Active Directory Deployment and Management Enhancements




Windows Server 2012 Hands-on lab

In this lab, you will learn how to deploy Active Directory domain controllers with Windows Server 2012. You will deploy domain controllers using the new Server Manager, as well as deploy remote domain controllers using Windows PowerShell. You will explore the new Active Directory Management tool and use its Windows PowerShell History Viewer. In addition, you will explore the new Active Directory Replication Tools, group Managed Service Accounts and prepare a domain controller for cloning.

Produced by HynesITe, Inc.
Version 4.1, 03/20/2013

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright 2013 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Hyper-V, Windows PowerShell, and Windows Server 2012 are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Introduction

Estimated time to complete this lab: 30 minutes

Objectives
After completing this lab, you will be able to:
- Deploy additional domain controllers using Server Manager.
- Deploy additional domain controllers using Windows PowerShell.
- Explore new UI enhancements in Active Directory Administrative Center.

Prerequisites
Before working on this lab, you must have:
- An understanding of Active Directory deployment.
- The ability to work with Windows PowerShell.
- An understanding of Active Directory management tools and procedures.

Overview of the lab
In this lab, you will learn how to deploy Active Directory domain controllers with Windows Server 2012. You will deploy domain controllers using the new Server Manager, as well as deploy remote domain controllers using Windows PowerShell. You will explore the new Active Directory Management tool and use its Windows PowerShell History Viewer. In addition, you will explore the new Active Directory Replication Tools, group Managed Service Accounts and prepare a domain controller for cloning.

Intended audience
This lab is intended for individuals who are responsible for deploying Active Directory and wish to leverage the newer features of Windows Server 2012 to simplify the process for deploying new domain controllers. This lab is also designed for individuals who are responsible for automation of Active Directory tasks.

Virtual machine technology
This lab is completed using virtual machines that run on Windows Server 2012 Hyper-V technology. To log on to the virtual machines, press CTRL+ALT+END and enter your logon credentials.

Computers in this lab
This lab uses computers as described in the following table. Before you begin the lab, you must ensure that the virtual machines are started and then log on to the computers.

Virtual Machine    Role
DC                 An existing domain controller.
Server1            A future domain controller created during the lab.
Server2            A future domain controller created during the lab.

All user accounts in this lab use the password Passw0rd!

Lab created by HynesITe, Inc. For questions or comments, send an email message to labs@holsystems.com

Note regarding pre-release software
Portions of this lab may include software that is not yet released, and as such may still contain active or known issues. While every effort has been made to ensure this lab functions as written, unknown or unanticipated results may be encountered as a result of using pre-release software.

Note regarding user account control
Some steps in this lab may be subject to user account control. User account control is a technology which provides additional security to computers by requesting that users confirm actions that require administrative rights. Tasks that generate a user account control confirmation are denoted using a shield icon. If you encounter a shield icon, confirm your action by selecting the appropriate button in the dialog box that is presented.

Note on activation
The virtual machines for these labs may have been built by using software that has not been activated. This is by design in the lab to prevent the redistribution of activated software. The unactivated state of software has been taken into account in the design of the lab. Consequently, the lab is in no way affected by this state. For operating systems other than Windows 8, please press Cancel or Close if prompted by an activation dialog box. If you are prompted by an Activate screen for Windows 8, press the Windows key to display the Start screen.

Exercise 1: Deploying Remote Domain Controllers

In this exercise, you will use Server Manager to deploy remote domain controllers to Server1 and Server2. Server1 and Server2 are basic Windows Server 2012 installations with no additional configuration completed.

Add Active Directory Domain Services
In this step, you will add the Active Directory Domain Services role, which is required before configuring the server as a domain controller.
1. Open Server Manager, and then click Add other servers to manage.
2. In the Name (CN): dialog box, type Server1, and then click Find Now.
3. Click Server1, and then click the add arrow.
4. Repeat steps 2-4 to add Server2, and then click OK.
5. In Server Manager, click All Servers.
6. Highlight Server1, click Manage, and then click Add Roles and Features.
7. Click Next until you reach Select destination server.
8. Click Server1, and then click Next.
9. Check the Active Directory Domain Services check box, click Add Features, and then click Next.
10. Click Next until you reach the end of the wizard, and then click Install.
NOTE: This does not configure a domain controller, but installs the Active Directory components.
11. Once the installation has started, click Close.

Deploy a second domain controller
In this step, you will use Server Manager to deploy a second domain controller on a remote server in your domain.
1. In Server Manager, click the notification flag, and then click Task Details.
IMPORTANT: You may need to wait for the installation activity from the previous exercise to complete before proceeding.
2. When the feature installation is complete, in the Task Details dialog box, click the Add Roles and Features action. A configuration is required message is displayed. Click Close.

3. In the Task Details dialog box, locate the task with the message Configuration required for Active Directory Domain Services at Server1, and then click Promote this server to a domain controller.
4. On the Deployment Configuration page, click Change, type Contoso\administrator and the password Passw0rd!, and then click OK.
5. Click Next.
6. On the Domain Controller Options page, under Type the Directory Services Restore Mode (DSRM) password, in Password and Confirm password, type Passw0rd!, and then click Next.
7. Click Next until you reach the Review Options page.
8. Click View Script.
9. Save the script file as InstallDC.txt on your desktop.
10. Close Notepad.
11. Click Next, and then when the prerequisites check completes, click Install.
NOTE: The installation progress will be shown in Server Manager. Wait for this to complete.
12. Click OK if prompted, and then click Close.
13. Close the Task Details dialog box.
IMPORTANT: You will need to wait for the server to restart before moving to the next step in this lab.

Verify the new domain controller
In this step, you will verify that the new domain controller is operational.
1. Open Server Manager, if not already open.
2. On the Tools menu, click Active Directory Sites and Services.
3. Navigate to Sites/Default-First-Site-Name, and then click Servers.
4. Verify that you see DC and Server1 as domain controllers.
5. Minimize the Active Directory Sites and Services console.

Deploy a third domain controller
In this step, you will use the Active Directory module for Windows PowerShell to deploy a third domain controller. Perform this task logged on to DC as Contoso\Administrator using the password Passw0rd!
1. On the taskbar, click Windows PowerShell.

2. Type the following commands, pressing ENTER after each one.

    Install-WindowsFeature -Name AD-Domain-Services -ComputerName Server2

    Invoke-Command -ComputerName Server2 -ScriptBlock {Import-Module ADDSDeployment; Install-ADDSDomainController -NoGlobalCatalog:$False -CreateDNSDelegation:$False -Credential (Get-Credential) -CriticalReplicationOnly:$False -DatabasePath "C:\Windows\NTDS" -DomainName "Contoso.com" -InstallDNS:$True -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$False -SiteName "Default-First-Site-Name" -SysVolPath "C:\Windows\SysVol"}

TIP: You can use tab completion on all parameters to simplify typing.
3. When prompted for credentials, enter the username Contoso\Administrator and the password Passw0rd!.
4. When prompted for a SafeModeAdministratorPassword, type Passw0rd!, and then press ENTER.
5. When prompted to confirm the SafeModeAdministratorPassword, type Passw0rd!, and then press ENTER.
6. When prompted that the server will be configured as a domain controller, press Y, and then press ENTER.
7. Wait for the command to complete, and then close the Windows PowerShell window.

Verify the new domain controller
In this step, you will verify that the new domain controller is deployed.
1. From the taskbar, maximize the Active Directory Sites and Services console you minimized in a previous step.
2. Navigate to Sites/Default-First-Site-Name, and then click Servers.
3. Verify that you see DC, Server1 and Server2 as domain controllers.
TIP: You may need to press F5 to refresh the view.
4. Close Active Directory Sites and Services.
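As an added example (not part of the lab), the same remote promotion as step 2, but gated on the ADDSDeployment prerequisite check and followed by a verification from DC; it assumes the lab's names (Contoso.com, Server2, Default-First-Site-Name) and is run from DC as Contoso\Administrator.

```powershell
# Added example, not from the lab: promote Server2 only after the ADDSDeployment
# prerequisite check passes, then confirm the result from DC. Assumes the lab
# names below; run on DC as Contoso\Administrator.
$target = 'Server2'
$domain = 'Contoso.com'
$site   = 'Default-First-Site-Name'
$cred   = Get-Credential -Message "Domain Admin credentials for $domain"
$dsrm   = Read-Host -AsSecureString 'DSRM (SafeModeAdministrator) password'

# 1. Role binaries only; nothing is promoted yet.
Install-WindowsFeature -Name AD-Domain-Services -ComputerName $target | Out-Null

# 2. The same validation the wizard runs on its Prerequisites Check page, done remotely.
$check = Invoke-Command -ComputerName $target -ArgumentList $domain, $site, $cred, $dsrm -ScriptBlock {
    param($d, $s, $c, $p)
    Import-Module ADDSDeployment
    Test-ADDSDomainControllerInstallation -DomainName $d -SiteName $s -Credential $c `
        -SafeModeAdministratorPassword $p -InstallDns:$true
}
$check | Select-Object Status, Message | Format-List
if ("$($check.Status)" -ne 'Success') {
    throw "Prerequisite check on $target did not succeed; fix the reported issues before promoting."
}

# 3. Promotion with the same settings as the lab's InstallDC script (-Force skips the Y/N prompt).
Invoke-Command -ComputerName $target -ArgumentList $domain, $site, $cred, $dsrm -ScriptBlock {
    param($d, $s, $c, $p)
    Import-Module ADDSDeployment
    Install-ADDSDomainController -DomainName $d -SiteName $s -Credential $c `
        -SafeModeAdministratorPassword $p -InstallDns:$true -CreateDnsDelegation:$false `
        -NoGlobalCatalog:$false -CriticalReplicationOnly:$false `
        -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
        -NoRebootOnCompletion:$false -Force
}

# 4. Run after the target has rebooted: it should be a global catalog in the expected
#    site, which is what the Sites and Services check in the next step confirms by hand.
function Confirm-LabDomainController {
    param([string]$Name, [string]$ExpectedSite)
    $dc = Get-ADDomainController -Identity $Name
    [pscustomobject]@{
        HostName        = $dc.HostName
        Site            = $dc.Site
        IsGlobalCatalog = $dc.IsGlobalCatalog
        Healthy         = ($dc.Site -eq $ExpectedSite -and $dc.IsGlobalCatalog)
    }
}
# Confirm-LabDomainController -Name $target -ExpectedSite $site
```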

Exercise 2: Exploring Enhancements in Active Directory Administrative Center

In this exercise, you will explore how Active Directory Administrative Center simplifies two common tasks: management of the Active Directory Recycle Bin, and Password Settings. These two tasks previously required the use of Windows PowerShell and did not include a built-in interface.
IMPORTANT: Leave Active Directory Administrative Center open. If you close it, then the Windows PowerShell history will not be available for a later task.

Create a user object in a new organizational unit
In this task, you will create a new user account in an organizational unit.
1. Open Server Manager, if not already open.
2. On the Tools menu, click Active Directory Administrative Center.
3. Navigate to contoso (local)\managed-objects.
4. In the Tasks pane, under Managed-Objects, click New, and then click Organizational Unit.
5. In Name, type Sales.
6. Clear the Protect from accidental deletion check box, and then click OK.
7. Open Sales.
8. Click New, and then click User.
9. Create a new user with the following properties, and then click OK.

Property            Value
First Name          Don
Last Name           Hall
Full Name           Don Hall
User UPN Logon      DONHALL
Password            Passw0rd!
Confirm Password    Passw0rd!
Department          Sales_APAC

Enable the Active Directory Recycle Bin
In this step, you will enable the Active Directory Recycle Bin.

1. In Active Directory Administrative Center, click Contoso (local).
2. On the Tasks menu, under Contoso (local), click Enable Recycle Bin, and then in the Enable Recycle Bin Confirmation message box, click OK.
3. Click OK, and then press F5.
NOTE: Note the addition of the Deleted Objects container.

Delete and restore a user and an organizational unit
In this step, you will delete and restore a user and an organizational unit.
1. In Active Directory Administrative Center, navigate to Managed-Objects.
2. Right-click Sales, and then click Delete.
3. In the Delete Confirmation message box, click Yes.
4. In the Confirm Subtree Deletion dialog box, click Yes.
5. Navigate to Deleted Objects.
6. Click Don Hall, and then on the Tasks menu, click Locate Parent.
NOTE: It highlights the Sales OU, since it was the last parent OU.
7. Click Don Hall, and then on the Tasks menu, click Restore To.
8. In the navigation window, select Users, and then click OK.
9. Navigate to Contoso (local)\users.
NOTE: Don Hall is now restored to the Users container.

Create password settings
In this step, you will create a new password settings object.
1. In Active Directory Administrative Center, navigate to Contoso (local)\System\Password Settings Container.
2. On the Tasks menu, click New, and then click Password Settings.
3. In Name, type Domain User Password Requirements.
4. In Precedence, type 100.
5. Click Add.
6. In Select Users or Groups, type Domain Users, and then click OK.
7. Click OK.

8. Click New, and then click Password Settings.
9. In Name, type Domain Admin Password Requirements.
10. In Precedence, type 1.
11. In Minimum password length (characters), type 14.
12. Click Add.
13. In Select Users or Groups, type Domain Admins, and then click OK.
14. Click OK.

Validate the application of password settings
In this step, you will validate the application of password settings.
1. In Active Directory Administrative Center, click Global Search.
2. In Search, type Administrator, and then press ENTER.
3. Click Administrator, and then click View resultant password settings.
NOTE: The administrator now has a stronger password requirement.
4. Click Cancel.
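The same two Password Settings Objects, created with the Active Directory module instead of the Administrative Center, followed by a resultant-policy check that shows why the precedence-1 PSO wins for Administrator; this is an added example and not part of the lab, and it assumes the lab domain contoso.com, the user DONHALL created earlier, and a minimum length of 7 for the user PSO (the lab leaves that field at its default).

```powershell
# Added example, not from the lab: create the exercise's two PSOs and resolve the
# resultant policy for a user. Assumes the lab domain and that the Active
# Directory module is available on DC.
Import-Module ActiveDirectory

# Lower Precedence wins when a user is covered by more than one PSO. The user
# PSO's minimum length of 7 is an explicit choice here; the lab keeps the default.
$policies = @(
    @{ Name = 'Domain User Password Requirements';  Precedence = 100; MinLength = 7;  Subject = 'Domain Users'  },
    @{ Name = 'Domain Admin Password Requirements'; Precedence = 1;   MinLength = 14; Subject = 'Domain Admins' }
)

foreach ($p in $policies) {
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
        New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
            -MinPasswordLength $p.MinLength -ComplexityEnabled $true `
            -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
            -MaxPasswordAge '42.00:00:00' -MinPasswordAge '1.00:00:00' -PasswordHistoryCount 24 `
            -ReversibleEncryptionEnabled $false
    }
    # Idempotent: adding an existing subject is a no-op.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Subject
}

# Resultant policy for a user: the PSO with the lowest Precedence among all PSOs
# that apply (directly or via group membership), or the domain default if none.
function Get-EffectivePasswordPolicy {
    param([string]$User)
    $rso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($rso) {
        [pscustomobject]@{ User = $User; Policy = $rso.Name; Precedence = $rso.Precedence; MinLength = $rso.MinPasswordLength }
    } else {
        $def = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ User = $User; Policy = '(domain default)'; Precedence = $null; MinLength = $def.MinPasswordLength }
    }
}

# Administrator is in Domain Admins and Domain Users, so the Precedence 1 PSO
# applies; DONHALL is only in Domain Users, so the Precedence 100 PSO applies.
Get-EffectivePasswordPolicy -User 'Administrator'
Get-EffectivePasswordPolicy -User 'DONHALL'
```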

Exercise 3: Working with Windows PowerShell History

In this exercise, you will explore how the Active Directory Administrative Center provides a history and audit trail of all activities performed by providing the corresponding Windows PowerShell commands.

View Windows PowerShell History
In this step, you will review the recent actions recorded as Windows PowerShell commands.
1. In Active Directory Administrative Center, expand Windows PowerShell History.
NOTE: This is located on the bottom edge of the Active Directory Administrative Center console.
2. Scroll through and review the recent actions recorded as Windows PowerShell commands.
3. In Windows PowerShell History, click Start Task, and then type CreateOU.
4. Navigate to Contoso\Managed-Objects.
5. Under Managed-Objects, click New, and then click Organizational Unit.
6. In Name, type _Template.
7. Uncheck Protect from accidental deletion.
8. Click OK.
9. In Managed-Objects, right-click the _Template OU.
10. Click Properties.
11. Under Organizational Unit, in Country/Region, select Japan, and then click OK.
12. In Windows PowerShell History, click End Task.

Use Windows PowerShell History
In this step, you will use Windows PowerShell History to quickly create a new script.
1. Open Server Manager.
2. On the Tools menu, click Windows PowerShell ISE.
3. In Windows PowerShell ISE, maximize the window, and then expand the Script pane.
4. In Active Directory Administrative Center, in Windows PowerShell History, highlight CreateOU, highlight the two script tasks below it, and then click Copy.
5. In Windows PowerShell ISE, click in the Show Script Pane.
6. On the Edit menu, click Paste.
7. Replace all instances of _Template with Japan.

IMPORTANT: Ensure that New-ADOrganizationalUnit is the first command used. If needed, switch the two lines around.
13. On the File menu, click Run.
14. Switch to Active Directory Administrative Center, and then verify the creation of your new Organizational Unit.
TIP: You may have to refresh the display.

Exercise 4: Using Windows PowerShell to manage Active Directory

In this exercise, you will explore how Windows PowerShell can be used to manage Active Directory. You will perform 3 tasks using the Active Directory Module for Windows PowerShell. You will create a new Organizational Unit and move a user based on criteria into that Organizational Unit. You will then create a new Active Directory site and move a domain controller into the new site.

Enable a user object in Active Directory
In this task, you will enable an existing Active Directory user object using Windows PowerShell.
1. Open Server Manager.
2. On the Tools menu, click Active Directory Module for Windows PowerShell.
3. Type the following command, and then press ENTER.

    Get-Command *-AD*

NOTE: The full list of Active Directory cmdlets is listed. These are sourced from the Active Directory module and the Active Directory deployment modules. These are the only installed modules currently; however, there are other modules available to manage Active Directory roles.
4. Type the following command, and then press ENTER.

    Get-WindowsFeature

NOTE: The full list of available modules is listed. Scroll up to see the Active Directory modules, and the additional Remote Server Administration Tools (RSAT) modules.
5. To browse the Active Directory domain using Windows PowerShell, type the following commands, pressing ENTER after each one.

    CD AD:
    DIR | Format-Table -Auto
    CD "DC=Contoso,DC=Com"
    DIR

6. To list all objects in a container and then filter to only users, type the following commands, pressing ENTER after each one.

    CD CN=Users
    DIR | FT -a
    Get-ADUser -Filter {name -like "*"}

NOTE: The built-in Guest account is showing as disabled.

7. To enable the built-in Guest account, type the following commands, pressing ENTER after each one.

    Enable-ADAccount -Identity Guest
    Get-ADUser -Filter {name -like "*"} | Select DistinguishedName, Enabled | Format-Table -Auto

NOTE: The Guest account is now enabled. Notice that Don Hall's account is located in the Users container after you recovered the account earlier.

Create a user object in a new organizational unit
In this task, you will create a new user account in an organizational unit using Windows PowerShell, with the Active Directory Module for Windows PowerShell open from the previous task.
1. Type the following commands, pressing ENTER after each one.

    New-ADOrganizationalUnit -Name APAC -Path "OU=Managed-Objects,DC=Contoso,DC=Com"
    Get-ADOrganizationalUnit "OU=APAC,OU=Managed-Objects,DC=Contoso,DC=Com" -Properties *

NOTE: The properties of the new Organizational Unit, located under Managed-Objects, are now displayed.
2. Type the following command, and then press ENTER.

    New-ADUser -Name "Mark Hassall" -SamAccountName "MarkHassall" -GivenName "Mark" -Surname "Hassall" -DisplayName "Mark Hassall" -Path "OU=APAC,OU=Managed-Objects,DC=Contoso,DC=Com" -Department "Sales_APAC" -AccountPassword (Read-Host -AsSecureString "AccountPassword")

3. When prompted for an AccountPassword, type Passw0rd!, and then press ENTER.
NOTE: This has now created a new user named Mark Hassall with the password of Passw0rd! in the APAC OU.

Move an existing user object into an organizational unit
In this task, you will find and move all user accounts for the Sales_APAC Department into the APAC OU using Windows PowerShell, with the Active Directory Module for Windows PowerShell open from the previous task.
1. Type the following commands, pressing ENTER after each one.

    Get-ADUser -Filter {Department -like "Sales_APAC"}
    Get-ADUser -Filter {Department -like "Sales_APAC"} | Move-ADObject -TargetPath "OU=APAC,OU=Managed-Objects,DC=Contoso,DC=Com"
    Get-ADUser -Filter {Department -like "Sales_APAC"}

NOTE: Don Hall's account no longer shows as it has moved from the Users container to the APAC OU.
2. Close Active Directory Module for Windows PowerShell.

Create a new Active Directory site and site links
In this task, you will create a new Active Directory site and then create site-replication links.
1. Open Server Manager.
2. On the Tools menu, click Active Directory Module for Windows PowerShell.
3. Type the following command, and then press ENTER.

    Get-ADReplicationSite

4. Type the following commands, pressing ENTER after each one.

    New-ADReplicationSite Sydney
    Get-ADReplicationSiteLink -Filter *

NOTE: There is only a single Site Link, and it does not include the newly created Sydney site.
5. Type the following commands, pressing ENTER after each one.

    New-ADReplicationSiteLink Default-Sydney -SitesIncluded Default-First-Site-Name,Sydney -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    Get-ADReplicationSiteLink -Filter *

NOTE: The new site link has been created with a cost of 100 and a replication frequency of 15 minutes using the IP protocol.

Move a domain controller into an Active Directory site
In this task, you will move the Server2 domain controller into the Sydney Active Directory site using Windows PowerShell, with the Active Directory Module for Windows PowerShell open from the previous task.
1. Type the following commands, pressing ENTER after each one.

    Get-ADDomainController -Filter * | FT Hostname, Site

    Get-ADDomainController Server2 | Move-ADDirectoryServer -Site Sydney
    Get-ADDomainController -Filter * | FT Hostname, Site

NOTE: Server2 has moved from the Default-First-Site-Name site to Sydney.

Manage Active Directory replication
In this task, you will ensure that all the domain controllers are up to date by first listing the replication partners, then observing the up-to-dateness vector, and then listing any replication failures, with the Active Directory Module for Windows PowerShell open from the previous task.
1. Type the following commands, pressing ENTER after each one.

    Get-ADReplicationPartnerMetadata -Target dc.contoso.com
    Get-ADReplicationPartnerMetadata -Target server2.contoso.com

NOTE: The DC has multiple replication partners while Server2 only has one.
2. Type the following command, and then press ENTER.

    Get-ADReplicationUpToDatenessVectorTable * | Sort Partner, Server | FT Partner, Server, UsnFilter

NOTE: The UsnFilter values do not need to be exactly the same; however, if they are significantly different, this can indicate an issue with replication.
3. Type the following commands, pressing ENTER after each one.

    Get-ADReplicationFailure Server2.contoso.com
    Get-ADReplicationFailure Server1.contoso.com
    Get-ADReplicationFailure DC.contoso.com

NOTE: Any replication failures would be listed after these commands. If there are no results returned, then there have been no failures.
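The three checks in this task, run across every domain controller and reduced to a list of findings, as an added example that is not part of the lab; it assumes the lab domain contoso.com and the Active Directory module on DC, and the 1,000-USN spread threshold is an arbitrary lab value, not a Microsoft recommendation.

```powershell
# Added example, not from the lab: one report covering partner metadata, recorded
# failures and up-to-dateness vector spread for all DCs in the domain. The USN
# spread threshold is an arbitrary value chosen for this lab.
Import-Module ActiveDirectory

function Get-ReplicationHealthReport {
    param([int]$UsnSpreadThreshold = 1000)

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($dc in $dcs) {
        # 1. Partner metadata: a non-zero LastReplicationResult or any consecutive
        #    failures means the most recent inbound replication from that partner failed.
        foreach ($m in Get-ADReplicationPartnerMetadata -Target $dc -ErrorAction SilentlyContinue) {
            if ($m.LastReplicationResult -ne 0 -or $m.ConsecutiveReplicationFailures -gt 0) {
                $findings.Add([pscustomobject]@{
                    Server = $dc; Check = 'PartnerMetadata'
                    Detail = "partner $($m.Partner): result $($m.LastReplicationResult), " +
                             "$($m.ConsecutiveReplicationFailures) consecutive failures, last success $($m.LastReplicationSuccess)"
                })
            }
        }
        # 2. Recorded failures: the same data Get-ADReplicationFailure <server> prints in step 3.
        foreach ($f in Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue) {
            $findings.Add([pscustomobject]@{
                Server = $dc; Check = 'ReplicationFailure'
                Detail = "partner $($f.Partner): $($f.FailureType), count $($f.FailureCount), first $($f.FirstFailureTime)"
            })
        }
    }

    # 3. Up-to-dateness vector: for each partner, compare the highest USN every server
    #    has applied from it. A large spread means some DC is far behind for that partner.
    $utd = Get-ADReplicationUpToDatenessVectorTable -Target $dcs -ErrorAction SilentlyContinue
    foreach ($group in ($utd | Group-Object Partner)) {
        $stats  = $group.Group | Select-Object -ExpandProperty UsnFilter | Measure-Object -Maximum -Minimum
        $spread = $stats.Maximum - $stats.Minimum
        if ($spread -gt $UsnSpreadThreshold) {
            $findings.Add([pscustomobject]@{
                Server = '(all)'; Check = 'UsnSpread'
                Detail = "partner $($group.Name): USN spread $spread exceeds $UsnSpreadThreshold"
            })
        }
    }
    return $findings
}

$report = Get-ReplicationHealthReport
if ($report.Count -eq 0) { 'No replication problems detected.' }
else { $report | Format-Table -AutoSize -Wrap }
```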

Exercise 5: Group Managed Accounts

In this exercise, you will learn how to create Group Managed Accounts. When a client computer connects to a service which is hosted on a server farm using network load balancing (NLB) or some other method where all the servers appear to be the same service to the client, then authentication protocols supporting mutual authentication, such as Kerberos, cannot be used unless all the instances of the service use the same principal. This means that each service instance has to use the same passwords/keys to prove its identity. With Windows Server 2012, services or service administrators do not need to manage password synchronization between service instances when using group Managed Service Accounts (gMSA). You provision the gMSA in Active Directory, and then configure the service which supports Managed Service Accounts.

Check domain prerequisites and configure for group Managed Service Accounts
In this task, you will ensure that the forest functional level is Windows Server 2012, which is the key requirement to create a group Managed Service Account, and then create the KDS Root key.
1. Open Server Manager.
2. On the Tools menu, click Active Directory Administrative Center.
3. Navigate to contoso (local).
4. On the Tasks menu, under contoso (local), click Properties.
NOTE: The Forest Functional level is Windows Server 2012. The Active Directory schema in the gMSA domain's forest needs to be at the Windows Server 2012 version in order to create a gMSA.
5. Click Cancel.
6. Switch to Server Manager.
7. On the Tools menu, click Active Directory Module for Windows PowerShell.
8. Type the following commands, pressing ENTER after each line.

    Add-KdsRootKey -EffectiveImmediately
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

NOTE: The second command is to bypass a built-in wait time of 10 hours. This is only supported in a lab. In a production environment, the first command would be run and then the administrator would need to wait for 10 hours before proceeding to ensure that replication has completed.

Create and configure a group Managed Service Account
In this task, you will create a new group Managed Service Account, and then grant the Domain Controllers group the ability to use it.
Perform this task with the Active Directory Module for Windows PowerShell open.
1. In Active Directory Module for Windows PowerShell, type the following command, and then press ENTER.
New-ADServiceAccount -Name gmsa_sql -DNSHostName gmsa_sql.contoso.com -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers"
2. Switch to Active Directory Administrative Center.
3. Navigate to contoso (local)/Managed Service Accounts.
NOTE: The newly created group Managed Service Account is displayed.

Install and configure a group Managed Service Account
In this task, you will install the group Managed Service Account you created on the domain controller, and then test that it works. While this step is not always needed, it is good practice to ensure that the account works on the host you want to use it from.
Perform this task with the Active Directory Module for Windows PowerShell open.
1. In Active Directory Module for Windows PowerShell, type the following commands, pressing ENTER after each one.
Install-ADServiceAccount gmsa_sql
Test-ADServiceAccount gmsa_sql
NOTE: The value True indicates that the gmsa_sql account is active and its password can be retrieved from the host machine.
NOTE: To use the account as a Service Account, modify the logon credentials of the service to use the account name, such as Contoso\gMSA_SQL, and a blank password.
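The prerequisite check, KDS root key creation, account creation and host test from this exercise can be combined into one guarded script that refuses to create the gMSA until the key is effective and validated. This is an added example, not part of the lab guide; it reuses the lab's names (contoso.com, gmsa_sql, Domain Controllers), and the 30-day rotation interval and AES-only encryption types are assumptions added for illustration.

```powershell
# Added example (not from the lab guide): guarded gMSA provisioning.
# Assumes the ActiveDirectory module and the lab values from the guide.
Import-Module ActiveDirectory

# Prerequisite 1: forest functional level must be Windows Server 2012 or later
$forest = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2012Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest mode $($forest.ForestMode) is below Windows Server 2012; a gMSA cannot be created."
}

# Prerequisite 2: a KDS root key must exist, already be effective, and validate on this DC
$key = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) } |
       Sort-Object EffectiveTime -Descending | Select-Object -First 1
if (-not $key) {
    # Production path from the guide: create the key, then let the 10-hour window pass
    # so every DC has replicated it before any gMSA depends on it.
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    throw "KDS root key created; wait for the 10-hour window and replication, then re-run."
}
if (-not (Test-KdsRootKey -KeyId $key.KeyId)) {
    throw "KDS root key $($key.KeyId) failed validation on this DC."
}

# Create the account, restricting password retrieval to the hosts that need it
$gmsaName = 'gmsa_sql'
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.contoso.com" `
        -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers' `
        -ManagedPasswordIntervalInDays 30 `
        -KerberosEncryptionType AES128, AES256   # assumed hardening, not in the guide
}

# Verify: which principals may retrieve the password, and can this host retrieve it?
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount -Identity $gmsaName   # True when the host can retrieve the password
```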

Exercise 6: Preparing to Clone a Domain Controller
Windows Server 2012 introduced support for cloning a domain controller. There is now a VM-Generation-ID unique identifier which is included as an additional attribute of a domain controller's computer object in Active Directory. When a Windows Server 2012 domain controller starts, it looks for a mismatch between the identifier on the virtual machine and the identifier on the domain controller's object in Active Directory. If a mismatch is identified, the latest RID pool and USN are then pushed to the domain controller.
In this exercise, you will prepare a domain controller for cloning; however, you will not be able to complete the cloning process.

Authorize the source domain controller
In this task, you will add Server1 to a new Active Directory group named Cloneable Domain Controllers. This is the same group that the cloned domain controllers will be added to after cloning.
1. Open Server Manager.
2. On the Tools menu, click Active Directory Administrative Center.
3. Navigate to contoso (local)/Users.
4. In the Users pane, select Cloneable Domain Controllers.
5. In Tasks, under Cloneable Domain Controllers, click Properties.
6. In Cloneable Domain Controllers, click Members.
7. In Members, click Add.
8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types, select Computers, and then click OK.
9. In Enter the object names to select, type Server1, and then click Check Names.
10. Click OK.
11. Click OK.
NOTE: After cloning the Server1 domain controller, it would be best practice to remove it from the Cloneable Domain Controllers group.

Check for compatible services to clone
In this task, you will ensure that all the services on Server1 are compatible with cloning, and generate an XML file with any exclusions.
Perform this task logged on to Server1 as Contoso\Administrator with the password Passw0rd!

IMPORTANT: Make sure you switch to the Server1 virtual machine.
1. Open Server Manager.
2. On the Tools menu, click Active Directory Module for Windows PowerShell.
3. Type the following command, and then press ENTER.
Get-ADDCCloningExcludedApplicationList
NOTE: The services displayed are currently excluded from the cloning process.
4. Type the following command, and then press ENTER.
Get-ADDCCloningExcludedApplicationList -GenerateXml
NOTE: If you see a dialog box with a message that the content is blocked, click Close to close the dialog box.
NOTE: The CustomDCCloneAllowList.xml file holds the additional services that will be included in the cloning process. If you need to exclude any services, edit the XML to remove their entries.

Configure settings for the cloned domain controller
In this task, you will create an XML file which will be used by the cloned domain controller when it first boots.
Perform this task logged on to Server1 as Contoso\Administrator with the password Passw0rd! with the Active Directory Module for Windows PowerShell open.
1. Type the following command, and then press ENTER.
New-ADDCCloneConfigFile -IPv4Address 192.168.10.20 -IPv4DefaultGateway 192.168.10.1 -IPv4SubnetMask 255.255.255.0 -IPv4DNSResolver 192.168.10.1 -Static -SiteName Sydney -CloneComputerName DC2
NOTE: The settings that will be read by the new cloned domain controller on first start are now displayed.
NOTE: In the lab environment, this is as far as the steps can be completed. The next steps to complete the cloning process would be to shut down and export the virtual machine, import and rename the new cloned virtual machine, and then power it on. On startup, the cloned DC will read and apply the contents of the DCCloneConfig.xml file.
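The authorization, exclusion review and config-file steps of this exercise can be run as one pre-clone script that stops when a check fails. This is an added example, not part of the lab guide; it uses the lab's names and addresses, adds a PDC emulator check that the guide does not cover, and treats any entry on the excluded-application list as a reason to stop (a policy chosen for illustration).

```powershell
# Added example (not from the lab guide): pre-clone checks for Server1 followed by
# the DCCloneConfig.xml generation shown in the guide. Run on the source DC.
Import-Module ActiveDirectory

$source = 'Server1'

# Check 1: the source DC must be a member of Cloneable Domain Controllers
$members = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' |
           Select-Object -ExpandProperty Name
if ($members -notcontains $source) {
    throw "$source is not a member of Cloneable Domain Controllers; add it before cloning."
}

# Check 2 (not in the guide): the PDC emulator coordinates cloning and must itself run
# Windows Server 2012 or later; report what it runs so the operator can confirm.
$pdc   = (Get-ADDomain).PDCEmulator
$pdcOs = (Get-ADComputer -Filter "DNSHostName -eq '$pdc'" -Properties OperatingSystem).OperatingSystem
Write-Output "PDC emulator: $pdc ($pdcOs)"

# Check 3: excluded applications. Anything listed is not known to be clone-safe;
# the assumed policy here is to write the allow list and stop for human review.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table Name, Type -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force | Out-Null
    throw "Review CustomDCCloneAllowList.xml (remove anything that must not be cloned), then re-run."
}

# All checks passed: write the clone's identity and static addressing for first boot
New-ADDCCloneConfigFile -CloneComputerName 'DC2' -SiteName 'Sydney' `
    -IPv4Address '192.168.10.20' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '192.168.10.1' -IPv4DNSResolver '192.168.10.1' -Static
```

Remember, as the guide notes, to remove Server1 from Cloneable Domain Controllers once the clone has been created, so the membership does not outlive its purpose.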