP Address, type 10.10.0.11, press ENTER, and then click OK.
11. Click OK to close the Contoso.com Properties dialog box.

 Task 3: Configure a Secondary Zone for Contoso.com
1. Switch to the NYC-SVR1 virtual machine.
2. Click Start, point to Administrative Tools, and then click DNS. The DNS Manager window appears.

9. under Zone name. On the Zone Type page. On the Active Directory Zone Replication Scope page. and then click Next. 7. 8. 12. click Primary zone.com. and then click Next. Under Forward Lookup Zones. Results: At the end of this exercise. you will have installed the DNS Server role and configured secondary and reverse lookup zones.com zone. and then click New Zone. click Secondary zone. click Finish. Under Forward Lookup Zones. type 10. select the Update associated pointer (PTR) record check box.0.10. On the Completing the New Zone Wizard page. 5. On the Reverse Lookup Zone Name page. . type Contoso. STUDENT USE PROHIBITED 3. 7. click To all DNS servers running on domain controllers in this domain: Contoso.com. Right-click NYC-SVR1. expand NYC-SVR1. The New Zone Wizard appears. On the Master DNS Servers page. expand NYC-DC1. Verify that all of the resource records are visible for the Contoso. and then click Next. On the Zone Name page. 6. The New Zone Wizard appears. 5. press ENTER. In DNS Manager. 11. type 10. On the Zone Type page. 8. On the Reverse Lookup Zone Name page. click Contoso. and then click Next. 10.  Task 4: Configure a Reverse Lookup Zone 1. 9. click IPv4 Reverse Lookup Zone. 4. In the DNS Manager. click Finish. and then click OK.L2-2 Lab A: Installing and Configuring DNS Server Role MCT USE ONLY. On the Completing the New Zone Wizard page. next to Network ID. Switch to the NYC-DC1 virtual machine. Right-click Reverse Lookup Zones. Right-click Forward Lookup Zones. 2. and then click New Zone.com.com. 3. and then click Next.0. Click Next. Ensure that the Store the zone in Active Directory check box is selected. 4. On the Host (A) tab.10. and then click Next. and then click Next. Click Next. On the Dynamic Update page.10. and then click Forward Lookup Zones. under IP Address. 6. and then click Properties. and then click Next. and then click Reverse Lookup Zones. click Contoso. click Allow only secure dynamic updates.

right-click NYC-DC1. and then click New Alias (CNAME). click Contoso. in DNS Manager. Results: At the end of this exercise.Contoso. Right-click Contoso.com. On the General tab. 8. under Forward Lookup Zones. configure 10 days.com and then click Properties.com. 7. In the NYC-DC1 Properties dialog box. Aging. STUDENT USE PROHIBITED Exercise 2: Configuring Resource Records. 5. 4. and then click Properties. under Alias name. and then click OK. click the Advanced tab. 2. Under Fully qualified domain name (FQDN) for target host. Click OK to close the New Resource Record dialog box.com Properties dialog box. On NYC-DC1. 3. and then click OK. type NYC-SVR1. 9. and Scavenging  Task 1: Add resource records for Contoso. 3. click the Scavenge stale resource records check box. Click OK to close the Contoso. 6. 5.com 1. type www. 4. On NYC-DC1. On the Advanced tab. . Next to Scavenging period. 2.com.com and enabled Aging and Scavenging.Lab A: Installing and Configuring DNS Server Role L2-3 MCT USE ONLY.  Task 2: Configure Aging and Scavenging for Contoso. select the Enable automatic scavenging of stale records check box. On the Zone Aging/Scavenging Properties dialog box.com 1. Leave the No-refresh interval and the Refresh interval at the default setting of 7 days. in DNS Manager. Right-click Contoso. In the New Resource Record dialog box. click the Aging button. you will have configured a resource record for Contoso.


Exercise 3: Verify DNS Settings
 Task 1: Verify that the secondary zone is functional
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the NYC-SVR1 virtual machine. In DNS Manager, right-click Contoso.com, and then click Refresh. Verify that www is listed in the zone. www has been transferred successfully from the master DNS server. On the task bar, click Start, type Network, and then click View network connections. In the Network Connections window, right-click Local Area Connection, and then click Properties. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, next to Preferred DNS server, type 10.10.0.11, and then click OK. In the Local Area Connection Properties dialog box, click Close. Close the Network Connections window. Click Start, and then type cmd. Press ENTER.

10. In the command prompt window, type the following command and then press ENTER:
Ping www.contoso.com

11. Ensure that you receive four replies. The four replies verify that the secondary zone is resolving IP addresses as expected.
12. Close all open windows on NYC-SVR1.

 Task 2: Verify records by using Nslookup and DNSlint
1. Switch to the NYC-DC1 virtual machine.
2. Click Start, type cmd, and then press ENTER.
3. At the command prompt, type nslookup, and then press ENTER.
4. At the command prompt, type the following commands each followed by ENTER:
Set querytype=SOA
Contoso.com

5. Take note of the SOA information for the NYC-DC1 DNS server.
6. At the command prompt, type exit and then press ENTER.
7. At the command prompt, type C:\ and then press ENTER.
8. At the command prompt, type cd \Tools\dnslint, and then press ENTER.
9. At the command prompt, type dnslint, and then press ENTER. Notice the command-line help associated with dnslint.

10. At the command prompt, type the following command followed by ENTER:
Dnslint /s 10.10.0.10 /d contoso.com


11. Read through the report results, and then close the report window.
12. Close all open windows on NYC-DC1.

Results: At the end of this exercise, you will have verified settings by using NSlookup and DNSLint.

Note: Do not shut down the virtual machines; you will need them for the next lab.
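
The zone-transfer restriction from Exercise 1, Task 2 and the SOA check from Exercise 3, Task 2 can also be applied and verified from the command line. The PowerShell script below is an added example, not part of the original lab: it assumes it is run on NYC-DC1 as a DNS administrator with dnscmd.exe and nslookup.exe available, that the secondary zone on NYC-SVR1 already exists, and that dnscmd returns a non-zero exit code on failure; the helper function names are hypothetical.

```powershell
# Added example (not from the lab manual). Addresses are the lab's:
# NYC-DC1 = 10.10.0.10 (primary), NYC-SVR1 = 10.10.0.11 (secondary).
$Zone      = 'contoso.com'
$Primary   = '10.10.0.10'
$Secondary = '10.10.0.11'

function Invoke-DnsCmd {
    # Hypothetical helper: run dnscmd.exe and stop if it reports a failure,
    # so a rejected setting is never mistaken for an applied one.
    # Assumption: dnscmd exits with a non-zero code when a command fails.
    param([string[]]$Arguments)
    $output = & dnscmd.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed: $($output -join ' ')"
    }
    $output
}

function Get-SoaSerial {
    # Hypothetical helper: ask one server for the zone's SOA record and return its serial.
    param([string]$Server)
    $reply = & nslookup.exe '-type=SOA' $Zone $Server 2>$null
    foreach ($line in $reply) {
        if ($line -match 'serial\s*=\s*(\d+)') { return [uint32]$Matches[1] }
    }
    throw "No SOA serial for $Zone returned by $Server"
}

# Weak setting, shown commented out for contrast: /NonSecure lets any host pull the whole zone.
#   dnscmd $Primary /ZoneResetSecondaries $Zone /NonSecure
# Lab setting: transfer only to the listed secondary, and notify only that server.
Invoke-DnsCmd -Arguments $Primary, '/ZoneResetSecondaries', $Zone, '/SecureList', $Secondary, '/NotifyList', $Secondary | Out-Null

# Ask the secondary to pull the zone now instead of waiting for its refresh timer.
Invoke-DnsCmd -Arguments $Secondary, '/ZoneRefresh', $Zone | Out-Null

# The secondary is in sync when it serves the same SOA serial as the primary.
$expected = Get-SoaSerial -Server $Primary
$inSync = $false
foreach ($attempt in 1..6) {
    if ((Get-SoaSerial -Server $Secondary) -eq $expected) { $inSync = $true; break }
    Start-Sleep -Seconds 5
}
if ($inSync) { "OK: $Secondary serves $Zone serial $expected" }
else { Write-Warning "$Secondary has not reached serial $expected; check the Zone Transfers tab on the primary" }
```

If the serials never match, the most likely cause is that the address in the Only to the following servers list does not match the address the secondary uses to request the transfer.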


Lab B: Installing and Configuring DHCP Server Role
Exercise 1: Installing and Authorizing DHCP Server Role
 Task 1: Install the DHCP Server Role on NYC-DC1
1. Switch to the NYC-DC1 virtual machine.
2. On the task bar, click the Server Manager button. The Server Manager appears.
3. In the left pane, click Roles.
4. In the details pane, click Add Roles. The Add Roles Wizard opens. Click Next.
5. On the Select Server Roles page, select the DHCP Server check box, and then click Next.
6. On the DHCP Server page, click Next.
7. On the Select Network Connection Bindings page, ensure that 10.10.0.10 is selected and then click Next.
8. On the Specify IPv4 DNS Server Settings page, ensure that Parent domain is Contoso.com and Preferred DNS server IPv4 address is 10.10.0.10, and then click Next.
9. On the Specify IPv4 WINS Server Settings page, click Next.
10. On the Add or Edit DHCP Scopes page, click Next. You will add DHCP scopes in the next exercise.
11. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server, and then click Next.
12. On the Authorize DHCP Server page, ensure that Use current credentials is selected, and then click Next.
13. On the Confirm Installation Selections page, click Install.
14. On the Installation Results page, click Close.
15. Close Server Manager.

 Task 2: Verify DHCP Authorization
1. Click Start, point to Administrative Tools, and then click DHCP. The DHCP console appears.
2. In the DHCP console, right-click DHCP, and then click Manage authorized servers.
3. Verify that nyc-dc1.contoso.com is in the authorized DHCP servers list.
4. Click Close to close the Manage Authorized Servers dialog box.

Results: At the end of this exercise, you will have installed the DHCP Server role and verified DHCP authorization.

right-click Local Area Connection. select the 003 Router check box. and then click Next. and then click Configure Options. On the Configure DHCP Options page. 2. On the IP Address Range page. 12. and Reservations  Task 1: Configure a DHCP Scope 1.10. 6. expand nyc-dc1.10. 7.0] ContosoScope1.10. On the Router (Default Gateway) page. and then click Next. type cmd. 15. type Network. type 16. 2. 4. 6. On the Domain Name and DNS Servers page.50. 9. On the Lease Duration page. in the Name box. type ContosoScope1. 11. and then click Next. next to End IP Address. At the command prompt. 5. click Next. 2. and then press ENTER. The New Scope Wizard starts. On the Scope Name page. 8.  Task 3: Configure a DHCP Reservation 1. in the DHCP console.10. click Yes. Right-click Scope Options. . On NYC-DC1. type 10. On the Add Exclusions and Delay page. 5. and then click IPv4. expand Scope [10.0. 13. Next to Length. On the Completing the New Scope Wizard page.0] ContosoScope1.contoso.com. next to Start IP Address. in the DHCP console. click Start. click Finish. type 10. and then click New Scope. Click Address Pool and verify that the start and end IP addresses are configured as expected. 3.0. type ipconfig /all. and then click Properties. type 5. I want to configure these options now. accept the default settings.0.0.0. Right-click IPv4.  Task 2: Configure Scope Options 1.10. 3. 16. Click Next. and then click Next. Click Start. In the Local Area Connection Properties dialog box. STUDENT USE PROHIBITED Exercise 2: Configuring DHCP Scopes. 7. 10. On the General tab. On the Activate Scope page. click Scope Options.1. 3. Options. click Internet Protocol Version 4 (TCP/IPv4). 4. Click Next. and then click View network connections. Under IP address.100. click Next. and then click Properties. In the results take note of the physical address and write it down below (for example: 00-15-5D-0171-71): On the task bar. under Scope [10. I want to activate this scope now is selected. 
On the IP Address Range page. ensure that Yes. 4. In the DHCP console. In the Network Connections window. Switch to the NYC-SVR1 virtual machine.Lab A: Installing and Configuring DNS Server Role L2-7 MCT USE ONLY. Click Next. On the WINS Servers page. click Add. under Days. click Next. and then click OK. On NYC-DC1. type 10. 14.

10. For example:00-15-5D-01-71-71] 16. 9. click Obtain DNS server address automatically.L2-8 Lab A: Installing and Configuring DNS Server Role MCT USE ONLY. 14. and then click Add: • • • Reservation name: NYC-SVR1 IP address: 10. At the command prompt. click Close. 10. Right-click Reservations. with valid scope options.10. 17. 20. Results: At the end of this exercise. STUDENT USE PROHIBITED 8. 13. 3. 19. Right-click 6419B-NYC-DC1 in the Virtual Machines list. . In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.0. configure the following.0. 4. In the DHCP console. revert the virtual machines back to their initial state. click Reservations. In the New Reservation dialog box. In the Revert Virtual Machine dialog box. and then click New Reservation. 18. To do this. and then Click OK. At the command prompt. 15. Verify that NYC-SVR1 receives an IP address of 10. On the host computer. 12. Switch to the NYC-DC1 virtual machine. complete the following steps: 1. you will have configured a DHCP scope. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box. 2. click Obtain an IP address automatically. under Scope [10.0.10. click Revert. and a DHCP reservation. scope options. In the Local Area Connection Properties dialog box. Repeat these steps for 6419B-NYC-SVR1. and then click Revert. start Hyper-V Manager. type ipconfig/release. Switch to the NYC-SVR1 virtual machine.55 MAC Address: [Enter the value entered for step 4. Click Close to close the New Reservation dialog box. 11.  To prepare for the next module When you finish the lab. type ipconfig/renew.0] ContosoScope1. Close the Network Connections window.55.

Both folders should be shared. . Only Susanna Stubberod should be assigned Full Control for E:\Labfiles\Mod03\Production\Reports. Which NTFS permissions should be assigned to the Research department’s folder structure to fulfill the scenario requirements? Which permissions should be assigned to the shared folder? Answer: NTFS permissions should be assigned as follows. map a network drive to \NYC-SVR1\Research. Right-click the mapped drive. should be created for Susanna Stubberod’s reports. Shared folder permissions should be assigned as follows. What folder structure should be created on NYC-SVR1 to support the requirements of this scenario? Answer: Two folders should be created at. and this folder should not inherit permissions from its parent. E:\Labfiles\Mod03\Production\Reports. so they do not interfere with the application on the server. The Production department should be assigned Change permissions on the folder. E:\Labfiles\Mod03\Production and E:\Labfiles\Mod03\Research. Which NTFS permissions should be assigned to the Production department’s folder structure to fulfill the scenario requirements? Which permissions should be assigned to the shared folder? Answer: NTFS permissions should be assigned as follows. The Production group should be assigned full control permissions for E:\Labfiles\Mod03\Production. An additional folder. and click Always available offline.Lab: Managing Access to File Services L3-1 MCT USE ONLY. Full Control is not necessary because the Production department does not need to change permissions or take ownership of the shared folder. 3. Result: In this exercise. Shared folder permissions should be assigned as follows. 4. you discussed and determined solutions for a shared folder implementation. 2. STUDENT USE PROHIBITED Module 3: Configuring Access to File Services Lab: Managing Access to File Services Exercise 1: Planning a Shared Folder Implementation (Discussion) 1. 
How will you make the Research department’s files available to Max Stevens when he is offsite with the NYC-CL1? Answer: On NYC-CL1. The Research department should be assigned Read permissions on the folder. The Research department should be assigned full control permissions for E:\Labfiles\Mod03\Research.

In the Permissions for Production window. In the Advanced Sharing window. 7. 10. Close Server Manager.  Task 2: Create a shared folder structure by using Windows Explorer 1. In the Group or user names section. and then click OK. click the Sharing tab. On NYC-SVR1. and then click OK. 15. Type Production and press Enter. 18. click the Allow check box next to the Change option and then click OK. and then click Add. Type Reports and press Enter. 22. 9. 17. Computers. In the File Services section. In the Advanced Sharing window. click Remove. pane. On the toolbar menu. type Production. click New folder. Computers. In the Server Manager window. In the Production Properties window. Service Accounts. On the toolbar. verify that the File Server role service is installed. 4. 2. 3. click Edit. 4. click Text Document and then press ENTER. In the Production Properties window. 5. 20. . 12. In the Select Users. click the check box next to Share this folder and then click the Permissions button. 6. and then click Properties. In the Permissions for Production window. 16. or Groups window. 14. click Everyone. click New. right-click the empty pane. click Start. Double-click the Reports folder.L3-2 Lab: Managing Access to File Services MCT USE ONLY. and then click Computer. 21. STUDENT USE PROHIBITED Exercise 2: Implementing a Shared Folder Implementation  Task 1: Verify the File Services Role on NYC-SVR1 1. click New. Right-click Production. click Administrative Tools. in the left pane. 5. Double-click the Production folder. or Groups windows. In the details. click Add. Service Accounts. 23. Verify that File Services is listed as an installed role. 19. type Production. click Allfiles (E:). and then click Text Document. click Close. Rename the New Text Document file to Report1. click Check Names. and then click OK. On NYC-SVR1. click Check Names. click New folder. In the Computer window. 2. In the Production Properties window. browse to Labfiles\Mod03. right-click the empty pane. 
13. click Start. click the Roles node.txt. 11. In the Permissions for Production window. In the Permissions for Production window. and then click Server Manager. and then click Advanced Sharing. In the Select Users. click the Security tab. 8. click OK. 3. select the Allow check box next to the Full control option.

type Susanna. and then click the Permissions button. 11. In the Browse for Folder window. 2. click Remove. click Change Permissions. On the Advanced Security Settings for Reports dialog box. select the Users and groups have custom share permissions option. and then click Add. or Groups window. click Mod03. or Groups windows. remove the Allow check mark next to Read & Execute and List Folder Contents (Allow Read should be the only permission selected) and then click OK. 5. Computers. and then click OK. 35. click the Allow check box next to the Full control option and then click OK 33. In the Share and Storage Management console. click Add. In the Select Users. In the Shared Folder Location page. and then click OK. 7. . 6. 12. In the Permissions for Research window. 16. and then click OK. expand Labfiles. Computers. 8. click Add. STUDENT USE PROHIBITED 24. In the SMB permissions page. 32. and then click the Advanced button. 31. 10. select the Yes. type Research. In the Share Protocols page. Click OK again to close the Advanced Security Settings for Reports dialog box. 28. Remove the check mark next to Include inheritable permissions from this object’s parent. click the Check Names button. In the Permission Entry for Reports window. In the Shared Folder Location page. click Administrative Tools. expand e$. click Next. 30. 15. 4. 25. and then click Make New Folder. click Next. In the Select Users. click Check Names. In the NTFS Permissions page. 26. Right-click the Reports folder and the click Properties. In the Windows Security dialog box. or Groups window. and then click Share and Storage Management. 34. In the SMB Settings page. and then click OK. press ENTER. 13. On the Advanced Security Settings for Reports dialog box. 3. On NYC-SVR1. Service Accounts. 9. change NTFS permissions option. On the Advanced Security Settings for Reports dialog box. Type Research. On the Reports Properties dialog box. click Everyone. Click the Security tab. click Browse. 
and then click Edit Permissions. click Provision Share in the right pane. Service Accounts. click Check Names. In the Permissions for Research page. click Next. Computers. 27. In the Select Users. Click the Back button to go back to the Production folder. In the NTFS permissions page. click Next. click OK. click OK.Lab: Managing Access to File Services L3-3 MCT USE ONLY. click Remove. In the Permissions for Research window. Service Accounts. type Research. 29. 14.  Task 3: Create shared folders by using the Share and Storage Management Console 1. Close the Production window. click Start.

Close all open windows on NYC-CL1.L3-4 Lab: Managing Access to File Services MCT USE ONLY. In the Windows Explore window. In the Permissions for Research window. ensure that Allow is selected for Read. 20. click Create. In the Windows Explorer window. 6. STUDENT USE PROHIBITED 17. right-click Research (\NYC-SVR1)(R:). Results: In this exercise. 4. you implemented a shared folder structure. In the Confirmation page.  Task 4: Configure Offline files 1. Click Start. click Next. 3. and then click Finish. 18. Log on to NYC-CL1 as Contoso\Max with password Pa$$w0rd. In the SMB Permissions page. click Next. and then click OK. 2. 21. in the Folder box. type \NYC-SVR1\Research. In the DFS Namespace Publishing page. and then click Always available offline. expand Computer. and then click Computer. In the Review Settings and Create Share page. click Map network drive . . click the Drive: drop-down box and select R. In the Map Network Drive window. 5. 19. on the toolbar. click Close.

Click Start and then in the Search programs and files box. 3. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1. Double-click Research (\NYC-SVR1)(R:). Close Notepad and then log off of NYC-CL1. 9. you evaluated a shared folder implementation. type \NYC-SVR1\Production and then press ENTER. and then click Revert. 2. 6. 10. type \NYC-SVR1\Production and then press ENTER. Double-click Reports. complete the following steps: 1. On NYC-CL1. Click Close. 8. In the details pane. An access-denied message appears. click Start and then click Computer. revert the virtual machines back to their initial state. 4. 2. Close Windows Explorer and log off of NYC-CL1. 2. In the Windows Explorer window. 3. Close Notepad. double-click New Text Document to open the file in Notepad. 5. click Revert. Click Cancel. point to New. 7. . Double-click the Reports folder. and then save the file. In the New Text Document – Notepad window. Log on to NYC-CL1 as Contoso\Scott with password Pa$$w0rd. Click Start and then in the Search programs and files box. On the host computer.  To prepare for the next module When you finish the lab. and then click Text Document. 12. right-click the empty space. 3. To do this. Double-click Report1 and ensure that you can open and save the file. type Testing file permissions. STUDENT USE PROHIBITED Exercise 3: Evaluating the Shared Folder Implementation  Task 1: Test Research Folder Permissions 1. 4.  Task 2: Test Production Shared Folder Permissions 1. Log on to NYC-CL1 as Contoso\Susanna with password Pa$$w0rd. In the Revert Virtual Machine dialog box. 11. Results: In this exercise. An access-denied message appears. start Hyper-V Manager.Lab: Managing Access to File Services L3-5 MCT USE ONLY. 4. Log off of NYC-CL1. Right-click 6419B-NYC-DC1 in the Virtual Machines list.


select the check box next to Distributed File System. Switch to the NYC-DC1 virtual machine. In the console pane. 6. 1. DFS Namespaces. click Add Role Services. Close Server Manager. and DFS Replication options are also selected.  Task 2: Install the Distributed File System Role Service on NYC-DC1. click Add Role Services. 4. 3. On the Select Role Services page. click the Server Manager button. 5. Click Next. On the Installation Results page. and DFS Replication options are also selected. 4. click Install. you will have installed the DFS role service on NYC-SVR1 and NYC-DC1. In the console pane. Switch to the NYC-SVR1 virtual machine. click Roles.Lab: Installing and Configuring the Distributed File System Role Service L4-1 MCT USE ONLY. The Add Role Services wizard opens. The Server Manager opens. click the Server Manager button. 5. 7. Results: After completing this exercise. 3. and then click Next. On the task bar. 9. click Close. The Add Role Services wizard opens. STUDENT USE PROHIBITED Module 4: Configuring and Managing Distributed File System Lab: Installing and Configuring the Distributed File System Role Service Exercise 1: Installing the Distributed File System Role Service  Task 1: Install the Distributed File System Role Service on NYC-SVR1. and then click Next. 8. 1. 9. The Server Manager opens. Ensure that the File Server. under File Services. On the Confirm Installation Selections page. 6. On the Confirm Installation Selections page. Close Server Manager. 8. select Create a namespace later using the DFS Management snap-in in Server Manager. In the details pane. On the Create a DFS Namespace page. 2. click Roles. 7. 2. Ensure that the File Server. In the details pane. Click Next. select the check box next to Distributed File System. DFS Namespaces. . On the task bar. On the Create a DFS Namespace page. click Install. On the Installation Results page. click Close. On the Select Role Services page. 
select Create a namespace later using the DFS Management snap-in in Server Manager.

5. under Namespaces. and then click New Namespace. select the check box next to Enable access-based enumeration for this namespace. click Create. STUDENT USE PROHIBITED Exercise 2: Creating a DFS Namespace  Task 1: Use the New Namespace Wizard to create the CorpDocs namespace. On the Confirmation page. 8. click Start. click the Advanced tab.  Task 2: Enable access-based enumeration for the CorpDocs namespace. click Namespaces. and then click Properties. under Server.com\CorpDocs Properties dialog box. and then click Close. In the console pane. On the Namespace Type page. under Name. ensure that the Create namespace task is successful. and then click DFS Management. and then click Next. click \Contoso. 10. On the Advanced tab. 1. 2.com\CorpDocs. 7. right-click \Contoso. On the Review Settings and Create Namespace page. Take note that the namespace will be accessed by \Contoso. click the Namespace Servers tab and ensure that there is one entry that is enabled for \NYC-SVR1\CorpDocs. 2. Right-click Namespaces. 9. point to Administrative Tools. . In the \Contoso. type NYC-SVR1. In the details pane.L4-2 Lab: Installing and Configuring the Distributed File System Role Service MCT USE ONLY. 11. On the Namespace Server page. The DFS Management console opens. In the console pane. 1. you will have created the CorpDocs namespace and configured it to use access-based enumeration. In the console pane.com\CorpDocs. Results: After completing this exercise. ensure that Domain-based namespace is selected. type CorpDocs. On NYC-SVR1. 4. and then click Next. and then click OK. On the Namespace Name and Settings page. 6. under Namespaces. 3. The New Namespace Wizard starts. Ensure that the check box next to Enable Windows Server 2008 mode is selected and then click Next. 3.com\CorpDocs.

On NYC-SVR1. STUDENT USE PROHIBITED Exercise 3: Configuring Folder Targets  Task 1: Add the MarketingTemplates folder to the CorpDocs namespace. The New Folder dialog box opens. you will have configured Folder Targets for the CorpDocs namespace.Lab: Installing and Configuring the Distributed File System Role Service L4-3 MCT USE ONLY. type \Contoso. Switch to the NYC-SVR1 virtual machine.com\Corpdocs. click Start.com\CorpDocs. in the Search programs and files box. Press ENTER. 5. 2. In the Add Folder Target dialog box. under Name. and then click OK. In the New Folder dialog box. Results: After completing this exercise. In DFS Management. type \NYC-DC1\MarketingTemplates. Close the corpdocs window. 3. Click OK again to close the New Folder dialog box. type \NYC-SVR1\PolicyFiles. In the New Folder dialog box. In the Add Folder Target dialog box.  Task 3: Verify the CorpDocs namespace. In the New Folder dialog box. 2.  Task 2: Add the PolicyFiles folder to the CorpDocs namespace. 4. 1. 2. . right-click \Contoso. The New Folder dialog box opens. under Name. In the corpdocs window. 1. and then click New Folder. type PolicyFiles. click Add. 6. and then click New Folder. In DFS Management. 1. 3. The Add Folder Target dialog box opens. verify that both MarketingTemplates and PolicyFiles are visible. Click OK again to close the New Folder dialog box. and then click OK. In the New Folder dialog box. 5. click Add. type MarketingTemplates.com\CorpDocs. right-click \Contoso. 3. The Add Folder Target dialog box opens. 4. and then.

and then click Create Diagnostic Report. At the Replication Delay message. On the Replication Eligibility page. 7. 1. On the Confirmation page. 5. The Replicate Folder Wizard starts.  Task 3: View Diagnostic Reports. 2. and then click OK. and then click contoso. 7. 9. On the Memberships tab. expand \Contoso. In the Create Share dialog box. in the Replicate Folder Wizard. notice that there is currently only one folder target. right-click contoso. In the details pane. On the Type of Diagnostic Report of Test page. and then click Next. In the Create Share dialog box. expand Replication. and then click Close. In DFS Management. 6. On the Path and Name page. type C:\PolicyFiles. 2. and then click OK.  Task 2: Configure DFS Replication. select Administrators have full access.com\corpdocs\policyfiles. under Path to folder target. The Diagnostic Report Wizard starts. and then click Next. and then click Add Folder Target. 3. and then click Next. select Full mesh. Switch to the NYC-SVR1 virtual machine. and then click Next. 4. 2. click Yes to create the folder on NYC-DC1. select NYC-SVR1. click OK. 8. In the Warning dialog box. In the details pane. In the DFS Management console. On the Topology Selection page. click Create. Right-click PolicyFiles. STUDENT USE PROHIBITED Exercise 4: Configuring DFS Folder Replication  Task 1: Create another Folder Target for PolicyFiles. and then click Make read-only. under Local path of shared folder. click Next. 9. In the Replication dialog box. accept the default settings. 3. 8. 3. click Health report. in the DFS Management console. On NYC-SVR1. 11. and then click Next . on the Replication Group and Replicated Folder Name page. right-click NYC-DC1. On the Replication Group Schedule and Bandwidth page. On the Primary Member page. verify that the replicated folder is shown on both NYCDC1 and NYC-SVR1. 5. click Yes to create the shared folder on NYC-DC1.com\corpdocs\policyfiles. other users have read and write permissions. 1. 10. 
verify that all tasks are successful. ensure that Replicate continuously using the specified bandwidth is selected. type \NYC-DC1\PolicyFiles. 1. In the Warning dialog box. In DFS Management. On the Review Settings and Create Replication Group page. accept the default settings. click Yes. and then click Next. 6.com\CorpDocs. under Shared folder permissions. 4. In the New Folder Target dialog box. on the Memberships tab.L4-4 Lab: Installing and Configuring the Distributed File System Role Service MCT USE ONLY. This setting will automatically configure the replicated copy to be read-only. and then click PolicyFiles.

4. On the Members to Include page, ensure that both NYC-DC1 and NYC-SVR1 are included members, and then click Next.
5. On the Options page, next to Reference Member, select NYC-SVR1, and then click Next.
6. On the Review Settings and Create Report page, click Create.
7. Review the DFS Replication Health Report for errors.

Results: After completing this exercise, you will have configured DFS Folder Replication and produced a diagnostic report.

To prepare for the next module
When you complete the lab exercises, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1.


Module 5: Managing File Resources Using File Server Resource Manager

Lab A: Installing FSRM and Implementing Quota Management

Exercise 1: Installing the FSRM Role Service

Task 1: Install the FSRM role service.
1. On NYC-SVR1, click Start, click Administrative Tools, and then click Server Manager.
2. In the Server Manager window, click Roles.
3. In the details pane, under Role Services, click Add Role Services.
4. In the Select Role Services page, click the File Server Resource Manager check box, and then click Next.
5. In the Configure Storage Usage Monitoring page, click to select the checkbox next to Allfiles (E:) and then click Next.
6. In the Set Report Options page, click Next.
7. In the Confirm Installation Selections page, click Install.
8. After the installation is completed, click Close.
9. Close the Server Manager window.

Results: In this exercise, you installed the FSRM role service.

which will generate a warning in Event Viewer. In Windows Explorer. Select the Send warning to event log check box. and then click File Server Resource Manager. and then click Command Prompt. click Accessories. and then click Open Windows Explorer. Click the Event Log tab. Click Auto apply template and create quotas on existing and new subfolders. on the Action menu. In the Create Quota Template dialog box. 11. 7. click Refresh. In the details pane. 3. 8. . and then click Quota Templates. 9. point to Administrative tools. 9. type E:\Labfiles\Mod05\Users. Right-click Quotas. On NYC-SVR1. Under Notification thresholds. 5. click Start. notice that the newly created folder appears in the list. and then select the Send warning to event log check box. point to Administrative Tools. click 100MB Limit Log to Event Viewer. in the Template name field. In File Server Resource Manager. 6. Click OK twice. 6. Type fsutil file createnew file1. In the details pane. expand Quota Management. Type cd \Labfiles\Mod05\Users\Max. browse to E:\Labfiles\Mod05\Users. In the Add Threshold dialog box. On the Create Quota dialog box. click the Event log tab. Click Start. In the File Server Resource Manager console pane. 2. This creates a file that is over 85 MB. and then press Enter. and then press Enter. 5. and then press Enter. click Quotas. 10. verify that the E:\Labfiles\Mod05\Users\* path has been configured with its own quota entry. 4.  Task 3: Test that the quota is functional. 1. 8. 4. type 100 MB Limit Log to Event Viewer. 2. 10. and then click OK. in the Quota path field. 3.L5-2 Lab A: Installing FSRM and Implementing Quota Management MCT USE ONLY. and then click Create Quota Template. Click Start. In the Derive properties from this quota template (recommended) list. 1. 11. Right-click Quota Templates.txt 89400000. in the Generate notification when the usage reaches (%) field. click Add. and then click Create. 4. and then click Event Viewer. Type E:. 
 Task 2: Configure a quota based on the quota template. 7. Right-click Start. STUDENT USE PROHIBITED Exercise 2: Configuring Storage Quotas  Task 1: Create a quota template. Create a new folder named Max. click Add. click All Programs. and then click Create Quota. You may have to refresh the Quotas folder to view the changes. type 100. In the File Server Resource Manager console pane. 5. In the Create Quota Template dialog box. 3. In the Add Threshold dialog box. 1. 2.

6. In the Event Viewer console pane, expand Windows Logs, and then click Application.
7. In the details pane, note the event with Event ID of 12325.
8. In the Command Prompt window, type fsutil file createnew file2.txt 16400000, and then press Enter. Notice that the file cannot be created because it would surpass the quota limit.
9. Type exit, and then press Enter.
10. Close all open windows on NYC-SVR1.

Results: In this exercise, you configured a storage quota.

enter MPx Media Files into the File group name box. 1.L5-4 Lab A: Installing FSRM and Implementing Quota Management MCT USE ONLY. and then click Add. On NYC-SVR1. On the File Server Resource Manager Options dialog box. Click OK. Click OK. in the File screen path box. select and then right-click File Screens. type *. type Block MPx Media files. in the Template name box. and then click Create File Screen Template. Click Create. . Right-click File Groups. 7. 2. 3. Under Screening type. Select the check box next to Record file screening activity in auditing database. 6. and then click File Server Resource Manager.mpp. 3. and then click Create File Screen. 6. 4. Do not allow users to save unauthorized files is selected.mp*. STUDENT USE PROHIBITED Lab B: Configuring File Screening and Storage Reports Exercise 1: Configuring File Screening  Task 1: Create a file group. In the Create File Screen window. click Administrative Tools. 8. In the Create File Screen window. 5. In the File Server Resource Manager console tree. click the Derive properties from this file screen template (recommended) drop-down box. 1.  Task 3 Create a file screen. Right-click File Server Resource Manager (Local) and then click Configure Options. 1. 2. type *. Click the check box next to Send warning to event log. Click the Event Log Tab. In the Files to include box. 2. and then click Add. 3. 7. click File Screen Templates. In the Create File Group Properties window. Note: This step is to allow recording of File Screen events that supply data for the a File Screen Audit report to be run in Exercise 2 5. and click Block MPx Media Files. 4. ensure that Active screening. click Start. 4. click the File Screen Audit tab. In the File Server Resource Manager console tree. type E:\Labfiles\Mod05\Users. In the File Server Resource Manager console tree. 9. Click OK. 10. click to select the checkbox next to the MPx Media Files file group. Right-click File Screen Templates. 
In the Create File Screen Template window.  Task 2: Create a file screen template. In the File groups section. In the Files to exclude box. expand File Screening Management and then click File Groups. and then click Create File Group.

5. Close File Server Resource Manager.

Task 4: Test the file screen.
1. Click Start, and then click Computer.
2. In the left pane, click Allfiles (E:).
3. In the right pane, right-click and point to New, and then click Text Document.
4. Rename New Text Document.txt to musicfile.mp3. Click Yes to change the file name extension.
5. Right-click musicfile.mp3, and then click Copy.
6. In the left pane, expand Allfiles (E:), expand Labfiles, expand Mod05, right-click Users, and then click Paste. You will be notified that the system was unable to copy the file to E:\Labfiles\Mod05\Users.

Results: After this exercise, you should have configured file screening by creating a file group, a file screen template, and a file screen.

Exercise 2: Generating Storage Reports

Task 1: Generate an On-Demand Storage Report.
1. On NYC-SVR1, click Start, click Administrative Tools, and then click File Server Resource Manager.
2. In the File Server Resource Manager console pane, click Storage Reports Management.
3. Right-click Storage Reports Management, and then click Generate Reports Now.
4. In the Storage Reports Task Properties dialog box, click Add.
5. In the Browse For Folder dialog box, browse to E:\Labfiles\Mod05\Users, and then click OK.
6. Under Select reports to generate, select the File Screening Audit check box, and then click OK.
7. In the Generate Storage Reports dialog box, verify that Wait for reports to be generated and then display them is selected, and then click OK.
8. In the Windows Internet Explorer window, review the generated reports.
9. Close all open windows on NYC-SVR1.

Results: In this exercise, you generated a storage report.

Click OK. 7. In the Classification mechanism area. 9. 16. double-click in the blank cell below the Name column and type String. in the Property name box. and then click OK. 4. 10. type Assigns a confidentiality value of Yes or No. click the drop-down box and select Yes/No. Click OK. click the drop-down box and select Content Classifier. 15. In the Additional Rule Parameters window. 14. 2. Right-click the Classification Rules node.  Task 2: Apply classification properties by using classification rules. Right-click Classification Properties. select Confidential (Assigns a confidentiality value of Yes or No) for Property Name. in the Property value section. In the Browse For Folder window. 11. click Administrative Tools. 13. 1. In the Property name section. 8. 5. 3. In the Description box. . In the Run Classification window. Expand the Classification Management node. click OK. click Data. Under Property type. then expand Mod05. 5. type Confidential and in the Description field. and then click Classification Properties. click the Add button.Lab A: Installing FSRM and Implementing Quota Management L5-7 MCT USE ONLY. 6. In the Scope section. then expand Labfiles. select the Wait for classification to complete execution option. 3. In the Rule name box. click Start. 12. 4. expand Allfiles (E:). and then click File Server Resource Manager. select Yes for Property value. and then click Run Classification With All Rules Now. and then click OK. click the Additional Classification Parameters tab. Double-click in the Value column and type payroll. 2. 6. STUDENT USE PROHIBITED Lab C: Configuring Classification and File Management Tasks Exercise 1: Configuring Classification Management  Task 1: Create a classification property. click the Classification tab. type Confidential Payroll Documents. On the Additional Classification Parameters tab. In the Classification Rule Definitions window. 1. and then click Create Property. On NYC-SVR1. Click the Classification Rules node. 
and then click Create a New Rule. type Classify documents containing the word “payroll” as confidential. Right-click the Classification Rules node. In the Create Classification Property Definition window. In the Classification Rule Definitions window. and then click Advanced.

17. View the report and ensure that January.txt is listed on the report.
18. Browse to the E:\Labfiles\Mod05\Data folder and view the contents of January.txt.
19. Close all open windows on NYC-SVR1.

Results: In this exercise, you configured Classification Management.

21. To do this. 8.txt is now located in this folder. and then click Run File Management Task Now. 19. click Data. click the Condition tab.txt is on the list. In the Schedule window. 12. expand Mod05. 4. click the Schedule tab. The relocated folder structure for January. revert the virtual machines back to their initial state. 15. In the Create File Management Task window. Right-click the Move Confidential Files task. In the Create File Management Task window. type Move Confidential Files In the Description box. On the Condition tab. and then click File Server Resource Manager. click Administrative Tools. 14. select Confidential. 7.Lab A: Installing FSRM and Implementing Quota Management L5-9 MCT USE ONLY. click the Add button. STUDENT USE PROHIBITED Exercise 2: Implementing File Management Tasks  Task 1: Configure file management tasks based on classification properties. you implemented File Management Tasks. In the Property Condition window. When you finish the lab. In the Revert Virtual Machine dialog box. 5. On the Schedule tab. and then click Create File Management Task. On the Action tab. click the New button. click the Operator drop-down box. 3. select the Wait for task to complete execution option. 9. click Revert. In the Scope section. click the Value drop-down box . Repeat these steps for 6419B-NYC-SVR1. ensuring that January. and then click OK. 6. 10. Results: In this exercise. expand Labfiles. Select and then right-click the File Management Tasks node. 2. Expand Allfiles (E:). In the Task name box. In the Expiration directory field type E:\Labfiles\Mod05\Confidential. click OK. click Start.  To prepare for the next module. 2. 16. In the Create File Management Task window. On the host computer. and then click OK. Right-click 6419B-NYC-DC1 in the Virtual Machines list. In the Run File Management Task window. select File expiration. On NYC-SVR1. 17. In the Create File Management Task window. and then select Yes. for Type. 
Open the E:\Labfiles\Mod05\Confidential folder and view the contents. 11. click the Action tab. click the Create button. select Equal. and then click OK. click the Add button. 3. Click OK. 4. and then click Revert. 1. View the generated report. under the Property conditions section. click the Property drop-down box. start Hyper-V Manager. 20. 13. complete the following steps: 1. . type Move confidential documents to another folder. 18.


7. From the Administrative Tools menu. On the Address Range Assignment page. On the IP Address Assignment page. Click Next. and then click Configure and Enable Routing and Remote Access.0. click Routing and Remote Access. click OK. On the VPN Connection page. 9. select From a specified range of addresses. and then click Next. On the Managing Multiple Remote Access Servers page. select and right-click NYC-EDGE1 (Local). On the Network Policy and Access Services introduction page. select the Public. select the VPN check box.Lab A: Implementing a Virtual Private Network L6-1 MCT USE ONLY. click Start. 2. On NYC-EDGE1.60. 6. and then click Add Roles. In the Routing and Remote Access dialog box. In the Number of addresses box. right-click Roles.  Task 2: Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients 1. STUDENT USE PROHIBITED Module 6: Configuring and Securing Remote Access Lab A: Implementing a Virtual Private Network Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution  Task 1: Install the Network Policy and Access Services role on 6419B-NYC-EDGE1 1. 3. and then click Next. On the Select Role Services page. 4. On the Remote Access page. On NYC-EDGE1. click New. On the Select Server Roles page. . and click Next. verify Installation succeeded appears in the details pane. click Next. and then click Administrative Tools. click Next. 2. 5. 10. click Start. On the wizard Welcome page. use Routing and Remote Access to authenticate connection requests. and then click Next. leave the default selection No. 3. 8. In the Server Manager (NYC-EDGE1) list pane. From the Administrative Tools menu. and then click Administrative Tools. On the Confirm Installation Selections page. The Network Policy and Routing and Remote Access Services roles are installed on 6419B-NYC-EDGE1. On the Configuration page. and in the Start IP address box. The Routing and Remote Access administrative tool appears. Click Finish. 
4. and then click Next. select Network Policy and Access Services. and then click Close. Close the Server Manager. 11. and click OK. 9. click Install. 7.10. The Server Manager opens. In the list pane. and click Next. and click Next. Click Next. type the following value 10. 8. click Server Manager. On the Installation Results page. The Add Roles Wizard appears. select the Network Policy Server and Routing and Remote Access Services check boxes. 6. type the value of 75. 5. leave the default Remote Access (dial-up or VPN) selected.

. In the Routing and Remote Access dialog box. for WAN Miniport (L2TP). 7. STUDENT USE PROHIBITED 12. right-click Ports. click Yes to continue. double-click WAN Miniport (SSTP). 3. and then click OK. assign a value of 25 in the Maximum ports box. 6. click OK. 9. double-click WAN Miniport (PPTP). 8. click OK. In the Routing and Remote Access dialog box. Results: In this exercise. Repeat this procedure. In the Configure Device – WAN Miniport (SSTP) dialog box. assign a value of 25 in the Maximum ports box. 4. with the same value (25). Close the Routing and Remote Access administrative tool. click Yes to continue. and then click Properties. In the Ports Properties dialog box.  Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25 L2TP connections 1. 5. expand NYC-EDGE1. you enabled routing and remote access on the NYC-EDGE1 server. 2. In the Routing and Remote Access dialog box regarding the DHCP Relay agent. In the Ports Properties dialog box. and then click OK. and in the Configure Device – WAN Miniport (PPTP) dialog box. In the Routing and Remote Access management tool interface. The Routing and Remote Access service starts.L6-2 Lab A: Implementing a Virtual Private Network MCT USE ONLY. In the Ports Properties dialog box.

Configure the following IP address settings. and click Edit. click Next. 2. click Remote Access Server (VPN-Dial up). and in the details pane. Repeat this step to make the policy the first in the list. under Network and Internet. Right-click Local Area Connection 3. In the list pane. and then click New. and then click Next. Change the Time of day constraints to Denied access from 11PM to 6AMMonday thru Friday. deselect all settings except Strongest encryption (MPPE 128-bit). right-click the Secure VPN policy. click Encryption. In the Control Panel window. Click Start. 5. click View network status and tasks. and then click Control Panel. expand Policies. 3. In the Select Condition dialog box. 7.0. right-click Network Policies. click OK. On the Configure Authentication Methods page. PPTP. and then click Move Up.255.1 Click Close.20 Subnet mask: 255. and then click Properties. 4. select Day and time restrictions. and then click Properties.107. and in the details pane. 9.  Task 2: Create a new network policy for RRAS clients 1. 4. Select Internet Protocol Version 4 (TCP/IPv4).  Task 3: Create and Test a VPN Connection 1. deselect the Microsoft Encrypted Authentication (MS-CHAP) check box. STUDENT USE PROHIBITED Exercise 2: Configuring a Custom Network Policy  Task 1: Open the Network Policy Server management tool on 6419B-NYC-EDGE1 1. click Change adapter settings. 2. IP Address: 131. On the New Network Policy – Specify Network Policy Name and Connection Type page. On NYC-EDGE1. and then click Finish. 8. click the Network Policies node. 2. and then click Administrative Tools. scroll down and double-click Tunnel Type. On the Administrative Tools menu. and click Next. leave the default of Access granted. 6. type Secure VPN in the Policy name text box. click Add. 5. and then click OK: • • • 8. and then click Next. and then click Next. click OK. click Network Policy Server. click Start. and in the Type of network access server drop-down list. 10. select L2TP.255. 
Switch to the NYC-CL1 computer. under Settings. On the Specify Conditions page.Lab A: Implementing a Virtual Private Network L6-3 MCT USE ONLY. In the list pane of the Network Policy Server tool. and then click Next. 7. In the Network and Sharing Center window. and then click the Back button to return to the Network and Sharing Center. select Allow access only on these days and at these times. Close the Network Policy Server tool. . 6. In the Tunnel Type dialog box.0. and SSTP. The Network Policy Server administrative tool appears. On the Configure Constraints page. 3.0 Default gateway: 131. under Constraints. In the Configure Settings dialog box. On the Specify Access Permission page.107. If necessary.

On the host computer. and then click Create. 4.0. Close all open windows on NYC-CL1. To do this. 18. 11. 13. Right-click 6419B-NYC-DC1 in the Virtual Machines list. and then click Next. right-click Contoso VPN. and then click Revert. 3. 2. 17. click Revert. STUDENT USE PROHIBITED 9. In the Revert Virtual Machine dialog box. click Set up a new connection or network. and then click Connect: • • • User name: Administrator Password: Pa$$w0rd Domain: Contoso The VPN connects successfully. In the Type the Internet address to connect to dialog box.L6-4 Lab A: Implementing a Virtual Private Network MCT USE ONLY. click Connect to a workplace. 15. . you created and tested a VPN connection. 16. and then click Next. In the Choose a connection option dialog box. 12. select the Use my Internet connection (VPN) option.107. 10. complete the following steps: 1. Use the following information in the Connect Contoso VPN text boxes. under Change your networking settings. In the Network and Sharing Center window. and then click Connect. leave the user name and password blank. Right-click Contoso VPN. On the Network Connections page.  To prepare for the next lab When you finish the lab. When prompted. Results: In this exercise. Click Close in the Connect to a Workplace dialog box. specify an Internet address of 131. In the Connect to a workplace dialog box. revert the virtual machines back to their initial state. The VPN disconnects. Repeat these steps for 6419B-NYC-EDGE1and 6419B-NYC-CL1. In the Network and Sharing Center window.2 and a Destination Name of Contoso VPN. and click Disconnect. 14. start Hyper-V Manager. click I’ll set up an Internet connection later. On the Type your user name and password page. click Change adapter settings.

Select the Computer check box. In the console tree. On the File menu. and then click Finish. and then press ENTER. and then close the certsrv management console. click Administrative Tools. 6. expand Certificates (Local Computer). click Certificates. point to Administrative Tools. and then click Close. Install the NPS Server role: a. and then select Authenticated Users. b. type mmc. Switch to the NYC-EDGE1computer. and then click Properties. and then click Next. In the permissions for Authenticated Users.  Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server 1. click Run. e. click Active Directory Enrollment Policy. Click No when prompted to save console settings. right-click Certificate Templates. Verify the status of certificate installation as Succeeded. and then click Request New Certificate. 3. Click OK to close the Add or Remove Snap-ins dialog box. c. click Next. and then click Next. Close the Certificate Templates console.Lab A: Implementing a Virtual Private Network L6-5 MCT USE ONLY. under Roles Summary. The Certificate Enrollment dialog box opens. Click Roles. click Security. and then click Finish. and then click Manage. right-click Personal. 5. 2. click Next. Close the Console1 window. and then click OK. 4. STUDENT USE PROHIBITED Lab B: Implementing NAP into a VPN Remote Access Solution Exercise 1: Configuring NAP Components  Task 1: Configure a Computer Certificate 1. 3. . j. click Start. On the Select Certificate Enrollment Policy page. 2. Select the Network Policy Server and Remote Access Service check boxes. k. b. Select the Network Policy and Access Services check box. c. h. Click Next. In the Computer Properties dialog box. On NYC-EDGE1. d. In the Add or Remove Snap-ins dialog box. and then click Enroll. and then click Next twice. On NYC-DC1. d. click Add. In the Certificate Templates Console details pane. and then click Install. e. click Start. select the Allow check box for the Enroll permission. point to All Tasks. 
Click Start. f. In the certsrv management console. i. click Add/Remove Snap-in. and then click Server Manager. Verify the installation was successful. click Add Roles. Obtain a computer certificate and install it on NYC-EDGE1for server-side PEAP authentication: a. and then click Certification Authority. expand ContosoCA. right-click Computer. select Computer account. g.

Right-click Health Policies. Under Client SHV checks. Configure NPS as a NAP health policy server: a. under Policy name. Disable the two default policies found under Policy Name by right-clicking the policies. Click Start. verify that Access granted is selected. k. Under Client SHV checks. under Policy name. In the Specify Conditions window. and then clicking Disable. Expand Policies. e. and then click OK. select the Windows Security Health Validator check box. j. b. i. double-click Default Configuration. and then click Next. f.L6-6 Lab A: Implementing a Virtual Private Network MCT USE ONLY. Click OK to close the Windows Security Health Validator dialog box. under Health policies. 4. clear all check boxes. e. and then click Settings. Close the Server Manager window. type Noncompliant. and then click Network Policy Server. On the Windows 7/Windows Vista selection. type Compliant-Full-Access. Click Network Policies. Right-click Network Policies. c. Configure health policies: a. and then click Next. j. In the right pane under Name. In the Specify Conditions window. double-click Health Policies. i. Ensure Policies is expanded. c. g. In the Specify Network Policy Name and Connection Type window. In the Select condition dialog box. In the Specify Access Permission window. click Add. Click OK. d. In the Health Policies dialog box. h. 5. point to Administrative Tools. and then click New. type Compliant. verify that Health Policy is specified under Conditions with a value of Compliant. Expand Network Access Protection. STUDENT USE PROHIBITED f. Right-click Health Policies. c. k. under Policy name. d. g. select Compliant. expand System Health Validators. select the Windows Security Health Validator check box. In the Create New Health Policy dialog box. 6. b. Under SHVs used in this health policy. and then click New. expand Windows Security Health Validator. except A firewall is enabled for all network connections. In the Create New Health Policy dialog box. 
select Client fails one or more SHV checks. e. h. b. . Click OK. Click Next three times. Under SHVs used in this health policy. and then click New. f. verify that Client passes all SHV checks is selected. Configure network policies for compliant computers: a. d.

q. select Destination network. In the Specify Access Permission window. and then click New. In the Select condition dialog box.255. In the Specify Conditions window.255. and then type 255. m. Note: A setting of Access granted does not mean that noncompliant clients are granted full network access. 7. In the Specify Conditions window. k. Click OK to close the Add IP Filter dialog box. and then click OK.10 next to IP address.10. In the Add IP Filter dialog box. c. l. under Policy name. click NAP Enforcement. Click Next three times. click NAP Enforcement. verify that Access granted is selected. verify that Health Policy is specified under Conditions with a value of Noncompliant. click Add. Select Allow limited access. In the Add IP Filter dialog box. and then click Next. d. Click OK to close the Add IP Filter dialog box. and then select Permit only the packets listed below in the Outbound Filters dialog box. type Noncompliant-Restricted. m. click IP Filters. Under IPv4. p. and then type 255. g. Click OK to close the Inbound Filters dialog box. In the Completing New Network Policy window. In the Health Policies dialog box. click Finish. and clear the Enable auto-remediation of client computers check box. select Source network. Type 10.Lab A: Implementing a Virtual Private Network L6-7 MCT USE ONLY. t. click Output Filters. It specifies that the policy should continue to evaluate the clients matching these conditions. j. Verify that Allow full network access is selected. click Finish. b. Configure network policies for noncompliant computers: a. In the Completing New Network Policy window.10 next to IP address. e. double-click Health Policies. This step ensures that only traffic from NYC-DC1 can be sent to noncompliant clients. i. Right-click Network Policies.255. select Noncompliant. under Health policies. click Next. Click OK to close the Outbound Filters dialog box. and then click New. This step ensures that traffic from noncompliant clients can reach only NYC-DC1. 
Type 10. In the Specify Network Policy Name and Connection Type window.10.255. click Input Filters. In the Configure Settings window. and then click New.0. and then click Next. s. In the Configure Settings window. In the Configure Settings window. and then click Next. r.255 next to Subnet mask. STUDENT USE PROHIBITED l. . f. n.0.255 next to Subnet mask. Under IPv4. h. In the Configure Settings window. o. and then select Permit only the packets listed below in the Inbound Filters dialog box.

verify that Authenticate requests on this server is selected. and then click Finish. Disable the default Connection Request policy found under Policy Name by right-clicking the policy. l. In the Specify Conditions window. In the Select condition window. 4. Clear the Enable security on the selected interface by setting up static packet filters check box. 6. and then click Next. Type 10.L6-8 Lab A: Implementing a Virtual Private Network MCT USE ONLY. click New. Verify that Enforce Network Access Protection is selected. and then click Next. n. and then click OK. Under EAP Types. h. f.110 next to End IP address. In the Specify Connection Request Forwarding window. and then click Next.10. .10. 3. SSTP. On the Address Range Assignment page. 5. and then click Next. and then click Next. select Override network policy authentication settings.100 next to Start IP address and 10. click Add. Click Next twice. select Remote Access Server (VPN-Dial up).  Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) configured as a VPN server 1. i. Right-click Connection Request Policies. click Microsoft: Protected EAP (PEAP). Configure connection request policies: a. 7. click Start. d. k. Close the Network Policy Server console. Under EAP Types. and then click OK. In the Add EAP dialog box. and then click Configure and Enable Routing and Remote Access. Under Type of network access server. 9. Click Next. click Add. and then click Next. Click the network interface called Public. and L2TP. On NYC-EDGE1. under Authentication methods. c. and then clicking Disable. j. m. g. point to Administrative Tools. e. select Remote access (dial-up or VPN).0. type VPN connections. right-click NYC-EDGE1 (local). In the Specify Authentication Methods window. click OK. STUDENT USE PROHIBITED 8. In the Specify Connection Request Policy Name and Connection Type window. and then click Edit. under Authentication methods. In the Add EAP dialog box. 
click Microsoft: Secured password (EAP-MSCHAP v2). On the IP Address Assignment page. click Add. and then click New. and then click OK. select From a specified range of addresses. 2. Verify that 11 IP addresses are assigned for remote clients. click Microsoft: Protected EAP (PEAP). and then click Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard. This ensures that NYC-EDGE1 will be able to ping NYC-DC1 when attached to the Internet subnet without requiring that you configure additional packet filters for Internet Control Message Protocol (ICMP) traffic. and then click OK. select PPTP. Click Connection Request Policies. under Policy name. b. Under EAP Types. Select the VPN check box.0. In the Routing and Remote Access console. and then click Next. and then click Next. double-click Tunnel Type.

11. point to Administrative Tools. verify that Allow the connection is selected. 3. Click the Connection Request Policies node and disable the Microsoft Routing and Remote Access Service Policy. Close the Network Policy Server management console. Next to Protocol type. 7. 6. under Name. 9. Click Next to accept the default scope. ensure No. use Routing and Remote Access to authenticate connection requests is already selected and then click Next. type ICMPv4 echo request. Select Custom. and then click Next. Close the Windows Firewall with the Advanced Security console. 9. and then click Customize. STUDENT USE PROHIBITED 8. and then click Windows Firewall with Advanced Security. and then click Next. Click Inbound Rules. 10. In the Action window. and then click New Rule. Results: In this exercise. Select All programs. On the Managing Multiple Remote Access Servers page. and wait for the Routing and Remote Access Service to start. Close Routing and Remote Access. 13. you configured and enabled a VPN-enforced NAP scheme. This is created automatically when Routing and Remote Access is enabled. Click Start. and then click Finish. . and then click Next. Click Start. 11. and then click Next. Select Specific ICMP types. 8. 12. Click OK twice.Lab A: Implementing a Virtual Private Network L6-9 MCT USE ONLY. Click Finish. right-click Inbound Rules. 10. In the Name window. 2. click OK. 5. select ICMPv4. Click Next to accept the default profile.  Task 4: Allow ping on NYC-EDGE1 1. select the Echo Request check box. point to Administrative Tools. and then click Network Policy Server. 4.

 Task 2: Enable client NAP enforcement 1. In the details pane. Close the Services console.255. double-click Network Access Protection Agent. and then click Properties. c. and then click Enable. Wait for the NAP Agent service to start. click Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center. In the console tree. c. and then click OK.20. Next to Subnet mask. Type napclcfg. Click Change adapter settings. d. . b. Ensure Use the following IP address is already selected. Next to IP address. c.10. change the Startup type to Automatic. Next to Preferred DNS server. Double-click Services. point to All Programs. c. b.0. Double-click Turn on Security Center (Domain PCs only). and then click Properties. type 255. Remove the Default gateway. and then click Run. Enable and start the NAP agent service: a. click Enabled. right-click EAP Quarantine Enforcement Client. e. 2. click Accessories. Click OK. g. Click Internet Protocol Version 4 (TCP/IPv4). Click Start.0. click Control Panel. e. Type gpedit.255. and then press ENTER. and then click Network and Internet. and then click Start. and then click Run. Enable the remote-access. Click Network and Sharing Center. quarantine-enforcement client: a. b. and then press ENTER.msc. STUDENT USE PROHIBITED Exercise 2: Configuring Client Settings to support NAP  Task 1: Configure Security Center 1. e. Click Start. e. Close the Local Group Policy Editor. click All Programs. Configure NYC-CL1 so that Security Center is always enabled: a.10. In the Services list. f. Click Start. and then click Administrative Tools. click System and Security.L6-10 Lab A: Implementing a Virtual Private Network MCT USE ONLY. and then close the Administrative Tools and System and Security windows. d. h.107. Configure NYC-CL1 for the Internet network segment: a. d. type 131. 2. Close the NAP Client Configuration window. remove 10. Click Start. and then click OK. Right-click Local Area Connection 3. 
click Control Panel. In the console tree. f. d.  Task 3: Move the client to the Internet 1. and then click Close to close the Local Area Connection 3 Properties dialog box.0. Switch to the NYC-CL1 computer. click Accessories. In the Network Access Protection Agent Properties dialog box.msc. b. click Enforcement Clients.

type Contoso next to Domain (optional). 2.  Task 4: Create a VPN on NYC-CL1 1. and type Pa$$w0rd next to Password. In the Network Connections window. and then click Properties. On the How do you want to connect page.com by ContosoCA.0. e. click Microsoft: Protected EAP (PEAP) (encryption enabled).Lab A: Implementing a Virtual Private Network L6-11 MCT USE ONLY. Click Details. Next to Destination name. Under Authentication. d. right-click the Contoso VPN connection. type ping 131.2. and then click Next. and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method. Click Start. clear the Enable Fast Reconnect check box. and then click Create. select the Allow other people to use this connection check box. Test the VPN connection: a. click Control Panel.107. Configure a VPN connection: a. and then click Run. click Connect. On The connection is ready to use page. Right-click the Contoso VPN connection. Click I’ll set up an Internet connection later. click Connect to a workplace. Close the Network Connections window. c.Contoso. m. Click Set up a new connection or network. and then click Network and Internet. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list. b. Verify that the response reads “Reply from 131. On the Type your user name and password page. d. i. At the command prompt.107. STUDENT USE PROHIBITED i. Click Network and Sharing Center. next to Internet address. l. type administrator next to User name. k. o. j.2” Close the command window. 2.0. click Use Extensible Authentication Protocol (EAP). and then press ENTER. f. click Properties. In the Connect Contoso VPN window. . n. Click Start. b. c. You are presented with a Windows Security Alert window the first time this VPN connection is used. type 131. On the Choose a connection option page.0. e. Click Connect. Verify network connectivity for NYC-CL1: a. and then click Next. type Contoso VPN. and then click Connect. g. 
and then click the Security tab. Click OK twice to accept these settings. In the Network and Sharing Center window.2 and then press ENTER. click Accessories. select the Remember this password check box. click Change adapter settings. and then select the Enforce Network Access Protection check box. click Close. On the Type the Internet address to connect to page. h. click All Programs. Type cmd. Ensure that the Validate server certificate check box is already selected. b.107. Clear the Connect to these servers check box. c. and verify that Certificate Information states that the certificate was issued to NYC-EDGE1. click Use my Internet connection (VPN).

3. Verify the client is placed on the restricted network: a. h. expand Windows Security Health Validator.0. Expand Network Access Protection. Click Connect. In the right pane under Name. Results: In this exercise. To do this. b. e. double-click Default Configuration. On NYC-EDGE1. and then click Connect. it should have unlimited access to the intranet subnet. d. e. Wait for the VPN connection to be made. and then click Command Prompt. System Quarantine State should be Not Restricted. Repeat these steps for 6419B-NYC-EDGE1and 6419B-NYC-CL1. f. and view the IP configuration. select the An antivirus application is on check box. Because NYC-CL1 is compliant. The client does not meet the requirements for the network. d. STUDENT USE PROHIBITED d. and therefore is placed on the restricted network. and then click Network Policy Server. Type ipconfig /all. point to Administrative Tools. click Revert. This should be successful. c. On NYC-CL1. complete the following steps: 1. In the command window. click All Programs. and then click Settings. On the Windows 7/Windows Vista selection. revert the virtual machines back to their initial state. Click Start. View the IP configuration. The client now meets the requirement for VPN full connectivity. type ping 10. c. Click Start.  To prepare for the next module When you finish the lab. and then click Command Prompt. b. and then click Revert. Disconnect the Contoso VPN. you enabled and configured a VPN NAP enforcement policy for Contoso Ltd. On the host computer. Wait for the VPN connection to be made. start Hyper-V Manager. . click All Programs. in the Network Connections window. 4.10 and then press Enter. 4. 2. Right-click 6419B-NYC-DC1 in the Virtual Machines list. Verify that a message appears in the Action Center that states that the computer doesn’t meet security standards. click Accessories. f. Disconnect from the Contoso VPN.10. expand System Health Validators. In the Revert Virtual Machine dialog box. 
3.L6-12 Lab A: Implementing a Virtual Private Network MCT USE ONLY. click Accessories. right-click the Contoso VPN. click Start. Configure Windows Security Health Validator to require an antivirus application: a. Type ipconfig /all and then press ENTER. System Quarantine State should be Restricted. g. and then click OK.

Module 7: Managing Active Directory Domain Services

Lab A: Creating and Managing User and Computer Accounts

Exercise 1: Creating and Configuring User Accounts

Task 1: Create the Finance OU
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
2. At the command prompt, type the following and press ENTER.
   New-ADOrganizationalUnit -Name Finance -Path "DC=CONTOSO,DC=COM"
3. Close the Active Directory Module for Windows PowerShell window.

Task 2: Create a user template account for the Finance users
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, expand Contoso.com and then click the Finance OU in the left pane.
3. On the toolbar, click Action, click New, and then click User.
4. In the New Object – User window, populate the fields as follows.
   Property             Value
   First name           Finance
   Last name            Template
   Full name            Finance Template
   User logon name      FinanceTemplate
5. Click Next and populate the fields as follows, and then click Next and then Finish.
   Property                                   Value
   Password                                   Pa$$w0rd
   Confirm Password                           Pa$$w0rd
   User must change password at next logon    Not Selected
   Account is disabled                        Selected
6. In the right pane right-click the Finance Template user, click Properties, click Organization, populate the fields as follows, and then click OK.
   Property             Value
   Department           Finance

Task 3: Create new accounts for Eva and Mark
1. In the Active Directory Users and Computers window, right-click the Finance Template user, and then click Copy.
2. In the Copy Object – User window, populate the fields as follows, and then click Next.
   Property             Value
   First name           Eva
   Last name            Corets
   Full name            Eva Corets
   User logon name      Eva
3. In the Copy Object – User window, populate the fields as follows, click Next, and then click Finish.
   Property             Value
   Password             Pa$$w0rd
   Confirm Password     Pa$$w0rd
   Account is disabled  Not Selected
4. In the Active Directory Users and Computers window, right-click the Finance Template user, and then click Copy.
5. In the Copy Object – User window, populate the fields as follows, and then click Next.
   Property             Value
   First name           Mark
   Last name            Steele
   Full name            Mark Steele
   User logon name      Mark
6. In the Copy Object – User window, populate the fields as follows, click Next, and then click Finish.
   Property             Value
   Password             Pa$$w0rd
   Confirm Password     Pa$$w0rd
   Account is disabled  Not Selected
7. Close the Active Directory Users and Computers window.

Task 4: Confirm the functionality of user accounts
1. Switch to the 6419B-NYC-CL1 virtual machine.
2. On NYC-CL1, log on as Contoso\Eva with a password of Pa$$w0rd.
3. Log off of NYC-CL1.
4. On NYC-CL1, log on as Contoso\Mark with a password of Pa$$w0rd.
5. Log off of NYC-CL1.

Task 5: Disable the new user accounts
1. Switch to the 6419B-NYC-DC1 virtual machine.
2. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Administrative Center.
3. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and then double-click the Finance OU in the middle pane.
4. Click Eva Corets, press and hold the Ctrl key, and click Mark Steele. Release the Ctrl key, right-click Mark Steele, and then click Disable All.
5. Close the Active Directory Administrative Center window.

Results: In this exercise, you created and configured user accounts.

Exercise 2: Creating and Configuring Computer Accounts

Task 1: Create computer accounts by using Active Directory management tools
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, click the Computers container in the left pane.
3. On the toolbar, click Action, click New, and then click Computer.
4. In the Computer name box, type NYC-CL5, and then click OK.
5. Close the Active Directory Users and Computers window.
6. Click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
7. At the command prompt, type the following command and then press ENTER:
   New-ADComputer -Name NYC-CL6 -SamAccountName NYC-CL6 -Path 'CN=Computers,DC=CONTOSO,DC=COM'
8. Close the command prompt window.

Task 2: Configure computer accounts attributes
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Administrative Center.
2. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and then double-click the Computers container in the middle pane.
3. Click NYC-CL5, press and hold the Ctrl key and click NYC-CL6. Release the Ctrl key, right-click NYC-CL6, and then click Move.
4. In the Move window, click the Finance OU, and then click OK.
5. Close the Active Directory Administrative Center window.

Results: In this exercise, you configured computer account attributes.

Lab B: Managing Groups and Locating Objects in AD DS

Exercise 1: Implement Role-Based Management by Using Groups

Task 1: Determine group requirements

Question: Which type of group should you create to group the Finance users together?
Answer: A global group should be created for the Finance department users. This group type gives the most flexibility in group membership within the domain.

Question: How can you create a group structure that allows the Finance department members change permissions and also allows other users and groups from the organization to be easily assigned these permissions as well?
Answer: You could create a domain local group called Finance_Folders_Change and place the Finance global group inside of it. Then, the Finance_Folders_Change group could be assigned Change permission rights on the necessary folders. If new users or groups need to have the same access, they can simply be added to the Finance_Folders_Change domain local group.

Task 2: Use management tools to create AD DS groups
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
2. At the command prompt, type the following and press ENTER.
   New-ADGroup -Name "Finance" -SAMAccountName Finance -GroupCategory Security -GroupScope Global -DisplayName "Finance Department" -Path "OU=Finance,DC=CONTOSO,DC=COM"
3. At the command prompt, type the following and press ENTER.
   New-ADGroup -Name "Finance_Folders_Change" -SAMAccountName FinanceFoldersChange -GroupCategory Security -GroupScope DomainLocal -DisplayName "Change Access to Finance Folders" -Path "OU=Finance,DC=CONTOSO,DC=COM"
4. Close the Active Directory Module for Windows PowerShell window.

Task 3: Modify group attributes
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Administrative Center.
2. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and then double-click the Finance OU in the middle pane.
3. Click Eva Corets, press and hold the Ctrl key, and click Mark Steele. Release the Ctrl key, right-click Mark Steele, and then click Add to group.
4. In the Enter the object name to select box, type Finance, and then click Check Names.
5. In the Multiple Names Found window, click Finance, and then click OK.
6. In the Select Groups window, click OK.
7. Close the Active Directory Administrative Center window.
8. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
9. In the Active Directory Users and Computers window, click the Finance OU in the left pane, right-click the Finance_Folders_Change group in the right pane, and then click Properties.
10. In the Finance_Folders_Change Properties window, click the Members tab, and then click Add.
11. In the Enter the object name to select box, type Finance, and then click Check Names.
12. In the Multiple Names Found window, click Finance, and then click OK.
13. In the Select Users, Contacts, Computers, Service Accounts, or Groups window, click OK.
14. In the Finance_Folders_Change Properties window, click OK.
15. Close the Active Directory Users and Computers window.

Results: In this exercise, you implemented role-based management by using groups.

Exercise 2: Finding Objects in Active Directory

Task 1: Create and save an AD DS query
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, right-click Saved Queries, click New, and then click Query.
3. In the New Query window, in the Name box, type Finance Groups, and then click Define Query.
4. In the Find Common Queries window, click the Groups tab, click the drop-down box beside the Name box, and then click Starts with.
5. In the Name field, type Finance, and then click OK.
6. In the New Query window, click OK.
7. Expand Saved Queries, and then click the Finance Groups query to confirm the result.

Task 2: Use dsquery to locate AD DS objects
1. On NYC-DC1, click Start, click Run, type cmd in the Open box, and then click OK.
2. At the command prompt, type the following command, and then press ENTER.
   dsquery user "ou=Finance,dc=Contoso,dc=com" -disabled
3. View the results and confirm that Eva Corets and Mark Steele are listed.

Task 3: Use Windows PowerShell to query AD DS
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
2. At the command prompt, type the following command, and then press ENTER.
   Get-ADGroupMember Finance
3. View the results and confirm that Eva Corets and Mark Steele are listed.

Results: In this exercise, you located objects in Active Directory.

To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-CL1.


and then click Active Directory Users and Computers. On NYC-DC1. and then click Active Directory Users and Computers. with the password. Log on to NYC-SVR1 as Contoso\Don. Computers. 4. On the Effective Permissions tab. In the Delegation of Control Wizard. and then click the Marketing OU. 6. 8. Service Account.com. In the console pane. expand Contoso. In the Active Directory Users and Computers console. and then click Properties. click Add. click Next. type Marketing_Managers. Pa$$w0rd. click the Effective Permissions tab. Click OK to close the Advanced Security Settings for Marketing dialog box. 2. 5.Lab A: Configuring Active Directory Delegation L8-1 MCT USE ONLY. 8. 3. In the Select User.com. select the Create. 7. STUDENT USE PROHIBITED Module 8: Configuring Active Directory Object Administration and Domain Trust Lab A: Configuring Active Directory Delegation Exercise 1: Delegating Control of AD DS Objects  Task 1: Delegate management tasks for the Marketing OU. Right-click the Marketing OU. . The Delegation of Control Wizard opens. and manage user accounts check box. The Active Directory Users and Computers console opens.  Task 3: Test delegated permissions. click the View menu. 3. 2.  Task 2: Verify effective permissions assigned for the Marketing OU. point to Administrative Tools. click Advanced. 2. and then click Marketing. Verify that Don Roessler has permissions to create and delete user objects. 3. type Don. In the Marketing Properties dialog box. point to Administrative Tools. and then click Finish. On the Tasks to Delegate page. click Next. click Start. delete. and then click Advanced Features. 1. and then click OK. The Active Directory Users and Computers console opens. Right-click Marketing. On the Advanced Security Settings for Marketing dialog box. click OK. Click OK to close the Marketing Properties dialog box. and then click Delegate Control. and then click Next. 1. 5. Expand Contoso. 6. 7. Click Start. Computer. click Select. 
or Groups dialog box. In the Select Users. 4. 1. Switch to the NYC-DC1 virtual machine. or Group dialog box. 9. On the Users or Groups page. click the Security tab. On the Security tab.

you will have delegated the right to manage user accounts to the Marketing Managers. Notice that you are only able to create a new user.L8-2 Lab A: Configuring Active Directory Delegation MCT USE ONLY. Close Active Directory Users and Computers and log off from NYC-SVR1. Right-click the Marketing OU. . and then point to New. 5. STUDENT USE PROHIBITED 4. Results: After completing this exercise.

Exercise 2: Creating Managed Service Accounts in AD DS

Task 1: Use Windows PowerShell to create and associate a managed service account.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Module for Windows PowerShell. The Administrator: Active Directory Module for Windows PowerShell console opens.
2. At the prompt, type the following command, and then press Enter.
   New-ADServiceAccount -Name App1_SVR1
3. At the prompt, type the following command, and then press Enter.
   Add-ADComputerServiceAccount -Identity NYC-SVR1 -ServiceAccount App1_SVR1
4. At the prompt, type the following command, and then press Enter.
   Get-ADServiceAccount -Filter 'Name -like "*"' | FT Name,HostComputers -A
5. Verify that the App1_SVR1 service account is associated with NYC-SVR1.
6. Close all open windows on NYC-DC1.

Task 2: Install a managed service account on a server.
1. Switch to the NYC-SVR1 virtual machine.
2. Log on to NYC-SVR1 as Contoso\Administrator, with the password, Pa$$w0rd.
3. Click Start, point to Administrative Tools, and then click Active Directory Module for Windows PowerShell. The Administrator: Active Directory Module for Windows PowerShell console opens.
4. At the prompt, type the following command and then press Enter.
   Install-ADServiceAccount -Identity App1_SVR1
5. Click Start, point to Administrative Tools, and then click Services.
6. In the Services console, right-click Disk Defragmenter, and then click Properties.
   Note: The Disk Defragmenter service is just used as an example for this lab. In a production environment, you would use the actual service that should be assigned the managed service account.
7. In the Disk Defragmenter Properties dialog box, click the Log On tab.
8. On the Log On tab, click This account, and then type Contoso\App1_SVR1$.
9. Clear the password for both the Password and Confirm password boxes.
10. Click OK. Click OK at all prompts.
11. Close the Services console.
12. Close all open windows on NYC-SVR1.

Results: After completing this exercise, you will have created and installed a managed service account.

To prepare for the next lab.
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1.

and then click Conditional Forwarders. 1. and then press Enter. 4. Under IP addresses of the master servers.com.10. you will have configured name resolution between the Contoso. Switch to the VAN-DC1 virtual machine. 6. and then press Enter. and then click New Conditional Forwarder. .  Task 2: Configure DNS conditional forwarding on VAN-DC1. Right-click Conditional Forwarders and then click New Conditional Forwarder. point to Administrative Tools.com and Adatum. type Contoso. and then click OK. click Conditional Forwarders. expand VAN-DC1.com domain and the Adatum. Switch to the NYC-DC1 virtual machine. type Adatum. click Start.100. point to Administrative Tools. type 10. 3. Close the DNS Manager. and then click DNS. 7. In the console pane. under DNS Domain. Select the check box next to Store this conditional forwarder in Active Directory. The DNS Manager console opens. 2.10. In the New Conditional Forwarder dialog box. The New Conditional Forwarder dialog box appears. 3. Close the DNS Manager. and then click DNS. and replicate it as follows. The New Conditional Forwarder dialog box appears. On NYC-DC1. and replicate it as follows.com. In the console pane. and then click OK.10. STUDENT USE PROHIBITED Lab B: Administer Trust Relationships Exercise 1: Configuring Name Resolution between Contoso. under DNS Domain. 1.Lab A: Configuring Active Directory Delegation L8-5 MCT USE ONLY. On VAN-DC1. 5.0. The DNS Manager console opens.com domain. 2.0. type 10.com  Task 1: Configure DNS conditional forwarding on NYC-DC1. 6. Results: After completing this exercise. Under IP addresses of the master servers. Right-click Conditional Forwarders. 4. 8. click Start. Select the check box next to Store this conditional forwarder in Active Directory. In the New Conditional Forwarder dialog box. 7. 8. 5.

Exercise 2: Configuring a Forest Trust

Task 1: Use the New Trust Wizard to create a Forest Trust.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts. The Active Directory Domains and Trusts console opens.
2. In the console pane, right-click Contoso.com, and then click Properties.
3. In the Contoso.com Properties dialog box, click the Trusts tab.
4. On the Trusts tab, click New Trust. The New Trust Wizard starts. Click Next.
5. On the Trust Name page, type Adatum.com, and then click Next.
6. On the Trust Type page, select Forest trust, and then click Next.
7. On the Direction of Trust page, select Two-way, and then click Next.
8. On the Sides of Trust page, select Both this domain and the specified domain, and then click Next.
9. On the User Name and Password page, configure the following and then click Next:
   • User name: Administrator
   • Password: Pa$$w0rd
10. On the Outgoing Trust Authentication Level – Local Forest page, select Forest-wide authentication, and then click Next.
11. On the Outgoing Trust Authentication Level – Specified Forest page, select Forest-wide authentication, and then click Next.
12. On the Trust Selections Complete page, click Next.
13. On the Trust Selections Complete page, click Next.
14. On the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust, and then click Next.
15. On the Confirm Incoming Trust page, click Yes, confirm the incoming trust, and then click Next.
16. On the Completing the New Trust Wizard, verify that the trust relationship is successfully created and confirmed, and then click Finish.
17. Click OK to close the Contoso.com Properties dialog box, and then close Active Directory Domains and Trusts.

Task 2: Configure selective authentication.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts. The Active Directory Domains and Trusts console opens.
2. In the console pane, right-click Contoso.com, and then click Properties.
3. In the Contoso.com Properties box, click the Trusts tab.
4. Under Domains trusted by this domain, select Adatum.com and then click Properties.
5. On the Adatum.com Properties box, click the Authentication tab.
6. On the Authentication tab, click Selective authentication, and then click OK.
7. Click OK to close the Contoso.com Properties box, and then close Active Directory Domains and Trusts.
8. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens.
9. On the View menu, click Advanced Features.
10. Expand Contoso.com and then click the Computers container.
11. Right-click NYC-SVR1, and then click Properties.
12. Click the Security tab.
13. Click Add, and then, in the Select Users, Computers, Service Accounts, or Groups dialog box, click Locations.
14. In the Locations dialog box, click Adatum.com, and then click OK.
15. In the Select Users, Computers, Service Accounts, or Groups dialog box, type Domain Users, and then click OK.
16. Ensure that Domain Users (ADATUM\Domain Users) is selected, and then select the Allow check box next to the Allowed to authenticate permission.
17. Click OK to close the NYC-SVR1 Properties dialog box.
18. Close Active Directory Users and Computers.

Results: After completing this exercise, you will have created a Forest Trust and Selective authentication.

To prepare for the next module.
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-VAN-DC1.


Close Group Policy Management Editor. In the details pane. 4. in the Name field. double-click Remove Run menu from the Start Menu. Repeat the previous two steps to create the following GPOs: • • • Baseline Security Windows 7 and Windows Vista Security IT Favorites 3. 4. User name: Administrator Password: Pa$$w0rd Domain: Contoso Repeat steps 2 and 3 for 6419B-NYC-CL1. In the Remove Run menu from Start Menu dialog box. and then click OK. In the Actions pane. 4. In the Group Policy Management Editor window. In Hyper-V Manager. In the Group Policy Management window. type Restrict Run Command. Do not log on to NYC-CL1 until directed to do so. Right-click the Group Policy Objects folder. expand Contoso. you will use the available virtual machine environment. 3. Before you begin the lab. Log on by using the following credentials: • • • 5. 5. point to Administrative Tools. Configure the Restrict Run Command policy 1. and then click Hyper-V™ Manager. expand Forest: Contoso. Exercise 1: Creating and Configuring Group Policy Objects  Task 1: Create the GPOs. .com. expand Policies. and in the Actions pane. click 6419B-NYC-DC1. 3. point to Administrative Tools. in the Group Policy Objects folder. Wait until the virtual machine starts. click Start. and then click Group Policy Objects. 2. In the Group Policy Management window. and then click OK. under User Configuration. click Connect. and then click Start Menu and Taskbar. In the New GPO dialog box.com. and then click Group Policy Management. On NYC-DC1. 2. expand Administrative Templates.Lab A: Creating and Configuring GPOs L9-1 MCT USE ONLY. you must complete the following steps: 1. STUDENT USE PROHIBITED Module 9: Creating and Managing Group Policy Objects Lab A: Creating and Configuring GPOs Lab Setup For this lab. click Start. right-click the Restrict Run Command policy.  Task 2: Configure the GPO settings. click Enabled. expand Domains. and then click New. 1. A. 2. click Start. 5. and then click Edit. 
On the host computer.

right-click the Baseline Security policy. 6. and then click OK. In the URL field. In the Details dialog box. expand Windows Settings. expand Internet Explorer Maintenance. click Add URL. STUDENT USE PROHIBITED B.L9-2 Lab A: Creating and Configuring GPOs MCT USE ONLY. 5. expand Policies.com domain. In the Group Policy Management window. In the Group Policy Management window. click the Baseline Security GPO. 7. click Enabled. In the details pane. expand System. 4. Close Group Policy Management Editor. D. In the Group Policy Management window. expand Local Policies. Configure the Windows 7 and Windows Vista Security policy 1. Close Group Policy Management Editor. 5. under User Configuration. right-click the IT Favorites policy. Restrict Run Command Windows 7 and Windows Vista Security Click OK. In the details pane. and then click URLs. Close Group Policy Management Editor. 2. 3.  Task 3: Link the GPOs to the appropriate containers. In the Group Policy Management Editor window. in the Group Policy Objects folder. and then click OK. and then click Logon. Configure the IT Favorites Policy 1. type Tech Support. . right-click the Windows 7 and Windows Vista Security GPO. In the Group Policy Management Editor window. right-click the Contoso. 2. 3. In the Group Policy Management window. 2.microsoft. under Computer Configuration. 4. double-click Interactive logon: Do not display last user name. Hold down CTRL and then click the following GPOs: • • 3. and then click Edit. and then click Link an Existing GPO. in the Group Policy Objects folder. 8. select the Define this policy setting check box. and then click Security Options. in the Group Policy Objects folder. Click OK twice. 5. In the Interactive logon: Do not display last user name Properties dialog box. and then click Edit. In the details pane. click Enabled. 3. expand Policies. In the Group Policy Management Editor window. under Computer Configuration. In the Select GPO dialog box. and then click Edit. 
In the Always wait for the network at computer startup and logon dialog box. expand Administrative Templates. C. 2. double-click Favorites and Links. type http://support. expand Security Settings. double-click Always wait for the network at computer startup and logon.com. Configure the Baseline Security Policy 1. 1. 4. expand Policies. expand Windows Settings. In the Favorites and Links dialog box. in the Name field.

4. Right-click the IT OU, and then click Link an Existing GPO.
5. In the Select GPO dialog box, click the IT Favorites GPO, and then click OK.
Result: After completing this exercise, you will have created and configured GPOs.

in the details pane. and then click Enforced. expand the Contoso.com domain to expose the linked policies (denoted by the shortcut icons). In the Group Policy Management window. right-click the WMI Filters folder. click the Windows 7 and Windows Vista Security policy. In the New WMI Filter dialog box. Task 2: Configure Group Policy management for the IT OU. 1. In the Group Policy Management window console pane. Task 3: Create and apply a WMI filter for the Server Security GPO. 5. 4. 3. 2. type Select * from Win32_OperatingSystem where Caption = "Microsoft Windows 7 Enterprise" OR Caption = "Microsoft Windows Vista Enterprise". Result: After completing this exercise you will have configured the scope of GPO settings. Click Add. in the Name field. and then. in the Query field. Right-click the Baseline Security link. 8. expand the Group Policy Objects folder. In the Group Policy Management dialog. click the Scope tab. Exercise 2: Managing the Scope of GPO Application Task 1: Configure Group Policy management for the domain container. • In the Group Policy Management window. and then click Block Inheritance. 6. 4. 3. 2. click Yes. 1. In the Group Policy Management window. right-click the IT OU. In the WMI Filtering list. In the WMI Query dialog box. In the left-hand console pane. 3. type Windows 7 or Windows Vista operating system. Right-click the Windows 7 and Windows Vista Security link. 7. and then click Enforced.

Click Start. Pa$$w0rd. point to Accessories and then verify that Run is not present in the Start menu.  Task 2: Verify that a user in the IT OU is receiving the correct policy. In the Internet Explorer window. Pa$$w0rd. 3. with the password. 2. Result: After completing this exercise you will have tested and verified a GPO application . Log off of NYC-CL1. 4. 5. Log on to NYC-CL1 as CONTOSO\Max. Click Start. 1.Lab A: Creating and Configuring GPOs L9-5 MCT USE ONLY. Restart NYC-CL1. click Ask me later. STUDENT USE PROHIBITED Lab B: Managing Group Policy Objects Exercise 1: Verifying GPO Application  Task 1: Verify that a user in the domain has the Run command removed from the Start menu. 3. Log on to NYC-CL1 as CONTOSO\Ed. and then verify that the link to Tech Support is present. 2. point to All Programs. • After NYC-CL1 is restarted. and then click Internet Explorer. At the Set Up Windows Internet Explorer 8 dialog box. press CTRL-ALT-DEL to see the logon screen. point to All Programs. click Accessories and then verify that Run is present.  Task 3: Verify that the last logged on user name does not appear. with the password. click the Favorites button. point to All Programs. 1. Note: To see this information. Click Start. verify that the last logged on user name does not appear.

3. right-click the Group Policy Objects folder. 5. click OK. and then click Back Up. right-click the Restrict Run Command policy. and then click Manage Backups. Verify that the IT Favorites GPO appears in the Group Policy Objects folder. In the Group Policy Objects folder. On the Backup location page. Right-click the Import GPO. 2. On the Source GPO page. . 1. click OK. 2. in the Group Policy Management window. click the IT Favorites GPO. 2. In the New GPO dialog box. Right-click the Group Policy Objects folder. Right-click the Group Policy Objects folder. click OK. and then press Enter. In the Back Up Group Policy Object dialog box. 6. click Next. under the Group Policy Objects folder. Click OK. 4. In the Import Settings Wizard. 6. 5. In the console pane. type C:\GPO Backup and then click Back Up. click OK.  Task 2: Back up all GPOs. 4. STUDENT USE PROHIBITED Exercise 2: Managing GPOs  Task 1: Back up an individual policy. 8. and then click Import Settings. click Next. and then click Finish. When the backup completes. Browse to Local Disk (C:) and then click Make New Folder. and then click Back Up All. 4. In the Restore dialog box. click Yes. and then click New. 7. Note: If more than one copy of the Restrict Run Command GPO appears. 1. Type GPO Backup. 1. and then click Restore. In the Back Up Group Policy Object dialog box. and then click Delete. 3. in the Location field. On NYC-DC1. In the Group Policy Management dialog box. right-click the IT Favorites policy. In the Manage Backups dialog. 5. 6. click OK and then click Close. 2. and then click Next. click Browse. In the Group Policy Management dialog box. When the backup completes. and then click Back Up. 3. 9. in the Name field. click Next. On the Scanning Backup page.  Task 4: Import a GPO. choose the newer one. and then click Next. When the import completes. 7. and then click OK. 3.  Task 3: Delete and restore an individual GPO. On the Backup GPO page. click Restrict Run Command. type Import. 
verify the Backup folder is C:\GPO Backup.L9-6 Lab A: Creating and Configuring GPOs MCT USE ONLY. 1.

10. In the left-hand console pane, expand the Group Policy Objects folder, click the Import GPO, and then, in the details pane, click the Settings tab.
11. Click show all.
12. Verify that the Remove Run menu from Start Menu policy setting is enabled.
Result: After completing this exercise, you will have backed up, restored, and imported GPOs.

L9-8 Lab A: Creating and Configuring GPOs MCT USE ONLY. In the details pane. Pa$$w0rd. click Administrative Templates.  Task 3: Test the GPO. On NYC-DC1. Click Ed on NYC-CL1. click Disabled. On NYC-CLI.  Task 1: Restore the TestA GPO. On NYC-DC1. Click Start. Close Group Policy Management Editor. In the Group Policy Management Editor window. right-click IT. In the Add the Run command to the Start Menu dialog box. In the Manage Backups dialog box. 2. 5. rightclick Ed on NYC-CL1. STUDENT USE PROHIBITED Lab C: Troubleshooting Group Policy Exercise 1: Troubleshooting Incorrect Policy Settings: Scenario 1. with the password. Notice that the Add the Run command to the Start Menu setting is enabled. and then click OK. 3. 4. and then click Manage Backups. 1. in the Group Policy Management console pane. . and then click Start Menu and Taskbar. under User Configuration. Log off from NYC-CL1. and then click Restore. In the Select GPO dialog box. and then click Rerun Query. click TestA. click Group Policy Objects. and then click OK. 3. In the Group Policy Management console pane. and then click Close. In the details pane. on the Summary tab. In the Group Policy Management console pane. and then click Edit. Notice that the TestA GPO is being applied.  Task 5: Resolve the issue and test the resolution. 1. this is not the desired behavior. 2. expand Administrative Templates. According to the scenario. and then click Applied GPOs. 1.  Task 4: Troubleshoot the GPO. in the Group Policy Management console pane. and then notice the presence of the Run command. Click OK twice. 1. 2. 1. expand Policies. 2. under User Configuration Summary.  Task 2: Link the TestA GPO to the IT OU. under User Configuration. type C:\Tools\GPOBackup and then press Enter. click TestA. 3. right-click TestA. On the Settings tab. In the Backup location box. double-click Add the Run command to the Start Menu. right-click Group Policy Objects. and then click Link an Existing GPO. 
and then click Start Menu and Taskbar. expand Group Policy Results. 2. log on as CONTOSO\Ed. 3. 4. under Group Policy Objects. 4.

6. On NYC-CL1, log on as CONTOSO\Ed, with the password, Pa$$w0rd.
7. Click Start, and then notice that the Run command is no longer present.
Result: After completing this exercise, you will have resolved a Group Policy object issue.

restart the computer.  Task 6: Troubleshoot the GPO. right-click NYC-CL1. with the password.  Task 2: Restore the TestB GPO. right-click Group Policy Objects. 3. and then click Organizational Unit. 1. 4. right-click Group Policy Management. On NYC-DC1. and then press ENTER. Click OK twice. 1. On NYC-DC1. On NYC-DC1.L9-10 Lab A: Creating and Configuring GPOs MCT USE ONLY. Notice that loopback processing mode is enabled. and then click Close. Right-click Loopback. in the Group Policy Management console pane. and then click Active Directory Users and Computers.  Task 3: Link the TestB GPO to the Loopback OU. users may need . 1. Click Start and notice that the Run command is present again. and then click Link an Existing GPO. log on as Contoso\Ed. Close Active Directory Users and Computers. 3. In the details pane. click Loopback. In the details pane. In the Move dialog box. 2. STUDENT USE PROHIBITED Exercise 2: Troubleshooting Incorrect Policy Settings: Scenario 2  Task 1: Create a new OU named. Note: Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. In the Select GPO dialog box. and then click Applied GPOs. click Start. 2. On the Settings tab. type Loopback. 3. in some cases.  Task 5: Test the GPO. and then click Move. In the Group Policy Management console pane. and then click Refresh. 3. on the Summary tab. expand Contoso.com. In the Active Directory Users and Computers console pane. click TestB. point to New. and then click Manage Backups. click TestB. and then click OK. Loopback. In the Manage Backups dialog box. under Computer Configuration Summary. click Administrative Templates. 1. Notice that the Test B GPO has been applied. 1. and then click System/Group Policy. and then click OK. 4. However. In the New Object – Organizational Unit dialog box. and then click Rerun Query. Pa$$w0rd. in the Group Policy Management console pane. 3. 
In the Active Directory Users and Computers console pane. and then click Restore. right-click CONTOSO. under Computer Configuration. On NYC-CL1. and then click OK. 2. 2. In the Backup location field. right-click Ed on NYC-CL1. click Group Policy Objects. type C:\Tools\GPOBackup. point to Administrative Tools.  Task 4: Move NYC-CL1 to the Loopback OU.com. When the computer restarts. 3. and then click Computers. 2. 2. 1.

start Hyper-V Manager. To do this. STUDENT USE PROHIBITED policy applied to them based on the location of the computer object alone.Lab A: Creating and Configuring GPOs L9-11 MCT USE ONLY. right-click TestB. Close Group Policy Management. 4.  To prepare for the next module When you finish the lab. 2. 1. Note: Another alternative would be to disable loopback processing in the GPO itself. with the password. Click Start and notice that the Run command is no longer present. expand the Loopback OU. Result: After completing this exercise. and then click Revert. When the computer restarts.  Task 7: Resolve the issue and test the resolution. Pa$$w0rd. On the host computer. 4. In the Revert Virtual Machine dialog box. log on as CONTOSO\Ed. click Revert. In the Group Policy Management console pane. On NYC-CL1. 2. you will have resolved a Group Policy objects issue. revert the virtual machines to their initial state. 3. Right-click 6419B-NYC-DC1 in the Virtual Machines list. especially if there were other settings in the GPO that you did wish to have applied. . You can use the Group Policy loopback feature to apply Group Policy objects (GPOs) that depend only on which computer the user logs on to. Repeat these steps for 6419B-NYC-CL1. 5. restart the computer. and then click Link Enabled to clear the check mark. complete the following steps: 1. 3.


point to Administrative Tools. In the details pane. 4. Expand Contoso. and then click Group Policy Management. Click Start. In the Logon Properties dialog box. and then click Edit. right-click a blank area and then click Paste. 2. . and then click OK. Close Notepad. 3. type DriveMap. and then expand Domains. 2.Lab A: Using Group Policy to Configure Scripts and Folder Redirection L10-1 MCT USE ONLY. and then click Documents. click Show Files. Expand Forest:Contoso. and click Scripts (Logon\Logoff). Click Start. Close the Logon window. Right-click the Map. right-click the Drivemap GPO. On NYC-DC1. In the Logon Properties dialog box. 11.com.  Task 3: Edit the GPO and store the script in Sysvol 1. 6. click Create a GPO in this domain.com. In Group Policy Management Editor.com. STUDENT USE PROHIBITED Module 10: Using Group Policy to Configure User and Computer Settings Lab A: Using Group Policy to Configure Scripts and Folder Redirection Exercise 1: Using a Group Policy Logon Script to Map a Network Drive  Task 1: Create a script to map a drive to the data share 1. In the Add a Script dialog box. Save the file to the default location of Documents. 10. Ensure that you click the Save as type: drop-down arrow in the Save As dialog box and select All Files (*. Click File and click Save. 5. in the Name box.bat file and click Copy. type Net use t: \nyc-dc1\data. expand Policies. double-click Logon. and Link it here. 7. 4.) Close the Documents window. In the Notepad. 3. Click OK twice to close all dialog boxes. (This opens the Netlogon share in Computer).bat. 5. 7.  Task 2: Create and link a GPO 1. click Add. In the New GPO dialog box. Right-click Contoso. 6. click Start. under User Configuration. click Computer. Save the file as Map. 4. type Notepad. Close the Group Policy Management Editor and the Group Policy Management console. 2. and then press ENTER. in the Search programs and files box. 3.*) as the type. 8.bat script and then click Open. Click the Map. 
(You will paste it into the Netlogon share later. click Browse. 9. expand Windows Settings. In the details pane.

Task 4: Test the results
1. On NYC-CL1, log on as Contoso\Administrator with a password of Pa$$word.
2. Click Start and click Computer, and then verify that the drive has been mapped.
3. Log off NYC-CL1.
Results: In this exercise, you created a script and a GPO to assign the script and store the script in a highly available location.

click Yes. click Start. Right-click Documents and then click Properties. and then click Specific people. 7. type Redirect. in the Name box. and then expand Contoso. 2. 7. 8.com. 6. 9. In the Group Policy Management Editor. 3. On NYC-DC1. In the Documents Properties dialog box. and then click Edit.com Right-click the Research OU.  Task 3: Test folder redirection 1. In the Warning dialog box. 10. type \NYC-DC1\Redirect. Ensure the Target folder location box is set to Create a folder for each user under the root path. 8. and then expand Folder Redirection. In the File Sharing dialog box. and then click Group Policy Management. click the Permission Level drop-down arrow for the Research group. 11. STUDENT USE PROHIBITED Exercise 2: Using Group Policy to Redirect Folders  Task 1: Create a shared folder 1. 2. and then click Properties. and then click Computer Double-click Local Disk (C:) drive and then click New folder. note that the location of the folder is now the Redirect network share in a subfolder named for the user. Note: Due to cached credentials. 5. In the File Sharing dialog box. Expand Forest: Contoso. In the Select Users or Groups dialog box. 3. 6. click the drop-down arrow. on the Target tab. Right-click the Redirect folder. and then click Read/Write. In the Root Path box. under User Configuration. click Share with. 2. Close the Local Disk (C:) window. right-click the Redirect GPO. Log on to NYC-CL1 as Dylan with a password of Pa$$w0rd. 5. select Basic – Redirect everyone’s folder to the same location. Close all open windows and log off. expand Policies. and then click OK. Close all open windows on NYC-DC1. In the New GPO dialog box.  Task 2: Create a GPO to redirect the Documents folder 1.Lab A: Using Group Policy to Configure Scripts and Folder Redirection L10-3 MCT USE ONLY. Expand the Research OU. type Research. expand Domains. and then click OK. point to Administrative Tools. 
you may need to log on twice to see the redirection unless the user has never logged on to this computer before. and then click Create a GPO in this domain. 4. In the Setting box. and then select Find people. 4. 3. 9. Click Start. Click Start. In the Document Properties dialog box. Click Share and then click Done. expand Windows Settings. right-click Documents. click OK. Name the new folder Redirect. and Link it here. .

Results: In this exercise, you created and set permissions on a shared folder. You created and linked a GPO to redirect the executive’s documents to the shared folder.
To prepare for the next lab
1. When you finish the lab, leave the virtual machines running.

3. Under Computer Configuration. In the details pane. click Enabled. and then click OK. in the Name box. expand Domains. click Enabled. point to Administrative Tools. In the New GPO dialog box. expand Policies. click the Start Menu and Taskbar folder. and then click Edit. 3. Expand Contoso. STUDENT USE PROHIBITED Lab B: Configuring Administrative Templates Exercise 1: Configuring Administrative Templates  Task 1: Create and link a GPO to the Research OU 1. under User Configuration.  Task 5: Deny access to the desktop background settings 1. and then click OK. In Group Policy Management Editor. . In the details pane. 2.com. Right-click the Research OU. double-click Windows Firewall: Allow inbound remote administration exception. In the Windows Firewall: Allow inbound remote administration exception dialog box. expand Administrative Templates. In the details pane. click Enabled. Expand Forest:Contoso. 3. and then click the Removable Storage Access folder. In the Remove Run menu from Start Menu dialog box. and then click Edit. double-click Prevent changing desktop background. expand Network. and then expand Contoso. In the Prevent changing desktop background dialog box. and then click Create a GPO in this domain.  Task 3: Deny access to the Run menu 1. Expand the Research OU. In the details pane. In the folder tree. 2. 2. expand the System folder. expand the Control Panel folder.  Task 6: Allow remote administration through the Windows Firewall 1. 3. and then click OK. click Enabled. double-click the Remove Run menu from Start Menu setting. 4. and Link it here. and then click OK. right-click the Default Domain Policy. click Enabled.  Task 4: Deny write access to removable storage 1. 4. In the Prevent access to registry editing tools dialog box. 3. click Start. and then expand Administrative Templates Click System. expand Network Connections.com. and then click Domain Profile. 3. In the folder tree. and then click Group Policy Management. 2.com. 
In the Removable disks: Deny write access dialog box. 2. 4. expand Policies.  Task 2: Deny access to registry editing tools 1. right-click the ResearchDesktop GPO. On NYC-DC1. type ResearchDesktop. double-click the Removable disks: Deny write access setting. 2. and then click OK. double-click Prevent access to registry editing tools. and then click the Personalization folder. Close Group Policy Management Editor. In the details pane. 4. expand Windows Firewall.Lab A: Using Group Policy to Configure Scripts and Folder Redirection L10-5 MCT USE ONLY. In the folder tree.

in the Allow unsolicited incoming messages from these IP addresses: box. click Control Panel. Click Start and type Regedit. Close all open windows and log off. Results: In this exercise. you created and linked a GPO to control the desktop environment.exe in the Search box. When you finish the lab. Log on to NYC-CL1 as Dylan with a password of Pa$$w0rd. click All Programs. 2.exe does not appear in the search results. 4. 5.  To prepare for the next lab 1. leave the virtual machines running.L10-6 Lab A: Using Group Policy to Configure Scripts and Folder Redirection MCT USE ONLY. Ensure that Regedit. type LocalSubnet.  Task 7: Test the settings 1. and then click Change desktop background. 3. Close all open windows on NYC-DC1. In the Options section. . 6. Ensure that the Run Menu does not appear. Ensure that the feature has been disabled. STUDENT USE PROHIBITED 5. Click Start. and then click Accessories. and then click OK. Click Start.

and then click Create a GPO in this domain. click the drop-down arrow. Close all open windows on NYC-DC1. and click Next. STUDENT USE PROHIBITED Lab C: Deploying Software Using Group Policy Exercise 1: Deploying a Software Package by Using Group Policy  Task 1: Create and populate a shared folder to act as a software distribution point Create and populate an application distribution folder 1. In the New GPO dialog box.msi file. 3. in the Name box. 2.msi. 4. 5. and then click Computer 2. and click Open. In the Open dialog box. under User Configuration. and then click Group Policy Management. Double-click Local Disk (C:). 5.  Task 3: Configure the GPO to publish the XML Notepad 2007 application 1. type Software Deploy. and then click Software Installation. click New. select the checkbox to accept the license agreement. In the Deploy Software dialog box. Double-click the XML Notepad 2007 icon. Right-click and copy XMLNotepad. Right-click the AppDeploy folder. In the XML Notepad 2007 Setup dialog box. click Programs and Features. In the XML Notepad 2007 license agreement dialog box. and then click Install a program from the network. 2. . 4. Click Start and type \NYC-SVR1\E$\labfiles\Mod10 in the search box and press ENTER. and then click Add. 2. expand Policies. Name the new folder AppDeploy. Click Forest:Contoso. click Control Panel. 8. 6. Right-click the IT OU. 5. and Link it here. right-click the Software Deploy GPO. click Published. click Administrative Tools. Expand the IT OU. click Start. Right-click Software Installation. Close the AppDeploy window. 3.Lab A: Using Group Policy to Configure Scripts and Folder Redirection L10-7 MCT USE ONLY.com. Click Share and click Done. In Group Policy Management Editor. and then expand Contoso. Log on to NYC-CL1 as Ed with a password of Pa$$w0rd.  Task 4: Test the deployment 1. 10.com. and then click OK. Browse to C:\AppDeploy and paste the file. expand Software Settings. and then click Specific people. select Everyone. 
click Next. click Share with. In the File Sharing dialog box.  Task 2: Create and link a GPO to deploy the software to the IT OU 1. 4. 7. expand Domains. 6. Click Start. 4. type \NYC-DC1\AppDeploy\XMLNotepad. and then click Edit. Ensure the permission level for Everyone is Read. Click Start. 3. and then click Package. On NYC-DC1. in the File Name box. and then click New folder. 9. and then click OK. 3. click Programs.

you created and populated a software distribution share and created and configured a GPO to publish an application. In the XML Notepad 2007 Setup dialog box. leave the virtual machines running. When you finish the lab. In the XML Notepad 2007 Setup dialog box. click Next. and then click Finish. click Install. 6. Close all open windows and log off. 8. 7. Results: In this exercise. To prepare for the next lab 1.

and then select Create. 5. Click Share.  Task 3: Use preferences to create a desktop shortcut to the Notepad application 1. Under User Configuration. Click OK to close the New Drive Properties dialog box. In the Location box. Select the Run in logged-on user’s security context (user policy option) check box. click Use.com. 6. Click OK to close the Targeting Editor dialog box. and then click New folder. and then click Add. right-click the Default Domain Policy. In the New Shortcut Properties dialog box. select Everyone. click Share with. 3. and then click Group Policy Management. Right-click the ITDocs folder. In the New Drive Properties dialog box. Click the Common tab. In the Location list select All Users Desktop. 6. and then expand Windows Settings. 14. and then select Security Group. 2. and then click Mapped Drive. and then click Shortcut. point to New. Select the Item-level targeting check box. and then select the drive letter R. expand Domains. and then click Specific people. and then click Done. click the drop-down arrow. 3. expand Preferences. type Notepad. click the Action drop-down arrow. and then click Edit.Lab A: Using Group Policy to Configure Scripts and Folder Redirection L10-9 MCT USE ONLY. Select the Reconnect check box. Name the new folder ITDocs. 6. 2. click Administrative Tools. 4. 15. click the drop-down arrow. Right-click Shortcuts. 9. click New. select Create. Click Targeting. 11. Click the elipsis beside the Group field and type IT into the Enter the object name to select box and then click Check Names and then click OK. In the File Sharing dialog box. type \NYC-DC1\ITDocs. 4. On NYC-DC1. in the Action list. In the Targeting Editor dialog box. STUDENT USE PROHIBITED Lab D: Deploying Group Policy Preferences Exercise 1: Deploying Group Policy Preferences  Task 1: Create and share a folder to contain the IT documents 1. Close the Local Disk (C:) window. Then.  Task 2: Use preferences to map a drive for the IT group 1. 7. expand Contoso. 7. 
Click Start. and then click Computer 2. Right-click Drive Maps. click Start. 12. expand Forest:Contoso. 5. 13. 8. Double-click Local Disk (C:) drive. 4.exe. click New Item. In the Drive Letter section. 5. 10. In the Name box.com. 3. In the Target path. . type C:\Windows\System32\notepad. Ensure the Target type is File System Object.

4. Click Start.L10-10 Lab A: Using Group Policy to Configure Scripts and Folder Redirection MCT USE ONLY. 2. Repeat these steps for 6419B-NYC-CL1. In the Revert Virtual Machine dialog box.  To prepare for the next lab When you finish the lab. Ensure that the Notepad shortcut appears on the desktop. Ensure that there is no drive mapped to the ITDocs shared folder. Ensure that R: drive is mapped to the ITDocs shared folder. click Computer. Ensure the Notepad shortcut appears on the desktop. Close all open windows on NYC-DC1. 5. 3. start Hyper-V Manager.  Task 4: Test the preference settings 1. 4. Right-click 6419B-NYC-DC1 in the Virtual Machines list. clear the Run in logged-on user’s security context (user policy option) check box. you used Group Policy preferences to map a drive to selected users and create a desktop shortcut for all users. . and then click Revert. 8. Log on to NYC-CL1 as Ryan with a password of Pa$$w0rd. To do this. click Revert. Click Common. 2. Results: In this exercise. and then click OK. STUDENT USE PROHIBITED 7. 3. On the host computer. Log on as Dylan with a password of Pa$$w0rd. revert the virtual machines back to their initial state. Click Start and click Computer. Log off NYC-CL1. complete the following steps: 1.

In the Group Policy Management Editor. in the Password must be at least field.com. and then click Group Policy Management. 12. type 5. expand Security Settings. and then click Password Policy. 3. 2. Double-click Maximum password age. in the Password will expire in field. In the Suggested Value Changes dialog box. In the Minimum password age Properties dialog box.com. 14. 11. Exercise 1: Configuring Account and Security Policy Settings  Task 1: Create an account policy for the domain. In the details pane. click 6419B-NYC-DC1. point to Administrative Tools. point to Administrative Tools. 1. right-click Default Domain Policy. double-click Minimum password length. In the Maximum password age Properties dialog box. in the Password can be changed after field. you will use the available virtual machine environment. and then click OK. expand Policies. In the details pane. and then click OK. double-click Account lockout threshold. expand Contoso. Wait until the virtual machine starts. expand Forest: Contoso. In the details pane. Close Group Policy Management Editor. and then click Edit. 7. . expand Windows Settings. and then click OK. and then click Hyper-V™ Manager. In the Group Policy Management console pane. 9. click Connect. 5. click Start. and in the Actions pane. In the Minimum password length Properties dialog box. In the Account lockout threshold Properties dialog box. expand Domains. under Account will not lock out. 15. Do not log on to NYC-CL1 until directed to do so. On NYC-DC1. and then click Group Policy Objects. and then click OK. STUDENT USE PROHIBITED Module 11: Implementing Security Settings Using Group Policy Lab A: Implementing Security Using Group Policy Lab Setup For this lab. type 8. click Account Lockout Policy. type 20. Log on by using the following credentials: • • • User name: Administrator Password: Pa$$w0rd Domain: Contoso Repeat steps 2 and 3 for 6419B-NYC-CL1. 6. 8. you must complete the following steps: On the host computer. 
Double-click Minimum password age. type 19. In Hyper-V Manager. 10. click Start. 4. expand Account Policies. In the Actions pane. Before you begin the lab. In the console pane. click OK to accept the values of 30 minutes. 13.Lab A: Implementing Security Using Group Policy L11-1 MCT USE ONLY. click Start. under Computer Configuration.

expand User Configuration. Click Start. In the Remove Run menu from Start Menu dialog box. click Add/Remove Snap-in. In the New Profiles properties dialog box.11) Policies. and then click Start Menu and Taskbar. click Add. click Add. double-click Accounts: Administrator account status. 7. In the Accounts: Administrator account status Properties dialog box. in the Authentication list. 1. in the Profile Name field. expand Local Computer\Non-Administrators Policy. Click Non-Administrators.L11-2 Lab A: Implementing Security Using Group Policy MCT USE ONLY. click Add. 9. Start NYC-CL1 and log on as Contoso\Administrator. with the password. 4. and then expand Security Settings. expand Local Computer Policy. and then click Infrastructure. double-click Remove Run menu from Start Menu. and then click OK. expand Windows Settings. type MMC in the search programs and files box. 8. 3. and then press Enter.  Task 3: Create a wireless network GPO for Windows 7 client. 14. expand Administrative Templates. 5. In the console pane. in the Group Policy Management console pane. In the Network Name(s) (SSID) field. in the Name field. In the Group Policy Management Editor. On the Security tab. click the Users tab. In the Browse for a Group Policy Object dialog box. click Enabled. In the details pane. click Finish. under Computer Configuration. In the details pane. right-click Windows 7 Wireless. and then click New. expand Windows Settings. STUDENT USE PROHIBITED  Task 2: Configure local policy settings for a Windows 7 client. 2. 15. 11. type Corporate. . 10. Restart NYC-CL1. and then click Edit. In the Console1 window. On the Network Permissions tab. click Add/Remove Snap-in.1X. on the File menu. 2. click OK. In then console pane. expand Policies. Expand Group Policy Objects. 3. 16. Right-click Wireless Network (IEEE 802. click Open with 802. 6. Close the MMC window and do not save the changes. type Windows 7 Wireless. expand Local Policies. On NYC-DC1. 13. 9. On the File menu. 
and then click Browse. 12. click Finish and then click OK. Pa$$w0rd. 1. and then click Security Options. and then click OK. 4. click Group Policy Object Editor. expand Security Settings. and then click OK. 5. 8. and then click OK. click Enabled. 6. In the New GPO dialog box. In the New Wireless Network Policy Properties dialog box. click Add. In the Add or Remove Snap-ins dialog box. In the Add or Remove Snap-ins dialog box. and then click OK. 10. expand Computer Configuration. type Corp. 7. and then click Add. right-click Group Policy Objects. click Group Policy Object Editor. and then click Create a New Wireless Network Policy for Windows Vista and Later Releases.

12. Close Group Policy Management Editor. and then click OK. 13. double-click Windows Installer. and then click System Services. select the Define this policy setting check box. 2. 14. right-click Default Domain Controllers Policy. and then click OK twice. verify that Permission is set to Deny. right-click Contoso. 11. In the Group Policy Management console pane. you will have configured account and security policy settings. expand Security Settings. In the details pane. verify that Disabled is selected. and then click Edit. type Research. in the Network Name (SSID): field. under Computer Configuration. . expand Windows Settings. 5. and then click Link an Existing GPO. and then click OK. expand Group Policy Objects. 1. click Windows 7 Wireless. In the New Permission Entry dialog box. 4. 3. In the Group Policy Management Editor. In the Select GPO dialog box. In the Group Policy Management console pane. Result: After completing this exercise.com. Close Group Policy Management Editor.  Task 4: Configure a policy that prohibits a service on all domain controllers. expand Policies. In the Windows Installer Properties dialog box.

click Start. type Domain Admins into the Enter the object names to select (examples) field and then click OK. and then click OK to accept the defaults. expand CN=System. 11. type ITAdmin. 9. click CN=Password Settings Container. Click Next. type 07:00:00:00. 3. 16. type 06:00:00:00. type 3. Click Next. Click Next. 5.msc into the Run… dialog box . type 10. 10. click Connect to. Right-click CN=Password Settings Container. In ADSI Edit. . In the Create Object dialog box. Click Next. type adsiedit. 1. and then point to New and then click Object. Right-click ADSI Edit. . you will have implemented a fine-grained password policy. Click OK to close the CN=ITAdmin Properties box and then close the ADSI Edit window. 4. In the CN=ITAdmin Properties window. type 00:00:30:00. 4. and then press Enter. 7. and then click Next. 14. Navigate to DC=Contoso. Click Add Windows Account. Click Next. On NYC-DC1. In the msDS-MaximumPasswordAge value. 1. 5. 13. 6. type TRUE. 2. and then click Next. 15. type FALSE. Click Next. click msDS-PasswordSettings. double-click CN=ITAdmin. Results: After completing this exercise. In the msDS-LockoutThreshold value. click Run. Click Next.  Task 2: Assign the PSO to the Domain Admins global group. 2. type 30. 3. and then click Next and then click Finish. scroll down and then double-click msDS-PSOAppliesTo. In the msDS-PasswordHistoryLength value. type 10. Click Next. STUDENT USE PROHIBITED Exercise 2: Implementing Fine-Grained Password Policies  Task 1: Create a PSO by using ADSI edit. In the msDS-MinimumPasswordAge value. In the msDS-PasswordComplexityEnabled value.L11-4 Lab A: Implementing Security Using Group Policy MCT USE ONLY. select the CN=Password Settings Container and then in the details pane. Click OK. In the msDS-PasswordReversibleEncryptionEnabled value. In the msDS-LockoutDuration value. 8. 12. In the msDS-PasswordSettingsPrecedence value. In the msDS-LockoutObservationWindow value. Click Next. DC=com. type 00:00:30:00. In Value box. 
In the msDS-MinimumPasswordLength value.

and then click Add Group. and then click OK.Click Start and in the Start Search field. and then click OK twice. 2. shut down NYC-CL1 and restart it. expand Contoso. expand Forest: Contoso. next to Members of this group. click Add. 7. 3. and then click Group Policy Management. In the Administrators Properties window. you configured and tested restricted groups by using Group Policy. and then click Restricted Groups. click Start. expand Policies. Close the lusrmgr – [Local Users and Groups (Local)] window. expand Security Settings. In the Administrators Properties dialog box. 6. In the right hand pane. 9. 8. Close Group Policy Management Editor. 5. Next to Members of this group. 1. type Edit local users and groups and then press Enter. and then click Edit. 4. under Computer Configuration. 7. click the Groups node in the left hand pane. expand Domains.com. type Administrators. 10. Close the Administrators Properties window. 1. STUDENT USE PROHIBITED Lab B: Configuring Restricted Groups and Application Control Policies Exercise 1: Configuring Restricted Groups  Task 1: Configure restricted groups for the local administrators group. In the lusrmgr – [Local Users and Groups (Local)] window. right-click Default Domain Policy. and then click OK. expand Windows Settings. Log on to NYC-CL1 as Contoso\Ed with a password of Pa$$w0rd. confirm that CONTOSO\Domain Admins and CONTOSO\IT are listed in the Members pane. In the Group Policy Management console. Right-click Restricted Groups. Results: After completing this exercise. click Administrative Tools. type CONTOSO\IT. In the Add Member dialog box. expand Group Policy Objects. 2. Start the 6419B-NYC-CL1 VM. double-click the Administrators group. . click Add. In the Add Group dialog box. 5. type CONTOSO\Domain Admins. In the Group Policy Management Editor window. . If the VM is already started. 6.Lab A: Implementing Security Using Group Policy L11-5 MCT USE ONLY. 9. In the Add Member dialog box. 
 Task 2: Test restricted groups for the local administrators group. Log off from NYC-CL1. 3. 4. On NYC-DC1.com. 8.

Click Yes if prompted to create default rules. and then click OK. 22. 18. Double-click Local Disk (C:). select wordpad. select Publisher. select the Configured check box. 2. WordPad Restriction Policy. select the Define this policy setting check box. Right-click Group Policy Objects and click New. In the Group Policy Management Editor. 1. Select Executable Rules. Expand Computer Configuration. 24. Click OK. and then click Group Policy Management. Expand Application Control Policies. 13. expand Policies. and then double-click Application Identity. and then click Next. expand Computer Configuration. and then click Open. and then expand AppLocker. 28. and then click Next. double-click Windows NT.com. and then click Create. expand Computer Configuration. 11. Click AppLocker. and then expand Domains.L11-6 Lab A: Implementing Security Using Group Policy MCT USE ONLY. Right-click WordPad Restriction Policy and click Edit. On the Enforcement tab. Double-click Program Files. Click System Services. 21. 7. 8. 12. click Administrative Tools. expand Windows Settings.com. 23. 14. Click Next again. 4. 9. 26. In the Application Identity Properties dialog box. On NYC-DC1. expand Windows Settings. Move the slider up to the File name: position and click Next. click Start. 15.exe. Click Next. select Deny. Close Group Policy Management Editor. 27. expand Windows Settings. and then expand Security Settings. 16. STUDENT USE PROHIBITED Exercise 2: Configuring Application Control Policies  Task 1: Create a GPO to enforce the default AppLocker™ Executable rules. and then select Enforce rules. Click Browse …. 17. expand Policies. 20. double-click Accessories. 3. On the Conditions page. and then right-click and select Create New Rule. 6. and then right-click and select Properties. and then expand Security Settings. expand Security Settings. 5. and then click Computer. 25. 10. Expand Contoso. and click OK. Select Automatic under Select service startup mode. Click Group Policy Objects. 
On the Permissions page. . Name the new GPO. expand Policies. 19. under Executable rules. In the Group Policy Management Editor. expand Application Control Policies. Expand Forest: Contoso.

com domain.com domain container. 9. in the Search programs and files box. In the Command Prompt window. in the Search programs and files box. and then press Enter. Expand Domains.  To prepare for the next module. 4. Close the Group Policy Management console. and then press Enter. the application will be restricted. Click OK to link the GPO to the domain. 5.com. 8. STUDENT USE PROHIBITED  Task 2: Apply the GPO to the Contoso. 2. type command. you will have restricted an application by using AppLocker. Expand Group Policy Objects. 5. Repeat these steps for 6419B-NYC-CL1. 1. Restart and then log on to the NYC-CL1 as Contoso\Alan. Results: After completing this exercise. type gpupdate /force. In the Command Prompt window. Click Start.  Task 3: Test the AppLocker rule. Wait for the policy to be updated. start Hyper-V Manager. Click OK when prompted with a message.com.Lab A: Implementing Security Using Group Policy L11-7 MCT USE ONLY. 4. and then press Enter. Click Start. type gpupdate /force. click Accessories. To do this. 7. If the application runs. After the policy setting is applied. revert the virtual machines to their initial state. 2. Click Start. On the host computer. In the Group Policy Management window. expand Forest: Contoso. 3. 4. click All programs. 3. Drag the WordPad Restriction Policy GPO on top of the Contoso. and then press Enter. Note: The AppLocker policy should restrict you from running this application. 1. In the Revert Virtual Machine dialog box. and then click WordPad. 2. with the password. Pa$$w0rd. 6. type cmd. Right-click 6419B-NYC-DC1 in the Virtual Machines list. . log off from NYC-CL1 and log on again. and then click Revert. 3. Wait for the policy to be updated. When you finish the lab. complete the following steps: 1. Expand Contoso. It may take a few minutes for the policy setting to apply to NYC-CL1. click Revert.


click Start. When prompted. click Restart Now. open Server Manager. Close Active Directory Users and Computers.Lab A: Deploying a Read-Only Domain Controller L12-1 MCT USE ONLY. 7. right-click NYC-SVR1. Click Change System Properties. This computer needs to be in a workgroup to pre-stage it as an RODC. and click OK. In the Computer Name/Domain Changes window.  Task 2: Stage a delegated installation of an RODC 1. 8. click Next. On NYC-SVR1. 9. 4. 9. In the System Properties window. On the Specify the Computer Name page. 7. 12. 6. Right-click Domain Controllers and click Pre-create Read-only Domain Controller account. click Start. type TEMPORARY. and then click the Computers container. 10. On the Operating System Compatibility page. 5.com. under Computer Information. 4. In the System Properties window. 5. 10. Click OK to confirm changing to the TEMPORARY workgroup. and click Active Directory Users and Computers. On NYC-DC1. point to Administrative Tools. 3. Click OK to close the message about restarting. 2. On NYC-DC1. Expand Contoso. On the Select a Site page. 6. 11. . STUDENT USE PROHIBITED Module 12: Providing Efficient Network Access for Remote Offices Lab A: Deploying a Read-Only Domain Controller Exercise 1: Installing an RODC  Task 1: Verify the prerequisites for a staged installation of an RODC 1. note the domain status. Click Yes to confirm subtree deletion. 2. click Workgroup. Right-click Contoso. point to Administrative Tools. Verify that the forest functional level is at least Microsoft Windows Server 2003 and then click OK. 8. Click Yes to confirm deleting the computer account. click Change. click Next. In the Active Directory Domain Services Installation Wizard. type NYC-SVR1. and click Delete. click Next. and then click Next.com and click Properties. 13. On the Network Credentials page. 3. click Next. Click OK to close the warning. click Close. and click Active Directory Users and Computers.

and press ENTER. On the Additional Domain Controller Options page. click Next. 12. . and then click Next. type CONTOSO\IT.L12-2 Lab A: Deploying a Read-Only Domain Controller MCT USE ONLY. In the Password box. Andrea is a member of the IT group that was delegated permission to install in the previous task. Log on to NYC-SVR1 as Administrator with the password of Pa$$w0rd. 8. 15. In the User Name box. click Next. 3.com. On NYC-SVR1.com domain. Click Yes to continue. On the Directory Services Restore Mode Administrator Password page. type Andrea. click Start. 4. Click Set. 7. On the Completing the Active Directory Domain Services Installation Wizard page. 9. A message appears to inform you that your credentials do not belong to the Domain Admins or Enterprise Admins groups. and then press ENTER. select the Reboot On Completion check box. In the progress window. 17. Click the Domain Controllers OU and read the DC Type for NYC-SVR1. click Next. in the Password and Confirm Password boxes. and then click Next. in the Group or user box. type Pa$$w0rd. On the Choose a Deployment Configuration page. Review your selections on the Summary page. On the Location For Database. On the Summary page. A message appears to inform you that the account for NYC-SVR1 has been prestaged in Active Directory as an RODC. 13.com (forest root domain). click Finish. 10. Click OK to use the existing an account. On the Delegation of RODC Installation and Administration page. 14. click Next. you configured NYC-SVR1 as an RODC in the contoso. 14.  Task 3: Complete a staged installation of an RODC 1. On the Network Credentials page. click Next. Log Files. On the Operating System Compatibility page. type Pa$$w0rd. 5. select Existing forest. 13. and then click Next. and then click Next. 6. On the Network Credentials page. 2. and SYSVOL page. click Next. select contoso. you can proceed with the delegated credentials. Results: In this exercise. type contoso. 11. type dcpromo. 16. 15. 
Because you have prestaged and delegated administration of the RODC. On the Select a Domain page. In the Active Directory Domain Services Installation Wizard. 12. click Add a domain controller to an existing domain. and then click Next. STUDENT USE PROHIBITED 11.

STUDENT USE PROHIBITED Exercise 2: Configuring Password Replication Policy and Credential Caching  Task 1: Configure domain-wide password replication policy 1. or Groups window. Alexander. and then press ENTER. In the Group name: box. Type Alan. and then click OK. and then click the Add button. NYC-CL1. Max. Click the Password Replication Policy tab. In the Select Users. and then click OK. Click OK. click the Research OU. type DNSAdmins. click the Domain Controllers OU. 4. and then click OK. 9. 11. Verify that the Allowed RODC Password Replication Group and Denied RODC Password Replication Group are listed. 14. In the console tree. Examine the default membership of Allowed RODC Password Replication Group and note that there are no members by default. Computers. type Remote Office Users. 4. click Start. Click OK to close the Remote Office Users Properties dialog box. Click the Members tab. select the Computers check box. 10.  Task 2: Create a group to manage password replication to the remote office RODC 1. Right-click NYC-SVR1 and click Properties. Right-click Remote Office Users. type Remote Office Users. and click Active Directory Users and Computers. 8. 2. 7. 6.Lab A: Deploying a Read-Only Domain Controller L12-3 MCT USE ONLY. point to New. point to Administrative Tools. Click the Members tab.  Task 3: Configure password replication policy for the remote office RODC 1. 5. 3. 2. 4. 3. 6. 6. expand Contoso. Click Add. . and then click Properties. In the Active Directory Users and Computers console tree. and then click the Users container. click the Domain Controllers OU. Click the Add button. Click the Members tab. In the console tree. 5. On NYC-DC1. In the Active Directory Users and Computers console tree. 3. and then press ENTER. Click OK. and then click Group. Click OK. 7. Right-click Research. Click Object Types. Right-click NYC-SVR1 and click Properties. 12. 13. 8.com. Click Allow passwords for the account to replicate to this RODC. 5. 
Double-click Denied RODC Password Replication Group. Click the Password Replication Policy tab. and then click OK. Dylan. Double-click Allowed RODC Password Replication Group. 2.

4. 3. Click the Password Replication Policy tab. Right-click NYC-SVR1 and click Properties. Click OK to close the NYC-SVR1 Properties dialog box. Attempt to log on to NYC-SRV1 as Alexander with the password Pa$$w0rd. Click OK. Click OK to clear the message indicating that the password was successfully cached. click the Resultant Policy tab. 6. Shut down NYC-DC1. Click OK at the error message.  Task 6: Prepopulate credential caching 1. and then click Properties. Type Alan. 3. 6. click Prepopulate Passwords. 4. On NYC-DC1. In the Advanced Password Replication Policy for NYC-SVR1 window. 9. From the drop-down list. Click the Advanced button. and then click Properties. 5. right-click NYC-SVR1.  Task 5: Monitor credential caching 1. 7. and then click the Add button. 10. This logon will fail because Alexander does not have the permission to log on to the RODC. 3. and then click OK. click Start and click Control Panel. 8. 2. and then press ENTER.L12-4 Lab A: Deploying a Read-Only Domain Controller MCT USE ONLY. On the Policy Usage tab. Click Yes to confirm that you want to send the credentials to the RODC. Click Close. Click the Password Replication Policy tab. In the Active Directory Users and Computers console.  Task 7: Test cached passwords on NYC-SVR1 1. 3. NYC-CL1. On NYC-CL1. 4. 6. Click the Password Replication Policy tab. Click Network and Internet and click Network and Sharing Center. . Click OK to close the NYC-SVR1 Properties dialog box. Click Close. Confirm that Alexander’s password can be cached.  Task 4: Evaluate resultant password replication policy 1. Click Close. 5. read the list of cached passwords to confirm that the passwords for Alan and NYC-CL1 have been cached. 2. Click the Advanced button. 2. select Accounts that have been authenticated to this Read-only Domain Controller. 5. and then click OK. but authentication is performed. Type Alex. Notice that Alexander’s password has been cached. STUDENT USE PROHIBITED 7. On the Policy Usage tab. 
in the Active Directory Users and Computers right-click NYC-SVR1. 2. 7. Click the Advanced button.

In the Local Area Connection 3 Properties window. 8. revert the virtual machines to their initial state. start Hyper-V Manager. Click Local Area Connection 3 and then click Properties. 7. you configured and tested password replication for an RODC. On the host computer. complete the following steps: 1. In the Revert Virtual Machine dialog box. log off and then log on as Alan with a password of Pa$$w0rd. Right-click 6419B-NYC-DC1 in the Virtual Machines list. . In the Internet Protocol Version 4 (TCP/IPv4) Properties window. Results: In this exercise. 5.10. 9. click Close.11. To do this. log off and then log on as Alexander with a password of Pa$$w0rd. On NYC-CL1. Close all open windows and log off.  To prepare for the next lab When you finish the lab. and then click Properties.Lab A: Deploying a Read-Only Domain Controller L12-5 MCT USE ONLY. In the Local Area Connection 3 Properties window. On NYC-CL1. 10. type 10. 2. STUDENT USE PROHIBITED 4.0. and then click Revert. 6. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1. 3. 4. in the Alternate DNS box. and then click OK. click Internet Protocol Version 4 (TCP/IPv4). click Revert.

Close Server Manager. and then click Lanman Server. click Computer. and then click Edit. 4. Close the Local Group Policy Editor. 5. In the details pane.  Task 3: Enable a file share for BranchCache 1. click Enabled. on the Sharing tab. On the Create a QoS policy page of the Policy-based QoS wizard. and then click OK. expand Administrative Templates. select the Specify Outbound Throttle Rate: check box. On the Specify the source and destination IP addresses page. 11. 3. under Computer Configuration. 9. In the Share Properties dialog box. in the Hash publication actions box. In the Offline Settings dialog box. 3. In the Hash Publication for BranchCache dialog box. . On the Installation Results page. In the tree pane of the Local Group Policy Editor console. click Close. Right-click Share. click Next. type 100. In the Computer window. On the Specify the protocol and port numbers page. point to Administrative Tools. and then click Create new policy.L12-6 Lab A: Deploying a Read-Only Domain Controller MCT USE ONLY. select the Enable BranchCache check box. On the Confirm Installation Selections page. scroll down to the File Services section and then click Add Role Services. and then click Next. 2. right-click Policy-based QoS. On the Start menu of NYC-DC1. 10. browse to Local Disk (C:). 3. right-click Hash Publication for BranchCache. 2. in the Search programs and files box. 4. expand Network.  Task 2: Simulate slow link to the remote office 1. in the Policy name box. STUDENT USE PROHIBITED Lab B: Deploying BranchCache Exercise 1: Configuring BranchCache in Distributed Cache Mode  Task 1: Configure NYC-DC1 to use BranchCache 1. 4. 6. type Limit to 100 KBps. expand Windows Settings. 5. under Computer Configuration. click Next. On the This QoS policy applies to page. click Caching. click Install. type gpedit. and then click Next. and then click Properties. and then click Server Manager. click Finish. in the Role services list. 8. and then press ENTER. 
click Advanced Sharing. click Roles. On the Start menu of NYC-DC1. In the tree pane of the Server Manager console.msc. 2. 7. 6. In the tree pane of the Local Group Policy Editor console. 6. select the BranchCache for network files check box. In the Advanced Sharing dialog box. and then click OK. On the Select Role Services page. select Allow hash publication only for shared folders on which BranchCache is enabled. On the Start menu of NYC-DC1. In the Setting list of the Lanman Server result pane. 5.

expand Administrative Templates. click Enabled. On the Start menu of NYC-DC1. Close Windows Explorer. and then click Group Policy Management. 5. click Predefined. 9. 2. under Computer Configuration. and then click BranchCache.Lab A: Deploying a Read-Only Domain Controller L12-7 MCT USE ONLY. expand Contoso. click Finish. and then expand Windows Firewall with Advanced Security. and then click Edit. right-click Contoso. and then click Next. On the Action page.  Task 5: Configure client firewall rules for BranchCache 1. and Link it here. expand Domains. In the Group Policy Management Editor console. In the Name box of the New GPO dialog box. On the Rule Type page of the New Inbound Rule Wizard. 3. under Windows Firewall with Advanced Security. and then click Create a GPO in this domain. right-click Turn on BranchCache. expand Windows Settings. and then click Edit. This setting is required to simulate access from a remote office and is not typically required. and then click OK. 4. In the Setting list of the BranchCache result pane. 9. 3. 6. In the Setting list of the BranchCache result pane. . 8. click BranchCache – Peer Discovery (Uses WSD). In the Setting list of the BranchCache result pane. 8. click Predefined. In the Advanced Sharing dialog box. right-click BranchCache.com. and then click OK. STUDENT USE PROHIBITED 7. point to Administrative Tools. On the Action page. click OK. expand Policies. and then click Next. 2. click Finish to create the firewall inbound rule. under Domains. 10. expand Security Settings. and then click Edit. right-click Inbound Rules and click New Rule. 7. In the Set BranchCache Distributed Cache mode dialog box. 9. In the Turn on BranchCache dialog box. 5. 8. type 0. On the Predefined Rules page. in the tree pane of the Group Policy Management Editor console.com. In the Share Properties dialog box. and then click OK. In the tree pane of the Group Policy Management Editor console. 7. 10. click Enabled. In the tree pane. 
in the Enter the round trip network latency value in milliseconds above which network files must be cached in the branch office box. On NYC-DC1. In the tree pane of the Group Policy Management console. type BranchCache. click BranchCache – Content Retrieval (Uses HTTP). click Next. 11. right-click Configure BranchCache for network files. In the Configure BranchCache for network files dialog box. and then click Edit. In the tree pane of the Group Policy Management console. Right-click Inbound Rules and click New Rule. and then click OK. 4. click Enabled. On the Rule Type page of the New Inbound Rule Wizard. under Computer Configuration. expand Forest: Contoso. expand Windows Firewall with Advanced Security. 6. expand Network. under Policies. right-click Set BranchCache Distributed Cache mode. On the Predefined Rules page. and then click Inbound Rules.  Task 4: Configure clients to use BranchCache in distributed cache mode 1.com. click Next. click Close.

and then press ENTER. click BranchCache. Restart NYC-CL2. netsh branchcache show status all 17. 19. click the Delete (Delete Key) icon. click Performance Monitor. Start 6419B-NYC-CL2. After the computer starts. and then click Command Prompt. type Performance. In the tree pane of the Performance Monitor console. . Start 6419B-NYC-CL1. After the computer restarts. click Accessories. under Monitoring Tools. log on as Contoso\Administrator with the password of Pa$$w0rd. In the tree pane of the Performance Monitor console. At the command prompt window. Restart NYC-CL1. type Performance. Close the Group Policy Management Editor console. 15. On the Start menu of NYC-CL2. Change the graph type to Report. 18. and then click Command Prompt. point to All Programs. 14. in the Search programs and files box. log on as Contoso\Administrator with the password of Pa$$w0rd. In the Performance Monitor result pane. 10. log on as Contoso\Administrator with the password of Pa$$w0rd. in the Search programs and files box. netsh branchcache show status all 5. click the Add (Ctrl+N) icon. On the Start menu of NYC-CL2. 3. At the command prompt. and then press ENTER. 6. and then press ENTER. click Performance Monitor. gpupdate /force 4. log on as Contoso\Administrator with the password of Pa$$w0rd.L12-8 Lab A: Deploying a Read-Only Domain Controller MCT USE ONLY. At the command prompt window. 8. type the following code. In the Performance Monitor result pane. 12. On the Start menu of NYC-CL1. gpupdate /force 16. 12. 2. and then press ENTER. and then press ENTER. In the Add Counters dialog box. At the command prompt window. point to All Programs. and then click Add. 7. 9. After the computer restarts. under Monitoring Tools. Close the Group Policy Management console. type the following code. STUDENT USE PROHIBITED 11. click Accessories.  Task 6: Apply BranchCache settings to the clients 1. 11. In the Select counters from computer box of the Add Counters dialog box. 
On the Start menu of NYC-CL1. type the following code. 13. and then press ENTER. click OK. After the computer starts. type the following code.

and then click Command Prompt. 2. type the following code. In the Performance Monitor console. right-click mspaint. In the Performance Monitor result pane. Also. and then click Paste. If the performance counters do not change and the file copy is slow. In the Name list of the Share window. type the following code. At the command prompt window. click the Delete (Delete Key) icon. view the Performance Monitor graph. netsh branchcache show status all .contoso. In the Share window. 12. On the Desktop. and then press ENTER. click the Minimize button. and then press ENTER.com\Share. in the Search programs and files box. point to All Programs. and then press ENTER. Change the graph type to Report. At the command prompt window. Note: While copying the file. click OK. point to All Programs.com\Share. 24. click the Minimize button. 23. 5. right-click anywhere. click Accessories. right-click mspaint. On the Start menu of NYC-CL1. STUDENT USE PROHIBITED 20. 6. click Accessories. In the Share window. make note of how long it takes to copy the file to NYC-CL1. view the SMB:Bytes from cache counter to confirm that file was copied from the BranchCache.  Task 7: Test BranchCache in the distributed caching mode 1. 3. try restarting the BranchCache service or restarting NYC-CL2. 13. 21.Lab A: Deploying a Read-Only Domain Controller L12-9 MCT USE ONLY. 14. and then click Add. In the Performance Monitor console. right-click anywhere. 22. 10. If the performance counters do not change try restarting the BranchCache service or restarting NYC-CL1. type \NYCDC1. 9. and then click Copy. and then click Copy. and then click Command Prompt. 4. Also. In the Performance Monitor result pane. 11. In the Select counters from computer box of the Add Counters dialog box. Notice that computer attempted discovery is successful and the file was copied much faster. click Minimize.contoso. On the Desktop. On the Start menu of NYC-CL1. click Minimize. Note: While copying the file. click BranchCache. 7. 
and then click Paste. On the Start menu of NYC-CL2. On the Start menu of NYC-CL2. netsh branchcache show status all 8. type \NYCDC1. view the Performance Monitor graph. In the Name list of the Share window. In the Add Counters dialog box. and then press ENTER. Notice that computer attempted discovery is not running successfully because you are copying the file to the branch office for the first time. click the Add (Ctrl+N) icon. in the Search programs and files box.

On NYC-CL2. close all open Windows. 15. On NYC-CL1. close all open windows. . 16.

Exercise 2: Configuring BranchCache in Hosted Cache Mode (optional)

Task 1: Configure clients to use BranchCache in hosted cache mode

1. On the Start menu of NYC-DC1, point to Administrative Tools, and then click Group Policy Management.
2. In the tree pane of the Group Policy Management console, if necessary, expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.
3. In the tree pane, under Contoso.com, right-click BranchCache, and then click Edit.
4. In the tree pane of the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.
5. In the Setting list of the BranchCache result pane, right-click Set BranchCache Distributed Cache mode, and then click Edit.
6. In the Set BranchCache Distributed Cache mode dialog box, click Not Configured, and then click OK.
7. In the Setting list of the BranchCache result pane, right-click Set BranchCache Hosted Cache mode, and then click Edit.
8. In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Enter the location of hosted cache box, type NYC-SVR1.contoso.com, and then click OK.
9. Close the Group Policy Management Editor console.
10. Close the Group Policy Management console.
11. On the Start menu of NYC-CL1, point to All Programs, click Accessories, and then click Command prompt.
12. At the command prompt window, type the following code, and then press ENTER.
    gpupdate /force
13. At the command prompt window, type the following code, and then press ENTER.
    netsh branchcache show status all
14. On the Start menu of NYC-CL2, point to All Programs, click Accessories, and then click Command prompt.
15. At the command prompt window, type the following code, and then press ENTER.
    gpupdate /force
16. At the command prompt window, type the following code, and then press ENTER.
    netsh branchcache show status all

Task 2: Install the BranchCache feature on NYC-SVR1

1. Start 6419B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
2. On the Start menu of NYC-SVR1, point to Administrative Tools, and then click Server Manager.
3. In the tree pane of the Server Manager console, right-click Features, and then click Add Features.

4. On the Select Features page of the Add Features Wizard, select the BranchCache check box, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Results page, click Close.
7. Close Server Manager.

Task 3: Request a certificate and link it to BranchCache.

1. On the Start menu of NYC-SVR1, click Run.
2. In the Open box of the Run dialog box, type mmc, and then click OK.
3. On the File menu of the Console1 – [Console Root] console, click Add/Remove Snap-ins.
4. In the Available snap-ins area of the Add or Remove Snap-in dialog box, click Certificates, and then click Add.
5. In the This snap-in will always manage certificates for page of the Certificates Snap-in wizard, click Computer account, and then click Next.
6. On the Select the computer you want this snap-in to manage page, click Finish.
7. In the Add or Remove Snap-ins dialog box, click OK.
8. In the tree pane of the Console1 – [Console Root] console, expand Certificates (Local Computer), right-click Personal, point to All Tasks, and then click Request New Certificate.
9. On the Before You Begin page of the Certificate Enrollment wizard, click Next.
10. On the Select Certificate Enrollment Policy page, click Next.
11. On the Request Certificates page, select the Computer check box, and then click Enroll.
12. On the Certificate Installation Results page, click Finish.
13. In the tree pane of the Console1 – [Console Root] console, under Personal, click Certificates.
14. In the Issued To result pane, right-click NYC-SVR1.Contoso.com, and then click Open.
15. On the Details tab of the Certificate dialog box, in the Field list, click Thumbprint, select thumbprint values in the details section, press Ctrl+C to copy the values to the Clipboard, and then click OK.
16. On the Start menu, click All Programs, click Accessories, and then click Command Prompt.
17. At the command prompt, type the following code, and then press Enter.
    netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}
    You can paste the certificatehashvalue from the certificate, but you must remove the spaces.
18. At the command prompt window, type the following code, and then press ENTER.
    netsh branchcache show status all

Task 4: Start the BranchCache Host Server

1. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers.
2. Right-click Contoso.com, point to New, and click Organizational Unit.
3. In the New Object - Organization Unit window, type BranchCacheHost, and then click OK.
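The thumbprint cleanup and binding from Task 3 can also be scripted. The following PowerShell is an added example, not part of the course material; the function names and the sample thumbprint are made up for illustration, and the appid is the one given in the lab step.

```powershell
# Added example (not from the course material). Run on the hosted cache server.
# ConvertTo-CertHash and Add-HostedCacheSslBinding are hypothetical helper names.

function ConvertTo-CertHash {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Keep hex digits only: this drops the spaces shown on the Details tab
    # and any other non-hex characters picked up with the copy.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # A SHA-1 thumbprint is 20 bytes, that is 40 hex characters.
    if ($hash.Length -ne 40) {
        throw "Expected 40 hex characters after cleanup, got $($hash.Length)."
    }
    return $hash
}

function Add-HostedCacheSslBinding {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        # BranchCache application ID, as given in the lab step.
        [string]$AppId  = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}',
        [string]$IpPort = '0.0.0.0:443'
    )

    $hash = ConvertTo-CertHash -Thumbprint $Thumbprint

    # Confirm the certificate is in the computer's Personal store and has a
    # private key before binding it.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) {
        throw "No certificate with thumbprint $hash in Cert:\LocalMachine\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $hash has no private key on this computer."
    }

    # Each argument is quoted so PowerShell does not parse the braces in the
    # appid value as a script block.
    & netsh http add sslcert "ipport=$IpPort" "certhash=$hash" "appid=$AppId"

    # Show the resulting binding for review.
    & netsh http show sslcert "ipport=$IpPort"
}

# Constructed sample thumbprint, in the spaced form the Details tab displays.
$copied = 'a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b'
ConvertTo-CertHash -Thumbprint $copied   # A909502DD82AE41433E6F83886B00D4277A32A7B

# With the real thumbprint copied from the NYC-SVR1 certificate:
# Add-HostedCacheSslBinding -Thumbprint '<thumbprint copied in step 15>'
```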

click BranchCache. click the Add (Ctrl+N) icon. To clear the BranchCache data. and then press Enter. Under Domains. 5. type Performance. netsh branchcache flush 3. click Performance Monitor. netsh branchcache set service hostedserver 13. Change graph type to Report. 3. on the Disk Usage tab. and then click OK. and click Group Policy Management. Restart NYC-SVR1 and log on as Contoso\Administrator with the password of Pa$$w0rd. Close the Offline Files window On the Start menu. and then press ENTER. under Monitoring Tools. 7. type the following code. click Start. Click NYC-SVR1 and drag it to BranchCacheHost. In the Performance Monitor result pane. 8. type the following code. Net stop branchcache 4. At the command prompt. type the following code. at the command prompt. At the command prompt. 9. In the Offline Files window. On NYC-CL1. 6. right-click BranchCacheHost. On the Start menu of NYC-SVR1. Click Yes to clear the warning about moving objects. expand Contoso. and then press ENTER. type cmd. On NYC-SVR1. 4.  Task 5: Configure Performance Monitor on NYC-SVR1 1. and click Block Inheritance. 2. and then press ENTER.. Close Active Directory Users and Computers. and then press ENTER. close all open windows. under Select counters from computer. Click the Computers container. point to Administrative Tools. in the Search programs and files box. In the Add Counters dialog box. 11.exe and press ENTER. Close the command prompt. Net start branchcache 5. STUDENT USE PROHIBITED 4. click the Delete (Delete Key) icon. and then click Manage offline files. 8.Lab A: Deploying a Read-Only Domain Controller L12-13 MCT USE ONLY. In the Performance Monitor result pane. . type offline. type Performance. 6.  Task 6: Clear BranchCache data and Performance statistics on NYC-CL1 1. 2. In the tree pane of the Performance Monitor console.com. in the Search programs and files box. On NYC-DC1. Click Start. click Add. click Delete temporary files. 5. 7. type the following code. 12. 10. 
Click Start. and then press ENTER. 6. open a command prompt.

Click Start. netsh branchcache flush 3. click the Delete (Delete Key) icon. click Add.com\Share. type Performance. under Monitoring Tools.contoso. and then click Copy. click Performance Monitor. In the Performance Monitor result pane. 9. Change graph type to Report. and then press ENTER. In the Performance Monitor result pane. in the Search programs and files box. type offline. type the following code. and then press ENTER. in the Search programs and files box. Net start branchcache 5. To clear the BranchCache data. 12. Close the Offline Files window On the Start menu. On the Desktop. 11. 2. 13. 2. at the command prompt. click the Delete (Delete Key) icon. 13.  Task 7: Clear BranchCache data and performance statistics on NYC-CL2 1. . 6. click BranchCache. click Start. under Select counters from computer.exe window. click Add. under Select counters from computer. click the Add (Ctrl+N) icon. 11. under Monitoring Tools. click Minimize. In the Offline Files window. and then click OK. right-click anywhere. and then press ENTER.exe and press Enter. and then press ENTER. type the following code. type the following code. and then click OK. right-click mspaint. Notice that the value for all performance statistics is zero. and then press ENTER. In the tree pane of the Performance Monitor console. on the Disk Usage tab. In the Performance Monitor result pane. type \NYCDC1. click Minimize. In the Administrator: C:\Windows\system32\cmd. click BranchCache. 3. 5. click Delete temporary files. 10. In the Share window. On the Start menu of NYC-CL1. In the tree pane of the Performance Monitor console. click the Add (Ctrl+N) icon. At the command prompt. 4. In the Add Counters dialog box. and then click Manage offline files. Net stop branchcache 4.L12-14 Lab A: Deploying a Read-Only Domain Controller MCT USE ONLY. In the Performance Monitor result pane. STUDENT USE PROHIBITED 9. 12. 10. At the command prompt. 8. On NYC-CL2.  Task 8: Test BranchCache in hosted caching mode 1. 
In the Add Counters dialog box. Change graph type to Report. and then click Paste. Notice that the value of all performance statistics is zero. 7. In the Name list of the Share window. type cmd. click Performance Monitor.

6. Read the performance statistics on NYC-CL1. This file was retrieved from the NYC-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval: Bytes Served)
7. On the Start menu of NYC-CL2, in the Search programs and files box, type \\NYC-DC1.contoso.com\Share, and then press ENTER.
8. In the Name list of the Share window, right-click mspaint, and then click Copy.
9. In the Share window, click Minimize.
10. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize.
11. On the Desktop, right-click anywhere, and then click Paste.
12. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache).
13. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1, 6419B-NYC-CL1 and 6419B-NYC-CL2.


Module 13: Monitoring and Maintaining Windows Server 2008

Lab: Creating a Baseline of Performance Metrics

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-SVR1.

Exercise 1: Determining Performance Metrics

Task 1: Determine performance counters to use

Question: What are the main hardware components that you should be measuring on NYC-SVR?
Answer: Processor, Memory, Hard Disk and Network.

Question: Which Performance Monitor objects correspond to these components?
Answer: The key objects are: Processor, Memory, Physical Disk and Network Interface.

Note: After completing this exercise, you will have determined performance metrics.

Exercise 2: Configuring a Performance Baseline

Task 1: Create a Data Collector Set to log the counters for the Processor, Memory, Physical Disk and Network Interface objects

1. On NYC-SVR1, click Start, click Administrative Tools and then click Performance Monitor.
2. In the Performance Monitor window, expand the Data Collector Sets node, right-click on User Defined, click New, and then click Data Collector Set.
3. In the Create new Data Collector Set window, type NYC-SVR1 Baseline in the Name field, select Create Manually (Advanced), and then click Next.
4. Select Create data logs, click the checkbox to select Performance counter and then click Next.
5. In the Performance counters field, click the Add button.
6. In the Available counters section, scroll to find Processor, and then expand Processor, ensuring all counters are highlighted.
7. In the Instances of selected object section, click <All Instances>, and then click the Add button.
8. In the Available counters section, scroll to find Memory, expand Memory, and then highlight all counters under Memory.
9. In the Instances of selected object section, click the Add button.
10. In the Available counters section, scroll to find Physical Disk, expand Physical Disk, and then highlight all counters under Physical Disk.
11. In the Instances of selected object section, click <All Instances>, and then click the Add button.
12. In the Available counters section, scroll to find Network Interface, expand Network Interface, and then highlight all counters under Network Interface.
13. In the Instances of selected object section, click Microsoft Virtual Machine Bus Network Adapter _2, click the Add button, and then click OK.
14. In the Create new Data Collector Set window, click Next.
15. Click Next.
16. On the Create the Data Collector Set? screen, select Start this Data Collector Set now, and then click Finish.

Note: The Data Collector Set will take a few moments to complete. Complete Exercise 3 and then come back to finish Task 2 of this exercise.

Note: After completing this exercise, you will have viewed performance by using monitoring tools.

Task 2: Review the Data Collector Set Report to ensure performance data has been captured

1. In the Performance Monitor window, expand the Reports node, expand the User Defined node, expand the NYC-SVR1 Baseline node, and then click the NYC-SVR1_XXXXXXXX node.
2. View the report in the right hand column and ensure that performance data was collected.

Note: After completing this exercise, you will have configured a performance baseline.

Exercise 3: Viewing Performance Using Monitoring Tools

Task 1: Use Resource Monitor to view system performance statistics

1. On NYC-SVR1, click Start, in the Start Menu Search box, type Resource Monitor and then press ENTER.
2. View the graphs on the right hand side of the screen to ensure none of them is near the top of the graph window.
3. Click each tab in the Resource Monitor window to view the real time performance data for the associated component.

Task 2: Use Reliability Monitor to view server reliability history

1. On NYC-SVR1, click Start, in the Start Menu Search box, type Reliability and then press ENTER.
2. Check the Reliability Monitor for any Error events represented by a red X icon.

Note: After completing this exercise, you will have viewed performance by using monitoring tools.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1.

Module 14: Managing Windows Server 2008 Backup and Recovery

Lab A: Implementing Windows Server Backup and Recovery

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V™ Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2-4 for 6419B-NYC-SVR1.

Exercise 1: Evaluating the Existing Backup Plan

Task 1: Review an existing backup plan.

1. You have agreed that no more than one day's data should be lost in the event of a disaster. Critical data includes the Sales, Finance, and Projects data. Does the current backup plan meet this requirement?
   Answer: No. The current weekly backup plan means that if data is lost, the data that is restored could be up to a week old.
2. You have also agreed that if a server fails, you should be able to restore that server, including all installed roles, features, applications, and security identity, in six hours. Does the current backup plan enable you to restore the servers in this way?
   Answer: No. No system state backups are being performed on the servers, so the servers must be rebuilt in the event of a failure. This would make restoring the original configuration very difficult.
3. Currently, you copy the Human Resources confidential data onto a removable hard disk that is attached to a computer in the Human Resources office. This task is performed weekly by using a script to preserve the encryption on the files. What are the consequences of this process and how would you deal with them?
   Answer: The issue is that the confidential files are on an easily removable device in an unsecured office. You could provide a secure data storage device, or you could place the removable hard disk in a secure area after the backup job is complete.

Task 2: Propose changes to the backup plan.

1. Propose an appropriate backup frequency for the shares in the following table.

   Backup    Frequency
   Sales     Daily

. 2. click Add Features. On the Specify Backup Time page. click OK. click Backup Schedule. 7. 4. Frequency Daily Daily Weekly Daily. In the Register Backup Schedule dialog box. 1. type \NYC-SVR1\backup. In the password field. and then click Windows Server Backup. 8. so this will depend on how often the server configuration is changed.  Task 3: Install Windows Server Backup feature. click Next. Click the plus sign to expand the feature. 9. click Server Manager on the Task bar. In the details pane. and then click Next. Select the check box to select the Command-line tools and click Next Click Install Click Close. 1. 7. On the Select Backup Configuration page. Note that command-line tools are not selected by default. click Administrative Tools. Click Start. click Different options. and then click Next.  Task 5: Back up an individual folder. On the Backup Options page. 6. On NYC-DC1. click Full server. Click Finish.  Task 4: Use the backup wizard to schedule a backup. In the Location field. In the Actions pane. click Back up to a shared network folder. 6.L14-2 Lab A: Implementing Windows Server Backup and Recovery MCT USE ONLY. STUDENT USE PROHIBITED Backup Finance Human Resources Technical Library Projects 2. 5. 2. and then click Next. type Pa$$w0rd. 2. In the Add Features Wizard. 1. 4. The backup should be at an appropriate frequency. 10. In the Backup Schedule Wizard. and then click OK. type Contoso\Administrator. In the left pane. 3. On the Specify Destination Type page. Typical schedules may be weekly or monthly. or perhaps more frequently How would you meet the requirement to restore the servers and how frequently would you back up the servers? Answer: Back up the system state data on the servers so that you can restore them later. click the drop-down arrow. 5. and then click Next. In the Windows Server Backup dialog box. select 1:00 AM as the Time of day. and then click Close. 3. click Backup Once. click Features. and then click Next. 
and then close Server Manager. select Windows Server Backup Features. In the Actions pane.

click Close after the backup completes. On the Backup Progress page. Expand Local disk (C:). Results: After completing this exercise. click Add Items. On the Select Backup Configuration page click Custom.Lab A: Implementing Windows Server Backup and Recovery L14-3 MCT USE ONLY. and then select the check box next to MarketingTemplates. and then click Next. 4. 7. . click Backup. and then click Next. 6. In the Specify Remote Folder dialog box. you will have reviewed an existing backup plan and proposed changes to that plan. On the Confirmation page. and then click Next. On the Select Items for Backup page. On the Specify Destination Type page. type \NYC-SVR1\Backup. 5. click Remote shared folder. 9. click OK. you will have configured backups to become familiar with the Windows Server Backup feature. and then click Next. Then. STUDENT USE PROHIBITED 3. 8.

Exercise 2: Implementing a Backup Plan

Task 1: Create a backup strategy to comply with the SLA.

1. What factors affect how quickly you can restore data?
   Answer: The size of the backed-up data and the backup hardware and media both affect how quickly you can restore data.
2. Given that you have a limited budget to meet the SLA requirements, how could you maximize your budget while providing backup for the entire network data for which you are responsible?
   Answer: Consider using a tiered approach to back up and restore. You should be able to restore critical data, which includes the Sales, Finance, and Projects shares, as quickly as possible in the event of a disaster. Use faster backup hardware and media for critical data, which costs more, but use slower backup hardware and media for noncritical data to reduce costs.

Task 2: Create a backup strategy to comply with legal requirements.

1. How will you ensure that the required data is stored for the minimum legal requirement period and that the data is available for audit purposes when it is required?
   Answer: Various approaches are valid, such as:
   • Create separate archive backups for legal compliance purposes. Include only the required data in these archives. A user who has restore privilege is required to access the data if an audit is performed. You must also consider the storage lifetime of the media—a tape may not retain seven-year-old data if it is not refreshed.
   • Store the legal compliance data on a separate network device such as another server or archive device. This device may offer policies to help you control retention requirements.

Task 3: Use the Recovery Wizard to restore the data.

1. On NYC-DC1, open Windows Explorer, navigate to C:\MarketingTemplates, and delete the contents in the folder.
2. Switch to Windows Server Backup and in the Actions pane, click Recover.
3. On the Getting Started page, click A backup stored on another location, and then click Next.
4. On the Specify Location Type page, click Remote shared folder, and then click Next.
5. On the Specify Remote Folder page, type \\NYC-SVR1\Backup. Click Next.
6. On the Select Backup Date page, click Next.
7. On the Select Recovery Type page, click Next.
8. On the Select Items to Recover page, expand NYC-DC1, expand Local disk (C:), select MarketingTemplates, and then click Next.
9. On the Specify Recovery Options page, type C:\MarketingTemplates. Click Next.
10. On the Confirmation page, click Recover.
11. On the Recovery Progress page, click Close.
12. Navigate to C:\MarketingTemplates and ensure that the content has been restored.
13. Close all open windows on NYC-DC1.

Results: After completing this exercise, you should have reviewed an existing recovery plan and proposed changes to that plan. You should also have tested data recovery.

To revert the virtual machines

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Note: Repeat steps 2-3 for 6419B-NYC-SVR1.

Lab B: Recovering Active Directory Objects

Exercise 1: Enabling Active Directory Recycle Bin

Task 1: Raise the forest functional level.

1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
2. At the command prompt, type the following command, and then press ENTER.
    Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest
3. Press Y, and then press ENTER.

Task 2: Enable the Active Directory Recycle Bin.

1. In the Active Directory Module for Windows PowerShell, type the following command, and then press ENTER.
    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
2. Press Y, and then press ENTER.
3. Close the Active Directory Module for Windows PowerShell.

Results: After completing this exercise, you will have raised the forest functional level and enabled Active Directory Recycle Bin.

Exercise 2: Restoring a Deleted Active Directory Object

Task 1: Delete Active Directory Objects.

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. Expand Contoso.com, and then click the Research OU.
3. Right-click Alan Brewer, and then click Delete.
4. In the Active Directory Domain Services dialog box, click Yes.
5. Right-click Dylan Miller, and then click Delete.
6. In the Active Directory Domain Services dialog box, click Yes.
7. Minimize Active Directory Users and Computers.

Task 2: Use LDP.exe to display the deleted objects container.

1. Click Start, click All Programs, click Accessories, right-click Command Prompt, click Run as administrator, type ldp.exe, and then press ENTER.
2. Click the Connection menu, and then click Connect.
3. In the Connect dialog box, click OK.
4. Click the Connection menu, and then click Bind.
5. In the Bind dialog box, click OK.
6. On the Options menu, click Controls.
7. In the Controls dialog box, expand the Load Predefined drop-down menu, click Return deleted objects, and then click OK.
8. Click View, click Tree, in the BaseDN field, type DC=Contoso,DC=Com, and then click OK.
9. In the console tree, expand DC=Contoso,DC=Com and double-click CN=Deleted Objects,DC=Contoso,DC=Com.

Task 3: Restore a deleted AD object by using LDP.exe.

1. In the Deleted Objects container, locate the user you deleted in the previous task, Dylan Miller, right-click and then click Modify.
2. In the Modify dialog box, in the Edit Entry Attribute field, type isDeleted.
3. In the Operation section, click Delete, and then click Enter.
4. In the Edit Entry Attribute field, type distinguishedname.
5. In the Values field, type CN=Dylan Miller,OU=Research,DC=Contoso,DC=Com.
6. In the Operation section, click Replace.
7. Click the Enter button.
8. Select the Extended check box, and then click Run.
9. Close the LDP application.
10. Restore Active Directory Users and Computers.
11. Right-click the Research OU, and then click Refresh. Dylan Miller’s user account has been restored to the OU.

type the following command. At the Active Directory module for Windows PowerShell command prompt. and then click Refresh.exe and Windows PowerShell. revert the virtual machines to their initial state. and then press ENTER. On the host computer. Get-ADObject -Filter {displayName -eq "Alan Brewer"} -IncludeDeletedObjects | RestoreADObject 3. 4. Close all open windows. Click Start. In the Revert Virtual Machine dialog box. Results: After completing this exercise. and then click Run as administrator.exe to view deleted objects. 1. When you finish the lab. Alan Brewer’s user account has been restored to the OU. Open Active Directory Users and Computers. To do this. Right-click 6419B-NYC-DC1 in the Virtual Machines list. right-click the Research OU. STUDENT USE PROHIBITED  Task 4: Use Windows PowerShell to restore a deleted Active Directory object. 3.  To revert the virtual machines. complete the following steps: 1.3 for 6419B-NYC-SVR1 and 6419B-NYC-DC2. 2.L14-8 Lab A: Implementing Windows Server Backup and Recovery MCT USE ONLY. click Revert. 2. Note: Repeat steps 2 . and then click Revert. right-click Active Directory Module for Windows PowerShell. start Hyper-V Manager. you should have used the LDP. . click Administrative Tools. and restored objects by using both LDP.