Microsoft Server 2008 Term Journal
Active Directory provides a centralized authentication service for Microsoft Networks.
Using Active Directory one can efficiently manage users, computers, groups, printers,
applications and other directory enabled objects. I’ll be keeping a Journal in conjunction with
MOAC Lab to document the installation and troubleshooting process of Active Directory on
Windows Server 2008.
Windows Server 2008 system requirements:
Processor- Minimum 1 GHz (x86) or 1.4 GHz (x64)
Recommended- 2 GHz or faster
Memory- Minimum 512 MB RAM
Recommended- 2 GHz or faster
Drive- DVD-ROM
The group configured a total of four machines with Active Directory, all using the same:
Administrative Password: MSPress#1
Default Gateway: 192.168.0.1
Subnet Mask: 255.255.255.0
Machine #1- Configured as root Domain Controller
Domain Name: domain01.local
I.P. Address: 192.168.0.2
Comp Name: RWDC01
Machine #2- Configured as a Read Only Domain Controller
Domain Name: domain01.local
I.P. Address: 192.168.0.3
Comp Name: RODC01
Machine #3- Configured as a Re-Writeable Child Domain Controller
Domain Name: child02.domain01.local
I.P. Address: 192.168.0.5
Comp Name: RWDC02
Machine #4- Configured with Server 2008 Server Core
Domain Name: domain01.local
I.P. Address: 192.168.0.4
Comp Name: SCDC01
Exploring the Windows Server 2008 Interface
Modify basic server settings:
Installed Server 2008 on Machine #1, configured as our root Domain controller.
Log on as Administrator (Important to write down and save password)
Expand Initial Configuration Tasks window to full screen
Click Set Time Zone and select appropriate time zone, click OK
Click Enable Automatic Updating and Feedback, click Close
Click Window Automatic Update and click Close
Click Provide Computer Name and Domain, on computer name tab click change: RWDC01
Click OK to Restart
Log back on as Administrator, place a checkmark next to Do Not Show This Window at Logon
Click close and the Server Manager window is displayed automatically
Configure TCP/IP settings:
From the Server Manager window click View Network Connections
Right click on the Network Connection and select Properties
Click TCP/IPv4 and select Properties
Select the Use the Following IP Address radio button, enter the IP info for RWDC01 and click OK
Log off
In the process of installing Server 2008 on machine #2, the group had issues with the machine
not recognizing the optical drive. The group was able to locate an external drive, changed the
boot order in the BIOS and the software was installed successfully.
Follow the same installation process as machine #1 (RWDC01) via the Initial Configuration Task
window. The group named this Domain controller, RODC01. Next, we configure TCP/IP settings;
enter IP information for RODC01 and Log off.
Follow the same installation process as machine #1(RWDC01) via the Initial Configuration Task
window for machine #3. The group named this Domain Controller, RWDC02. Next, we configure
TCP/IP settings; enter IP information for RWDC02 and Log off. Installed a final machine to run
Windows Server 2008 Server Core. Configuring this machine was a little trickier than the other
machines, since the process is almost entirely command driven.
Log on as Administrator and the command window initiates
Key timedate.cpl and press enter,
Click Change Time Zone and select appropriate time zone, click OK. Key hostname, press enter
Key netdom renamecomputer <currentname> /newname:SCDC01 and press Enter, key y and press Enter
Key shutdown /r press enter
Configuring a Static I.P. Address
From command prompt key ipconfig /all, press enter
Key netsh, press enter
Key interface, press enter
Key ipv4, press enter
Key set address name="Local Area Connection" source=static address=192.168.0.4
mask=255.255.255.0 gateway=192.168.0.1 gwmetric=1 and press enter. Key ipconfig /all to verify
Key netsh advfirewall set allprofiles settings remotemanagement enable to allow remote
access to the server via the MMC
Log off
Installing the Active Directory Domain Services role:
Log on to RWDC01 as Administrator
Left pane of Server Manager, double click Roles
Click Active Directory Domain Services
Click Run the ADDS Installation Wizard
Place a checkmark next to Use Advance Mode Installation and click next
OS compatibility window is displayed
Read and click next. The Choose a Deployment Configuration Window is displayed
Check the Create A New Domain in a New Forest radio button and click next
Key domain01.local as the FQDN and click next to accept the NetBIOS name. Select Windows
Server 2003 from the Forest Functional Level drop down box and click Next
Click Next to accept Windows Server 2003 as the Domain Functional Level, accept and continue
Key Administration password and click next
Review installation choices and click next to continue
Click Finish when prompted, click Restart Now
Verifying SRV Record Creation
Log on as Administrator to RWDC01, on command prompt key nslookup and press enter
Key set type=srv and press enter. Key _ldap._tcp.dc._msdcs.domain01.local and press enter
An error message appears, key exit and press enter
Creating User Accounts
Log on as Administrator on RWDC01
Click start, admin tools, Active Directory Users and Computers. Click + next to domain01.local
Right click users, select new and then select user. Create name, click next and create password
Click next, click Finish to create user, close console
Configure accounts with Administrative access to the forest root domain
Click start, admin tools, Active Directory Users and Computers. Click + next to domain01.local
Right click enterprise admins and select Properties. Click Member tab, click add, name and OK
Installing a child domain
First step is to configure computer to perform DNS resolution:
Log on to RWDC02 as Administrator, click View Network Connections. Right click network
connection and select properties. Click TCP/IPv4 and select properties
Select the Use the Following DNS server address radio button. Enter info for the writeable
domain controller that’s configured for domain01.local. Click OK to save and log off
Configure the RWDC02 Computer as the First DC in the child02.domain01.local Child Domain in
the domain01.local Active Directory Forest
Log on as Administrator on RWDC02
Left pane of Server Manager, double click Roles, in the right pane you will see number of roles
installed on this server and names of those roles.
Click ADDS, click Run the ADDS installation wizard, place a checkmark next to use advanced
mode installation and click next
Read info, click next. Click Existing Forest radio button and then select Create a New Domain in
an Existing Forest
Click Next, in the type the name of any domain in the forest where you plan to install this
Domain Controller text box, key domain01.local
Click Set to Specify an Alternate Set of Credentials to create the child domain
Key name and the password for account then OK. Click next
In the FQDN of the parent domain text box, key domain01.local. In the single-label DNS Name
of Child Domain text box, key child02. Click Next four times
Place a checkmark next to Global Catalog and DNS server and click Next, yes on Wizard warning
Click Next twice, key the Admin password, then click Next. Review the installation choices and click Next
Click finish and click Restart Now
Creating an Administrative account in the child domain
Log on to RWDC02 as Administrator account of the forest root domain
Click Start, Admin Tools, Active Directory Users and Computers, then click + next to child02.domain01.local
Click Users container, right click users, select new and select user
In the full name and user logon name fields key child02name then next password and confirm
password. Review selections and click finish to create user account
Click + next to domain01.local, click the Users container, right click Domain Admins and select Properties
Click Member Tab, click add, the Enter Object Names to Select window is displayed. Key
child02name and click OK
Verifying Child Domain SRV Records
Log on to RWDC02 as Administrator; click Start, Admin Tools, DNS Management
Click+ next to server name, click forward lookup zones, click domain01.local, click
child02.domain01.local- click _msdcs, and then click dc
Click _tcp in the left pane, in the right pane double click _ldap
Close the DNS Management Console and Log off
Verifying LDAP Records for the child domain using nslookup
Log on to RWDC02 as Administrator
Open the command prompt, key nslookup, press enter. Key set type=srv, press enter
Key _ldap._tcp.dc._msdcs.child02.domain01.local and press enter
A summary output is displayed, key exit and press enter
Close command prompt and Log off
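The two nslookup checks above (the root domain's and the child domain's _ldap._tcp.dc._msdcs records) are easy to misread by eye, so here is an added example, not part of the journal or the MOAC lab, that parses saved Windows nslookup "set type=srv" output and lists which expected DCs have no LDAP locator record. The nslookup text is constructed for this lab's forest; SCDC01 is deliberately left out of it, as it would be before that machine has run dcpromo.

```python
"""Check DC-locator SRV records from saved nslookup output.

Added example, not part of the journal or the MOAC lab: the nslookup text
below is constructed to look like Windows nslookup 'set type=srv' output for
this lab's forest (root domain domain01.local, child child02.domain01.local).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of nslookup output for the two queries made in the journal.
NSLOOKUP_OUTPUT = """\
Server:  UnKnown
Address:  192.168.0.2

_ldap._tcp.dc._msdcs.domain01.local     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = rwdc01.domain01.local
_ldap._tcp.dc._msdcs.domain01.local     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = rodc01.domain01.local
rwdc01.domain01.local   internet address = 192.168.0.2
rodc01.domain01.local   internet address = 192.168.0.3
_ldap._tcp.dc._msdcs.child02.domain01.local     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = rwdc02.child02.domain01.local
rwdc02.child02.domain01.local   internet address = 192.168.0.5
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. _ldap._tcp.dc._msdcs.domain01.local
    priority: int
    weight: int
    port: int
    target: str    # host name of the DC the record points at


def dc_locator_name(domain: str, service: str = "_ldap") -> str:
    """Owner name of the DC-locator SRV record the journal queries:
    <service>._tcp.dc._msdcs.<domain>."""
    return f"{service}._tcp.dc._msdcs.{domain.lower().rstrip('.')}"


def parse_nslookup_srv(text: str) -> list[SrvRecord]:
    """Turn nslookup's 'SRV service location:' blocks into SrvRecord objects.
    Lines outside a block (server banner, A-record glue) are ignored."""
    records: list[SrvRecord] = []
    name = None
    fields: dict[str, str] = {}
    for line in text.splitlines():
        head = re.match(r"^(\S+)\s+SRV service location:", line)
        if head:
            name = head.group(1).lower().rstrip(".")
            fields = {}
            continue
        kv = re.match(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)", line)
        if kv and name is not None:
            fields[kv.group(1)] = kv.group(2)
            if len(fields) == 4:  # all four lines of the block seen
                records.append(SrvRecord(
                    name=name,
                    priority=int(fields["priority"]),
                    weight=int(fields["weight"]),
                    port=int(fields["port"]),
                    target=fields["svr hostname"].lower().rstrip("."),
                ))
                name = None
    return records


def missing_dcs(records: list[SrvRecord], domain: str,
                expected_dcs: list[str]) -> list[str]:
    """Expected DC host names that have no LDAP (port 389) locator record
    for the domain; an empty list means every DC has registered."""
    want = dc_locator_name(domain)
    found = {r.target for r in records if r.name == want and r.port == 389}
    return sorted(dc.lower() for dc in expected_dcs if dc.lower() not in found)


if __name__ == "__main__":
    recs = parse_nslookup_srv(NSLOOKUP_OUTPUT)
    for rec in recs:
        print(f"{rec.name} -> {rec.target}:{rec.port}")
    print("missing in domain01.local:",
          missing_dcs(recs, "domain01.local",
                      ["RWDC01.domain01.local", "RODC01.domain01.local",
                       "SCDC01.domain01.local"]))
```

On a real server, paste the output of the nslookup session into NSLOOKUP_OUTPUT (or read it from a file) and list every DC the domain should have; a DC that appears in the missing list has not registered its locator records and clients will not find it.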
Create a Local Administrator for the Read-Only DC in the Forest Root Domain
Log on to RWDC01, username
Click start, Admin Tools, Active Directory Users and Computers
Click + next to domain01.local, click the Users container, right click Users, select New, select User
In the Full Name and User Log on fields key RODCadminxx, click Next to continue
Enter Password to be used, click Next. Review selections and click Finish to create account
Configure a Read-Only DC in the Forest Root Domain
Log on to RODC01 as Administrator
Click View Network Connections, right click Network Connections and select Properties
Click TCP/IPv4 and select Properties. Select the Use the Following DNS Server Addresses radio
button. In the Preferred DNS server text box enter the IP Address info for writeable DC that is
configured as the Domain Controller for domain01.local (192.168.0.2)
Click OK twice to save
In the left pane of Server Manager, double click Roles. Click Add Role, Next to bypass window
Place a checkmark next to Active Directory Domain Services, click Next, read info and click Next
Read info, click Install and click Close this Wizard and Launch ADDS Installation Wizard
Place a checkmark next to Use Advance Mode Installation and click Next, read info, click Next
Click the Existing Forest radio button and click Add a Domain Controller to an Existing Domain
and click Next. In the Type the Name of Any Domain in the Forest Where You Plan to Install this
Domain key in domain01.local
Click Set to Specify an Alternate Set of Credentials to Add the New Domain Controller
Key namexx and password for this account and click OK, select domain01.local domain, Next
Place a checkmark next to RODC and click Next, click Yes on Wizard Warnings, confirm
Click Set to Specify a Local Administrator for the RODC that does not have Administrative
Permissions within AD. Key RODCadminxx and click OK
Accept the default selections and click Next, key Password, click Next, review and click Finish
Confirm Local Administrator Functionality on the Forest Root Read-Only DC
Log on to RODC01 as Administrator (username will be rodcadminxx)
Start, Admin Tools, Event Viewer, when you receive UAC prompt click Continue
Click Windows Logs and then click Security, close the Event Viewer
Start, Admin Tools, Active Directory Users and Computers, click OK
Browse as needed to select domain01.local and then click Users, right click Administrator and
click Reset Password, enter new password, click OK, click cancel, close the AD Users and
Computer Console
Configure a Server Core Domain Controller in the Forest Root Domain
Log on to SCDC01 as Administrator. In the Command Prompt key netsh interface ipv4 set
dnsservers name="Local Area Connection" static 192.168.0.2 primary and press Enter (the name
parameter is the network connection name shown by ipconfig /all, not the computer name), then
key ipconfig /all to verify
Key notepad and press Enter. Refer to page 42 of the MOAC Lab Manual to create an
unattended configuration file for the dcpromo process in Notepad. Save the file as
c:\unattend.txt and close Notepad, then key dcpromo /unattend:c:\unattend.txt and press Enter
Working with Active Directory Sites
The AD replication process is used to communicate changes from one domain controller to all other
domain controllers in a domain or forest. Intrasite replication takes place within the same site
and transmits changes as soon as they occur. Intersite replication is scheduled, every 15 minutes
by default. AD designates a bridgehead server in each site to act as a gatekeeper in
managing site-to-site replication.
Replications Management (Forcing Replication)
Log on to RWDC01 as Administrator
Open the Active Directory Sites And Services MMC snap-in, click Start, click Administrative
Tools, and then click Active Directory Sites and Services
In the left pane, expand the Sites folder, then expand Default-First-Site-Name
Click the Servers folder, expand the icon for the server that you are using. In the left pane, click
NTDS Settings. In the right pane, select the replication connection that has been configured
for your server. Right click the connection and then click Replicate Now. A Replicate Now
message box is displayed, indicating that Active Directory has replicated the connection.
Click OK and close the Active Directory Sites And Services console
Managing Connection Objects
Open the AD Sites and Services console. In the left pane expand the Sites folder and then
expand Default-First-Site-Name
Expand the Servers folder, and then expand the computer name of the server that you are using.
In the left console pane, click NTDS Settings
Right click NTDS Settings, and then click New Active Directory Domain Services Connection. The Find Domain
Controllers dialog box is displayed
Microsoft Server 2008 Term Journal 14
Select the name from the list of computer names displayed in the search results window pane;
click OK. An AD message box is displayed indicating that there is already a connection and
asking whether you want to create another connection. Click Yes. The New Object-Connection dialog
box is displayed
To accept the default setting, click OK. The new connection is created. Two connections should
be displayed: the automatically generated connection and the manually generated connection
In the right pane, right click the manually created connection and click Delete. An AD message
box is displayed; click Yes to confirm that you want to delete the connection object
Identifying the Global Catalog
In the Active Directory Sites and Services console’s left pane, right click NTDS Settings and then
click Properties, on the General Tab, you can see that the Global Catalog checkbox is selected
Creating a new site
Log on to RWDC01 as Administrator, open the AD Sites and Services console
In the left pane, right click Sites and then click New Site. The New Object-Site dialog box is
displayed
In the Name text box, key MainSite, click DEFAULTIPSITELINK and then click OK. A message box
is displayed, indicating that you must complete additional steps to configure the site; click OK
Group also configured a new site, following the same steps, with RWDC02 and named it
BranchSite.
Microsoft Server 2008 Term Journal 15
Renamed Default-First-Site-Name to HQ by right-clicking on site and selecting Rename
Creating a Subnet Object
Log on to RWDC01 as Administrator, open Active Directory Sites and Services console
Left pane, right click Subnets and then click New Subnet, The New Object Subnet dialog box is
displayed. Key 192.168.x.0/24 in the Prefix text box, in the Site Name portion click MainSite and
click OK
The group also created a Subnet object for RWDC02 for the site named BranchSite
Moving Computers to the Appropriate Site
Log on to RWDC01 as Administrator, open the Active Directory Sites and Services console.
Verify that the default site was renamed to HQ. In the left pane, expand HQ site and then
expand the Servers folder
Right click RWDC01, then click Move. The Move Server dialog box is displayed; click MainSite, then OK
Left pane, expand MainSite, expand Servers object below MainSite. You should see the 01
computer object
Try to force replication using the connection object of the RWDC01 computer; you should see a
message indicating that these servers are in different sites. Click OK
Right click RWDC02 and then click Move. The Move Server dialog box is displayed; click
BranchSite, then click OK
Microsoft Server 2008 Term Journal 16
In the left pane, expand BranchSite and then expand the Servers folder. You should see the 02
computer object
Creating a Site Link Object from the RWDC02 computer
For replication to take place between RWDC01 and RWDC02 in separate sites, you must create a
site link object between these sites
Log on to RWDC02 using the Domainxx\name account in the domain01.local domain. Open the
Active Directory Sites and Services console
In the left pane, expand the Inter-Site Transports folder. Right click IP, click New Site Link. The
New Object-Site Link dialog box is displayed
In the Name text box, key EvenLink. In the Sites Not In This Site Link box, click MainSite and
then click Add
In the Sites Not in This Site Link box, click BranchSite and then click Add, OK to save changes
The group also created a Site Link Object from RWDC01 named OddLink
The group also followed the Post-Lab Cleanup portion of the lab
(pg. 66 of the MOAC Lab Manual)
Windows Server 2008 provides tools for problem discovery, diagnosis and resolution,
e.g. the event logs in Event Viewer. Dcdiag and repadmin can both be run from the command line.
Dcdiag can report DNS registration problems, analyze the permissions required for replication, and report the state
of DCs within the forest. Repadmin can view the replication topology, force replication and view
the replication metadata (actual data and USN info)
Global Catalog and FSMO Roles
The Global Catalog has four functions: facilitate searches for objects in the forest, resolve UPNs,
maintain universal group membership info and maintain a copy of all objects in the domain. For
sites that do not have a global catalog server available, a feature called universal group
membership caching is used. It eliminates the need to place a global catalog in a remote
location and conserves resources.
Raise the Parent Domain Functional Level
Log on to RWDC01 as Administrator, open the Active Directory Domains and Trusts console
Right click the domain01.local node, click Raise Domain Functional Level. The Raise Domain
Functional Level dialog box is displayed
From the dropdown, select Windows Server 2008 and then click Raise; read the message and confirm
A second message is displayed indicating that the domain functional level has been raised
The group also raised the functional level of the child domain following the same steps
Raise the Forest Functional Level
Log on to RWDC01 as Administrator, Open Active Directory Domains And Trusts console
Microsoft Server 2008 Term Journal 18
Right click the top-level node (Active Directory Domains And Trusts [RWDC01.domain01.local]) and then click Raise Forest
Functional Level; a dialog box is displayed
In the dropdown selection box, click Windows Server 2008 and then click Raise, read the message
then confirm; a second message is displayed, click OK
Enabling Universal Group Membership Caching
Log on to RWDC01 as Administrator, Open the Active Directory Sites And Services console
In the left pane, click Sites and then click Default-First-Site-Name. Right click NTDS Site Settings
and click Properties. Place a checkmark next to Enable Universal Group Membership Caching
and click OK, then force AD replication
Working with Flexible Single Master Operation Roles
Viewing Operations Masters
First, determine which server holds the schema operations master role
On RWDC02 log on as Administrator, click start, key ntdsutil, key roles, key connections, key
connect to server RWDC01.domain01.local press enter
Key quit, key select operation target, key list roles for connected server, review output- what
FSMO roles are assigned to RWDC01?
Key quit, key connections, key connect to server RWDC02.child02.domain01.local press enter,
key quit, key select operation target, key list roles for connected server and press enter
Microsoft Server 2008 Term Journal 19
Key quit and close the command-prompt window and log off
Transferring the Schema Master to a Different Domain Controller
Log on to RWDC01 as Administrator, click Start, key ntdsutil and press enter
Key roles, key connections, key connect to server RWDC02.child02.domain01.local and press
enter. Key quit, key transfer schema master, confirm click yes. Review the output of the ntdsutil
window to confirm that RWDC02 is now listed as the schema operations master
Close command-prompt and log off
The group transferred the schema master role back to RWDC01
There are five FSMO roles in total. Three are domain-specific: the Relative Identifier (RID) Master,
responsible for assigning relative identifiers to domain controllers in the domain; the Infrastructure
Master, responsible for reference updates from its domain to other domains; and the Primary
Domain Controller (PDC) Emulator, which manages password changes, account lockouts and time
synchronization. The two forest-wide roles are the Domain Naming Master, which has the authority to
manage the creation and deletion of domains, domain trees and application data partitions in
the forest, and the Schema Master, which is responsible for managing changes to the AD schema
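The ntdsutil "list roles for connected server" output used in the Viewing Operations Masters and Transferring the Schema Master steps prints each role as a distinguished name, so here is an added example (not part of the journal or the MOAC lab) that parses that output into role holders, splits them into the forest-wide and domain-specific groups described above, and diffs two listings to confirm a transfer. The ntdsutil text is constructed for this forest; the site names MainSite and BranchSite are the ones the journal created.

```python
"""Parse ntdsutil 'list roles for connected server' output into FSMO holders.

Added example, not part of the journal or the MOAC lab: the ntdsutil text is
constructed for this forest (domain01.local with child02.domain01.local,
RWDC01 in MainSite and RWDC02 in BranchSite).  Server names are taken from
the NTDS Settings distinguished names that ntdsutil prints for each role.
"""
from __future__ import annotations

import re

# Role names as ntdsutil prints them, grouped as the journal describes:
# two forest-wide roles and three that exist once per domain.
FOREST_WIDE_ROLES = frozenset({"Schema", "Naming Master"})
DOMAIN_WIDE_ROLES = frozenset({"PDC", "RID", "Infrastructure"})
ROLE_LINE = re.compile(r"^(Schema|Naming Master|PDC|RID|Infrastructure) - (CN=.+)$")
# The Configuration partition is forest-wide, so every NTDS Settings DN ends in
# the forest root's DC components even for a child-domain DC.
NTDS_DN = re.compile(
    r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,", re.I)


def _ntds(server: str, site: str) -> str:
    return (f"CN=NTDS Settings,CN={server},CN=Servers,CN={site},CN=Sites,"
            f"CN=Configuration,DC=domain01,DC=local")


def _view(connected: str, holders: dict[str, tuple[str, str]]) -> str:
    """Build constructed ntdsutil output from a role -> (server, site) map."""
    lines = [f'Server "{connected}" knows about 5 roles']
    for role in ("Schema", "Naming Master", "PDC", "RID", "Infrastructure"):
        server, site = holders[role]
        lines.append(f"{role} - {_ntds(server, site)}")
    return "\n".join(lines)


R1, R2 = ("RWDC01", "MainSite"), ("RWDC02", "BranchSite")
# Constructed: connected to RWDC01.domain01.local before any transfer.
ROOT_VIEW = _view("rwdc01.domain01.local", {
    "Schema": R1, "Naming Master": R1, "PDC": R1, "RID": R1, "Infrastructure": R1})
# Constructed: connected to RWDC02.child02.domain01.local.  The domain roles it
# reports are the child domain's own; the forest roles still sit in the root.
CHILD_VIEW = _view("rwdc02.child02.domain01.local", {
    "Schema": R1, "Naming Master": R1, "PDC": R2, "RID": R2, "Infrastructure": R2})
# Constructed: RWDC01's view after 'transfer schema master' to RWDC02.
ROOT_VIEW_AFTER = _view("rwdc01.domain01.local", {
    "Schema": R2, "Naming Master": R1, "PDC": R1, "RID": R1, "Infrastructure": R1})


def parse_fsmo_roles(text: str) -> dict[str, str]:
    """Map each role name to the holder's server name (upper-case)."""
    holders: dict[str, str] = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line.strip())
        if not m:
            continue
        role, dn = m.groups()
        dn_match = NTDS_DN.match(dn)
        if not dn_match:
            raise ValueError(f"unexpected NTDS Settings DN for {role}: {dn}")
        holders[role] = dn_match.group(1).upper()
    missing = (FOREST_WIDE_ROLES | DOMAIN_WIDE_ROLES) - set(holders)
    if missing:
        raise ValueError(f"roles not listed: {sorted(missing)}")
    return holders


def holders_by_scope(holders: dict[str, str]) -> dict[str, set[str]]:
    """Which servers hold forest-wide roles and which hold domain-wide roles."""
    return {
        "forest": {holders[r] for r in FOREST_WIDE_ROLES},
        "domain": {holders[r] for r in DOMAIN_WIDE_ROLES},
    }


def changed_roles(before: str, after: str) -> dict[str, tuple[str, str]]:
    """Roles whose holder differs between two listings, as role -> (old, new);
    the way to confirm that a transfer did exactly what was intended."""
    b, a = parse_fsmo_roles(before), parse_fsmo_roles(after)
    return {role: (b[role], a[role]) for role in b if b[role] != a[role]}


if __name__ == "__main__":
    print("child DC's view:", holders_by_scope(parse_fsmo_roles(CHILD_VIEW)))
    print("after transfer:", changed_roles(ROOT_VIEW, ROOT_VIEW_AFTER))
```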
Creating Administrative Accounts
In this unit the group performed some of the most common administrative tasks carried out when
working with AD: created administrative user accounts, changed group memberships, and created
global and universal groups to assign permissions to user accounts
Creating Administrative Accounts
Create an account to the Parent Domain
Log on to the Forest Domain as default domain administrator (domain01.local/administrator)
Open the AD Users and Computers MMC Snap-in, expand object domain01.local
Right click Users, New then User, create new user named DomAdmin with default password
Make sure that the Users container is selected in the right window pane of AD Users and Computers
Right click DomAdmin for Properties, click the Member Of tab, click Add, key Domain Admins in the
Object Name box
In DomAdmin Properties, click Domain Admins in the Member Of list and make Domain
Admins the primary group. Click Domain Users in the Member Of selection box and click Remove to make
Domain Admins the only group membership for this user account. Repeated the same process
to create two additional accounts named SchAdmin (member of the Schema Admins group) and
EntAdmin (member of the Enterprise Admins group)
Creating Administrative Accounts on the Child Domain
Log on to the Child Domain as Administrator with the default password, open the AD Users and
Computers MMC snap-in. Expand child01.domain01.local, right click Users, click New
Create a new user account named DomAdmins and verify that DomAdmins is part of the Domain
Admins group (refer to manual). Created two additional accounts named SchAdmin and EntAdmin;
didn't configure membership at this time
Adding Child User Accounts to Enterprise-wide Administrative Roles
Log on to the Child Domain as the default Domain Administrator, open AD Users and Computers
Expand domain01.local, select the Users container, right click the Enterprise Admins group, click
Properties, click the Members tab and click Add. Click Locations and expand the domain01 object,
expand the child01.domain01 domain. Click Users under the child domain and key EntAdmin, check
the name and make sure that the EntAdmin user from the child domain is displayed and underlined
Repeat the steps to add the SchAdmin user account from the child01 domain to the Schema Admins
group in the parent domain
Allowing Users to Log On to Domain Controllers
Typically you wouldn't want to grant Users permission to log on to a Domain Controller; this is
done here for testing purposes only
Under the Group Policy Management Console, expand the tree until you find Domain Controllers,
right-click the Default Domain Controllers Policy and click Edit. Expand Computer
Configuration, expand Policies, expand Windows Settings, Security Settings, Local Policies and
click User Rights Assignment. Double click the Allow Log On Locally policy object, check the box for
Define These Policy Settings. Click Add User or Group, key Administrators, then key Users in the Users And
Group Names text box. Click OK again in the Allow Log On Locally Properties dialog box.
Determine Which Account Can Create Sites, Users and Attributes
The group followed the Lab Manual for Project 5.2, Testing Administrative Access, to test the capabilities
of each user account created in the previous projects. After completing the
project the conclusion was that the EntAdmin account was able to create sites, users and attributes.
The DomAdmin account was able to create users but not sites or attributes. SchAdmin was able to
add attributes but was not able to add users, groups or sites.
Creating Global and Universal Group
Logged on to the parent and child domains and created a Global group named LAdmin01 for the parent
and LAdmin02 for the child. Next we added LAdmin01 and LAdmin02 to a Universal Group, granting
Administrator privileges. Next we created users named LocalAdmin01 and LocalAdmin02 in the Parent and
Child Domains and made them members of the LAdmin groups (page 97 of the MOAC Lab Manual)
Employing Security Concepts
Using Naming Standards and Secure Passwords
Group created a user account on the Root Domain using the Naming Standard, full name of
Reed Koch to the following: RKoch01 with default password and make sure the User Must
Change Password at Next Logon is not selected. Also created a user account on the Child
Domain using the Naming Standard, full name of Brannon Jones to the following: BJones02
Employing Administrator Account Security
Refer to pages 107-109 of the MOAC Lab Manual for the various methods of using the runas utility
from the command prompt and as a shortcut, reducing the exposure of administrative
accounts
Delegating Administrative Responsibility
Delegating Control on the Parent Domain
Log on to RWDC01 as the default administrator, open a command-prompt window (refer to pg. 109
for the commands to create user accounts), then open the AD Users and Computers console. Right-click
the domain01.local object, click New, Organizational Unit, key Mgmt1 and click OK
Right-click Mgmt1 and click Delegate Control. The Delegation of Control Wizard is displayed; click
Next. On the Users Or Groups page, click Add, select Users, key Manager in the Object Names box and click
OK to check names. In the Users Or Groups page, click Next. The Tasks To Delegate page is
displayed. Move the User1 account from the Users container to the Mgmt1 OU (click and drag), then
open a command prompt (refer to pg. 110 for the commands)
In the left pane of AD Users and Computers, select Mgmt1 and make sure User1 and User2
are displayed.
To Delegate Control on the Child Domain would be the same process. The group created
User3,4 and created an OU with the name Mgmt2. Then we moved User3,4 to the OU Mgmt2.
We also tested Delegated Permissions on the Parent and Child Domain, in order to delete users
from the OU the Delegated User must have proper credentials.
Configuring the Local Computer Policy
Group Policy is a method of controlling settings across the Network. You can configure one or
more GPOs within a domain and then use a process called linking, which applies these settings
to various containers within AD
Removing the Child Domain
Log on as Administrator and, using Notepad, create a file called c:\demote.txt (refer to page 121
for the information the file must contain). Open a command-prompt window, key dcpromo /answer:"c:\demote.txt"
and press Enter. After the domain controller is demoted, it reboots
automatically. Log back on to RWDC02 as Administrator, open Server Manager, browse to
Computer Information and click Change System Properties. On the Computer Name tab, click
Change. Click More and remove the child02.domain01.local primary DNS suffix. Browse to Roles
Summary and click Remove Roles, then restart the computer.
Confirm that the computer is configured to use the IP address of RWDC01 as its primary DNS
server
The group also configured the Child Domain to Remove the Properties Option When Right
Clicking My Computer via gpedit.msc (the Group Policy Object Editor), pg. 122
Configure the Computer Properties Context Menu Setting On The Domain
Log on to RWDC01 as Administrator, open the Group Policy Management Console from the Admin
Tools folder. Drill down to the Group Policy Objects node
Right-click Default Domain Policy and click Edit, Under User Configuration, click Policies and
click Admin Templates, Desktop node. In the right window, double click the Remove Properties
from the Computer Icon Context Menu setting, click Disable and OK
Create Domain Users for Testing
Under AD Users And Computers console, the group created a user account named L7DomUser
in the Users container of Domain01.local, created a new top-level OU named L7Test1
Created a user account in the L7Test1 OU named L7Test1User
Created GPO Links for the Domain
Log on to RWDC01 as Administrator, open the GP Management Console from the Admin Tools
folder, drill down to the domain01 node. Right-click the domain01 node and select Create A GPO In
This Domain And Link It Here, name the new GPO (RemoveHelp1) and press Enter
Navigate to the Group Policy Objects node, right-click the RemoveHelp1 GPO and click Edit
Browse to User Configuration, click Policies, click the Admin Templates node, select the Start Menu and
Taskbar object. In the right pane, double-click the Remove Help Menu From Start Menu setting
Select the Enabled radio button and close the GP Management Editor. Right-click the domain01
node and select Create A GPO In This Domain And Link It Here, name the new GPO
(RemoveSearch01) and press Enter. Repeat the steps to enable the Remove Search Link From Start Menu
setting for the new GPO
Create GPO Links for an OU
Open the GP Management Console, drill down to the L7Test1 OU and select Create A GPO
In This Domain And Link It Here, name the new GPO AddHelp1 and press Enter
Repeat the previous steps to disable the Remove Help Menu From Start Menu setting in the
AddHelp1 GPO (close the GP Management Editor). Create and link another GPO to the L7Test1
OU named RemoveComputerProperties2. Enable the Remove Properties From The Computer Icon Context Menu setting in the
RemoveComputerProperties2 GPO. Close the GP Management Editor and Console
The group tested the results
Using Block Policy Inheritance and Enforce
The group deleted the 2 GPO links from the L7Test1 OU. On RWDC01 drill down to the L7Test1 OU,
right-click it and click Block Inheritance. Open the GP Management Console from Admin Tools, drill
down to the domain01 node, right-click the Default Domain Policy GPO link and click Enforced
Inheritance can be altered by using the Enforced and Block Inheritance settings
Using Group Policy Loopback Processing
Create a new top-level OU named L7Test2 in domain01.local. In the left pane, click the Computers
container, right-click RWDC02 and click Move, select the L7Test2 OU and click OK
Open the GP Management Console from the Admin Tools folder, drill down to the L7Test2 node
Right-click the L7Test2 node and select Create A GPO In This Domain, And Link It Here
Name the newly created GPO DisableCP. Navigate to the Group Policy Objects node, right-click
DisableCP and click Edit, drill down to User Configuration, click Policies, click Admin Templates
and then Control Panel. Enable the Prohibit Access To The Control Panel setting
Edit the DisableCP GPO, navigate to Computer Configuration, click Policies, click Admin
Templates, click System and click Group Policy. Enable the User Group Policy Loopback Processing Mode setting
and leave the drop-down box set to Replace. Close the GPM Editor.
Managing Users and Computers with Group Policy
To configure a domain-wide password policy, browse to Computer Configuration, Policies,
Windows Settings, Security Settings, Account Policies, Password Policy. To configure a domain-
wide lockout policy, drill down to Account Policies under the same path and configure
the Account Lockout Threshold setting, the number of invalid logon attempts allowed before the account is
locked. These settings apply to domain accounts only from a GPO linked at the domain level (the Default
Domain Policy); set in an OU-linked GPO they affect only the local accounts of computers in that OU. Audit Policy lets
administrators log successful and failed security events and can be used to track user and system
activities.
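As an added example, not from the page or the MOAC lab manual, the following PowerShell check reads the domain account policy as reported by `net accounts /domain` and flags settings weaker than a set of thresholds chosen here for illustration (the thresholds, the function names and the sample output are all assumptions; the sample lines are constructed, not captured from the lab).

```powershell
# Parse the "Name: value" lines that net accounts prints into a hashtable.
function Parse-AccountPolicy {
    param([string[]]$Lines)
    $policy = @{}
    foreach ($line in $Lines) {
        $idx = $line.LastIndexOf(':')
        if ($idx -lt 1) { continue }          # skip banners and blank lines
        $policy[$line.Substring(0, $idx).Trim()] = $line.Substring($idx + 1).Trim()
    }
    return $policy
}

# "Never", "Unlimited" and "None" all mean the control is off; treat them as 0.
function ConvertTo-PolicyInt([string]$Value) {
    if ($Value -match '^\d+$') { return [int]$Value } else { return 0 }
}

# Compare the parsed policy against minimum expectations (assumed thresholds).
function Test-AccountPolicy {
    param([hashtable]$Policy)
    $findings  = @()
    $minLen    = ConvertTo-PolicyInt $Policy['Minimum password length']
    $maxAge    = ConvertTo-PolicyInt $Policy['Maximum password age (days)']
    $history   = ConvertTo-PolicyInt $Policy['Length of password history maintained']
    $threshold = ConvertTo-PolicyInt $Policy['Lockout threshold']
    $duration  = ConvertTo-PolicyInt $Policy['Lockout duration (minutes)']
    if ($minLen -lt 8)    { $findings += "Minimum password length is $minLen; expected at least 8" }
    if ($maxAge -eq 0 -or $maxAge -gt 90) {
        $findings += "Maximum password age is '$($Policy['Maximum password age (days)'])'; expected 1-90 days"
    }
    if ($history -lt 24)  { $findings += "Password history is $history; expected 24" }
    if ($threshold -eq 0) { $findings += "Account lockout is disabled (Lockout threshold: Never)" }
    elseif ($threshold -gt 10) { $findings += "Lockout threshold is $threshold; expected 10 or fewer" }
    if ($threshold -gt 0 -and $duration -lt 15) {
        $findings += "Lockout duration is $duration minutes; expected at least 15"
    }
    return $findings   # empty when every check passes
}

# Constructed sample: what an unconfigured domain could print (not output captured in the lab).
$sample = @(
    'Force user logoff how long after time expires?:       Never',
    'Minimum password age (days):                          0',
    'Maximum password age (days):                          Unlimited',
    'Minimum password length:                              0',
    'Length of password history maintained:                None',
    'Lockout threshold:                                    Never',
    'Lockout duration (minutes):                           30',
    'Lockout observation window (minutes):                 30',
    'Computer role:                                        PRIMARY'
)
Test-AccountPolicy (Parse-AccountPolicy $sample)

# Live check against the domain (works on a DC or on a domain member):
Test-AccountPolicy (Parse-AccountPolicy (net accounts /domain))
```

`net accounts` does not report the password complexity requirement; to confirm that one, export the effective security policy with `secedit /export /cfg <file>` on the DC and read `PasswordComplexity` under `[System Access]`.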
Configure Folder Redirection and Disk Quotas
Folder Redirection gives the administrator the ability to redirect the contents of certain
folders to a network location. Group created a new folder on the C:\ drive named Lab8MyDocs1.
Created a new GPO named Redirect1 and linked it to the Marketing OU. Drilled down to Folder
Redirection under Edit GPO. Ensured that the Target Folder Location is Create A Folder For Each
User Under The Root Path and keyed in the path to the shared folder on the DC. Disk quotas can be used to
limit the amount of space available on the server for user data. Group created and linked a new
GPO named DiskQuota1. Opened the Group Policy Editor, drilled down to Disk Quotas and enabled
disk quotas with a limit of 512 KB (pg. 145). The group also learned how to use gpupdate, a
command-line tool used to force a Group Policy refresh instead of waiting for the background refresh interval.
Software Distribution
Preparing the Distribution Share
Software deployed through Group Policy must be packaged for Windows Installer (.msi).
There are two ways to deploy software: assigning or publishing. When an application is
assigned to a user, it is advertised on the Start menu of the user's workstation and installs on first use.
When an application is published, it is advertised in Add Or Remove Programs in the Control
Panel and the user chooses whether to install it.
Insert the Windows Server 2008 CD-ROM and create a folder named C:\MSI; right-click it and click Share.
Key in Everyone to share it on the network, click Share and then Close. Copy the contents of the \upgrade\
netfx folder on the Windows Server 2008 CD-ROM into the MSI folder.
Group created a new GPO named SoftDist1. Under User Configuration, Policies, Software
Settings, right-clicked Software Installation, entered the package location as a UNC path (\\rwdc01\msi),
selected the netfx package and deployed it as Published.
Click Categories, move the Development Tools category into Selected Categories and
click OK to close.
To assign software, drill down to Forest, Domains, Edit GPO, User Configuration, Policies, Software
Settings, Software Installation. Right-click Microsoft .NET Framework 1.1 and then Properties. Under
Deployment, select Assigned.
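The distribution share above is shared to Everyone, which is fine for reading but dangerous if anyone can write: a package replaced on that share is installed by every machine or user the GPO targets. As an added example (not from the page or the MOAC lab manual), this PowerShell creates the share read-only, sets explicit NTFS permissions, and then audits the ACL for write-type rights held by non-administrative principals. The folder name C:\MSI and share name MSI follow the lab; the function name and the list of trusted principals are assumptions.

```powershell
# Assumed lab names: folder C:\MSI shared as MSI on RWDC01.
$folder = 'C:\MSI'
New-Item -Path $folder -ItemType Directory -Force | Out-Null

# Share permission: Everyone read only. Workstations and users only ever read the packages.
net share "MSI=$folder" "/GRANT:Everyone,READ"

# NTFS permissions: stop inheriting, then grant only what is needed.
# Anyone who can write here can replace an .msi that every targeted machine will install.
icacls $folder /inheritance:r
icacls $folder /grant "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Authenticated Users:(OI)(CI)RX"

# Check: report any Allow ACE that gives write-type rights to a principal outside the trusted set.
function Test-DistributionShare {
    param([string]$Path)
    $acl   = Get-Acl -Path $Path
    $risky = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.FileSystemRights.ToString()
        $who    = $ace.IdentityReference.Value
        if ($rights -match 'Write|Modify|FullControl|CreateFiles|AppendData' -and
            $who -notmatch 'Administrators|Domain Admins|SYSTEM') {
            $risky += "$who has $rights"
        }
    }
    return $risky   # empty when the share is safe to deploy from
}
Test-DistributionShare -Path $folder
```

Run the check again after copying the packages in, since files copied from another location may carry their own explicit ACEs; `icacls $folder /reset /T` reapplies the inherited permissions set above to everything underneath.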
Using Software Restriction Policies
Drill down to User Configuration, Policies, Windows Settings, Security Settings, Software
Restriction Policies. Under New Path Rule, browse to the file to be restricted. Group restricted IE from
the desktop for testing purposes. Group also found a way around this restriction: copy the file from its
folder and paste it to the desktop. To completely prevent the user from running the file, a New Hash
Rule must be selected instead. A path rule matches only the location, so a copy elsewhere is not covered; a hash rule
matches the file's contents wherever it sits, but must be updated whenever the file is patched.
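As an added example (not code from the page or the MOAC lab manual), this PowerShell reproduces the bypass the group found and shows why a hash rule closes it: it copies the restricted executable to the desktop, then compares what a path rule and a hash rule would each see. The file paths and function names are assumptions for the lab setup.

```powershell
# Hash a file the way an SRP hash rule identifies it: by contents, not by location.
# Vista/Server 2008 hash rules use SHA-256 (older clients use MD5); both are computed here.
function Get-FileHashes {
    param([string]$Path)
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $md5    = [System.Security.Cryptography.MD5]::Create().ComputeHash($bytes)
    $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return @{
        Path   = $Path
        MD5    = [BitConverter]::ToString($md5).Replace('-', '').ToLower()
        SHA256 = [BitConverter]::ToString($sha256).Replace('-', '').ToLower()
    }
}

# Reproduce the bypass the lab found: a copy has a new path but an identical hash.
function Compare-PathVersusHash {
    param([string]$Original, [string]$CopyTo)
    Copy-Item -Path $Original -Destination $CopyTo -Force
    $a = Get-FileHashes -Path $Original
    $b = Get-FileHashes -Path $CopyTo
    Remove-Item -Path $CopyTo -Force
    return @{
        PathRuleStillMatches = ($a.Path -eq $b.Path)      # False: a path rule on the original misses the copy
        HashRuleStillMatches = ($a.SHA256 -eq $b.SHA256)  # True: a hash rule still blocks it
        SHA256               = $a.SHA256
    }
}

# Assumed paths: Internet Explorer, as restricted in the lab, copied to the current user's desktop.
$ie   = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
$copy = Join-Path ([Environment]::GetFolderPath('Desktop')) 'iexplore.exe'
Compare-PathVersusHash -Original $ie -CopyTo $copy
```

The same reasoning cuts the other way for allow rules: a path rule that allows a folder users can write to lets them drop any executable there, so allow-by-path should only cover locations where users have no write access.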
Controlling Group Policy
To meet the need for refined control over the application of group policies, two additional
filtering methods can be used. Security group filtering uses the GPO's Security tab (the Apply Group Policy
permission) to determine which users and groups the policy applies to. Windows Management Instrumentation (WMI)
provides management information and control, allowing administrators to create queries based on hardware,
software, OS and services. WMI filters can be used to control which users or computers a GPO affects, based on the
result of the query on each computer.
Resultant Set of Policy (RSoP) is a tool that helps administrators determine the combined effect of
policies. The RSoP wizard in planning mode (Group Policy Modeling in the GPMC) lets administrators simulate policy
effects prior to implementation. Group Policy Results (gpresult at the command line) obtains RSoP
information from the client computer to show the actual effect the policies have on the client
computer and user environment.
To use the Resultant Set of Policy Wizard and the GPResult feature, refer to page 171 of the MOAC Lab manual.
Group configured security group filtering: created an OU and created a group called 10BGroup1
within the OU. Drill down to Forest, Domains, domain01.local, Group Policy Objects, select the GPO,
under Security Filtering highlight Authenticated Users and click Remove, then click Add to add 10BGroup1 and click OK. To
create a WMI filter, refer to page 175 for the commands.
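Two checks a practitioner wants at this point, as an added example that is not from the page or the MOAC lab manual: test a WMI filter's WQL query on a computer before attaching it to a GPO (the filter applies the GPO only when the query returns at least one instance), and parse the "filtered out" section of `gpresult /r` so that a GPO skipped by security or WMI filtering is reported with its reason. The query, the function names and the sample `gpresult` lines are assumptions; the sample is constructed using the GPO names from this journal, not captured output.

```powershell
# Assumed example query: apply only to 64-bit server operating systems
# (ProductType 1 = workstation, 2 = domain controller, 3 = server).
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType <> 1 AND OSArchitecture = "64-bit"'

# WMI filters are evaluated in root\cimv2; the GPO applies when the query returns anything.
function Test-WmiFilterQuery {
    param([string]$Query, [string]$ComputerName = '.')
    $hits = @(Get-WmiObject -Namespace 'root\cimv2' -Query $Query -ComputerName $ComputerName)
    return ($hits.Count -gt 0)
}

# gpresult /r lists skipped GPOs as a name line followed by a "Filtering:" line, e.g.
#     AddHelp1
#         Filtering:  Denied (Security)
# Pair each name with its reason so a filtering mistake is visible at a glance.
function Get-FilteredGpos {
    param([string[]]$GpresultLines)
    $result = @()
    $name   = $null
    foreach ($raw in $GpresultLines) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -like 'Filtering:*') {
            if ($name) { $result += "$name => $($line.Substring(10).Trim())" }
            $name = $null
        } else {
            $name = $line   # remembered until a Filtering: line claims it
        }
    }
    return $result
}

# Constructed sample of the relevant gpresult section (not output captured in the lab).
$sample = @(
    '    The following GPOs were not applied because they were filtered out',
    '    -------------------------------------------------------------------',
    '        Local Group Policy',
    '            Filtering:  Not Applied (Empty)',
    '',
    '        AddHelp1',
    '            Filtering:  Denied (Security)',
    '',
    '        RemoveComputerProperties2',
    '            Filtering:  Denied (WMI Filter)'
)
Get-FilteredGpos -GpresultLines $sample

# Live: evaluate the query on this computer, then read the real results for computer and user.
Test-WmiFilterQuery -Query $wql
Get-FilteredGpos -GpresultLines (gpresult /scope computer /r)
Get-FilteredGpos -GpresultLines (gpresult /scope user /r)
```

"Denied (Security)" after removing Authenticated Users means the logged-on user is not a member of 10BGroup1 (or the group membership has not been refreshed by a new logon); "Denied (WMI Filter)" means the query returned nothing on that computer.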
Disaster Recovery and Maintenance
Group configured three new user accounts on RWDC01 inside the Administration OU that was
also created, and named the user accounts Misty, Samantha and Denise. Simulated a replication
delay by disabling the network connection, preventing replication. Created another OU named
Accounting in the RWDC01 domain. On RWDC02 we created two new user accounts inside
Accounting named Wedge and Wood and deleted them for testing purposes. Then re-enabled the network
connection on RWDC01 to allow the changes to replicate.
In the AD Users and Computers console, ensure that the Advanced Features view option is
enabled. In the left pane, click the LostAndFound container. This container should hold the user
accounts that were created in the OU that was deleted. To resolve the loss of the Administration OU, create a
new Administration OU, and then move the users from the LostAndFound container to the new
one.
Performing a System State Data Backup
Installing the Windows Server Backup feature and performing the System State backup:
In Server Manager, browse to Features; in the right pane, click Add Features. Place a checkmark
next to Windows PowerShell, Windows Server Backup Features, Windows Server Backup and
Windows Server Backup Features, Command-line Tools, then close. To perform the backup:
Administrative Tools, Windows Server Backup, click Action and then Backup Once. Click Next, Custom
and then Next. In the Backup Destination drop-down list, confirm that the second hard drive is
selected. Read the description of the VSS copy backup and click Next to begin the backup process.
To perform an offline defragmentation of the AD database, refer to page 190 of the MOAC Lab
Manual.
There are two ways to restore Active Directory. The first is normal replication: a rebuilt DC receives the
directory from the other Domain Controllers that exist in the forest. The second uses WBADMIN and NTDSUTIL:
wbadmin performs a nonauthoritative restore of the System State, which returns a single DC to its
state at the time of the backup; replication then brings it up to date, which also replays any deletions
made since. To recover deleted objects, ntdsutil is run after the nonauthoritative restore, while the DC is still in
Directory Services Restore Mode, to mark the restored objects as authoritative (most current), so that the
replication process will not overwrite them.
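The three recovery steps of this section, the LostAndFound clean-up, the System State backup and the nonauthoritative-then-authoritative restore, as one added command-line example (not from the page or the MOAC lab manual). The distinguished names follow the lab's domain01.local and Administration OU; the backup volume E: and the version identifier placeholder are assumptions. The `wbadmin` and `ntdsutil` commands are standard Windows Server 2008 syntax.

```powershell
# 1. Replication conflict clean-up: objects whose parent OU was deleted on another DC
#    land in LostAndFound. Assumed DNs for the lab domain.
$lost   = 'CN=LostAndFound,DC=domain01,DC=local'
$target = 'OU=Administration,DC=domain01,DC=local'
# Recreate the OU (skip if it already exists), then move each orphaned user back under it.
dsadd ou $target
foreach ($dn in (dsquery user $lost -scope onelevel)) {
    dsmove $dn.Trim('"') -newparent $target     # dsquery prints DNs in double quotes
}

# 2. System State backup (AD database, SYSVOL, registry, certificates) to a second volume.
#    The target must not be one of the critical volumes being backed up; E: is assumed.
wbadmin start systemstatebackup '-backupTarget:E:' -quiet
wbadmin get versions '-backupTarget:E:'

# 3. Restore. Boot the DC into Directory Services Restore Mode (F8 at startup) and log on
#    with the DSRM password. The nonauthoritative restore returns the DC to the backup's state:
wbadmin start systemstaterecovery '-version:MM/DD/YYYY-HH:MM' '-backupTarget:E:' -quiet
#    (replace MM/DD/YYYY-HH:MM with a version identifier printed by "wbadmin get versions")
#    Still in DSRM, before rebooting, mark only the OU that was lost as authoritative so that
#    replication partners accept it instead of replaying the deletion over it:
ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $target" quit quit
```

Mark authoritative only the subtree that was deleted: an authoritative restore raises the version numbers of everything under it, so restoring the whole database that way would also roll back every legitimate change made on other DCs since the backup.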
Configuring Name Resolution and Additional Services
DNS is the primary means of name resolution for Active Directory, as well as for the Internet and
TCP/IP networks generally. TCP/IP communication is based on IP addresses. When you use a name instead
of an address in an application, the computer must convert the name into the proper IP address.
This name-to-address conversion is called name resolution. DNS is the name resolution
mechanism computers use for Internet communications, and Active Directory clients also depend on DNS
SRV records to locate domain controllers.
Creating a Reverse Lookup Zone
Click Start, Administrative Tools, DNS, and drill down to the Forward Lookup Zones node. For this
lab there was already a forward lookup zone. Drill down to Reverse Lookup Zones; there is no
reverse lookup zone yet. To create one, right-click and select New Zone; the wizard is displayed. Click Primary Zone and
place a checkmark next to Store The Zone In Active Directory. The AD Zone Replication Scope
screen is displayed; accept the default selection and click Next. Select IPv4 Reverse Lookup Zone, enter the
network ID of the subnet (which becomes the in-addr.arpa zone name) and click Next.
In a zone transfer the server hosting the primary zone copies the primary master zone database
to the secondary zone, making their resource records identical. This enables the secondary
zone to answer authoritatively for the domains in the zone, just as the primary
does. Because a transfer hands out every record in the zone, the Zone Transfers tab should restrict transfers
to the named secondary servers rather than allowing them to any server that asks.
To create a secondary zone, right-click the Forward Lookup Zones node and select New Zone
(page 203 of the MOAC Lab).
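The same zone work done from the command line, as an added example that is not part of the page or the MOAC lab manual: create the AD-integrated reverse zone and a PTR record with `dnscmd`, restrict zone transfers to one secondary before creating the secondary zone, and then verify that forward and reverse answers agree. The addresses (RWDC01 at 192.168.0.2, a secondary at 192.168.0.3, subnet 192.168.0.0/24) and the function name are assumptions for the lab; the consistency check needs PowerShell 2.0 or later.

```powershell
# Assumed lab addressing: RWDC01 = 192.168.0.2 hosts domain01.local and the 192.168.0.0/24
# subnet; a second DNS server at 192.168.0.3 will hold the secondary copy.
$dns     = 'RWDC01'
$reverse = '0.168.192.in-addr.arpa'

# Reverse lookup zone stored in AD (/DsPrimary), plus a PTR record for the DC itself.
dnscmd $dns /ZoneAdd $reverse /DsPrimary
dnscmd $dns /RecordAdd $reverse 2 PTR rwdc01.domain01.local.

# Zone transfers hand out every record, so allow them only to the listed secondary.
dnscmd $dns /ZoneResetSecondaries domain01.local /SecureList 192.168.0.3
# On the secondary server, pull the zone from the master.
dnscmd 192.168.0.3 /ZoneAdd domain01.local /Secondary 192.168.0.2

# Check: each host's forward answer must reverse back to the same name.
function Test-ForwardReverseConsistency {
    param([string[]]$Hosts)
    $report = @()
    foreach ($h in $Hosts) {
        try {
            $ip   = [System.Net.Dns]::GetHostAddresses($h)[0].IPAddressToString
            $back = [System.Net.Dns]::GetHostEntry($ip).HostName
            $ok   = ($back -ieq $h)
        } catch {
            $ip = '?'; $back = $_.Exception.Message; $ok = $false
        }
        $report += "$h -> $ip -> $back : $(if ($ok) { 'OK' } else { 'MISMATCH' })"
    }
    return $report
}
Test-ForwardReverseConsistency -Hosts @('rwdc01.domain01.local')
```

A MISMATCH for a domain controller usually means the PTR record was never created (new A records only get a PTR automatically when dynamic update is enabled for the reverse zone too), which in turn breaks reverse-lookup checks done by some services and logging.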
Active Directory Rights Management Services (AD RMS) is a service you can use to protect sensitive data on
a Windows network, such as word processing documents or spreadsheets, by controlling who can
open, modify or print a document, and even who can print or forward confidential email
messages. To configure and install the AD Rights Management Services role, refer to pages 204-205 of the
MOAC Lab Manual.