Windows Server 2008 Directory Services Lab Manual

Microsoft Confidential - For Internal Use Only

DISCLAIMER THE CONTENTS OF THIS PACKAGE ARE FOR INFORMATIONAL AND TRAINING PURPOSES ONLY AND ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. BECAUSE TECHNICAL ISSUES AND MARKET CONDITIONS MAY REQUIRE CHANGES TO INFORMATION AND SOFTWARE INCLUDED IN THIS PACKAGE, MICROSOFT CORPORATION (“MICROSOFT®”), AND ITS SUPPLIERS, RESERVE THE RIGHT TO MAKE SUCH CHANGES WITHOUT NOTICE.

Terms of Use Microsoft Confidential - For Internal Use Only © 2008 Microsoft Corporation. All rights reserved. This content is proprietary and is intended only for use as described in the content provided in this document. No part of the text or software included in this training package may be reproduced or transmitted in any form or by any electronic or mechanical means, including photocopying, recording, or copying to any information storage and retrieval system, without express written permission from Microsoft. For more information about use of licensed and copyrighted materials, please visit the Use of Microsoft Copyrighted Content Web page at http://www.microsoft.com/about/legal/permissions/.

Trademarks Microsoft®, Internet Explorer, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

12/04/2008


Lab 1: Implementing Windows Server 2008

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. These materials are intended for distribution to and use only by Microsoft Premier Customers. Use or distribution of these materials by any other persons is prohibited without the express written permission of Microsoft Corporation. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

©2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Version 1.0

During this lab, you will be introduced to Server Manager and some of the functions that can be performed using this tool. (Preparing the forest and domain for the introduction of Windows Server 2008 domain controllers is covered in Lab 2.) Estimated time to complete this lab: 20 minutes

Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn
After completing this lab, you will be able to:
■ Use Server Manager to add roles and features.

Lab Environment
To complete this lab, you will need the following Virtual Machine:
■ 2008-01

Important
You must log on as an administrative user in order to perform all of the tasks in this lab.

Administrative username and password
□ Username: Contoso\Administrator
□ Password: P@ssw0rd1
□ Domain: Contoso

©2008 Microsoft Corporation

Microsoft Confidential

1

Exercise 1: Introduction to Server Manager

Scenario
Use the Initial Configuration Tasks console and Server Manager to perform common tasks.

Tasks
In the following steps, we will examine some of the different types of tasks and information that can be accessed through Server Manager. We will first examine the IP address of the network adapter, and then enable Remote Desktop through the Initial Configuration Tasks console. Following that, we will use Server Manager to add the Terminal Services role and then the Windows Server Backup feature. Lastly, we will view the Diagnostics information provided under Server Manager.

Note If Initial Configuration Tasks has been closed, you can run oobe.exe to open it again.

1. Explore the Initial Configuration Tasks console on 2008-01.
   a. View the Network Connection properties for the computer.
      1) Under section 1. Provide Computer Information, click Configure networking to display the Network Connections dialog box.
      2) Right-click Local Area Connection and select Properties.
      3) Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
      4) View the IP address of this adapter.
      5) Close all dialogs and return to the Initial Configuration Tasks screen.
   b. Enable Remote Desktop.
      1) Under section 3. Customize This Server, click Enable Remote Desktop. This brings up the Remote tab of System Properties.
      2) Select the second option: Allow connections from computers running any version of Remote Desktop (less secure).
         Note The lab picks this option only so that older clients can connect. The first option, Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure), makes the client authenticate before a session and logon screen are created on the server, and is the setting to use outside the lab.


      3) Read the Firewall exception warning message, click OK, and then click OK in System Properties.
      4) Notice that Remote Desktop now shows as Enabled.
      5) Close the Initial Configuration Tasks console. Server Manager should launch automatically after several seconds.

2. Add the Windows Server Backup feature from Server Manager.
   1) Click Features under Server Manager in the left pane.
   2) Click Add Features in the right pane. This launches the Add Features Wizard.
   3) Review the available features, expand Windows Server Backup Features, and then select Windows Server Backup.
      From the pop-up message, what additional feature is required for Windows Server Backup to be installed? ____________________1
      Click Add Required Features and then select Command-line Tools.
      From the pop-up message, what additional feature is required for Command-line Tools? ____________________2
      Click Add Required Features and then click Next. On the Confirm Installation Selections page, click Install. When the installation finishes, the Installation Results are displayed; confirm that the installation succeeded and click Close.
   4) Confirm that Windows Server Backup is listed under the Features Summary in the right pane.

Answers: 1 Windows Recovery Disc. 2 Windows PowerShell.
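The following script is an added example and is not part of the lab manual. It does the Lab 1 work from an elevated PowerShell prompt on 2008-01 instead of through the Initial Configuration Tasks and Add Features wizards, with one deliberate difference: it enables Remote Desktop with Network Level Authentication required, the option the lab labels "more secure" and skips. It assumes that the feature ID Backup-Features is the one servermanagercmd -query lists for Windows Server Backup Features on this build.

```powershell
# Added example; not part of the lab manual. Assumption: Backup-Features is the
# servermanagercmd feature ID for Windows Server Backup Features on this build.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RemoteDesktopState {
    # fDenyTSConnections = 1 means RDP is off; UserAuthentication = 1 means NLA is required,
    # i.e. the client must authenticate before a session and logon screen are created.
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
    @{ Enabled = ($deny -eq 0); NlaRequired = ($nla -eq 1) }
}

function Enable-RemoteDesktop {
    # -AllowLegacyClients reproduces the lab's "any version of Remote Desktop (less secure)"
    # choice; leave it off unless you really have clients that cannot do NLA.
    param([switch]$AllowLegacyClients)
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0
    $nla = 1
    if ($AllowLegacyClients) { $nla = 0 }
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value $nla
    # The firewall exception the wizard's warning dialog refers to (TCP 3389)
    & netsh.exe advfirewall firewall set rule 'group=Remote Desktop' new enable=Yes | Out-Null
}

function Install-WindowsServerBackup {
    # -allSubFeatures takes Windows Server Backup and the Command-line Tools together, and
    # servermanagercmd resolves the dependencies the wizard prompts for (answers 1 and 2 above).
    & servermanagercmd.exe -install Backup-Features -allSubFeatures
    # Equivalent of checking the Features Summary pane
    & servermanagercmd.exe -query | Where-Object { $_ -match 'Backup' }
}

Enable-RemoteDesktop
Get-RemoteDesktopState
Install-WindowsServerBackup
```

Get-RemoteDesktopState is worth keeping as a standalone check: it reads the two registry values that the Remote tab writes, so it tells you whether a server that someone else configured is accepting pre-authentication-free connections.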

Lab 2: Installing Active Directory Domain Services

During this lab, you will promote a Windows Server 2008 machine that is in a workgroup to a domain controller in a Windows Server 2003 domain. Estimated time to complete this lab: 60 minutes

Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn
After completing this lab, you will be able to:
■ Use the new DCPROMO GUI features available in Windows Server 2008

Lab Environment
To complete this lab, you will need the following Virtual Machines:
□ 2003-01
□ 2008-01

Important
You must log on as an administrative user in order to perform all of the tasks in this lab.

Administrative username and password
□ Username: Administrator
□ Password: P@ssw0rd1
□ Domain: Contoso

Exercise 1: Prepare the domain and forest for the introduction of a Windows Server 2008 domain controller

Scenario
You are the administrator of Contoso.com, a Windows Server 2003 domain. You are given the task of introducing a Windows Server 2008 domain controller into your environment.

Pre-Tasks
■ Start the 2003-DC1 Virtual Machine
■ Start the 2008-01 Virtual Machine

Tasks
First, prepare the forest by running adprep /forestprep on 2003-DC1. Then raise the domain functional level to Windows Server 2003 mode. Finally, prepare the domain by running domainprep and gpprep.

Note adprep /forestprep extends the schema. Schema changes are forest-wide and cannot be undone short of a forest recovery, so run the command on the schema master, as a member of the Enterprise Admins, Schema Admins and Domain Admins groups of the forest root domain, and take a system state backup of that domain controller first.

1. On 2003-01, at the "Welcome to the Windows Setup Wizard" screen, click Next. At the "License Agreement" screen, select the "I accept this agreement" option and click Next. At the "Date and Time Settings" screen, click Next. At the network configuration pop-up, click OK. Allow time for 2003-01 to boot up completely.

2. Prepare the forest by running adprep /forestprep on 2003-DC1.
   a. Log on to the schema master, 2003-DC1, as Contoso\Administrator.
   b. Open a command prompt on 2003-DC1, and change directories to the Adprep folder: C:\Sources\ADPrep
   c. At the command prompt, type the following and then press ENTER:
      adprep /forestprep
   d. You will be prompted with an ADPREP WARNING message requesting confirmation that all Windows 2000 Active Directory domain controllers in the forest are upgraded to Windows 2000 SP4 or later.
   e. Type C and then press ENTER. When the process finishes you will receive a message that Adprep successfully updated the forest-wide information.

   Note The domain must be in at least Windows 2000 native mode before you can run adprep /domainprep.

3. Run adprep /rodcprep.
   a. Open a command prompt, and then change directories to the Adprep folder: C:\Sources\ADPrep
   b. At the command prompt, type the following and then press ENTER:
      adprep /rodcprep
   c. When the command completes, the last entry should report: "Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory c:\windows\debug\adprep\logs\ for more information."
   d. Review ADPrep.log to see the changes made by running adprep /rodcprep.

4. Prepare the domain by running domainprep and gpprep on 2003-DC1.
   a. At the command prompt, type the following and then press ENTER:
      adprep /domainprep /gpprep
   b. When the process finishes you will receive the messages: Adprep successfully updated the domain-wide information. Adprep successfully updated the Group Policy Object information.
   c. Close the command prompt.
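The following script is an added example and is not part of the lab manual. It reads the two results of forest preparation that can be verified directly over LDAP: the schema objectVersion that adprep /forestprep raises, and the Enterprise Read-only Domain Controllers group (RID 498) that the Windows Server 2008 forest preparation creates in the forest root domain, the same group whose SID the Exercise 2 notes later describe as an "unresolved -498" entry on the DC object's ACL. It binds with explicit credentials, so it also runs from 2008-01 while that server is still in a workgroup. Host and domain names are the lab's; the schema version numbers used for the comparison are those of Windows Server 2003 (30), 2003 R2 (31) and 2008 RTM (44).

```powershell
# Added example; not part of the lab manual. Assumptions: lab host/domain names and the
# schema versions 30 (2003), 31 (2003 R2) and 44 (2008 RTM).

$schemaMaster = '2003-dc1.contoso.com'
$domainDn     = 'DC=contoso,DC=com'

function Get-AdPrepState {
    param([string]$Server, [string]$DomainDn, [string]$User, [string]$Password)

    # objectVersion on the schema container is the value adprep /forestprep raises
    $schemaPath = "LDAP://$Server/CN=Schema,CN=Configuration,$DomainDn"
    $schema  = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $schemaPath, $User, $Password
    $version = [int]$schema.Properties['objectVersion'].Value

    # The Enterprise Read-only Domain Controllers group lives in the forest root domain
    $root     = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Server/$DomainDn", $User, $Password
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.Filter = '(&(objectClass=group)(cn=Enterprise Read-only Domain Controllers))'
    $erodc = $searcher.FindOne()

    $rid = $null
    if ($erodc -ne $null) {
        # objectSid is a byte array; the RID is the last sub-authority, 4 little-endian bytes
        $sid = [byte[]]$erodc.Properties['objectsid'][0]
        $rid = [BitConverter]::ToUInt32($sid, $sid.Length - 4)
    }

    @{
        SchemaVersion     = $version
        ForestPrepFor2008 = ($version -ge 44)
        ErodcGroupPresent = ($erodc -ne $null)
        ErodcRid          = $rid
    }
}

# Record the state before adprep /forestprep and run this again afterwards: SchemaVersion
# should move from 30 or 31 to 44, and ErodcRid should read 498. The password is held in
# plain text in memory only for the duration of the bind.
$password = Read-Host -Prompt 'Password for contoso\Administrator'
Get-AdPrepState -Server $schemaMaster -DomainDn $domainDn -User 'contoso\Administrator' -Password $password
```

The second check is also the one to run before adprep /rodcprep: the lab's rodcprep step reports its own success in ADPrep.log, but it depends on the Enterprise Read-only Domain Controllers group already having replicated to the DC it talks to.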

Exercise 2: Promote a Windows Server 2008 machine to a domain controller in an existing Windows Server 2003 domain

Scenario
You are an administrator for your domain and would like to introduce a Windows Server 2008 domain controller into your existing Windows Server 2003 domain.

Tasks
1. Promote 2008-01 as a replica domain controller in the Contoso domain by adding the Active Directory Domain Services role via Server Manager. Then, from a command prompt, run DCPromo.exe to start the domain controller promotion. Use the advanced mode installation option to make the domain controller a DNS server as well as a Global Catalog. Lastly, export these dcpromo settings to a text file to be used later in the promotion of another domain controller. Name the text file 2008-answer.txt and place it in C:\.
   a. Add the AD DS role via Server Manager.
      1) Log on to 2008-01 as the local Administrator.
      2) Launch Server Manager if it is not already open.
         a) Click Start, Administrative Tools, and then Server Manager.
      3) Select Roles and click Add Roles in the right pane. The Add Roles Wizard starts.
      4) On the Before You Begin page, click Next.
      5) On the Select Server Roles page, select Active Directory Domain Services. Read the Add Roles Wizard pop-up, select the second option, Install AD DS anyway, and click Next.
      6) Review the information on the Active Directory Domain Services page, then click Next.
      7) Review the information on the Confirm Installation Selections page and then click Install.
      8) When the Installation Results are displayed, verify that the installation succeeded.
         Note You can launch DCPROMO directly from the Installation Results page: there is a link in blue that states "Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe)". You can start either with a. or with b., since b. performs a. automatically.
      9) Click Close.
      10) Notice that Active Directory Domain Services is now listed under Roles in Server Manager but has a red X. Click Active Directory Domain Services and read the Summary.
         Note The Active Directory snap-ins were not installed when the role was added. Adding the role installs the AD DS binaries only and does not automatically start the dcpromo process.
   b. Promote the new domain controller.
      1) Open a command prompt, type DCPROMO, and then press ENTER. A check runs to determine whether the Active Directory Domain Services binaries are installed. If not, they are installed and the AD DS Installation Wizard launches automatically.
         a) Alternatively, you can promote the domain controller from the Roles Summary by clicking Active Directory Domain Services (with the red X) and then, under Summary, clicking Run the Active Directory Domain Services Installation Wizard (dcpromo.exe).
         Note Since Terminal Services was installed on this computer during the previous lab, the Active Directory Domain Services Installation Wizard displays a message requesting confirmation of a change in security policy on this computer that allows only administrators to log on to the computer through Terminal Server.
      2) Click OK in the dialog. On the Welcome page, check Use advanced mode installation and then click Next.

      3) On the Choose a Deployment Configuration page, select Existing forest and Add a domain controller to an existing domain, then click Next.
      4) On the Network Credentials page, type Contoso.com in the box for Type the name of any domain in the forest where you plan to install this domain controller.
      5) Click Set..., enter the following information as your Network Credentials, and then click OK.
         a) User name: Contoso\Administrator
         b) Password: P@ssw0rd1
      6) Click Next.
      7) On the Select a Domain page, select Contoso.com (forest root domain) and click Next.
      8) In the Select a Site dialog, check Use the site that corresponds to the IP address of this computer.
         Note The Windows Server 2008 Active Directory Domain Services Installation Wizard has a new dialog for Additional Domain Controller Options. The options available are:
         ■ DNS Server
         ■ Global Catalog
         ■ Read-only domain controller (RODC)
      9) Read the additional information, confirm that both the DNS server and Global catalog options are checked, and then click Next.
      10) Read the warning message about delegation for this DNS server and click Yes.
         Note The informational message indicates that a delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS Server. In our case this occurs because contoso.com is our top-level domain and .com cannot be found, since it does not exist in the lab. The goal of this message is to help IT professionals configure their DNS settings correctly during the DCPROMO process.
      11) On the Install from Media screen, ensure that the first option, Replicate data over the network from an existing domain controller, is selected and then click Next.
         Note The second new page added to the Windows Server 2008 Active Directory Domain Services Installation Wizard provides the option to select a source domain controller. The source domain controller must be writable.
      12) On the Source Domain Controller screen, select Let the wizard choose an appropriate domain controller and then click Next.
      13) On the Location for Database, Log Files, and SYSVOL page, leave the default settings and click Next.
      14) On the Directory Services Restore Mode Administrator Password page, provide the password P@ssw0rd1 and click Next.
         Note The DSRM password is a local administrator credential for this domain controller that works when AD DS is not running. Outside the lab, give each domain controller its own DSRM password, do not reuse the domain Administrator password for it, and store it in the same way as any other privileged credential.
      15) On the Summary page, click Export settings... to create an answer file for use later.
         a) Type C:\2008-answer.txt when prompted for the location in which to save the unattended file, and then click Save and OK.
         Note The exported file contains Password=* and no DSRM password, so no credential is stored in it. Keep it that way if you edit the file for reuse.
      16) Click Next on the Summary page to begin configuring Active Directory Domain Services.
      17) Check the Reboot on completion box in the Active Directory Domain Services Installation Wizard. Once the configuration completes, the server reboots automatically.
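The following script is an added example and is not part of the lab manual. It uses an answer file of the kind exported in step 15 to promote another Windows Server 2008 member server without the wizard. The [DCInstall] keys are the ones dcpromo writes for this configuration (replica DC, DNS server, Global Catalog, site East, replication source 2008-01). The script keeps the file free of stored secrets the way the wizard exports it: it asks for the DSRM password at run time, writes it into an ACL-restricted copy only for the duration of the promotion, and deletes the file afterwards, which is also why RebootOnCompletion is set to No and the reboot is left to the operator. The target server and the reboot handling are assumptions.

```powershell
# Added example; not part of the lab manual. Assumptions: the member server being promoted
# can reach 2008-01, and the operator reboots it after reviewing DCPROMO.LOG.

$template = @'
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=East
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=contoso.com
UserName=contoso\Administrator
Password=*
ReplicationSourceDC=2008-01.contoso.com
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=
RebootOnCompletion=No
'@

function Invoke-UnattendedPromotion {
    param([string]$Path = 'C:\2008-answer.txt')

    # DSRM password: a local, privileged credential for this DC only. Prompt for it rather
    # than storing it, and do not reuse the domain Administrator password as the lab does.
    $secure = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    # String.Replace is literal, so characters such as $ in the password are not interpreted
    $answer = $template.Replace('SafeModeAdminPassword=', 'SafeModeAdminPassword=' + $dsrm)
    Set-Content -Path $Path -Value $answer -Encoding ASCII
    # Only Administrators and SYSTEM may read the file for the short time it exists
    & icacls.exe $Path /inheritance:r /grant 'Administrators:F' 'SYSTEM:F' | Out-Null

    try {
        # Password=* makes dcpromo prompt for the contoso\Administrator password interactively.
        # dcpromo.exe is a windowed program, so wait on the process, not on the command line.
        $proc = [System.Diagnostics.Process]::Start('dcpromo.exe', "/unattend:$Path")
        $proc.WaitForExit()
        $exitCode = $proc.ExitCode
    } finally {
        Remove-Item -Path $Path -Force    # the DSRM password must not outlive the promotion
    }
    $exitCode
}

$code = Invoke-UnattendedPromotion
"dcpromo exit code $code. Review C:\Windows\Debug\DCPROMO.LOG, then reboot with: shutdown /r /t 0"
```

If you instead reuse the file the wizard exported, add SafeModeAdminPassword only at the moment of use and remove the file afterwards; an answer file with a DSRM password in it is equivalent to a local administrator password for that domain controller written to disk.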

2. Confirm that the domain controller is functioning properly.
   1) Log on as Contoso\Administrator after the reboot completes.
   2) Initial Configuration Tasks opens automatically. Notice that under section 1. Provide Computer Information, the Full Computer Name and Domain are listed.
   3) Close Initial Configuration Tasks; Server Manager should start automatically.
   4) Confirm that Active Directory Domain Services is listed under Roles.
   5) From a command prompt type: net share, and confirm that both SYSVOL and NETLOGON are shared.
   6) Select Active Directory Domain Services and review the information in the right pane.
   7) Expand Active Directory Domain Services in the left pane and examine the following:
      a) Expand Active Directory Users and Computers.
         (1) Confirm that 2008-01 is listed under the Domain Controllers container.
      b) Expand Active Directory Sites and Services.
         (1) Confirm that 2008-01 is added in the East site.
         (2) Confirm that the 2008-01 NTDS Settings object has been created.
   8) Verify DNS record registration and DNS settings.
      a) Verify that the following records exist for 2008-01. Expand DNS Server, DNS, 2008-01, Forward Lookup Zones, Contoso.com, and then highlight _tcp. In the right-hand window, ensure that the following records exist for 2008-01:
         (1) _ldap._tcp.Contoso.com
         (2) _kerberos._tcp.Contoso.com
         (3) _kpasswd._tcp.Contoso.com
         (4) _gc._tcp.Contoso.com
      b) Check the Primary and Alternate DNS server settings.
         (1) Highlight Server Manager at the top of the left-hand window.
         (2) Under Server Summary, click View Network Connections.
         (3) View the properties of Internet Protocol Version 4 (TCP/IPv4) for the Local Area Connection and notice which IP address is being used as the Alternate DNS server.
         (4) Close these properties and return to Server Manager.
   9) Under Diagnostics, expand Event Viewer and then Windows Logs.
      a) Select the Application log and confirm that SceCli event 1704 is reported.
      b) Under Applications and Services Logs, select the File Replication Service log and confirm NtFrs event 13516.
         Tip It may take several minutes for SYSVOL to be shared and for the above events to appear. If you cannot verify these steps after five minutes, stop and start the NTFRS service.
      c) Close Server Manager.
   10) Open dssite.msc and examine the security descriptor on the DC object. It displays an unresolved security identifier ending in -498, which is by design: this is the SID of the Enterprise Read-only Domain Controllers group (RID 498), and the entry was inherited from the Configuration container.

3. View dcpromo.log and note the day, month and year this machine was promoted to a domain controller.
   a. Open the C:\Windows\Debug\DCPROMO.LOG file.
   b. Note that the log now records day, month and year in the first column.
      1) Example:
         10/01/2007 11:03:20 [INFO] Promotion request…
      Note The DCPROMO.LOG in Windows Server 2008 now displays the year in addition to the day and month that the domain controller was promoted.
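The following script is an added example and is not part of the lab manual. It performs the checks of this task (the SYSVOL and NETLOGON shares, the SRV records a domain controller must register, and the SceCli 1704 and NtFrs 13516 events) as one function you can rerun while SYSVOL is still initialising, and applies the Tip's remedy if the FRS event is still missing. Domain and DC names are the lab's; the event sources and log names are the ones the lab cites.

```powershell
# Added example; not part of the lab manual. Assumptions: lab domain and DC names;
# SceCli events in the Application log, NtFrs events in the File Replication Service log.

$domain = 'contoso.com'
$dcName = '2008-01'

function Test-DcShares {
    # "net share" must list SYSVOL and NETLOGON before the DC can serve logons and Group Policy
    $shares = & net.exe share
    $state = @{}
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        $state[$name] = [bool]($shares | Where-Object { $_ -match "^$name\s" })
    }
    $state
}

function Test-DcSrvRecords {
    # The four records the lab inspects under _tcp, plus the _msdcs record DC Locator queries
    $names = @("_ldap._tcp.$domain", "_kerberos._tcp.$domain", "_kpasswd._tcp.$domain",
               "_gc._tcp.$domain", "_ldap._tcp.dc._msdcs.$domain")
    $state = @{}
    foreach ($n in $names) {
        $out = & nslookup.exe -type=SRV $n 2>&1
        # nslookup prints one "svr hostname = <fqdn>" line per SRV answer
        $state[$n] = [bool]($out | Where-Object { $_ -match "svr hostname\s*=\s*$dcName\." })
    }
    $state
}

function Test-DcEvents {
    # SceCli 1704: security policy applied. NtFrs 13516: SYSVOL initialised, DC is advertising.
    $sce = Get-EventLog -LogName Application -Newest 500 |
           Where-Object { $_.Source -eq 'SceCli' -and $_.EventID -eq 1704 }
    $frs = Get-EventLog -LogName 'File Replication Service' -Newest 500 |
           Where-Object { $_.Source -eq 'NtFrs' -and $_.EventID -eq 13516 }
    @{ SceCli1704 = ($sce -ne $null); NtFrs13516 = ($frs -ne $null) }
}

function Test-NewDomainController {
    $results = @{}
    $results += Test-DcShares
    $results += Test-DcSrvRecords
    $results += Test-DcEvents
    $results
}

$r = Test-NewDomainController
$r
# The lab's remedy if NtFrs 13516 is still missing after five minutes
if (-not $r['NtFrs13516']) { Restart-Service -Name ntfrs }
```

A DC that registers its SRV records before SYSVOL is shared is the usual reason clients in the site fail Group Policy processing right after a promotion, so the three groups of checks are worth reading together rather than stopping at the first one that passes.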

Lab 3: Windows Server 2008 DNS

During this lab, you will configure and troubleshoot DNS. Estimated time to complete this lab: 75 minutes

Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of DNS

What You Will Learn
After completing this lab, you will be able to:
■ Configure and troubleshoot DNS using NSLOOKUP and NLTEST

Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2003-01
■ 2008-01

Important
You must log on as an administrative user in order to perform all of the tasks in this lab.

Administrative username and password
□ Username: Administrator
□ Password: P@ssw0rd1
□ Domain: Contoso

Exercise 1: Use NSLOOKUP to gather IP information

Task 1: Use NSLOOKUP to retrieve the IP address of your current logon server and to test whether forward lookup is working.
1. Log on to 2008-01 as Contoso\Administrator.
2. Open a command prompt, type SET and press Enter.
3. What is your logon server? __________________________1
4. Resolve the IP address of your logon server using NSLOOKUP. Type the following statement and press Enter:
   NSLOOKUP 2008-01
5. What are the IP addresses? __________________________________2

Exercise 2: Use NSLOOKUP, IPCONFIG and NLTEST to test DNS settings

Task 1: Verify the new domain controller SRV records using NSLOOKUP
1. Still on 2008-01, type the following command at the command prompt and then press Enter:
   NSLOOKUP
2. Type the following command and press Enter:
   set type=all
3. Type the following command and press Enter:
   _ldap._tcp.dc._msdcs.Contoso.com
4. You should see the result in Figure 2.
5. Close the command prompt.

Figure 2: LDAP Servers for Contoso

Task 2: Verify whether you are using a domain controller in your site using NLTEST, and test the Try Next Closest Site Group Policy setting
1. On 2008-01, enable next closest site lookups for domain controllers:
   a. Open gpedit.msc from the Run line.
   b. Navigate to Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records. Select Try Next Closest Site, change the setting to Enabled, and then click OK. Close the Local Group Policy Editor.
   c. Open a command prompt and run GPUPDATE /force.
2. Use the following statement to call and test the DsGetDcName function of the DC Locator service from the command line. This shows the enumerated or cached DC.
   NLTEST /DSGETDC:Contoso.com
   More info: http://msdn2.microsoft.com/en-us/library/ms675983.aspx
   DC name of current DC: _____________________________________________________3
3. Use the following statement to call and test the DsGetDcOpen function of the DC Locator service from the command line. This shows a list of DCs in a pseudo-random order that takes priorities and weights into account.
   NLTEST /DNSGETDC:Contoso.com
   More info: http://msdn2.microsoft.com/en-us/library/ms675985.aspx
   DC names of all DCs: ________________________________________________________4
4. Use the following statement to locate a writable DC in the next closest AD site from the client's perspective that could authenticate the client:
   NLTEST /DSGETDC:Contoso.com /Writable /Try_Next_Closest_Site
   Note Since both DCs are in the same site, you will not actually see a next closest site resolution, but during the RODC labs you can test this command to see a populated response. This command is useful during a support call to show where DC Locator will look for the next closest DC based on ISTG topology data.
5. Use the following statement to force a rediscovery of DCs and clear the cached DC and site. This command is useful if a DC goes down in the client's site and the client is forced to use a DC in another site: the sticky behavior of DC Locator would otherwise make the client keep using the remote DC until it becomes unavailable or the client is restarted. In Windows Server 2008 and Windows Vista, whenever DsGetDcName retrieves a domain controller name from its cache, it checks whether the cached entry has expired and, if so, discards that domain controller name and tries to rediscover a domain controller.
   NLTEST /DSGETDC:Contoso.com /force
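The following script is an added example and is not part of the lab manual. It runs the queries from this exercise and parses the nslookup and nltest output into objects, so the SRV priority and weight values behind the DsGetDcOpen ordering and the locator's cached versus rediscovered answer (/force) can be compared in one place. The domain name is the lab's; the output line labels are those printed by the Windows Server 2008 nslookup.exe and nltest.exe.

```powershell
# Added example; not part of the lab manual. Assumptions: lab domain name, and the output
# labels of the Windows Server 2008 nslookup.exe and nltest.exe.

$domain = 'contoso.com'

function Get-DcSrvRecords {
    # Same query as "set type=all" followed by _ldap._tcp.dc._msdcs.<domain> inside nslookup
    param([string]$Domain)
    $out = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
    $records = @()
    $current = $null
    foreach ($line in $out) {
        $text = [string]$line
        if ($text -match 'SRV service location') {
            $current = @{}
            $records += $current           # hashtable is a reference; later keys land in this entry
        } elseif ($text -match '^\s*priority\s*=\s*(\d+)')     { $current.Priority = [int]$matches[1] }
        elseif   ($text -match '^\s*weight\s*=\s*(\d+)')       { $current.Weight   = [int]$matches[1] }
        elseif   ($text -match '^\s*port\s*=\s*(\d+)')         { $current.Port     = [int]$matches[1] }
        elseif   ($text -match '^\s*svr hostname\s*=\s*(\S+)') { $current.Target   = $matches[1] }
    }
    $records
}

function Get-LocatorResult {
    # DsGetDcName through nltest: cached answer by default, rediscovery with -Force,
    # writable DC in the next closest site with -TryNextClosestSite
    param([string]$Domain, [switch]$Force, [switch]$TryNextClosestSite)
    $nlArgs = @("/dsgetdc:$Domain")
    if ($Force)              { $nlArgs += '/force' }
    if ($TryNextClosestSite) { $nlArgs += '/writable'; $nlArgs += '/try_next_closest_site' }
    $out = & nltest.exe $nlArgs 2>&1
    $result = @{}
    foreach ($line in $out) {
        $text = [string]$line
        if ($text -match '^\s*DC:\s*\\\\(\S+)')        { $result.DC      = $matches[1] }
        if ($text -match '^\s*Address:\s*\\\\(\S+)')   { $result.Address = $matches[1] }
        if ($text -match '^\s*Dom Name:\s*(\S+)')      { $result.Domain  = $matches[1] }
        if ($text -match '^\s*Dc Site Name:\s*(\S+)')  { $result.DcSite  = $matches[1] }
        if ($text -match '^\s*Our Site Name:\s*(\S+)') { $result.OurSite = $matches[1] }
        if ($text -match '^\s*Flags:\s*(.+)$')         { $result.Flags   = $matches[1].Trim() }
    }
    $result
}

# Lower priority wins; among equal priorities, weight sets the share of clients each DC gets
foreach ($r in Get-DcSrvRecords -Domain $domain) {
    '{0,-30} priority={1} weight={2} port={3}' -f $r.Target, $r.Priority, $r.Weight, $r.Port
}
$cached = Get-LocatorResult -Domain $domain
$fresh  = Get-LocatorResult -Domain $domain -Force
"cached: $($cached.DC)  rediscovered: $($fresh.DC)  DC site: $($fresh.DcSite)  our site: $($fresh.OurSite)"
"flags: $($fresh.Flags)"
```

The Flags line is the part to read during a support call: CLOSE_SITE tells you the answer came from the client's own site, and WRITABLE distinguishes a full DC from an RODC, which matters once the RODC labs add one to the forest.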

Exercise 3: GlobalNameZones Enable the GlobalNames Zone functionality Using the command line 1. Log onto 2008-01 2. Open a command prompt: Click Start, right-click Command Prompt, and then click Run as Administrator. ©2008 Microsoft Corporation

Microsoft Confidential

6

3. Type the following, and then press Enter: Dnscmd 2008-01.contoso.com/config /Enableglobalnamessupport 1

Create the GlobalNames Zone

Using the Windows Interface
1. Open the DNS console.
2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.
3. Create a new zone and give it the name GlobalNames.
   Note: This is not case sensitive; globalnames is also supported.
4. Choose an appropriate storage method and replication scope for the zone.
   Note: We recommend that you store the zone in AD DS and replicate it to all domain controllers that are DNS servers in the forest. This creates a new AD DS-integrated zone called GlobalNames, stored in the forest-wide DNS application partition.

Create a Short-name Resource Record
1. Right-click the GlobalNames zone and select New Host (A or AAAA).
2. In Name, type test.
3. In IP Address, type 10.10.10.55.
4. Click Add Host.

Use NSLOOKUP to query the GlobalNames Zone
1. Open a command prompt.
2. Type NSLOOKUP.
3. Type set type=all.
4. Type server 2003-01.
5. Type test and see the result.
6. Type server 2008-01.
7. Type test and see if the query displays the correct results.
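The same exercise driven entirely from the command line, as an added example that is not part of the lab manual: it uses dnscmd for the zone and the record that the lab creates in the DNS console, then repeats the nslookup comparison against both servers. The server names, the record and its address are the lab's; the helper function and its error handling are this example's own.

```powershell
# Added example, not part of the lab manual: command-line equivalent of the GlobalNames
# exercise. Run on 2008-01 (or any box with dnscmd and rights on the DNS server).
$DnsServer    = '2008-01.contoso.com'   # Windows Server 2008 DNS server that hosts the zone
$LegacyServer = '2003-01'               # Windows Server 2003 server, used for the comparison query
$HostName     = 'test'
$HostIp       = '10.10.10.55'

function Invoke-DnsCmd {
    # Run one dnscmd step against $DnsServer and stop on the first failure instead of
    # continuing with a half-configured zone.
    param([string[]]$Arguments)
    $output = & dnscmd.exe $DnsServer @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $output" }
    $output
}

# 1. Enable GlobalNames support on the server (step 3 of the command-line section).
Invoke-DnsCmd '/Config', '/EnableGlobalNamesSupport', '1' | Out-Null
# 2. Create the zone as AD DS-integrated, stored in the forest-wide DNS application partition
#    (what the New Zone Wizard does when you replicate to all DNS servers in the forest).
Invoke-DnsCmd '/ZoneAdd', 'GlobalNames', '/DsPrimary', '/DP', '/forest' | Out-Null
# 3. Add the single-label host record.
Invoke-DnsCmd '/RecordAdd', 'GlobalNames', $HostName, 'A', $HostIp | Out-Null
# 4. Read the setting back to confirm it took effect.
Invoke-DnsCmd '/Info', '/EnableGlobalNamesSupport'

# 5. Resolve the single-label name through each server. Only the Windows Server 2008 server
#    consults the GlobalNames zone; the Windows Server 2003 server cannot resolve the name.
foreach ($server in $DnsServer, $LegacyServer) {
    "--- nslookup -type=A $HostName via $server ---"
    & nslookup.exe "-type=A" $HostName $server 2>&1
}
```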


1. LOGONSERVER=\2008-01
2. 172.24.1.2
3. DC:\\2008-01.contoso.com
4. 2003-dc1.contoso.com, 2008-01.contoso.com


Lab 4: Implementing RODC

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. These materials are intended for distribution to and use only by Microsoft Premier Customers. Use or distribution of these materials by any other persons is prohibited without the express written permission of Microsoft Corporation. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

©2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Version 1.0


During this lab, you will prepare the forest and domain for the introduction of Windows Server 2008 Read Only Domain Controllers. You will also install the RODC and learn about its features.

Estimated time to complete this lab: 90 minutes

Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn
After completing this lab, you will be able to:
■ Understand preparation and installation of a Windows Server 2008 Read Only Domain Controller.
■ Understand new features and functionality of RODC

Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2003-01
■ 2008-01
■ 2008-02
■ Vista-01

Important
You must log on as an administrative user in order to perform some of the tasks in this lab.
■ Administrative username and password
  □ Username: Administrator
  □ Password: P@ssw0rd1
  □ Domain: Contoso

Exercise 1: Prepare the Windows Server 2003 domain for the installation of a Read Only Domain Controller

Scenario
You are the administrator of the Contoso.com domain and have branch offices where physical security cannot be guaranteed. You have decided to install a Read Only Domain Controller (RODC) in your branch office.

Tasks
1. Prepare the contoso.com domain (Windows 2003 domain) for the RODC installation.
   a. Ensure that the forest functional level is Windows Server 2003.
      1) Log onto the domain controller 2003-DC1 as contoso\administrator.
      2) Open Active Directory Domains and Trusts. Click the Action menu and choose Raise Forest Functional Level. When the Raise forest functional level dialog opens, check that the forest functional level is set to Windows Server 2003.

Exercise 2: Install an RODC on a full installation of Windows Server 2008

Scenario
Now that you have prepared your domain for the RODC installation, you want to delegate the ability to attach the server that will be the RODC in your branch office to a user, Susan Burk. You have therefore decided to perform a staged installation of the RODC and use this method to add users, computers and groups to the Password Replication Policy.

Tasks
1. Configure network settings on 2008-02 and Vista-01 to place them in the 10.1.2.x subnet that maps to the West site, then join Vista-01 to the Contoso.com domain.
2. Log onto Vista-01 using the local Administrator account (User: Administrator, Password: P@ssw0rd1).
   a. Disable cached credentials on Vista-01.
      1) Launch Regedit.exe on Vista-01.
      2) Expand HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
      3) Set the cachedlogonscount value to 0, and then close regedit.exe.
   b. Join Vista-01 to contoso.com and reboot the client afterwards.
3. Pre-create a Read Only Domain Controller account using Active Directory Users and Computers on 2008-01.
   a. Log onto the domain controller 2008-01 as Contoso\administrator.
   b. Launch Server Manager if it is not already open.
   c. Expand Roles, Active Directory Domain Services, Active Directory Users and Computers and then Contoso.com.
   d. Right-click the Domain Controllers container and select Pre-create Read-only Domain Controller account.
   e. Select the check box for Use advanced mode installation and click Next.
   f. On the Network Credentials page verify My current logged on credentials (CONTOSO\administrator) is selected and click Next.
   g. On the Specify Computer Name page provide 2008-02 as the computer name and click Next.
   h. On the Select a Site page select West and click Next.
   i. On the Additional Domain Controller Options page, ensure DNS server and Global Catalog are checked and that Read-only domain controller (RODC) is checked but grayed out. Click Next.
   j. On the Specify the Password Replication Policy page notice that only the Allowed RODC Password Replication Group is set to Allow under Settings. Click Add.
   k. On the Add Groups, Users and Computers dialog choose Allow passwords for the account to replicate to this RODC and click OK.
      1) Add the user Don Hall and the computer Vista-01 and click OK. Ensure Don Hall and Vista-01 have been added with the setting Allow. Click Next.
   l. On the Delegation of RODC Installation and Administration page click Set…, on the Select User or Group dialog add Susan Burk, and click OK. Click Next and then Next again to create the Read Only Domain Controller computer account. Click Finish.
   m. Notice that the computer account created in the Domain Controllers container is listed as type: Unoccupied DC Account (Read-only, GC).
4. Install the Active Directory Domain Services role.
   a. Log onto 2008-01 and reset the password for Susan Burk to P@ssw0rd1.
   b. Log onto 2008-02 as the local Administrator with the password P@ssw0rd1.
   c. Launch Server Manager and select Roles. Click Add Roles in the right pane. The Add Roles Wizard starts. On the Before You Begin page click Next.
   d. On the Select Server Roles page select Active Directory Domain Services and click Next.
   e. Review the information on the Active Directory Domain Services page and click Next.
   f. On the Confirm Installation Selections page, click Install.
   g. Once the installation finishes click Close.
5. Promote 2008-02 as a Read Only Domain Controller using the delegated account.
   a. Click Start, Run, type the following and then click OK:
      dcpromo /UseExistingAccount:Attach
   b. On the Active Directory Domain Services Installation Wizard check the box for Use advanced mode installation and click Next.
   c. On the Network Credentials page, provide Contoso.com as the domain name and click Set…. Provide SBurk as the user name and P@ssw0rd1 as the password, click OK and then Next.
   d. On the Select Domain Controller Account page select 2008-02 and click Next.
   e. Select Yes if it reports a message indicating this computer has one or more network adapters without any static IP address settings… Click Next.
   f. On the Install from Media page ensure Replicate data over the network from an existing domain controller is selected and click Next.
   g. On the Source Domain Controller page ensure Let the wizard choose an appropriate domain controller is selected and click Next.
   h. On the Location for Database, Log Files, and SYSVOL page leave the default entries and click Next.
   i. On the Directory Services Restore Mode Administrator Password page provide the password P@ssw0rd1 and click Next.
   j. On the Summary page click Next and choose Reboot on completion from the Active Directory Domain Services Installation Wizard.
6. Verify the installation of Active Directory.
   a. After the computer reboots, allow the replication to take place.
   b. Log on as Contoso\SBurk.
   c. Start Server Manager and confirm that Active Directory Domain Services is listed under Roles.
   d. What happens if you attempt to add the user accounts for Susan Burk and Don Hall to the Domain Admins group? Why?
      __________________________________________________________________________________________ 1
7. For the purpose of this lab, confirm successful replication of 2008-02.
   a. Log on to 2008-01 as Contoso\Administrator.
   b. Force 2008-02 to inbound-replicate the domain partition from 2008-01 using:
      repadmin /replicate 2008-02 2008-01 dc=contoso,dc=com
   c. Log on to 2008-02 as Contoso\Administrator.
      Note: You may get an error when trying to log onto 2008-02 for the first time because the trust account is not yet valid. If so, force inbound replication on 2008-02 before trying again.
   d. Force FRS to poll AD by running ntfrsutl poll /now on 2008-02.

Exercise 3: Test the Password Replication Policy

Scenario
As an administrator for the Contoso domain, you are curious to find out which new attributes support the Password Replication Policy. You understand that the Password Replication Policy is the mechanism for determining whether a user's or computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.

Tasks
1. View the following attributes that have been added to the Active Directory schema to support the functionality required for RODC caching operations: msDS-Reveal-OnDemandGroup, msDS-NeverRevealGroup, msDS-RevealedList and msDS-AuthenticatedToAccountList.
   a. Log on to 2008-01 as Contoso\administrator.
   b. Launch Server Manager if it is not already open: Click Start, Administrative Tools, and then Server Manager.
   c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers, Contoso.com and then select the Domain Controllers OU.
   d. Enable Advanced Features by clicking the View menu and then Advanced Features.
   e. Select 2008-02 in the right pane.
   f. Right-click it and select Properties.
   g. Select the Attribute Editor tab.
   h. Click Filter and select Constructed and Backlinks.
   i. Now under the Attributes list, you will see the following attributes listed:
      ■ msDS-Reveal-OnDemandGroup: commonly known as the Allowed List
      ■ msDS-NeverRevealGroup: commonly known as the Denied List
      ■ msDS-RevealedList: commonly known as the Revealed List
      ■ msDS-AuthenticatedToAccountList: commonly known as the Authenticated To List

Scenario
During the installation of the RODC you set a policy for the passwords of the Vista-01 machine account and the user Don Hall to be cached on the RODC. You now want Don Hall, a user in the branch office, to log on to Vista-01. After the user and machine successfully authenticate, you expect their passwords to be stored on the RODC.

Tasks
1. Pause the 2003-01 Virtual Machine from within the Virtual Server Administration website or the Virtual PC settings. Since Windows Server 2003 does not recognize the Windows Server 2008 RODC as a domain controller, the 2003 server will register DNS service records in the West site. We pause the 2003 domain controller to prevent it from accepting authentication requests from our Vista-01 client.
2. Log onto 2008-01 and reset the password for Don Hall to P@ssw0rd1.
3. Restart Vista-01, then log on to Vista-01 as contoso\dhall.
4. Log on to 2008-02 as contoso\SBurk. View the current credentials that are cached on the RODC. Ensure Don Hall and Vista-01 are cached. Review whose accounts have been authenticated to an RODC.
   a. Log on to 2008-02 as Contoso\SBurk.
   b. Launch Server Manager if it is not already open.
      1) Click Start, Administrative Tools, and then Server Manager.
   c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers.
   d. Expand Contoso.com and then select the Domain Controllers container.
   e. In the details pane, right-click 2008-02 and select Properties.
   f. Click the Password Replication Policy tab.
   g. Click Advanced.
   h. From the drop-down list, select Accounts whose passwords are stored on this Read-only Domain Controller and ensure Don Hall and Vista-01 are cached.
   i. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller and list the accounts that have been authenticated to the RODC.
5. Log off Vista-01.

Scenario
Don Hall, a user in the branch office, wants to log on to his machine, Vista-01. However, the WAN connection is down and the branch office, which belongs to the West site, only contains an RODC. You understand that the RODC will be able to authenticate Don Hall and Vista-01 because their credentials are successfully cached on the RODC.

Tasks
1. Pause 2008-01 to simulate a broken WAN link.
2. Log on to the Vista-01 machine as Don Hall (this should be successful).
3. Resume the virtual machines 2008-01 and 2003-01.

Exercise 4: Administrator Role Separation

Scenario
You are the administrator of the Contoso domain and would like to create a local administrator role for the RODC and add a user to that role.

Tasks
1. Configure Administrator Role Separation for an RODC.
   a. Log on to 2008-02 as Contoso\administrator.
   b. Launch a command prompt, type dsmgmt and then press ENTER.
   c. At the DSMGMT prompt, type local roles and then press ENTER.
   d. Type add contoso\bsmith Administrators. It will report the message Successfully updated local role.
2. Type Quit two times.
3. Close the command prompt.
4. Log onto 2008-02 using the contoso\bsmith account.

Exercise 5: Dump the RODC machine accounts

Scenario
You are the administrator of the Contoso domain. You want to quickly find out how many RODCs you have in your domain, and you want to achieve this from the command line.

Tasks
1. Use DSQuery and NLTest to discover the RODCs in the domain.
   a. Open a command prompt on 2008-01.
   b. Type Dsquery server -isreadonly and view the results.
   c. Type Nltest /dclist:Contoso.com and view the results.

Exercise 6: Reset the credentials cached on the stolen RODC and delete the RODC

Scenario
You are the administrator of the Contoso domain. You have just found out that the RODC in your branch office has been stolen. You are concerned that some of your users' passwords are cached on the RODC. You are going to take the appropriate steps to reset the credentials currently cached on the RODC.

Tasks
1. Reset the current credentials that are cached on the RODC.
   a. Log on to 2008-01 as Contoso\Administrator.
   b. Launch Server Manager if it is not already open: Click Start, Administrative Tools, and then Server Manager.
   c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers.
   d. Expand Contoso.com and then select the Domain Controllers container.
   e. In the details pane, right-click 2008-02 and select Delete.
   f. To confirm the deletion, click Yes.
   g. This launches the Deleting Domain Controller dialog box.
   h. Review the following options:
      ■ Reset all passwords for user accounts that were cached on this Read-only Domain Controller
      ■ Reset all passwords for computer accounts that were cached on this Read-only Domain Controller
      ■ Uncheck Export the list of accounts that were cached on this Read-only Domain Controller to this file
      Click Cancel. Do NOT click Delete! The RODC is needed for a later lab.

1 The options are grayed out and the user is unable to make changes.
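An added example (not from the lab manual) that reads the four Password Replication Policy attributes of Exercise 3 for every RODC in the domain over LDAP, which is exactly the list an administrator needs when an RODC has been stolen as in Exercise 6. It assumes ADSI access from a writable DC such as 2008-01; the RID 521 filter and the DN-Binary/DN-String value handling are this example's own choices.

```powershell
# Added example, not part of the lab manual. Run on a writable DC (e.g. 2008-01) as a user
# allowed to read the Domain Controllers container.

function ConvertTo-Dn {
    # Link-valued attributes come back either as a plain DN or, for DN-Binary / DN-String
    # syntax, as "B:<len>:<hex>:<DN>" / "S:<len>:<text>:<DN>"; return only the DN part.
    param([string]$Value)
    if ($Value -match '^[BS]:\d+:') { return ($Value -split ':', 4)[3] }
    return $Value
}

function Get-RodcPasswordReplicationState {
    param([string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
    # RODC computer accounts have the Read-only Domain Controllers group (RID 521) as primary group.
    $searcher.Filter = '(&(objectCategory=computer)(primaryGroupID=521))'
    $attributes = 'dNSHostName', 'msDS-Reveal-OnDemandGroup', 'msDS-NeverRevealGroup',
                  'msDS-RevealedList', 'msDS-AuthenticatedToAccountList'
    # Constructed attributes (RevealedList, AuthenticatedToAccountList) are computed only on request.
    foreach ($name in $attributes) { [void]$searcher.PropertiesToLoad.Add($name) }
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        New-Object PSObject -Property @{
            Rodc            = @($p['dnshostname'])[0]
            AllowedList     = @($p['msds-reveal-ondemandgroup'] | ForEach-Object { ConvertTo-Dn $_ })
            DeniedList      = @($p['msds-neverrevealgroup'] | ForEach-Object { ConvertTo-Dn $_ })
            # RevealedList has one entry per revealed secret attribute, so collapse repeats per account.
            CachedAccounts  = @($p['msds-revealedlist'] | ForEach-Object { ConvertTo-Dn $_ } | Select-Object -Unique)
            AuthenticatedTo = @($p['msds-authenticatedtoaccountlist'] | ForEach-Object { ConvertTo-Dn $_ })
        }
    }
}

# On 2008-01 after Exercise 3, Don Hall and Vista-01 are the accounts expected under "cached" for 2008-02.
Get-RodcPasswordReplicationState | ForEach-Object {
    "RODC {0}: {1} account(s) with secrets cached" -f $_.Rodc, $_.CachedAccounts.Count
    $_.CachedAccounts  | ForEach-Object { "  cached:            $_" }
    $_.AuthenticatedTo | ForEach-Object { "  authenticated via: $_" }
    $_.DeniedList      | ForEach-Object { "  never cached:      $_" }
}
```

The "cached" list is the set of accounts whose passwords must be reset when the RODC is lost; the dialog in Exercise 6 performs that reset for the same set.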


Lab 5: Server Core


During this lab, you will promote a Windows Server 2008 Server Core machine into the contoso.com domain. You will also learn how to perform basic administrative tasks from the command line.

Estimated time to complete this lab: 60 minutes

Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server

What You Will Learn
After completing this lab, you will be able to:
■ Configure IPv4 addresses with Netsh
■ Add a Server Role with ocsetup

Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-core-01
■ 2008-01
■ 2003-01

You must log on as an administrative user in order to perform some of the tasks in this lab.
■ Administrative username and password
  □ Username: Administrator
  □ Password: P@ssw0rd1

Exercise 1: Configure the IP Address with Netsh

Scenario
You have a fresh install of Windows Server 2008 Core. You are tasked with setting the IP address in a manner that is consistent with corporate guidelines.

Tasks
1. Use Netsh to configure TCP/IP properties.
   a. At the command prompt type netsh and press ENTER.
   b. Type interface and press ENTER.
   c. Type ipv4 and press ENTER.
   d. Type show interfaces and press ENTER to show the list of network adapters.
   e. Note that Idx is 2 for the Local Area Connection network adapter.
   f. Type the following to set the IP address, subnet mask and default gateway:
      set address "2" static 10.1.1.2 255.0.0.0
   g. Type the following to set the primary DNS server:
      add dnsserver "2" 10.1.1.4 1
   h. Type exit and press ENTER.
   i. Verify the IP configuration information: at the command prompt type the following and then press ENTER:
      ipconfig /all
2. Change the hostname to 2008-Core-01.
   a. At the command prompt type the following:
      netdom renamecomputer . /newname:2008-Core-01
   b. Enter Y to confirm and press ENTER.
   c. Reboot the machine by typing:
      shutdown /r

Exercise 2: Configure 2008-core-01 so that it can be controlled remotely

Scenario
2008-core-01 will be in a remote location. Make sure it will be possible to connect to the server using RDP.

1. Enable Remote Desktop.
   a. At the command prompt type the following and then press ENTER:
      cscript C:\Windows\System32\scregedit.wsf /ar 0
      Note: cscript C:\Windows\System32\scregedit.wsf /cli will show you several other options.
2. Connect to 2008-core-01 remotely.
   a. Log onto 2008-01 as contoso\administrator.
   b. Launch MSTSC.
   c. Type 2008-core-01 and click Connect.
   d. Right-click DNS; select Connect to DNS Server….
   e. Select The following computer:, enter 2008-core-01 and click OK.
   f. Verify RDP is now available on 2008-core-01.

Exercise 3: Add the Windows Server Backup Feature

Scenario
All servers need backup. Please add the Windows Server Backup feature to 2008-core-01. We will use this feature in a later lab.

1. Add the Windows Server Backup feature with OCsetup.
   a. At the command prompt type the following and then press ENTER:
      Start /w ocsetup WindowsServerBackup
   b. Once the process is completed, you will see the command prompt again.
   c. Confirm the feature is added by typing the following command:
      Oclist
   d. Confirm it shows "Installed" for WindowsServerBackup.

Exercise 4: Add the DNS Server Role with OCsetup

Scenario
In preparation for promotion to a Domain Controller, add the DNS Server role to 2008-core-01.

1. Add the DNS Server role with OCsetup.
   a. At the command prompt type the following and then press ENTER:
      Start /w ocsetup DNS-Server-Core-Role
      Note: Using the /w switch prevents the command prompt from returning until the installation completes. Without the /w switch there is no indication that the installation has completed.
   b. Once the process is completed, you will see the command prompt again.
   c. Confirm the role is added by typing the following:
      Oclist
   d. Confirm it shows "Installed" for DNS-Server-Core-Role.
2. Manage the DNS server role remotely.
   a. Log onto 2008-01 as contoso\administrator.
   b. Launch DNSMGMT.msc.
   c. Right-click DNS; select Connect to DNS Server….
   d. Select The following computer:, enter 2008-core-01 and click OK.

Exercise 5: Promote the Server Core box into the contoso.com domain using the answer file created in a previous lab

Scenario
You are testing the use of Server Core Domain Controllers in your enterprise. Please promote 2008-core-01 as a new Domain Controller in contoso.com using an unattend file (the unattend file was created in a previous lab).

1. Run Dcpromo with the answer file.
   a. Copy the unattended installation file created in lab 3 to 2008-core-01.
   b. Open the file in notepad.exe.
   c. Find the SafeModeAdminPassword field and set it to P@ssw0rd1.
   d. At the command prompt type the following and then press ENTER:
      dcpromo /unattend:2008-answer.txt
   e. It will check whether the Active Directory Domain Services binaries are installed. If not, it will install the Domain Services binaries and then start Active Directory Domain Services setup.
   f. When prompted, enter P@ssw0rd1 as the administrator password.
   g. Once the installation completes, it will restart the server.
   h. Log on as contoso\administrator after the reboot completes.
   i. At the command prompt type the following and then press ENTER. Notice that the firewall is enabled.
      Netsh firewall show state
   j. At the command prompt, type the following and then press ENTER:
      net share
   k. Confirm Sysvol and Netlogon are shared.


Lab 6: Directory Services Auditing Changes


During this lab, you will perform hands-on Windows Server 2008 auditing.

Estimated time to complete this lab: 60 minutes

Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of directory service auditing changes.

What You Will Learn
After completing this lab, you will be able to:
■ Enable and disable auditing
■ Understand the new auditing Event IDs

Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-01

You must log on as an administrative user in order to perform all of the tasks in this lab.
■ Administrative username and password
  □ Username: Administrator
  □ Password: P@ssw0rd1
  □ Domain: Contoso

Exercise 1: Review DS Auditing changes in Windows Server 2008

Scenario
You are an administrator of the Contoso domain and would like to view the changes to auditing in Windows Server 2008.

Tasks
1. Review the Audit Policy settings under Default Domain Policy.
   a. Log on to 2008-01 as Contoso\administrator.
   b. Launch Server Manager if it is not already open.
   c. Expand Features.
   d. Expand Group Policy Management.
   e. Expand Forest: Contoso.com.
   f. Expand Domains.
   g. Expand Contoso.com.
   h. Expand Group Policy Objects.
   i. Select Default Domain Policy.
   j. Right-click it and select Edit...
   k. In Group Policy Management Editor, select Audit Policy under Computer Configuration, Windows Settings, Security Settings, Local Policies.
   l. Review the audit policies and policy settings in the details pane.
   m. Close Group Policy Management Editor.
2. Review the Audit Policy settings under Default Domain Controllers Policy. Ensure the policy setting for the directory service access audit policy is set to Success.
   a. Select Default Domain Controllers Policy under Group Policy Objects in Server Manager.
   b. Right-click it and select Edit...
   c. In Group Policy Management Editor, select Audit Policy under Computer Configuration, Windows Settings, Security Settings, Local Policies.
   d. Review the audit policies and policy settings in the details pane.
   e. Confirm the Policy Setting for Audit directory service access is set to Success.
   f. Close Group Policy Management Editor.
3. View the subcategories of DS Access via auditpol and ensure that Directory Service Changes is set to Success.
   a. Launch a command prompt.
      1) Click Start, type cmd and press ENTER.
   b. Type Auditpol /clear
   c. Type Auditpol /set /category:"DS Access"
   d. Type Auditpol /get /category:"DS Access"
   e. List the subcategories and the setting for each subcategory:
      _____________________________________________________________________________________
   f. Confirm Directory Service Changes is set to Success.
   g. Close the command prompt.

Exercise 2: DS Auditing Creation, Modification and Moving of AD Objects Scenario You are an administrator of Contoso domain and would like to audit creation and modification and moving of AD objects.

©2008 Microsoft Corporation

Microsoft Confidential

3

Tasks 1. Ensure audit policy is enabled (completed in exercise 1) 2. Create an OU called AuditTest and set up auditing on the OU created a. Launch Server Manager if it is not already open. b. Expand Server Manager c. Expand Roles d. Expand Active Directory Domain Services e. Expand Active Directory Users and Computers f. Select Contoso.com g. Right click it and select New, Organizational Unit h. Type AuditTest in the Name of New Object and click on OK i.

Right click AuditTest in Contoso.com and click Properties

j.

Confirm Advanced Features are enabled in the View menu in order for you to view the Security tab.

k. Select Security tab, click on Advanced and select the Auditing tab. l.

Click on Add

m. Under Enter the object name to select, type Authenticated Users and then click OK. n. In Apply onto, confirm This object and all descendant objects is selected. o. Under Access, select the Successful check box for Write all properties, Create all child objects and Delete all child objects. It will check successful audit for several other accesses. p. Click on OK until you exit the property sheet for the OU or other object. 3. Create a user called AuditTest1 in OU AuditTest a. Right click OU AuditTest, select New, User b. Type AuditTest1 in First name and User logon name ©2008 Microsoft Corporation

Microsoft Confidential

4

c. Click on Next d. Type P@ssw0rd1 in Password and confirm password. e. Click on Next and then Finish 4. View security logs to review audit event generated a. In Server Manager, Expand Diagnostics and then Event Viewer b. Expand Windows Logs c. Select Security log d. The log shows Directory Service Changes event 5137 indicating creation of new directory service object: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 8/1/2007 11:50:48 AM Event ID: 5137 Task Category: Directory Service Changes Level: Information Keywords: Audit Success User: N/A Computer: 2008-01.Contoso.com Description: A directory service object was created. Subject: Security ID: CONTOSO\Administrator Account Name: Administrator Account Domain: CONTOSO Logon ID: 0x18b1d Directory Service: Name: Contoso.com Type: Active Directory Domain Services Object: DN: cn=AuditTest1,ou=AuditTest,DC=Contoso,DC=com GUID: CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com Class: user Operation: Correlation ID: {57586991-b6fd-49e8-b52b-6cdb19067268} Application Correlation ID: -

5. Rename the user’s First Name to Test1000
   a. Switch back to Active Directory Users and Computers in Server Manager
   b. Select the user AuditTest1
   c. Right click it and select Properties
   d. Change First name to Test1000
   e. Click OK

6. Review the Security log to view the audit events generated
   a. In Server Manager, expand Diagnostics and then Event Viewer
   b. Expand Windows Logs
   c. Select the Security log
   d. The log shows two Directory Service Changes events 5136. The first shows Operation Type: Value Deleted for givenName with the value AuditTest1, and the second shows Operation Type: Value Added for givenName with the value Test1000.

      Log Name:      Security
      Source:        Microsoft-Windows-Security-Auditing
      Date:          8/1/2007 2:04:51 PM
      Event ID:      5136
      Task Category: Directory Service Changes
      Level:         Information
      Keywords:      Audit Success
      User:          N/A
      Computer:      2008-01.Contoso.com
      Description:
      A directory service object was modified.

      Subject:
         Security ID:    CONTOSO\Administrator
         Account Name:   Administrator
         Account Domain: CONTOSO
         Logon ID:       0x18b1d

      Directory Service:
         Name: Contoso.com
         Type: Active Directory Domain Services

      Object:
         DN:    CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
         GUID:  CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
         Class: user

      Attribute:
         LDAP Display Name: givenName
         Syntax (OID):      2.5.5.12
         Value:             AuditTest1

      Operation:
         Type:                       Value Deleted
         Correlation ID:             {b87e4c30-c6cd-44cf-947b-09ee52dd25e9}
         Application Correlation ID: -

      Log Name:      Security
      Source:        Microsoft-Windows-Security-Auditing
      Date:          8/1/2007 2:04:51 PM
      Event ID:      5136
      Task Category: Directory Service Changes
      Level:         Information
      Keywords:      Audit Success
      User:          N/A
      Computer:      2008-01.Contoso.com
      Description:
      A directory service object was modified.

      Subject:
         Security ID:    CONTOSO\Administrator
         Account Name:   Administrator
         Account Domain: CONTOSO
         Logon ID:       0x18b1d

      Directory Service:
         Name: Contoso.com
         Type: Active Directory Domain Services

      Object:
         DN:    CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
         GUID:  CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
         Class: user

      Attribute:
         LDAP Display Name: givenName
         Syntax (OID):      2.5.5.12
         Value:             Test1000

      Operation:
         Type:                       Value Added
         Correlation ID:             {b87e4c30-c6cd-44cf-947b-09ee52dd25e9}
         Application Correlation ID: -

7. Create a new user in the Users container called AuditTest2
   a. Switch back to Active Directory Users and Computers in Server Manager
   b. Select the Users container under Contoso.com
   c. Right click the Users container and select New, User
   d. Type AuditTest2 in First name and User logon name
   e. Click Next
   f. Type P@ssw0rd1 in Password and Confirm password
   g. Click Next
   h. Click Finish

8. Move AuditTest2 into the AuditTest OU
   a. Select the newly created user account AuditTest2
   b. Right click it and select Move...
   c. Select the OU AuditTest when prompted to select a container to move the object into
   d. Click OK
   e. Select the AuditTest OU and confirm that the user object has been moved

9. Review the Security log to view the audit event generated
   a. In Server Manager, expand Diagnostics and then Event Viewer
   b. Expand Windows Logs
   c. Select the Security log
   d. The log shows Directory Service Changes event 5139, indicating a successful move. Note that the event shows Old DN and New DN, the original and new location of the object.

      Log Name:      Security
      Source:        Microsoft-Windows-Security-Auditing
      Date:          8/1/2007 2:28:02 PM
      Event ID:      5139
      Task Category: Directory Service Changes
      Level:         Information
      Keywords:      Audit Success
      User:          N/A
      Computer:      2008-01.Contoso.com
      Description:
      A directory service object was moved.

      Subject:
         Security ID:    CONTOSO\Administrator
         Account Name:   Administrator
         Account Domain: CONTOSO
         Logon ID:       0x18b1d

      Directory Service:
         Name: Contoso.com
         Type: Active Directory Domain Services

      Object:
         Old DN: CN=AuditTest2,CN=Users,DC=Contoso,DC=com
         New DN: CN=AuditTest2,OU=AuditTest,DC=Contoso,DC=com
         GUID:   CN=AuditTest2,OU=AuditTest,DC=Contoso,DC=com
         Class:  user

      Operation:
         Correlation ID:             {2fe1228d-d0a4-45d1-bdfc-48d64d7802be}
         Application Correlation ID: -
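Events 5136, 5137 and 5139 become much easier to act on once the Value Deleted / Value Added pairs are joined back together. The following Python script is an added example written for this manual, not part of the original lab: it parses the text form of the events shown above (constructed, trimmed copies are embedded) and rebuilds one record per audited operation, pairing the two 5136 events of a rename by their Correlation ID.

```python
"""Correlate Directory Service Changes audit events (5136, 5137, 5139).

Added example for this lab; not part of the original manual. A renamed
attribute is logged as two 5136 events (Value Deleted, then Value Added)
that share a Correlation ID, so those are merged into one old -> new change.
The sample events are constructed from the lab output, trimmed to the lines
the parser reads.
"""
import re

# Field patterns are anchored at line start so that "Type: Active Directory
# Domain Services" and "Application Correlation ID" never match the wrong key.
FIELDS = {
    "event_id":    r"^Event ID:\s*(\d+)",
    "account":     r"^\s*Account Name:\s*(\S+)",
    "dn":          r"^\s*DN:\s*(.+?)\s*$",
    "old_dn":      r"^\s*Old DN:\s*(.+?)\s*$",
    "new_dn":      r"^\s*New DN:\s*(.+?)\s*$",
    "attribute":   r"^\s*LDAP Display Name:\s*(\S+)",
    "value":       r"^\s*Value:\s*(.+?)\s*$",
    "op_type":     r"^\s*Type:\s*Value (Deleted|Added)",
    "correlation": r"^\s*Correlation ID:\s*(\{[0-9a-fA-F-]+\})",
}

# Constructed sample events in the order this lab produces them:
# create (5137), rename as two 5136s, move (5139).
SAMPLE_EVENTS = [
    """Event ID: 5137
   Account Name: Administrator
   DN: cn=AuditTest1,ou=AuditTest,DC=Contoso,DC=com
   Correlation ID: {57586991-b6fd-49e8-b52b-6cdb19067268}""",
    """Event ID: 5136
   Account Name: Administrator
   DN: CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
   LDAP Display Name: givenName
   Value: AuditTest1
   Type: Value Deleted
   Correlation ID: {b87e4c30-c6cd-44cf-947b-09ee52dd25e9}""",
    """Event ID: 5136
   Account Name: Administrator
   DN: CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
   LDAP Display Name: givenName
   Value: Test1000
   Type: Value Added
   Correlation ID: {b87e4c30-c6cd-44cf-947b-09ee52dd25e9}""",
    """Event ID: 5139
   Account Name: Administrator
   Old DN: CN=AuditTest2,CN=Users,DC=Contoso,DC=com
   New DN: CN=AuditTest2,OU=AuditTest,DC=Contoso,DC=com
   Correlation ID: {2fe1228d-d0a4-45d1-bdfc-48d64d7802be}""",
]


def parse_event(text):
    """Extract the fields above from one event's text into a dict."""
    event = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match:
            event[key] = match.group(1)
    event["event_id"] = int(event.get("event_id", 0))
    return event


def summarize(event_texts):
    """Turn event texts (in log order) into one record per directory operation."""
    changes = []   # finished records, in log order
    pending = {}   # (correlation id, attribute) -> 5136 record still being built
    for text in event_texts:
        ev = parse_event(text)
        if ev["event_id"] == 5137:
            changes.append({"op": "create", "dn": ev["dn"], "by": ev["account"]})
        elif ev["event_id"] == 5139:
            changes.append({"op": "move", "old_dn": ev["old_dn"],
                            "new_dn": ev["new_dn"], "by": ev["account"]})
        elif ev["event_id"] == 5136:
            key = (ev["correlation"], ev["attribute"])
            record = pending.get(key)
            if record is None:
                record = {"op": "modify", "dn": ev["dn"], "attribute": ev["attribute"],
                          "old": None, "new": None, "by": ev["account"]}
                pending[key] = record
                changes.append(record)
            # Each 5136 carries one value; the Deleted/Added pair gives old and new.
            record["old" if ev["op_type"] == "Deleted" else "new"] = ev["value"]
    return changes


def describe(change):
    """One-line, human-readable form of a summarize() record."""
    if change["op"] == "create":
        return f"{change['by']} created {change['dn']}"
    if change["op"] == "move":
        return f"{change['by']} moved {change['old_dn']} to {change['new_dn']}"
    return (f"{change['by']} changed {change['attribute']} on {change['dn']}: "
            f"{change['old']!r} -> {change['new']!r}")


if __name__ == "__main__":
    for change in summarize(SAMPLE_EVENTS):
        print(describe(change))
```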

Lab 7

Lab 7: DFSR and SYSVOL Migration

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. These materials are intended for distribution to and use only by Microsoft Premier Customers. Use or distribution of these materials by any other persons is prohibited without the express written permission of Microsoft Corporation. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

©2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Version 1.0

During this lab, you will migrate SYSVOL from FRS to DFSR as the replication engine.
Estimated time to complete this lab: 60 minutes

Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server

What You Will Learn
After completing this lab, you will be able to:
■ Understand migration of SYSVOL from FRS to DFSR in a Windows Server 2008 domain

Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-01
■ 2008-02
■ 2008-Core-01

You must log on as an administrative user in order to perform all of the tasks in this lab.
■ Administrative username and password
  □ Username: Administrator
  □ Password: P@ssw0rd1
  □ Domain: Contoso

Exercise 1: Migrate SYSVOL from using NTFRS to DFSR

Scenario
You are the administrator of the Contoso.com domain. You understand that in your current environment SYSVOL is using NTFRS as its replication engine. However, you have read that DFSR provides substantial improvements over FRS and several key new features. Therefore, you wish to perform a DFSR migration, and you are ready to demote any domain controller that is not running Windows Server 2008 in order to perform this migration.

Tasks
1. Transfer all FSMO roles from 2003-01 to 2008-01 and demote 2003-01. Note: Dcpromo will try to transfer the roles automatically if this has not been done before.
   a. Transfer all the FSMO roles to 2008-01
      1. Log on to 2008-01 as Contoso\administrator
      2. Launch a Command Prompt
      3. Type ntdsutil and then press ENTER
      4. Type Roles and then press ENTER
      5. Type Connections and then press ENTER
      6. Type Connect to Server 2008-01 and then press ENTER
      7. Type Quit and then press ENTER
      8. Type Transfer PDC and then press ENTER
      9. It will prompt you to confirm that you want to transfer the role to 2008-01
      10. Click Yes
      11. Transfer the rest of the roles by typing:
          Transfer Schema Master
          Transfer naming master
          Transfer infrastructure master
          Transfer RID master
      12. Type quit and press ENTER
      13. Type quit and press ENTER
      14. At the command prompt, type netdom query fsmo and then press ENTER
      15. Confirm 2008-01 holds all the FSMO roles
      16. Close the command prompt
   b. Demote 2003-01 back to a member server.
      1. While logged on to 2003-01 as Contoso\Administrator
      2. Start | Run and type DCPROMO
      3. Remove Active Directory from 2003-01
      4. Reboot
      5. Make sure 2003-01 is no longer referred to as a DNS server in the TCP/IP properties of any domain member.

2. Raise the Contoso.com Domain Functional Level to Windows Server 2008.
   a. While logged on to 2008-01 as Contoso\Administrator, run DSA.msc.
   b. Right click the domain and select Raise Domain Functional Level.
   c. Raise the domain functional level to Windows Server 2008.
   d. Stay logged on to 2008-01 as Contoso\Administrator.

3. Verify that your SYSVOL is currently healthy and replicating
   a. Log on to the Schema Master, 2008-01, as Contoso\administrator.
   b. Open a command prompt.
   c. At the command prompt, type the following and then press ENTER:
      net share
   d. Confirm SYSVOL and NETLOGON are shared and are pointing to C:\Windows\SYSVOL\Sysvol
   e. Close the command prompt
   f. Launch Adsiedit.msc
   g. Connect to Default naming context
   h. Expand OU=Domain Controllers,DC=Contoso,DC=com
   i. Expand each of the Domain Controllers and select CN=NTFRS Subscriptions
   j. Confirm that the right pane shows an NTFRS Subscriber object called CN=Domain System Volume (SYSVOL share)
   k. Expand CN=File Replication Service,CN=System,DC=Contoso,DC=Com
   l. Select CN=Domain System Volume (SYSVOL share)
   m. Confirm the right pane contains NTFRS member objects for all the Domain Controllers. The NTFRS member object name is the same as the domain controller name.
   n. Close Adsiedit.msc
   o. Click Start, Programs, Administrative Tools and Event Viewer.
   p. Check the File Replication Service log and confirm that no errors or warnings are reported for Sysvol.

4. Back up the data in the Sysvol folder.
   a. It is recommended to take a backup of the data in the SYSVOL folder before beginning the process of migrating from FRS to DFS Replication.
   b. On 2008-01, copy the C:\Windows\SYSVOL\domain folder to the Desktop
      1. At the command prompt, run:
         xcopy /x /e /h /r C:\Windows\SYSVOL\domain %userprofile%\desktop
   c. Confirm that the Policies and Scripts folders are copied correctly.

5. Verify that the DFS Replication service is installed and is set to Automatic start
   a. On 2008-01, launch Server Manager if it is not already open. Click Start, Administrative Tools, and then Server Manager
   b. Expand Configuration and select Services
   c. Confirm the DFS Replication service is started and its Startup Type is set to Automatic
   d. If the service is not installed:
      1. Expand Roles in the left pane and select File Services
      2. Right click File Services and select Add Role Services
      3. This launches the Add Role Services wizard
      4. Expand Windows Server 2003 File Services and select File Replication Service
      5. Click Install
      6. Once the process completes, it displays a message confirming that File Replication Service was installed successfully.
      7. Select File Services in the left pane.
      8. Review the details pane.
      9. The DFS Replication service is now listed under System Services.
      10. Status shows Running and Startup Type is Auto.

6. Run the DfsrMig tool on the PDC to create the DFSR-GlobalSettings object
   a. On 2008-01, launch a command prompt
   b. Type DfsrMig /CreateGlobalObjects and then press ENTER
   c. It will report the following:
      Current DFSR global state: Start
      Succeeded.

   d. DfsrMig performs the following actions:
      1. Creates the ReplicationGroup, Content, ContentSet, and Topology objects.
      2. The msDFSR-GlobalSettings object is created under the System container.
         a) Launch Adsiedit.msc or LDP
         b) Connect to Default naming context
         c) Expand DC=Contoso,DC=Com
         d) Select CN=System
         e) Notice in the details pane that the CN=DFSR-GlobalSettings object of class msDFSR-GlobalSettings has been created under CN=System.
      3. The msDFSR-ReplicationGroup object is created under msDFSR-GlobalSettings, with msDFSR-ReplicationGroupType set to a value of 1.
         a) Expand CN=System and select CN=DFSR-GlobalSettings
         b) Notice in the details pane that the CN=Domain System Volume object of class msDFSR-ReplicationGroup has been created under CN=DFSR-GlobalSettings
         c) Right click CN=Domain System Volume and select Properties
         d) Under Attributes, select msDFSR-ReplicationGroupType
         e) Confirm the value is set to 1
         f) Click Cancel
      4. The msDFSR-Content and msDFSR-Topology objects are created under the msDFSR-ReplicationGroup object.
         a) Expand CN=DFSR-GlobalSettings in the left pane.
         b) Select CN=Domain System Volume.
         c) Notice that the CN=Content and CN=Topology objects have been created.
      5. The msDFSR-ContentSet object is created under the msDFSR-Content object.
         a) Expand CN=Domain System Volume in the left pane and select CN=Content.
         b) Notice in the details pane that the CN=SYSVOL Share object of class msDFSR-ContentSet has been created.
      6. For NTFRS compatibility, the content set is set to filter out the DO_NOT_REMOVE_NtFrs_PreInstall_Directory and NtFrs_PreExisting___See_EventLog folders.
         a) Right click CN=SYSVOL Share and select Properties.
         b) From the list of attributes, select msDFSR-DirectoryFilter.
         c) Confirm the value is set to DO_NOT_REMOVE_NtFrs_PreInstall_Directory, NtFrs_PreExisting___See_EventLog.
         d) Click Cancel.
      7. Creates member objects for each existing RODC.
         a) Select CN=Topology in the left pane
         b) Notice in the details pane that the CN=2008-02 object of class msDFSR-Member has been created.
         c) Close Adsiedit.msc.
      8. Sets GlobalState to 0.
   e. Launch a command prompt
   f. Type DfsrMig /GetGlobalState and then press ENTER
      1. It will report the following:
         Current DFSR global state: ‘Start’
         Succeeded.

7. Run DfsrMig.exe on the PDC to enter the Prepared phase
   a. Launch a command prompt
   b. Type DFSRMig /SetGlobalState 1 and then press ENTER
      1. It will report:
         Current DFSR global state: Start
         New DFSR global state: ‘Prepared’
         Migration will proceed to ‘Prepared’ state. DFSR service will copy the contents of SYSVOL to SYSVOL_DFSR folder.
         If any DC is unable to start migration then try manual polling.
         OR Run with option /CreateGlobalObjects.
         Migration can start anytime between 15 min to 1 hour.
         Succeeded.
   c. DfsrMig performs the following actions:

      1. Creates SYSVOL_DFSR and its immediate subfolders, copying the ACLs from the original SYSVOL.
         a) Launch Windows Explorer.
         b) Confirm the SYSVOL_DFSR folder has been created under %SystemRoot%.
         c) Confirm the ACLs are identical for the Policies and Scripts folders under %SystemRoot%\SYSVOL\Domain and %SystemRoot%\SYSVOL_DFSR\Domain
      2. ROBOCOPY copies SYSVOL\domain to SYSVOL_DFSR\domain.
         a) Confirm the contents of %SystemRoot%\SYSVOL_DFSR\Domain are the same as the contents of %SystemRoot%\SYSVOL\Domain.
      3. The output of ROBOCOPY is saved in %SystemRoot%\Debug\SYSVOl_DFSR-RoboCopy.txt.
         a) Review the file %SystemRoot%\Debug\SYSVOl_DFSR-RoboCopy.txt.
      4. Creates the SYSVOL junction.
         a) Launch a command prompt
         b) Type the following command and then press ENTER:
            cd %SystemRoot%\SYSVOL_DFSR\Sysvol
         c) Type Dir /a and then press ENTER
         d) Confirm a junction Contoso.com has been created for %SystemRoot%\SYSVOL_DFSR\domain.
         e) Close the command prompt
      5. The msDFSR-Member object under the msDFSR-Topology object is populated with the msDFSR-ComputerReference, ServerReference, and ServerReferenceBL attribute values.
         a) Launch Adsiedit.msc.
         b) Connect to Default naming context.
         c) Expand CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=Contoso,DC=com.
         d) Select CN=Topology.
         e) The details pane shows the CN=2008-02 object of class msDFSR-Member.
         f) Right click 2008-02 and select Properties.
         g) Review the attributes msDFSR-ComputerReference, ServerReference, and ServerReferenceBL. To see the ServerReferenceBL value you must enable Backlink values:
            (1) Click Filter, then click Backlinks
         h) Click Cancel
      6. The msDFSR-LocalSettings object under OU=Domain Controllers is created.
         a) Expand OU=Domain Controllers under DC=Contoso,DC=com.
         b) Expand CN=2008-01.
         c) Notice the CN=DFSR-LocalSettings object has been created under CN=2008-01.
      7. The msDFSR-Subscriber object under the msDFSR-LocalSettings object is populated with the msDFSR-MemberReference and msDFSR-ReplicationGroupGuid attribute values.
         a) Select CN=DFSR-LocalSettings.
         b) The details pane shows the CN=Domain System Volume object of class msDFSR-Subscriber.
         c) Right click CN=Domain System Volume and select Properties.
         d) Review the attributes msDFSR-MemberReference and msDFSR-ReplicationGroupGuid.
         e) Click Cancel.
      8. The msDFSR-Subscription object under the msDFSR-Subscriber object is populated with the msDFSR-RootPath, msDFSR-StagingPath, msDFSR-ReplicationGroupGuid, msDFSR-ContentSetGuid, msDFSR-ReadOnly, and msDFSR-Options attribute values.
         a) Select CN=Domain System Volume in the left pane.
         b) The details pane shows the CN=SYSVOL Subscription object of class msDFSR-Subscription.
         c) Right click CN=SYSVOL Subscription and select Properties.
         d) Review the attributes msDFSR-RootPath, msDFSR-StagingPath, msDFSR-ReplicationGroupGuid, msDFSR-ContentSetGuid, msDFSR-ReadOnly, and msDFSR-Options.
         e) Click Cancel.
         f) Close Adsiedit.msc.
      9. Creates and populates this key in the registry: HKLM\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols.
         a) Launch regedit.
         b) Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols
         c) Confirm the value of Local State is set to 1.
         d) Close Registry Editor.
   d. Confirm the global state is now set to Prepared.
      1. Launch a command prompt
      2. Type DfsrMig /GetGlobalState and then press ENTER
      3. It will report:
         Current DFSR global state: ‘Prepared’
         Succeeded.
   e. Confirm all Domain Controllers are synchronized with the Global State (Prepared). It is highly recommended not to initiate migration to the REDIRECTED state until this is done.
      1. At the command prompt, type DfsrMig /GetMigrationState and then press ENTER
      2. It will list the Domain Controllers that are not in sync with the Global State. Example:
      3. If any of the Domain Controllers are listed there, then force Active Directory replication using the following commands:
         Repadmin /syncall 2008-01 /AdeP
         Repadmin /syncall 2008-02 /Ade
      4. Check for success with:
         repadmin /showattr * "CN=DFSR-GlobalSettings,CN=System,DC=contoso,DC=com" /atts:msDFSR-Flags
      5. Manually poll Active Directory on a Domain Controller using:
         DfsrDiag PollAD
         OR remotely from any other Domain Controller using:
         DfsrDiag PollAD /Member:

8. Run DfsrMig.exe on the PDC to enter the Redirected phase
   a. Launch a command prompt
   b. Type DFSRMig /SetGlobalState 2 and then press ENTER
   c. It will report:
      Current DFSR global state: ‘Prepared’
      New DFSR global state: ‘Redirected’
      Migration will proceed to ‘Redirected’ state. The SYSVOL share will be changed to SYSVOL_DFSR folder.
      If any changes have been made to the SYSVOL share during the state transition from ‘Prepared’ to ‘Redirected’ please robocopy the changes from SYSVOL to SYSVOL_DFSR on any replicated RWDC.
      Succeeded.
   d. Verify that the DFS Replication global migration state is set to REDIRECTED
      1. Launch a command prompt if it is not already open.
      2. Type DfsrMig /GetGlobalState and then press ENTER
      3. It will report:
         Current DFSR global state: Redirected
         Succeeded.
   e. Verify that the SYSVOL and NETLOGON shares are now pointing to paths under SYSVOL_DFSR.
      1. At the command prompt, type net share and then press ENTER
      2. Confirm the SYSVOL and NETLOGON shares are pointing to paths under SYSVOL_DFSR.
   f. Confirm all Domain Controllers are in sync with the global state, that is, in the REDIRECTED state. It is recommended not to initiate migration to the ELIMINATED state until this is done.
      1. At the command prompt, type DfsrMig /GetMigrationState and then press ENTER
      2. It will list the Domain Controllers that are not in sync with the Global State.
      3. If any of the Domain Controllers are listed there, then force Active Directory replication using the following command:
         Repadmin /syncall /AeD
         Manually poll Active Directory on a Domain Controller using:
         DfsrDiag PollAD
         OR remotely from any other Domain Controller using:
         DfsrDiag PollAD /Member:

9. Run DfsrMig.exe on the PDC to enter the Eliminated phase
   a. Launch a command prompt
   b. Type DFSRMig /SetGlobalState 3 and then press ENTER
   c. It will report:
      Current DFSR global state: ‘Redirected’
      New DFSR global state: ‘Eliminated’
      Migration will proceed to ‘Eliminated’ state. It is not possible to revert this step.
      If any RODC is stuck in the ‘Eliminating’ state for too long then run with option /DeleteRoNtfrsMembers.
      Succeeded.
   d. Verify that the DFS Replication global migration state is set to ELIMINATED.
      1. Type DfsrMig /GetGlobalState and then press ENTER
      2. It will report:
         Current DFSR global state: Eliminated
         Succeeded.
   e. Confirm all Domain Controllers are in sync with the global state, that is, in the ELIMINATED state.
      1. At the command prompt, type DfsrMig /GetMigrationState and then press ENTER
      2. It will list the Domain Controllers that are not in sync with the Global State.
      3. If any of the Domain Controllers are listed there, then force Active Directory replication using the following command:
         Repadmin /syncall /Ade
         Manually poll Active Directory on a Domain Controller using:
         DfsrDiag PollAD
         OR remotely from any other Domain Controller using:
         DfsrDiag PollAD /Member:
   f. DfsrMig performs the following actions:
      1. Deletes the NTFRS SYSVOL Active Directory configuration objects.
         a) Launch Adsiedit.msc and connect to Default naming context.
         b) Expand CN=DFSR-LocalSettings,CN=2008-01,OU=Domain Controllers,DC=Contoso,DC=com.
         c) Select CN=Domain System Volume.
         d) The details pane shows the CN=SYSVOL Subscription object of class msDFSR-Subscription.
         e) Confirm there is no longer a CN=NTFRS Subscriptions object for SYSVOL under CN=2008-01.
         f) Expand CN=File Replication Service,CN=System.
         g) Select CN=Domain System Volume (SYSVOL share).
         h) Confirm it does not have any nTFRSMember objects.
         i) Close Adsiedit.msc.
      2. Deletes the content under the SYSVOL folder.
         a) Start Windows Explorer.
         b) Navigate to %SystemRoot%.
         c) Confirm there are no Policies or Scripts folders inside the SYSVOL folder.
         d) Close Windows Explorer.
   g. Verify that the SYSVOL and NETLOGON shares are pointing to paths under SYSVOL_DFSR.
      1. Launch a command prompt.
      2. Type net share and then press ENTER.
      3. Confirm the NETLOGON and SYSVOL shares point to %SystemRoot%\SYSVOL_DFSR.
      4. Close the command prompt.
      5. Start Regedit and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
      6. Confirm the value of SysVol is %SystemRoot%\SYSVOL_DFSR\Sysvol.
      7. Close regedit.exe.

10. Review the DFS Replication event log for DFSR SYSVOL migration events.
   a. Click Start, Programs, Administrative Tools and Event Viewer.
   b. Check the DFS Replication log and examine the SYSVOL migration events.
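Steps 3d, 8e and 9g all check the same three places by eye: the SYSVOL share, the NETLOGON share and the Netlogon SysVol registry value. The Python script below is an added example, not part of the original lab: it parses saved `net share` output together with that registry value (constructed samples are embedded, matching the paths the lab shows) and reports whether a domain controller is still on the FRS SYSVOL tree, on SYSVOL_DFSR, or inconsistent between the three, so the check can be repeated on every DC before moving to the next migration state.

```python
"""Check which replication tree the SYSVOL and NETLOGON shares point at.

Added example for this lab; not part of the original manual. The sample
outputs are constructed to match the paths the lab shows: C:\\Windows\\SYSVOL
before the migration and SYSVOL_DFSR once the global state is REDIRECTED.
"""
import re

# A share line: name, two or more spaces, then a local path. Lines whose
# second column is only a remark (IPC$) or a wrapped remark are skipped.
SHARE_LINE = re.compile(r"^(?P<name>\S+)\s{2,}(?P<path>[A-Za-z]:\\\S*)")

# Constructed `net share` output from 2008-01 before the migration (step 3d).
NET_SHARE_FRS = r"""
Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\Contoso.com\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
The command completed successfully.
"""

# Constructed output from the same DC after the REDIRECTED step (step 8e).
NET_SHARE_DFSR = NET_SHARE_FRS.replace("C:\\Windows\\SYSVOL\\", "C:\\Windows\\SYSVOL_DFSR\\")

# The Netlogon SysVol registry value before and after (step 9g, item 6).
NETLOGON_SYSVOL_FRS = "%SystemRoot%\\SYSVOL\\Sysvol"
NETLOGON_SYSVOL_DFSR = "%SystemRoot%\\SYSVOL_DFSR\\Sysvol"


def parse_net_share(output):
    """Return {SHARE NAME: local path} for every share that exposes a local path."""
    shares = {}
    for line in output.splitlines():
        match = SHARE_LINE.match(line)
        if match:
            shares[match.group("name").upper()] = match.group("path")
    return shares


def replication_root(path):
    """Classify a path as under the FRS tree (SYSVOL) or the DFSR tree (SYSVOL_DFSR)."""
    upper = path.upper()
    # Test the DFSR name first: "...\SYSVOL_DFSR\SYSVOL\..." also contains "\SYSVOL\".
    if "\\SYSVOL_DFSR\\" in upper:
        return "DFSR"
    if "\\SYSVOL\\" in upper:
        return "FRS"
    return "unknown"


def sysvol_state(net_share_output, netlogon_sysvol_value):
    """Combine both shares and the registry value into one verdict for a DC.

    Returns "FRS" (before REDIRECTED), "DFSR" (REDIRECTED or later), or
    "inconsistent" when a share is missing or the three locations disagree,
    in which case the DC has not completed the transition and should be
    looked at before the global state is advanced.
    """
    shares = parse_net_share(net_share_output)
    roots = {name: replication_root(shares[name])
             for name in ("SYSVOL", "NETLOGON") if name in shares}
    if len(roots) < 2:
        return "inconsistent"
    roots["registry"] = replication_root(netlogon_sysvol_value)
    distinct = set(roots.values())
    if len(distinct) == 1 and "unknown" not in distinct:
        return distinct.pop()
    return "inconsistent"


if __name__ == "__main__":
    print("before:", sysvol_state(NET_SHARE_FRS, NETLOGON_SYSVOL_FRS))
    print("after: ", sysvol_state(NET_SHARE_DFSR, NETLOGON_SYSVOL_DFSR))
    print("mixed: ", sysvol_state(NET_SHARE_DFSR, NETLOGON_SYSVOL_FRS))
```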

Lab 8

Lab 8: Fine Grained Password Policy

Version 1.0

During this lab, you will learn about Group Policy changes and FGPP.
Estimated time to complete this lab: 75 minutes

Before You Begin
Before starting this lab, you should:
■ Have an understanding of FGPP

Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-01
■ 2003-DC1

You must log on as an administrative user in order to perform all of the tasks in this lab.
■ Administrative username and password
  □ Username: Administrator
  □ Password: P@ssw0rd1
  □ Domain: Contoso

Exercise 1: Create a New Password Settings Object (PSO)

Scenario
You are the administrator of the Contoso.com domain. You have been asked to set up a password policy for the users in the Managers group with a minimum password length of 10 characters.

Tasks
1. On 2008-01, verify the domain functional level is set to Windows Server 2008.
   a. Log on to 2008-01 as Contoso\administrator
   b. Launch Server Manager if it is not already open. Click Start, Administrative Tools, and then Server Manager
   c. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | Contoso.com.
   d. Right click Contoso.com and select Raise domain functional level...
   e. Confirm the Current domain functional level is set to Windows Server 2008
   f. Click Close

2. Create a new Password Settings Object, name it Managers, and specify a minimum password length of 10 characters.
   a. Click Start, Run, type Adsiedit.msc and click OK.
   b. Connect to Default naming context.
   c. Expand CN=System,DC=Contoso,DC=com
   d. Right click CN=Password Settings and select New, Object...
   e. This launches the Create Object wizard.
   f. Confirm the msDS-PasswordSettings class is selected and click Next.
   g. For each attribute, type the corresponding value from the following list and click Next (times are entered in d:hh:mm:ss format):

      Attribute                                   Value
      cn                                          Managers
      msDS-PasswordSettingsPrecedence             10
      msDS-PasswordReversibleEncryptionEnabled    FALSE
      msDS-PasswordHistoryLength                  24
      msDS-PasswordComplexityEnabled              TRUE
      msDS-MinimumPasswordLength                  10
      msDS-MinimumPasswordAge                     0
      msDS-MaximumPasswordAge                     20:00:00:00 (20 days)
      msDS-LockoutThreshold                       0
      msDS-LockoutObservationWindow               0:00:30:00 (30 minutes)
      msDS-LockoutDuration                        0:00:30:00 (30 minutes)

   h. Click Finish to complete the creation of this object.

3. Apply the PSO to the Managers group
   a. In the CN=Password Settings container, right click the CN=Managers object in the details pane and select Properties.
   b. Select the msDS-PSOAppliesTo attribute from the list of attributes.
   c. Click Edit.
   d. Click Add Windows Account…
   e. Type Managers in the Select Users, Computers, or Groups dialog and click OK.
   f. Click OK in the Multi-valued Distinguished Name with Security Principal Editor dialog box.
   g. Confirm the correct value is set for the msDS-PSOAppliesTo attribute.
   h. Click OK.
   i. Close Adsiedit.msc.

4. Test the password policy by resetting the password of Lisa Miller, a member of the Managers group, to seven characters from Active Directory Users and Computers. It should fail. Then test it by setting a password of 10 or more characters.
   a. Launch Server Manager if it is not already open. Click Start, Administrative Tools, and then Server Manager
   b. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | Contoso.com.
   c. Select Lisa Miller in the Training Organizational Unit.
   d. Right click the Lisa Miller account and select Properties. Click the Member Of tab and verify Lisa Miller is a member of the Managers group. Click OK to close the user properties.
   e. Right click the user account and select “Reset Password…”
   f. Type a password with seven characters.
   g. It will report an error informing you that Windows cannot complete the password change because the password does not meet the password policy requirements.
   h. Click OK.
   i. Right click the user account again and select “Reset Password…”
   j. Type a password that has 10 or more characters and click OK.
   k. It will report, “The password has been changed.”
   l. Click OK.
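Tasks 2 and 3 enter the PSO by hand in ADSI Edit, which accepts the friendly d:hh:mm:ss form for the duration attributes. The Python script below is an added example, not part of the original lab: it renders the same values as an LDIF add record and converts the durations to the Int64 form the directory actually stores (which is what repadmin /showattr reports back), so you can check a PSO's raw values against what you typed. It assumes the container's full name is CN=Password Settings Container (the lab abbreviates it) and uses a placeholder DN for the Managers group.

```python
"""Render the task 2g values as an LDIF add record, with durations converted.

Added example for this lab; not part of the original manual. Duration
attributes on msDS-PasswordSettings are stored as an Int64 count of
100-nanosecond units, negative for "time in the past"; ADSI Edit hides this
behind the d:hh:mm:ss syntax. Assumptions: the PSO container is
CN=Password Settings Container, and the Managers group DN used in __main__
is a placeholder for wherever the group lives in Contoso.com.
"""

HUNDRED_NS_PER_SECOND = 10_000_000
NEVER = -(2 ** 63)   # Int64 minimum, stored for a duration typed as "(never)"

# Attributes the lab has you type in d:hh:mm:ss form.
DURATION_ATTRIBUTES = {
    "msDS-MinimumPasswordAge", "msDS-MaximumPasswordAge",
    "msDS-LockoutObservationWindow", "msDS-LockoutDuration",
}

# Values from task 2g, exactly as typed in ADSI Edit.
MANAGERS_PSO = {
    "cn": "Managers",
    "msDS-PasswordSettingsPrecedence": 10,
    "msDS-PasswordReversibleEncryptionEnabled": "FALSE",
    "msDS-PasswordHistoryLength": 24,
    "msDS-PasswordComplexityEnabled": "TRUE",
    "msDS-MinimumPasswordLength": 10,
    "msDS-MinimumPasswordAge": "0",
    "msDS-MaximumPasswordAge": "20:00:00:00",
    "msDS-LockoutThreshold": 0,
    "msDS-LockoutObservationWindow": "0:00:30:00",
    "msDS-LockoutDuration": "0:00:30:00",
}


def duration_to_interval(text):
    """d:hh:mm:ss (or a bare "0", or "(never)") -> the stored Int64 value."""
    if text.strip().lower() == "(never)":
        return NEVER
    parts = [int(p) for p in text.split(":")]
    if len(parts) > 4:
        raise ValueError(f"malformed duration: {text!r}")
    # Left-pad short forms such as "0" or "hh:mm:ss" up to four fields.
    days, hours, minutes, seconds = [0] * (4 - len(parts)) + parts
    if min(days, hours, minutes, seconds) < 0 or hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"malformed duration: {text!r}")
    total_seconds = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return -total_seconds * HUNDRED_NS_PER_SECOND


def interval_to_duration(value):
    """Inverse of duration_to_interval, for reading repadmin /showattr output."""
    if value == NEVER:
        return "(never)"
    total_seconds = -value // HUNDRED_NS_PER_SECOND
    days, rest = divmod(total_seconds, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{days}:{hours:02d}:{minutes:02d}:{seconds:02d}"


def pso_ldif(settings, applies_to, domain_dn):
    """LDIF 'add' record for a PSO; applies_to lists the DNs of users or groups."""
    lines = [
        f"dn: CN={settings['cn']},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
    ]
    for attribute, value in settings.items():
        if attribute in DURATION_ATTRIBUTES:
            value = duration_to_interval(str(value))
        lines.append(f"{attribute}: {value}")
    lines.extend(f"msDS-PSOAppliesTo: {dn}" for dn in applies_to)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder group DN; substitute the Managers group's real DN.
    print(pso_ldif(MANAGERS_PSO, ["CN=Managers,OU=Training,DC=Contoso,DC=com"],
                   "DC=Contoso,DC=com"))
```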

Exercise 2: How to determine which PSO is effective on a user

Tasks
1. On 2008-01, query the msDS-ResultantPSO attribute for the user in question. This indicates the distinguished name of the PSO that is ultimately applied to that user.
   a. In Active Directory Users and Computers, click View and confirm that Advanced Features are enabled.
   b. Select the user account for which you would like to examine the effective PSO.
   c. Right click the user account and select Properties.
   d. Select the Attribute Editor tab.
   e. Click Filter, and confirm that Show attributes: Optional and Show read-only attributes: Constructed are checked.
   f. From the list of attributes, select the msDS-ResultantPSO attribute. It shows the distinguished name of the PSO that is applied to the user.
   g. If multiple PSOs are applied to a user, which one will take effect? How can you tell?
      ____________________________________________________________________________________
      ____________________________________________________________________________________
      ____________________________________________________________________________________
      ____________________________________________________________________________________
      ____________________________________________________________________________________
   h. If a PSO is applied to a user and a group, which one takes precedence? How can you tell?
      ____________________________________________________________________________________
      ____________________________________________________________________________________
      ____________________________________________________________________________________
      ____________________________________________________________________________________
      ____________________________________________________________________________________

2. Run the following command:
   dsget user "cn=lmiller,ou=training,dc=contoso,dc=com" -effectivepso
   What does the output show?

Lab 9

Lab 9: Group Policy Changes and Enhancements

Version 1.0

During this lab, you will learn about Group Policy changes and FGPP.
Estimated time to complete this lab: 75 minutes

Before You Begin
Before starting this lab, you should:
■ Have an understanding of new group policy changes
■ Have an understanding of FGPP

What You Will Learn
After completing this lab, you will be able to:
■ Create a Central Store
■ Configure and use GPEdit logging
■ Create and use Starter GPOs
■ Use folder redirection to share data between V1 and V2 user profiles
■ Understand what password policies and account lockout policies are

Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-01

You must log on as an administrative user in order to perform all of the tasks in this lab.
■ Administrative username and password
  □ Username: Administrator
  □ Password: P@ssw0rd1
  □ Domain: Contoso


Exercise 1: Enabling GPEDIT logging and Create a Central Store

Task 1: Enable GPEDIT logging

1. Logon to 2008-01 as Contoso\Administrator.
2. Run Regedit.exe.
3. Enable GPEDIT logging:
   a. Debug logging is provided for GPEDIT and may be enabled via the following registry setting.
   b. Create the following registry value (REG_DWORD): HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPEditDebugLevel
      1) Change the value to hexadecimal 10002.
      2) Close the Registry Editor.

Task 2: Creating and Using a Central Store

Note
There is no user interface for populating the central store in Windows Vista or Windows Server 2008 at this time. This procedure shows how to populate the central store using command line syntax.

1. To populate the Central Store, open a command window on server 2008-01.
2. To copy all the language-neutral and language-specific ADMX files from your Windows Server 2008-01 system to the central store on your domain controller using the xcopy command, type:
   xcopy /S %systemroot%\PolicyDefinitions\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions
3. When prompted for file or directory, enter D.
4. To edit administrative template policy settings using ADMX files, open the Group Policy Management Console. Click Start, click Run, then type GPMC.msc.
5. To create a new GPO, right-click Contoso.com under Domains and select Create a GPO in this domain, and link it here.


6. Type a name for the GPO and click OK.
7. Expand the Group Policy Objects node.
8. Right-click the name of the GPO you created and click Edit.
9. Select Administrative Templates under Computer Configuration, Policies. In the right pane, view the message stating Administrative Templates: Policy definitions (ADMX files) retrieved from the central store.
10. Click on Printers under Administrative Templates and select Web-based Printing.
11. Select Enabled and click OK.
12. Close Group Policy Management Editor.
13. Open c:\windows\debug\usermode\gpedit.log.
14. Review the log and notice the information stating Successfully wrote: Software\Policies\Microsoft\Windows NT\Printers\DisableWebPrinting.

Important
The Group Policy Object Editor automatically reads all ADMX files stored in the central store. When there is no central store, the Group Policy Object Editor reads the local versions of the ADMX files used by the local GPO on your Windows Vista™ administrative machine.
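The script below is an added example, not part of the lab manual, that performs Tasks 1 and 2 of this exercise from an elevated PowerShell prompt on 2008-01 and then verifies the result: it sets GPEditDebugLevel to the value the lab uses (0x10002), copies the PolicyDefinitions folder to the logon server's SYSVOL with robocopy instead of xcopy, checks that every ADMX file has a matching ADML file, and extracts the "Successfully wrote" lines from gpedit.log. Registry path, log path and the central store location are the ones the lab names; nothing else is assumed.

```powershell
# Added example, not part of the lab manual: enable GPEdit debug logging, populate the ADMX
# central store and verify both. Uses the registry value, paths and SYSVOL location that the lab
# names. Run in an elevated PowerShell on 2008-01 as a domain administrator.

function Enable-GpEditLogging {
    $key = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    # REG_DWORD GPEditDebugLevel = 0x10002 switches on %systemroot%\debug\usermode\gpedit.log
    New-ItemProperty -Path $key -Name "GPEditDebugLevel" -PropertyType DWord -Value 0x10002 -Force | Out-Null
    (Get-ItemProperty -Path $key -Name "GPEditDebugLevel").GPEditDebugLevel -eq 0x10002
}

function Get-CentralStorePath {
    # The lab writes to the logon server's copy of SYSVOL; FRS/DFSR replicates it to the other DCs.
    "$env:LOGONSERVER\sysvol\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
}

function Initialize-CentralStore {
    $source = Join-Path $env:SystemRoot "PolicyDefinitions"
    $target = Get-CentralStorePath
    if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
    # /S copies the language sub-folders (en-US etc.) that hold the ADML files.
    # robocopy exit codes below 8 mean the copy succeeded (bits only report what was copied).
    & robocopy.exe $source $target /S /R:1 /W:1 /NP /NFL /NDL | Out-Null
    $LASTEXITCODE -lt 8
}

function Test-CentralStore {
    # The editor can only display a template when its ADMX has an ADML in a language folder.
    $target = Get-CentralStorePath
    $admx = @(Get-ChildItem -Path $target -Filter *.admx)
    $adml = @(Get-ChildItem -Path $target -Recurse -Filter *.adml)
    "Central store: $target"
    "  $($admx.Count) ADMX files, $($adml.Count) ADML files"
    foreach ($f in $admx) {
        $name = [IO.Path]::ChangeExtension($f.Name, ".adml")
        if (-not ($adml | Where-Object { $_.Name -eq $name })) { "  WARNING: no ADML found for $($f.Name)" }
    }
}

function Show-GpEditWrites {
    # After a setting is changed in the editor, gpedit.log records the registry value it wrote,
    # e.g. "Successfully wrote: Software\Policies\Microsoft\Windows NT\Printers\DisableWebPrinting".
    $log = Join-Path $env:SystemRoot "debug\usermode\gpedit.log"
    if (Test-Path $log) { Select-String -Path $log -Pattern "Successfully wrote" | ForEach-Object { $_.Line } }
    else { "gpedit.log not written yet: edit a GPO in the Group Policy Management Editor first" }
}

if (Enable-GpEditLogging) { "GPEditDebugLevel set to 0x10002" }
if (Initialize-CentralStore) { "ADMX/ADML files copied to the central store" }
Test-CentralStore
Show-GpEditWrites
```

Run Show-GpEditWrites again after completing steps 10 and 11; the DisableWebPrinting line in step 14 is the one it should return.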

Exercise 2: Creating and Using Starter GPOs

Scenario
As an administrator for Contoso.com, you plan on delegating permissions to other users to administer specific Organizational Units in the future. To aid the other users in Group Policy creation, you are going to prepare a Starter GPO that contains helpful pre-configured Administrative Template settings.

Task 1:

1. On 2008-01 create a new Starter GPO.
   a. Logon to 2008-01 as contoso\administrator.
   b. In Server Manager, expand Features | Group Policy Management | Forest: contoso.com | Domains | contoso.com | Starter GPOs.


   c. Right click Starter GPOs and then click New.
   d. In the New Starter GPO dialog box, type Contoso Base in the Name box and click OK.
   e. Right click Contoso Base and select Edit. Notice only Administrative Templates are available to manage in a Starter GPO. Change an administrative template setting under User or Computer Configuration; then close the Group Policy Editor window.
2. Create a new policy from the Starter GPO.
   a. Right click Contoso Base and then click New GPO from Starter GPO.
   b. In the New GPO dialog box, type Training Policy in the Name box and click OK.

Exercise 4: Create a network share for all computers in the domain via Preferences in group policy

Task 1:

1. Logon as contoso\administrator on 2008-01.
2. Create a folder C:\scripts.
3. Edit the Default Domain Policy.
   a. Click on Start | Run and type gpmc.msc.
   b. Double click Domains and then Contoso.com.
   c. Right click the Default Domain Policy and click Edit.
4. Click on Computer Configuration | Preferences | Windows Settings | Network Shares.
   a. Under Group Policy Management Editor click on Computer Configuration, Preferences, Windows Settings and Network Shares.
5. Create a new network share Preference setting.
   a. Right click Network Shares and select New and Network Shares.
   b. In the New Network Share properties window, select the following:


      1) Action: Create
      2) Share name: 2008TEST
      3) Folder Path: C:\scripts
      4) Leave the rest as default settings.
      5) Click OK.
6. Force Group Policy application by typing gpupdate /force in the command prompt. Select Y when prompted to re-login.
7. Re-login, open a command prompt and type net share. You will see a share by the name 2008TEST pointing to an existing folder, in this case C:\scripts on the C drive of 2008-01.

Exercise 5: Create a mapped drive for users in the Domain Admins group via Preferences in group policy

Task 1:

1. On 2008-01, edit the Default Domain Policy.
   a. Logon to 2008-01. Click on Start | Run and type gpmc.msc.
   b. Double click Domains and then Contoso.com.
   c. Right click the Default Domain Policy and click Edit.
2. Click on User Configuration | Preferences | Windows Settings | Drive Maps.
   a. Under Group Policy Management Editor click on User Configuration, Preferences, Windows Settings and Drive Maps.
3. Create a new mapped drive preference setting.
   a. Right click Drive Maps and select New and Map Drives.
   b. In the New Drive properties window, select the following:
      1) Action: Create
      2) Location: \\2008-01\c$
      3) Label as: MyDrive


      4) Drive Letter: Use first available, starting at: E
      5) Keep the rest of the settings as default.
      6) Click on the Common tab, select Item-level targeting and click Targeting.
      7) Click New Item, select Security Group and click Browse.
      8) Type Domain Admins and click Check Names. Click OK.
      9) Click OK.
4. Force Group Policy application by typing gpupdate /force in the command prompt. Select Y when prompted to re-login.
5. Re-login, open My Computer and view MyDrive pointing to \\2008-01\C$.
6. (Optional) Test by logging on to Vista-01 as a Domain Admin and as a non-admin and confirm whether the drive is mapped.

Exercise 6: Disable a preference setting

Task 1:

1. On 2008-01, edit the Default Domain Policy.
   a. Logon to 2008-01. Click on Start | Run and type gpmc.msc.
   b. Double click Domains and then Contoso.com.
   c. Right click the Default Domain Policy and click Edit.
2. Click on User Configuration | Preferences | Windows Settings | Drive Maps.
   a. Under Group Policy Management Editor click on User Configuration, Preferences, Windows Settings and Drive Maps.
3. Click on the drive letter in the right console to select the preference and click the red circle with a slash on the toolbar to disable it.
4. Force Group Policy application by typing gpupdate /force in the command prompt. Select Y when prompted to re-login.
5. Re-login, open My Computer and observe that MyDrive is not available anymore.
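Exercises 4 to 6 each end with a client-side check (net share, My Computer). The script below is an added example, not part of the lab manual, that checks the same items from the server side by reading the XML in which a GPO stores its Preferences items and reporting each item's action, target path, disabled state and item-level targeting. The two XML documents in the block are constructed, simplified samples of what Exercises 4 and 5 produce (the attribute names action, path, disabled and the Filters/FilterGroup element are the ones the editor writes); the SYSVOL paths in the comments are where the real files of the Default Domain Policy live.

```powershell
# Added example, not part of the lab manual: audit Group Policy Preferences items (the network
# share and the drive map that Exercises 4-6 create) from the XML the GPO stores in SYSVOL,
# reporting action, target path, disabled state and item-level targeting.
# The two documents below are constructed, simplified samples of that XML. The real files of the
# Default Domain Policy (well-known GUID {31B2F340-016D-11D2-945F-00C04FB984F9}) live under
#   \\contoso.com\SYSVOL\contoso.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\
#       Machine\Preferences\NetworkShares\NetworkShares.xml and User\Preferences\Drives\Drives.xml
# Disabling an item as in Exercise 6 adds disabled="1" to its element.

$sampleDrivesXml = @'
<Drives>
  <Drive name="E:" status="E:" changed="2008-06-01 09:00:00" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="C" path="\\2008-01\c$" label="MyDrive" persistent="0" useLetter="0" letter="E"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\Domain Admins" sid="S-1-5-21-0-0-0-512" userContext="1"/>
    </Filters>
  </Drive>
</Drives>
'@

$sampleSharesXml = @'
<NetworkShares>
  <NetShare name="2008TEST" status="2008TEST" changed="2008-06-01 09:05:00" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="C" name="2008TEST" path="C:\scripts" comment="" abe="NO_CHANGE" limitUsers="NO_CHANGE"/>
  </NetShare>
</NetworkShares>
'@

$actionNames = @{ "C" = "Create"; "R" = "Replace"; "U" = "Update"; "D" = "Delete" }

function Get-GppItems {
    # One record per preference item; Targeting lists the item-level targeting filters.
    param([xml]$Document, [string]$Source)
    foreach ($item in $Document.DocumentElement.ChildNodes) {
        if ($item.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        $props = $item.SelectSingleNode("Properties")
        if (-not $props) { continue }
        $filters = @()
        foreach ($f in $item.SelectNodes("Filters/*")) {
            $text = $f.LocalName
            if ($f.GetAttribute("name")) { $text += " " + $f.GetAttribute("name") }
            if ($f.GetAttribute("not") -eq "1") { $text = "NOT " + $text }
            $filters += $text
        }
        $action = $props.GetAttribute("action")
        if ($actionNames.ContainsKey($action)) { $action = $actionNames[$action] }
        $targeting = "(none)"
        if ($filters.Count -gt 0) { $targeting = $filters -join "; " }
        New-Object PSObject -Property @{
            Source    = $Source
            Item      = $item.LocalName
            Name      = $item.GetAttribute("name")
            Action    = $action
            Path      = $props.GetAttribute("path")
            Disabled  = ($item.GetAttribute("disabled") -eq "1")
            Targeting = $targeting
        }
    }
}

function Find-GppConcerns {
    # Points out enabled items that expose an administrative share (\\server\X$) or that create
    # a share on every computer the GPO reaches because they carry no targeting.
    param($Items)
    foreach ($i in $Items) {
        if ($i.Disabled) { continue }
        if ($i.Path -match '^\\\\[^\\]+\\[A-Za-z]\$') {
            "$($i.Item) '$($i.Name)' ($($i.Action)) maps administrative share $($i.Path); targeting: $($i.Targeting)"
        }
        if ($i.Item -eq "NetShare" -and $i.Targeting -eq "(none)") {
            "$($i.Item) '$($i.Name)' ($($i.Action)) shares $($i.Path) on every computer the GPO reaches"
        }
    }
}

$items = @(Get-GppItems -Document ([xml]$sampleDrivesXml) -Source "Drives.xml") +
         @(Get-GppItems -Document ([xml]$sampleSharesXml) -Source "NetworkShares.xml")
$items | Format-Table Source, Item, Name, Action, Path, Disabled, Targeting -AutoSize
Find-GppConcerns $items
# Live use: Get-GppItems -Document ([xml](Get-Content "<SYSVOL path>\User\Preferences\Drives\Drives.xml")) -Source "Drives.xml"
```

After Exercise 6 the drive item carries disabled="1", so Find-GppConcerns stops reporting it; running the script against the real Drives.xml before and after that exercise shows the difference that gpupdate later applies.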



Lab 10: Windows Server 2008 Backup and Recovery


©2006 Microsoft Corporation. All rights reserved.


Version 1.0

During this lab, you will use the Windows Server 2008 Backup features to backup, view, and restore Active Directory data.
Estimated time to complete this lab: 60 minutes

Before You Begin
Before starting this lab, you should:
■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn
After completing this lab, you will be able to:
■ Backup Windows Server 2008 System State data.
■ Create a snapshot and mount the snapshot so that the backup directory information can be viewed in an LDAP browser.
■ Restore the System State backup.

Lab Environment
To complete this lab, you will need the following Virtual Machines:
■ 2008-01

Important
You must log on as an administrative user in order to perform some of the tasks in this lab.
■ Administrative username and password
  □ Username: Administrator
  □ Password: P@ssw0rd1
  □ Domain: Contoso


Exercise 1: Use Windows Server Backup to backup and restore System State data

Scenario
As an administrator of Active Directory in Contoso.com, you need to test the correct Disaster Recovery procedures used for Active Directory in Windows Server 2008.

Tasks

1. Use Windows Server Backup to backup the Windows System State.
   a. Verify Windows Backup is installed, or install the Windows Backup feature.
      1) Log onto 2008-01 as contoso\Administrator.
      2) Launch Server Manager.
         a) Click Start, Administrative Tools, then Server Manager.
      3) Select Features and verify Windows Server Backup is installed by looking at the list under Features Summary.
      4) If not installed, click Add Features in the right pane under Features Summary. This will launch the Add Features Wizard.
      5) On the Select Features page, select Windows Server Backup Features. Expand Windows Server Backup Features, make sure Command-line Tools is checked and click Next.
      6) On Confirm Installation Selections, select Install.
      7) Click Close on the Installation Results page.
   b. Create a system state backup.
      1) At the command prompt, type wbadmin start SystemStateBackup -backuptarget:D:, then press Enter.

      Important
      The backup target location must contain a drive letter and colon, followed by no folder path (such as D:, F:, etc). The backup target cannot be the system drive, and cannot be a mapped drive.


      2) When prompted, enter C and press Enter, then enter Y and press Enter.

      Important
      The backup could take up to 90 minutes to complete, depending on hardware resources.

      3) Examine the contents of D:\WindowsImageBackup\2008-01\SystemStateBackup\Backup\
         a) Notice the backup file has a .vhd extension.
2. Create a snapshot using NTDSUtil.exe.
   a. At the command prompt, type ntdsutil snapshot.
   b. At the snapshot prompt, type activate instance ntds.
   c. At the snapshot prompt, type create.
3. Mount the snapshot created in step 2.
   a. Mount the snapshot using ntdsutil.exe.
      1) At the snapshot prompt, type list all.
      2) At the snapshot prompt, type mount 1.
   b. View the contents of C:\$SNAP__VOLUMEC$\ (the snapshot's timestamp appears between the two underscores).
      1) Notice you can browse to the ntds.dit file at C:\$SNAP__VOLUMEC$\Windows\NTDS\ntds.dit.
4. Load the ntds.dit copy created in the snapshot and connect to the offline directory using an LDAP browser.
   a. Use DSAMain.exe to load the snapshot.
      1) At another command prompt, type dsamain -dbpath C:\$SNAP__VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 5000
   b. Launch LDP.exe and view the contents of the ntds.dit database.
      1) Launch ldp.exe.
      2) Click Connection | Connect.


      3) Change the port to 5000 and click OK.
      4) Click Connection | Bind.
      5) Click View | Tree.
         a) Notice you can view the directory data.
      6) In the DSAMain command window, enter Control-C and press Enter.
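Steps 1 to 4 above (system state backup, ntdsutil snapshot, mount, dsamain, LDAP query) can be driven from one script. The block below is an added example, not part of the lab manual: it validates the backup target against the Important note before calling wbadmin, creates and mounts a snapshot with ntdsutil, serves the snapshot's ntds.dit with dsamain on port 5000 exactly as the lab does, and then looks up the same account on the live directory (port 389) and on the snapshot so the two can be compared. It assumes an elevated PowerShell on 2008-01, D: as the backup target and the lab user bsmith; the parsing of ntdsutil's output relies only on the GUID and mount-path tokens it prints, not on its exact wording. The snapshot is unmounted and deleted at the end because the mounted folder holds a full copy of the directory database.

```powershell
# Added example, not part of the lab manual: script the backup/snapshot/dsamain part of this
# exercise and compare an account between the live directory and the snapshot.
# Assumptions: elevated PowerShell on 2008-01 (a DC, so dsamain.exe and ntdsutil.exe exist);
# D: is the backup target; bsmith is the lab account. -SkipBackup avoids the long wbadmin run.

param([string]$BackupTarget = "D:", [string]$SamAccountName = "bsmith", [int]$LdapPort = 5000, [switch]$SkipBackup)

function Test-BackupTarget {
    # Encodes the lab's "Important" note: drive letter plus colon only, not the system drive,
    # not a mapped (network) drive. Returns $null when the target is acceptable.
    param([string]$Target)
    if ($Target -notmatch '^[A-Za-z]:$') { return "must be a drive letter and colon only, e.g. D:" }
    if ($Target.ToUpper() -eq $env:SystemDrive.ToUpper()) { return "cannot be the system drive" }
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Target'"
    if (-not $disk) { return "drive not found" }
    if ($disk.DriveType -eq 4) { return "cannot be a mapped network drive" }   # 3 = local disk
    $null
}

function Invoke-SystemStateBackup {
    param([string]$Target)
    $problem = Test-BackupTarget $Target
    if ($problem) { throw "Backup target $Target rejected: $problem" }
    & wbadmin.exe start systemstatebackup "-backupTarget:$Target" -quiet
    $LASTEXITCODE -eq 0
}

function New-MountedNtdsSnapshot {
    # Same ntdsutil commands as steps 2 and 3, passed on the command line; returns GUID and mount path.
    $out = & ntdsutil.exe snapshot "activate instance ntds" create quit quit
    if (-not (($out -join "`n") -match '(\{[0-9a-fA-F-]{36}\})')) { throw "snapshot create failed:`n$out" }
    $guid = $Matches[1]
    $out = & ntdsutil.exe snapshot "activate instance ntds" "mount $guid" quit quit
    if (-not (($out -join "`n") -match '([A-Za-z]:\\\$SNAP_\S+?VOLUME[A-Za-z]\$\\?)')) { throw "snapshot mount failed:`n$out" }
    New-Object PSObject -Property @{ Guid = $guid; MountPath = $Matches[1].TrimEnd('\') }
}

function Start-SnapshotLdap {
    # dsamain serves the offline ntds.dit over LDAP on the given port until the process is stopped.
    param([string]$MountPath, [int]$Port)
    $dit = Join-Path $MountPath "Windows\NTDS\ntds.dit"
    if (-not (Test-Path $dit)) { throw "no ntds.dit under $MountPath" }
    Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $Port" -PassThru
}

function Find-UserOnPort {
    # DN of the account on the directory listening on the port, or $null if it is not there.
    param([string]$Sam, [int]$Port)
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$Port/RootDSE")
    $baseDn = [string]$rootDse.Properties["defaultNamingContext"].Value
    $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$Port/$baseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, "(&(objectClass=user)(sAMAccountName=$Sam))", @("distinguishedName"))
    $r = $searcher.FindOne()
    if ($r) { [string]$r.Properties["distinguishedname"][0] } else { $null }
}

if (-not $SkipBackup) {
    if (Invoke-SystemStateBackup $BackupTarget) { "System state backup written to $BackupTarget" }
}
$snap = New-MountedNtdsSnapshot
"Snapshot $($snap.Guid) mounted at $($snap.MountPath)"
$dsamain = Start-SnapshotLdap -MountPath $snap.MountPath -Port $LdapPort
Start-Sleep -Seconds 10   # give dsamain time to open the database before querying it
"$SamAccountName in live directory : $(Find-UserOnPort $SamAccountName 389)"
"$SamAccountName in snapshot       : $(Find-UserOnPort $SamAccountName $LdapPort)"

# Clean-up (the lab's Control-C plus unmount): stop dsamain, then unmount and delete the snapshot,
# whose mounted folder contains a complete copy of the directory database.
$dsamain | Stop-Process
& ntdsutil.exe snapshot "activate instance ntds" "unmount $($snap.Guid)" "delete $($snap.Guid)" quit quit | Out-Null
```

Run the script before step 5 and again after the account has been deleted: the live lookup then returns nothing while the snapshot lookup still returns CN=Ben Smith,OU=Training,DC=Contoso,DC=com, which is the comparison the LDP walk-through makes by hand.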

5. Delete the contoso\bsmith user account.
   a. Launch Server Manager.
      1) Click Start, Administrative Tools, then Server Manager.
   b. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | contoso.com | Training.
   c. Find Ben Smith, and delete this account.

   Note
   The above steps are necessary to un-mount the Windows Server 2008 ISO to prevent accidentally selecting "Boot from CD or DVD" during the reboot.

   d. Restart the server.
   e. Enter Directory Services Restore Mode.
      1) Press F8 to enter Advanced Boot Options.
      2) Select Directory Services Restore Mode and press Enter.
6. Use Windows Server Backup to restore the Windows System State backup.
   a. Obtain the version of the stored system state.
      1) At the command prompt, type wbadmin get versions.
      2) Note the Version identifier value.
   b. Restore the system state.


      1) At the command prompt, type wbadmin start systemstaterecovery -version: followed by the version identifier noted in step 6a.
      2) Type Y when prompted: Do you want to start the system state recovery operation?
      3) Type Y when prompted: The replication engine used at backup time was `FRS`. You cannot use System State Recovery if the replication engine for SYSVOL changed from the backup time. If the replication engine has changed, abort this recovery and contact support. Do you want to proceed? [Y] Yes [N] No

   Note
   If you are going to perform a restore after a SYSVOL migration to DFSR has been performed, you cannot use a system state backup taken while FRS was the replication engine for SYSVOL.

7. Using ntdsutil.exe, authoritatively restore the user object.
   a. At the command prompt, type ntdsutil and press Enter.
   b. Type activate instance ntds and press Enter.
   c. Type authoritative restore and press Enter.
   d. Type restore object "CN=Ben Smith,OU=Training,DC=Contoso,DC=com" and press Enter.
   e. Type quit and press Enter, then type quit again and press Enter.
8. Restart the server into normal mode.
9. Verify the contoso\bsmith account is available after the restore.
   a. Launch Server Manager.
      1) Click Start, Administrative Tools, then Server Manager.
   b. Expand Roles | Active Directory Domain Services | Active Directory Users and Computers | contoso.com | Training.
   c. Find Ben Smith.
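Step 6 asks you to read the version identifier out of wbadmin get versions by eye, and the Note warns that a backup taken under FRS is unusable once SYSVOL has been migrated to DFSR. The block below is an added example, not part of the lab manual, that automates both checks: it parses the get versions listing into records, keeps only versions that can recover System State, picks the newest, prints the exact recovery command for step 6b, and reports which engine currently serves SYSVOL from dfsrmig /getglobalstate. The listing embedded in the block is a constructed sample in the layout wbadmin prints so the parser can be read offline; the last comment shows how to feed it the live output. Nothing in the block starts the recovery itself.

```powershell
# Added example, not part of the lab manual: choose the system state version to restore from the
# "wbadmin get versions" listing and check the SYSVOL replication engine before the recovery,
# which is the condition the lab's Note describes. The listing below is a constructed sample in
# wbadmin's layout; Select-RestoreVersion accepts the live output as well (see the last line).

$sampleVersionsOutput = @'
Backup time: 6/18/2008 12:15 PM
Backup target: Fixed Disk labeled D:
Version identifier: 06/18/2008-19:15
Can Recover: Application(s), System State

Backup time: 6/19/2008 1:05 AM
Backup target: Fixed Disk labeled D:
Version identifier: 06/19/2008-08:05
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery
'@ -split "`r?`n"

function Get-SystemStateVersions {
    # Splits the listing into records (blank line separated, "Key: value" lines) and marks the
    # ones whose "Can Recover" line includes System State.
    param([string[]]$Lines)
    $current = @{}
    $records = @()
    foreach ($line in ($Lines + "")) {          # trailing "" flushes the last record
        if ($line.Trim() -eq "") {
            if ($current.Count -gt 0) { $records += New-Object PSObject -Property $current; $current = @{} }
            continue
        }
        $kv = $line -split ":", 2               # split on the first colon only; times contain colons
        if ($kv.Count -eq 2) { $current[$kv[0].Trim()] = $kv[1].Trim() }
    }
    foreach ($r in $records) {
        if (-not $r."Version identifier") { continue }
        New-Object PSObject -Property @{
            Version     = $r."Version identifier"
            BackupTime  = $r."Backup time"
            Target      = $r."Backup target"
            SystemState = ([string]$r."Can Recover" -match "System State")
        }
    }
}

function Select-RestoreVersion {
    # Newest version that can recover System State; identifiers are MM/dd/yyyy-HH:mm.
    param([string[]]$VersionsOutput)
    $usable = @(Get-SystemStateVersions -Lines $VersionsOutput | Where-Object { $_.SystemState })
    if ($usable.Count -eq 0) { throw "no backup version can recover System State" }
    $usable |
        Sort-Object { [datetime]::ParseExact($_.Version, "MM/dd/yyyy-HH:mm", [Globalization.CultureInfo]::InvariantCulture) } |
        Select-Object -Last 1
}

function Get-SysvolReplicationEngine {
    # dfsrmig reports the SYSVOL migration state; DFSR serves SYSVOL only from the Redirected
    # state onwards, so anything earlier (not started, Start, Prepared) still means FRS.
    $out = (& dfsrmig.exe /getglobalstate 2>&1) -join " "
    if ($out -match "Redirected|Eliminated") { "DFSR" } else { "FRS" }
}

$chosen = Select-RestoreVersion -VersionsOutput $sampleVersionsOutput
"Newest version that can recover System State: $($chosen.Version) (backup taken $($chosen.BackupTime), target $($chosen.Target))"
"Command for step 6b, to be run in Directory Services Restore Mode:"
"  wbadmin start systemstaterecovery -version:$($chosen.Version)"
if (Get-Command dfsrmig.exe -ErrorAction SilentlyContinue) {
    "SYSVOL is currently replicated by $(Get-SysvolReplicationEngine); the recovery prompt in step 6b names the engine in use at backup time, and the two must match."
}
# Live use on the DC:  Select-RestoreVersion -VersionsOutput (& wbadmin.exe get versions)
```

With the sample listing the second record is skipped because it cannot recover System State, so the chosen identifier is 06/18/2008-19:15; on the lab machine the live listing contains the backup made in step 1.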


Related Documents