OFFICIAL MICROSOFT LEARNING PRODUCT

10969B
Active Directory® Services with
Windows Server®
ii Active Directory® Services with Windows Server®

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement by Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement by Microsoft of the site or the products contained
therein.

© 2014 Microsoft Corporation. All rights reserved.


Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty
/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.

Product Number: 10969B

Part Number: X19-32458

Released: 02/2014
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of an MPN Member, or (iii) a Microsoft full-time employee.

e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.

i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) an MCT.

o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are an MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:


i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
“customize” refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party code content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code content are included
for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplement the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.


a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to:

• anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.

Note: Since this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French. (The French clauses are translated here into English.)

DISCLAIMER OF WARRANTY. The licensed content is provided "as is". Any use of this licensed content is
at your sole risk. Microsoft gives no other express warranties. You may have additional consumer rights
under local consumer protection law, which this agreement cannot change. Where permitted by local law,
the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You may recover from Microsoft and
its suppliers compensation for direct damages only, up to US$5.00. You may not claim any compensation
for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the licensed content, to services or to content (including code) on third-party
Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages,
the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change the rights conferred on you by the laws of your country
if those laws do not permit it to do so.

Revised July 2013



Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution toward
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Damir Dizdarevic – Subject Matter Expert/Content Developer


Damir Dizdarevic is an MCT, Microsoft® Certified Solutions Expert (MCSE), Microsoft Certified
Technology Specialist (MCTS), and a Microsoft Certified Information Technology Professional (MCITP). He
is a manager and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina.
He also works as a consultant on IT infrastructure and messaging projects. Damir has more than 17 years
of experience on Microsoft platforms, and he specializes in Windows Server®, Exchange Server, security,
and virtualization. He has worked as a subject matter expert and technical reviewer on many Microsoft
Official Courses (MOC) courses, and has published more than 400 articles in various IT magazines, such as
Windows ITPro and INFO Magazine. He's also a frequent and highly rated speaker at most Microsoft
conferences in Eastern Europe. Additionally, Damir is a Microsoft Most Valuable Professional (MVP) for
Windows Server, 7 years in a row. His technical blog is available at http://dizdarevic.ba/ddamirblog.

Andrew J. Warren – Subject Matter Expert/Content Developer


Andrew Warren has more than 25 years of experience in the IT industry, many of which he has spent
teaching and writing. He has been involved as a subject matter expert for many of the Windows Server
2008 and 2012 courses, and the technical lead on a number of other courses. He also has been involved in
developing TechNet sessions on Microsoft Exchange Server 2007. Based in the United Kingdom, he runs
his own IT training and education consultancy.

Ulf B. Simon-Weidner – Subject Matter Expert/Content Developer


Ulf B. Simon-Weidner secured his first jobs in digital electronics and microprocessor programming,
and more than 20 years ago began programming and building network infrastructures. In 1998,
he joined a European provider of infrastructure solutions in Germany, consulting in the Windows®
client/server field, and discovered his passion for Active Directory® in its first days (in the NT 5 Preview,
which was later renamed Windows 2000). Today, he works as the Principal Consultant and Manager for
Microsoft Solutions-Strategy and Presales. He is also an independent author, consultant, speaker, and
trainer. For the past decade, he has repeatedly been named a Microsoft Most Valuable Professional
(MVP) for Windows Server – Directory Services, and he has been a Microsoft Certified Trainer for more
than 10 years. Throughout his professional career, Ulf Simon-Weidner has had countless consulting
engagements with major European and global corporations. He has published multiple books and several
magazine articles about Active Directory, Windows Server infrastructure, Windows clients, and security. Ulf is
often a visiting speaker at conferences such as Microsoft TechEd North America and Europe, the Directory
Experts Conference and The Experts Conference, and contributes his technical and from-the-field experience
to multiple Windows Server courses as a technical reviewer and author.

Byron Wright – Subject Matter Expert/Content Developer

Byron Wright is a partner in a consulting firm, where he performs network consulting, computer-systems
implementation, and technical training. Byron is also a sessional instructor for the Asper School of
Business at the University of Manitoba, teaching management information systems and networking.
Byron has authored and coauthored a number of books on Windows Servers, Windows Vista, and
Microsoft Exchange Server, including the Windows Server 2008 Active Directory Resource Kit.

Marcin Policht – Technical Reviewer

Marcin Policht obtained his Master of Computer Science degree more than 15 years ago, and he has
since been working in the Information Technology field, handling a variety of responsibilities but focusing
primarily on Directory Services, Virtualization, System Management, and Database Management.

He has authored the first book dedicated to Windows Management Instrumentation and co-written
several others dealing with subjects ranging from core operating system features to high-availability
solutions. His articles have been published on such web sites as ServerWatch.com and
DatabaseJournal.com. For his contributions to the Microsoft technical community, he has been
awarded the title of Microsoft MVP over the last seven years.

Module 1: Overview of Access and Information Protection

Lab: Choosing an Appropriate Access and Information Protection Management Solution

Exercise 1: Analyze the Lab Scenario and Identify Business Requirements

▶ Task 1: Read lab scenario and identify key business requirements

1. Read the lab scenario carefully.

2. Identify key business and technical requirements.

3. List the requirements. From the lab scenario, the requirements can be identified as the following:

o A. Datum Corporation wants a more secure method of authentication.

o Documents must be accessible only by authorized persons, no matter where they reside.

o Users from Contoso, Ltd. must be able to access web applications on the A. Datum web server
with their accounts from Contoso.

o Developers must have a more efficient testing platform.

o Developers must have the ability to use iOS devices to access certain resources.

o Conflicts between the HR database and Active Directory Domain Services (AD DS) should be
resolved.

Exercise 2: Propose a Solution

▶ Task 1: Propose a solution by answering questions
1. Use the list of requirements from the previous exercise.

2. Propose a technology or product that you should implement for each requirement, for example:
o A. Datum wants a more secure authentication method. You can address this requirement by
implementing smart card authentication with Microsoft Forefront Identity Manager (FIM)
Certificate Management components for smart card management.

o Documents must be accessible only by authorized persons, no matter where they reside. You
can address this requirement by implementing Active Directory Rights Management Services
(AD RMS) technology. This technology protects the documents independently of NTFS file system
permissions or the location of documents.

o Users from Contoso must be able to access web applications on the A. Datum web server with
their accounts from Contoso. You can address this requirement by implementing Active Directory
Federation Services technology.

o Developers must have a more efficient testing platform. You can address this requirement by
implementing Active Directory Lightweight Directory Services technology. This will provide
developers with the ability to establish their own directory database for testing purposes.

o Developers must have the ability to use iOS devices to access certain resources. You can address
this requirement by implementing Workspace Join technology.

o Conflicts between the HR database and AD DS should be resolved. You can address this
requirement by implementing FIM components and directory synchronization.
3. Discuss your solutions with the class, and try to provide some alternative solutions.

Module 2: Advanced Deployment and Administration of AD DS

Lab: Deploying and Administering AD DS

Exercise 1: Deploying AD DS

▶ Task 1: Install AD DS binaries
1. Switch to LON-DC1.

2. In Server Manager, click Tools, and then click Windows PowerShell.


3. At a command prompt in the Windows PowerShell command-line interface, type the following
command, and then press Enter:

Install-WindowsFeature -Name AD-Domain-Services -ComputerName LON-SVR1

4. Wait until the installation finishes. Type the following command to verify that the Active Directory
Domain Services (AD DS) role is installed on LON-SVR1, and then press Enter:

Get-WindowsFeature -ComputerName LON-SVR1

5. In the output of the previous command, scroll up and search for “Active Directory Domain
Services.” Verify that its check box is selected. Also, search for “Remote Server Administration
Tools.” Look for the Role Administration Tools node below it, and then look for the AD DS and
AD LDS Tools node. Note that below that node, only Active Directory module for Windows PowerShell
has been installed, not graphical tools such as Active Directory Administrative Center. If you
manage your servers centrally, you usually do not need these tools on each server. If you want to install
them, add the RSAT-ADDS feature to the Install-WindowsFeature command.

▶ Task 2: Prepare the AD DS installation and promote a remote server

Add LON-SVR1 to Server Manager on LON-DC1


1. On LON-DC1, in Server Manager, select the All Servers view.
2. On the top menu, click the Manage menu, and then select Add Servers.

3. In the Add Servers dialog box, maintain the default settings, and then click Find Now.

4. In the Active Directory list of servers, select LON-SVR1, click the arrow to add it to the Selected list,
and then click OK.

Configure AD DS remotely by using Server Manager


1. On LON-DC1, when the installation of the AD DS role on LON-SVR1 is finished and the server is
added to Server Manager, in Server Manager, on the top menu, click the Notifications flag symbol.

2. Note the Post-deployment Configuration of LON-SVR1, and then click the Promote this server to a
domain controller link.

3. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration
page, select the deployment operation Add a domain controller to an existing domain.
Ensure that the domain Adatum.com is specified. In the Supply the credentials to perform this
operation section, click Change.

4. In the Credentials for deployment operation dialog box, enter the following, click OK, and then
click Next:

o User name: Adatum\Administrator


o Password: Pa$$w0rd

5. On the Domain Controller Options page, remove the selections for the Domain Name System
(DNS) server and Global Catalog (GC). Read-only domain controller (RODC) also should not be
selected.

6. In the Type the Directory Services Restore Mode (DSRM) password section, enter and confirm the
password Pa$$w0rd, and then click Next.
7. On the Additional Options page, click Next.

8. On the Paths page, keep the default path settings for the Database folder, Log files folder, and
SYSVOL folder, and then click Next.
9. On the Review Options page, open the generated Windows PowerShell script by clicking View
script.

10. In Notepad, edit the generated Windows PowerShell script:


o Delete comment lines introduced with the number sign (#).

o Remove the Import-Module line.

o Remove the grave accent (`) symbols at the end of each line.

o Remove the line breaks.


11. Now the command Install-ADDSDomainController and all parameters are in one line. Place the
cursor in front of the line, and then press Shift+End to mark the whole line. In the menu, click Edit,
and then click Copy.

12. Switch to the Active Directory Domain Services Configuration Wizard, and then click Cancel. Confirm
with Yes to cancel the wizard.
13. Switch to Server Manager. From the menu, click Tools, and then click Windows PowerShell.

14. At the Windows PowerShell command prompt, type the following command:

Invoke-Command -ComputerName LON-SVR1 { }

15. Place the cursor between the braces, paste the content of the copied script line from the clipboard,
and then press Enter to start the command. The whole line should now be:

Invoke-Command -ComputerName LON-SVR1 { Install-ADDSDomainController -NoGlobalCatalog:$true -CreateDnsDelegation:$false -Credential (Get-Credential) -CriticalReplicationOnly:$false -DatabasePath "C:\Windows\NTDS" -DomainName "Adatum.com" -InstallDns:$false -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SiteName "Default-First-Site-Name" -SysvolPath "C:\Windows\SYSVOL" -Force:$true }

16. In the Windows PowerShell Credential Request dialog box, enter the following, and then click OK:
o User name: Adatum\Administrator

o Password: Pa$$w0rd

17. When prompted, enter and confirm the SafeModeAdministratorPassword as Pa$$w0rd.


18. Wait until the command executes and “Status Success” returns. LON-SVR1 restarts.

19. Switch to Notepad, and then close it. When prompted, click Don’t Save.

20. After LON-SVR1 restarts, on LON-DC1, switch to Server Manager, and on the left-hand side, click the
AD DS node. Note that LON-SVR1 has been added as a server and that the warning notification has
disappeared. You might have to click Refresh.

▶ Task 3: Run the AD DS Best Practices Analyzer

1. On LON-DC1, in Server Manager, go to the AD DS dashboard view.

2. Scroll down to the Best Practices Analyzer section, click the Tasks menu, and then select Start BPA
Scan.
3. In the Select Servers dialog box, select LON-DC1.Adatum.com and LON-SVR1.Adatum.com.

4. Click Start Scan, and then wait until the Best Practices Analyzer (BPA) has finished the scan.

5. Review the results of the BPA.

Exercise 2: Deploying Domain Controllers by Performing Domain Controller Cloning

▶ Task 1: Check for domain controller clone prerequisites
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. In Active Directory Administrative Center, double-click Adatum (local), and then in the details pane,
double-click the Domain Controllers organizational unit (OU).

3. In the details pane, select LON-DC1, and then in the Tasks pane, in the LON-DC1 section, click Add
to group.

4. In the Select Groups dialog box, in the Enter the object names to select, type Cloneable, and then
click Check Names.
5. Ensure that the group name is expanded to Cloneable Domain Controllers, and then click OK.

6. On LON-DC1, in the taskbar, click the Windows PowerShell icon.

7. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Get-ADDCCloningExcludedApplicationList

8. Verify the list of critical apps. In production, you would need to verify each app or use a domain
controller that has fewer apps installed by default. Accept the risk, type the following command, and
then press Enter:

Get-ADDCCloningExcludedApplicationList -GenerateXML

9. Now, type the following command to create the DCCloneConfig.xml file, and then press Enter.

New-ADDCCloneConfigFile

▶ Task 2: Copy the source domain controller

1. Type the following command to shut down LON-DC1, and then press Enter:

Stop-Computer

2. On the host computer, in Hyper-V Manager, in the details pane, select the 10969B-LON-DC1 virtual
machine.

3. In the Actions pane, in the 10969B-LON-DC1 section, click Export.


4. In the Export Virtual Machine dialog box, type the location D:\Program Files\Microsoft Learning
\10969, and then click Export.

Note: Depending on your classroom’s setup, the Program Files\Microsoft Learning\10969
folder might be on drive C. Please locate and use the existing folder for the remainder of the lab.

5. Wait until the export finishes.

6. In the Actions pane, in the 10969B-LON-DC1 section, click Start, and then sign in as
Adatum\Administrator with password Pa$$w0rd.

▶ Task 3: Perform domain controller cloning

1. On the host computer, switch to Hyper-V Manager.
2. In the Actions pane, in the upper section that is named for the host computer, click Import Virtual
Machine.

3. In the Import Virtual Machine Wizard, on the Before You Begin page, click Next.
4. On the Locate Folder page, click Browse, select the D:\Program Files\Microsoft Learning\10969
\10969B-LON-DC1 folder, click Select Folder, and then click Next.

5. On the Select Virtual Machine page, select 10969B-LON-DC1, and then click Next.
6. On the Choose Import Type page, select Copy the virtual machine (create a new unique ID), and
then click Next.

7. On the Choose Folders for Virtual Machine Files page, select the Store the virtual machine in
a different location check box. For each folder location, provide the path D:\Program Files
\Microsoft Learning\10969\, and then click Next.

8. On the Choose Folders to Store Virtual Hard Disks page, provide the path D:\Program Files
\Microsoft Learning\10969\, and then click Next.
9. On the Completing Import Wizard page, click Finish.

10. In the details pane, identify and select the newly imported virtual machine 10969B-LON-DC1, which
has the State shown as Off. In the lower section of the Actions pane, click Rename.

11. In the virtual machines pane, in the name column, type 10969B-LON-DC3 as the name, and then
press Enter.

12. In the Actions pane, in the 10969B-LON-DC3 section, click Start, and then click Connect to start the
machine.

13. While the server is starting, note the “Domain Controller cloning is at x% completion” message.

Exercise 3: Administering AD DS
▶ Task 1: Use Active Directory Administrative Center

Navigate within Active Directory Administrative Center


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.

2. Switch to the tree view, and then expand Adatum (local).

Perform an administrative task within Active Directory Administrative Center


1. In Active Directory Administrative Center, click Overview.

2. In the Reset Password box, in the User name field, type Adatum\Adam.
3. In the Password and Confirm password fields, type Pa$$w0rd.

4. Clear the check box for User must change password at next log on, and then click Apply.

5. In the Global Search section, type Rex in the Search field, and then press Enter.

Create objects
1. In Active Directory Administrative Center, in the Navigation pane, click Adatum (local), and then
click Computers.
2. In the Tasks pane, in the Computers section, click New, and then select Computer.

3. In the Create Computer dialog box, enter the following information, and then click OK:

o Computer name: LON-CL4


o Computer (NetBIOS) name: LON-CL4

View all object attributes


1. In Active Directory Administrative Center, double-click Adatum (local), and then in the details pane,
double-click Computers.
2. Select LON-CL4, and in the Tasks pane, in the LON-CL4 section, click Properties.

3. In the LON-CL4 properties window, scroll down to the Extensions section, click the Attribute Editor
tab, and then note that all attributes of the computer object are available here.

4. Close the LON-CL4 properties window by clicking Cancel.

Use the Windows PowerShell History viewer


1. In Active Directory Administrative Center, click the Windows PowerShell History toolbar at the
bottom of the screen.

2. View the details for the New-ADComputer cmdlet that was used to perform the most recent task.

3. On LON-DC1, close all open windows.

▶ Task 2: Use Windows PowerShell to administer AD DS

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory module for Windows
PowerShell.

2. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-ADUser -Filter {Department -eq 'Marketing'} -Properties department | ft name,department

3. Verify in the output of the command that all users belong to the Marketing department.

4. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-ADUser -LDAPFilter "(&(objectClass=User)(department=Marketing))" -Properties sn | where {$_.sn -ge 'L'} | Set-ADUser -Department 'Marketing2'

5. In Server Manager, click Tools, and then click Active Directory Administrative Center.

6. In Active Directory Administrative Center, double-click Adatum (local), in the details pane, scroll
down, and then double-click Marketing.
7. Confirm that user accounts with a last name beginning with L through Z have the department
Marketing2 in their properties.

8. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false}

9. Verify in the output of the command that the domain controller’s default OU is not protected from
accidental deletion.
10. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

11. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false}

12. Verify that the domain controller’s OU is no longer listed. The results are empty because the domain
controller’s OU is now protected from accidental deletion.
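As an added example that is not part of the lab, the following Windows PowerShell script generalizes steps 8 through 12: it lists every OU in the domain (or in a chosen subtree) that is not protected from accidental deletion, protects them, and supports -WhatIf so the change can be previewed before it is applied. It assumes the Active Directory module and permission to modify the OUs; the function names are my own.

```powershell
# Added example, not part of the lab: find and protect unprotected OUs.
# Assumes the Active Directory module is available and the caller can modify OUs.
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    [CmdletBinding()]
    param(
        # Subtree to inspect; defaults to the whole domain
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # ProtectedFromAccidentalDeletion is not returned by default, so request it
    # explicitly and filter on the boolean value.
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Protect-UnprotectedOU {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $unprotected = @(Get-UnprotectedOU -SearchBase $SearchBase)
    foreach ($ou in $unprotected) {
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Set ProtectedFromAccidentalDeletion = True')) {
            Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true
        }
    }
    # Return the OUs that were (or would have been) changed so the run can be logged
    $unprotected | Select-Object Name, DistinguishedName
}

# Preview the change, apply it, then confirm that nothing is left unprotected
Protect-UnprotectedOU -WhatIf
Protect-UnprotectedOU | Format-Table -AutoSize
if (-not (Get-UnprotectedOU)) { 'All OUs are now protected from accidental deletion.' }
```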

▶ Prepare for the next module

When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.

2. Right-click 10969B-LON-DC3, and then click Turn Off.

3. In the Turn Off Machine dialog box, click Turn Off.


4. Right-click 10969B-LON-DC3, then click Delete.

5. In the Delete Selected Virtual Machines dialog box, click Delete.

6. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.

7. In the Revert Virtual Machine dialog box, click Revert.


8. Repeat steps 6 and 7 for 10969B-LON-SVR1.

Module 3: Securing AD DS
Lab: Securing AD DS
Exercise 1: Implementing Security Policies for Accounts, Passwords, and
Administrative Groups
▶ Task 1: Identify the required settings

1. Read the documentation provided.

2. Fill in the table of settings according to the requirements of A. Datum Corporation.

Setting                                     | Configuration for all users | Configuration for IT administrators
--------------------------------------------|-----------------------------|------------------------------------
Enforce password history                    | 10                          | 10
Maximum password age                        | 60 days                     | 30 days
Minimum password age                        | 1 day                       | 1 day
Minimum password length                     | 8 characters                | 10 characters
Passwords must meet complexity requirements | True                        | True
Store password using reversible encryption  | False                       | False
Account lockout duration                    | 1 hour                      | Administrator must unlock
Account lockout threshold                   | 5                           | 3
Reset account lockout counter after         | 20 minutes                  | 20 minutes

3. Answer the additional questions from the proposals document.

Questions
1. How can you configure different password and account lockout settings for information technology (IT)
administrators than for regular users?

Answer: Use the Default Domain Policy, which applies to all users, and create a fine-grained
password policy object that applies only to the required administrative groups.

2. How can you identify IT administrators in terms of more restricted password and account lockout
settings?

Answer: The administrative password and account lockout settings should apply to the IT group and
the Domain Admins group.

3. How can you meet the requirement to limit the membership list for the local Administrators groups
on all member servers to only the local Administrator account, the Domain Admins group, and the IT
group?

Answer: Ensure that the domain member servers are in the same organizational unit (OU)
hierarchy. Link a policy to that OU and use the Restricted Groups feature to force the local
Administrators group to contain only the local Administrator account, the Domain Admins group, and the IT group.
4. How can you meet the requirement that the Domain Admins group must include only the
Administrator account and that the Enterprise Admins and Schema Admins groups must be empty
during normal operations?

Answer: You cannot configure groups other than local groups with the restricted groups feature. For
Domain Admins, Enterprise Admins, and Schema Admins, you must configure the group membership
manually and audit their changes.
5. How can you meet the requirement that other built-in groups, such as Account Operators and Server
Operators, must not contain members?

Answer: Use the restricted groups feature.


6. How can you meet the requirement that you must audit all changes to users or groups in Active
Directory Domain Services (AD DS)?

Answer: Configure advanced auditing policies to audit directory services changes.

▶ Task 2: Configure password settings for all users

1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, in the navigation pane, expand Forest: Adatum.com
\Domains\Adatum.com\Group Policy Objects, and then select the Default Domain Policy.

3. Right-click Default Domain Policy, and then click Edit.


4. In the Group Policy Management Editor window, in the navigation pane, expand Computer
Configuration\Policies\Windows Settings\Security Settings\Account Policies, and then double-
click Password Policy.
5. In the details pane, double-click Enforce password history.

6. In the Enforce password history Properties dialog box, ensure that Define this policy setting is
selected.
7. Configure Keep password history for: to 10 passwords remembered, click OK, and then double-
click Maximum password age.

8. In the Maximum password age Properties dialog box, ensure that Define this policy setting is
selected.

9. Configure Password will expire in to 60 days, click OK, and then double-click Minimum
password age.

10. In the Minimum password age Properties dialog box, ensure that Define this policy setting is
selected.

11. Configure Password can be changed after to 1 day, click OK, and then double-click Minimum
password length.

12. In the Minimum password length Properties dialog box, ensure that Define this policy setting is
selected.

13. Configure Password must be at least to 8 characters, click OK, and then double-click Password
must meet complexity requirements.

14. In the Password must meet complexity requirements Properties dialog box, ensure that Define
this policy setting is selected.
15. Select Enabled, click OK, and then double-click Store passwords using reversible encryption.

16. In the Store passwords using reversible encryption Properties dialog box, ensure that Define this
policy setting is selected.

17. Select Disabled, and then click OK.

18. In the navigation pane, click to select Account Lockout Policy.

19. In the details pane, double-click Account lockout duration.

20. In the Account lockout duration Properties dialog box, click Define this policy setting.

21. Configure Account is locked out for to 60 minutes, and then click OK.

22. In the Suggested Value Changes dialog box, click OK, and then double-click Account lockout
threshold.

23. In the Account lockout threshold Properties dialog box, configure Account will lock out after to
5 invalid logon attempts, click OK, and then double-click Reset account lockout counter after.
24. In the Reset account lockout counter after Properties dialog box, configure Reset account
lockout counter after to 20 minutes, and then click OK.
25. Close the Group Policy Management Editor window and the Group Policy Management Console.

▶ Task 3: Configure a PSO for IT administrators

1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. In Active Directory Administrative Center, in the navigation pane, click Adatum (local).

3. In the details pane, scroll to and double-click System, and then double-click Password Settings
Container.

4. In the Tasks pane, in the Password Settings Container section, click New, and then click Password
Settings.

5. In the Create Password Settings dialog box, in the Password Settings section, in the Name field,
type Adatum Administrators Password Settings.

6. In the Precedence field, type 10, and then ensure that Enforce minimum password length is
selected.

7. In the Minimum password length (characters) text box, type 10, and then ensure that Enforce
password history is selected.

8. In the Number of passwords remembered text box, type 10, ensure that Password must meet
complexity requirements is selected, and then ensure that Store password using reversible
encryption is not selected.

9. Under Password age options, ensure that Enforce minimum password age is selected.

10. In the User cannot change the password within (days) text box, type 1, and then ensure that the
Enforce maximum password age check box is selected.

11. In the User must change the password after (days) text box, type 30, and then select the Enforce
account lockout policy check box.

12. In the Number of failed logon attempts allowed text box, type 3.

13. In the Reset failed logon attempts count after (mins) text box, type 20, and then select Account
will be locked out, Until an administrator manually unlocks the account.
14. In the Directly Applies To section, click Add.

15. In the Select Users or Groups dialog box, under Enter the object names to select, type IT, and then
click Check Names.

16. The Name Not Found dialog box appears because IT is a universal group, not a global group.
Click Cancel.

17. Switch to Server Manager, click Tools, and then click Windows PowerShell.

18. In the Windows PowerShell command-line interface, type the following command, and then press
Enter:

Get-ADGroup IT

19. Verify that the IT group has a group scope of Universal.


20. Type the following command, and then press Enter:

Set-ADGroup IT –GroupScope Global

21. Switch back to the Create Password Settings: Adatum Administrators Password Settings dialog
box.

22. In the Select Users or Groups dialog box, under Enter the object names to select, type IT; Domain
Admins, and then click Check Names. Both names are now resolved. Click OK.

23. Click OK to close the Create Password Settings: Adatum Administrators Password Settings
dialog box and create the Password Settings object (PSO).

24. In Active Directory Administrative Center, in the navigation pane, click Overview.

25. In the details pane, in the Global Search box, type Brad Sutton, and then press Enter. The user
object of Brad Sutton is found.
26. In the Tasks pane, click View resultant password settings. Note that the Adatum Administrators
Password Settings PSO applies (Brad is in the IT group), and then click Cancel.

27. In the Global Search box, type Benno Kurmann, and then press Enter.

28. In the Tasks pane, click View resultant password settings. Note that no resultant fine-grained
password settings apply (Benno is not in the IT group, so the Default Domain Policy settings apply
to him), and then click OK.

29. Close Active Directory Administrative Center and Windows PowerShell.
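As an added example that is not part of the lab, the following Windows PowerShell script builds the same PSO from the Task 1 settings table without the Active Directory Administrative Center, handles the universal-group problem from step 16 before linking the PSO, and then reports the resultant policy for the two accounts checked in steps 25 through 28. It assumes the Active Directory module and Domain Admins rights; the one assumption about cmdlet behaviour is that a LockoutDuration of 0 expresses "until an administrator manually unlocks the account", so confirm the stored value before relying on it.

```powershell
# Added example, not part of the lab: create the IT administrators PSO from the
# Task 1 settings table and check which policy applies to a user.
# Assumes the Active Directory module and Domain Admins rights. Group and PSO
# names are the ones used in the lab.
Import-Module ActiveDirectory

$psoName  = 'Adatum Administrators Password Settings'
$subjects = 'IT', 'Domain Admins'

# A PSO can be applied only to users and global security groups, which is why
# the Administrative Center could not resolve the universal IT group in step 16.
# Convert any subject that is not a global group before linking the PSO.
foreach ($name in $subjects) {
    $group = Get-ADGroup -Identity $name
    if ($group.GroupScope -ne 'Global') {
        Write-Warning "$name has scope $($group.GroupScope); changing it to Global."
        Set-ADGroup -Identity $group -GroupScope Global
    }
}

# Values from the "Configuration for IT administrators" column of the table.
# ASSUMPTION: a LockoutDuration of 0 is used here to express "until an administrator
# manually unlocks the account"; confirm the stored value in your environment with
# Get-ADFineGrainedPasswordPolicy before relying on it.
$pso = New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 10 `
    -MinPasswordLength 10 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 20) `
    -LockoutDuration (New-TimeSpan -Minutes 0) `
    -ProtectedFromAccidentalDeletion $true `
    -PassThru

# Link the PSO to the IT and Domain Admins groups (the "Directly Applies To" list)
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $subjects

function Get-EffectivePasswordSettings {
    # Reports which PSO, if any, wins for a user. No PSO means the Default Domain
    # Policy settings are in effect (the equivalent of "View resultant password settings").
    param([string]$DisplayName)
    $user = Get-ADUser -Filter "Name -eq '$DisplayName'"
    if (-not $user) { return "$($DisplayName): user not found" }
    $result = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($result) { "$DisplayName -> PSO '$($result.Name)' (precedence $($result.Precedence))" }
    else         { "$DisplayName -> no PSO; Default Domain Policy settings apply" }
}

# The same two accounts the lab checks in steps 25 through 28
Get-EffectivePasswordSettings -DisplayName 'Brad Sutton'
Get-EffectivePasswordSettings -DisplayName 'Benno Kurmann'
```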

▶ Task 4: Implement administrative security policies

1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. In Active Directory Administrative Center, in the navigation pane, click Adatum (local).

3. In the Tasks pane, in the Adatum (local) section, click New, and then click Organizational Unit.

4. In the Create Organizational Unit dialog box, in the Name field, type Adatum Servers, and then
click OK.

5. In Active Directory Administrative Center, in the details pane, double-click Computers, select
LON-SVR1, and then press and hold the Shift key and click LON-SVR2. Both servers are now
selected.

6. In the Tasks pane, in the 2 items selected section, click Move.


7. In the Move dialog box, select Adatum Servers, and then click OK.

8. Close Active Directory Administrative Center.

9. In Server Manager, click Tools, and then click Group Policy Management.
10. In the Group Policy Management Console, under Forest: Adatum.com\Domains\Adatum.com,
locate and click to select Adatum Servers. Right-click Adatum Servers, and then click Create a GPO
in this domain, and Link it here.
11. In the New GPO dialog box, in the Name field, type Restricted Administrators on Member
Servers, and then click OK.

12. In the details pane, right-click the Restricted Administrators on Member Servers GPO, and then
click Edit.

13. In the Group Policy Management Editor window, expand Computer Configuration\Policies
\Windows Settings\Security Settings, click to select Restricted Groups, right-click Restricted
Groups, and then click Add Group.

14. In the Add Group dialog box, in the Group field, type Administrators, and then click OK.

15. In the Administrators Properties dialog box, click Add.


16. In the Add Member dialog box, click Browse.

17. In the Select Users, Service Accounts or Groups dialog box, in the Enter the object names to
select text box, type Domain Admins; IT, click Check Names, and then click OK.
18. In the Add Member dialog box, in the Members of this group section, add ;Administrator to the
string, and then click OK.

19. Verify that the Administrators Properties dialog box now shows the following in Members of this
group, and then click OK:

• ADATUM\Domain Admins
• ADATUM\IT

• Administrator

20. Close the Group Policy Management Editor window.

21. On LON-SVR1, from the Start screen, type cmd, and then click Command Prompt.

22. In the Administrator: Command Prompt window, type the following command, and then press Enter:

gpupdate /force

23. Wait until the command updates the Computer Policy and the User Policy.

24. On LON-SVR1, from Server Manager, click Tools, and then click Computer Management.
25. In Computer Management, expand System Tools\Local Users and Groups, and then click Groups.

26. Double-click Administrators, and then verify that ADATUM\Domain Admins, ADATUM\IT, and the
local Administrator are members of this group.
27. Close all open windows except for Server Manager.

28. Switch back to LON-DC1, and then switch to Group Policy Management.

29. In the Group Policy Management Console, expand Domain Controllers, right-click the Default
Domain Controllers Policy link, and then click Edit.
30. In the Group Policy Management Editor window, expand Computer Configuration\Policies
\Windows Settings\Security Settings, click to select Restricted Groups, right-click Restricted
Groups, and then click Add Group.

31. In the Add Group dialog box, in the Group field, type Server Operators, and then click OK.

32. In the Server Operators Properties dialog box, keep the default settings of This group should
contain no members, and then click OK.

33. Repeat the above steps for the Account Operators group.
34. Close the Group Policy Management Editor window and the Group Policy Management Console.
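The membership that Task 4 enforces can be checked from PowerShell rather than through Computer Management. The following script is an added example, not part of the course lab; the function names are mine, it assumes the lab names (domain ADATUM, member server LON-SVR1, the ActiveDirectory module on the DC) and, as an assumption, PowerShell 5.1 or later on the target so that Get-LocalGroupMember is available.

```powershell
# Added example, not part of the course lab: verifies the Restricted Groups
# outcome of Task 4 from PowerShell instead of through Computer Management.
# Assumes the lab names (domain ADATUM, member server LON-SVR1), the
# ActiveDirectory module on the DC, and PowerShell 5.1 or later on the target
# for Get-LocalGroupMember (an assumption; older targets need the ADSI route).
Import-Module ActiveDirectory

# Membership the "Restricted Administrators on Member Servers" GPO enforces (step 19).
# Restricted Groups is authoritative: any member not in this list is removed at refresh,
# so an "Extra" entry means the policy has not applied or was changed since it did.
$expectedAdmins = @('ADATUM\Domain Admins', 'ADATUM\IT', 'Administrator')

function Test-LocalAdministrators {
    param(
        [string]$ComputerName = 'LON-SVR1',
        [string[]]$Expected = $expectedAdmins
    )
    # Names come back as ADATUM\IT or LON-SVR1\Administrator.
    $actual = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    }
    # Drop the local machine prefix so 'LON-SVR1\Administrator' compares as 'Administrator'.
    $normalized = @($actual | ForEach-Object { $_ -replace "^$ComputerName\\", '' })

    $extra   = @($normalized | Where-Object { $_ -notin $Expected })
    $missing = @($Expected   | Where-Object { $_ -notin $normalized })
    [pscustomobject]@{
        Computer  = $ComputerName
        Compliant = ($extra.Count -eq 0 -and $missing.Count -eq 0)
        Extra     = $extra
        Missing   = $missing
    }
}

function Test-EmptyOperatorGroups {
    # Steps 31 to 33 set Server Operators and Account Operators to "contain no members"
    # through the Default Domain Controllers Policy; these are domain groups, so query AD.
    param([string[]]$Groups = @('Server Operators', 'Account Operators'))
    foreach ($g in $Groups) {
        $members = @(Get-ADGroupMember -Identity $g)
        [pscustomobject]@{ Group = $g; MemberCount = $members.Count; Empty = ($members.Count -eq 0) }
    }
}

Test-LocalAdministrators | Format-List
Test-EmptyOperatorGroups | Format-Table -AutoSize
```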

Task 5: Implement administrative auditing

1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com\Domains,
Adatum.com\Group Policy Objects, select the Default Domain Controllers Policy, right-click
Default Domain Controllers Policy, and then click Edit.

3. In the Group Policy Management Editor window, expand Computer Configuration\Policies
\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies, and
then click to select DS Access.
4. In the details pane, double-click Audit Directory Services Changes.

5. In the Audit Directory Services Changes Properties dialog box, select Configure the following
audit events, select the Success check box, and then click OK.
6. In the navigation pane, navigate to Computer Configuration\Policies\Windows Settings
\Security Settings\Advanced Audit Policy Configuration\Audit Policies, and then click to select
Account Management.
7. In the details pane, double-click Audit Security Group Management.

8. In the Audit Security Group Management dialog box, select Configure the following audit
events, select the Success check box, and then click OK.
9. In the navigation pane, navigate to Computer Configuration\Policies\Windows Settings
\Security Settings\Local Policies, click to select Security Options, and then double-click the Audit:
Force audit policy subcategory settings (Windows Vista or later) to override audit policy
category settings.

10. In the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit
policy category settings dialog box, select Define this policy setting, ensure that Enabled is
selected, and then click OK.

11. Close the Group Policy Management Editor window and the Group Policy Management Console.

12. On LON-DC1, from the Start screen, type cmd, and then click Command Prompt.
13. In the Administrator: Command Prompt window, type the following command, and then press Enter:

gpupdate /force

14. From Server Manager, click Tools, and then click Active Directory Users and Computers.

15. In Active Directory Users and Computers, from the View menu, enable the Advanced Features view.
Active Directory® Services with Windows Server® L3-15

16. In the navigation pane, click to select Adatum.com, right-click Adatum.com, and then click
Properties.

17. In the Adatum.com Properties dialog box, on the Security tab, click Advanced.
18. In the Advanced Security Settings for Adatum dialog box, on the Auditing tab, double-click the
Success auditing entry for Everyone with Special access, which applies to This object only.

19. In the Auditing Entry for Adatum dialog box, in the Applies to drop-down list box, select This
object and all descendant objects.

20. Click OK three times to close all open dialog boxes.

21. In Active Directory Users and Computers, in the navigation pane, if necessary, expand Adatum.com,
and then click to select Users.

22. In the details pane, double-click Domain Admins.

23. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.

24. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter
the object names to select text box, type Benno, click Check Names, and then click OK twice.

25. In Active Directory Users and Computers, in the navigation pane, click to select Marketing.
26. In the details pane, double-click Anna Bedecs.
27. In the Anna Bedecs Properties dialog box, on the Address tab, in the City text box, select London,
type Birmingham, and then click OK.

28. Close Active Directory Users and Computers.


29. In Server Manager, click Tools, and then click Event Viewer.

30. In Event Viewer, expand Windows Logs, and then click Security.

31. In the details pane, search for the most recent Event ID 4728, and then double-click the event.
32. In the Event Properties – Event 4728, Microsoft Windows security auditing dialog box, you get
the message “A member was added to a security-enabled global group.” You can see that
ADATUM\Administrator invoked the change and that ADATUM\Benno was added to the
ADATUM\Domain Admins group.

33. In Event Viewer, in the Windows Logs\Security Log node, search for the two most recent events with
Event ID 5136, and then double-click the older of the two events.

34. In the Event Properties – Event 5136, Microsoft Windows security auditing dialog box, you will
get a message “A directory service object was modified.” You can see that ADATUM\Administrator
has modified the user object cn=Anna Bedecs and deleted the value London. On the right side of the
dialog box, click the Up Arrow to move to the next event.

• In the Event Properties details, you can see that ADATUM\Administrator modified Anna Bedecs
and added the value Birmingham.

35. Close all open windows except for Server Manager.
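The same events that steps 29 to 34 have you locate in Event Viewer can be pulled from the Security log and decoded in one pass. The script below is an added example, not part of the course lab; the function names are mine, and it assumes it runs on LON-DC1 after the audit policy from steps 1 to 13 is in effect and uses the lab's account names.

```powershell
# Added example, not part of the course lab: pulls the events Task 5 has you
# inspect in Event Viewer (4728 member added to a global group, 5136 directory
# object modified) from the Security log and returns the fields the lab has
# you read by hand. Run on LON-DC1 once the audit policy from steps 1 to 13 is
# in effect; domain and account names are the lab's.

function ConvertTo-EventDataTable {
    # Turns one event's <EventData> section into a name -> value hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $table = @{}
    foreach ($item in $xml.Event.EventData.Data) { $table[$item.Name] = $item.'#text' }
    return $table
}

function Get-GroupMembershipAdditions {
    # 4728 covers security-enabled global groups such as Domain Admins; 4732 and 4756
    # are the same event for domain-local and universal groups (e.g. Administrators).
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataTable $_
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Actor  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Group  = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Member = $d.MemberName      # distinguished name of the added account
            }
        }
}

function Get-DirectoryObjectModifications {
    # 5136 is logged per attribute value. Replacing City produced two events in the lab:
    # a "Value Deleted" for London followed by a "Value Added" for Birmingham.
    param([int]$MaxEvents = 50)
    $operation = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataTable $_
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object    = $d.ObjectDN
                Attribute = $d.AttributeLDAPDisplayName
                Value     = $d.AttributeValue
                Operation = $operation[$d.OperationType]
            }
        }
}

# Review list: additions to the most privileged groups, such as Benno joining Domain Admins.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
Get-GroupMembershipAdditions |
    Where-Object { ($_.Group -split '\\')[-1] -in $privilegedGroups } |
    Format-Table -AutoSize

# The City change on cn=Anna Bedecs; 'l' is the LDAP display name of the City field.
Get-DirectoryObjectModifications |
    Where-Object { $_.Attribute -eq 'l' } |
    Sort-Object Time |
    Format-Table Time, Actor, Operation, Value, Object -AutoSize
```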

Results: After this exercise, you will have identified and configured the security policies for A. Datum.

Exercise 2: Deploying and Configuring an RODC


Task 1: Stage a delegated installation of an RODC

Preparation
To pre-stage a read-only domain controller (RODC) account, the computer name must not be in use in
the domain. Therefore, we first need to remove LON-SVR1 from the domain:

1. On LON-SVR1, in Server Manager, on the left side, click Local Server.


2. In the Properties for LON-SVR1 section, click the domain Adatum.com.

3. In the System Properties dialog box, click Change.

4. In the Computer Name/Domain Changes dialog box, in the Member of section, select Workgroup,
type MUNICH, and then click OK.
5. In the Computer Name/Domain Changes dialog box, click OK.

6. In the Computer Name/Domain Changes dialog box, you will see the following message: “Welcome
to the MUNICH workgroup.” Click OK.

7. In the Computer Name/Domain Changes dialog box, you will see the following message: “You must
restart your computer to apply these changes.” Click OK.
8. In the System Properties dialog box, click Close.

9. In the Microsoft Windows dialog box, click Restart Now.

10. Sign in as:


• User name: Administrator
• Password: Pa$$w0rd

11. Switch to LON-DC2. In Server Manager, click Tools, and then click Active Directory Users and
Computers.
12. In the navigation pane, expand Adatum.com, click to select Adatum Servers, right-click LON-SVR1,
and then click Delete.

13. In the Active Directory Domain Services dialog box, confirm the deletion by clicking Yes.

14. In the Confirm Subtree Deletion dialog box, click Yes.

Stage a delegated installation of an RODC


1. On LON-DC2, in Server Manager, click Tools, and then click Active Directory Sites and Services.
2. In Active Directory Sites and Services, in the navigation pane, click Sites. From the Action menu, click
New Site.

3. In the New Object – Site dialog box, in the Name field, type Munich, select the
DEFAULTIPSITELINK site link object, and then click OK.

4. In the Active Directory Domain Services dialog box, click OK.

5. Switch to Server Manager, click Tools, and then click Active Directory Administrative Center.

6. In Active Directory Administrative Center, in the navigation pane, click Adatum (local), and then in
the details pane, double-click the Domain Controllers OU.

7. In the Tasks pane, in the Domain Controllers section, click Pre-create a Read-only domain
controller account.

8. In the Active Directory Domain Services Installation Wizard, on the Welcome to the Active
Directory Domain Services Installation Wizard page, click Next.

9. On the Network Credentials page, click Next.


10. On the Specify the Computer Name page, type the computer name LON-SVR1, and then click
Next.

11. On the Select a Site page, click Munich, and then click Next.

12. On the Additional Domain Controller Options page, accept the default selections of DNS Server
and Global Catalog, and then click Next.

13. On the Delegation of RODC Installation and Administration page, click Set.

14. In the Select User or Group dialog box, in the Enter the object name to select field, type Thorsten,
and then click Check Names.

15. Verify that Thorsten Scholl is resolved, and then click OK.
16. On the Delegation of RODC Installation and Administration page, click Next.
17. On the Summary page, review your selections, and then click Next.

18. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

Task 2: Run the Active Directory Domain Services Installation Wizard on an RODC to
complete the deployment process
1. Switch to LON-SVR1. From Server Manager, click Manage, and then click Add Roles or Features.
2. In the Add Roles or Features Wizard, on the Before You Begin page, click Next.

3. On the Select installation type page, accept the default of Role-based or feature-based
installation, and then click Next.
4. On the Select destination server page, accept the default with LON-SVR1 being selected, and then
click Next.
5. On the Select server roles page, in the Roles list, select Active Directory Domain Services.

6. In the Add Roles and Features Wizard, accept to install the features and management tools, click Add
Features, and then click Next.

7. On the Select features page, click Next.


8. On the Active Directory Domain Services page, click Next.

9. On the Confirm installation selections page, click Install.


10. Wait until the role has been installed. You can click Close at any time, but monitor the Notification
icon in Server Manager.

11. When the installation of the new role is finished, click the Notification icon for notifications.

12. In the Post-deployment Configuration message box, click Promote this server to a domain
controller.

13. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration
page, leave the default to Add a domain controller to an existing domain.
14. In the Supply the credentials to perform this operation section, click Change.

15. In the Windows Security dialog box, enter the following credentials:

• User name: Adatum\Thorsten

• Password: Pa$$w0rd

16. Under Specify the domain information for this operation, click Select, then select the domain
Adatum.com, click OK, and then click Next.

17. You will receive a notification that an RODC account that matches the name of the server exists in the
directory.
18. On the Domain Controller Options page, accept the default to Use existing RODC account, type
Pa$$w0rd in the Password and Confirm password fields, and then click Next.

19. On the Additional Options page, accept the defaults, and then click Next.

20. On the Paths page, accept the defaults, and then click Next.

21. On the Review Options page, review your options, and then click Next.

22. After the prerequisites check has been performed, click Install.
23. The computer will configure AD DS and restart, but you can proceed to the next task.

Task 3: Configure the domain-wide password replication policy


1. Switch to LON-DC2. In Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. In Active Directory Administrative Center, in the navigation pane, click Adatum (local).

3. In the details pane, double-click IT.


4. Locate the IT group, right-click the group, and then click Add to another group.
5. In the Select Groups dialog box, in the Enter the object names to select text box, type denied, and
then click Check Names.
6. Verify that the name of the group is expanded to Denied RODC Password Replication Policy
Group, and then click OK.

Note: The members of the IT group have elevated permissions, so storing their password
on an RODC would be a security risk. Therefore, we add the IT group to the global Deny List,
which applies to every RODC in the domain.

7. Close Active Directory Administrative Center.

Task 4: Create a group to manage password replication to the branch office RODC
1. Switch to Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In the navigation pane, expand Adatum.com, and then click Users.

3. On the Action menu, click New, and then click Group.


4. In the New Object – Group dialog box, type the group name Munich Allowed RODC Password
Replication Group, click OK, and then double-click the Munich Allowed RODC Password
Replication Group.

5. On the Members tab, click Add.

6. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter
the object names to select text box, type Anne, and then click Check Names.

7. In the Multiple Names Found dialog box, select Anne-Mette Stolze, and then click OK.

8. In the Select Users, Contacts, Computers, Service Accounts or Groups dialog box, click OK, and
then click OK in the Munich Allowed RODC Password Replication Group Properties dialog box.
9. Close Active Directory Users and Computers.

10. In Active Directory Administrative Center, from the Domain Controllers OU, view the Properties for
LON-SVR1.

11. In the Extensions section, on the Password Replication Policy tab, click Add.
12. In the Add Groups, Users and Computers dialog box, select Allow passwords for the account to
replicate to this RODC, and then click OK.

13. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select text box, type Munich, click Check Names, and then click OK.

14. In the LON-SVR1 dialog box, click OK to close the dialog box.

Task 5: Evaluate the resultant password replication policy


1. In Active Directory Administrative Center, in the Tasks pane, in the LON-SVR1 section, click
Properties.

2. In the Properties of LON-SVR1, in the Extensions section, on the Password Replication Policy tab,
click Advanced.

3. Note that this dialog box shows all accounts whose passwords are stored on the RODC.

4. Select Accounts that have been authenticated to this Read-only Domain Controller, and then
note that this list shows only accounts that have the required permissions and have already been
authenticated by this RODC.

5. Click the Resultant Policy tab, and then add Anne-Mette Stolze. Note that Anne-Mette has a
resultant policy of Allow.

6. Close all open dialog boxes.
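Tasks 3 to 5 can also be done with the ActiveDirectory module, and the Resultant Policy shown on the tab in Task 5 can be reproduced from the Allowed and Denied lists. The script below is an added example, not part of the course lab; the function name is mine, and it assumes the lab's names (RODC LON-SVR1, groups IT and Munich Allowed RODC Password Replication Group, user Anne-Mette Stolze in the Users container of Adatum.com).

```powershell
# Added example, not part of the course lab: does Tasks 3 to 5 with the
# ActiveDirectory module and works out a user's resultant password replication
# policy the way the Resultant Policy tab does. Assumes the lab's names: RODC
# LON-SVR1, groups IT and "Munich Allowed RODC Password Replication Group", and
# user Anne-Mette Stolze in the Users container of Adatum.com.
Import-Module ActiveDirectory

$rodc        = 'LON-SVR1'
$branchGroup = 'Munich Allowed RODC Password Replication Group'
$user        = Get-ADUser -Filter "Name -eq 'Anne-Mette Stolze'"

# Task 3: IT holds elevated rights, so add it to the domain-wide deny group, which is on
# every RODC's default denied list (a cached IT password on a branch RODC is a risk).
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members 'IT'

# Task 4: a per-branch allow group, attached only to this RODC's policy.
if (-not (Get-ADGroup -Filter "Name -eq '$branchGroup'")) {
    New-ADGroup -Name $branchGroup -GroupScope Global -Path 'CN=Users,DC=Adatum,DC=com'
}
Add-ADGroupMember -Identity $branchGroup -Members $user
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $branchGroup

function Get-RodcResultantPolicy {
    # Deny wins over Allow, and membership is evaluated through nested groups, so a user
    # in IT stays Deny even if IT were also added to the branch allow group.
    param([string]$Rodc, [Microsoft.ActiveDirectory.Management.ADUser]$User)
    # LDAP_MATCHING_RULE_IN_CHAIN returns every group the user is in, directly or nested.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($User.DistinguishedName))"
    $principals = @($User.SamAccountName) + @($groups | ForEach-Object SamAccountName)

    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | ForEach-Object SamAccountName)
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | ForEach-Object SamAccountName)

    if ($principals | Where-Object { $_ -in $denied })  { return 'Deny' }
    if ($principals | Where-Object { $_ -in $allowed }) { return 'Allow' }
    return 'Deny (implicit)'   # on neither list: the RODC never caches the password
}

# Task 5: what the Advanced button shows, plus the computed resultant policy.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts       # passwords stored on the RODC
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts  # accounts that authenticated through it
Get-RodcResultantPolicy -Rodc $rodc -User $user   # Allow for Anne-Mette, as in the lab
```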

Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps 2 and 3 for 10969B-LON-DC2 and 10969B-LON-SVR1.

Results: After this exercise, you will have deployed and configured an RODC.

Module 4: Implementing and Administering AD DS Sites and Replication

Lab: Implementing AD DS Sites and Replication

Exercise 1: Creating Subnets and Sites

Task 1: Rename the default site
1. If necessary, on LON-DC1, open the Server Manager console.

2. In Server Manager, click Tools, and then click Active Directory Sites and Services.
3. In Active Directory Sites and Services, in the navigation pane, expand Sites.

4. Right-click Default-First-Site-Name, and then click Rename.

5. Type LondonHQ, and then press Enter.


6. Expand LondonHQ, expand the Servers folder, and then verify that LON-DC1 and LON-DC2 both
belong to the LondonHQ site.

Task 2: Configure IP subnets that are associated with the default site

1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.

2. In the Windows PowerShell command-line interface, use the following command to create a new
subnet:

o New-ADReplicationSubnet -Name 172.16.0.0/24 -Site LondonHQ

Task 3: Create the site for the Toronto location

1. On LON-DC1, use the following Windows PowerShell command to create a new site:

o New-ADReplicationSite -Name Toronto

2. On LON-DC1, use the following Windows PowerShell command to create a new site:

o New-ADReplicationSite -Name Test

Task 4: Configure IP subnets that are associated with the Toronto site

1. On LON-DC1, in Windows PowerShell, use the following command to create a new subnet:

o New-ADReplicationSubnet -Name 172.16.1.0/24 -Site Toronto

2. In Windows PowerShell, use the following command to create a new subnet:

o New-ADReplicationSubnet -Name 172.16.100.0/24 -Site Test

3. Switch to Active Directory Sites and Services. In the navigation pane, click the Subnets folder. Verify
in the details pane that the three subnets have been created and associated with their appropriate
site.

Note: You might need to press F5 to refresh the display to see the new subnets.

Results: After completing this exercise, you will have reconfigured the default site and assigned IP address
subnets to the site. Additionally, you will have created two additional sites representing the IP subnet
addresses located in Toronto.

Exercise 2: Deploying an Additional Domain Controller


Task 1: Install the Toronto domain controller
1. On TOR-DC1, in Server Manager, click Manage, and from the drop-down list, click Add Roles and
Features.

2. On the Before you begin page, click Next.

3. On the Select installation type page, confirm that Role-based or feature-based installation is
selected, and then click Next.

4. On the Select destination server page, ensure that Select a server from the server pool is
selected, and that TOR-DC1.adatum.com is highlighted, and then click Next.

5. On the Select server roles page, click Active Directory Domain Services.

6. On the Add features that are required for Active Directory Domain Services? page, click Add
Features, and then click Next.
7. On the Select features page, click Next.

8. On the Active Directory Domain Services page, click Next.

9. On the Confirm installation selections page, click Install. It is not necessary to close this window.
10. When the AD DS binaries have installed, click the blue Promote this server to a domain controller
link.

11. In the Deployment Configuration window, click Add a domain controller to an existing domain,
and then click Next.

12. In the Domain Controller Options window, ensure that the Domain Name System (DNS) server and
Global Catalog (GC) check boxes are selected.

13. Next to Site name select LondonHQ, and then under Type the Directory Services Restore Mode
(DSRM) password, type Pa$$w0rd in both the Password and Confirm password boxes, and then
click Next.

Note: Although you simply could add the domain controller to the Toronto site at this
point, we will move it later so that you can see that process.

14. On the DNS Options page, click Next.

15. On the Additional Options page, click Next.

16. On the Paths page, click Next.

17. On the Review Options page, click Next.

18. On the Prerequisites Check page, confirm that there are no issues, and then click Install. The server
will restart automatically.

19. After TOR-DC1 restarts, sign in as Adatum\Administrator with password Pa$$w0rd.

Results: After completing this exercise, you will have deployed a new domain controller.

Exercise 3: Configuring AD DS Replication


Task 1: Configure site links between the AD DS sites
1. If necessary, on LON-DC1, switch to Active Directory Sites and Services.

2. In the Active Directory Sites and Services console, in the navigation pane, expand Sites, expand
Inter-Site Transports, and then click the IP folder.

3. Right-click IP, and then click New Site Link.

4. In the New Object – Site Link dialog box, next to Name, type TOR-TEST.

5. Under Sites not in this site link, press Ctrl on the keyboard, click Toronto, click Test, click Add, and
then click OK.
6. Right-click TOR-TEST, and then click Properties.

7. In the TOR-TEST Properties dialog box, click Change Schedule.

8. In the Schedule for TOR-TEST dialog box, highlight the range from Monday 9am to Friday 3pm,
and then click Replication Not Available.

Note: We will not change the schedule. Due to time zone variations between classes, this
might adversely affect the lab.

9. Click Cancel, and then click OK to close the TOR-TEST Properties dialog box.

10. Right-click DEFAULTIPSITELINK, and then click Rename.

11. Type LON-TOR, and then press Enter.

12. Right-click LON-TOR, and then click Properties.


13. Under Sites not in this site link, click Toronto, and then click Add.

14. Next to Replicate Every, change the value to 60 minutes, and then click OK.

Task 2: Move the TOR-DC1 domain controller to the Toronto site


1. On LON-DC1, in Active Directory Sites and Services, in the navigation pane, expand Sites, expand
LondonHQ, and then expand the Servers folder.

Note: You might need to refresh the list of sites by pressing F5.

2. Right-click TOR-DC1, and then click Move.

3. In the Move Server dialog box, click Toronto, and then click OK.

4. In the navigation pane, expand the Toronto site, expand Servers, and then click TOR-DC1.

Task 3: Monitor AD DS site replication


1. On LON-DC1, switch to Windows PowerShell.

2. At the Windows PowerShell command prompt, type the following, and then press Enter:

Repadmin /kcc

This command recalculates the inbound replication topology for the server.

3. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Repadmin /showrepl

4. Verify that the last replication with TOR-DC1 was successful.

5. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Repadmin /bridgeheads

This command displays the bridgehead servers for the site topology.

6. At the Windows PowerShell command prompt, type the following, and then press Enter:

Repadmin /replsummary

This command displays a summary of replication tasks. Verify that no errors appear.

7. At the Windows PowerShell command prompt, type the following, and then press Enter:

DCDiag /test:replications

8. Verify that all connectivity and replication tests pass successfully. You may see errors with LON-DC2. If
this is the case, you may ignore them.
9. Switch to TOR-DC1, and then repeat steps 1 through 8 to view information from TOR-DC1. For step 4,
verify that the last replication with LON-DC1 was successful. You may see errors with LON-DC2. If this
is the case, you may ignore them.
10. Switch to LON-DC1, and at the Windows PowerShell command prompt, type the following, and then
press Enter:

Get-ADReplicationPartnerMetadata -target lon-dc1.Adatum.com | format-table lastreplicationattempt,lastreplicationresult,partner -auto

11. Verify that all connectivity and replication tests pass successfully. You may see errors with LON-DC2. If
this is the case, you may ignore them.

Results: After completing this exercise, you will have configured site links and monitored replication.

Exercise 4: Troubleshooting AD DS Replication


Task 1: Read the help desk Incident Record
• Read help desk Incident Record 603612.

Task 2: Update the Plan of Action section in the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section in the Incident Record with your recommendations:

o Use Repadmin.exe and Windows PowerShell cmdlets to verify the current replication topology
and status.
o Visit the TOR-DC1 computer and check computer configuration that might relate to Domain
Name System (DNS) errors.

Task 3: Simulate and verify the problem


1. Switch to the TOR-DC1 computer.

2. Run the D:\Labfiles\Mod04\Scenario1.vbs script. The script will run silently and then restart the
computer.
3. Switch to LON-DC1.

Task 4: Attempt to resolve the problem

1. On LON-DC1, in Active Directory Sites and Services, expand Sites, expand Toronto, expand Servers,
expand TOR-DC1, click NTDS Settings, right-click NTDS Settings, point to All Tasks, and then click
Check Replication Topology.

2. Click OK to the error message.

3. On LON-DC1, switch to Windows PowerShell.

4. Use the following commands to investigate site replication:

Repadmin /showrepl

Determine if the last replication with TOR-DC1 was successful.

Repadmin /replsummary

This command displays a summary of replication tasks. Determine whether errors appear.

DCDiag /test:replications

Determine if there were any problems with replication.


5. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-ADReplicationPartnerMetadata -target lon-dc1.Adatum.com | format-table lastreplicationattempt,lastreplicationresult,partner -auto

6. Determine if there are any problems. Repeat these commands on TOR-DC1.


7. Update the Incident Details section of the Incident Record with your findings.

8. Switch to TOR-DC1.

9. Right-click Start and then click Network Connections.


10. Right-click Ethernet, and then click Properties.

11. Double-click Internet Protocol Version 4 (TCP/IPv4).

12. Reconfigure the settings, and then click OK twice:


o IP Address: 172.16.1.100

o Subnet mask: 255.255.0.0

o Default gateway: 172.16.0.1


13. Right-click Ethernet and then click Disable.

14. Right-click Ethernet and then click Enable.



15. On LON-DC1, use the following commands to investigate site replication. When you have completed
the tests, switch to TOR-DC1 and repeat them.

Repadmin /showrepl

Determine if the last replication with TOR-DC1 was successful.

Repadmin /replsummary

This command displays a summary of replication tasks. Determine whether errors still appear. You
may see errors with LON-DC2. If this is the case, you may ignore them.

DCDiag /test:replications

Determine if there are still any problems with replication. If you continue to receive errors (other than
with LON-DC2), try restarting LON-DC1 and then TOR-DC1. Then, repeat the tests.

16. Update the Resolution section of the Incident Record with your conclusion:

o A subnet addressing problem resulted in the TOR-DC1 domain controller being inaccessible from
the LON-DC1 domain controller because the DNS record for TOR-DC1 was incorrect.
o Changed the IP configuration to match the actual subnet and restarted TOR-DC1.

o Verified the replication topology and status.
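The replication checks in Exercise 3, Task 3 and the subnet and DNS fault diagnosed in Exercise 4 can be turned into one repeatable health check. The script below is an added example, not part of the course lab; the function names are mine, it handles IPv4 subnets only, and it assumes the Adatum.com forest, the ActiveDirectory module and Resolve-DnsName from the DnsClient module (Windows Server 2012 or later).

```powershell
# Added example, not part of the course lab: a health check for the monitoring
# steps of Exercise 3 and the subnet fault of Exercise 4. It reports each
# partner's last replication result and then checks, for every domain controller,
# that its registered IPv4 address lies in a subnet assigned to the site the DC
# object sits in and that DNS resolves the DC name to that address. Assumes the
# Adatum.com forest, the ActiveDirectory module and the DnsClient module.
Import-Module ActiveDirectory

function Get-ReplicationStatus {
    # What "Repadmin /showrepl" and Get-ADReplicationPartnerMetadata show, for every DC
    # at once. LastReplicationResult is a Win32 error code; 0 is success.
    $targets = Get-ADDomainController -Filter * | ForEach-Object HostName
    Get-ADReplicationPartnerMetadata -Target $targets -Scope Server |
        Select-Object Server, Partner, LastReplicationAttempt, LastReplicationSuccess,
            LastReplicationResult, @{ n = 'Healthy'; e = { $_.LastReplicationResult -eq 0 } }
}

function ConvertTo-IPv4Integer {
    # Dotted quad -> integer (big-endian), e.g. 172.16.1.100 -> 2886729060.
    param([string]$Address)
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Test-IPv4InSubnet {
    # True when $Address is inside the CIDR block $Cidr (the AD subnet object's name).
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    if ($network -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $false }   # IPv4 subnets only
    # Mask with the top $prefix bits set, as an integer: 0xFFFFFFFF minus the host part.
    $mask = 4294967295 - ([int64][math]::Pow(2, 32 - [int]$prefix) - 1)
    return ((ConvertTo-IPv4Integer $Address) -band $mask) -eq ((ConvertTo-IPv4Integer $network) -band $mask)
}

function Test-DomainControllerSiteConsistency {
    # A DC whose address falls outside its site's subnets, or whose DNS record points
    # elsewhere, is what the Exercise 4 incident looks like from the London side.
    $subnets = Get-ADReplicationSubnet -Filter *
    foreach ($dc in Get-ADDomainController -Filter *) {
        $matching = @($subnets | Where-Object { $_.Site -and (Test-IPv4InSubnet -Address $dc.IPv4Address -Cidr $_.Name) })
        # Site is stored as a DN such as CN=Toronto,CN=Sites,CN=Configuration,DC=Adatum,DC=com.
        $siteBySubnet = if ($matching) { ($matching[0].Site -split ',')[0] -replace '^CN=' } else { $null }
        $dnsAddresses = @(Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue | ForEach-Object IPAddress)
        [pscustomobject]@{
            DC           = $dc.Name
            IPv4         = $dc.IPv4Address
            SiteInAD     = $dc.Site
            SiteBySubnet = $siteBySubnet
            DnsMatches   = ($dnsAddresses -contains $dc.IPv4Address)
            Consistent   = ($siteBySubnet -eq $dc.Site) -and ($dnsAddresses -contains $dc.IPv4Address)
        }
    }
}

Get-ReplicationStatus | Format-Table -AutoSize
Test-DomainControllerSiteConsistency | Format-Table -AutoSize
```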

Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 10969B-TOR-DC1 and 10969B-LON-DC2.

Results: After completing this exercise, you will have resolved an AD DS replication problem successfully.

Module 5: Implementing Group Policy

Lab: Implementing and Troubleshooting a Group Policy Infrastructure

Exercise 1: Creating and Configuring GPOs

Task 1: Create and edit a Group Policy Object (GPO)
1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.

2. In the console tree, expand Forest: Adatum.com, Domains, and Adatum.com, and then click the
Group Policy Objects container.
3. In the console tree, right-click the Group Policy Objects container, and then click New.

4. In the Name field, type ADATUM Standards, and then click OK.

5. In the details pane of the Group Policy Management Console, right-click the ADATUM Standards
GPO, and then click Edit.
6. In the console tree, expand User Configuration, expand Policies, expand Administrative
Templates, and then click System.
7. Double-click the Don’t run specified Windows applications policy setting.

8. In the Don’t run specified Windows applications dialog box, click Enabled.

9. Click Show, and in the Show Contents dialog box, in the Value list, type notepad.exe, and then
click OK.

10. In the Don’t run specified Windows applications dialog box, click OK.

11. In the console tree, expand User Configuration, expand Policies, expand Administrative
Templates, expand Control Panel, and then click Personalization.
12. In the details pane, click the Screen saver timeout policy setting.

13. Double-click the Screen saver timeout policy setting, and then click Enabled.

14. In the Seconds box, type 600, and then click OK.
15. Double-click the Password protect the screen saver policy setting, click Enabled, and then click OK.

16. Close the Group Policy Management Editor window.

Task 2: Link the GPO


1. In the Group Policy Management Console tree, right-click the Adatum.com domain, and then click
Link an Existing GPO.

2. In the Select GPO dialog box, click ADATUM Standards, and then click OK.
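The three settings from Task 1 and the link from Task 2 can be produced with the GroupPolicy module, which writes the registry values that the Administrative Template settings map to. The script below is an added example, not part of the course lab; the function name is mine, and it assumes the lab domain Adatum.com and the GroupPolicy module on LON-DC1.

```powershell
# Added example, not part of the course lab: creates, configures and links the
# ADATUM Standards GPO from Exercise 1 with the GroupPolicy module. The values are
# the registry entries behind the three Administrative Template settings used in
# Task 1, so the editor shows them as those settings. Assumes Adatum.com and the
# GroupPolicy module on LON-DC1.
Import-Module GroupPolicy

$gpoName = 'ADATUM Standards'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# User Configuration > Policies > Administrative Templates > System >
# "Don't run specified Windows applications" (Enabled, list = notepad.exe)
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
# The blocked programs are numbered string values under the DisallowRun subkey.
Set-GPRegistryValue -Name $gpoName -Key "$explorer\DisallowRun" -ValueName '1' -Type String -Value 'notepad.exe' | Out-Null

# User Configuration > Policies > Administrative Templates > Control Panel > Personalization
$desktop = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# "Screen saver timeout" stores its seconds value as a string; 600 = 10 minutes, as in step 14.
Set-GPRegistryValue -Name $gpoName -Key $desktop -ValueName 'ScreenSaveTimeOut' -Type String -Value '600' | Out-Null
# "Password protect the screen saver" (Enabled), step 15.
Set-GPRegistryValue -Name $gpoName -Key $desktop -ValueName 'ScreenSaverIsSecure' -Type String -Value '1' | Out-Null

# Task 2: link the GPO at the domain root (ignore the error if the link already exists).
New-GPLink -Name $gpoName -Target 'DC=Adatum,DC=com' -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

function Get-GpoSummary {
    # Reads the configured values back so the result can be checked without the editor.
    param([string]$Name)
    [pscustomobject]@{
        DisallowRun = (Get-GPRegistryValue -Name $Name -Key $explorer -ValueName 'DisallowRun').Value
        Blocked     = @(Get-GPRegistryValue -Name $Name -Key "$explorer\DisallowRun" | ForEach-Object Value)
        TimeoutSec  = (Get-GPRegistryValue -Name $Name -Key $desktop -ValueName 'ScreenSaveTimeOut').Value
        Secure      = (Get-GPRegistryValue -Name $Name -Key $desktop -ValueName 'ScreenSaverIsSecure').Value
        LinkedAt    = @((Get-GPInheritance -Target 'DC=Adatum,DC=com').GpoLinks |
                        Where-Object { $_.DisplayName -eq $Name } | ForEach-Object Target)
    }
}
Get-GpoSummary -Name $gpoName
```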

Task 3: View the effects of the GPO’s settings


1. Switch to LON-CL1, and then sign in as Adatum\Administrator with password Pa$$w0rd.
2. From Start, type Control Panel, and then press Enter.

3. Click System and Security, and then click Allow an app through Windows Firewall.

4. In the Allowed apps and features list, select the following check boxes and then click OK.

o Remote Event Log Management

o Remote Service Management

o Windows Remote Management

5. Sign out, and then sign in as Adatum\Pat with password Pa$$w0rd.

6. On the Start screen, click the Desktop tile.

7. Right-click the desktop, and then click Personalize.

8. Click Screen Saver. Notice that the Wait box is disabled—you cannot change the timeout. Notice
that the On resume, display logon screen check box is selected and disabled, and that you cannot
change the settings.

9. Click OK to close the Screen Saver Settings dialog box.

10. Click Start.

11. Under the Desktop tile, click the arrow.


12. In the Apps list, click Notepad. Notepad does not open.

Results: After this exercise, you should have created, edited, and linked the required GPOs successfully.

Exercise 2: Managing GPO Scope


Task 1: Create and link the required GPOs
1. On LON-DC1, switch to Server Manager, click Tools, and then click Active Directory Users and
Computers.
2. In the console tree, expand the Adatum.com domain, and then click the Research organizational
unit (OU).

3. Right-click the Research OU, point to New, and then click Organizational Unit.
4. Type Engineers, and then click OK.

5. Close Active Directory Users and Computers.

6. Switch to the Group Policy Management Console.

7. In the console tree, expand Forest: Adatum.com, expand Domains, expand Adatum.com, expand
Research, and then click the Engineers OU.

8. Right-click the Engineers OU, and then click Create a GPO in this domain, and Link it here.

9. Type Engineering Application Override, and then click OK.

10. Right-click the Engineering Application Override GPO, and then click Edit.

11. In the console tree, expand User Configuration, expand Policies, expand Administrative
Templates, expand Control Panel, and then click Personalization.

12. Double-click the Screen saver timeout policy setting.


13. Click Disabled, and then click OK.
14. Close the Group Policy Management Editor window.

Task 2: Verify the order of precedence


1. In the Group Policy Management Console tree, click the Engineers OU.

2. Click the Group Policy Inheritance tab. Notice that the Engineering Application Override GPO has
higher precedence than the ADATUM Standards GPO. The screen saver timeout policy setting that
you just configured in the Engineering Application Override GPO is applied after the setting in the
ADATUM Standards GPO. Therefore, the new setting will overwrite the standards setting and will
prevail. Screen saver timeout will be disabled for users within the scope of the Engineering
Application Override GPO.

▶ Task 3: Configure the scope of a GPO with security filtering


1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Users and
Computers.

2. In the console tree, if necessary, expand the Adatum.com domain and the Research OU, and then
click the Engineers OU.

3. Right-click the Engineers OU, point to New, and then click Group.

4. Type GPO_Engineering Application Override_Apply, and then press Enter.


5. Switch to the Group Policy Management Console.

6. In the console tree, if required, expand the Engineers OU, and then double-click the Engineering
Application Override GPO under the Engineers OU. A message appears.

7. Read the message, select the Do not show this message again check box, and then click OK. In the
Security Filtering section, you will see that the GPO applies by default to all authenticated users.
8. In the Security Filtering section, click Authenticated Users.
9. Click Remove. A confirmation prompt appears. Click OK.

10. In the details pane, click Add.

11. In the Select User, Computer, or Group dialog box, in the Enter the object name to select
(examples): box, type GPO_Engineering Application Override_Apply, and then press Enter.

12. Switch to Active Directory Users and Computers.


13. In the console tree, expand the Adatum.com domain, and then click the Users folder.

14. Right-click Users, point to New, and then click Group.

15. Type GPO_ADATUM Standards_Exempt, and then press Enter.

16. Switch to the Group Policy Management Console.

17. In the console tree, click the Adatum.com domain object, and then double-click the Adatum
Standards GPO. In the Security Filtering section, notice that the GPO applies by default to all
authenticated users.

18. Click the Delegation tab, and then click Advanced. The ADATUM Standards Security Settings
dialog box appears.

19. Click Add. The Select Users, Computers, Service Accounts, or Groups dialog box appears.

20. In the Enter the object names to select (examples): box, type GPO_ADATUM Standards_Exempt,
and then press Enter.

21. Select the Deny check box next to Apply group policy, and then click OK.
22. A warning message appears to remind you that Deny permissions override Allow permissions. Click
Yes. Notice that the permission appears on the Delegation tab as Custom.
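
The scope change in this task can also be scripted, which makes it reviewable and repeatable. The following Windows PowerShell is an added example and is not part of the lab guide; it assumes the GroupPolicy and ActiveDirectory modules on LON-DC1 and uses the GPO and group names created above. Set-GPPermission cannot write Deny entries, so the exemption from steps 18 through 22 is written as a Deny ACE for the Apply-Group-Policy extended right on the GPO's directory object. One practitioner's check is included that the lab does not mention: after Microsoft's MS16-072 update, user settings in a GPO are read in the computer's security context, so once Authenticated Users is removed the computer accounts still need Read on the GPO or the user settings silently stop applying.

```powershell
# Added example (not part of the 10969B lab guide): Exercise 2, Task 3 with the GroupPolicy and
# ActiveDirectory modules on LON-DC1. GPO and group names are the lab's own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$overrideGpo = 'Engineering Application Override'
$applyGroup  = 'GPO_Engineering Application Override_Apply'
$standardGpo = 'ADATUM Standards'
$exemptGroup = 'GPO_ADATUM Standards_Exempt'

# Steps 8-11: drop "Authenticated Users: Apply" and grant Read + Apply to the filtering group only
Set-GPPermission -Name $overrideGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $overrideGpo -TargetName $applyGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Keep Read for computer accounts (MS16-072 behaviour: user settings are read by the computer)
Set-GPPermission -Name $overrideGpo -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Steps 18-22: a Deny ACE for the Apply-Group-Policy extended right (well-known rights GUID)
# on the GPO's object under CN=Policies,CN=System; Set-GPPermission has no Deny option.
$applyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$gpo   = Get-GPO -Name $standardGpo
$gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$sid   = (Get-ADGroup -Identity $exemptGroup).SID
$acl   = Get-Acl -Path "AD:\$gpoDn"
$deny  = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# Review: who can apply each GPO now. The Deny is shown as "Custom" on the GPMC Delegation tab.
Get-GPPermission -Name $overrideGpo -All |
    Format-Table @{n='Trustee'; e={ $_.Trustee.Name }}, Permission -AutoSize
(Get-Acl -Path "AD:\$gpoDn").Access |
    Where-Object { $_.ObjectType -eq $applyRight } |
    Format-Table IdentityReference, AccessControlType -AutoSize
```

Deny entries win over Allow entries, as the warning in step 22 says, so a user who is in both GPO_ADATUM Standards_Exempt and any group that is allowed to apply the GPO will not receive it; that makes membership of the exempt group worth auditing alongside the GPO itself.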

▶ Task 4: Configure loopback processing


1. On LON-DC1, switch to Active Directory Users and Computers.

2. In the console, click Adatum.com, right-click Adatum.com, point to New, and then click
Organizational Unit.
3. In the New Object – Organizational Unit dialog box, type Kiosks, and then click OK.

4. Right-click Kiosks, point to New, and then click Organizational Unit.

5. In the New Object – Organizational Unit dialog box, type Conference Rooms, and then click OK.
6. Switch to the Group Policy Management Console. Refresh the console if necessary.

7. In the tree, expand the Kiosks OU, and then click the Conference Rooms OU.

8. Right-click the Conference Rooms OU, and then click Create a GPO in this domain, and Link it
here.

9. In the New GPO window, in the Name field, type Conference Room Policies, and then press Enter.

10. In the console tree, expand Conference Rooms, and then click the Conference Room Policies GPO.

11. Click the Scope tab. Confirm that the GPO is scoped to apply to Authenticated Users.
12. Right-click the Conference Room Policies GPO in the console tree, and then click Edit.

13. In the Group Policy Management Editor console tree, expand User Configuration, expand Policies,
expand Administrative Templates, expand Control Panel, and then click Personalization.
14. Double-click the Screen saver timeout policy setting, and then click Enabled.

15. In the Seconds box, type 7200, and then click OK.
16. In the console tree, expand Computer Configuration, expand Policies, expand Administrative
Templates, expand System, and then click Group Policy.

17. Double-click the Configure user Group Policy loopback processing mode policy setting, and then
click Enabled.

18. In the Mode drop-down list, select Merge, and then click OK.

19. Close the Group Policy Management Editor window.

Results: After this exercise, you should have configured the required scope of the GPOs successfully.

Exercise 3: Verifying GPO Application


▶ Task 1: Perform Resultant Set of Policy (RSoP) analysis
1. Switch to LON-CL1, and then verify that you are signed in as Adatum\Pat. If necessary, provide the
password Pa$$w0rd.

2. Click Start.

3. Under the Desktop tile, click the arrow.


4. In the Apps list, right-click Command Prompt, and then click Run as administrator.

5. In the User Account Control dialog box, in the User name field, type Administrator. In the
Password field, type Pa$$w0rd, and then click Yes.

6. At the command prompt, type the following command, and then press Enter:

gpupdate /force

7. Wait for the command to complete. Make a note of the current system time, which you will need to
know for a task later in this lab. To record the system time, type the following command, and then
press Enter twice:

Time

8. Restart LON-CL1. Wait for LON-CL1 to restart before proceeding with the next task. Do not sign in to
LON-CL1.

9. Switch to LON-DC1.
10. Switch to the Group Policy Management Console.

11. In the console tree, if required, expand Forest: Adatum.com, and then click Group Policy Results.
12. Right-click Group Policy Results, and then click Group Policy Results Wizard.

13. On the Welcome to the Group Policy Results Wizard page, click Next.

14. On the Computer Selection page, click Another computer, type LON-CL1, and then click Next.

15. On the User Selection page, click Display policy settings for, click Select a specific user, select
ADATUM\Pat, and then click Next.

16. On the Summary Of Selections page, review your settings, and then click Next.

17. Click Finish. The RSoP report appears in the details pane of the Group Policy Management Console
(GPMC).

18. Review the summary results. For both the user and the computer configuration, identify the time of
the last policy refresh and the list of allowed and denied GPOs. Identify the components that were
used to process policy settings.

19. Click the Details tab. Review the settings that were applied during user and computer policy
application, and then identify the GPO from which the settings were obtained.
20. Click the Policy Events tab, and then locate the event that logs the policy refresh you triggered with
the gpupdate command in Task 1.

21. Click the Summary tab, right-click the page, and then click Save Report.
22. In the navigation pane, click Desktop, and then click Save.

23. Open the saved RSoP report from the desktop. Examine the RSoP report, and then close it.

▶ Task 2: Analyze RSoP with GPResults


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Under the Desktop tile, click the arrow.

3. In the Apps list, click Command Prompt.

4. At the command prompt, type the following command, and then press Enter:

gpresult /r

RSoP summary results are displayed. The information is very similar to the Summary tab of the RSoP
report that was produced by the Group Policy Results Wizard.

5. At the command prompt, type the following command, and then press Enter:

gpresult /v | more

Press the spacebar to proceed through the report. Notice that many of the Group Policy settings that
were applied by the client are listed in this report.

6. At the command prompt, type the following command, and then press Enter:

gpresult /z | more

Press the spacebar to proceed through the report. The most detailed RSoP report is produced.

7. At the command prompt, type the following command, and then press Enter:

gpresult /h:"%userprofile%\Desktop\RSOP.html"

An RSoP report is saved as an HTML file to your desktop.


8. Open the saved RSoP report from your desktop.

9. Compare the report, its information, and its formatting with the RSoP report that you saved in the
previous task.

▶ Task 3: Perform RSoP analysis with Windows PowerShell


1. Switch to LON-DC1.

2. On the taskbar, click Windows PowerShell.


3. At the command prompt in the Windows PowerShell command-line interface, type the following
command, and then press Enter:

Get-GPResultantSetOfPolicy -User Pat -Computer Adatum.com\LON-CL1 -ReportType Html -Path c:\report.html

4. On the taskbar, click File Explorer.


5. In the Address bar, type c:\, and then press Enter.

6. In File Explorer, double-click report.html.

7. In Internet Explorer, examine the report. It should appear similar to the one generated in task 1.
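
The reports produced in Tasks 2 and 3 are read by eye. The following Windows PowerShell is an added example, not part of the lab guide, that requests the same RSoP data as XML and turns the allowed and denied GPO lists into objects so that a script can check them. It assumes the GroupPolicy module on LON-DC1 and that LON-CL1 is reachable. The XML element names are those of the RSoP report schema as I know it (the same data gpresult /x writes); if a column comes back empty, compare the names against a report generated on your own system.

```powershell
# Added example (not part of the 10969B lab guide): RSoP from Exercise 3 as objects.
Import-Module GroupPolicy

$xmlPath = Join-Path -Path $env:TEMP -ChildPath 'rsop-LON-CL1-Pat.xml'
Get-GPResultantSetOfPolicy -User 'Adatum\Pat' -Computer 'Adatum.com\LON-CL1' `
    -ReportType Xml -Path $xmlPath | Out-Null

[xml]$rsop = Get-Content -Path $xmlPath
$ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $rsop.NameTable
$ns.AddNamespace('r', 'http://www.microsoft.com/GroupPolicy/Rsop')

# XPath rather than dot-notation: a <Name> child element collides with XmlNode.Name
function Get-NodeText([System.Xml.XmlNode]$Node, [string]$XPath) {
    $n = $Node.SelectSingleNode($XPath, $ns)
    if ($n) { $n.InnerText }
}

function Get-RsopGpoStatus([string]$Scope) {   # 'Computer' or 'User'
    $results = $rsop.SelectSingleNode("/r:Rsop/r:${Scope}Results", $ns)
    foreach ($gpo in $results.SelectNodes('r:GPO', $ns)) {
        $order = Get-NodeText $gpo 'r:Link/r:AppliedOrder'   # absent for GPOs that were not applied
        [pscustomobject]@{
            Scope         = $Scope
            Name          = Get-NodeText $gpo 'r:Name'
            AppliedOrder  = if ($order) { [int]$order } else { $null }
            LinkEnabled   = Get-NodeText $gpo 'r:Link/r:Enabled'
            FilterAllowed = Get-NodeText $gpo 'r:FilterAllowed'   # false = WMI filter excluded it
            AccessDenied  = Get-NodeText $gpo 'r:AccessDenied'    # true  = security filtering excluded it
        }
    }
}

$status = @(Get-RsopGpoStatus 'Computer') + @(Get-RsopGpoStatus 'User')

# GPOs the client applied, in the order it processed them
$status | Where-Object { $_.AppliedOrder } | Sort-Object Scope, AppliedOrder |
    Format-Table Scope, AppliedOrder, Name -AutoSize

# GPOs that were in scope but not applied, with the reason the engine recorded
$status | Where-Object { -not $_.AppliedOrder } |
    Format-Table Scope, Name, LinkEnabled, FilterAllowed, AccessDenied -AutoSize
```

The second table is the one to look at first when a setting is missing: a disabled link, a WMI filter that evaluated to false and a security-filtering denial all look the same in the Summary tab but are separated here.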

▶ Task 4: Evaluate GPO results by using the Group Policy Modeling Wizard
1. On LON-DC1, in the Group Policy Management Console tree, expand Forest: Adatum.com, and then
click Group Policy Modeling.

2. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard. The Group
Policy Modeling Wizard appears. Click Next.

3. On the Domain Controller Selection page, click Next.

4. On the User and Computer Selection page, in the User information section, click User, and then
click Browse. The Select User dialog box appears. Type Mike, and then press Enter.

5. In the Computer information section, click Computer, and then click Browse. The Select Computer
dialog box appears. Type LON-CL1, press Enter, and then click Next.
6. On the Advanced Simulation Options page, select the Loopback Processing check box, and then
click Merge. Even though the Conference Room Policies GPO specifies loopback processing, you must
instruct the Group Policy Modeling Wizard to consider loopback processing in its simulation. Click
Next.

7. On the Alternate Active Directory Paths page, click Browse next to Computer location. The
Choose Computer Container dialog box appears.

8. Expand Adatum and Kiosks, and then click Conference Rooms. You are simulating the effect of
LON-CL1 as a conference room computer. Click OK, and then click Next.
9. On the User Security Groups page, click Next.

10. On the Computer Security Groups page, click Next.

11. On the WMI Filters for Users page, click Next.


12. On the WMI Filters for Computers page, click Next.

13. Review your settings on the Summary of Selections page, click Next, and then click Finish.
14. On the Details tab, scroll to, and if necessary, expand User Details, expand Group Policy Objects,
and then expand Applied GPOs.

15. Will the Conference Room Policies GPO apply to Mike as a User policy when he logs on to LON-CL1,
if LON-CL1 is in the Conference Rooms OU?

16. Scroll to, and if necessary, expand User Details, expand Policies, expand Administrative Templates,
expand Control Panel/Personalization.
17. Confirm that the screen saver timeout is 7,200 seconds (45 minutes), the setting configured by the
Conference Room Policies GPO that overrides the 10-minute standard configured by the ADATUM
Standards GPO.

▶ Task 5: Review policy events and determine GPO infrastructure status


1. Switch to LON-CL1.
2. Pause your pointer in the lower-right corner of the display, click Settings, and then click Control
Panel.

3. Click System and Security, click Administrative Tools, and then double-click Event Viewer.
4. In the console tree, expand Windows Logs, and then click the System log.

5. Sort the System log by Source.

6. Locate events with Group Policy as the Source.


7. Review the information that is associated with Group Policy events.

8. In the console tree, expand Applications and Services Logs, expand Microsoft, expand Windows,
expand Group Policy, and then click Operational.

9. Locate the first event that is related to the Group Policy refresh you initiated in Exercise 1 with the
gpupdate command. Review that event and the events that followed it.
10. Sign out of LON-CL1.

Results: After this exercise, you should have used RSoP tools successfully to verify the correct application
of your GPOs.

Exercise 4: Managing GPOs

▶ Task 1: Perform a backup of GPOs
1. Switch to LON-DC1.

2. Switch to the Group Policy Management Console, and then click the Group Policy Objects node.
3. In the details pane, right-click ADATUM Standards, and then click Back Up.

4. In the Back Up Group Policy Object dialog box, in the Location field, type C:\, and then click
Backup.

5. In the Backup dialog box, click OK.

▶ Task 2: Perform a restore of GPOs


1. In the Group Policy Management Console, right-click ADATUM Standards, and then click Restore
from Backup.
2. In the Restore Group Policy Object Wizard dialog box, click Next.

3. On the Backup Location page, click Next.


4. On the Source GPO page, click Next.
5. On the Completing the Restore Group Policy Object Wizard page, click Finish.

6. In the Restore dialog box, click OK.

7. Close all open windows.
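
The backup and restore above handle one GPO from the console. The following Windows PowerShell is an added example, not part of the lab guide, that does the same with Backup-GPO and Restore-GPO, extended to all GPOs in a dated folder so it can be scheduled, and records the GPO version numbers beside the backup. It assumes the GroupPolicy module on LON-DC1 and a C:\GPOBackups folder that the account can write to.

```powershell
# Added example (not part of the 10969B lab guide): Exercise 4 with the GroupPolicy module.
Import-Module GroupPolicy

$backupRoot = Join-Path -Path 'C:\GPOBackups' -ChildPath (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -Path $backupRoot -ItemType Directory -Force | Out-Null

# Task 1, for every GPO: the comment is stored in the backup manifest and shown by the restore wizard
Backup-GPO -All -Path $backupRoot -Comment "Scheduled backup $(Get-Date -Format s)" |
    Format-Table DisplayName, CreationTime, BackupDirectory -AutoSize

# Record version numbers with the backup. A later jump in a version, or AD and SYSVOL versions
# that disagree, on a GPO nobody expected to change is worth a look.
Get-GPO -All |
    Select-Object DisplayName, Id, ModificationTime,
        @{n='UserDSVersion';         e={ $_.User.DSVersion }},
        @{n='UserSysvolVersion';     e={ $_.User.SysvolVersion }},
        @{n='ComputerDSVersion';     e={ $_.Computer.DSVersion }},
        @{n='ComputerSysvolVersion'; e={ $_.Computer.SysvolVersion }} |
    Export-Csv -Path (Join-Path -Path $backupRoot -ChildPath 'gpo-versions.csv') -NoTypeInformation

# Task 2: restore one GPO by name from that folder (the newest backup of it found there)
$before = (Get-GPO -Name 'ADATUM Standards').User.DSVersion
Restore-GPO -Name 'ADATUM Standards' -Path $backupRoot | Out-Null
$after  = (Get-GPO -Name 'ADATUM Standards').User.DSVersion
"ADATUM Standards user DSVersion before restore: $before, after restore: $after"
```

A restore writes the backed-up settings as a new revision, so the version number goes up rather than back; the CSV is what tells you which revision the backup actually captured.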

Results: After this exercise, you should have performed common management tasks successfully on your
GPOs.

Exercise 5: Troubleshooting GPOs


▶ Task 1: Read the help desk Incident Record
• Read help desk Incident Record 604531 in the exercise scenario.

▶ Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record in the exercise scenario in the
Workbook.

2. Update the Plan of Action section of the Incident Record in the Workbook with your
recommendations:

o Verify the configuration for LON-LAB1, and then ensure that LON-CL1 has the same
configuration.

o RSoP from Group Policy Modeling will provide the configuration information for LON-LAB1.

▶ Task 3: Attempt to resolve the problem


1. On LON-CL1, if necessary, sign out.

2. On LON-CL1, sign in by using the following credentials:

o User name: Administrator

o Password: Pa$$w0rd

o Domain: Adatum

3. In Start, click the Desktop tile.

4. Verify that the analysis Desktop shortcut for the Research application is not present. It should display
for any account.

5. Switch to the LON-DC1 computer.


6. In Server Manager, click Tools, and then click Active Directory Users and Computers.

7. In Active Directory Users and Computers, expand Adatum.com, and then click Computers.

8. Right-click LON-CL1, and then click Move.

9. In the Move window, expand Research, click Lab, and then click OK.

10. Close Active Directory Users and Computers.

11. Switch to LON-CL1.

12. Right-click Start, point to Shut down or sign out, and then click Restart.
13. On LON-CL1, sign in by using the following credentials:

o User name: Administrator


o Password: Pa$$w0rd

o Domain: Adatum

14. In Start, click Desktop.


15. Right-click Start and then click Command Prompt.
16. At the command prompt, type gpupdate /force, and then press Enter.

17. Right-click Start, point to Shut down or sign out, and then click Sign out.

18. On LON-CL1, sign in by using the following credentials:

o User name: Allie

o Password: Pa$$w0rd

o Domain: Adatum

19. In Start, click Desktop.

20. Verify that the Desktop shortcut analysis displays.

21. Sign out of LON-CL1.



22. Update the Resolution section of the Incident Record in the student handbook:

o RSoP from Group Policy Modeling indicates that LON-LAB1 has a GPO named ResearchLabs
applied. ResearchLabs GPO is linked to Adatum.com/Research/Lab.
o LON-CL1 is located in the Computers container and will not apply the ResearchLabs GPO.

o Moved LON-CL1 computer account to the Adatum.com/Research/Lab OU and then restarted the
computer.
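
The diagnosis and fix recorded in the Resolution section can be done from LON-DC1 without signing in to the client. The following Windows PowerShell is an added example, not part of the lab guide; it assumes the ActiveDirectory and GroupPolicy modules, the OU and computer names used in this exercise, and that LON-CL1 allows the remote scheduled-task traffic Invoke-GPUpdate relies on (Windows Server 2012 or later).

```powershell
# Added example (not part of the 10969B lab guide): Exercise 5, Task 3 from LON-DC1.
Import-Module ActiveDirectory, GroupPolicy

$labOu    = 'OU=Lab,OU=Research,DC=Adatum,DC=com'
$computer = Get-ADComputer -Identity 'LON-CL1'

# 1. Where the account is, and what is linked at the OU it should be in. The default Computers
#    container cannot carry GPO links, so a machine left there receives domain-linked GPOs only.
"LON-CL1 is in: $($computer.DistinguishedName)"
(Get-GPInheritance -Target $labOu).GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

# 2. Move the account into the Lab OU if it is not there already (steps 8-9)
if ($computer.DistinguishedName -notlike "*,$labOu") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $labOu
}

# 3. Refresh policy remotely (step 16). A restart is still the reliable way to pick up
#    computer settings that only apply at startup, as the lab does in step 12.
Invoke-GPUpdate -Computer 'LON-CL1' -Force -RandomDelayInMinutes 0

# 4. Confirm the Lab-linked GPO now appears in the computer's RSoP
$report = Join-Path -Path $env:TEMP -ChildPath 'LON-CL1-rsop.xml'
Get-GPResultantSetOfPolicy -Computer 'Adatum.com\LON-CL1' -ReportType Xml -Path $report | Out-Null
$applied = Select-String -Path $report -Pattern '<Name>ResearchLabs</Name>' -SimpleMatch -Quiet
"ResearchLabs GPO listed in LON-CL1's RSoP: $applied"
```

Step 1 is the part worth keeping as a habit: comparing the computer's distinguished name against the links reported by Get-GPInheritance answers most "the GPO is not applying" tickets before any policy refresh is triggered.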

▶ Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 10969B-LON-CL1 and 10969B-LON-DC2.

Results: After completing this exercise, you will have resolved the GPO application problem.

Module 6: Managing User Settings with Group Policy


Lab: Managing User Desktops with Group Policy

Exercise 1: Implementing Settings by Using Group Policy Preferences

▶ Task 1: Create the required logon script
1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.

2. On the taskbar, click File Explorer.

3. In the navigation pane, click This PC.

4. In the details pane, double-click Local Disk (C:), and then on the Home tab, click New folder.
5. Name the new folder Branch1.

6. Right-click the Branch1 folder, click Share with, and then click Specific people.

7. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add.
8. For the Everyone group, click the Permission Level drop-down arrow, and then select Read/Write.

9. Click Share, and then click Done.

10. Close the Local Disk (C:) window.

11. Pause your pointer in the lower-right corner of the display, and then click Start.

12. Type Notepad, and then press Enter.

13. In Notepad, type Net use S: \\LON-DC1\Branch1.


14. Click the File menu, and then click Save As.

15. In the Save As dialog box, in the File name box, type BranchScript.cmd.
16. In the Save as type list, select All Files (*.*).

17. In the navigation pane, click Desktop, and then click Save.

18. Close Notepad.

19. On the desktop, right-click the BranchScript.cmd file, and then click Copy. You will paste the file
into the appropriate folder later in the lab.

▶ Task 2: Create a new GPO, and link it to the Branch Office 1 organization unit
1. On LON-DC1, click Start, and then click Administrative Tools.

2. In Administrative Tools, double-click Active Directory Users and Computers.


3. In Active Directory Users and Computers, click and then right-click Adatum.com, point to New, and
then click Organizational Unit.

4. In the New Object – Organizational Unit dialog box, in the Name box, type Branch Office 1, and
then click OK.

5. In the navigation pane, click IT.

6. In the details pane, right-click Holly Dickson, and then click Move.

7. In the Move dialog box, click Branch Office 1, and then click OK.

8. In the details pane, right-click Brad Sutton, and then click Move.

9. In the Move dialog box, click Branch Office 1, and then click OK.

10. In the navigation pane, click Computers.

11. In the details pane, right-click LON-CL1, and then click Move.

12. In the Move dialog box, click Branch Office 1, and then click OK.

13. Pause your pointer in the lower-right corner of the display, and then click Start.

14. Click Administrative Tools, and then double-click Group Policy Management.

15. Expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

16. Right-click Branch Office 1, and then click Create a GPO in this domain and Link it here.

17. In the New GPO dialog box, in the Name box, type Branch1, and then click OK.

18. In the navigation pane, click Group Policy Objects.

19. Right-click the Branch1 Group Policy Object (GPO), and then click Edit.

20. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand
Windows Settings, and then click Scripts (Logon/Logoff).

21. In the details pane, double-click Logon.

22. In the Logon Properties dialog box, click Show Files.


23. In the details pane, right-click a blank area, and then click Paste.

24. Close the Logon window.


25. In the Logon Properties dialog box, click Add.

26. In the Add a Script dialog box, click Browse.

27. Click BranchScript.cmd, and then click Open.


28. Click OK twice to close all dialog boxes.
29. Close the Group Policy Management Editor window.

▶ Task 3: Edit the Default Domain Policy with the required Group Policy Preferences
1. On LON-DC1, in the Group Policy Management Console, click Group Policy Objects, in the details
pane, right-click Default Domain Policy, and then click Edit.

2. Expand User Configuration, expand Preferences, expand Windows Settings, right-click Shortcuts,
point to New, and then click Shortcut.

3. In the New Shortcut Properties dialog box, in the Action list, click Create.

4. In the Name box, type Notepad.

5. In the Location box, click the arrow, and then select All Users Desktop.

6. In the Target path box, type C:\Windows\System32\Notepad.exe.

7. On the Common tab, clear the Run in logged-on user’s security context (user policy option)
check box.

8. Select the Item-level targeting check box, and then click Targeting.
9. In the Targeting Editor dialog box, click New Item, and then click Security Group.

10. In the lower part of the dialog box, click the ellipsis button (…).

11. In the Select Group dialog box, in the Enter the object name to select (examples) box, type IT,
and then click OK.

12. Click OK twice.


13. Expand Computer Configuration, expand Policies, expand Administrative Templates, expand
System, and then expand Group Policy.

14. In the Details pane, double-click Configure Logon Script Delay.

15. In the Configure Logon Script Delay dialog box, click Disabled and then click OK.
16. Close all open windows.

▶ Task 4: Test the preferences


1. Switch to LON-CL1.

2. Pause your pointer in the lower-right corner of the display, and then click Settings.
3. Click Power, and then click Restart.

4. When the computer has restarted, sign in as Adatum\Holly with password Pa$$w0rd.
5. From Start screen, type cmd.exe, and then press Enter.

6. At the command prompt, type the following command, and then press Enter:

gpupdate /force

7. Sign out of LON-CL1. It is necessary to do this to ensure that the network drive mapping is created.
8. Sign in as Adatum\Brad with password Pa$$w0rd.

9. Click Desktop, and on the taskbar, click File Explorer.

10. Examine the navigation pane, and then verify that you have a drive that is mapped to
\\LON-DC1\Branch1.
11. Verify that the Notepad shortcut is on Brad’s desktop.

Note: It can take five to ten minutes for the shortcut and the drive mapping to appear.

12. If the shortcut does not appear, restart LON-CL1 and then repeat steps four through eight.

13. Sign out of LON-CL1.

Results: After this exercise, you should have created the required scripts and preference settings
successfully and then assigned them by using GPOs.

Exercise 2: Configuring Folder Redirection

▶ Task 1: Create a shared folder to store the redirected folders
1. On LON-DC1, on the taskbar, click File Explorer.

2. In the navigation pane, click This PC.


3. In the details pane, double-click Local Disk (C:), and then on the Home tab, click New folder.

4. Name the new folder Branch1Redirect.

5. Right-click the Branch1Redirect folder, click Share with, and then click Specific people.
6. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add.

7. For the Everyone group, click the Permission Level drop-down arrow, and then click Read/Write.

8. Click Share, and then click Done.


9. Close the Local Disk (C:) window.
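
The share created in this task gives Everyone Read/Write, which is enough for the lab but lets every user read every other user's redirected Documents folder. The following Windows PowerShell is an added example, not part of the lab guide, that creates the same share with the NTFS permissions Microsoft documents for a Folder Redirection root: a user can create and enter a folder of their own under the root but cannot list or read anyone else's. It assumes Windows Server 2012 or later on LON-DC1 (for New-SmbShare) and that C:\Branch1Redirect does not exist yet.

```powershell
# Added example (not part of the 10969B lab guide): Exercise 2, Task 1 with per-user isolation.
$root = 'C:\Branch1Redirect'
New-Item -Path $root -ItemType Directory -Force | Out-Null

$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the permissive C:\ ACEs

# identity, rights, inheritance, propagation, type
$rules = @(
    @('NT AUTHORITY\SYSTEM',    'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    @('BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    # whoever creates a subfolder owns it and is the only user with rights inside it
    @('CREATOR OWNER',          'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow'),
    # this folder only: enough to create and enter one's own folder, not to read others'
    @('NT AUTHORITY\Authenticated Users', 'ListDirectory,ReadAttributes,Traverse,CreateDirectories', 'None', 'None', 'Allow')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $r))
}
Set-Acl -Path $root -AclObject $acl

# Share permissions stay wide; the per-user isolation lives in NTFS
New-SmbShare -Name 'Branch1Redirect' -Path $root -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# Review what users actually get on the root
(Get-Acl -Path $root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType -AutoSize
```

This layout depends on the Folder Redirection setting "Grant the user exclusive rights" staying selected in Task 3, because the client creates the user's subfolder in the user's own context; the CREATOR OWNER entry is what then makes that user the folder's only reader.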

▶ Task 2: Create a new GPO and link it to the Branch Office 1 OU


1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, and then expand
Adatum.com.

3. Right-click Branch Office 1, and then click Create a GPO in this domain and Link it here.
4. In the New GPO dialog box, in the Name box, type Folder Redirection, and then click OK.

▶ Task 3: Edit the Folder Redirection settings in the policy


1. Expand Branch Office 1, right-click Folder Redirection, and then click Edit.

2. In the Group Policy Management Editor window, under User Configuration, expand Policies, expand
Windows Settings, and then expand Folder Redirection.

3. Right-click Documents, and then click Properties.

4. In the Document Properties dialog box, on the Target tab, next to Setting, click the drop-down
arrow, and then select Basic – Redirect everyone’s folder to the same location.

5. Ensure that the Target folder location box is set to Create a folder for each user under the root
path.
6. In the Root Path box, type \\LON-DC1\Branch1Redirect, and then click OK.

7. In the Warning dialog box, click Yes.

8. Close all open windows on LON-DC1.

▶ Task 4: Test the Folder Redirection settings


1. Switch to LON-CL1.
2. Sign in as Adatum\Administrator with password Pa$$w0rd.

3. From Start screen, type cmd.exe, and then press Enter.

4. At the command prompt, type the following command, and then press Enter:

gpupdate /force

5. Sign out, and then sign in as Adatum\Holly with password Pa$$w0rd.



6. From Start screen, click Desktop.

7. Right-click the desktop, and then click Personalize.

8. In the navigation pane, click Change desktop icons.

9. In Desktop Icon Settings, select the User’s Files check box, and then click OK.

10. On the desktop, double-click Holly Dickson.

11. Right-click Documents, and then click Properties.

12. In the Document Properties dialog box, note that the location of the folder is now the network
share in a subfolder named for the user.

13. If the Folder Redirection is not evident, sign out, sign in as Adatum\Holly with password Pa$$w0rd,
and then repeat steps 10 through 12.

14. Sign out of LON-CL1.

▶ Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps two and three for 10969B-LON-DC2 and 10969B-LON-CL1.

Results: After this exercise, you should have successfully configured Folder Redirection to a shared folder
on the LON-DC1 server.

Module 7: Deploying and Managing AD CS

Lab: Deploying and Configuring a Two-Tier CA Hierarchy

Exercise 1: Deploying an Offline Root CA

▶ Task 1: Install and configure Active Directory Certificate Services (AD CS) on CA-SVR1
1. Sign in to CA-SVR1 as Administrator with password Pa$$w0rd.

2. In Server Manager, click Add roles and features.

3. On the Before you begin page, click Next.

4. On the Select installation type page, click Next.


5. On the Select destination server page, click Next.

6. On the Select server roles page, select Active Directory Certificate Services. When the Add Roles
and Features Wizard window displays, click Add Features, and then click Next.
7. On the Select features page, click Next.

8. On the Active Directory Certificate Services page, click Next.


9. On the Select role services page, ensure that Certification Authority is selected, and then
click Next.

10. On the Confirm installation selections page, click Install.

11. On the Installation progress page, after installation completes successfully, click the text Configure
Active Directory Certificate Services on the destination server.

12. In the AD CS Configuration Wizard, on the Credentials page, click Next.


13. On the Role Services page, select Certification Authority, and then click Next.

14. On the Setup Type page, ensure that Standalone CA is selected, and then click Next.

15. On the CA Type page, ensure that Root CA is selected, and then click Next.

16. On the Private Key page, ensure that Create a new private key is selected, and then click Next.

17. On the Cryptography for CA page, keep the default selections for Cryptographic Service Provider
(CSP) and Hash Algorithm, but set the Key length to 4096, and then click Next.

18. On the CA Name page, in the Common name for this CA box, type AdatumRootCA, and then
click Next.

19. On the Validity Period page, click Next.


20. On the CA Database page, click Next.

21. On the Confirmation page, click Configure.

22. On the Results page, click Close.

23. On the Installation progress page, click Close.

24. On CA-SVR1, in Server Manager, click Tools, and then click Certification Authority.

25. In the certsrv – [Certification Authority (Local)] console, right-click AdatumRootCA, and then click
Properties.

26. In the AdatumRootCA Properties dialog box, click the Extensions tab.

27. On the Extensions tab, in the Select extension drop-down list, click CRL Distribution Point (CDP),
and then click Add.
28. In the Location box, type http://lon-svr1.adatum.com/CertData/, in the Variable drop-down list,
click <CaName>, and then click Insert.

29. In the Variable drop-down list, click <CRLNameSuffix>, and then click Insert.

30. In the Variable drop-down list, click <DeltaCRLAllowed>, and then click Insert.
31. In the Location box, position the cursor at the end of URL, type .crl, and then click OK.

32. Select the following options, and then click Apply:


o Include in the CDP extension of issued certificates

o Include in CRLs. Clients use this to find Delta CRL locations

33. In the Certification Authority pop-up window, click No.

34. In the Select extension drop-down list, click Authority Information Access (AIA), and then
click Add.

35. In the Location box, type http://lon-svr1.adatum.com/CertData/, in the Variable drop-down list,
click <ServerDNSName>, and then click Insert.

36. In the Location box, type an underscore (_), in the Variable drop-down list, click <CaName>, and
then click Insert. Position the cursor at the end of URL.

37. In the Variable drop-down list, click <CertificateName>, and then click Insert.
38. In the Location box, position the cursor at the end of the URL, type .crt, and then click OK.

39. Select the Include in the AIA extension of issued certificates check box, and then click OK.
40. Click Yes to restart the Certification Authority service.

41. In the Certification Authority console, expand AdatumRootCA, right-click Revoked Certificates,
point to All Tasks, and then click Publish.
42. In the Publish CRL window, click OK.

43. Right-click AdatumRootCA, and then click Properties.

44. In the AdatumRootCA Properties dialog box, click View Certificate.

45. In the Certificate dialog box, click the Details tab.

46. On the Details tab, click Copy to File.

47. In the Certificate Export Wizard, on the Welcome page, click Next.

48. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.

49. On the File to Export page, click Browse. In the File name box, type \\lon-svr1\C$, and then press
Enter.
50. In the File name box, type RootCA, click Save, and then click Next.
51. Click Finish, and then click OK three times.

52. Open a File Explorer window, and then browse to C:\Windows\System32\CertSrv\CertEnroll.

53. In the CertEnroll folder, click both files, right-click the highlighted files, and then click Copy.
54. In the File Explorer address bar, type \\lon-svr1\C$, and then press Enter.

55. Right-click the empty space, and then click Paste.

56. Close File Explorer.
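
Steps 26 through 42 set the CDP and AIA extensions through the console. The following Windows PowerShell is an added example, not part of the lab guide, that applies the same extensions with certutil so that the offline root's configuration is reproducible and can be reviewed as text before the CA ever issues a certificate. It is run on CA-SVR1 as Administrator after the CA role is configured; the URL is the lab's, and the flag values and %n variables are the ones certutil documents for these registry values.

```powershell
# Added example (not part of the 10969B lab guide): CDP/AIA extensions for the offline root.
$http = 'http://lon-svr1.adatum.com/CertData'

# CRLPublicationURLs flags: 1 = publish CRLs to this path, 2 = include in the CDP extension of
# issued certificates, 4 = include in CRLs so clients find delta CRLs (step 32 selects 2 + 4 = 6).
# %3 = <CaName>, %8 = <CRLNameSuffix>, %9 = <DeltaCRLAllowed>; entries are separated by a literal \n.
$cdp = "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:$http/%3%8%9.crl"

# CACertPublicationURLs flags: 1 = publish the CA certificate here, 2 = include in the AIA
# extension of issued certificates (step 39). %1 = <ServerDNSName>, %4 = <CertificateName>.
$aia = "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$http/%1_%3%4.crt"

# Writing the whole list also removes the default LDAP:/// entries, which a stand-alone root
# that never joins the domain could not publish to anyway.
certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia

Restart-Service -Name certsvc   # step 40
certutil -crl                   # steps 41-42: publish a CRL carrying the new CDP

# Review what the CA will stamp into issued certificates
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

Whichever way the extensions are set, the HTTP location must actually serve the files: the CRL and CA certificate copied to LON-SVR1 in steps 49 through 55 are what clients fetch when they validate certificates issued by the subordinate CA, and an unreachable CDP makes those certificates fail revocation checking rather than pass it.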

▶ Task 2: Create a Domain Name System (DNS) record for an offline root CA
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.

2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, click
Adatum.com, right-click Adatum.com, and then click New Host (A or AAAA).

3. In the New Host window, in the Name box, type CA-SVR1.

4. In the IP address window, type 172.16.0.40, click Add Host, click OK, and then click Done.

5. Close DNS Manager.

6. Switch to CA-SVR1.

7. On the Start screen, click Control Panel.


8. In the Control Panel window, click View network status and tasks.

9. In the Network and Sharing Center window, click Change advanced sharing settings.

10. Under Guest or Public (current profile), select the Turn on file and printer sharing option, and
then click Save changes.

Results: After completing this exercise, students will have installed and configured the stand-alone root
certification authority (CA) role on the LON-CA1 server. They will also have created the appropriate DNS record in
Active Directory Domain Services (AD DS) so that other servers can connect to LON-CA1.

Exercise 2: Deploying an Enterprise Subordinate CA


Task 1: Install and configure AD CS on LON-SVR1
1. On LON-SVR1, in Server Manager, click Add roles and features.

2. On the Before you begin page, click Next.


3. On the Select installation type page, click Next.

4. On the Select destination server page, click Next.

5. On the Select server roles page, select Active Directory Certificate Services.
6. When the Add Roles and Features Wizard displays, click Add Features, and then click Next.

7. On the Select features page, click Next.

8. On the Active Directory Certificate Services page, click Next.


9. On the Select role services page, ensure that Certification Authority is selected already, and then
select Certification Authority Web Enrollment.

10. When the Add Roles and Features Wizard displays, click Add Features, and then click Next.

11. On the Confirm installation selections page, click Install.


12. On the Installation progress page, after installation is successful, click the text Configure Active
Directory Certificate Services on the destination server.

13. In the AD CS Configuration Wizard, on the Credentials page, click Next.


L7-46 Deploying and Managing AD CS

14. On the Role Services page, select both Certification Authority and Certification Authority Web
Enrollment, and then click Next.

15. On the Setup Type page, select Enterprise CA, and then click Next.
16. On the CA Type page, click Subordinate CA, and then click Next.

17. On the Private Key page, ensure that Create a new private key is selected, and then click Next.

18. On the Cryptography for CA page, keep the default selections, and then click Next.
19. On the CA Name page, in the Common name for this CA box, type Adatum-IssuingCA, and then
click Next.

20. On the Certificate Request page, ensure that Save a certificate request to file on the target
machine is selected, and then click Next.

21. On the CA Database page, click Next.

22. On the Confirmation page, click Configure.

23. On the Results page, click Close.


24. On the Installation progress page, click Close.

Task 2: Install a subordinate CA certificate


1. On LON-SVR1, open a File Explorer window, and then navigate to Local Disk (C:).
2. Right-click RootCA.cer, and then click Install Certificate.

3. In the Certificate Import Wizard, click Local Machine, and then click Next.

4. On the Certificate Store page, click Place all certificates in the following store, and then click
Browse.
5. Select Trusted Root Certification Authorities, click OK, click Next, and then click Finish.

6. When the Certificate Import Wizard window appears, click OK.

7. In the File Explorer window, select the AdatumRootCA.crl and CA-SVR1_AdatumRootCA.crt files,
right-click the files, and then click Copy.

8. Double-click inetpub.

9. Double-click wwwroot.

10. Create a new folder, and then name it CertData.

11. Paste the two copied files into that folder.

12. Switch to Local Disk (C:).

13. Right-click the file LON-SVR1.Adatum.com_Adatum-LON-SVR1-CA.req, and then click Copy.

14. In the File Explorer address bar, type \\CA-SVR1\C$, and then press Enter.

15. In the File Explorer window, right-click an empty space, and then click Paste. Make sure that the
request file is copied to CA-SVR1.

16. Switch to the CA-SVR1 server.


17. In the Certification Authority console, right-click AdatumRootCA, point to All Tasks, and then click
Submit new request.

18. In the Open Request File window, navigate to Local Disk (C:), click the file
LON-SVR1.Adatum.com_Adatum-LON-SVR1-CA.req, and then click Open.

19. In the Certification Authority console, click the Pending Requests container. Right-click Pending
Requests, and then click Refresh.

20. In the details pane, right-click the request (with ID 2), point to All Tasks, and then click Issue.
21. In the Certification Authority console, click the Issued Certificates container.

22. In the details pane, double-click the certificate, click the Details tab, and then click Copy to File.

23. In the Certificate Export Wizard, on the Welcome page, click Next.
24. On the Export File Format page, click Cryptographic Message Syntax Standard – PKCS #7
Certificates (.P7B), click Include all certificates in the certification path if possible, and then click
Next.

25. On the File to Export page, click Browse.

26. In the File name box, type \\lon-svr1\C$, and then press Enter.

27. In the File name box, type SubCA, click Save, click Next, click Finish, and then click OK twice.

28. Switch to LON-SVR1.


29. In Server Manager, click Tools, and then click Certification Authority.

30. In the Certification Authority console, right-click Adatum-IssuingCA, point to All Tasks, and then
click Install CA Certificate.
31. Navigate to Local Disk (C:), click the SubCA.p7b file, and then click Open.

32. Wait for 15–20 seconds, and then on the toolbar, click the green icon to start the CA service.
33. Ensure that the CA starts successfully.

34. Switch to CA-SVR1.

35. Shut down the server.

Note: From this point on, you can safely take the root CA offline and use only the enterprise
subordinate CA.

Task 3: Publish a root CA certificate through Group Policy


1. On LON-DC1, on the taskbar, click the Server Manager icon.

2. In Server Manager, click Tools, and then click Group Policy Management.
3. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click Default Domain Policy, and then click Edit.

4. In the Computer Configuration node, expand Policies, expand Windows Settings, expand
Security Settings, expand Public Key Policies, right-click Trusted Root Certification Authorities,
click Import, and then click Next.

5. On the File to Import page, click Browse.


6. In the File name box, type \\lon-svr1\C$, and then press Enter.

7. Click file RootCA.cer, and then click Open.

8. Click Next two times, and then click Finish.



9. When the Certificate Import Wizard window appears, click OK.

Note: It might take 15–20 seconds for this window to appear.

10. Close the Group Policy Management Editor and the Group Policy Management Console.
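The following script is an added verification step and is not part of the 10969B lab or Microsoft's own material. Run on LON-SVR1 after Task 3, it checks that the root CRL and root certificate copied to C:\inetpub\wwwroot\CertData are downloadable, that Adatum-IssuingCA builds a chain to AdatumRootCA with online revocation checking, and that the root certificate is present in the machine Trusted Root store. The two URLs are assumptions derived from the CertData folder and file names used in Task 2.

```powershell
# Added check, not part of the lab. Run in an elevated PowerShell session on LON-SVR1.
# Assumed: the root CA's CDP/AIA extensions point at the CertData virtual directory
# created in Exercise 2, Task 2, using the file names copied there.
$CdpUrl = 'http://lon-svr1.adatum.com/CertData/AdatumRootCA.crl'
$AiaUrl = 'http://lon-svr1.adatum.com/CertData/CA-SVR1_AdatumRootCA.crt'

function Test-PkiUrl {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $Url; Status = $resp.StatusCode; Bytes = $resp.RawContentLength }
    } catch {
        # A CDP that clients cannot fetch makes every issued certificate fail revocation checking.
        [pscustomobject]@{ Url = $Url; Status = 'FAILED'; Bytes = 0 }
    }
}

function Test-IssuingCaChain {
    # The issuing CA's own certificate is in the machine Personal store once
    # "Install CA Certificate" (Task 2, step 30) has completed.
    $subCa = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=Adatum-IssuingCA*' } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $subCa) { throw 'Adatum-IssuingCA certificate not found in Cert:\LocalMachine\My' }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation online for every element except the self-signed root, so a stale
    # or unreachable root CRL is caught here rather than on every client.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $built = $chain.Build($subCa)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject     = $subCa.Subject
        Issuer      = $subCa.Issuer
        NotAfter    = $subCa.NotAfter
        ChainBuilt  = $built
        ChainDepth  = $chain.ChainElements.Count
        RootSubject = $root.Subject
        RootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint)
        Status      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# 1. Can clients download the root CRL and the root certificate?
$CdpUrl, $AiaUrl | ForEach-Object { Test-PkiUrl -Url $_ } | Format-Table -AutoSize

# 2. Does the issuing CA chain to AdatumRootCA, and is that root trusted by this machine?
Test-IssuingCaChain | Format-List

# 3. certutil fetches every AIA/CDP URL embedded in the certificate and reports each one.
$subCaFile = Join-Path $env:TEMP 'Adatum-IssuingCA.cer'
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=Adatum-IssuingCA*' } |
    Select-Object -First 1 | Export-Certificate -FilePath $subCaFile | Out-Null
certutil -verify -urlfetch $subCaFile
```

Because the root CA is offline after step 35, the root CRL's NextUpdate is the date by which CA-SVR1 must be started again to republish it; the first check fails for every client once that date passes.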

Prepare for the next module


1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 10969B-LON-SVR1, 10969B-LON-DC2, and 10969B-CA-SVR1.

Results: After completing this exercise, students will have deployed and configured an enterprise
subordinate CA on LON-SVR1, with a subordinate CA certificate issued by the root CA. To establish trust
between the root CA and domain-joined clients, students will have used Group Policy to deploy the root CA
certificate.

Module 8: Deploying and Managing Certificates


Lab: Deploying and Using Certificates
Exercise 1: Configuring Certificate Templates
Task 1: Create a new template based on the Web Server template
1. On LON-DC1, in Server Manager, click Tools, and then click Certification Authority.

2. In the Certification Authority console, expand AdatumCA, right-click Certificate Templates, and
then select Manage.
3. In the Certificate Templates console, locate the Web Server template in the list, right-click it, and
then click Duplicate Template.

4. Click the General tab, and in the Template display name text box, type Production Web Server,
and then set the Validity period to 3 years.
5. Click the Request Handling tab, select Allow private key to be exported, and then click OK.
Minimize the Certificate Templates console.
6. In the Certification Authority console on LON-DC1, right-click Revoked Certificates, select All tasks,
click Publish, and then click OK.

Task 2: Create a new template for users that includes smart card logon
1. On LON-DC1, in the Certificate Templates console, right-click the User certificate template, and then
click Duplicate Template.
2. In the Properties of New Template dialog box, click the General tab, and in the Template display
name text box, type Adatum User.

3. On the Subject Name tab, clear both the Include e-mail name in subject name and the E-mail
name check boxes.

4. On the Extensions tab, click Application Policies, and then click Edit.

5. In the Edit Application Policies Extension dialog box, click Add.

6. In the Add Application Policy dialog box, select Smart Card Logon, and then click OK twice.

7. Click the Superseded Templates tab, click Add, click the User template, and then click OK.

8. On the Security tab, click Authenticated Users. Under Permissions for Authenticated Users, select
the Allow check boxes for Read, Enroll, and Autoenroll, and then click OK.

9. Close the Certificate Templates console.

Task 3: Configure the templates so they can be issued


1. On LON-DC1, in the Certification Authority console, right-click Certificate Templates, point to New,
and then click Certificate Template to Issue.

2. In the Enable Certificate Templates window, select Adatum User and Production Web Server, and
then click OK.
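The following audit script is added here and is not the lab's or Microsoft's code. It reads the certificate templates from the Configuration partition, decodes the settings this exercise changed (exportable private key, CA manager approval, Smart Card Logon EKU, superseded templates, and who holds the Enroll and Autoenroll rights) and marks which templates AdatumCA actually publishes. It assumes the ActiveDirectory module is available on LON-DC1; the flag bit values come from the MS-CRTD specification and the right GUIDs are the standard control-access rights, both stated here as assumptions.

```powershell
# Added audit, not part of the lab. Run on LON-DC1 (needs the ActiveDirectory module).
Import-Module ActiveDirectory

# Bit values for the msPKI-* template attributes (from MS-CRTD; assumed here).
$PrivateKeyFlags = @{ 0x1 = 'RequireKeyArchival'; 0x10 = 'ExportableKey' }
$EnrollmentFlags = @{ 0x2 = 'CAManagerApproval'; 0x20 = 'AutoEnrollment' }
$NameFlags       = @{ 0x1 = 'EnrolleeSuppliesSubject'; 0x200000 = 'SanRequireEmail'; 0x20000000 = 'SubjectRequireEmail' }
$KnownEku = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.4.1.311.20.2.1' = 'Certificate Request Agent'
    '1.3.6.1.4.1.311.21.6'   = 'Key Recovery Agent'
}
# Control-access right GUIDs that grant Enroll and Autoenroll on a template (assumed).
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d2-b5a3-00c04fd8fad0'

function ConvertFrom-TemplateFlags([int]$Value, [hashtable]$Map) {
    ($Map.Keys | Where-Object { ($Value -band $_) -ne 0 } | ForEach-Object { $Map[$_] }) -join ', '
}

function Get-EnrollIdentities([string]$TemplateDn) {
    # Enroll/Autoenroll are extended rights; an empty ObjectType means "all extended rights".
    (Get-Acl -Path "AD:\$TemplateDn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights -eq 'GenericAll' -or
                (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                 ($_.ObjectType -in @($EnrollRight, $AutoEnrollRight, [guid]::Empty))))
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Get-TemplateAudit {
    param([string]$CaName = 'AdatumCA')
    $pki = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    # The CA's Enrollment Services object lists the template names it actually publishes.
    $ca = Get-ADObject -SearchBase "CN=Enrollment Services,$pki" -LDAPFilter "(cn=$CaName)" -Properties certificateTemplates
    if (-not $ca) { throw "CA '$CaName' not found under $pki" }

    $props = 'displayName', 'msPKI-Private-Key-Flag', 'msPKI-Enrollment-Flag', 'msPKI-Certificate-Name-Flag',
             'pKIExtendedKeyUsage', 'msPKI-Supersede-Templates'
    Get-ADObject -SearchBase "CN=Certificate Templates,$pki" -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
        ForEach-Object {
            $eku = @($_.pKIExtendedKeyUsage | Where-Object { $_ })
            [pscustomobject]@{
                Template    = $_.displayName
                Published   = [bool]($ca.certificateTemplates -contains $_.Name)
                PrivateKey  = ConvertFrom-TemplateFlags $_.'msPKI-Private-Key-Flag' $PrivateKeyFlags
                Enrollment  = ConvertFrom-TemplateFlags $_.'msPKI-Enrollment-Flag' $EnrollmentFlags
                SubjectName = ConvertFrom-TemplateFlags $_.'msPKI-Certificate-Name-Flag' $NameFlags
                EKU         = ($eku | ForEach-Object { if ($KnownEku[$_]) { $KnownEku[$_] } else { $_ } }) -join ', '
                Supersedes  = @($_.'msPKI-Supersede-Templates') -join ', '
                Enroll      = (Get-EnrollIdentities $_.DistinguishedName) -join ', '
            }
        }
}

# Published templates are the ones clients can request; review exportable keys, Smart Card
# Logon, and broad Enroll/Autoenroll grants such as Authenticated Users with particular care.
Get-TemplateAudit | Where-Object Published | Sort-Object Template | Format-Table -AutoSize
```

Production Web Server should show ExportableKey and Server Authentication, and Adatum User should show Smart Card Logon, Supersedes User, and Authenticated Users in the Enroll column.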

Task 4: Enroll the Web server certificate on LON-SVR1


1. Switch to LON-SVR1.

2. From the taskbar, click the Windows PowerShell icon.



3. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.

4. From Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
5. In the IIS console, click LON-SVR1, and then in the central pane, double-click Server Certificates.

6. In the Actions pane, click Create Domain Certificate.

7. On the Distinguished Name Properties page, complete the following fields, and then click Next:
o Common name: lon-svr1.adatum.com

o Organization: Adatum

o Organizational Unit: IT
o City/locality: Seattle

o State/province: WA

o Country/region: US

8. On the Online Certification Authority page, click Select, click AdatumCA, and then click OK.

9. In the Friendly name text box, type lon-svr1, and then click Finish.

10. Ensure that the certificate displays in the Server Certificates console.

11. In the IIS console, expand LON-SVR1, expand Sites, and then click Default Web Site.
12. In the Actions pane, click Bindings.

13. In the Site Bindings window, select https, and then click Edit.
14. In the SSL certificate drop-down list, click lon-svr1, click OK, and then click Close.

15. Close the Internet Information Services (IIS) Manager.

16. Switch to LON-DC1, open the Start screen, and then click Internet Explorer.
17. In the Internet Explorer window, type https://lon-svr1.adatum.com/ in the Address bar, and then
press Enter.

18. Ensure that the Internet Information Services page opens and that no certificate error displays.

Results: After completing this exercise, students will have configured certificate templates.

Exercise 2: Enrolling and using certificates


Task 1: Configure autoenrollment for users
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain
Policy, and then click Edit.

3. Expand User Configuration, expand Policies, expand Windows Settings, expand Security Settings,
and then click to highlight Public Key Policies.

4. In the details pane, double-click Certificate Services Client – Auto-Enrollment.



5. In the Configuration Model drop-down list, click Enabled, select both the Renew expired certificates,
update pending certificates, and remove revoked certificates check box and the Update certificates that
use certificate templates check box, and then click OK to close the properties window.

6. In the right pane, double-click the Certificate Services Client – Certificate Enrollment Policy
object.

7. On the Enrollment Policy tab, set the Configuration Model to Enabled, and then ensure that the
Certificate Enrollment Policy list displays the Active Directory Enrollment Policy. It should have a
check mark next to it and display a status of Enabled. Click OK to close the window.

8. Close both the Group Policy Management Editor window and the Group Policy Management
Console.

Task 2: Verify autoenrollment


1. On LON-CL1, on Start, type PowerShell, and then click the Windows PowerShell icon.

2. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
3. After the policy refreshes, type mmc.exe, and then press Enter.

4. In Console1, click File, and then click Add/Remove Snap-in, click Certificates, click Add, click Finish,
and then click OK.
5. Expand Certificates – Current User, expand Personal, and then click Certificates.

6. Verify that a certificate based on the Adatum User template is issued for Administrator. To verify the
template name, scroll to the right in the console window.
7. Close Console1 without saving changes.

8. Sign out of LON-CL1.

Task 3: Configure the Enrollment Agent for smart card certificates


1. On LON-DC1, in Server Manager, click Tools, and then open Certification Authority.
2. In the certsrv console, expand AdatumCA, right-click Certificate Templates, and then click Manage.

3. In the Certificate Templates console, double-click Enrollment Agent.

4. Click the Security tab, and then click Add.

5. In the Select Users, Computers, Service Accounts, or Groups window, type Allie, click Check Names,
and then click OK.

6. On the Security tab, click Allie Bellew, select Allow for Read and Enroll permissions, and then
click OK.

7. Close the Certificate Templates console.

8. In the certsrv console, right-click Certificate Templates, point to New, and then click Certificate
Template to Issue.
9. In the list of templates, click Enrollment Agent, and then click OK.

10. Switch to LON-CL1, and then sign in as Adatum\Allie with password Pa$$w0rd.

11. Open a Command Prompt window, type mmc.exe, and then press Enter.
12. In Console1, click File, and then click Add/Remove Snap-in.

13. Click Certificates, click Add, and then click OK.



14. Expand Certificates – Current User, expand Personal, click Certificates, right-click Certificates,
point to All Tasks, and then click Request New Certificate.

15. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
16. On the Select Certificate Enrollment Policy page, click Next.

17. On the Request Certificates page, select Enrollment Agent, click Enroll, and then click Finish.

18. Sign out of LON-CL1.


19. Switch to LON-DC1.

20. In the Certification Authority console, right-click AdatumCA, and then click Properties.

21. On the Enrollment Agents tab, click Restrict Enrollment agents.


22. On the pop-up window that displays, click OK.

23. In the Enrollment agents section, click Add.

24. In the Select User, Computer or Group field, type Allie, click Check Names, and then click OK.

25. Click Everyone, and then click Remove.

26. In the Certificate Templates section, click Add.

27. In the list of templates, select Adatum User, and then click OK.

28. In the Certificate Templates section, click <All>, and then click Remove.
29. In the Permission section, click Add.

30. In the Select User, Computer or Group field, type Marketing, click Check Names, and then
click OK.
31. In the Permission section, click Everyone, click Remove, and then click OK.

Task 4: Use certificates for digital signing of a Word document


1. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd.
2. Open Word 2013.

3. In a blank document, type some text, and then save the document to the desktop.

4. On the toolbar, click INSERT, and then in the Text pane, in the Signature Line drop-down list, click
Microsoft Office Signature Line.
5. In the Signature Setup window, type your name in the Suggested signer text box, type
Administrator in the Suggested signer’s title text box, type Administrator@adatum.com in the
Suggested signer’s email address text box, and then click OK.
6. Right-click the signature line in the document, and then click Sign….

7. In the Sign window, click Change.

8. In the Certificate list, ensure that you have a certificate issued for Administrator, and then click OK.

9. In the text box to the right of the X, type your name, click Sign, and then click OK. Besides typing
your name, you also can select an image. This image can be your scanned handwriting signature.

10. Ensure that the document cannot be edited anymore.

Note: Try to type some text in the document.



11. Close Word 2013, and then save changes if prompted.

12. Sign out of LON-CL1.

Results: After completing this exercise, students will have implemented certificate enrollment.

Exercise 3: Configuring and Implementing Key Recovery


Task 1: Configure the certification authority (CA) to issue KRA certificates
1. On LON-DC1, in the Certification Authority console, expand the AdatumCA node, right-click the
Certificate Templates folder, and then click Manage.

2. In the details pane, right-click the Key Recovery Agent certificate, and then click Properties.

3. In the Key Recovery Agent Properties dialog box, click the Issuance Requirements tab, and then
clear the CA certificate manager approval check box.
4. Click the Security tab. Notice that Domain Admins and Enterprise Admins are the only groups that
have the Enroll permission, and then click OK.

5. Close the Certificate Templates console.


6. In the Certification Authority console, right-click Certificate Templates, point to New, and then click
Certificate Template to Issue.
7. In the Enable Certificate Templates dialog box, click the Key Recovery Agent template, and then
click OK.

8. Close the Certification Authority console.

Task 2: Acquire the KRA certificate


1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell command prompt, type mmc.exe, and then press Enter.

3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.

4. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
5. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.

6. Expand the Certificates - Current User node, right-click Personal, point to All Tasks, and then click
Request New Certificate.
7. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.

8. On the Select Certificate Enrollment Policy page, click Next.

9. On the Request Certificates page, select the Key Recovery Agent check box, click Enroll, and then
click Finish.

10. Refresh the console, and then view the Key Recovery Agent (KRA) certificate in the personal store. Scroll
across the certificate properties and verify that the Certificate Template column shows Key Recovery Agent.
11. Close Console1 without saving changes.

Task 3: Configure the CA to allow key recovery


1. On LON-DC1, in the Certification Authority console, right-click AdatumCA, and then click
Properties.

2. In the AdatumCA Properties dialog box, click the Recovery Agents tab, and then select Archive
the key.
3. Under Key recovery agent certificates, click Add.

4. In the Key Recovery Agent Selection dialog box, click the certificate intended for KRA use (it will
most likely be the last one in the list), and then click OK twice.

5. When prompted to restart the CA, click Yes.

Task 4: Configure a custom template for key archival


1. On LON-DC1, in the Certification Authority console, right-click the Certificate Templates folder,
and then click Manage.
2. In the Certificate Templates console, right-click the User certificate, and then click Duplicate
Template.

3. In the Properties of New Template dialog box, on the General tab, in the Template display name
text box, type Archive User.

4. On the Request Handling tab, select the Archive subject's encryption private key check box.

5. If a pop-up window displays, click OK.


6. Click the Subject Name tab, clear the E-mail name and Include E-mail name in subject name
check boxes, and then click OK.
7. Close the Certificate Templates console.

8. In the Certification Authority console, right-click the Certificate Templates folder, point to New,
and then click Certificate Template to Issue.
9. In the Enable Certificate Templates dialog box, click the Archive User template, and then click OK.

10. Close the Certification Authority console.

Task 5: Verify key archival functionality


1. Sign in to LON-CL1 as Adatum\Aidan with password Pa$$w0rd.

2. On the Start screen, type mmc.exe, and then press Enter. In the User Account Control window, click Yes.

3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.

4. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, and then click OK. In the
Certificates snap-in dialog box, click Finish.
5. Expand the Certificates - Current User node, right-click Personal, click All Tasks, and then click
Request New Certificate.

6. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.

7. On the Select Certificate Enrollment Policy page, click Next.

8. On the Request Certificates page, select the Archive User check box, click Enroll, and then click
Finish.
9. Refresh the console, and then verify that a certificate based on the Archive User certificate template is
issued to Aidan.

10. Simulate the loss of a private key by deleting the certificate. In the central pane, right-click the
certificate that you just enrolled, select Delete, and then click Yes to confirm.

11. Switch to LON-DC1.


12. Open the Certification Authority console, expand AdatumCA, and then click the Issued Certificates
store.

13. In the details pane, double-click a certificate with Requestor Name Adatum\Aidan, and a Certificate
Template name of Archive User.

14. Click the Details tab, copy the Serial number, and then click OK. You can copy the number by selecting
it and pressing Ctrl+C, or write it down on paper.
15. On the taskbar, click the Windows PowerShell icon.

16. At the Windows PowerShell command prompt, type the following command, where <serial number>
is the serial number that you copied, and then press Enter:

certutil -getkey <serial number> outputblob

Note: If you paste the serial number, remove the spaces between the numbers.

17. Verify that the Outputblob file now displays in the C:\Users\Administrator folder.
18. To convert the Outputblob file into a .pfx file, at the Windows PowerShell command prompt, type the
following command, and then press Enter:

certutil -recoverkey outputblob aidan.pfx

19. When prompted for the new password, type Pa$$w0rd, and then confirm the password.
20. After the command executes, close Windows PowerShell.

21. Browse to C:\Users\Administrator, and then verify that aidan.pfx—the recovered key—is created.

22. Switch to LON-CL1.


23. Open File Explorer and then browse to \\LON-DC1\c$\users\administrator.

24. When prompted for credentials, use Adatum\Administrator with password Pa$$w0rd.

25. Copy the aidan.pfx file to C:\Users\aidan.

26. Double-click the aidan.pfx file.

27. On the Welcome to the Certificate Import Wizard page, click Next.

28. On the File to Import page, click Next.

29. On the Password page, type the password Pa$$w0rd, and then click Next.

30. On the Certificate Store page, click Next, click Finish, and then click OK.

31. In Console1, expand the Certificates - Current User node, expand Personal, and then click
Certificates.

32. Refresh the console, and then verify that the certificate for Aidan is restored.
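The following script is added here and is not part of the lab or Microsoft's own material. Run on LON-DC1 after Task 5, it confirms that AdatumCA is configured to archive keys, shows which KRA certificates are registered, checks that Certification Services auditing is switched on, and lists the Security log events that the key archival and the certutil -recoverkey step leave behind. The CertSvc registry value names, the AuditFilter bit, and the event IDs (4893 = key archived, 4883 = archived key retrieved) are standard Windows values but are stated here as assumptions.

```powershell
# Added check, not part of the lab. Run in an elevated PowerShell session on LON-DC1.
$CaName = 'AdatumCA'
# Per-CA configuration key used by the CertSvc service (value names assumed: KRACount,
# KRAFlags, KRACertHash, AuditFilter).
$CaReg  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
# AuditFilter bit for "Store and retrieve archived keys" on the CA's Auditing tab (assumed).
$AuditArchivedKeys = 0x20

function Get-KeyArchivalStatus {
    $cfg = Get-ItemProperty -Path $CaReg
    $auditFilter = [int]$cfg.AuditFilter
    [pscustomobject]@{
        CA                 = $CaName
        # "Archive the key" on the Recovery Agents tab sets the number of KRAs to use (> 0).
        KraCount           = [int]$cfg.KRACount
        KraFlags           = [int]$cfg.KRAFlags
        # Thumbprints of the KRA certificates selected in Task 3; every archived key is
        # encrypted to these, so each holder can recover any archived user key.
        KraCertHashes      = @($cfg.KRACertHash) -join ', '
        AuditFilter        = ('0x{0:x}' -f $auditFilter)
        AuditsArchivedKeys = ($auditFilter -band $AuditArchivedKeys) -ne 0
    }
}

function Get-CertSvcAuditPolicy {
    # The CA's AuditFilter produces nothing unless the system audit subcategory is on too.
    auditpol /get /subcategory:"Certification Services" /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-KeyRecoveryEvents([int]$Days = 7) {
    # 4893: Certificate Services archived a key.  4883: Certificate Services retrieved an archived key.
    # A 4883 with no matching help-desk ticket is the signal a defender wants to see.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4883, 4893; StartTime = (Get-Date).AddDays(-$Days) } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-KeyArchivalStatus   | Format-List
Get-CertSvcAuditPolicy  | Format-Table -AutoSize
Get-KeyRecoveryEvents   | Format-Table -AutoSize
```

After Task 5, the event list should contain one 4893 for Aidan's Archive User enrollment and one 4883 for the certutil -getkey step; if AuditsArchivedKeys is False or the subcategory shows No Auditing, key recoveries are happening without a trace.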

Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 10969B-LON-CL1, 10969B-LON-DC2, and 10969B-LON-SVR1.

Results: After completing this exercise, students will have configured key recovery.

Module 9: Implementing and Administering AD RMS


Lab: Implementing an AD RMS Infrastructure
Exercise 1: Install and Configure AD RMS
Task 1: Configure DNS and the AD RMS service account
1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.

2. In Server Manager, click Tools, and then click Active Directory Administrative Center.

3. Select and then right-click Adatum (local), click New, and then click Organizational Unit.

4. In the Create Organizational Unit dialog box, in the Name field, type Service Accounts, and then
click OK.

5. Right-click the Service Accounts organizational unit (OU), click New, and then click User.

6. In the Create User dialog box, enter the following details, and then click OK:
o First name: ADRMSSVC

o User UPN logon: ADRMSSVC


o Password: Pa$$w0rd

o Confirm Password: Pa$$w0rd

o Password never expires: Enabled

o User cannot change password: Enabled

7. Right-click the Users container, click New, and then click Group.

8. In the Create Group dialog box, enter the following details, and then click OK:

o Group name: ADRMS_SuperUsers


o E-mail: ADRMS_SuperUsers@adatum.com

9. Right-click the Users container, click New, and then click Group.
10. In the Create Group dialog box, enter the following details, and then click OK:

o Group name: Executives

o E-mail: executives@adatum.com
11. Double-click the Managers OU, hold down the Ctrl key, and then click the following users:

o Aidan Delaney

o Bill Malone

12. In the Tasks pane, click Add to group.

13. In the Select Groups dialog box, type Executives, and then click OK.

14. Close the Active Directory Administrative Center.

15. In Server Manager, click Tools, and then click DNS.

16. In the DNS Manager console, expand LON-DC1, and then expand Forward Lookup Zones.

17. Select and then right-click Adatum.com, and then click New Host (A or AAAA).

18. In the New Host dialog box, enter the following information, and then click Add Host:

o Name: adrms

o IP address: 172.16.0.21

19. Click OK, and then click Done.

Note: This is the address of LON-SVR1, where you will install Active Directory Rights
Management Services (AD RMS).

20. Close the DNS Manager console.

Task 2: Install and configure the AD RMS server role


1. Sign in to LON-SVR1 as Adatum\Administrator with password Pa$$w0rd.

2. In Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next three times.

4. On the Select server roles page, click Active Directory Rights Management Services.

5. In the Add Roles and Features Wizard dialog box, click Add Features, click Next four times, click
Install, and then click Close.

6. In Server Manager, click the AD RMS node.

7. Next to Configuration required for Active Directory Rights Management Services at LON-SVR1, click
More.
8. On the All Servers Task Details and Notifications page, click Perform additional configuration.

9. On the AD RMS page, in the AD RMS Configuration: LON-SVR1.adatum.com dialog box, click
Next.
10. On the AD RMS Cluster page, click Create a new AD RMS root cluster, and then click Next.

11. On the Configuration Database page, click Use Windows Internal Database on this server, and
then click Next.

12. On the Service Account page, click Specify.

13. In the Windows Security dialog box, enter the following details, click OK, and then click Next (if you
get an error when you try to use the ADRMSSVC service account, force replication between LON-DC1
and LON-DC2, and then try the step again):

o User name: ADRMSSVC


o Password: Pa$$w0rd

14. On the Cryptographic Mode page, click Cryptographic Mode 2, and then click Next.

15. On the Cluster Key Storage page, click Use AD RMS centrally managed key storage, and then
click Next.

16. On the Cluster Key Password page, type the password Pa$$w0rd twice, and then click Next.

17. On the Cluster Web Site page, verify that Default Web Site is selected, and then click Next.

18. On the Cluster Address page, provide the following information, and then click Next:

o Connection Type: Use an unencrypted connection (http://)

o Fully Qualified Domain Name: adrms.adatum.com

o Port: 80

Note: This lab uses port 80 for convenience. In production environments, you would
protect AD RMS by using an encrypted connection.

19. On the Licensor Certificate page, type AdatumADRMS, and then click Next.

20. On the SCP Registration page, click Register the SCP now, and then click Next.

21. On the Confirmation page, click Install, and then click Close.
22. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

23. In Internet Information Services (IIS) Manager, expand LON-SVR1\Sites\Default Web Site, and then
click _wmcs. If the Internet Information Services (IIS) Manager prompt window appears, click No.
24. Under the /_wmcs node, double-click Authentication, click Anonymous Authentication, and then
in the Actions pane, click Enable.

25. In the Connections pane, expand _wmcs, and then click licensing.
26. Under the /_wmcs/licensing node, double-click Authentication, click Anonymous Authentication,
and then in the Actions pane, click Enable.

Note: You would not enable Anonymous Authentication in a production environment. It is enabled
here only to make the lab configuration easier.

27. On the Start screen, click Administrator, and then click Sign Out.

Note: You must sign out before you can manage AD RMS.

Task 3: Configure the AD RMS Super Users group


1. Sign in to LON-SVR1 as Adatum\Administrator with password Pa$$w0rd.

2. In Server Manager, click Tools, and then click Active Directory Rights Management Services.

3. In the AD RMS console, expand the lon-svr1 (Local) node, and then click Security Policies.

4. In the Security Policies area, under Super Users, click Change super user settings.

5. In the Actions pane, click Enable Super Users.

6. In the Super Users area, click Change super user group.

7. In the Super Users dialog box, in the Super user group text box, type
ADRMS_SuperUsers@adatum.com, and then click OK.

Results: After completing this exercise, you will have installed and configured AD RMS.
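The following script is added here and is not part of the lab or Microsoft's own material. It turns the two lab-only shortcuts in this exercise (an http:// cluster address and anonymous authentication on _wmcs) and the Super Users setting into checks a production deployment should pass: it reads the cluster URL from the registered SCP, reads the anonymous authentication setting of the two IIS nodes changed in Task 2, and lists the members of ADRMS_SuperUsers, who can decrypt all protected content. The SCP location in the Configuration partition and the IIS provider paths are the standard ones but are stated here as assumptions; run it on LON-SVR1 with the ActiveDirectory and WebAdministration modules.

```powershell
# Added check, not part of the lab. Run in an elevated PowerShell session on LON-SVR1.
Import-Module ActiveDirectory
Import-Module WebAdministration

function Get-AdRmsScp {
    # The SCP registered in Task 2 (step 20) is what clients use to find the cluster
    # (location assumed). Its serviceBindingInformation holds the cluster URL.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $scp = Get-ADObject -Identity "CN=SCP,CN=RightsManagementServices,CN=Services,$cfg" `
        -Properties serviceBindingInformation -ErrorAction Stop
    foreach ($url in @($scp.serviceBindingInformation)) {
        [pscustomobject]@{
            ClusterUrl = $url
            # Port 80 / http:// was chosen for lab convenience only; production needs https://.
            Encrypted  = $url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)
        }
    }
}

function Get-AdRmsAnonymousAuth {
    # Task 2 enabled anonymous authentication on both of these nodes "for lab purposes".
    $nodes = 'IIS:\Sites\Default Web Site\_wmcs', 'IIS:\Sites\Default Web Site\_wmcs\licensing'
    foreach ($path in $nodes) {
        $setting = Get-WebConfigurationProperty -PSPath $path `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
        [pscustomobject]@{ Path = $path; AnonymousEnabled = [bool]$setting.Value }
    }
}

function Get-AdRmsSuperUsers {
    # Super Users can decrypt any content protected by this cluster; membership should be
    # empty in normal operation and only populated, and reviewed, when recovery is needed.
    Get-ADGroupMember -Identity 'ADRMS_SuperUsers' -Recursive |
        Select-Object name, objectClass, distinguishedName
}

$findings = @()
$findings += Get-AdRmsScp           | Where-Object { -not $_.Encrypted }        | ForEach-Object { "Cluster URL is not encrypted: $($_.ClusterUrl)" }
$findings += Get-AdRmsAnonymousAuth | Where-Object { $_.AnonymousEnabled }      | ForEach-Object { "Anonymous authentication enabled on $($_.Path)" }
$findings += Get-AdRmsSuperUsers    | ForEach-Object { "Super User: $($_.distinguishedName)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

Against the lab as built, the script reports all three findings; the first two are the deliberate shortcuts the notes in Task 2 call out, and the third is the group configured in Task 3.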

Exercise 2: Configure AD RMS Templates


Task 1: Configure a new rights policy template
1. Ensure that you are signed in to LON-SVR1.

2. In the AD RMS console, click the Rights Policy Templates node.


3. In the Actions pane, click Create Distributed Rights Policy Template.

4. In the Create Distributed Rights Policy Template Wizard, on the Add Template Identification
information page, click Add.

5. On the Add New Template Identification Information page, enter the following information, click
Add, and then click Next:
o Language: English (United States)

o Name: ReadOnly

o Description: Read-only access. No copy or print.


6. On the Add User Rights page, click Add.

7. On the Add User or Group page, type executives@adatum.com, and then click OK.

8. When executives@adatum.com is selected, under Rights, click View. Verify that Grant owner
(author) full control right with no expiration is selected, and then click Next.
9. On the Specify Expiration Policy page, choose the following settings, and then click Next:

o Content Expiration: Expires after the following duration (days): 7

o Use license expiration: Expires after the following duration (days): 7


10. On the Specify Extended Policy page, click Require a new use license every time content is
consumed (disable client-side caching), and then click Next.
11. On the Specify Revocation Policy page, click Finish.

► Task 2: Configure the rights policy template distribution

1. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell command-line interface command prompt, type the following, and then press Enter:

New-Item c:\rmstemplates -ItemType Directory

3. At the Windows PowerShell command prompt, type the following, and then press Enter:

New-SmbShare -Name RMSTEMPLATES -Path c:\rmstemplates -FullAccess ADATUM\ADRMSSVC

4. At the Windows PowerShell command prompt, type the following, and then press Enter:

New-Item c:\docshare -ItemType Directory

5. At the Windows PowerShell command prompt, type the following, and then press Enter:

New-SmbShare -Name docshare -Path c:\docshare -FullAccess Everyone

6. To exit Windows PowerShell, type exit, and then press Enter.

7. Switch to the AD RMS console, click the Rights Policy Templates node, and then in the Distributed Rights Policy Templates area, click Change distributed rights policy templates file location.

8. In the Rights Policy Templates dialog box, click Enable export.

9. In the Specify templates file location (UNC) field, type \\LON-SVR1\RMSTEMPLATES, and then click OK.

10. On the taskbar, click File Explorer.

11. Navigate to the C:\rmstemplates folder, and then verify that ReadOnly.xml is present.

12. Close the File Explorer window.

► Task 3: Configure an exclusion policy

1. On LON-SVR1, switch to the AD RMS console, click the Exclusion Policies node, and then click Manage application exclusion list.

2. In the Actions pane, click Enable Application Exclusion.

3. In the Actions pane, click Exclude Application.

4. In the Exclude Application dialog box, enter the following information, and then click Finish:

o Application File name: Powerpnt.exe

o Minimum version: 14.0.0.0

o Maximum version: 16.0.0.0

5. Close the AD RMS console.

Results: After completing this exercise, you will have configured AD RMS templates.

Exercise 3: Verifying AD RMS on Clients

► Task 1: Create a rights-protected document

1. Sign in to LON-CL1 as Adatum\Aidan with password Pa$$w0rd.

2. Open Internet Explorer from the taskbar, right-click the toolbar, click Menu bar, click Tools, and then select Internet options.

3. In the Internet options dialog box, click Security, click Local intranet, click Sites, click Advanced, and under Add this website to the zone, type http://adrms.adatum.com, and then click Add. Click Close, and then click OK two times.

Note: You added adrms.adatum.com to the Local intranet sites to achieve a single sign-on experience when signing in to the AD RMS servers.

4. Close Internet Explorer.

5. On the Start screen, type Word, and in the results area, click Word 2013. If the First things first window appears, click Ask me later, and then click Accept. If it appears, close the Welcome to your new Office window.

6. In the Word 2013 application, click Blank document.

7. In the Word document, type the following text: This document is for executives only, and it should not be modified. Click File, click Protect Document, click Restrict Access, and then click Read Only.

Note: If the ReadOnly template does not appear, it might be necessary to first click Connect to Digital Rights Management server.

8. Return to the document, click Save, and then click Browse.

9. In the Save As dialog box, save the document to the \\lon-svr1\docshare location with the name Executives Only.docx.

10. Close Word 2013.

11. Click the Start screen, click the Aidan Delaney icon, and then click Sign Out.

► Task 2: Verify internal access to protected content as an authorized user

1. Sign in to LON-CL1 as Adatum\Bill with password Pa$$w0rd.

2. On the Start screen, click Desktop.

3. Open Internet Explorer from the taskbar, right-click the toolbar, click the Menu bar, click Tools, and then select Internet options.

4. In Internet options, click Security, click Local intranet, click Sites, click Advanced, and under Add this website to the zone, type http://adrms.adatum.com, and then click Add. Click Close, and then click OK twice.

5. Close Internet Explorer.

6. On the taskbar, click the File Explorer icon.

7. In the File Explorer window, navigate to \\lon-svr1\docshare.

8. In the docshare folder, double-click the Executives Only document.

9. When the document opens, verify that you are unable to modify or save the document. If the First things first window appears in Word, click Ask me later, and then click Accept. If it appears, close the Welcome to your new Office window.

10. Select a line of text in the document, right-click it, and then verify that you cannot make changes.

11. Click View Permission, review the permissions, and then click OK.

Note: You will see that Bill has View permission only. He is a member of the Executives group, so he can access the content.

12. Close Word 2013.

13. Click the Start screen, click the Bill Malone icon, and then click Sign Out.

► Task 3: Open the rights-protected document as an unauthorized user

1. Sign in to LON-CL1 as Adatum\Carol with password Pa$$w0rd.

2. On the Start screen, click Desktop.

3. Open Internet Explorer from the taskbar, right-click the toolbar, click the Menu bar, click Tools, and then select Internet options.

4. In Internet options, click Security, click Local intranet, click Sites, click Advanced, and under Add this website to the zone, type http://adrms.adatum.com, and then click Add. Click Close, and then click OK twice.

5. Close Internet Explorer.

6. On the taskbar, click the File Explorer icon.

7. In the File Explorer window, navigate to \\lon-svr1\docshare.

8. In the docshare folder, double-click the Executives Only document, and then click OK in the Microsoft Office prompt window.

9. Verify that Carol is unable to open the document.

Note: Carol cannot open the document because the document is protected with an RMS template that allows only the Executives group to view the document. Click OK in the Microsoft Word prompt window.

10. Close Word 2013.

11. Click the Start screen, click the Carol Troup icon, and then click Sign Out.

Results: After completing this exercise, you will have verified that the AD RMS deployment is successful.

Exercise 4: Configure AD RMS Monitoring and Reporting

► Task 1: Perform AD RMS monitoring

1. On LON-SVR1, in Server Manager, click Tools, and then click Active Directory Rights Management Services.

2. In the AD RMS console, expand lon-svr1 (local), and then click Reports.

3. Click Statistics Reports, and then review the values for Total User Accounts Certified, Domain User Accounts Certified, and Federated Identities Certified. The first two values should be higher than zero because you used AD RMS in the previous exercise. The last one should have a value of 0.

4. In the left pane, click System Health, and then in the Actions pane, click View Report….

5. In the Create Report window, set the value for Query end time to be today’s date and time 11:59:59 PM, and then click Finish.

6. Review the report and graphs. Notice the number of successful and failed requests.

7. In the left pane, click Troubleshooting, and then in the Actions pane, click View Report….

8. In the Create Report window, set the value for Query end time to be today’s date and time 11:59:59 PM.

9. In the User Name field, type Adatum\Aidan, and then click Finish. Review the provided report, click Certify to enter a more detailed report, and then review the report.

10. Click First Report in the toolbar.

11. Click Find Service Locations for User.

12. Review the report for User Request Analysis.


13. Click First Report in the toolbar.

14. Click Get Server Licensor Certificate, and then review the report.

15. Close the AD RMS console.

Results: After completing this exercise, students will have configured AD RMS reporting.

► Prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps two and three for 10969B-LON-SVR1, 10969B-LON-DC2, and 10969B-LON-CL1.

Module 10: Implementing and Administering AD FS

Lab: Implementing AD FS

Exercise 1: Installing and Configuring AD FS

► Task 1: Create a service account for Active Directory Federation Services (AD FS)

1. On LON-DC2, on the taskbar, click Windows PowerShell.

2. At the command prompt for the Windows PowerShell command-line interface, type New-ADUser -Name adfsService, and then press Enter.

3. Type Set-ADAccountPassword adfsService, and then press Enter.

4. At the Password prompt, press Enter.

5. At the second Password prompt, type Pa$$w0rd, and then press Enter.

6. At the Repeat Password prompt, type Pa$$w0rd, and then press Enter.

7. Type Enable-ADAccount adfsService, and then press Enter.

8. Close the Windows PowerShell Command Prompt window.

► Task 2: Create a Domain Name System (DNS) record for AD FS

1. On LON-DC2, in Server Manager, click Tools, and then click DNS.

2. In DNS Manager, expand LON-DC2, expand Forward Lookup Zones, and then click Adatum.com.

3. Right-click Adatum.com, and then click New Host (A or AAAA).

4. In the New Host window, in the Name box, type adfs.

5. In the IP address box, type 172.16.0.11, and then click Add Host.

6. In the DNS window, click OK.

7. Click Done, and then close DNS Manager.
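
Tasks 1 and 2 done from PowerShell, as an added example that is not part of the lab guide. It uses the lab's names (adfsService, adfs.adatum.com, 172.16.0.11, LON-DC2) and also shows the group Managed Service Account alternative that Task 4, step 6 offers, under the assumed name adfsService-gmsa; it assumes the ActiveDirectory and DnsServer modules are present on LON-DC2.

```powershell
# Added example (not from the lab guide). Run on LON-DC2 as Adatum\Administrator.
Import-Module ActiveDirectory
Import-Module DnsServer

$adfsHost   = 'adfs.adatum.com'   # federation service name used in Task 4
$adfsIp     = '172.16.0.11'       # address entered in Task 2, step 5
$zoneName   = 'Adatum.com'
$acctName   = 'adfsService'
$adfsServer = 'LON-DC2'           # server that will run the federation service

# --- Option A: the lab's approach, a standard user account with a fixed password.
# The password is read interactively so it never sits in the script or the history.
$pw = Read-Host -Prompt "Password for $acctName" -AsSecureString
New-ADUser -Name $acctName -AccountPassword $pw -Enabled $true
Get-ADUser -Identity $acctName | Select-Object Name, Enabled, DistinguishedName

# --- Option B: a group Managed Service Account (the other choice offered in Task 4, step 6).
# Nobody knows or types its password; only the listed computer can retrieve it from AD.
# A KDS root key must exist once per forest; in a lab its effective time is backdated so
# it can be used straight away instead of after the usual 10-hour replication wait.
$gmsaName = "$acctName-gmsa"      # assumed name, not from the lab
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $adfsHost `
    -ServicePrincipalNames "host/$adfsHost" `
    -PrincipalsAllowedToRetrieveManagedPassword ($adfsServer + '$')

# On the federation server itself (LON-DC2 here): install the gMSA and confirm it is usable.
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount -Identity $gmsaName      # True when the password can be retrieved

# --- Task 2: host record for the federation service name.
Add-DnsServerResourceRecordA -ZoneName $zoneName -Name 'adfs' -IPv4Address $adfsIp

# Confirm the name resolves before starting the AD FS configuration wizard in Task 4.
Resolve-DnsName -Name $adfsHost -Type A
```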

► Task 3: Install AD FS

1. On LON-DC2, in Server Manager, click Manage, and then click Add Roles and Features.

2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

3. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

4. On the Select destination server page, click Select a server from the server pool, click LON-DC2.Adatum.com, and then click Next.

5. On the Select server roles page, select the Active Directory Federation Services check box, and then click Next.

6. On the Select features page, click Next.

7. On the Active Directory Federation Services (AD FS) page, click Next.

8. On the Confirm installation selections page, click Install.

9. When the installation is complete, click Close.

► Task 4: Configure AD FS

1. On LON-DC2, in Server Manager, click the Notifications icon, and then click Configure the federation service on this server.

2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click Create the first federation server in a federation server farm, and then click Next.

3. On the Connect to Active Directory Domain Services page, click Next to use Adatum\Administrator to perform the configuration.

4. On the Specify Service Properties page, in the SSL Certificate box, select adfs.adatum.com.

5. In the Federation Service Display Name box, type A. Datum Corporation, and then click Next.

6. On the Specify Service Account page, click Use an existing domain user account or group Managed Service Account.

7. Click Select, type adfsService, and then click OK.

8. In the Account Password box, type Pa$$w0rd, and then click Next.

9. On the Specify Configuration Database page, click Create a database on this server using Windows Internal Database, and then click Next.

10. On the Review Options page, click Next.

11. On the Pre-requisite Checks page, click Configure.

12. On the Results page, click Close.

► Task 5: Verify AD FS functionality

1. On LON-CL1, sign in as Adatum\Brad with password Pa$$w0rd.

2. On the taskbar, click Internet Explorer.

3. In Internet Explorer, in the Address bar, type https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml, and then press Enter.

4. Verify that the file loads, and then close Internet Explorer.

Results: In this exercise, you installed and configured AD FS. You also verified that it is functioning by viewing the contents of the Federationmetadata.xml file.

Exercise 2: Configure an Internal Application for AD FS

► Task 1: Configure the Active Directory claims provider trust

1. On LON-DC2, in Server Manager, click Tools, and then click AD FS Management.

2. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.

3. In the Claims Provider Trusts pane, right-click Active Directory, and then click Edit Claim Rules.

4. In the Edit Claim Rules for Active Directory window, on the Acceptance Transform Rules tab, click Add Rule.

5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule template box, select Send LDAP Attributes as Claims, and then click Next.

6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.

7. In the Attribute Store drop-down list, select Active Directory.

8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for the LDAP Attribute and the Outgoing Claim Type, and then click Finish:

o E-Mail-Addresses: E-Mail Address

o User-Principal-Name: UPN

o Display-Name: Name

9. In the Edit Claim Rules for Active Directory window, click OK.

► Task 2: Configure the application to trust incoming claims

1. On LON-SVR1, in Server Manager, click Tools, and then click Windows Identity Foundation Federation Utility.

2. On the Welcome to the Federation Utility wizard page, in the Application configuration location box, type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the sample Web.config file.

3. In the Application URI box, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the path to the sample application that will trust the incoming claims from the federation server, and then click Next to continue.

4. On the Security Token Service page, click Use an existing STS, in the STS WS-Federation metadata document location box, type https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml, and then click Next.

5. On the STS signing certificate chain validation error page, click Disable certificate chain validation, and then click Next.

6. On the Security token encryption page, click No encryption, and then click Next.

7. On the Offered claims page, review the claims that the federation server will offer, and then click Next.

8. On the Summary page, review the changes that the Federation Utility Wizard will make to the sample application, scroll through the items to understand what each item is doing, and then click Finish.

9. In the Success window, click OK.

► Task 3: Configure a relying party trust for the claims-aware application

1. On LON-DC2, in the AD FS console, click Relying Party Trusts.

2. In the Actions pane, click Add Relying Party Trust.

3. In the Add Relying Party Trust Wizard, on the Welcome page, click Start.

4. On the Select Data Source page, click Import data about the relying party published online or on a local network.

5. In the Federation Metadata address (host name or URL) box, type https://lon-svr1.adatum.com/adatumtestapp, and then click Next. This downloads the metadata that was configured in the previous task.

6. On the Specify Display Name page, in the Display name box, type A. Datum Test App, and then click Next.

7. On the Configure Multi-factor Authentication Now page, click I do not want to configure multi-factor authentication settings for this relying party trust at this time, and then click Next.

8. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.

9. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.

10. On the Finish page, click Close.

11. Leave the Edit Claim Rules for A. Datum Test App window open for the next task.

► Task 4: Configure claim rules for the relying party trust

1. On LON-DC2, in AD FS Manager, in the Edit Claim Rules for A. Datum Test App window, on the Issuance Transform Rules tab, click Add Rule.

2. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click Next.

3. In the Claim rule name box, type Pass through Windows account name.

4. In the Incoming claim type drop-down list, click Windows account name, and then click Finish.

5. On the Issuance Transform Rules tab, click Add Rule.

6. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click Next.

7. In the Claim rule name box, type Pass through E-Mail Address.

8. In the Incoming claim type drop-down list, click E-Mail Address, and then click Finish.

9. On the Issuance Transform Rules tab, click Add Rule.

10. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click Next.

11. In the Claim rule name box, type Pass through UPN.

12. In the Incoming claim type drop-down list, click UPN, and then click Finish.

13. On the Issuance Transform Rules tab, click Add Rule.

14. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click Next.

15. In the Claim rule name box, type Pass through Name.

16. In the Incoming claim type drop-down list, click Name, and then click Finish.

17. On the Issuance Transform Rules tab, click OK.
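
The claims provider rule from Task 1, the relying party trust from Task 3 and the four pass-through rules from Task 4, written in AD FS claim rule language and applied with the ADFS module; an added example, not part of the lab guide. It assumes it runs on LON-DC2 after Task 2, and that the Federation Utility published the application's metadata at the standard FederationMetadata/2007-06/FederationMetadata.xml path under the application URI (the wizard in Task 3 finds it from the shorter address).

```powershell
# Added example (not from the lab guide). Run on LON-DC2 as Adatum\Administrator after Task 2.
Import-Module ADFS

$cpName = 'Active Directory'
$rpName = 'A. Datum Test App'
# Assumption: the Federation Utility (Task 2) publishes the app's metadata at this
# well-known path under the application URI entered in Task 2, step 3.
$rpMetadata = 'https://lon-svr1.adatum.com/adatumtestapp/FederationMetadata/2007-06/FederationMetadata.xml'

# Task 1: "Send LDAP Attributes as Claims" on the AD claims provider trust. The query takes the
# authenticated Windows account name and returns mail, userPrincipalName and displayName as the
# E-Mail Address, UPN and Name claim types (the three mappings from Task 1, step 8).
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Outbound LDAP Attributes Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,userPrincipalName,displayName;{0}", param = c.Value);
'@
# Append to the rules the AD trust already carries instead of replacing them: the default set
# is what produces the Windows account name claim the new rule keys on.
$existing = (Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
Set-AdfsClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules ($existing + "`r`n" + $ldapRule)

# Task 4: one pass-through rule per claim type the application should receive.
$passThrough = [ordered]@{
    'Windows account name' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
    'E-Mail Address'       = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    'UPN'                  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    'Name'                 = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
}
$issuanceRules = ($passThrough.GetEnumerator() | ForEach-Object {
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through $($_.Key)"
c:[Type == "$($_.Value)"]
 => issue(claim = c);
"@
}) -join "`r`n"

# Task 3, step 8: "Permit all users to access this relying party". Every authenticated user is
# issued a permit claim; outside a lab this is normally keyed on a group membership claim.
$authzRule = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Task 3: create the relying party trust from the application's published federation metadata.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $rpMetadata `
    -IssuanceAuthorizationRules $authzRule -IssuanceTransformRules $issuanceRules

# Check what was stored; Identifier should be the application URI from Task 2, step 3.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, IssuanceAuthorizationRules, IssuanceTransformRules |
    Format-List
```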

► Task 5: Test access to the claims-aware application

1. On LON-CL1, open Internet Explorer.

2. In Internet Explorer, in the Address bar, type https://lon-svr1.adatum.com/AdatumTestApp/, and then press Enter.

Note: It is critical to use the trailing slash in the URL for step 2.

3. In the Windows Security dialog box, sign in as Adatum\Brad with password Pa$$w0rd.

4. Review the claim information that is displayed by the application.

5. Close Internet Explorer.

► Task 6: Configure Internet Explorer to pass local credentials to the application automatically

1. On LON-CL1, on the Start screen, type Internet Options, and then click Internet Options.

2. In the Internet Properties window, on the Security tab, click Local intranet, and then click Sites.

3. In the Local intranet window, click Advanced.

4. In the Local intranet window, in the Add this website to the zone box, type https://adfs.adatum.com, and then click Add.

5. In the Add this website to the zone box, type https://lon-svr1.adatum.com, click Add, and then click Close.

6. In the Local intranet window, click OK.

7. In the Internet Properties window, click OK.

8. On LON-CL1, open Internet Explorer.

9. In Internet Explorer, in the Address bar, type https://lon-svr1.adatum.com/AdatumTestApp/, and then press Enter.

Note: It is critical to use the trailing slash in the URL for step 9.

10. Notice that you were not prompted for credentials.

11. Review the claim information that is displayed by the application.

12. Close Internet Explorer.

Results: After completing this exercise, you will have configured AD FS to support authentication for an application.

Exercise 3: Configuring AD FS for a Federated Business Partner

► Task 1: Configure DNS forwarding between TreyResearch.net and Adatum.com

1. On LON-DC2, in Server Manager, click Tools, and then click DNS.

2. In DNS Manager, expand LON-DC2, and then click Conditional Forwarders.

3. Right-click Conditional Forwarders, and then click New Conditional Forwarder.

4. In the New Conditional Forwarder window, in the DNS Domain box, type TreyResearch.net.

5. In the IP addresses of the master servers box, type 172.16.10.10, and then press Enter.

6. Select the Store this conditional forwarder in Active Directory, and replicate it as follows check box, select All DNS servers in this forest, and then click OK.

7. Close DNS Manager.

8. On TREY-DC1, in Server Manager, click Tools, and then click DNS.

9. In DNS Manager, expand Trey-DC1, and then click Conditional Forwarders.

10. Right-click Conditional Forwarders, and then click New Conditional Forwarder.

11. In the New Conditional Forwarder window, in the DNS Domain box, type Adatum.com.

12. In the IP addresses of the master servers box, type 172.16.0.10, and then press Enter.

13. Select the Store this conditional forwarder in Active Directory, and replicate it as follows check box, select All DNS servers in this forest, and then click OK.

14. Close DNS Manager.

► Task 2: Configure certificate trusts between TreyResearch.net and Adatum.com

1. On LON-DC2, open File Explorer, browse to \\TREY-DC1\CertEnroll, and then copy TREY-DC1.TreyResearch.net_TreyResearchCA.crt to C:\.

2. Close File Explorer.

3. In Server Manager, click Tools, and then click Group Policy Management.

4. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.

5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Trusted Root Certification Authorities.

6. Right-click Trusted Root Certification Authorities, and then click Import.

7. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.

8. On the File to Import page, type C:\TREY-DC1.TreyResearch.net_TreyResearchCA.crt, and then click Next.

9. On the Certificate Store page, click Next.

10. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to close the success message.

11. Close the Group Policy Management Editor window.

12. Close Group Policy Management.

13. On TREY-DC1, open File Explorer, and then navigate to \\LON-DC1\CertEnroll.

14. Right-click LON-DC1.Adatum.com_AdatumCA.crt, and then click Install Certificate.

15. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Local Machine, and then click Next.

16. On the Certificate Store page, click Place all certificates in the following store, and then click Browse.

17. In the Select Certificate Store window, click Trusted Root Certification Authorities, and then click OK.

18. On the Certificate Store page, click Next.

19. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to close the success message.

20. Close File Explorer.

21. On LON-SVR1, on the taskbar, click Windows PowerShell.

22. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.

23. Close Windows PowerShell.
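
Tasks 1 and 2 of this exercise from PowerShell, plus a check that the partner's federation metadata can be fetched, which is what the claims provider trust in Task 7 depends on; an added example, not part of the lab guide. It assumes the lab's addresses and CertEnroll share path, the DnsServer and PKI modules on LON-DC2, and that the two checks at the end are run only after Tasks 4 to 6 have brought up AD FS on TREY-DC1.

```powershell
# Added example (not from the lab guide). Shown for LON-DC2; on TREY-DC1 swap in Adatum.com,
# 172.16.0.10 and \\LON-DC1\CertEnroll\LON-DC1.Adatum.com_AdatumCA.crt.
Import-Module DnsServer
Import-Module PKI

$partnerZone   = 'TreyResearch.net'
$partnerDns    = '172.16.10.10'            # TREY-DC1, Task 1 step 5
$partnerCaCert = '\\TREY-DC1\CertEnroll\TREY-DC1.TreyResearch.net_TreyResearchCA.crt'
$partnerAdfs   = 'adfs.treyresearch.net'   # host record created in Task 4

# Task 1: conditional forwarder stored in AD and replicated forest-wide, so only queries for
# the partner zone are sent to the partner's DNS server.
if (-not (Get-DnsServerZone -Name $partnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $partnerZone -MasterServers $partnerDns -ReplicationScope 'Forest'
}

# Task 2: trust the partner's root CA. The lab pushes it to every Adatum computer through the
# Default Domain Policy; this puts it in the local machine Root store, which is what steps
# 13 to 19 do on TREY-DC1. Confirm the thumbprint with the partner out of band first: from
# now on every certificate chaining to this root is accepted by this machine.
$caCert = Import-Certificate -FilePath $partnerCaCert -CertStoreLocation 'Cert:\LocalMachine\Root'
"Imported root CA {0}, thumbprint {1}" -f $caCert.Subject, $caCert.Thumbprint

function Test-PartnerFederationMetadata {
    # Fetches the partner's federation metadata, the same download the Add Claims Provider
    # Trust wizard performs in Task 7. A name resolution error points at the forwarder, a
    # TLS error at the CA trust. Needs the partner AD FS from Tasks 4 to 6 to be running.
    param([Parameter(Mandatory)][string]$FederationHost)
    $url = "https://$FederationHost/federationmetadata/2007-06/federationmetadata.xml"
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing
    $xml = [xml]$response.Content
    "{0}: metadata OK, entityID {1}" -f $FederationHost, $xml.EntityDescriptor.entityID
}

Resolve-DnsName -Name $partnerAdfs -Type A      # answer should come via 172.16.10.10
Test-PartnerFederationMetadata -FederationHost $partnerAdfs
```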



► Task 3: Create a service account for AD FS

1. On TREY-DC1, on the taskbar, click Windows PowerShell.

2. At the Windows PowerShell command prompt, type New-ADUser -Name adfsService, and then press Enter.

3. Type Set-ADAccountPassword adfsService, and then press Enter.

4. At the Password prompt, press Enter.

5. At the second Password prompt, type Pa$$w0rd, and then press Enter.

6. At the Repeat Password prompt, type Pa$$w0rd, and then press Enter.

7. Type Enable-ADAccount adfsService, and then press Enter.

8. Close the Windows PowerShell Command Prompt window.

► Task 4: Create a DNS record for AD FS

1. On TREY-DC1, in Server Manager, click Tools, and then click DNS.

2. In DNS Manager, expand Trey-DC1, expand Forward Lookup Zones, and then click TreyResearch.net.

3. Right-click TreyResearch.net, and then click New Host (A or AAAA).

4. In the New Host window, in the Name box, type adfs.

5. In the IP address box, type 172.16.10.10, and then click Add Host.

6. In the DNS window, click OK, and then click Done.

7. Close DNS Manager.

► Task 5: Install AD FS for TreyResearch.net

1. On TREY-DC1, in Server Manager, click Manage, and then click Add Roles and Features.

2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

3. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

4. On the Select destination server page, click Select a server from the server pool, click TREY-DC1.TreyResearch.net, and then click Next.

5. On the Select server roles page, select the Active Directory Federation Services check box, and then click Next.

6. On the Select features page, click Next.

7. On the Active Directory Federation Services (AD FS) page, click Next.

8. On the Confirm installation selections page, click Install.

9. When the installation is complete, click Close.

► Task 6: Configure AD FS for TreyResearch.net

1. On TREY-DC1, in Server Manager, click the Notifications icon, and then click Configure the federation service on this server.

2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click Create the first federation server in a federation server farm, and then click Next.

3. On the Connect to Active Directory Domain Services page, click Next to use TREYRESEARCH\Administrator to perform the configuration.

4. On the Specify Service Properties page, in the SSL Certificate box, select adfs.TreyResearch.net.

5. In the Federation Service Display Name box, type Trey Research, and then click Next.

6. On the Specify Service Account page, click Use an existing domain user account or group Managed Service Account.

7. Click Select, type adfsService, and then click OK.

8. In the Account Password box, type Pa$$w0rd, and then click Next.

9. On the Specify Configuration Database page, click Create a database on this server using Windows Internal Database, and then click Next.

10. On the Review Options page, click Next.

11. On the Pre-requisite Checks page, click Configure.

12. On the Results page, click Close.

► Task 7: Add a claims provider trust for the TreyResearch.net AD FS server

1. On LON-DC2, if required, in Server Manager, click Tools, and then click AD FS Management.

2. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.

3. In the Actions pane, click Add Claims Provider Trust.

4. In the Add Claims Provider Trust Wizard, on the Welcome page, click Start.

5. On the Select Data Source page, click Import data about the claims provider published online or on a local network.

6. In the Federation metadata address (host name or URL) box, type https://adfs.treyresearch.net, and then click Next.

7. On the Specify Display Name page, in the Display name box, type Trey Research, and then click Next.

8. On the Ready to Add Trust page, review the claims provider trust settings, and then click Next to save the configuration.

9. On the Finish page, select the Open the Edit Claim Rules dialog for this claims provider trust when the wizard closes check box, and then click Close.

10. In the Edit Claim Rules for Trey Research window, on the Acceptance Transform Rules tab, click Add Rule.

11. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click Next.

12. On the Configure Rule page, in the Claim rule name box, type Pass through Windows account name.

13. In the Incoming claim type drop-down list, select Windows account name.

14. Select Pass through all claim values, and then click Finish.

15. In the pop-up window, click Yes to acknowledge the warning.

16. In the Edit Claim Rules for Trey Research window, click OK, and then close the AD FS console.

► Task 8: Configure a relying party trust in TreyResearch.net for the Adatum.com application

1. On TREY-DC1, in Server Manager, click Tools, and then click AD FS Management.

2. In the AD FS console, expand Trust Relationships, and then click Relying Party Trusts.

3. In the Actions pane, click Add Relying Party Trust.

4. In the Add Relying Party Trust Wizard, on the Welcome page, click Start.

5. On the Select Data Source page, click Import data about the relying party published online or on a local network.

6. In the Federation metadata address (host or URL) box, type adfs.adatum.com, and then click Next.

7. On the Specify Display Name page, in the Display name text box, type A. Datum Corporation, and then click Next.

8. On the Configure Multi-Factor Authentication Now page, click I do not want to configure multi-factor authentication settings for this relying party trust at this time, and then click Next.

9. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then click Next.

10. On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save the configuration.

11. On the Finish page, select the Open the Edit Claim Rules dialog box for this relying party trust when the wizard closes check box, and then click Close.

12. In the Edit Claim Rules for A. Datum Corporation window, on the Issuance Transform Rules tab, click Add Rule.

13. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click Next.

14. On the Configure Rule page, in the Claim rule name box, type Pass through Windows account name.

15. In the Incoming Claim type drop-down list, select Windows account name.

16. Click Pass through all claim values, click Finish, and then click OK.

17. Close the AD FS console.

► Task 9: Test access to the application

1. On TREY-DC1, open Internet Explorer.

2. In Internet Explorer, in the Address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and then press Enter.

3. On the A. Datum Corporation page, click Trey Research.

4. In the Windows Security dialog box, sign in as TreyResearch\April with password Pa$$w0rd.

5. After the application loads, close Internet Explorer.

6. Open Internet Explorer.

7. In Internet Explorer, in the Address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and then press Enter.

8. In the Windows Security dialog box, sign in as TreyResearch\April with password Pa$$w0rd.

9. Close Internet Explorer.

Note: You are not prompted for a home realm again. Once users have selected a home
realm and have been authenticated by a realm authority, they are issued an _LSRealm cookie by
the relying party’s federation server. The default lifetime for the cookie is 30 days. Therefore, to
sign in multiple times, you should delete that cookie after each logon attempt to return to a
clean state.

Results: After completing this exercise, you will have configured access for a claims-aware application in a
partner organization.

Exercise 4: Configuring Web Application Proxy


 Task 1: Install Web Application Proxy
1. On LON-SVR2, in Server Manager, click Manage, and then click Add Roles and Features.

2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.

4. On the Select destination server page, click LON-SVR2.Adatum.com, and then click Next.
5. On the Select server roles page, select the Remote Access check box, and then click Next.

6. On the Select features page, click Next.

7. On the Remote Access page, click Next.


8. On the Select role services page, select Web Application Proxy.

9. In the Add Roles and Features Wizard, click Add Features.

10. On the Select role services page, click Next.

11. On the Confirm installation selections page, click Install.


12. On the Installation progress page, click Close.

Task 2: Add the adfs.adatum.com certificate to LON-SVR2


1. On LON-DC2, on the Start screen, type mmc, and then press Enter.

2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.

4. In the Certificates snap-in window, click Computer account, and then click Next.

5. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.

6. In the Add or Remove Snap-ins window, click OK.

7. In the Microsoft Management Console, expand Certificates (Local Computer), expand Personal,
and then click Certificates.

8. Right-click adfs.adatum.com, point to All Tasks, and then click Export.



9. In the Certificate Export Wizard, click Next.

10. On the Export Private Key page, click Yes, export the private key, and then click Next.

11. On the Export File Format page, click Next.

12. On the Security page, select the Password check box.

13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.

14. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click Next.

15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close the
success message.

16. Close the Microsoft Management Console, and then do not save the changes.
17. On LON-SVR2, on the Start screen, type mmc, and then press Enter.

18. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.

19. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.

20. In the Certificates snap-in window, click Computer account, and then click Next.

21. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.
22. In the Add or Remove Snap-ins window, click OK.

23. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
24. Right-click Personal, point to All Tasks, and then click Import.
25. In the Certificate Import Wizard, click Next.

26. On the File to Import page, in the File name box, type \\LON-DC2\c$\adfs.pfx, and then click
Next.
27. On the Private key protection page, in the Password box, type Pa$$w0rd.

28. Select the Mark this key as exportable check box, and then click Next.
29. On the Certificate Store page, click Place all certificates in the following store.

30. In the Certificate store box, select Personal, and then click Next.

31. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to clear the
success message.

32. Close the Microsoft Management Console, and then do not save the changes.

Task 3: Add the LON-SVR1.adatum.com certificate to LON-SVR2


1. On LON-SVR1, on the Start screen, type mmc, and then press Enter.

2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.

4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.

6. In the Add or Remove Snap-ins window, click OK.



7. In the Microsoft Management Console, expand Certificates (Local Computer), expand Personal,
and then click Certificates.

8. Right-click LON-SVR1.adatum.com, point to All Tasks, and then click Export.


9. In the Certificate Export Wizard, click Next.

10. On the Export Private Key page, click Yes, export the private key, and then click Next.

11. On the Export File Format page, click Next.


12. On the Security page, select the Password check box.

13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.

14. On the File to Export page, in the File name box, type C:\lon-svr1.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close the
success message.

16. Close the Microsoft Management Console, and then do not save the changes.

17. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
18. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.

19. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.
20. In the Certificates snap-in window, click Computer account, and then click Next.
21. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.
22. In the Add or Remove Snap-ins window, click OK.
23. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
24. Right-click Personal, point to All Tasks, and then click Import.

25. In the Certificate Import Wizard, click Next.

26. On the File to Import page, in the File name box, type \\LON-SVR1\c$\lon-svr1.pfx, and then click
Next.
27. On the Private key protection page, in the Password box, type Pa$$w0rd.

28. Select the Mark this key as exportable check box, and then click Next.

29. On the Certificate Store page, click Place all certificates in the following store.

30. In the Certificate store box, select Personal, and then click Next.

31. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to clear the
success message.

32. Close the Microsoft Management Console, and then do not save the changes.

Task 4: Configure Web Application Proxy


1. On LON-SVR2, in Server Manager, click the Notifications icon, and then click Open the Web
Application Proxy Wizard.

2. In the Web Application Proxy Wizard, on the Welcome page, click Next.

3. On the Federation Server page, enter the following, and then click Next:

o Federation service name: adfs.adatum.com

o User name: Adatum\Administrator

o Password: Pa$$w0rd

4. On the AD FS Proxy Certificate page, in the Select a certificate to be used by the AD FS proxy
box, select adfs.adatum.com, and then click Next.
5. On the Confirmation page, click Configure.

6. On the Results page, click Close.

7. The Remote Access Management Console opens automatically. Leave it open for the next task.

Task 5: Publish the test application on the Web Application Proxy


1. On LON-SVR2, in the Remote Access Management Console, in the Tasks pane, click Publish.
2. In the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Preauthentication page, click Active Directory Federation Services (AD FS), and then click
Next.
4. On the Relying Party page, click A. Datum Test App, and then click Next.

5. On the Publishing Settings page, in the Name box, type A. Datum Test App.

6. In the External URL box, type https://lon-svr1.adatum.com/adatumtestapp/.


7. In the External certificate box, select lon-svr1.adatum.com.

8. In the Backend server URL box, type https://lon-svr1.adatum.com/adatumtestapp/, and then
click Next.
9. On the Confirmation page, click Publish.

10. On the Results page, click Close.
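Tasks 1 to 5 of this exercise as a single PowerShell script run on LON-SVR2. This is an added example, not the lab guide's own procedure; it assumes WinRM access to LON-DC2 and LON-SVR1 for the certificate exports and uses the host names, file paths and password from the lab.

```powershell
# Added example (not from the lab guide): install and configure Web Application
# Proxy for the A. Datum test application. Run on LON-SVR2 as Adatum\Administrator.

# Task 1: the Web Application Proxy role service of the Remote Access role.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

$pfxPassword = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force

# Tasks 2-3, export half: run remotely on the servers that hold the certificates.
# A PFX carries the private key, so the files should be deleted once imported.
Invoke-Command -ComputerName LON-DC2 -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like 'CN=adfs.adatum.com*' |
        Export-PfxCertificate -FilePath 'C:\adfs.pfx' -Password $using:pfxPassword | Out-Null
}
Invoke-Command -ComputerName LON-SVR1 -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like 'CN=lon-svr1.adatum.com*' |
        Export-PfxCertificate -FilePath 'C:\lon-svr1.pfx' -Password $using:pfxPassword | Out-Null
}

# Tasks 2-3, import half: both certificates go into the computer's Personal store.
$adfsCert = Import-PfxCertificate -FilePath '\\LON-DC2\c$\adfs.pfx' `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword -Exportable
$appCert = Import-PfxCertificate -FilePath '\\LON-SVR1\c$\lon-svr1.pfx' `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword -Exportable
Remove-Item '\\LON-DC2\c$\adfs.pfx', '\\LON-SVR1\c$\lon-svr1.pfx'

# Task 4: establish the trust with the federation service. The domain credential is
# used only for this one-time registration; afterwards the proxy authenticates to
# AD FS with its own certificate.
$fsCred = Get-Credential -UserName 'Adatum\Administrator' -Message 'Federation service trust credential'
Install-WebApplicationProxy -FederationServiceName 'adfs.adatum.com' `
    -FederationServiceTrustCredential $fsCred `
    -CertificateThumbprint $adfsCert.Thumbprint

# Task 5: publish the application with AD FS pre-authentication, so unauthenticated
# requests never reach LON-SVR1.
Add-WebApplicationProxyApplication -Name 'A. Datum Test App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'A. Datum Test App' `
    -ExternalUrl 'https://lon-svr1.adatum.com/adatumtestapp/' `
    -ExternalCertificateThumbprint $appCert.Thumbprint `
    -BackendServerUrl 'https://lon-svr1.adatum.com/adatumtestapp/'

# Check: the published application and its pre-authentication mode.
Get-WebApplicationProxyApplication -Name 'A. Datum Test App' |
    Format-List Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```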

Task 6: Test Web Application Proxy


1. On TREY-DC1, on the Start screen, type Notepad.
2. Right-click Notepad, and then click Run as administrator.

3. In Notepad, click File, and then click Open.

4. In the File name box, type C:\Windows\System32\drivers\etc\hosts, and then click Open.
5. At the bottom of the file, add the following two lines, click File, and then click Save:

o 172.16.0.22 adfs.adatum.com

o 172.16.0.22 lon-svr1.adatum.com
6. Close Notepad.

7. Open Internet Explorer.

8. In Internet Explorer, in the Address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.

9. In the Windows Security dialog box, sign in as TreyResearch\April with password Pa$$w0rd.

10. After the application loads, close Internet Explorer.

Note: Modification of the Hosts file is used to simulate the use of split DNS. Split DNS
allows the same host name to resolve differently on internal and external networks.

Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 10969A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

Repeat steps 2 and 3 for 10969A-LON-DC2, 10969A-LON-SVR1, 10969A-LON-SVR2,
10969A-LON-CL1, and 10969A-TREY-DC1.

Results: After completing this exercise, you will have configured Web Application Proxy to secure access
to AdatumTestApp from the Internet.

Module 11: Implementing Secure Shared File Access


Lab: Implementing Secure File Access
Exercise 1: Preparing for DAC Deployment
Task 1: Preparing AD DS for DAC deployment
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Domains and Trusts.

2. In the Active Directory Domains and Trusts console, right-click Adatum.com, and then select Raise
Domain Functional Level.
3. In the Raise domain functional level window, in the Select an available domain functional level
drop-down list box, select Windows Server 2012, click Raise, and then click OK twice.

Note: If you get an error message, force the replication between LON-DC1 and LON-DC2,
and then try again.

4. Right-click Active Directory Domains and Trusts [LON-DC1.Adatum.com], and then click Raise
Forest Functional Level….
5. In the Raise forest functional level window, in the Select an available forest functional level drop-
down list box, select Windows Server 2012, click Raise, and then click OK twice.

Note: If you get an error message, force the replication between LON-DC1 and LON-DC2,
and then try again.

6. Close the Active Directory Domains and Trusts console.

7. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
8. In Active Directory Users and Computers, right-click Adatum.com, click New, and then click
Organizational Unit.

9. In the New Object – Organizational Unit dialog box, in the Name field, type DAC Protected, and
then click OK.

10. Click the Computers container.

11. Select LON-CL1, LON-CL2, and LON-SVR1, right-click the selection, and then click Move.

12. In the Move window, click DAC Protected, and then click OK.

13. Close Active Directory Users and Computers.

14. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

Note: If the console does not open and a dialog box appears that says Group Policy
Management is loading, close the dialog box, and then try to open the Group Policy
Management Console again.

15. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click the Group
Policy Objects container.

16. In the results pane, right-click Default Domain Controllers Policy, and then click Edit.

17. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, and then click KDC.

18. In the details pane, double-click KDC support for claims, compound authentication and Kerberos
armoring.
19. In the KDC support for claims, compound authentication and Kerberos armoring window, select
Enabled, in the Options section, click the drop-down list box, select Always provide claims, and
then click OK.

20. Close Group Policy Management Editor window and the Group Policy Management Console.

21. On the taskbar, click the Windows PowerShell icon.


22. At the command prompt for the Windows PowerShell command-line interface, type
gpupdate /force, and then press Enter. After Group Policy updates, close Windows PowerShell.

23. Repeat steps 21 and 22 on LON-DC2.

24. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
25. Expand Adatum.com, right-click Users, click New, and then click Group.

26. In the Group name field, type ManagersWKS, and then click OK.
27. Click the DAC Protected container, right-click LON-CL1, and then click Properties.
28. Click the Member Of tab, and then click Add.

29. In the Select Groups window, type ManagersWKS, click Check Names, and then click OK twice.

30. Click the Managers organizational unit (OU), right-click Aidan Delaney, and then click Properties.
31. In the Aidan Delaney Properties dialog box, click the Organization tab. Ensure that the
Department field is populated with the value Managers, and then click Cancel.

32. Click the Research OU, right-click Allie Bellew, and then click Properties.
33. In the Allie Bellew Properties dialog box, click the Organization tab. Ensure that the Department
field is populated with the value Research, and then click Cancel.

34. Close Active Directory Users and Computers.

Task 2: Configuring user and device claims


1. On LON-DC1, click Tools, and then click Active Directory Administrative Center.

2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Claim Types.
3. In the Claim Types container, in the Tasks pane, click New, and then click Claim Type.

4. In the Create Claim Type window, in the Source Attribute section, select department.

5. In the Display name text box, type Company Department.


6. Select the User and Computer check boxes.

7. Scroll down to the Suggested Values section, select the option The following values are suggested:,
and then click Add….

8. In the Add a suggested value window, type Managers in both the Value and Display name fields,
click OK, and then click Add….
9. In the Add a suggested value window, type Research in both the Value and Display name fields,
and then click OK twice.

10. In the Active Directory Administrative Center, in the Tasks pane, click New, and then select Claim
Type.

11. In the Create Claim Type window, in the Source Attribute section, click description.
12. Clear the User check box, select the Computer check box, and then click OK.

Task 3: Configuring Resource Properties and Resource Property Lists


1. In the Active Directory Administrative Center, click Dynamic Access Control.

2. In the central pane, double-click Resource Properties.


3. In the Resource Properties list, right-click Department, and then click Enable.

4. In the Resource Properties list, right-click Confidentiality, and then click Enable.

5. In the Resource Property List, ensure that both the Department and Confidentiality properties are
enabled.
6. Double-click Department, scroll down to the Suggested Values section, and then click Add.

7. In the Add a suggested value window, in both the Value and Display name text boxes, type
Research, and then click OK twice.
8. Click Dynamic Access Control, and then double-click Resource Property Lists.

9. In the central pane, double-click Global Resource Property List, ensure that both Department and
Confidentiality display, and then click Cancel. If they do not display, click Add, add these two
properties, and then click OK.

10. Close the Active Directory Administrative Center.

Task 4: Implementing file classifications


1. On LON-SVR1, in Server Manager, click Tools, and then click File Server Resource Manager.
2. In File Server Resource Manager, expand Classification Management.

3. Right-click Classification Properties, and then click Refresh.


4. Verify that the Confidentiality and Department properties are listed.
5. Click Classification Rules, and in the Actions pane, click Create Classification Rule.

6. In the Create Classification Rule window, for the Rule name, type Set Confidentiality.

7. Click the Scope tab, and then click Add.


8. In the Browse For Folder dialog box, expand Local Disk (C:), click the Docs folder, and then
click OK.

9. Click the Classification tab. Make sure that the following settings are set, and then click Configure:
o Classification method: Content Classifier

o Property: Confidentiality
o Value: High

10. In the Classification Parameters dialog box, click the Regular expression drop-down list box, and
then click String.

11. In the Expression field next to the word String, type secret, and then click OK.

12. Click the Evaluation Type tab, select Re-evaluate existing property values, click Overwrite the
existing value, and then click OK.

13. In File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.

14. Click Wait for classification to complete, and then click OK.

15. After the classification is complete, you will be presented with a report. Verify that two files were
classified. You can confirm this in the Report Totals section.

16. Close the report.

17. On the taskbar, click the File Explorer icon.


18. In the File Explorer window, expand Local Disk (C:), and then expand the Docs folder.

19. In the Docs folder, right-click Doc1.txt, click Properties, and then click the Classification tab. Verify
that Confidentiality is set to High.

20. Repeat step 19 on the files Doc2.txt and Doc3.txt. Doc2.txt should have the same Confidentiality value as
Doc1.txt, while Doc3.txt should have no value. This is because only Doc1.txt and Doc2.txt contain the word
“secret”.

Task 5: Assign property to the Research folder


1. On LON-SVR1, open File Explorer, and then browse to Local Disk (C:).
2. Right-click the Research folder, and then click Properties.

3. Click the Classification tab, and then click Department.


4. In the Value section, click Research, click Apply, and then click OK.

Results: After completing this exercise, you will have prepared Active Directory Domain Services (AD DS)
for DAC deployment, configured claims for users and devices, and configured Resource Properties to
classify files.
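Tasks 2 to 4 of this exercise done from PowerShell with the ActiveDirectory and FileServerResourceManager modules. This is an added example, not the lab guide's own procedure; it assumes Task 1 (functional levels, KDC claims policy) has already been completed, and the claim, property and rule names are the lab's.

```powershell
# Added example (not from the lab guide): claim types and resource properties on
# LON-DC1, then the FSRM classification rule on LON-SVR1.
Import-Module ActiveDirectory

# Helper: the entry the "Add a suggested value" dialog creates (value, display name, description).
function New-SuggestedValue([string]$Value) {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($Value, $Value, '')
}

# --- Task 2 (LON-DC1): claim types ------------------------------------------------
# "Company Department" is sourced from the department attribute and issued for both
# users and computers; the suggested values limit what rule editors can pick.
New-ADClaimType -DisplayName 'Company Department' -SourceAttribute 'department' `
    -AppliesToClasses @('user', 'computer') `
    -SuggestedValues @((New-SuggestedValue 'Managers'), (New-SuggestedValue 'Research'))

# Device-only claim sourced from the description attribute (steps 10-12).
New-ADClaimType -DisplayName 'description' -SourceAttribute 'description' -AppliesToClasses @('computer')

# --- Task 3 (LON-DC1): resource properties ----------------------------------------
Set-ADResourceProperty -Identity 'Department_MS'      -Enabled $true
Set-ADResourceProperty -Identity 'Confidentiality_MS' -Enabled $true

# Append "Research" to the Department suggested values without dropping existing ones.
$dept = Get-ADResourceProperty -Identity 'Department_MS' -Properties SuggestedValues
if (-not (@($dept.SuggestedValues) | Where-Object Value -eq 'Research')) {
    Set-ADResourceProperty -Identity 'Department_MS' `
        -SuggestedValues (@($dept.SuggestedValues) + (New-SuggestedValue 'Research'))
}

# File servers only download properties that belong to a resource property list, so
# both must be members of the Global Resource Property List (step 9).
$list = Get-ADResourcePropertyList -Identity 'Global Resource Property List' -Properties Members
foreach ($prop in 'Department_MS', 'Confidentiality_MS') {
    if (-not (@($list.Members) -match "^CN=$prop,")) {
        Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $prop
    }
}

# --- Task 4 (LON-SVR1): FSRM classification rule ----------------------------------
# Same as "Refresh" on Classification Properties: pull the definitions from AD DS.
Update-FsrmClassificationPropertyDefinition

# Content classifier over C:\Docs: a file containing the string "secret" gets
# Confidentiality = High. Confidentiality_MS is an ordered list; High is stored as 3000.
# Overwrite re-evaluates files that already carry a value (step 12).
New-FsrmClassificationRule -Name 'Set Confidentiality' `
    -Namespace @('C:\Docs') `
    -ClassificationMechanism 'Content Classifier' `
    -Property 'Confidentiality_MS' -PropertyValue '3000' `
    -Parameters @('StringEx=Min=1;Expr=secret') `
    -ReevaluateProperty Overwrite

# Steps 13-14: run all rules now and wait for the pass to finish.
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification
Get-FsrmClassificationRule -Name 'Set Confidentiality' | Format-List Name, Namespace, Property, PropertyValue
```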

Exercise 2: Implementing DAC


Task 1: Configure Central Access Rules
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.

2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Central Access Rules.

3. In the Tasks pane, click New, and then click Central Access Rule.

4. In the Create Central Access Rule dialog box, in the Name field, type Department Match.

5. In the Target Resources section, click Edit.

6. In the Central Access Rule dialog box, click Add a condition.

7. Set a condition as Resource-Department-Equals-Value-Research, and then click OK.

8. In the Permissions section, click Use following permissions as current permissions.

9. In the Permissions section, click Edit.

10. Remove permission for Administrators.

11. In Advanced Security Settings for Permissions, click Add.



12. In Permission Entry for Permissions, click Select a principal.

13. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click
Check Names, and then click OK.
14. In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.

15. Click Add a condition, click the Group drop-down list box, and then click Company Department.

16. Click the Value drop-down list box, and then click Resource.
17. In the last drop-down list box, click Department, and then click OK three times.

Note: You should have this expression as a result: User-Company Department-Equals-Resource-Department.

18. In the Tasks pane, click New, and then click Central Access Rule.

19. For the name of the rule, type Access Confidential Docs.

20. In the Target Resources section, click Edit.


21. In the Central Access Rule window, click Add a condition.

22. In the last drop-down list box, click High, and then click OK.

Note: You should have this expression as a result: Resource-Confidentiality-Equals-Value-High.

23. In the Permissions section, click Use following permissions as current permissions, and then, click
Edit.

24. Remove permission for Administrators.

25. In Advanced Security Settings for Permissions, click Add.


26. In Permission Entry for Permissions, click Select a principal.

27. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click
Check Names, and then click OK.

28. In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.

29. Click Add a condition. Set the first condition to User-Company Department-Equals-Value-
Managers, and then click Add a condition.

Note: The value Managers should be in the last drop-down list box.

30. Set the second condition to Device-Group-Member of each-Value-ManagersWKS, and then click
OK three times.

Note: If you cannot find ManagersWKS in the last drop-down list box, click Add items.
Then in the Select Computer or Group window, type ManagersWKS, click Check Names, and
then click OK.

Task 2: Configure central access policies


1. On LON-DC1, in the Active Directory Administrative Center, click Dynamic Access Control, and then
double-click Central Access Policies.

2. In the Tasks pane, click New, and then click Central Access Policy.
3. In the Name field, type Protect confidential docs, and then click Add.

4. Click the Access Confidential Docs rule, click >>, and then click OK twice.

5. In the Tasks pane, click New, and then click Central Access Policy.
6. In the Name field, type Department Match, and then click Add.

7. Click the Department Match rule, click >>, and then click OK twice.

8. Close the Active Directory Administrative Center.
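The two central access rules and two central access policies of Tasks 1 and 2, created with the ActiveDirectory module on LON-DC1. This is an added example, not the lab guide's own procedure; it assumes the Company Department claim type and the ManagersWKS group from Exercise 1 exist, and the conditional ACE syntax is the one shown in Microsoft's SDDL documentation for conditional ACEs.

```powershell
# Added example (not from the lab guide): build the rules as SDDL with conditional
# ACEs, which is what the Create Central Access Rule dialog generates underneath.
Import-Module ActiveDirectory

# Conditional ACEs reference user claims by claim-type ID (ad://ext/...), not by
# display name, and resource properties by object name, so look the ID up.
$deptClaim = Get-ADClaimType -Filter { DisplayName -eq 'Company Department' }
$wksGroup  = Get-ADGroup -Identity 'ManagersWKS'
$userDept  = "@USER.$($deptClaim.ID)"

# 0x1301bf is the access mask behind Modify + Read and Execute + Read + Write.
$modify = '0x1301bf'

# Rule 1, "Department Match": applies to resources tagged Department = Research;
# Authenticated Users get Modify only when their department claim equals the
# resource's Department property. Administrators are left out, as in step 10.
$deptMatchAcl = "O:SYG:SYD:AR(XA;;$modify;;;AU;($userDept == @RESOURCE.Department_MS))"
New-ADCentralAccessRule -Name 'Department Match' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Research")' `
    -CurrentAcl $deptMatchAcl

# Rule 2, "Access Confidential Docs": applies to Confidentiality = High (ordered
# list value 3000); both a user claim and a device group membership are required.
$sid = $wksGroup.SID.Value
$confidentialAcl = "O:SYG:SYD:AR(XA;;$modify;;;AU;(($userDept == `"Managers`") && (Device_Member_of {SID($sid)})))"
New-ADCentralAccessRule -Name 'Access Confidential Docs' `
    -ResourceCondition '(@RESOURCE.Confidentiality_MS == 3000)' `
    -CurrentAcl $confidentialAcl

# Task 2: one policy per rule, as the lab does.
New-ADCentralAccessPolicy -Name 'Protect confidential docs'
Add-ADCentralAccessPolicyMember -Identity 'Protect confidential docs' -Members 'Access Confidential Docs'
New-ADCentralAccessPolicy -Name 'Department Match'
Add-ADCentralAccessPolicyMember -Identity 'Department Match' -Members 'Department Match'

# Check: each policy lists its rule, and each rule shows the ACL that was stored.
Get-ADCentralAccessPolicy -Filter * -Properties Members | Format-Table Name, Members -AutoSize
Get-ADCentralAccessRule -Filter * | Format-List Name, ResourceCondition, CurrentAcl
```

The policies still have to reach LON-SVR1 through the DAC Policy GPO and a gpupdate, as Task 3 describes; nothing in AD DS alone changes file access.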

Task 3: Apply central access policies to a file server


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

Note: If the console does not open and a dialog box appears that says Group Policy
Management is loading, close the dialog box, and then try to open Group Policy Management
console again.

2. In the Group Policy Management Console, under Domains, expand Adatum.com, right-click DAC
Protected, and then click Create a GPO in this domain, and Link it here.
3. Type DAC Policy, and then click OK.

4. Right-click DAC Policy, and then click Edit.

5. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand File System, right-click Central Access Policy, and then click Manage Central
Access Policies.
6. Press and hold the Ctrl key and click both Department Match and Protect confidential docs, click
Add, and then click OK.

7. Close the Group Policy Management Editor and the Group Policy Management Console.

8. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.

9. At a Windows PowerShell command prompt, type gpupdate /force, and then press Enter.

10. Close Windows PowerShell when you get the message that the Computer and User policies update
completed successfully.
11. On the taskbar, click the File Explorer icon.

12. In File Explorer, browse to Local Disk (C:), right-click the Docs folder, and then click Properties.
13. In the Properties dialog box, click the Security tab, and then click Advanced.

14. In the Advanced Security Settings for Docs window, click the Central Policy tab, and then click
Change.

Note: If the Central Policy tab does not appear, restart the virtual machine and try again.

15. In the drop-down list box, select Protect confidential docs. Ensure that This folder, subfolders and
files is selected in the Applies to drop-down list box, and then click OK twice.

16. Right-click the Research folder, and then click Properties.


17. In the Research Properties dialog box, click the Security tab, and then click Advanced.

18. In the Advanced Security Settings for Research window, click the Central Policy tab, and then click
Change.

19. In the drop-down list box, click Department Match. Ensure that This folder, subfolders and files is
selected in the Applies to drop-down list box, and then click OK twice.

Results: After completing this exercise, you will have implemented DAC.

Exercise 3: Validating and Remediating DAC


Task 1: Evaluate user access with DAC
1. On LON-SVR1, on the taskbar, click the File Explorer icon.
2. In the File Explorer window, navigate to C:\Research, right-click Research, and then click Properties.

3. In the Properties dialog box, click the Security tab, click Advanced, and then click Effective Access.

4. Click Select a user, and in the Select User, Computer, Service Account, or Group window, type April,
click Check Names, and then click OK.
5. Click View effective access, and then review the results. The user April should not have access to this
folder. This is because she is not from the Research department, so she does not have the Research
value in her department attribute. In the effective access list, this is shown as a red cross sign on
each permission.

6. Click Include a user claim, and then in the drop-down list box, click Company Department.

7. In the Value drop-down list box, select Research, and then click View effective access. April should
now have read access. This is because you added April’s claim for the Research department. In the
effective access list, you should see green check marks on several permissions (Traverse Folder, List
Folder, Read Attributes, Read Extended Attributes and Read permissions).
8. Click Cancel two times.

9. In the File Explorer window, navigate to C:\Docs, open the folder, right-click Doc1.txt, and then click
Properties.

10. In the Properties dialog box, click the Security tab, click Advanced, and then click Effective Access.

11. Click Select a user, and in the Select User, Computer, Service Account, or Group window, type Aidan,
click Check Names, and then click OK.

12. Click View effective access, and then review the results. The user Aidan should not have access to
this folder. This is because the rule that protects this file has one more defined condition. In the
effective access list, this will be shown as a red cross sign on each permission.

13. Click Select a device, and in the Select Computer or Group window, type LON-CL1, click Check
Names, and then click OK.

14. Click View effective access, and then verify the permissions in the list below. Aidan should now have
access, because both conditions of the Central Access Rule are satisfied. In the effective access list, you
should see green check marks on several permissions (Traverse Folder, List Folder, Read Attributes, Read
Extended Attributes, and Read Permissions).

15. Close all open windows.

Task 2: Configure access-denied remediation


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

Note: If the console does not open and a dialog box appears that says Group Policy
Management is loading, close the dialog box, and then try to open Group Policy Management
console again.

2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy objects.

3. Right-click DAC Policy, and then click Edit.

4. Under Computer Configuration, expand Policies, expand Administrative Templates, expand
System, and then click Access-Denied Assistance.
5. In the details pane, double-click Customize Message for Access Denied errors.

6. In the Customize Message for Access Denied errors window, click Enabled.

7. In the Display the following message to users who are denied access text box, type You are
denied access because of permission policy. Please request access.

8. Select the Enable users to request assistance check box.


9. Review the other options, but do not make any changes, and then click OK.
10. In the details pane of the Group Policy Management Editor window, double-click Enable access-
denied assistance on client for all file types, click Enabled, and then click OK.

11. Close the Group Policy Management Editor and the Group Policy Management Console.
12. Switch to LON-SVR1, and on the taskbar, click the Windows PowerShell icon.

13. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.

Task 3: Request access remediation


1. Start LON-CL1, and then sign in as Adatum\April with password Pa$$w0rd.

2. Click the Desktop tile, and then on the taskbar, click the File Explorer icon.

3. In the File Explorer address bar, type \\LON-SVR1\Research, and then press Enter. You should be
unable to access the folder.

4. Click Request assistance. Review the options for sending a message, and then click Close.

Note: If you do not see the Request assistance option, restart the LON-CL1 machine, and then try
again.

5. Sign out of LON-CL1.

Results: After completing this exercise, you will have validated DAC functionality.

Exercise 4: Implementing Work Folders


Task 1: Installing Work Folders functionality and configuring an SSL certificate
1. On LON-SVR2, in Server Manager, click Add roles and features.

2. On the Before You Begin page, click Next.


3. On the Select installation type page, ensure that Role-based or feature-based installation is
selected, and then click Next.

4. On the Select destination server page, click Next.

5. On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services,
and then select Work Folders.
6. In the Add features that are required for Work Folders dialog box, note the features, and then
click Add Features.

7. On the Select server roles page click Web Server (IIS). In the Add features that are required for
Web Server dialog box, note the features, and then click Add Features.

8. On the Select server roles page, click Next.

9. On the Select features page, click Next.


10. On the Web Server Role (IIS) page, click Next.

11. On the Select role services page, click Next.

12. On the Confirm installation selections page, click Install.


13. When the installation finishes, click Close.
14. In the Server Manager on LON-SVR2, click Tools, and then click Internet Information Services (IIS)
Manager.
15. In the Internet Information Services (IIS) Manager console, click
LON-SVR2(ADATUM\Administrator), click No when prompted, and then double-click Server
Certificates in the middle pane.
16. In the Actions pane, click Create Domain Certificate.

17. In the Create Certificate window, fill in the text fields as follows, and then click Next:

o Common name: lon-svr2.adatum.com


o Organization: Adatum
o Organizational unit: IT

o City/locality: Seattle

o State/province: WA
o Country/region: US

18. On the Online Certification Authority page, click Select.

19. In the Select Certification Authority window, select AdatumCA, and then click OK.
20. In the Friendly name text box, type lon-svr2.adatum.com, and then click Finish.

21. In the IIS console, expand Sites, and then click on Default Web Site.

22. In the Actions pane, click Bindings.


23. In the Site Bindings window, click Add….

24. In the Add Site Binding window, under Type, select https. In the SSL certificate drop-down list, select
lon-svr2.adatum.com.

25. Click OK, and then click Close.


26. Close the Internet Information Services (IIS) Manager.

 Task 2: Provisioning a share for Work Folders


1. On LON-SVR2, in Server Manager, in the navigation pane, click File and Storage Services.

2. Click Shares, and in the SHARES area, click Tasks, and then select New Share….
3. In the New Share Wizard, on the Select the profile for this share page, ensure that SMB Share –
Quick is selected, and then click Next.

4. On the Select the server and path for this share page, accept the defaults, and then click Next.

5. On the Specify share name page, in the Share name field, type WF-Share, and then click Next.
6. On the Configure share settings page, select Enable access-based enumeration, leave the other
settings at their defaults, and then click Next.
7. On the Specify permissions to control access page, note the default settings, and then click Next.

8. On the Confirm selections page, click Create.

9. On the View results page, click Close.

 Task 3: Configuring and implementing Work Folders


1. On LON-SVR2, in Server Manager, expand File and Storage Services, and then click Work Folders.
2. In the WORK FOLDERS tile, click Tasks, and then click New Sync Share….

3. In the New Sync Share Wizard, on the Before you begin page, click Next.
4. On the Select the server and path page, select Select by file share, ensure that the share you
created in the previous task (WF-Share) is highlighted, and then click Next.

5. On the Specify the structure for user folders page, accept the default selection (user alias), and
then click Next.

6. On the Enter the sync share name page, accept the default, and then click Next.

7. On the Grant sync access to groups page, note the default selection to disable inherited
permissions and grant users exclusive access, and then click Add.
8. In the Select User or Group dialog box, in the Enter the object names to select field, type WFsync,
click Check Names, and then click OK.

9. On the Grant sync access to groups page, click Next.


10. On the Specify device policies page, clear both check boxes, and then click Next.

11. On the Confirm selections page, click Create.

12. On the View results page, click Close.


13. Switch to LON-DC1.

14. Open Server Manager, click Tools, and then click Group Policy Management.

Note: If the console does not open and a dialog box appears that says Group Policy
Management is loading, close the dialog box, and then try to open the Group Policy
Management console again.

15. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy
Objects. Right-click Group Policy Objects, and then click New.

16. In the New GPO window, type Work Folders GPO in the Name field, and then click OK.
17. Right-click Work Folders GPO, and then click Edit.

18. In the Group Policy Management Editor window, expand User Configuration, expand Policies,
expand Administrative Templates, expand Windows Components, and then click Work Folders.

19. Double-click Specify Work Folders settings in the details pane, and then in the Specify Work
Folders settings dialog box, click Enabled.

20. In the Work Folders URL text box, type https://lon-svr2.adatum.com, and then select Force
automatic setup.

21. Click OK to close the Specify Work Folders settings dialog box, and then close the Group Policy
Management Editor window.
22. In the Group Policy Management Console, right-click the Adatum.com domain object, and then
select Link an Existing GPO….

23. In the Select GPO window, select Work Folders GPO, and then click OK.
24. Close the Group Policy Management Console.

 Task 4: Validating Work Folders functionality


1. Sign in to LON-CL1 as Adatum\Aidan with password Pa$$w0rd.

2. On the Start screen, type PowerShell, and then click the Windows PowerShell icon in the Search pane.
3. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.

Note: If you get an error when refreshing Group Policy, restart the machine and try again.

4. Open File Explorer, and then navigate to C:\Users\Aidan\.

5. Verify that the Work Folders folder has been created.

Note: The presence of the Work Folders folder indicates that the Work Folders
configuration is successful.

6. In File Explorer, create a few text files in the Work Folders folder.

Note: File Explorer displays the synchronization status of the files in the Work Folders
folder.

7. Right-click the Windows button on the taskbar, and then click Control Panel.

8. In Control Panel, click System and Security, and then click Work Folders.

9. Ensure that Work Folders are configured and working.


10. Close Control Panel.

11. Start LON-CL2 and sign in as Adatum\Aidan with password Pa$$w0rd.



12. On the Start screen, type PowerShell, and then click the Windows PowerShell icon in the Search
pane.

13. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.

Note: If you get an error when refreshing Group Policy, restart the machine and try again.

14. Open File Explorer, and then navigate to C:\Users\Aidan\.

15. Verify that the Work Folders folder is created.

16. Open the folder, and then verify that the files that you created on LON-CL1 are present.

 Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps two and three for 10969B-LON-DC2, 10969B-LON-SVR1, 10969B-LON-SVR2,
10969B-LON-CL1, and 10969B-LON-CL2.

Results: After completing this exercise, you will have configured Work Folders.

Module 12: Monitoring, Managing, and Recovering AD DS


Lab A: Monitoring AD DS
Exercise 1: Monitoring AD DS with Performance Monitor
 Task 1: Configure Performance Monitor to monitor AD DS
1. Switch to LON-DC1.

2. In Server Manager, click Tools, and then click Performance Monitor.

3. Under the Monitoring Tools node, click Performance Monitor.

4. Click the Add button—the green Plus Sign (+) on the toolbar—to add objects and counters.

5. In the Add Counters dialog box, in the Available Counters list, expand the Directory Services
object.
6. Click the DRA Inbound Bytes Total/sec counter, and then click the Add button.
7. Repeat the previous step to add the following counters:

o DirectoryServices\DRA Outbound Bytes Total/sec


o DirectoryServices\DS Threads In Use

o DirectoryServices\DS Directory Reads/sec

o DirectoryServices\DS Directory Writes/sec

o DirectoryServices\DS Directory Searches/sec

o NTDS\DRA Inbound Objects/sec

o NTDS\DRA Pending Replication Synchronizations

o Security System-Wide Statistics\NTLM Authentications


o Security System-Wide Statistics\Kerberos Authentications

8. Click OK, and then watch for a few moments.


9. In the counter list below the graph, select DS Directory Searches/sec.

10. On the toolbar, click Highlight.

The selected counter is highlighted, making it easier to see that counter's performance.
11. On the toolbar, click Highlight to turn off the highlight.
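The counters added in Task 1 can also be sampled from PowerShell and kept as a text baseline. The following is an added example, not part of the lab guide, that reads the same counters with Get-Counter, summarises them, and flags a high share of NTLM authentications; the sample window, the CSV location and the 20 percent threshold are assumptions, not Microsoft guidance.

```powershell
# Added example (not from the lab guide): sample the Task 1 counters with
# Get-Counter and summarise them. Run in an elevated PowerShell on LON-DC1.
$AdDsCounters = @(
    '\DirectoryServices(NTDS)\DRA Inbound Bytes Total/sec'
    '\DirectoryServices(NTDS)\DRA Outbound Bytes Total/sec'
    '\DirectoryServices(NTDS)\DS Threads In Use'
    '\DirectoryServices(NTDS)\DS Directory Reads/sec'
    '\DirectoryServices(NTDS)\DS Directory Writes/sec'
    '\DirectoryServices(NTDS)\DS Directory Searches/sec'
    '\NTDS\DRA Inbound Objects/sec'
    '\NTDS\DRA Pending Replication Synchronizations'
    '\Security System-Wide Statistics\NTLM Authentications'
    '\Security System-Wide Statistics\Kerberos Authentications'
)

function Get-AdDsCounterSummary {
    # Returns one object per counter with the average and peak of the sampled values.
    param(
        [int]$Samples = 6,            # assumed: 6 samples at 5 s gives a 30 s window
        [int]$IntervalSeconds = 5
    )
    $set = Get-Counter -Counter $AdDsCounters -SampleInterval $IntervalSeconds `
                       -MaxSamples $Samples -ErrorAction Stop

    $set.CounterSamples |
        Group-Object -Property Path |
        ForEach-Object {
            # CookedValue is the already-scaled reading that Performance Monitor graphs
            $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
            [pscustomobject]@{
                Counter = ($_.Name -split '\\')[-1]   # drop the \\machine\object prefix
                Average = [math]::Round($stats.Average, 2)
                Peak    = [math]::Round($stats.Maximum, 2)
            }
        }
}

function Get-NtlmShare {
    # Fraction of authentications the DC handled with NTLM rather than Kerberos.
    # A rising share usually points at legacy clients or Kerberos fallback worth tracing.
    param([Parameter(Mandatory)][object[]]$Summary)
    $ntlm = ($Summary | Where-Object Counter -eq 'ntlm authentications').Average
    $kerb = ($Summary | Where-Object Counter -eq 'kerberos authentications').Average
    if (($ntlm + $kerb) -eq 0) { return 0 }
    return [math]::Round($ntlm / ($ntlm + $kerb), 2)
}

$summary = Get-AdDsCounterSummary
$summary | Format-Table -AutoSize

$share = Get-NtlmShare -Summary $summary
if ($share -gt 0.2) {   # assumed threshold for the Adatum lab
    Write-Warning ("NTLM handled {0:P0} of authentications in this sample" -f $share)
}

# Keep the run as a baseline to compare against later samples (assumed location)
$baseline = Join-Path $env:TEMP ("adds-baseline-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
$summary | Export-Csv -Path $baseline -NoTypeInformation
```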

 Task 2: Create a Data Collector Set from Performance Monitor counters


1. In the console tree, expand Performance, expand Monitoring Tools, and then click Performance
Monitor. Right-click Performance Monitor, point to New, and then click Data Collector Set.

2. In the Create new Data Collector Set dialog box, in the Name box, type Custom ADDS
Performance Counters, and then click Next.

3. Make a note of the default root directory in which the Data Collector Set will be saved, click Next,
and then click Finish.

 Task 3: Start a Data Collector Set


1. In the console tree, expand Data Collector Sets, expand User Defined, and then click User Defined.

2. Right-click Custom ADDS Performance Counters, and then click Start.

The Custom ADDS Performance Counters node is selected automatically.

You can identify the individual data collectors in the Data Collector Set. In this case, only one data
collector—the System Monitor Log performance counters—is contained in the data collector set.

You also can identify where the output from the data collector is being saved.
3. In the console tree, right-click the Custom ADDS Performance Counters Data Collector Set, and
then click Stop.

 Task 4: View a Data Collector Set report


1. In the console tree, expand Reports, expand User Defined, expand Custom ADDS Performance
Counters, and then click System Monitor Log.blg.
2. The graph of the log's performance counters is displayed.

 Task 5: Examine a predefined Data Collector Set


1. In the Performance Monitor, expand Data Collector Sets, expand System, and then click Active
Directory Diagnostics.
2. Notice which data collectors are part of the Data Collector Set.

3. Right-click Active Directory Diagnostics, and then click Start.


4. In the console tree, expand Reports, expand System, expand Active Directory Diagnostics, and
then click the report, which will be named yyyymmdd-xxxx, where yyyy is the current year, mm is the
current month, dd is the current day, and xxxx is a four-digit incrementing serial number.

The Report Status indicates that data is being collected for 300 seconds, or five minutes.
5. Wait five minutes.

The Report Status indicates that the report is being generated.

The report appears.

6. Spend a few moments examining the sections of the report.

7. Right-click the report, point to View, and then click Performance Monitor.

8. Right-click the report, point to View, and then click Report.


9. Right-click the report, point to View, and then click Folder.

10. In the details pane, double-click Performance Counter.blg.

The log opens in a new instance of Performance Monitor. If the new instance of Performance Monitor
is minimized, open it by clicking its button on the taskbar.

11. Close the new instance of Performance Monitor.

12. In Performance Monitor, click Performance Monitor in the navigation pane.


13. On the toolbar, click the View Log Data button, which is the second button from the far left edge of
the toolbar.

The Performance Monitor Properties dialog box opens.

14. Click the Log files option.



15. Click the Add button.

The Select Log File dialog box opens, focused on C:\PerfLogs.

16. Double-click ADDS.

17. Double-click the folder with the same name as the report you generated.

18. Click Performance Counter, click Open, and then click OK.

 Task 6: Create a Data Collector Set


1. In the Performance Monitor console tree, expand Data Collector Sets, and then click User Defined.

2. Right-click User Defined, point to New, and then click Data Collector Set.
3. On the Create new Data Collector Set page, in the Name box, type Custom ADDS Diagnostics.

4. Click the Create from a template (Recommended) option, and then click Next.

5. On the Which template would you like to use? page, select Active Directory Diagnostics, and
then click Next.

6. On the Where would you like the data to be saved? page, in Root directory, create a folder
C:\ADDS Data Collector Sets, and then click Next.

7. On the Create the data collector set? page, click the Change button.

8. In the Performance Monitor credentials dialog box, in the User name box, type
Adatum\Administrator.
9. In the Password box, type Pa$$w0rd, click OK, and then click Finish.

Note: In a production environment, the account you use should be a unique domain
account. It must be a member of the Performance Log Users group and must have the Log on as
a batch job user right. By default, the Performance Log Users group has this right, so you simply
can create a domain account and make it a member of the group.

 Task 7: Configure start and stop conditions for a Data Collector Set
1. In the console tree, right-click Custom ADDS Diagnostics, and then click Properties.
2. In the Custom ADDS Diagnostics Properties dialog box, click the Schedule tab, and then click the
Add button.

3. In the Folder Action dialog box, confirm that the Beginning date is today's date.
4. Select the Expiration date check box, and in the Expiration date drop-down list, select the date one
week from today.

5. Configure the start time to the current time in the virtual machine plus five minutes. Make a note of
the start time that you configure, and then click OK.

Note: The Expiration date property specifies when new instances of data collection will no
longer be started. It does not stop existing sessions. You must configure the Stop Condition to
specify when data collection stops.

6. In the Custom ADDS Diagnostics Properties dialog box, click Apply.


7. In the Performance Monitor credentials dialog box, in the User name box, type
Adatum\Administrator, in the Password box, type Pa$$w0rd, then click OK.

8. Click the Stop Condition tab, and then select the Overall Duration check box.

9. Configure the duration to 2 Minutes.

In a production environment, you likely would run a data collector for a longer period.

10. Do not select the Stop when all data collectors have finished check box, and then click OK. If a
Performance Monitor – Data Collector Set dialog box appears, click OK.

This option allows data collectors that are running when the Overall Duration is reached to finish
recording the most recent values.

 Task 8: Configure data management for a data collector


1. Right-click Custom ADDS Diagnostics, and then click Data Manager.

2. On the Data Manager tab, click the Resource policy list, and then select Delete oldest.

3. Click the Actions tab, and then click 1 Day(s).

4. Click the Edit button.


5. In the Folder Action dialog box, in the Action section, select the Copy cab file to this directory
check box.

6. In the Copy cab file to this directory box, type \\LON-DC1\c$\ADDS_Diag_Reports.


7. Confirm that the Create cab file and Delete data files check boxes are selected, and then click OK
twice.

8. In the Performance Monitor credentials dialog box, in the User name box, type
Adatum\Administrator, in the Password box, type Pa$$w0rd, then click OK.

 Task 9: View the results of data collection


1. Wait until the time that you configured as the start time for the Data Collector Set passes.
2. In Performance Monitor, select the report under Reports\User Defined\Custom ADDS Diagnostics.
The Report Status indicates that data is being collected for 120 seconds, or two minutes.
After data collection has completed, the Report Status indicates that the report is being generated.
3. Spend a few moments examining the report.
4. Right-click the report in the console tree, point to View, and then click Folder.
5. In the details pane, double-click Performance Counter.
A new instance of Performance Monitor opens, with Performance Monitor displaying the logged data
in the Performance Counter log.
6. Spend a few moments examining the performance graph, and then close the window.

 Prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps 2 and 3 for 10969B-LON-DC2.

Results: After completing this exercise, you will have successfully monitored the Active Directory Domain
Services (AD DS) performance of the domain controller.

Lab B: Recovering Objects in AD DS


Exercise 1: Backing Up and Restoring AD DS
 Task 1: Install the Windows Server Backup feature
1. Switch to LON-DC1.

2. In Server Manager, click Add roles and features.


3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, click Next.


6. On the Select server roles page, click Next.

7. On the Select features page, in the Features list, select the Windows Server Backup check box, and
then click Next.

8. On the Confirm installation selections page, click Install.

9. When the installation finishes, click Close.

 Task 2: Create a scheduled backup


1. In Server Manager, click Tools, and then click Windows Server Backup.
2. In the navigation pane, click Local Backup.

3. In the Actions pane, click Backup Schedule.


4. In the Backup Schedule Wizard, on the Getting Started page, click Next.
5. On the Select Backup Configuration page, click Custom, and then click Next.

6. On the Select Items for Backup page, click Add Items.


7. In the Select Items dialog box, select Bare metal recovery, click OK, and then click Next.
8. On the Specify Backup Time page, click Once a day.

9. In the Select time of day list, select 12:00 am, and then click Next.

10. On the Specify Destination Type page, click Back up to a hard disk that is dedicated for backups
(recommended), and then click Next.

11. On the Select Destination Disk page, click Show All Available Disks.
12. In the Show All Available Disks dialog box, select the Disk 1 check box, and then click OK.

13. On the Select Destination Disk page, select the Disk 1 check box, and then click Next.

14. The Windows Server Backup dialog box appears, informing you that all data on the disk will be
deleted. Click Yes to continue.

Note: Important: You will cancel the process in the next step to avoid formatting drive E.

15. On the Confirmation page, click Cancel to avoid formatting drive E.



 Task 3: Perform an interactive backup


1. In the Actions pane, click Backup Once.

2. On the Backup Options page, ensure that Different options is selected, and then click Next.

3. On the Select Backup Configuration page, click Custom, and then click Next.

4. On the Select Items for Backup page, click Add Items.

5. In the Select Items dialog box, click System state, and then click OK.

6. Click Advanced Settings, click the VSS Settings tab, click VSS full Backup, click OK, and then click
Next.

7. On the Specify Destination Type page, click Next.

8. On the Select Backup Destination page, click Next.


9. On the Confirmation page, click Backup, and then click Close.

Note: The backup will take about 10–15 minutes to complete. When the backup is
complete, close Windows Server Backup.

 Task 4: Delete an organizational unit (OU)

Note: Wait until the backup is complete before proceeding.

1. In Server Manager, click Tools, and then click Active Directory Users and Computers.

2. On the menu, click View, and then click Advanced Features.


3. In the console tree, expand Adatum.com, and then click the Research OU.

4. In the details pane, right-click Lab, and then click Properties.

5. In the Lab Properties dialog box, on the Object tab, clear the Protect object from accidental
deletion check box, and then click OK.
6. In the details pane, right-click Lab, and then click Delete.

7. A confirmation message appears. Click Yes.


8. A warning message appears. Click Yes.

9. Wait for the deletion to complete.

10. Verify that the Lab OU is deleted.

 Task 5: Restart in Directory Services Restore Mode (DSRM)


1. On the taskbar, right-click Windows PowerShell, and then in the Tasks list, click Run as
Administrator.

2. At a command prompt in the Windows PowerShell command-line interface, type
bcdedit /set safeboot dsrepair, and then press Enter.

3. Type shutdown /t 0 /r, and then press Enter.



 Task 6: Restore System state data


1. Sign in to LON-DC1 as .\Administrator with password Pa$$w0rd.

2. On the taskbar, right-click Windows PowerShell, and then click Run as Administrator.

3. At the Windows PowerShell command prompt, type wbadmin get versions -backuptarget:E: -machine:LON-DC1,
and then press Enter.

4. Note the version identifier that is returned.

5. Type wbadmin start systemstaterecovery -version:version -backuptarget:E: -machine:LON-DC1,
where version is the version identifier that you recorded in the previous step, and then press Enter.
For example: wbadmin start systemstaterecovery -version:01/22/2011-10:37 -backuptarget:E: -machine:LON-DC1

6. Type Y, and then press Enter.

7. Type Y, and then press Enter.

The restoration will take about 30–35 minutes. Depending on the host machine, it could take up to an
hour.

8. When prompted to restart, type Y, and then press Enter.

9. Sign in to LON-DC1 as .\Administrator with password Pa$$w0rd.


10. Press Enter when prompted.
11. Click Start, right-click Windows PowerShell, and then click Run as Administrator.

 Task 7: Mark restored information as authoritative


1. At the Windows PowerShell command prompt, type NtdsUtil.exe, and then press Enter.
2. Type activate instance ntds, and then press Enter.

3. Type authoritative restore, and then press Enter.

4. Type restore subtree "ou=Lab,ou=Research,dc=adatum,dc=com", and then press Enter.


5. Click Yes in the confirmation dialog message box that appears.

6. Type quit, and then press Enter.

7. Type quit, and then press Enter.

8. Type bcdedit /deletevalue safeboot, and then press Enter.


9. Type shutdown /t 0 /r, and then press Enter.

 Task 8: Verify that the data has been restored


1. Wait for LON-DC1 to restart.

2. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.


3. In Server Manager, from the Tools menu, click Active Directory Users and Computers.

4. In the console tree, expand Adatum.com, and then click the Research OU.
5. Verify that the Lab OU is restored.

Results: After completing this exercise, you will have performed an interactive backup and an
authoritative restore of AD DS.

Exercise 2: Recovering Objects in AD DS


 Task 1: Verify requirements for Active Directory Recycle Bin
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Domains and Trusts.

2. In the Active Directory Domains and Trusts console, right-click Active Directory Domains and Trusts,
and then click Raise Forest Functional Level.

3. Check the value of Current forest functional level. If it is not set to Windows Server 2008 R2,
proceed to the next step. If it is, click Cancel, and then proceed to step 7.

4. In the Select an available forest functional level drop-down list, select Windows Server 2008 R2,
and then click Raise.

5. In the Warning dialog box, click OK.

6. In the Confirmation dialog box, click OK.

7. Close the Active Directory Domains and Trusts console.

 Task 2: Enable the Active Directory Recycle Bin feature


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Sites and Services.
2. Expand Sites, expand Default-First-Site-Name, expand Servers, expand LON-DC1, and then click
NTDS Settings.

3. Right-click <automatically generated>, click Replicate Now, and then click OK.
4. Expand LON-DC2, and then click NTDS Settings.

5. Right-click <automatically generated>, click Replicate Now, and then click OK.

6. In Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.
7. Type the following command, and then press Enter:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=adatum,DC=com' -Scope ForestOrConfigurationSet -Target 'adatum.com'

8. Type y, and then press Enter.

9. After the command prompt is returned to you, close the Windows PowerShell window.

 Task 3: Delete objects to simulate accidental deletion


1. In Server Manager, click Tools, and then click Active Directory Users and Computers.
2. Navigate to the Research OU.

3. Right-click Allie Bellew, and then click Delete.

4. In the confirmation window, click Yes.


5. Close Active Directory Users and Computers.

 Task 4: Perform object restoration with Windows PowerShell


1. In Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.

2. Type the following command, and then press Enter:

Get-ADObject -Filter {displayName -eq "Allie Bellew"} -IncludeDeletedObjects | Restore-ADObject

3. Close the Windows PowerShell window.
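The one-line restore above works because the Research OU still exists; if the parent OU had been deleted as well (as the Lab OU was in Exercise 1), Restore-ADObject must be applied to the parents first. The following is an added example, not part of the lab guide, that checks the feature enabled in Task 2 and then restores a deleted object after any deleted ancestors; the function names, the preview-by-default behaviour and the -Commit switch are assumptions for the Adatum lab.

```powershell
# Added example (not from the lab guide): restore a deleted object and, if its
# parent OU was deleted as well, restore the parents first. Run in the Active
# Directory Module for Windows PowerShell on LON-DC1 after Task 2.
Import-Module ActiveDirectory

function Test-AdRecycleBinEnabled {
    # EnabledScopes stays empty until Enable-ADOptionalFeature has been run for the forest
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    return ($feature.EnabledScopes.Count -gt 0)
}

function Restore-AdObjectChain {
    # Restores $DeletedObject after any deleted ancestors and returns its live DN.
    # Without -Commit it only reports what would be restored (assumed safe default).
    param(
        [Parameter(Mandatory)]$DeletedObject,
        [switch]$Commit
    )
    $parentDn = $DeletedObject.lastKnownParent
    if ($parentDn -like '*,CN=Deleted Objects,*') {
        # The parent sits in the Deleted Objects container too: bring it back first,
        # then use its restored DN as the target for this object
        $parent = Get-ADObject -Identity $parentDn -IncludeDeletedObjects -Properties lastKnownParent
        $parentDn = Restore-AdObjectChain -DeletedObject $parent -Commit:$Commit
    }
    # A deleted DN looks like "CN=Allie Bellew\0ADEL:<guid>,CN=Deleted Objects,...",
    # so the original RDN (with its CN= or OU= prefix) is everything before \0ADEL:
    $rdn = ($DeletedObject.DistinguishedName -split '\\0ADEL:')[0]
    if ($Commit) {
        Restore-ADObject -Identity $DeletedObject.ObjectGUID -TargetPath $parentDn
        return (Get-ADObject -Identity $DeletedObject.ObjectGUID).DistinguishedName
    }
    Write-Host "Would restore $rdn into $parentDn"
    return "$rdn,$parentDn"
}

if (-not (Test-AdRecycleBinEnabled)) {
    throw 'Recycle Bin is not enabled; complete Task 2 before restoring.'
}

# Find every deleted object that still carries the display name removed in Task 3
$deleted = Get-ADObject -Filter { displayName -eq 'Allie Bellew' -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent

foreach ($obj in $deleted) {
    # Preview only; add -Commit to perform the restore
    Restore-AdObjectChain -DeletedObject $obj
}
```

Run the preview first, then repeat the loop with -Commit; the returned DN is the location to check in Task 5.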

 Task 5: Verify object restoration


1. In Server Manager, click Tools, and then click Active Directory Users and Computers.

2. Make sure that Allie Bellew exists within the Research OU.

 Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 to revert 10969B-LON-DC2.

Results: After completing the exercise, you will have enabled and tested the Active Directory Recycle Bin
feature successfully.

Module 13: Implementing Windows Azure Active Directory


Lab: Implementing Windows Azure AD
Exercise 1: Implementing Windows Azure AD for Office 365
 Task 1: Identify how to implement Windows Azure AD for Office 365
1. Does Microsoft Office 365 use Windows Azure Active Directory (AD)?

Answer: Yes. Windows Azure AD was developed initially to support Office 365. It is now available as a
stand-alone product.
2. When configuring Windows Azure AD for hybrid mode, will you use the Windows Azure AD
management console or the Office 365 management console?

Answer: In general, when you configure Windows Azure AD for a specific application, you should
use the management console that is provided by the application. The management console that is
provided by the application typically has wizards and options that are specific to the application and
help in the configuration. So, in this instance, you should use the Office 365 management console.

3. Which tool will you use to synchronize user accounts from Active Directory Domain Services (AD DS)
to Windows Azure AD?

Answer: The two tools available for synchronizing users from AD DS to Windows Azure AD are
Microsoft Forefront Identity Manager (FIM) and the Windows Azure AD Sync Tool. FIM supports
advanced scenarios that are not supported by Directory Sync. In this case, synchronization is from a
single AD DS forest to a single Windows Azure AD tenant. You can perform this simple scenario by
using Directory Sync.

4. How will you ensure that passwords that are used in AD DS also are used when authenticating to
Office 365?
Answer: You can use Password Sync in Directory Sync to place the AD DS password in the
synchronized Windows Azure AD tenant. You also can use Active Directory Federation Services
(AD FS) with Directory Sync to provide single sign-on (SSO). In this case, you should use Password
Sync rather than AD FS. Implementing Password Sync is significantly easier than implementing AD FS.
However, the critical requirement is authentication availability when an Internet connection is down.
When AD FS is used with on-premises AD DS, an Internet connection being down prevents the
authentication of sales users to Office 365.

Results: After completing this exercise, you will have planned the implementation of Windows Azure AD
for Office 365.

Exercise 2: Implementing Windows Azure AD for a Cloud-Based Application
 Task 1: Identify how to implement Windows Azure AD for a cloud-based application
1. Should external users for the application be created in the same Windows Azure AD tenant as the
hybrid implementation of Microsoft Exchange Server 2013 and Office 365?

Answer: The tenant that is used for the hybrid implementation of Exchange Server 2013 and Office
365 is configured specifically for the purpose. The data that exists in that tenant is not useful for the
new customer service application. It would be best for this application to have a separate tenant to
host external users.
2. What is the best way for the application to read and manage user accounts in Windows Azure AD?

Answer: As a developer, you can use the Windows PowerShell command-line interface or Windows
Azure AD Graph to read and manage user accounts. Windows PowerShell is best suited to use in
simple scripting scenarios. In this case, the application should use Windows Azure AD Graph.

3. Is it possible to use other external identity providers with the cloud-based application? If so, where is
this configured?
Answer: Integration with other external identity providers is possible by using Windows Azure AD
Access Control. There is built-in support for Microsoft account, Google, Yahoo!, and Facebook.

Results: After completing this lab, you will have identified how to implement Windows Azure AD for a
cloud-based application.

Module 14: Implementing and Administering AD LDS


Lab: Implementing and Administering AD LDS
Exercise 1: Configuring AD LDS Instances and Partitions
 Task 1: Install the required server roles
1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.

2. In Server Manager, click Add roles and features.

3. In the Add Roles and Features Wizard, on the Before You Begin page, click Next.

4. On the Select installation type page, click Next.


5. On the Select destination server page, click Next.

6. On the Select server roles page, in the Roles list, select the Active Directory Lightweight
Directory Services check box.
7. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.

8. On the Select features page, click Next.


9. On the Active Directory Lightweight Directory Services (AD LDS) page, click Next.

10. On the Confirm installation selections page, click Install.

11. On the Installation progress page, click Close.

12. Sign in to LON-SVR1 as Adatum\Administrator with password Pa$$w0rd.

13. In Server Manager, click Add roles and features.

14. In the Add Roles and Features Wizard, on the Before You Begin page, click Next.

15. On the Select installation type page, click Next.


16. On the Select destination server page, click Next.

17. On the Select server roles page, in the Roles list, select the Active Directory Lightweight
Directory Services check box.

18. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.

19. On the Select features page, click Next.

20. On the Active Directory Lightweight Directory Services (AD LDS) page, click Next.

21. On the Confirm installation selections page, click Install.

22. On the Installation progress page, click Close.

 Task 2: Create an AD LDS instance and app partition


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Lightweight
Directory Services Setup Wizard.

2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page,
click Next.

3. On the Setup Options page, ensure that A unique instance is selected, and then click Next.

4. On the Instance Name page, click Next.

5. On the Ports page, in the LDAP port number box, type 50000.

6. In the SSL port number box, type 50001, and then click Next.

Note: If these two ports are unavailable, use 60000 and 60001 throughout. You then must
remember to update all other commands that reference these ports to match those you have
used.

7. On the Application Directory Partition page, click Yes, create an application directory partition,
and in the Partition name box, type CN=Application1,DC=Adatum,DC=com, and then click Next.

8. On the File Locations page, click Next.

9. On the Service Account Selection page, click This account, type Administrator in the User name
box and Pa$$w0rd in the Password box, and then click Next.
10. In the Active Directory Lightweight Directory Services Setup Wizard message box, click Yes.
11. On the AD LDS Administrators page, ensure that Currently logged on user:
ADATUM\Administrator is selected, and then click Next.
12. On the Importing LDIF Files page, in the LDIF file name list, select all check boxes, and then click
Next.

13. On the Ready to Install page, click Next.


14. On the Completing the Active Directory Lightweight Directory Services page, click Finish.

Results: After this exercise, you will have deployed Active Directory Lightweight Directory Services
(AD LDS).

Exercise 2: Configuring AD LDS Replication


Task 1: Create a replica of the existing instance
1. On LON-SVR1, in Server Manager, click Tools, and then click Active Directory Lightweight
Directory Services Setup Wizard.

2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page,
click Next.

3. On the Setup Options page, click A replica of an existing instance, and then click Next.
4. On the Instance Name page, click Next.

5. On the Ports page, in the LDAP port number box, type 50000, and in the SSL port number box,
type 50001, and then click Next.

Note: If these two ports are unavailable, use 60000 and 60001 throughout. You then must
remember to update all other commands that reference these ports to match those you have
used.

6. On the Joining a Configuration Set page, in the Server box, type LON-DC1.Adatum.com, and in
the LDAP port field, type 50000, and then click Next.

7. On the Administrative Credentials for the Configuration Set page, ensure that the Currently
logged on user: ADATUM\Administrator option is selected, and then click Next.
8. On the Copying Application Directory Partitions page, in the Partition DN box, select the
CN=Application1,DC=Adatum,DC=com check box, and then click Next.

9. On the File Locations page, click Next.

10. On the Service Account Selection page, ensure that Network service account is selected, and then
click Next.

11. On the AD LDS Administrators page, ensure that Currently logged on user:
ADATUM\Administrator is selected, and then click Next.

12. On the Ready to Install page, click Next.

13. On the Completing the Active Directory Lightweight Directory Services page, click Finish.
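The two wizard runs above (the unique instance on LON-DC1 in Exercise 1 and the replica on LON-SVR1 in this task) can also be driven unattended. The following PowerShell is an added example and is not part of the 10969B lab guide: it installs the role, writes an adaminstall.exe answer file for either installation type, runs it, and then checks that the instance service is running and its LDAP port is bound. Host names, ports, the instance name and the partition DN are the lab's values; the function names and answer-file paths are this example's own assumptions.

```powershell
# Added example, not part of the 10969B lab guide. Unattended equivalents of
# Exercise 1 Tasks 1-2 (unique instance on LON-DC1) and Exercise 2 Task 1
# (replica on LON-SVR1). Host names, ports, instance and partition names are
# the lab's; the function names and file paths are this example's own.
#Requires -RunAsAdministrator

# Same result as the Add Roles and Features Wizard steps.
function Install-AdLdsRole {
    Install-WindowsFeature -Name ADLDS -IncludeManagementTools
}

# Write an adaminstall.exe answer file. The keys are the documented
# [ADAMInstall] keys; Unique creates the application partition, Replica
# joins LON-DC1's configuration set and copies that partition instead.
# ServiceAccount is left out on purpose: the default is Network Service,
# which is all the instance needs (the lab's choice of the domain
# Administrator on LON-DC1 gives the service far more than it needs).
function New-AdLdsAnswerFile {
    param(
        [Parameter(Mandatory)][ValidateSet('Unique', 'Replica')][string]$InstallType,
        [Parameter(Mandatory)][string]$Path,
        [string]$InstanceName  = 'instance1',
        [int]   $LdapPort      = 50000,   # the lab's fallback pair is 60000/60001
        [int]   $SslPort       = 50001,
        [string]$Partition     = 'CN=Application1,DC=Adatum,DC=com',
        [string]$SourceServer  = 'LON-DC1.Adatum.com',
        [string]$Administrator = 'ADATUM\Administrator'
    )
    $lines = @(
        '[ADAMInstall]'
        "InstallType=$InstallType"
        "InstanceName=$InstanceName"
        "LocalLDAPPortToListenOn=$LdapPort"
        "LocalSSLPortToListenOn=$SslPort"
        "Administrator=$Administrator"
    )
    if ($InstallType -eq 'Unique') {
        $lines += "NewApplicationPartitionToCreate=$Partition"
        # The lab imports every shipped LDIF file; this subset covers user objects.
        $lines += 'ImportLDIFFiles="MS-InetOrgPerson.LDF" "MS-User.LDF" "MS-UserProxyFull.LDF"'
    } else {
        $lines += "SourceServer=$SourceServer"
        $lines += "SourceLDAPPort=$LdapPort"
        $lines += "ReplicatePartitions=`"$Partition`""
    }
    # No passwords are written here; if you ever add ServicePassword or
    # SourcePassword, delete the file as soon as the install has finished.
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

function Install-AdLdsInstance {
    param([Parameter(Mandatory)][string]$AnswerFile)
    # adaminstall.exe is placed in %windir%\ADAM by the role installation.
    & (Join-Path $env:windir 'ADAM\adaminstall.exe') "/answer:$AnswerFile"
    if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe failed with exit code $LASTEXITCODE" }
}

# Post-install check: the instance service runs and the LDAP port is bound.
# LDAPS on the SSL port only works once a server certificate is installed,
# so only the plain LDAP port is probed here.
function Test-AdLdsInstance {
    param([string]$InstanceName = 'instance1', [int]$LdapPort = 50000)
    $svc   = Get-Service -Name "ADAM_$InstanceName" -ErrorAction Stop
    $bound = Get-NetTCPConnection -State Listen -LocalPort $LdapPort -ErrorAction SilentlyContinue
    [pscustomobject]@{ Service = $svc.Status; LdapPort = $LdapPort; Listening = [bool]$bound }
}

# On LON-DC1 (Exercise 1):
#   Install-AdLdsRole
#   Install-AdLdsInstance -AnswerFile (New-AdLdsAnswerFile -InstallType Unique -Path "$env:TEMP\instance1-unique.txt")
#   Test-AdLdsInstance
# On LON-SVR1 (Exercise 2, Task 1), signed in as ADATUM\Administrator:
#   Install-AdLdsRole
#   Install-AdLdsInstance -AnswerFile (New-AdLdsAnswerFile -InstallType Replica -Path "$env:TEMP\instance1-replica.txt")
#   Test-AdLdsInstance
```

The replica run uses the signed-in user's credentials against LON-DC1, which is why the lab has you sign in as ADATUM\Administrator before starting the wizard; the same applies to the unattended run.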

Task 2: Check the existing replication topology

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Sites and Services.

2. In the tree pane, right-click Active Directory Sites and Services [LON-DC1.Adatum.com], and then
click Change Domain Controller.

3. In the Change Directory Server dialog box, in the Name list, click <Type a Directory Server
name[:port]here>, type LON-DC1:50000, press Enter, and then click OK.

Note: It can take a few moments for the next dialog box to appear.

4. In the Active Directory Domain Services message box, click Yes.

5. In the Active Directory Sites and Services console, in the tree pane, expand Sites, expand Default-
First-Site-Name, and then expand Servers.

6. Under Servers, expand LON-DC1$instance1, right-click NTDS Settings, point to All Tasks, and then
click Check Replication Topology.
7. In the Check Replication Topology message box, click OK.

8. Under Servers, expand LON-SVR1$instance1, right-click NTDS Settings, point to All Tasks, and
then click Check Replication Topology.
9. In the Check Replication Topology message box, click OK.

10. Under LON-DC1$instance1, click NTDS Settings, right-click NTDS Settings, and then click Refresh.

11. In the tree pane, expand LON-SVR1$instance1, click NTDS Settings, right-click NTDS Settings, and
then click Refresh.

Task 3: Create a site and move the server to the new site
1. On LON-DC1, in Active Directory Sites and Services, in the tree pane, right-click Sites, and then click
New Site.

2. In the New Object – Site dialog box, in the Name box, type London, in the Link Name list, click
DEFAULTIPSITELINK, and then click OK.

3. In the Active Directory Domain Services message box, click OK.



4. In the tree pane, expand Sites, expand Default-First-Site-Name, and then expand Servers.

5. Under Servers, right-click LON-SVR1$instance1, and then click Move.

6. In the Move Server dialog box, in the Site Name list, click London, and then click OK.

Task 4: Create a site link and replication schedule

1. In the Active Directory Sites and Services console, in the tree pane, under Sites, expand Inter-Site
Transports, right-click IP, and then click New Site Link.

2. In the New Object – Site Link dialog box, in the Name box, type LON-TOR, and then click OK.
3. In the tree pane, under Inter-Site Transports, click IP.

4. In the IP details pane, in the Name list, right-click LON-TOR, and then click Properties.

5. In the LON-TOR Properties dialog box, click the General tab. In the Cost box, type 50, and in the
Replicate every box, type 1440, and then click OK.
6. In the Active Directory Sites and Services console, click Close.

Task 5: Use ADSI Edit to connect to the instance and then create a user
1. On LON-DC1, in Server Manager, click Tools, and then click ADSI Edit.
2. In the Active Directory Services Interfaces Editor (ADSI Edit) console, click Action, and then click
Connect to.

3. In the Connection Settings dialog box, in the Name box, type AD LDS Application1.
4. In the Connection Point area, click Select or type a Distinguished Name or Naming Context, and
then in the Select or type a Distinguished Name or Naming Context box, type
CN=Application1,DC=Adatum,DC=com.

5. In the Computer area, click Select or type a domain or server: (Server | Domain [:port]), and in
the Select or type a domain or server: (Server | Domain [:port]) box, type LON-DC1:50000, and
then click OK.
6. In ADSI Edit, in the console tree, click and expand AD LDS Application1 [LON-DC1:50000], and
then click CN=Application1,DC=Adatum,DC=com.

7. In the CN=Application1,DC=Adatum,DC=com details pane, in the Name list, right-click CN=Roles,
point to New, and then click Object.
8. In the Create Object dialog box, in the Select a class box, click user, and then click Next.

9. In the Value box, type user1, click Next, and then click Finish.

10. Do not close ADSI Edit.

Task 6: Confirm replication

1. On LON-SVR1, in Server Manager, click Tools, and then click Active Directory Sites and Services.

2. In the tree pane, right-click Active Directory Sites and Services [LON-DC1.Adatum.com], and then
click Change Domain Controller.
3. In the Change Directory Server dialog box, click <Type a Directory Server name[:port]here>,
type LON-SVR1:50000, press Enter, and then click OK.

Note: It can take a few moments for the next dialog box to appear.

4. In the Active Directory Domain Services message box, click Yes.



5. In the tree pane, expand Sites, expand London, expand Servers, expand LON-SVR1$instance1, and
then click NTDS Settings.

6. In the NTDS Settings details pane, in the Name list, right-click <automatically generated>, and
then click Replicate Now.
7. In the Replicate Now message box, click OK.

8. In Server Manager, click Tools, and then click ADSI Edit.

9. In ADSI Edit, click Action, and then click Connect to.


10. In the Connection Settings dialog box, in the Name box, type AD LDS Application1.

11. In the Connection Point area, click Select or type a Distinguished Name or Naming Context, and
then in the Select or type a Distinguished Name or Naming Context box, type
CN=Application1,DC=Adatum,DC=com.

12. In the Computer area, in the Select or type a domain or server: (Server | Domain[:port]), type
LON-SVR1:50000, and then click OK.

13. In ADSI Edit, in the console tree, click and expand AD LDS Application1 [LON-SVR1:50000], click
and expand CN=Application1,DC=Adatum,DC=com, and then double-click CN=Roles.
14. Verify the presence of CN=user1 in the Name list.

15. On the File menu of ADSI Edit, click Exit.
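Instead of opening ADSI Edit on each server, the replication check in this task can be scripted. The following PowerShell is an added example, not part of the lab guide: it binds to both instances with the signed-in user's Windows credentials, reports whether CN=user1 exists on each, and prints repadmin's view of the instance's replication partners (repadmin accepts host:port for AD LDS). Host names, ports and the DN of user1 are the lab's; the function names are this example's own assumptions.

```powershell
# Added example, not part of the lab guide. Confirms that CN=user1 created on
# LON-DC1:50000 in Task 5 has replicated to LON-SVR1:50000 and shows the
# instance's replication status. Hosts, ports and DNs are the lab's values;
# the function names are this example's own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Open an LDAP connection to an AD LDS instance with the caller's Windows
# credentials (Negotiate), the same authentication ADSI Edit uses in the lab.
function Connect-AdLds {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 50000)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()
    return $conn
}

# True when the DN exists on that instance (base-scope search on the DN).
function Test-AdLdsObject {
    param([Parameter(Mandatory)]$Connection, [Parameter(Mandatory)][string]$Dn)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $Dn, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        [string[]]@('distinguishedName'))
    try {
        $res = $Connection.SendRequest($req)
        return ($res.Entries.Count -eq 1)
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        return $false   # NoSuchObject on the replica: the change has not arrived yet
    }
}

# Compare one object across both instances. A mismatch that persists after
# Replicate Now points at the topology (site, site link, schedule) rather
# than at the object itself.
function Compare-AdLdsReplica {
    param(
        [string]$Dn = 'CN=user1,CN=Roles,CN=Application1,DC=Adatum,DC=com',
        [string[]]$Servers = @('LON-DC1', 'LON-SVR1'),
        [int]$Port = 50000
    )
    foreach ($s in $Servers) {
        $c = Connect-AdLds -Server $s -Port $Port
        try {
            [pscustomobject]@{
                Server  = "${s}:${Port}"
                Dn      = $Dn
                Present = Test-AdLdsObject -Connection $c -Dn $Dn
            }
        } finally { $c.Dispose() }
    }
}

# repadmin understands host:port for AD LDS; /showrepl lists each inbound
# partner and the result of the last replication attempt for the instance.
function Get-AdLdsReplicationStatus {
    param([string]$Server = 'LON-SVR1', [int]$Port = 50000)
    repadmin /showrepl "${Server}:${Port}"
}

# Compare-AdLdsReplica | Format-Table -AutoSize
# Get-AdLdsReplicationStatus
```

Because the LON-TOR site link created in Task 4 replicates every 1440 minutes, the object will normally show Present only on LON-DC1 until Replicate Now is used in step 6 above or the schedule fires.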

Prepare for the next exercise

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps two and three for 10969B-LON-SVR1 and 10969B-LON-DC2.

5. In Hyper-V Manager, click 10969B-LON-DC1, and in the Actions pane, click Start.

6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in by using the following credentials:

o User name: Administrator

o Password: Pa$$w0rd
o Domain: Adatum

8. Repeat steps five through seven for 10969B-LON-DC2 and 10969B-LON-SVR1.

Results: After this exercise, you will have configured AD LDS replication.

Exercise 3: Synchronizing AD LDS with AD DS


Task 1: Install and configure an instance of AD LDS
1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.

2. In Server Manager, click Tools, and then click Active Directory Sites and Services.
3. Navigate to Sites\Default-First-Site-Name\Servers\LON-DC1\NTDS Settings.

4. In the details pane, right-click <automatically generated>, click Replicate Now, and then click OK.

5. Repeat for LON-DC2.


6. Close Active Directory Sites and Services.

7. On LON-SVR1, in Server Manager, click Add roles and features.

8. In the Add Roles and Features Wizard, on the Before You Begin page, click Next.
9. On the Select installation type page, click Next.

10. On the Select destination server page, click Next.

11. On the Select server roles page, in the Roles list, select the Active Directory Lightweight
Directory Services check box.

12. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
13. On the Select features page, click Next.

14. On the Active Directory Lightweight Directory Services (AD LDS) page, click Next.

15. On the Confirm installation selections page, click Install.


16. On the Installation progress page, click Close.

17. In Server Manager, click Tools, and then click Active Directory Lightweight Directory Services
Setup Wizard.
18. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page,
click Next.

19. On the Setup Options page, ensure that A unique instance is selected, and then click Next.

20. On the Instance Name page, click Next.

21. On the Ports page, in the LDAP port number box, type 50000.

22. In the SSL port number box, type 50001, and then click Next.

Note: If these two ports are unavailable, use 60000 and 60001 throughout. You then must
remember to update all other commands that reference these ports to match those you have
used.

23. On the Application Directory Partition page, click Yes, create an application directory partition,
and in the Partition name box, type DC=Adatum,DC=com, and then click Next.

24. On the File Locations page, click Next.

25. On the Service Account Selection page, click Next.

26. On the AD LDS Administrators page, ensure that Currently logged on user:
ADATUM\Administrator is selected, and then click Next.

27. On the Importing LDIF Files page, click Next.

28. On the Ready to Install page, click Next.

29. On the Completing the Active Directory Lightweight Directory Services page, click Finish.

Task 2: Prepare the AD LDS Instance for synchronization

1. On LON-SVR1, press the Windows logo key+R.

2. In the Run dialog box, type cmd.exe, and then press Enter.

3. At the command prompt, type the following command, and then press Enter:

cd \windows\adam

4. At the command prompt, type the following command, and then press Enter:

ldifde -i -u -f MS-adamschemaw2k8.ldf -s lon-svr1:50000 -j . -c "cn=Configuration,dc=X" "#configurationNamingContext"

5. At the command prompt, type the following command, and then press Enter:

ldifde -i -s lon-svr1:50000 -c "CN=Configuration,DC=X" "#ConfigurationNamingContext" -f MS-AdamSyncMetadata.ldf

6. At the command prompt, type the following command, and then press Enter:

Notepad MS-AdamSyncConf.xml

7. In Notepad, make the following changes to the contents of the configuration file:
o Replace the value of <source-ad-name> with LON-DC1.

o Replace the value of <source-ad-partition> with dc=Adatum,dc=com.

o Replace the value of <source-ad-account> with Administrator.


o Replace the value of <account-domain> with Adatum.com.

o Replace the value of <target-dn> with dc=Adatum,dc=com.

o Replace the value of <base-dn> with ou=Research,dc=Adatum,dc=com.

8. In Notepad, on the File menu, click Save As.


9. In the Save As dialog box, in the navigation pane, double-click Local Disk (C:), double-click
Windows, and then double-click ADAM.

10. In the File name box, type Instance1.xml.


11. In the Save as type list, click All Files (*.*), click Save, and then close Notepad.

12. At the command prompt, type the following command, and then press Enter:

adamsync /install LON-SVR1:50000 Instance1.xml



Task 3: Synchronize AD LDS and verify data synchronization

1. On LON-SVR1, at the command prompt, type the following command, and then press Enter:

adamsync /sync LON-SVR1:50000 dc=adatum,dc=com

2. In Server Manager, click Tools, and then click ADSI Edit.

3. In the ADSI Edit console, click Action, and then click Connect to.
4. In the Connection Settings dialog box, in the Name box, type AD LDS Instance1.

5. In the Connection Point area, click Select or type a Distinguished Name or Naming Context, and
then in the Select or type a Distinguished Name or Naming Context box, type
DC=Adatum,DC=com.

6. In the Computer area, click Select or type a domain or server: (Server | Domain [:port]), and in
the Select or type a domain or server: (Server | Domain [:port]) box, type LON-SVR1:50000, and
then click OK.
7. In ADSI Edit, in the console tree, click and expand AD LDS Instance1 [LON-SVR1:50000], and then
click DC=adatum,DC=com.

8. In ADSI Edit, in the console tree, click and expand AD LDS Instance1 [LON-DC1:50000], and then
click and expand DC=Adatum,DC=com.

9. Verify the changes. You should be able to see users in the Research OU.
10. On the File menu of ADSI Edit, click Exit.
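Tasks 2 and 3 together are one procedure: extend the instance schema, edit six elements of MS-AdamSyncConf.xml, register the configuration, run the sync, and look for the Research users in the instance. The following PowerShell is an added example, not part of the lab guide, that performs those steps in script form and replaces the ADSI Edit check with an LDAP search. The element names, file names, host names, ports and DNs are the lab's values; the function names, the log file name and the XPath lookups are this example's own assumptions.

```powershell
# Added example, not part of the lab guide. Scripts Exercise 3 Tasks 2-3:
# the schema imports, the MS-AdamSyncConf.xml edits saved as Instance1.xml,
# adamsync /install and /sync, and a check that OU=Research users reached the
# instance. Element names, file names, hosts, ports and DNs are the lab's;
# the function names and the log file name are this example's own.
$AdamDir  = Join-Path $env:windir 'ADAM'
$Instance = 'LON-SVR1:50000'

# Task 2 steps 3-5: extend the instance schema and add the sync metadata.
function Import-AdamSyncSchema {
    Push-Location $AdamDir
    try {
        .\ldifde.exe -i -u -f MS-adamschemaw2k8.ldf -s $Instance -j . -c "cn=Configuration,dc=X" "#configurationNamingContext"
        if ($LASTEXITCODE -ne 0) { throw "schema import failed ($LASTEXITCODE)" }
        .\ldifde.exe -i -s $Instance -c "CN=Configuration,DC=X" "#ConfigurationNamingContext" -f MS-AdamSyncMetadata.ldf
        if ($LASTEXITCODE -ne 0) { throw "metadata import failed ($LASTEXITCODE)" }
    } finally { Pop-Location }
}

# Task 2 steps 6-11: set the six elements the lab edits by hand. XPath is
# used so that an empty template element is filled rather than skipped.
function New-AdamSyncConfig {
    param(
        [string]$Template = (Join-Path $AdamDir 'MS-AdamSyncConf.xml'),
        [string]$OutFile  = (Join-Path $AdamDir 'Instance1.xml'),
        [hashtable]$Values = @{
            'source-ad-name'      = 'LON-DC1'
            'source-ad-partition' = 'dc=Adatum,dc=com'
            'source-ad-account'   = 'Administrator'   # a dedicated read-only account is the better choice
            'account-domain'      = 'Adatum.com'
            'target-dn'           = 'dc=Adatum,dc=com'
            'base-dn'             = 'ou=Research,dc=Adatum,dc=com'   # only this OU is copied into the instance
        }
    )
    [xml]$xml = Get-Content -Path $Template -Raw
    foreach ($name in $Values.Keys) {
        $node = $xml.SelectSingleNode("//configuration//$name")
        if (-not $node) { throw "element <$name> not found in $Template" }
        $node.InnerText = $Values[$name]
    }
    $xml.Save($OutFile)
    return $OutFile
}

# Task 2 step 12 and Task 3 step 1. The /log file records what adamsync
# created, modified or deleted on each run, which is worth keeping.
function Invoke-AdamSync {
    param([string]$Config = (Join-Path $AdamDir 'Instance1.xml'), [string]$Partition = 'dc=adatum,dc=com')
    Push-Location $AdamDir
    try {
        .\adamsync.exe /install $Instance (Split-Path $Config -Leaf)
        if ($LASTEXITCODE -ne 0) { throw "adamsync /install failed ($LASTEXITCODE)" }
        .\adamsync.exe /sync $Instance $Partition /log adamsync-instance1.log
        if ($LASTEXITCODE -ne 0) { throw "adamsync /sync failed ($LASTEXITCODE)" }
    } finally { Pop-Location }
}

# Task 3 steps 2-9 without ADSI Edit: list the synchronized objects under
# OU=Research in the instance. adamsync writes users as the proxy class named
# in the template's <user-proxy> section, so both classes are matched.
function Get-AdLdsSyncedUsers {
    param([string]$BaseDn = 'OU=Research,DC=Adatum,DC=com')
    $root     = [adsi]"LDAP://$Instance/$BaseDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(|(objectClass=user)(objectClass=userProxyFull))')
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectClass')) | Out-Null
    $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

# Import-AdamSyncSchema
# New-AdamSyncConfig | Out-Null
# Invoke-AdamSync
# Get-AdLdsSyncedUsers
```

Scoping base-dn to OU=Research is the part of this configuration that matters most from a data-minimisation standpoint: the instance, and anyone who can read it, only ever receives the subset of the domain that the application needs.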

Prepare for the end of the course

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10969B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps two and three for 10969B-LON-SVR1 and 10969B-LON-DC2.

Results: After you have completed this exercise, you will have integrated Active Directory Domain
Services (AD DS) with AD LDS.
