LAB 1

INSTALLING AND
CONFIGURING DOMAIN
CONTROLLERS

AL
RI
TE
MA
THIS LAB CONTAINS THE FOLLOWING EXERCISES AND ACTIVITIES:
ED

Exercise 1.1 Installing a New Forest

HT

Exercise 1.2 Demoting a Domain Controller

IG

Exercise 1.3 Adding a Domain Controller to an Existing Domain

R

Exercise 1.4 Moving Operations Masters

PY

Lab Challenge Seizing Operations Masters

CO

BEFORE YOU BEGIN

The lab environment consists of student workstations connected to a local area network, along with a
server that functions as the domain controller for a domain called adatum.com. The computers
required for this lab are listed in Table 1-1.

1
2 70-742: Identity with Windows Server 2016

Table 1-1
Computers required for Lab 1

Computer Operating System Computer Name

Server (VM 1) Windows Server 2016 LON-DC1
Server (VM 2) Windows Server 2016 TOR-DC1

In addition to the computers, you will also require the software listed in Table 1-2 to complete Lab 1.

Table 1-2
Software required for Lab 1

Software Location
Lab 1 student worksheet Lab01_worksheet.docx (provided by instructor)

Working with Lab Worksheets

Each lab in this manual requires that you answer questions, shoot screen shots, and perform other
activities that you will document in a worksheet named for the lab, such as Lab01_worksheet.docx.
You will find these worksheets on the book companion site. It is recommended that you use a USB
flash drive to store your worksheets, so you can submit them to your instructor for review. As you
perform the exercises in each lab, open the appropriate worksheet file using Word, fill in the required
information, and then save the file to your flash drive.

SCENARIO
After completing this lab, you will be able to:

■■ Install a new forest

■■ Demote a domain controller

■■ Add a domain controller to an existing domain

■■ Move operations masters

■■ Seize operations masters

Estimated lab time: 115 minutes

 Lab 1: Installing and Configuring Domain Controllers 3

Exercise 1.1 Installing a New Forest

Overview In this exercise, you will use the TOR-DC1 server to create a
new forest.
Mindset A forest is a collection of domain tree(s) that shares a common AD
DS. To create a new forest or a new domain, or to add a new domain
controller to an existing domain, you must install the Active Directory
Domain Services role on a Windows Server 2016 computer, and then
run the Active Directory Domain Services Configuration Wizard.
Completion time 30 minutes

1. Log on to TOR-DC1 as adatum\administrator with the password of Pa$$w0rd.

2. On TOR-DC1, right-click the Start button and choose System.

3. On the Control Panel System page, in the Computer name, domain, and workgroup settings
section, click Change settings.

4. In the System Properties dialog box, click Change.

5. In the Computer Name/Domain Changes dialog, click Workgroup and then type Workgroup in
the text box. Click OK.

6. When you are prompted to confirm that you want to continue, click OK.

7. When a welcome to the WORKGROUP workgroup message appears, click OK.

8. Click OK to restart the computer.

9. Click Close to close the System Properties dialog box.

10. When a message indicates you must restart your computer to apply these changes, click
Restart Now.

11. Log on to TOR-DC1 as local administrator with the password of Pa$$w0rd.

12. Click Start, then click the Server Manager tile. In Server Manager, click Manage > Add Roles
and Features.

13. In the Add Roles and Features Wizard, click Next.

14. On the Select installation type page, click Next.

15. On the Select destination server page, click Next.

4 70-742: Identity with Windows Server 2016

16. On the Select server roles, click Active Directory Domain Services. When you are prompted to
confirm that you want to add some features, click Add Features.

17. Back on the Select server roles page, click Next.

18. On the Select features page, click Next.

19. On the Active Directory Domain Services page, click Next.

20. On the Confirm installation selections page, click Install.

21. When Active Directory Domain Services is installed, click Close.

22. On Server Manager, click the yellow triangle with the black exclamation point and then click
Promote this server to a domain controller.

23. In the Active Directory Domain Services Configuration Wizard, on the Deployment
Configuration, click Add a New Forest.

24. In the Root domain name text box, type contoso.com, as shown in Figure 1-1. Click Next.

Figure 1-1
Creating a new forest

25. On the Domain Controllers Options page, type Pa$$w0rd in the Password text box and the
Confirm password text box. Click Next.

26. On the DNS Options page, answer the following question and then click Next.

Question
What is the message displayed in the warning?
1
 Lab 1: Installing and Configuring Domain Controllers 5

27. On the Additional Options page, after CONTOSO appears in the NetBIOS domain name text
box, click Next.

28. On the Paths page, click Next.

29. On the Review Options page, answer the following question and then click Next.

Question
Which additional options will be installed?
2

30. On the Prerequisites Check page, click Install.

31. On TOR-DC1, when Windows reboots, log on as contoso\administrator with the password
of Pa$$w0rd.

32. Open Server Manager and then click Tools > Active Directory Users and Computers. If a
dialog box displays, indicating that the Naming information cannot be located, you may need to
close the dialog box, close Active Directory Users and Computers, and try again in about 10
minutes so that DNS can create the DNS Application Directory Partition for the
DomainDNSZones.contoso.com domain.

33. Expand the contoso.com node and then click the Domain Controllers node.

34. Take a screen shot of Active Directory Users and Computers showing the coontoso.com domain
controllers by pressing Alt+PrtScr and then paste it into your Lab01_worksheet file in the page
provided by pressing Ctrl+V.

[copy screen shot over this text]

35. Close Active Directory Users and Computers.

Leave all windows open for the next exercise.

Exercise 1.2 Demoting a Domain Controller

Overview In this exercise, you will first create a new server. You will then install
and configure Windows Deployment Services, so that you can
quickly install Windows servers in the future.
Mindset To remove a domain controller from an AD DS installation, you must
begin by running the Remove Roles and Features Wizard, as shown
in the following procedure.
Completion time 30 minutes

1. On TOR-DC1, using Server Manager, click Manage > Remove Roles and Features.

2. In the Remove Roles and Features wizard, click Next.

3. On the Server destination server page, click Next.

6 70-742: Identity with Windows Server 2016

4. On the Remove server roles, deselect Active Directory Domain Services.When a message
displays, indicating that you have to remove features, click Remove Features.

5. In the Validation Results dialog box (as shown in Figure 1-2), click Demote this domain
controller.

Figure 1-2
Demoting a domain controller

6. On the Credentials page, click to select Force the removal of this domain controller and then
click Next.

7. When a message indicates that the current roles include Domain Name System (DNS) Server and
Global Catalogs, click to select the Proceed with removal and then click Next.

8. On the New Administrator Password page, for the Password text box and the Confirm password
text boxe, type Pa$$w0rd and click Next.

9. On the Review options page, click Demote. Windows will reboot when done.

10. On TOR-DC1, log on as adminstrator with the password of Pa$$w0rd.

11. Right-click the network status icon on the taskbar and choose Open Network and
Sharing Center.

12. In the Network and Sharing Center window, click Ethernet.

13. In the Ethernet Status dialog box, click Properties.

14. In the Ethernet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
 Lab 1: Installing and Configuring Domain Controllers 7

Question
Which DNS server is configured for TOR-DC1
3

15. Change the Preferred DNS Server to 172.16.0.10 and then click OK.

16. Close the Ethernet Properties dialog box by clicking OK.

17. Close the Ethernet Status dialog box by clicking Close.

18. Close the Network and Sharing Center.

19. Right-click the Start button and choose System.

20. On the Control Panel System page, in the Computer name, domain, and workgroup settings
section, click Change settings.

21. In the System Properties dialog box, click Change.

22. In the Computer Name/Domain Changes dialog box, click Domain and then type adatum.com
in the text box. Click OK.

23. In the Windows Security dialog box, log on as administrator with the password of Pa$$w0rd
and then click OK.

24. When a welcome to the adatum.com domain message appears, take a screen shot by pressing
Alt+PrtScr and then paste it into your Lab01_worksheet file in the page provided by press-
ing Ctrl+V.

[copy screen shot over this text]

25. Click OK.

26. Click OK to restart the computer.

27. Click Close on the System Properties dialog box.

28. When a message indicates that you must restart your computer to apply these changes, click
Restart Now.
8 70-742: Identity with Windows Server 2016

Adding a Domain Controller to an Existing

Exercise 1.3 Domain
Overview In this exercise, you will use the TOR-DC1 server to create a second
domain controller for the adatum.com domain.
Mindset Every Active Directory domain should have a minimum of two
domain controllers. To install a second domain controller, the server
should be pointing to a DNS server for the domain that you just
installed. In addition, it is best that the server is joined to the domain.
Completion time 20 minutes

1. Log on to TOR-DC1 as adatum\administrator with the password of Pa$$w0rd.

2. On Server Manager, click the yellow triangle with the black exclamation point and then click
Promote this server to a domain controller.

3. In the Active Directory Domain Services Configuration Wizard, on the Deployment

Configuration, with Add a domain controller to an existing domain already selected, click Next.

Question
Which site name is assigned to the domain controller?
4

4. On the Domain Controller Options, page, in the Password text box and the Confirm password
text box, type Pa$$w0rd. Click Next.

5. On the DNS Options page, click Next.

6. On the Additional Options page, answer the following questions and then click Next.

Question Which option should be selected when the server is not connected
5 to the network and other domain controllers?

7. On the Paths page, click Next.

8. On the Review Options page, take a screen shot by pressing Alt+PrtScr and then paste it into
your Lab01_worksheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]

9. On the Review Options page, click Next.

10. After the prerequisite check, click Install. After the DC promotion, the system reboots.

11. On TOR-DC1, when Windows reboots, log on as adatum\administrator with the password
of Pa$$w0rd.

12. In Server Manager, click Tools > Active Directory Users and Computers.
 Lab 1: Installing and Configuring Domain Controllers 9

13. Expand the adatum.com node and then click the Domain Controllers node.

14. Take a screen shot of Active Directory Users and Computers showing the coontoso.com domain
controllers by pressing Alt+PrtScr and then paste it into your Lab01_worksheet file in the page
provided by pressing Ctrl+V.

[copy screen shot over this text]

15. Close Active Directory Users and Computers.

16. In Server Manager, click Tools > Active Directory Sites and Services.

17. In Active Directory Sites and Services, expand the Default-First-Site-Name > Servers >
TOR-DC1. Right-click NTDS Settings and choose Properties.

Question
Is the Global Catalog option checked or unchecked?
6

18. Close NTDS Settings Properties by clicking OK.

19. Close Active Directory Sites and Services.

Leave all windows open for the next exercise.

Exercise 1.4 Moving Operations Masters

Overview In this exercise, you will transfer the Operations Masters to another
domain controller.
Mindset If you know that you will be performing maintenance, which will cause
the operations masters to be unavailable, you should move the
operations masters to other domain controllers that will be available
during the maintenance period. While the operations masters are not
available, users may have trouble with recently changed passwords. In
addition, you will not be able to perform certain tasks, such as create
new domains, perform time synchronization, and other functions that
require the operations masters.
Completion time 25 minutes

1. Log on to TOR-DC1 as adatum\administrator with the password of Pa$$w0rd. The Server

Manager console opens.

2. In Server Manager, click Tools > Active Users and Computers. The Active Directory Users and
Computers console opens.

3. Right-click Adatum.com and choose Change Domain Controller. Click TOR-DC1.Adatum.

com and then click OK.

4. Right-click Adatum.com and choose Operations Masters.

10 70-742: Identity with Windows Server 2016

5. To change the RID from Lon-DC1.Adatum.com to TOR-DC1.Adatum.com, click Change on the

RID tab, as shown in Figure 1-3. When you are prompted to confirm this action, click Yes. When
the Operations Master role is transferred, click OK.

Figure 1-3
Transferring the RID Operations Master role

6. Click the PDC tab. Transfer the PDC Emulator to TOR-DC1.

Question Which Operations Master acts as the master time server and is
7 considered authorative for account passwords?

7. Click the Infrastructure tab. Transfer the Infrastructure to TOR-DC1.

8. Close the Operations Masters dialog box.

9. Close the Active Directory Users and Computers console.

10. In Server Manager, click Tools > Active Directory Domains and Trusts. The Active Domains
and Trusts console opens.

11. Right-click Active Directory Domains and Trusts and choose Change Active Directory
Domain Controller. Click TOR-DC1.Adatum.com. Click OK.

12. Right-click Active Directory Domains and Trusts and choose Operations Master. The
Operations Master dialog box showing current Domain Naming Operations Master opens.

13. To change the Operations Master, click Change. When you are prompted to confirm this action,
click Yes. When the transfer is successful, click OK.
 Lab 1: Installing and Configuring Domain Controllers 11

14. Take a screen shot of Active Directory Domains and Trusts by pressing Alt+PrtScr and then
paste it into your Lab01_worksheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]

15. Click Close to close the Operations Master dialog box.

16. Close the Active Directory Domains and Trusts console.

17. Right-click the Start button and choose Run. In the Run dialog box, in the Open text box, type
cmd and then click OK.

18. At the command prompt, execute the following command so that you can use the Schema
Management console.

Regsvr32 schmmgmt.dll

19. When the schmmgmt.dll is registered, click OK.

20. At the command prompt, execute the mmc command. The MMC console opens.

21. Click File > Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

22. Select Active Directory Schema and then click Add. Click OK to close the Add/Remove
Snap-ins dialog box.

23. Right-click Active Directory Schema and choose Connect to Schema Operations Master.

24. Right-click Active Directory Schema and choose Change Active Directory Domain
Controller. Click TOR-DC1.Adatum.com and then click OK. When a warning dis-
plays, click OK.

25. Right-click Active Directory Schema and choose Operations Master. The Change Schema
Master dialog box opens.

26. To change the Schema Master to TOR-DC1, click Change. When you are prompted to confirm
this action, click Yes. When the Operations Master is transferred, click OK.

27. Take a screen shot of the Change Schema Master dialog box by pressing Alt+PrtScr and then
paste it into your Lab01_worksheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]

28. Click Close to close the Change Schema Master dialog box.

29. Close the MMC console. When you are prompted to save the console, click No.

Leave the Command Prompt window open for the next exercise.
12 70-742: Identity with Windows Server 2016

Lab Challenge Seizing Operations Masters

Overview In this lab challenge, instead of transfering the Operations Master, you
will seize the Operations Masters and move them to another domain
controller.
Mindset It is always preferable to transfer roles instead of seizing roles.
Transferring roles is done when the current operations masters are
available. Seizing a role is done when the operations masters are
unavailable for a lengthy period of time.
Completion time 10 minutes

1. Log on to LON-DC1 as adatum\administrator with the password of Pa$$w0rd.

2. From the command prompt, execute the ntdsutil command.

3. At the ntdsutil prompt, execute the roles command.

4. At the fsmo maintenance prompt, execute the connections command.

5. At the server connections prompt, execute the following command:

connect to server lon-dc1

6. At the server connections prompt, execute the quit command.

7. To see the available options, press the ? key and then press Enter, as shown in Figure 1-4.

Figure 1-4
Using ntdsutil
 Lab 1: Installing and Configuring Domain Controllers 13

8. To seize the roles, at the fsmo maintenance prompt, type the following commands, clicking Yes
each time you’re prompted to confirm:

seize schema master

seize naming master

seize RID master

seize infrastructure master

seize PDC

If an “Are you sure?” dialog box appears, click Yes to continue.

9. Take a screen shot of the MMC by pressing Alt+PrtScr and then paste it into your Lab01_work-
sheet file in the page provided by pressing Ctrl+V.

[copy screen shot over this text]

10. At the fsmo maintenance prompt, execute the quit command.

End of lab.