Microsoft Server 2008 Term Journal

Active Directory provides a centralized authentication service for Microsoft networks. Using Active Directory, one can efficiently manage users, computers, groups, printers, applications and other directory-enabled objects. I'll be keeping a journal in conjunction with the MOAC lab manual to document the installation and troubleshooting process of Active Directory on Windows Server 2008.

Windows Server 2008 system requirements:
Processor: minimum 1 GHz (x86) or 1.4 GHz (x64); recommended 2 GHz or faster
Memory: minimum 512 MB RAM; recommended 2 GHz or faster
Drive: DVD-ROM

The group configured a total of four machines with Active Directory, all using the same settings:
Administrative password: MSPress#1
Default gateway: 192.168.0.1
Subnet mask: 255.255.255.0

Machine #1: configured as the root domain controller. Domain name: domain01.local; IP address: 192.168.0.2; computer name: RWDC01

Machine #2: configured as a read-only domain controller. Domain name: domain01.local; IP address: 192.168.0.3; computer name: RODC01

Machine #3: configured as a writeable child domain controller. Domain name: child02.domain01.local; IP address: 192.168.0.5; computer name: RWDC02

Machine #4: configured with Windows Server 2008 Server Core. Domain name: domain01.local; IP address: 192.168.0.4; computer name: SCDC01

Exploring the Windows Server 2008 Interface


Modify basic server settings:
Installed Server 2008 on machine #1, configured as our root domain controller.
Log on as Administrator (important: write down and save the password).
Expand the Initial Configuration Tasks window to full screen.
Click Set Time Zone, select the appropriate time zone, and click OK.

Click Enable Automatic Updating and Feedback, then click Close.
Click Windows Automatic Update and click Close.
Click Provide Computer Name and Domain; on the Computer Name tab, click Change and enter RWDC01.
Click OK to restart.
Log back on as Administrator and place a checkmark next to Do Not Show This Window at Logon.
Click Close; the Server Manager window is displayed automatically.

Configure TCP/IP settings:
From the Server Manager window, click View Network Connections.
Right-click the network connection and select Properties.
Click TCP/IPv4 and select Properties.
Select the Use the Following IP Address radio button, enter the IP information for RWDC01, and click OK.
Log off.

In the process of installing Server 2008 on machine #2, the group had issues with the machine not recognizing the optical drive. The group was able to locate an external drive, changed the boot order in the BIOS, and the software installed successfully.
Follow the same installation process as machine #1 (RWDC01) via the Initial Configuration Tasks window. The group named this domain controller RODC01.
Next, configure the TCP/IP settings: enter the IP information for RODC01 and log off.

Follow the same installation process as machine #1 (RWDC01) via the Initial Configuration Tasks window for machine #3. The group named this domain controller RWDC02. Next, configure the TCP/IP settings: enter the IP information for RWDC02 and log off.

Installed a final machine to run Windows Server 2008 Server Core. Configuring this machine was a little trickier than the others, in that the process is almost entirely command driven.
Log on as Administrator; the command window opens.
Key timedate.cpl and press Enter. Click Change Time Zone, select the appropriate time zone, and click OK.
Key hostname and press Enter.
Key netdom renamecomputer <currentname> /newname:SCDC01, key y, and press Enter.
Key shutdown /r and press Enter.

Configuring a static IP address:
From the command prompt, key ipconfig /all and press Enter.
Key netsh and press Enter.
Key interface and press Enter.
Key ipv4 and press Enter.
Key set address name="Local Area Connection" source=static address=192.168.0.4 mask=255.255.255.0 gateway=192.168.0.1 gwmetric=1 and press Enter.
Key ipconfig /all to confirm the new settings.

Key netsh advfirewall set allprofiles settings remotemanagement enable to allow remote access to the server via the MMC. Log off.
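The Server Core steps above are typed one at a time at the console. The following script is an added example, not the journal's or the MOAC manual's own text: it wraps the same netsh and netdom command lines in a function with a dry-run switch, so the exact commands can be reviewed before they change the box and the result is checked with ipconfig /all the way the journal does. It assumes the adapter is named "Local Area Connection" (the Server 2008 default) and uses the journal's lab addressing; the original Server 2008 Core build has no PowerShell, so on that build the command strings printed by -WhatIf are the lines to type at the console, while the script itself runs on Server 2008 R2 Core and later.

```powershell
# Added example, not from the journal or the MOAC manual. Wraps the netsh/netdom
# commands the journal types on SCDC01 so they can be reviewed (-WhatIf) before
# they change the box. Assumes the adapter is named "Local Area Connection"
# (the Server 2008 default) and the journal's lab addressing.
function Set-CoreLabNetwork {
    param(
        [string]$Interface = 'Local Area Connection',
        [string]$Address   = '192.168.0.4',     # SCDC01
        [string]$Mask      = '255.255.255.0',
        [string]$Gateway   = '192.168.0.1',
        [string]$DnsServer = '192.168.0.2',     # RWDC01, the writeable DC
        [string]$NewName,                       # e.g. SCDC01; omit to keep the current name
        [switch]$WhatIf
    )
    $commands = @(
        "netsh interface ipv4 set address name=`"$Interface`" source=static address=$Address mask=$Mask gateway=$Gateway gwmetric=1",
        "netsh interface ipv4 set dnsservers name=`"$Interface`" static $DnsServer primary",
        # lets an MMC on another host manage this server through the firewall
        "netsh advfirewall set allprofiles settings remotemanagement enable"
    )
    if ($NewName) {
        # /force suppresses the y/n prompt the journal answers by hand; reboot afterwards
        $commands += "netdom renamecomputer $env:COMPUTERNAME /newname:$NewName /force"
    }
    foreach ($cmd in $commands) {
        if ($WhatIf) { Write-Output "WOULD RUN: $cmd"; continue }
        & cmd.exe /c $cmd
        if ($LASTEXITCODE -ne 0) { throw "Command failed (exit code $LASTEXITCODE): $cmd" }
    }
    if (-not $WhatIf) {
        # same check the journal does: ipconfig /all, reduced to the lines that matter
        return (ipconfig /all | Select-String -Pattern 'IPv4 Address|Subnet Mask|Default Gateway|DNS Servers')
    }
}

# Dry run: prints the exact command lines without executing them
Set-CoreLabNetwork -NewName 'SCDC01' -WhatIf
```

Run it without -WhatIf from an elevated prompt on the Core box itself; changing the address from a remote session would drop that session. The DNS server is set to RWDC01 in the same pass because a DC-to-be must resolve the domain's SRV records before dcpromo can find the domain.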

Installing the Active Directory Domain Services role:


Log on to RWDC01 as Administrator.
In the left pane of Server Manager, double-click Roles.
Click Active Directory Domain Services, then click Run the Active Directory Domain Services Installation Wizard.
Place a checkmark next to Use Advanced Mode Installation and click Next.
The Operating System Compatibility window is displayed; read it and click Next.
The Choose a Deployment Configuration window is displayed. Select the Create a New Domain in a New Forest radio button and click Next.
Key domain01.local as the FQDN and click Next to accept the NetBIOS name.
Select Windows Server 2003 from the Forest Functional Level drop-down box and click Next.
Click Next to accept Windows Server 2003 as the domain functional level, accept and continue.
Key the Administrator password and click Next.
Review the installation choices and click Next to continue.

Click Finish when prompted, then click Restart Now.

Verifying SRV record creation:
Log on to RWDC01 as Administrator; at the command prompt key nslookup and press Enter.
Key set type=srv and press Enter.
Key _ldap._tcp.dc._msdcs.domain01.local and press Enter.
An error message appears; key exit and press Enter.

Creating user accounts:
Log on to RWDC01 as Administrator.
Click Start, Administrative Tools, Active Directory Users and Computers. Click + next to domain01.local.
Right-click Users, select New, and then select User.
Enter the name, click Next, and create a password.
Click Next, click Finish to create the user, and close the console.

Configure accounts with administrative access to the forest root domain:
Click Start, Administrative Tools, Active Directory Users and Computers. Click + next to domain01.local.
Right-click Enterprise Admins and select Properties.
Click the Members tab, click Add, key the name, and click OK.

Installing a child domain:
The first step is to configure the computer to perform DNS resolution.
Log on to RWDC02 as Administrator and click View Network Connections.
Right-click the network connection and select Properties.
Click TCP/IPv4 and select Properties.

Select the Use the Following DNS Server Addresses radio button. Enter the address of the writeable domain controller that is configured for domain01.local. Click OK to save and log off.

Configure the RWDC02 computer as the first DC in the child02.domain01.local child domain of the domain01.local Active Directory forest:
Log on to RWDC02 as Administrator.
In the left pane of Server Manager, double-click Roles; the right pane shows the number of roles installed on this server and their names.
Click Active Directory Domain Services, click Run the Active Directory Domain Services Installation Wizard, place a checkmark next to Use Advanced Mode Installation, and click Next.
Read the information and click Next.
Click the Existing Forest radio button, then select Create a New Domain in an Existing Forest and click Next.
In the Type the Name of Any Domain in the Forest Where You Plan to Install This Domain Controller text box, key domain01.local.
Click Set to specify an alternate set of credentials for creating the child domain. Key the name and password for the account, then click OK. Click Next.
In the FQDN of the Parent Domain text box, key domain01.local. In the Single-Label DNS Name of the Child Domain text box, key child02. Click Next four times.
Place a checkmark next to Global Catalog and DNS Server and click Next; click Yes on the wizard warning.

Click Next twice, key the Administrator password, then click Next. Review the installation choices and click Next. Click Finish and click Restart Now.

Creating an administrative account in the child domain:
Log on to RWDC02 as the Administrator account of the forest root domain.
Click Start, Administrative Tools, Active Directory Users and Computers; click + next to child02.domain01.local.
Click the Users container, right-click Users, select New, and select User.
In the Full Name and User Logon Name fields key child02name, click Next, then enter and confirm the password. Review the selections and click Finish to create the user account.
Click + next to domain01.local, click the Users container, right-click Domain Admins, and select Properties.
Click the Members tab and click Add; the Enter Object Names to Select window is displayed. Key child02name and click OK.

Verifying child domain SRV records:
Log on to RWDC02 as Administrator; click Start, Administrative Tools, DNS Management.
Click + next to the server name, click Forward Lookup Zones, click domain01.local, click child02.domain01.local, click _msdcs, and then click dc.
Click _tcp in the left pane; in the right pane double-click _ldap.
Close the DNS Management console and log off.

Verifying LDAP records for the child domain using nslookup:
Log on to RWDC02 as Administrator.
Open the command prompt, key nslookup, and press Enter. Key set type=srv and press Enter.
Key _ldap._tcp.dc._msdcs.child02.domain01.local and press Enter. A summary output is displayed; key exit and press Enter.
Close the command prompt and log off.

Create a local administrator for the read-only DC in the forest root domain:
Log on to RWDC01 with your username.
Click Start, Administrative Tools, Active Directory Users and Computers.
Click + next to domain01.local, click the Users container, right-click Users, select New, and select User.
In the Full Name and User Logon Name fields key RODCadminxx and click Next to continue.
Enter the password to be used and click Next. Review the selections and click Finish to create the account.

Configure a read-only DC in the forest root domain:
Log on to RODC01 as Administrator.
Click View Network Connections, right-click the network connection, and select Properties.

Click TCP/IPv4 and select Properties. Select the Use the Following DNS Server Addresses radio button. In the Preferred DNS Server text box, enter the IP address of the writeable DC that is configured as the domain controller for domain01.local (192.168.0.2). Click OK twice to save.
In the left pane of Server Manager, double-click Roles. Click Add Roles, then Next to bypass the first window.
Place a checkmark next to Active Directory Domain Services, click Next, read the information, and click Next.
Read the information, click Install, and then click Close This Wizard and Launch the Active Directory Domain Services Installation Wizard.
Place a checkmark next to Use Advanced Mode Installation and click Next; read the information and click Next.
Click the Existing Forest radio button, click Add a Domain Controller to an Existing Domain, and click Next.
In the Type the Name of Any Domain in the Forest Where You Plan to Install This Domain Controller text box, key domain01.local.
Click Set to specify an alternate set of credentials for adding the new domain controller. Key namexx and the password for this account and click OK. Select the domain01.local domain and click Next.
Place a checkmark next to Read-Only Domain Controller (RODC) and click Next; click Yes on the wizard warnings and confirm.
Click Set to specify a local administrator for the RODC who does not have administrative permissions within AD. Key RODCadminxx and click OK.
Accept the default selections and click Next, key the password, click Next, review, and click Finish.

Confirm local administrator functionality on the forest root read-only DC:
Log on to RODC01 as Administrator (the username will be rodcadminxx).
Click Start, Administrative Tools, Event Viewer; when you receive the UAC prompt, click Continue.
Click Windows Logs and then click Security; close the Event Viewer.
Click Start, Administrative Tools, Active Directory Users and Computers, and click OK.
Browse as needed to select domain01.local, then click Users, right-click Administrator, click Reset Password, enter the new password, click OK, click Cancel, and close the Active Directory Users and Computers console.

Configure a Server Core domain controller in the forest root domain:
Log on to SCDC01 as Administrator. At the command prompt key netsh interface ipv4 set dnsservers name="Local Area Connection" static 192.168.0.2 primary and press Enter, then key ipconfig /all.
Key notepad and press Enter. Refer to page 42 of the MOAC Lab Manual to create an unattended configuration file for the dcpromo process in Notepad. Save the file as c:\unattend.txt and close Notepad.
Key dcpromo /unattend:c:\unattend.txt and press Enter.
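The journal refers to the manual for the contents of c:\unattend.txt. The script below is an added example, not the manual's page-42 file and not the journal's own text: it writes a dcpromo answer file for an additional (replica) domain controller in domain01.local using the [DCInstall] keys that dcpromo /unattend reads, and it keeps the domain credential out of the file (Password=* makes dcpromo prompt for it). The DSRM password has to be in the file, so it is prompted for and the file should be deleted once promotion completes. The site name, the credential account and the Windows paths are assumptions.

```powershell
# Added example, not the MOAC manual's answer file and not the journal's text.
# Builds a dcpromo /unattend answer file that joins domain01.local as a replica DC.
function New-DcpromoReplicaAnswerFile {
    param(
        [string]$Path          = 'C:\unattend.txt',        # the journal's file name
        [string]$DomainDnsName = 'domain01.local',
        [string]$SiteName      = 'Default-First-Site-Name', # assumed
        [string]$UserName      = 'Administrator'            # assumed credential account
    )
    # DSRM password: prompted, never hard-coded; converted only for the file write
    $secure = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    $lines = @(
        '[DCInstall]',
        'ReplicaOrNewDomain=Replica',            # extra DC in an existing domain
        "ReplicaDomainDNSName=$DomainDnsName",
        "SiteName=$SiteName",
        'InstallDNS=Yes',                        # also a DNS server, like the journal's DCs
        'ConfirmGc=Yes',                         # and a global catalog
        'CreateDNSDelegation=No',
        'DatabasePath="C:\Windows\NTDS"',
        'LogPath="C:\Windows\NTDS"',
        'SYSVOLPath="C:\Windows\SYSVOL"',
        "UserDomain=$DomainDnsName",
        "UserName=$UserName",
        'Password=*',                            # * = prompt at run time, nothing stored
        "SafeModeAdminPassword=$dsrm",
        'RebootOnCompletion=Yes'
    )
    # plain ASCII text, one key per line, as dcpromo expects
    [System.IO.File]::WriteAllLines($Path, [string[]]$lines, [System.Text.Encoding]::ASCII)
    # restrict the file to Administrators/SYSTEM while it exists
    & icacls $Path /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
    return $Path
}

$answerFile = New-DcpromoReplicaAnswerFile
Write-Output "Answer file written to $answerFile"
Write-Output "Promote with:  dcpromo /unattend:$answerFile"
Write-Output "After the promotion finishes and the reboot completes, delete $answerFile"
```

The only secret written to disk is the DSRM password, which is why the file is ACL-restricted and should be removed afterwards; the domain credential is requested interactively by dcpromo because of Password=*.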

Working with Active Directory Sites


The AD replication process is used to communicate changes from one domain controller to all other domain controllers in a domain or forest. Intrasite replication takes place within the same site and transmits changes as soon as they occur. Intersite replication is scheduled, or runs every 15 minutes by default. AD will designate a bridgehead server in each site to act as a gatekeeper in managing site-to-site replication.

Replication management (forcing replication):
Log on to RWDC01 as Administrator.
Open the Active Directory Sites and Services MMC snap-in: click Start, click Administrative Tools, and then click Active Directory Sites and Services.
In the left pane, expand the Sites folder and then expand Default-First-Site-Name.
Expand the Servers folder and then expand the icon for the server you are using.
In the left pane, click NTDS Settings. In the right pane, select one of the replication connections that has been configured for your server.
Right-click the connection and click Replicate Now. A Replicate Now message box is displayed, indicating that Active Directory has replicated the connection.
Click OK and close the Active Directory Sites and Services console.

Managing connection objects:
Open the Active Directory Sites and Services console.
In the left pane, expand the Sites folder and then expand Default-First-Site-Name.
Expand the Servers folder, and then expand the computer name of the server you are using.
In the left console pane, click NTDS Settings.
Right-click NTDS Settings, and then click New Active Directory Domain Services Connection. The Find Domain Controllers dialog box is displayed.

Select the name from the list of computer names displayed in the search results pane and click OK. An AD message box is displayed, indicating that there is already a connection and asking whether you want to create another one. Click Yes; the New Object - Connection dialog box is displayed.
To accept the default setting, click OK. The new connection is created. Two connections should be displayed: the automatically generated connection and the manually generated connection.
In the right pane, right-click the manually created connection and click Delete. An AD message box is displayed; click Yes to confirm that you want to delete the connection object.

Identifying the global catalog:
In the left pane of the Active Directory Sites and Services console, right-click NTDS Settings and then click Properties. On the General tab, you can see that the Global Catalog checkbox is selected.

Creating a new site:
Log on to RWDC01 as Administrator and open the Active Directory Sites and Services console.
In the left pane, right-click Sites and then click New Site. The New Object - Site dialog box is displayed.
In the Name text box key MainSite, click DEFAULTIPSITELINK, and then click OK. A message box is displayed, indicating that you must complete additional steps to configure the site; click OK.
The group also configured a new site, following the same steps, with RWDC02 and named it BranchSite.

Renamed Default-First-Site-Name to HQ by right-clicking the site and selecting Rename.

Creating a subnet object:
Log on to RWDC01 as Administrator and open the Active Directory Sites and Services console.
In the left pane, right-click Subnets and then click New Subnet. The New Object - Subnet dialog box is displayed.
Key 192.168.x.0/24 in the Prefix text box, click MainSite in the Site Name section, and click OK.
The group also created a subnet object for RWDC02 for the site named BranchSite.

Moving computers to the appropriate site:
Log on to RWDC01 as Administrator and open the Active Directory Sites and Services console. Verify that the default site was renamed to HQ.
In the left pane, expand the HQ site and then expand the Servers folder.
Right-click RWDC01, then click Move. The Move Server dialog box is displayed; click MainSite and click OK.
In the left pane, expand MainSite and then expand the Servers object below MainSite. You should see the RWDC01 computer object.
Try to force replication using the connection object of the RWDC01 computer; you should also see a message indicating that these servers are in different sites. Click OK.
Right-click RWDC02 and then click Move. The Move Server dialog box is displayed; click BranchSite and click OK.

In the left pane, expand BranchSite and then expand the Servers folder. You should see the RWDC02 computer object.

Creating a site link object from the RWDC02 computer:
For replication to take place between RWDC01 and RWDC02 in separate sites, you must create a site link object between these sites.
Log on to RWDC02 using the Domainxx\name account in the domain01.local domain. Open the Active Directory Sites and Services console.
In the left pane, expand the Inter-Site Transports folder. Right-click IP and click New Site Link. The New Object - Site Link dialog box is displayed.
In the Name text box, key EvenLink. In the Sites Not in This Site Link box, click MainSite and then click Add.
In the Sites Not in This Site Link box, click BranchSite and then click Add. Click OK to save the changes.
The group also created a site link object from RWDC01 named OddLink.
The group also followed the post-lab cleanup portion of the lab (page 66 of the MOAC Lab Manual).

Windows Server 2008 provides tools for problem discovery, diagnosis and resolution, e.g. the event logs in Event Viewer. Dcdiag and repadmin can both be run from the command line. Dcdiag can report DNS registration problems, analyze the permissions required for replication, and report the state of the DCs within the forest. Repadmin can view the replication topology, force replication, and view the replication metadata (the actual data and USN information).
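The journal checks the DC locator SRV records by hand with nslookup and names dcdiag and repadmin as the diagnostic tools. The script below is an added example, not part of the journal or the manual: it automates those three checks into one health report, parsing the nslookup SRV answer for the DC host names, running dcdiag in quiet mode (which prints only failures) and repadmin /replsummary. The domain names and the DNS server address are the journal's lab values; running it requires a domain-joined Windows host with the AD tools installed.

```powershell
# Added example, not from the journal: automates the verification the journal does
# by hand (nslookup SRV lookup, then dcdiag and repadmin). Domain names and the DNS
# server are the journal's lab values.
function Test-DcLocatorRecord {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [string]$DnsServer                       # e.g. 192.168.0.2 (RWDC01); default resolver if omitted
    )
    # the record the journal queries: _ldap._tcp.dc._msdcs.<domain>
    $record = "_ldap._tcp.dc._msdcs.$Domain"
    $nsArgs = @('-type=SRV', $record)
    if ($DnsServer) { $nsArgs += $DnsServer }
    $output = (& nslookup @nsArgs 2>&1) | Out-String
    # Windows nslookup prints one "svr hostname = <dc fqdn>" line per SRV answer
    $dcs = @([regex]::Matches($output, 'svr hostname\s*=\s*(\S+)') |
             ForEach-Object { $_.Groups[1].Value.TrimEnd('.') })
    New-Object PSObject -Property @{
        Record = $record
        Found  = ($dcs.Count -gt 0)
        Hosts  = $dcs
    }
}

function Invoke-DcHealthCheck {
    param(
        [string[]]$Domains  = @('domain01.local', 'child02.domain01.local'),
        [string]$DnsServer  = '192.168.0.2'
    )
    $records = @()
    foreach ($d in $Domains) { $records += Test-DcLocatorRecord -Domain $d -DnsServer $DnsServer }

    # dcdiag /q prints only failing tests, so empty output means every test passed
    $dcdiagFailures = ((& dcdiag /q 2>&1) | Out-String).Trim()
    # repadmin /replsummary lists per-DC replication failures and the largest delta
    $replSummary    = (& repadmin /replsummary 2>&1) | Out-String

    $missing = @($records | Where-Object { -not $_.Found })
    New-Object PSObject -Property @{
        LocatorRecords     = $records
        DcdiagFailures     = $dcdiagFailures
        ReplicationSummary = $replSummary
        Healthy            = ($missing.Count -eq 0) -and ($dcdiagFailures -eq '')
    }
}

Invoke-DcHealthCheck | Format-List
```

A missing locator record for a domain means clients and new DCs cannot find a domain controller for it, which is the failure the journal's nslookup step is designed to catch; dcdiag output that is not empty points at the specific failing test, and the repadmin summary shows whether the site links created above are actually carrying changes.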

Global Catalog and FSMO Roles


The global catalog has four functions: facilitate searches for objects in the forest, resolve UPNs, maintain universal group membership information, and maintain a copy of all objects in the domain. For sites that do not have a global catalog server available, a feature called universal group membership caching is used. It eliminates the need to place a global catalog in a remote location and maximizes resources.

Raise the parent domain functional level:
Log on to RWDC01 as Administrator and open the Active Directory Domains and Trusts console.
Right-click the domain01.local node and click Raise Domain Functional Level. The Raise Domain Functional Level dialog box is displayed.
In the drop-down box, select Windows Server 2008 and then click Raise; read the message and confirm. A second message is displayed, indicating that the domain functional level has been raised.
The group also raised the functional level of the child domain following the same steps.

Raise the forest functional level:
Log on to RWDC01 as Administrator and open the Active Directory Domains and Trusts console.
Right-click the top-level node, Active Directory Domains and Trusts [RWDC01.domain01.local], and then click Raise Forest Functional Level; the dialog box is displayed.
In the drop-down selection box click Windows Server 2008 and then click Raise; read the message and confirm. A second message is displayed; click OK.

Enabling universal group membership caching:
Log on to RWDC01 as Administrator and open the Active Directory Sites and Services console.
In the left pane, click Sites and then click Default-First-Site-Name. Right-click NTDS Site Settings and click Properties.
Place a checkmark next to Enable Universal Group Membership Caching and click OK, then force AD replication.

Working with Flexible Single Master Operation roles:

Viewing operations masters:
First, determine which server holds the schema operations master role.
On RWDC02 log on as Administrator, click Start, key ntdsutil, then key roles, key connections, key connect to server RWDC01.domain01.local and press Enter.
Key quit, key select operation target, key list roles for connected server, and review the output: which FSMO roles are assigned to RWDC01?
Key quit, key connections, key connect to server RWDC02.child02.domain01.local and press Enter; key quit, key select operation target, key list roles for connected server and press Enter.

Key quit, close the command-prompt window, and log off.

Transferring the schema master to a different domain controller:
Log on to RWDC01 as Administrator, click Start, key ntdsutil, and press Enter.
Key roles, key connections, key connect to server RWDC02.child02.domain01.local, and press Enter.
Key quit, key transfer schema master, and confirm by clicking Yes.
Review the output of the ntdsutil window to confirm that RWDC02 is now listed as the schema operations master.
Close the command prompt and log off. The group then transferred the schema master role back to RWDC01.

There are a total of five FSMO roles. Three are domain-specific: the Relative Identifier (RID) Master, responsible for assigning relative identifiers to domain controllers in the domain; the Infrastructure Master, responsible for reference updates from its domain to other domains; and the Primary Domain Controller (PDC) Emulator, which manages password changes, account lockouts and time synchronization. The two forest-wide roles are the Domain Naming Master, which has the authority to manage the creation and deletion of domains, domain trees and application data partitions in the forest, and the Schema Master, which is responsible for managing changes to the AD schema.
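The ntdsutil walk-through above answers "which roles does this server hold" one connection at a time. The script below is an added example, not from the journal: it lists all five FSMO role holders through the .NET System.DirectoryServices.ActiveDirectory classes (which exist on Server 2008 without the R2-only ActiveDirectory module) and compares them with an expected assignment, so a role that was transferred and never moved back shows up as drift. The expected table is an assumption built from the journal's end state, with the roles for the forest and for domain01.local all on RWDC01; it must be run from a domain-joined host.

```powershell
# Added example, not from the journal: enumerate FSMO holders via .NET and flag
# any difference from an expected assignment (the expected values are assumed).
Add-Type -AssemblyName System.DirectoryServices

function Get-FsmoRoleHolder {
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $holders = @{}
    # the two forest-wide roles are properties of the Forest object
    $holders['Schema Master']        = $forest.SchemaRoleOwner.Name
    $holders['Domain Naming Master'] = $forest.NamingRoleOwner.Name
    # the three domain roles are properties of each Domain object
    foreach ($domain in $forest.Domains) {
        $holders["PDC Emulator ($($domain.Name))"]          = $domain.PdcRoleOwner.Name
        $holders["RID Master ($($domain.Name))"]            = $domain.RidRoleOwner.Name
        $holders["Infrastructure Master ($($domain.Name))"] = $domain.InfrastructureRoleOwner.Name
    }
    return $holders
}

function Compare-FsmoHolders {
    param([hashtable]$Actual, [hashtable]$Expected)
    $drift = @()
    foreach ($role in $Expected.Keys) {
        $want = $Expected[$role].ToLowerInvariant()
        $have = if ($Actual.ContainsKey($role)) { $Actual[$role].ToLowerInvariant() } else { '<missing>' }
        if ($have -ne $want) { $drift += "$role is held by $have, expected $want" }
    }
    return $drift
}

# Assumed expected assignment for the journal's forest root domain
$expected = @{
    'Schema Master'                          = 'rwdc01.domain01.local'
    'Domain Naming Master'                   = 'rwdc01.domain01.local'
    'PDC Emulator (domain01.local)'          = 'rwdc01.domain01.local'
    'RID Master (domain01.local)'            = 'rwdc01.domain01.local'
    'Infrastructure Master (domain01.local)' = 'rwdc01.domain01.local'
}

$actual = Get-FsmoRoleHolder
$actual.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
$drift = Compare-FsmoHolders -Actual $actual -Expected $expected
if ($drift.Count -eq 0) { 'FSMO holders match the expected assignment' } else { $drift }
```

Because the PDC Emulator handles password changes and lockouts and the Schema Master gates schema changes, knowing exactly which server holds each role (and noticing when it changes) is part of keeping the forest's privileged operations where the administrators expect them.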

Creating Administrative Accounts


In this unit the group performed some of the most common administrative tasks encountered when working with AD: created administrative user accounts, changed group memberships, and created global and universal groups to assign permissions to user accounts.

Create an account in the parent domain:
Log on to the forest root domain as the default domain administrator (domain01.local\administrator).
Open the Active Directory Users and Computers MMC snap-in and expand the domain01.local object.
Right-click Users, click New, then User, and create a new user named DomAdmin with the default password.
Make sure the Users container is selected in the right pane of Active Directory Users and Computers.
Right-click DomAdmin and select Properties, click the Member Of tab, click Add, and key Domain Admins in the Object Names box.
In DomAdmin Properties, click Domain Admins in the Member Of list and set it as the primary group. Click Domain Users in the Member Of list and click Remove, so that Domain Admins is the only group membership for this user account.
Repeated the same process to create two additional accounts named SchAdmin (member of the Schema Admins group) and EntAdmin (member of the Enterprise Admins group).

Creating administrative accounts in the child domain:
Log on to the child domain with the username Administrator and the default password, and open the Active Directory Users and Computers MMC snap-in.
Expand child01.domain01.local, right-click Users, and click New.
Create a new user account named DomAdmins and verify that DomAdmins is part of the Domain Admins group (refer to the manual).
Created two additional accounts named SchAdmin and EntAdmin; didn't configure membership at this time.

Adding child user accounts to enterprise-wide administrative roles:
Log on to the child domain as the default domain administrator and open Active Directory Users and Computers.
Expand domain01.local, select the Users container, right-click the Enterprise Admins group, click Properties, click the Members tab, and click Add.
Click Locations, expand the domain01 object, and expand the child01.domain01 domain. Click Users under the child domain, key EntAdmin, and check the name, making sure that the EntAdmin user from the child domain is displayed and underlined.
Repeat the steps to add the SchAdmin user account from the child01 domain to the Schema Admins group in the parent domain.

Allowing users to log on to domain controllers:
Typically you wouldn't want to grant users permission to log on to a domain controller; this is done for testing purposes only.
In the Group Policy Management Console, expand the tree until you find Domain Controllers. Right-click the Default Domain Controllers Policy and click Edit.
Expand Computer Configuration, expand Policies, expand Windows Settings, Security Settings, Local Policies, and click User Rights Assignment.
Double-click the Allow Log On Locally policy object and check the Define These Policy Settings box. Click Add User or Group, then key Administrators and key Users in the User and Group Names text box. Click OK again in the Allow Log On Locally Properties dialog box.

Determine which account can create sites, users and attributes:
The group followed the Lab Manual for Project 5.2, Testing Administrative Access, to test the capabilities of each user account created in the previous projects. After completing the project, the conclusion was that the EntAdmin account was able to create sites, users and attributes. The DomAdmin account was able to create users but not sites or attributes. SchAdmin was able to add attributes but not users, groups or sites.

Creating global and universal groups:
Logged on to the parent and child domains and created a global group named LAdmin01 in the parent and LAdmin02 in the child. Next we added LAdmin01 and LAdmin02 to a universal group, granting administrator privileges. Next we created users named LocalAdmin01 and LocalAdmin02 in the parent and child domains and made them members of the LAdmin groups (page 97 of the MOAC Lab Manual).

Employing Security Concepts


Using naming standards and secure passwords:
The group created a user account in the root domain using the naming standard, mapping the full name Reed Koch to RKoch01, with the default password, and made sure that User Must Change Password at Next Logon is not selected. Also created a user account in the child domain using the naming standard, mapping the full name Brannon Jones to BJones02.

Employing administrator account security:
Refer to pages 107-109 of the MOAC Lab Manual for the various methods of using the runas utility from the command prompt and from a shortcut, reducing the exposure of administrative accounts.

Delegating administrative responsibility:

Delegating control in the parent domain:
Log on to RWDC01 as the default administrator and open a command-prompt window (refer to page 109 for the commands to create the user accounts), then open the Active Directory Users and Computers console.
Right-click the domain01.local object, click New, Organizational Unit, key Mgmt1, and click OK.
Right-click Mgmt1 and click Delegate Control. The Delegation of Control Wizard is displayed; click Next. On the Users or Groups page, click Add, select Users, key Manager in the Object Names box, and click OK to check the name. On the Users or Groups page, click Next. The Tasks to Delegate page is displayed.
Move the User1 account from the Users container to the Mgmt1 OU (click and drag), then open the command prompt (refer to page 110 for the commands).
In the left pane of Active Directory Users and Computers, select Mgmt1 and make sure User1 and User2 are displayed.
Delegating control in the child domain is the same process. The group created User3 and User4 and created an OU named Mgmt2, then moved User3 and User4 to the Mgmt2 OU. We also tested the delegated permissions on the parent and child domains: in order to delete users from the OU, the delegated user must have the proper credentials.

Configuring the Local Computer Policy


Group Policy is a method of controlling settings across the network. You can configure one or more GPOs within a domain and then use a process called linking, which applies these settings to various containers within AD.

Removing the child domain:
Log on as Administrator and, using Notepad, create a file called c:\demote.txt (refer to page 121 for the information the file must contain).
Open a command-prompt window, key dcpromo /answer:c:\demote.txt and press Enter. After the domain controller is demoted, it will reboot automatically.
Log back on to RWDC02 as Administrator, open Server Manager, browse to Computer Information, and click Change System Properties. On the Computer Name tab, click Change. Click More and remove the child02.domain01.local primary DNS suffix.
Browse to Roles Summary, click Remove Roles, and restart the computer.
Confirm that the computer is configured to use the IP address of RWDC01 as its primary DNS server.
The group also configured the child domain to remove the Properties option when right-clicking My Computer, via gpedit.msc (the Group Policy Object Editor), page 122.

Configure the Computer Properties context menu setting on the domain:
Log on to RWDC01 as Administrator and open the Group Policy Management Console from the Administrative Tools folder. Drill down to the Group Policy Objects node.
Right-click Default Domain Policy and click Edit. Under User Configuration, click Policies, click Administrative Templates, then the Desktop node. In the right window, double-click the Remove Properties from the Computer Icon Context Menu setting, click Disabled, and click OK.

Create domain users for testing:
In the Active Directory Users and Computers console, the group created a user account named L7DomUser in the Users container of domain01.local, created a new top-level OU named L7Test1, and created a user account in the L7Test1 OU named L7Test1User.

Create GPO links for the domain:
Log on to RWDC01 as Administrator, open the Group Policy Management Console from the Administrative Tools folder, and drill down to the domain01 node.
Right-click the domain01 node and select Create a GPO in This Domain, and Link It Here; name the new GPO RemoveHelp1 and press Enter.
Navigate to the Group Policy Objects node, right-click the RemoveHelp1 GPO, and click Edit.
Browse to User Configuration, click Policies, click the Administrative Templates node, and select the Start Menu and Taskbar object. In the right pane, double-click the Remove Help Menu from Start Menu setting.
Select the Enabled radio button and close the Group Policy Management Editor.
Right-click the domain01 node and select Create a GPO in This Domain, and Link It Here; name the new GPO RemoveSearch01 and press Enter. Repeat the steps to enable the Remove Search Link from Start Menu setting for the new GPO.

Create GPO links for an OU:
Open the Group Policy Management Console, drill down to the L7Test1 OU, and select Create a GPO in This Domain, and Link It Here; name the new GPO AddHelp1 and press Enter.
Repeat the previous steps to disable the Remove Help Menu from Start Menu setting in the AddHelp1 GPO, then close the Group Policy Management Editor.
Create and link another GPO to the L7Test1 OU named RemoveComputerProperties2. Enable the Remove Properties from the Computer Icon Context Menu setting in the RemoveComputerProperties2 GPO. Close the Group Policy Management Editor and Console. The group tested the results.

Using Block Policy Inheritance and Enforce:
The group deleted two GPO links from the L7Test1 OU. On RWDC01, drill down to the L7Test1 OU and right-click Block Inheritance.
Open the Group Policy Management Console from Administrative Tools, drill down to the domain01 node, right-click the Default Domain Policy GPO link, and click Enforced.
Inheritance can be altered by using the Enforce and Block Policy Inheritance settings.

Using Group Policy loopback processing:
Create a new top-level OU named L7Test2 in domain01.local. In the left pane, click the Computers container, right-click RWDC02, click Move, select the L7Test2 OU, and click OK.
Open the Group Policy Management Console from the Administrative Tools folder and drill down to the L7Test2 node.
Right-click the L7Test2 node and select Create a GPO in This Domain, and Link It Here.
Name the newly created GPO DisableCP and navigate to the Group Policy Objects node. Right-click DisableCP and click Edit; drill down to User Configuration, click Policies, click Administrative Templates, and then Control Panel. Enable the Prohibit Access to the Control Panel setting.
Edit the DisableCP GPO, navigate to Computer Configuration, click Policies, click Administrative Templates, click System, and click Group Policy. Enable the User Group Policy Loopback Processing Mode setting and leave the drop-down box set to Replace. Close the Group Policy Management Editor.

Managing Users and Computers with Group Policy


To configure a domain-wide password policy, browse to Computer Configuration, policies, Window Settings, Security Settings, Account Policies, Password Policy. To configure a domainwide Louckout policy, drill down to Account Policies under Computer Configuration, configure the Account Lockout Threshold setting for invalid Logon attempts. Audit Policy allows administrators to log successful and failed security events, can be used to track user and system activities. Configure Folder Redirection and Disk Quotas Folder Redirection provides the administrator with the ability to redirect the contents to certain folders to a network location. Group created a new folder on the C:\ drive named Lab8MyDocs1. Created a new GPO named Redirect1 and linked it to the Marketing OU. Drilled down to Folder Redirection under Edit GPO. Ensured that the Target Folder Location is Create A Folder For Each User Under The Root Path and key in proper DC with name of folder. Disk quotas can be used to limit the amount of space available on the server for user data. Group created and linked a new

GPO named DiskQuota1. Opened the Group Policy Editor, drilled down to Disk Quotas and enabled disk quotas with a default limit of 512 KB (pg. 145). The group also learned how to use gpupdate, a command-line tool used to manually force a policy refresh; gpupdate /force reapplies every setting rather than only the ones that changed since the last refresh.
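A way to verify the password and lockout policy that is actually in effect on the DC, as an added example that is not part of the lab manual or the group's notes. It exports the effective security settings with secedit, parses the [System Access] section of the INI-style export, and compares the values to a baseline. The baseline numbers are this example's own assumptions, not the lab's; the constructed sample export below resembles a fresh Windows Server 2008 domain policy so the checks can be exercised without a DC.

```powershell
# Added example; not from the lab manual or the group's own notes.

function ConvertFrom-SeceditInf {
    param([string]$Text)
    # Parse the INI-style secedit export into a hashtable: 'MinimumPasswordLength' -> '7', etc.
    $settings = @{}
    $section = ''
    foreach ($line in [regex]::Split($Text, "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; continue }
        if ($section -ne 'System Access') { continue }
        if ($line -match '^(\w+)\s*=\s*(.+)$') { $settings[$matches[1]] = $matches[2].Trim() }
    }
    return $settings
}

function Get-AccountPolicy {
    # Export the effective local security policy (on a DC this reflects the
    # domain-level account policy). secedit needs an elevated prompt.
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
    $text = Get-Content $tmp
    Remove-Item $tmp -Force
    return ConvertFrom-SeceditInf ([string]::Join("`n", $text))
}

function Test-AccountPolicy {
    param([hashtable]$Policy)
    # Baseline assumed for this example: setting name, comparison, threshold
    $checks = @(
        @('MinimumPasswordLength', 'ge', 8),
        @('PasswordComplexity',    'eq', 1),
        @('PasswordHistorySize',   'ge', 24),
        @('MaximumPasswordAge',    'le', 90),
        @('LockoutBadCount',       'ge', 1),    # 0 means lockout is disabled
        @('LockoutBadCount',       'le', 10)
    )
    $findings = @()
    foreach ($c in $checks) {
        $name = $c[0]; $op = $c[1]; $want = $c[2]
        if (-not $Policy.ContainsKey($name)) { $findings += "$name not present in export"; continue }
        $have = [int]$Policy[$name]
        # -1 for MaximumPasswordAge means passwords never expire; catch it before the
        # numeric comparison, which would otherwise pass it as 'less than 90'
        if ($name -eq 'MaximumPasswordAge' -and $have -eq -1) { $findings += 'MaximumPasswordAge = never expires'; continue }
        $ok = switch ($op) { 'ge' { $have -ge $want } 'le' { $have -le $want } 'eq' { $have -eq $want } }
        if (-not $ok) { $findings += ('{0} = {1} (expected {2} {3})' -f $name, $have, $op, $want) }
    }
    return $findings
}

# Constructed sample export (resembles a default Windows Server 2008 domain policy)
$sample = @"
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
"@
Test-AccountPolicy (ConvertFrom-SeceditInf $sample)
# Flags: MinimumPasswordLength = 7 (expected ge 8) and LockoutBadCount = 0 (expected ge 1)

# Live check on the DC:
# Test-AccountPolicy (Get-AccountPolicy)
```

net accounts /domain gives a quicker summary of the same values, but the secedit export is what shows whether a setting placed in an OU-linked GPO silently failed to reach the domain accounts.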

Software Distribution
Preparing the Distribution Share

Software deployed through Group Policy must be packaged for Windows Installer (.msi). There are two ways to deploy software: assigning or publishing. When an application is assigned to a user, it is advertised on the Start menu of the user's workstation and installs on first use; when an application is published, it is advertised in Add Or Remove Programs in the Control Panel for the user to install on demand. Insert the Windows Server 2008 CD and create a folder named C:\MSI, right-click it and click Share. Key in Everyone to share it on the network, click Share and close. Copy the contents of the \upgrade\netfx folder on the Windows Server 2008 CD-ROM into the MSI folder. Group created a new GPO named SoftDist1; under User Configuration, Policies, Software Settings, right-clicked Software Installation and added a new package with the file name given as the UNC path \\rwdc01\msi (not a local drive path, because clients fetch the package themselves), clicked Netfx and deployed the software as Published. Click Categories, add the Development Tools category to the Selected Categories list and click OK to close.
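A check worth running on the share before linking the GPO, as an added example that is not part of the lab manual or the group's notes: every client in the domain will install whatever .msi sits in C:\MSI, so anyone who can write to that folder can change what the whole domain installs. The function lists NTFS entries that give write-class rights to identities other than the assumed administrative ones (the identity list is this example's assumption; adjust it for the domain), and the share-level permissions are checked separately because NTFS and share permissions are combined.

```powershell
# Added example; not from the lab manual or the group's own notes.

function Get-WritableByNonAdmins {
    param([string]$Path)
    # FileSystemRights bits that allow changing the contents or the ACL
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        $id = $ace.IdentityReference.Value
        # Assumed admin-equivalent identities for this example
        if ($id -match '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|CREATOR OWNER|.*\\Domain Admins)$') { continue }
        $findings += "$id has $($ace.FileSystemRights) on $Path"
    }
    return $findings
}

$issues = @(Get-WritableByNonAdmins 'C:\MSI')
if ($issues.Count -eq 0) { 'NTFS: C:\MSI is read-only for non-admins' } else { $issues }

# Share permissions are separate from NTFS; both must be read-only for users.
net share MSI
# To (re)create the share with read for everyone and full control for administrators:
# net share MSI=C:\MSI /GRANT:Everyone,READ /GRANT:Administrators,FULL

# The path the GPO will hand to clients must resolve from the network, not as C:\MSI
Test-Path '\\rwdc01\MSI'
Get-ChildItem '\\rwdc01\MSI' -Filter *.msi | ForEach-Object { $_.FullName }
```

Packages assigned to computers are fetched by the computer account, so Domain Computers (or Authenticated Users, which includes them) also needs read access, but never more than read.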

To assign software, drill down to Forest, Domains, domain01.local, edit the GPO, then User Configuration, Policies, Software Settings, Software Installation. Right-click Microsoft .NET Framework 1.1, click Properties and under Deployment select Assigned.

Using Software Restriction Policies

Drill down to User Configuration, Policies, Windows Settings, Security Settings, Software Restriction Policies. Browse for the file to be restricted under New Path Rule. Group restricted IE from the desktop for testing purposes. Group also found a way around this restriction: copy the executable from its folder and paste it to the desktop. To completely prevent the user from running the file, New Hash Rule must be selected instead, because a hash rule identifies the file by its contents and matches wherever the file is copied, while a path rule matches only the original location.
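The bypass the group found, and the rules that Group Policy wrote, made visible from the client, as an added example that is not part of the lab manual or the group's notes. It enumerates the Software Restriction Policy rules from the Safer registry layout (levels 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted, each with Paths and Hashes subkeys; user-configuration rules land under HKCU, computer-configuration rules under HKLM), flags Disallowed path rules, and shows that a copied executable keeps the same SHA-1, which is why a hash rule still catches it.

```powershell
# Added example; not from the lab manual or the group's own notes.

function Get-SrpRules {
    param([string]$Hive = 'HKCU')   # the lab's rules are in User Configuration
    $base = "$($Hive):\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    $levels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
    $rules = @()
    if (-not (Test-Path $base)) { return $rules }
    foreach ($levelKey in Get-ChildItem $base) {
        $levelName = $levels[[int]$levelKey.PSChildName]
        if ($levelName -eq $null) { continue }
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            $type = if ($kind -eq 'Paths') { 'Path' } else { 'Hash' }
            foreach ($rule in Get-ChildItem $kindPath) {
                $props = Get-ItemProperty $rule.PSPath
                $item = $props.ItemData            # REG_EXPAND_SZ path, or REG_BINARY hash
                if ($type -eq 'Hash') {
                    $hex = [byte[]]$item | ForEach-Object { $_.ToString('x2') }
                    $item = [string]::Join('', $hex)
                }
                $rules += @{ Level = $levelName; Type = $type; Item = $item; Description = $props.Description }
            }
        }
    }
    return $rules
}

function Get-FileSha1 {
    param([string]$Path)
    # SHA-1 is one of the digests a 2008 hash rule stores (alongside MD5)
    $sha = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return [string]::Join('', ($bytes | ForEach-Object { $_.ToString('x2') }))
}

# List the rules currently applied to this user
foreach ($r in Get-SrpRules 'HKCU') { '{0,-12} {1,-5} {2}' -f $r.Level, $r.Type, $r.Item }

# Path rules only cover the location they name
foreach ($r in (Get-SrpRules 'HKCU' | Where-Object { $_.Type -eq 'Path' -and $_.Level -eq 'Disallowed' })) {
    "Disallowed path rule on $($r.Item): a copy elsewhere is not covered, use a hash rule"
}

# The group's bypass: the copy on the desktop has a new path but the same contents
$orig = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
$copy = Join-Path $env:TEMP 'iexplore-copy.exe'
Copy-Item $orig $copy
'same SHA-1 after copy: ' + ((Get-FileSha1 $orig) -eq (Get-FileSha1 $copy))   # True
Remove-Item $copy
```

The default Unrestricted path rules for %SystemRoot% and %ProgramFiles% show up in the listing too; a user-writable location inside them is the other classic way around a path-only policy.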

Controlling Group Policy


To meet the need for finer control over which objects a GPO applies to, two additional filtering methods can be used. Security Group Filtering uses the GPO's Security Filtering list (the Scope tab in GPMC, backed by the Read and Apply Group Policy permissions visible on the Delegation tab) to determine which users and groups the policy applies to. WMI provides management information and control, allowing administrators to write queries based on hardware, software, operating system and services; WMI filters use such a query to control which users or computers a GPO affects, and the query is evaluated on each client, so a GPO whose filter returns false is skipped there. Resultant Set of Policy (RSoP) is a tool that helps administrators determine the combined effect of policies. The RSoP wizard in planning mode (Group Policy Modeling in GPMC) lets administrators simulate policy effects before implementing them. Group Policy Results in GPMC, and the gpresult command-line tool, obtain RSoP information from the client computer to show the actual effect the policies have on that computer and user environment.

To use the Resultant Set of Policy Wizard and the GPResult feature, refer to page 171 of the MOAC Lab manual. Group configured Security Group Filtering: created an OU and created a group called 10BGroup1 within it. Drill down to Forest, Domains, domain01.local, Group Policy Objects, select the GPO, highlight Authenticated Users under Security Filtering and click Remove, then click Add, add 10BGroup1 and click OK. The GPO now applies only to members of 10BGroup1. (On systems patched since June 2016, MS16-072 requires the computer account to retain Read on the GPO for its user settings to apply, so on current domains add Domain Computers with Read rather than removing Authenticated Users outright.) To create a WMI filter, refer to page 175 for the commands.

Disaster Recovery and Maintenance


Group configured three new user accounts on RWDC01 inside an Administration OU that was also created, naming the user accounts Misty, Samantha and Denise. Simulated a replication delay by disabling the network connection, preventing replication. Created another OU named Accounting in the domain on RWDC01. On RWDC02 we created two new user accounts inside Accounting named Wedge and Wood, and then deleted the OU for testing purposes. Now enable the network connection on RWDC01 to allow the changes to replicate. In the AD Users and Computers console, ensure that the Advanced Features view option is enabled. In the left pane, click the LostAndFound container. This container should hold the user accounts whose parent OU was deleted on the other DC before replication caught up: rather than discarding objects created under a container that no longer exists, AD moves them to LostAndFound and records the deleted container in their lastKnownParent attribute. To resolve the loss of the Administration OU, create a new Administration OU and move the users from the LostAndFound container into it. Performing a System State Data Backup: installing the Windows Server Backup feature and performing the System State backup.
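Before the backup steps, the LostAndFound recovery described above done from PowerShell with ADSI (the only scripting interface a pre-R2 Windows Server 2008 DC offers, since the ActiveDirectory module arrived with 2008 R2), as an added example that is not part of the lab manual or the group's notes. It lists what replication parked in LostAndFound together with the OU each object came from, creates the Administration OU if it is missing, and moves the orphaned users into it. The domain and OU names are the lab's.

```powershell
# Added example; not from the lab manual or the group's own notes.

$domainDn = 'DC=domain01,DC=local'

function Get-LostAndFoundObjects {
    param([string]$DomainDn)
    $container = [ADSI]"LDAP://CN=LostAndFound,$DomainDn"
    $found = @()
    foreach ($child in $container.psbase.Children) {
        $found += @{
            Name            = $child.psbase.Name                 # e.g. CN=Wedge
            Class           = $child.psbase.SchemaClassName      # user, group, computer, ...
            Path            = $child.psbase.Path
            # The container the object lived in when it was orphaned
            LastKnownParent = [string]$child.psbase.Properties['lastKnownParent'].Value
        }
    }
    return $found
}

function New-OuIfMissing {
    param([string]$Name, [string]$ParentDn)
    $dn = "OU=$Name,$ParentDn"
    if (-not [ADSI]::Exists("LDAP://$dn")) {
        $parent = [ADSI]"LDAP://$ParentDn"
        $ou = $parent.Create('organizationalUnit', "OU=$Name")
        $ou.SetInfo()
    }
    return [ADSI]"LDAP://$dn"
}

function Move-LostUsersTo {
    param([System.DirectoryServices.DirectoryEntry]$Target, [string]$DomainDn)
    $moved = @()
    foreach ($obj in Get-LostAndFoundObjects $DomainDn) {
        if ($obj.Class -ne 'user') { continue }
        $entry = [ADSI]$obj.Path
        $entry.psbase.MoveTo($Target)
        $moved += $obj.Name
    }
    return $moved
}

# Review first: an object in LostAndFound is not necessarily one you expect, and
# lastKnownParent tells you where each one came from before you put it anywhere.
foreach ($o in Get-LostAndFoundObjects $domainDn) {
    '{0,-10} {1,-25} was in {2}' -f $o.Class, $o.Name, $o.LastKnownParent
}

# Recreate the OU and move the orphaned users into it
$adminOu = New-OuIfMissing 'Administration' $domainDn
$moved = Move-LostUsersTo $adminOu $domainDn
"Moved: $([string]::Join(', ', $moved))"
```

Anything that lands in LostAndFound is worth a second look: it was created on one DC while its container was being removed on another, which is exactly the window in which a planted account would be easy to miss.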

In Server Manager, browse to Features and in the right pane click Add Features. Place a checkmark next to Windows PowerShell, Windows Server Backup Features - Windows Server Backup, and Windows Server Backup Features - Command-line Tools, then install and close. To perform the backup: Administrative Tools, Windows Server Backup, click Action and then Backup Once. Select Custom and click Next. In the Backup Destination drop-down list, confirm that the second hard drive is selected. Read the description of the VSS copy backup and click Next to begin the backup process. To perform an offline defragmentation of the AD database, refer to page 190 of the MOAC Lab Manual.

There are two ways to restore Active Directory. The first is restoring through normal replication, using the other domain controllers that exist in the forest: the DC is rebuilt and replication repopulates it. The second is restoring AD using WBADMIN and NTDSUTIL. wbadmin is the command-line tool used to perform a non-authoritative restore, which returns a single DC to its state at the time of the backup, after which normal replication brings it up to date again. ntdsutil is used together with that restore to mark specific objects or subtrees as authoritative, so that they are treated as the most current data and replication pushes them back out to the other DCs instead of overwriting them; this is how a deleted OU is recovered. Both require the DC to be started in Directory Services Restore Mode. Note that a system state backup contains the AD database, and with it every account's password hashes, as well as SYSVOL, so the backup destination needs the same protection as the domain controller itself.
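The same system state backup driven from the command-line tools installed above, with the restore sequence that brings back a lost OU, as an added example that is not part of the lab manual or the group's notes. E: is assumed to be the second hard drive the lab chose as the destination, and the subtree DN is the lab's Administration OU.

```powershell
# Added example; not from the lab manual or the group's own notes.

function Start-SystemStateBackup {
    param([string]$Target = 'E:')
    # -quiet skips the confirmation prompt; the log text is returned for inspection
    return (wbadmin start systemstatebackup "-backupTarget:$Target" -quiet 2>&1 | Out-String)
}

function Get-BackupVersions {
    param([string]$Target = 'E:')
    # wbadmin lists each backup with a 'Version identifier: MM/dd/yyyy-HH:mm' line;
    # that identifier is what a restore has to reference
    $out = wbadmin get versions "-backupTarget:$Target" 2>&1 | Out-String
    $ids = @()
    foreach ($m in [regex]::Matches($out, 'Version identifier:\s*(\S+)')) { $ids += $m.Groups[1].Value }
    return $ids
}

function Invoke-AuthoritativeRestore {
    param([string]$Version, [string]$Target, [string]$SubtreeDn)
    # Only valid in Directory Services Restore Mode, where AD DS is not running.
    # Enter DSRM with:  bcdedit /set safeboot dsrepair ; shutdown /r /t 0
    $ntds = Get-Service NTDS -ErrorAction SilentlyContinue
    if ($ntds -ne $null -and $ntds.Status -eq 'Running') {
        throw 'AD DS is running; restart in Directory Services Restore Mode first'
    }
    # 1. Non-authoritative restore of the system state from the chosen version
    wbadmin start systemstaterecovery "-version:$Version" "-backupTarget:$Target" -quiet
    # 2. Mark the subtree authoritative so replication pushes it back out instead of
    #    re-deleting it on this DC; ntdsutil accepts its commands as arguments
    ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $SubtreeDn" quit quit
    # 3. Leave DSRM on the next boot:  bcdedit /deletevalue safeboot ; shutdown /r /t 0
}

# Take the backup and confirm that a version was recorded on the target
Start-SystemStateBackup 'E:' | Out-Null
$versions = @(Get-BackupVersions 'E:')
"Backups on E: $($versions.Count); newest: $($versions[-1])"

# Later, in DSRM, to bring back the lost Administration OU:
# Invoke-AuthoritativeRestore -Version $versions[-1] -Target 'E:' -SubtreeDn 'OU=Administration,DC=domain01,DC=local'
```

The authoritative restore only makes sense for the objects that were lost; restoring the whole database authoritatively would roll every other DC back to the backup's state.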

Configuring Name Resolution and Additional Services


DNS is the primary means of name resolution for Active Directory, as well as for the Internet and TCP/IP networks in general. TCP/IP communication is based on IP addresses; when you use a name instead of an address in an application, the computer must convert the name into the proper IP address. This name-to-address conversion is called name resolution, and DNS is the mechanism computers use for it in all Internet communications. Active Directory depends on it directly: domain controllers register SRV records in DNS and clients locate a DC by querying for them, so a broken DNS zone shows up as logon and replication failures.

Creating a Reverse Lookup Zone

Click Start, Administrative Tools, DNS, and drill down to the Forward Lookup Zones node. For this lab a forward lookup zone already existed (it was created when AD DS was installed). Drill down to the Reverse Lookup Zones node; there is no reverse lookup zone yet. To create one, right-click the node and click New Zone; the wizard is displayed. Click Primary Zone and place a checkmark next to Store The Zone In Active Directory. The AD Zone Replication Scope screen is displayed; accept the default selection and click Next. Select IPv4 Reverse Lookup Zone, click Next and enter the network ID (192.168.0 for the lab subnet, which gives the zone the name 0.168.192.in-addr.arpa).

In a zone transfer the server hosting the primary zone copies the zone database to the secondary zone so that their resource records are identical. This enables the secondary zone to perform authoritative name resolution for the zone's domain just as the primary does. Because a zone transfer hands out the complete list of hosts in the zone, restrict transfers on the zone's Zone Transfers tab to the servers listed on the Name Servers tab or to specific IP addresses rather than allowing them to any server. To create a secondary zone, right-click the Forward Lookup Zones node and select New Zone (page 203 of the MOAC Lab manual).

Active Directory Rights Management Services (AD RMS) is a service you can use to protect sensitive data on a Windows network, such as word processing documents or spreadsheets, by controlling who can open, modify or print a document and even who can print or forward confidential email messages. To configure and install the AD Rights Management Services role, refer to pages 204-205 of the MOAC Lab Manual.
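The reverse zone created above, done with dnscmd on RWDC01 instead of the wizard, as an added example that is not part of the lab manual or the group's notes. It creates the AD-integrated zone for the lab's 192.168.0.0/24 subnet, restricts zone transfers to the servers on the Name Servers tab, adds PTR records for the four lab machines from the addresses given at the start of the journal, and checks that reverse resolution answers.

```powershell
# Added example; not from the lab manual or the group's own notes.

$zone = '0.168.192.in-addr.arpa'
# Last octet -> FQDN (trailing dot keeps dnscmd from appending the zone name)
$labHosts = @{
    '2' = 'rwdc01.domain01.local.'
    '3' = 'rodc01.domain01.local.'
    '4' = 'scdc01.domain01.local.'
    '5' = 'rwdc02.child02.domain01.local.'
}

function New-ReverseZone {
    param([string]$Zone)
    # AD-integrated primary zone with the default replication scope, like the wizard
    dnscmd /ZoneAdd $Zone /DsPrimary | Out-Null
    # Transfers only to the name servers listed for the zone, never to any requester
    dnscmd /ZoneResetSecondaries $Zone /SecureNs | Out-Null
}

function Add-PtrRecords {
    param([string]$Zone, [hashtable]$Hosts)
    foreach ($last in $Hosts.Keys) {
        dnscmd /RecordAdd $Zone $last PTR $Hosts[$last] | Out-Null
    }
}

function Test-ReverseLookup {
    param([string]$Ip)
    # Reverse lookup through the resolver; $null when there is no PTR or the zone is unreachable
    try { return [System.Net.Dns]::GetHostEntry($Ip).HostName } catch { return $null }
}

New-ReverseZone $zone
Add-PtrRecords $zone $labHosts
dnscmd /ZoneInfo $zone            # confirm DsIntegrated and the secure-secondaries setting

foreach ($last in $labHosts.Keys) {
    $ip = "192.168.0.$last"
    $name = Test-ReverseLookup $ip
    if ($name -eq $null) { "$ip -> no PTR" } else { "$ip -> $name" }
}
```

dnscmd without a server name targets the local DNS server, so run it on RWDC01; the RODC's copy of the zone is read-only and will reject the changes.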
