
Windows Server 2008 Directory Services

Lab Manual

Microsoft Confidential - For Internal Use Only


DISCLAIMER
THE CONTENTS OF THIS PACKAGE ARE FOR INFORMATIONAL AND TRAINING PURPOSES ONLY
AND ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. BECAUSE TECHNICAL ISSUES AND
MARKET CONDITIONS MAY REQUIRE CHANGES TO INFORMATION AND SOFTWARE INCLUDED IN
THIS PACKAGE, MICROSOFT CORPORATION (“MICROSOFT®”), AND ITS SUPPLIERS, RESERVE THE
RIGHT TO MAKE SUCH CHANGES WITHOUT NOTICE.

Terms of Use
Microsoft Confidential - For Internal Use Only
© 2008 Microsoft Corporation. All rights reserved.

This content is proprietary and is intended only for use as described in the content provided in this
document. No part of the text or software included in this training package may be reproduced or
transmitted in any form or by any electronic or mechanical means, including photocopying,
recording, or copying to any information storage and retrieval system, without express written
permission from Microsoft.

For more information about use of licensed and copyrighted materials, please visit the Use of
Microsoft Copyrighted Content Web page at http://www.microsoft.com/about/legal/permissions/.

Trademarks
Microsoft®, Internet Explorer, and Windows® are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

12/04/2008
Lab 1: Implementing Windows Server 2008
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-
mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any
real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or
should be inferred. Complying with all applicable copyright laws is the responsibility of the user. These
materials are intended for distribution to and use only by Microsoft Premier Customers. Use or distribution of
these materials by any other persons is prohibited without the express written permission of Microsoft
Corporation. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.

©2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.

Version 1.0
During this lab, you will be introduced to the Initial Configuration Tasks console and
Server Manager on a Windows Server 2008 member server, and to some of the functions
that can be performed using these tools.

Estimated time to complete this lab: 20 minutes

Before You Begin


Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn


After completing this lab, you will be able to:

■ Use Server Manager to perform tasks related to adding roles and features.

Lab Environment
To complete this lab, you will need the following Virtual Machines:

■ 2008-01

Important
You must log on as an administrative user in order to perform all of the tasks in
this lab.

■ Administrative username and password

□ Username: Contoso\Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso

©2008 Microsoft Corporation Microsoft Confidential

1
Exercise 1: Introduction to Server Manager
Scenario
Use the Initial Configuration Tasks console and Server Manager to perform common
tasks.

Tasks
In the following steps, we will examine some of the different types of tasks and
information that can be accessed through Server Manager. We will first examine the
IP address of the network adapter, and then we will enable Remote Desktop through
the Initial Configuration Tasks console. Following that, we will use Server Manager
to add the Terminal Services Role and then the Windows Server Backup Feature.
Lastly, we will view Diagnostics information provided under Server Manager.

Note
If Initial Configuration Tasks has been closed you can run oobe.exe to open it again.

1. Explore the Initial Configuration Tasks console on 2008-01.

a. View the Network Connection properties for the computer.

1) Under section 1. Provide Computer Information, click Configure networking to display the Network Connections dialog box.

2) Right-click Local Area Connection and select Properties.

3) Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

4) View the IP address of this adapter.

5) Close all dialog boxes and return to the Initial Configuration Tasks screen.

b. Enable Remote Desktop

1) Under section 3. Customize This Server, click Enable Remote Desktop. This brings up the Remote tab of System Properties.

2) Select the 2nd option: Allow connections from computers running any version of Remote Desktop (less secure).

Note
The lab picks the less secure option so that any RDP client can connect. With that setting an unauthenticated client is presented with the Windows logon screen, so anyone who can reach TCP port 3389 can attempt logons against the server. Outside the lab, choose the 3rd option, Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure), which requires the client to authenticate before a session is created; Remote Desktop Connection 6.0 and later clients support it.

3) Read the Firewall exception warning message, click OK, and then click OK in System Properties.

4) Notice Remote Desktop now shows as Enabled.

5) Close the Initial Configuration Tasks console. Server Manager should launch automatically after several seconds.
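As an added example (not part of the lab manual), the same change made from PowerShell, but with the hardened Network Level Authentication choice instead of the "any version of Remote Desktop (less secure)" option selected in step b. It assumes Windows Server 2008 or later, an elevated PowerShell session, and the registry values that the Remote tab of System Properties writes (fDenyTSConnections and UserAuthentication); the function names are mine.

```powershell
# Added example (not from the lab manual): enable Remote Desktop with Network Level
# Authentication from PowerShell. Assumes an elevated session on Windows Server 2008+.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpSecurityState {
    # Reads back the two values that the Remote tab of System Properties toggles.
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($deny -eq 0)   # option 2 or 3 in the Remote tab
        NlaRequired          = ($nla  -eq 1)   # option 3 only
    }
}

function Enable-RdpWithNla {
    # Weak setting chosen in the lab (option 2):
    #   fDenyTSConnections = 0, UserAuthentication = 0
    #   -> any RDP client reaches the Windows logon screen before proving who it is.
    # Hardened setting (option 3, "Network Level Authentication (more secure)"):
    #   fDenyTSConnections = 0, UserAuthentication = 1
    #   -> the client must authenticate over CredSSP before a session is created.
    Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

    # The firewall exception the wizard warned about, limited to the built-in
    # Remote Desktop rule group (TCP 3389) rather than a blanket allow.
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes | Out-Null
}

Enable-RdpWithNla
Get-RdpSecurityState
```

Run Get-RdpSecurityState on its own after the lab's GUI steps and you will see NlaRequired reported as False; that is the state the "(less secure)" option leaves behind.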

2. Add the Windows Server Backup Feature from Server Manager

1) Click Features under Server Manager in the left pane.

2) Click Add Features in the right pane. This will launch the Add Features Wizard.

3) Review the available features, expand Windows Server Backup Features, and then select Windows Server Backup.

From the pop-up message, what additional feature is required for Windows Server Backup to be installed?

____________________________________________________________________________________________1

Click Add Required Features and then select Command-line Tools.

From the pop-up message, what additional feature is required for Command-line Tools?

____________________________________________________________________________________________2

Select Add Required Features and then click Next. On the Confirm Installation Selections page, click Install. Once the installation finishes the Installation Results will be displayed; confirm the installation succeeded and click Close.

4) Confirm that Windows Server Backup is listed under the Features Summary in the right pane.

3.

Answers: 1 Windows Recovery Disc; 2 Windows PowerShell

Lab 2: Installing Active Directory Domain Services

During this lab, you will promote a Windows Server 2008 machine that is in a
workgroup to a domain controller in a Windows Server 2003 domain.

Estimated time to complete this lab: 60 minutes

Before You Begin


Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn


After completing this lab, you will be able to:

■ Use new DCPROMO GUI features available in Windows Server 2008

Lab Environment
To complete this lab, you will need the following Virtual Machines:

□ 2003-01

□ 2008-01

Important
You must log on as an administrative user in order to perform all of the tasks in
this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso

Exercise 1: Prepare the domain and forest for the introduction of a Windows Server 2008 domain controller
Scenario
You are the administrator of Contoso.com, a Windows 2003 domain. You are given the
task of introducing a Windows Server 2008 domain controller into your environment.

Pre-Tasks
■ Start the 2003-DC1 Virtual Machine

■ Start the 2008-01 Virtual Machine

Tasks
First, prepare the forest by running adprep /forestprep on 2003-DC1. Then raise the
domain functional level to Windows Server 2003 mode. Finally, prepare the domain
by running domainprep and gpprep.

1. On 2003-01, at the “Welcome to the Windows Setup Wizard” screen, click Next

At the “License Agreement” screen, check the “I accept this agreement” radio button, click
Next

At the “Date and Time Settings” screen, click Next

At the “Network configuration popup”, click “Ok”

Allow time for 2003-01 to boot up completely

2. First, prepare the forest by running adprep /forestprep on 2003-DC1

a. Log on to the Schema Master, 2003-DC1, as Contoso\Administrator.

b. Open a command prompt on 2003-DC1, and change directories to the


Adprep folder:

C:\Sources\ADPrep

©2008 Microsoft Corporation Microsoft Confidential

3
c. At the command prompt, type the following and then press ENTER

adprep /forestprep
d. You will be prompted with an ADPREP WARNING message requesting
confirmation that all Windows 2000 Active Directory Domain Controllers
in the forest are upgraded to Windows 2000 SP4 or later.

a. Type C and then press ENTER. When the process finishes you will
receive a message that Adprep successfully updated the forest-
wide information.

Note
The domain must be in at least Windows 2000 native mode before you can run adprep
/domainprep.

3. Run adprep /rodcprep

a. Open a command prompt, and then change directories to the Adprep folder: C:\sources\adprep

b. At the command prompt, type the following and then press ENTER:

adprep /rodcprep

c. When the command completes the last entry should report:

"Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory c:\windows\debug\adprep\logs\<numerical value> for more information."

d. Review the adprep.log to see the changes made by running adprep /rodcprep.

Note
adprep /rodcprep changes permissions on the domain partitions and on the DNS application partitions (DomainDnsZones and ForestDnsZones) so that read-only domain controllers can replicate them. It must be run by a member of Enterprise Admins and must be able to contact the infrastructure master of each domain and application partition; if one cannot be reached, the log reports that partition as not updated and the command must be re-run after the problem is fixed.
4. Prepare the domain by running domainprep and gpprep on 2003-DC1. (Domainprep runs against the infrastructure master of the domain; in this single-DC domain that is 2003-DC1.)

a. At the command prompt, type the following and then press ENTER:

adprep /domainprep /gpprep

b. When the process finishes you will receive the messages Adprep successfully updated the domain-wide information and Adprep successfully updated the Group Policy Object (GPO) information.

c. Close the command prompt.
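Before promoting the first Windows Server 2008 domain controller it is worth confirming that all four adprep phases actually completed, rather than trusting the console output alone. The following script is an added example and not part of the lab manual: it reads back the version markers that adprep writes into Active Directory using ADSI only, so it runs from PowerShell on the 2003 DC or on 2008-01 without the Active Directory module. The expected values (schema objectVersion 44, forest update revision 2, RODC update revision 2, domain update revision 3) are the published Windows Server 2008 values; the SYSVOL ACE check for gpprep is my own test of gpprep's documented effect, and the function names are mine. It assumes the caller can read the Configuration and domain partitions and the SYSVOL share.

```powershell
# Added example (not from the lab manual): verify adprep /forestprep, /rodcprep,
# /domainprep and /gpprep by reading the markers adprep leaves in the directory.
# Expected values are the published Windows Server 2008 ones; compare with the
# adprep.log under %windir%\debug\adprep\logs if they differ.

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = $rootDse.schemaNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$domainNc = $rootDse.defaultNamingContext.Value
$dnsName  = $rootDse.ldapServiceName.Value.Split(':')[0]   # e.g. contoso.com

function Get-AdPrepRevision([string]$dn) {
    # Each adprep phase records its progress in a 'revision' attribute on a marker
    # object; a missing object means that phase has never been run in this forest/domain.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) { return $null }
    return [int]([ADSI]"LDAP://$dn").revision.Value
}

function Test-AdPrepState {
    $checks = @(
        # Name,                            marker DN,                                                         expected
        @('Schema version (forestprep)', $schemaNc,                                                                44),
        @('Forest updates (forestprep)', "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc",                   2),
        @('RODC updates (rodcprep)',     "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc",               2),
        @('Domain updates (domainprep)', "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc",         3)
    )
    foreach ($c in $checks) {
        $name, $dn, $expected = $c
        if ($name -like 'Schema*') {
            # The schema head carries objectVersion rather than a revision marker.
            $actual = [int]([ADSI]"LDAP://$dn").objectVersion.Value
        } else {
            $actual = Get-AdPrepRevision $dn
        }
        New-Object PSObject -Property @{
            Check    = $name
            Expected = $expected
            Actual   = $actual
            Ok       = ($actual -ne $null -and $actual -ge $expected)
        }
    }

    # gpprep adds an inheritable Read ACE for 'Enterprise Domain Controllers' on the
    # Policies folder in SYSVOL (needed for RSoP planning mode against the new DCs).
    $acl = Get-Acl "\\$dnsName\SYSVOL\$dnsName\Policies"
    $edc = $acl.Access | Where-Object { $_.IdentityReference -like '*Enterprise Domain Controllers' }
    New-Object PSObject -Property @{
        Check    = 'SYSVOL Policies ACE (gpprep)'
        Expected = 'Enterprise Domain Controllers: Read'
        Actual   = ($edc | ForEach-Object { $_.FileSystemRights }) -join ', '
        Ok       = [bool]$edc
    }
}

Test-AdPrepState | Format-Table Check, Expected, Actual, Ok -AutoSize
```

A row with Ok = False tells you which phase to repeat; a null Actual on the RODC row is the usual sign that rodcprep was skipped, which only matters when the RODC lab is reached but is cheaper to fix now while the 2003 DC is still the only DC.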

Exercise 2: Promote a Windows Server 2008 machine to a domain controller in an existing Windows Server 2003 domain
Scenario
You are an administrator for your domain and would like to introduce a Windows
Server 2008 domain controller into your existing Windows Server 2003 domain.

Tasks
1. Promote 2008-01 as a replica domain controller in the Contoso domain by
adding the Active Directory Domain Services role via Server Manager. Then
from a command prompt run DCPromo.exe to start the domain controller
promotion. Use the advanced mode installation option to make the domain
controller a DNS server as well as a Global Catalog. Lastly, export these
dcpromo settings to a text file to be used later in the promotion of another
domain controller. Name the text file 2008-answer.txt and place it in C:\.

a. Add the AD DS role via Server Manager.

1) Log on to 2008-01 as the local Administrator.

2) Launch Server Manager if it is not already open.

a) Click Start, Administrative Tools, and then Server Manager.

3) Select Roles and click Add Roles in the right pane. The Add Roles Wizard will start.

4) On the Before You Begin page click Next.

5) On the Select Server Roles page, select Active Directory Domain Services. Read the Add Roles Wizard pop-up, select the second option, Install AD DS anyway, and click Next.

6) Click Next, review the information on the Active Directory Domain Services page, and then click Next.

7) Review the information on the Confirm Installation Selections page and then click Install.

8) When the Installation Results are displayed, verify that the installation succeeded.

Note
You can launch DCPROMO directly from the Installation Results page: a link in blue states "Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe)". You can start either with step a. or with step b., since b. performs a. automatically (dcpromo installs the AD DS binaries if they are missing).

9) Click Close.

10) Notice Active Directory Domain Services is now listed under Roles in Server Manager but has a red X. Click Active Directory Domain Services and read the Summary.

Note
The Active Directory snap-ins were not installed when the role was added. Adding the role installs the AD DS binaries only; it does not promote the server or automatically start the dcpromo process.

b. Promote the new domain controller.

1) Open a command prompt, type DCPROMO, and then press ENTER. A check runs to determine whether the Active Directory Domain Services binaries are installed. If not, they are installed and the AD DS Installation Wizard launches automatically.

a) ALTERNATIVELY, you can promote the domain controller from the Roles Summary by clicking Active Directory Domain Services (the entry with the red X) and then, under Summary, clicking Run the Active Directory Domain Services Installation Wizard (dcpromo.exe).

Note
Since Terminal Services was installed on this computer during the previous lab, the Active Directory Domain Services Installation Wizard displays a message asking you to confirm a change in the security policy on this computer that allows only Administrator to log on to the computer through Terminal Server.

2) Click OK in the dialog. On the Welcome page, check Use advanced mode installation and then click Next.

3) On the Choose a Deployment Configuration page, select Existing forest and Add a domain controller to an existing domain, then click Next.

4) On the Network Credentials page, type Contoso.com in the box labeled Type the name of any domain in the forest where you plan to install this domain controller.

5) Click Set..., enter the following information as your Network Credentials, and then click OK.

a) User name: Contoso\Administrator

b) Password: P@ssw0rd1

6) Click Next.

7) On the Select a Domain page select Contoso.com (forest root domain) and click Next.

8) In the Select a Site dialog check Use the site that corresponds to the IP address of this computer.

Note
The Windows Server 2008 Active Directory Domain Services Installation Wizard has a new dialog for Additional Domain Controller Options. The options available are:
■ DNS Server
■ Global Catalog
■ Read-only domain controller (RODC)

9) Read the additional information, confirm that both the DNS server and Global catalog options are checked, and then click Next.

10) Read the warning message about delegation for this DNS server and click Yes.

Note
The informational message that is displayed indicates that a delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or does not run Windows DNS Server.
In our case this occurs because contoso.com is our top-level zone and its parent, .com, cannot be found since it does not exist in the lab. The goal of this message is to help IT professionals configure their DNS delegations correctly during the DCPROMO process; in a production forest that does have a parent zone, create the delegation in that zone by hand afterwards so that clients outside the domain can still resolve the new zone.

11) On the Install from Media screen ensure the first option, Replicate data over the network from an existing domain controller, is selected and then click Next.

Note
The second new dialog page added to the Windows Server 2008 Active Directory Domain Services Installation Wizard provides the option to select a source domain controller. Note that the source domain controller must be writable.

12) On the Source Domain Controller screen, select Let the wizard choose an appropriate domain controller and then click Next.

13) On the Location for Database, Log Files, and SYSVOL page leave the default settings and click Next.

14) Provide the password P@ssw0rd1 on the Directory Services Restore Mode Administrator Password page and click Next.

Note
The lab reuses the domain Administrator password as the DSRM password for convenience. The DSRM administrator is a local account that can log on to the DC while AD DS is stopped or offline and has full access to the directory database (NTDS.DIT), so outside the lab give every DC its own DSRM password, store it like any other privileged credential, and rotate it when administrators leave (ntdsutil "set dsrm password" changes it without a reboot).

15) On the Summary page, click Export settings... to create an answer file for use later.

a) Type C:\2008-answer.txt when prompted for the location to save the unattended file, and then click Save and OK.

16) Click Next on the Summary page to begin configuring Active Directory Domain Services.

17) Check the Reboot on completion box on the Active Directory Domain Services Installation Wizard. Once the configuration completes the server will reboot automatically.
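The answer file exported in step 15 is what you would hand to dcpromo /unattend on the next replica DC, and the thing to get right is where the two passwords live. The script below is an added example, not the file the wizard exports and not part of the lab manual: it writes a [DCInstall] section with the same choices the wizard made above (replica in contoso.com, site East, DNS server and global catalog, default paths) and shows the weak form, with both secrets in the file, next to the corrected form. It assumes the Windows Server 2008 dcpromo, which accepts every [DCInstall] key either in the file or as a /Key:Value switch on the command line, with the command line winning on conflict; the function name is mine.

```powershell
# Added example (not from the lab manual): build a dcpromo answer file for a replica DC
# in contoso.com and keep the secrets out of it. Assumes Windows Server 2008 dcpromo.

$answerFile = 'C:\2008-answer.txt'

# Weak form: what you get if you paste the wizard's passwords straight into the file.
# Anyone who can read C:\ later gets the DSRM password (offline access to NTDS.DIT)
# and a domain admin credential.
#   UserName=CONTOSO\Administrator
#   Password=P@ssw0rd1
#   SafeModeAdminPassword=P@ssw0rd1

# Corrected form: Password=* makes dcpromo prompt for the join credential, and the
# DSRM password is supplied at run time instead of being written to disk.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=East
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=contoso.com
UserName=CONTOSO\Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
RebootOnCompletion=Yes
"@
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

function Invoke-ReplicaPromotion {
    # Read the DSRM password interactively, hand it to dcpromo on the command line,
    # and make sure the plaintext copy does not outlive the call.
    $secure = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $proc  = Start-Process -FilePath 'dcpromo.exe' -Wait -PassThru `
                   -ArgumentList "/unattend:$answerFile", "/SafeModeAdminPassword:$plain"
        return $proc.ExitCode
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable plain -ErrorAction SilentlyContinue
    }
}

# Invoke-ReplicaPromotion
```

Passing the DSRM password as a command-line switch narrows the exposure to the lifetime of the dcpromo process (anyone who can list process command lines on the box at that moment can still read it) rather than leaving it in a file on disk; delete the answer file once the promotion has completed in either case, and do not reuse the domain Administrator password for DSRM as the lab does.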

2. Confirm the domain controller is functioning properly.

1) Log on as Contoso\Administrator after the reboot completes.

2) Initial Configuration Tasks will open automatically. Notice that under section 1. Provide Computer Information, the Full Computer Name and Domain are listed.

3) Close Initial Configuration Tasks; Server Manager should start automatically.

4) Confirm Active Directory Domain Services is listed under Roles.

5) From a command prompt type net share and confirm that both SYSVOL and NETLOGON are shared.

6) Select Active Directory Domain Services and review the information in the right pane.

7) Expand Active Directory Domain Services in the left pane and examine the following:

a) Expand Active Directory Users and Computers

(1) Confirm 2008-01 is listed under the Domain Controllers container.

b) Expand Active Directory Sites and Services

(1) Confirm 2008-01 is added in the East site.

(2) Confirm that the 2008-01 NTDS Settings have been created.

8) Verify DNS record registration and DNS settings

a) Verify the following records exist for 2008-01. Expand DNS Server, DNS, 2008-01, Forward Lookup Zones, Contoso.com, and then highlight _tcp. In the right-hand window, ensure that the following records exist for 2008-01:

(1) _LDAP._TCP.Contoso.com

(2) _Kerberos._TCP.Contoso.com

(3) _Kpasswd._TCP.Contoso.com
(4) _GC._TCP.Contoso.com

b) Check the Primary and Alternate DNS server settings

(1) Highlight Server Manager at the top of the left-hand window.

(2) Under Server Summary click View Network Connections.

(3) View the properties of Internet Protocol Version 4 (TCP/IPv4) of the Local Area Connection and notice which IP address is being used as the Alternate DNS server.

(4) Close these properties and return to Server Manager.

9) Under Diagnostics expand Event Viewer and then Windows Logs

a) Select the Application log and confirm SceCli event 1704 is reported.

b) Under Applications and Services Logs select the File Replication Service log and confirm NtFrs event 13516 is reported.

Tip
It may take several minutes for SYSVOL to be shared and for the above events to appear. If you cannot verify these steps after five minutes, stop and start the NTFRS service to resolve this issue.

c) Close Server Manager

10) Open dssite.msc and examine the security descriptor on the DC object. It will display an unresolved security identifier ending in -498, which is by design: 498 is the relative identifier of the Enterprise Read-only Domain Controllers group, and the entry was inherited from the Configuration container.

3. View dcpromo.log and note the day, month and year this machine was promoted to a domain controller.

a. Open the C:\Windows\Debug\DCPROMO.LOG file.

b. Note that the log now records day, month and year in the first column.

1) Example:

10/01/2007 11:03:20 [INFO] Promotion request…

Note
The DCPROMO.LOG in Windows Server 2008 now displays the year in addition to the day and month that the domain controller was promoted.
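The checks in steps 2 and 3 are the ones you repeat on every new DC, so it is worth having them as a script. The following is an added example and not part of the lab manual: it checks the SYSVOL and NETLOGON shares, the SceCli 1704 and NtFrs 13516 events, whether the DC locator already advertises this machine as a writable DC and global catalog, and the promotion timestamp in dcpromo.log. It assumes PowerShell 2.0 running on the new DC itself and uses only WMI, Get-EventLog and nltest.exe, all present on Windows Server 2008; the function name is mine.

```powershell
# Added example (not from the lab manual): post-promotion health check for a new DC.
# Assumes PowerShell 2.0 on the DC; uses WMI, Get-EventLog and nltest.exe only.

function Test-NewDcHealth {
    param([string]$Domain = 'contoso.com',
          [string]$DcPromoLog = "$env:windir\debug\dcpromo.log")

    # 1. SYSVOL and NETLOGON must be shared, otherwise this DC serves no Group Policy
    #    or logon scripts, and clients that pick it will apply policy silently wrong.
    $shares   = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
    $sysvol   = $shares -contains 'SYSVOL'
    $netlogon = $shares -contains 'NETLOGON'

    # 2. SceCli 1704  = security settings from the GPOs applied successfully.
    #    NtFrs 13516  = FRS is no longer preventing this computer from becoming a DC.
    $scecli = Get-EventLog -LogName Application -Newest 500 |
              Where-Object { $_.Source -eq 'SceCli' -and $_.EventID -eq 1704 } |
              Select-Object -First 1
    $ntfrs  = Get-EventLog -LogName 'File Replication Service' -Newest 500 |
              Where-Object { $_.Source -eq 'NtFrs' -and $_.EventID -eq 13516 } |
              Select-Object -First 1

    # 3. Ask the locator for a writable DC and see whether it hands back this machine
    #    with the GC flag set (the two Additional Domain Controller Options chosen).
    $locator    = (nltest /dsgetdc:$Domain /writable 2>&1) -join "`n"
    $advertised = ($locator -match "\\\\$env:COMPUTERNAME\b") -and ($locator -match '\bGC\b')

    # 4. Promotion timestamp: the first column of dcpromo.log now carries day/month/year.
    $promoted = $null
    if (Test-Path $DcPromoLog) {
        $line = Get-Content $DcPromoLog | Where-Object { $_ -match 'Promotion request' } |
                Select-Object -First 1
        if ($line -match '^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})') { $promoted = $matches[1] }
    }

    New-Object PSObject -Property @{
        SysvolShared        = $sysvol
        NetlogonShared      = $netlogon
        SceCli1704          = [bool]$scecli
        NtFrs13516          = [bool]$ntfrs
        AdvertisedAsDcAndGc = $advertised
        PromotedOn          = $promoted
    }
}

$result = Test-NewDcHealth
$result | Format-List
if (-not ($result.SysvolShared -and $result.NtFrs13516)) {
    Write-Warning 'SYSVOL is not ready yet; if this persists after five minutes, run net stop ntfrs followed by net start ntfrs.'
}
```

AdvertisedAsDcAndGc can lag the other checks by a few minutes after the reboot, because the Netlogon service only registers the SRV records and sets the GC flag once the directory partitions have finished their first replication.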

Lab 3: Windows Server 2008 DNS

During this lab, you will configure and troubleshoot DNS.

Estimated time to complete this lab: 75 minutes

Before You Begin


Before starting this lab, you should:

■ Have a basic understanding of DNS

What You Will Learn


After completing this lab, you will be able to:

■ Configure and troubleshoot DNS using NSLOOKUP and NLTEST

Lab Environment
To complete this lab, you will need the following Virtual Machines:

■ 2003-01

■ 2008-01

Important
You must log on as an administrative user in order to perform all of the tasks in
this lab.

■ Administrative username and password

Username: Administrator

Password: P@ssw0rd1

Domain: Contoso

Exercise 1: Use NSLOOKUP to gather IP information

Task 1: Use NSLOOKUP to retrieve the IP address of your current logon server and to test whether forward lookup is working.
1. Log on to 2008-01 as Contoso\Administrator.

2. Open a command prompt, type SET and press Enter.

3. What is your logon server? __________________________1

4. Resolve the IP Address of your logon server using NSLOOKUP. Type the
following statement and press enter:

NSLOOKUP 2008-01
5. What are the IP Addresses?__________________________________2

Exercise 2: Using NSLOOKUP, IPConfig, and NLTEST to test DNS settings
Task 1: Verify the new domain controller SRV records using NSLOOKUP
1. Still from 2008-01 type the following command at the command prompt and
then press Enter:

NSLOOKUP
2. Type the following command and press enter:

set type=all
3. Type the following command and press enter:

_ldap._tcp.dc._msdcs.Contoso.com
4. You should see the result shown in Figure 2.

5. Close the command prompt.

Figure 2: LDAP Servers for Contoso (screenshot of the SRV records returned for _ldap._tcp.dc._msdcs.Contoso.com; not reproduced here)

Task 2: Verify whether you are using a domain controller in your site
using NLTEST and test the next closest site Group Policy Setting
1. On 2008-01, enable next closest site lookups for domain controllers:

a. Open gpedit.msc from the run line.

b. Navigate to Computer Configuration\Administrative


Templates\System\Net Logon\DC Locator DNS Records. Select Try
next closest site, change the setting to Enabled, and then click OK.
Close the Local Group Policy Editor.

c. Open a command prompt and run GPUPDATE /Force.

2. Use the following statement to call and test the DSGetDCName function of the
DClocator service from command line. This will show the enumerated or cached
DC.

NLTEST /DSGETDC:Contoso.com
More info: http://msdn2.microsoft.com/en-us/library/ms675983.aspx

DC name of current DC: _____________________________________________________3

3. Use the following statement to call and test the DsGetDcOpen function (and its DsGetDcNext enumeration) of the DC locator service from the command line. This will show you a list of DCs in a pseudo-random order that takes the SRV record priorities and weights into consideration.

NLTEST /DNSGETDC:Contoso.com
More info: http://msdn2.microsoft.com/en-us/library/ms675985.aspx

DC names of all DCs ________________________________________________________

__________________________________________________________________________________4

4. Use the following statement to locate a writable DC within the set of DCs in the next closest AD site (from the client's perspective) that could authenticate the client:

NLTEST /DSGETDC:Contoso.com /Writable /Try_Next_Closest_Site

Note
Since both DCs are in the same site, you will not actually see a next-closest-site resolution, but during the RODC labs you can run this command again to see a populated response. This command is useful during a support call to show where the DC locator will look for the next closest DC based on ISTG topology data.

5. Use the following statement to force rediscovery of DCs and clear the cached DC and site. This is useful when a DC in the client's site goes down and the client fails over to a DC in another site: the DC locator's sticky behaviour makes the client keep using the remote DC until it becomes unavailable or the client is restarted. In Windows Server 2008 and Windows Vista, however, whenever DsGetDcName retrieves a domain controller name from its cache it checks whether the cached entry has expired and, if so, discards that name and rediscovers a domain controller.

NLTEST /DSGETDC:Contoso.com /force
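Reading nslookup and nltest output off the screen is fine in the lab, but on a support call you usually want the same facts as objects you can compare across clients. The following is an added example, not part of the lab manual, that wraps the queries of Exercises 1 and 2: one function returns the _msdcs SRV records (with the priority and weight that drive the locator's choice), the other parses nltest /dsgetdc into an object and lets you pass the /writable, /try_next_closest_site and /force switches through. It assumes PowerShell 2.0 on a domain member with nslookup.exe and nltest.exe, both of which ship with Windows Server 2008; the function names are mine.

```powershell
# Added example (not from the lab manual): DC locator checks as PowerShell functions.
# Assumes PowerShell 2.0 plus nslookup.exe and nltest.exe on a Windows Server 2008 member.

function Get-DcSrvRecords {
    # Queries the SRV record that every domain-joined client uses to find a DC and
    # returns one object per advertised DC.
    param([string]$Domain = 'contoso.com', [string]$Server = $null)
    $name    = "_ldap._tcp.dc._msdcs.$Domain"
    $cmdArgs = @('-type=SRV', $name)
    if ($Server) { $cmdArgs += $Server }          # optional: ask a specific DNS server
    $text = (& nslookup.exe @cmdArgs 2>&1) -join "`n"

    # nslookup prints each answer as a 4-line group: priority, weight, port, svr hostname.
    $pattern = 'priority\s*=\s*(\d+)\s+weight\s*=\s*(\d+)\s+port\s*=\s*(\d+)\s+svr hostname\s*=\s*(\S+)'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        New-Object PSObject -Property @{
            Target   = $m.Groups[4].Value
            Priority = [int]$m.Groups[1].Value    # lower is preferred
            Weight   = [int]$m.Groups[2].Value    # share of load within a priority
            Port     = [int]$m.Groups[3].Value
        }
    }
}

function Get-LocatedDc {
    # Wraps nltest /dsgetdc (DsGetDcName) and parses its "Key: Value" lines into an object.
    # Extra switches such as /writable, /try_next_closest_site or /force are passed through.
    param([string]$Domain = 'contoso.com', [string[]]$Switches = @())
    $out = & nltest.exe "/dsgetdc:$Domain" @Switches 2>&1
    if ($LASTEXITCODE -ne 0) { throw "nltest failed: $($out -join ' ')" }
    $dc = @{}
    foreach ($line in $out) {
        if ($line -match '^\s*(.+?):\s*(.*)$') { $dc[$matches[1].Trim()] = $matches[2].Trim() }
    }
    New-Object PSObject -Property @{
        DC         = $dc['DC']
        Address    = $dc['Address']
        DcSite     = $dc['Dc Site Name']
        ClientSite = $dc['Our Site Name']
        Flags      = ($dc['Flags'] -split '\s+')
        InOwnSite  = ($dc['Flags'] -match '\bCLOSE_SITE\b')   # DC is in the client's site
    }
}

# Usage on 2008-01:
Get-DcSrvRecords | Format-Table Target, Priority, Weight, Port -AutoSize
$first = Get-LocatedDc                                            # cached answer
$best  = Get-LocatedDc -Switches '/writable', '/try_next_closest_site'
$fresh = Get-LocatedDc -Switches '/force'                          # discard the cache
if (-not $first.InOwnSite) {
    Write-Warning "Using $($first.DC) in site $($first.DcSite), not our site $($first.ClientSite)"
}
```

Comparing $first with $fresh is the quickest way to show the sticky-cache behaviour described in step 5: after a DC in the client's site goes down and comes back, $first keeps naming the remote DC until the cache entry expires, while $fresh names the local one again.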

Exercise 3: GlobalNames Zones
Enable the GlobalNames Zone functionality

Using the command line

1. Log on to 2008-01.

2. Open a command prompt: click Start, right-click Command Prompt, and then click Run as Administrator.

3. Type the following, and then press Enter:

dnscmd 2008-01.contoso.com /config /enableglobalnamessupport 1

Create the GlobalNames Zone

Using the Windows Interface

1. Open the DNS console.

2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.

3. Create a new zone and give it the name GlobalNames.

Note This is not case sensitive: globalnames is also supported.

4. Choose an appropriate storage method and replication scope for the zone.

Note We recommend that you store the zone in AD DS and replicate it to all domain controllers that are DNS servers in the forest. This creates a new AD DS-integrated zone called GlobalNames that is stored in the forest-wide DNS application partition (ForestDnsZones).

Create a Short-Name Resource Record

1. Right-click the GlobalNames zone and select New Host (A or AAAA).

2. In Name type test

3. In IP Address type 10.10.10.55

4. Click Add Host

Use NSLOOKUP to query Global Name Zones

1. Open a command prompt

2. Type NSLOOKUP

3. Type set type=all

4. Type server 2003-01

5. Type test and see the result

6. Type server 2008-01

7. Type test and see if query displays correct results
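The same exercise end to end from dnscmd, as an added example that is not part of the lab manual: it enables GlobalNames support on the server, creates the zone in the forest-wide DNS application partition (the replication scope the note above recommends), adds the short name, keeps dynamic updates off so that only administrators can write to the zone, and then resolves the single-label name against both DNS servers so the difference between the Windows Server 2003 and 2008 answers is visible. It assumes dnscmd.exe and nslookup.exe on 2008-01 and an account with DNS administrator rights in the forest; the names and the 10.10.10.55 address are the lab's, the function names are mine.

```powershell
# Added example (not from the lab manual): GlobalNames zone via dnscmd, then verified
# against both DNS servers. Assumes dnscmd.exe/nslookup.exe on 2008-01.

$dns2008 = '2008-01.contoso.com'
$dns2003 = '2003-01.contoso.com'

function Enable-GlobalNamesZone {
    param([string]$Server, [string]$HostName, [string]$Address)
    # 1. Turn on single-label resolution through the GlobalNames zone on this server.
    #    Every DNS server that should answer single-label queries needs this flag;
    #    the zone replicating to it is not enough.
    & dnscmd $Server /config /enableglobalnamessupport 1 | Out-Null
    # 2. Create the zone AD-integrated and replicated to all DNS servers in the forest.
    & dnscmd $Server /zoneadd GlobalNames /dsprimary /dp /forest | Out-Null
    # 3. Add the short name. GNZ is meant for a small, administrator-maintained set of
    #    names, so leave dynamic updates off: a client must not be able to register a
    #    name like "intranet" that every machine in the forest will then resolve.
    & dnscmd $Server /recordadd GlobalNames $HostName A $Address | Out-Null
    & dnscmd $Server /config GlobalNames /allowupdate 0 | Out-Null
}

function Resolve-SingleLabel {
    # Returns the A record answer for a single-label name from the given server, or
    # $null when the server cannot resolve it. nslookup appends the client's DNS suffix,
    # so the query reaching the server is for test.contoso.com; a Windows Server 2008
    # server with GNZ enabled falls back to the GlobalNames zone when that name is
    # not in the authoritative zone, a Windows Server 2003 server simply answers NXDOMAIN.
    param([string]$Name, [string]$Server)
    $text = (& nslookup.exe -type=A $Name $Server 2>&1) -join "`n"
    if ($text -match 'Name:\s*(\S+)\s+Address(?:es)?:\s*([\d\.]+)') { return $matches[2] }
    return $null
}

Enable-GlobalNamesZone -Server $dns2008 -HostName 'test' -Address '10.10.10.55'
"2003-01 answers: " + (Resolve-SingleLabel -Name 'test' -Server $dns2003)   # expected: nothing
"2008-01 answers: " + (Resolve-SingleLabel -Name 'test' -Server $dns2008)   # expected: 10.10.10.55
```

If 2008-01 also returns nothing, check step 1 first: the /enableglobalnamessupport flag is per server and is the most common thing forgotten when the zone itself has clearly replicated.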

Answers:
1 LOGONSERVER=\\2008-01
2 172.24.1.2
3 DC: \\2008-01.contoso.com
4 2003-dc1.contoso.com, 2008-01.contoso.com

Lab 4: Implementing RODC
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-
mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any
real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or
should be inferred. Complying with all applicable copyright laws is the responsibility of the user. These
materials are intended for distribution to and use only by Microsoft Premier Customers. Use or distribution of
these materials by any other persons is prohibited without the express written permission of Microsoft
Corporation. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.

©2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.

Version 1.0

During this lab, you will prepare the forest and domain for the introduction of
Windows Server 2008 Read Only Domain Controllers. You will also install the RODC
and understand its features.

Estimated time to complete this lab: 90 minutes

Before You Begin


Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn


After completing this lab, you will be able to:

■ Understand the preparation and installation of a Windows Server 2008 Read Only Domain Controller.

■ Understand the new features and functionality of an RODC

Lab Environment
To complete this lab, you will need the following Virtual Machines:

■ 2003-01

■ 2008-01

■ 2008-02

■ Vista-01

Important
You must log on as an administrative user in order to perform some of the tasks
in this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso

Exercise 1: Prepare Windows Server 2003 domain for
the installation of a Read Only Domain Controller
Scenario
You are the administrator of Contoso.com domain and have branch offices where
physical security cannot be guaranteed. You have decided to install a Read Only
Domain Controller (RODC) in your branch office.

Tasks
1. Prepare the contoso.com domain (Windows Server 2003 domain) for the RODC installation.

a. Ensure that the forest functional level is Windows Server 2003.

1) Log onto the domain controller 2003-DC1 as contoso\administrator.

2) Open Active Directory Domains and Trusts. Click the Action menu and choose Raise Forest Functional Level. When the Raise forest functional level dialog opens, check that the forest functional level is set to Windows Server 2003.

Note Two further RODC prerequisites are not covered by this exercise: adprep /rodcprep must have been run once in the forest, and the domain must already contain at least one writable Windows Server 2008 domain controller (2008-01 in this lab).

Exercise 2: Install an RODC on a full installation of Windows Server 2008
Scenario
Now that you have prepared your domain for the RODC installation, you want to delegate the ability to attach the server that will be the RODC in your branch office to a user, Susan Burk. You have therefore decided to perform a staged installation of the RODC and use this method to add users, computers and groups to the Password Replication Policy.

Tasks
1. Configure network settings on 2008-02 and Vista-01 to place them in the 10.1.2.x subnet that maps to the West site, then join Vista-01 to the Contoso.com domain.

2. Log onto Vista-01 using the local Administrator account

User: Administrator

Password: P@ssw0rd1

a. Disable cached domain logons on Vista-01, so that the offline logon test later in this lab proves that the RODC authenticated the user rather than the client's own logon cache.

1) Launch Regedit.exe on Vista-01.

2) Expand HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

3) Set the CachedLogonsCount value to 0, and then close regedit.exe.

b. Join Vista-01 to contoso.com and reboot the client afterwards.

3. Pre-create a Read Only Domain Controller account using Active Directory Users and Computers on 2008-01.

a. Log onto the domain controller 2008-01 as Contoso\administrator

b. Launch Server Manager if it is not already open.

c. Expand Roles, Active Directory Domain Services, Active Directory Users and Computers and then Contoso.com.

d. Right-click the Domain Controllers container and select Pre-create Read-only Domain Controller account.

e. Select the check box for Use advanced mode installation and click Next.

f. On the Network Credentials page verify My current logged on credentials (CONTOSO\administrator) is selected and click Next.

g. On the Specify Computer Name page provide 2008-02 as the computer name and click Next.

h. On the Select a Site page select West and click Next.

i. On the Additional Domain Controller Options page, ensure DNS server and Global Catalog are checked and that Read-only domain controller (RODC) is checked but grayed out. Click Next.

j. On the Specify the Password Replication Policy page notice that only the Allowed RODC Password Replication Group is set to Allow under Settings; the other default entries (Administrators, Account Operators, Server Operators, Backup Operators and the Denied RODC Password Replication Group) are set to Deny, so the secrets of those accounts are never cached on the RODC. Click Add.

k. On the Add Groups, Users and Computers dialog choose Allow passwords for the account to replicate to this RODC and click OK.

1) Add user Don Hall and computer Vista-01 and click OK. Ensure Don Hall and Vista-01 have been added with the setting of Allow. Click Next.

l. On the Delegation of RODC Installation and Administration page click Set…, on the Select User or Group dialog add Susan Burk, and click OK. Click Next and then Next again to create the Read Only Domain Controller computer account. Click Finish.

m. Notice the computer account created in the Domain Controllers container is listed as type: Unoccupied DC Account (Read-only, GC)

4. Install the Active Directory Domain Services role.

a. Log onto 2008-01 and reset the password for Susan Burk to P@ssw0rd1

b. Log onto 2008-02 as the local Administrator with the password P@ssw0rd1

c. Launch Server Manager and select Roles. Click Add Roles in the right pane. The Add Roles Wizard starts. On the Before You Begin page click Next.

d. On the Select Server Roles page select Active Directory Domain Services and click Next.

e. Review the information on the Active Directory Domain Services page and click Next.

f. On the Confirm Installation Selections page, click Install.

g. Once the installation finishes click Close.

5. Promote 2008-02 as a Read Only Domain Controller using the delegated account.

a. Click Start, Run and type: dcpromo /UseExistingAccount:Attach and then click OK.

b. On the Active Directory Domain Services Installation Wizard check the box for Use advanced mode installation and click Next.

c. On the Network Credentials page, provide Contoso.com as the domain name and click Set… Provide SBurk as the user name and P@ssw0rd1 as the password, click OK and then Next. Susan Burk does not need to be a member of Domain Admins: the delegation set in step 3.l is what allows her account to attach this server to the pre-created RODC account.

d. On the Select Domain Controller Account page select 2008-02 and click Next.

e. Select Yes if it reports a message indicating this computer has one or more network adapters without any static IP address settings… Click Next

f. On the Install from Media page ensure Replicate data over the network from an existing domain controller is selected and click Next.

g. On the Source Domain Controller page ensure Let the wizard choose an appropriate domain controller is selected and click Next.

h. On the Location for Database, Log Files, and SYSVOL page leave the default entries and click Next.

i. On the Directory Services Restore Mode Administrator Password page provide the password P@ssw0rd1 and click Next.

j. On the Summary page click Next and choose Reboot on completion from the Active Directory Domain Services Installation Wizard.

6. Verify the installation of Active Directory

a. After the computer reboots allow the replication to take place.

b. Logon as Contoso\SBurk

c. Start Server Manager and confirm that Active Directory Domain Services is listed under Roles.

d. What happens if you attempt to add the user accounts for Susan Burk and Don Hall to the Domain Admins group? Why?

__________________________________________________________________________________________

__________________________________________________________________________________________1

7. For the purpose of this lab confirm successful replication to 2008-02

a. Logon on 2008-01 as Contoso\Administrator

b. Force 2008-02 to inbound replicate the domain partition from 2008-01 using:

repadmin /replicate 2008-02 2008-01 dc=contoso,dc=com

c. Log on to 2008-02 as Contoso\Administrator

Note: You may get an error when trying to log onto 2008-02 for the first time because the RODC's trust account is not yet valid. If so, force inbound replication on 2008-02 before trying again.

d. Force FRS to poll AD by running ntfrsutl poll /now on 2008-02

Exercise 3: Test the Password Replication Policy

Scenario
As an administrator for the Contoso domain, you are curious to find out what new attributes support the Password Replication Policy. You understand that the Password Replication Policy is the mechanism for determining whether a user's or computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008; an account that falls under both the Allowed and the Denied list is denied.

Tasks
1. View the following attributes that have been added to the Active Directory schema to support RODC credential caching:

msDS-Reveal-OnDemandGroup
msDS-NeverRevealGroup
msDS-RevealedList
msDS-AuthenticatedToAccountList

a. Log on to 2008-01 as Contoso\administrator

b. Launch Server Manager if it is not already open.

Click Start, Administrative Tools, and then Server Manager

c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers, Contoso.com and then select the Domain Controllers OU

d. Enable Advanced Features by clicking on the View menu and then Advanced Features

e. Select 2008-02 from the right pane

f. Right-click it and select Properties

g. Select the Attribute Editor tab

h. Click on Filter and select Constructed and Backlinks

i. Now under the Attributes list, you will see the following attributes listed:

 msDS-Reveal-OnDemandGroup: commonly known as the Allowed List

 msDS-NeverRevealGroup: commonly known as the Denied List

 msDS-RevealedList: commonly known as the Revealed List, the accounts whose secrets are currently stored on this RODC (a constructed attribute, which is why the filter above is needed)

 msDS-AuthenticatedToAccountList: commonly known as the Authenticated to List, the accounts that have authenticated through this RODC whether or not their secrets were cached (a back link)

Scenario
During the installation of the RODC you set a policy allowing the passwords of the Vista-01 machine account and of the user Don Hall to be cached on the RODC. You now want Don Hall, a user in the branch office, to log on to Vista-01. After the user and machine successfully authenticate, you expect their passwords to be stored on the RODC.

Tasks
1. Pause the 2003-01 Virtual Machine from within the Virtual Server Administration website or the Virtual PC settings. A Windows Server 2003 domain controller does not recognize the Windows Server 2008 RODC as a domain controller for site-coverage purposes, so automatic site coverage makes the 2003 server register its own SRV records for the West site. We pause the 2003 domain controller to prevent it from accepting the authentication request from our Vista-01 client, which would bypass the RODC.

2. Log onto 2008-01 and reset the password for Don Hall to P@ssw0rd1

3. Restart Vista-01, then log on to Vista-01 as contoso\dhall


4. Log on to 2008-02 as contoso\SBurk. View the credentials currently cached on the RODC. Ensure Don Hall and Vista-01 are cached. Review which accounts have been authenticated to the RODC.

a. Log on to 2008-02 as Contoso\SBurk.

b. Launch Server Manager if it is not already open.

1) Click Start, Administrative Tools, and then Server Manager

c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers.

d. Expand Contoso.com and then select the Domain Controllers container.

e. In the details pane, right-click 2008-02 and select Properties.

f. Click the Password Replication Policy tab.

g. Click on Advanced.

h. From the drop-down list, select Accounts whose passwords are stored on this Read-only Domain Controller and ensure Don Hall and Vista-01 are cached.

i. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller and list the accounts that have been authenticated to the RODC.

5. Log off Vista-01

Scenario
Don Hall, a user in the branch office, wants to log on to his machine, Vista-01. However, the WAN connection is down and the branch office, which belongs to the site West, only contains an RODC. You understand that the RODC will be able to authenticate Don Hall and Vista-01 because their credentials have been successfully cached on the RODC.

Tasks
1. Pause 2008-01 to simulate a broken WAN link.

2. Log on to the Vista-01 machine as Don Hall (this should be successful: both the user's and the computer's secrets are held by the RODC, so no writable domain controller is needed)

3. Resume the virtual machines 2008-01 and 2003-01

Exercise 4: Administrator Role Separation
Scenario
You are the administrator of the Contoso domain and would like to create a local
administrator role for the RODC and add a user to that role

Tasks
1. Configure Administrator Role Separation for an RODC

a. Log on to 2008-02 as Contoso\administrator

b. Launch a command prompt, type dsmgmt and then press ENTER

c. At the DSMGMT prompt, type local roles and then press ENTER

d. Type add contoso\bsmith Administrators. It will report the message Successfully updated local role.

Note This delegation is held on the RODC only. It gives bsmith administrative rights on that server (for example to install drivers and updates) without adding the account to any domain group. Type list roles and show role Administrators at the same prompt to review what has been delegated.

2. Type Quit two times

3. Close the command prompt

4. Log onto 2008-02 using the contoso\bsmith account

Exercise 5: Dump the RODC machine accounts

Scenario
You are the administrator of the Contoso domain. You want to quickly find out how many RODCs you have in your domain. You want to achieve this by using the command line.

Tasks
1. Use DSQuery and NLTest to discover the RODCs in the domain.

a. Open a command prompt on 2008-01.

b. Type dsquery server -isreadonly and view the results.

c. Type nltest /dclist:Contoso.com and compare the list of all domain controllers with the output of the previous command.

Exercise 6: Reset the credentials cached on the stolen
RODC and delete the RODC
Scenario
You are the administrator of the Contoso domain. You just found out that the RODC in your branch office has been stolen. You are concerned that some of your users' passwords are cached on the RODC. You are going to take the appropriate steps to reset the credentials currently cached on the RODC.

Tasks
1. Review how to reset the credentials that are cached on the RODC

a. Log on to 2008-01 as Contoso\Administrator

b. Launch Server Manager if it is not already open.

Click Start, Administrative Tools, and then Server Manager

c. Navigate to Roles, Active Directory Domain Services, Active Directory Users and Computers

d. Expand Contoso.com and then select the Domain Controllers container

e. In the details pane, right-click 2008-02 and select Delete

f. To confirm deletion, click Yes

g. It will launch the Deleting Domain Controller dialog box

1) Review the following options:

○ Reset all passwords for user accounts that were cached on this Read-only Domain Controller

○ Reset all passwords for computer accounts that were cached on this Read-only Domain Controller

○ Export the list of accounts that were cached on this Read-only Domain Controller to this file (leave this unchecked for the lab)

Note In a real theft, select both reset options and export the list. The exported list tells you which users need a new password and which computers have lost their secure channel (a computer whose account password is reset must be re-joined to the domain). Only the accounts in the Revealed List are affected; accounts covered by the Denied list, such as members of Administrators, were never cached on the RODC and do not need to be reset.

h. Click Cancel. Do NOT click Delete! The RODC is needed for a later lab.

Answer to footnote 1 (Exercise 2, step 6.d): The options are grayed out and the user is unable to make changes. The RODC holds a read-only replica, so Active Directory Users and Computers connected to it cannot write; the change would have to be made against a writable domain controller, and Susan Burk, who is not a domain administrator, has no rights to do that either.
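The Exercise 3 lists and the Exercise 6 response can both be driven from the command line. The following is an added example and is not part of the lab text. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later), PowerShell 3.0 or later and a domain administrator session; 2008-02 is the lab's RODC, and the CSV path in the usage comment is chosen for this example. Get-RodcPrpReport reads the same four lists the Attribute Editor shows and also points out accounts that authenticated through the RODC without being cached. Invoke-StolenRodcResponse does what the deletion dialog's reset options do, but exports the list first and supports -WhatIf.

```powershell
# Added example, not part of the original lab: inspect an RODC's Password Replication
# Policy and respond to a stolen RODC from PowerShell.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # for [System.Web.Security.Membership]::GeneratePassword

function Get-RodcPrpReport {
    # The four lists the lab inspects in the Attribute Editor, read through the cmdlets
    # that evaluate msDS-Reveal-OnDemandGroup, msDS-NeverRevealGroup, msDS-RevealedList
    # and msDS-AuthenticatedToAccountList on the RODC's computer object.
    param([Parameter(Mandatory = $true)][string]$Rodc)

    $allowed       = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    $denied        = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    $revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    $authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)

    # Accounts that authenticated through the RODC but whose secrets are not cached:
    # every logon for these still depends on the WAN link to a writable DC.
    $revealedDns = @($revealed | ForEach-Object { $_.DistinguishedName })
    $notCached   = @($authenticated | Where-Object { $revealedDns -notcontains $_.DistinguishedName })

    [pscustomobject]@{
        Rodc                   = $Rodc
        AllowedList            = @($allowed       | ForEach-Object { $_.Name })
        DeniedList             = @($denied        | ForEach-Object { $_.Name })
        RevealedAccounts       = @($revealed      | ForEach-Object { $_.Name })
        AuthenticatedNotCached = @($notCached     | ForEach-Object { $_.Name })
    }
}

function Invoke-StolenRodcResponse {
    # Export the accounts whose secrets were on the RODC, then reset their passwords.
    # Users get a random password and must change it at next logon; computers lose their
    # secure channel and must be re-joined, which is why the list is exported first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Rodc,
        [Parameter(Mandatory = $true)][string]$ExportPath
    )

    $cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    $cached | Select-Object Name, ObjectClass, DistinguishedName |
        Export-Csv -Path $ExportPath -NoTypeInformation

    $reset = 0
    foreach ($account in $cached) {
        # The RODC's own computer account and its krbtgt_<id> account also appear in the
        # revealed list; handle them by deleting the RODC account itself (Exercise 6),
        # not by a password reset.
        if ($account.Name -eq $Rodc -or $account.Name -like 'krbtgt_*') { continue }

        if ($PSCmdlet.ShouldProcess($account.DistinguishedName, 'Reset password')) {
            $plain       = [System.Web.Security.Membership]::GeneratePassword(24, 6)
            $newPassword = ConvertTo-SecureString $plain -AsPlainText -Force
            Set-ADAccountPassword -Identity $account.DistinguishedName -Reset -NewPassword $newPassword
            if ($account.ObjectClass -eq 'user') {
                Set-ADUser -Identity $account.DistinguishedName -ChangePasswordAtLogon $true
            }
            $reset++
        }
    }
    $reset   # number of accounts whose password was reset
}

# Usage, from 2008-01:
#   Get-RodcPrpReport -Rodc 2008-02 | Format-List
#   Invoke-StolenRodcResponse -Rodc 2008-02 -ExportPath C:\Cached-2008-02.csv -WhatIf
```

Run the response function with -WhatIf first; it lists every account that would be touched without changing anything, which is the same information the lab's dialog offers to export.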
Lab 5: Server Core
During this lab, you will promote a Windows Server 2008 server core machine into
the contoso.com domain. You will also learn how to perform basic administrative
tasks from the command line.

Estimated time to complete this lab: 60 minutes

Before You Begin


Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server

What You Will Learn


After completing this lab, you will be able to:

■ Configure IPv4 addresses with Netsh

■ Add a Server Role with ocsetup

Lab Environment
To complete this lab, you will need the following Virtual Machines:

■ 2008-core-01

■ 2008-01

■ 2003-01

You must log on as an administrative user in order to perform some of the tasks in
this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

Exercise 1: Configure the IP Address with Netsh
Scenario
You have a fresh install of Windows Server 2008 Core. You are tasked with setting
the IP address in a manner that is consistent with corporate guidelines.

Tasks
1. Use Netsh to configure TCP/IP properties

a. At the command prompt type netsh and press ENTER

b. Type interface and press ENTER

c. Type ipv4 and press ENTER

d. Type show interfaces and press ENTER to show the list of network adapters

e. Note that Idx is 2 for the Local Area Connection network adapter. Use the value shown on your machine in the following commands.

f. Type the following to set the IP address and subnet mask (the command as written sets no default gateway; append the gateway address as a further argument if one is required):

set address "2" static 10.1.1.2 255.0.0.0

g. Type the following to set the primary DNS server:

add dnsserver "2" 10.1.1.4 1

h. Type exit and press ENTER

i. Verify the IP configuration information

 At the command prompt type the following and then press ENTER
ipconfig /all

2. Change the hostname to 2008-Core-01

a. At the command prompt type the following:

netdom renamecomputer %computername% /newname:2008-Core-01

b. Enter Y to confirm and press ENTER

c. Reboot the machine by typing:

shutdown /r /t 0
Exercise 2: Configure 2008-core-01 so that it can be
controlled remotely
Scenario
2008-core-01 will be in a remote location. Make sure it will be possible to connect
to the server using RDP.

1. Enable Remote Desktop

a. At the command prompt type the following and then press ENTER
cscript C:\Windows\System32\scregedit.wsf /ar 0

Note
cscript C:\Windows\System32\scregedit.wsf /cli will show you several other options. Leave the /cs setting at its default of 1 so that only Remote Desktop clients that support Network Level Authentication can connect; /cs 0 would allow older clients to connect without it.

2. Connect to 2008-core-01 remotely

a. Log onto 2008-01 as contoso\administrator

b. Launch MSTSC

c. Type 2008-core-01 and click Connect

d. Log on as the local Administrator of 2008-core-01 with the password P@ssw0rd1

e. Verify RDP is now available on 2008-core-01

Exercise 3: Add the Windows Server Backup Feature

Scenario
All servers need backup. Please add the Windows Server Backup feature to 2008-core-01. We will use this feature in a later lab.

1. Add the Windows Server Backup Feature with OCsetup

a. At the command prompt type the following and then press ENTER
start /w ocsetup WindowsServerBackup

Note: ocsetup package names are case sensitive; WindowsServerBackup must be typed exactly as shown.

b. Once the process is completed, you will see the command prompt again

c. Confirm that the feature is added by typing the following command
oclist

d. Confirm it shows "Installed" for WindowsServerBackup

Exercise 4: Add the DNS Server Role with OCsetup

Scenario
In preparation for promotion to a domain controller, add the DNS Server role to 2008-core-01.

1. Add the DNS Server Role with OCsetup

a. At the command prompt type the following and then press ENTER
start /w ocsetup DNS-Server-Core-Role

Note: Using the /w switch prevents the command prompt from returning until the installation completes. Without the /w switch there is no indication that the installation completed.

b. Once the process is completed, you will see the command prompt again

c. Confirm that the role is added by typing the following
oclist

d. Confirm it shows "Installed" for DNS-Server-Core-Role

2. Manage the DNS server role remotely

a. Log onto 2008-01 as contoso\administrator

b. Launch dnsmgmt.msc

c. Right-click DNS; select Connect to DNS Server…

d. Select The following computer: and enter 2008-core-01 and click OK

Exercise 5: Promote the Server Core box into the contoso.com domain using the answer file created in a previous lab
Scenario
You are testing the use of Server Core domain controllers in your enterprise. Please promote 2008-core-01 as a new domain controller in contoso.com using an unattend file (the unattend file was created in a previous lab).

1. Run Dcpromo with the answer file.

a. Copy the unattended installation file created in lab 3 to 2008-core-01.

b. Open the file in notepad.exe.

c. Find the SafeModeAdminPassword field and set it to P@ssw0rd1

d. At the command prompt type the following and then press ENTER
dcpromo /unattend:2008-answer.txt

e. It will check whether the Active Directory Domain Services binaries are installed. If not, it will install them and then start the Active Directory Domain Services setup.

f. When prompted, enter P@ssw0rd1 as the administrator password.

g. Once the installation completes, it will restart the server.

h. Log on as contoso\administrator after the reboot completes.

i. At the command prompt type the following and then press ENTER
netsh firewall show state
Notice the firewall is enabled.

j. At the command prompt, type the following and then press ENTER
net share

k. Confirm SYSVOL and NETLOGON are shared.

Note The answer file holds the Directory Services Restore Mode password in clear text. Delete it from 2008-core-01, and from wherever it was copied from, once the promotion has completed.

Lab 6: Directory Services Auditing Changes
During this lab, you will perform hands-on exercises with Windows Server 2008 directory service auditing.

Estimated time to complete this lab: 60 minutes

Before You Begin


Before starting this lab, you should:

■ Have a basic understanding of directory service auditing changes.

What You Will Learn


After completing this lab, you will be able to:

■ Enable and disable auditing

■ Understand the new auditing event IDs

Lab Environment
To complete this lab, you will need the following Virtual Machines:

■ 2008-01

You must log on as an administrative user in order to perform all of the tasks in this
lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso

Exercise 1: Review DS Auditing changes in Windows
Server 2008
Scenario
You are an administrator of the Contoso domain and would like to view the changes to auditing in Windows Server 2008.

Tasks
1. Review the Audit Policy settings under the Default Domain Policy.

a. Log on to 2008-01 as Contoso\administrator

b. Launch Server Manager if it is not already open.

c. Expand Features

d. Expand Group Policy Management

e. Expand Forest: Contoso.com

f. Expand Domains

g. Expand Contoso.com

h. Expand Group Policy Objects

i. Select Default Domain Policy

j. Right-click it and select Edit...

k. In Group Policy Management Editor, select Audit Policy under Computer Configuration, Windows Settings, Security Settings, Local Policies

l. Review the audit policies and policy settings in the details pane

m. Close Group Policy Management Editor

2. Review the Audit Policy settings under the Default Domain Controllers Policy. Ensure the policy setting for the directory service access audit policy is set to Success

a. Select Default Domain Controllers Policy under Group Policy Objects in Server Manager

b. Right-click it and select Edit...

c. In Group Policy Management Editor, select Audit Policy under Computer Configuration, Windows Settings, Security Settings, Local Policies

d. Review the audit policies and policy settings in the details pane

e. Confirm the Policy Setting for Audit directory service access is set to Success.

f. Close Group Policy Management Editor

3. View the subcategories of DS Access with auditpol.exe and ensure that Directory Service Changes is set to Success

Note Windows Server 2008 splits the Audit directory service access category into four subcategories: Directory Service Access, Directory Service Changes, Directory Service Replication and Detailed Directory Service Replication. The Group Policy setting reviewed above enables the whole category; the subcategory view below shows what is actually in effect. auditpol /clear removes every audit setting on the local machine, including settings applied by Group Policy until the next policy refresh, so use it on lab machines only.

a. Launch a command prompt

1) Click on Start, type cmd and press ENTER

b. Type auditpol /clear

c. Type auditpol /set /category:"DS Access" /success:enable

d. Type auditpol /get /category:"DS Access"

e. List the subcategories and the setting for each subcategory

_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

f. Confirm Directory Service Changes is set to Success

g. Close the command prompt
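The check in task 3 is one you will want to repeat on every domain controller. The following is an added example and is not part of the lab text: it parses the CSV that auditpol /get /category:"DS Access" /r prints and reports whether each required subcategory is enabled. The sample output below is constructed to look like that CSV (machine name and settings are made up for the example) and deliberately leaves Directory Service Changes at No Auditing so that the check has something to report. It assumes PowerShell 3.0 or later.

```powershell
# Added example, not part of the original lab: verify the DS Access subcategory settings.

# Constructed sample of "auditpol /get /category:"DS Access" /r" output.
$SampleAuditpolCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
2008-01,System,Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030},Success,
2008-01,System,Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030},No Auditing,
2008-01,System,Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030},Success,
2008-01,System,Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030},No Auditing,
'@

function Test-DsAccessAudit {
    param(
        [Parameter(Mandatory = $true)][string[]]$CsvLines,
        # Subcategory -> minimum required setting; the defaults are what this lab expects.
        [hashtable]$Required = @{
            'Directory Service Access'  = 'Success'
            'Directory Service Changes' = 'Success'
        }
    )
    # auditpol prints a leading blank line; drop empty lines before parsing.
    $rows = $CsvLines | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv

    foreach ($name in $Required.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Missing' }
        # "Success and Failure" satisfies either single requirement.
        $satisfied = switch ($Required[$name]) {
            'Success'             { @('Success', 'Success and Failure') -contains $actual }
            'Failure'             { @('Failure', 'Success and Failure') -contains $actual }
            'Success and Failure' { $actual -eq 'Success and Failure' }
            default               { $false }
        }
        [pscustomobject]@{
            Subcategory = $name
            Required    = $Required[$name]
            Actual      = $actual
            Compliant   = [bool]$satisfied
        }
    }
}

function Get-DsAccessAuditCsv {
    # Live output from the local machine; run from an elevated prompt on the DC.
    auditpol /get /category:"DS Access" /r
}

# Offline run over the constructed sample:
Test-DsAccessAudit -CsvLines ($SampleAuditpolCsv -split "`r?`n") | Format-Table -AutoSize

# Live check on 2008-01, showing only what is wrong:
#   Test-DsAccessAudit -CsvLines (Get-DsAccessAuditCsv) | Where-Object { -not $_.Compliant }
```

Pass a different -Required table to check other baselines, for example adding Directory Service Replication when replication auditing is wanted.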

Exercise 2: DS Auditing of Creation, Modification and Moving of AD Objects
Scenario
You are an administrator of the Contoso domain and would like to audit the creation, modification and moving of AD objects.

Tasks
1. Ensure the audit policy is enabled (completed in Exercise 1)

2. Create an OU called AuditTest and set up auditing on the OU created

a. Launch Server Manager if it is not already open.

b. Expand Server Manager

c. Expand Roles

d. Expand Active Directory Domain Services

e. Expand Active Directory Users and Computers

f. Select Contoso.com

g. Right-click it and select New, Organizational Unit

h. Type AuditTest in the Name of New Object and click OK

i. Right-click AuditTest in Contoso.com and click Properties

j. Confirm Advanced Features is enabled in the View menu in order for you to view the Security tab.

k. Select the Security tab, click Advanced and select the Auditing tab.

l. Click Add

m. Under Enter the object name to select, type Authenticated Users and then click OK.

n. In Apply onto, confirm This object and all descendant objects is selected.

o. Under Access, select the Successful check box for Write all properties, Create all child objects and Delete all child objects. This will also check successful audit for several other accesses.

Note Enabling the Directory Service Changes subcategory is not enough on its own: 5136/5137 events are only written for objects whose SACL (this Auditing tab) requests auditing of the operation. Both the policy and the SACL are required.

p. Click OK until you exit the property sheet for the OU.

3. Create a user called AuditTest1 in OU AuditTest

a. Right click OU AuditTest, select New, User

b. Type AuditTest1 in First name and User logon name


c. Click on Next

d. Type P@ssw0rd1 in Password and confirm password.

e. Click on Next and then Finish

4. View security logs to review audit event generated

a. In Server Manager, Expand Diagnostics and then Event Viewer

b. Expand Windows Logs

c. Select Security log

d. The log shows Directory Service Changes event 5137 indicating creation
of new directory service object:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/1/2007 11:50:48 AM
Event ID: 5137
Task Category: Directory Service Changes
Level: Information
Keywords: Audit Success
User: N/A
Computer: 2008-01.Contoso.com
Description:
A directory service object was created.

Subject:
Security ID: CONTOSO\Administrator
Account Name: Administrator
Account Domain: CONTOSO
Logon ID: 0x18b1d
Directory Service:
Name: Contoso.com
Type: Active Directory Domain Services
Object:
DN: cn=AuditTest1,ou=AuditTest,DC=Contoso,DC=com
GUID: CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
Class: user
Operation:
Correlation ID: {57586991-b6fd-49e8-b52b-6cdb19067268}
Application Correlation ID: -
5. Rename the user's First Name to Test1000

a. Switch back to Active Directory Users and Computers in Server Manager
b. Select user AuditTest1

c. Right click it and select Properties

d. Change First name to Test1000

e. Click on OK

6. Review the security logs to review audit event generated

a. In Server Manager, Expand Diagnostics and then Event Viewer

b. Expand Windows Logs

c. Select Security log

d. The log shows two Directory Service Changes events 5136. The first one
shows Operation type: Value deleted for givenName AuditTest1 and the
second one shows Operation type: Value added for givenName with value
Test1000.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/1/2007 2:04:51 PM
Event ID: 5136
Task Category: Directory Service Changes
Level: Information
Keywords: Audit Success
User: N/A
Computer: 2008-01.Contoso.com
Description:
A directory service object was modified.
Subject:
Security ID: CONTOSO\Administrator
Account Name: Administrator
Account Domain: CONTOSO
Logon ID: 0x18b1d
Directory Service:
Name: Contoso.com
Type: Active Directory Domain Services
Object:
DN: CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
GUID: CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
Class: user
Attribute:
LDAP Display Name: givenName
Syntax (OID): 2.5.5.12
Value: AuditTest1
Operation:
Type: Value Deleted
Correlation ID: {b87e4c30-c6cd-44cf-947b-09ee52dd25e9}
Application Correlation ID: -

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/1/2007 2:04:51 PM
Event ID: 5136
Task Category: Directory Service Changes
Level: Information
Keywords: Audit Success
User: N/A
Computer: 2008-01.Contoso.com
Description:
A directory service object was modified.
Subject:
Security ID: CONTOSO\Administrator
Account Name: Administrator
Account Domain: CONTOSO
Logon ID: 0x18b1d
Directory Service:
Name: Contoso.com
Type: Active Directory Domain Services
Object:
DN: CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
GUID: CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com
Class: user
Attribute:
LDAP Display Name: givenName
Syntax (OID): 2.5.5.12
Value: Test1000
Operation:
Type: Value Added
Correlation ID: {b87e4c30-c6cd-44cf-947b-09ee52dd25e9}
Application Correlation ID: -

7. Create a new user in the Users container called AuditTest2

a. Switch back to Active Directory Users and Computers in Server Manager

b. Select Users container from Contoso.com

c. Right click Users container and select New, User

d. Type AuditTest2 in First name and User logon name

e. Click on Next

f. Type P@ssw0rd1 in Password and Confirm password

g. Click on Next

h. Click on Finish

8. Move AuditTest2 into the AuditTest OU

a. Select newly created user account AuditTest2

b. Right click it and select Move...

c. Select OU AuditTest when prompted to select a container to move the object into

d. Click on OK

e. Select AuditTest OU and confirm that the user object is moved

9. Review the security logs to view audit event generated

a. In Server Manager, Expand Diagnostics and then Event Viewer

b. Expand Windows Logs

c. Select Security log

d. The log shows Directory Service Changes event 5139 indicating a successful move.
Note that the event shows both Old DN and New DN, the original and the new location
of the object.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/1/2007 2:28:02 PM
Event ID: 5139
Task Category: Directory Service Changes
Level: Information
Keywords: Audit Success
User: N/A
Computer: 2008-01.Contoso.com
Description:
A directory service object was moved.

Subject:
Security ID: CONTOSO\Administrator
Account Name: Administrator
Account Domain: CONTOSO
Logon ID: 0x18b1d
Directory Service:
Name: Contoso.com
Type: Active Directory Domain Services
Object:
Old DN: CN=AuditTest2,CN=Users,DC=Contoso,DC=com
New DN: CN=AuditTest2,OU=AuditTest,DC=Contoso,DC=com
GUID: CN=AuditTest2,OU=AuditTest,DC=Contoso,DC=com
Class: user
Operation:
Correlation ID: {2fe1228d-d0a4-45d1-bdfc-48d64d7802be}
Application Correlation ID: -
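As an added example that is not part of the lab manual, the PowerShell below parses the XML of events 5136, 5137 and 5139 (the form Get-WinEvent's ToXml() returns) and pairs the Value Deleted and Value Added events of one attribute change by their correlation ID, the same ID the two 5136 events above share. The sample events are constructed to mirror the ones shown; the resource IDs %%14674 and %%14675 for OperationType are assumed from the event schema.

```powershell
# Added example (not from the lab manual): parse Directory Service Changes events
# 5136 / 5137 / 5139 from their XML and pair the two 5136 events of an attribute
# change by their correlation ID. Runs offline on constructed sample events.

function ConvertFrom-DsChangeEvent {
    param([Parameter(Mandatory=$true)][string]$EventXml)
    $xml = [xml]$EventXml
    $ns  = New-Object System.Xml.XmlNamespaceManager -ArgumentList $xml.NameTable
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $id  = [int]$xml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
    $d   = @{}
    foreach ($node in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $d[$node.GetAttribute('Name')] = $node.InnerText
    }
    # In the raw XML the 5136 OperationType is a resource id, not the rendered text
    # (assumed mapping: %%14674 = Value Added, %%14675 = Value Deleted).
    $opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
    $op = $d['OperationType']
    if ($op -and $opNames.ContainsKey($op)) { $op = $opNames[$op] }
    New-Object PSObject -Property @{
        EventId       = $id
        Subject       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        ObjectDN      = $d['ObjectDN']        # 5136 / 5137
        OldObjectDN   = $d['OldObjectDN']     # 5139 only
        NewObjectDN   = $d['NewObjectDN']     # 5139 only
        Attribute     = $d['AttributeLDAPDisplayName']
        Value         = $d['AttributeValue']
        OperationType = $op
        CorrelationId = $d['OpCorrelationID']
    }
}

function Get-DsChangeSummary {
    param([Parameter(Mandatory=$true)][object[]]$Events)
    $lines = @()
    # A modify shows up as two 5136 events (Value Deleted, then Value Added) that
    # share OpCorrelationID, object and attribute: report them as one change.
    $mods = @($Events | Where-Object { $_.EventId -eq 5136 })
    foreach ($g in ($mods | Group-Object -Property CorrelationId, ObjectDN, Attribute)) {
        $old = @($g.Group | Where-Object { $_.OperationType -eq 'Value Deleted' } | ForEach-Object { $_.Value }) -join ','
        $new = @($g.Group | Where-Object { $_.OperationType -eq 'Value Added' }   | ForEach-Object { $_.Value }) -join ','
        $e = $g.Group[0]
        $lines += "$($e.Subject) changed $($e.Attribute) on $($e.ObjectDN): '$old' -> '$new'"
    }
    foreach ($e in @($Events | Where-Object { $_.EventId -eq 5137 })) {
        $lines += "$($e.Subject) created $($e.ObjectDN)"
    }
    foreach ($e in @($Events | Where-Object { $_.EventId -eq 5139 })) {
        $lines += "$($e.Subject) moved $($e.OldObjectDN) to $($e.NewObjectDN)"
    }
    return $lines
}

function New-SampleEventXml {
    # Constructed test data in the layout Get-WinEvent's ToXml() returns.
    param([int]$Id, [hashtable]$Data)
    $body = ($Data.Keys | ForEach-Object { "<Data Name='$_'>$($Data[$_])</Data>" }) -join ''
    $head = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    return "$head<System><EventID>$Id</EventID></System><EventData>$body</EventData></Event>"
}

# Constructed sample events mirroring the rename and move recorded above.
$subject = @{ SubjectUserName = 'Administrator'; SubjectDomainName = 'CONTOSO' }
$rename  = $subject + @{ ObjectDN = 'CN=AuditTest1,OU=AuditTest,DC=Contoso,DC=com'
                         AttributeLDAPDisplayName = 'givenName'
                         OpCorrelationID = '{b87e4c30-c6cd-44cf-947b-09ee52dd25e9}' }
$delData  = $rename + @{ AttributeValue = 'AuditTest1'; OperationType = '%%14675' }
$addData  = $rename + @{ AttributeValue = 'Test1000';   OperationType = '%%14674' }
$moveData = $subject + @{ OldObjectDN = 'CN=AuditTest2,CN=Users,DC=Contoso,DC=com'
                          NewObjectDN = 'CN=AuditTest2,OU=AuditTest,DC=Contoso,DC=com'
                          OpCorrelationID = '{2fe1228d-d0a4-45d1-bdfc-48d64d7802be}' }
$events = @(
    (New-SampleEventXml 5136 $delData),
    (New-SampleEventXml 5136 $addData),
    (New-SampleEventXml 5139 $moveData)
) | ForEach-Object { ConvertFrom-DsChangeEvent $_ }
Get-DsChangeSummary -Events $events

# On a DC, the same summary over the real Security log (run elevated):
# Get-DsChangeSummary -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139 } |
#     ForEach-Object { ConvertFrom-DsChangeEvent $_.ToXml() })
```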

Lab 7: DFSR and SYSVOL Migration

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-
mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any
real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or
should be inferred. Complying with all applicable copyright laws is the responsibility of the user. These
materials are intended for distribution to and use only by Microsoft Premier Customers. Use or distribution of
these materials by any other persons is prohibited without the express written permission of Microsoft
Corporation. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.

©2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.

Version 1.0
During this lab, you will migrate SYSVOL from FRS to DFSR as the replication engine.

Estimated time to complete this lab: 60 minutes

Before You Begin


Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server

What You Will Learn


After completing this lab, you will be able to:

■ Understand migration of SYSVOL from FRS to DFSR in a Windows Server 2008 domain

Lab Environment
To complete this lab, you will need the following Virtual Machines:

■ 2008-01

■ 2008-02

■ 2008-Core-01

You must log on as an administrative user in order to perform all of the tasks in this
lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso

Exercise 1: Migrate SYSVOL from using NTFRS to DFSR
Scenario
You are the administrator of Contoso.com domain. You understand that in your
current environment SYSVOL is using NTFRS as its replication engine. However, you
have read that DFSR provides substantial improvements over FRS and several key
new features. Therefore, you wish to perform a DFSR migration and you are ready
to demote any domain controller that is not running Windows Server 2008 to
perform this migration.

Tasks
1. Transfer all FSMO roles from 2003-01 to 2008-01 and demote 2003-01.
Note: Dcpromo will try to transfer the roles automatically if this has not been done before.

a. Transfer all the FSMO roles to 2008-01

1. Log on to 2008-01 as Contoso\administrator

2. Launch a Command Prompt

3. Type ntdsutil and then press ENTER

4. Type Roles and then press ENTER

5. Type Connections and then press ENTER

6. Type Connect to Server 2008-01 and then press ENTER

7. Type Quit and then press ENTER

8. Type Transfer PDC and then press ENTER

9. It will prompt you to confirm if you want to transfer the role to 2008-01

10. Click on Yes

11. Transfer the rest of the roles by typing:
Transfer Schema Master
Transfer naming master
Transfer infrastructure master
Transfer RID master

12. Type quit and press ENTER

13. Type quit and press ENTER

14. At the command prompt, type netdom query fsmo and then press
ENTER

15. Confirm 2008-01 holds all the FSMO roles

16. Close command prompt

b. Demote 2003-01 back to a member server.

1. While logged on to 2003-01 as Contoso\Administrator

2. Start | Run and type DCPROMO

3. Remove Active Directory from 2003-01

4. Reboot

5. Make sure 2003-01 is no longer referred to as a DNS server in the TCP/IP
properties of any domain member.

2. Raise the Contoso.com Domain Functional Level to Windows Server 2008.

a. While logged onto 2008-01 as Contoso\Administrator, run DSA.msc.

b. Right click on the domain and select Raise Domain Functional Level.

c. Raise the domain functional level to Windows Server 2008

d. Stay logged on to 2008-01 as Contoso\Administrator

3. Verify that your SYSVOL is currently healthy and replicating


a. Log on to the Schema Master, 2008-01, as Contoso\administrator.

b. Open a command prompt.

c. At the command prompt, type the following and then press ENTER
net share

d. Confirm SYSVOL and NETLOGON are shared and are pointing to
C:\Windows\SYSVOL\Sysvol

e. Close command prompt

f. Launch Adsiedit.msc

g. Connect to Default naming context

h. Expand OU=Domain Controllers,DC=Contoso,DC=com

i. Expand each of the Domain Controllers and select CN=NTFRS Subscriptions

j. Confirm that the right pane shows an NTFRS Subscriber object called
CN=Domain System Volume (SYSVOL share)

k. Expand CN=File Replication Service,CN=System,DC=Contoso,DC=com

l. Select CN=Domain System Volume (SYSVOL share)

m. Confirm the right pane contains NTFRS member objects for all the Domain
Controllers. Each NTFRS member object has the same name as its domain
controller.

n. Close Adsiedit.msc

o. Click on Start, Programs, Administrative Tools and Event Viewer.

p. Check the File Replication Service log and confirm that no errors or
warnings are reported for Sysvol.

4. Back up the data in the Sysvol folder.

a. It is recommended to take a backup of the data in the SYSVOL folder before
beginning the process of migrating from FRS to DFS Replication.

b. On 2008-01, copy the C:\Windows\SYSVOL\domain folder to the Desktop

1. At the command prompt, run
xcopy /x /e /h /r C:\Windows\SYSVOL\domain %userprofile%\desktop

c. Confirm that Policies and Scripts folders are copied correctly.

5. Verify that the DFS Replication service is installed and is set to Automatic start

a. On 2008-01, launch Server Manager if it is not already open:
Click on Start, Administrative Tools, and then Server Manager

b. Expand Configuration and select Services

c. Confirm the DFS Replication service is started and Startup Type is set to
Automatic

d. If the service is not installed:

1. Expand Roles in left pane and select File Services

2. Right click File Services and select Add Role Services

3. It will launch the Add role Services wizard

4. Expand Windows Server 2003 File Services and select File Replication Service

5. Click on Install

6. Once the process completes, it will display a message confirming File
Replication Service installed successfully.

7. Select File Services from left pane.

8. Review details pane.

9. Now DFS Replication service is listed under System Services.

10. Status shows Running and Startup Type is Auto.

6. Run DfsrMig tool on PDC to create DFSR-GlobalSettings object

a. On 2008-01, launch a command prompt

b. Type DfsrMig /CreateGlobalObjects and then press ENTER

c. It will report the following:
Current DFSR global state: Start
Succeeded.

d. The DfsrMig performs the following actions:

1. Creates the ReplicationGroup, Content object, ContentSet, and Topology objects.

2. msDFSR-GlobalSettings object under System container is created.

a) Launch Adsiedit.msc or LDP

b) Connect to Default naming context

c) Expand DC=Contoso,DC=com

d) Select CN=System
e) Notice in details pane, CN=DFSR-GlobalSettings object of class
msDFSR-GlobalSettings is created under CN=System.

3. msDFSR-ReplicationGroup object under msDFSR-GlobalSettings.
msDFSR-ReplicationGroupType is set to a value of 1.

a) Expand CN=System and select CN=DFSR-GlobalSettings

b) Notice in details pane, CN=Domain System volume object of class
msDFSR-ReplicationGroup is created under CN=DFSR-GlobalSettings

c) Right click CN=Domain System volume and select properties

d) Under Attributes, select msDFSR-ReplicationGroupType

e) Confirm the value is set to 1

f) Click on Cancel

4. msDFSR-Content and msDFSR-Topology objects are created under the
msDFSR-ReplicationGroup object.

a) Expand CN=DFSR-Globalsettings in left pane.

b) Select CN=Domain System volume.

c) Notice the CN=Content and CN=Topology objects are created.

5. msDFSR-ContentSet object under msDFSR-Content object is created.

a) Expand CN=Domain System volume in left pane and select CN=Content.

b) Notice in details pane, CN=SYSVOL Share object of class msDFSR-ContentSet
is created.

6. For NTFRS compatibility, the content set is set to filter out the
DO_NOT_REMOVE_NtFrs_PreInstall_Directory and
NtFrs_PreExisting___See_EventLog folders.

a) Right click CN=SYSVOL Share and select Properties.

b) From the list of attributes, select msDFSR-DirectoryFilter.

c) Confirm the value is set to
DO_NOT_REMOVE_NtFrs_PreInstall_Directory,
NtFrs_PreExisting___See_EventLog.

d) Click on Cancel.

7. Creates member objects for each existing RODC.

a) Select CN=Topology in left pane

b) Notice in details pane, CN=2008-02 object of msDFSR-Member class is created.

c) Close Adsiedit.msc.

8. Sets GlobalState to 0.

e. Launch a Command prompt

f. Type DfsrMig /GetGlobalState and then press ENTER

1. It will report the following:
Current DFSR global state: ‘Start’
Succeeded.

7. Run DfsrMig.exe on PDC to enter the Prepare phase

a. Launch a Command prompt

b. Type DFSRMig /SetGlobalState 1 and then press ENTER

1. It will report:
Current DFSR global state: Start
New DFSR global state: ‘Prepared’
Migration will proceed to ‘Prepared’ state. DFSR service will copy the contents of SYSVOL to SYSVOL_DFSR folder.
If any DC is unable to start migration then try manual polling.
OR Run with option /CreateGlobalObjects.
Migration can start anytime between 15 min to 1 hour.
Succeeded.

c. The DfsrMig performs the following actions:

1. Creates SYSVOL_DFSR, and its immediate subfolders, copying the ACLs
from the original SYSVOL.

a) Launch Windows Explorer.

b) Confirm SYSVOL_DFSR folder is created under %SystemRoot%.

c) Confirm ACLs are identical for Policies and Scripts folders under
%SystemRoot%\SYSVOL\Domain and
%SystemRoot%\SYSVOL_DFSR\Domain

2. ROBOCOPY copies SYSVOL\domain to SYSVOL_DFSR\domain.

a) Confirm the contents of %SystemRoot%\SYSVOL_DFSR\Domain is the same as the
contents of %SystemRoot%\SYSVOL\Domain.

3. The output of ROBOCOPY is saved in %SystemRoot%\Debug\SYSVOL_DFSR-RoboCopy.txt.

a) Review the file %SystemRoot%\Debug\SYSVOL_DFSR-RoboCopy.txt.

4. Creates the SYSVOL junction.

a) Launch command prompt

b) Type the following command and then press ENTER
cd %SystemRoot%\SYSVOL_DFSR\Sysvol

c) Type Dir /a and then press ENTER

d) Confirm a junction Contoso.com is created for %SystemRoot%\SYSVOL_DFSR\domain.

e) Close Command prompt

5. msDFSR-Member object under msDFSR-Topology object was populated with
msDFSR-ComputerReference, ServerReference, and ServerReferenceBL attribute values.

a) Launch Adsiedit.msc.

b) Connect to Default naming context.

c) Expand CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=Contoso,DC=com.

d) Select CN=Topology.
e) Details pane shows CN=2008-02 object of class msDFSR-Member.

f) Right click 2008-02 and select Properties.

g) Review attributes msDFSR-ComputerReference, ServerReference, and
ServerReferenceBL. To see the ServerReferenceBL value you must enable
Backlink values:

(1) Click Filter, then click Backlinks

h) Click on Cancel

6. msDFSR-LocalSettings object under OU=Domain Controllers is created.

a) Expand OU=Domain Controllers under DC=Contoso,DC=com.

b) Expand CN=2008-01.

c) Notice CN=DFSR-LocalSettings object is created under CN=2008-01.

7. msDFSR-Subscriber object under msDFSR-LocalSettings object is populated
with msDFSR-MemberReference and msDFSR-ReplicationGroupGuid attribute values.

a) Select CN=DFSR-LocalSettings.

b) Details pane shows CN=Domain System Volume object of class msDFSR-Subscriber.

c) Right click CN=Domain System Volume and select Properties.

d) Review attributes msDFSR-MemberReference and msDFSR-ReplicationGroupGuid.

e) Click on Cancel.

8. msDFSR-Subscription object under msDFSR-Subscriber object is populated with
msDFSR-RootPath, msDFSR-StagingPath, msDFSR-ReplicationGroupGuid,
msDFSR-ContentSetGuid, msDFSR-ReadOnly, and msDFSR-Options attribute values.

a) Select CN=Domain System Volume in left pane.

b) Details pane shows CN=SYSVOL Subscription object of class msDFSR-Subscription.

c) Right click CN=SYSVOL Subscription and select Properties.

d) Review attributes msDFSR-RootPath, msDFSR-StagingPath,
msDFSR-ReplicationGroupGuid, msDFSR-ContentSetGuid, msDFSR-ReadOnly, and
msDFSR-Options.

e) Click on Cancel.

f) Close Adsiedit.msc.

9. Creates and populates this key in the registry:
HKLM\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols

a) Launch regedit.

b) Navigate to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
\DFSR\Parameters\SysVols\Migrating SysVols

c) Confirm the value of Local State is set to 1.

d) Close Registry Editor.

d. Confirm the global state is set to Prepared now.

1. Launch Command prompt

2. Type DfsrMig /GetGlobalState and then press ENTER

3. It will report:
Current DFSR global state: ‘Prepared’
Succeeded.

e. Confirm all Domain Controllers are synchronized with the Global State
(Prepared). It is highly recommended not to initiate migration to the
REDIRECTED state until this is done.

1. At the command prompt, type DfsrMig /GetMigrationState and then press ENTER

2. It will list Domain Controllers that are not in sync with Global State.

Example:

3. If any of the Domain Controllers are listed there, then force Active
Directory replication using the following commands:
Repadmin /syncall 2008-01 /AdeP
Repadmin /syncall 2008-02 /Ade

4. Check for success with:
repadmin /showattr * "CN=DFSR-GlobalSettings,CN=System,DC=contoso,DC=com" /atts:msDFSR-Flags

5. Manually poll Active Directory on a Domain Controller using:
DfsrDiag PollAD
OR remotely from any other Domain Controller using:
DfsrDiag PollAD /Member:<Domain Controller name>

8. Run DfsrMig.exe on PDC to enter the Re-Directed phase

a. Launch a command prompt

b. Type DFSRMig /SetGlobalState 2 and then press ENTER

c. It will report:
Current DFSR global state: ‘Prepared’
New DFSR global state: ‘Redirected’
Migration will proceed to ‘Redirected’ state. The SYSVOL share
will be changed to SYSVOL_DFSR folder.
If any changes have been made to the SYSVOL share during the
state transition from ‘Prepared’ to ‘Redirected’ please
robocopy the changes from SYSVOL to SYSVOL_DFSR on any
replicated RWDC.
Succeeded.

d. Verify that DFS Replication global migration state is set to REDIRECTED

1. Launch command prompt if it is not already open.

2. Type DfsrMig /GetGlobalState and then press ENTER

3. It will report
Current DFSR global state: Redirected
Succeeded.

e. Verify that SYSVOL and NETLOGON shares are now pointing to paths under
SYSVOL_DFSR.

1. At the command prompt, type net share and then press ENTER

2. Confirm SYSVOL and NETLOGON shares are pointing to paths under SYSVOL_DFSR.

f. Confirm all Domain Controllers are in sync with the global state, that is, in
the REDIRECTED state. It is recommended not to initiate migration to the
ELIMINATED state until this is done.

1. At the command prompt, type DfsrMig /GetMigrationState and then press ENTER

2. It will list Domain Controllers that are not in sync with Global State.

3. If any of the Domain Controllers are listed there, then force Active
Directory replication using the following command:
Repadmin /syncall /AeD
Then manually poll Active Directory on a Domain Controller using:
DfsrDiag PollAD
OR remotely from any other Domain Controller using:
DfsrDiag PollAD /Member:<Domain Controller name>

9. Run DfsrMig.exe on PDC to enter Eliminate phase

a. Launch a Command prompt

b. Type DFSRMig /SetGlobalState 3 and then press ENTER

c. It will report
Current DFSR global state: ‘Redirected’
New DFSR global state: ‘Eliminated’
Migration will proceed to ‘Eliminated’ state. It is not
possible to revert this step.
If any RODC is stuck in the ‘Eliminating’ state for too long
then run with option /DeleteRoNtfrsMembers.
Succeeded.

d. Verify that DFS Replication global migration state is set to ELIMINATED.

1. Type DfsrMig /GetGlobalState and then press ENTER

2. It will report
Current DFSR global state: Eliminated
Succeeded.

e. Confirm all Domain Controllers are in sync with the global state, that is, in
the ELIMINATED state.

1. At the command prompt, type DfsrMig /GetMigrationState and then press ENTER

2. It will list Domain Controllers that are not in sync with Global State.

3. If any of the Domain Controllers are listed there, then force Active
Directory replication using the following command:
Repadmin /syncall /Ade
Then manually poll Active Directory on a Domain Controller using:
DfsrDiag PollAD
OR remotely from any other Domain Controller using:
DfsrDiag PollAD /Member:<Domain Controller name>

f. The DfsrMig performs following actions:

1. Deletes the NTFRS SYSVOL Active Directory configuration objects.

a) Launch Adsiedit.msc and connect to Default naming context.

b) Expand CN=DFSR-LocalSettings,CN=2008-01,OU=Domain Controllers,DC=Contoso,DC=com.

c) Select CN=Domain System Volume.

d) Details pane shows CN=SYSVOL Subscription object of class msDFSR-Subscription.

e) Confirm there is no longer a CN=NTFRS Subscriptions object for SYSVOL under
CN=2008-01.

f) Expand CN=File Replication Service,CN=System.

g) Select CN=Domain System volume (SYSVOL share).

h) Confirm it does not have any nTFRSMember objects.

i) Close Adsiedit.msc.

2. Deletes content under SYSVOL folder.

a) Start Windows Explorer.

b) Navigate to %SystemRoot%.

c) Confirm there is no Policies or Scripts inside the SYSVOL folder.

d) Close Windows Explorer.

g. Verify that SYSVOL and NETLOGON shares are pointing to paths under
SYSVOL_DFSR.

1. Launch command prompt.

2. Type net share and then press ENTER.

3. Confirm NETLOGON and SYSVOL shares point to %SystemRoot%\SYSVOL_DFSR.

4. Close command prompt

5. Start Regedit and navigate to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

6. Confirm the value of SysVol is %SystemRoot%\SYSVOL_DFSR\Sysvol.

7. Close regedit.exe.
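The checks in steps 7.c.9, 8.e and 9.g (the Local State registry value, the SYSVOL and NETLOGON share paths, and the Netlogon SysVol parameter) can be combined into one consistency test; the PowerShell below is an added example, not part of the lab, and uses Win32_Share in place of net share output. The state numbers follow the /SetGlobalState values used above; Get-SysvolMigrationInfo reads the live values on a DC, while the two calls at the end use constructed values.

```powershell
# Added example (not from the lab manual): check whether a DC's local migration
# state agrees with where SYSVOL/NETLOGON and the Netlogon SysVol parameter point.

# State numbers as used by DfsrMig /SetGlobalState and stored in the 'Local State'
# registry value (transitional states are not listed here).
$DfsrMigStates = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Test-SysvolMigrationState {
    param(
        [Parameter(Mandatory=$true)][int]$LocalState,        # ...\DFSR\Parameters\SysVols\Migrating SysVols : Local State
        [Parameter(Mandatory=$true)][string]$NetlogonSysvol, # ...\Netlogon\Parameters : SysVol (already expanded)
        [Parameter(Mandatory=$true)][hashtable]$Shares,      # share name -> local path
        [string]$SystemRoot = $env:SystemRoot
    )
    $findings  = @()
    $stateName = $DfsrMigStates[$LocalState]
    if (-not $stateName) {
        $stateName = "transitional ($LocalState)"
        $findings += 'DC is still between states; re-run DfsrMig /GetMigrationState later'
    }
    # Up to Prepared the shares still live under SYSVOL; from Redirected on, under SYSVOL_DFSR.
    $root = if ($LocalState -ge 2) { "$SystemRoot\SYSVOL_DFSR" } else { "$SystemRoot\SYSVOL" }
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $path = $Shares[$share]
        if (-not $path) { $findings += "$share share is not present"; continue }
        if (-not $path.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "$share share points to $path, expected a path under $root"
        }
    }
    $expectedSysvol = "$root\SysVol"
    if (-not [string]::Equals($NetlogonSysvol, $expectedSysvol, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "Netlogon SysVol parameter is '$NetlogonSysvol', expected '$expectedSysvol'"
    }
    New-Object PSObject -Property @{ State = $stateName; Consistent = ($findings.Count -eq 0); Findings = $findings }
}

function Get-SysvolMigrationInfo {
    # Gathers the live values on the local DC (run elevated on the DC itself).
    $mig = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols'
    $nl  = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'
    $shares = @{}
    foreach ($s in Get-WmiObject -Class Win32_Share) { $shares[$s.Name] = $s.Path }
    Test-SysvolMigrationState -LocalState $mig.'Local State' -NetlogonSysvol $nl.SysVol -Shares $shares
}

# Constructed values for a DC that has reached Redirected (what steps 8.e and 9.g expect to see).
$ok = Test-SysvolMigrationState -LocalState 2 -SystemRoot 'C:\Windows' `
    -NetlogonSysvol 'C:\Windows\SYSVOL_DFSR\SysVol' `
    -Shares @{ SYSVOL = 'C:\Windows\SYSVOL_DFSR\sysvol'; NETLOGON = 'C:\Windows\SYSVOL_DFSR\sysvol\Contoso.com\SCRIPTS' }
# Same state number, but the shares were never re-pointed: Consistent is False and Findings says why.
$stale = Test-SysvolMigrationState -LocalState 2 -SystemRoot 'C:\Windows' `
    -NetlogonSysvol 'C:\Windows\SYSVOL\SysVol' `
    -Shares @{ SYSVOL = 'C:\Windows\SYSVOL\sysvol'; NETLOGON = 'C:\Windows\SYSVOL\sysvol\Contoso.com\SCRIPTS' }
$ok, $stale | Format-List State, Consistent, Findings
```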

10. Review the DFS Replication Event log for DFSR SYSVOL migration events.

a. Click on Start, Programs, Administrative Tools and Event Viewer.

b. Check the DFS Replication log and examine the SYSVOL migration events.

Lab 8: Fine Grained Password Policy

Version 1.0
During this lab, you will learn about Group Policy changes and FGPP.

Estimated time to complete this lab: 75 minutes

Before You Begin


Before starting this lab, you should:

■ Have an understanding of FGPP

Lab Environment
To complete this lab, you will need the following Virtual Machines:

■ 2008-01

■ 2003-DC1

You must log on as an administrative user in order to perform all of the tasks in this
lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso

Exercise 1: Create a New Password Settings Object (PSO)
Scenario
You are the administrator of the Contoso.com domain. You have been asked to set up a
password policy for the users in the Managers group with a minimum password length
of 10 characters.

Tasks

1. On 2008-01, verify the domain functional level is set to Windows Server 2008.
a. Log on to 2008-01 as Contoso\administrator

b. Launch Server Manager if it is not already open:
Click on Start, Administrative Tools, and then Server Manager

c. Expand Roles | Active Directory Domain Services | Active Directory Users and
computers | Contoso.com.

d. Right click Contoso.com and select Raise domain functional level...

e. Confirm Current domain functional level is set to Windows Server 2008

f. Click on Close

2. Create a new Password Settings Object and name it Managers. Specify a minimum
password length of 10 characters.
a. Click on Start, Run, type Adsiedit.msc and click on OK.

b. Connect to Default naming context.

c. Expand CN=System,DC=Contoso,DC=com

d. Right click CN=Password Settings and select New, Object...

e. It will launch Create Object wizard.

f. Confirm msDS-PasswordSettings class is selected and click Next.

g. For each attribute, type the corresponding value from the following list and
click Next (the times are entered in d:hh:mm:ss format):

Attribute                                  Value
cn                                         Managers
msDS-PasswordSettingsPrecedence            10
msDS-PasswordReversibleEncryptionEnabled   FALSE
msDS-PasswordHistoryLength                 24
msDS-PasswordComplexityEnabled             TRUE
msDS-MinimumPasswordLength                 10
msDS-MinimumPasswordAge                    0
msDS-MaximumPasswordAge                    20:00:00:00 (20 days)
msDS-LockoutThreshold                      0
msDS-LockoutObservationWindow              0:00:30:00 (30 minutes)
msDS-LockoutDuration                       0:00:30:00 (30 minutes)

h. Click Finish to complete the creation of this object.

3. Apply the PSO to the Managers group

a. In the CN=Password Settings container, right click on the
CN=Managers object in the details pane and select Properties.

b. Select msDS-PSOAppliesTo attribute from the list of attributes.

c. Click Edit.

d. Click Add Windows Account…

e. Type Managers in the Select Users, Computers, or Groups dialog and click OK.

f. Click OK in the Multi-valued Distinguished Name with Security Principal Editor
dialog box.

g. Confirm correct value is set for msDS-PSOAppliesTo attribute.

h. Click OK.

i. Close Adsiedit.msc.

4. Test the password policy from Active Directory Users and Computers by resetting
the password of Lisa Miller, a member of the Managers group, to seven characters.
It should fail. Then test it by setting a password of 10 or more characters.

a. Launch Server Manager if it is not already open:
Click on Start, Administrative Tools, and then Server Manager

b. Expand Roles | Active Directory Domain Services | Active Directory Users and
computers | Contoso.com.

c. Select Lisa Miller in the Training Organizational Unit.

d. Right click the Lisa Miller account and select Properties. Click on the
MemberOf tab and verify Lisa Miller is a member of the Managers group.
Click OK to close the user properties.

e. Right click on the user account and select “Reset Password…”

f. Type a password with seven characters.

g. It will report an error informing you that Windows cannot complete the
password change because the password does not meet the password policy
requirements.

h. Click OK.

i. Right click on the user account again and select “Reset Password…”

j. Type a password that has 10 or more characters and click on OK.

k. It will report, “The password has been changed.”

l. Click OK.

Exercise 2: How to determine which PSO is effective on a user
Tasks
1. On 2008-01, query the msDS-ResultantPSO attribute for the user in question.
This will indicate the distinguished name of the PSO that is ultimately applied to
that user.

a. In Active Directory Users and Computers, click on View and confirm that
Advanced Features are enabled.

b. Select the user account for which you would like to examine the effective
PSO.

c. Right click on the user account and select Properties.

d. Select the Attribute Editor tab.

e. Click Filter, confirm that Show attributes: Optional, and Show read-
only attributes: Constructed are checked.

f. From the list of attributes, select the msDS-ResultantPSO attribute. It will
show the distinguished name of the PSO that is applied to the user.

g. If multiple PSO’s are applied to a user, which one will take effect? How
can you tell?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

h. If a PSO is applied to a user and a group, which one takes precedence? How can
you tell?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

2. Run the following command:

dsget user "cn=lmiller,ou=training,dc=contoso,dc=com" -effectivepso


What does the output show?
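As an added example that is not part of the lab, the PowerShell below applies the rules AD uses to pick the resultant PSO (direct link beats group link, then lowest msDS-PasswordSettingsPrecedence, then smallest objectGUID) to constructed PSO data, and reads the DC's own answer from msDS-ResultantPSO the way dsget -effectivepso does. The DNs and GUIDs are made up for the example, and the GUID tie-break is approximated with .NET Guid ordering.

```powershell
# Added example (not from the lab manual): the rules AD uses to pick the resultant
# PSO, applied to constructed PSO data, plus a reader for the DC's own answer.

function Resolve-ResultantPso {
    param(
        [Parameter(Mandatory=$true)][string]$UserDn,
        [Parameter(Mandatory=$true)][string[]]$UserGroupDns,  # global security groups the user belongs to
        [Parameter(Mandatory=$true)][object[]]$Psos           # objects with Dn, Precedence, Guid, AppliesTo (DNs)
    )
    # Rule 1: a PSO linked directly to the user wins over any PSO linked through a group.
    $direct   = @($Psos | Where-Object { $_.AppliesTo -contains $UserDn })
    $viaGroup = @($Psos | Where-Object {
        $p = $_; @($UserGroupDns | Where-Object { $p.AppliesTo -contains $_ }).Count -gt 0 })
    $candidates = if ($direct.Count -gt 0) { $direct } else { $viaGroup }
    if ($candidates.Count -eq 0) { return $null }   # no PSO applies: Default Domain Policy is used
    # Rule 2: the lowest msDS-PasswordSettingsPrecedence value wins.
    # Rule 3: equal precedence is broken by the smallest objectGUID (approximated here
    # with .NET Guid ordering, an assumption of this example).
    $winner = $candidates | Sort-Object -Property Precedence, @{ Expression = { [guid]$_.Guid } } |
        Select-Object -First 1
    return $winner.Dn
}

function Get-ResultantPsoFromDc {
    # msDS-ResultantPSO is a constructed attribute, so it must be requested explicitly;
    # this is the value the dsget -effectivepso command above prints (run on a domain member).
    param([Parameter(Mandatory=$true)][string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    $user.RefreshCache(@('msDS-ResultantPSO'))
    return [string]$user.Properties['msDS-ResultantPSO'].Value
}

# Constructed directory data: DNs and GUIDs are made up for the example.
$psoBase  = 'CN=Password Settings Container,CN=System,DC=contoso,DC=com'
$lmiller  = 'CN=lmiller,OU=training,DC=contoso,DC=com'
$managers = 'CN=Managers,CN=Users,DC=contoso,DC=com'
$everyone = 'CN=Domain Users,CN=Users,DC=contoso,DC=com'
$psos = @(
    (New-Object PSObject -Property @{ Dn = "CN=Managers,$psoBase"; Precedence = 10
        Guid = '4f1d9e2a-0000-4000-8000-000000000001'; AppliesTo = @($managers) }),
    (New-Object PSObject -Property @{ Dn = "CN=AllStaff,$psoBase"; Precedence = 20
        Guid = '4f1d9e2a-0000-4000-8000-000000000002'; AppliesTo = @($everyone) })
)
# Both PSOs reach lmiller through groups; the lower precedence value (Managers, 10) wins.
Resolve-ResultantPso -UserDn $lmiller -UserGroupDns $managers, $everyone -Psos $psos
# A PSO linked directly to the user wins even with a worse precedence value (50).
$psos += New-Object PSObject -Property @{ Dn = "CN=LisaOnly,$psoBase"; Precedence = 50
    Guid = '4f1d9e2a-0000-4000-8000-000000000003'; AppliesTo = @($lmiller) }
Resolve-ResultantPso -UserDn $lmiller -UserGroupDns $managers, $everyone -Psos $psos
# Live check against the DC (needs the real user DN):
# Get-ResultantPsoFromDc -UserDn $lmiller
```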

Lab 9: Group Policy Changes and Enhancements

Version 1.0
During this lab, you will work with the Group Policy changes in Windows Server 2008 and with Fine-Grained Password Policy (FGPP).

Estimated time to complete this lab: 75 minutes

Before You Begin


Before starting this lab, you should:

■ Have an understanding of new group policy changes

■ Have an understanding of FGPP

What You Will Learn


After completing this lab, you will be able to:

■ Create a Central Store

■ Configure and use GPEdit logging

■ Create and use Starter GPOs

■ Use folder redirection to share data between V1 and V2 user profiles

■ Understand what password policies and account lockout policies are

Lab Environment
To complete this lab, you will need the following Virtual Machines:

■ 2008-01

You must log on as an administrative user in order to perform all of the tasks in this
lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso

Exercise 1: Enable GPEDIT Logging and Create a Central Store
Task 1: Enable GPEDIT logging
1. Logon to 2008-01 as Contoso\Administrator

2. Run Regedit.exe

3. Enable GPEDIT logging. Debug logging for the Group Policy editor is turned on by a
registry value (not a key) under Winlogon:

a. Navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

b. Create a REG_DWORD value named GPEditDebugLevel

1) Set the value to 10002 (hexadecimal)

2) Close the Registry Editor.

Task 2: Creating and Using a Central Store


Note
There is no user interface for populating the central store in Windows Vista or
Windows Server 2008 at this time. This procedure shows how to populate the
central store using command line syntax.

1. To populate the Central Store, open a command window on server 2008-01.

2. Copy the language-neutral (.admx) files and the language-specific (.adml) files
from the local PolicyDefinitions folder on 2008-01 to the central store in the domain
controller's SYSVOL share with the xcopy command:

Xcopy /S %systemroot%\PolicyDefinitions\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions

3. When prompted whether the destination is a file or a directory, enter D.

4. To edit administrative template policy settings using ADMX files open the
Group Policy Management Console. Click Start, click Run, then type GPMC.msc.

5. To create a new GPO, right-click Contoso.com under Domains and select Create a GPO in this domain, and link it here.
6. Type a name for the GPO and click OK.

7. Expand the Group Policy Objects node.

8. Right-click the name of the GPO you created and click Edit.

9. Select Administrative Templates under Computer Configuration, Policies. In the right pane, note the message stating Administrative Templates: Policy definitions (ADMX files) retrieved from the central store.

10. Click Printers under Administrative Templates and select Web-based Printing.

11. Select Enabled and click OK

12. Close Group Policy Management Editor

13. Open c:\windows\debug\usermode\gpedit.log

14. Review the log and notice the information stating Successfully wrote:
Software\Policies\Microsoft\Windows NT\Printers\DisableWebPrinting

Important
The Group Policy Object Editor automatically reads all ADMX files stored in the
central store. When there is no central store, the Group Policy Object Editor reads
the local versions of the ADMX files used by the local GPO on your Windows Vista™
administrative machine.
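The two tasks of this exercise as a script, added here as an example and not taken from the lab: it sets the logging value, populates the central store over the domain DFS path rather than through a single logon server, counts what landed, and pulls the "Successfully wrote:" entries out of gpedit.log so each editor change can be matched to the policy key it touched. It assumes PowerShell 2.0 or later in an elevated session on 2008-01; the function names and the sample log lines are this example's own.

```powershell
# Added example, not part of the lab manual. Assumes PowerShell 2.0+ in an elevated
# session on the DC (2008-01); function names are this example's own.

function Set-GpEditDebugLogging {
    # Creates (or removes) the REG_DWORD value the lab sets by hand. 0x10002 is the
    # level the lab uses; the log lands in %SystemRoot%\debug\usermode\gpedit.log.
    param([switch]$Disable)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($Disable) {
        Remove-ItemProperty -Path $key -Name 'GPEditDebugLevel' -ErrorAction SilentlyContinue
        return
    }
    New-ItemProperty -Path $key -Name 'GPEditDebugLevel' -PropertyType DWord -Value 0x10002 -Force | Out-Null
    '0x{0:X}' -f (Get-ItemProperty -Path $key -Name 'GPEditDebugLevel').GPEditDebugLevel
}

function Initialize-CentralStore {
    # Copies the local .admx files and their language subfolders (.adml) into SYSVOL,
    # then counts what is there so a missing language folder is obvious.
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$SourcePath = "$env:SystemRoot\PolicyDefinitions"
    )
    # The domain DFS path resolves on any DC; the lab's %logonserver% form pins one DC.
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path -Path $store)) { New-Item -ItemType Directory -Path $store | Out-Null }
    # -Force overwrites files already in the store: do not run this from a machine whose
    # templates are older than the ones the store already holds.
    Copy-Item -Path "$SourcePath\*" -Destination $store -Recurse -Force
    New-Object PSObject -Property @{
        Store     = $store
        AdmxFiles = @(Get-ChildItem -Path $store -Filter *.admx).Count
        AdmlFiles = @(Get-ChildItem -Path $store -Recurse -Filter *.adml).Count
    }
}

function Get-GpEditLogWrites {
    # Extracts the registry paths from the "Successfully wrote:" lines that step 14
    # asks you to find.
    param(
        [string]$LogPath = "$env:SystemRoot\debug\usermode\gpedit.log",
        [string[]]$Lines = $null   # pass log text directly instead of reading the file
    )
    if ($Lines -eq $null) { $Lines = Get-Content -Path $LogPath }
    $pattern = [regex]'Successfully wrote:\s*(\S.*)$'
    foreach ($line in $Lines) {
        $m = $pattern.Match($line)
        if ($m.Success) { $m.Groups[1].Value.Trim() }
    }
}

# Constructed sample lines: only the "Successfully wrote:" wording and the path come
# from the lab; the prefixes are invented and a real gpedit.log looks different.
$sampleLog = @(
    'GPEDIT 12/04/2008 10:15:02 constructed filler line',
    'GPEDIT 12/04/2008 10:15:09 Successfully wrote: Software\Policies\Microsoft\Windows NT\Printers\DisableWebPrinting'
)
Get-GpEditLogWrites -Lines $sampleLog

# On the DC, in order:
# Set-GpEditDebugLogging
# Initialize-CentralStore
# Get-GpEditLogWrites        (after making an edit in the Group Policy Management Editor)
```

The store lives in SYSVOL, so every authenticated user can read it and only the accounts SYSVOL grants write access to can change it; whoever can write there decides which settings, names and explanations every administrator sees in the editor, which is a reason to keep SYSVOL write permissions as tight as the default.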

Exercise 2: Creating and Using Starter GPOs


Scenario
As an administrator for Contoso.com, you plan on delegating permissions to other
users to administer specific Organizational Units in the future. To aid the other
users in Group Policy creation, you are going to prepare a Starter GPO that contains
helpful pre-configured Administrative Template settings.

Task 1:
1. On 2008-01 create a new Starter GPO

a. Logon to 2008-01 as contoso\administrator.

b. In Server Manager, expand Features | Group Policy Management | Forest: contoso.com | Domains | contoso.com | Starter GPOs.

c. Right click Starter GPOs and then click New.

d. In the New Starter GPO dialog box, type Contoso Base in the Name box
and click OK.

e. Right-click Contoso Base and select Edit. Notice that only Administrative Templates settings are available in a Starter GPO. Change an Administrative Templates setting under User or Computer Configuration, then close the Group Policy Editor window.

2. Create a new policy from the Starter GPO.

a. Right Click Contoso Base and then click New GPO from Starter GPO.

b. In the New GPO dialog box, type Training Policy in the Name box and
click OK.

Exercise 4: Create a network share for all computers in the domain via Preferences in group policy
Task 1:
1. Logon as contoso\administrator on 2008-01.

2. Create a folder C:\scripts.

3. Edit the Default Domain Policy (the lab uses it for convenience; in production, put preferences in a dedicated GPO so the built-in policy stays minimal and the share is not created on every computer in the domain, domain controllers included)

a. Click on Start | Run and type gpmc.msc

b. Double click Domains and then Contoso.com

c. Right click the Default Domain Policy and click Edit

4. In the Group Policy Management Editor, click Computer Configuration | Preferences | Windows Settings | Network Shares

5. Create a new network share Preference setting

a. Right-click Network Shares, point to New, and click Network Share

b. In the New Network Share properties window, select the following:

1) Action : Create

2) Share name: 2008TEST

3) Folder Path: C:\scripts

4) Leave rest as Default settings

5) Click OK

6. Force Group Policy application by typing gpupdate /force at a command prompt. Type Y when prompted to log off.

7. Log on again, open a command prompt and type net share. You will see a share named 2008TEST pointing to the existing folder C:\scripts on 2008-01.

Exercise 5: Create a mapped drive for users in the Domain Admins group via Preferences in group policy
Task 1:
1. On 2008-01, edit the Default Domain Policy

a. Logon to 2008-01. Click on Start | Run and type gpmc.msc

b. Double click Domains and then Contoso.com

c. Right click the Default Domain Policy and click Edit

2. In the Group Policy Management Editor, click User Configuration | Preferences | Windows Settings | Drive Maps

3. Create a new mapped drive preference setting

a. Right-click Drive Maps, point to New, and click Mapped Drive

b. In the New Drive properties window, select the following:

1) Action : Create

2) Location: \\2008-01\c$

3) Label as: MyDrive

4) Drive Letter: Use first available starting at: E

5) Keep rest of the settings as default

6) Click the Common tab, select Item-level targeting, and then click Targeting

7) Click New Item and select Security Group and click on Browse

8) Type Domain Admins and click on Check Names. Click OK

9) Click OK

4. Force Group Policy application by typing gpupdate /force at a command prompt. Type Y when prompted to log off.

5. Re-login and open My Computer and view MyDrive pointing to \\2008-01\C$

6. (Optional) Log on to Vista-01 as a Domain Admin and then as a non-admin and confirm whether the drive is mapped. Item-level targeting only decides whether the client processes the preference item; it is not an access control. What protects \\2008-01\C$ is the share and NTFS permissions on 2008-01, which only administrators satisfy.

Exercise 6: Disable a preference setting


Task 1:
1. On 2008-01, edit the Default Domain Policy

a. Logon to 2008-01. Click on Start | Run and type gpmc.msc

b. Double click Domains and then Contoso.com

c. Right click the Default Domain Policy and click Edit

2. In the Group Policy Management Editor, click User Configuration | Preferences | Windows Settings | Drive Maps

3. Click the drive letter entry in the right pane to select the preference item, then click the red circle with a slash on the toolbar to disable it

4. Force Group Policy application by typing gpupdate /force at a command prompt. Type Y when prompted to log off.

5. Log on again, open My Computer and verify that MyDrive is no longer mapped.
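Exercises 4, 5 and 6 all end up as XML files under the GPO's folder in SYSVOL. The following added example, which is not part of the lab, reads those files back so a reviewer can see what each preference item does, where it points, which item-level targeting filters gate it and whether it has been disabled, without opening the editor. It assumes PowerShell 2.0 or later; the constructed sample runs anywhere, the SYSVOL reader needs the domain share. The function names and the trimmed sample XML are this example's own.

```powershell
# Added example, not part of the lab manual. Assumes PowerShell 2.0+; the constructed
# sample runs anywhere, Get-GppItemFromSysvol needs the domain's SYSVOL share.

# Well-known GUID of the Default Domain Policy, the GPO Exercises 4 to 6 edit.
$DefaultDomainPolicyGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

function Get-GppItem {
    # Flattens one Group Policy Preferences XML document (NetworkShares.xml, Drives.xml, ...)
    # into one record per item: type, action, target path, disabled flag, item-level
    # targeting filters, and whether a "connect as" credential (cpassword) is embedded.
    param(
        [Parameter(Mandatory=$true)][xml]$Document,
        [string]$Source = '<inline>'
    )
    foreach ($item in $Document.DocumentElement.ChildNodes) {
        if ($item.NodeType -ne 'Element') { continue }
        $p = $item.SelectSingleNode('Properties')
        if ($p -eq $null) { continue }

        $filters = @()
        foreach ($f in $item.SelectNodes('Filters/*')) {
            $desc = $f.LocalName
            if ($f.GetAttribute('name') -ne '') { $desc += '=' + $f.GetAttribute('name') }
            if ($f.GetAttribute('not') -eq '1') { $desc = 'NOT ' + $desc }
            $filters += $desc
        }
        $action = switch ($p.GetAttribute('action')) {
            'C' { 'Create' } 'R' { 'Replace' } 'U' { 'Update' } 'D' { 'Delete' }
            default { $p.GetAttribute('action') }
        }
        New-Object PSObject -Property @{
            Source           = $Source
            Type             = $item.LocalName
            Name             = $item.GetAttribute('name')
            Action           = $action
            Path             = $p.GetAttribute('path')
            Disabled         = ($item.GetAttribute('disabled') -eq '1')
            Filters          = ($filters -join '; ')
            StoredCredential = ($p.GetAttribute('cpassword') -ne '')
        }
    }
}

function Get-GppItemFromSysvol {
    # Reads every preference XML file under one GPO in SYSVOL
    # (<GPO>\Machine\Preferences\...\*.xml and <GPO>\User\Preferences\...\*.xml).
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$GpoGuid = $DefaultDomainPolicyGuid
    )
    $root = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid"
    Get-ChildItem -Path $root -Recurse -Filter *.xml |
        Where-Object { $_.Directory.Parent.Name -eq 'Preferences' } |
        ForEach-Object { Get-GppItem -Document ([xml](Get-Content -Path $_.FullName)) -Source $_.FullName }
}

# Constructed sample in the shape GPMC writes for the Exercise 5 drive map after
# Exercise 6 disabled it (attribute set trimmed to what this example reads).
$sampleDrivesXml = [xml]@'
<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="E:" status="E:" disabled="1">
    <Properties action="C" path="\\2008-01\c$" label="MyDrive" letter="E" useLetter="0" persistent="1"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\Domain Admins" sid="" userContext="1"/>
    </Filters>
  </Drive>
</Drives>
'@
Get-GppItem -Document $sampleDrivesXml -Source 'Drives.xml (constructed)' |
    Format-Table Type, Name, Action, Path, Disabled, Filters, StoredCredential -AutoSize

# On 2008-01, to audit the real Default Domain Policy:
# Get-GppItemFromSysvol | Format-Table Source, Type, Name, Action, Path, Disabled, Filters, StoredCredential -AutoSize
```

On the DC the SYSVOL reader lists both the 2008TEST share from Exercise 4 (Computer side) and the MyDrive mapping (User side). The Filters column is item-level targeting, evaluated by the client; the share and NTFS permissions on the target are what actually control access. The StoredCredential column flags items that embed a "connect as" password in the XML, which any authenticated user can read from SYSVOL; the lab's items carry none.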

Lab 10: Windows Server 2008 Backup and Recovery
Version 1.0
During this lab, you will use the Windows Server 2008 Backup features to backup,
view, and restore Active Directory data.

Estimated time to complete this lab: 60 minutes

Before You Begin


Before starting this lab, you should:

■ Have a basic understanding of Microsoft Virtual Server or Virtual PC

What You Will Learn


After completing this lab, you will be able to:

■ Back up Windows Server 2008 System State data.

■ Create a snapshot and mount the snapshot so that the backup directory
information can be viewed in an LDAP browser.

■ Restore the System State backup.

Lab Environment
To complete this lab, you will need the following Virtual Machines:

■ 2008-01

Important
You must log on as an administrative user in order to perform some of the tasks
in this lab.

■ Administrative username and password

□ Username: Administrator

□ Password: P@ssw0rd1

□ Domain: Contoso

Exercise 1: Use Windows Server Backup to backup and
restore System State data
Scenario
As an administrator of Active Directory in Contoso.com, you need to test the correct
Disaster Recovery procedures used for Active Directory in Windows Server 2008.

Tasks
1. Use Windows Server Backup to back up the Windows System State.

a. Verify that Windows Server Backup is installed, or install the Windows Server Backup feature.

1) Log onto 2008-01 as contoso\Administrator.

2) Launch Server Manager.

a) Click Start, Administrative Tools, then Server Manager

3) Select Features and verify that Windows Server Backup is installed by looking at the list under Features Summary.

4) If it is not installed, click Add Features in the right pane under Features Summary. This launches the Add Features Wizard.

5) On the Select Features page, select Windows Server Backup Features. Expand Windows Server Backup Features, make sure Command-line Tools is checked, and click Next.

6) On Confirm Installation Selections, select Install.

7) Click Close on the Installation Results page.

b. Create a system state backup.

1) At the command prompt, type wbadmin start systemstatebackup -backuptarget:D: and press Enter

Important
The backup target is given as a drive letter and colon only, with no folder path (for example D: or F:). The target cannot be the system drive and cannot be a mapped network drive.

2) When prompted, enter C and press Enter, then enter Y and press
Enter.

Important
The backup can take up to 90 minutes to complete, depending on hardware resources.

3) Examine the contents of D:\WindowsImageBackup\2008-01\SystemStateBackup\Backup\<date>

a) Notice the backup file has a .vhd extension.

2. Create a snapshot using ntdsutil.exe

a. At the command prompt, type ntdsutil snapshot

b. At the snapshot prompt, type activate instance ntds

c. At the snapshot prompt, type create
3. Mount the snapshot created in step 2 using ntdsutil.exe (dsamain.exe does not mount snapshots; it is used in step 4 to load the mounted copy).

a. At the snapshot prompt:

1) Type list all and note the index number of the snapshot

2) Type mount 1 (or the index shown by list all) and note the mount path that is returned

b. View the contents of C:\$SNAP_<datetime>_VOLUMEC$\

1) Notice you can browse to the ntds.dit file at C:\$SNAP_<datetime>_VOLUMEC$\Windows\NTDS\ntds.dit

4. Load the ntds.dit copy from the snapshot and connect to the offline directory with an LDAP browser

a. Use dsamain.exe to load the snapshot

1) At another command prompt, type:

dsamain -dbpath C:\$SNAP_<datetime>_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 5000

b. Launch LDP.exe and view the contents of the ntds.dit database

1) Launch ldp.exe

2) Click Connection | Connect

3) Change the port to 5000 and click OK

4) Click Connection | Bind

5) Click View | Tree

a) Notice you can view the directory data

6) In the dsamain command window, press Ctrl+C to stop dsamain. The snapshot stays mounted under C:\$SNAP_<datetime>_VOLUMEC$\ until you unmount it: at the ntdsutil snapshot prompt, type list all and then unmount 1 (the index shown in the list).
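Steps 2 to 4 as a script, added here as an example and not taken from the lab: it creates and mounts a snapshot with ntdsutil, starts dsamain against the mounted ntds.dit, searches it with System.DirectoryServices over the loopback address, stops dsamain and unmounts the snapshot again. It assumes PowerShell 2.0 or later in an elevated session on 2008-01, the wording of the ntdsutil mount message given in the comment, and that port 5000 is free; the function names, the ten-second start-up wait and the sample output line are this example's own.

```powershell
# Added example, not part of the lab manual. Assumes PowerShell 2.0+ run elevated on
# the DC (2008-01); function names, port and the parsing assumptions are this example's.

function Invoke-Ntdsutil {
    # Runs one ntdsutil session; each element of $Commands is one line typed at its prompts.
    param([Parameter(Mandatory=$true)][string[]]$Commands)
    $out = & ntdsutil.exe @Commands 2>&1
    $out | ForEach-Object { [string]$_ }
}

function Get-SnapshotMountPathFromOutput {
    # The mount command reports the mounted volume as a path of the form
    # C:\$SNAP_<datetime>_VOLUMEC$\ (assumption: that path appears verbatim in the output).
    param([string[]]$Output)
    $m = [regex]::Match(($Output -join "`n"), '[A-Za-z]:\\\$SNAP_[^\s\\]+\\?')
    if ($m.Success) { $m.Value.TrimEnd('\') } else { $null }
}

function Mount-DirectorySnapshot {
    # Creates a snapshot and mounts it; returns the mount path. Index 1 is the first
    # snapshot "list all" shows, i.e. the one just created on a DC that had none
    # (the lab's situation); pass -Index to choose another.
    param([int]$Index = 1)
    Invoke-Ntdsutil -Commands @('activate instance ntds', 'snapshot', 'create', 'quit', 'quit') | Out-Null
    $out  = Invoke-Ntdsutil -Commands @('snapshot', 'list all', "mount $Index", 'quit', 'quit')
    $path = Get-SnapshotMountPathFromOutput -Output $out
    if (-not $path) { throw "mount path not found in ntdsutil output: $($out -join ' / ')" }
    $path
}

function Dismount-DirectorySnapshot {
    param([int]$Index = 1)
    Invoke-Ntdsutil -Commands @('snapshot', 'list all', "unmount $Index", 'quit', 'quit') | Out-Null
}

function Search-MountedSnapshot {
    # Starts dsamain on the snapshot's ntds.dit, runs one LDAP search against it over
    # loopback, and stops dsamain again whatever happens.
    param(
        [Parameter(Mandatory=$true)][string]$MountPath,
        [Parameter(Mandatory=$true)][string]$LdapFilter,
        [int]$Port = 5000
    )
    $dit  = Join-Path -Path $MountPath -ChildPath 'Windows\NTDS\ntds.dit'
    $proc = Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $Port" -PassThru -WindowStyle Hidden
    try {
        Start-Sleep -Seconds 10   # crude: dsamain needs a moment before it answers LDAP
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$Port/RootDSE")
        $nc      = [string]$rootDse.Properties['defaultNamingContext'].Value
        $base    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$Port/$nc")
        $search  = New-Object System.DirectoryServices.DirectorySearcher($base, $LdapFilter)
        foreach ($r in $search.FindAll()) { $r.Path }
    } finally {
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    }
}

# Constructed sample of the parsing step, runnable anywhere (the line is invented).
Get-SnapshotMountPathFromOutput -Output @('Snapshot {00000000-0000-0000-0000-000000000001} mounted as C:\$SNAP_200812041015_VOLUMEC$\')

# On the DC: prove the snapshot is readable before trusting it, then clean up. The
# unmount matters: the mounted path is a complete copy of ntds.dit, password hashes
# included, and stays on disk until it is unmounted.
# $snap = Mount-DirectorySnapshot
# Search-MountedSnapshot -MountPath $snap -LdapFilter '(&(objectClass=user)(sAMAccountName=bsmith))'
# Dismount-DirectorySnapshot
```

The same applies to the .vhd that wbadmin wrote to D:\WindowsImageBackup: it contains the directory database as well, so the backup target needs the same protection as the live NTDS folder.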

5. Delete the contoso\bsmith user account

a. Launch Server Manager.

1) Click Start, Administrative Tools, then Server Manager

b. Expand Roles | Active Directory Domain Services | Active Directory


Users and Computers | contoso.com | Training.

c. Find Ben Smith, and delete this account.

Note
The above steps are necessary to un-mount the Windows Server 2008 ISO to prevent accidentally selecting "Boot from CD or DVD" during the reboot.

d. Restart the server

e. Enter Directory Services Restore mode

1) Press F8 to enter Advanced Boot options

2) Select Directory Services Restore mode and press Enter

6. Use Windows Server backup to restore the Windows System State backup.

a. Obtain the version identifier of the stored system state backup

1) At the command prompt, type wbadmin get versions

2) Note the Version identifier value

b. Restore the system state

1) At the command prompt, type wbadmin start systemstaterecovery -version:<version identifier found in the previous step>
2) Type Y when prompted at Do you want to start the system state
recovery operation.
3) Type Y when prompted at:

The replication engine used at backup time was `FRS`. You cannot
use System State Recovery if the replication engine for SYSVOL
changed from the backup time.
If the replication engine has changed, abort this recovery and contact
support.
Do you want to proceed?
[Y] Yes [N] No

Note
If you are going to perform a restore after a SYSVOL migration to DFSR has been performed,
you cannot use a system state backup taken while FRS was the replication engine for SYSVOL.

7. Using ntdsutil.exe, authoritatively restore the user object

a. At the command prompt, type ntdsutil and press Enter
b. Type activate instance ntds and press Enter
c. Type authoritative restore and press Enter
d. Type restore object "CN=Ben Smith,OU=Training,DC=Contoso,DC=com" and press Enter
e. Type quit and press Enter, then type quit again and press Enter

8. Restart the Server into normal mode

9. Verify the contoso\bsmith account is available after the restore.

a. Launch Server Manager.

1) Click Start, Administrative Tools, then Server Manager

b. Expand Roles | Active Directory Domain Services | Active Directory


Users and Computers | contoso.com | Training.

c. Find Ben Smith.
