Microsoft Learning Product
Information in this document, including URL and other Internet website references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third-party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2011 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Module 1
Lab Instructions: Planning Server Deployment and Upgrade
Contents:
Exercise 1: Planning a Windows Server 2008 R2 Deployment
Exercise 2: Modifying a Windows Server 2008 R2 Image
Exercise 3: Preparing to Deploy the Windows Server 2008 R2 Image
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso has been running their head office network infrastructure on the Windows Server 2003 platform. In the branch offices, UNIX is used to host a line-of-business application. Contoso has decided to upgrade their head office network infrastructure to Windows Server 2008 R2, and at the same time, replace the UNIX hosts with Windows Server 2008 R2 hosts. You have been assigned the task of planning a suitable deployment method, creating a standard server image for deployment, and finally, preparing deployment tools to implement the deployment. For this project, you must complete the following tasks:
- Plan a suitable deployment method for Contoso.
- Modify an existing server image by using command-line tools.
- Prepare to deploy Windows Server by using the modified image and WDS.
No problem. Details are in the attached datasheet. It's worth noting the utilization figures for the deployed servers. Also, remember that some of the research staff are working on isolated networks with no Internet access.
Regards,
Ed

----- Original Message -----
From: Charlotte Weiss [Charlotte@contoso.com]
Sent: 26 May 2011 08:42
To: Ed@contoso.com
Subject: Contoso Windows Server 2008 R2 Deployment Plan

Ed,
Can you provide me with details about the deployed servers in both the head office and the branch offices?
Charlotte
Deployed Server Datasheet.doc (subset)

NYC-DC1 (Head Office)
  Function(s): Domain Controller, File services, Certificate services
  Utilization: 80 percent
  Additional information: Windows Server 2003 Enterprise Edition (64-bit)

NYC-SVR1 (Head Office)
  Function(s): File services, DNS, DHCP, WSUS
  Utilization: 75 percent
  Additional information: Windows Server 2003 Enterprise Edition (64-bit)

NYC-SVR2 (Branch Office 2)
  Function(s): File services, Domain Controller, DNS
  Utilization: 25 percent
  Additional information: Windows Server 2003 Standard Edition (32-bit). Physical security at the branch is difficult to maintain.

NYC-SVR3 (Branch Office 2)
  Function(s): (not listed in the extract)
  Utilization: 10 percent
  Additional information: UNIX operating system
Note The utilization figure is an amalgamated value intended to give an overview of the overall workload on the server, rather than a quoted value for a specific Windows performance counter.
Task 2: Update the proposal document with your planned course of action.
1. Answer the questions in the Contoso Windows Server 2008 R2 Deployment Plan document.

Contoso Windows Server 2008 R2 Deployment Plan
Document Reference Number: CW2805/1
Document Author: Charlotte Weiss
Date: May 28

Requirements Overview
To provide information to help plan the upgrade/migration to Windows Server 2008 R2.

Additional Information
- Branch Office 2 supports forty client computers and two servers.
- Branch Office 2 is isolated from the Internet.
- Branch Office 2 has no server room and servers are placed in the main office space.

Proposals
1. In Ed's email, he recommended that Charlotte should examine the server utilization figures. Why is this significant when planning server deployment?
2. Ed also reminded Charlotte that some departments used servers and client workstations that are isolated from the Internet. What is the impact of this in terms of deployment?
3. In environments where there are isolated servers and workstations, which factors determine the activation technology that you use?
4. Are there situations where virtualization is indicated?
5. How would you help to improve security at Branch Office 2?
6. Which activation method would you use at Branch Office 2?
7. All the other branches have similar server configurations to those in Branch Office 2. Assuming Contoso accepts your proposals for the branch servers at Branch Office 2, how would you propose to deploy the servers at this office and the other ten branch offices in the New York area?
Results: At the end of this exercise, you should have successfully planned the Windows Server 2008 R2 deployment.
Wait until the status of Microsoft-Hyper-V is Enable Pending, and then run the following command.
Results: At the end of this exercise, you will have prepared the branch office image.
2. Close the Command Prompt window.
3. Switch to Windows Deployment Services, and then verify the presence of the new boot image.
   Question: How many boot images are listed?
WDSUTIL /Set-Server /AutoAddPolicy /Message:"The Contoso administrator is authorizing this request. Please wait."
Results: At the end of this exercise, you will have successfully prepared WDS to support Windows Server deployment to the branch offices.
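The message command above is one piece of the WDS admin-approval (Auto-Add) policy. The following command sequence is an added example, not the lab's own steps: it sets the policy so that an unknown computer that PXE-boots is held until an administrator approves it, shows how to review and approve pending requests, and verifies the result. It assumes WDS is already initialized on NYC-DC1, an elevated prompt, and that the request ID 1 is a placeholder taken from the pending-devices output.

```powershell
# Added example: WDS admin-approval workflow with wdsutil (not from the lab).
# Assumes WDS is already initialized on this server and the prompt is elevated.

# Answer all clients, but require administrator approval for unknown ones, so a
# machine that is not pre-staged in AD cannot pull a boot image on its own.
wdsutil /Set-Server /AnswerClients:All
wdsutil /Set-Server /AutoAddPolicy /Policy:AdminApproval
wdsutil /Set-Server /AutoAddPolicy /Message:"The Contoso administrator is authorizing this request. Please wait."
# How often (seconds) and how many times a waiting client polls before it gives up.
wdsutil /Set-Server /AutoAddPolicy /PollInterval:10 /MaxRetry:600

# Review what is waiting, then approve (or reject) by request ID.
# The ID below is a placeholder; take it from the PendingDevices output.
wdsutil /Get-AutoAddDevices /DeviceType:PendingDevices
wdsutil /Approve-AutoAddDevices /RequestId:1
# wdsutil /Reject-AutoAddDevices /RequestId:1

# Confirm the server policy and the boot images that are now offered.
wdsutil /Get-Server /Show:Config
wdsutil /Get-AllImages /Show:Boot
```

Approved devices are recorded so that a later PXE boot of the same machine does not need re-approval; keeping /AnswerClients at All with AdminApproval, rather than Known only, is what makes new hardware deployable without first creating computer accounts by hand.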
Module 2
Lab Instructions: Planning Server Management and Delegated Administration
Contents:
Exercise 1: Creating an Administrative-Level Role Group
Exercise 2: Creating an Account Management Group
Exercise 3: Enabling and Configuring Auditing for Sensitive Groups
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso, Ltd. is currently beginning an Active Directory redesign project. There are two members of the IT department: Kenn Sutton and Christine Koch. Their group will require full control over Active Directory objects in the Contoso domain. Ryan Ihrig, a new intern, has been assigned user management tasks in the Research department to alleviate department load, while Kenn and Christine are working on the project. You have been asked to provide the Active Directory groups and permissions that will allow these changes to take place. You have also been asked to enable auditing on the Domain Admins group, Enterprise Admins group, and any newly created groups that have been granted administrative-level permissions. For this project, you must complete the following tasks:
- Create an administrative-level role group.
- Create a user management role group.
- Enable and configure auditing for sensitive groups.
Task 2: Place the user accounts for Kenn Sutton and Christine Koch into the ADRedesign group.
1. In Active Directory Users and Computers, open the Properties page of the ADRedesign group in the Users container.
2. Add Kenn Sutton and Christine Koch as members of the ADRedesign group.
Task 3: Delegate full control over the Contoso.com domain to the ADRedesign group.
1. In Active Directory Users and Computers, start the Delegation of Control Wizard on the Contoso.com domain node.
2. Grant the ADRedesign group full control permissions for all objects in the domain.
Results: After completing this exercise, you should have created an administrative-level role group.
2. Place the user account for Ryan Ihrig into the AcctMgmt group.
3. Grant create, delete, and manage user accounts privileges to the AcctMgmt group for the Research OU.
Task 2: Place the user account for Ryan Ihrig into the AcctMgmt group.
1. In Active Directory Users and Computers, open the Properties page of the AcctMgmt group in the Users container.
2. Add Ryan Ihrig as a member of the AcctMgmt group.
Task 3: Grant create, delete, and manage user accounts privileges to the AcctMgmt group.
1. In Active Directory Users and Computers, start the Delegation of Control Wizard on the Research OU.
2. Grant the AcctMgmt group create, delete, and manage user accounts privileges in the Research OU.
Results: After completing this exercise, you should have created an account management group.
Task 2: Configure auditing settings for the Domain Admins, Enterprise Admins, ADRedesign, and AcctMgmt groups.
1. Enable Advanced Features from the View menu in Active Directory Users and Computers.
2. Right-click the Domain Admins group, and then click Properties.
3. In the Security tab, click the Advanced button to access the Auditing tab.
4. Enable full control auditing for the Authenticated Users group.
5. Close the Properties windows.
6. Repeat steps 1 to 4 for the Enterprise Admins, ADRedesign, and AcctMgmt groups.
Results: After completing this exercise, you should have enabled and configured auditing for sensitive groups.
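The GUI steps in Task 2 write a SACL entry on each group. The script below is an added example (not part of the lab) that does the same for the four groups from the Active Directory module, and first turns on the audit subcategories without which a SACL produces no events. It assumes it runs on a domain controller as a domain administrator with the ActiveDirectory module available; the group names are the lab's own.

```powershell
# Added example: SACL-based auditing on sensitive AD groups (not the lab's script).
# Assumes: run on a DC as a domain administrator; ActiveDirectory module present.
Import-Module ActiveDirectory

# 1. A SACL on an object is silent unless the directory-service audit policy is
#    collecting. Enable both access and change auditing (success and failure).
auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

$sensitiveGroups = 'Domain Admins', 'Enterprise Admins', 'ADRedesign', 'AcctMgmt'
$everyone = New-Object System.Security.Principal.NTAccount('Authenticated Users')

foreach ($groupName in $sensitiveGroups) {
    $dn   = (Get-ADGroup -Identity $groupName).DistinguishedName
    $path = "AD:\$dn"                      # AD: drive exposed by the AD module

    # -Audit is required to read (and write back) the SACL, not only the DACL.
    $acl = Get-Acl -Path $path -Audit

    # Full control (GenericAll), success and failure, for any authenticated user:
    # the same choice as "full control auditing for Authenticated Users" in the GUI.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "SACL updated on $dn"
}

# 2. Verify: list the audit entries now present on each group.
foreach ($groupName in $sensitiveGroups) {
    $dn = (Get-ADGroup -Identity $groupName).DistinguishedName
    (Get-Acl -Path "AD:\$dn" -Audit).Audit |
        Select-Object @{n='Group'; e={ $groupName }}, IdentityReference,
                      ActiveDirectoryRights, AuditFlags |
        Format-Table -AutoSize
}
```

Once this is in place, membership changes and other access to these groups show up in the Security log as event 4662 (an operation was performed on an object) and 5136 (a directory service object was modified); those are the events a monitoring rule for privileged-group changes should key on.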
Module 3
Lab Instructions: Planning Network Addressing and Name Resolution
Contents:
Exercise 1: Planning the Deployment of DHCP and DNS Servers
Exercise 2: Implementing DNS
Exercise 3: Implementing DHCP
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso, Ltd has created a new regional research team. As a result, branch offices are being fitted out to support the various regional research functions. You are responsible for planning the network infrastructure for these new branch offices. Dylan Miller, the national Research Manager, has been communicating with you about his specific requirements for the regional offices. In addition, Ed Meadows, a colleague in IT, has visited some of the branch offices. For this project, you must complete the following tasks:
- Plan the deployment of DHCP and DNS servers.
- Implement DNS in the branch offices.
- Implement DHCP in the branch offices.
- Implement a transition to IPv6 in the branch offices.
Supporting Documentation
Email thread of correspondence with Ed Meadows:

Charlotte Weiss

From: Ed Meadows [Ed@contoso.com]
Sent: 24 July 2011 17:00
To: Charlotte@contoso.com
Subject: Re: Branch office network services

Charlotte,
Answers in line below,
Regards,
Ed

----- Original Message -----
From: Charlotte Weiss [Charlotte@contoso.com]
Sent: 24 July 2011 13:30
To: Ed@contoso.com
Subject: Branch office network services

Ed,
I need to think about the infrastructure for the branch offices. Could you answer the following questions?
1. How are IP addresses to be assigned for this region?
   [Ed] By DHCP
2. Is there anything I should know about the DNS name space for these offices?
   [Ed] The research computers will be in their own DNS name space, research.contoso.com
3. I have a vague recollection that one of the line-of-business applications that research uses requires NetBIOS. Is that right?
   [Ed] You're right, Charlotte, they need NetBIOS name resolution in research.
Thanks,
Charlotte
Branch Office Network Infrastructure Plan: Network Services

Requirements Overview
Specify which network services are required in each branch office and any changes that might be required in the head office to facilitate your proposals.

Additional Information
It is important that any router, server, or communications link failure does not adversely affect users.

Proposals
1. How many DHCP servers do you propose to deploy in the region?
2. Where do you propose to deploy these servers?
3. What name resolution services are required?
4. To support the DNS name space in the sales division, how would you propose to configure DNS?
5. Will you require WINS?
6. If so, how many WINS servers will you require for the region?
7. If not, how do you propose to support single-label names?
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.
Task 3: Compare your solution with the one provided in the Lab Answer Key.
Compare your solution with the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: In this exercise, you planned the placement of DHCP and DNS servers for the Contoso branch offices.
2. Install the DNS server role on NYC-SVR2.
3. Create the research.contoso.com DNS zone.
4. Create the research.contoso.com delegation.
Results: In this exercise, you deployed the DNS server to the first branch office.
In this exercise, you will select a suitable DHCP configuration to support the branch office environment. The main tasks for this exercise are as follows:
1. Install the DHCP role on NYC-SVR2.
2. Enable DHCP Relay.
3. Create the required scope for the branch.
4. Add the branch office scope on NYC-DC1.
5. Configure NYC-CL2 for DHCP.
2. In DHCP, in the navigation pane, expand nyc-svr2.research.contoso.com, expand IPv4, right-click IPv4, and then click New Scope.
3. Create a new scope with the following properties:
   Name: Branch Office
   IP Address range: 172.16.16.4 to 172.16.16.254
   Subnet mask: 255.255.255.0
   Exclusions: 172.16.16.200 to 172.16.16.254
   Other settings: use default values
   Configure options:
     Router: 172.16.16.1
     Parent domain: research.contoso.com
     DNS servers: 172.16.16.2 and 10.10.0.10
     Other settings: use default values
Activate scope
Configure Internet Protocol Version 4 (TCP/IPv4):
  Obtain an IP address automatically
  Obtain DNS server address automatically
Open a command prompt, and answer the following questions:
- What is the IP address of NYC-CL2?
- What is the DHCP server IP address?
Leave the windows open for the next (optional) exercise.
Results: In this exercise, you implemented DHCP for the branch offices.
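The scope built through the New Scope wizard above can also be created from the command line. The following is an added example (not the lab's own steps) that authorizes the DHCP server in Active Directory, builds the same Branch Office scope with its exclusion and options, activates it, and shows how to verify the lease on the client. It assumes an elevated prompt on NYC-SVR2 with the DHCP Server role already installed, and that 172.16.16.2 (the first DNS server in the scope options) is NYC-SVR2's own address on the branch subnet.

```powershell
# Added example: the Branch Office scope via netsh (not the lab's own commands).
# Assumes: elevated prompt on NYC-SVR2, DHCP Server role installed,
# NYC-SVR2 = 172.16.16.2 on the branch subnet (assumption taken from the scope options).

# Authorize the server in AD first. An unauthorized DHCP server in an AD domain
# will not hand out leases; that check is the built-in rogue-DHCP control, so
# keep the set of authorized servers deliberately small.
netsh dhcp add server nyc-svr2.research.contoso.com 172.16.16.2

# Scope 172.16.16.0/24 named "Branch Office"
netsh dhcp server add scope 172.16.16.0 255.255.255.0 "Branch Office" "Branch office clients"
netsh dhcp server scope 172.16.16.0 add iprange 172.16.16.4 172.16.16.254
# Hold back the top of the range for statically addressed devices
netsh dhcp server scope 172.16.16.0 add excluderange 172.16.16.200 172.16.16.254

# Scope options: 003 router, 006 DNS servers, 015 DNS domain name
netsh dhcp server scope 172.16.16.0 set optionvalue 003 IPADDRESS 172.16.16.1
netsh dhcp server scope 172.16.16.0 set optionvalue 006 IPADDRESS 172.16.16.2 10.10.0.10
netsh dhcp server scope 172.16.16.0 set optionvalue 015 STRING research.contoso.com

# Activate the scope (state 1 = active)
netsh dhcp server scope 172.16.16.0 set state 1

# Verify the server-side configuration
netsh dhcp server show scope
netsh dhcp server scope 172.16.16.0 show optionvalue

# Then on NYC-CL2, renew and read back the lease to answer the two questions:
#   ipconfig /renew
#   ipconfig /all | findstr /i "IPv4 DHCP DNS"
```

The exclusion range is what keeps the server's own address and the router out of the lease pool once the range is widened; verifying with `show optionvalue` before activating catches a mistyped DNS or router option before clients pick it up.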
Module 4
Lab Instructions: Planning and Provisioning Active Directory Domain Services
Contents:
Exercise 1: Planning an Active Directory Structure
Exercise 2: Active Directory Domain Services Backup and Recovery
Exercise 3: Configuring Active Directory Recycle Bin
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso, Ltd. has a number of new sales offices in the western region. Allison Brown has asked you to determine the appropriate Active Directory configuration for them, and to document your proposals. Contoso is preparing to migrate to Windows Server 2008 R2 domain controllers. The New York Branch has already migrated and you have been asked to test the backup and restore functionality for the Contoso.com Active Directory Domain Services structure. In addition, you have been asked to raise the forest functional level for the forest and enable the Active Directory Recycle Bin feature for the Contoso.com domain. For this project, you must complete the following tasks:
- Plan an Active Directory structure.
- Back up and restore the Active Directory Domain Services database.
- Configure the Active Directory Recycle Bin.
Supporting Documentation
E-mail thread of correspondence with Alan Steiner:

Gregory Weber

From: Alan Steiner [Alan@Contoso.com]
Sent: 24 August 2011 14:02
To: Gregory@Contoso.com
Subject: Re: Branch Office Plan
Attachments: Sales Office Details.doc

Greg,
Take a look at the attached document. Get back to me with any questions. I got this from Joe Healy, the sales manager.
Alan

----- Original Message -----
From: Gregory Weber [Gregory@Contoso.com]
Sent: 24 August 2011 13:30
To: Alan@Contoso.com
Subject: Branch Office Plan

Alan,
What can you tell me about these new sales offices?
Thanks,
Greg

There was some talk of creating a separate name space for sales, such as Sales.Contoso.com, but we have implemented this only as an e-mail domain. The computers are all part of the Contoso.com domain. We've had some issues in the past with security; we often have members of the public in our sales offices, and consequently, security is a critical factor. We do not always have the option of a secure computer room, and so our laptops are locked to the desks. Servers are often to be found in a closet, or small office. Each branch office consists of a number of subnets; two for hosting the sales staff laptops and another for branch network servers.

Branch Office Planning
Document Reference Number: GW0809/2
Document Author: Gregory Weber
Date: September 1

Requirement Overview
To determine the placement and configuration of domain controllers and related services at the western region sales offices.

Additional Information
It is important that in the event of a link failure between the head office and branch offices, users are still able to log on to the network and access services.

Proposals
1. Do you intend to deploy a domain controller(s) in the branch offices? How many?
2. Will you deploy an RODC(s)?
3. How will you optimize the directory replication for the branches?
4. How will domain controllers determine in which branch they are located?
5. Do you anticipate the need for global catalog services?
6. How will you configure global catalog and DNS?
7. What additional Active Directory-related services are required to support the branch office line-of-business applications?
Task 2: Update the Branch Office Planning document with your proposals.
Answer the questions in the Branch Office Planning document.
Results: At the end of this exercise, you will have planned an Active Directory Domain Services strategy.
6. At the command prompt, type the following, and then press Enter. This restores the system state from the backup to NYC-DC1. Use the version identifier recorded in the previous step in place of <versionidentifier>. Type Y, and then press Enter when prompted.
   Note: The restore will take approximately 45 minutes.
7. Restart NYC-DC1 when prompted.
8. Log on to NYC-DC1 as Contoso\Administrator, with the password Pa$$w0rd.
9. Click Start, click Run, and in the Open field, type msconfig, and then press Enter.
10. In the System Configuration window, click the Boot tab.
11. On the Boot tab, clear the check box to deselect Safe boot, and then click OK.
12. In the System Configuration pop-up window, click Restart. The computer will restart. On restart, NYC-DC1 will run Active Directory Domain Services integrity checks to confirm the integrity of the newly restored Active Directory Domain Services database.
13. Log on to NYC-DC1 as NYC-DC1\Administrator, with the password Pa$$w0rd.
14. Open Active Directory Users and Computers.
15. Confirm that the IT OU has been restored.
16. Close Active Directory Users and Computers.

Results: At the end of this exercise, you will have successfully backed up and recovered Active Directory Domain Services.
Exercise Overview
The main tasks for this exercise are as follows:
1. Raise the forest functional level for Contoso.com.
2. Enable Active Directory Recycle Bin.
3. Create and delete a test object in the Contoso.com domain.
4. Restore the test object from Active Directory Recycle Bin.
Task 4: Restore the deleted test object from Active Directory Recycle Bin.
1. Open the Active Directory Module for Windows PowerShell.
2. Run the following command to view objects in Active Directory Recycle Bin with a display name of Mary.
3. Run the following command to restore the object located in the previous step.
4. Close the Active Directory Module for Windows PowerShell window.
5. Open Active Directory Users and Computers.
6. Navigate to the IT OU and confirm that the Mary user account is present.
7. Delete the Mary test account.
8. Close Active Directory Users and Computers.
Results: At the end of this exercise, you will have configured the Active Directory Recycle Bin.
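The four tasks of this exercise, carried out end to end with the Active Directory module, as an added example that is not the lab's own command text. It assumes it runs on NYC-DC1 as an Enterprise Admin, that the forest is contoso.com, and that the IT OU exists (it is restored in Exercise 2); the test user Mary is created here rather than through the GUI.

```powershell
# Added example: AD Recycle Bin end to end (not the lab's own commands).
# Assumes: NYC-DC1, Enterprise Admin, forest contoso.com, OU=IT exists.
Import-Module ActiveDirectory

# 1. Raise the forest functional level; the Recycle Bin requires Windows Server 2008 R2.
Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest -Confirm:$false

# 2. Enable the optional feature. This is forest-wide and cannot be disabled again,
#    so it belongs in a change record, not an ad-hoc console session.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false
Get-ADOptionalFeature -Identity 'Recycle Bin Feature' | Select-Object Name, EnabledScopes

# 3. Create and delete a test user in the IT OU.
$ou = 'OU=IT,DC=contoso,DC=com'
New-ADUser -Name 'Mary' -DisplayName 'Mary' -Path $ou
Remove-ADUser -Identity "CN=Mary,$ou" -Confirm:$false

# 4. Find the deleted object. With the Recycle Bin enabled its attributes,
#    including LastKnownParent, are preserved for the deleted-object lifetime ...
$deleted = Get-ADObject -Filter { DisplayName -eq 'Mary' -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties DisplayName, LastKnownParent, WhenChanged
$deleted | Format-List Name, DisplayName, LastKnownParent, WhenChanged

# ... so a restore needs no authoritative restore or backup: it goes straight
#     back to its original container.
$deleted | Restore-ADObject
Get-ADUser -Identity "CN=Mary,$ou" | Select-Object Name, Enabled, DistinguishedName
```

The Name of the deleted object carries a "\0ADEL:<guid>" suffix while it sits in the Recycle Bin, which is why the search uses DisplayName rather than Name. Restoring from a backup, as in Exercise 2, remains the fallback for objects whose deleted-object lifetime has expired.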
Module 5
Lab Instructions: Planning Group Policy Strategy
Contents:
Exercise 1: Planning Group Policy
Exercise 2: Implementing the Proposed GPO Plan
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Ed Meadows has asked you to look at the existing GPO infrastructure with a view to updating it to support the requirements of new branch offices. A list of requirements is provided, and you must consider these requirements and then propose a GPO solution that addresses these requirements. For this project, you must complete the following tasks:
- Plan group policies for Contoso.
- Implement the GPOs required by your plan.
Supporting Documentation
Email thread of correspondence with Ed Meadows:

Charlotte Weiss

From: Ed Meadows [Ed@contoso.com]
Sent: September 15, 2011 17:30
To: Charlotte@contoso.com
Subject: Group policy implementation

I'd like you to take the lead on planning our implementation of group policy. At this time, we have only the default GPOs in place for the domain and domain controllers. Here are the requirements:
- Read and write access to removable drives should be blocked for all office computers, including servers. Because we've upgraded all the computers to Windows 7 and Windows Server 2008 R2, this should be no problem. We must ensure that another GPO does not override this setting.
- Because of the creation of the three new branch offices for the Research Department, we are hiring a new person to manage those offices. We'd like the new person to be able to manage group policy for those remote offices, but not the head office.
- I'd like to start using group policy preferences for drive mappings, rather than logon scripts. We want the drive letters to be consistent in each location, but the server names will vary in each location.
- Application installation and updates for the branches will be done by using group policy. In the branch offices, the sales staff and office staff will have different applications. We need to be able to roll applications out one location at a time, during initial deployment. However, later updates can be done for all branches at once. Application installation files should be stored in DFS and replicated to each branch.
- The computer training lab in the head office should not be subject to the restriction on removable drives. We'll be using USB drives to configure these computers for various courses.
At a minimum, I need you to determine how these can be implemented. As part of your plan, please create an OU structure and define where each group policy will be linked. Let me know if you require any clarification.
Ed
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the Contoso Group Policy Plan document.

Contoso Group Policy Plan
Document Reference Number: CW0911/1
Document Author: Charlotte Weiss
Date: September 16

Requirements Overview
Create the AD DS infrastructure required to support GPO deployment. Create GPOs and link them to the containers in AD DS. Configure filtering and loopback processing as required to fine-tune the GPO application.

Proposals
1. How will you accommodate the requirement to block access to removable read and write storage devices on office computers, and ensure that this setting cannot be overridden?
2. How do you intend to allow the new user in the branch offices to be able to manage branch office GPOs, but not head office GPOs?
3. How do you propose to support the different application needs of sales and office staff in the branch offices?
4. What changes to your plans must you make to support the training lab requirements?
Task 3: Compare your solution with the one provided in the Lab Answer Key.
Compare your solution to the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: In this exercise, you completed the Contoso Group Policy Plan.
GPO                        Settings                                          Filters                                                        Linked to
                           Block read and write access to removable drives   Security filter: Lab computers group denied apply permission
Head office Preferences    Drive letter mappings for head office             None
Branch 1 Preferences       Drive letter mappings for branch 1                None                                                           Branch 1
Branch 2 Preferences       Drive letter mappings for branch 2                None                                                           Branch 2
Branch 3 Preferences       Drive letter mappings for branch 3                None                                                           Branch 3
Branch Sales Applications  Applications for branch sales staff
2. Create the following computer object:
   Object type: Computer
   Name: Lab1
   Location: Contoso.com\Head Office
3. Add Lab1 to the Lab Computers group.
4. Open Group Policy Management.
5. Create a new GPO with the following properties:
   Name: Enforced Security
   Location: Forest: Contoso.com\Domains\Contoso.com
6. Enable the following settings in the Enforced Security GPO:
   Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny read access
   Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access
7. Close Group Policy Management Editor.
8. Enforce the Enforced Security GPO.
9. Grant the following delegation permissions on the Enforced Security GPO:
   Lab Computers: Deny Read
   Lab Computers: Deny Apply group policy
2. Navigate to User Configuration > Preferences > Windows Settings > Drive Maps. Add a new drive map:
   Location: \\branchsvr1\shared
   Drive letter: S:
3. Close the Group Policy Management Editor.
4. Link the new GPO to the Branch1 organizational unit.
3. In Active Directory Users and Computers, create the following group:
   Object type: Security group
   Name: Office Staff
   Location: Contoso.com\Head Office\Branches
   Type and scope: Defaults
4. Close Active Directory Users and Computers.
5. Switch to Group Policy Management.
6. Create a new Group Policy object with the following properties:
   Name: Sales Applications
   Location: Forest: Contoso.com\Domains\Contoso.com\Group Policy Objects
7. Create a new Group Policy object with the following properties:
   Name: Office Applications
   Location: Forest: Contoso.com\Domains\Contoso.com\Group Policy Objects
8. Click the Sales Applications GPO. Remove the Authenticated Users object from the Security Filtering list. Add Sales Staff to the Security Filtering list.
9. Click the Office Applications GPO. Remove the Authenticated Users object from the Security Filtering list. Add Office Staff to the Security Filtering list.
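The Enforced Security GPO from the earlier task (removable-disk deny settings, enforced link) and the security filtering for the Sales Applications and Office Applications GPOs above can both be produced with the GroupPolicy module. The script below is an added example, not the lab's own steps; it assumes it runs on NYC-DC1 as a domain administrator, that the Lab Computers, Sales Staff and Office Staff groups already exist, and that the registry path shown is the one behind the two Removable Disks policy settings (the GUID is the disk device-class identifier those settings use). On Windows Server 2008 R2 the permission cmdlets are named Set-GPPermissions and Get-GPPermissions; later versions use the singular names and keep the plural as aliases.

```powershell
# Added example: Enforced Security GPO and application-GPO filtering via the
# GroupPolicy module (not the lab's own script).
# Assumes: NYC-DC1, domain admin; groups Lab Computers / Sales Staff / Office Staff exist.
Import-Module GroupPolicy

$domainDN = 'DC=contoso,DC=com'
# Registry path behind "Removable Storage Access\Removable Disks: Deny read/write".
$removableDisksKey = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

# --- Enforced Security: deny read and write to removable disks, enforced at the domain
$gpo = New-GPO -Name 'Enforced Security' -Comment 'Blocks removable disks on all office computers'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $removableDisksKey -ValueName 'Deny_Read'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $removableDisksKey -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null
# Enforced: a GPO linked lower down (for example at an OU) cannot override these settings.
New-GPLink -Name $gpo.DisplayName -Target $domainDN -LinkEnabled Yes -Enforced Yes | Out-Null

# --- Application GPOs: replace the default Authenticated Users "Apply" with a group filter
$filters = @{ 'Sales Applications' = 'Sales Staff'; 'Office Applications' = 'Office Staff' }
foreach ($gpoName in $filters.Keys) {
    New-GPO -Name $gpoName | Out-Null
    # Keep Read for Authenticated Users (computers must still read the GPO to process
    # user settings) but drop Apply, which removes it from the Security Filtering list ...
    Set-GPPermissions -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    # ... and grant Read + Apply only to the intended staff group.
    Set-GPPermissions -Name $gpoName -TargetName $filters[$gpoName] -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# --- Verify: who can apply each GPO, and the enforced link at the domain
foreach ($gpoName in @('Enforced Security') + @($filters.Keys)) {
    Get-GPPermissions -Name $gpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{n='GPO'; e={ $gpoName }}, @{n='Trustee'; e={ $_.Trustee.Name }}, Permission
}
(Get-GPInheritance -Target $domainDN).GpoLinks | Select-Object DisplayName, Enforced, Enabled
```

Set-GPPermissions writes Allow entries only, so the Deny Read / Deny Apply group policy entries for Lab Computers in step 9 of the earlier task are still set in Group Policy Management; the verification loop is the place to confirm afterwards that Lab Computers no longer appears as an Apply trustee.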
In the Branch1 on Branch1 area, under Computer Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs.
   Question: Which policies apply and do not apply, and why?
Under User Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs.
   Question: Which policies apply and do not apply, and why?
Results: In this exercise, you implemented the appropriate group policies for users in Branch 1.
Module 6
Lab Instructions: Planning Active Directory Certificate Services
Contents:
Exercise 1: Certificate Services Deployment Planning
Exercise 2: Stand-Alone Root and Enterprise Subordinate CA
Exercise 3: Configure Key Archiving and Recovery
Exercise 4: Online Certificate Status Protocol Array
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Repeat steps 2 to 4 for 6433A-NYC-SVR1, 6433A-NYC-CA1, and 6433A-NYC-CL1. For NYC-CA1, log on as Administrator with the password Pa$$w0rd.
Lab Scenario
Contoso has a head office site located in Melbourne, Australia and state branch offices located in Sydney, Perth, Adelaide, and Hobart. Contoso requires the deployment of two certificate servers. One certificate server will be placed on the perimeter network and will be used to issue certificates to partners and third parties. The second certificate server will be deployed on the internal network and will be the primary point for the distribution of organizational certificates. You will configure this CA to support key archiving and recovery. You will also configure this CA to support an OCSP array. For this project, you must complete the following tasks:
- Plan a suitable Certificate Services deployment for Contoso.
- Configure a stand-alone root and enterprise subordinate CA.
- Configure key archiving and recovery.
- Configure an Online Certificate Status Protocol array.
Requirements Overview
1. Contoso Australia wants to use Active Directory Certificate Services to deploy certificates to support the following certificate types:
   - Computer certificates for SSL and TLS and DirectAccess
   - Encrypting File System certificates
   - BitLocker and EFS Data Recovery Agents
   - Key Recovery Agent certificates
2. Contoso Australia's head office location is in Melbourne, Australia. There are branch offices in the state capital cities of Sydney, Adelaide, Perth, and Hobart.
3. Your design needs to ensure that certificates can be renewed in the event of a WAN failure.
4. Your design needs to ensure that revocation checks can occur in the event of a WAN failure.
5. Your design should minimize the impact that revocation checks have on network utilization.
6. The root Certification Authority should be made as secure as possible.
Results: In this exercise, you planned an appropriate certificate services configuration for Contoso.
3. Close the command prompt.
4. Switch to NYC-CA1.
5. Click Start, right-click Computer, and then click Properties.
6. Click Advanced system settings and click Computer Name.
7. Click Change and then click More.
8. In the Primary DNS suffix of this computer dialog box, type contoso.com.
9. Close the dialog box and restart the computer.
10. When the server restarts, log on as Administrator with the password Pa$$w0rd.
11. Open Server Manager, and then click Add Roles.
12. On the Select Server Roles page, select the Active Directory Certificate Services check box, and click Next twice.
13. On the Select Role Services page, select the Certification Authority and Certification Authority Web Enrollment check boxes.
14. When prompted, click Add Required Role Services.
15. On the Specify Setup Type page, click Stand-alone.
16. On the Specify CA Type page, ensure that Root CA is selected.
17. On the Set Up Private Key page, ensure that Create a new private key is selected.
18. On the Configure Cryptography for CA page, set the Key character length to 4096.
19. On the Configure CA Name page, click Next.
20. On the Set Validity Period page, set the validity to 6 years, and then click Next five times.
21. On the Confirm Installation Selections page, click Install. Close the wizard when it completes.
22. Open the Certification Authority console.
23. Expand contoso-NYC-CA1-CA, right-click the Revoked Certificates node, click All Tasks, and then click Publish. On the Publish CRL page, click OK.
24. Open an elevated command prompt, issue the following command, and press Enter.
Copy c:\windows\system32\certsrv\certenroll\*.* \\nyc-svr1\certs
25. Switch to NYC-DC1.
26. Open an elevated command prompt and issue the following commands, pressing Enter at the end of each line:
Dnscmd /recordadd contoso.com nyc-ca1 A 10.10.0.20
Certutil -dspublish -f \\nyc-svr1\certs\NYC-CA1.contoso.com_contoso-NYC-CA1-CA.crt
Note This will publish the stand-alone root CA's root certificate to the enterprise root store in Active Directory.
gpupdate /force
3. Open the Server Manager console, click Roles, click Add Roles, and then click Next.
4. On the Select Server Roles page, select Active Directory Certificate Services, and then click Next three times.
5. On the Specify Setup Type page, select Enterprise, and then click Next.
6. On the Specify CA Type page, select Subordinate CA, and then click Next.
7. On the Set Up Private Key page, select Create a new private key, and then click Next three times.
8. On the Request Certificate From a Parent CA page, click Browse, and then click ContosoCA.
9. Click OK, click Next twice, and then click Install.
Results: In this exercise, you installed both a Stand-alone Root and an Enterprise Subordinate CA.
10. In the Certification Authority console, click Pending Requests. Issue the certificate.
11. Right-click Contoso-NYC-SVR1-CA and then click Properties.
12. On the Recovery Agents tab, select Archive the Key, and then click Add.
13. On the Key Recovery Agent Selection dialog box, click OK. Click Apply.
Note If no Key Recovery Agent is present, open an elevated command prompt, issue the command certutil -pulse, and reopen the CA properties dialog box.
14. Restart Active Directory Certificate Services.
15. Click the Issued Certificates node. Right-click the listed certificate, click All Tasks, and then click Export Binary Data.
16. Select Save binary data to a file and save the file as Recovery_Agent.cer to the Desktop.
17. In the Certificates console, right-click the Personal node, click All Tasks, and then click Import.
18. Select Recovery_Agent.cer on the Desktop and then click Open. Click OK.
10. Issue the command CertUtil -GetKey SearchToken EFSKEY.cer, where SearchToken is the certificate serial number that you made note of in step 14.
Note Do not put any spaces in the serial number when recovering the private key.
11. In the MMC that has Certificates - Current User Snap-In, right-click the Personal\Certificates node, click All Tasks, click Import, and then click Next.
12. Click Browse and navigate to c:\certs\EFSKEY.cer, click Next twice, and then click Finish. Then, click OK.
Results: In this exercise, you configured a Key Recovery Agent, configured a certificate template so that private keys are archived, and performed a private key recovery.
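As an added example that is not part of the Microsoft lab, the following PowerShell performs the same Key Recovery Agent recovery from the command line: certutil -getkey as in the steps above, followed by certutil -recoverkey, which decrypts the retrieved blob with the KRA's private key. The CA config string, the serial number and the output folder are assumptions or placeholders to be replaced with the values you noted during the exercise.

```powershell
# Added example, not part of the Microsoft lab: recover an archived private key as the Key
# Recovery Agent, using certutil -getkey (as in the lab) followed by certutil -recoverkey,
# which decrypts the retrieved blob with the KRA's private key. CA config string, serial
# number and output folder are assumptions or placeholders; substitute the values you noted.
param(
    [string]$CAConfig = "NYC-SVR1\Contoso-NYC-SVR1-CA",   # assumption: enterprise subordinate CA
    [string]$Serial   = "<serial number from step 14>",     # placeholder, taken from the CA console
    [string]$OutDir   = "C:\certs"                          # assumption
)

# 1. The CA console shows the serial with spaces; certutil needs it without (see the note above).
$SerialClean = $Serial -replace '\s', ''
if ($SerialClean -notmatch '^[0-9A-Fa-f]+$') {
    throw "Serial number must be hexadecimal with no spaces, got '$Serial'."
}

# 2. Recovery only works for a user holding a KRA certificate with its private key.
#    1.3.6.1.4.1.311.21.6 is the Key Recovery Agent enhanced key usage OID.
$kra = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.21.6' })
}
if (-not $kra) {
    throw "No Key Recovery Agent certificate with a private key in the current user's Personal store."
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$blob = Join-Path $OutDir "$SerialClean.rec"
$pfx  = Join-Path $OutDir "$SerialClean.pfx"

# 3. Pull the archived key blob from the CA database. The blob is encrypted to the KRA's
#    public key, so it does not expose the user's private key on its own.
certutil -config $CAConfig -getkey $SerialClean $blob
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed with exit code $LASTEXITCODE." }

# 4. Decrypt it with the KRA's private key into a password-protected PFX (certutil prompts
#    for the password) that the user imports into Personal\Certificates.
certutil -recoverkey $blob $pfx
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed with exit code $LASTEXITCODE." }

# 5. The intermediate blob is no longer needed.
Remove-Item $blob -Force
"Recovered key written to $pfx"
```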
10. Right-click the Personal\Certificates node, click All Tasks, and click Request New Certificate.
11. Enroll in the Advanced OCSP Response Signing certificate.
12. Expand Certificates (Local Computer), expand Personal, and then click Certificates. Right-click the new certificate, click All Tasks, and click Manage Private Keys.
13. On the Security tab, click Add. Enter Network Service. Assign Full control permission.
10. On the URL Retrieval Tool, ensure that OCSP (from AIA) is selected and then click Retrieve.
11. Click Exit to close the URL Retrieval Tool.
Note As all these actions are occurring quickly, the OCSP, while present, may not have picked up the revoked status of the certificate.
Results: In this exercise, you configured an online responder array that can respond to CRL checks for certificates issued by the enterprise subordinate CA.
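As an added check that is not part of the Microsoft lab, this PowerShell uses the .NET X509Chain API (rather than the URL Retrieval Tool) to build the chain for a certificate issued by the enterprise subordinate CA with a forced online revocation check, and separates a confirmed revocation from an unreachable responder or CRL. The certificate path is an assumption.

```powershell
# Added example, not part of the Microsoft lab: force an online revocation check on a
# certificate issued by the enterprise subordinate CA and report exactly what came back.
# $CertPath is an assumption; point it at a certificate exported from the CA console.
param(
    [string]$CertPath = "C:\certs\TestCert.cer"
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Online mode queries the OCSP responder named in the AIA extension and falls back to the CRL,
# instead of reusing a cached answer; EntireChain checks the subordinate CA's certificate too.
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$trusted = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Serial  : $($cert.SerialNumber)"
"Trusted : $trusted"
foreach ($element in $chain.ChainElements) {
    "  $($element.Certificate.Subject)"
    foreach ($status in $element.ChainElementStatus) {
        "    $($status.Status): $($status.StatusInformation.Trim())"
    }
}

# Separate the outcomes a revocation check can have. 'RevocationStatusUnknown' and
# 'OfflineRevocation' mean no responder or CRL answered (the WAN-failure case the design
# requirements call out); that is not the same as 'valid' and must not be treated as such.
# A responder still serving a pre-revocation 'good' response (the situation the lab's note
# describes) is reported as good here too; compare with the CA's Revoked Certificates node if in doubt.
$flags = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
if ($flags -match '\bRevoked\b') {
    Write-Warning "The certificate or one of its issuers is revoked."
} elseif ($flags -match 'RevocationStatusUnknown|OfflineRevocation') {
    Write-Warning "Revocation status could not be determined ($flags); the OCSP responder and CRL were unreachable."
} elseif ($trusted) {
    "Chain builds and revocation status is good for every certificate in the chain."
} else {
    Write-Warning "Chain failed for another reason: $flags"
}
```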
Module 7
Lab Instructions: Planning and Provisioning Application Servers
Contents:
Exercise 1: Planning Application Deployment
Exercise 2: Configuring Group Policy Settings for Remote Desktop Policies
Exercise 3: Installing and Configuring a Remote Desktop Gateway
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
You have been tasked with making changes to Contoso, Ltd's application server infrastructure to accommodate the recent Windows Server 2008 migration. All application servers have been upgraded to Windows Server 2008 R2. Your supervisor, Ed Meadows, has sent you an e-mail containing a new request for an application deployment for the Marketing department. Ed would like you to review the request and provide a recommendation for deploying the application. Finally, you are to create a Group Policy object containing settings for the soon-to-be-implemented CRM application. As well, you have been asked to provide connectivity for outside users via Remote Desktop Gateway. For this project, you must complete the following tasks:
- Plan the deployment of an application.
- Configure Group Policy settings for Remote Desktop Services.
- Install and configure Remote Desktop Gateway.
Supporting Documentation
E-mail thread of correspondence with Ed Meadows:

Charlotte Weiss
From: Ed Meadows [Ed@contoso.com]
Sent: 25 July 2011 17:00
To: Charlotte@contoso.com
Subject: FW: New CRM program

Charlotte,
Here are the details I've received from Adam Carter, our national marketing manager, regarding their CRM app deployment - the details look pretty complete. From what Adam says in his email, it looks like this will be nationwide, all locations. I also want to remind you that we have several of the quad processor servers left over from the Hyper-V implementation that can be allocated to this project if necessary. Let me know if you need anything else.
Regards,
Ed

----- Original Message -----
From: Adam Carter [Adam@contoso.com]
Sent: 24 July 2011 13:30
To: Ed@contoso.com
Subject: New CRM program

Ed,
Here is what I can tell you so far about the new CRM program.
We will be using this program in all of our branch offices nation-wide to maintain client information. Our branch office staff will all need access to the program as they all handle sales. Most of our Marketing staff share two or three computers out on the floor. These will need to have the program loaded as well. There is a database server component that comes with the software. The program needs to be able to access the database in order to run properly. The plan right now is to put the database server in New York. This application will be a critical part of our Marketing plan nationwide and it has to be available during business hours.
Adam
Application Deployment Plan

Requirements Overview
Determine the appropriate application delivery method to use for the Marketing department's new CRM application.
Proposals
1. What type of application configuration should be used for the CRM application?
Answer: Remote Desktop Session Host presentation virtualization should be used for this implementation. Due to the spread-out nature of the users and the specific requirements of the application, this method will provide the best performance and scalability for the application while requiring relatively few new resources.
2. Where should the application host servers be located within Contoso, Ltd's branch network?
Answer: The application servers should be hosted in New York, where the database server is located. A large amount of network bandwidth will be required between the application servers and the database server.
3. How can the application deployment be implemented to handle the current user load and easily scale to accommodate user growth?
Answer: A server farm should be created in the New York location. The Remote Desktop Connection Broker service should be installed to implement application load balancing for the farm.
4. How should the application deployment integrate with the server component of the CRM application?
Answer: The applications running on the RD Session Host farm group members should be configured to connect to the CRM database server over the network. Adequate network configuration should be implemented between RD Session Host servers and the database server in order to avoid negatively impacting the application's performance.
5. What potential issues could arise with the current configuration? How could these issues be rectified?
Answer: There is currently only one RD Connection Broker in the deployment. Failure of this server would result in the temporary unavailability of the RD Session Host servers. This could be rectified by configuring the RD Connection Broker server as a member of a failover cluster.
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.
Task 3: Compare your solution with the one provided in the Lab Answer Key.
Compare your solution with the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Task 2: Create a Group Policy Object called AppServerPolicy and link it to the CRMAppServers OU
1. On NYC-DC1, in the Group Policy Management Console, create a new GPO named CRMAppPolicy.
2. Drag the CRMAppPolicy from the Group Policy Objects node onto the CRMAppServers node.
3. Ensure that the GPO is linked.
2. In the GPMC Editor window, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session time limits.
3. Enable the Set time limit for disconnected sessions setting and configure it for 5 minutes.
4. Close the Group Policy Management Editor window, and then close the Group Policy Management console window.
Results: In this exercise, you will have configured remote desktop policies.
5. Connect to NYC-SVR1, and log on as Contoso\Andrea.
6. Verify that you can connect to NYC-SVR1 through the Remote Desktop Gateway.
7. Log off NYC-SVR1.
Results: In this exercise, you deployed and configured the Remote Desktop Gateway role service and verified the RD Gateway functionality.
Module 8
Lab Instructions: Planning File and Print Services
Contents:
Exercise 1: Planning File Services
Exercise 2: Implementing File Services in the Branch Office
Exercise 3: Implementing Print Services in the Branch Office
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Ed Meadows has asked you to deploy file and print services at the new branch offices. You have decided to test the deployment with branch 1. Your tasks are to plan the deployment, and then implement both file and print services at the branch. For this project, you must complete the following tasks:
- Plan the deployment of file and print services.
- Implement file services in the branch office.
- Implement print services in the branch office.
Supporting Documentation:
E-mail thread of correspondence with Ed Meadows:

Charlotte Weiss
From: Ed Meadows [Ed@contoso.com]
Sent: 22 October 2011 12:30
To: Charlotte@contoso.com
Subject: File and print services in the branches

Charlotte,
Thanks for agreeing to head up this deployment. I've drawn up a list of requirements for the file and print services at the first branch. Although these offices are all new, the departments based there are moving their existing server infrastructure across to the new locations. Here are the initial requirements:
- The marketing team has an application that stores data files at a local file server. Someone in the team then manually copies these files to a central location where they can be consolidated. We need to automate this process.
- There are three departments in each branch: marketing, research, and production. We need a data folder for each department.
- Each user account requires a home folder for personal files. We'll use GPO to configure folder redirection for documents to this personal location.
- Users require standardized desktop settings. We'll use GPO to create a folder redirection, but we need the folders that will store these desktop settings and start menus. I think the best approach is to use advanced folder redirection based on security group membership.
- The production team has a UNIX application. We need to host these files on the branch server. We will migrate the application to Win32 later.
- There's an old Windows 2000 file server in the research department. I think we should take the opportunity to migrate the data from that.
- We need to implement printer locations and publish all printers in AD DS to ensure that visiting users to each branch can quickly locate the nearest printer.
- Storage is limited at the branch, and the department heads are happy to apportion the cost of storage, based upon departmental usage.
- We've had some problems with storage being consumed by large media files. We need to resolve this issue at this new branch before it goes the same way as the head office servers.
2. Update the Branch Offices File and Print Service Deployment Plan document with your planned course of action.
3. Compare your solution to the one provided in the Lab Answer Key.
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the Branch Offices File and Print Service Deployment Plan document.

Branch Offices File and Print Service Deployment Plan
Document Reference Number: CW0111/1
Document Author: Charlotte Weiss
Date: 1st November

Requirements Overview
Implement file and print services in the branch offices.
Migrate data from legacy systems running UNIX and Windows 2000 Server.
Support the data storage needs of the three departments at the branch offices, including:
- Home folders for each user.
- Departmental shared folders.
- Folders to store departmental Start Menu and Desktop settings.
Automatic consolidation of marketing team data to a central location each evening.
Deploy print services to support the branch users.
Proposals
1. Which file services role service will you deploy to support the needs of the branch office users?
2. Which folder structure do you envisage to support the needs of the branch offices?
3. Which folder permissions do you envisage configuring on these folders?
4. Which shared folders will be required for the branch offices?
5. Which permissions will you configure on these folders?
6. What must you consider when planning to migrate files from the Windows 2000 Server?
7. How will you meet the needs of department heads to determine storage usage?
8. How will you restrict file types that can be stored on the new server?
Task 3: Compare your solution to the one provided in the Lab Answer Key.
Compare your solution to the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: At the end of this exercise, you will have planned the file and print services deployment for the branch offices.
Share name: Marketing
Share permissions: Everyone Allow Full Control
Local NTFS security permissions: Remove Users permissions. Grant Contoso\Marketing Allow Modify permissions.
5. Create a file screen for C:\User Data:
   Derive properties from this file screen template (recommended): Block Audio and Video Files.
3. In the navigation pane, right-click File Server Resource Manager (Local), and then click Configure Options.
4. On the File Screen Audit tab, enable Record file screening activity in the auditing database.
5. Close File Server Resource Manager.
Results: At the end of this exercise, you will have implemented elements of the branch office file services.
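As an added example that is not part of the Microsoft lab, the Marketing share, its NTFS permissions and the audio/video file screen from this exercise expressed as PowerShell over the built-in icacls, net share and filescrn tools. The Marketing folder path under C:\User Data is an assumption (the lab does not state it), and filescrn.exe requires the File Server Resource Manager role service to be installed.

```powershell
# Added example, not part of the Microsoft lab: script the Marketing share from this exercise
# together with the audio/video file screen. The Marketing folder path is an assumption
# (the lab does not state it); filescrn.exe requires the FSRM role service to be installed.
param(
    [string]$DataRoot = "C:\User Data",         # path the file screen step in the lab uses
    [string]$Share    = "Marketing",
    [string]$Group    = "Contoso\Marketing"
)
$Folder = Join-Path $DataRoot $Share            # assumption: C:\User Data\Marketing
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# NTFS layer: convert inherited entries to explicit ones, drop BUILTIN\Users, then grant
# Modify (not Full Control) to the department group, inherited by files and subfolders.
icacls $Folder /inheritance:d
icacls $Folder /remove:g Users
icacls $Folder /grant "${Group}:(OI)(CI)M"

# Share layer: Everyone / Full Control, as the exercise specifies. Effective access is the
# more restrictive of share and NTFS permissions, so non-members still get nothing.
net share "$Share=$Folder" "/GRANT:Everyone,FULL"

# FSRM: derive the screen from the built-in template used in the exercise.
filescrn screen add /path:"$DataRoot" /sourcetemplate:"Block Audio and Video Files"

# Show the result so it can be compared with what the exercise describes.
icacls $Folder
filescrn screen list /path:"$DataRoot"
```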
3. Create a new subnet:
   Prefix: 172.16.16.0/24
   Site: Default-First-Site-Name
Note We are using the Default-First-Site-Name here because we do not have domain controllers in the branches to support separate sites.
4. Modify the Location string for the subnet: Contoso/New York/Branch Offices/Branch 1
5. Modify the location string for the Default-First-Site-Name site: Contoso/New York/Branch Offices
6. Close Active Directory Sites and Services.
5. Add a new printer: On the What type of printer do you want to install page, click Add a network, wireless or Bluetooth printer. The Research Color Laser is listed.
Results: At the end of this exercise, you will have configured the branch office printing environment.
Module 9
Lab Instructions: Planning Network Access
Contents:
Exercise 1: Planning Network Access
Exercise 2: Implementing Network Access
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso has created a new regional research team. As a result, branch offices have been fitted out to support the various regional research functions. You were responsible for planning and implementing the network infrastructure for the branch offices. Dylan Miller, the national Research Manager, has been in contact regarding the need for Research staff to work from home. They still require access to resources both in their branches and the head office. Ed Meadows, a colleague in IT, has just returned from some of the branch offices after conducting a needs analysis with the users and management team.
You need to consider the information resulting from this needs analysis and then determine the appropriate remote network access solution for the branch office users. Next, you must implement a part of the plan. For this project, you must complete the following tasks:
- Plan network access for branch office users.
- Implement the network access plan.
Supporting Documentation
E-mail thread of correspondence with Ed Meadows:

Charlotte Weiss
From: Ed Meadows [Ed@contoso.com]
Sent: 5 November 2011 14:27
To: Charlotte@contoso.com
Subject: Branch Office Network Access

Charlotte,
I've just got back from the branch offices tour. I chatted to various users and to the Research manager, Dylan Miller. Here are my findings:
- The users need access to all servers to which they usually connect, both in the head office and their branches.
- Most users work from home, but some work from customer sites and from wireless hotspots.
- Although we provide research workers with laptops, some use their own desktop computers from home.
- Dylan has stressed that due to the sensitive nature of the work that his staff undertake, security of data in transit is important.
From a technical standpoint, I've had a few thoughts:
- Just a reminder, we have deferred the IPv6 rollout, so there is currently no IPv6 at the branches or the head office.
- All client computers are configured by using DHCP. DHCP runs on the NYC-DC1 server at the head office.
- All clients should be running Windows Firewall.
Regards,
Ed
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Update the proposal document with your planned course of action.
3. Compare your solution with the one provided in the Lab Answer Key.
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the Branch Office Network Access Plan document.

Branch Office Network Access Plan
Document Reference Number: CW0611/1
Document Author: Charlotte Weiss
Date: 6th November

Requirements Overview
Plan a remote network access solution for Research department users based in branch offices.
Proposals
1. What remote access solutions would you consider to support the branch offices' users?
2. What network access technologies are suggested by the fact that some users access the Contoso network resources from public access points and from their own computers at home?
3. Dylan is concerned about the security of data in transit. What could you do to alleviate his legitimate concerns?
4. How would you propose to allocate IP configurations to remote access clients?
5. What is your remote network access solution? Provide details including server roles required to support the configuration.
Task 3: Compare your solution with the one provided in the Lab Answer Key.
Compare your solution with the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: In this exercise, you will have completed the Branch Office Network Access Plan document.
- Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server.
- Allow ping on NYC-EDGE1.
- Configure required NAP client settings.
- Move the client to the Internet.
- Create a VPN on NYC-CL1.
10. Under Network Access Protection, open the Default Configuration for the Windows Security Health Validator.
11. On the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections.
Note In reality, you would leave the default selections. However, to make testing the policy feasible, you are limiting the requirements.
12. Create a health policy with the following settings:
   a. Name: Compliant
   b. Client SHV checks: Client passes all SHV checks
   c. SHVs used in this health policy: Windows Security Health Validator
13. Create a health policy with the following settings:
   a. Name: Noncompliant
   b. Client SHV checks: Client fails one or more SHV checks
   c. SHVs used in this health policy: Windows Security Health Validator
14. Disable all existing network policies.
15. Configure a new network policy with the following settings:
   a. Name: Compliant-Full-Access
   b. Conditions: Health Policies = Compliant
   c. Access permissions: Access granted
   d. Settings: NAP Enforcement = Allow full network access
16. Configure a new network policy with the following settings:
   a. Name: Noncompliant-Restricted
   b. Conditions: Health Policies = Noncompliant
   c. Access permissions: Access granted
   Note A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients that match these conditions.
   d. Settings:
      I. NAP Enforcement = Allow limited access is selected and Enable auto-remediation of client computers is not selected.
      II. IP Filters = IPv4 input filter, Destination network = 10.10.0.10/255.255.255.255 and IPv4 output filter, Source network = 10.10.0.10/255.255.255.255.
17. Disable existing connection request policies.
18. Create a new Connection Request Policy with the following settings:
   a. Policy name: Branch VPN connections
   b. Type of network access server: Remote Access Server (VPN-Dial up)
   c. Conditions: Tunnel type = L2TP, SSTP, and PPTP
   d. Authenticate requests on this server = true
   e. Authentication methods:
      I. Select Override network policy authentication settings
      II. Add Microsoft: Protected EAP (PEAP).
      III. Add Microsoft: Secured password (EAP-MSCHAP v2)
   f. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is enabled.
Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server.
1. On NYC-EDGE1, open Routing and Remote Access.
2. Select Configure and Enable Routing and Remote Access.
3. Use the following settings to complete configuration:
   a. Select Remote access (dial-up or VPN).
   b. Select the VPN check box.
   c. Choose the interface called Public and clear the Enable security on the selected interface by setting up static packet filters check box.
   d. IP Address Assignment: Default.
   e. Complete the process by accepting defaults when prompted and confirming any messages by clicking OK.
4. Switch to the Network Policy Server console. Click the Connection Request Policies node, and press F5 to refresh the display. Disable the Microsoft Routing and Remote Access Service Policy. This was created automatically when Routing and Remote Access was enabled. Close the Network Policy Server management console and the Routing and Remote Access console.
5. Open Windows Firewall with Advanced Security. Create an Inbound Rule with the following properties:
   a. Rule Type: Custom
   b. Program: All programs
   c. Protocol and Ports: Choose ICMPv4 and then click Customize
      I. Specific ICMP types: Echo Request
   d. Scope: Default scope
   e. Action: Allow the connection
   f. Profile: Default profile
   g. Name: ICMPv4 echo request
the lab environment.
1. Switch to the NYC-CL1 computer.
2. Open the Local Policy Editor (gpedit.msc) and enable the Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only) setting.
3. Close the Local Group Policy Editor.
4. Run the NAP Client Configuration tool (napclcfg.msc).
5. Under Enforcement Clients, enable the EAP Quarantine Enforcement Client.
6. Close the NAP Client Configuration tool.
7. Run services.msc and configure the Network Access Protection Agent service for automatic startup.
8. Start the service.
9. Close the services console.
After you have created the VPN, modify its settings by viewing the properties of the connection and then selecting the Security tab. Use the following settings to reconfigure the VPN:
   a. Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled).
   b. Properties of this authentication type:
      I. Validate server certificate: true
      II. Connect to these servers: false
      III. Authentication method: Secured password (EAP-MSCHAP v2)
      IV. Enable Fast Reconnect: false
      V. Enforce Network Access Protection: true
3. Test the VPN connection:
   a. In the Network Connections window, right-click the Contoso VPN connection and then click Connect.
   b. In the Connect Contoso VPN window, click Connect.
   Note If you do not connect and receive error code 618, switch to NYC-EDGE1 and open the Network Policy Server. Disable any Connection Request policies found under Policy Name except for the Branch VPN Connections policy.
   c. View the details of the Windows Security Alert. Verify that the correct certificate information is displayed and then click Connect.
4. Verify that your computer meets the health requirements of the NAP policy:
   a. Use IPCONFIG /all to verify that the System Quarantine State is Not Restricted.
   b. Ping 10.10.0.10.
5. Disconnect the Contoso VPN.
6. On NYC-EDGE1, open the Network Policy Server and configure the Windows Security Health Validator to require an antivirus application:
   a. Switch to NYC-EDGE1 and open Network Policy Server.
   b. Modify the Default Configuration of the Windows Security Health Validator so that the An antivirus application is on check box is enabled on the Windows 7/Windows Vista selection.
7. Switch back to NYC-CL1 and reconnect the VPN.
8. Verify that your computer does not meet the health requirements of the NAP policy. Use IPCONFIG /all to verify that the System Quarantine State is Restricted.
9. Disconnect the VPN.
Results: In this exercise, you enabled and configured a VPN NAP enforcement policy for Contoso.
Module 10
Lab Instructions: Provisioning Data and Storage
Contents:
Exercise 1: Planning Data Access
Exercise 2: Installing and Configuring DFS
Exercise 3: Enabling and Configuring BranchCache
Lab Setup
Note Pay close attention to the instructor's guidance on starting, configuring, and reverting virtual machines within this lab.
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso has created a new regional research team. As a result, branch offices have been fitted out to support the various regional research functions. You were responsible for planning and implementing the network infrastructure for the branch offices.
Dylan Miller, the national Research Manager, has been in contact regarding the need for research to access file-based resources from the head office. Some branches have slow links and experience delays with accessing files. You need to consider how to make data available from the head office in the branches, while taking account of various issues, including WAN link speed, to provide a data access solution for the branch office users. Next, you must implement a part of the plan. For this project, you must complete the following tasks:
- Plan data access for the branch office users.
- Implement DFS to support branch office needs.
- Implement BranchCache for those branches with potential access speed issues.
Supporting Documentation
Email thread of correspondence with Ed Meadows:

From: Ed Meadows [Ed@contoso.com]
Sent: 12 December 2011 10:12
To: Charlotte Weiss [Charlotte@contoso.com]
Subject: Data access for branch offices

Charlotte,

Dylan has told me that his department requires access to head office data. The trouble is that some of the branches have slow links to the head office and some of these files can be pretty large. In addition, they have an application that uses local data but that needs to be centrally collected. What I need you to do is look at the list of requirements and come up with a plan for configuring data access in the branch offices.

Requirements:
- Research templates must be available from both the head office and the branch offices.
- Data files for the research department must be collated to a central folder at the head office.
- Data access should be optimized for slow remote links, where necessary.

We need to think about storage, too. They use a couple of database applications that generate quite a load on the disks. What would you recommend to host their storage?

Regards,
Ed
Task 2: Update the proposal document with your planned course of action.

Answer the questions in the Data Access Plan document.

Data Access Plan
Document Reference Number: CW0112/1
Document Author: Charlotte Weiss
Date: 1st December

Requirements Overview
To plan a suitable data access plan for the branch offices.

Proposals
1. What server role will you implement to support the requirement for automated data collection from the branch offices?
2. What data access scenario would you recommend?
3. What technology would you implement to support the slow link requirement?
4. How will you ensure that the client-side settings for this technology apply only to relevant computers?
5. There is a local server installed at each branch office. How would you configure the branch data access technology to support this?
6. To support the database applications, what type of storage would you recommend?
Task 3: Compare your solution with the one provided in the Lab Answer Key.
Compare your solution with the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: In this exercise, you completed the Data Access Plan for Contoso.
Task 3: Use the New Namespace Wizard to create the ResearchDocs namespace.
1. Switch to NYC-SVR1.
2. Open DFS Management.
3. Create a new namespace with the following properties:
   Server: NYC-SVR1
   Name: ResearchDocs
   Namespace type: Domain-based namespace, and select Enable Windows Server 2008 mode
4. In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.

2. Complete the Replicate Folder Wizard with the following settings:
   Primary member: NYC-SVR1
   Topology: No topology
   Use defaults elsewhere and accept any messages.
   Then create a new replication topology for the namespace:
   Type: Full mesh
   Schedule and bandwidth: defaults
3. In the details pane, on the Memberships tab, verify that the replicated folder is shown on NYC-DC1 and NYC-SVR1. Right-click NYC-DC1, and then click Make read-only.
In Hyper-V Manager, click 6433A-NYC-CL2, and in the Actions pane, click Settings. In the Settings for 6433A-NYC-CL2 dialog box, in the navigation pane, click Network Adapter. In the Results pane, in the Network drop-down list, select Private Network, and then click OK.
Scenario
To support branch staff requirements, you must configure BranchCache. Data is centralized at the head office. To reduce WAN utilization out to the branch office, BranchCache will be configured for this data. In this exercise, you will enable and configure BranchCache. The main tasks for this exercise are as follows:
1. Configure NYC-DC1 to use BranchCache.
2. Simulate a slow link to the branch office.
3. Enable a file share for BranchCache.
4. Configure client firewall rules for BranchCache.
5. Configure clients to use BranchCache in hosted cache mode.
6. Install the BranchCache feature on NYC-SVR1.
7. Request a certificate and link it to BranchCache.
8. Start the BranchCache Host Server.
3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
4. Create a new inbound firewall rule with the following properties:
   Rule type: Predefined: BranchCache - Content Retrieval (Uses HTTP)
   Action: Allow
5. Create a new inbound firewall rule with the following properties:
   Rule type: Predefined: BranchCache - Peer Discovery (Uses WSD)
   Action: Allow

10. Restart the computer. Log on as Contoso\Administrator with the password Pa$$w0rd.
11. Open a command prompt and refresh the group policy settings (gpupdate /force).
12. In the command prompt window, type netsh branchcache show status all, and then press Enter.

6. In the command prompt window, type netsh branchcache show status all, and then press Enter.
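Added example (not part of the 6433A lab material): the hosted cache configuration that tasks 5 to 8 above perform through the wizard and netsh, scripted so that the end state can be checked with the same netsh branchcache show status all command the steps use. It assumes things the lab does not state: the server certificate from task 7 was enrolled into the local machine store with the subject CN=NYC-SVR1.Contoso.com, the clients trust the issuing CA, and the script runs in an elevated PowerShell session. The BranchCache application ID used for the SSL binding is the one documented in Microsoft's hosted cache deployment guidance; check it against your copy before relying on it.

```powershell
# Added example, not lab code. Configures BranchCache hosted cache mode on
# Windows Server 2008 R2 (server) or Windows 7 (client) and verifies the mode.
param(
    [ValidateSet('HostedServer', 'HostedClient')]
    [string]$Role = 'HostedServer',
    [string]$HostedCacheServer = 'NYC-SVR1.Contoso.com',   # from the lab
    [string]$CertSubject = 'CN=NYC-SVR1.Contoso.com'       # assumption
)

# Application ID BranchCache registers for its HTTPS listener (from Microsoft's
# hosted cache documentation; verify before use).
$BranchCacheAppId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'

function Invoke-Netsh {
    # Run netsh with an argument array (no string splitting, so values containing
    # spaces survive) and fail on a non-zero exit code instead of carrying on.
    param([string[]]$NetshArgs)
    $output = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $NetshArgs failed:`n$($output -join "`n")" }
    $output
}

function Get-ServerCertThumbprint {
    # Select the certificate by subject and refuse ambiguous matches rather than
    # binding whichever certificate happens to sort first.
    param([string]$Subject)
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one certificate with subject '$Subject', found $($certs.Count)"
    }
    $certs[0].Thumbprint
}

function Set-HostedCacheServer {
    # Task 6: feature; task 7: certificate binding; task 8: hosted server mode.
    param([string]$Subject)
    Import-Module ServerManager
    Add-WindowsFeature BranchCache | Out-Null
    Invoke-Netsh 'branchcache', 'set', 'service', 'mode=HOSTEDSERVER' | Out-Null
    # Clients retrieve content from the hosted cache over HTTPS and validate the
    # server certificate, so the binding must use a certificate they trust.
    $thumb = Get-ServerCertThumbprint $Subject
    Invoke-Netsh 'http', 'add', 'sslcert', 'ipport=0.0.0.0:443', "certhash=$thumb", "appid=$BranchCacheAppId" | Out-Null
}

function Set-HostedCacheClient {
    # Task 5 for a single client; the lab applies the same setting through a GPO.
    param([string]$Server)
    Invoke-Netsh 'branchcache', 'set', 'service', 'mode=HOSTEDCLIENT', "location=$Server" | Out-Null
}

function Test-BranchCacheMode {
    # Step 12 equivalent: read the status and confirm the service mode line
    # reports hosted cache operation.
    param([string]$ExpectedModeWord)
    $status   = Invoke-Netsh 'branchcache', 'show', 'status', 'all'
    $modeText = ($status | Where-Object { $_ -match 'Service Mode' } | Out-String).Trim()
    if (-not $modeText -or $modeText -notmatch $ExpectedModeWord) {
        throw "BranchCache is not in the expected mode. Status:`n$($status -join "`n")"
    }
    $modeText
}

if ($Role -eq 'HostedServer') {
    Set-HostedCacheServer -Subject $CertSubject
} else {
    Set-HostedCacheClient -Server $HostedCacheServer
}
Test-BranchCacheMode -ExpectedModeWord 'Hosted'
```

Run it with -Role HostedServer on NYC-SVR1 and -Role HostedClient on a Windows 7 client. The content itself is identified and validated by hashes computed on the content server, so a hosted cache server cannot substitute data; the certificate check is what stops a rogue host in the branch from posing as the cache and observing or denying retrieval.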
Results: In this exercise, you enabled the BranchCache server in the branch office.
Module 11
Lab Instructions: Planning Update Deployment
Contents:
Exercise 1: Analyze WSUS Deployment Plan
Exercise 2: Configure a Replica WSUS Server
Exercise 3: Configure WSUS for BranchCache
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso, Ltd has a head office site located in Melbourne, Australia and state branch offices located in Sydney, Perth, Adelaide, and Hobart. WSUS is already deployed at the head office site and you want to configure a replica at the second site. This replica should inherit all approvals, updates, and computer groups from the head office site. You also want to configure WSUS to support BITS and BranchCache so that sites without replica servers minimize the amount of bandwidth that they devote to update traffic.
Supporting Documentation
Contoso WSUS Server Deployment Plan
Document Reference Number: GW1203/1
Document Author: Hazem Abolrous
Date: 26th January

Requirements Overview
Contoso, Ltd in Australia wants to reduce the number of operating system updates that are downloaded from the Microsoft Update servers on the Internet as a way of reducing the costs associated with the utilization of bandwidth. Contoso has an agreement with its Internet Service Provider that substantially discounts the cost of traffic transmitted across WAN links when compared to the cost of downloading data directly from locations on the Internet such as Microsoft Update.
- All branch offices have connections to the Internet as well as dedicated WAN connections.
- The amount of data transmitted across WAN links should be minimized.
- Only one WSUS server should be deployed at each site.
- Administrators in the Melbourne site are responsible for approving updates to computers in the Perth, Adelaide, and Hobart sites.
- Administrators in the Sydney site are responsible for approving updates to computers in the Sydney site.
- The cost of transmitting data across the Melbourne to Perth link is equivalent to the cost of downloading data from locations on the Internet such as Microsoft Update.
Task 2: Update the Visio diagram, placing WSUS servers at each site.
1. Open the Visio diagram that represents the Contoso Australia WSUS servers. The Visio file is located on NYC-CL1 in the D:\Labfiles\Mod09 folder.
2. Copy items representing each WSUS server type to each site. You may need to use the same item in more than one location.
Results: In this exercise, you will have planned a suitable WSUS deployment configuration for Contoso.
Task 1: Check available updates on the NYC-SVR1 WSUS server and create computer groups.
1. Revert 6433A-NYC-CL1, and then start 6433A-NYC-SVR1, 6433A-NYC-RTR, and 6433A-NYC-SVR2. Log on to each computer as Administrator with the password Pa$$w0rd.
2. Switch to NYC-SVR1. On the Administrative Tools menu, click Windows Server Update Services.
3. In the Update Services console, browse to the All Updates node. Modify the status to show Any update and make a note of the number of available updates.
4. Expand the Computers node and, under the All Computers node, create the Australia computer group.
5. Create the Melbourne_Sales and Melbourne_Marketing groups as child groups of the Australia computer group.
   Import-Module ServerManager
   Add-WindowsFeature Web-Server, Web-Asp-Net, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Windows-Auth, Web-Dyn-Compression, Web-Metabase, NET-Framework
4. Install ReportViewer.exe, located in the D:\Labfiles\Mod09 folder.
5. Run WSUS30-KB972455-x64.exe to start the installation of WSUS 3.0 SP2.
6. Use the following installation options:
   Choose the Full server installation including Administration Console option.
   Accept the terms of the License agreement.
   Configure the server to Store updates locally.
   Install the Windows Internal Database locally.
   Use the existing IIS Default website.
7. When the Windows Server Update Services Configuration Wizard starts, configure the following options:
   Do not join the Microsoft Update Improvement Program.
   Synchronize from another Windows Server Update Services server.
   Set the upstream server name to NYC-SVR1.
   Select the This is a replica of the upstream server option.
   Click the Start Connecting button.
   Set the Download updates only in these languages option to English.
   Configure the server to synchronize manually.
   Configure the Windows Server Update Services console to be launched and initial synchronization to occur.
8. When synchronization has completed, verify that the computer groups and the number of available updates are the same as you noted earlier on NYC-SVR1.
Task 3: Verify approvals on downstream servers and configure automatic approval rules.
1. Switch to NYC-SVR1.
2. In the Update Services console on NYC-SVR1, connect to NYC-SVR2.
3. Under NYC-SVR1, approve update KB976662 for installation for the Melbourne_Marketing group.
4. Under NYC-SVR1, approve update KB975053 for installation for the All Computers group.
5. Synchronize NYC-SVR2 with NYC-SVR1.
6. Verify that update KB976662 is approved on server NYC-SVR2.
7. In the Options node on NYC-SVR1, create an automatic approval rule with the following properties:
   Rule Name: Australia_Critical
   Update Classifications: Critical Updates
   Product: Any product
   WSUS Groups: Australia, Melbourne_Marketing, and Melbourne_Sales
Results: In this exercise, you created a WSUS replica and an automatic approval rule.
   In the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update node, enable the Specify intranet Microsoft update service location policy and configure the policy so that both the intranet update service for detecting updates and the intranet statistics server are set to http://nyc-svr1.
   In the Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security node, create two inbound rules by using the following predefined settings:
   BranchCache - Content Retrieval (Uses HTTP)
   BranchCache - Peer Discovery (Uses WSD)
8. Link the WSUS_Branch GPO to the Branch_Office OU.
9. On NYC-SVR1, open a Windows PowerShell prompt and run the following commands, pressing Enter after each command.
10. Restart NYC-SVR1, and then log back on as Contoso\Administrator with the password Pa$$w0rd.

3. Use Windows Update to check for updates. Install the update, and then restart the computer. Log back on as Contoso\Administrator with the password Pa$$w0rd.
4. Open Performance Monitor and, on the Performance Monitor node, add the following counters to the graph:
   Local Cache: Cache Complete File Segments
   Local Cache: Cache Partial File Segments
   Retrieval: Bytes From Cache
   Retrieval: Bytes From Server
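Added example (not part of the lab material): a client-side check of the state this exercise leaves behind. It reads the registry values that the Specify intranet Microsoft update service location policy writes, then samples the four BranchCache counters listed in step 4 and works out what share of retrieved bytes came from the cache. The only assumption is the expected URL, http://nyc-svr1, which is what the WSUS_Branch GPO sets above; the arithmetic is kept in its own function so it can be exercised with hand-built values.

```powershell
# Added example, not lab code. Run on a domain-joined client after gpupdate /force.
param([string]$ExpectedWsusUrl = 'http://nyc-svr1')

function Get-WsusClientPolicy {
    # Values under HKLM\SOFTWARE\Policies\...\WindowsUpdate are written by Group
    # Policy; if they are missing, the WSUS_Branch GPO has not reached this computer.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $wuKey 'AU') -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

function Test-WsusClientPolicy {
    # Returns a list of findings; an empty list means the policy matches expectations.
    param($Policy, [string]$Expected)
    $findings = @()
    if ($Policy.UseWUServer -ne 1)            { $findings += 'UseWUServer is not 1; the client still goes to Microsoft Update' }
    if ($Policy.WUServer -ne $Expected)        { $findings += "WUServer is '$($Policy.WUServer)', expected '$Expected'" }
    if ($Policy.WUStatusServer -ne $Expected)  { $findings += "WUStatusServer is '$($Policy.WUStatusServer)', expected '$Expected'" }
    # Plain HTTP is what this lab uses. Outside a lab, anyone on the path can rewrite
    # the update metadata the client receives; publish WSUS over HTTPS with a
    # certificate the clients trust.
    if ($Policy.WUServer -match '^http://')    { $findings += 'Advisory: WUServer uses plain HTTP; prefer HTTPS in production' }
    $findings
}

function ConvertTo-RetrievalSummary {
    # Pure arithmetic over a name-to-value table: share of retrieved bytes served
    # from the BranchCache cache. Hashtable keys are case-insensitive in PowerShell,
    # so the lowercase names Get-Counter returns still match.
    param([hashtable]$Values)
    $fromCache  = [double]$Values['Retrieval: Bytes From Cache']
    $fromServer = [double]$Values['Retrieval: Bytes From Server']
    $total = $fromCache + $fromServer
    $ratio = if ($total -gt 0) { $fromCache / $total } else { 0 }
    New-Object PSObject -Property @{
        BytesFromCache   = $fromCache
        BytesFromServer  = $fromServer
        CacheHitRatio    = [math]::Round($ratio, 3)
        CompleteSegments = $Values['Local Cache: Cache Complete File Segments']
        PartialSegments  = $Values['Local Cache: Cache Partial File Segments']
    }
}

function Get-BranchCacheRetrievalStats {
    # Counter names exactly as the lab adds them to Performance Monitor. They are
    # cumulative since the BranchCache service last started, so a fresh client
    # shows zeros until an update has actually been fetched.
    $paths = @(
        '\BranchCache\Retrieval: Bytes From Cache',
        '\BranchCache\Retrieval: Bytes From Server',
        '\BranchCache\Local Cache: Cache Complete File Segments',
        '\BranchCache\Local Cache: Cache Partial File Segments'
    )
    $byName = @{}
    foreach ($s in (Get-Counter -Counter $paths).CounterSamples) {
        $byName[$s.Path.Split('\')[-1]] = $s.CookedValue
    }
    ConvertTo-RetrievalSummary $byName
}

$policy = Get-WsusClientPolicy
$policy
Test-WsusClientPolicy -Policy $policy -Expected $ExpectedWsusUrl
Get-BranchCacheRetrievalStats
```

A first client in a branch will report everything as Bytes From Server; the second client that fetches the same update should show the bytes arriving from the cache, which is the observation the Performance Monitor step is after.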
Results: In this exercise, you configured WSUS to support BranchCache, configured WSUS-related group policy items, and verified client BranchCache settings.
Module 12
Lab Instructions: Planning High Availability
Contents:
Exercise 1: Planning High Availability
Exercise 2: Implementing High Availability
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must perform the following steps:
1. On your host machine, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In the Virtual Machines pane, click 6433A-NYC-DC1, and then in the Actions pane, click Start.
3. To connect to the virtual machine, click 6433A-NYC-DC1, and then in the Actions pane, click Connect.
4. Repeat steps 2 and 3 to start the 6433A-NYC-SVR1 and 6433A-NYC-ISCSI virtual machines.
5. In Hyper-V Manager, click 6433A-NYC-SVR2, and in the Actions pane, click Settings.
6. In the Settings for 6433A-NYC-SVR2 dialog box, in the navigation pane, click Network Adapter.
7. In the Results pane, in the Network drop-down list, click Private Network, and then click OK.
8. In Hyper-V Manager, click 6433A-NYC-SVR2, and in the Actions pane, click Start.
9. In the Actions pane, click Connect. Wait until the virtual machine starts.
10. Switch to the NYC-SVR2 virtual machine.
11. Log on by using the following credentials:
    User name: Administrator
    Password: Pa$$w0rd
    Domain: Contoso
12. Click Start, and in the Search box, type Network and Sharing, and then press Enter.
13. In Network and Sharing Center, click Change adapter settings.
14. In Network Connections, right-click Local Area Connection 2, and then click Properties.
15. In the Local Area Connection 2 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
16. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, configure the following properties, and then click OK:
    IP address: 10.10.0.25
    Subnet mask: 255.255.0.0
    Default gateway: 10.10.0.1
    Preferred DNS server: 10.10.0.10
17. In the Local Area Connection 2 Properties dialog box, click Close. Close the Network Connections window.
18. Switch to NYC-ISCSI. If necessary, log on as Contoso\Administrator with the password Pa$$w0rd.
19. To open the ports on Windows Firewall that allow iSCSI communication from clients to the server, open a command prompt, enter the following commands, and press Enter after each command.

    netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service-TCP3260" dir=in action=allow protocol=TCP localport=3260
    netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service-TCP135" dir=in action=allow protocol=TCP localport=135
    netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service-UDP138" dir=in action=allow protocol=UDP localport=138
    netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service" dir=in action=allow program="%SystemRoot%\System32\WinTarget.exe" enable=yes
    netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service Status Proxy" dir=in action=allow program="%SystemRoot%\System32\WTStatusProxy.exe" enable=yes

    Note: As written, these rules accept connections from any address. Outside the lab, restrict them with the remoteip= parameter to the initiators that are meant to reach the target (here, the two cluster nodes), since the iSCSI target exposes the cluster's disks.
Lab Scenario
The Research department at Contoso has an application that has a web-based front end. The back end is provided by a Microsoft SQL Server database application. Recently, a failure in the front end caused system unavailability for several hours. Dylan Miller, the Research department manager, has contacted Ed Meadows, the IT manager, and requested him to find a solution for the availability issue.

For this project, you must complete the following tasks:
- Plan a suitable solution to the availability problem for the Research database.
- Implement part of the availability solution.
Supporting Documentation
Email thread of correspondence with Ed Meadows:

From: Ed Meadows [Ed@contoso.com]
Sent: December 12, 2011 10:12
To: Charlotte Weiss [Charlotte@contoso.com]
Subject: Research database application

Charlotte,

The Research database is currently in the head office only, although that is set to change; we're creating a distributed version of the database later this year. The distributed version will work essentially the same way, but there will be localized versions of the databases replicated among the research branch offices. It has a SQL Server back-end, and the front-end is web-based; IIS provides the front-end access. The actual database is stored on disks attached to an iSCSI SAN. The outage was caused when the web server hosting the front end suffered a power supply failure; it just started to smoke and then went offline!

Hope all that helps you,

Regards,
Ed
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the High Availability Plan document.

High Availability Plan
Document Reference Number: CW01312/1
Document Author: Charlotte Weiss
Date: 13th December

Requirements Overview
To provide a high-availability solution that ensures that the failure of any single component will not cause the Research database to become unavailable.

Proposals
1. In the current system, which component(s) is a point of failure?
2. For each component, how will you propose to prevent a system failure resulting from a component failure?
3. Which Windows Server 2008 role or feature can help provide for each of these proposals?
4. After implementing the roles or features proposed, is there any remaining component that represents a single point of failure?
5. Have you any recommendations regarding this component(s)?
Task 3: Compare your solution to the one provided in the Lab Answer Key.
Compare your solution to the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: At the end of this exercise, you will have completed the High Availability Plan document.
5. Install the Failover Clustering feature.
6. Validate the failover cluster.
7. Use the Create Cluster Wizard to build a simple failover cluster.
8. Install the Print Services role on NYC-SVR1 and NYC-SVR2.
9. Cluster the Print Services role.
10. Fail over the NYC-BR-Print clustered service from NYC-SVR1 to NYC-SVR2.
11. Change the preferred owner of NYC-BR-Print to NYC-SVR2.
12. Change the failback settings to allow failback only to the preferred node between 01:00 and 04:00.
4. Create a new virtual disk with the following configuration:
   a. File: C:\Disks\Disk-01.vhd
   b. Size: 8000 megabytes (MB)
   c. Target name: LUN-01
5. Create a new virtual disk with the following configuration:
   a. File: C:\Disks\Disk-02.vhd
   b. Size: 20,000 MB
   c. Target name: LUN-01

4. Ensure that the computer establishes a connection to iqn.1991-05.com.microsoft:NYC-ISCSI-lun-01-target.
5. On the Volumes and Devices tab, choose Auto Configure. Verify that two volumes are added to the Volume List. If only one volume appears, click Clear, and then click Auto Configure.
Task 7: Use the Create Cluster Wizard to build a simple failover cluster.
1. In Failover Cluster Manager, create a new cluster with the following configuration:
   a. Servers: NYC-SVR1 and NYC-SVR2
   b. Name: NYC-Br-Cluster
   c. IP Address: 10.10.0.90
4. Start the Add Roles Wizard, and install the Print and Document Services role with default values.
5. Close Server Manager.

Task 10: Fail over the NYC-BR-Print clustered service from NYC-SVR1 to NYC-SVR2.
1. Move NYC-BR-Print to the passive node.
2. Verify that NYC-BR-Print now shows the current owner as the new node.

Task 12: Change the failback settings to allow failback only to the preferred node between 01:00 and 04:00.
Configure the cluster so that failback to the preferred owner is allowed only between 01:00 and 04:00. The failback window in the group's properties (and the FailbackWindowStart and FailbackWindowEnd values behind it) is expressed in hours of the day, 0 to 23, not as a duration, so "between 1 and 4 hours" in the dialog box means the 01:00 to 04:00 window.
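Added example (not part of the lab material): tasks 5 to 12 of this exercise driven from the FailoverClusters module that ships with Windows Server 2008 R2, with the validation report kept as a mandatory step and the failback window set the way task 12 describes. Node names, the cluster name, and the cluster address come from the lab; the clustered print server's disk name ("Cluster Disk 1") and its address (10.10.0.91) are assumptions, and the prerequisite function has to be run on each node before the cluster is created.

```powershell
# Added example, not lab code. Run elevated on NYC-SVR1 after both nodes have
# the shared iSCSI volumes from tasks 1 to 4 attached.
Import-Module ServerManager
Import-Module FailoverClusters

$Nodes       = 'NYC-SVR1', 'NYC-SVR2'
$ClusterName = 'NYC-Br-Cluster'
$ClusterIp   = '10.10.0.90'
$PrintGroup  = 'NYC-BR-Print'

function Install-ClusterPrerequisites {
    # Tasks 5 and 8, run locally on each node: the Failover Clustering feature and
    # the Print Server role service.
    Add-WindowsFeature Failover-Clustering, Print-Server | Out-Null
}

function Test-ClusterNodes {
    # Task 6. The validation report is the evidence that the shared storage is
    # visible to both nodes and supports the persistent reservations the cluster
    # needs to fence a failed node; do not skip it to save time.
    Test-Cluster -Node $Nodes
}

function New-PrintCluster {
    # Task 7: the cluster. Task 9: the clustered print server (disk name and
    # address are assumptions).
    New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIp | Out-Null
    Add-ClusterPrintServerRole -Name $PrintGroup -Storage 'Cluster Disk 1' -StaticAddress '10.10.0.91' | Out-Null
}

function Move-PrintGroupToPassiveNode {
    # Task 10: move to whichever node does not currently own the group, then
    # return the new owner so the caller can verify it.
    $group  = Get-ClusterGroup -Name $PrintGroup
    $target = $Nodes | Where-Object { $_ -ne $group.OwnerNode.Name } | Select-Object -First 1
    Move-ClusterGroup -Name $PrintGroup -Node $target | Out-Null
    (Get-ClusterGroup -Name $PrintGroup).OwnerNode.Name
}

function Set-PrintGroupFailback {
    # Task 11: preferred owner list with NYC-SVR2 first.
    # Task 12: failback allowed, but only inside the 01:00 to 04:00 window. The
    # window properties are hours of the day (0 to 23); -1 means "immediately".
    param([string]$PreferredNode = 'NYC-SVR2', [int]$WindowStart = 1, [int]$WindowEnd = 4)
    $group  = Get-ClusterGroup -Name $PrintGroup
    $owners = @($PreferredNode) + @($Nodes | Where-Object { $_ -ne $PreferredNode })
    $group | Set-ClusterOwnerNode -Owners $owners
    $group.AutoFailbackType    = 1        # 1 = allow failback, 0 = prevent
    $group.FailbackWindowStart = $WindowStart
    $group.FailbackWindowEnd   = $WindowEnd
    $group | Select-Object Name, OwnerNode, AutoFailbackType, FailbackWindowStart, FailbackWindowEnd
}

Install-ClusterPrerequisites     # repeat on NYC-SVR2 before continuing
Test-ClusterNodes
New-PrintCluster
Move-PrintGroupToPassiveNode     # expect NYC-SVR2
Set-PrintGroupFailback
```

Restricting failback to a night-time window is a deliberate trade: after a node recovers, the service stays on the surviving node until 01:00 rather than moving (and briefly interrupting clients) in the middle of the working day.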
Module 13
Lab Instructions: Planning Performance and Event Monitoring
Contents:
Exercise 1: Planning Enterprise Event Log Management
Exercise 2: Configuring Event Subscriptions
Exercise 3: Creating Custom Views
Exercise 4: Configuring Event Tasks
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso, Ltd. is deploying a three-server environment to allow for the testing of new applications that are planned to be introduced into the production environment. The environment currently consists of two servers: NYC-DC1, the domain controller, and NYC-SVR1, an application test server. After your initial configuration is complete, 10 more application test servers will be introduced to the test environment. Application servers will be moved in and out of the test groups as the need arises, including the original application test server, NYC-SVR1. Because of the nature of the testing process, users in the application test group have been given wide-reaching permissions on the servers in the test group.

The owner of the project wants to be able to keep track of application installations and uninstallations without having to directly monitor each server in the environment. You have been asked to plan the implementation of a monitoring and notification system that fulfills the requirements of the project owner, Ed Meadows. For this project, you must complete the following tasks:
- Plan the configuration of event management.
- Implement event subscriptions.
- Implement custom views.
- Implement event tasks.
Results: After completing this exercise, you should have planned enterprise log management.
The main tasks for this exercise are as follows:
1. Prepare all computers for event subscriptions.
2. Create the event subscription.
3. Test the event subscription by installing an application.

Confirm that the status of the subscription is Active. Confirm that the runtime status of the subscription is OK.
Results: After completing this exercise, you should have configured event subscriptions.
Results: After completing this exercise, you should have created custom views.
Action: Send an e-mail message
From: AppInstallNotifier@Contoso.com
To: Ed@Contoso.com
Subject: Application Installation Failure
Text: An application installation has occurred. Please check the Forwarded Events Log on NYC-DC1 for more details.
SMTP Server: NYC-SVR1.Contoso.com
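Added example (not part of the lab material): Exercises 2 to 4 as commands rather than console clicks. NYC-DC1 is the collector and NYC-SVR1 the source, as in the scenario, and the e-mail addresses and SMTP server are the ones the event task above uses. The event IDs are an assumption: the MsiInstaller provider logs 1033 and 11707 when an MSI package installs and 1034 and 11724 when one is removed, which is what "installing an application" in task 3 produces for MSI-based installers; the lab answer key may filter differently. The subscription XML follows Microsoft's collector-initiated subscription schema.

```powershell
# Added example, not lab code. Collector-initiated event forwarding for
# application install and removal events, plus the matching query and notification.
param(
    [string]$Collector      = 'NYC-DC1',
    [string]$Source         = 'NYC-SVR1.Contoso.com',
    [string]$SubscriptionId = 'AppInstallEvents'
)

# Assumed MsiInstaller event IDs (install: 1033, 11707; removal: 1034, 11724).
$MsiQuery = "*[System[Provider[@Name='MsiInstaller'] and (EventID=1033 or EventID=1034 or EventID=11707 or EventID=11724)]]"

function Initialize-EventSource {
    # Task 1, run once on each source computer. A collector-initiated subscription
    # reads the source's log with the collector's computer account, so that account
    # needs Event Log Readers. WinRM over HTTP inside the domain is still
    # Kerberos-authenticated and the message payload is encrypted.
    winrm quickconfig -q
    net localgroup 'Event Log Readers' "CONTOSO\$Collector`$" /add
}

function New-ForwardingSubscription {
    # Task 2, run on the collector. wecutil qc configures the Windows Event Collector
    # service; wecutil cs loads the subscription; wecutil gr shows runtime status.
    wecutil qc /q
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Application install and removal events from test servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Application"><Select Path="Application">$MsiQuery</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>$Source</Address></EventSource>
  </EventSources>
</Subscription>
"@
    $path = Join-Path $env:TEMP "${SubscriptionId}.xml"
    Set-Content -Path $path -Value $xml -Encoding UTF8
    wecutil cs $path
    wecutil gr $SubscriptionId    # expect the subscription Active and the source OK
}

function ConvertTo-InstallRecord {
    # Pulls the product name out of the MsiInstaller message text, for example
    # "Product: Foo -- Installation completed successfully." Kept separate from
    # the log query so it can be run against a saved message without a collector.
    param([datetime]$TimeCreated, [string]$Computer, [int]$EventId, [string]$Message)
    $product = if ($Message -match 'Product:\s*(.+?)\s*--') { $Matches[1] } else { '(unparsed)' }
    $action  = if ($EventId -eq 1033 -or $EventId -eq 11707) { 'Install' } else { 'Removal' }
    New-Object PSObject -Property @{ Time = $TimeCreated; Computer = $Computer; Action = $action; Product = $product }
}

function Get-ForwardedInstallEvents {
    # Exercise 3's custom view expressed as a query against the Forwarded Events log.
    Get-WinEvent -LogName ForwardedEvents -FilterXPath $MsiQuery -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-InstallRecord -TimeCreated $_.TimeCreated -Computer $_.MachineName -EventId $_.Id -Message $_.Message }
}

function Send-InstallNotification {
    # Exercise 4's task action with the lab's addresses. The relay on NYC-SVR1 is
    # unauthenticated here; restrict it to the collector's address.
    param($Record)
    Send-MailMessage -From 'AppInstallNotifier@Contoso.com' -To 'Ed@Contoso.com' `
        -Subject "Application $($Record.Action): $($Record.Product) on $($Record.Computer)" `
        -Body 'An application installation has occurred. Please check the Forwarded Events Log on NYC-DC1 for more details.' `
        -SmtpServer 'NYC-SVR1.Contoso.com'
}

# On the collector, after Initialize-EventSource has been run on NYC-SVR1:
New-ForwardingSubscription
Get-ForwardedInstallEvents | ForEach-Object { $_; Send-InstallNotification $_ }
```

Because the test-group users hold wide-reaching permissions on the source servers, treat the forwarded copy on NYC-DC1 as the record of what was installed: a user who can clear the Application log on NYC-SVR1 cannot remove events that have already been forwarded.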
Results: After completing this exercise, you should have created event tasks.
Module 14
Lab Instructions: Enterprise Backup and Recovery
Contents:
Exercise 1: Contoso Disaster Recovery Plan
Exercise 2: Configuring Network Backup with Windows Server Backup
Exercise 3: Mounting Backup VHD and Extracting Data
Exercise 4: Configuring NYC-SVR1 to Boot from Backup VHD
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso, Ltd. is a medium-sized organization with its head office in Melbourne, Australia, and two branch offices. The organization employs 300 people, of which 200 are located at its head office, and 50 people work at each of the two branch offices. You have been asked to generate a disaster recovery plan for the Contoso Windows Server 2008 R2 deployment.

Contoso Disaster Recovery document

Environment Information
The Contoso server infrastructure consists of the following:

Head Office Site: Melbourne Central Business District
- One physical server running Windows Server 2008 R2 configured with the AD DS, DNS, DHCP, and AD CS roles. 8 GB of RAM. 1 terabyte (TB) hard disk drive (HDD).
- Two physical servers running Windows Server 2008 R2 configured as DFS replicas and DFS roots. 8 GB of RAM. 1 TB HDD.
- One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD.
  - Windows Web Server 2008 R2 IIS server
  - Windows Server 2008 R2 hosting Exchange Server 2010
  - Windows Server 2008 R2 hosting SQL Server 2008 R2 database server

Branch Office Site: Moonee Ponds
- One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD.
  - Windows Server 2008 R2 domain controller / DNS / DHCP server
  - Windows Server 2008 file server / DFS replica

Branch Office Site: Endeavour Hills
- One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD.
  - Windows Server 2008 R2 domain controller / DNS / DHCP server
  - Windows Server 2008 file server / DFS replica

Additional Information
- Contoso is in the process of renting space for a disaster recovery site in the suburb of Dandenong.
- All servers at Contoso that host the Hyper-V role have only that role installed.
- Servers at the head office site should never lose more than 3 hours of data in the event of server failure.
- Servers at branch office sites should never lose more than 24 hours of data in the event of server failure.

Requirements Overview
Contoso has asked you to accomplish the following objectives in developing a disaster recovery plan.
1. You need to be able to restore backup data from all servers at the head office site in the event that computers at the head office site are completely lost due to fire, flood damage, or other unforeseen catastrophes.
2. A 7-day recovery point objective is acceptable if a site is completely lost.
3. Servers at the head office site should never lose more than 3 hours of data in the event of server failure.
4. Servers at branch office sites should never lose more than 24 hours of data in the event of server failure.
5. You need to be able to run any head office server in the event that the server hardware fails, until that hardware is replaced.
6. You want to minimize the amount of hardware deployed at the proposed Dandenong disaster recovery site.
7. You need to be able to restore up to 7 days of data on each server in the event that data is lost or corrupted.
Task 2: Update the proposal document with your planned course of action.
1. Answer the questions in the Contoso Disaster Recovery Plan document.

Contoso Disaster Recovery Plan
Document Reference Number: GW1203/2
Document Author: Kim Akers
Date: 1st April

Proposals
Contoso has asked you to accomplish the following objectives in developing a disaster recovery plan.
1. What steps should you propose to meet the objective of being able to recover up to 7 days of data on each server?
2. What steps could you take to back up the virtual machines by using Windows Server Backup?
3. What steps should you propose to meet the objective of ensuring that any branch office site can be recovered in the event of full site loss?
4. What infrastructure would you provision at the Dandenong disaster recovery site to meet disaster recovery objectives?
5. What infrastructure would you provision at the head office site to ensure that you can continue to provide services in the event that a single server fails completely?
6. What backup schedules would you configure for servers at the head office and branch office sites?
Results: At the end of this exercise, you will have planned an appropriate disaster recovery solution for Contoso.
   Note: Depending on the speed of the host systems, the backup could take approximately 20 minutes.
3. When the backup completes, click Close.
Results: At the end of this exercise, you will have used Windows Server Backup to create and perform a scheduled backup to a network location.
Open Windows Explorer and browse to the newly mounted volume. Browse to the \Users\Administrator.Contoso\Desktop folder and verify the contents of Example_Data.txt and then close the file. Detach the VHD.
Results: At the end of this exercise, you will have verified the backup data without having to perform a restore operation.
3. Make a note of the GUID that is displayed. You will use this identifier in the next set of commands.
4. Enter the following commands, substituting the GUID you noted. Keep the square brackets around the drive letter, and press Enter after each command.

   bcdedit /set {GUID} device vhd=[f:]\backup.vhd
   bcdedit /set {GUID} osdevice vhd=[f:]\backup.vhd
   bcdedit /set {GUID} detecthal on
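Added example (not part of the lab material): Exercise 3's attach-and-inspect step and Exercise 4's bcdedit sequence scripted, with the new boot entry's GUID parsed out of bcdedit's own output instead of being retyped. The VHD path F:\backup.vhd is taken from the bcdedit lines above; that your backup VHD actually sits at that path on the recovery machine is an assumption, as is an elevated session.

```powershell
# Added example, not lab code. Attach a backup VHD read-only for inspection, then
# create a boot-from-VHD entry for it.
param([string]$VhdPath = 'F:\backup.vhd')

function Invoke-DiskPart {
    # diskpart takes its commands from a script file: write one, run it, delete it.
    param([string[]]$Commands)
    $script = [IO.Path]::GetTempFileName()
    Set-Content -Path $script -Value $Commands
    $out = & diskpart.exe /s $script
    Remove-Item $script
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed:`n$($out -join "`n")" }
    $out
}

function Mount-BackupVhd {
    # Attach read-only: checking Example_Data.txt must not alter the backup,
    # otherwise the VHD is no longer the artifact you will boot from in Exercise 4.
    param([string]$Path)
    Invoke-DiskPart @("select vdisk file=`"$Path`"", 'attach vdisk readonly') | Out-Null
}

function Dismount-BackupVhd {
    param([string]$Path)
    Invoke-DiskPart @("select vdisk file=`"$Path`"", 'detach vdisk') | Out-Null
}

function Get-BcdGuidFromCopyOutput {
    # bcdedit /copy prints a line that ends with the new entry's identifier, e.g.
    # "The entry was successfully copied to {0f8c6e27-...}." Parse it rather than
    # retyping the GUID by hand (step 3 above).
    param([string]$CopyOutput)
    if ($CopyOutput -notmatch '\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}') {
        throw "No GUID in bcdedit output: $CopyOutput"
    }
    $Matches[0]
}

function ConvertTo-BcdVhdDevice {
    # Turns F:\backup.vhd into the vhd=[F:]\backup.vhd form bcdedit expects,
    # keeping the square brackets around the drive letter (step 4).
    param([string]$Path)
    $drive = Split-Path -Qualifier $Path        # F:
    $rel   = $Path.Substring($drive.Length)     # \backup.vhd
    "vhd=[$drive]$rel"
}

function New-BootFromVhdEntry {
    # Step 4: copy the current entry, point device and osdevice at the VHD, and
    # enable HAL detection because the backup may have been taken on other hardware.
    param([string]$Path, [string]$Description = 'Windows Server 2008 R2 (backup VHD)')
    $copyOut = (& bcdedit.exe /copy '{current}' /d $Description) -join ' '
    $guid    = Get-BcdGuidFromCopyOutput $copyOut
    $device  = ConvertTo-BcdVhdDevice $Path
    & bcdedit.exe /set $guid device $device   | Out-Null
    & bcdedit.exe /set $guid osdevice $device | Out-Null
    & bcdedit.exe /set $guid detecthal on     | Out-Null
    $guid
}

# Exercise 3: attach, inspect the mounted volume, detach.
Mount-BackupVhd -Path $VhdPath
# (browse to \Users\Administrator.Contoso\Desktop\Example_Data.txt on the new volume)
Dismount-BackupVhd -Path $VhdPath

# Exercise 4: add the boot entry. Boot from it only while the original server is
# offline: the VHD carries NYC-SVR1's computer name, SID and domain account.
New-BootFromVhdEntry -Path $VhdPath
```

Native VHD boot needs the VHD on a local NTFS volume that is not compressed or encrypted, so check where F: is before adding the entry.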
Results: At the end of this exercise you will have performed recovery of a server operating system volume without having to perform a recovery by using Windows Server Backup.
Module 1
Lab Answer Key: Planning Server Deployment and Upgrade
Contents:
Exercise 1: Planning a Windows Server 2008 R2 Deployment
Exercise 2: Modifying a Windows Server 2008 R2 Image
Exercise 3: Preparing to Deploy the Windows Server 2008 R2 Image
Task 2: Update the proposal document with your planned course of action.
1. Answer the questions in the Contoso Windows Server 2008 R2 Deployment Plan document.

Contoso Windows Server 2008 R2 Deployment Plan
Document Reference Number: CW2805/1
Document Author: Charlotte Weiss
Date: 28th May

Requirements Overview
To provide information to help plan the upgrade/migration to Windows Server 2008 R2.

Additional Information
- Branch Office 2 supports forty client computers and two servers.
- Branch Office 2 is isolated from the Internet.
- Branch Office 2 has no server room, and servers are placed in the main office space.

Proposals
1. In Ed's email, he recommended that Charlotte should examine the server utilization figures. Why is this significant when planning server deployment?
Answer: Servers that are under-utilized could be consolidated to reduce the hardware footprint within Contoso. Server virtualization is the natural way to consolidate those under-utilized servers.
2. Ed also reminded Charlotte that some departments use servers and client workstations that are isolated from the Internet. What is the impact of this in terms of deployment?
Answer: Computers that cannot reach the Internet cannot activate online with Microsoft. They must be activated either with a MAK (by telephone where there is no Internet path) or against a KMS host on the local network; the KMS host itself is activated once with Microsoft, by telephone if necessary, and then activates clients without any of them needing Internet access.
3. In environments where there are isolated servers and workstations, which factors determine the activation technology that you use?
Answer: The number of computers determines whether you use MAK or KMS. A KMS host only starts activating clients once its activation count reaches the threshold: 25 for client operating systems, or 5 for Windows Server; servers and workstations count toward the same total. Below the threshold, use MAK.
4. Are there situations where virtualization is indicated?
Answer: Most servers, if not all, could be virtualized. In particular, the servers in Branch Office 2 should be consolidated and virtualized because their utilization is low.
5. How would you help to improve security at Branch Office 2?
Answer: Deploy Server Core. It has a smaller attack surface and fewer components to patch than a full installation, it supports the Hyper-V server role, and it can act as the platform for any virtual servers deployed at the branch. Because the branch servers sit in the open office space rather than in a server room, also consider protecting their volumes with BitLocker Drive Encryption so that a removed disk does not expose the data on it.
6. Which activation method would you use at Branch Office 2?
Answer: KMS. With forty client computers and two servers, the branch is above the 25-computer threshold, so a KMS host there will activate the clients without any of them needing an Internet path.
7. All the other branches have similar server configurations to that in Branch Office 2. Assuming Contoso accepts your proposals for the branch servers at Branch Office 2, how would you propose to deploy the servers at this and the other ten branches in the New York area?
Answer: Creating an image for the deployment of these servers would save time and ensure a standard server configuration. Using WDS would help to deploy the images more quickly, depending upon network bandwidth to the branches from the deployment server. WDS also requires DHCP (PXE clients obtain their address and the boot server from it), and DHCP is not shown in the datasheet as being available in the branches. Further investigation is warranted.
Result: At the end of this exercise, you should have successfully planned the Windows Server 2008 R2 deployment.
1. Click Start, point to All Programs, click Microsoft Windows AIK, and then click Deployment Tools Command Prompt.
2. At the command prompt, type the following command, and then press Enter.
3. At the command prompt, type the following command, and then press Enter.
Cd\labfiles\Mod01\Images
4. At the command prompt, type the following command, and then press Enter.
Dir
5. At the command prompt, type the following command, and then press Enter. Note the index number for the image with the Description of Windows Server 2008 R2 SERVERENTERPRISECORE.

2. At the command prompt, type the following command, and then press Enter.
Dism /get-mountedwiminfo
3. At the command prompt, type the following command, and then press Enter.
Dir D:\labfiles\Mod01\servicing

2. At the command prompt, type the following command, and then press Enter.
3. Verify that Hyper-V is Enable Pending.
4. At the command prompt, type the following command, and then press Enter.
Results: At the end of this exercise, you will have prepared the branch office image.
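The image-servicing procedure above, end to end, as an added example that is not part of the lab text. It assumes the WIM is named install.wim under D:\labfiles\Mod01\Images, that the Server Core edition reports index 3, and that DISM from the Windows AIK is on the path of a PowerShell prompt.

```powershell
# Added example: offline servicing of the branch image with DISM (the steps of this exercise).
# The WIM file name, the image index and the mount directory are assumptions.
$wim   = 'D:\labfiles\Mod01\Images\install.wim'   # assumed file name
$mount = 'D:\labfiles\Mod01\servicing'            # mount directory used by the lab

# 1. List the images in the WIM and pick the Server Core edition by its index.
Dism /Get-WimInfo "/WimFile:$wim"
$index = 3    # assumption: index reported for "Windows Server 2008 R2 SERVERENTERPRISECORE"

# 2. Mount it read/write and confirm the mount is healthy.
Dism /Mount-Wim "/WimFile:$wim" "/Index:$index" "/MountDir:$mount"
Dism /Get-MountedWimInfo

# 3. Enable the Hyper-V role offline. The feature state shows "Enable Pending" until the
#    image boots for the first time, which is what the exercise asks you to verify.
Dism "/Image:$mount" /Enable-Feature /FeatureName:Microsoft-Hyper-V
Dism "/Image:$mount" /Get-Features | Select-String -Pattern 'Microsoft-Hyper-V$' -Context 0,1

# 4. Commit the change and unmount. A stale mount left behind (for example after a crash)
#    breaks later servicing runs, so check nothing is mounted afterwards.
Dism /Unmount-Wim "/MountDir:$mount" /Commit
Dism /Get-MountedWimInfo
# Only needed if a previous unmount was interrupted and the mount point is orphaned:
# Dism /Cleanup-Wim
```

Using /Commit only after the feature state has been verified keeps a bad edit from being written back into the image that WDS will later hand to every branch.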
8. On the Confirm Installation Selections page, click Install.
9. On the Installation Results page, click Close.

3. At the command prompt, type the following command, and then press Enter.
exit
4.
5. In Windows Deployment Services, in the console tree, right-click NYC-SVR1.Contoso.com, and then click Refresh.
6. Expand NYC-SVR1.Contoso.com, and then click Boot Images.
WDSUTIL /Set-Server /AutoAddPolicy /Message:"The Contoso administrator is authorizing your request. Please wait."
6.
Results: At the end of this exercise, you will have successfully prepared WDS to support Windows Server deployment to the branch offices.
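The WDS preparation as a scripted sequence, added here as an example and not taken from the lab text. It assumes the boot and install images live under D:\labfiles\Mod01\Images and that the image group name BranchServers is free; the auto-add policy and message are the ones the exercise configures.

```powershell
# Added example: preparing WDS on NYC-SVR1 with WDSUTIL so that only approved machines
# receive the branch image. Image paths and the image group name are assumptions.
$boot    = 'D:\labfiles\Mod01\Images\boot.wim'      # assumed
$install = 'D:\labfiles\Mod01\Images\install.wim'   # assumed

# Add the boot image and the branch install image (the edition serviced with DISM earlier).
WDSUTIL /Verbose /Add-Image "/ImageFile:$boot" /ImageType:Boot
WDSUTIL /Verbose /Add-Image "/ImageFile:$install" /ImageType:Install /ImageGroup:BranchServers

# Answer every PXE client, but hold unknown (non-prestaged) machines for administrator approval
# instead of imaging anything that boots on the branch network. The message is shown to the
# waiting client.
WDSUTIL /Set-Server /AnswerClients:All
WDSUTIL /Set-Server /AutoAddPolicy /Policy:AdminApproval
WDSUTIL /Set-Server /AutoAddPolicy /Message:"The Contoso administrator is authorizing your request. Please wait."

# Review what is waiting in Pending Devices, then approve (or reject) by request ID or all at once.
WDSUTIL /Get-AutoAddDevices /DeviceType:PendingDevices
WDSUTIL /Approve-AutoAddDevices /RequestId:ALL
# WDSUTIL /Reject-AutoAddDevices /RequestId:ALL

# Confirm the effective server settings.
WDSUTIL /Get-Server /Show:Config
```

/AnswerClients:Known is the stricter alternative: only computers prestaged in AD DS by GUID or MAC address get a reply at all, which removes the approval step but requires the branch hardware list up front.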
Module 2
Lab Answer Key: Planning Server Management and Delegated Administration
Contents:
Exercise 1: Creating an Administrative-Level Role Group
Exercise 2: Creating an Account Management Group
Exercise 3: Enabling and Configuring Auditing for Sensitive Groups
Task 2: Place the user accounts for Kern Sutton and Christine Koch into the ADRedesign group.
1. On NYC-DC1, in the Active Directory Users and Computers window, right-click the ADRedesign group, and then click Properties.
2. In the ADRedesign Properties window, click the Members tab, and then click the Add button.
3. In the Select Users, Contacts, Computers, Service Accounts, or Groups window, type Kern Sutton; Christine Koch in the Enter the object names to select field, click the Check Names button, and then click OK.
4. In the ADRedesign Properties window, click OK.
Task 3: Delegate full control over the Contoso.com domain to the ADRedesign group.
1. In the Active Directory Users and Computers window, right-click the Contoso.com domain node, and then click Delegate Control.
2. In the Delegation of Control Wizard window, click Next.
3. On the Users or Groups page, click the Add button.
4. In the Select Users, Computers, or Groups window, type ADRedesign into the Enter the object names to select field, click the Check Names button, and then click OK.
5. On the Users or Groups page, click Next.
6. On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
7. On the Active Directory Object Type page, ensure that This folder, existing objects in this folder, and creation of new objects in this folder is selected, and then click Next.
8. On the Permissions page, select the check box next to Full Control, and then click Next.
9. On the Completing the Delegation of Control Wizard page, click Finish.
Results: After completing this exercise, you should have created an administrative-level role group. Note that Full Control on the domain node, inherited by every object beneath it, makes ADRedesign members the practical equivalent of Domain Admins: the group must be protected and audited with the same care (see Exercise 3), and its membership reviewed regularly.
Task 2: Place the user account for Ryan Ihrig into the AcctMgmt group.
1. On NYC-DC1, in the Active Directory Users and Computers window, right-click the AcctMgmt group, and then click Properties.
2. In the AcctMgmt Properties window, click the Members tab, and then click the Add button.
3. In the Select Users, Contacts, Computers, Service Accounts, or Groups window, type Ryan Ihrig in the Enter the object names to select field, click the Check Names button, and then click OK.
4. In the AcctMgmt Properties window, click OK.
Task 3: Grant create, delete, and manage user accounts privileges to the AcctMgmt group.
1. In the Active Directory Users and Computers window, right-click the Contoso.com domain node, and then click Delegate Control.
2. In the Delegation of Control Wizard window, click Next.
3. On the Users or Groups page, click the Add button.
4. In the Select Users, Computers, or Groups window, type AcctMgmt in the Enter the object names to select field, click the Check Names button, and then click OK.
5. On the Users or Groups page, click Next.
6. On the Tasks to Delegate page, ensure that Delegate the following common tasks is selected, select the Create, delete, and manage user accounts check box, and then click Next.
7. On the Completing the Delegation of Control Wizard page, click Finish.
8. Close the Active Directory Users and Computers window.
Results: After completing this exercise, you should have created an account management group.
Task 2: Configure auditing settings for the Domain Admins, Enterprise Admins, ADRedesign, and AcctMgmt groups.
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window menu, click View, and then click Advanced Features.
3. In the navigation pane, click Users.
4. In the details pane, right-click the Domain Admins group, and then click Properties.
5. In the Domain Admins Properties window, click the Security tab, and then click the Advanced button.
6. In the Advanced Security Settings for Domain Admins window, click the Auditing tab, and then click the Add button.
7. In the Select User, Computer, Service Account, or Group window, type Authenticated Users in the Enter the object names to select field, click the Check Names button, and then click OK.
8. In the Auditing Entry for Domain Admins window, select the check boxes next to Full control for both the Successful and Failed columns, and then click OK.
9. In the Advanced Security Settings for Domain Admins window, click OK.
10. In the Domain Admins Properties window, click OK.
11. Repeat steps 1 to 10 for the Enterprise Admins, ADRedesign, and AcctMgmt groups.
5. Check for an Active Directory object access entry for the ADRedesign group. Directory Service Access events are written to the Security log with event ID 4662, and only once that audit subcategory has been enabled; the SACL on the group alone produces nothing.
Results: After completing this exercise, you should have enabled and configured auditing for sensitive groups.
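The three exercises of this module (role groups, delegation, and SACLs on the sensitive groups) as one script, added here as an example and not taken from the lab text. It assumes the Active Directory module on NYC-DC1, the NetBIOS domain name CONTOSO, that the groups are created in the default Users container, and that the user accounts named in the lab already exist.

```powershell
# Added example: role groups, delegation and auditing for Module 2 from the AD module.
# NetBIOS domain name, group location and the existence of the named users are assumptions.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName          # DC=contoso,DC=com

# Exercises 1 and 2, Tasks 1-2: the role groups and their members.
New-ADGroup -Name ADRedesign -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
New-ADGroup -Name AcctMgmt   -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
Add-ADGroupMember -Identity ADRedesign -Members (Get-ADUser -Filter 'Name -eq "Kern Sutton" -or Name -eq "Christine Koch"')
Add-ADGroupMember -Identity AcctMgmt   -Members (Get-ADUser -Filter 'Name -eq "Ryan Ihrig"')

# Task 3 of each exercise, with dsacls. GA = generic all (Full Control); /I:T inherits to the object
# and every descendant, which is why ADRedesign ends up tier-0. The AcctMgmt grant is the wizard's
# "create, delete, and manage user accounts" task: create/delete user children on containers,
# plus full control over user objects themselves.
dsacls $domainDN /I:T /G "CONTOSO\ADRedesign:GA"
dsacls $domainDN /I:T /G "CONTOSO\AcctMgmt:CCDC;user"
dsacls $domainDN /I:S /G "CONTOSO\AcctMgmt:GA;;user"

# Exercise 3: audit every successful and failed access to the sensitive groups.
# The lab uses Authenticated Users (S-1-5-11) as the audited principal.
$who  = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            $who,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AuditFlags]'Success, Failure')
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'ADRedesign', 'AcctMgmt') {
    $dn  = (Get-ADGroup -Identity $g).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn" -Audit            # -Audit pulls the SACL, not just the DACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# The SACL is inert until the subcategory is on; afterwards object access appears as event 4662.
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# Task 4 equivalent: look for the ADRedesign entry in the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'ADRedesign' } |
    Format-List TimeCreated, Message
```

Setting a SACL needs the Manage auditing and security log privilege on the domain controller; the Set-Acl call fails silently on the audit part without it, so check the Auditing tab once after running the script.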
Module 3
Lab Answer Key: Planning Network Addressing and Name Resolution
Contents:
Exercise 1: Planning the Deployment of DHCP and DNS Servers
Exercise 2: Implementing DNS
Exercise 3: Implementing DHCP
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.
Branch Office Network Infrastructure Plan: Network Services
Document Reference Number: CW0711/1
Document Author: Charlotte Weiss
Date: 25th July
Requirements Overview: Specify which network services are required in each branch office and any changes that might be required in the head office to facilitate your proposals.
Additional Information: It is important that any router, server, or communications link failure does not adversely affect users.
Proposals
1. How many DHCP servers do you propose to deploy in the region?
Answer: Assuming that the routers all support BOOTP/DHCP relay (RFC 1542), there is no need to deploy a DHCP server in each subnet; one DHCP server in each location would be sufficient. For fault tolerance, duplicate the scopes on the head office DHCP server with complementary exclusion ranges, so that the branch server hands out 80 percent of each range and the head office server the remaining 20 percent (the 80/20 rule). The branch router must relay to the head office server for the backup scope to be reachable.
2. Where do you propose to deploy these servers?
Answer: One DHCP server in each regional office.
3. What name resolution services are required?
Answer: Both DNS and NetBIOS name resolution are required.
4. To support the DNS name space in the sales division, how would you propose to configure DNS?
Answer: There are two choices:
a. Configure a subdomain for research in the existing contoso.com DNS name space. Then create sufficient DNS servers for deployment to the region as secondary servers of the contoso.com zone. Create a delegation for the research.contoso.com zone in the contoso.com zone. Provide at least two name servers to support this delegated zone.
b.
Answer: Possibly.
6. If so, how many WINS servers will you require for the region?
Answer: Probably two, configured as replication partners.
7. If not, how do you propose to support single-label names?
Answer: Instead of WINS, a GlobalNames zone could be used. It should be an Active Directory-integrated zone replicated to every DNS server in the forest, each DNS server needs GlobalNames support enabled, and unlike WINS it is populated manually with CNAME records for the single-label names.
Task 3: Compare your solution with the one provided in the Lab Answer Key
Compare your solution with the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: In this exercise, you planned the placement of DHCP and DNS servers for the Contoso branch offices.
10. In the System Properties dialog box, click Close.
11. In the Microsoft Windows dialog box, click Restart Now.
12. When the computer has restarted, log on with the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
3. In the Results pane, click Add Roles.
4. In the Add Roles Wizard, click Next.
5. On the Select Server Roles page, select the DNS Server check box, and then click Next.
6. On the DNS Server page, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.
9. Close Server Manager.
10. Click OK. 11. On the Name Servers page, click Next. 12. On the Completing the New Delegation Wizard page, click Finish.
Results: In this exercise, you deployed the DNS server to the first branch office.
10. In the Alternate DNS server IPv4 address, type 10.10.0.10, and then click Next. 11. On the Specify IPv4 WINS Server Settings page, click Next. 12. On the Add or Edit DHCP Scopes page, click Next. 13. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server and then click Next. 14. On the Authorize DHCP Server page, click Next. 15. On the Confirm Installation Selections page, click Install. 16. On the Installation Results page, click Close, and then close Server Manager.
10. In the DHCP Relay Properties Local Area Connection 3 Properties dialog box, click OK.
11. Right-click DHCP Relay Agent and then click Properties. 12. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 10.10.0.10, click Add, and then click OK. 13. Close Routing and Remote Access.
On the Add Exclusions and Delay page, complete the page by using the following information, click Add, and then click Next: Start IP address: 172.16.16.200 End IP address: 172.16.16.254
8. On the Lease Duration page, click Next.
9. On the Configure DHCP Options page, click Next.
10. On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next. 11. On the Domain Name and DNS Servers page, in the IP address box, type 172.16.16.2, click Add. 12. In the list of IP addresses, click 172.16.16.2, click Up, and then click Next. 13. On the WINS Servers page, click Next. 14. On the Activate Scope page, click Next. 15. On the Completing the New Scope Wizard page, click Finish.
5. In the New Scope Wizard, click Next.
6. On the Scope Name page, in the Name box, type Branch Office Backup Scope, and then click Next.
7. On the IP Address Range page, complete the page by using the following information, and then click Next:
Start IP address: 172.16.16.4
End IP address: 172.16.16.254
Length: 24
Subnet mask: 255.255.255.0
8. On the Add Exclusions and Delay page, complete the page by using the following information, click Add, and then click Next:
Start IP address: 172.16.16.4
End IP address: 172.16.16.199
9.
10. On the Configure DHCP Options page, click Next. 11. On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next. 12. On the Domain Name and DNS Servers page, in the Parent domain box, type research.contoso.com. In the IP address box, type 172.16.16.2, click Add. 13. In the list of IP addresses, click 172.16.16.2, click Up, and then click Next. 14. On the WINS Servers page, click Next. 15. On the Activate Scope page, click Next. 16. On the Completing the New Scope Wizard page, click Finish.
10. At the command prompt, type the following command, and then press Enter.
Ipconfig /all
11. Answer the following questions:
a) What is the IP address of NYC-CL2? Answers may vary, but it is likely to be 172.16.16.4.
b) What is the DHCP server IP address? 172.16.16.2, that is, NYC-SVR2.
12. Leave the windows open for the next (optional) exercise.
Results: In this exercise, you implemented DHCP for the branch offices.
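The branch scope, its head-office backup scope and the GlobalNames zone from proposals 1 and 7, built from the command line as an added example that is not part of the lab text. Windows Server 2008 R2 has no DhcpServer PowerShell module, so netsh and dnscmd are the scriptable tools; the addresses are the lab's, the FQDNs of the servers and the fileserver CNAME are assumptions.

```powershell
# Added example: 80/20 split between the branch DHCP server and the head office, plus a
# GlobalNames zone instead of WINS. Server FQDNs and the CNAME target are assumptions.

# Branch DHCP server NYC-SVR2 (172.16.16.2): owns the 80 percent, 172.16.16.4-199.
netsh dhcp server 172.16.16.2 add scope 172.16.16.0 255.255.255.0 "Branch Office Scope"
netsh dhcp server 172.16.16.2 scope 172.16.16.0 add iprange 172.16.16.4 172.16.16.254
netsh dhcp server 172.16.16.2 scope 172.16.16.0 add excluderange 172.16.16.200 172.16.16.254
netsh dhcp server 172.16.16.2 scope 172.16.16.0 set optionvalue 003 IPADDRESS 172.16.16.1   # router
netsh dhcp server 172.16.16.2 scope 172.16.16.0 set optionvalue 006 IPADDRESS 172.16.16.2   # DNS
netsh dhcp server 172.16.16.2 scope 172.16.16.0 set optionvalue 015 STRING research.contoso.com
netsh dhcp server 172.16.16.2 scope 172.16.16.0 set state 1                                 # activate

# Head office DHCP server NYC-SVR1 (10.10.0.10): same subnet, complementary exclusion (the 20 percent).
# Clients only reach it through the branch router's DHCP relay, so it answers when NYC-SVR2 is down.
netsh dhcp server 10.10.0.10 add scope 172.16.16.0 255.255.255.0 "Branch Office Backup Scope"
netsh dhcp server 10.10.0.10 scope 172.16.16.0 add iprange 172.16.16.4 172.16.16.254
netsh dhcp server 10.10.0.10 scope 172.16.16.0 add excluderange 172.16.16.4 172.16.16.199
netsh dhcp server 10.10.0.10 scope 172.16.16.0 set optionvalue 003 IPADDRESS 172.16.16.1
netsh dhcp server 10.10.0.10 scope 172.16.16.0 set optionvalue 006 IPADDRESS 172.16.16.2
netsh dhcp server 10.10.0.10 scope 172.16.16.0 set optionvalue 015 STRING research.contoso.com
netsh dhcp server 10.10.0.10 scope 172.16.16.0 set state 1

# Both servers must be authorized in AD DS or the DHCP service refuses to serve leases
# (the rogue-server check). List what is authorized afterwards.
netsh dhcp add server nyc-svr2.research.contoso.com 172.16.16.2
netsh dhcp show server

# Single-label names without WINS: a forest-wide AD-integrated GlobalNames zone on the branch
# DNS server, support switched on, and one CNAME per legacy name.
dnscmd nyc-svr2 /ZoneAdd GlobalNames /DsPrimary /DP /forest
dnscmd nyc-svr2 /Config /EnableGlobalNamesSupport 1
dnscmd nyc-svr2 /RecordAdd GlobalNames fileserver CNAME nyc-svr2.research.contoso.com.
```

Because the two exclusion ranges are complementary, no address can be leased by both servers, which is what keeps the backup scope from causing duplicate-address conflicts; the scope on 10.10.0.10 still needs the relay agent on the branch router pointed at it, as the exercise configures with Routing and Remote Access.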
Module 4
Lab Answer Key: Planning and Provisioning Active Directory Domain Services
Contents:
Exercise 1: Planning an Active Directory Structure
Exercise 2: Active Directory Domain Services Backup and Recovery
Exercise 3: Configuring Active Directory Recycle Bin
Task 2: Update the Branch Office Planning document with your proposals.
Answer the questions in the Branch Office Planning document. Branch Office Planning Document Reference Number:GW0809/2 Document Author Date Gregory Weber September 1
Requirements Overview: To determine the placement and configuration of domain controllers and related services at the western region sales offices.
Additional Information: It is important that in the event of a link failure between the head office and branch offices, users are still able to log on to the network and access services.
Proposals
1. Do you intend to deploy a domain controller in the branch offices? How many?
Answer: Yes, one domain controller per branch.
2. Will you deploy an RODC?
Answer: Yes. Security is a concern in the branch offices, and an RODC is the more secure way to deploy a domain controller there: it holds a read-only copy of the directory, no changes originate from it, it caches only the account passwords that its Password Replication Policy allows, and local administration of the RODC can be delegated to a branch user without granting domain-wide rights.
3. How will you optimize the directory replication for the branches?
Answer: Each branch will be represented in Active Directory by a site object.
4. How will domain controllers know in which branch they are located?
Answer: Subnet objects should also be created and associated with a site. The domain controllers and other computers use their IP configuration to determine their site location in Active Directory.
5. Do you anticipate the need for global catalog services?
Answer: Yes. Many services require access to the global catalog, and without a local one, logons fail when the WAN link is down.
6. How will you configure global catalog and DNS?
Answer: An RODC can also hold the global catalog and run the DNS Server role, so no additional server is required.
7. Which additional Active Directory-related services are required to support the branch office line-of-business applications?
Answer: A line-of-business application requires access to a directory service. AD LDS might be suitable.
1. Switch to NYC-DC1.
2. On NYC-DC1, click Start, click Administrative Tools, and then click Server Manager.
3. In the Server Manager window, click the Features node in the left-hand pane, and then click Add Features in the right-hand pane.
4. In the Add Features Wizard window, scroll down, expand Windows Server Backup Features, select the Windows Server Backup check box, and then click Next.
5. On the Confirm Installation Selections screen, click Install. Installation will take a few moments.
6. On the Installation Results screen, click Close.
7. Close the Server Manager window.
10. In the Confirmation screen, click Backup.
Note: Backup will take approximately 30 minutes.
11. When the backup is complete, click Close. 12. Close the Windows Server Backup window.
8. At the command prompt, type the following command, and then press Enter. This will restore the system state from the backup to NYC-DC1. Use the version identifier recorded in the previous step in place of <versionidentifier>.
Wbadmin start systemstaterecovery -version:<versionidentifier>
Type Y and press Enter when prompted.
Note: Restore will take approximately 45 minutes.
9. At the Press [Y] to restart the computer now prompt, type Y, and then press Enter. The computer will restart.
10. Log on to NYC-DC1 as Contoso\Administrator with a password of Pa$$w0rd. 11. In the notification window, press Enter. 12. Click Start, click Run, type msconfig into the Open field and then press Enter. 13. In the System Configuration window, click the Boot tab. 14. On the Boot tab, click the check box to deselect Safe boot, and then click OK. 15. In the System Configuration pop-up window, click Restart. The computer will restart. On restart, NYC-DC1 will run AD DS integrity checks to confirm the integrity of the newly restored AD DS database. 16. Log on to NYC-DC1 as Contoso\Administrator with a password of Pa$$w0rd.
17. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
18. In the Active Directory Users and Computers window, ensure that the IT OU appears under the Contoso.com node.
19. Close the Active Directory Users and Computers window.
Note: This is a non-authoritative restore. It brings the IT OU back only because NYC-DC1 is the sole domain controller in the lab; with other domain controllers present, inbound replication would delete the OU again, and it would have to be marked authoritative with ntdsutil before the restart.
Results: In this exercise, you configured AD DS backup and restore.
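The backup and restore of this exercise as a scripted sequence, with the authoritative-restore step that a multi-DC environment needs, added here as an example and not taken from the lab text. It assumes a backup target drive E: and the DSRM administrator password set when NYC-DC1 was promoted; the version identifier is whatever wbadmin get versions reports.

```powershell
# Added example: system state backup and restore of NYC-DC1 from the command line.
# Backup target drive E: is an assumption.

# Exercise 2, Task 2 equivalent: system state backup (AD DS database, SYSVOL, registry, boot files).
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Task 3 equivalent: boot into Directory Services Restore Mode without msconfig.
# This is the same switch the lab toggles under "Safe boot"; the DSRM account is local.
bcdedit /set safeboot dsrepair
shutdown /r /t 0

# ... logged on in DSRM as the local administrator ...
wbadmin get versions -backupTarget:E:            # note the "Version identifier" line
wbadmin start systemstaterecovery -version:<versionidentifier> -backupTarget:E: -quiet

# Only when other domain controllers exist: mark the restored OU authoritative so that it
# replicates OUT (with a raised version) instead of being deleted by inbound replication.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree OU=IT,DC=contoso,DC=com" quit quit

# Return to a normal boot; the first start after a restore runs the AD DS integrity checks.
bcdedit /deletevalue safeboot
shutdown /r /t 0
```

Keep the DSRM password under the same control as Domain Admins credentials: anyone who can boot the server into DSRM with it has offline access to the directory database, which is a stronger reason than convenience for the branch servers to sit behind a locked door.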
3. In the Active Directory Module for Windows PowerShell, type the following command, and then press Enter.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target contoso.com
4. Press Y, and then press Enter.
5. Close the Active Directory Module for Windows PowerShell window.
Task 4: Restore the deleted test object from Active Directory Recycle Bin.
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
2. In Active Directory Module for Windows PowerShell, type the following command, and then press Enter.
Note: The user account named Mary should appear in the list of objects.
3. In the Active Directory Module for Windows PowerShell, type the following command, and then press Enter.
4. Close the Active Directory Module for Windows PowerShell window.
5. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
6. In the Active Directory Users and Computers window, expand the Contoso.com domain, click the IT OU, and note that the user account for Mary is again present in the IT OU.
7. Right-click the user account for Mary, and then click Delete.
8. In the Active Directory Domain Services window, click Yes to confirm the deletion.
9. Close the Active Directory Users and Computers window.
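The Recycle Bin workflow of this exercise, from the prerequisite check to the restore of the test account, as an added example that is not part of the lab text. It assumes the test user Mary lives in the IT OU as in the lab, and it runs in the Active Directory Module for Windows PowerShell on NYC-DC1.

```powershell
# Added example: enabling Active Directory Recycle Bin and restoring a deleted object.
# The test user and OU follow the lab; nothing else is assumed.
Import-Module ActiveDirectory

# Prerequisite: forest functional level Windows Server 2008 R2. Raising it requires every DC
# to run 2008 R2, and enabling the Recycle Bin afterwards cannot be undone.
(Get-ADForest).ForestMode
# Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest   # only if still lower

Enable-ADOptionalFeature `
    -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' `
    -Scope ForestOrConfigurationSet -Target contoso.com -Confirm:$false
Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"' | Select-Object Name, EnabledScopes

# Create and delete the test object (what the lab does in the ADUC console).
New-ADUser -Name Mary -Path 'OU=IT,DC=contoso,DC=com'
Remove-ADUser -Identity 'CN=Mary,OU=IT,DC=contoso,DC=com' -Confirm:$false

# Step 2: list what is in the Deleted Objects container. Deleted names carry a \0ADEL:<guid>
# suffix, and lastKnownParent records where each object came from.
Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent |
    Format-Table Name, ObjectClass, lastKnownParent -AutoSize

# Step 3: restore Mary to her last known parent (use -TargetPath if that OU no longer exists).
Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "Mary*"' -IncludeDeletedObjects |
    Restore-ADObject

# Verify the account is back in the IT OU with its attributes and group memberships intact.
Get-ADUser -Identity 'CN=Mary,OU=IT,DC=contoso,DC=com' -Properties MemberOf
```

Restore-ADObject fails if the parent container was itself deleted: restore containers before their children, following the lastKnownParent chain upward.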
Module 5
Lab Answer Key: Planning Group Policy Strategy
Contents:
Exercise 1: Planning Group Policy
Exercise 2: Implementing the Proposed GPO Plan
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the Contoso Group Policy Plan document. This is located in the main module document under Exercise 1. Contoso Group Policy Plan Document Reference Number: CW0911/1 Document Author Date Charlotte Weiss 16th September
Requirements Overview To create the AD DS infrastructure required to support GPO deployment. To create GPOs and link them to the containers in AD DS. To configure filtering and loopback processing as required to fine-tune the GPO application. Proposals 1. How will you accommodate the requirement to block access to removable read and write storage devices on office computers and ensure that this setting cannot be overridden? Answer: Create a GPO with the required settings to restrict use of removable storage devices. Link this to the appropriate AD DS container. For example, if all computers in the domain must adhere to this restriction, link the policy to the domain container. To ensure that the settings cannot be overridden, configure Enforced on the new GPO. Recommended settings: Enable both Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny read access and Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access 2. How do you intend to allow new users in the branch offices to be able to manage branch office
GPOs and not head office GPOs?
Answer: Create an AD DS security group and add the new users to this group. Grant the group the required GPO management permissions (edit settings, delete, modify security) on the branch office GPOs only, using the Delegation tab of each GPO in the Group Policy Management Console; the head office GPOs keep their default permissions.
3. How do you propose to support the different application needs of sales and office staff in the branch offices?
Answer: Create a GPO for each group at the branch offices. Use security filtering to restrict the application of each GPO to the required group. For example, create a GPO for assigning a required application to the Sales team. Link the GPO to the branch office organizational unit. Modify the default GPO permissions by removing the Authenticated Users entry from the access control list (ACL). Add the Sales security group to the GPO's ACL with the Read and Apply group policy permissions. Since MS16-072, computers retrieve user GPOs in the security context of the computer account, so on any GPO from which Authenticated Users has been removed, also grant Domain Computers the Read permission.
4. What changes to your plans must you make to support the training lab requirements?
Answer: The removable storage restriction, if applied at the domain level and enforced, cannot be easily bypassed: Block Inheritance is overridden by enforcement. One solution is to apply the removable storage restriction in a GPO that is linked to all the organizational units that contain office computers, and not to the separate OU that contains the training lab computers. A different approach is to use security group filtering to deny the Apply group policy permission to a group that contains the lab computers.
Task 3: Compare your solution with the one provided in the Lab Answer Key.
Compare your solution with the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: In this exercise, you completed the Contoso Group Policy Plan.
7. In the New Object - Organizational Unit window, in the Name box, type Branches, and then click OK.
8. Right-click Branches, point to New, and then click Organizational Unit.
9. In the New Object - Organizational Unit window, in the Name box, type Branch1, and then click OK.
10. Right-click Branches, point to New, and then click Organizational Unit. 11. In the New Object - Organizational Unit window, in the Name box, type Branch2, and then click OK. 12. Right-click Branches, point to New, and then click Organizational Unit. 13. In the New Object - Organizational Unit window, in the Name box, type Branch3, and then click OK.
10. Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.
11. In the New GPO window, in the Name box, type Enforced Security, and then click OK.
12. Right-click Enforced Security, and then click Edit.
13. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, expand System, and then click Removable Storage Access.
14. In the right pane, double-click Removable Disks: Deny read access.
15. In the Removable Disks: Deny read access Properties window, click Enabled, and then click OK.
16. In the right pane, double-click Removable Disks: Deny write access.
17. In the Removable Disks: Deny write access Properties window, click Enabled, and then click OK.
18. Close the Group Policy Management Editor.
19. In the Group Policy Management window, right-click Enforced Security, and then click Enforced.
20. In the left pane, click Enforced Security. 21. If necessary, in the Group Policy Management Console window, select the Do not show this message again check box, and then click OK. 22. Click the Delegation tab, and then click Advanced. 23. In the Enforced Security Security Settings window, click Add, type Lab Computers, and then click OK. 24. In the Permissions for Lab Computers area, select both the Deny Read and Deny Apply group policy check boxes, and then click OK. 25. In the Windows Security window, click Yes to continue.
10. In the Group Policy Management window, in the left pane, expand Branches, and then click Branch1. 11. Right-click Branch1, and then click Link an Existing GPO. 12. In the Select GPO window, click Branch1 Preferences, and then click OK.
11. In the New GPO window, in the Name box, type Office Applications, and then click OK. 12. In the left pane, expand Group Policy Objects, and then click Sales Applications. 13. In the Security Filtering area, click Authenticated Users, and then click Remove. 14. Click OK to confirm. 15. Click Add, type Sales Staff, and then click OK. 16. In the left pane, click Office Applications. 17. In the Security Filtering area, click Authenticated Users, and then click Remove. 18. Click OK to confirm. 19. Click Add, type Office Staff, and then click OK. 20. Right-click Branch1, and then click Link an Existing GPO. 21. In the Select GPO window, click Sales Applications, and then click OK. 22. Right-click Branch1, and then click Link an Existing GPO. 23. In the Select GPO window, click Office Applications, and then click OK.
10. On the Advanced Simulation Options page, click Next to select no options. 11. On the User Security Groups page, click Add, type Sales Staff, and then click OK. 12. Select the Skip to the final page of this wizard without collecting additional data check box, and then click Next. 13. On the Summary of Selections page, click Next. 14. To view the model, click Finish. 15. In the Branch1 on Branch1 area, under Computer Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs. Default Domain Policy has computer settings and is applied to computers in Branch1.
Enforced Security has computer settings and is applied to computers in Branch1. Office Applications is denied due to security filtering. The computer is not a member of the necessary group. Sales Applications is denied due to security filtering. The computer is not a member of the necessary group. Branch1 Preferences is denied because there are no relevant settings for computers. If computer settings are added to Branch1 Preferences, they would be applied.
16. Under User Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs. Branch1 Preferences has user settings and is applied to users in Branch1. Enforced Security is denied because there are no relevant settings for users. If user settings are added to Enforced Security, they would be applied. Default Domain Policy is denied because there are no relevant settings for users. If user settings are added to Default Domain Policy, they would be applied. Office Applications is denied due to security filtering. The user is not a member of the necessary group. Sales Applications is denied because there are no relevant settings for users. After the sales applications are added to the policy, they will be distributed to members of the Sales Staff group.
Results: In this exercise, you implemented the appropriate group policies for users in Branch 1.
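The GPO plan of Exercise 1 and the implementation of Exercise 2 as one script using the GroupPolicy module on NYC-DC1, added here as an example and not taken from the lab text. It assumes the Branches/Branch1 OU structure and the Sales Staff, Office Staff and Lab Computers groups already exist; the registry values are the ones the two Removable Disks policy settings write, and the Domain Computers grant is the MS16-072 caveat made concrete.

```powershell
# Added example: the Module 5 GPO plan with the GroupPolicy and ActiveDirectory modules.
# OU names and group names are the lab's; the OUs and groups are assumed to exist.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$domainDN = 'DC=contoso,DC=com'
$branch1  = "OU=Branch1,OU=Branches,$domainDN"

# Proposal 1 / Exercise 2: enforced domain-level GPO denying read and write on removable disks.
# {53f5630d-...} is the device setup class for Removable Disks; Deny_Read/Deny_Write = 1 is what
# the two "Removable Disks: Deny ... access" settings write under the policies key.
$class = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$key   = "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$class"
New-GPO -Name 'Enforced Security' | New-GPLink -Target $domainDN -Enforced Yes
Set-GPRegistryValue -Name 'Enforced Security' -Key $key -ValueName Deny_Read  -Type DWord -Value 1
Set-GPRegistryValue -Name 'Enforced Security' -Key $key -ValueName Deny_Write -Type DWord -Value 1

# Proposal 3: one GPO per staff group at Branch1, security-filtered to that group.
$plan = @{ 'Sales Applications' = 'Sales Staff'; 'Office Applications' = 'Office Staff' }
foreach ($gpoName in $plan.Keys) {
    New-GPO -Name $gpoName | Out-Null
    Set-GPPermissions -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
    Set-GPPermissions -Name $gpoName -TargetName $plan[$gpoName]    -TargetType Group -PermissionLevel GpoApply
    # MS16-072: the computer account reads user GPOs, so it needs Read once Authenticated Users is gone.
    Set-GPPermissions -Name $gpoName -TargetName 'Domain Computers'  -TargetType Group -PermissionLevel GpoRead
    New-GPLink -Name $gpoName -Target $branch1 | Out-Null
}

# Proposal 4, second approach: deny Apply group policy to the lab computers on the enforced GPO.
# Set-GPPermissions has no deny level, so add the deny ACE to the GPO container directly.
$labSid   = (Get-ADGroup -Identity 'Lab Computers').SID
$gpoDN    = (Get-GPO -Name 'Enforced Security').Path              # cn={guid},cn=policies,cn=system,...
$applyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'          # Apply-Group-Policy extended right
$deny     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $labSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Deny, $applyGpo)
$acl = Get-Acl -Path "AD:\$gpoDN"
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$gpoDN" -AclObject $acl

# Review the resulting ACLs; the lab's Group Policy Modeling run is the GUI equivalent.
foreach ($g in 'Enforced Security', 'Sales Applications', 'Office Applications') {
    Get-GPPermissions -Name $g -All | Format-Table @{n='GPO';e={$g}}, Trustee, Permission, Denied -AutoSize
}
```

A deny ACE on the GPO is the only thing that beats Enforced for a computer beneath the link, which is why the lab uses it for the training lab machines; keep the Lab Computers group small and reviewed, since any computer placed in it escapes the removable storage restriction.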
Module 6
Lab Answer Key: Planning Active Directory Certificate Services
Contents:
Exercise 1: Plan Certificate Services Deployment
Exercise 2: Configure Stand-alone Root and Enterprise Subordinate CA
Exercise 3: Configuring Key Archiving and Recovery
Exercise 4: Configure Online Certificate Status Protocol Array
Requirements Overview
1. Contoso Australia wants to use Active Directory Certificate Services to deploy certificates to support the following certificate types: computer certificates for SSL/TLS and DirectAccess; Encrypting File System certificates; BitLocker and EFS data recovery agents; Key Recovery Agent certificates.
2. Contoso Australia's head office location is in Melbourne, Australia. There are branch offices in the state capital cities of Sydney, Adelaide, Perth, and Hobart.
3. Your design needs to ensure that certificates can be renewed in the event of a WAN failure.
4. Your design needs to ensure that revocation checks can occur in the event of a WAN failure.
5. Your design should minimize the impact that revocation checks have on network utilization.
6. The root certification authority should be made as secure as possible.
You would deploy an offline root CA; keeping the root off the network is the single most effective measure for protecting it, since it then only has to come online to issue or renew subordinate CA certificates and to publish its CRL. You need to deploy an enterprise subordinate CA in each site to issue and renew the certificate types specified in the objectives and to ensure that certificate renewal and issuance continue when WAN links are down. You would use an Online Responder (OCSP) array to reduce the amount of data transferred during revocation checks, since clients fetch a small signed status response instead of the complete CRL. You need to deploy a member of the Online Responder array in each site so that revocation checks can still occur when WAN links are unavailable; for this to work, the certificates the subordinate CAs issue must carry the responder URL in their AIA extension, and each responder needs a current CRL from each issuing CA to answer from.
Results: In this exercise, you planned an appropriate certificate services configuration for Contoso.
3. Close the command prompt.
4. Switch to NYC-CA1.
5. Click Start, right-click Computer, and then click Properties.
6. Click Advanced system settings.
7. Click Computer Name.
8. Click Change, and then click More.
9. In the Primary DNS suffix of this computer input box, enter contoso.com, and then click OK three times. Click Close, and then click Restart Now.
10. When the server restarts, log on as Administrator, with the password, Pa$$w0rd. 11. Open Server Manager, right click Roles, and then click Add Roles. 12. On the Before You Begin page of the Add Roles Wizard, click Next. 13. On the Select Server Roles page, select the Active Directory Certificate Services check box, and click Next twice 14. On the Select Role Services page, select the check boxes Certification Authority and Certification Authority Web Enrollment. 15. When prompted, click Add Required Role Services, and then click Next.
16. On the Specify Setup Type page, select Standalone, and then click Next. 17. On the Specify CA Type page, ensure that Root CA is selected, and then click Next 18. On the Set Up Private Key page, ensure that Create a new private key is selected, and click Next. 19. On the Configure Cryptography for CA page, set the Key character length to 4096, and click Next. 20. On the Configure CA Name page, click Next. 21. On the Set Validity Period page, set the validity to 6 years, and then click Next four times. 22. On the Confirm Installation Selections page, click Install. 23. On the Installation Results page, click Close. 24. Open the Certification Authority console from the Administrative Tools menu. 25. Expand contoso-NYC-CA1-CA, right-click the Revoked Certificates node, click All Tasks, and then click Publish. 26. On the Publish CRL page, click OK. 27. Open an elevated command prompt, type the following command, and then press Enter.
Copy c:\windows\system32\certsrv\certenroll\*.* \\nyc-svr1\certs
28. Close the command prompt window. 29. Switch to NYC-DC1 30. Open an elevated command prompt, and type the following commands, pressing Enter at the end of each line.
Dnscmd /recordadd contoso.com nyc-ca1 A 10.10.0.20 Certutil -dspublish -f \\nyc-svr1\certs\NYC-CA1.contoso.com_contoso-NYC-CA1-CA.crt
Note: This publishes the root certificate of the stand-alone root CA to the enterprise trusted root store in Active Directory, from where domain members receive it automatically through Group Policy.
31. Close the command prompt window.
gpupdate /force
3. Close the command prompt.
4. Open the Server Manager console, right-click Roles, and then click Add Roles.
5. On the Before You Begin page of the Add Roles Wizard, click Next.
6. 7. 8. 9.
On the Select Server Roles page, select Active Directory Certificate Services, and then click Next three times. On the Specify Setup Type page, select Enterprise, and then click Next. On the Specify CA Type page, select Subordinate CA, and then click Next. On the Set Up Private Key page, select Create a new private key and click Next three times.
10. On the Request Certificate from a Parent CA page, click Browse, and then click ContosoCA. Click OK. Click Next twice, and then click Install. 11. When the installation completes, click Close. Results: In this exercise, you installed both a stand-alone root CA and an Enterprise Subordinate CA.
10. Click Certificates, and then click Add.
11. Click My user account, click Finish, and then click OK.
12. Expand Certificates, right-click Personal, click All Tasks, and then click Request New Certificate.
13. Click Next twice, and then select Key Recovery Agent. Click Enroll. Click Finish.
14. In the Certification Authority console, click Pending Requests. Right-click the certificate in the Pending Request list, click All Tasks, and then click Issue.
15. Right-click Contoso-NYC-SVR1-CA, and then click Properties.
16. On the Recovery Agents tab, select Archive the Key, and then click Add.
17. In the Key Recovery Agent Selection dialog box, click OK, and then click Apply.
Note If no Key Recovery Agent is present, open an elevated command prompt, run the command certutil pulse, and reopen the CA properties dialog box.
18. When prompted to restart Active Directory Certificate Services, click Yes.
19. Click the Issued Certificates node. Right-click the listed certificate, click All Tasks, and then click Export Binary Data.
20. Select Save binary data to a file and then click OK.
21. Save the file as Recovery_Agent.cer to the Desktop.
22. In the Certificates console, right-click the Personal node, click All Tasks, and then click Import.
23. On the Welcome to the Certificate Import Wizard page, click Next.
24. On the File to Import page, click Browse.
25. Select Recovery_Agent.cer on the Desktop, and then click Open.
26. Click Next twice, click Finish, and then click OK.
5. In the MMC that has the Certificates - Current User Snap-In, expand the Personal\Certificates node and verify that the Encrypting File System certificate is present.
6. Double-click the Encrypting File System certificate. On the Details tab, make a note of the certificate serial number.
7. Close the properties dialog box.
8. Right-click the certificate and click Delete. Review the warning about being unable to decrypt data, and then click Yes.
9. In the Certification Authority Console, select the Issued Certificates node, and then double-click the Advanced EFS certificate that was issued. On the Details tab, verify that the serial number matches the serial number you made a note of in Step 6, and then close the Certificate window.
Note Looking through the list of issued certificates is the easiest way to determine the serial number of the certificate you wish to recover.
10. Open an elevated command prompt, and change to the c:\certs directory.
11. Issue the following command, where <SearchToken> is the certificate serial number that you made a note of in step 6.
CertUtil -GetKey <SearchToken> EFSKEY.cer
Note Do not put any spaces in the serial number when recovering the private key.
12. In the MMC that has the Certificates - Current User Snap-In, right-click the Personal\Certificates node, click All Tasks, and then click Import.
13. On the Certificate Import Wizard welcome page, click Next.
14. Click Browse and navigate to c:\certs\EFSKEY.cer, click Next twice, and click Finish. Click OK.
Results: In this exercise, you configured a Key Recovery Agent, configured a certificate template so that private keys are archived, and performed a private key recovery.
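The following PowerShell script is an added example, not part of the lab or of the course material. Key archival means the CA database keeps an encrypted copy of every private key issued from an archival-enabled template, and whoever holds a Key Recovery Agent private key can recover all of them, so an administrator normally wants a list of which templates force archival and confirmation that the CA has KRA certificates loaded. The script reads the template flags from Active Directory (bit 0x1 of msPKI-Private-Key-Flag is the "archive subject's encryption private key" setting) and, on the CA itself, reads the KRACertCount and KRAFlags registry values with certutil. It assumes it is run on a domain member for the first part and on the CA for the second.

```powershell
# Added example (not from the lab): audit key-archival templates and the CA's
# KRA configuration.

# CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL is bit 0x1 of msPKI-Private-Key-Flag.
$RequirePrivateKeyArchival = 0x1

function Get-KeyArchivalTemplate {
    # Templates live in the forest Configuration partition.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNC  = [string]$rootDse.Properties['configurationNamingContext'].Value
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    foreach ($t in $container.Children) {
        # A missing attribute casts to 0, i.e. "no archival".
        $flags = [int]$t.Properties['msPKI-Private-Key-Flag'].Value
        if ($flags -band $RequirePrivateKeyArchival) {
            [pscustomobject]@{
                Template        = [string]$t.Properties['cn'].Value
                DisplayName     = [string]$t.Properties['displayName'].Value
                PrivateKeyFlags = ('0x{0:X8}' -f $flags)
            }
        }
    }
}

function Get-LocalCaKraStatus {
    # Run on the CA. KRACertCount is the number of KRA certificates the CA
    # encrypts archived keys to; 0 means enrollment from archival-required
    # templates will fail (the lab's "certutil pulse" note addresses that case).
    # KRAFlags holds the KRA behaviour switches, e.g. KRAF_ENABLEFOREIGN.
    & certutil.exe -getreg CA\KRACertCount
    & certutil.exe -getreg CA\KRAFlags
}

Get-KeyArchivalTemplate | Format-Table -AutoSize
Get-LocalCaKraStatus
```

In the lab only the Advanced EFS template should appear in the first list; any other template showing up there is worth a second look, because its keys are recoverable by every KRA the CA trusts.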
8. Set the Template display name to Advanced OCSP Response Signing and check the Publish certificate in Active Directory option.
9. On the Security tab, click Add, click Object Types, select Computers, click OK, enter the name NYC-SVR1, and then click Check Names. Click OK.
10. Set the permissions for NYC-SVR1 to Read, Enroll, and Autoenroll.
11. Click OK to close the Properties dialog box.
12. Close the Certificate Templates Console.
10. Click File, and then click Add/Remove Snap-in. Click Certificates, and then click Add. Click Computer account, and then click Next. Verify that Local computer is selected, and then click Finish. Click OK.
11. Right-click the Personal\Certificates node, click All Tasks, and then click Request New Certificate.
12. On the Certificate Enrollment page, click Next twice. On the Request Certificates page, select Advanced OCSP Response Signing, and then click Enroll. Click Finish.
13. Expand Certificates (Local Computer), expand Personal, and then click Certificates. Right-click the new certificate, click All Tasks, and then click Manage Private Keys.
14. On the Security tab, click Add. Enter Network Service and click Check Names. Click OK.
15. Verify that the Network Service account has Full control permission, and then click OK.
5. On the Choose CA Certificate page, select Browse CA certificates published in Active Directory, and then click Browse.
6. Click Contoso-NYC-SVR1-CA, and then click OK.
7. Click Next.
8. On the Select Signing Certificate page, ensure that Automatically select a signing certificate and Auto-Enroll for an OCSP signing certificate are selected, and then click Next.
9. On the Revocation Provider page, click Finish. Verify that the Revocation Configuration Status is set to Working.
10. Right-click the Revoked Certificates node, click All Tasks, and then click Publish.
11. On the Publish CRL dialog box, select New CRL, and then click OK.
12. In the MMC that has the Certificates - Current User Snap-In, expand the Personal\Certificates node, and right-click the certificate that is present for the purpose of Microsoft Trust List Signing, Encrypting File System, Secure E-mail, Client Authentication.
13. Click All Tasks, and then click Export.
14. On the Welcome to the Certificate Export Wizard, click Next.
15. Select No, do not export the private key, and then click Next.
16. Select DER Encoded Binary X.509 (.CER), and then click Next.
17. In the File name text box, enter c:\certs\admin.cer, click Next, click Finish, and then click OK.
18. Open an elevated command prompt and run the following command.
Certutil -url c:\certs\admin.cer
19. On the URL Retrieval Tool, ensure that OCSP (from AIA) is selected, and then click Retrieve.
20. Click Exit to close the URL Retrieval Tool.
Note As all these actions are occurring quickly, the OCSP responder, while present, may not have picked up the revoked status of the certificate.
Results: In this exercise, you configured an online responder array that can respond to CRL checks for certificates issued by the enterprise subordinate CA.
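The following PowerShell function is an added example and is not part of the lab or of the course material. It performs the same revocation check the URL Retrieval Tool does, but from a script: an X509Chain built with RevocationMode Online goes through CryptoAPI, which tries the OCSP responder named in the certificate's AIA extension before falling back to the CRL, so it exercises the online responder configured in this exercise. It also shows the two outcomes a script must keep apart: "revoked" and "could not determine" (responder unreachable or response stale). The -FlushCache switch clears the client's cached OCSP responses and CRLs, which is the usual cause of the situation described in the note above. The path c:\certs\admin.cer is the file the lab exports in step 17.

```powershell
# Added example (not from the lab): programmatic revocation check of a .cer file.
function Get-RevocationStatus {
    param(
        [string]$CertPath,
        [switch]$FlushCache
    )

    if ($FlushCache) {
        # CryptoAPI caches OCSP responses and CRLs; a certificate revoked a moment
        # ago can still be reported as valid until the cache expires or is cleared.
        & certutil.exe -urlcache * delete | Out-Null
    }

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $ok       = $chain.Build($cert)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Subject  = $cert.Subject
        Serial   = $cert.SerialNumber
        ChainOk  = $ok
        Revoked  = ($statuses -contains 'Revoked')
        # RevocationStatusUnknown / OfflineRevocation mean no answer was obtained.
        # Treat that as a failed check, never as "not revoked".
        Unknown  = (($statuses -contains 'RevocationStatusUnknown') -or ($statuses -contains 'OfflineRevocation'))
        Status   = ($statuses -join ', ')
        Chain    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

Get-RevocationStatus -CertPath 'c:\certs\admin.cer' -FlushCache | Format-List
```

Running the function before and after step 11 (publishing a new CRL) with -FlushCache makes the change in Revoked visible; running it without -FlushCache shows the caching effect the note describes.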
Module 7
Lab Answer Key: Planning and Provisioning Application Servers
Contents:
Exercise 1: Planning Application Deployment
Exercise 2: Configuring Remote Desktop Policies
Exercise 3: Installing and Configuring a Remote Desktop Gateway
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the Application Server Deployment Plan document.
Application Server Deployment Plan
Document Reference Number: CW0729/1
Document Author: Charlotte Weiss
Date: 29th July
Requirements Overview
Determine the appropriate application delivery method to use for the Marketing department's new CRM application.
Proposals
1. What type of application configuration should be used for the CRM application?
Answer: Remote Desktop Session Host presentation virtualization should be used for this implementation. Due to the spread-out nature of the users and the specific requirements of the application, this method will provide the best performance and scalability for the application while requiring relatively few new resources.
2. Where should the application host servers be located within the branch network of Contoso, Ltd?
Answer: The application servers should be hosted in New York, where the database server is located. A large amount of network bandwidth will be required between the application servers and the database server.
3. How can the application deployment be implemented to handle the current user load and easily scale to accommodate user growth?
Answer: A server farm should be created in the New York location. The Remote Desktop Connection Broker service should be installed to implement application load balancing for the farm.
4. How should the application deployment integrate with the server component of the CRM application?
Answer: The applications running on the RD Session Host farm group members should be configured to connect to the CRM database server over the network. Adequate network configuration should be implemented between RD Session Host servers and the database server to avoid affecting the application's performance negatively.
5. What potential issues could arise with the current configuration? How could these issues be rectified?
Answer: There is currently only one RD Connection Broker in the deployment. Failure of this server would result in the temporary unavailability of the RD Session Host servers. This could be rectified by configuring the RD Connection Broker server as a member of a failover cluster.
Task 3: Compare your solution with the one provided in the Lab Answer Key.
Compare your solution with the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Task 2: Create a Group Policy Object called AppServerPolicy and link it to the CRMAppServers OU.
1. On NYC-DC1, in the Group Policy Management window, click Group Policy Objects, right-click Group Policy Objects, and then click New.
2. In the New GPO window, type CRMAppPolicy, and then click OK.
3. In the Group Policy Management window, expand Marketing, click Group Policy Objects, and then drag the CRMAppPolicy GPO to the CRMAppServers OU.
4. In the Group Policy Management window, click OK.
4. In the Set time limit for disconnected sessions window, select Enabled, click the drop-down box to select 5 minutes for End a disconnected session, and then click OK.
5. Close the Group Policy Management Editor window.
6. Close the Group Policy Management window.
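The following PowerShell script is an added example; it is not part of the lab or of the course material. It does the same GPO work as the two tasks above with the GroupPolicy module that ships with the Group Policy Management Console: create the GPO, link it to the OU, and enable "Set time limit for disconnected sessions" at 5 minutes. That policy writes the MaxDisconnectionTime value (in milliseconds) under the Terminal Services policy key, so the setting can also be read back without opening the editor. The OU distinguished name is an assumption based on the lab's Marketing and CRMAppServers names.

```powershell
# Added example (not from the lab): create, link and populate the CRMAppPolicy GPO.
Import-Module GroupPolicy

$GpoName  = 'CRMAppPolicy'
$TargetOu = 'OU=CRMAppServers,OU=Marketing,DC=contoso,DC=com'   # assumed OU location
$TsKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-DisconnectedSessionLimitGpo {
    param([string]$Name, [string]$Ou, [int]$Minutes)

    # Create the GPO only if it does not already exist, so the script is safe to re-run.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Session limits for CRM RD Session Hosts' }

    # Link it to the OU unless a link is already present (New-GPLink errors on duplicates).
    $links = (Get-GPInheritance -Target $Ou).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $Name })) {
        New-GPLink -Name $Name -Target $Ou -LinkEnabled Yes | Out-Null
    }

    # "Set time limit for disconnected sessions" = Enabled; the value is milliseconds.
    Set-GPRegistryValue -Name $Name -Key $TsKey -ValueName 'MaxDisconnectionTime' `
        -Type DWord -Value ($Minutes * 60 * 1000) | Out-Null

    # Return what the GPO now holds under that key, for verification.
    Get-GPRegistryValue -Name $Name -Key $TsKey
}

Set-DisconnectedSessionLimitGpo -Name $GpoName -Ou $TargetOu -Minutes 5
```

The returned entry should show MaxDisconnectionTime = 300000; on the session hosts the setting appears after the next Group Policy refresh.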
10. In the System Properties window, click OK.
11. Close the Server Manager window.
10. Change the Subnet Mask field to 255.255.0.0.
11. Change the Default gateway field to 10.10.0.10.
12. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click OK.
13. In the Local Area Connection 2 Properties window, click Close.
14. Close the Network Connections window.
10. On the Create Authorization Policies for RD Gateway page, verify that Now is selected, and then click Next.
11. On the Select User Groups That Can Connect Through RD Gateway page, click Add.
12. In the Select Groups dialog box, type IT; Production, and then click OK to close the Select Groups dialog box. Click Next.
13. On the Create an RD CAP for RD Gateway page, enter the name TS_CAP_01 for the Remote Desktop Connection Authorization Policy (RD CAP), verify that Password is selected, and then click Next.
14. On the Create an RD RAP for RD Gateway page, enter the name TS_RAP_01 for the Remote Desktop Resource Authorization Policy (RD RAP), and then select Allow users to connect to any computer on the network. Click Next.
15. On the Network Policy and Access Services page, review the summary information, and then click Next.
16. On the Select Role Services page, verify that Network Policy Server is selected, and then click Next.
17. On the Web Server (IIS) page, review the summary information, and then click Next.
18. On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next.
19. On the Confirm Installation Selections page, click Install.
20. On the Installation Results page, click Close.
3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
6. In the Add or Remove snap-ins dialog box, click OK.
7. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Personal, and then click Certificates.
8. Right-click the certificate NYC-SVR2.contoso.com that was issued by NYC-SVR2.Contoso.com, point to All Tasks, and then click Export.
9. On the Welcome to the Certificate Export Wizard page, click Next.
10. On the Export Private Key page, verify that No, do not export the private key is selected, and then click Next.
11. On the Export File Format page, ensure that DER encoded binary X.509 (.CER) is selected, and then click Next.
12. On the File to Export page, in the File name box, type C:\CertExport.cer, and then click Next.
13. On the Completing the Certificate Export Wizard page, click Finish.
14. After the certificate export completes successfully, a message appears confirming that it was successful. Click OK.
15. Close the Console snap-in without saving any changes.
4. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
5. In the Certificates snap-in dialog box, click Computer account, and then click Next.
6. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
7. In the Add or Remove snap-ins dialog box, click OK.
8. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
9. Right-click the Certificates folder, point to All Tasks, and then click Import.
10. On the Welcome to the Certificate Import Wizard page, click Next.
11. On the File to Import page, in the File name box, type \\NYC-SVR2\c$\certexport.cer, and then click Next.
12. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.
13. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
14. Close the Console1 snap-in without saving changes.
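The following two PowerShell functions are an added example and are not part of the lab or of the course material. They script the export on NYC-SVR2 and the import on the client, with two checks the wizard leaves to the operator: the export is forced to the certificate-only DER format so the gateway's private key can never end up in the file, and the import refuses the file unless its thumbprint matches a value the client administrator obtained separately (the first function returns it). Placing a self-signed server certificate in Trusted Root makes that key trusted for every purpose on the client, so confirming it is the right certificate before importing matters. Subject name, file path and store locations follow the lab; the thumbprint exchange is assumed to happen out of band.

```powershell
# Added example (not from the lab): certificate-only export and verified import.

function Export-PublicCertificate {
    param([string]$SubjectName, [string]$OutFile)

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate for $SubjectName in LocalMachine\My" }

    # X509ContentType::Cert writes only the DER-encoded certificate; the private
    # key cannot be included in this format, whatever the key's export flags say.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)

    # Give this value to the client administrator through a second channel.
    return $cert.Thumbprint
}

function Import-TrustedRootCertificate {
    param([string]$CerFile, [string]$ExpectedThumbprint)

    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()

    # Defensive checks before anything is written to the machine root store.
    if ($cert.HasPrivateKey) { throw 'Refusing import: the file carries a private key' }
    if ($cert.Thumbprint -ne $expected) {
        throw "Refusing import: thumbprint $($cert.Thumbprint) does not match expected $expected"
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try   { $store.Add($cert) }
    finally { $store.Close() }

    return $cert.Thumbprint
}

# On NYC-SVR2 (run as administrator):
#   $tp = Export-PublicCertificate -SubjectName 'NYC-SVR2.contoso.com' -OutFile 'C:\CertExport.cer'
# On the client, with $tp obtained out of band (constructed placeholder below):
#   Import-TrustedRootCertificate -CerFile '\\NYC-SVR2\c$\certexport.cer' -ExpectedThumbprint '<thumbprint from server>'
```

After the import, Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp } confirms the entry the Remote Desktop Connection client will use to validate the gateway.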
On the General tab, in the Computer box, type NYC-SVR1, and then click Connect. In the Windows Security dialog box, type Contoso\Andrea as the user name, type Pa$$w0rd as the password, and then click OK. Verify that you can connect to NYC-SVR1 through the Remote Desktop Gateway. Log off NYC-SVR1.
Module 8
Lab Answer Key: Planning File and Print Services
Contents:
Exercise 1: Planning File Services
Exercise 2: Implementing File Services in the Branch Office
Exercise 3: Implementing Print Services in the Branch Office
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the Branch Offices File and Print Service Deployment Plan document.
Branch Offices File and Print Service Deployment Plan
Document Reference Number: CW0111/1
Document Author: Charlotte Weiss
Date: 1st November
Requirements Overview
Implement file and print services in the branch offices. Migrate data from legacy systems running UNIX and Windows 2000 Server. Support the data storage needs of the three departments at the branch offices, including:
  Home folders for each user.
  Departmental shared folders.
  Folders to store departmental Start Menu and Desktop settings.
  Automatic consolidation of marketing team data to a central location each evening.
Deploy print services to support the branch users.
Proposals
1. Which file services role service will you deploy to support the needs of the branch office users?
Answer: Distributed File System can be deployed to support a number of data consolidation or distribution configurations; it could be used to help consolidate the marketing data. Services for Network File System will support the needs of the users of the UNIX application in the production team. File Server Resource Manager will enable you to manage storage more effectively at the branch, including managing quotas, implementing file screens to prevent storage of media files, and producing reports for department heads for charging purposes.
2. Which folder structure do you envisage to support the needs of the branch offices?
Answer: Answers will vary, but may include a folder structure as shown below.
3. Which folder permissions do you envisage configuring on these folders?
Answer: Answers may vary, depending upon the folder structure planned. However, the general principles are:
  Grant Modify NTFS permissions for a departmental security group on each departmental data folder.
  Grant Full Control NTFS permissions for each user on their own home folder.
4. Which shared folders will be required for the branch offices?
Answer: Answers may vary, depending upon the folder structure planned. However, a suggested solution is:
  Share each departmental folder as a separate share. For example, create a shared folder called Marketing for the marketing data folder.
  Create a single shared folder for all users. For example, share User Data. Users can map a network drive through the user account properties to a subfolder on this parent shared folder.
5. Which permissions will you configure on these folders?
Answer: The default permissions (Everyone Allow Read) are inappropriate. Remove this entry and then grant Authenticated Users Full Control. This results in the NTFS file system permissions determining the effective permissions through the share.
6. What must you consider when planning to migrate files from the Windows 2000 Server?
Answer: A legacy server cannot be migrated by using the migration wizard and you must use FSMT to migrate the data.
7. How will you meet the needs of department heads to determine storage usage?
Answer: Implement quotas and use reports to determine usage.
8. How will you restrict file types that can be stored on the new server?
Answer: Implement a file screen that prevents the storage of media file types.
Task 3: Compare your solution to the one provided in the Lab Answer Key.
Compare your solution to the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: At the end of this exercise, you will have planned the file and print services deployment for the branch offices.
10. On the Set Report Options page, click Next.
11. On the Confirm Installation Selections page, click Install.
12. On the Installation Results page, click Close.
3. In Advanced sharing settings, in the Change sharing options for different network profiles list, click Turn on network discovery.
4. Click Turn on file and printer sharing, and then click Save changes.
5. Close Network and Sharing Center.
10. In the Marketing Properties dialog box, click Edit, and in the Permissions for Marketing dialog box, in the Group or user names list, click Users (NYC-SVR2\Users), and then click Remove.
11. Click Add, and in the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type marketing, and then click Check Names.
12. Click OK, and in the Permissions for Marketing list, select the Allow Modify check box, and then click OK.
13. In the Marketing Properties dialog box, click Close.
9. In the Advanced Security Settings for Production dialog box, click OK.
10. In the Production Properties dialog box, click Edit, and in the Permissions for Production dialog box, in the Group or user names list, click Users (NYC-SVR2\Users), and then click Remove.
11. Click Add, and in the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type production, and then click Check Names.
12. Click OK, and in the Permissions for Production list, select the Allow Modify check box, and then click OK.
13. In the Production Properties dialog box, click Close.
10. In the Research Properties dialog box, click Edit, and in the Permissions for Research dialog box, in the Group or user names list, click Users (NYC-SVR2\Users), and then click Remove.
11. Click Add, and in the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type research, and then click Check Names.
12. Click OK, and in the Permissions for Research list, select the Allow Modify check box, and then click OK.
13. In the Research Properties dialog box, click Close.
7. Click Permissions, and in the Permissions for Users dialog box, select the Allow Full Control check box, and then click OK.
8. In the Advanced Sharing dialog box, click OK, and in the User Data Properties dialog box, click the Security tab.
9. Click Advanced, and in the Advanced Security Settings for User Data dialog box, click Change Permissions.
10. Clear the Include inheritable permissions from this object's parent check box, and in the Windows Security dialog box, click Add, and then click OK.
11. In the Advanced Security Settings for User Data dialog box, click OK.
12. In the User Data Properties dialog box, click Close.
10. In the To: box, type \\NYC-SVR2\Users\%username%, and then click OK.
11. In the navigation pane, click Production.
12. In the Results pane, click Anders Madsen, press Shift, and then click Tengiz Kharatishvili. All the users and groups in the organizational unit are highlighted.
13. Press Ctrl, and then click Production. This deselects the production group.
14. Click the Action menu, and then click Properties.
15. In the Properties for Multiple Items dialog box, click the Profile tab.
16. Select the Home folder check box.
17. Click Connect, and in the list, click H:.
18. In the To: box, type \\NYC-SVR2\Users\%username%, and then click OK.
19. In the navigation pane, click Research.
20. In the Results pane, click Alan Brewer, press Shift, and then click Stephan Adolphi. All the users and groups in the organizational unit are highlighted.
21. Press Ctrl, and then click Research. This deselects the research group.
22. Click the Action menu, and then click Properties.
23. In the Properties for Multiple Items dialog box, click the Profile tab.
24. Select the Home folder check box.
25. Click Connect, and in the list, click H:.
26. In the To: box, type \\NYC-SVR2\Users\%username%, and then click OK.
27. Switch to NYC-SVR2.
28. In Windows Explorer, in the results pane, double-click User Data. The new folders are automatically created when you define the UNC name of the users' home folders.
29. Close all open windows.
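The following PowerShell script is an added example and is not part of the lab or of the course material. It applies the permission model from the planning document and the steps above in one place: for a departmental folder it breaks NTFS inheritance, removes the inherited BUILTIN\Users entry, grants the departmental group Modify, and shares the folder with Authenticated Users Full Control so that the NTFS ACL alone decides effective access; for home folders it creates each user's subfolder with Full Control for that user only and sets the H: home drive on the account. Folder paths, group names and the OU distinguished name are assumptions modelled on the lab's names; the User Data folder is assumed to be shared as Users already, as in the lab. It uses net share rather than New-SmbShare because the latter is not available on Windows Server 2008 R2.

```powershell
# Added example (not from the lab): departmental shares and per-user home folders.

function New-DepartmentShare {
    param([string]$Path, [string]$GroupName, [string]$ShareName)

    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # Stop inheriting from the parent but keep copies of the inherited entries,
    # then remove the BUILTIN\Users entry that would let every domain user in.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    $acl = Get-Acl -Path $Path
    foreach ($ace in @($acl.Access)) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users') { $acl.RemoveAccessRule($ace) | Out-Null }
    }

    # Departmental group: Modify on the folder, subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($GroupName, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Share permission: Authenticated Users / Full Control instead of Everyone / Read.
    # With /GRANT present, net share does not add the default Everyone entry.
    & net.exe share "$ShareName=$Path" '/GRANT:Authenticated Users,FULL' | Out-Null
}

function Set-DepartmentHomeFolders {
    param([string]$OuDistinguishedName, [string]$LocalRoot, [string]$UncRoot)

    Import-Module ActiveDirectory
    foreach ($u in Get-ADUser -Filter * -SearchBase $OuDistinguishedName -SearchScope OneLevel) {
        $local = Join-Path $LocalRoot $u.SamAccountName
        if (-not (Test-Path $local)) { New-Item -ItemType Directory -Path $local | Out-Null }

        # The owner gets Full Control on their own folder; nothing is granted to other users.
        $acl  = Get-Acl -Path $local
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($u.SID, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $local -AclObject $acl

        # Same effect as the Profile tab (Connect H: to \\server\share\<user>); the
        # user name is expanded here instead of being stored as %username%.
        Set-ADUser -Identity $u -HomeDrive 'H:' -HomeDirectory "$UncRoot\$($u.SamAccountName)"
    }
}

# Constructed usage mirroring the lab layout (paths and OU are assumptions).
New-DepartmentShare -Path 'C:\Data\Marketing'  -GroupName 'CONTOSO\Marketing'  -ShareName 'Marketing'
New-DepartmentShare -Path 'C:\Data\Production' -GroupName 'CONTOSO\Production' -ShareName 'Production'
New-DepartmentShare -Path 'C:\Data\Research'   -GroupName 'CONTOSO\Research'   -ShareName 'Research'
Set-DepartmentHomeFolders -OuDistinguishedName 'OU=Production,DC=contoso,DC=com' -LocalRoot 'C:\Data\User Data' -UncRoot '\\NYC-SVR2\Users'
```

After running it, icacls C:\Data\Marketing should show only the departmental group, SYSTEM and Administrators, and net share Marketing should list Authenticated Users with FULL; any remaining BUILTIN\Users or Everyone entry means the inherited ACE or the default share permission was not removed.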
10. Select the Record file screening activity in the auditing database check box, and then click OK.
11. Close File Server Resource Manager.
Results: At the end of this exercise, you will have implemented elements of the branch office file services.
5. In the results pane, double-click Pre-populate printer search location text.
6. In the Pre-populate printer search location text dialog box, click Enabled, and then click OK.
7. Close Group Policy Management Editor.
8. Close Group Policy Management.
10. On the You've successfully added Research Color Laser page, click Finish.
Gpupdate /force
4. Log off from NYC-CL2, and then log on by using the following credentials: User name: Dylan
5. Click Start, and then click Devices and Printers.
6. In Devices and Printers, click Add a printer.
7. On the What type of printer do you want to install page, click Add a network, wireless or Bluetooth printer. The Research Color Laser is listed.
8. Close all open windows.
Results: At the end of this exercise, you will have configured the branch office printing environment.
Module 9
Lab Answer Key: Planning Network Access
Contents:
Exercise 1: Planning Network Access
Exercise 2: Implementing Network Access
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the Branch Office Network Access Plan document.
Branch Office Network Access Plan
Document Reference Number: CW0611/1
Document Author: Charlotte Weiss
Date: 6th November
Requirements Overview
Plan a remote network access solution for Research department users based in branch offices.
Proposals
1. What remote access solutions would you consider to support the branch office users?
Answer: A VPN solution would address the requirement of allowing users to connect to all their usual servers and resources. DirectAccess is not applicable because there is no IPv6 infrastructure available in the branches or the head office at present.
2. What network access technologies are suggested by the fact that some users access the Contoso network resources from public access points and from their own computers at home?
Answer: Users' home computers are unmanaged devices. Connecting laptops through public access points poses a security risk if the laptops do not have appropriate security measures in place, such as a host-based firewall, anti-malware software, and recent security patches and updates. Consequently, implementing NAP would help mitigate these risks.
3. Dylan is concerned about the security of data in transit. What could you do to alleviate his legitimate concerns?
Answer: Implement strong encryption and a rigorous authentication protocol for the VPN. For example, implement MS-CHAP v2 or EAP with strongest encryption.
4. How would you propose to allocate IP configurations to remote access clients?
Answer: The Routing and Remote Access role service supports either a static pool for IP address configuration or a DHCP server configuration. To be conformant with the Contoso policy, DHCP should be selected.
5. What is your remote network access solution? Provide details including server roles required to support the configuration.
Answer: Answers might vary slightly, but the solution should include:
  Deploying the Network Policy and Access Services role on NYC-EDGE1 to support Routing and Remote Access and Network Access Protection.
  Configuring NYC-EDGE1 as a VPN Server.
  Configuring VPN settings for strongest encryption and authentication.
  Configuring NAP with VPN Enforcement.
  Configuring IPv4 filters for non-compliant computers to restrict communications to a remediation server.
  Using Group Policy to deploy required certificates for L2TP VPN tunneling.
  Using Group Policy to deploy required NAP client settings.
Task 3: Compare your solution with the one provided in the Lab Answer Key.
Compare your solution with the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: In this exercise, you completed the Branch Office Network Access Plan document.
   f. The Certificate Enrollment dialog box opens. Click Next.
   g. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
   h. Select the Computer check box, and then click Enroll.
   i. Verify the status of certificate installation as Succeeded, and then click Finish.
   j. Close the Console1 window.
   k. Click No when prompted to save console settings.
3. Install the NPS Server role:
   a. On NYC-EDGE1, click Start, click Administrative Tools, and then click Server Manager.
   b. Click Roles, and then under Roles Summary, click Add Roles, and then click Next.
   c. Select the Network Policy and Access Services check box, and then click Next twice.
   d. Select the Network Policy Server and Remote Access Service check boxes, click Next, and then click Install.
   e. Verify the installation was successful, and then click Close.
   f. Close the Server Manager window.
4. Configure NPS as a NAP health policy server:
   a. Click Start, point to Administrative Tools, and then click Network Policy Server.
   b. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
   c. In the right pane under Name, double-click Default Configuration.
   d. On the Windows 7/Windows Vista selection, clear all check boxes except A firewall is enabled for all network connections.
   Note In reality, you would leave the default selections. However, to make testing the policy feasible, you are limiting the requirements.
   e. Click OK to close the Windows Security Health Validator dialog box.
5. Configure health policies:
   a. Expand Policies.
   b. Right-click Health Policies, and then click New.
   c. In the Create New Health Policy dialog box, under Policy name, type Compliant.
   d. Under Client SHV checks, verify that Client passes all SHV checks is selected.
   e. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
   f. Click OK.
   g. Right-click Health Policies, and then click New.
   h. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
   i. Under Client SHV checks, select Client fails one or more SHV checks.
   j. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
   k. Click OK.
6. Configure network policies for compliant computers:
   a. Ensure Policies is expanded.
   b. Click Network Policies.
   c. Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable.
   d. Right-click Network Policies, and then click New.
   e. In the Specify Network Policy Name and Connection Type window, under Policy name, type Compliant-Full-Access, and then click Next.
   f. In the Specify Conditions window, click Add.
   g. In the Select condition dialog box, double-click Health Policies.
   h. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
   i. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant, and then click Next.
   j. In the Specify Access Permission window, verify that Access granted is selected.
   k. Click Next three times.
   l. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.
   m. In the Completing New Network Policy window, click Finish.
7. Configure network policies for noncompliant computers:
   a. Right-click Network Policies, and then click New.
   b. In the Specify Network Policy Name and Connection Type window, under Policy name, type Noncompliant-Restricted, and then click Next.
   c. In the Specify Conditions window, click Add.
   d. In the Select condition dialog box, double-click Health Policies.
   e. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
   f. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant, and then click Next.
   g. In the Specify Access Permission window, verify that Access granted is selected.
Note A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients matching these conditions.
   h. Click Next three times.
   i. In the Configure Settings window, click NAP Enforcement. Select Allow limited access, and clear the Enable auto-remediation of client computers check box.
   j. In the Configure Settings window, click IP Filters.
   k. Under IPv4, click Input Filters, and then click New.
   l. In the Add IP Filter dialog box, select Destination network. Type 10.10.0.10 next to IP address, and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from noncompliant clients can reach only NYC-DC1.
   m. Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed below in the Inbound Filters dialog box.
   n. Click OK to close the Inbound Filters dialog box.
   o. Under IPv4, click Output Filters, and then click New.
   p. In the Add IP Filter dialog box, select Source network. Type 10.10.0.10 next to IP address, and then type 255.255.255.255 next to Subnet mask.
   q. Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed below in the Outbound Filters dialog box. This step ensures that only traffic from NYC-DC1 can be sent to noncompliant clients.
   r. Click OK to close the Outbound Filters dialog box.
   s. In the Configure Settings window, click Next.
   t. In the Completing New Network Policy window, click Finish.
8. Configure connection request policies:
   a. Click Connection Request Policies.
   b. Disable the default Connection Request policy found under Policy Name by right-clicking the policy, and then clicking Disable.
   c. Right-click Connection Request Policies, and then click New.
   d. In the Specify Connection Request Policy Name and Connection Type window, under Policy name, type Branch VPN connections.
   e. Under Type of network access server, select Remote Access Server (VPN-Dial up), and then click Next.
   f. In the Specify Conditions window, click Add.
   g. In the Select condition window, double-click Tunnel Type, select PPTP, SSTP, and L2TP, click OK, and then click Next.
   h. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected, and then click Next.
   i. In the Specify Authentication Methods window, select Override network policy authentication settings. Under EAP Types, click Add.
   j. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP), and then click OK.
   k. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
   l. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.
   m. Verify that Enforce Network Access Protection is selected, and then click OK.
   n. Click Next twice, and then click Finish.
Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) configured as a VPN server.
1. On NYC-EDGE1, click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. In the Routing and Remote Access console, right-click NYC-EDGE1 (local), and then click Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard.
3. Click Next, select Remote access (dial-up or VPN), and then click Next.
4. Select the VPN check box, and then click Next.
5. Click the network interface called Public. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next. This ensures that NYC-EDGE1 will be able to ping NYC-DC1 when attached to the Internet subnet without requiring that you configure additional packet filters for Internet Control Message Protocol (ICMP) traffic.
6. On the IP Address Assignment page, click Next.
7. On the Managing Multiple Remote Access Servers page, ensure that No, use Routing and Remote Access to authenticate connection requests is already selected, and then click Next.
8. Click Finish.
9. Click OK twice, and wait for the Routing and Remote Access Service to start.
10. Switch to the Network Policy Server console. Click the Connection Request Policies node, and then press F5 to refresh the display. Disable the Microsoft Routing and Remote Access Service Policy. This policy was created automatically when Routing and Remote Access was enabled; if it remains enabled it can match VPN requests before the Branch VPN connections policy does.
11. Close the Network Policy Server management console.
12. Close Routing and Remote Access.
1. Click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.
2. Click Inbound Rules, right-click Inbound Rules, and then click New Rule.
3. Select Custom, and then click Next.
4. Select All programs, and then click Next.
5. Next to Protocol type, select ICMPv4, and then click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.
7. Click Next to accept the default scope.
8. In the Action window, verify that Allow the connection is selected, and then click Next.
9. Click Next to accept the default profile.
10. In the Name window, under Name, type ICMPv4 echo request, and then click Finish.
11. Close the Windows Firewall with Advanced Security console.
3. Enable the remote-access quarantine enforcement client:
a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type napclcfg.msc, and then press Enter.
c. In the console tree, click Enforcement Clients.
d. In the details pane, right-click EAP Quarantine Enforcement Client, and then click Enable.
e. Close the NAP Client Configuration window.
4. Enable and start the NAP agent service:
a. Click Start, click Control Panel, click System and Security, and then click Administrative Tools.
b. Double-click Services.
c. In the Services list, double-click Network Access Protection Agent.
d. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic, and then click Start.
e. Wait for the NAP Agent service to start, and then click OK.
f. Close the Services console, and then close the Administrative Tools and System and Security windows.
5. Verify network connectivity for NYC-CL1:
a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type cmd, and then press Enter.
c. At the command prompt, type ping 131.107.0.2, and then press Enter.
d. Verify that the response reads Reply from 131.107.0.2.
e. Close the command window.
m. In the list that currently shows Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled), click Microsoft: Protected EAP (PEAP) (encryption enabled), and then click Properties.
n. Ensure that the Validate server certificate check box is already selected. Clear the Connect to these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast Reconnect check box, and then select the Enforce Network Access Protection check box.
o. Click OK twice to accept these settings.
2. Test the VPN connection:
a. In the Network Connections window, right-click the Contoso VPN connection, and then click Connect.
b. In the Connect Contoso VPN window, click Connect.
c. The first time this VPN connection is used, a Windows Security Alert window appears. Click Details, and verify that Certificate Information states that the certificate was issued to NYC-EDGE1.Contoso.com by ContosoCA. Only then click Connect.
Note: If you do not connect and receive error code 618, switch to NYC-EDGE1 and open Network Policy Server. Disable any Connection Request policies found under Policy Name except for the Branch VPN connections policy.
d. Wait for the VPN connection to be made. Because NYC-CL1 is compliant, it should have unlimited access to the intranet subnet.
e. Click Start, click All Programs, click Accessories, and then click Command Prompt.
f. Type ipconfig /all, and then press Enter. View the IP configuration. System Quarantine State should be Not Restricted.
g. In the command window, type ping 10.10.0.10, and then press Enter. This should be successful. The client now meets the requirement for full VPN connectivity.
h. Close the command prompt. Disconnect from the Contoso VPN.
3. Configure Windows Security Health Validator to require an antivirus application:
a. On NYC-EDGE1, open Network Policy Server.
b. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
c. In the right pane, under Name, double-click Default Configuration.
d. On the Windows 7/Windows Vista selection, select the An antivirus application is on check box, and then click OK.
4. Verify that the client is placed on the restricted network:
a. On NYC-CL1, in the Network Connections window, right-click the Contoso VPN connection, and then click Connect.
b. Click Connect.
c. Wait for the VPN connection to be made.
d. Click Start, click All Programs, click Accessories, and then click Command Prompt.
e. Type ipconfig /all, and then press Enter. View the IP configuration. System Quarantine State should be Restricted. The client does not meet the antivirus requirement, and therefore is placed on the restricted network, where the IP filters configured earlier allow it to reach only NYC-DC1.
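The client-side steps above (enable the EAP Quarantine Enforcement Client, start the NAP agent, then check the quarantine state from ipconfig) can be scripted and verified in one pass. The following is an added example, not code from the lab or from Microsoft; it assumes the lab's names (the "Contoso VPN" connection with saved credentials, NYC-DC1 at 10.10.0.10, the Internet test address 131.107.0.2) and that enforcement client ID 79623 is the EAP Quarantine Enforcement Client that napclcfg.msc lists by name. Run it from an elevated PowerShell prompt on NYC-CL1.

```powershell
# Added example, not part of the lab: scripted equivalent of the NYC-CL1 NAP client steps
# plus the checks the VPN test relies on. Assumptions: ID 79623 is the EAP Quarantine
# Enforcement Client; the VPN connection is named "Contoso VPN" and has saved credentials;
# NYC-DC1 is 10.10.0.10 (the only host the restricted-network IP filters permit).

$EapQecId     = 79623
$VpnName      = 'Contoso VPN'
$IntranetHost = '10.10.0.10'

function Get-EnforcementClientAdminState {
    param([int]$Id)
    # "netsh nap client show configuration" prints one block per enforcement client:
    #   Name  = EAP Quarantine Enforcement Client
    #   ID    = 79623
    #   Admin = Enabled
    # Walk to the block with our ID and return its Admin value ($null if not found).
    $inBlock = $false
    foreach ($line in (netsh nap client show configuration)) {
        if ($line -match "^\s*ID\s*=\s*$Id\s*$") { $inBlock = $true; continue }
        if ($inBlock -and $line -match '^\s*Admin\s*=\s*(\w+)') { return $Matches[1] }
        if ($inBlock -and $line -match '^\s*Name\s*=') { break }   # reached the next client
    }
    return $null
}

function Enable-EapQuarantineClient {
    # Same effect as right-clicking "EAP Quarantine Enforcement Client" and choosing Enable.
    netsh nap client set enforcement ID=$EapQecId ADMIN="ENABLE" | Out-Null
    return (Get-EnforcementClientAdminState -Id $EapQecId) -eq 'Enabled'
}

function Start-NapAgent {
    # Automatic startup so the agent survives reboots; without it the QEC never reports health.
    Set-Service -Name napagent -StartupType Automatic
    if ((Get-Service -Name napagent).Status -ne 'Running') { Start-Service -Name napagent }
    return (Get-Service -Name napagent).Status -eq 'Running'
}

function Get-QuarantineState {
    # ipconfig /all prints "System Quarantine State . . . : Not Restricted" (or Restricted)
    # once the NAP agent is running; $null means the agent is not reporting at all.
    $line = ipconfig /all | Where-Object { $_ -match 'System Quarantine State' }
    if (-not $line) { return $null }
    return (@($line)[0] -split ':')[-1].Trim()
}

function Test-VpnAccess {
    # Connect, record what the client is told about its state, probe NYC-DC1, disconnect.
    # Compliant client: "Not Restricted". After the SHV requires antivirus: "Restricted".
    # NYC-DC1 answers in both cases because the IP filters permit exactly that host, so the
    # quarantine state, not this ping, is the signal that enforcement happened.
    rasdial $VpnName | Out-Null
    $state   = Get-QuarantineState
    $reachDc = Test-Connection -ComputerName $IntranetHost -Count 2 -Quiet
    rasdial $VpnName /disconnect | Out-Null
    New-Object PSObject -Property @{ QuarantineState = $state; ReachesNycDc1 = $reachDc }
}

if (-not (Enable-EapQuarantineClient)) { throw 'EAP Quarantine Enforcement Client is still disabled' }
if (-not (Start-NapAgent))             { throw 'NAP agent did not start' }
Test-Connection -ComputerName 131.107.0.2 -Count 2 -Quiet   # same check as the ping in step 5
Test-VpnAccess | Format-List
```

Run it once before changing the Windows Security Health Validator and once after: the only field that should change is QuarantineState. If it stays Not Restricted after the antivirus requirement is added, the usual causes are the Enforce Network Access Protection box left clear in the PEAP properties of the connection, or the NAP agent not running.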
Results: In this exercise, you enabled and configured a VPN NAP enforcement policy for Contoso.
Module 10
Lab Answer Key: Provisioning Data and Storage
Contents:
Exercise 1: Planning Data Access
Exercise 2: Installing and Configuring DFS
Exercise 3: Enabling and Configuring BranchCache
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the Data Access Plan document.
Data Access Plan
Document Reference Number: CW0112/1
Document Author: Charlotte Weiss
Date: 1st December
Requirements Overview
To plan suitable data access for the branch offices.
Proposals
1. What server role will you implement to support the requirement for automated data collection from the branch offices?
Answer: DFS.
2. What data access scenario would you recommend?
Answer: Data collection. DFS technologies can collect files from a branch office and replicate them to a hub site, allowing the files to be used for several specific purposes. Critical data can be replicated to a hub site by using DFS-R and then backed up at the hub site by using standard backup procedures.
3. What technology would you implement to support the slow link requirement?
Answer: BranchCache.
4. How will you ensure that the client-side settings for this technology apply only to relevant computers?
Answer: Configure a GPO with the required settings, and then link it to a suitable AD DS container, such as an OU.
5. There is a local server installed at each branch office. How would you configure the branch data access technology to support this?
Answer: BranchCache in hosted cache mode; this mode operates by deploying a computer that is running Windows Server 2008 R2 as the hosted cache server in the branch office.
6. To support the database applications, what type of storage would you recommend?
Answer: If the majority of documents that users must access are file-based, NAS solutions provide the most effective and low-cost networked storage solution. On the other hand, if the greatest amount of information to be shared is produced by database applications, SANs have been the most popular solution. A SAN is indicated here.
Task 3: Compare your solution with the one provided in the Lab Answer Key.
Compare your solution with the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: In this exercise, you completed a Data Access Plan for Contoso.
Task 3: Use the New Namespace Wizard to create the ResearchDocs namespace.
1. Switch to NYC-SVR1.
2. Click Start, point to Administrative Tools, and then click DFS Management.
3. In the navigation pane, click Namespaces.
4. Right-click Namespaces, and then click New Namespace. The New Namespace Wizard starts.
5. On the Namespace Server page, under Server, type NYC-SVR1, and then click Next.
6. On the Namespace Name and Settings page, under Name, type ResearchDocs, and then click Next.
7. On the Namespace Type page, ensure that Domain-based namespace is selected. Note that the namespace will be accessed as \\Contoso.com\ResearchDocs.
8. Ensure that the Enable Windows Server 2008 mode check box is selected, and then click Next.
9. On the Review Settings and Create Namespace page, click Create.
10. On the Confirmation page, ensure that the Create namespace task is successful, and then click Close.
11. In the navigation pane, under Namespaces, click \\Contoso.com\ResearchDocs.
12. In the details pane, click the Namespace Servers tab, and ensure that there is one entry that is enabled for \\NYC-SVR1\ResearchDocs.
5. In the Warning dialog box, click OK.
6. On the Review Settings and Create Replication Group page, click Create.
7. On the Confirmation page, click Close.
8. In the Replication Delay dialog box, click OK.
9. In the DFS Management console, expand Replication, and then click contoso.com\ResearchDocs\DataFiles.
10. In the Actions pane, click New Topology.
11. In the New Topology Wizard, on the Topology Selection page, click Full mesh, and then click Next.
12. On the Replication Group Schedule and Bandwidth page, click Next.
13. On the Review Settings and Create Topology page, click Create.
14. On the Confirmation page, click Close, and in the Replication Delay dialog box, click OK.
15. In the details pane, on the Memberships tab, verify that the replicated folder is shown on both NYC-DC1 and NYC-SVR1.
16. On the Memberships tab, right-click NYC-DC1, and then click Make read-only. This setting automatically configures the replicated copy on NYC-DC1 to be read-only.
Results: In this exercise, you configured DFS.
5. In Hyper-V Manager, click 6433A-NYC-CL2, and in the Actions pane, click Settings.
6. In the Settings for 6433A-NYC-CL2 dialog box, in the navigation pane, click Network Adapter.
7. In the results pane, in the Network drop-down list, select Private Network, and then click OK.
10. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration, expand Administrative Templates, expand Network, and then click Lanman Server.
11. In the Setting list of the Lanman Server results pane, right-click Hash Publication for BranchCache, and then click Edit.
12. In the Hash Publication for BranchCache dialog box, click Enabled. In the Hash publication actions list, select Allow hash publication only for shared folders on which BranchCache is enabled, and then click OK.
4. Type Distribution, and then press Enter.
5. Right-click Distribution, and then click Properties.
6. On the Sharing tab of the Distribution Properties dialog box, click Advanced Sharing.
7. Select the Share this folder check box, and then click Caching.
8. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.
9. In the Advanced Sharing dialog box, click OK.
10. In the Distribution Properties dialog box, click Close.
11. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
12. In the command prompt window, type the following command, and then press Enter.
copy C:\Windows\System32\mspaint.exe C:\Distribution
10. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache - Peer Discovery (Uses WSD), and then click Next.
11. On the Predefined Rules page, click Next.
12. On the Action page, click Finish.
2. In the Setting list of the BranchCache results pane, right-click Turn on BranchCache, and then click Edit.
3. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
4. In the Setting list of the BranchCache results pane, right-click Set BranchCache Hosted Cache mode, and then click Edit.
5. In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Enter the location of hosted cache box, type NYC-SVR1.contoso.com, and then click OK.
6. In the Setting list of the BranchCache results pane, right-click Configure BranchCache for network files, and then click Edit.
7. In the Configure BranchCache for network files dialog box, click Enabled. In the Enter the round trip network latency value in milliseconds above which network files must be cached in the branch office box, type 0, and then click OK. This setting is required only to simulate access from a branch office in the lab and is not typically used in production.
8. Close the Group Policy Management Editor console.
9. Close the Group Policy Management console.
10. Start 6433A-NYC-CL1. After the computer starts, log on as Contoso\Administrator with the password Pa$$w0rd.
11. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
12. In the command prompt window, type the following command, and then press Enter.
gpupdate /force
13. In the command prompt window, type the following command, and then press Enter.
netsh branchcache show status all
14. Start 6433A-NYC-CL2. After the computer starts, log on as Contoso\Administrator with the password Pa$$w0rd.
15. Click Start, and in the Search box, type Network and Sharing, and then press Enter.
16. In Network and Sharing Center, click Change adapter settings.
17. Right-click Local Area Connection 3, and then click Properties.
18. In the Local Area Connection 3 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
19. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.
20. Click Obtain DNS server address automatically, and then click OK.
21. In the Local Area Connection 3 Properties dialog box, click OK.
22. Restart the computer. After the computer starts, log on as Contoso\Administrator with the password Pa$$w0rd.
23. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
24. In the command prompt window, type the following command, and then press Enter.
gpupdate /force
25. In the command prompt window, type the following command, and then press Enter.
netsh branchcache show status all
10. On the Select Certificate Enrollment Policy page, click Next.
11. On the Request Certificates page, select the Computer check box, and then click Enroll.
12. On the Certificate Installation Results page, click Finish.
13. In the navigation pane of the Console1 [Console Root] console, under Personal, click Certificates.
14. In the Issued To results pane, right-click NYC-SVR1.Contoso.com, and then click Open.
15. On the Details tab of the Certificate dialog box, in the Field list, click Thumbprint, select the thumbprint value in the details section, press Ctrl+C to copy it to the Clipboard, and then click OK.
16. On the Start menu, click All Programs, click Accessories, and then click Command Prompt.
17. In the command prompt window, type the following command, and then press Enter. You can paste the certificate hash value from the certificate in place of certificatehashvalue, but you must remove the spaces between the byte pairs.
netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}
18. At the command prompt, type the following command, and then press Enter.
netsh branchcache show status all
10. Under Domains, expand Contoso.com, right-click BranchCacheHost, and then click Block Inheritance.
11. On NYC-DC1, close all open windows.
12. Restart NYC-SVR1, and log on as Contoso\Administrator with the password Pa$$w0rd.
13. On NYC-SVR1, open a command prompt, type the following command, and then press Enter.
netsh branchcache set service hostedserver
14. Close the command prompt.
Results: In this exercise, you configured the BranchCache server in the branch office.
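The two commands that make NYC-SVR1 a hosted cache server (the sslcert binding in step 17 and the service mode change in step 13) are the part of this exercise that most often goes wrong, usually because the thumbprint is pasted with spaces or a certificate without a private key is chosen. The following is an added example, not the lab's own code or Microsoft's; it looks the certificate up in the machine store instead of copying the thumbprint by hand. It assumes the names the lab uses (the certificate issued to NYC-SVR1.Contoso.com and the BranchCache application ID from the netsh command above) and is run elevated on NYC-SVR1 after the Computer certificate has been enrolled.

```powershell
# Added example, not the lab's own code: bind the hosted cache server's computer certificate
# to TCP 443 for BranchCache and switch the service to hosted server mode, with checks.
# The appid GUID is the BranchCache application ID from the lab's netsh command; the subject
# name is the one the lab enrolled and the one the "Set BranchCache Hosted Cache mode" GPO names.

$BranchCacheAppId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'
$HostedCacheFqdn  = 'NYC-SVR1.Contoso.com'

function Get-HostedCacheCertificate {
    param([string]$Fqdn)
    # Choose the LocalMachine\My certificate issued to this server that is valid the longest.
    # HTTP.SYS needs the private key, so certificates without one are skipped.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Set-BranchCacheSslBinding {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # .Thumbprint is the SHA-1 hash as contiguous hex, so no space removal is needed.
    $hash = $Cert.Thumbprint
    # Drop any existing binding on :443 first so re-running the script is safe.
    netsh http delete sslcert ipport=0.0.0.0:443 2>$null | Out-Null
    netsh http add sslcert ipport=0.0.0.0:443 certhash=$hash appid=$BranchCacheAppId | Out-Null
    $binding = netsh http show sslcert ipport=0.0.0.0:443
    # netsh prints the hash in lower case; -match is case-insensitive by default.
    return ([bool]($binding -match $hash)) -and ([bool]($binding -match [regex]::Escape($BranchCacheAppId)))
}

function Set-HostedCacheServerMode {
    # Equivalent of "netsh branchcache set service hostedserver" in step 13 above.
    netsh branchcache set service mode=hostedserver | Out-Null
    $status = netsh branchcache show status all
    return [bool]($status -match 'Hosted Cache Server')
}

$cert = Get-HostedCacheCertificate -Fqdn $HostedCacheFqdn
if (-not $cert) { throw "No certificate with a private key for $HostedCacheFqdn in LocalMachine\My" }
if (-not (Set-BranchCacheSslBinding -Cert $cert)) { throw 'SSL binding for BranchCache was not created' }
if (-not (Set-HostedCacheServerMode))             { throw 'BranchCache is not in hosted cache server mode' }
'Bound {0} (expires {1:d}) to 0.0.0.0:443 for BranchCache' -f $cert.Thumbprint, $cert.NotAfter
```

Clients validate this certificate when they contact the hosted cache: it must chain to a CA they trust (ContosoCA here) and its subject must match the name configured in the Set BranchCache Hosted Cache mode policy (NYC-SVR1.contoso.com). A mismatch does not produce an error on the server; clients simply stop using the hosted cache, which is why checking the binding from the server side is worth the extra lines.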
Module 11
Lab Answer Key: Planning Update Deployment
Contents:
Exercise 1: Analyze WSUS Deployment Plan
Exercise 2: Configure a Replica WSUS Server
Exercise 3: Configure WSUS for BranchCache
Requirements Overview
1. Contoso, Ltd in Australia wants to reduce the number of operating system updates that are downloaded from the Microsoft Update servers on the Internet, to reduce the costs associated with bandwidth utilization.
2. Contoso, Ltd has an agreement with its Internet Service Provider that substantially discounts the cost of traffic transmitted across WAN links when compared with the cost of downloading data directly from locations on the Internet such as Microsoft Update.
3. All branch offices have connections to the Internet as well as dedicated WAN connections.
4. The amount of data transmitted across WAN links should be minimized.
5. Only one WSUS server should be deployed at each site.
6. Administrators in the Melbourne site are responsible for approving updates to computers in the Perth, Adelaide, and Hobart sites.
7. Administrators in the Sydney site are responsible for approving updates to computers in the Sydney site. The cost of transmitting data across the Melbourne to Perth link is equivalent to the cost of downloading data from locations on the Internet such as Microsoft Update.
Task 2: Update the Visio diagram, placing WSUS servers at each site.
1. Open the Visio diagram that represents the Contoso Australia WSUS server. The Visio file is located on NYC-CL1 in the D:\Labfiles\Mod09 folder.
2. Copy items representing each WSUS server type to each site. You may need to use the same item in more than one location.
systems, BranchCache would be inappropriate because these clients would be unable to take advantage of the technology. You would place two WSUS servers at the Melbourne site because all the other sites except Perth are likely to use the WSUS server at the Melbourne site as a source of updates. You would apply group policies at the site level to assign computers in each site to the local WSUS server.
Results: In this exercise, you planned a suitable WSUS deployment configuration for Contoso.
Ping NYC-SVR1
3. Close the command prompt window.
4. On the taskbar, click the Windows PowerShell icon. Run the following commands, and then press Enter after each command.
Import-Module ServerManager
5. Close the Windows PowerShell session.
6. Open Windows Explorer, and browse to the D:\Labfiles\Mod09 folder.
7. Double-click ReportViewer.exe to start installing Microsoft Report Viewer Redistributable 2008.
8. On the Welcome to Microsoft Report Viewer Redistributable 2008 SP Setup page of the Microsoft Report Viewer Redistributable 2008 SP Setup wizard, click Next.
9. On the License Terms page, accept the terms of the license agreement, and then click Install.
10. On the Setup Complete page, click Finish to dismiss the dialog box when the installer completes.
11. Double-click the file WSUS30-KB972455-x64.exe to begin the installation of WSUS 3.0 SP2.
12. On the Welcome page, click Next.
13. On the Installation Mode Selection page, select the Full server installation including Administration Console option, and then click Next.
14. On the License Agreement page, select the I accept the terms of the License agreement check box, and then click Next.
15. On the Select Update Source page, ensure that Store updates locally is selected, and then click Next.
16. On the Database Options page, ensure that Install Windows Internal Database on this computer is selected, and then click Next.
17. On the Web Site Selection page, ensure that Use the existing IIS Default Web site (recommended) is selected, and then click Next.
18. On the Ready to Install Windows Server Update Services 3.0 SP2 page, review the installation options, and then click Next. When the installation completes, click Finish.
19. When the Windows Server Update Services Configuration Wizard starts, click Next.
20. On the Join the Microsoft Update Improvement Program page, clear the Yes, I would like to join the Microsoft Update Improvement Program check box, and then click Next.
21. On the Choose Upstream Server page, click Synchronize from another Windows Server Update Services server.
22. In the Server name box, type NYC-SVR1, select the This is a replica of the upstream server check box, and then click Next.
23. On the Specify Proxy Server page, click Next.
24. On the Connect to Upstream Server page, click Start Connecting. This process will take several minutes. When it completes, click Next.
25. On the Choose Languages page, ensure that in the Download updates only in these languages list, English is selected, and then click Next.
26. On the Set Sync Schedule page, ensure that Synchronize manually is selected, and then click Next.
27. On the Finished page, ensure that the Launch the Windows Server Update Services Administration Console and Begin initial synchronization check boxes are selected, and then click Finish.
28. In the Update Services console, expand the NYC-SVR2\Computers\All Computers node, and verify that the Australia, Melbourne_Marketing, and Melbourne_Sales computer groups are present.
29. Expand the NYC-SVR2\Updates node, and then click All Updates.
30. In the Status list, click Any, and then click Refresh. Make a note of the total number of updates. This number should match the number that you noted earlier.
Task 3: Verify approvals on downstream servers and configure automatic approval rules.
1. Switch to NYC-SVR1.
2. In the Update Services console, right-click the Update Services node, and then click Connect to Server.
3. In the Connect To Server dialog box, type NYC-SVR2, and then click Connect.
4. Verify that NYC-SVR2 now appears in the Update Services console.
5. Navigate to the NYC-SVR1\Updates\Critical Updates node.
6. In the Approval list, click Unapproved.
7. In the Status list, click Any, and then click Refresh.
8. Select Update for Windows 7 (KB976662). On the Action menu, click Approve.
9. In the Approve Updates dialog box, next to the Melbourne_Marketing group, in the list, click Approved for Install, and then click OK.
10. In the Approval Progress dialog box, click Close.
11. Select Update for Windows 7 (KB975053). On the Action menu, click Approve.
12. In the Approve Updates dialog box, next to the All Computers group, in the list, click Approved for Install, and then click OK.
13. In the Approval Progress dialog box, click Close.
14. Expand the NYC-SVR2 node, and then click the Synchronizations node. On the Action menu, click Synchronize Now.
15. Navigate to the NYC-SVR2\Updates\All Updates node.
16. In the Approval list, click Approved. In the Status list, click Any, and then click Refresh.
17. Verify that the updates you approved on NYC-SVR1 are now shown as approved on NYC-SVR2. A replica takes its approvals from the upstream server and cannot be approved independently.
18. Navigate to the NYC-SVR1\Options node, and then click Automatic Approvals.
19. In the Automatic Approvals dialog box, click New Rule.
20. In the Add Rule dialog box, ensure that the When an update is in a specific classification and When an update is in a specific product options are selected.
21. Click the underlined any classification item in the Step 2 box.
22. Clear the All Classifications check box, select Critical Updates, and then click OK.
23. Click the underlined text all computers, and then ensure that only the Australia, Melbourne_Marketing, and Melbourne_Sales items are selected. Click OK.
24. In the Specify a name box, type Australia_Critical, and then click OK.
25. In the Automatic Approvals dialog box, click Australia_Critical, and then click Run Rule.
26. In the Run Rule dialog box, click Yes. When the rule has run, click Close. Click OK to close the Automatic Approvals dialog box.
27. Revert 6433A-NYC-SVR2.
Results: In this exercise, you configured a downstream WSUS server, verified the inheritance of updates, and configured an automatic approval rule.
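Steps 7 through 26 can be reproduced, and more importantly re-checked later, through the WSUS administration API that the Update Services console itself uses. The following is an added example and is not code from the lab or from Microsoft; it approves the two updates upstream, forces the replica to synchronize, reports whether each approval arrived, and then creates and runs the Australia_Critical rule. Server and group names, the two KB numbers and plain HTTP on port 80 come from the lab; that the API assembly is installed with the console on NYC-SVR1 and that the script runs there in an elevated PowerShell session are assumptions.

```powershell
# Added example, not part of the lab: programmatic equivalent of Task 3 through the
# Microsoft.UpdateServices.Administration API. Assumes it runs on NYC-SVR1 (where the
# console and therefore the assembly are installed); names and KB numbers are the lab's.

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Connect-Wsus {
    param([string]$Server, [int]$Port = 80)
    # $false = no TLS, matching the GPO value http://nyc-svr1 used later in this module.
    [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $false, $Port)
}

function Get-UpdateByKb {
    param($Wsus, [string]$Kb)
    # Titles look like "Update for Windows 7 (KB976662)", so a text search narrows the set
    # and the KnowledgebaseArticles collection pins the exact KB.
    $Wsus.SearchUpdates($Kb) | Where-Object { $_.KnowledgebaseArticles -contains $Kb } | Select-Object -First 1
}

function Approve-KbForGroup {
    param($Wsus, [string]$Kb, [string]$GroupName)
    $group  = $Wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    $update = Get-UpdateByKb $Wsus $Kb
    if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
    # Same as Approve -> "Approved for Install" for one group in the console.
    [void]$update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
}

function Get-KbApprovals {
    param($Wsus, [string]$Kb)
    # "Group -> Action" for every approval on the update, sorted so two servers compare cleanly.
    $update = Get-UpdateByKb $Wsus $Kb
    if (-not $update) { return @() }
    @($update.GetUpdateApprovals() | ForEach-Object { '{0} -> {1}' -f $_.GetComputerTargetGroup().Name, $_.Action } | Sort-Object)
}

function Compare-ReplicaApprovals {
    param([string]$Upstream, [string]$Replica, [string[]]$Kbs)
    $up = Connect-Wsus $Upstream
    $dn = Connect-Wsus $Replica
    # Step 14: synchronize the replica and wait until the synchronization is no longer running.
    $dn.GetSubscription().StartSynchronization()
    do { Start-Sleep -Seconds 5 } while ($dn.GetSubscription().GetSynchronizationStatus() -ne 'NotProcessing')
    foreach ($kb in $Kbs) {
        $a = Get-KbApprovals $up $kb
        $b = Get-KbApprovals $dn $kb
        New-Object PSObject -Property @{
            KB       = $kb
            Upstream = ($a -join '; ')
            Replica  = ($b -join '; ')
            Match    = (($a -join '|') -eq ($b -join '|'))
        }
    }
}

function New-CriticalAutoApprovalRule {
    param($Wsus, [string]$Name, [string[]]$GroupNames)
    # Steps 18-26: approve Critical Updates for the named groups, then run the rule once.
    $rule    = $Wsus.CreateInstallApprovalRule($Name)
    $classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
    $Wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq 'Critical Updates' } | ForEach-Object { [void]$classes.Add($_) }
    $groups  = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
    $Wsus.GetComputerTargetGroups() | Where-Object { $GroupNames -contains $_.Name } | ForEach-Object { [void]$groups.Add($_) }
    $rule.SetUpdateClassifications($classes)
    $rule.SetComputerTargetGroups($groups)
    $rule.Enabled = $true
    $rule.Save()
    $rule.ApplyRule()   # "Run Rule" in the console
    $rule
}

$upstream = Connect-Wsus 'NYC-SVR1'
Approve-KbForGroup $upstream '976662' 'Melbourne_Marketing'
Approve-KbForGroup $upstream '975053' 'All Computers'
Compare-ReplicaApprovals 'NYC-SVR1' 'NYC-SVR2' @('976662', '975053') | Format-Table KB, Match, Upstream, Replica -AutoSize
New-CriticalAutoApprovalRule $upstream 'Australia_Critical' @('Australia', 'Melbourne_Marketing', 'Melbourne_Sales') | Out-Null
```

Two points worth keeping in mind when this is more than a lab. A replica trusts its upstream server completely, so anyone who can approve on NYC-SVR1 decides what gets installed in every site that synchronizes from it, and the Automatic Approvals rule widens that further to anything classified as Critical. And the lab talks to WSUS over plain HTTP (port 80, http://nyc-svr1); in production, configure WSUS for SSL so that clients and downstream servers authenticate the server whose approvals they act on.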
9. Double-click the Configure BranchCache for network files policy. Set the policy to Enabled, and ensure that the round trip network latency setting is set to 0 milliseconds. Click OK.
10. Navigate to the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update node.
11. Edit the properties of the Specify intranet Microsoft update service location policy. Enable the policy, and set both the intranet update service for detecting updates and the intranet statistics server settings to http://nyc-svr1. Click OK.
12. Navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security node.
13. Right-click the Inbound Rules node, and then click New Rule.
14. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, select BranchCache - Content Retrieval (Uses HTTP), and then click Next twice. Click Finish.
15. Repeat steps 13 and 14 for the BranchCache - Peer Discovery (Uses WSD) rule.
16. Close the Group Policy Management Editor.
17. In the Group Policy Management console, right-click the Branch_Office OU, and then click Link an Existing GPO.
18. In the Select GPO dialog box, click WSUS_Branch, and then click OK.
19. On NYC-SVR1, open Windows PowerShell from the taskbar, run the following commands, and then press Enter after each command.
Import-Module ServerManager
Add-WindowsFeature FS-BranchCache, BranchCache
20. Restart NYC-SVR1.
21. Log on to NYC-SVR1 as Contoso\Administrator, with the password Pa$$w0rd.
5. Verify that the service mode is set to Distributed Caching.
6. Click Start, point to All Programs, and then click Windows Update.
7. Click Check for Updates.
8. When prompted to install the update to allow you to check for updates, click Install now.
9. After the update is installed, restart NYC-CL2. Log on to NYC-CL2 as Contoso\Administrator, with the password Pa$$w0rd.
10. Click Start, in the Search box, type perfmon.exe, and then press Enter.
11. Click the Performance Monitor node.
12. Right-click the graph display, and then click Add Counters.
13. Expand BranchCache in the top-left pane, and select the following counters:
Local Cache: Cache Complete File Segments
Local Cache: Cache Partial File Segments
Retrieval: Bytes From Cache
Retrieval: Bytes From Server
14. Review the counter values, and then close the Performance Monitor console.
Module 12
Lab Answer Key: Planning High Availability
Contents:
Exercise 1: Planning High Availability
Exercise 2: Implementing High Availability
Task 2: Update the proposal document with your planned course of action.
Answer the questions in the High Availability Plan document.
High Availability Plan
Document Reference Number: CW01312/1
Document Author: Charlotte Weiss
Date: 13th December
Requirements Overview
To provide a high-availability solution that ensures that the failure of any single component will not cause the Research database to become unavailable.
Proposals
1. In the current system, which component(s) is a point of failure?
Answer: The back-end database; the front-end web servers; the storage that hosts the database; and the supply of power to all systems.
2. For each component, how will you propose to prevent a system failure resulting from a component failure?
Answer:
The back-end database. Implement Failover Clustering; this is required because the database is stateful, that is, it contains data that changes, and each client computer's view of the system is different at a point in time.
The front-end web servers. Implement Network Load Balancing; the front end is stateless and contains no changing data. Client computers are indifferent as to which web server they connect through.
The storage that hosts the database. Consider implementing a RAID solution for the storage that hosts the database.
The supply of power to all systems. An uninterruptible power supply (UPS) provides some uptime during a power failure, and often enough time to shut down a database properly and avoid corruption.
3. Which Windows Server 2008 role or feature can help provide for each of these proposals?
Answer: Windows Server 2008 provides the Network Load Balancing and Failover Clustering features. Although disk fault tolerance can be provided through software, it is usually more appropriate to implement a fault-tolerant array through hardware.
4. After implementing the roles or features proposed, is there any remaining component that represents a single point of failure?
Answer: Loss or unavailability of a data center.
5. Have you any recommendations regarding this component(s)?
Answer: Ed Meadows mentioned that the database is to be replicated among the branches. This will provide a contingency in the event of link failure.
Task 3: Compare your solution to the one provided in the Lab Answer Key.
Compare your solution to the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: At the end of this exercise, you will have completed the High Availability Plan document.
In the Local Area Connection 2 Properties dialog box, click OK. Close the Network Connections window. Important Before starting this exercise, ensure you have completed the following preparatory steps on NYC-ISCSI.
To open the proper ports on Windows Firewall to allow iSCSI communication from clients to the server, open a command prompt, enter the following commands, and press Enter after each command.
netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service-TCP3260" dir=in action=allow protocol=TCP localport=3260
netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service-TCP135" dir=in action=allow protocol=TCP localport=135
netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service-UDP138" dir=in action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service" dir=in action=allow program="%SystemRoot%\System32\WinTarget.exe" enable=yes
netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service Status Proxy" dir=in action=allow program="%SystemRoot%\System32\WTStatusProxy.exe" enable=yes
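The preparatory rules above admit iSCSI traffic from any remote address. As an added example (not part of the lab and not Microsoft iSCSI Software Target documentation), the following PowerShell script creates the same five rules through the Windows Firewall COM interface (HNetCfg.FwPolicy2, present on Windows Server 2008 R2) but restricts them to the storage subnet, then verifies that each rule exists, is enabled, and carries the scope. The subnet 10.10.0.0/24 is an assumption derived from the lab's cluster address 10.10.0.90; the rule names, ports and executables are the lab's own.

```powershell
# Added example (not part of the lab). Creates the five iSCSI Software Target
# firewall rules from the preparatory steps through the Windows Firewall COM API,
# scoped to the storage subnet instead of any remote address, then checks that
# each rule is present, enabled and scoped.
# Assumption: the initiators NYC-SVR1 and NYC-SVR2 sit on 10.10.0.0/24 (the lab's
# cluster IP is 10.10.0.90). Change $InitiatorSubnet to match the real iSCSI network.
$InitiatorSubnet = '10.10.0.0/24'

# INetFwRule constants
$NET_FW_RULE_DIR_IN     = 1
$NET_FW_ACTION_ALLOW    = 1
$NET_FW_IP_PROTOCOL_TCP = 6
$NET_FW_IP_PROTOCOL_UDP = 17

$policy = New-Object -ComObject HNetCfg.FwPolicy2

# Same names, ports and executables as the lab's netsh commands.
$rules = @(
    @{ Name = 'Microsoft iSCSI Software Target Service-TCP3260'; Protocol = $NET_FW_IP_PROTOCOL_TCP; Port = '3260' },
    @{ Name = 'Microsoft iSCSI Software Target Service-TCP135';  Protocol = $NET_FW_IP_PROTOCOL_TCP; Port = '135'  },
    @{ Name = 'Microsoft iSCSI Software Target Service-UDP138';  Protocol = $NET_FW_IP_PROTOCOL_UDP; Port = '138'  },
    @{ Name = 'Microsoft iSCSI Software Target Service';              Program = "$env:SystemRoot\System32\WinTarget.exe" },
    @{ Name = 'Microsoft iSCSI Software Target Service Status Proxy'; Program = "$env:SystemRoot\System32\WTStatusProxy.exe" }
)

function Add-IscsiTargetRule([hashtable]$Spec) {
    # Skip rules that already exist so the script can be re-run safely.
    if ($policy.Rules | Where-Object { $_.Name -eq $Spec.Name }) { return }
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Spec.Name
    $rule.Direction       = $NET_FW_RULE_DIR_IN
    $rule.Action          = $NET_FW_ACTION_ALLOW
    $rule.RemoteAddresses = $InitiatorSubnet      # the one change from the lab's rules
    $rule.Enabled         = $true
    if ($Spec.ContainsKey('Port')) {
        $rule.Protocol   = $Spec.Protocol          # protocol must be set before ports
        $rule.LocalPorts = $Spec.Port
    } else {
        $rule.ApplicationName = $Spec.Program
    }
    $policy.Rules.Add($rule)
}

function Test-IscsiTargetRule([string]$Name) {
    # $true only when the rule exists, is enabled, is inbound and is not open to any address.
    # The firewall stores the scope as address/mask, so compare against the wildcard
    # rather than against the CIDR literal.
    $r = $policy.Rules | Where-Object { $_.Name -eq $Name }
    if (-not $r) { return $false }
    return ($r.Enabled -and $r.Direction -eq $NET_FW_RULE_DIR_IN -and $r.RemoteAddresses -ne '*')
}

foreach ($spec in $rules) { Add-IscsiTargetRule $spec }
foreach ($spec in $rules) {
    $state = if (Test-IscsiTargetRule $spec.Name) { 'OK' } else { 'MISSING OR UNSCOPED' }
    '{0,-20} {1}' -f $state, $spec.Name
}
```

Run it in an elevated PowerShell session on NYC-ISCSI. The verification loop prints MISSING OR UNSCOPED for any rule that was created by the lab's unscoped netsh commands beforehand, which is the quickest way to spot a target that still accepts initiator connections from every network.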
10. In the Advanced Identifiers dialog box, click OK.
11. On the iSCSI Initiators Identifiers page, ensure that the IQN Identifier box displays the text Click Advanced button to view alternate identifiers, and then click Next.
12. On the Completing the Create iSCSI Target Wizard page, click Finish.
13. In the tree pane of the iSCSITarget [Microsoft iSCSI Software Target\Devices] console, under iSCSI Targets, right-click Devices, and then click Create Virtual Disk.
14. On the Welcome to the Create Virtual Disk Wizard page, click Next.
15. In the File box of the File page, type C:\Disks\Disk-01.vhd, and then click Next.
16. In the Size of virtual disk (MB) box of the Size page, type 8000, and then click Next.
17. On the Description page, click Next.
18. On the Access page, click Add.
19. In the Add Target dialog box, in the Target Name list, click LUN-01, and then click OK.
20. On the Access page, click Next.
21. On the Completing the Create Virtual Disk Wizard page, click Finish.
22. In the tree pane of the iSCSITarget [Microsoft iSCSI Software Target\Devices] console, under iSCSI Targets, right-click Devices, and then click Create Virtual Disk.
23. On the Welcome to the Create Virtual Disk Wizard page, click Next.
24. In the File box of the File page, type C:\Disks\Disk-02.vhd, and then click Next.
25. In the Size of virtual disk (MB) box of the Size page, type 20000, and then click Next.
26. On the Description page, click Next.
27. On the Access page, click Add.
28. In the Add Target dialog box, in the Target Name list, click LUN-01, and then click OK.
29. On the Access page, click Next.
30. On the Completing the Create Virtual Disk Wizard page, click Finish.
10. On the Assign Drive Letter or Path page, next to Assign the following drive letter, click Q, and then click Next.
11. On the Format Partition page, in the Volume label box, type Witness Disk, and then click Next.
12. On the Completing the New Simple Volume Wizard page, click Finish.
13. In the Disk Management result pane, right-click the 19.53 GB Unallocated area next to either Disk 3 or Disk 4, and then click New Simple Volume.
14. On the Welcome to the New Simple Volume Wizard page, click Next.
15. On the Specify Volume Size page, click Next.
16. On the Assign Drive Letter or Path page, next to Assign the following drive letter, click M, and then click Next.
17. On the Format Partition page, in the Volume label box, type VM Storage, and then click Next.
18. On the Completing the New Simple Volume Wizard page, click Finish.
8. On the Select Features page of the Add Features Wizard, under Features, select the Failover Clustering check box, and then click Next.
9. On the Confirm Installation Selections page, click Install.
10. Verify that no errors are reported, and then close Internet Explorer.
11. On the Summary page, click Finish.
Note: No errors should be raised, but you may receive warnings that indicate the configuration is not optimal. This is expected and arises because of the limitations of the virtual machine configuration.
Task 7: Use the Create Cluster Wizard to build a simple failover cluster.
1. In the Actions pane of the Failover Cluster Manager console, click Create a Cluster.
2. On the Before You Begin page, click Next.
3. In the Enter server name box of the Select Servers page, type NYC-SVR1, and then click Add. Type NYC-SVR2, click Add, and then click Next.
4. In the Cluster Name box, type NYC-Br-Cluster, in the Address box, type 10.10.0.90, and then click Next.
5. On the Confirmation page, click Next.
6. On the Summary page, click View Report. Scroll to the lowermost part of the report, and verify that the cluster was created by using the Node and Disk Majority quorum configuration.
7. Close Internet Explorer.
8. On the Summary page, click Finish.
4. Select the Print and Document Services check box on the Select Server Roles page, and then click Next three times.
5. Click Install.
6. When prompted, click Close, and then close Server Manager after the installation is complete.
7. Switch to NYC-SVR2 and switch to Server Manager.
8. In the navigation pane, right-click Roles, and then click Add Roles to start the Add Roles Wizard.
9. On the Before You Begin page, click Next.
10. Select the Print and Document Services check box on the Select Server Roles page, and then click Next three times.
11. Click Install.
12. Close Server Manager after the installation is complete.
10. After the wizard runs and the Summary page appears, you can view a report of the tasks the wizard performed by clicking View Report. Review the report, and then close Internet Explorer.
11. Click Finish.
12. In the navigation pane, expand Services and Applications, and verify that the clustered print server NYC-BR-Print has been created.
Task 10: Fail over the NYC-BR-Print clustered service from NYC-SVR1 to NYC-SVR2.
1. In the navigation tree, click NYC-BR-Print.
2. In the results pane, identify the service's current owner.
3. In the Actions pane, click Move this service or application to another node.
4. Click Move to node servername, where servername is the cluster node that is not the current owner.
5. In the Please confirm action dialog box, click Move NYC-BR-Print to servername. Wait for the service to move to the new owner. Then, in the results pane, verify that NYC-BR-Print now shows the new current owner and that all components are online.
Task 12: Change the failback settings to allow failback only to the preferred node between 1 and 4 hours.
1. On the Failover tab, click Allow Failback.
2. Click Failback between.
3. Type 1 in the first box and 4 in the second box, and then click OK.
Results: At the end of this exercise, you will have implemented a failover cluster.
Module 13
Lab Answer Key: Planning Performance and Event Monitoring
Contents:
Exercise 1: Planning Enterprise Event Log Management (page 2)
Exercise 2: Configuring Event Subscriptions (page 2)
Exercise 3: Creating Custom Views (page 5)
Exercise 4: Configuring Event Tasks (page 5)
Answer: Because of the transient nature of the application test servers, NYC-DC1 should be used to collect the events. A single collector-initiated subscription on NYC-DC1 that specifies the source application test servers would work best in this case, because application servers can be added to or removed from the list of computers on the subscription as they are moved into and out of the environment. Because the installers for the applications are all MSI-based, you can use the MsiInstaller source to catch all events that are logged by the installers.
3. How will you provide a list of only the installation-related events on each of the local application test servers?
Answer: On the local application servers, a custom view can be created to display only the MsiInstaller events.
4. How can you effectively implement these lists on all servers, including those that will be added later?
Answer: After a custom view for the MsiInstaller source has been created, it can be exported, stored in a network location, and then imported on each additional application test server that is introduced to the environment.
5. How will you implement the notification system specified in the scenario?
Answer: Using Task Scheduler, a task can be created to run whenever an MsiInstaller event is logged in the Forwarded Events log. This task should create a pop-up notification on the application server that the event has occurred.
Results: After completing this exercise, you should have planned enterprise log management.
winrm qc
5. At the Make these changes? prompt, type Y, and then press Enter.
6. In the Administrator: C:\Windows\system32\cmd.exe window, type the following command, and then press Enter. This command enables the Windows Event Collector service on NYC-DC1 with the default configuration.
wecutil qc
7. At the service startup prompt, type Y, and then press Enter.
8. Close the Administrator: C:\Windows\system32\cmd.exe window.
9. Switch to the 6433A-NYC-SVR1 virtual machine.
10. On NYC-SVR1, click Start, and then click Run.
11. In the Run window, type cmd in the Open field, and then press Enter.
12. In the Administrator: C:\Windows\system32\cmd.exe window, type the following command, and then press Enter. This command enables the WinRM service with the default configuration.
winrm qc
13. At the first Make these changes? prompt, type Y, and then press Enter.
14. At the second Make these changes? prompt, type Y, and then press Enter.
15. Close the Administrator: C:\Windows\system32\cmd.exe window.
10. In the Query Filter window, select By source, click the Event Sources: drop-down box, select the MsiInstaller check box, and then click OK.
11. In the Subscription Properties - Application Installations window, click the Advanced button.
12. In the Advanced Subscription Settings window, select Specific User, and then click the User and Password... button.
13. In the Credentials for Subscription Source window, in the Password field, type Pa$$w0rd, and then click OK.
14. In the Advanced Subscription Settings window, click OK.
15. In the Subscription Properties - Application Installations window, click OK.
16. In the Event Viewer window, click the Subscriptions node.
17. In the details pane, confirm that the Status column next to the Application Installations subscription is Active.
18. In the details pane, right-click the Application Installations subscription, and then click Runtime Status.
19. In the Subscription Runtime Status - Application Installations window, confirm that the Status column beside NYC-SVR1.Contoso.com is Active, and then click Close.
Results: After completing this exercise, you should have configured event subscriptions.
Results: After completing this exercise, you should have created custom views.
4. In the Create Basic Task Wizard window, in the Name field, type Application Install Failure Email, and then click Next.
5. On the Task Trigger page, select When a specific event is logged, and then click Next.
6. On the When a Specific Event is Logged page, click the Log drop-down box, and then click Forwarded Events.
7. In the Event ID field, type 11708, and then click Next.
8. On the Action page, select Send an e-mail, and then click Next.
9. On the Send an E-mail page, populate the fields as follows, and then click Next.
From: AppInstallNotifier@Contoso.com
To: Ed@Contoso.com
Subject: Application Installation Failure
Text: An application installation has occurred. Please check the Forwarded Events Log on NYC-DC1 for more details.
SMTP Server: NYC-SVR1.Contoso.com
10. On NYC-SVR1, click Start, and then click Computer.
11. In the navigation pane, expand Local Disk (C:), expand inetpub, expand mailroot, and then click the Drop folder. Ensure that the folder contains a newly created file with the .eml extension. This file is the e-mail from the task configured in Task 1. It may take a few minutes for the file to appear.
12. Close Windows Explorer.
Results: After completing this exercise, you should have created an event task.
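The Module 13 exercises build the MsiInstaller subscription filter, the custom view, and the Event ID 11708 e-mail task through the Event Viewer and Task Scheduler wizards. As an added example (not part of the lab), this PowerShell script expresses the same two filters as event queries, tests them against the live logs on the collector NYC-DC1, and registers the notification task from its XML definition so the trigger and action can be reviewed and version-controlled. The subscription name, mailbox addresses, SMTP host and message text are the lab's; running the task as LocalSystem (SID S-1-5-18) and the temporary XML file location are my assumptions.

```powershell
# Added example (not lab code). Expresses the lab's MsiInstaller filtering as two
# explicit event queries, tests both on the collector, and registers the
# "Application Install Failure Email" task from XML instead of the wizard.
# Run on NYC-DC1 after the subscription shows Active.
# Assumptions: the task runs as LocalSystem (S-1-5-18); the XML is staged in %TEMP%.

# Confirm the subscription source is forwarding before testing filters against it.
wecutil gr 'Application Installations'

# Filter 1: what the custom view and the subscription select. Exporting this query
# is what the plan means by storing the view centrally and importing it per server.
$customViewQuery = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='MsiInstaller']]]</Select>
  </Query>
</QueryList>
'@

# Filter 2: only failed installations (MsiInstaller 11708) already forwarded to the collector.
$failureQuery = @'
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[Provider[@Name='MsiInstaller'] and EventID=11708]]</Select>
  </Query>
</QueryList>
'@

function Get-MatchingEvents([string]$QueryXml, [int]$Max = 25) {
    # Get-WinEvent casts the query string to an XmlDocument for -FilterXml.
    Get-WinEvent -FilterXml $QueryXml -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Id, Message
}
Get-MatchingEvents $customViewQuery | Format-Table -AutoSize
Get-MatchingEvents $failureQuery    | Format-Table -AutoSize

# Task definition: the EventTrigger carries filter 2 XML-escaped, exactly as Task
# Scheduler stores a "When a specific event is logged" trigger; SendEmail is the
# wizard's "Send an e-mail" action with the lab's field values.
$subscription = [System.Security.SecurityElement]::Escape($failureQuery)
$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$subscription</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <SendEmail>
      <Server>NYC-SVR1.Contoso.com</Server>
      <Subject>Application Installation Failure</Subject>
      <To>Ed@Contoso.com</To>
      <From>AppInstallNotifier@Contoso.com</From>
      <Body>An application installation has occurred. Please check the Forwarded Events Log on NYC-DC1 for more details.</Body>
    </SendEmail>
  </Actions>
</Task>
"@

# The declaration says UTF-16, so write the file as UTF-16 LE with a BOM.
$xmlPath = Join-Path $env:TEMP 'AppInstallFailureEmail.xml'
$taskXml | Out-File -FilePath $xmlPath -Encoding Unicode
schtasks /Create /TN 'Application Install Failure Email' /XML $xmlPath /F
schtasks /Query  /TN 'Application Install Failure Email' /V /FO LIST
```

Filter 1 is deliberately broad (every MsiInstaller event, so successful installs are visible too) while filter 2 is narrow; the lab's Exercise 4 task would otherwise fire on every forwarded MsiInstaller event if the Event ID were omitted. Because the trigger reads the Forwarded Events log, the task only fires on the collector, which is why the subscription status check comes first.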
Module 14
Lab Answer Key: Enterprise Backup and Recovery
Contents:
Exercise 1: Contoso Disaster Recovery Plan (page 2)
Exercise 2: Configuring Network Backup with Windows Server Backup (page 4)
Exercise 3: Mounting Backup VHD and Extracting Data (page 5)
Exercise 4: Configuring NYC-SVR1 to Boot from the Backup VHD (page 6)
Contoso Disaster Recovery document
Environment Information
Contoso, Ltd. is a medium-sized organization with its head office in Melbourne, Australia, and two branch offices. The organization employs 300 people, of which 200 are located at its head office, and 50 people work at each of the two branch offices. You have been asked to generate a disaster recovery plan for the Contoso Windows Server 2008 R2 deployment. The Contoso server infrastructure consists of the following:
Head Office Site: Melbourne Central Business District
- One physical server running Windows Server 2008 R2 configured with the AD DS, DNS, DHCP, and AD CS roles. 8 GB of RAM. 1 terabyte (TB) hard disk drive (HDD).
- Two physical servers running Windows Server 2008 R2 configured as DFS Replicas and DFS Roots. 8 GB of RAM. 1 TB HDD.
- One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD.
  - Windows Web Server 2008 R2 IIS server
  - Windows Server 2008 R2 hosting Exchange Server 2010
  - Windows Server 2008 R2 hosting SQL Server 2008 R2 database server
Branch Office Site: Moonee Ponds
- One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD.
  - Windows Server 2008 R2 Domain Controller / DNS / DHCP server
  - Windows Server 2008 File Server / DFS Replica
Branch Office Site: Endeavour Hills
- One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD.
  - Windows Server 2008 R2 Domain Controller / DNS / DHCP server
  - Windows Server 2008 File Server / DFS Replica
Additional Information
Contoso is in the process of renting space for a disaster recovery site in the suburb of Dandenong.
All servers at Contoso that host the Hyper-V role have only that role installed.
Servers at the head office site should never lose more than 3 hours of data in the event of server failure.
Servers at branch office sites should never lose more than 24 hours of data in the event of server failure.
Requirements Overview
Contoso has asked you to accomplish the following objectives in developing a disaster recovery plan.
1. You need to be able to restore backup data from all servers at the head office site in the event that computers at the head office site are completely lost due to fire, flood damage, or other unforeseen catastrophes.
2. A 7-day recovery point objective is acceptable if a site is completely lost.
3. Servers at the head office site should never lose more than 3 hours of data in the event of server failure.
4. Servers at branch office sites should never lose more than 24 hours of data in the event of server failure.
5. You need to be able to run any head office server in the event that the server hardware fails until that hardware is replaced.
6. You want to minimize the amount of hardware deployed at the proposed Dandenong disaster recovery site.
7. You need to be able to restore up to 7 days of data on each server in the event that data is lost or corrupted.
Proposals
Contoso has asked you to accomplish the following objectives in developing a disaster recovery plan.
1. What steps should you propose to meet the objective of being able to recover up to 7 days of data on each server?
Answer: It will be necessary to have a local backup storage device attached to each server. A USB 3.0 device provisioned with appropriate storage attached to each server would accomplish this goal.
2. What steps could you take to back up the virtual machines by using Windows Server Backup?
Answer: Answers will vary, but you could create virtual volumes on each virtual machine, storing the VHD files for these volumes on the backup storage device. Backups could then be written to these virtual disks.
3. What steps should you propose to meet the objective of ensuring that any branch office site can be recovered in the event of full site loss?
Answer: Backup data must be moved once a week to the DR site to ensure that data is available in the event that the site itself is lost. Once a week, it will be necessary to copy the contents of the backup storage devices to an additional device, such as another disk, and transport that device physically to the DR site.
4. What infrastructure would you provision at the Dandenong disaster recovery site to meet disaster recovery objectives?
Answer: A server running Hyper-V that has 32 GB or more of RAM will be able to temporarily host all of the servers that are present at any specific site. This will allow servers to be available until replacement hardware can be obtained.
5. What infrastructure would you provision at the head office site to ensure that you can continue to provide services in the event that a single server fails completely?
Answer: A server running Hyper-V that has 16 GB or more of RAM will be able to provide service at the head office site in the event that any single server fails completely.
6. What backup schedules would you configure for servers at the head office and branch office sites?
Answer: Configure backup to occur every 3 hours at the head office site and once a day at the branch office sites.
Results: At the end of this exercise, you will have planned an appropriate disaster recovery solution for Contoso.
8. Open Windows Explorer and create a new folder on volume D, called BackupTarget.
9. Share this folder by right-clicking the folder, clicking Share with, clicking Specific people, and then, in the File Sharing dialog box, clicking Share.
Results: At the end of this exercise, you will have used Windows Server Backup to create and perform a scheduled backup to a network location.
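Exercise 1 fixes the backup frequencies (every 3 hours at the head office, once a day at the branches) and Exercise 2 creates and shares the BackupTarget folder by hand. As an added example (not the lab's code and not Windows Server Backup documentation), this PowerShell script creates the share with restrictive permissions and schedules the backup with wbadmin. The share host NYC-DC1, the account CONTOSO\BackupSvc and the rights granted are my assumptions; the folder name, volume and schedules come from the lab.

```powershell
# Added example (not lab code). Applies the plan's backup frequencies with wbadmin
# and tightens the BackupTarget share from Exercise 2, because a Windows Server
# Backup image contains complete system volumes (Exercise 3 reads a user's desktop
# file straight out of one).
# Assumptions: the share host is NYC-DC1 and the folder is D:\BackupTarget (the lab
# names the folder and volume but not the host); CONTOSO\BackupSvc is a hypothetical
# account used only for backups; the password is prompted for, never stored here.

# --- On the share host: the backup account may write, only Administrators may read.
New-Item -ItemType Directory -Path D:\BackupTarget -Force | Out-Null
net share BackupTarget=D:\BackupTarget /GRANT:CONTOSO\BackupSvc,CHANGE /GRANT:Administrators,READ /REMARK:"Windows Server Backup target"
icacls D:\BackupTarget /inheritance:r /grant "CONTOSO\BackupSvc:(OI)(CI)M" /grant "Administrators:(OI)(CI)F"

# --- On each protected server: derive the wbadmin schedule from the site's RPO.
function Get-BackupSchedule([string]$Site) {
    switch ($Site) {
        'HeadOffice' { (0..7 | ForEach-Object { '{0:D2}:00' -f ($_ * 3) }) -join ',' }  # 00:00,03:00,...,21:00
        'Branch'     { '01:00' }                                                       # once a day
        default      { throw "Unknown site type '$Site'" }
    }
}

$schedule = Get-BackupSchedule 'HeadOffice'
"Schedule: $schedule"

$backupUser = 'CONTOSO\BackupSvc'
$backupPass = Read-Host "Password for $backupUser"

# -allCritical backs up every volume needed to boot and recover the OS;
# -vssFull records the backup as a full backup for VSS-aware applications.
wbadmin enable backup -addtarget:\\NYC-DC1\BackupTarget -schedule:$schedule -allCritical -vssFull -user:$backupUser -password:$backupPass -quiet

# Verification: the current scheduled settings, then the versions present at the target.
wbadmin enable backup
wbadmin get versions -backupTarget:\\NYC-DC1\BackupTarget
```

One property of the network-share target matters for the plan: Windows Server Backup keeps only the most recent backup on a remote shared folder, each run overwriting the last. The 7-day retention in the Exercise 1 plan therefore depends on the locally attached backup disks proposed in answer 1; the share configured here satisfies the scheduling exercise but not the 7-day recovery objective on its own.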
6. Under this folder, open the folder that is named Backup and has a date and time stamp.
7. Select the largest VHD file in this folder, and then click Open.
Note: This VHD file should be approximately 7.5 GB in size.
8. Click OK in the Attach Virtual Hard Disk dialog box.
9. Open Windows Explorer and browse to the newly mounted volume.
10. Navigate to the Users\Administrator.Contoso\Desktop folder and open Example_Data.txt.
11. Verify the contents of Example_Data.txt, and then close the file.
12. Close Windows Explorer.
13. In the Server Manager console, click the Storage\Disk Management node and right-click the disk that represents the mounted VHD volume. Click Detach VHD. Click OK.
Results: At the end of this exercise, you will have verified the backup data without having to perform a restore operation.
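Attaching the backup VHD through Disk Management, as Exercise 3 does, mounts it writable, so browsing it can alter the only copy of the image. As an added example (not lab code), this PowerShell script attaches the VHD read-only through a diskpart script, finds the drive letter that appeared, checks for the lab's sample file, and detaches the disk. The VHD path is a placeholder to be replaced with the file chosen in step 7; the sample file path is the lab's.

```powershell
# Added example (not lab code). Mounts a backup VHD read-only with a diskpart
# script so that verifying its contents cannot modify the image, checks for the
# lab's test file, and detaches the disk again.
# Assumption: $VhdPath is a placeholder for the largest VHD under the time-stamped
# Backup folder on the share (step 7 of the exercise).
$VhdPath = '<path to the largest .vhd in the time-stamped Backup folder>'

function Invoke-DiskPart([string]$Script) {
    # diskpart only takes commands from a file, so stage the script temporarily.
    $tmp = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $Script -Encoding ASCII
    $out = diskpart /s $tmp
    Remove-Item $tmp
    return $out
}

function Mount-BackupVhdReadOnly([string]$Path) {
    $before = Get-WmiObject Win32_LogicalDisk | ForEach-Object { $_.DeviceID }
    Invoke-DiskPart "select vdisk file=`"$Path`"`r`nattach vdisk readonly" | Out-Null
    Start-Sleep -Seconds 3   # give automount time to assign a letter
    $after = Get-WmiObject Win32_LogicalDisk | ForEach-Object { $_.DeviceID }
    # The mounted volume is whichever drive letter appeared.
    return ($after | Where-Object { $before -notcontains $_ } | Select-Object -First 1)
}

function Dismount-BackupVhd([string]$Path) {
    Invoke-DiskPart "select vdisk file=`"$Path`"`r`ndetach vdisk" | Out-Null
}

$drive = Mount-BackupVhdReadOnly $VhdPath
if (-not $drive) {
    throw 'VHD attached but no new drive letter appeared; assign one in Disk Management and retry.'
}

$sample = Join-Path $drive 'Users\Administrator.Contoso\Desktop\Example_Data.txt'
if (Test-Path $sample) {
    "Found $sample"
    Get-Content $sample
} else {
    "Missing: $sample"
}

Dismount-BackupVhd $VhdPath
```

With the disk attached read-only, Disk Management shows the volume as Read Only and any attempt to write to it fails, which is the behaviour you want when the VHD is the only copy of a system image.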
When the backup file is copied to volume F, rename the VHD file to backup.vhd.
CD \
3. Make a note of the CLSID number that is displayed. You will use this number in the next set of commands.
4. Enter the following commands, substituting the CLSID number. Keep the square brackets around the drive letter, and press Enter after each command.
Results: At the end of this exercise, you will have performed recovery of a server operating system volume without having to perform a recovery by using Windows Server Backup.