
Module 3 Lab Exercises

Lab 1: Implementing Active Directory Domain Forest

Description: Configure a Domain Controller for the domain Zee.com and provide load
balancing and fault tolerance for the domain controller. Create a child domain
BLR.Zee.com under the domain Zee.com. Raise the Domain and Forest Functional Levels to
Windows 2003 only.

Network Diagram

Forest root domain: ACME.COM
    Server1 - DC
    Server2 - ADC

Child domain: BLR.ACME.COM
    Server4 - DC

Domain tree root: NET.COM
    Server3 - DC

Trust between ACME.COM and NET.COM: two-way transitive

IP Configuration :
    Server1 : 192.168.10.1 /24
    Server2 : 192.168.10.2 /24
    Server3 : 192.168.10.3 /24
    Server4 : 192.168.10.4 /24
    DNS server : 192.168.10.1

Steps:
1. Configure the DNS server on Server1 for the domain DNS name ACME.COM
2. Run DCPROMO on Server1 to configure the Domain Controller for the domain ACME.COM
3. Configure the DNS server address on Server2 and run DCPROMO on this machine
4. After "Welcome to the Active Directory Installation Wizard", select Additional Domain
Controller for an Existing Domain and continue to complete the ADC configuration
5. Configure a separate primary zone for the child domain to hold all the SRV records of
the child domain controller
6. Configure the child domain for the existing domain on Server4
7. Configure the new domain tree in the existing forest on Server5
8. This builds the complete Active Directory domain forest
9. After completing the setup, use the following tools to check Active Directory
10. Use Active Directory Domains and Trusts to check the two-way transitive trust
relationship between the parent domain and the child domain, and the tree-root trust
relationship between ACME.COM and NET.COM
11. Use Active Directory Users and Computers to manage the different domains
12. Check for NTDS folder creation and SYSVOL folder creation on all the domain controllers
13. Check the domain and forest functional levels using Active Directory Domains and
Trusts / Active Directory Users and Computers
14. To raise the Domain and Forest functional levels, use Active Directory Domains and
Trusts
15. Use the NETDOM command to test and verify the trust relationship between the domains
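The checks in steps 10 to 15 can be scripted. The following is an added example, not part of the lab text; it assumes the ActiveDirectory PowerShell module (RSAT) on Windows Server 2008 R2 or later, whereas the lab itself targets Windows Server 2003, where the GUI tools and the nltest/netdom commands at the end are the equivalent checks. Server names, domain names and the default NTDS path are taken from the lab diagram and Windows defaults.

```powershell
# Added verification script for Lab 1 (not part of the lab text).
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2+).
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root       : $($forest.RootDomain)"
"Forest mode       : $($forest.ForestMode)"
"Domains in forest : $($forest.Domains -join ', ')"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "`n[$domainName] mode=$($domain.DomainMode) parent=$($domain.ParentDomain) children=$($domain.ChildDomains -join ',')"

    # Step 12: every DC of the domain must have an NTDS folder (default
    # %SystemRoot%\NTDS, reachable through the admin$ share) and a SYSVOL share.
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        $ntdsOk   = Test-Path "\\$($dc.HostName)\admin$\NTDS"
        $sysvolOk = Test-Path "\\$($dc.HostName)\SYSVOL\$domainName"
        "  DC {0,-28} NTDS={1,-5} SYSVOL={2}" -f $dc.HostName, $ntdsOk, $sysvolOk
    }

    # Step 10: trusts as seen from this domain. Parent/child and tree-root
    # trusts created by DCPROMO are two-way and IntraForest.
    Get-ADTrust -Filter * -Server $domainName |
        Select-Object Name, Direction, IntraForest, TrustType |
        Format-Table -AutoSize
}

# Step 14: raise functional levels (irreversible; each domain first, then the forest).
# Set-ADDomainMode -Identity ACME.COM     -DomainMode Windows2003Domain
# Set-ADDomainMode -Identity BLR.ACME.COM -DomainMode Windows2003Domain
# Set-ADDomainMode -Identity NET.COM      -DomainMode Windows2003Domain
# Set-ADForestMode -Identity $forest      -ForestMode Windows2003Forest

# Step 15: command-line trust checks (these also exist on Windows Server 2003).
nltest /domain_trusts /all_trusts
netdom trust BLR.ACME.COM /domain:ACME.COM /verify
netdom trust NET.COM /domain:ACME.COM /verify
```

A DC whose SYSVOL share is missing will not serve Group Policy, and a trust that fails /verify usually means the DNS delegation for the child zone (step 5) is wrong; both are worth catching here before Lab 2 onwards builds on this forest.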

LAB 2 : Implementing Organizational Unit Structure

Description: Create an OU named Training in the domain IBM.com. Give user jack
permission to create user objects in the Training OU only. Verify the delegation of control.

Network Diagram:

DC ADC

IP: 192.168.10.1/24 IP: 192.168.10.2/24


DNS: 192.168.10.1 DNS: 192.168.10.1

Client 1

IP: 192.168.10.3/24
DNS: 192.168.10.1

Steps:

1. Rig up the circuit as shown in the diagram
2. Assign the static IP addresses as shown in the diagram
3. Configure the DNS server on the Domain Controller for the domain IBM.com
4. Configure the Domain Controller and Additional Domain Controller for the domain
IBM.com
5. Join Client1 to the domain IBM.com
6. Open Active Directory Users and Computers by running dsa.msc from the Run command
7. Right-click the domain and select New to create an OU named Training
8. Right-click the Training OU and create a new user object Jack in the Training OU
9. Right-click the Training OU to view Delegate Control
10. Click Delegate Control to open the Delegation of Control Wizard
11. Select the user to whom you need to delegate; in this case select user Jack
12. Select the permission you want to delegate and click Next. In this case grant
Create User Objects only
13. This completes the delegation of control to user Jack
14. In Active Directory Users and Computers click View and select Advanced Features
15. Right-click the Training OU, open Properties and click the Security tab
16. Check for the user among the security principals and view his permissions
17. Move the user to a different OU and check the permissions again
18. Remove the permissions manually and check the permissions again
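Steps 14 to 18 verify the delegation through the Security tab. The following added example (not part of the lab text) does the same check from PowerShell and, more usefully, confirms that jack holds nothing broader than "Create user objects". It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), which provides the AD: drive used by Get-Acl; on the Windows Server 2003 DC of the lab the equivalent listing is dsacls "OU=Training,DC=ibm,DC=com". The function names are mine.

```powershell
# Added check for Lab 2 (not part of the lab text).
Import-Module ActiveDirectory

# schemaIDGUID of the 'user' object class. An ACE whose ObjectType is this
# GUID and whose right is CreateChild is exactly what the wizard grants for
# "Create selected objects in this folder: User objects".
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Get-DelegatedRights {
    param([string]$OuDn, [string]$SamAccountName)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$SamAccountName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, IsInherited
}

function Test-CreateUserOnlyDelegation {
    param([string]$OuDn, [string]$SamAccountName)
    $aces = @(Get-DelegatedRights -OuDn $OuDn -SamAccountName $SamAccountName)
    if ($aces.Count -eq 0) { return $false }      # step 18: permissions removed
    # Every Allow ACE for the user must be CreateChild scoped to the user
    # class. Anything wider (GenericAll, WriteDacl, WriteOwner, CreateChild
    # without an ObjectType) means the delegation is larger than intended.
    foreach ($ace in $aces | Where-Object { $_.AccessControlType -eq 'Allow' }) {
        $rightsOk = $ace.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
        $scopeOk  = $ace.ObjectType -eq $userClassGuid
        if (-not ($rightsOk -and $scopeOk)) { return $false }
    }
    return $true
}

$ou = 'OU=Training,DC=ibm,DC=com'
Get-DelegatedRights -OuDn $ou -SamAccountName 'jack' | Format-Table -AutoSize
"Delegation limited to creating users: $(Test-CreateUserOnlyDelegation -OuDn $ou -SamAccountName 'jack')"
```

Step 17 has a predictable outcome: the ACE lives on the Training OU, not on jack's account, so moving jack to another OU leaves his right to create users in Training unchanged. Only step 18 (removing the ACE) changes what the function reports.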

Lab 3 : Moving Objects from one domain to another domain

Description: Move the user objects residing in the parent domain IBM.com to the child
domain BLR.IBM.COM from the command line. Also try to migrate the user account
from the child domain back to the parent domain.

Network Diagram
IBM.com BLR.IBM.com

Server1 Server2
DC: 192.168.10.1 /24 CDC: 192.168.10.2 /24
DNS: 192.168.10.1 DNS: 192.168.10.1

Steps:

1. Assign the static IP addresses as per the network diagram
2. Configure the DNS server on Server1
3. Configure the Domain Controller for the domain IBM.com on Server1
4. Configure the Domain Controller for the child domain BLR.IBM.com on Server2
5. Create an OU named training in the parent domain and create 3 user objects named
michel, john and Ruby
6. Use the MOVETREE command to move the users from the parent domain to the child domain
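As an added example (not part of the lab text), the same move done with Move-ADObject, the current equivalent of the MOVETREE tool named in step 6, including the check that most often makes a cross-domain move fail. It assumes the ActiveDirectory module (RSAT), that OU=training exists in both domains, and the server names from the lab diagram; the function name is mine.

```powershell
# Added example for Lab 3 (not part of the lab text).
Import-Module ActiveDirectory

$parentDc = 'server1.ibm.com'       # DC of the parent domain (lab diagram)
$childDc  = 'server2.blr.ibm.com'   # DC of the child domain  (lab diagram)
$parentOu = 'OU=training,DC=ibm,DC=com'
$childOu  = 'OU=training,DC=blr,DC=ibm,DC=com'

function Move-UserAcrossDomain {
    param([string]$SamAccountName, [string]$SourceDc, [string]$TargetDc, [string]$TargetOu)
    $user = Get-ADUser -Identity $SamAccountName -Server $SourceDc
    # A cross-domain move is refused while the account is a member of any
    # global group other than its primary group (Domain Users), so report
    # that before attempting the move.
    $blocking = Get-ADPrincipalGroupMembership -Identity $user -Server $SourceDc |
        Where-Object { $_.GroupScope -eq 'Global' -and $_.Name -ne 'Domain Users' }
    if ($blocking) {
        Write-Warning "$SamAccountName is in global group(s) $($blocking.Name -join ', '); remove it first"
        return
    }
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOu `
                  -Server $SourceDc -TargetServer $TargetDc
    # Verify on a DC of the target domain
    Get-ADUser -Identity $SamAccountName -Server $TargetDc | Select-Object Name, DistinguishedName
}

# Parent -> child (step 6)
foreach ($name in 'michel', 'john', 'Ruby') {
    Move-UserAcrossDomain -SamAccountName $name -SourceDc $parentDc -TargetDc $childDc -TargetOu $childOu
}
# Child -> parent (second part of the description)
Move-UserAcrossDomain -SamAccountName 'john' -SourceDc $childDc -TargetDc $parentDc -TargetOu $parentOu

# The Windows Server 2003 Support Tools command the lab refers to, for one
# user (check movetree /? on the lab box for the exact switch list):
#   movetree /start /s server1.ibm.com /d server2.blr.ibm.com
#            /sdn "CN=john,OU=training,DC=ibm,DC=com"
#            /ddn "CN=john,OU=training,DC=blr,DC=ibm,DC=com"
```

A moved account keeps its objectGUID but gets a new SID from the target domain; resources in the source domain that were granted to the old SID stop working unless the SID is carried in sIDHistory, which a plain move does not do.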

LAB 4: Implementing Group policy

Task1: Creating linked and unlinked Group Policy objects.

Description: Create an unlinked GPO that defines the minimum password length as 8
characters, and a linked GPO that defines the invalid logon attempts as 5, in the domain IBM.com

Steps

1. Configure the Domain Controller for the domain IBM.com
2. Open Microsoft Management Console, add the Group Policy Object Editor snap-in and
click Next
3. Click All to view all the Group Policy Objects
4. Right-click in the panel area and select New to create a new Group Policy Object
5. Select this GPO and save the console to the desktop
6. This is an unlinked GPO
7. Open this GPO by double-clicking it to view Computer Configuration and
User Configuration
8. In Computer Configuration, under Security Settings, select Password Policy to
view all the policies related to passwords
9. Click the Minimum Password Length policy and set the minimum number of characters
to 8
10. To create a linked GPO, open ADUC
11. Right-click the domain and select Properties
12. Click Group Policy to view the Default Domain Policy as a linked GPO
13. Click New to create a new linked GPO and name it Invalid logon policy
14. Select the new linked GPO and click Edit to view Computer and User Configuration
15. Click Computer Configuration > Security Settings > Account Policies > Account
Lockout Policy
16. Define the number of invalid logon attempts as 5 and the lockout duration as 30 minutes
17. This completes the creation of the linked GPO
18. Test the policies of the linked GPO and the unlinked GPO. Note down the results
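For step 18, the following added example (not part of the lab text) lists which GPOs exist, which are actually linked at the domain, and what account policy domain accounts really get. It assumes the ActiveDirectory and GroupPolicy modules (RSAT, Windows Server 2008 R2 or later); on the Windows Server 2003 DC of the lab, net accounts /domain shows the same effective values. The function name is mine.

```powershell
# Added check for Lab 4 Task 1 (not part of the lab text).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = 'ibm.com'
$domainDn = (Get-ADDomain -Identity $domain).DistinguishedName

# Which GPOs exist at all ...
"GPOs in $domain"
Get-GPO -All -Domain $domain | Select-Object DisplayName, GpoStatus, ModificationTime | Format-Table -AutoSize

# ... and which are linked at the domain. The unlinked 8-character GPO from
# steps 4-9 never appears here, so it has no effect on anyone.
"GPO links on $domainDn"
(Get-GPInheritance -Target $domainDn -Domain $domain).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

function Test-DomainAccountPolicy {
    param([int]$MinLength = 8, [int]$Threshold = 5, [int]$DurationMinutes = 30)
    # Account policies for domain accounts are taken only from GPOs linked at
    # the domain root (Default Domain Policy or, here, "Invalid logon policy").
    # The same settings in a GPO linked to an OU only govern the local
    # accounts of the computers in that OU.
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
    [pscustomobject]@{
        MinPasswordLength = $p.MinPasswordLength
        LockoutThreshold  = $p.LockoutThreshold
        LockoutDuration   = $p.LockoutDuration
        MinLengthAsLab    = ($p.MinPasswordLength -ge $MinLength)
        LockoutAsLab      = ($p.LockoutThreshold -eq $Threshold -and
                             $p.LockoutDuration -eq [timespan]::FromMinutes($DurationMinutes))
    }
}
Test-DomainAccountPolicy
```

The expected result for the lab as written is LockoutAsLab true and MinLengthAsLab false: the lockout GPO is linked at the domain, the 8-character GPO is not, so the default minimum length stays in force until that GPO is linked at the domain root as well.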

Task 2: Implementing GPO inheritance, blocking and override options

Description: Create 2 Group Policy objects, GPO1 and GPO2. Define GPO1 to hide
the Run menu in the Start menu and GPO2 to hide Add/Remove Programs in Control Panel, and link
both at the domain level. Create two OUs, Training and Sales. Enable Block Inheritance for the
Training OU; the users in Sales inherit the policies. Define No Override for the GPO2 link.

Steps

1. Open Active Directory Users and Computers. Right-click the domain and
open Properties to view Group Policy
2. Open Group Policy and add 2 new Group Policy objects named GPO1
and GPO2
3. Edit GPO1 to view Computer and User Configuration
4. Open User Configuration, and under Administrative Templates click Start Menu
and Taskbar
5. Configure Remove Run menu from Start Menu as Enabled
6. Edit GPO2 to view Computer and User Configuration
7. Open User Configuration, and under Administrative Templates click Control Panel
8. Click Add or Remove Programs and configure Remove Add or Remove
Programs as Enabled
9. Create two OUs, Training and Sales
10. Right-click the Training OU, open Properties and open Group Policy
11. Check the box Block Policy inheritance
12. Right-click the domain and open Properties to open Group Policy
13. Select GPO2, click Options and check the No Override option
14. Click OK twice to close the windows
15. This completes enabling the override option

Task 3: Managing GPO by using Group Policy Management Console

Description: Download GPMC.msi from the Microsoft site and install the tool. Create a
GPO to hide Task Manager and link it to the Training OU

Steps

1. Install the GPMC.msi package on a Windows 2003 member server or Windows XP
with SP2
2. Open Active Directory Users and Computers by typing dsa.msc in the Run
menu
3. Right-click the Training OU, open Properties and click Group
Policy > Open to view the GPMC tree
4. Click Domains to view the list of domains and select Group Policy Objects
in a specific domain
5. Right-click Group Policy Objects and click New to create a new
Group Policy Object and name it Test policy
6. Right-click Test policy and click Edit to view Computer and User
Configuration
7. Select User Configuration, click Administrative
Templates > System > Ctrl+Alt+Del Options > Remove Task Manager and configure the
setting as Enabled
8. Right-click the Training OU and click Link an Existing GPO..., which will
open the available GPOs
9. Select the GPO which was created most recently and click OK
10. This exercise has created a GPO and linked the GPO to the Training OU.
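Tasks 2 and 3 build three GPOs, two domain links, one OU link, Block Inheritance on Training and No Override (called Enforced in GPMC) on GPO2. The following added example (not part of the lab text) does the same with the GroupPolicy module, writing the registry values that the three Administrative Template settings write. It assumes the ActiveDirectory and GroupPolicy modules (RSAT, Windows Server 2008 R2 or later) and the domain IBM.com from the lab.

```powershell
# Added example for Lab 4 Tasks 2 and 3 (not part of the lab text).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = 'ibm.com'
$domainDn = 'DC=ibm,DC=com'
$training = "OU=Training,$domainDn"
$sales    = "OU=Sales,$domainDn"

# Task 2 step 9: the two OUs
foreach ($ou in 'Training', 'Sales') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn
    }
}

# Each Administrative Template setting is a DWORD under an HKCU policy key;
# these are the values "Remove Run menu", "Remove Add or Remove Programs"
# and "Remove Task Manager" set when Enabled.
$policies = @(
    @{ Name = 'GPO1';        Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';  Value = 'NoRun';               Link = $domainDn }
    @{ Name = 'GPO2';        Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'; Value = 'NoAddRemovePrograms'; Link = $domainDn }
    @{ Name = 'Test policy'; Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System';    Value = 'DisableTaskMgr';      Link = $training }
)
foreach ($p in $policies) {
    if (-not (Get-GPO -Name $p.Name -Domain $domain -ErrorAction SilentlyContinue)) {
        New-GPO -Name $p.Name -Domain $domain | Out-Null
    }
    Set-GPRegistryValue -Name $p.Name -Domain $domain -Key $p.Key -ValueName $p.Value -Type DWord -Value 1 | Out-Null
    New-GPLink -Name $p.Name -Target $p.Link -Domain $domain -ErrorAction SilentlyContinue | Out-Null
}

# Task 2 steps 10-13: Training blocks inheritance; GPO2 is enforced so it
# still reaches Training. Sales inherits everything from the domain.
Set-GPInheritance -Target $training -Domain $domain -IsBlocked Yes | Out-Null
Set-GPLink -Name 'GPO2' -Target $domainDn -Domain $domain -Enforced Yes | Out-Null

# What each OU ends up receiving, computed server-side before any client logs on.
foreach ($target in $training, $sales) {
    $inh = Get-GPInheritance -Target $target -Domain $domain
    "{0}: blocked={1}; applies: {2}" -f $target, $inh.GpoInheritanceBlocked, ($inh.InheritedGpoLinks.DisplayName -join ', ')
}
```

Expected outcome: Training receives GPO2 (enforced) and Test policy but not GPO1; Sales receives the Default Domain Policy, GPO1 and GPO2. On a client, gpupdate /force followed by gpresult /r /scope:user shows the same list under "Applied Group Policy Objects", with GPO1 listed under "filtered out" for a Training user.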

Task 4: Implementing Group policy modeling

Description: Simulate a Group Policy deployment for planning and testing purposes
using Group Policy Modeling. Simulate the policy for the users and computers available in the
Training OU

Steps:

1. Click Start > Programs > Administrative Tools > Group Policy Management to
view the tree structure of GPMC
2. Right-click Group Policy Modeling and select Group Policy Modeling
Wizard
3. In the Group Policy Modeling Wizard specify the domain controller used to perform
the simulation and click Next
4. To view simulated policy settings for a specific container, user or computer,
select the appropriate options
5. In this scenario we have selected the Training OU for both user and computer
information; click Next
6. In Advanced Simulation Options select the defaults and click Next
7. To simulate changes to the selected user's security groups you can add
additional security groups; click Next (applicable for user and computer)
8. If you want to apply only the policies whose WMI filters are satisfied, you can
specify a specific WMI filter or all linked filters (applicable for user and
computer)
9. Finally it displays a summary of the selections; click Next
10. This generates a report of the simulated settings for the Training OU
11. Also note down the settings and query information
12. This completes Group Policy Modeling

Task 5: Viewing the Resultant Set of Policy

Description: View the resultant set of policy applied to a specific user or
computer available in the Training OU

Steps

1. Open Start > Programs > Administrative Tools > Group Policy Management
Console
2. Right-click Group Policy Results to open the Group Policy Results Wizard
and click Next
3. Select the computer for which you need to display policy settings. In our case
select Another computer and select a computer available in the Training OU
4. Select the user who is available in the Training OU by selecting a specific user
and click Next
5. The next screen displays the summary of the selections you made in the
wizard; click Next
6. Click Finish to view the resultant policy settings for the selected user and
computer
7. The same thing can be done from the command line by using GPRESULT

LAB 5: Implementing Group policy through Security Templates

Description: Create a custom security template using Security Templates, then import,
analyze and apply it to a computer using Security Configuration and Analysis

Steps:

1. Create an MMC console with the Security Templates and Security Configuration
and Analysis snap-ins
2. Click Security Templates to view the list of security templates available
3. To create a new security template, right-click windows\security\templates,
click New Template and give the name for the new template
4. Edit the template policy settings based on the requirement
5. Use Security Configuration and Analysis to create a new database and link it to the
existing ready-made template
6. Right-click Security Configuration and Analysis and select Analyze
Computer Now. This compares the settings existing on the computer with the
settings in the database and may show red cross marks for some
settings if there is a mismatch
7. Right-click Security Configuration and Analysis and select Configure
Computer Now
8. If you want to apply a different template's settings, just import the new
template, analyze and then configure the computer
9. To import the security template into the Group Policy security settings, edit the
Group Policy object by opening Group Policy Management Console
10. Under Computer Configuration open Security Settings
11. Right-click Security Settings and select Import Policy to select the readily
available security templates
12. This completes applying Group Policy through security templates
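Steps 4 to 8 have a command-line form, secedit, which is what the snap-in drives underneath. The following added example (not part of the lab text) writes a small template in the same .inf format the snap-in uses, analyzes the local computer against it and then applies it. The template values are constructed for the example (they reuse the lengths, thresholds and audit setting from Labs 4 and 9); paths under C:\Lab5 are assumptions. It runs on Windows Server 2003 and later.

```powershell
# Added example for Lab 5 (not part of the lab text). Run as an administrator.
$workDir      = 'C:\Lab5'                       # assumed working folder
$templatePath = Join-Path $workDir 'Custom.inf'
$dbPath       = Join-Path $workDir 'Custom.sdb'  # step 5: the analysis database
$logPath      = Join-Path $workDir 'Custom.log'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Steps 3-4: a security template is an INI-style, Unicode .inf file, the same
# format as the templates in %SystemRoot%\security\templates.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
[Event Audit]
AuditObjectAccess = 3
'@ | Set-Content -Path $templatePath -Encoding Unicode

# Step 5-6: import the template into a fresh database and compare the
# machine against it. Differences are written to the log as "Mismatch - ...".
secedit /analyze /db $dbPath /cfg $templatePath /overwrite /log $logPath /quiet
"Settings that differ from the template:"
Select-String -Path $logPath -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }

# Step 7: apply the database to the computer
secedit /configure /db $dbPath /log $logPath /quiet

# Current local policy after configuration, for comparison with the template
secedit /export /cfg (Join-Path $workDir 'Current.inf') /quiet
Select-String -Path (Join-Path $workDir 'Current.inf') -Pattern 'MinimumPasswordLength|LockoutBadCount|AuditObjectAccess'
```

AuditObjectAccess = 3 means success and failure (1 is success only, 2 failure only). Note that secedit /configure changes the local security policy of this one computer; on a domain member the domain GPO overrides it at the next refresh, which is why steps 9 to 11 import the template into a GPO instead.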

LAB 6: Folder redirection through Group Policy

Description: Redirect the My Documents folder of all users available in the
Training OU to a file server called FS1.

1. Open Start > Programs > Administrative Tools > Group Policy Management
Console
2. Open Group Policy Objects to view the list of GPOs
3. Under User Configuration open Windows Settings > Folder Redirection
4. Right-click My Documents and open Properties
5. Under Target, in Setting, select Basic - Redirect everyone's folder to the
same location
6. Under Target folder location select Redirect to the following location
7. Under Root Path give the UNC path of the shared folder,
e.g. \\servername\sharename\%username%
8. Click Settings, select the default values and apply to redirect all
users' My Documents folders to the UNC path mentioned
9. To test, log in with a roaming user account, create a test folder and a test
file and save it in My Documents
10. You will be able to observe the creation of a folder named after the user, with
folders inside it.

LAB 7 : Implementing log on script by using Group Policy

Description: Create a logon script that displays Notepad when the users in the
Training OU log on to the system.

1. Create a batch file by typing copy con test.bat
2. Type notepad and press Ctrl+Z
3. Click Start > Programs > Administrative Tools > Group Policy Management
Console
4. Click Group Policy Objects to view the list of GPOs
5. Right-click the test GPO that was created and click Edit to view Computer
Configuration and User Configuration
6. Under User Configuration click Windows Settings > Scripts to view the Logon
and Logoff scripts
7. Click Logon, click Show Files and paste the batch file there
8. Click Add, browse for the script name to select the batch file and click OK
9. Click Apply and close all the windows
10. Ensure that the GPO which was edited is linked to the Training OU
11. Run GPUPDATE /force from the command line
12. Log in with a user account available in the Training OU to see Notepad

LAB 8: Managing Software deployment by using Group policy

Task1: Deploying the Office package to all the computers

Description: Deploy the Office package to all the computers in the Training OU.

Steps:

1. Create a shared folder and copy all the .msi package files and installation files
of the Office package into it.
2. Set Read and Execute permissions for everyone and hide the shared folder from
normal users
3. Open Start > Programs > Administrative Tools > Group Policy Management
Console
4. Click Group Policy Objects to view the list of Group Policy objects
under the domain training.com
5. Right-click Group Policy Objects and click New to create a new unlinked
GPO and name it Office package for training
6. Edit the new GPO and open Computer Configuration > Software
Settings > Software Installation
7. Right-click Software Installation, open Properties and provide
the UNC path of the shared folder that was created in the first step
8. Right-click Software Installation and click New to provide the
information of the .msi package files available in the shared folder.
9. Move the computers on which you want to deploy this policy to the Training OU
10. Link the GPO to that OU and restart the client computer
11. Check for the Office package, which will be installed under Program Files

LAB 9: Auditing security for the object access

Description: Audit read, write and delete access by all users on a shared folder
available on a file server

Steps

1. Open GPEDIT.msc on the file server; under Computer Configuration open
Windows Settings > Security Settings > Audit Policy and set Audit object
access to Success and Failure
2. Right-click the shared folder and select Sharing and Security
3. Click Security > Advanced > Auditing to add the list of users you want to audit.
In this case select the Everyone group and click OK
4. Select the level of access you want to audit for Success and Failed. In this case
select Everyone and the access levels Read, Write and Delete for Successful and
Failed, and click OK
5. Log in with any user, try to access the folder, create some files and
delete the files which you have created
6. Open Event Viewer on the file server to view the auditing events in the
Security log
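The same configuration and the step 6 review can be scripted, which also makes the resulting events easier to read than scrolling the Security log. The following added example (not part of the lab text) assumes Windows Server 2008 or later, where the audit category is set with auditpol and file access is logged as event ID 4663; on the Windows Server 2003 file server the lab uses, the same SACL produces event IDs 560 and 567 and the category is set through GPEDIT.msc as in step 1. The share path and function name are assumptions.

```powershell
# Added example for Lab 9 (not part of the lab text). Run as an administrator
# on the file server.
$sharePath = 'D:\Shares\Public'    # assumed path of the shared folder

# Step 1: object access auditing, success and failure (local audit policy)
auditpol /set /category:"Object Access" /success:enable /failure:enable

# Steps 2-4: SACL entry for Everyone, read/write/delete, success and failure.
# Get-Acl -Audit is needed to read the existing SACL; without it Set-Acl
# would write back only the new rule.
$acl = Get-Acl -Path $sharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Read, Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Step 6: read the Security log. 4663 = "An attempt was made to access an
# object". Fields are taken from the event XML by name, so nothing depends
# on field order. Only events for the share path are returned.
function Get-ShareAccessEvents {
    param([string]$Path, [int]$Max = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectName'] -like "$Path*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Object  = $data['ObjectName']
                    Access  = ($data['AccessList'] -replace '\s+', ' ').Trim()
                    Process = $data['ProcessName']
                    Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                }
            }
        }
}
Get-ShareAccessEvents -Path $sharePath | Format-Table -AutoSize
```

Step 5's deletions show up as 4663 with DELETE in the access list followed by 4660 ("An object was deleted") for the same handle. Auditing Everyone for reads on a busy share generates a large volume of events; in practice the SACL is usually narrowed to write and delete, or to a group smaller than Everyone, once the exercise has shown how the events look.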

Lab10: Managing Deployment of Software through Group policy

Task1: Deploying the Office package to all the computers in the Training OU.

Steps:

1. Create a shared folder, give full access permissions to Everyone, and put the
MSI package and all installation files of the Office package into this shared folder
2. Click Start > Programs > Administrative Tools > Group Policy Management >
Group Policy Objects to view the list of GPOs
3. Right-click and edit the test GPO to view Computer and User Configuration
4. Right-click Software Settings and open Properties to provide the UNC
path of the shared folder
5. Click Assign and close the window
6. Right-click Software Installation and select New > Package
7. Select the .msi package available in the software shared folder
8. Run GPUPDATE /force from the command line
9. To test the settings, restart the client computer and log in with any user; you
will see the software being installed automatically the first time
10. You can also try the redeployment, upgrade and removal options
11. Similarly try the Publish option available in Software Settings under User
Configuration
12. Observe that the software is available under Add New Programs in the
Add/Remove Programs wizard
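Labs 6, 8 and 10 all depend on a file server share, and the permissions on that share are where most of the security of these exercises lies. Lab 8 step 2 asks for read and execute only plus a hidden share; Lab 10 step 1 grants Everyone full access, which is more than installation needs, since clients only read the package. The following added example (not part of the lab text) creates both kinds of share with the permissions a practitioner would use: a read-only hidden software share, and a folder-redirection root where each user can create and see only their own %username% folder. It assumes Windows Server 2012 or later for New-SmbShare and Set-SmbShare; on Windows Server 2003 the NTFS part is identical and the share is created with net share instead (noted in the comments). Paths and share names are assumptions.

```powershell
# Added example for Labs 6, 8 and 10 (not part of the lab text). Run as an
# administrator on the file server (FS1 in Lab 6).

# Labs 8/10: software distribution share. Clients (computer accounts for
# assigned software, users for published software) need only Read & Execute.
# The trailing $ hides the share from browsing; it does not restrict access.
function New-SoftwareShare {
    param([string]$Path = 'D:\Shares\Software', [string]$Name = 'Software$')
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # NTFS: administrators manage the files, everyone else reads. Replace the
    # inherited ACL so a permissive parent folder cannot widen it.
    icacls $Path /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
        'Domain Computers:(OI)(CI)RX' 'Authenticated Users:(OI)(CI)RX' | Out-Null
    # Share permission mirrors NTFS. Windows Server 2003 equivalent:
    #   net share Software$=D:\Shares\Software /grant:"Authenticated Users",READ
    New-SmbShare -Name $Name -Path $Path -FullAccess 'Administrators' `
        -ReadAccess 'Authenticated Users', 'Domain Computers' | Out-Null
}

# Lab 6: folder redirection root. Users may list the root and create their
# own subfolder there but nothing else; CREATOR OWNER gives each user full
# control of the folder they create, so users cannot read each other's
# My Documents. Access-based enumeration hides the other folders entirely.
function New-RedirectionShare {
    param([string]$Path = 'D:\Shares\Redirect', [string]$Name = 'Redirect$')
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Rights on the root only (no OI/CI) for users: RD list folder, AD create
    # subfolder, RA/REA read attributes, RC read permissions, X traverse.
    icacls $Path /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
        'CREATOR OWNER:(OI)(CI)(IO)F' 'Authenticated Users:(RD,AD,RA,REA,RC,X)' | Out-Null
    # Share-level Full Control is fine here: NTFS does the restricting.
    New-SmbShare -Name $Name -Path $Path -FullAccess 'Authenticated Users' | Out-Null
    Set-SmbShare -Name $Name -FolderEnumerationMode AccessBased -Force
}

New-SoftwareShare
New-RedirectionShare
# Verify what was created
Get-SmbShare -Name 'Software$', 'Redirect$' | Select-Object Name, Path, FolderEnumerationMode
icacls 'D:\Shares\Redirect'
```

With the redirection share built this way, the Lab 6 root path is \\FS1\Redirect$ and the redirection client creates the %username% folder itself at first logon (step 10); the folder's owner is the user, which is what the CREATOR OWNER entry relies on.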

LAB 11: Managing the Operations Master Roles

Task1: To view the forest-wide operations master roles

Description: Check for the Domain Naming Master and Schema Master
through the GUI

Steps

1. To view the Domain Naming Master, open Administrative Tools > Active
Directory Domains and Trusts
2. Right-click Active Directory Domains and Trusts to view Operations Master
3. The dialog displays the domain controller holding the role of Domain
Naming Master
4. To view the Schema Master, run regsvr32 schmmgmt.dll from the Run prompt
5. Open MMC and add the Active Directory Schema snap-in
6. Right-click Active Directory Schema and click Operations Master to view
the Domain Controller holding the role of Schema Master

Task 2: To view the domain-wide operations master roles

Description: View the RID Master, PDC Emulator and Infrastructure
Master

Steps

1. To view the PDC Emulator, run dsa.msc from the Run menu
2. Right-click the domain and select Operations Masters
3. Click RID, PDC or Infrastructure to view the current role holders

Task 3: To transfer the operations master roles

Description: Wipro is currently running with 2 domain controllers, with
all the operations masters running on the main domain controller server1. You want to
take server1 down for maintenance to upgrade its hardware configuration. You have
been asked to transfer the roles from server1 to server2.

Steps:

1. Check that replication is happening properly between the domain controllers
using ADSS and the replication monitoring tool
2. Ensure both domain controllers are up and running
3. Open a command prompt and type ntdsutil
4. Type roles to enter FSMO maintenance
5. Type connections to enter server connections
6. Type transfer domain naming master
7. Type transfer schema master
8. Type transfer PDC
9. Type transfer RID master
10. Type transfer infrastructure master
11. Check for the new holder of the operations master roles
12. Restart both servers and ensure both domain controllers know about the new
role holders
13. Shut down server1 for maintenance

Task 4: To seize the operations master roles

Description: The company Wipro Ltd. is running with 2 domain controllers
with the FQDNs server1.wipro.com and server2.wipro.com. server1.wipro.com is
holding all the roles. This domain controller is down and cannot be recovered.
You have been asked to seize all the roles so that they are owned by the ADC.

Steps:

1. Disconnect the domain controller which is currently holding the roles
2. Open a command prompt and type NTDSUTIL
3. Type roles
4. Type connections
5. Type connect to server server2.wipro.com
6. Type seize domain naming master
7. Type seize schema master
8. Type seize PDC
9. Type seize RID master
10. Type seize infrastructure master
11. Do not bring back the domain controller from which the roles have been seized
12. Format the hard disk, install the new OS and reconfigure the domain controller
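Tasks 1 to 4 can all be done from one script on a current domain controller. The following added example (not part of the lab text) assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) run on a DC of wipro.com, with the server names from the lab; the ntdsutil one-liners in the comments are the Windows Server 2003 path the lab itself follows, passed as command-line arguments instead of typed interactively. The function name is mine.

```powershell
# Added example for Lab 11 (not part of the lab text).
Import-Module ActiveDirectory

function Get-FsmoHolders {
    param([string]$Domain = 'wipro.com')
    $f = Get-ADForest -Identity $Domain
    $d = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster          # Task 1: forest-wide
        DomainNamingMaster   = $f.DomainNamingMaster    # Task 1: forest-wide
        PDCEmulator          = $d.PDCEmulator           # Task 2: per domain
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
# Command-line equivalent of Tasks 1 and 2:  netdom query fsmo
Get-FsmoHolders

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Task 3: planned transfer while both DCs are up. Step 1 first: a transfer
# with a lagging replication partner can leave server2 with a stale RID pool
# and stale schema, so confirm replication is clean before moving anything.
repadmin /replsummary
repadmin /showrepl server2.wipro.com
Move-ADDirectoryServerOperationMasterRole -Identity 'server2' -OperationMasterRole $roles -Confirm:$false
# Steps 3-10 as one ntdsutil command line:
#   ntdsutil roles connections "connect to server server2.wipro.com" quit "transfer schema master" "transfer naming master" "transfer PDC" "transfer RID master" "transfer infrastructure master" quit quit
Get-FsmoHolders                     # step 11: new holders

# Task 4: seize when server1 is gone for good. -Force first attempts a
# transfer and seizes only if the current holder does not respond.
# Move-ADDirectoryServerOperationMasterRole -Identity 'server2' -OperationMasterRole $roles -Force -Confirm:$false
# Steps 2-10 as one ntdsutil command line:
#   ntdsutil roles connections "connect to server server2.wipro.com" quit "seize schema master" "seize naming master" "seize PDC" "seize RID master" "seize infrastructure master" quit quit
```

Task 4 step 11 exists because the old server1 still believes it owns every role; if it came back online the forest would have two schema masters and two RID masters handing out overlapping SIDs. Before a rebuilt server1 is promoted again under the same name (step 12), its stale DC object must be removed, which ntdsutil's "metadata cleanup" menu does on Windows Server 2003 and deleting the DC object in Active Directory Users and Computers does on Windows Server 2008 and later.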

Lab 12 : Maintaining Active Directory

Task1 : Taking the backup of Active Directory

Description: Take the backup of the domain controller server1.wipro.com by
using the NTBACKUP utility

Steps

1. Run ntbackup from the Run menu to view the Backup Wizard
2. Click Advanced Mode to open the Backup Utility in advanced mode
3. Click the Backup icon to open the Backup Wizard
4. Under What to back up, select Only back up the System State data
5. Provide the location where the backup is to be kept and a name for the backup
6. This takes a backup of the complete Active Directory database

Task 2: Non-Authoritative Restore of the Active Directory Database

Description: Wipro has a single domain controller for the domain
Wipro.com. Take the backup of Active Directory. Delete the Training OU, which
has 4 user objects. Do a non-authoritative restore to recover the objects deleted after
the backup was taken

Steps

1. Take the backup of the System State on the domain controller
2. Delete the Training OU
3. Restart the system in DSRM mode
4. Use the ntbackup utility to restore the System State backup
5. Restart the server
6. Check for the deleted objects

Task 3 : Authoritative Restore of Active Directory

Description: Wipro has 2 domain controllers for the domain Wipro.com.
Someone has deleted the Training OU on one of the domain controllers.
The deletion replicated to the other domain controller. You need to
restore the deleted object with an authoritative restore.

Steps

1. Take the backup of the System State on the domain controller
2. Delete the Training OU
3. Restart the system in DSRM mode
4. Use the NTBACKUP utility to restore the System State backup
5. Do not restart the machine
6. Open a command prompt and type NTDSUTIL
7. Type authoritative restore
8. Type restore subtree "ou=training,dc=wipro,dc=com"
9. A dialog box asks to confirm the authoritative restore of the specified object; click
Yes
10. This increases the USN number of each object by 100000 per day
11. Restart the domain controller in normal mode
12. Replicate between the domain controllers
13. Check for the deleted object on both domain controllers.
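The parts of Tasks 2 and 3 that happen outside DSRM (recording what the OU held, forcing replication, and checking both DCs afterwards) are easy to script, and the step 10 effect can be observed directly in the replication metadata. The following added example (not part of the lab text) assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and the DC names from Lab 11; the DSRM, restore and ntdsutil steps are shown as comments in the order the lab runs them. On Windows Server 2003 the reboot into DSRM is done with F8 rather than bcdedit.

```powershell
# Added example for Lab 12 Tasks 2 and 3 (not part of the lab text).
Import-Module ActiveDirectory

$ouDn = 'OU=training,DC=wipro,DC=com'
$dcs  = 'server1.wipro.com', 'server2.wipro.com'

# Before step 2: record every object under the OU so the restore can be checked.
$before = Get-ADObject -Filter * -SearchBase $ouDn -Server $dcs[0] |
          Select-Object -ExpandProperty DistinguishedName
"$($before.Count) objects under $ouDn before deletion"

# Steps 3-9 happen on the console of the DC being restored:
#   bcdedit /set safeboot dsrepair ; shutdown /r /t 0          # step 3 (Windows Server 2008+)
#   restore the System State with ntbackup (2003) or wbadmin (2008+), do not reboot
#   ntdsutil "authoritative restore" "restore subtree OU=training,DC=wipro,DC=com" quit quit   # steps 6-9 (Task 3 only)
#   bcdedit /deletevalue safeboot ; shutdown /r /t 0           # step 11

# Step 12: push the restored partition to every partner, then compare both DCs.
repadmin /syncall /AdeP
foreach ($dc in $dcs) {
    $now = @(Get-ADObject -Filter * -SearchBase $ouDn -Server $dc -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty DistinguishedName)
    $missing = @($before | Where-Object { $_ -notin $now })
    "{0}: {1} objects present, {2} still missing" -f $dc, $now.Count, $missing.Count
}

# Step 10, made visible: an authoritative restore raises the version number of
# every attribute of the restored objects so that the restored copy wins
# replication against the deletion. Compare the highest versions on the OU.
Get-ADReplicationAttributeMetadata -Object $ouDn -Server $dcs[0] |
    Sort-Object Version -Descending |
    Select-Object -First 5 AttributeName, Version, LastOriginatingChangeTime
```

The difference between the two tasks is step 7 to 9 only: without the authoritative restore (Task 2) the restored DC replicates in the deletion again from its partner as soon as it starts in normal mode, which is why a single-DC domain is the only case where Task 2's non-authoritative restore alone brings the OU back. Where the forest has the Active Directory Recycle Bin enabled (Windows Server 2008 R2 and later), deleted objects can instead be recovered online with Get-ADObject -IncludeDeletedObjects and Restore-ADObject, restoring the OU first and then its former children.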

Task 4: Defragmenting and moving the Active Directory database

Description: Do an offline defragmentation of the Active Directory database and move
the database back to its original location using ntdsutil

Steps:

1. Take the backup of the System State data on the domain controller
2. Restart the domain controller in DSRM mode
3. Open a command prompt and type ntdsutil
4. Type files to enter file maintenance
5. Type compact to d:\test to do the offline defragmentation
6. Type move DB to c:\ntds to move the database back to its original location
7. Also try an integrity check of the database
8. Use info to collect the information on the Active Directory database
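Steps 3 to 8 are one ntdsutil session. The following added example (not part of the lab text) runs the same session non-interactively and adds the follow-up that ntdsutil prints after a compact but the lab does not list: swapping the compacted file in and removing the old transaction logs. It assumes Windows Server 2008 or later, where AD DS can be stopped as a service instead of rebooting into DSRM and where ntdsutil needs "activate instance ntds" before its files menu; on Windows Server 2003 boot into DSRM (step 2) and omit that phrase. The working folder d:\test is the lab's; the function name is mine.

```powershell
# Added example for Lab 12 Task 4 (not part of the lab text). Run as an
# administrator on the DC, after the System State backup of step 1.
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $params.'DSA Database file'          # normally C:\Windows\NTDS\ntds.dit
$logDir  = $params.'Database log files path'
$workDir = 'd:\test'                            # step 5 target from the lab

function Get-NtdsSizeMB { [math]::Round((Get-Item $dbFile).Length / 1MB, 1) }
"Database $dbFile is $(Get-NtdsSizeMB) MB, logs in $logDir"

# Step 2 equivalent on Windows Server 2008+: stop AD DS (and the services that
# depend on it) instead of rebooting into DSRM.
Stop-Service NTDS -Force
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Steps 7 and 5: integrity check, then offline defragmentation into d:\test.
# ntdsutil takes its menu commands as arguments, one quoted string per command.
ntdsutil "activate instance ntds" files integrity "compact to $workDir" quit quit

# compact writes a new ntds.dit in $workDir and leaves the original untouched.
# Its printed instructions are to copy the compacted file over the original
# and delete the old log files. Keep a copy of the original first.
Copy-Item $dbFile "$dbFile.before-compact"
Copy-Item (Join-Path $workDir 'ntds.dit') $dbFile -Force
Remove-Item (Join-Path $logDir '*.log')

# Step 6, if the database was relocated rather than compacted in place:
#   ntdsutil "activate instance ntds" files "move DB to c:\ntds" quit quit

# Step 8: verify the swapped-in file and show database information, then
# start AD DS again.
ntdsutil "activate instance ntds" files integrity info quit quit
Start-Service NTDS
"Database is now $(Get-NtdsSizeMB) MB"
```

The size comparison before and after is the only visible result of an offline defragmentation; online defragmentation, which runs automatically with garbage collection, reclaims space inside the file but never shrinks it, so the file only gets smaller through this procedure. If the second integrity check fails, put the .before-compact copy back before starting the service.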
