Infrastructure – Practical Exercises

Before starting the lab restart the servers. First, restart LON-DC1, then after it has fully started, restart LON-SVR1. This will put the servers in sync and avoid replication and time errors.

Overview

This course comes with a virtual lab environment where you can practice what you learn. Launch the lab environment from the Welcome > Getting Started > Practice Lab Environment page.

• You will only have four hours in the practical environment.
• The time is cumulative, so you can work a little bit at a time until it adds up to the total time allowed.
• You may not have enough time to complete all the practical exercises. So, choose wisely. You may want to consider all the hands-on exercises and decide which ones you want to make sure you work on first.

In most cases, the userid is Adatum\Administrator and the password is Pa55w.rd, but read the instructions carefully. This is also the password for any existing users.

If you are having difficulties with the lab environment check out the Student Lab Guide. This document is available from the Course Handouts page and includes basic troubleshooting and the support desk link.

Recommendation: Bookmark the Practice Lab Environment page as you will return to it frequently to perform your hands-on labs!

Notice in the lab environment you can copy information to the virtual machines by using the Actions > Paste Content window. Before you paste the content, be sure your cursor is where you want the copied data.

Module 1 – Installation

Remote Desktop Connections

In this exercise you will configure a Remote Desktop Connection and enable Windows Firewall rules.

Create a Server Group

1. Switch to LON-DC1 and open Server Manager (click the Windows icon).
2. Notice on the left that several server groups have already been created. For example, All Servers, AD DS, DNS, and File and Storage Services.
3. From the Dashboard click Create a server group.
4. In the Server group name box, type LAB.
5. In the Create Server Group dialog box, click the Active Directory tab, and then click Find Now.
6. Use the arrow to add LON-SVR1 to the server group.
7. Add LON-DC1 to the group. Save your choices.
8. In the Dashboard, select LAB.
9. Notice that you can select each server and then scroll through items like Events, Services, and Roles and Features. This is a great way to manage multiple servers from the dashboard.

Enable Remote Desktop Connections

1. Right-click LON-SVR1 and select Remote Desktop Connection.
2. Notice the error that Remote Desktop cannot connect to the computer. One of the reasons listed is that remote access to the computer is not enabled.
3. Switch to LON-SVR1 and open Server Manager (use the Windows icon).
4. Click Local Server and review the available information.
5. Next to Remote Desktop, click Disabled.
6. In the System Properties dialog box, click Allow remote connections to this computer.
7. Apply your changes.
8. Return to LON-DC1.
9. Right-click LON-SVR1 and select Remote Desktop Connection.
10. When prompted, enter the Adatum\Administrator credentials.
11. It may take a minute for the Desktop to appear.
12. Notice you are viewing the LON-SVR1 GUI. This is one way you can administer the server remotely.
13. Leave the remote connection open.

Enable Windows Firewall Advanced Settings

1. Return to LON-DC1 Server Manager.
2. Right-click LON-SVR1, and then select Computer Management. It may take a minute for the snap-ins to load.
3. Notice the error and make a note of the Windows Firewall rules that need to be enabled. Close the Computer Management console window.
4. Switch to the Remote Desktop connection (LON-SVR1).
5. In Server Manager, click Tools, and then select Windows Firewall with Advanced Security.
6. Select Inbound Rules.
• Enable COM+ Network Access (DCOM-In)
• Enable all rules (3) in the Remote Event Log Management group
7. You can close the remote session with LON-SVR1.
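The Remote Desktop and firewall changes from the two procedures above can be scripted instead of clicked. The following is an added example and not part of the lab guide: the registry values, rule display groups and NetSecurity cmdlets are standard Windows ones; requiring Network Level Authentication and scoping the rules to the Domain profile are this example's hardening choices, not lab steps.

```powershell
# Added example, not from the lab guide. Run in an elevated PowerShell session on LON-SVR1.

# 1. Allow Remote Desktop connections (the "Allow remote connections" check box) and
#    require Network Level Authentication, so a client must authenticate before a
#    session is created. Both are registry values under the Terminal Server key.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# 2. Enable the predefined inbound rule groups the lab turns on by hand, rather than
#    writing new "any port" rules. These are the display groups shown in
#    Windows Firewall with Advanced Security.
$groups = @(
    'Remote Desktop',              # TCP/UDP 3389 for the RDP connection from LON-DC1
    'COM+ Network Access',         # COM+ Network Access (DCOM-In), needed by Computer Management
    'Remote Event Log Management'  # the three RPC / named-pipe rules for the Event Viewer snap-in
)
Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound | Enable-NetFirewallRule

# 3. Hardening beyond the lab: restrict those rules to the Domain profile so they stop
#    applying if the server is ever attached to a private or public network.
Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound | Set-NetFirewallRule -Profile Domain

# 4. Verify what is now open and report it as one object.
function Get-LabRemoteAccessState {
    $rdpEnabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
    $nla        = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp").UserAuthentication -eq 1
    $rules      = Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound |
                  Select-Object DisplayName, Enabled, Profile
    [pscustomobject]@{ RemoteDesktop = $rdpEnabled; NLARequired = $nla; Rules = $rules }
}
Get-LabRemoteAccessState | Format-List
# From LON-DC1, Test-NetConnection LON-SVR1 -Port 3389 confirms the listener is reachable.
```

Because the rules are limited to the Domain profile, they will not apply while LON-SVR1 sits in a workgroup (as it does briefly in the RODC exercise later in this guide); use the console for that part, as the lab does.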

Manage Services using Computer Management

1. On LON-DC1, right-click LON-SVR1 and then click Computer Management.
2. Notice the console now launches without errors.
3. Take a minute to review the actions you can take on the remote server.
4. Expand Services and Applications, and then click Services.
5. Right-click each of the following services and view Properties. Notice how the Startup Type, Log On, and Recovery information is different.
• Optimize Drives – The Startup Type is Manual.
• Netlogon – Recovery options for this service are not available. In case of failure the service restarts the computer.
• Remote Desktop Services – The Log On does not use the local account.
• Explore other services as you have time, then close the Computer Management console.
6. Return to LON-DC1.
7. In the LAB node with LON-SVR1 selected, scroll down and review the Services information.
8. Notice you can Start, Stop, and Restart services from within this SERVICES section by right-clicking the service. To configure the service properties you must use the Computer Management console.

Performance Monitor

Create a data collector set

1. Switch to LON-SVR1.
2. Click the Windows logo, and type perfmon.exe to launch Performance Monitor.
3. Expand Data Collector Sets, right-click User Defined, point to New, and then click Data Collector Set.
• Name: LON-SVR1 Performance.
• Create manually (Advanced). Notice the choice to use a Template.
• Select the Performance counter check box.
• Add a few counters such as Processor\% Processor Time and PhysicalDisk\% Disk Time.
• Take some time to check out the other counters you could add to your data collector set.
• After adding your counters, set the Sample interval to 1. This is for the lab, and would not be a best practice in a production environment.
• On the Where would you like the data to be saved? page, make a note of where the data will be saved.
4. Finish creating your data collector set, right-click the set and Start collecting data.

Create a disk load on the server

1. Click Start, and then click Windows PowerShell.
2. At the Windows PowerShell prompt, type the following command, and then press Enter:

fsutil file createnew bigfile 104857600

3. Copy bigfile to bigfile2:

Copy-Item bigfile bigfile2

4. Delete both files:

Remove-Item bigfile*

Analyze the resulting data in a report

1. Return to Performance Monitor.
2. Right-click your data collector set, and select Stop.
3. Under Monitoring Tools select Performance Monitor.
4. Use the second icon from the left to View log data.
5. On the Source tab, Add your log file by navigating to the LON-SVR1_date-000001 folder, and then double-clicking DataCollector01.blg.
6. On the Data tab, Add the counters that are part of the data collector set.
7. Take a minute to look at the other tabs to see how you can customize the graphical view.
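The three procedures above (create the collector set, generate the load, read the log) can be run end to end from PowerShell. This is an added example, not from the lab guide: it uses logman, the command-line front end to the same data collector sets Performance Monitor manages, and Import-Counter to read the .blg file. The set name, counters and 100 MB workload are the lab's; the output and scratch folders and the summary function are this example's choices.

```powershell
# Added example, not from the lab guide. Run in an elevated PowerShell session on LON-SVR1.
$setName = 'LON-SVR1 Performance'
$outDir  = 'C:\PerfLogs\Admin\LON-SVR1 Performance'   # assumed output folder
$work    = 'C:\PerfLoad'                              # assumed scratch folder for the disk load

# 1. Create the data collector set with the lab's two counters and a 1-second interval.
#    A 1-second interval is fine for a lab and, as the guide says, too aggressive for production.
logman create counter "$setName" -f bin -si 00:00:01 -o "$outDir\DataCollector01" `
    -c "\Processor(_Total)\% Processor Time" "\PhysicalDisk(_Total)\% Disk Time"
logman start "$setName"

# 2. Generate the same disk load the lab produces: a 100 MB file, a copy, then delete both.
New-Item -ItemType Directory -Path $work -Force | Out-Null
Push-Location $work
fsutil file createnew bigfile 104857600
Copy-Item bigfile bigfile2
Remove-Item bigfile*
Pop-Location
Start-Sleep -Seconds 2     # let a couple more samples land after the I/O finishes

# 3. Stop collecting and summarise the newest .blg without opening the GUI.
logman stop "$setName"

function Get-CounterSummary([string]$LogFolder) {
    $blg = Get-ChildItem -Path $LogFolder -Filter *.blg -Recurse |
           Sort-Object LastWriteTime | Select-Object -Last 1
    # Group by counter path with the leading \\COMPUTER prefix stripped.
    $byCounter = (Import-Counter -Path $blg.FullName).CounterSamples |
        Group-Object { $_.Path.Substring($_.Path.IndexOf('\', 2)) }
    foreach ($g in $byCounter) {
        $m = $g.Group | Measure-Object -Property CookedValue -Average -Maximum
        [pscustomobject]@{
            Counter = $g.Name
            Samples = $m.Count
            Average = [math]::Round($m.Average, 1)
            Peak    = [math]::Round($m.Maximum, 1)
        }
    }
}
Get-CounterSummary -LogFolder $outDir | Format-Table -AutoSize
```

The Peak column for % Disk Time is where the copy shows up; the same log can still be opened in Performance Monitor with View log data as the lab describes.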

Module 2 – Logical Components

Sites and Subnets (Server Manager)

In this exercise you will create a site for the Toronto office and assign a subnet to that site.

Add another domain controller

Note: We will discuss Domain Controllers in more detail in the next module, but for now go ahead and follow these simple steps to add another domain controller to the domain.

1. Sign in to LON-SVR1.
2. In the Server Manager Dashboard, select Add roles and features.
3. Proceed to the Server Roles page and select the Active Directory Domain Services role. Agree to add any features that are required.
4. Read through the rest of the pages and Install the role.
5. After the role installs, select the Notifications icon on the top bar, and select Promote this server to a domain controller.
6. In the wizard, select Add a domain controller to an existing domain. The domain is Adatum.com and you are using the Adatum\Administrator credentials.
7. On the Domain Controller Options page, notice the Site Name is Default-First-Site-Name. For the DSRM password use Pa55w.rd.
8. Read through the rest of the pages, take the defaults, ignore any errors, and then Install.
9. Follow the prompts to restart the server, and sign in again.

Create a Site for Toronto

1. Switch to LON-DC1.
2. In Server Manager, click Tools, and then click Active Directory Sites and Services.
3. Expand Sites and notice there is only one site called Default-First-Site-Name. This site was created when the domain controller was installed.
4. Right-click Default-First-Site-Name and Rename the site to London.
5. Right-click Sites, and then click New Site.
• Name: Toronto
• Select a site-link object for this site: DEFAULTIPSITELINK
6. Read the messages about additional configuration tasks for the Toronto site such as: linking to other sites, adding subnets to the site, installing domain controllers in the site, or moving existing domain controllers into the site.
7. Verify that the Toronto site now displays in the Sites list.

Move a domain controller to the Toronto site

1. Expand the Toronto site and the Servers folder.
2. Notice there are no domain controllers for this site.
3. Expand the London site and the Servers folder.
4. Notice LON-DC1 and LON-SVR1 are listed as domain controllers for the site.
5. Right-click LON-SVR1 and Move the domain controller to the Toronto site.
6. Verify the Toronto site now has a domain controller.

Create IP subnets associated with the Toronto and London sites

1. Right-click Subnets, and then click New Subnet.
• Prefix: 172.16.1.0/24
• Select a site object for this prefix: Toronto
2. Right-click Subnets, and then click New Subnet.
• Prefix: 172.16.100.0/24
• Select a site object for this prefix: London
3. In the navigation pane, click the Subnets folder. Verify in the right pane that the two subnets are created and associated with their appropriate site.

Configure site-links between the sites

1. Expand Inter-Site Transports, and then click the IP folder.
2. Notice there is only one site link that replicates every 180 minutes.
3. Right-click IP, and then click New Site Link.
4. Name the link LON-TOR. This link will configure the replication between London and Toronto.
5. Right-click the completed LON-TOR site link, and click Properties.
6. Notice you can change the Cost and Replicate every values.
7. Click Change Schedule.
• Using the mouse, click the Monday at 9:00 AM tile and drag the cursor to the Friday at 3:00 PM tile.
• Click Replication Not Available.
• Notice the white area where, during high traffic times, replication to the Toronto site will not occur.
8. At this point you can delete the DEFAULTIPSITELINK site link.

Sites and Subnets (PowerShell)

In this exercise you will use PowerShell to create a site, create a subnet, and create a site link.

Create another Site for Paris

1. Switch to LON-DC1.
2. Open a PowerShell prompt.
3. View commands that pertain to objects.

Get-Command *object

4. View the Help on Get-ADObject. Review the syntax and parameters.

Get-Help Get-ADObject

5. Use Get-ADObject to view the sites in adatum.com. The SearchBase parameter values are case sensitive.

Get-ADObject -Filter 'ObjectClass -eq "site"' -SearchBase "CN=Configuration,DC=adatum,DC=com"

6. If you completed the previous exercise, the London and Toronto sites are returned. If you did not complete the previous lab, only the Default-First-Site-Name site will be returned.
7. View commands that pertain to sites.

Get-Command *site*

8. Use New-ADReplicationSite to create the Paris site.

New-ADReplicationSite -Name Paris

9. Use the previous Get-ADObject cmdlet to verify the site was created.

Create a subnet and site link for the Paris site

1. View commands that pertain to subnets.

Get-Command *subnet*

2. Use the Help to learn about the New-ADReplicationSubnet cmdlet.

Get-Help New-ADReplicationSubnet

3. Use New-ADReplicationSubnet to create a subnet, 172.16.200.0/24, for the Paris site. The Location is Paris,France.

New-ADReplicationSubnet -Name "172.16.200.0/24" -Site Paris -Location "Paris,France"

4. Use Get-ADReplicationSite to verify the Paris Subnet Properties.

Get-ADReplicationSite -Identity Paris -Properties *

5. Use New-ADReplicationSiteLink to create a new inter-site link from London to Paris. The cost is 100 and the link uses the IP protocol.

New-ADReplicationSiteLink -Name LON-PARIS -SitesIncluded London,Paris -Cost 100 -InterSiteTransportProtocol IP -ReplicationFrequencyInMinutes 90

6. Return to Server Manager and Refresh the console. Ensure your new site, subnet, and site link were created.
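As an added example that is not part of the lab text, the script below does two things the cmdlets above leave out: it puts a replication schedule on the LON-PARIS link (the same Monday to Friday, 9:00 AM to 3:00 PM blackout the Server Manager exercise draws with the mouse), and it audits the site topology for subnets that belong to no site. The cmdlets and the ActiveDirectorySchedule type are standard; the link name is the lab's, and the audit logic is this example's.

```powershell
# Added example, not from the lab guide. Run as a domain admin on LON-DC1 after the
# Paris site, subnet and LON-PARIS site link from this exercise exist.
Import-Module ActiveDirectory

# 1. Build the schedule the GUI exercise draws by hand: replication allowed at all times
#    except Monday-Friday 09:00-15:00. RawSchedule is bool[day, hour, 15-minute slot] with
#    day 0 = Sunday; $true means replication may occur in that slot.
function New-BusinessHoursBlackoutSchedule {
    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $raw = $schedule.RawSchedule
    for ($day = 0; $day -lt 7; $day++) {
        for ($hour = 0; $hour -lt 24; $hour++) {
            $busy = ($day -ge 1 -and $day -le 5) -and ($hour -ge 9 -and $hour -lt 15)
            for ($slot = 0; $slot -lt 4; $slot++) { $raw[$day, $hour, $slot] = -not $busy }
        }
    }
    $schedule.RawSchedule = $raw
    $schedule
}
Set-ADReplicationSiteLink -Identity LON-PARIS -ReplicationSchedule (New-BusinessHoursBlackoutSchedule)

# 2. Audit the topology. Every site should own at least one subnet, and a site with users
#    should have a domain controller; a subnet bound to no site sends its clients to an
#    arbitrary DC, possibly across the WAN.
function Get-SiteTopologyReport {
    $sites   = Get-ADReplicationSite -Filter *
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site   # Site is the site's DN
    $dcs     = Get-ADDomainController -Filter *                    # Site here is the site name
    foreach ($site in $sites) {
        [pscustomobject]@{
            Site    = $site.Name
            Subnets = @($subnets | Where-Object Site -eq $site.DistinguishedName).Count
            DCs     = @($dcs | Where-Object Site -eq $site.Name).Count
        }
    }
    $orphans = @($subnets | Where-Object { -not $_.Site })
    if ($orphans) { Write-Warning "Subnets with no site: $($orphans.Name -join ', ')" }
}
Get-SiteTopologyReport | Format-Table -AutoSize

# 3. Confirm the link's cost, interval and schedule were stored.
Get-ADReplicationSiteLink -Identity LON-PARIS -Properties Cost, ReplicationFrequencyInMinutes, ReplicationSchedule
```

If you skipped the Server Manager exercise, London does not exist and the LON-PARIS link creation in step 5 will have failed; create the sites first or substitute Default-First-Site-Name.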

Module 3 – Physical Components

Windows Server Roles and Features (Server Manager)

In this exercise you will use Server Manager to explore different Windows Server roles and features, and install a role and feature.

Note: Answers to the questions are at the end of this lab.

1. Switch to LON-DC1.
2. Open Server Manager.
3. Click the Manage menu, notice the Add Roles and Features and Remove Roles and Features menu selections.
4. Select Add Roles and Features.
5. Click Next until you are on the Server Selection page.
6. Notice you can administer different computers; select LON-DC1.
7. On the Server Roles page notice when you select a Role, a general Description is shown on the right.
8. Use the Descriptions to answer the following questions.
9. Question: Which server role enables you to centrally configure, manage, and provide temporary IP addresses and related information for client computers?
10. Question: Which server role provides the services that you can use to create and manage virtual machines and their resources?
11. Question: Which server role provides a reliable, manageable, and scalable Web application infrastructure?
12. Question: Which server role stores information about objects on the network and makes this information available to users and network administrators?
13. Question: Which server role allows network administrators to specify the Microsoft updates that should be installed on different computers?
14. Select Print and Document Services, and when prompted confirm you would like the RSAT tools.
15. Click Next until you are on the Features page.
16. Notice when you select a Feature, a general Description is shown on the right.
17. Use the Descriptions to answer the following questions.
18. Question: Which server feature allows multiple servers to work together to provide high availability of server roles?
19. Question: Which server feature includes snap-ins and command line tools for remotely managing roles and features?
20. Question: Which server feature distributes network traffic across several servers, using the TCP/IP protocol?
21. Question: Which server feature includes Windows PowerShell cmdlets that facilitate migration of server roles, operating system settings, files, and shares from computers that are running earlier versions of Windows Server?
22. Question: Which server feature provides a central framework for managing your IP address space and DHCP and DNS servers?
23. Select Windows Server Backup. Notice you have added a role and a feature.
24. Read through the additional information, and then Install the new components.
25. You can close the wizard, and use the Notification icon (top) to view the status. For these components a restart is not required.

Answers:

9. Dynamic Host Configuration Protocol (DHCP) Server. The DHCP server enables you to centrally configure, manage, and provide temporary IP addresses and related information for client computers. IP addresses are used to uniquely identify the client computers on your network.
10. Hyper-V Server. The Hyper-V Server provides services to create and manage virtual machines and their resources. Each virtual machine is a virtualized computer system that operates in an isolated execution environment. This allows you to run multiple operating systems simultaneously.
11. Web Server (IIS). The Web Server provides a reliable, manageable, and scalable Web application infrastructure. IIS supports hosting of Web content in production environments.
12. Active Directory Domain Services (AD DS) Server. The AD DS server stores information about objects on the network and makes this information available to users and network administrators. Servers that run the AD DS Server role are called Domain Controllers. These servers provide network users access to resources through a single logon process.
13. Windows Server Update Services (WSUS) Server. The WSUS server allows network administrators to specify the Microsoft updates that should be installed on different computers. Keeping your computers updated with the latest updates is an important part of securing the network. With WSUS you can automate this process and create different update schedules for your computers.
18. Failover Clustering. Failover clustering is often used for File Services, virtual machines, database applications, and mail applications.
19. Remote Server Administration Tools (RSAT). RSAT Tools are divided into Feature Administration Tools and Role Administration Tools. Feature Administration Tools include Failover Clustering Tools, IPAM Client, and Network Load Balancing Tools. Role Administration Tools include Hyper-V Management Tools, DHCP Server Tools, and Remote Access Management Tools.
20. Network Load Balancing (NLB). NLB is particularly useful for ensuring stateless applications, such as Web Servers running IIS, are scalable by adding additional servers as the load increases.
21. Windows Server Migration Tools. Windows Server Migration Tools can also facilitate migration from one computer that is running Windows Server 2012 to another server that is running Windows Server 2012, for example when you are creating a backup server.
22. IP Address Management Server (IPAM). IPAM supports automated discovery of DHCP and DNS servers in the Active Directory forest. IPAM can also track and monitor IPv4 and IPv6 addresses, as well as providing utilization tools.

Windows Server Roles and Features (PowerShell)

In this exercise you will use Windows PowerShell to manage Windows Server roles and features.

1. Switch to LON-DC1.
2. Open a Windows PowerShell prompt and ensure you are running in an administrator context; this can be done by right-clicking the icon in the taskbar and selecting Run as Administrator.
3. Use Get-Command to view commands that pertain to Windows features. Notice the Get-WindowsFeature and Install-WindowsFeature commands.

Get-Command *WindowsFeature

4. Review the help that is available on the Get-WindowsFeature command.

Help Get-WindowsFeature -ShowWindow

5. Review the roles and features installed on the local machine. Notice the Name, which is used for command line actions. Note the InstallState values: Available, Installed, Removed.

Get-WindowsFeature | More

6. Review the roles and features installed on LON-SVR1.

Get-WindowsFeature -ComputerName LON-SVR1

7. View just the installed features on LON-SVR1.

Get-WindowsFeature -ComputerName LON-SVR1 | Where InstallState -eq Installed

8. Deploy the XPS Viewer on the local machine.

Install-WindowsFeature XPS-Viewer

9. Deploy WINS on LON-SVR1.

Install-WindowsFeature WINS -ComputerName LON-SVR1

10. Uninstall the XPS Viewer on the local machine.

Uninstall-WindowsFeature XPS-Viewer

11. Features on Demand lets you add and remove role and feature files, also known as the feature payload, from Windows Server. This allows you to reduce and conserve space. To remove WINS and its payload from LON-SVR1, run the following command. Notice the -Remove parameter.

Uninstall-WindowsFeature WINS -ComputerName LON-SVR1 -Remove

To install a role or feature whose payload was removed, when the installation media is available on a drive, you could use the following (replace <FeatureName> with the feature to install):

Install-WindowsFeature <FeatureName> -Restart -Source wim:d:\sources\install.wim:4
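Get-WindowsFeature is also the basis of a simple drift check: record the installed roles and features once, then compare later runs against that record so an unexpected role (extra attack surface) stands out. The following is an added example, not from the lab guide; the cmdlets are the ones used above, the server names are the lab's, and the baseline file location and the functions are this example's own.

```powershell
# Added example, not from the lab guide. Run in an elevated PowerShell session on LON-DC1.

# Names of everything currently installed on a server (remote query, as in step 6).
function Get-InstalledFeatureNames([string]$ComputerName) {
    @(Get-WindowsFeature -ComputerName $ComputerName |
        Where-Object InstallState -eq 'Installed' |
        Select-Object -ExpandProperty Name)
}

# Save today's installed set as the known-good list for that server.
function Save-FeatureBaseline([string]$ComputerName, [string]$Path) {
    Get-InstalledFeatureNames $ComputerName | ConvertTo-Json | Set-Content -Path $Path
}

# Report every feature added to, or removed from, the server since the baseline was saved.
function Compare-FeatureBaseline([string]$ComputerName, [string]$Path) {
    $baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $current  = Get-InstalledFeatureNames $ComputerName
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $ComputerName
                Feature  = $_.InputObject
                Change   = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            }
        }
}

# Usage mirroring the lab: baseline LON-SVR1 before the WINS install, compare afterwards.
$baselinePath = 'C:\Baselines\LON-SVR1-features.json'   # assumed location
New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
Save-FeatureBaseline -ComputerName LON-SVR1 -Path $baselinePath
Install-WindowsFeature WINS -ComputerName LON-SVR1 | Out-Null
Compare-FeatureBaseline -ComputerName LON-SVR1 -Path $baselinePath | Format-Table -AutoSize
```

Run against the lab, the comparison lists WINS (and any feature the installer pulled in with it) as Added; after the Uninstall-WindowsFeature ... -Remove step it drops out again. In practice the baseline file lives somewhere the server cannot rewrite, and the comparison runs on a schedule.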

AD DS Schema

In this exercise you will use the ADSIEdit tool to view objects in the Active Directory database.

Note: Don't delete or change objects within the Active Directory partitions as this can cause your Active Directory environment to stop working correctly. The following is just to help conceptualize where and how this data is stored and managed.

1. Switch to LON-DC1.
2. Open a PowerShell prompt and type ADSIEdit to start the LDAP editor.
3. ADSIEdit is a tool that can be used to view, change, create and delete any object in the Active Directory database.
4. In the console tree, right-click ADSI Edit, and then select Connect to...
5. In the Connection Point section, ensure that the Select a well known Naming Context dropdown menu displays Default naming context and then click OK.
6. As soon as you're successfully connected, in the console tree, double-click Default naming context [LON-DC1.Adatum.com],DC=Adatum,DC=com, double-click DC=Adatum,DC=com, and then click OU=Managers.
7. Notice the different class types that are within the Managers object. For example, user and group.
8. To identify an object, you will use a Distinguished Name. For example, the Distinguished Name for Ed Meadows is as follows: CN=Adam Hobbs,OU=Managers,DC=Adatum,DC=com.
9. Right-click CN=Harry Lawrence and view the Properties.
10. Scroll through the Attributes and their associated Values.
11. As you have time, browse other parts of the AD DS database, but don't make any changes.
12. Did this lab give you a better idea of how AD DS is organized?

RODC with Password Caching (Advanced)

A. Datum is adding a new branch office. You have been asked to configure an RODC to service logon requests at the branch office. You also need to configure password policies that ensure caching only of passwords for local users in the branch office.

In this exercise you will verify requirements for installing an RODC, install the RODC, and configure password replication policies.

Note: If the AD DS role has already been installed on LON-SVR1, you must uninstall the role and restart the machine.

Note: In this lab you will pre-create the RODC computer account. By pre-creating this account, you can delegate the second part of the RODC deployment to a non-administrative user. For example, if the remote site (branch office) doesn't have any IT administrators, a non-IT user at the site can complete the installation. If your intention is to deploy an RODC yourself and you are a domain administrator, you will often bypass the pre-creation and just go straight to the deployment.

Move LON-SVR1 to a Workgroup

1. LON-SVR1 will be our new RODC and it cannot be on the domain when the RODC account is created on LON-DC1. So, follow these steps to move it temporarily to a Workgroup.
2. Switch to LON-SVR1.
3. In Server Manager, select Local Server, and then next to Domain click Adatum.com.
4. Click Change and put LON-SVR1 in a workgroup named TEMPORARY.
5. Acknowledge the message that you will need the Administrator's password to rejoin the domain.
6. As prompted, restart LON-SVR1.

Create the RODC account on LON-DC1

1. Switch to LON-DC1.
2. In Server Manager, click Tools, and then select Active Directory Users and Computers.
3. Delete the LON-SVR1 computer account from the Computers container.
4. Read and acknowledge the subtree deletion information.
5. Right-click the Domain Controllers OU, and select Pre-create Read-only Domain Controller account.
• Network credentials: My current logged on credentials
• Computer name: LON-SVR1
• Site: Default-First-Site-Name (if you have existing sites, select one of those)
• Leave DNS server and Global catalog selected
• Delegate to: ADATUM\IT
6. Finish the Wizard and verify LON-SVR1 has been added to the Domain Controllers OU.

Add the AD DS role to LON-SVR1

1. Switch to LON-SVR1.
2. In the Server Manager Dashboard, click Add roles and features, and then on the Server Roles page, select the Active Directory Domain Services role.
3. Take all of the default values, and wait for the installation to complete.
4. In Server Manager, click the Notification flag, and select Promote this server to a domain controller.
5. Complete the post deployment steps using the default options except those listed below. Notice you are adding a domain controller to an existing domain. Also, you will use the pre-created RODC account.
• Domain: Adatum.com
• Network credentials: Adatum.com\Administrator
• Password: Pa55w.rd
• Directory Services Restore Mode password: Pa55w.rd
• Read the Warning message: Use existing RODC account
• Replicate from: LON-DC1.Adatum.com
• Take the defaults for the location of the AD DS database.
• Review your selections and click View Script. Notice the PowerShell command (Install-ADDSDomainController) that is being used.
6. When the installation is complete, LON-SVR1 will automatically restart.

Configure password replication

1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.
2. In the Users container, view the membership of the Allowed RODC Password Replication Group, and verify that there are no current members.
3. In the Research OU, create a new global security group named Remote Office Users.
4. Right-click the security group and view the Properties.
5. On the Members tab, add Dante, Ida and LON-CL1 to the membership of Remote Office Users. To add LON-CL1 you will need to add Computers to the Object Types.
6. In the Domain Controllers OU, open the properties of LON-SVR1.
7. On the Password Replication Policy tab, click Add and include the Remote Office Users.
8. Click Advanced. On the Resultant Policy tab, add Dante.

Note: If prompted, allow passwords for this account to replicate to the RODC.

Monitor credential caching

1. Attempt to sign in to LON-SVR1 as Cai. This sign-in will fail because Cai is not a member of the IT group.
2. Attempt to sign in to LON-SVR1 as Dante. This sign-in will authenticate.
3. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of LON-SVR1.
4. On the Password Replication Policy tab, open the Advanced configuration.
5. On the Policy Usage tab, select the Accounts that have been stored on this Read-only Domain Controller drop-down option. Notice that Dante's password has been cached (stored). Cai's password has not been stored (cached).
6. Select the Accounts that have been authenticated on this Read-only Domain Controller and notice Cai is listed as having tried to authenticate.

Populate credential caching

1. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click LON-SVR1, and then click Properties.
2. On the Password Replication Policy tab, click Advanced.
3. On the Policy Usage tab, prepopulate the password for Ida.
4. Read the list of cached passwords, and then confirm that Ida has been added.
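The three password replication procedures above (configure the policy, monitor what is cached, prepopulate) map onto ActiveDirectory module cmdlets. The following is an added example, not from the lab guide: the group, user and server names are the lab's; the report function that checks whether any privileged account has been cached on the RODC is this example's addition (the built-in Denied list normally prevents it, and the check confirms that).

```powershell
# Added example, not from the lab guide. Run as a domain admin on LON-DC1 once LON-SVR1 is an RODC.
Import-Module ActiveDirectory
$rodc  = 'LON-SVR1'
$group = 'Remote Office Users'

# 1. The branch group whose members may have their secrets cached on the RODC.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path 'OU=Research,DC=Adatum,DC=com'
}
Add-ADGroupMember -Identity $group -Members 'Dante', 'Ida', 'LON-CL1$'   # computer = its sAMAccountName

# 2. Put the group on the RODC's Allowed list (Password Replication Policy tab > Add).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group

# 3. Prepopulate Ida's secret (Policy Usage tab > Prepopulate Passwords) so the branch can
#    authenticate her even while the WAN to LON-DC1 is down.
Sync-ADObject -Object (Get-ADUser Ida) -Source 'LON-DC1' -Destination $rodc -PasswordOnly

# 4. Audit: who is cached, who only attempted to authenticate (like Cai), and whether any
#    privileged account has ended up on the RODC.
function Get-RodcCacheReport([string]$Rodc) {
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    $tried    = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins' |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Select-Object -ExpandProperty distinguishedName -Unique
    [pscustomobject]@{
        Cached            = $revealed.Name -join ', '
        AuthenticatedOnly = @($tried | Where-Object { $_.distinguishedName -notin $revealed.distinguishedName }).Name -join ', '
        PrivilegedCached  = @($revealed | Where-Object { $_.distinguishedName -in $privileged }).Name -join ', '
    }
}
$report = Get-RodcCacheReport -Rodc $rodc
$report | Format-List
if ($report.PrivilegedCached) {
    Write-Warning "Privileged credentials cached on ${rodc}: $($report.PrivilegedCached)"
}
```

After the lab's sign-in attempts, Cached shows Dante and Ida, AuthenticatedOnly shows Cai, and PrivilegedCached is empty. A non-empty PrivilegedCached is the condition to alert on: an RODC in a branch is exactly the box an attacker would try to pull a cached admin secret from, and the fix is to remove the account from the Allowed list and reset its password.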

AD DS Database Maintenance

In this exercise you will stop AD DS, defragment the database, check the integrity of the database, and start AD DS. You will use Server Manager and the NtdsUtil tool to perform these tasks.

Stop AD DS

1. Switch to LON-DC1.
2. Open a Windows PowerShell prompt.
3. Stop the AD DS service.

Stop-Service ntds

4. Notice that other services are affected by this action, including the DNS Server. Thus, you can't stop the service without using the -Force parameter.
5. Run the Stop-Service ntds -Force command to stop the service.
6. Note that you could also stop the service in Server Manager\Tools\Services.

Perform an offline defragmentation of the AD DS database

1. Run NtdsUtil.exe.
2. At the prompt, view the Help. Pay particular attention to Activate and Files.

?

3. Create an active instance.

activate instance NTDS

4. Manage AD DS database files.

files

5. At the file maintenance prompt, see what is available by typing a question mark and pressing the Enter key. Notice the compact to and integrity options.

?

6. Compact the database to the C: drive.

compact to c:\

7. Wait for the defragmentation process to complete.
8. Notice the recommendation to back up the database, now that it is compacted.

Check the integrity of the offline AD DS database

1. Ensure an integrity check of the database completes successfully.

integrity

2. Run quit two times to exit the utility.
3. At the PowerShell prompt, start the AD DS service.

Start-Service ntds

4. Note that you could also start the service in Server Manager\Tools\Services.
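The same maintenance can be run unattended by passing the ntdsutil commands as arguments. The script below is an added example, not from the lab guide. It adds one thing the manual steps skip: Stop-Service -Force takes the dependent services (DNS Server, Kerberos KDC, Netlogon and others) down with NTDS, but Start-Service ntds does not bring them back, so the script records them first. The ntdsutil commands are the lab's; the target folder and the result function are this example's, and the "successful" text match is an assumption about ntdsutil's output.

```powershell
# Added example, not from the lab guide. Run in an elevated PowerShell session on LON-DC1.
$target = 'C:\ntds-compact'   # assumed folder for the compacted copy (lab uses c:\)

# 1. Record which dependent services are running before NTDS is forced down.
$dependents = @((Get-Service -Name ntds).DependentServices |
    Where-Object Status -eq 'Running' | Select-Object -ExpandProperty Name)
Stop-Service -Name ntds -Force

# 2. The lab's ntdsutil session, scripted. "compact to" writes a defragmented ntds.dit into
#    $target; "integrity" checks the live database. As in the lab, the compacted copy is
#    not swapped into place here.
New-Item -ItemType Directory -Path $target -Force | Out-Null
$output = & ntdsutil.exe 'activate instance ntds' 'files' "compact to $target" 'integrity' 'quit' 'quit' 2>&1
$output

# 3. Bring AD DS back, then the services that were stopped with it.
Start-Service -Name ntds
foreach ($name in $dependents) { Start-Service -Name $name }

# 4. One object summarising whether the maintenance left the DC healthy.
function Get-NtdsMaintenanceResult {
    $expected = @('ntds') + $dependents
    [pscustomobject]@{
        CompactedDitPresent = Test-Path -Path (Join-Path $target 'ntds.dit')
        # Assumption: ntdsutil reports a clean check with the word "successful".
        IntegrityOK         = [bool]($output -match 'successful')
        ServicesRunning     = @(Get-Service -Name $expected | Where-Object Status -eq 'Running').Count
        ServicesExpected    = $expected.Count
    }
}
Get-NtdsMaintenanceResult
```

ServicesRunning and ServicesExpected should match; if they do not, Get-Service on the dependent list shows which one (typically DNS Server) failed to restart, and clients will not be able to authenticate against this DC until it does.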

Module 4 – Administering AD DS

Windows Server Update Services

Note: There are additional steps to configuring WSUS, but this lab only provides an

overall of the capabilities. In this scenario, LON-SVR1 will be the upstream WSUS

server providing updates to LON-DC1 (downstream server).

Prepare LON-SVR1 as the WSUS update server

1. Switch to LON-SVR1.

2. From Server Manager, launch the Add Roles and Features Wizard, and on

the Server Roles page select the Windows Server Update Services role.

Add any necessary features that are suggested.

3. Continue through the wizard reading the text and taking the defaults.

4. On the Content location selection page, store the updates in

C:\WSUSUpdates.

5. Wait for the installation to complete. It may take a couple of minutes

6. From the Server Manager Tools menu, select Windows Server Update

Services.

7. Read that additional steps are required, then click Run.

8. Wait for the steps to complete, and then close the window.

9. This is all that is needed on LON-SVR1 (role install and update directory

created). You can close the WSUS Configuration Wizard.

Install the WSUS role on LON-DC1 (this server will receive updates from LON-

SVR1)

1. Switch to LON-DC1.

2. From Server Manager, launch the Add Roles and Features Wizard, and on

the Server Roles page select the Windows Server Update Services role.

Add any necessary features that are suggested.

3. Continue through the wizard reading the text and taking the defaults.

4. On the Content location selection page, store the updates in

C:\WSUSUpdates.

5. Wait for the installation to complete. A restart is not required.

Prepare LON-DC1 to receive updates from LON-SVR1

1. Continue on LON-DC1.

2. From the Server Manager Tools menu, select Windows Server Update Services.

3. Read that additional steps are required, then click Run.

4. Wait for the steps to complete, and then close the window. Continue in the next wizard that appears. You may see an error after the run, but if the wizard opens, you will be okay.

Note: If you accidentally close the configuration wizard you can retrieve it with these steps: In Server Manager, select WSUS from the left menu. In the Server list, right-click LON-DC1 and select Windows Server Update Services. Expand LON-DC1, select Options, scroll down in the center pane, and select Windows Server Configuration Wizard.

5. On the Choose Upstream Server page, click the Synchronize from another Windows Server Update Services server option, and type LON-SVR1.Adatum.com. Notice the port is 8530.

6. Click Next and then on the Connect to Upstream Server page, click Start Connecting. Wait for the upstream server settings to be applied, and then click Next. This can take a couple of minutes.

7. Notice that you can specify the update languages. Click Next.

8. Notice that you can create a daily synchronization schedule. Click Next.

9. On the Finished page, click the Begin initial synchronization option, and then click Finish.

10. Note: The wizard may complete with an error. That is okay; we are just reviewing the basic configuration steps. There are no updates on LON-SVR1.

Explore the WSUS console and configure WSUS groups

1. Continue on LON-DC1, and in the Windows Server Update Services console (this window may be behind the wizard), expand LON-DC1, and take a minute to explore the different nodes in the navigation pane.

2. Notice the different types of Updates. This is where you would Approve an update.

3. Notice the Computers node (All Computers and Unassigned Computers). Right-click All Computers, and Add Computer Group called Research. This is how you would organize your computers for Group Policy (next section).

4. Notice by default there are no Downstream Servers from LON-DC1.

5. In the Options pane, click Computers. Notice there are two ways to assign computers to update groups. Select Use Group Policy or registry settings on computers.

6. Notice the Reports node. There are reports for Updates, Computers, and Synchronization.

Configure Group Policy to deploy WSUS settings to the Research group

1. Continue on LON-DC1 and from the Server Manager Tools menu, open Group Policy Management.

2. Expand Forest: Adatum.com\Domains\Adatum.com.

3. Right-click the Research organizational unit (OU), and then click Create a GPO in this domain, and Link it here.

4. Name the new GPO: WSUS Research. Click OK.

5. Expand the Research OU, right-click WSUS Research, and then click Edit.

6. In the Group Policy Management Editor, expand Computer Configuration\Policies\Administrative Templates\Windows Components, and then click Windows Update.

7. Take a minute to look through all of the different update settings that are available. If you click the Setting header, it will sort alphabetically.

8. Double-click Configure Automatic Updates, and then click Enabled.

9. Read through the choices for configuring automatic updates, then select 4 – Auto download and schedule the install. Click OK.

10. Double-click Specify intranet Microsoft update service location, and then click Enabled.

11. Read through the choices, then in the Set the intranet update service for detecting updates and the Set the intranet statistics server text boxes, type http://LON-SVR1.Adatum.com:8530. Apply your changes.

12. Double-click Enable client-side targeting. Read through what this policy does.

13. In the Enable client-side targeting dialog box, click Enabled, in the Target group name for this computer text box, type Research, and then click OK. You are applying the policies to the Research group.

14. Close the Group Policy Management Editor and the Group Policy Management console.

15. In Server Manager, click Tools, and then click Active Directory Users and Computers.

16. In Active Directory Users and Computers, double-click Adatum.com, click Computers, right-click LON-CL1, and then click Move.

17. In the Move dialog box, click the Research OU, and then click OK. LON-CL1 will now get the GPOs linked to the Research OU.

18. Close Active Directory Users and Computers.
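The GPO above is only useful once it has actually landed on the client, so here is an added verification script (not part of the lab) to run in an elevated PowerShell prompt on LON-CL1 after gpupdate /force. It reads the registry values that the Windows Update policy settings write and compares them with what the lab configured; the expected values, the registry paths and the function name are the only things it assumes beyond the lab text.

```powershell
# Added example (not from the lab): confirm the WSUS Research GPO applied on a client.
# Group Policy writes the Windows Update settings under this policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

# Expected values, taken from the GPO settings configured in this lab.
$expected = @{
    WUServer       = 'http://LON-SVR1.Adatum.com:8530'   # Specify intranet Microsoft update service location
    WUStatusServer = 'http://LON-SVR1.Adatum.com:8530'   # Set the intranet statistics server
    TargetGroup    = 'Research'                          # Enable client-side targeting
}

function Test-WsusClientPolicy {
    param([hashtable]$Expected = $expected)

    if (-not (Test-Path $policyKey)) {
        Write-Warning "No WindowsUpdate policy key found; the GPO has not applied. Run 'gpupdate /force' and check the computer is in the Research OU."
        return $false
    }
    $wu = Get-ItemProperty -Path $policyKey
    $au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

    $ok = $true
    foreach ($name in 'WUServer', 'WUStatusServer', 'TargetGroup') {
        $actual = $wu.$name
        if ($actual -ne $Expected[$name]) {
            Write-Warning ("{0}: expected '{1}', found '{2}'" -f $name, $Expected[$name], $actual)
            $ok = $false
        }
    }
    # TargetGroupEnabled = 1 is what 'Enable client-side targeting' writes.
    if ($wu.TargetGroupEnabled -ne 1) { Write-Warning 'Client-side targeting is not enabled'; $ok = $false }

    # UseWUServer = 1 and AUOptions = 4 under the AU subkey correspond to
    # 'Specify intranet ... location' = Enabled and 'Configure Automatic Updates' = 4.
    if ($null -eq $au -or $au.UseWUServer -ne 1) { Write-Warning 'Client is not set to use the intranet WSUS server'; $ok = $false }
    if ($null -eq $au -or $au.AUOptions -ne 4) { Write-Warning "AUOptions is '$($au.AUOptions)', expected 4 (auto download and schedule the install)"; $ok = $false }

    # Caveat for production: the lab uses plain HTTP on 8530, so update metadata travels
    # unencrypted and the client cannot verify it is talking to the real WSUS server.
    # Outside the lab, give WSUS a certificate and point clients at https://...:8531.
    if ($wu.WUServer -like 'http://*') {
        Write-Warning 'WUServer uses plain HTTP; use HTTPS (port 8531) outside the lab'
    }
    return $ok
}

if (Test-WsusClientPolicy) { 'WSUS client policy matches the lab GPO' }
```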

Backup AD DS

In this exercise you will install the Windows Server Backup feature, create a scheduled backup, and perform an interactive backup of the System State.

Note: The backup may take 10-20 minutes. To restore the backup (next lab), you will need 20-25 minutes. Ensure you have enough time to complete both labs.

Remove accidental deletion protection on Lab OU

1. Switch to LON-DC1.

2. Open Active Directory Users and Computers.

3. On the View tab, select Advanced Features. This will show you the Protect object from accidental deletion checkbox.

4. Add a Lab OU to the Research OU.

5. In the right pane, right-click the Lab OU and view the Properties.

6. On the Object tab, deselect the Protect object from accidental deletion option and then click OK.

Install the Windows Server Backup feature

1. Switch to LON-DC1.

2. In Server Manager, click Add roles and features.

3. Accept the defaults until the Select features page, and then in the Features list, select Windows Server Backup.

4. Read the description: Windows Server Backup allows you to back up and recover your operating system, applications, and data.

5. Finish the wizard by clicking Install.

Create a scheduled backup

1. In Server Manager, click Tools, and then click Windows Server Backup.

2. Click Local Backup, and then click Backup Schedule (Actions pane).

3. In the Backup Schedule Wizard:

• Read about the decisions you need to make about what to back up, when and how often to back up, and where to store your backups.

• On the Select Backup Configuration page, click Custom. Notice the steps on the left change.

• Click Add Items, and then select Bare metal recovery. Explore the System Reserved selection.

• Specify that you would like to back up Once a day at 12:00 am.

• Read about your storage choices and then select Back up to a hard disk that is dedicated for backups (recommended).

• Click Show All Available Disks, and then select Disk 1.

• The Windows Server Backup dialog box appears, informing you that all data on the disk will be deleted. Click Yes to continue.

Important: You will cancel the process in the next step to avoid formatting the E: drive.

• On the Confirmation page, click Cancel to avoid formatting drive E.

Perform an interactive backup

1. In the Actions pane, click Backup Once.

2. In the Backup Once Wizard:

• Select Different options and read about why this choice is used.

• Select a Custom configuration.

• Click Add Items, select System state, and then click Advanced Settings.

• Notice you can use the Exclusions tab to exclude file types such as .mp3.

• On the VSS Settings tab, read about the different options, and then select VSS full Backup.

• Accept the defaults for the rest of the Wizard, and then click Backup.

3. The backup should take between 10 and 20 minutes to complete.

4. After completing the backup, move to the next lab, Restore AD DS.

Restoring AD DS

In this exercise you will create a System State backup, and then perform an authoritative restore to retrieve a deleted AD object.

Note: Wait until the backup from the previous lab is complete before proceeding.

Delete an organizational unit (OU)

1. Switch to LON-DC1.

2. In Server Manager, click Tools, and then Active Directory Users and Computers.

3. In the Research OU, delete the Lab OU.

Restart in Directory Services Restore Mode (DSRM)

1. Open a Windows PowerShell prompt.

2. Configure the server to start in DSRM.

bcdedit /set safeboot dsrepair

3. Restart LON-DC1.

Restart-Computer -Force

Note: To restore the backup you can use either Server Manager (Option 1) or the command line (Option 2). Choose one or the other. The command line is a little more challenging but will provide more verbose status information.

Option 1: Server Manager - Restore system state data

1. Switch to LON-DC1 as .\Administrator with password Pa55w.rd.

2. Notice you are logging in to the local machine. Notice the Safe Mode notifications.

3. In Server Manager, click Tools, and then Windows Server Backup.

4. Click Local Backup in the left pane.

5. In the Actions pane, select Recover.

• Notice that a System state backup is available.

• Select System state as the recovery type.

• Accept the remaining defaults in the wizard, and Recover the backup.

6. The restoration will take about 25 minutes.

7. When prompted, restart the machine.

Option 2: Command line - Restore System state data

1. Log on to LON-DC1 as .\Administrator with password Pa55w.rd.

2. Notice you are logging in to the local machine. Notice the Safe Mode notifications.

3. Open a command prompt.

4. Get help on the wbadmin tool.

wbadmin /?

5. Notice wbadmin can also be used to create backups.

6. Get the version identifier for the backup.

wbadmin get versions -backuptarget:E: -machine:LON-DC1

7. Restore the System state information. Use the version identifier from the previous command in place of <version>. For example: -version:02/23/2016-18:18

wbadmin start systemstaterecovery -version:<version> -backuptarget:E: -machine:LON-DC1

8. Read through the messages and confirm the restore.

9. The restoration will take about 25 minutes.

10. When prompted, restart the machine.

Mark restored information as authoritative

1. Log on to LON-DC1 as .\Administrator with password Pa55w.rd.

2. Press Enter to acknowledge the recovery operation completed successfully.

3. Notice you are logging in to the local machine. Notice the Safe Mode notifications.

4. In Server Manager, click Tools, and then select Windows Server Backup.

5. Click Local Backup and confirm the System state recovery was Successful.

6. You can double-click the System state recovery and view the files that were recovered.

7. Open an elevated command prompt and start NtdsUtil.

NtdsUtil

8. Get help on what is available.

?

9. Activate the ntds instance.

activate instance ntds

10. Start the authoritative restore.

Authoritative restore

1. Restore the deleted Lab OU. Notice you need the distinguished name for each item.

restore subtree "ou=Lab,ou=Research,dc=adatum,dc=com"

2. Run quit twice to exit NtdsUtil.

3. Restart the server normally.

bcdedit /deletevalue safeboot

Verify that the data has been restored

1. Log on to LON-DC1 as Adatum\Administrator with the password Pa55w.rd.

2. In Server Manager, click Tools, and then Active Directory Users and Computers.

3. Verify the presence of the Research\Lab OU.
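The Option 2 and authoritative restore steps above can be driven from PowerShell instead of retyping the wbadmin version identifier and the ntdsutil commands. The following is an added helper (not part of the lab) that assumes the lab layout: backup on E:, the DC is LON-DC1, and the script runs in the DSRM session; the function names and the DSRM check via the SAFEBOOT_OPTION environment variable are mine.

```powershell
# Added example (not from the lab): wrap the wbadmin/ntdsutil restore steps.
# wbadmin still asks you to confirm before anything is restored.

function Get-SystemStateBackupVersion {
    # Parse 'wbadmin get versions' so the identifier (e.g. 02/23/2016-18:18) is not
    # retyped. Returns the newest version that can recover System State.
    param([string]$BackupTarget = 'E:', [string]$Machine = 'LON-DC1')

    $text = & wbadmin get versions "-backuptarget:$BackupTarget" "-machine:$Machine" 2>&1 | Out-String
    $versions = foreach ($block in ($text -split '(?:\r?\n){2,}')) {
        # Each backup is printed as a block with 'Version identifier:' and 'Can recover:' lines.
        if ($block -match 'Version identifier:\s*(\S+)') {
            $id = $Matches[1]
            [pscustomobject]@{
                Version        = $id
                BackupTime     = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture)
                HasSystemState = [bool]($block -match 'Can recover:.*System State')
            }
        }
    }
    $usable = $versions | Where-Object HasSystemState | Sort-Object BackupTime
    if (-not $usable) { throw "No System State backup found on $BackupTarget for $Machine" }
    $usable | Select-Object -Last 1
}

function Restore-DcSystemState {
    param([string]$BackupTarget = 'E:', [string]$Machine = 'LON-DC1')

    # Windows sets SAFEBOOT_OPTION=DSREPAIR when booted via 'bcdedit /set safeboot dsrepair'.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not in Directory Services Restore Mode; a DC System State restore must run from DSRM.'
    }
    $v = Get-SystemStateBackupVersion -BackupTarget $BackupTarget -Machine $Machine
    "Restoring System State from version $($v.Version) (taken $($v.BackupTime))"
    # Same command as step 7 of Option 2; read wbadmin's messages and confirm at its prompt.
    & wbadmin start systemstaterecovery "-version:$($v.Version)" "-backuptarget:$BackupTarget" "-machine:$Machine"
}

function Set-AuthoritativeSubtree {
    # After the post-restore reboot (still in DSRM), mark the restored OU authoritative.
    # The ntdsutil commands are passed as arguments instead of typed interactively.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    & ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $DistinguishedName" quit quit
}

# Usage, in order: Restore-DcSystemState; reboot when prompted; then
# Set-AuthoritativeSubtree -DistinguishedName 'OU=Lab,OU=Research,DC=adatum,DC=com';
# finally 'bcdedit /deletevalue safeboot' and Restart-Computer -Force.
```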

Recycle Bin (Server Manager)

In this exercise you will enable the Recycle Bin and practice deleting and restoring AD objects using the ADAC.

Enable the Active Directory Recycle Bin

1. Switch to LON-DC1.

2. In Server Manager, click Tools, and then click Active Directory Administrative Center.

3. Right-click Adatum (local), and then Enable Recycle Bin.

4. Acknowledge the warning message that the recycle bin cannot be disabled. Read the warning about replication and then click OK.

5. Rather than wait for the replication to occur, manually replicate the sites.

6. In Server Manager, click Tools, and then select Active Directory Sites and Services.

7. Expand Sites\London\Servers\LON-DC1, and then open NTDS Settings.

8. Right-click <automatically generated>, click Replicate Now, and then click OK.

9. Repeat these steps for LON-SVR1.

10. In Active Directory Administrative Center, refresh Adatum (local). Notice the Enable Recycle Bin selection (right panel) is now greyed out.

11. Notice there is now a Deleted Objects container.

Create and then delete test accounts

1. Select Adatum (local), right-click the Research OU, and then create a new user.

• Full name: Test1

• User UPN logon: Test1

• Password: Pa55w.rd

• Confirm password: Pa55w.rd

2. Repeat the previous steps to create a second user, Test2.

3. Expand the Research OU, and delete both Test1 and Test2.

Restore deleted accounts

1. In the ADAC, open the Deleted Objects container.

2. Right-click Test1, click Restore To, and then select the IT OU.

3. Confirm that Test1 is now located in the IT OU.

4. Leave Test2 in the Recycle Bin.

Recycle Bin (PowerShell)

In this exercise you will enable the Recycle Bin and practice deleting and restoring AD objects using PowerShell.

Verify the Recycle Bin status

1. Open a Windows PowerShell prompt.

2. Enable the recycle bin.

Note: If you enabled the Recycle Bin in the previous lab, there will be an error that the object already exists. You can restart the lab if you want to give it a try.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=adatum,DC=com' -Scope ForestOrConfigurationSet -Target 'adatum.com'

Restore an item from the recycle bin

1. If you completed the previous lab and have a test2 user account in the Deleted Objects container, then continue. If you did not do the previous lab, quickly create a user (test2) in the Research OU, and then delete the account.

2. Verify the test2 attributes are obscured and the object cannot be located with a regular search.

Get-ADObject -Filter {samAccountName -eq "test2"}

3. Run the search again and this time include the Deleted Objects container. Verify the test2 account is in the container.

Get-ADObject -Filter {samAccountName -eq "test2"} -IncludeDeletedObjects

4. Restore test2 to the IT OU.

Get-ADObject -Filter {samAccountName -eq "test2"} -IncludeDeletedObjects | Restore-ADObject -TargetPath "OU=IT,dc=adatum,dc=com"

5. Verify test2 has been restored to the IT OU. Remember test2 was originally in the Research OU.

Get-ADObject -Filter {samAccountName -eq "test2"}

Configure the deleted object lifetime value

1. Verify the deleted object lifetime (tombstoneLifetime) value is 180 days. This setting is on the Directory Service object.

Get-ADObject -Identity "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=adatum,dc=com" -Properties tombstoneLifetime | FL tombstoneLifetime

2. Change the deleted object lifetime setting to 365 days. This will keep objects in the Deleted Objects container for one year.

Set-ADObject -Identity "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=adatum,dc=com" -Replace @{tombstoneLifetime = 365}

3. Use Get-ADObject (Step #1) to confirm the value has changed.
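The commands above restore test2 to a fixed -TargetPath and read tombstoneLifetime directly. As an added example that goes a step further than the lab (it is not the course's own code), the script below restores a deleted account to the container it was deleted from, which Restore-ADObject takes from the object's lastKnownParent attribute when no -TargetPath is given, and reports the effective deleted object lifetime, which is msDS-DeletedObjectLifetime when set and tombstoneLifetime otherwise. It assumes the ActiveDirectory module and the adatum.com forest from the lab; the function names are mine.

```powershell
# Added example (not from the lab): restore by sAMAccountName to the original container
# and report the effective deleted object lifetime.
Import-Module ActiveDirectory

function Get-DeletedAdAccount {
    # Deleted objects are renamed to '<name>\0ADEL:<guid>', so search on sAMAccountName,
    # which the Recycle Bin preserves, rather than on Name.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Get-ADObject -Filter "samAccountName -eq '$SamAccountName'" -IncludeDeletedObjects `
        -Properties isDeleted, lastKnownParent, whenChanged |
        Where-Object { $_.isDeleted -eq $true }
}

function Restore-DeletedAdAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TargetPath      # optional; omit to restore to lastKnownParent
    )
    $deleted = Get-DeletedAdAccount -SamAccountName $SamAccountName
    if (-not $deleted) { throw "No deleted object with sAMAccountName '$SamAccountName'" }
    foreach ($obj in $deleted) {
        if ($TargetPath) {
            $obj | Restore-ADObject -TargetPath $TargetPath
        } else {
            # lastKnownParent is where the object lived when it was deleted. If that
            # container was deleted too, restore the parent first or pass -TargetPath.
            "Restoring $SamAccountName to $($obj.lastKnownParent)"
            $obj | Restore-ADObject
        }
    }
    # Confirm the object is now found by a regular (non-deleted) search.
    Get-ADObject -Filter "samAccountName -eq '$SamAccountName'" -Properties whenChanged
}

function Get-DeletedObjectLifetime {
    # Recycle Bin keeps an object restorable for msDS-DeletedObjectLifetime days. When that
    # attribute is unset (the default), tombstoneLifetime applies, which is why the lab edits it.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
              -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $dol = $ds.'msDS-DeletedObjectLifetime'
    [pscustomobject]@{
        TombstoneLifetimeDays     = $ds.tombstoneLifetime
        DeletedObjectLifetimeDays = $dol
        EffectiveRestorableDays   = if ($dol) { $dol } else { $ds.tombstoneLifetime }
    }
}

# Constructed usage on LON-DC1, matching the lab:
# Restore-DeletedAdAccount -SamAccountName 'test2'   # goes back to OU=Research
# Get-DeletedObjectLifetime
```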

Microsoft Azure (Optional)

Your practice environment does not have a new Nano server virtual machine, but you can use Azure to see it in action.

Azure Setup

If you already have a Microsoft Azure subscription, you can skip this section. Otherwise, follow these steps to create a free trial subscription. You will need to provide a valid credit card number for verification, but you will not be charged for Azure services – for more information, see the frequently asked questions on the Azure sign-up page.

1. If you already have a Microsoft account that has not already been used to sign up for a free Azure trial subscription, you're ready to get started. If not, don't worry, just create a new Microsoft account.

2. After you've created a Microsoft account, create your free Microsoft Azure account. You'll need to sign in with your Microsoft account if you're not already signed in. Then you'll need to:

• Enter your cellphone number and have Microsoft send you a text message to verify your identity.

• Enter the code you have been sent to verify it.

• Provide valid payment details. This is required for verification purposes only – your credit card won't be charged for any services you use during the trial period, and the account is automatically deactivated at the end of the trial period unless you explicitly decide to keep it active.

PowerShell Setup for Azure

Before you begin, make sure that your client computer has a minimum of PowerShell 4 installed. You can install the latest version of the management framework (including PowerShell 5.0) by downloading and installing the Windows Management Framework 5.0 software. You can download it from https://www.microsoft.com/en-us/download/details.aspx?id=50395. Once you verify that your computer has the minimum required version of PowerShell, you can proceed to download the necessary modules:

1. From your lab computer, open an elevated PowerShell prompt.

2. Verify Azure related modules are available. If Azure modules are not available, proceed with the following steps.

Get-Module -All

3. Install the AzureRM module for resource management.

Install-Module AzureRM

4. If you are prompted to install and import the NuGet provider, type Y and then press the Enter key.

5. If you are notified that the repository is untrusted, confirm that you want to install the modules by typing Y and then pressing the Enter key. The installation process will take several minutes as packages are downloaded and installed.

6. After the download and installation is finished, import the module.

Import-Module AzureRM

7. Install the Azure module for service management.

Install-Module Azure

8. If you are notified that the repository is untrusted, confirm that you want to install the modules by typing Y and then pressing the Enter key. The installation process will take several minutes as packages are downloaded and installed.

9. Once the download and installation is finished, import the module.

Import-Module Azure

10. Verify Azure related modules are available.

Get-Module -All

If you have trouble installing the PowerShell modules from the PowerShell gallery, you can try the WebPI method instead. Visit http://aka.ms/webpi-azps to download and install the modules.

Create a Windows Server 2016 Nano Server in Azure

In this task, you will create a Windows Nano virtual machine in Azure.

1. Navigate to https://portal.azure.com/ and, when prompted, sign in with your credentials.

2. In the hub menu, on the left-hand side of the portal page, click New (+) > Compute > See all.

3. Select Windows Server. A scroll list of Windows Servers is displayed on the right side of the portal.

4. Scroll down and select Windows Server 2016 – Nano Server, then click Create.

5. On the Basics blade, enter a Name for the virtual machine. The name must be 1-15 characters long and it cannot contain special characters. For this exercise, use the name:

• Nano-VM1

6. Select the VM disk type. You have the choice between SSD and HDD. For this exercise, make sure to select:

• HDD

7. Enter a User name, and a strong Password that will be used to create a local account on the VM. The local account is used to sign in to and manage the VM. For this exercise, use the following username and password:

• Student

• Pa55w0rd1234

8. Select an existing Resource group or type the name for a new one (see terminology in Module 2 for Resource group information). In this exercise, you will use the existing resource group that automatically appears in the Resource group drop down list.

9. Select an Azure Datacenter Location such as East US. Click OK.

10. Choose a VM size, and then click Select to continue. For this exercise, use:

• Standard_A1

11. Select not to use managed disks.

12. To allow PowerShell Remoting, click on the Network Security Group (firewall) blade.

13. Select Create New.

14. On the Create network security group blade, remove the predefined default-allow-rdp rule and replace it with a new rule with the following settings:

• Name: WinRM-https

• Priority: 1000

• Source: Any

• Service: WinRM

• Action: Allow

15. Make sure that the validation passes and, on the Summary blade, click OK.

On the Azure portal dashboard, you will see the Nano Server being deployed. Once it is up and running you will see the Overview > Essentials section of the blade of the new server.

Connect to Windows Server 2016 Nano Server in Azure

In this task, you will connect to the Nano server you deployed in the previous task. In the Azure portal, in the Overview > Essentials section of the blade of the new Nano server, take note of its public IP address. You can connect to the Nano server using the public IP address and PowerShell remoting.

Note: PowerShell Remoting must be set up on the machine you are using to connect to the Nano server. Also, you will need to add the Nano Server to your trusted host group.

You can now connect to your Nano Server running in Azure. Watch this video "Nano Server and Azure PowerShell" for a look at some of PowerShell's new features running on Nano Server in Azure: https://channel9.msdn.com/Series/Nano-Server-Team/Nano-Server-and-Azure-PowerShell
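The task above leaves the actual connection to you. The following is an added example (not the course's own code) of connecting over the WinRM-https rule created earlier. It assumes WinRM HTTPS on the default port 5986, the Student account from the lab, and that the VM presents a self-signed certificate, which is why the session options have to skip the CA and CN checks; to keep some server authentication, the script pins the certificate thumbprint on first use and refuses to connect if it later changes. The function names are mine.

```powershell
# Added example (not from the lab): connect to the Nano Server VM over WinRM HTTPS
# with trust-on-first-use pinning of its self-signed certificate.

function Get-RemoteCertificateThumbprint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 5986)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; we only want to read it, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
    } finally {
        $client.Close()
    }
}

function Connect-NanoServer {
    param(
        [Parameter(Mandatory)][string]$PublicIp,            # from Overview > Essentials in the portal
        [Parameter(Mandatory)][pscredential]$Credential,    # e.g. Get-Credential Student
        [string]$PinnedThumbprint                           # record this after the first connection
    )
    $remote = Get-RemoteCertificateThumbprint -HostName $PublicIp
    if (-not $PinnedThumbprint) {
        Write-Warning "First connection: record thumbprint $($remote.Thumbprint) ($($remote.Subject)) and pass it next time"
    } elseif ($remote.Thumbprint -ne $PinnedThumbprint) {
        throw "Certificate thumbprint changed ($($remote.Thumbprint) != $PinnedThumbprint); not connecting."
    }

    # The VM is not domain joined, so add it to the WinRM client's TrustedHosts
    # (the step the lab mentions). This needs an elevated prompt.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ','
    if ($trusted -notcontains $PublicIp) {
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $PublicIp -Concatenate -Force
    }

    # -SkipCACheck/-SkipCNCheck are needed for the self-signed certificate; the pin above
    # stands in for the validation they turn off.
    $opt = New-PSSessionOption -SkipCACheck -SkipCNCheck
    New-PSSession -ComputerName $PublicIp -Credential $Credential -UseSSL -SessionOption $opt
}

# Constructed usage: $s = Connect-NanoServer -PublicIp '203.0.113.10' -Credential (Get-Credential Student)
# then Enter-PSSession $s. The lab's NSG rule allows WinRM from Source: Any; outside the
# lab, narrow Source to your management address.
```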