You are on page 1of 142

MCT USE ONLY.

STUDENT USE PROHIBITED

O F F I C I A L

M I C R O S O F T

L E A R N I N G

P R O D U C T

6419B

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

ii

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

MCT USE ONLY. STUDENT USE PROHIBITED

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. 2011 Microsoft Corporation. All rights reserved. Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Product Number: 6419B Part Number: X17-53274 Released: 04/2011

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

iii

MCT USE ONLY. STUDENT USE PROHIBITED

iv

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

MCT USE ONLY. STUDENT USE PROHIBITED

vi

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

vii

MCT USE ONLY. STUDENT USE PROHIBITED

viii

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

ix

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

MCT USE ONLY. STUDENT USE PROHIBITED

Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Andrew J. WarrenContent Developer


Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience in the IT industry, many of which have been spent in writing and teaching. He has been involved as the subject matter expert (SME) for the 6430B course for Windows Server 2008 and the technical lead on a number of other courses. He also has been involved in TechNet sessions on Microsoft Exchange Server 2007. Based in the United Kingdom, he runs his own IT training and education consultancy.

Conan KezemaContent Developer


Conan Kezema, B.Ed, MCSE, MCT, is an educator, consultant, network systems architect, and author who specializes in Microsoft technologies. As an associate of S.R.Technical Services, Conan has been a subject matter expert, instructional designer, and author on numerous Microsoft courseware development projects.

Gary DunlopContent Developer


Gary Dunlop is a Microsoft Trainer and consultant in Winnipeg, Canada since 1997. He has authored or co-authored several MOC courses. He specializes in Windows Server and Client systems. He is currently a Senior Systems Engineer for Broadview Networks.

Jason KellingtonContent Developer


Jason Kellington is a trainer, consultant and author who specializes in several Microsoft products. He has a broad range of experience in the IT industry as an administrator, developer, educator and technical writer. Jason is an MCT, MCITP and MCSE and has been involved in a number of Microsoft Learning courseware development projects.

William StanekTechnical Reviewer


William R. Stanek (http://www.williamstanek.com/) is a leading technology expert, a pretty-darn-good instructional trainer, and the award-winning author of over 100 books. Current or forthcoming books include Active Directory Administrators Pocket Consultant, Group Policy Administrators Pocket Consultant, SQL Server 2008 Administrators Pocket Consultant 2nd Edition, Windows 7: The Definitive Guide, and Windows Server 2008 Inside Out. Follow William on Twitter at http://www.twitter.com/WilliamStanek.

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

xi

MCT USE ONLY. STUDENT USE PROHIBITED

Contents
Module 1: Overview of the Windows Server 2008 Management Environment
Lesson 1: Understanding the Windows Server 2008 Environment Lesson 2: Overview of Windows Server 2008 Server Roles and Features Lesson 3: Windows Server 2008 Administration Tools Lesson 4: Managing Windows Server 2008 Server Core Lab: Managing Server Roles in a Windows Server 2008 Environment 1-3 1-11 1-20 1-28 1-35

Module 2: Managing Windows Server 2008 Infrastructure Roles


Lesson 1: Understanding IPv6 Addressing Lesson 2: Overview of the DNS Server Role Lesson 3: Configuring DNS Zones Lab A: Installing and Configuring the DNS Server Role Lesson 4: Overview of the DHCP Server Role Lesson 5: Configuring DHCP Scopes and Options Lab B: Installing and Configuring the DHCP Server Role 2-3 2-18 2-29 2-41 2-46 2-53 2-65

Module 3: Configuring Access to File Services


Lesson 1: Overview of Access Control Lesson 2: Managing NTFS File and Folder Permissions Lesson 3: Managing Permissions for Shared Resources Lesson 4: Determining Effective Permissions Lab: Managing Access to File Services 3-3 3-13 3-23 3-36 3-43

Module 4: Configuring and Managing Distributed File System


Lesson 1: Distributed File System Overview Lesson 2: Configuring DFS Namespaces Lesson 3: Configuring DFS Replication Lab: Installing and Configuring Distributed File System 4-3 4-14 4-20 4-28

Module 5: Managing File Resources Using File Server Resource Manager


Lesson 1: Overview of File Server Resource Manager Lesson 2: Configuring Quota Management Lab A: Installing FSRM and Implementing Quota Management Lesson 3: Implementing File Screening Lesson 4: Managing Storage Reports Lab B: Configuring File Screening and Storage Reports 5-3 5-11 5-19 5-22 5-28 5-33

xii

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 5: Implementing Classification Management and File Management Tasks Lab C: Configuring Classification and File Management Tasks

5-36 5-49

Module 6: Configuring and Securing Remote Access


Lesson 1: Configuring a Virtual Private Network Connection Lesson 2: Overview of Network Policies Lab A: Implementing a Virtual Private Network Lesson 3: Integrating Network Access Protection with VPNs Lesson 4: Configuring VPN Enforcement Using NAP Lab B: Implementing NAP into a VPN Remote Access Solution Lesson 5: Overview of DirectAccess 6-3 6-16 6-26 6-31 6-39 6-48 6-56

Module 7: Managing Active Directory Domain Services


Lesson 1: Overview of the Active Directory Infrastructure Lesson 2: Working with Active Directory Administration Tools Lesson 3: Managing User Accounts Lesson 4: Managing Computer Accounts Lab A: Creating and Managing User and Computer Accounts Lesson 5: Managing Groups Lesson 6: Using Queries to Locate Objects in AD DS Lab B: Managing Groups and Locating Objects in AD DS 7-4 7-17 7-26 7-36 7-45 7-50 7-63 7-68

Module 8: Configuring Active Directory Object Administration and Domain Trust


Lesson 1: Configuring Active Directory Object Administration Lab A: Configuring Active Directory Delegation Lesson 2: Configuring Active Directory Trusts Lab B: Administering Trust Relationships 8-3 8-15 8-20 8-29

Module 9: Creating and Managing Group Policy Objects


Lesson 1: Overview of Group Policy Lesson 2: Configuring the Scope of Group Policy Objects Lab A: Creating and Configuring GPOs Lesson 3: Managing Group Policy Objects Lab B: Creating and Configuring GPOs Lesson 4: Evaluating and Troubleshooting Group Policy Processing Lab C: Troubleshooting Group Policy 9-3 9-14 9-22 9-26 9-35 9-39 9-53

Module 10: Using Group Policy to Configure User and Computer Settings
Lesson 1: Using Group Policy to Configure Folder Redirection and Scripts 10-3

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

xiii

MCT USE ONLY. STUDENT USE PROHIBITED

Lab A: Using Group Policy to Configure Scripts and Folder Redirection Lesson 2: Using Administrative Templates to Manage Users and Computers Lab B: Configuring Administrative Templates Lesson 3: Deploying Software Using Group Policy Lab C: Deploying Software Using Group Policy Lesson 4: Deploying Group Policy Preferences Lab D: Deploying Group Policy Preferences

10-14 10-17 10-24 10-27 10-37 10-39 10-46

Module 11: Implementing Security Settings Using Group Policy


Lesson 1: Overview of Security Settings Lesson 2: Implementing Fine-Grained Password Policies Lab A: Implementing Security by Using Group Policy Lesson 3: Restricting Group Membership and Access to Software Lab B: Configuring Restricted Groups and Application Control Policies 11-3 11-14 11-21 11-26 11-36

Module 12: Providing Efficient Network Access for Remote Offices


Lesson 1: Overview of Remote Office Requirements Lesson 2: Implementing Read-Only Domain Controllers Lab A: Deploying a Read-Only Domain Controller Lesson 3: Implementing BranchCache Lab B: Deploying BranchCache 12-3 12-6 12-16 12-21 12-34

Module 13: Monitoring and Maintaining Windows Server 2008


Lesson 1: Planning Monitoring Tasks Lesson 2: Calculating a Server Baseline Lesson 3: Interpreting Performance Counters Lesson 4: Selecting Appropriate Monitoring Tools Lab: Creating a Baseline of Performance Metrics 13-3 13-9 13-18 13-26 13-33

Module 14: Managing Window Server 2008 Backup and Recovery


Lesson 1: Planning and Implementing File Backups on Windows Server 2008 Lesson 2: Planning and Implementing File Recovery Lab A: Implementing Windows Server Backup and Recovery Lesson 3: Recovering Active Directory Lesson 4: Troubleshooting Windows Server Startup Lab B: Recovering Active Directory Objects 14-3 14-14 14-19 14-23 14-29 14-37

xiv

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

MCT USE ONLY. STUDENT USE PROHIBITED

Appendix A: Implementing DirectAccess


Exercise 1: Configuring the AD DS domain controller and DNS Exercise 2: Configuring the PKI environment Exercise 3: Configuring the DirectAccess clients and test Intranet Access Exercise 4: Configuring the DirectAccess server Exercise 5: Verifying DirectAccess functionality A-4 A-6 A-9 A-11 A-13

Lab Answer Keys

About This Course

MCT USE ONLY. STUDENT USE PROHIBITED

About This Course


This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description
This course is designed to provide foundation skills in networking and Windows Server security, network services, and administration.

Audience
Candidates for this course are information technology (IT) professionals who work in medium to large organizations. The primary candidate is a Windows Server administrator who operates Windows Servers on a daily basis and who requires the skills for configuring, managing, and maintaining servers installed with Windows Server 2008, including the Release 2 (R2) edition. Candidates are typically responsible for day-to-day management of the server operating system and various server roles such as Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), file and print services, directory services, and software distribution. This course may also be considered in combination with other exam preparation materials for candidates wishing to prepare for Microsoft Certified Technology Specialist (MCTS) and Microsoft Certified IT Professional (MCITP) certification in Windows Server 2008.

Student Prerequisites
This course requires that you meet the following prerequisites: At least one year experience in operating Windows Servers in the area of account management, server maintenance, server monitoring, or server security Certification related to the Microsoft Technology Associate (MTA) Networking Fundamentals, Security Fundamentals, and Windows Server Administration Fundamentals designations, or equivalent knowledge as outlined in course 6419B: Fundamentals of Windows Server 2008 A+, Server+, hardware portion of Network+, or equivalent knowledge Working knowledge of networking technologies Intermediate understanding of network operating systems Basic knowledge of Active Directory An understanding of security concepts and methodologies (for example, corporate policies) Basic knowledge of TCP/IP

Basic knowledge of scripting tools such as PowerShell and WMI

Course Objectives
After completing this course, students will be able to: Describe the Windows Server 2008 environment including the roles, features, and tools used to perform effective server management. Describe IPv6 addressing and how to install and configure the DNS and DHCP server infrastructure roles. Configure secure and efficient access to file services. Configure and manage a Distributed File System infrastructure.

ii

About This Course

MCT USE ONLY. STUDENT USE PROHIBITED

Use File Server Resource Manager to assist in data storage capacity management. Secure remote access by using features such as Virtual Private Networks, Network Access Protection (NAP), and DirectAccess. Describe Active Directory infrastructure and how to manage AD DS objects. Configure and manage AD DS object permissions, and configure trust between AD DS domains. Create and manage Group Policy Objects (GPOs). Understand the specific settings that can be managed by using Group Policy. Secure network clients by using Group Policy. Describe solutions that can be implemented to provide efficient remote office network access. Plan for and implement performance baselines and perform server monitoring by using monitoring tools.

Plan for and identify backup and restore strategies and identify steps needed to recover from server startup issues.

Course Outline
This section provides an outline of the course: Module 1, Overview of the Windows Server 2008 Management Environment In this module, you will gain familiarity with the components of the operating system and the concepts and terminology found within the Windows Server 2008 environment. Module 2, Managing Windows Server 2008 Infrastructure Roles In this module, students will learn the benefits and technologies associated with IPv6. You will learn the features and configuration options available to implement the DNS and DHCP server roles. Module 3, Configuring Access to File Services In this module, you will learn the concepts and terminology involved in file services, and also provide guidance in the practical management of a file services infrastructure within the Windows Server 2008 environment. Module 4, Configuring and Managing Distributed File System In this module, you will learn about the Distributed File System (DFS) solution that you can use to meet challenges by providing fault-tolerant access and WAN-friendly replication of files located throughout an enterprise. Module 5, Managing File Resources Using File Server Resource Manager In this module, you will learn about the various options available for installing Windows Server, and complete an installation. You will also launch a local media setup and then perform the post-installation configuration of a server. Module 6, Configuring and Securing Remote Access In this module, you will understand how to configure and secure your remote access clients by using network policies, and where appropriate, Network Access Protection (NAP). Module 7, Managing Active Directory Domain Services In this module, you will learn how to review key concepts and directory services structure. You will take a high-level look at the major components of AD DS and how they fit together. You will also receive hands-on experience working with these components and their associated tools. Module 8, Configuring Active Directory Object Administration and Domain Trust In this module, you will learn how to configure permissions and delegate administration for Active Directory objects. This module also describes how to configure and manage Active Directory trusts.

About This Course

iii

MCT USE ONLY. STUDENT USE PROHIBITED

Module 9, Creating and Managing Group Policy Objects In this module, you will understand how administrators deliver and maintain customized desktop configurations, ensure the security of a geographically and logistically dispersed collection of computers, and provide administration and management for an increasingly complex and growing computing environment. Module 10, Using Group Policy to Configure User and Computer Settings In this module, you will learn the skills and knowledge that you need to use Group Policy to configure Folder Redirection, and how to use scripts. Module 11, Implementing Security Settings Using Group Policy In this module, you will understand security-related components that can assist you in implementing security policies in your environment. Module 12, Providing Efficient Network Access for Remote Offices In this module, you will learn how to provide fast and secure logons at remote offices and place a read only domain controller (RODC) at the remote office. You will also learn how to use BranchCache to speed up access to data across the WAN and reduce WAN utilization. Module 13, Monitoring and Maintaining Windows Server 2008 In this module, you will learn how to identify components that require additional tuning, and improve the efficiency of your servers. Module 14, Managing Window Server 2008 Backup and Recovery In this module, you will learn necessary planning for backup and restore procedures, and startup issues, to ensure that you protect data and servers sufficiently against disasters.

iv

About This Course

MCT USE ONLY. STUDENT USE PROHIBITED

Course Materials
The following materials are included with your kit: Course Handbook A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience. Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience. Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module. Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention. Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when its needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook. Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers. Resources: Include well-categorized additional resources that give you immediate access to the most up-todate premium content on TechNet, MSDN, Microsoft Press Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations. Course evaluation At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor. To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.

About This Course

MCT USE ONLY. STUDENT USE PROHIBITED

Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Hyper-V deployed on Windows Server 2008 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps: 1. On the virtual machine, on the Action menu, click Close. 2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course: Virtual machine 6419B-NYC-DC1 6419B-NYC-DC2 6419B-NYC-SVR1 6419B-NYC-EDGE1 6419B-INET1 6419B-NYC-CL1 6419B-NYC-CL2 6419B-NYC-SVRCORE 6419B-VAN-DC1 Role Windows Server 2008 R2 domain controller in the Contoso.com domain Windows Server 2008 R2 domain controller in the Contoso.com domain Windows Server 2008 R2 member server in Contoso.com Windows Server 2008 R2 member server in Contoso.com Windows Server 2008 R2 standalone server A Windows 7 computer in the Contoso.com domain A Windows 7 computer in the Contoso.com domain Windows Server 2008 R2 standalone server with core installation Windows Server 2008 R2 domain controller in the Adatum.com domain

Software Configuration
The following software is installed on each VM: Windows Server 2008 R2 Enterprise

Windows 7

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way. All the virtual machines are deployed on each student computer.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware are taught.

vi

About This Course

MCT USE ONLY. STUDENT USE PROHIBITED

Intel Virtualization Technology (IntelVT) or AMD Virtualization (AMD-V) processor Dual 120 GB hard disks 7200 RM SATA or better* 4 GB RAM DVD drive Network adapter Super VGA (SVGA) 17-inch monitor Microsoft Mouse or compatible pointing device Sound card with amplified speakers *Striped

Lab: Managing Server Roles in a Windows Server 2008 Environment

L1-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 1: Overview of the Windows Server 2008 Management Environment

Lab: Managing Server Roles in a Windows Server 2008 Environment


Exercise 1: Determine Server Roles and Installation Types
Task 1: Review the supporting documentation.
1. Review the following email message received from Ed Meadows.

Task 2: Determine the server roles, server features, and installation types.
1. What server role(s) should be installed on NYC-SVR1? How should the server role(s) be configured? Answer: You should install the Print and Document Services server role on NYC-SVR1. Since only network printing from Windows 7-based clients is being performed, the Print Server is the only Role Service that should be installed. 2. What additional server features will be needed to fulfill the requirements specified by Ed? Answer: The Windows Server Backup Features will need to be enabled in order for the New York City administrators to perform backups of NYC-SVR1. 3. Are there any additional management considerations that need to be considered for the ongoing management of NYC-SVR1? Answer: Since the administrators in New York that will be responsible for managing the servers want to be able to perform management tasks from their desktop computers, the appropriate Remote Server Administration Tools will need to be installed on their computers to manage both the Print and Document Services Role as well as the Windows Backup feature.

L1-2

Lab: Managing Server Roles in a Windows Server 2008 Environment

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Install Windows Server 2008 Server Roles and Features


Task 1: Use Server Manager to install the Print and Document Services Server Role.
1. 2. 3. 4. 5. 6. 7. 8. On NYC-SVR1, click Start, click Administrative Tools and then click Server Manager. In the Server Manager window, click on the Roles node in the left hand pane. In the right-hand pane, click Add Roles. In the Add Roles Wizard window, click Next. On the Select Server Roles page, click the checkbox to select Print and Document Services and then click Next. On the Print and Document Services page, click Next. On the Select Role Services page, click Next. On the Confirm Installation Selections screen, click Install.

Note: The installation process will take a few moments to complete.

9.

On the Installation Results page, click Close.

Task 2: Use Server Manager to install the Windows Server Backup Features.
1. 2. 3. 4. In the Server Manager window, click the Features node in the left-hand pane. In the right-hand pane, click Add Features. On the Select Features page, scroll down, click the checkbox to select Windows Server Backup Features and then click Next. On the Confirm Installation Selections page, click Install.

Note: The installation process will take a few moments to complete.

5.

On the Installation Results page, click Close.

Results: In this exercise, you will have installed Windows Server 2008 Server Roles and Features.

Lab: Managing Server Roles in a Windows Server 2008 Environment

L1-3

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 3: Manage Windows Server 2008 Server Core


Task 1: Use Sconfig to configure Server Core installation options
1. 2. 3. Switch to the 6419B-NYC-SVRCORE virtual machine. Log on to NYC-SVRCORE as Administrator with the password Pa$$w0rd. In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.

Sconfig

4. 5. 6. 7. 8.

On the Server Configuration screen type 8 and press ENTER. At the Select Network Adapter prompt, type 0 and press ENTER. At the Select option prompt, type 1 and press ENTER. At the Select (D)HCP, (S)tatic IP prompt, type S and press ENTER. At the Enter Static IP Address prompt, type the following and press ENTER:

10.10.0.20

9.

At the Enter subnet mask prompt, type the following and press ENTER:

255.255.0.0

10. At the Enter default gateway prompt, type the following and press ENTER:
10.10.0.1

11. At the Select option prompt, type 2 and press ENTER. 12. At the Enter new preferred DNS server prompt, type the following and press ENTER:
10.10.0.10

13. In the Network settings window, click OK. 14. At the Enter alternate DNS server prompt, press ENTER. 15. At the Select option prompt, type 4 and press ENTER. 16. At Server Configuration screen, type 1 and press ENTER. 17. At the Join (D)omain or (W)orkgroup? prompt, type D and press ENTER. 18. At the Name of domain to join prompt, type the following and press ENTER:
Contoso.com

19. At the Specify an authorized domain\user prompt, type the following and press ENTER:
contoso\administrator

20. At the Type the password associated with the domain user prompt, type the following and press ENTER:
Pa$$w0rd

L1-4

Lab: Managing Server Roles in a Windows Server 2008 Environment

MCT USE ONLY. STUDENT USE PROHIBITED

21. In the Change computer name window, click Yes. 22. At the Enter new computer name prompt, type the following and press ENTER:
NYC-SVRCORE

23. At the Specify an authorized domain\user prompt, type the following and press ENTER:
contoso\administrator

24. At the Type the password associated with the domain user prompt, type the following and press ENTER:
Pa$$w0rd

25. In the Restart window, click Yes.

Note: Wait for NYC-SVRCORE to restart before proceeding to the next task.

Task 2: Use Dism to install the Windows Server Backup feature


1. 2. 3. Switch to the 6419B-NYC-SVRCORE virtual machine. Log on to NYC-SVRCORE as Administrator with the password Pa$$w0rd. In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.

dism /online /get-features /format:table

Note: This command will display the list of features available on this server along with the installation status of each feature. Check to ensure that WindowsServerBackup shows as Disabled. You will find it near the top of the list.

4.

In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.

dism /online /enable-feature /featurename:WindowsServerBackup

5.

In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.

dism /online /get-features /format:table

Note: Check to ensure that WindowsServerBackup shows as Enabled. You will find it near the top of the list.

Task 3: Use Sconfig to configure Server Core remote management


1. Switch to the 6419B-NYC-SVRCORE virtual machine.

Lab: Managing Server Roles in a Windows Server 2008 Environment

L1-5

MCT USE ONLY. STUDENT USE PROHIBITED

2. 3.

Log on to NYC-SVRCORE as Administrator with the password Pa$$w0rd. In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.

Sconfig

4. 5. 6.

On the Server Configuration screen type 4 and press ENTER. On the Configure Remote Management screen, type 3 and press ENTER. Click OK.

Note: Windows PowerShell must be enabled to allow Server Manager remote access.

7. 8. 9.

On the Configure Remote Management screen, type 2 and then press ENTER. In the Restart window, click Yes. The virtual machine restarts. Log on to NYC-SVRCORE as Administrator with the password Pa$$w0rd.

10. In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press ENTER.
Sconfig

11. On the Server Configuration screen type 4 and press ENTER. 12. On the Configure Remote Management screen, type 3 and press ENTER.

Note: This process will take a few moments to complete.

13. In the Enabled window, click OK. 14. On the Configure Remote Management screen, type 5 and then press ENTER. 15. On the Server Configuration screen, type 13 and then press ENTER.

Task 4: Use Server Manager to connect to Server Core


1. 2. 3. 4. 5. 6. 7. Switch to the 6419B-NYC-DC1 virtual machine. Log on to NYC-DC1 as Contoso\Administrator with the password Pa$$w0rd. Click Start, click Administrative Tools and then click Server Manager. In the Server Manager window, right-click Server Manager (NYC-DC1) in the left-hand pane and then click Connect to Another Computer. In the Connect to Another Computer window, type NYC-SVRCORE, and then click OK. In the Server Manager window, click on the Roles node in the left hand pane. View the Roles pane.

Note: You cannot add or remove Roles from Server Core installation using Server Manager.

L1-6

Lab: Managing Server Roles in a Windows Server 2008 Environment

MCT USE ONLY. STUDENT USE PROHIBITED

8. 9.

In the Server Manager window, click on the Features node in the left hand pane. View the Features pane.

Note: You cannot add or remove Features from Server Core installation using Server Manager.

10. In the Server Manager window, click on the Diagnostics node in the left hand pane. 11. View the Diagnostics pane and the available Diagnostics components. 12. In the Server Manager window, click on the Configuration node in the left hand pane. 13. View the Configuration pane and the available Configuration components. 14. In the Server Manager window, click on the Storage node in the left hand pane. 15. View the Storage pane and the available Storage components. 16. Close Server Manager.

Results: In this exercise, you will have configured Windows Server 2008 Server Core.

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-SVRCORE.

Lab A: Installing and Configuring DNS Server Role

L2-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 2: Managing Windows Server 2008 Infrastructure Roles

Lab A: Installing and Configuring DNS Server Role


Exercise 1: Installing and Configuring the DNS Server Role and Zones
Task 1: Install the DNS Server Role on NYC-SVR1
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the NYC-SVR1 virtual machine. On the task bar, click the Server Manager button. The Server Manager appears. In the left pane, click Roles. In the details pane, click Add Roles. The Add Roles Wizard appears, and then click Next. On the Select Server Roles page, select the DNS Server check box, and then click Next. On the DNS Server page, click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close. Close Server Manager.

Task 2: Allow Zone Transfers for Contoso.com


1. 2. 3. Switch to the NYC-DC1 virtual machine. Click Start, point to Administrative Tools, and then click DNS. The DNS Manager appears. In DNS Manager, expand NYC-DC1, expand Forward Lookup Zones, and then click Contoso.com. Contoso.com is the DNS zone that represents the Contoso.com Active Directory Domain Services domain. Right-click Contoso.com and then click Properties. In the Contoso.com Properties dialog box, click the Zone Transfers tab. On the Zone Transfers tab, select the Allow zone transfers check box. Under Allow zone transfers, click Only to the following servers, and then click Edit. Under IP address type, 10.10.0.11, press ENTER, and then click OK. Note that a red X will appear. This is expected for this example. On the Zone Transfers tab, click Notify.

4. 5. 6. 7. 8. 9.

10. In the Notify dialog box, ensure that Automatically notify is selected, under IP Address, type 10.10.0.11,press ENTER, and then click OK. 11. Click OK to close the Contoso.com Properties dialog box.

Task 3: Configure a Secondary Zone for Contoso.com


1. 2. Switch to the NYC-SVR1 virtual machine. Click Start, point to Administrative Tools, and then click DNS. The DNS Manager window appears.

L2-2

Lab A: Installing and Configuring DNS Server Role

MCT USE ONLY. STUDENT USE PROHIBITED

3. 4. 5. 6. 7. 8. 9.

In the DNS Manager, expand NYC-SVR1, and then click Forward Lookup Zones. Right-click Forward Lookup Zones, and then click New Zone. The New Zone Wizard appears. Click Next. On the Zone Type page, click Secondary zone, and then click Next. On the Zone Name page, under Zone name, type Contoso.com, and then click Next. On the Master DNS Servers page, under IP Address, type 10.10.0.10, press ENTER, and then click Next. On the Completing the New Zone Wizard page, click Finish. Under Forward Lookup Zones, click Contoso.com. Verify that all of the resource records are visible for the Contoso.com zone.

Task 4: Configure a Reverse Lookup Zone


1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the NYC-DC1 virtual machine. In DNS Manager, expand NYC-DC1, and then click Reverse Lookup Zones. Right-click Reverse Lookup Zones, and then click New Zone. The New Zone Wizard appears. Click Next. On the Zone Type page, click Primary zone. Ensure that the Store the zone in Active Directory check box is selected, and then click Next. On the Active Directory Zone Replication Scope page, click To all DNS servers running on domain controllers in this domain: Contoso.com, and then click Next. On the Reverse Lookup Zone Name page, click IPv4 Reverse Lookup Zone, and then click Next. On the Reverse Lookup Zone Name page, next to Network ID, type 10.10.0, and then click Next. On the Dynamic Update page, click Allow only secure dynamic updates, and then click Next. On the Completing the New Zone Wizard page, click Finish.

10. Under Forward Lookup Zones, click Contoso.com. 11. Right-click NYC-SVR1, and then click Properties. 12. On the Host (A) tab, select the Update associated pointer (PTR) record check box, and then click OK. Results: At the end of this exercise, you will have installed the DNS Server role and configured secondary and reverse lookup zones.

Lab A: Installing and Configuring DNS Server Role

L2-3

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring Resource Records, Aging, and Scavenging


Task 1: Add resource records for Contoso.com
1. 2. 3. 4. 5. On NYC-DC1, in DNS Manager, under Forward Lookup Zones, click Contoso.com. Right-click Contoso.com, and then click New Alias (CNAME). In the New Resource Record dialog box, under Alias name, type www. Under Fully qualified domain name (FQDN) for target host, type NYC-SVR1.Contoso.com. Click OK to close the New Resource Record dialog box.

Task 2: Configure Aging and Scavenging for Contoso.com


1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, in DNS Manager, right-click NYC-DC1, and then click Properties. In the NYC-DC1 Properties dialog box, click the Advanced tab. On the Advanced tab, select the Enable automatic scavenging of stale records check box. Next to Scavenging period, configure 10 days, and then click OK. Right-click Contoso.com and then click Properties. On the General tab, click the Aging button. On the Zone Aging/Scavenging Properties dialog box, click the Scavenge stale resource records check box. Leave the No-refresh interval and the Refresh interval at the default setting of 7 days, and then click OK. Click OK to close the Contoso.com Properties dialog box. Results: At the end of this exercise, you will have configured a resource record for Contoso.com and enabled Aging and Scavenging.

L2-4

Lab A: Installing and Configuring DNS Server Role

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 3: Verify DNS Settings


Task 1: Verify that the secondary zone is functional
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the NYC-SVR1 virtual machine. In DNS Manager, right-click Contoso.com, and then click Refresh. Verify that www is listed in the zone. www has been transferred successfully from the master DNS server. On the task bar, click Start, type Network, and then click View network connections. In the Network Connections window, right-click Local Area Connection, and then click Properties. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, next to Preferred DNS server, type 10.10.0.11, and then click OK. In the Local Area Connection Properties dialog box, click Close. Close the Network Connections window. Click Start, and then type cmd. Press ENTER.

10. In the command prompt window, type the following command and then press ENTER:
Ping www.contoso.com

11. Ensure that you receive four replies. The four replies verify that the secondary zone is resolving IP addresses as expected. 12. Close all open windows on NYC-SVR1.

Task 2: Verify records by using Nslookup and DNSlint


1. 2. 3. 4. Switch to the NYC-DC1 virtual machine. Click Start, type cmd, and then press ENTER. At the command prompt, type nslookup, and then press ENTER. At the command prompt, type the following commands each followed by ENTER:
Set querytype=SOA Contoso.com

5. 6. 7. 8. 9.

Take note of the SOA information for the NYC-DC1 DNS server. At the command prompt, type exit and then press ENTER. At the command prompt, type C:\ and then press ENTER. At the command prompt, type cd \Tools\dnslint, and then press ENTER. At the command prompt, type dnslint, and then press ENTER. Notice the command-line help associated with dnslint.

10. At the command prompt, type the following command followed by ENTER:
Dnslint /s 10.10.0.10 /d contoso.com

Lab A: Installing and Configuring DNS Server Role

L2-5

MCT USE ONLY. STUDENT USE PROHIBITED

11. Read through the report results, and then close the report window. 12. Close all open windows on NYC-DC1. Results: At the end of this exercise, you will have verified settings by using NSlookup and DNSLint.

Note: Do not shut down the virtual machines; you will need them for the next lab.

L2-6

Lab A: Installing and Configuring DNS Server Role

MCT USE ONLY. STUDENT USE PROHIBITED

Lab B: Installing and Configuring DHCP Server Role


Exercise 1: Installing and Authorizing DHCP Server Role
Task 1: Install the DHCP Server Role on NYC-DC1
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the NYC-DC1 virtual machine. On the task bar, click the Server Manager button. The Server Manager appears. In the left pane, click Roles. In the details pane, click Add Roles. The Add Roles Wizard opens. Click Next. On the Select Server Roles page, select the DHCP Server check box, and then click Next. On the DHCP Server page, click Next. On the Select Network Connection Bindings page, ensure that 10.10.0.10 is selected and then click Next. On the Specify IPv4 DNS Server Settings page, ensure that Parent domain is Contoso.com and Preferred DNS server IPv4 address is 10.10.0.10, and then click Next. On the Specify IPv4 WINS Server Settings page, click Next.

10. On the Add or Edit DHCP Scopes page, click Next. You will add DHCP scopes in the next exercise. 11. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server, and then click Next. 12. On the Authorize DHCP Server page, ensure that Use current credentials is selected, and then click Next. 13. On the Confirm Installation Selections page, click Install. 14. On the Installation Results page, click Close. 15. Close Server Manager.

Task 2: Verify DHCP Authorization


1. 2. 3. 4. Click Start, point to Administrative Tools, and then click DHCP. The DHCP console appears. In the DHCP console, right-click DHCP, and then click Manage authorized servers. Verify that nyc-dc1.contoso.com is in the authorized DHCP servers list. Click Close to close the Manage Authorized Servers dialog box. Results: At the end of this exercise, you will have installed the DHCP Server role and verified DHCP authorization.

Lab A: Installing and Configuring DNS Server Role

L2-7

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring DHCP Scopes, Options, and Reservations


Task 1: Configure a DHCP Scope
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, in the DHCP console, expand nyc-dc1.contoso.com, and then click IPv4. Right-click IPv4, and then click New Scope. The New Scope Wizard starts. Click Next. On the Scope Name page, in the Name box, type ContosoScope1, and then click Next. On the IP Address Range page, next to Start IP Address, type 10.10.0.50. On the IP Address Range page, next to End IP Address, type 10.10.0.100. Next to Length, type 16. Click Next. On the Add Exclusions and Delay page, click Next. On the Lease Duration page, under Days, type 5. Click Next. On the Configure DHCP Options page, click Yes, I want to configure these options now, and then click Next.

10. On the Router (Default Gateway) page, click Next. 11. On the Domain Name and DNS Servers page, accept the default settings, and then click Next. 12. On the WINS Servers page, click Next. 13. On the Activate Scope page, ensure that Yes, I want to activate this scope now is selected, and then click Next. 14. On the Completing the New Scope Wizard page, click Finish. 15. In the DHCP console, expand Scope [10.10.0.0] ContosoScope1. 16. Click Address Pool and verify that the start and end IP addresses are configured as expected.

Task 2: Configure Scope Options


1. 2. 3. 4. On NYC-DC1, in the DHCP console, under Scope [10.10.0.0] ContosoScope1, click Scope Options. Right-click Scope Options, and then click Configure Options. On the General tab, select the 003 Router check box. Under IP address, type 10.10.0.1, click Add, and then click OK.

Task 3: Configure a DHCP Reservation


1. 2. 3. 4. 5. 6. 7. Switch to the NYC-SVR1 virtual machine. Click Start, type cmd, and then press ENTER. At the command prompt, type ipconfig /all. In the results take note of the physical address and write it down below (for example: 00-15-5D-0171-71): On the task bar, click Start, type Network, and then click View network connections. In the Network Connections window, right-click Local Area Connection, and then click Properties. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

L2-8

Lab A: Installing and Configuring DNS Server Role

MCT USE ONLY. STUDENT USE PROHIBITED

8. 9.

In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain DNS server address automatically, and then Click OK.

10. In the Local Area Connection Properties dialog box, click Close. 11. Close the Network Connections window. 12. Switch to the NYC-DC1 virtual machine. 13. In the DHCP console, under Scope [10.10.0.0] ContosoScope1, click Reservations. 14. Right-click Reservations, and then click New Reservation. 15. In the New Reservation dialog box, configure the following, and then click Add: Reservation name: NYC-SVR1 IP address: 10.10.0.55 MAC Address: [Enter the value entered for step 4. For example:00-15-5D-01-71-71]

16. Click Close to close the New Reservation dialog box. 17. Switch to the NYC-SVR1 virtual machine. 18. At the command prompt, type ipconfig/release. 19. At the command prompt, type ipconfig/renew. 20. Verify that NYC-SVR1 receives an IP address of 10.10.0.55, with valid scope options. Results: At the end of this exercise, you will have configured a DHCP scope, scope options, and a DHCP reservation.

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-SVR1.

Lab: Managing Access to File Services

L3-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 3: Configuring Access to File Services

Lab: Managing Access to File Services


Exercise 1: Planning a Shared Folder Implementation (Discussion)
1. What folder structure should be created on NYC-SVR1 to support the requirements of this scenario? Answer: Two folders should be created at, E:\Labfiles\Mod03\Production and E:\Labfiles\Mod03\Research. Both folders should be shared. An additional folder, E:\Labfiles\Mod03\Production\Reports, should be created for Susanna Stubberods reports. 2. Which NTFS permissions should be assigned to the Production departments folder structure to fulfill the scenario requirements? Which permissions should be assigned to the shared folder?

Answer: NTFS permissions should be assigned as follows. The Production group should be assigned full control permissions for E:\Labfiles\Mod03\Production. Only Susanna Stubberod should be assigned Full Control for E:\Labfiles\Mod03\Production\Reports, and this folder should not inherit permissions from its parent. Shared folder permissions should be assigned as follows. The Production department should be assigned Change permissions on the folder. Full Control is not necessary because the Production department does not need to change permissions or take ownership of the shared folder. 3. Which NTFS permissions should be assigned to the Research departments folder structure to fulfill the scenario requirements? Which permissions should be assigned to the shared folder?

Answer: NTFS permissions should be assigned as follows. The Research department should be assigned full control permissions for E:\Labfiles\Mod03\Research. Shared folder permissions should be assigned as follows. The Research department should be assigned Read permissions on the folder, so they do not interfere with the application on the server. 4. How will you make the Research departments files available to Max Stevens when he is offsite with the NYC-CL1?

Answer: On NYC-CL1, map a network drive to \\NYC-SVR1\Research. Right-click the mapped drive, and click Always available offline. Result: In this exercise, you discussed and determined solutions for a shared folder implementation.

L3-2

Lab: Managing Access to File Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Implementing a Shared Folder Implementation


Task 1: Verify the File Services Role on NYC-SVR1
1. 2. 3. 4. 5. On NYC-SVR1, click Start, click Administrative Tools, and then click Server Manager. In the Server Manager window, click the Roles node, Verify that File Services is listed as an installed role. In the File Services section, verify that the File Server role service is installed. Close Server Manager.

Task 2: Create a shared folder structure by using Windows Explorer


1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, click Start, and then click Computer. In the Computer window, in the left pane, click Allfiles (E:). In the details, pane, browse to Labfiles\Mod03. On the toolbar, click New folder. Type Production and press Enter. Right-click Production, and then click Properties. In the Production Properties window, click the Security tab. In the Group or user names section, click Edit. In the Permissions for Production window, click Add.

10. In the Select Users, Computers, Service Accounts, or Groups windows, type Production, click Check Names, and then click OK. 11. In the Permissions for Production window, select the Allow check box next to the Full control option, and then click OK. 12. In the Production Properties window, click the Sharing tab, and then click Advanced Sharing. 13. In the Advanced Sharing window, click the check box next to Share this folder and then click the Permissions button. 14. In the Permissions for Production window, click Everyone, click Remove, and then click Add. 15. In the Select Users, Computers, Service Accounts, or Groups window, type Production, click Check Names, and then click OK. 16. In the Permissions for Production window, click the Allow check box next to the Change option and then click OK. 17. In the Advanced Sharing window, click OK. 18. In the Production Properties window, click Close. 19. Double-click the Production folder, right-click the empty pane, click New, click Text Document and then press ENTER. 20. On the toolbar menu, click New folder. 21. Type Reports and press Enter. 22. Double-click the Reports folder, right-click the empty pane, click New, and then click Text Document. 23. Rename the New Text Document file to Report1.txt.

Lab: Managing Access to File Services

L3-3

MCT USE ONLY. STUDENT USE PROHIBITED

24. Click the Back button to go back to the Production folder. 25. Right-click the Reports folder and the click Properties. 26. Click the Security tab, and then click the Advanced button. 27. On the Advanced Security Settings for Reports dialog box, click Change Permissions. 28. Remove the check mark next to Include inheritable permissions from this objects parent. 29. In the Windows Security dialog box, click Remove. 30. On the Advanced Security Settings for Reports dialog box, click Add. 31. In the Select Users, Computers, Service Accounts, or Groups windows, type Susanna, click Check Names, and then click OK. 32. In the Permission Entry for Reports window, click the Allow check box next to the Full control option and then click OK 33. On the Advanced Security Settings for Reports dialog box, click OK. Click OK again to close the Advanced Security Settings for Reports dialog box. 34. On the Reports Properties dialog box, click OK. 35. Close the Production window.

Task 3: Create shared folders by using the Share and Storage Management Console
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, click Start, click Administrative Tools, and then click Share and Storage Management. In the Share and Storage Management console, click Provision Share in the right pane. In the Shared Folder Location page, click Browse. In the Browse for Folder window, expand e$, expand Labfiles, click Mod03, and then click Make New Folder. Type Research, press ENTER, and then click OK. In the Shared Folder Location page, click Next. In the NTFS permissions page, select the Yes, change NTFS permissions option, and then click Edit Permissions. In the Permissions for Research window, click Add. In the Select Users, Computers, Service Accounts, or Groups window, type Research, click Check Names, and then click OK.

10. In the Permissions for Research page, remove the Allow check mark next to Read & Execute and List Folder Contents (Allow Read should be the only permission selected) and then click OK. 11. In the NTFS Permissions page, click Next. 12. In the Share Protocols page, click Next. 13. In the SMB Settings page, click Next. 14. In the SMB permissions page, select the Users and groups have custom share permissions option, and then click the Permissions button. 15. In the Permissions for Research window, click Everyone, click Remove, and then click Add. 16. In the Select Users, Computers, Service Accounts, or Groups window, type Research, click the Check Names button, and then click OK.

L3-4

Lab: Managing Access to File Services

MCT USE ONLY. STUDENT USE PROHIBITED

17. In the Permissions for Research window, ensure that Allow is selected for Read, and then click OK. 18. In the SMB Permissions page, click Next. 19. In the DFS Namespace Publishing page, click Next. 20. In the Review Settings and Create Share page, click Create. 21. In the Confirmation page, click Close.

Task 4: Configure Offline files


1. 2. 3. 4. 5. 6. Log on to NYC-CL1 as Contoso\Max with password Pa$$w0rd. Click Start, and then click Computer. In the Windows Explorer window, on the toolbar, click Map network drive . In the Map Network Drive window, click the Drive: drop-down box and select R, in the Folder box, type \\NYC-SVR1\Research, and then click Finish. In the Windows Explore window, expand Computer, right-click Research (\\NYC-SVR1)(R:), and then click Always available offline. Close all open windows on NYC-CL1.

Results: In this exercise, you implemented a shared folder structure.

Lab: Managing Access to File Services

L3-5

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 3: Evaluating the Shared Folder Implementation


Task 1: Test Research Folder Permissions
1. 2. 3. 4. On NYC-CL1, click Start and then click Computer. Double-click Research (\\NYC-SVR1)(R:). In the details pane, right-click the empty space, point to New, and then click Text Document. An access-denied message appears. Click Cancel. Close Windows Explorer and log off of NYC-CL1.

Task 2: Test Production Shared Folder Permissions


1. 2. 3. 4. 5. 6. 7. 8. 9. Log on to NYC-CL1 as Contoso\Scott with password Pa$$w0rd. Click Start and then in the Search programs and files box, type \\NYC-SVR1\Production and then press ENTER. In the Windows Explorer window, double-click New Text Document to open the file in Notepad. In the New Text Document Notepad window, type Testing file permissions, and then save the file. Close Notepad. Double-click the Reports folder. An access-denied message appears. Click Close. Log off of NYC-CL1. Log on to NYC-CL1 as Contoso\Susanna with password Pa$$w0rd. Click Start and then in the Search programs and files box, type \\NYC-SVR1\Production and then press ENTER.

10. Double-click Reports. 11. Double-click Report1 and ensure that you can open and save the file. 12. Close Notepad and then log off of NYC-CL1. Results: In this exercise, you evaluated a shared folder implementation.

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1.

L3-6

Lab: Managing Access to File Services

MCT USE ONLY. STUDENT USE PROHIBITED

Lab: Installing and Configuring the Distributed File System Role Service

L4-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 4: Configuring and Managing Distributed File System

Lab: Installing and Configuring the Distributed File System Role Service
Exercise 1: Installing the Distributed File System Role Service
Task 1: Install the Distributed File System Role Service on NYC-SVR1.
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the NYC-SVR1 virtual machine. On the task bar, click the Server Manager button. The Server Manager opens. In the console pane, click Roles. In the details pane, click Add Role Services. The Add Role Services wizard opens. On the Select Role Services page, select the check box next to Distributed File System. Ensure that the File Server, DFS Namespaces, and DFS Replication options are also selected. Click Next. On the Create a DFS Namespace page, select Create a namespace later using the DFS Management snap-in in Server Manager, and then click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close. Close Server Manager.

Task 2: Install the Distributed File System Role Service on NYC-DC1.


1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the NYC-DC1 virtual machine. On the task bar, click the Server Manager button. The Server Manager opens. In the console pane, click Roles. In the details pane, under File Services, click Add Role Services. The Add Role Services wizard opens. On the Select Role Services page, select the check box next to Distributed File System. Ensure that the File Server, DFS Namespaces, and DFS Replication options are also selected. Click Next. On the Create a DFS Namespace page, select Create a namespace later using the DFS Management snap-in in Server Manager, and then click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close. Close Server Manager.

Results: After completing this exercise, you will have installed the DFS role service on NYC-SVR1 and NYC-DC1.

L4-2

Lab: Installing and Configuring the Distributed File System Role Service

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Creating a DFS Namespace


Task 1: Use the New Namespace Wizard to create the CorpDocs namespace.
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, click Start, point to Administrative Tools, and then click DFS Management. The DFS Management console opens. In the console pane, click Namespaces. Right-click Namespaces, and then click New Namespace. The New Namespace Wizard starts. On the Namespace Server page, under Server, type NYC-SVR1, and then click Next. On the Namespace Name and Settings page, under Name, type CorpDocs, and then click Next. On the Namespace Type page, ensure that Domain-based namespace is selected. Take note that the namespace will be accessed by \\Contoso.com\CorpDocs. Ensure that the check box next to Enable Windows Server 2008 mode is selected and then click Next. On the Review Settings and Create Namespace page, click Create. On the Confirmation page, ensure that the Create namespace task is successful, and then click Close.

10. In the console pane, under Namespaces, click \\Contoso.com\CorpDocs. 11. In the details pane, click the Namespace Servers tab and ensure that there is one entry that is enabled for \\NYC-SVR1\CorpDocs.

Task 2: Enable access-based enumeration for the CorpDocs namespace.


1. 2. 3. In the console pane, under Namespaces, right-click \\Contoso.com\CorpDocs, and then click Properties. In the \\Contoso.com\CorpDocs Properties dialog box, click the Advanced tab. On the Advanced tab, select the check box next to Enable access-based enumeration for this namespace, and then click OK. Results: After completing this exercise, you will have created the CorpDocs namespace and configured it to use access-based enumeration.

Lab: Installing and Configuring the Distributed File System Role Service

L4-3

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 3: Configuring Folder Targets


Task 1: Add the MarketingTemplates folder to the CorpDocs namespace.
1. 2. 3. 4. 5. 6. Switch to the NYC-SVR1 virtual machine. In DFS Management, right-click \\Contoso.com\CorpDocs, and then click New Folder. The New Folder dialog box opens. In the New Folder dialog box, under Name, type MarketingTemplates. In the New Folder dialog box, click Add. The Add Folder Target dialog box opens. In the Add Folder Target dialog box, type \\NYC-DC1\MarketingTemplates, and then click OK. Click OK again to close the New Folder dialog box.

Task 2: Add the PolicyFiles folder to the CorpDocs namespace.


1. 2. 3. 4. 5. In DFS Management, right-click \\Contoso.com\CorpDocs, and then click New Folder. The New Folder dialog box opens. In the New Folder dialog box, under Name, type PolicyFiles. In the New Folder dialog box, click Add. The Add Folder Target dialog box opens. In the Add Folder Target dialog box, type \\NYC-SVR1\PolicyFiles, and then click OK. Click OK again to close the New Folder dialog box.

Task 3: Verify the CorpDocs namespace.


1. 2. 3. On NYC-SVR1, click Start, and then, in the Search programs and files box, type \\Contoso.com\Corpdocs. Press ENTER. In the corpdocs window, verify that both MarketingTemplates and PolicyFiles are visible. Close the corpdocs window. Results: After completing this exercise, you will have configured Folder Targets for the CorpDocs namespace.

L4-4

Lab: Installing and Configuring the Distributed File System Role Service

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 4: Configuring DFS Folder Replication


Task 1: Create another Folder Target for PolicyFiles.
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the NYC-SVR1 virtual machine. In DFS Management, expand \\Contoso.com\CorpDocs, and then click PolicyFiles. In the details pane, notice that there is currently only one folder target. Right-click PolicyFiles, and then click Add Folder Target. In the New Folder Target dialog box, under Path to folder target, type \\NYC-DC1\PolicyFiles, and then click OK. In the Warning dialog box, click Yes to create the shared folder on NYC-DC1. In the Create Share dialog box, under Local path of shared folder, type C:\PolicyFiles. In the Create Share dialog box, under Shared folder permissions, select Administrators have full access; other users have read and write permissions, and then click OK. In the Warning dialog box, click Yes to create the folder on NYC-DC1. In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.

Task 2: Configure DFS Replication.


1. 2. 3. 4. 5. 6. 7. 8. 9. In DFS Management, in the Replicate Folder Wizard, on the Replication Group and Replicated Folder Name page, accept the default settings, and then click Next. On the Replication Eligibility page, click Next. On the Primary Member page, select NYC-SVR1, and then click Next. On the Topology Selection page, select Full mesh, and then click Next. On the Replication Group Schedule and Bandwidth page, ensure that Replicate continuously using the specified bandwidth is selected, and then click Next. On the Review Settings and Create Replication Group page, click Create. On the Confirmation page, verify that all tasks are successful, and then click Close. At the Replication Delay message, click OK. In the DFS Management console, expand Replication, and then click contoso.com\corpdocs\policyfiles.

10. In the details pane, on the Memberships tab, verify that the replicated folder is shown on both NYCDC1 and NYC-SVR1. 11. On the Memberships tab, right-click NYC-DC1, and then click Make read-only. This setting will automatically configure the replicated copy to be read-only.

Task 3: View Diagnostic Reports.


1. 2. 3. On NYC-SVR1, in the DFS Management console, right-click contoso.com\corpdocs\policyfiles, and then click Create Diagnostic Report. The Diagnostic Report Wizard starts. On the Type of Diagnostic Report of Test page, click Health report, and then click Next. On the Path and Name page, accept the default settings, and then click Next

Lab: Installing and Configuring the Distributed File System Role Service

L4-5

MCT USE ONLY. STUDENT USE PROHIBITED

4. 5. 6. 7.

On the Members to Include page, ensure that both NYC-DC1 and NYC-SVR1 are included members, and then click Next. On the Options page, next to Reference Member, select NYC-SVR1, and then click Next. On the Review Settings and Create Report page, click Create. Review the DFS Replication Health Report for errors. Results: After completing this exercise, you will have configured DFS Folder Replication and produced a diagnostic report.

To prepare for the next module.


When you complete the lab exercises, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-SVR1.

L4-6

Lab: Installing and Configuring the Distributed File System Role Service

MCT USE ONLY. STUDENT USE PROHIBITED

Lab A: Installing FSRM and Implementing Quota Management

L5-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 5: Managing File Resources Using File Server Resource Manager

Lab A: Installing FSRM and Implementing Quota Management


Exercise 1: Installing the FSRM Role Service
Task 1: Install the FSRM role service.
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, click Start, click Administrative Tools, and then click Server Manager. In the Server Manager window, click Roles. In the details pane, under Role Services, click Add Role Services. In the Select Role Services page, click the File Server Resource Manager check box, and then click Next. In the Configure Storage Usage Monitoring page, click to select the checkbox next to Allfiles (E:) and then click Next. In the Set Report Options page, click Next. In the Confirm Installation Selections page, click Install. After the installation is completed, click Close. Close the Server Manager window.

Results: In this exercise, you installed the FSRM role service.

L5-2

Lab A: Installing FSRM and Implementing Quota Management

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring Storage Quotas


Task 1: Create a quota template.
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, click Start, point to Administrative tools, and then click File Server Resource Manager. In the File Server Resource Manager console pane, expand Quota Management, and then click Quota Templates. Right-click Quota Templates, and then click Create Quota Template. In the Create Quota Template dialog box, in the Template name field, type 100 MB Limit Log to Event Viewer. Under Notification thresholds, click Add. In the Add Threshold dialog box, click the Event log tab. Select the Send warning to event log check box, and then click OK. In the Create Quota Template dialog box, click Add. In the Add Threshold dialog box, in the Generate notification when the usage reaches (%) field, type 100.

10. Click the Event Log tab, and then select the Send warning to event log check box. 11. Click OK twice.

Task 2: Configure a quota based on the quota template.


1. 2. 3. 4. 5. 6. 7. 8. 9. In the File Server Resource Manager console pane, click Quotas. Right-click Quotas, and then click Create Quota. On the Create Quota dialog box, in the Quota path field, type E:\Labfiles\Mod05\Users. Click Auto apply template and create quotas on existing and new subfolders. In the Derive properties from this quota template (recommended) list, click 100MB Limit Log to Event Viewer, and then click Create. In the details pane, verify that the E:\Labfiles\Mod05\Users\* path has been configured with its own quota entry. You may have to refresh the Quotas folder to view the changes. Right-click Start, and then click Open Windows Explorer. In Windows Explorer, browse to E:\Labfiles\Mod05\Users. Create a new folder named Max.

10. In File Server Resource Manager, on the Action menu, click Refresh. 11. In the details pane, notice that the newly created folder appears in the list.

Task 3: Test that the quota is functional.


1. 2. 3. 4. 5. Click Start, click All Programs, click Accessories, and then click Command Prompt. Type E:, and then press Enter. Type cd \Labfiles\Mod05\Users\Max, and then press Enter. Type fsutil file createnew file1.txt 89400000, and then press Enter. This creates a file that is over 85 MB, which will generate a warning in Event Viewer. Click Start, point to Administrative Tools, and then click Event Viewer.

Lab A: Installing FSRM and Implementing Quota Management

L5-3

MCT USE ONLY. STUDENT USE PROHIBITED

6. 7. 8. 9.

In the Event Viewer console pane, expand Windows Logs, and then click Application. In the details pane, note the event with Event ID of 12325. In the Command Prompt window, type fsutil file createnew file2.txt 16400000, and then press Enter. Notice that the file cannot be created because it would surpass the quota limit. Type exit, and then press Enter.

10. Close all open windows on NYC-SVR1. Results: In this exercise, you configured a storage quota.

L5-4

Lab A: Installing FSRM and Implementing Quota Management

MCT USE ONLY. STUDENT USE PROHIBITED

Lab B: Configuring File Screening and Storage Reports


Exercise 1: Configuring File Screening
Task 1: Create a file group.
1. 2. 3. 4. On NYC-SVR1, click Start, click Administrative Tools, and then click File Server Resource Manager. Right-click File Server Resource Manager (Local) and then click Configure Options. On the File Server Resource Manager Options dialog box, click the File Screen Audit tab. Select the check box next to Record file screening activity in auditing database. Click OK. Note: This step is to allow recording of File Screen events that supply data for the a File Screen Audit report to be run in Exercise 2 5. 6. 7. 8. 9. In the File Server Resource Manager console tree, expand File Screening Management and then click File Groups. Right-click File Groups, and then click Create File Group. In the Create File Group Properties window, enter MPx Media Files into the File group name box. In the Files to include box, type *.mp*, and then click Add. In the Files to exclude box, type *.mpp, and then click Add.

10. Click OK.

Task 2: Create a file screen template.


1. 2. 3. 4. 5. 6. 7. In the File Server Resource Manager console tree, click File Screen Templates. Right-click File Screen Templates, and then click Create File Screen Template. In the Create File Screen Template window, in the Template name box, type Block MPx Media files. Under Screening type, ensure that Active screening. Do not allow users to save unauthorized files is selected. In the File groups section, click to select the checkbox next to the MPx Media Files file group. Click the Event Log Tab. Click the check box next to Send warning to event log. Click OK.

Task 3 Create a file screen.


1. 2. 3. 4. In the File Server Resource Manager console tree, select and then right-click File Screens, and then click Create File Screen. In the Create File Screen window, in the File screen path box, type E:\Labfiles\Mod05\Users. In the Create File Screen window, click the Derive properties from this file screen template (recommended) drop-down box, and click Block MPx Media Files. Click Create.

Lab A: Installing FSRM and Implementing Quota Management

L5-5

MCT USE ONLY. STUDENT USE PROHIBITED

5.

Close File Server Resource Manager.

Task 4 Test the file screen.


1. 2. 3. 4. 5. 6. Click Start, and then click Computer. In the left pane, click Allfiles (E:) In the right pane, right-click and point to New, and then click Text Document. Rename New Text Document.txt to musicfile.mp3. Click Yes to change the file name extension. Right-click musicfile.mp3, and then click Copy. In the left pane, expand Allfiles (E:), expand Labfiles, expand Mod05, right-click Users, and then click Paste. You will be notified that the system was unable to copy the file to E:\Labfiles\Mod05\Users.

Results: After this exercise, you should have configured file screening by creating a file group, a file screen template, and a file screen.

L5-6

Lab A: Installing FSRM and Implementing Quota Management

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Generating Storage Reports


Task 1: Generate an On-Demand Storage Report.
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, click Start, click Administrative Tools, and then click File Server Resource Manager. In the File Server Resource Manager console pane, click Storage Reports Management. Right-click Storage Reports Management, and then click Generate Reports Now. In the Storage Reports Task Properties dialog box, click Add. In the Browse For Folder dialog box, browse to E:\Labfiles\Mod05\Users, and then click OK. Under Select reports to generate, select the File Screening Audit check box, and then click OK. In the Generate Storage Reports dialog box, verify that Wait for reports to be generated and then display them is selected, and then click OK. In the Windows Internet Explorer window, review the generated reports. Close all open windows on NYC-SVR1.

Results: In this exercise, you generated a storage report.

Lab A: Installing FSRM and Implementing Quota Management

L5-7

MCT USE ONLY. STUDENT USE PROHIBITED

Lab C: Configuring Classification and File Management Tasks


Exercise 1: Configuring Classification Management
Task 1: Create a classification property.
1. 2. 3. 4. 5. 6. On NYC-SVR1, click Start, click Administrative Tools, and then click File Server Resource Manager. Expand the Classification Management node, and then click Classification Properties. Right-click Classification Properties, and then click Create Property. In the Create Classification Property Definition window, in the Property name box, type Confidential and in the Description field, type Assigns a confidentiality value of Yes or No. Under Property type, click the drop-down box and select Yes/No. Click OK.

Task 2: Apply classification properties by using classification rules.


1. 2. 3. 4. 5. 6. 7. 8. 9. Click the Classification Rules node. Right-click the Classification Rules node, and then click Create a New Rule. In the Rule name box, type Confidential Payroll Documents. In the Description box, type Classify documents containing the word payroll as confidential. In the Scope section, click the Add button. In the Browse For Folder window, expand Allfiles (E:), then expand Labfiles, then expand Mod05, click Data, and then click OK. In the Classification Rule Definitions window, click the Classification tab. In the Classification mechanism area, click the drop-down box and select Content Classifier. In the Property name section, select Confidential (Assigns a confidentiality value of Yes or No) for Property Name, in the Property value section, select Yes for Property value, and then click Advanced.

10. In the Additional Rule Parameters window, click the Additional Classification Parameters tab. 11. On the Additional Classification Parameters tab, double-click in the blank cell below the Name column and type String. 12. Double-click in the Value column and type payroll. 13. Click OK. 14. In the Classification Rule Definitions window, click OK. 15. Right-click the Classification Rules node, and then click Run Classification With All Rules Now. 16. In the Run Classification window, select the Wait for classification to complete execution option, and then click OK.

L5-8

Lab A: Installing FSRM and Implementing Quota Management

MCT USE ONLY. STUDENT USE PROHIBITED

17. View the report and ensure that January.txt in listed on the report. 18. Browse to the E:\Labfiles\Mod05\Data folder and view the contents of January.txt. 19. Close all open windows on NYC-SVR1. Results: In this exercise, you configured Classification Management.

Lab A: Installing FSRM and Implementing Quota Management

L5-9

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Implementing File Management Tasks


Task 1: Configure file management tasks based on classification properties.
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, click Start, click Administrative Tools, and then click File Server Resource Manager. Select and then right-click the File Management Tasks node, and then click Create File Management Task. In the Task name box, type Move Confidential Files In the Description box, type Move confidential documents to another folder. In the Scope section, click the Add button. Expand Allfiles (E:), expand Labfiles, expand Mod05, click Data, and then click OK. In the Create File Management Task window, click the Action tab. On the Action tab, for Type, select File expiration. In the Expiration directory field type E:\Labfiles\Mod05\Confidential.

10. In the Create File Management Task window, click the Condition tab. 11. On the Condition tab, under the Property conditions section, click the Add button. 12. In the Property Condition window, click the Property drop-down box, select Confidential, click the Operator drop-down box, select Equal, click the Value drop-down box , and then select Yes. 13. Click OK. 14. In the Create File Management Task window, click the Schedule tab. 15. On the Schedule tab, click the Create button. 16. In the Schedule window, click the New button, and then click OK. 17. In the Create File Management Task window, click OK. 18. Right-click the Move Confidential Files task, and then click Run File Management Task Now. 19. In the Run File Management Task window, select the Wait for task to complete execution option, and then click OK. 20. View the generated report, ensuring that January.txt is on the list. 21. Open the E:\Labfiles\Mod05\Confidential folder and view the contents. The relocated folder structure for January.txt is now located in this folder. Results: In this exercise, you implemented File Management Tasks.

To prepare for the next module.


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-SVR1.

L5-10

Lab A: Installing FSRM and Implementing Quota Management

MCT USE ONLY. STUDENT USE PROHIBITED

Lab A: Implementing a Virtual Private Network

L6-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 6: Configuring and Securing Remote Access

Lab A: Implementing a Virtual Private Network


Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
Task 1: Install the Network Policy and Access Services role on 6419B-NYC-EDGE1
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-EDGE1, click Start, and then click Administrative Tools. From the Administrative Tools menu, click Server Manager. The Server Manager opens. In the Server Manager (NYC-EDGE1) list pane, right-click Roles, and then click Add Roles. The Add Roles Wizard appears. Click Next. On the Select Server Roles page, select Network Policy and Access Services, and then click Next. On the Network Policy and Access Services introduction page, click Next. On the Select Role Services page, select the Network Policy Server and Routing and Remote Access Services check boxes, and then click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, verify Installation succeeded appears in the details pane, and then click Close. Close the Server Manager. The Network Policy and Routing and Remote Access Services roles are installed on 6419B-NYC-EDGE1.

Task 2: Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for
Remote Access clients
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-EDGE1, click Start, and then click Administrative Tools. From the Administrative Tools menu, click Routing and Remote Access. The Routing and Remote Access administrative tool appears. In the list pane, select and right-click NYC-EDGE1 (Local), and then click Configure and Enable Routing and Remote Access. On the wizard Welcome page, click Next. On the Configuration page, leave the default Remote Access (dial-up or VPN) selected, and click Next. On the Remote Access page, select the VPN check box, and click Next. On the VPN Connection page, select the Public, and then click Next. On the IP Address Assignment page, select From a specified range of addresses, and then click Next. On the Address Range Assignment page, click New, and in the Start IP address box, type the following value 10.10.0.60. In the Number of addresses box, type the value of 75, and click OK. Click Next.

10. On the Managing Multiple Remote Access Servers page, leave the default selection No, use Routing and Remote Access to authenticate connection requests, and click Next. Click Finish. 11. In the Routing and Remote Access dialog box, click OK.

L6-2

Lab A: Implementing a Virtual Private Network

MCT USE ONLY. STUDENT USE PROHIBITED

12. In the Routing and Remote Access dialog box regarding the DHCP Relay agent, click OK. The Routing and Remote Access service starts.

Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25
L2TP connections
1. 2. 3. 4. 5. In the Routing and Remote Access management tool interface, expand NYC-EDGE1, right-click Ports, and then click Properties. In the Ports Properties dialog box, double-click WAN Miniport (SSTP). In the Configure Device WAN Miniport (SSTP) dialog box, assign a value of 25 in the Maximum ports box, and then click OK. In the Routing and Remote Access dialog box, click Yes to continue. In the Ports Properties dialog box, double-click WAN Miniport (PPTP), and in the Configure Device WAN Miniport (PPTP) dialog box, assign a value of 25 in the Maximum ports box, and then click OK. In the Routing and Remote Access dialog box, click Yes to continue. Repeat this procedure, with the same value (25), for WAN Miniport (L2TP). In the Ports Properties dialog box, click OK. Close the Routing and Remote Access administrative tool.

6. 7. 8. 9.

Results: In this exercise, you enabled routing and remote access on the NYC-EDGE1 server.

Lab A: Implementing a Virtual Private Network

L6-3

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring a Custom Network Policy


Task 1: Open the Network Policy Server management tool on 6419B-NYC-EDGE1
1. 2. On NYC-EDGE1, click Start, and then click Administrative Tools. On the Administrative Tools menu, click Network Policy Server. The Network Policy Server administrative tool appears.

Task 2: Create a new network policy for RRAS clients


1. 2. In the list pane, expand Policies, right-click Network Policies, and then click New. On the New Network Policy Specify Network Policy Name and Connection Type page, type Secure VPN in the Policy name text box, and in the Type of network access server drop-down list, click Remote Access Server (VPN-Dial up), and then click Next. On the Specify Conditions page, click Add. In the Select Condition dialog box, scroll down and double-click Tunnel Type. In the Tunnel Type dialog box, select L2TP, PPTP, and SSTP, click OK, and then click Next. On the Specify Access Permission page, leave the default of Access granted, and click Next. On the Configure Authentication Methods page, deselect the Microsoft Encrypted Authentication (MS-CHAP) check box, and then click Next. On the Configure Constraints page, under Constraints, select Day and time restrictions, and in the details pane, select Allow access only on these days and at these times, and click Edit. Change the Time of day constraints to Denied access from 11PM to 6AMMonday thru Friday, click OK, and then click Next. In the Configure Settings dialog box, under Settings, click Encryption, and in the details pane, deselect all settings except Strongest encryption (MPPE 128-bit), click Next, and then click Finish. In the list pane of the Network Policy Server tool, click the Network Policies node. If necessary, right-click the Secure VPN policy, and then click Move Up. Repeat this step to make the policy the first in the list.

3.

4. 5. 6.

7. 8. 9.

10. Close the Network Policy Server tool.

Task 3: Create and Test a VPN Connection


1. 2. 3. 4. 5. 6. 7. Switch to the NYC-CL1 computer. Click Start, and then click Control Panel. In the Control Panel window, under Network and Internet, click View network status and tasks. In the Network and Sharing Center window, click Change adapter settings. Right-click Local Area Connection 3, and then click Properties. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. Configure the following IP address settings, and then click OK: 8. IP Address: 131.107.0.20 Subnet mask: 255.255.255.0 Default gateway: 131.107.0.1

Click Close, and then click the Back button to return to the Network and Sharing Center.

L6-4

Lab A: Implementing a Virtual Private Network

MCT USE ONLY. STUDENT USE PROHIBITED

9.

In the Network and Sharing Center window, under Change your networking settings, click Set up a new connection or network. In the Choose a connection option dialog box, click Connect to a workplace, and then click Next.

10. In the Connect to a workplace dialog box, select the Use my Internet connection (VPN) option. When prompted, click Ill set up an Internet connection later. 11. In the Type the Internet address to connect to dialog box, specify an Internet address of 131.107.0.2 and a Destination Name of Contoso VPN, and then click Next. 12. On the Type your user name and password page, leave the user name and password blank, and then click Create. 13. Click Close in the Connect to a Workplace dialog box. 14. In the Network and Sharing Center window, click Change adapter settings. 15. On the Network Connections page, right-click Contoso VPN, and then click Connect. 16. Use the following information in the Connect Contoso VPN text boxes, and then click Connect: User name: Administrator Password: Pa$$w0rd Domain: Contoso

The VPN connects successfully. 17. Right-click Contoso VPN, and click Disconnect. The VPN disconnects. 18. Close all open windows on NYC-CL1.

To prepare for the next lab


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-EDGE1and 6419B-NYC-CL1.

Results: In this exercise, you created and tested a VPN connection.

Lab A: Implementing a Virtual Private Network

L6-5

MCT USE ONLY. STUDENT USE PROHIBITED

Lab B: Implementing NAP into a VPN Remote Access Solution


Exercise 1: Configuring NAP Components
Task 1: Configure a Computer Certificate
1. 2. 3. 4. 5. 6. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority. In the certsrv management console, expand ContosoCA, right-click Certificate Templates, and then click Manage. In the Certificate Templates Console details pane, right-click Computer, and then click Properties. In the Computer Properties dialog box, click Security, and then select Authenticated Users. In the permissions for Authenticated Users, select the Allow check box for the Enroll permission, and then click OK. Close the Certificate Templates console, and then close the certsrv management console.

Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server


1. 2. Switch to the NYC-EDGE1computer. Obtain a computer certificate and install it on NYC-EDGE1for server-side PEAP authentication: a. b. c. d. e. f. g. h. i. j. k. 3. Click Start, click Run, type mmc, and then press ENTER. On the File menu, click Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish. Click OK to close the Add or Remove Snap-ins dialog box. In the console tree, expand Certificates (Local Computer), right-click Personal, point to All Tasks, and then click Request New Certificate. The Certificate Enrollment dialog box opens. Click Next. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and then click Next. Select the Computer check box, and then click Enroll. Verify the status of certificate installation as Succeeded, and then click Finish. Close the Console1 window. Click No when prompted to save console settings.

Install the NPS Server role: a. b. c. d. e. On NYC-EDGE1, click Start, click Administrative Tools, and then click Server Manager. Click Roles, under Roles Summary, click Add Roles, and then click Next. Select the Network Policy and Access Services check box, and then click Next twice. Select the Network Policy Server and Remote Access Service check boxes, click Next, and then click Install. Verify the installation was successful, and then click Close.

L6-6

Lab A: Implementing a Virtual Private Network

MCT USE ONLY. STUDENT USE PROHIBITED

f. 4.

Close the Server Manager window.

Configure NPS as a NAP health policy server: a. b. c. d. e. Click Start, point to Administrative Tools, and then click Network Policy Server. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings. In the right pane under Name, double-click Default Configuration. On the Windows 7/Windows Vista selection, clear all check boxes, except A firewall is enabled for all network connections. Click OK to close the Windows Security Health Validator dialog box.

5.

Configure health policies: a. b. c. d. e. f. g. h. i. j. k. Expand Policies. Right-click Health Policies, and then click New. In the Create New Health Policy dialog box, under Policy name, type Compliant. Under Client SHV checks, verify that Client passes all SHV checks is selected. Under SHVs used in this health policy, select the Windows Security Health Validator check box. Click OK. Right-click Health Policies, and then click New. In the Create New Health Policy dialog box, under Policy name, type Noncompliant. Under Client SHV checks, select Client fails one or more SHV checks. Under SHVs used in this health policy, select the Windows Security Health Validator check box. Click OK.

6.

Configure network policies for compliant computers: a. b. c. d. e. f. g. h. i. j. k. Ensure Policies is expanded. Click Network Policies. Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable. Right-click Network Policies, and then click New. In the Specify Network Policy Name and Connection Type window, under Policy name, type Compliant-Full-Access, and then click Next. In the Specify Conditions window, click Add. In the Select condition dialog box, double-click Health Policies. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant, and then click Next. In the Specify Access Permission window, verify that Access granted is selected. Click Next three times.

Lab A: Implementing a Virtual Private Network

L6-7

MCT USE ONLY. STUDENT USE PROHIBITED

l.

In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.

m. In the Completing New Network Policy window, click Finish. 7. Configure network policies for noncompliant computers: a. b. c. d. e. f. g. Right-click Network Policies, and then click New. In the Specify Network Policy Name and Connection Type window, under Policy name, type Noncompliant-Restricted, and then click Next. In the Specify Conditions window, click Add. In the Select condition dialog box, double-click Health Policies. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant, and then click Next. In the Specify Access Permission window, verify that Access granted is selected.

Note: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients matching these conditions. h. i. j. k. l. Click Next three times. In the Configure Settings window, click NAP Enforcement. Select Allow limited access, and clear the Enable auto-remediation of client computers check box. In the Configure Settings window, click IP Filters. Under IPv4, click Input Filters, and then click New. In the Add IP Filter dialog box, select Destination network. Type 10.10.0.10 next to IP address, and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from noncompliant clients can reach only NYC-DC1.

m. Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed below in the Inbound Filters dialog box. n. o. p. q. Click OK to close the Inbound Filters dialog box. Under IPv4, click Output Filters, and then click New. In the Add IP Filter dialog box, select Source network. Type 10.10.0.10 next to IP address, and then type 255.255.255.255 next to Subnet mask. Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed below in the Outbound Filters dialog box. This step ensures that only traffic from NYC-DC1 can be sent to noncompliant clients. Click OK to close the Outbound Filters dialog box. In the Configure Settings window, click Next. In the Completing New Network Policy window, click Finish.

r. s. t.

L6-8

Lab A: Implementing a Virtual Private Network

MCT USE ONLY. STUDENT USE PROHIBITED

8.

Configure connection request policies: a. b. c. d. e. f. g. h. i. j. k. l. Click Connection Request Policies. Disable the default Connection Request policy found under Policy Name by right-clicking the policy, and then clicking Disable. Right-click Connection Request Policies, and then click New. In the Specify Connection Request Policy Name and Connection Type window, under Policy name, type VPN connections. Under Type of network access server, select Remote Access Server (VPN-Dial up), and then click Next. In the Specify Conditions window, click Add. In the Select condition window, double-click Tunnel Type, select PPTP, SSTP, and L2TP, click OK, and then click Next. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected, and then click Next. In the Specify Authentication Methods window, select Override network policy authentication settings. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP), and then click OK. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.

m. Verify that Enforce Network Access Protection is selected, and then click OK. n. 9. Click Next twice, and then click Finish.

Close the Network Policy Server console.

Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS)
configured as a VPN server
1. 2. On NYC-EDGE1, click Start, point to Administrative Tools, and then click Routing and Remote Access. In the Routing and Remote Access console, right-click NYC-EDGE1 (local), and then click Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard. Click Next, select Remote access (dial-up or VPN), and then click Next. Select the VPN check box, and then click Next. Click the network interface called Public. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next. This ensures that NYC-EDGE1 will be able to ping NYC-DC1 when attached to the Internet subnet without requiring that you configure additional packet filters for Internet Control Message Protocol (ICMP) traffic. On the IP Address Assignment page, select From a specified range of addresses, and then click Next. On the Address Range Assignment page, click New. Type 10.10.0.100 next to Start IP address and 10.10.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses are assigned for remote clients, and then click Next.

3. 4. 5.

6. 7.

Lab A: Implementing a Virtual Private Network

L6-9

MCT USE ONLY. STUDENT USE PROHIBITED

8. 9.

On the Managing Multiple Remote Access Servers page, ensure No, use Routing and Remote Access to authenticate connection requests is already selected and then click Next. Click Finish.

10. Click OK twice, and wait for the Routing and Remote Access Service to start. 11. Click Start, point to Administrative Tools, and then click Network Policy Server. Click the Connection Request Policies node and disable the Microsoft Routing and Remote Access Service Policy. This is created automatically when Routing and Remote Access is enabled. 12. Close the Network Policy Server management console. 13. Close Routing and Remote Access.

Task 4: Allow ping on NYC-EDGE1


1. 2. 3. 4. 5. 6. 7. 8. 9. Click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security. Click Inbound Rules, right-click Inbound Rules, and then click New Rule. Select Custom, and then click Next. Select All programs, and then click Next. Next to Protocol type, select ICMPv4, and then click Customize. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next. Click Next to accept the default scope. In the Action window, verify that Allow the connection is selected, and then click Next. Click Next to accept the default profile.

10. In the Name window, under Name, type ICMPv4 echo request, and then click Finish. 11. Close the Windows Firewall with the Advanced Security console. Results: In this exercise, you configured and enabled a VPN-enforced NAP scheme.

L6-10

Lab A: Implementing a Virtual Private Network

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring Client Settings to support NAP


Task 1: Configure Security Center
1. 2. Switch to the NYC-CL1 computer. Configure NYC-CL1 so that Security Center is always enabled: a. b. c. d. e. Click Start, point to All Programs, click Accessories, and then click Run. Type gpedit.msc, and then press ENTER. In the console tree, click Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK. Close the Local Group Policy Editor.

Task 2: Enable client NAP enforcement


1. Enable the remote-access, quarantine-enforcement client: a. b. c. d. e. 2. Click Start, click All Programs, click Accessories, and then click Run. Type napclcfg.msc, and then press ENTER. In the console tree, click Enforcement Clients. In the details pane, right-click EAP Quarantine Enforcement Client, and then click Enable. Close the NAP Client Configuration window.

Enable and start the NAP agent service: a. b. c. d. e. f. Click Start, click Control Panel, click System and Security, and then click Administrative Tools. Double-click Services. In the Services list, double-click Network Access Protection Agent. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic, and then click Start. Wait for the NAP Agent service to start, and then click OK. Close the Services console, and then close the Administrative Tools and System and Security windows.

Task 3: Move the client to the Internet


1. Configure NYC-CL1 for the Internet network segment: a. b. c. d. e. f. g. h. Click Start, click Control Panel, and then click Network and Internet. Click Network and Sharing Center. Click Change adapter settings. Right-click Local Area Connection 3, and then click Properties. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. Ensure Use the following IP address is already selected. Next to IP address, type 131.107.0.20. Next to Subnet mask, type 255.255.255.0. Remove the Default gateway. Next to Preferred DNS server, remove 10.10.0.10. Click OK, and then click Close to close the Local Area Connection 3 Properties dialog box.

Lab A: Implementing a Virtual Private Network

L6-11

MCT USE ONLY. STUDENT USE PROHIBITED

i. 2.

Close the Network Connections window.

Verify network connectivity for NYC-CL1: a. b. c. d. e. Click Start, click All Programs, click Accessories, and then click Run. Type cmd, and then press ENTER. At the command prompt, type ping 131.107.0.2 and then press ENTER. Verify that the response reads Reply from 131.107.0.2 Close the command window.

Task 4: Create a VPN on NYC-CL1


1. Configure a VPN connection: a. b. c. d. e. f. g. Click Start, click Control Panel, and then click Network and Internet. Click Network and Sharing Center. Click Set up a new connection or network. On the Choose a connection option page, click Connect to a workplace, and then click Next. On the How do you want to connect page, click Use my Internet connection (VPN). Click Ill set up an Internet connection later. On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.2. Next to Destination name, type Contoso VPN, select the Allow other people to use this connection check box, and then click Next. On the Type your user name and password page, type administrator next to User name, and type Pa$$w0rd next to Password, select the Remember this password check box, type Contoso next to Domain (optional), and then click Create. On The connection is ready to use page, click Close. In the Network and Sharing Center window, click Change adapter settings. Right-click the Contoso VPN connection, click Properties, and then click the Security tab. Under Authentication, click Use Extensible Authentication Protocol (EAP).

h.

i. j. k. l.

m. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft: Protected EAP (PEAP) (encryption enabled), and then click Properties. n. Ensure that the Validate server certificate check box is already selected. Clear the Connect to these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method, clear the Enable Fast Reconnect check box, and then select the Enforce Network Access Protection check box. Click OK twice to accept these settings.

o. 2.

Test the VPN connection: a. b. c. In the Network Connections window, right-click the Contoso VPN connection, and then click Connect. In the Connect Contoso VPN window, click Connect. You are presented with a Windows Security Alert window the first time this VPN connection is used. Click Details, and verify that Certificate Information states that the certificate was issued to NYC-EDGE1.Contoso.com by ContosoCA. Click Connect.

L6-12

Lab A: Implementing a Virtual Private Network

MCT USE ONLY. STUDENT USE PROHIBITED

d. e. f. g. h. 3.

Wait for the VPN connection to be made. Because NYC-CL1 is compliant, it should have unlimited access to the intranet subnet. Click Start, click All Programs, click Accessories, and then click Command Prompt. Type ipconfig /all, and view the IP configuration. System Quarantine State should be Not Restricted. In the command window, type ping 10.10.0.10 and then press Enter. This should be successful. The client now meets the requirement for VPN full connectivity. Disconnect from the Contoso VPN.

Configure Windows Security Health Validator to require an antivirus application: a. b. c. d. On NYC-EDGE1, click Start, point to Administrative Tools, and then click Network Policy Server. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings. In the right pane under Name, double-click Default Configuration. On the Windows 7/Windows Vista selection, select the An antivirus application is on check box, and then click OK.

4.

Verify the client is placed on the restricted network: a. b. c. d. e. On NYC-CL1, in the Network Connections window, right-click the Contoso VPN, and then click Connect. Click Connect. Wait for the VPN connection to be made. Verify that a message appears in the Action Center that states that the computer doesnt meet security standards. Click Start, click All Programs, click Accessories, and then click Command Prompt. Type ipconfig /all and then press ENTER. View the IP configuration. System Quarantine State should be Restricted. The client does not meet the requirements for the network, and therefore is placed on the restricted network. f. Disconnect the Contoso VPN.

Results: In this exercise, you enabled and configured a VPN NAP enforcement policy for Contoso Ltd.

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-EDGE1and 6419B-NYC-CL1.

Lab A: Creating and Managing User and Computer Accounts

L7-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 7: Managing Active Directory Domain Services

Lab A: Creating and Managing User and Computer Accounts


Exercise 1: Creating and Configuring User Accounts
Task 1: Create the Finance OU
1. 2. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. At the command prompt, type the following and press ENTER.

New-ADOrganizationalUnit -Name Finance -Path "DC=CONTOSO,DC=COM"

3.

Close the Active Directory Module for Windows PowerShell window.

Task 2: Create a user template account for the Finance users


1. 2. 3. 4. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers In the Active Directory Users and Computers window, expand Contoso.com and then click the Finance OU in the left pane. On the toolbar, click Action, click New, and then click User. In the New Object User window, populate the fields as follows. Property First name Last name Full name User logon name 5. Value Finance Template Finance Template FinanceTemplate

Click Next and populate the fields as follows, and then click Next and then Finish. Property Password Confirm Password Value Pa$$w0rd Pa$$w0rd

User must change password at Not Selected next logon Account is disabled 6. Selected

In the right pane right-click the Finance Template user, click Properties, click Organization, populate the fields as follows, and then click OK.

L7-2

Lab A: Creating and Managing User and Computer Accounts

MCT USE ONLY. STUDENT USE PROHIBITED

Property Department

Value Finance

Task 3: Create new accounts for Eva and Mark


1. 2. In the Active Directory Users and Computers window, right-click the Finance Template user, and then click Copy. In the Copy Object User window, populate the fields as follows, and then click Next. Property First name Last name Full name User logon name 3. Value Eva Corets Eva Corets Eva

In the Copy Object User window, populate the fields as follows, click Next, and then click Finish. Property Password Confirm Password Account is disabled Value Pa$$w0rd Pa$$w0rd Not Selected

4. 5.

In the Active Directory Users and Computers window, right-click the Finance Template user, and then click Copy. In the Copy Object User window, populate the fields as follows, and then click Next. Property First name Last name Full name User logon name Value Mark Steele Mark Steele Mark

6.

In the Copy Object User window, populate the fields as follows, click Next, and then click Finish. Property Password Confirm Password Account is disabled Value Pa$$w0rd Pa$$w0rd Not Selected

7.

Close the Active Directory Users and Computers window.

Lab A: Creating and Managing User and Computer Accounts

L7-3

MCT USE ONLY. STUDENT USE PROHIBITED

Task 4: Confirm the functionality of user accounts


1. 2. 3. 4. 5. Switch to the 6419B-NYC-CL1 virtual machine. On NYC-CL1, log on as Contoso\Eva with a password of Pa$$w0rd. Log off of NYC-CL1. On NYC-CL1, log on as Contoso\Mark with a password of Pa$$w0rd. Log off of NYC-CL1.

Task 5: Disable the new user accounts


1. 2. 3. 4. 5. Switch to the 6149B-NYC-DC1 virtual machine. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Administrative Center. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and then double-click the Finance OU in the middle pane. Click Eva Corets, press and hold the Ctrl key, and click Mark Steele. Release the Ctrl key, right-click Mark Steele, and then click Disable All. Close the Active Directory Administrative Center window. Results: In this exercise, you created and configured user accounts.

L7-4

Lab A: Creating and Managing User and Computer Accounts

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Creating and Configuring Computer Accounts


Task 1: Create computer accounts by using Active Directory management tools
1. 2. 3. 4. 5. 6. 7. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers. In the Active Directory Users and Computers window, click the Computers container in the left pane. On the toolbar, click Action, click New, and then click Computer. In the Computer name box, type NYC-CL5, and then click OK. Close the Active Directory Users and Computers window. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. At the command prompt, type the following command and then press ENTER:

New-ADComputer Name NYC-CL6 -SamAccountName NYC-CL6 -Path CN=Computers,DC=CONTOSO,DC=COM'

8.

Close the command prompt window.

Task 2: Configure computer accounts attributes


1. 2. 3. 4. 5. Click Start, click Administrative Tools, and then click Active Directory Administrative Center. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and then double-click the Computers container in the middle pane. Click NYC-CL5, press and hold the Ctrl key and click NYC-CL6. Release the Ctrl key, right-click NYCCL6, and then click Move. In the Move window, click the Finance OU, and then click OK. Close the Active Directory Administrative Center window. Results: In this exercise, you configured computer account attributes.

Lab A: Creating and Managing User and Computer Accounts

L7-5

MCT USE ONLY. STUDENT USE PROHIBITED

Lab B: Managing Groups and Locating Objects in AD DS


Exercise 1: Implement Role-Based Management by Using Groups
Task 1: Determine group requirements
Question: Which type of group should you create to group the Finance users together? Answer: A global group should be created for the Finance department users. This group type gives the most flexibility in group membership within the domain. Question: How can you create a group structure that allows the Finance department members change permissions and also allows other users and groups from the organization to be easily assigned these permissions as well? Answer: You could create a domain local group called Finance_Folders_Change and place the Finance global group inside of it. Then, the Finance_Folders_Change group could be assigned Change permission rights on the necessary folders. If new users or groups need to have the same access, they can simply be added to the Finance_Folders_Change domain local group.

Task 2: Use management tools to create AD DS groups


1. 2. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. At the command prompt, type the following and press ENTER.

New-ADGroup Name Finance SAMAccountName Finance GroupCategory Security GroupScope Global DisplayName Finance Department Path OU=Finance,DC=CONTOSO,DC=COM

3.

At the command prompt, type the following and press ENTER.

New-ADGroup Name Finance_Folders_Change SAMAccountName FinanceFoldersChange GroupCategory Security GroupScope DomainLocal DisplayName Change Access to Finance Folders Path OU=Finance,DC=CONTOSO,DC=COM

4.

Close the Active Directory Module for Windows PowerShell window.

Task 3: Modify group attributes


1. 2. 3. 4. 5. 6. 7. 8. Click Start, click Administrative Tools, and then click Active Directory Administrative Center. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and then double-click the Finance OU in the middle pane. Click Eva Corets, press and hold the Ctrl key, and click Mark Steele. Release the Ctrl key, right-click Mark Steele, and then click Add to group. In the Enter the object name to select box, type Finance, and then click Check Names. In the Multiple Names Found window, click Finance, and then click OK. In the Select Groups window, click OK. Close the Active Directory Administrative Center window. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

L7-6

Lab A: Creating and Managing User and Computer Accounts

MCT USE ONLY. STUDENT USE PROHIBITED

9.

In the Active Directory Users and Computers window, click the Finance OU in the left pane, rightclick the Finance_Folders_Change group in the right pane, and then click Properties.

10. In the Finance_Folders_Change Properties window, click the Members tab, and then click Add. 11. In the Enter the object name to select box, type Finance, and then click Check Names. 12. In the Multiple Names Found window, click Finance, and then click OK. 13. In the Select Users, Contacts, Computers, Service Accounts, or Groups window, click OK. 14. In the Finance_Folders_Change Properties window, click OK. 15. Close the Active Directory Users and Computers window. Results: In this exercise, you implemented role-based management by using groups.

Lab A: Creating and Managing User and Computer Accounts

L7-7

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Finding Objects in Active Directory


Task 1: Create and save an AD DS query
1. 2. 3. 4. 5. 6. 7. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers. In the Active Directory Users and Computers window, right-click Saved Queries, click New, and then click Query. In the New Query window, type Finance Groups, in the Name box, and then click Define Query. In the Find Common Queries window, click the Groups tab, click the drop-down box beside the Name box, and then click Starts with. In the Name field, type Finance, and then click OK. In the New Query window, click OK. Expand Saved Queries, and then click the Finance Groups query to confirm the result.

Task 2: Use dsquery to locate AD DS objects


1. 2. On NYC-DC1, click Start, click Run, type cmd in the Open box, and then click OK. At the command prompt, type the following command, and then press ENTER.

dsquery user "ou=Finance,dc=Contoso,dc=com" disabled

3.

View the results and confirm that Eva Corets and Mark Steele are listed.

Task 3: Use Windows PowerShell to query AD DS


1. 2. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. At the command prompt, type the following command, and then press ENTER.

Get-ADGroupMember Finance

3.

View the results and confirm that Eva Corets and Mark Steele are listed. Results: In this exercise, you located objects in Active Directory.

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-CL1.

L7-8

Lab A: Creating and Managing User and Computer Accounts

MCT USE ONLY. STUDENT USE PROHIBITED

Lab A: Configuring Active Directory Delegation

L8-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 8: Configuring Active Directory Object Administration and Domain Trust

Lab A: Configuring Active Directory Delegation


Exercise 1: Delegating Control of AD DS Objects
Task 1: Delegate management tasks for the Marketing OU.
1. 2. 3. 4. 5. 6. 7. 8. Switch to the NYC-DC1 virtual machine. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens. In the console pane, expand Contoso.com, and then click Marketing. Right-click Marketing, and then click Delegate Control. The Delegation of Control Wizard opens. In the Delegation of Control Wizard, click Next. On the Users or Groups page, click Add. In the Select Users, Computers, or Groups dialog box, type Marketing_Managers, click OK, and then click Next. On the Tasks to Delegate page, select the Create, delete, and manage user accounts check box, click Next, and then click Finish.

Task 2: Verify effective permissions assigned for the Marketing OU.


1. 2. 3. 4. 5. 6. 7. 8. 9. In the Active Directory Users and Computers console, click the View menu, and then click Advanced Features. Right-click the Marketing OU, and then click Properties. In the Marketing Properties dialog box, click the Security tab. On the Security tab, click Advanced. On the Advanced Security Settings for Marketing dialog box, click the Effective Permissions tab. On the Effective Permissions tab, click Select. In the Select User, Computer, Service Account, or Group dialog box, type Don, and then click OK. Verify that Don Roessler has permissions to create and delete user objects. Click OK to close the Advanced Security Settings for Marketing dialog box. Click OK to close the Marketing Properties dialog box.

Task 3: Test delegated permissions.


1. 2. 3. Log on to NYC-SVR1 as Contoso\Don, with the password, Pa$$w0rd. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens. Expand Contoso.com, and then click the Marketing OU.

L8-2

Lab A: Configuring Active Directory Delegation

MCT USE ONLY. STUDENT USE PROHIBITED

4. 5.

Right-click the Marketing OU, and then point to New. Notice that you are only able to create a new user. Close Active Directory Users and Computers and log off from NYC-SVR1. Results: After completing this exercise, you will have delegated the right to manage user accounts to the Marketing Managers.

Lab A: Configuring Active Directory Delegation

L8-3

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Creating Managed Service Accounts in AD DS


Task 1: Use Windows PowerShell to create and associate a managed service account.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Module for Windows PowerShell. The Administrator: Active Directory Module for Windows PowerShell console opens. At the prompt, type the following command and then press Enter.

2.

New-ADServiceAccount Name App1_SVR1

3.

At the prompt, type the following command, and then press Enter.

Add-ADComputerServiceAccount identity NYC-SVR1 ServiceAccount App1_SVR1

4.

At the prompt, type the following command, and then press Enter.

Get-ADServiceAccount -Filter 'Name -like "*"' | FT Name,HostComputers A

5. 6.

Verify that the App1_SVR1 service account is associated with NYC-SVR1. Close all open windows on NYC-DC1.

Task 2: Install a managed service account on a server.


1. 2. 3. Switch to the NYC-SVR1 virtual machine. Log on to NYC-SVR1 as Contoso\Administrator, with the password, Pa$$w0rd. Click Start, point to Administrative Tools, and then click Active Directory Module for Windows PowerShell. The Administrator: Active Directory Module for Windows Powershell console opens. At the prompt, type the following command, and then press Enter.

4.

Install-ADServiceAccount -Identity App1_SVR1

5. 6.

Click Start, point to Administrative Tools, and then click Services. In the Services console, right-click Disk Defragmenter, and then click Properties. Note: The Disk Defragmenter service is just used as an example for this lab. In a production environment, you would use the actual service that should be assigned the managed service account.

7. 8. 9.

In the Disk Defragmenter Properties dialog box, click the Log On tab. On the Log On tab, click This account, and then type Contoso\App1_SVR1$. Clear the password for both the Password and Confirm password boxes. Click OK.

10. Click OK at all prompts. 11. Close the Services console. 12. Close all open windows on NYC-SVR1.

L8-4

Lab A: Configuring Active Directory Delegation

MCT USE ONLY. STUDENT USE PROHIBITED

Results: After completing this exercise, you will have created and installed a managed service account.

To prepare for the next lab.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-SVR1.

Lab A: Configuring Active Directory Delegation

L8-5

MCT USE ONLY. STUDENT USE PROHIBITED

Lab B: Administer Trust Relationships


Exercise 1: Configuring Name Resolution between Contoso.com and Adatum.com
Task 1: Configure DNS conditional forwarding on NYC-DC1.
1. 2. 3. 4. 5. 6. 7. 8. Switch to the NYC-DC1 virtual machine. On NYC-DC1, click Start, point to Administrative Tools, and then click DNS. The DNS Manager console opens. In the console pane, click Conditional Forwarders. Right-click Conditional Forwarders, and then click New Conditional Forwarder. The New Conditional Forwarder dialog box appears. In the New Conditional Forwarder dialog box, under DNS Domain, type Adatum.com. Under IP addresses of the master servers, type 10.10.0.100, and then press Enter. Select the check box next to Store this conditional forwarder in Active Directory, and replicate it as follows, and then click OK. Close the DNS Manager.

Task 2: Configure DNS conditional forwarding on VAN-DC1.


1. 2. 3. 4. 5. 6. 7. 8. Switch to the VAN-DC1 virtual machine. On VAN-DC1, click Start, point to Administrative Tools, and then click DNS. The DNS Manager console opens. In the console pane, expand VAN-DC1, and then click Conditional Forwarders. Right-click Conditional Forwarders and then click New Conditional Forwarder. The New Conditional Forwarder dialog box appears. In the New Conditional Forwarder dialog box, under DNS Domain, type Contoso.com. Under IP addresses of the master servers, type 10.10.0.10, and then press Enter. Select the check box next to Store this conditional forwarder in Active Directory, and replicate it as follows, and then click OK. Close the DNS Manager. Results: After completing this exercise, you will have configured name resolution between the Contoso.com domain and the Adatum.com domain.

L8-6

Lab A: Configuring Active Directory Delegation

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring a Forest Trust


Task 1: Use the New Trust Wizard to create a Forest Trust.
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts. The Active Directory Domains and Trusts console opens. In the console pane, right-click Contoso.com and then click Properties. In the Contoso.com Properties dialog box, click the Trusts tab. On the Trusts tab, click New Trust. The New Trust Wizard starts. Click Next. On the Trust Name page, type Adatum.com, and then click Next. On the Trust Type page, select Forest trust, and then click Next. On the Direction of Trust page, select Two-way, and then click Next. On the Sides of Trust page, select Both this domain and the specified domain, and then click Next. On the User Name and Password page, configure the following and then click Next: User name: Administrator Password: Pa$$w0rd

10. On the Outgoing Trust Authentication Level Local Forest page, select Forest-wide authentication, and then click Next. 11. On the Outgoing Trust Authentication Level Specified Forest page, select Forest-wide authentication, and then click Next. 12. On the Trust Selections Complete page, click Next. 13. On the Trust Selections Complete page, click Next. 14. On the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust, and then click Next. 15. On the Confirm Incoming Trust page, click Yes, confirm the incoming trust, and then click Next. 16. On the Completing the New Trust Wizard, verify that the trust relationship is successfully created and confirmed, and then click Finish. 17. Click OK to close the Contoso.com Properties box, and then close Active Directory Domains and Trusts.

Task 2: Configure selective authentication.


1. 2. 3. 4. 5. 6. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts. The Active Directory Domains and Trusts console opens. In the console pane, right-click Contoso.com, and then click Properties. In the Contoso.com Properties dialog box, click the Trusts tab. Under Domains trusted by this domain, select Adatum.com, and then click Properties. On the Adatum.com Properties dialog box, click the Authentication tab. On the Authentication tab, click Selective authentication, and then click OK.

Lab A: Configuring Active Directory Delegation

L8-7

MCT USE ONLY. STUDENT USE PROHIBITED

7. 8. 9.

Click OK to close the Contoso.com Properties box, and then close Active Directory Domains and Trusts. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens. On the View menu, click Advanced Features.

10. Expand Contoso.com and then click the Computers container. 11. Right-click NYC-SVR1, and then click Properties. 12. Click the Security tab. 13. Click Add, and then, in the Select Users, Computers, Service Accounts, or Groups dialog box, click Locations. 14. In the Locations dialog box, click Adatum.com, and then click OK. 15. In the Select Users, Computers, Service Accounts, or Groups dialog box, type Domain Users, and then click OK. 16. Ensure that Domain Users (ADATUM\Domain Users) is selected, and then select the Allow check box next to the Allowed to authenticate permission. 17. Click OK to close the NYC-SVR1 Properties dialog box. 18. Close Active Directory Users and Computers. Results: After completing this exercise, you will have created a Forest Trust and Selective authentication.

To prepare for the next module.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-VAN-DC1.

L8-8

Lab A: Configuring Active Directory Delegation

MCT USE ONLY. STUDENT USE PROHIBITED

Lab A: Creating and Configuring GPOs

L9-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 9: Creating and Managing Group Policy Objects

Lab A: Creating and Configuring GPOs


Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on by using the following credentials: 5. User name: Administrator Password: Pa$$w0rd Domain: Contoso

Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.

Exercise 1: Creating and Configuring Group Policy Objects


Task 1: Create the GPOs.
1. 2. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management. In the Group Policy Management window, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Group Policy Objects. Right-click the Group Policy Objects folder, and then click New. In the New GPO dialog box, in the Name field, type Restrict Run Command, and then click OK. Repeat the previous two steps to create the following GPOs: Baseline Security Windows 7 and Windows Vista Security IT Favorites

3. 4. 5.

Task 2: Configure the GPO settings.


A. Configure the Restrict Run Command policy
1. 2. 3. 4. 5. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Restrict Run Command policy, and then click Edit. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, and then click Start Menu and Taskbar. In the details pane, double-click Remove Run menu from the Start Menu. In the Remove Run menu from Start Menu dialog box, click Enabled, and then click OK. Close Group Policy Management Editor.

L9-2

Lab A: Creating and Configuring GPOs

MCT USE ONLY. STUDENT USE PROHIBITED

B. Configure the Baseline Security Policy


1. 2. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Baseline Security policy, and then click Edit. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options. In the details pane, double-click Interactive logon: Do not display last user name. In the Interactive logon: Do not display last user name Properties dialog box, select the Define this policy setting check box, click Enabled, and then click OK. Close Group Policy Management Editor.

3. 4. 5.

C. Configure the Windows 7 and Windows Vista Security policy


1. 2. 3. 4. 5. In the Group Policy Management window, in the Group Policy Objects folder, right-click the Windows 7 and Windows Vista Security GPO, and then click Edit. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Logon. In the details pane, double-click Always wait for the network at computer startup and logon. In the Always wait for the network at computer startup and logon dialog box, click Enabled, and then click OK. Close Group Policy Management Editor.

D. Configure the IT Favorites Policy


1. 2. 3. 4. 5. 6. 7. 8. In the Group Policy Management window, in the Group Policy Objects folder, right-click the IT Favorites policy, and then click Edit. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and then click URLs. In the details pane, double-click Favorites and Links. In the Favorites and Links dialog box, click Add URL. In the Details dialog box, in the Name field, type Tech Support. In the URL field, type http://support.microsoft.com. Click OK twice. Close Group Policy Management Editor.

Task 3: Link the GPOs to the appropriate containers.


1. 2. In the Group Policy Management window, right-click the Contoso.com domain, and then click Link an Existing GPO. In the Select GPO dialog box, click the Baseline Security GPO. Hold down CTRL and then click the following GPOs: 3. Restrict Run Command Windows 7 and Windows Vista Security

Click OK.

Lab A: Creating and Configuring GPOs

L9-3

MCT USE ONLY. STUDENT USE PROHIBITED

4. 5.

Right-click the IT OU, and then click Link an Existing GPO. In the Select GPO dialog box, click the IT Favorites GPO, and then click OK.

Result: After completing this exercise you will have created and configured GPOs.

L9-4

Lab A: Creating and Configuring GPOs

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Managing the Scope of GPO Application


Task 1: Configure Group Policy management for the domain container.
1. 2. 3. In the Group Policy Management window, expand the Contoso.com domain to expose the linked policies (denoted by the shortcut icons). Right-click the Baseline Security link, and then click Enforced. Right-click the Windows 7 and Windows Vista Security link, and then click Enforced.

Task 2: Configure Group Policy management for the IT OU.


In the Group Policy Management window, right-click the IT OU, and then click Block Inheritance.

Task 3: Create and apply a WMI filter for the Server Security GPO.
1. 2. 3. 4. In the Group Policy Management window console pane, right-click the WMI Filters folder, and then click New. In the New WMI Filter dialog box, in the Name field, type Windows 7 or Windows Vista operating system. Click Add. In the WMI Query dialog box, in the Query field, type Select * from Win32OperatingSystem where Caption = Microsoft Windows 7 Enterprise OR Caption = Microsoft Windows Vista Enterprise. Click OK, and then click Save. In the left-hand console pane, expand the Group Policy Objects folder, click the Windows 7 and Windows Vista Security policy, and then, in the details pane, click the Scope tab. In the WMI Filtering list, click Windows 7 or Windows Vista operating system. In the Group Policy Management dialog, click Yes. Result: After completing this exercise you will have configured the scope of GPO settings.

5. 6. 7. 8.

Lab A: Creating and Configuring GPOs

L9-5

MCT USE ONLY. STUDENT USE PROHIBITED

Lab B: Managing Group Policy Objects


Exercise 1: Verifying GPO Application
Task 1: Verify that a user in the domain has the Run command removed from the Start
menu.
1. 2. 3. Log on to NYC-CL1 as CONTOSO\Max, with the password, Pa$$w0rd. Click Start, point to All Programs, point to Accessories and then verify that Run is not present in the Start menu. Log off of NYC-CL1.

Task 2: Verify that a user in the IT OU is receiving the correct policy.


1. 2. 3. 4. 5. Log on to NYC-CL1 as CONTOSO\Ed, with the password, Pa$$w0rd. Click Start, point to All Programs, click Accessories and then verify that Run is present. Click Start, point to All Programs, and then click Internet Explorer. At the Set Up Windows Internet Explorer 8 dialog box, click Ask me later. In the Internet Explorer window, click the Favorites button, and then verify that the link to Tech Support is present. Restart NYC-CL1.

Task 3: Verify that the last logged on user name does not appear.
After NYC-CL1 is restarted, verify that the last logged on user name does not appear. Note: To see this information, press CTRL-ALT-DEL to see the logon screen.

Result: After completing this exercise you will have tested and verified a GPO application

L9-6

Lab A: Creating and Configuring GPOs

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Managing GPOs


Task 1: Back up an individual policy.
1. 2. 3. 4. 5. 6. On NYC-DC1, in the Group Policy Management window, under the Group Policy Objects folder, right-click the Restrict Run Command policy, and then click Back Up. In the Back Up Group Policy Object dialog box, click Browse. Browse to Local Disk (C:) and then click Make New Folder. Type GPO Backup, and then press Enter. Click OK, and then click Back Up. When the backup completes, click OK.

Task 2: Back up all GPOs.


1. 2. 3. In the console pane, right-click the Group Policy Objects folder, and then click Back Up All. In the Back Up Group Policy Object dialog box, in the Location field, type C:\GPO Backup and then click Back Up. When the backup completes, click OK.

Task 3: Delete and restore an individual GPO.


1. 2. 3. 4. 5. 6. 7. In the Group Policy Objects folder, right-click the IT Favorites policy, and then click Delete. In the Group Policy Management dialog box, click Yes. Right-click the Group Policy Objects folder, and then click Manage Backups. In the Manage Backups dialog, click the IT Favorites GPO, and then click Restore. In the Group Policy Management dialog box, click OK. In the Restore dialog box, click OK and then click Close. Verify that the IT Favorites GPO appears in the Group Policy Objects folder.

Task 4: Import a GPO.


1. 2. 3. 4. 5. 6. 7. Right-click the Group Policy Objects folder, and then click New. In the New GPO dialog box, in the Name field, type Import, and then click OK. Right-click the Import GPO, and then click Import Settings. In the Import Settings Wizard, click Next. On the Backup GPO page, click Next. On the Backup location page, verify the Backup folder is C:\GPO Backup, and then click Next. On the Source GPO page, click Restrict Run Command, and then click Next. Note: If more than one copy of the Restrict Run Command GPO appears, choose the newer one. 8. 9. On the Scanning Backup page, click Next, and then click Finish. When the import completes, click OK.

Lab A: Creating and Configuring GPOs

L9-7

MCT USE ONLY. STUDENT USE PROHIBITED

10. In the left-hand console pane, expand the Group Policy Objects folder, click the Import GPO, and then, in the details pane, click the Settings tab. 11. Click show all. 12. Verify that the Remove Run menu from Start Menu policy setting is enabled. Result: After completing this exercise you will have backed up restored and imported GPOs.

L9-8

Lab A: Creating and Configuring GPOs

MCT USE ONLY. STUDENT USE PROHIBITED

Lab C: Troubleshooting Group Policy


Exercise 1: Troubleshooting Incorrect Policy Settings: Scenario 1.
Task 1: Restore the TestA GPO.
1. 2. 3. 4. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and then click Manage Backups. In the Backup location box, type C:\Tools\GPOBackup and then press Enter. In the Manage Backups dialog box, click TestA, and then click Restore. Click OK twice, and then click Close.

Task 2: Link the TestA GPO to the IT OU.


1. 2. In the Group Policy Management console pane, right-click IT, and then click Link an Existing GPO. In the Select GPO dialog box, click TestA, and then click OK.

Task 3: Test the GPO.


1. 2. 3. On NYC-CLI, log on as CONTOSO\Ed, with the password, Pa$$w0rd. Click Start, and then notice the presence of the Run command. According to the scenario, this is not the desired behavior. Log off from NYC-CL1.

Task 4: Troubleshoot the GPO.


1. 2. 3. 4. On NYC-DC1, in the Group Policy Management console pane, expand Group Policy Results, rightclick Ed on NYC-CL1, and then click Rerun Query. Click Ed on NYC-CL1. In the details pane, on the Summary tab, under User Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice that the TestA GPO is being applied. On the Settings tab, under User Configuration, click Administrative Templates, and then click Start Menu and Taskbar. Notice that the Add the Run command to the Start Menu setting is enabled.

Task 5: Resolve the issue and test the resolution.


1. 2. 3. 4. 5. In the Group Policy Management console pane, under Group Policy Objects, right-click TestA, and then click Edit. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand Administrative Templates, and then click Start Menu and Taskbar. In the details pane, double-click Add the Run command to the Start Menu. In the Add the Run command to the Start Menu dialog box, click Disabled, and then click OK. Close Group Policy Management Editor.

Lab A: Creating and Configuring GPOs

L9-9

MCT USE ONLY. STUDENT USE PROHIBITED

6. 7.

On NYC-CLI, log on as CONTOSO\Ed, with the password, Pa$$w0rd. Click Start, and then notice that the Run command is no longer present.

Result: After completing this exercise, you will have resolved a Group Policy object issue.

L9-10

Lab A: Creating and Configuring GPOs

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Troubleshooting Incorrect Policy Settings: Scenario 2


Task 1: Create a new OU named, Loopback.
1. 2. 3. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers. In the Active Directory Users and Computers console pane, right-click CONTOSO.com, point to New, and then click Organizational Unit. In the New Object Organizational Unit dialog box, type Loopback, and then click OK.

Task 2: Restore the TestB GPO.


1. 2. 3. 4. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and then click Manage Backups. In the Backup location field, type C:\Tools\GPOBackup, and then press ENTER. In the Manage Backups dialog box, click TestB, and then click Restore. Click OK twice, and then click Close.

Task 3: Link the TestB GPO to the Loopback OU.


1. 2. 3. In the Group Policy Management console pane, right-click Group Policy Management, and then click Refresh. Right-click Loopback, and then click Link an Existing GPO. In the Select GPO dialog box, click TestB, and then click OK.

Task 4: Move NYC-CL1 to the Loopback OU.


1. 2. 3. 4. In the Active Directory Users and Computers console pane, expand Contoso.com, and then click Computers. In the details pane, right-click NYC-CL1, and then click Move. In the Move dialog box, click Loopback, and then click OK. Close Active Directory Users and Computers.

Task 5: Test the GPO.


1. 2. 3. On NYC-CL1, restart the computer. When the computer restarts, log on as Contoso\Ed, with the password, Pa$$w0rd. Click Start and notice that the Run command is present again.

Task 6: Troubleshoot the GPO.


1. 2. 3. On NYC-DC1, in the Group Policy Management console pane, right-click Ed on NYC-CL1, and then click Rerun Query. In the details pane, on the Summary tab, under Computer Configuration Summary, click Group Policy Objects, and then click Applied GPOs. Notice that the Test B GPO has been applied. On the Settings tab, under Computer Configuration, click Administrative Templates, and then click System/Group Policy. Notice that loopback processing mode is enabled. Note: Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need

Lab A: Creating and Configuring GPOs

L9-11

MCT USE ONLY. STUDENT USE PROHIBITED

policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy objects (GPOs) that depend only on which computer the user logs on to.

Task 7: Resolve the issue and test the resolution.


1. In the Group Policy Management console pane, expand the Loopback OU, right-click TestB, and then click Link Enabled to clear the check mark. Note: Another alternative would be to disable loopback processing in the GPO itself, especially if there were other settings in the GPO that you did wish to have applied. 2. 3. 4. 5. Close Group Policy Management. On NYC-CL1, restart the computer. When the computer restarts, log on as CONTOSO\Ed, with the password, Pa$$w0rd. Click Start and notice that the Run command is no longer present. Result: After completing this exercise, you will have resolved a Group Policy objects issue.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-CL1.

L9-12

Lab A: Creating and Configuring GPOs

MCT USE ONLY. STUDENT USE PROHIBITED

Lab A: Using Group Policy to Configure Scripts and Folder Redirection

L10-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 10: Using Group Policy to Configure User and Computer Settings

Lab A: Using Group Policy to Configure Scripts and Folder Redirection


Exercise 1: Using a Group Policy Logon Script to Map a Network Drive
Task 1: Create a script to map a drive to the data share
1. 2. 3. On NYC-DC1, click Start, in the Search programs and files box, type Notepad, and then press ENTER. In the Notepad, type Net use t: \\nyc-dc1\data. Click File and click Save. Save the file as Map.bat. Ensure that you click the Save as type: drop-down arrow in the Save As dialog box and select All Files (*.*) as the type. Save the file to the default location of Documents. Close Notepad. Click Start, click Computer, and then click Documents. Right-click the Map.bat file and click Copy. (You will paste it into the Netlogon share later.) Close the Documents window.

4. 5. 6. 7.

Task 2: Create and link a GPO


1. 2. 3. 4. Click Start, point to Administrative Tools, and then click Group Policy Management. Expand Forest:Contoso.com, and then expand Domains. Right-click Contoso.com, click Create a GPO in this domain, and Link it here. In the New GPO dialog box, in the Name box, type DriveMap, and then click OK.

Task 3: Edit the GPO and store the script in Sysvol


1. 2. 3. 4. 5. 6. 7. 8. 9. Expand Contoso.com, right-click the Drivemap GPO, and then click Edit. In Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and click Scripts (Logon\Logoff). In the details pane, double-click Logon. In the Logon Properties dialog box, click Show Files. (This opens the Netlogon share in Computer). In the details pane, right-click a blank area and then click Paste. Close the Logon window. In the Logon Properties dialog box, click Add. In the Add a Script dialog box, click Browse. Click the Map.bat script and then click Open.

10. Click OK twice to close all dialog boxes. 11. Close the Group Policy Management Editor and the Group Policy Management console.

L10-2

Lab A: Using Group Policy to Configure Scripts and Folder Redirection

MCT USE ONLY. STUDENT USE PROHIBITED

Task 4: Test the results


1. On NYC-CL1, log on as Contoso\Administrator with a password of Pa$$word.
2. 3. Click Start and click Computer and then verify that drive has been mapped. Log off NYC-CL1. Results: In this exercise, you created a script and a GPO to assign the script and store the script in a highly available location.

Lab A: Using Group Policy to Configure Scripts and Folder Redirection

L10-3

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Using Group Policy to Redirect Folders


Task 1: Create a shared folder
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start, and then click Computer Double-click Local Disk (C:) drive and then click New folder. Name the new folder Redirect. Right-click the Redirect folder, click Share with, and then click Specific people. In the File Sharing dialog box, click the drop-down arrow, and then select Find people. In the Select Users or Groups dialog box, type Research, and then click OK. In the File Sharing dialog box, click the Permission Level drop-down arrow for the Research group, and then click Read/Write. Click Share and then click Done. Close the Local Disk (C:) window.

Task 2: Create a GPO to redirect the Documents folder


1. 2. 3. 4. 5. 6. 7. 8. 9. Click Start, point to Administrative Tools, and then click Group Policy Management. Expand Forest: Contoso.com, expand Domains, and then expand Contoso.com Right-click the Research OU, and then click Create a GPO in this domain, and Link it here. In the New GPO dialog box, in the Name box, type Redirect, and then click OK. Expand the Research OU, right-click the Redirect GPO, and then click Edit. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then expand Folder Redirection. Right-click Documents and then click Properties. In the Document Properties dialog box, on the Target tab, In the Setting box, select Basic Redirect everyones folder to the same location. Ensure the Target folder location box is set to Create a folder for each user under the root path.

10. In the Root Path box, type \\NYC-DC1\Redirect, click OK. In the Warning dialog box, click Yes. 11. Close all open windows on NYC-DC1.

Task 3: Test folder redirection


1.
2.

Log on to NYC-CL1 as Dylan with a password of Pa$$w0rd. Click Start, right-click Documents, and then click Properties. In the Documents Properties dialog box, note that the location of the folder is now the Redirect network share in a subfolder named for the user. Note: Due to cached credentials, you may need to log on twice to see the redirection unless the user has never logged on to this computer before.

3.

Close all open windows and log off.

L10-4

Lab A: Using Group Policy to Configure Scripts and Folder Redirection

MCT USE ONLY. STUDENT USE PROHIBITED

Results: In this exercise, you created and set permissions on a shared folder. You created and linked a GPO to redirect the executives documents to the shared folder.

To prepare for the next lab


1. When you finish the lab, leave the virtual machines running.

Lab A: Using Group Policy to Configure Scripts and Folder Redirection

L10-5

MCT USE ONLY. STUDENT USE PROHIBITED

Lab B: Configuring Administrative Templates


Exercise 1: Configuring Administrative Templates
Task 1: Create and link a GPO to the Research OU
1. 2. 3. 4. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management. Expand Forest:Contoso.com, expand Domains, and then expand Contoso.com. Right-click the Research OU, and then click Create a GPO in this domain, and Link it here. In the New GPO dialog box, in the Name box, type ResearchDesktop, and then click OK.

Task 2: Deny access to registry editing tools


1. 2. 3. 4. Expand the Research OU, right-click the ResearchDesktop GPO, and then click Edit. In Group Policy Management Editor, under User Configuration, expand Policies, and then expand Administrative Templates Click System. In the details pane, double-click Prevent access to registry editing tools. In the Prevent access to registry editing tools dialog box, click Enabled, and then click OK.

Task 3: Deny access to the Run menu


1. 2. 3. In the folder tree, click the Start Menu and Taskbar folder. In the details pane, double-click the Remove Run menu from Start Menu setting. In the Remove Run menu from Start Menu dialog box, click Enabled, and then click OK.

Task 4: Deny write access to removable storage


1. 2. 3. In the folder tree, expand the System folder, and then click the Removable Storage Access folder. In the details pane, double-click the Removable disks: Deny write access setting. In the Removable disks: Deny write access dialog box, click Enabled, and then click OK.

Task 5: Deny access to the desktop background settings


1. 2. 3. 4. In the folder tree, expand the Control Panel folder, and then click the Personalization folder. In the details pane, double-click Prevent changing desktop background. In the Prevent changing desktop background dialog box, click Enabled, and then click OK. Close Group Policy Management Editor.

Task 6: Allow remote administration through the Windows Firewall


1. 2. Expand Contoso.com, right-click the Default Domain Policy, and then click Edit. Under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile. In the details pane, double-click Windows Firewall: Allow inbound remote administration exception. In the Windows Firewall: Allow inbound remote administration exception dialog box, click Enabled.

3. 4.

L10-6

Lab A: Using Group Policy to Configure Scripts and Folder Redirection

MCT USE ONLY. STUDENT USE PROHIBITED

5. 6.

In the Options section, in the Allow unsolicited incoming messages from these IP addresses: box, type LocalSubnet, and then click OK. Close all open windows on NYC-DC1.

Task 7: Test the settings


1. 2. 3. 4. 5. Log on to NYC-CL1 as Dylan with a password of Pa$$w0rd. Click Start, click All Programs, and then click Accessories. Ensure that the Run Menu does not appear. Click Start, click Control Panel, and then click Change desktop background. Ensure that the feature has been disabled. Click Start and type Regedit.exe in the Search box. Ensure that Regedit.exe does not appear in the search results. Close all open windows and log off. Results: In this exercise, you created and linked a GPO to control the desktop environment.

To prepare for the next lab


1. When you finish the lab, leave the virtual machines running.

Lab A: Using Group Policy to Configure Scripts and Folder Redirection

L10-7

MCT USE ONLY. STUDENT USE PROHIBITED

Lab C: Deploying Software Using Group Policy


Exercise 1: Deploying a Software Package by Using Group Policy
Task 1: Create and populate a shared folder to act as a software distribution point
Create and populate an application distribution folder 1. On NYC-DC1, click Start, and then click Computer 2. Double-click Local Disk (C:), and then click New folder. 3. Name the new folder AppDeploy. 4. Right-click the AppDeploy folder, click Share with, and then click Specific people. 5. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add. Ensure the permission level for Everyone is Read. 6. Click Share and click Done. 7. Click Start and type \\NYC-SVR1\E$\labfiles\Mod10 in the search box and press ENTER. 8. Right-click and copy XMLNotepad.msi file. 9. Browse to C:\AppDeploy and paste the file. 10. Close the AppDeploy window.

Task 2: Create and link a GPO to deploy the software to the IT OU


1. Click Start, click Administrative Tools, and then click Group Policy Management. 2. Click Forest:Contoso.com, expand Domains, and then expand Contoso.com. 3. Right-click the IT OU, and then click Create a GPO in this domain, and Link it here. 4. In the New GPO dialog box, in the Name box, type Software Deploy, and then click OK.

Task 3: Configure the GPO to publish the XML Notepad 2007 application
1. Expand the IT OU, right-click the Software Deploy GPO, and then click Edit. 2. In Group Policy Management Editor, under User Configuration, expand Policies, expand Software Settings, and then click Software Installation. 3. Right-click Software Installation, click New, and then click Package. 4. In the Open dialog box, in the File Name box, type \\NYC-DC1\AppDeploy\XMLNotepad.msi, and click Open. 5. In the Deploy Software dialog box, click Published, and then click OK. 6. Close all open windows on NYC-DC1.

Task 4: Test the deployment


1. Log on to NYC-CL1 as Ed with a password of Pa$$w0rd. 2. Click Start, click Control Panel, click Programs, click Programs and Features, and then click Install a program from the network. 3. Double-click the XML Notepad 2007 icon. 4. In the XML Notepad 2007 Setup dialog box, click Next. 5. In the XML Notepad 2007 license agreement dialog box, select the checkbox to accept the license agreement, and click Next.

L10-8

Lab A: Using Group Policy to Configure Scripts and Folder Redirection

MCT USE ONLY. STUDENT USE PROHIBITED

6. In the XML Notepad 2007 Setup dialog box, click Next. 7. In the XML Notepad 2007 Setup dialog box, click Install, and then click Finish. 8. Close all open windows and log off. Results: In this exercise, you created and populated a software distribution share and created and configured a GPO to publish an application.

To prepare for the next lab


1. When you finish the lab, leave the virtual machines running.

Lab A: Using Group Policy to Configure Scripts and Folder Redirection

L10-9

MCT USE ONLY. STUDENT USE PROHIBITED

Lab D: Deploying Group Policy Preferences


Exercise 1: Deploying Group Policy Preferences
Task 1: Create and share a folder to contain the IT documents
1. On NYC-DC1, click Start, and then click Computer 2. Double-click Local Disk (C:) drive, and then click New folder. 3. Name the new folder ITDocs. 4. Right-click the ITDocs folder, click Share with, and then click Specific people. 5. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add. 6. Click Share, and then click Done. 7. Close the Local Disk (C:) window.

Task 2: Use preferences to map a drive for the IT group


1. Click Start, click Administrative Tools, and then click Group Policy Management. Then, expand Forest:Contoso.com, expand Domains, expand Contoso.com, right-click the Default Domain Policy, and then click Edit. 2. Under User Configuration, expand Preferences, and then expand Windows Settings. 3. Right-click Drive Maps, click New, and then click Mapped Drive. 4. In the New Drive Properties dialog box, click the Action drop-down arrow, and then select Create. 5. In the Location box, type \\NYC-DC1\ITDocs. 6. Select the Reconnect check box. 7. In the Drive Letter section, click Use, click the drop-down arrow, and then select the drive letter R. 8. Click the Common tab. 9. Select the Run in logged-on users security context (user policy option) check box. 10. Select the Item-level targeting check box. 11. Click Targeting. 12. In the Targeting Editor dialog box, click New Item, and then select Security Group. 13. Click the elipsis beside the Group field and type IT into the Enter the object name to select box and then click Check Names and then click OK. 14. Click OK to close the Targeting Editor dialog box. 15. Click OK to close the New Drive Properties dialog box.

Task 3: Use preferences to create a desktop shortcut to the Notepad application


1. Right-click Shortcuts, point to New, and then click Shortcut. 2. In the New Shortcut Properties dialog box, in the Action list, select Create. 3. In the Name box, type Notepad. 4. Ensure the Target type is File System Object. 5. In the Location list select All Users Desktop. 6. In the Target path, type C:\Windows\System32\notepad.exe.

L10-10

Lab A: Using Group Policy to Configure Scripts and Folder Redirection

MCT USE ONLY. STUDENT USE PROHIBITED

7. Click Common, clear the Run in logged-on users security context (user policy option) check box, and then click OK. 8. Close all open windows on NYC-DC1.

Task 4: Test the preference settings


1. Log on to NYC-CL1 as Ryan with a password of Pa$$w0rd. Ensure the Notepad shortcut appears on the desktop. 2. Click Start, click Computer. Ensure that R: drive is mapped to the ITDocs shared folder. 3. Log off NYC-CL1. 4. Log on as Dylan with a password of Pa$$w0rd. Ensure that the Notepad shortcut appears on the desktop. 5. Click Start and click Computer. Ensure that there is no drive mapped to the ITDocs shared folder. Results: In this exercise, you used Group Policy preferences to map a drive to selected users and create a desktop shortcut for all users.

To prepare for the next lab


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-CL1.

Lab A: Implementing Security Using Group Policy

L11-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 11: Implementing Security Settings Using Group Policy

Lab A: Implementing Security Using Group Policy


Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on by using the following credentials: User name: Administrator Password: Pa$$w0rd Domain: Contoso

Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.

Exercise 1: Configuring Account and Security Policy Settings


Task 1: Create an account policy for the domain.
1. 2. 3. 4. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management. In the Group Policy Management console pane, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Group Policy Objects. In the details pane, right-click Default Domain Policy, and then click Edit. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policy. In the details pane, double-click Minimum password length. In the Minimum password length Properties dialog box, in the Password must be at least field, type 8, and then click OK. Double-click Minimum password age. In the Minimum password age Properties dialog box, in the Password can be changed after field, type 19, and then click OK. Double-click Maximum password age.

5. 6. 7. 8. 9.

10. In the Maximum password age Properties dialog box, in the Password will expire in field, type 20, and then click OK. 11. In the console pane, click Account Lockout Policy. 12. In the details pane, double-click Account lockout threshold. 13. In the Account lockout threshold Properties dialog box, under Account will not lock out, type 5, and then click OK. 14. In the Suggested Value Changes dialog box, click OK to accept the values of 30 minutes. 15. Close Group Policy Management Editor.

L11-2

Lab A: Implementing Security Using Group Policy

MCT USE ONLY. STUDENT USE PROHIBITED

Task 2: Configure local policy settings for a Windows 7 client.


1. 2. 3. 4. 5. Start NYC-CL1 and log on as Contoso\Administrator, with the password, Pa$$w0rd. Click Start, type MMC in the search programs and files box, and then press Enter. In the Console1 window, on the File menu, click Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, click Add, click Finish and then click OK. In the console pane, expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options. In the details pane, double-click Accounts: Administrator account status. In the Accounts: Administrator account status Properties dialog box, click Enabled, and then click OK. On the File menu, click Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, click Add, and then click Browse.

6. 7. 8. 9.

10. In the Browse for a Group Policy Object dialog box, click the Users tab. 11. Click Non-Administrators, click OK, click Finish, and then click OK. 12. In then console pane, expand Local Computer\Non-Administrators Policy, expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar. 13. In the details pane, double-click Remove Run menu from Start Menu. 14. In the Remove Run menu from Start Menu dialog box, click Enabled, and then click OK. 15. Close the MMC window and do not save the changes. 16. Restart NYC-CL1.

Task 3: Create a wireless network GPO for Windows 7 client.


1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and then click New. In the New GPO dialog box, in the Name field, type Windows 7 Wireless, and then click OK. Expand Group Policy Objects, right-click Windows 7 Wireless, and then click Edit. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create a New Wireless Network Policy for Windows Vista and Later Releases. In the New Wireless Network Policy Properties dialog box, click Add, and then click Infrastructure. In the New Profiles properties dialog box, in the Profile Name field, type Corporate. In the Network Name(s) (SSID) field, type Corp, and then click Add. On the Security tab, in the Authentication list, click Open with 802.1X, and then click OK.

10. On the Network Permissions tab, click Add.

Lab A: Implementing Security Using Group Policy

L11-3

MCT USE ONLY. STUDENT USE PROHIBITED

11. In the New Permission Entry dialog box, in the Network Name (SSID): field, type Research, verify that Permission is set to Deny, and then click OK twice. 12. Close Group Policy Management Editor. 13. In the Group Policy Management console pane, right-click Contoso.com, and then click Link an Existing GPO. 14. In the Select GPO dialog box, click Windows 7 Wireless, and then click OK.

Task 4: Configure a policy that prohibits a service on all domain controllers.


1. 2. 3. 4. 5. In the Group Policy Management console pane, expand Group Policy Objects, right-click Default Domain Controllers Policy, and then click Edit. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click System Services. In the details pane, double-click Windows Installer. In the Windows Installer Properties dialog box, select the Define this policy setting check box, verify that Disabled is selected, and then click OK. Close Group Policy Management Editor. Result: After completing this exercise, you will have configured account and security policy settings.

L11-4

Lab A: Implementing Security Using Group Policy

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Implementing Fine-Grained Password Policies


Task 1: Create a PSO by using ADSI edit.
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start, click Run, type adsiedit.msc into the Run dialog box , and then press Enter. Right-click ADSI Edit, click Connect to, and then click OK to accept the defaults. Navigate to DC=Contoso, DC=com, expand CN=System, click CN=Password Settings Container. Right-click CN=Password Settings Container, and then point to New and then click Object. . In the Create Object dialog box, click msDS-PasswordSettings, and then click Next. In Value box, type ITAdmin, and then click Next. In the msDS-PasswordSettingsPrecedence value, type 10. Click Next. In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE. Click Next. In the msDS-PasswordHistoryLength value, type 30. Click Next.

10. In the msDS-PasswordComplexityEnabled value, type TRUE. Click Next. 11. In the msDS-MinimumPasswordLength value, type 10. Click Next. 12. In the msDS-MinimumPasswordAge value, type 06:00:00:00. Click Next. 13. In the msDS-MaximumPasswordAge value, type 07:00:00:00. Click Next. 14. In the msDS-LockoutThreshold value, type 3. Click Next. 15. In the msDS-LockoutObservationWindow value, type 00:00:30:00. Click Next. 16. In the msDS-LockoutDuration value, type 00:00:30:00, and then click Next and then click Finish.

Task 2: Assign the PSO to the Domain Admins global group.


1. 2. 3. 4. 5. In ADSI Edit, select the CN=Password Settings Container and then in the details pane, double-click CN=ITAdmin. In the CN=ITAdmin Properties window, scroll down and then double-click msDS-PSOAppliesTo. Click Add Windows Account, type Domain Admins into the Enter the object names to select (examples) field and then click OK. Click OK. Click OK to close the CN=ITAdmin Properties box and then close the ADSI Edit window. Results: After completing this exercise, you will have implemented a fine-grained password policy.

Lab A: Implementing Security Using Group Policy

L11-5

MCT USE ONLY. STUDENT USE PROHIBITED

Lab B: Configuring Restricted Groups and Application Control Policies


Exercise 1: Configuring Restricted Groups
Task 1: Configure restricted groups for the local administrators group.
1. 2. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management. In the Group Policy Management console, expand Forest: Contoso.com, expand Domains, expand Contoso.com, expand Group Policy Objects, right-click Default Domain Policy, and then click Edit. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click Restricted Groups. Right-click Restricted Groups, and then click Add Group. In the Add Group dialog box, type Administrators, and then click OK. In the Administrators Properties dialog box, next to Members of this group, click Add. In the Add Member dialog box, type CONTOSO\IT, and then click OK. Next to Members of this group, click Add. In the Add Member dialog box, type CONTOSO\Domain Admins, and then click OK twice.

3. 4. 5. 6. 7. 8. 9.

10. Close Group Policy Management Editor.

Task 2: Test restricted groups for the local administrators group.


1. 2. 3. 4. 5. 6. 7. 8. 9. Start the 6419B-NYC-CL1 VM. If the VM is already started, shut down NYC-CL1 and restart it. Log on to NYC-CL1 as Contoso\Ed with a password of Pa$$w0rd. .Click Start and in the Start Search field, type Edit local users and groups and then press Enter. In the lusrmgr [Local Users and Groups (Local)] window, click the Groups node in the left hand pane. In the right hand pane, double-click the Administrators group. In the Administrators Properties window, confirm that CONTOSO\Domain Admins and CONTOSO\IT are listed in the Members pane. Close the Administrators Properties window. Close the lusrmgr [Local Users and Groups (Local)] window. Log off from NYC-CL1. Results: After completing this exercise, you configured and tested restricted groups by using Group Policy.

L11-6

Lab A: Implementing Security Using Group Policy

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring Application Control Policies


Task 1: Create a GPO to enforce the default AppLocker Executable rules.
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management. Expand Forest: Contoso.com, and then expand Domains. Expand Contoso.com. Click Group Policy Objects. Right-click Group Policy Objects and click New. Name the new GPO, WordPad Restriction Policy, and then click OK. Right-click WordPad Restriction Policy and click Edit. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then expand AppLocker. Select Executable Rules, and then right-click and select Create New Rule.

10. Click Next. 11. On the Permissions page, select Deny, and then click Next. 12. On the Conditions page, select Publisher, and then click Next. 13. Click Browse , and then click Computer. 14. Double-click Local Disk (C:). 15. Double-click Program Files, double-click Windows NT, double-click Accessories, select wordpad.exe, and then click Open. 16. Move the slider up to the File name: position and click Next. 17. Click Next again, and then click Create. 18. Click Yes if prompted to create default rules. 19. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings. 20. Expand Application Control Policies. 21. Click AppLocker, and then right-click and select Properties. 22. On the Enforcement tab, under Executable rules, select the Configured check box, and then select Enforce rules. 23. Click OK. 24. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings. 25. Click System Services, and then double-click Application Identity. 26. In the Application Identity Properties dialog box, select the Define this policy setting check box. 27. Select Automatic under Select service startup mode, and click OK. 28. Close Group Policy Management Editor.

Lab A: Implementing Security Using Group Policy

L11-7

MCT USE ONLY. STUDENT USE PROHIBITED

Task 2: Apply the GPO to the Contoso.com domain.


1. 2. 3. 4. 5. 6. 7. 8. 9. In the Group Policy Management window, expand Forest: Contoso.com. Expand Domains. Expand Contoso.com. Expand Group Policy Objects. Drag the WordPad Restriction Policy GPO on top of the Contoso.com domain container. Click OK to link the GPO to the domain. Close the Group Policy Management console. Click Start, in the Search programs and files box, type cmd, and then press Enter. In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to be updated.

Task 3: Test the AppLocker rule.


1. 2. 3. 4. 5. Restart and then log on to the NYC-CL1 as Contoso\Alan, with the password, Pa$$w0rd. Click Start, in the Search programs and files box, type command, and then press Enter. In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to be updated. Click Start, click All programs, click Accessories, and then click WordPad. Click OK when prompted with a message. Note: The AppLocker policy should restrict you from running this application. If the application runs, log off from NYC-CL1 and log on again. It may take a few minutes for the policy setting to apply to NYC-CL1. After the policy setting is applied, the application will be restricted.

Results: After completing this exercise, you will have restricted an application by using AppLocker.

To prepare for the next module.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-CL1.

L11-8

Lab A: Implementing Security Using Group Policy

MCT USE ONLY. STUDENT USE PROHIBITED

Lab A: Deploying a Read-Only Domain Controller

L12-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 12: Providing Efficient Network Access for Remote Offices

Lab A: Deploying a Read-Only Domain Controller


Exercise 1: Installing an RODC
Task 1: Verify the prerequisites for a staged installation of an RODC
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers. Right-click Contoso.com and click Properties. Verify that the forest functional level is at least Microsoft Windows Server 2003 and then click OK. Close Active Directory Users and Computers. On NYC-SVR1, open Server Manager, under Computer Information, note the domain status. This computer needs to be in a workgroup to pre-stage it as an RODC. Click Change System Properties. In the System Properties window, click Change. In the Computer Name/Domain Changes window, click Workgroup, type TEMPORARY, and click OK. Click OK to close the warning.

10. Click OK to confirm changing to the TEMPORARY workgroup. 11. Click OK to close the message about restarting. 12. In the System Properties window, click Close. 13. When prompted, click Restart Now.

Task 2: Stage a delegated installation of an RODC


1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers. Expand Contoso.com, and then click the Computers container, right-click NYC-SVR1, and click Delete. Click Yes to confirm deleting the computer account. Click Yes to confirm subtree deletion. Right-click Domain Controllers and click Pre-create Read-only Domain Controller account. In the Active Directory Domain Services Installation Wizard, click Next. On the Operating System Compatibility page, click Next. On the Network Credentials page, click Next. On the Specify the Computer Name page, type NYC-SVR1, and then click Next.

10. On the Select a Site page, click Next.

L12-2

Lab A: Deploying a Read-Only Domain Controller

MCT USE ONLY. STUDENT USE PROHIBITED

11. On the Additional Domain Controller Options page, click Next. 12. On the Delegation of RODC Installation and Administration page, in the Group or user box, type CONTOSO\IT, and then click Next. 13. Review your selections on the Summary page, and then click Next. 14. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish. 15. Click the Domain Controllers OU and read the DC Type for NYC-SVR1.

Task 3: Complete a staged installation of an RODC


1. 2. 3. 4. 5. 6. 7. 8. 9. Log on to NYC-SVR1 as Administrator with the password of Pa$$w0rd. On NYC-SVR1, click Start, type dcpromo, and press ENTER. In the Active Directory Domain Services Installation Wizard, click Next. On the Operating System Compatibility page, click Next. On the Choose a Deployment Configuration page, select Existing forest, click Add a domain controller to an existing domain, and then click Next. On the Network Credentials page, type contoso.com. Click Set. In the User Name box, type Andrea. Andrea is a member of the IT group that was delegated permission to install in the previous task. In the Password box, type Pa$$w0rd, and then press ENTER.

10. On the Network Credentials page, click Next. 11. On the Select a Domain page, select contoso.com (forest root domain), and then click Next. A message appears to inform you that your credentials do not belong to the Domain Admins or Enterprise Admins groups. Because you have prestaged and delegated administration of the RODC, you can proceed with the delegated credentials. 12. Click Yes to continue. A message appears to inform you that the account for NYC-SVR1 has been prestaged in Active Directory as an RODC. 13. Click OK to use the existing an account. 14. On the Location For Database, Log Files, and SYSVOL page, click Next. 15. On the Directory Services Restore Mode Administrator Password page, in the Password and Confirm Password boxes, type Pa$$w0rd, and then click Next. 16. On the Summary page, click Next. 17. In the progress window, select the Reboot On Completion check box. Results: In this exercise, you configured NYC-SVR1 as an RODC in the contoso.com domain.

Lab A: Deploying a Read-Only Domain Controller

L12-3

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring Password Replication Policy and Credential Caching


Task 1: Configure domain-wide password replication policy
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers. In the Active Directory Users and Computers console tree, expand Contoso.com, and then click the Users container. Double-click Allowed RODC Password Replication Group. Click the Members tab. Examine the default membership of Allowed RODC Password Replication Group and note that there are no members by default. Click OK. Double-click Denied RODC Password Replication Group. Click the Members tab. Click Add, type DNSAdmins, and then press ENTER.

10. Click OK. 11. In the console tree, click the Domain Controllers OU. 12. Right-click NYC-SVR1 and click Properties. 13. Click the Password Replication Policy tab. Verify that the Allowed RODC Password Replication Group and Denied RODC Password Replication Group are listed. 14. Click OK.

Task 2: Create a group to manage password replication to the remote office RODC
1. 2. 3. 4. 5. 6. 7. 8. In the Active Directory Users and Computers console tree, click the Research OU. Right-click Research, point to New, and then click Group. In the Group name: box, type Remote Office Users, and then click OK. Right-click Remote Office Users, and then click Properties. Click the Members tab, and then click the Add button. Click Object Types, select the Computers check box, and then click OK. Type Alan; Alexander; Dylan; Max; NYC-CL1, and then click OK. Click OK to close the Remote Office Users Properties dialog box.

Task 3: Configure password replication policy for the remote office RODC
1. 2. 3. 4. 5. 6. In the console tree, click the Domain Controllers OU. Right-click NYC-SVR1 and click Properties. Click the Password Replication Policy tab. Click the Add button. Click Allow passwords for the account to replicate to this RODC, and then click OK. In the Select Users, Computers, or Groups window, type Remote Office Users, and then press ENTER.

L12-4

Lab A: Deploying a Read-Only Domain Controller

MCT USE ONLY. STUDENT USE PROHIBITED

7.

Click OK to close the NYC-SVR1 Properties dialog box.

Task 4: Evaluate resultant password replication policy


1. 2. 3. 4. 5. 6. 7. Right-click NYC-SVR1 and click Properties. Click the Password Replication Policy tab. Click the Advanced button. In the Advanced Password Replication Policy for NYC-SVR1 window, click the Resultant Policy tab, and then click the Add button. Type Alex, and then press ENTER. Confirm that Alexanders password can be cached. Click Close. Click OK to close the NYC-SVR1 Properties dialog box.

Task 5: Monitor credential caching


1. Attempt to log on to NYC-SRV1 as Alexander with the password Pa$$w0rd. This logon will fail because Alexander does not have the permission to log on to the RODC, but authentication is performed. Click OK at the error message. On NYC-DC1, in the Active Directory Users and Computers right-click NYC-SVR1, and then click Properties. Click the Password Replication Policy tab. Click the Advanced button. From the drop-down list, select Accounts that have been authenticated to this Read-only Domain Controller. Notice that Alexanders password has been cached. Click Close, and then click OK.

2. 3. 4. 5. 6.

Task 6: Prepopulate credential caching


1. 2. 3. 4. 5. 6. 7. 8. 9. In the Active Directory Users and Computers console, right-click NYC-SVR1, and then click Properties. Click the Password Replication Policy tab. Click the Advanced button. On the Policy Usage tab, click Prepopulate Passwords. Type Alan; NYC-CL1, and then click OK. Click Yes to confirm that you want to send the credentials to the RODC. Click OK to clear the message indicating that the password was successfully cached. On the Policy Usage tab, read the list of cached passwords to confirm that the passwords for Alan and NYC-CL1 have been cached. Click Close.

10. Click OK.

Task 7: Test cached passwords on NYC-SVR1


1. 2. 3. Shut down NYC-DC1. On NYC-CL1, click Start and click Control Panel. Click Network and Internet and click Network and Sharing Center.

Lab A: Deploying a Read-Only Domain Controller

L12-5

MCT USE ONLY. STUDENT USE PROHIBITED

4. 5. 6. 7. 8. 9.

Click Local Area Connection 3 and then click Properties. In the Local Area Connection 3 Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, in the Alternate DNS box, type 10.10.0.11, and then click OK. In the Local Area Connection 3 Properties window, click Close. Close all open windows and log off. On NYC-CL1, log off and then log on as Alexander with a password of Pa$$w0rd.

10. On NYC-CL1, log off and then log on as Alan with a password of Pa$$w0rd. Results: In this exercise, you configured and tested password replication for an RODC.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1.

L12-6

Lab A: Deploying a Read-Only Domain Controller

MCT USE ONLY. STUDENT USE PROHIBITED

Lab B: Deploying BranchCache


Exercise 1: Configuring BranchCache in Distributed Cache Mode
Task 1: Configure NYC-DC1 to use BranchCache
1. 2. 3. 4. 5. 6. 7. 8. 9. On the Start menu of NYC-DC1, point to Administrative Tools, and then click Server Manager. In the tree pane of the Server Manager console, click Roles. In the details pane, scroll down to the File Services section and then click Add Role Services. On the Select Role Services page, in the Role services list, select the BranchCache for network files check box, and then click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close. Close Server Manager. On the Start menu of NYC-DC1, in the Search programs and files box, type gpedit.msc, and then press ENTER. In the tree pane of the Local Group Policy Editor console, under Computer Configuration, expand Administrative Templates, expand Network, and then click Lanman Server.

10. In the Setting list of the Lanman Server result pane, right-click Hash Publication for BranchCache, and then click Edit. 11. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication actions box, select Allow hash publication only for shared folders on which BranchCache is enabled, and then click OK.

Task 2: Simulate slow link to the remote office


1. 2. In the tree pane of the Local Group Policy Editor console, under Computer Configuration, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy. On the Create a QoS policy page of the Policy-based QoS wizard, in the Policy name box, type Limit to 100 KBps, select the Specify Outbound Throttle Rate: check box, type 100, and then click Next. On the This QoS policy applies to page, click Next. On the Specify the source and destination IP addresses page, click Next. On the Specify the protocol and port numbers page, click Finish. Close the Local Group Policy Editor.

3. 4. 5. 6.

Task 3: Enable a file share for BranchCache


1. 2. 3. 4. 5. 6. On the Start menu of NYC-DC1, click Computer. In the Computer window, browse to Local Disk (C:). Right-click Share, and then click Properties. In the Share Properties dialog box, on the Sharing tab, click Advanced Sharing. In the Advanced Sharing dialog box, click Caching. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.

Lab A: Deploying a Read-Only Domain Controller

L12-7

MCT USE ONLY. STUDENT USE PROHIBITED

7. 8. 9.

In the Advanced Sharing dialog box, click OK. In the Share Properties dialog box, click Close. Close Windows Explorer.

Task 4: Configure clients to use BranchCache in distributed cache mode


1. 2. 3. 4. 5. 6. 7. 8. 9. On the Start menu of NYC-DC1, point to Administrative Tools, and then click Group Policy Management. In the tree pane of the Group Policy Management console, expand Forest: Contoso.com, expand Domains, right-click Contoso.com, and then click Create a GPO in this domain, and Link it here. In the Name box of the New GPO dialog box, type BranchCache, and then click OK. In the tree pane of the Group Policy Management console, under Domains, expand Contoso.com, right-click BranchCache, and then click Edit. In the tree pane of the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click BranchCache. In the Setting list of the BranchCache result pane, right-click Turn on BranchCache, and then click Edit. In the Turn on BranchCache dialog box, click Enabled, and then click OK. In the Setting list of the BranchCache result pane, right-click Set BranchCache Distributed Cache mode, and then click Edit. In the Set BranchCache Distributed Cache mode dialog box, click Enabled, and then click OK.

10. In the Setting list of the BranchCache result pane, right-click Configure BranchCache for network files, and then click Edit. 11. In the Configure BranchCache for network files dialog box, click Enabled, in the Enter the round trip network latency value in milliseconds above which network files must be cached in the branch office box, type 0, and then click OK. This setting is required to simulate access from a remote office and is not typically required.

Task 5: Configure client firewall rules for BranchCache


1. On NYC-DC1, in the tree pane of the Group Policy Management Editor console, under Computer Configuration, under Policies, expand Windows Settings, expand Security Settings, and then expand Windows Firewall with Advanced Security. In the tree pane, under Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules. Right-click Inbound Rules and click New Rule. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache Content Retrieval (Uses HTTP), and then click Next. On the Predefined Rules page, click Next. On the Action page, click Finish to create the firewall inbound rule. In the Group Policy Management Editor console, right-click Inbound Rules and click New Rule. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache Peer Discovery (Uses WSD), and then click Next. On the Predefined Rules page, click Next.

2. 3. 4. 5. 6. 7. 8. 9.

10. On the Action page, click Finish.

L12-8

Lab A: Deploying a Read-Only Domain Controller

MCT USE ONLY. STUDENT USE PROHIBITED

11. Close the Group Policy Management Editor console. 12. Close the Group Policy Management console.

Task 6: Apply BranchCache settings to the clients


1. 2. 3. Start 6419B-NYC-CL1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd. On the Start menu of NYC-CL1, point to All Programs, click Accessories, and then click Command Prompt. At the command prompt window, type the following code, and then press ENTER.

gpupdate /force

4.

At the command prompt, type the following code, and then press ENTER.

netsh branchcache show status all

5. 6. 7. 8. 9.

Restart NYC-CL1. After the computer restarts, log on as Contoso\Administrator with the password of Pa$$w0rd. On the Start menu of NYC-CL1, in the Search programs and files box, type Performance, and then press ENTER. In the tree pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor. In the Performance Monitor result pane, click the Delete (Delete Key) icon. In the Performance Monitor result pane, click the Add (Ctrl+N) icon.

10. In the Select counters from computer box of the Add Counters dialog box, click BranchCache, and then click Add. 11. In the Add Counters dialog box, click OK. 12. Change the graph type to Report. 13. Start 6419B-NYC-CL2. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd. 14. On the Start menu of NYC-CL2, point to All Programs, click Accessories, and then click Command Prompt. 15. At the command prompt window, type the following code, and then press ENTER.
gpupdate /force

16. At the command prompt window, type the following code, and then press ENTER.
netsh branchcache show status all

17. Restart NYC-CL2. After the computer restarts, log on as Contoso\Administrator with the password of Pa$$w0rd. 18. On the Start menu of NYC-CL2, in the Search programs and files box, type Performance, and then press ENTER. 19. In the tree pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor.

Lab A: Deploying a Read-Only Domain Controller

L12-9

MCT USE ONLY. STUDENT USE PROHIBITED

20. In the Performance Monitor result pane, click the Delete (Delete Key) icon. 21. In the Performance Monitor result pane, click the Add (Ctrl+N) icon. 22. In the Select counters from computer box of the Add Counters dialog box, click BranchCache, and then click Add. 23. In the Add Counters dialog box, click OK. 24. Change the graph type to Report.

Task 7: Test BranchCache in the distributed caching mode


1. 2. 3. 4. 5. On the Start menu of NYC-CL1, in the Search programs and files box, type \\NYCDC1.contoso.com\Share, and then press ENTER. In the Name list of the Share window, right-click mspaint, and then click Copy. In the Share window, click Minimize. In the Performance Monitor console, click Minimize. On the Desktop, right-click anywhere, and then click Paste. Note: While copying the file, view the Performance Monitor graph. Notice that computer attempted discovery is not running successfully because you are copying the file to the branch office for the first time. Also, make note of how long it takes to copy the file to NYC-CL1. If the performance counters do not change try restarting the BranchCache service or restarting NYC-CL1. 6. 7. On the Start menu of NYC-CL1, point to All Programs, click Accessories, and then click Command Prompt. At the command prompt window, type the following code, and then press ENTER.

netsh branchcache show status all

8. 9.

On the Start menu of NYC-CL2, in the Search programs and files box, type \\NYCDC1.contoso.com\Share, and then press ENTER. In the Name list of the Share window, right-click mspaint, and then click Copy.

10. In the Share window, click the Minimize button. 11. In the Performance Monitor console, click the Minimize button. 12. On the Desktop, right-click anywhere, and then click Paste. Note: While copying the file, view the Performance Monitor graph. Notice that computer attempted discovery is successful and the file was copied much faster. Also, view the SMB:Bytes from cache counter to confirm that file was copied from the BranchCache. If the performance counters do not change and the file copy is slow, try restarting the BranchCache service or restarting NYC-CL2. 13. On the Start menu of NYC-CL2, point to All Programs, click Accessories, and then click Command Prompt. 14. At the command prompt window, type the following code, and then press ENTER.
netsh branchcache show status all

L12-10

Lab A: Deploying a Read-Only Domain Controller

MCT USE ONLY. STUDENT USE PROHIBITED

15. On NYC-CL2, close all open windows. 16. On NYC-CL1, close all open Windows.

Lab A: Deploying a Read-Only Domain Controller

L12-11

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring BranchCache in Hosted Cache Mode (optional)


Task 1: Configure clients to use BranchCache in hosted cache mode
1. 2. 3. 4. 5. 6. 7. 8. 9. On the Start menu of NYC-DC1, point to Administrative Tools, and then click Group Policy Management. In the tree pane of the Group Policy Management console, if necessary, expand Forest: Contoso.com, expand Domains, and then expand Contoso.com. In the tree pane, under Contoso.com, right-click BranchCache, and then click Edit. In the tree pane of the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click BranchCache. In the Setting list of the BranchCache result pane, right-click Set BranchCache Distributed Cache mode, and then click Edit. In the Set BranchCache Distributed Cache mode dialog box, click Not Configured, and then click OK. In the Setting list of the BranchCache result pane, right-click Set BranchCache Hosted Cache mode, and then click Edit. In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Enter the location of hosted cache box, type NYC-SVR1.contoso.com, and then click OK. Close the Group Policy Management Editor console.

10. Close the Group Policy Management console. 11. On the Start menu of NYC-CL1, point to All Programs, click Accessories, and then click Command prompt. 12. At the command prompt window, type the following code, and then press ENTER.
gpupdate /force

13. At the command prompt window, type the following code, and then press ENTER.
netsh branchcache show status all

14. On the Start menu of NYC-CL2, point to All Programs, click Accessories, and then click Command prompt. 15. At the command prompt window, type the following code, and then press ENTER.
gpupdate /force

16. At the command prompt window, type the following code, and then press ENTER.
netsh branchcache show status all

Task 2: Install the BranchCache feature on NYC-SVR1


1. 2. 3. Start 6419B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd. On the Start menu of NYC-SVR1, point to Administrative Tools, and then click Server Manager. In the tree pane of the Server Manager console, right-click Features, and then click Add Features.

L12-12

Lab A: Deploying a Read-Only Domain Controller

MCT USE ONLY. STUDENT USE PROHIBITED

4. 5. 6. 7.

On the Select Features page of the Add Features Wizard, select the BranchCache check box, and then click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close. Close Server Manager.

Task 3: Request a certificate and link it to BranchCache.


1. 2. 3. 4. 5. 6. 7. 8. 9. On the Start menu of NYC-SVR1, click Run. In the Open box of the Run dialog box, type mmc, and then click OK. On the File menu of the Console1 [Console Root] console, click Add/Remove Snap-ins. In the Available snap-ins area of the Add or Remove Snap-in dialog box, click Certificates, and then click Add. In the This snap-in will always manage certificates for page of the Certificates Snap-in wizard, click Computer account, and then click Next. On the Select the computer you want this snap-in to manage page, click Finish. In the Add or Remove Snap-ins dialog box, click OK. In the tree pane of the Console1 [Console Root] console, expand Certificates (Local Computer), right-click Personal, point to All Tasks, and then click Request New Certificate. On the Before You Begin page of the Certificate Enrollment wizard, click Next.

10. On the Select Certificate Enrollment Policy page, click Next. 11. On the Request Certificates page, select the Computer check box, and then click Enroll. 12. On the Certificate Installation Results page, click Finish. 13. In the tree pane of the Console1 [Console Root] console, under Personal, click Certificates. 14. In the Issued To result pane, right-click NYC-SVR1.Contoso.com, and then click Open. 15. On the Details tab of the Certificate dialog box, in the Field list, click Thumbprint, select thumbprint values in the details section, press Ctrl+C to copy the values to the Clipboard, and then click OK. 16. On the Start menu, click All Programs, click Accessories, and then click Command Prompt. 17. At the command prompt window, type the following code, and then press Enter. You can paste the certificatehashvalue from the certificate, but you must remove the spaces.
netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5eea714-454d-8de2-492e4c1bd8f8}

18. At the command prompt, type the following code, and then press ENTER.
netsh branchcache show status all

Task 4: Start the BranchCache Host Server


1. 2. 3. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers. Right-click Contoso.com, point to New, and click Organizational Unit. In the New Object - Organization Unit window, type BranchCacheHost, and then click OK.

Lab A: Deploying a Read-Only Domain Controller

L12-13

MCT USE ONLY. STUDENT USE PROHIBITED

4. 5. 6. 7. 8. 9.

Click the Computers container. Click NYC-SVR1 and drag it to BranchCacheHost. Click Yes to clear the warning about moving objects. Close Active Directory Users and Computers. Click Start, point to Administrative Tools, and click Group Policy Management. Under Domains, expand Contoso.com, right-click BranchCacheHost, and click Block Inheritance.

10. On NYC-DC1, close all open windows. 11. Restart NYC-SVR1 and log on as Contoso\Administrator with the password of Pa$$w0rd.. 12. On NYC-SVR1, open a command prompt, type the following code, and then press Enter.
netsh branchcache set service hostedserver

13. Close the command prompt.

Task 5: Configure Performance Monitor on NYC-SVR1


1. 2. 3. 4. 5. 6. On the Start menu of NYC-SVR1, in the Search programs and files box, type Performance, and then press ENTER. In the tree pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor. In the Performance Monitor result pane, click the Delete (Delete Key) icon. In the Performance Monitor result pane, click the Add (Ctrl+N) icon. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK. Change graph type to Report.

Task 6: Clear BranchCache data and Performance statistics on NYC-CL1


1. 2. On NYC-CL1, click Start, type cmd.exe and press ENTER. To clear the BranchCache data, at the command prompt, type the following code, and then press ENTER.

netsh branchcache flush

3.

At the command prompt, type the following code, and then press ENTER.

Net stop branchcache

4.

At the command prompt, type the following code, and then press ENTER.

Net start branchcache

5. 6. 7. 8.

Click Start, type offline, and then click Manage offline files. In the Offline Files window, on the Disk Usage tab, click Delete temporary files. Close the Offline Files window On the Start menu, in the Search programs and files box, type Performance, and then press ENTER.

L12-14

Lab A: Deploying a Read-Only Domain Controller

MCT USE ONLY. STUDENT USE PROHIBITED

9.

In the tree pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor.

10. In the Performance Monitor result pane, click the Delete (Delete Key) icon. 11. In the Performance Monitor result pane, click the Add (Ctrl+N) icon. 12. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK. 13. Change graph type to Report. Notice that the value of all performance statistics is zero.

Task 7: Clear BranchCache data and performance statistics on NYC-CL2


1. 2. On NYC-CL2, click Start, type cmd.exe and press Enter. To clear the BranchCache data, at the command prompt, type the following code, and then press ENTER.

netsh branchcache flush

3.

At the command prompt, type the following code, and then press ENTER.

Net stop branchcache

4.

At the command prompt, type the following code, and then press ENTER.

Net start branchcache

5. 6. 7. 8. 9.

Click Start, type offline, and then click Manage offline files. In the Offline Files window, on the Disk Usage tab, click Delete temporary files. Close the Offline Files window On the Start menu, in the Search programs and files box, type Performance, and then press ENTER. In the tree pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor.

10. In the Performance Monitor result pane, click the Delete (Delete Key) icon. 11. In the Performance Monitor result pane, click the Add (Ctrl+N) icon. 12. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK. 13. Change graph type to Report. Notice that the value for all performance statistics is zero.

Task 8: Test BranchCache in hosted caching mode


1. 2. 3. 4. 5. On the Start menu of NYC-CL1, in the Search programs and files box, type \\NYCDC1.contoso.com\Share, and then press ENTER. In the Name list of the Share window, right-click mspaint, and then click Copy. In the Share window, click Minimize. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize. On the Desktop, right-click anywhere, and then click Paste.

Lab A: Deploying a Read-Only Domain Controller

L12-15

MCT USE ONLY. STUDENT USE PROHIBITED

6.

Read the performance statistics on NYC-CL1. This file was retrieved from the NYC-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval: Bytes Served) On the Start menu of NYC-CL2, in the Search programs and files box, type \\NYCDC1.contoso.com\Share, and then press ENTER. In the Name list of the Share window, right-click mspaint, and then click Copy. In the Share window, click Minimize.

7. 8. 9.

10. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize. 11. On the Desktop, right-click anywhere, and then click Paste. 12. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache). 13. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-SVR1, 6419B-NYC-CL1 and 6419B-NYC-CL2.

L12-16

Lab A: Deploying a Read-Only Domain Controller

MCT USE ONLY. STUDENT USE PROHIBITED

Lab: Creating a Baseline of Performance Metrics

L13-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 13: Monitoring and Maintaining Windows Server 2008

Lab: Creating a Baseline of Performance Metrics


Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on by using the following credentials: 5. User name: Administrator Password: Pa$$w0rd Domain: Contoso

Repeat steps 2 and 3 for 6419B-NYC-SVR1.

Exercise 1: Determining Performance Metrics


Task 1: Determine performance counters to use
Question: What are the main hardware components that you should be measuring on NYC-SVR? Answer: Processor, Memory, Hard Disk and Network. Question: Which Performance Monitor objects correspond to these components? Answer: The key objects are: Processor, Memory, Physical Disk and Network Interface. Note: After completing this exercise, you will have determined performance metrics.

L13-2

Lab: Creating a Baseline of Performance Metrics

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring a Performance Baseline


Task 1: Create a Data Collector Set to log the counters for the Processor, Memory,
Physical Disk and Network Interface objects
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, click Start, click Administrative Tools and then click Performance Monitor. In the Performance Monitor window, expand the Data Collector Sets node, right-click on User Defined, click New, and then click Data Collector Set. In the Create new Data Collector Set window, type NYC-SVR1 Baseline in the Name field, select Create Manually (Advanced), and then click Next. Select Create data logs, click the checkbox to select Performance counter and then click Next. In the Performance counters field, click the Add button In the Available counters section, scroll to find Processor, and then expand Processor, ensuring all counters are highlighted. In the Instances of selected object section, click <All Instances>, and then click the Add button. In the Available counters section, scroll to find Memory, expand Memory, and then highlight all counters under Memory. In the Instances of selected object section, click the Add button.

10. In the Available counters section, scroll to find Physical Disk, expand Physical Disk, and then highlight all counters under Physical Disk. 11. In the Instances of selected object section, click <All Instances>, and then click the Add button. 12. In the Available counters section, scroll to find Network Interface, expand Network Interface, and then highlight all counters under Network Interface. 13. In the Instances of selected object section, click Microsoft Virtual Machine Bus Network Adapter _2, click the Add button, and then click OK. 14. In the Create new Data Collector Set window, click Next 15. Click Next. 16. On the Create the Data Collector Set? screen, select Start this Data Collector Set now, and then click Finish. Note: The Data Collector Set will take a few moments to complete. Complete Exercise 3 and then come back to finish Task 2 of this exercise.

Note: After completing this exercise, you will have viewed performance by using monitoring tools.

Lab: Creating a Baseline of Performance Metrics

L13-3

MCT USE ONLY. STUDENT USE PROHIBITED

Task 2: Review the Data Collector Set Report to ensure performance data has been
captured
1. 2. In the Performance Monitor window, expand the Reports node, expand the User Defined node, expand the NYC-SVR1 Baseline node, and then click the NYC-SVR1_XXXXXXXX node. View the report in the right hand column and ensure that performance data was collected. Note: After completing this exercise, you will have configured a performance baseline.

L13-4

Lab: Creating a Baseline of Performance Metrics

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 3: Viewing Performance Using Monitoring Tools


Task 1: Use Resource Monitor to view system performance statistics
1. 2. 3. On NYC-SVR1, click Start, in the Start Menu Search box, type Resource Monitor and then press ENTER. View the graphs on the right hand side of the screen to ensure none of them is near the top of the graph window. Click each tab in the Resource Monitor window to view the real time performance data for the associated component.

Task 2: Use Reliability Monitor to view server reliability history


1. 2. On NYC-SVR1, click Start, in the Start Menu Search box, type Reliability and then press ENTER. Check the Reliability Monitor for any Error events represented by a red X icon. Note: After completing this exercise, you will have viewed performance by using monitoring tools.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6419B-NYC-SVR1.

Lab A: Implementing Windows Server Backup and Recovery

L14-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 14: Managing Window Server 2008 Backup and Recovery

Lab A: Implementing Windows Server Backup and Recovery


Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on by using the following credentials: 5. User name: Administrator Password: Pa$$w0rd Domain: Contoso

Repeat steps 2 - 4 for 6419B-NYC-SVR1.

Exercise 1: Evaluating the Existing Backup Plan


Task 1: Review an existing backup plan.
1. You have agreed that no more than one day's data should be lost in the event of a disaster. Critical data includes the Sales, Finance, and Projects data. Does the current backup plan meet this requirement? Answer: No. The current weekly backup plan means that if data is lost, the data that is restored could be up to a week old. 2. Currently, you copy the Human Resources confidential data onto a removable hard disk that is attached to a computer in the Human Resources office. This task is performed weekly by using a script to preserve the encryption on the files. What are the consequences of this process and how would you deal with them? Answer: The issue is that the confidential files are on an easily removable device in an unsecured office. You could provide a secure data storage device, or you could place the removable hard disk in a secure area after the backup job is complete. 3. You have also agreed that if a server fails, you should be able to restore that server, including all installed roles, features, applications, and security identity, in six hours. Does the current backup plan enable you to restore the servers in this way? Answer: No. No system state backups are being performed on the servers, so the servers must be rebuilt in the event of a failure. This would make restoring the original configuration very difficult.

Task 2: Propose changes to the backup plan.


1. Propose an appropriate backup frequency for the shares in the following table. Frequency Daily Backup Sales

L14-2

Lab A: Implementing Windows Server Backup and Recovery

MCT USE ONLY. STUDENT USE PROHIBITED

Backup Finance Human Resources Technical Library Projects 2.

Frequency Daily Daily Weekly Daily, or perhaps more frequently

How would you meet the requirement to restore the servers and how frequently would you back up the servers? Answer: Back up the system state data on the servers so that you can restore them later. The backup should be at an appropriate frequency, so this will depend on how often the server configuration is changed. Typical schedules may be weekly or monthly.

Task 3: Install Windows Server Backup feature.


1. 2. 3. 4. 5. 6. 7. On NYC-DC1, click Server Manager on the Task bar. In the left pane, click Features. In the details pane, click Add Features. In the Add Features Wizard, select Windows Server Backup Features. Click the plus sign to expand the feature. Note that command-line tools are not selected by default. Select the check box to select the Command-line tools and click Next Click Install Click Close, and then close Server Manager.

Task 4: Use the backup wizard to schedule a backup.


1. 2. 3. 4. 5. 6. 7. 8. 9. Click Start, click Administrative Tools, and then click Windows Server Backup. In the Actions pane, click Backup Schedule. In the Backup Schedule Wizard, click Next. On the Select Backup Configuration page, click Full server, and then click Next. On the Specify Backup Time page, click the drop-down arrow, select 1:00 AM as the Time of day, and then click Next. On the Specify Destination Type page, click Back up to a shared network folder, and then click Next. In the Windows Server Backup dialog box, click OK. In the Location field, type \\NYC-SVR1\backup, and then click Next. In the Register Backup Schedule dialog box, type Contoso\Administrator. In the password field, type Pa$$w0rd, and then click OK.

10. Click Finish, and then click Close.

Task 5: Back up an individual folder.


1. 2. In the Actions pane, click Backup Once. On the Backup Options page, click Different options, and then click Next.

Lab A: Implementing Windows Server Backup and Recovery

L14-3

MCT USE ONLY. STUDENT USE PROHIBITED

3. 4. 5. 6. 7. 8. 9.

On the Select Backup Configuration page click Custom, and then click Next. On the Select Items for Backup page, click Add Items. Expand Local disk (C:), and then select the check box next to MarketingTemplates, click OK, and then click Next. On the Specify Destination Type page, click Remote shared folder, and then click Next. In the Specify Remote Folder dialog box, type \\NYC-SVR1\Backup, and then click Next. On the Confirmation page, click Backup. On the Backup Progress page, click Close after the backup completes.

Results: After completing this exercise, you will have reviewed an existing backup plan and proposed changes to that plan. Then, you will have configured backups to become familiar with the Windows Server Backup feature.

L14-4

Lab A: Implementing Windows Server Backup and Recovery

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Implementing a Backup Plan


Task 1: Create a backup strategy to comply with the SLA.
1. You should be able to restore critical data, which includes the Sales, Finance, and Projects shares, as quickly as possible in the event of a disaster. What factors affect how quickly you can restore data? Answer: The size of the backed-up data and the backup hardware and media both affect how quickly you can restore data. 2. Given that you have a limited budget to meet the SLA requirements, how could you maximize your budget while providing backup for the entire network data for which you are responsible? Answer: Consider using a tiered approach to back up and restore. Use faster backup hardware and media for critical data, which costs more, but use slower backup hardware and media for noncritical data to reduce costs.

Task 2: Create a backup strategy to comply with legal requirements.


1. How will you ensure that the required data is stored for the minimum legal requirement period and that the data is available for audit purposes when it is required? Answer: Various approaches are valid, such as: Create separate archive backups for legal compliance purposes. Include only the required data in these archives. A user who has restore privilege is required to access the data if an audit is performed. You must also consider the storage lifetime of the mediaa tape may not retain seven-year-old data if it is not refreshed. Store the legal compliance data on a separate network device such as another server or archive device. This device may offer policies to help you control retention requirements.

Task 3: Use the Recovery Wizard to restore the data.


1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, open Windows Explorer, navigate to C:\MarketingTemplates, and delete the contents in the folder. Switch to Windows Server Backup and in the Actions pane, click Recover. On the Getting Started page, click A backup stored on another location. Click Next. On the Specify Location Type page, click Remote shared folder. Click Next. On the Specify Remote Folder page, type \\NYC-SVR1\Backup, and then click Next. On the Select Backup Date page, click Next. On the Select Recovery Type page, click Next. On the Select Items to Recover page, expand NYC-DC1, expand Local disk (C:):, select MarketingTemplates, and then click Next. On the Specify Recovery Options page, type C:\MarketingTemplates, and then click Next.

10. On the Confirmation page, click Recover. 11. On the Recovery Progress page, click Close. 12. Navigate to C:\MarketingTemplates and ensure that the content been restored. 13. Close all open windows on NYC-DC1.

Lab A: Implementing Windows Server Backup and Recovery

L14-5

MCT USE ONLY. STUDENT USE PROHIBITED

Results: After completing this exercise, you should have reviewed an existing recovery plan and proposed changes to that plan. You should also have tested data recovery.

To revert the virtual machines.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert.

Note: Repeat steps 2 - 3 for 6419B-NYC-SVR1.

L14-6

Lab A: Implementing Windows Server Backup and Recovery

MCT USE ONLY. STUDENT USE PROHIBITED

Lab B: Recovering Active Directory Objects


Exercise 1: Enabling Active Directory Recycle Bin
Task 1: Raise the forest functional level.
1. 2. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. At the command prompt, type the following command, and then press ENTER.

Set-ADForestMode Identity contoso.com -ForestMode Windows2008R2Forest

3.

Press Y, and then press ENTER.

Task 2: Enable the Active Directory Recycle Bin.


1. In the Active Directory Module for Windows PowerShell, type the following command, and then press ENTER.

Enable-ADOptionalFeature Identity CN=Recycle Bin Feature, CN=Optional Features, CN=Directory Service, CN=Windows NT, CN=Services,CN=Configuration, DC=contoso,DC=com Scope ForestOrConfigurationSet Target contoso.com
2. 3. Press Y, and then press ENTER. Close the Active Directory Module for Windows PowerShell. Results: After completing this exercise, you will have raised the forest functional level and enabled Active Directory Recycle Bin.

Lab A: Implementing Windows Server Backup and Recovery

L14-7

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Restoring a Deleted Active Directory Object


Task 1: Delete Active Directory Objects.
1. 2. 3. 4. 5. 6. 7. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. Expand Contoso.com, and then click the Research OU. Right-click Dylan Miller, and then click Delete. In the Active Directory Domain Services dialog box, click Yes. Right-click Alan Brewer, and then click Delete. In the Active Directory Domain Services dialog box, click Yes. Minimize Active Directory Users and Computers.

Task 2: Use LDP.exe to display the deleted objects container.


1. 2. 3. 4. 5. 6. 7. 8. 9. Click Start, click All Programs, click Accessories, right-click Command Prompt, click Run as administrator, type ldp.exe, and then press ENTER. On the Options menu, click Controls. In the Controls dialog box, expand the Load Predefined drop-down menu, click Return deleted objects, and then click OK. Click the Connection menu, and then click Connect. In the Connect dialog box, click OK Click the Connection menu, and then click Bind. In the Bind dialog box, click OK. Click View, click Tree, in the BaseDN field, type DC=Contoso,DC=Com, and then click OK. In the console tree, expand DC=Contoso,DC=Com and double-click CN=Deleted Objects, DC=Contoso,DC=Com.

Task 3: Restore a deleted AD object by using LDP.exe.


1. 2. 3. 4. 5. 6. 7. 8. 9. In the Deleted Objects container, locate the user you deleted in the previous task, Dylan Miller, right-click and then click Modify. In the Modify dialog box, in the Edit Entry Attribute field, type isDeleted. In the Operation section, click Delete, and then click Enter. In the Edit Entry Attribute field, type distinguishedname. In the Values field, type CN=Dylan Miller,OU=Research,DC=Contoso,DC=Com. In the Operation section, click Replace. Select the Extended check box. Click the Enter button, and then click Run. Close the LDP application.

10. Restore Active Directory Users and Computers. 11. Right-click the Research OU, and then click Refresh. Dylan Millers user account has been restored to the OU.

L14-8

Lab A: Implementing Windows Server Backup and Recovery

MCT USE ONLY. STUDENT USE PROHIBITED

Task 4: Use Windows PowerShell to restore a deleted Active Directory object.


1. 2. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER.
Get-ADObject -Filter {displayName -eq "Alan Brewer"} -IncludeDeletedObjects | RestoreADObject 3.

4.

Open Active Directory Users and Computers, right-click the Research OU, and then click Refresh. Alan Brewers user account has been restored to the OU. Close all open windows. Results: After completing this exercise, you should have used the LDP.exe to view deleted objects, and restored objects by using both LDP.exe and Windows PowerShell.

To revert the virtual machines.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. On the host computer, start Hyper-V Manager. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert.

Note: Repeat steps 2 - 3 for 6419B-NYC-SVR1 and 6419B-NYC-DC2.