Microsoft Server 2008 Term Journal

Upload: rmluja0011

Post on 10-Nov-2014


Page 1: Server2008 Implementation

Microsoft Server 2008 Term Journal

Active Directory provides a centralized authentication service for Microsoft networks. Using Active Directory one can efficiently manage users, computers, groups, printers, applications and other directory-enabled objects. I'll be keeping a journal in conjunction with the MOAC Lab to document the installation and troubleshooting process of Active Directory on Windows Server 2008.

Windows Server 2008 system requirements:

Processor- Minimum 1GHZ (x86) or 1.4GHZ (x64)

Recommended- 2GHZ or faster

Memory- Minimum 512Mb RAM

Recommended- 2GHZ or faster

Drive- DVD-ROM

The group configured a total of four machines with Active Directory, all using the same:

Administrative Password: MSPress#1

Default Gateway: 192.168.0.1

Subnet Mask: 255.255.255.0

Machine #1- Configured as root Domain Controller

Domain Name: domain01.local

I.P. Address: 192.168.0.2

Comp Name: RWDC01


Machine #2- Configured as a Read Only Domain Controller

Domain Name: domain01.local

I.P. Address: 192.168.0.3

Comp Name: RODC01

Machine #3- Configured as a Re-Writeable Child Domain Controller

Domain Name: child02.domain01.local

I.P. Address: 192.168.0.5

Comp Name: RWDC02

Machine #4- Configured with Server 2008 Server Core

Domain Name: domain01.local

I.P. Address: 192.168.0.4

Comp Name: SCDC01

Exploring the Windows Server 2008 Interface

Modify basic server settings:

Installed Server 2008 on Machine #1, configured as our root Domain controller.

Log on as Administrator (Important to write down and save password)

Expand Initial Configuration Tasks window to full screen

Click Set Time Zone and select appropriate time zone, click OK


Click Enable Automatic Updating and Feedback, click Close

Click Window Automatic Update and click Close

Click Provide Computer Name and Domain, on computer name tab click change: RWDC01

Click OK to Restart

Log back on as Administrator, place a checkmark next to Do Not Show This Window at Logon

Click close and the Server Manager window is displayed automatically

Configure TCP/IP settings:

From the Server Manager window click View Network Connections

Right click on the Network Connection and select Properties

Click TCP/IPv4 and select Properties

Select, Use the following I.P. Address radio button; enter I.P. info for RWDC01 click OK

Log off

In the process of installing Server 2008 on machine #2, the group had issues with the machine not recognizing the optical drive. The group was able to locate an external drive, changed the boot order in the BIOS and the software was installed successfully.

Follow the same installation process as machine #1 (RWDC01) via the Initial Configuration Tasks window. The group named this Domain Controller RODC01. Next, we configure TCP/IP settings; enter the IP information for RODC01 and log off.

Follow the same installation process as machine #1 (RWDC01) via the Initial Configuration Tasks window for machine #3. The group named this Domain Controller RWDC02. Next, we configure TCP/IP settings; enter the IP information for RWDC02 and log off. Installed a final machine to run Windows Server 2008 Server Core. Configuring this machine was a little trickier than the other machines, in that the process is almost entirely command driven.

Log on as Administrator and the command window opens

Key timedate.cpl and press enter

Click Change Time Zone and select the appropriate time zone, click OK. Key hostname, press enter

Key netdom renamecomputer <currentname> /newname:SCDC01, key y and press enter

Key shutdown /r, press enter

Configuring a Static I.P. Address

From the command prompt key ipconfig /all, press enter

Key netsh, press enter

Key interface, press enter

Key ipv4, press enter

Key set address name="Local Area Connection" source=static address=192.168.0.4 mask=255.255.255.0 gateway=192.168.0.1 gwmetric=1 and press enter. Key ipconfig /all

Key netsh advfirewall set allprofiles settings remotemanagement enable to allow remote access to the server via the MMC

Log off

Installing the Active Directory Domain Services role:

Log on to RWDC01 as Administrator

Left pane of Server Manager, double click Roles

Click Active Directory Domain Services

Click Run the ADDS Installation Wizard

Place a checkmark next to Use Advanced Mode Installation and click Next

The OS compatibility window is displayed; read it and click Next. The Choose a Deployment Configuration window is displayed

Check the Create a New Domain in a New Forest radio button and click Next

Key domain01.local as the FQDN and click Next to accept the NetBIOS name. Select Windows Server 2003 from the Forest Functional Level drop-down box and click Next

Click Next to accept Windows Server 2003 as the Domain Functional Level, accept and continue

Key the Administration password and click Next

Review the installation choices and click Next to continue

Click Finish when prompted, click Restart Now

Verifying SRV Record Creation

Log on as Administrator to RWDC01, on command prompt key nslookup and press enter

Key set type=srv and press enter. Key _ldap._tcp.dc_msdcs.domain01.local and press enter

An error message appears, key exit and press enter

Creating User Accounts

Log on as Administrator on RWDC01

Click Start, Admin Tools, Active Directory Users and Computers. Click + next to domain01.local

Right click Users, select New and then select User. Create the name, click Next and create the password

Click Next, click Finish to create the user, close the console

Configure accounts with Administrative access to the forest root domain

Click Start, Admin Tools, Active Directory Users and Computers. Click + next to domain01.local

Right click Enterprise Admins and select Properties. Click the Members tab, click Add, key the name and OK

Installing a child domain

First step is to configure computer to perform DNS resolution:

Log on to RWDC02 as Administrator, click View Network Connections. Right click the network connection and select Properties. Click TCP/IPv4 and select Properties

Select the Use the Following DNS Server Addresses radio button. Enter the info for the writeable domain controller that's configured for domain01.local. Click OK to save and log off

Configure the RWDC02 Computer as the First DC in the child02.domain01.local Child Domain in the domain01.local Active Directory Forest

Log on as Administrator on RWDC02

In the left pane of Server Manager, double click Roles; in the right pane you will see the number of roles installed on this server and the names of those roles.

Click ADDS, click Run the ADDS Installation Wizard, place a checkmark next to Use Advanced Mode Installation and click Next

Read the info, click Next. Click the Existing Forest radio button and then select Create a New Domain in an Existing Forest

Click Next; in the Type the Name of Any Domain in the Forest Where You Plan to Install this Domain Controller text box, key domain01.local

Click Set to Specify an Alternate Set of Credentials to create the child domain

Key the name and the password for the account, then OK. Click Next

In the FQDN of the Parent Domain text box, key domain01.local. In the Single-label DNS Name of Child Domain text box, key child02. Click Next 4x's

Place a checkmark next to Global Catalog and DNS Server and click Next, Yes on the wizard warning


Click next 2x’s, key Admin password then next. Review installation choices and click next

Click finish and click Restart Now

Creating an Administrative account in the child domain

Log on to RWDC02 as the Administrator account of the forest root domain

Click Start, Admin Tools, Active Directory Users and Computers, then click + next to child02.domain01.local

Click the Users container, right click Users, select New and select User

In the Full Name and User Logon Name fields key child02name, then Next, password and confirm password. Review the selections and click Finish to create the user account

Click + next to domain01.local, click the Users container, right click Domain Admins and select Properties

Click the Members tab, click Add; the Enter Object Names to Select window is displayed. Key child02name and click OK

Verifying Child Domain SRV Records

Log on to RWDC02 as Administrator; click Start, Admin Tools, DNS Management

Click + next to the server name, click Forward Lookup Zones, click domain01.local, click child02.domain01.local, click _msdcs, and then click dc

Click _tcp in the left pane; in the right pane double click _ldap

Close the DNS Management console and log off


Verifying LDAP Records for the child domain using nslookup

Log on to RWDC02 as Administrator

Open the command prompt, key nslookup, press enter. Key set type=srv, press enter

Key _ldap._tcp.dc_msdcs.child02.domain01.local and press enter

A summary output is displayed, key exit and press enter

Close command prompt and Log off
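The SRV checks above (nslookup on RWDC01 for domain01.local and on RWDC02 for child02.domain01.local, plus the DNS Management walk through _msdcs) can be scripted. This is an added example, not code from the journal or the MOAC lab manual: it lists the DC-locator owner names a writeable DC registers (a standard subset of what netlogon publishes, using the dc._msdcs label), parses the text nslookup prints after `set type=srv`, and reports which expected names got no answer. The nslookup transcript it runs on is constructed, not captured from the lab machines.

```python
"""Check DC-locator SRV records from nslookup output.

Added example, not part of the journal or the MOAC lab manual. It builds the
SRV owner names a DC registers for its domain, parses what nslookup prints
after `set type=srv`, and reports the expected names that got no answer.
The nslookup session below is constructed, not captured in the lab.
"""
import re

# Domain-wide names every writeable DC registers.
DOMAIN_SRV_TEMPLATES = (
    "_ldap._tcp.{domain}",
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_kpasswd._tcp.{domain}",
)
# Site-specific names, published under the site the DC belongs to.
SITE_SRV_TEMPLATES = (
    "_ldap._tcp.{site}._sites.{domain}",
    "_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
    "_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
)

SRV_HEADER = re.compile(r"^(\S+)\s+SRV service location:")
SRV_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)")
ADDR_LINE = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)")
NOT_FOUND = re.compile(r"can't find (\S+?):")


def expected_srv_names(domain, site=None):
    """Owner names the DC locator expects for domain (and site, if given)."""
    names = [t.format(domain=domain) for t in DOMAIN_SRV_TEMPLATES]
    if site:
        names += [t.format(domain=domain, site=site) for t in SITE_SRV_TEMPLATES]
    return [n.lower() for n in names]


def parse_nslookup_srv(text):
    """Map each queried owner name to its list of SRV answers.

    A name nslookup reported as non-existent maps to an empty list, so the
    caller can tell "queried, no record" apart from "never queried".
    """
    records, addresses, current = {}, {}, None
    for line in text.splitlines():
        m = SRV_HEADER.match(line)
        if m:
            current = {"priority": None, "weight": None, "port": None, "target": None}
            records.setdefault(m.group(1).lower(), []).append(current)
            continue
        m = NOT_FOUND.search(line)
        if m:
            records.setdefault(m.group(1).lower(), [])
            current = None
            continue
        m = SRV_FIELD.match(line)
        if m and current is not None:
            key, value = m.groups()
            if key == "svr hostname":
                current["target"] = value.lower()
            else:
                current[key] = int(value)
            continue
        m = ADDR_LINE.match(line)
        if m:
            addresses[m.group(1).lower()] = m.group(2)
    # Attach the glue A record nslookup prints after the answers, if any.
    for answers in records.values():
        for rec in answers:
            rec["address"] = addresses.get(rec["target"])
    return records


def missing_srv_names(text, domain, site=None):
    """Expected owner names that had no SRV answer in the nslookup output."""
    found = parse_nslookup_srv(text)
    return [n for n in expected_srv_names(domain, site) if not found.get(n)]


# Constructed nslookup session against RWDC01 (not captured from the lab).
SAMPLE_NSLOOKUP = """\
> _ldap._tcp.dc._msdcs.domain01.local
_ldap._tcp.dc._msdcs.domain01.local     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = rwdc01.domain01.local
_ldap._tcp.dc._msdcs.domain01.local     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = scdc01.domain01.local
rwdc01.domain01.local   internet address = 192.168.0.2
scdc01.domain01.local   internet address = 192.168.0.4
> _kpasswd._tcp.domain01.local
*** rwdc01.domain01.local can't find _kpasswd._tcp.domain01.local: Non-existent domain
"""
```

Feed it the saved output of an nslookup session that queried each name in `expected_srv_names()`; a name absent from the output is reported as missing just like one nslookup could not find.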

Create a Local Administrator for the Read-Only DC in the Forest Root Domain

Log on to RWDC01, username

Click start, Admin Tools, Active Directory Users and Computers

Click + next to domain01.local, click the Users container, right click Users, select New, select User

In the Full Name and User Log on fields key RODCadminxx, click Next to continue

Enter Password to be used, click Next. Review selections and click Finish to create account

Configure a Read-Only DC in the Forest Root Domain

Log on to RODC01 as Administrator

Click View Network Connections, right click Network Connections and select Properties

Click TCP/IPv4 and select Properties. Select the Use the Following DNS Server Addresses radio button. In the Preferred DNS Server text box enter the IP address of the writeable DC that is configured as the Domain Controller for domain01.local (192.168.0.2)

Click OK 2x's to save

In the left pane of Server Manager, double click Roles. Click Add Roles, Next to bypass the window

Place a checkmark next to Active Directory Domain Services, click Next, read the info and click Next

Read the info, click Install and click Close this Wizard and Launch the ADDS Installation Wizard

Place a checkmark next to Use Advanced Mode Installation and click Next, read the info, click Next

Click the Existing Forest radio button and click Add a Domain Controller to an Existing Domain and click Next. In the Type the Name of Any Domain in the Forest Where You Plan to Install this Domain Controller text box, key domain01.local

Click Set to Specify an Alternate Set of Credentials to Add the New Domain Controller

Key namexx and the password for this account and click OK, select the domain01.local domain, Next

Place a checkmark next to RODC and click Next, click Yes on the wizard warnings, confirm

Click Set to Specify a Local Administrator for the RODC that does not have Administrative Permissions within AD. Key RODCadminxx and click OK

Accept the default selections and click Next, key the password, click Next, review and click Finish


Confirm Local Administrator Functionality on the Forest Root Read-Only DC

Log on to RODC01 as Administrator (the username will be rodcadminxx)

Start, Admin Tools, Event Viewer; when you receive the UAC prompt click Continue

Click Windows Logs and then click Security, close the Event Viewer

Start, Admin Tools, Active Directory Users and Computers, click OK

Browse as needed to select domain01.local and then click Users, right click Administrator and click Reset Password, enter the new password, click OK, click Cancel, close the AD Users and Computers console

Configure a Server Core Domain Controller in the Forest Root Domain

Log on to SCDC01 as Administrator; in the command prompt key netsh interface ipv4 set dnsservers name="SCDC01" static 192.168.0.2 primary, press enter, key ipconfig /all

Key notepad and press enter. Refer to page 42 of the MOAC Lab Manual to create an unattended configuration file for the dcpromo process in Notepad. Save the file as c:\unattend.txt and close Notepad, key dcpromo /unattend:c:\unattend.txt then press Enter

Working with Active Directory Sites

The AD replication process is used to communicate changes from one domain controller to all other domain controllers in a domain or forest. Intrasite replication takes place within the same site and transmits changes as soon as they occur. Intersite replication is scheduled, every 15 min. by default. AD will designate a bridgehead server in each site to act as a gatekeeper in managing site-to-site replication.

Replications Management (Forcing Replication)

Log on to RWDC01 as Administrator

Open the Active Directory Sites and Services MMC snap-in: click Start, click Administrative Tools, and then click Active Directory Sites and Services

In the left pane, expand the Sites folder, then expand Default-First-Site-Name

Click the Servers folder, expand the icon for the server that you are using. In the left pane, click NTDS Settings. In the right pane, select the replication connection that has been configured for your server. Right click the connection and then click Replicate Now. A Replicate Now message box is displayed, indicating Active Directory has replicated the connection.

Click OK and close the Active Directory Sites and Services console

Managing Connections Objects

Open the AD Sites and Services console. In the left pane expand the Sites folder and then expand Default-First-Site-Name

Expand the Servers folder, and then expand the computer name of the server that you are using. In the left console pane, click NTDS Settings

Right click NTDS Settings, and then New Active Directory Domain Services Connection. The Find Domain Controllers dialog box is displayed

Select the name from the list of computer names displayed in the search results pane; click OK. An AD message box is displayed indicating that there is already a connection and asking if you want to create another connection. Click Yes; a New Object-Connection dialog box is displayed

To accept the default setting, click OK. The new connection is created. Two connections should be displayed: the automatically generated connection and the manually generated connection

In the right pane, right click the manually created connection and click Delete; an AD message box is displayed, click Yes to confirm that you want to delete the connection object

Identifying the Global Catalog

In the Active Directory Sites and Services console's left pane, right click NTDS Settings and then click Properties; on the General tab, you can see that the Global Catalog checkbox is selected

Creating a new site

Log on to RWDC01 as Administrator, open the AD Sites and Services console

In the left pane, right click Sites and then click New Site. The New Object-Site dialog box is displayed

In the Name text box, key MainSite, click DEFAULTIPSITELINK and then click OK. A message box is displayed, indicating that you must complete additional steps to configure the site; click OK

The group also configured a new site, following the same steps, with RWDC02 and named it BranchSite.

Renamed Default-First-Site-Name to HQ by right-clicking on the site and selecting Rename

Creating a Subnet Object

Log on to RWDC01 as Administrator, open Active Directory Sites and Services console

In the left pane, right click Subnets and then click New Subnet. The New Object-Subnet dialog box is displayed. Key 192.168.x.0/24 in the Prefix text box, in the Site Name portion click MainSite and click OK

The group also created a Subnet object for RWDC02 for the site named BranchSite

Moving Computers to the Appropriate Site

Log on to RWDC01 as Administrator, open the Active Directory Sites and Services console. Verify that the default site was renamed to HQ. In the left pane, expand the HQ site and then expand the Servers folder

Right click RWDC01, then click Move. The Move Server dialog box is displayed; click MainSite, OK

In the left pane, expand MainSite, expand the Servers object below MainSite. You should see the 01 computer object

Try to force replication using the connection object of the 01 computer; you should also see a message indicating that these servers are in different sites. Click OK

Right click RWDC02 and then click Move. The Move Server dialog box is displayed; click BranchSite, click OK

In the left pane, expand BranchSite and then expand the Servers folder. You should see the 02 computer object

Creating a Site Link Object from the RWDC02 computer

For replication to take place between RWDC01 and RWDC02 in separate sites, you must create a site link object between these sites

Log on to RWDC02 using the Domainxx\name account in the domain01.local domain. Open the Active Directory Sites and Services console

In the left pane, expand the Inter-Site Transports folder. Right click IP, click New Site Link. The New Object-Site Link dialog box is displayed

In the Name text box, key EvenLink. In the Sites Not In This Site Link box, click MainSite and then click Add

In the Sites Not In This Site Link box, click BranchSite and then click Add, OK to save changes

The group also created a Site Link object from RWDC01 named OddLink

The group also followed the POST-LAB CLEANUP portion of the lab, pg. 66 of the MOAC Lab Manual

Windows Server 2008 provides tools to allow for problem discovery, diagnosis and resolution, i.e. the event logs in Event Viewer. Dcdiag and repadmin can both be run from the command line. Dcdiag can report DNS registration problems, analyze the permissions required for replication, and the state of DCs within the forest. Repadmin can view the replication topology, force replication and view the replication metadata (actual data and USN info)
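One practical way to use the repadmin output described above is to run `repadmin /showrepl * /csv` on a schedule and flag partners that are failing or have not synced recently. This is an added example, not code from the journal: it reads repadmin's CSV by column name, and the sample rows, the one-hour staleness threshold and the assumed column names are this example's own, with rows constructed to resemble the lab's four DCs rather than captured from them.

```python
"""Summarise `repadmin /showrepl * /csv` output.

Added example, not part of the journal. repadmin's /csv switch writes one row
per inbound replication partner and naming context, with a header row naming
the columns, so the rows are read by column name. The sample rows below are
constructed to resemble the lab's DCs, not captured from them.
"""
import csv
import io
from datetime import datetime

REPADMIN_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_repadmin_time(value):
    """repadmin prints a timestamp, or 0 when the event never happened."""
    try:
        return datetime.strptime((value or "").strip(), REPADMIN_TIME_FORMAT)
    except ValueError:
        return None


def find_replication_problems(csv_text, now, max_age_hours=1):
    """Return partners with failures or without a recent successful sync.

    max_age_hours is this example's own threshold: intrasite replication is
    immediate and the journal's intersite schedule is 15 min., so an hour
    without a success on any link deserves a look.
    """
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            failures = int(row.get("Number of Failures") or 0)
        except ValueError:
            failures = 0
        last_ok = parse_repadmin_time(row.get("Last Success Time"))
        reasons = []
        if failures:
            reasons.append("%d consecutive failures, last status %s"
                           % (failures, row.get("Last Failure Status")))
        if last_ok is None:
            reasons.append("never replicated successfully")
        elif (now - last_ok).total_seconds() > max_age_hours * 3600:
            reasons.append("last success %s ago" % (now - last_ok))
        if reasons:
            problems.append({
                "destination": row["Destination DSA"],
                "source": row["Source DSA"],
                "naming_context": row["Naming Context"],
                "reasons": reasons,
            })
    return problems


# Constructed sample in repadmin's CSV layout; status 1722 is "RPC server unavailable".
SAMPLE_SHOWREPL = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,RODC01,"DC=domain01,DC=local",MainSite,RWDC01,RPC,3,2014-11-10 09:02:10,2014-11-09 21:40:05,1722
showrepl_INFO,BranchSite,RWDC02,"CN=Configuration,DC=domain01,DC=local",MainSite,RWDC01,RPC,0,0,2014-11-10 09:45:00,0
showrepl_INFO,MainSite,RWDC01,"DC=domain01,DC=local",HQ,SCDC01,RPC,0,0,0,0
"""
SAMPLE_NOW = datetime(2014, 11, 10, 10, 0, 0)

if __name__ == "__main__":
    for p in find_replication_problems(SAMPLE_SHOWREPL, SAMPLE_NOW):
        print("%s <- %s (%s): %s" % (p["destination"], p["source"],
                                     p["naming_context"], "; ".join(p["reasons"])))
```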

Global Catalog and FSMO Roles

The Global Catalog has four functions: facilitate searches for objects in the forest, resolve UPNs, maintain universal group membership info and maintain a copy of all objects in the domain. For sites that do not have a global catalog server available, a feature called universal group membership caching is used. It eliminates the need to place a global catalog in a remote location and maximizes resources.

Raise the Parent Domain Functional Level

Log on to RWDC01 as Administrator, open the Active Directory Domains and Trusts console

Right click the domain01.local node, click Raise Domain Functional Level. The Raise Domain Functional Level dialog box is displayed

From the drop-down, select Windows Server 2008 and then click Raise, read the message and confirm

A second message is displayed indicating that the domain functional level has been raised

The group also raised the functional level of the child domain following the same steps

Raise the Forest Functional Level

Log on to RWDC01 as Administrator, Open Active Directory Domains And Trusts console

Right click the top-level node ADDAT (RWDC01.domain01.local) and then click Raise Forest Functional Level; the dialog box is displayed

In the drop-down selection box click Windows Server 2008 and then click Raise, read the message, then confirm; a second message is displayed, click OK

Enabling Universal Group Membership Caching

Log on to RWDC01 as Administrator, Open the Active Directory Sites And Services console

In the left pane, click Sites and then click Default-First-Site-Name. Right click NTDS Site Settings and click Properties. Place a checkmark next to Enable Universal Group Membership Caching and click OK, force AD replication

Working with Flexible Single Master Operation Roles

Viewing Operations Masters

First, determine which server holds the schema operations master role

On RWDC02 log on as Administrator, click Start, key ntdsutil, key roles, key connections, key connect to server RWDC01.domain01.local and press enter

Key quit, key select operation target, key list roles for connected server, review the output: what FSMO roles are assigned to RWDC01?

Key quit, key connections, key connect to server RWDC02.child02.domain01.local and press enter, key quit, key select operation target, key list roles for connected server and press enter


Key quit and close the command-prompt window and log off

Transferring the Schema Master to a Different Domain Controller

Log on to RWDC01 as Administrator, click Start, key ntdsutil and press enter

Key roles, key connections, key connect to server RWDC02.child02.domain01.local and press enter. Key quit, key transfer schema master, confirm by clicking Yes. Review the output of the ntdsutil window to confirm that RWDC02 is now listed as the schema operations master

Close command-prompt and log off

Group transferred schema master roles back to RWDC01

There are a total of five FSMO roles. Three are domain specific: the Relative Identifier Master, responsible for assigning relative identifiers to domain controllers in the domain; the Infrastructure Master, responsible for reference updates from its domain to other domains; and the Primary Domain Controller Emulator, which manages password changes, account lockouts and time synchronization. The two forest-wide roles are the Domain Naming Master, which has the authority to manage the creation and deletion of domains, domain trees and application data partitions in the forest, and the Schema Master, which is responsible for managing changes to the AD schema

Creating Administrative Accounts

In this unit the group performed some of the most common administrative tasks when working with AD: created administrative user accounts, changed group memberships, and created global and universal groups to assign permissions to user accounts

Create an account to the Parent Domain

Log on to the Forest Domain as default domain administrator (domain01.local/administrator)

Open the AD Users and Computers MMC Snap-in, expand object domain01.local

Right click Users, New then User, create new user named DomAdmin with default password

Make sure that the Users container is selected in the right pane of AD Users and Computers

Right click DomAdmin for Properties, click the Member Of tab, click Add, key Domain Admins in the Object Names box

In DomAdmin Properties, click Domain Admins in the Member Of list and make Domain Admins the primary group. Click Domain Users in the Member Of selection box and click Remove to make Domain Admins the only group membership for this user account. Repeated the same process to create two additional accounts named SchAdmin (member of the Schema Admins group) and EntAdmin (member of the Enterprise Admins group)

Creating Administrative Accounts on the Child Domain

Log on to the Child Domain with the username Administrator and the default password, open the AD Users and Computers MMC snap-in. Expand child01.domain01.local, right click Users, click New

Create a new user account named DomAdmins, verify that DomAdmins is part of the Domain Admins group (refer to the manual). Created two additional accounts named SchAdmin and EntAdmin; didn't configure membership at this time

Adding Child User Accounts to Enterprise-wide Administrative Roles

Log on to the Child Domain as the default Domain Administrator, open AD Users and Computers

Expand domain01.local, select the Users container, right click the Enterprise Admins group, click Properties, click the Members tab and click Add. Click Locations and expand the domain01 object, expand the child01.domain01 domain. Click Users under the child domain and key EntAdmin, check the name and make sure that the EntAdmin user from the child domain is displayed and underlined

Repeat the steps to add the SchAdmin user account from the child01 domain to the Schema Admins group on the parent domain

Allowing Users to Log On to Domain Controllers

Typically you wouldn't want to grant Users permission to log on to the Domain Controller; this is done for testing purposes

Under the Group Policy Management Console, expand the tree until you find Domain Controllers, right-click the Default Domain Controllers Policy and click Edit. Expand Computer Configuration, expand Policies, expand Windows Settings, Security Settings, Local Policies and click User Rights Assignment. Double click the Allow Log On Locally policy object, check the box for Define These Policy Settings. Click Add User or Group, key Administrators, key Users in the User and Group Names text box. Click OK again in the Allow Log On Locally Properties dialog box.

Determine Which Account Can Create Sites, Users and Attributes

The group followed the Lab Manual for Project 5.2, Testing Administrative Access, to test the capabilities of each user account created in the previous projects. After completing the project the conclusion was that the EntAdmin account was able to create sites, users and attributes. The DomAdmin account was able to create sites and not sites or attributes. SchAdmin was able to add attributes and not able to add users, groups or sites.

Creating Global and Universal Group

Logged on to the parent and child domains, created a Global group named LAdmin01 for the parent and LAdmin02 for the child. Next we added LAdmin01 and LAdmin02 to a Universal Group, granting Administrator privileges. Next we created users named LocalAdmin01 and LocalAdmin02 in the Parent and Child Domains and made them part of the LAdmin groups (page 97 of the MOAC Lab Manual)

Employing Security Concepts

Using Naming Standards and Secure Passwords

The group created a user account on the Root Domain using the Naming Standard, mapping the full name Reed Koch to RKoch01 with the default password, and made sure that User Must Change Password at Next Logon is not selected. Also created a user account on the Child Domain using the Naming Standard, mapping the full name Brannon Jones to BJones02

Employing Administrator Account Security

Refer to pages 107-109 of the MOAC Lab Manual for the various methods of using the runas utility from the command prompt and as a shortcut, reducing the exposure of administrative accounts

Delegating Administrative Responsibility

Delegating Control on the Parent Domain

Log on to RWDC01 as the default administrator, open a command-prompt window (refer to pg. 109 for the commands to create user accounts), open the AD Users and Computers console. Right-click the domain01.local object, click New, Organizational Unit, key Mgmt1 and OK

Right-click Mgmt1 and click Delegate Control. The Delegation of Control Wizard is displayed; click Next. On the Users or Groups page, click Add, select Users, key Manager in the Object Names box and click OK to check names. On the Users or Groups page, click Next. The Tasks to Delegate page is displayed. Move the User1 account from the Users container to the Mgmt1 OU (click and drag), open a command prompt (refer to pg. 110 for commands)

In the left pane of AD Users and Computers, select Mgmt1 and make sure User1 and User2 are displayed.

Delegating control on the Child Domain is the same process. The group created User3 and User4 and created an OU with the name Mgmt2. Then we moved User3 and User4 to the OU Mgmt2. We also tested delegated permissions on the Parent and Child Domain; in order to delete users from the OU the delegated user must have the proper credentials.

Configuring the Local Computer Policy

Group Policy is a method of controlling settings across the network. You can configure one or more GPOs within a domain and then use a process called linking, which applies these settings to various containers within AD

Removing the Child Domain

Log on as Administrator and, using Notepad, create a file called c:\demote.txt (refer to page 121 for the information the file must contain). Open a command-prompt window, key dcpromo /answer:"c:\demote.txt" and press enter; after the domain controller is demoted, it will reboot automatically. Log back on to RWDC02 as Administrator, open Server Manager, browse to Computer Information and click Change System Properties. On the Computer Name tab, click Change. Click More and remove the child02.domain01.local primary DNS suffix. Browse to Roles Summary and click Remove Roles, restart the computer.

Confirm that the computer is configured to use the IP address of RWDC01 as its primary DNS server

The group also configured the Child Domain to Remove the Properties Option When Right-Clicking My Computer via gpedit.msc (the Group Policy Object Editor), pg. 122

Configure the Computer Properties Context Menu Setting On The Domain

Log on to RWDC01 as Administrator, open the Group Policy Management Console from the Admin Tools folder. Drill down to the Group Policy Objects node

Right-click Default Domain Policy and click Edit. Under User Configuration, click Policies and click Admin Templates, Desktop node. In the right window, double click the Remove Properties from the Computer Icon Context Menu setting, click Disable and OK

Create Domain Users for Testing

Under the AD Users and Computers console, the group created a user account named L7DomUser in the Users container of domain01.local, and created a new top-level OU named L7Test1

Created a user account in the L7Test1 OU named L7Test1User

Created GPO Links for the Domain

Log on to RWDC01 as Administrator, open the GP Management Console from the Admin Tools folder, drill down to the domain01 node. Right-click the domain01 node and select Create a GPO in This Domain and Link It Here, name the new GPO (RemoveHelp1) and press enter

Navigate to the Group Policy Objects node, right-click the RemoveHelp1 GPO and click Edit

Browse to User Configuration, click Policies, click the Admin Templates node, select the Start Menu and Taskbar object. In the right pane, double-click the Remove Help Menu From Start Menu setting

Select the Enabled radio button, close the GP Management Editor, right-click the domain01 node and select Create a GPO in This Domain and Link It Here, name the new GPO (RemoveSearch01), enter. Repeat the steps to enable the Remove Search Link From Start Menu setting for the new GPO

Create GPO Links for an OU

Open the GP Management Console, drill down to the L7Test1 OU and select Create a GPO in This Domain and Link It Here, name the new GPO AddHelp1 and press enter

Repeat the previous steps to disable the Remove Help Menu From Start Menu setting in the AddHelp1 GPO (close the GP Management Editor). Create and link another GPO to the L7Test1 OU named RemoveComputerProperties2. Enable the RPFTCICM setting in the RemoveComputerProperties2 GPO. Close the GP Management Editor and Console

Group tested the results

Using Block Policy Inheritance and Enforce

The group deleted the two GPO links from the L7Test1 OU. On RWDC01, drill down to the L7Test1 OU, right-click it and click Block Inheritance. Open the Group Policy Management Console from Administrative Tools, drill down to the domain01 node, right-click the Default Domain Policy GPO link and click Enforced. Inheritance can be altered using the Enforced and Block Inheritance settings: a blocked OU ignores GPOs linked above it, except for links marked Enforced, which apply through the block.

Using Group Policy Loopback Processing

Create a new top-level OU named L7Test2 in domain01.local. In the left pane, click the Computers container, right-click RWDC02 and click Move, select the L7Test2 OU and click OK. Open the Group Policy Management Console from the Administrative Tools folder, drill down to the L7Test2 node, right-click it and select Create A GPO In This Domain, And Link It Here. Name the newly created GPO DisableCP and navigate to the Group Policy Objects node. Right-click DisableCP and click Edit, drill down to User Configuration, click Policies, click Administrative Templates and then Control Panel, and enable the Prohibit Access To The Control Panel setting.

Still editing the DisableCP GPO, navigate to Computer Configuration, click Policies, click Administrative Templates, click System and then Group Policy. Enable the User Group Policy Loopback Processing Mode setting and leave the drop-down box set to Replace. Close the Group Policy Management Editor.
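The same Lesson 7 work (domain and OU GPO links, Block Inheritance and Enforced, loopback processing) scripted with the GroupPolicy PowerShell module, as an added example that is not part of the journal. It assumes Windows Server 2008 R2 or later, where that module exists (on the original Server 2008 the GUI steps above are the route), and that the OUs L7Test1 and L7Test2 already exist; the registry values are the ones the named Administrative Template settings write.

```powershell
# Added example, not the journal's own steps. Assumes Server 2008 R2+
# (GroupPolicy module) and existing OUs L7Test1 / L7Test2 in domain01.local.
Import-Module GroupPolicy

$domainDN = 'DC=domain01,DC=local'
$ou1      = "OU=L7Test1,$domainDN"
$ou2      = "OU=L7Test2,$domainDN"
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Create a GPO, link it to a container and set one Explorer policy value.
# NoSMHelp = Remove Help Menu From Start Menu, NoFind = Remove Search Link
# From Start Menu, NoPropertiesMyComputer = Remove Properties From The
# Computer Icon Context Menu, NoControlPanel = Prohibit Access To The
# Control Panel. Value 1 = Enabled, 0 = Disabled.
function New-LinkedExplorerPolicy {
    param([string]$Name, [string]$Target, [string]$ValueName, [int]$Value)
    $null = New-GPO -Name $Name
    $null = New-GPLink -Name $Name -Target $Target -LinkEnabled Yes
    $null = Set-GPRegistryValue -Name $Name -Key $explorer `
        -ValueName $ValueName -Type DWord -Value $Value
}

# Domain-level GPOs
New-LinkedExplorerPolicy 'RemoveHelp1'    $domainDN 'NoSMHelp' 1
New-LinkedExplorerPolicy 'RemoveSearch01' $domainDN 'NoFind'   1

# OU-level GPOs: AddHelp1 sets the Help setting to Disabled for L7Test1
# only; RemoveComputerProperties2 enables the context-menu restriction there
New-LinkedExplorerPolicy 'AddHelp1' $ou1 'NoSMHelp' 0
New-LinkedExplorerPolicy 'RemoveComputerProperties2' $ou1 'NoPropertiesMyComputer' 1

# Block Inheritance on the OU, then Enforce the Default Domain Policy link
# so that GPO still applies through the block
$null = Set-GPInheritance -Target $ou1 -IsBlocked Yes
$null = Set-GPLink -Name 'Default Domain Policy' -Target $domainDN -Enforced Yes

# Loopback processing for the computers in L7Test2: the user-side DisableCP
# setting plus UserPolicyMode under the System policy key (2 = Replace,
# 1 = Merge)
New-LinkedExplorerPolicy 'DisableCP' $ou2 'NoControlPanel' 1
$null = Set-GPRegistryValue -Name 'DisableCP' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# Check the OU's effective link list and inheritance state before testing
Get-GPInheritance -Target $ou1 | Format-List GpoInheritanceBlocked, GpoLinks, InheritedGpoLinks
```

After running this, gpupdate /force on a client in L7Test1 followed by gpresult /r shows which of the links actually won.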

Managing Users and Computers with Group Policy

To configure a domain-wide password policy, browse to Computer Configuration, Policies, Windows Settings, Security Settings, Account Policies, Password Policy. To configure a domain-wide lockout policy, drill down to Account Policies under Computer Configuration and configure the Account Lockout Threshold setting for invalid logon attempts. Audit Policy allows administrators to log successful and failed security events and can be used to track user and system activities.
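A check of the domain-wide password, lockout and logon audit settings described above against a stated baseline, as an added example that is not part of the journal. It assumes the ActiveDirectory module (Server 2008 R2 or later) on a DC; the baseline numbers are assumptions for this example, not values from the lab.

```powershell
# Added example, not from the journal. Baseline values are assumptions.
Import-Module ActiveDirectory

$baseline = @{
    MinPasswordLength = 8
    LockoutThreshold  = 5                              # invalid logon attempts
    LockoutDuration   = [TimeSpan]::FromMinutes(30)
    ComplexityEnabled = $true
}

# Compare the effective default domain password policy with the baseline
# and return one finding per weak setting (empty list = compliant)
function Test-DomainAccountPolicy {
    param([string]$Domain = 'domain01.local')
    $policy   = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()
    if ($policy.MinPasswordLength -lt $baseline.MinPasswordLength) {
        $findings += "MinPasswordLength $($policy.MinPasswordLength) below $($baseline.MinPasswordLength)"
    }
    # A threshold of 0 means accounts are never locked out
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $baseline.LockoutThreshold) {
        $findings += "LockoutThreshold $($policy.LockoutThreshold) (baseline $($baseline.LockoutThreshold))"
    }
    if ($policy.LockoutDuration -lt $baseline.LockoutDuration) {
        $findings += "LockoutDuration $($policy.LockoutDuration) below $($baseline.LockoutDuration)"
    }
    if (-not $policy.ComplexityEnabled) { $findings += 'Password complexity disabled' }
    return $findings
}

# Audit settings are not part of the password policy object; auditpol
# (built into Server 2008) shows the effective Logon subcategory on this DC,
# which should report "Success and Failure" for lockout investigations
function Get-LogonAuditSetting {
    auditpol /get /category:"Logon/Logoff" | Where-Object { $_ -match '^\s+Logon\s' }
}

$f = Test-DomainAccountPolicy
if ($f.Count -eq 0) { 'Domain account policy meets baseline' } else { $f }
Get-LogonAuditSetting
```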

Configure Folder Redirection and Disk Quotas

Folder Redirection provides the administrator with the ability to redirect the contents of certain folders to a network location. The group created a new folder on the C:\ drive named Lab8MyDocs1, created a new GPO named Redirect1 and linked it to the Marketing OU. Drilled down to Folder Redirection while editing the GPO and ensured that the Target Folder Location is Create A Folder For Each User Under The Root Path, keying in the proper DC and the folder name as the root path. Disk quotas can be used to limit the amount of space available on the server for user data. The group created and linked a new GPO named DiskQuota1, opened the Group Policy Editor, drilled down to Disk Quotas and enabled disk quotas with a limit of 512 KB (pg. 145). The group also learned how to use gpupdate, a command-line tool used to manually force a Group Policy update.

Software Distribution

Preparing the Distribution share

Windows Installer-enabled applications must be used to install software through Group Policy. There are two ways to deploy software: assigning or publishing. When an application is assigned to a user, the application is advertised on the Start menu of the user's workstation. When an application is published, it is advertised in Add Or Remove Programs in the Control Panel.

Insert the Windows Server 2008 CD and create a folder named C:\MSI, right-click it and click Share. Key in Everyone to share it on the network, click Share and close. Copy the contents of the \upgrade\netfx folder on the Windows Server 2008 CD-ROM into the MSI folder.

The group created a new GPO named SoftDist1 and, under User Configuration, Policies, Software Settings, right-clicked Software Installation. For the file name, keyed in the share path \\rwdc01\msi, selected Netfx and deployed the software as Published. Click Categories, select the Development Tools category to move it into the Selected Categories list and click OK to close.


To assign software, drill down to Forest, Domains, edit the GPO and go to User Configuration, Policies, Software Settings, Software Installation. Right-click Microsoft .NET Framework 1.1, then Properties. Under Deployment, select Assigned.

Using Software Restriction Policies

Drill down to User Configuration, Policies, Windows Settings, Security Settings, Software Restriction Policies. Browse for the file to be restricted under New Path Rule. The group restricted Internet Explorer from the Desktop for testing purposes. The group also found a way around this restriction: copying the file from its folder and pasting it to the Desktop, since a path rule only matches the location it names. To fully prevent the user from accessing the file, select New Hash Rule instead, which identifies the file by its contents rather than its path.

Controlling Group Policy

To meet the need for refined control over the application of Group Policies, two additional filtering methods can be used. Security group filtering uses the GPO's Security tab to determine which users and groups the policy applies to. WMI provides management information and control, allowing administrators to create queries based on hardware, software, OS and services. WMI filters can be used to control which users or computers will be affected by a GPO based on defined criteria.

Resultant Set of Policy (RSoP) is a tool used to assist administrators in determining the effects of policies. The RSoP wizard allows administrators to simulate policy effects prior to implementing them. GPResult is a feature in Group Policy Management that obtains RSoP information from the client computer to show the actual effects the policies have on the client computer and user environment.


To use the Resultant Set of Policy Wizard and the GPResult feature, refer to page 171 of the MOAC Lab manual.

To configure security group filtering, the group created an OU and a group called 10BGroup1 within it. Drill down to Forest, Domains, domain01.local, Group Policy Objects, select the GPO, highlight Authenticated Users and click Remove, then click Add to add 10BGroup1 and click OK. To create a WMI filter, refer to page 175 for the commands.
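The security group filtering and RSoP steps above done with the GroupPolicy module, as an added example that is not part of the journal. It assumes Server 2008 R2 or later, a GPO named Filtered1 (a hypothetical name; the journal does not name the GPO) and the 10BGroup1 group and L7DomUser account from the lab.

```powershell
# Added example, not from the journal. 'Filtered1' is a hypothetical GPO name.
Import-Module GroupPolicy

$gpoName = 'Filtered1'
$group   = '10BGroup1'

# Swap the default Authenticated Users Apply permission for the group.
# Caveat: keep Read for Authenticated Users rather than removing the entry
# outright. Since the MS16-072 change (June 2016) user policy is read in the
# computer's security context, and a GPO that Authenticated Users cannot
# read is not applied to anyone.
$null = Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
$null = Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply

# List every principal that can now apply the GPO (expect only 10BGroup1
# plus any inherited administrative entries)
function Get-GpoApplyPrincipals {
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}
Get-GpoApplyPrincipals $gpoName

# Logging-mode RSoP for a lab user on this computer, saved as HTML; the user
# must have logged on here at least once for this data to exist
Get-GPResultantSetOfPolicy -ReportType Html -Path 'C:\rsop-report.html' `
    -User 'domain01\L7DomUser' -Computer $env:COMPUTERNAME | Out-Null

# gpresult gives the same view at the command line
gpresult /user domain01\L7DomUser /r
```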

Disaster Recovery and Maintenance

The group configured three new user accounts on RWDC01 inside an Administration OU that was also created, naming the accounts Misty, Samantha and Denise. Simulated a replication delay by disabling the network connection, preventing replication. Created another OU named Accounting in the RWDC01 domain. On RWDC02 we created two new user accounts inside Accounting named Wedge and Wood, then deleted for testing purposes. Now re-enable the network connection on RWDC01 to allow the changes to replicate.

In the Active Directory Users and Computers console, ensure that the Advanced Features view option is enabled. In the left pane, click the LostAndFound container. This container should hold the user accounts that were created under the OU that was deleted on the other DC. To resolve the loss of the Administration OU, create a new Administration OU and then move the users from the LostAndFound container to the new one.

Performing a System State Data Backup

Installing the Windows Server Backup Feature and performing the System State Backup


In Server Manager, browse to Features and, in the right pane, click Add Features. Place a checkmark next to Windows PowerShell, Windows Server Backup Features - Windows Server Backup and Windows Server Backup Features - Command-line Tools, then close. To perform the backup: Administrative Tools, Windows Server Backup, click Action and then Backup Once. Click Next, then Custom, then Next. In the Backup Destination drop-down list, confirm that the second hard drive is selected. Read the description of the VSS copy backup and click Next to begin the backup process.

To perform an offline defragmentation of the AD database, refer to page 190 of the MOAC Lab Manual.
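The LostAndFound check and the System State backup described above as a script, an added example that is not part of the journal. It assumes the ActiveDirectory module (Server 2008 R2 or later); wbadmin itself is the Server 2008 command-line tool the journal installs, and the backup target E: is an assumption standing in for the lab's second hard drive.

```powershell
# Added example, not from the journal. E: is an assumed backup volume.
Import-Module ActiveDirectory

# Objects land in LostAndFound when their parent container (here the
# Administration OU) was deleted on one DC while they were created on
# another; lastKnownParent records where they came from
function Get-OrphanedDirectoryObjects {
    param([string]$DomainDN = 'DC=domain01,DC=local')
    Get-ADObject -SearchBase "CN=LostAndFound,$DomainDN" -SearchScope OneLevel `
        -Filter * -Properties whenCreated, lastKnownParent |
        Select-Object Name, ObjectClass, whenCreated, lastKnownParent
}

# Recreate the missing OU if needed and move the orphaned users back into it,
# the same fix the journal performs by hand
function Restore-OrphanedUsers {
    param([string]$OuName = 'Administration', [string]$DomainDN = 'DC=domain01,DC=local')
    $ouDN = "OU=$OuName,$DomainDN"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN)) {
        $null = New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
    }
    Get-ADObject -SearchBase "CN=LostAndFound,$DomainDN" -SearchScope OneLevel `
        -Filter 'objectClass -eq "user"' |
        ForEach-Object { Move-ADObject -Identity $_ -TargetPath $ouDN }
}

# System State backup (AD database, SYSVOL, registry, boot files) to a volume
# other than the one holding the database; fails loudly on a wbadmin error
function Start-SystemStateBackup {
    param([string]$Target = 'E:')
    wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
}

# Review the orphans first; restore and back up once the cause is understood
Get-OrphanedDirectoryObjects | Format-Table -AutoSize
```

A non-empty LostAndFound on a DC is worth an alert in its own right: it means two DCs disagreed about a container's existence, which is also what an unexpected or unauthorized deletion looks like.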

There are two ways to restore Active Directory: restoring through normal replication from other domain controllers that exist in the forest, and restoring AD using WBADMIN and NTDSUTIL. wbadmin is a command-line component used to perform a non-authoritative restore, which restores a single AD DC to its state as of the backup. NTDSUTIL is then used with that restore to mark certain database information as authoritative, or most current, so that the replication process will not overwrite this data.

Configuring Name Resolution and Additional Services

DNS is the primary means of name resolution for Active Directory as well as for the Internet and TCP/IP networks. TCP/IP communication is based on IP addresses; when you use a name instead of an address in an application, the computer must convert the name into the proper IP address. The name-to-address conversion is called name resolution, and DNS is the name resolution mechanism computers use for all Internet communications.


Creating a Reverse Lookup Zone

Click Start, Administrative Tools, DNS and drill down to the Forward Lookup Zones node. For this lab there was already a forward lookup zone. Drill down to the Reverse Lookup Zones node; there is no reverse lookup zone yet. To create one, right-click and select New Zone; the wizard is displayed. Click Primary Zone and place a checkmark next to Store The Zone In Active Directory. The AD Zone Replication Scope screen is displayed; accept the default selection and click Next. Select IPv4 Reverse Lookup Zone and click Next.

In a zone transfer the server hosting the primary zone copies the primary master zone database file to the secondary zone to make their resource records identical. This enables the secondary zone to perform authoritative name resolution for the domains in the zone, just as the primary does.

To create a secondary zone, right-click the Forward Lookup Zones node and select New Zone (page 203 of the MOAC Lab manual).
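The reverse lookup zone, a PTR record and the secondary zone created from the command line with dnscmd, as an added example that is not part of the journal. dnscmd ships with the Server 2008 DNS role (the DnsServer PowerShell module only arrived with Server 2012); the address and host names are the lab's, and the secondary-zone step is assumed to run on a second DNS server.

```powershell
# Added example, not from the journal. Run on RWDC01 (192.168.0.2), which
# hosts the domain01.local forward zone.
$reverseZone = '0.168.192.in-addr.arpa'   # 192.168.0.0/24, octets reversed

# AD-integrated primary zone in the domain partition, matching the wizard's
# "Store The Zone In Active Directory" with the default replication scope
dnscmd /ZoneAdd $reverseZone /DsPrimary /DP /domain

# PTR record: node '2' in the reverse zone maps 192.168.0.2 back to RWDC01
dnscmd /RecordAdd $reverseZone 2 PTR rwdc01.domain01.local.

# Secondary (read-only) copy of the forward zone, transferred from RWDC01.
# This line belongs on the second DNS server, not on RWDC01 itself:
#   dnscmd /ZoneAdd domain01.local /Secondary 192.168.0.2
# An AD-integrated zone only allows transfers to servers listed in its NS
# records unless the Zone Transfers tab says otherwise, so check that first.

# Verify: list the zones this server hosts, then resolve the address back
# to a name through the DC's own resolver
function Test-ReverseLookup {
    param([string]$Address = '192.168.0.2')
    return [System.Net.Dns]::GetHostEntry($Address).HostName
}
dnscmd /EnumZones
Test-ReverseLookup
```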

Active Directory Rights Management Services is a service you can use to protect sensitive data on a Windows network, such as word processing or spreadsheet documents, by controlling who can open, modify or print a document, and even who can print or forward confidential email messages. To configure and install the AD Rights Management Services role, refer to pages 204-205 of the MOAC Lab Manual.