
Exercise 5: Installing A Domain Controller by Using IFM: Ntdsutil Activate Instance Ntds IFM Create Sysvol Full C:/IFM

1. The document describes configuring a domain controller using IFM and managing Active Directory objects. 2. Key steps include generating an IFM data file, adding the AD DS role to a member server using the IFM file, and configuring the server as a new domain controller. 3. Additional tasks covered are managing organizational units and groups in Active Directory, including creating OUs, groups, moving and deleting groups, and delegating permissions to groups.

Uploaded by

Ayoub Akrari

Exercise 5: Installing a Domain Controller by Using IFM

In this exercise, you will learn how to configure a domain controller by using an IFM
data file. Install From Media (IFM) is a feature that allows you to configure a server as
a domain controller. It reduces the network bandwidth consumed while the additional
domain controller is being configured. IFM lets you export the Active Directory database
file (NTDS) to external media, which can then be used to configure an additional domain
controller.

Start the DC1 and SERVER1 virtual machines to perform this exercise.

Task 1: Generating an IFM Data File


1. Sign in to DC1 with the MCSA\Administrator account.
2. Open the Run dialog box, in the Open text box, type cmd, and then press Enter.
3. On the Command Prompt window, type the following commands, and
then press Enter after each one, as shown in the following figure.
Ntdsutil
Activate instance ntds
IFM
Create sysvol full C:\IFM

Task 2: Adding the AD DS Role to the Member Server


1. Switch and sign in to SERVER1 with the MCSALAB\Administrator account.
2. Open the Command Prompt window, type the following command, and
then press Enter, as shown in the following figure.
Net use Z: \\DC1\c$\IFM
3. Open the Server Manager console, if required.
4. In the left pane, select Local Server.
5. In the toolbar, click Manage, and then click Add Roles and Features, as shown
in the following figure.

6. On the Before you begin page of the Add Roles and Features Wizard, click
Next.
7. On the Select installation type page, make sure that the Role-based or
feature-based installation radio button is selected, and then click Next.
8. On the Select destination server page, make sure that the SERVER1 server is
selected, and then click Next.
9. On the Select server roles page, select the Active Directory Domain Services
check box.
10. On the Add Roles and Features Wizard dialog box, click Add Features, and
then click Next.
11. On the Select Features page, click Next.
12. On the Active Directory Domain Services page, click Next.
13. On the Confirm installation selections page, select the Restart the
destination server automatically if required check box.
14. On the Add Roles and Features Wizard message box, as shown in
the following figure, read the message, and then click Yes.
15. On the Confirm installation selections page, click Install.
16. The installation process will start. Click Close, once the installation is
completed.

Note: If you see a warning regarding the DNS server delegation, click OK.

Task 3: Configuring SERVER1 as a New Domain Controller Using the IFM Data File

1. On SERVER1, open the Command Prompt window, if required.
2. On the Command Prompt window, type the following commands, and
then press Enter, as shown in the following figure.
Robocopy Z: C:\IFM /copyall /s

3. Close the Command Prompt window, once the copying process is completed.
4. On the Server Manager console, click the Notifications button.
5. In the Post-deployment Configuration box, click the Promote this server to a
domain controller link.
6. On the Deployment Configuration page, make sure that the Add a
domain controller to an existing domain radio button is
selected.
7. Make sure that the mcsalab.local text is written in the Domain text box, as
shown in the following figure.
8. In the Supply the credentials to perform this operation section, click Change.

Note: If you are already logged in with the MCSA\Administrator account, you don’t need to
change the credentials on this page. If so, move directly to the Domain Controller Options
page.

9. On the Windows Security dialog box, in the Username text box, type
MCSALAB\Administrator, in the Password text box, type Password@123.
10. Click OK, and then click Next.
11. On the Domain Controller Options page, make sure that the Domain
Name System (DNS) server and Global Catalog (GC) check boxes are
selected.

12. Under the DSRM password section, type Password@123 in the Password and
Confirm password text boxes and then click Next.
13. On the DNS Options page, click Next.
14. On the Additional Options page, select the Install from media check box.
15. In the Path text box, type C:\IFM, as shown in the following figure.

16. Click Verify. Once the path has been verified, click Next.
17. On the Paths page, click Next.
18. On the Review Options page, click Next.
19. On the Prerequisites Check page, click Install. The installation process will
start and the server will restart, once the configuration is completed. Wait for
the server to restart.

Results: After completing this exercise, you will have installed an additional domain
controller for the branch office by using IFM.
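
The same procedure in scripted form, as an added example that is not part of the original exercise. It uses the lab names from the page (DC1, SERVER1, mcsalab.local, C:\IFM), prompts for the credentials instead of embedding them, and adds two steps the exercise does not have: locking down and later deleting the IFM folder, because it contains a copy of the Active Directory database.

```powershell
# Added example: scripted form of Exercise 5, using the lab names from the page
# (DC1, SERVER1, mcsalab.local, C:\IFM). Run each part in an elevated session.

# --- Part 1, on DC1: create the IFM set without the interactive prompts ---
ntdsutil "activate instance ntds" ifm "create sysvol full C:\IFM" quit quit

# The set contains a copy of ntds.dit plus registry hives, so treat it like
# the live database: drop inherited ACEs, leave only Administrators and SYSTEM.
icacls C:\IFM /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F"

# --- Part 2, on SERVER1: copy the media, add the role, promote ---
net use Z: '\\DC1\c$\IFM'
robocopy Z: C:\IFM /copyall /s
# Robocopy exit codes of 8 or higher mean at least one copy failure.
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
net use Z: /delete

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Prompt for secrets instead of embedding them in the script.
$cred = Get-Credential -Message 'Account allowed to add a DC to mcsalab.local'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

# Global Catalog is enabled by default; the server restarts when promotion ends.
Install-ADDSDomainController -DomainName 'mcsalab.local' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns `
    -InstallationMediaPath 'C:\IFM' -Force

# --- Part 3, after the restart: confirm the new DC, then remove the media ---
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
Remove-Item -Path C:\IFM -Recurse -Force   # run on DC1 and on SERVER1
```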

Shut down and revert the DC1 and SERVER1 virtual machines to prepare for the next
exercise.

Exercise 6: Managing Organizational Units and Groups in AD DS

Active Directory objects are used to access various network resources for various
purposes. Once you have configured a domain controller, you need to create and manage
Active Directory objects, such as OUs, groups, and users. You can delegate
administrative permissions for Active Directory objects.

In this exercise, you will learn how to create Active Directory objects, how to delegate the
permissions, and how to configure home folders. In addition, you will also learn how to
reset and rejoin the computer accounts.

Start the DC1 and CLIENT1 virtual machines to perform this exercise.

Task 1: Managing Organizational Units and Groups


1. Sign in to DC1 with the MCSALAB\Administrator account.
2. On the Server Manager console, click Tools, and then click Active Directory
Users and Computers.
3. On the Active Directory Users and Computers console, select and right-click
mcsalab.local, and then select New, and then click Organizational Unit, as
shown in the following figure.

4. On the New Object – Organizational Unit dialog box, in the Name text
box, type Training, as shown in the following figure, and then click
OK.
5. Select and right-click the Training OU in the left pane, and then select New, and
then click Group.
6. On the New Object – Group dialog box, in the Group name text box, type
Students, as shown in the following figure, and then click OK.

7. Select and right-click mcsalab.local, in the left pane, and then select New, and
then click Organizational Unit.
8. On the New Object – Organizational Unit dialog box, in the Name text box,
type Development, and then click OK.
9. Select and right-click the Development OU, and then select New, and then click
Group.
10. On the New Object – Group dialog box, in the Group name text box, type
Trainers, and then click OK.
11. Select and right-click the Development OU, and then select New, and then click
Group.
12. On the New Object – Group dialog box, in the Group name text box, type
Managers, and then click OK.
13. In the right pane, select and right-click the Trainers group, and then select
Move, as shown in the following figure.

14. On the Move dialog box, select the Training OU, as shown in the following
figure, and then click OK.

15. In the left pane, select the Training OU.


16. In the right pane, select and right-click Trainers, and then select Delete.
17. On the Active Directory Domain Services message box, click Yes. Make sure
that the Trainers group is deleted.

Task 2: Delegating the Permissions

1. Make sure that the Active Directory Users and Computers console is active on
DC1.
2. In the left pane, select and right-click the Training OU, and then select
Delegate Control, as shown in the following figure.

3. On the welcome page of the Delegation of Control Wizard, click Next.
4. On the Users or Groups page, click Add.
5. On the Select Users, Computers, or Groups dialog box, in the Enter the
object names to select (examples) text box, type Students, as shown in the
following figure, and then click OK.

6. On the Users or Groups page, click Next.


7. On the Tasks to Delegate page, make sure that the Delegate the following
common tasks radio button is selected.
8. Select the Create, delete, and manage user accounts check box, as shown
in the following figure, and then click Next.
9. On the Completing the Delegation of Control Wizard page, click Finish.
10. Select and right-click the Training OU, and then select New, and then click
User.
11. On the New Object - User dialog box, type Marsh, in the First name and
User logon name text boxes, as shown in the following figure, and then click
Next.

12. In the Password and Confirm password text boxes, type Password@123.
13. Clear the User must change password at next logon check box, select the
Password never expires check box, as shown in the following figure.
14. Click Next, and then click Finish.
15. Minimize the Active Directory Users and Computers console.

Task 3: Configuring Home Folders for User Accounts


1. On DC1, create a folder named Marsh Data, under the C:\Users\Public folder,
as shown in the following figure.

2. Select and right-click the Marsh Data folder, and then select Properties.
3. On the Marsh Data Properties dialog box, select the Sharing tab, as shown in
the following figure.
4. Click Advanced Sharing.
5. On the Advanced Sharing dialog box, select the Share this folder check box, as
shown in the following figure.

6. Click Permissions.
7. On the Permissions for Marsh Data dialog box, in the Permissions for
Everyone section, select the Full Control check box, as shown in the
following figure.

8. Click Apply, and then click OK.


9. Click OK to close Advanced Sharing dialog box, and then click Close.
10. Close the Windows Explorer window.
11. Switch to the Active Directory Users and Computers console.
12. Select and right-click the Marsh user, and then select Properties.
13. On the Marsh Properties dialog box, select the Profile tab.
14. Under the Home folder section, select the Connect radio button.
15. In the To text box, type \\DC1\Marsh Data\Marsh, as shown in the following
figure, and then click Apply.

Note: By default, domain users are not allowed to sign in to a domain controller. In
the next steps, we make Marsh a member of the Print Operators group so that Marsh can
sign in to the domain controller to test the exercise. You will learn more about user
rights and permissions in the upcoming exercises.

16. Select the Member Of tab, and then click Add.


17. On the Select Groups dialog box, in the Enter the object names to select
(example) text box, type Print Operators, as shown in the following
figure.
18. Click Check Names, and then click OK.
19. On the Member Of tab, click Add again.
20. On the Select Groups dialog box, in the Enter the object names to select
(example) text box, type Students.
21. Click Check Names, and then click OK.

Note: You have added the Marsh user to Students group to test the delegated
permissions.

22. Click OK to close the Marsh Properties dialog box.


23. Close the Active Directory Users and Computers console.

Task 4: Testing and Verifying the Home Folders and Delegated Permissions

1. On DC1, open the Run dialog box, type logoff and then click OK to sign out
from the MCSALAB\Administrator account, as shown in the following
figure.

2. Switch to Other user and sign in as Marsh with the password
Password@123, as shown in the following figure.
3. Press the Windows+E keys to open the Windows Explorer window.
4. Verify that drive Z is mapped to (\\DC1\Marsh Data), as shown in the following
figure.

5. Double-click Marsh (\\DC1\Marsh Data) (Z:).

Note: You should be able to access this drive without any errors. If you receive no errors,
you have been successful.

6. Close the Windows Explorer window.


7. Open the Run dialog box, in the Open text box, type dsa.msc, and then press
Enter.
8. On the User Account Control dialog box, in the User name text box, type
Marsh.
9. In the Password text box, type Password@123, as shown in the following
figure, and then click Yes.
10. On the Active Directory Users and Computers console, expand
mcsalab.local.
11. Select and right-click Training, and then click New, and then click User.
12. On the New Object – User dialog box, in the First name and User logon name
text boxes, type Test User2, and then click Next.
13. In the Password and Confirm password text boxes, type Password@123.
14. Click Next, and then click Finish.
15. Make sure that the Test User1 account is created, under the Training OU.
16. Select and right-click Development, and then click New, and then click User.
17. On the New Object – User dialog box, in the First name and User logon name
text boxes, type Test User2, and then click Next.
18. In the Password and Confirm password text boxes, type Password@123, click
Next, and then click Finish.
19. Make sure that you get the following error message.

20. Click OK, and then click Cancel.


21. Close the Active Directory Users and Computers console.
22. Sign out from the Marsh user.
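
A way to review what Tasks 1 to 4 left in the directory, as an added example that is not part of the original exercise. It assumes the ActiveDirectory PowerShell module on DC1, that the Training and Development OUs sit directly under the domain root, and that the share kept the folder name Marsh Data; it only reads settings and changes nothing.

```powershell
# Added example: review what Exercise 6 configured. Run on DC1, elevated.
Import-Module ActiveDirectory
$domain = Get-ADDomain                       # mcsalab.local in this lab
$group  = "$($domain.NetBIOSName)\Students"

# 1. Explicit ACEs that the Delegation of Control Wizard wrote for Students.
#    Training should list entries; Development should list none, which is
#    why creating a user there fails in Task 4.
$report = foreach ($ou in 'Training', 'Development') {
    $acl = Get-Acl -Path "AD:\OU=$ou,$($domain.DistinguishedName)"
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $group } |
        Select-Object @{ n = 'OU'; e = { $ou } }, ActiveDirectoryRights,
                      InheritanceType, ObjectType, InheritedObjectType
}
$report | Format-Table -AutoSize
foreach ($ou in 'Training', 'Development') {
    '{0}: {1} delegated ACE(s)' -f $ou, @($report | Where-Object OU -eq $ou).Count
}

# 2. Marsh's footprint: group memberships (Students, Print Operators) and
#    the account settings chosen in Task 2 and Task 3.
Get-ADPrincipalGroupMembership -Identity Marsh | Select-Object Name, GroupScope
Get-ADUser -Identity Marsh -Properties PasswordNeverExpires, HomeDrive, HomeDirectory |
    Select-Object SamAccountName, PasswordNeverExpires, HomeDrive, HomeDirectory

# 3. Share-level permissions on the home folder share (Everyone: Full Control
#    in the exercise; NTFS permissions on the folder still apply underneath).
Get-SmbShareAccess -Name 'Marsh Data'
```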

Task 5: Resetting the Computer Accounts

1. Sign in to DC1 with the MCSALAB\Marsh account.
2. On the Server Manager console, click Tools, and then click Active Directory
Users and Computers.
3. On the Active Directory Users and Computers console, expand mcsalab.local.
4. In the left pane, select Computers.
5. In the right pane, select and right-click CLIENT1, and then click
Reset Account, as shown in the following figure.

6. On the Active Directory Domain Services message box, click Yes, and then click
OK.

Task 6: Examining the Behavior When a User Logs In on the Client

1. Try to sign in to CLIENT1 with the MCSALAB\Marsh account.
2. A message displays stating that The trust relationship between this
workstation and the primary domain failed, as shown in the following
figure.
