OFFICIAL MICROSOFT LEARNING PRODUCT 6430B. Lab Instructions and Answer Key: Planning for Windows Server 2008 Servers

Transcription

1 OFFICIAL MICROSOFT LEARNING PRODUCT 6430B Lab Instructions and Answer Key: Planning for Windows Server 2008 Servers

2 ii Lab Instructions and Answer Key: Planning for Windows Server 2008 Servers Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein Microsoft Corporation. All rights reserved. Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, ActiveX, BitLocker, Excel, Forefront, Hyper-V, Internet Explorer, MS, MSDN, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight, SQ Server, Visio, Visual Basic, Visual Studio, Win32, Windows, Windows Live, Windows Media, Windows NT, Windows PowerShell, Windows Server and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. Product Number: 6430B Part Number: X16: Released: 11/2009

3 Lab Instructions: Planning Windows Server 2008 Deployment 1 Module 1 Lab Instructions: Planning Windows Server 2008 Deployment Contents: Exercise 1: Creating a Planning Flowchart for a Windows Server 2008 Deployment 3 Exercise 2: Planning a Windows Server 2008 Deployment 6

4 2 Lab Instructions: Planning Windows Server 2008 Deployment Lab: Planning a Windows Server 2008 Deployment Note: Your instructor may run this lab as a class discussion. A. Datum Corporation has a single head office with a single datacenter that hosts all servers. The servers in the datacenter are running a mix of Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2. The organization has entered into a new volume licensing agreement with Microsoft that allows all servers to be updated to Windows Server 2008.

5 Lab Instructions: Planning Windows Server 2008 Deployment 3 Exercise 1: Creating a Planning Flowchart for a Windows Server 2008 Deployment Scenario You have been tasked with creating a flowchart to help the IT staff in A. Datum Corporation decide how to upgrade or migrate individual servers to Windows Server This flowchart needs to help determine how the process is accomplished and which edition of Windows Server 2008 will be used. Sara Davis, the IT manager, has provided some information about what she expects the flowchart to include and how to approach the task. The main tasks for this exercise are as follows: 1. Read the supporting documentation. 2. Create the flowchart.

6 4 Lab Instructions: Planning Windows Server 2008 Deployment Task 1: Read the supporting documentation Supporting Documentation thread of correspondence with Sara Davis: Gregory Weber From: Sara Davis Sent: 18 July :30 To: Subject: Re: Server Upgrade Flowchart Greg, I don t have a lot of preconceived notions about this should be put together. I just know that we need some sort of tool to help us in our decision-making process during the upgrades. I d rather have one person (you) do the research and planning once than have the process repeated each time we do a server upgrade. Since we ve entered into the new volume licensing agreement, it makes sense to implement Windows Server 2008 whenever possible. I don t have a complete list of criteria that need to be taken into account. You ll need to determine what is appropriate. However, some of the criteria I was thinking of are: 32-bit vs. 64-bit Upgrade vs. migrate Application compatibility The best way to approach this project is to generate a list of relevant criteria for the decision-making process. Then you can arrange them into a flowchart that represents the decision-making process. In some cases, we ll have new hardware. In some cases, we won t have new hardware. Your flowchart will need to take into account both situations. Regards, Sara.

7 Lab Instructions: Planning Windows Server 2008 Deployment Original Message From: Gregory Weber [Gregory@adatum.com] Sent: 18 July :01 To: Sara@adatum.com Subject: Server Upgrade Flowchart Sara, I would like to confirm some of the details regarding the flowchart assignment you gave me in the meeting this morning. As I understand it, you would like others on the team to be able to use this flowchart to determine how any given server in our organization can be updated to using Windows Server Is this correct? Do you have any specific criteria that you think need to be taken into account? Are there any assumptions I can make about new hardware? Regards, Greg Task 2: Create the flowchart 1. On a piece of paper, generate a list of relevant criteria that must be considered during the upgrade or migration process. 2. Use the list of criteria you have generated to create a flowchart for determining whether to upgrade or migrate. 3. Use the list of criteria you have generated to create a flowchart for determining which edition of Windows Server 2008 you should use. 4. Use the list of criteria you have generated to create a flowchart for determining whether to use a 32-bit or 64-bit operating system. Results: After this exercise, you should have created flowcharts to help to determine how to upgrade or migrate an existing server to Windows Server

8 6 Lab Instructions: Planning Windows Server 2008 Deployment Exercise 2: Planning a Windows Server 2008 Deployment Scenario Several servers in the A. Datum Corporation datacenter have been identified as the first candidates for migration to Windows Server For each of these servers, you must determine the process to be used. The main tasks for this exercise are as follows: 1. Create a deployment plan for the archive file server. 2. Create a deployment plan for the main file server. 3. Create a deployment plan for the antivirus server. 4. Create a deployment plan for the human resources application server.

9 Lab Instructions: Planning Windows Server 2008 Deployment 7 Gregory Weber From: Alan Steiner [Alan@adatum.com] Sent: 22 July :05 To: Gregory@adatum.com Subject: Re: First batch of server upgrades to Windows Server 2008 Attachments: Archive File Server.docx Main File Server.docx Antivirus Server.docx Human Resources Application Server.docx Greg, I ve attached a document for each server. It includes the relevant information we ve documented for each server as well as the questions we need answered to perform the upgrade or migration. Regards Alan Original Message From: Gregory Weber [Gregory@adatum.com] Sent: 20 July :45 To: Alan@adatum.com Subject: First batch of server upgrades to Windows Server 2008 Alan, We re going to be doing some server upgrades to Windows Server 2008 soon. Can you please send me the analysis that you performed on the archive file server, main file server, antivirus server, and human resources application server? Thanks. Greg

10 8 Lab Instructions: Planning Windows Server 2008 Deployment Deployment Plan: Archive File Server Document Reference Number: GW0688/1 Document Author Date Gregory Weber 20th July Requirement Overview This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the more efficient file-sharing protocols in Windows Server The archive file server is used to store older data that is accessed only occasionally. Extended outages are possible with notification. It is used only as a file server. It has no other functions. The hardware is relatively new, and no new hardware has been allocated for this server. Additional Information This server is currently running a 32-bit version of Windows Server 2003 R2. Proposals 1. Will this server be upgraded on existing hardware or migrated to new hardware? 2. Which edition of Windows Server 2008 will be used? 3. Will 32-bit or 64-bit Windows Server 2008 be used?

11 Lab Instructions: Planning Windows Server 2008 Deployment 9 Deployment Plan: Main File Server Document Reference Number: GW0689/1 Document Author Date Gregory Weber 20th July Requirement Overview This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the more efficient file-sharing protocols in Windows Server The main file server is mission critical and cannot be taken out of production during business hours. Downtime must be limited to less than one day. It is used only as a file server. It has no other functions. This server should support cross-file replication for DFS. This may be implemented in the future to support remote offices, and the cross-file replication will reduce synchronization traffic on the WAN. Data for this file server is stored on a Fiber Channel Storage Area Network (SAN). New hardware has been allocated for this server if required. Additional Information Clients access this file server through mapped drive letters that are created by a logon script. Proposals 1. Will this server be upgraded on existing hardware or migrated to new hardware? 2. Which edition of Windows Server 2008 will be used? 3. Will 32-bit or 64-bit Windows Server 2008 be used? 4. How will downtime be minimized?

12 10 Lab Instructions: Planning Windows Server 2008 Deployment Deployment Plan: Antivirus Server Document Reference Number: GW0690/1 Document Author Date Gregory Weber 25th July Requirement Overview This server is to be upgraded or migrated to Windows Server 2008 to standardize the server operating systems. The antivirus server can experience an outage of 24 hours without impacting clients. New hardware has been allocated for this server. Additional Information The antivirus application has not been tested by the vendor in 64-bit environments and is not supported in 64-bit environments. Proposals 1. Will this server be upgraded on existing hardware or migrated to new hardware? 2. Which edition of Windows Server 2008 will be used? 3. Will 32-bit or 64-bit Windows Server 2008 be used?

13 Lab Instructions: Planning Windows Server 2008 Deployment 11 Deployment Plan: Human Resources Application Server Document Reference Number: GW0691/1 Document Author Date Gregory Weber 25th July Requirement Overview This server is to be upgraded or migrated to Windows Server 2008 to take advantage of the performance improvements in IIS 7. The existing server is consistently short on memory, and a new server with 8 GB of memory has been allocated to address this. The application data is also stored on this server and must be taken into account. There can be no downtime during business hours. The new server should support failover clustering, as it is being considered for the future. Additional Information None Proposals 1. Will this server be upgraded on existing hardware or migrated to new hardware? 2. Which edition of Windows Server 2008 will be used? 3. Will 32-bit or 64-bit Windows Server 2008 be used? 4. What process will you use to minimize downtime?

14 12 Lab Instructions: Planning Windows Server 2008 Deployment Task 1: Create a deployment plan for the archive file server 1. Read the supporting documentation for the archive file server. 2. Update the proposal document by answering the questions. Task 2: Create a deployment plan for the main file server 1. Read the supporting documentation for the archive file server. 2. Update the proposal document by answering the questions. Task 3: Create a deployment plan for the antivirus server 1. Read the supporting documentation for the archive file server. 2. Update the proposal document by answering the questions. Task 4: Create a deployment plan for the human resources application server 1. Read the supporting documentation for the archive file server. 2. Update the proposal document by answering the questions. Results: After this exercise, you should have created a deployment plan for the archive file server, the main file servers, the antivirus server, and the human resources application server.

15 Lab Instructions: Planning Network Infrastructure for Windows Server Module 2 Lab Instructions: Planning Network Infrastructure for Windows Server 2008 Contents: Exercise 1: Determining an Appropriate Network Addressing Scheme 3 Exercise 2: Planning the Placement of Network Servers 9 Exercise 3: Implementing the Planned Network Services 13

16 2 Lab Instructions: Planning Network Infrastructure for Windows Server 2008 Lab: Planning Network Infrastructure for Windows Server 2008 Note: Your instructor may run this lab as a class discussion. Adatum has created a new regional sales force. As a result, branch offices are being fitted out to support the various regional sales teams. You are responsible for planning the network infrastructure for these new branch offices. Joe Healy, the national Sales Manager, has been communicating with you about his specific requirements for the regional office. In addition, Alan Steiner, a colleague in IT, has visited some of the branch offices.

17 Lab Instructions: Planning Network Infrastructure for Windows Server Exercise 1: Determining an Appropriate Network Addressing Scheme Scenario You have been tasked with designing an IPv4 addressing scheme to support the western region branch offices. There are 10 new offices, 3 in this region, and each with around 100 computers. The main tasks for this exercise are as follows: Read the supporting documentation. Answer the questions in the Update the Branch Office Network Infrastructure Plan: IPv4 Addressing document.

18 4 Lab Instructions: Planning Network Infrastructure for Windows Server 2008 Supporting Documentation thread of correspondence with Joe Healy and Alan Steiner: Gregory Weber From: Joe Healy Sent: 21 July :30 To: Subject: Re: Network applications for branches Greg, Well, I'm not terribly technical myself, but in terms of what the sales people use, it's mostly office productivity software. They do have a sales database, of course, which I believe to be built on SQL Server. Currently, that data is held on several different databases, but we're merging that right now to create a national database. I understand from your colleague, Alan Steiner, that we're going to create regional replicas of the data in that database. As to network traffic, I guess you'd need to ask Alan. Hope that is useful. Regards, Joe Original Message From: Gregory Weber [Gregory@adatum.com] Sent: 20 July :01 To: Joe@adatum.com Subject: Network applications for branches Joe, I'm about to start working on this branch offices deployment. We're at the stage of planning the network infrastructure. Can you tell me something about the applications that the sales team uses? I'm trying to get a feel for network traffic and usage patterns. Regards, Greg

19 Lab Instructions: Planning Network Infrastructure for Windows Server Gregory Weber From: Alan Steiner [Alan@adatum.com] Sent: 22 July :05 To: Gregory@adatum.com Subject: Re: Branch office network traffic analysis Attachments: Adatum Western Region Branch Network Plan.vsd Greg, Each branch will be connected via a router to the head office; I've attached a basic schematic of the western regional offices. We've allocated the network address /21 for all branches in this region. In terms of traffic, the database synchronization takes place overnight so should not impact traffic overly. I think the traffic in the head office sales subnets right now should be fairly indicative. Rather than send you the output, I'll just say that we figure on around 50 computers per subnet. Regards, Alan Original Message From: Gregory Weber [Gregory@adatum.com] Sent: 22 July :45 To: Alan@adatum.com Subject: Branch office network traffic analysis Alan, Do you have any information about network traffic at the new branches? I understand there is to be a database with regional replicas. Do you have any information on that? I'm trying to figure out the number of subnets I'm going to need per branch. Any other information gratefully received! Greg

20 6 Lab Instructions: Planning Network Infrastructure for Windows Server 2008 Adatum Western Region Branch Network Plan.vsd

21 Lab Instructions: Planning Network Infrastructure for Windows Server Task 1: Read the supporting documentation Read the supporting documentation. Task 2: Update the proposal document with your planned course of action Answer the questions in the Branch Office Network Infrastructure Plan: IPv4 Addressing document. Branch Office Network Infrastructure Plan: IPv4 Addressing Document Reference Number: GW0709/1 Document Author Date Gregory Weber 25th July Requirements Overview Design an IPv4 addressing scheme for the Adatum western regional branch sales offices, shown in the exhibit. The block address /21 has been reserved for this region. You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25% growth of hosts in each branch. For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet. Additional Information You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch.

22 8 Lab Instructions: Planning Network Infrastructure for Windows Server 2008 (continued) Branch Office Network Infrastructure Plan: IPv4 Addressing Proposals 1. How many subnets do you envisage requiring for this region? 2. How many hosts will you deploy in each subnet? 3. What subnet mask will you use for each branch? 4. What are the subnet addresses for each branch? 5. What range of host addresses are in each branch? Results: After this exercise, you should have a completed IP addressing plan for the western region branch offices.

23 Lab Instructions: Planning Network Infrastructure for Windows Server Exercise 2: Planning the Placement of Network Servers Scenario Having determined the appropriate addressing scheme for the branch offices in the western region sales division, you must now determine how best to deploy network services to support users working in those locations. Alan Steiner has sent you an with some additional information about the requirements. Using the information in the supporting documentation, and bearing in mind the subnet addressing scheme you previously planned, complete the Branch Office Network Infrastructure Plan: Network Services document. The main tasks for this exercise are as follows: Read the supporting documentation. Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document.

24 10 Lab Instructions: Planning Network Infrastructure for Windows Server 2008 Supporting Documentation thread of correspondence with Alan Steiner: Gregory Weber From: Alan Steiner Sent: 24 July :00 To: Subject: Re: Branch office network services Greg, Answers in line below, Regards, Alan Original Message From: Gregory Weber Sent: 24 July :30 To: Subject: Branch office network services Alan, OK, I have worked out an IP addressing scheme for the branches. Next I need to think about the infrastructure. Could you answer the following questions? 1. How are IP addresses to be assigned for this region? [Alan] By DHCP 2. Is there anything I should know about the DNS name space for the sales offices? [Alan] The sales computers will be in their own DNS name space, sales.adatum.com 3. I have a vague recollection that one of the line-of-business applications that sales uses requires NetBIOS. Is that right? [Alan] You're right, Greg, they need NetBIOS name resolution in sales. Thanks, Greg

25 Lab Instructions: Planning Network Infrastructure for Windows Server Task 1: Read the supporting documentation Read the supporting documentation. Task 2: Update the proposal document with your planned course of action Answer the questions in the Branch Office Network Infrastructure Plan: Network Services document. Branch Office Network Infrastructure Plan: Network Services Document Reference Number: GW0709/2 Document Author Date Gregory Weber 25th July Requirements Overview Specify which network services are required in each sales office, and any changes that might be required in the head office to facilitate your proposals. Additional Information It is important that any router, server, or communications link failure does not adversely affect users.

26 12 Lab Instructions: Planning Network Infrastructure for Windows Server 2008 (continued) Branch Office Network Infrastructure Plan: Network Services Proposals 1. How many DHCP servers do you propose to deploy in the region? 2. Where do you propose to deploy these servers? 3. What name resolution services are required? 4. To support the DNS name space in the sales division, how would you propose to configure DNS? 5. Will you require WINS? 6. If so, how many WINS servers will you require for the region? 7. If not, how do you propose to support single-label names? Results: After this exercise, you should have a completed plan for the deployment of network services in the western regional branch offices.

27 Lab Instructions: Planning Network Infrastructure for Windows Server Exercise 3: Implementing the Planned Network Services Scenario You are on-site at one of the regional offices, and you must now configure network services to support your proposals. The main tasks for this exercise are as follows: 1. Start the virtual machines and log on. 2. Deploy the DHCP server role. 3. Configure scopes to support the branch office. 4. Configure DNS to support the branch office. 5. Enable DNS/WINS integration to support NetBIOS applications. Task 1: Start the virtual machines, and then log on 1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts. 2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch. 3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch. 4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd. 5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd. 6. Minimize the Lab Launcher window. Task 2: Deploy the DHCP Server role on SEA-SVR1 1. Switch to the SEA-SVR1 computer. 2. Use Server Manager to deploy the DHCP Server role. Use the following information to complete the process: a. On the Select Network Connection Bindings page, click Next. b. On the Specify IPv4 DNS Server Settings page, in the Preferred DNS Server IPv4 Address box, type , and then click Next.

28 14 Lab Instructions: Planning Network Infrastructure for Windows Server 2008 c. On the Specify IPv4 WINS Server Settings page, click Next. d. On the Add or Edit DHCP Scopes page, click Next. e. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server, and then click Next. f. On the Authorize DHCP Server page, click Next. Task 3: Configure the primary DHCP scope for subnet 1 Create a new scope. Use the following information to help complete the process: Scope Name: Branch 1 subnet 1 scope 1 IP address range: > Subnet mask: 25 bits Exclusions: > Lease duration: default Router: Task 4: Configure the secondary DHCP scope for subnet 2 Create a new scope. Use the following information to help complete the process: Scope Name: Branch 1 subnet 2 scope 2 IP address range: > Subnet mask: 25 bits Exclusions: > Lease duration: default Router:

29 Lab Instructions: Planning Network Infrastructure for Windows Server Task 5: Create a subdomain in DNS 1. Switch to the SEA-DC1 computer. 2. Open the DNS Manager. 3. Add a new domain in the Adatum.com zone. Task 6: Configure zone transfers for the Adatum.com zone In the DNS Manager, enable zone transfers for the Adatum.com zone. Task 7: Deploy the DNS role on SEA-SVR1 1. Switch to the SEA-SVR1 computer. 2. Using Server Manager, deploy the DNS Server role on SEA-SVR1. Task 8: Configure a secondary zone on SEA-SVR1 Create a new forward lookup zone on SEA-SVR1. Use the following information to help complete the process: Zone type: secondary Zone name: Adatum.com Master DNS server: Task 9: Enable the WINS feature, and configure DNS/WINS integration 1. Using Server Manager, on SEA-SVR1, add the WINS Server feature. 2. Switch to the SEA-DC1 computer. 3. In DNS Manager, enable WINS Forward Lookup: a. Right-click Adatum.com, and then click Properties. b. On the WINS tab, select the Use WINS forward lookup check box. c. In the IP address box, type , press Add, and then click OK.

30 16 Lab Instructions: Planning Network Infrastructure for Windows Server Switch to the SEA-SVR1 computer. 5. In DNS Manager, right-click Adatum.com, and then click Transfer from Master. Note: You might need to wait a few moments before you see the WINS record. Press Refresh if needed. Task 10: Configure DHCP options to support the deployed services 1. On SEA-SVR1, in the DHCP console, right-click Server Options, and then click Configure Options. 2. Configure the following options: 006 DNS Servers: DNS Domain Name: sales.adatum.com 044 WINS/NBNS Servers: Results: After this exercise, you should have successfully deployed branch office network services. To prepare for the next module 1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window. 2. In the Close box, select Turn off machine and discard changes. Click OK.

31 Lab Instructions: Planning for Active Directory 1 Module 3 Lab Instructions: Planning for Active Directory Contents: Exercise 1: Selecting a Forest Topology 4 Exercise 2: Planning Active Directory for a Branch Network 11 Exercise 3: Deploying a Branch Domain Controller 15

32 2 Lab Instructions: Planning for Active Directory Lab: Planning for Active Directory Note: Your instructor may run this lab as a class discussion. Adatum Corporation has recently acquired Contoso, a company with a range of compatible products. Allison Brown, the IT Manager, has asked you to create a document with recommendations about how best to incorporate the Contoso network infrastructure into that of Adatum. Adatum has a large, wholly U.S.-based network, with offices across the United States. Contoso has operations in the U.S., but also in Europe and the Far East. The following table summarizes the high-level information: Adatum Contoso Total number of computers 10,000 10,000 Number of countries 1 5 Current directory service Windows Server 2008 Windows NT 4.0 single-master

33 Lab Instructions: Planning for Active Directory 3 Adatum AD DS Contoso domain model

34 4 Lab Instructions: Planning for Active Directory (continued) Adatum Contoso Number of forests 1 0 External DNS name Adatum.com Contoso.com Number of domains 1 5 Exercise 1: Selecting a Forest Topology Scenario You begin to conduct a survey and exchange a number of s with colleagues that have been on-site at Contoso. You determine that Contoso currently uses a Windows NT 4.0 domain infrastructure consisting of five domains with appropriate trust relationships connecting the domains. The main tasks for this exercise are as follows: Read the supporting documentation. Answer the questions in the Contoso Domain Migration document. Task 1: Read the supporting documentation Read the supporting documentation. Task 2: Update the Contoso Domain Migration document with your planned forest topology Answer the questions in the Contoso Domain Migration document.

35 Lab Instructions: Planning for Active Directory 5 Supporting Documentation thread of correspondence with Alan Steiner: Gregory Weber From: Alan Steiner [Alan@adatum.com] Sent: 31 July :50 To: Gregory@adatum.com Subject: Re: Contoso Domain Migration Attachments: Windows NT4.0 Single-Master Model.doc Greg, I ve attached a document I located in an old TechNet library CD. It provides some useful tips. The only comment I d make is that the single-master domain model is usually implemented in order to keep all the user accounts in one account-holding domain, and all the resources in multiple resource-holding domains. These days, you d probably want to use organizational units within a domain to hold the resources like computers and so forth. You d almost certainly need to reduce the number of domains. Regards, Alan Original Message From: Gregory Weber [Gregory@adatum.com] Sent: 31 July :45 To: Alan@adatum.com Subject: Contoso Domain Migration Hello Alan, Allison has asked me to draw up a proposal for a migration of the Contoso network into our network infrastructure. I understand it s running Windows NT 4.0. I m simply trying to determine the number and configuration of forests at this point, but don t have much experience with these older Windows NT 4.0 domain models. Do you have any guidance or general advice? Regards, Greg

36 6 Lab Instructions: Planning for Active Directory Windows NT4.0 Single-Master Model.doc Windows NT supports four domain models: Single domain. In this model, there is only one domain. The domain holds both user/group accounts and resources. There is a single administrator for both resources and user/group accounts. Single-master domain. In this model, there is an account-holding domain and as many resource-holding domains as required to support an organization s requirements. There is separation of administration because the accountholding administrator has no administrative control on the resource-holding domains, and the administrators in the resource-holding domains do not have administrative control over the account-holding domain, nor each other s resource-holding domain. One-way trusts are established between the resource-holding and account-holding domains so that users and group from the account-holding domain (trusted) can be granted permissions, through the trust, to resources in the resource-holding domain (trusting) at the discretion of the resource-holding administrator. Multimaster domain. Windows NT 4.0 supports a maximum of around 15,000 user accounts in a single domain. Where organizations require the administrative separation of the single-master domain model, but have a large user base, they opt for the multimaster model. Additional trusts are required to facilitate this model. Complete trust. In this model, all domains trust all other domains. This provides for the ability for users in any domain potentially to gain access to resources held in any other domain. This model is the most similar to what AD DS provides.

37 Lab Instructions: Planning for Active Directory 7 Gregory Weber From: Alan Steiner [Alan@adatum.com] Sent: 04 August :45 To: Gregory@adatum.com Subject: Re: Details of Contoso domain model Attachments: Adatum AD DS Overview.vsd; Contoso NT 4 Domain Overview.vsd Greg, I do, and I ve attached it together with one of the Adatum.com domains. As you know, we have a single AD DS domain, and use organizational units to manage resources and sites for replication control. Contoso, of course, cannot use organizational units or sites, as Windows NT 4.0 domains do not support them. This is probably why they have several domains to better control Windows NT 4.0 domain replication. It s possibly why they have four resource domains, too. Regards, Alan Original Message From: Gregory Weber [Gregory@adatum.com] Sent: 03 August :10 To: Lan@adatum.com Subject: Details of Contoso domain model Alan, Thanks for that Windows NT 4.0 document; it was very helpful. Do you happen to have any diagrams of the actual domain infrastructure? Thanks, Greg

38 8 Lab Instructions: Planning for Active Directory Adatum AD DS Overview.vsd Contoso NT 4 Domain Overview.vsd

39 Lab Instructions: Planning for Active Directory 9 Contoso Domain Migration Document Reference Number: GW0809/1 Document Author Date Gregory Weber 5th August Requirement Overview To devise an appropriate forest and domain topology for the merged companies. Additional Information The new company will continue to operate with dual names; that is, the Adatum and Contoso brands are equally important. It is anticipated that the existing Windows NT 4.0 domain controllers and server will be replaced as part of the migration process. Proposals 1. Do you intend to upgrade the domain controllers in the Contoso network to Windows Server 2008? 2. How many forests do you anticipate? 3. How many domains do you plan to implement? 4. How many trees do you envisage? 5. What trust relationships, aside from those created automatically, will you require?

40 10 Lab Instructions: Planning for Active Directory (continued) Contoso Domain Migration Proposals (continued) 6. Provide a sketch of the completed forest. Results: After this exercise, you should have a completed Contoso Domain Migration document.

41 Lab Instructions: Planning for Active Directory 11 Exercise 2: Planning Active Directory for a Branch Network Scenario Adatum has a number of new sales offices in the western region. Allison Brown has asked you to determine the appropriate Active Directory configuration for them, and to document your proposals. The main tasks for this exercise are as follows: Read the supporting documentation. Answer the questions in the Branch Office Planning document. Supporting Documentation thread of correspondence with Alan Steiner: Gregory Weber From: Alan Steiner [Alan@adatum.com] Sent: 24 August :02 To: Gregory@adatum.com Subject: Re: Branch Office Plan Attachments: Sales Office Details.doc Greg, Take a look at the attached document. Get back to me with any questions. I got this from Joe Healy, the Sales manager. Alan Original Message From: Gregory Weber [Gregory@adatum.com] Sent: 24 August :30 To: Alan@adatum.com Subject: Branch Office Plan Alan, What can you tell me about these new sales offices? Thanks, Greg

42 12 Lab Instructions: Planning for Active Directory Sales Office Details.doc In the sales offices, we have a number of line-of-business applications, including a Microsoft SQL Server based database. The local sales office updates and replicates back to the head office overnight. The SQL Server database needs access to a directory of customers. In the western region, we have three offices, each with around 100 computers. We have a routed connection back to the head office. Alan Steiner tells me that name resolution is provided by WINS and DNS, as we have a legacy NetBIOS application. There was some talk of creating a separate name space for sales, such as Sales.adatum.com, but we have implemented this only as an domain. The computers are all part of the Adatum.com domain. We ve had some issues in the past with security; we often have members of the public in our sales offices, and consequently security is a critical factor. We don t always have the option of a secure computer room, and so our laptops are locked to the desks. Servers are often to be found in a closet, or small office. Each branch office consists of a number of subnets; two for hosting the sales staff laptops and another for branch network servers.

43 Lab Instructions: Planning for Active Directory 13 Branch Office Planning Document Reference Number: GW0809/2 Document Author Date Gregory Weber 1st September Requirement Overview To determine the placement and configuration of domain controllers and related services at the western region sales offices. Additional Information It is important that in the event of a link failure between the head office and branch offices, users are still able to log on to the network and access services. Proposals 1. Do you intend to deploy a domain controller(s) in the branch offices? How many? 2. Will you deploy an RODC(s)? 3. How will you optimize the directory replication for the branches? 4. How will domain controllers know in which branch they are located? 5. Do you anticipate the need for global catalog services? 6. How will you configure global catalog and DNS? 7. What additional Active Directory related services are required to support the branch office line-of-business applications?

44 14 Lab Instructions: Planning for Active Directory Task 1: Read the supporting documentation Read the supporting documentation. Task 2: Update the Branch Office Planning document with your proposals Answer the questions in the Branch Office Planning document. Results: After this exercise, you should have a completed Branch Office Planning document.

45 Lab Instructions: Planning for Active Directory 15 Exercise 3: Deploying a Branch Domain Controller Scenario You have been tasked with performing the deployment of the new domain controller at the Redmond sales branch office. The main tasks for this exercise are as follows: 1. Start the virtual machines and log on. 2. Raise the domain and forest functional level. 3. Create a new site and subnet object. 4. Configure the replication interval for the new site. 5. Prepare the forest for the new RODC. 6. Deploy the new RODC. 7. Configure the password replication policy and prepopulate the password cache. Task 1: Start the virtual machines, and then log on 1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts. 2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch. 3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch. 4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd. 5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password Pa$$w0rd. 6. Minimize the Lab Launcher window. Task 2: Raise the domain functional level 1. Switch to the SEA-DC1 computer. 2. Open Active Directory Users and Computers.

46 16 Lab Instructions: Planning for Active Directory 3. Raise the domain functional level to Windows Server Close Active Directory Users and Computers. Task 3: Raise the domain forest level 1. Open Active Directory Domains and Trusts. 2. Raise the forest functional level to Windows Server Close Active Directory Domains and Trusts. Task 4: Create the Redmond site 1. Open Active Directory Sites and Services. 2. Create a new site with the following properties: Name: Redmond Associated site link: DEFAULTIPSITELINK Task 5: Configure the replication interval 1. In Active Directory Sites and Services, expand Inter-Site Transports, expand IP, and then click IP. 2. Modify the replication interval for DEFAULIPSITELINK: Replicate every: 15 minutes Task 6: Create the /16 subnet 1. In Active Directory Sites and Services, in the console, right-click Subnets, and click New Subnet. 2. Create a new subnet with the following properties: Prefix: /16 Site Name: Redmond 3. Close Active Directory Sites and Services.

47 Lab Instructions: Planning for Active Directory 17 Task 7: Prepare the forest for the RODC 1. Open the Command Prompt. 2. At the command prompt, type each of the following commands, and then press ENTER: D: Cd\Labfiles\Mod03\adprep Adprep /rodcprep 3. Close the command prompt. Task 8: Promote a new domain controller for the branch office 1. Switch to the SEA-SVR1 computer. 2. Run dcpromo with advanced mode installation. 3. Use the following options to complete the process: Operating System Compatibility page: default. Choose a Deployment Configuration page: Existing forest. Network Credentials page: default. Select a Domain page: default. Select a Site page: default. Additional Domain Controller Options page: select the Read-only domain controller (RODC) check box. (Note: Leave the other check boxes selected.) In the Static IP assignment dialog box, click Yes, the computer will use a dynamically assigned IP address (not recommended). Specify the Password Replication Policy page: default. Delegation of RODC Installation and Administration page: default. Install from Media page: default. Source Domain Controller page: default.

48 18 Lab Instructions: Planning for Active Directory Location for Database, Log Files, and SYSVOL page: default. Directory Services Restore Mode Administrator Password page: Password: Pa$$w0rd. Confirm: Pa$$w0rd. In the Active Directory Domain Services Installation dialog box, select the Reboot on completion check box. Task 9: Configure the password replication policy 1. When SEA-SVR1 has restarted, log on to the SEA-SVR1 virtual machine as ADATUM\administrator with a password of Pa$$w0rd. 2. Switch to the SEA-DC1 computer. 3. Open Active Directory Users and Computers. 4. Locate SEA-SVR1 in the Domain Controllers folder. 5. View the Password Replication Policy page of the SEA-SVR1 Properties dialog box. 6. Grant the SalesGG global group the Allow passwords for the account to replicate to this RODC permission. 7. Click Apply, and then click Advanced. 8. From the Resultant Policy tab of the Advanced Password Replication Policy for SEA-SVR1 dialog box, verify that Joe s account is allowed to cache its password.

49 Lab Instructions: Planning for Active Directory 19 Task 10: Prepopulate the password cache 1. From the Policy Usage tab of the Advanced Password Replication Policy for SEA-SVR1 dialog box, click Prepopulate Passwords. 2. Prepopulate the following user accounts passwords: Joe; Jim; Parul; Heiko; Claus 3. Close Active Directory Users and Computers. Results: After this exercise, you should have successfully deployed an RODC for the Redmond sales office. To prepare for the next module 1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window. 2. In the Close box, select Turn off machine and discard changes. Click OK.

50 Lab Instructions: Planning for Group Policy 1 Module 4 Lab Instructions: Planning for Group Policy Contents: Exercise 1: Creating a Group Policy Plan 2 Exercise 2: Implementing Group Policy 7

51 2 Lab Instructions: Planning for Group Policy Lab: Planning for Group Policy Note: Your instructor may run this lab as a class discussion. A. Datum has never implemented group policy other than for basic password configuration in the domain using the default GPOs. After attending a recent seminar, the IT manager wants to use group policy more effectively for the organization. Exercise 1: Creating a Group Policy Plan Scenario You have been tasked with creating a plan for implementing group policy. Your IT manager has provided you with a list of requirements that must be met by your plan. The main tasks for this exercise are as follows: 1. Read the supporting documentation. 2. Create an OU structure. 3. Create a list of required GPOs.

52 Lab Instructions: Planning for Group Policy 3 Supporting Documentation thread of correspondence with Allison Brown: Gregory Weber From: Allison Brown [Allison@adatum.com] Sent: 21 July :30 To: Gregory@adatum.com Subject: group policy implementation Greg, As we discussed in the meeting this morning, I d like you to take the lead on planning our implementation of group policy. At this time, we have only the default GPOs in place for the domain and domain controllers. Here are some of the requirements that have come up that I believe can be addressed best by using group policy: Read and write access to removable drives should be blocked for all office computers, including servers. Since we ve upgraded all of the computers to Windows Vista and Windows Server 2008, this should be no problem. We must ensure that another GPO does not override this setting. Due to the creation of the three new branch offices, we are hiring a new person to manage those offices. We d like the new person to be able to manage group policy for those remote offices, but not the head office. I d like to start using group policy preferences for drive mappings, rather than logon scripts. We want the drive letters to be consistent in each location, but the server names will vary in each location. Application installation and updates for the branches will be done by using group policy. In the branch offices, the sales staff and office staff will have different applications. We need to be able to roll applications out one location at a time during initial deployment. However, later updates can be done for all branches at once. Application installation files should be stored in DFS and replicated to each branch.

53 4 Lab Instructions: Planning for Group Policy The computer training lab in the head office should not be subject to the restriction on removable drives. We ll be using USB drives to configure these computers for various courses. The user desktops on the Terminal Server running Windows Server 2003 need to be locked down. The Desktop and Start Menu should be simplified to display only the application that users have access to. All users should have the same configuration when logged on to the Terminal Server regardless of the OU they are located in. At minimum, I need to you to figure out how these can be implemented. As part of your plan, please create an OU structure and define where each group policy will be linked. Let me know if you require any clarification. Regards, Allison

54 Lab Instructions: Planning for Group Policy 5 Task 1: Read the supporting documentation 1. Read the supporting documentation. 2. On SEA-DC1, use Active Directory Users and Computers to review the existing Active Directory structure. 3. Use the group policy Management Console to review the existing Active Directory configuration. Task 2: Create an OU structure Draw a diagram of an OU structure that will allow you to meet the requirements given to you by Allison.

55 6 Lab Instructions: Planning for Group Policy Task 3: Create a list of required GPOs Create a list of GPOs required to implement the requirements given to you by Allison. GPO Name Settings Linked to Filters Results: After this exercise, you should have a completed group policy plan for A. Datum.

56 Lab Instructions: Planning for Group Policy 7 Exercise 2: Implementing Group Policy Scenario After completing the group policy plan, you must now implement it. The main tasks for this exercise are as follows: 1. Start the virtual machine and log on. 2. Create the OU structure. 3. Create the GPO for enforced security. 4. Create the GPO for Branch 1 preferences. 5. Create the GPOs for applications. 6. Create the GPO for Terminal Servers. 7. Verify application of policies for Branch1 sales staff. 8. Verify application of policies for Branch1 sales staff on the Terminal Server. Task 1: Start the virtual machines, and then log on 1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6430B. The Lab Launcher starts. 2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch. 3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password Pa$$w0rd. 4. Minimize the Lab Launcher window. Task 2: Create the OU structure 1. On SEA-DC1, open Active Directory Users and Computers. 2. Create an organizational unit named Head Office in the root of the Adatum.com domain. 3. Create an organizational unit named Branches in the root of the Adatum.com domain. 4. Create an organizational unit named Branch1 in the Branches OU.

57 8 Lab Instructions: Planning for Group Policy 5. Create an organizational unit named Branch2 in the Branches OU. 6. Create an organizational unit named Branch3 in the Branches OU. 7. Create an organizational unit named Terminal Servers in the root of the Adatum.com domain. Task 3: Create the GPO for enforced security 1. Use Active Directory Users and Computers to create a new global security group in the Head Office OU. Group name: Lab Computers 2. Use Active Directory Users and Computers to create a new computer account in the Head Office OU. Computer name: Lab1 3. Add Lab1 as a member of the Lab Computers group. 4. Use group policy Management to create the enforced security GPO. Name: Enforce Security Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny read access, Enabled Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access, Enabled Linked to Adatum.com 5. On the Enforced Security link to Adatum.com, make the policy Enforced. 6. On the Delegation tab of Enforced Security, use the Advanced button to Deny Read permission for the Lab Computers group.

58 Lab Instructions: Planning for Group Policy 9 Task 4: Create the GPO for Branch1 preferences 1. Use Group Policy Management to create a new GPO in the Group Policy Objects container. Name: Branch1 Preferences User Configuration\Preferences\Windows Settings\Drive Maps Map drive letter S to \\Branch1Srv\Shared. 2. Link Branch1 Preferences to the Branch1 OU. Task 5: Create the GPOs for applications 1. Use Active Directory Users And Computers to create a new global security group in the Branches OU. Group name: Sales Staff 2. Use Active Directory Users And Computers to create a new global security group in the Branches OU. Group name: Office Staff 3. Use Group Policy Management to create a new GPO in the Group Policy Objects container. Name: Sales Applications 4. Use Group Policy Management to create a new GPO in the Group Policy Objects container. Name: Office Applications 5. Configure security filtering for the Sales Applications GPO on the Scope tab: Remove the Authenticated Users group from the Security Filtering area. Add the Sales Staff group to the Security Filtering area. 6. Configure security filtering for the Office Applications GPO on the Scope tab: Remove the Authenticated Users group from the Security Filtering area. Add the Office Staff group to the Security Filtering area. 7. Link the Sales Applications GPO to the Branch1 OU. 8. Link the Office Applications GPO to the Branch1 OU.

59 10 Lab Instructions: Planning for Group Policy Task 6: Create the GPO for Terminal Servers Use Group Policy Management to create a new GPO that is linked to the Terminal Servers OU. Name: TS Lockdown Computer Configuration\Policies\Administrative Templates \System\Group Policy\User Group Policy loopback processing mode, Enabled, Replace mode User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands, Enabled User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove Run menu from Start Menu, Enabled User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Add Logoff to the Start Menu, Enabled Task 7: Verify application of policies for Branch1 sales staff 1. Use Group Policy Management to model the application of policies for Branch1 sales staff. Use any domain controller User container: Branch1 Computer container: Branch1 Advanced Simulation Options: none User Security Groups: add the Sales Staff group Skip to the final page after entering the User Security Groups information 2. Review the applied and denied GPOs for the computer. 3. Review the applied and denied GPOs for the user.

60 Lab Instructions: Planning for Group Policy 11 Task 8: Verify application of policies for Branch1 sales staff on the Terminal Server 1. Use Group Policy Management to model the application of policies for Branch1 sales staff. Use any domain controller User container: Branch1 Computer container: Terminal Servers Advanced Simulation Options: Loopback processing, Replace User Security Groups: add the Sales Staff group Skip to the final page after entering the User Security Groups information 2. Review the applied and denied GPOs for the computer. 3. Review the applied and denied GPOs for the user. Results: After this exercise, you should have successfully implemented group policy. To prepare for the next module 1. For each running virtual machine, close the Virtual Machine Remote Control (VMRC) window. 2. In the Close box, select Turn off machine and discard changes. Click OK.

61 Lab Instructions: Planning Application Servers 1 Module 5 Lab Instructions: Planning Application Servers Contents: Exercise 1: Creating a Plan for Application Servers 2 Exercise 2: Implementing Windows SharePoint Services 6 Exercise 3: Implementing Terminal Services 8

62 2 Lab Instructions: Planning Application Servers Lab: Planning Application Servers Note: Your instructor may run this lab as a class discussion. A. Datum has recently identified the need to implement new applications to meet the needs of a growing organization. The first is a portal for collaborating on projects. Windows SharePoint Services has been selected for this purpose. The second need is a new financial application that will be deployed by using Terminal Services. Exercise 1: Creating a Plan for Application Servers Scenario You have been tasked with creating a plan for implementing Windows SharePoint Services for collaboration and Terminal Services to support a financial application. You determine how these application servers will be implemented based on requirements provided by the IT manager.