Windows Server 2019 Administration Lab Book

This document provides instructions for setting up a lab environment to complete exercises using Windows Server 2019. It outlines how to enable virtualization on the host system, create a virtual machine template, install Windows Server 2019 on the template VM, and configure the template as an image that can be used to deploy additional VMs. Tables are provided to define the planned VM configurations for exercises in each module.


Windows Server 2019 Administration

Lab Book

This book is a companion Lab Book to the Windows Server 2019 Administration Study Guide

Author:
Syed Tasmir Faridi (Instructor Taz)
Partner with
Cloud Technology & Training Center

Table of Contents
Pre-requisite – Lab Setup
LS.1 Confirm if your CPU is VT enabled
LS.2 Enabling Hyper-V
LS.3 Create Template VM & Install Server 2019
LS.4 Creating a VM
LS.5 Install Windows Server 2019
LS.6 Creating an Image
LS.7 Deploying VM from Image
LS.8 Finalizing New VM setup
LS.9 Setup Active Directory Domain Services (ADDS)
LS.10 Joining the Domain
LS.10a How to add a new virtual hard disk to VM
LS.11 Internet accessible Hyper-V virtual machines
LS.11a Configure DNS Forwarder to resolve Internet names
LS.11b Second virtual switch for VM connectivity only
LS.11c Add a Network Adapter to virtual machine
Module 1 - Server Install and Administration
1.1 Download and Install Microsoft Assessment and Planning (MAP) Toolkit
1.2 Install Windows Server 2019 Core and utilize sconfig utility.
1.3 Download and Install Windows Admin Center.
1.4 Enable Remote Server Administration Tools.
Module 2 - Identity Services
2.1 Add an additional DC to the Domain.
2.2 Add a child Domain in Existing Forest
2.3 Add DomainTree in Existing Forest
2.4 Create Organizational Unit hierarchy.
2.5 Creating AD Users & Groups.
2.6 Delegating control on Organizational Unit.
2.7 Work with Flexible Single Master Operation (FSMO) roles.
2.8 Create Offline Standalone CA and add Enterprise Subordinate CA.
2.8a Setting up Standalone Root CA
2.8b Adding enterprise Subordinate CA
Module 3 - Network Infrastructure Labs
3.1 Add DHCP role and create a DHCP Scope.
3.2 Setting up DHCP Reservation.
3.3 Configuring DHCP Failover.
3.4 Configuring DHCP Relay Agent.
3.5 Add DNS Role and create secondary DNS zone.
3.6 Create AD Integrated Reverse Lookup Zone.
3.7 DNS Forwarding
3.7a Configure DNS Forwarders
3.7b Configuring DNS Conditional Forwarders.
3.8 Install and manage Remote Access Server role
Module 4 - Storage Services Labs
4.1 Manage volumes, share folders, and set access permissions.
4.1a Creating Volumes
4.1b Share folder and set access permissions
4.2 Configure Storage Spaces.
4.3 iSCSI Storage services.
4.3a Setting up iSCSI Target Server
4.3b Setting up iSCSI Initiator Server
Module 5 - Virtualization Labs
5.1 Virtual Networking in Hyper-V.
5.2 Creating Virtual Machines.
5.2a Creating Generation 1 VM
5.2b Creating Generation 2 VM
5.3 Export and import Virtual Machine utilizing Nested virtualization
Module 6 - High Availability Lab
6.1 Create a Failover Cluster.
Module 7 - Performance Monitoring Labs
7.1 Capture performance data with Performance Monitor.
7.2 System and User Data Collector Sets.
7.3 Working with Windows Admin Center
Module 8 - Disaster Recovery Labs
8.1 Implement Windows Scheduled Backup.
8.2 Implement Windows on-demand Bare Metal backup.
8.3 Bare metal Backup Restore
8.4 Implement Hyper-V Replica
Module 9 – Web Services and Remote Desktop Labs
9.1 Install Web Server and create a Web site.
9.2 Configure Web Server to host secure Web site.
9.3 Remote Desktop for Server Administration.
9.4 Deploying RemoteApp using Remote Desktop Services.

Pre-requisite – Lab Setup

To set up and run the labs in this book, we will use a Windows 10 Pro edition system (not the Home edition) to create and manage our virtual environment. A Windows Server with the Hyper-V role can also be used. The recommended hardware configuration for the system is an Intel i5 CPU or above, 32GB RAM, and an SSD hard drive.
As we move through this book, please pay special attention to the !**Important**! and !**Prerequisite**! signs. They provide critical information to help you complete your labs.
When completing the labs in this book, please be patient, complete one step at a time, and make sure you do not skip any step.
!**Important**! Using the process in labs LS.7, LS.8, and LS.10, as we move between module labs, we will build the following virtual machines to complete the module labs.
VM Configuration Chart

VM/Hostname                    Virtual HD name   IP Address       Subnet Mask      Gateway
DC                             DC                192.168.1.225    255.255.255.0    192.168.1.1
DC2                            DC2               192.168.1.226    255.255.255.0    192.168.1.1
DC3                            DC3               192.168.1.227    255.255.255.0    192.168.1.1
DC4                            DC4               192.168.1.228    255.255.255.0    192.168.1.1
DC5                            DC5               192.168.1.229    255.255.255.0    192.168.1.1
CLIENTPC                       CLIENTPC          192.168.1.230    255.255.255.0    192.168.1.1
ROOTCA01                       ROOTCA01          192.168.1.250    255.255.255.0    192.168.1.1
CTTC-INTCA01                   CTTC-INTCA01      192.168.1.251    255.255.255.0    192.168.1.1
CTTC-DHCP1                     CTTC-DHCP1        192.68.1.231     255.255.255.0    192.168.1.1
CTTC-DHCP1 (NIC2)              CTTC-DHCP1        10.1.1.1         255.255.255.0    None
CTTC-DHCP2                     CTTC-DHCP2        10.1.1.2         255.255.255.0    10.1.1.1
CTTC-dhcpPC                    CTTC-dhcpPC
CTTC-VPN                       CTTC-VPN          192.168.1.151    255.255.255.0    192.168.1.1
CTTC-VPN (NIC2)                CTTC-VPN          10.1.1.200       255.255.255.0    None
Storage-Srvr                   Storage-Srvr      192.168.1.243    255.255.255.0    192.168.1.1
Storage-Srvr (iSCSI NIC)       Storage-Srvr      12.12.12.200     255.255.255.0    None
CTTC-Node1                     CTTC-Node1        192.168.1.241    255.255.255.0    192.168.1.1
CTTC-Node1 (iSCSI NIC)         CTTC-Node1        12.12.12.1       255.255.255.0    None
CTTC-Node1 (Heartbeat NIC)     CTTC-Node1        11.11.11.1       255.255.255.0    None
CTTC-Node2                     CTTC-Node2        192.168.1.242    255.255.255.0    192.168.1.1
CTTC-Node2 (iSCSI NIC)         CTTC-Node2        12.12.12.2       255.255.255.0    None
CTTC-Node2 (Heartbeat NIC)     CTTC-Node2        11.11.11.2       255.255.255.0    None
File-Srvr                      File-Srvr         192.168.1.155    255.255.255.0    192.168.1.1
Hyperv-replica                 Hyperv-replica    192.168.1.160    255.255.255.0    192.168.1.1
Web-Srvr                       Web-Srvr          192.168.1.111    255.255.255.0    192.168.1.1
RD-Srvr                        RD-Srvr           192.168.1.239    255.255.255.0    192.168.1.1

These virtual machines can also be created as we move through the different module labs. Before every lab, prerequisites define which VMs will be needed for that module.
If you have the Windows Home edition, it can easily be upgraded to the Pro edition. Search for "upgrade from Windows Home to Pro" and follow the steps on Microsoft's site.
The labs in this book can also be completed using other free software, e.g., VirtualBox or VMware Workstation.
LS.1 Confirm if your CPU is VT enabled
The Virtualization entry in the CPU section of Task Manager shows whether VT is enabled.

LS.2 Enabling Hyper-V

To turn on the Hyper-V feature on your Windows Pro system, the CPU of the system must be VT (Virtual Technology) enabled. If it is not, follow the steps below to configure your system so it can host a virtual environment.
How to enable Virtual Technology (VT) on Intel processors
Boot your PC into the BIOS. You can typically do this by restarting your computer and repeatedly tapping the F2, F1, or Del key on the first screen you see once the power comes back on. If this does not work, try rebooting from Windows using these steps:

1. Click the Start menu.
2. Click Settings.
3. Click or type Update & security.
4. Click Recovery in the left panel.
5. Click Restart now under "Advanced startup."
6. Click Troubleshoot.
7. Click Advanced options.
8. Click UEFI Firmware Settings.
9. Click Restart to reboot into the BIOS.
10. Find the VT setting in the BIOS/UEFI and enable it, save, and reboot back to Windows. The following is an example of a BIOS utility and its Intel Virtual Technology options.
11. Log in to Windows, click the Start Menu, and type "windows features". Select Windows Features and enable the Hyper-V feature.
12. Select Restart on the reboot prompt. After the reboot, click the Start Menu, type hyper-v, and launch Hyper-V Manager. The system is now ready to create the virtual environment.
LS.3 Create Template VM & Install Server 2019
In this section, we will create a virtual machine, install Windows Server 2019, and then turn the installation into an image. We can then use this image to create new virtual machines.
To obtain installation media, download an evaluation copy of Server 2019 as an .iso file from Microsoft's evaluation site (search for "server 2019 eval copy"). This file will be used to install the Server 2019 operating system (OS) on our VMs. Once the OS is installed, we will prepare our virtual machine as a template for deploying more VMs running the Server 2019 OS.
LS.4 Creating a VM
LS.4.1 Open Hyper-V Manager and click to create a new virtual machine.
LS.4.2 Define a name for the virtual machine.
LS.4.3 Select Generation 2.
LS.4.4 Assign 2GB of RAM (2048MB) to the VM and click Next. Select the "Default Switch" virtual switch for the VM and click Next.
LS.4.5 On the Connect Virtual Hard Disk page, take the defaults and click Next. In Installation Options, click Browse, select the downloaded evaluation .iso file that contains the Windows Server 2019 installation files, and click Next.
LS.4.6 In Hyper-V Manager, right-click the virtual machine and select Settings.
LS.4.7 In the VM settings, select Checkpoints, choose the Standard checkpoint type, uncheck the "Use automatic checkpoints" checkbox, and click OK.

LS.5 Install Windows Server 2019

Now let's start our VM. Right-click the VM and select Connect. Click the Start button in the VM console window to start the VM. Press any key when prompted so that the installation begins.
LS.5.1 The installation process will start. In the Windows Setup page, select US English by clicking Next on the Language page. Click Install Now. Select the Datacenter (Desktop Experience) edition and click Next.
LS.5.2 Check the box to accept the license terms and click Next. Click the "Custom: Install Windows Only (advanced)" option. Click Next on the next page to create one partition on the entire Disk 0 and start the Windows Server installation. The installation process will now copy files to the hard drive.
LS.5.3 After the installation process reboots the VM, set the password for the local Administrator user to P@ssw.rd and click Finish.
LS.5.4 When the VM reaches the desktop, click Action in the VM console menu bar and select Ctrl+Alt+Delete to get the login screen. Log in as the local Administrator with that password. At this point you have successfully installed the Windows Server 2019 OS and are logged in as the local Administrator.
LS.6 Creating an Image
Now that the Server OS has been successfully installed, we will create a server image from this installation. This image will expedite the deployment of other VMs, since the OS is already installed; using an image saves time when we create more VMs in our virtual environment.
LS.6.1 After you have logged in to your Template VM, open File Explorer and execute sysprep.exe. Select the OOBE, Generalize, and Shutdown options. Sysprep removes all computer-specific information and prepares the OS installation for imaging. This means that once sysprep has been executed on an installation, it can be used to deploy other VMs.
!**Important**! Do not start the VM when the sysprep process completes and the VM shuts down. It must remain turned off. Starting this VM will undo what we accomplished by running sysprep. Delete the template virtual machine from Hyper-V Manager; doing so only deletes the VM and not its virtual hard disk. This way we do not risk starting this VM accidentally and undoing what sysprep did.
LS.7 Deploying VM from Image
We will use the image we created to deploy a new VM. After executing sysprep on our Template VM we turned it off, so we can now copy the virtual hard disk of this VM and associate it with the new VMs that we create. We save time because the OS is already installed on this virtual hard disk and all computer-specific information has been removed.
LS.7.1 Open File Explorer and go to the default location where virtual hard drives are saved (C:\Users\Public\Documents\Hyper-V\Virtual hard disks). Copy the Template VHDX file in the same folder and rename the copy "DC".
!**Important**! From now on, whenever we have to create a new virtual machine, copy the template file and rename the copy according to the hostname you need for that VM.
LS.7.2 Go to Hyper-V Manager, click New in Actions, and select Virtual Machine. Use "DC" as the VM name and click Next.
!**Important**! Your virtual machine name, virtual hard drive file name, and hostname/computer name should be the same; this way, when we have numerous VMs running and issues arise, it will be easier to map the associations between these three attributes.

1. Select Generation 2 and click Next.
2. Use 2048MB as the RAM for the VM.
3. Select Default Switch and click Next.
4. On the "Connect Virtual Hard Disk" page, select the second option, "Use an existing virtual hard disk". Click the Browse button and select the copied VHDX file we named "DC".
5. Click Finish.
6. Right-click the new VM we just created in Hyper-V Manager and select Connect to open the VM console. Click the Start button to start the VM. The VM will go through a mini-install process since we booted it from a copied image file. Use the same password P@ssw.rd for this new VM.
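The host-side part of LS.4 and LS.7 (copy the sysprepped disk, create the VM, disable automatic checkpoints) as one PowerShell script. This is an added example, not the lab book's own procedure; it assumes the template disk is named Template.vhdx in Hyper-V's default folder, that the template VM was named Template, and that the Hyper-V PowerShell module is installed on the host.

```powershell
# Added example (not from the lab book): deploy a new VM from the sysprepped template.
# Assumed names: "Template.vhdx" for the generalized disk and "Template" for the deleted VM.
$vhdFolder = 'C:\Users\Public\Documents\Hyper-V\Virtual hard disks'   # default location (LS.7.1)
$template  = Join-Path $vhdFolder 'Template.vhdx'
$vmName    = 'DC'                          # VM name = VHDX name = hostname (LS.7.2 Important)
$newVhd    = Join-Path $vhdFolder "$vmName.vhdx"

# LS.6 says the template VM must be deleted after sysprep so nobody boots it by accident;
# refuse to continue while it still exists.
if (Get-VM -Name 'Template' -ErrorAction SilentlyContinue) {
    throw 'Template VM still exists; delete it in Hyper-V Manager before copying its disk.'
}
if (Test-Path $newVhd) { throw "$newVhd already exists; choose a VM name that is not in use." }

# Copy, never move, so the template stays available for the next VM (LS.7.1).
Copy-Item -Path $template -Destination $newVhd

# Generation 2, 2048 MB, Default Switch, existing disk (LS.7.2 steps 1-5).
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 2048MB `
       -VHDPath $newVhd -SwitchName 'Default Switch' | Out-Null

# Same setting as LS.4.7: no automatic checkpoints on this VM.
Set-VM -Name $vmName -AutomaticCheckpointsEnabled $false

# Step 6: start it; the guest runs its mini-setup on first boot.
Start-VM -Name $vmName
Get-VM -Name $vmName | Select-Object Name, State, Generation, MemoryStartup
```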

LS.8 Finalizing New VM setup

Now that we have created our new VM from the template, we will finalize its setup by giving it a unique hostname and IP address. We will follow this process each time we create a new virtual machine from our template virtual hard drive.
!**Important**! For each new VM, the hostname and IP address must be unique.
LS.8.1 Click Start and type sysdm.cpl to launch System Properties. In this window click Change. Provide the hostname/computer name for your server and click OK. Click OK again and click Close. Do not restart the system yet; select Restart Later.
LS.8.2 To set this system's IP configuration, click Start, type ncpa.cpl, and launch Network Connections. Right-click Ethernet in Network Connections and select Properties.
LS.8.3 In Ethernet Properties select Internet Protocol Version 4 (TCP/IPv4) and click the Properties button. Configure the IP settings and click OK. In this example we are setting up our first server, named DC, with IP address 192.168.1.225. It will also be the DNS server. Click OK and Close.
!**Important**! For every VM you create, make sure you use the unique IP address defined in the VM Configuration Chart at the beginning of the Lab Setup section, point to the correct DNS server, and disable Windows Firewall.
LS.8.4 Disable the firewall. Now reboot the virtual machine; it is ready to participate in the labs.
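The LS.8 steps run from an elevated PowerShell session inside the new guest, added here as an example rather than taken from the lab book. It assumes the adapter is named Ethernet and uses DC's values from the VM Configuration Chart; for any other VM, change the three values at the top to that VM's row.

```powershell
# Added example (not from the lab book): hostname, static IP, DNS and firewall for a new VM.
$hostName = 'DC'              # LS.8.1: unique per VM
$ip       = '192.168.1.225'   # LS.8.3: from the VM Configuration Chart
$gateway  = '192.168.1.1'
$dns      = '192.168.1.225'   # DC is its own DNS server; every other VM points at DC
$adapter  = 'Ethernet'        # assumed adapter name

# Guard against the most common lab mistake: reusing an address that is already live.
if (Test-Connection -ComputerName $ip -Count 1 -Quiet) {
    throw "$ip already answers on the network; use the address assigned to this VM in the chart."
}

# LS.8.2 / LS.8.3: switch from DHCP to the static configuration.
Set-NetIPInterface -InterfaceAlias $adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $adapter -IPAddress $ip -PrefixLength 24 -DefaultGateway $gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses $dns

# LS.8.4: the lab book disables Windows Firewall on every lab VM. That only makes sense on the
# isolated lab network; re-enable the profiles before the VM is connected anywhere else.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# Show the result before the reboot so a typo is caught now rather than after the domain join.
Get-NetIPConfiguration -InterfaceAlias $adapter |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer

# LS.8.1: rename last, because the rename needs the reboot that -Restart performs.
Rename-Computer -NewName $hostName -Force -Restart
```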
LS.9 Setup Active Directory Domain Services (ADDS)
In this lab we will make our DC server an Active Directory domain controller hosting the contoso.com domain.
1. Click Add Roles and Features in Server Manager and click Next on Before you begin.
2. Select Role-based or feature-based installation and click Next.
3. Confirm that DC is highlighted in Select destination server and click Next.
4. Check Active Directory Domain Services, select Add Features, and then click Next.
5. Click Next on Select Features.
6. Click Next on Active Directory Domain Services.
7. Check "Restart the destination server automatically if required", click Yes, and click Install.
8. Click the Close button when the installation completes.
9. Click the Notifications flag in Server Manager and select "Promote this computer to a domain controller".
10. Select "Add a new forest", type contoso.com as the "Root domain name:", and click Next. This creates a new Active Directory installation and sets up the contoso.com domain as the first domain in our forest.
11. Leave the default values in the Domain Controller Options section and type P@ssw.rd as the DSRM password.
12. Take the defaults in DNS Options and click Next.
13. Keep the default NetBIOS domain name CONTOSO and click Next.
14. Keep the defaults in the Paths window and click Next.
15. Verify the entered configuration in the Review Options window and click Next.
16. In the Prerequisites Check window, disregard the warnings as long as all checks have passed, and click Install.
17. Click Close in the Results window. The server will reboot.
18. Log in as Administrator with P@ssw.rd as the password. To verify the ADDS install, go to Server Manager, click Tools, and select Active Directory Users and Computers and DNS.
19. Confirm that you can see the DC server's computer object under the Domain Controllers organizational unit in the Active Directory tool and that the DC server's hostname and IP are registered in DNS in DNS Manager.
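The same forest creation and the step 18-19 verification in PowerShell, run on DC as the local Administrator. This is an added example, not the lab book's own method; the DSRM password is the lab book's P@ssw.rd, and the check commands at the end are meant to be run after the reboot as contoso\administrator.

```powershell
# Added example (not from the lab book): create the contoso.com forest on DC (LS.9).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 11: DSRM password (the lab book's value). Read as a SecureString; never leave it in scripts
# outside the lab.
$dsrm = ConvertTo-SecureString 'P@ssw.rd' -AsPlainText -Force

# Steps 10-16: new forest, DNS installed, NetBIOS name CONTOSO, default paths.
# -Force suppresses the confirmation prompt; the server reboots when promotion finishes (step 17).
Install-ADDSForest `
    -DomainName 'contoso.com' `
    -DomainNetbiosName 'CONTOSO' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# ---- after the reboot, logged in as contoso\administrator (steps 18-19) ----
# The DC object must be in the Domain Controllers OU and be a global catalog.
Get-ADDomainController -Identity $env:COMPUTERNAME |
    Select-Object HostName, Domain, Forest, IsGlobalCatalog
Get-ADComputer -SearchBase 'OU=Domain Controllers,DC=contoso,DC=com' -Filter * |
    Select-Object Name, DNSHostName

# DNS must hold the DC's A record and the SRV record clients use to locate a domain controller.
Resolve-DnsName -Name "$env:COMPUTERNAME.contoso.com" -Type A
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.contoso.com' -Type SRV
```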

LS.10 Joining the Domain

Joining the domain must be completed for all virtual machines that will participate in the lab. Log in to each virtual machine we created and have it join our contoso.com domain.
1. Start the virtual machine and log in as Administrator. Confirm that each virtual machine has the right hostname and IP configuration: click Start, type cmd.exe, and hit Enter. In the command prompt, type hostname and then ipconfig to verify the VM setup.
2. In the command prompt, type sysdm.cpl to invoke System Properties and click the Change button.
3. Select Domain in the "Member of" section and type contoso.com.
4. When prompted, provide the contoso.com domain Administrator credentials and click OK.
5. Click OK on the welcome message. Click OK on the "you must restart" message, and then click Close.
6. Click Restart Now to reboot the system.
7. After the reboot completes, click Other user at the bottom left and type contoso\administrator with P@ssw.rd as the password to force a domain logon.
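The LS.10 join done from an elevated PowerShell session on the VM being joined, with the step 1 checks and a DNS check done first. Added example, not the lab book's own procedure; it assumes the adapter is named Ethernet and that DC (192.168.1.225) is the VM's DNS server.

```powershell
# Added example (not from the lab book): join this VM to contoso.com (LS.10).
$domain = 'contoso.com'
$dc     = '192.168.1.225'   # DC, the lab's DNS server

# Step 1: show what this VM will join as; both values must match the VM Configuration Chart.
$ipv4 = (Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias 'Ethernet').IPAddress
"Joining as $env:COMPUTERNAME with address $ipv4"

# A join fails with an unhelpful error when the VM cannot find a domain controller, which in
# this lab almost always means the DNS server from LS.8.3 is wrong. Check that first.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $dc -ErrorAction SilentlyContinue
if (-not $srv) {
    throw "No domain controller SRV record found via $dc; fix the DNS server setting (LS.8.3) first."
}

# Step 4: prompt for the domain Administrator credentials instead of embedding them.
$cred = Get-Credential -UserName 'CONTOSO\Administrator' -Message "Credentials for joining $domain"

# Steps 3-6: join and reboot.
Add-Computer -DomainName $domain -Credential $cred -Restart -Force

# Step 7 check, to run after the reboot as contoso\administrator:
#   $cs = Get-CimInstance Win32_ComputerSystem
#   if (-not $cs.PartOfDomain -or $cs.Domain -ne 'contoso.com') { throw 'Join did not take effect.' }
```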

LS.10a How to add a new virtual hard disk to VM

In this lab, we will create virtual hard disks and attach them to our DC virtual machine.
Virtual disks created in the Hyper-V environment are stored as files in VHD or VHDX format on the physical disk of the host system. Virtual hard disks function as the hard disk of a virtual machine (VM). VHDX is the Hyper-V virtual hard disk (VHD) format found in Windows Server 2012 and above. The main advantage of switching to VHDX is its increased storage capacity of 64 TB (terabytes), instead of VHD's standard storage limit of 2 TB. VHDX files are not compatible with previous versions of Windows Server.
LS.10a.1 Open Hyper-V Manager > shut down the DC VM > right-click DC in the Virtual Machines list and select Settings.
LS.10a.2 In the DC virtual machine settings page > select SCSI Controller > Hard Drive > Add button.
LS.10a.3 Click the New button to create a new virtual hard disk > Next on Before You Begin > Dynamically expanding in Choose Disk Type, Next > type HD2 in Name and click Next.
LS.10a.4 Choose the default or intended virtual disk size, Next > Finish > click Apply in the DC settings window to save the virtual hard disk. You will now see HD2 listed under SCSI Controller in the DC VM settings page.
LS.10a.5 Now create 5 more virtual disks using the same process starting from LS.10a.2, but give them unique names: HD3, HD4, and onwards. The disk sizes are 127, 200, 127, 150, and 175. Once all virtual hard disks are created, you will see the following under SCSI Controller in the DC settings.
LS.10a.6 Click OK in the DC settings page > start the DC VM > log in as contoso\administrator > right-click Start and select Disk Management.
LS.10a.7 All the new disks we added are Offline and Not Initialized. If the system asks to initialize them, select that option. If not, right-click each disk and select Online > right-click the disk and select Initialize Disk > the Initialize Disk window will appear; check the boxes for all disks > GPT option > OK. All new disks will come online. Close Disk Management.
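The LS.10a procedure in PowerShell: the first part runs on the Hyper-V host and creates and attaches all six disks, the second part runs inside the DC guest and initializes only the disks that are still raw. Added example, not the lab book's; it assumes the disk sizes are in GB, that HD2 uses the wizard's default size of 127 GB, and that the VHDX files live in Hyper-V's default folder.

```powershell
# Added example (not from the lab book): six dynamically expanding SCSI disks for DC (LS.10a).
$vmName    = 'DC'
$vhdFolder = 'C:\Users\Public\Documents\Hyper-V\Virtual hard disks'
# Sizes from LS.10a.5 (assumed to be GB); HD2 assumed to use the wizard default of 127 GB.
$sizesGB   = [ordered]@{ HD2 = 127; HD3 = 127; HD4 = 200; HD5 = 127; HD6 = 150; HD7 = 175 }

# LS.10a.1 shuts the VM down before editing its settings; do the same here.
if ((Get-VM -Name $vmName).State -ne 'Off') { Stop-VM -Name $vmName }

foreach ($name in $sizesGB.Keys) {
    $path = Join-Path $vhdFolder "$vmName-$name.vhdx"
    if (-not (Test-Path $path)) {
        # LS.10a.3: dynamically expanding disk
        New-VHD -Path $path -SizeBytes ($sizesGB[$name] * 1GB) -Dynamic | Out-Null
    }
    # LS.10a.2: attach to the SCSI controller (Gen 2 VMs have no IDE controller)
    Add-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -Path $path
}
# Equivalent of the SCSI Controller list in the DC settings page.
Get-VMHardDiskDrive -VMName $vmName | Select-Object ControllerType, ControllerLocation, Path
Start-VM -Name $vmName

# ---- inside the DC guest, as contoso\administrator (LS.10a.6 / LS.10a.7) ----
# Act only on disks with no partition table; re-initializing a disk that has one destroys its data.
Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } | ForEach-Object {
    Set-Disk -Number $_.Number -IsOffline $false      # "Online"
    Set-Disk -Number $_.Number -IsReadOnly $false
    Initialize-Disk -Number $_.Number -PartitionStyle GPT   # "Initialize Disk" with the GPT option
}
Get-Disk | Select-Object Number, FriendlyName, Size, PartitionStyle, OperationalStatus
```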

LS.11 Internet accessible Hyper-V virtual machines

In this lab, we will create a new virtual switch that gives our VMs access to resources outside of our host system. We will then associate this virtual switch with our VMs.
!**Important**! A Hyper-V virtual switch will be used to provide Internet access to our virtual machines. This virtual switch will be connected to your host device's network connection to provide Internet or outside connectivity. This lab assumes that your Hyper-V host connects to network 192.168.1.0/24. If the host connects to any other IP scheme, these VMs will not be able to access the network outside of the host.
LS.11.1 Open Hyper-V Manager > Virtual Switch Manager (Actions pane) > select External and click Create Virtual Switch.
LS.11.2 Create the new virtual switch using the following information and click Apply. You will see this virtual switch now listed as an available switch that VMs can connect to. Click OK.
!**Important**! In this lab, since I am using my laptop as the host and it connects to the Internet via a wireless network adapter, I have selected to associate my WiFi adapter with our virtual switch. If your host uses an Ethernet NIC, then we need to select that adapter instead.
LS.11.3 Go to Hyper-V Manager > right-click the DC VM > click Settings.
LS.11.4 Network Adapter > click the drop-down menu for Virtual switch > select our newly created virtual switch > click Apply to save the changes > click OK.
LS.11.5 Now you can open a web browser and access the Internet.
LS.11a Configure DNS Forwarder to resolve Internet names
LS.11a.1 Log in to the DC server with the contoso\administrator user account. Server Manager > Tools > DNS.
LS.11a.2 Right-click the DC server in the DNS tool > select Properties > in the DC property page click the Forwarders tab > click the Edit button > in the Edit Forwarders window type an external DNS server's IP address, 8.8.8.8, and hit the Enter key > click OK > OK on DC Properties.
LS.11a.3 Now any device in our virtual environment, from servers to clients, that points to the DC server for DNS can access the Internet. Make sure that the NIC on the DC VM is connected to the External vSwitch virtual switch for external access.
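The LS.11a forwarder configured with PowerShell on DC, followed by three checks that tell apart "the forwarder is unreachable", "forwarding works" and "internal names still come from the local zone". Added example, not the lab book's own method; it uses the lab book's 8.8.8.8 and assumes the DNS Server module that ships with the DNS role.

```powershell
# Added example (not from the lab book): DNS forwarder on DC and how to verify it (LS.11a).
$forwarder = '8.8.8.8'   # the external resolver used in the lab book

# LS.11a.2: replace the forwarder list with the single lab entry; keep root hints as fallback.
Set-DnsServerForwarder -IPAddress $forwarder -UseRootHint $true
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# Check 1: can the DC reach the forwarder on port 53 at all? Test-NetConnection only tests TCP,
# so a success here proves the path exists, not that UDP/53 (normal DNS) is open.
Test-NetConnection -ComputerName $forwarder -Port 53 | Select-Object ComputerName, TcpTestSucceeded

# Check 2: ask the DC's own DNS service (not the forwarder directly) for an Internet name.
$answer = Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server '127.0.0.1' -ErrorAction SilentlyContinue
if ($answer) {
    "Forwarding works: $($answer.Count) record(s) returned for www.microsoft.com"
} else {
    'DC cannot resolve Internet names; check the External vSwitch (LS.11a.3) and the forwarder.'
}

# Check 3: internal names must still be answered from the contoso.com zone, never forwarded.
Resolve-DnsName -Name 'dc.contoso.com' -Type A -Server '127.0.0.1'
```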
LS.11b Second virtual switch for VM connectivity only
LS.11b.1 Go to Hyper-V Manager > click Virtual Switch Manager in Actions > select Internal > click the Create Virtual Switch button.
LS.11b.2 Type Internal vSwitch as the virtual switch name and confirm that Internal network is selected > OK.
LS.11b.3 In Hyper-V Manager > click Virtual Switch Manager in Actions. You can now see the three virtual switches that are available to be assigned to VM network interface cards.

LS.11c Add a Network Adapter to virtual machine

LS.11c.1 Open Hyper-V Manager > right-click the VM that needs an additional NIC, select Settings > select Add Hardware > select Network Adapter > click the Add button.
LS.11c.2 Using the drop-down menu, select the virtual switch this NIC will be connected to > click Apply > OK.
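LS.11, LS.11b and LS.11c together on the Hyper-V host in PowerShell: create the external and internal switches, move DC's adapter to the external one, and add a second NIC on the internal one. Added example, not the lab book's; the switch names are the lab book's, the physical adapter is picked automatically as the one holding a 192.168.1.x address (the network the lab assumes), and the new adapter name NIC2 is assumed.

```powershell
# Added example (not from the lab book): the three-switch layout from LS.11 / LS.11b / LS.11c.
$externalSwitch = 'External vSwitch'
$internalSwitch = 'Internal vSwitch'
$vmName         = 'DC'

# Find the physical host adapter that carries the 192.168.1.0/24 connection. Adapters named
# vEthernet* are Hyper-V's own and are excluded; binding a switch to one of them breaks networking.
$hostNic = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '192.168.1.*' } |
    ForEach-Object { Get-NetAdapter -InterfaceIndex $_.InterfaceIndex } |
    Where-Object { $_.Status -eq 'Up' -and $_.Name -notlike 'vEthernet*' } |
    Select-Object -First 1
if (-not $hostNic) {
    throw 'No host adapter on 192.168.1.0/24; the external switch would not reach the lab network (see the LS.11 Important note).'
}

# LS.11.1 / LS.11.2: external switch bound to WiFi or Ethernet, whichever $hostNic is.
# AllowManagementOS keeps the host itself online through the same adapter.
if (-not (Get-VMSwitch -Name $externalSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $externalSwitch -NetAdapterName $hostNic.Name -AllowManagementOS $true | Out-Null
}
# LS.11b: internal switch, VM-to-VM and VM-to-host only, no path to the physical network.
if (-not (Get-VMSwitch -Name $internalSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $internalSwitch -SwitchType Internal | Out-Null
}
# LS.11b.3: the switches now available to VMs (Default Switch plus the two above).
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription

# LS.11.3 / LS.11.4: move DC's existing adapter onto the external switch.
Get-VMNetworkAdapter -VMName $vmName | Select-Object -First 1 |
    Connect-VMNetworkAdapter -SwitchName $externalSwitch

# LS.11c: add a second NIC (assumed name NIC2) attached to the internal switch.
Add-VMNetworkAdapter -VMName $vmName -Name 'NIC2' -SwitchName $internalSwitch
Get-VMNetworkAdapter -VMName $vmName | Select-Object VMName, Name, SwitchName, MacAddress
```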

Module 1 - Server Install and Administration

1.1 Download and Install Microsoft Assessment and Planning (MAP) Toolkit
!**Prerequisite**! Before we start the labs in this module, please download the Windows 10 Enterprise edition evaluation version. Once you have the evaluation .ISO file, follow the same steps to create and install a Windows 10 virtual machine named ClientPC with IP address 192.168.1.230. Follow steps LS.4 & LS.5 in the Lab Setup section on how to deploy this Windows client as a virtual machine.
The Microsoft Assessment and Planning (MAP) Toolkit is a free utility IT admins can use to determine whether a particular Windows infrastructure, software application, or user's device is adequately prepared to migrate to a new operating system, server version, or cloud environment. An IT professional can run the MAP Toolkit on one Microsoft computing device and inventory the entire Windows network.
1.1.1 Google and download the MAP Toolkit, then execute the downloaded MAPsetup.exe to install it. Take the defaults during the install and launch the toolkit from the Start Menu.
1.1.2 Click "Collect Inventory Data" in the Environment section.
1.1.3 In Inventory Scenarios, select Windows Computers & Active Devices and Users and click Next.
1.1.4 In Discovery Methods we can select how the MAP Toolkit collects inventory data. Choose Active Directory Domain Services (ADDS) and click Next.
1.1.5 Provide domain credentials to collect inventory data and click Next.
1.1.6 Choose your domain name in Active Directory Options and click Next.
1.1.7 In All Computer Credentials, click Create and provide the login credentials that the toolkit will use to collect all requested inventory information. Click the Save button and then Next.
1.1.8 Click Next in Credential Order.
1.1.9 Click Finish in Summary. Data collection will now start.
1.1.10 When the assessment is completed, click the Close button.
1.1.11 In Inventory Results, click Machines Discovered. In Options, select "Generate Inventory Results Report".
1.1.12 This will download a Microsoft Excel .xlsx file with the requested inventory information.

!**Important**! You might see different results than what is shown above; your information will depend on which virtual machines exist in your environment, whether correct credentials were provided to the toolkit to access the devices, and which ones are turned on at the time.

1.2 Install Windows Server 2019 Core and utilize sconfig utility.

!**Prerequisite**! Create a new virtual machine named 2019ServerCore. Attach the installation media .ISO file to the VM to install the operating system. Use steps LS.4 & LS.5 in the Lab Setup section to prepare this new VM to install Windows Server Core.
The Server Core option is a minimal installation option that is available when you are deploying the Standard or Datacenter edition of Windows Server. Server Core includes most but not all server roles. Server Core has a smaller disk footprint, and therefore a smaller attack surface due to a smaller code base.
1.2.1 Connect to the virtual machine's console and start the VM. Press any key if requested to boot from the installation .ISO media already connected to the VM.
1.2.2 In the Windows Setup window, take the defaults and click Next.
1.2.3 Click Install Now to proceed. Setup starts.
1.2.4 Select the Datacenter edition option without "Desktop Experience". This will install the Core OS. Click Next.
1.2.5 Check the "I accept the license terms" box and click Next.
1.2.6 Select the "Custom: Install Windows only (advanced)" option. Click Next on "Where do you want to install Windows" to start installing the OS on the virtual hard disk. Setup will now copy files from the installation media to the virtual hard disk and then reboot the virtual machine. This process takes a few minutes.
1.2.7 Setup will request that you change the local Administrator user's password. Press Enter to select OK.
1.2.8 Enter P@ssw.rd twice to confirm it as the new password. Press Enter to accept OK.
Now you will notice that there are no desktop icons, taskbar, or Start Menu in the Server Core install. All you get is a command prompt window. Server with Desktop Experience installs the standard graphical user interface, usually referred to as the GUI, and the full package of tools for Windows Server 2019. Server Core is the minimal installation option that comes without a GUI. Server Core is meant to be managed remotely, or it can be managed locally via the command line and/or PowerShell.
1.2.9 Type sconfig in the command prompt to invoke the Server Configuration menu.
1.2.10 We will use sconfig to rename our system's hostname. Type "2" to invoke the Computer Name option. Type CTTC-Core1 as the new hostname and press Enter.
1.2.11 Click Yes to restart the system so the change can take effect.
1.2.12 After the system reboots, log in as Administrator with the P@ssw.rd password. Type the hostname command to confirm that the system's hostname has changed to CTTC-Core1.
1.2.13 Now let's shut down this Core system: type "shutdown -s -f -t 0" at the prompt to shut down the virtual machine.

1.3 Download and Install Windows Admin Center.

We will use the ClientPC Windows 10 Enterprise edition virtual machine to complete this lab.
Windows Admin Center is a locally deployed, browser-based app for managing Windows servers, clusters, hyper-converged infrastructure, as well as Windows 10 PCs. It is a free product and is ready to use in production.
1.3.1 Google "download Windows Admin Center" to find and download the tool's .MSI installation file.
1.3.2 Execute the downloaded file to start the setup process, take the defaults, choose to create a desktop icon, and click Install.
1.3.3 Select the default certificate and click Finish.
1.3.4 Invoke the tool from the desktop icon. Click Add, then click the Add button to add a Windows Server.
1.3.5 Type server2.contoso.com in the Server name section and click Add. It could take a few moments before the Add button becomes available. Next, use the same process to add dc.contoso.com. When completed, all the systems added will be listed in the tool.
Any system can now be selected by clicking it to manage it remotely. The browser running Windows Admin Center can be closed to exit Admin Center.

1.4 Enable Remote Server Administration Tools.

Please use the ClientPC Windows 10 Enterprise edition virtual machine to complete this lab.
RSAT enables IT administrators to remotely manage roles and features in Windows Server from a computer that is running Windows 10 or Windows 7 Service Pack 1. You cannot install RSAT on computers that are running Home or Standard editions of Windows. You can install RSAT only on Professional or Enterprise editions of the Windows client operating system.
1.4.1 Open Control Panel > System and Security > Administrative Tools. Confirm that we do not have any tools to manage Windows Server roles, e.g., Active Directory, DNS, DHCP, etc.
1.4.1a Google "download RSAT Windows 10". If your client OS is x64, download the 64-bit version that matches your Windows client OS version.
1.4.2 Execute the downloaded file, choose "I accept" in the license section, and click Close when the installation completes.
1.4.3 Go back to Control Panel > System and Security > Administrative Tools. Now you will see new tools that were not there before, e.g., to manage Active Directory. These tools can now be used to remotely manage these services.

On Windows Server, Windows Features can be used to add these management tools without adding the server role.
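On Windows 10 version 1809 and later, RSAT is delivered as Features on Demand instead of the downloadable installer described in 1.4.1a. The following, an added example rather than the lab book's method, installs the tools for the roles used in these labs on ClientPC and then lists every RSAT capability with its state, which is the PowerShell equivalent of the 1.4.3 check. It assumes an elevated session and that ClientPC can reach Windows Update (or a WSUS/FoD source) for the payload.

```powershell
# Added example (not from the lab book): RSAT as Features on Demand on Windows 10 1809+.
# Capability names for the roles used in this lab book: AD DS, DNS, DHCP, Server Manager.
$wanted = @(
    'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0',
    'Rsat.Dns.Tools~~~~0.0.1.0',
    'Rsat.DHCP.Tools~~~~0.0.1.0',
    'Rsat.ServerManager.Tools~~~~0.0.1.0'
)

foreach ($cap in $wanted) {
    $state = (Get-WindowsCapability -Online -Name $cap).State
    if ($state -eq 'Installed') {
        "$cap is already installed"
        continue
    }
    # Add-WindowsCapability downloads the payload from Windows Update / the configured FoD source.
    Add-WindowsCapability -Online -Name $cap | Out-Null
    "$cap installed"
}

# Equivalent of looking in Administrative Tools (1.4.3): every RSAT capability and whether it is present.
Get-WindowsCapability -Online -Name 'Rsat.*' |
    Sort-Object State, Name |
    Select-Object Name, State
```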
Module 2 - Identity Services
In module 2 labs we will add a domain controller to our existing contoso.com
domain. ADDS Groups and their memberships. Create Organization Units
OUs and delegate control over these objects. Change Flexible Single Master
Operation roles in domain controllers. Finally, we will setup a certification
authority infrastructure.
!**Prerequisite**! To complete labs in module 2, we need DC2, DC3, DC4,
& DC5 VMs. If these do not exist, then please follow procedure in LS.7 &
LS.8 Lab Setup section to deploy these VMs from the template we created.
!**Important**! Please make sure that DC VM is always running
whenever you are completing labs from any module in this book.
2.1 Add an additional DC to the Domain.
!**Prerequisite**! Make sure you have DC2 VM running. Hostname, IP
configuration, and domain membership have been setup already.
2.1.1 First, we will add ADDS Role. Server Manager > click Add Roles and
Features > Next
2.1.2 Select Role-based option and click Next.
2.1.3 Click Next on Select Destination Server section.
2.1.4 Check Active Directory Domain Services, click Add Features, and click
Next.

2.1.5 Click Next in Select Features section.


2.1.6 Click Next in ADDS section.
2.1.7 Check “Restart the destination server automatically if required”, click
Yes in prompt, and click Install.
2.1.9 When ADDS installation succeeds, click Close.
2.1.10 Click Notifications flag in Server Manager and select “Promote this
computer to a domain controller”.

2.1.11 In deployment configuration section, select Add a domain controller to
an existing domain > confirm contoso.com exists in Domain section > change
credentials from a local administrator user on DC2 system to
contoso\administrator user > click Next.

2.1.13 Keep defaults in Domain Controller options > Add P@ssw.rd as the
DSRM password > click Next.
2.1.14 Click Next in DNS options
2.1.15 Keep defaults in Additional Options, click Next.
2.1.16 Keep defaults settings in Paths section, click Next.

2.1.17 Confirm all configuration in Review Options, click Next.


2.1.18 Click Install in Prerequisite Checks, ADDS installation starts. When
completed, click Close. System will then reboot.
2.1.19 Login as contoso\administrator > Server Manager > Tools > Active
Directory Users & Computers (ADUC) > Expand contoso.com domain >
select Domain Controllers OU > confirm that you now see DC2 under
Domain Controllers OU. This validates DC2 as an additional domain
controller.
!**Important**! Complete the same process now using DC3 server.
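The promotion in lab 2.1 done with the ADDSDeployment module, added here as an example and not part of the original lab book. It assumes DC2 is already domain-joined (as the prerequisite states), that you run it elevated on DC2, and that the DSRM password and contoso\administrator credentials are typed at the prompts rather than written into the script.

```powershell
# Added example (not from the lab book): promote DC2 as an additional domain
# controller for contoso.com without the Server Manager wizard.
# Assumes DC2 is domain-joined and this runs elevated on DC2.

# 1. AD DS binaries plus the management tools (ADUC, ADAC, ActiveDirectory module)
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 2. Secrets are read interactively; the lab uses P@ssw.rd for DSRM but a
#    script should never carry a recovery password in clear text.
$domainCred = Get-Credential -Message 'Enter contoso\administrator credentials'
$dsrm       = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 3. Dry run: the same prerequisite checks the wizard performs, no changes made
Test-ADDSDomainControllerInstallation -DomainName 'contoso.com' `
    -Credential $domainCred -SafeModeAdministratorPassword $dsrm -InstallDns

# 4. Promote. DC2 reboots when promotion completes (wizard behaviour in 2.1.18).
Install-ADDSDomainController -DomainName 'contoso.com' `
    -Credential $domainCred -SafeModeAdministratorPassword $dsrm `
    -InstallDns -Force

# ---- After the reboot, from any domain-joined host with the AD module ----
# Both DCs should be listed; DC2 is a global catalog because the lab keeps
# the wizard defaults under Domain Controller Options.
Get-ADDomainController -Filter * -Server 'contoso.com' |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles

# Replication health between DC and DC2: every row should report 0 fails
repadmin /replsummary
```

Step 2.1.19 validates the result by looking in the Domain Controllers OU; the Get-ADDomainController query is the scripted equivalent and additionally shows whether the new DC is a global catalog, which the console view does not.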

2.2 Add a child Domain in Existing Forest


!**Prerequisite**! Make sure you have the DC4 VM running. Hostname,
IP configuration, and domain membership have already been set up.
In a domain environment, child domains can be used for separate
departments and/or branches. These child domains can be in the same or
different geographical areas. Child domains help to define administrative,
security, and resource boundaries. IT admins can apply different
policies and permissions for users and resources in the child domain without
affecting the parent domain's rules and policies. It provides more control over the
network and its resources.
In this lab, we will add TechGear domain as a child domain to contoso.com.
2.2.1 First, we will add ADDS Role. Server Manager > click Add Roles and
Features > Next
2.2.2 Select Role-based option and click Next.
2.2.3 Click Next on Select Destination Server section.
2.2.4 Check Active Directory Domain Services, click Add Features, and click
Next.

2.2.5 Click Next in Select Features section.


2.2.6 Click Next in ADDS section.
2.2.7 Check “Restart the destination server automatically if required”, click
Yes in prompt, and click Install.
2.2.9 When ADDS installation succeeds, click Close.
2.2.10 Click Notifications flag in Server Manager and select “Promote this
computer to a domain controller”.

2.2.11 In deployment configuration section, select “Add a new domain to an
existing forest” > select Child Domain in domain type > contoso.com in
Parent domain name > Type TechGear in New domain name > change
credentials to contoso\administrator user > click Next.

2.2.12 Take defaults in Domain controller options section > add P@ssw.rd as
DSRM password > Next.
2.2.13 Keep default setting in DNS Options, click Next.

2.2.14 Keep default NetBIOS domain name as TECHGEAR, click Next.

2.2.15 Keep default values in Paths section, click Next.


2.2.16 Now review and confirm the configuration we have added, click Next.
2.2.17 Click Install in Prerequisites Check. ADDS installation will start and
the system reboots when it completes.
2.2.18 Post reboot, login as TECHGEAR\administrator with the P@ssw.rd
password. Open Active Directory Users and Computers (ADUC) from Server
Manager > Tools. Confirm the new child domain.
2.2.19 Open DNS from Server Manager > Tools. Confirm the new child
domain DNS zone.

2.2.20 Login to DC.contoso.com as contoso\administrator user > Server
Manager > Tools > DNS > expand Forward lookup zone > expand
contoso.com and select TechGear. It shows 192.168.1.228 (DC4) as the
system containing delegated DNS zone for techgear.contoso.com domain.

2.3 Add Domain Tree in Existing Forest

!**Prerequisite**! Make sure you have the DC5 VM running. Hostname,
IP configuration, and domain membership have already been set up.
In this lab, we will add a new domain tree within our ADDS Forest. Domain
adatum.com will be the root domain of the second domain tree in our Forest.
A domain tree is simply a collection of one or more domains that share a
common namespace, e.g., techgear.contoso.com is the child domain of
contoso.com, with contoso.com as the namespace. A forest is a collection of
one or more domain trees. Our existing domain tree in the Forest is
contoso.com; we will create a new one named adatum.com.
2.3.1 First, we will add ADDS Role. Server Manager > click Add Roles and
Features > Next
2.3.2 Select Role-based option and click Next.
2.3.3 Click Next on Select Destination Server section.
2.3.4 Check Active Directory Domain Services, click Add Features, and click
Next.

2.3.5 Click Next in Select Features section.


2.3.6 Click Next in ADDS section.
2.3.7 Check “Restart the destination server automatically if required”, click
Yes in prompt, and click Install.
2.3.9 When ADDS installation succeeds, click Close.

2.3.10 Click Notifications flag in Server Manager and select “Promote this
computer to a domain controller”.
2.3.11 In deployment configuration section, select “Add a new domain to an
existing forest” > select Tree Domain in domain type > contoso.com in
Parent domain name > Type adatum.com in New domain name > confirm or
change credentials to contoso\administrator user > click Next.

2.3.12 In domain controller options, take defaults, and type P@ssw.rd as the
DSRM password.

2.3.13 Keep default setting in DNS Options, click Next.


2.3.14 Keep default NetBIOS domain name as ADATUM, click Next.
2.3.15 Keep default values in Paths section, click Next.
2.3.16 Now review and confirm configuration we have added, click Next.
2.3.17 Click Install in Prerequisite Checks, ADDS installation starts. When
completed, click Close. System will then reboot.
2.3.18 Login as adatum\administrator on DC5 > Server Manager > Tools >
Active Directory Users and Computers (ADUC) > Expand adatum.com
domain > select Domain Controllers OU > confirm that you now see DC5
under Domain Controllers OU. This validates DC5 as the domain controller
hosting our domain tree adatum.com.

2.3.19 Server Manager > Tools > DNS > expand Forward lookup zone >
expand contoso.com and select TechGear. It shows 192.168.1.228 (DC4) as
the system containing delegated DNS zone for techgear.contoso.com domain.

2.3.20 Login as contoso\administrator on DC > Server Manager > Tools >
Active Directory Domains and Trusts, view the domain hierarchical structure
of our ADDS with two domain trees contoso.com and adatum.com.
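Labs 2.2 (child domain on DC4) and 2.3 (tree domain on DC5) done with Install-ADDSDomain, added here as one example and not part of the original lab book. The domain names, NetBIOS names and the contoso\administrator account are the lab's own; the example assumes the AD DS role is installed first on each server, exactly as the lab's steps x.x.1 to x.x.9 do, and that each section is run elevated on the server named.

```powershell
# Added example (not from the lab book): create the TechGear child domain on
# DC4 (lab 2.2) and the adatum.com tree domain on DC5 (lab 2.3).
# Run the matching section elevated on DC4 or DC5 after the role install below.

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Enterprise Admins credentials and the DSRM password, entered at the prompt
$entCred = Get-Credential -Message 'contoso\administrator (Enterprise Admins)'
$dsrm    = Read-Host -AsSecureString -Prompt 'DSRM password'

# ---- On DC4: child domain techgear.contoso.com (lab 2.2) ----
# NewDomainName is only the child label; the parent name supplies the rest.
# -CreateDnsDelegation writes the NS delegation into the contoso.com zone,
# which is the record step 2.2.20 looks at in the DNS console on DC.
Install-ADDSDomain -DomainType ChildDomain `
    -NewDomainName 'TechGear' -ParentDomainName 'contoso.com' `
    -NewDomainNetbiosName 'TECHGEAR' `
    -Credential $entCred -SafeModeAdministratorPassword $dsrm `
    -InstallDns -CreateDnsDelegation -Force

# ---- On DC5: new tree adatum.com in the contoso.com forest (lab 2.3) ----
# For a tree domain NewDomainName is the full DNS name, and no delegation is
# created because adatum.com does not sit under the contoso.com namespace.
Install-ADDSDomain -DomainType TreeDomain `
    -NewDomainName 'adatum.com' -ParentDomainName 'contoso.com' `
    -NewDomainNetbiosName 'ADATUM' `
    -Credential $entCred -SafeModeAdministratorPassword $dsrm `
    -InstallDns -Force

# ---- Verification from DC, after both servers have rebooted ----
# The forest should list contoso.com, techgear.contoso.com and adatum.com
(Get-ADForest).Domains

# Parent/child relationship of the new child domain
Get-ADDomain -Identity 'techgear.contoso.com' | Select-Object DNSRoot, ParentDomain, NetBIOSName

# The delegation DC4 created in the contoso.com zone (what step 2.2.20 shows)
Get-DnsServerZoneDelegation -Name 'contoso.com'
```

Both Install-ADDSDomain calls reboot the server when they finish, as the wizard does in steps 2.2.17 and 2.3.17; the verification commands therefore run on DC, not on the server being promoted.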
2.4 Create Organizational Unit hierarchy.
In this lab, we will create Organizational Unit objects to build a hierarchical
structure. This structure will be used to organize our other AD objects, e.g.,
users, computers, groups, etc.
Organizational units (OUs) in an Active Directory Domain Services (AD DS)
managed domain let you logically group objects such as user accounts,
service accounts, or computer accounts. You can then assign administrators
to specific OUs and apply group policy to enforce targeted configuration
settings. You can create organizational units to mirror your organization's
functional, business, or physical location structure.
2.4.1 Login to DC as contoso\administrator > click Start > Type dsa.msc to
launch Active Directory Users and Computers.
2.4.2 In ADUC, right-click contoso.com > New > select Organizational Unit.

2.4.3 In the New Object window type LA as the OU name and click OK. This
creates the top-level OU in the hierarchy.
2.4.4 Now right-click on the LA top-level OU and select New > Organizational
Unit > Type Computers for this OU name > click OK.
2.4.5 Now repeat step in 2.4.4 and create following child OUs below LA OU.
Groups
Service Accounts
Users
2.4.6 Right-click on contoso.com and create NY as the top level OU.

2.4.7 Now right-click on the NY top level OU and create the following child
OUs.
Computers
Users
Service Accounts
Groups

2.5 Creating AD Users & Groups.


In this lab, we will create domain users and groups, and add users to
groups.
A user object in AD is used to represent a real user in an organizational
network environment. These objects are required by users to log on to the
network and access their resources.
Group objects are collections of user accounts, computers, or other group
objects created for organizational purposes or for assigning permissions to
shared resources.
Creating Users
2.5.1 Login to DC as contoso\administrator > open ADUC > right-click Users
OU under LA top level OU > New > select User.
2.5.2 In New Object – User window > Type Sarah in First Name > Conner in
Last name > sconner in User logon name > click Next.

2.5.3 Enter P@ssw.rd as the password > uncheck User must change password
at next logon > click Next > Click Finish.
2.5.4 Right-click again on Users OU under LA > New > select User.
2.5.2 In New Object – User window > Type Dominic in First Name > Toretto
in Last name > dtoretto in User logon name > click Next > Enter P@ssw.rd
as the password > uncheck User must change password at next logon > click
Next > Click Finish.

2.5.3 Now create two users under the NY/Users OU. Right-click on Users OU
under NY top level OU > New > select User > Create the following two users
with the same configuration as in step 2.5.2
Clark Kent
Peter Parker

Creating AD Groups
2.5.4 Right-click on Groups OU under LA OU > New > Group.
2.5.5 Type Cool Admins in Group name > keep defaults in group scope and
type > OK.
2.5.6 Right-click on Groups OU under NY OU > New > Group.
2.5.7 Type SuperHero Admins in Group name > keep defaults in group scope
and type > OK.

Group membership
2.5.8 Right-click on SuperHero Admins group > choose Properties > click the
Members tab > click the Add button > Type clark and click Check Names > this
will auto-fill the Clark Kent username > Type peter and click Check Names
again > click OK when both usernames are populated > OK on the SuperHero
Admins property page to complete the membership process.
This process adds users Clark and Peter as members of the SuperHero Admins
AD domain group. Now this group can be used to provide collective access
to both users on resources like files, folders etc.
2.5.9 Now using the process in 2.5.8, add users Dominic and Sarah to Cool
Admins group.
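The OU hierarchy of lab 2.4 and the users, groups and memberships of lab 2.5, scripted with the ActiveDirectory module. This is an added example and not part of the original lab book. It runs on DC as contoso\administrator; the logon names ckent and pparker are an assumption that follows the sconner/dtoretto pattern the lab uses, and the initial password (P@ssw.rd in the lab) is read at the prompt.

```powershell
# Added example (not from the lab book): lab 2.4 OU tree and lab 2.5 users,
# groups and memberships. Run on DC as contoso\administrator.

Import-Module ActiveDirectory
$domainDn   = (Get-ADDomain).DistinguishedName          # DC=contoso,DC=com
$initialPwd = Read-Host -AsSecureString -Prompt 'Initial user password'

# ---- Lab 2.4: two top-level site OUs, each with the same four child OUs ----
$sites    = 'LA', 'NY'
$children = 'Computers', 'Groups', 'Service Accounts', 'Users'
foreach ($site in $sites) {
    New-ADOrganizationalUnit -Name $site -Path $domainDn -ProtectedFromAccidentalDeletion $true
    foreach ($child in $children) {
        New-ADOrganizationalUnit -Name $child -Path "OU=$site,$domainDn" -ProtectedFromAccidentalDeletion $true
    }
}

# ---- Lab 2.5: users (site OU, given name, surname, logon name) ----
$users = @(
    @{ Site = 'LA'; First = 'Sarah';   Last = 'Conner';  Sam = 'sconner'  },
    @{ Site = 'LA'; First = 'Dominic'; Last = 'Toretto'; Sam = 'dtoretto' },
    @{ Site = 'NY'; First = 'Clark';   Last = 'Kent';    Sam = 'ckent'    },   # assumed logon name
    @{ Site = 'NY'; First = 'Peter';   Last = 'Parker';  Sam = 'pparker'  }    # assumed logon name
)
foreach ($u in $users) {
    New-ADUser -Name "$($u.First) $($u.Last)" -GivenName $u.First -Surname $u.Last `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@contoso.com" `
        -Path "OU=Users,OU=$($u.Site),$domainDn" `
        -AccountPassword $initialPwd -Enabled $true `
        -ChangePasswordAtLogon $false      # "User must change password at next logon" unchecked
}

# ---- Lab 2.5: groups (wizard defaults are Global scope, Security type) ----
New-ADGroup -Name 'Cool Admins'      -Path "OU=Groups,OU=LA,$domainDn" -GroupScope Global -GroupCategory Security
New-ADGroup -Name 'SuperHero Admins' -Path "OU=Groups,OU=NY,$domainDn" -GroupScope Global -GroupCategory Security

# ---- Lab 2.5: membership (steps 2.5.8 and 2.5.9) ----
Add-ADGroupMember -Identity 'Cool Admins'      -Members 'sconner', 'dtoretto'
Add-ADGroupMember -Identity 'SuperHero Admins' -Members 'ckent', 'pparker'

# ---- Verify ----
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn | Select-Object DistinguishedName
Get-ADGroupMember -Identity 'SuperHero Admins' | Select-Object Name, SamAccountName
Get-ADGroupMember -Identity 'Cool Admins'      | Select-Object Name, SamAccountName
```

Creating the OUs with -ProtectedFromAccidentalDeletion matches the checkbox ADUC ticks by default in step 2.4.3; the user and group objects land in the same OUs the lab's right-click steps use, so the delegation in lab 2.6 applies to them unchanged.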
2.6 Delegating control on Organizational Unit.
In this lab, we will use delegation process to grant access on Organizational
Units.
Delegation is the ability of a domain administrator to grant a non-domain
administrator the ability to control a portion of the Active Directory
environment. This control could be as large as creating user accounts in a
specified organizational unit (OU) or as small as modifying the phone
number for a single user. AD delegation is a critical part of security and
compliance. By delegating control over Active Directory, you can grant users
or groups the permissions they need without adding users to privileged
groups like Domain Admins and Account Operators.
2.6.1 Login as contoso\administrator on DC > open ADUC > right-click on
NY OU and select Delegate Control… > In Delegation of Control Wizard,
click Next.
2.6.2 In Users or Groups > click Add > in the Select Users, Computers, or Groups
window type super and click the Check Names button > SuperHero Admins group
will be auto-filled > click OK > click Next.

2.6.3 In Tasks to Delegate > check all the boxes as shown below and click
Next > click Finish.

2.6.4 In ADUC > click View in the menu bar > click Advanced Features.
2.6.5 Right-click on NY OU and select Properties > click the Security tab >
Advanced button > this shows the delegated permissions for the SuperHero
Admins group and confirms the delegation process we completed. Now any
member of the SuperHero Admins group can manage User and Group objects
in the NY and child OUs.
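Step 2.6.5 checks the delegation by eye in the Advanced Security dialog. The script below, added here as an example and not part of the original lab book, reads the same access control entries from the NY OU through the AD: drive and resolves the object GUIDs to readable class and right names, so the review can be repeated and compared after every change. It assumes the lab's NY OU and SuperHero Admins group and a domain user allowed to read the OU's security descriptor; it changes nothing.

```powershell
# Added example (not from the lab book): audit the ACEs lab 2.6 delegated on
# the NY OU. Read-only; run on DC or any host with the RSAT AD tools.

Import-Module ActiveDirectory
$ouDn    = "OU=NY,$((Get-ADDomain).DistinguishedName)"
$rootDse = Get-ADRootDSE

# GUID -> name maps built once: schema classes/attributes (schemaIDGUID) and
# extended rights such as "Reset Password" (rightsGuid). Without these the
# ObjectType column of an ACE is just a GUID.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty)      { return 'All' }
    if ($guidMap.ContainsKey($g))  { return $guidMap[$g] }
    return $g.ToString()
}

# Explicit (non-inherited) ACEs are the ones written onto this OU: the
# wizard's delegation plus the built-in entries every new OU gets from its
# default security descriptor (Account Operators, Print Operators, ...).
$explicit = (Get-Acl -Path "AD:\$ouDn").Access | Where-Object { -not $_.IsInherited }

$explicit |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ n = 'AppliesTo';   e = { Resolve-AceGuid $_.InheritedObjectType } },
        @{ n = 'ObjectRight'; e = { Resolve-AceGuid $_.ObjectType } },
        InheritanceType |
    Sort-Object IdentityReference |
    Format-Table -AutoSize

# Review question for step 2.6.5: which principals other than the group we
# delegated to hold explicit rights here? Built-in operator groups are
# expected; any other name is a delegation that needs an owner.
$explicit |
    Where-Object { $_.IdentityReference -notlike 'CONTOSO\SuperHero Admins' } |
    Select-Object -ExpandProperty IdentityReference -Unique
```

The AppliesTo column corresponds to the "Applies to" text in the Advanced Security dialog and ObjectRight to the specific attribute or extended right, which is how you confirm the wizard granted only the user and group tasks ticked in step 2.6.3 and nothing broader.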
2.7 Work with Flexible Single Master Operation
(FSMO) roles.
In this lab, we will change FSMO role from one domain controller to another.
We will move PDC Emulator FSMO role from DC2 to DC.
Active Directory is the central repository in which all objects in an enterprise
and their respective attributes are stored. It's a hierarchical, multi-master
enabled database that can store millions of objects. Changes to the database
can be processed at any given domain controller (DC) in the enterprise,
regardless of whether the DC is connected or disconnected from the network.
Active Directory has five Flexible Single Master Operations (FSMO) roles,
two of which are enterprise-level (i.e., one per forest) and three of which are
domain-level (i.e., one per domain). The enterprise-level FSMO roles are
called the Schema Master and the Domain Naming Master. The domain-level
FSMO roles are called the Primary Domain Controller Emulator, the Relative
Identifier Master, and the Infrastructure Master.
!**Prerequisite**! Make sure that both DC and DC2 are online.
2.7.1 Login as contoso\administrator on DC server > open ADUC > Confirm
that the ADUC tool is connected to the DC.contoso.com domain controller >
right-click on [DC.contoso.com] > click Change Domain Controller.

2.7.2 In the Change to section > select DC2 > OK. You will now see ADUC
connected to the DC2 server.
2.7.3 Right-click on [DC2.contoso.com] > Operations Masters.

2.7.4 In Operations Masters > click the PDC tab. The top section shows the
server currently holding the PDC role and the bottom section shows the server
the role can be transferred to. Click the Change button > Yes > OK to confirm.
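The role transfer of lab 2.7 scripted with the ActiveDirectory module, added here as an example and not part of the original lab book. It assumes DC and DC2 are both online (the lab's prerequisite) and runs on DC as contoso\administrator. It performs a transfer, the same clean hand-off the console does; seizing a role from a DC that is gone is a different operation and is not what this lab covers.

```powershell
# Added example (not from the lab book): list all five FSMO holders, move the
# PDC Emulator from DC2 to DC (lab 2.7), and list them again.

Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Two forest-wide roles and three domain-wide roles in one object
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'Before:'
Get-FsmoHolders | Format-List

# -Identity names the DC that should RECEIVE the role. The cmdlet contacts the
# current holder (DC2 here) and transfers cleanly; it fails if DC2 is offline.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC' `
    -OperationMasterRole PDCEmulator -Confirm:$false

'After:'
Get-FsmoHolders | Format-List

# Cross-check with the legacy tool that reads the same role holders
netdom query fsmo
```

The PDC Emulator is also the domain's authoritative time source and the DC that processes password changes first, so after moving it check that the new holder's clock is correct and that it still has a reachable upstream time source.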

2.8 Create Offline Standalone CA and add Enterprise Subordinate CA.
In this lab, we will set up a Standalone certificate authority infrastructure
with a root CA and an enterprise Subordinate CA. The root CA will be treated as
an offline CA, so it will not be part of the domain.
In cryptography, a certificate authority or certification authority (CA) is an
entity that issues digital certificates. A digital certificate certifies the
ownership of a public key by the named subject of the certificate. This allows
others (relying parties) to rely upon signatures or on assertions made about
the private key that corresponds to the certified public key. A CA acts as a
trusted third party—trusted both by the subject (owner) of the certificate and
by the party relying upon the certificate. The format of these certificates is
specified by the X.509 or EMV standard.
One particularly common use for certificate authorities is to sign certificates
used in HTTPS, the secure browsing protocol for the World Wide Web.
Another common use is in issuing identity cards by national governments for
use in electronically signing documents. Organizations running on Microsoft
environments can use a Microsoft CA to leverage Active Directory and
Microsoft certificate services to distribute certificates to all your domain-
connected devices through group policies.
!**Prerequisite**! To complete this lab, virtual machines CTTC-ROOTCA01
& CTTC-INTCA01 will be needed. Using labs LS.7 & LS.8 and LS.10,
complete the setup of both virtual machines. Do not add CTTC-ROOTCA01
to the domain, it will be a standalone server. Both virtual machines must be
online.
2.8a Setting up Standalone Root CA
2.8.a1 Login as cttc-rootca01\administrator on CTTC-ROOTCA01 > Server
Manager > Add roles and features > Next > Role-based or feature-based
installation > Next > Select CTTC-ROOTCA01 & click Next.

2.8.a2 In Select Server Roles check Active Directory Certificate Services >
click Add Features > Next.

2.8.a3 Take default settings in select features window and click Next.
2.8.a4 Click Next on Active Directory Certificate Services > In Select role
services keep Certification Authority checked and click Next.
2.8.a5 In the Confirm installation selections window > check Restart the
destination server automatically and click Install > click Close when the
installation succeeds.
2.8.a6 Now we will configure this server as the CA. In Server Manager >
Notification Flag click Configure ADCS.

2.8.a7 In Credentials click Next > In Role Services check Certification
Authority box > click Next.
2.8.a8 In Setup Type window select Standalone CA > Next. In CA Type
window > select Root CA.

2.8.a9 Make sure Create a new Private key is selected > Next. Set
Cryptography as shown below > Next.

2.8.a10 In the CA Name window accept the default name CTTC-RooTCA01-CA
> Next. Select 5 years validity period > Next. Use default location paths >
Next. Click Configure in Confirmation window > in Results window click
Close.
2.8.a10 In Server Manager > Tools > Certification Authority > right-click on
CTTC-RooTCA01-CA > click Properties > in General tab click View
Certificate button to view CA’s self-signed digital certificate > click Details
tab in Certificate window to view certificate attributes e.g., serial number,
validity, issuer etc.
2.8.a11 We will now export CA’s certificate. Click Copy to file button > In
Certificate Export Wizard click Next. In Export file format use DER encoded
binary X.509 option > Next.
2.8.a12 In File to Export type CTTC-RooTCA01-Cert.Export > Next >
confirm path of where this file will be exported to and click Finish > OK >
OK.
2.8.a13 In CTTC-RooTCA01-CA property page > security tab > select
Everyone from Groups or user names and click Remove. Select
Administrators in the same section and check all Allow boxes under
Permissions.

2.8.a14 Click Extensions tab > Make sure CRL Distribution Point (CDP) is
selected in the Select extension drop-down > remove all entries from the list
except the local C drive path.
2.8.a15 Now click the Add button and add the following locations one at a
time > OK
http://cttc-intca01.contoso.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com<CDPObjectClass>
2.8.a16 Switch the Select extension drop-down to Authority Information Access
(AIA) > remove all entries from the list except the local C drive path.
2.8.a17 Now click the Add button and add the following locations one at a
time > OK > check the box for Include in the AIA extension of issued
certificates > Apply > Yes if requested to restart services > OK.
Ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com<CAObjectClass>
http://cttc-intca01.contoso.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt

2.8.a18 In Certification Authority window > right-click Revoked Certificates
> Properties. Confirm CRL publication interval is every 1 week > OK >
right-click Revoked Certificates > All Tasks > Publish > if prompted select
OK in Publish CRL window.

2.8.a19 View CRL by going to path
C:\Windows\system32\CertSrv\CertEnroll
2.8.a20 In Certification Authority tool > right-click on CTTC-RooTCA01-
CA > click Properties > in General tab click View Certificate button > click
Details tab > click Copy to file button > In Certificate Export Wizard click
Next. In Export file format use DER encoded binary X.509 option > Next.
2.8.a21 In File to Export > click Browse button and browse to
C:\Windows\system32\CertSrv\CertEnroll > type CTTC-RooTCA01-
Cert.Export in file name > Save > Next > confirm path of where this file will
be exported to and click Finish > OK > OK > OK.
2.8.a22 Open File explorer and go to path
C:\Windows\system32\CertSrv\CertEnroll to confirm export.

2.8.a23 We will now copy this exported certificate file over to our
Intermediate or subordinate CA server CTTC-INTCA01. Right-click the Start
button on Taskbar and select Run. Type \\192.168.1.251\c$ to connect to
CTTC-INTCA01 server. On the remote C drive, create folder CertFiles.
!**Important**! If you are unable to connect, make sure Windows Firewall
is turned off on CTTC-INTCA01 server, disable it if not.
2.8.a24 Now copy all files from CertEnroll folder to this new folder on
CTTC-INTCA01 server. Using these files, we will create our Intermediate or
Subordinate CA.
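Lab 2.8a scripted with the ADCSDeployment and ADCSAdministration modules plus certutil, added here as an example and not part of the original lab book. The CA name, validity period, CDP/AIA locations and the 1-week CRL interval are the lab's own; the key length, hash and provider are assumptions because the lab shows its cryptography settings only as a screenshot, so match them to yours. Run it elevated on CTTC-ROOTCA01.

```powershell
# Added example (not from the lab book): standalone offline root CA of lab 2.8a.
# Run elevated on CTTC-ROOTCA01 (workgroup machine, never domain-joined).

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Steps 2.8.a8-a10: standalone root, new private key, 5-year CA certificate.
# Cryptography values are assumed (lab screenshot not reproduced here).
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'CTTC-RooTCA01-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force

# ---- CDP (steps 2.8.a14-a15): keep the local file path, drop the rest, then
# add the locations relying parties can actually reach. ----
Get-CACrlDistributionPoint | Where-Object { $_.Uri -notlike 'C:\*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

Add-CACrlDistributionPoint `
    -Uri 'http://cttc-intca01.contoso.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force
# The offline root is not in the domain, so it cannot publish to LDAP itself.
# The LDAP URL is only embedded in issued certificates; the CRL is pushed into
# AD later from a domain member with "certutil -dspublish".
Add-CACrlDistributionPoint `
    -Uri 'ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com<CDPObjectClass>' `
    -AddToCertificateCdp -Force

# ---- AIA (steps 2.8.a16-a17) ----
Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -notlike 'C:\*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess `
    -Uri 'ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com<CAObjectClass>' `
    -AddToCertificateAia -Force
Add-CAAuthorityInformationAccess `
    -Uri 'http://cttc-intca01.contoso.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt' `
    -AddToCertificateAia -Force

# ---- Step 2.8.a18: 1-week CRL interval, restart the service, publish ----
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
Restart-Service certsvc
certutil -crl

# ---- Steps 2.8.a20-a22: export the CA certificate, DER encoded ----
$enroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"
Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq 'CN=CTTC-RooTCA01-CA' |
    Export-Certificate -FilePath "$enroll\CTTC-RooTCA01-Cert.Export" -Type CERT

# The files the subordinate CA and the domain will need (step 2.8.a24 copies them)
Get-ChildItem $enroll
```

Because the root stays offline, the 1-week CRL interval means the machine has to be powered on and certutil -crl run at least that often, or every certificate chaining to it fails revocation checking once the CRL expires; a longer base CRL period is the usual choice for an offline root, and the interval here is simply the lab's value.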

2.8b Adding enterprise Subordinate CA


2.8.b1 Login as contoso\administrator to CTTC-INTCA01 > Server Manager
> Add roles and features > Next in Before you begin > Role-based or
feature-based installation option > Next > In Select destination server make
sure CTTC-INTCA01 is selected and click Next > In Select Server Roles check
Active Directory Certificate Services > click Add Features > Next.

2.8.b2 Next in Select features window > Next in Active Directory Certificate
Services > Select Certification Authority & Certification Authority Web
Enrollment in Select Role services > click Add Features button in pop-up >
click Next > Next in Web Server Role (IIS) window.
2.8.b3 Take defaults in Select role services click Next > check Restart the
destination server automatically if required > Yes in pop-up > click Install
button > when installation succeeds click Close.
2.8.b4 Now we will configure this server as the Subordinate CA. In Server
Manager > Notification Flag click Configure ADCS.

2.8.b5 Confirm contoso\administrator account is listed in credentials > Next
> Select the following two options in Role Services.
2.8.b6 Select Enterprise CA in Setup Type click Next > Select Subordinate
CA in CA Type click Next.
2.8.b7 Select Create a new key in Private Key window click Next > choose
following in Cryptography for CA window > Next.

2.8.b8 Use defaults in CA Name.

2.8.b9 We will now start the process of requesting a certificate for this SubCA
from the Root CA. In certificate request take defaults > Next. A .req request
file will be created at the root of the C drive of CTTC-INTCA01 server.

2.8.b10 Take defaults in CA Database > Next > click Configure in the
Configuration window.
2.8.b11 Read the Certification Authority section to learn how we will obtain
SubCA certificate from parent CA > click Close.
2.8.b12 Open file explorer and go to the root of the C drive > open another file
explorer window and connect to the Root CA administrative share using
\\192.168.1.250\c$ > now copy the .req file over to the Root CA share.

!**Important**! If you are unable to connect, make sure Windows Firewall
is turned off on CTTC-ROOTCA01 server, disable it if not.
2.8.b13 Login as cttc-rootca01\administrator to CTTC-ROOTCA01 server >
Server Manager > Tools > Certification Authority.
2.8.b14 Right-click CTTC-RootCA01-CA > All Tasks > select Submit new
request.

2.8.b15 Browse to where we saved the .req file
c:\windows\system32\CertSrv\CertEnroll > choose the file > click Open.

2.8.b16 Go back to Certification Authority tool > select Pending Requests.
On the right side you will see the request that we just submitted. Right-click
the request > All Tasks > select Issue.

2.8.b17 Select the Issued Certificates folder and see the SubCA certificate we
issued.

2.8.b18 Double click on the issued certificate to view it > select Certification
path to see the CA hierarchy.

2.8.b19 We will now export this certificate and then import it on our
SubCA. Click the Details tab > click the Copy to File button > Next in the Export
Wizard > select the Cryptographic Message Syntax Standard (PKCS #7) option >
check the box to include all certificates in the certification path > Next.

2.8.b20 In File to export window > click Browse and go to
c:\windows\system32\CertSrv\CertEnroll > name the file SubCAIssueCert >
click Save.
2.8.b21 Click Next in File to Export > click Finish > OK to the completion of
process > OK on certificate window.
2.8.b22 Open file explorer and connect to \\192.168.1.251\c$ (SubCA
server). Create folder CertFiles. Open
c:\windows\system32\CertSrv\CertEnroll in another file explorer > Copy
SubCAIssueCert.p7b file to the SubCA server in CertFiles folder.

2.8.23 Log back into CTTC-INTCA01 server > Server Manager > Tools >
Certificate Authority > right-click on the SubCA server icon > All Tasks >
Install CA Certificate.
2.8.24 Browse to c:\CertFiles and select the SubCAIssueCert.p7b file > Open >
click OK on the warning that the root certificate is untrusted. Right-click on
SubCA in Certification Authority > All Tasks > click Start Service. The service
will start and the server icon will have a green check mark.

At this point, the CA hierarchy is in place to build on and to start
issuing certificates.
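The request, issue, retrieve and install round trip of lab 2.8b, scripted with certutil and certreq and added here as an example that is not part of the original lab book. The CA names and server names are the lab's; the C:\CertFiles folder on both machines and the request file name are assumptions. The file copies between the two servers still happen by hand over the administrative shares the lab uses, because the root is not a domain member. The dspublish lines go beyond the lab: they place the root certificate and CRL in Active Directory so every domain member trusts the chain, which is what removes the "root certificate is untrusted" prompt in step 2.8.24.

```powershell
# Added example (not from the lab book): subordinate CA round trip of lab 2.8b.
# Paths under C:\CertFiles and the .req file name are assumptions.

# ===== On CTTC-INTCA01 (domain member), elevated, as contoso\administrator =====
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Enterprise subordinate CA. No parent CA is reachable online, so this writes
# a request file instead of obtaining a certificate (step 2.8.b9).
# Cryptography values are assumed, as in the root CA example.
New-Item -ItemType Directory -Path 'C:\CertFiles' -Force | Out-Null
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'CTTC-INTCA01-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\CertFiles\CTTC-INTCA01-CA.req' -Force
Install-AdcsWebEnrollment -Force     # hosts /CertEnroll for the HTTP CDP/AIA URLs

# Publish the offline root's certificate and CRL into AD (copied from the
# root's CertEnroll folder in step 2.8.a24). The CRL file name follows the
# <CaName><CRLNameSuffix><DeltaCRLAllowed>.crl template of the CDP entry.
certutil -dspublish -f 'C:\CertFiles\CTTC-RooTCA01-Cert.Export' RootCA
certutil -dspublish -f 'C:\CertFiles\CTTC-RooTCA01-CA.crl'
# Also trust it locally right away rather than waiting for group policy refresh
certutil -addstore -f Root 'C:\CertFiles\CTTC-RooTCA01-Cert.Export'
certutil -addstore -f Root 'C:\CertFiles\CTTC-RooTCA01-CA.crl'

# ===== On CTTC-ROOTCA01 (standalone), after copying the .req over =====
$config = 'CTTC-ROOTCA01\CTTC-RooTCA01-CA'
$out = certreq -submit -config $config 'C:\CertFiles\CTTC-INTCA01-CA.req'
# A standalone CA holds requests as pending (step 2.8.b16). Pull the RequestId
# out of certreq's output and issue it, the scripted "All Tasks > Issue".
$id = [regex]::Match(($out -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value
certutil -resubmit $id
# Retrieve the certificate plus its chain as PKCS #7 (.p7b), as step 2.8.b19 does
certreq -retrieve -config $config $id 'C:\CertFiles\SubCAIssueCert.cer' 'C:\CertFiles\SubCAIssueCert.p7b'

# ===== Back on CTTC-INTCA01, after copying SubCAIssueCert.p7b over =====
certutil -installcert 'C:\CertFiles\SubCAIssueCert.p7b'
Start-Service certsvc

# Verify: the CA is running and its certificate chains to CTTC-RooTCA01-CA
certutil -cainfo
Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like 'CN=CTTC-INTCA01-CA*' |
    Select-Object Subject, Issuer, NotAfter
```

Two points worth keeping from this flow: the subordinate's private key never leaves CTTC-INTCA01 (only the .req and the issued certificate travel), and the root's trust is established through AD rather than by clicking past an "untrusted" warning, so a domain member that later sees a certificate from the sub CA can build and validate the full chain on its own.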
Module 3 - Network Infrastructure Labs
Module 3 labs revolve around technologies that are used to manage our
Network Infrastructure. This includes Dynamic Host Configuration Protocol
(DHCP) and Domain Name System (DNS). DHCP is used to assign IP
configuration to devices so they can communicate with each other. DNS is
used to resolve hostnames and other service names to IP addresses.
!**Prerequisite**! To complete this lab, virtual machines CTTC-DHCP1,
CTTC-DHCP2, CTTC-VPN (Server 2019) & CTTC-dhcpPC (Win10) will be
needed. CTTC-dhcpPC will not join the domain. Make sure CTTC-dhcpPC
is set to obtain an IP automatically (do not configure a static IP). Using
labs LS.7 & LS.8 and LS.10, complete the setup of the server virtual machines.
Connect the server and PC NICs with 10.1.1.x IP addresses to the Internal vSwitch
virtual switch. CTTC-DHCP1 & CTTC-VPN have two NICs, one connected
to External vSwitch (IP 10.1.1.X) & the other to Internal vSwitch (IP 192.168.1.x)
virtual switch.
3.1 Add DHCP role and create a DHCP Scope.
In this lab, we will add the DHCP role to our server and create a scope to lease
IP addresses.
A DHCP Server is a network server that automatically provides and assigns
IP addresses, default gateways and other network parameters to client
devices. It relies on the standard protocol known as Dynamic Host
Configuration Protocol or DHCP to respond to broadcast queries by clients.
DHCP scopes are used to define ranges of addresses from which a DHCP
server can assign IP addresses to clients. ... Normal Scope - Allows A, B and
C Class IP address ranges to be specified including subnet masks, Exclusions,
and reservations.
3.1.1 Login as contoso\administrator on CTTC-DHCP1 server > Server
Manager > Add roles and features > click Next in Before you begin window
> Next in Select installation type > Next in Select destination server > check
DHCP Server in select server role window > click Add features > click Next.
3.1.2 Next in Select features > Next in DHCP Server > check restart server
automatically if required > Yes to prompt > click Install > click Close when
installation succeeds.
3.1.3 Go to Server Manager > click Notifications Flag > click complete
DHCP configuration. Click Next in Description window > click Commit >
Close.

3.1.4 Server Manager > Tools > select DHCP. A DHCP server must be
authorized in AD before it can lease out any IP addresses. To confirm that
our DHCP server is Authorized > right-click on the server name in the DHCP tool;
you should see an Unauthorize option. This confirms that your DHCP server is
Authorized. If it is not, then select the Authorize option to complete that process.

3.1.5 Right-click on IPv4 icon under DHCP server > New Scope > Next on
Welcome screen > Type 10.1.1.x-Scope in Name > click Next.
3.1.6 In IP address Range window, complete as following > Next.
3.1.7 In the Add Exclusions and Delay window add the following two ranges of
IP addresses using the Add button > Next.

3.1.8 In Lease Duration, change to only 2 minutes. This will force devices to
release IP address every minute > Next.

3.1.9 In DHCP Options window > No I will configure these options later >
Next > Finish to complete process.

3.1.10 In DHCP tool > expand your new scope > click Address pool. This
shows total range of IP addresses that will be leased for this scope and what
are the Exclusion ranges.
3.1.11 Right-click on Scope Options container > Configure Options > check
003 Router box > type 10.1.1.1 in IP Address and click Add. Check 015 DNS
Domain Name > type contoso.com > click Ok.
Right-click Server Options > Configure Options > check 006 DNS Servers
box > type 192.186.1.225 address > Add > OK.

3.1.12 Now you can click on Scope and Server options in DHCP tool to view
your configuration. Server options settings will apply to all Scopes that are
created in the DHCP server.

3.1.13 Now we will Activate our Scope > right-click on your DHCP Scope >
select Activate. The black arrow pointing downward on the Scope icon will
disappear and Scope is ready to lease out addresses.
!**Important**! Make sure that the CTTC-dhcpPC VM’s NIC is connected to the
Internal vSwitch virtual switch. This will put the system in the same virtual
network as the DHCP server.
3.1.14 Login to CTTC-dhcpPC using cttc-dhcpPC\administrator (local)
account > Open command prompt > type ipconfig > This will show us an IP
address in 169.254.x.x subnet. PC is set to obtain an IP automatically but is
still waiting for DHCP server to provide one. Now type ipconfig /renew to
obtain IP configuration for the Scope we created.

3.1.15 Now that you have the leased IP address > from command prompt >
type ping 10.1.1.1 > you should get a reply from the server’s address. This
confirms connectivity to the DHCP server.

3.1.16 Move over to the CTTC-DHCP1 server > DHCP tool > select Address
Leases under Scope > refresh and see the lease entry for CTTC-dhcpPC. Unique
ID identifies the client’s MAC address.
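Lab 3.1 done with the DhcpServer module, added here as an example and not part of the original lab book. The scope name, 2-minute lease, router option, DNS domain and the DNS server address (taken as written in step 3.1.11) are the lab's own, and the server's 10.1.1.1 address is the one step 3.1.15 pings. The address range and the two exclusion ranges appear in the lab only as screenshots, so the values used for them below are constructed placeholders. Run it elevated on CTTC-DHCP1 as contoso\administrator.

```powershell
# Added example (not from the lab book): DHCP role, authorization, scope,
# exclusions, options and activation of lab 3.1 on CTTC-DHCP1.

Install-WindowsFeature DHCP -IncludeManagementTools

# Step 3.1.4: authorize in AD. An unauthorized Windows DHCP server refuses to
# lease, which is the forest's protection against rogue DHCP servers.
Add-DhcpServerInDC -DnsName 'cttc-dhcp1.contoso.com' -IPAddress '10.1.1.1'
Get-DhcpServerInDC                    # every authorized server in the forest

# Steps 3.1.5-3.1.9: scope, created inactive because options are deferred.
# StartRange/EndRange are constructed placeholders (lab shows a screenshot).
$scopeId = '10.1.1.0'
Add-DhcpServerv4Scope -Name '10.1.1.x-Scope' `
    -StartRange '10.1.1.10' -EndRange '10.1.1.200' -SubnetMask '255.255.255.0' `
    -LeaseDuration (New-TimeSpan -Minutes 2) -State InActive

# Step 3.1.7: two exclusion ranges (constructed placeholders)
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange '10.1.1.10'  -EndRange '10.1.1.20'
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange '10.1.1.190' -EndRange '10.1.1.200'

# Step 3.1.11: scope options 003 Router and 015 DNS Domain Name
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router '10.1.1.1' -DnsDomain 'contoso.com'
# Server-level option 006 DNS Servers, inherited by every scope. -Force skips
# the reachability probe the cmdlet otherwise runs against the DNS address.
Set-DhcpServerv4OptionValue -DnsServer '192.186.1.225' -Force

# Step 3.1.13: activate
Set-DhcpServerv4Scope -ScopeId $scopeId -State Active

# Steps 3.1.10, 3.1.12, 3.1.16: review what was configured and who leased
Get-DhcpServerv4Scope -ScopeId $scopeId | Select-Object Name, StartRange, EndRange, LeaseDuration, State
Get-DhcpServerv4ExclusionRange -ScopeId $scopeId
Get-DhcpServerv4OptionValue -ScopeId $scopeId       # scope options
Get-DhcpServerv4OptionValue                          # server options
Get-DhcpServerv4Lease -ScopeId $scopeId | Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
```

The ClientId column of Get-DhcpServerv4Lease is the MAC address the console labels Unique ID in step 3.1.16, and it is the value a reservation in lab 3.2 is keyed on.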

3.2 Setting up DHCP Reservation.


In this Lab, we will reserve an IP address for the client. Once configured,
same address will be leased to the client each time.
A DHCP reservation is a permanent IP address assignment. It is a specific IP
address within a DHCP scope that is permanently reserved for leased use to a
specific DHCP client. Users can configure a DHCP reservation in their
DHCP server when they need to reserve a permanent IP address assignment.
This is accomplished by mapping client's MAC address to the desired leased
IP address.
3.2.1 In DHCP tool > expand your Scope > right-click Reservations > New
Reservation.

3.2.2 In New Reservation window > Type client’s hostname in Reservation
name > type IP that needs to be reserved > add a description if needed > click
Add > Close. Configure using the following information.

3.2.3 Go back to DHCP tool > Reservations > this will show our reserved
address. Click Address Leases > we will now see the reserved entry as well.
3.2.4 Go to CTTC-dhcpPC > command prompt > type ipconfig /release. This
will release the current IP address from PC. Type ipconfig /renew > now you
will see the reserved IP address allocated to the PC.

3.2.4 Go back to Address Leases > refresh and see reservation (inactive) is
now (active).

3.3 Configuring DHCP Failover.


In this lab, we will configure two DHCP servers in a Failover
configuration. Failover helps when the primary DHCP server fails.
DHCP Failover concept enables two Microsoft DHCP servers to share
service availability information with each other, providing DHCP high
availability. DHCP failover works by replicating IP address leases and
settings in one or more DHCP scopes from a primary DHCP server to a
failover partner server. All scope information is shared between the two
DHCP servers, including active leases. This enables either DHCP server to
assume responsibility for DHCP clients if the other server becomes
unavailable.
!**Important**! Make sure that the CTTC-DHCP2 server VM’s NIC is
connected to the Internal vSwitch virtual switch, with an IP address of
10.1.1.2/24 (use the IP Host information table in Lab Setup LS.8), and that
CTTC-DHCP2 server has joined the contoso.com domain. This will put the system
in the same virtual network as the other DHCP server.
3.3.1 Using steps in lab 3.1, complete steps 3.1.1 to 3.1.4 to add DHCP server
role on CTTC-DHCP2. Make sure that DHCP server is Activated.
3.3.2 Login to CTTC-DHCP1 server as contoso\administrator > Server
Manager > Tools > DHCP. Right-click on IPv4 icon under DHCP server >
Configure Failover. In Introduction to DHCP Failover windows, confirm
10.1.1.0 scope is listed > Next.
3.3.4 Type the partner DHCP2 server’s IP address > click Add Server > in the Add
Server window > select This authorized DHCP server > select DHCP2 or your
partner server > OK > Next.

3.3.5 In failover relationship window uncheck Enable message authentication
box > Next > Finish > Close

3.3.6 Confirm IP lease of CTTC-dhcpPC by selecting Addresses Leases


under your scope in DHCP tool. Now login to CTTC-DHCP2 server > Server
Manager > Tools > DHCP. Varify that our Scope has been replicated over to
this server confirming DHCP Failover configuration works.
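The same failover relationship built from PowerShell, as an added example that is not part of the lab book. It assumes CTTC-DHCP2 is 10.1.1.2 (from the note above) and the scope from lab 3.1 is 10.1.1.0/24; the relationship name is a placeholder, and unlike step 3.3.5 it keeps message authentication on by supplying a shared secret.

```powershell
# Added example (not from the lab book): PowerShell equivalent of lab 3.3, run on CTTC-DHCP1
# as contoso\administrator. Assumptions: CTTC-DHCP2 is 10.1.1.2 and the lab 3.1 scope is
# 10.1.1.0/24; 'CTTC-DHCP1-DHCP2' is a placeholder relationship name.
$Primary   = 'CTTC-DHCP1'
$Partner   = 'CTTC-DHCP2'
$PartnerIp = '10.1.1.2'
$ScopeId   = '10.1.1.0'

# 3.3.1: the partner must be authorized in AD DS, otherwise its DHCP service stays stopped.
if (-not (Get-DhcpServerInDC | Where-Object { $_.IPAddress -eq $PartnerIp })) {
    Add-DhcpServerInDC -DnsName "$Partner.contoso.com" -IPAddress $PartnerIp
}

# 3.3.2-3.3.5: create the failover relationship for the scope.
# The lab unchecks "Enable message authentication". Passing -SharedSecret turns it on: the
# two servers then authenticate their lease-update and state traffic, so another host on
# 10.1.1.0/24 cannot pose as the partner and push bogus lease state.
$secret = (Get-Credential -UserName 'dhcp-failover' -Message 'Failover shared secret').GetNetworkCredential().Password

Add-DhcpServerv4Failover -ComputerName $Primary -Name 'CTTC-DHCP1-DHCP2' `
    -PartnerServer $Partner -ScopeId $ScopeId `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 10) `
    -SharedSecret $secret
# LoadBalancePercent 50  = load-balance mode, both servers hand out leases from the scope.
# MaxClientLeadTime      = how far a surviving server may extend a lease its partner owns.
# AutoStateTransition    = after StateSwitchInterval without contact, the survivor moves to
#                          PARTNER-DOWN and serves the whole scope without an admin's click.

# 3.3.6: verify the relationship, and that the scope and its leases now exist on the partner.
function Test-DhcpFailoverReplicated {
    param([string]$Scope = $ScopeId, [string]$PartnerServer = $Partner)
    $rel = Get-DhcpServerv4Failover -ComputerName $Primary |
           Where-Object { $_.ScopeId -contains [ipaddress]$Scope }
    $partnerScope = Get-DhcpServerv4Scope -ComputerName $PartnerServer -ScopeId $Scope `
                        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Relationship    = $rel.Name
        State           = $rel.State           # NORMAL once both partners are in sync
        AuthEnabled     = $rel.EnableAuth
        ScopeOnPartner  = [bool]$partnerScope
        LeasesOnPartner = @(Get-DhcpServerv4Lease -ComputerName $PartnerServer -ScopeId $Scope `
                              -ErrorAction SilentlyContinue).Count
    }
}
Test-DhcpFailoverReplicated
```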
3.4 Configuring DHCP Relay Agent.
In this lab we will configure the DHCP Relay Agent to relay DHCP Discover
broadcasts from client devices over to the DHCP server.
A DHCP relay agent is any host that forwards DHCP packets between
clients and servers. Relay agents are used to forward requests and replies
between clients and servers when they are not on the same physical subnet.
!**Important**! We are completing this lab on our DHCP server, but in
actual networks the DHCP Relay Agent is not configured on the DHCP server; it
is configured on switches (working as relay agents) that can relay client
requests to the server. The DHCP Relay Agent listens to DHCP Discover
messages from clients and relays them to the DHCP server.
3.4.1 Login to CTTC-DHCP1 as contoso\administrator > Server Manager >
Add roles and features > Next in Before you begin > Role-based or feature-
based installation in Select Installation type, click Next.
3.4.2 Click Next in Select destination server > In Select Server Roles check
Remote Access box and click Next.

3.4.3 In Select features click Next > In Remote Access click Next > In Select
Role Services click Routing & DirectAccess options > click Add Features.

3.4.4 Click Next in Select Role Services > check restart the destination server
automatically if required > Yes > Install. Click Close button when installation
process succeeds.
3.4.5 Server Manager > Tools > select Routing and Remote access > right-
click on server name and select Configure and enable Routing and remote
access.

3.4.6 The wizard opens; click Next > In Configuration window select
the bottom option of Custom configuration and click Next > In Custom
Configuration select LAN Routing and click Next > click Finish > click Start
Service.

3.4.7 In Routing and Remote Access tool > expand IPv4 > right-click
General icon > select to install New Routing Protocol. In New Routing
Protocol window select DHCP Relay Agent and click OK >

3.4.8 Now notice the relay agent protocol added underneath the IPv4 container >
right-click on DHCP Relay Agent and select Properties > add all DHCP
server IP addresses one at a time by clicking Add button > OK
3.4.9 We will now add all network interfaces that will participate in relaying
DHCP Discover messages to DHCP servers. Right-click on DHCP Relay
Agent and click New Interface.

3.4.9 Select Ethernet from the list and click OK.

3.5 Add DNS Role and create secondary DNS zone.


In this lab, we will add the DNS role to our Server 2019, create a secondary
zone, and perform a successful zone transfer.
DNS stands for Domain Name System. The main function of DNS is to
translate domain names into IP Addresses, which computers can understand.
DNS is one of the industry-standard suite of protocols that comprise TCP/IP,
and together the DNS Client and DNS Server provide computer name-to-IP
address mapping name resolution services to computers and users.
Active Directory Domain Services (AD DS) uses DNS as its domain
controller location mechanism. DNS is a very integral part of the Network
Infrastructure as when any of the principal Active Directory operations is
performed, such as authentication, updating, or searching, computers use
DNS to locate Active Directory domain controllers. In addition, domain
controllers use DNS to locate each other.
The DNS Client service is included in all client and server versions of the
Windows operating system and is running by default upon operating system
installation. When you configure a TCP/IP network connection with the IP
address of a DNS server, the DNS Client queries the DNS server to discover
domain controllers, and to resolve computer names to IP addresses.
Forward Lookup Zones allow the DNS Server to resolve queries where the
client sends a name to the DNS Server to request the IP address of the
requested host.
Secondary zones are a DNS feature that allows the entire DNS database
from a master DNS server to be transferred to the secondary. A secondary
zone allows an organization to provide fault tolerance and load balancing for
internal names.
3.5.1 Login to CTTC-DHCP1 server with contoso\administrator account >
Server Manager > Add roles and features > Next in Before you begin > in
Select installation type, use default of role-based and click Next > select
CTTC-DHCP1 in Select destination server and click Next > in Select server
roles check DNS Server box > click Add Features > click Next > Next in
Select features > Next in DNS Server window > check restart destination
server automatically if required, click Yes on prompt and click Install.

3.5.2 When installation succeeds click Close > Open Server Manager > Tools
> DNS.
3.5.3 Login to DC server with contoso\administrator user > Server Manager >
Tools > DNS > expand DC > expand Forward Lookup zones > click and then
right-click on contoso.com zone and select Properties.
3.5.4 In contoso.com property page > select zone transfers tab > check Allow
zone transfers box > OK.
3.5.5 Go back to CTTC-DHCP1 server > in DNS > right-click Forward
Lookup zones > New Zone > In new zone wizard click Next > select
Secondary zone in Zone type > Next.

3.5.6 In zone name window type contoso.com to create the secondary zone
(zone name must always be equal to the actual domain name) > Next > In
Master DNS Server type DC server’s IP address 192.168.1.225 (the DNS server
address from which zone information will be transferred) > Next > Next in
completing New zone wizard > Finish.

3.5.7 Expand contoso.com secondary zone > right-click select Transfer from
Master > click refresh button or hit F5 to refresh > You will see zone
information now is copied over to this secondary zone.
3.6 Create AD Integrated Reverse Lookup Zone.
In this lab, we will create two Reverse lookup zones and register two IP to
Hostname mappings.
A reverse lookup zone is an authoritative DNS zone that is used primarily to
resolve IP addresses to network resource names. This zone type can be
primary, secondary, or Active Directory-integrated.
3.6.1 Login to DC server with contoso\administrator credentials > Server
Manager > Tools > DNS > expand Reverse Lookup zone container > right-
click Reverse Lookup zone and select New Zone. Next in New Zone Wizard
window > select Primary zone and check store the zone in Active Directory
box, Next > select To all DNS servers running on domain controllers in the
forest: contoso.com and click Next > select IPv4 Reverse Lookup Zone and
click Next.
3.6.2 In Reverse Lookup Zone name type 192.168 in Network ID section and
click Next > In dynamic updates windows select Allow both nonsecure and
secure dynamic updates and click Next > click Finish.

3.6.3 Now please add another reverse lookup zone with same configuration
using 10.1 as Network ID.
3.6.4 Open command prompt or PowerShell and type ipconfig /registerdns.
This will force DC server to register its host and PTR records with DNS
forward and reverse lookup zones. Login to CTTC-DHCP1, open command
prompt or PowerShell and type ipconfig /registerdns.
3.6.5 Go to DNS on DC server > click Refresh button > expand Reverse
Lookup zone > select each reverse lookup zone to view registered PTR
records. If you do not see the registered PTR records, execute ipconfig
/registerdns command again and refresh zone.

3.7 DNS Forwarding


DNS forwarding is the process by which particular sets of DNS queries are
handled by a designated server, rather than being handled by the initial server
contacted by the client. Usually, all DNS servers that handle address
resolution within the network are configured to forward requests for
addresses that are outside the network to a dedicated forwarder.

3.7a Configure DNS Forwarders


In this lab, we will configure DNS Forwarders on the DC DNS server.
In Domain Name System (DNS) terms, a DNS forwarder is a DNS server
that is used to forward DNS queries for external DNS names to DNS servers
outside that network. It does this for DNS queries that it cannot resolve
locally, meaning DNS queries for names it has no knowledge of.
3.7a.1 Login to DC server with contoso\administrator user account. Server
Manager > Tools > DNS.
3.7a.2 Right-click DC server in DNS tool > select properties > in DC
property page click Forwarders tab > click Edit button > in Edit Forwarders
window type an external DNS server’s IP address 8.8.8.8 and hit enter key >
click OK > OK on DC Properties.
3.7a.3 Now any device in our virtual environment, from servers to clients, that
points to the DC server for DNS can access the Internet. Make sure that the NIC
on the DC VM is connected to the External vSwitch virtual switch for external
access.
3.7b Configuring DNS Conditional Forwarders.
In this lab, we will configure two domain names to be forwarded to different
forwarder addresses.
Conditional forwarders are DNS servers that only forward queries for
specific domain names. Instead of forwarding all queries it cannot resolve
locally to a forwarder, a conditional forwarder is configured to forward name
queries to specific forwarders based on the domain name contained in the
query.
3.7b.1 Login to DC server using contoso\administrator credentials > Server
Manager > Tools > DNS. Right-click Conditional Forwarders container >
New conditional forwarder > type yahoo.com in DNS Domain: > type 8.8.8.8
address as the master server > OK.
3.7b.2 Add another conditional forwarder for domain name bbc.co.uk with
8.8.4.4 as the DNS IP.

3.7b.3 Expand Conditional Forwarders container to see both entries we
added. Each points to a specific DNS server’s IP address.
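Labs 3.5, 3.6 and 3.7 scripted in PowerShell, as an added example that is not part of the lab book. It assumes DC is 192.168.1.225 (step 3.5.6) and uses a placeholder for CTTC-DHCP1's address (the LS.8 table has the real value); it also restricts zone transfers to that one secondary and uses secure dynamic updates, where the GUI steps accept any server and nonsecure updates.

```powershell
# Added example (not from the lab book): PowerShell equivalent of labs 3.5, 3.6 and 3.7.
# Assumptions: DC is 192.168.1.225 (step 3.5.6); $SecondaryIp is a placeholder for
# CTTC-DHCP1's address from the LS.8 table, which this section does not restate.
$Zone        = 'contoso.com'
$DcIp        = '192.168.1.225'
$SecondaryIp = '10.1.1.1'   # placeholder: replace with CTTC-DHCP1's real address

# ---- On DC, lab 3.5.3-3.5.4: allow zone transfers, but only to the named secondary.
# The GUI checkbox defaults to "To any server", which lets any host pull the whole zone
# (AXFR): every host name and address in contoso.com. Listing the secondary is the
# defensible setting, and NotifyServers makes DC push change notices to it.
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $SecondaryIp -Notify NotifyServers -NotifyServers $SecondaryIp

# ---- On CTTC-DHCP1, lab 3.5.5-3.5.7: create the secondary zone and pull it from the master.
Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $DcIp
Start-DnsServerZoneTransfer -Name $Zone -FullTransfer
Get-DnsServerResourceRecord -ZoneName $Zone | Select-Object HostName, RecordType -First 10

# ---- On DC, lab 3.6.1-3.6.3: AD-integrated reverse zones for 192.168.x.x and 10.1.x.x.
# The lab picks "nonsecure and secure" dynamic updates. For an AD-integrated zone, Secure is
# the right choice: only the account that registered a record may change it, so one host
# cannot overwrite another machine's PTR (or A) record with an unauthenticated update.
foreach ($net in '192.168.0.0/16', '10.1.0.0/16') {
    Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Forest -DynamicUpdate Secure
}
# 3.6.4: equivalent of "ipconfig /registerdns" (run on DC and on CTTC-DHCP1)
Register-DnsClient
# 3.6.5: list PTR records; 192.168 becomes 168.192.in-addr.arpa, 10.1 becomes 1.10.in-addr.arpa
foreach ($rz in '168.192.in-addr.arpa', '1.10.in-addr.arpa') {
    Get-DnsServerResourceRecord -ZoneName $rz -RRType Ptr |
        Select-Object HostName, @{ n = 'Target'; e = { $_.RecordData.PtrDomainName } }
}

# ---- On DC, lab 3.7a.2: global forwarder for every name DC is not authoritative for.
# -UseRootHint $false stops DC from iterating the Internet itself when 8.8.8.8 is unreachable,
# which keeps all outbound resolution on one path you can log and filter at the perimeter.
Set-DnsServerForwarder -IPAddress 8.8.8.8 -UseRootHint $false -Timeout 3

# ---- Lab 3.7b.1-3.7b.2: conditional forwarders take precedence over the global list
# for queries inside their domain names.
$conditional = @{ 'yahoo.com' = '8.8.8.8'; 'bbc.co.uk' = '8.8.4.4' }
foreach ($name in $conditional.Keys) {
    Add-DnsServerConditionalForwarderZone -Name $name -MasterServers $conditional[$name]
}

# ---- Review (3.7b.3) and a resolution check that goes through DC
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } |
    Select-Object ZoneName, MasterServers
Resolve-DnsName -Name 'www.bbc.co.uk' -Type A -Server $DcIp
```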
3.8 Install and manage Remote Access Server role
In this lab, we will configure server CTTC-VPN as the VPN server and use
the CTTC-dhcpPC client to establish a VPN connection. The virtual network
between them will simulate an Internet connection.
A VPN extends a corporate network through encrypted connections made
over the Internet. Because the traffic is encrypted between the device and the
network, traffic remains private as it travels. An employee can work outside
the office and still securely connect to the corporate network. Secure remote
access provides a safe, secure way to connect users and devices remotely to a
corporate network. It includes VPN technology that uses strong methods to
authenticate the user or device.
!**Important**! Server CTTC-VPN will have two NICs, one will have
192.168.1.151 IP connected to External vSwitch & other 10.1.1.200
connected to Internal vSwitch. 10.1.1.x virtual network will simulate an
Internet connection.
3.8.1 Login to CTTC-VPN server as contoso\administrator user. Server
Manager > Add roles and features > click Next in Before you begin > use
default in Select installation type click Next > click Next in select destination
server > In Select Server roles check Remote Access box and click Next >
Click Next in Select Features > In Remote Access window click Next > In
Select Role services check all three and click Next.

3.8.2 In Web Server role (IIS) click Next > Next in Select Role services >
check restart destination server automatically if required > click Yes to
prompt > click Install > click Close when installation succeeds.
3.8.3 In Server Manager > Tools > Routing and Remote Access > right-click
VPN server and select Configure and Enable Routing and Remote Access.

3.8.4 The setup wizard starts; click Next > In Configuration window select
the VPN and NAT option, click Next > In VPN Connection window select the NIC
with the 10.1.1.200 IP address (remember the 10.1.1.x network in this lab
simulates the Internet connection) and click Next > In IP address assignment
select From a specified range of addresses and click Next > In Address Range
Assignment window click New button and add IP range 172.16.0.1 – 172.16.0.200
(a range of 200 IP addresses to be leased out to VPN clients), click OK and
Next > Choose default option of No in Managing multiple remote access
servers > click Finish > OK on prompts.

3.8.5 Login to DC with contoso\administrator user. We will now grant
remote login access to the Administrator user. In Server Manager > Tools >
Active Directory Users and Computers > Users container > right-click on
Administrator select Properties > in property page click Dial-in tab and
confirm or select Allow is selected > click OK.
3.8.6 Login to CTTC-dhcpPC as administrator > open command prompt or
PowerShell > type ipconfig to view the IP address assigned.

3.8.6 We will now add a VPN connection to our CTTC-dhcpPC. Click Start
and type settings and click Settings icon > click Network and Internet > click
VPN > click Add a VPN connection.

3.8.7 In Add a VPN connection window configure the connection using the
following > click Save.
3.8.9 Click VPN Client to contoso.com and then Connect > Provide
administrator user and P@ss.wrd password when prompted to authenticate >
click OK. When connection is successfully established, we will see
Connected under the VPN client icon.

3.8.10 Open command prompt or PowerShell > type ipconfig > here we can
see both adapters, Ethernet and the virtual PPP. The PPP virtual adapter is the
point-to-point connection to the VPN server and has received an IP from the
VPN server in the 172.16.x.x subnet.
3.8.11 Now we go back to CTTC-VPN server and confirm this VPN
connection coming from our CTTC-dhcpPC computer. Go back to CTTC-VPN
server > open Routing and Remote Access tool > refresh and select Remote
Access Clients > we will see our Administrator user logged in. Select Ports and
see the active VPN connection using PPTP.

3.8.12 Double click the Active port to view further information including
leased IP given to our PC. Using the Disconnect button, this Active VPN
connection can be disconnected from server.
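Steps 3.8.5 to 3.8.12 scripted in PowerShell, as an added example that is not part of the lab book. It assumes the Remote Access role was configured by the wizard as in 3.8.1 to 3.8.4, that CTTC-VPN's simulated-Internet address is 10.1.1.200, and that the connection is named as in 3.8.7.

```powershell
# Added example (not from the lab book): PowerShell equivalent of lab 3.8 steps 3.8.5-3.8.12.
# Assumptions: the Remote Access role is configured as in 3.8.1-3.8.4, CTTC-VPN listens on
# 10.1.1.200, and the connection name is the one used in 3.8.7.

# ---- On DC (3.8.5): grant dial-in permission. msNPAllowDialin is the attribute behind the
# Dial-in tab's "Allow access" setting. It is an authorization gate separate from the
# password: a user without it is refused even after authenticating correctly.
Import-Module ActiveDirectory
Set-ADUser -Identity Administrator -Replace @{ msNPAllowDialin = $true }
Get-ADUser -Identity Administrator -Properties msNPAllowDialin |
    Select-Object SamAccountName, msNPAllowDialin

# ---- On CTTC-dhcpPC (3.8.6-3.8.9): create the connection and dial it.
$ConnName  = 'VPN Client to contoso.com'
$VpnServer = '10.1.1.200'
# The wizard leaves PPTP enabled and 3.8.11 shows the session on a PPTP port, so the client
# is created the same way here. PPTP with MS-CHAPv2 is weak protection; outside the lab,
# prefer -TunnelType Ikev2 or Sstp with certificate-backed authentication.
Add-VpnConnection -Name $ConnName -ServerAddress $VpnServer -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# Prompt for the credential rather than embedding the lab password in a script.
$cred = Get-Credential -UserName 'contoso\administrator' -Message 'VPN logon'
rasdial $ConnName $cred.UserName $cred.GetNetworkCredential().Password

# ---- 3.8.10: equivalent of the ipconfig check; the PPP adapter should hold a 172.16.0.x address.
function Get-VpnClientState {
    param([string]$Name = $ConnName)
    $conn = Get-VpnConnection -Name $Name
    $ppp  = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Connection = $conn.Name
        Status     = $conn.ConnectionStatus   # Connected / Disconnected
        Tunnel     = $conn.TunnelType
        PppAddress = $ppp.IPAddress
        InVpnPool  = [bool]($ppp.IPAddress -like '172.16.0.*')
    }
}
Get-VpnClientState

# ---- On CTTC-VPN (3.8.11): list the active remote access sessions
Get-RemoteAccessConnectionStatistics |
    Select-Object UserName, ConnectionType, ConnectionStartTime

# ---- 3.8.12, client side: drop the tunnel
rasdial $ConnName /disconnect
```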
Module 4 - Storage Services Labs
Module 4 labs will revolve around how Windows Server manages storage.
This will include implementing volumes, shares, permissions, Storage
Spaces, and iSCSI storage services.
!**Prerequisite**! The following virtual environment is required to complete
the labs in this module.
Add two virtual switches (see LS.11b on how to add a new virtual switch):
  iSCSI.Net-12.12.12.0 (Internal virtual switch)
  Heartbeat.Net-11.11.11.0 (Internal virtual switch)
Add three virtual machines (see LS.7, LS.8, & LS.10 on how to set these up):
Storage-SRVR (12.12.12.200/24, 192.168.1.243/24)
  VM needs two virtual NICs (use lab LS.11c on how to add additional vNICs):
  192.168.1.243 255.255.255.0 192.168.1.1 (gateway) 192.168.1.225 (DNS)
    connects to External vSwitch
  12.12.12.200/24 connects to Internal iSCSI vSwitch
  Add two virtual hard disks and create simple volumes with the following
  sizes and drive letters: P: 2.5TB & Q: 1.9TB
CTTC-Node1
  VM needs three virtual NICs (use lab LS.11c on how to add additional vNICs):
  192.168.1.241 255.255.255.0 192.168.1.1 (gateway) 192.168.1.225 (DNS)
    connects to External vSwitch
  12.12.12.1 255.255.255.0 connects to Internal iSCSI vSwitch
  11.11.11.1/24 connects to Internal Heartbeat vSwitch
CTTC-Node2
  VM needs three virtual NICs (use lab LS.11c on how to add additional vNICs):
  192.168.1.242 255.255.255.0 192.168.1.1 (gateway) 192.168.1.225 (DNS)
    connects to External vSwitch
  12.12.12.2/24 connects to Internal iSCSI vSwitch
  11.11.11.2/24 connects to Internal Heartbeat vSwitch
All VMs must join the domain.
Firewall must be turned off.

4.1 Manage volumes, share folders, and set access permissions.
In this lab, we create volumes and configure access control for shared
folders.
A partition or volume is a persistent division of a physical hard drive into
logical segments. Each volume or partition appears to the user like a separate
hard drive. Volume is the terminology used by post-Windows 2000 machines
for partition. Volumes are much more flexible in their configuration than the
more rigid partitions.
A folder in Windows is a storage area, just like a real folder in a file cabinet.
Windows divides your computer's hard drives into many folders to separate
your many projects. Windows gives you six main folders for storing your
files.
You use shared folders to provide network users with access to file
resources. When a folder is shared, users can connect to the folder over the
network and access the files it contains. However, to access the files, users
must have permissions to access the shared folders.
NTFS permissions on folders give you the ability to control access for both
network and local users, whereas share permissions on a folder only apply
to network users. Share permissions manage access to folders shared over a
network; they do not apply to users who log on locally. Share permissions
apply to all files and folders in the share; you cannot granularly control
access to subfolders or objects on a share. Share permissions can be used
with NTFS, FAT and FAT32 file systems.
4.1a Creating Volumes
In this lab we will create simple, spanned, striped, and striping-with-parity
volumes.
!**Important**! Make sure you have completed lab LS.10a, DC server will
need multiple hard disks to complete this section.
4.1a.1 Login to DC with contoso\administrator credentials > right-click on
Start and select Disk Manager > right-click on Unallocated section on Disk 1
> select New Simple Volume.

4.1a.2 Next in Wizard page > type 10240 in Simple volume size in MB: to
create a 10GB volume, Next > Assign S as the drive letter, Next > keep
defaults in Format Partitions window, Next > Finish. Confirm that you can
see S: volume named Simple volume 10GB in size and remaining space is
still unallocated.

4.1a.2 Now we will create a Spanned volume of 20GB total space spanned
over 10GB on Disk 1 and 10GB on Disk 2. Right-click Disk 2 Unallocated
area > New Spanned Volume > Next > type 10240 in Select the amount of
space in MB:. Select Disk 2 > click Add button > click Disk 2 under
Selected: > type 10240 in Select the amount of space in MB:, Next.

4.1a.3 Select H as assigned drive letter, Next > type Spanned Volume in
Volume label > check perform a quick format > leave NTFS as File System,
Next > Finish. In Disk Management prompt to convert to Dynamic disk, click
Yes. You will now see color coded Simple and Spanned volume.

4.1a.4 In this step we will create a Mirrored set (RAID 1). Right-click
unallocated space on Disk 2 > New Mirrored volume > Next in Wizard
window > all unallocated space of Disk 2 is in Selected section > click Disk 3
in Available section, click Add button, Next > Assign J as drive letter, Next >
type Mirrored Volume in Volume label > check box for Perform a quick
format, Next > Finish. Yes to convert to Dynamic disk.

4.1a.5 In this step we will create a Striping with Parity (RAID 5) set. Right-
click on unallocated space on Disk 3 > New RAID-5 Volume > Next in
Wizard window > select Disk 4 in Available section, click Add > select Disk
5 in Available section, click Add. You will see Disk 3, 4, & 5 listed in
Selected section. Next > Choose P for drive letter, Next > type RAID-5 in
Volume label > check Perform a quick format box, Next > Finish > Yes to
convert to Dynamic disk.

4.1a.6 Disk Management is now listing all different volumes we created with
their size and disk types.

4.1b Share folder and set access permissions
In this lab we will share a folder and configure access permissions.
A shared resource, or network share, is a computer resource made available
from one host to other hosts on a computer network. It is a device or piece of
information on a computer that can be remotely accessed from another
computer transparently as if it were a resource in the local machine. A shared
folder is an example of such a resource where files are accessible over the
network by any client or user that has been granted proper access
permissions.
4.1b.1 Login to DC as contoso\administrator > create folders
C:\UserData\AdminData > right-click C:\UserData select Properties > click
Sharing tab > click Advanced Sharing button > check Share this folder box
and click Permissions button > click Add button > type administrator in Enter
the object name to select, click Check Names button > select user
Administrator in Matching names section, click OK > OK.
4.1b.2 In Permissions for UserData window select Everyone and click
Remove button. Select Administrator user in Group or user names section >
uncheck Full Control and Change permissions boxes, click OK. This grants
Read-only access to the Administrator user.

4.1b.3 OK in Advanced Sharing window > click Close on UserData
Properties window. Now login to ClientPC VM as contoso\administrator >
right-click on Start button, select Run > type \\DC (UNC path to the server)
and click OK.
4.1b.4 Explorer window opens and shows all shared folders accessible to the
user. Right-click Start button again, select Run > type \\DC\userdata and click
OK > this will open another explorer window showing contents of the
UserData shared folder.

4.1b.5 Open AdminData folder > right-click and select to create a Text
document > you will receive an access denied window: user administrator only
has Read access, hence is unable to create a file > click Cancel.

4.1b.6 Move to C:\UserData > try to delete folder AdminData > you will
receive an access denied prompt, click Cancel.
4.1b.7 Go back to DC server > right-click C:\UserData select Properties >
click Sharing tab > click Advanced Sharing button > click Permissions button
> check Change permission Allow box, OK > OK > Close.

4.1b.8 Since the administrator user now has the Change permission allowed, we
will confirm that by creating a simple text file in the AdminData folder. Switch
to ClientPC > open AdminData shared folder in explorer > right-click and select
to create a text file > type MyTextFile as the file name and press Enter to
create the text file > Open this file and type This is a Simple Text file and
then save and close file. So, after granting Change permission, we can create
and edit objects in the shared folder.
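Lab 4.1b scripted with the SMB cmdlets, as an added example that is not part of the lab book. It runs on DC as contoso\administrator (the commented UNC-path lines are the checks done from ClientPC) and ends with a helper, Get-ShareAndNtfsAccess, which is a hypothetical name introduced here.

```powershell
# Added example (not from the lab book): PowerShell equivalent of lab 4.1b, run on DC as
# contoso\administrator; the commented UNC-path lines are the client-side checks from ClientPC.
$Path  = 'C:\UserData'
$Share = 'UserData'
$User  = 'contoso\administrator'

# 4.1b.1: create the folder tree and share it. Passing -ReadAccess creates the share with only
# that entry, so the default "Everyone / Read" entry removed by hand in 4.1b.2 never exists.
New-Item -ItemType Directory -Path "$Path\AdminData" -Force | Out-Null
New-SmbShare -Name $Share -Path $Path -ReadAccess $User -Description 'Lab 4.1b' | Out-Null
# 4.1b.2 equivalent, in case the share already existed with the default ACL:
if (Get-SmbShareAccess -Name $Share | Where-Object { $_.AccountName -eq 'Everyone' }) {
    Revoke-SmbShareAccess -Name $Share -AccountName 'Everyone' -Force | Out-Null
}
Get-SmbShareAccess -Name $Share    # expect one row: contoso\administrator, Allow, Read

# 4.1b.4-4.1b.6 on ClientPC: with Read only, every write to the share is refused.
#   New-Item -Path '\\DC\UserData\AdminData\MyTextFile.txt' -ItemType File   # access denied
#   Remove-Item -Path '\\DC\UserData\AdminData'                               # access denied

# 4.1b.7: raise the share permission to Change (read plus create, modify and delete)
Grant-SmbShareAccess -Name $Share -AccountName $User -AccessRight Change -Force | Out-Null

# 4.1b.8 on ClientPC: the write now succeeds
#   Set-Content -Path '\\DC\UserData\AdminData\MyTextFile.txt' -Value 'This is a Simple Text file'

# A share permission is only half of the decision: effective access over the network is the
# more restrictive of the share ACL and the NTFS ACL. Show both side by side for one account.
# (Administrators normally hold NTFS Full Control through group membership, which is why the
# share-level Read alone was enough to block the writes in 4.1b.5.)
function Get-ShareAndNtfsAccess {
    param([string]$ShareName = $Share, [string]$Account = $User)
    $smb  = Get-SmbShareAccess -Name $ShareName | Where-Object { $_.AccountName -ieq $Account }
    $ntfs = (Get-Acl -Path (Get-SmbShare -Name $ShareName).Path).Access |
            Where-Object { $_.IdentityReference.Value -ieq $Account }
    [pscustomobject]@{
        Account   = $Account
        SharePerm = ($smb  | ForEach-Object { "$($_.AccessControlType):$($_.AccessRight)" }) -join ','
        NtfsPerm  = ($ntfs | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join ','
    }
}
Get-ShareAndNtfsAccess
```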

4.2 Configure Storage Spaces.
In this lab we will create Storage Spaces by combining all hard disks that we
have added to our virtual machine DC. We will then proceed to create a
virtual disk from this Storage space. Once this virtual disk is created, we will
then create a volume in that virtual disk, format it with NTFS, and give it
drive letter F.
Storage Spaces is a technology in Windows and Windows Server that can
help protect your data from drive failures. It is conceptually similar to RAID,
implemented in software. You can use Storage Spaces to group three or more
drives together into a storage pool and then use capacity from that pool to
create Storage Spaces. These typically store extra copies of your data so if
one of your drives fails, you still have an intact copy of your data. If you run
low on capacity, just add more drives to the storage pool.
!**Prerequisite**! Please delete all volumes we created in lab 4.1a, open
Disk Management > right-click on each volume J, P, S, & H and select
Delete Volume. Make sure these volumes have been deleted before you start
this lab.
4.2.1 Login to DC as contoso\administrator > Server Manager > File and
Storage Services > Storage Pools > check out all your disks that currently
exist in the server under Physical Disks > right-click on Primordial available
disks in Storage Pools section > New Storage Pool.

4.2.2 In Storage Pool Wizard, Next on Before you begin > type CTTC-
StoragePool1 in Name, Next.

4.2.3 In Physical Disks section, select all five disks in the list, click Next >
click Create in Confirmation section > click Close in Results.
4.2.4 Right-click on newly listed CTTC-StoragePool1 in Storage Pools,
select New Virtual Disk > select CTTC-StoragePool1 in Pool Name, OK >
Next in Virtual Disk Wizard Before you begin section > type CTTC-
SP1.VirtualDisk1 (depicting first virtual disk from our Storage Pool 1), Next.
4.2.5 Click Next in Enclosure Awareness > check out description of the
three storage layouts providing data redundancy, select Mirror and click Next
> select Three-way mirror in Resiliency settings, Next > select Thin in
provisioning type, Next > type 200 in Specify size, Next > click Create in
Confirmation window > click Close in Results.

4.2.6 Click Disks in Server Manager to see the Storage Pool’s virtual disk added as disk #6.

4.2.7 We will now create a volume in this CTTC-SP1.VirtualDisk1 virtual
disk > select Storage Pools in Server Manager > right-click the virtual disk in
Server Manager, select New Volume.

4.2.7 Click Next in Volume Wizard Before you begin > Next in Select the
server and disk > type 150 for size of volume, Next > Choose E as Drive
letter, Next > Keep NTFS as File system, Next > Create in Confirmation >
Close in Results.

4.2.8 We will now confirm redundancy built into our volume due to Storage
Space by simulating a disk failure. Open File explorer and open our new
volume E, or E drive > create a folder at the root of E drive called InfoData >
create a text file in InfoData called UserDataFile > open the file, type This is
a text file in CTTC-StoragePool1 and CTTC-SP1.VirtualDisk1 > click File
and save.
4.2.9 In DC VM > open File menu and select Settings to open VM settings >
select HD3 under SCSI Controller section, click Remove button to simulate
HD3 failure, click Apply. You will see the Disk has disappeared from list >
OK.

4.2.10 Go back to the folder and file you created in E drive to see even with a
failed drive, data is still there due to our Storage Space redundancy.
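Lab 4.2 scripted with the Storage module, as an added example that is not part of the lab book. It assumes the five lab disks are empty (the 4.2 prerequisite), that the 200 and 150 in steps 4.2.5 and 4.2.7 are gigabytes, and introduces a hypothetical helper, Get-SpaceHealth, for the post-failure check in 4.2.10.

```powershell
# Added example (not from the lab book): PowerShell equivalent of lab 4.2, run on DC.
# Assumptions: the five lab disks carry no volumes (4.2 prerequisite) and the sizes in
# 4.2.5 / 4.2.7 are gigabytes.
$PoolName = 'CTTC-StoragePool1'
$VdName   = 'CTTC-SP1.VirtualDisk1'

# 4.2.1-4.2.3: build the pool from every poolable disk (Server Manager's "Primordial" list).
$poolable = @(Get-PhysicalDisk -CanPool $true)
if ($poolable.Count -lt 5) { throw "Expected 5 poolable disks, found $($poolable.Count)" }
$subsys = Get-StorageSubSystem -FriendlyName 'Windows Storage*'
New-StoragePool -FriendlyName $PoolName -StorageSubSystemUniqueId $subsys.UniqueId `
    -PhysicalDisks $poolable | Out-Null

# 4.2.4-4.2.5: three-way mirror (each block kept on three disks, so two may fail), thin, 200 GB.
New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $VdName `
    -ResiliencySettingName Mirror -NumberOfDataCopies 3 -ProvisioningType Thin -Size 200GB | Out-Null

# 4.2.7: initialize, partition and format the virtual disk as E:
$disk = Get-VirtualDisk -FriendlyName $VdName | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -Size 150GB -DriveLetter E |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'SP1Vol' -Confirm:$false | Out-Null

# 4.2.8: write the test data
New-Item -ItemType Directory -Path 'E:\InfoData' -Force | Out-Null
Set-Content -Path 'E:\InfoData\UserDataFile.txt' -Value "This is a text file in $PoolName and $VdName"

# 4.2.9-4.2.10: after removing HD3 from the VM, check the space's health, not only the file.
# The data stays readable, but the space is degraded until the lost disk is retired and a
# replacement added (Set-PhysicalDisk -Usage Retired, Add-PhysicalDisk, Repair-VirtualDisk).
function Get-SpaceHealth {
    param([string]$VirtualDisk = $VdName, [string]$Pool = $PoolName)
    $vd    = Get-VirtualDisk -FriendlyName $VirtualDisk
    $disks = @(Get-StoragePool -FriendlyName $Pool | Get-PhysicalDisk)
    [pscustomobject]@{
        VirtualDisk       = $vd.FriendlyName
        HealthStatus      = $vd.HealthStatus        # Healthy / Warning (degraded) / Unhealthy
        OperationalStatus = $vd.OperationalStatus
        DisksInPool       = $disks.Count
        LostDisks         = @($disks | Where-Object { $_.OperationalStatus -ne 'OK' }).Count
        DataReadable      = Test-Path 'E:\InfoData\UserDataFile.txt'
    }
}
Get-SpaceHealth
```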
4.3 iSCSI Storage services.
In this lab we will setup an iSCSI Target server which will make its disk
space available to other systems via iSCSI protocol. We will then setup an
iSCSI Initiator to connect to that storage on target server.
iSCSI is a protocol for storage networking and runs the quite common SCSI
storage protocol across a network connection which is usually Ethernet.
iSCSI traffic can be run over a shared network or a dedicated storage
network. Microsoft iSCSI Initiator is a tool that connects external iSCSI-
based storage to host computers with an Ethernet network adapter. The client
machine within a storage network is an iSCSI Initiator. The server machine
within a storage network is an iSCSI target. An iSCSI target is any machine
that receives iSCSI commands from an initiator.
4.3a Setting up iSCSI Target Server
!**Important**! Storage-SRVR VM will be used in this lab.
4.3a.1 Login to storage-srvr as contoso\administrator > Server Manager >
Add roles and Features > Next in Before you begin > Next in select
installation type > Next in select destination server > select Data
Deduplication and iSCSI Target Server, click Add Features button in prompt,
Next.

4.3a.2 Next in select features > check Restart the destination server if
required, Yes in prompt, click Install > Close button when installation
succeeds.
4.3a.3 Server Manager > File and Storage Services > iSCSI > click to create
an iSCSI virtual disk.
4.3a.4 In iSCSI virtual disk location, click drive P in Select by volume (for
the sake of this lab, this is being done on a simple volume with no
redundancy; in actual production systems, we must select a drive created on a
RAID system with full redundancy like what we created in lab 4.2), click
Next. This process creates a virtual disk in the drive we selected. In Specify
iSCSI virtual disk name type CTTC-vDisk1, see where this virtual disk will be
created with the P drive selected, Next.

4.3a.5 Type 1.5TB for size and Dynamically expanding for disk type, Next >
select New iSCSI target in Assign target, Next > type CTTC-iTarget1 in
target name, Next > in Select a method to identify the initiator, using the drop
down select IP Address and type 12.12.12.1 (IP of the iSCSI Initiator device),
OK.
4.3a.6 Click Add button to add another iSCSI initiator in specifying access
servers > select IP Address in drop-down list under Enter a value for the
selected type and type 12.12.12.2 as the second iSCSI initiator, You will see
both iSCSI initiator numbers listed, click OK, Next.

4.3a.7 Click Next in Enable Authentication, leaving both boxes unchecked
> confirm our configuration and click Create button > click Close in Results
window.
4.3a.8 In Server Manager > File & Storage Services > iSCSI > right-click in
empty area under Storage-SRVR and select New iSCSI virtual disk.

4.3a.9 Now follow the same steps as in 4.3a.4 to add two more virtual disks.
One on P and the other on Q drive with the following configuration:
4.3a.10 Following show final result when all disks are in place and the iSCSI
Target system is ready.

4.3b Setting up iSCSI Initiator Server
!**Important**! Keep the Storage-SRVR VM online for this lab; we will use
the CTTC-Node1 and then CTTC-Node2 VMs in this lab to configure them as
iSCSI Initiator servers.
!**Important**! Be advised that once this lab is successfully completed,
three servers will be needed to complete lab for module 6.
4.3b.1 Login to CTTC-Node1 as contoso\administrator > Server Manager >
Tools > iSCSI Initiator > Yes to Microsoft iSCSI prompt > click Discovery
tab > click Discover Portal > type iSCSI Target’s IP 12.12.12.200 > click
Advanced button > select Microsoft iSCSI Initiator from Local adapter drop
down > select 12.12.12.1 as the local Initiator IP > OK > OK.
4.3b.2 You will now see the iSCSI target listed under Target portals in iSCSI
Initiator Properties page > click Targets tab > in discovered targets, first
select cttc-itarget1 with Inactive status > click Connect button.

4.3b.3 In Connect to Target, click Advanced > select Microsoft iSCSI Initiator
in Local adapter > 12.12.12.1 in Initiator IP > 12.12.12.200 / 3260 in Target
portal IP > OK > OK.

4.3b.4 cttc-itarget1 now will show as connected. Complete tasks 4.3b.2 &
4.3b.3 for the remaining two Inactive discovered targets.
4.3b.5 Right-click on Start button > Disk Management > You will now see
iSCSI targets listed as Disks.
4.3b.6 Complete lab steps 4.3b.1 to 4.3b.4 for server CTTC-Node2. All
values are the same except Initiator IP for CTTC-Node2 is 12.12.12.2 (local
adapter address).

4.3b.7 Open Disk Manager > bring both iSCSI target disks Online and
Initialize them.
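Labs 4.3a and 4.3b scripted with the iSCSI target and initiator cmdlets, as an added example that is not part of the lab book. It uses the addresses from the module prerequisites (target 12.12.12.200, initiators 12.12.12.1 and 12.12.12.2); the CHAP user name and the .vhdx folder are placeholders, and unlike step 4.3a.7 it turns one-way CHAP on.

```powershell
# Added example (not from the lab book): PowerShell equivalent of lab 4.3.
# Assumptions: Storage-SRVR's iSCSI NIC is 12.12.12.200 and the initiators are 12.12.12.1/.2
# (module prerequisites); 'cttc-chap' and the P:\iSCSIVirtualDisks folder are placeholders.

# ===== Target side, on Storage-SRVR (4.3a) =====
Install-WindowsFeature FS-iSCSITarget-Server, FS-Data-Deduplication -IncludeManagementTools | Out-Null
$TargetName = 'CTTC-iTarget1'
$VhdPath    = 'P:\iSCSIVirtualDisks\CTTC-vDisk1.vhdx'
$Initiators = 'IPAddress:12.12.12.1', 'IPAddress:12.12.12.2'   # CTTC-Node1, CTTC-Node2

# 4.3a.4-4.3a.5: 1.5 TB dynamically expanding VHDX on P: (the default unless -UseFixed is given)
New-IscsiVirtualDisk -Path $VhdPath -SizeBytes 1.5TB | Out-Null
# 4.3a.5-4.3a.6: only the two listed initiator addresses may log in to the target
New-IscsiServerTarget -TargetName $TargetName -InitiatorIds $Initiators | Out-Null
Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -Path $VhdPath

# 4.3a.7 leaves authentication off. An address allow-list is only as strong as the source
# address, so require one-way CHAP: the initiator must prove it knows the secret (12-16 chars).
$chap = Get-Credential -UserName 'cttc-chap' -Message 'CHAP secret (12 to 16 characters)'
Set-IscsiServerTarget -TargetName $TargetName -EnableChap $true -Chap $chap
Get-IscsiServerTarget -TargetName $TargetName | Select-Object TargetName, Status, EnableChap, InitiatorIds

# ===== Initiator side, on CTTC-Node1 (4.3b); repeat on CTTC-Node2 with $LocalIp = '12.12.12.2' =====
$PortalIp = '12.12.12.200'
$LocalIp  = '12.12.12.1'
$chap = Get-Credential -UserName 'cttc-chap' -Message 'Same CHAP secret as set on the target'
Set-Service -Name MSiSCSI -StartupType Automatic; Start-Service -Name MSiSCSI   # the "Yes" in 4.3b.1
# 4.3b.1: discover the portal, pinning the initiator to the dedicated iSCSI NIC
New-IscsiTargetPortal -TargetPortalAddress $PortalIp -InitiatorPortalAddress $LocalIp | Out-Null
# 4.3b.2-4.3b.4: connect every discovered target, persistently so it survives reboots
foreach ($t in Get-IscsiTarget | Where-Object { -not $_.IsConnected }) {
    Connect-IscsiTarget -NodeAddress $t.NodeAddress -TargetPortalAddress $PortalIp `
        -InitiatorPortalAddress $LocalIp -IsPersistent $true `
        -AuthenticationType ONEWAYCHAP -ChapUsername $chap.UserName `
        -ChapSecret $chap.GetNetworkCredential().Password | Out-Null
}
# 4.3b.5 / 4.3b.7: the LUNs show up as disks; bring them online and initialize them
Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.OperationalStatus -eq 'Offline' } |
    ForEach-Object {
        Set-Disk -Number $_.Number -IsOffline $false
        Initialize-Disk -Number $_.Number -PartitionStyle GPT
    }
Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } |
    Select-Object Number, FriendlyName, Size, OperationalStatus
```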

!**Important**! VMs used in this module will be needed again in Module 6
labs. Do not alter their configuration or remove any virtual hardware from
them.
Module 5 - Virtualization Labs
In this module, we will create a virtual environment to run virtual machines
and move VMs between host systems by exporting and then importing them.
Virtualization is the process of creating a software-based, or virtual,
representation of something, such as virtual applications, servers, storage, and
networks. It is the single most effective way to reduce IT expenses while
boosting efficiency and agility for businesses of all sizes. Virtualization
uses software to create an abstraction layer over computer hardware that
allows the hardware elements of a single computer (processors, memory,
storage and more) to be divided into multiple virtual computers, commonly
called virtual machines (VMs).
Microsoft Hyper-V, codenamed Viridian, is a native hypervisor; it can create
virtual machines on x86-64 systems running Windows. Starting with
Windows 8, Hyper-V superseded Windows Virtual PC as the hardware
virtualization component of the client editions of Windows NT. A server
computer running Hyper-V can be configured to expose individual virtual
machines to one or more networks.
!**Prerequisite**! VM File-Srvr is needed to complete lab 5.3 in this
module.
5.1 Virtual Networking in Hyper-V.
In this lab we will create a Private virtual switch and then see how we can
assign it to a VM’s virtual network adapter.
Microsoft Hyper-V supports three different types of virtual networks:
external, internal, and private. External virtual networks are the most
commonly used because they allow a virtual machine (VM) to access the
outside world. Internal virtual networks are isolated segments accessible by
VMs and by the Hyper-V host, while private virtual networks are only
accessible to VMs.
5.1.1 Open Hyper-V Manager > click Virtual Switch Manager in Actions
pane.
5.1.2 In Virtual Switches, select New virtual network switch > Private in type of virtual switch > click Create Virtual Switch.
5.1.3 Type Private-Net in Name > type Network for VM connectivity only in Notes > make sure Private is selected in Connection type > OK.
5.1.4 Open Virtual Switch Manager again; the Private-Net switch of type Private is now listed > OK.
5.1.5 Open Settings of the DC virtual machine > select Network Adapter in the hardware list > open the drop-down under Virtual switch to see the new Private-Net virtual switch we created. We will not select it (DC must stay on its current switch for later labs); we only want to see how a virtual switch is assigned to a VM's network adapter.
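The same steps from the Hyper-V PowerShell module, as an added example (not part of the lab book). It creates the Private-Net switch, shows what distinguishes the three switch types on the host side, and lists which switch each adapter of the DC VM is attached to. It assumes the Hyper-V module is installed on the host and that a VM named DC exists; the Connect-VMNetworkAdapter line is left commented out for the same reason step 5.1.5 does not select the switch.

```powershell
# Added example, not the lab book's own steps. Run on the Hyper-V host as administrator.
#Requires -RunAsAdministrator

$switchName = 'Private-Net'

# Create the switch only if it does not already exist, so the script is safe to re-run.
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -SwitchType Private `
        -Notes 'Network for VM connectivity only' | Out-Null
}

# Compare the switch types side by side. Only an External switch is bound to a physical
# NIC (NetAdapterInterfaceDescription); Internal and Private switches show no binding.
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription |
    Format-Table -AutoSize

# An Internal switch creates a host-side vNIC (vEthernet (<switch name>)), which is what
# lets the host talk to VMs on it. A Private switch creates none, which is why the host
# cannot reach VMs on a private switch at all.
Get-NetAdapter -Name 'vEthernet*' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, MacAddress

# Which switch each adapter of the DC VM is currently connected to (the drop-down in 5.1.5).
Get-VMNetworkAdapter -VMName 'DC' | Select-Object VMName, Name, SwitchName, IPAddresses

# Equivalent of picking the switch in the drop-down. Commented out because DC must stay on
# its current switch for later labs. Reassigning a running VM's switch is allowed, but the
# guest loses connectivity on that adapter immediately.
# Connect-VMNetworkAdapter -VMName 'DC' -SwitchName $switchName
```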
5.2 Creating Virtual Machines.
In this lab we will create Gen 1 and 2 Virtual machines and look at different
virtual hardware types created by Hyper-V.
A virtual machine acts like a complete computer, running an operating system and programs. When you need computing resources, virtual machines give you more flexibility, help save time and money, and use hardware more efficiently than running a single operating system on physical hardware. Hyper-V runs each virtual machine in its own isolated partition, which means you can run more than one virtual machine on the same hardware (host system) at the same time.

5.2a Creating Generation 1 VM
!**Prerequisite**! Evaluation installation media (.iso files) for Windows 10 and Server 2019 will be needed.
5.2a.1 Open Hyper-V Manager > click New in the Actions pane, select Virtual Machine > Next in Before You Begin > type Windows 10 Client, Next > keep Generation 1 selected, Next > type 2048 in Startup memory, Next > in Configure Networking, select Internal vSwitch from the drop-down, Next > in Connect Virtual Hard Disk, keep the default (Create a virtual hard disk) so Hyper-V creates a new virtual disk for our VM, and change the size to 200 GB, Next > in Installation Options, select Install an operating system from a bootable CD/DVD-ROM > click Image file (.iso) and browse to your downloaded Windows 10 .iso file, Next > Finish.
5.2a.2 Hyper-V Manager will now list this new VM in virtual machines
section. Right-click the new VM and click Settings > we will browse
different virtualized hardware by the Hypervisor in the VM settings > select
BIOS under hardware and view the Startup order, this order is configurable
just like an actual system.

5.2a.3 Click on each virtual hardware e.g. memory, SCSI controller, serial
ports & Network Adapter. Also select virtual machine specific configuration
under Integration services, Checkpoints, & start / stop actions. Click OK to
close settings page.
5.2a.4 To bring up console or desktop of the VM, right-click Windows 10
Client VM, click Connect. In a VM where OS is installed and it is online, you
will see the desktop. Our VM is new, there is no OS installed, and is turned
off.
5.2a.5 Click Start to turn on the VM, since iso file is connected, VM will start
the Windows 10 installation process.
At this point, we created a Gen 1 VM, configured its virtual hardware, and
started OS install. OS installation is optional, you can complete the install if
you would like.
5.2b Creating Generation 2 VM
Gen 2 VMs are recommended in most cases, especially for modern 64-bit operating systems. They boot from UEFI firmware instead of a legacy BIOS, support Secure Boot (so only signed boot loaders can run), allow more virtual processors and more memory than Gen 1, and boot from a GPT disk, so the 2 TB boot-volume limit of Gen 1 does not apply. Gen 1 VMs are needed when the guest is a 32-bit operating system, an older OS that does not support UEFI, or one that requires a floppy disk or legacy IDE devices. (A COM port can still be attached to a Gen 2 VM with Set-VMComPort for kernel debugging; it is simply not shown in Hyper-V Manager.)
5.2b.1 Open Hyper-V Manager > click New in the Actions pane, select Virtual Machine > Next in Before You Begin > type Server 2019, Next > select Generation 2, Next > type 2048 in Startup memory, Next > in Configure Networking, select Internal vSwitch from the drop-down, Next > take the defaults in Connect Virtual Hard Disk, Next > in Installation Options, select Install an operating system from a bootable image file > click Image file (.iso) and browse to your downloaded Windows Server .iso file, Next > Finish.

5.2b.2 Hyper-V Manager will now list this new VM in the Virtual Machines section. Right-click the new VM Server 2019 and click Settings > now let us browse the virtual hardware the hypervisor presents to a Generation 2 VM > the first differences you see are Firmware (UEFI, with the Secure Boot option) in place of BIOS, and no COM ports or floppy disk drive in the hardware list.

5.2b.3 Click on each virtual hardware e.g., memory, SCSI controller, &
Network Adapter. Also select virtual machine specific configuration under
Integration services, Checkpoints, & start / stop actions. Click OK to close
settings page.
5.2b.4 Bring up VM desktop by right-clicking Server 2019 VM, click
Connect. Click Start to turn on the virtual machine.
5.2b.5 Since VM boot process points to DVD first, it will start the installation
process (press any key if requested to start the Server OS installation
process). Windows Server 2019 installation process will start.
At this point, we have created a Generation 2 VM, configured its virtual
hardware, and started OS install. Completing the OS installation is optional in
this lab as well.
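Labs 5.2a and 5.2b done with the Hyper-V PowerShell module, as an added example that is not part of the lab book. Beyond creating the two VMs it inspects the firmware and device differences the text describes, and turns Secure Boot on for the Gen 2 VM. The ISO paths and the C:\Hyper-V store are assumptions; the VM names, memory size, 200 GB disk and the Internal vSwitch name are the lab's.

```powershell
# Added example, not the lab book's own steps. Run on the Hyper-V host as administrator.
#Requires -RunAsAdministrator

$vmRoot    = 'C:\Hyper-V'                     # assumed location for VM files and VHDX
$win10Iso  = 'C:\ISO\Windows10.iso'           # assumed path to the Windows 10 evaluation ISO
$serverIso = 'C:\ISO\WindowsServer2019.iso'   # assumed path to the Server 2019 evaluation ISO
$switch    = 'Internal vSwitch'               # switch name used in labs 5.2a / 5.2b

# --- Generation 1: legacy BIOS, IDE boot disk, a DVD drive exists by default ---
New-VM -Name 'Windows 10 Client' -Generation 1 -MemoryStartupBytes 2GB `
    -NewVHDPath "$vmRoot\Windows 10 Client.vhdx" -NewVHDSizeBytes 200GB `
    -SwitchName $switch -Path $vmRoot | Out-Null
Set-VMDvdDrive -VMName 'Windows 10 Client' -Path $win10Iso

# Gen 1 startup order is the classic BIOS list of device classes; CD first so the ISO boots.
Set-VMBios -VMName 'Windows 10 Client' -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')
Get-VMBios -VMName 'Windows 10 Client'

# --- Generation 2: UEFI firmware, SCSI boot disk, no DVD drive until one is added ---
New-VM -Name 'Server 2019' -Generation 2 -MemoryStartupBytes 2GB `
    -NewVHDPath "$vmRoot\Server 2019.vhdx" -NewVHDSizeBytes 127GB `
    -SwitchName $switch -Path $vmRoot | Out-Null
$dvd = Add-VMDvdDrive -VMName 'Server 2019' -Path $serverIso -Passthru

# UEFI boot order is a list of concrete devices, not BIOS classes. Boot the DVD first and
# keep Secure Boot on with the Windows template so only Microsoft-signed loaders run.
Set-VMFirmware -VMName 'Server 2019' -FirstBootDevice $dvd `
    -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'
Get-VMFirmware -VMName 'Server 2019' | Select-Object SecureBoot, SecureBootTemplate, BootOrder

# Devices that exist only on Gen 1: the floppy drive and the GUI-visible COM ports.
Get-VMFloppyDiskDrive -VMName 'Windows 10 Client'
Get-VMComPort -VMName 'Windows 10 Client'
# Gen 2 still has COM ports for debugging, just hidden from Hyper-V Manager:
Get-VMComPort -VMName 'Server 2019'

# The per-VM settings the lab browses under Integration Services and Checkpoints.
Get-VMIntegrationService -VMName 'Server 2019' | Select-Object Name, Enabled
Get-VM -Name 'Windows 10 Client', 'Server 2019' | Select-Object Name, Generation, CheckpointType, AutomaticStopAction

# Start both; each boots its installer from the ISO (completing the install is optional).
Start-VM -Name 'Windows 10 Client', 'Server 2019'
```

If you later install a Linux guest in a Gen 2 VM, switch the template to MicrosoftUEFICertificateAuthority (or disable Secure Boot), otherwise the firmware refuses the unsigned or differently-signed boot loader.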
5.3 Export and Import a Virtual Machine utilizing Nested Virtualization
Moving virtual machines from one host system to another is one of the main benefits of virtualization. Hyper-V offers two ways to do it: Live Migration, which moves a running VM between hosts without downtime, and Export and Import, which copies the VM's files so the VM can be registered on another host. This lab uses Export and Import.
An export gathers all required files into one folder: the virtual hard disk files, the virtual machine configuration files, and any checkpoint files. You can export a virtual machine that is either running or stopped; for a domain controller such as DC4, exporting it while stopped gives a consistent copy of the Active Directory database.
!**Prerequisite**! This lab requires a VM to host nested VMs. File-Srvr VM will be used for that purpose. Create VM File-Srvr if you have not already. Nested virtualization is a feature that allows you to run Hyper-V inside of a virtual machine (VM). Your host system, either Windows Server 2019 or Windows 10 Pro, that is running File-Srvr must be configured to expose the processor's virtualization extensions to that VM by running the following command on the host while File-Srvr is turned off (the setting cannot be changed on a running VM):
Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
For our VM:
Set-VMProcessor -VMName File-Srvr -ExposeVirtualizationExtensions $true
Once this command has completed successfully on your host, File-Srvr can host nested virtual machines. Start File-Srvr and add the Hyper-V role to it.
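Preparing File-Srvr as a nested host, as an added example that is not part of the lab book. Besides the Set-VMProcessor line above, it applies the other documented requirements for a VM that runs Hyper-V: the VM must be off while the setting changes, memory cannot be resized at runtime once the guest runs Hyper-V (so a fixed allocation is used, 4 GB being the documented minimum), and MAC address spoofing must be on for the nested VMs' traffic to pass through the outer switch. Run it on the physical host; the VM name is the lab's and the 4 GB figure is an assumption for your sizing.

```powershell
# Added example, not the lab book's own steps. Run on the physical host as administrator.
#Requires -RunAsAdministrator

$vmName = 'File-Srvr'

# Set-VMProcessor refuses to change ExposeVirtualizationExtensions on a running VM.
if ((Get-VM -Name $vmName).State -ne 'Off') {
    Stop-VM -Name $vmName        # graceful guest shutdown; returns once the VM is off
}

# Fixed memory: with Hyper-V running inside the guest, memory cannot be adjusted at runtime,
# so dynamic memory gains nothing here and can only confuse the nested host.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $false -StartupBytes 4GB

# Expose Intel VT-x / AMD-V to the guest so it can install the Hyper-V role.
Set-VMProcessor -VMName $vmName -ExposeVirtualizationExtensions $true

# Nested VMs send frames with their own MAC addresses through File-Srvr's vNIC; the outer
# virtual switch drops those frames unless spoofing is allowed on that adapter.
Get-VMNetworkAdapter -VMName $vmName | Set-VMNetworkAdapter -MacAddressSpoofing On

Start-VM -Name $vmName

# Record the three settings this lab depends on. If adding the Hyper-V role inside
# File-Srvr fails later, this is the first thing to check.
[pscustomobject]@{
    VM             = $vmName
    VirtExtensions = (Get-VMProcessor -VMName $vmName).ExposeVirtualizationExtensions
    DynamicMemory  = (Get-VMMemory -VMName $vmName).DynamicMemoryEnabled
    MacSpoofing    = ((Get-VMNetworkAdapter -VMName $vmName).MacAddressSpoofing -join ', ')
}

# Inside File-Srvr, once it is back up, add the role (this reboots the VM):
#   Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
```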
5.3.1 Open Hyper-V Manager on your Host system > right-click on DC4,
select Export.

5.3.2 Click Browse, create folder on Host system c:\ExportedVMs > Select
folder > click Export.

5.3.3 When the export process is complete, open the ExportedVMs folder and confirm the exported information (Virtual Hard Disks, Virtual Machines and Snapshots subfolders). Share the ExportedVMs folder and grant Read access. The lab grants Read to the Everyone group for simplicity; keep in mind that the exported VHDX of a domain controller contains the Active Directory database (ntds.dit) and with it every domain password hash, so outside the lab restrict the share to the specific account that performs the import.
5.3.4 Log in to File-Srvr as contoso\administrator > connect to the share \\powerpc\exportedvms from the File-Srvr VM (provide host credentials when prompted; in our example the host system's name is PowerPC). To import DC4 as a nested VM in File-Srvr, map a drive letter (I: in the steps below) to this share. The drive will map without another prompt because we have already authenticated to the share.

5.3.5 Open Hyper-V Manager in File-Srvr > right-click the host name, select Import Virtual Machine > Next on Before You Begin > in Locate Folder, click Browse > find the I: drive in This PC and browse to "i:\DC4\Virtual Machines", click Select Folder > Next.

5.3.6 Confirm that DC4 is highlighted in Select Virtual machine, Next >
select copy the virtual machine, click Next > in Choose Folders for Virtual
Machine Files, change paths to the following, Next.
5.3.7 In Choose Folders to Store Virtual Hard Disks use path
C:\Users\Public\Documents\Hyper-V, Next > in connect Network, pick
Virtual switch from drop-down menu, Next > Finish.

5.3.8 File Copy process starts, when completes you will see DC4 listed under
Virtual Machines.

5.3.9 Right-click on DC4 > select Settings > this opens up settings page for
the nested DC4 VM > here we can see the path to our virtual hard disk file.
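Lab 5.3 scripted, as an added example that is not part of the lab book: the export and share on the host (PowerPC), then the mapped drive and import inside File-Srvr. The host name, VM name, share name, I: drive letter and the C:\Users\Public\Documents\Hyper-V destination are the lab's; the name of the virtual switch inside File-Srvr is an assumption.

```powershell
# Added example, not the lab book's own steps. Part 1 runs on the host, part 2 in File-Srvr.
#Requires -RunAsAdministrator

# ---- Part 1: on the host (PowerPC) ----
$exportRoot = 'C:\ExportedVMs'
New-Item -Path $exportRoot -ItemType Directory -Force | Out-Null

# Export-VM writes <name>\Virtual Machines\*.vmcx, \Virtual Hard Disks\*.vhdx and any
# Snapshots. It works on a running VM, but for a domain controller stop it first so the
# exported disk holds a consistent AD database.
Export-VM -Name 'DC4' -Path $exportRoot

# The lab shares to Everyone. A DC's VHDX contains ntds.dit (all domain password hashes),
# so grant Read only to the account that will perform the import.
New-SmbShare -Name 'ExportedVMs' -Path $exportRoot -ReadAccess 'contoso\administrator' | Out-Null

# ---- Part 2: inside File-Srvr, after the Hyper-V role is installed ----
$share   = '\\PowerPC\ExportedVMs'
$vmStore = 'C:\Users\Public\Documents\Hyper-V'
New-PSDrive -Name I -PSProvider FileSystem -Root $share -Persist `
    -Credential (Get-Credential -Message 'Account with Read access on PowerPC') | Out-Null

# The .vmcx under "Virtual Machines" is what the wizard's Locate Folder step reads.
$config = Get-ChildItem 'I:\DC4\Virtual Machines\*.vmcx' | Select-Object -First 1

# -Copy duplicates the files to the destination paths instead of registering them in place
# on the share; -GenerateNewId avoids an ID clash with the original DC4 still on the host.
$imported = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath $vmStore `
    -VhdDestinationPath "$vmStore\Virtual Hard Disks" `
    -SnapshotFilePath "$vmStore\Snapshots" `
    -SmartPagingFilePath "$vmStore\Snapshots"

# If no switch with the exported name exists here, the adapter imports disconnected
# (the wizard's Connect Network step); attach it to File-Srvr's own switch.
Connect-VMNetworkAdapter -VMName $imported.Name -SwitchName 'Internal vSwitch'   # assumed name

# Where the copied VHDX ended up, matching what step 5.3.9 shows in Settings.
Get-VMHardDiskDrive -VMName $imported.Name | Select-Object VMName, ControllerType, Path
```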

!**Important**! VM File-Srvr will be used in Module 8 lab, please make sure you do not remove or delete this VM.

Module 6 - High Availability Lab
!**Prerequisite**! VMs needed to complete labs in this module are CTTC-Node1, CTTC-Node2, & Storage-Srvr. Module 4 labs must be completed successfully before we can work on this lab. Confirm your configuration against the following setup from Module 4.
Two virtual switches (see LS.11b on how to add a new virtual switch):
    iSCSI.Net-12.12.12.0 (Internal virtual switch)
    Heartbeat.Net-11.11.11.0 (Internal virtual switch)
Three virtual machines (see LS.7, LS.8, & LS.10 on how to set these up; see LS.11c on how to add additional vNICs):
Storage-SRVR (two virtual NICs)
    192.168.1.243, mask 255.255.255.0, gateway 192.168.1.1, DNS 192.168.1.225, connects to External vSwitch
    12.12.12.200/24, connects to Internal iSCSI vSwitch
    Two additional virtual hard disks with simple volumes: P: 2.5 TB and Q: 1.9 TB
CTTC-Node1 (three virtual NICs)
    192.168.1.241, mask 255.255.255.0, gateway 192.168.1.1, DNS 192.168.1.225, connects to External vSwitch
    12.12.12.1/24, connects to Internal iSCSI vSwitch
    11.11.11.1/24, connects to Internal Heartbeat vSwitch
CTTC-Node2 (three virtual NICs)
    192.168.1.242, mask 255.255.255.0, gateway 192.168.1.1, DNS 192.168.1.225, connects to External vSwitch
    12.12.12.2/24, connects to Internal iSCSI vSwitch
    11.11.11.2/24, connects to Internal Heartbeat vSwitch
All VMs must be joined to the domain.
The Windows firewall is turned off on all three VMs for this lab. Outside the lab, leave it on: installing the Failover Clustering feature (and the iSCSI Target Server role on the storage server) enables the inbound firewall rule groups those components need.
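A check of the configuration above, as an added example that is not part of the lab book. It compares each VM's IPv4 addresses, domain membership and firewall state against the planned values, then tests reachability from CTTC-Node1 across all three networks. Run it from any domain-joined machine as contoso\administrator; it assumes WinRM is reachable on the three VMs (it is enabled by default on Windows Server 2019) and that the domain's DNS name is contoso.com, as used elsewhere in this lab book.

```powershell
# Added example, not the lab book's own steps. Expected values are the Module 4 plan.
#Requires -RunAsAdministrator

$expected = @{
    'Storage-SRVR' = @('192.168.1.243', '12.12.12.200')
    'CTTC-Node1'   = @('192.168.1.241', '12.12.12.1', '11.11.11.1')
    'CTTC-Node2'   = @('192.168.1.242', '12.12.12.2', '11.11.11.2')
}

$results = foreach ($server in $expected.Keys) {
    $facts = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
        [pscustomobject]@{
            Domain   = (Get-CimInstance Win32_ComputerSystem).Domain
            IPv4     = (Get-NetIPAddress -AddressFamily IPv4 |
                        Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }).IPAddress
            Firewall = ((Get-NetFirewallProfile | Where-Object Enabled -eq $true).Name -join ',')
            NicsUp   = (Get-NetAdapter | Where-Object Status -eq 'Up').Count
        }
    }
    $missing = @($expected[$server] | Where-Object { $_ -notin $facts.IPv4 })
    [pscustomobject]@{
        Server     = $server
        Domain     = $facts.Domain
        NicsUp     = $facts.NicsUp
        MissingIPs = ($missing -join ', ')
        FirewallOn = $facts.Firewall            # lab expects empty; production would not
        OK         = ($missing.Count -eq 0 -and $facts.Domain -eq 'contoso.com')
    }
}
$results | Format-Table -AutoSize

# Reachability from Node1 to its peer on each network and to the iSCSI target. A failure
# on 12.12.12.x or 11.11.11.x usually means a vNIC is on the wrong internal switch.
Invoke-Command -ComputerName 'CTTC-Node1' -ScriptBlock {
    foreach ($target in '192.168.1.242', '12.12.12.2', '11.11.11.2', '12.12.12.200') {
        [pscustomobject]@{
            Target    = $target
            Reachable = Test-Connection -ComputerName $target -Count 1 -Quiet
        }
    }
} | Select-Object Target, Reachable
```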

6.1 Create a Failover Cluster.
In this lab we will create a two-node cluster using CTTC-Node1 and CTTC-Node2. Storage-SRVR will provide centralized iSCSI storage access for both nodes. The three network interface cards in each node provide access to network resources, the dedicated iSCSI network, and the heartbeat network between the two nodes.
High-availability server clusters (HA clusters) are groups of servers that support applications or services so that they can be used reliably with a minimal amount of downtime. HA clusters are often used for mission-critical databases, data sharing, applications, and e-commerce websites spread over a network. High-availability implementations build redundancy into a cluster to remove any single point of failure, including redundant network connections and data storage, which can be connected redundantly via geographically diverse storage area networks.
High availability is usually expressed in terms of several "9"s. Four nines is
99.99% availability. The goal is often expressed as 5 "9"s availability
(99.999%), which equates to five and a quarter minutes of downtime per
year.

6.1.1 Confirm the IP configuration on the Storage-SRVR, CTTC-Node1, & CTTC-Node2 servers.
6.1.2 Log in to CTTC-Node1 as contoso\administrator > we will now add the Failover Clustering feature using PowerShell > open PowerShell and type
Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools

6.1.3 Repeat step 6.1.2 on server CTTC-Node2.
6.1.4 Go back to CTTC-Node1 > right-click on Start button > Disk
Management > right-click on the Disk2 > select New Simple Volume > Next
in Welcome window > take default in Volume size (which is the entire disk
space), Next > select drive letter Q in Assign the following drive letter, Next
> keep default NTFS file system in format partition, make sure Perform a
quick format checkbox is checked, Next > Finish.
6.1.5 Right-click on the Disk1 > select New Simple Volume > Next in
Welcome window > take default in Volume size (which is the entire disk
space), Next > select drive letter S in Assign the following drive letter, Next
> keep default NTFS file system in format partition, make sure Perform a
quick format checkbox is checked, Next > Finish.

6.1.6 Reboot CTTC-Node1 & CTTC-Node2 to complete the Failover Clustering feature install.
6.1.7 Login as contoso\administrator on both nodes.
6.1.8 On CTTC-Node1 > Server Manager > Tools > Failover Cluster Manager > right-click Failover Cluster Manager and select Validate Configuration > Next in Before You Begin > click Browse in Select Servers or a Cluster > in Select Computers, type cttc- in Enter the object names to select > click Check Names.

6.1.9 Select both CTTC-Node1 and CTTC-Node2 in Multiple Names Found, OK > both nodes will be listed, click OK in Select Computers.

6.1.10 Click Next in the Select Servers or a Cluster window > select Run all tests in Testing Options, Next > Next in the Confirmation window.

6.1.11 System will start to validate and run all tests > click Finish in
Summary window.
6.1.12 Right-click on Failover Cluster Manager again > select Create Cluster
> Next in Before you begin > click Browse in Create Cluster Wizard > type
cttc- in Enter the object names and click Check Names > select both Node1
and Node2, click OK > click OK in Select Computers > see both nodes listed
under Select Servers, Next.

6.1.13 Type CTTC-Cluster in Cluster Name and click in Address section and
type 192.168.1.100, hit Next.
6.1.14 Next in Confirmation window > click Finish in Summary window.

6.1.15 Go to Failover Cluster Manager > expand CTTC-Cluster and click the Nodes container > this lists all nodes in the cluster > expand Storage and click Disks to see the two disks, currently owned by Node2.

6.1.16 Log in to DC as contoso\administrator > Server Manager > Tools > Active Directory Users and Computers > click the Computers container to see the computer objects of the two cluster nodes and the newly added object for our cluster name, CTTC-Cluster. Open DNS from Server Manager > Tools and see the CTTC-Cluster host record registered with the configured IP address 192.168.1.100.

6.1.17 Go back to CTTC-Node1 > Failover Cluster Manager > right-click CTTC-Cluster > More Actions > Configure Cluster Quorum Settings.

6.1.18 In Configure Cluster Quorum Wizard Before you begin window click
Next > In select quorum configuration option, click select the quorum
witness, Next button. In select Quorum Witness, click Configure a disk
witness, click Next.

6.1.19 In Configure Storage Witness > check Cluster Disk 1 (10GB), click
Next. Next in confirmation window > click Finish in Summary.

6.1.20 Click Network container in Failover Cluster Manager > click each
Network and identify public production network (192.168.1.0/24), iSCSI, and
Heartbeat Networks.

6.1.21 Click Cluster Network 1 > click Properties in Actions > rename it to Public / Domain Net. Rename the iSCSI and Heartbeat networks as well. For iSCSI Net select Do not allow cluster network communication on this network, so storage traffic is never mixed with cluster traffic. For Heartbeat Net keep Allow cluster network communication on this network but leave Allow clients to connect through this network unchecked; client access belongs only on the public network.
6.1.22 Go to Disk under Storage > select Cluster Disk 2 > click Add to
Cluster Shared Volumes in Actions menu > see Disk 2’s Assigned to change
from Available Storage to Cluster Shared Volume.

6.1.23 Click Roles under CTTC-Cluster > this is where roles installed on the nodes (e.g., File Server or DHCP Server) are configured as clustered roles, so the cluster can fail them over between nodes. At this point our cluster is configured with centralized storage, and the appropriate roles can be added to benefit from Windows failover clustering.
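Lab 6.1 scripted with the FailoverClusters module, as an added example that is not part of the lab book. Run it on CTTC-Node1 as contoso\administrator after both nodes see the iSCSI disks (lab 4.3b). Node names, cluster name and IP are the lab's. It assumes, as the lab shows in step 6.1.19, that the disk the cluster labels "Cluster Disk 1" is the 10 GB witness disk and "Cluster Disk 2" is the data disk; check the Get-ClusterResource output before the quorum step if your disk order differs.

```powershell
# Added example, not the lab book's own steps. Run on CTTC-Node1 as contoso\administrator.
#Requires -RunAsAdministrator

$nodes     = 'CTTC-Node1', 'CTTC-Node2'
$cluster   = 'CTTC-Cluster'
$clusterIP = '192.168.1.100'

# Phase 1 (steps 6.1.2-6.1.6): install the feature on both nodes, then reboot both and
# continue with phase 2.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
} | Select-Object PSComputerName, Success, RestartNeeded

# Phase 2 (steps 6.1.8-6.1.14): validate first. Test-Cluster returns the HTML report; read
# it and fix every failed test before New-Cluster, since a cluster built on a failed
# validation is not a supported configuration.
$report = Test-Cluster -Node $nodes
Write-Host "Validation report: $($report.FullName)"

# New-Cluster would claim all eligible shared disks by itself; -NoStorage keeps that as a
# separate, visible step so the disk-to-role mapping below is deliberate.
New-Cluster -Name $cluster -Node $nodes -StaticAddress $clusterIP -NoStorage | Out-Null
Get-ClusterAvailableDisk -Cluster $cluster | Add-ClusterDisk | Out-Null
Get-ClusterResource -Cluster $cluster | Where-Object ResourceType -eq 'Physical Disk' |
    Select-Object Name, State, OwnerGroup, OwnerNode

# Steps 6.1.17-6.1.19: disk witness, so a two-node cluster survives losing one node.
Set-ClusterQuorum -Cluster $cluster -DiskWitness 'Cluster Disk 1' | Out-Null

# Steps 6.1.20-6.1.21: name networks by subnet and set their roles.
# Role 3 = cluster and client, 1 = cluster only (heartbeat), 0 = none (keep iSCSI clean).
$networkPlan = @{
    '192.168.1.0' = @{ Name = 'Public / Domain Net'; Role = 3 }
    '11.11.11.0'  = @{ Name = 'Heartbeat Net';       Role = 1 }
    '12.12.12.0'  = @{ Name = 'iSCSI Net';           Role = 0 }
}
foreach ($net in Get-ClusterNetwork -Cluster $cluster) {
    $plan = $networkPlan[$net.Address]
    if ($null -ne $plan) {
        $net.Name = $plan.Name      # cluster objects are live; assignment applies at once
        $net.Role = $plan.Role
    }
}
Get-ClusterNetwork -Cluster $cluster | Select-Object Name, Address, Role, State

# Step 6.1.22: Cluster Shared Volume, mounted on every node under C:\ClusterStorage.
Add-ClusterSharedVolume -Cluster $cluster -Name 'Cluster Disk 2' | Out-Null
Get-ClusterSharedVolume -Cluster $cluster | Select-Object Name, State, OwnerNode

# Final state: nodes, quorum, and the DNS record the lab checks on DC in step 6.1.16.
Get-ClusterNode -Cluster $cluster | Select-Object Name, State
Get-ClusterQuorum -Cluster $cluster | Select-Object Cluster, QuorumResource, QuorumType
Resolve-DnsName -Name "$cluster.contoso.com" -Type A | Select-Object Name, IPAddress
```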
Module 7 - Performance Monitoring Labs
!**Prerequisite**! CTTC-Node1 and Windows 10 Client PC virtual machines will be used to complete labs in this module.
Windows Server performance monitoring refers to the range of processes
involved in tracking the server’s key metrics, to ensure excellent
performance. Windows Server includes some basic built-in tools for analysis
and troubleshooting that let you monitor four key aspects of performance,
including the server’s CPU, memory, hard disks, and the network interface
card (NIC). You can examine various metrics related to these components to
see whether the server is behaving as expected.

7.1 Capture performance data with Performance Monitor.
In this lab we will go over Performance monitor tool in Windows. We will
see real-time performance data of different system components using this
tool.
The Microsoft Windows Performance Monitor is a tool that administrators
can use to examine how programs running on their computers affect the
computer's performance. The tool can be used in real time and also be used to
collect information in a log to analyze the data at a later time.
!**Prerequisite**! CTTC-Node1 virtual machine will be used to complete
this lab.
7.1.1 Login to CTTC-Node1 as contoso\administrator > click Start button and
type performance, select Performance Monitor.
7.1.2 Select Performance Monitor and see the Line chart view. Select Report
to see report view. Line option shows a graphical view, while Report shows
numeric value of the component being measured. Click the green Plus button
in toolbar to add system components.

7.1.3 Add Counter window will open > available counters show list of
counters we can select from e.g., CPU, memory, NIC etc. > select computer
section is for monitoring performance for the local or a remote system >
Instance is for number of instances for that component, our example shows
three NICs in the server or a system having two or more CPUs > show
description provides description of the selected counter > expand Network
Interface, select Bytes Total/Sec counter > select All instances and click Add
button.
7.1.4 Expand LogicalDisk and select Avg. Disk Queue Length, select C: in instances > click Add. Do the same for Avg. Disk Bytes/Write. Find Memory in the list and select Available MBytes, click Add > in Processor select % Processor Time, select 0 in instances to select the only CPU the system has, click Add > find System and select Processor Queue Length, click Add.
7.1.5 Click OK in Add Counters window when completed with adding
counters above.
7.1.6 Make sure line graph view is selected, you will see all counters we
added and that system is capturing their real-time performance data.
7.1.7 Right-click on Performance Monitor, select Properties > change Duration from 100 seconds to 600 (10 minutes), click Apply. This changes the time window of activity shown in the line chart.
7.1.8 Click Data tab > here we can change Line chart color, scale, style, and
width > click OK. We will now see all counters we selected with line graph
performance information.

7.1.9 Select the Avg. Disk Bytes/Write counter and click Highlight. This highlights that counter's line in the graph. Create activity in the virtual machine by opening multiple Internet Explorer windows and opening File Explorer to browse the C: drive, and watch the real-time line graph respond.
7.1.10 Now click graph type button and select Histogram and then Report to
view different views.

7.2 System and User Data Collector Sets.
In this lab we will work with system and user generated Data Collector sets.
Data Collector Sets are groups of performance counters, event logs, and
system information that can be used to collect multiple data sets on-demand
or over a period. For example, you can set up a Data Collector Set to collect
processor utilization, and available memory over a 10-min period. Typically,
a report will be generated providing detailed information regarding the data
collected and recommended fixes to performance issues. Data Collector Sets
are broken down into two categories, user, and system.
User-Defined Data Collector Sets are created and configured by an
administrator. These are custom sets that contain counters, event logs, and
trace information defined by the administrator.
System Data Collector Sets are automatically created and defined by the
operating system, applications, and components. By default, two data
collector sets are created during the initial install of Windows operating
system.
!**Prerequisite**! CTTC-Node1 virtual machine will be used to complete
this lab.
7.2.1 Login to CTTC-Node1 as contoso\administrator > click Start button,
type performance, select Performance Monitor > expand Data Collector Sets
> expand System. These are the two system generated Data collector sets.
Right-click on System Performance, click Start.

7.2.2 Once started, System Performance will run for 60 seconds. Create
activity in the system by opening multiple Internet Explorer windows and
visiting different web sites, open command prompt and type dir c:\ /s and hit
enter to run a directory on the entire C drive.
7.2.3 When Data Collector activity completes, click System performance
under System Data Collector set to see path of where the performance file is
generated. Expand Reports container and browse to your generated report.
Generated report shows comprehensive component by component utilization
information. Check out different sections (Diagnostic results, CPU, Network,
Disk, Report statistics etc.) of the report and see measurement taken.
7.2.4 Expand Disk section of the report and check out files causing most IO.

7.2.5 Right-click on System Performance under the System container, Properties > click the Directory tab and view where performance data is created and the available subdirectory name formats > click OK.
7.2.5b To see the performance counters captured in this set > right-click Performance Counter under System Performance, select Properties, and review all the counters it collects.

7.2.6 We will now work with a User Defined collector set. Right-click User Defined under Data Collector Sets > New > Data Collector Set > type Custom Data Set in Name, click Create manually (Advanced), Next > check Performance counter, Next > click Add and add Processor\% Processor Time and PhysicalDisk\Avg. Disk sec/Transfer for the C: drive instance only, change Sample interval to 30 seconds, Next > take the default path in Root directory, Next > click Change to run as administrator credentials, select Open properties for this data collector set, Finish.
7.2.7 Property page for the set will open > confirm configuration in General
and Directory tabs.

7.2.8 We can also schedule this set to execute at a specific date and time >
click Schedule tab, click Add > set desired date and start time, OK > click
Stop Condition, set 4 hours of collection time, OK > provide Administrator
credentials if requested. Keep in mind that we only added one schedule, we
can add multiple schedules if needed.
7.2.9 Verify that our User Defined collector set exist and will execute on the
schedule we configured.
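Labs 7.1 and 7.2 from the command line, as an added example that is not part of the lab book: the counters of lab 7.1 sampled with Get-Counter and summarised, then the user-defined collector set of lab 7.2 created, bounded and started with logman. Run it on CTTC-Node1. The counter paths are the real names behind the GUI labels; the 30-second interval, 4-hour stop condition and C:\PerfLogs\Admin root are the lab's, while the 10 real-time samples, the 256 MB log cap and the "0 C:" disk instance (the C: volume on disk 0) are assumptions.

```powershell
# Added example, not the lab book's own steps. Run on CTTC-Node1 as administrator.
#Requires -RunAsAdministrator

# --- Lab 7.1: real-time sampling of the same counters added in Performance Monitor ---
$counters = @(
    '\Network Interface(*)\Bytes Total/sec'
    '\LogicalDisk(C:)\Avg. Disk Queue Length'
    '\LogicalDisk(C:)\Avg. Disk Bytes/Write'
    '\Memory\Available MBytes'
    '\Processor(_Total)\% Processor Time'
    '\System\Processor Queue Length'
)
$samples = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 10

# The "Report" view, averaged over the window, plus the peak seen per counter.
$samples.CounterSamples | Group-Object Path | ForEach-Object {
    [pscustomobject]@{
        Counter = $_.Name
        Avg     = [math]::Round(($_.Group.CookedValue | Measure-Object -Average).Average, 2)
        Max     = [math]::Round(($_.Group.CookedValue | Measure-Object -Maximum).Maximum, 2)
    }
} | Sort-Object Counter | Format-Table -AutoSize

# --- Lab 7.2: the user-defined Data Collector Set, equivalent to the wizard ---
$setName = 'Custom Data Set'
$outDir  = "C:\PerfLogs\Admin\$setName"     # the root directory the wizard offers by default
New-Item -Path $outDir -ItemType Directory -Force | Out-Null

# -si 30 s sample interval; -f bincirc with -max caps the log at 256 MB so a forgotten set
# cannot fill the system drive (the wizard's default .blg grows without bound);
# -rf 04:00:00 is the 4-hour stop condition from step 7.2.8.
logman create counter "$setName" `
    -c '\Processor(_Total)\% Processor Time' '\PhysicalDisk(0 C:)\Avg. Disk sec/Transfer' `
    -si 00:00:30 -o "$outDir\perf" -f bincirc -max 256 -rf 04:00:00

# Scheduled start instead of starting now (date is a placeholder; format is M/d/yyyy h:mm:ssAMPM):
# logman update "$setName" -b 01/15/2024 10:00:00PM

logman start "$setName"
logman query "$setName"

# Read a finished log back without opening Performance Monitor:
# Import-Counter -Path (Get-ChildItem "$outDir\*.blg" | Select-Object -Last 1).FullName |
#     Select-Object -First 3 -ExpandProperty CounterSamples
```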

7.3 Working with Windows Admin Center
In this lab, we will utilize Windows Admin Center to manage windows
devices.
Windows Admin Center is a locally deployed (with no Azure or cloud
dependency), browser-based app for managing Windows servers, clusters,
hyper-converged infrastructure, as well as Windows 10 PCs. It is a free
product and is ready to use in production.
Windows Admin Center gives you full control over all aspects of your server
infrastructure and is particularly useful for managing servers on private
networks that are not connected to the Internet. It is the modern evolution of
"in-box" management tools, like Server Manager and MMC. It complements
System Center - it is not a replacement.
Windows Admin Center runs in a web browser and manages Windows
Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows
Server 2012, Windows 10, Azure Stack HCI and more through the Windows
Admin Center gateway installed on Windows Server or domain-joined
Windows 10. The gateway manages servers by using Remote PowerShell and
WMI over WinRM. The gateway is included with Windows Admin Center in
a single lightweight .msi package that you can download.
!**Prerequisite**! Windows 10 Client PC virtual machine will be used to
complete this lab. DC VM should be online.
!**Important**! In Lab 1.3 we completed Windows Admin Center’s
download and install.
7.3.1 Login to Windows 10 client VM as contoso\administrator > click Start
button and launch Windows Admin Center > OK to certificate prompt > click
Add to add our DC server > click Add under Servers > click Search Active
Directory, type D* to use wildcard to search on all hostnames starting with D,
click Search > check box next to DC and click Add button.

7.3.2 Select DC in the Admin Center list; the portal opens to manage the DC system > Overview shows information and statistics about the DC server, and we can restart or shut down DC from this section.
7.3.3 Select Files & file sharing; here we can work with all drives and their contents on the DC server without remoting into the system.

7.3.4 Select Remote Desktop, type the administrator's password, check the box to automatically connect, click Connect > you are prompted to change the Remote Desktop settings, click Go to settings > select Allow remote connections to this computer, click Save.
7.3.5 Go back to Remote Desktop > check automatically connect, click
Connect. You should see RDP connection from within your Windows Admin
Center window.

7.3.6 Click Roles & features in Tools and see installed and available to install
server roles. Click Services to restart, stop, pause, or configure services
running on DC. Click Storage to see Disks and Volumes. Click Updates to
view and configure Windows updates.

Module 8 - Disaster Recovery Labs
In this module we will perform disaster recovery on a server using the built-in Windows Server Backup and restore process, and use Hyper-V Replica to replicate Hyper-V virtual machines to a second host.
A solid understanding of the Disaster Recovery (DR) options that your
systems have can help you build a reliable DR plan for your organization.
Most businesses are using some version of Windows Server as core part of
their IT infrastructure and understanding Windows Server’s built-in DR
capabilities can help you protect your mission-critical systems and
applications from data loss and downtime.
!**Prerequisite**! File-Srvr virtual machine will be used to complete this
lab. Make sure we have two additional Disks 200GB with Volume drive E &
1024GB with volume K. To see how we add another Disk to a VM, refer to
lab LS.10a.
8.1 Implement Windows Scheduled Backup.
8.1.1 Login as contoso\administrator on File-Srvr server > Server Manager >
Add roles and features > click Next in Before you begin window > Next in
Select installation type > Next in Select destination server > click Next in
select server role window > click Windows Server Backup in Select features
> click Next.
8.1.2 Check restart server automatically if required > Yes to prompt > click
Install > click Close when installation succeeds.
8.1.3 Go to Server Manager > click Tools > select Windows Server Backup.
In wbadmin click Local Backup, then in Actions pane, click Backup
Schedule > Next in Getting Started window > In Backup configuration click
Custom, Next > click Add items button in Select items for Backup window >
check Bare metal recovery, click OK > Next in Select items for Backup.

8.1.4 In Specify Backup Time select 9:00 PM, click Next > in Specify Destination Type select Back up to a hard disk that is dedicated for backups, click Next > click Show All Available Disks > check the box for the disk to dedicate, click OK, click Next, Yes to the prompt. Note that a dedicated backup disk is reformatted and hidden from File Explorer, so do not choose the K: volume here; lab 8.2 still needs K: as an ordinary volume.
8.1.5 Click Finish on the Confirmation page and Close on Summary.

8.1.6 Open Task Scheduler, click Backup under Windows > Our scheduled
backup is listed > click Actions tab to see what command is executed when
backup runs.
8.2 Implement Windows on-demand Bare Metal
backup.
In this lab we will do an on-demand Bare metal backup on K drive.
Bare metal backup and recovery is a solution type that allows backing up
and restoring the entire system data from one system to another, including
everything from files to programs and drivers.
8.2.1 In the Windows Server Backup (wbadmin) console, Actions pane, click Backup Once.
8.2.2 In Backup Options, click Different options, Next > in Select Backup Configuration, select Custom, click Next > in Select Items for Backup, click Add Items, check Bare metal recovery, click OK, click Next > in Specify Destination Type, select Local drives, click Next.

8.2.3 In Select Backup Destination, confirm K drive, click Next > in the Confirmation page click Backup to start the backup process. Click Close once the backup completes successfully.
8.2.4 Open K drive in File explorer and see the Backup files created.
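Labs 8.1 and 8.2 with the WindowsServerBackup module, as an added example that is not part of the lab book: the 9:00 PM scheduled bare-metal policy to the dedicated E: disk, the one-time bare-metal backup to K:, and a listing of the backup sets on K:, which is the list the System Image Recovery wizard in lab 8.3 reads. Run it on File-Srvr as contoso\administrator; E: and K: are the lab's volumes. Adding the dedicated disk target formats that disk, which is why the E: disk and not K: is chosen for it.

```powershell
# Added example, not the lab book's own steps. Run on File-Srvr as contoso\administrator.
#Requires -RunAsAdministrator
Import-Module WindowsServerBackup

# --- Lab 8.1: nightly bare-metal recovery policy to a dedicated backup disk ---
$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy      # critical volumes, system state and WinRE

# Dedicated disks are reformatted and hidden from Explorer; pick the disk holding E:,
# never K:, which lab 8.2 still needs as a normal volume.
$eDisk = Get-WBDisk | Where-Object { $_.Volumes | Where-Object MountPath -like 'E:*' } |
    Select-Object -First 1
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -Disk $eDisk) -Force
Set-WBSchedule -Policy $policy -Schedule ([datetime]'21:00') | Out-Null
Set-WBPolicy -Policy $policy -Force          # registers the job seen in Task Scheduler
Get-WBPolicy

# --- Lab 8.2: one-time bare-metal backup to the K: volume ---
$once = New-WBPolicy
Add-WBBareMetalRecovery -Policy $once
Add-WBBackupTarget -Policy $once -Target (New-WBBackupTarget -VolumePath 'K:') -Force
Start-WBBackup -Policy $once                 # blocks until the backup finishes

# What lab 8.3's restore wizard will offer: backup sets on K: and the volumes each holds.
Get-WBBackupSet -BackupTarget (New-WBBackupTarget -VolumePath 'K:') |
    Select-Object VersionId, BackupTime,
        @{ n = 'Volumes'; e = { ($_.Volume | ForEach-Object MountPath) -join ', ' } }

# The same restore from the WinRE command prompt instead of the wizard (drive letters can
# differ inside WinRE, so confirm the target with the first command):
#   wbadmin get versions -backupTarget:K:
#   wbadmin start sysrecovery -version:<VersionId> -backupTarget:K: -machine:File-Srvr -restoreAllVolumes -recreateDisks
```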

8.3 Bare Metal Backup Restore
!**Important**! In this lab we will shut down File-Srvr to simulate a failure. We will then detach its drive K (which contains the bare metal backup of File-Srvr) and attach it to a new virtual machine, which will be used to perform a bare metal restore of File-Srvr. We will boot this new VM from the installation media and then complete the bare metal recovery from the attached K drive. Make sure the new VM is created with the same generation (1 or 2) as the original File-Srvr VM: a system image taken from BIOS firmware (Gen 1) cannot be restored onto UEFI firmware (Gen 2), or vice versa.
8.3.1 On your host system > Hyper-V Manager > right-click on File-Srvr
VM, select Shutdown.

8.3.2 Right-click on File-Srvr again, select Settings > select K drive in Drive
list, click Remove button, click Apply, click OK.

8.3.3 Create a new virtual machine named File-Srvr-Recovered > connect it to the virtual switch all VMs are using. Refer to lab LS.4 on how to create a VM. Make sure you connect the Server install .iso file to the DVD drive of the new VM.
8.3.4 We will now attach the File-Srvr K drive to our new VM. Open Settings of the File-Srvr-Recovered VM > click SCSI Controller, select Hard Drive, click Add.
8.3.5 Click Browse, go to the path of the File-Srvr-K virtual disk (containing our bare metal backup), select the File-Srvr-K.vhdx file and click Open > click Apply, click OK.

8.3.6 In Hyper-V Manager, right-click the new VM File-Srvr-Recovered, select Connect > turn on the VM and press any key when prompted to start the Server install process.
8.3.7 Click Next in Windows Server 2019 window > click repair your
computer.

8.3.8 In Choose an option, click Troubleshoot > System Image Recovery in Advanced Options > in Select a system image backup, click Next.
8.3.9 Next in Choose additional restore options > In re-image your computer,
click Finish > Yes to re-image prompt > Restore process will start and when
system is restored, it will restart.

8.3.10 Log in to the File-Srvr-Recovered VM as contoso\administrator > confirm in Server Manager and at a command prompt (hostname, ipconfig) that server File-Srvr has been restored.
8.3.11 This completes lab 8.3. The recovered VM can now be turned off and removed, and the original File-Srvr VM brought back online with its K drive re-attached. Do not run both at the same time: the restored system carries File-Srvr's computer name, IP address and domain computer account, and two live copies will conflict on the network and in Active Directory.

8.4 Implement Hyper-V Replica
In this lab we will configure a Hyper-V Replica server and set up replication of a virtual machine between two servers running the Hyper-V role.
Hyper-V Replica is a free built-in feature of Windows Server Hyper-V for disaster recovery. It contributes to your disaster recovery strategy by maintaining a copy of a production virtual machine on a replica Hyper-V host, so that you can bring the replica virtual machine online quickly after a system crash or major disaster. Hyper-V Replica asynchronously replicates a virtual machine at a primary site to a replica virtual machine at a secondary site.
!**Prerequisite**! We will need the File-Srvr and Hyperv-Replica virtual machines to complete this lab. To create the Hyperv-Replica VM, use labs LS.7, LS.8, & LS.10, and use the Lab Setup VM chart for its IP configuration. Next look at the prerequisite section of lab 5.3, which explains the File-Srvr setup; Hyperv-Replica is set up the same way, as it will also run the Hyper-V role. Replace the PowerShell command for File-Srvr with the following (run on the host while Hyperv-Replica is turned off):
Set-VMProcessor -VMName Hyperv-replica -ExposeVirtualizationExtensions $true
After running the above, add the Hyper-V role to the Hyperv-Replica server, reboot it, and have it ready for this lab.
8.4.1 Log in to the Hyperv-Replica VM with contoso\administrator credentials > Server Manager > Tools, select Hyper-V Manager > in the Actions pane click Hyper-V Settings.
8.4.2 Click Replication Configuration on the left > check Enable this computer as a Replica server > check Use Kerberos (HTTP) > check Allow replication from any authenticated server > click Apply > click OK on the firewall inbound TCP connection prompt > click OK to close Hyper-V Settings. Kerberos over HTTP authenticates the primary server but sends the replicated disk data unencrypted; that is acceptable on this isolated lab network, but across an untrusted network use certificate-based authentication (HTTPS) instead. Allowing any authenticated server is also a lab convenience; the alternative is to list the specific primary servers that may replicate here.

8.4.3 Open Control Panel > in search box, type firewall > select Windows
Defender Firewall > click Advanced settings > select Inbound Rules
container > enable both Hyper-V replica rules > now minimize the Firewall
window.
8.4.4 Login to File-Srvr as contoso\administrator user > Server Manager >
Tools > Hyper-V Manager > select DC4 (our imported VM from lab 5.3) > in
Actions pane at the bottom, click Enable Replication.
8.4.5 Now we start the replication configuration of DC4 VM over to our
Hyperv-replica server > click Next in Before you begin > type
hyperv-replica.contoso.com in Specify Replica Server, click Next > in Specify
Connection Parameters check Use Kerberos authentication (HTTP), change
Replica server port to 80, and confirm the box is checked for Compress the data
that is transmitted over the network > click Next.
8.4.6 In Choose Replication VHDs, make sure DC4.vhdx box is checked > in
Configure replication frequency, select 30 seconds, click Next.

8.4.7 Keep Maintain only the latest recovery point in Configure Additional
Recovery Points, click Next > defaults in Choose Initial Replication Method,
click Next > click Finish.

8.4.8 Back in Hyper-V Manager you will see DC4 replication.


8.4.9 Go to Hyperv-replica server and confirm DC4 replicated in Hyper-V
Manager > open file explorer, go to Hyper-V Replica folder to confirm
replicated VM folders.
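The same configuration done from PowerShell instead of the GUI, as an added example (this is not code from the lab book). It assumes the lab's names: replica host Hyperv-replica (hyperv-replica.contoso.com), primary host File-Srvr, replicated VM DC4, and a replica storage folder whose path is chosen here. The first part runs on Hyperv-replica, the second on File-Srvr, both as contoso\administrator.

```powershell
# Added example, not from the lab book. Assumed names: Hyperv-replica (replica
# host), File-Srvr (primary host), DC4 (VM). The storage path is an assumption.

# ---- On Hyperv-replica: steps 8.4.2 and 8.4.3 ----
$replicaStore = 'C:\Hyper-V Replica'   # assumed folder for replica VM files
New-Item -ItemType Directory -Path $replicaStore -Force | Out-Null

$serverSettings = @{
    ReplicationEnabled              = $true
    AllowedAuthenticationType       = 'Kerberos'   # Kerberos over HTTP, as in 8.4.2
    KerberosAuthenticationPort      = 80
    ReplicationAllowedFromAnyServer = $true        # the lab's setting
    DefaultStorageLocation          = $replicaStore
}
Set-VMReplicationServer @serverSettings

# 8.4.3: open the listener. The HTTPS rule is only needed for certificate-based
# authentication, which this lab does not use.
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# Tighter variant for production: accept replication only from a named primary
# host instead of from any authenticated server.
# Set-VMReplicationServer -ReplicationAllowedFromAnyServer $false
# New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'file-srvr.contoso.com' `
#     -ReplicaStorageLocation $replicaStore -TrustGroup 'ContosoLab'

# ---- On File-Srvr: steps 8.4.4 to 8.4.7 ----
$replication = @{
    VMName                  = 'DC4'
    ReplicaServerName       = 'hyperv-replica.contoso.com'
    ReplicaServerPort       = 80
    AuthenticationType      = 'Kerberos'
    CompressionEnabled      = $true
    ReplicationFrequencySec = 30            # allowed values: 30, 300, 900
}
Enable-VMReplication @replication
Start-VMInitialReplication -VMName 'DC4'   # initial copy over the network (the default)

# ---- Verification (8.4.8 and 8.4.9), run on either host ----
Get-VMReplication | Format-Table VMName, State, Health, Mode, PrimaryServer, ReplicaServer
Measure-VMReplication -VMName 'DC4'
```

Get-VMReplication is the quickest health check after the initial copy: State should reach Replicating and Health should be Normal; anything else points at the firewall rule or the Kerberos/port settings on one of the two hosts.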
Module 9 – Web Services and Remote Desktop Labs
In this lab we will set up a web server and host a site using the HTTP and HTTPS
protocols. We will configure Remote Desktop Protocol for server
administration. Finally, we will deploy RemoteApp using Microsoft Remote
Desktop Services (RDS).
!**Prerequisite**! To complete the labs in this module, create VMs Web-Srvr
and RD-Srvr using labs LS.7, LS.8, & LS.10. The ClientPC VM will also be
needed.
9.1 Install Web Server and create a Web site.
In this lab we will add the Web Server role to Web-Srvr and then configure
Internet Information Services to create a web site.
A web server is a computer that runs websites. It is a computer program that
distributes web pages as they are requested. The basic objective of the
web server is to store, process and deliver web pages to the users. The main
job of a web server is to display the website content. If a web server is not
exposed to the public and is used internally, then it is called an Intranet Server.
Internet Information Services (IIS) for Windows Server is Microsoft's
implementation of a web server. IIS is a secure and manageable web server
for hosting anything on the Web.
9.1.1 Login to Web-Srvr as contoso\administrator user > Server Manager >
Add roles and features > Next in Before you begin > Next in Select
Installation type > select Web-Srvr in Select destination server, click Next >
check Web Server (IIS) in Select Server Roles window, OK on the feature
prompt, click Next > click Next in Select features > Next in Web Server Role
(IIS) > in Select role services, click Next > check the Restart the destination
server automatically if required box in Confirm installation selections,
click Yes to the prompt, click Install > click Close when installation succeeds.
9.1.2 In Server Manager > Tools > IIS > in IIS Manager, expand Web-Srvr,
expand Site, select Default Web Site > click Bindings in Actions pane > Site
bindings shows that default website uses HTTP protocol for connectivity,
click Close.

9.1.3 In Actions pane, click Basic Settings > window shows physical path of
where default webpage exists, click OK > open File explorer and look at the
default webpage file.

9.1.4 Create a text file Default.htm in C:\inetpub\wwwroot > click View in
File Explorer and check the File name extensions box > open this text file and type
This is the default site, close the file and select Save > rename Default.htm.txt to
Default.htm > delete both existing files iisstart.htm and iisstart.png.

9.1.5 Login to ClientPC VM as contoso\administrator > launch Internet
Explorer > type the Web-Srvr VM IP address, 192.168.1.111, in the address bar to open the
web page we created.

9.1.5a Go back to Web-Srvr VM > IIS Manager > right-click Sites and choose
Add Website > In Add Website window > type www in Site name > click the
browse button next to Physical path, and create a folder named www in the
C:\inetpub\wwwroot directory > type www.contoso.com in Host name, click
OK.

9.1.6 Create Default.htm text file in this new www folder > open this text file
and type This is the www.contoso.com site. > close file and select Save >
rename the text file by removing .txt from the file name.

9.1.7 Select our www site in IIS Manager > double click on Default
Document > confirm that Default.htm is at the top of the list. This page will
be loaded when the second site is visited.

9.1.8 Login to DC with contoso\administrator user > Server Manager > Tools
> DNS > expand DC, Forward Lookup Zones, and select contoso.com Zone.
9.1.9 Right-click on contoso.com > click Add A /Host record > in Name type
www > type 192.168.1.111 IP of Web-Srvr in IP address > click Add Host,
click Done. Confirm that the www host record has been created.

9.1.10 Go back to ClientPC VM > In web browser, type the URL
www.contoso.com to connect to the new site we created. DNS will resolve the URL to
the Host record we created, and you will see the webpage of our second site.
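Lab 9.1 done entirely from PowerShell, as an added example that is not from the lab book. It assumes the lab's values (Web-Srvr at 192.168.1.111, DC reachable as dc.contoso.com, zone contoso.com) and runs on Web-Srvr as contoso\administrator; the DNS record is created on DC through PowerShell remoting.

```powershell
# Added example, not from the lab book. Assumed: Web-Srvr is 192.168.1.111,
# the DC is dc.contoso.com, the zone is contoso.com.

# 9.1.1 Install the Web Server (IIS) role with its management tools.
Install-WindowsFeature -Name Web-Server -IncludeManagementTools
Import-Module WebAdministration

# 9.1.4 Replace the IIS start page with our own default document.
$root = 'C:\inetpub\wwwroot'
Remove-Item -Path "$root\iisstart.htm", "$root\iisstart.png" -ErrorAction SilentlyContinue
Set-Content -Path "$root\Default.htm" -Value 'This is the default site'

# 9.1.5a and 9.1.6 Second site, bound by host header so it shares port 80
# with the default site; requests without that host header still reach the default site.
$wwwPath = "$root\www"
New-Item -ItemType Directory -Path $wwwPath -Force | Out-Null
Set-Content -Path "$wwwPath\Default.htm" -Value 'This is the www.contoso.com site.'
New-Website -Name 'www' -PhysicalPath $wwwPath -HostHeader 'www.contoso.com' -Port 80

# 9.1.7 Confirm Default.htm is the first default document for the www site.
$firstDefault = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\www' `
    -Filter 'system.webServer/defaultDocument/files' -Name Collection |
    Select-Object -First 1 -ExpandProperty value
"First default document for www: $firstDefault"

# 9.1.8 and 9.1.9 A record, created on DC (DnsServer module lives there).
Invoke-Command -ComputerName 'dc.contoso.com' -ScriptBlock {
    Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'www' -IPv4Address '192.168.1.111'
}

# 9.1.10 Fetch both sites and show which document each one served.
function Test-LabSite {
    param([string]$Url)
    $response = Invoke-WebRequest -Uri $Url -UseBasicParsing
    '{0} -> HTTP {1}: {2}' -f $Url, $response.StatusCode, $response.Content.Trim()
}
Test-LabSite -Url 'http://192.168.1.111/'
Test-LabSite -Url 'http://www.contoso.com/'
```

Test-LabSite can be run from ClientPC as well; the two lines should return different page text, which proves that the host header, not the IP address, selected the site.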
9.2 Configure Web Server to host secure Web site.
In this lab, we will make the second site we created use the HTTPS protocol to
encrypt data transmission between server and client.
Secure Sockets Layer (SSL) was the most widely deployed cryptographic
protocol for securing internet communications before it was
succeeded by TLS (Transport Layer Security). Despite the deprecation of the
SSL protocol and the adoption of TLS in its place, most people still refer to
this type of technology as ‘SSL’.
SSL provides a secure channel between two machines or devices operating
over the internet or an internal network. One common example is when SSL
is used to secure internet communication, which turns a website’s address
from HTTP to HTTPS, the ‘S’ standing for ‘secure’.
One of the main benefits of HTTPS is that it adds security and trust. It
protects users against man-in-the-middle (MitM) attacks that can be launched
from compromised or insecure networks. Hackers can use such techniques to
steal your customers’ sensitive information.
Implementing SSL secures any data transmitted between server and browser
during a user’s session interacting with a web site.
9.2.1 Open IIS Manager on Web-Srvr > select Web-Srvr and double click on
Server Certificates > click Create Self-Signed Certificate.
9.2.2 In Specify a friendly name type Web-Srvr, click OK > double click on
this new certificate, it will show the self-signed certificate > click OK.

9.2.3 Select www site and click Binding in Edit Site section under Actions
pane > Site Bindings windows, click Add button > in Add Site Bindings,
select https in type, type www.contoso.com in Host name, and select our
self-signed certificate Web-Srvr, click OK, click Close.
9.2.4 Login to ClientPC VM > launch web browser > in address bar type
192.168.1.111, IP of the default website > connectivity occurs using HTTP >
address bar type www.contoso.com, it will connect using HTTPS (SSL)
secure connection with an error because our certificate is self-signed.

9.2.5 Click Details on the certificate error page > click go on to the web page
> click on Certificate error > confirm certificate is our self-signed one. Scroll
down in Certificate Information to confirm.
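The HTTPS binding from PowerShell, plus a check that reads back what the server actually presents, as an added example that is not from the lab book. It runs on Web-Srvr and assumes the www site from lab 9.1. One deliberate difference from the lab: the certificate's DNS name is the site's host name, so the browser's name check passes and only the untrusted-issuer warning remains.

```powershell
# Added example, not from the lab book. Assumes the www site from lab 9.1
# and the host name www.contoso.com.
Import-Module WebAdministration

# 9.2.1 and 9.2.2 Self-signed certificate in the computer's Personal store.
$cert = New-SelfSignedCertificate -DnsName 'www.contoso.com' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -FriendlyName 'Web-Srvr'

# 9.2.3 HTTPS binding with SNI (SslFlags 1) so the host header selects the certificate.
New-WebBinding -Name 'www' -Protocol 'https' -Port 443 -HostHeader 'www.contoso.com' -SslFlags 1
$binding = Get-WebBinding -Name 'www' -Protocol 'https'
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 9.2.4 and 9.2.5 Inspect the served certificate without a browser. Validation is
# bypassed only so the handshake completes and the certificate can be read;
# Issuer equal to Subject is what "self-signed" means.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $served = [System.Security.Cryptography.X509Certificates.X509Certificate2] $ssl.RemoteCertificate
        [pscustomobject]@{
            Protocol   = $ssl.SslProtocol
            Subject    = $served.Subject
            Issuer     = $served.Issuer
            SelfSigned = ($served.Subject -eq $served.Issuer)
            NotAfter   = $served.NotAfter
            Thumbprint = $served.Thumbprint
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

Get-ServedCertificate -HostName 'www.contoso.com'
```

Run Get-ServedCertificate from ClientPC to see the same information the browser shows in 9.2.5: SelfSigned is True and the Thumbprint matches the certificate created on Web-Srvr. Because the callback accepts anything, use it only to inspect a server you operate, never as a general-purpose client.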
9.3 Remote Desktop for Server Administration.
In this lab we will manage a server remotely using Remote Desktop.
Microsoft Remote Desktop is a client application that allows you to access
and control the resources and data of a remote Windows host. It is, in
essence, remote control software. Remote desktop capabilities allow you to
access a work computer for administrative access and/or to change its
configuration.
Remote Desktop Protocol (RDP) is a proprietary protocol developed by
Microsoft which provides a user with a graphical interface to connect to
another computer over a network connection. RDP typically communicates
over TCP port 3389. It provides network access for a remote user over an
encrypted channel.
RDP allows you to take control of a remote computer or virtual machine over a
network connection. With the Cloud and the Internet, that remote computer
or virtual machine can be just about anywhere on the planet.
9.3.1 Login to DC VM as contoso\administrator > right-click on Start button,
select System > in the settings page, click Remote Desktop and confirm it is
enabled. If it is not, enable it.

9.3.1a Login to ClientPC VM as contoso\administrator > click Start and type
mstsc.exe, click Remote Desktop Connection to launch the client > type dc.contoso.com in
Computer > click Show Options to view RDP settings.
9.3.2 Now we will see the options that can be chosen when an RDP session is
established with a remote system. The General tab can be used to save user
credentials on the system so that next time we log in, we will not need to provide
a user name or password; these RDP client options can be saved to a file, or an already
saved file can be opened > The Display tab lets us choose the size of the RDP session
or whether we want that session to be shown on multiple monitors (if you have
them).

9.3.3 Select the Local Resources tab; this tab lets us configure our local resources
to appear on the remote system, e.g. we can select our C: drive from our local
system to show up in our RDP session on the remote system. Sound from the
remote system will be played on the local system when in an RDP session.
The clipboard can be shared between local and remote system when using the
RDP connection, and locally installed printers can be mapped in the RDP session >
click the More button to view further resources that can be mapped between local
and remote system > select local drive C: to be mapped when in the RDP session,
click OK.
9.3.4 Click General tab again > check Allow me to save credentials box >
click Save As button > save file on Desktop by naming it DC-RDP > click
Connect button to establish RDP session with DC.

9.3.5 Windows security window will pop-up requesting authentication > click
More choices > click Use a different account > type contoso\administrator
and password P@ssw.rd as credentials, click OK.
9.3.6 You will now get the DC system’s desktop in your RDP session on
ClientPC.

9.3.7 RDP session basically provides us with the desktop of the target system
remotely. Once connected we can manage our system as if we are locally
logged into it. All Windows management tools are available for access.
Within our RDP session, open Active Directory from Server Manger > Tools
> select Active Directory Users & Computers, we can manage Active
Directory objects from here.
9.3.7a In Active Directory Users and Computers > Right-click the Users
container and create a user with First Name: John, Last Name: Wick and user
logon name: jwick. Use P@ssw.rd as the password for user jwick. Make sure
you de-select User must change password at next logon. Add user jwick to
the Domain Admins group.
9.3.7b Open DNS from Server Manager > Tools > DNS to manage name
resolution.
9.3.8 Now we will see our local C: drive from ClientPC mapped in the RDP
session. Open File Explorer in the RDP session with DC server > click This PC
and see the C: drive of our local system (ClientPC) mapped in the RDP session with
DC server.
9.3.9 Open the mapped C: drive of ClientPC in the RDP session > create a folder named RDPSession at the
root of this drive. Open File Explorer on ClientPC and confirm this new
folder now exists on our local system.

9.3.10 Login to RD-Srvr as contoso\administrator > Right-click on Start
button, select Run > type sysdm.cpl to launch System Properties > click the
Remote tab, select the Allow remote connections option, click OK. This will
enable RDP access to the RD-Srvr.

9.3.11 From ClientPC, launch RDP client and start a session with RD-Srvr to
confirm our changes made in earlier step 9.3.10.
9.3.12 From ClientPC launch the RDP client and login to DC server using jwick
credentials. You will now have two RDP sessions with DC server, one as
administrator and a second as jwick.
9.3.12a From the first RDP session as administrator > right-click Start and select
PowerShell (Admin) > type whoami to confirm your session as the administrator
user.

9.3.12b To view all logged on users on DC server, type quser > the output will
show the logged on users > to force a logoff, type logoff followed by the session ID (in our
example the session ID is 5) > type quser again to confirm that user jwick has
been forced off the server and our RDP session as user jwick is no longer
active.

9.3.13 Logoff from RDP session as administrator user.
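The 9.3 administration tasks scripted in PowerShell, as an added example that is not from the lab book: enabling Remote Desktop on RD-Srvr the way sysdm.cpl does (with Network Level Authentication left on), then turning the quser output into objects so a named user's sessions can be found and logged off without reading the session ID by eye. Server names are the lab's; the function names are this example's own.

```powershell
# Added example, not from the lab book. Run as contoso\administrator.
# Function names (Enable-LabRemoteDesktop, Get-LabSession, Stop-LabUserSession)
# are this example's own, not built-in cmdlets.

# 9.3.1 / 9.3.10 Allow RDP, keep NLA on, open the built-in firewall rule group.
function Enable-LabRemoteDesktop {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
        # Network Level Authentication: the user authenticates before a session is created
        Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}
Enable-LabRemoteDesktop -ComputerName 'rd-srvr.contoso.com'

# 9.3.12b Parse quser into objects. The SESSIONNAME column is blank for
# disconnected sessions, so that group is optional; '>' marks the calling session.
function Get-LabSession {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $pattern = '^\s*(?<Current>>?)(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)'
    quser /server:$ComputerName 2>$null | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                User      = $Matches.User
                Session   = $Matches.Session
                Id        = [int]$Matches.Id
                State     = $Matches.State
                IsCurrent = ($Matches.Current -eq '>')
            }
        }
    }
}

# Force-logoff every session of one user (the lab does this by hand with "logoff 5").
function Stop-LabUserSession {
    param([string]$UserName, [string]$ComputerName = $env:COMPUTERNAME)
    Get-LabSession -ComputerName $ComputerName |
        Where-Object { $_.User -ieq $UserName } |
        ForEach-Object {
            logoff $_.Id /server:$ComputerName
            "Logged off $($_.User) (session $($_.Id), was $($_.State))"
        }
}

Get-LabSession | Format-Table                 # both administrator and jwick listed
Stop-LabUserSession -UserName 'jwick'
Get-LabSession | Format-Table                 # jwick no longer listed
```

Get-LabSession is also a quick way to review who holds interactive sessions on a server, including disconnected ones that quser shows with an empty session name; those still consume resources and keep the user's processes alive until logged off.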


9.4 Deploying RemoteApp using Remote Desktop Services.
In this lab, we will create a Remote Desktop Services (RDS) environment.
This will include adding the Connection Broker, Web Access, Session
Host, and Licensing roles on our RD-Srvr VM. We are adding all these roles
on one server for this lab; in production systems, separate virtual or
physical systems host these roles.
Remote Desktop Services (RDS) is the platform of choice for building
virtualization solutions for every end customer need, including delivering
individual virtualized applications, providing secure mobile and remote
desktop access, and providing end users the ability to run their applications
and desktops from the cloud.
RemoteApps are individual applications that are hosted and run on the
virtualized machine but appear as if they were running on the user's desktop like
local applications. The apps have their own taskbar entry and can be resized and
moved across monitors. They are ideal for deploying and managing key applications in
a secure, remote environment while allowing users to work from and
customize their own desktops.
!**Prerequisite**! Download and install the following free applications on
RD-Srvr VM. RD-Srvr will host the Session Host role and these applications
will be published from the server to clients. If you are unable to obtain these
applications, you can instead only use Windows built-in Calculator, notepad,
and Wordpad as published applications.
Acrobat Reader
CPU-Z
Google Chrome
WinZip
WinRAR
Speccy
9.4.1 Login to RD-Srvr as contoso\administrator > Server Manager > click
Add roles and features > click Next in Before you begin > In Select
installation type, choose Remote Desktop Services installation, click Next >
in Select Deployment Type, choose Standard deployment, click Next > in
Select deployment scenario, choose Session-based desktop deployment >
click Next in Role services.
9.4.2 In RD Connection Broker window > select RD-Srvr and click the arrow
button to choose RD-Srvr as the broker server > click Next.

9.4.3 In RD Web Access & RD Session Host pages, select RD-Srvr, same as
step 9.4.2 > In the Confirmation page, check Restart the destination server
automatically box > click Deploy button. System will start the RDS
installation process and will reboot. Once system comes back online, login as
contoso\administrator and RDS installation process will complete > click
Close button.
9.4.4 In RD-Srvr > Server Manager > Remote Desktop Services >
Deployment Overview shows installed and pending roles. We will now add
Licensing role to our RD-Srvr as well. Click green icon of RD Licensing

9.4.5 Add RD-Srvr as Selected server for RD Licensing role > click Next >
click Close button after installation succeeds. Now RD-Srvr is also listed as
having RD License Installed Role services.

9.4.6 We will now create a self-signed certificate; this certificate will be used
for secure communication between RDS roles and from RDS clients to the session
host server. Right-click on Start button and select PowerShell (Admin) >
type the following two commands to create the certificate and the password we will
use when exporting it in step 9.4.9.
New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName "RDS"
$certPassword = ConvertTo-SecureString -String "Passw.rd" -Force -AsPlainText

9.4.7 Type mmc.exe in the PowerShell window to open Microsoft Management
Console > in the Console1 window click File and select Add/Remove Snap-in >
select Certificates from the Available snap-ins section > click the Add button > select
Computer account, click Next > click Finish > click OK.

9.4.8 We will now export this RDS self-signed certificate so it can be used
for RDS communication. Expand Certificates (Local Computer) > expand Personal > select
Certificates > right-click on the RDS self-signed certificate > All Tasks > select
Export.
9.4.9 Click Next in Wizard page > In Export Private Key, select Yes, export
the private key, click Next > in Select File format, select Personal
Information Exchange, click Next > in Security page check Password box
and type password we provided during self-signed certificate (Passw.rd),
click Next.

9.4.10 In File to export, click Browse button > browse to desktop > type RDS
Certificate in file name > confirm .pfx is the file extension > click Save >
click Next > click Finish > click OK to complete export.

9.4.11 Go back to Server Manager > Remote Desktop Services > Select RD
Licensing under Deployment Servers > click Tasks in Deployment Overview.

9.4.12 In deployment properties page > select RD Licensing > choose Per
User > click RD-Srvr.contoso.com > click Apply button.

9.4.13 Click Certificates > select RD Connection Broker – Enable Single
Sign On under Role Services > click Select Existing Certificate > browse to the
Desktop where our exported RDS Certificate file exists, select the file > click
Open > type Passw.rd in the Password section > check the Allow the certificate to
be added option box, click OK, click Apply.
9.4.14 Make sure Certificates is still selected > select RD Connection Broker
– Publishing in Role Services > click Select existing certificate > browse to
Desktop and select RDS Certificate exported file > type Passw.rd in
Password section > check Allow the certificate to be added box > click OK >
click Apply.

9.4.15 Now complete the certificate selection for RD Web Access Role
service using same steps as 9.4.14. Confirm that all three Role services show
status as OK. Click OK.
9.4.16 We will create an A/Host record named RDS to be used by clients
when they connect to RD Web Access. Login to DC as contoso\administrator
> Server Manager > Tools > DNS > expand DC, Forward lookup zones, and
Contoso.com zone. Right-click contoso.com and select New Host (A or
AAAA) to create an A or Host record > type RDS name > type
192.168.1.239 in IP Address section > click Add Host button > click OK.

9.4.17 Login to ClientPC as contoso\administrator user > open a web browser
> type https://rds.contoso.com to reach the Remote Desktop Services web portal
> proceed past the security prompt > login as contoso\administrator > click
Sign in > since we have not published or virtualized any applications, the Current
folder is empty.
9.4.18 Go back to RD-Srvr > Server Manager > Remote Desktop Services >
click Collections > click Tasks > select Create Session Collection > in Before
you begin, click Next > in Name the collection, type Contoso Apps and type
Applications available to Contoso Users via RDP., click Next > in RD
Session Host, add RD-Srvr to selected servers, click Next > in Specify user
profile disks, uncheck Enable user profile disks box, click Next > click
Create button in Confirm selections window > click Close button when
progress succeeds.
9.4.19 In Server Manager > Remote Desktop Services > Collections, click
Contoso Apps > click Publish Remote Apps.

9.4.20 In Select RemoteApp Programs, check the Acrobat Reader, Calculator,
CPU-Z, Google Chrome, Remote Desktop Connection, Speccy, WinZip,
WinRAR, and WordPad application boxes, click Next > In the Confirmation
page, click the Publish button > click Close on the Completion page.
9.4.21 Go back to our RDS session from ClientPC > click refresh button on
web browser to see all applications that are now published. Click one at a
time to open each virtualized or RemoteApp.

9.4.22 When you see your executed RemoteApps on ClientPC > open Task
Manager > see that none of our RemoteApps that are running on our PC
show up as Tasks > click More Details > click Users tab and expand
Administrator to see all applications running under this account, you will not
see any of the RemoteApps listed.

9.4.23 Go back to RD-Srvr > open Task Manager > click More Details >
click Users tab, here we will see Administrator user listed twice, one is
locally logged in and other is logged in via Remote Desktop Services >
under the RDS user administrator you will see tasks for the RemoteApps we
are running.
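The whole 9.4 deployment from the RemoteDesktop PowerShell module, as an added example that is not from the lab book. It runs on RD-Srvr as contoso\administrator and assumes the lab's values: RD-Srvr is rd-srvr.contoso.com at 192.168.1.239, the client-facing name is rds.contoso.com, and the DC is dc.contoso.com. Two deliberate differences from the GUI steps: the certificate's DNS name is rds.contoso.com (the lab uses the short name RDS), so the name clients type matches the certificate, and only the built-in applications the prerequisite allows are published. New-RDSessionDeployment restarts the server, so the remaining lines run after it comes back.

```powershell
# Added example, not from the lab book. Assumed: RD-Srvr = rd-srvr.contoso.com
# (192.168.1.239), portal name rds.contoso.com, DC = dc.contoso.com. The PFX
# password is the lab's value and belongs only in the lab.
Import-Module RemoteDesktop
$broker = 'rd-srvr.contoso.com'

# 9.4.1 to 9.4.5 Single-server session-based deployment, then the licensing role.
# This call reboots RD-Srvr; continue below after logging back in.
New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $broker -SessionHost $broker
Add-RDServer -Server $broker -Role RDS-LICENSING -ConnectionBroker $broker
Set-RDLicenseConfiguration -LicenseServer $broker -Mode PerUser -ConnectionBroker $broker -Force

# 9.4.6 to 9.4.10 Certificate whose name is what clients type, exported as PFX.
$pfxPath     = 'C:\Users\Administrator\Desktop\RDS Certificate.pfx'
$pfxPassword = ConvertTo-SecureString -String 'Passw.rd' -Force -AsPlainText
$cert = New-SelfSignedCertificate -DnsName 'rds.contoso.com' -CertStoreLocation 'Cert:\LocalMachine\My'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 9.4.13 to 9.4.15 Same certificate for Single Sign On (RDRedirector),
# Publishing and Web Access, then confirm all three show it.
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPassword -ConnectionBroker $broker -Force
}
Get-RDCertificate -ConnectionBroker $broker | Format-Table Role, Level, Subject, ExpiresOn

# 9.4.16 A record for the portal, created on DC.
Invoke-Command -ComputerName 'dc.contoso.com' -ScriptBlock {
    Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'rds' -IPv4Address '192.168.1.239'
}

# 9.4.18 to 9.4.20 Collection (user profile disks stay off, as in the lab) and published apps.
New-RDSessionCollection -CollectionName 'Contoso Apps' -SessionHost $broker -ConnectionBroker $broker `
    -CollectionDescription 'Applications available to Contoso Users via RDP.'
$apps = @{
    'Calculator' = 'C:\Windows\System32\calc.exe'
    'Notepad'    = 'C:\Windows\System32\notepad.exe'
    'WordPad'    = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'
}
foreach ($name in $apps.Keys) {
    New-RDRemoteApp -CollectionName 'Contoso Apps' -DisplayName $name -FilePath $apps[$name] -ConnectionBroker $broker
}
Get-RDRemoteApp -CollectionName 'Contoso Apps' -ConnectionBroker $broker |
    Format-Table DisplayName, FilePath, ShowInWebAccess
```

After the last command, refreshing the portal on ClientPC (step 9.4.21) shows the three published apps; Get-RDCertificate is the place to look first if the portal or the RemoteApp launch complains about the certificate, since each role service keeps its own copy.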