DISCLAIMER
THE CONTENTS OF THIS PACKAGE ARE FOR INFORMATIONAL AND TRAINING PURPOSES ONLY AND ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. BECAUSE TECHNICAL ISSUES AND MARKET CONDITIONS MAY REQUIRE CHANGES TO INFORMATION AND SOFTWARE INCLUDED IN THIS PACKAGE, MICROSOFT CORPORATION (“MICROSOFT®”), AND ITS SUPPLIERS, RESERVE THE RIGHT TO MAKE SUCH CHANGES WITHOUT NOTICE.
Trademarks
Microsoft®, Internet Explorer, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
12/04/2008
Windows Server 2008 Directory Services Lab Manual
Microsoft Confidential - For Internal Use Only
Lab 1: Implementing Windows Server 2008
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. These materials are intended for distribution to and use only by Microsoft Premier Customers. Use or distribution of these materials by any other persons is prohibited without the express written permission of Microsoft Corporation. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Version 1.0
During this lab, you will prepare the forest and domain for the introduction of Windows Server 2008 domain controllers. You will be introduced to Server Manager and some of the functions that can be performed using this tool.
Estimated time to complete this lab: 20 minutes
Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server or Virtual PC
What You Will Learn
After completing this lab, you will be able to:
■ Use Server Manager to perform tasks related to adding roles and features.
Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-01
Important
You must log on as an administrative user in order to perform all of the tasks in this lab. Administrative username and password
Exercise 1: Introduction to Server Manager
Scenario
Use the Initial Configuration Tasks console and Server Manager to perform common tasks.
Tasks
In the following steps, we will examine some of the different types of tasks and information that can be accessed through Server Manager. We will first examine the IP address of the network adapter, and then we will enable Remote Desktop through the Initial Configuration Tasks console. Following that, we will use Server Manager to add the Terminal Services Role and then the Windows Server Backup Feature. Lastly, we will view Diagnostics information provided under Server Manager.
Note If Initial Configuration Tasks has been closed you can run oobe.exe to open it again.
1. Explore the Initial Configuration Tasks console on 2008-01.
   a. View the Network Connection properties for the computer.
      1) Under section 1. Provide Computer Information, click Configure networking to display the Network Connections dialog box.
      2) Right-click Local Area Connection and select Properties.
      3) Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
      4) View the IP address of this adapter.
      5) Close all dialogs and return to the Initial Configuration Tasks screen.
   b. Enable Remote Desktop.
      1) Under section 3. Customize This Server, click Enable Remote Desktop. This brings up the Remote tab of System Properties.
      2) Select the second option: Allow connections from computers running any version of Remote Desktop (less secure).
      3) Read the Firewall exception warning message, click OK, and then click OK in System Properties. Notice that Remote Desktop now shows as Enabled.
      4) Close the Initial Configuration Tasks console. Server Manager should launch automatically after several seconds.
   c. Add the Windows Server Backup Feature from Server Manager.
      1) Click Features under Server Manager in the left pane.
      2) Click Add Features in the right pane. This will launch the Add Features Wizard.
      3) Review the available features, expand Windows Server Backup Features, and then select Windows Server Backup.
During this lab, you will promote a Windows Server 2008 machine that is in a workgroup to a Domain Controller in a Windows Server 2003 domain.
Estimated time to complete this lab: 60 minutes
Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server or Virtual PC
What You Will Learn
After completing this lab, you will be able to:
■ Use the new DCPROMO GUI features available in Windows Server 2008
Lab Environment
To complete this lab, you will need the following Virtual Machines:
□ 2003-01
□ 2008-01
Important
You must log on as an administrative user in order to perform all of the tasks in this lab. Administrative username and password
Exercise 1: Prepare domain and forest for the introduction of a Windows Server 2008 domain controller
Scenario
You are the administrator of Contoso.com, a Windows 2003 domain. You are given the task of introducing a Windows Server 2008 domain controller into your environment.
Pre-Tasks
■ Start the 2003-DC1 Virtual Machine
■ Start the 2008-01 Virtual Machine
Tasks
First, prepare the forest by running adprep /forestprep on 2003-DC1. Then raise the domain functional level to Windows Server 2003 mode. Finally, prepare the domain by running domainprep and gpprep.
1. On 2003-01, at the "Welcome to the Windows Setup Wizard" screen, click Next.
   a. At the "License Agreement" screen, select the "I accept this agreement" radio button and click Next.
   b. At the "Date and Time Settings" screen, click Next.
   c. At the "Network configuration" popup, click OK.
   d. Allow time for 2003-01 to boot up completely.
2. Prepare the forest by running adprep /forestprep on 2003-DC1.
   a. Log on to the Schema Master, 2003-DC1, as Contoso\Administrator.
   b. Open a command prompt on 2003-DC1 and change directories to the Adprep folder:
      C:\Sources\ADPrep
   c. At the command prompt, type the following and then press ENTER:
      adprep /forestprep
   d. You will be prompted with an ADPREP WARNING message requesting confirmation that all Windows 2000 Active Directory domain controllers in the forest are upgraded to Windows 2000 SP4 or later.
   e. Type C and then press ENTER. When the process finishes you will receive a message that Adprep successfully updated the forest-wide information.
Note The domain must be in at least Windows 2000 native mode before you can run adprep /domainprep.
3. Run adprep /rodcprep.
   a. Open a command prompt, and then change directories to the Adprep folder:
      C:\sources\adprep
   b. At the command prompt, type the following and then press ENTER:
      adprep /rodcprep
   c. When the command completes, the last entry should report: "Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory c:\windows\debug\adprep\logs\<numerical value> for more information."
   d. Review adprep.log to see the changes made by running adprep /rodcprep.
4. Prepare the domain by running domainprep and gpprep on 2003-DC1.
   a. At the command prompt, type the following and then press ENTER:
      adprep /domainprep /gpprep
   b. When the process finishes you will receive the messages: Adprep successfully updated the domain-wide information. Adprep successfully updated the Group Policy Object (GPO) information.
   c. Close the command prompt.
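An added example, not part of the lab manual: a PowerShell script that confirms, from any domain-joined machine, that the three adprep steps above have completed, by reading the version markers adprep writes into the directory. The expected values are my assumptions for Windows Server 2008 adprep media (schema objectVersion 44, forest and RODC update revision 2, domain update revision 3); check them against the media you actually ran.

```powershell
# Added example (not part of the lab). Reads the markers left by adprep /forestprep,
# /rodcprep and /domainprep so the prep state can be verified before running dcpromo.
# Any domain user can read these objects. Expected values are assumptions for
# Windows Server 2008 adprep; adjust them for other media.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.Get("schemaNamingContext")
$configNc = $rootDse.Get("configurationNamingContext")
$domainNc = $rootDse.Get("defaultNamingContext")

function Get-AdPrepMarker {
    # Returns the integer attribute value, or $null when the marker object is absent
    param([string]$Dn, [string]$Attribute)
    try {
        $entry = [ADSI]("LDAP://" + $Dn)
        return [int]$entry.Get($Attribute)
    } catch {
        return $null   # "no such object": that adprep step has not been run yet
    }
}

$checks = @(
    @{ Step = "adprep /forestprep (schema)"; Dn = $schemaNc; Attr = "objectVersion"; Expected = 44 },
    @{ Step = "adprep /forestprep (marker)"; Dn = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc"; Attr = "revision"; Expected = 2 },
    @{ Step = "adprep /rodcprep";            Dn = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc"; Attr = "revision"; Expected = 2 },
    @{ Step = "adprep /domainprep";          Dn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc"; Attr = "revision"; Expected = 3 }
)

foreach ($c in $checks) {
    $actual = Get-AdPrepMarker -Dn $c.Dn -Attribute $c.Attr
    if ($actual -eq $null) { $status = "NOT RUN" } elseif ($actual -ge $c.Expected) { $status = "OK" } else { $status = "OLDER THAN EXPECTED" }
    "{0,-32} {1,-20} actual={2} expected>={3}" -f $c.Step, $status, $actual, $c.Expected
}
```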
Exercise 2: Promote a Windows Server 2008 machine to a Domain Controller in an existing Windows Server 2003 domain.
Scenario
You are an administrator for your domain and would like to introduce a Windows Server 2008 domain controller into your existing Windows Server 2003 domain.
Tasks
1. Promote 2008-01 as a replica domain controller in the Contoso domain by adding the Active Directory Domain Services role via Server Manager. Then, from a command prompt, run DCPromo.exe to start the domain controller promotion. Use the advanced mode installation option to make the domain controller a DNS server as well as a Global Catalog. Lastly, export these dcpromo settings to a text file to be used later in the promotion of another domain controller. Name the text file 2008-answer.txt and place it in C:\.
   a. Add the AD DS role via Server Manager.
      1) Log on to 2008-01 as local Administrator.
      2) Launch Server Manager if it is not already open.
         a) Click Start, Administrative Tools, and then Server Manager.
      3) Select Roles and click Add Roles in the right pane. The Add Roles Wizard will start.
      4) On the Before You Begin page, click Next.
      5) On the Select Server Roles page, select Active Directory Domain Services. Read the Add Roles Wizard pop-up, select the second option, Install AD DS anyway, and click Next.
      6) Click Next, review the information on the Active Directory Domain Services page, and then click Next.
      7) Review the information on the Confirm Installation Selections page and then click Install.
      8) When the Installation Results are displayed, verify that the installation succeeded.
      Note You can now launch DCPROMO directly from the Installation Results page. There is a link in blue that states: Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe). You can start either with step a. or with step b., since b. includes a. automatically.
      9) Click Close.
      10) Notice that Active Directory Domain Services is now listed under Roles in Server Manager but has a red X. Click Active Directory Domain Services and read the Summary.
      Note The Active Directory snap-ins were not installed when the role was added. Adding the role installs the AD DS binaries only and does not automatically start the dcpromo process.
   b. Promote the new domain controller.
      1) Open a command prompt, type DCPROMO, and then press ENTER. A check runs to determine whether the Active Directory Domain Services binaries are installed. If not, they are installed and the AD DS Installation Wizard launches automatically.
         a) ALTERNATIVELY, you can promote the domain controller from the Roles Summary by clicking Active Directory Domain Services (with the red X) and then, under Summary, clicking Run the Active Directory Domain Services Installation Wizard (dcpromo.exe).
      Note Since Terminal Services was installed on this computer during the previous lab, the Active Directory Domain Services Installation Wizard displays a message requesting confirmation of a change in security policy on this computer that allows only Administrator to log on to the computer with Terminal Server.
      2) Click OK to the dialog. On the Welcome page, check Use advanced mode installation and then click Next.
      3) On the Choose a Deployment Configuration page, select Existing forest and Add a domain controller to an existing domain, then click Next.
      4) On the Network Credentials page, type Contoso.com in the box for Type the name of any domain in the forest where you plan to install this domain controller. Click Set..., enter the following information as your Network Credentials, and then click OK.
         a) User name: Contoso\Administrator
         b) Password: P@ssw0rd1
      5) Click Next.
      6) On the Select a Domain page, select Contoso.com (forest root domain) and click Next.
      7) In the Select a Site dialog, check Use the site that corresponds to the IP address of this computer.
      8) Click Next.
      Note The Windows Server 2008 Active Directory Domain Services Installation Wizard has a new dialog for Additional Domain Controller Options. The options available are:
      ■ DNS Server
      ■ Global Catalog
      ■ Read-only domain controller (RODC)
      9) Read the Additional information and confirm that both the DNS server and Global catalog options are checked, then click Next.
      10) Read the warning message about delegation for this DNS server and click Yes.
      Note The informational message that is displayed indicates that a delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS Server… In our case, this occurs because contoso.com is our top-level domain and .com cannot be found, since it does not exist in the lab. The goal of this informational message is to help ensure IT professionals correctly configure their DNS settings during the DCPROMO process.
      11) On the Install from Media screen, ensure the first option, Replicate data over the network from an existing domain controller, is selected and then click Next.
      Note The second new dialog page added to the Windows Server 2008 Active Directory Domain Services Installation Wizard provides the option to select a source domain controller. Note that the source domain controller must be writable.
      12) On the Source Domain Controller screen, select Let the wizard choose an appropriate domain controller and then click Next.
      13) On the Location for Database, Log Files, and SYSVOL page, leave the default settings and click Next.
      14) On the Directory Services Restore Mode Administrator Password page, provide the password P@ssw0rd1 and click Next.
      15) On the Summary page, click Export settings... to create an answer file for use later.
         a) Type C:\2008-answer.txt when prompted for the location to save the unattended file, then click Save and OK.
      16) Click Next on the Summary page to begin configuring Active Directory Domain Services.
      17) Check the Reboot on completion box in the Active Directory Domain Services Installation Wizard. Once the configuration completes, the server will reboot automatically.
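An added example, not the lab's own exported file: a PowerShell script that writes a dcpromo unattend file with the same choices made in the wizard above and runs the promotion from it, which is how the exported settings get reused on another server. The file name C:\2008-answer-unattend.txt is my own (so the lab's exported file is not overwritten); the domain, credentials and paths are the lab's. The DSRM password is read at run time and the file is deleted afterwards so no secret is left on disk.

```powershell
# Added example (not the lab's exported file). Builds an unattend file matching the wizard:
# replica DC in contoso.com, DNS server + global catalog, site chosen from the server's IP,
# default database/log/SYSVOL paths, no DNS delegation. "*" for Password makes dcpromo prompt;
# SafeModeAdminPassword cannot be "*", so it is read here and the file is removed after the run.
$answerFile   = "C:\2008-answer-unattend.txt"   # assumed name, distinct from the lab's export
$dsrmPassword = Read-Host "Directory Services Restore Mode password for this DC"

@"
[DCInstall]
; Replica DC in an existing domain of an existing forest
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
; SiteName is omitted: dcpromo picks the site matching this server's IP address
; Additional Domain Controller Options page: DNS server and global catalog
InstallDNS=Yes
ConfirmGc=Yes
; The wizard warned it could not create a DNS delegation; answer No up front
CreateDNSDelegation=No
; ReplicationSourceDC is omitted: let dcpromo choose a source DC
; Location for Database, Log Files and SYSVOL (wizard defaults)
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Network credentials; "*" prompts at run time instead of storing a password
UserDomain=contoso.com
UserName=Administrator
Password=*
SafeModeAdminPassword=$dsrmPassword
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    # Run from an elevated prompt on the server being promoted; wait for dcpromo to finish
    Start-Process -FilePath "dcpromo.exe" -ArgumentList "/unattend:$answerFile" -Wait
} finally {
    # Remove the file so the DSRM password does not stay on disk
    Remove-Item -Path $answerFile -ErrorAction SilentlyContinue
}
# RebootOnCompletion=Yes is deliberately not set (it would reboot before the cleanup runs);
# restart the server manually once dcpromo has completed.
```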
            (4) _GC._TCP.Contoso.com
         b) Check the Primary and Alternate DNS server settings.
            (1) Highlight Server Manager at the top of the left-hand window.
            (2) Under Server Summary, click View Network Connections.
            (3) View the properties of Internet Protocol Version 4 (TCP/IPv4) for the Local Area Connection and notice which IP address is being used as the Alternate DNS server.
            (4) Close these properties and return to Server Manager.
      9) Under Diagnostics, expand Event Viewer and then Windows Logs.
         a) Select the Application log and confirm that SceCli event 1704 is reported.
         b) Under Applications and Services Logs, select the File Replication Service log and confirm NtFrs event 13516.
         Tip It may take several minutes for the SYSVOL to be shared out and for the above events to appear. If you cannot verify these steps after five minutes, stop and start the NTFRS service to resolve this issue.
         c) Close Server Manager.
      10) Open dssite.msc and examine the security descriptor on the DC object. It will display an unresolved security identifier (-498), which is by design; it was inherited from the Configuration container.
2. View dcpromo.log and note the day, month and year this machine was promoted to be a domain controller.
   a. Open the C:\Windows\Debug\DCPROMO.LOG file.
   b. Note that the log now records day, month and year in the first column.
      1) Example:
         10/01/2007 11:03:20 [INFO] Promotion request…
      Note The DCPROMO.LOG in Windows Server 2008 now displays the year in addition to the day and month on which the domain controller was promoted.
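An added example, not part of the lab manual: a PowerShell script that runs the post-promotion checks above on the new domain controller (the locator SRV records, the SceCli 1704 and NtFrs 13516 events, and the dated Promotion request line in DCPROMO.LOG). The domain name is the lab's; the _kerberos SRV record is my addition, registered alongside the _ldap record by every KDC.

```powershell
# Added example (not part of the lab). Scripts the verification steps above on 2008-01.
$domain = "contoso.com"

# 1. Locator SRV records: each query should return at least one "svr hostname" answer
$srvNames = "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.dc._msdcs.$domain", "_gc._tcp.$domain"
foreach ($name in $srvNames) {
    $answer = nslookup -type=SRV $name 2>&1 | Select-String "svr hostname"
    if ($answer) { $state = "OK     " } else { $state = "MISSING" }
    "$state SRV $name"
}

# 2. Events: SceCli 1704 (security policy applied) and NtFrs 13516 (SYSVOL shared, DC advertising)
$expected = @(
    @{ Log = "Application";              Source = "SceCli"; Id = 1704  },
    @{ Log = "File Replication Service"; Source = "NtFrs";  Id = 13516 }
)
foreach ($e in $expected) {
    $hit = Get-EventLog -LogName $e.Log -Source $e.Source -ErrorAction SilentlyContinue |
           Where-Object { $_.EventID -eq $e.Id } |
           Sort-Object TimeGenerated -Descending | Select-Object -First 1
    if ($hit) { "OK      $($e.Source) $($e.Id) logged at $($hit.TimeGenerated)" }
    else      { "WAITING $($e.Source) $($e.Id) not logged yet (FRS may need a few minutes)" }
}

# 3. Promotion date: the first column of DCPROMO.LOG now carries the year (MM/DD/YYYY)
$promo = Select-String -Path "$env:windir\Debug\DCPROMO.LOG" -Pattern '^\d{2}/\d{2}/\d{4} .*Promotion request' |
         Select-Object -First 1
if ($promo) { "Promoted on " + ($promo.Line -split ' ')[0] } else { "No Promotion request line found in DCPROMO.LOG" }
```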
During this lab, you will configure and troubleshoot DNS.
Estimated time to complete this lab: 75 minutes
Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of DNS
What You Will Learn
After completing this lab, you will be able to:
■ Configure and troubleshoot DNS using NSLOOKUP and NLTEST
Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2003-01
■ 2008-01
Important
You must log on as an administrative user in order to perform all of the tasks in this lab. Administrative username and password:
□ Username: Administrator
□ Password: P@ssw0rd1
□ Domain: Contoso
What is your logon server? __________________________ (1)
Resolve the IP address of your logon server using NSLOOKUP. Type the following statement and press Enter:
   NSLOOKUP 2008-01
5. What are the IP addresses? __________________________________ (2)
Exercise 2: Using NSlookup, IPConfig, and NLTEST to test DNS settings
Task 1: Verify the new domain controller SRV records using NSLOOKUP
1. Still on 2008-01, type the following command at the command prompt and then press Enter:
   NSLOOKUP
2. Type the following command and press Enter:
   set type=all
3. Type the following command and press Enter:
   _ldap._tcp.dc._msdcs.Contoso.com
4. You should see the result shown in Figure 2.
5. Close the command prompt.
Task 2: Verify whether you are using a domain controller in your site using NLTEST and test the next closest site Group Policy Setting
1. On 2008-01, enable next closest site lookups for domain controllers:
   a. Open gpedit.msc from the Run line.
   b. Navigate to Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records. Select Try next closest site, change the setting to Enabled, and then click OK. Close the Local Group Policy Editor.
   c. Open a command prompt and run GPUPDATE /Force.
2. Use the following statement to call and test the DsGetDcName function of the DC Locator service from the command line. This will show the enumerated or cached DC.
NLTEST /DSGETDC:Contoso.com
   More info: http://msdn2.microsoft.com/en-us/library/ms675985.aspx
   DC names of all DCs: ________________________________________________________ (4)
4. Use the following statement to locate a writable DC within a set of DCs in the next closest AD site, from the client's perspective, that could authenticate the client:
NLTEST /DSGETDC:Contoso.com /Writable /Try_Next_Closest_Site
Note Since both DCs are in the same site, you will not actually see a next closest site resolution, but during the RODC labs you can test this command to see a populated response. This command would be useful during a support call to show where DC Locator will look for the next closest DC based on ISTG topology data.
5. Use the following statement to force a rediscovery of DCs and clear the cached DC and site. This command is useful if a DC goes down in the client's site, forcing the client to use a DC in another site: the sticky behavior of the DC Locator causes the client to continue using the remote DC until it becomes unavailable or the client is restarted. However, in Windows Server 2008 and Windows Vista, whenever DsGetDcName retrieves a domain controller name from its cache, it checks whether the cached entry has expired and, if so, discards that domain controller name and tries to rediscover a domain controller.
NLTEST /DSGETDC:Contoso.com /force
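An added example, not part of the lab manual: a PowerShell function that runs the NLTEST /DSGETDC queries used in this task and parses the text output into an object, so a script can check whether the locator returned a writable DC and whether that DC is in the client's own site (the CLOSE_SITE flag). It assumes nltest.exe on the path (it ships with Windows Server 2008) and the lab domain Contoso.com.

```powershell
# Added example (not part of the lab). Wraps "nltest /dsgetdc" so the result can be inspected
# programmatically: DC name, address, DC site vs. client site, and the WRITABLE / CLOSE_SITE flags.
function Get-DcLocatorResult {
    param(
        [string]$Domain = "Contoso.com",
        [string[]]$Options = @()       # e.g. "/Writable", "/Try_Next_Closest_Site", "/Force"
    )
    $nlArgs = @("/dsgetdc:$Domain") + $Options
    $raw = & nltest.exe @nlArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "nltest failed: $($raw -join ' ')" }

    # nltest prints "   Label: value" lines; split on the first colon only
    $fields = @{}
    foreach ($line in $raw) {
        if ("$line" -match '^\s*(.+?):\s*(.*)$') { $fields[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $flags = @("$($fields['Flags'])" -split '\s+')   # e.g. PDC GC DS LDAP KDC WRITABLE CLOSE_SITE ...

    New-Object PSObject -Property @{
        DC         = $fields["DC"]
        Address    = $fields["Address"]
        DcSite     = $fields["Dc Site Name"]
        ClientSite = $fields["Our Site Name"]
        Writable   = ($flags -contains "WRITABLE")
        InOurSite  = ($flags -contains "CLOSE_SITE")
        Flags      = $fields["Flags"]
    }
}

# Step 2: the enumerated or cached DC
Get-DcLocatorResult | Format-List DC, Address, DcSite, ClientSite, Writable, InOurSite

# Step 4: a writable DC, allowing the next closest site if none is found in ours
$writable = Get-DcLocatorResult -Options "/Writable", "/Try_Next_Closest_Site"
if (-not $writable.InOurSite) { "Writable DC $($writable.DC) is outside our site ($($writable.DcSite))" }

# Step 5: force rediscovery and clear the cached DC and site
Get-DcLocatorResult -Options "/Force" | Format-List DC, DcSite, Flags
```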
3. Type the following, and then press Enter:
   dnscmd 2008-01.contoso.com /config /EnableGlobalNamesSupport 1
Create the GlobalNames Zone
Using the Windows Interface
1. Open the DNS console.
2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.
3. Create a new zone and give it the name GlobalNames.
   Note This is not case sensitive: globalnames is also supported.
4. Choose an appropriate storage method and replication scope for the zone.
   Note We recommend that you store the zone in AD DS and replicate it to all domain controllers that are DNS servers in the forest. This creates a new AD DS-integrated zone called GlobalNames, stored in the forest-wide DNS application partition.
Create a Short-Name Resource Record
1. Right-click the GlobalNames zone and select New Host (A or AAAA).
2. In Name, type test.
3. In IP Address, type 10.10.10.55.
4. Click Add Host.
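An added example, not part of the lab manual: the same GlobalNames setup as the console steps above done with dnscmd.exe (so it can be repeated on every DNS server), followed by a resolution check. It assumes the lab's DNS server 2008-01.contoso.com, the record name test and the address 10.10.10.55; dnscmd.exe is installed with the DNS Server role and must be run by a DNS administrator.

```powershell
# Added example (not part of the lab). Scripts the GlobalNames zone creation and the
# short-name record from the steps above, then verifies single-label resolution.
$dnsServer = "2008-01.contoso.com"

# 1. Enable GlobalNames zone support on the server (the dnscmd step from the lab)
dnscmd $dnsServer /Config /EnableGlobalNamesSupport 1

# 2. Create the zone AD DS-integrated and replicated forest-wide, as the console note recommends:
#    /DsPrimary stores it in AD DS; "/DP /forest" selects the forest-wide DNS application partition
dnscmd $dnsServer /ZoneAdd GlobalNames /DsPrimary /DP /forest

# 3. Add the single-label host record (the "Create a Short-Name Resource Record" steps)
dnscmd $dnsServer /RecordAdd GlobalNames test A 10.10.10.55

# 4. Server-side check: list what the zone now holds for "test"
dnscmd $dnsServer /EnumRecords GlobalNames test

# 5. Client-side check: a client using this DNS server should resolve the bare name "test"
#    to 10.10.10.55 regardless of its own DNS suffix
$answer = nslookup test $dnsServer 2>&1 | Select-String "10.10.10.55"
if ($answer) { "OK: test resolves through the GlobalNames zone" } else { "FAIL: test did not resolve to 10.10.10.55" }
```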
During this lab, you will prepare the forest and domain for the introduction of Windows Server 2008 Read Only Domain Controllers. You will also install the RODC and understand its features.
Estimated time to complete this lab: 90 minutes
Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server or Virtual PC
What You Will Learn
After completing this lab, you will be able to:
■ Understand preparation and installation of a Windows Server 2008 Read Only Domain Controller
■ Understand the new features and functionality of an RODC
Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2003-01
■ 2008-01
■ 2008-02
■ Vista-01
Important
You must log on as an administrative user in order to perform some of the tasks in this lab. Administrative username and password
Exercise 1: Prepare Windows Server 2003 domain for the installation of a Read Only Domain Controller
Scenario
You are the administrator of Contoso.com domain and have branch offices where physical security cannot be guaranteed. You have decided to install a Read Only Domain Controller (RODC) in your branch office.
Tasks
1. Prepare the contoso.com domain (Windows 2003 domain) for the RODC installation.
   a. Ensure that the forest functional level is Windows Server 2003.
      1) Log on to the domain controller 2003-DC1 as contoso\administrator.
      2) Open Active Directory Domains and Trusts. Click the Action menu and choose Raise Forest Functional Level. When the Raise forest functional level dialog opens, check that the forest functional level is set to Windows Server 2003.
Exercise 2: Install an RODC on a full installation of Windows Server 2008
Scenario
Now that you have prepared your domain for RODC installation, you want to delegate the ability to attach the server that will be the RODC in your branch office to a user, Susan Burk. You have therefore decided to perform a staged installation of the RODC and use this method to add Users, Computers and Groups to the Password Replication Policy.
User: Administrator
Password: P@ssw0rd1
   a. Disable cached credentials on Vista-01.
      1) Launch Regedit.exe on Vista-01.
      2) Expand HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
      3) Set the cachedlogonscount value to 0, and then close regedit.exe.
   b. Join Vista-01 to contoso.com and reboot the client afterwards.
3.
   k. On the Add Groups, Users and Computers dialog, choose Allow passwords for the account to replicate to this RODC and click OK.
      1) Add user Don Hall and computer Vista-01 and click OK. Ensure that Don Hall and Vista-01 have been added with the setting Allow. Click Next.
   l. On the Delegation of RODC Installation and Administration page, click Set…, add Susan Burk in the Select User or Group dialog, and click OK.
   m. Click Next and then Next again to create the Read Only Domain Controller computer account. Click Finish. Notice that the computer account created in the Domain Controllers container is listed as type: Unoccupied DC Account (Read-only, GC).
4. Install the Active Directory Domain Services role.
   a. Log on to 2008-01 and reset the password for Susan Burk to P@ssw0rd1.
   b. Log on to 2008-02 as local Administrator with the password P@ssw0rd1.
   c. Launch Server Manager and select Roles. Click Add Roles in the right pane. The Add Roles Wizard starts.
   d. On the Before You Begin page, click Next.
   e. On the Select Server Roles page, select Active Directory Domain Services and click Next.
   f. Review the information on the Active Directory Domain Services page and click Next.
   g. On the Confirm Installation Selections page, click Install. Once the installation finishes, click Close.
5. Promote 2008-02 as a Read Only Domain Controller using the delegated account.
   a. Click Start, Run and type: dcpromo /UseExistingAccount:Attach and then click OK.
   b. In the Active Directory Domain Services Installation Wizard, check the box for Use advanced mode installation and click Next.
   c. On the Network Credentials page, provide Contoso.com as the domain name and click Set…. Provide SBurk as the user name and P@ssw0rd1 as the password, click OK, and then click Next.
   d. On the Select Domain Controller Account page, select 2008-02 and click Next.
   e. Select Yes if a message reports that this computer has one or more network adapters without any static IP address settings… Click Next.
   f. On the Install from Media page, ensure Replicate data over the network from an existing domain controller is selected and click Next.
   g. On the Source Domain Controller page, ensure Let the wizard choose an appropriate domain controller is selected and click Next.
   h. On the Location for Database, Log Files, and SYSVOL page, leave the default entries and click Next.
   i. On the Directory Services Restore Mode Administrator Password page, provide the password P@ssw0rd1 and click Next.
   j. On the Summary page, click Next and choose Reboot on completion in the Active Directory Domain Services Installation Wizard.
6. Verify the installation of Active Directory.
   a. After the computer reboots, allow replication to take place.
   b. Log on as Contoso\SBurk.
   c. Start Server Manager and confirm that Active Directory Domain Services is listed under Roles.
   d. What happens if you attempt to add the user accounts for Susan Burk and Don Hall to the Domain Admins group? Why?
7. For the purpose of this lab, confirm successful replication of 2008-02.
   a. Log on to 2008-01 as Contoso\Administrator.
   b. Force 2008-02 to inbound-replicate the domain partition from 2008-01 using:
      repadmin /replicate 2008-02 2008-01 dc=contoso,dc=com
   c. Log on to 2008-02 as Contoso\Administrator.
      Note You may get an error when trying to log on to 2008-02 for the first time because the trust account is not yet valid. If so, force inbound replication on 2008-02 before trying again.
   d. Force FRS to poll AD by running ntfrsutl poll /now on 2008-02.
Exercise 3: Test the Password Replication Policy
Scenario
As an administrator for Contoso domain, you are curious to find out what new attributes support Password Replication Policy. You understand that Password Replication Policy is the mechanism for determining whether a user or computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.
   c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers, Contoso.com and then select the Domain Controllers OU.
   d. Enable Advanced Features by clicking the View menu and then Advanced Features.
   e. Select 2008-02 in the right pane.
   f. Right click it and select Properties.
   g. Select the Attribute Editor tab.
   h. Click Filter and select Constructed and Backlinks.
   i. Under the Attributes list you will now see the following attributes listed:
      msDS-Reveal-OnDemandGroup: commonly known as the Allowed List
      msDS-NeverRevealGroup: commonly known as the Denied List
      msDS-RevealedList: commonly known as the Revealed List
      msDS-AuthenticatedToAccountList: commonly known as the Authenticated to List
Scenario
During the installation of the RODC you set a policy for the password of the Vista-01 machine account and of the user Don Hall to be cached on the RODC. You now want Don Hall, a user in the branch office, to log on to Vista-01. After the user and the machine successfully authenticate, you expect their passwords to be stored on the RODC.
Tasks
1. Log on to 2008-02 as contoso\SBurk.
2. View the current credentials that are cached on the RODC.
3. Ensure Don Hall and Vista-01 are cached.
4. Review whose accounts have been authenticated to the RODC.
   a. Log on to 2008-02 as Contoso\SBurk.
   b. Launch Server Manager if it is not already open.
      1) Click Start, Administrative Tools, and then Server Manager
   c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers.
   d. Expand Contoso.com and then select the Domain Controllers container.
   e. In the details pane, right click 2008-02 and select Properties.
   f. Click the Password Replication Policy tab.
   g. Click Advanced.
   h. From the drop-down list, select Accounts whose passwords are stored on this Read-only Domain Controller and ensure Don Hall and Vista-01 are cached.
   i. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller and list the accounts that have been authenticated to the RODC.
5. Log off Vista-01
Scenario
Don Hall, a user in the branch office, wants to log on to his machine, Vista-01. However, the WAN connection is down, and the branch office, which belongs to the site West, contains only an RODC. You understand that the RODC will be able to authenticate Don Hall and Vista-01 because their credentials are successfully cached on the RODC.
Tasks
1. Pause 2008-01 to simulate a broken WAN link.
2. Log on to the Vista-01 machine as Don Hall (this should be successful).
Exercise 4: Administrator Role Separation
Scenario
You are the administrator of the Contoso domain and would like to create a local administrator role for the RODC and add a user to that role.
Tasks
1. Configure Administrator Role Separation for an RODC
   a. Log on to 2008-02 as Contoso\administrator
   b. Launch a command prompt, type dsmgmt and then press ENTER
   c. At the DSMGMT prompt, type local roles and then press ENTER
   d. Type add contoso\bsmith Administrators. It will report the message Successfully updated local role.
2. Type Quit two times
3. Close the command prompt
4. Log onto 2008-02 using the contoso\bsmith account
Exercise 5: Dump the RODC machine account
Scenario
You are the administrator of the Contoso domain. You want to quickly find out how many RODCs you have in your domain, using only the command line.
Tasks
1. Use DSQuery and NLTest to discover the RODCs in the domain.
   a. Open a command prompt on 2008-01.
   b. Type Dsquery server -isreadonly and view the results.
   c. Type Nltest /dclist:Contoso.com and view the results.
Exercise 6: Reset the credentials cached on the stolen RODC and delete the RODC
Scenario
You are the administrator of the Contoso domain. You just found out that the RODC in your branch office has been stolen. You are concerned that some of your users' passwords are cached on the RODC. You are going to take the appropriate steps to reset the credentials currently cached on the RODC.
Tasks
1. Reset the current credentials that are cached on the RODC
   a. Log on to 2008-01 as Contoso\Administrator
   b. Launch Server Manager if it is not already open. Click Start, Administrative Tools, and then Server Manager
   c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers
   d. Expand Contoso.com and then select the Domain Controllers container
   e. In the details pane, right click 2008-02 and select Delete
   f. To confirm deletion, click Yes
   g. It will launch the Deleting Domain Controller dialog box
      1) Review the following options:
         ○ Reset all passwords for user accounts that were cached on this Read-only Domain Controller
         ○ Reset all passwords for computer accounts that were cached on this Read-only Domain Controller
         ○ Uncheck Export the list of accounts that were cached on this Read-only Domain Controller to this file
   h. Click Cancel. Do NOT click Delete! The RODC is needed for a later lab.
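The following PowerShell script is an added example and is not part of the lab manual. It finds the RODCs in the domain (the same population that Dsquery server -isreadonly lists in Exercise 5), reads each one's Password Replication Policy attributes from Exercise 3, and flags cached secrets that belong to accounts on the Denied List; the Revealed List it prints is the set of accounts whose passwords the Deleting Domain Controller dialog in Exercise 6 would reset, so it is worth recording before the computer object is touched. It assumes the domain DN DC=contoso,DC=com, an authenticated domain user, and expands Denied List groups one level only; none of that is stated in the lab.

```powershell
# Added example, not code from the lab manual. Uses System.DirectoryServices,
# which any domain-joined Windows host with PowerShell has.
# Assumptions (not from the lab): domain DN DC=contoso,DC=com; run as an
# authenticated domain user; Denied List groups are expanded one level only.

# userAccountControl bit that marks an RODC computer account (PARTIAL_SECRETS_ACCOUNT).
$PartialSecretsAccount = 0x04000000
$PrpAttributes = [string[]]@('msDS-Reveal-OnDemandGroup',        # Allowed List
                             'msDS-NeverRevealGroup',            # Denied List
                             'msDS-RevealedList',                # Revealed List
                             'msDS-AuthenticatedToAccountList')  # Authenticated to List

function Find-Rodc {
    param([string]$DomainDn = 'DC=contoso,DC=com')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainDn")
    # Bitwise-AND matching rule: computer objects whose userAccountControl carries the partial-secrets bit.
    $searcher.Filter   = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=$PartialSecretsAccount))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    foreach ($r in $searcher.FindAll()) { $r.GetDirectoryEntry() }
}

function ConvertTo-Dn($value) {
    # Plain DN values come back as strings; DN-with-binary values expose the DN as DNString.
    if ($value -is [string]) { return $value }
    try { return [string]$value.DNString } catch { return [string]$value }
}

function Get-RodcPrp {
    param([Parameter(Mandatory=$true)][System.DirectoryServices.DirectoryEntry]$Rodc)
    $name = [string]$Rodc.Properties['dNSHostName'].Value    # first access fills the object cache
    # The PRP lists are constructed/backlink attributes and are only returned when
    # requested by name (the GUI does this with the Constructed and Backlinks filter).
    $Rodc.RefreshCache($PrpAttributes)
    $prp = @{ Rodc = $name; DistinguishedName = [string]$Rodc.Properties['distinguishedName'].Value }
    foreach ($a in $PrpAttributes) {
        $prp[$a] = @($Rodc.Properties[$a] | ForEach-Object { ConvertTo-Dn $_ })
    }
    New-Object PSObject -Property $prp
}

function Get-DeniedButRevealed {
    # Accounts whose secrets are cached although they are on the Denied List, which can
    # happen when an account joined a denied group after its password was already cached.
    param([Parameter(Mandatory=$true)]$Prp)
    $denied = @{}
    foreach ($dn in $Prp.'msDS-NeverRevealGroup') {
        $denied[$dn.ToLower()] = $true
        foreach ($m in ([ADSI]"LDAP://$dn").Properties['member']) { $denied[([string]$m).ToLower()] = $true }
    }
    @($Prp.'msDS-RevealedList' | Where-Object { $denied.ContainsKey($_.ToLower()) })
}

foreach ($rodc in Find-Rodc) {
    $prp = Get-RodcPrp -Rodc $rodc
    "RODC: $($prp.Rodc)"
    foreach ($a in $PrpAttributes) { "  ${a}: $($prp.$a.Count) entries" }
    "  Revealed List (passwords cached on this RODC):"
    $prp.'msDS-RevealedList' | ForEach-Object { "    $_" }
    $flagged = @(Get-DeniedButRevealed -Prp $prp)
    if ($flagged.Count -gt 0) {
        Write-Warning "$($prp.Rodc): $($flagged.Count) cached secret(s) belong to Denied List accounts; reset those passwords."
        $flagged | ForEach-Object { "    DENIED+REVEALED: $_" }
    }
}
```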
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Version 1.0
During this lab, you will promote a Windows Server 2008 Server Core machine into the contoso.com domain. You will also learn how to perform basic administrative tasks from the command line.
Estimated time to complete this lab: 60 minutes
Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server
What You Will Learn
After completing this lab, you will be able to:
■ Configure IPv4 addresses with Netsh
■ Add a Server Role with ocsetup
Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-core-01
■ 2008-01
■ 2003-01
■ You must log on as an administrative user in order to perform some of the tasks in this lab.
Exercise 1: Configure the IP Address with Netsh
Scenario
You have a fresh install of Windows Server 2008 Core. You are tasked with setting the IP address in a manner that is consistent with corporate guidelines.
Tasks
1. Use Netsh to configure TCP/IP properties
   a. In the command prompt type netsh and press ENTER
   b. Type interface and press ENTER
   c. Type ipv4 and press ENTER
   d. Type show interfaces and press ENTER to show the list of network adapters
   e. Note that the Idx is 2 for the Local Area Connection network adapter.
   f. Type the following to set the IP address, subnet and default gateway: set address "2" static 10.1.1.2 255.0.0.0
   g. Type the following to set the primary DNS server: add dnsserver "2" 10.1.1.4 1
   h. Type exit and press ENTER
   i. Verify the IP configuration information. At the command prompt type the following and then press ENTER: Ipconfig /all
Exercise 2: Configure 2008-core-01 so that it can be controlled remotely
Scenario
2008-core-01 will be in a remote location. Make sure it will be possible to connect to the server using RDP.
1. Enable Remote Desktop
   a. At the command prompt type the following and then press ENTER: Cscript C:\Windows\System32\Scregedit.wsf /ar 0
Note
Cscript C:\Windows\System32\Scregedit.wsf /cli will show you several other options.
2. Connect to 2008-core-01 remotely
   a. Log onto 2008-01 as contoso\administrator
   b. Launch MSTSC
   c. Type 2008-core-01 and click Connect
   d. Right click DNS; select Connect to DNS Server…
   e. Select The following computer: and enter 2008-core-01 and click OK
   f. Verify RDP is now available on 2008-core-01
   Confirm the feature is added by typing the following command: Oclist
   Confirm it shows "Installed" for WindowsServerBackup
Exercise 4: Add the DNS server Role with OCsetup
Scenario
In preparation for promotion to a Domain Controller, add the DNS Server role to 2008-core-01.
1. Add the DNS Server Role with OCsetup
   a. At the command prompt type the following and then press ENTER: Start /w ocsetup DNS-Server-Core-Role
      Note: Using the /w switch prevents the command prompt from returning until the installation completes. Without the /w switch there is no indication that the installation completed.
   b. Once the process is completed, you will see the command prompt again
   c. Confirm the role is added by typing the following: Oclist
   d. Confirm it shows "Installed" for DNS-Server-Core-Role
2. Manage the DNS server role remotely
   a. Log onto 2008-01 as contoso\administrator
   b. Launch DNSMGMT.msc
   c. Right click DNS; select Connect to DNS Server…
   d. Select The following computer: and enter 2008-core-01 and click OK
Exercise 5: Promote the Server Core box into the contoso.com domain using the answer file that we created in a previous lab.
Scenario
You are testing the use of Server Core Domain Controllers in your enterprise. Promote 2008-core-01 as a new Domain Controller in contoso.com using an unattend file (the unattend file was created in a previous lab).
1. Run Dcpromo with the answer file.
   a. Copy the unattended installation file created in lab 3 to 2008-core-01.
   b. Open the file in notepad.exe. Find the SafeModeAdminPassword field and set it to P@ssw0rd1.
   c. At the command prompt type the following and then press ENTER: dcpromo /unattend:2008-answer.txt
      It will check whether the Active Directory Domain Services binaries are installed. If not, it will install them and then start Active Directory Domain Services setup. When prompted, enter P@ssw0rd1 as the administrator password. Once the installation completes, it will restart the server.
   d. Logon as contoso\administrator after the reboot completes. At the command prompt type the following and then press ENTER: Netsh firewall show state. Notice the firewall is enabled.
   e. At the command prompt, type the following and then press ENTER: net share. Confirm Sysvol and Netlogon are shared.
During this lab, you will perform hands-on Windows Server 2008 auditing.
Estimated time to complete this lab: 60 minutes
Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of the directory service auditing changes.
What You Will Learn
After completing this lab, you will be able to:
■ Enable and disable auditing
■ Understand the new auditing Event IDs
Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-01
■ You must log on as an administrative user in order to perform all of the tasks in this lab.
Exercise 1: Review DS Auditing changes in Windows Server 2008
Scenario
You are an administrator of the Contoso domain and would like to view the changes to auditing in Windows Server 2008.
Tasks
1. Review the Audit Policy settings under Default Domain Policy.
   a. Log on to 2008-01 as Contoso\administrator
   b. Launch Server Manager if it is not already open.
   c. Expand Features
   d. Expand Group Policy Management
   e. Expand Forest: Contoso.com
   f. Expand Domains
   g. Expand Contoso.com
   h. Expand Group Policy Objects
   i. Select Default Domain Policy
   j. Right click it and select Edit...
   k. In Group Policy Management Editor, select Audit Policy under Computer Configuration, Windows Settings, Security Settings, Local Policies
   l. Review the audit policies and policy settings in the details pane
   c. In Group Policy Management Editor, select Audit Policy under Computer Configuration, Windows Settings, Security Settings, Local Policies
   d. Review the audit policies and policy settings in the details pane
   e. Confirm the Policy Setting for Audit directory service access is set to Success.
   f. Close Group Policy Management Editor
3. View the subcategories of DS Access via auditpol.cmd and ensure that Directory Service Changes is set to Success
   a. Launch a command prompt
      1) Click on Start, type cmd and press ENTER
   b. Type Auditpol /clear
   c. Type Auditpol /set /category:"DS Access"
   d. Type Auditpol /get /category:"DS Access"
   e. List the subcategories and the setting for each subcategory
      _____________________________________________________________________________________
      _____________________________________________________________________________________
      _____________________________________________________________________________________
      _____________________________________________________________________________________
   f. Confirm Directory Service Changes is set to Success
   g. Close the command prompt
Exercise 2: DS Auditing Creation, Modification and Moving of AD Objects
Scenario
You are an administrator of the Contoso domain and would like to audit the creation, modification and moving of AD objects.
Tasks
1. Ensure the audit policy is enabled (completed in Exercise 1)
2. Create an OU called AuditTest and set up auditing on the OU created
   a. Launch Server Manager if it is not already open.
   b. Expand Server Manager
   c. Expand Roles
   d. Expand Active Directory Domain Services
   e. Expand Active Directory Users and Computers
   f. Select Contoso.com
   g. Right click it and select New, Organizational Unit
   h. Type AuditTest in the Name of New Object and click on OK
   i. Right click AuditTest in Contoso.com and click Properties
   j. Confirm Advanced Features are enabled in the View menu in order for you to view the Security tab.
   k. Select the Security tab, click on Advanced and select the Auditing tab.
   l. Click on Add
   c. Click on Next
   d. Type P@ssw0rd1 in Password and Confirm password.
   e. Click on Next and then Finish
4. View the security log to review the audit event generated
   a. In Server Manager, expand Diagnostics and then Event Viewer
   b. Expand Windows Logs
   c. Select the Security log
   d. The log shows Directory Service Changes event 5137 indicating the creation of a new directory service object:
      Log Name:      Security
      Source:        Microsoft-Windows-Security-Auditing
      Date:          8/1/2007 11:50:48 AM
      Event ID:      5137
      Task Category: Directory Service Changes
      Level:         Information
      Keywords:      Audit Success
      User:          N/A
      Computer:      2008-01.Contoso.com
      Description:
      A directory service object was created.

      Subject:
          Security ID:    CONTOSO\Administrator
          Account Name:   Administrator
          Account Domain: CONTOSO
          Logon ID:       0x18b1d

      Directory Service:
          Name: Contoso.com
          Type: Active Directory Domain Services

      Object:
          DN:    cn=AuditTest1,ou=AuditTest,DC=Contoso,DC=com
          GUID:  CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
          Class: user

      Operation:
          Correlation ID:             {57586991-b6fd-49e8-b52b-6cdb19067268}
          Application Correlation ID: -
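The following PowerShell script is an added example and is not part of the lab manual. It parses the description text of a Directory Service Changes event such as the 5137 shown above into named fields (who, what class, which DN) and reads live events from the Security log the same way. It assumes PowerShell 2.0 or later for Get-WinEvent, reconstructs the lab's event text by hand as its sample, and relies on the related IDs 5136 (object modified) and 5139 (object moved) sharing this layout; none of that is stated in the lab.

```powershell
# Added example, not code from the lab manual.
# Assumptions (not from the lab): PowerShell 2.0+ for Get-WinEvent; event IDs
# 5136 (modified) and 5139 (moved) use the same description layout as 5137 (created).

# Constructed sample: the 5137 description from the lab, one field per line.
$SampleDescription = @"
A directory service object was created.

Subject:
    Security ID:        CONTOSO\Administrator
    Account Name:       Administrator
    Account Domain:     CONTOSO
    Logon ID:           0x18b1d

Directory Service:
    Name:   Contoso.com
    Type:   Active Directory Domain Services

Object:
    DN:     cn=AuditTest1,ou=AuditTest,DC=Contoso,DC=com
    GUID:   CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
    Class:  user

Operation:
    Correlation ID:             {57586991-b6fd-49e8-b52b-6cdb19067268}
    Application Correlation ID: -
"@

function ConvertFrom-DsChangeDescription {
    # Returns an object with properties such as 'Subject.Security ID', 'Object.DN', 'Object.Class'.
    param([Parameter(Mandatory=$true)][string]$Description)
    $fields  = @{}
    $section = ''
    foreach ($line in ($Description -split "`r?`n")) {
        if ($line.Trim() -eq '') { continue }
        if ($line -match '^(\S[^:]*):\s*$') { $section = $matches[1].Trim(); continue }   # "Subject:"
        if ($line -match '^\s+([^:]+):\s*(.*)$') {                                       # "   DN:   value"
            $fields["$section.$($matches[1].Trim())"] = $matches[2].Trim()
        } elseif ($section -eq '') {
            $fields['Summary'] = $line.Trim()                                              # first line of the message
        }
    }
    New-Object PSObject -Property $fields
}

function Get-DsChangeEvent {
    # Reads Directory Service Changes events from the local Security log and parses each one.
    param([int[]]$EventId = @(5137), [int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $evt = $_
            ConvertFrom-DsChangeDescription -Description $evt.Message |
                Add-Member -MemberType NoteProperty -Name EventId     -Value $evt.Id          -PassThru |
                Add-Member -MemberType NoteProperty -Name TimeCreated -Value $evt.TimeCreated -PassThru
        }
}

# Offline demonstration on the constructed sample.
$parsed = ConvertFrom-DsChangeDescription -Description $SampleDescription
"{0} created a {1} object: {2}" -f $parsed.'Subject.Security ID', $parsed.'Object.Class', $parsed.'Object.DN'

# Live log: who created what inside the AuditTest OU (requires a DC with the lab's audit policy).
try {
    Get-DsChangeEvent |
        Where-Object { $_.'Object.DN' -like '*OU=AuditTest,DC=Contoso,DC=com' } |
        Format-Table TimeCreated, 'Subject.Account Name', 'Object.Class', 'Object.DN' -AutoSize
} catch {
    Write-Warning "Security log not readable here: $($_.Exception.Message)"
}
```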
During this lab, you will migrate SYSVOL from FRS to DFSR as the replication engine.
Estimated time to complete this lab: 60 minutes
Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server
What You Will Learn
After completing this lab, you will be able to:
■ Understand the migration of SYSVOL from FRS to DFSR in a Windows Server 2008 domain
Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-01
■ 2008-02
■ 2008-Core-01
■ You must log on as an administrative user in order to perform all of the tasks in this lab.
Exercise 1: Migrate SYSVOL from using NTFRS to DFSR
Scenario
You are the administrator of Contoso.com domain. You understand that in your current environment SYSVOL is using NTFRS as its replication engine. However, you have read that DFSR provides substantial improvements over FRS and several key new features. Therefore, you wish to perform a DFSR migration and you are ready to demote any domain controller that is not running Windows Server 2008 to perform this migration.
   13. Type quit and press ENTER
   14. At the command prompt, type netdom query fsmo and then press ENTER
   15. Confirm 2008-01 holds all the FSMO roles
   16. Close the command prompt
   b. Demote 2003-01 back to a member server.
      1. While logged on to 2003-01 as Contoso\Administrator
      2. Start | Run and type DCPROMO
      3. Remove Active Directory from 2003-01
      4. Reboot
      5. Make sure 2003-01 is no longer referred to as a DNS server in the TCP/IP properties of any domain member.
2. Raise the Contoso.com Domain Functional Level to Windows Server 2008.
   a. While logged onto 2008-01 as Contoso\Administrator, run DSA.msc.
   b. Right click the domain and select Raise Domain Functional Level.
   c. Raise the domain functional level to Windows Server 2008.
   d. Stay logged on to 2008-01 as Contoso\Administrator.
   f. Launch Adsiedit.msc
   g. Connect to Default naming context
   h. Expand OU=Domain Controllers,DC=Contoso,DC=com
   i. Expand each of the Domain Controllers and select CN=NTFRS Subscriptions
   j. Confirm that the right pane shows an NTFRS Subscriber object called CN=Domain System Volume (SYSVOL share)
   k. Expand CN=File Replication Service,CN=System,DC=Contoso,DC=Com
   l. Select CN=Domain System Volume (SYSVOL share)
   m. Confirm the right pane contains NTFRS member objects for all the Domain Controllers. The NTFRS member object name is the same as the domain controller name.
   n. Close Adsiedit.msc
   o. Click on Start, Programs, Administrative Tools and Event Viewer.
   p. Check the File Replication Service log and confirm that no errors or warnings are reported for Sysvol.
4. Backup the data in the Sysvol folder.
   a. It is recommended to take a backup of the data in the SYSVOL folder before beginning the process of migrating from FRS to DFS Replication.
   b. On 2008-01, copy the C:\Windows\SYSVOL\domain folder to the Desktop
      1. At the command prompt, run
         xcopy /x /e /h /r C:\Windows\SYSVOL\domain %userprofile%\desktop
   d. If the service is not installed:
      1. Expand Roles in the left pane and select File Services
      2. Right click File Services and select Add Role Services
      3. It will launch the Add Role Services wizard
      4. Expand Windows Server 2003 File Services and select File Replication Service
      5. Click on Install
      6. Once the process completes, it will display a message confirming File Replication Service installed successfully.
      7. Select File Services in the left pane.
      8. Review the details pane.
      9. Now DFS Replication service is listed under System Services.
      10. Status shows Running and Startup Type is Auto.
6. Run the DfsrMig tool on the PDC to create the DFSR-GlobalSettings object
   a. On 2008-01, launch a command prompt
   b. Type DfsrMig /CreateGlobalObjects and then press ENTER
   c. It will report the following:
      Current DFSR global state: Start
      Succeeded.
   d. DfsrMig performs the following actions:
      1. Creates the ReplicationGroup, Content object, ContentSet, and Topology objects.
      2. The msDFSR-GlobalSettings object under the System container is created.
         a) Launch Adsiedit.msc or LDP
         b) Connect to Default naming context
         c) Expand DC=Contoso,DC=Com
         d) Select CN=System
         e) Notice in the details pane that the CN=DFSR-GlobalSettings object of class msDFSR-GlobalSettings is created under CN=System.
      3. The msDFSR-ReplicationGroup object under msDFSR-GlobalSettings is created. msDFSR-ReplicationGroupType is set to a value of 1.
         a) Expand CN=System and select CN=DFSR-GlobalSettings
         b) Notice in the details pane that the CN=Domain System Volume object of class msDFSR-ReplicationGroup is created under CN=DFSR-GlobalSettings
         c) Right click CN=Domain System Volume and select Properties
         d) Under Attributes, select msDFSR-ReplicationGroupType
         e) Confirm the value is set to 1
         f) Click on Cancel
      4. The msDFSR-Content and msDFSR-Topology objects are created under the msDFSR-ReplicationGroup object.
         a) Expand CN=DFSR-GlobalSettings in the left pane.
         b) Select CN=Domain System Volume.
         c) Notice the CN=Content and CN=Topology objects are created.
      5. The msDFSR-ContentSet object under the msDFSR-Content object is created.
         a) Expand CN=Domain System Volume in the left pane and select CN=Content.
         b) Notice in the details pane that the CN=SYSVOL Share object of class msDFSR-ContentSet is created.
      6. For NTFRS compatibility, the content set is set to filter out the DO_NOT_REMOVE_NtFrs_PreInstall_Directory and NtFrs_PreExisting___See_EventLog folders.
         a) Right click CN=SYSVOL Share and select Properties.
         b) From the list of attributes, select msDFSR-DirectoryFilter.
         c) Confirm the value is set to DO_NOT_REMOVE_NtFrs_PreInstall_Directory, NtFrs_PreExisting___See_EventLog.
         d) Click on Cancel.
      7. Creates member objects for each existing RODC.
         a) Select CN=Topology in the left pane
         b) Notice in the details pane that the CN=2008-02 object of class msDFSR-Member is created.
         c) Close Adsiedit.msc.
      8. Sets GlobalState to 0.
   e. Launch a command prompt
   f. Type DfsrMig /GetGlobalState and then press ENTER
      1. It will report the following:
         Current DFSR global state: ‘Start’
         Succeeded.
7. Run DfsrMig.exe on the PDC to enter the Prepare phase
   a. Launch a command prompt
   b. Type DFSRMig /SetGlobalState 1 and then press ENTER
      1. It will report:
         Current DFSR global state: Start
         New DFSR global state: ‘Prepared’
         Migration will proceed to ‘Prepared’ state. DFSR service will copy the contents of SYSVOL to SYSVOL_DFSR folder.
         If any DC is unable to start migration then try manual polling. OR Run with option /CreateGlobalObjects.
         Migration can start anytime between 15 min to 1 hour.
         Succeeded.
   c. DfsrMig performs the following actions:
      1. Creates SYSVOL_DFSR, and its immediate subfolders, copying the ACLs from the original SYSVOL.
         a) Launch Windows Explorer.
         b) Confirm the SYSVOL_DFSR folder is created under %SystemRoot%.
         c) Confirm the ACLs are identical for the Policies and Scripts folders under %SystemRoot%\SYSVOL\Domain and %SystemRoot%\SYSVOL_DFSR\Domain
      2. ROBOCOPY copies SYSVOL\domain to SYSVOL_DFSR\domain.
         a) Confirm the contents of %SystemRoot%\SYSVOL_DFSR\Domain are the same as the contents of %SystemRoot%\SYSVOL\Domain.
      3. The output of ROBOCOPY is saved in %SystemRoot%\Debug\SYSVOL_DFSR-RoboCopy.txt.
         a) Review the file %SystemRoot%\Debug\SYSVOL_DFSR-RoboCopy.txt.
      4. Creates the SYSVOL junction.
         a) Launch a command prompt
         b) Type the following command and then press ENTER: cd %SystemRoot%\SYSVOL_DFSR\Sysvol
         c) Type Dir /a and then press ENTER
         d) Confirm a junction Contoso.com is created for %SystemRoot%\SYSVOL_DFSR\domain.
         e) Close the command prompt
      5. The msDFSR-Member object under the msDFSR-Topology object was populated with the msDFSR-ComputerReference, ServerReference, and ServerReferenceBL attribute values.
         a) Launch Adsiedit.msc.
         b) Connect to Default naming context.
         c) Expand CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=Contoso,DC=com.
         d) Select CN=Topology.
         e) The details pane shows the CN=2008-02 object of class msDFSR-Member.
         f) Right click 2008-02 and select Properties.
         g) Review the attributes msDFSR-ComputerReference, ServerReference, and ServerReferenceBL. To see the ServerReferenceBL value you must enable Backlink values.
            (1) Click Filter, then click Backlinks
         h) Click on Cancel
      6. The msDFSR-LocalSettings object under OU=Domain Controllers is created.
         a) Expand OU=Domain Controllers under DC=Contoso,DC=com.
         b) Expand CN=2008-01.
         c) Notice the CN=DFSR-LocalSettings object is created under CN=2008-01.
      7. The msDFSR-Subscriber object under the msDFSR-LocalSettings object is populated with the msDFSR-MemberReference and msDFSR-ReplicationGroupGuid attribute values.
         a) Select CN=DFSR-LocalSettings.
         b) The details pane shows the CN=Domain System Volume object of class msDFSR-Subscriber.
         c) Right click CN=Domain System Volume and select Properties.
         d) Review the attributes msDFSR-MemberReference and msDFSR-ReplicationGroupGuid.
         e) Click on Cancel.
      8. The msDFSR-Subscription object under the msDFSR-Subscriber object is populated with the msDFSR-RootPath, msDFSR-StagingPath, msDFSR-ReplicationGroupGuid, msDFSR-ContentSetGuid, msDFSR-ReadOnly, and msDFSR-Options attribute values.
         a) Select CN=Domain System Volume in the left pane.
         b) The details pane shows the CN=SYSVOL Subscription object of class msDFSR-Subscription.
         c) Right click CN=SYSVOL Subscription and select Properties.
         d) Review the attributes msDFSR-RootPath, msDFSR-StagingPath, msDFSR-ReplicationGroupGuid, msDFSR-ContentSetGuid, msDFSR-ReadOnly, and msDFSR-Options.
         e) Click on Cancel.
         f) Close Adsiedit.msc.
      9. Creates and populates this key in the registry: HKLM\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols.
         a) Launch regedit.
         b) Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols
         c) Confirm the value of Local State is set to 1.
         d) Close Registry Editor.
   d. Confirm the global state is now set to Prepared.
      1. Launch a command prompt
      2. Type DfsrMig /GetGlobalState and then press ENTER
      3. It will report:
         Current DFSR global state: ‘Prepared’
         Succeeded.
   e. Confirm all Domain Controllers are synchronized with the Global State (Prepared). It is highly recommended not to initiate migration to the REDIRECTED state until this is done.
      1. At the command prompt, type DfsrMig /GetMigrationState and then press ENTER
      2. It will list the Domain Controllers that are not in sync with the Global State. Example:
      3. If any of the Domain Controllers are listed there, then force Active Directory replication using the following commands:
         Repadmin /syncall 2008-01 /AdeP
         Repadmin /syncall 2008-02 /Ade
      4. Check for success with:
         repadmin /showattr * "CN=DFSR-GlobalSettings,CN=System,DC=contoso,DC=com" /atts:msDFSR-Flags
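The following PowerShell script is an added example and is not part of the lab manual. It automates the Prepared-state checks above on 2008-01 before the migration is moved to Redirected: it parses the global-state line that DfsrMig prints, reads the Local State registry value, checks that the SYSVOL_DFSR\sysvol junction exists, compares the ACLs of the Policies and Scripts folders on both trees, and compares SYSVOL\domain with SYSVOL_DFSR\domain file by file using SHA-256. It assumes PowerShell 2.0 or later, running as Contoso\Administrator on a DC of contoso.com, and skips the two FRS-internal folders that the content set filters out; none of that is stated in the lab.

```powershell
# Added example, not code from the lab manual.
# Assumptions (not from the lab): PowerShell 2.0+, run as Contoso\Administrator
# on a DC of contoso.com, after DFSRMig /SetGlobalState 1 has been issued.

$SysvolDomain = Join-Path $env:SystemRoot 'SYSVOL\domain'
$DfsrDomain   = Join-Path $env:SystemRoot 'SYSVOL_DFSR\domain'
$DfsrJunction = Join-Path $env:SystemRoot 'SYSVOL_DFSR\sysvol\contoso.com'
$MigratingKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols'
# FRS-internal folders excluded by msDFSR-DirectoryFilter; they are not expected to match.
$FrsInternal  = '^(DO_NOT_REMOVE_NtFrs_PreInstall_Directory|NtFrs_PreExisting___See_EventLog)(\\|$)'

function ConvertFrom-DfsrMigState {
    # Extracts the state name from a "Current DFSR global state: 'Prepared'" line;
    # DfsrMig prints the name with curly quotes, straight quotes or none.
    param([Parameter(Mandatory=$true)][string[]]$Output)
    foreach ($line in $Output) {
        if ($line -match 'global state:\s*[\u2018'']?(\w+)[\u2019'']?') { return $matches[1] }
    }
    $null
}

function Get-FileSha256 {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-RelativeFiles {
    # Hashtable of relative path -> SHA-256 for every file under $Root, minus FRS-internal folders.
    param([Parameter(Mandatory=$true)][string]$Root)
    $index = @{}
    foreach ($f in (Get-ChildItem -Path $Root -Recurse -Force | Where-Object { -not $_.PSIsContainer })) {
        $rel = $f.FullName.Substring($Root.Length).TrimStart('\')
        if ($rel -notmatch $FrsInternal) { $index[$rel] = Get-FileSha256 -Path $f.FullName }
    }
    $index
}

function Compare-SysvolTree {
    # One line per difference; an empty result means SYSVOL_DFSR\domain matches SYSVOL\domain.
    param([string]$Source = $SysvolDomain, [string]$Copy = $DfsrDomain)
    $src = Get-RelativeFiles -Root $Source
    $dst = Get-RelativeFiles -Root $Copy
    $diffs = @()
    foreach ($rel in $src.Keys) {
        if (-not $dst.ContainsKey($rel))   { $diffs += "missing from SYSVOL_DFSR: $rel" }
        elseif ($src[$rel] -ne $dst[$rel]) { $diffs += "content differs: $rel" }
    }
    foreach ($rel in $dst.Keys) {
        if (-not $src.ContainsKey($rel)) { $diffs += "only in SYSVOL_DFSR: $rel" }
    }
    $diffs
}

function Compare-SysvolAcl {
    # The Prepared step copies ACLs from the original SYSVOL; compare the SDDL of both sides.
    param([string]$Source = $SysvolDomain, [string]$Copy = $DfsrDomain)
    foreach ($folder in 'Policies', 'Scripts') {
        $a = (Get-Acl -Path (Join-Path $Source $folder)).Sddl
        $b = (Get-Acl -Path (Join-Path $Copy $folder)).Sddl
        New-Object PSObject -Property @{ Folder = $folder; AclMatch = ($a -eq $b) }
    }
}

function Test-Sysv
olJunction {
    # "dir /a" lists the junction as <JUNCTION>; the ReparsePoint attribute is the same signal.
    param([string]$Path = $DfsrJunction)
    if (-not (Test-Path -Path $Path)) { return $false }
    $item = Get-Item -Path $Path -Force
    (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0)
}

function Get-DfsrLocalState {
    param([string]$Key = $MigratingKey)
    if (-not (Test-Path -Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key).'Local State'
}

$state = ConvertFrom-DfsrMigState -Output (& dfsrmig /GetGlobalState)
"Global state: $state   Local State (registry): $(Get-DfsrLocalState)"
if ($state -ne 'Prepared') { Write-Warning "Expected Prepared before moving to Redirected; got '$state'." }
"SYSVOL_DFSR\sysvol junction present: $(Test-SysvolJunction)"
Compare-SysvolAcl | Format-Table Folder, AclMatch -AutoSize
$diffs = @(Compare-SysvolTree)
if ($diffs.Count -eq 0) { "SYSVOL_DFSR\domain matches SYSVOL\domain." }
else { Write-Warning "SYSVOL_DFSR\domain differs from SYSVOL\domain:"; $diffs }
```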
New DFSR global state: ‘Redirected’ Migration will proceed to ‘Redirected’ state. The SYSVOL share will be changed to SYSVOL_DFSR folder. If any changes have been made to the SYSVOL share during the state transition from ‘Prepared’ to ‘Redirected’ please robocopy the changes from SYSVOL to SYSVOL_DFSR on any replicated RWDC. Succeeded.
d. Verify that DFS Replication global migration state is set to REDIRECTED 1. Launch command prompt if it is not already open. 2. Type DfsrMig /GetGobalState and then press ENTER 3. It will report
Current DFSR global state: Redirected Succeeded.
a. Launch a Command prompt b. Type DFSRMig /SetGlobalState 3 and then press ENTER c. It will report
Current DFSR global state: ‘Redirected’ New DFSR global state: ‘Eliminated’ Migration will proceed to ‘Eliminated’ state. It is not possible to revert this step. If any RODC is stuck in the ‘Eliminating’ state for too long then run with option /DeleteRoNtfrsMembers. Succeeded.
d. Verify that DFS Replication global migration state is set to ELIMINATED. 1. Type DfsrMig /GetGlobalState and then press ENTER 2. It will report
Current DFSR global state: Eliminated Succeeded.
e. Confirm all Domain Controllers are in sync with global state or in ELIMINATED state. 1. At the command prompt, type DfsrMig /GetMigrationState and then press ENTER 2. It will list Domain Controllers that are not in sync with Global State. 3. If any of the Domain Controllers are listed there, then Force Active Directory replication using following command Repadmin /syncall /Ade Manually poll Active Directory on a Domain Controller using DfsrDiag PollAD OR Remotely from any other Domain Controller using DfsrDiag PollAD /Member:<Domain Controller name> f. The DfsrMig performs following actions: 1. Deletes the NTFRS SYSVOL Active Directory configuration objects. a) b) Launch Adsiedit.msc and connect to Default naming context. Expand CN=DFSR-LocalSettings,CN=2008-01,OU=Domain Controllers DC=Contoso, DC=com.
         c) Select CN=Domain System Volume. The details pane shows the CN=SYSVOL Subscription object of class msDFSR-Subscription.
         d) Confirm there is no longer a CN=NTFRS Subscriptions object for SYSVOL under CN=2008-01.
         e) Expand CN=File Replication Service,CN=System.
         f) Select CN=Domain System Volume (SYSVOL share). Confirm it does not have any nTFRSMember objects.
         g) Close Adsiedit.msc.
      2. Deletes the content under the SYSVOL folder.
         a) Start Windows Explorer.
         b) Navigate to %SystemRoot%.
         c) Confirm there is no Policies or Scripts folder inside the SYSVOL folder (the live data now lives under SYSVOL_DFSR).
         d) Close Windows Explorer.
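The checks above (repadmin /showattr on msDFSR-Flags, DfsrMig /GetMigrationState, and the ADSI Edit walk through each DC's DFSR-LocalSettings and the FRS replica set) can be done from one console. The script below is an added example and not part of the lab manual; it assumes the lab's contoso.com domain, that it runs on a domain controller as a domain administrator, and that the domain controllers are the computer objects under OU=Domain Controllers. The msDFSR-Flags values it decodes are the ones DfsrMig stores for the global state (0 Start, 16 Prepared, 32 Redirected, 48 Eliminated).

```powershell
# Added example (not part of the lab manual): verify the SYSVOL migration state
# for every DC from one place instead of opening ADSI Edit on each machine.
# Assumes contoso.com and a domain-admin session on a DC.
param(
    [string]$Domain = "contoso.com",
    [switch]$KickReplication    # run repadmin/dfsrdiag for DCs that lag behind
)

# msDFSR-Flags on CN=DFSRGlobalSettings is what dfsrmig /GetGlobalState reads.
$stateNames = @{ 0 = "Start"; 16 = "Prepared"; 32 = "Redirected"; 48 = "Eliminated" }
$dnc = ([ADSI]"LDAP://$Domain/RootDSE").defaultNamingContext

function Test-AdObject([string]$dn) {
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Domain/$dn")
}

# 1. Global state, the same attribute the lab checks with repadmin /showattr.
$globalSettings = [ADSI]"LDAP://$Domain/CN=DFSRGlobalSettings,CN=System,$dnc"
$globalFlags = [int]$globalSettings.Properties["msDFSR-Flags"].Value
$globalName = if ($stateNames.ContainsKey($globalFlags)) { $stateNames[$globalFlags] } else { "transitional" }
Write-Host ("Global DFSR migration state: {0} ({1})" -f $globalFlags, $globalName)

# 2. Per-DC objects: the computer objects under OU=Domain Controllers, as ADSI Edit shows them.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$Domain/OU=Domain Controllers,$dnc"
$searcher.Filter = "(objectClass=computer)"
[void]$searcher.PropertiesToLoad.Add("name")
$dcNames = @($searcher.FindAll() | ForEach-Object { $_.Properties["name"][0] })

$expectDfsrSubscription = $globalFlags -ge 16   # created when a DC reaches Prepared
$expectNoNtfrsObjects   = $globalFlags -ge 48   # removed when a DC reaches Eliminated
$lagging = @()
foreach ($dc in $dcNames) {
    $dcDn = "CN=$dc,OU=Domain Controllers,$dnc"
    $hasDfsrSub  = Test-AdObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
    $hasNtfrsSub = Test-AdObject "CN=NTFRS Subscriptions,$dcDn"
    $ok = ((-not $expectDfsrSubscription) -or $hasDfsrSub) -and ((-not $expectNoNtfrsObjects) -or (-not $hasNtfrsSub))
    if (-not $ok) { $lagging += $dc }
    Write-Host ("{0,-12} DFSR subscription: {1,-5} NTFRS subscription: {2,-5} {3}" -f `
        $dc, $hasDfsrSub, $hasNtfrsSub, $(if ($ok) { "ok" } else { "NOT IN SYNC" }))
}

# 3. The FRS replica set must hold no nTFRSMember objects once elimination has completed.
$replicaSet = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$dnc"
$memberCount = 0
if (Test-AdObject $replicaSet) {
    $members = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain/$replicaSet", "(objectClass=nTFRSMember)")
    $memberCount = $members.FindAll().Count
}
Write-Host "nTFRSMember objects left in the SYSVOL replica set: $memberCount"

# 4. DfsrMig's own view, for comparison with what the directory objects say.
& dfsrmig.exe /GetMigrationState

# 5. Optionally do what the lab does by hand when a DC is listed as out of sync.
if ($lagging.Count -gt 0 -and $KickReplication) {
    & repadmin.exe /syncall /AdeP
    foreach ($dc in $lagging) { & dfsrdiag.exe PollAD /Member:$dc }
}
```

Run it once after each SetGlobalState step; a DC that still has CN=NTFRS Subscriptions after the global state reads Eliminated is the case the lab's step e is designed to catch, and -KickReplication issues the same repadmin and DfsrDiag PollAD commands the lab prescribes.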
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Version 1.0
During this lab, you will learn about Group Policy changes and FGPP. Estimated time to complete this lab: 75 minutes
Before You Begin
Before starting this lab, you should:
■ Have an understanding of FGPP
Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-01
■ 2003-DC1
■ You must log on as an administrative user in order to perform all of the tasks in this lab.
Exercise 1: Create a New Password Settings Object (PSO)
Scenario
You are the administrator of Contoso.com domain. You have been asked to set up a password policy for your users in Managers group with password’s minimum length to be of 10 characters.
Tasks
1. On 2008-01, verify the domain functional level is set to Windows Server 2008. Fine-grained password policies require this domain functional level.
   a. Log on to 2008-01 as Contoso\administrator.
   b. Launch Server Manager if it is not already open: click Start, Administrative Tools, and then Server Manager.
   c. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | Contoso.com.
   d. Right click Contoso.com and select Raise domain functional level...
   e. Confirm Current domain functional level is set to Windows Server 2008.
   f. Click Close.
2. Create a new Password Settings Object named managers with a minimum password length of 10 characters.
   a. Click Start, Run, type Adsiedit.msc and click OK.
   b. Connect to Default naming context.
   c. Expand CN=System,DC=Contoso,DC=com.
   d. Right click CN=Password Settings Container and select New, Object...
   e. This launches the Create Object wizard.
   f. Confirm the msDS-PasswordSettings class is selected and click Next.
3. Test the password policy by resetting the password of Lisa Miller, a member of the Managers group, to seven characters from Active Directory Users and Computers. It should fail. Then test with 10 or more characters. Seven characters satisfies the Default Domain Policy's default minimum of 7, so the failure demonstrates that the PSO, not the domain policy, is being applied to this user.
   a. Launch Server Manager if it is not already open: click Start, Administrative Tools, and then Server Manager.
   b. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | Contoso.com.
   c. Select Lisa Miller in the Training Organizational Unit. Right click the Lisa Miller account and select Properties. Click the Member Of tab and verify Lisa Miller is a member of the Managers group. Click OK to close the user properties.
   d. Right click the user account and select Reset Password... Type a password with seven characters. It will report an error stating that Windows cannot complete the password change because the password does not meet the password policy requirements. Click OK.
   e. Right click the user account again and select Reset Password... Type a password that has 10 or more characters and click OK. It will report, "The password has been changed." Click OK.
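Exercise 1 ends before the wizard's attribute pages, and the reset test is done by hand in the GUI. The script below is an added example, not part of the lab manual or a Microsoft-provided script; it creates the PSO with every attribute the msDS-PasswordSettings class requires, links it to the Managers group, reads back which PSO wins for a user, and repeats the seven-versus-ten-character test. It uses ldifde because the duration attributes are large integers (negative counts of 100-nanosecond ticks) that are awkward to set through the [ADSI] adapter. Assumptions: the contoso.com domain, the Managers group located under CN=Users, the user lmiller as Lisa Miller's logon name, and domain-default values for everything the exercise does not specify.

```powershell
# Added example (not part of the lab manual): create the "managers" PSO, apply it to the
# Managers group and verify it the way the exercise does, without the GUI.
param(
    [string]$Domain   = "contoso.com",
    [string]$PsoName  = "managers",
    [string]$GroupDn  = "CN=Managers,CN=Users,DC=contoso,DC=com",   # assumption: group location
    [string]$TestUser = "lmiller",                                    # assumption: Lisa Miller's logon name
    [int]$MinLength   = 10,
    [int]$Precedence  = 10    # lower number wins when several PSOs apply to one user
)

$dnc = ([ADSI]"LDAP://$Domain/RootDSE").defaultNamingContext

# AD stores these durations as negative 100-ns intervals; TimeSpan.Ticks is the same unit.
function ConvertTo-AdInterval([TimeSpan]$span) { return (-$span.Ticks).ToString() }

# Every attribute below is mandatory for msDS-PasswordSettings; values other than
# the minimum length mirror the usual domain defaults.
$psoDn = "CN=$PsoName,CN=Password Settings Container,CN=System,$dnc"
$ldif = @"
dn: $psoDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: $Precedence
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: $MinLength
msDS-MinimumPasswordAge: $(ConvertTo-AdInterval ([TimeSpan]::FromDays(1)))
msDS-MaximumPasswordAge: $(ConvertTo-AdInterval ([TimeSpan]::FromDays(42)))
msDS-LockoutThreshold: 0
msDS-LockoutObservationWindow: $(ConvertTo-AdInterval ([TimeSpan]::FromMinutes(30)))
msDS-LockoutDuration: $(ConvertTo-AdInterval ([TimeSpan]::FromMinutes(30)))
msDS-PSOAppliesTo: $GroupDn
"@

$ldifPath = Join-Path $env:TEMP "$PsoName.ldf"
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
& ldifde.exe -i -k -f $ldifPath        # -k: keep going if the object already exists
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

# msDS-ResultantPSO is a constructed attribute: it is only returned when asked for by name.
function Get-ResultantPso([string]$sam) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain/$dnc")
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.Add("msds-resultantpso")
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "user $sam not found" }
    if ($result.Properties.Contains("msds-resultantpso")) { return $result.Properties["msds-resultantpso"][0] }
    return $null    # no PSO applies: the Default Domain Policy governs this account
}

$resultant = Get-ResultantPso $TestUser
Write-Host ("Resultant PSO for {0}: {1}" -f $TestUser, $(if ($resultant) { $resultant } else { "(none, default domain policy)" }))
$enforced = ([ADSI]"LDAP://$Domain/$psoDn").Properties["msDS-MinimumPasswordLength"].Value
Write-Host "Minimum password length enforced by ${PsoName}: $enforced"

# The exercise's test without the GUI. This really resets the account's password (lab use only).
function Test-PasswordReset([string]$sam, [string]$password) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain/$dnc", "(sAMAccountName=$sam)")
    $user = $searcher.FindOne().GetDirectoryEntry()
    try { $user.Invoke("SetPassword", $password); return $true }
    catch { return $false }   # "does not meet the password policy requirements"
}
# Expected: the 7-character reset is rejected, the 10-character reset is accepted.
Write-Host ("7-character reset accepted:  {0}" -f (Test-PasswordReset $TestUser "Ab1!xyz"))
Write-Host ("10-character reset accepted: {0}" -f (Test-PasswordReset $TestUser "Ab1!xyzQ9w"))
```

The precedence value matters as soon as a second PSO exists: when a user is covered by several PSOs through group membership, the one with the lowest msDS-PasswordSettingsPrecedence applies, and a PSO linked directly to the user object beats any group-linked PSO. Reading msDS-ResultantPSO, as the script does, is the only reliable way to see which one a given account actually gets.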
During this lab, you will learn about Group Policy changes and FGPP. Estimated time to complete this lab: 75 minutes
Before You Begin
Before starting this lab, you should:
■ Have an understanding of the new Group Policy changes
■ Have an understanding of FGPP
What You Will Learn
After completing this lab, you will be able to:
■ Create a Central Store
■ Configure and use GPEdit logging
■ Create and use Starter GPOs
■ Use folder redirection to share data between V1 and V2 user profiles
■ Understand what password policies and account lockout policies are
Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-01

■ You must log on as an administrative user in order to perform all of the tasks in this lab.
Exercise 1: Enabling GPEDIT logging and Create a Central Store
Task 1: Enable GPEDIT logging
1. Log on to 2008-01 as Contoso\Administrator.
2. Run Regedit.exe.
3. Enable GPEDIT logging:
   a. Debug logging for GPEDIT is controlled by a REG_DWORD value named GPEditDebugLevel under the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
   b. Create the value GPEditDebugLevel (REG_DWORD) under that key and set it to hexadecimal 10002.
   c. Close the Registry Editor. The log is written to %SystemRoot%\debug\usermode\gpedit.log.
Task 2: Creating and Using a Central Store
Note
There is no user interface for populating the central store in Windows Vista or Windows Server 2008 at this time. This procedure shows how to populate the central store from the command line.
1. To populate the Central Store, open a command window on server 2008-01.
2. To copy all the language-neutral and language-specific ADMX/ADML files from your Windows Server 2008-01 system to the central store on your domain controller using the xcopy command, type:
   Xcopy /S %systemroot%\PolicyDefinitions\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions
   The destination is inside SYSVOL, so the files replicate to every domain controller; %logonserver% only chooses which DC receives the initial copy.
   Type a name for the GPO and click OK.
   Expand the Group Policy Objects node.
   Right-click the name of the GPO you created and click Edit.
   Select Administrative Templates under Computer Configuration, Policies.
   In the right pane, view the message stating Administrative Templates: Policy definitions (ADMX files) retrieved from the central store.
10. Click Printers under Administrative Templates and select Web-based Printing.
11. Select Enabled and click OK.
12. Close Group Policy Management Editor.
13. Open c:\windows\debug\usermode\gpedit.log.
14. Review the log and notice the entry stating Successfully wrote: Software\Policies\Microsoft\Windows NT\Printers\DisableWebPrinting.
Important
The Group Policy Object Editor automatically reads all ADMX files stored in the central store. When there is no central store, the Group Policy Object Editor reads the local versions of the ADMX files used by the local GPO on your Windows Vista™ administrative machine.
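Exercise 1 sets the registry value by hand and copies the ADMX files with xcopy but never checks that the store is complete. The script below is an added example, not part of the lab manual; it enables the logging value, builds the central store, proves the copy matches the local PolicyDefinitions folder file for file, and pulls the "Successfully wrote" lines out of gpedit.log. It assumes it runs on 2008-01 as a domain administrator and addresses the store through the domain's DNS name (\\contoso.com\SYSVOL\...) rather than %logonserver%, so any DC can serve it.

```powershell
# Added example (not part of the lab manual): enable GPEDIT debug logging, populate the
# central store and verify it. Assumes a domain-admin session on 2008-01.
param([string]$Domain = $env:USERDNSDOMAIN)

# 1. GPEditDebugLevel is a REG_DWORD *value* under the Winlogon key, not a key of its own.
$winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
New-ItemProperty -Path $winlogon -Name GPEditDebugLevel -PropertyType DWord -Value 0x10002 -Force | Out-Null

# 2. Copy PolicyDefinitions (ADMX files plus the language subfolders) into SYSVOL.
$source = Join-Path $env:SystemRoot "PolicyDefinitions"
$store  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
& robocopy.exe $source $store /E /R:1 /W:1 /NP /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }  # 0-7 mean success

# 3. Verify: every source file must exist in the store with an identical SHA-256.
function Get-Sha256Hex([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($stream))).Replace("-", "") }
    finally { $stream.Close() }
}

function Compare-PolicyStore([string]$src, [string]$dst) {
    $problems = @()
    foreach ($file in Get-ChildItem -Path $src -Recurse | Where-Object { -not $_.PSIsContainer }) {
        $relative = $file.FullName.Substring($src.Length).TrimStart("\")
        $copy = Join-Path $dst $relative
        if (-not (Test-Path $copy)) { $problems += "missing: $relative"; continue }
        if ((Get-Sha256Hex $file.FullName) -ne (Get-Sha256Hex $copy)) { $problems += "differs: $relative" }
    }
    return $problems
}

$diff = Compare-PolicyStore $source $store
if ($diff.Count -eq 0) { Write-Host "Central store at $store matches $source" }
else { $diff | ForEach-Object { Write-Warning $_ } }

# 4. After editing a GPO (for example enabling Web-based Printing) the editor logs every
#    registry write it performs; these lines are what step 14 of the exercise looks for.
$log = Join-Path $env:SystemRoot "debug\usermode\gpedit.log"
if (Test-Path $log) { Select-String -Path $log -Pattern "Successfully wrote" | Select-Object -Last 5 }
```

Because the Group Policy Object Editor silently prefers the central store whenever one exists, a store that is missing a file or holds a stale ADMX changes what every administrator in the domain can see and set; the hash comparison is the check to rerun after each service pack or ADMX update is copied in.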
Exercise 2: Creating and Using Starter GPO’s
Scenario
As an administrator for Contoso.com, you plan on delegating permissions to other users to administer specific Organizational Units in the future. To aid the other users in Group Policy creation, you are going to prepare a Starter GPO that contains helpful pre-configured Administrative Template settings.
   Right click Starter GPOs and then click New.
   In the New Starter GPO dialog box, type Contoso Base in the Name box and click OK.
   Right click Contoso Base and select Edit. Notice that only Administrative Templates settings are available to manage in a Starter GPO.
   Change an Administrative Template setting under User or Computer Configuration, then close the Group Policy Editor window.
2. Create a new policy from the Starter GPO.
   a. Right click Contoso Base and then click New GPO from Starter GPO.
   b. In the New GPO dialog box, type Training Policy in the Name box and click OK.
Exercise 4: Create a network share for all computers in the domain via Preferences in group policy
Task 1:
1. Log on as contoso\administrator on 2008-01.
2. Create a folder C:\scripts.
3. Edit the Default Domain Policy:
   a. Click Start | Run and type gpmc.msc.
   b. Double click Domains and then Contoso.com.
   c. Right click the Default Domain Policy and click Edit.
4. Click Computer Configuration | Preferences | Windows Settings | Network Shares.
   a. Under Group Policy Management Editor, click Computer Configuration, Preferences, Windows Settings and then Network Shares.
5. Right click Network Shares, select New and then Network Share, and enter:
   Action: Create
   Share name: 2008TEST
   Folder path: C:\scripts
   Leave the rest as default settings and click OK.
6. Force Group Policy application by typing gpupdate /force at the command prompt. Select Y when prompted to log off. Log on again, open a command prompt and type net share. You will see a share named 2008TEST pointing to C:\scripts on 2008-01.
   Because the item lives in the Default Domain Policy, every computer in the domain will attempt to create the same share when it applies the policy. In production, put preference items in a dedicated GPO linked to the OU that should receive them rather than in the Default Domain Policy.
Exercise 5: Create a mapped drive for users in the Domain Admins group via Preferences in group policy
Task 1:
1. On 2008-01, edit the Default Domain Policy.
   a. Log on to 2008-01. Click Start | Run and type gpmc.msc.
   b. Double click Domains and then Contoso.com.
   c. Right click the Default Domain Policy and click Edit.
2. Click User Configuration | Preferences | Windows Settings | Drive Maps.
   a. Under Group Policy Management Editor, click User Configuration, Preferences, Windows Settings and then Drive Maps.
3. Create a new mapped drive preference setting.
   a. Right click Drive Maps and select New and then Mapped Drive.
   b. In the New Drive Properties window, select the following:
      1) Action: Create
      2) Location: \\2008-01\c$
      3) Label as: MyDrive
      4) Drive Letter: Use first available, starting at: E
      5) Keep the rest of the settings as default.
   c. Click the Common tab, select Item-level targeting and then click Targeting...
   d. Click New Item and select Security Group. Click Browse..., type Domain Admins and click Check Names. Click OK, then click OK again.
4. Force Group Policy application by typing gpupdate /force at the command prompt. Select Y when prompted to log off. Log on again, open My Computer and view MyDrive pointing to \\2008-01\C$.
   (Optional) Test by logging on to Vista-01 as a Domain Admin and as a non-admin user and confirm whether the drive is mapped. Item-level targeting is evaluated on the client at logon, so only the Domain Admins session should receive the drive.
Exercise 6: Disable a preference setting
Task 1:
1. On 2008-01, edit the Default Domain Policy.
   a. Log on to 2008-01. Click Start | Run and type gpmc.msc.
   b. Double click Domains and then Contoso.com.
   c. Right click the Default Domain Policy and click Edit.
2. Click User Configuration | Preferences | Windows Settings | Drive Maps.
   a. Under Group Policy Management Editor, click User Configuration, Preferences, Windows Settings and then Drive Maps.
3. Click the drive letter in the right console pane to select the preference item, then click the red circle with a slash on the toolbar to disable it.
4. Force Group Policy application by typing gpupdate /force at the command prompt. Select Y when prompted to log off.
5. Log on again, open My Computer and verify that MyDrive is no longer available.
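Exercises 4 to 6 create, target and disable preference items through the editor, but what clients actually apply is the XML the editor writes under each GPO's Machine\Preferences and User\Preferences folders in SYSVOL. The script below is an added example, not part of the lab manual; it parses those files and reports for each item the action, the target (share folder or UNC path), the item-level targeting filters and whether the item is disabled, which is exactly what the three exercises changed. The two embedded documents are constructed to match the exercises (the clsid and uid GUIDs are placeholders, the element and attribute names follow the preferences XML layout); pass -SysvolPolicies with the Policies folder of a real domain to audit live GPOs instead.

```powershell
# Added example (not part of the lab manual): audit Group Policy Preferences from the
# XML in SYSVOL. Sample documents below are constructed; GUIDs are placeholders.
param([string]$SysvolPolicies = "")   # e.g. \\contoso.com\SYSVOL\contoso.com\Policies

$sampleNetworkShares = @'
<NetworkShares clsid="{00000000-0000-0000-0000-000000000001}">
  <NetShare clsid="{00000000-0000-0000-0000-000000000002}" name="2008TEST" status="2008TEST" changed="2008-12-04 10:00:00" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="C" name="2008TEST" path="C:\scripts" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/>
  </NetShare>
</NetworkShares>
'@

$sampleDrives = @'
<Drives clsid="{00000000-0000-0000-0000-000000000003}">
  <Drive clsid="{00000000-0000-0000-0000-000000000004}" name="E:" status="E:" changed="2008-12-04 10:05:00" uid="{22222222-2222-2222-2222-222222222222}" disabled="1">
    <Properties action="C" thisDrivePath="\\2008-01\c$" label="MyDrive" persistent="0" useLetter="0" letter="E"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\Domain Admins" sid="S-1-5-21-1000000000-2000000000-3000000000-512" userContext="1" primaryGroup="0" localGroup="0"/>
    </Filters>
  </Drive>
</Drives>
'@

# Preference actions are stored as single letters.
$actionNames = @{ "C" = "Create"; "R" = "Replace"; "U" = "Update"; "D" = "Delete" }

function Get-GppItems([xml]$doc, [string]$origin) {
    $items = @()
    foreach ($node in $doc.DocumentElement.ChildNodes) {
        if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        $props = $node.SelectSingleNode("Properties")
        if ($props -eq $null) { continue }
        # Drive maps keep the UNC in thisDrivePath; shares keep the local folder in path.
        $target = $props.GetAttribute("thisDrivePath")
        if (-not $target) { $target = $props.GetAttribute("path") }
        $filters = @()
        foreach ($f in $node.SelectNodes("Filters/*")) {
            $negate = if ($f.GetAttribute("not") -eq "1") { "NOT " } else { "" }
            $filters += ("{0}{1}={2}" -f $negate, $f.LocalName, $f.GetAttribute("name"))
        }
        $item = New-Object PSObject
        $item | Add-Member NoteProperty Origin   $origin
        $item | Add-Member NoteProperty Type     $node.LocalName
        $item | Add-Member NoteProperty Name     $node.GetAttribute("name")
        $item | Add-Member NoteProperty Action   $actionNames[$props.GetAttribute("action")]
        $item | Add-Member NoteProperty Target   $target
        $item | Add-Member NoteProperty Disabled ($node.GetAttribute("disabled") -eq "1")
        $item | Add-Member NoteProperty Filters  ($filters -join "; ")
        # A cpassword attribute means a credential is stored in SYSVOL, readable by every domain member.
        $item | Add-Member NoteProperty EmbedsCredential ($props.HasAttribute("cpassword"))
        $items += $item
    }
    return $items
}

if ($SysvolPolicies) {
    # Live scan: every XML file below <GUID>\Machine\Preferences\... and <GUID>\User\Preferences\...
    $items = Get-ChildItem -Path $SysvolPolicies -Recurse -Include *.xml |
        Where-Object { $_.FullName -match '\\Preferences\\' } |
        ForEach-Object { Get-GppItems ([xml](Get-Content $_.FullName)) $_.FullName }
} else {
    $items = @(Get-GppItems ([xml]$sampleNetworkShares) "Machine\Preferences\NetworkShares\NetworkShares.xml") +
             @(Get-GppItems ([xml]$sampleDrives)        "User\Preferences\Drives\Drives.xml")
}
$items | Format-Table Type, Name, Action, Target, Disabled, Filters, EmbedsCredential -AutoSize
```

On the sample input the drive map shows up as Create, target \\2008-01\c$, filtered to CONTOSO\Domain Admins and Disabled = True, which is the end state after Exercise 6. On a live domain the same table tells you which GPOs push shares or admin-share drive maps to which security groups, and whether any preference item carries an embedded credential that should be removed.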
During this lab, you will use the Windows Server 2008 Backup features to backup, view, and restore Active Directory data. Estimated time to complete this lab: 60 minutes
Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server or Virtual PC
What You Will Learn
After completing this lab, you will be able to:
■ Back up Windows Server 2008 System State data.
■ Create a snapshot and mount the snapshot so that the backed-up directory information can be viewed in an LDAP browser.
■ Restore the System State backup.
Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-01
Important
You must log on as an administrative user in order to perform some of the tasks in this lab.
Administrative username and password: ____________________
Exercise 1: Use Windows Server Backup to backup and restore System State data
Scenario
As an administrator of Active Directory in Contoso.com, you need to test the correct Disaster Recovery procedures used for Active Directory in Windows Server 2008.
Tasks
1. Use Windows Server Backup to back up the Windows System State.
   a. Verify Windows Server Backup is installed, or install the Windows Server Backup feature.
      1) Log on to 2008-01 as contoso\Administrator.
      2) Launch Server Manager: click Start, Administrative Tools, then Server Manager.
      3) Select Features and verify Windows Server Backup is installed by looking at the list under Features Summary.
      4) If it is not installed, click Add Features in the right pane under Features Summary. This launches the Add Features Wizard.
      5) On the Select Features page, select Windows Server Backup Features. Expand Windows Server Backup Features, make sure Command-line Tools is checked, and click Next.
      6) On Confirm Installation Selections, select Install.
      7) Click Close on the Installation Results page.
   b. Create a system state backup.
      1) At the command prompt, type wbadmin start SystemStateBackup -backuptarget:D: and then press Enter.
      2) When prompted, enter C and press Enter, then enter Y and press Enter.
      Important: The backup could take up to 90 minutes to complete, depending on hardware resources.
      3) Examine the contents of D:\WindowsImageBackup\2008-01\SystemStateBackup\Backup\<date>.
         a) Notice the backup file has a .vhd extension.
2. Create a snapshot using Ntdsutil.exe.
   a. At the command prompt, type ntdsutil snapshot.
   b. At the snapshot prompt, type activate instance ntds.
   c. At the snapshot prompt, type create.
3. Mount the snapshot created in step 2 using Ntdsutil.exe.
   a. Mount the snapshot.
      1) At the snapshot prompt, type list all.
      2) At the snapshot prompt, type mount 1.
   b. View the contents of C:\$SNAP_<datetime>_VOLUMEC$\.
      1) Notice you can browse to the ntds.dit file at C:\$SNAP_<datetime>_VOLUMEC$\Windows\NTDS\ntds.dit.
4. Load the copy of ntds.dit from the snapshot and connect to the offline directory using an LDAP browser.
   a. Use Dsamain.exe to load the snapshot.
      1) At another command prompt, type dsamain -dbpath C:\$SNAP_<datetime>_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 5000
      Dsamain serves the mounted copy over LDAP on the port you choose. By default only members of Domain Admins and Enterprise Admins can bind to it (the -allowNonAdminAccess switch lifts that restriction), and the mount point exposes a complete copy of ntds.dit, password hashes included, on the file system. Stop Dsamain and unmount the snapshot as soon as you are finished with it.
   b. Launch LDP.exe and view the contents of the ntds.dit database.
      1) Launch ldp.exe.
      2) Click Connection | Connect.
      3) Change the port to 5000 and click OK.
      4) Click Connection | Bind.
      5) Click View | Tree.
         a) Notice you can view the directory data.
      6) In the Dsamain command window, press Ctrl+C and then press Enter.
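Steps 2 through 5 (create the snapshot, mount it, serve it with Dsamain, query it, stop Dsamain) are a sequence that is easy to leave half-finished, with a copy of ntds.dit mounted and an LDAP listener still running. The script below is an added example, not part of the lab manual or a Microsoft-provided script; it drives the same ntdsutil and dsamain commands and always tears the mount down again. Assumptions: it runs on 2008-01 as a domain administrator, port 5000 and the user bsmith are the lab's values, and the two regular expressions match the text ntdsutil prints for create ("Snapshot set {GUID} generated successfully.") and mount ("... mounted as <path>").

```powershell
# Added example (not part of the lab manual): snapshot, mount, query via dsamain, clean up.
# Assumes a domain-admin session on 2008-01.
param([int]$Port = 5000, [string]$SamAccountName = "bsmith")

function Invoke-Ntdsutil([string[]]$commands) {
    # ntdsutil accepts its interactive commands as arguments; each array element is one command.
    return (& ntdsutil.exe $commands 2>&1 | Out-String)
}

function Wait-ForPort([int]$port, [int]$seconds) {
    for ($i = 0; $i -lt $seconds; $i++) {
        $client = New-Object System.Net.Sockets.TcpClient
        try { $client.Connect("127.0.0.1", $port); $client.Close(); return $true }
        catch { Start-Sleep -Seconds 1 }
    }
    return $false
}

# 1. Create the snapshot (steps 2a-2c) and keep the snapshot-set GUID ntdsutil prints.
$out = Invoke-Ntdsutil @("activate instance ntds", "snapshot", "create", "quit", "quit")
if ($out -match '\{[0-9A-Fa-f-]+\}') { $snapshotGuid = $Matches[0] } else { throw "snapshot creation failed:`n$out" }

# 2. Mount it (steps 3a); the path is C:\$SNAP_<datetime>_VOLUMEC$\ as in the exercise.
$out = Invoke-Ntdsutil @("snapshot", "list all", "mount $snapshotGuid", "quit", "quit")
if ($out -match 'mounted as (\S+)') { $mountPath = $Matches[1] } else { throw "mount failed:`n$out" }
$dbPath = Join-Path $mountPath "Windows\NTDS\ntds.dit"
Write-Host "Snapshot $snapshotGuid mounted; database copy at $dbPath"

# 3. Serve the offline database (step 4a). Only Domain/Enterprise Admins can bind unless
#    -allowNonAdminAccess is added, but the dit copy (hashes included) is now on disk,
#    so everything below runs inside try/finally to guarantee the teardown.
$dsamain = [System.Diagnostics.Process]::Start("dsamain.exe", "-dbpath `"$dbPath`" -ldapport $Port")
try {
    if (-not (Wait-ForPort $Port 60)) { throw "dsamain did not start listening on port $Port" }

    # 4. Query the snapshot the way ldp.exe does (step 4b), over LDAP on the alternate port.
    $dnc = ([ADSI]"LDAP://localhost:$Port/RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://localhost:$Port/$dnc")
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "whenChanged"))
    $hit = $searcher.FindOne()
    if ($hit -ne $null) {
        Write-Host ("Found in snapshot: {0} (last changed {1})" -f $hit.Properties["distinguishedname"][0], $hit.Properties["whenchanged"][0])
    } else {
        Write-Host "$SamAccountName is not present in this snapshot"
    }
}
finally {
    # 5. Same effect as Ctrl+C in the dsamain window (step 5), then unmount the dit copy.
    if (-not $dsamain.HasExited) { $dsamain.Kill(); $dsamain.WaitForExit() }
    Invoke-Ntdsutil @("snapshot", "unmount $snapshotGuid", "quit", "quit") | Out-Null
    Write-Host "dsamain stopped and snapshot $snapshotGuid unmounted"
}
```

The snapshot itself still exists after the unmount (ntdsutil snapshot "list all" shows it) and can be mounted again later; delete it with ntdsutil's snapshot delete command when it is no longer needed, since every retained snapshot is another full copy of the directory database, including password hashes, that a local administrator can mount.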
5. Delete the contoso\bsmith user account.
   a. Launch Server Manager: click Start, Administrative Tools, then Server Manager.
   b. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | contoso.com | Training.
   c. Find Ben Smith, and delete this account.
   Note: The above steps are necessary to unmount the Windows Server 2008 ISO to prevent accidentally selecting "Boot from CD or DVD" during the reboot.
   d. Restart the server.
   e. Enter Directory Services Restore Mode:
      1) Press F8 to enter Advanced Boot Options.
      2) Select Directory Services Restore Mode and press Enter.
6. Use Windows Server Backup to restore the Windows System State backup.
   a. Obtain the version identifier of the stored system state backup.
      1) At the command prompt, type wbadmin get versions.
      2) Note the Version identifier value.
   b. At the command prompt, type wbadmin start systemstaterecovery -version:<version identifier found in the previous step>
      Type Y when prompted: Do you want to start the system state recovery operation?
      Type Y when prompted: The replication engine used at backup time was `FRS`. You cannot use System State Recovery if the replication engine for SYSVOL changed from the backup time. If the replication engine has changed, abort this recovery and contact support. Do you want to proceed? [Y] Yes [N] No
   Note: If you are going to perform a restore after a SYSVOL migration to DFSR has been performed, you cannot use a system state backup taken while FRS was the replication engine for SYSVOL. Take a fresh system state backup once the migration has reached the Eliminated state.
7. Using ntdsutil.exe, authoritatively restore the user object. The authoritative restore marks the object so that it overwrites the deletion on the other domain controllers when replication resumes; a non-authoritative restore alone would be undone by the tombstone replicating back in.
   a. At the command prompt, type ntdsutil and press Enter.
   b. Type activate instance ntds and press Enter.
   c. Type authoritative restore and press Enter.
   d. Type restore object "CN=Ben Smith,OU=Training,DC=Contoso,DC=com" and press Enter.
   e. Type quit and press Enter, then type quit again and press Enter.
8. Restart the server into normal mode.
9. Verify the contoso\bsmith account is available after the restore.
   a. Launch Server Manager: click Start, Administrative Tools, then Server Manager.
   b. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | contoso.com | Training.
   c. Find Ben Smith.