
Windows Server Expert Workshop


Released: 4/16/2003 Microsoft Windows Server 2003 Expert Workshop

Hands-on Lab Exercises

Microsoft® Windows Server 2003 Expert Workshop Hands-on Lab Exercises


Table of Contents

TABLE OF CONTENTS ..... 2

CLASSROOM LAYOUT ..... 4

COMPUTER NAMES AND IP ADDRESSES ..... 5

LAB 01 – INSTALL & CONFIGURING DNS SERVER ..... 6

LAB 02 INSTALLING ACTIVE DIRECTORY ..... 13

LAB 03 – INSTALLING ADDITIONAL DOMAIN CONTROLLERS IN EACH DOMAIN ..... 18

LAB 04 – ELEVATE DOMAIN FUNCTIONAL LEVEL TO WINDOWS 2000 NATIVE MODE ..... 24

LAB 05 – TESTING THE AFFECTS OF REPLICATING CHANGES TO MULTI-VALUED ATTRIBUTES ..... 27

LAB 06 – ELEVATE FOREST FUNCTIONALITY TO WINDOWS SERVER 2003 AND TEST MULTI-VALUE REPLICATION ..... 30

LAB 07 – CREATE MULTIPLE SITES ..... 33

LAB 08 – TEST GLOBAL CATALOG FAILURE ..... 36

LAB 09 – ENABLE AND TEST UNIVERSAL GROUP CACHING ..... 39

LAB 10 – RESET DIRECTORY SERVICES RESTORE MODE PASSWORD (OPTIONAL) ..... 42

LAB 11 – CREATE AN INETORGPERSON OBJECT (OPTIONAL) ..... 44

LAB 12 – MARK A SCHEMA OBJECT AS DEFUNCT (OPTIONAL) ..... 46

LAB 13 – CREATE AN APPLICATION PARTITION ..... 49

LAB 14 – RENAMING OF DOMAIN CONTROLLERS ..... 53

LAB 15 – RENAMING DOMAIN NETBIOS NAME (TO BE PERFORMED ON THE LAST DAY AS AN OPTIONAL LAB) ..... 56

LAB 16 – SETUP AND TEST CROSS FOREST TRUSTS ..... 59

LAB 17 – IIS APPLICATION POOLS ..... 65

LAB 18 – TERMINAL SERVICES (OPTIONAL) ..... 73

LAB 19 – REMOTE ASSISTANT (OPTIONAL) ..... 76

LAB 20 – CREATE SOFTWARE RESTRICTION POLICY (OPTIONAL) ..... 80

LAB 21 – RESULT SET OF POLICY (RSOP) TOOLS (OPTIONAL) ..... 82

LAB 22 – RESTORE DEFAULT GPO’S (OPTIONAL) ..... 84

LAB 23 - USING VOLUME SHADOW COPY SERVICE TO RECOVER FILES ..... 86

LAB 24 – EFS ..... 90

LAB 25 – COMMAND LINE TOOLS (OPTIONAL) ..... 100

APPENDIX A ..... 102


CLASSROOM LAYOUT

[Figure: classroom layout diagram. Labels shown: Instructor; W2K3.Net; ForestW2K3; Forest A, Forest B, Forest E, Forest G; DomainA to DomainH; Server01 to Server16.]

All labs that are not optional must be done. This is to ensure that all labs at the end will function correctly. Optional labs are at the discretion of the instructor.


Computer Names and IP Addresses

Student Number   Computer Name   IP Address   Subnet Mask   DNS Address   Domain        Forest
01               Server01        10.1.1.1     255.255.0.0   10.1.1.1      DomainA.com   DomainA.com Forest
02               Server02        10.1.1.2     255.255.0.0   10.1.1.1      DomainA.com   DomainA.com Forest
03               Server03        10.1.2.3     255.255.0.0   10.1.2.3      DomainB.com   DomainA.com Forest
04               Server04        10.1.2.4     255.255.0.0   10.1.2.3      DomainB.com   DomainA.com Forest
05               Server05        10.1.1.5     255.255.0.0   10.1.1.5      DomainC.com   DomainC.com Forest
06               Server06        10.1.1.6     255.255.0.0   10.1.1.5      DomainC.com   DomainC.com Forest
07               Server07        10.1.2.7     255.255.0.0   10.1.2.7      DomainD.com   DomainC.com Forest
08               Server08        10.1.2.8     255.255.0.0   10.1.2.7      DomainD.com   DomainC.com Forest
09               Server09        10.1.1.9     255.255.0.0   10.1.1.9      DomainE.com   DomainE.com Forest
10               Server10        10.1.1.10    255.255.0.0   10.1.1.9      DomainE.com   DomainE.com Forest
11               Server11        10.1.2.11    255.255.0.0   10.1.2.11     DomainF.com   DomainE.com Forest
12               Server12        10.1.2.12    255.255.0.0   10.1.2.11     DomainF.com   DomainE.com Forest
13               Server13        10.1.1.13    255.255.0.0   10.1.1.13     DomainG.com   DomainG.com Forest
14               Server14        10.1.1.14    255.255.0.0   10.1.1.13     DomainG.com   DomainG.com Forest
15               Server15        10.1.2.15    255.255.0.0   10.1.2.15     DomainH.com   DomainG.com Forest
16               Server16        10.1.2.16    255.255.0.0   10.1.2.15     DomainH.com   DomainG.com Forest


Lab 01 – Install & Configuring DNS Server

NOTE: This lab must be done before continuing with the rest of the labs.

Prerequisites

• Must be familiar with DNS concepts and operations

Objectives

• Install DNS Server services

• Create Forward and Reverse Lookup Zones

• Create and configure Conditional Forwarding

• Test DNS by using nslookup command

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a standalone server.

• Static IP Address and subnet mask.

• DNS domain name. Refer to the table on page 5 for this information.


Exercise 1 - Installing the Primary DNS Server Service

Goal

In this exercise, you will configure the DNS domain name of your computer and install DNS.

NOTE: The installation of DNS services will only take place on the following servers: Server1, Server3, Server5, Server7, Server9, Server11, Server13 and Server15.

Tasks Detailed Steps

1. Start the Windows Components wizard and install the DNS subcomponent of the Networking Services. Copy the required files from the Windows Server 2003 Advanced Server compact disc.

a. Log on as Administrator with a password of password.

b. By default a screen called Manage Your Server will open. This screen allows you to add roles to your server and to manage your server roles.

c. Under Adding Roles to Your Server, click Add or remove a Role.

d. On the Preliminary Steps page, click Next.

e. On the Server Role page, select DNS Server and click Next.

f. On the Summary of Selections page, review the summary and click Next.

DNS will start to install. (Insert Windows Server 2003 CD when required)

2. Create a Standard Primary Forward Lookup Zone for your domain.

a. On the Welcome to the Configure a DNS Server Wizard page, click Next.

b. On the Select Configuration Action page, select Create forward and reverse lookup zones (recommended for large networks) and click Next.

c. On the Forward Lookup Zone page, select Yes, create a forward lookup zone now (recommended), click Next.

d. On the Zone Type page, select Primary Zone, click Next.

NOTE: Select Only Primary Zone on the first server in each domain.

e. On the Zone Name page, enter the zone name for example domainname.com and click Next.

f. Leave defaults on Zone File page, click Next.

g. On the Dynamic Update page, select Allow both non-secure and secure dynamic updates, click Next.


3. Create a Standard Primary Reverse Lookup Zone for your Network ID.

a. On the Reverse Lookup Zone page, select Yes, create a reverse lookup zone now, and click Next.

b. On the Zone Type page, select Primary Zone, click Next.

NOTE: The Primary Zone selection must only be used on the first server in each domain.

c. On the Reverse Lookup Zone Name page, enter the Network ID for your zone. For example 10.1.1

d. On the Zone File page leave as default, click Next.

e. On the Dynamic Update page, select Allow both secure and non-secure dynamic updates, click Next.

4. Create Forwarders to the instructor’s server.

a. On the Forwarders page, select Yes, it should forward queries to DNS servers with the following IP addresses

b. Enter the instructor’s server IP address: 10.1.200.1, click Next.

It will start searching for Root Hints.

c. On the Completing the Configure a DNS Server Wizard, click Finish.

NOTE: If an error message appears click OK. This message states that it could not configure the Root Hints. Once completed open the DNS server, right click the server name and then select properties. Under ServerX properties select root hints. Ensure that the root hints are available.

d. On the This Server is Now a DNS Server page, click Finish.

5. Enter the Primary DNS Suffix under the My Computer properties

a. Click Start → Right Click My Computer → Properties

b. Click Computer Name → Change → More

c. In the Primary DNS Suffix of this computer enter your DNS domain suffix. E.g. DomainX.com

d. Click OK to close all windows and then click Yes to restart the computer.


6. Ensure computer can resolve both forward and reverse lookups by means of NSLOOKUP

a. Log on as Administrator with the password of password

b. Click Start → Administrative Tools → DNS

c. Expand your Server, then expand reverse lookup zones

d. Click on your subnet

e. Ensure that a pointer record exists for your computer.

f. If the pointer record does not exist create a pointer record by right-clicking the subnet → New Pointer Record

g. Under the New Resource Record enter the IP address of the Host computer and enter the Host name under Host Name.

h. Once completed click OK and close all windows.

i. Open the command prompt. Start → Run → CMD

j. At the command prompt, type NSLOOKUP

k. You will receive the following:

Default: computername.domainname.com

Address: 10.1.x.x

l. Exit NSLOOKUP by typing exit at the command prompt.

7. Add your partner’s computer and IP Address to the Name Servers

a. Open the DNS console

b. Expand your server and then expand forward lookup zone

c. Right-click your Domain name → Properties → Name Servers

d. Under Name Servers, click Add

e. In the Server fully qualified Domain Name (FQDN), type your partner’s computer name. E.g. server02.domaina.com

f. Under IP Address, enter your partner’s IP Address, click Add, and then OK.

g. Click OK to close the Properties window. Close all other windows.

NOTE: DNS servers/services can still be installed using the Add/Remove Windows Components under Add/Remove Programs menu.


Exercise 2 – Installing the Secondary DNS Server Services

Goal

During this exercise you will install and configure your Server as a secondary DNS server. Only a secondary forward lookup zone will be created. The reverse lookup zone will be kept on the primary DNS Server. Thus no secondary reverse lookup zone needs to be created.

NOTE: The installation of DNS services will only take place on the following servers: Server2, Server4, Server6, Server8, Server10, Server12, Server14 and Server16.

Tasks Detailed Steps

1. Start the Windows Components wizard and install the DNS subcomponent of the Networking Services. Copy the required files from the Windows Server 2003 Advanced Server compact disc.

a. Log on as Administrator with a password of password.

b. By default a screen called Manage Your Server will open. This screen allows you to add roles to your server and to manage your server roles.

c. Under Adding Roles to Your Server, click Add or remove a Role.

d. On the Preliminary Steps page, click Next.

e. On the Server Role page, select DNS Server and click Next.

f. On the Summary of Selections page, review the summary and click Next.

DNS will start to install. (Insert Windows Server 2003 CD when required)

2. Create a Secondary Forward Lookup Zone for your domain.

a. On the Welcome to the Configure a DNS Server Wizard page, click Next.

b. On the Select Configuration Action page, select Create forward and reverse lookup zones (recommended for large networks) and click Next.

c. On the Forward Lookup Zone page, select Yes, create a forward lookup zone now (recommended), click Next.

d. On the Zone Type page, click to select Secondary zone, click Next.

e. On the Zone Name page, enter the Zone Name: and click Next.

f. On the Master DNS Servers page, enter the IP Address of your partner’s DNS server, click Add and then click Next.


g. On the Reverse Lookup Zone page, click No, don’t create a reverse lookup zone now, and click Next.

h. On the Forwarders page, select Yes, it should forward queries to DNS servers with the following IP addresses

i. Enter the instructor’s server IP address: 10.1.200.1, click Next.

It will start searching for Root Hints.

j. On the Completing the Configure a DNS Server Wizard, click Finish.

NOTE: If an error message appears click OK. This message states that it could not configure the Root Hints. Once completed open the DNS server, right click the server name and then select properties. Under ServerX properties select root hints. Ensure that the root hints are available.

k. On the This Server is Now a DNS Server page, click Finish.

3. Enter the Primary DNS Suffix under the My Computer properties

a. Click Start → Right Click My Computer → Properties

b. Click Computer Name → Change → More

c. In the Primary DNS Suffix of this computer enter your DNS domain suffix. E.g. DomainX.com

d. Click OK to close all windows and then click Yes to restart the computer.

Ask your partner to check to see if your pointer record has registered. If not ask him/her to create a pointer record.
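
An added example, not part of the workshop material: the pointer-record check in step 6 of Exercise 1 and the partner check above can be done for a whole zone by comparing the forward zone file with the reverse zone file. It assumes both zones are stored as standard master-format zone files; the zone contents and the function names are constructed for illustration from the classroom table.

```python
import ipaddress

# Constructed sample: forward zone domaina.com holding both classroom servers.
FORWARD_ZONE = """\
; constructed sample, not taken from a real server
@           IN  SOA server01.domaina.com. hostmaster.domaina.com. (
                1       ; serial
                900     ; refresh
                600     ; retry
                86400   ; expire
                3600 )  ; minimum TTL
@               NS  server01.domaina.com.
server01        A   10.1.1.1
server02        A   10.1.1.2
"""

# Constructed sample: reverse zone for Network ID 10.1.1.
# Server02 has not registered its pointer record yet.
REVERSE_ZONE = """\
@   IN  SOA server01.domaina.com. hostmaster.domaina.com. ( 1 900 600 86400 3600 )
@       NS  server01.domaina.com.
1       PTR server01.domaina.com.
"""


def absolute(name, origin):
    """Turn a zone-file name into a lower-case FQDN with a trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return name.lower() + "." + origin


def parse_records(zone_text, origin):
    """Return (owner, type, first rdata field) for each record in the zone text.

    Handles comments, '@', inherited owners, optional TTL/class fields and
    skips the continuation lines of a parenthesised record such as SOA.
    """
    origin = origin.rstrip(".").lower() + "."
    records, owner, depth = [], origin, 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        continuation = depth > 0
        depth += line.count("(") - line.count(")")
        if continuation:
            continue
        fields = line.split()
        if not raw[0].isspace():            # a new owner name starts in column 0
            owner = absolute(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                   # drop optional TTL and class
        if len(fields) >= 2:
            records.append((owner, fields[0].upper(), fields[1]))
    return records


def missing_ptrs(forward_text, forward_origin, reverse_text, reverse_origin):
    """List (host, ip, problem) for A records without a matching PTR record."""
    rev_origin = reverse_origin.rstrip(".").lower() + "."
    ptrs = {
        owner: absolute(target, rev_origin)
        for owner, rtype, target in parse_records(reverse_text, rev_origin)
        if rtype == "PTR"
    }
    problems = []
    for host, rtype, ip in parse_records(forward_text, forward_origin):
        if rtype != "A":
            continue
        expected = ipaddress.ip_address(ip).reverse_pointer + "."
        if not expected.endswith("." + rev_origin):
            continue                        # address belongs to another reverse zone
        if expected not in ptrs:
            problems.append((host, ip, "no PTR record"))
        elif ptrs[expected] != host:
            problems.append((host, ip, "PTR points to " + ptrs[expected]))
    return problems


if __name__ == "__main__":
    for host, ip, problem in missing_ptrs(
        FORWARD_ZONE, "domaina.com", REVERSE_ZONE, "1.1.10.in-addr.arpa"
    ):
        print(host, ip, problem)
```
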


Exercise 3 - Configure Conditional Forwarding in DNS

Goal

Students in each domain will be working as a team when setting up and configuring conditional forwarding between multiple DNS servers.

Tasks Detailed Steps

1. Perform the following tasks

• Test name resolution using NSLOOKUP.

• Set up conditional forwarding between partner forests’ DNS zones

• Use NSLOOKUP to verify resolution to partner’s forest.

• Perform for each forest and domain in class.

a. Open command prompt and type NSLOOKUP

b. At the prompt, type your partner’s FQDN and press ENTER.

c. Open the DNS console, right-click your computer name → Properties and select Forwarders.

d. Under DNS domain: click New and type in the domain name of all partner domains in the classroom.

e. Under Selected domain’s forwarder IP Address list: enter the DNS server IP address of your partner’s domain and click Add.

f. Use NSLOOKUP to see if you can resolve queries in your partner’s domain.

g. Perform this for all domains in the classroom.


Lab 02 Installing Active Directory

NOTE: This lab is dependent on lab 01.

Objectives

After completing this lab, you will be able to install Active Directory by using the Manage Your Server Wizard.

NOTE: The Manage Your Server is used to familiarise yourself with the new Wizards and tasks that can be performed. However, you can still promote a server to become a domain controller using the DCPROMO command.

Prerequisites

• Understand the logical components of Active Directory

• Understand the purpose and function of Domain Controllers

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a standalone server.

• Drive C formatted with NTFS

• Static IP Address and subnet mask.

• A domain name is required. Refer to the table on page 5 for this information.

• A forward lookup zone is required that matches your domain name. The forward lookup zone should have been created in exercise 1 of lab 01.


Exercise 1 – Installing Active Directory

Goal

In this exercise, you will create a Windows 2003 domain by installing Active Directory. This will only be done on one computer in each domain. The rest of the servers will be promoted during a different lab exercise.

Tasks Detailed Steps

1. Start the Active Directory Installation Wizard to create:

• A new domain controller for a new domain.

• A new domain tree.

• A new forest of domain trees

The following steps need to be performed on only these servers:

Server Name Forest Name

Server1 DomainA.Com Forest

Server5 DomainC.Com Forest

Server9 DomainE.Com Forest

Server13 DomainG.Com Forest

NOTE: These servers are the primary servers for each domain which will be containing all the FSMO roles and the global catalog service.

a. Log on as Administrator with a password of password.

b. On the Manage Your Server page, click Add or remove a role.

c. On the Preliminary Steps page, click Next.

d. On the Server Role page, select Domain Controller (Active Directory), click Next.

e. On the Summary of Selections page, click Next.

f. On the Welcome to the Active Directory Installation Wizard page, click Next.

g. On the Operating System Compatibility page, review the information then click Next.

h. On the Domain Controller Type page, select Domain Controller for a new domain, click Next.

i. In the Create New Domain page, select Domain in a new forest, click Next.

j. On the New Domain Name page, enter your domain name in and then click Next.

k. In the NetBIOS Domain Name page, select the default Domain NetBIOS name, click Next.

l. On the Database and Log Folders page, select the default settings and click Next.

m. On the Shared System Volume page, select the default settings and click Next.

n. Review the DNS Registration Diagnostics and click Next.

o. On the Permissions page, leave as default and click Next.

p. On the Directory Services Restore Mode Administrator Password page, enter the Restore Mode Password: password and Confirm password: password.

q. Review the summary and click Next.

r. Once completed Restart the Server.

s. Log on as Administrator and click Finish.

2. Start the Active Directory Installation Wizard to create:

• A new domain controller for a new domain.

• A new domain tree in an existing forest.

The following steps need to be performed on only these servers:

Server Name Forest Name

Server3 DomainA.Com Forest

Server7 DomainC.Com Forest

Server11 DomainE.Com Forest

Server15 DomainG.Com Forest

NOTE: These servers are the domain controllers for the second domains within each forest. They will not contain the Global Catalog service at this point.

a. Log on as Administrator and a password of password.

b. On the Manage Your Server page, click Add or remove a role.

c. On the Preliminary Steps page, click Next.

d. On the Server Role page, select Domain Controller (Active Directory), click Next.

e. On the Summary of Selections page, click Next.

f. On the Welcome to the Active Directory Installation Wizard page, click Next.

g. On the Operating System Compatibility page, review the information then click Next.

h. On the Domain Controller Type, select Domain controller for a new domain, click Next.

i. On the Create New Domain page, select Domain tree in an existing forest, click Next.

j. On the Network Credentials page, enter the administrator name and password. Enter the first domain name under Domain. For example

• Username = Administrator

• Password = password

• Domain = DomainA

k. On the New Domain Tree page, enter the DNS name for the new domain, click Next.

l. In the NetBIOS Domain Name page, select the default Domain NetBIOS name, click Next.

m. On the Database and Log Folders page, select the default settings and click Next.

n. On the Shared System Volume page, select the default settings and click Next.

o. Review the DNS Registration Diagnostics and click Next.

p. On the Permissions page, click Next.

q. On the Directory Services Restore Mode Administrator Password page, enter the Restore Mode Password: password and Confirm password: password.

r. Review the summary and click Next.

s. Once completed Restart the Server


3. Allow everyone the rights to logon locally onto the domain controllers and update the policy.

This only needs to be done from one Domain Controller.

a. Log on as Administrator with a password of password.

b. On the Manage Your Server page, select Manage users and computers in Active Directory.

c. In the left pane, right click Domain Controllers and select Properties.

d. Select Group Policy under Domain Controller Properties.

e. Select the Default Domain Controller Policy and Click Edit.

f. Under the Group Policy Object Editor page navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment.

g. Double click Allow log on locally.

h. Under the Allow log on locally window, click Add User or Group and add the Everyone group.

i. Click OK and close the Group Policy Object Editor window and the Domain Controller Properties window.

j. Close Manage Users and Computers in Active Directory.

k. From the run command type the following command: gpupdate
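
An added example, not part of the workshop material: the result of step h can be confirmed from the policy's security template (GptTmpl.inf), whose [Privilege Rights] section lists the principals holding each user right. The template text below is constructed, and the function names and the short list of broad well-known SIDs are this example's own choices.

```python
import re

# Well-known SIDs that each cover a very wide set of accounts.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# The same principals when the template stores a name instead of a SID.
BROAD_NAMES = {"everyone", "anonymous logon", "authenticated users", "users"}

# Constructed sample: template before step h (built-in operator groups only).
BEFORE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the same template after Everyone has been added.
AFTER = BEFORE.replace(
    "*S-1-5-32-551\nSeBackupPrivilege", "*S-1-5-32-551,*S-1-1-0\nSeBackupPrivilege"
)


def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section.

    The caller is expected to have decoded the file to text already.
    """
    rights, section = {}, None
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def broad_principals(rights, right="SeInteractiveLogonRight"):
    """Return the broad principals that hold the given user right."""
    found = []
    for principal in rights.get(right, []):
        if principal.startswith("*"):       # "*S-1-..." marks a SID entry
            label = BROAD_SIDS.get(principal[1:].upper())
        elif principal.lower() in BROAD_NAMES:
            label = principal
        else:
            label = None
        if label:
            found.append(label)
    return found


def newly_granted(before_text, after_text, right="SeInteractiveLogonRight"):
    """Return principals present for the right in after_text but not before_text."""
    before = {p.lower() for p in parse_privilege_rights(before_text).get(right, [])}
    after = parse_privilege_rights(after_text).get(right, [])
    return [p for p in after if p.lower() not in before]


if __name__ == "__main__":
    print("Broad principals with Allow log on locally:",
          broad_principals(parse_privilege_rights(AFTER)))
    print("Added since the earlier template:", newly_granted(BEFORE, AFTER))
```
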


Lab 03 – Installing additional domain controllers in each domain

NOTE: This lab is dependent on lab 02.

Objectives

After completing this lab, you will be able to promote a member server to become a second Domain Controller by using backup media.

Prerequisites

• Understanding of how to use replica from media

• Understanding of how to promote a server using the replica media

• Knowledge of performing backups

• Active Directory should have been configured in exercise 1 lab 02

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a standalone server

• Drive C formatted with NTFS

• Static IP Address and subnet mask

• Connectivity to your partners’ computer

• Sufficient disk space to keep a backup

• Access to the Support Tools


Exercise 1 - Backup Current Domain Controllers

Goal

During this exercise your partner will back up his/her domain controller. Once the backup process has completed you will then copy the AD Backup.bkf file to your computer.

Tasks Detailed Steps

1. Backup the current system state of the domain controller.

This part of the lab only needs to be performed on the student’s computer that contains Active Directory.

a. Open Windows Explorer.

b. On the C:\ drive create a folder called backup.

c. Once created, share this folder as backup

d. Open Backup. Start → All Programs → Accessories → System Tools → Backup

e. On the Welcome to the Backup or Restore Wizard page, deselect Always start in wizard mode, click Next.

f. On the Backup or Restore page, select Back up files and settings, click Next.

g. On the What to Back Up page, select Let me choose what to back up, click Next.

h. On the Items to Back Up page, expand My Computer on the left pane and select System State, click Next.

i. On the Backup Type, Destination and Name page, type or select the following:

• Select the backup type: File

• Choose a place to save your backup: Browse to C:\Backup

• Type a name for this backup: AD Backup

j. Click Next and then click Finish.

k. The backup process will start.


2. The following tasks need to be performed:

• Copy back up file to your computer.

• Create Restore folder

• Create Temp folder

These steps only need to be performed on the student’s computers who are member servers.

a. Open Windows Explorer.

b. On the C:\ drive, create a folder called Temp

c. On the C:\ drive, create a folder called Restore.

d. Connect to your partner’s computer and copy the AD Backup.bkf file to the Restore directory on your computer.


Exercise 2 – Promoting Member Servers to Domain Controllers using the Replicate from Media method

Goal

In this exercise the servers without Active Directory will be promoted by means of using the replicate from media method to become an Active Directory Domain Controller.

Tasks Detailed Steps

1. Restore System state data to temp directory.

These steps only need to be performed from the member server computers.

a. Open Backup. Start → All Programs → Accessories → System Tools → Backup

b. On the Welcome to the Backup or Restore Wizard page, deselect Always start in wizard mode, click Next.

c. On the Backup or Restore page, select Restore files and settings, click Next.

d. On the What to Restore page, click Browse and browse to the path c:\restore\Ad Backup.Bkf. Click OK.

e. In the Items to restore pane expand File, expand AD Backup.Bkf then select System State tick box. Click Next.

f. On the Completing the Restore Wizard page, click Advanced.

g. On the Where to Restore page, select Restore files to: Alternative location.

h. In the Alternative Location: Type or Browse to c:\temp, click Next.

i. On the How to Restore page, select Leave existing files (Recommended), click Next.

j. On the Advanced Restore Options page, accept the defaults and click Next.

k. On the Completing the Restore Wizard page, click Finish.

2. Promote the server to a Domain Controller using the restored data

a. From the Run command type DCPROMO /ADV

b. On the Welcome to the Active Directory Installation Wizard page, click Next.


c. On the Operating System Compatibility page, click Next.

d. On the Domain Controller Type page, select Additional Domain Controller for an existing domain, click Next.

e. On the Copying Domain Information page, select the From these restored backup files and then Browse to C:\temp, click OK, then Next.

f. On the Global Catalog page, select No, click Next.

NOTE: This Domain Controller must NOT become a Global Catalog server at this point in time.

g. On the Network Credentials page, enter the administrator’s username and password and confirm the domain name is correct, click Next.

h. On the Database and Log Folders page, accept the default locations by clicking Next.

i. On the Shared System Volume page, accept the default locations by clicking Next.

j. On the Directory Services Restore Mode Administrator Password page, in the Password and Confirm password boxes, type password and then click Next.

k. On the Summary page, review the options you selected, and then click Next.

l. When the Completing the Active Directory Installation Wizard page appears, click Finish and then restart your computer.


Exercise 3 – Install Support Tools

Goal

This exercise needs to be performed on all the servers. The Windows 2003 Advanced server support tools and utilities need to be installed for later exercises.

Tasks Detailed Steps

1. Install Windows 2003 Server Support Tools

a. Open Windows Explorer

b. Select the CD-Rom drive and then double click the Support folder.

c. Double click the Tools folder.

d. Double click suptool.msi

e. On the Welcome to the Windows Support Tools Setup Wizard page, click Next.

f. On the End User License Agreement page, select I Agree then click Next.

g. On the User Information page, select default values and click Next.

h. On the Destination Directory page, accept the default locations and click Install Now.

i. On the Completing the Windows Support Tools Setup Wizard page, click Finish.


Lab 04 – Elevate Domain functional level to Windows 2000 Native Mode

NOTE: Do not rush through this lab exercise. If you do, you will not be able to go back and correct your mistake! This lab is dependent on lab 02.

Objectives

After completing this lab, you will be able to determine which mode the domain is in and raise the Domain functionality.

Prerequisites

• Knowledge about the different Active Directory versioning

• Knowledge about the different Active Directory functionality levels

Lab Setup

To complete this lab, you require a computer running Windows Server 2003 that is configured as a Domain Controller.


Exercise 1

Goal

This exercise consists of the following steps:

1. Use ADSI Edit to determine the current domain mode.

2. Raising the domain functional level to enable additional functionality. This will be required for later exercises.

3. Use ADSI Edit to verify the change in the functional level.

Tasks Detailed Steps

1. Use ADSI Edit to verify that nTMixedDomain = 1

This part of the exercise needs to be performed by all the students.

a. From the Run Command type MMC then click OK.

b. On the Console click File → Add/Remove Snap-in…

c. Under Add/Remove Snap-in click Add

d. Under Add Standalone Snap-in, select ADSI Edit and click Add, then close once added.

e. On the Add/Remove Snap-in page, click OK.

f. On ADSI Edit right click and select Connect to

g. Connection Settings window appears, accept default settings and click OK.

h. Expand Domain.

i. Right click DC=DomainX,DC=com (where X is your domain number) and select Properties.

j. Scroll down the attributes until you find nTMixedDomain. Check to see if the value is set to 1.

k. Click OK to close the Properties page.

l. Save the console as ADSI Edit under Administrative Tools


2. Raise the Domain Functionality to Windows 2000 Native

Only one student per domain needs to perform the following task.

a. Open Active Directory Users and Computers.

b. Right click DomainX.com (where X is your domain letter) and select Raise Domain Functional Level…

c. On the Raise Domain Functional Level page, ensure that Windows 2000 Native is selected and then click Raise.

d. A message appears stating: This change affects the entire domain. After you raise the domain functional level it cannot be reversed. Click OK.

e. A second message appears stating that the Functional level was raised successfully, click OK.

3. Use ADSI Edit to verify that nTMixedDomain = 0

All students need to perform the following section.

a. Open ADSI Edit console that you saved.

b. Right click DC=DomainX,DC=com (where X is your domain number) and select Properties.

c. Scroll down the attributes until you find nTMixedDomain. Check to see if the value is set to 0.

d. Click OK to close the Properties page and Exit the console.


Lab 05 – Testing the effects of replicating changes to multi-valued attributes

NOTE: This lab is dependent on lab 02.

Objectives

After completing this lab, you will be able to test the effects of replicating changes to multi-valued attributes.

Prerequisites

• Be familiar with Active Directory Users and Computers

• Understand how replication works between domain controllers

• Active Directory should have been configured as in exercise 1 lab 02

Lab Setup

To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers. Only one computer in each of the forests should be configured as a Global Catalog server.


Exercise 1

Goal

In this exercise you will test the effects of replicating changes to multi-valued attributes within an organization. Students will create several user accounts and add two of them to a group. Then the server with the global catalog will be unplugged and you will add two more users to the group, one from each of the domain controllers. Once completed you will plug the network cable back in and see which of these accounts successfully replicated across.

Tasks Detailed Steps

1. Create the following in the User container:

• Six user accounts: User1, User2, User3, User4, User5, User6

• Global Group called Group1

This part of the exercise can be performed by all students. Each student needs to create three (3) user accounts and one user will need to create a global group.

Open Active Directory Users and Computers.

a. Expand the domain name

b. On the User container right click → New → User

c. On the New Object – User page, Fill in the following details and then click Next

• First name: User1

• User logon name: User1

• User logon name (pre-Windows 2000): User1

d. Enter a password called password and confirm the password

e. Deselect User must change password at next logon, click Next and then click Finish.

f. Repeat Steps C – F until all six (6) users are created.

g. On the User container right click → New → Group

h. In the Group Name enter Group1 and leave the settings as default, click OK.

i. Double click the group called group1 and click the Members Tab.

j. Click Add, enter User1; User2 and then click Check Names, click OK twice.

k. Ensure that the users and group have replicated before continuing.

Unplug the Network Cable from the machine that contains the Global Catalog.


2. Perform the following

• Add User3 to Group1 on the first DC.

• Add User4 to Group1 on the second DC.

Perform these steps on the first DC

a. Double click the group called group1 and click the Members Tab.

b. Click Add, enter User3 and then click Check Names, and click OK twice.

Perform these steps on the second DC

c. Double click the group called group1 and click the Members Tab.

NOTE: A message appears stating that a Global Catalog cannot be located to retrieve the icons for the member list. Some icons may be shown. Click OK.

d. Click Add, enter User4 and then click Check Names, and click OK twice.

3. Plug the Network Cable back in and force replication

Perform the following task on any of the DCs

a. From the Run command type the following syntax: repadmin.exe /syncall /P

What are the results on the group membership and why?


Lab 06 – Elevate forest functionality to Windows Server 2003 and test multi-value replication

NOTE: This lab is dependent on lab 02 & lab 04

Objectives

After completing this lab, you will be able to:

• Elevate the forest functionality

• Test multi-value replication

Prerequisites

• Understand the different Forest functionalities

• Understand how replication works between domain controllers

• Domain functional level should have been configured as in exercise 1 Lab 04

Lab Setup

To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers. Only one computer in each of the forests should be configured as a Global Catalog server.


Exercise 1

Goal

This exercise is almost the same as in Lab 05. However you will first elevate the forest functionality to .Net and then test the effects of multi-valued replication. Once this has been done you will again disconnect the network cable from the Global Catalog server and add an account to the group on both domain controllers. Then plug the cable back in and replicate the information to see what effect the elevation of the forest functionality has.

Tasks Detailed Steps

1. Raise the Forest Functionality to Windows.Net

Perform the following task on only one of the Domain Controllers. Decide between you who will perform this task.

a. Open Active Directory Domains and Trusts.

b. Right click Active Directory Domains and Trusts and select Raise Forest Functional Level.

c. On the Raise Forest Functional Level accept the default settings and click Raise.

d. Two messages appear, read the messages and then click OK for each of them.

2. Use ADSI Edit to verify that mSDS-Behavior-Version = 2

This task should be performed by all students.

a. Open ADSI Edit console that you saved.

b. Right click DC=DomainX,DC=com (where X is your domain number) and select Properties.

c. Scroll down the attributes until you find mSDS-Behavior-Version. Check to see if the value is set to 2.

d. Click OK to close the Properties page and Exit the console.

Unplug the Network Cable from the server that contains the Global Catalog.

3. Perform the following

• Add User5 to Group1 on the first DC.

• Add User6 to Group1 on the second DC.

Perform these steps on the first DC

a. Double click the group called group1 and click the Members Tab.

b. Click Add, enter User5 and then click Check Names, click OK twice.

Perform these steps on the second DC


c. Double click the group called group1 and click the Members Tab.

NOTE: A message appears stating that a Global Catalog cannot be located to retrieve the icons for the member list. Some icons may be shown. Click OK.

d. Click Add, enter User6 and then click Check Names, click OK twice.

4. Plug the Network Cable back in and force replication

Perform the following task on any of the DCs

a. From the Run command type the following syntax: repadmin.exe /syncall /P

Review the group membership. Is there a difference – Why?
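The Lab 05 and Lab 06 experiments can be reproduced with a small model. This is an added example, not part of the original workshop material: it puts replication of the member attribute as a single unit (Windows 2000 forest functional level) beside linked-value replication (Windows Server 2003 forest functional level). The DC names, GUIDs and clock ticks are constructed, and it assumes the write on the second DC carries the later timestamp.

```python
"""Model of the Lab 05 / Lab 06 experiment on Group1's multi-valued member attribute.

Added illustration, not Microsoft code. DC names, GUIDs and clock ticks are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    """Replication metadata of one originating write.

    Field order is the conflict-resolution order: higher version wins,
    then the later timestamp, then the higher originating-DSA GUID.
    """
    version: int
    timestamp: int
    dsa_guid: str


class AttributeLevelDC:
    """Windows 2000 forest functional level: 'member' replicates as one unit."""

    def __init__(self, name, guid):
        self.name, self.guid = name, guid
        self.members = frozenset()
        self.stamp = Stamp(0, 0, "")

    def add_members(self, users, now):
        # An originating write restamps the whole attribute.
        self.members = self.members | frozenset(users)
        self.stamp = Stamp(self.stamp.version + 1, now, self.guid)

    def replicate_from(self, other):
        # The winning stamp brings its complete value list; the loser's list is discarded.
        if other.stamp > self.stamp:
            self.members, self.stamp = other.members, other.stamp


class ValueLevelDC:
    """Windows Server 2003 forest functional level: linked-value replication
    stamps every member value separately. Removals are left out of this model."""

    def __init__(self, name, guid):
        self.name, self.guid = name, guid
        self.values = {}  # member name -> Stamp of the write that added it

    @property
    def members(self):
        return frozenset(self.values)

    def add_members(self, users, now):
        for user in users:
            old = self.values.get(user)
            self.values[user] = Stamp((old.version if old else 0) + 1, now, self.guid)

    def replicate_from(self, other):
        # Conflicts are resolved per value, so adds of different users never collide.
        for user, stamp in other.values.items():
            if user not in self.values or stamp > self.values[user]:
                self.values[user] = stamp


def run_lab(dc_class, baseline, add_on_dc1, add_on_dc2):
    """Replay the lab: replicated baseline, partition, one add per DC, then sync."""
    dc1 = dc_class("DC1", "guid-1")   # constructed names and GUIDs
    dc2 = dc_class("DC2", "guid-2")
    dc1.add_members(baseline, now=1)
    dc2.replicate_from(dc1)           # "ensure the group has replicated"

    # Network cable unplugged: each DC accepts one originating write.
    dc1.add_members([add_on_dc1], now=100)
    dc2.add_members([add_on_dc2], now=101)   # assumed to be the later write

    # Cable plugged back in, repadmin /syncall: replicate in both directions.
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)
    if dc1.members != dc2.members:
        raise RuntimeError("replicas did not converge")
    return sorted(dc1.members)


if __name__ == "__main__":
    lab05 = run_lab(AttributeLevelDC, ["User1", "User2"], "User3", "User4")
    lab06 = run_lab(ValueLevelDC, lab05, "User5", "User6")
    print("Lab 05 (attribute-level):", lab05)
    print("Lab 06 (value-level):    ", lab06)
```

In the model, Lab 05 ends with User1, User2 and User4 in Group1 and the User3 addition discarded without any error, while Lab 06 keeps both User5 and User6. A membership change that disappears silently matters when the group controls access, so the member list is worth reviewing after a partitioned DC is reconnected.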


Lab 07 – Create Multiple Sites

NOTE: This lab is dependent on lab 02.

Objectives

• Create a site and subnet

• Configure the properties of a site link

Prerequisites

• Understanding of TCP/IP subnets

• Understanding of Sites and Site Links

Lab Setup

• To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers.

• User performing the tasks should have Enterprise Admin Rights


Exercise 1

Goal

NOTE: Students should NOT modify their IP addresses at any stage during this lab!!

In this exercise students will work in teams to create several sites within Active Directory Sites and Services. In addition to this you will also create subnets and map these subnets to each of the sites that were created. After completing the creation of the sites and subnets you will then move the appropriate servers into the correct sites.

Tasks Detailed Steps

1. Create two new sites with the names Site1 and Site2 and link them to the DEFAULTIPSITELINK

Perform the following tasks on only one Domain Controller in each forest.

a. Open Active Directory Sites and Services from the Administrative Tools menu, right click Sites and then click New Site.

b. In the Name box, type Site1, select DEFAULTIPSITELINK and click OK.

c. Review the message and click OK.

d. Repeat steps B & C for Site2

2. Create a new subnet object with the network ID of 10.1.x.0/24 (where x is 1 for forest root domain and x = 2 for second domains). Associate the subnet object with your site.

a. In Active Directory Sites and Services, right click Subnets and then click New Subnet.

b. In the New Object – Subnet dialog box, in the Address box, type 10.1.x.0 (where x is 1 for forest root domain and x = 2 for second domains).

c. In the Mask box, type 255.255.255.0

d. Under Site Name, click Site1 and then click OK.

e. Repeat steps A – D for Site2

3. Perform the following tasks on/in the Inter-Site Transport object:

• Set the properties of Inter-Site Transport for the IP to Ignore Schedules.

• Change the DEFAULTIPSITELINK replication value to 15 minutes.

a. In Active Directory Sites and Services, expand Inter-Site Transports.

b. Right click IP and then click Properties.

c. On the Properties page, select Ignore Schedule and click OK.

d. In the IP object container right click DEFAULTIPSITELINK and click Properties.

e. On the DEFAULTIPSITELINK Properties page, change the Replicate every value to 15 minutes and click OK.

4. Move the server to the appropriate sites.

a. In Active Directory Sites and Services, expand Default-First-Site-Name then expand Servers.

b. Right click ServerX (where X is your server name in your domain) and then click Move.

c. In the Move Server page, click the Site to which your server needs to be moved and then click OK.

d. Repeat Steps B and C for all the domain controllers.

Run the following command on all servers: Repadmin /kcc serverX.domainX.com (where X is your server or domain number/letter).


Lab 08 – Test Global Catalog Failure

NOTE: This lab is dependent on lab 02.

Objectives

After completing this lab, you will be able to see and understand the importance of a Global Catalog server within an organization

Prerequisites

• Knowledge about the role of a Global Catalog server

• Sites and Subnets should have been configured in exercise 1 Lab 07

Lab Setup

• To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers.

• A single Global Catalog Server within each Forest


Exercise 1

Goal

All students that do not have a Global Catalog service on their domain controller will perform this exercise. You will log on as a client that does not have any administrative rights on the server to see the effect of a failed Global Catalog service, or of no Global Catalog service being available.

Tasks Detailed Steps

1. Check to see if the Everyone group has the rights to “Log on Locally”

a. Open Active Directory Users and Computers.

b. Expand your domain and right click Domain Controllers and select Properties.

c. Select Group Policy on the Domain Controllers Properties page.

d. Select the Default Domain Controller Policy and Click Edit

e. Under the Group Policy Object Editor page navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment.

f. Double click Allow log on locally.

g. Under the Allow log on locally window, Ensure that the Everyone group is added.

h. If not, add the Everyone group.

i. From the run command run: gpupdate.exe /force

2. Create user account in the 2nd domain of the forest and force replication after the creation of the account.

a. Open Active Directory Users and Computers.

b. Expand the domain name

c. On the User container right click → New → User

d. On the New Object – User page, Fill in the following details and then click Next

• First name: Peter1

• User logon name: Peter1

• User logon name (pre-Windows 2000): Peter1

e. Enter a password called password and confirm the password as password.

f. Deselect User must change password at next logon, click Next and then click Finish.

g. Force replication by running this syntax: repadmin.exe /syncall /P

Log on with the newly created account on all GC servers. Then log off the account.

Unplug the Network Cable on the 1st DC/GC in the forest root domain. Perform this task on all the servers that contain Global Catalogs. These servers are 1, 5, 9 and 13.

3. On the second domain in the forest, logon as the newly created user in that domain. The Global Catalog must not be available. This can take some time.

What was the result and Why?

Plug the Network Cable back in once the lab has been completed.


Lab 09 – Enable and Test Universal Group Caching

NOTE: This lab is dependent on lab 02 & 07

Objectives

After completing this lab, you will be able to configure and manage Universal Group Caching.

Prerequisites

• Knowledge of Global Catalog servers

• Knowledge of Universal Group Caching

• Sites and Subnets should have been configured in exercise 1 Lab 07

Lab Setup

• To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers.

• A single Global Catalog Server within each Forest

• User performing the tasks should have Enterprise Admin Rights


Exercise 1

Goal

Only the students without a Global Catalog will be doing this exercise. In this exercise, you will enable universal group caching and test client logons once again to see the effects of universal group caching.

Tasks Detailed Steps

1. In the second domain set the “NTDS Site Settings” to cache membership from the “Partner site” which is the first domain. Force Replication.

This should only be done from the second domain in each of the forests.

NOTE: Before you can do this exercise you require Enterprise Admin rights. Use the Run As command when opening Active Directory Sites and Services. Log on as the Administrator of the root domain in your forest.

a. Open Active Directory Sites and Services, expand Sites and then select the site in which you want to Enable Universal Group Membership Caching.

b. In the Details pane on the right, right-click NTDS Site Settings and then click Properties.

c. Select the Enable Universal Group Membership Caching check box.

d. In Refresh Cache from, click Site1, the site from which Site2 will refresh its cache, and click OK.

e. From the Run command type the following syntax in: repadmin /syncall /P

Log on to the DC in the second domain with an account that does not have any admin rights. This will populate the cache.

Unplug the network cable from the back of the machine that hosts the Global Catalog.

From the second domain in the forest, log on with the user account that does not have administrative rights. Remember the Global Catalog must not be available.


What is the result and Why?


Lab 10 – Reset Directory Services Restore Mode password (Optional)

Objectives

After completing this lab, you will be able to reset the Directory Services Restore Mode password.

Prerequisites

• Knowledge about the NTDSUTIL utility

• Active Directory should be configured as in exercise 1 Lab 02

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller


Exercise 1

Goal

All students will perform this exercise. You must change the Directory Services Restore Mode Password.

Tasks Detailed Steps

1. Use the NTDSUTIL to reset the DSRM password to “password”

a. Open the Command Prompt window.

b. At the command prompt, type NTDSUTIL and press ENTER.

c. At the NTDSUTIL prompt type, set DSRM Password and press ENTER.

d. At the Set DSRM Password prompt, type Reset Password on Server Null (Null is used for the local server) and press ENTER.

e. At the Please type password for DS Restore Mode Administrator Account: type password and press ENTER.

f. At the Please confirm new password: type password and press ENTER.

g. At the Reset DSRM Administrator Password prompt, type quit and press ENTER

h. At the NTDSUTIL prompt, type quit and press ENTER

i. Close the command prompt window.


Lab 11 – Create an InetOrgPerson Object (Optional)

Objectives

After completing this lab, you will be able to create an InetOrgPerson.

Prerequisites

• Knowledge of using Active Directory Users and Computers

• Active Directory should be configured as in exercise 1 Lab 02

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller


Exercise 1

Goal

All students can perform this exercise. Here you will create an inetOrgPerson account within the Active Directory.

Tasks Detailed Steps

1. Create an inetOrgPerson account with a password of password.

a. Open Active Directory Users and Computers.

b. Expand your domain and right-click the Users container, select New and then select InetOrgPerson.

c. In the New Object – InetOrgPerson window, type studentX (where X is your student number) in the First name and User Logon name boxes, click Next.

d. In the password field type password and confirm the password. Deselect User must change password at next logon, click Next and then Finish.

Log off as Administrator and log on as the newly created account.


Lab 12 – Mark a Schema object as defunct (Optional)

NOTE to Instructor (If not already done) - Create a directory called OIDGen on your computer and share that directory as OIDGen. Ensure that the application called OIDGen is available in the directory. The application is available in the Windows 2000 Resource Kit.

Objectives

After completing this lab, you will be able to create a schema object and mark the object as defunct.

Prerequisites

• Knowledge of schema objects

• Active Directory should be configured as in exercise 1 Lab 02

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller

• Schema Administrator rights to be able to create new schema objects

• OIDGEN to create unique Object Identifiers


Exercise 1

Goal

This exercise needs to be performed by all students. You will create an attribute within the Active Directory schema. Once you have created this attribute in the Active Directory, you will then make this object defunct. You will also create a second attribute with the same settings as the first one to see the effects of an attribute that has already been created.

Tasks Detailed Steps

1. Perform the following tasks

• Register the Schema Management Snap-in.

• Copy and Run OIDGen from your computer to generate an Object Identifier.

a. Connect to your instructor's computer and copy the OIDGen file to the temp directory on your local computer.

b. From the command prompt, run OIDGen.exe

c. Do not close the command prompt.

d. At the run command type the following command in: regsvr32 c:\windows\system32\schmmgmt.dll and then press ENTER.

2. Perform the following task:

• Create a new attribute called studentX (where X is your student number).

• Remove “Attribute is active” of the newly created attribute.

• Refresh to ensure attribute is no longer available.

a. Create a custom MMC console and add the Active Directory Schema.

b. Expand Active Directory Schema, right-click Attributes, click Create Attribute.

c. On the Warning message, click Continue.

d. On the Create New Attribute page, type StudentX (where X is your student name) into the following boxes: Common Name and LDAP Display Name.

e. In the Unique X500 Object ID: enter the Attribute Base OID number generated by the OIDGen application.

f. Under the Syntax select Integer and click OK.

g. Browse to the newly created Object, right-click Properties and deselect Attribute is Active.

h. Click Yes to accept the Warning Message and click OK.

i. Refresh to verify that the attribute is not visible in Schema Management.

3. Perform the following tasks

• Use “Show defunct objects” in Schema Management or use ADSI Edit to locate the Attribute.

a. In the Schema Management Console, click View and then Defunct Objects.

b. Browse to the object and see what the Status of the object is.

c. Open the ADSI Edit console, right-click ADSI Edit and select Connect To.

d. On the Connection Settings page, select Schema under the dropdown list of Select a well known Naming Context, and click OK.

e. Browse for the attribute that you created, right-click Properties.

f. Ensure the value of isDefunct is set to TRUE, click OK and close ADSI Edit.

Create a new Attribute with the same settings as the defunct attribute.

Does this work?

Note: While you can reuse the OID and LDAP name you cannot reuse the common name.


Lab 13 – Create an application partition

Objectives

After completing this lab, you will be able to create application partitions and replicate these partitions to different domain controllers within your domain or forest.

Prerequisites

• Knowledge of application partitions

• Knowledge of the NTDSUTIL utility

• DNS should be configured as in exercise 1 Lab 01

• Active Directory should be configured as in exercise 1 Lab 02

Lab Setup

• Computers running Windows Server 2003 Enterprise Server that are configured as Domain Controllers

• A computer running DNS Server

• Network connectivity between computers within the same forest


Exercise 1

Goal

All students can perform this exercise. Here you will create an application partition and then replicate this partition to all domain controllers within the Active Directory domain/forest.

Tasks Detailed Steps

1. Perform the following tasks:

• On each DC use NTDSUTIL to create an Application Partition called ApptestX (where X is your student number)

• Add a replica of the application partition to your partner's Domain Controller.

a. Open the command prompt window.

b. At the command prompt, type NTDSUTIL and press ENTER.

c. At the NTDSUTIL prompt type, Domain Management and press ENTER.

d. At the Domain Management prompt type, connections and press ENTER.

e. At the Server connections prompt, type Connect to server [your server name], and press ENTER. Example: connect to server server1

f. At the Server connections prompt type, quit and press ENTER.

g. At the Domain Management prompt type, list and press ENTER.

This will show you all the Directory Partitions for the forest.

h. At the Domain Management prompt type, create nc dc=APPTESTX (where X is your student number),dc=your domain name,dc=com Null, press ENTER. Example:

create nc dc=applicationpartition,dc=domainX,dc=com null

i. At the Domain Management prompt type, list and press ENTER.

j. At the Domain Management prompt type, Add nc replica dc=APPTESTX,dc=your domain name,dc=com server2.yourDomainName.com and press ENTER.

Example: Add nc replica dc=APPTESTX,dc=domainX,dc=com serverx.domainx.com

k. At the Domain Management prompt type, list nc replicas dc=APPTESTX,dc=domainX,dc=com and press ENTER.

l. At the Domain Management prompt type, quit and press ENTER.

m. At the NTDSUTIL prompt type, quit and press ENTER.

2. Perform the following tasks:

• Create a new DNS zone and store the information into the application partition.

• Force Replication

• Verify that all zones are updated on both DC/DNS servers

a. Open the command prompt

b. At the command prompt run: repadmin /kcc serverx.domainx.com

c. Also stop and start the DNS Services by running:

d. Net stop DNS and then Net Start DNS.

e. Open DNS console and expand your server name.

f. On the Forward Lookup Zones, right-click and select New Zone.

g. On the Welcome to the New Zone Wizard page, click Next.

h. On the Zone Type page, select Primary Zone, leave the Store the zone in Active Directory (available only if DNS server is a domain controller) tick box selected and click Next.

i. On the Active Directory Zone Replication Scope page, select To all domain controllers specified in the scope of the following application directory.

j. Select the Application partition that you created, (ApptestX, where x is your student number) and click Next.

k. On the Zone Name page, type Nwtraders.com and click Next.

l. On the Dynamic Update page, select Allow only secure dynamic updates (recommended for Active Directory), click Next.

m. On the Completing the New Zone Wizard page, click Finish.

n. Force replication between the DC/DNS servers using the repadmin /syncall /P command.

3. Use ADSI Edit to view properties of the Application partition.

a. Open the ADSI Edit Console that you created earlier.

b. Right-click ADSI Edit, select Connect to…

c. On the Connection Settings page, Under Select a well known Naming Context select Configuration, and press OK.


d. Expand the Configuration container and click Partitions.

e. On the right side under Directory Partition Name find the partition you created and browse its properties.

f. Exit and close ADSI Edit.


Lab 14 – Renaming of Domain Controllers

Objectives

After completing this lab, you will be able to rename Domain Controllers.

NOTE: There are several ways of renaming Domain Controllers. In this exercise, the command line version will be used to rename the Domain Controllers. Ask the instructor to demo the renaming of a Domain Controller using the GUI.

Prerequisites

• Knowledge of the impact that renaming Domain Controllers can have.

• Knowledge about the NETDOM utility

• Active Directory should be configured as in exercise 1 Lab 02

• Fully Qualified Domain Name (FQDN) of your domain


Exercise 1

NOTE: Fully Qualified Domain Names (FQDN) must be used when performing this exercise.

Perform the rename exercise on only one Domain Controller at a time. Wait for the process to complete before continuing. The table below defines the current and the new server name you must use.

Old Computer Name New Computer Name

Server1 Server101

Server2 Server102

Server3 Server103

Server4 Server104

Server5 Server105

Server6 Server106

Server7 Server107

Server8 Server108

Server9 Server109

Server10 Server110

Server11 Server111

Server12 Server112

Server13 Server113

Server14 Server114

Server15 Server115

Server16 Server116


Tasks Detailed Steps

1. Using the Netdom command rename your server. Use the table above for your new computer name. Also check to see if your computer has been successfully renamed.

NOTE: ServerX = original server name while ServerY = New Server Name

a. Open the command prompt.

The command below will be used to add the new server name.

b. At the command prompt type: netdom computername serverx.domainx.com /add:servery.domainx.com and press ENTER. (Serverx is your old server number and servery is your new server number. Domainx is your domain letter).

The command is used to make the new name the primary name.

c. At the command prompt type: netdom computername serverx.domainx.com /makeprimary:servery.domainx.com and press ENTER.

This command enumerates the old computer name.

d. At the command prompt type, netdom computername serverx.domainx.com /enumerate, press ENTER.

e. Reboot the server.

f. Logon as the administrator.

g. Open the command prompt.

This command will remove the old server name.

h. At the command prompt type: netdom computername servery.domainx.com /remove:serverx.domainx.com and press ENTER.

i. Reboot the server.

j. Logon as administrator, open command prompt, type hostname and press ENTER.

This will show you if your computer has been successfully renamed.

Lab 15 – Renaming Domain NetBIOS Name (To be performed on the last day as an optional lab)

Objectives

After completing this lab, you will be able to:

• Rename the NetBIOS name of the Domain

Prerequisites

• Thorough understanding of Domain Renaming

• DNS should be configured as in exercise 1 Lab 01

• Active Directory should be configured as in exercise 1 Lab 02

Lab Setup

• To complete this lab, you require computers running Windows Server 2003 that are configured as Domain Controllers.

Exercise 1

Goal

This exercise must only be done at the end of the week. You will be working with your partner during this exercise. The goal of this exercise is to rename the current NetBIOS domain name to a new NetBIOS domain name. The utility that will be used to rename the NetBIOS domain names is rendom.exe.

Tasks Detailed Steps

1. Perform the following tasks to prepare the domain for renaming:

• Configure DNS to support the New domain name called DomainRenameX (where X is your domain letter)

• DNS must be AD integrated, support dynamic updates and have a Host record for the server.

• Copy rendom.exe and GPFixup.exe to c:\domainrename

Perform the following on all the odd numbered Domain Controllers.

a. Open the DNS console and create a Forward Lookup Zone called DomainrenameX.com (where X is your domain letter). Ensure that the AD integrated zone option is selected and that Replicated to all DNS servers in the forest is selected.

b. Ensure there is a Host (A) record created. If not, perform the following action:

c. Right-click the newly created domain name and select New Host (A)…

d. In the New Host page, type in your server name in the Name (uses parent domain name if blank): box.

e. Under the IP address, enter your machine’s IP address and then click Add Host.

f. Close DNS Console

Perform the following on all even-numbered Domain Controllers.

g. Create a directory called domainrename on the c:\ drive.

h. Copy all the files in the VALUEADD\MSFT\MGMT\DOMREN directory, which is located on your Windows 2003 Advanced Server CD, into this directory.

2. The following tasks need to be performed to rename the domain.

• Rendom /list

• Save a copy of Domainlist.xml as domainlist-save.xml

• Edit NetBIOS name in domainlist.xml file and save it.

• Rendom /showforest and verify change is correct.

• Rendom /upload and view content of dclist.xml

• Run repadmin /syncall /P

• Rendom /prepare and in dclist.xml verify that <State>Prepared</State> is true for all DCs.

• Rendom /execute and in dclist.xml verify that <State>Done</State> is true for all DCs.

The following tasks need to be performed from all the even-numbered domain controllers in each domain. However, it is recommended that your partners follow along with what you are doing.

a. Open the command prompt and type cd\domainrename and press ENTER.

b. At the domainrename prompt type: rendom /list

c. Save a copy of the domainlist.xml file as domainlist-save.xml in the same directory.

d. Change the domain NetBIOS name by editing the sections between <NetBIOSName></NetBIOSName> in the domainlist.xml file and save the changes.

e. At the domainrename prompt type: rendom /showforest to verify that your changes are correct.

f. At the domainrename prompt type: rendom /upload and view the contents of dclist.xml

g. On all domain controllers within the forest run the following command: repadmin /syncall /P

h. At the domainrename prompt type: rendom /prepare and verify in dclist.xml that <State>Prepared</State> is true for all DCs.

i. At the domainrename prompt type: rendom /execute and verify in dclist.xml that <State>Done</State> is true for all DCs.

j. All the machines in the forest will automatically reboot.

k. Logon and run the command below.

Run GPFixup /oldnb:OldDomainNetBIOSName /Newnb:NewDomainNetBIOSName /dc:DCdnsName

Restart all odd-numbered domain controllers in the domain/forest. After logon, all the even-numbered domain controllers must be restarted.

Run repadmin /syncall /P on all the domain controllers in the forest. If you get an error message, restart the computer and retry the command.

NOTE: The control station might need to be rebooted twice before the command will work.
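The rename steps above depend on reading dclist.xml and confirming the state of every domain controller before moving to the next rendom step. The following Python script is an added example, not part of the original lab or of the rendom tooling, that performs that check and lists the DCs that block progress. The embedded sample is constructed; only the <State> element comes from the lab text, and the other element names and all values are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of dclist.xml as it might look after "rendom /prepare".
# Only the <State> element comes from the lab text; <DcList>, <DC>, <Name>
# and <LastError> are assumed element names, and all values are made up.
SAMPLE_DCLIST = """<?xml version="1.0"?>
<DcList>
  <DC><Name>server1.domaina.com</Name><State>Prepared</State><LastError>0</LastError></DC>
  <DC><Name>server2.domaina.com</Name><STATE>prepared</STATE><LastError>0</LastError></DC>
  <DC><Name>server3.domaina.com</Name><State>Initial</State><LastError>0</LastError></DC>
  <DC><Name>server4.domaina.com</Name><State>Error</State><LastError>1722</LastError></DC>
  <DC><Name>server5.domaina.com</Name></DC>
</DcList>
"""


def parse_dclist(xml_text):
    """Parse dclist.xml content (a string) and return the root element."""
    return ET.fromstring(xml_text)


def _child_text(element, tag):
    """Text of the first child whose tag matches, ignoring case; None if absent."""
    for child in element:
        if child.tag.lower() == tag.lower():
            return (child.text or "").strip()
    return None


def dc_states(root):
    """Return one (name, state, last_error) tuple per <DC> entry."""
    entries = []
    for element in root.iter():
        if element.tag.lower() != "dc":
            continue
        name = _child_text(element, "Name") or "<unnamed DC>"
        entries.append((name, _child_text(element, "State"),
                        _child_text(element, "LastError")))
    return entries


def blocking_dcs(root, expected):
    """List (name, reason) for every DC that is not in the expected state.

    An empty list means every DC reports `expected` and the next rendom
    step can go ahead. A missing or empty <State> counts as blocking.
    """
    blockers = []
    for name, state, last_error in dc_states(root):
        if not state:
            blockers.append((name, "no <State> value"))
        elif state.lower() != expected.lower():
            reason = state
            if last_error not in (None, "", "0"):
                reason += f" (LastError {last_error})"
            blockers.append((name, reason))
    return blockers


def main(argv):
    # Usage: script.py <Prepared|Done> [path-to-dclist.xml]
    expected = argv[1] if len(argv) > 1 else "Prepared"
    if len(argv) > 2:
        root = ET.parse(argv[2]).getroot()   # honours the file's own encoding
    else:
        root = parse_dclist(SAMPLE_DCLIST)   # fall back to the constructed sample
    blockers = blocking_dcs(root, expected)
    for name, reason in blockers:
        print(f"NOT {expected}: {name}: {reason}")
    if not blockers:
        print(f"All domain controllers report {expected}.")
    return 1 if blockers else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit code means at least one domain controller is not in the expected state, so the next rendom step should wait until replication and a re-run of the previous step have cleared the list.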

Lab 16 – Setup and Test Cross Forest Trusts

Instructor Note: Review trust directions with students. Make sure they know the difference between “trusted” and “trusting”.

Objectives

After completing this lab, you will be able to create cross-forest trust relationships and administer these cross-forest trusts.

Prerequisites

• Knowledge of the different types of trust relationships

• Multiple Active Directories should be configured as per exercise 1 Lab 02

• Multiple forests should have been created within the classroom environment

Exercise 1

Goal

Students will work as a team during this exercise. A Forest Trust relationship needs to be implemented between the following forests:

• Forest A and Forest C.

• Forest E and Forest G.

• Forest C and W2K3.Net forest

• Forest G and W2K3.Net forest

Tasks Detailed Steps

1. Create a two-way trust relationship between two forests within the classroom.

a. Open Active Directory Domains and Trusts, select the domain and click Properties.

b. In Properties of the domain click Trusts and click New Trust.

c. On the Welcome to the New Trust Wizard page, click Next.

d. In the Trust Name page, under Name enter the NetBIOS name of the forest root domain you want to trust, click Next.

e. On the Trust Type page, select Forest Trust and click Next.

f. On the Direction of Trust page, select Two-Way and click Next.

g. On Sides of Trust page, select Both this domain and the specified domain, click Next.

h. On the User Name and Password page, enter Administrator into the User Name box and password into the Password box, click Next.

i. On the Outgoing Trust Authentication Level – Local Forest page, select Forest-wide authentication and click Next.

j. On the Outgoing Trust Authentication Level – Specified Forest page, select Forest-wide authentication and click Next.

k. On the Trust Selections Complete page, review the settings and click Next.

l. On the Trust Creation Complete page, review settings and click Next.

m. On the Confirm Outgoing Trust page, select Yes, confirm the outgoing trust, click Next.

n. On the Confirm Incoming Trust page, select Yes, confirm incoming trust, click Next.

o. On the Completing the New Trust Wizard page, click Finish.

p. Click OK to close the domainx.com properties page and close Active Directory Domains and Trusts.

Exercise 2 – Test cross forest resource access

Tasks Detailed Steps

1. Create a folder called forest and share it as forest. Give users from a different forest the Change permission on the shared directory.

a. On the servers create a directory called Forest and share the directory as Forest.

b. Click Permissions in Forest Properties.

c. Click Add under Permissions for Forest.

d. On the Select Users, Computers, or Groups page, click Locations.

e. Click DomainX.com (where X is the letter of the domain with which you created a forest trust), then click OK.

f. In Enter the object names to select, type in Domain Users and click Check Names, click OK.

g. In the window for Permissions for Domain Users, select Allow – Change, click OK.

h. Click OK to close Forest Properties.

2. a. Logon as a user that was created earlier.

b. From the Run command type: \\serverx\forest (where X is the server number), click OK.

c. Once open right-click in the blank area, select new and then select bitmap image, press ENTER.

d. Close the window. This has allowed you to create a file on the server in a different forest.

Exercise 3 – Test cross forest delegations

Tasks Detailed Steps

1. Create an OU called DelegateX (where X is your student number) and assign the Domain Admins in the trusted domain access to create and delete users.

a. Open Active Directory Users and Computers and click on the Users Container.

b. Create an OU called DelegateX (where X is your student number).

c. Right-click the OU and click Delegate Control…

d. On the Welcome to the Delegation of Control Wizard, click Next.

e. On the Users or Groups page, click Add, click Locations and highlight the second forest then click OK.

f. In the Enter the object names to select type Domain Admins and click Check Names, click OK.

g. On the Users or Groups page, ensure that DomainX\Domain Admins is selected, click Next.

h. On the Tasks to Delegate page, select Create, delete, and Manage user accounts, click Next.

i. On the Completing the Delegation of Control Wizard page, click Finish.

j. Log off from the computer.

2. Test the Delegation by creating a User account in the OU in your partner’s forest domain.

Logon as a user with Domain Admin rights before starting this exercise. The user must not be the Administrator account.

a. Open Active Directory Users and Computers, right-click your domain and select Connect to Domain.

b. On the Connect to Domain page, type the name of the domain to which you want to connect and click OK.

c. Expand the domain to which you connected and click the OU called DelegateX (where X is the student number of the user that administers that domain).

d. Right-click the OU and click New → User.

e. Type a user name into the following boxes: First name and User logon Name, click Next.

f. Type in password in the Password and Confirm password boxes, click Next.

g. Review the details and click Finish.

Lab 17 – IIS

Objectives

After completing this lab, you will be able to:

• Install and configure IIS

• Determine which isolation mode your IIS server is in

• View the different processes currently running

• Create application pools

• Recycle processes

Prerequisites

• Knowledge of IIS

Lab Setup

A computer running Windows Server 2003 Enterprise configured as a Domain Controller.

Exercise 1

Goal

The goal of this exercise is to install and configure IIS for the rest of the exercises.

Tasks Detailed Steps

This Exercise can be performed by all Students

1. View or change the Application Isolation Mode using IIS Manager

a. Click Start → Manage Your Server

b. On Manage Your Server → Add or Remove a Role

c. On the Configure Server Wizard Page click Next.

d. On the Server Role Page click Application Server (IIS, ASP.Net) and click Next.

e. In the Application Server Option Page leave as default and click Next

f. On the summary page click Next

g. This starts the installation and configuration of IIS.

h. Once completed click Finish

i. On the Manage your Server page click Manage this Application Server

j. Browse around the interface to familiarize yourself with the interface.

Exercise 2

Goal

The goal of this exercise is to establish which isolation mode your current IIS server is running in.

Tasks Detailed Steps

This Exercise can be performed by all Students

1. View or change the Application Isolation Mode using IIS Manager

a. Open the IIS snap-in (Click Start, click Programs, click Administrative Tools, and then click Internet Information Services)

b. Right click on the “Web Sites” folder and choose “Properties”

c. Click on the “Service” tab

d. View the status of the checkbox labeled “Isolation Mode”

e. If the box is unchecked, you are running in worker process isolation mode

f. If the box is checked, you are running in IIS5 Isolation Mode

g. Verify that the check box is unchecked; uncheck it if necessary. (You will be required to run in worker process isolation mode for the remainder of these exercises.)

h. Click Apply

i. You will now be prompted to restart the Web services; click Yes to restart IIS. After IIS restarts, click OK to close the Web Sites properties sheet. Verify the Application Pools folder is present.

Exercise 3

Goal

In this exercise, you will use a VBScript to view process information.

Tasks Detailed Steps

This Exercise can be performed by all Students

1. Execute the listw3wp.vbs to view process information

a. From the command prompt, change directory to the path containing the script file listw3wp.vbs. It should be C:\IIS

b. Execute the command: listw3wp.vbs

c. If there are no worker processes running, you should see a message indicating “there are no running w3wp.exe instances”

d. To view worker processes using the script, navigate to any local URL using Internet Explorer, such as http://localhost (disregard the page that is returned)

e. Re-run listw3wp.vbs and you should see the Process ID (PID) and the Application Pool name of the running worker process.

Note: You must be running your server in worker process isolation mode for this exercise to work, and for listw3wp to return information. If your configuration is running in IIS5 isolation mode, or you are unsure of the mode, revisit the first exercise on isolation modes.

Exercise 4

Goal

In this exercise you will create a new application pool, and assign a virtual directory to that application.

Tasks Detailed Steps

This Exercise can be performed by all Students

1. Create a virtual directory

a. Open a command window

b. To use iisvdir, type the following command at the command line: iisvdir /?

c. This will display the command line parameters for using the tool.

d. Create a virtual directory named “myvdir”. Execute the command: iisvdir /create "default web site" myvdir C:\tempvdir

e. Verify that the command completed successfully by viewing the message displayed in the command window.

f. Create a default page for the virtual directory. Click the Start button, select Run and enter: notepad c:\tempvdir\default.asp. When prompted to create the file, select ‘Yes’. In the page, type the following line: <H1>Application Pool Test Page</H1>

g. Save the file in the c:\tempvdir folder. Make sure you have correctly named it as default.asp

h. Navigate to the URL http://localhost/myvdir/ using Internet Explorer to verify the virtual directory is working properly.

i. If the Internet Explorer Enhanced Security Configuration is enabled dialog box appears, select the tick box and click OK. (Do not change any settings; the lab will work with the current configuration.)

j. Note: if Active Server Pages have not been enabled on your server, you will receive a 404 error message. To enable Active Server Pages, do the following:

a. Open IIS Manager if not already opened

b. Expand your server

c. Click on Web Service Extensions

d. On the right pane click Active Server Pages and click Allow

e. This will enable Active Server Pages.

k. Retry http://localhost/myvdir

2. Create a new Application pool

a. Open the IIS snap-in (Click Start, click Programs, click Administrative Tools, and then click Internet Information Services)

b. Expand the Application Pools node.

c. Right-click on Application Pools, and choose New, then choose Application Pool. The Add New Application Pool dialog box appears. Enter MyAppPool for the Application Pool ID.

d. Click OK. The application pool has now been created. You now need to add the virtual directory you created in the previous step to this application pool.

3. Assign the myvdir virtual directory to the application pool

a. Expand the Web Sites node, Expand the Default Web Site.

b. Right-click the virtual directory named myvdir, and choose Properties.

c. Click the Virtual Directory tab.

d. At the bottom you will see a drop-down box for Application Pool. Click on the drop-down box and choose MyAppPool.

e. Click Apply, and then OK to save your changes.

4. Verify that your application is running in its own application pool

a. Browse to http://localhost/myvdir

b. At the command line, execute the script listw3wp.vbs, you will see an instance of the worker process running your application pool.

c. Optional Step: navigate to other web sites on the local machine that are not in the same application pool, such as http://localhost (which is in the Default Application Pool by default). You will see separate instances of worker processes when you run the listw3wp.vbs script.

d. Optional Step: modify your c:\tempvdir\default.asp page to include the following line: My app pool ID is [<%=Request.ServerVariables("APP_POOL_ID")%>]

e. Refresh http://localhost/myvdir. You should see your newly created MyAppPool in the text.

Exercise 5

Goal

In this exercise, you will configure the application pool you created in the previous exercise to recycle after a certain number of requests have been processed.

Tasks Detailed Steps

This Exercise can be performed by all Students

1. Configure the application pool to recycle after 5 requests

a. Open IIS Manager if not already open

b. Expand the Application Pools node, right-click the MyAppPool node, and choose Properties.

c. On the MyAppPool Properties dialog box, click the Recycling tab.

d. Check the Recycle worker process after check box. Change Number of Requests from the default of 35000 to 5

e. Click Apply, and then click OK.

2. Test the recycling settings

a. Browse to http://localhost/myvdir in Internet Explorer.

b. From the command line, run listw3wp.vbs to gather the Process ID (PID) information, and remember this process ID number for MyAppPool

c. From Internet Explorer, click on the refresh button twice

d. Re-run the command line script and verify the PID is still the same

e. From Internet Explorer, refresh the page three times

f. Run the command line script again and verify the PID has changed. If the PID is different, that means a new process is running in place of the original one. Thus, recycling of the worker process after five requests has completed successfully.

Lab 18 – Terminal Services (Optional)

Objectives

After completing this lab, you will be able to:

• Configure Remote Desktop on a computer running Windows Server 2003

• Connect to a computer running Remote Desktop.

• Install Terminal Services

Prerequisites

• Before working with this lab, you must have knowledge of Terminal Services concepts and operations.

• Knowledge of Remote Desktop concepts and operations is also required.

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller.

Exercise 1

Goal

This exercise will be performed by all students. Here you will connect to your partner’s computer by means of the Remote Desktop Connection. Note that Terminal Server Remote Administration is installed by default. After you have connected to your partner’s computer you need to install Terminal Services in Application mode.

Tasks Detailed Steps

1. Perform the following Tasks:

• Enable Remote Desktop

• Connect to server using Remote Desktop Connection.

This exercise can be done from both computers at the same time.

a. Open System under Control Panel and select Remote.

b. Click to select Allow users to connect to this computer.

c. A message appears. Read the message, click OK to dismiss it, and then click OK to close System Properties.

d. Connect as Administrator to your partner’s machine using the Remote Desktop Connection.

e. Browse your partner’s computer and then logoff.

• Connect to Remote Desktop

Perform this exercise from the first partner and then repeat the lab for the second partner.

a. Ask your partner to open Notepad on his/her machine and leave it open.

b. On your machine open Administrative Tools and select to open Remote Desktops.

c. Right-click Remote Desktops and select Add new connection.

d. In the Add new connection page, type in the Server Name or IP address and give it a Connection Name.

e. Under the Logon information, enter the administrator and domain details, and click OK.

f. Under Remote Desktop click the Connection Name you created.

g. In Notepad add some text, but do not close the application.

h. Disconnect from the server.

i. Once disconnected ask your partner to logon.

j. Your partner should see the text in Notepad that you entered.

Install Terminal Services in Application Mode.

a. Open Add and Remove Programs, and select Add/Remove Windows Components.

b. On the Windows Components page, select Terminal Server and click Next.

c. On the Terminal Server Setup page, review the message and click Next.

d. On the Terminal Server Setup page, select Full Security and click Next.

e. On the Completing the Windows Components Wizard page, click Finish.

f. Restart the Computer.

g. Logon as Administrator and close the Terminal Server help menu.

Lab 19 – Remote Assistant (Optional)

Objectives

After completing this lab, you will be able to:

• Send a Remote Assistance invitation

• Respond to a Remote Assistance invitation

Prerequisites

• A computer running Windows Server 2003

Scenario

You are responsible for providing technical support to users within your company. They are having trouble opening or doing some of their day-to-day tasks. It is your responsibility to assist them with their problems by using Remote Assistance.

Exercise 1

Goal

Students will be working in pairs during this exercise. The goal of this lab is to get familiar with the Remote Assistance features within Windows 2003 Advanced Server.

Tasks Detailed Steps

1. Perform the following Tasks:

• Enable Remote Assistant.

a. Open System under Control Panel and select Remote.

b. Click to select Turn on Remote Assistance and allow invitations to be sent from this computer.

c. A message appears. Read the message, click OK to dismiss it, and then click OK to close System Properties.

2. Create an Invite and save the invite to c:\temp

a. Click Start → All Programs and then click Remote Assistance.

b. In Help and Support Centre under Remote Assistance, Click Invite someone to help you.

c. On the Remote Assistance – Pick how you want to contact your assistant, scroll down to the bottom of the page, and then click Save invitation as a file (Advanced).

d. On Remote Assistance – Save Invitation page, verify that administrator appears and the expiration time is set to 2 hours and then click Continue

e. On Remote Assistance – Save Invitation page, verify that Require the recipient to use a password is selected, in the Type Password and Confirm Password boxes, type password and then click Save Invitation.

f. In the Save file dialog box, in the Save in drop-down list, click the down arrow, select c:\temp, in the filename box type your name and then click Save.

g. On the Your invitation has been saved successfully to: page, click View the status of all my invitations.

h. Close Help and Support Center.

Exercise 2 – Responding to an Invitation

Tasks Detailed Steps

Important: The person responding to the invitation will be the helper, and the person who sent the invitation will be the end user. Each task will be for either the helper or the end user. You and your partner will decide who will be the helper and who will be the end user.

1. Copy the Remote assistance file to your local computer. Logon as administrator and type in the password under the Remote Assistance invitation box.

From both machines, copy the Remote Assistance file to your local machine.

a. Log on to the domain as Administrator, with a password of password.

b. Double-click your partner’s Remote Assistance file.

c. In the Remote Assistance Invitation dialog box, type password in the Password box, and then click Yes.

Important: Task two is for the end user.

2. Start an application on your computer and then accept the invitation.

a. Click Start, click All Programs, click Accessories, and then click WordPad.

b. Restore the Remote Assistance dialog box if it is not in the foreground, and then click Yes on the message Do you want to let this person view your screen and chat with you?

c. Type some text in the chat session box, and then click Send.

Important: Task three is for the helper.

3. Respond to your partner’s chat session.

a. Respond to your partner’s chat session by typing in the box at the lower left, and then clicking Send.

b. Attempt to click on any item on your partner’s computer. At this point you can only view the desktop.

c. On the Chat History title bar, click the chevron next to Hide Chat.

d. On the Remote Assistance menu, click Take Control.

e. In the Remote Assistance – Web Page dialog box, click Yes.

Important: Task four is for the end user.

4. When prompted, let your partner take control of your computer.

a. When prompted, Do you want to let Administrator take control of your computer, click Yes.

b. In the chat box, explain to your partner, the helper, that you need to know how to bold text in a WordPad document.

c. Restore WordPad and type some text in to the document.

Important: Task five is for the helper. The helper has control of the end user’s computer. Both people can perform tasks on the computer.

5. Perform tasks on your partner’s computer

a. On the Remote Assistance –Web Page Dialog message box, click OK.

b. With the WordPad document in the foreground and text entered highlight the text and then click the Bold button.

c. Click Disconnect and then close the Help and Support Center window.

d. Close all open windows, and then log off.

Important: Task six is for the end user.

6. Close all open windows and then log off

• Close all open windows, and then log off.

Lab 20 – Create Software Restriction Policy (Optional)

Objectives

After completing this lab, you will be able to create a software restriction policy for your users.

Prerequisites

• Understand how Group Policy Objects work.

• Understand how Software Restriction Policy affects users.

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller

Exercise 1

Goal

Decide between team members in each domain who will perform this exercise. In this exercise you will create a policy that will not allow anyone in your domain to run the calculator application on their computers.

Tasks Detailed Steps

1. The following tasks need to be performed:

• Edit the Default Domain Controller Policy

• Leave Default Security Policy as Unrestricted

• Create a Software Restriction Policy that prohibits c:\windows\system32\calc.exe

• Reboot Computer and test the policy with a user account that does not have admin rights

a. Open Active Directory Users and Computers, right-click Domain Controllers and select Properties.

b. On the Domain Controllers Properties page, click Group Policy.

c. Highlight Default Domain Controller Policy and click Edit.

d. Under Computer Configuration, expand Windows Settings → Security Settings, right-click Software Restriction Policies and select New Software Restriction Policies.

e. Right-click Additional Rules, select New Path Rule…

f. On the New Path Rule page, type in the Path box the following: c:\windows\system32\calc.exe

g. In the Security Level on the New Path Rule select Disallow and click OK.

h. Close all windows and restart the computer.

i. Logon as a user with no admin rights.

j. From the Run command type, c:\windows\system32\calc.exe and click OK.

k. A message will appear, read the messages and click OK.

l. Logoff as the user and logon as Administrator.

Lab 21 – Result Set of Policy (RSoP) Tools (Optional)

Objectives

After completing this lab, you will be able to use different tools to determine the Result Set of Policies.

Prerequisites

• Knowledge of RSoP, GPResult V2.0 and the use of Help Centre

• Active Directory should be configured as per exercise 1 Lab 02

Exercise 1

Goal

All students must do this exercise. Here you will be looking at the different ways group policy information can be retrieved and viewed.

Tasks Detailed Steps

1. Use the following tools to retrieve RSOP information:

• RSOP Snap-in

• GPResult v2

• Help Centre HTML Report

a. Open a new Microsoft Management Console and add the Resultant Set of Policy.

b. Right-click Resultant Set of Policy and click Generate RSoP Data…

c. On the Welcome to the Resultant Set of Policy Wizard page, click Next.

d. On the Mode Selection, select Logging Mode, click OK.

e. On the Computer Selection page, select This Computer and click Next.

f. On the User Selection page, select Current user, click Next.

g. On the Summary of Selection page, click Next.

h. On the Completing the Resultant Set of Policy Wizard, click Finish.

i. Exit without saving the console.

GPResult v2:

a. Open the command prompt.

b. At the command prompt type: gpresult

c. Once complete, browse through the settings to see what information is given about the machine and user.

Help Centre HTML Report:

a. Click Start, and then click Help and Support.

b. Under Support Tasks, click Tools.

c. Under Tools, click Help and Support Center Tools.

d. Under Help and Support Center Tools, click Advanced System Information.

e. Under Advanced System Information, click View Group Policy Settings applied.

f. Scroll to the results that you want to view.

Lab 22 – Restore Default GPOs (Optional)

Objectives

After completing this lab, you will be able to restore the default Group Policy Objects to their original settings/values.

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller.

Exercise 1

Goal

Decide among yourselves how you will perform this exercise within each domain. In this exercise you will restore the Group Policies to their default settings.

Tasks Detailed Steps

1. Run DCGpoFix.exe and note all prompts and warning messages.

2. Reconfigure the policy to allow users to logon locally.

a. Open the Command prompt.

b. At the command prompt type, DCGpoFix and press ENTER.

c. Read the warning message and then press Y and then ENTER.

d. Read the second warning message and then press Y and then ENTER.

e. Read the last message and then exit the command prompt.

f. Reconfigure the policy to allow users to logon locally.

Lab 23 - Using Volume Shadow Copy Service to Recover Files

Objectives

After completing this lab, you will be able to use Volume Shadow copy services to recover changed data files or deleted data files.

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller.

Exercise 1

Goal

Volume Shadow Copy allows administrators to ease the administrative burden of restoring files that users have inadvertently modified or deleted. Once volume shadow copy has been enabled and configured on a volume, users may revert to previous copies of a file or restore deleted files without having to contact administrators in order to obtain previous versions of the file(s).

Tasks Detailed steps

1. Create a folder named c:\shadowcopy. Share it with Authenticated Users having Change and Read permissions.

a. Log on as Administrator with a password of password.

b. Open Windows Explorer.

c. On the C:\ drive, create a folder called shadowcopy.

d. Right-click the shadow copy folder and select Properties.

e. On the shadow copy Properties dialog box, click on Sharing tab, select Share this folder and use the default share name and click Permissions.

f. On the Permissions for shadow copy dialog box, click Add.

g. On the Select Users, Computers, or Groups dialog box type Authenticated Users and click OK.

h. On the Permissions for shadow copy dialog box, make sure Authenticated Users is highlighted, click Change on Permissions for Authenticated Users (Authenticated Users should now have Change and Read) and then click OK.

i. Click OK to close the shadow copy Properties dialog box.

j. Leave Windows Explorer open.

2. Enable shadow copies for the C:\ drive, configure for a 200 MB limit.

a. Right-click C: in the folders pane and click Properties.

b. On the Local Disk (C:) Properties dialog box, click on the Shadow Copies tab.

c. Ensure that C:\ is selected and click Enable. On the Enable Shadow Copies dialog box, click Yes. (This can take a few minutes.)

d. After the process of enabling volume shadow copies on the volume has been completed, click Settings.

e. On the Settings dialog box, change the Maximum size, use limit to 200, and then click OK to close the Settings dialog box.

f. Click OK to close the Local Disk (C:) Properties dialog box.

3. Install Previous Version Client. Map a drive to the local share. Create a file named Test Shadow Copies.txt. Add text to the new document and save it.

a. In Explorer, browse to C:\windows\system32\clients\twclient\x86

b. Double-click twcli32.msi to install the Previous Version Client.

c. Click Finish after the Previous Version Client Setup completes.

d. From the Explorer Tools menu, click Map Network Drive.

e. In Map Network Drive, in Drive, type S; in Folder, type \\localhost\shadowcopy and click OK.

f. In the S: window, create a new text document called Test Shadow Copies.txt

(Tip: If you have not enabled viewing of file extensions in your Explorer options, you must include the .txt extension. By default it should be enabled.)

g. Open Test Shadow Copies.txt and type This is the first copy of my document.

h. Save and close the text file.

4. Initiate a shadow copy.

a. Open the Shadow Copies tab of the Local Disk (C:) Properties dialog box, click Create Now to initiate a shadow copy. (This can take a few seconds so please be patient).

b. When the shadow copy process has been completed, you should have an additional shadow copy listed in the Shadow copies of selected volume window.

c. Click OK on the Local Disk (C:) Properties dialog box.

5. Modify the test document.

a. Open the Test Shadow Copies.txt document and type This is my second copy of my shadow copy document.

b. Save and close the file.

6. View a previous version of the file.

a. Right-click the Test Shadow Copies.txt document and select Properties.

b. On the Test Shadow Copies.txt Properties dialog box, select the Previous Versions tab.

c. Select Test Shadow Copies.txt from the File Versions and click View. Notice that it opens the first version of your document.

Close the document.

7. Copy a previous version of the file.

a. On the Test Shadow Copies.txt Properties dialog box, click Copy.

b. On the Copy Items dialog box, select Desktop and click Copy. The previous version will be copied to the desktop.

8. Restore a previous version of the file.

a. On the Test Shadow Copies.txt Properties dialog box, click Restore.

b. You will be warned that your subsequent version of the file will be overwritten with the previous version, and asked if you are sure that you wish to do this. Click Yes.

c. You will be notified that the previous version of the file was successfully restored, and the previous version should no longer be listed in the Previous Versions property sheet. Click OK.

d. Click OK to close the Test Shadow Copies.txt Properties dialog box.

9. Verify successful restore of a previous version file.

e. Verify that Test Shadow Copies.txt appears as it did before you modified the file.

f. Close the file.

g. Close the S: window.

Lab 24 – Security

Objectives

After completing this lab, you will be able to:

• Change EFS Recovery Agents

• Share EFS data with other users

• Install and configure a PKI infrastructure – Optional

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller.

Exercise 1

Goal

The goal of this exercise is to share your encrypted files with other users within your organization.

Tasks Detailed Steps

The exercise can be performed by all students

1. Create 2 users with Administrator rights (Do not use Administrator)

a. Log on as Administrator

b. Open Active Directory Users and Computers

c. Right-click the Users container → New → User

d. Create a user called Jack0X (Where X is your server number)

e. Create a second user called Sue0X (Where X is your server number)

f. Assign both users to the Administrators group

2. Generating a File Recovery certificate

a. Log on as Jack0X

b. Open command prompt

c. At the command prompt, type cipher /r:<Logged on Username> (Do not include a filename extension)

d. When prompted, type password and press ENTER, then confirm the password and press ENTER.

e. This will create 2 files <Logged on Username>.pfx and <Logged on Username>.cer

f. Repeat steps A to E for Sue0X

3. Sharing Encrypted Files with others.

a. Open Windows Explorer

b. Create a directory called <your servername>

c. Open the directory and create a text file within the directory.

d. Right-click the file → Properties → Advanced → and select Encrypt contents to secure data

e. Click OK twice

f. Right-click the file → Properties → Advanced → Details

g. In the encryption details dialog box, click Add.

h. The select user dialog box appears.

i. Select the name of the user to whom you want to give access, and click OK.

4. Test to see if it works.

a. Log on as the user that you selected.

b. Browse to the directory where the file is located.

c. Open it and enter text in. Save and Close the file.

If you can open and save the file, you have successfully shared your EFS file.

Exercise 2

Goal

In this exercise, you will change the Recovery Agent from Administrator to your username.

Tasks Detailed Steps

This exercise can be done by all students

1. a. Log on with the account that you want to designate as a data recovery agent.

b. Click Start → Run → certmgr.msc

c. Right-click Personal → All Tasks → Import

d. Click Next on the Import Wizard page.

e. On the File to Import page, enter the path and the filename of the encryption certificate (.pfx) and click Next.

This file was created during the previous exercise – exercise 1 of lab 24

f. On the password page, enter the password for this certificate, select Mark This Key as Exportable, and click Next.

g. In the Certificate Store Page select Automatically Select the certificate store based on the type of certificate and click Next.

h. Click Finish.

2. a. Open Local Security Settings (Secpol.msc)

b. Expand Security Settings → Public Key Policies → Encrypting File System

c. Right-click Encrypting File System → Add Data Recovery Agent and click Next on the Welcome Wizard page.

d. On the Select Recovery Agents page, click Browse Folders and then navigate to the folder that contains the .cer file you created during exercise 1 of lab 24.

e. Double-click the file. When the Add recovery Agent box appears, click Yes to install the certificate.

f. The Select Recovery Agents page now shows the new agent as USER_UNKNOWN. Don’t be alarmed by this text.

g. Click Next

h. Click Finish

The current user is now the data recovery agent for all encrypted files on the system.

Exercise 3 – Optional

Goal

Install an enterprise root certificate authority in the forest root domain. Then configure an enterprise subordinate certificate authority.

Tasks Detailed Steps

This exercise will be done on Servers 1,5,9,13

1. Install and configure Enterprise Root CA.

a. Click Start, Control Panel, Add/Remove Programs.

b. Click Add/Remove Windows Components to start the Windows Components Wizard.

c. In Windows Components, select the Certificate Services check box.

d. A dialog box appears warning that the name and domain membership may not be changed. Click Yes to continue.

Note: If you choose to do the appendix lab where the domain is renamed, the certificate services will have to be reconfigured to match the new domain name.

e. In Windows Components click Next.

f. In CA Type, click Enterprise Root CA and click Next.

g. In CA Identifying Information, in Common name for this CA, type DomainX Root CA and click Next.

h. In Certificate Database Settings, click Next.

i. Since IIS is not installed, a warning dialog box appears to say that web enrollment won’t be available. Click OK.

j. In Completing the Windows Components Wizard, click Finish.

k. Close Add/Remove Programs.

Tasks Detailed Steps

This exercise will be done on Servers 3,7,11,15

2. Install and Configure Enterprise Subordinate CA

a. Log on to the server as the administrator in the forest root. In order to install a subordinate CA, the user must be a member of the Enterprise Administrators group. For example, if you are in DomainB, then log on to the DomainA domain.

b. Click Start, Control Panel, Add/Remove Programs.

c. Click Add/Remove Windows Components to start the Windows Components Wizard.

d. In Windows Components, select the Certificate Services check box.

e. A dialog box appears warning that the name and domain membership may not be changed. Click Yes to continue.

Note: If you choose to do the appendix lab where the domain is renamed, the certificate services will have to be reconfigured to match the new domain name.

f. In Windows Components, click Next.

g. In CA Type, click Enterprise subordinate CA, click Next.

h. In CA Identifying Information, in Common name for this CA, type DomainX Subordinate CA and click Next.

i. In Certificate Database Settings, click Next.

j. In CA Certificate Request, click Send the request directly to the CA already on the network. Click Browse, select the root CA server for the forest. Click Next.

k. Since IIS is not installed, a warning dialog box appears to say that web enrollment won’t be available. Click OK.

l. In the Completing the Windows Components Wizard, click Finish.

m. Close Add/Remove Programs.

Tasks Detailed Steps

This exercise will be done on Servers 3,7,11,15

1. Create auto user enrollment template.

a. Open Certification Authority. Click Start, Administrative Tools, Certification Authority.

b. In the right-hand pane, right-click Certificate Templates and click Manage.

c. In Certificate Templates, in the right-hand pane, scroll down to find “user.” Right-click user and click Duplicate Template.

d. In the Display Name field, type AutoEnrolled User.

e. Make sure that the Publish Certificate in Active Directory check box is selected.

f. Click the Security tab.

g. In the Group or user names field, click Authenticated Users.

h. In the Permissions for Authenticated Users list, select the Enroll and AutoEnroll permission check boxes and then click OK.

i. Autoenrolling Authenticated Users is an example. These permission settings are variable, depending on who you want to autoenroll for these certificates. You will probably want to be a little bit more specific than this.

j. Close the Template Manager window.

2. Configure an enterprise certification authority to issue the AutoEnrolled User certificate.

a. In the Certificate Authority window, in the right-hand pane, right-click Certificate Templates and click New, Certificate Template to Issue.

b. In Enable Certificate Templates, select AutoEnrolled User and click OK.

This needs to be done on Servers 1,3,5,7,9,11,13,15

3. The certificates that will be distributed can be used for e-mail signing. All accounts need to have a valid e-mail address for this to work. This section will add the e-mail property to the administrator account.

a. Open Active Directory Users and Computers. Click Start, Administrative Tools, Active Directory Users and Computers.

b. In the left-hand pane, expand DomainX.com and select Users. Double-click Administrator in the right-hand pane.

c. In the Administrator Properties, under the General tab and in E-mail, type [email protected] (where X is the domain with which you are working). Click OK to save the changes.

This needs to be done on Servers 1,3,5,7,9,11,13,15

4. Configure Group Policy to distribute certificate to users. This can be done in many different ways, but in this example you will modify the default domain group policy.

5. Run gpupdate to refresh group policy.

6. Check to ensure the certificate was delivered to the local user.

a. Right-click the domainx.com and click Properties.

b. In the DomainX properties window, click Group Policy. Select Default Group Policy and click Edit. This will open the Group Policy Editor.

c. In the left-hand pane, expand Default Domain Policy, User Configuration, Windows Settings, Security Settings and Public Key Policies.

d. In the right-hand pane, double-click AutoEnrollment Settings.

e. Click Enroll certificates automatically.

f. Select the Renew expired certificates, update pending certificates and remove revoked certificates check box.

g. Select the Update certificates that use certificate templates check box and click OK.

h. Click File, click Exit and then click OK.

i. Run gpupdate to refresh policy. Click Start, Run.

j. In the Run dialog box, type gpupdate and click OK.

k. Check to see if the certificate was delivered. Click Start, Run.

l. In the Run dialog box, type mmc and click OK.

m. From the File menu, click Add/Remove Snap-in.

n. In Add/Remove Snap-in, click Add.

o. In Add Standalone Snap-in, select Certificates and click Add.

p. In Certificate Snap-in, click My user account and click Finish.

q. In Add Standalone Snap-in, click Close.

r. In Add/Remove Snap-in, click OK.

s. Expand Certificates, Personal and select Certificates.

t. In the right-hand pane, look for a certificate that was issued by DomainX subordinate CA.

u. If no certificates appear, check the application event log for errors. The event will have a source of AutoEnrollment.

Lab 25 – Command Line Tools (Optional)

Objectives

After completing this lab, you will be able to use different command line tools to create objects within the Active Directory environment.

Lab Setup

• A computer running Windows Server 2003 Enterprise Server that is configured as a Domain Controller.

Exercise 1

Goal

All students within each domain/forest can participate in this exercise. The goal is to get familiar with the new command line tools/utilities that ship with Windows 2003 Server.

Tasks Detailed Steps

1. Perform the following Tasks using the utility called DSadd and DSRM:

• Create an OU called OUX (Where X is your student number)

• Create a User called BobX (Where X is your student number)

• Delete BobX

a. Open the command prompt

b. At the command prompt, type in dsadd and press ENTER to see all the different options.

c. To create an OU type in dsadd ou OU=OUX,DC=domainX,DC=com and press ENTER.

d. Check Active Directory Users and Computers to see if OUX has been created.

e. To create a user in the OU you just created, type: dsadd user cn=bobx,ou=oux,dc=domainx,dc=com -fn bobx -display bobx -samid bobx -upn [email protected] and press ENTER.

f. Check Active Directory Users and Computers to see if bobx has been created.

g. To delete Bobx, type the following command: DSRM -u administrator -p password cn=bobx,ou=oux,dc=domainx,dc=com and press ENTER.

h. When asked whether you are sure you want to delete the user, press Y.

i. Close the command prompt.
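The Lab 25 steps above as one batch script, added here as an example and not part of the original lab manual. It assumes X = 1 (OU1, bob1, domain1.com, with a constructed UPN) and a logged-on domain administrator on a domain controller, so no -u/-p credentials appear on the command line; dsquery, dsget, -pwd * and -noprompt belong to the same tool family but are not used in the lab text.

```batch
@echo off
rem Added example: scripted version of the Lab 25 dsadd/dsrm steps.
rem Assumptions: X=1, giving OU1, bob1 and domain1.com; run on a domain
rem controller while logged on as a domain administrator.
setlocal
set X=1
set BASE=DC=domain%X%,DC=com
set OUDN=OU=OU%X%,%BASE%
set USERDN=CN=bob%X%,%OUDN%

rem Create the OU only if it does not already exist, so the script can be re-run.
dsquery ou "%BASE%" -name OU%X% | find /i "OU=OU%X%" >nul
if errorlevel 1 (
    dsadd ou "%OUDN%" -desc "Lab 25 test OU"
    if errorlevel 1 goto :failed
)

rem Create the user. "-pwd *" prompts for the password instead of placing it
rem on the command line; the UPN below is a constructed sample value.
dsadd user "%USERDN%" -fn bob%X% -display bob%X% -samid bob%X% -upn bob%X%@domain%X%.com -pwd * -mustchpwd yes
if errorlevel 1 goto :failed

rem Verify from the command line instead of Active Directory Users and Computers.
dsquery user "%OUDN%" -samid bob%X% | find /i "CN=bob%X%" >nul
if errorlevel 1 goto :failed
dsget user "%USERDN%" -samid -upn -disabled

rem Delete the test user. -noprompt suppresses the confirmation question.
dsrm "%USERDN%" -noprompt
if errorlevel 1 goto :failed

echo Lab 25 user created, verified and removed.
endlocal
exit /b 0

:failed
echo A directory command failed; see the message above.
endlocal
exit /b 1
```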

Appendix A

The creation of the listw3wp.vbs file used in Lab 17.

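    ' Lists each running w3wp.exe worker process with its PID and application pool.
    Set Re = New RegExp
    ' The application pool name follows -ap in the w3wp.exe command line.
    Re.Pattern = "-ap ""(.+)"""
    Re.IgnoreCase = True
    Set providerObj = GetObject("winmgmts:{(debug)}:/root/cimv2")
    Set W3WPs = providerObj.ExecQuery("select * from Win32_Process where Name='w3wp.exe'")
    count = 0
    For Each W3WP In W3WPs
        WScript.Echo "PID: " & W3WP.ProcessId
        ' CommandLine can be Null or lack -ap; & "" turns Null into an empty string.
        Set Matches = Re.Execute(W3WP.CommandLine & "")
        If Matches.Count > 0 Then
            Set SubMatches = Matches(0).SubMatches
            WScript.Echo "AppPoolID: " & SubMatches(0)
        End If
        count = count + 1
    Next
    If (count < 1) Then
        WScript.Echo "There are no running w3wp.exe instances"
    End If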