Lab Instructions and Lab Answer Key: Planning and Implementing Windows Server® 2008

O F F I C I A L
M I C R O S O F T
L E A R N I N G
P R O D U C T
6433A and Lab Answer Key: Lab Instructions
Planning and Implementing Windows Server 2008
Information in this document, including URL and other Internet website references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third-party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. 2011 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Product Number: 6433A Part Number: X17-90743 Released: 09/2011
Lab Instruction: Planning Server Deployment and Upgrade
Module 1
Lab Instructions: Planning Server Deployment and Upgrade
Contents:
Exercise 1: Planning a Windows Server 2008 R2 Deployment Exercise 2: Modifying a Windows Server 2008 R2 Image Exercise 3: Preparing to Deploy the Windows Server 2008 R2 Image 3 6 7
Lab: Planning and Implementing Server Deployment
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on by using the following credentials: 5. User name: Administrator Password: Pa$$w0rd Domain: Contoso
Repeat steps 2 to 4 for 6433A-NYC-SVR1.
Lab Scenario
Contoso has been running their head office network infrastructure on the Windows Server 2003 platform. In the branch offices, UNIX is used to host a line-of-business application. Contoso has decided to upgrade their head office network infrastructure to Windows Server 2008 R2, and at the same time, replace the UNIX hosts with Windows Server 2008 R2 hosts. You have been assigned the task of planning a suitable deployment method, creating a standard server image for deployment, and finally, preparing deployment tools to implement the deployment. For this project, you must complete the following tasks: Plan a suitable deployment method for Contoso.
Modify an existing server image by using command-line tools. Prepare to deploy Windows Server by using the modified image and WDS.
Exercise 1: Planning a Windows Server 2008 R2 Deployment

Scenario
Contoso has decided to upgrade from Windows Server 2003 and to replace UNIX hosts in the branch offices. You must examine the email communication between members of the project team, and then complete the Contoso Windows Server 2008 R2 Deployment Plan document. The main tasks for this exercise are as follows: 1. 2. 3. Read the supporting documentation. Update the proposal document with your planned course of action. Examine the suggested proposals in the Lab Answer Key.
Supporting Documentation Charlotte Weiss

From: Sent: To: Subject: Attached: Charlotte, Ed Meadows [Ed@contoso.com] 27May2011 09:12 Charlotte@contoso.com Re: Contoso Windows Server 2008 R2 Deployment Plan Deployed Server Datasheet.doc
No problem. Details are in the attached datasheet. Its worth noting the utilization figures for the deployed servers. Also, remember that some of the research staff are working on isolated networks with no Internet access. Regards, Ed ----- Original Message ----From: Charlotte Weiss [Charlotte@contoso.com] Sent: 26May 2011 08:42 To: Ed@contoso.com Subject: Contoso Windows Server 2008 R2 Deployment Plan Ed, Can you provide me with details about the deployed servers in both the head office and the branch offices? Charlotte
Deployed Server Datasheet.doc (subset) NYC-DC1 Function(s) Domain Controller File services Certificate services Utilization 80 percent Additional information Windows Server 2003 Enterprise Edition (64-bit) NYC-SVR1 Function(s) File services DNS DHCP WSUS Utilization 75 percent Additional information Windows Server 2003 Enterprise Edition (64-bit) NYC-SVR2 Function(s) File services Domain Controller DNS Utilization 25 percent Additional information Windows Server 2003 Standard Edition (32-bit) Physical security at the branch is difficult to maintain NYC-SVR3 Branch Office 2 Branch Office 2 Head Office Head Office
Function(s) Supports line-of-business application Utilization
Deployed Server Datasheet.doc (subset) 10 percent Additional information UNIX operating system
Note The utilization figure is an amalgamated value intended to give an overview of the overall workload on the server, rather than a quoted value for a specific Windows performance counter.
Task 1: Read the supporting documentation.

1. Read the supporting documentation.
Task 2: Update the proposal document with your planned course of action.
1. Answer the questions in the Contoso Windows Server 2008 R2 Deployment Plan document. Contoso Windows Server 2008 R2 Deployment Plan Document Reference Number:CW2805/1 Document Author Date Charlotte Weiss May 28
Requirements Overview To provide information to help plan the upgrade/migration to Windows Server 2008 R2. Additional Information Branch Office 2 supports forty client computers and two servers. Branch Office 2 is isolated from the Internet. Branch Office 2 has no server room and servers are placed in the main office space. Proposals 1. 2. 3. 4. 5. 6. 7. In Eds email, he recommended that Charlotte should examine the server utilization figures. Why is this significant when planning server deployment? Ed also reminded Charlotte that some departments used servers and client workstations that are isolated from the Internet. What is the impact of this in terms of deployment? In environments where there are isolated servers and workstations, which factors determine the activation technology that you use? Are there situations where virtualization is indicated? How would you help to improve security at Branch Office 2? Which activation method would you use at Branch Office 2? All the other branches have similar server configurations to those in Branch Office 2. Assuming Contoso accepts your proposals for the branch servers at Branch Office 2, how would you propose to deploy the servers at this office and the other ten branch offices in the New York area?
Task 3: Examine the suggested proposals in the Lab Answer Key.

1. Examine the completed Contoso Windows Server 2008 R2 Deployment Plan in the Lab Answer Key and be prepared to discuss your solutions with the class.
Results: At the end of this exercise, you should have successfully planned the Windows Server 2008 R2 deployment.
Exercise 2: Modifying a Windows Server 2008 R2 Image

Scenario
In this exercise, you will modify the default installation image to include the Hyper-V role. The main tasks for this exercise are as follows: Map a network drive to the image store on NYC-SVR1. List the existing images. Mount the existing image. Add the Hyper-V feature to the image.
Task 1: Map a network drive to the image store on NYC-SVR1.

1. 2. Switch to NYC-DC1. Map drive Z to \\nyc-svr1\d$.
Task 2: List the existing images.

1. 2. 3. 4. Open the Deployment Tools Command Prompt. Change to Z:\labfiles\Mod01\Images. List the image files located in this folder. Get the index number for the Windows Server 2008 R2 SERVERENTERPRISECORE edition of Windows in the Install.wim image file. At the Command Prompt window, run the following command.
Dism /get-wiminfo /wimfile:Z:\labfiles\Mod01\images\install.wim
Task 3: Mount the existing image.

1. At the Command Prompt window, type Dism /mount-wim /wimfile:Z:\labfiles\Mod01\images\Install.wim /index:4 /mountdir:D:\labfiles\Mod01\servicing, and then press Enter. Verify that you have mounted the correct version. Type Dism /get-mountedwiminfo, and then press Enter. Verify that the image is mounted in D:\labfiles\Mod01\Servicing. Type Dir D:\labfiles\Mod01\servicing, and then press Enter.
2. 3.
Task 4: Add the Hyper-V feature to the image.

1. Install the Hyper-V feature by running the following command:.
Dism /image:D:\labfiles\mod01\servicing /enable-feature /featurename:Microsoft-Hyper-V
2.
Run the following command to verify that Microsoft-Hyper-V is enabled.
Dism /image:D:\labfiles\mod01\servicing /get-features
3.
Wait until the status of Microsoft-Hyper-V is Enable Pending, and then run the following command.
Dism/unmount-wim /mountdir:D:\labfiles\Mod01\servicing /commit
Results: At the end of this exercise, you will have prepared the branch office image.
Exercise 3: Preparing to Deploy the Windows Server 2008 R2 Image

Scenario
In this exercise, you will add and configure the WDS server role to deploy the branch offices image. The main tasks for this exercise are as follows: Install the Windows Deployment Services role. Configure Windows Deployment Services. Add a Windows Preinstallation Environment (Windows PE) boot image. Use WDSUtil to add a boot image. Add an install image. Configure Automatic Naming. Configure Admin Approval. Configure Windows Deployment Services Server for multicast transmission.
Task 1: Install the Windows Deployment Services role.

1. 2. 3. 4. Switch to the NYC-SVR1 computer. Open Server Manager. Install the Windows Deployment Services server role with both role services. Close Server Manager.
Task 2: Configure Windows Deployment Services.

1. 2. 3. Open Windows Deployment Services from Administrative Tools. Right-click NYC-SVR1.Contoso.com, and then click Configure Server. Use the following information to complete the configuration: a. b. c. d. On the Remote Installation Folder Location page, accept the defaults. Accept the System Volume Warning message. On the PXE Server Initial Settings page, select the Respond to all client computers (known and unknown) option. When prompted, choose to not add images to the server.
Task 3: Add a Windows Preinstallation Environment (Windows PE) boot image.

1. In Windows Deployment Services, add a new boot image by using the following information to complete the process: a. b. c. d. 2. On the Image File page, use the following file name: \\nyc-dc1\c$\ProgramFiles\Windows AIK\Tools\PETools\x86\winpe.wim. Accept the defaults on the Image Metadata page. Accept the defaults on the Summary page. On the Task Progress page, click Finish.
Minimize Windows Deployment Services.
Task 4: Use WDSUtil to add a boot image.

1. Open a Command Prompt window, type the following command, and then press Enter.
wdsutil /progress /add-image /imagefile:"D:\labfiles\mod01\images\boot.wim" /imagetype:boot /name:"Microsoft Windows Setup (x64)"
2. 3.
Close the Command Prompt window. Switch to Windows Deployment Services, and then verify the presence of the new boot image. Question: How many boot images are listed?
Task 5: Add an install image.

1. 2. In Windows Deployment Services, add a new Image Group with the image group name of Windows Server 2008 R2. Add a new install image to this group by using the following information to complete the process: a. b. c. d. On the Image File page, use the following file name: D:\labfiles\mod01\images\install.wim. On the Available Images page, clear all check boxes, except Windows Server 2008 R2SERVERENTERPRISECORE, and then click Next. Accept the defaults on the Summary page. Click Finish on the Task Progress page.
Task 6: Configure automatic naming.

1. 2. In Windows Deployment Services, view the properties of NYC-SVR1.Contoso.com. On the AD DS tab, use the following information to configure automatic naming: a. b. In the Format box, type BRANCH-SVR-%02#. Under Computer Account Location, select the Research OU in the Contoso.com domain.
Task 7: Configure administrator approval.

1. 2. 3. In Windows Deployment Services, view the properties of NYC-SVR1.Contoso.com. On the PXE Response tab, select Require administrator approval for unknown computers. Also change the PXE Response Delay to 3 seconds. Open a command prompt, and then type the following command to create a message for installers to view while awaiting admin approval.
WDSUTIL /Set-Server /AutoAddPolicy /Message:TheContoso administrator is authorizing this request. Please wait.
4.
Close the Command Prompt window.
Task 8: Configure Windows Deployment Services server for multicast transmission.

1. Create a new multicast transmission by using the following information to complete the process: a. b. c. d. Transmission name: Windows Server 2008 R2 Branch Servers Image group: Windows Server 2008 R2 Image: Windows Server 2008 R2 SERVERENTERPRISECORE Multicast type: Auto-Cast
Results: At the end of this exercise, you will have successfully prepared WDS to support Windows Server deployment to the branch offices.
To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-SVR1.
Lab Instructions: Planning Server Management and Delegated Administration
Module 2
Contents:
Exercise 1: Creating an Administrative-Level Role Group Exercise 2: Creating an Account Management Group Exercise 3: Enabling and Configuring Auditing for Sensitive Groups 3 3 4
Lab: Implementing Role-Based Systems Administration
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on by using the following credentials: User name: Administrator Password: Pa$$w0rd Domain: Contoso
Lab Scenario
Contoso, Ltd. is currently beginning an Active Directory redesign project. There are two members of the IT departmentKenn Sutton and Christine Koch. Their group will require full control over Active Directory objects in the Contoso domain. Ryan Ihrig, a new intern, has been assigned user management tasks in the Research department to alleviate department load, while Kenn and Christine are working on the project. You have been asked to provide the Active Directory groups and permissions that will allow these changes to take place. You have also been asked to enable auditing on the Domain Admins group, Enterprise Admins group, and any newly created groups that have been granted administrative-level permissions. For this project, you must complete the following tasks: Create an administrative-level role group.
Create a user management role group. Enable and configure auditing for sensitive groups.
Exercise 1: Creating an Administrative-Level Role Group

Scenario
You have been asked to create an Active Directory group named ADRedesign for the Active Directory redesign project team. This group should be created in the Users container and be given full control over all Active Directory objects in the domain. Kenn Sutton and Christine Koch from the IT department should be members of this group. The main tasks for this exercise are as follows: 1. 2. 3. Create the AD Redesign group in the Users container. Place the user accounts for Kenn Sutton and Christine Koch into the ADRedesign group. Delegate full control over all Active Directory objects in the Contoso.com domain to the ADRedesign group.
Task 1: Create the ADRedesign group in the Users container.

1. 2. 3. Switch to the 6433A-NYC-DC1 computer. Open Active Directory Users and Computers. Create a new Global security group in the Users container named ADRedesign.
Task 2: Place the user accounts for Kenn Sutton and Christine Koch into the ADRedesign group.
1. 2. In Active Directory Users and Computers, open the Properties page of the ADRedesign group in the Users container. Add Kern Sutton and Christine Koch as members of the ADRedesign group.
Task 3: Delegate full control over the Contoso.com domain to the ADRedesign group.
1. 2. In Active Directory Users and Computers, start the Delegation of Control Wizard on the Contoso.com domain node. Grant the ADRedesign full control permissions for all objects in the domain.
Results: After completing this exercise, you should have created an administrative-level role group.
Exercise 2: Creating an Account Management Group

Scenario
You have been asked to create an Active Directory group named AcctMgmt, which will be used for delegating account management tasks in the Research OU. You are to assign membership in this group to Ryan Ihrig in the IT department. The main tasks for this exercise are as follows: 1. Create the AcctMgmt group in the Users container.
2. 3.
Place the user account for Ryan Ihrig into the AcctMgmt group. Grant create, delete, and manage user accounts privileges to the AcctMgmt group for the Research OU.
1. 2. 3.
Task 1: Create the AcctMgmt group in the Users container

Switch to the 6433A-NYC-DC1 computer. Open Active Directory Users and Computers. Create a new global security group in the Users container named AcctMgmt.
Task 2: Place the user account for Ryan Ihrig into the AcctMgmt group.
1. 2. In Active Directory Users and Computers, open the Properties page of the AcctMgmt group in the Users container. Add Ryan Ihrig as a member of the AcctMgmt group.
Task 3: Grant create, delete, and manage user accounts privileges to the AcctMgmt group.
1. 2. In Active Directory Users and Computers, start the Delegation of Control Wizard on the Research OU. Grant the AcctMgmt group create, delete, and manage user accounts privileges in the Research OU.
Results: After completing this exercise, you should have created an account management group.
Exercise 3: Enabling and Configuring Auditing for Sensitive Groups

Scenario
You have been asked to enable and configure auditing for the Domain Admins, Enterprise Admins, ADRedesign, and AcctMgmt groups. The main tasks for this exercise are as follows: 1. 2. 3. Enable auditing by using Group Policy. Configure auditing settings for the Domain Admins, Enterprise Admins, ADRedesign, and AcctMgmt groups. Test auditing configuration.
Task 1: Enable auditing by using Group Policy.

1. 2. 3. 4. 5. 6. Open the Group Policy Management console from the Administrative Tools menu. Open the Default Domain Policy in the Group Policy Management Editor. Navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy node. Enable the Audit object access policy setting. Close the Group Policy Management Editor. Close the Group Policy Management Console.
Task 2: Configure auditing settings for the Domain Admins, Enterprise Admins, ADRedesign, and AcctMgmt groups.
1. 2. 3. 4. 5. 6. Enable Advanced Features from the View menu in Active Directory Users and Computers. Right-click the Domain Admins group, and then click Properties. In the Security tab, click the Advanced button to access the Auditing tab. Enable full control auditing for the Authenticated Users group. Close the Properties windows. Repeat steps 1 to 4 for the Enterprise Admins, ADRedesign, and AcctMgmt groups.
Task 3: Test auditing configuration.

1. 2. 3. 4. 5. Open Active Directory Users and Computers. Add Ed Meadows to the ADRedesign group. Close Active Directory Users and Computers. Open Event Viewer and navigate to the Security Log. Check for an Active Directory object access entry for the AdRedesign group.
Results: After completing this exercise, you should have enabled and configured auditing for sensitive groups

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert.
Lab Instructions: Planning Network Addressing and Name Resolution
Module 3
Contents:
Exercise 1: Planning the Deployment of DHCP and DNS Servers Exercise 2: Implementing DNS Exercise 3: Implementing DHCP 3 5 6
Lab: Planning and Implementing DHCP and DNS
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: 5. User name: Administrator Password: Pa$$w0rd Domain: Contoso
Repeat these steps 2 to 4 for 6433A-NYC-SVR2, 6433A-NYC-RTR, and 6433A-NYC-CL2.
Lab Scenario
Contoso, Ltd has created a new regional research team. As a result, branch offices are being fitted out to support the various regional research functions. You are responsible for planning the network infrastructure for these new branch offices. Dylan Miller, the national Research Manager, has been communicating with you about his specific requirements for the regional offices. In addition, Ed Meadows, a colleague in IT, has visited some of the branch offices. For this project, you must complete the following tasks: Plan the deployment of DHCP and DNS servers. Implement DNS in the branch offices.
Implement DHCP in the branch offices. Implement a transition to IPv6 in the branch offices
Exercise 1: Planning the Deployment of DHCP and DNS Servers

Scenario
You must determine how best to deploy network services to support users working in the branch office locations. Ed Meadows has sent you an email message with some additional information about the requirements. Using the information in the supporting documentation (Network Services document), complete the Branch Office Network Infrastructure Plan: The main tasks for this exercise are as follows: 1. 2. 3. Read the supporting documentation. Update the proposal document with your planned course of action. Compare your solution with the one provided in the Lab Answer Key.
Supporting Documentation
Email thread of correspondence with Ed Meadows:
Charlotte Weiss
From: Sent: To: Subject: Charlotte, Ed Meadows [Ed@contoso.com] 24 July 2011 17:00 Charlotte@contoso.com Re: Branch office network services
Answers in line below, Regards, Ed ----- Original Message ----From: Charlotte Weiss [Charlotte@contoso.com] Sent: 24 July 2011 13:30 To: Ed@contoso.com Subject: Branch office network services Ed, I need to think about the infrastructure for the branch offices. Could you answer the following questions? 1. How are IP addresses to be assigned for this region? [Ed] By DHCP 2. Is there anything I should know about the DNS name space for these offices? [Ed] The research computers will be in their own DNS name space, research.contoso.com 3. I have a vague recollection that one of the line-of-business applications that research uses requires NetBIOS. Is that right? [Ed] You're right, Charlotte, they need NetBIOS name resolution in research. Thanks, Charlotte

Read the email and the proposal document. Branch Office Network Infrastructure Plan: Network Services Document Reference Number: CW0711/1 Document Author Date Charlotte Weiss 25th July
Requirements Overview Specify which network services are required in each branch office and any changes that might be required in the head office to facilitate your proposals. Additional Information It is important that any router, server, or communications link failure does not adversely affect users. Branch Office Network Infrastructure Plan: Network Services Proposals 1. 2. 3. 4. 5. 6. 7. How many DHCP servers do you propose to deploy in the region? Where do you propose to deploy these servers? What name resolution services are required? To support the DNS name space in the sales division, how would you propose to configure DNS? Will you require WINS? If so, how many WINS servers will you require for the region? If not, how do you propose to support single-label names?
Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.
Task 3: Compare your solution with the one provided in the Lab Answer Key.
Compare your solution with the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: In this exercise, you planned the placement of DHCP and DNS servers for the Contoso branch offices.
Exercise 2: Implementing DNS

Scenario
In this exercise, you will implement DNS to support the new branch offices. The main tasks for this exercise are as follows: 1. Configure the suffix for NYC-SVR2.
2. 3. 4.
Install the DNS server role on NYC-SVR2. Create the research.contoso.com DNS zone. Create the research.contoso.com delegation.
Task 1: Configure the suffix for NYC-SVR2.

1. 2. 3. 4. Switch to NYC-SVR2. Change the computers primary DNS suffix to research.contoso.com. Restart the computer. When the computer has restarted, log on with the following credentials: User name: Administrator Password: Pa$$w0rd Domain: Contoso
Task 2: Install the DNS server role on NYC-SVR2.

1. 2. Using Server Manager, install the DNS Server role on NYC-SVR2. Close Server Manager.
Task 3: Create the research.contoso.com DNS zone.

1. 2. On NYC-SVR2, open DNS Manager. Create a forward lookup zone with the following properties: Type: Primary zone Name: research.contoso.com Zone file name: default Dynamic update: Allow both nonsecure and secure dynamic updates
Task 4: Create the research.contoso.com delegation.

1. 2. 3. 4. Switch to NYC-DC1. Open DNS Manager. Delete the research subdomain. This is necessary in order to create the delegation. In Contoso.com, create a new delegation with the following properties: Delegated domain name: research Name servers: NYC-SVR2.research.contoso.com IP address 172.16.16.2
Results: In this exercise, you deployed the DNS server to the first branch office.
Exercise 3: Implementing DHCP

Scenario
Contoso, Ltd is deploying DHCP to its branch offices. Fault tolerance is important, and you are tasked with configuring the DHCP services in the head office and branch offices to support the requirements
In this exercise, you will select a suitable DHCP configuration to support the branch office environment. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. Install the DHCP role on NYC-SVR2. Enable DHCP Relay. Create the required scope for branch. Add the branch office scope on NYC-DC1. Configure NYC-CL2 for DHCP.
Task 1: Install the DHCP role on NYC-SVR2.

1. 2. Switch to NYC-SVR2. Open Server Manager and install the DHCP Server role. Accept all defaults during the Add Role wizard, except: DNS settings: 3. Parent domain: research.contoso.com Preferred DNS server IPv4 address: 172.16.16.2 Alternate DNS server IPv4 address: 10.10.0.10
Disable DHCPv6 stateless mode for this server
Close Server Manager.
Task 2: Enable DHCP Relay.

1. 2. 3. Switch to NYC-RTR. Open Routing and Remote Access. Use the following steps to add the DHCP Relay agent to the router: 4. In the navigation pane, expand IPv4, right-click General and then click New Routing Protocol. In the Routing protocols list, click DHCP Relay Agent and then click OK. In the navigation pane, right-click DHCP Relay Agent and then click New Interface. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then click OK. In the DHCP Relay Properties Local Area Connection 2 Properties dialog box, click OK. Repeat these steps for Local Area Connection 3. Right-click DHCP Relay Agent and then click Properties. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 10.10.0.10, click Add, and then click OK.
Close Routing and Remote Access.
Task 3: Create the required scope for branch.

1. Switch to NYC-SVR2 and open the DHCP console.
2. 3.
In DHCP, in the navigation pane, expand nyc-svr2.research.consoto.com, expand IPv4, right-click IPv4, and then click New Scope. Create a new scope with the following properties: Name: Branch Office IP Address range: 172.16.16.4 > 172.16.16.254 Subnet mask: 255.255.255.0 Exclusions: 172.16.16.200 > 172.16.16.254 Other settings use default values Configure options: Router: 172.16.16.1 Parent domain: research.contoso.com DNS servers: 172.16.16.2 and 10.10.0.10 Other settings use default values
Activate scope
Task 4: Add the branch office scope on NYC-DC1.

1. 2. 3. 4. Switch to NYC-DC1. Open DHCP. In DHCP, in the navigation pane, expand nyc-dc1.consoto.com, expand IPv4, right-click IPv4, and then click New Scope. Create a new scope with the following properties: Name: Branch Office Backup Scope IP Address range: 172.16.16.4 > 172.16.16.254 Subnet mask: 255.255.255.0 Exclusions: 172.16.16.4 > 172.16.16.199 Other settings use default values Configure options: Router: 172.16.16.1 Parent domain: research.contoso.com DNS servers: 172.16.16.2 and 10.10.0.10 Other settings use default values
Activate scope
Task 5: Configure NYC-CL2 for DHCP.

1. 2. Switch to NYC-CL2. Reconfigure the Local Area Connection 3:
Configure Internet Protocol Version 4 (TCP/IPv4): Obtain an IP address automatically Obtain DNS server address automatically
3. 4. 5. 6.
Open a command prompt, and answer the following questions: What is the IP address of NYC-CL2? What is the DHCP server IP address? Leave windows open for next (optional) exercise.
Results: In this exercise, you implemented DHCP for the branch offices.
To prepare for the next module.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-SVR2, 6433A-NYC-RTR, and 6433A-NYC-CL2.
Lab Instructions: Planning and Provisioning Active Directory Domain Services
Module 4
Contents:
Exercise 1: Planning an Active Directory Structure Exercise 2: Active Directory Domain Services Backup and Recovery Exercise 3: Configuring Active Directory Recycle Bin 3 5 6
Lab: Planning for Active Directory Domain Services
Lab Setup
Lab Scenario
Contoso, Ltd. has a number of new sales offices in the western region. Allison Brown has asked you to determine the appropriate Active Directory configuration for them, and to document your proposals. Contoso is preparing to migrate to Windows Server 2008 R2 domain controllers. The New York Branch has already migrated and you have been asked to test the backup and restore functionality for the Contoso.com Active Directory Domain Services structure. In addition, you have been asked to raise the forest functional level for the forest and enable the Active Directory Recycle Bin feature for the Contoso.com domain. For this project, you must complete the following tasks: Plan an Active Directory structure.
Backup and restore the Active Directory Domain Services database. Configure the Active Directory Recycle Bin.
Exercise 1: Planning an Active Directory Structure

Scenario
Contoso has a number of new sales offices in the western region. Allison Brown has asked you to determine the appropriate Active Directory configuration for them, and to document your proposals. The main tasks for this exercise are as follows: Read the supporting documentation. Answer the questions in the Branch Office Planning document.
E-mail thread of correspondence with Alan Steiner: Gregory Weber From: Alan Steiner [Alan@Contoso.com] Sent: 24 August 2011 14:02 To: Gregory@Contoso.com Subject: Re: Branch Office Plan Attachments: Sales Office Details.doc Greg, Take a look at the attached document. Get back to me with any questions. I got this from Joe Healy, the sales manager. Alan ----- Original Message ----From: Gregory Weber [Gregory@Contoso.com] Sent: 24 August 2011 13:30 To: Alan@Contoso.com Subject: Branch Office Plan Alan, What can you tell me about these new sales offices? Thanks, Greg
Sales Office Details.doc

In the sales offices, we have a number of line-of-business applications, including a Microsoft SQL Serverbased database. The local sales office updates and replicates back to the head office overnight. The SQL Server database needs access to a directory of customers. In the western region, we have three offices, each with around 100 computers. We have a routed connection back to the head office. Alan Steiner tells me that name resolution is provided by WINS and DNS, as we have a legacy NetBIOS application.
There was some talk of creating a separate name space for sales, such as Sales.Contoso.com, but we have implemented this only as an e-mail domain. The computers are all part of the Contoso.com domain. Weve had some issues in the past with security; we often have members of the public in our sales offices, and consequently, security is a critical factor. We do not always have the option of a secure computer room, and so our laptops are locked to the desks. Servers are often to be found in a closet, or small office. Each branch office consists of a number of subnets; two for hosting the sales staff laptops and another for branch network servers. Branch Office Planning Document Reference Number: GW0809/2 Document Author Date Gregory Weber September 1
Requirement Overview To determine the placement and configuration of domain controllers and related services at the western region sales offices. Additional Information It is important that in the event of a link failure between the head office and branch offices, users are still able to log on to the network and access services. Proposals 1. Do you intend to deploy a domain controller(s) in the branch offices? How many? 2. 3. 4. 5. 6. 7. Will you deploy an RODC(s)? How will you optimize the directory replication for the branches? How will domain controllers determine in which branch they are located? Do you anticipate the need for global catalog services? How will you configure global catalog and DNS? What additional Active Directoryrelated services are required to support the branch office line-ofbusiness applications?

Read the supporting documentation.
Task 2: Update the Branch Office Planning document with your proposals.
Answer the questions in the Branch Office Planning document.
Results: At the end of this exercise, you will have planned an Active Directory Domain Services strategy.
Exercise 2: Active Directory Domain Services Backup and Recovery

Scenario
Contoso, Ltd. is preparing to migrate to Windows Server 2008 R2 domain controllers. The New York Branch has already migrated and you have been asked to test the backup and restore functionality for the Contoso.com Active Directory Domain Services structure. In this exercise, you will select a suitable DHCP configuration to support the branch office environment. The main tasks for this exercise are as follows: 1. 2. 3. 4. Install the Windows Server Backup Feature. Back up the system state on NYC-DC1. Simulate unwanted changes to the Active Directory Domain Services structure. Restore the Active Directory Domain Services database.
Task 1: Install the Windows Server Backup Feature.

1. 2. 3. Switch to NYC-DC1. Open Server Manager. Navigate to the Features node and add the Windows Server Backup feature.
Task 2: Perform a system state backup of NYC-DC1.

1. 2. Open Windows Server Backup. Perform a system state backup, saving the backup to D:\.
Task 3: Simulate unwanted changes to the AD DS structure.

1. 2. 3. Open Active Directory Users and Computers. Delete the IT OU from the Contoso.com domain. Close Active Directory Users and Computers.
Task 4: Restore the AD DS database from backup.

1. 2. 3. 4. 5. On NYC-DC1, open the System Configuration tool (msconfig.exe). On the Boot tab, select Safe Mode with the Active Directory repair option and restart the computer. Log on to NYC-DC1 as NYC-DC1\Administrator, with the password, Pa$$w0rd. Open a command prompt. At the command prompt, type the following and press Enter. This will list the available backups to recover from, on drive D: for NYC-DC1. Record the Version Identifier information.
Wbadmin get versions
6.
At the command prompt, type the following and press Enter. This will restore the system state from the backup to NYC-DC1. Use the version identifier recorded in the previous step, in place of <versionidentifier>.
Wbadmin start systemstaterecovery -version:<versionidentifier>
Note 7. 8. 9.
Type Y and press Enter when prompted. Restore will take approximately 45 minutes
Restart NYC-DC1 when prompted. Log on to NYC-DC1 as Contoso\Administrator, with the password, Pa$$w0rd. Click Start, click Run, and in the Open field, type msconfig, and then press Enter.
10. In the System Configuration window, click the Boot tab. 11. On the Boot tab, clear the check box to deselect Safe boot, and then click OK. 12. In the System Configuration pop-up window, click Restart. The computer will restart. On restart, NYC-DC1 will run Active Directory Domain Services integrity checks to confirm the integrity of the newly restored Active Directory Domain Services database. 13. Log on to NYC-DC1 as NYC-DC1\Administrator, with the password, Pa$$w0rd. 14. Open Active Directory Users and Computers. 15. Confirm that the IT OU has been restored. 16. Close Active Directory Users and Computers. Results: At the end of this exercise, you will have successfully backed up and recovered Active Directory Domain Services.
Exercise 3: Configuring Active Directory Recycle Bin

Scenario
Numerous accidental deletions of Active Directory Domain Services object by regional administrators has led your supervisor to recommend the implementation of the Active Directory Recycle Bin for your forest. You have been asked to raise the forest functional level to Windows Server 2008 R2, enable Active Directory Recycle Bin for Contoso.com and test its functionality to ensure that it is working properly.
Exercise Overview
The main tasks for this exercise are as follows: 1. 2. 3. 4. Raise the forest functional level for Contoso.com. Enable Active Directory Recycle Bin. Create and delete a test object in the Contoso.com domain. Restore the test object from Active Directory Recycle Bin.
Task 1: Raise the forest functional level for Contoso.com.

1. 2. 3. Switch to NYC-DC1. Open the Active Directory Module for Windows PowerShell. Run the following command to raise the forest functional level for Contoso.com.
Set-ADForestMode Identity contoso.com -ForestMode Windows2008R2Forest
Task 2: Enable Active Directory Recycle Bin.

1. Run the following command to enable Active Directory Recycle Bin for Contoso.com.
Enable-ADOptionalFeature Identity CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com Scope ForestOrConfigurationSet Target contoso.com
2.
Close the Active Directory module for Windows PowerShell window.
Task 3: Create and delete a test object in the Contoso.com domain.

1. 2. 3. 4. 5. 6. Open Active Directory Users and Computers Navigate to the IT OU and create a new user account. Assign the new user account a first name and account name of Mary. Assign the new user account a password of Pa$$w0rd. Complete the remaining wizard tasks. In Active Directory Users and Computers, delete the Mary user account.
Task 4: Restore the deleted test object from Active Directory Recycle Bin.
1. 2. Open the Active Directory Module for Windows PowerShell. Run the following command to view objects in Active Directory Recycle Bin with a display name of Mary.
Get-ADObject -Filter {displayName -eq"Mary"} -IncludeDeletedObjects
3.
Run the following command to restore the object located in the previous step.
Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject
4. 5. 6. 7. 8.
Close the Active Directory module for Windows PowerShell window. Open Active Directory Users and Computers. Navigate to the IT OU and confirm that the Mary user account is present. Delete the Mary test account. Close Active Directory Users and Computers.
Results: At the end of this exercise, you will have configured the Active Directory Recycle Bin.

Lab Instructions: Planning Group Policy Strategy
Module 5
Contents:
Exercise 1: Planning Group Policy Exercise 2: Implementing the Proposed GPO Plan 3 4
Lab: Planning and Implementing Group Policy
Lab Setup
Lab Scenario
Ed Meadows has asked you to look at the existing GPO infrastructure with a view to updating it to support the requirements of new branch offices. A list of requirements is provided, and you must consider these requirements and then propose a GPO solution that addresses these requirements. For this project, you must complete the following tasks: Plan group policies for Contoso. Implement the GPOs required by your plan.
Email thread of correspondence with Ed Meadows: Charlotte Weiss
From: Sent: To: Subject: Charlotte,
Ed Meadows [Ed@contoso.com] September 15, 2011 17:30 Charlotte@contoso.com Group policy implementation
Id like you to take the lead on planning our implementation of group policy. At this time, we have only the default GPOs in place for the domain and domain controllers. Here are the requirements: Read and write access to removable drives should be blocked for all office computers, including servers. Because weve upgraded all the computers to Windows 7 and Windows Server 2008 R2, this should be no problem. We must ensure that another GPO does not override this setting. Because of the creation of the three new branch offices for the Research Department, we are hiring a new person to manage those offices. Wed like the new person to be able to manage group policy for those remote offices, but not the head office. Id like to start using group policy preferences for drive mappings, rather than logon scripts. We want the drive letters to be consistent in each location, but the server names will vary in each location. Application installation and updates for the branches will be done by using group policy. In the branch offices, the sales staff and office staff will have different applications. We need to be able to roll applications out one location at a time, during initial deployment. However, later updates can be done for all branches at once. Application installation files should be stored in DFS and replicated to each branch. The computer training lab in the head office should not be subject to the restriction on removable drives. Well be using USB drives to configure these computers for various courses.
At a minimum, I need to you to determine how these can be implemented. As part of your plan, please create an OU structure and define where each group policy will be linked. Let me know if you require any clarification. Ed
Exercise 1: Planning Group Policy

Scenario
In this exercise, you will plan a GPO strategy for Contoso, based on factors and requirements in the supporting documentation. The main tasks for this exercise are as follows: 1. 2. 3. Read the supporting documentation. Update the proposal document with your planned course of action. Compare your solution with the one provided in the Lab Answer Key.

1. 2. Read the email message and the proposal document. Where necessary, review the existing Active Directory Domain Services (AD DS) and Group Policy infrastructure.
Answer the questions in the Contoso Group Policy Plan document. Contoso Group Policy Plan Document Reference Number:CW0911/1 Document Author Date Charlotte Weiss September 16
Requirements Overview Create the AD DS infrastructure required to support GPO deployment. Create GPOs and link them to the containers in AD DS. Configure filtering and loopback processing as required to fine-tune the GPO application. Proposals 1. 2. 3. 4. How will you accommodate the requirement to block access to removable read and write storage devices on office computers, and ensure that this setting cannot be overridden? How do you intend to allow the new user in the branch offices to be able to manage branch office GPOs, but not head office GPOs? How do you propose to support the different application needs of sales and office staff in the branch offices? What changes to your plans must you make to support the training lab requirements?
Compare your solution to the suggested solution in the Lab Answer Key and be prepared to discuss your own solution with the class.
Results: In this exercise, you completed the Contoso Group Policy Plan.
Exercise 2: Implementing the Proposed GPO Plan

Scenario
In this exercise, you will study the finalized Group Policy planning documentation and then implement the plan. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. Study the additional planning documentation. Create the OU structure Create the GPO for enforced security Create the GPO for Branch 1 preferences Create the GPOs for applications Verify application of policies for Branch 1 sales staff You will implement only a portion of the settings.
Task 1: Study the additional planning documentation.

View the organizational unit plan and study the Group Policy Objects table.
GPO Name Enforced Security
Settings Block read and write access to removable drives Drive letter mappings for head office Drive letter mappings for branch 1 Drive letter mappings for branch 2 Drive letter mappings for branch 3 Applications for branch sales staff
Linked to Domain Enforced Head Office
Filters Security filter: Lab computers group denied apply permission None
Head office Preferences Branch 1 Preferences Branch 2 Preferences Branch 3 Preferences Branch Sales Applications
Branch 1
None
Branch 2
None
Branch 3
None
Branch 1 Branch 2 Branch 3 Branch 1 Branch 2 Branch 3
Security filter: Branch Sales Group
Branch Office Applications
Applications for branch office staff
Security filter: Branch Office Group
Task 2: Create the OU structure.

1. 2. 3. Switch to NYC-DC1. Open Active Directory Users and Computers. Create the organizational unit hierarchy as shown in the exhibit.
Task 3: Create the GPO for enforced security.

1. In Active Directory Users and Computers, create the following group: 2. Object type: Security group Name: Lab Computers Location: Contoso.com\Head Office Type and scope: Defaults
Create the following computer object: Object type: Computer Name: Lab1 Location: Contoso.com\Head Office
3. 4. 5.
Add Lab1 to the Lab Computers group. Open Group Policy Management. Create a new GPO with the following properties: Name: Enforced Security Location: Forest: Contoso.com\Domains\Contoso.com
6.
Enable the following settings in the Enforced Security GPO: Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny read access Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access
7. 8. 9.
Close Group Policy Management Editor. Enforce the Enforced Security GPO. Grant the following delegation permissions on the Enforced Security GPO: Lab Computers: Deny Read Lab Computers: Deny Apply group policy
Task 4: Create the GPO for Branch 1 Preferences.

1. Create a new Group Policy object with the following properties: 2. Name: Branch1 Preferences Location: Forest: Contoso.com\Domains\Contoso.com\Group Policy Objects
Edit the new GPO:
Navigate to User Configuration >Preferences> Windows Settings> Drive Maps. Add a new drive map: Location: \\branchsvr1\shared Drive letter: S:
3. 4.
Close the Group Policy Management Editor. Link the new GPO to the Branch1 organizational unit.
Task 5: Create the GPOs for applications.

1. 2. Switch to Active Directory Users and Computers. In Active Directory Users and Computers, create the following group: 3. Object type: Security group Name: Sales Staff Location: Contoso.com\Head Office\Branches Type and scope: Defaults
In Active Directory Users and Computers, create the following group: Object type: Security group Name: Office Staff Location: Contoso.com\Head Office\Branches Type and scope: Defaults
4. 5. 6.
Close Active Directory Users and Computers. Switch to Group Policy Management. Create a new Group Policy object with the following properties: Name: Sales Applications Location: Forest: Contoso.com\Domains\Contoso.com\Group Policy Objects
7.
Create a new Group Policy object with the following properties: Name: Office Applications Location: Forest: Contoso.com\Domains\Contoso.com\Group Policy Objects
8.
Click the Sales Applications GPO. Remove the Authenticated Users object from the Security Filtering list. Add Sales Staff to the Security Filtering list.
9.
Click the Office Applications GPO. Remove the Authenticated Users object from the Security Filtering list. Add Office Staff to the Security Filtering list.
10. Link both policies to the Branch1 organizational unit.
Task 6: Verify application of policies for Branch 1 sales staff.

1. 2. 3. In the Group Policy Management window, in the left pane, click Group Policy Modeling. Start the Group Policy Modeling Wizard. Complete the wizard by using the following settings: 4. Domain Controller Selection page: Default User and Computer Selection page: User information\Container: Branch1 User and Computer Selection page: Computer information\Container: Branch1 Advanced Simulation Options page: Default User Security Groups page: Add the Sales Staff group Skip to the final page.
In the Branch1 on Branch1 area, under Computer Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs. Which policies apply and do not apply, and why? Under User Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs. Which policies apply and do not apply, and why?
5.
Results: In this exercise, you implemented the appropriate group policies for users in Branch 1.

When you finish the lab, revert the virtual machine to its initial state. To do this, complete the following steps: 1. 2. 3. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert.
Lab Instructions: Planning Active Directory Certificate Services
Module 6
Contents:
Exercise 1: Certificate Services Deployment Planning Exercise 2: Stand-Alone Root and Enterprise Subordinate CA Exercise 3: Configure Key Archiving and Recovery Exercise 4: Online Certificate Status Protocol Array
3 4 6 8
Lab: Configuring Certificate Services
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click6433A-NYC-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on by using the following credentials: 5. User name: Administrator Password: Pa$$w0rd Domain: Contoso
Repeat these steps 2 to 4 for 6433A-NYC-SVR1, 6433A-NYC-CA1, and 6433A-NYC-CL1. For NYCCA1, log on as Administrator with the password of Pa$$w0rd.
Lab Scenario
Contoso has a head office site located in Melbourne, Australia and state branch offices located in Sydney, Perth, Adelaide, and Hobart. Contoso requires the deployment of two certificate servers. One certificate server will be placed on the perimeter network and will be used to issue certificates to partners and third parties. The second certificate server will be deployed on the internal network and will be the primary point for the distribution of organizational certificates. You will configure this CA to support key archiving and recovery. You will also configure this CA to support an OCSP array. For this project, you must complete the following tasks:
Plan a suitable deployment Certificate Services deployment for Contoso. Configure a stand-alone root and enterprise subordinate CA Configure Key Archiving and recovery. Configure an Online Certificate Status Protocol array.
Exercise 1: Certificate Services Deployment Planning

Task 1: Read the Contoso Certificate Services Deployment Plan document.
1. Read the Contoso Certificate Services Deployment Plan. Contoso Name Resolution Plan Document Reference Number: GW1203/1 Document Author Date Sam Abolrous 26 January
Requirements Overview
1.
Contoso Australia wants to use Active Directory Certificate Services to deploy certificates to support the following certificate types: Computer certificates for SSL and TLS and DirectAccess Encrypting File System certificates BitLocker and EFS Data Recovery Agents Key Recovery Agent certificates
2. Contoso Australias head office location is in Melbourne Australia. There are branch offices in the state capital cities of Sydney, Adelaide, Perth, and Hobart. 3. Your design needs to ensure that certificates can be renewed in the event of a WAN failure. 4. Your design needs to ensure that revocation checks can occur in the event of a WAN failure. 5. Your design should minimize the impact that revocation checks have on network utilization. 6. The root Certification Authority should be made as secure as possible.
Task 2: Update the Visio diagram, placing AD CS servers at each site.

1. 2. On NYC-CL1, open the Visio diagram that represents the Contoso Australia network. You can find this document located on NYC-CL1 in the D:\Labfiles\Mod05 folder. Copy items representing each type of the Active Directory Certificate Services component type to each site. You may need to use the same item in more than one location, and you may need to deploy multiple items to the same location.
Task 3: Discuss your AD CS deployment plan.

1. Discuss your solutions with the class including the impact that Certificate Services configuration decisions, such as whether certificate renewal and CRL checks can occur when the WAN link is down. Consider the following answers to the questions posed in the student handbook: What sort of Root CA should you deploy to ensure maximum security? What type of issuing CAs should you deploy and where should you deploy them to ensure that certificates can be renewed if WAN links are down? What steps could you take to reduce certificate revocation checking traffic? How can you ensure that certificate revocation checks for any certificate issued at any branch site can be resolved locally?
Results: In this exercise, you planned an appropriate certificate services configuration for Contoso.
Exercise 2: Stand-Alone Root and Enterprise Subordinate CA

In this exercise, you will configure a stand-alone root CA and publish the CA certificate to Active Directory. You will also install enterprise subordinate CA that will be subordinate to the enterprise root CA installed on NYC-DC1.
Task 1: Install Stand-alone Root CA.

In this task, you will install a stand-alone root CA and then publish the CAs certificate to Active Directory. 1. 2. Switch to NYC-SVR1. Open an elevated command prompt and enter the following commands, pressing Enter after each command:
Mkdir c:\CERTS Net share CERTS=c:\CERTS /grant:everyone,change
3. 4. 5. 6. 7. 8. 9.
Close the command prompt. Switch to NYC-CA1. Click Start, right-click Computer, and then click Properties. Click Advancedsystem settings and click Computer Name. Click Change and then click More. In the Primary DNS suffix of this computer dialog box, type contoso.com. Close the dialog box and restart the computer.
10. When the server restarts, log on as Administrator with the password Pa$$w0rd. 11. Open Server Manager, and then click Add Roles. . 12. On the Select Server Roles page, select the Active Directory Certificate Services check box, and click Next twice 13. On the Select Role Services page, and select the Certification Authority and Certification Authority Web Enrollment check boxes. 14. When prompted, click Add Required Role Services.
15. On the Specify Setup Type page, click Stand-alone. 16. On the Specify CA Type page, ensure that Root CA is selected. 17. On the Set Up Private Key page, ensure that Create a new private key is selected. 18. On the Configure Cryptography for CA page, set the Key character length to 4096. 19. On the Configure CA Name page, click Next. 20. On the Set Validity Period page, set the validity to 6 years, and then click Next five times. 21. On the Confirm Installation Selections page, click Install. Close the wizard when it completes. 22. Open the Certification Authority console. 23. Expand contoso-NYC-CA1-CA,right-click the Revoked Certificates node, click All Tasks, and then click Publish. On the Publish CRL page, click OK. 24. Open an elevated command prompt and issue the following command and press Enter.
Copy c:\windows\system32\certsrv\certenroll\*.* \\nyc-svr1\certs
25. Switch to NYC-DC1 26. Open an elevated command prompt and issue the following command, pressing Enter at the end of each line:
Dnscmd /recordadd contoso.com nyc-ca1 A 10.10.0.20 Certutil -dspublish -f \\nyc-svr1\certs\NYC-CA1.contoso.com_contoso-NYC-CA1-CA.crt
Note This will publish the stand-alone root CAs root certificate to the enterprise root store in Active Directory.
Task 2: Install Enterprise Subordinate CA.

In this task, you will configure an Enterprise Subordinate CA. This CA will be a subordinate of the Enterprise Root CA installed on NYC-DC1. 1. 2. Switch to NYC-SVR1. Open an elevated command prompt and run the following command
gpupdate /force
3. 4. 5. 6. 7. 8.
Open the Server Manager console, click Roles, click Add Roles and then click Next. On the Select Server Roles page, select Active Directory Certificate Services, and then click Next three times. On the Specify Setup Type page, select Enterprise, and then click Next. On the Specify CA Type page, select Subordinate CA, and then click Next. On the Set Up Private Key page, select Create a new private key, and then click Next three times. On the Request Certificate From a Parent CA page, click Browse, and then click ContosoCA. Click OK, click Next twice, and then click Install.
9.
When the installation completes, click Close.
Results: In this exercise, you installed both a Stand-alone Root and an EnterpriseSubordinate CA.
Exercise 3: Configure Key Archiving and Recovery

In this exercise, you will create an advanced EFS certificate template and configure that template for key archiving. You will then issue a certificate from this template and then perform recovery on the key.
Task 1: Configure a Key Recovery Agent.

In this task, you will configure a key recovery agent by configuring a CA to issue key recovery agent certificates, enrolling a user in that certificate, and then configuring the CA to use the certificate for key recovery. 1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, open the Certification Authority console. Expand Contoso-NYC-SVR1-CA, right-click the Certificate Templates node, click Manage. Right-click the Key Recovery Agent template, and click Properties. Ensure that Publish certificate in Active Directory is selected, and then click OK. Close the Certificate Templates Console. In the Certification Authority console, right-click the Certificate Templates node, click New, and then click Certificate Template to Issue. Select the Key Recovery Agent template, and then click OK. Create a custom MMC with the Certificates Snap-In set to focus on Myuser account. Expand Certificates, right-click Personal, click All Tasks, and then click Request New Certificate. Enroll in the Key Recovery Agent certificate.
10. In the Certification Authority console, click Pending Requests. Issue the certificate. 11. Right-click Contoso-NYC-SVR1-CA and then click Properties. 12. On the Recovery Agents tab, select Archive the Key, and then click Add. 13. On the Key Recovery Agent Selection dialog box, click OK. Click Apply. Note If no Key Recovery Agent is present, open an elevated command prompt and issue the command certutil -pulse and reopen the CA properties dialog box. 14. Restart Active Directory Certificate Services. 15. Click the Issued Certificates node. Right-click the listed certificate, click All Tasks, and then click Export Binary Data. 16. Select Save binary data to a file and save the file as Recovery_Agent.cer to the Desktop 17. In the Certificates console, right-click the Personal node, click All Tasks, and then click Import. 18. Select Recovery_Agent.cer on the Desktop and then click Open. Click OK.
Task 2: Configure a new Certificate Template that can be Archived.

In this task, you will configure a new certificate template so that certificates issued from the template will automatically be archived. 1. 2. 3. 4. 5. 6. 7. 8. On NYC-SVR1, right-click the Certificate Templates node in the Certification Authority Console, and then click Manage. Duplicate the Basic EFS certificate template. On the Duplicate Template dialog box, click Windows Server 2008 Enterprise, and click OK. In the Properties of New Template dialog box, set the Template display name to Advanced EFS. On the Request Handling tab, click Archive subjects encryption private key. On the Superseded Templates tab, add Basic EFS. Click OK to close the Properties of New Template dialog box. In the Certification Authority console, right-click the Certificate Templates node, click New, and then click Certificate Template To Issue. Click Advanced EFS, and then click OK.
Task 3: Issue, delete, and recover a certificate.

In this task, you will issue a certificate, delete that certificate, and then recover the certificate 1. 2. 3. 4. 5. 6. 7. 8. On MMC that has the Certificates - Current User Snap-In, right-click Personal, click All Tasks, and click Request New Certificate, and then click Next twice. Select Advanced EFS and then click Enroll. Click Finish. In MMC that has Certificates - Current User Snap-In, expand the Personal\Certificates node. Double-click the Encrypting File System certificate. On the Details tab, make note of the certificate serial number. Close the Properties dialog box. Delete the certificate. Review the warning about being unable to decrypt data, and then click Yes. In the Certification Authority console, select the Issued Certificates node, double-click the Advanced EFS certificate that was issued. On the Details tab, verify that the serial number matches the serial number you made a note of in Step 5. Note Looking through the list of issued certificates is the easiest way to determine the serial number of the certificate you wish to recover. 9. Open an elevated command prompt and change to the c:\certs directory.
10. Issue the command CertUtil -GetKey SearchToken EFSKEY.cer where SearchToken is the certificate serial number that you made note of in step 14. Note Do not put any spaces in the serial number when recovering the private key.
11. In the MMC that has Certificates - Current User Snap-In, right-click the Personal\Certificates node, click All Tasks, click Import, and then click Next.
12. Click Browse and navigate to c:\certs\EFSKEY.cer, and then click Next twice, and click Finish. Then, click OK. Results: In this exercise, you configured a Key RecoveryAgent, configured a certificate template so that private keys are archived and performed a private key recover.
Exercise 4: Online Certificate Status Protocol Array

In this exercise, you will configure an online responder for the enterprise subordinate CA.
Task 1: Install OCSP and configure an OCSP Response Signing template.

1. 2. 3. 4. 5. 6. 7. On NYC-SVR1, open Server Manager, right-click Roles\Active Directory Certificate Services, and click Add Role Services. Click Online Responder and then click Add Required Role Services. Install this role service. Open the Certification Authority Console, expand Contoso-NYC-SVR1-CA,right-click the Certificate Templates node, and then click Manage. Duplicate the OCSP Response Signing template. Set the Template display name to Advanced OCSP Response Signing and check the Publish certificate in Active Directory option. On the Security tab add NYC-SVR1 and assign the Read, Enroll, and Auto enroll permissions Click OK to close the Properties dialog box and then close the Certificate Templates Console.
Task 2: Configure the CA to use the Online Responder.

1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, switch to the Certification Authority console. Right-click Contoso-NYC-SVR1-CA, and then click Properties. On the Extensions tab, under Select extension, select Authority Information Access (AIA), and click Add. In the Location textbox, enter http://nyc-svr1/ocsp, and then click OK. With http://nyc-svr1/ocsp selected, check the Include in the online certificate status protocol (OCSP) extension option, and click OK. Restart Active Directory Certificate Services. Right-click the Certificate Templates node, click New, and then click Certificate Template to Issue. Click Advanced OCSP Response Signing. Create a custom MMC with the Certificates Snap-In loaded and the Local Computer in focus.
10. Right-click the Personal\Certificates node, click All Tasks, and click Request New Certificate. 11. Enroll in the Advanced OCSP Response Signing certificate. 12. Expand Certificates (Local Computer), expand Personal, and then click Certificates. Right-click the new certificate, click All Tasks, and click Manage Private Keys. 13. On the Security tab, click Add. Enter Network Service. Assign Full control permission.
Task 3: Create a revocation configuration.

1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, open the Online Responder Management console from the Administrative Tools menu. Right-click Revocation Configuration, click Add Revocation Configuration, and then click Next. On the Name the Revocation Configuration page, enter NYC-SVR1.Click Next. On the Select CA Certificate Location page, select the Select a certificate for an Existing enterprise CA option, and click next. On the Choose CA Certificate page, select Browse CA certificates published in Active Directory, and click Browse. Click Contoso-NYC-SVR1-CA and then click OK. Click Next. On the Select Signing Certificate page, ensure that Automatically select a signing certificate and Auto-Enroll for an OCSP signing certificate are selected and click Next. On the Revocation Provider page, click Finish. Verify that the Revocation Configuration Status is set to Working.
Task 4: Verify revocation configuration.

1. 2. 3. On the MMC that has the Certificates - Current User Snap-In, right-click Personal, click All Tasks, and click Request New Certificate.(Be sure to use the Current User snap-in). Enroll in an Administrator certificate In the MMC that has the Certificates - Current User Snap-In, expand the Personal\Certificates node and verify that a certificate is present for the purpose of Microsoft Trust List Signing, Encrypting File System, Secure E-mail, Client Authentication. Make a note of the certificate serial number and then close the Certificate dialog box. On the Certification Authority console, revoke the Administrator certificate that was just issued. On the Certificate Revocation dialog box, set the Reason Code to Change of Affiliation and then click Yes. Publish a new CRL. Using the Certificates - Current User Snap-In, export the certificate in DER Encoded Binary X.509 (.CER) format to C:\Certs\Admin.cer. Do not export the private key. Open an elevated command prompt and issue the following command:
4. 5. 6. 7. 8. 9.
Certutil -url c:\certs\admin.cer
10. On the URL Retrieval Tool ensure that OCSP (from AIA) is selected and then click Retrieve. 11. Click Exit to close the URL Retrieval Tool. Note As all these actions are occurring quickly, the OCSP, while present, may not have picked up the revoked status of the certificate.
10
Results: In this exercise, you configured an online responder array that can respond to CRL checks for certificates issued by the enterprise subordinate CA.
Preparing for the Next Module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-SVR1,6433A-NYC-CA1 and 6433A-NYC-CL16433A6433A.
Lab Instructions: Planning and Provisioning Application Servers
Module 7
Contents:
Exercise 1: Planning Application Deployment Exercise 2: Configuring Group Policy Settings for Remote Desktop Policies Exercise 3: Installing and Configuring a Remote Desktop Gateway
3 5 6
Lab: Planning and Provisioning Application Servers
Lab Setup
Repeat these steps 2 to 4 for 6433A-NYC-SVR1.
Lab Scenario
You have been tasked with making changes to Contoso, Ltds application server infrastructure to accommodate the recent Windows Server 2008 migration. All application servers have been upgraded to Windows Server 2008 R2. Your supervisor, Ed Meadows, has sent you an e-mail containing a new request for an application deployment for the Marketing department. Ed would like you to review the request and provide a recommendation for deploying the application. Finally, you are to create a Group Policy object containing settings for the soon-to-beimplemented CRM application As well, you have been asked to provide connectivity for outside users via Remote Desktop Gateway. For this project, you must complete the following tasks:
Plan the deployment of an application Configure Group Policy settings for Remote Desktop Services Install and Configure Remote Desktop Gateway.
Exercise 1: Planning Application Deployment

Scenario
You have been provided with information regarding a new Customer Relationship Management (CRM) application that the Marketing department will be using to manage the Contoso, Ltds client information database nationwide. Using the information in the supporting documentation, complete the Application Deployment Plan document. The main tasks for this exercise are as follows: 1. 2. 3. Read the supporting documentation Update the proposal document with your planned course of action Compare your solution with the one provided in the Lab Answer Key
E-mail thread of correspondence with Ed Meadows: Charlotte Weiss From: Ed Meadows [Ed@contoso.com] Sent: 25 July 2011 17:00 To: Charlotte@contoso.com Subject: FW: New CRM program Charlotte, Here are the details Ive received from Adam Carter, our national marketing manager regarding their CRM app deployment - the details look pretty complete. From what Adam says in his email, it looks like this will be nationwide all locations. I also want to remind you that we have several of the quad processor servers left over from the Hyper-V implementation that can be allocated to this project if necessary, let me know if you need anything else. Regards, Ed ----- Original Message ----From: Adam Carter [Adam@contoso.com] Sent: 24 July 2011 13:30 To: Ed@contoso.com Subject: New CRM program Ed, Here is what I can tell you so far about the new CRM program.
We will be using this program in all of our branch offices nation-wide to maintain client information. Our branch office staff will all need access to the program as they all handle sales. Most of our Marketing staff share two or three computers out on the floor. These will need to have the program loaded as well. There is a database server component that comes with the software. The program needs to be able to access the database in order to run properly. The plan right now is to put the database server in New York. This application will be a critical part of our Marketing plan nationwide and it has to be available during business hours. Adam

Read the email and the proposal document. Application Deployment Plan Document Reference Number: CW0813/1 Document Author Date Charlotte Weiss 29th July
Requirements Overview Determine the appropriate application delivery method to use for the Marketing departments new CRM application. Application Deployment Plan Proposals 1. What type of application configuration should be used for the CRM application? Answer: Remote Desktop Session Host presentation virtualization should be used for this implementation. Due to the spread-out nature of the users and the specific requirements of the application, this method will provide the best performance and scalability for the application while requiring relatively few new resources. 2. Where should the application host servers be located within Contoso, Ltds branch network? Answer: The application servers should be hosted in New York, where the database server is located. A large amount of network bandwidth will be required between the application servers and the database server. 3. How can the application deployment be implemented to handle the current user load and easily scale to accommodate user growth? Answer: A server farm should be created in the New York location. The Remote Desktop Connection Broker service should be installed to implement application load balancing for the farm. 4. How should the application deployment integrate with the server component of the CRM application? Answer: The applications running on the RD Session Host farm group members should be configured to connect to the CRM database server over the network. Adequate network configuration should be implemented between RD Session Host servers and the database server in
Application Deployment Plan order to avoid negatively impacting the applications performance. 5. What potential issues could arise with the current configuration? How could these issues be rectified? Answer: There is currently only one RD Connection Broker in the deployment. Failure of this server would result in the temporary unavailability of the RD Session Host servers. This could be rectified by configuring the RD Connection Broker server as a member of a failover cluster.
Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.
Results: In this exercise, you planned application deployment.
Exercise 2: Configuring Group Policy Settings for Remote Desktop Policies

Scenario
You have been asked to prepare the environment for the new Remote Desktop Services deployment by configuring a new OU within the Marketing OU named CRMAppServers. You have been asked to configure Group Policy settings for that OU so that Remote Desktop sessions are terminated if they have been disconnected for more than 5 minutes. The main tasks for this exercise are as follows: 1. 2. 3. Create a CRMAppServers OU within the Marketing OU in the Contoso.com domain. Create a Group Policy Object called AppServerPolicy and link it to the CRMAppServers OU. Edit the AppServerPolicy GPO to terminate user sessions if they are disconnected for more than 5 minutes.
Task 1: Create the CRMAppServers Organizational Unit

1. 2. 3. Switch to NYC-DC1. Open the Group Policy Management Console. Browse to the Contoso.com\Marketing OU and create an OU name CRMAppServers OU inside of it.
Task 2: Create a Group Policy Object called AppServerPolicy and link it to the CRMAppServers OU
1. 2. 3. On NYC-DC1, in the Group Policy Management Console, create a new GPO named CRMAppPolicy. Drag the CRMAppPolicy from the Group Policy Objects node onto the CRMAppServers node. Ensure that the GPO is linked.
Task 3: Edit the AppServerPolicy GPO

1. On NYC-DC1, in the Group Policy Management Console, edit the CRMAppPolicy GPO.
2.
In the GPMC Editor window, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session time limits. Enable the Set time limit for disconnected sessions setting and configure it for 5 minutes. Close the Group Policy Management Editor window, close the Group Policy Management console window.
3. 4.
Results: In this exercise, you will have configured remote desktop policies.
Exercise 3: Installing and Configuring a Remote Desktop Gateway

Scenario
To enable users outside the corporate network to access applications running on RD Session Host computers securely, you need to implement an RD Gateway server. The main tasks for this exercise are: 1. 2. 3. 4. 5. 6. 7. Enable Remote Desktop on NYC-SVR1. Configure Network Settings on NYC-SVR2. Install the Remote Desktop Gateway role service on NYC-SVR2. Export the certificate for Remote Desktop Gateway. Run the Remote Desktop Services Best Practices Analyzer (RDS BPA). Import the certificate on a client computer. Verify the Remote Desktop Gateway functionality.
Task 1: Enable Remote Desktop on NYC-SVR1.

1. 2. 3. 4. 5. Switch to the 6433A-NYC-SVR1 virtual machine On NYC-SVR1, open Server Manager. In the Server Manager window, click Configure Remote Desktop. Select Network Level Authentication mode and add the Contoso\IT and Contoso\Production groups as Allowed Users. Close System Properties and Server Manager.
Task 1: Configure Network Settings on NYC-SVR2.

1. 2. 3. 4. 5. 6. 7. 8. In Hyper-V Manager, right-click on 6433A-NYC-SVR2 and then click Settings. In the Settings for 6433A-NYC-SVR2 window, click on Network Adapter in the left-hand pane. In the right hand pane, click the drop-down menu under Network and select Private Network. Close the settings window. Connect to 6433A-NYC-SVR2, and log on as Contoso\Administrator. Open the network connection properties for Local Area Connection 2. Change the IP address field to 10.10.0.60. Change the Subnet mask field to 255.255.0.0.
9.
Change the Default gateway field to 10.10.0.10.
10. Close the Network Connections window.
Task 2: Install the Remote Desktop Gateway role service.

1. 2. 3. 4. 5. 6. On NYC-SVR2, log on as Contoso\Administrator using the password Pa$$w0rd. Install the Remote Desktop Gateway role service through Server Manager. Install any additional required roles and features. Use a Self-Signed Certificate. Create a RD CAP named TS_CAP_01 that enables the Administrators, information technology (IT), and Production groups to access RDS applications through RD Gateway. Create an RD CAP named TS_RAP_01 that enables access to all computers that are running Remote Desktop.
Task 3: Export the certificate for Remote Desktop Gateway.

1. 2. 3. 4. On NYC-SVR2, open a management console, and load the Certificates snap-in focused on the local computer. Export the certificate that was created during the RD Gateway installation. Save the certificate using the file name c:\CertExport.cer. Close the console without saving changes.
Task 4: Run the Remote Desktop Services Best Practices Analyzer.

1. 2. 3. On NYC-SVR2, in Server Manager, run Best Practices Analyzer for the Remote Desktop Services server role. Review the error and warming messages. Access RD Gateway Manager, and review the properties for NYC-SVR2. Verify that a certificate has been assigned to the server.
Task 5: Import the certificate on a client computer.

1. 2. 3. On NYC-CL1, open a management console, and load the Certificates snap-in focused on the local computer. Import the \\NYC-SVR2\c$\certexport.cer certificate file into the Trusted Root Certification Authority folder in the Certificates console. Close the console without saving changes.
Task 6: Verify the Remote Desktop Gateway functionality.

1. 2. 3. 4. On NYC-CLI, open the Remote Desktop Connection application. Access the application options, access the Advanced tab, and then click Settings. On the Advanced tab, click Settings. Configure the client with the following settings: Server name: NYC-SVR2.contoso.com Logon method: Allow me to select later
5. 6. 7.
Bypass RD Gateway server for local addresses: Clear check box
Connect to NYC-SVR1, and log on as Contoso\Andrea. Verify that you can connect to NYC-SVR1 through the Remote Desktop Gateway. Log off NYC-SVR1.
Results: In this exercise, you deployed and configured the Remote Desktop Gateway role service and verified the RD Gateway functionality.
Lab Instructions: Planning File and Print Services
Module 8
Contents:
Exercise 1: Planning File Services Exercise 2: Implementing File Services in the Branch Office Exercise 3: Implementing Print Services in the Branch Office 3 5 7
Lab: Planning and Implementing File and Print Services
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6433A-NYC-DC1,and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on by using the following credentials: 5. User name: Administrator Password: Pa$$w0rd Domain: Contoso
Repeat these steps 2 to 4 for 6433A-NYC-RTR, 6433A-NYC-SVR2, and 6433A-NYC-CL2.
Lab Scenario
Ed Meadows has asked you to deploy file and print services at the new branch offices. You have decided to test the deployment with branch 1. Your tasks are to plan the deployment, and then implement both file and print services at the branch. For this project, you must complete the following tasks: Plan the deployment of file and print services. Implement file services in the branch office. Implement print services in the branch office.
Supporting Documentation:
E-mail thread of correspondence with Ed Meadows:
Charlotte Weiss
From: Sent: To: Subject: Charlotte, Thanks for agreeing to head up this deployment. Ive drawn up a list of requirements for the file and print services at the first branch. Although these offices are all new, the departments based there are moving their existing server infrastructure across to the new locations. Here are the initial requirements: The marketing team has an application that stores data files at a local file server. Someone in the team then manually copies these files to a central location where they can be consolidated. We need to automate this process. There are three departments in each branch: marketing, research, and production. We need a data folder for each department. Each user account requires a home folder for personal files. Well use GPO to configure folder redirection for documents to this personal location. Users require standardized desktop settings. Well use GPO to create a folder redirection, but we need the folders that will store these desktop settings and start menus. I think the best approach is to use advanced folder redirection based on security group membership. The production team has a UNIX application. We need to host these files on the branch server. We will migrate the application to Win32 later. Theres an old Windows 2000 file server in the research department. I think we should take the opportunity to migrate the data from that. We need to implement printer locations and publish all printers in AD DS to ensure that visiting users to each branch can quickly locate the nearest printer. Storage is limited at the branch, and the department heads are happy to apportion the cost of storage, based upon departmental usage. Weve had some problems with storage being consumed by large media files. We need to resolve this issue at this new branch before it goes the same way as the head office servers. Ed Meadows [Ed@contoso.com] 22 October 2011 12:30 Charlotte@contoso.com File and print services in the branches
Exercise 1: Planning File Services

Scenario
In this exercise, you will plan a suitable file and print strategy for Contoso. The main tasks for this exercise are as follows: 1. Read the supporting documentation.
2. 3.
Update the Branch Offices File and Print Service Deployment Plan document with your planned course of action. Compare your solution to the one provided in the Lab Answer Key.

Read the email and the proposal document.
Answer the questions in the Branch Offices File and Print Service Deployment Plan document. Branch Offices File and Print Service Deployment Plan Document Reference Number:CW0111/1 Document Author Date Charlotte Weiss 1st November
Requirements Overview Implement file and print services in the branch offices. Migrate data from legacy systems running UNIX and Windows 2000 Server. Support the data storage needs of the three departments at the branch offices, including: Home folders for each user. Departmental shared folders. Folders to store departmental Start Menu and Desktop settings. Automatic consolidation of marketing team data to central location each evening. Deploy print services to support the branch users. Proposals 1. 2. 3. 4. 5. 6. 7. 8. Which file services role service will you deploy to support the needs of the branch office users? Which folder structure do you envisage to support the needs of the branch offices? Which folder permissions do you envisage configuring on these folders? Which shared folders will be required for the branch offices? Which permissions will you configure on these folders? What must you consider when planning to migrate files from the Windows 2000 Server? How will you meet the needs of department heads to determine storage usage? How will you restrict file types that can be stored on the new server?
Task 3: Compare your solution to the one provided in the Lab Answer Key.
Results: At the end of this exercise, you will have planned the file and print services deployment for the branch offices.
Exercise 2: Implementing File Services in the Branch Office

Scenario
In this exercise, you will implement the required file services in the branch office. The main tasks for this exercise are as follows: Install the File Services role. Create the required folders. Enable file and printer sharing and network discovery. Share and secure the marketing data folder. Share and secure the production data folder. Share and secure the research data folder. Share and secure the user data folder. Create the user personal folders. Configure quotas. Implement file screens.
Task 1: Install the File Services role.

1. 2. On NYC-SVR2, open Server Manager. Add the File Services role: Install the File Server Resource Manager role service. Enable Storage Usage Monitoring on Local Disk (C:).
Task 2: Create the required folders.

1. Open Windows Explorer and create the following folders: C:\User Data C:\Departmental Data C:\Departmental Data\Marketing C:\Departmental Data\Production C:\DepartmentalData\Research
Task 3: Enable file and printer sharing, and network discovery.

1. 2. 3. 4. Open Network and Sharing Center. Turn on network discovery. Turn on file and print sharing. Close Network and Sharing Center.
Task 4: Share and secure the marketing data folder.

1. Share the C:\Departmental Data\Marketing folder:
Share name: Marketing Share permissions: Everyone Allow Full Control Local NTFS security permissions: Remove Users permissions. Grant Contoso\Marketing Allow Modify permissions.
Task 5: Share and secure the production data folder.

1. Share the C:\Departmental Data\Production folder: Share name: Production Share permissions: Everyone Allow Full Control Local NTFS security permissions: Remove Users permissions. Grant Contoso\Production Allow Modify permissions.
Task 6: Share and secure the research data folder.

1. Share the C:\Departmental Data\Research folder: Share name: Research Share permissions: Everyone Allow Full Control Local NTFS security permissions: Remove Users permissions. Grant Contoso\Research Allow Modify permissions.
Task 7: Share and secure the user data folder.

1. Share the C:\User Data folder: Share name: Users Share permissions: Everyone Allow Full Control Local NTFS security permissions: Clear Include inheritable permissions from this objects parent and then Add the existing inheritable permissions as explicit permissions.
Task 8: Create the user personal folders.

1. 2. 3. Switch to NYC-DC1. Open Active Directory Users and Computers. For all users in the Marketing, Production, and Research organizational units, modify the Home Folder property: 4. Connect: H: To: \\NYC-SVR2\Users\%username%
Switch to NYC-SVR2 and verify the creation of these new folders.
5.
Close all open windows.
Task 9: Configure quotas.

1. 2. Open File Server Resource Manager. Create a quota for the C:\Departmental Data folder: Auto apply template and create quotas on existing and new subfolders. Derive properties from this quota template (recommended): Monitor 500 MB Share.
Task 10: Implement file screens.

1. Create a file screen for C:\Departmental Data: 2. Derive properties from this file screen template (recommended): Block Audio and Video Files.
Create a file screen for C:\User Data: Derive properties from this file screen template (recommended): Block Audio and Video Files.
3. 4. 5.
In the navigation pane, right-click File Server Resource Manager (Local). and then click Configure Options. On the File ScreenAudit tab enable Record file screening activity in the auditing database. Close File Server Resource Manager.
Results: At the end of this exercise, you will have implemented elements of the branch office file services.
Exercise 3: Implementing Print Services in the Branch Office

Scenario
In this exercise, you will implement the print services for the branch office. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. Install the Print and Document Services role. Configure locations for the enterprise. Configure GPO settings for printing. Create a shared printer. Configure the printer. Test the printer settings.
Task 1: Install the Print and Document Services role.

1. 2. 3. On NYC-SVR2, open Server Manager. Add the Print and Document Services role. Close Server Manager.
Task 2: Configure locations for the enterprise.

1. 2. Switch to NYC-DC1. Open Active Directory Sites and Services.
3.
Create a new subnet: Prefix: 172.16.16.0/24 Site: Default-First-Site-Name Note We are using the Default-First-Site-Name here because we do not have domain controllers in the branches to support separate sites.
4. 5. 6.
Modify the Location string for the subnet: Contoso/New York/Branch Offices/Branch 1 Modify the location string for the Default-First-Site-Name site: Contoso/New York/Branch Offices Close Active Directory Sites and Services.
Task 3: Configure the GPO settings for printing.

1. 2. 3. Open Group Policy Management. Edit the Default Domain Policy. Enable the following value: 4. 5. Computer Configuration > Policies > Administrative Templates > Printers > Pre-populate printer search location text
Close Group Policy Management Editor. Close Group Policy Management.
Task 4: Create a shared printer.

1. 2. Switch to NYC-SVR2. Add a new printer: Type of printer: Local printer Printer port: default Type: HP Color LaserJet 2700 Series PCL6 Name: Research Color Laser Location: Contoso/New York/Branch Offices/Branch 1/Main Office
Task 5: Configure the printer.

1. Change the security settings: Remove the Everyone group and Grant the Research group the Allow Print permission. List the printer in the directory.
Task 6: Test the printer settings.

1. 2. 3. 4. Switch to NYC-CL2. Refresh the Group Policy. Log off from NYC-CL2. Log on with the following credentials:
5.
User name: Dylan Password: Pa$$w0rd Domain: CONTOSO
Add a new printer: On the What type of printer do you want to install page, click Add a network, wireless or Bluetooth printer. The Research Color Laser is listed.
6.
Close all open windows.
Results: At the end of this exercise, you will have configured the branch office printing environment.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 6433A-NYC-RTR, 6433A-NYC-SVR2, and 6433A-NYC-CL2.
Lab Instructions: Planning Network Access
Module 9
Contents:
Exercise 1: Planning Network Access Exercise 2: Implementing Network Access 3 4
Lab: Planning and Implementing Network Access
Lab Setup
Repeat these steps 2 to 4 for 6433A-NYC-EDGE1 and 6433A-NYC-CL1.
Lab Scenario
Contoso has created a new regional research team. As a result, branch offices have been fitted out to support the various regional research functions. You were responsible for planning and implementing the network infrastructure for the branch offices. Dylan Miller, the national Research Manager, has been in contact regarding the need for Research staff to work from home. They still require access to resources both in their branches and the head office. Ed Meadows, a colleague in IT, has just returned from some of the branch offices after conducting a needs analysis with the users and management team.
You need to consider the information resulting from this needs analysis and then determine the appropriate remote network access solution for the branch office users. Next, you must implement a part of the plan. For this project, you must complete the following tasks: Plan network access for branch office users. Implement the network access plan.
E-mail thread of correspondence with Ed Meadows:
Charlotte Weiss
From: Sent: To: Subject: Charlotte, Ive just got back from the branch offices tour. I chatted to various users and to the Research manager, Dylan Miller. Here are my findings: The users need access to all servers to which they usually connect, both in the head office and their branches. Most users work from home, but some work from customer site and from wireless hotspots. Although we provide research workers with laptops, some use their own desktop computers from home. Dylan has stressed that due to the sensitive nature of the work that his staff undertake, security of data in transit is important. Ed Meadows [Ed@contoso.com] 5 November 2011 14:27 Charlotte@contoso.com Branch Office Network Access
From a technical standpoint, Ive had a few thoughts: Just a reminder, we have deferred the IPv6 rollout, so there is currently no IPv6 at the branches or the head office. All client computers are configured by using DHCP. DHCP runs on the NYC-DC1 server at the head office. All clients should be running Windows Firewall.
Regards, Ed
Exercise 1: Planning Network Access

Scenario
In this exercise, you will plan a remote network access solution for users in the branch offices.
The main tasks for this exercise are as follows: 1. 2. 3. Read the supporting documentation. Update the proposal document with your planned course of action. Compare your solution with the one provided in the Lab Answer Key.

Read the email message and the proposal document.
Answer the questions in the Branch Office Network Access Plan document. Branch Office Network Access Plan Document Reference Number: CW0611/1 Document Author Date Charlotte Weiss 6th November
Requirements Overview Plan a remote network access solution for Research department users based in branch offices. Proposals 1. 2. 3. 4. 5. What remote access solutions would you consider to support the branch offices users? What network access technologies are suggested by the fact that some users access the Contoso network resources from public access points and from their own computers at home? Dylan is concerned about the security of data in transit. What could you do to alleviate his legitimate concerns? How would you propose to allocate IP configurations to remote access clients? What is your remote network access solution? Provide details including server roles required to support the configuration.
Results: In this exercise, you will have completed the Branch Office Network Access Plan document.
Exercise 2: Implementing Network Access

Scenario
In this exercise, you will implement your proposed remote network access solution. The main tasks for this exercise are as follows: Configure a computer certificate. Configure NYC-EDGE1 with NPS functioning as a health policy server.
Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server. Allow ping on NYC-EDGE1. Configure required NAP client settings Move the client to the Internet. Create a VPN on NYC-CL1.
Task 1: Configure a computer certificate.

1. 2. 3. 4. 5. Switch to the NYC-DC1 computer. Open the Certification Authority tool. From the Certificate Templates Console, open the properties of the Computer certificate template. On the Security tab, grant the Authenticated Users group the Allow Enroll permission. Close the Certification Authority tool.
Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the NYC-EDGE1 computer. Create a management console by running mmc.exe. Add the Certificates snap-in with the focus on the local computer account. Navigate to the Personal certificate store and Request New Certificate. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next. Enroll the Computer certificate that is listed. Close the console and do not save the console settings. Using Server Manager, add the NPS Server with the following role services: Network Policy Server and Remote Access Service. Open the Network Policy Server console.
10. Under Network Access Protection, open the Default Configuration for the Windows Security Health Validator. 11. On the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections. Note In reality, you would leave the default selections. However, to make testing the policy feasible, you are limiting the requirements. 12. Create a health policy with the following settings: a. b. c. Name: Compliant Client SHV checks: Client passes all SHV checks SHVs used in this health policy: Windows Security Health Validator
13. Create a health policy with the following settings:
a. b. c.
Name: Noncompliant Client SHV checks: Client fails one or more SHV checks SHVs used in this health policy: Windows Security Health Validator
14. Disable all existing network policies. 15. Configure a new network policy with the following settings: a. b. c. d. Name: Compliant-Full-Access Conditions: Health Policies = Compliant Access permissions: Access granted Settings: NAP Enforcement = Allow full network access
16. Configure a new network policy with the following settings: a. b. c. Name: Noncompliant-Restricted Conditions: Health Policies = Noncompliant Access permissions: Access granted
Note A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients that match these conditions. d. Settings: I. II. NAP Enforcement = Allow limited access is selected and Enable auto-remediation of client computers is not selected. IP Filters = IPv4 input filter, Destination network = 10.10.0.10/255.255.255.255 and IPv4 output filter, Source network = 10.10.0.10/255.255.255.255.
17. Disable existing connection request policies. 18. Create a new Connection Request Policy with the following settings: a. b. c. d. e. Policy name: Branch VPN connections Type of network access server: Remote Access Server (VPN-Dial up) Conditions: Tunnel type = L2TP, SSTP, and PPTP Authenticate requests on this server = true Authentication methods: I. II. III. f. Select Override network policy authentication settings Add Microsoft: Protected EAP (PEAP). Add Microsoft: Secured password (EAP-MSCHAP v2)
Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is enabled.
Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server.
1. 2. 3. On NYC-EDGE1, open Routing and Remote Access. Select Configure and Enable Routing and Remote Access. Use the following settings to complete configuration: a. b. c. d. e. 4. Select Remote access (dial-up or VPN). Select the VPN check box. Choose the interface called Public and clear the Enable security on the selected interface by setting up static packet filters check box. IP Address Assignment: Default. Complete the process by accepting defaults when prompted and confirming any messages by clicking OK.
Switch to the Network Policy Server console. Click the Connection Request Policies node, and press F5 to refresh the display. Disable the Microsoft Routing and Remote Access Service Policy. This was created automatically when Routing and Remote Access was enabled. Close Network Policy Server management console and the Routing and Remote Access console.
5.
Task 4: Allow ping on NYC-EDGE1.

Note VPN. 1. 2. You perform the following steps in order that you can test connectivity through the
Open Windows Firewall with Advanced Security. Create an Inbound Rule with the following properties: a. b. c. Rule Type: Custom Program: All programs Protocol and Ports: Choose ICMPv4 and then click Customize I. d. e. f. g. Specific ICMP types: Echo Request
Scope: Default scope Action: Allow the connection Profile: Default profile Name: ICMPv4 echo request
3.
Close the Windows Firewall with Advanced Security console.
Task 5: Configure required NAP client settings.

Note You configure the client settings locally rather than use GPO because it is quicker in
the lab environment. 1. 2. Switch to the NYC-CL1 computer. Open the Local Policy Editor (gpedit.msc) and enable the Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only) setting. Close the Local Group Policy Editor. Run the NAP Client Configuration tool (napclcfg.msc). Under Enforcement Clients, enable the EAP Quarantine Enforcement Client. Close the NAP Client Configuration tool. Run services.msc and configure the Network Access Protection Agent service for automatic startup. Start the service. Close the services console.
3. 4. 5. 6. 7. 8. 9.
Task 6: Move the client to the Internet.

1. Reconfigure the network settings of NYC-CL1 by changing the following Local Area Connection Internet Protocol Version 4 (TCP/IPv4) settings: a. b. c. d. 2. IP address: 131.107.0.10 Subnet mask: 255.255.0.0 Default gateway: blank Preferred DNS server: blank
Verify that you can successfully ping 131.107.0.2.
Task 7: Create a VPN on NYC-CL1.

1. Create a new VPN connection with the following properties: a. b. c. d. e. f. 2. Internet address to connect to: 131.107.0.2 Destination name: Contoso VPN Allow other people to use this connection: true User name: administrator Password: Pa$$word Domain: CONTOSO
After you have created the VPN, modify its settings by viewing the properties of the connection and then selecting the Security tab. Use the following settings to reconfigure the VPN: a. b. Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled). Properties of this authentication type: I. Validate server certificate: true
II. III. IV. V. 3.
Connect to these servers: false Authentication method: Secured password (EAP-MSCHAP v2) Enable Fast Reconnect: false Enforce Network Access Protection: true
Test the VPN connection: a. b. In the Network Connections window, right-click the Contoso VPN connection and then click Connect. In the Connect Contoso VPN window, click Connect.
Note If you do not connect and receive error code 618, switch to NYC-EDGE1 and open the Network Policy Server. Disable any Connection Request policies found under Policy Name except for the Branch VPN Connections policy. c. 4. View the details of the Windows Security Alert. Verify that the correct certificate information is displayed and then click Connect.
Verify that your computer meets the health requirements of the NAP policy: a. b. Use IPCONFIG /all to verify that the System Quarantine State is Not Restricted. Ping 10.10.0.10.
5. 6.
Disconnect the Contoso VPN. On NYC-EDGE1, 0pen the Network policy Server and configure the Windows Security Health Validator to require an antivirus application: a. b. Switch to NYC-EDGE1 and open Network Policy Server. Modify the Default Configuration of the Windows Security Health Validator so that An antivirus application is on check box is enabled on the Windows 7/Windows Vista selection.
7. 8. 9.
Switch back to NYC-CL1 and reconnect the VPN. Verify that your computer does not meet the health requirements of the NAP policy. Use IPCONFIG /all to verify that the System Quarantine State is Restricted. Disconnect the VPN.
Results: In this exercise, you enabled and configured a VPN NAP enforcement policy for Contoso.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-EDGE1 and 6433A-NYC-CL1.
Lab Instructions: Provisioning Data and Storage
Module 10
Contents:
Exercise 1: Planning Data Access Exercise 2: Installing and Configuring DFS Exercise 3: Enabling and Configuring BranchCache 4 5 7
Lab: Planning and Implementing Data Access
Lab Setup
Note Pay close attention to the instructors guidance on starting, configuring, and reverting virtual machines within this lab. For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6433A-NYC-DC1,and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: 5. User name: Administrator Password: Pa$$w0rd Domain: Contoso
Repeat these steps 2 to 4 for 6433A-NYC-SVR1.
Lab Scenario
Contoso has created a new regional research team. As a result, branch offices have been fitted out to support the various regional research functions. You were responsible for planning and implementing the network infrastructure for the branch offices.
Dylan Miller, the national Research Manager, has been in contact regarding the need for research to access file-based resources from the head office. Some branches have slow links and experience delays with accessing files. You need to consider how to make data available from the head office in the branches, while taking account of various issues, including WAN link speed, to provide a data access solution for the branch office users. Next, you must implement a part of the plan. For this project, you must complete the following tasks: Plan data access for the branch office users. Implement DFS to support branch office needs. Implement BranchCache for those branches with potential access speed issues.
Charlotte Weiss
From: Sent: To: Subject: Charlotte, Dylan has told me that his department requires access to head office data. The trouble is that some of the branches have slow links to the head office and some of these files can be pretty large. In addition, they have an application that uses local data but that needs to be centrally collected. What I need you to do is look at the list of requirements and come up with a plan for configuring data access in the branch offices. Requirements: Research templates must be available from both the head office and the branch offices Data files for the research department must be collated to a central folder at the head office. Data access should be optimized for slow remote links, where necessary. Ed Meadows [Ed@contoso.com] 12 December 2011 10:12 Charlotte@contoso.com Data access for branch offices
We need to think about storage, too. They use a couple of database applications that generate quite a load on the disks. What would you recommend to host their storage? Regards, Ed
Exercise 1: Planning Data Access

Scenario
In this exercise, you will plan a suitable data access strategy for Contoso. The main tasks for this exercise are as follows: 1. 2. 3. Read the supporting documentation Update the proposal document with your planned course of action Compare your solution with the one provided in the Lab Answer Key

Answer the questions in the Data Access Plan document. Data Access Plan Document Reference Number:CW0112/1 Document Author Date Charlotte Weiss 1st December
Requirements Overview To plan a suitable data access plan for the branch offices. Proposals 1. 2. 3. 4. 5. 6. What server role will you implement to support the requirement for automated data collection from the branch offices? What data access scenario would you recommend? What technology would you implement to support the slow link requirement? How will you ensure that the client-side settings for this technology apply only to relevant computers? There is a local server installed at each branch office. How would you configure the branch data access technology to support this? To support the database applications, what type of storage would you recommend?
Results: In this exercise, you completed Data Access Plan for Contoso.
Exercise 2: Installing and Configuring DFS

Scenario
In this exercise, you will configure DFS to support the data storage plan you previously completed. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. 7. 8. 9. Install the DFS Role Service on NYC-SVR1 Install the DFS Role Service on NYC-DC1 Use the New Namespace Wizard to create the ResearchDocs namespace Enable access-based enumeration for the ResearchDocs namespace Add the ResearchTemplates folder to the ResearchDocs namespace Add the DataFiles folder to the ResearchDocs namespace Verify the ResearchDocs namespace Create another Folder Target for DataFiles Configure Replication for the namespace
Task 1: Install the DFS Role Service on NYC-SVR1.

1. 2. 3. Switch to NYC-SVR1. Open Server Manager and add the Distributed File System role service. Ensure that you select DFS Namespaces and DFS Replication. Choose to create a namespace at a later time. Close Server Manager.
Task 2: Install the DFS Role Service on NYC-DC1.

1. 2. 3. Switch to NYC-DC1. Open Server Manager and add the Distributed File System role service. Ensure that you select DFS Namespaces and DFS Replication. Choose to create a namespace at a later time. Close Server Manager.
Task 3: Use the New Namespace Wizard to create the ResearchDocs namespace.
1. 2. 3. Switch to NYC-SVR1. Open DFS Management. Create a new namespace with the following properties: 4. Server: NYC-SVR1 Name: ResearchDocs Namespace type: Domain-based namespace and select Enable Windows Server 2008 mode
Verify that the namespace has been created.
Task 4: Enable access-based enumeration for the ResearchDocs namespace.

1. In the \\Contoso.com\ResearchDocs Properties dialog box, on the Advanced tab, select the Enable access-based enumeration for this namespace check box.
Task 5: Add the ResearchTemplates folder to the ResearchDocs namespace.

1. Add a new folder to the ResearchDocs namespace: Folder name: ResearchTemplates Add a folder target: Path: \\NYC-DC1\ResearchTemplates Create share Local path: C:\ResearchDocs\ResearchTemplates Permissions: All users have read and write permissions Create folder
Task 6: Add the DataFiles folder to the ResearchDocs namespace.

1. Add a new folder to the ResearchDocs namespace: Folder name: DataFiles Add a folder target: Path: \\NYC-SVR1\DataFiles Create share Local path: C:\ResearchDocs\DataFiles Permissions: All users have read and write permissions Create folder
Task 7: Verify the ResearchDocs namespace.

1. 2. On NYC-SVR1, click Start, and then in the Search programs and files box, type \\Contoso.com\ResearchDocs and then press Enter. Verify that both ResearchTemplates and DataFiles are visible and then close the window.
Task 8: Create another Folder Target for DataFiles.

1. 2. In DFS Management, expand Contoso.com\ResearchDocs and then click DataFiles. In the details pane, notice that there is currently only one folder target. Add a new folder target: 3. Path to target: \\NYC-DC1\DataFiles Create share Local path: C:\ResearchDocs\DataFiles Permissions: All users have read and write permissions Create folder
In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.
Task 9: Configure Replication for the namespace.

1. Complete the Replicate Folder Wizard:
2.
Primary member: NYC-SVR1 No topology Use defaults elsewhere and accept any messages
Create a new replication topology for the namespace: Type: Full mesh Schedule and bandwidth: defaults
3.
In the details pane, on the Memberships tab, verify that the replicated folder is shown on NYC-DC1 and NYC-SVR1. Right-click NYC-DC1 and then click Make read-only.
Results: In this exercise, you configured DFS.
To prepare for the next exercise

When you finish the exercise, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-SVR1.
Exercise 3: Enabling and Configuring BranchCache

Exercise Setup
For this exercise, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: 5. 6. 7. User name: Administrator Password: Pa$$w0rd Domain: Contoso
In Hyper-V Manager, click 6433A-NYC-CL2, and in the Actions pane, click Settings. In the Settings for 6433A-NYC-CL2 dialog box, in the navigation pane, click Network Adapter. In the Results pane, in the Network drop-down list, select Private Network, and then click OK.
Scenario
To support branch staff requirements, you must configure BranchCache. Data is centralized at the head office. To reduce WAN utilization out to the branch office, BranchCache will be configured for these data. In this exercise, you will enable and configure BranchCache. The main tasks for this exercise are as follows:
1. 2. 3. 4. 5. 6. 7. 8.
Configure NYC-DC1 to use BranchCache Simulate slow link to the branch office Enable a file share for BranchCache Configure client firewall rules for BranchCache Configure clients to use BranchCache in hosted cache mode Install the BranchCache feature on NYC-SVR1 Request a certificate and link it to BranchCache Start the BranchCache Host Server
Task 1: Configure NYC-DC1 to use BranchCache.

1. 2. 3. 4. Switch to NYC-DC1. Open Server Manager and install the BranchCache for network files role service. Open the local group policy editor (gpedit.msc). Navigate to and open Computer Configuration > Administrative Templates > Network > Lanman Server > Hash Publication for BranchCache. Enable this setting, and then select Allow hash publication only for shared folders on which BranchCache is enabled.
Task 2: Simulate slow link to the branch office.

1. 2. Navigate to Computer Configuration > Windows Settings > Policy-based QoS. Create a new policy: 3. Name: Limit to 100 Kbps Specify Outbound Throttle Rate: 100
Close the Local Group Policy Editor.
Task 3: Enable a file share for BranchCache.

1. 2. Create a new folder called C:\Distribution. Share this folder with the following properties: 3. 4. Share name: Distribution Permissions: default Caching: Enable BranchCache
Copy C:\Windows\System32\mspaint.exe to this new folder. Close all open windows.
Task 4: Configure client firewall rules for BranchCache.

1. 2. Open Group Policy Management. Navigate to Forest: Contoso.com > Domains > Contoso.com > Default Domain Policy. Open the policy for editing.
3.
Navigate to Computer Configuration>Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules. Create a new inbound firewall rule with the following properties: Rule type: predefined Use BranchCache Content Retrieval (Uses HTTP). Action: Allow
4.
5.
Create a new inbound firewall rule with the following properties: Rule type: predefined Use BranchCache Peer Discovery (Uses WSD). Action: Allow
Task 5: Configure clients to use BranchCache in the hosted cache mode.

1. 2. 3. 4. In Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Network > BranchCache. Enable the Turn on BranchCache value. Enable the Set BranchCache Hosted Cache mode value and then configure the Enter the location of hosted Cache value: NYC-SVR1.contoso.com. Enable the Configure BranchCache for network files value and then configure the Enter the round trip network latency value in milliseconds above which network files must be cached in the branch office value: 0. Close Group Policy Management Editor and Group Policy Management console. Start the 6433A-NYC-CL1 virtual machine and log on as Contoso\Administrator with the password of Pa$$w0rd. Open a command prompt and refresh the group policy settings (gpupdate /force). At the command prompt window, type netsh branchcache show status all and then press Enter. Start the 6433A-NYC-CL2 virtual machine and log on as Contoso\Administrator with the password of Pa$$w0rd. Reconfigure the computer to obtain an IPv4 address automatically.
5. 6. 7. 8. 9.
10. Restart the computer. Log on as Contoso\Administrator with the password of Pa$$w0rd. 11. Open a command prompt and refresh the group policy settings (gpupdate /force). 12. In the command prompt window, type netsh branchcache show status all and then press Enter.
Task 6: Install the BranchCache feature on NYC-SVR1.

1. 2. 3. Start 6433A-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd. Open Server Manager and add the BranchCache feature. Close Server Manager.
10
Task 7: Request a certificate and link it to BranchCache.

1. 2. 3. 4. 5. Using the Certificates snap-in, request a new Computer certificate. Open the newly issued certificate (in the Personal store). On the Details tab, view the Thumbprint field. Copy the text from the details section. Open a command prompt. Run the following command, replacing certifcatehashvalue with the contents from the paste buffer, leaving out spaces.
netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5eea714-454d-8de2-492e4c1bd8f8}
6.
In the command prompt window, type netsh branchcache show status all and then press Enter.
Task 8: Start the BranchCache Host Server.

1. 2. 3. 4. 5. 6. 7. Switch to NYC-DC1. Open Active Directory Users and Computers. Create a new OU called BranchCacheHost and move NYC-SVR1 into this OU. Open Group Policy Management and block GPO inheritance on the BranchCacheHost OU. Close all open windows. Switch to NYC-SVR1 and restart the computer. Log on as Contoso\Administrator with the password of Pa$$w0rd. In the command prompt window, type netsh branchcache set service hostedserver and then press Enter.
Results: In this exercise, you enabled the BranchCache server in the branch office.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-SVR1, 6433A-NYC-CL1, and 6433A-NYC-CL2.
Lab Instructions: Planning Update Deployment
Module 11
Contents:
Exercise 1: Analyze WSUS Deployment Plan Exercise 2: Configure a Replica WSUS Server Exercise 3: Configure WSUS for BranchCache
3 4 6
Lab: Multi-Site WSUS Deployment
Lab Setup
Repeat steps 2 to 4 for 6433A-NYC-CL1.
Lab Scenario
Contoso, Ltd has a head office site located in Melbourne, Australia and state branch offices located in Sydney, Perth, Adelaide, and Hobart. WSUS is already deployed at the head office site and you want to configure a replica at the second site. This replica should inherit all approvals, updates, and computer groups from the head office site. You also want to configure WSUS to support BITS and BranchCache so that sites without replica servers minimize the amount of bandwidth that they devote to update traffic.
Exercise 1: Analyze WSUS Deployment Plan

Scenario
Contoso is in the process of preparing to deploy WSUS and have asked for your advice. A deployment plan has been prepared for your review and you have been asked to come up with deployment recommendations for WSUS servers. The main tasks for this exercise are as follows: 1. 2. 3. Read the Contoso WSUS deployment plan. Update the Visio diagram with your proposed WSUS deployment. Discuss your WSUS configuration plan.
Contoso WSUS Server Deployment Plan Document Reference Number: GW1203/1 Document Author: HazemAbolrous Date: 26th January Requirements Overview Contoso, Ltd in Australia wants to reduce the number of operating system updates that are downloaded from the Microsoft Update servers on the Internet as a way of reducing the costs associated with the utilization of bandwidth. Contoso has an agreement with its Internet Service Provider that substantially discounts the cost of traffic transmitted across WAN links when compared to the cost of downloading data directly from locations on the Internet such as Microsoft Update. All branch offices have connections to the Internet as well as dedicated WAN connections. The amount of data transmitted across WAN links should be minimized. Only one WSUS server should be deployed at each site. Administrators in the Melbourne site are responsible for approving updates to computers in the Perth, Adelaide, and Hobart sites. Administrators in the Sydney site are responsible for approving updates to computers in the Sydney site. The cost of transmitting data across the Melbourne to Perth link is equivalent to the cost of downloading data from locations on the Internet such as Microsoft Update.
Task 1: Read the Contoso WSUS Deployment Plan document.

Task 2: Update the Visio diagram, placing WSUS servers at each site.
1. 2. Open the Visio diagram that represents the Contoso Australia WSUS server. The Visio file is located on NYC-CL1 in the D:\Labfiles\Mod09 folder. Copy items representing each WSUS server type to each site. You may need to use the same item in more than one location.
Task 3: Discuss your WSUS configuration plan.

1. Discuss the following questions with the class: Under what conditions could you use BranchCache rather than a WSUS server at the Hobart site? At which site would you place two WSUS servers if you were concerned about redundancy? How would you configure Group Policy to ensure that computers at each location were directed to use the appropriate WSUS server?
Results: In this exercise, you will have planned a suitable WSUS deployment configuration for Contoso.
Exercise 2: Configure a Replica WSUS Server

Scenario
In this exercise, you configure a replica of an existing WSUS Server and configure an automatic approval rule. The main tasks for this exercise are as follows: Verify which updates are present on the existing WSUS server and create WSUS groups. Install a replica WSUS server. Verify approvals and configure automatic approval rules. Configure an automatic approval rule.
Task 1: Check available updates on the NYC-SVR1 WSUS server and create computer groups.
1. 2. 3. 4. 5. Revert 6433A-NYC-CL1 and then start 6433A-NYC-SVR1, 6433A-NYC-RTR, and 6433A-NYCSVR2. Log on to each computer as Administrator with the password of Pa$$w0rd. Switch to NYC-SVR1.On the Administrative Tools menu, click Windows Server Update Services. In the Update Services console, browse to the All Updates node. Modify the status to show Any update and make a note of the number of available updates. Expand the Computers node and under the All Computers node, create the Australia computer group. Create the Melbourne_Sales and Melbourne_Marketing groups as child groups of the Australia computer group.
Task 2: Install and configure a WSUS replica on NYC-SVR2.

1. 2. 3. Switch to NYC-SVR2. Use PING to verify connectivity to NYC-SVR1. Open Windows PowerShell and run the following commands each followed by Enter.
Import-Module ServerManager Add-WindowsFeature Web-Server, Web-Asp-Net, Web-ISAPI-Ext, Web-ISAPI-Filter, WebWindows-Auth, Web-Dyn-Compression, Web-Metabase, Net-Framework
4. 5.
Install ReportViewer.exe located in the D:\Labfiles\Mod09 folder. Run WSUS30-KB972455-x64.exe to start the installation of WSUS 3.0 SP2.
6.
Use the following installation options: Choose the Full server installation including Administration Console option. Accept the terms of the License agreement. Configure the server to Store updates locally. Install the Windows Internal Database locally. Use the existing IIS Default website.
7.
When the Windows Server Update Services Configuration Wizard starts, configure the following options: Do not join the Microsoft Update Improvement Program. Synchronize from another Windows Server Update Services server. Set the upstream server name to NYC-SVR1. Select the This is a replica of the upstream server option. Click the Start Connecting button. Set the Download updates only in these languages option to English. Configure the server to synchronize manually. Configure the Windows Server Update Services console to be launched and initial synchronization to occur.
8.
When synchronization has completed, verify that computer groups and the number of updates available is the same as you noted earlier on NYC-SVR1.
Task 3: Verify approvals on downstream servers and configure automatic approval rules.
1. 2. 3. 4. 5. 6. 7. Switch to NYC-SVR1. In the Update Services console on NYC-SVR1, connect to NYC-SVR2. Under NYC-SVR1, approve update KB976662 for installation for the Melbourne_Marketing group. Under NYC-SVR1, approve update KB975053 for installation for the All Computers group. Synchronize NYC-SVR2 with NYC-SVR1. Verify that update KB976662 is approved on server NYC-SVR2. In the Options node on NYC-SVR1, create an automatic approval rule with the following properties: 8. 9. Rule Name: Australia_Critical Update Classifications: Critical Updates Product: Any product WSUS Groups: Australia, Melbourne_Marketing and Melbourne_Sales
Run the Australia_Critical rule. Revert 6433A-NYC-SVR2.
Results: In this exercise, you created a WSUS replica and an automatic approval rule.
Exercise 3: Configure WSUS for BranchCache

Scenario
In this exercise, you will configure a WSUS server to support the BranchCache feature. The main tasks for this exercise are as follows: Configure group policy to support BranchCache. Verify the BranchCache configuration.
Task 1: Configure WSUS to support BranchCache.

1. 2. 3. 4. 5. Switch to the NYC-DC1 computer. Open the Active Directory Users and Computers console and create an organizational unit named Branch_Office. Move the computer accounts for computers NYC-SVR1 and NYC-CL2 to the Branch_Office OU. Use the Group Policy Management console to create a new GPO named WSUS_Branch. In the WSUS_Branch GPO, browse to the Computer Configuration\Policies\Administrative Templates\Network\BranchCache node and configure the following policy settings: 6. Turn On BranchCache: Enabled. Set BranchCache Distributed Cache Mode: Enabled Configure BranchCache for network files: Enabled. Round trip network latency setting 0 milliseconds
In the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update node, enable the Specify intranet Microsoft update service location policy and configure the policy so that both the intranet update service for detecting updates and intranet statistics server settings are set to http://nyc-svr1. In the Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security node, create two inbound rules by using the following pre-defined settings: BranchCache - Content Retrieval (Uses HTTP) BranchCache - Peer Discovery (Uses WSD)
7.
8. 9.
Link the WSUS_Branch GPO to the Branch_Office OU. On NYC-SVR1, open a Windows PowerShell prompt and run the following commands, pressing Enter after each command.
Import-Module ServerManager Add-WindowsFeature FS-BranchCache, BranchCache
10. Restart NYC-SVR1and then log back on as Contoso\Administrator with the password of Pa$$w0rd.
Task 2: Verify the BranchCache and WSUS configuration.

1. 2. Start 6433A-NYC-CL2 and then log on as Contoso\Administrator with the password of Pa$$w0rd. Open a command prompt. Type the following command and press Enter to verify that the BranchCache service mode is set to Distributed Caching.
netsh branchcache show status all
3. 4.
Use Windows Update to check for updates. Install the update and then restart the computer. Log back on as Contoso\Administrator with the password of Pa$$w0rd. Open Performance Monitor and on the Performance Monitor node, add the following counters to the graph: Local Cache: Cache Complete File Segments Local Cache: Cache Partial File Segments Retrieval: Bytes From Cache Retrieval: Bytes From Server
Results: In this exercise, you configured WSUS to support BranchCache, configured WSUS-related group policy items, and verified client BranchCache settings.

Lab Instructions: Planning High Availability
Module 12
Contents:
Exercise 1: Planning High Availability Exercise 2: Implementing High Availability 4 5
Lab: Planning and Implementing High Availability
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must perform the following steps: 1. 2. 3. 4. 5. 6. 7. 8. 9. On your host machine, click Start, point to Administrative Tools, and then click Hyper-V Manager. In the Virtual Machines pane, click 6433A-NYC-DC1, and then in the Actions pane, click Start. To connect to the virtual machine, click 6433A-NYC-DC1, and then in the Actions pane, click Connect. Repeat steps 2 and 3 to start the 6433A-NYC-SVR1 and 6433A-NYC-ISCSI virtual machines. In Hyper-V Manager, click 6433A-NYC-SVR2, and in the Actions pane, click Settings. In the Settings for 6433A-NYC-SVR2 dialog box, in the navigation pane, click Network Adapter. In the Results pane, in the Network drop down list, click Private Network, and then click OK. In Hyper-V Manager, click 6433A-NYC-SVR2, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts.
10. Switch to the NYC-SVR2 virtual machine. 11. Log on by using the following credentials: User name: Administrator Password: Pa$$w0rd Domain: Contoso
12. Click Start, and in the Search box, type Network and Sharing, and then press Enter. 13. In Network and Sharing Center, click Change adapter settings.
14. In Network Connections, right-click Local Area Connection 2, and then click Properties. 15. In the Local Area Connection 2 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4). 16. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, configure the following properties, and then click OK: IP address: 10.10.0.25 Subnet mask: 255.255.0.0 Default gateway: 10.10.0.1 Preferred DNS server: 10.10.0.10
17. In the Local Area Connection 2 Properties dialog box, click Close. Close the Network Connections window. 18. Switch to NYC-ISCSI. If necessary, log on as Contoso\Administrator, with the password, Pa$$w0rd. 19. To open the proper ports on Windows Firewall to allow iSCSI communication from clients to the server, open a command prompt, enter the following commands, and press Enter after each command.
netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service-TCP3260" dir=in action=allow protocol=TCP localport=3260 netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service-TCP135" dir=in action=allow protocol=TCP localport=135 netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service-UDP138" dir=in action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service" dir=in action=allow program="%SystemRoot%\System32\WinTarget.exe" enable=yes netsh advfirewall firewall add rule name="Microsoft iSCSI Software Target Service Status Proxy" dir=in action=allow program="%SystemRoot%\System32\WTStatusProxy.exe" enable=yes
Lab Scenario
The Research department at Contoso has an application that has a web-based front end. The back end is provided by a Microsoft SQL Server database application. Recently, a failure in the front end caused system unavailability for several hours. Dylan Miller, the Research department manager, has contacted Ed Meadows, the IT manager, and requested him to find a solution for the availability issue.
For this project, you must complete the following tasks: Plan a suitable solution to the availability problem for the Research database. Implement part of the availability solution.
Charlotte Weiss
From: Sent: To: Subject: Charlotte, The Research database is currently in the head office only, although that is set to change; we're creating a distributed version of the database later this year. The distributed version will work essentially the same way, but there will be localized versions of the databases replicated among the research branch offices. It has a SQL Server back-end, and the front-end is web-based; IIS provides the front-end access. The actual database is stored on disks attached to an iSCSI SAN. The outage was caused when the web server hosting the front end suffered a power supply failure; it just started to smoke and then went offline! Hope all that helps you, Regards, Ed Ed Meadows [Ed@contoso.com] December 12, 2011 10:12 Charlotte@contoso.com Research database application
Exercise 1: Planning High Availability

Scenario
In this exercise, you will plan a solution to the Research database availability problem. The main tasks for this exercise are as follows: 1. 2. 3. Read the supporting documentation. Update the High Availability Plan document with your planned course of action. Compare your solution to the one provided in the Lab Answer Key.

Answer the questions in the High Availability Plan document. High Availability Plan Document Reference Number: CW01312/1 Document Author Date Charlotte Weiss 13th December
High Availability Plan Requirements Overview To provide a high-availability solution that ensures that the failure of any single component will not cause the Research database to become unavailable. Proposals 1. In the current system, which component(s) is a point of failure?
2.
For each component, how will you propose to prevent a system failure resulting from a component failure? Which Windows Server 2008 role or feature can help provide for each of these proposals? After implementing the roles or features proposed, is there any remaining component that represents a single point of failure? Have you any recommendations regarding this component(s)?
3. 4. 5.
Results: At the end of this exercise, you will have completed the High Availability Plan document.
Exercise 2: Implementing High Availability

Scenario
Important Before starting this exercise, ensure you have completed the steps necessary to reconfigure the virtual machines to support the lab environment. These steps are provided at the beginning of the lab and repeated in the Lab Answer Key. As a part of the project, you have to prepare the environment for failover clustering. You have to configure storage drives, and create and validate cluster configuration. You have iSCSI-based storage, and you should present disks to your servers. After you have prepared the failover clustering environment, you need to implement clustering on the Printer Services role and then test failover. Later, you will implement the Research departments database on this cluster. The main tasks for this exercise are as follows: 1. 2. 3. 4. Create an iSCSI target on NYC-ISCSI. Add the iSCSI target portal to NYC-SVR1. Add the iSCSI target portal to NYC-SVR2. Configure the shared disks.
5. 6. 7. 8. 9.
Install the Failover Clustering feature. Validate the failover cluster. Use the Create Cluster Wizard to build a simple failover cluster. Install the Print Services role on NYC-SVR1 on NYC-SVR2. Cluster the Print Services role.
10. Fail over the NYC-BR-Print clustered service from NYC-SVR1 to NYC-SVR2. 11. Change the preferred owner of NYC-BR-Print to NYC-SVR2. 12. Change the failback settings to allow failback only to the preferred node between 01:00 and 04:00.
Task 1: Create an iSCSI target on NYC-ISCSI.

1. 2. 3. If necessary, log on to NYC-ISCSI as Administrator, with the password, Pa$$w0rd. Start the Microsoft iSCSI Software Target management console. Create a new iSCSI target with the following configuration: a. b. 4. Target name: LUN-01 iSCSI Initiators Identifiers: IP addresses 10.10.0.24 and 10.10.0.25
Create a new virtual disk with the following configuration: a. b. c. File: C:\Disks\Disk-01.vhd Size: 8000 megabytes (MB) Target name: LUN-01
5.
Create a new virtual disk with the following configuration: a. b. c. File: C:\Disks\Disk-02.vhd Size: 20,000 MB Target name: LUN-01
Task 2: Add the iSCSI target portal to NYC-SVR1.

1. 2. 3. 4. 5. Switch to NYC-SVR1. If necessary, log on as Contoso\Administrator, with the password, Pa$$w0rd. Start the iSCSI Initiatormanagement console. On the Targets tab, connect to the 10.10.0.30 target. Ensure the computer establishes a connection to iqn.1991-05.com.microsoft:NYC-ISCSI-lun-01target. On the Volumes and Devices tab, choose Auto Configure. Verify that two volumes are added to the Volume List.

1. 2. 3. Switch to NYC-SVR2. Start the iSCSI Initiatormanagement console. On the Targets tab, connect to the 10.10.0.30 target.
4. 5.
Ensure the computer establishes a connection to iqn.1991-05.com.microsoft:NYC-ISCSI-lun-01target. On the Volumes and Devices tab, choose Auto Configure. Verify that two volumes are added to the Volume List. If only one volume appears, click Clear, and then click Auto Configure.
Task 4: Configure the shared disks.

1. 2. 3. 4. On NYC-SVR1, open Server Manager, and then access Disk Management. Bring Disk 3 and Disk 4 online, and initialize the disks. On Disk 3, create a new simple volume with the drive letter Q and a volume label of Witness Disk. On Disk 4, create a new simple volume with the drive letter M and a volume label of VM Storage.
Task 5: Install the Failover Clustering feature.

1. 2. On NYC-SVR1, in Server Manager, install the Failover Clustering feature. On NYC-SVR2, in Server Manager, install the Failover Clustering feature.
Task 6: Validate the failover cluster.

1. 2. 3. 4. 5. 6. Switch to NYC-SVR1. Open Failover Cluster Manager. Start the Validate a Configuration wizard Add the server names, NYC-SVR1 and NYC-SVR2. Perform all tests. Wait for the validation to complete (which will take several minutes), and then click View Report. Verify that no errors are reported. Note No errors should be raised, but you may receive warnings that indicate the configuration is not optimal. This is expected and arises because of the limitations of the virtual machine configuration.
Task 7: Use the Create Cluster Wizard to build a simple failover cluster.
1. In Failover Cluster Manager, create a new cluster with the following configuration: a. b. c. 2. Servers: NYC-SVR1 and NYC-SVR2 Name: NYC-Br-Cluster IP Address: 10.10.0.90.
Verify that the cluster is created successfully.
Task 8: Install the Print Services role on NYC-SVR1 and NYC-SVR2.

1. 2. 3. On NYC-SVR1, switch to Server Manager. Start the Add Roles Wizard, and install the Print and Document Services role with default values. Close Server Manager. Switch to NYC-SVR2.
4.
Start the Add Roles Wizard, and install the Print and Document Services role with default values. Close Server Manager.
Task 9: Cluster the Print Services role.

1. 2. Switch to NYC-SVR1 and switch to the Failover Clustering Manager console. In the NYC-Br-Cluster.Contoso.com cluster, create a print server clustered application with the following settings: Name: NYC-BR-Print IP address: 10.10.0.108 Storage volume: Cluster Disk 2
Task 10: Fail over the NYC-BR-Print clustered service from NYC-SVR1 to NYC-SVR2.
1. 2. Move NYC-BR-Print to the passive node. Verify that NYC-BR-Print now shows the current owner as the new node.
Task 11: Change the preferred owner of NYC-BR-Print to NYC-SVR2.

Using the Failover Clustering Manager console, change the preferred owner on NYC-BR-Print to be NYC-SVR2, and move NYC-SVR2 to the top of the Preferred owners list.
Task 12: Change the failback settings to allow failback only to the preferred node between 1 and 4 hours.
Configure the cluster so that failback is allowed only between 1 and 4 hours.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 to for the 6433A-NYC-SVR1, 6433A-NYC-SVR2, and 6433A-NYC-ISCSI virtual machines.
Lab Instructions: Planning Performance and Event Monitoring
Module 13
Contents:
Exercise 1: Planning Enterprise Event Log Management Exercise 2: Configuring Event Subscriptions Exercise 3: Creating Custom Views Exercise 4: Configuring Event Tasks 3 3 5 5
Lab: Planning and Implementing Event Log Management
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6433A-NYC-DC1,and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on by using the following credentials: 5. User name: Administrator Password: Pa$$w0rd Domain: Contoso
Repeat steps 2-4 for 6433A-NYC-SVR1.
Lab Scenario
Contoso, Ltd. is deploying a three server environment to allow for the testing of new applications that are planned to be introduced into the production environment. The environment currently consists of two servers: NYC-DC1, the domain controller and NYC-SVR1, an application test server. After your initial configuration is complete, 10 more application test servers will be introduced to the test environment. Application servers will be moved in and out of the test groups as need arises, including the original application test server, NYC-SVR1. Because of the nature of the testing process, users in the application test group have been given widereaching permissions on the servers in the test group.
The owner of the project wants to be able to keep track of modifications to application installation and uninstallation without having to directly monitor each server in the environment. You have been asked to plan the implementation of a monitoring and notification system that fulfills the requirements of the project owner, Ed Meadows. For this project, you must complete the following tasks: Plan the configuration of event management. Implement event subscriptions. Implement custom views. Implement event tasks.
Exercise 1: Planning Enterprise Event Log Management

Scenario
Your plan must fulfill the following requirements Ed Meadows would like to review all events related to application installation or uninstallation that occur on the test application servers. All applications use Microsoft Installer (MSI)-based installers. These events should be stored in one location, with only the relevant events in the list. Ed Meadows would also like to quickly view the relevant list for each application server on the local server. Ed Meadows would like local users on the application test servers to be notified locally when an installation-related event occurs.
The main task for this exercise is as follows:
Task 1: Answer the planning questions.

1. 2. 3. 4. 5. How will you facilitate the central collection of events from the application test servers? Where will you collect the events from the application test servers, what event subscription type will you use, and how will you determine which events to collect? How will you provide a list of only the installation-related events on each of the local application test servers? How can you effectively implement these lists on all servers, including those that will be added later? How will you implement the notification system specified in the scenario?
Results: After completing this exercise, you should have planned enterprise log management.
Exercise 2: Configuring Event Subscriptions

Scenario
You have decided to implement event subscriptions to centralize the event viewing process for Ed Meadows. According to your plan, you will centrally collect events by using collector initiated subscriptions from NYC-DC1. Both computers will need to be prepared for event subscriptions prior to creating and testing the subscription. Because the installers for the applications are using MSI, the MsiInstaller source can be used to filter the events in the subscription.
The main tasks for this exercise are as follows: 1. 2. 3. Prepare all computers for event subscriptions. Create the event subscription. Test the event subscription by installing an application.
Task 1: Prepare all computers for event subscriptions.

1. 2. 3. 4. 5. Switch to NYC-DC1. Configure WinRM on NYC-DC1. Configure the Windows Event Collector service on NYC-DC1. Switch to NYC-SVR1. Configure WinRM on NYC-SVR1.
Task 2: Create the event subscription.

1. 2. 3. Switch to NYC-DC1. On NYC-DC1, open the Event Viewer console. Create a new Collector initiated subscription named Application Installations with the following parameters: 4. 5. Collect events in the Fowarded Events log. Add NYC-SVR1 as a source computer. Filter events belonging to the MsiInstaller source. Configure Contoso\Administrator as the user account to run the subscription under.
Confirm the status of the subscription as Active. Confirm the runtime status of the subscription as OK.
Task 3: Test the event subscription by installing an application.

1. 2. 3. 4. 5. 6. Switch to NYC-SVR1. On NYC-SVR1, open Windows Explorer and navigate to the D:\Mod13\Labfiles directory. Run the installation program for xmlnotepad.msi and install the application. Switch to NYC-DC1. Open Event Viewer and browse to the Forwarded Events node. Check for MsiInstaller events from NYC-SVR1. Note 7. The events may take one minute or so to appear in the Forwarded Events view.
Close Event Viewer.
Results: After completing this exercise, you should have configured event subscriptions.
Exercise 3: Creating Custom Views

Scenario
You have decided to use custom views to provide the required event list on each application test server. You will create a custom view on NYC-SVR1. As with the event subscription creation, you can use the MsiInstaller source to filter the local events so that only the relevant events are listed in the view. You will also export this view and test the import process on NYC-SVR1. The main tasks for this exercise are as follows: 1. 2. 3. Create and test a custom view. Export the custom view. Import and test the custom view.
Task 1: Create and test a custom view.

1. 2. 3. 4. Switch to NYC-SVR1. Open the Event Viewer console. Create a custom view named Application Installation Events View that filters events based on the MsiInstaller event source. Open the Application Installation Events View custom view and ensure that the events logged during the application installation in Exercise 2 are present.
Task 2: Export the custom view.

1. 2. 3. Switch to NYC-SVR1. Open the Event Viewer console. Export the custom view created in task 1 to \\NYC-DC1\Share\AppViewExport.xml.
Task 3: Import and test the custom view.

1. 2. 3. On NYC-SVR1, delete the Application Installation Events View. In the Event Viewer, import the custom view that was exported in the previous task. Open the Application Installation Events View custom view and ensure that the events logged during the application installation in Exercise 2 are present.
Results: After completing this exercise, you should have created custom views.
Exercise 4: Configuring Event Tasks

Scenario
You must configure notification for any events forwarded to NYC-DC1 that are recorded as Event 11708, Installation Failure. These notifications should send a notification to Ed Meadows (Ed@Contoso.com) to alert him that an error has occurred. The main tasks for this exercise are as follows: 1. 2. Create an event task. Test the event task by installing an application.
Task 1: Create an event task.

1. 2. 3. Switch to NYC-DC1. Open the Task Scheduler console. Create a Basic Task with the following parameters: Name: Application Install Failure Email Trigger: When an event is logged Log: Forwarded Events Event ID: 11708
Action: Send an email message From: AppInstallNotifier@Contoso.com To: Ed@Contoso.com Subject: Application Installation Failure Text: An application installation has occurred. Please check the Forwarded Events Log on NYC-DC1 for more details. SMTP Server: NYC-SVR1.Contoso.com
Task 2: Test the event task by installing an application.

1. 2. 3. 4. 5. Switch to NYC-SVR1. Run D:\Labfiles\Mod13\xmlnotepad.exe, and remove the product. Re-install the product, but cancel the installation before it completes. Confirm that an event with ID 11708 has been logged on NYC-SVR1 in the Application Log. Check the email inbox at C:\Inetpub\mailroot\Drop for an email message to Ed@Contoso.com. It may take a few minutes for the file to appear.
Results: After completing this exercise, you should have created event tasks.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat the preceding steps for 6433A-NYC-SVR1.
Lab Instructions: Enterprise Backup and Recovery
Module 14
Contents:
Exercise 1: Contoso Disaster Recovery Plan Exercise 2: Configuring Network Backup with Windows Server Backup Exercise 3: Mounting Backup VHD and Extracting Data Exercise 4: Configuring NYC-SVR1 to Boot from Backup VHD
3 5 6 6
Lab: Backing Up and Restoring from VHD
Lab Setup
Repeat the steps 2 to 4 for 6433A-NYC-SVR1.
Lab Scenario
Contoso, Ltd. is a medium-sized organization with its head office in Melbourne, Australia, and two branch offices. The organization employs 300 people, of which 200 are located at its head office, and 50 people work at each of the two branch offices. You have been asked to generate a disaster recovery plan for the Contoso Windows Server 2008 R2 deployment.
Exercise 1: Contoso Disaster Recovery Plan

Scenario
Contoso is in the process of developing a disaster recovery plan. You must examine the organizations requirements and then complete the Contoso Windows Server 2008 R2 Disaster Recovery document. The main tasks for this exercise are as follows: 1. 2. 3. Read the supporting documentation. Update the proposal document with your planned course of action. Discuss your disaster recovery plan.

1. Read the supporting documentation. Contoso Disaster Recovery document Document Reference Number: GW1203/1 Document Author Date Sam Abolrous 26th January
Environment Information Contoso, Ltd. is a medium-sized organization with its head office in Melbourne, Australia, and two branch offices. The organization employs 300 people, of which 200 are located at its head office, and 50 people work at each of the two branch offices. You have been asked to generate a disaster recovery plan for the Contoso Windows Server 2008 R2 deployment. The Contoso server infrastructure consists of the following: Head Office Site: Melbourne Central Business District One physical server running Windows Server 2008 R2 configured with the AD DS, DNS, DHCP, AD CS roles. 8 GB of RAM. 1 terabyte (TB) Hard Disk Drive (HDD). Two physical servers running Windows Server 2008 R2 configured as DFS Replicas and DFS Roots. 8 GB of RAM. 1 TB HDD. One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD. Windows Web Server 2008 R2 IIS server Windows Server 2008 R2 hosting Exchange Server 2010 server Windows Server 2008 R2 hosting SQL Server 2008 R2 database server Branch Office Site: Moonee Ponds One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD. Windows Server 2008 R2 Domain Controller / DNS / DHCP server Windows Server 2008 File Server / DFS Replica Branch Office Site: Endeavour Hills One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD. Windows Server 2008 R2 Domain Controller / DNS / DHCP server
Contoso Disaster Recovery document Windows Server 2008 File Server / DFS Replica Additional Information Contoso is in the process of renting space for a disaster recovery site in the suburb of Dandenong. All servers at Contoso that host the Hyper-V role only have that role installed. Servers at the head office site should never lose more than 3 hours of data in the event of server failure. Servers at branch office sites should never lose more than 24 hours of data in the event of server failure. Requirements Overview Contoso has asked you to accomplish the following objectives in developing a disaster recovery plan. 1. You need to be able to restore backup data from all servers at the head office site in the event that computers at the head office site are completely lost due to fire, flood damage, or other unforeseen catastrophes. 2. A 7-day recovery point objective is acceptable if a site is completely lost. 3. Servers at the head office site should never lose more than 3 hours of data in the event of server failure. 4. Servers at branch office sites should never lose more than 24 hours of data in the event of server failure. 5. You need to be able to run any head office server in the event that the server hardware fails, until that hardware is replaced. 6. You want to minimize the amount of hardware deployed at the proposed Dandenong disaster recovery site. 7. You need to be able to restore up to 7 days of data on each server in the event that data is lost or corrupted.
1. Answer the questions in the Contoso Windows Server 2008 R2 Deployment Plan document. Contoso Disaster Recovery plan Document Reference Number: GW1203/2 Document Author Date Kim Akers 1st April
Proposals Contoso has asked you to accomplish the following objectives in developing a disaster recovery plan.
1. 2. 3. 4. 5.
What steps should you propose to meet the objective of being able to recover up to 7 days of data on each server? What steps could you take to back up the virtual machines by using Windows Server Backup? What steps should you propose to meet the objective of ensuring that any branch office site can be recovered in the event of full site loss? What infrastructure would you provision at the Dandenong disaster recovery site to meet disaster recovery objectives? What infrastructure would you provision at the head office site to ensure that you can continue
Contoso Disaster Recovery plan 6. to provide services in the event that a single server fails completely? What backup schedules would you configure for servers at the head office and branch office sites?
Task 3: Discuss your disaster recovery plan.

1. Examine the Disaster Recovery plan in the Lab Answer Key and be prepared to discuss your solutions with the class.
Results: At the end of this exercise, you will have planned an appropriate disaster recovery solution for Contoso.
Exercise 2: Configuring Network Backup with Windows Server Backup

In this exercise, you will configure Windows Server Backup to perform a scheduled backup to a network folder. To complete this exercise, perform the following tasks:
Task 1: Install Windows Server Backup.

1. 2. 3. 4. 5. On NYC-SVR1, create a document on the desktop called, Example_Data.txt. Open the text document and enter a short message. Save and close the file. Open Server Manager, add the Windows Server Backup and Command-line Tools features. Switch to NYC-DC1. Open Windows Explorer and create a new folder on volume D called, BackupTarget, and share this folder by using the default settings.
Task 2: Create a scheduled backup to a network location.

1. 2. 3. 4. 5. 6. 7. 8. Switch to NYC-SVR1 and open Windows Server Backup from the Administrative Tools menu. Click Backup Schedule. On the Select Backup Configuration page, select Full server (recommended). On the Specify Backup Time page, next to Select time of day, select 5:00 AM. On the Specify Destination Type page, click Back up to a shared network folder. Click Next, review the warning, and then click OK. On the Specify Remote Shared Folder page, enter \\NYC-DC1\BackupTarget. On the Register Backup Schedule dialog, type Administrator, type the password as Pa$$w0rd, and then click OK. Click Finish, and then click Close.
Task 3: Run a backup by using the scheduled backup settings.

1. 2. Switch to NYC-SVR1, and in the Windows Server Backup console, click Backup Once On the Backup Options page of the Backup Once Wizard, select Scheduled backup options, click Next, and then click Backup.
Note Depending on the speed of the host systems, the backup could take approximately 20 minutes. 3. When the backup completes, click Close.
Results: At the end of this exercise, you will have used Windows Server Backup to create and perform a scheduled backup to a network location.
Exercise 3: Mounting Backup VHD and Extracting Data

In this exercise, you will mount the backup file that you created in Exercise 1 and extract data from it. To complete this exercise, perform the following tasks:
Task 1: Mount the backup VHD and extract data.

1. 2. 3. Switch to NYC-DC1 and open the Server Manager console. Expand the Storage node, and then click Disk Management. Right-click Disk Management, and then click Attach VHD. Attach the largest VHD file in the D:\BackupTarget\WindowsImageBackup\NYC-SVR1\Backup folder. Note 4. 5. 6. This VHD file should be approximately 7.5 GB in size.
Open Windows Explorer and browse to the newly mounted volume. Browse to the \Users\Administrator.Contoso\Desktop folder and verify the contents of Example_Data.txt and then close the file. Detach the VHD.
Results: At the end of this exercise, you will have verified the backup data without having to perform a restore operation.
Exercise 4: Configuring NYC-SVR1 to Boot from Backup VHD

In this exercise, you will configure server NYC-SVR1 to dual-boot into the backup that was taken earlier.
Task 1: Prepare NYC-SVR1 for boot from backup VHD.

1. 2. Open the folder \\NYC-DC1\BackupTarget\WindowsImageBackup\NYC-SVR1\Backupandcopy the largest VHD file to volume F on NYC-SVR1. Rename the VHD file to backup.vhd. Note The copy operation will take approximately seven minutes.
Task 2: Configure NYC-SVR1 to boot from VHD.

1. 2. Open an elevated command prompt and change to the C:\ directory. Type the following command, and then press Enter.
Bcdedit /copy {current} /D Boot_From_Backup
3. 4.
Make a note of the CSLID number that is displayed. You will use this number in the next set of commands. Enter the following commands, substituting the CSLID number. Keep the square parentheses around the drive letter and press Enter after each command.
Bcdedit /set {CSLID} device vhd=[f:]\backup.vhd Bcdedit /set {CSLID} osdevice vhd=[f:]\backup.vhd Bcdedit /set {CSLID} detecthal on
5.
Close the command prompt.
Task 3: Boot into the backup VHD on NYC-SVR1.

1. 2. 3. Restart server NYC-SVR1. At the boot prompt, select Boot_From_Backup. If prompted, select Start Windows Normally, and then press Enter. Log on to NYC-SVR1 as Contoso\Administrator, with the password, Pa$$w0rd.
Results: At the end of this exercise you will have performed recovery of a server operating system volume without having to perform a recovery by using Windows Server Backup.
To revert the virtual machines.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for the 6433A-NYC-SVR1 virtual machine.
Lab Answer Key: Planning Server Deployment and Upgrade
Module 1
Contents:
Exercise 1: Planning a Windows Server 2008 R2 Deployment Exercise 2: Modifying a Windows Server 2008 R2 Image Exercise 3: Preparing to Deploy the Windows Server 2008 R2 Image 2 3 4
Lab: Planning and Implementing Server Deployment

Exercise 1: Planning a Windows Server 2008 R2 Deployment
1. Answer the questions in the Contoso Windows Server 2008 R2 Deployment Plan document. Contoso Windows Server 2008 R2 Deployment Plan Document Reference Number:CW2805/1 Document Author Date Charlotte Weiss 28th May
Requirements Overview To provide information to help plan the upgrade/migration to Windows Server 2008 R2. Additional Information Branch Office 2 supports forty client computers and two servers. Branch Office 2 is isolated from the Internet. Branch Office 2 has no server room and servers are placed in the main office space. Proposals 1. In Eds email, he recommended that Charlotte should examine the server utilization figures. Why is this significant when planning server deployment? Answer: Servers that are under-utilized could be combined to reduce the hardware footprint within Contoso. Also, you could consider using server virtualization for those servers that are currently under-utilized. 2. Ed also reminded Charlotte that some departments used servers and client workstations that are isolated from the Internet. What is the impact of this in terms of deployment? Answer: Activation from servers (and client workstations) that are isolated from the Internet must be performed manually with activation keys, or by using KMS or MAK. 3. In environments where there are isolated servers and workstations, which factors determine the activation technology that you use? Answer: The number of servers and workstations determines whether you use MAK or KMS. To use KMS, you need at least 25 servers and workstations. 4. Are there situations where virtualization is indicated? Answer: Most servers, if not all, could be virtualized. However, the servers in Branch Office 2 should be combined and virtualized because their utilization is low. 5. How would you help to improve security at Branch Office 2?
Contoso Windows Server 2008 R2 Deployment Plan Answer: Use of Server Core could help to improve security. It supports the Hyper-V server role and could act as a platform for any virtual servers deployed at the branch. 6. Which activation method would you use at Branch Office 2? Answer: KMS is indicated. 7. All the other branches have similar server configurations to that in Branch Office 2. Assuming Contoso accepts your proposals for the branch servers at Branch Office 2, how would you propose to deploy the servers at this and the other ten branches in the New York area? Answer: Creating an image for the deployment of these servers would save time and ensure a standard server configuration. Using WDS would help to deploy the images more quickly, depending upon network bandwidth to the branches from the deployment server. Also, WDS requires DHCP. This is not shown in the datasheet as being available in the branches. Further investigation is warranted.
Task 3: Examine the suggested proposals in the Lab Answer Key.

1. Examine the completed Contoso Windows Server 2008 R2 Deployment Plan in the Lab Answer Key and be prepared to discuss your solutions with the class.
Result: At the end of this exercise, you should have successfully planned the Windows Server 2008 R2 deployment.
Exercise 2: Modifying a Windows Server 2008 R2 Image

Task 1: Map a network drive to the image store on NYC-SVR1.
1. 2. 3. 4. Switch to NYC-DC1. Click Start, right-click Computer, and then click Map network drive. In the Map Network Drive dialog box, in the Folder box, type \\nyc-svr1\d$, and then click Finish. Close all open windows.
Task 2: List the existing images.

1. 2.
Z:
Click Start, point to All Programs, click Microsoft Windows AIK, and then click Deployment Tools Command Prompt. At the command prompt, type the following command, and then press Enter.
3.
At the command prompt, type the following command, and then press Enter.
Cd\labfiles\Mod01\Images
4.
Dir
5.
Dism /get-wiminfo /wimfile:Z:\labfiles\Mod01\images\install.wim
Note the index number for the image with the Description of Windows Server 2008 R2 SERVERENTERPRISECORE.
Task 3: Mount the existing image.

1. At the command prompt, type the following command, and then press Enter.
Dism /mount-wim /wimfile:Z:\labfiles\Mod01\images\Install.wim /index:4 /mountdir:D:\labfiles\Mod01\servicing
2.
Dism /get-mountedwiminfo
3.
Dir D:\labfiles\Mod01\servicing
Task 4: Add the Hyper-V feature to the image.

Dism /image:D:\labfiles\mod01\servicing /enable-feature /featurename:Microsoft-Hyper-V
2.
Dism /image:D:\labfiles\mod01\servicing /get-features
3. 4.
Verify that Hyper-V is Enable Pending. At the command prompt, type the following command, and then press Enter.
Dism /unmount-wim /mountdir:D:\labfiles\Mod01\servicing /commit
Results: At the end of this exercise, you will have prepared the branch office image.
Exercise 3: Preparing to Deploy the Windows Server 2008 R2 Image

Task 1: Install the Windows Deployment Services role.
1. 2. 3. 4. 5. 6. 7. Switch to the NYC-SVR1 computer. Click Start, point to Administrative Tools, and then click Server Manager. In the Roles Summary section, click Add Roles. In the Add Roles Wizard, click Next. On the Select Server Roles page, select the Windows Deployment Services check box, and then click Next. On the Overview of Windows Deployment Services page, click Next. On the Select Role Services page, click Next.
8. 9.
On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close.
10. Close Server Manager.
Task 2: Configure Windows Deployment Services.

1. 2. 3. 4. 5. 6. 7. 8. Click Start, point to Administrative Tools, and then click Windows Deployment Services. In the console tree, expand Servers. Right-click NYC-SVR1.Contoso.com, and then click Configure Server. In the Windows Deployment Services Configuration Wizard, click Next. On the Remote Installation Folder Location page, click Next. In the System Volume Warning dialog box, click Yes. On the PXE Server Initial Settings page, click Respond to all client computers (known and unknown), and then click Next. On the Operation Complete page, clear the Add images to the server now check box, and then click Finish.
Task 3: Add a Windows Preinstallation Environment (Windows PE) boot image.

1. 2. 3. 4. 5. 6. 7. 8. 9. In Windows Deployment Services, in the console tree, expand NYC-SVR1.Contoso.com. Right-click Boot Images, and then click Add Boot Image. In the Add Image Wizard, on the Image File page, click Browse. In the Select Windows Image (WIM) File dialog box, in the File name box, type\\nycdc1\c$\Program Files\Windows AIK\Tools\PETools\x86\winpe.wim. Click Open. On the Image File page, click Next. On the Image Metadata page, click Next. On the Summary page, click Next. On the Task Progress page, click Finish. Minimize Windows Deployment Services.
Task 4: Use WDSUtil to add a boot image.

1. 2. Click Start and in the Search box, type cmd, and then press Enter. At the command prompt, type the following command and then press Enter.
wdsutil /progress /add-image /imagefile:"D:\Labfiles\mod01\images\boot.wim" /imagetype:boot /name:"Microsoft Windows Setup (x64)"
3.
At the command prompt, type the following command and then press Enter. exit
4.
Maximize Windows Deployment Services.
5. 6.
In Windows Deployment Services, in the console tree, right-click NYC-SVR1.Contoso.com, and then click Refresh. Expand NYC-SVR1.Contoso.com, and then click Boot Images.
Question: How many boot images are listed? Answer: Two.
Task 5: Add an install image.

1. 2. 3. 4. 5. 6. 7. 8. In Windows Deployment Services, in the console tree, right-click Install Images, and then click Add Install Image. On the Image Group page, in the text box, type Windows Server 2008 R2, and then click Next. In the Add Image Wizard, on the Image File page, click Browse. In the File name box, type D:\Labfiles\mod01\images\install.wim, and then click Open. On the Image File page, click Next. On the Available Images page, clear all check boxes except Windows Server 2008 R2 SERVERENTERPRISECORE, and then click Next. On the Summary page, click Next. On the Task Progress page, click Finish.
Task 6: Configure automatic naming.

1. 2. 3. 4. 5. 6. In Windows Deployment Services, in the console tree, right-click NYC-SVR1.Contoso.com, and then click Properties. Click the AD DS tab. In the Format box, type BRANCH-SVR-%02#. Under Computer Account Location, click The following location, and then click Browse. In the Browse for a Directory Service Folder dialog box, expand Contoso, click Research, and then click OK. In the NYC-SVR1 Properties dialog box, click OK.
Task 7: Configure administrator approval.

1. 2. 3. 4. 5. In Windows Deployment Services, in the console tree, right-click NYC-SVR1.Contoso.com, and then click Properties. Click the PXE Response tab. Select the Require administrator approval for unknown computers check box. Change the PXE Response Delay to 3 seconds, and then click OK. Click Start and in the Search box, type cmd, and then press Enter. At the command prompt, type the following command and then press Enter.
WDSUTIL /Set-Server /AutoAddPolicy /Message:TheContoso administrator is authorizing your request. Please wait.
6.
Close the Command Prompt window.
Task 8: Configure Windows Deployment Services Server for multicast transmission.

1. 2. 3. 4. 5. 6. In Windows Deployment Services, in the console tree, right-click Multicast Transmissions, and then click Create Multicast Transmission. In the Create Multicast Transmission Wizard, on the Transmission Name page, in the Type a name for this transmission field, type Windows Server 2008 R2 Branch Servers, and click Next. On the Image Selection page, in the Select the image group that contains the image list, click Windows Server 2008 R2. In the Name list, click Windows Server 2008 R2 SERVERENTERPRISECORE and then click Next. On the Multicast Type page, verify that Auto-Cast is selected, and then click Next. Click Finish.
Results: At the end of this exercise, you will have successfully prepared WDS to support Windows Server deployment to the branch offices.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-SVR1.
Lab Answer Key: Planning Server Management and Delegated Administration
Module 2
Contents:
Exercise 1: Creating an Administrative-Level Role Group Exercise 2: Creating an Account Management Group Exercise 3: Enabling and Configuring Auditing for Sensitive Groups 2 3 4
Lab: Implementing Role-Based Systems Administration

Exercise 1: Creating an Administrative-Level Role Group
Task 1: Create the ADRedesign group in the Users container.
1. 2. 3. 4. 5. Switch to the 6433A-NYC-DC1 computer. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers. In the Active Directory Users and Computers window, expand the Contoso.com domain, and then click the Users container. In the Active Directory Users and Computers window menu, click Action, click New, and then click Group. In the New Object Group window, type ADRedesign in the Group name field, and then click OK.
Task 2: Place the user accounts for Kern Sutton and Christine Koch into the ADRedesign group.
1. 2. 3. On NYC-DC1, in the Active Directory Users and Computers window, right-click the ADRedesign group, and then click Properties. In the ADRedesign Properties window, click the Members tab, and then click the Add button. In the Select Users, Contacts, Computers, Service Accounts, or Groups window, type Kern Sutton; Christine Koch in the Enter the object names to select field, click the Check Names button, and then click OK. In the ADRedesign Properties window, click OK.
4.
Task 3: Delegate full control over the Contoso.com domain to the ADRedesign group.
1. 2. 3. 4. 5. 6. 7. 8. 9. In Active Directory Users and Computers window, right-click the Contoso.com domain node, and then click Delegate Control. In the Delegation of Control Wizard window, click Next. On the Users or Groups page, click the Add button. In the Select Users, Computers, or Groups window, type ADRedesign into the Enter the object names to select field, click the Check Names button, and then click OK. On the Users or Groups page, click Next. On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next. On the Active Directory Object Type page, ensure that This folder, existing objects in this folder, and creation of new objects in this folder is selected, and then click Next. On the Permissions page, select the check box next to Full Control, and then click Next. On the Completing the Delegation of Control Wizard page, click Finish.
10. Close the Active Directory Users and Computers window.
Results: After completing this exercise, you should have created an administrative-level role group.
Exercise 2: Creating an Account Management Group

Task 1: Create the AcctMgmt group in the Users container.
1. 2. 3. 4. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers. In the Active Directory Users and Computers window, expand the Contoso.com domain, and then click the Users container. In the Active Directory Users and Computers window menu, click Action, click New, and then click Group. In the New Object Group window, type AcctMgmt in the Group name field, and then click OK.
Task 2: Place the user account for Ryan Ihrig into the AcctMgmt group.
1. 2. 3. 4. On NYC-DC1, in the Active Directory Users and Computers window, right-click the AcctMgmt group, and then click Properties. In the AcctMgmt Properties window, click the Members tab, and then click the Add button. In the Select Users, Contacts, Computers, Service Accounts, or Groups window, type Ryan Ihrig in the Enter the object names to select field, click the Check Names button, and then click OK. In the AcctMgmt Properties window, click OK.
Task 3: Grant create, delete, and manage user accounts privileges to the AcctMgmt group.
1. 2. 3. 4. 5. 6. 7. 8. In Active Directory Users and Computers window, right-click the Contoso.com domain node, and then click Delegate Control. In the Delegation of Control Wizard window, click Next. On the Users or Groups page, click the Add button. In the Select Users, Computers, or Groups window, type AcctMgmt in the Enter the object names to select field, click the Check Names button, and then click OK. On the Users or Groups page, click Next. On the Tasks to Delegate page, ensure that Delegate the following common tasks is selected, select the check box to select Create, delete, and manage user accounts, and then click Next. On the Completing the Delegation of Control Wizard page, click Finish. Close the Active Directory Users and Computers window.
Results: After completing this exercise, you should have created an account management group.
Exercise 3: Enabling and Configuring Auditing for Sensitive Groups

Task 1: Enable auditing by using Group Policy.
1. 2. 3. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management. In the Group Policy Management window, browse to and select the Group Policy Objects container, right-click the Default Domain Policy, and then click Edit. In the Group Policy Management Editor window, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click the Audit Policy node. In the details pane, double-click the Audit object access policy. In the Audit object access Properties window, select the check box to select Define these policy settings, select the check boxes to select Success and Failure, and then click OK. Close the Group Policy Management Editor window. Close the Group Policy Management console.
4. 5. 6. 7.
Task 2: Configure auditing settings for the Domain Admins, Enterprise Admins, ADRedesign, and AcctMgmt groups.
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers. In the Active Directory Users and Computers window menu, click View, and then click Advanced Features. In the navigation pane, click Users. In the details pane, right-click the Domain Admins group, and then click Properties. In the Domain Admins Properties window, click the Security tab, and then click the Advanced button. In the Advanced Security Settings for Domain Admins window, click the Auditing tab, and then click the Add button. In the Select User, Computer, Service Account, or Group window, type Authenticated Users in the Enter the object names to select field, click the Check Names button, and then click OK. In the Auditing Entry for Domain Admins window, select the check boxes next to Full control for both the Successful and Failed columns, and then click OK. In the Advanced Security Settings for Domain Admins window, click OK.
10. In the Domain Admin Properties window, click OK 11. Repeat steps 1 to 10 for the Enterprise Admins, ADRedesign, and AcctMgmt groups.
Task 3: Test auditing configuration.

1. 2. 3. 4. Open Active Directory Users and Computers. Add Ed Meadows to the ADRedesign group. Close Active Directory Users and Computers. Open Event Viewer and navigate to the Security Log.
5.
Check for an Active Directory object access entry for the AdRedesign group.
Results: After completing this exercise, you should have enabled and configured auditing for sensitive groups.

Lab Answer Key: Planning Network Addressing and Name Resolution
Module 3
Contents:
Exercise 1: Planning the Deployment of DHCP and DNS Servers Exercise 2: Implementing DNS Exercise 3: Implementing DHCP 2 3 5
Lab: Planning and Implementing DHCP and DNS

Exercise 1: Planning the Deployment of DHCP and DNS Servers
Read the email message and the proposal document in the main module document under Exercise 1.
Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document. Branch Office Network Infrastructure Plan: Network Services Document Reference Number: CW0711/1 Document Author Date Charlotte Weiss 25th July
Requirements Overview Specify which network services are required in each branch office and any changes that might be required in the head office to facilitate your proposals. Additional Information It is important that any router, server, or communications link failure do not adversely affect users. Branch Office Network Infrastructure Plan: Network Services Proposals 1. How many DHCP servers do you propose to deploy in the region? Answer: Assuming that the routers are all RFC-compliant, there is no need to deploy DHCP servers in each subnet. Perhaps, one DHCP server in each location would be sufficient. For fault tolerance, duplicate scopes configured at the head office DHCP server, with appropriate exclusions to support the 80/20 rule, would provide for addressing fault tolerance. 2. Where do you propose to deploy these servers? Answer: One DHCP server in each regional office 3. What name resolution services are required? Answer: Both DNS and NetBIOS name resolution are required. 4. To support the DNS name space in the sales division, how would you propose to configure DNS? Answer: There are two choices: a. Configure a subdomain for research in the existing contoso.com DNS name space. Then, create sufficient DNS servers for deployment to the region as secondary servers of the contoso.com zone. Create a delegation for the research.contoso.com zone in the contoso.com zone. Provide at least two name servers to support this delegated zone.
b.
5. Will you require WINS?
Branch Office Network Infrastructure Plan: Network Services Answer: Possibly 6. If so, how many WINS servers will you require for the region? Answer: Probably two, configured as replicas. 7. If not, how do you propose to support single-label names? Answer: Instead of WINS, the GlobalNames zone could be used.
Task 3: Compare your solution with the one provided in the Lab Answer Key
Results: In this exercise, you planned the placement of DHCP and DNS servers for the Contoso branch offices.
Exercise 2: Implementing DNS

Task 1: Configure the suffix for NYC-SVR2.
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR2. Click Start, right-click Computer, and then click Properties. In System, click Advanced system settings. In the System Properties dialog box, click Computer Name, and then click Change. In the Computer Name/Domain Changes dialog box, click More. In the DNS Suffix and NetBIOS Computer Name dialog box, in the Primary DNS suffix of this computer box, type research.contoso.com. Clear the Change primary DNS suffix when the domain membership changes check box, and then click OK. In the Computer Name/Domain Changes dialog box, click OK. In the Computer Name/Domain Changes prompt, click OK.
10. In the System Properties dialog box, click the Close. 11. In the Microsoft Windows dialog box, click Restart Now. 12. When the computer has restarted, log on with the following credentials: User name: Administrator Password: Pa$$w0rd Domain: Contoso
Task 2: Install the DNS server role on NYC-SVR2.

1. 2. On the Taskbar, click Server Manager. In Server Manager, in the navigation pane, click Roles.
3. 4. 5. 6. 7. 8. 9.
In the Results pane, click Add Roles. In the Add Roles Wizard, click Next. On the Select Server Roles page, select the DNS Server check box, and then click Next. On the DNS Server page, click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close. Close Server Manager.
Task 3: Create the research.contoso.com DNS zone.

1. 2. 3. 4. 5. 6. 7. 8. 9. Click Start, point to Administrative Tools, and then click DNS. In the navigation pane, expand NYC-SVR2, and then click Forward Lookup Zones. Right-click Forward Lookup Zones, and then click New Zone. In the New Zone Wizard, click Next. On the Zone Type page, click Primary zone, and then click Next. On the Zone Name page, in the Zone name box, type research.contoso.com, and then click Next. On the Zone File page, click Next. On the Dynamic Update page, click Allow both nonsecure and secure dynamic updates, and then click Next. On the Completing the New Zone Wizard page, click Finish.
10. In the navigation pane, click research.contoso.com.
Task 4: Create the research.contoso.com delegation.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-DC1. Click Start, point to Administrative Tools and then click DNS. In DNS Manager, expand Forward Lookup Zones, click Contoso.com, right-click research, and then click Delete. In the DNS dialog box, click Yes. Right-click Contoso.com and then click New Delegation. In the New Delegation Wizard, click Next. On the Delegated Domain Name page, in the Delegated domain box, type research, and then click Next. On the Name Servers page, click Add. In the New Name Server Record dialog box, in the Server fully qualified domain name (FQDN) box, type NYC-SVR2.research.contoso.com and in the IP Address list, type 172.16.16.2.
10. Click OK. 11. On the Name Servers page, click Next. 12. On the Completing the New Delegation Wizard page, click Finish.
Results: In this exercise, you deployed the DNS server to the first branch office.
Exercise 3: Implementing DHCP

Task 1: Install the DHCP role on NYC-SVR2.
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR2. On the Taskbar, click Server Manager. In Server Manager, in the navigation pane, click Roles, and then in the details pane, click Add Roles. In the Add Roles Wizard, click Next. On the Select Server Roles page, select the DHCP Server check box, and then click Next. On the Introduction to DHCP Server page, click Next. On the Select Network Connection Bindings page, click Next. On the Specify IPv4 DNS Server Settings page, in the Parent domain box, type research.contoso.com. In the Preferred DNS server IPv4 address box, type 172.16.16.2.
10. In the Alternate DNS server IPv4 address, type 10.10.0.10, and then click Next. 11. On the Specify IPv4 WINS Server Settings page, click Next. 12. On the Add or Edit DHCP Scopes page, click Next. 13. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server and then click Next. 14. On the Authorize DHCP Server page, click Next. 15. On the Confirm Installation Selections page, click Install. 16. On the Installation Results page, click Close, and then close Server Manager.
Task 2: Enable DHCP Relay.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-RTR. Click Start, point to Administrative Tools, and then click Routing and Remote Access. In Routing and Remote Access, in the navigation pane, expand NYC-RTR (local), expand IPv4, rightclick General, and then click New Routing Protocol. In the Routing protocols list, click DHCP Relay Agent, and then click OK. In the navigation pane, right-click DHCP Relay Agent, and then click New Interface. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then click OK. In the DHCP Relay Properties Local Area Connection 2 Properties dialog box, click OK. In the navigation pane, right-click DHCP Relay Agent, and then click New Interface. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 3, and then click OK.
10. In the DHCP Relay Properties Local Area Connection 3 Properties dialog box, click OK.
11. Right-click DHCP Relay Agent and then click Properties. 12. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 10.10.0.10, click Add, and then click OK. 13. Close Routing and Remote Access.
Task 3: Create the required scope for branch.

1. 2. 3. 4. 5. 6. Switch to NYC-SVR2. Click Start, point to Administrative Tools, and then click DHCP. In DHCP, in the navigation pane, expand nyc-svr2.research.consoto.com, expand IPv4, right-click IPv4, and then click New Scope. In the New Scope Wizard, click Next. On the Scope Name page, in the Name box, type Branch Office, and then click Next. On the IP Address Range page, complete the page using the following information and then click Next: 7. Start IP address: 172.16.16.4. End IP address: 172.16.16.254 Length: 24 Subnet mask: 255.255.255.0
On the Add Exclusions and Delay page, complete the page by using the following information, click Add, and then click Next: Start IP address: 172.16.16.200 End IP address: 172.16.16.254
8. 9.
On the Lease Duration page, click Next. On the Configure DHCP Options page, click Next.
10. On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next. 11. On the Domain Name and DNS Servers page, in the IP address box, type 172.16.16.2, click Add. 12. In the list of IP addresses, click 172.16.16.2, click Up, and then click Next. 13. On the WINS Servers page, click Next. 14. On the Activate Scope page, click Next. 15. On the Completing the New Scope Wizard page, click Finish.
Task 4: Add the branch office scope on NYC-DC1

1. 2. 3. 4. Switch to NYC-DC1. Click Start, point to Administrative Tools, and then click DHCP. In DHCP, expand nyc-dc1.contoso.com. In DHCP, in the navigation pane, expand IPv4, right-click IPv4, and then click New Scope.
5. 6. 7.
In the New Scope Wizard, click Next. On the Scope Name page, in the Name box, type Branch Office Backup Scope and then click Next. On the IP Address Range page, complete the page by using the following information and then click Next: Start IP address: 172.16.16.4. End IP address: 172.16.16.254 Length: 24 Subnet mask: 255.255.255.0
8.
On the Add Exclusions and Delay page, complete the page by using the following information, click Add, and then click Next: Start IP address: 172.16.16.4 End IP address: 172.16.16.199
9.
On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Next. 11. On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next. 12. On the Domain Name and DNS Servers page, in the Parent domain box, type research.contoso.com. In the IP address box, type 172.16.16.2, click Add. 13. In the list of IP addresses, click 172.16.16.2, click Up, and then click Next. 14. On the WINS Servers page, click Next. 15. On the Activate Scope page, click Next. 16. On the Completing the New Scope Wizard page, click Finish.
Task 5: Configure NYC-CL2 for DHCP.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the NYC-CL2 computer. Click Start, and in the Search box, type Network and Sharing and then press Enter. In Network and Sharing Center, click Change adapter settings. In Network Connections, right-click Local Area Connection 3 and then click Properties. In the Local Area Connection 3 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4). In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically. Click Obtain DNS server address automatically and then click OK. In the Local Area Connection 3 Properties dialog box, click OK. Click Start, and in the Search box, type cmd.exe, and press Enter.
Ipconfig /all
11. Answer the following questions: a) What is the IP address of NYC-CL2? Answers may vary, but it is likely to be 172.16.16.4. b) What is the DHCP server IP address? 172.16.16.2 i.e. NYC-SVR2 12. Leave windows open for next (optional) exercise. Results: In this exercise, you implemented DHCP for the branch offices.

Lab Answer Key: Planning and Provisioning Active Directory Domain Services
Module 4
Contents:
Exercise 1: Planning an Active Directory Structure Exercise 2: Active Directory Domain Services Backup and Recovery Exercise 3: Configuring Active Directory Recycle Bin 2 3 5
Lab: Planning for Active Directory Domain Services

Exercise 1: Planning an Active Directory Structure
Read the supporting documentation.
Task 2: Update the Branch Office Planning document with your proposals.
Answer the questions in the Branch Office Planning document. Branch Office Planning Document Reference Number:GW0809/2 Document Author Date Gregory Weber September 1
Requirement Overview To determine the placement and configuration of domain controllers and related services at the western region sales offices. Additional Information It is important that in the event of a link failure between the head office and branch offices, users are still able to log on to the network and access services. Proposals 1. Do you intend to deploy a domain controller in the branch offices? How many? Answer: Yes, one domain controller per branch. 2. Will you deploy an RODC? Answer: Yes. The need for security is important; an RODC provides for a more secure way of deploying a domain controller. 3. How will you optimize the directory replication for the branches? Answer: Each branch will be represented in Active Directory by a site object. 4. How will domain controllers know in which branch they are located? Answer: Subnet objects should also be created and associated with a site. The domain controllers and other computers use their IP configuration to determine their site location in Active Directory. 5. Do you anticipate the need for global catalog services? Answer: Yes. Many services require access to global catalog. 6. How will you configure global catalog and DNS? Answer: An RODC can support the global catalog and DNS role. 7. Which additional Active Directoryrelated services are required to support the branch office line-of-business applications?
Branch Office Planning Answer: A line-of-business application requires access to a directory service. AD LDS might be suitable.
Results: In this exercise, you planned an AD DS strategy.
Exercise 2: Active Directory Domain Services Backup and Recovery

Task 1: Install the Windows Server Backup Feature.
1.
2.
Switch to NYC-DC1. On NYC-DC1, click Start, click Administrative Tools, and then click Server Manager In the Server Manager window, click the Features node in the left hand pane, and then click Add Features in the right-hand pane. In the Add Features Wizard window, scroll down, expand Windows Server Backup Features, and then click the checkbox to select Windows Server Backup. Click Next. In the Confirm Installation Selections screen, click Install. Installation will take a few moments. In the Installation Results screen, click Close. Close the Server Manager window.
3. 4. 5. 6. 7.
Task 2: Perform a system state backup of NYC-DC1.

1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start, click Administrative Tools, and then click Windows Server Backup. In the Windows Server Backup window, click Backup Once in the Actions pane. In the Backup Once Wizard window, click Next. In the Select Backup Configuration screen, select Custom, and then click Next. In the Select Items for Backup screen, click Add Items. In the Select Items window, click the check box to select System state and then click OK. In the Select Items for Backup screen click Next. In the Specify Destination Type screen, ensure that Local drives is selected and then click Next. In the Select Backup Destination screen, ensure that Backup Destination is Allfiles (D:), and then click Next.
10. In the Confirmation screen, click Backup. Note Backup will take approximately 30 minutes.
11. When the backup is complete, click Close. 12. Close the Windows Server Backup window.
Task 3: Simulate unwanted changes to the AD DS structure.

1. 2. 3. 4. 5. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers. In the Active Directory Users and Computers window, expand the Contoso.com node, right-click the IT node in the navigation pane, and then click Delete. In the Active Directory Domain Services window, click Yes. In the Confirm Subtree Deletion window, click Yes. Close Active Directory Users and Computers.
Task 4: Restore the AD DS database from backup.

1. 2. 3. 4. 5. 6. 7. On NYC-DC1, click Start, click Run, type msconfig into the Open field and then press Enter. In the System Configuration window, click the Boot tab. On the Boot tab, click the check box to select Safe boot, select Active Directory repair, and then click OK. In the System Configuration pop-up window, click Restart. The computer will restart. Log on to NYC-DC1 as NYC-DC1\Administrator with a password of Pa$$w0rd. On NYC-DC1, click Start, click Run, type cmd into the Open field and then press Enter. At the command prompt, type the following and press Enter. This will list the available backups to recover from on the D: drive for NYC-DC1. Record the Version Identifier information.
Wbadmin get versions
8. At the command prompt, type the following and press Enter. This will restore the system state from the backup to NYC-DC1.Use the version identifier recorded in the previous step in place of <versionidentifier>.
Wbadmin start systemstaterecovery -version:<versionidentifier>
Note 9.
Type Y and press Enter when prompted. Restore will take approximately 45 minutes
At the Press [Y] to restart the computer now prompt, type Y, and then press Enter. The computer will restart.
10. Log on to NYC-DC1 as Contoso\Administrator with a password of Pa$$w0rd. 11. In the notification window, press Enter. 12. Click Start, click Run, type msconfig into the Open field and then press Enter. 13. In the System Configuration window, click the Boot tab. 14. On the Boot tab, click the check box to deselect Safe boot, and then click OK. 15. In the System Configuration pop-up window, click Restart. The computer will restart. On restart, NYC-DC1 will run AD DS integrity checks to confirm the integrity of the newly restored AD DS database. 16. Log on to NYC-DC1 as Contoso\Administrator with a password of Pa$$w0rd.
17. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers. 18. In the Active Directory Users and Computers window, ensure that the IT OU appears under the Contoso.com node. 19. Close the Active Directory Users and Computers window Results: In this exercise, you configured AD DS backup and restore.
Exercise 3: Configuring Active Directory Recycle Bin

Task 1: Raise the forest functional level for Contoso.com.
1. 2. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. In Active Directory Module for Windows PowerShell, type the following command, and then press Enter.
Set-ADForestMode Identity contoso.com -ForestMode Windows2008R2Forest
3.
Press Y, and then press Enter.
Task 2: Enable Active Directory Recycle Bin.

1. In the Active Directory Module for Windows PowerShell, type the following command, and then press Enter.
Enable-ADOptionalFeature Identity CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com Scope ForestOrConfigurationSet Target contoso.com
2. 3.
Press Y, and then press Enter. Close the Active Directory Module for Windows PowerShell window.
Task 3: Create and delete a test object in the Contoso.com domain.

1. 2. 3. 4. 5. 6. 7. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers. In the Active Directory Users and Computers window, expand the Contoso.com domain. Right-click on the IT OU, click New, and then click User. In the New Object User window, type Mary in the First name field, type Mary in the User logon name field, and then click Next. In the New Object User window, type Pa$$w0rd into the Password and Confirm password fields and then click Next. In the New Object User window, click Finish. In the Active Directory Users and Computers window, click on the IT OU, right-click on the Mary user account object and then click Delete.
Task 4: Restore the deleted test object from Active Directory Recycle Bin.
1. 2. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. In Active Directory Module for Windows PowerShell, type the following command, and then press Enter.
Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects
Note 3.
The user account named Mary should appear in the list of objects.
In the Active Directory Module for Windows PowerShell, type the following command, and then press Enter.
Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject
4. 5. 6. 7. 8. 9.
Close the Active Directory Module for Windows PowerShell window. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers. In the Active Directory Users and Computers window, expand the Contoso.com domain, click the IT OU and note that the user account for Mary is again present in the IT OU. Right-click the user account for Mary and then click Delete. In the Active Directory Domain Services window, click Yes to confirm deletion. Close the Active Directory Users and Computers window.
Results: In this exercise, you configured Active Directory Recycle Bin.

Lab Answer Key: Planning Group Policy Strategy
Module 5
Contents:
Exercise 1: Planning Group Policy Exercise 2: Implementing the Proposed GPO Plan 2 3
Lab: Planning and Implementing Group Policy

Exercise 1: Planning Group Policy.
1. 2. Read the email message and the proposal document in the main module document under Exercise 1. Where necessary, review the existing Active Directory Domain Services (AD DS) and Group Policy infrastructure: a. b. c. d. e. f. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers. Review the Active Directory structure as necessary. Close Active Directory Users and Computers. Click Start, point to Administrative Tools, and click Group Policy Management. Review the existing Group Policy configuration as necessary. Close Group Policy Management.
Answer the questions in the Contoso Group Policy Plan document. This is located in the main module document under Exercise 1. Contoso Group Policy Plan Document Reference Number: CW0911/1 Document Author Date Charlotte Weiss 16th September
Requirements Overview To create the AD DS infrastructure required to support GPO deployment. To create GPOs and link them to the containers in AD DS. To configure filtering and loopback processing as required to fine-tune the GPO application. Proposals 1. How will you accommodate the requirement to block access to removable read and write storage devices on office computers and ensure that this setting cannot be overridden? Answer: Create a GPO with the required settings to restrict use of removable storage devices. Link this to the appropriate AD DS container. For example, if all computers in the domain must adhere to this restriction, link the policy to the domain container. To ensure that the settings cannot be overridden, configure Enforced on the new GPO. Recommended settings: Enable both Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny read access and Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access 2. How do you intend to allow new users in the branch offices to be able to manage branch office
Contoso Group Policy Plan GPOs and not head office GPOs? Answer: Create an AD DS security group and add the new user to this group. Assign the group the required GPO management permissions on the branch offices GPOs. 3. How do you propose to support the different application needs of sales and office staff in the branch offices? Answer: Create a GPO for each group at the branch offices. Use Security filtering to restrict the assignment of the GPO to the required group. For example, create a GPO for assigning a required application to the Sales team. Link the GPO to the branch office organizational unit. Modify the default GPO permissions by removing the Authenticated Users entry from the Access Control List (ACL). Add the Sales security group to the GPOs ACL with the read and apply group policy permissions. 4. What changes to you plans must you make to support the training lab requirements? Answer: The policy to apply the removable storage restriction if applied at the domain level and enforced cannot be easily bypassed; blocking inheritance is overridden by using enforcement. One solution is to apply the removable storage restriction in a GPO that is linked to all organizational units that contain office computers and not to the separate OU that contains the training lab computers. A different approach would be to use security group filtering to deny the apply policy permission to a group that contains lab computers.
Results: In this exercise, you completed the Contoso Group Policy Plan.
Exercise 2: Implementing the Proposed GPO Plan

You will implement only a portion of the settings.
Task 1: Study the additional planning documentation.

View the organizational unit plan and study the Group Policy Objects table located in the main module document beneath the Task 1 heading.
Task 2: Create the OU structure.

1. 2. 3. 4. 5. 6. Switch to NYC-DC1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. In Active Directory Users and Computers, if necessary, expand Contoso.com, and then click Contoso.com. Right-click Contoso.com, point to New, and then click Organizational Unit. In the New Object- Organizational Unit window, in the Name box, type Head Office, and then click OK. Right-click Contoso.com, point to New, and then click Organizational Unit.
7. 8. 9.
In the New Object - Organizational Unit window, in the Name box, type Branches, and then click OK. Right-click Branches, point to New, and then click Organizational Unit. In the New Object - Organizational Unit window, in the Name box, type Branch1, and then click OK.
10. Right-click Branches, point to New, and then click Organizational Unit. 11. In the New Object - Organizational Unit window, in the Name box, type Branch2, and then click OK. 12. Right-click Branches, point to New, and then click Organizational Unit. 13. In the New Object - Organizational Unit window, in the Name box, type Branch3, and then click OK.
Task 3: Create the GPO for enforced security

1. 2. 3. 4. 5. 6. 7. 8. 9. In Active Directory Users and Computers, right-click Head Office, point to New, and then click Group. In the New Object Group window, in the Group name box, type Lab Computers, and then click OK. Right-click Head Office, point to New, and then click Computer. In the New Object Computer window, in the Computer name box, type Lab1, and then click OK. Click Head Office, right-click Lab1, and then click Add to a group. In the Select Groups window, in the Enter the object names to select box, type Lab Computers, and then click OK. Click OK to close the message stating that the operation was successful. Click Start, point to Administrative Tools, and then click Group Policy Management. In Group Policy Management, expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.
10. Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here. 11. In the New GPO window, in the Name box, type Enforced Security, and then click OK. 12. Right-click Enforced Security, and then click Edit. 13. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates :Policy definitions (ADMX files) retrieved from the local machine, expand System, and then click Removable Storage Access. 14. In the right pane, double-click Removable Disks: Deny read access. 15. In the Removable Disks: Deny Read Access Properties window, click Enabled, and then click OK. 16. In the right pane, double-click Removable Disks: Deny write access. 17. In the Removable Disks: Deny write access Properties window, click Enabled, and then click OK. 18. Close the Group Policy Management Editor. 19. In the Group Policy Management window, right-click Enforced Security, and then click Enforced.
20. In the left pane, click Enforced Security. 21. If necessary, in the Group Policy Management Console window, select the Do not show this message again check box, and then click OK. 22. Click the Delegation tab, and then click Advanced. 23. In the Enforced Security Security Settings window, click Add, type Lab Computers, and then click OK. 24. In the Permissions for Lab Computers area, select both the Deny Read and Deny Apply group policy check boxes, and then click OK. 25. In the Windows Security window, click Yes to continue.
Task 4: Create the GPO for Branch 1 preferences.

1. 2. 3. 4. 5. 6. 7. 8. 9. In the Group Policy Management window, in the left pane, click Group Policy Objects. Right-click Group Policy Objects, and then click New. In the New GPO window, in the Name box, type Branch1 Preferences, and then click OK. Right-click Branch1 Preferences, and then click Edit. In the Group Policy Management Editor window, under User Configuration, expand Preferences, expand Windows Settings, and then click Drive Maps. Right-click Drive Maps, point to New, and then click Mapped Drive. In the Location box, type \\Branch1Srv\Shared. In the Drive Letter area, select drive letter S, and then click OK. Close the Group Policy Management Editor window.
10. In the Group Policy Management window, in the left pane, expand Branches, and then click Branch1. 11. Right-click Branch1, and then click Link an Existing GPO. 12. In the Select GPO window, click Branch1 Preferences, and then click OK.
Task 5: Create the GPOs for applications.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to Active Directory Users and Computers. In Active Directory Users and Computers, right-click Branches, point to New, and then click Group. In the New Object Group window, in the Group name box, type Sales Staff, and then click OK. Right-click Branches, point to New, and then click Group. In the New Object Group window, in the Group name box, type Office Staff, and then click OK. Close Active Directory Users and Computers. In the Group Policy Management window, in the left pane, click Group Policy Objects. Right-click Group Policy Objects, and then click New. In the New GPO window, in the Name box, type Sales Applications, and then click OK.
10. Right-click Group Policy Objects, and then click New.
11. In the New GPO window, in the Name box, type Office Applications, and then click OK. 12. In the left pane, expand Group Policy Objects, and then click Sales Applications. 13. In the Security Filtering area, click Authenticated Users, and then click Remove. 14. Click OK to confirm. 15. Click Add, type Sales Staff, and then click OK. 16. In the left pane, click Office Applications. 17. In the Security Filtering area, click Authenticated Users, and then click Remove. 18. Click OK to confirm. 19. Click Add, type Office Staff, and then click OK. 20. Right-click Branch1, and then click Link an Existing GPO. 21. In the Select GPO window, click Sales Applications, and then click OK. 22. Right-click Branch1, and then click Link an Existing GPO. 23. In the Select GPO window, click Office Applications, and then click OK.
Task 6: Verify application of policies for Branch 1 sales staff.

1. 2. 3. 4. 5. 6. 7. 8. 9. In the Group Policy Management window, in the left pane, click Group Policy Modeling. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard. In the Group Policy Modeling Wizard window, click Next. On the Domain Controller Selection page, click Next to accept the default setting of Any available domain controller running Windows Server 2003 or later. On the User and Computer Selection page, in the User information area, click Browse. In the Choose User Container window, expand Contoso, expand Branches, click Branch1, and then click OK. On the User and Computer Selection page, in the Computer information area, click Browse. In the Choose Computer Container window, expand Contoso, expand Branches, click Branch1, and then click OK. On the User and Computer Selection page, click Next.
10. On the Advanced Simulation Options page, click Next to select no options. 11. On the User Security Groups page, click Add, type Sales Staff, and then click OK. 12. Select the Skip to the final page of this wizard without collecting additional data check box, and then click Next. 13. On the Summary of Selections page, click Next. 14. To view the model, click Finish. 15. In the Branch1 on Branch1 area, under Computer Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs. Default Domain Policy has computer settings and is applied to computers in Branch1.
Enforced Security has computer settings and is applied to computers in Branch1. Office Applications is denied due to security filtering. The computer is not a member of the necessary group. Sales Applications is denied due to security filtering. The computer is not a member of the necessary group. Branch1 Preferences is denied because there are no relevant settings for computers. If computer settings are added to Branch1 Preferences, they would be applied.
16. Under User Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs. Branch1 Preferences has user settings and is applied to users in Branch1. Enforced Security is denied because there are no relevant settings for users. If user settings are added to Enforced Security, they would be applied. Default Domain Policy is denied because there are no relevant settings for users. If user settings are added to Default Domain Policy, they would be applied. Office Applications is denied due to security filtering. The user is not a member of the necessary group. Sales Applications is denied because there are no relevant settings for users. After the sales applications are added to the policy, they will be distributed to members of the Sales Staff group.
Results: In this exercise, you implemented the appropriate group policies for users in Branch 1.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert.
Lab Answer Key: Planning Active Directory Certificate Services
Module 6
Contents:
Exercise 1: Plan Certificate Services Deployment Exercise 2: Configure Stand-alone Root and Enterprise Subordinate CA Exercise 3: Configuring Key Archiving and Recovery Exercise 4: Configure Online Certificate Status Protocol Array
2 3 5 7
Lab: Configuring Certificate Services

Exercise 1: Plan Certificate Services Deployment
Task 1: Read the Contoso Certificate Services Deployment Plan document.
1. Read the Contoso Certificate Services Deployment Plan. Contoso Name Resolution Plan Document Reference Number: GW1203/1 Document Author Date Sam Abolrous January 26
Requirements Overview 1. Contoso Australia wants to use Active Directory Certificate Services to deploy certificates to support the following certificate types: Computer certificates for SSL and TLS and DirectAccess Encrypting File System certificates BitLocker and EFS Data Recovery Agents Key Recovery Agent certificates 2. Contoso Australias head office location is in Melbourne, Australia. There are branch offices in the state capital cities of Sydney, Adelaide, Perth, and Hobart. 3. Your design needs to ensure that certificates can be renewed in the event of a WAN failure. 4. Your design needs to ensure that revocation checks can occur in the event of a WAN failure. 5. Your design should minimize the impact that revocation checks have on network utilization. 6. The root certificate authority should be made as secure as possible.
Task 2: Update the Visio diagram, placing AD CS servers at each site.

1. 2. On NYC-CL1, Open the Visio diagram that represents the Contoso Australia network. You can find this document located on NYC-CL1 in the D:\Labfiles\Mod05 folder. Copy items representing each type of Active Directory Certificate Services component type to each site. You may need to use the same item in more than one location, and you may need to deploy multiple items to the same location.
Task 3: Discuss your AD CS deployment plan.

1. Discuss your solutions with the class including the impact that Certificate Services configuration decisions, such as whether certificate renewal and CRL checks can occur when the WAN link is down. Consider the following answers to the questions posed in the student handbook:
You would deploy an offline root CA as the way of doing the most to ensure the security of the root CA. You need to deploy an enterprise subordinate CA in each site to issue and renew the certificate types specified in the objectives and to ensure that certificate renewal and issuance will work when WAN links are down. You would use an online responder array to reduce the amount of data transferred during CRL checks. You need to deploy a member of the online responder array in each site to ensure that CRL checks can occur when WAN links are unavailable
Results: In this exercise, you planned an appropriate certificate services configuration for Contoso.
Exercise 2: Configure Stand-alone Root and Enterprise Subordinate CA

In this exercise, you will configure a stand-alone root CA and publish the CA certificate to Active Directory. You will also install enterprise subordinate CA that will be subordinate to the enterprise root CA installed on NYC-DC1.
Task 1: Install a stand-alone root CA.

In this task, you will install a standalone root CA and then publish the CA certificate to Active Directory. 1. 2. Switch to NYC-SVR1. Open an elevated command prompt and enter the following commands, pressing Enter after each command.
Mkdir c:\CERTS Net share CERTS=c:\CERTS /grant:everyone,change
3. 4. 5. 6. 7. 8. 9.
Close the command prompt. Switch to NYC-CA1. Click Start, right-click Computer, and then click Properties. Click Advanced system settings. Click Computer Name. Click Change, and then click More. In the Primary DNS suffix of this computer input box, enter contoso.com, and then click OK three times. Click Close, and then click Restart Now.
10. When the server restarts, log on as Administrator, with the password, Pa$$w0rd. 11. Open Server Manager, right click Roles, and then click Add Roles. 12. On the Before You Begin page of the Add Roles Wizard, click Next. 13. On the Select Server Roles page, select the Active Directory Certificate Services check box, and click Next twice 14. On the Select Role Services page, select the check boxes Certification Authority and Certification Authority Web Enrollment. 15. When prompted, click Add Required Role Services, and then click Next.
16. On the Specify Setup Type page, select Standalone, and then click Next. 17. On the Specify CA Type page, ensure that Root CA is selected, and then click Next 18. On the Set Up Private Key page, ensure that Create a new private key is selected, and click Next. 19. On the Configure Cryptography for CA page, set the Key character length to 4096, and click Next. 20. On the Configure CA Name page, click Next. 21. On the Set Validity Period page, set the validity to 6 years, and then click Next four times. 22. On the Confirm Installation Selections page, click Install. 23. On the Installation Results page, click Close. 24. Open the Certification Authority console from the Administrative Tools menu. 25. Expand contoso-NYC-CA1-CA, right-click the Revoked Certificates node, click All Tasks, and then click Publish. 26. On the Publish CRL page, click OK. 27. Open an elevated command prompt, type the following command, and then press Enter.
Copy c:\windows\system32\certsrv\certenroll\*.* \\nyc-svr1\certs
28. Close the command prompt window. 29. Switch to NYC-DC1 30. Open an elevated command prompt, and type the following commands, pressing Enter at the end of each line.
Dnscmd /recordadd contoso.com nyc-ca1 A 10.10.0.20 Certutil -dspublish -f \\nyc-svr1\certs\NYC-CA1.contoso.com_contoso-NYC-CA1-CA.crt
Note This will publish the root certificate of stand-alone root CA to the enterprise root store in Active Directory. 31. Close the command prompt window.
Task 2: Install the Enterprise Subordinate CA.

In this task, you will configure an Enterprise Subordinate CA. This CA will be a subordinate of the Enterprise Root CA installed on NYC-DC1. 1. 2. Switch to NYC-SVR1. Open an elevated command prompt and run the following command.
gpupdate /force
3. 4. 5.
Close the command prompt Open the Server Manager console, right click Roles, and then click Add Roles. On the Before You Begin page of the Add Roles wizard, click Next.
6. 7. 8. 9.
On the Select Server Roles page, select Active Directory Certificate Services, and then click Next three times. On the Specify Setup Type page, select Enterprise, and then click Next. On the Specify CA Type page, select Subordinate CA, and then click Next. On the Set Up Private Key page, select Create a new private key and click Next three times.
10. On the Request Certificate from a Parent CA page, click Browse, and then click ContosoCA. Click OK. Click Next twice, and then click Install. 11. When the installation completes, click Close. Results: In this exercise, you installed both a stand-alone root CA and an Enterprise Subordinate CA.
Exercise 3: Configuring Key Archiving and Recovery

In this exercise, you will create an advanced EFS certificate template and configure that template for key archiving. You will issue a certificate from this template and then perform recovery on the key.
Task 1: Configure a key recovery agent.

In this task, you will configure a key recovery agent by configuring a CA to issue key recovery agent certificates, enroll a user in that certificate, and then configure the CA to use the certificate for key recovery. 1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, open the Certification Authority console. Expand Contoso-NYC-SVR1-CA, right-click the Certificate Templates node, and then click Manage. Right-click the Key Recovery Agent template, and then click Properties. Ensure that Publish certificate in Active Directory is selected, and then click OK. Close the Certificate Templates console. Right-click the Certificate Templates node, click New, and then click Certificate Template to Issue. Select the Key Recovery Agent template, and then click OK. Click Start, in the Search programs and files textbox type MMC, and then press Enter. On the File menu, click Add/Remove Snap-in.
10. Click Certificates, and then click Add. 11. Click My user account, click Finish, and then click OK. 12. Expand Certificates, right-click Personal, click All Tasks, and then click Request New Certificate. 13. Click Next twice, and then select Key Recovery Agent. Click Enroll. Click Finish. 14. In the Certification Authority console, click Pending Requests. Right-click the certificate in the Pending Request list, click All Tasks, and then click Issue. 15. Right-click Contoso-NYC-SVR1-CA, and then click Properties. 16. On the Recovery Agents tab, select Archive the Key, and then click Add. 17. In the Key Recovery Agent Selection dialog box, click OK, and then click Apply.
Note If no Key Recovery Agent is present, open an elevated command prompt, run the command certutil pulse, and reopen the CA properties dialog box. 18. When prompted to restart Active Directory Certificate Services, click Yes. 19. Click the Issued Certificates node. Right-click the listed certificate, click All Tasks, and then click Export Binary Data. 20. Select Save binary data to a file and then click OK. 21. Save the file as Recovery_Agent.cer to the Desktop. 22. In the Certificates console, right-click the Personal node, click All Tasks, and then click Import. 23. On the Welcome to the Certificate Import Wizard page, click Next. 24. On the File to Import page, click Browse. 25. Select Recovery_Agent.cer on the Desktop, and then click Open. 26. Click Next twice, click Finish, and then click OK.
Task 2: Configure a new certificate template that can be archived.

In this task, you will configure a new certificate template so that certificates issued from the template will automatically be archived. 1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, right-click the Certificate Templates node in the Certification Authority Console, and then click Manage. Right-click the Basic EFS certificate template, and then click Duplicate Template. In the Duplicate Template dialog box, click Windows Server 2008 Enterprise, and then click OK. In the Properties of New Template dialog box, set the Template display name to Advanced EFS, and then click Apply. On the Request Handling tab, click Archive subjects encryption private key, and then click Apply. On the Superseded Templates tab, click Add, click Basic EFS, and click OK. Click OK to close the Properties of New Template dialog box. Close the Certificate Templates Console. Right-click the Certificate Templates node, click New, and then click Certificate Template To Issue.
10. Click Advanced EFS, and then click OK.
Task 3: Issue, delete, and recover a certificate.

In this task, you will issue a certificate, delete that certificate, and then recover the certificate. 1. 2. 3. 4. On the MMC that has the Certificates - Current User Snap-In, right-click Personal, click All Tasks, and then click Request New Certificate. On the Before You Begin page, click Next twice. On the Certificate Enrollment page, select Advanced EFS, and then click Enroll. Click Finish to close the Certificate Enrollment dialog box.
5. 6. 7. 8. 9.
In the MMC that has the Certificates - Current User Snap-In, expand the Personal\Certificates node and verify that the Encrypting File System certificate is present. Double-click the Encrypting File System certificate. On the Details tab, make a note of the certificate serial number. Close the properties dialog box. Right-click the certificate and click Delete. Review the warning about being unable to decrypt data, and then click Yes. In the Certification Authority Console, select the Issued Certificates node, and then double-click the Advanced EFS certificate that was issued. On the Details tab, verify that the serial number matches the serial number you had made a note of, in Step 6 and then close the Certificate window. Note Looking through the list of issued certificates is the easiest way to determine the serial number of the certificate you wish to recover.
10. Open an elevated command prompt, and change to the c:\certs directory. 11. Issue the command, CertUtil -GetKeySearchTokenEFSKEY.cer where Search Token is the certificate serial number that you had made note of, in step 6. Note Do not put any spaces in the serial number when recovering the private key.
12. In the MMC that has the Certificates - Current User Snap-In, right-click the Personal\Certificates node, click All Tasks, and then click Import. 13. On the Certificate Import Wizard welcome page, click Next. 14. Click Browse and navigate to c:\certs\EFSKEY.cer, click Next twice, and click Finish. Click OK. Results: In this exercise, you configured a Key Recovery Agent, configured a certificate template so that private keys are archived, and performed a private key recovery.
Exercise 4: Configure Online Certificate Status Protocol Array

In this exercise, you will configure an online responder for the enterprise subordinate CA.
Task 1: Install OCSP and configure an OSCP Response Signing template.

1. 2. 3. 4. 5. 6. 7. On NYC-SVR1, switch to Server Manager, right-click Roles\Active Directory Certificate Services, and then click Add Role Services. Click Online Responder, and then click Add Required Role Services. Click Next three times, and then click Install. On the Installation Result page, click Close. Open the Certification Authority Console, expand Contoso-NYC-SVR1-CA, right-click the Certificate Templates node, and then click Manage. Right-click the OCSP Response Signing template, and then click Duplicate Template. On the Duplicate Template dialog box, ensure that Windows Server 2008 Enterprise is selected, and then click OK
8. 9.
Set the Template display name to Advanced OCSP Response Signing and check the Publish certificate in Active Directory option. On the Security tab, click Add, click Object Types, select Computers, click OK, enter the name NYCSVR1, and then click CheckNames. Click OK.
10. Set the permissions for NYC-SVR1 to Read, Enroll, and Autoenroll. 11. Click OK to close the Properties dialog box. 12. Close the Certificate Templates Console.
Task 2: Configure the CA to use the Online Responder.

1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, switch to the Certification Authority console. Right-click Contoso-NYC-SVR1-CA, and then click Properties. On the Extensions tab, under Select extension, select Authority Information Access (AIA), and then click Add. In the Location text box, enter http://nyc-svr1/ocsp, and then click OK. With http://nyc-svr1/ocsp selected, check the Include in the online certificate status protocol (OCSP) extension option, and then click OK. Click Yes when prompted to restart Active Directory Certificate Services. Right-click the Certificate Templates node. Click New, and then click Certificate Template to Issue. Click Advanced OCSP Response Signing, and then click OK. Click Start, in the Search programs and files textbox type MMC, and then press Enter.
10. Click File, and then click Add/Remove Snap-in. Click Certificates, and then click Add. Click Computer account, and then click Next. Verify that Local computer is selected, and then click Finish. Click OK. 11. Right-click the Personal\Certificates node, click All Tasks, and then click Request New Certificate. 12. On the Certificate Enrollment page, click Next twice. On the Request Certificates page, select Advanced OCSP Response Signing, and then click Enroll. Click Finish. 13. Expand Certificates (Local Computer), expand Personal, and then click Certificates. Right-click the new certificate, click All Tasks, and then click Manage Private Keys. 14. On the Security tab, click Add. Enter Network Service and click Check Names. Click OK. 15. Verify that the Network Service account has Full control permission, and then click OK.
Task 3: Create a revocation configuration.

1. 2. 3. 4. On NYC-SVR1, open the Online Responder Management console from the Administrative Tools menu. Right-click Revocation Configuration, click Add Revocation Configuration, and then click Next. On the Name the Revocation Configuration page, enter NYC-SVR1, and then click Next. On the Select CA Certificate Location page, select the Select a certificate for an Existing enterprise CA option, and then click Next.
5. 6. 7. 8. 9.
On the Choose CA Certificate page, select Browse CA certificatespublished in Active Directory, and then click Browse. Click Contoso-NYC-SVR1-CA, and then click OK. Click Next. On the Select Signing Certificate page, ensure that Automatically select a signing certificate and Auto-Enroll for an OCSP signing certificate are selected, and then click Next. On the Revocation Provider page, click Finish. Verify that the Revocation Configuration Status is set to Working.
Task 4: Verify revocation configuration.

1. 2. 3. 4. 5. On the MMC that has the Certificates - Current User Snap-In, right-click Personal, click All Tasks, and then click Request New Certificate. (Be sure to use the Current User snap-in). On the Before You Begin page, click Next twice. On the Certificate Enrollment page, select Administrator, and then click Enroll. Click Finish to close the Certificate Enrollment dialog. In the MMC that has the Certificates - Current User Snap-In, expand the Personal\Certificates node and verify that a certificate is present for the purpose of Microsoft Trust List Signing, Encrypting File System, Secure E-mail, Client Authentication. Double-click this certificate, Click the Details tab, make a note of the certificate serial number, and then close the Certificate dialog. On the Certification Authority console, click the Issued Certificates node, and then locate the certificate with the serial number you determined in step 6. Right-click this certificate, click All Tasks, and then click Revoke Certificate. On the Certificate Revocation dialog box, set the Reason Code to Change of Affiliation, and then click Yes.
6. 7. 8. 9.
10. Right-click the Revoked Certificates node, click All Tasks, and then click Publish. 11. On the Publish CRL dialog box, select New CRL, and then click OK. 12. In the MMC that has the Certificates - Current User Snap-In, expand the Personal\Certificates node, and right-click the certificate that is present for the purpose of Microsoft Trust List Signing, Encrypting File System, Secure E-mail, Client Authentication. 13. Click All Tasks, and then click Export. 14. On the Welcome to the Certificate Export Wizard, click Next. 15. Select No, do not export the private key, and then click Next. 16. Select DER Encoded Binary X.509 (.CER), and then click Next. 17. In the File name text box, enter c:\certs\admin.cer, click Next, click Finish, and then click OK. 18. Open an elevated command prompt and run the following command.
Certutil -url c:\certs\admin.cer
19. On the URL Retrieval Tool, ensure that OCSP (from AIA) is selected, and then click Retrieve. 20. Click Exit to close the URL Retrieval Tool
10
Note As all these actions are occurring quickly, the OSCP, while present, may not have picked up the revoked status of the certificate. Results: In this exercise, you configured an online responder array that can respond to CRL checks for certificates issued by the enterprise subordinate CA.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-SVR1, 6433A-NYC-CA1, and 6433A-NYC-CL1.
Lab Answer Key: Planning and Provisioning Application Servers
Module 7
Contents:
Exercise 1: Planning Application Deployment Exercise 2: Configuring Remote Desktop Policies Exercise 3: Installing and Configuring a Remote Desktop Gateway 2 3 4
Lab: Planning and Provisioning Application Servers

Exercise 1: Planning Application Deployment
Read the email and the proposal document in the main module document under Exercise 1.
Answer the questions in the Application Server Deployment Plan document. Application Server Deployment Plan Document Reference Number: CW0729/1 Document Author Date Charlotte Weiss 29th July
Requirements Overview Determine the appropriate application delivery method to use for the Marketing departments new CRM application. Document Reference Number: CW0729/1 Application Deployment Plan Proposals 1. What type of application configuration should be used for the CRM application? Answer: Remote Desktop Session Host presentation virtualization should be used for this implementation. Due to the spread-out nature of the users and the specific requirements of the application, this method will provide the best performance and scalability for the application while requiring relatively few new resources. 2. Where should the application host servers be located within branch network of Contoso, Ltd? Answer: The application servers should be hosted in New York, where the database server is located. A large amount of network bandwidth will be required between the application servers and the database server. 3. How can the application deployment be implemented to handle the current user load and easily scale to accommodate user growth? Answer: A server farm should be created in the New York location. The Remote Desktop Connection Broker service should be installed to implement application load balancing for the farm. 4. How should the application deployment integrate with the server component of the CRM application? Answer: The applications running on the RD Session Host farm group members should be
Application Server Deployment Plan configured to connect to the CRM database server over the network. Adequate network configuration should be implemented between RD Session Host servers and the database server to avoid affecting the applications performance negatively. 5. What potential issues could arise with the current configuration? How could these issues be rectified? Answer: There is currently only one RD Connection Broker in the deployment. Failure of this server would result in the temporary unavailability of the RD Session Host servers. This could be rectified by configuring the RD Connection Broker server as a member of a failover cluster.
Results: In this exercise, you planned the deployment of application servers.
Exercise 2 Configuring Remote Desktop Policies

Task 1: Create the CRMAppServers Organizational Unit
1. 2. 3. 4. Switch to NYC-DC1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management. In the Group Policy Management window, expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click the Marketing OU and then click New Organizational Unit. In the New Organizational Unit window, type CRMAppServers into the Name field and then click OK.
Task 2: Create a Group Policy Object called AppServerPolicy and link it to the CRMAppServers OU.
1. 2. 3. 4. On NYC-DC1, in the Group Policy Management window, click Group Policy Objects, right-click Group Policy Objects, and then click New. In the New GPO window, type CRMAppPolicy, and then click OK. In the Group Policy Management window, expand Marketing, click Group Policy Objects, and then drag the CRMAppPolicy GPO to the CRMAppServers OU. In the Group Policy Management window, click OK.
Task 3: Edit the AppServerPolicy GPO.

1. 2. On NYC-DC1, in the Group Policy Management window, right-click CRMAppPolicy, and then click Edit. In the Group Policy Management Editor window, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, expand Remote Desktop Session Host, and then click Session Time Limits. In the details pane, double-click Set time limit for disconnected sessions.
3.
4. 5. 6.
In the Set time limit for disconnected sessions window, select Enabled, click the drop-down box to select 5 minutes for End a disconnected session, and then click OK. Close the Group Policy Management Editor window. Close the Group Policy Management window.
Results: In this exercise, you configured Remote Desktop policies.
Exercise 3: Installing and Configuring a Remote Desktop Gateway

Task 1: Enable Remote Desktop on NYC-SVR1.
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the 6433A-NYC-SVR1 virtual machine On NYC-SVR1, open Server Manager. In the right-hand pane of the Server Manager window, click Configure Remote Desktop. In the System Properties window, select Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure). In the Remote Desktop Connection pop-up window, click OK. In the System Properties window, click Select Users. In the Remote Desktop Users window, click Add. In the Select Users or Groups dialog box, type IT; Production, and then click OK . In the Remote Desktop Users window, click OK.
10. In the System Properties window, click OK. 11. Close the Server Manager window.
Task 2: Configure Network Settings on NYC-SVR2.

1. 2. 3. 4. 5. 6. 7. 8. 9. In Hyper-V Manager, right-click on 6433A-NYC-SVR2 and then click Settings. In the Settings for 6433A-NYC-SVR2 window, click on Network Adapter in the left-hand pane. In the right hand pane, click the drop-down menu under Network, select Private Network and then click OK. Close the Settings for 6433A-NYC-SVR2 window. Connect to 6433A-NYC-SVR2, and log on as Contoso\Administrator. Click Start, type network in the Start Menu search field and then click View network connections. In the Network Connections window, right-click Local Area Connection 2 and then click Properties. In the Local Area Connection 2 Properties window, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties. Change the IP address field to 10.10.0.60.
10. Change the Subnet Mask field to 255.255.0.0. 11. Change the Default gateway field to 10.10.0.10. 12. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click OK.
13. In the Local Area Connection 2 Properties window, click Close. 14. Close the Network Connections window.
Task 3: Install the Remote Desktop Gateway role service.

1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR2, open Server Manager. Click Roles, and then click Add Roles. In the Add Roles Wizard, on the Before You Begin page, click Next. On the Select Server Roles page, under roles, select the Remote Desktop Services check box, and then click Next. On the Remote Desktop Services page, click Next. On the Select Role Services page, select the Remote Desktop Gateway check box. Click Add Required Role Services. On the Select Role Services page, click Next. On the Choose a Server Authentication Certificate for SSL Encryption page, click Create a selfsigned certificate for SSL encryption, and then click Next.
10. On the Create Authorization Policies for RD Gateway page, verify that Now is selected, and then click Next. 11. On the Select User Groups That Can Connect Through RD Gateway page, click Add. 12. In the Select Groups dialog box, type IT; Production, and then click OK to close the Select Groups dialog box. Click Next. 13. On the Create an RD CAP for RD Gateway page, enter the name TS_CAP_01 for the Remote Desktop Connection Authorization Policy (RD CAP), verify that Password is selected, and then click Next. 14. On the Create an RD RAP for RD Gateway page, enter the name TS_RAP_01 for the Remote Desktop Resource Authorization Policy (RD RAP), and then select Allow users to connect to any computer on the network. Click Next. 15. On the Network Policy and Access Services page, review the summary information, and then click Next. 16. On the Select Role Services page, verify that Network Policy Server is selected, and then click Next. 17. On the Web Server (IIS) page, review the summary information, and then click Next. 18. On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next. 19. On the Confirm Installation Selections page, click Install. 20. On the Installation Results page, click Close.
Task 4: Export the certificate for Remote Desktop Gateway.

1. 2. On NYC-SVR2, click Start, click Run, type mmc, and then click OK. On the File menu, click Add/Remove Snap-in.
3. 4. 5. 6. 7. 8. 9.
In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add. In the Certificates snap-in dialog box, click Computer account, and then click Next. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish. In the Add or Remove snap-ins dialog box, click OK. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Personal, and then click Certificates. Right-click the certificate NYC-SVR2.contoso.com that was issued by NYC-SVR2.Contoso.com, point to All Tasks, and then click Export. On the Welcome to the Certificate Export Wizard page, click Next.
10. On the Export Private Key page, verify that No, do not export the private key is selected, and then click Next. 11. On the Export File Format page, ensure that DER encoded binary X.509 (.CER) is selected, and then click Next. 12. On the File to Export page, in the File name box, type C:\CertExport.cer, and then click Next. 13. On the Completing the Certificate Export Wizard page, click Finish. 14. After the certificate export completes successfully, a message appears confirming that it was successful. Click OK. 15. Close the Console snap-in without saving any changes.
Task 5: Run the Remote Desktop Service Best Practices Analyzer.

1. 2. 3. 4. 5. 6. 7. 8. On NYC-SVR2, in Server Manager, click Roles. In the Remote Desktop Services section in the right-hand pane, click Got to Remote Desktop Services. On the Remote Desktop Services page, in the Best Practices Analyzer section, click Scan this Role. When the scan finishes, double-click the Error message. Review the contents of the error, and then click Close. Double-click the Warning message. Review the contents of the error, and then click Close. In the left pane, expand Remote Desktop Service, expand RD Gateway Manager, and then click NYC-SVR2 (Local). Right-click NYC-SVR2 (Local), and then click Properties. On the SSL Certificate tab, verify that the NYC-SVR2.Contoso.com certificate is installed, and then click OK.
Task 6: Import the certificate on a client computer.

1. 2. 3. If required, connect to 6433A-NYC-CL1, and log on as Contoso\Administrator. Click Start, in the Search box, type mmc, and then press Enter. On the File menu, click Add/Remove Snap-in.
4. 5. 6. 7. 8. 9.
In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add. In the Certificates snap-in dialog box, click Computer account, and then click Next. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish. In the Add or Remove snap-ins dialog box, click OK. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates. Right-click the Certificates folder, point to All Tasks, and then click Import.
10. On the Welcome to the Certificate Import Wizard page, click Next. 11. On the File to Import page, in the File name box, type \\NYC-SVR2\c$\certexport.cer, and then click Next. 12. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next. 13. On the Completing the Certificate Import Wizard page, click Finish, and then click OK. 14. Close the Console1 snap-in without saving changes.
Task 7: Verify the Remote Desktop Gateway functionality.

1. 2. 3. 4. On NYC-CLI, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection. In the Remote Desktop Connection dialog box, click Options. On the Advanced tab, click Settings. On the RD Gateway Server Settings page, click Use these RD Gateway server settings, enter the following settings, and then click OK: 5. 6. 7. 8. Server name: NYC-SVR2.contoso.com Logon method: Allow me to select later Bypass RD Gateway server for local addresses: Clear check box
On the General tab, in the Computer box, type NYC-SVR1, and then click Connect. In the Windows Security dialog box, type Contoso\Andrea as the user name, type Pa$$w0rd as the password, and then click OK. Verify that you can connect to NYC-SVR1 through the Remote Desktop Gateway. Log off NYC-SVR1.
Results: In this exercise, you configured a Remote Desktop Gateway.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 to 3 for 6433A-NYC-SVR1, 6433A-NYC-SVR2, and 6433A-NYC-CL1.
Lab Answer Key: Planning File and Print Services
Module 8
Contents:
Exercise 1: Planning File Services Exercise 2: Implementing File Services in the Branch Office Exercise 3: Implementing Print Services in the Branch Office 2 4 9
Lab: Planning and Implementing File and Print Services

Exercise 1: Planning File Services
Read the email and the Branch Offices File and Print Service Deployment Plan document in the main module document beneath the exercise 1 scenario.
Answer the questions in the Branch Offices File and Print Service Deployment Plan document. Branch Offices File and Print Service Deployment Plan Document Reference Number:CW0111/1 Document Author Date Charlotte Weiss 1st November
Requirements Overview Implement file and print services in the branch offices. Migrate data from legacy systems running UNIX and Windows 2000 Server. Support the data storage needs of the three departments at the branch offices including: Home folders for each user. Departmental shared folders. Folders to store departmental Start Menu and Desktop settings. Automatic consolidation of marketing team data to central location each evening. Deploy print services to support the branch users. Proposals 1. Which file services role service will you deploy to support the needs of the branch office users? Answer: Distributed File System can be deployed to support a number of data consolidation or distribution configurations; it could be used to help to consolidate the marketing data. Services for Network File System will support the needs of the users of the UNIX application in the production team. File Server Resource Manager will enable you to manage storage more effectively at the branch, including managing quotas, implementing file screens to prevent storage of media files, and producing reports for department heads for charging purposes. 2. Which folder structure do you envisage to support the needs of the branch offices? Answer: Answers will vary, but may include a folder structure as shown below.
Branch Offices File and Print Service Deployment Plan
3. Which folder permissions do you envisage configuring on these folders? Answer: Answers may vary, depending upon the folder structure planned. However, the general principles are: Grant Modify NTFS permissions for a departmental security group on each departmental data folder. Grant Full Control NTFS permissions for each user on their own home folder. 4. Which shared folders will be required for the branch offices? Answer: Answers may vary, depending upon the folder structure planned. However, a suggested solution is: Share each departmental folder as a separate share. For example, create a shared folder called, Marketing, for the marketing data folder. Create a single shared folder for all users. For example, share User Data. Users can map a network drive through the user account properties to a subfolder on this parent shared folder. 5. Which permissions will you configure on these folders? Answer: The default permissions (Everyone Allow Read) are inappropriate. Remove this entry and then grant Authenticated users Full Control. This results in the NTFS file system permissions determining the effective permissions through the share. 6. What must you consider when planning to migrate files from the Windows 2000 Server? Answer: A legacy server cannot be migrated by using the migration wizard and you must use FSMT to migrate the data. 7. How will you meet the needs of department heads to determine storage usage? Answer: Implement quotas and use reports to determine usage. 8. How will you restrict file types that can be stored on the new server? Answer: Implement a file screen that prevents the storage of media file types.
Results: At the end of this exercise, you will have planned the file and print services deployment for the branch offices.
Exercise 2: Implementing File Services in the Branch Office

Task 1: Install the File Services role.
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR2. On the Taskbar, click Server Manager. In Server Manager, in the navigation pane, click Roles. In the results pane, click Add Roles. In the Add Roles Wizard, click Next. On the Select Server Roles page, select the File Services check box, and then click Next. On the File Services page, click Next. On the Select Role Services page, select the File Server Resource Manager check box, and then click Next. On the Configure Storage Usage Monitoring page, in the Volumes (NTFS volumes only): list, select the Local Disk (C:) check box, and then click Next.
10. On the Set Report Options page, click Next. 11. On the Confirm Installation Selections page, click Install. 12. On the Installation Results page, click Close.
Task 2: Create the required folders.

1. 2. 3. 4. 5. 6. 7. 8. On the Taskbar, click Windows Explorer. In Windows Explorer, in the navigation pane, click Local Disk (C:). On the menu, click New folder, type User Data, and then press Enter. On the menu, click New folder, type Departmental Data, and then press Enter. In Windows Explorer, in the results pane, double-click Departmental Data. On the menu, click New folder, type Marketing, and then press Enter. On the menu, click New folder, type Research, and then press Enter. On the menu, click New folder, type Production, and then press Enter.
Task 3: Enable file and printer sharing, and network discovery.

1. 2. Click Start, and in the Search box, type network and sharing, and then press Enter. In Network and Sharing Center, click Change advanced sharing settings.
3. 4. 5.
In Advanced sharing settings, in the Change sharing options for different networkprofiles list, click Turn on network discovery. Click Turn on file and printer sharing, and then click Save changes. Close Network and Sharing Center.
Task 4: Share and secure the marketing data folder.

1. 2. 3. 4. 5. 6. 7. 8. 9. In Windows Explorer, in the results pane, right-click Marketing, and then click Properties. In the Marketing Properties dialog box, click the Sharing tab. Click Advanced Sharing. In the Advanced Sharing dialog box, select the Share this folder check box. Click Permissions, and in the Permissions for Marketing dialog box, select the Allow Full Control check box, and then click OK. In the Advanced Sharing dialog box, click OK, and in the Marketing Properties dialog box, click the Security tab. Click Advanced, and in the Advanced Security Settings for Marketing dialog box, click Change Permissions. Clear the Include inheritable permissions from this objects parent check box, and in the Windows Security dialog box, click Add, and then click OK. In the Advanced Security Settings for Marketing dialog box, click OK.
10. In the Marketing Properties dialog box, click Edit, and in the Permissions for Marketing dialog box, in the Group or user names list, click Users (NYC-SVR2\Users), and then click Remove. 11. Click Add, and in the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type marketing, and then click Check Names. 12. Click OK, and in the Permissions for Marketing list, select the Allow Modify check box, and then click OK. 13. In the Marketing Properties dialog box, click Close.
Task 5: Share and secure the production data folder.

1. 2. 3. 4. 5. 6. 7. 8. In Windows Explorer, in the results pane, right-click Production, and then click Properties. In the Production Properties dialog box, click the Sharing tab. Click Advanced Sharing. In the Advanced Sharing dialog box, select the Share this folder check box. Click Permissions, and in the Permissions for Production dialog box, select the Allow Full Control check box, and then click OK. In the Advanced Sharing dialog box, click OK, and in the Production Properties dialog box, click the Security tab. Click Advanced, and in the Advanced Security Settings for Production dialog box, click Change Permissions. Clear the Include inheritable permissions from this objects parent check box, and in the Windows Security dialog box, click Add, and then click OK.
9.
In the Advanced Security Settings for Production dialog box, click OK.
10. In the Production Properties dialog box, click Edit, and in the Permissions for Production dialog box, in the Group or user names list, click Users (NYC-SVR2\Users), and then click Remove. 11. Click Add, and in the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type production, and then click Check Names. 12. Click OK, and in the Permissions for Production list, select the Allow Modify check box, and then click OK. 13. In the Production Properties dialog box, click Close.
Task 6: Share and secure the research data folder.

1. 2. 3. 4. 5. 6. 7. 8. 9. In Windows Explorer, in the results pane, right-click Research, and then click Properties. In the Research Properties dialog box, click the Sharing tab. Click Advanced Sharing. In the Advanced Sharing dialog box, select the Share this folder check box. Click Permissions, and in the Permissions for Research dialog box, select the Allow Full Control check box, and then click OK. In the Advanced Sharing dialog box, click OK, and in the Research Properties dialog box, click the Security tab. Click Advanced, and in the Advanced Security Settings for Research dialog box, click Change Permissions. Clear the Include inheritable permissions from this objects parent check box, and in the Windows Security dialog box, click Add, and then click OK. In the Advanced Security Settings for Research dialog box, click OK.
10. In the Research Properties dialog box, click Edit, and in the Permissions for Research dialog box, in the Group or user names list, click Users (NYC-SVR2\Users), and then click Remove. 11. Click Add, and in the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type research, and then click Check Names. 12. Click OK, and in the Permissions for Research list, select the Allow Modify check box, and then click OK. 13. In the Research Properties dialog box, click Close.
Task 7: Share and secure the user data folder.

1. 2. 3. 4. 5. 6. In Windows Explorer, in the Address bar, click Local Disk (C:). In the results pane, right-click User Data, and then click Properties. In the User Data Properties dialog box, click the Sharing tab. Click Advanced Sharing. In the Advanced Sharing dialog box, select the Share this folder check box. In the Share name box, type Users.
7. 8. 9.
Click Permissions, and in the Permissions for Users dialog box, select the Allow Full Control check box, and then click OK. In the Advanced Sharing dialog box, click OK, and in the User Data Properties dialog box, click the Security tab. Click Advanced, and in the Advanced Security Settings for User Data dialog box, click Change Permissions.
10. Clear the Include inheritable permissions from this objects parent check box, and in the Windows Security dialog box, click Add, and then click OK. 11. In the Advanced Security Settings for User Data dialog box, click OK. 12. In the User Data Properties dialog box, click Close.
Task 8: Create the user personal folders.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-DC1. Click Start, point to Administrative Tools, and then click Active Directory Usersand Computers. In the navigation pane, expand Contoso.com, and then click Marketing. In the Results pane, click Adam Carter, press Shift, and then click Venky Krishnan. All the users and groups in the organizational unit are highlighted. Press Ctrl and then click Marketing. This deselects the marketing group. Click the Action menu, and then click Properties. In the Properties for Multiple Items dialog box, click the Profile tab. Select the Home folder check box. Click Connect, and in the list, click H:
10. In the To: box, type \\NYC-SVR2\Users\%username%, and then click OK. 11. In the navigation pane, click Production. 12. In the Results pane, click Anders Madsen, press Shift, and then click Tengiz Kharatishvili. All the users and groups in the organizational unit are highlighted. 13. Press Ctrl, and then click Production. This deselects the production group. 14. Click the Action menu, and then click Properties. 15. In the Properties for Multiple Items dialog box, click the Profile tab. 16. Select the Home folder check box. 17. Click Connect, and in the list, click H:. 18. In the To: box, type \\NYC-SVR2\Users\%username%, and then click OK. 19. In the navigation pane, click Research. 20. In the Results pane, click Alan Brewer, press Shift, and then click Stephan Adolphi. All the users and groups in the organizational unit are highlighted. 21. Press Ctrl, and then click Research. This deselects the research group. 22. Click the Action menu, and then click Properties.
23. In the Properties for Multiple Items dialog box, click the Profile tab. 24. Select the Home folder check box. 25. Click Connect, and in the list, click H:. 26. In the To: box, type \\NYC-SVR2\Users\%username%, and then click OK. 27. Switch to NYC-SVR2. 28. In Windows Explorer, in the results pane, double-click User Data. The new folders are automatically created when you define the UNC name of the users home folders. 29. Close all open windows.
Task 9: Configure quotas.

1. 2. 3. 4. 5. 6. Click Start, point to Administrative Tools, and then click File Service Resource Manager. In File Server Resource Manager, in the navigation pane, expand Quota Management, and then click Quotas. Right-click Quotas, and then click Create Quota. In the Create Quota dialog box, in the Quota path box, type C:\Departmental Data. Click Auto apply template and create quotas on existing and new subfolders. Under How do you want to configure quota properties?, in the Derive properties from this quota template (recommended) list, click Monitor 500 MB Share, and then click Create.
Task 10: Implement file screens.

1. 2. 3. 4. 5. 6. 7. 8. 9. In File Server Resource Manager, in the navigation pane, expand File Screening Management, and then click File Screens. Right-click File Screens, and then click Create File Screen. In the Create File Screen dialog box, in the File screen path box, type C:\Departmental Data. Under How do you want to configure file screen properties?, in the Derive properties from this file screen template (recommended) list, click Block Audio and Video Files, and then click Create. Right-click File Screens, and then click Create File Screen. In the Create File Screen dialog box, in the File screen path box, type C:\User Data. Under How do you want to configure file screen properties?, in the Derive properties from this file screen template (recommended) list, click Block Audio and Video Files, and then click Create. In the navigation pane, right-click File Server Resource Manager (Local), and then click Configure Options. In the File Server Resource Manager Options dialog box, click the File Screen Audit tab.
10. Select the Record file screening activity in the auditing database check box, and then click OK. 11. Close File Server Resource Manager. Results: At the end of this exercise, you will have implemented elements of the branch office file services.
Exercise 3: Implementing Print Services in the Branch Office

Task 1: Install the Print and Document Services role.
1. 2. 3. 4. 5. 6. 7. 8. 9. On the Taskbar, click Server Manager. In Server Manager, in the navigation pane, click Roles. In the results pane, click Add Roles. In the Add Roles Wizard, click Next. On the Select Server Roles page, select the Print and Document Services check box, and then click Next. On the Print and Document Services page, click Next. On the Select Role Services page, click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close.
10. Close Server Manager.
Task 2: Configure locations for the enterprise.

1. 2. 3. 4. 5. Switch to NYC-DC1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services. In Active Directory Sites and Services, in the navigation pane, expand Sites, and then click Subnets. Right-click Subnets, and then click New Subnet. In the New Object Subnet dialog box, in the Prefix box, type 172.16.16.0/24. In the Select a site object for this prefix list, click Default-First-Site-Name, and then click OK. Note We are using the Default-First-Site-Name here because we do not have domain controllers in the branches to support separate sites. 6. 7. 8. 9. Right-click 172.16.16.0/24, and then click Properties. Click the Location tab. In the Location box, type Contoso/New York/Branch Offices/Branch 1, and then click OK. Right-click Default-First-Site-Name, and then click Properties. Click the Location tab. In the Location box, type Contoso/New York/Branch Offices, and then click OK.
10. Close Active Directory Sites and Services.
Task 3: Configure the GPO settings for printing.

1. 2. 3. 4. Click Start, point to Administrative Tools, and then click Group Policy Management. In the navigation pane, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Default Domain Policy. Click OK at the prompt. Right-click Default Domain Policy, and then click Edit. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, and then click Printers.
10
5. 6. 7. 8.
In the results pane, double-click Pre-populate printer search location text. In the Pre-populate printer search location text dialog box, click Enabled, and then click OK. Close Group Policy Management Editor. Close Group Policy Management.
Task 4: Create a shared printer.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR2. Click Start, and then click Devices and Printers. In Devices and Printers, click Add a printer. In the Add Printer wizard, on the What type of printer do you want to install page, click Add a local printer. On the Choose a printer port page, click Next. On the Install the printer driver page, in the Manufacturer list, clickHP. In the Printers list, click HP Color LaserJet 2700 Series PCL6, and then click Next. On the Type a printer name page, in the Printer name box, type Research Color Laser, and then click Next. On the Printer Sharing page, in the Location box, type Contoso/New York/Branch Offices/Branch 1/Main Office, and then click Next.
10. On the Youve successfully added Research Color Laser page, click Finish.
Task 5: Configure the printer.

1. 2. 3. 4. 5. 6. 7. In Devices and Printers, right-click Research Color Laser, and then click Printer properties. In the Research Color Laser Properties dialog box, click Security. In the Group or user names list, click Everyone, and then click Remove. Click Add. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type research, and then click Check Names. Click OK, and then click the Sharing tab. Select the List in the directory check box, and then click OK.
Task 6: Test the printer settings.

1. 2. 3. Switch to NYC-CL2. Click Start, and in the Search box, type cmd.exe, and then press Enter. At the command prompt, type the following command, and then press Enter.
Gpupdate /force
4.
Log off from NYC-CL2, and then log on by using the following credentials: User name: Dylan
11
5. 6. 7. 8.
Password: Pa$$w0rd Domain: CONTOSO
Click Start, and then click Devices and Printers. In Devices and Printers, click Add a printer. On the What type of printer do you want to install page, click Add a network, wireless or Bluetooth printer. The Research Color Laser is listed. Close all open windows.
Results: At the end of this exercise, you will have configured the branch office printing environment.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps 2 and 3 for 6433A-NYC-RTR, 6433A-NYC-SVR2, and 6433A-NYC-CL2.
Lab Answer Key: Planning Network Access
Module 9
Contents:
Exercise 1: Planning Network Access Exercise 2: Implementing Network Access 2 3
Lab: Planning and Implementing Network Access

Exercise 1: Planning Network Access
Read the email message and the Branch Office Network Access Plan document in the main module document under Exercise 1.
Answer the questions in the Branch Office Network Access Plan document. Branch Office Network Access Plan Document Reference Number: CW0611/1 Document Author Date Charlotte Weiss 6th November
Requirements Overview Plan a remote network access solution for Research department users based in branch offices. Proposals 1. What remote access solutions would you consider to support the branch offices users? Answer: A VPN solution would address the requirement of allowing users to connect to all their usual servers and resources. DirectAccess is not applicable because there is no IPv6 infrastructure available in the branches or the head office at present. 2. What network access technologies are suggested by the fact that some users access the Contoso network resources from public access points and from their own computers at home? Answer: Users home computers are unmanaged devices. Connecting laptops through public access points poses a security risk if the laptops do not have appropriate security measures in place, such as a host-based firewall, anti-malware software, and recent security patches and updates. Consequently, implementing NAP would help mitigate these risks. 3. Dylan is concerned about the security of data in transit. What could you do to alleviate his legitimate concerns? Answer: Implement strong encryption and a rigorous authentication protocol for the VPN. For example, implement MS-CHAP v2 or EAP with strongest encryption. 4. How would you propose to allocate IP configurations to remote access clients? Answer: The Routing and Remote Access role service supports either a static pool for IP address configuration or a DHCP server configuration. To be conformant with the Contoso policy, DHCP should be selected. 5. What is your remote network access solution? Provide details including server roles required to support the configuration. Answer: Answers might vary slightly, but the solution should include: Deploying the Network Policy and Access Services role on NYC-EDGE1 to support Routing
Branch Office Network Access Plan and Remote Access and Network Access Protection. Configuring NYC-EDGE1 as a VPN Server. Configuring VPN settings for strongest encryption and authentication. Configuring NAP with VPN Enforcement. Configuring IPv4 filters for non-compliant computers to restrict communications to a remediation server. Using Group Policy to deploy required certificates for L2TP VPN tunneling. Use Group Policy to deploy required NAP client settings.
Results: In this exercise, you completed the Branch Office Network Access Plan document.
Exercise 2: Implementing Network Access

Task 1: Configure a computer certificate.
1. 2. 3. 4. 5. 6. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority. In the certsrv management console, expand ContosoCA, right-click Certificate Templates, and then select Manage from the context menu. In the Certificate Templates Console details pane, right-click Computer, and then choose Properties from the context menu. Click the Security tab in the Computer Properties dialog box, and then select Authenticated Users. In the Permissions for Authenticated Users dialog box, select the Allow check box for the Enroll permission, and then click OK. Close the Certificate Templates Console, and then close the certsrv management console.
Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server.

1. 2. Switch to the NYC-EDGE1 computer. Obtain computer certificate and install on NYC-EDGE1 for server-side PEAP authentication: a. b. c. d. e. Click Start, click Run, type mmc, and then press Enter. On the File menu, click Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish. Click OK to close the Add or Remove Snap-ins dialog box. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
f. g. h. i. j. k. 3.
The Certificate Enrollment dialog box opens. Click Next. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next. Select the Computer check box, and then click Enroll. Verify the status of certificate installation as Succeeded, and then click Finish. Close the Console1 window. Click No when prompted to save console settings.
Install the NPS Server role: a. b. c. d. e. f. On NYC-EDGE1, click Start, click Administrative Tools, and then click Server Manager. Click Roles, and then under Roles Summary, click Add Roles, and then click Next. Select the Network Policy and Access Services check box, and then click Next twice. Select the Network Policy Server and Remote Access Service check boxes, click Next, and then click Install. Verify the installation was successful, and then click Close. Close the Server Manager window.
4.
Configure NPS as a NAP health policy server: a. b. c. d. Click Start, point to Administrative Tools, and then click Network Policy Server. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings. In the right pane under Name, double-click Default Configuration. On the Windows 7/Windows Vista selection, clear all check boxes except A firewall is enabled for all network connections.
Note In reality, you would leave the default selections. However, to make testing the policy feasible, you are limiting the requirements. e. 5. Click OK to close the Windows Security Health Validator dialog box.
Configure health policies: a. b. c. d. e. f. g. h. Expand Policies. Right-click Health Policies, and then click New. In the Create New Health Policy dialog box, under Policy name, type Compliant. Under Client SHV checks, verify that Client passes all SHV checks is selected. Under SHVs used in this health policy, select the Windows Security Health Validator check box. Click OK. Right-click Health Policies, and then click New. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
i. j. k. 6.
Under Client SHV checks, select Client fails one or more SHV checks. Under SHVs used in this health policy, select the Windows Security Health Validator check box. Click OK.
Configure network policies for compliant computers: a. b. c. d. e. f. g. h. i. j. k. l. Ensure Policies is expanded. Click Network Policies. Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable. Right-click Network Policies, and then click New. In the Specify Network Policy Name and Connection Type window, under Policy name, type Compliant-Full-Access, and then click Next. In the Specify Conditions window, click Add. In the Select condition dialog box, double-click Health Policies. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant, and then click Next. In the Specify Access Permission window, verify that Access granted is selected. Click Next three times. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.
m. In the Completing New Network Policy window, click Finish. 7. Configure network policies for noncompliant computers: a. b. c. d. e. f. g. Right-click Network Policies, and then click New. In the Specify Network Policy Name and Connection Type window, under Policy name, type Noncompliant-Restricted, and then click Next. In the Specify Conditions window, click Add. In the Select condition dialog box, double-click Health Policies. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant, and then click Next. In the Specify Access Permission window, verify that Access granted is selected.
Note A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients matching these conditions.
h. i. j. k. l.
Click Next three times. In the Configure Settings window, click NAP Enforcement. Select Allow limited access, and clear the Enable auto-remediation of client computers check box. In the Configure Settings window, click IP Filters. Under IPv4, click Input Filters, and then click New. In the Add IP Filter dialog box, select Destination network. Type 10.10.0.10 next to IP address, and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from noncompliant clients can reach only NYC-DC1.
m. Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed below in the Inbound Filters dialog box. n. o. p. q. Click OK to close the Inbound Filters dialog box. Under IPv4, click Output Filters, and then click New. In the Add IP Filter dialog box, select Source network. Type 10.10.0.10 next to IP address, and then type 255.255.255.255 next to Subnet mask. Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed below in the Outbound Filters dialog box. This step ensures that only traffic from NYC-DC1 can be sent to noncompliant clients. Click OK to close the Outbound Filters dialog box. In the Configure Settings window, click Next. In the Completing New Network Policy window, click Finish.
r. s. t. 8.
Configure connection request policies: a. b. c. d. e. f. g. h. i. j. Click Connection Request Policies. Disable the default Connection Request policy found under Policy Name by right-clicking the policy, and then clicking Disable. Right-click Connection Request Policies, and then click New. In the Specify Connection Request Policy Name and Connection Type window, under Policy name, type Branch VPN connections. Under Type of network access server, select Remote Access Server (VPN-Dial up), and then click Next. In the Specify Conditions window, click Add. In the Select condition window, double-click Tunnel Type, select PPTP, SSTP, and L2TP, click OK, and then click Next. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected, and then click Next. In the Specify Authentication Methods window, select Override network policy authentication settings. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP), and then click OK.
k. l.
Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.
m. Verify that Enforce Network Access Protection is selected, and then click OK. n. Click Next twice, and then click Finish.
Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) configured as a VPN server.
1. 2. On NYC-EDGE1, click Start, point to Administrative Tools, and then click Routing and Remote Access. In the Routing and Remote Access console, right-click NYC-EDGE1 (local), and then click Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard. Click Next, select Remote access (dial-up or VPN), and then click Next. Select the VPN check box, and then click Next. Click the network interface called Public. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next. This ensures that NYC-EDGE1 will be able to ping NYC-DC1 when attached to the Internet subnet without requiring that you configure additional packet filters for Internet Control Message Protocol (ICMP) traffic. On the IP Address Assignment page, click Next. On the Managing Multiple Remote Access Servers page, ensure that the No, use Routing and Remote Access to authenticate connection requests check box is already selected and then click Next. Click Finish. Click OK twice, and wait for the Routing and Remote Access Service to start.
3. 4. 5.
6. 7.
8. 9.
10. Switch to the Network Policy Server console. Click the Connection Request Policies node, and press F5 to refresh the display. Disable the Microsoft Routing and Remote Access Service Policy. This was created automatically when Routing and Remote Access was enabled. 11. Close the Network Policy Server management console. 12. Close Routing and Remote Access.
Task 4: Allow ping on NYC-EDGE1.

Note VPN. 1. 2. 3. 4. You perform the following steps in order that you can test connectivity through the
Click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security. Click Inbound Rules, right-click Inbound Rules, and then click New Rule. Select Custom, and then click Next. Select All programs, and then click Next.
5. 6. 7. 8. 9.
Next to Protocol type, select ICMPv4, and then click Customize. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next. Click Next to accept the default scope. In the Action window, verify that Allow the connection is selected, and then click Next. Click Next to accept the default profile.
10. In the Name window, under Name, type ICMPv4 echo request, and then click Finish. 11. Close the Windows Firewall with Advanced Security console.
Task 5: Configure required NAP client settings.

Note You configure the client settings locally rather than use GPO because it is quicker in the lab environment. 1. 2. Switch to the NYC-CL1 computer. Configure NYC-CL1 so that Security Center is always enabled: a. b. c. d. e. 3. Click Start, point to All Programs, click Accessories, and then click Run. Type gpedit.msc, and then press Enter. In the console tree, click Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK. Close the Local Group Policy Editor.
Enable the remote-access, quarantine-enforcement client: a. b. c. d. e. Click Start, click All Programs, click Accessories, and then click Run. Type napclcfg.msc, and then press Enter. In the console tree, click Enforcement Clients. In the details pane, right-click EAP Quarantine Enforcement Client, and then click Enable. Close the NAP Client Configuration window.
4.
Enable and start the NAP agent service: a. b. c. d. e. f. Click Start, click Control Panel, click System and Security, and then click Administrative Tools. Double-click Services. In the Services list, double-click Network Access Protection Agent. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic, and then click Start. Wait for the NAP Agent service to start, and then click OK. Close the Services console, and then close the Administrative Tools, and System and Security windows.
Task 6: Move the client to the Internet

1. Configure NYC-CL1 for the Internet network segment: a. b. c. d. e. f. g. h. i. 2. Click Start, click Control Panel, and then click Network and Internet. Click Network and Sharing Center. Click Change adapter settings. Right-click Local Area Connection 3, and then click Properties. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. Click Use the following IP address. Next to IP address, type 131.107.0.10. Next to Subnet mask, type 255.255.0.0. Do not configure the Default gateway. Click Use the following DNS server addresses. Click OK, and then click Close to close the Local Area Connection 3 Properties dialog box. Close the Network Connections window.
Verify network connectivity for NYC-CL1: a. b. c. d. e. Click Start, click All Programs, click Accessories, and then click Run. Type cmd, and then press Enter. At the command prompt, type ping 131.107.0.2 and press Enter. Verify that the response reads Reply from 131.107.0.2 Close the command window.
Task 7: Create a VPN on NYC-CL1

1. Configure a VPN connection: a. b. c. d. e. f. g. Click Start, click Control Panel, and then click Network and Internet. Click Network and Sharing Center. Click Set up a new connection or network. On the Choose a connection option page, click Connect to a workplace, and then click Next. On the How do you want to connect page, click Use my Internet connection (VPN). Click Ill set up an Internet connection later. On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.2. Next to Destination name, type Contoso VPN. Select the Allow other people to use this connection check box, and then click Next. On the Type your user name and password page, type administrator next to User name, and type Pa$$w0rd next to Password. Select the Remember this password check box, type Contoso next to Domain (optional), and then click Create. On The connection is ready to use page, click Close. In the Network and Sharing Center window, click Change adapter settings. Right-click the Contoso VPN connection, click Properties, and then click the Security tab.
h.
i. j. k.
10
l.
Under Authentication, click Use Extensible Authentication Protocol (EAP).
m. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft: Protected EAP (PEAP) (encryption enabled) and then click Properties. n. Ensure that the Validate server certificate check box is already selected. Clear the Connect to these servers check box, and then Ensure that Secured password (EAP-MSCHAP v2) is already selected, under Select Authentication Method. Clear the Enable Fast Reconnect check box, and then select the Enforce Network Access Protection check box. Click OK twice to accept these settings.
o. 2.
Test the VPN connection: a. b. c. In the Network Connections window, right-click the Contoso VPN connection, and then click Connect. In the Connect Contoso VPN window, click Connect. You are presented with a Windows Security Alert window the first time this VPN connection is used. Click Details, and verify that Certificate Information states that the certificate was issued to NYC-EDGE1.Contoso.com by ContosoCA. Click Connect.
Note If you do not connect and receive error code 618, switch to NYC-EDGE1 and open the Network Policy Server. Disable any Connection Request policies found under Policy Name except for the Branch VPN Connections policy. d. e. f. g. h. 3. Wait for the VPN connection to be made. Because NYC-CL1 is compliant, it should have unlimited access to the intranet subnet. Click Start, click All Programs, click Accessories, and then click Command Prompt. Type ipconfig /all and press Enter. View the IP configuration. System Quarantine State should be Not Restricted. In the Command window, type ping 10.10.0.10 and then press Enter. This should be successful. The client now meets the requirement for VPN full connectivity. Close the command prompt. Disconnect from the Contoso VPN.
Configure Windows Security Health Validator to require an antivirus application: a. b. c. d. On NYC-EDGE1, open Network Policy Server. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings. In the right pane under Name, double-click Default Configuration. On the Windows 7/Windows Vista selection, select the An antivirus application is on check box, and then click OK.
4.
Verify the client is placed on the restricted network: a. b. c. On NYC-CL1, in the Network Connections window, right-click the Contoso VPN, and then click Connect. Click Connect. Wait for the VPN connection to be made.
11
d. e.
Click Start, click All Programs, click Accessories, and then click Command Prompt. Type ipconfig /all, and then press Enter. View the IP configuration. System Quarantine State should be Restricted. The client does not meet the requirements for the network, and therefore is placed on the restricted network.
f.
Disconnect the Contoso VPN.
Results: In this exercise, you enabled and configured a VPN NAP enforcement policy for Contoso.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-EDGE1 and 6433A-NYC-CL1.
Lab Answer Key: Provisioning Data and Storage
Module 10
Contents:
Exercise 1: Planning Data Access Exercise 2: Installing and Configuring DFS Exercise 3: Enabling and Configuring BranchCache 2 3 6
Lab: Planning and Implementing Data Access

Exercise 1: Planning Data Access
Read the email message and the Data Access Plan document in the main module document under Exercise 1.
Answer the questions in the Data Access Plan document. Data Access Plan Document Reference Number:CW0112/1 Document Author Date Charlotte Weiss 1st December
Requirements Overview To plan a suitable data access plan for the branch offices. Proposals 1. What server role will you implement to support the requirement for automated data collection from the branch offices? Answer: DFS. 2. What data access scenario would you recommend? Answer: Data collection. DFS technologies can collect files from a branch office and replicate them to a hub site, allowing the files to be used for several specific purposes. Critical data can be replicated to a hub site by using DFS-R and then backed up at the hub site by using standard backup procedures. 3. What technology would you implement to support the slow link requirement? Answer: BranchCache. 4. How will you ensure that the client-side settings for this technology apply only to relevant computers?
Answer: Configure a GPO with the required settings and then link it to a suitable AD DS container, such as an OU. 5. There is a local server installed at each branch office. How would you configure the branch data access technology to support this? Answer: BranchCache with hosted cache; this mode operates by deploying a computer that is running Windows Server 2008 R2 as a host in the branch office. 6. To support the database applications, what type of storage would you recommend? Answer: If the majority of documents that users must access are file-based, NAS solutions provide the most effective and low-cost networked storage solution. On the other hand, if
Data Access Plan the greatest amount of information to be shared is produced by database applications, SANs have been the most popular solution. A SAN is indicated here.
Results: In this exercise, you completed a Data Access Plan for Contoso.
Exercise 2: Installing and Configuring DFS

Task 1: Install the DFS Role Service on NYC-SVR1.
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR1. On the task bar, click Server Manager. In the navigation pane, click Roles. In the details pane, under the File Services section, click Add Role Services. The Add Role Services wizard opens. On the Select Role Services page, select the Distributed File System check box. Ensure that the File Server, DFS Namespaces, and DFS Replication options are also selected. Click Next. On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager, and then click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close. Close Server Manager.
Task 2: Install the DFS Role Service on NYC-DC1.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-DC1. On the task bar, click Server Manager. In the navigation pane, click Roles. In the details pane, under the File Services section, click Add Role Services. The Add Role Services wizard opens. On the Select Role Services page, select the Distributed File System check box. Ensure that the File Server, DFS Namespaces, and DFS Replication options are also selected. Click Next. On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager and then click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close. Close Server Manager.
Task 3: Use the New Namespace Wizard to create the ResearchDocs namespace.
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR1. Click Start, point to Administrative Tools, and then click DFS Management. In the navigation pane, click Namespaces. Right-click Namespaces and then click New Namespace. The New Namespace Wizard starts. On the Namespace Server page, under Server, type NYC-SVR1, and then click Next. On the Namespace Name and Settings page, under Name, type ResearchDocs, and then click Next. On the Namespace Type page, ensure that Domain-based namespace is selected. Take note that the namespace will be accessed by \\Contoso.com\ResearchDocs. Ensure that the Enable Windows Server 2008 mode check box is selected and then click Next. On the Review Settings and Create Namespace page, click Create.
10. On the Confirmation page, ensure that the Create namespace task is successful and then click Close. 11. In the navigation pane, under Namespaces, click \\Contoso.com\ResearchDocs. 12. In the details pane, click the Namespace Servers tab and ensure that there is one entry that is enabled for \\NYC-SVR1\ResearchDocs.
Task 4: Enable access-based enumeration for the ResearchDocs namespace.

1. 2. 3. In the navigation pane, under Namespaces, right-click \\Contoso.com\ResearchDocs and then click Properties. In the \\Contoso.com\ResearchDocsProperties dialog box, click the Advanced tab. On the Advanced tab, select the Enable access-based enumeration for this namespace check box and then click OK.
Task 5: Add the ResearchTemplates folder to the ResearchDocs namespace.

1. 2. 3. 4. 5. 6. 7. 8. 9. In DFS Management, right-click Contoso.com\ResearchDocs and then click New Folder. The New Folder dialog box opens. In the New Folder dialog box, under Name, type ResearchTemplates. In the New Folder dialog box, click Add. The Add Folder Target dialog box opens. In the Add Folder Target dialog box, type \\NYC-DC1\ResearchTemplates and then click OK. In the Warning dialog box, click Yes. In the Create Share dialog box, in the Local path of shared folder box, type C:\ResearchDocs\ResearchTemplates. Click All users have read and write permissions and then click OK. In the Warning dialog box, click Yes. Click OK again to close the New Folder dialog box.
Task 6: Add the DataFiles folder to the ResearchDocs namespace.

1. 2. 3. 4. 5. 6. 7. 8. 9. In DFS Management, right-click Contoso.com\ResearchDocs and then click New Folder. The New Folder dialog box opens. In the New Folder dialog box, under Name, type DataFiles. In the New Folder dialog box, click Add. The Add Folder Target dialog box opens. In the Add Folder Target dialog box, type \\NYC-SVR1\DataFiles and then click OK. In the Warning dialog box, click Yes. In the Create Share dialog box, in the Local path of shared folder box, type C:\ResearchDocs\DataFiles. Click All users have read and write permissions and then click OK. The permissions will be configured later. In the Warning dialog box, click Yes. Click OK again to close the New Folder dialog box.
Task 7: Verify the ResearchDocs namespace.

1. 2. 3. On NYC-SVR1, click Start, and then in the Search programs and files box, type \\Contoso.com\ResearchDocs. Press Enter. In the ResearchDocs window, verify that both ResearchTemplates and DataFiles are visible. Close the ResearchDocs window.
Task 8: Create another Folder Target for DataFiles.

1. 2. 3. 4. 5. 6. 7. 8. In DFS Management, expand Contoso.com\ResearchDocs and then click DataFiles. In the details pane, notice that there is currently only one folder target. Right-click DataFiles and then click Add Folder Target. In the New Folder Target dialog box, under Path to folder target, type \\NYC-DC1\DataFiles and then click OK. In the Warning dialog box, click Yes to create the shared folder on NYC-DC1. In the Create Share dialog box, under Local path of shared folder, type C:\ResearchDocs\DataFiles. In the Create Share dialog box, under Shared folder permissions, select All users have read and write permissions and then click OK. In the Warning dialog box, click Yes to create the folder on NYC-DC1. In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.
Task 9: Configure Replication for the namespace.

1. 2. 3. 4. In DFS Management, in the Replicate Folder Wizard, on the Replication Group and Replicated Folder Name page, accept the default settings and then click Next. On the Replication Eligibility page, click Next. On the Primary Member page, select NYC-SVR1 and then click Next. On the Topology Selection page, select No topology, and then click Next.
5. 6. 7. 8. 9.
In the Warning dialog box, click OK. On the Review Settings and Create Replication Group page, click Create. On the Confirmation page, click Close. In the Replication Delay dialog box, click OK. In the DFS Management console, expand Replication and then click contoso.com\ResearchDocs\DataFiles.
10. In the action pane, click New Topology. 11. In the New Topology Wizard, on the Topology Selection page, click Full mesh and then click Next. 12. On the Replication Group Scheduleand Bandwidth page, click Next. 13. On the Review Settings and Create Topology page, click Create. 14. On the Confirmation page, click Close, and in the Replication Delay dialog box, click OK. 15. In the details pane, on the Memberships tab, verify that the replicated folder is shown on both NYCDC1 and NYC-SVR1. 16. On the Memberships tab, right-click NYC-DC1 and then click Make read-only. This setting will automatically configure the replicated copy to be read-only. Results: In this exercise, you configured DFS.
To prepare for the next exercise

When you finish the exercise, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-SVR1.
Exercise 3: Enabling and Configuring BranchCache

Exercise Setup
For this exercise, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps: 1. 2. 3. 4. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 6433A-NYC-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: User name: Administrator Password: Pa$$w0rd Domain: Contoso
5. 6. 7.
In Hyper-V Manager, click 6433A-NYC-CL2, and in the Actions pane, click Settings. In the Settings for 6433A-NYC-CL2 dialog box, in the navigation pane, click Network Adapter. In the Results pane, in the Network drop-down list, select Private Network and then click OK.
Task 1: ConfigureNYC-DC1 to use BranchCache.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-DC1. Click Start, point to Administrative Tools, and then click Server Manager. In the navigation pane, click Roles. In the details pane, under the File Services section, click Add Role Services. The Add Role Services wizard opens. On the Select Role Services page, in the Role services list, select the BranchCache for network files check box and then click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close. Close Server Manager. Click Start, and in the Search box, type gpedit.msc and then press Enter.
10. In the navigation pane of the Local Group Policy Editor console, under ComputerConfiguration, expand AdministrativeTemplates, expand Network, and then click LanmanServer. 11. In the Setting list of the Lanman Server result pane, right-click Hash Publication for BranchCache, and then click Edit. 12. In the Hash Publication for BranchCache dialog box, click Enabled. In the Hash publication actions list, select Allow hash publication only for shared folders on which BranchCache is enabled, and then click OK.
Task 2: Simulate slow link to the branch office.

1. 2. In the navigation pane of the Local Group Policy Editor console, under ComputerConfiguration, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy. On the Create a QoS policy page of the Policy-based QoS wizard, in the Policy name box, type Limit to 100 KBps, select the Specify Outbound Throttle Rate: check box, type 100,and then click Next. On the This QoS policy applies to page, click Next. On the Specify the source and destination IP addresses page, click Next. On the Specify the protocol and port numbers page, click Finish. Close the Local Group Policy Editor.
3. 4. 5. 6.
Task 3: Enable a file share for BranchCache.

1. 2. 3. Click Start and then click Computer. In the Computer window, browse to Local Disk (C:). On the menu, click New Folder.
4. 5. 6. 7. 8. 9.
Type Distribution and then press Enter. Right-click Distribution and then click Properties. On the Sharing tab of the DistributionProperties dialog box, click Advanced Sharing. Select the Share this folder check box and then click Caching. In the Offline Settings dialog box, select the Enable BranchCache check box and then click OK. In the Advanced Sharing dialog box, click OK.
10. In the Share Properties dialog box, click Close. 11. Click Start, point to All Programs, click Accessories, and then click Command Prompt. 12. In the command prompt window, type the following command and then press Enter.
Copy C:\windows\system32\mspaint.exe c:\distribution
13. Close the command prompt. 14. Close Windows Explorer.
Task 4: Configure client firewall rules for BranchCache.

1. 2. 3. Click Start, point to Administrative Tools, and then click Group PolicyManagement. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click Default Domain Policy, and then click Edit. In the navigation pane of the Group Policy Management Editor console, under Computer Configuration, under Policies, expand Windows Settings, expand Security Settings, and then expand Windows Firewall with Advanced Security. In the navigation pane, under Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security and then click InboundRules. On the Action menu of the Group Policy Management Editor console, click New Rule. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache Content Retrieval (Uses HTTP), and then click Next. On the Predefined Rules page, click Next. On the Action page, click Finish to create the firewall inbound rule. Click Inbound Rules, and then on the Action menu of the Group Policy Management Editor console, select New Rule.
4. 5. 6. 7. 8. 9.
10. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache Peer Discovery (Uses WSD), and then click Next. 11. On the PredefinedRules page, click Next. 12. On the Action page, click Finish.
Task 5: Configure clients to use BranchCache in hosted cache mode.

1. In the navigation pane of the Group Policy Management Editor console, under ComputerConfiguration, expand Policies, expand AdministrativeTemplates, expand Network, and then click BranchCache.
2. 3. 4. 5. 6. 7.
In the Setting list of the BranchCache result pane, right-click Turn on BranchCache and then click Edit. In the Turn on BranchCache dialog box, click Enabled and then click OK. In the Setting list of the BranchCache result pane, right-click Set BranchCache Hosted Cache mode and then click Edit. In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Enter the location of hosted Cache box, type NYC-SVR1.contoso.com, and then click OK. In the Setting list of the BranchCache result pane, right-click ConfigureBranchCache for network files and then click Edit. In the Configure BranchCache for network files dialog box, click Enabled. In the Enter the round trip network latency value in milliseconds above which network files must be cached in the branch office box, type 0, and then click OK. This setting is required to simulate access from a branch office and is not typically required. Close the Group Policy Management Editor console. Close the Group Policy Management console.
8. 9.
10. Start 6433A-NYC-CL1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd. 11. Click Start, point to All Programs, click Accessories, and then click Command Prompt. 12. In the command prompt window, type the following command and then press Enter.
gpupdate /force
13. In the command prompt window, type the following command and then press Enter.
netshbranchcache show status all
14. Start 6433A-NYC-CL2. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd. 15. Click Start, and in the Search box, type Network and Sharing and then press Enter. 16. In Network Connections, click Change adapter settings. 17. Right-click Local Area Connection 3 and then click Properties. 18. In the Local Area Connection 3 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4). 19. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically. 20. Click Obtain DNS server address automatically and then click OK. 21. In the Local Area Connection 3 Properties dialog box, click OK. 22. Restart the computer. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd. 23. Click Start, point to All Programs, click Accessories, and then click Commandprompt. 24. In the command prompt window, type the following command and then press Enter.
10
gpupdate /force
25. In the command prompt window, type the following command and then press Enter.
Task 6: Install the BranchCache feature on NYC-SVR1.

1. 2. 3. 4. 5. 6. 7. Start 6433A-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd. Click Start, point to AdministrativeTools, and then click ServerManager. In the navigation pane of the Server Manager console, right-click Features and then click AddFeatures. On the Select Features page of the Add Features Wizard, select the BranchCache check box, and then click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close. Close Server Manager.
Task 7: Request a certificate and link it to BranchCache.

1. 2. 3. 4. 5. 6. 7. 8. 9. On the Start menu of NYC-SVR1, click Run. In the Open box of the Run dialog box, type mmc and then click OK. On the File menu of the Console1 [Console Root] console, click Add/Remove Snap-ins. In the Available snap-ins area of the Add or Remove Snap-ins dialog box, click Certificates, and then click Add. In the This snap-in will always manage certificates for page of the Certificates Snap-in Wizard, click Computeraccount and then click Next. On the Select the computer you want this snap-in to manage page, click Finish. In the Add or Remove Snap-ins dialog box, click OK. In the navigation pane of the Console1 [Console Root] console, expand Certificates (Local Computer), right-click Personal, point to All Tasks, and then click Request New Certificate. On the Before You Begin page of the Certificate Enrollment Wizard, click Next.
10. On the Select Certificate EnrollmentPolicy page, click Next. 11. On the Request Certificates page, select the Computer check box and then click Enroll. 12. On the Certificate Installation Results page, click Finish. 13. In the navigation pane of the Console1 [Console Root] console, under Personal, click Certificates. 14. In the Issued To result pane, right-click NYC-SVR1.Contoso.com and then click Open. 15. On the Details tab of the Certificate dialog box, in the Field list, click Thumbprint, select thumbprint values in the details section, press Ctrl+C to copy the values to the Clipboard, and then click OK.
11
16. On the Start menu, click All Programs, click Accessories, and then click Command Prompt. 17. In the command prompt window, type the following command and then press Enter. You can paste the certificatehashvalue from the certificate, but you must remove the spaces.
netsh http add sslcertipport=0.0.0.0:443 certhash=certificatehashvalueappid={d673f5eea714-454d-8de2-492e4c1bd8f8}
18. At the command prompt, type the following command and then press Enter.
Task 8: Start the BranchCache Host Server.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-DC1. Click Start, point to Administrative Tools, and click Active Directory Users and Computers. Right-click Contoso.com, point to New, and click Organizational Unit. In the New Object - Organization Unit window, type BranchCacheHost and then click OK. Click the Computers container. Click NYC-SVR1 and drag it to BranchCacheHost. Click Yes to clear the warning about moving objects. Close Active Directory Users and Computers. Click Start, point to Administrative Tools, and click Group Policy Management.
10. Under Domains, expand Contoso.com, right-click BranchCacheHost, and click Block Inheritance. 11. On NYC-DC1, close all open windows. 12. Restart NYC-SVR1 and log on as Contoso\Administrator with the password of Pa$$w0rd. 13. On NYC-SVR1, open a command prompt, type the following command, and then press Enter.
netshbranchcache set service hostedserver
14. Close the command prompt. Results: In this exercise, you the BranchCache server in the branch office.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-SVR1, 6433A-NYC-CL1, and 6433A-NYC-CL2.
Lab Answer Key: Planning Update Deployment
Module 11
Contents:
Exercise 1: Analyze WSUS Deployment Plan Exercise 2: Configure a Replica WSUS Server Exercise 3: Configure WSUS for BranchCache
2 3 6
Lab: Multi-Site WSUS Deployment

Exercise 1: Analyze WSUS Deployment Plan
Task 1: Read the Contoso WSUS Deployment Plan document.
1. Read the Contoso WSUS deployment document. Contoso WSUS Server Deployment Plan Document Reference Number: GW1203/1 Document Author Date HazemAbolrous 26th January
Requirements Overview 1. Contoso, Ltd in Australia wants to reduce the number of operating system updates that are downloaded from the Microsoft Update servers on the Internet to reduce the costs associated with the utilization of bandwidth. Contoso, Ltd has an agreement with its Internet Service Provider that substantially discounts the cost of traffic transmitted across WAN links when compared with the cost of downloading data directly from locations on the Internet such as Microsoft Update. All branch offices have connections to the Internet as well as dedicated WAN connections. The amount of data transmitted across WAN links should be minimized. Only one WSUS server should be deployed at each site. Administrators in the Melbourne site are responsible for approving updates to computers in the Perth, Adelaide, and Hobart sites. Administrators in the Sydney site are responsible for approving updates to computers in the Sydney site. The cost of transmitting data across the Melbourne to Perth link is equivalent to the cost of downloading data from locations on the Internet such as Microsoft Update.
2.
3. 4. 5. 6. 7.
Task 2: Update the Visio diagram, placing WSUS servers at each site.
1. 2. Open the Visio diagram that represents the Contoso Australia WSUS server. The Visio file is located on NYC-CL1 in the D:\Labfiles\Mod09 folder. Copy items representing each WSUS server type to each site. You may need to use the same item in more than one location.
Task 3: Discuss your WSUS configuration plan.

1. Discuss your solutions with the class including the impact that WSUS configuration decisions, such as whether updates are downloaded before approval, will make on upstream and downstream servers. Consider the following answers to the questions posed in the student handbook: You would use BranchCache at the Hobart site if all computers at the site were running the Windows Server 2008 R2, Windows 7 Enterprise, and Windows 7 Ultimate edition operating systems. If clients were running Windows Vista, Windows XP, or Windows Server 2008 operating
systems, BranchCache would be inappropriate because these clients would be unable to take advantage of the technology. You would place two WSUS servers at the Melbourne site because all the other sites except Perth are likely to use the WSUS server at the Melbourne site as a source of updates. You would apply group policies at the site level to assign computers in each site to the local WSUS server.
Results: In this exercise, you planned a suitable WSUS deployment configuration for Contoso.
Preparing for the Next Exercise

When you finish the exercise, complete the following steps: 1. 2. Revert 6433A-NYC-CL1. Start computers in the following order 6433A-NYC-SVR1, 6433A-NYC-RTR, and 6433A-NYC-SVR2. Log on to each computer as Administrator, with the password of Pa$$w0rd.
Exercise 2: Configure a Replica WSUS Server

Task 1: Check available updates on the NYC-SVR1 WSUS server and create computer groups.
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR1. On the Administrative Tools menu, click Windows Server Update Services. Expand the NYC-SVR1\Updates node, and then click All Updates. In the Status list, click Any, and then click Refresh. Make a note of the total number of updates. Expand the Computers node. Right-click All Computers and then click Add Computer Group. In the Add Computer Group dialog box, type Australia next to Name:, and then click Add. Expand the All Computers node, right-click the Australia computer group and then click Add Computer Group. In the Add Computer Group dialog box, type Melbourne_Sales next to Name:, and then click Add. Repeat steps 7 and 8 to create the computer group Melbourne_Marketing.
Task 2: Install and configure a WSUS replica server on NYC-SVR2.

1. 2. Switch to NYC-SVR2 and open the Command Prompt window. At the command prompt, type the following command and then press Enter to verify connectivity to NYC-SVR1.
Ping NYC-SVR1
3. 4.
Close the command prompt window. On the taskbar, click the Windows PowerShell icon. Run the following commands and then press Enter after each command.
Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-Asp-Net, Web-ISAPI-Ext, Web-ISAPI-Filter, WebWindows-Auth, Web-Dyn-Compression, Web-Metabase, Net-Framework
5. 6. 7. 8. 9.
Close the Windows PowerShell session. Open Windows Explorer and browse to the D:\Labfiles\Mod09 folder. Double-click ReportViewer.exe to start installing Microsoft Report Viewer Redistributable 2008. On the Welcome to Microsoft Report Viewer Redistributable 2008 SP Setup page of the Microsoft Report Viewer Redistributable 2008 SP Setup wizard, click Next. On the License Terms page, accept the terms of the license agreement, and then click Install.
10. On the Setup Complete page, click Finish to dismiss the dialog box when the installer completes. 11. Double-click the file WSUS30-KB972455-x64.exe to begin the installation of WSUS 3.0 SP2. 12. On the Welcome page, click Next. 13. On the Installation Mode Selection page, select the Full server installation including Administration Console option, and then click Next. 14. On the License Agreement page, select the I accept the terms of the License agreement check box, and then click Next. 15. On the Select Update Source page, ensure that Store updates locally is selected, and then click Next. 16. On the Database Options page, ensure that Install Windows Internal Database on this computer is selected, and then click Next. 17. On the Web Site Selection page, ensure that Use the existing IIS Default Web site (recommended) is selected, and then click Next. 18. On the Ready to Install Windows Server Update Services 3.0 SP2 page, review the installation options, and then click Next. When the installation completes, click Finish. 19. When the Windows Server Update Services Configuration wizard starts, click Next. 20. On the Join the Microsoft Update Improvement Program page, clear the Yes, I would like to join the Microsoft Update Improvement Program check box, and then click Next. 21. On the Choose Upstream Server page, click Synchronize from another Windows Server Update Services server. 22. In the Server name box, type NYC-SVR1, select the This is a replica of the upstream server check box, and then click Next. 23. On the Specify Proxy Server page, click Next. 24. On the Connect to Upstream Server page, click Start Connecting. This process will take several minutes. When it completes, click Next. 25. On the Choose Languages page, ensure that in the Download updates only in these languages list, English is selected, and then click Next. 26. On the Set Sync Schedule page, ensure that Synchronize manually is selected, and then click Next.
27. On the Finished page, ensure that the Launch the Windows Server Update Services Administration Console and Begin initial synchronization check boxes are selected, and then click Finish. 28. In the Update Services console, expand the NYC-SVR2\Computers\All Computers node and verify that the Australia, Melbourne_Marketing and Melbourne_Sales computer groups are present. 29. Expand the NYC-SVR2\Updates node, and then click All Updates. 30. In the Status list, click Any, and then click Refresh. Make a note of the total number of updates. This number should match the number shown that you noted earlier.
Task 3: Verify approvals on downstream servers and configure automatic approval rules.
1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR1. In the Update Services console, right-click the Update Services node, and then click Connect to Server. In the Connect To Server dialog box, type NYC-SVR2, and then click Connect. Verify that NYCSVR2 now appears in the Update Services console. Navigate to the NYC-SVR1\Updates\Critical Updates node. In the Approval list, click Unapproved. In the Status list, click Any, and then click Refresh. Select Update for Windows 7 (KB976662). On the Action menu, click Approve. In the Approve Updates dialog box next to the Melbourne_Marketing group, in the list, click Approved for Install, and then click OK.
10. In the Approval Progress dialog box, click Close. 11. Select Update for Windows 7 (KB975053). On the Actions menu, click Approve. 12. In the Approve Updates dialog box, next to the All Computers group, in the drop-down box, select Approved for Install, and then click OK. 13. In the Approval Progress dialog box, click Close. 14. Expand the NYC-SVR2 node, and then click the Synchronizations node. On the Actions menu, click Synchronize Now. 15. Navigate to the NYC-SVR2\Updates\All Updates node. 16. Set the Approval drop-down box to Approved. Set the Status drop-down box to Any, and then click Refresh. 17. Verify that the update approved is approved on NYC-SVR2. 18. Navigate to the NYC-SVR1\Options node, and then click Automatic Approvals. 19. In the Automatic Approvals dialog box, click New Rule. 20. In the Add Rule dialog box, ensure that the When an update is in a specific classification and When an update is in a specific product options are selected. 21. Click the underlined any classification item in the Step 2 box.
22. Clear the All Classifications check box, select Critical Updates, and then click OK. 23. Click the underlined text all computers and then ensure that only the Australia, Melbourne_Marketing, and Melbourne_Sales items are selected. Click OK. 24. In the Specify a name text, type Australia_Critical, and then click OK. 25. In the Automatic Approvals dialog box, click Australia_Critical, and then click Run Rule. 26. In the Run Rule dialog box, click Yes. When the rule has run, click Close. Click OK to close the Automatic Approvals dialog box. 27. Revert 6433A-NYC-SVR2. Results: In this exercise, you configured a downstream WSUS server, verified the inheritance of updates, and configured an automatic approval rule.
Exercise 3: Configure WSUS for BranchCache

Task 1: Configure WSUS to support BranchCache.
1. 2. 3. 4. 5. 6. 7. 8. On NYC-DC1, click Start, point to Administrative tools, and then click Active Directory Users and Computers. Create a new Organizational Unit named Branch_Office under the Contoso.com node. Move the computer account for computers NYC-SVR1 and NYC-CL2 from the Computers container to the Branch_Office OU. Click Start, point to Administrative Tools, click Group Policy Management. This will open the Group Policy Management console. Navigate to the Forest:Contoso.com\Domains\Contoso.com\Group Policy Objects node. On the Action menu, click New. In the New GPO dialog box, type WSUS_Branch, and then click OK. Right-click the WSUS_Branch policy, and then click Edit. Navigate to the Computer Configuration\Policies\Administrative Templates\Network\BranchCache node of the WSUS_Branch GPO and configure the following policy settings: 9. Turn On BranchCache: Enabled. Set BranchCache Distributed Cache Mode: Enabled
Double-click the Configure BranchCache for network files policy. Set the policy to Enabled and ensure that the round trip network latency setting is set to 0 milliseconds. Click OK.
10. Navigate to the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update node. 11. Edit the properties of the Specify intranet Microsoft update service location policy. Enable the policy and set both the Intranet update service for detecting updates and Intranet statistics server settings to http://nyc-svr1. Click OK. 12. Navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security node.
13. Right-click the Inbound Rules node and click New Rule. 14. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, select BranchCache Content Retrieval (Uses HTTP), and then click Next twice. Click Finish. 15. Repeat steps 13 and 14 for the BranchCache - Peer Discovery (Uses WSD) rule. 16. Close the Group Policy Management Editor. 17. In the Group Policy Management console, right-click the Branch_Office OU, and then click Link an Existing GPO. 18. In the Select GPO dialog box, click WSUS_Branch, and then click OK. 19. On NYC-SVR1, open Windows PowerShell from the Taskbar and run the following commands and then press Enter after each command.
Import-Module ServerManager Add-WindowsFeature FS-BranchCache, BranchCache
20. Restart NYC-SVR1. 21. Log on to NYC-SVR1 as Contoso\Administrator, with the password of Pa$$w0rd.
Task 2: Verify the BranchCache and WSUS configuration.

1. 2. 3. 4. Start 6433A-NYC-CL2. Log on to NYC-CL2 as Contoso\Administrator, with the password of Pa$$w0rd. Click Start, in the Search box, type cmd.exe, and then press Enter. At the command prompt, type the following command and press Enter.
Netshbranchcache show status all
5. 6. 7. 8. 9.
Verify that the service mode is set to Distributed Caching. Click Start, point to All Programs, and then click Windows Update. Click Check for Updates. When prompted to install the update to allow you to check for updates, click Install now. After the update is installed, restart NYC-CL2. Log on to NYC-CL2 as Contoso\Administrator, with the password of Pa$$w0rd.
10. Click Start, in the Search box, type perfmon.exe, and then press Enter. 11. Click the Performance Monitor node. 12. Right-click the graph display and click Add Counters. 13. Expand BranchCache in the top-left pane and select the following counters: Local Cache: Cache Complete File Segments Local Cache: Cache Partial File Segments Retrieval: Bytes From Cache Retrieval: Bytes From Server
14. Review the counter values and then close the Performance Monitor console.
Results: In this exercise, you configured WSUS to leverage BranchCache.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6433A-NYC-SVR1, 6433A-NYC-RTR, and 6433A-NYC-CL2.
Lab Answer Key: Planning High Availability
Module 12
Contents:
Exercise 1: Planning High Availability Exercise 2: Implementing High Availability 2 3
Lab: Planning and Implementing High Availability

Exercise 1: Planning High Availability
Read the email and the High Availability Plan document in the main module document beneath the exercise 1 scenario.
Answer the questions in the High Availability Plan document. High Availability Plan Document Reference Number:CW01312/1 Document Author Date Charlotte Weiss 13th December
Requirements Overview To provide a high-availability solution that ensures that the failure of any single component will not cause the Research database to become unavailable. Proposals 1. In the current system, which component(s) is a point of failure? Answer: The back-end database; the front-end web servers; the storage that hosts the database; and the supply of power to all systems. 2. For each component, how will you propose to prevent a system failure resulting from a component failure? Answer: The back-end database. Implement Failover Clustering; this is required because the database is statefulthat is, it contains data that changes, and each client computers view of the system is different at a point in time. The front-end web servers. Implement Network Load Balancing; the front end is stateless, and contains no changing data. Client computers are indifferent as to which web server they connect through. The storage that hosts the database. Consider implementing a RAID solution for the storage that hosts the database. The supply of power to all systems. An uninterruptible power supply (UPS) does provide some uptime during a power failure, and often enough time to properly shut down a database to avoid corruption. 3. Which Windows Server 2008 role or feature can help provide for each of these proposals? Answer: Windows Server 2008 provides the Network Load Balancing and Failover Clustering features. Although disk fault tolerance can be provided through the software, it is usually more appropriate to implement a fault-tolerant array through hardware. 4. After implementing the roles or features proposed, is there any remaining component that
High Availability Plan represents a single point of failure? Answer: Loss or unavailability of a data center. 5. Have you any recommendations regarding this component(s)? Answer: Ed Meadows mentioned that the database is to be replicated among the branches. This will provide a contingency in the event of link-failure.
Results: At the end of this exercise, you will have completed the High Availability Plan document.
Exercise 2: Implementing High Availability

Important Before starting this exercise, ensure you have completed the following preparatory steps on NYC-SVR2. Also ensure that the virtual machine is bound to Private Network. If you are uncertain about these preparatory steps, speak with your instructor before commencing this exercise. 1. 2. 3. 4. 5. 6. Switch to NYC-SVR2. Click Start, and in the Search box, type Network and Sharing, and then press Enter. In Network and Sharing Center, click Change adapter settings. In Network Connections, right-click Local Area Connection 2,and then click Properties. In the Local Area Connection 2 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4). In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, configure the following properties, and then click OK: 7. IP address: 10.10.0.25 Subnet mask: 255.255.0.0 Default gateway: 10.10.0.1 Preferred DNS server: 10.10.0.10
In the Local Area Connection 2 Properties dialog box, click OK. Close the Network Connections window. Important Before starting this exercise, ensure you have completed the following preparatory steps on NYC-ISCSI.
8.
Switch to NYC-ISCSI. If necessary, log on as Contoso\Administrator, with the password, Pa$$w0rd.
9.
To open the proper ports on Windows Firewall to allow iSCSI communication from clients to the server, open a command prompt, enter the following commands, and press Enter after each command.
netshadvfirewall firewall add rule name="Microsoft iSCSI Software Target Service-TCP3260" dir=in action=allow protocol=TCP localport=3260 netshadvfirewall firewall add rule name="Microsoft iSCSI Software Target Service-TCP135" dir=in action=allow protocol=TCP localport=135 netshadvfirewall firewall add rule name="Microsoft iSCSI Software Target Service-UDP138" dir=in action=allow protocol=UDP localport=138
netshadvfirewall firewall add rule name="Microsoft iSCSI Software Target Service" dir=in action=allow program="%SystemRoot%\System32\WinTarget.exe" enable=yes netshadvfirewall firewall add rule name="Microsoft iSCSI Software Target Service Status Proxy" dir=in action=allow program="%SystemRoot%\System32\WTStatusProxy.exe" enable=yes
Task 1: Create an iSCSI target on NYC-ISCSI.

1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-ISCSI, click Start, point to Administrative Tools, and then click Microsoft iSCSI Software Target. In the tree pane of the iSCSITarget [Microsoft iSCSI Software Target\Devices] console, right-click iSCSI Targets, and then click Create iSCSI Target. On the Welcome to the Create iSCSI Target Wizard page, click Next. In the iSCSI target name box of the iSCSI Target Identification page, type LUN-01, and then click Next. On the iSCSI Initiators Identifiers page, click Advanced. In the Advanced Identifiers dialog box, click Add. In the Identifier Type box of the Add/Edit Identifier dialog box, click IP Address, in the Value box, type 10.10.0.24, and then click OK. In the Advanced Identifiers dialog box, click Add. In the Identifier Type box of the Add/Edit Identifier dialog box, click IP Address, in the Value box, type 10.10.0.25, and then click OK.
10. In the Advanced Identifiers dialog box, click OK. 11. On the iSCSI Initiators Identifiers page, ensure that the IQN Identifier box displays the text Click Advanced button to view alternate identifiers, and then click Next. 12. On the Completing the Create iSCSI Target Wizard page, click Finish. 13. In the tree pane of the iSCSITarget [Microsoft iSCSI Software Target\Devices] console, under iSCSI Targets, right-click Devices, and then click Create Virtual Disk. 14. On the Welcome to the Create Virtual Disk Wizard page, click Next.
15. In the File box of the File page, type C:\Disks\Disk-01.vhd, and then click Next. 16. In the Size of virtual disk (MB) box of the Size page, type 8000, and then click Next. 17. On the Description page, click Next. 18. On the Access page, click Add. 19. In the Add Target dialog box, in the Target Name list, click LUN-01, and then click OK. 20. On the Access page, click Next. 21. On the Completing the Create Virtual Disk Wizard page, click Finish. 22. In the tree pane of the iSCSITarget [Microsoft iSCSI Software Target\Devices] console, under iSCSI Targets, right-click Devices, and then click Create Virtual Disk. 23. On the Welcome to the Create Virtual Disk Wizard click Next. 24. In the File box of the File page, type C:\Disks\Disk-02.vhd, and then click Next. 25. In the Size of virtual disk (MB) box of the Size page, type 20000, and then click Next. 26. On the Description page, click Next. 27. On the Access page, click Add. 28. In the Add Target dialog box, in the Target Name list, click LUN-01, and then click OK. 29. On the Access page, click Next. 30. On the Completing the Create Virtual Disk Wizard page, click Finish.

1. 2. 3. 4. 5. 6. Switch to NYC-SVR1. If necessary, log on as Contoso\Administrator, with the password, Pa$$w0rd. Click Start, point to Administrative Tools, and then click iSCSI Initiator. Click Yes. On the Targets tab of the iSCSI Initiator Properties dialog box, in the Target box, type 10.10.0.30, and then click Quick Connect. In the Quick Connect dialog box, ensure that the status of iqn.1991-05.com.microsoft:NYC-ISCSIlun-01-target is Connected, and then click Done. On the Volumes and Devices tab, click Auto Configure. Verify that two volumes are added to the Volume List. In the iSCSI Initiator Properties dialog box, click OK.

1. 2. 3. 4. 5. Switch to NYC-SVR2. Click Start, point to Administrative Tools, and then click iSCSI Initiator. Click Yes. On the Targets tab of the iSCSI Initiator Properties dialog box, in the Target box, type 10.10.0.30, and then click Quick Connect. In the Quick Connect dialog box, ensure that the status of iqn.1991-05.com.microsoft:NYC-ISCSIlun-01-target is Connected, and then click Done. On the Volumes and Devices tab, click Auto Configure. Verify that two volumes are added to the Volume List. If only one volume is listed, click Clear, and then click Auto Configure.
6.
In the iSCSI Initiator Properties dialog box, click OK.
Task 4: Configure the shared disks.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR1. Click Start, point to Administrative Tools, and then click Server Manager. In the tree pane of the Server Manager console, expand Storage, and then click Disk Management. Right-click Disk 3, and then click Online. Right-click Disk 4, and then click Online. Right-click Disk 3, and then click Initialize Disk. Verify that both Disk 3 and Disk 4 are selected, and then click OK. In the Disk Management result pane, right-click the 7.81 GB Unallocated area next to either Disk 3 or Disk 4, and then click New Simple Volume. On the Welcome to the New Simple Volume Wizard page, click Next. On the Specify Volume Size page, click Next.
10. On the Assign Drive Letter or Path page, next to Assign the following drive letter, click Q, and then click Next. 11. On the Format Partition page, in the Volume label box, type Witness Disk, and then click Next. 12. On the Completing the New Simple Volume Wizard page, click Finish. 13. In the Disk Management result pane, right-click the 19.53 GB Unallocated area next to either Disk 3 or Disk 4, and then click New Simple Volume. 14. On the Welcome to the New Simple Volume Wizard page, click Next. 15. On the Specify Volume Size page, click Next. 16. On the Assign Drive Letter or Path page, next to Assign the following drive letter, click M, and then click Next. 17. On the Format Partition page, in the Volume label box, type VM Storage, and then click Next. 18. On the Completing the New Simple Volume Wizard page, click Finish.
Task 5: Install the Failover Clustering feature.

1. 2. 3. 4. 5. 6. 7. On NYC-SVR1, in the tree pane of the Server Manager console, right-click Features, and then click Add Features. On the Select Features page of the Add Features Wizard, under Features, select the Failover Clustering check box, and then click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close. Switch to NYC-SVR2. Click Start, point to Administrative Tools, and then click Server Manager. On NYC-SVR2, in the tree pane of the Server Manager console, right-click Features, and then click Add Features.
8. 9.
On the Select Features page of the Add Features Wizard, under Features, select the Failover Clustering check box, and then click Next. On the Confirm Installation Selections page, click Install.
10. On the Installation Results page, click Close.
Task 6: Validate the failover cluster.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR1. Click Start, point to Administrative Tools, and then click Failover Cluster Manager. In the Actions pane of the Failover Cluster Manager console, click Validate a Configuration. On the Before You Begin page, click Next. In the Enter name box of the Select Servers or a Cluster page, type NYC-SVR1, and then click Add. Type NYC-SVR2, click Add, and then click Next. On the Testing Options page, click Next. On the Confirmation page, click Next. Wait for the validation to complete (which will take several minutes), and then click View Report.
10. Verify that no errors are reported, and then close Internet Explorer. 11. On the Summary page, click Finish. Note No errors should be raised, but you may receive warnings that indicate the configuration is not optimal. This is expected and arises because of the limitations of the virtual machine configuration.
Task 7: Use the Create Cluster Wizard to build a simple failover cluster.
1. 2. 3. 4. 5. 6. 7. In the Actions pane of the Failover Cluster Manager console, click Create a Cluster. On the Before You Begin page, click Next. In the Enter server name box of the Select Servers page, type NYC-SVR1, and then click Add. Type NYC-SVR2, click Add, and then Next. In the Cluster Name box, type NYC-Br-Cluster, in the Address box, type 10.10.0.90, and then click Next. On the Confirmation page, click Next. On the Summary page, click View Report. Scroll to the lowermost part of the report, and verify that the cluster was created by using Node and Disk Majority quorum configuration. Close Internet Explorer. On the Summary page, click Finish.
8.
Task 8: Install the Print Services role on NYC-SVR1 and NYC-SVR2.

1. 2. 3. On NYC-SVR1, switch to Server Manager. In the navigation pane, right-click Roles, and then click Add Roles to start the Add Roles Wizard. On the Before You Begin page, click Next.
4. 5. 6. 7. 8. 9.
Select the Print and Document Services check box on the Select Server Roles page, and then click Next three times. Click Install. When prompted, click Close, and then close Server Manager after the installation is complete. Switch to NYC-SVR2 and switch to Server Manager. In the navigation pane, right-click Roles, and then click AddRoles to start the Add Roles Wizard. On the Before You Begin page, click Next.
10. Select the Print and Document Services check box on the SelectServerRoles page, and then click Next three times. 11. Click Install. 12. Close Server Manager after installation is complete.
Task 9: Cluster the Print Services role.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR1. Switch to Failover Cluster Manager. In the console tree, expand NYC-Br-Cluster.Contoso.com, and then click Services and Applications. Right-click Services and Applications, and then click Configure a Service or Application. Review the text on the first page of the wizard, and then click Next. On the Select Service or Application page, click Print Server, and then click Next. On the Client Access Point page, in the Name box, type NYC-BR-Print. In the Address box, type 10.10.0.108, and then click Next. On the Select Storage page, select Cluster Disk 2 as the storage volume for the print server, click Next, and then on the Confirmation page, click Next.
10. After the wizard runs and the Summary page appears, you can view a report of the tasks the wizard performed by clicking View Report. Review the report, and then close Internet Explorer. 11. Click Finish. 12. In the navigation pane, expand Services and Applications, and verify that the clustered print server NYC-BR-Print has been created.
Task 10: Fail over the NYC-BR-Print clustered service from NYC-SVR1 to NYC-SVR2.
1. 2. 3. 4. 5. In the navigation tree, click NYC-BR-Print. In the results pane, identify the services current owner. In the Actions pane, click Move this service or application to another node. Click Move to node servername, where servername is the cluster node that is not the current owner. In the Please confirm action dialog box, click Move NYC-BR-Print to servername. Wait for the service to move to the new owner. Then, in the results pane, verify that NYC-BR-Print now shows the new current owner and that all components are online.
Task 11: Change the preferred owner of NYC-BR-Print to NYC-SVR2.

1. 2. 3. In the navigation tree, click NYC-BR-Print. In the Actions pane, click Properties. On the General tab, in the Preferred Owners area, select theNYC-SVR2 check box, and then click Up.
Task 12: Change the failback settings to allow failback only to the preferred node between 1 and 4 hours.
1. 2. 3. On the Failover tab, click Allow Failback. Click Failback between. Type 1 in the first box and 4 in the second box, and then click OK.
Results: At the end of this exercise, you will have implemented a failover cluster.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 to revert the 6433A-NYC-SVR1, 6433A-NYC-SVR2, and 6433A-NYC-ISCSI virtual machines.
Lab Answer Key: Planning Performance and Event Monitoring
Module 13
Contents:
Exercise 1: Planning Enterprise Event Log Management Exercise 2: Configuring Event Subscriptions Exercise 3: Creating Custom Views Exercise 4: Configuring Event Tasks 2 2 5 5
Lab: Planning and Implementing Event Log Management

Exercise 1: Planning Enterprise Event Log Management
Task 1: Answer the planning questions.
1. How will you facilitate the central collection of events from the application test servers? Answer: Events should be centrally collected by using event subscriptions. 2. Where will you collect the events from the application test servers, what event subscription type will you use, and how will you determine which events to collect?
Answer: Because of the transient nature of the application test servers, NYC-DC1 should be used to collect the events. A single collector initiated subscription on NYC-DC1 specifying the source application test servers would work best in this case as application servers can be added or removed from the list of computers on the subscription as they are moved into an out of the environment. Because the installers for the applications are all MSI-based, you can use the MsiInstaller source to catch all events that are logged by the installers. 3. How will you provide a list of only the installation-related events on each of the local application test servers?
Answer: On the local application servers, a custom view can be created to display only the MsiInstaller events. 4. How can you effectively implement these lists on all servers, including those that will be added later?
Answer: After a custom view for the MsiInstaller source has been created, it can be exported, stored in a network location, and then imported on each additional application test server that is introduced to the environment. 5. How will you implement the notification system specified in the scenario?
Answer: Using Task Scheduler, a task can be created to run whenever an MsiInstaller event is logged in the Forwarded Events log. This task should create a pop-up notification on the application server that the event has occurred. Results: After completing this exercise, you should have planned enterprise log management.
Exercise 2: Configuring Event Subscriptions

Task 1: Prepare all computers for event subscriptions.
1. 2. 3. 4. Switch to the 6433A-NYC-DC1 virtual machine. On NYC-DC1, click Start, and then click Run In the Run window, in the Open field, type cmd, and then press Enter. In the Administrator C:\Windows\system32\cmd.exe window, type the following command, and then press Enter. This command will enable the WinRM service and enable the default configuration.
Winrmqc
5. 6.
At the Make these changes? prompt, type Y, and then press Enter. In the Administrator C:\Windows\system32\cmd.exe window, type the following command, and then press Enter. This command will enable the Windows Event Collector Service on NYC-DC1 and enable the default configuration.
Wecutilqc
7. 8. 9.
At the service startup prompt, type Y, and then press Enter. Close the Administrator C:\Windows\system32\cmd.exe window. Switch to the 6433A-NYC-SVR1 virtual machine.
10. On NYC-SVR1, click Start, then click Run 11. In the Run window, type cmd into the Open field and then press Enter. 12. In the Administrator C:\Windows\system32\cmd.exe window, type the following command, and then press Enter. This command will enable the WinRM service and enable the default configuration.
Winrmqc
13. At the first Make these changes? prompt, type Y, and then press Enter. 14. At the second Make these changes? prompt, type Y, and then press Enter. 15. Close the Administrator C:\Windows\system32\cmd.exe window.
Task 2: Create the event subscription.

1. 2. 3. Switch to the 6433A-NYC-DC1 virtual machine. On NYC-DC1, click Start, click Administrative Tools, and then click Event Viewer. In the Event Viewer window, right-click the Subscriptions node, and then click Create Subscription. Note If you have not enabled and configured the Windows Event Collector service at this point (you did it in Task 1 of this exercise), you will be prompted to enable the service now. 4. 5. 6. 7. 8. 9. In the Subscription Properties window, in the Subscription name field, type Application Installations. In the Subscription type and source computers section, click the Select Computers button. In the Computers window, click the Add Domain Computers button. In the Select Computer window, type NYC-SVR1, click the Check Names button, and then click OK. In the Computers window, click OK. In the Subscription Properties Application Installations window, click the Select Events button.
10. In the Query Filter window, select By source, click the Event Sources: drop-down box, select the MsiInstaller check box, and then click OK. 11. In the Subscription Properties - Application Installations window, click the Advanced button.
12. In the Advanced Subscription Settings window, select Specific User, and then click the User and Password... button. 13. In the Credentials for Subscription Source window, in the Password field, type Pa$$w0rd, and then click OK. 14. In the Advanced Subscription Settings window, click OK. 15. In the Subscription Properties - Application Installations window, click OK. 16. In the Event Viewer window, click the Subscriptions node. 17. In the details pane, confirm that the Status column next to the Application Installations subscription is Active. 18. In the details pane, right-click the Application Installations subscription, and then click Runtime Status. 19. In the Subscription Runtime Status Application Installations window, confirm that the Status column beside NYC-SVR1.Contoso.com is Active and then click Close.
Task 3: Test the event subscription by installing an application.

1. 2. 3. 4. 5. 6. 7. 8. Switch to the 6433A-NYC-SVR1 virtual machine. On NYC-SVR1, click Start, and then click Computer. In the Computer window, navigate to the D:\Labfiles\Mod13 directory and double-click xmlnotepad.msi. Complete the installation, accepting all defaults. Close the Mod 13 window. Switch to the 6433A-NYC-DC1 virtual machine. In Event Viewer, expand the Windows Logs node, and then click the Forwarded Events node. Confirm that events related to the installation on xmlnotepad.msi have been stored in this location. The event ids should be 1040, 1042, 11707, and 1033. Notice that the Computer column displays the source computer for each event. Note 9. The events may take one minute or so to appear in the Forwarded Events view.
Close the Event Viewer window.
Results: After completing this exercise, you should have configured event subscriptions.
Exercise 3: Creating Custom Views

Task 1: Create a custom view.
1. 2. 3. 4. 5. 6. Switch to the 6433A-NYC-SVR1 virtual machine. On NYC-SVR1, click Start, click Administrative Tools, and then click Event Viewer. In the Event Viewer window, right-click the Custom Views node, and then click Create Custom View. In the Create Custom View window, select By source, click the Event Sources: drop-down box, select the MsiInstaller check box, and then click OK. In the Save Filter to Custom View window, type Application Installation Events View and then click OK. In the Event Viewer window, ensure that the Application Installation Events View is selected in the navigation pane. In the details pane, confirm that the four events from the installation of xmlnotepad.msi in Exercise 2 are present.
Task 2: Export the custom view.

1. 2. On NYC-SVR1, in the Event Viewer window, right-click the Application Installation Events View in the navigation pane, and then click Export Custom View. In the Save As window, in the File name field, type \\NYC-DC1\Share\AppInstView, and then click Save.
Task 3: Import and test the custom view.

1. 2. 3. 4. 5. 6. On NYC-SVR1, in the Event Viewer window, right-click the Application Installation Events View in the navigation pane, and then click Delete. In the Event Viewer pop-up window, click Yes. In the Event Viewer window, right-click the Custom Views node in the navigation pane, and then click Import Custom View. In the Import Custom View window, double-click the AppInstView.xml file. In the Import Custom View File window, click OK. In the Event Viewer window, ensure that the Application Installation Events View is selected in the navigation pane. In the details pane, confirm that the four events from the installation of xmlnotepad.msi in Exercise 2 are present.
Results: After completing this exercise, you should have created custom views.
Exercise 4: Configuring Event Tasks

Task 1: Create an event task.
1. 2. 3. Switch to the 6433A-NYC-DC1 virtual machine. On NYC-DC1, click Start, click Administrative Tools, and then click Task Scheduler. In the Task Scheduler window, right-click the Task Scheduler (local) node in the navigation pane, and then click Create Basic Task.
4. 5. 6. 7. 8. 9.
In the Create Basic Task Wizard window, in the Name field, type Application Install Failure Email, and then click Next. On the Task Trigger page, select When a specific event is logged, and then click Next. On the When a Specific Event is Logged page, click the Log drop-down box, and then click Forwarded Events. In the Event ID field, type 11708, and then click Next. On the Action page, select Send an e-mail, and then click Next. On the Send an E-mail page, populate the fields as follows, and then click Next. From:AppInstallNotifier@Constoso.com To:Ed@Contoso.com Subject: Application Installation Failure Text: An application installation has occurred. Please check the Forwarded Events Log on NYCDC1 for more details. SMTP Server: NYC-SVR1.Contoso.com
10. On the Summary page, click Finish.
Task 2: Test the event task by installing an application.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to the 6433A-NYC-SVR1 virtual machine. On NYC-SVR1, click Start, and then click Computer. In Windows Explorer, navigate to the D:\Labfiles\Mod13\ directory. In the details pane, double-click xmlnotepad.msi. On the XML Notepad 2007 Setup page, click Next. On the Modify, Repair or Remove installation page, click Remove. Click the Remove button. Click Finish. In the details pane, double-click xmlnotepad.msi. Start the install by using default settings. Press Cancel before the installation finishes. Switch to the 6433A-NYC-SVR1 virtual machine.
10. On NYC-SVR1, click Start, and then click Computer. 11. In the navigation pane, expand Local Disk (C:), expand inetpub, expand mailroot, and then click the Drop folder. Ensure that there is a file in the folder that has been just created with the .eml extension. This file represents the email from the task configured in Task 1. It may take a few minutes for the file to appear. 12. Close Windows Explorer. Results: After completing this exercise, you should have created an event task.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat the preceding steps for 6433A-NYC-SVR1.
Lab Answer Key: Enterprise Backup and Recovery
Module 14
Contents:
Exercise 1: Contoso Disaster Recovery Plan Exercise 2: Configuring Network Backup with Windows Server Backup Exercise 3: Mounting Backup VHD and Extracting Data Exercise 4: Configuring NYC-SVR1 to boot from the backup VHD
2 4 5 6
Lab: Backing Up and Restoring from VHD

Exercise 1: Contoso Disaster Recovery Plan
Task 1: Read the Contoso disaster recovery requirements plan.
1. Read the Contoso disaster recovery requirements document. Contoso Disaster Recovery document Document Reference Number: GW1203/1 Document Author Date Sam Abolrous 26th January
Environment Information Contoso, Ltd. is a medium-sized organization with its head office in Melbourne, Australia, and two branch offices. The organization employs 300 people, of which 200 are located at its head office, and 50 people work at each of the two branch offices. You have been asked to generate a disaster recovery plan for the Contoso Windows Server 2008 R2 deployment. The Contoso server infrastructure consists of the following: Head Office Site: Melbourne Central Business District One physical server running Windows Server 2008 R2 configured with the AD DS, DNS, DHCP, AD CS roles. 8 GB of RAM. 1 terabyte (TB) Hard Disk Drive (HDD). Two physical servers running Windows Server 2008 R2 configured as DFS Replicas and DFS Roots. 8 GB of RAM. 1 TB HDD. One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD. Windows Web Server 2008 R2 IIS server Windows Server 2008 R2 hosting Exchange Server 2010 server Windows Server 2008 R2 hosting SQL Server 2008 R2 database server Branch Office Site: Moonee Ponds One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD. Windows Server 2008 R2 Domain Controller / DNS / DHCP server Windows Server 2008 File Server / DFS Replica Branch Office Site: Endeavour Hills One physical server running Windows Server 2008 R2 with Hyper-V hosting the following virtual machines. 16 GB of RAM. 2 TB HDD. Windows Server 2008 R2 Domain Controller / DNS / DHCP server Windows Server 2008 File Server / DFS Replica Additional Information Contoso is in the process of renting space for a disaster recovery site in the suburb of Dandenong. All servers at Contoso that host the Hyper-V role only have that role installed. Servers at the head office site should never lose more than 3 hours of data in the event of server failure.
Contoso Disaster Recovery document Servers at branch office sites should never lose more than 24 hours of data in the event of server failure. Requirements Overview Contoso has asked you to accomplish the following objectives in developing a disaster recovery plan. 1. You need to be able to restore backup data from all servers at the head office site in the event that computers at the head office site are completely lost due to fire, flood damage, or other unforeseen catastrophes. 2. A 7-day recovery point objective is acceptable if a site is completely lost. 3. Servers at the head office site should never lose more than 3 hours of data in the event of server failure. 4. Servers at branch office sites should never lose more than 24 hours of data in the event of server failure. 5. You need to be able to run any head office server in the event that the server hardware fails until that hardware is replaced. 6. You want to minimize the amount of hardware deployed at the proposed Dandenong disaster recovery site. 7. You need to be able to restore up to 7 days of data on each server in the event that data is lost or corrupted.
Task 2: Update the proposal document with your suggested solutions.

Contoso Disaster Recovery plan Document Reference Number: GW1203/2 Document Author Date Kim Akers 1st April
Proposals Contoso has asked you to accomplish the following objectives in developing a disaster recovery plan.
1.
What steps should you propose to meet the objective of being able to recover up to 7 days of data on each server? It will be necessary to have a local backup storage device attached to each server. A USB 3.0 device provisioned with appropriate storage attached to each server would accomplish this goal.
2.
What steps could you take to back up the virtual machines by using Windows Server Backup? Answers will vary, but you could create virtual volumes on each virtual machine, storing the VHD files these volumes on the backup storage device. Backups could be written to these virtual disks.
3.
What steps should you propose to meet the objective of ensuring that any branch office site can be recovered in the event of full site loss?
Contoso Disaster Recovery plan Backup data must be moved once a week to the DR site to ensure that data is available in the event that the site itself is lost. Once a week, it will be necessary to copy the contents of the backup storage devices to an additional device, such as another disk, and transport that device physically to the DR site. 4. What infrastructure would you provision at the Dandenong disaster recovery site to meet disaster recovery objectives? A server running Hyper-V and that has 32 GB or more of RAM will be able to temporarily host all of the servers that are present at any specific site. This will allow servers to be available until replacement hardware can be appropriated. 5. What infrastructure would you provision at the head office site to ensure that you can continue to provide services in the event that a single server fails completely? A server running Hyper-V that has 16 GB or more of RAM will be able to provide service at the head office site in the event that any single server fails completely. 6. What backup schedules would you configure for servers at the head office and branch office sites? Configure backup to occur every 3 hours at the head office site and once a day at the branch office sites.
Task 3: Discuss your disaster recovery plan.

1. Examine the completed deployment plan in the Lab Answer Key and be prepared to discuss your solutions with the class.
Results: At the end of this exercise, you will have planned an appropriate disaster recovery solution for Contoso.
Exercise 2: Configuring Network Backup with Windows Server Backup

In this exercise, you will configure Windows Server Backup to perform a scheduled backup to a network folder. To complete this exercise, perform the following tasks:
Task 1: Install Windows Server Backup.

1. 2. 3. 4. 5. 6. 7. On NYC-SVR1, right-click the desktop, click New, and then click Text Document. Set the name of the text document to Example_Data.txt. Open the text document and enter a short message. Save and close the file. Open Server Manager, click the Features node, and then click Add Features. Expand the Windows Server Backup Features node, and then select the check boxes next to Windows Server Backup and Command-line Tools. Click Next, and then click Install. When the installation completes, click Close. Switch to NYC-DC1.
8. 9.
Open Windows Explorer and create a new folder on volume D, called BackupTarget. Share this folder by right clicking on the folder, clicking on Share with, click on Specific people and on the File Sharing dialog box, click Share.
Task 2: Create a scheduled backup to a network location.

1. 2. 3. 4. 5. 6. 7. 8. 9. Switch to NYC-SVR1. Open Windows Server Backup from the Administrative Tools menu. Click Backup Schedule. On the Getting Started page of the Backup Schedule Wizard, click Next. On the Select Backup Configuration page, click Full server (recommended) and then click Next. On the Specify Backup Time page, next to Select time of day, select 5:00 AM, and then click Next. On the Specify Destination Type page, click Backup to a shared network folder and click Next. Review the warning, and then click OK. On the Specify Remote Shared Folder page, enter \\NYC-DC1\BackupTarget, and then click Next. On the Register Backup Schedule dialog, type Administrator, type the password, Pa$$w0rd, and then click OK. Click Finish, and then click Close.
Task 3: Run a backup by using the scheduled backup settings.

1. 2. 3. Switch to NYC-SVR1. In the Windows Server Backup console, click Backup Once On the Backup Options page of the Backup Once Wizard, select Scheduled backup options, click Next, and then click Backup. Note Depending on the speed of the host systems, backup could take approximately 20 minutes. 4. When the backup completes, click Close.
Results: At the end of this exercise, you will have used Windows Server Backup to create and perform a scheduled backup to a network location.
Exercise 3: Mounting Backup VHD and Extracting Data

In this exercise, you will mount the backup file that you created in Exercise 1 and extract data from it. To complete this exercise, perform the following tasks:
Task 1: Mount the backup VHD and extract data.

1. 2. 3. 4. 5. Switch to NYC-DC1 and open the Server Manager console. Expand the Storage node and then click Disk Management. Click More Actions, and then click Attach VHD. On the Attach Virtual Hard Disk dialog box, click Browse. Navigate to the D:\BackupTarget\WindowsImageBackup\NYC-SVR1 folder
6. 7.
Under this folder, open the folder that is named Backup and has a date and time stamp. Select the largest VHD file in this folder, and then click Open. Note This VHD file should be approximately 7.5 GB in size.
8. 9.
Click OK in the Attach Virtual Hard Disk dialog box. Open Windows Explorer and browse to the newly mounted volume.
10. Navigate to the Users\Administrator.Contoso\Desktop folder and open Example_Data.txt 11. Verify the contents of Example_Data.txt and then close the file. 12. Close Windows Explorer. 13. In the Server Manager console, click the Storage\Disk Management node and right-click the Disk that represents the mounted VHD volume. Click Detach VHD. Click OK. Results: At the end of this exercise, you will have verified the backup data without having to perform a restore operation.
Exercise 4: Configuring NYC-SVR1 to boot from the backup VHD

In this exercise, you will configure server NYC-SVR1 to dual-boot into the backup that was taken earlier.
Task 1: Prepare NYC-SVR1 for boot from the backup VHD.

1. 2. 3. Open the folder \\NYC-DC1\BackupTarget\WindowsImageBackup\NYC-SVR1. Open the folder that has the name that starts with Backup and has the date included. Copy the largest VHD file stored in this directory to the local F volume on NYC-SVR1. Note 4. This operation will take approximately seven minutes.
When the backup file is copied to volume F, rename the VHD file to backup.vhd.
Task 2: Configure NYC-SVR1 to boot from VHD.

1. Type cmd.exe into the Search programs and files textbox on the Start menu, right click on the cmd and click Run as administrator. Change to the C:\ directory by typing the following and pressing Enter.
CD \
2.
Type the following command and press Enter.
Bcdedit /copy {current} /D Boot_From_Backup
3. 4.
Make a note of the CSLID number that is displayed. You will use this number in the next set of commands. Enter the following commands, substituting the CSLID number. Keep the square parentheses around the drive letter and press Enter after each command.
Bcdedit /set {CSLID} device vhd=[f:]\backup.vhd
Bcdedit /set {CSLID} osdevicevhd=[f:]\backup.vhd Bcdedit /set {CSLID} detecthal on
5.
Close the command prompt.
Task 3: Boot into the backup VHD on NYC-SVR1.

1. 2. 3. Restart server NYC-SVR1. At the boot prompt, select Boot_From_Backup. If prompted, select Start Windows Normally and press Enter. Log on to NYC-SVR1 as Contoso\Administrator, with the password, Pa$$w0rd.
Results: At the end of this exercise, you will have performed recovery of a server operating system volume without having to perform a recovery by using Windows Server Backup.
To revert the virtual machines.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. 2. 3. 4. On the host computer, start Hyper-V Manager. Right-click 6433A-NYC-DC1 in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for the 6433A-NYC-SVR1 virtual machine.

Lab Instructions and Lab Answer Key: Planning and Implementing Windows Server® 2008

Caricato da

Informazioni sul documento

Descrizione originale:

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Lab Instructions and Lab Answer Key: Planning and Implementing Windows Server® 2008

Caricato da

Copyright:

Formati disponibili

O F F I C I A L

6433A and Lab Answer Key: Lab Instructions

Planning and Implementing Windows Server 2008

Product Number: 6433A Part Number: X17-90743 Released: 09/2011

Lab Instruction: Planning Server Deployment and Upgrade

Lab Instruction: Planning Server Deployment and Upgrade

Lab: Planning and Implementing Server Deployment

Repeat steps 2 to 4 for 6433A-NYC-SVR1.

Lab Instruction: Planning Server Deployment and Upgrade

Exercise 1: Planning a Windows Server 2008 R2 Deployment

Supporting Documentation Charlotte Weiss

Lab Instruction: Planning Server Deployment and Upgrade

Function(s) Supports line-of-business application Utilization

Lab Instruction: Planning Server Deployment and Upgrade

Task 1: Read the supporting documentation.

Lab Instruction: Planning Server Deployment and Upgrade

Task 3: Examine the suggested proposals in the Lab Answer Key.

Exercise 2: Modifying a Windows Server 2008 R2 Image

Task 1: Map a network drive to the image store on NYC-SVR1.

Task 2: List the existing images.

Dism /get-wiminfo /wimfile:Z:\labfiles\Mod01\images\install.wim

Task 3: Mount the existing image.

Task 4: Add the Hyper-V feature to the image.

Lab Instruction: Planning Server Deployment and Upgrade

Run the following command to verify that Microsoft-Hyper-V is enabled.

Dism /image:D:\labfiles\mod01\servicing /get-features

Dism/unmount-wim /mountdir:D:\labfiles\Mod01\servicing /commit

Exercise 3: Preparing to Deploy the Windows Server 2008 R2 Image

Task 1: Install the Windows Deployment Services role.

Task 2: Configure Windows Deployment Services.

Lab Instruction: Planning Server Deployment and Upgrade

Task 3: Add a Windows Preinstallation Environment (Windows PE) boot image.

Minimize Windows Deployment Services.

Task 4: Use WDSUtil to add a boot image.

Task 5: Add an install image.

Task 6: Configure automatic naming.

Task 7: Configure administrator approval.

Lab Instruction: Planning Server Deployment and Upgrade

Close the Command Prompt window.

Task 8: Configure Windows Deployment Services server for multicast transmission.

To prepare for the next module

Lab Instructions: Planning Server Management and Delegated Administration

Lab Instructions: Planning Server Management and Delegated Administration

Lab: Implementing Role-Based Systems Administration

Lab Instructions: Planning Server Management and Delegated Administration

Exercise 1: Creating an Administrative-Level Role Group

Task 1: Create the ADRedesign group in the Users container.

Exercise 2: Creating an Account Management Group

Lab Instructions: Planning Server Management and Delegated Administration

Task 1: Create the AcctMgmt group in the Users container

Exercise 3: Enabling and Configuring Auditing for Sensitive Groups

Task 1: Enable auditing by using Group Policy.

Lab Instructions: Planning Server Management and Delegated Administration

Task 3: Test auditing configuration.

To prepare for the next module

Lab Instructions: Planning Network Addressing and Name Resolution

Lab Instructions: Planning Network Addressing and Name Resolution

Lab: Planning and Implementing DHCP and DNS

Repeat these steps 2 to 4 for 6433A-NYC-SVR2, 6433A-NYC-RTR, and 6433A-NYC-CL2.

Lab Instructions: Planning Network Addressing and Name Resolution

Exercise 1: Planning the Deployment of DHCP and DNS Servers

Lab Instructions: Planning Network Addressing and Name Resolution