MCT USE ONLY. STUDENT USE PROHIBITED

Module 1: Deploying and Managing Windows Server 2012
Lab: Deploying and Managing Windows Server 2012 R2

Exercise 1: Deploying Windows Server 2012 R2

Task 1: Install the Windows Server® 2012 server
1. Open the Hyper-V® Manager console.
2. Click 20410C-LON-SVR3.
3. In the Actions pane, click Settings.
4. Under Hardware, click DVD Drive.
5. Click Image file, and then click Browse.
6. Browse to D:\Program Files\Microsoft Learning\20410\Drives, and then click Windows2012R2RTM.iso.
7. Click Open, and then click OK.
8. In the Hyper-V Manager console, double-click 20410C-LON-SVR3.
9. In the Virtual Machine Connection Window, in the Action menu, click Start.
10. In the Windows Setup Wizard, on the Windows Server 2012 R2 page, verify the following settings, and then click Next.
    o Language to install: English (United States)
    o Time and currency format: English (United States)
    o Keyboard or input method: US
11. On the Windows Server 2012 R2 page, click Install now.
12. On the Select the operating system you want to install page, select Windows Server 2012 R2 Datacenter Evaluation (Server with a GUI), and then click Next.
13. On the License terms page, review the operating system license terms, select the I accept the license terms check box, and then click Next.
14. On the Which type of installation do you want? page, click Custom: Install Windows only (advanced).
15. On the Where do you want to install Windows? page, verify that Drive 0 Unallocated Space has enough space for the Windows Server 2012 R2 operating system, and then click Next.
    Note: Depending on the speed of the equipment, the installation takes approximately 20 minutes. The virtual machine will restart several times during this process.
16. On the Settings page, in both the Password and Reenter password boxes, enter the password Pa$$w0rd, and then click Finish.

Task 2: Change the server name
1. Sign in to LON-SVR3 as Administrator with the password Pa$$w0rd.
2. In Server Manager, click Local Server.
3. Click the randomly-generated name next to Computer name.
4. In the System Properties dialog box, on the Computer Name tab, click Change.
5. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter the name LON-SVR3, and then click OK.
6. In the Computer Name/Domain Changes dialog box, click OK.
7. Close the System Properties dialog box.
8. In the Microsoft Windows dialog box, click Restart Now.

Task 3: Change the date and time
1. Sign in to server LON-SVR3 as Administrator with the password Pa$$w0rd.
2. On the taskbar, click the time display. A pop-up window with a calendar and a clock appears.
3. In the pop-up window, click Change date and time settings.
4. In the Date and Time dialog box, click Change Time Zone.
5. In the Time Zone Settings dialog box, set the time zone to your current time zone, and then click OK.
6. In the Date and Time dialog box, click Change Date and Time.
7. Verify that the date and time that display in the Date and Time Settings dialog box match those in your classroom, and then click OK.
8. To close the Date and Time dialog box, click OK.

Task 4: Configure the network
1. On LON-SVR3, in the Server Manager console, click Local Server.
2. In the Server Manager console, next to Ethernet, click IPv4 Address Assigned by DHCP, IPv6 Enabled.
3. In the Network Connections dialog box, right-click Ethernet, and then click Properties.
4. In the Ethernet Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
5. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address, enter the following IP address information, and then click OK:
    o IP address: 172.16.0.101
    o Subnet Mask: 255.255.0.0
    o Default Gateway: 172.16.0.1
    o Preferred DNS server: 172.16.0.10
6. Click Close to close the Ethernet Properties dialog box.
7. Close the Network Connections dialog box.

Task 5: Add the server to the domain
1. On LON-SVR3, in the Server Manager console, click Local Server.
2. Next to Workgroup, click WORKGROUP.
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, in the Member Of area, click the Domain option.
5. In the Domain box, type adatum.com, and then click OK.
6. In the Windows Security dialog box, enter the following details, and then click OK:
    o Username: Administrator
    o Password: Pa$$w0rd
7. In the Computer Name/Domain Changes dialog box, click OK.
8. When informed that you must restart the computer to apply changes, click OK.
9. In the System Properties dialog box, click Close.
10. In the Microsoft Windows dialog box, click Restart Now.
11. After LON-SVR3 restarts, sign in as Adatum\Administrator with the password Pa$$w0rd.

20410C: Installing and Configuring Windows Server® 2012

Results: After completing this exercise, you should have deployed Windows Server 2012 R2 on LON-SVR3. You also should have configured LON-SVR3, including name change, date and time, networking.

Exercise 2: Configuring Windows Server 2012 R2 Server Core

Task 1: Set computer name
1. Sign in to LON-CORE as Administrator with the password Pa$$w0rd.
2. At the command prompt, type sconfig.cmd and press Enter.
3. To select Computer Name, type 2, and then press Enter.
4. Enter the computer name LON-CORE, and then press Enter.
5. In the Restart dialog box, click Yes.
6. Sign in to server LON-CORE using the Administrator account with the password Pa$$w0rd.
7. At the command prompt, type hostname, and then press Enter to verify the computer’s name.

Task 2: Change the computer’s date and time
1. Ensure you are signed in to server LON-CORE as Administrator with the password Pa$$w0rd.
2. At the command prompt, type sconfig.cmd, and then press Enter.
3. To select Date and Time, type 9, and then press Enter.
4. In the Date and Time dialog box, click Change time zone. Set the time zone to the same time zone that your classroom uses, and then click OK.
5. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time match those in your location. To dismiss the dialog boxes, click OK two times.
6. In the Command Prompt window, type 15, and then press Enter to exit Server Configuration.

Task 3: Configure the network
1. Ensure that you are signed in to server LON-CORE using the account Administrator and password Pa$$w0rd.
2. At the command prompt, type sconfig.cmd, and then press Enter.
3. To configure Network Settings, type 8, and then press Enter.
4. Type the index number of the network adapter that you want to configure, and then press Enter.
5. On the Network Adapter Settings page, type 1, and then press Enter. This sets the Network Adapter Address.
6. To select static IP address configuration, type S, and then press Enter.
7. At the Enter static IP address: prompt, type 172.16.0.111, and then press Enter.
8. At the Enter subnet mask prompt, type 255.255.0.0, and then press Enter.
9. At the Enter default gateway prompt, type 172.16.0.1, and then press Enter.
10. On the Network Adapter Settings page, type 2, and then press Enter. This configures the DNS server address.
11. At the Enter new preferred DNS server prompt, type 172.16.0.10, and then press Enter.
12. In the Network Settings dialog box, click OK.
13. Press Enter to not configure an alternate DNS server address.
14. Type 4, and then press Enter to return to the main menu.
15. Type 15, and then press Enter to exit sconfig.cmd.
16. At the command prompt, type ping lon-dc1.adatum.com to verify connectivity to the domain controller from LON-CORE.

Task 4: Add the server to the domain
1. Ensure that you are signed in to server LON-CORE using the account Administrator with password Pa$$w0rd.
2. At the command prompt, type sconfig.cmd, and then press Enter.
3. To switch to configure Domain/Workgroup, type 1, and then press Enter.
4. To join a domain, type D, and then press Enter.
5. At the Name of domain to join prompt, type adatum.com and press Enter.
6. At the Specify an authorized domain\user prompt, type Adatum\Administrator, and then press Enter.
7. At the Type the password associated with the domain user prompt, type Pa$$w0rd and then press Enter.
8. At the Change Computer Name prompt, click No.
9. In the Restart dialog box, click Yes.
10. Sign in to server LON-CORE with the Adatum\Administrator account and the password Pa$$w0rd.

Results: After completing this exercise, you should have configured a Windows Server 2012 R2 Server Core deployment and verified the server’s name.

6. select the Restart the destination server automatically if required check box. Use the arrow to add LON-CORE and LON-SVR3 to the server group. On the Select features page. click Next.Adatum. click Dashboard. click Next. 8. click LAB-1. and then click Install. Sign in to LON-DC1 with the Administrator account and the password Pa$$w0rd. On the Select destination server page. on the Before you begin page. In Server Manager. 7. On the Web Server Role (IIS) page. 6. verify that LON-CORE. Click OK to close the Create Server Group dialog box. and then click Add Roles and Features. right-click LON-CORE. On the Select installation type page. In Server Manager on LON-DC1. add the Windows Authentication role service. click LAB-1. Click Next. select Web Server (IIS). 17. 10. 7. select both LON-CORE and LON-SVR3. Click Close to close the Add Roles and Features Wizard. In the Server Manager console. and then click Next.MCT USE ONLY. and then click Next. click Role-based or feature-based installation. and then click Add Roles and Features.com is selected. 
click Role-based or feature-based installation. select Windows Server Backup. and under the Performance section. and then click Next. 3. and then click Find Now. and then click Next. 18.com is selected. In the Server group name box. Right-click LON-CORE. On the Select destination server page. select the Restart the destination server automatically if required check box. On the Confirm installation selections page. 13. and then click Create a server group. click Windows Server Backup. 5. Scroll to the top of the pane. right-click LON-SVR3. Press and hold the Ctrl key. . 14. click Next. 9. In the Add Roles and Features Wizard. On the Features page. On the Select Role Services page. 2. 2. 3. click the Active Directory tab. verify that LON-SVR3. and then click Next. In the Create Server Group dialog box. 15. 4. and then click Start Performance Counters. On the Select installation type page. In the Server Manager console. On the Select server roles page. X Task 2: Deploy features and roles to both servers 1. 16. Scroll down. and then click Next. and then select both LON-CORE and LON-SVR3. On the Confirm installation selections page. In the Add Roles and Features Wizard. and then click Next. 5. click Next. type LAB-1. 12. 11. and then click Install.Adatum. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L1-5 Exercise 3: Managing Servers X Task 1: Create a server group 1. 8. 4. On the Server Roles page. In the Command Prompt window. in the Restart Computer After box. and then click Services. type 2. 9. and then click Computer Management. click Close. and then verify that LON-CORE is listed. Right-click LON-CORE. o Reset fail count after: 1 days o Restart service after: 1 minute 10.19. 7. In the Server Manager console.exe advfirewall firewall set rule group="remote desktop" new enable=yes 3. Once the install commences. 6. Sign in to LON-DC1 with the Adatum\Administrator account and the password Pa$$w0rd. 
Click OK to close the World Wide Web Publishing Services Properties dialog box. In the Computer Management console. 12. 2. click the IIS node. In Server Manager. Right-click the World Wide Web Publishing service. and then click Windows PowerShell. Exercise 4: Using Windows PowerShell to Manage Servers X Task 1: Use Windows PowerShell to connect remotely to servers and view information 1. Sign in to LON-DC1 with the Adatum\Administrator account and the password Pa$$w0rd. X Task 3: Review services and change a service setting 1. configure the following settings. 20. type the following command. expand Services and Applications. and then click OK. 4. verify that the service is configured to use the Local System account. and then click the Restart Computer Options button: o First failure: Restart the Service o Second failure: Restart the Service o Subsequent failures: Restart the Computer. click LAB-1. On the Recovery tab. MCT USE ONLY. In the Restart Computer Options dialog box. on the Log On tab. Results: After completing this exercise. Sign in to LON-CORE with the Adatum\Administrator account and the password Pa$$w0rd. click LAB-1. Right-click LON-CORE. 5. and configured the properties of a service. . you should have created a server group. 3. STUDENT USE PROHIBITED L1-6 Deploying and Managing Windows Server 2012 8. Close the Computer Management console. 2. deployed roles and features. In the World Wide Web Publishing Service dialog box. In Server Manager. and then press Enter: netsh. 11. Verify that the Startup type is set to Automatic. refresh the view. and then click Properties. in the Untitled1. on the taskbar. To review the most recent 10 items in the security log. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L1-7 5.ps1 script pane. and then press Enter: Import-Module ServerManager MCT USE ONLY. from the Tools drop-down menu. X Task 2: Use Windows PowerShell to remotely install new features 1. 
To review the roles and features installed on LON-CORE. To deploy the XPS Viewer feature on LON-SVR3. type the following command and then press Enter: Get-WindowsFeature -ComputerName LON-SVR3 5. type the following command. type the following. at the command prompt. Close Windows PowerShell. To review the IP addresses assigned to the server. Click the Save icon. In the Windows PowerShell ISE window. type the following. and then press Enter: Get-process 8. To verify that the XPS Viewer feature has now been deployed on LON-SVR3. type the following. type the following command. To view a list of processes on LON-CORE. To verify that the XPS Viewer feature has not been installed on LON-SVR3.status -eq "Running"} 7. at the command prompt. click the Windows PowerShell icon. click Windows PowerShell ISE. 2. and then press Enter: Install-WindowsFeature XPS-Viewer -ComputerName LON-SVR3 4. In the Server Manager console. at the command prompt. pressing Enter after each line: Import-Module ServerManager Install-WindowsFeature WINS -ComputerName LON-SVR3 Install-WindowsFeature WINS -ComputerName LON-CORE 7. and then press Enter: Get-WindowsFeature 6. type the following. On LON-DC1. At the command prompt. and then press Enter: Get-NetIPAddress | Format-table 9. 6. type the following. and then press Enter: Get-EventLog Security -Newest 10 10. To review the running services on LON-CORE. type the following. at the command prompt. and then press Enter: Get-WindowsFeature -ComputerName LON-SVR3 3. type the following. at the command prompt.4. . and then press Enter: Get-service | where-object {$_. switch to the Hyper-V Manager console. revert the virtual machines back to their initial state. right click 20410C-LON-DC1. MCT USE ONLY. Create a new folder named Scripts.ps1. In the Virtual Machines list. 3. To do this. To run the script. complete the following steps: 1. In the Revert Virtual Machine dialog box. Repeat steps 2 and 3 for 20410C-LON-CORE and 20410C-LON-SVR3. 
STUDENT USE PROHIBITED L1-8 Deploying and Managing Windows Server 2012 . Select the root of Local Disk (C:). 10. press the F5 key. and then click Revert. click Revert. 9. you should have used Windows PowerShell to perform a remote installation of features on multiple servers. 4.8. and then save the script in that folder as InstallWins. 2. X Prepare for the next module After you complete the lab. Results: After completing this exercise. On the host computer. on the command bar. 11. In the Select a domain from the forest dialog box. 6. click Close to close the Add Roles and Features Wizard.com is highlighted. in the Name (CN) box. The Active Directory Domain Services Configuration Wizard will open. Click OK to close the Add Servers dialog box. In the Add Servers dialog box. On LON-DC1. select the Active Directory Domain Services check box. type LON-SVR1. click All Servers. Installation will take several minutes. and then click Next. in the Password box type Pa$$w0rd and then click OK. On LON-DC1. 6. 7. right-click LON-SVR1. click Add Features. on the Deployment Configuration page. In the Active Directory Domain Services Configuration Wizard. STUDENT USE PROHIBITED L2-9 Module 2: Introduction to Active Directory Domain Services Lab: Installing Domain Controllers Exercise 1: Installing a Domain Controller X Task 1: Add an Active Directory Domain Services (AD DS) role to a member server 1. Right-click All Servers. click LON-SVR1. and then click Add Servers.Adatum. beside the Domain line. 14. and then click Find Now. 3. X Task 2: Configure a server as a domain controller 1. click Next. 2. click the Notifications icon—it looks like a flag. On the Active Directory Domain Services page. 5. Under Post-deployment Configuration. click Next. click adatum. 12. and then select Add Roles and Features. and then click the arrow to add the server to the Selected column. click Change. 2. Under Server Pool. In the Add Roles and Features Wizard. click Select. 
On the Select installation type page. click Promote this server to a domain controller. In the Windows Security dialog box. On the Confirm installation selections page. 4.MCT USE ONLY. in the Servers pane. When the installation completes. in the left column. 15. and then click Next. On the Select server roles page. 5. ensure that Role-based or feature-based installation is selected. verify that LON-SVR1. . 8. 13. and then click Install. and then. select the Restart the destination server automatically if required check box. in the Username box type Administrator. 9.com. 10. Under Name. Beside the Supply the credentials to perform this operation line. On the Select destination server page. 3. and then click OK. 4. In Server Manager. in Server Manager. On the Select features page. ensure that Add a domain controller to an existing domain is selected. in Server Manager. and then click Next. ensure that Select a server from the server pool is selected. click Next. expand Default-First-Site-Name. 12. Click Next. ensure that Domain Name System (DNS) server is selected. In the left column. but for the purpose of this lab. in the Password box. click View Script. 6. 18. On the Review Options page. In the Type the Directory Services Restore Mode (DSRM) password section. 14. When Active Directory Sites and Services opens. click Next. and then click Properties. On the Additional Options page. On the Deployment Configuration page. Note: You would usually also want to enable the global catalog. accept the default folders. Wait for LON-SVR1 to restart. X Task 3: Configure a server as a global catalog server 1. and then click Next. select Global Catalog (GC). in the Username box.7. right-click NTDS Settings. In the NTDS Settings Properties dialog box. On the Prerequisites Check page. On the DNS Options page. 17. and then click OK. and then click Active Directory Sites and Services. Close Active Directory Sites and Services. type Adatum\Administrator. 16. 5. and then click Next. 
and then click OK. expand Sites. On the Domain Controller Options page. and then click Install. read any warning messages. click Next. type Pa$$w0rd. When the task completes successfully. this is done in the next lab task. 2. Close the Notepad window. 4. 3. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd. type Pa$$w0rd in both text boxes. and then deselect Global Catalog (GC). 13. click Close. In Server Manager. Results: After completing this exercise. 9. In the Windows Security dialog box. 10. On the Review Options page. and then expand LON-SVR1. MCT USE ONLY. 11. expand Servers. 19. you will have explored Server Manager and promoted a member server to be a domain controller. STUDENT USE PROHIBITED L2-10 Introduction to Active Directory Domain Services . On the Paths page. click Tools. click Next. 8. 15. examine the Windows PowerShell script that the wizard generates. and. 15.Exercise 2: Installing a Domain Controller by Using IFM X Task 1: Use the Ntdsutil tool to generate IFM MCT USE ONLY. In the lower-left corner of the screen. if required. type CMD. click Active Directory Domain Services. 13. 8. type the following. click Next. click Manage. On the Select server roles page.Adatum. 6. On the Active Directory Domain Services page. Switch to Server Manager. verify that LON-SVR2. Wait for the IFM command to complete and then close the command prompt. 16. sign in as Adatum\Administrator with the password Pa$$w0rd. At a command prompt.com is highlighted. type CMD. On the Confirm installation selections page. . click Local Server. 12. In the Add Roles and Features Wizard. On the Start screen. click Close. and then click Next. and then click Next. 2. 14. in the lower-left corner of the screen. On the Select installation type page. click Add Features. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L2-11 1. and then click Add Roles and Features. After the installation completes. 
and then press Enter: Net use k: \\LON-DC1\c$\IFM 5. From the list on the left. right click Command Prompt and then click Run as administrator. On the Before you begin page. Click Yes at the message box. In the toolbar. click Next. and then press Enter. 3. click OK. ensure that Role-based or feature-based installation is selected. 2. On the Start screen. On the Select destination server page. 11. Switch to LON-SVR2. click the Start button. 10. On LON-DC1. On the Select Features page. 17. 4. and then click Next. 9. 3. click the Start button. click Restart the destination server automatically if required. click Next. 7. Click Install. Type the following command. pressing Enter after each line: Ntdsutil Activate instance ntds Ifm Create sysvol full c:\ifm 4. Note: If you see a message stating that a delegation for the DNS server cannot be created. X Task 2: Add the AD DS role to the member server 1. 3. On the Review Options page. Wait for the server to restart. and 20410C-LON-SVR2. type C:\ifm. on the command bar. in the Install from media path box. 9. In the Virtual Machines list. and then observe the Active Directory Domain Services Configuration Wizard as it performs a check for prerequisites. 4. Repeat steps 2 and 3 for 20410C-LON-SVR1. ensure that Add a domain controller to an existing domain is selected. Close the Command Prompt window. and then click Revert. In Server Manager. read the information messages that display on the screen. click Next. and then click verify. 8. and then press Enter: Robocopy k: c:\ifm /copyall /s 2. click the Notifications icon. On the DNS Options page. At the command prompt. start Hyper-V® Manager. Click Install. While this task is running. On the Additional Options page. click Next. ensure that both Domain Name System (DNS) server and Global Catalog (GC) are selected. Results: After completing this exercise. On LON-SVR2. For the DSRM password. When the path has been verified. select Install from media. 3. 
STUDENT USE PROHIBITED L2-12 Introduction to Active Directory Domain Services . On the host computer. On the Paths page. 13. On the Deployment Configuration page. you will have installed an additional domain controller for the branch office by using IFM. In the Revert Virtual Machine dialog box. 5.X Task 3: Use IFM to configure a member server as a new domain controller 1. 12. type the following command. and confirm that adatum. right-click 20410C-LON-DC1. revert the virtual machines back to their initial state. and then click Next. 7. 11. complete the following steps: 1. MCT USE ONLY. The Active Directory Domain Services Configuration Wizard will open. To do this. 6. click Next. 10. and wait while AD DS is configured. 4. 20410C-LON-RTR. Under Post-deployment Configuration. click Promote this server to a domain controller. click Revert. click Next. X Prepare for the next module When you have completed the lab. Click Next. 2. type Pa$$w0rd in both boxes.com is the target domain. On the Domain Controller Options page. MCT USE ONLY. in Group name.com. Click Power. click Adatum. and then click Organizational Unit. Switch to LON-DC1. right-click Branch Office 1. click Delegate Control. point to New. 17. In the Move dialog box. and then click Active Directory Users and Computers. 2. 10. In the navigation pane. 13. Repeat steps 6 and 7 using Branch 1 Users as the new group name. right-click LON-CL1. 15. In the Move dialog box. 23. point to New. Right-click Adatum. type Branch Office 1. Repeat steps 6 and 7 using Branch 1 Administrators as the new group name. right-click Holly Dickson. and then click Group. 21.com. Point the mouse at the lower-right corner of the screen. and then click OK. In Active Directory Users and Computers. and then click Next. When the computer has restarted. type Branch 1 Help Desk. and then click OK. In the navigation pane. and then click Settings. and then click Restart. and then click Move. In Server Manager. In the navigation pane. 18. 
Switch to LON-CL1. switch to Active Directory Users and Computers. If necessary. 7. In the details pane. and then click Move. click Computers. sign in as Adatum\Administrator with the password Pa$$w0rd. 8. click Branch Office 1. Switch to LON-DC1. click Tools. 5. STUDENT USE PROHIBITED L3-13 Module 3: Managing Active Directory Domain Services Objects Lab: Managing Active Directory Domain Services Objects Exercise 1: Delegating Administration for a Branch Office X Task 1: Delegate administration for Branch Administrators 1. 11. 6. and then click OK. 3. click IT. 4. 20. 12. and then click OK. in Name. 19. Right-click Branch Office 1. In the New Object – Organizational Unit dialog box. 22. In the New Object – Group dialog box. 16. 9. click Branch Office 1. In the details pane. Repeat steps 10 through 12 for the following OU’s and users: o Development and the user Bart Duncan o Managers and the user Ed Meadows o Marketing and the user Connie Vrettos o Research and the user Barbara Zighetti o Sales and the user Arlene Huff 14. . or Groups dialog box. or Groups dialog box. right-click Branch Office 1. On the Users or Groups page. STUDENT USE PROHIBITED L3-14 Managing Active Directory Domain Services Objects . In the Select Users. On the Completing the Delegation of Control Wizard page. and then click Next. select Only the following objects in the folder. in Enter the object names to select (examples). MCT USE ONLY. Computers. in Enter the object names to select (examples). On the Users or Groups page. 25. select the following check boxes. delete. click Add. click Finish. On the Users or Groups page. On the Users or Groups page. On the Tasks to Delegate page. 31. and then click Next: o Create. click Next. and then click Next: o Computer objects o Create selected objects in this folder o Delete selected objects in this folder 35. In the Select Users. 33. in Enter the object names to select (examples). or Groups dialog box. and then click Next. and then click OK. 
in the navigation pane. 5. select both General and Full Control. 30. click Create a custom task to delegate. In the Select Users. 2. delete and manage groups o Modify the membership of a group o Manage Group Policy links 28. type Branch 1 Help Desk. and then click OK. in the Delegate the following common tasks list. On the Active Directory Object Type page. 3. 4. 27. and then click Next: 6. 34. click Next. On LON-DC1. and then click OK. 29. On the Tasks to Delegate page. type Branch 1 Administrators. On the Completing the Delegation of Control Wizard page. 36. On the Permissions page.24. click Delegate Control. On the Users or Groups page. X Task 2: Delegate a user administrator for the Branch Office Help Desk 1. and manage user accounts o Reset user passwords and force password change at next logon o Read all user information o Create. On the Users or Groups page. click Next. select the following check boxes. in the Delegate the following common tasks list. Computers. Computers. and then click Next. 26. o Reset user passwords and force password change at next logon o Read all user information o Modify the membership of a group On the Completing the Delegation of Control Wizard page. In the navigation pane. On the Tasks to Delegate page. click Finish. click Finish. click Add. and then click Next. select the following check boxes. type Branch 1 Administrators. click Delegate Control. 32. click Add. right-click Branch Office 1. 5. in Enter the object names to select (examples). right-click Holly Dickson. In the Select Groups dialog box. In the Active Directory Domain Services dialog box. You can sign in locally at a domain controller because Holly belongs indirectly to the Server Operators domain local group. click OK. 14. click Server Manager. In the navigation pane. In the Active Directory Domain Services dialog box. type Server Operators. in the details pane. 6. 6. 17. 2. right-click Aaren Ekelund. On LON-DC1. In the navigation pane. 3. 
type Branch 1 Administrators. click Ctrl+Alt+Delete. 15. in User name. Close Active Directory Users and Computers. and then click OK. 11. type Branch 1 Help Desk. and then click Add to a group. 12. 3. and then click Add to a group. 13. In the Active Directory Domain Services dialog box. type Pa$$w0rd. In Password. 5. and then click Yes. click Branch Office 1. On LON-DC1. . On your host computer. In Server Manager. in User name. On the taskbar. click the Server Manager icon. and then click OK.com. and then click Active Directory Users and Computers. In the User Account Control dialog box. Click Yes to confirm. right-click Branch 1 Administrators. Click Yes to confirm. 20. In the details pane. expand Adatum. In the Select Groups dialog box. in the navigation pane. click Sales. 19. On LON-DC1. and then click Delete. in Enter the object names to select (examples). 9. Close Server Manager. click OK. 8. click Tools. In the Select Groups dialog box. 18. and then click Delete. In the details pane. In the details pane. click Sign out. type Holly. 21. 16. In the User Account Control dialog box. X Task 4: Add a member to the Branch Help Desk group 1. on the Action menu. in the 20410C-LON-DC1 window. and then click Add to a group.X Task 3: Add a member to the Branch Administrators MCT USE ONLY. 4. In Active Directory Users and Computers. in Enter the object names to select (examples). click OK. Sign in to LON-DC1 as Adatum\Holly with the password Pa$$w0rd. right-click Ed Meadows. You are successful because you have the required permissions. Click OK to acknowledge that you do not have permissions to perform this task. 2. type Adatum\Administrator. 10. click Branch Office 1. In the details pane. right-click Bart Duncan. and then click OK. On the desktop. 7. 4. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L3-15 1. 25. in the 20410C-LON-DC1 window. Click Yes to confirm. 17. In Server Manager.com. On the desktop. type Pa$$w0rd. 
Sign in as Adatum\Bart with the password Pa$$w0rd. click Sign out.7. click Tools. right-click Connie Vrettos. In the Select Groups dialog box. 13. Results: After completing this exercise. Click OK to confirm the successful password reset. click Ctrl+Alt+Delete. On LON-DC1. In the Reset Password dialog box. In Active Directory Users and Computers. click Active Directory Users and Computers. In the navigation pane. in New password and Confirm password. 18. MCT USE ONLY. and then click OK. On your host computer.com. In the details pane. expand Adatum. 10. 29. 9. you must have permissions beyond those available to the Branch 1 Administrators group. 27. 11. In Active Directory Users and Computers. Note: To modify the Server Operators membership list. type Pa$$w0rd. and then click Reset Password. in User name. 22. and delegated administration of it to the appropriate group. 12. On LON-DC1. In the User Account Control dialog box. expand Adatum. click Branch Office 1. 8. 24. and then click Yes. 28. and then click Delete. click Sign out. 19. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd. click Server Manager. click Branch Office 1. In Server Manager. Click Active Directory Users and Computers. In the details pane. . and then click OK. and then click Add to a group. and then click Yes. 21. type Pa$$w0rd. STUDENT USE PROHIBITED L3-16 Managing Active Directory Domain Services Objects You can sign in locally at a domain controller because Bart belongs indirectly to the Server Operators domain local group. In the Active Directory Domain Services dialog box. In the Tools list. on the Action menu. Click OK. 16. 31. 30. In the navigation pane. you will have successfully created an OU. You are unsuccessful because Bart lacks the required permissions. click Tools. in the 20410C-LON-DC1 window. 20. type Server Operators. on the Action menu. type Bart. Right-click Connie Vrettos. 26. 23. On your host computer. 32. right-click Branch 1 Help Desk. 
in Enter the object names to select (examples). 15. click OK. 14. In Password. In Password. click Ctrl+Alt+Delete. In the New Object – User dialog box. and then click Add. and then click User. 15. and then click Properties. 2. In the Select Groups dialog box. on the Address tab. type _Branch_template. for the Full Control permission select the Allow check box. In Server Manager. X Task 2: Configure the template settings 1. 2. In the Permissions for branch1-userdata dialog box. 5. and then in the branch1-userdata Properties dialog box. click Close. 13. and then click Next. Right-click Branch Office1. in Full name. point to New. In Last name. and then click OK. Click Finish. In Password and Confirm password. 3. 4. Type branch1-userdata. 3. in Enter the object names to select (examples). click Connect. and then click Copy. and then click Active Directory Users and Computers. 5. right-click _Branch_template. click the File Explorer icon.MCT USE ONLY. on the Sharing tab. on the taskbar. On the menu. click Tools. 4. In User logon name. type _Branch_template. and in the To box. type Branch 1 Users. . Double-click Local Disk (C:). On LON-DC1.com. 8. In the Advanced Sharing dialog box. 10. In the branch1-userdata Properties dialog box. Right-click branch1-userdata. 7. and then expand Adatum. 3. On LON-DC1. and then click New folder. 6. Click the Member Of tab. 6. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L3-17 Exercise 2: Creating and Configuring User Accounts in AD DS X Task 1: Create a user template for the branch office 1. type Ed. Select the Account is disabled check box. 7. Click Apply. in City. and then click Next. type Pa$$w0rd. In the _Branch_template Properties dialog box. type Slough. and then click OK. 16. click Home. On LON-DC1. click OK. and then click Permissions. In the Copy Object – User dialog box. type Ed. from within the Branch Office 1 OU. Click the Profile tab. and then press Enter. Select Share this folder. 9. 
and then click Next. right-click _Branch_template. 14. click Advanced Sharing. and then click OK. based on the template 1. and then click Properties. type \\lon-dc1\branch1-userdata\%username%. 2. 12. In User logon name. in First name. 4. 11. Under Home folder. type Meadows. X Task 3: Create a new user for the branch office. on the Address tab. 11. If you receive no errors. On your host computer. 7. click Ctrl+Alt+Delete. 4. click the Server Manager icon. 10. 13. Click the Member Of tab. and then click Next. Sign in to LON-CL1 as Adatum\Ed with the password Pa$$w0rd. you have been successful. MCT USE ONLY. 3. 4. type Holly. 7. STUDENT USE PROHIBITED L3-18 Managing Active Directory Domain Services Objects .5. On LON-DC1. In the User Account Control dialog box. on the Action menu. in User name. On LON-CL1. X Task 4: Sign in as a user to test account settings 1. In Server Manager. Notice that the home folder location is already configured. click Ctrl+Alt+Delete. On your host computer. click Ctrl+Alt+Delete. click Tools. 6. Right-click Ed Meadows. 10. in the 20410C-LON-CL1 window. 5. On LON-DC1. click Switch User. and then click Yes. on the menu. 9. type File Explorer and then press Enter. click Sign out. Results: After completing this exercise. On your host computer. type Pa$$w0rd. In Password and Confirm password. in the 20410C-LON-DC1 window. In the Ed Meadows Properties dialog box. 8. notice that the City is already configured. Click OK. 9. Click the Profile tab. Switch to LON-CL1. sign in as Adatum\Holly with the password Pa$$w0rd. Clear the User must change password at next logon check box. Notice that Ed belongs to the Branch 1 Users group. type Pa$$w0rd. click Sign out. you will have successfully created and tested a user account created from a template. Double-click Ed (\\lon-dc1\branch1-userdata) (Z:). 3. On LON-CL1. 8. on the Action menu. 14. and then click Active Directory Users and Computers. 6. 5. in the 20410C-LON-CL1 window. 
Exercise 3: Managing Computer Objects in AD DS X Task 1: Reset a computer account 1. 12. and then click Properties. 2. Verify that drive Z is present. Clear the Account is disabled check box. Click Finish. On the Start screen. 2. On the taskbar. In Password. click Do not add a domain user account. 8. expand Adatum. complete the following steps: 1. You are successful because the computer had been successfully rejoined. you will have successfully reset a trust relationship. click Advanced system settings. In the User Account and Domain Information dialog box. Sign in as Adatum\Ed with the password Pa$$w0rd. . right-click LON-CL1. and domain name for your domain account page.6. 3. 2. On the You will need the following information page. 4. 3. click Control Panel. 9. 7. 13. 3. In Control Panel. MCT USE ONLY. 14. and then click OK. Leave the other boxes completed.com. in Password. click Branch Office 1. 5. In the navigation list. and then click Revert. and in the Apps list. and then click OK. In the Virtual Machines list. 2. 8. L3-19 X Task 2: Observe the behavior when a client logs on 1. 7. Click Finish. On the host computer. click Restart Now. In Active Directory Users and Computers. password. 12. On the Type your user name. click Next. On the Do you want to enable a domain user account on this computer? page. X Prepare for the next module When you have completed the lab. click the Computer Name tab. 2. start Hyper-V® Manager. In System Properties. In the navigation pane. click Large icons. To do this. and then click Next. click Yes. and then click Network ID. On LON-CL1 click the back arrow and switch to Adatum\Administrator with the password Pa$$w0rd. In the Revert Virtual Machine dialog box. In the Active Directory Domain Services dialog box. Click OK. and then click Next. Sign in as Adatum\Ed with the password Pa$$w0rd. Switch to LON-CL1. In the Microsoft Windows dialog box. click Next. On the Is your company network on a domain? page. click Next. 
right-click the display. Repeat steps 2 and 3 for 20410C-LON-DC1. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 A message appears stating that The trust relationship between this workstation and the primary domain failed. In the details pane. 9. revert the virtual machines back to their initial state. and then click Reset Account. 11. click Yes. in the View by list. right-click 20410C-LON-CL1. click All apps. type Pa$$w0rd. Results: After completing this exercise. X Task 3: Rejoin the domain to reconnect the computer account 1. On the Start screen. and then click System. On the Select the option that describes your network page. 4. 10. 6. click Revert. STUDENT USE PROHIBITED .MCT USE ONLY. MCT USE ONLY. Type the following command. When prompted for the current password. On LON-CL1. and then press Enter: Get-ADGroupMember LondonBranchUsers Results: After completing this exercise. To create a new global security group for users in the London branch office. and then press Enter. and then press Enter: New-ADUser -Name Ty -DisplayName "Ty Carlson" -GivenName Ty -Surname Carlson -Path "ou=LondonBranch. To confirm that Ty has been added as a member of LondonBranchUsers. and then press Enter: Set-ADAccountPassword Ty 5. type Pa$$w0rd. 8. When prompted for the desired password. . and then press Enter. type the following command.dc=adatum.dc=com" 4. on the taskbar. 6. type the following command. type the following command. At the Windows PowerShell prompt. type Enable-ADAccount Ty. click the Windows PowerShell icon.dc=com" -GroupScope Global -GroupCategory Security 2. on LON-DC1. press Enter. STUDENT USE PROHIBITED L4-21 Module 4: Automating Active Directory Domain Services Administration Lab: Automating AD DS Administration by Using Windows PowerShell Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell X Task 1: Create a user account by using Windows PowerShell 1. 2. 10. sign in as Ty with the password Pa$$w0rd. 9. 
and then press Enter: New-ADGroup LondonBranchUsers -Path "ou=LondonBranch. Type the following command. and then press Enter. 7. and then press Enter: Add-ADGroupMember LondonBranchUsers -Members Ty 3. X Task 2: Create a group by using Windows PowerShell 1. Verify that the sign-in is successful and then sign out of LON-CL1.dc=adatum. type the following command. To add Ty as a member of LondonBranchUsers. On LON-DC1. at the Windows PowerShell prompt. type Pa$$w0rd. At the Windows PowerShell prompt. and then press Enter: New-ADOrganizationalUnit LondonBranch 3. When prompted to repeat the password. you will have created user accounts and groups by using Windows PowerShell. STUDENT USE PROHIBITED L4-22 Automating Active Directory Domain Services Administration Results: After completing this exercise.ps1. click the Windows PowerShell icon. 10. At the Windows PowerShell prompt. On LON-DC1.ps1.ps1.dc=com" with "ou=LondonBranch. and then identify the requirements for the header in the . and then click Mod04. Close Notepad. type cd E:\Labfiles\Mod04. and then click Edit. MCT USE ONLY. 2. In Windows PowerShell ISE. 4. Close Windows PowerShell ISE. expand Labfiles. under Variables. X Task 2: Prepare the script 1. you will have used Windows PowerShell to create user accounts in bulk. X Task 3: Run the script 1. click Notepad.Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk X Task 1: Prepare the . In File Explorer. In Notepad.csv file 1. Scroll down and review the contents of the script. replace C:\path\file. on the taskbar. On LON-DC1.DefaultPassword 9. . 2. Right-click LabUsers. 4. and then click Save. in File Explorer.dc=com".dc=domain.LastName. 3. Click File.csv with E:\Labfiles\Mod04\LabUsers. Type the following command.\LabUsers. and then press Enter. 3. right-click LabUsers. On LON-DC1. Under Variables. on the taskbar.csv. replace "ou=orgunit. In Windows PowerShell Integrated Scripting Environment (ISE). and then click Save. 5. 
Close Windows PowerShell ISE. type the following line at the top of the file: FirstName. Close Windows PowerShell. and then press Enter. click the File Explorer icon. and then click Edit. 2. expand drive E:. In File Explorer.csv)? message.csv file. read the comments at the top of the script.csv. On LON-CL1. 6. Click File. Type . In the How do you want to open this type of file (. 8. 4. 3. 7. 6. double-click LabUsers. 5. sign in as Luka with the password Pa$$w0rd.dc=adatum. and then press Enter: Get-ADUser -Filter * -SearchBase "ou=LondonBranch. 6.dc=adatum.Department.dc=com" 5. right-click the user accounts. To modify the previous command to force all user to change their password the next time they sign in. 2. 4. at the Windows PowerShell prompt.dc=com" | Set-ADUser -ChangePasswordAtLogon $true 5. and then press Enter: Get-ADUser -Filter * -SearchBase "ou=LondonBranch. 2. at the Windows PowerShell Prompt. and then click OK. 4. On the host computer. To create a query for user accounts in the LondonBranch OU. Repeat steps 2 to 3 for 20410C-LON-DC1. click United Kingdom.dc=com" | Format-Wide DistinguishedName MCT USE ONLY. in Server Manager. In the Street box. X Prepare for the next module When you finish the lab. In the Revert Virtual Machine dialog box. type Branch Office. type London. click the Windows PowerShell icon. click Tools. 7. Click the Type column header to sort based on the object type. and then press Enter: Get-ADUser -Filter * -SearchBase "ou=LondonBranch. 3. On LON-DC1. Results: After completing this exercise. you will have modified user accounts in bulk. and then click Revert. Close Windows PowerShell. select the Address check box. 3. and then click Active Directory Administrative Center. expand Adatum (local) and double-click LondonBranch. on the taskbar. type the following command. On LON-DC1. Select all user accounts. type the following command. 6. In the Multiple Users pane. 
revert all virtual machines back to their initial state by performing the following steps: 1. X Task 2: Configure the address for user accounts in LondonBranch 1.dc=adatum. 5. start Hyper-V® Manager. In the Virtual Machines list. 2. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 3. In the City box. 4. and then click Properties. In the Country/Region box. click Revert. 8. under Organization.dc=adatum. . In Active Directory Administrative Center. in the navigation pane. right-click 20410C-LON-CL1. 9. Verify that only users from the LondonBranch organizational unit (OU) are listed. Close Active Directory Administrative Center.L4-23 Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk X Task 1: Force all user accounts in LondonBranch to change their passwords at next sign in 1. STUDENT USE PROHIBITED .MCT USE ONLY. This can accommodate up to 62 hosts on each subnet and uses the other half of the address pool. Only a single class C–sized address with 254 hosts has been allocated. X Task 2: Calculate subnet masks and network IDs 1. 3. then all subnets must use 7 bits to support 126 hosts.10000000 255. The server and future expansion subnets are 6-host bits. Three subnets of 126 hosts would not fit. If all subnets are the same size. How many bits are required to support 10 hosts on the server subnet? Answer: Four bits are required to support 10 hosts on the server subnet (24-2=14. This allocation can accommodate up to 126 hosts and uses half of the allocated address pool. 2. Therefore.11111111. Answer: The client subnet is 7 host bits.255. Which feature allows a single network to be divided into subnets of varying sizes? Answer: Variable length subnet masking allows you to define different subnet masks when subnetting.128 . 26-2=62). you can use 25 bits for the subnet mask. 6. 23-2=6). what is the subnet mask that you will use for the client subnet? Calculate the subnet mask in binary and decimal. 5. Binary Decimal 11111111. 
How many host bits will you use for each subnet? Use the simplest allocation possible. x The client subnet is using 7 bits for the host ID. which is one large subnet and two equal-sized smaller subnets.11111111. STUDENT USE PROHIBITED L5-25 Module 5: Implementing IPv4 Lab: Implementing IPv4 Exercise 1: Identifying Appropriate Subnets X Task 1: Calculate the bits required to support the hosts on each subnet 1. can they be accommodated? Answer: No. If all subnets are the same size.MCT USE ONLY. How many bits are required to support 40 hosts on the future expansion subnet? Answer: Six bits are required to support 40 hosts on the future expansion subnet (26-2=62. How many bits are required to support 100 hosts on the client subnet? Answer: Seven bits are required to support 100 hosts on the client subnet (27-2=126. Given the number of host bits allocated.255. 25-2=30). variable length subnet masking allows you to have subnets of varying sizes. 4. Therefore. 01111111 192.10101000. last available host.168.10101000.1 Last host 11000000.168. Therefore. In the following table. Given the number of host bits allocated.168.1100010.255.98. first available host. 5.168. Calculate the binary and decimal versions of each address.98.1100010. Description Binary Decimal Network ID 11000000.129 Last host 11000000.10101000.255. define the network ID. The server subnet is using 6 bits for the host ID. In the following table.127 For the server subnet.168.10101000.192 Given the number of host bits allocated. the bits in bold are part of the network ID.11111111.11000000 255.255.10000001 192. what is the subnet mask that you can use for the server subnet? Calculate the subnet mask in binary and decimal.98.10101000. Assume that the server subnet is the second subnet allocated from the available address pool. The future expansion subnet is using 6 bits for the host ID.10111110 192.11000000 255. Therefore. 
Assume that the client subnet is the first subnet allocated from the available address pool.00000000 192. and broadcast address.98. Calculate the binary and decimal versions of each address.168.98.10000000 192.1100010. last available host.1100010.10101000.10101000.10111111 192. what is the subnet mask that you can use for the future expansion subnet? Calculate the subnet mask in binary and decimal.168. the bits in bold are part of the network ID.168.98.255. first available host.192 For the client subnet. you can use 26 bits for the subnet mask.1100010. define the network ID.11111111.10101000.98.11111111.11111111. x 4.1100010. Binary Decimal 11111111. and broadcast address.00000001 192.0 First host 11000000.1100010. STUDENT USE PROHIBITED L5-26 Implementing IPv4 .126 Broadcast 11000000.01111110 192.191 MCT USE ONLY. Binary Decimal 11111111.128 First host 11000000. you can use 26 bits for the subnet mask. x 3.2. Description Binary Decimal Network ID 11000000.98.1100010.190 Broadcast 11000000. and that the following warning message appears: “Name resolution of lon-dc1 failed – Status: HostNotFound.168. type the following.255 Results: After completing this exercise. and then press Enter: Test-NetConnection LON-DC1 3. In the following table.6.10101000. at the Windows PowerShell prompt. Calculate the binary and decimal versions of each address. Verify that you receive a reply that contains PingSucceded:False from LON-DC1.98. Exercise 2: Troubleshooting IPv4 X Task 1: Prepare for troubleshooting 1.11111111 192. last available host. On LON-SVR2. L5-27 For the future allocation subnet.10101000. type the following cmdlet. define the network ID. Verify that you receive a reply that contains PingSucceded:True from LON-DC1.ps1. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 Notice that the host is unable to find the default gateway.10101000. At the Windows PowerShell prompt. type the following. Close File Explorer. 
Description Binary Decimal Network ID 11000000. click the Windows PowerShell icon. X Task 2: Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1 1.1100010. you should have identified the subnets required to meet the requirements of the lab scenario.168. and then click Run with PowerShell.” . Right-click Break2.193 Last host 11000000. and broadcast address. At the Windows PowerShell Prompt. 2.168.1100010.192 First host 11000000.98. Assume that the future allocation subnet is the third subnet allocated from the available address pool. on the taskbar.11000000 192. 4. 5.10101000.254 Broadcast 11000000. and then press Enter: Test-NetConnection LON-DC1 2.11111110 192.11000001 192. Open a File Explorer window. Note: This script creates the problem that you will troubleshoot and repair in the next task. and browse to \\LON-DC1\E$\Labfiles\Mod05.98.98. the bits in bold are part of the network ID. 6.1100010.168. and then press Enter: Test-NetConnection –TraceRoute LON-DC1 MCT USE ONLY. On LON-SVR2.1100010. first available host. 3. At the Windows PowerShell Prompt. click Revert.1.10. type the following. and then press Enter: Get-NetRoute Notice that the default route and the default gateway information is missing in the routing table. At the Windows PowerShell Prompt. and then click Revert. type the following.0.0.1.0. Notice that the default route and the default gateway information is present in the routing table by locating DestinationPrefix 0. right-click 20410C-LON-DC1. and then press Enter: New-NetRoute –InterfaceAlias “Ethernet” –DestinationPrefix 0. Notice that the default gateway is responding by verifying that you receive a reply that contains PingSucceded:True from 10. 10. At the Windows PowerShell Prompt. 1.10.1 6.10. type the following. start Hyper-V Manager. At the Windows PowerShell prompt. To do this.0. Results: After completing this lab.10. 
you should have resolved an IPv4 connectivity problem.0/0 and NextHop 10.1 Note: The New-NetRoute cmdlet will create the default route and the default gateway information that was missing. X Prepare for the next module After you finish the lab. At the Windows PowerShell Prompt.1.0/0 –NextHop 10. Note: You should not be able to locate DestinationPrefix 0. 3. On the host computer. 5.0. In the Virtual Machines list.0. Verify that you receive a reply that contains PingSucceded:True from LON-DC1. revert the virtual machines back to their initial state. MCT USE ONLY. 4. complete the following steps. Repeat steps 2 and 3 for 20410C-LON-RTR and 20410C-LON-SVR2. 8.0/0 and NextHop 10. and then press Enter: Get-NetRoute 9.0.0.0. STUDENT USE PROHIBITED L5-28 Implementing IPv4 .0. type the following.10. and then press Enter: Test-NetConnection LON-DC1 11.0. In the Revert Virtual Machine dialog box.4. type the following. 7. 2. and then press Enter: Test-NetConnection 10. type Branch Office. X Task 2: Configure the DHCP scope and options 1.190 x End IP address: 172. 5. and then click Refresh. click lon-svr1.200 x Length: 16 x Subnet mask: 255. click Next.MCT USE ONLY. expand and right-click IPv4. and then click Next. On the Select features page. expand and then right-click lon-svr1. 3. On the Installation progress page. 10. click Install. 7. STUDENT USE PROHIBITED L6-29 Module 6: Implementing Dynamic Host Configuration Protocol Lab: Implementing DHCP Exercise 1: Implementing DHCP X Task 1: Install the Dynamic Host Configuration Protocol (DHCP) server role 1.100 x End IP address: 172.0. and then click Authorize. 5. click Next. in the navigation pane.com” message appears. click Tools.com. On the Select server roles page. On the DHCP Server page. In the Add Roles and Features Wizard. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd. 6. On the Select installation type page. and then click DHCP. In the New Scope Wizard.16.0. 8. 
complete the page using the following information: x Start IP address: 172. 3.16. and then click New Scope. and then click Close. click Next. wait until the “Installation succeeded on lon-svr1. 2. 9.255.200 . and then click Next. click Next.adatum. select the DHCP Server check box. Notice that the icons next to IPv4 IPv6 changes color from red to green.com.16. and then click Next: 8. On the IP Address Range page. click Add Features. 11. In the Server Manager Dashboard. On the Select destination server page.0. On the Scope Name page. click Next.adatum. In the Add Roles and Features Wizard. In Server Manager. x Start IP address: 172. right-click lon-svr1. 4. On the Confirm installation selections page. 6. In the DHCP console.0. 7. In the DHCP console. complete the page using the following information. click Add roles and features.0.0 On the Add Exclusions and Delay page. in the Name box. In the DHCP console. 4.com. click Next.16. which means that the DHCP server has been authorized in Active Directory® Domain Services (AD DS). 2.adatum.adatum. and then press Enter: ipconfig /all 2. Write down the Physical Address of LON-CL1 network adapter. 15. in the IP address box. click Next. On the Router (Default Gateway) page. Right-click the Start button. Switch to LON-SVR1. right-click Ethernet. and then click Close. and then click Properties.0. and then test the configuration 1. . X Task 3: Configure the client to use DHCP.9. type 172. subnet mask. and then click DHCP. On the Start page. click Internet Protocol Version 4 (TCP/IPv4). click OK. 11. select the Obtain DNS server address automatically radio button. On the Activate Scope page. at a command prompt. click Change adapter settings. 4. 14. type the following. at the command prompt. select the Obtain an IP address automatically radio button. click Add. On the Configure DHCP Options page. and then click Next. 8. click Next. Click Add. 7. under Network and Internet. at a command prompt. 10. 
In the Network Connections window. On the WINS Servers page. In the Command Prompt window. and then press Enter: ipconfig /all Note: This command returns information such as IP address. 16. click Next. click Tools. type Control Panel. and DHCP enabled status. Sign in to 20410C-LON-CL1 as Adatum\Administrator with the password Pa$$w0rd. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box. 3. and then press Enter: ipconfig /renew 10. In the Ethernet Properties window. MCT USE ONLY.1. click Next. In Control Panel. On the Domain Name and DNS Servers page. click Next. and then press Enter. which should be Yes. type the following. type the following. 13. In the Server Manager dashboard. To test the configuration and verify that LON-CL1 has received an IP address from the DHCP scope. 6. 3. and then click Properties. In the Command Prompt window. click Finish. In the Network and Sharing Center window. STUDENT USE PROHIBITED L6-30 Implementing Dynamic Host Configuration Protocol 12. X Task 4: Configure a lease as a reservation 1. 5. and then click Next. click View Network Status and Tasks. and then click Command Prompt. 9. On the Lease Duration page. 2. On the Completing the New Scope Wizard page.16. 4. com.155. 4.0. In the New Reservation window: x In the Reservation Name field. select and then right-click Reservations. x In the IP address field. In the Command Prompt window. type the physical address you wrote down in step 2.0. 5. and then click Close. type the following. 3. type the following. and then press Enter: ipconfig /renew This causes LON-CL1 to lease any reserved IP addresses.0.adatum. 10.5. expand IPv4. right-click 20410C-LON-CL1. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L6-31 7. Repeat steps 1 through 3 for 20410C-LON-SVR1.16. Switch to LON-CL1. MCT USE ONLY. configured DHCP scope and options. In the DHCP console. 9. x Click Add. x In the MAC address field. Results: After completing this exercise. 
In the Revert Virtual Machine dialog box. and then click Revert. . On the host computer. Start 20410C-LON-SVR1. start Hyper-V Manager. you should have implemented DHCP. and then click New Reservation.16. 2. type 172. X Prepare for the optional exercise If you are going to complete the optional lab.16. at a command prompt. 6. At a command prompt. and then press Enter: ipconfig /release This causes LON-CL1 to release any currently leased IP addresses.155. In the Virtual Machines list. Verify that the IP address of LON-CL1 is now 172. type LON-CL1.0] Branch Office. expand Scope [172. revert the 20410C-LON-CL1 and 20410C-LON-SVR1 virtual machines by performing the following steps: 1. 8. click Revert. and configured a DHCP reservation. expand lon-svr1. you need to create another DHCP scope.0.0. 6. MCT USE ONLY. and then press Enter.10. 2.0. On the Start screen. and then click New Routing Protocol.0. 2. and then click Properties. In the Network and Sharing Center window. 7. Right-click DHCP Relay Agent.0. 3. and then click New Interface. click Ethernet 2. In the New Interface for DHCP Relay Agent dialog box. click OK. in the Server address box. 3.0. right-click General. 3. click Tools. type the following. In the Desktop. In the Routing protocols list. and then click Properties.0.10. 4. and then click Routing and Remote Access. At a Windows PowerShell command prompt.0 –State Active 4.11. b.200 –SubnetMask 255. type 172.10. click DHCP Relay Agent.10. To test the client.100 –EndRange 10. expand LON-RTR (local).190 –EndRange 10. click Add. Add the DHCP relay agent to the router by performing the following steps: a. In the navigation pane.1 Set-DhcpServerv4Scope –ScopeID 10. pressing Enter after each line: Add-WindowsFeature -IncludeManagementTools dhcp netsh dhcp add securitygroups Restart-service dhcpserver Add-DhcpServerInDC LON-SVR1 172.11 Add-DhcpServerv4Scope –Name "Branch Office 2" –StartRange 10. 
In the DHCP Relay Agent Properties dialog box.16.0 Add-Dhcpserverv4ExclusionRange –ScopeID 10. In the navigation pane. Sign in to LON-RTR as Adatum\Administrator with the password Pa$$w0rd. 6. and then click OK. and then click OK.10. 5.0. expand IPv4.0 –StartRange 10.16. In the DHCP Relay Agent Properties – Ethernet 2 Properties dialog box. click Change Adapter Settings. 5. type Control Panel. switch to LON-CL2. right-click DHCP Relay Agent. STUDENT USE PROHIBITED L6-32 Implementing Dynamic Host Configuration Protocol .Exercise 2: Implementing a DHCP Relay Agent (Optional Exercise) X Task 1: Install a DHCP relay agent 1. and then click OK.0. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd. Close Routing and Remote Access.0. right-click the PowerShell icon and select Run as administrator.255. In Server Manager. X Task 3: Test the DHCP relay agent with a client Note: To test how a client receives an IP address from the DHCP relay agent in another subnet. 1. click View network status and tasks.10.10. 2. X Task 2: Configure a DHCP relay agent 1.200 Set-DhcpServerv4OptionValue –Router 10. Under Network and Internet. right-click Ethernet. Right-click the Start button and then click Command Prompt. and then press Enter: ipconfig /renew 12. you should have implemented a DHCP relay agent. 20410C-LON-RTR.200/16. Results: After completing this exercise. click Obtain DNS server address automatically. start Hyper-V Manager. click Revert. On the host computer. click Internet Protocol Version 4 (TCP/IPv4) and then click Properties. In the Ethernet Properties window. right-click 20410C-LON-DC1. at a command prompt.10. . MCT USE ONLY. In the Command Prompt window. 11. 9.0. type the following.100/16 to 10. In the Revert Virtual Machine dialog box. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box. and then click Revert. and 20410C-LON-CL2. installed on LON-SVR1. 
Verify that IP address and DNS server settings on LON-CL2 are obtained from DHCP Server scope Branch Office 2. click Obtain an IP address automatically. and then click Close.10. Note: The IP address should be in the following range: 10. 2. complete the following steps: 1. 3. revert the virtual machines back to their initial state.0. In the Virtual Machines list.8. X Prepare for the next module After you finish the lab. click OK. Repeat steps 2 and 3 for 20410C-LON-SVR1. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L6-33 10. To do this. 4. MCT USE ONLY. STUDENT USE PROHIBITED . and then click Next. and then click Next. On the Domain Controller Options page. STUDENT USE PROHIBITED L7-35 Module 7: Implementing DNS Lab: Implementing DNS Exercise 1: Installing and Configuring DNS X Task 1: Configure LON-SVR1 as a domain controller without installing the Domain Name System (DNS) server role 1. click Next. 22. On the Confirm installation selections page. 6. select Active Directory Domain Services. 8. 18. 10. 4. On the title bar where Configuration required for Active Directory Domain Services at LON-SVR1 is visible. On the All Server Task Details and Notifications page. click Next. 19. click AD DS. 5. When Add Roles and Features Wizard appears. click Next. click Close. click Add Features. and leave the Global Catalog (GC) check box selected. On the Prerequisites Check page. On the Before you begin page. deselect the Domain Name System (DNS) server check box. 15. Note: The LON-SVR1 server automatically restarts as part of the procedure. On the Installation progress page. 17. On the Paths page. click Next. click Close. In the Server Manager console. click Promote this server to a domain controller. 3. 9. On LON-SVR1. sign in as Adatum\Administrator with the password Pa$$w0rd. In the Active Directory Domain Services Configuration Wizard. 2. 7. on the navigation page. click Install. and then click Next.com is selected. . 
On the Select features page. On the Review Options page. click Next. 13. and then click Next.MCT USE ONLY. On the You’re about to be signed out blue bar. On the Active Directory Domain Services page. click Install. when the Installation succeeded message appears. On the Additional Options page. On the Select server roles page. 16. click Next.Adatum. 20. 14. 21. click More. on the Deployment Configuration page. ensure that LON-SVR1. 12. ensure that Add a domain controller to an existing domain is selected. On the Select destination server page. 11. Type Pa$$w0rd in both text fields. click Next. click Add roles and features. After LON-SVR1 restarts. in the Server Manager console. On the Select installation type page. . 3. click Next. Click Add Host. 7. click Add roles and features. and then click Next.100. On the Before you begin page. 4. On the Completing the New Zone Wizard page. 6. In the New Host window. and observe the output returned: Get-DnsServerRootHint Get-DnsServerForwarder Note that both cmdlets are the respective Windows PowerShell equivalents of the DNS Console actions performed in steps 2 and 3 above. click Next. click Next. 3. 12. Click OK and then click Done. click Tools. X Task 4: Add the DNS server role for the branch office on the domain controller 1. Expand Forward Lookup Zones. pressing Enter after each.0. 5. Expand LON-DC1. and then click Properties.com zone on LON-DC1 1. 9. 2. 14. type the following cmdlets. On the Zone File page. On LON-SVR1. Ensure that the list displays no entries. click Finish. In the IP address box type 172.com. Ensure that root hints servers display. in the Server Manager console. On the Zone Type page. Click Cancel. in the Name textbox type www. On LON-DC1. On the Dynamic Update page. 13. 11. In the LON-DC1 Properties dialog box. click Next.X Task 2: Create and configure Contoso. and then click Next. and then click DNS. 8. On the Select installation type page. STUDENT USE PROHIBITED L7-36 Implementing DNS 1. 
in the Server Manager console. and that the Use root hints if no forwarders are available option is selected. type Contoso. click and then right-click LON-DC1. In Windows PowerShell. On the LON-DC1 virtual machine. 6. Click the Forwarders tab. On the Zone Name page. Leave DNS Manager console open. 2. click Next. In the New Zone Wizard. on the Welcome to the New Zone Wizard page.com zone and click New Host (A or AAAA) 10. in the DNS Manager console. 7. click the Windows PowerShell icon. click the Root hints tab. and then select and right-click contoso. right-click Forward Lookup Zones. 2.16. 3. 4. deselect the Store the zone in Active Directory check box. In the taskbar. 5. Close the DNS Manager console. and then select New Zone. X Task 3: Review configuration settings on the existing DNS server to confirm root hints MCT USE ONLY. Write this number here: ____________ 4. On the list of tools. expand Default-First-Site-Name. in the Server Manager console. 4.Adatum. click Add Features. X Task 6: Use Windows PowerShell commands to test non-local resolution 1.com is selected. 5. right-click the LON-SVR1 replication connection. type the following cmdlet. ensure that LON-SVR1. and then try again. In Windows PowerShell. type the following cmdlet. In the Active Directory Sites and Services console. when the “Installation succeeded” message appears. 2. expand LON-SVR1. In the right pane. On LON-SVR1. expand Servers. 6. 7. When the Add Roles and Features Wizard appears. right-click Forward Lookup Zones. and then click Active Directory Sites and Services. In Windows PowerShell.MCT USE ONLY. In the navigation pane. and then retry this step after 3-4 minutes.com and Adatum. and then click NTDS Settings.com Active Directory®–integrated zone 1. Note the entries labeled Ethernet in the InterfaceAlias column. 10. click Tools. and then click Next. Switch back to the DNS Manager console. click Tools. If this retry fails. In the Interface Index column. click Next. click DNS. 
Note: If you receive an error message. On the Installation progress page. In the DNS Manager console. 6. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L7-37 4. wait a few more minutes. proceed to the next step. note the Interface Index number that is in the same row as Ethernet and IPv4. where X is the specific Interface Index number you wrote down in the last step.com containers display. 5. 8. 10. click Next. and then click OK. 8. and then click Refresh. click Replicate Now. click Close. click Install. 7. and select Replicate Now. and then click Next. expand LON-SVR1.0 .Adatum. On the Confirm installation selections page. and then press Enter: Set-DnsClientServerAddress –InterfaceIndex X –ServerAddress 0. Ensure that both the _msdcs. expand Sites. expand LON-DC1.0. On the Select Features page. on the taskbar. 11. On LON-SVR1. 3. X Task 5: Verify replication of the Adatum. On the Select server roles page. and then press Enter: Get-DnsClient 3. and then expand Forward Lookup Zones. select DNS Server. click the Windows PowerShell icon. right-click the LON-DC1 replication connection. Switch back to Server Manager. 9. Close DNS Manager.0. and then click NTDS Settings. On the DNS Server page. 2. In the right pane. This container is probably empty. 9. On the Select destination server page. contoso. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd. and then press Enter: Restart-Computer X Task 8: Use Windows PowerShell to confirm name resolution 1.16. switch to a Windows PowerShell window.contoso. On the Start screen. On LON-CL1. 2. At the Windows PowerShell prompt. In Windows PowerShell.com Ensure that you receive an IP address for this host as a non-authoritative answer. Close Windows PowerShell. type Control Panel. you should have installed and configured DNS on 20410CLON-SVR1. STUDENT USE PROHIBITED L7-38 Implementing DNS . In Control Panel.contoso. type the following cmdlet. and then press Enter: nslookup 7. 
At the nslookup > prompt. type the following cmdlet. MCT USE ONLY. type the following and then press Enter: www. and then press Enter: nslookup www. 3. On LON-SVR1.” 8. 3. and then press Enter: Exit Leave the Windows PowerShell window open. No response from server.com You should see an error message. and then press Enter.0. 6.5. Exercise 2: Creating Host Records in DNS X Task 1: Configure a client to use LON-SVR1 as a DNS server 1. Type the following. click View network status and tasks.10' –PassThru 2. Type the following cmdlet. and then press Enter: Resolve-DNSName www. type the following. and then press Enter: Set-DnsServerForwarder –IPAddress '172. 2.com. 4. type the following.com You should see the following reply: “*** Unknown can’t find www. X Task 7: Configure Internet name resolution to forward to the head office 1. At the Windows PowerShell prompt. In Windows PowerShell. Results: After completing this exercise.contoso. sign in as Adatum\Administrator using the password Pa$$w0rd. expand LON-SVR1. On LON-DC1.16. right-click the Windows icon.com. 5. and then click Adatum.com. expand Forward Lookup Zones. 7. expand Forward Lookup Zones. 2.adatum.201 Click Add Host.MCT USE ONLY.adatum. It might take several minutes for the records to display. In the Command Prompt window. in the Server Manager console. and then click New Host (A or AAAA). . Right-click Ethernet. and then click Refresh.com.16. and then press Enter. and then click DNS.200 5. 5.16. Click Add Host. click Tools. in the Open text box. configure the following settings: o Name: www o IP address: 172. click Tools.com. In the Ethernet Properties dialog box. in the Server Manager console. 4.com. X Task 4: Use the ping command to locate new records from LON-CL1 1. In the Run pop-up window. Ensure that both www and ftp resource records display. 2. Right-click Adatum. type ping ftp. 4. right-click Adatum. 3. click Internet Protocol Version 4 (TCP/Ipv4). click OK. On LON-SVR1.0. 
Note: You will not receive replies. In the preferred DNS server box.0. and then click Run. In the New Host window. 3. X Task 3: Verify replication of new records to LON-SVR1 1. expand LON-DC1. o Name: ftp o IP address: 172. and then press Enter. and then click OK. X Task 2: Create several host records for web apps in the Adatum. 6. 6. At a command prompt. and then click Properties. 2.200.com. Note: If the www and ftp resource records do not display within several minutes. Click Change adapter settings. In the DNS Manager console.0. configure the following settings: 7. and then click DNS. and then click Properties. on the taskbar. type cmd. and then click Done. overwrite the IP address for preferred DNS server with 172. at a command prompt. type ping www. and then click Adatum. Ensure that the name resolves to 172. On LON-CL1.11.com domain 1. and then press Enter. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L7-39 4.0. In the New Host window. 3. In the DNS Manager console. click OK. and then click Close.16. 100. (You will not receive replies. In the Command Prompt window.contoso. and then click OK. expand Forward Lookup Zones.) 7. at a command prompt.16.6. and then click Properties.0. Switch to LON-SVR1. STUDENT USE PROHIBITED L7-40 Implementing DNS 1.10. 5. Switch to LON-CL1. In the Command Prompt window.100) is still displayed. On LON-CL1. 3. expand the Cached Lookups node. expand com. Leave the Command Prompt window open.16. In the right pane. and then click DNS. open DNS Manager. 3. 8. you should have configured DNS records. type the following. X Task 2: Update an Internet record to point to the LON-DC1 IP address 1. click Tools.com. and then click Advanced. Click LON-SVR1. Exercise 3: Managing the DNS Server Cache X Task 1: Use the ping command to locate an Internet record from LON-CL1 1. Results: After completing this exercise. 3. expand LON-DC1. and then click contoso. click the View menu. Change the IP address to 172. 
and then press Enter.com is resolving to 172. right-click www. Ping does not work.16.0.0.contoso.16. 2.100.201.(root). type ping www. 2. Look for cached entries and notice that www. . 6. In the DNS Manager console. and then press Enter: ping www. On LON-DC1. 5. and then click contoso. 7. 2.16.100. In the Server Manager console. at a command prompt. type ipconfig /displaydns. Ensure that the name resolves to the IP address 172. and then press Enter. in the Command Prompt window. In the right pane. and that the old IP address (which is 172. expand . X Task 3: Examine the content of the DNS cache MCT USE ONLY. Expand LON-SVR1.contoso. Switch back to LON-CL1.0. at a command prompt. 4.com. 6. Leave the Command Prompt window open. examine the cached content and note that the www record has the IP address: 172.0.0. 4.com Note that ping does not work.16. Ensure that name resolves to 172. Ping now should work on address 172. right-click 20410C-LON-DC1.com. and then press Enter.10. In the Revert Virtual Machine dialog box. On LON-SVR1.X Task 4: Clear the cache. In a Command Prompt window. 2. 3. In the Virtual Machines list.com. 2. Type y. and then press Enter. 1. and retry the ping command 1. you should have examined the DNS server cache. MCT USE ONLY. Repeat steps 2 and 3 for 20410C-LON-SVR1 and 20410C-LON-CL1. X Prepare for the next module After you finish the lab. In the Command Prompt window. start Hyper-V Manager. at a command prompt. and then press Enter. Results: After completing this exercise. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L7-41 6. and then press Enter. type ipconfig /flushdns. In the Command Prompt window. 4. type ping www. 3.contoso. at a command prompt. type ping www. 4. type Clear-DNSServerCache. click Revert. 5. 7. Switch to LON-CL1. On the host computer. The result still returns the old IP address.0. on the taskbar.contoso. .16. click the Windows PowerShell icon. and then press Enter. 
At the Windows PowerShell prompt. revert the virtual machines to their initial state. and then click Revert. MCT USE ONLY. STUDENT USE PROHIBITED . click Local Server. 3. in Server Manager. . In the Local Server Properties dialog box. LON-DC1 is now an IPv4-only host. Notice that Get-NetIPAddress cmdlet returns a link-local IPv6 address. 4. in Server Manager. click the Windows PowerShell icon. clear the Internet Protocol Version 4 (TCP/IPv4) check box.11. X Task 2: Disable IPv6 on LON-DC1 1. on the taskbar. Notice that there are four replies from 172. On LON-DC1. and then click OK. 6.0. 2. click 10. At the Windows PowerShell prompt. right-click Ethernet. Close the Network Connections window. and then click OK. You may need to refresh the view. In the Network Connections window. click 172. 3.16. and then press Enter. In the Ethernet Properties dialog box. In Server Manager.16. 4. 4. X Task 3: Disable IPv4 on LON-SVR2 1. right-click Ethernet. and then press Enter. and then press Enter. In the Network Connections window. In Server Manager. 5. In the Properties window. Verify that the only IPv6 address listed is a link-local address that cannot be routed. 6. and then click Properties. In the Ethernet Properties dialog box. clear the Internet Protocol Version 6 (TCP/IPv6) check box.MCT USE ONLY. 5. Type Get-NetIPAddress. click Local Server.10. Close the Network Connections window. and then click Properties. next to the Ethernet section. 2.10. next to Ethernet.0.16. 2.0. verify that Ethernet now lists only IPv6 enabled. You may need to refresh the view.0. Type ipconfig. LON-SVR2 is now an IPv6-only host. IPv6 enabled. type ping lon-dc1. On LON-SVR2. STUDENT USE PROHIBITED L8-43 Module 8: Implementing IPv6 Lab: Implementing IPv6 Exercise 1: Configuring an IPv6 Network X Task 1: Verify IPv4 routing 1.10.10. 3. On LON-SVR2. verify that Ethernet lists only 172. IPv6 enabled. and then click DNS. 
and then press Enter: New-NetRoute -InterfaceAlias " Ethernet 2" -DestinationPrefix 2001:db8:0:1::/64 -Publish Yes 3. 4. 5. Close DNS Manager. type 172. on the taskbar. expand Forward Lookup Zones. Configure a network address that will be used on the IPv6 network. type the following cmdlet. click the Windows PowerShell icon. and then press Enter. click the Windows PowerShell icon. MCT USE ONLY. on the taskbar. 3. 7. X Task 5: Verify IPv6 on LON-SVR2 1. expand LON-DC1. In DNS Manager.com. On LON-RTR. Results: After completing the exercise. STUDENT USE PROHIBITED L8-44 Installing and Configuring Windows Server® 2012 Notice that Ethernet 2 now has an IPv6 address on the 2001:db8:0:1::/64 network. This address is used for communication on the IPv6-only network. At the Windows PowerShell prompt. 8. and then click Adatum. click Tools. In the IP address box. Click OK to clear the success message. 2. On LON-DC1.com. type the following cmdlet. At the Windows PowerShell prompt. 2. . On LON-SVR2. Exercise 2: Configuring an ISATAP Router X Task 1: Add an ISATAP host record to DNS 1. and then click Add Host. ISATAP clients resolve this host name to find the ISATAP router.0.1. you will have configured an IPv6–only network. type ISATAP. and then press Enter. in Server Manager. 2. Allow clients to obtain the IPv6 network address automatically from LON-RTR.16. type ipconfig. and then press Enter: Set-NetIPInterface -InterfaceAlias "Ethernet 2" -AddressFamily IPv6 -Advertising Enabled 4. Type ipconfig. At the Windows PowerShell prompt. 6.X Task 4: Configure an IPv6 network on LON-RTR 1. Notice that the Ethernet now has an IPv6 address on the 2001:db8:0:1::/64 network. The network address was obtained from the router through stateless configuration. Click Done to close the New Host window. in the Name box. and then click New Host (A or AAAA). Right-click Adatum. In the New Host window. and then press Enter: Get-NetIPAddress -InterfaceIndex IndexYouRecorded 9. 
Type the following command. and then press Enter: Set-NetIsatapConfiguration -State Enabled 2. type the following cmdlet. Type the following command. Record the InterfaceIndex of the ISATAP interface that has an IPv6 address that includes 172. The ISATAP interface for an ISATAP router must have forwarding enabled and advertising enabled. Interface index: 4. X Task 4: Enable LON-DC1 as an ISATAP client 1. At the Windows PowerShell prompt.1. At the Windows PowerShell prompt. type Restart-Service DNS -Verbose. MCT USE ONLY. dnscmd /config /globalqueryblocklist wpad 2.16. and then press Enter: New-NetRoute -InterfaceIndex IndexYouRecorded -DestinationPrefix 2001:db8:0:2::/64 -Publish Yes 8.0. Verify that an IPv6 address is listed on the 2001:db8:0:2::/64 network.1.IPv6Address 3. X Task 3: Remove ISATAP from the Global Query Block List 1. configure the IP address of the Ethernet adapter as the ISATAP router.1 2.InterfaceIndex.L8-45 X Task 2: Enable the ISATAP router on LON-RTR 1. and then press Enter. 6. and then press Enter: Set-NetIPInterface -InterfaceIndex IndexYouRecorded -Advertising Enabled 7. and then press Enter: Get-NetIPAddress | Format-Table InterfaceAlias. Create a new IPv6 network that will be used for the ISATAP network. On LON-DC1. and then press Enter.0. and then press Enter. Type the following command. Type ping isatap. On LON-DC1. Type the following command. Type the following command.16. 3. On LON-RTR. and then press Enter: Set-NetIsatapConfiguration -Router 172. View the IP address configuration for the ISATAP interface. at the Windows PowerShell prompt. and then press Enter.0. type the following command. at the Windows PowerShell prompt. Verify that Forwarding is enabled for the interface and that Advertising is disabled. The name should resolve and you should receive four replies from 172.16. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 Type ipconfig. . type the following command. 
and then press Enter: Get-NetIPInterface -InterfaceIndex IndexYouRecorded -PolicyStore ActiveStore | Format-List 5. 4. right-click 20410C-LON-DC1. In Server Manager. click Use the following DNS server addresses. click Revert. click Internet Protocol Version 6 (TCP/IPv6). and then press Enter: ping 2001:db8:0:2:0:5efe:172. revert the virtual machines back to their initial state. 3. next to Ethernet. Results: After completing this exercise. start Hyper-V® Manager. At the Windows PowerShell prompt. 6. . click Close. and then click OK. click Local Server. In the Local Server Properties dialog box. Close the Network Connections window. X Prepare for the next module After you finish the lab. type 2001:db8:0:2:0:5efe:172. In the Revert Virtual Machine dialog box. at the Windows PowerShell prompt. Notice that this address includes the IPv4 address of LON-DC1. In the Internet Protocol Version 6 (TCP/IPv6) Properties dialog box. 8. 20410C-LON-RTR and 20410C-LON-SVR2.16. 5. Repeat steps 2 and 3 for 20410C-LON-SVR1.3. if necessary. 1. X Task 5: Test connectivity 1. complete the following steps.16. Notice that four replies are received from LON-DC1. On the host computer. you will have configured an ISATAP router on LON-RTR to allow communication between an IPv6–only network and an IPv4–only network.0. In the Network Connections window. and then press Enter. 7. 3. 4. STUDENT USE PROHIBITED L8-46 Installing and Configuring Windows Server® 2012 2. In the Virtual Machines list. In the Ethernet Properties dialog box. and then click Revert. and then click Properties. Note: A ping from LON-DC1 to LON-SVR2 does not respond because the firewall configuration on LON-SVR2 blocks ping requests. 2. right-click Ethernet.0. In the Preferred DNS server box. and then click Properties. To do this. 10. In the Ethernet Properties dialog box. type the following command. 9.10 MCT USE ONLY. On LON-SVR2. type ping LON-DC1.10. 
Verify that the Tunnel adapter for ISATAP has an IPv6 address on the 2001:db8:0:2::/64 network. click IPv6 enabled.

Module 9: Implementing Local Storage
Lab: Implementing Local Storage

Exercise 1: Installing and Configuring a New Disk

Task 1: Initialize a new disk
1. Sign in to LON-SVR1 with the username Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, click the Tools menu, and then click Computer Management.
3. In the Computer Management console, under the Storage node, click Disk Management.
4. In the Disks pane, right-click Disk 2, and then click Online.
5. Right-click Disk 2, and then click Initialize Disk.
6. In the Initialize Disk dialog box, select the Disk 2 check box, click GPT (GUID Partition Table), and then click OK.

Task 2: Create and format two simple volumes on the disk
1. In the Computer Management console, in Disk Management, right-click the black-marked box to the right of Disk 2, and then click New Simple Volume.
2. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
3. On the Specify Volume Size page, in the Simple volume size in MB field, type 4000, and then click Next.
4. On the Assign Drive Letter or Path page, ensure that the Assign the following drive letter check box is selected and that F is selected in the drop-down menu, and then click Next.
5. On the Format Partition page, from the File system drop-down menu, click NTFS, in the Volume label text box, type Volume1, and then click Next.
6. On the Completing the New Simple Volume Wizard page, click Finish.
7. In the Disk Management window, right-click the black box to the right of Disk 2, and then click New Simple Volume.
8. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
9. On the Specify Volume Size page, in the Simple volume size in MB field, type 5000, and then click Next.
10. On the Assign Drive Letter or Path page, ensure that the Assign the following drive letter check box is selected, verify that G is listed as the drive letter, and then click Next.
11. On the Format Partition page, from the File system drop-down menu, click ReFS, in the Volume label text box, type Volume2, and then click Next.
12. On the Completing the New Simple Volume Wizard page, click Finish.

Task 3: Verify the drive letter in a File Explorer window
1. On the taskbar, open a File Explorer window, expand This PC, and then click Volume1 (F:).
2. In File Explorer, click Volume2 (G:), right-click Volume2 (G:), point to New, and then click Folder.
3. In the New folder field, type Folder1, and then press Enter.

Results: After you complete this lab, you should have initialized a new disk, created two simple volumes, and then formatted them. You should also have verified that the drive letters you assigned are available in File Explorer.

Exercise 2: Resizing Volumes

Task 1: Shrink Volume1
1. On LON-SVR1, switch to the Computer Management console.
2. In the Computer Management console, in Disk Management, in the middle pane, right-click Volume1 (F:), and then click Shrink Volume.
3. In the Shrink F: window, in the Enter the amount of space to shrink in MB field, type 1000, and then click Shrink.

Task 2: Extend Volume2
1. On LON-SVR1, in Disk Management, in the middle pane, right-click Volume2 (G:), and then click Extend Volume.
2. In Extend Volume Wizard, on the Welcome to the Extended Volume Wizard page, click Next.
3. On the Select Disks page, in the Select the amount of space in MB field, type 1000, and then click Next.
4. On the Completing the Extended Volume Wizard page, click Finish.
5. In a File Explorer window, click Volume2 (G:), and verify that Folder1 is available on the volume.

Results: After this lab, you should have made one volume smaller, and extended another.
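The disk work from Exercises 1 and 2 can also be scripted with the Storage module cmdlets instead of Disk Management. The script below is an added example, not part of the original lab; it assumes the lab layout (Disk 2 is the new empty disk, F: and G: are free), and the RAW-disk and supported-size guards are additions that stop the script before it can destroy data on a disk that is already in use.

```powershell
#Requires -RunAsAdministrator
# Added example: Exercises 1 and 2 of this lab, scripted.
# Assumptions (from the lab): Disk 2 is the new disk, F: and G: are unused.
$ErrorActionPreference = 'Stop'
$diskNumber = 2

# Exercise 1, Task 1: bring the disk online and initialize it as GPT.
$disk = Get-Disk -Number $diskNumber
if ($disk.IsOffline)  { Set-Disk -Number $diskNumber -IsOffline  $false }
if ($disk.IsReadOnly) { Set-Disk -Number $diskNumber -IsReadOnly $false }

# Guard (added): only a disk with no partition table is initialized.
# A wrong disk number on a production server would otherwise be wiped.
$disk = Get-Disk -Number $diskNumber
if ($disk.PartitionStyle -ne 'RAW') {
    throw "Disk $diskNumber already has a $($disk.PartitionStyle) partition table; refusing to initialize it."
}
Initialize-Disk -Number $diskNumber -PartitionStyle GPT

# Exercise 1, Task 2: 4000 MB NTFS volume on F:, 5000 MB ReFS volume on G:.
New-Partition -DiskNumber $diskNumber -Size 4000MB -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Volume1' -Confirm:$false |
    Out-Null
New-Partition -DiskNumber $diskNumber -Size 5000MB -DriveLetter G |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Volume2' -Confirm:$false |
    Out-Null

# Exercise 1, Task 3: create Folder1 on G: so it can be checked after the resize.
New-Item -Path 'G:\Folder1' -ItemType Directory | Out-Null

# Exercise 2, Task 1: shrink F: by 1000 MB, but only within the supported range.
$f       = Get-Partition -DriveLetter F
$fTarget = $f.Size - 1000MB
$fLimits = Get-PartitionSupportedSize -DriveLetter F
if ($fTarget -lt $fLimits.SizeMin) {
    throw "F: cannot be shrunk to $fTarget bytes (minimum is $($fLimits.SizeMin))."
}
Resize-Partition -DriveLetter F -Size $fTarget

# Exercise 2, Task 2: extend G: by 1000 MB into the unallocated space behind it.
$g       = Get-Partition -DriveLetter G
$gTarget = $g.Size + 1000MB
$gLimits = Get-PartitionSupportedSize -DriveLetter G
if ($gTarget -gt $gLimits.SizeMax) {
    throw "G: cannot be extended to $gTarget bytes (maximum is $($gLimits.SizeMax))."
}
Resize-Partition -DriveLetter G -Size $gTarget

# Verification: both volumes with their new sizes, and Folder1 still present.
Get-Volume -DriveLetter F, G |
    Format-Table DriveLetter, FileSystemLabel, FileSystem, Size -AutoSize
if (-not (Test-Path 'G:\Folder1')) {
    throw 'Folder1 is missing from G: after the resize.'
}
```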
Exercise 3: Configuring a Redundant Storage Space

Task 1: Create a storage pool from five disks that are attached to the server
1. On LON-SVR1, on the taskbar, click the Server Manager icon.
2. In Server Manager, in the left pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.
3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down menu, click New Storage Pool.
4. In the New Storage Pool Wizard window, on the Before you begin page, click Next.
5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1, and then click Next.
6. On the Select physical disks for the storage pool page, click the following physical disks, and then click Next:
   o PhysicalDisk3
   o PhysicalDisk4
   o PhysicalDisk5
   o PhysicalDisk6
   o PhysicalDisk7
7. On the Confirm selections page, click Create.
8. On the View results page, wait until the task completes, and then click Close.

Task 2: Create a three-way mirrored virtual disk
1. On LON-SVR1, in Server Manager, in the Storage Spaces pane, click StoragePool1.
2. In the VIRTUAL DISKS pane, click TASKS, and then from the TASKS drop-down menu, click New Virtual Disk.
3. In the New Virtual Disk Wizard window, on the Before you begin page, click Next.
4. On the Select the storage pool page, click StoragePool1, and then click Next.
5. On the Specify the virtual disk name page, in the Name box, type Mirrored Disk, and then click Next.
6. On the Select the storage layout page, in the Layout list, click Mirror, and then click Next.
7. On the Configure the resiliency settings page, click Three-way mirror, and then click Next.
8. On the Specify the provisioning type page, click Thin, and then click Next.
9. On the Specify the size of the virtual disk page, in the Specify Size box, type 10, and then click Next.
10. On the Confirm selections page, click Create.
11. On the View results page, wait until the task completes.
12. Ensure that the Create a volume when this wizard closes check box is selected, and then click Close.
13. In the New Volume Wizard window, on the Before you begin page, click Next.
14. On the Select the server and disk page, in the Disk pane, click the Mirrored Disk virtual disk, and then click Next.
15. On the Specify the size of the volume page, click Next to confirm the default selection.
16. On the Assign to a drive letter or folder page, in the Drive letter drop-down menu, ensure that H is selected, and then click Next.
17. On the Select file system settings page, in the File system drop-down menu, click ReFS, in the Volume label box, type Mirrored Volume, and then click Next.
18. On the Confirm selections page, click Create.
19. On the Completion page, wait until the creation completes, and then click Close.

Task 3: Copy a file to the volume, and verify that it is visible in File Explorer
1. Go to the Start screen, type command prompt, and then press Enter.
2. In the Command Prompt window, at the command prompt, type the following command, and then press Enter:
   Copy C:\windows\system32\write.exe H:\
3. Close the Command Prompt window.
4. On the taskbar, click the File Explorer icon.
5. In the File Explorer window, click Mirrored Volume (H:).
6. Verify that write.exe displays in the file list.
7. Close File Explorer.

Task 4: Remove a physical drive
1. On the host machine, in Hyper-V® Manager, in the Virtual Machines pane, right-click 20410C-LON-SVR1, and then click Settings.
2. In Settings for 20410C-LON-SVR1, in the Hardware pane, click Hard Drive that begins with 20410C-LON-SVR1-Disk5.
3. In the Hard Drive pane, click Remove, and then click OK. Click Continue.

Task 5: Verify that the write.exe file is still accessible
1. Switch to LON-SVR1.
2. On the taskbar, click the File Explorer icon.
3. In the File Explorer window, click Mirrored Volume (H:).
4. In the file list pane, verify that write.exe is still available.
5. Close File Explorer.
6. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools” button. Notice the warning that displays next to Mirrored Disk.
7. In the VIRTUAL DISKS pane, right-click Mirrored Disk, and then click Properties.
8. In the Mirrored Disk Properties dialog box, in the left pane, click Health. Notice that the Health Status indicates a Warning. The Operational Status should indicate Incomplete, Unknown or Degraded.
9. Click OK to close the Mirrored Disk Properties dialog box.

Task 6: Add a new disk to the storage pool and remove a broken disk
1. Switch to LON-SVR1.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools” button.
3. In the STORAGE POOLS pane, right-click StoragePool1, and then click Add Physical Disk.
4. In the Add Physical Disk window, click PhysicalDisk8 (LON-SVR1), and then click OK.
5. Click Windows PowerShell on the taskbar. Type Get-PhysicalDisk. In the Revert Virtual Machine dialog box. Type Remove-PhysicalDisk –PhysicalDisks $disk -StoragePoolFriendlyName StoragePool1 and press Enter. complete the following steps. you should have verified that the virtual disk was still available and could be accessed. 7. right-click 20410C-LON-DC1. 8. and repeat steps 5-10. Note the FriendlyName for the disk that shows an OperationalStatus of Lost Communication. click the Refresh “Storage Pools” button to see the warnings disappear. start Hyper-V Manager. On the host computer. in the STORAGE POOLS pane. you should have added another physical disk to the storage pool. restart LON-SVR1. and press Enter. 11.MCT USE ONLY. It can take some time for the mirrored disk to be resynchronized after a disk has been removed and another disk added. To do this. Repeat steps 2 and 3 for 20410C-LON-SVR1. on the menu bar. Finally. 1.
Then you should have created a three-way mirrored. In Server Manager. X Prepare for the next module After you finish the lab. In the Virtual Machines list. Type $Disk = Get-PhysicalDisk –FriendlyName diskname and press ENTER. Replace diskname with the name of the disk you noted in Step 7. click Revert. 9. Results: After completing this lab. 12. you should have created a storage pool and added five disks to it. If you get a warning that the disk cannot be removed. 2. 3. and then press Enter. revert the virtual machines back to their initial state. and then click Revert. sign in as Adatum\Administrator using the password Pa$$w0rd. Type Y. 4. . 10. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L9-51 6. wait five minutes and then run the last command again. after removing a physical drive. Next. thinly provisioned virtual disk from the storage pool. You should have also copied a file to the new volume and verified that it is accessible. If you still cannot remove the disk after five minutes. STUDENT USE PROHIBITED .MCT USE ONLY. In the Permissions for Development dialog box. and then click OK. 18. type Development. navigate to drive E. type Data. click New folder. click Convert inherited permissions into explicit permissions on this object. 14. in the navigation pane. On the Security tab. and then click Properties. click Check names. 3. and then press Enter. and then click Advanced. Double-click the Data folder. In File Explorer. In the Permissions for Development dialog box. and then click Allfiles (E:). 7. expand This PC. and then click Properties. on the taskbar. click Add. 5. click New folder. 2. Research. 15. right-click the Data folder. In the Advanced Security Settings for Development dialog box. select Modify permission. click Disable Inheritance. 19. In the Data Properties dialog box. 4. Click OK to close the Permissions for Development dialog box. assigning Modify permissions to the Marketing. 4. 
Click OK to close the Development Properties dialog box. . 8. 10. Click OK to close the Advanced Security Settings for Data dialog box. and then click Advanced. 3. In the Block Inheritance dialog box. under Allow. In the Development Properties dialog box. 2. 16. Click OK to close the Data Properties dialog box. 6. and then press Enter. In the Advanced Security Settings for Data dialog box. Remove the two permissions entries for Users (LON-SVR1\Users). Repeat step 5 for the following new folder names: o Marketing o Research o Sales X Task 2: Configure NTFS permissions on the folder structure 1. Research. and Sales folders. Type Development.MCT USE ONLY. click Edit. On the menu toolbar. click Disable Inheritance. click Convert inherited permissions into explicit permissions on this object. 6. 17. 12. click Security. and Sales groups for their respective folders. double-click the Data folder. In the Block Inheritance dialog box. STUDENT USE PROHIBITED L10-53 Module 10: Implementing File and Print Services Lab: Implementing File and Print Services Exercise 1: Creating and Configuring a File Share X Task 1: Create the folder structure for the new share 1. 9. 5. 13. On the menu toolbar. click Home. In File Explorer. 11. Repeat steps 8 through 18 for the Marketing. Right-click the Development folder. On LON-SVR1. click Home. click Security. In File Explorer. and then click OK. click the File Explorer icon. and then press Enter. On the taskbar. type \\LON-SVR1\Data. Click OK to close the Advanced Sharing dialog box. X Task 4: Test access to the shared folder 1. In the Data Properties dialog box. click the File Explorer icon. Type Authenticated Users. select Share this folder. click Settings. select Change permission. click Check names. and then select Enable access-based enumeration. Click Close to close the Data Properties dialog box. In Server Manager. Click OK to close the Permissions for Data dialog box. even though he does not have access to their contents. 
in the navigation pane. 9. 3. 7. Switch to LON-SVR1. Note: Bernard can still see the other folders. 6. In the Permissions for Data dialog box. In the Permissions for Data dialog box. right-click Data. In the Shares pane. click Authenticated Users. right-click the Data folder. 6. and then click Properties. 3. and Sales folders. Note: Bernard should have access to the Development folder. Double-click the Development folder. 6. 5. in the navigation pane. In the Data Properties dialog box. 2. NTFS permissions on these folders prevents you from doing this. and then click OK. click the Sharing tab. 3. On the Start screen. click Desktop. Research. Sign out of LON-CL1. 4. 5. Note: Bernard is a member of the Development group. click Shares. 2. click the Server Manager icon. In the File and Storage Services window. In File Explorer. X Task 5: Enable access-based enumeration 1. in the address bar. On the taskbar. STUDENT USE PROHIBITED L10-54 Implementing File and Print Services . navigate to drive E. 2. 4. and then click Advanced Sharing. 8. In File Explorer. 4. and then click Properties. 5. In the Advanced Sharing dialog box. MCT USE ONLY. and then under Allow. click Add. click File and Storage Services. and then click Permissions. Attempt to access the Marketing. Sign in to LON-CL1 as Adatum\Bernard with the password Pa$$w0rd.X Task 3: Create the shared folder 1. 7. In the Offline Settings dialog box. click the File Explorer icon. In the drive Shadow Copies dialog box. type \\LON-SVR1\Data. and then click Caching. Note: Bernard should have access to the Development folder. On the taskbar. Switch to LON-SVR1. 2. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 . Note: Bernard can now view only the Development folder. Sign out of LON-CL1. 5. 4. in the address bar. click Yes. Double-click the Development folder. 4. click Settings. the folder for which he has been assigned permissions. right-click the Data folder. and then click Enable. 
click Advanced Sharing. 3. X Task 6: Test access to the share 1. 4. 6. you will have created a new shared folder for use by multiple departments. right-click Allfiles (E:). In File Explorer. 2. Navigate to drive E. Close Server Manager. X Task 7: Disable Offline Files for the share 1. On the taskbar. navigate to drive E. 8. 6. In File Explorer. and then click Configure Shadow Copies. Exercise 2: Configuring Shadow Copies X Task 1: Configure shadow copies for the file share 1. Sign in to LON-CL1 as Adatum\Bernard with the password Pa$$w0rd. and then click Properties. Results: After completing this exercise. click No files or programs from the shared folder are available offline. 2. Click OK to close the Advanced Sharing dialog box. On LON-SVR1. In the Shadow Copies dialog box. and then press Enter. Open File Explorer. In the Enable Shadow Copies dialog box. 6. and then click OK. click drive E. Click Close to close the Data Properties dialog box. In the Data Properties dialog box. click the File Explorer icon. 5.7. Click OK to close the Data Properties dialog box. click the Sharing tab. 7. 3. 5. 3. Click the Desktop tile. 9. 12. right-click the Development folder. click Schedule. 6. Results: After completing this exercise. select Repeat task. 8. On LON-SVR1. open File Explorer. On LON-SVR1. Switch back to the Shadow Copies dialog box. change Schedule Task to Daily. Right-click Report. 4. . Click the most recent folder version for Development. 7.txt is in the folder. right-click the Development folder. X Task 3: Recover a deleted file from a shadow copy 1. In the other File Explorer window. 2. 5. and then click Properties. 11. This opens the drive E:\ dialog box. 5. and then click Paste. click the Windows PowerShell® icon.txt. Type Report. 8. 13.
X Task 2: Create multiple shadow copies of a file 1. 10. Close File Explorer. Click OK and close all open windows. At the command prompt type the following command and press Enter: Add-WindowsFeature FS-SyncShareService Note that the name of the feature is case-sensitive. In the Settings dialog box. Confirm that Report. click Home. change Start time to 12:00 AM and then click Advanced. and then click Text Document. and then click Copy. Click OK twice. Close the File Explorer window that just opened. Click OK to close the Settings dialog box. Click Create Now. and then press Enter. 6. Exercise 3: Enabling and Configuring Work Folders X Task 1: Install the Work Folders role service 1. In drive E:\ dialog box. On LON-SVR1. and then set the frequency to every 1 hours. Navigate to E:\Data\Development. 2. 3.txt. and then click Open. 10. right-click Report. In the Advanced Schedule Options dialog box. Leave the drive Shadow Copies dialog box open. In the Development Properties dialog box. In File Explorer. MCT USE ONLY. and change the time value to 11:59 PM. on the taskbar. 2. 3. switch back to File Explorer. it should still be opened on the Shadow Copies tab. 4. Select Time. On the menu toolbar. and then click Delete. 9. click New item. In the Work Folders folder. 9. right-click an empty space. Navigate to C:\Labfiles\Mod10 and double-click WorkFolders. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd. type http://lon-svr1. 6. X Task 4: Test synchronization 1. Close all open windows.Adatum. This adds a registry entry to allow unsecured connections to the work folders. 11.com. If required. in Work Folders URL. On LON-DC1. 12. Click Enabled and. In the New GPO dialog box. 2. and then click Text Document. In the Group Policy Management Editor window. in Server Manager. Name the new text document TestFile2. 6. 4. 3. In the details pane. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd. 8. 
Click the Desktop tile and click File Explorer. 9. 2. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 On LON-SVR1. 10. 3. MCT USE ONLY. Right-click Adatum. point to New. 8. go to Forest:Adatum. 7. In the Group Policy Management Console. On the Start screen. go to User Configuration\Policies \Administrative Templates\Windows Components\Work Folders. X Task 3: Automate settings for users via Group Policy 1. 7. . double-click Specify Work Folders settings.L10-57 X Task 2: Create a Sync Share on the File Server 1. Click File and Storage Services. 5. on the taskbar. and then press Enter. click Desktop. Sign out of LON-CL1. 3.com.com and click Create a GPO in this domain. On the taskbar. 10. and then click OK. click the Server Manager icon to open Server Manager. in Name. 4. 4. Right-click the Work Folders GPO and then click Edit. Switch to LON-SVR1 and click File Explorer.bat. click the Start button. In the lower-left corner of the screen. Click Work Folders and ensure the Corp sync share exists. and Link it here.com\Domains\Adatum. type Work Folders. 5. in the Windows PowerShell command window type the following command and press Enter: New-SyncShare Corp –path C:\CorpData –User “Adatum\Domain Users” 2. click the File Explorer icon. Select Force automatic setup and click OK. Double-click the Work Folders folder. click Tools and click Group Policy Management. 11. Click Add Roles and Features. 6. 14. On LON-SVR1. 10. and then click Next. Results: After completing this exercise. On LON-SVR1. on the taskbar. click the Server Manager icon. Navigate to C:\CorpData\Administrator. and then click Next. under Printers. click Next. X Task 2: Install a printer 1.200. In Server Manager. The default server is the local server. you will have installed the Work Folders role service. On the Print and Document Services page. and then click Next. 7. and then click Next. 8.13. click Microsoft XPS Class Driver. 
STUDENT USE PROHIBITED L10-58 Implementing File and Print Services 3. Expand Printer Servers. clear Auto detect the printer driver to use. in the Server Manager. right-click Printers. Ensure the new text file named TestFile2 exists. on the menu toolbar. 5. Click Install to install the required role services. select Print and Document Services. Exercise 4: Creating and Configuring a Printer Pool X Task 1: Install the Print and Document Services server role 1. 4. and then click Add Printer. You will have also tested the settings. 2. The Network Printer Installation Wizard starts. On the Select Role Services page. and then click Print Management. On the Network Printer Installation Wizard page. click Add Features. click Manage. and then click Next. On the Select server roles page. 6.16. click Generic Network Card. On the Select Server Roles page. click Tools. On the Select destination server page. In the Add Roles and Features Wizard. click Next. MCT USE ONLY. click the server on which you want to install the Print and Document Services. created a sync share. In Host name or IP address. 13. and then click Next. 2. . 8. click Next. Click Role-based or feature-based Installation. On the Select Features page. 3. Change the Type of Device to TCP/IP Device. Click Microsoft as the Manufacturer. type 172. click Next. and created a Group Policy Object to deliver the settings to the users automatically. and then click Next. Under Device Type. click Add a TCP/IP or Web Services Printer by IP address or hostname. review the Notes for the administrator. Close all open Windows.0. 4. 9. 12. Click Close. 7. Click Install a new driver. click Next until the Confirm Installation Selections page displays. 5. expand LON-SVR1. 16. and then click the 172. click the Ports tab. Results: After completing this exercise. Click Finish to close the Network Printer Installation Wizard. In Printer Name or IP Address. Click Next two times to accept the default printer name and share name. 
In the Additional port information required dialog box. type 172. 6. In Control Panel.9. revert the virtual machines back to their initial state. and click Control Panel. 10. In the Print Management console. and then click New Port. The device installs automatically. select List in the directory. click Revert. and then click Enable Branch Office Direct Printing. In the Revert Virtual Machine dialog box. In the Print Management console. and then select Properties. To do this. In the Print Management console. In the Add a device dialog box. right-click Branch Office Printer. and then click Next. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L10-59 Change the Printer Name to Branch Office Printer. complete the following steps. 11. On the host computer. 9. click Next. 1. X Prepare for the next module After you finish the lab. 7. In the Print Management console. 10. 11. right-click the Branch Office Printer. Repeat steps 2 and 3 for 20410C-LON-CL1 and 20410C-LON-DC1. Click the Sharing tab. click Next. 12. under Hardware and Sound. 3. 4. X Task 3: Configure printer pooling 1. right-click Ports. 3. right-click the Start button. in the lower-left corner of the screen. 2. Click OK to close the Branch Office Printer Properties dialog box. and then click Revert. under LON-SVR1. you will have installed the Print and Document Services server role and installed a printer with printer pooling. and then click Next. In the Printer Ports dialog box. and then click Properties. Close the Print Management Console.201. MCT USE ONLY.201 port to select it as the second port. 3. select Enable printer pooling. . right-click 20410C-LON-SVR1. Click Finish to close the Add Standard TCP/IP Printer Port Wizard. click Add a device.0. In the Branch Office Printer Properties dialog page. 2. and then click Next. 2. 8. and then click Add Port. 5. right-click the Branch Office Printer. 13. click Branch Office Printer on LON-SVR1. 
Click Close to close the Printer Ports dialog box. On LON-CL1. start Hyper-V® Manager. 4. In the Virtual Machines list. click Standard TCP/IP Port.0. 14. click Printers. X Task 4: Install a printer on a client computer 1. and to install the printer. In the Add Standard TCP/IP Printer Port Wizard.16. and then click OK. STUDENT USE PROHIBITED .MCT USE ONLY. expand Adatum. and then expand the Group Policy Objects folder. click in the details pane. and then press CTRL+A. and then click Edit. 2. 2. and then open the PolicyDefinitions folder. and then click Group Policy Management. 4. STUDENT USE PROHIBITED L11-61 Module 11: Implementing Group Policy Lab: Implementing Group Policy Exercise 1: Configuring a Central Store X Task 1: View the location of administrative templates in a Group Policy Object (GPO) 1.MCT USE ONLY. right-click a blank area. 5. On the taskbar.com. expand Adatum. Expand Local Disk (C:). Name the folder PolicyDefinitions. expand Windows. expand Policies. expand sysvol. In the Group Policy Management Editor window.admx files) retrieved from the local computer. expand sysvol. expand SYSVOL. expand Forest: Adatum. under User Configuration. In Server Manager. In the File Explorer window. 6. go to C:\Windows. 2. and open the PolicyDefinitions folder. click New. click the File Explorer icon. 3. Select the entire contents of the PolicyDefinitions folder. expand Policies. 7. 4. and note that the location is Administrative Templates: Policy definitions (. click Tools. In the Group Policy Management Console (GPMC). 3.com.com. Right-click the selection. . expand Domains. Point to the Administrative Templates folder. and then double-click Policies. Sign in to LON-DC1 as Administrator with a password of Pa$$w0rd. Close the Group Policy Management Editor window. Right-click the Default Domain Policy. expand Local Disk (C:). and then click Copy. expand the Default Domain Policy. expand Adatum. X Task 3: Copy administrative templates to the Central Store 1. 
and then click Folder. 4.com. 5. 3. X Task 2: Create a Central Store 1. expand SYSVOL. expand Windows. Note: Hint: To select all the content. This opens the Group Policy Management Editor window. and then click Administrative Templates. In the details pane. Right-click in the empty folder area. In File Explorer. and then click Paste. Results: After completing this exercise. 8. 5. click the drop-down box. In the GPMC. and then click Filter Options. In the search results. in the Comment field. In the Filter for word(s): field. . and then click Create a GPO in this domain. In the GPMC. Right-click All Settings. 3. and then click OK. 2. select the Enable Keyword Filters check box. in the Name field. Close the Group Policy Starter GPO Editor window. you should have configured a Central Store. 3. right-click the Adatum. point to the Administrative Templates folder and read the local information text. in the Name field. right-click the Starter GPOs folder. click Exact. In the New GPO dialog box. Administrative Templates.” 3. right-click the Default Domain Policy. X Task 2: Configure the Internet Explorer Restriction starter GPO 1. type Internet Explorer Restrictions. and then click OK. Under Source Starter GPO. type General page. and then click Edit. 6. and then click OK. type This GPO disables the General page in Internet Options. 2. Beside the Filter for word(s) field. X Task 4: Test the GPO for Domain Users 1. In the GPMC. X Task 3: Create an Internet Explorer Restrictions GPO from the Internet Explorer Restrictions starter GPO 1. which reads: “Administrative Templates: Policy definitions (ADMX files) retrieved from the Central Store.com domain. and Link it here. type IE Restrictions. click Enabled. type Control Panel. 2. 7. 9. click Control Panel. and then click New.X Task 4: Verify the administrative template location in GPMC 1. In the New Starter GPO dialog box. 2.
right-click the Internet Explorer Restrictions GPO. and then click OK. In the Group Policy Management Editor window. 4. and then click Edit. In the GPMC. In the Filter Options dialog box. Beside Within. click the drop-down list box. Sign in to LON-CL1 as Adatum\Brad with a password of Pa$$w0rd. Close the Group Policy Management Editor window. Exercise 2: Creating GPOs X Task 1: Create a Windows Internet Explorer Restriction default starter GPO 1. expand User Configuration. deselect the Help Text and the Comment checkboxes. under the Starter GPOs folder. In the Everywhere search box. In the Group Policy Management Editor window. 3. Point the mouse at the lower-right edge of the screen and click the Search charm when it appears. expand Polices. 4. Double-click the Disable the General page setting. select Internet Explorer Restrictions. click Add. In the IE Restrictions Security Settings dialog box. 4. 3. 2. In the Control Panel. Point the mouse at the lower-right edge of the screen and click the Search charm when it appears. click the IT (Adatum\IT) group. 6. click Network and Internet. In Control Panel. 3.MCT USE ONLY. type Control Panel. click Network and Internet. In the Everywhere search box. click Change your homepage. 5. 3. Close all open windows and sign out from LON-CL1. and then in the left pane. 6. next to the Apply group policy permission. 6. Close all open windows. In Control Panel. In the Network and Internet dialog box. 8. click the Delegation tab. type Control Panel. click Control Panel. expand the Group Policy Objects folder. 7. Read the message box that appears informing you that this feature has been disabled. and all settings are available. In the GPMC. 4. click the IE Restrictions policy. 4. Point the mouse at the lower-right edge of the screen and click the Search charm when it appears. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L11-63 5. Computers. 2. In the search results window. In the search results window. 
click Change your homepage. with the password Pa$$w0rd. click Control Panel. 8. X Task 7: Test Application of the GPO for other domain users 1. Sign in to LON-CL1 as Boris with a password of Pa$$w0rd. In Control Panel. 7. type IT. click Internet Options. In the IE Restrictions Security Settings dialog box. Service Accounts. In the Everywhere search box. Switch to LON-CL1. 5. 6. In the Network and Internet dialog box. 2. On the Delegation tab. and then click OK. In the Network and Internet dialog box. . click Network and Internet. The Internet Properties dialog box opens to the General tab. click Change your homepage. or Groups window. 5. in the Enter the object names to select (examples) box. and then click OK. 7. X Task 5: Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy 1. and sign out from LON-CL1. A message box appears informing you that this feature has been disabled. select the Deny check box. 8. 9. Notice that in the Internet Properties dialog box the General tab does not display. In the details pane. Switch to LON-DC1. In the Select Users. and then click OK. X Task 6: Test the GPO app for IT department users 1. Click Yes to acknowledge the Windows Security dialog box. click the Advanced button. Sign in to LON-CL1 as Brad. right-click 20410C-LON-DC1. 9. Close all open windows. complete the following steps: 1. revert the virtual machines back to their initial state. Results: After completing this lab. 3. notice that the General tab does not display. and then click Revert. Repeat steps 2 and 3 for 20410C-LON-CL1. 8. start Hyper-V Manager. In the Internet Properties dialog box. click Revert. you should have created a GPO. MCT USE ONLY. 4. In the Virtual Machines list. and sign out from LON-CL1.7. STUDENT USE PROHIBITED L11-64 Implementing Group Policy . In the Revert Virtual Machine dialog box. To do this. Click OK to acknowledge the message. Click Internet Options. On the host computer. 
X Prepare for the next module After you finish the lab. 2. In the New GPO window. in Group Name. click New. and then click Group Policy Management. .Organizational Unit window. right-click Member Servers OU. 3. right-click the selection. in Server Manager. go to Computer Configuration\Policies \Windows Settings\Security Settings\Restricted Groups. click Computers container. X Task 2: Create a Server Administrators group 1. 3. 4. in the Group Policy Objects window. and then click OK. In the New Object . expand Forests: Adatum. in the navigation pane. 2. click the Group Policy Objects container. right-click Group Policy Objects. and then click Group. expand Adatum. and then click Organizational Unit. In the Move window. and then click OK. 2. in Name. in Active Directory Users and Computers. click Member Servers OU. 4. Press and hold the CTRL key. X Task 4: Configure group membership for local administrators to include Server Administrators and Domain Admins 1. expand Domains. and then click Link an Existing GPO. On LON-DC1.com. in the Server Manager window. click Member Server Security Settings. type Member Servers OU. right-click the Member Servers OU. in the navigation pane. type Server Administrators.com. right-click Adatum. type Member Server Security Settings. On LON-DC1.MCT USE ONLY. 2. In Active Directory Users and Computers. and then click Active Directory Users and Computers. In the Select GPO window. 6. In the Group Policy Management Editor window. 5. 2. If necessary. STUDENT USE PROHIBITED L12-65 Module 12: Securing Windows Servers Using Group Policy Objects Lab A: Increasing Security for Server Resources Exercise 1: Using Group Policy to Secure Member Servers X Task 1: Create a Member Servers organizational unit (OU) and move servers into it 1.com. click Tools. and then click New. In the Group Policy Management Console. In the Group Policy Management Console. in the Name box. 
X Task 3: Create a Member Server Security Settings Group Policy Object (GPO) and link it to the Member Servers OU 1. On LON-DC1. In Active Directory Users and Computers. open the Group Policy Management Console. click both LON-SVR1 and LON-SVR2. In the details pane. and then click OK. click Tools. and then click Move. In the New Object – Group window. and then click OK. click New. in the navigation pane. On LON-DC1. 3. right-click Default Domain Policy. and then click Edit. and then click OK. 5. 6. In the Add User or Group window. In the right-hand pane. and then click OK. and then press Enter: Gpupdate /force 4. click the Windows PowerShell® icon. 5. 7. In the Add User or Group window. 7. select the Define these policy settings check box. Click Cancel. X Task 5: Verify that Computer Administrators has been added to the local Administrators group 1. Confirm that the Administrators group contains both ADATUM\Domain Admins and ADATUM\Server Administrators as members. and then click Add User or Group. 2. next to Members of this group. 6. click Add. 2. 5. In the Allow log on locally Properties dialog box. and then click OK. in the Group Policy Management Console. In the Add Member dialog box type Adatum\Server Administrators. and then click OK twice. right-click Member Server Security Settings. Switch to LON-SVR1. click Add. and then click Properties. and then click OK. in the Group Policy Management Editor window. In the Server Manager window. Close the Computer Management console. In the Computer Management console. right-click Allow log on locally. type Domain Admins. go to Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies\User Rights Assignment. 3. At the Windows PowerShell prompt. click Group Policy Objects. and then click Add Group. In the right-hand pane. 8. type Administrators. 4. 7. On LON-DC1.4. 6. double-click Administrators. X Task 6: Modify the Member Server Security Settings GPO to remove Users from Allow Log On Locally 1. 
3. Next to Members of this group. In the right-hand pane. and then click Computer Management. and then click Properties. in Group name. click Tools. and then click OK twice. 2. click Groups. 8. X Task 7: Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval Mode for the Built-in Administrator account 1. On LON-DC1. type Administrators. 9. and then in the right-hand pane. In the Group Policy Management Editor window. In the Add Member dialog box type Adatum\Domain Admins. right-click User Account Control: Admin Approval Mode for the Built-in Administrator account. go to Computer Configuration \Policies\Windows Settings\Security Settings\Local Policies\Security Options. and then click Edit. Right-click Restricted Groups. type the following command. 5. MCT USE ONLY. expand Local Users and Groups. Click Add User or Group. In the Add Group dialog box. Close the Group Policy Management Editor window. 10. STUDENT USE PROHIBITED L12-66 Securing Windows Servers Using Group Policy Objects . On the taskbar. In the Administrators Properties dialog box. go to Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies. Switch to LON-DC1. Exercise 2: Auditing File System Access X Task 1: Modify the Member Server Security Settings GPO to enable object access auditing 1. Click New folder. 2. select the Define these policy settings check box. Try to sign in to LON-SVR1 as Adatum\Adam with the password Pa$$w0rd. type the following command. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 . Click Audit Policy. click the File Explorer icon. Switch to LON-SVR1. select both the Success and Failure check boxes. 5. and then press Enter. Results: After completing this exercise. 3. In the User Account Control: Admin Approval Mode for the Built-in Administrator account Properties dialog box. X Task 8: Verify that a non-administrative user cannot sign in to a member server 1. 
and sign back in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd. you should have used Group Policy to secure Member servers. and then click OK. ensure that Enabled is selected. click the Windows PowerShell icon. In the right-hand pane. 3. right-click Member Server Security Settings. Switch to LON-SVR1. 2. and then click Home. and that a logon error message is displayed. On the taskbar. 5.com\Domains\Adatum.com. In the Audit object access Properties dialog box. In the Group Policy Management Console. double-click Local Disk (C). 6. and then click Properties. right-click Audit object access. 6. Verify that you cannot sign in to LON-SVR1. In the right-hand pane. 9. 7. MCT USE ONLY. and then click Edit. Click Group Policy Objects.L12-67 3. sign out of LON-SVR1. To prepare for the next exercise. In File Explorer. Close the Group Policy Management Editor window. X Task 2: Create and share a folder 1. on the taskbar. 2. Sign out of LON-SVR1. 8. 4. in the navigation pane. 4. In the Group Policy Management Editor window. go to Forest: Adatum. 3. select the Define this policy settings check box. 4. Sign out from LON-DC1. type Marketing. and then press Enter: Gpupdate /force 4. At the Windows PowerShell prompt. and then click OK. On LON-SVR1. 8. 6. and then press Enter: gpupdate /force 5. and then click Specific people. in File name. right-click the Marketing folder. click Home. and then click Advanced. In the Auditing Entry for Marketing window. 9. and then click Properties. X Task 5: View the results in the security log on the domain controller 1. 6. and then press Enter. 7. 2. In the Search box type \\LON-SVR1\Marketing. and then click Done. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd. click the Security tab. At the Windows PowerShell prompt. Close the Command Prompt window. 8. On the taskbar. 3. click the Auditing tab. and then click the Search charm when it appears. click Select a principal. 
Point to the lower-right corner of the screen. In the Marketing Properties window. and then click the Search charm when it appears. In the Marketing window. In the Computer window. select All. In the Auditing Entry for Marketing window. 10. expand Windows Logs. click Share with. In the Select User. and then click Event Viewer. under the Permission list. Sign out from LON-CL1. click Continue. In the Server Manager window. click Text Document. type the following command. Sign out from LON-CL1. in Enter the object name to select. 4. 7. and then press Enter. right-click the Marketing folder. and then press Enter. Open the Command Prompt window. and at the command prompt. and then click OK. click New item. Computer.5. In the Auditing Entry for Marketing window. X Task 3: Enable auditing on the Marketing folder for Domain Users MCT USE ONLY. In the Search box type cmd. . Switch to LON-SVR1. 5. and then click Add. X Task 4: Create a new file in the file share from LON-CL1 1. In the File Sharing window. in the Local Disk (C:) window. 4. Service Account or Group window. from the Type drop-down menu. and then click OK three times. type Employees. and then press Enter: gpupdate /force 10. click Tools. Point to the lower-right corner of the screen. 2. and then click Add. STUDENT USE PROHIBITED L12-68 Securing Windows Servers Using Group Policy Objects 1. Change the Permission Level to Read/Write. 6. 7. 3. type Adam. select the Write check box. 9. On LON-SVR1. In the Event Viewer window. type Domain Users. click Share. In the Advanced Security Settings for Marketing window. and then click Security. and then sign in again as Adatum\Adam with the password Pa$$w0rd. Close the Windows PowerShell window. type the following command. 2. click the Windows PowerShell icon. 3. go to Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies. click Tools. In the Search box type cmd. select both the Success and Failure check boxes. On LON-DC1. 7. 
Click Group Policy Objects. Point to the lower-right corner of the screen. and then press Enter: gpupdate /force 5. and then click Properties. and then click Edit. 11. MCT USE ONLY. select the Define these policy settings check box. on the taskbar. and then click Group Policy Management. and then click the Search charm when it appears. Click Audit Policy. in the Group Policy Management Console. 4. Point to the lower-right corner of the screen. 4. At the command prompt. 9. 2. In the Search box type cmd. 2.com \Domains\Adatum. 13. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L12-69 10. 12. 3. 3. and then press Enter. Exercise 3: Auditing Domain Logons X Task 1: Modify the Default Domain Policy GPO 1. and then click the Search charm when it appears. 5. On LON-DC1.4. right-click Audit account logon events. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd. 8. In the Group Policy Management Editor window. In the Server Manager window.com. and then press Enter: gpupdate /force X Task 2: Run GPUpdate 1. right-click Default Domain Policy. type the following command. In the Audit account logon events Properties dialog box. go to Forest: Adatum. At the command prompt. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd. type the following command. Close the Command Prompt window. click the Server Manager icon. 6. and then press Enter. you should have enabled file system access auditing. In the right-hand pane. In the right-hand pane. . and sign out from LON-CL1. Verify that the following event and information is displayed: o Source: Microsoft Windows Security Auditing o Event ID: 4663 o Task category: File System o An attempt was made to access an object Results: After completing this exercise. and then click OK. X Task 4: Review event logs on LON-DC1 1. click Tools. 3. expand Windows Logs. 
Note: This password is correct. X Task 3: Sign in to LON-CL1 with an incorrect password x Sign in to LON-CL1 as Adatum\Adam with the password password. Review the event logs for the following message: “Event ID 4624 An account was successfully logged on. Switch to LON-DC1. 2. 3. you should have enabled domain logon auditing. 2. Note: This password is intentionally incorrect to generate a security log entry that shows that an unsuccessful sign in attempt has been made. and you should be able to sign in successfully as Adam.” X Task 5: Sign in to LON-CL1 with the correct password 1.” Results: After completing this exercise. In the Server Manager window. X Task 6: Review event logs on LON-DC1 1. expand Windows Logs. Account Information: Security ID: ADATUM\Adam. and then click Security. and then click Event Viewer. Sign out of LON-CL1. Review the event logs for following message: “Event ID 4771 Kerberos pre-authentication failed. in Server Manager. In the Event Viewer window. In the Event Viewer window. Sign in to LON-CL1 as Adatum\Adam with the password Pa$$w0rd. On LON-DC1. X Prepare for the next lab x To prepare for the next lab. 2. click Tools. 4. leave the virtual machines running. New Logon: Security ID: ADATUM\Adam. and then click Security. and then click Event Viewer. Repeat the previous step for Windows Installer Rules. in the Name text box type Software Control GPO. and then in the right-hand pane. select the Configured check box. 5. in the navigation pane. Right-click Group Policy Objects. 2.com. 9. In the AppLocker Properties dialog box. and then click Edit. and then from the drop-down menu. go to Computer Configuration/Policies /Windows Settings/Security Settings/Application Control Policies/AppLocker. 4. In the Application Identity Properties dialog box. click Define this policy setting.com/Domains/Adatum. and then click OK.Lab B: Configuring AppLocker and Windows Firewall Exercise 1: Configuring AppLocker Policies X Task 1: Create an OU for client computers 1. click Tools. and then click OK. 6. In the Group Policy Management Editor window. In the Group Policy Management Editor window.
go to Computer Configuration/Policies /Windows Settings/Security Settings. and then click Group Policy Management. In the Application Identity Properties dialog box. In New GPO window. click New. Repeat the previous step for Windows Installer Rules. select Audit only. In the New Object . 7. right-click LON-CL1. Switch to LON-DC1. In Server Manager. in Active Directory Users and Computers. and then click New. In the Move window. in Server Manager. In the details pane. and then click Move. right-click Executable Rules. and Packaged app Rules. and then double-click Application Identity. click AppLocker. In the Group Policy Management Console. 2. X Task 3: Create a Software Control GPO and link it to the Client Computers OU 1.com. 10. 14. Script Rules. and then click OK. and then click Active Directory Users and Computers. 3. 4. click Define this policy setting.com/Domains/Adatum. and then click Organizational Unit. 12. In the Group Policy Management Editor window. 3. go to Forests: Adatum. On LON-DC1. and then click OK.MCT USE ONLY. 8. Script Rules. 2. Click System Services. 13. Under AppLocker. and Packaged app Rules. click Configure rule enforcement. In the right-hand pane. right-click Adatum.Organizational Unit window. On LON-DC1. under Executable rules. In the navigation pane. . and then click Create Default Rules. 3. click Client Computers OU. In Active Directory Users and Computers. type Client Computers OU. 11. STUDENT USE PROHIBITED 20410C: Installing and Configuring Windows Server® 2012 L12-71 Lab B: Configuring AppLocker and Windows Firewall Exercise 1: Configuring AppLocker Policies X Task 1: Create an OU for client computers 1. click Tools. and then click OK. 6. In the Group Policy Management Editor window. and then click OK. right-click Software Control GPO. In the Event Viewer window.msc. In the Select GPO window. and then click the Search charm when it appears. 18. and then press Enter. In the Command Prompt window. type following command. 
expand Microsoft. type the following command. and then press Enter: gpupdate /force 5. restart LON-CL1 and repeat steps 1 through 4. and then press Enter: gpresult /R Review the result of the command and ensure that Software Control GPO is displayed under Computer Settings. 7. right-click Client Computers OU. click Automatic. Click Power. and then click OK. expand Windows. 4. and then press Enter. Switch to LON-CL1. and then press Enter: C:\CustomApp\app1. Close the Group Policy Management Editor window. 6. In the Group Policy Management Console. In the Search box type cmd. X Task 5: Run app1. type the following command. 17. Applied Group Policy Objects. and then click OK. At the command prompt. and then click the Settings charm when it appears. 8. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd. 16. 7. If Software Control GPO is not displayed. Close the Command Prompt window. and then click Restart. click Software Control GPO. 5. In the Search box type eventvwr. 3. and then press Enter. and then click the Search charm when it appears. 2. Under Select service startup mode. 3. At the command prompt. 4. and then expand AppLocker. expand Application and Services Logs. Point to the lower-right corner of the screen. Point to the lower-right corner of the screen. and then click Link an Existing GPO. and then click the Search charm when it appears. X Task 4: Run GPUpdate 1. 6. in the Group Policy Objects list. Point to the lower-right corner of the screen. On LON-CL1. 3.bat in the C:\CustomApp folder 1. 2. and then click the Search charm when it appears. Point to the lower-right corner of the screen. point to the lower-right corner of the screen. In the Search box type cmd. 15. and then press Enter. 2. 7. Sign in to LON-CL1 as Adatum\Tony with the password Pa$$w0rd.
and then click the Settings charm when it appears. type Custom App Rule. 6. Point to the lower-right corner of the screen. In the Command Prompt window. and then click OK. right-click Software Control GPO. 4. On the Path page. Click Power. and try again. In the Group Policy Management Editor window. type the path %OSDRIVE%\CustomApp\app1. Close the Group Policy Management Editor window. and then click Group Policy Management.BAT was allowed to run. 3. and then in the right-hand pane. in Name. 2. Switch to LON-CL1. 4. On LON-DC1. Repeat the previous step for Windows Installer Rules. select the Configured check box. and then press Enter. 4. and click Edit. On the Permissions page. In the Search box type cmd. and then click Next. On the Before You Begin page. 8. in Server Manager. Script Rules. In the Software control GPO window. under Executable rules. click Next. in the navigation pane. . On the Exception page. expand the Group Policy Objects node. click Allow. and then from the drop-down menu. In the AppLocker Properties dialog box. click Next. click Configure rule enforcement. Right-click Script rules and click Create New Rule. Click MSI and Scripts and review event log 8005 that contains the following text: %OSDRIVE%\CUSTOMAPP\APP1. in Path. and then click Next. 7. Note: If no events are displayed. click Path. and then click Create. 2. ensure that the Application Identity service has started. 3. 6. On the Name and Description page. click Enforce rules. On the Conditions page. and then click the Search charm when it appears. and then press Enter: gpupdate /force 5. click AppLocker. In the Group Policy Management Console. 4. Close the Command Prompt window. X Task 8: Modify the Software Control GPO to enforce rules 1. Point to the lower-right corner of the screen. X Task 7: Create a rule that allows software to run from a specific location 1. 9. type the following command. click Tools.
10. go to Computer Configuration/Policies /Windows Settings/Security Settings/Application Control Policies/AppLocker. 3. 8.bat. 5. and Packaged app Rules. X Task 9: Verify that an application can still be run 1. 2. and then click Next. and then click Restart. and then click OK. and then click Properties. double-click the CustomApp folder. 3. On LON-CL1. Switch to LON-DC1.bat X Task 10: Verify that an app cannot be run In Active Directory Users and Computers. you should have configured AppLocker policies for all users whose computer accounts are located in the Client Computers OU. In the Enter the object names to select box type LON-SVR1. Point to the lower-right corner of the screen. and then press Enter. in the navigation pane. In the Command Prompt window. and then click Group. click Tools. and then click Paste. In the New Object – Group window. Exercise 2: Configuring Windows Firewall X Task 1: Create a group named Application Servers 1. in Group Name. in the navigation pane. In Active Directory Users and Computers. and sign out from LON-CL1. In Select Users. type Application Servers. and then press Enter: C:\customapp\app1. 10. click Computer. 5. and then click Copy. click the File Explorer icon. click Computers. click the Members tab. contact your system administrator. 1. 3. click New. type C:\Users\Tony\Documents\app1. The policies you configured should allow these users to run apps that are located in the folders C:\Windows and C:\Program Files. In the CustomApp window. and run the custom-developed app app1. 4. and then click the Search charm when it appears. In the Application Server Properties dialog box. type the following command. In the Search box type cmd. For more information. Close all open windows.
and that the following message is displayed: “This program is blocked by Group Policy. 4. In the Command Prompt window. .bat. In File Explorer. and then click OK. 4. in the details pane right-click Application Servers group. Verify that apps cannot be run from the Documents folder. Results: After completing this exercise. In the Application Server Properties dialog box. 9. and then click OK. right-click the Member Servers OU. in the navigation pane. 5. In the Server Manager window. 2. In the Computer window. and then click Add. 2. 6. Computers. and then press Enter. on the taskbar. click Object Types. 3. right-click app1. on the navigation pane. X Task 2: Add LON-SVR1 as a group member 1.bat. right-click the Documents folder. click the Member Servers OU. click OK.bat in the C:\CustomApp folder. 11. 7. and then click New. click Specific Ports. click OK. click TCP. 13. and then click Finish. click Application Servers GPO. 5. 6. type Application Servers GPO. in Server Manager. 17. and then click Next. click Inbound Rules. 12. click Tools. In the New GPO window. On LON-DC1. In the Group Policy Management Editor window. and then click Next. click Authenticated Users. type Application Servers. 11. 16. on the Rule Type page. Right-click Inbound Rules. 5. In the Confirmation dialog box. Close the Group Policy Management Editor window. 4. and then click the Application Servers GPO link. Click Windows Firewall with Advanced Security . and then click Next. On LON-DC1. On LON-DC1. 8. In the Group Policy Management Editor window. clear both the Private and Public check boxes. 2.com. On the Program page. and then click OK. under Security Filtering. click Custom. in the Group Policy Management Console. In the Select User. X Task 3: Create a new Application Servers GPO Computer. right-click Group Policy Objects.LDAP://CN={GUID}. In the Group Policy Management Console. click OK.
go to Computer Configuration/Policies /Windows Settings/Security Settings/Windows Firewall with Advanced Security. On the Name page. and then click OK. In the Group Policy Management Console message box. or Group dialog box. X Task 4: Link the Application Servers GPO to the Member Servers OU 1. 2. In the right-hand pane. click Next. Expand the Member Servers OU. right-click Application Servers GPO. right-click Member Servers OU. and then click Remove. click Allow the connection. 3. 6. and then click Link an Existing GPO. in the text box type 8080. In the details pane.com. 9. 15. in the Group Policy objects list. in the Protocol type list. In the Local port list. 14. and then click OK. . In the Select GPO window. 7. In the New Inbound Rule Wizard. On the Profile page. 4. and then click Edit. On the Scope page. 1. expand Domains. in the Group Policy Management Console. and then click Next. In the Group Policy Management Console. and then click Group Policy Management. X Task 5: Use security filtering to limit the Application Server GPO to members of Application Server group 1. expand Forests: Adatum. On the Protocol and Ports page. click Member Servers OU. click Next. On the Action page. under Security Filtering. in the Name box type Application Server Department Firewall Rule. expand Adatum. and then click New Rule. Verify that you cannot edit the Application Server Department Firewall Rule. click Tools. In Server Manager. In the Search box type cmd. and then press Enter. 6. and then click Windows Firewall with Advanced Security. Repeat steps 2 and 3 for 20410C-LON-SVR1 and 20410C-LON-CL1. X Task 7: View the firewall rules on LON-SVR1 1. In the Windows Firewall with Advanced Security window. X Prepare for the next module When you finish the lab. 2. 5. verify that the Application Server Department Firewall Rule that you created earlier using Group Policy is configured. 2.
In the Revert Virtual Machine dialog box. and then click the Search charm when it appears. In the Command Prompt window. Switch to LON-SVR1. type the following command. 3. Results: After completing this exercise. and then click Revert. 3. revert the virtual machines to their initial state by performing the following steps: 1. right-click 20410C-LON-DC1. you should have used Group Policy to configure Windows Firewall with Advanced Security to create rules for app servers. 4. 3. Point to the lower-right corner of the screen. because it is configured through Group Policy. Switch to LON-SVR1 and sign in as Adatum\Administrator with the password Pa$$w0rd. 4. On the host computer. 2. Restart LON-SVR1. . and then press Enter: gpupdate /force 5. click Inbound rules. Close the Command Prompt window. 4. and then sign back in as Adatum\Administrator with the password of Pa$$w0rd. start Hyper-V® Manager. X Task 6: Run GPUpdate on LON-SVR1 1. click Revert. In the right-hand pane. In the Virtual Machines list. 0. IPv6 enabled link. On the Select destination server page. 8. 22. 16. On the Select installation type page. o IP Address: 172. 2.31 o Subnet mask: 255.0 o Default gateway: 172. On the Select server roles page. On the Default Stores page. 21. Click OK to close the Properties dialog box. 10. In the Properties dialog box of the network object click Close. In the Add Roles and Features Wizard.16. On the Virtual Switches page. verify that no selections have been made. On LON-HOST1.16. On the Hyper-V page.255. Module 13: Implementing Server Virtualization with Hyper-V Lab: Implementing Server Virtualization with Hyper-V Exercise 1: Installing the Hyper-V® Role onto a Server X Task 1: Install the Hyper-V role onto a server 1. 14.
In the Properties pane. click Add Features. on the General tab. 11. click Next. and then click Next. click Next. click Next. .1 On the General tab. click Restart the destination server automatically if required.16. review the location of the Default Stores. from the Manage menu.10 7. On the Select features page. 15. on the Before you begin page.0. 20. 17. and then click Properties. In the Properties dialog box. select Hyper-V. In the Server Manager console. In the Add Roles and Features Wizard. and then click Next. and then click Properties. 12. click Local Server. 13. click Next. 9. 18. 5. click Next. On the Confirm installation selections page. click Add Roles and Features. click Use the following DNS server addresses. In the Properties dialog box. right-click the network object. and then configure the following: 6. click Role-based or feature-based installation.0. in Server Manager. Close the Network Connections dialog box. click the IPv4 address assigned by DHCP. On the Virtual Machine Migration page. 3. ensure that LON-HOST1 is selected. In the Network Connections dialog box. On the Select server roles page. and then configure the following: o Preferred DNS server: 172. and then click Next. 4.0. . and then click Hyper-V Manager. 4. and then click Yes. In the Virtual Switch Properties area. In the Hyper-V Settings for LON-HOST1 dialog box.23. (This varies depending on the host computer. 24. 4. click Virtual Switch Manager. o Name: Switch for External Adapter o External Network: Mapped to the host computer’s physical network adapter. X Task 2: Complete Hyper-V role installation and verify settings 1. and then click LON-HOST1. Under Virtual Switches. 2. 3. click Install. In the Hyper-V Manager console. In the Hyper-V Settings for LON-HOST1 dialog box. Verify that the location of the default folder to store Virtual Hard Disk files is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks. click New virtual network switch. 
Verify that the Keyboard is set to the Use on the virtual machine option. click LON-HOST1. 6. click Close to close the Add Roles and Features Wizard. In the Hyper-V Manager console. In the Server Manager console. enter the following information. click Virtual Switch Manager. The computer will restart several times. click New virtual network switch. you should have installed the Hyper-V role onto a physical server. After a few minutes. In the Virtual Switch Manager for LON-HOST1 dialog box. and then click OK: 5. click the Keyboard item. From the Actions menu. 5. click Hyper-V Settings. and then click Create Virtual Switch. Results: After completing this exercise. 4. Under Create virtual switch. and then click OK. 2. 2. click LON-HOST1. Ensure that External is selected. From the Actions menu. click the Virtual Hard Disks item. and then click Yes. In Server Manager. On the Confirm Installation Selections page. In the Add Roles and Features Wizard. In the Hyper-V Manager console. click Private. with LON-HOST1 selected.) In the Apply Networking Changes dialog box. When the installation of the Hyper-V tools completes. review the message regarding automatic restarts. review the warning. 7. on the Tools menu. Ensure that you restart the machine from the boot menu as 20410C-LON-HOST1. Exercise 2: Configuring Virtual Networking X Task 1: Configure the external network 1. the server restarts automatically. 3. in the Actions pane. 8. and then click Create Virtual Switch. open Hyper-V Manager. Sign in to LON-HOST1 using the account Administrator with the password Pa$$word. On the Actions menu. . From the Actions menu. 3. 2. In the Base folder. expand Microsoft Learning. 2. 3. In the Virtual Switch Manager dialog box. In the Virtual Switch Manager dialog box. In Server Manager.
in the Virtual Switch Properties section. on the Tools menu.vhd hard disk image file is present. o Minimum: 00-15-5D-0F-AB-A0 o Maximum: 00-15-5D-0F-AB-EF Close the Hyper-V Manager console. configure the following values. In Server Manager. 4. configure the following settings. configure the following settings. open Hyper-V Manager. click Virtual Switch Manager. and then click OK: o Name: Internal Network o Connection type: Internal network X Task 4: Configure the Media Access Control (MAC) address range 1. and then click OK: o Name: Private Network o Connection type: Private network X Task 3: Create an internal network and then click LON-HOST1. and then expand Base. click Virtual Switch Manager. Expand This PC. 4. Under Create virtual switch. and then click LON-HOST1. 3. On the taskbar. you should have configured virtual switch options on a physically deployed Windows Server 2012 server running the Hyper-V role. in the Virtual Switch Properties section. and then click OK: 5. On MAC Address Range settings. click Internal and then click Create Virtual Switch. verify that the Base14A-WS12R2. Note: The drive letter may depend upon the number of drives on the physical host machine. 5. 2. 1. Exercise 3: Creating and Configuring a Virtual Machine X Task 1: Create differencing virtual hard disks 1. click MAC Address Range. Results: After completing this exercise. expand Program Files. expand drive E. Under Global Network Settings. click the File Explorer icon. click New virtual network switch. Under Virtual Switches. 5. on the Tools menu. In the Virtual Hard Disk Properties dialog box. 7. and then click Finish. type the location: E:\Program Files\Microsoft Learning\Base \Base14A-WS12R2. 3. In the Open dialog box. and then click Next. and then click Hyper-V Manager. 6. 17. At the Windows PowerShell prompt.vhd" 15. on the Before You Begin page.
select the Use Dynamic Memory for this virtual machine option. Right-click each folder and rename the folders to the following names: o LON-GUEST1 o LON-GUEST2 5. On the Specify Name and Location page. click Next.vhd o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\ 12. Close File Explorer. and then click Hard Disk. 4. 2. In the Hyper-V Manager console. click New. 13. On the Choose Disk Type page. In the New Virtual Machine Wizard. 8. On the desktop. and then click Next. On the Assign Memory page. click VHD. On the Configure Disk page. In the Hyper-V Manager console. In the New Virtual Hard Disk Wizard. 9. 6. select Generation 1 and then click Next. on the Before You Begin page. click New. On the Specify Generation page.vhd. click Inspect Disk. in the Actions pane. 18. enter a value of 1024 MB. 11. 16. On the Choose Disk Format page.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\ Base14A-WS12R2. 10.vhd. 14. click Store the virtual machine in a different location. browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\. X Task 2: Create virtual machines 1. Click the Home tab. and then click the New Folder icon twice to create two new folders. click LON-GUEST2. . and then click Open. on the taskbar. click the Windows PowerShell® icon. 2. verify that LON-GUEST2. and then click Virtual Machine. open Hyper-V Manager. and then click LON-HOST1. In the Server Manager console. click Tools. In the Hyper-V Manager console. on the Tools menu. and then press Enter: New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2. and then click Close. type the following command to create a new differencing virtual hard disk to be used with LON-GUEST2. On the Specify Name and Location page. specify the following details. click Differencing.
and then click Next: o Name: LON-GUEST1 o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\ 5. and then click Next. In Server Manager. Close Windows PowerShell. .vhd is configured as a differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base \Base14A-WS12R2. in the Actions pane. 4. enter the following values. in the Actions pane.vhd as a parent. 8. enter the following commands to enable resource metering on the virtual machines.vhd" -SwitchName "Private Network" 11.vhd. 14. click LON-GUEST1. 13. click Start. click I Accept. 12. click Private Network. and set the Automatic Stop Action to Shut down the guest operating system. Close Windows PowerShell. In the LON-GUEST1 on LON-HOST1 . Click Browse. click Automatic Start Action. click Next to accept the Region and Language settings. 16. In the Actions pane. 2. Click OK to close the Settings for LON-GUEST2 on LON-HOST1 dialog box. In the Settings for LON-GUEST2 on LON-HOST1 dialog box. on the taskbar. pressing Enter at the end of each line: Enable-VMResourceMetering LON-GUEST1 Enable-VMResourceMetering LON-GUEST2 Results: After completing this exercise.Virtual Machine Connection window. 15. On the Configure Networking page. and then click Finish. 3. o On the Settings page. In the Settings for LON-GUEST2 on LON-HOST1 dialog box. 7. 4. and then click Finish. click Settings. 2. browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1. . type the password Pa$$w0rd twice. click the Windows PowerShell icon. click the Windows PowerShell icon. you should have deployed two separate virtual machines using a sysprepped virtual hard disk file as a parent disk for two differencing virtual hard disks. On the desktop. type the following command to create a new virtual machine named LON-GUEST2. On the taskbar. and set the Automatic Start Action to Nothing. click Automatic Stop Action.
At the Windows PowerShell prompt. In the Hyper-V Manager console. At the Windows PowerShell prompt. On the Connect Virtual Hard Disk page. under LON-GUEST2. click Use an existing virtual hard disk. click LON-GUEST2. In the Actions pane. 9. X Task 3: Enable resource metering 1. and then press Enter: New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2. perform the following steps: o On the Settings page. In the Hyper-V Manager console. Double-click LON-GUEST1 to open the Virtual Machine Connection Window. o On the Settings page. Exercise 4: Using Virtual Machine Checkpoints X Task 1: Deploy Windows Server 2012 in a virtual machine 1. click Open. and then click Next. 10. for the connection. In the LON-GUEST1 on LON-HOST1 . In the Checkpoint Name dialog box. 9. and verify that the name of the computer is set to LON-GUEST1. 10. Sign in to the virtual machine using the account Administrator and the password Pa$$w0rd. type LON-Computer1. 3. 5. click Change. Sign in to the LON-GUEST1 virtual machine using the Administrator account and the password Pa$$w0rd 2. 2. Sign back in to the LON-GUEST1 virtual machine using the Administrator account and the password Pa$$w0rd. In the Computer Name field. from the Action menu. type the name Before Change.Virtual Machine Connection window. Click Close to close the System Properties dialog box. X Task 4: Revert to the existing virtual machine checkpoint 1. 3. 11. click LON-GUEST1. In the Server Manager console. and then click OK. 7. X Task 3: Modify the virtual machine 1. click Local Server. Close the System Properties dialog box. In the System Properties dialog box. in the Virtual Machines list. In the Microsoft Windows dialog box. In the Virtual Machine Connection window. X Task 2: Create a virtual machine checkpoint 7. In the Microsoft Windows dialog box. In the Computer Name field. and then click Yes. click Restart Now. 8.
On the virtual machine. on the Computer Name tab. 1. 6. click OK. In the Virtual Machine Connection window. 3. and then click the randomly assigned name next to the computer name. 8. on the Computer Name tab. click Local Server. click Revert. in the Server Manager console. In the Server Manager console. 5. In the System Properties dialog box. In the Revert Virtual Machine dialog box. 4. verify that the Computer Name is now set to LON-GUEST1. . click Local Server. click CTRL+Alt+Delete. and then click OK. In the Computer Name/Domain Changes dialog box. 4. click the Local Server node. 6. click Revert. In the Computer Name/Domain Changes dialog box. from the Action menu. 12. click Change. click OK. click Checkpoint. In the Server Manager console. In the Server Manager console. and verify that the server name is set to LON-Computer1. from the Action menu. at the Windows PowerShell prompt. 2. type the following command. . X Task 5: View resource metering data select Windows Server 2012. From the Windows Boot Manager. and then press Enter: Measure-VM LON-GUEST1 Note the average CPU. click the Windows PowerShell icon. Close the Windows PowerShell window. click the Windows PowerShell icon. Results: After completing this exercise. 3. At the Windows PowerShell command prompt. On the taskbar. and total disk usage figures. you should have used virtual machine checkpoints to recover from a virtual machine misconfiguration. enter the following command. restart the computer in Windows Server 2012 by performing the following steps: 1. and then press Enter: Shutdown /r /t 5 3. 1. On LON-HOST1. on the taskbar. average random access memory (RAM). To retrieve resource metering information.
X Revert the virtual machines After you finish the lab. 2.