OFFICIAL MICROSOFT LEARNING PRODUCT 6430B. Lab Instructions and Answer Key: Planning for Windows Server 2008 Servers


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, ActiveX, BitLocker, Excel, Forefront, Hyper-V, Internet Explorer, MS, MSDN, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight, SQL Server, Visio, Visual Basic, Visual Studio, Win32, Windows, Windows Live, Windows Media, Windows NT, Windows PowerShell, Windows Server and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Product Number: 6430B
Part Number: X16:
Released: 11/2009

Module 1
Lab Instructions: Planning Windows Server 2008 Deployment

Contents:
Exercise 1: Creating a Planning Flowchart for a Windows Server 2008 Deployment
Exercise 2: Planning a Windows Server 2008 Deployment

Lab: Planning a Windows Server 2008 Deployment

Note: Your instructor may run this lab as a class discussion.

A. Datum Corporation has a single head office with a single datacenter that hosts all servers. The servers in the datacenter are running a mix of Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2. The organization has entered into a new volume licensing agreement with Microsoft that allows all servers to be updated to Windows Server 2008.

Exercise 1: Creating a Planning Flowchart for a Windows Server 2008 Deployment

Scenario

You have been tasked with creating a flowchart to help the IT staff in A. Datum Corporation decide how to upgrade or migrate individual servers to Windows Server 2008. This flowchart needs to help determine how the process is accomplished and which edition of Windows Server 2008 will be used. Sara Davis, the IT manager, has provided some information about what she expects the flowchart to include and how to approach the task.

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create the flowchart.

Task 1: Read the supporting documentation

Supporting Documentation

Thread of correspondence with Sara Davis:

Gregory Weber
From: Sara Davis
Sent: 18 July :30
To:
Subject: Re: Server Upgrade Flowchart

Greg,

I don't have a lot of preconceived notions about how this should be put together. I just know that we need some sort of tool to help us in our decision-making process during the upgrades. I'd rather have one person (you) do the research and planning once than have the process repeated each time we do a server upgrade. Since we've entered into the new volume licensing agreement, it makes sense to implement Windows Server 2008 whenever possible.

I don't have a complete list of criteria that need to be taken into account. You'll need to determine what is appropriate. However, some of the criteria I was thinking of are:
- 32-bit vs. 64-bit
- Upgrade vs. migrate
- Application compatibility

The best way to approach this project is to generate a list of relevant criteria for the decision-making process. Then you can arrange them into a flowchart that represents the decision-making process. In some cases, we'll have new hardware. In some cases, we won't have new hardware. Your flowchart will need to take into account both situations.

Regards,
Sara.

Original Message
From: Gregory Weber [[email protected]]
Sent: 18 July :01
To: [email protected]
Subject: Server Upgrade Flowchart

Sara,

I would like to confirm some of the details regarding the flowchart assignment you gave me in the meeting this morning. As I understand it, you would like others on the team to be able to use this flowchart to determine how any given server in our organization can be updated to using Windows Server 2008. Is this correct? Do you have any specific criteria that you think need to be taken into account? Are there any assumptions I can make about new hardware?

Regards,
Greg

Task 2: Create the flowchart
1. On a piece of paper, generate a list of relevant criteria that must be considered during the upgrade or migration process.
2. Use the list of criteria you have generated to create a flowchart for determining whether to upgrade or migrate.
3. Use the list of criteria you have generated to create a flowchart for determining which edition of Windows Server 2008 you should use.
4. Use the list of criteria you have generated to create a flowchart for determining whether to use a 32-bit or 64-bit operating system.

Results: After this exercise, you should have created flowcharts to help to determine how to upgrade or migrate an existing server to Windows Server 2008.

Exercise 2: Planning a Windows Server 2008 Deployment

Scenario

Several servers in the A. Datum Corporation datacenter have been identified as the first candidates for migration to Windows Server 2008. For each of these servers, you must determine the process to be used.

The main tasks for this exercise are as follows:
1. Create a deployment plan for the archive file server.
2. Create a deployment plan for the main file server.
3. Create a deployment plan for the antivirus server.
4. Create a deployment plan for the human resources application server.

Gregory Weber
From: Alan Steiner [[email protected]]
Sent: 22 July :05
To: [email protected]
Subject: Re: First batch of server upgrades to Windows Server 2008
Attachments: Archive File Server.docx; Main File Server.docx; Antivirus Server.docx; Human Resources Application Server.docx

Greg,

I've attached a document for each server. It includes the relevant information we've documented for each server as well as the questions we need answered to perform the upgrade or migration.

Regards
Alan

Original Message
From: Gregory Weber [[email protected]]
Sent: 20 July :45
To: [email protected]
Subject: First batch of server upgrades to Windows Server 2008

Alan,

We're going to be doing some server upgrades to Windows Server 2008 soon. Can you please send me the analysis that you performed on the archive file server, main file server, antivirus server, and human resources application server?

Thanks.
Greg

Deployment Plan: Archive File Server

Document Reference Number: GW0688/1
Document Author: Gregory Weber
Date: 20th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the more efficient file-sharing protocols in Windows Server 2008. The archive file server is used to store older data that is accessed only occasionally. Extended outages are possible with notification. It is used only as a file server. It has no other functions. The hardware is relatively new, and no new hardware has been allocated for this server.

Additional Information

This server is currently running a 32-bit version of Windows Server 2003 R2.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
2. Which edition of Windows Server 2008 will be used?
3. Will 32-bit or 64-bit Windows Server 2008 be used?

Deployment Plan: Main File Server

Document Reference Number: GW0689/1
Document Author: Gregory Weber
Date: 20th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the more efficient file-sharing protocols in Windows Server 2008. The main file server is mission critical and cannot be taken out of production during business hours. Downtime must be limited to less than one day. It is used only as a file server. It has no other functions. This server should support cross-file replication for DFS. This may be implemented in the future to support remote offices, and the cross-file replication will reduce synchronization traffic on the WAN. Data for this file server is stored on a Fiber Channel Storage Area Network (SAN). New hardware has been allocated for this server if required.

Additional Information

Clients access this file server through mapped drive letters that are created by a logon script.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
2. Which edition of Windows Server 2008 will be used?
3. Will 32-bit or 64-bit Windows Server 2008 be used?
4. How will downtime be minimized?

Deployment Plan: Antivirus Server

Document Reference Number: GW0690/1
Document Author: Gregory Weber
Date: 25th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to standardize the server operating systems. The antivirus server can experience an outage of 24 hours without impacting clients. New hardware has been allocated for this server.

Additional Information

The antivirus application has not been tested by the vendor in 64-bit environments and is not supported in 64-bit environments.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
2. Which edition of Windows Server 2008 will be used?
3. Will 32-bit or 64-bit Windows Server 2008 be used?

Deployment Plan: Human Resources Application Server

Document Reference Number: GW0691/1
Document Author: Gregory Weber
Date: 25th July

Requirement Overview

This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the performance improvements in IIS 7. The existing server is consistently short on memory, and a new server with 8 GB of memory has been allocated to address this. The application data is also stored on this server and must be taken into account. There can be no downtime during business hours. The new server should support failover clustering, as it is being considered for the future.

Additional Information

None

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
2. Which edition of Windows Server 2008 will be used?
3. Will 32-bit or 64-bit Windows Server 2008 be used?
4. What process will you use to minimize downtime?

Task 1: Create a deployment plan for the archive file server
1. Read the supporting documentation for the archive file server.
2. Update the proposal document by answering the questions.

Task 2: Create a deployment plan for the main file server
1. Read the supporting documentation for the archive file server.
2. Update the proposal document by answering the questions.

Task 3: Create a deployment plan for the antivirus server
1. Read the supporting documentation for the archive file server.
2. Update the proposal document by answering the questions.

Task 4: Create a deployment plan for the human resources application server
1. Read the supporting documentation for the archive file server.
2. Update the proposal document by answering the questions.

Results: After this exercise, you should have created a deployment plan for the archive file server, the main file servers, the antivirus server, and the human resources application server.

Module 2
Lab Instructions: Planning Network Infrastructure for Windows Server 2008

Contents:
Exercise 1: Determining an Appropriate Network Addressing Scheme
Exercise 2: Planning the Placement of Network Servers
Exercise 3: Implementing the Planned Network Services

Lab: Planning Network Infrastructure for Windows Server 2008

Note: Your instructor may run this lab as a class discussion.

Adatum has created a new regional sales force. As a result, branch offices are being fitted out to support the various regional sales teams. You are responsible for planning the network infrastructure for these new branch offices. Joe Healy, the national Sales Manager, has been communicating with you about his specific requirements for the regional office. In addition, Alan Steiner, a colleague in IT, has visited some of the branch offices.

Exercise 1: Determining an Appropriate Network Addressing Scheme

Scenario

You have been tasked with designing an IPv4 addressing scheme to support the western region branch offices. There are 10 new offices, 3 in this region, and each with around 100 computers.

The main tasks for this exercise are as follows:
- Read the supporting documentation.
- Answer the questions in the Branch Office Network Infrastructure Plan: IPv4 Addressing document.

Supporting Documentation

Thread of correspondence with Joe Healy and Alan Steiner:

Gregory Weber
From: Joe Healy
Sent: 21 July :30
To:
Subject: Re: Network applications for branches

Greg,

Well, I'm not terribly technical myself, but in terms of what the sales people use, it's mostly office productivity software. They do have a sales database, of course, which I believe to be built on SQL Server. Currently, that data is held on several different databases, but we're merging that right now to create a national database. I understand from your colleague, Alan Steiner, that we're going to create regional replicas of the data in that database. As to network traffic, I guess you'd need to ask Alan.

Hope that is useful.

Regards,
Joe

Original Message
From: Gregory Weber [[email protected]]
Sent: 20 July :01
To: [email protected]
Subject: Network applications for branches

Joe,

I'm about to start working on this branch offices deployment. We're at the stage of planning the network infrastructure. Can you tell me something about the applications that the sales team uses? I'm trying to get a feel for network traffic and usage patterns.

Regards,
Greg

Gregory Weber
From: Alan Steiner [[email protected]]
Sent: 22 July :05
To: [email protected]
Subject: Re: Branch office network traffic analysis
Attachments: Adatum Western Region Branch Network Plan.vsd

Greg,

Each branch will be connected via a router to the head office; I've attached a basic schematic of the western regional offices. We've allocated the network address /21 for all branches in this region. In terms of traffic, the database synchronization takes place overnight so should not impact traffic overly. I think the traffic in the head office sales subnets right now should be fairly indicative. Rather than send you the output, I'll just say that we figure on around 50 computers per subnet.

Regards,
Alan

Original Message
From: Gregory Weber [[email protected]]
Sent: 22 July :45
To: [email protected]
Subject: Branch office network traffic analysis

Alan,

Do you have any information about network traffic at the new branches? I understand there is to be a database with regional replicas. Do you have any information on that? I'm trying to figure out the number of subnets I'm going to need per branch. Any other information gratefully received!

Greg

[Exhibit: Adatum Western Region Branch Network Plan.vsd]

Task 1: Read the supporting documentation

Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action

Answer the questions in the Branch Office Network Infrastructure Plan: IPv4 Addressing document.

Branch Office Network Infrastructure Plan: IPv4 Addressing

Document Reference Number: GW0709/1
Document Author: Gregory Weber
Date: 25th July

Requirements Overview

Design an IPv4 addressing scheme for the Adatum western regional branch sales offices, shown in the exhibit. The block address /21 has been reserved for this region. You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25% growth of hosts in each branch. For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet.

Additional Information

You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch.

Branch Office Network Infrastructure Plan: IPv4 Addressing (continued)

Proposals
1. How many subnets do you envisage requiring for this region?
2. How many hosts will you deploy in each subnet?
3. What subnet mask will you use for each branch?
4. What are the subnet addresses for each branch?
5. What range of host addresses are in each branch?

Results: After this exercise, you should have a completed IP addressing plan for the western region branch offices.
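The sizing arithmetic behind these questions can be checked mechanically. The following Python is an added example, not part of the Microsoft lab material: the block 10.10.0.0/21 is a constructed placeholder because the reserved address does not appear in the text, and the code assumes two subnets per branch (about 100 computers at around 50 per subnet), 25% growth applied per subnet, and one router interface per subnet.

```python
import ipaddress
import math

# Constructed placeholder: the real /21 block is not given in the lab text.
PLACEHOLDER_BLOCK = "10.10.0.0/21"


def prefix_for_hosts(host_count):
    """Return the longest prefix length whose usable range holds host_count."""
    # Every subnet loses two addresses (network and broadcast), so it needs
    # host_count + 2 addresses in total, rounded up to a power of two.
    host_bits = max(2, (host_count + 1).bit_length())
    return 32 - host_bits


def plan_region(block, branches, hosts_per_branch, hosts_per_subnet,
                growth=0.25, routers_per_subnet=1):
    """Split `block` into equal subnets and assign them branch by branch."""
    region = ipaddress.ip_network(block)

    # How many subnets a branch needs to stay at or below the per-subnet target.
    subnets_per_branch = math.ceil(hosts_per_branch / hosts_per_subnet)
    hosts_today = math.ceil(hosts_per_branch / subnets_per_branch)

    # Size each subnet for growth plus the router interface (assumption).
    hosts_planned = math.ceil(hosts_today * (1 + growth)) + routers_per_subnet
    prefix = prefix_for_hosts(hosts_planned)
    if prefix < region.prefixlen:
        raise ValueError("one subnet would be larger than the whole block")

    pool = list(region.subnets(new_prefix=prefix))
    needed = branches * subnets_per_branch
    if needed > len(pool):
        raise ValueError(f"need {needed} /{prefix} subnets, block has {len(pool)}")

    available = iter(pool)
    assignments = {}
    for branch in range(1, branches + 1):
        assignments[branch] = []
        for _ in range(subnets_per_branch):
            subnet = next(available)
            assignments[branch].append({
                "subnet": str(subnet),
                "first": str(subnet.network_address + 1),
                "last": str(subnet.broadcast_address - 1),
                "usable": subnet.num_addresses - 2,
            })

    return {
        "prefix": prefix,
        "subnets_per_branch": subnets_per_branch,
        "hosts_planned": hosts_planned,
        "spare_subnets": len(pool) - needed,
        "branches": assignments,
    }


if __name__ == "__main__":
    plan = plan_region(PLACEHOLDER_BLOCK, branches=3,
                       hosts_per_branch=100, hosts_per_subnet=50)
    print(f"/{plan['prefix']} per subnet, "
          f"{plan['subnets_per_branch']} subnets per branch, "
          f"{plan['spare_subnets']} subnets left for growth")
    for branch, subnets in plan["branches"].items():
        for s in subnets:
            print(f"Branch {branch}: {s['subnet']:<18} "
                  f"{s['first']} - {s['last']} ({s['usable']} usable)")
```

A /26 (62 usable addresses) fits 50 computers today but not the 63 that 25% growth requires, which is why the plan lands on a 25-bit mask.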

Exercise 2: Planning the Placement of Network Servers

Scenario

Having determined the appropriate addressing scheme for the branch offices in the western region sales division, you must now determine how best to deploy network services to support users working in those locations. Alan Steiner has sent you an e-mail with some additional information about the requirements. Using the information in the supporting documentation, and bearing in mind the subnet addressing scheme you previously planned, complete the Branch Office Network Infrastructure Plan: Network Services document.

The main tasks for this exercise are as follows:
- Read the supporting documentation.
- Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.

Supporting Documentation

Thread of correspondence with Alan Steiner:

Gregory Weber
From: Alan Steiner
Sent: 24 July :00
To:
Subject: Re: Branch office network services

Greg,

Answers in line below,

Regards,
Alan

Original Message
From: Gregory Weber
Sent: 24 July :30
To:
Subject: Branch office network services

Alan,

OK, I have worked out an IP addressing scheme for the branches. Next I need to think about the infrastructure. Could you answer the following questions?

1. How are IP addresses to be assigned for this region?
[Alan] By DHCP
2. Is there anything I should know about the DNS name space for the sales offices?
[Alan] The sales computers will be in their own DNS name space, sales.adatum.com
3. I have a vague recollection that one of the line-of-business applications that sales uses requires NetBIOS. Is that right?
[Alan] You're right, Greg, they need NetBIOS name resolution in sales.

Thanks,
Greg

Task 1: Read the supporting documentation

Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action

Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.

Branch Office Network Infrastructure Plan: Network Services

Document Reference Number: GW0709/2
Document Author: Gregory Weber
Date: 25th July

Requirements Overview

Specify which network services are required in each sales office, and any changes that might be required in the head office to facilitate your proposals.

Additional Information

It is important that any router, server, or communications link failure does not adversely affect users.

Branch Office Network Infrastructure Plan: Network Services (continued)

Proposals
1. How many DHCP servers do you propose to deploy in the region?
2. Where do you propose to deploy these servers?
3. What name resolution services are required?
4. To support the DNS name space in the sales division, how would you propose to configure DNS?
5. Will you require WINS?
6. If so, how many WINS servers will you require for the region?
7. If not, how do you propose to support single-label names?

Results: After this exercise, you should have a completed plan for the deployment of network services in the western regional branch offices.

Exercise 3: Implementing the Planned Network Services

Scenario

You are on-site at one of the regional offices, and you must now configure network services to support your proposals.

The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Deploy the DHCP server role.
3. Configure scopes to support the branch office.
4. Configure DNS to support the branch office.
5. Enable DNS/WINS integration to support NetBIOS applications.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Deploy the DHCP Server role on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Use Server Manager to deploy the DHCP Server role. Use the following information to complete the process:
   a. On the Select Network Connection Bindings page, click Next.
   b. On the Specify IPv4 DNS Server Settings page, in the Preferred DNS Server IPv4 Address box, type , and then click Next.

   c. On the Specify IPv4 WINS Server Settings page, click Next.
   d. On the Add or Edit DHCP Scopes page, click Next.
   e. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server, and then click Next.
   f. On the Authorize DHCP Server page, click Next.

Task 3: Configure the primary DHCP scope for subnet 1

Create a new scope. Use the following information to help complete the process:
Scope Name: Branch 1 subnet 1 scope 1
IP address range: >
Subnet mask: 25 bits
Exclusions: >
Lease duration: default
Router:

Task 4: Configure the secondary DHCP scope for subnet 2

Create a new scope. Use the following information to help complete the process:
Scope Name: Branch 1 subnet 2 scope 2
IP address range: >
Subnet mask: 25 bits
Exclusions: >
Lease duration: default
Router:

Task 5: Create a subdomain in DNS
1. Switch to the SEA-DC1 computer.
2. Open the DNS Manager.
3. Add a new domain in the Adatum.com zone.

Task 6: Configure zone transfers for the Adatum.com zone

In the DNS Manager, enable zone transfers for the Adatum.com zone.

Task 7: Deploy the DNS role on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Using Server Manager, deploy the DNS Server role on SEA-SVR1.

Task 8: Configure a secondary zone on SEA-SVR1

Create a new forward lookup zone on SEA-SVR1. Use the following information to help complete the process:
Zone type: secondary
Zone name: Adatum.com
Master DNS server:

Task 9: Enable the WINS feature, and configure DNS/WINS integration
1. Using Server Manager, on SEA-SVR1, add the WINS Server feature.
2. Switch to the SEA-DC1 computer.
3. In DNS Manager, enable WINS Forward Lookup:
   a. Right-click Adatum.com, and then click Properties.
   b. On the WINS tab, select the Use WINS forward lookup check box.
   c. In the IP address box, type , press Add, and then click OK.

4. Switch to the SEA-SVR1 computer.
5. In DNS Manager, right-click Adatum.com, and then click Transfer from Master.

Note: You might need to wait a few moments before you see the WINS record. Press Refresh if needed.

Task 10: Configure DHCP options to support the deployed services
1. On SEA-SVR1, in the DHCP console, right-click Server Options, and then click Configure Options.
2. Configure the following options:
   006 DNS Servers:
   DNS Domain Name: sales.adatum.com
   044 WINS/NBNS Servers:

Results: After this exercise, you should have successfully deployed branch office network services.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 3
Lab Instructions: Planning for Active Directory

Contents:
Exercise 1: Selecting a Forest Topology
Exercise 2: Planning Active Directory for a Branch Network
Exercise 3: Deploying a Branch Domain Controller

Lab: Planning for Active Directory

Note: Your instructor may run this lab as a class discussion.

Adatum Corporation has recently acquired Contoso, a company with a range of compatible products. Allison Brown, the IT Manager, has asked you to create a document with recommendations about how best to incorporate the Contoso network infrastructure into that of Adatum. Adatum has a large, wholly U.S.-based network, with offices across the United States. Contoso has operations in the U.S., but also in Europe and the Far East.

The following table summarizes the high-level information:

                            Adatum                Contoso
Total number of computers   10,000                10,000
Number of countries         1                     5
Current directory service   Windows Server 2008   Windows NT 4.0 single-master

[Figures: Adatum AD DS; Contoso domain model]

(continued)

                    Adatum       Contoso
Number of forests   1            0
External DNS name   Adatum.com   Contoso.com
Number of domains   1            5

Exercise 1: Selecting a Forest Topology

Scenario

You begin to conduct a survey and exchange a number of e-mails with colleagues that have been on-site at Contoso. You determine that Contoso currently uses a Windows NT 4.0 domain infrastructure consisting of five domains with appropriate trust relationships connecting the domains.

The main tasks for this exercise are as follows:
- Read the supporting documentation.
- Answer the questions in the Contoso Domain Migration document.

Task 1: Read the supporting documentation

Read the supporting documentation.

Task 2: Update the Contoso Domain Migration document with your planned forest topology

Answer the questions in the Contoso Domain Migration document.

Supporting Documentation

Thread of correspondence with Alan Steiner:

Gregory Weber
From: Alan Steiner [[email protected]]
Sent: 31 July :50
To: [email protected]
Subject: Re: Contoso Domain Migration
Attachments: Windows NT4.0 Single-Master Model.doc

Greg,

I've attached a document I located in an old TechNet library CD. It provides some useful tips. The only comment I'd make is that the single-master domain model is usually implemented in order to keep all the user accounts in one account-holding domain, and all the resources in multiple resource-holding domains. These days, you'd probably want to use organizational units within a domain to hold the resources like computers and so forth. You'd almost certainly need to reduce the number of domains.

Regards,
Alan

Original Message
From: Gregory Weber [[email protected]]
Sent: 31 July :45
To: [email protected]
Subject: Contoso Domain Migration

Hello Alan,

Allison has asked me to draw up a proposal for a migration of the Contoso network into our network infrastructure. I understand it's running Windows NT 4.0. I'm simply trying to determine the number and configuration of forests at this point, but don't have much experience with these older Windows NT 4.0 domain models. Do you have any guidance or general advice?

Regards,
Greg

Windows NT4.0 Single-Master Model.doc

Windows NT supports four domain models:

- Single domain. In this model, there is only one domain. The domain holds both user/group accounts and resources. There is a single administrator for both resources and user/group accounts.

- Single-master domain. In this model, there is an account-holding domain and as many resource-holding domains as required to support an organization's requirements. There is separation of administration because the account-holding administrator has no administrative control on the resource-holding domains, and the administrators in the resource-holding domains do not have administrative control over the account-holding domain, nor each other's resource-holding domain. One-way trusts are established between the resource-holding and account-holding domains so that users and groups from the account-holding domain (trusted) can be granted permissions, through the trust, to resources in the resource-holding domain (trusting) at the discretion of the resource-holding administrator.

- Multimaster domain. Windows NT 4.0 supports a maximum of around 15,000 user accounts in a single domain. Where organizations require the administrative separation of the single-master domain model, but have a large user base, they opt for the multimaster model. Additional trusts are required to facilitate this model.

- Complete trust. In this model, all domains trust all other domains. This provides for the ability for users in any domain potentially to gain access to resources held in any other domain. This model is the most similar to what AD DS provides.

Gregory Weber

From: Alan Steiner [[email protected]]
Sent: 04 August :45
To: [email protected]
Subject: Re: Details of Contoso domain model
Attachments: Adatum AD DS Overview.vsd; Contoso NT 4 Domain Overview.vsd

Greg,

I do, and I've attached it together with one of the Adatum.com domains. As you know, we have a single AD DS domain, and use organizational units to manage resources and sites for replication control. Contoso, of course, cannot use organizational units or sites, as Windows NT 4.0 domains do not support them. This is probably why they have several domains to better control Windows NT 4.0 domain replication. It's possibly why they have four resource domains, too.

Regards,
Alan

Original Message
From: Gregory Weber [[email protected]]
Sent: 03 August :10
To: [email protected]
Subject: Details of Contoso domain model

Alan,

Thanks for that Windows NT 4.0 document; it was very helpful. Do you happen to have any diagrams of the actual domain infrastructure?

Thanks,
Greg

Adatum AD DS Overview.vsd

Contoso NT 4 Domain Overview.vsd

Contoso Domain Migration

Document Reference Number: GW0809/1
Document Author: Gregory Weber
Date: 5th August

Requirement Overview
To devise an appropriate forest and domain topology for the merged companies.

Additional Information
The new company will continue to operate with dual names; that is, the Adatum and Contoso brands are equally important. It is anticipated that the existing Windows NT 4.0 domain controllers and server will be replaced as part of the migration process.

Proposals
1. Do you intend to upgrade the domain controllers in the Contoso network to Windows Server 2008?
2. How many forests do you anticipate?
3. How many domains do you plan to implement?
4. How many trees do you envisage?
5. What trust relationships, aside from those created automatically, will you require?

6. Provide a sketch of the completed forest.

Results: After this exercise, you should have a completed Contoso Domain Migration document.

Exercise 2: Planning Active Directory for a Branch Network

Scenario
Adatum has a number of new sales offices in the western region. Allison Brown has asked you to determine the appropriate Active Directory configuration for them, and to document your proposals.

The main tasks for this exercise are as follows:
   Read the supporting documentation.
   Answer the questions in the Branch Office Planning document.

Supporting Documentation

thread of correspondence with Alan Steiner:

Gregory Weber

From: Alan Steiner [[email protected]]
Sent: 24 August :02
To: [email protected]
Subject: Re: Branch Office Plan
Attachments: Sales Office Details.doc

Greg,

Take a look at the attached document. Get back to me with any questions. I got this from Joe Healy, the Sales manager.

Alan

Original Message
From: Gregory Weber [[email protected]]
Sent: 24 August :30
To: [email protected]
Subject: Branch Office Plan

Alan,

What can you tell me about these new sales offices?

Thanks,
Greg

Sales Office Details.doc

In the sales offices, we have a number of line-of-business applications, including a Microsoft SQL Server based database. The local sales office updates and replicates back to the head office overnight. The SQL Server database needs access to a directory of customers.

In the western region, we have three offices, each with around 100 computers. We have a routed connection back to the head office. Alan Steiner tells me that name resolution is provided by WINS and DNS, as we have a legacy NetBIOS application.

There was some talk of creating a separate name space for sales, such as Sales.adatum.com, but we have implemented this only as an domain. The computers are all part of the Adatum.com domain.

We've had some issues in the past with security; we often have members of the public in our sales offices, and consequently security is a critical factor. We don't always have the option of a secure computer room, and so our laptops are locked to the desks. Servers are often to be found in a closet, or small office.

Each branch office consists of a number of subnets; two for hosting the sales staff laptops and another for branch network servers.

Branch Office Planning

Document Reference Number: GW0809/2
Document Author: Gregory Weber
Date: 1st September

Requirement Overview
To determine the placement and configuration of domain controllers and related services at the western region sales offices.

Additional Information
It is important that in the event of a link failure between the head office and branch offices, users are still able to log on to the network and access services.

Proposals
1. Do you intend to deploy a domain controller(s) in the branch offices? How many?
2. Will you deploy an RODC(s)?
3. How will you optimize the directory replication for the branches?
4. How will domain controllers know in which branch they are located?
5. Do you anticipate the need for global catalog services?
6. How will you configure global catalog and DNS?
7. What additional Active Directory related services are required to support the branch office line-of-business applications?

Task 1: Read the supporting documentation
   Read the supporting documentation.

Task 2: Update the Branch Office Planning document with your proposals
   Answer the questions in the Branch Office Planning document.

Results: After this exercise, you should have a completed Branch Office Planning document.

Exercise 3: Deploying a Branch Domain Controller

Scenario
You have been tasked with performing the deployment of the new domain controller at the Redmond sales branch office.

The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Raise the domain and forest functional level.
3. Create a new site and subnet object.
4. Configure the replication interval for the new site.
5. Prepare the forest for the new RODC.
6. Deploy the new RODC.
7. Configure the password replication policy and prepopulate the password cache.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Raise the domain functional level
1. Switch to the SEA-DC1 computer.
2. Open Active Directory Users and Computers.

3. Raise the domain functional level to Windows Server
4. Close Active Directory Users and Computers.

Task 3: Raise the forest functional level
1. Open Active Directory Domains and Trusts.
2. Raise the forest functional level to Windows Server
3. Close Active Directory Domains and Trusts.

Task 4: Create the Redmond site
1. Open Active Directory Sites and Services.
2. Create a new site with the following properties:
   Name: Redmond
   Associated site link: DEFAULTIPSITELINK

Task 5: Configure the replication interval
1. In Active Directory Sites and Services, expand Inter-Site Transports, expand IP, and then click IP.
2. Modify the replication interval for DEFAULTIPSITELINK:
   Replicate every: 15 minutes

Task 6: Create the /16 subnet
1. In Active Directory Sites and Services, in the console, right-click Subnets, and click New Subnet.
2. Create a new subnet with the following properties:
   Prefix: /16
   Site Name: Redmond
3. Close Active Directory Sites and Services.

Task 7: Prepare the forest for the RODC
1. Open the Command Prompt.
2. At the command prompt, type each of the following commands, and then press ENTER:
   D:
   Cd\Labfiles\Mod03\adprep
   Adprep /rodcprep
3. Close the command prompt.

Task 8: Promote a new domain controller for the branch office
1. Switch to the SEA-SVR1 computer.
2. Run dcpromo with advanced mode installation.
3. Use the following options to complete the process:
   Operating System Compatibility page: default.
   Choose a Deployment Configuration page: Existing forest.
   Network Credentials page: default.
   Select a Domain page: default.
   Select a Site page: default.
   Additional Domain Controller Options page: select the Read-only domain controller (RODC) check box. (Note: Leave the other check boxes selected.)
   In the Static IP assignment dialog box, click Yes, the computer will use a dynamically assigned IP address (not recommended).
   Specify the Password Replication Policy page: default.
   Delegation of RODC Installation and Administration page: default.
   Install from Media page: default.
   Source Domain Controller page: default.

   Location for Database, Log Files, and SYSVOL page: default.
   Directory Services Restore Mode Administrator Password page: Password: Pa$$w0rd. Confirm: Pa$$w0rd.
   In the Active Directory Domain Services Installation dialog box, select the Reboot on completion check box.

Task 9: Configure the password replication policy
1. When SEA-SVR1 has restarted, log on to the SEA-SVR1 virtual machine as ADATUM\administrator with a password of Pa$$w0rd.
2. Switch to the SEA-DC1 computer.
3. Open Active Directory Users and Computers.
4. Locate SEA-SVR1 in the Domain Controllers folder.
5. View the Password Replication Policy page of the SEA-SVR1 Properties dialog box.
6. Grant the SalesGG global group the Allow passwords for the account to replicate to this RODC permission.
7. Click Apply, and then click Advanced.
8. From the Resultant Policy tab of the Advanced Password Replication Policy for SEA-SVR1 dialog box, verify that Joe's account is allowed to cache its password.

Task 10: Prepopulate the password cache
1. From the Policy Usage tab of the Advanced Password Replication Policy for SEA-SVR1 dialog box, click Prepopulate Passwords.
2. Prepopulate the following user accounts' passwords: Joe; Jim; Parul; Heiko; Claus
3. Close Active Directory Users and Computers.

Results: After this exercise, you should have successfully deployed an RODC for the Redmond sales office.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
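Tasks 9 and 10 depend on how an RODC resolves its Password Replication Policy: an explicit deny beats any allow, and an account on neither list is not cached. The Python model below is an added example, not part of the lab files; the membership of SalesGG, the helpdesk1 account and the Administrator-in-SalesGG misconfiguration are constructed sample data, and the default entries are the ones a new RODC starts with.

```python
"""Offline model of the Resultant Policy tab for an RODC (added example)."""

# Password Replication Policy entries present on every new RODC.
DEFAULT_ALLOWED = {"Allowed RODC Password Replication Group"}
DEFAULT_DENIED = {
    "Denied RODC Password Replication Group",
    "Account Operators", "Administrators", "Backup Operators", "Server Operators",
}

# Constructed sample directory: principal -> groups it is a direct member of.
MEMBER_OF = {
    "Joe": {"SalesGG"}, "Jim": {"SalesGG"}, "Parul": {"SalesGG"},
    "Heiko": {"SalesGG"}, "Claus": {"SalesGG"},          # assumed SalesGG members
    "Administrator": {"Domain Admins", "SalesGG"},       # hypothetical misconfiguration
    "Domain Admins": {"Administrators", "Denied RODC Password Replication Group"},
    "helpdesk1": {"Domain Users"},                       # hypothetical account
}


def effective_principals(account, member_of):
    """Return the account plus every group it belongs to, following nesting."""
    seen, stack = {account}, [account]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def resultant(account, allowed, denied, member_of):
    """Resolve one account: deny entries win, then allow, otherwise implicit deny."""
    principals = effective_principals(account, member_of)
    hit = principals & denied
    if hit:
        return ("Deny (explicit)", sorted(hit))
    hit = principals & allowed
    if hit:
        return ("Allow", sorted(hit))
    return ("Deny (implicit)", [])


def prepopulate(accounts, allowed, denied, member_of):
    """Split a prepopulation request into accounts that can be cached and
    accounts the policy refuses, with the reason for each refusal."""
    cached, refused = [], {}
    for account in accounts:
        setting, _ = resultant(account, allowed, denied, member_of)
        if setting == "Allow":
            cached.append(account)
        else:
            refused[account] = setting
    return cached, refused


if __name__ == "__main__":
    # Task 9, step 6: SalesGG is added to the allow list of SEA-SVR1.
    allowed = DEFAULT_ALLOWED | {"SalesGG"}
    request = ["Joe", "Jim", "Parul", "Heiko", "Claus", "Administrator", "helpdesk1"]
    for name in request:
        print(name, resultant(name, allowed, DEFAULT_DENIED, MEMBER_OF))
    print(prepopulate(request, allowed, DEFAULT_DENIED, MEMBER_OF))
```

The accounts returned as cached are the ones whose passwords need resetting if the branch server is stolen, which is why the allow list is kept to branch users only.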

Module 4
Lab Instructions: Planning for Group Policy

Contents:
Exercise 1: Creating a Group Policy Plan
Exercise 2: Implementing Group Policy

Lab: Planning for Group Policy

Note: Your instructor may run this lab as a class discussion.

A. Datum has never implemented group policy other than for basic password configuration in the domain using the default GPOs. After attending a recent seminar, the IT manager wants to use group policy more effectively for the organization.

Exercise 1: Creating a Group Policy Plan

Scenario
You have been tasked with creating a plan for implementing group policy. Your IT manager has provided you with a list of requirements that must be met by your plan.

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create an OU structure.
3. Create a list of required GPOs.

Supporting Documentation

thread of correspondence with Allison Brown:

Gregory Weber

From: Allison Brown [[email protected]]
Sent: 21 July :30
To: [email protected]
Subject: group policy implementation

Greg,

As we discussed in the meeting this morning, I'd like you to take the lead on planning our implementation of group policy. At this time, we have only the default GPOs in place for the domain and domain controllers.

Here are some of the requirements that have come up that I believe can be addressed best by using group policy:

   Read and write access to removable drives should be blocked for all office computers, including servers. Since we've upgraded all of the computers to Windows Vista and Windows Server 2008, this should be no problem. We must ensure that another GPO does not override this setting.

   Due to the creation of the three new branch offices, we are hiring a new person to manage those offices. We'd like the new person to be able to manage group policy for those remote offices, but not the head office.

   I'd like to start using group policy preferences for drive mappings, rather than logon scripts. We want the drive letters to be consistent in each location, but the server names will vary in each location.

   Application installation and updates for the branches will be done by using group policy. In the branch offices, the sales staff and office staff will have different applications. We need to be able to roll applications out one location at a time during initial deployment. However, later updates can be done for all branches at once. Application installation files should be stored in DFS and replicated to each branch.

   The computer training lab in the head office should not be subject to the restriction on removable drives. We'll be using USB drives to configure these computers for various courses.

   The user desktops on the Terminal Server running Windows Server 2003 need to be locked down. The Desktop and Start Menu should be simplified to display only the application that users have access to. All users should have the same configuration when logged on to the Terminal Server regardless of the OU they are located in.

At minimum, I need you to figure out how these can be implemented. As part of your plan, please create an OU structure and define where each group policy will be linked.

Let me know if you require any clarification.

Regards,
Allison

Task 1: Read the supporting documentation
1. Read the supporting documentation.
2. On SEA-DC1, use Active Directory Users and Computers to review the existing Active Directory structure.
3. Use the Group Policy Management Console to review the existing Active Directory configuration.

Task 2: Create an OU structure
   Draw a diagram of an OU structure that will allow you to meet the requirements given to you by Allison.

Task 3: Create a list of required GPOs
   Create a list of GPOs required to implement the requirements given to you by Allison.

   GPO Name | Settings | Linked to | Filters

Results: After this exercise, you should have a completed group policy plan for A. Datum.

Exercise 2: Implementing Group Policy

Scenario
After completing the group policy plan, you must now implement it.

The main tasks for this exercise are as follows:
1. Start the virtual machine and log on.
2. Create the OU structure.
3. Create the GPO for enforced security.
4. Create the GPO for Branch 1 preferences.
5. Create the GPOs for applications.
6. Create the GPO for Terminal Servers.
7. Verify application of policies for Branch1 sales staff.
8. Verify application of policies for Branch1 sales staff on the Terminal Server.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Create the OU structure
1. On SEA-DC1, open Active Directory Users and Computers.
2. Create an organizational unit named Head Office in the root of the Adatum.com domain.
3. Create an organizational unit named Branches in the root of the Adatum.com domain.
4. Create an organizational unit named Branch1 in the Branches OU.

5. Create an organizational unit named Branch2 in the Branches OU.
6. Create an organizational unit named Branch3 in the Branches OU.
7. Create an organizational unit named Terminal Servers in the root of the Adatum.com domain.

Task 3: Create the GPO for enforced security
1. Use Active Directory Users and Computers to create a new global security group in the Head Office OU.
   Group name: Lab Computers
2. Use Active Directory Users and Computers to create a new computer account in the Head Office OU.
   Computer name: Lab1
3. Add Lab1 as a member of the Lab Computers group.
4. Use Group Policy Management to create the enforced security GPO.
   Name: Enforce Security
   Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny read access, Enabled
   Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access, Enabled
   Linked to Adatum.com
5. On the Enforced Security link to Adatum.com, make the policy Enforced.
6. On the Delegation tab of Enforced Security, use the Advanced button to Deny Read permission for the Lab Computers group.

Task 4: Create the GPO for Branch1 preferences
1. Use Group Policy Management to create a new GPO in the Group Policy Objects container.
   Name: Branch1 Preferences
   User Configuration\Preferences\Windows Settings\Drive Maps
   Map drive letter S to \\Branch1Srv\Shared.
2. Link Branch1 Preferences to the Branch1 OU.

Task 5: Create the GPOs for applications
1. Use Active Directory Users And Computers to create a new global security group in the Branches OU.
   Group name: Sales Staff
2. Use Active Directory Users And Computers to create a new global security group in the Branches OU.
   Group name: Office Staff
3. Use Group Policy Management to create a new GPO in the Group Policy Objects container.
   Name: Sales Applications
4. Use Group Policy Management to create a new GPO in the Group Policy Objects container.
   Name: Office Applications
5. Configure security filtering for the Sales Applications GPO on the Scope tab:
   Remove the Authenticated Users group from the Security Filtering area.
   Add the Sales Staff group to the Security Filtering area.
6. Configure security filtering for the Office Applications GPO on the Scope tab:
   Remove the Authenticated Users group from the Security Filtering area.
   Add the Office Staff group to the Security Filtering area.
7. Link the Sales Applications GPO to the Branch1 OU.
8. Link the Office Applications GPO to the Branch1 OU.

Task 6: Create the GPO for Terminal Servers
   Use Group Policy Management to create a new GPO that is linked to the Terminal Servers OU.
   Name: TS Lockdown
   Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode, Enabled, Replace mode
   User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands, Enabled
   User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove Run menu from Start Menu, Enabled
   User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Add Logoff to the Start Menu, Enabled

Task 7: Verify application of policies for Branch1 sales staff
1. Use Group Policy Management to model the application of policies for Branch1 sales staff.
   Use any domain controller
   User container: Branch1
   Computer container: Branch1
   Advanced Simulation Options: none
   User Security Groups: add the Sales Staff group
   Skip to the final page after entering the User Security Groups information
2. Review the applied and denied GPOs for the computer.
3. Review the applied and denied GPOs for the user.

Task 8: Verify application of policies for Branch1 sales staff on the Terminal Server
1. Use Group Policy Management to model the application of policies for Branch1 sales staff.
   Use any domain controller
   User container: Branch1
   Computer container: Terminal Servers
   Advanced Simulation Options: Loopback processing, Replace
   User Security Groups: add the Sales Staff group
   Skip to the final page after entering the User Security Groups information
2. Review the applied and denied GPOs for the computer.
3. Review the applied and denied GPOs for the user.

Results: After this exercise, you should have successfully implemented group policy.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
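The two modeling runs in Tasks 7 and 8, plus the Lab1 exemption from Task 3, can be reproduced with a small resolver for the GPOs built in this exercise. This Python sketch is an added example, not part of the lab files; it models only link order, the Enforced flag, security filtering and loopback Replace (no site GPOs, WMI filters or Block Inheritance), and the Sales/Office application settings are constructed placeholders because the lab does not define them.

```python
"""Simplified Group Policy resolution for the Exercise 2 layout (added example)."""
from dataclasses import dataclass, field

AUTH = "Authenticated Users"
LOOPBACK = "User Group Policy loopback processing mode"


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)
    user: dict = field(default_factory=dict)
    apply_to: frozenset = frozenset({AUTH})   # Security Filtering area
    deny_read: frozenset = frozenset()        # Deny Read set on the Delegation tab

    def readable_by(self, groups):
        # A deny ACE always wins; otherwise a filtering group must match.
        return not (self.deny_read & groups) and bool(self.apply_to & groups)


DEFAULT_DOMAIN = GPO("Default Domain Policy")  # settings not modelled
ENFORCE = GPO("Enforce Security",
              computer={"Removable Disks: Deny read access": "Enabled",
                        "Removable Disks: Deny write access": "Enabled"},
              deny_read=frozenset({"Lab Computers"}))
BRANCH1_PREFS = GPO("Branch1 Preferences", user={"Drive Maps: S": r"\\Branch1Srv\Shared"})
SALES_APPS = GPO("Sales Applications", user={"Software installation": "sales (placeholder)"},
                 apply_to=frozenset({"Sales Staff"}))
OFFICE_APPS = GPO("Office Applications", user={"Software installation": "office (placeholder)"},
                  apply_to=frozenset({"Office Staff"}))
TS_LOCKDOWN = GPO("TS Lockdown",
                  computer={LOOPBACK: "Replace"},
                  user={"Remove and prevent access to the Shut Down, Restart, Sleep, "
                        "and Hibernate commands": "Enabled",
                        "Remove Run menu from Start Menu": "Enabled",
                        "Add Logoff to the Start Menu": "Enabled"})

# Container -> [(GPO, enforced)] in link order, lowest precedence first.
LINKS = {
    "Adatum.com": [(DEFAULT_DOMAIN, False), (ENFORCE, True)],
    "Adatum.com/Branches/Branch1": [(BRANCH1_PREFS, False), (SALES_APPS, False),
                                    (OFFICE_APPS, False)],
    "Adatum.com/Terminal Servers": [(TS_LOCKDOWN, False)],
}


def resolve(side, container, groups):
    """Return (settings, applied GPO names in processing order, filtered names)."""
    parts = container.split("/")
    normal, enforced, filtered = [], [], []
    for depth in range(1, len(parts) + 1):          # domain first, then each OU
        for gpo, is_enforced in LINKS.get("/".join(parts[:depth]), []):
            if not gpo.readable_by(groups):
                filtered.append(gpo.name)
            elif is_enforced:
                enforced.append(gpo)
            else:
                normal.append(gpo)
    # Enforced links are processed last; the highest-level one wins.
    order = normal + enforced[::-1]
    settings = {}
    for gpo in order:
        settings.update(getattr(gpo, side))
    return settings, [g.name for g in order], filtered


def model(user_ou, user_groups, computer_ou, computer_groups=()):
    """Mimic a Group Policy Modeling run for one user/computer pair."""
    user_groups = frozenset(user_groups) | {AUTH}
    computer_groups = frozenset(computer_groups) | {AUTH}
    comp, comp_applied, comp_filtered = resolve("computer", computer_ou, computer_groups)
    mode = comp.get(LOOPBACK)
    if mode not in (None, "Replace"):
        raise NotImplementedError("only loopback Replace is modelled")
    # Replace mode: user settings come from the computer's location only.
    scope = computer_ou if mode == "Replace" else user_ou
    user, user_applied, user_filtered = resolve("user", scope, user_groups)
    return {"computer": comp, "computer_applied": comp_applied,
            "computer_filtered": comp_filtered, "user": user,
            "user_applied": user_applied, "user_filtered": user_filtered}


if __name__ == "__main__":
    branch1 = "Adatum.com/Branches/Branch1"
    print(model(branch1, {"Sales Staff"}, branch1))                        # Task 7
    print(model(branch1, {"Sales Staff"}, "Adatum.com/Terminal Servers"))  # Task 8
    print(model("Adatum.com/Head Office", (), "Adatum.com/Head Office",
                {"Lab Computers"}))                                        # Lab1
```

The Lab1 run shows that Enforced controls precedence and inheritance only: the Deny Read entry still removes Enforce Security from that computer's processing.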

Module 5
Lab Instructions: Planning Application Servers

Contents:
Exercise 1: Creating a Plan for Application Servers
Exercise 2: Implementing Windows SharePoint Services
Exercise 3: Implementing Terminal Services

Lab: Planning Application Servers

Note: Your instructor may run this lab as a class discussion.

A. Datum has recently identified the need to implement new applications to meet the needs of a growing organization. The first is a portal for collaborating on projects. Windows SharePoint Services has been selected for this purpose. The second need is a new financial application that will be deployed by using Terminal Services.

Exercise 1: Creating a Plan for Application Servers

Scenario
You have been tasked with creating a plan for implementing Windows SharePoint Services for collaboration and Terminal Services to support a financial application. You determine how these application servers will be implemented based on requirements provided by the IT manager.

Supporting Documentation

thread of correspondence with Allison Brown:

Gregory Weber

From: Allison Brown [[email protected]]
Sent: 30 July :25
To: [email protected]
Subject: Group Policy implementation

Greg,

As we discussed in the meeting this morning, I'd like you to take the lead on planning our implementation of the new application servers.

The first application server is for Windows SharePoint Services. We are implementing this only as a pilot project at this point. A new server (sharepoint.adatum.com) has been allocated for this task and has SQL Server 2008 Express already installed with an instance named SQLEXPRESS. If we move this project out of the pilot phase, then we'll consider updates for better performance.

Windows SharePoint Services creates two Web sites on the server. One Web site is for managing WSS and the other is for accessing content. The content that users enter for the pages is stored in the SQL Server database.

Some of the things I need your input on are:
   What server roles and features do you think will be required?
   Do you have any concerns about hardware specifications?
   What sort of maintenance schedule will this application require?
   How will we ensure that this server and application are secure?
   How can we simplify access to this application for internal users?
   How should this be backed up?

The second application server is a Terminal Server that will be used by the new financial application. This is also a pilot project that we need to test before rolling it out to other users. Some of the users are at head office and some others are at remote branches that will be accessing over the WAN.

I really need your input as to what benefits using Terminal Services provides to us. I have to admit, I'm not entirely clear as to why we want to do it this way. However, the vendor recommended it.

In addition, I need your input on:
   Are there any benefits to using Windows Server 2008 for Terminal Services rather than Windows Server 2003 in our scenario?
   What are our licensing requirements?
   What will the overall system look like from a user perspective when it is implemented?

Let me know if you require any clarification.

Regards
Allison

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create a plan for implementing Windows SharePoint Services.
3. Create a plan for implementing Terminal Services.

Task 1: Read the supporting documentation
   Read the supporting documentation.
   Determine if you need any more information and ask your instructor to clarify if required.

Task 2: Create a plan for implementing Windows SharePoint Services
   What server roles and features do you think will be required for implementing WSS?
   Do you have any concerns about hardware specifications for the WSS server? How can increasing workloads be accommodated?
   What sort of maintenance schedule will WSS require?
   How will we ensure that this server and WSS are secure?
   How can we simplify access to WSS for internal users?
   How should WSS be backed up?

Task 3: Create a plan for implementing Terminal Services
   What are the benefits of using Terminal Services for the financial application?
   Are there any drawbacks to using Terminal Services?
   Are there any benefits to using Windows Server 2008 for Terminal Services rather than Windows Server 2003 in our scenario?
   What are our licensing requirements?
   What will the overall system look like from a user perspective when it is implemented?

Results: After this exercise, you should have created a plan for implementing WSS and Terminal Services.

Exercise 2: Implementing Windows SharePoint Services

Scenario
After planning how WSS will be supported, you need to install it and review the installed components. You will also perform a backup of WSS.

The main tasks for this exercise are as follows:
1. Start the virtual machines and then log on.
2. Install Windows SharePoint Services.
3. Review the Web site configuration.
4. Configure Internet Explorer for Windows Authentication.
5. Back up Windows SharePoint Services.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Minimize the Lab Launcher window.

Task 2: Install Windows SharePoint Services
1. Browse to D:\Labfiles\Mod05 and run SharePoint.exe.
2. Perform a Basic installation.
3. When installation is complete, run the SharePoint Products and Technologies Configuration Wizard.
4. When the configuration is complete, log on to the SharePoint site as Adatum\Administrator with a password of Pa$$w0rd.

Question: What is the URL of the SharePoint site?

Task 3: Review the Web site configuration
1. Open Internet Information Services (IIS) Manager.
2. View the application pools.
3. View the Web sites.
4. View the Authentication for the SharePoint - 80 Web site.

Task 4: Configure Internet Explorer for Windows Authentication
1. Open the Internet Options dialog box.
2. Add to the Local Intranet zone.
3. Use Internet Explorer to access the SharePoint site at

Question: Were you prompted for credentials?

Task 5: Back up Windows SharePoint Services
1. Create the folder C:\SPBackup.
2. From Administrative Tools, open SharePoint 3.0 Central Administration.
3. On the Operations tab, perform a full backup of the farm to C:\SPBackup.

Results: After this exercise, you should have successfully implemented Windows SharePoint Services and verified the configuration.

Exercise 3: Implementing Terminal Services

Scenario
After planning how Terminal Services will be supported, you need to install Terminal Services and deploy an application by using TS RemoteApp.

The main tasks for this exercise are as follows:
1. Install Terminal Services.
2. Install the financial application.
3. Prepare the financial application for distribution as a RemoteApp program.
4. Test the new application.

Task 1: Install Terminal Services
1. On SEA-DC1, open Server Manager.
2. Add the Terminal Services role with the Terminal Server role service and the following options:
   Authentication method: Do not require Network Level Authentication
   Licensing mode: Configure later
   Users and groups allowed to access Terminal Server: Administrators
3. Restart the server to complete the installation.

Task 2: Install the financial application
1. On SEA-DC1, browse to D:\Labfiles\Mod05 and run CalcPlus.msi.
2. Install to the default location.
3. Make the application available to Everyone.

Task 3: Prepare the financial application for distribution as a RemoteApp program
1. On SEA-DC1, open TS RemoteApp Manager, and then add Microsoft Calculator Plus as a RemoteApp program.
2. Select Microsoft Calculator Plus and then Create Windows Installer Package.
   Location to save packages: C:\Program Files\Packaged Programs
   Other package setting: default
   Create a shortcut on the Desktop and Start menu folder in Remote Programs
3. Share the C:\Program Files\Packaged Programs folder with default settings.
4. Use Group Policy Management to edit the Default Domain Policy and create a new user policy for software installation:
   Package: \\SEA-DC1\Packaged Programs\CalcPlus.msi
   Deployment type: Assigned
   Install this application at logon (in Properties or by using Advanced)

Task 4: Test the new application
1. On SEA-CL1, log on as Adatum\Administrator with a password of Pa$$w0rd.
2. If the application shortcut does not appear on the desktop, run gpupdate and then log on again.

3. Configure single sign-on for Terminal Services by using the local group policy editor.
   Start gpedit.msc.
   Browse to Computer Configuration\Administrative Templates\System\Credentials Delegation.
   Enable Allow Delegating Default Credentials and add termsrv/sea-DC1.adatum.com.
4. Start the Microsoft Calculator Plus application.

Results: After this exercise, you should have successfully implemented Terminal Services and distributed a Terminal Services application.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 6
Lab Instructions: Planning File and Print Services

Contents:
Exercise 1: Planning File and Print Services for a Branch Office
Exercise 2: Implementing File and Print Services in a Branch Office

Lab: Planning File and Print Services

Note: Your instructor may run this lab as a class discussion.

Adatum has a number of new sales offices in the western region. Allison Brown, the IT manager, has asked you to look into deploying the necessary server roles to support users in the region.

The sales department users access a number of shared folders at the head office location, and want access to that content in the regional branch offices. In addition, you determine that storage management is a concern in the regions; the branch servers will be deployed with DAS, and ensuring that they do not run out of disk space is an important factor in your plans.

Exercise 1: Planning File and Print Services for a Branch Office

Scenario

Your colleague, Alan Steiner, has been in discussion with Joe Healy, the Sales manager. You communicate with Alan with some additional questions.

The main tasks for this exercise are as follows:
- Read the supporting documentation.
- Update the Sales Branch Offices: File and Print Services document with your proposals.

Task 1: Read the supporting documentation

Read the supporting documentation.

Task 2: Update the Sales Branch Offices: File and Print Services document with your proposals

Answer the questions in the Sales Branch Offices: File and Print Services document.

Supporting Documentation

thread of correspondence with Alan Steiner:

Gregory Weber
From: Alan Steiner
Sent: 11 October :41
To:
Subject: Re: Sales offices: file and print services
Attachments: Requirements.doc

Greg,

Yes, Joe and I had a meeting and he sent over the attached document. I've added my comments, so it should have all the information you require.

Regards
Alan

Original Message
From: Gregory Weber [[email protected]]
Sent: 10 October :10
To: [email protected]
Subject: Sales offices: file and print services

Alan,

I'm trying to determine which server roles I need to deploy to the regional sales offices. I know you've been talking to Joe Healy. Rather than me repeat all the same questions, what information did he provide about the way the department shares its data?

Regards,
Greg

Requirements.doc

Alan,

As promised an overview of what we require at the branches.

We have a sales database, and that's in the process of being consolidated; currently, it's distributed across a couple of disparate systems.

We also have some shared folders on the main sales server in the head office. We'd like to get local copies of the content in these shared folders out to the regional offices. In addition, any changes made at either end should be synchronized in some way.

These shared folders have been getting quite a headache of late, and users are having problems remembering the UNC names; it would be great if we could have a single UNC to access all shared content from.

Recently, users have been copying all sorts of inappropriate files into the shared folders; I don't think it's malicious, just ill informed. The result is a badly structured folder hierarchy. I'd like to impose limitations on what type of files can be stored, and where.

We've been running short on server storage space. I know you're planning a SAN for each branch office as the sales teams move out to the regions; but that's not going to help us short-term. We need to be efficient in disk consumption, so I'd like a way of preventing users consuming too much space.

Joe Healy, Sales Manager

Additional comments added [Alan Steiner, IT Department]

- I've investigated the database issue; it won't affect us on your initial roll-out.
- We should prevent executable files from being placed in the data areas because these seem to be the main problem.
- 200 MB is ample storage for each user in the shared data area; few, if any, are using more than around 100 MB.
- The shared folder should follow corporate standards regarding permissions; that is, Modify permissions granted to the appropriate global group.
- We should be thinking about easy ways to deploy printers to these regions.

Alan Steiner, IT

Sales Branch Offices: File and Print Services

Document Reference Number: GW1510/1
Document Author: Gregory Weber
Date: 15 October

Requirement Overview

Deploy the required services to the branch sales offices to meet the needs outlined in the Requirements document.

Additional Information

The requirements are summarized as follows:
- Deploy server roles to support file and print services.
- Create a single UNC name to allow access to all sales shared resources. This single UNC name should not be a single point of failure.
- Provide for a means of synchronizing data between the branch and head office sales shared folders.
- Impose restrictions to prevent creation of executable files in data areas.
- Impose hard limit on amount of disk space each user can consume in the data folder.
- Deploy printers to client computers quickly and easily.

Proposals

1. What server roles will you need to deploy to the branch servers to satisfy these requirements?
2. Will you need to make any changes to the infrastructure at the head office to support these requirements?
3. What folder and shared folder permissions would you recommend for sales data areas?

Sales Branch Offices: File and Print Services (continued)

Proposals (continued)

4. How will you address the requirement for a single UNC name for all sales shared resources and avoid a single point of failure?
5. How will you synchronize the sales data at each location?
6. What role or feature enables you to impose a restriction on the types of files that users can create in designated folders?
7. What role or feature enables you to impose a restriction on the disk space users can consume in designated folders?
8. Provide additional details about the specifics of the process you will use to provide for the previous two requirements:
9. How do you intend to deploy printers to client computers?

Results: After this exercise, you should have a completed Sales Branch Offices: File and Print Services document.

Exercise 2: Implementing File and Print Services in a Branch Office

Scenario

Your proposal for file and print services for the sales branch offices has been approved. You must now implement a subset of your plan at a branch office.

The main tasks for this exercise are as follows:
1. Start the virtual machines, and log on.
2. Deploy the necessary server roles to support your plan.
3. Create, secure, and share data folders for the sales department.
4. Configure a DFS namespace.
5. Configure DFS-R to support your plan.
6. Configure FSRM to support your plan.
7. Deploy a shared printer for the branch office.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
7. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Deploy the required server roles at the branch server

1. Switch to the SEA-SVR1 computer.
2. Open Server Manager.
3. Add the following roles:
   - File Services
     - File Server
     - Distributed File System. Click Create a namespace later using the DFS Management snap-in in Server Manager.
     - File Server Resource Manager
   - Print Services
     - Default
4. Close Server Manager.

Task 3: Add additional role services on the SEA-DC1 computer

1. Switch to the SEA-DC1 computer.
2. Open Server Manager.
3. Add the Distributed File System role service to the File Services role. Click Create a namespace later using the DFS Management snap-in in Server Manager.
4. Close Server Manager.

Task 4: Create, secure, and share the Sales-data folders

1. On SEA-DC1, create a folder called D:\Sales-data.
2. Modify the default security:
   - Remove the ADATUM\Users permission from the folder.
   - Grant ADATUM\SalesGG Modify access on the folder.

3. Share the folder:
   - Share name: Sales-data
   - Shared permissions: Everyone Full Control
4. Close all open windows.
5. On SEA-SVR1, create a folder called C:\Sales-data.
6. Modify the default security:
   - Remove the ADATUM\Users permission from the folder.
   - Grant ADATUM\SalesGG Modify access on the folder.
7. Share the folder:
   - Share name: Sales-data
   - Shared permissions: Everyone Full Control
8. Close all open windows.

Task 5: Configure a DFS namespace

1. Switch to the SEA-DC1 computer.
2. Open DFS Management.
3. Create a new namespace with the following properties:
   - Server to host namespace: SEA-DC1
   - Name: Sales
   - Type: Domain-based namespace

Task 6: Add a namespace server

1. Add a new namespace server to the \\Adatum.com\Sales namespace:
   - Server name: SEA-SVR1
2. In DFS Management, expand Namespaces, click \\Adatum.com\Sales, and then in the results pane click the Namespace Servers tab. Verify that two servers are listed.
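Because Task 4 shares each Sales-data folder with Everyone Full Control, the NTFS ACL is what actually limits access. The following check is an added example, not part of the lab: it audits an ACL against the state Task 4 asks for. The function names are hypothetical and the two sample ACLs are constructed; it assumes Windows PowerShell with the .NET access-control types available.

```powershell
# Added example, not part of the lab. Function names are hypothetical and the
# sample ACEs below are constructed, so the script also runs off the lab VMs.

function Test-SalesDataAcl {
    param(
        [object[]]$Aces,                        # FileSystemAccessRule objects
        [string]$DataGroup = 'ADATUM\SalesGG'   # group named in Task 4
    )
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $findings = @()
    $groupHasModify = $false

    foreach ($ace in $Aces) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        $who    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights

        # The share grants Everyone Full Control, so any Allow ACE for a broad
        # principal on the folder opens the data to every authenticated user.
        if ($who -match '(^|\\)(Users|Everyone|Authenticated Users)$') {
            $findings += "Broad principal still has access: $who ($($ace.FileSystemRights))"
            continue
        }
        if (($who -eq $DataGroup) -and (($rights -band $modify) -eq $modify)) {
            $groupHasModify = $true
            # Full Control contains every Modify bit, so test it separately.
            if (($rights -band $full) -eq $full) {
                $findings += "$who has Full Control; the corporate standard is Modify"
            }
        }
    }
    if (-not $groupHasModify) {
        $findings += "$DataGroup has no Allow ACE granting Modify"
    }
    return ,$findings    # always an array, even when empty
}

function New-SampleAce {
    param([string]$Who, [string]$Rights)
    # A string identity is stored as-is (no domain lookup happens here).
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Who, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

# Constructed sample: a folder as created, before Task 4 step 2.
$before = @(
    (New-SampleAce 'BUILTIN\Administrators' 'FullControl'),
    (New-SampleAce 'NT AUTHORITY\SYSTEM'    'FullControl'),
    (New-SampleAce 'BUILTIN\Users'          'ReadAndExecute')
)
# Constructed sample: the same folder after Task 4 step 2.
$after = @(
    (New-SampleAce 'BUILTIN\Administrators' 'FullControl'),
    (New-SampleAce 'NT AUTHORITY\SYSTEM'    'FullControl'),
    (New-SampleAce 'ADATUM\SalesGG'         'Modify')
)

foreach ($case in @(@('before Task 4', $before), @('after Task 4', $after))) {
    $result = Test-SalesDataAcl -Aces $case[1]
    Write-Output ("{0}: {1} finding(s)" -f $case[0], $result.Count)
    $result | ForEach-Object { Write-Output "  $_" }
}

# On the lab servers, audit the real folders when they exist.
foreach ($path in 'D:\Sales-data', 'C:\Sales-data') {
    if (Test-Path $path) {
        $live = Test-SalesDataAcl -Aces @((Get-Acl $path).Access)
        Write-Output ("{0}: {1} finding(s)" -f $path, $live.Count)
        $live | ForEach-Object { Write-Output "  $_" }
    }
}
```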

Task 7: Add a DFS folder

1. In DFS Management, in the navigation tree, right-click \\Adatum.com\Sales, and then click New Folder.
2. Create a new folder with the following properties:
   - Name: Corporate Sales Data
   - Folder target: \\sea-dc1\sales-data

Task 8: Add a folder target

In DFS Management, right-click Corporate Sales Data, and then click Add Folder Target:
   - Path to folder target: \\sea-svr1\sales-data

You are prompted to establish replication. In the Replication dialog box, click Yes.

Task 9: Create a Replication group

1. In the Replicate Folder Wizard, click Next.
2. On the Replication Eligibility page, click Next.
3. Use the following information to complete the process:
   - Primary member: SEA-DC1
   - Topology selection: Full mesh
   - Replication Group Schedule: defaults
4. In the Replication Delay dialog box, click OK.
5. Close DFS Management.

Task 10: Configure quotas on the branch server

1. Switch to the SEA-SVR1 computer.
2. Open File Server Resource Manager.

3. Create a new quota with the following properties:
   - Quota path: C:\Sales-data
   - Select Auto apply template and create quotas on existing and new subfolders.
   - Quota : 200MB Limit Reports to User

Task 11: Configure a file screen for the branch server

In File Server Resource Manager, create a new file screen with the following properties:
   - File screen path: C:\Sales-data
   - Block executable files

Task 12: Configure FSRM options

1. In the navigation tree, right-click File Server Resource Manager (Local), and then click Configure Options.
2. Scroll along the tabs, and then click the File Screen Audit tab.
3. Select the Record file screening activity in auditing database check box, and then click OK.

Task 13: Test the file screen settings

1. Switch to the SEA-CL1 computer.
2. Map drive letter Z to \\sea-svr1\sales-data.
3. Open a command prompt and execute the following commands:

       Z:
       Copy c:\windows\*.exe

   Question: Were you successful?
4. Switch to the SEA-SVR1 computer.
5. In File Server Resource Manager, click Storage Reports and Management.

6. In the action pane, click Generate Reports Now.
7. Create a new report with the following properties:
   - Folder name: C:\Sales-data
   - Reports to generate: File Screen Audit
   - In the Generate Storage Reports dialog box, click OK.

   Question: In Internet Explorer, examine the report. Which user attempted to create executables in the C:\Sales-data folder?
8. Close all open windows.

Task 14: Deploy a shared printer with group policy

1. On SEA-SVR1, open Print Management.
2. Add a new printer to SEA-SVR1 with the following properties:
   - Add a new printer using an existing port: LPT1: (Printer Port).
   - Manufacturer: Canon
   - Type: Canon Inkjet MP700
   - On the Printer Name and Sharing Settings page, click Next.
   - On the Printer Found page, click Next, and then click Finish.
3. Right-click Canon Inkjet MP700, and then click Deploy with Group Policy.
4. Locate and select the Default Domain Policy.
5. In the Deploy with Group Policy dialog box, select the The users that this GPO applies to (per user) check box, and then click Add and OK.
6. In the Printer Management dialog box, click OK.
7. Click OK to close the Deploy with Group Policy dialog box.

Task 15: Test the printer deployment

1. Switch to the SEA-CL1 computer.
2. Refresh the group policy, and then log off.
3. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
4. Click Start, click Control Panel, and then click Printer.

   Question: Is the Canon printer listed?
5. Close all open windows.

Results: After this exercise, you should have successfully configured file and print services for the branch office.

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 7

Lab Instructions: Planning Server and Network Security

Contents:
Exercise 1: Creating a Plan for Server and Network Security
Exercise 2: Implementing Windows Firewall Rules
Exercise 3: Implementing a VPN Server
Exercise 4: Implementing NAP with DHCP Enforcement

Lab: Planning Server and Network Security

Note: Your instructor may run this lab as a class discussion.

Exercise 1: Creating a Plan for Server and Network Security

Scenario

A. Datum has two security-related tasks that need to be planned out. A new Web-based application is being implemented for the finance department and requires a security plan. Also, as part of a security review, a plan needs to be developed for preventing malware on the A. Datum network.

You have been tasked with creating a plan for the new finance application and creating a plan for preventing malware on the network. Your IT manager has provided you with a list of requirements that must be met by your plan.

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create a security plan for the new finance application.
3. Create a plan for preventing malware on the network.

Supporting Documentation

thread of correspondence with Allison Brown:

Gregory Weber
From: Allison Brown [[email protected]]
Sent: 4 Aug :22
To: [email protected]
Subject: Security Plan for Finance Application

Greg,

As we discussed in the meeting this morning, I'd like you to take the lead on planning security for the new Web-based finance application. Here are some of the requirements that have come up:
- All users of the application must be authenticated.
- All data transferred over the network to or from the application must be encrypted.
- Access must be limited to only domain-joined computers in the finance department.

The IT management committee has really bought in to the idea of Defense-in-Depth that you presented at the last committee meeting. I think it would be helpful if you could present the security plan for this server in that context.

Let me know if you require any clarification.

Regards
Allison

Gregory Weber
From: Allison Brown
Sent: 4 Aug :32
To: [email protected]
Subject: Malware Prevention Plan

Greg,

The IT management committee is also looking for a plan to prevent malware within the organization. A competitor had an incident recently where customer data was stolen, and it generated a lot of bad publicity for them, not to mention the cost of monitoring the potential identity theft.

I'm sure we already have reasonable measures in place, but the committee would like to have a plan that lists potential sources of malware and how they can be prevented. Just list any options you can think of. This will be a starting point for discussion.

Please also put this information in context with Defense-in-Depth like the security plan for the finance application.

Let me know if you require any clarification.

Regards
Allison

Task 1: Read the supporting documentation

Read the supporting documentation.

Task 2: Create a security plan for the new finance application

Fill in the following table with potential risks and mitigations for each layer of the Defense-in-Depth model related to the new finance application.

| Layer | Risk | Mitigation |
|---|---|---|
| Data | | |
| Application | | |
| Host | | |
| Internal network | | |
| Perimeter | | |
| Physical security | | |
| Policies, procedures, and awareness | | |

Task 3: Create a plan for preventing malware on the network

Fill in the following table with potential risks and mitigations for each layer of the Defense-in-Depth model related to preventing malware on the network.

| Layer | Risk | Mitigation |
|---|---|---|
| Data | | |
| Application | | |
| Host | | |
| Internal network | | |
| Perimeter | | |
| Physical security | | |
| Policies, procedures, and awareness | | |

Results: After this exercise, you should have a completed security plan for new finance application and a plan for preventing malware on the network.

Exercise 2: Implementing Windows Firewall Rules

Scenario

Your security plan for the new finance application calls for the implementation of computer-specific firewall rules. Only computers in the finance department will be allowed to access the finance application.

The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Create a group for the finance computers.
3. Create a connection security rule for authentication to the finance server.
4. Create a firewall rule to restrict access to the finance application.
5. Force Group Policy updates.
6. Test the application of rules.

Task 1: Start the virtual machines and log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-CL1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Create a group for the finance computers

1. On SEA-DC1, open Active Directory Users and Computers.
2. Create a global security group named Finance Computers in the computers container.
3. Add SEA-CL1 to the Finance Computers group.

Task 3: Create a connection security rule for authentication to the finance server

1. On SEA-DC1, use Group Policy Management to create the enforced security GPO.
   - Name: Secure Financial Application
   - Linked to Adatum.com
2. Edit the Secure Financial Application GPO and create a new Connection Security Rule.
   - Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Connection Security Rules.
   - Rule type: Server-to-server
   - Endpoint 1:
   - Endpoint 2: Any IP address
   - Request authentication for inbound and outbound connections
   - Authentication method, Advanced: Computer (Kerberos V5)
   - Profiles: All
   - Name: Enable Authentication

Task 4: Create a firewall rule to restrict access to the finance application

On SEA-DC1, use Windows Firewall with Advanced Security to create a new inbound rule.
   - Rule type: Port
   - Protocols and ports: TCP 80,443
   - Action: Allow the connection if it is secure and Require the connections to be encrypted
   - User and computers: Only allow connections from the Finance Computers group.
   - Profiles: All
   - Name: Restrict Access to Finance Application
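The Task 4 rule can also be expressed as a netsh advfirewall command, which makes visible what separates it from a plain port rule: the security= setting and the computer group, which the firewall stores as an SDDL string built from the group's SID. This is an added example, not part of the lab; the function names are hypothetical and the SID is a constructed placeholder, so the script only builds the command lines for review and does not change the firewall.

```powershell
# Added example, not part of the lab. Function names are hypothetical and the
# SID is a constructed placeholder, not the lab domain's real group SID.

function ConvertTo-ComputerGroupSddl {
    param([string[]]$Sid)
    $aces = @()
    foreach ($s in $Sid) {
        # The constructor throws on a malformed SID, so bad input is rejected
        # before it can end up in a firewall rule.
        $parsed = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $s
        $aces += "(A;;CC;;;$($parsed.Value))"
    }
    return 'D:' + [string]::Join('', $aces)
}

function Get-FinanceRuleCommand {
    param(
        [string]$GroupSid,
        [switch]$PortOnly      # build the weaker, port-only variant for comparison
    )
    $base = 'netsh advfirewall firewall add rule ' +
            'name="Restrict Access to Finance Application" ' +
            'dir=in action=allow protocol=TCP localport=80,443 profile=any'
    if ($PortOnly) {
        # No security= and no computer group: any host that can reach the
        # ports is allowed, which does not meet the finance requirement.
        return $base
    }
    $sddl = ConvertTo-ComputerGroupSddl -Sid $GroupSid
    # security=authenc: the connection must be authenticated and encrypted.
    # rmtcomputergrp: only computers in the listed group are authorized.
    return "$base security=authenc rmtcomputergrp=`"$sddl`""
}

# Constructed placeholder SID for the Finance Computers group.
$constructedSid = 'S-1-5-21-1111111111-2222222222-3333333333-1601'

# In the lab domain, the real SID can be resolved instead:
#   $acct = New-Object System.Security.Principal.NTAccount('ADATUM\Finance Computers')
#   $constructedSid = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value

Write-Output 'Port-only rule (weak setting, for comparison):'
Write-Output ('  ' + (Get-FinanceRuleCommand -PortOnly))
Write-Output 'Rule matching Task 4:'
Write-Output ('  ' + (Get-FinanceRuleCommand -GroupSid $constructedSid))
```

After a rule is created, `netsh advfirewall firewall show rule name="Restrict Access to Finance Application" verbose` lists its settings for comparison with Task 4.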

Task 5: Force Group Policy updates

1. On SEA-DC1, run gpupdate at a command prompt.
2. On SEA-CL1, run gpupdate at a command prompt.
3. Restart SEA-CL1 and log on as Administrator with a password of Pa$$w0rd.

Task 6: Test the application of rules

1. On SEA-CL1, use Internet Explorer to open This is successful because the computer is authenticated and allowed.
2. Use Windows Firewall with Advanced Security to view the Main Mode Security Associations in the Monitoring node. This shows that an IPsec connection has been created.

Results: After this exercise, you should have successfully implemented firewall rules.

Exercise 3: Implementing a VPN Server

Scenario

Your security plan requires a VPN to be implemented for some remote users. Because all of the laptops are running Windows Vista, you have decided to use an SSTP VPN for the highest level of compatibility with hotel firewalls and proxy servers. Initially, you are configuring this only for domain Admins while testing.

The main tasks for this exercise are as follows:
1. Install Active Directory Certificate Services.
2. Create an SSL Certificate.
3. Configure RRAS.
4. Create a network policy to allow VPN access.
5. Configure the client with a trusted root certificate.
6. Configure and test an SSTP VPN connection.

Task 1: Install Active Directory Certificate Services

On SEA-DC1, use Server Manager to add the Active Directory Certificate Services role.
   - Role services: Certification Authority and Certification Authority Web Enrollment
   - Add required role services
   - CA type: Enterprise Root CA
   - Create a new private key
   - Cryptography: default
   - CA name: default
   - Validity period: default
   - Database and log locations: default.

Task 2: Create an SSL certificate

On SEA-DC1, use Internet Information Services Manager to request a new server certificate for SEA-DC1.
   - Create Domain Certificate
   - Common name: SEA-DC1.adatum.com
   - Organization: A. Datum
   - Organizational unit: IT
   - City/locality: Seattle
   - State/province: Washington
   - Country/region: US
   - Online Certification Authority: Adatum-SEA-DC1-CA\SEA-DC1.Adatum.com
   - Friendly name: WebSSL

Task 3: Configure RRAS

On SEA-DC1, use the Routing and Remote Access administrative tool to enable routing and remote access.
   - Configuration: Custom configuration
   - Custom configuration: VPN access
   - Start the service

Note: A custom configuration is used because SEA-DC1 has only a single network adapter. You must have two network adapters to select the Remote Access (Dial-Up Or VPN) configuration.

Task 4: Create a network policy to allow VPN access

On SEA-DC1, use Network Policy Server to create a new network policy.
   - Policy name: Allow Domain Admins
   - Condition: Windows Groups Adatum\Domain Admins
   - Access permission: Access Granted
   - Authentication type: default
   - Constraints: default
   - Settings: default

Task 5: Configure the client with a trusted root certificate

1. On SEA-CL1, use Internet Explorer to open the Certificate Services Web site at
2. Log on as Adatum\Administrator with a password of Pa$$w0rd.
3. Download a CA certificate, open it, and install it.
   - Automatically select the certificate store based on the type of certificate.
4. Open an empty MMC console and add:
   - The Certificates snap-in focused on My user account
   - The Certificates snap-in focused on Local computer
5. Copy the Adatum-SEA-DC1-CA certificate from Certificates - Current User\Intermediate Certification Authorities\Certificates to Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.

Task 6: Configure and test an SSTP VPN connection

1. On SEA-CL1, open Connect To from the Start menu.
2. Set up a new connection.
   - Connect to a workplace
   - Use my Internet connection (VPN)
   - I'll set up an Internet connection later
   - Internet address: SEA-DC1.Adatum.com
   - Destination name: Adatum VPN
   - Leave the username and password blank
3. Open Connect To from the Start menu.
4. Open the properties of the Adatum VPN connection and select SSTP as the type of VPN on the Networking tab.
5. Connect the Adatum VPN.
6. Open Connect To from the Start menu and verify that the Adatum VPN connection is connected.
7. Disconnect the VPN connection.

Note: If you experience an error during your connection attempt, review the configuration of your SSTP listener by using the instructions from Setting Up The SSTP Listener And Verifying It in the Routing And Remote Access Blog at In particular, you must manually remove and replace the certificate used by SSTP if you want to replace it.

Results: After this exercise, you should have successfully implemented an SSTP VPN.

Exercise 4: Implementing NAP with DHCP Enforcement

Scenario

As part of your security plan, you have decided to implement NAP with DHCP enforcement. This prevents unhealthy computers from connecting to the network and helps to prevent the spread of malware.

The main tasks for this exercise are as follows:
1. Install Network Policy Server.
2. Configure NPS.
3. Configure DHCP.
4. Configure NAP Client by using Group Policy.
5. Configure networking on the client.
6. Configure the SHV.
7. Test compliance and auto-remediation on the client.
8. Close all virtual machines and discard undo disks.

Task 1: Install Network Policy Server

On SEA-DC1, use Server Manager to add the Network Policy and Access Services server role. Include the Network Policy Server role service.

Task 2: Configure NPS

1. On SEA-DC1, use the Network Policy Server administrative tool to select the Network Access Protection (NAP) standard configuration and then configure NAP.
   - Connection method: Dynamic Host Configuration Protocol (DHCP)
   - Policy name: NAP DHCP
   - RADIUS clients: None
   - DHCP scopes: None
   - User and machines groups: None

   - Remediation server groups: None
   - Windows Security Health Validator
   - Enable auto-remediation of client computers
   - Deny full network access to NAP-ineligible client computers
2. Review the connection request policies created by the wizard.
3. Review the network policies created by the wizard.
4. Review the health policies created by the wizard.

Task 3: Configure DHCP

1. On SEA-DC1, use the DHCP administrative tool to enable Network Access Protection for the Adatum Scope, and use the Default Network Access Protection profile.
2. On the Advanced tab of Scope Options, for the User Class: Default Network Access Protection Class, configure the following:
   - 006 DNS Servers:
   - DNS Domain Name: restricted.adatum.com

Task 4: Configure NAP Client by using Group Policy

1. On SEA-DC1, use Active Directory Users and Computers to create a new organizational unit, named NAP Clients, in the root of the Adatum.com domain.
2. Move the SEA-CL1 computer object into the NAP Clients organizational unit.
3. Use the Group Policy Management administrative tool to create a new Group Policy object, named DHCP NAP Client, linked to the NAP Clients organizational unit and with the following settings:
   - Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Network Access Protection Agent: Automatic
   - Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients\DHCP Quarantine Enforcement Client: Enable

   - Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration: Apply from context menu
   - Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center\Turn on Security Center (Domain PCs only): Enabled

Task 5: Configure networking on the client

1. Restart SEA-CL1, and log on as Administrator with a password of Pa$$w0rd.
2. On SEA-CL1, open a command prompt and use the following command to update group policy settings:

       gpupdate

3. Reconfigure Local Area Connection to use DHCP to obtain an IP address and DNS server.
4. Open a command prompt and use the following command to view the configured IP address:

       ipconfig /all

5. Notice that an IPv4 address has been configured, but the subnet mask is and the Connection-specific DNS suffix is restricted.adatum.com.

Task 6: Configure the SHV

On SEA-DC1, use the Network Policy Server administrative tool to configure the Windows Security Health Validator in Network Access Protection.
   - Test only for an enabled firewall

Task 7: Test compliance and auto-remediation on the client

1. On SEA-CL1, renew the IP address by using the command ipconfig /renew.
2. Notice that SEA-CL1 now has a default gateway, a subnet mask of , and the Connection-specific DNS suffix is Adatum.com.
3. In the Control Panel Security settings, turn off Windows Firewall.
4. Notice that Windows Firewall status is off only briefly, before being turned back on by the NAP client.

Results: After this exercise, you should have successfully implemented NAP with DHCP enforcement.

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 8

Lab Instructions: Planning Server Administration

Contents:
Exercise 1: Planning for Branch Office Administration
Exercise 2: Delegating Administration to Branch Office Personnel

Lab: Planning Server Administration

Note: Your instructor may run this lab as a class discussion.

The Sales department branch offices have been operational for some time. Joe Healy has requested that he has more control over the administration of the Sales branches.

Exercise 1: Planning for Branch Office Administration

Scenario

You track down a corporate document that provides more information about which elements of the IT infrastructure are centrally managed. Alan Steiner has appended some comments to this document that are pertinent to Sales. You must determine which administrative tasks you can delegate to Joe.

The main tasks for this exercise are as follows:
- Read the supporting documentation.
- Update the Branch Office Delegation document with your proposals.

Supporting Documentation

A Datum Corporate Security Policy.doc

- No infrastructure roles should be delegated; DHCP, DNS, WINS, and WDS should all be managed centrally by IT.
- Group Policy Objects must only be created by IT.
- Whenever delegation takes place, users must never be assigned permissions directly; rather, an appropriate group strategy must be implemented.

Additional comments added [Alan Steiner, IT Department]

- Branch offices are equipped with Read-Only Domain Controllers (RODCs), so any edits to Active Directory objects must be made at the writable domain controllers (DCs).
- Joe needs to be able to determine which Group Policy settings will apply directly to the sales team. Any really important stuff is configured at the domain level with enforcement of the relevant GPO.
- Joe needs to be able to manage user, group, and computer objects in the Sales OU only.
- We don't want to bother deploying administration tools to the client computer desktops, so any administration must be handled over Remote Desktop Protocol (RDP).
- We're building up a library of useful Windows PowerShell scripts. I imagine we'll want to let Joe have access to those.

Branch Office Delegation

Document Reference Number: GW0511/1
Document Author: Gregory Weber
Date: 5th November

Requirement Overview

Determine which tasks can be delegated to Joe Healy in Sales. Specify how this delegation will be achieved.

Additional Information

Proposals

1. Which features will you need to install on a recently deployed departmental server to support administrative delegation?
2. How will you manage the requirement that Joe needs to be able to manage which GPOs apply to the Sales OU without giving him the ability to edit the GPO settings?
3. What delegated permissions will you give to Joe in Active Directory?
4. How will you achieve this?
5. Because you are not permitted to grant Joe any delegated permissions directly, how will you achieve the required delegation?

Task 1: Read the supporting documentation
- Read the supporting documentation.

Task 2: Update the Branch Office Delegation document with your proposals
- Answer the questions in the Branch Office Delegation document.

Results: After this exercise, you should have a completed Branch Office Delegation proposal document.

Exercise 2: Delegating Administration to Branch Office Personnel

Scenario
Having determined which tasks you intend to delegate and to whom, you must now implement your plan.

The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Create the necessary security group.
3. Delegate control of the Sales OU.
4. Configure group membership on the SEA-SVR1 server.
5. Enable Remote Desktop on SEA-SVR1.
6. Install Windows PowerShell and RSAT on SEA-SVR1.
7. Perform branch administration.
8. Create and run a Windows PowerShell script.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
7. Minimize the Lab Launcher window.

Task 2: Create the necessary security group
1. Switch to the SEA-DC1 computer.
2. Create a new Global Security group with the following properties:
   - Location: Sales organizational unit
   - Name: Sales-Admins
   - Members: Joe Healy

Task 3: Delegate control of the Sales organizational unit
1. Using the Delegate Control Wizard, delegate the following common tasks to the Sales-Admins group on the Sales OU:
   - Create, delete, and manage user accounts
   - Reset user passwords and force password change at next logon
   - Read all user information
   - Create, delete, and manage groups
   - Modify the membership of a group
   - Manage Group Policy links
2. In Active Directory Users and Computers, enable the Advanced Features view.
3. Grant the Sales-Admins group the following permissions on the Sales OU:
   - Create Computer objects/allow
   - Delete Computer objects/allow
4. Grant the Sales-Admins group the following additional permissions on Descendant Computer objects in the Sales OU:
   - Full control/allow
5. Close Active Directory Users and Computers.
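One way to check the outcome of Tasks 2 and 3 against the corporate security policy (permissions go to groups, never directly to users), as an added example that is not part of the lab. It reads the explicit ACEs on the Sales OU through ADSI and flags any Allow entry whose trustee is a user object; the OU path and group name are the lab's, while the function names and the GUID-to-name table are assumptions of this example.

```powershell
# Added example (not part of the lab): audit explicit ACEs on the Sales OU.
# Assumes the lab's names: domain Adatum.com, OU "Sales", group Sales-Admins.
$ouPath        = "LDAP://OU=Sales,DC=Adatum,DC=com"
$expectedGroup = "ADATUM\Sales-Admins"

# Well-known schema and extended-right GUIDs, so the report reads like the
# task names in the Delegate Control Wizard. Unknown GUIDs are printed raw.
$knownGuids = @{
    "00000000-0000-0000-0000-000000000000" = "(all)"
    "bf967aba-0de6-11d0-a285-00aa003049e2" = "user"
    "bf967a9c-0de6-11d0-a285-00aa003049e2" = "group"
    "bf967a86-0de6-11d0-a285-00aa003049e2" = "computer"
    "bf9679c0-0de6-11d0-a285-00aa003049e2" = "member (attribute)"
    "f30e3bbe-9ff0-11d1-b603-0000f80367c1" = "gPLink (attribute)"
    "f30e3bbf-9ff0-11d1-b603-0000f80367c1" = "gPOptions (attribute)"
    "00299570-246d-11d0-a768-00aa006e0529" = "Reset Password (extended right)"
}

function Resolve-Guid {                       # hypothetical helper
    param([Guid]$Guid)
    $key = $Guid.ToString()
    if ($knownGuids.ContainsKey($key)) { return $knownGuids[$key] }
    return $key
}

function Get-PrincipalClass {                 # hypothetical helper
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Bind to the trustee by SID and return the last objectClass value, which
    # Active Directory normally lists as the most specific class.
    # Well-known identities (SYSTEM, SELF, ...) have no object in the domain
    # partition and come back as "unresolved".
    try {
        $entry   = [ADSI]("LDAP://<SID=" + $Sid.Value + ">")
        $classes = @($entry.psbase.Properties["objectClass"] | Where-Object { $_ })
        if ($classes.Count -gt 0) { return [string]$classes[-1] }
    } catch { }
    return "unresolved"
}

# Read only the ACEs set on the OU itself (explicit, not inherited),
# with trustees returned as SIDs so they can be looked up reliably.
$ou      = [ADSI]$ouPath
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, $sidType)

$report = foreach ($rule in $rules) {
    $sid  = $rule.IdentityReference
    $name = $sid.Value
    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    New-Object PSObject -Property @{
        Principal = $name
        Class     = (Get-PrincipalClass $sid)
        Type      = $rule.AccessControlType
        Rights    = $rule.ActiveDirectoryRights
        AppliesTo = (Resolve-Guid $rule.ObjectType)
        Inherits  = (Resolve-Guid $rule.InheritedObjectType)
    }
}

$report | Sort-Object Principal |
    Format-Table Principal, Class, Type, Rights, AppliesTo, Inherits -AutoSize

# Policy check 1: no Allow ACE may name a user account directly.
# (Computer accounts resolve to class "computer", so they are not matched.)
$direct = @($report | Where-Object { $_.Class -eq "user" -and "$($_.Type)" -eq "Allow" })

# Policy check 2: the delegated rights should sit on the delegation group.
$viaGroup = @($report | Where-Object { $_.Principal -eq $expectedGroup })

foreach ($ace in $direct) {
    Write-Warning ("Direct user ACE: " + $ace.Principal + " : " + $ace.Rights)
}
"{0} explicit ACE(s) for {1}; {2} granted directly to users." -f `
    $viaGroup.Count, $expectedGroup, $direct.Count
```

Because branch offices use RODCs, run this against a writable domain controller right after the delegation so the ACL you read is the one you just changed.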

Task 4: Configure group membership on the SEA-SVR1 server
1. Switch to the SEA-SVR1 computer.
2. Open Server Manager, and then in Server Manager, in the navigation tree, expand Configuration, expand Local Users and Groups, and then click Groups.
3. Add the Adatum\Sales-Admins global group to the local Administrators group.

Task 5: Enable Remote Desktop on SEA-SVR1
1. Click Start, right-click Computer, and then click Properties.
2. In the Tasks list, click Remote settings.
3. Enable Remote Desktop with the highest level of security.
4. Enable members of the Sales-Admins global group to access this computer remotely.
5. Close System.

Task 6: Install Windows PowerShell and RSAT on SEA-SVR1
1. From Server Manager, add the following features:
   - Remote Server Administration Tools: Active Directory Domain Services Tools
   - Windows PowerShell
2. Restart when prompted.
3. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
4. Complete the installation and then close Server Manager.

Task 7: Perform branch administration
1. Switch to the SEA-CL1 computer.
   Note: If you are already logged on as Joe, please log off and then proceed with the lab.
2. Open Remote Desktop Connection:
   - IP address:
   - Username: adatum\joe
   - Password: Pa$$w0rd
3. Open Active Directory Users and Computers.
4. Delete the user Tom Higginbotham from the Sales OU.
5. Create a new computer account in the Sales OU called Sales-1.

Task 8: Create and run a Windows PowerShell script
1. Open Windows PowerShell with elevated privileges.
2. At the Windows PowerShell Command Prompt, type notepad user.ps1, and then press ENTER.
3. In Notepad, type the following lines of code:

    # Bind to the Sales OU
    $objOU = [ADSI] "LDAP://OU=sales,DC=Adatum,DC=com"
    # Create the user object and set its logon name
    $objUsr = $objOU.Create("user","CN=Tom Higginbotham")
    $objUsr.Put("sAMAccountName","tom")
    # Commit the new object to the directory
    $objUsr.SetInfo()

4. Save the file and close Notepad.
5. Set the script execution policy to remote signed only: Type set-executionpolicy remotesigned, and then press ENTER.
6. Run the script: Type ./user.ps1, and then press ENTER.

7. Switch to Active Directory Users and Computers and verify creation of the Tom account in the Sales OU.
8. Close all open windows.

Results: After this exercise, you should have successfully delegated administration to the branch personnel.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 9
Lab Instructions: Planning and Implementing Monitoring and Maintenance

Contents:
Exercise 1: Evaluating Performance Metrics
Exercise 2: Monitoring Performance Metrics
Exercise 3: Configuring Data Collector Sets
Exercise 4: Evaluating Trends

Lab: Planning and Implementing Monitoring and Maintenance

Scenario
Some of the users at A. Datum Corporation are reporting issues with certain servers in the New York offices that have been identified as running slowly. The IT manager, Allison Brown, has forwarded to you some performance log files from the problematic server. You must evaluate data that is collected from performance logs and identify where potential problems may exist.

Exercise 1: Evaluating Performance Metrics

Scenario
In this exercise, you will review data collector sets to locate problems and provide troubleshooting advice to technical specialists.

The main tasks for this exercise are as follows:
1. Start the virtual machines, and log on.
2. Identify performance problems with Windows Server Part A.
3. Identify performance problems with Windows Server Part B.
4. Identify performance problems with Windows Server Part C.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Identify performance problems with Windows Server Part A
You know that the server 6430A-NYC-SVR1 experiences low network traffic and has limited disk activity, but the help desk is receiving many reports that the server is slow.
- Switch to the SEA-SVR1 computer and review the data collector log at D:\Labfiles\Mod09\Ex1A\EX1A.blg on the server 6430A-NYC-SVR1.

Question: What appears to be the problem on this server?
Question: Write a brief report that outlines your findings and suggests possible solutions to the problem.

Task 3: Identify performance problems with Windows Server Part B
You know that the server 6430A-NYC-SVR1 is not running processor-intensive applications, but the help desk is receiving many reports that the server is slow.
- On the SEA-SVR1 computer, review the data collector log at D:\Labfiles\Mod09\Ex1B\EX1B.blg on the server 6430A-NYC-SVR1.

Question: What appears to be the problem on this server?
Question: Write a brief report that outlines your findings and suggests possible solutions to the problem.

Task 4: Identify performance problems with Windows Server Part C
You know that the server 6430A-NYC-SVR1 experiences low network traffic and is not running processor-intensive applications, but the help desk is receiving many reports that the server is slow.
- On the SEA-SVR1 computer, review the data collector log at D:\Labfiles\Mod09\Ex1C\EX1C.blg on the server 6430A-NYC-SVR1.

Question: What appears to be the problem on this server?
Question: Write a brief report that outlines your findings and suggests possible solutions to the problem.

Results: After this exercise, you should have identified performance issues with servers and suggested steps to resolve the problems.

Exercise 2: Monitoring Performance Metrics

Scenario
In this exercise, you will plan the performance metrics that are required to measure the scalability of a server. The main task for this exercise is to create a data collector set to measure server requirements.

Task 1: Create a data collector set to measure server requirements
- On the SEA-SVR1 computer, create a data collector set to measure the performance requirements of a file server. This forms the base performance metrics for measuring the capacity of this server.

Question: Which specific counters do you anticipate will require careful analysis?

Results: After this exercise, you should have identified steps to create a data collector set for measuring file server performance.

Exercise 3: Configuring Data Collector Sets

Scenario
In this exercise, you will configure data collector sets to generate an alert. The main task for this exercise is to generate an alert by using a data collector set.

Task 1: Generate an alert by using a data collector set
- On the SEA-SVR1 computer, create a user-defined data collector set and configure an alert to trigger when the CPU reaches a critical state.

Results: After this exercise, you should have created a performance alert by using Windows System Resource Manager (WSRM).

Exercise 4: Evaluating Trends

Scenario
In this exercise, you will compare your answers to the previous exercises with the rest of the class, share your answers with other students, and learn alternative methods to identify performance issues. The main task for this exercise is to discuss your solutions with the class.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 10
Lab Instructions: Planning High Availability and Disaster Recovery

Contents:
Exercise 1: Planning for Branch Office High Availability and Data Recovery
Exercise 2: Implementing the High Availability and Disaster Recovery Plan

Lab: Planning High Availability and Disaster Recovery

The sales department at A. Datum Corporation has an application that has a Web-based front end. The back end is provided by a Microsoft SQL Server database application. Recently, a failure in the front end caused system unavailability for several hours. Joe Healy, the Sales manager, has contacted Allison Brown, the IT manager, and requested that she find a solution for the availability issue.

Exercise 1: Planning for Branch Office High Availability and Data Recovery

Note: Your instructor may run this exercise as a class discussion.

Scenario
Read any of the supporting documentation, and then propose a high-availability solution that meets the requirements in the High Availability for Sales Database document.

The main tasks for this exercise are as follows:
- Read the supporting documentation.
- Update the High Availability for Sales Database document with your proposals.

Supporting Documentation

E-mail thread of correspondence with Alan Steiner:

Gregory Weber
From: Alan Steiner
Sent: 14 February :30
To:
Subject: Re: Sales Database

Greg,

The sales database is currently in the head office only, although that is set to change; we're creating a distributed version of the database later this year. The distributed version will work essentially the same way, but there will be localized versions of the databases replicated among the sales branch offices.

It has a SQL Server back-end, and the front-end is Web-based; IIS provides the front-end access. The actual database is stored on disks attached to an iSCSI SAN.

The outage was caused when the Web server hosting the front end suffered a power supply failure; it just started to smoke and then went offline!

In terms of backup, we currently perform a full backup to tape each Friday using a third-party system; thereafter, we perform incremental backups to tape each work day evening. Of course, SQL Server is performing replication during the working day, so multiple instances of the data do exist. It would be nice to be able to perform the backups more quickly.

Hope all that helps you,
Alan

Original Message
From: Gregory Weber [[email protected]]
Sent: 14 February :29
To: [email protected]
Subject: Sales Database

Alan,

I've got to come up with a solution to that database outage in Sales last month. What can you tell me about it? Also, while I think about it, how is backup handled?

Thanks,
Greg

High Availability for Sales Database

Document Reference Number: GW1602/1
Document Author: Gregory Weber
Date: 16th February

Requirement Overview
- To provide a high-availability solution that ensures that the failure of any single component will not cause the Sales database to become unavailable.
- To ensure that the database is recoverable in the event of multiple disk failures.

Additional Information
- All servers are installed with Windows Server 2008 Enterprise Edition.

Proposals
1. In the current system, what component(s) is a point of failure?
2. For each element, how would you propose to prevent a system failure resulting from a component failure?
3. What Windows Server 2008 role or feature could help provide for each of these proposals?
4. After implementing the roles or features proposed, is there any remaining component that represents a single point of failure?
5. Have you any recommendations regarding this component(s)?

Task 1: Read the supporting documentation
- Read the supporting documentation.

Task 2: Update the High Availability for Sales Database document with your proposals
- Answer the questions in the High Availability for Sales Database document.

Results: After this exercise, you should have a completed High Availability for Sales Database proposal document.

Exercise 2: Implementing the High Availability and Disaster Recovery Plan

Scenario
You will now implement a part of your high-availability and recovery plan.

The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Install NLB and IIS on both SEA-SVR1 and SEA-SVR2.
3. Create a simple Web site on both servers.
4. Create the NLB cluster.
5. Install Windows Server Backup Features and enable Shadow Copies on SEA-SVR1.
6. Secure the backup process.
7. Perform a backup.
8. Test the NLB cluster.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-SVR2, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
7. Log on to 6430B-SEA-SVR2 as ADATUM\Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Install NLB on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Use Server Manager to add the Network Load Balancing feature.

Task 3: Install IIS on SEA-SVR1
1. Use Server Manager to add the Web Server (IIS) server role.
2. Accept defaults during the role installation process.

Task 4: Create a Web site on SEA-SVR1
1. Open a command prompt, and enter the following commands to copy a simple Web site to the local server:

    cd \inetpub\wwwroot
    xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s

2. Close the command prompt.

Task 5: Install NLB on SEA-SVR2
1. Switch to the SEA-SVR2 computer.
2. Use Server Manager to add the Network Load Balancing feature.

Task 6: Install IIS on SEA-SVR2
1. Use Server Manager to add the Web Server (IIS) server role.
2. Accept defaults during the role installation process.

Task 7: Create a Web site on SEA-SVR2
1. Open a command prompt, and enter the following commands to copy a simple Web site to the local server:

    cd \inetpub\wwwroot
    xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s

2. Close the command prompt.

Task 8: Create the NLB cluster
1. Switch to the SEA-DC1 computer and open Server Manager.
2. Add the Network Load Balancing Tools Feature. This is located under Remote Server Administration Tools Feature Administration Tools.
3. Open Network Load Balancing Manager and create a new cluster:
   - In the New Cluster: Connect dialog box, in the Host field, type SEA-SVR1, click Connect, and then click Next.
   - On the Cluster IP Addresses page, click Add.
   - In the Add IP Address dialog box, in the IPv4 address field, type , and press TAB. Then in the Subnet mask field, type Click OK, and then click Next.
   - On the Cluster Parameters page, in the Full Internet name field, type webfarm.adatum.com. Click Multicast, and then click Next.
   - On the Port Rules page, click Edit.
   - In the Add/Edit Port Rule dialog box, in the From field, type 80, and in the To field, type 80. Under Protocols, click TCP. For Affinity, click None. Click OK, and then click Finish.
   - In the console tree, right-click webfarm.adatum.com, and then click Add Host to Cluster.

   - In the Add Host to Cluster: Connect dialog box, in the Host field, type SEA-SVR2, and then click Connect. Click Next.
   - On the Host Parameters page, click Next.
   - On the Port Rules page, click Finish.

Task 9: Configure DNS records
1. Open DNS Manager.
2. Create a new Host Record with the following properties, and then close DNS Manager:
   - Location: Adatum.com zone
   - Name: webfarm
     Note: Only enter the name webfarm; the domain suffix is added automatically.
   - IP address:

Note: You will test the cluster at the end of the exercise.

Task 10: Install the Windows Server Backup features
1. Switch to the SEA-SVR1 computer.
2. Use Server Manager to add the Windows Server Backup Features server feature.
3. Close Server Manager.

Task 11: Enable shadow copies
1. Click Start, click Computer, right-click Local Disk (C:), and then click Configure Shadow Copies.
2. Enable shadow copies.

3. Modify the shadow copy schedule to include both Saturdays and Sundays.
4. Create a manual shadow copy.

Task 12: Verify the presence of previous versions of the Web site
1. In Windows Explorer, double-click Local Disk (C:), double-click inetpub, right-click wwwroot, and then click Properties.
2. Verify that there are previous versions listed.

Task 13: Establish groups to secure the backup process
1. Open Server Manager once more.
2. In Server Manager, expand Configuration, expand Local Users and Groups, and then click Groups.
3. Modify the local Backup Operators group to include the member Joe from the Adatum.com domain.
4. Log off.

Task 14: Perform a backup of the branch server
1. Log on to 6430B-SEA-SVR1 as ADATUM\Joe with the password Pa$$w0rd.
2. Load Windows Server Backup.
3. Perform a one-off backup with the following properties:
   - Backup configuration: Custom
   - Destination: \\sea-dc1\public
   - Advanced option: Vss copy backup (recommended)
4. After the backup has started, close Windows Server Backup.
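The local group changes made on SEA-SVR1 in these labs (Administrators, Remote Desktop access, and Backup Operators in Task 13) can be reviewed in one pass. The following is an added example, not part of the lab: it lists the members of those three built-in groups through the ADSI WinNT provider and marks domain user accounts that are direct members, so the result can be compared with the group-based delegation rule in the corporate security policy. The server and group names are the lab's; the function name is an assumption of this example.

```powershell
# Added example (not part of the lab): list who holds local rights on SEA-SVR1.
# Assumes the lab's server name and the three built-in local groups the
# exercises touch; run it from an account allowed to query the server.
$server = "SEA-SVR1"
$groups = "Administrators", "Remote Desktop Users", "Backup Operators"

function Get-LabLocalGroupMember {            # hypothetical helper name
    param([string]$Computer, [string]$Group)
    $localGroup = [ADSI]("WinNT://$Computer/$Group,group")
    $localGroup.psbase.Invoke("Members") | ForEach-Object {
        # Members are raw COM objects; read their properties via reflection.
        $type  = $_.GetType()
        $path  = $type.InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        $class = $type.InvokeMember("Class",   "GetProperty", $null, $_, $null)
        # Local accounts carry a "/<computer>/" segment in their ADsPath;
        # domain principals look like WinNT://ADATUM/<name>.
        $isLocal = ($path -like "*/$Computer/*")
        New-Object PSObject -Property @{
            Group   = $Group
            Member  = ($path -replace "^WinNT://", "")
            Class   = $class
            IsLocal = $isLocal
        }
    }
}

$members = foreach ($name in $groups) { Get-LabLocalGroupMember $server $name }

$members | Sort-Object Group, Member |
    Format-Table Group, Member, Class, IsLocal -AutoSize

# Domain *user* accounts placed straight into a local group, rather than
# reaching it through a domain group such as Sales-Admins.
$directUsers = @($members | Where-Object { $_.Class -eq "User" -and -not $_.IsLocal })
foreach ($m in $directUsers) {
    Write-Warning ("{0} is a direct member of {1}" -f $m.Member, $m.Group)
}
"{0} member(s) listed; {1} domain user(s) added directly." -f `
    @($members).Count, $directUsers.Count
```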

Task 15: Test the NLB cluster
1. Switch to the SEA-DC1 computer.
2. Open Microsoft Internet Explorer.
3. In the Internet Explorer address bar, type and then press ENTER. The A Datum Intranet appears.
4. Turn off the SEA-SVR1 computer. In the Close box, select Turn off machine and discard changes. Click OK.
5. On SEA-DC1, type and then press ENTER.

Note: Even though an NLB Cluster member is unavailable, the Web site is still available.

Results: After this exercise, you should have successfully implemented your high-availability and recovery plan.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 11
Lab Instructions: Planning Virtualization

Contents:
Exercise 1: Creating a Virtualization Plan
Exercise 2: Implementing Virtualization (Optional)

Lab: Planning Virtualization

Note: Your instructor may run this lab as a class discussion.

Exercise 1: Creating a Virtualization Plan

Scenario
A. Datum Corporation has an IT management committee that is responsible for overall technology direction. The committee recently asked you to provide them with an overview of server virtualization benefits. Several weeks after that presentation, you are approached by your manager to create a plan for a pilot project for implementing Hyper-V as a virtualization host in your data center. Your manager has sent you an e-mail detailing the overall requirements for the project and a list of servers. You need to create a plan for the pilot project.

The main tasks for this exercise are as follows:
- Read the supporting documentation.
- Create a plan for a virtualization pilot project.

Supporting Documentation

E-mail thread of correspondence with Allison Brown:

Gregory Weber
From: Allison Brown [[email protected]]
Sent: 4 Aug :22
To: [email protected]
Attachments: Servers.doc
Subject: Security Plan for Finance Application

Greg,

Thanks again for taking the lead on this project. I need my most knowledgeable server person to take care of this for me. I really don't trust anyone else to come up with the right answers.

The IT management committee likes the idea of beginning to virtualize our servers. The cost savings and flexibility were very compelling for them.

I need you to come up with a plan for our pilot project. We have a limited budget, so the pilot will involve only a single host for now, and try to keep the requirements somewhat modest. What I need in the plan is:
- Which servers will be virtualized?
- How will those servers be virtualized?
- Why were those servers selected?
- Do we need any additional tools besides Hyper-V?
- What are the hardware specifications for the server?
- Which operating system should be used on the hosts?

I've attached a list of our servers and their specification to get you started.

Regards
Allison

Servers.doc

Name            Purchase date   Processor utilization   Memory utilization   Disk space
ExchangeNode1   July            %                       3 GB                 120 GB
ExchangeNode2   July            %                       500 MB               20 GB
FinanceApp      June            %                       1.5 GB               30 GB
SQLProd         Sept            %                       2 GB                 80 GB
PServer         Feb             %                       500 MB               7 GB
File1           Feb             %                       500 MB               200 GB
PayrollApp      Oct             %                       500 MB               20 GB
Terminal        June            %                       1.5 GB               30 GB
SQLTest         Nov             %                       1 GB                 80 GB
Billing         Mar             %                       1 GB                 40 GB

Notes:
- ExchangeNode1 and ExchangeNode2 are part of a cluster.
- PayrollApp is used only twice a month for submitting payroll information to the bank.
- SQLProd is used by applications in production.
- SQLTest is used only by technical support staff when testing updates to applications.
- Billing is used each day to perform time tracking and is considered mission critical.

Task 1: Read the supporting documentation
- Read the supporting documentation. Determine if you need any more information and ask your instructor to clarify if required.

Task 2: Create a plan for a virtualization pilot project
- Which servers will be virtualized?
- Why were those servers selected?
- How will those servers be virtualized?
- Do we need any additional tools besides Hyper-V?
- What are the hardware specifications for the server?
- Which operating system should be used on the host?

Results: After this exercise, you should have a completed plan for a virtualization pilot project.

Exercise 2: Implementing Virtualization (Optional)

Scenario
After completing your plan for a virtualization pilot project, you need to install and configure a Hyper-V host. Then you need to create a virtual machine to test the functionality of the host.

The main tasks for this exercise are as follows:
1. Configure the computer BIOS for Hyper-V.
2. Install Windows Server 2008 on the host.
3. Install the Hyper-V role update.
4. Install the Hyper-V role.
5. Create a new virtual machine.
6. Install Windows Server 2008 in the virtual machine.

Note: The BIOS configuration steps in this exercise are correct for a Dell Optiplex 755 with an Intel processor. The steps may vary depending on the model of the computer you are using, BIOS revision, and the processor type. For example, the name of specific settings may be different or already enabled. Ask your instructor for help if required.

Task 1: Configure the computer BIOS for Hyper-V
1. Enter the computer BIOS setup.
2. Enable support for Hyper-V in the BIOS settings.
   - Virtualization: On
   - VT for Direct I/O: On
   - Trusted Execution: Off
   - Execute Disable: On
3. Save the changes to the BIOS settings.

Task 2: Install Windows Server 2008 on the host
1. Start your computer by using the Windows Server 2008 installation DVD.
   Note: You will be provided with the software required to complete this lab from your instructor. It may or may not be a DVD.
2. Install Windows Server 2008 Enterprise edition (x64).
   - Language: US English
   - Do not activate automatically online
   - Version: Windows Server 2008 (Full Installation) x64
   - Accept the license agreement
   - Delete any existing partitions
   - Select Disk 0 for installation
   - Enter Pa$$w0rd as the password
3. Configure the host name as SEA-HOSTx, where x is a number assigned by your instructor.

Task 3: Install the Hyper-V role update
1. Log on as Administrator with the password Pa$$w0rd.
2. Copy the Hyper-V update, Windows6.0-KB x64.msu, to the computer.
3. Run Windows6.0-KB x64.msu.

Task 4: Install the Hyper-V role
1. Log on as Administrator with the password Pa$$w0rd.
2. Use the Server Manager console to install the Hyper-V role.
   - Network adapter: Local Area Connection

Task 5: Create a new virtual machine
- Use the Hyper-V Manager console to create a new virtual machine.
   - Name: SEA-VMx, where x is a number assigned by your instructor
   - Memory: 1024
   - Network: your network card
   - Virtual hard disk settings: default

Task 6: Install Windows Server 2008 on the virtual machine
1. Start the virtual machine by using the Windows Server 2008 installation DVD.
2. Install the Windows Server 2008 Enterprise edition (x64).
   - Language: US English
   - Do not activate automatically online
   - Version: Windows Server 2008 (Full Installation) x64
   - Accept the license agreement
   - Select Disk 0 for installation
   - Enter password as Pa$$w0rd
3. Install Hyper-V Integration Services from the Action menu.

Results: After this exercise, you should have successfully implemented a Hyper-V host and created a virtual machine.

Module 1
Lab Answer Key: Planning Windows Server 2008 Deployment

Contents:
Exercise 1: Creating a Planning Flowchart for a Windows Server 2008 Deployment
Exercise 2: Planning a Windows Server 2008 Deployment

Lab: Planning a Windows Server 2008 Deployment

Exercise 1: Creating a Planning Flowchart for a Windows Server 2008 Deployment

Task 1: Read the supporting documentation
- Read the supporting documentation.

Task 2: Create the flowchart
1. On a piece of paper, generate a list of relevant criteria that must be considered during the upgrade or migration process.
   - Is new hardware available?
   - Does downtime window allow for data to be migrated to a new server?
   - Is testing of the new server required before placing into production?
   - Is the hardware 64-bit?
   - Are there 64-bit drivers for the hardware?
   - Is the existing operating system 32-bit or 64-bit?
   - Is server core being implemented?
   - Are there applications running on the server?
   - Are the applications compatible with Windows Server 2008?
   - Are the applications compatible with a 64-bit environment?
   - Is cross-file Distributed File System (DFS) replication required?
   - Is failover clustering required?

   - Is hot add memory required?
   - How much RAM is required?
   - Will this be a virtualization host with more than four guests?
2. Use the list of criteria you have generated to create a flowchart for determining whether to upgrade or migrate.
3. Use the list of criteria you have generated to create a flowchart for determining which edition of Windows Server 2008 you should use.


4. Use the list of criteria you have generated to create a flowchart for determining whether to use a 32-bit or 64-bit operating system.


Results: After this exercise, you should have created flowcharts to help to determine how to upgrade or migrate an existing server to Windows Server 2008.

Exercise 2: Planning a Windows Server 2008 Deployment

Task 1: Create a deployment plan for the archive file server
- Read the supporting documentation.
- Answer the questions in the Deployment Plan for the archive server.

Deployment Plan: Archive File Server

Document Reference Number: GW0688/1
Document Author: Gregory Weber
Date: 20th July

Requirement Overview
- This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the more efficient file-sharing protocols in Windows Server
- The archive file server is used to store older data that is accessed only occasionally. Extended outages are possible with notification.
- It is used only as a file server. It has no other functions.
- The hardware is relatively new, and no new hardware has been allocated for this server.

Additional Information
- This server is currently running a 32-bit version of Windows Server 2003 R2.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
   Answer: Because no new hardware has been allocated, this server must be upgraded. The file server role is a limited risk for upgrading. It should be recognized by the upgrade process.
2. Which edition of Windows Server 2008 will be used?
   Answer: Windows Server 2008 Standard can be used. There are no requirements that necessitate the use of Windows Server 2008 Enterprise or Datacenter.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
   Answer: A 32-bit version of Windows Server 2008 will be used, because you cannot upgrade between processor architectures.

Task 2: Create a deployment plan for the main file server
Read the supporting documentation.
Answer the questions in the Deployment Plan for the main file server.

Deployment Plan: Main File Server
Document Reference Number: GW0689/1
Document Author: Gregory Weber
Date: 20th July

Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the more efficient file-sharing protocols in Windows Server The main file server is mission critical and cannot be taken out of production during business hours. Downtime must be limited to less than one day. It is used only as a file server. It has no other functions. This server should support cross-file replication for DFS. This may be implemented in the future to support remote offices, and the cross-file replication will reduce synchronization traffic on the WAN. Data for this file server is stored on a Fiber Channel Storage Area Network (SAN). New hardware has been allocated for this server if required.

Additional Information
Clients access this file server through mapped drive letters that are created by a logon script.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
Answer: New hardware has been allocated, so this server should be migrated.
2. Which edition of Windows Server 2008 will be used?
Answer: This server will use Windows Server 2008 Enterprise to support the use of cross-file replication for DFS.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: There is no indication of any reason not to use 64-bit, so a 64-bit operating system should be used.
4. How will downtime be minimized?
Answer: Even though there is a large amount of data, the migration of this data is not a concern. The data is stored on a SAN, and the new server can point at the existing storage on the SAN. Clients can be directed to the new server by updating their logon script.

Task 3: Create a deployment plan for the antivirus server
Read the supporting documentation.
Answer the questions in the Deployment Plan for the antivirus server.

Deployment Plan: Antivirus Server
Document Reference Number: GW0690/1
Document Author: Gregory Weber
Date: 25th July

Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to standardize the server operating systems. The antivirus server can experience an outage of 24 hours without impacting clients. New hardware has been allocated for this server.

Additional Information
The antivirus application has not been tested by the vendor in 64-bit environments and is not supported in 64-bit environments.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
Answer: New hardware has been allocated for this server. So, it should be migrated.
2. Which edition of Windows Server 2008 will be used?
Answer: Windows Server 2008 Standard can be used because there are no requirements that necessitate the use of Windows Server 2008 Enterprise or Datacenter.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: A 32-bit version of Windows Server 2008 should be used, because the antivirus application is not supported on a 64-bit operating system. When 64-bit support is available, an upgrade to a 64-bit version of Windows Server 2008 can be considered.

Task 4: Create a deployment plan for the human resources application server
Read the supporting documentation.
Answer the questions in the Deployment Plan for the human resources application server.

Deployment Plan: Human Resources Application Server
Document Reference Number: GW0691/1
Document Author: Gregory Weber
Date: 25th July

Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the performance improvements in IIS 7. The existing server is consistently short on memory, and a new server with 8GB of memory has been allocated to address this. The application data is also stored on this server and must be taken into account. There can be no downtime during business hours. The new server should support failover clustering, as it is being considered for the future.

Additional Information
None

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
Answer: A new server has been allocated with additional memory. A migration should be performed.
2. Which edition of Windows Server 2008 will be used?
Answer: The memory requirement is 8 GB. This is possible with a 64-bit version of Windows Server 2008 Standard. However, Windows Server 2008 Enterprise is required to support failover clustering.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: A 64-bit version of Windows Server 2008 should be used to best access the 8 GB of memory.
4. What process will you use to minimize downtime?
Answer: To minimize downtime, the new server should be implemented in parallel with the existing server. After the new server has been thoroughly tested, then you can perform a final data migration. Downtime is only required for the final data migration.

Results: After this exercise, you should have created a deployment plan for the archive file server, the main file servers, the antivirus server, and the human resources application server.

Module 2
Lab Answer Key: Planning Network Infrastructure for Windows Server 2008

Contents:
Exercise 1: Determining an Appropriate Network Addressing Scheme
Exercise 2: Planning the Placement of Network Servers
Exercise 3: Implementing the Planned Network Services

Lab: Planning Network Infrastructure for Windows Server 2008

Exercise 1: Determining an Appropriate Network Addressing Scheme

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Update the Branch Office Network Infrastructure Plan: IPv4 Addressing document.

Branch Office Network Infrastructure Plan: IPv4 Addressing
Document Reference Number: GW0709/1
Document Author: Gregory Weber
Date: 25th July

Requirement Overview
Design an IPv4 addressing scheme for the Adatum western regional branch sales offices, shown in the exhibit. The block address /21 has been reserved for this region. You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25% growth of hosts in each branch. For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet.

Additional Information
You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch.

Proposals
1. How many subnets do you envisage requiring for this region?
Answer: There are 300 computers in the region. The specification states that around 50 computers should be deployed in each subnet. We also need to plan for growth of around 25%. Six subnets are required in the region to host computers, but an additional subnet per location should be planned for to host the growth in computers. This is a total of nine subnets.
2. How many hosts will you deploy in each subnet?
Answer: The specification states we must deploy a maximum of 50 host computers per subnet.
3. What subnet mask will you use for each branch?
Answer: The current network address for the region is /21. This leaves 11 bits to allocate to subnets and hosts. To express 9 subnets, we would require 4 bits, as 3 bits only provides for 8 subnets. 4 bits actually provides for 16 subnets, which is plenty. This is a decimal mask of
4. What are the subnet addresses for each branch?
Answer:
Branch 1: / / /25
Branch 2: / / /25
Branch 3: / / /25
5. What range of host addresses are in each branch?
Answer:
Branch 1: > > >
Branch 2: > > >
Branch 3: > > >

Results: After this exercise, you should have a completed IP addressing plan for the western region branch offices.

Exercise 2: Planning the Placement of Network Servers

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.

Branch Office Network Infrastructure Plan: Network Services
Document Reference Number: GW0709/2
Document Author: Gregory Weber
Date: 25th July

Requirement Overview
Specify which network services are required in each sales office, and any changes that might be required in the head office to facilitate your proposals.

Additional Information
It is important that any router, server, or communications link failure does not adversely affect users.

Proposals
1. How many DHCP servers do you propose to deploy in the region?
Answer: Assuming that the routers are all RFC-compliant, there is no need to deploy DHCP servers in each subnet. Perhaps one DHCP server in each location would be sufficient. For fault tolerance, duplicate scopes configured at the head office DHCP server, with appropriate exclusions to support the 80/20 rule, would provide for addressing fault tolerance.
2. Where do you propose to deploy these servers?
Answer: One DHCP server in each regional office.
3. What name resolution services are required?
Answer: Both DNS and NetBIOS name resolution are required.
4. To support the DNS name space in the sales division, how would you propose to configure DNS?
Answer: There are two choices:
a. Configure a subdomain for sales in the existing Adatum.com DNS name space. Then create sufficient DNS servers for deployment to the region as secondary servers of the Adatum.com zone.
b. Create a delegation for the sales.adatum.com zone in the Adatum.com zone. Provide at least two name servers to support this delegated zone.
5. Will you require WINS?
Answer: Possibly.
6. If so, how many WINS servers will you require for the region?
Answer: Probably two, configured as replicas.
7. If not, how do you propose to support single-label names?
Answer: Instead of WINS, the GNZ could be used.

Results: After this exercise, you should have a completed plan for the deployment of network services in the western regional branch offices.
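The subnet arithmetic from Exercise 1 and the 80/20 scope split from Exercise 2 can be checked in code. The following Python is an added example, not part of the lab material: the block 10.10.0.0/21 is a constructed placeholder, and the consecutive allocation of subnets to branches and the single reserved router address per subnet are assumptions.

```python
import ipaddress
import math


def plan_subnets(block, branches, subnets_per_branch, hosts_per_subnet, growth=0.25):
    """Carve `block` into equal subnets and hand them to branches in order."""
    net = ipaddress.ip_network(block)
    total = branches * subnets_per_branch
    # Bits needed to number the subnets: 9 subnets need 4 bits (3 bits give only 8).
    subnet_bits = (total - 1).bit_length()
    prefix = net.prefixlen + subnet_bits
    if prefix > 30:
        raise ValueError("block %s is too small for %d subnets" % (net, total))
    subnets = list(net.subnets(new_prefix=prefix))
    usable = subnets[0].num_addresses - 2  # minus network and broadcast addresses
    needed = math.ceil(hosts_per_subnet * (1 + growth))
    if needed > usable:
        raise ValueError("%d hosts needed but only %d usable per subnet" % (needed, usable))
    plan = {}
    for b in range(branches):
        chunk = subnets[b * subnets_per_branch:(b + 1) * subnets_per_branch]
        # (subnet, first host address, last host address)
        plan["Branch %d" % (b + 1)] = [(str(s), str(s[1]), str(s[-2])) for s in chunk]
    return {"prefix": prefix, "mask": str(subnets[0].netmask), "usable": usable,
            "needed": needed, "spare": len(subnets) - total, "branches": plan}


def split_80_20(subnet, reserved=1):
    """Divide one subnet's lease pool between the branch DHCP server (80%) and
    the head office server (20%). Both servers define the same scope; each one
    excludes the range the other serves, so no address is leased twice.
    `reserved` leading addresses (assumed: the router) are served by neither."""
    pool = list(ipaddress.ip_network(subnet).hosts())[reserved:]
    cut = len(pool) * 8 // 10
    local, remote = pool[:cut], pool[cut:]
    if not local or not remote:
        raise ValueError("pool too small to split")
    return {"branch_serves": (str(local[0]), str(local[-1])),
            "head_office_serves": (str(remote[0]), str(remote[-1]))}


def leases_overlap(range_a, range_b):
    """True if two (first, last) lease ranges share an address, which would let
    two DHCP servers hand out the same IP."""
    a0, a1 = (int(ipaddress.ip_address(x)) for x in range_a)
    b0, b1 = (int(ipaddress.ip_address(x)) for x in range_b)
    return a0 <= b1 and b0 <= a1


if __name__ == "__main__":
    # Constructed placeholder block; substitute the /21 reserved for the region.
    result = plan_subnets("10.10.0.0/21", branches=3, subnets_per_branch=3,
                          hosts_per_subnet=50)
    print("/%d mask %s, %d usable hosts, %d spare subnets"
          % (result["prefix"], result["mask"], result["usable"], result["spare"]))
    for branch, rows in result["branches"].items():
        for subnet, first, last in rows:
            print(branch, subnet, first, "->", last, split_80_20(subnet))
```
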

Exercise 3: Implementing the Planned Network Services

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Deploy the DHCP Server role on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the console, click Roles.
4. In the results pane, under Roles Summary, click Add Roles.
5. In the Add Roles Wizard, click Next.
6. On the Select Server Roles page, in the Roles list, select the DHCP Server check box, and then click Next.
7. On the DHCP Server page, click Next.
8. On the Select Network Connection Bindings page, click Next.
9. On the Specify IPv4 DNS Server Settings page, in the Preferred DNS Server IPv4 Address box, type , and then click Next.
10. On the Specify IPv4 WINS Server Settings page, click Next.
11. On the Add or Edit DHCP Scopes page, click Next.
12. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server, and then click Next.

13. On the Authorize DHCP Server page, click Next.
14. On the Confirm Installation Selections page, click Install.
15. On the Installation Results page, click Close.

Task 3: Configure the primary DHCP scope for subnet 1
1. Click Start, click Administrative Tools, and then click DHCP.
2. In the DHCP Console, expand sea-svr1.adatum.com, expand IPv4, and then click IPv4.
3. Right-click IPv4, and then click New Scope.
4. In the New Scope Wizard, click Next.
5. On the Scope Name page, in the Name box, type Branch 1 subnet 1 scope 1, and then click Next.
6. On the IP Address Range page, in the Start IP address box, type
7. In the End IP address box, type
8. In the Length box, type 25, and then click Next.
9. On the Add Exclusions page, in the Start IP address box, type
10. In the End IP address box, type , click Add, and then click Next.
11. On the Lease Duration page, click Next.
12. On the Configure DHCP Options page, click Next.
13. On the Router (Default Gateway) page, in the IP address box, type , click Add, and then click Next.
14. On the Domain Name and DNS Servers page, click Next.
15. On the WINS Servers page, click Next.
16. On the Activate Scope page, click Next, and then click Finish.

Task 4: Configure the secondary DHCP scope for subnet 2
1. Right-click IPv4, and then click New Scope.
2. In the New Scope Wizard, click Next.
3. On the Scope Name page, in the Name box, type Branch 1 subnet 2 scope 2, and then click Next.
4. On the IP Address Range page, in the Start IP address box, type
5. In the End IP address box, type
6. In the Length box, type 25, and then click Next.
7. On the Add Exclusions page, in the Start IP address box, type
8. In the End IP address box, type , click Add, and then click Next.
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Next.
11. On the Router (Default Gateway) page, in the IP address box, type , click Add, and then click Next.
12. On the Domain Name and DNS Servers page, click Next.
13. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Next, and then click Finish.

Task 5: Create a subdomain in DNS
1. Switch to the SEA-DC1 computer.
2. Click Start, click Administrative Tools, and then click DNS.
3. In DNS Manager, expand Forward Lookup Zones, and then expand Adatum.com.
4. Right-click Adatum.com, and then click New Domain.
5. In the New DNS Domain dialog box, in the text box, type sales, and then click OK.

Task 6: Configure zone transfers for the Adatum.com zone
1. Right-click Adatum.com, and then click Properties.
2. Click the Zone Transfers tab.
3. Select the Allow zone transfers check box, and then click OK.

Task 7: Deploy the DNS role on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Switch to Server Manager.
3. In Server Manager, click Add Roles, and then click Next.
4. On the Select Server Roles page, in the Roles list, select the DNS Server check box, and then click Next.
5. On the DNS Server page, click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Task 8: Configure a secondary zone on SEA-SVR1
1. Click Start, click Administrative Tools, and then click DNS.
2. In DNS Manager, expand SEA-SVR1, and then expand Forward Lookup Zones.
3. Right-click Forward Lookup Zones, and then click New Zone.
4. Click Next, and on the Zone Type page, click Secondary zone, and then click Next.
5. On the Zone Name page, in the Zone name box, type Adatum.com, and then click Next.
6. On the Master DNS Servers page, in the IP Address list, type , and then press ENTER.
7. Click Next, and then click Finish.
8. In DNS Manager, expand the Adatum.com zone.

Task 9: Enable the WINS feature, and configure DNS/WINS integration
1. Switch to Server Manager.
2. In the console, click Features.
3. In the results pane, click Add Features.
4. In the Features list, select the WINS Server check box, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Results page, click Close.
7. Switch to the SEA-DC1 computer.
8. In DNS Manager, right-click Adatum.com, and then click Properties.
9. Click the WINS tab, and then select the Use WINS forward lookup check box.
10. In the IP address box, type , press Add, and then click OK.
11. Switch to the SEA-SVR1 computer.
12. In DNS Manager, right-click Adatum.com, and then click Transfer from Master.
Note: You might need to wait a few moments before you see the WINS record. Press Refresh if needed.

Task 10: Configure DHCP options to support the deployed services
1. Switch to the DHCP console.
2. Right-click Server Options, and then click Configure Options.
3. In the Available Options list, select the 006 DNS Servers check box.
4. In the IP address box, type , and then click Add.
5. In the Available Options list, select the 015 DNS Domain Name check box.

6. In the String value box, type sales.adatum.com, and then click Apply.
7. In the Available Options list, select the 044 WINS/NBNS Servers check box.
8. In the IP address box, type , click Add, and then click OK.

Results: After this exercise, you should have successfully deployed branch office network services.

To prepare for the next module
For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
In the Close box, select Turn off machine and discard changes. Click OK.

Module 3
Lab Answer Key: Planning for Active Directory

Contents:
Exercise 1: Selecting a Forest Topology
Exercise 2: Planning Active Directory for a Branch Network
Exercise 3: Deploying a Branch Domain Controller

Lab: Planning for Active Directory

Exercise 1: Selecting a Forest Topology

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Contoso Domain Migration document with your planned forest topology
Answer the questions in the Contoso Domain Migration document.

Contoso Domain Migration
Document Reference Number: GW0809/1
Document Author: Gregory Weber
Date: 5th August

Requirement Overview
To devise an appropriate forest and domain topology for the merged companies.

Additional Information
The new company will continue to operate with dual names; that is, the Adatum and Contoso brands are equally important. It is anticipated that the existing Windows NT 4.0 domain controllers and server will be replaced as part of the migration process.

Proposals
1. Do you intend to upgrade the domain controllers in the Contoso network to Windows Server 2008?
Answer: Answers will vary. It seems sensible to base the plan on the assumption that the domain controllers will be upgraded. This means that an AD DS solution can be implemented. If you do not intend to upgrade the domain controllers, it will be necessary to establish multiple external trust relationships between the AD DS domains in Adatum and the Windows NT 4.0 domain in Contoso.
2. How many forests do you anticipate?
Answer: Answers will vary; either one or two forests. You could implement a single forest that supports two trees: Adatum.com and Contoso.com. Alternatively, you could implement two forests, one for each organization. The choice largely depends on how administration is to be effected in the merged organization; if the two parts of the organization are to be separately administered, then opt for two forests; otherwise, select one forest.
3. How many domains do you plan to implement?
Answer: Answers will vary. Currently, Adatum has a single domain. There is no compelling reason the existing Windows NT 4.0 resource domains in Contoso could not be merged into a single AD DS domain, and use organizational units to manage resources.
4. How many trees do you envisage?
Answer: Answers will vary. Either a single tree per forest if you select two forests, or else two trees in a single Adatum.com forest: Adatum.com and Contoso.com.
5. What trust relationships, aside from those created automatically, will you require?
Answer: Answers will vary. Assuming that you opt for a single forest, no additional trusts are required. If you opted for two forests, then a pair of forest root trusts would be required. If you opted to remain in Windows NT 4.0 mode, then many trusts would be required; without additional information, it is difficult to assess precisely how many. Remember that in Windows NT, trusts are one-way and non-transitive.
6. Provide a sketch of the completed forest.
Answer: A possible solution consisting of a single forest of two trees:

Results: After this exercise, you should have a completed Contoso Domain Migration document.

Exercise 2: Planning Active Directory for a Branch Network

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Branch Office Planning document with your proposals
Answer the questions in the Branch Office Planning document.

Branch Office Planning
Document Reference Number: GW0809/2
Document Author: Gregory Weber
Date: 1st September

Requirement Overview
To determine the placement and configuration of domain controllers and related services at the western region sales offices.

Additional Information
It is important that in the event of a link failure between the head office and branch offices, users are still able to log on to the network and access services.

Proposals
1. Do you intend to deploy a domain controller(s) in the branch offices? How many?
Answer: Yes, one domain controller per branch.
2. Will you deploy an RODC(s)?
Answer: The need for security is important; an RODC provides for a more secure way of deploying a domain controller.
3. How will you optimize the directory replication for the branches?
Answer: Each branch will be represented in Active Directory by a site object.
4. How will domain controllers know in which branch they are located?
Answer: Subnet objects should also be created and associated with a site. The domain controllers, and other computers, use their IP configuration to determine their site location in Active Directory.
5. Do you anticipate the need for global catalog services?
Answer: Yes. Many services require access to global catalog.
6. How will you configure global catalog and DNS?
Answer: An RODC can support the global catalog and DNS role.
7. What additional Active Directory related services are required to support the branch office line-of-business applications?
Answer: A line-of-business application requires access to a directory service. AD LDS might be suitable.

Results: After this exercise, you should have a completed Branch Office Planning document.

Exercise 3: Deploying a Branch Domain Controller

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Raise the domain functional level
1. Switch to the SEA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In the console, right-click Adatum.com, and then click Raise domain functional level.
4. In the Raise domain functional level dialog box, in the Select an available domain functional level list, click Windows Server 2008, and then click Raise.
5. In the Raise domain functional level dialog box, click OK.
6. In the subsequent Raise domain functional level dialog box, click OK.
7. Close Active Directory Users and Computers.

Task 3: Raise the forest functional level
1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. In the console, right-click Active Directory Domains and Trusts [SEA-DC1.Adatum.com], and then click Raise Forest Functional Level.
3. In the Raise forest functional level dialog box, in the Select an available forest functional level list, click Windows Server 2008, and then click Raise.
4. In the Raise forest functional level dialog box, click OK.
5. In the subsequent Raise forest functional level dialog box, click OK.
6. Close Active Directory Domains and Trusts.

Task 4: Create the Redmond site
1. On the SEA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console, expand Sites, right-click Sites, and then click New Site.
3. In the New Object - Site dialog box, in the Name box, type Redmond.
4. In the Link Name list, click DEFAULTIPSITELINK, and then click OK.
5. In the Active Directory Domain Services dialog box, click OK.

Task 5: Configure the replication interval
1. In the console, expand Inter-Site Transports, expand IP, and then click IP.
2. In the results pane, in the list, right-click DEFAULTIPSITELINK, and then click Properties.
3. In the DEFAULTIPSITELINK Properties dialog box, in the Replicate every list, type 15 and then click OK.

Task 6: Create the /16 subnet
1. In the console, right-click Subnets, and then click New Subnet.
2. In the New Object - Subnet dialog box, in the Prefix box, type /
3. In the Site Name list, click Redmond, and then click OK.
4. Close Active Directory Sites and Services.

Task 7: Prepare the forest for the RODC
1. On SEA-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type D:, and then press ENTER.
3. At the command prompt, type cd\labfiles\mod03\adprep, and then press ENTER.
4. At the command prompt, type adprep /rodcprep, and then press ENTER.
5. Close the command prompt.

Task 8: Promote a new domain controller for the branch office
1. Switch to the SEA-SVR1 computer.
2. Click Start, and in the Start Search box, type dcpromo, and then press ENTER.
3. In the Active Directory Domain Services Installation Wizard, select the Use advanced mode installation check box, and then click Next.
4. On the Operating System Compatibility page, click Next.
5. On the Choose a Deployment Configuration page, click Existing forest, and then click Next.
6. On the Network Credentials page, click Next.

7. On the Select a Domain page, click Next.
8. On the Select a Site page, click Next.
9. On the Additional Domain Controller Options page, select the Read-only domain controller (RODC) check box, and then click Next.
Note: Leave the other check boxes selected.
10. In the Static IP assignment dialog box, click Yes, the computer will use a dynamically assigned IP address (not recommended).
11. On the Specify the Password Replication Policy page, click Next.
12. On the Delegation of RODC Installation and Administration page, click Next.
13. On the Install from Media page, click Next.
14. On the Source Domain Controller page, click Next.
15. On the Location for Database, Log Files, and SYSVOL page, click Next.
16. On the Directory Services Restore Mode Administrator Password page, in the Password box, type Pa$$w0rd.
17. In the Confirm password box, type Pa$$w0rd, and then click Next.
18. On the Summary page, click Next.
19. In the Active Directory Domain Services Installation Wizard, select the Reboot on completion check box.

Task 9: Configure the password replication policy
1. When SEA-SVR1 has restarted, log on to the SEA-SVR1 virtual machine as ADATUM\administrator with a password of Pa$$w0rd.
2. Switch to the SEA-DC1 virtual machine.
3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
4. In the console, expand Domain Controllers.

5. In the results pane, right-click SEA-SVR1, and then click Properties.
6. In the SEA-SVR1 Properties dialog box, click the Password Replication Policy tab.
7. Click Add, and in the Add Groups, Users and Computers dialog box, click Allow passwords for the account to replicate to this RODC, and then click OK.
8. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type SalesGG, click Check Names, and then click OK.
9. In the SEA-SVR1 Properties dialog box, click Apply, and then click Advanced.
10. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click the Resultant Policy tab.
11. Click Add, and in the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Joe, click Check Names, and then click OK.

Task 10: Pre-populate the password cache
1. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click the Policy Usage tab, and then click Prepopulate Passwords.
2. In the Select Users or Computers dialog box, in the Enter the object names to select box, type joe; Jim; Parul; Heiko; Claus, click Check Names, and then click OK.
3. In the Prepopulate Passwords dialog box, click Yes.
4. In the Prepopulate Password Success dialog box, click OK.
5. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click Close.
6. In the SEA-SVR1 Properties dialog box, click OK.
7. Close Active Directory Users and Computers.

Results: After this exercise, you should have successfully deployed an RODC for the Redmond sales office.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 4
Lab Answer Key: Planning for Group Policy

Contents:
Exercise 1: Creating a Group Policy Plan
Exercise 2: Implementing Group Policy

Module 4: Planning Group Policy

Lab: Planning for Group Policy

Exercise 1: Creating a Group Policy Plan

Task 1: Read the supporting documentation
1. Read the supporting documentation.
2. On SEA-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers.
3. Review the Active Directory structure as necessary.
4. Close Active Directory Users and Computers.
5. Click Start, point to Administrative Tools, and click Group Policy Management.
6. Review the existing Group Policy configuration as necessary.
7. Close Group Policy Management.

Task 2: Create an OU structure
Draw a diagram of an OU structure that will allow you to meet the requirements given to you by Allison.

Task 3: Create a list of required GPOs
Create a list of GPOs required to implement the requirements given to you by Allison.

| GPO Name | Settings | Linked to | Filters |
| --- | --- | --- | --- |
| Enforced Security | Block read and write access to removable drives | Domain - Enforced | Security filter: Lab computers group denied apply permission |
| Head office preferences | Drive letter mappings for head office | Head Office | None |
| Branch 1 preferences | Drive letter mappings for branch 1 | Branch 1 | None |
| Branch 2 preferences | Drive letter mappings for branch 2 | Branch 2 | None |
| Branch 3 preferences | Drive letter mappings for branch 3 | Branch 3 | None |
| Branch Sales Applications | Applications for branch sales staff | Branch 1, Branch 2, Branch 3 | Security filter: Branch Sales Group |
| Branch Office Applications | Applications for branch office staff. | Branch 1, Branch 2, Branch 3 | Security filter: Branch Office Group |
| Terminal server | Lockdown desktop; Loopback: Replace mode | Terminal Servers | None |

Results: After this exercise, you should have a completed Group Policy plan for A. Datum.

Exercise 2: Implementing Group Policy

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Create the OU structure
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, if necessary, expand Adatum.com, and then click Adatum.com.
3. Right-click Adatum.com, point to New, and then click Organizational Unit.
4. In the New Object - Organizational Unit window, in the Name box, type Head Office, and then click OK.
5. Right-click Adatum.com, point to New, and then click Organizational Unit.
6. In the New Object - Organizational Unit window, in the Name box, type Branches, and then click OK.
7. Right-click Branches, point to New, and then click Organizational Unit.
8. In the New Object - Organizational Unit window, in the Name box, type Branch1, and then click OK.
9. Right-click Branches, point to New, and then click Organizational Unit.
10. In the New Object - Organizational Unit window, in the Name box, type Branch2, and then click OK.
11. Right-click Branches, point to New, and then click Organizational Unit.
12. In the New Object - Organizational Unit window, in the Name box, type Branch3, and then click OK.

13. Right-click Adatum.com, point to New, and then click Organizational Unit.
14. In the New Object - Organizational Unit window, in the Name box, type Terminal Servers, and then click OK.
15. Close Active Directory Users and Computers.

Task 3: Create the GPO for enforced security
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click Head Office, point to New, and then click Group.
3. In the New Object Group window, in the Group name box, type Lab Computers, and then click OK.
4. Right-click Head Office, point to New, and then click Computer.
5. In the New Object Computer window, in the Computer name box, type Lab1, and then click OK.
6. Click Head Office, right-click Lab1, and then click Add to a group.
7. In the Select Groups window, in the Enter the object names to select box, type Lab Computers, and then click OK.
8. Click OK to close the message stating that the operation was successful.
9. Close Active Directory Users and Computers.
10. Click Start, point to Administrative Tools, and then click Group Policy Management.
11. In Group Policy Management, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
12. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
13. In the New GPO window, in the Name box, type Enforced Security, and then click OK.
14. Right-click Enforced Security, and then click Edit.

15. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Removable Storage Access.
16. In the right pane, double-click Removable Disks: Deny read access.
17. In the Removable Disks: Deny Read Access Properties window, click Enabled, and then click OK.
18. In the right pane, double-click Removable Disks: Deny write access.
19. In the Removable Disks: Deny write access Properties window, click Enabled, and then click OK.
20. Close the Group Policy Management Editor.
21. In the Group Policy Management window, right-click Enforced Security, and then click Enforced.
22. In the left pane, click Enforced Security.
23. In the Group Policy Management Console window, select the Do not show this message again check box, and then click OK.
24. Click the Delegation tab, and then click Advanced.
25. In the Enforced Security Settings window, click Add, type Lab Computers, and then click OK.
26. In the Permissions for Lab Computers area, select the Deny Read check box, and then click OK.
27. In the Windows Security window, click Yes to continue.

Task 4: Create the GPO for Branch1 preferences
1. In the Group Policy Management window, in the left pane, click Group Policy Objects.
2. Right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name box, type Branch1 Preferences, and then click OK.
4. Right-click Branch1 Preferences, and then click Edit.
5. In the Group Policy Management Editor window, under User Configuration, expand Preferences, expand Windows Settings, and then click Drive Maps.

6. Right-click Drive Maps, point to New, and then click Mapped Drive.
7. In the Location box, type \\Branch1Srv\Shared.
8. In the Drive letter area, select drive letter S, and then click OK.
9. Close the Group Policy Management Editor window.
10. In the Group Policy Management window, in the left pane, expand Branches, and then click Branch1.
11. Right-click Branch1, and then click Link an Existing GPO.
12. In the Select GPO window, click Branch1 Preferences, and then click OK.

Task 5: Create the GPOs for applications
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click Branches, point to New, and then click Group.
3. In the New Object Group window, in the Group name box, type Sales Staff, and then click OK.
4. Right-click Branches, point to New, and then click Group.
5. In the New Object Group window, in the Group name box, type Office Staff, and then click OK.
6. Close Active Directory Users and Computers.
7. In the Group Policy Management window, in the left pane, click Group Policy Objects.
8. Right-click Group Policy Objects, and then click New.
9. In the New GPO window, in the Name box, type Sales Applications, and then click OK.
10. Right-click Group Policy Objects, and then click New.
11. In the New GPO window, in the Name box, type Office Applications, and then click OK.
12. In the left pane, expand Group Policy Objects, and then click Sales Applications.

13. In the Security Filtering area, click Authenticated Users, and then click Remove.
14. Click OK to confirm.
15. Click Add, type Sales Staff, and then click OK.
16. In the left pane, click Office Applications.
17. In the Security Filtering area, click Authenticated Users, and then click Remove.
18. Click OK to confirm.
19. Click Add, type Office Staff, and then click OK.
20. Right-click Branch1, and then click Link an Existing GPO.
21. In the Select GPO window, click Sales Applications, and then click OK.
22. Right-click Branch1, and then click Link an Existing GPO.
23. In the Select GPO window, click Office Applications, and then click OK.

Task 6: Create the GPO for Terminal Servers
1. In the Group Policy Management window, right-click Terminal Servers, and then click Create a GPO in this domain, and Link it here.
2. In the New GPO window, in the Name box, type TS Lockdown, and then click OK.
3. Right-click TS Lockdown, and then click Edit.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Group Policy.
5. Double-click User Group Policy loopback processing mode.
6. In the User Group Policy Loopback Processing Mode Properties window, click Enabled. In the Mode box, select Replace, and then click OK.
7. Under User Configuration, expand Policies, expand Administrative Templates, and then click Start Menu and Taskbar.

8. Double-click Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands.
9. On the Setting tab, click Enabled, and then click OK.
10. Double-click Remove Run menu from Start Menu.
11. On the Setting tab, click Enabled, and then click OK.
12. Double-click Add Logoff to the Start Menu.
13. On the Setting tab, click Enabled, and then click OK.
14. Close Group Policy Management Editor.

Task 7: Verify application of policies for Branch1 sales staff
1. In the Group Policy Management window, in the left pane, click Group Policy Modeling.
2. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.
3. In the Group Policy Modeling Wizard window, click Next.
4. On the Domain Controller Selection page, click Next to accept the default setting of Any available domain controller running Windows Server 2003 or later.
5. On the User and Computer Selection page, in the User information area, click Browse.
6. In the Choose User Container window, expand Adatum, expand Branches, click Branch 1, and then click OK.
7. On the User and Computer Selection page, in the Computer information area, click Browse.
8. In the Choose Computer Container window, expand Adatum, expand Branches, click Branch 1, and then click OK.
9. On the User and Computer Selection page, click Next.
10. On the Advanced Simulation Options page, click Next to select no options.

11. On the User Security Groups page, click Add, type Sales Staff, and then click OK.
12. Select the Skip to the final page of this wizard without collecting additional data check box, and then click Next.
13. On the Summary of Selections page, click Next.
14. To view the model, click Finish.
15. In the Branch1 on Branch1 area, under Computer Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs.
    - Default Domain Policy has computer settings and is applied to computers in Branch1.
    - Enforced Security has computer settings and is applied to computers in Branch1.
    - Office Applications is denied due to security filtering. The computer is not a member of the necessary group.
    - Sales Applications is denied due to security filtering. The computer is not a member of the necessary group.
    - Branch1 Preferences is denied because there are no relevant settings for computers. If computer settings are added to Branch1 Preferences, then they would be applied.
16. Under User Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs.
    - Branch1 Preferences has user settings and is applied to users in Branch1.
    - Enforced Security is denied because there are no relevant settings for users. If user settings are added to Enforced Security, then they would be applied.
    - Default Domain Policy is denied because there are no relevant settings for users. If user settings are added to Default Domain Policy, then they would be applied.
    - Office Applications is denied due to security filtering. The user is not a member of the necessary group.
    - Sales Applications is denied because there are no relevant settings for users. After the sales applications are added to the policy, then they will be distributed to members of the Sales Staff group.

Task 8: Verify application of policies for Branch1 sales staff on the Terminal Server
1. In the Group Policy Management window, in the left pane, click Group Policy Modeling.
2. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.
3. In the Group Policy Modeling Wizard window, click Next.
4. On the Domain Controller Selection page, click Next to accept the default setting of Any available domain controller running Windows Server 2003 or later.
5. On the User and Computer Selection page, in the User information area, click Browse.
6. In the Choose User Container window, expand Adatum, expand Branches, click Branch1, and then click OK.
7. On the User and Computer Selection page, in the Computer information area, click Browse.
8. In the Choose Computer Container window, expand Adatum, click Terminal Servers, and then click OK.
9. On the User and Computer Selection page, click Next.
10. On the Advanced Simulation Options page, select the Loopback processing check box, verify that Replace is selected, and then click Next.
11. On the User Security Groups page, click Add, type Sales Staff, and then click OK.
12. Select the Skip to the final page of this wizard without collecting additional data check box, and then click Next.
13. On the Summary of Selections page, click Next.
14. To view the model, click Finish.

15. In the Branch1 on Terminal Servers area, under Computer Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs.
    - Default Domain Policy has computer settings and is applied to computers in Terminal Servers.
    - TS Lockdown has computer settings and is applied to computers in Terminal Servers.
    - Enforced Security has computer settings and is applied to computers in Terminal Servers.
16. Under User Configuration Summary, expand Group Policy Objects, expand Applied GPOs, and expand Denied GPOs.
    - TS Lockdown has user settings and is applied to Branch1 users logging on to the Terminal Server.
    - Default Domain Policy is denied because there are no relevant settings for users. If user settings are added to Default Domain Policy, then they would be applied.
    - Enforced Security is denied because there are no relevant settings for users. If user settings are added to Enforced Security, then they would be applied.
    - Notice that none of the user policies that would typically apply to Branch 1 users are being applied due to loopback replace mode being used. For example, Branch1 Preferences is not being applied.
17. Close Group Policy Management.

Results: After this exercise, you should have successfully implemented group policy.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
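The applied and denied lists that Tasks 7 and 8 read off the Group Policy Modeling Wizard follow from three checks: which containers are in scope, whether security filtering lets the account read and apply the GPO, and whether the GPO has settings for that side. The Python model below is an added example, not part of the Microsoft lab material; the GPO, OU and group names are the lab's, while the container paths, the reason labels and the data model are assumptions, and it also evaluates Lab1 as a member of Lab Computers, a case the lab does not model.

```python
from dataclasses import dataclass

AUTH = "Authenticated Users"  # every simulated user and computer holds this

@dataclass(frozen=True)
class GPO:
    name: str
    computer: bool = False                 # has Computer Configuration settings
    user: bool = False                     # has User Configuration settings
    allow: frozenset = frozenset({AUTH})   # Security Filtering entries
    deny: frozenset = frozenset()          # explicit Deny entry on the GPO

# GPOs as they stand at the end of Exercise 2 (names from the lab).
GPOS = {g.name: g for g in [
    GPO("Default Domain Policy", computer=True),
    GPO("Enforced Security", computer=True, deny=frozenset({"Lab Computers"})),
    GPO("Branch1 Preferences", user=True),
    GPO("Sales Applications", allow=frozenset({"Sales Staff"})),    # no settings yet
    GPO("Office Applications", allow=frozenset({"Office Staff"})),  # no settings yet
    GPO("TS Lockdown", computer=True, user=True),
]}

# GPO links per container. The path notation is an assumption of this model.
LINKS = {
    "Adatum.com": ["Default Domain Policy", "Enforced Security"],
    "Adatum.com/Branches/Branch1": [
        "Branch1 Preferences", "Sales Applications", "Office Applications"],
    "Adatum.com/Terminal Servers": ["TS Lockdown"],
}

def gpos_in_scope(container):
    """GPOs linked to the container or to any of its parents, domain first."""
    parts = container.split("/")
    chain = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return [GPOS[name] for som in chain for name in LINKS.get(som, [])]

def evaluate(container, side, groups):
    """Return (applied, denied) for one side, 'computer' or 'user'."""
    groups = frozenset(groups) | {AUTH}
    applied, denied = [], {}
    for gpo in gpos_in_scope(container):
        if gpo.deny & groups or not gpo.allow & groups:
            denied[gpo.name] = "security filtering"   # checked before content
        elif not getattr(gpo, side):
            denied[gpo.name] = "empty"                # no settings for this side
        else:
            applied.append(gpo.name)
    return applied, denied

def model(user_ou, computer_ou, user_groups=(), computer_groups=(),
          loopback_replace=False):
    """Loopback replace swaps the user's scope for the computer's scope."""
    user_scope = computer_ou if loopback_replace else user_ou
    return {
        "computer": evaluate(computer_ou, "computer", computer_groups),
        "user": evaluate(user_scope, "user", user_groups),
    }

if __name__ == "__main__":
    branch1 = "Adatum.com/Branches/Branch1"
    scenarios = {
        "Task 7": model(branch1, branch1, user_groups={"Sales Staff"}),
        "Task 8": model(branch1, "Adatum.com/Terminal Servers",
                        user_groups={"Sales Staff"}, loopback_replace=True),
        "Lab1": model("Adatum.com/Head Office", "Adatum.com/Head Office",
                      computer_groups={"Lab Computers"}),
    }
    for label, result in scenarios.items():
        for side, (applied, denied) in result.items():
            print(f"{label} {side}: applied={applied} denied={denied}")
```

The model leaves out link order and Enforced precedence because none of the lab's GPOs set conflicting values.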

Module 5 Lab Answer Key: Planning Application Servers

Contents:
Exercise 1: Creating a Plan for Application Servers
Exercise 2: Implementing Windows SharePoint Services
Exercise 3: Implementing Terminal Services

Lab: Planning Application Servers

Exercise 1: Creating a Plan for Application Servers

Task 1: Read the supporting documentation
Read the supporting documentation. Determine if you need any more information and ask your instructor to clarify if required.

Task 2: Create a plan for implementing Windows SharePoint Services

What server roles and features do you think will be required for implementing WSS?
Answer: WSS requires: Web Server (IIS), the .NET Framework 3.0, and ASP.NET enabled.

Do you have any concerns about hardware specifications for the WSS server?
Answer: Application servers with dynamic content such as WSS may have high processor and memory utilization. SQL Server 2008 may also have high processor and memory utilization. These should be closely monitored as the workload continues to grow and this server is moved out of the pilot stage.

How can increasing workloads be accommodated?
Answer: There are two main issues: hardware capacity and database size. As the load on the server grows, the SQL Server database can be moved to a separate server to increase performance. Also SQL Server Express is limited to a 4 GB database. This may not be enough to handle the data stored in WSS as site usage begins to grow. An upgrade to SQL Server Standard Edition may be required.

What sort of maintenance schedule will WSS require?
Answer: A maintenance window for WSS will need to be defined. The exact time of the maintenance windows will have to be negotiated with the users of WSS. The maintenance window should be outside of normal business hours so that it does not interfere with use of the application.

How will we ensure that this server and WSS are secure?
Answer: To secure any application server, you should ensure that only required components are installed. In addition, an SSL certificate should be implemented on the server to encrypt communication. The subject name for the certificate needs to match the server name used in the URL for accessing the SharePoint site.

How can we simplify access to WSS for internal users?
Answer: Using Windows integrated authentication allows users to authenticate to WSS without entering their credentials. The credentials used on the workstation will automatically be passed up to WSS. This simplifies logon for the users.

How should WSS be backed up?
Answer: WSS stores data in a SQL Server database. You can use backup software with a SQL Server agent to back up the database. Or you can use a maintenance plan to back up the database to disk and then back up the file by using your backup software. In addition, some backup software has a WSS agent available that simplifies the restore of specific data components rather than the whole database. You can perform a full backup each day while the volume of data is relatively small. When the server holds a large amount of data, you may need to start using incremental backups to shorten the backup time.

Task 3: Create a plan for implementing Terminal Services

What are the benefits of using Terminal Services for the financial application?
Answer: In this scenario, Terminal Services provides two benefits: ease of updates and faster remote access. It is easier to perform application updates on a single Terminal Server rather than many client computers. For remote users accessing data over a WAN link, the application will run much faster from the Terminal Server that is located close to the data.

Are there any drawbacks to using Terminal Services?
Answer: The main drawback in this scenario is the risk that the Terminal Server will fail. This failure would affect the productivity of all users. You can mitigate this risk by implementing network load balancing.

Are there any benefits to using Windows Server 2008 for Terminal Services rather than Windows Server 2003 in our scenario?
Answer: Windows Server 2008 has several new features that are useful in this scenario. Single sign-on allows users to access Terminal Services without providing credentials. This simplifies the use of Terminal Services for users. Also, Easy Print makes it much easier and more reliable to print by using Terminal Services. Finally, TS RemoteApp allows just a single application window to be opened rather than a remote desktop. This is less confusing for some users.

What are our licensing requirements?
Answer: To use Terminal Services, each user or device must have a TS CAL. If users are not accessing the application from multiple locations, it may be beneficial to use device-based licensing. For our server, we can use device CALs or user CALs, but not both. We also need to make sure that the financial application supports licensing for Terminal Servers. Because using Terminal Services was recommended by the vendor, it is likely. However, we should review how many licenses will be required and their cost.

What will the overall system look like from a user perspective when it is implemented?
Answer: Because access is only for a single application, TS RemoteApp and single sign-on should be used. Users will click an icon on their desktop and they will be connected to the application. From the user perspective, it will be just like opening an application installed locally on their computer.

Results: After this exercise, you should have a completed plan for implementing WSS and Terminal Services.

Exercise 2: Implementing Windows SharePoint Services

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Minimize the Lab Launcher window.

Task 2: Install Windows SharePoint Services
1. On SEA-DC1, click Start, and click Run.
2. In the Open box, type D:\Labfiles\Mod05\SharePoint.exe, and then click OK.
3. On the Read The Microsoft Software License Terms page, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose The Installation You Want page, click Basic.
5. Verify that Run the SharePoint Products and Technologies Configuration Wizard now is selected, and then click Close.
6. In the SharePoint Products And Technologies Configuration Wizard, click Next.
7. Click Yes to close the warning window. Installation may take up to 10 minutes.
8. On the Configuration Successful page, click Finish. Internet Explorer will open automatically and prompt you for a logon.
9. Log on as Adatum\Administrator with a password of Pa$$w0rd. Initial logon will be slow because all of the scripts start for the first time.
10. Verify that you have successfully logged on to WSS. Note that the path used to access the server is
11. Close Internet Explorer.

Task 3: Review the Web site configuration
1. On SEA-DC1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand SEA-DC1, and click Application Pools. Notice that two new application pools have been created for SharePoint.
3. Click Sites. Notice that there are two new Web sites. SharePoint 80 is the main SharePoint site bound to Port 80. SharePoint Central Administration is for administering SharePoint on a random port number.
4. Double-click SharePoint 80, and then double-click Authentication. Notice that Windows Authentication is enabled.
5. Close Internet Information Services (IIS) Manager.

Task 4: Configure Internet Explorer for Windows Authentication
1. On SEA-DC1, click Start, type Internet Options, and then press ENTER.
2. In the Internet Properties window, click the Security tab, click Local Intranet, and then click Sites.
3. In the Add this website to the zone box, type and then click Add.
4. If prompted, click Yes to move the site to the Local intranet zone.
5. Click Close, and then click OK.
6. Click Start, point to All Programs, and then click Internet Explorer.
7. In the Address bar, type and then press ENTER. Notice that you are no longer prompted for credentials.
8. Close Internet Explorer.

Task 5: Back up Windows SharePoint Services
1. On SEA-DC1, click Start, and then click Command Prompt.
2. Type md C:\SPBackup, and then press ENTER.
3. Close the command prompt.
4. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
5. Click the Operations tab.
6. Under Backup and Restore, click Perform a backup.
7. Select the Farm check box, and then click Continue to Backup Options.
8. Enter the following settings, and then click OK.
    - Backup content: Farm
    - Type of Backup: Full
    - Backup File Location: C:\SPBackup
9. Click Refresh every minute or so until the backup job is complete.
10. Close Internet Explorer.

Results: After this exercise, you should have successfully implemented Windows SharePoint Services and verified the configuration.

Exercise 3: Implementing Terminal Services

Task 1: Install Terminal Services
1. On SEA-DC1, click Start, and click Server Manager.
2. In the left pane, click Roles, and then click Add Roles.
3. In the Add Roles Wizard, click Next.
4. On the Select Server Roles page, select the Terminal Services check box, and then click Next.
5. Read the Terminal Services page, and then click Next.
6. On the Select Role Services page, select the Terminal Server check box.
7. In the warning window, click Install Terminal Server anyway (not recommended), and then click Next.
8. Read the Uninstall And Reinstall Application For Compatibility page, and then click Next.
9. Read the Specify Authentication Method For Terminal Server page, click Do not require Network Level Authentication, and then click Next.
10. On the Specify Licensing Mode page, click Configure later, and then click Next.
11. On the Select User Groups Allowed Access To This Terminal Server page, click Next.
12. On the Confirm Installation Selections page, click Install.
13. On the Installation Results page, click Close.
14. Click Yes to restart the server.
15. Log on as Adatum\Administrator with a password of Pa$$w0rd.
16. Wait for the configuration to complete, and then click Close.
17. Close Server Manager.

Task 2: Install the financial application
1. Click Start, and then click Computer.
2. Browse to D:\Labfiles\Mod05, and double-click CalcPlus.msi.
3. In the Microsoft Calculator Plus window, click Next.
4. On the License Agreement page, click I Agree, and then click Next.
5. On the Select Installation Folder page, use C:\Program Files\Microsoft Calculator Plus\, click Everyone, and then click Next.
6. Click Close, and then close the Windows Explorer window.

Task 3: Prepare the financial application for distribution as a RemoteApp program
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.
2. In the actions pane, click Add RemoteApp Programs.
3. In the RemoteApp Wizard, click Next.
4. Select the Microsoft Calculator Plus check box, and then click Next.
5. Click Finish.
6. In the RemoteApp Programs area, click Microsoft Calculator Plus.
7. Under Other Distribution Options, click Create Windows Installer Package.
8. In the RemoteApp Wizard, click Next.
9. On the Specify Package Settings page, click Next.
10. On the Configure Distribution Package page, select the Desktop check box, and then click Next.
11. Click Finish.
12. In the Packaged Programs window, browse up to C:\Program Files.
13. Right-click Packaged Programs, and then click Share.
14. Click Advanced Sharing.
15. Select the Share this folder check box, and then click OK.

16. Click Close, and then close all open windows.
17. Click Start, point to Administrative Tools, and then click Group Policy Management.
18. In the Group Policy Management window, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.
19. Under User Configuration, expand Policies, expand Software Settings, right-click Software installation, point to New, and then click Package.
20. Browse to \\SEA-DC1\Packaged Programs, click CalcPlus.msi, and then click Open.
21. In the Deploy Software window, click Advanced, and then click OK.
22. In the Microsoft Calculator Plus Properties window, click the Deployment tab.
23. Under Deployment type, click Assigned.
24. Under Deployment options, select the Install this application at logon check box, and then click OK.
25. Close all open windows.

Task 4: Test the new application
1. Log on to SEA-CL1 as Administrator with a password of Pa$$w0rd.
2. If the Microsoft Calculator Plus icon does not appear on the desktop, then perform the following steps:
    a. Click Start, type cmd, and then press ENTER.
    b. At the command prompt, type gpupdate, and then press ENTER.
    c. Close the command prompt.
    d. Restart SEA-CL1, and log on again as Administrator.
3. Click Start, type gpedit.msc, and then press ENTER.
4. Under Computer Configuration, expand Administrative Templates, expand System, and then click Credentials Delegation.

5. Double-click Allow Delegating Default Credentials, click Enabled, and then click Show.
6. In the Show Contents window, click Add, type termsrv/sea-DC1.adatum.com, and then click OK.
7. In the Show Contents window, click OK.
8. In the Allow Delegating Default Credentials Properties window, click OK.
9. Close the Local Group Policy Editor.
   Note: In a production environment, you would configure the group policy setting by using a GPO rather than the local Group Policy.
10. On the desktop, double-click the Microsoft Calculator Plus icon.
11. Select the Don't ask me again for remote connections to the computer check box, and then click Connect.
12. Wait while the application starts. This may take a few moments to log on to the Terminal Server.
13. Close Microsoft Calculator Plus.
   Note: Opening the application a second time is much faster.

Results: After this exercise, you should have successfully implemented a Terminal Server and distributed a Terminal Services application.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 6 Lab Answer Key: Planning File and Print Services

Contents:
Exercise 1: Planning File and Print Services for a Branch Office
Exercise 2: Implementing File and Print Services in a Branch Office

Lab: Planning File and Print Services

Exercise 1: Planning File and Print Services for a Branch Office

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Sales Branch Offices: File and Print Services document with your proposals
Answer the questions in the Sales Branch Offices: File and Print Services document.

Sales Branch Offices: File and Print Services
Document Reference Number: GW1510/1
Document Author: Gregory Weber
Date: 15 October

Requirement Overview
Deploy the required services to the branch sales offices to meet the needs outlined in the Requirements document.

Additional Information
The requirements are summarized as follows:
- Deploy server roles to support file and print services.
- Create a single UNC name to allow access to all sales shared resources. This single UNC name should not be a single point of failure.
- Provide for a means of synchronizing data between the branch and head office sales shared folders.
- Impose restrictions to prevent creation of executable files in data areas.
- Impose hard limit on amount of disk space each user can consume in the data folder.
- Deploy printers to client computers quickly and easily.

Proposals

1. What server roles will you need to deploy to the branch servers to satisfy these requirements?
Answer: File Services and Print Services

2. Will you need to make any changes to the infrastructure at the head office to support these requirements?
Answer: Certain File Services service roles will need to be available to support DFS.

3. What folder and shared folder permissions would you recommend for sales data areas?
Answer: Data folders should be secured with the Modify permission for the relevant global group, in this case SalesGG. The shared folder can be configured as Everyone Full Control because the agreed upon permissions are therefore Modify for the SalesGG through the share onto the folder.

4. How will you address the requirement for a single UNC name for all sales shared resources and avoid a single point of failure?
Answer: By deploying a DFS domain-based name space and adding folders to the namespace. Adding additional namespace servers will provide fault tolerance of the namespace.

5. How will you synchronize the sales data at each location?
Answer: By using DFS-R. A full mesh topology would be suitable.

6. What role or feature enables you to impose a restriction on the types of files that users can create in designated folders?
Answer: FSRM file screening.

7. What role or feature enables you to impose a restriction on the disk space users can consume in designated folders?
Answer: FSRM quotas.

8. Provide additional details about the specifics of the process you will use to provide for the previous two requirements:
   Answer: File screen: the Block Executable Files would be an appropriate template on which to base the file screen. Quotas: use of the 200 MB Limit Reports to User template is indicated.
9. How do you intend to deploy printers to client computers?
   Answer: Creating, sharing, and then deploying with group policy.

Results: After this exercise, you should have a completed Sales Branch Offices: File and Print Services document.
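The reasoning behind answer 3 of the proposals, as an added example that is not part of the original lab material: access through a share is the intersection of what the share ACL and the folder (NTFS) ACL each grant. The access-mask values are the standard Windows file rights; the principal sets and the Administrators and SYSTEM entries on the folder are assumptions made for illustration.

```python
from dataclasses import dataclass

# Standard Windows file access masks (what icacls shows as F, M and RX).
FULL_CONTROL = 0x1F01FF
MODIFY = 0x1301BF
READ_EXECUTE = 0x1200A9
WRITE_DAC = 0x040000      # right to change the permissions on the object
WRITE_OWNER = 0x080000    # right to take ownership of the object


@dataclass(frozen=True)
class Ace:
    trustee: str
    mask: int
    allow: bool = True


def granted(acl, principals):
    """Rights an ACL grants to a token that holds `principals`.

    Simplification: every deny ACE wins over every allow ACE, which matches
    an ACL in canonical order that contains explicit entries only.
    """
    allow = deny = 0
    for ace in acl:
        if ace.trustee in principals:
            if ace.allow:
                allow |= ace.mask
            else:
                deny |= ace.mask
    return allow & ~deny


def effective_over_share(share_acl, ntfs_acl, principals):
    """Network access: a right must be granted by BOTH the share and the folder.

    A user logged on locally to the server is checked against ntfs_acl only.
    """
    return granted(share_acl, principals) & granted(ntfs_acl, principals)


def describe(mask):
    """Name the highest standard permission level fully contained in `mask`."""
    for name, level in (("Full Control", FULL_CONTROL),
                        ("Modify", MODIFY),
                        ("Read & Execute", READ_EXECUTE)):
        if (mask & level) == level:
            return name
    return "None" if mask == 0 else "Special"


# Share permission recommended in answer 3.
SHARE_ACL = [Ace("Everyone", FULL_CONTROL)]
# A stricter share (share-level Read), shown for comparison only.
READ_ONLY_SHARE_ACL = [Ace("Everyone", READ_EXECUTE)]

# Folder ACL: Users removed, SalesGG granted Modify (as in answer 3).
# The Administrators and SYSTEM entries are assumed defaults.
NTFS_ACL = [
    Ace("BUILTIN\\Administrators", FULL_CONTROL),
    Ace("NT AUTHORITY\\SYSTEM", FULL_CONTROL),
    Ace("ADATUM\\SalesGG", MODIFY),
]

# Constructed tokens (group memberships) for three kinds of caller.
SALES_USER = {"Everyone", "ADATUM\\Domain Users", "ADATUM\\SalesGG"}
OTHER_USER = {"Everyone", "ADATUM\\Domain Users"}
ADMIN_USER = {"Everyone", "ADATUM\\Domain Users", "BUILTIN\\Administrators"}


def report(share_acl=SHARE_ACL, ntfs_acl=NTFS_ACL):
    """Effective level over the share for each constructed token."""
    tokens = {"sales": SALES_USER, "other": OTHER_USER, "admin": ADMIN_USER}
    return {name: describe(effective_over_share(share_acl, ntfs_acl, token))
            for name, token in tokens.items()}


if __name__ == "__main__":
    for who, level in report().items():
        print(f"{who:6s} -> {level}")
    sales = effective_over_share(SHARE_ACL, NTFS_ACL, SALES_USER)
    print("sales user may change the folder ACL:", bool(sales & WRITE_DAC))
```

With Everyone Full Control on the share, the folder ACL is the only control that restricts access, so removing the Users entry and granting Modify rather than Full Control is what keeps non-sales accounts out and stops sales users from rewriting the ACL.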

Exercise 2: Implementing File and Print Services in a Branch Office

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
7. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Deploy the required server roles at the branch server
1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, click Roles.
4. In the results pane, under Roles Summary, click Add Roles.
5. In the Add Roles Wizard, on the Before You Begin page, click Next.
6. On the Select Server Roles page, in the Roles list, select both the File Services and Print Services check boxes, and then click Next.
7. On the Print Services page, click Next.
8. On the Select Role Services page, click Next.
9. On the File Services page, click Next.

10. On the Select Role Services page, select the following check boxes, and then click Next:
    a. File Server
    b. Distributed File System
    c. File Server Resource Manager
11. On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager, and then click Next.
12. On the Configure Storage Usage Monitoring page, click Next.
13. On the Confirm Installation Selections page, click Install.
14. On the Installation Results page, click Close.
15. Close Server Manager.

Task 3: Add additional role services on the SEA-DC1 computer
1. Switch to the SEA-DC1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, click Roles.
4. In the results pane, under Roles Summary, click File Services.
5. In the results pane, click Add Role Services.
6. On the Select Role Services page, select the Distributed File System check box, and then click Next.
7. On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager, and then click Next.
8. On the Confirm Installation Selections page, click Install.
9. On the Installation Results page, click Close.
10. Close Server Manager.

Task 4: Create, secure, and share the Sales-data folders
1. Click Start, click Computer, and then double-click Allfiles (D:).
2. Click Organize, and then click New Folder.
3. Type Sales-data, and then press ENTER.
4. Right-click Sales-data, and then click Properties.
5. In the Sales-data Properties dialog box, on the Security tab, click Advanced.
6. In the Advanced Security Settings for Sales-data dialog box, click Edit, clear the Include inheritable permissions from this object's parent check box, and then click Copy.
7. In the Advanced Security Settings for Sales-data dialog box, click OK.
8. Click OK again, and in the Sales-data Properties dialog box, click Edit.
9. In the Permissions for Sales-data dialog box, in the Group or user names list, click Users (ADATUM\Users), and then click Remove.
10. Click Add, and in the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type SalesGG, click Check Names, and then click OK.
11. In the Permissions for Sales-data dialog box, in the Permissions for SalesGG list, select the Allow/Modify check box, and then click OK.
12. In the Sales-data Properties dialog box, click the Sharing tab.
13. Click Advanced Sharing, and in the Advanced Sharing dialog box, select the Share this folder check box, and then click Permissions.
14. In the Permissions for Sales-data dialog box, select the Allow/Full Control check box, and then click OK.
15. In the Advanced Sharing dialog box, click OK.
16. In the Sales-data Properties dialog box, click Close.
17. Close Windows Explorer.
18. Switch to the SEA-SVR1 computer.
19. Click Start, click Computer, and then double-click Local Disk (C:).

20. Click Organize, and then click New Folder.
21. Type Sales-data, and then press ENTER.
22. Right-click Sales-data, and then click Properties.
23. In the Sales-data Properties dialog box, on the Security tab, click Advanced.
24. In the Advanced Security Settings for Sales-data dialog box, click Edit, clear the Include inheritable permissions from this object's parent check box, and then click Copy.
25. In the Advanced Security Settings for Sales-data dialog box, click OK.
26. Click OK again, and in the Sales-data Properties dialog box, click Edit.
27. In the Permissions for Sales-data dialog box, in the Group or user names list, click Users (SEA-SVR1\Users), and then click Remove.
28. Click Add, and in the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type SalesGG, click Check Names, and then click OK.
29. In the Permissions for Sales-data dialog box, in the Permissions for SalesGG list, select the Allow/Modify check box, and then click OK.
30. In the Sales-data Properties dialog box, click the Sharing tab.
31. Click Advanced Sharing, and in the Advanced Sharing dialog box, select the Share this folder check box, and then click Permissions.
32. In the Permissions for Sales-data dialog box, select the Allow/Full Control check box, and then click OK.
33. In the Advanced Sharing dialog box, click OK.
34. In the Sales-data Properties dialog box, click Close.
35. Close Windows Explorer.

Task 5: Configure a DFS namespace
1. Switch to the SEA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click DFS Management.
3. In DFS Management, in the navigation tree, click Namespaces.

4. In the action pane, click New Namespace.
5. In the New Namespace Wizard, on the Namespace Server page, in the Server box, type SEA-DC1, and then click Next.
6. On the Namespace Name and Settings page, in the Name box, type Sales, and then click Next.
7. On the Namespace Type page, click Domain-based namespace, and then click Next.
8. On the Review Settings and Create Namespace page, click Create.
9. On the Confirmation page, click Close.

Task 6: Add a namespace server
1. In DFS Management, in the navigation tree, click Namespaces, and in the results pane, right-click \\Adatum.com\Sales, and then click Add Namespace Server.
2. In the Add Namespace Server dialog box, in the Namespace server box, type SEA-SVR1, and then click OK.
3. In the Warning dialog box, click Yes.
4. In DFS Management, expand Namespaces, click \\Adatum.com\Sales, and then in the results pane, click the Namespace Servers tab.

Task 7: Add a DFS folder
1. In DFS Management, in the navigation tree, right-click \\Adatum.com\Sales, and then click New Folder.
2. In the New Folder dialog box, in the Name box, type Corporate Sales Data.
3. Click Add, and in the Add Folder Target dialog box, in the Path to folder target box, type \\sea-dc1\sales-data, and then click OK.
4. In the New Folder dialog box, click OK.

Task 8: Add a folder target
1. In DFS Management, expand Namespaces, expand \\Adatum.com\Sales, right-click Corporate Sales Data, and then click Add Folder Target.
2. In the New Folder Target dialog box, in the Path to folder target box, type \\sea-svr1\sales-data, and then click OK.
3. In the Replication dialog box, click Yes.

Task 9: Create a Replication group
1. In the Replicate Folder Wizard, click Next.
2. On the Replication Eligibility page, click Next.
3. On the Primary Member page, in the Primary member list, click SEA-DC1, and then click Next.
4. On the Topology Selection page, click Full Mesh, and then click Next.
5. On the Replication Group Schedule and Bandwidth page, click Next.
6. On the Review Settings and Create Replication Group page, click Create.
7. On the Confirmation page, click Close.
8. In the Replication Delay dialog box, click OK.
9. Close DFS Management.

Task 10: Configure quotas on the branch server
1. Switch to the SEA-SVR1 computer.
2. Click Start, point to Administrative Tools, and then click File Server Resource Manager.
3. In File Server Resource Manager (Local), expand Quota Management, and then click Quotas.
4. Right-click Quotas, and then click Create Quota.
5. In the Create Quota dialog box, in the Quota path box, type C:\Sales-data.
6. Click Auto apply template and create quotas on existing and new subfolders.

7. In the Quota template list, click 200 MB Limit Reports to User.
8. Click Create.

Task 11: Configure a file screen for the branch server
1. In the navigation tree, expand File Screening Management, and then click File Screens.
2. Right-click File Screens, and then click Create File Screen.
3. In the Create File Screen dialog box, in the File screen path box, type C:\Sales-data, and in the list, click Block Executable Files. Then click Create.

Task 12: Configure FSRM options
1. In the navigation tree, right-click File Server Resource Manager (Local), and then click Configure Options.
2. Scroll along the tabs, and then click the File Screen Audit tab.
3. Select the Record file screening activity in auditing database check box, and then click OK.

Task 13: Test the file screen settings
1. Switch to the SEA-CL1 computer.
2. Click Start, right-click Computer, and then click Map Network Drive.
3. In the Map Network Drive dialog box, in the Folder box, type \\sea-svr1\sales-data, and then click Finish.
4. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
5. At the command prompt, type the following commands, pressing ENTER after each one:
   a. Z:
   b. Copy c:\windows\*.exe
   Question: Were you successful?
   Answer: No

6. Switch to the SEA-SVR1 computer.
7. In File Server Resource Manager, click Storage Reports and Management.
8. In the action pane, click Generate Reports Now.
9. In the Storage Report Task Properties dialog box, click Add.
10. In the Browse For Folder dialog box, expand Local Disk (C:), click Sales-data, and then click OK.
11. In the Select reports to generate list, select the File Screening Audit check box and then click OK.
12. In the Generate Storage Reports dialog box, click OK.
    Question: In Internet Explorer, examine the report. Which user attempted to create executables in the C:\Sales-data folder?
    Answer: ADATUM\Joe.
13. Close all open windows.

Task 14: Deploy a shared printer with group policy
1. On SEA-SVR1, click Start, point to Administrative Tools, and then click Print Management.
2. In Print Management, expand Print Server, expand SEA-SVR1(local), and then click Printers.
3. Right-click Printers, and then click Add Printer.
4. In the Network Printer Installation Wizard, on the Printer Installation page, click Add a new printer using an existing port, and in the list, click LPT1: (Printer Port).
5. Click Next, and on the Printer Driver page, click Next.
6. On the Printer Installation page, in the Manufacturer list, click Canon, in the Printers list, click Canon Inkjet MP700, and then click Next.
7. On the Printer Name and Sharing Settings page, click Next.
8. On the Printer Found page, click Next, and then click Finish.
9. Right-click Canon Inkjet MP700, and then click Deploy with Group Policy.

10. In the Deploy with Group Policy dialog box, click Browse.
11. In the Browse for a Group Policy Object dialog box, click Default Domain Policy, and then click OK.
12. In the Deploy with Group Policy dialog box, select the The users that this GPO applies to (per user) check box, and then click Add and OK.
13. In the Printer Management dialog box, click OK.
14. Click OK to close the Deploy with Group Policy dialog box.

Task 15: Test the printer deployment
1. Switch to the SEA-CL1 computer.
2. At the command prompt, type gpupdate /force, and press ENTER.
3. Log off.
4. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
5. Click Start, click Control Panel, and then click Printer.
   Question: Is the Canon printer listed?
   Answer: Yes.
6. Close all open windows.

Results: After this exercise, you should have successfully configured file and print services for the branch office.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 7
Lab Answer Key: Planning Server and Network Security

Contents:
Exercise 1: Creating a Plan for Server and Network Security
Exercise 2: Implementing Windows Firewall Rules
Exercise 3: Implementing a VPN Server
Exercise 4: Implementing NAP with DHCP Enforcement

Lab: Planning Server and Network Security

Exercise 1: Creating a Plan for Server and Network Security

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Create a security plan for the new finance application
Fill in the following table with potential risks and mitigations for each layer of the Defense-in-Depth model related to the new finance application.

Layer: Data
Risk:
- Application data is accessed by unauthorized users
- Application data is accessed from unauthorized computers
Mitigation:
- Locate application database on a secure server with limited permissions
- Use connection security rules to restrict access to appropriate computers in an inbound rule

Layer: Application
Risk:
- Application is vulnerable to denial of service
- Application is vulnerable to buffer overflow attacks
Mitigation:
- Apply application patches as they become available

Layer: Host
Risk:
- Operating system vulnerability results in denial of service
- Hardware failure results in loss of service
- Passwords are guessed for a user account with access to data
Mitigation:
- Ensure that operating system updates are applied
- Ensure the hardware in server is redundant
- Ensure that complex passwords are required
- Use the Security Configuration Wizard to reduce the attack surface
- Use NAP to prevent malware

Layers: Internal network; Perimeter; Physical security; Policies, procedures, and awareness
Risk:
- Data is viewed while in transit
- Internet users gain access to the application
- Server data is accessed by using a boot CD
- The service is physically damaged by accident
- An administrator makes changes to the server without authorization, resulting in a service outage
Mitigation:
- Use SSL to encrypt data and authentication
- Use firewalls to prevent access to the application server from the Internet
- Store the server in a secure location where unauthorized staff do not have access
- Document all procedures related to the server, such as maintenance windows and configuration
- Enforce a change management process

Task 3: Create a plan for preventing malware on the network
Fill in the following table with potential risks and mitigations for each layer of the Defense-in-Depth model related to preventing malware on the network.

Layers: Data; Application; Host
Risk:
- Application installations
- E-mail attachments
- Application flaws
- Web pages
- Portable storage
- Operating system flaws
- Portable computers
Mitigation:
- Allow only administrators to install new applications
- Implement malware scanning for all incoming e-mail
- Ensure that applications are updated when updates are released
- Use SmartScreen Filter in Microsoft Internet Explorer 8
- Prevent the use of portable storage devices for computers
- Ensure that Windows updates are being applied
- Use real-time scanning in Windows Defender
- Use NAP to prevent unhealthy computers from connecting to the network
- Run antivirus software that can be centrally monitored with daily updates

Layer: Internal network
Risk:
- Portable computers
Mitigation:
- Use intrusion detection to monitor for unusual network traffic

Layer: Perimeter
Risk:
- Web pages
Mitigation:
- Implement malware scanning on a Web proxy

Layers: Physical security; Policies, procedures, and awareness
Risk:
- Staff may try to circumvent security policies with portable storage.
Mitigation:
- Create an acceptable use policy and ensure that staff are educated about its contents

Results: After this exercise, you should have a completed security plan for the new finance application and a plan for preventing malware on the network.

Exercise 2: Implementing Windows Firewall Rules

Task 1: Start the virtual machines and log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-CL1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Create a group for the finance computers
1. On SEA-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, if necessary, expand Adatum.com and then click Computers.
3. Right-click Computers, point to New, and then click Group.
4. In the Group name box, type Finance Computers and then click OK.
5. Right-click SEA-CL1 and click Add to a group.
6. In the Enter the object names to select box, type Finance Computers and then click OK.
7. Click OK to clear the message about successful completion.
8. Close Active Directory Users and Computers.

Task 3: Create a connection security rule for authentication to the finance server
1. On SEA-DC1, click Start, point to Administrative Tools, and click Group Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, and click Adatum.com.
3. Right-click Adatum.com and click Create a GPO in this domain, and Link it here.
4. In the New GPO window, in the Name box, type Secure Financial Application and click OK.
5. Right-click Secure Financial Application, and click Edit.
6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and click Connection Security Rules.
7. Right-click Connection Security Rules and click New Rule.
8. In the New Connection Security Rule Wizard window, on the Rule Type page, click Server-to-server, and then click Next.
9. On the Endpoints page, in the Endpoint 1 area, click These IP addresses, and then click Add.
10. In the IP Address window, in the This IP address or subnet box, type , and then click OK.
11. On the Endpoints page, click Next.
12. On the Requirements page, click Request authentication for inbound and outbound connections, and then click Next.
13. On the Authentication Method page, click Advanced and then click Customize.
14. In the Customize Advanced Authentication Methods window, in the First authentication area, click Add, click Computer (Kerberos V5), and click OK.

15. In the Customize Advanced Authentication Methods window, click OK and then click Next.
16. On the Profile page, click Next.
17. On the Name page, in the Name box, type Enable Authentication and then click Finish.
18. Close all open windows.

Task 4: Create a firewall rule to restrict access to the finance application
1. On SEA-DC1, click Start, point to Administrative Tools, and click Windows Firewall with Advanced Security.
2. In the left pane, click Inbound Rules.
3. Right-click Inbound Rules and then click New Rule.
4. In the New Inbound Rule Wizard window, on the Rule Type page, click Port and then click Next.
5. On the Protocol and Ports page, click TCP.
6. In the Specific local ports box, type 80,443 and then click Next.
7. On the Action page, click Allow the connection if it is secure, select the Require the connections to be encrypted check box, and then click Next.
8. On the Users and Computers page, select the Only allow connections from these computers check box and then click Add.
9. In the Enter the object names to select box, type Finance Computers and then click OK.
10. Click Next to continue.
11. On the Profile page, click Next.
12. On the Name page, in the Name box, type Restrict Access to Finance Application and then click Finish.
13. Close all open windows.

Task 5: Force Group Policy updates
1. On SEA-DC1, click Start, click Run, type gpupdate, and press ENTER.
2. On SEA-CL1, click Start, click Run, type gpupdate, and press ENTER.
3. Restart SEA-CL1 and log on as Adatum\Administrator with a password of Pa$$w0rd.

Task 6: Test the application of rules
1. On SEA-CL1, click Start and click Internet.
2. In Internet Explorer, in the address bar, type and then press ENTER.
3. Click Start, type Firewall, and then click Windows Firewall with Advanced Security.
4. Expand Monitoring, expand Security Associations, and then click Main Mode. Notice that there is a connection between and
5. Close all open windows.

Note: Negotiation of IPsec policies may be slow in the virtualized environment. A wait of 2 or 3 minutes is possible before the negotiation is complete and you are able to access the Web site at

Results: After this exercise, you should have successfully implemented firewall rules.

Exercise 3: Implementing a VPN Server

Task 1: Install Active Directory Certificate Services
1. On SEA-DC1, click Start and click Server Manager.
2. In the left pane, click Roles and then click Add Roles.
3. Click Next to begin the Add Roles Wizard.
4. Select the Active Directory Certificate Services check box and click Next.
5. Click Next on the Introduction to Active Directory Certificate Services page.
6. Ensure that the Certification Authority check box is selected.
7. Select the Certification Authority Web Enrollment check box, click Add Required Role Services, and click Next.
8. Ensure that Enterprise is selected, and click Next.
9. Ensure that Root CA is selected, and click Next.
10. Ensure that Create a new private key is selected, and click Next.
11. Click Next to accept the default cryptography settings.
12. Click Next to accept the default CA name of Adatum-SEA-DC1-CA.
13. Click Next to accept the default validity period of 5 years.
14. Click Next to accept the default database and log locations.
15. Click Next on the Web Server (IIS) page.
16. Click Next on the Select Role Services page.
17. Click Install on the Confirm Installation Selections page.
18. After installation is complete, click Close and close Server Manager.

Task 2: Create an SSL certificate
1. On SEA-DC1, click Start, point to Administrative Tools, and click Internet Information Services (IIS) Manager.
2. In the left pane, click SEA-DC1 (Adatum\Administrator) and double-click Server Certificates.
3. In the actions pane, click Create Domain Certificate.

4. Enter the following and then click Next:
   a. Common name: SEA-DC1.Adatum.com
   b. Organization: A. Datum
   c. Organizational unit: IT
   d. City/locality: Seattle
   e. State/province: Washington
   f. Country/region: US
5. In the Specify Online Certification Authority box, type Adatum-SEA-DC1-CA\SEA-DC1.Adatum.com.
6. In the Friendly name box, type WebSSL and click Finish.
7. Close Internet Information Services (IIS) Manager.

Task 3: Configure RRAS
1. On SEA-DC1, click Start, point to Administrative Tools, and click Routing and Remote Access.
2. Right-click SEA-DC1 (local) and click Configure and Enable Routing and Remote Access.
3. Click Next to start the Routing And Remote Access Server Setup Wizard.
4. Click Custom configuration and click Next.
   Note: A custom configuration is required because this server has only a single network card. In most cases, you could use the Remote Access (Dial-Up Or VPN) configuration.
5. Select the VPN access check box and click Next.
6. Click Finish.
7. Click Start Service.

Task 4: Create a network policy to allow VPN access
1. On SEA-DC1, click Start, point to Administrative Tools, and click Network Policy Server.
2. In the left pane, expand Policies and click Network Policies.
3. Right-click Network Policies and click New.
4. In the Policy name box, type Allow Domain Admins, and then click Next.
5. In the Specify Conditions window, click Add.
6. Click Windows Groups and click Add.
7. Click Add Groups, type Domain Admins, and click OK.
8. Click OK, and then click Next.
9. Click Access granted and then click Next.
10. Click Next to accept the default authentication types.
11. Click Next to accept the default constraints.
12. Click Next to accept the default settings.
13. Click Finish and close Network Policy Server.

Task 5: Configure the client with a trusted root certificate
1. On SEA-CL1, click Start and click Internet.
2. In the address bar, type and press ENTER.
3. Log on as Adatum\Administrator with a password of Pa$$w0rd.
4. Click Download a CA certificate, certificate chain, or CRL.
5. If necessary, click Close to clear the information about the information bar.
6. Click Download CA certificate and click Open.
7. When the Certificate window opens, click Install Certificate.
8. Click Next to start the Certificate Import Wizard.
9. Select Automatically select the certificate store based on the type of certificate and click Next.
10. Click Finish.

11. Click OK to close the Certificate Import Wizard dialog box.
12. Click OK to close the Certificate window.
13. Close Internet Explorer.
14. Click Start, and in the Start Search box, type mmc, then press ENTER.
15. Click File and click Add/Remove Snap-in.
16. Double-click Certificates, click My user account and click Finish.
17. Double-click Certificates, click Computer account, and click Next.
18. Click Local computer: (the computer this console is running on) and click Finish.
19. Click OK.
20. In the left pane, expand Certificates - Current User, expand Intermediate Certification Authorities, and click Certificates.
21. Right-click Adatum-SEA-DC1-CA and click Copy.
22. In the left pane, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
23. Right-click Certificates and click Paste.
24. Close the MMC window.
25. Click No when prompted to save settings.

Task 6: Configure and test an SSTP VPN connection
1. On SEA-CL1, click Start and click Connect To.
2. Click Set up a connection or network.
3. Click Connect to a workplace and click Next.
4. Click Use my Internet connection (VPN).
5. Click I'll set up an Internet connection later.
6. In the Internet address box, type SEA-DC1.Adatum.com.
7. In the Destination name box, type Adatum VPN and then click Next.

8. Click Create without entering a username and password.
9. Click Close.
10. Click Start and click Connect To.
11. Right-click Adatum VPN and click Properties.
12. Click the Networking tab.
13. In the Type of VPN box, select Secure Socket Tunneling Protocol (SSTP) and then click OK.
14. Click Connect.
15. Log on as Adatum\Administrator with a password of Pa$$w0rd.
16. Click Close to close the Connect To A Network window.
17. Click Start and click Connect To. Verify that the status of the connection is connected.
18. Click Disconnect.
19. Close all open windows.

Note: If you experience an error during your connection attempt, review the configuration of your SSTP listener by using the instructions from Setting Up The SSTP Listener And Verifying It in the Routing and Remote Access Blog at In particular, you must manually remove and replace the certificate used by SSTP if you want to change it.

Exercise 4: Implementing NAP with DHCP Enforcement

Task 1: Install Network Policy Server
1. On SEA-DC1, click Start and click Server Manager.
2. In the left pane, expand Roles and then click Network Policy and Access Services.
3. If necessary, scroll down, and then click Add Role Services.
4. On the Select Role Services page, select the Network Policy Server check box, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. When installation is complete, click Close.
7. Close Server Manager.

Task 2: Configure NPS
1. On SEA-DC1, click Start, point to Administrative Tools, and then click Network Policy Server.
2. If necessary, in the left pane, click NPS (Local).
3. In the Standard Configuration area, select Network Access Protection (NAP) and click Configure NAP.
4. In the drop-down list box, select Dynamic Host Configuration Protocol (DHCP) as the connection method.
5. Accept NAP DHCP as the policy name, and click Next.
6. Click Next to skip the configuration of RADIUS clients. This is not necessary because DHCP is running on the NPS server.
7. On the Specify DHCP Scopes page, click Next.
8. On the Configure User Group and Machine Groups page, click Next.
9. On the Specify a NAP Remediation Server Group and URL page, click Next.

10. On the Define NAP Health Policy page, ensure that the following are selected, and then click Next.
    a. Windows Security Health Validator
    b. Enable auto-remediation of client computers
    c. Deny full network access to NAP-ineligible client computers. Allow access to a restricted network only.
11. Review the settings and click Finish.
12. Expand Policies and click Connection Request Policies. Notice that a NAP DHCP policy has been created by the wizard.
13. Click Network Policies. Notice that several policies for NAP have been created by the wizard.
14. Click Health Policies. Notice that two policies for NAP have been created by the wizard.
15. Close Network Policy Server.

Task 3: Configure DHCP
1. Click Start, point to Administrative Tools, and then click DHCP.
2. Expand SEA-DC1.adatum.com, expand IPv4, and then click Scope [ ] Adatum.
3. Right-click Scope [ ] Adatum, and click Properties.
4. Click the Network Access Protection tab, click Enable for this scope, click Use default Network Access Protection profile, and then click OK.
5. Expand Scope [ ] Adatum Scope, click Scope Options, right-click Scope Options, and click Configure Options.
6. Click the Advanced tab, and in the User class box, select Default Network Access Protection Class.
7. Select the 006 DNS Servers check box. In the IP Address box, type , and then click Add.
8. Select the 015 DNS Domain Name check box. In the String value box, type restricted.adatum.com, and click OK.
9. Close DHCP.

Task 4: Configure NAP Client by using Group Policy
1. On SEA-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the left pane, right-click Adatum.com, point to New, and click Organizational Unit.
3. In the Name box, type NAP Clients, and then click OK.
4. In the left pane, click Computers.
5. Right-click SEA-CL1 and click Move.
6. Click NAP Clients, and click OK.
7. Close Active Directory Users and Computers.
8. Click Start, point to Administrative Tools, and click Group Policy Management.
9. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click NAP Clients.
10. Right-click NAP Clients and click Create a GPO in this domain, and Link it here.
11. In the Name box, type DHCP NAP Client and click OK.
12. Right-click DHCP NAP Client and click Edit.
13. In the left pane, browse to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center.
14. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
15. Browse to Computer Configuration\Policies\Windows Settings\Security Settings\System Services and double-click Network Access Protection Agent.
16. Select the Define this policy setting check box, click Automatic, and click OK.
17. In the left pane, in Security Settings, expand Network Access Protection, expand NAP Client Configuration, and then click Enforcement Clients.
18. Right-click DHCP Quarantine Enforcement Client and click Enable.

19. In the left pane, right-click NAP Client Configuration and click Apply.
20. Close the Group Policy Management Editor.
21. Close Group Policy Management.

Task 5: Configure networking on the client
1. Restart SEA-CL1, and log on as Adatum\Administrator with a password of Pa$$w0rd.
2. Click Start, in the Start Search box, type cmd, and then press ENTER.
3. Type gpupdate and press ENTER. If an error occurs, wait a few moments and try again. The error is the result of the authentication negotiation for the connection security rule in a previous exercise. To verify connectivity to SEA-DC1, you can use Internet Explorer to access the Web site.
4. Close the command prompt.
5. Click Start, right-click Network, and click Properties.
6. Under Tasks, click Manage network connections.
7. Right-click Local Area Connection and click Properties.
8. Click Internet Protocol Version 4 (TCP/IPv4) and click the Properties button.
9. Click Obtain an IP address automatically, click Obtain DNS server address automatically, and then click OK.
10. Click Close and close all open windows. Wait a few moments, and in most cases a warning about limited network access will appear in the system tray. If this warning does not appear after a few moments, continue with the next step. You will verify that the client computer is on the restricted network in step
11. Click Start, in the Start Search box, type cmd, and then press ENTER.
12. At the command prompt, type ipconfig /all and press ENTER. Notice that an IPv4 address has been configured, but the subnet mask is and the Connection-specific DNS suffix is restricted.adatum.com.
13. Close the command prompt.

Task 6: Configure the SHV
1. On SEA-DC1, click Start, point to Administrative Tools, and then click Network Policy Server.
2. In the left pane, expand Network Access Protection and click System Health Validators.
3. Right-click Windows Security Health Validator, and click Properties.
4. Click the Configure button.
5. On the Windows Vista tab, deselect all check boxes except A firewall is enabled for all network connections, and then click OK.
6. Click OK to close the Windows Security Health Validator Properties window.
7. Close Network Policy Server.

Task 7: Test compliance and auto-remediation on the client
1. On SEA-CL1, click Start, type cmd, and press ENTER.
2. Type ipconfig /renew and press ENTER. Notice that SEA-CL1 now has a default gateway, a subnet mask of , and the Connection-specific DNS suffix is Adatum.com.
3. Close the command prompt.
4. Click Start, and click Control Panel.
5. Click Security, and click Windows Firewall.
6. Click Change settings.
7. Click Off and click OK. Notice that Windows Firewall status is off only briefly before being turned back on by the NAP client.
8. Close all open windows.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 8
Lab Answer Key: Planning Server Administration

Contents:
Exercise 1: Planning for Branch Office Administration
Exercise 2: Delegating Administration to Branch Office Personnel

Lab: Planning Server Administration

Exercise 1: Planning for Branch Office Administration

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Branch Office Delegation document with your proposals
Answer the questions in the Branch Office Delegation document.

Branch Office Delegation
Document Reference Number: GW0511/1
Document Author: Gregory Weber
Date: 5th November
Requirement Overview: Determine which tasks can be delegated to Joe Healy in Sales. Specify how this delegation will be achieved.
Additional Information: None

Proposals
1. Which features will you need to install on a recently deployed departmental server to support administrative delegation?
Answer: Answers will vary, but in order to support the Windows PowerShell scripts, the server will require Windows PowerShell. Because client computers are not allowed to host management and administration tools, the local server must have the Remote Server Administration Tools feature installed.

Branch Office Delegation (continued)
Proposals (continued)
2. How will you manage the requirement that Joe needs to be able to manage which GPOs apply to the Sales OU without giving him the ability to edit the GPO settings?
Answer: Assign a group to which Joe belongs, the Manage Group Policy links Active Directory permission on the Sales OU.
3. What delegated permissions will you give to Joe in Active Directory?
Answer: Aside from the Manage Group Policy links permission, these additional permissions are required on the Sales OU in order to administer Users, Groups, and Computers:
   - Create, delete, and manage user accounts
   - Reset user passwords and force password change at next logon
   - Read all user information
   - Create, delete, and manage groups
   - Modify the membership of a group
   - Create and delete computer objects
4. How will you achieve this?
Answer: The Delegate Control wizard will enable you to establish most of these permissions as common tasks. However, the computer administration permissions need to be assigned manually, or as custom tasks.
5. Because you are not permitted to grant Joe any delegated permissions directly, how will you achieve the required delegation?
Answer: Create a global group and add Joe to the group; grant that group permissions.

Results: After this exercise, you should have a completed Branch Office Delegation proposal document.

Exercise 2: Delegating Administration to Branch Office Personnel

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
7. Minimize the Lab Launcher window.

Task 2: Create the necessary security group
1. Switch to the SEA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In Active Directory Users and Computers, click the Sales organizational unit.
4. Right-click Sales, click New, and then click Group.
5. In the New Object Group dialog box, in the Group name box, type Sales-Admins, and then click OK.
6. In the results pane, double-click Sales-Admins.
7. In the Sales-Admins Properties dialog box, click the Members tab, and then click Add.
8. In the Select Users, Contacts, Computers, or Groups dialog box, in the Enter the object names to select (examples) box, type Joe, click Check Names, and then click OK.
9. In the Sales-Admins Properties dialog box, click OK.

Task 3: Delegate control of the Sales organizational unit
1. In the navigation pane, right-click Sales, and then click Delegate Control.
2. In the Delegation of Control Wizard, click Next.
3. On the Users or Groups page, click Add.
4. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples) box, type Sales-admins, click Check Names, and then click OK.
5. On the Users or Groups page, click Next.
6. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the following check boxes, and then click Next:
   - Create, delete, and manage user accounts
   - Reset user passwords and force password change at next logon
   - Read all user information
   - Create, delete, and manage groups
   - Modify the membership of a group
   - Manage Group Policy links
7. On the Completing the Delegation of Control Wizard page, click Finish.
8. In Active Directory Users and Computers, click View, and then click Advanced Features.
9. Right-click Sales, and then click Properties.
10. In the Sales Properties dialog box, click the Security tab, and then click Advanced.
11. In the Advanced Security Settings for Sales dialog box, click Add.
12. In the Select User, Computer, or Group dialog box, in the Enter the object name to select (examples) box, type Sales-admins, click Check Names, and then click OK.
13. In the Permission Entry for Sales dialog box, in the Permissions list, select the following check boxes, and then click OK:
   - Create Computer objects/allow
   - Delete Computer objects/allow

14. In the Advanced Security Settings for Sales dialog box, click Add.
15. In the Select User, Computer, or Group dialog box, in the Enter the object name to select (examples) box, type Sales-admins, click Check Names, and then click OK.
16. In the Permission Entry for Sales dialog box, in the Apply to list, click Descendant Computer objects.
17. In the Permissions list, click Full control/allow, and then click OK.
18. In the Advanced Security Settings for Sales dialog box, click OK.
19. In the Sales Properties dialog box, click OK.
20. Close Active Directory Users and Computers.

Task 4: Configure group membership on the SEA-SVR1 server
1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, expand Configuration, expand Local Users and Groups, and then click Groups.
4. In the Groups list, double-click Administrators.
5. In the Administrators Properties dialog box, click Add, and in the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples) box, type Sales-admins, click Check Names, and then click OK.
6. In the Administrators Properties dialog box, click OK.

Task 5: Enable remote desktop on SEA-SVR1
1. Click Start, right-click Computer, and then click Properties.
2. In the Tasks list, click Remote settings.
3. In the System Properties dialog box, click Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).
4. In the Remote Desktop dialog box, click OK.
5. In the System Properties dialog box, click Select Users.

6. In the Remote Desktop Users dialog box, click Add.
7. In the Select Users or Groups dialog box, in the Enter the object name to select (examples) box, type Sales-admins, click Check Names, and then click OK.
8. In the Remote Desktop Users dialog box, click OK.
9. In the System Properties dialog box, click OK.
10. Close System.

Task 6: Install Windows PowerShell and RSAT on SEA-SVR1
1. Click Start, and then click Server Manager.
2. In Server Manager, in the navigation tree, click Features.
3. In the results pane, under Features Summary, click Add Features.
4. In the Add Features Wizard, on the Select Features page, expand Remote Server Administration Tools.
5. Expand Role Administration Tools, and then select the Active Directory Domain Services Tools check box.
6. Select the Windows PowerShell check box, and then click Next.
7. On the Confirm Installation Selections page, click Install, and then when prompted, click Close, and in the Add Features Wizard dialog box, click Yes.
8. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
9. In the Resume Configuration Wizard, click Close.
10. Close Server Manager.

Task 7: Perform branch administration
1. Switch to the SEA-CL1 computer. Note: if you are already logged on as Joe, please log off and then proceed with the lab.
2. Log on as ADATUM\Joe with the password Pa$$w0rd.

3. Click Start, and in the Start Search box, type mstsc.exe, and then press ENTER.
4. In the Remote Desktop Connection dialog box, in the Computer list, type , and then click Connect.
5. In the Windows Security dialog box, in the User name box, type adatum\joe.
6. In the Password box, type Pa$$w0rd, and then click OK.
7. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
8. In the User Account Control dialog box, click Continue.
9. In Active Directory Users and Computers, expand Adatum.com, and then click the Sales organizational unit.
10. In the results pane, right-click Tom Higginbotham, and then click Delete.
11. In the Active Directory Domain Services dialog box, click Yes.
12. Right-click Sales, click New, and then click Computer.
13. In the New Object Computer dialog box, in the Computer name box, type Sales-1 and then click OK.

Task 8: Create and run a Windows PowerShell script
1. Click Start, point to All Programs, click Windows PowerShell 1.0, right-click Windows PowerShell, and then click Run as administrator.
2. In the User Account Control dialog box, click Continue.
3. At the Windows PowerShell Command Prompt, type notepad user.ps1 and then press ENTER.
4. In the Notepad dialog box, click Yes.
5. In Notepad, type the following lines of code:

    # Bind to the Sales OU through ADSI
    $objOU = [ADSI]"LDAP://OU=Sales,DC=Adatum,DC=com"
    # Create the user object in memory and set its logon name
    $objUsr = $objOU.Create("user", "CN=Tom Higginbotham")
    $objUsr.Put("sAMAccountName", "tom")
    # Write the new object to the directory
    $objUsr.SetInfo()

6. Click File, click Save, and then close Notepad.

7. At the Windows PowerShell Command Prompt, type set-executionpolicy remotesigned, and then press ENTER.
8. At the Windows PowerShell Command Prompt, type ./user.ps1 and then press ENTER.
9. Switch to Active Directory Users and Computers.
10. Refresh the view.
11. Right-click Tom Higginbotham, and then click Enable Account.
12. Close all open windows.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
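To check what Task 3 of this exercise actually granted, the access control entries on the Sales OU can be listed for the Sales-Admins group and compared with the intended delegation. The script below is an added example, not part of the lab answer key: the function names Resolve-GuidName and Get-DelegationSummary are hypothetical, the sample rules are constructed (their inheritance scope for step 13 is an assumption), and the GUIDs are the standard Active Directory schema and extended-right identifiers.

```powershell
# Added example (not from the lab): summarize what a trustee was delegated on an OU.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

# Standard AD class, attribute and extended-right GUIDs behind the tasks selected
# in Task 3. Anything not listed here is printed as a raw GUID.
$guidNames = @{
    '00000000-0000-0000-0000-000000000000' = '(any)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'gPOptions'
}

function Resolve-GuidName([Guid]$Guid) {
    $key = $Guid.ToString()
    if ($guidNames.ContainsKey($key)) { $guidNames[$key] } else { $key }
}

# Returns one row per access rule that names the trustee (matched as DOMAIN\name).
function Get-DelegationSummary($Rules, [string]$Trustee) {
    $full = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($r in $Rules) {
        if ($r.IdentityReference.Value -notlike "*\$Trustee") { continue }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Type        $r.AccessControlType
        $row | Add-Member NoteProperty Rights      $r.ActiveDirectoryRights
        $row | Add-Member NoteProperty On          (Resolve-GuidName $r.ObjectType)
        $row | Add-Member NoteProperty AppliesTo   $r.InheritanceType
        $row | Add-Member NoteProperty ChildType   (Resolve-GuidName $r.InheritedObjectType)
        $row | Add-Member NoteProperty FullControl ((([int]$r.ActiveDirectoryRights) -band $full) -eq $full)
        $row
    }
}

# Constructed sample rules mirroring Task 3 step 13 and steps 16-17, so the
# summary can be tried without a domain. Scope 'All' for step 13 is assumed.
$id    = New-Object System.Security.Principal.NTAccount('ADATUM', 'Sales-Admins')
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$comp  = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $id,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $comp,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$fullOnComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $id,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $comp)

Get-DelegationSummary @($createDelete, $fullOnComputers) 'Sales-Admins' |
    Format-Table -AutoSize

# Against the lab domain, read the real ACL of the Sales OU instead of the sample:
# $ou    = [ADSI]"LDAP://OU=Sales,DC=Adatum,DC=com"
# $rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
# Get-DelegationSummary $rules 'Sales-Admins' | Format-Table -AutoSize
```

Rows with FullControl set to True, such as the Descendant Computer objects entry from steps 16 and 17, are the broadest grants and the first ones to compare against the delegation proposal.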

Module 9
Lab Answer Key: Planning and Implementing Monitoring and Maintenance

Contents:
Exercise 1: Evaluating Performance Metrics
Exercise 2: Monitoring Performance Metrics
Exercise 3: Configuring Data Collector Sets
Exercise 4: Evaluating Trends

Lab: Planning and Implementing Monitoring and Maintenance

Exercise 1: Evaluating Performance Metrics

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Identify performance problems with Windows Server Part A
You know that the server 6430A-NYC-SVR1 experiences low network traffic and has limited disk activity, but the help desk is receiving many reports that the server is slow.
1. Switch to the SEA-SVR1 computer.
2. Click Start, point to Administrative Tools, and then click Reliability and Performance Monitor.
3. Expand Monitoring Tools, and then click Performance Monitor.

4. In Performance Monitor, click the View Log Data button (CTRL+L).
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log Files, and then click Add.
6. In the Select Log File dialog box, in the File name box, type D:\Labfiles\Mod09\Ex1A\EX1A.blg, and then click Open.
7. In the Performance Monitor Properties dialog box, click OK.
8. In Performance Monitor, click Add (CTRL+I).
9. In the Add Counters dialog box, under Available counters, expand Processor, and then click % Processor Time.
10. Under Instances of selected object, click 0, and then click Add.
11. In the Add Counters dialog box, under Available counters, expand System, click Processor Queue Length, click Add, and then click OK.
12. View the graph of the CPU usage on 6430A-NYC-SVR1:
    a. The maximum value is 100 percent.
    b. The average value is percent.
13. In Performance Monitor, click Add (CTRL+I).
14. In the Add Counters dialog box, under Available counters, expand Process, and then click % Processor Time.
15. Under Instances of selected object, select <All Instances>, click Add, and then click OK.
16. Review the % Processor Time used by each process. It is useful to use the Highlight button (CTRL+H) to view each instance. Identify the process that is consuming the CPU.
    Answer: The cpustres process is consuming most of the CPU time.
17. Close Reliability and Performance Monitor.

Task 3: Identify performance problems with Windows Server 2008 Part B
You know that the server 6430A-NYC-SVR1 is not running processor-intensive applications, but the help desk is receiving many reports that the server is slow.
1. Click Start, point to Administrative Tools, and then click Reliability and Performance Monitor.
2. Expand Monitoring Tools, and then click Performance Monitor.
3. In Performance Monitor, click View Log Data (CTRL+L).
4. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.
5. In the Select Log File dialog box, in the File name box, type D:\Labfiles\Mod09\Ex1B\EX1B.blg, and then click Open.
6. In the Performance Monitor Properties dialog box, click OK.
7. In Performance Monitor, click Add (CTRL+I).
8. In the Add Counters dialog box, under Available counters, expand Physical Disk, and then click Avg. Disk Queue Length.
9. Under Instances of selected object, click 0 C:, and then click Add.
10. Under Available counters, click Current Disk Queue Length.
11. Under Instances of selected object, click 0 C:, and then click Add.
12. Under Available counters, click Disk Transfers/sec.
13. Under Instances of selected object, click 0 C:, and then click Add.
14. Under Available counters, expand Process, and then click IO Data Bytes/sec.
15. Under Instances of selected object, click <All Instances>, click Add, and then click OK.
16. Review the IO Data Bytes/sec values for each process. It is useful to use the Highlight button (Ctrl+H) to view each instance. Identify the process that is consuming the disk transfer capacity.
    Answer: The explorer process is consuming the disk resources.
17. Close the Reliability and Performance Monitor.

Task 4: Identify performance problems with Windows Server 2008 Part C
You know that the server 6430A-NYC-SVR1 experiences low network traffic and is not running processor-intensive applications, but the help desk is receiving many reports that the server is slow.
1. Click Start, point to Administrative Tools, and then click Reliability and Performance Monitor.
2. Expand Monitoring Tools, and then click Performance Monitor.
3. In Performance Monitor, click View Log Data (CTRL+L).
4. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.
5. In the Select Log File dialog box, in the File name box, type D:\Labfiles\Mod09\Ex1C\EX1C.blg, and then click Open.
6. In the Performance Monitor Properties dialog box, click OK.
7. In Performance Monitor, click Add (CTRL+I).
8. In the Add Counters dialog box, under Available counters, expand Process, and then click Working Set - Private.
9. Under Instances of selected object, click <All Instances>, and then click Add.
10. Under Available counters, expand Paging File, click % Usage, hold down CTRL, and then click % Usage Peak.
11. Under Instances of selected object, click \??\C:\pagefile.sys, and then click Add.
12. Under Available counters, expand Memory, click % Committed Bytes In Use, hold down CTRL and click Available MBytes, Committed Bytes, Page Faults/sec, Pages/sec, Pool Nonpaged Bytes, Pool Paged Bytes, click Add, and then click OK.
13. View the graph of the memory and process usage on 6430A-NYC-SVR1. Review the minimum and maximum values for each process to locate the problem. (The value for Available MBytes drops to 4 MB.) Review the Working Set - Private value for each process. It is useful to use the highlight button (CTRL+H) to view each instance. Determine which process is consuming memory.
    Answer: The leakyapp processes are consuming memory.

Exercise 2: Monitoring Performance Metrics

Task 1: Create a data collector set to measure server requirements
1. In Reliability and Performance Monitor, expand Data Collector Sets, and then click User Defined.
2. On the Action menu, point to New, and then click Data Collector Set.
3. In the Create new Data Collector Set dialog box, in the Name box, type File-Server-Monitoring, and then click Next.
4. On the Which template would you like to use? page, ensure that System Performance is selected, and then click Next.
5. On the Where would you like the data to be saved? page, accept the default location, and then click Next.
6. On the Create the data collector set? page, click Finish.
7. In Reliability and Performance Monitor, double-click File-Server-Monitoring, and then double-click Performance Counter. Review the properties and add any additional objects and counters that are required. In the Performance Counter Properties dialog box, click OK.
8. Right-click File-Server-Monitoring, and then click Properties.
9. In the File-Server-Monitoring Properties dialog box, on the Stop Condition tab, in the Overall duration box, type 2, and then click OK.
10. In Reliability and Performance Monitor, right-click File-Server-Monitoring, and then click Start.
11. In Reliability and Performance Monitor, on the Action menu, click Latest Report.
12. Review the collected data. (After approximately two minutes, the report should show the results of the data collector.)
13. Close the Reliability and Performance Monitor.

Exercise 3: Configuring Data Collector Sets

Task 1: Generate an alert by using a data collector set
Create a user-defined data collector set and configure an alert to trigger when the CPU reaches a critical state.
1. Click Start, point to All Programs, point to Administrative Tools, and then click Reliability and Performance Monitor.
2. Select Data Collector Sets, and then double-click User Defined.
3. On the Action menu, point to New, and then click Data Collector Set.
4. In the Create new Data Collector Set dialog box, in the Name box, type High-CPU-Monitoring.
5. Click Create manually (Advanced), and then click Next.
6. On the What type of data do you want to include? page, click Performance Counter Alert, and then click Next.
7. On the Which performance counters would you like to monitor? page, click Add.
8. Under Available counters, expand Processor, and then click % Processor Time.
9. Under Instances of selected object, click 0, click Add, and then click OK.
10. On the Which performance counters would you like to monitor? page, in the Limit box, type 95 and then click Next.
11. On the Create the data collector set? page, click Finish.
12. In Reliability and Performance Monitor, double-click High-CPU-Monitoring, and then double-click DataCollector01. (You may need to adjust the sample interval time to trigger the alert.)
13. In the DataCollector01 Properties dialog box, on the Alert Action tab, select the Log an entry in the application event log check box, and then click OK.
14. Close Reliability and Performance Monitor.

Exercise 4: Evaluating Trends

Scenario
In this exercise, you will compare your answers to the previous exercises with the rest of the class, share your answers with other students, and learn alternative methods to identify performance issues. The main task for this exercise is to discuss your solutions with the class. You should compare the performance counters that have been used and explain why you have used specific counters to make your decision. You should also consider other counters that other students have used.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 10
Lab Answer Key: Planning High Availability and Disaster Recovery

Contents:
Exercise 1: Planning for Branch Office High Availability and Data Recovery
Exercise 2: Implementing the High Availability and Disaster Recovery Plan

Lab: Planning High Availability and Disaster Recovery

Exercise 1: Planning for Branch Office High Availability and Data Recovery

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the High Availability for Sales Database document with your proposals
Answer the questions in the High Availability for Sales Database document.

High Availability for Sales Database
Document Reference Number: GW1602/1
Document Author: Gregory Weber
Date: 16th February
Requirement Overview: To provide a high-availability solution that ensures that the failure of any single component will not cause the Sales database to become unavailable. To ensure that the database is recoverable in the event of multiple disk failures.
Additional Information: All servers are installed with Windows Server 2008 Enterprise Edition.

High Availability for Sales Database (continued)
Proposals (continued)
1. In the current system, what component(s) is a point of failure?
Answer: The back-end database; the front-end Web servers; the storage that hosts the database; the supply of power to all systems.
2. For each element, how would you propose to prevent a system failure resulting from a component failure?
Answer:
   - The back-end database. Implement Failover Clustering; this is required because the database is stateful; that is, it contains data that changes, and each client computer's view of the system is different at a point in time.
   - The front-end Web servers. Implement Network Load Balancing; the front end is stateless, and contains no changing data. Client computers are indifferent as to which Web server they connect through.
   - The storage that hosts the database. Consider implementing a RAID solution for the storage that hosts the database.
   - The supply of power to all systems. An uninterruptible power supply (UPS) does provide some uptime during a power failure, and often enough to properly shut down a database to avoid corruption.
3. What Windows Server 2008 role or feature could help provide for each of these proposals?
Answer: Windows Server 2008 provides the Network Load Balancing and Failover Clustering features. Although disk fault tolerance can be provided through the software, it is usually more appropriate to implement a fault-tolerant array through hardware.
4. After implementing the roles or features proposed, is there any remaining component that represents a single point of failure?
Answer: Loss or unavailability of a datacenter.
5. Have you any recommendations regarding this component(s)?
Answer: Alan Steiner mentioned that the database is to be replicated among the branches. This will provide a contingency in the event of link-failure.
Results: After this exercise, you should have a completed High Availability for Sales Database proposal document.

Exercise 2: Implementing the High Availability and Disaster Recovery Plan

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-SVR2, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
7. Log on to 6430B-SEA-SVR2 as ADATUM\Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Install NLB on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In the navigation tree, click Features.
4. In the results pane, click Add Features.
5. In the Add Features Wizard, select the Network Load Balancing check box, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Task 3: Install IIS on SEA-SVR1
1. In Server Manager, in the navigation tree, click Roles.
2. In the results pane, click Add Roles.
3. In the Add Roles Wizard, click Next.
4. In the Roles list, select the Web Server (IIS) check box. Then in the Add Roles Wizard dialog box, click Add Required Features, and click Next.
5. On the Web Server (IIS) page, click Next.
6. On the Select Role Services page, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.
9. Close Server Manager.

Task 4: Create a Web site on SEA-SVR1
1. Click Start, and then click Command Prompt.
2. Type the following commands at the command prompt, and press ENTER after each command:

    Cd\inetpub\wwwroot
    Xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s
    Exit

Task 5: Install NLB on SEA-SVR2
1. Switch to the SEA-SVR2 computer.
2. Click Start, and then click Server Manager.
3. In the navigation tree, click Features.
4. In the results pane, click Add Features.
5. In the Add Features Wizard, select the Network Load Balancing check box, and then click Next.

6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Task 6: Install IIS on SEA-SVR2
1. In Server Manager, in the navigation tree, click Roles.
2. In the results pane, click Add Roles.
3. In the Add Roles Wizard, click Next.
4. In the Roles list, select the Web Server (IIS) check box. Then in the Add Roles Wizard dialog box, click Add Required Features, and click Next.
5. On the Web Server (IIS) page, click Next.
6. On the Select Role Services page, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.
9. Close Server Manager.

Task 7: Create a Web site on SEA-SVR2
1. Click Start, and then click Command Prompt.
2. Type the following commands at the command prompt, and press ENTER after each command:
   Cd\inetpub\wwwroot
   Xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s
   Exit

Task 8: Create the NLB cluster
1. Switch to the SEA-DC1 computer.
2. Click Start, and then click Server Manager.
3. In the navigation tree, click Features.

4. In the results pane, click Add Features.
5. In the Features list, expand Remote Server Administration Tools, expand Feature Administration Tools, select the Network Load Balancing Tools check box, and then click Next.
6. Click Install, and then click Close.
7. Close Server Manager.
8. Click Start, point to Administrative Tools, and then click Network Load Balancing Manager.
9. When the Network Load Balancing Manager window opens, maximize the window.
10. In the navigation tree, right-click Network Load Balancing Clusters, and then click New Cluster.
11. In the New Cluster: Connect dialog box, in the Host field, type SEA-SVR1, and then click Connect.
12. Click Next.
13. Click Next on the Host Parameters page.
14. On the Cluster IP Addresses page, click Add.
15. In the Add IP Address dialog box, in the IPv4 address field, type , and press TAB. Then in the Subnet mask field, type
16. Click OK, and then click Next.
17. On the Cluster Parameters page, in the Full Internet name field, type webfarm.adatum.com.
18. Click Multicast, and then click Next.
19. On the Port Rules page, click Edit.
20. In the Add/Edit Port Rule dialog box, in the From field, type 80, and in the To field, type
21. Under Protocols, click TCP.
22. For Affinity, click None.
23. Click OK, and then click Finish.

24. In the console tree, right-click webfarm.adatum.com, and then click Add Host to Cluster.
25. In the Add Host to Cluster: Connect dialog box, in the Host field, type SEA-SVR2, and then click Connect.
26. Click Next.
27. On the Host Parameters page, click Next.
28. On the Port Rules page, click Finish.

Task 9: Configure DNS records
1. Click Start, point to Administrative Tools, and then click DNS.
2. In DNS Manager, expand SEA-DC1, expand Forward Lookup Zones, expand adatum.com, and then right-click Adatum.com.
3. Click New Host (A or AAAA).
4. In the New Host dialog box, in the Name box, type webfarm.
5. In the IP address box, type , and then click Add Host.
6. In the DNS dialog box, click OK.
7. In the New Host dialog box, click Done.
8. Close DNS Manager.

Note: You will test the cluster at the end of the exercise.

Task 10: Install the Windows Server Backup features
1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, click Features.
4. In the results pane, click Add Features.
5. In the Features list, select the Windows Server Backup Features check box, and then click Next.

6. On the Confirm Installation Selections page, click Install.
7. On the Installation Result page, click Close, and then close Server Manager.

Task 11: Enable shadow copies
1. Click Start, click Computer, right-click Local Disk (C:), and then click Configure Shadow Copies.
2. In the Shadow Copies dialog box, click Enable.
3. In the Enable Shadow Copies dialog box, click Yes.
4. In the Shadow Copies dialog box, click Settings.
5. In the Settings dialog box, click Schedule.
6. In the C:\ dialog box, select both the Sat and Sun check boxes, and then click OK.
7. In the Settings dialog box, click OK.
8. In the Shadow Copies dialog box, click Create Now, and then click OK.

Task 12: Verify the presence of previous versions of the Web site
1. In Windows Explorer, double-click Local Disk (C:), double-click inetpub, right-click wwwroot, and then click Properties.
2. In the wwwroot Properties dialog box, click the Previous Versions tab.
3. Verify that there are previous versions listed, and then click OK.

Task 13: Establish groups to secure the backup process
1. Click Start, and then click Server Manager.
2. In Server Manager, expand Configuration, expand Local Users and Groups, and then click Groups.
3. In the Groups list, double-click Backup Operators.
4. In the Backup Operators Properties dialog box, click Add.
5. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples) box, type Joe, click Check Names, and then click OK.

6. In the Backup Operators Properties dialog box, click OK.
7. Log off.

Task 14: Perform a backup of the branch server
1. Log on to 6430B-SEA-SVR1 as ADATUM\Joe with the password Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Windows Server Backup.
3. In the User Account Control dialog box, in the Password box, type Pa$$w0rd, and then click OK.
4. In Windows Server Backup (Local), in the actions pane, click Backup Once.
5. In the Backup Once Wizard, on the Backup options page, click Next.
6. On the Select backup configuration page, click Custom, and then click Next.
7. On the Select backup items page, click Next.
8. On the Specify destination type page, click Remote shared folder, and then click Next.
9. On the Specify remote folder page, in the Type the path to the remote shared folder box, type \\sea-dc1\public, and then click Next.
10. On the Specify advanced option page, click Vss copy backup (recommended), and then click Next.
11. On the Confirmation page, click Backup.
12. After the backup has started, click Close.
13. Close Windows Server Backup.

Task 15: Test the NLB cluster
1. Switch to the SEA-DC1 computer.
2. Click Start, point to All Programs, and then click Internet Explorer.
3. In the Microsoft Internet Explorer address bar, type and then press ENTER. The A Datum Intranet appears.

4. Turn off the SEA-SVR1 computer. In the Close box, select Turn off machine and discard changes. Click OK.
5. On SEA-DC1, in the Internet Explorer address bar, type and then press ENTER.

Note: Even though an NLB Cluster member is unavailable, the Web site is still available.

Results: After this exercise, you should have successfully implemented your high-availability and recovery plan.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
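The following batch script is an added example, not part of the lab or of Microsoft's course material. It checks the results of Tasks 11 through 14 from an elevated Command Prompt on SEA-SVR1, after Task 14 and before Task 15 turns that computer off. It assumes an English-language installation (it matches on English output text), that wbadmin is available once the Windows Server Backup feature is installed, and that ADATUM\Joe is the only account meant to hold backup rights.

```batch
@echo off
rem Added example: post-lab checks for SEA-SVR1 (Tasks 11-14).
rem Assumptions: English output strings; ADATUM\Joe is the only intended
rem member of Backup Operators; backups go to \\sea-dc1\public as in Task 14.
setlocal
set EXPECTED=ADATUM\Joe
set SHARE=\\sea-dc1\public
set FAIL=0

rem --- Task 13: Backup Operators can read any file regardless of NTFS
rem     permissions, so flag every member other than the expected account.
for /f "delims=" %%M in ('net localgroup "Backup Operators" ^| findstr /v /b /i /c:"Alias name" /c:"Comment" /c:"Members" /c:"---" /c:"The command"') do (
    if /i not "%%M"=="%EXPECTED%" (
        echo [WARN] Unexpected member of Backup Operators: %%M
        set FAIL=1
    )
)

rem --- Tasks 11-12: at least one shadow copy of C: must exist.
vssadmin list shadows /for=C: | find /i "Shadow Copy ID" >nul
if errorlevel 1 (
    echo [WARN] No shadow copy found for volume C:
    set FAIL=1
)

rem --- Task 14: the remote share must hold at least one backup of this server.
wbadmin get versions -backupTarget:%SHARE% -machine:%COMPUTERNAME% | find /i "Version identifier" >nul
if errorlevel 1 (
    echo [WARN] No backup of %COMPUTERNAME% found on %SHARE%
    set FAIL=1
)

if %FAIL%==0 echo [OK] Backup group, shadow copy and remote backup checks passed.
exit /b %FAIL%
```

The script exits with 1 when any check fails, so it can be called from a scheduled task that alerts on a non-zero result.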

Module 11
Lab Answer Key: Planning Virtualization

Contents:
Exercise 1: Creating a Virtualization Plan
Exercise 2: Implementing Virtualization (Optional)

Lab: Planning Virtualization

Exercise 1: Creating a Virtualization Plan

Task 1: Read the supporting documentation
Read the supporting documentation. Determine if you need any more information and ask your instructor to clarify if required.

Task 2: Create a plan for a virtualization pilot project

Note: Your answers may vary from the lab answer key in this plan. There are several acceptable combinations of servers to virtualize. This is only one example.

Which servers will be virtualized?
Answer: The first servers to be virtualized are SQLTest and PServer.

Why were those servers selected?
Answer: Those servers were selected because they had relatively low utilization for memory, older hardware, and relatively low risk. If they were unavailable for a few hours it would not impact production too much.

How will those servers be virtualized?
Answer: A physical-to-virtual conversion will be performed to convert the servers. This is faster and more reliable than just backing up and restoring the servers.

Do we need any additional tools besides Hyper-V?
Answer: Yes, System Center Virtual Machine Manager is required to perform the physical-to-virtual migrations. This tool will also be beneficial for centralized management as our virtualization environment grows.

What are the hardware specifications for the server?
Answer: The requirements for virtualizing these servers are relatively light, but we should buy sufficient hardware that we can use for additional virtual machines down the road. I suggest the following specifications:
- Dual processor, quad core
- 24 GB of RAM
- 6 hot swap SCSI drives, two disks mirrored for the host operating system, and 3 disks in a RAID 5 array with a hot spare for the virtual machines

Which operating system should be used on the host?
Answer: To run Hyper-V, we need a 64-bit version of Windows Server Standard edition supports up to 32 GB of RAM, which is more than adequate for our needs. Standard edition also supports up to 4 processors, which also meets our needs. We already own licenses for the virtual machines we will be creating, so licensing is not a concern. However, in the long run we may want to consider Enterprise or Datacenter editions because they include multiple virtualization licenses.

Results: After this exercise, you should have a completed plan for a virtualization pilot project.

Exercise 2: Implementing Virtualization (Optional)

Task 1: Configure the computer BIOS for Hyper-V

Note: The first set of BIOS configuration steps in this exercise are correct for a Dell Optiplex 755 with an Intel processor. Also included are steps for an HP DC5850 machine. The steps will vary depending on the model of the computer you are using, BIOS revision, and the processor type. For example, the name of specific settings may be different or already enabled. Ask your instructor for help if required.

1. Start your computer.
2. Press F2 to enter the BIOS setup.
3. Use the down arrow key to select Performance, and then press ENTER to expand Performance.
4. Use the down arrow key to select Virtualization, and then press ENTER.
5. Select On, and then press ENTER.
6. Use the down arrow key to select VT for Direct I/O, and then press ENTER.
7. Select On, and then press ENTER.
8. Use the down arrow key to select Trusted Execution, and then press ENTER.
9. Select Off, and then press ENTER.
10. Use the down arrow key to select Security, and then press ENTER to expand Security.
11. Use the down arrow key to select Execute Disable, and then press ENTER.
12. Select On, and then press ENTER.
13. Press ESC.
14. Select Save/Exit, and then press ENTER.

The following BIOS setting steps are based on an HP DC5850. Configure the computer BIOS for Hyper-V:
1. Start your computer.
2. Press F10 to enter the BIOS setup.
3. Select English, and then press ENTER.
4. Use the right arrow key to select the Security menu, press the down arrow key to select System Security, and then press ENTER.
5. Press the down arrow key once, and then press the right arrow key once to enable the Virtualization Technology. Press ENTER.
6. Press F10 to accept the changes.
7. Press the left arrow key to select the File menu.
8. Use the down arrow key to select Save Changes and Exit, and then press ENTER.

Task 2: Install Windows Server 2008 on the host
1. Place the Windows Server 2008 DVD in the DVD drive, and then restart your computer.

Note: You will be provided with the software required to complete the lab installation from your Instructor. It may or may not be a DVD.

2. To access the boot menu of a Dell Optiplex 755 computer, press F12. Read the POST screen of your computer to determine the appropriate key for your computer.
3. Select the DVD-ROM drive, and then press ENTER.
4. If prompted, press a key to start the computer from DVD.
5. To accept the default language as US English, click Next.
6. Click Install now.
7. Clear the Automatically activate Windows when I'm online check box, and then click Next.

8. To clear the warning, click No.
9. Click Windows Server 2008 Enterprise (Full Installation) x64, select the I have selected the version of Windows that I purchased check box, and then click Next.
10. Select the I accept the license terms check box, and then click Next.
11. Click Custom (advanced).
12. Click Drive options (advanced).
13. To delete all existing partitions, click an existing partition.
14. Click Delete.
15. Click OK to confirm.
16. Repeat steps to delete all partitions.
17. Click Disk 0, and then click Next.
18. After the computer restarts, click OK.
19. In the New password and Confirm password boxes, type Pa$$w0rd, and then press ENTER.
20. To clear the password change confirmation message, click OK.
21. In the Initial Configuration Tasks window, click Provide computer name and domain.
22. In the System Properties window, on the Computer Name tab, click Change.
23. In the Computer name box, type SEA-HOSTx, where x is a number assigned by your instructor, and then click OK.
24. To close the message about restarting to apply changes, click OK.
25. In the System Properties window, click Close.
26. Click Restart Now.

Task 3: Install the Hyper-V role update
1. Log on as Administrator with the password Pa$$w0rd.
2. Obtain the Hyper-V update, Windows6.0-KB x64.msu, by going to
3. Place the update on the desktop of SEA-HOSTx.
4. To begin installation, double-click Windows6.0-KB x64.msu, and then click OK.
5. When installation is complete, click Restart Now.

Task 4: Install the Hyper-V role
1. Log on as Administrator with a password of Pa$$w0rd.
2. Click Start, and then click Server Manager.
3. In the left pane of Server Manager, click Roles.
4. In the right pane of the console, click Add Roles, and then click Next.
5. Select the Hyper-V check box, and then click Next.
6. Read the Introduction to Hyper-V page, and then click Next.
7. Select the Local Area Connection check box, and then click Next.
8. Click Install.
9. When the role installation is complete, click Close.
10. When prompted to restart, click Yes.
11. Log on as Administrator with the password Pa$$w0rd.
12. Wait for the installation of the Hyper-V role to complete, and then click Close.
13. Close Server Manager.

Task 5: Create a new virtual machine
1. Click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In the left pane of the Hyper-V Manager console, click SEA-HOST1.
3. In the actions pane, click New, and then click Virtual Machine.
4. On the Before You Begin page, click Next.
5. In the Name box, type SEA-VMx, where x is a number assigned by your instructor, and then click Next.
6. In the Memory box, type 1024, and then click Next.
7. In the Network list, select your network adapter, and then click Next.
8. To accept the default virtual hard disk settings, click Next.
9. On the Installation Options page, click Next.
10. Click Finish.

Task 6: Install Windows Server 2008 on the virtual machine
1. Place the Windows Server 2008 installation DVD in your DVD drive.
2. In the Virtual Machines area of the Hyper-V Manager console, right-click SEA-VMx, and then click Settings.
3. In the Hardware area, click DVD Drive.
4. In the right pane, click Physical CD/DVD drive, and then click OK.
5. In the Virtual Machines area, right-click SEA-VMx, and then click Start.
6. In the Virtual Machines area, right-click SEA-VMx, and then click Connect. This opens a new window for viewing the SEA-VMx virtual machine.
7. In the SEA-VMx On Localhost Virtual Machine Connection window, click Next to install using the default language of US English, and then click Install Now.
8. Clear the Automatically activate Windows when I'm online check box, and then click Next.
9. To clear the warning, click No.

10. Click Windows Server 2008 Enterprise (Full Installation) x64, select the I have selected the version of Windows that I purchased check box, and then click Next.
11. Select the I accept the license terms check box, and then click Next.
12. Click Custom (advanced).
13. Click Disk 0 Unallocated Space, and then click Next.
14. After the computer restarts, click OK.
15. In the New password and Confirm password boxes, type Pa$$w0rd, and then press ENTER.
16. To clear the password change confirmation message, click OK.
17. In the SEA-VMx On Localhost Virtual Machine Connection window, click Action, and then click Insert Integration Services Setup Disk.
18. In the Autoplay window, click Install Hyper-V Integration Services.
19. To upgrade or repair the installation, click OK.
20. To restart, click Yes.

Results: After this exercise, you should have successfully implemented a Hyper-V host and created a virtual machine.


More information

Course: WIN310. Student Lab Setup Guide. Summer 2010. Microsoft Windows Server 2003 Network Infrastructure (70-291)

Course: WIN310. Student Lab Setup Guide. Summer 2010. Microsoft Windows Server 2003 Network Infrastructure (70-291) Course: WIN310 Student Lab Setup Guide Summer 2010 Microsoft Windows Server 2003 Network Infrastructure (70-291) ISBN: 0-470-06887-6 Published by Wiley & Sons 1 STUDENT COMPUTER SETUP Hardware Requirements

More information

Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide

Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide Microsoft Corporation Published: May 2010 Abstract This guide describes the steps for configuring Remote Desktop Connection

More information

Implementing and Supporting Windows Intune

Implementing and Supporting Windows Intune Implementing and Supporting Windows Intune Lab 5: Using Windows Intune Remote Assistance Lab Manual Information in this document, including URL and other Internet Web site references, is subject to change

More information

Designing and Implementing a Server Infrastructure MOC 20413

Designing and Implementing a Server Infrastructure MOC 20413 Designing and Implementing a Server Infrastructure MOC 20413 Course Outline Module 1: Planning a Server Upgrade and Migration This module explains how to plan a server upgrade and migration strategy. Upgrade

More information

Active Directory Infrastructure Design Document

Active Directory Infrastructure Design Document Active Directory Infrastructure Design Document Written By Sainath KEV Microsoft MVP Directory Services Microsoft Author TechNet Magazine, Microsoft Operations Framework Microsoft Speaker - Singapore Document

More information

Designing and Implementing a Server Infrastructure

Designing and Implementing a Server Infrastructure MS20413 Length: 5 days Designing and Implementing a Server Infrastructure This 5-day instructor-led course provides you with the skills and knowledge needed to plan, design, and deploy a physical and logical

More information

Designing and Implementing a Server Infrastructure

Designing and Implementing a Server Infrastructure Course Code: M20413 Vendor: Microsoft Course Overview Duration: 5 RRP: 2,025 Designing and Implementing a Server Infrastructure Overview Get hands-on instruction and practice planning, designing and deploying

More information

Module 1: Introduction to Active Directory Infrastructure

Module 1: Introduction to Active Directory Infrastructure Module 1: Introduction to Active Directory Infrastructure Contents Overview 1 Lesson: The Architecture of Active Directory 2 Lesson: How Active Directory Works 10 Lesson: Examining Active Directory 19

More information

Planning for Windows Server 2008 Servers

Planning for Windows Server 2008 Servers Planning for Windows Server 2008 Servers Course Number: 6430B Course Length: 3 Days Course Overview This 3-day course is intended for IT pros who are interested in the knowledge and skills necessary to

More information

Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment using Azure AD Sync

Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment using Azure AD Sync Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment using Azure AD Sync Microsoft Corporation Published: December 2014 Author: Mark Grimes Acknowledgements Special thanks to the

More information

Microsoft Corporation. Status: Preliminary documentation

Microsoft Corporation. Status: Preliminary documentation Microsoft Corporation Status: Preliminary documentation Beta content: This guide is currently in beta form. The AppLocker team greatly appreciates you reviewing the document and looks forward to receiving

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Code: M6425 Vendor: Microsoft Course Overview Duration: 5 RRP: 2,025 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Overview This five-day instructor-led course

More information

Special thanks to the following people for reviewing and providing invaluable feedback for this document: Joe Davies, Bill Mathers, Andreas Kjellman

Special thanks to the following people for reviewing and providing invaluable feedback for this document: Joe Davies, Bill Mathers, Andreas Kjellman Test Lab Guide: Creating a Microsoft Azure Active Directory and Windows Server Active Directory Environment using Microsoft Azure Active Directory Sync Services Microsoft Corporation Published: December

More information

Redeploying Microsoft CRM 3.0

Redeploying Microsoft CRM 3.0 Redeploying Microsoft CRM 3.0 2005 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies,

More information

Windows Domain Network Configuration Guide

Windows Domain Network Configuration Guide Windows Domain Network Configuration Guide Windows Domain Network Configuration Guide for CCC Pathways Copyright 2008 by CCC Information Services Inc. All rights reserved. No part of this publication may

More information

Microsoft Hyper-V Server 2008 R2 Getting Started Guide

Microsoft Hyper-V Server 2008 R2 Getting Started Guide Microsoft Hyper-V Server 2008 R2 Getting Started Guide Microsoft Corporation Published: July 2009 Abstract This guide helps you get started with Microsoft Hyper-V Server 2008 R2 by providing information

More information

Planning Domain Controller Capacity

Planning Domain Controller Capacity C H A P T E R 4 Planning Domain Controller Capacity Planning domain controller capacity helps you determine the appropriate number of domain controllers to place in each domain that is represented in a

More information

How To Set Up A Virtual Pc Classroom Setup Guide For A Student Computer Course

How To Set Up A Virtual Pc Classroom Setup Guide For A Student Computer Course 2824B: Implementing Microsoft Internet Security and Acceleration Server 2004 Microsoft Virtual PC Classroom Setup Guide Information in this document, including URL and other Internet Web site references,

More information

Windows Firewall with Advanced Security Step-by-Step Guide - Deploying Firewall Policies

Windows Firewall with Advanced Security Step-by-Step Guide - Deploying Firewall Policies Windows Firewall with Advanced Security Step-by-Step Guide - Deploying Firewall Policies Microsoft Corporation Published: October 2007 Author: Dave Bishop Editor: Scott Somohano Technical Reviewers: Sarah

More information

VNLINFOTECH JOIN US & MAKE YOUR FUTURE BRIGHT. mcsa (70-413) Microsoft certified system administrator. (designing & implementing server infrasturcure)

VNLINFOTECH JOIN US & MAKE YOUR FUTURE BRIGHT. mcsa (70-413) Microsoft certified system administrator. (designing & implementing server infrasturcure) VNLINFOTECH JOIN US & MAKE YOUR FUTURE BRIGHT mcsa (70-413) Microsoft certified system administrator (designing & implementing server infrasturcure) www.vnlinfotech.com MODULE 1 : Considerations for Upgrades

More information

Quick Start Guide for Parallels Virtuozzo

Quick Start Guide for Parallels Virtuozzo PROPALMS VDI Version 2.1 Quick Start Guide for Parallels Virtuozzo Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the current

More information

Step-by-Step Secure Wireless for Home / Small Office and Small Organizations

Step-by-Step Secure Wireless for Home / Small Office and Small Organizations Step-by-Step Secure Wireless for Home / Small Office and Small Organizations Microsoft Corporation Published: October 2005 Author: Brit Weston Editor: Allyson Adley Abstract This white paper presents two

More information

Technical Brief for Windows Home Server Remote Access

Technical Brief for Windows Home Server Remote Access Technical Brief for Windows Home Server Remote Access Microsoft Corporation Published: October, 2008 Version: 1.1 Abstract This Technical Brief provides an in-depth look at the features and functionality

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Details Course Outline Module 1: Introducing Active Directory Domain Services This module provides

More information

The 2007 R2 Version of Microsoft Office Communicator Mobile for Windows Mobile: Frequently Asked Questions

The 2007 R2 Version of Microsoft Office Communicator Mobile for Windows Mobile: Frequently Asked Questions The 2007 R2 Version of Microsoft Office Communicator Mobile for Windows Mobile: Frequently Asked Questions Published: December 2008 Information in this document, including URL and other Internet Web site

More information

Installing Active Directory

Installing Active Directory Installing Active Directory 119 Installing Active Directory Installing Active Directory is an easy and straightforward process as long as you planned adequately and made the necessary decisions beforehand.

More information

Hands-On Lab: WSUS. Lab Manual Expediting WSUS Service for XP Embedded OS

Hands-On Lab: WSUS. Lab Manual Expediting WSUS Service for XP Embedded OS Lab Manual Expediting WSUS Service for XP Embedded OS Summary In this lab, you will learn how to deploy the security update to your XP Pro or XP embedded images. You will also learn how to prepare the

More information

Microsoft Office Communications Server 2007 R2

Microsoft Office Communications Server 2007 R2 Microsoft Office Communications Server 2007 R2 Scale to a Load Balanced Enterprise Edition Pool with WebMux Walkthrough Published: Sept. 2009 For the most up-to-date version of the Scale to a Load Balanced

More information

Microsoft. Official Course. Introduction to Active Directory Domain Services. Module 2

Microsoft. Official Course. Introduction to Active Directory Domain Services. Module 2 Microsoft Official Course Module 2 Introduction to Active Directory Domain Services Module Overview Overview of AD DS Overview of Domain Controllers Installing a Domain Controller Lesson 1: Overview of

More information

Pipeliner CRM Phaenomena Guide Getting Started with Pipeliner. 2015 Pipelinersales Inc. www.pipelinersales.com

Pipeliner CRM Phaenomena Guide Getting Started with Pipeliner. 2015 Pipelinersales Inc. www.pipelinersales.com Getting Started with Pipeliner 05 Pipelinersales Inc. www.pipelinersales.com Getting Started with Pipeliner Learn How to Get Started with Pipeliner Sales CRM Application. CONTENT. Setting up Pipeliner

More information

Designing and Implementing a Server Infrastructure

Designing and Implementing a Server Infrastructure 3 Riverchase Office Plaza Hoover, Alabama 35244 Phone: 205.989.4944 Fax: 855.317.2187 E-Mail: [email protected] Web: www.discoveritt.com Course 20413B: Designing and Implementing a Server Infrastructure

More information

Windows Server 2012 R2 Remote Apps Publishing within the enterprise and beyond

Windows Server 2012 R2 Remote Apps Publishing within the enterprise and beyond Hands-on Lab Windows Server 2012 R2 Remote Apps Publishing within the enterprise and beyond Powered by Remote Desktop Services (RDS) in Windows Server 2012 R2, Microsoft RemoteApps allows users to seamlessly

More information

Deploying Microsoft RemoteFX for Personal Virtual Desktops Step-by-Step Guide

Deploying Microsoft RemoteFX for Personal Virtual Desktops Step-by-Step Guide Deploying Microsoft RemoteFX for Personal Virtual Desktops Step-by-Step Guide Microsoft Corporation Published: June 2010 Abstract This step-by-step guide walks you through the process of setting up a working

More information

Updating your Network Infrastructure and Active Directory Technology Skills to Windows Server 2008

Updating your Network Infrastructure and Active Directory Technology Skills to Windows Server 2008 Updating your Network Infrastructure and Active Directory Technology Skills to Windows Introduction This five day instructor led course provides students with the knowledge and skills to work with Network

More information

Acronis Backup & Recovery 11.5 Quick Start Guide

Acronis Backup & Recovery 11.5 Quick Start Guide Acronis Backup & Recovery 11.5 Quick Start Guide Applies to the following editions: Advanced Server for Windows Virtual Edition Advanced Server SBS Edition Advanced Workstation Server for Linux Server

More information

Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements

Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements Analyze the impact of Active Directory on the existing technical environment. Analyze hardware and software

More information

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services About this Course Configuring and Troubleshooting Windows This five-day instructor-led course provides in-depth training on implementing, configuring, managing and troubleshooting Active Directory Domain

More information

User Document. Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory

User Document. Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory Copyright 2005 Adobe Systems Incorporated. All rights reserved. NOTICE: All information contained herein is the property

More information

How to Secure a Groove Manager Web Site

How to Secure a Groove Manager Web Site How to Secure a Groove Manager Web Site Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations,

More information

Planning and Implementing Windows Server 2008

Planning and Implementing Windows Server 2008 Planning and Implementing Windows Server 2008 Course Number: 6433A Course Length: 5 Days Course Overview This five day course is intended for IT Professionals who are interested in the knowledge and skills

More information

NE-6425C Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

NE-6425C Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services NE-6425C Configuring and Troubleshooting Windows Server 2008 Active Domain Services Summary Duration Vendor Audience 5 Days Microsoft IT Professionals Published Level Technology 02 June 2011 200 Windows

More information

MS 20413A: Designing and Implementing a Server Infrastructure

MS 20413A: Designing and Implementing a Server Infrastructure MS 20413A: Designing and Implementing a Server Infrastructure Description: Days: 5 Prerequisites: This 5-day instructor-led course provides you with the skills and knowledge needed to plan, design, and

More information

Agency Pre Migration Tasks

Agency Pre Migration Tasks Agency Pre Migration Tasks This document is to be provided to the agency and will be reviewed during the Migration Technical Kickoff meeting between the ICS Technical Team and the agency. Network: Required

More information

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course OutlineModule 1: Introducing Active Directory Domain Services This module provides an overview

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Active Directory About this Course This five-day instructor-led course provides in-depth training on implementing, configuring, managing and troubleshooting (AD DS) in and R2 environments. It covers core

More information

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Question Number (ID) : 1 (jaamsp_mngnwi-025) Lisa would like to configure five of her 15 Web servers, which are running Microsoft Windows Server 2003, Web Edition, to always receive specific IP addresses

More information

70-413: Designing and Implementing a Server Infrastructure

70-413: Designing and Implementing a Server Infrastructure 70-413: Designing and Implementing a Server Infrastructure Course Overview This course covers everything you need to know about designing and implementing a server infrastructure. Students will learn about

More information

How To Install Outlook Addin On A 32 Bit Computer

How To Install Outlook Addin On A 32 Bit Computer Deployment Guide - Outlook Add-In www.exclaimer.com Contents About This Guide... 3 System Requirements... 4 Software... 4 Installation Files... 5 Deployment Preparation... 6 Installing the Add-In Manually...

More information

Microsoft 70-413 Exam

Microsoft 70-413 Exam Volume: 90 Questions Topic 1, Contoso, Ltd Overview Contoso, Ltd., is a healthcare company in Europe that has 2,000 users. The company is migrating to Windows Server 2012. The company has two main offices

More information

Designing and Implementing a Server Infrastructure

Designing and Implementing a Server Infrastructure Page 1 of 7 Overview This 5-day instructor-led course provides you with the skills and knowledge needed to plan, design, and deploy a physical and logical Windows Server 2012 Active Directory Domain Services

More information

ILTA 2013 - HAND 6B. Upgrading and Deploying. Windows Server 2012. In the Legal Environment

ILTA 2013 - HAND 6B. Upgrading and Deploying. Windows Server 2012. In the Legal Environment ILTA 2013 - HAND 6B Upgrading and Deploying Windows Server 2012 In the Legal Environment Table of Contents Purpose of This Lab... 3 Lab Environment... 3 Presenter... 3 Exercise 1 Add Roles and Features...

More information

Module 1: Introduction to Designing Security

Module 1: Introduction to Designing Security Module 1: Introduction to Designing Security Table of Contents Module Overview 1-1 Lesson 1: Overview of Designing Security for Microsoft Networks 1-2 Lesson 2: Introducing Contoso Pharmaceuticals: A Case

More information

Quick Start Guide for VMware and Windows 7

Quick Start Guide for VMware and Windows 7 PROPALMS VDI Version 2.1 Quick Start Guide for VMware and Windows 7 Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the

More information

Installation of MicroSoft Active Directory

Installation of MicroSoft Active Directory Installation of MicroSoft Active Directory Before you start following this article you must be aware this is simply a lab setup and you need to assign relevant ip address, hostnames & domain names which

More information

Module 6: Managing and Monitoring Domain Name System

Module 6: Managing and Monitoring Domain Name System Module 6: Managing and Monitoring Domain Name System Contents Overview 1 Lesson: Managing DNS Records 2 Lesson: Testing the DNS Server Configuration 11 Lesson: Monitoring DNS Server Performance 24 Lab:

More information