Exercises 6424

Upload: hackmaf

Post on 07-Apr-2018


  • 8/6/2019 Ejercicios 6424

    1/34

    Exercise 1: Planning Active Directory Server Role Implementations

    Task 1: Review the four scenarios and determine which of the Active Directory server roles will assist in providing the required solution

    Scenario Number Answer

    Scenario 1 Active Directory Federation Service (AD FS)

    Scenario 2 Active Directory Rights Management Service (AD RMS)

    Scenario 3 Active Directory Certificate Services (AD CS)

    Scenario 4 Active Directory Lightweight Directory Services (AD LDS)

    Task 2: Determine the location where each of the server roles would be placed

    Scenario Number Answer

    Scenario 1 Place an AD FS server at each location.

    Scenario 2 Place an AD RMS Server inside the corporate network.

    Scenario 3 Place an AD CS Server inside the corporate network.

    Scenario 4 Place an AD LDS server in the perimeter network.

    Results: At the end of this exercise, you will have practiced decision making about Active Directory server roles and placement.

    Exercise 1: Examining the AD DS Logical Components

    Task 1: Start the virtual machines, and then log on

    1. On your host machine, click the 6424A Lab Launcher shortcut on the desktop. The Lab Launcher starts.

    2. In the Lab Launcher, next to 6424A-NYC-DC1, click Launch.

    3. In the Lab Launcher, next to 6424A-NYC-CL1, click Launch.

    4. In the Lab Launcher, next to 6424A-LON-DC1, click Launch.

    5. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

    6. Log on to NYC-CL1 as WOODGROVEBANK\Tamer with the password Pa$$w0rd.

    7. Log on to LON-DC1 as EMEA\Administrator with the password Pa$$w0rd.

    8. Minimize the Lab Launcher window.

    Task 2: Open Active Directory Users and Computers to examine the logical components of Woodgrove Bank AD DS

    1. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers.

    2. In the console tree pane, click Active Directory Users and Computers [NYC-DC1.WoodgroveBank.com]. What domain are you administering?

    Answer

    WoodgroveBank.com.


    3. Click WoodgroveBank.com. In the details pane, click Type to sort the view by type. What are the three types of object listed under the domain? How can you tell the difference?

    Answer

    There is one builtinDomain object called Builtin; container objects such as the Computers or Users container; and organizational unit objects such as Miami, Domain Controllers, and Executives. The builtinDomain object and Container objects have different icons than organizational unit (OU) objects.

    4. Expand the NYC organizational unit, and then click BranchManagers. What design was used to create the OU structure at WoodgroveBank.com?

    Answer

    Inside each city OU, the users are grouped by Department.

    5. Right-click BranchManagers, and click Properties. Review the configuration options that you can configure for an OU, and then click OK.

    6. In the details pane, click NYC_BranchManagersGG, and then click Properties. What is the group type and scope?

    Answer

    The group type is Security, and the group scope is Global.

    7. Select the Members and Member of tabs, review the information, and then click OK.

    8. Double-click Doris Krieger, review the configuration options for a user account, and then click OK.

    9. In the console tree pane, click Computers. In the details pane, double-click NYC-CL1, review the configuration options for a computer account, and then click OK.

    10. Leave Active Directory Users and Computers open.

    Task 3: Open Active Directory Domains and Trusts to examine the logical components of Woodgrove Bank AD DS

    1. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Domains and Trusts.

    2. In the console tree pane, expand WoodgroveBank.com. What domains are listed as child domains?

    Answer

    EMEA.WoodgroveBank.com, Asia.WoodgroveBank.com.

    3. Right-click WoodgroveBank.com, click Properties, and then click the Trusts tab. What type of trust is created between WoodgroveBank.com and EMEA.WoodgroveBank.com? Click OK.

    Answer

    A child trust.

    4. Right-click EMEA.WoodgroveBank.com, and click Properties. Click the Trusts tab. What type of trust is created between EMEA.WoodgroveBank.com and WoodgroveBank.com?

    Answer

    A parent trust.

    5. Click OK twice, and then close Active Directory Domains and Trusts.

    Task 4: In Active Directory Users and Computers, change the domain that you are administering

    1. In Active Directory Users and Computers, right-click WoodgroveBank.com, and click Change domain.

    2. In the Change Domain dialog box, type EMEA.WoodgroveBank.com, and then click OK.

    3. Verify that you can connect to the EMEA.WoodgroveBank.com domain. Why can you connect to the domain without providing authentication credentials?

    Answer

    You are logged on to the WoodgroveBank.com domain using the Administrator account from the forest root domain. This account has permissions in all of the forest's domains.

    4. Right-click EMEA.WoodgroveBank.com, and then click Change domain controller.

    5. In the Change Directory Controller dialog box, click the first line in the Name column, type NYC-DC1.WoodgroveBank.com, press ENTER, and then click OK. Click Yes.

    6. Verify that you can connect to the NYC-DC1.WoodgroveBank.com domain controller. What domain is displayed in Active Directory Users and Computers?

    Answer

    You are logged on to the WoodgroveBank.com domain.

    7. Close Active Directory Users and Computers.

    Results: At the end of this exercise, you will have explored the WoodgroveBank.com AD DS environment by using the AD DS management tools.

    Exercise 1: Configuring AD LDS Instances and Application Partitions

    Task 1: Start the virtual machines, and then log on

    1. On your host machine, click the 6424A Lab Launcher shortcut on the desktop. The Lab Launcher starts.

    2. In the Lab Launcher, next to 6424A-NYC-DC1, click Launch.

    3. In the Lab Launcher, next to 6424A-NYC-SVR1, click Launch.

    4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

    5. Log on to NYC-SVR1 as Administrator with the password Pa$$w0rd.

    6. Minimize the Lab Launcher window.

    Task 2: Use Server Manager to add the AD LDS role to the server

    1. On NYC-SVR1, open Server Manager if it is not open already.

    2. From the Action menu, click Add Roles.

    3. In the Before You Begin window, click Next.

    4. Select the Active Directory Lightweight Directory Services check box, and then click Next.

    5. Click Next, click Install, and then click Close.

    Task 3: Use the AD LDS Wizard to create an AD LDS instance named Woodgrove

    1. On NYC-SVR1, in Server Manager, expand the Roles node in the Server Manager tree, and then click Active Directory Lightweight Directory Services.

    2. In the content pane, under the Advanced Tools section, click AD LDS Setup Wizard.


    3. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.

    4. On the Setup Options page, click A unique instance, and click Next.

    5. On the Instance Name page, in the Instance Name box, type Woodgrove, and then click Next.

    6. On the Ports page, change the LDAP port number to 6389 and the SSL port number to 6636, and then click Next.

    7. On the Application Directory Partition page, click Yes, create an application directory partition.

    8. In the Partition Name box, type CN=Partition1,DC=Woodgrove and then click Next.

    9. On the File Locations page, accept the default data file locations, and then click Next.

    10. On the Service Account Selection page, click Network service account, and then click Next.

    11. On the AD LDS Administrators page, ensure that Currently logged on user is selected, and then click Next.

    12. On the Importing LDIF Files page, select the MS-User.LDF check box, and then click Next.

    13. On the Ready to Install page, review the selections, and then click Next.

    14. After the installation completes, click Finish to close the wizard.

    Task 4: Use LDP to create an application partition

    1. On NYC-SVR1, in Server Manager, expand the Roles node in the Server Manager tree, and then click Active Directory Lightweight Directory Services.

    2. In the content pane, in the Advanced Tools section, click on Ldp.exe.

    3. In LDP, on the Connection menu, click Connect.

    4. In the Connect dialog box, in the Server field, type NYC-SVR1, change the port number to 6389, and then click OK.

    5. On the Connection menu, click Bind.

    6. Ensure that Bind as currently logged on user is selected, and then click OK.

    7. On the Browse menu, click Add child.

    8. In the DN field, type CN=Partition2,dc=Woodgrove.

    9. Under Edit entry, type ObjectClass in the Attribute field and container in the Values field, and then click Enter.

    10. Under Edit entry, type instanceType in the Attribute field and 5 in the Values field, and then click Enter.

    11. Click Run.

    12. If the new application directory partition is added successfully, the following information appears in the details pane:

    Added {CN=Partition2,DC=Woodgrove}

    13. Click Close.

    14. On the Connection menu, click Exit.

    Results: At the end of this exercise, you will have configured an AD LDS instance and an application partition.


    Exercise 1: Requesting Certificates Using Web Enrollment

    Task 1: Start the virtual machines, and then log on

    1. Click the 6424A Lab Launcher shortcut on your desktop. The Lab Launcher starts.

    2. In the Lab Launcher, next to 6424A-NYC-DC1, click Launch.

    3. In the Lab Launcher, next to 6424A-NYC-SVR1, click Launch.

    4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

    5. Log on to NYC-SVR1 as Administrator with the password Pa$$w0rd.

    6. Minimize the Lab Launcher window.

    Task 2: On NYC-SVR1, request a new user certificate from NYC-DC1

    1. On NYC-SVR1, click Start, click All Programs, and then click Internet Explorer.

    2. In the address bar in Microsoft Internet Explorer, type: https://NYC-DC1.WoodgroveBank.com/CertSrv, and then click Go.

    3. When prompted for authentication, log on as Woodgrovebank\administrator using the password Pa$$w0rd.

    4. On the Welcome page, click Request a Certificate.

    5. On the Request a Certificate page, click User Certificate, and then click Submit.

    6. On the Web Access Confirmation dialog box, click Yes to generate the certificate.

    7. Once the certificate is generated, click Install this certificate.

    8. On the Web Access Confirmation dialog box, click Yes to allow the certificate's installation.

    9. Close Internet Explorer.

    Task 3: Using the Certificates snap-in, verify that the user certificate was installed successfully

    1. On NYC-SVR1, click Start, and then click Run.

    2. In the Run dialog box, type mmc.exe, and then click OK.

    3. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.

    4. In the Available snap-ins field, click Certificates, and then click Add.

    5. In the Certificates Snap-in Wizard, ensure that My user account is selected, and then click Finish.

    6. In the Add or Remove Snap-ins dialog box, click OK.

    7. In the console on the certificates node tree, expand Certificates - Current User, expand Personal, and then click the Certificates node.

    8. In the content pane, double-click the user certificate generated for Administrator.

    9. Click OK to close the certificate.

    10. Click File, and then click Exit.

    11. When asked if you would like to save console settings, click No.

    Task 4: Use the Certification Authority Console to verify the certificate's creation

    1. On NYC-DC1, click Start, click Administrative Tools, and then click Certification Authority.


    2. Expand WoodgroveBank-NYC-DC1-CA, and in the Certification Authority tree, click Issued Certificates.

    3. In the content pane, double-click the user certificate generated for Administrator.

    4. Verify that the dates for which the certificate is valid match the certificate that was installed on NYC-SVR1, and then click OK.

    5. Close the Certification Authority management console.

    Results: At the end of this exercise, you will have requested a certificate using Web enrollment.

    Exercise 1: Verifying AD RMS Functionality

    Task 1: Start the virtual machines, and then log on

    1. On your host machine, click the 6424A Lab Launcher shortcut on the desktop. The Lab Launcher starts.

    2. In the Lab Launcher, next to 6424A-NYC-DC1, click Launch.

    3. In the Lab Launcher, next to 6424A-NYC-SVR1, click Launch.

    4. In the Lab Launcher, next to 6424A-NYC-CL1, click Launch.

    5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.

    6. Log on to NYC-SVR1 as Administrator with the password Pa$$w0rd.

    7. Minimize the Lab Launcher window.

    Task 2: Open Active Directory Users and Computers, and assign e-mail addresses for Dana Birkby, Manish Gupta, Bjarne Riis, and the NYC_MarketingGG global group

    1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

    2. In Active Directory Users and Computers, expand WoodgroveBank.com, expand NYC, and click Marketing. Right-click Dana Birkby, and then click Properties.

    3. On the General tab, in the E-mail text box, type [email protected], and then click OK.

    4. Right-click Manish Chopra, and click Properties. On the General tab, in the Manish properties, in the E-mail text box, type [email protected], and then click OK.

    5. Right-click Bjarne Riis, and click Properties.

    6. On the General tab, in the E-mail text box, type [email protected], and then click OK.

    7. Right-click NYC-MarketingGG, and click Properties.

    8. On the General tab, in the NYC_MarketingGG properties, in the E-mail text box, type [email protected], and then click OK.

    9. Close Active Directory Users and Computers.

    Task 3: Log on as Dana and create and protect a Word document

    1. Log on to 6424A-NYC-CL1 as Dana, using the password Pa$$w0rd.

    2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.


    3. In the User Name dialog box, click OK.

    4. In the Welcome to the 2007 Microsoft Office system dialog box, clear all check boxes, and click Next.

    5. In the Sign Up for Microsoft Update dialog box, click I don't want to use Microsoft Update, and click Finish.

    6. In Word, type This is a protected document.

    7. Click Save, and in the Save As dialog box, browse to C:\Users\Public\Public Documents. Type Confidential as the File name, and click Save.

    8. Click the Review tab, click Protect Document, and then click Restricted Access.

    9. When prompted, log on as Woodgrovebank\Dana using the password Pa$$w0rd.

    10. In the Permission dialog box, select the Restrict permission to this document check box.

    11. Next to the Read textbox, click the Give all users Read access button.

    12. In the Change field, type [email protected].

    13. Click More Options.

    14. In the Permission dialog box, click Everyone, select the Print content check box, and then click OK.

    15. Click the Office button in the top left corner, and then click Save.

    16. Close Microsoft Office Word.

    17. Log off from NYC-CL1.

    Task 4: Log on as Manish and ensure that the Word document has restrictions assigned

    1. Log on to 6424A-NYC-CL1 as Manish using the password Pa$$w0rd.

    2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.

    3. In the User Name dialog box, click OK.

    4. In the Welcome to the 2007 Microsoft Office system dialog box, clear all check boxes, and click Next.

    5. In the Sign Up for Microsoft Update dialog box, click I don't want to use Microsoft Update, and click Finish.

    6. Click the Office button in the top left corner, and then click Open.

    7. Locate the document at C:\Users\Public\Public Documents\Confidential, click the document name, and then click Open.

    8. When prompted, log on as WoodgroveBank\Manish using a password of Pa$$w0rd.

    9. In the Microsoft Office dialog box, click OK.

    10. Click the View Permission button in the Information bar.

    11. In the My Permission window, verify that the user you are logged in as has permissions to View, Edit, Copy, Print, and Save this document, and then click OK.

    12. Close Word.

    13. Log off from NYC-CL1.

    Task 5: Log on as Bjarne and ensure that the Word document has restrictions assigned


    1. Log on to 6424A-NYC-CL1 as Bjarne using the password Pa$$w0rd.

    2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.

    3. In the User Name dialog box, click OK.

    4. In the Welcome to the 2007 Microsoft Office system dialog box, clear all check boxes, and click Next.

    5. In the Sign Up for Microsoft Update dialog box, click I don't want to use Microsoft Update, and click Finish.

    6. Click the Office button in the top left corner, and then click Open.

    7. Locate the document at C:\Users\Public\Public Documents\Confidential, click the document name, and then click Open.

    8. When prompted, log on as WoodgroveBank\Bjarne using a password of Pa$$w0rd.

    9. In the Microsoft Office dialog box, click OK.

    10. Click the View Permission button in the Information bar.

    11. In the My Permission window, verify that the user you are logged in as has permissions to View and Print this document, and then click OK.

    12. Close Word.

    13. Log off from NYC-CL1.

    Results: At the end of this exercise, you will have configured three user accounts with e-mail addresses and used one of the accounts to protect a document that is stored on a shared folder. You also will have verified that the restrictions that you applied to the document were enforced.

    Exercise 1: Implementing the AD FS Components (Discussion)

    Task 1: Identify each organization in the diagram

    The organization on the left is Woodgrove Bank. The organization on the right is Northwind Traders. In this scenario, Woodgrove Bank is the account partner, and Northwind Traders is the resource partner.

    Task 2: Identify the following components on the network diagram (see answer labels in the diagram above):


    Task 3: Modify Kerim Hanif's user account properties

    1. On NYC-DC1, in Active Directory Users and Computers, in the ITAdmins organizational unit, right-click Kerim Hanif, and then click Properties.

    2. Modify the user properties as follows:

    a. On the General tab, type the following information in the boxes:

    Telephone number: 204-555-0100

    Office: Downtown

    E-mail: [email protected]

    b. On the Dial-in tab, set Network Access Permission to Allow access.

    c. On the Account tab, click Logon Hours. Configure logon hours to be permitted between 8:00 A.M. and 5:00 P.M.

    d. On the Member of tab, click Add.

    e. In the Select Groups dialog box, type ITAdmins_WoodgroveGG, and then click OK.

    3. In the Kerim Hanif Properties dialog box, click OK.

    Task 4: Create a template for the New York Customer Service department

    1. On NYC-DC1, in Active Directory Users and Computers, expand the NYC OU, and then expand the CustomerService OU.

    2. In the CustomerService OU, create and configure a user account with the property settings in the following table:

    Property Value

    First name CustomerService

    Last name Template

    Full name CustomerService Template

    User logon name _CustomerServiceTemplate

    Password Pa$$w0rd

    Disable the account

    Description Customer Service Representative

    Office New York Main Office

    Member Of NYC_CustomerServiceGG

    Department Customer Service


    Logon Hours 6:00 A.M. - 6:00 P.M. Monday to Friday

    3. Click OK.

    Task 5: Create a new user account based on the customer service template created previously

    1. On NYC-DC1, in Active Directory Users and Computers, click the CustomerService OU under the NYC OU.

    2. Right-click the CustomerService Template user, and then click Copy.

    3. In the Copy Object - User dialog box, enter the following:

    First Name: Sunil

    Last Name: Koduri

    User Logon Name: Sunil

    4. Click Next .

    5. In the Password and Confirm Password boxes, type Pa$$w0rd.

    6. Click Next, and then click Finish.

    7. Right-click Sunil Koduri, and then click Enable Account. Click OK.

    8. Open the Properties dialog box for Sunil Koduri's account, and verify that the group membership and logon hours are correct. Review the settings on the General and Organization tabs.

    9. Question: What values did not transfer from the template?

    Answer

    The Description and Office attributes.

    Task 6: Modify the user account properties for all New York-based customer-service representatives

    1. On NYC-DC1, in Active Directory Users and Computers, click the CustomerService OU under the NYC OU.

    2. Select the top user in the details pane, press SHIFT, and click the last user in the details pane.

    3. Hold CTRL, and click NYC_CustomerServiceGG.

    4. Right-click the highlighted user accounts, and then click Properties.

    5. On the General tab, select the appropriate check boxes, and fill in the following information:

    Description: Customer Service Representative

    Office: New York Main Office

    6. On the Organization tab, change the department attribute to Customer Service, and then click OK.

    7. Double-click Eli Bowen, and confirm that the Description, Office, and Department attributes have been updated. Click OK.

    Task 7: Modify the user account properties for all Branch Managers

    1. On NYC-DC1, in Active Directory Users and Computers, right-click WoodgroveBank.com, and then click Find.

    2. In the Find Users, Contacts, and Groups dialog box, click the Advanced tab.


    3. Click Field, point to User, and then click Job Title.

    4. In the Condition box, select Is (exactly), and in the Value box, type Branch Manager.

    5. Click Add, and then click Find Now.

    6. Select all of the user accounts in the Search Results, right-click the highlighted user accounts, and click Add to a group.

    7. In the Select Groups dialog box, type BranchManagersGG, and then click OK twice.

    8. Close the Search dialog box.

    Task 8: Create a saved query to find all investment users

    1. In Active Directory Users and Computers, right-click the Saved Queries folder, point to New, and then click Query.

    2. In the New Query dialog box, type Find_Investment_Users in the Name field.

    3. Click Define Query.

    4. In the Find box, click the drop-down arrow, and select Users, Contacts and Groups.

    5. In the Find Users, Contacts and Groups dialog box, click the Advanced tab.

    6. In the Field list, select User Department.

    7. Ensure that the Condition box has the Starts with option selected.

    8. In the Value box, type Investments.

    9. Click Add, and then click OK twice.

    10. Under Saved Queries, click Find_Investment_Users.

    11. The query should display all the users in the Investment departments in each city.

    Results: At the end of this exercise, you will have created and configured user accounts; created a template and a user account based on the template; and created a saved query and verified its ability to return expected search results.
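
    The two Find conditions from Tasks 7 and 8, written as LDAP filters and run with dsquery from the Command Prompt on NYC-DC1. This is an added example, not part of the original lab; restricting both searches to user objects is this example's choice.

```bat
@echo off
rem Added example, not part of the original lab. Run on NYC-DC1 in the
rem WoodgroveBank.com domain; read access to the directory is enough.
setlocal

rem Restrict both searches to user accounts. This is the example's choice:
rem the Find dialog in Task 8 searches Users, Contacts and Groups.
set "USERS=(objectCategory=person)(objectClass=user)"

rem Task 7: Job Title "Is (exactly)" Branch Manager is an equality match
rem on the title attribute.
echo --- Job Title is exactly "Branch Manager" ---
dsquery * domainroot -filter "(&%USERS%(title=Branch Manager))" -attr name title -limit 0

rem Task 8: Department "Starts with" Investments is a prefix match on the
rem department attribute. The trailing * is the LDAP wildcard, so any
rem department value that begins with "Investments" is returned.
echo --- Department starts with "Investments" ---
dsquery * domainroot -filter "(&%USERS%(department=Investments*))" -attr name department -limit 0

rem -limit 0 lifts dsquery's default cap of 100 results, so a large
rem department is not silently truncated in the output.
endlocal
```

    Printing the matched attribute next to each name makes it easy to confirm that the prefix match in the second query returned only the departments that were intended.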

    Exercise 1: Creating AD DS Groups

    Task 1: Start the virtual machines, and then log on

    1. On your host machine, click the 6424A Lab Launcher shortcut on the desktop. The Lab Launcher starts.

    2.3.4.5.

    Task 2: Create three new groups

    1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

    2. Expand WoodgroveBank.com, right-click Users, point to New, and then click Group.

    3. In the New Object - Group dialog box, add the following information into the appropriate fields:


    Group Name: Van_BranchManagersGG

    Scope: Global

    Type: Security

    4. Click OK .

    5. Repeat steps two and three to create two more groups that have the same scope and type named:

    Van_CustomerServiceGG

    Van_InvestmentsGG

    Task 3: Create groups by using the Dsadd command-line tool

    1. On NYC-DC1, click Start, click Command Prompt.

    2. At the command prompt, type the following command:

    Dsadd group cn=Van_MarketingGG,cn=Users,dc=WoodgroveBank,dc=com -samid Van_MarketingGG -secgrp yes -scope g

    3. Press ENTER.

    4. The command line will display either of the following messages.

    a. dsadd failed:

    If you receive this error, type the command from step 3 again.

    b. dsadd succeeded:

    If you receive this message, type exit, and then press ENTER to close the command line window.

    5. In Active Directory Users and Computers, if necessary, click WoodgroveBank.com domain to expand it.

    6. Click Users, and then click Refresh.

    7. Note the presence of the Van_MarketingGG group inside the Users container.

    Task 4: Add members to the new groups

    1. In Active Directory Users and Computers, right-click WoodgroveBank.com, and then click Find.

    2. In the Find Users, Contacts, and Groups dialog box, on the Users, Contacts, and Groups tab, in the Name box, type Neville Burdan.

    3. Click Find Now.

    4. In the Results view, right-click Neville Burdan, and then click Add to a group. Click OK twice.

    5. In the Select Groups dialog box, in the Enter the object names to select box, type Van_BranchManagersGG.

    6. Click OK.

    7. Repeat steps 2 through 6, and move the users found in the following table to their corresponding groups:

    Find Add to group

    Suchitra Mohan Van_BranchManagersGG


    Anton Kirilov Van_CustomerServiceGG

    Shelley Dyck Van_CustomerServiceGG

    Barbara Moreland Van_InvestmentsGG

    Nate Sun Van_InvestmentsGG

    Yvonne McKay Van_MarketingGG

    Monika Buschmann Van_MarketingGG

    Bernard Duerr Van_MarketingGG

    Task 5: Inspect the contents of the Vancouver groups

    1. In Active Directory Users and Computers, click Users.

    2. In the contents view area, right-click Van_BranchManagersGG, and then click Properties.

    3. In the Van_BranchManagersGG Properties dialog box, click the Members tab, and verify that Neville Burdan, and Suchitra Mohan are now members.

    4. Click Cancel to close the Van_BranchManagersGG Properties dialog box.

    5. Close Active Directory Users and Computers.

    Results: At the end of this exercise, you will have created three new groups by using Active Directory Users and Computers, and you will have created one group by using Dsadd. You also will have added users to the groups and inspected the results.
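
    Tasks 2 through 5 of this exercise as one Command Prompt script, using dsadd as in Task 3 together with dsquery, dsmod and dsget. This is an added example, not part of the original lab; it assumes it is run on NYC-DC1 as a domain administrator before any of the four groups exist.

```bat
@echo off
rem Added example, not part of the original lab. Assumes it is run on
rem NYC-DC1 as a domain administrator and that the groups do not exist yet.
setlocal
set "BASE=cn=Users,dc=WoodgroveBank,dc=com"
set "GROUPS=Van_BranchManagersGG Van_CustomerServiceGG Van_InvestmentsGG Van_MarketingGG"

rem Tasks 2 and 3: create the four global security groups in the Users container.
for %%G in (%GROUPS%) do (
    dsadd group "cn=%%G,%BASE%" -samid %%G -secgrp yes -scope g
    if errorlevel 1 echo Could not create %%G
)

rem Task 4: resolve each user by name and add the account to its group.
rem The pairs are the ones listed in the lab's Find / Add to group table.
call :AddMember "Neville Burdan"   Van_BranchManagersGG
call :AddMember "Suchitra Mohan"   Van_BranchManagersGG
call :AddMember "Anton Kirilov"    Van_CustomerServiceGG
call :AddMember "Shelley Dyck"     Van_CustomerServiceGG
call :AddMember "Barbara Moreland" Van_InvestmentsGG
call :AddMember "Nate Sun"         Van_InvestmentsGG
call :AddMember "Yvonne McKay"     Van_MarketingGG
call :AddMember "Monika Buschmann" Van_MarketingGG
call :AddMember "Bernard Duerr"    Van_MarketingGG

rem Task 5: print the membership of every new group for review.
for %%G in (%GROUPS%) do (
    echo === %%G ===
    dsget group "cn=%%G,%BASE%" -members
)
endlocal
goto :eof

:AddMember
rem %~1 is the user's name as typed in the Find dialog, %2 is the group name.
rem dsquery prints the matching distinguished name and dsmod reads it from
rem the pipe as the member to add.
dsquery user domainroot -name "%~1" | dsmod group "cn=%2,%BASE%" -addmbr
if errorlevel 1 echo Could not add %~1 to %2
goto :eof
```

    dsquery matches on the name alone, so if two accounts share a name both are added; the membership listing printed at the end is where an unexpected extra member would show up.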

    Exercise 1: Planning a Shared Folder Implementation (Discussion)

    1. Answer: On their domain controller (or member server), use Windows Explorer to create a folder for each department. Right-click each folder, and set Sharing permissions. Remove the Everyone group, and add the global group for which the shared folder is intended. Give the global groups Contributor status.

    2. Answer: Create a new folder named Company. Assign it a shared permissions level of Read for all Domain Users. Next, add the Branch Managers global group as Contributors. Inside the Company folder, create a folder for: News, Staffing, and Projections.

    3. Answer: You should create a new global group for this project, and a new shared folder that has as its only member, in addition to Administrator, the new global group that you create. You should set their permission level to Contributors.

    Exercise 2: Understanding Active Directory Server Role Integration with AD DS

    Task 1: Determine how the selected Active Directory role integrates with AD DS in each scenario

    Scenario Number Answer


    Scenario 1 AD FS obtains security tokens from the AD DS and enables users to use single sign-on across forest boundaries.

    Scenario 2 AD RMS permits user accounts that AD DS stores to access protected content. AD RMS will read required information from AD DS.

    Scenario 3 AD CS authenticates certificate requests from AD DS to ensure the authenticity of certificate requestors. AD CS also stores certificate details in AD DS for retrieval and use in applications. Lastly, AD CS retrieves certificate policies from AD CS.

    Scenario 4 In this scenario, you can configure AD LDS to pull user information from AD DS for use with the Web application.

    Task 2: Postulate what might happen if the AD DS integration stopped working

    Scenario Number Answer

    Scenario 1 AD FS will not be able to authenticate Web users.

    Scenario 2 AD RMS will not be able to authorize or protect new content.

    Scenario 3 AD CS will not be able to authenticate new certificate requests. AD CS also will not be able to save certificate information to user accounts.

    Scenario 4 AD LDS will not be able to pull new user information. However, the application should continue to operate.

    Result: At the end of this exercise, you will have described how the Active Directory server roles integrate with AD DS and postulated the results of an integration failure.

    Exercise 2: Examining the AD DS Physical Components

    Task 1: Enable Remote Desktop connections on NYC-DC1

    1. On NYC-DC1, click Start, point to Administrative Tools, and then click Server Manager.

    2. In Server Manager, click Configure Remote Desktop.

    3. In the System Properties dialog box, click Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure). What limitation does this selection place on the remote desktop connections?

    Answer

    You will be able to connect only from Windows Vista, Windows Server 2008 or Windows XP SP 2 clients with Remote Desktop Client 6.0 installed.

    4. Click OK, and then click Select Users. Which users have Remote Desktop access by default?

    Answer

    Members of the Administrators group automatically have access to Remote Desktop.

    5. Click OK twice.

    Task 2: Connect to NYC-DC1 using Remote Desktop

    1. On NYC-CL1, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.

    2. In the Remote Desktop Connection dialog box, type NYC-DC1, and then click Connect.

    3. In the Windows Security dialog box, type WoodgroveBank\Administrator as the User name and Pa$$w0rd as the password, and then click OK.

    Task 3: Use Active Directory Users and Computers to examine the domain controllers in the WoodgroveBank.com domain

    1. In the Remote Desktop connection, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

    2. Expand WoodgroveBank.com, click Domain Controllers. How many domain controllers does the domain deploy? What is different about each?

    Answer

    There are three domain controllers. NYC-DC1 is a global catalog server, NYC-DC2 is a global catalog server, and MIA-RODC is a read-only domain controller.

    3. Close Active Directory Users and Computers.

    Task 4: Use Active Directory Sites and Services to examine the domain controllers in the WoodgroveBank.com domain

    1. In the Remote Desktop connection, click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

    2. Expand Sites . How many sites are listed in the forest? What are the site names?

    Answer

    Only one site is listed. The default site is called Default-First-Site-Name.

    3. Expand Default-First-Site-Name, and then click Servers. Verify that the same domain controllers, and those for the EMEA.WoodgroveBank.com and Asia.WoodgroveBank.com, are listed.

    4. Expand Servers, expand NYC-DC1, right-click NTDS Settings, and then click Properties. Verify that NYC-DC1 is configured as global catalog server.

    5. On the Connections tab, examine the replication connections on the domain controller, and then click OK.

    Task 5: Close all virtual machines, and discard undo disks

    1. In the Remote Desktop connection, click Start , and then click Log off .

    2. For each virtual machine that is running, close the Virtual Machine Remote Control window.

    3. In the Close box, select Turn off machine and discard changes . Click OK .

    4. Close the 6424A Lab Launcher.

    Results: At the end of this exercise, you will have examined the AD DS physical properties in the WoodgroveBank.com domain.

    Exercise 2: Configuring AD LDS Access Control

    Task 1: Open ADSIEdit, and connect to the created instance

    1. On NYC-SVR1, in Server Manager, in the Roles node, click Active Directory Lightweight Directory Services.

    2. In the content pane, in the Advanced Tools section, click ADSI Edit .

    3. In the left pane, right-click ADSI Edit , and choose Connect to .

    4. In the Connection Settings dialog box, in the Name field , type WoodgroveApplication .

    5. Under Connection Point, in Select or type a Distinguished Name or Naming Context, type CN=Partition1,dc=Woodgrove.

    6. Under Computer, in Select or type a domain or server, type NYC-SVR1:6389, and then click OK.

    Task 2: Create a container with the distinguished name CN=Security,CN=Partition1,dc=Woodgrove

    1. In the console tree, expand WoodgroveApplication. Right-click CN=Partition1,dc=Woodgrove, click New, and then click Object.

    2. In Select a Class , choose container , and then click Next .

    3. On the next window, in the Value field, type Security , click Next , and then click Finish .

    Task 3: Create User1 in the root of the created application partition

    1. In the console tree of ADSIEdit, right-click CN=Partition1,dc=Woodgrove, click New, and then click Object.

    2. In Select a Class , choose user , and then click Next .

    3. In the Create Object dialog box, in the Value field, type User1 , click Next , and then click Finish.

    4. Click CN=Partition1,dc=woodgrove , right-click CN=User1 , and choose Reset Password .

    5. In the New password and Confirm password fields, type Pa$$w0rd , and then click OK .

    6. Right-click CN=User1 , and then click Properties .

    7. On the Attribute Editor tab, double-click msDS-UserAccountDisabled .

    8. Click Not set , and then click OK twice.

    Task 4: Create Group1 in the Roles container of the application partition and add User1 into Group1

    1. In the console tree, expand CN=Partition1,dc=Woodgrove, right-click CN=Roles, click New, and then click Object.

    2. In Select a Class, choose group, and then click Next.

    3. In the Create Object dialog box, in the Value field, type Group1, click Next, and then click Finish.

    4. Click CN=Partition1,dc=woodgrove , and then double-click CN=Group1 .

    5. In the Properties window, click member , and then click Edit .

    6. Click Add DN .

    7. In the Enter a distinguished name (DN) for an object field, type CN=User1,CN=Partition1,DC=Woodgrove, and then click OK.

    8. Click OK twice.

    Task 5: Use Dsacls to grant Group1 Generic Read permission to the Partition1 partition

    1. Click Start, and then click Command Prompt.

    2. At the command prompt, type:

    Dsacls \\NYC-SVR1:6389\CN=Partition1,dc=Woodgrove /G CN=Group1,CN=Roles,CN=Partition1,DC=Woodgrove:GR

    3. Review the output from the command to verify that Group1 has list object permission to the partition.

    4. Close the command prompt.

    Task 6: Use ADSIEdit to connect to the instance and verify permissions

    1. In ADSIEdit, right-click ADSI Edit in the console tree, and choose Connect to.

    2. In the Connection Settings dialog box, in the Name field, type Partition1.

    3. Under Connection Point, in Select or type a Distinguished Name or Naming Context, type CN=Partition1,dc=Woodgrove.

    4. Under Computer, in Select or type a domain or server, type NYC-SVR1:6389, and then click Advanced.

    5. In the Credentials section, select the Specify Credentials check box.

    6. In the Username field, type CN=User1,CN=Partition1,DC=Woodgrove .

    7. In the Password field, type Pa$$w0rd, select the Simple bind authentication check box, and then click OK.

    8. Verify that User1 has read access to objects in Partition1.

    9. Close ADSI Edit .

    Results: At the end of this exercise, you will have configured user accounts and groups, and configured and tested access control.
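
    The check in Task 6, scripted as an added example (not part of the course lab): it binds as User1 with the same simple bind and reports what the account can read and whether a write is refused. The write probe against the CN=Security container from Task 2 and its 'acl write probe' value are assumptions of this example; if the ACL allows the write, the container's description is changed.

```powershell
# Added example, not course material. Server, port, DNs and password are the lab's.
# AuthType Basic is an LDAP simple bind: on a non-SSL port the DN and password
# cross the network unencrypted, so keep this to the isolated lab network.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server   = 'NYC-SVR1'
$port     = 6389
$baseDn   = 'CN=Partition1,DC=Woodgrove'
$userDn   = 'CN=User1,CN=Partition1,DC=Woodgrove'
$password = 'Pa$$w0rd'   # single quotes so PowerShell does not expand $$
$probeDn  = 'CN=Security,CN=Partition1,DC=Woodgrove'   # assumption: write-probe target

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $server, $port
$cred = New-Object System.Net.NetworkCredential -ArgumentList $userDn, $password
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList `
    $id, $cred, ([System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.ProtocolVersion = 3

try {
    $conn.Bind()
    Write-Output "Bind as $userDn succeeded"

    # Read check: Generic Read on the partition should let User1 enumerate it.
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
        $baseDn, '(objectClass=*)', ([System.DirectoryServices.Protocols.SearchScope]::Subtree), $null
    $found = $conn.SendRequest($search)
    Write-Output ("Readable entries: {0}" -f $found.Entries.Count)
    foreach ($entry in $found.Entries) { Write-Output ("  " + $entry.DistinguishedName) }

    # Write check: a read-only grant should make the directory refuse this change.
    $modify = New-Object System.DirectoryServices.Protocols.ModifyRequest -ArgumentList `
        $probeDn, ([System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace), `
        'description', 'acl write probe'
    try {
        [void]$conn.SendRequest($modify)
        Write-Warning "Write to $probeDn succeeded: User1 holds more than read access"
    }
    catch {
        $ex = $_.Exception.GetBaseException()
        if ($ex -is [System.DirectoryServices.Protocols.DirectoryOperationException]) {
            Write-Output ("Write refused: {0}" -f $ex.Response.ResultCode)
        }
        else { throw }
    }
}
catch {
    # Bad credentials, unreachable instance, or a search the ACL does not permit.
    Write-Warning ("Bind or search failed: {0}" -f $_.Exception.GetBaseException().Message)
}
finally {
    $conn.Dispose()
}
```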

    Exercise 2: Managing Certificate Requests and Revocation

    Task 1: Open IIS Manager to create a certificate request

    1. On NYC-SVR1, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

    2. In IIS Manager, in the Connections pane, click NYC-SVR1(WOODGROVEBANK\administrator) .

    3. In the Content pane, in the IIS section, double-click Server Certificates .

    4. In the Action pane, click Create Certificate Request.

    5. In the Distinguished Name Properties dialog box, type the following information:

    6. Click Next .

    7. For the Cryptographic service provider, accept the defaults, and click Next .

    8. On the File Name page, specify a file name for the certificate request by typing: C:\NYC-SVR1.txt, and click Finish.

    Task 2: Use Web Enrollment to generate the Web server certificate using the certificate request

    1. On NYC-SVR1, open Internet Explorer .

    2. In Internet Explorer, connect to https://NYC-DC1.woodgrovebank.com/CertSrv .

    3. When prompted for authentication, log on as Woodgrovebank\administrator using the password Pa$$w0rd.

    4. On the Welcome page, click Request a Certificate.

    5. On the Request a Certificate page, click advanced certificate request .

    6. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

    7. Click Start, click All Programs, click Accessories, and then click Notepad.

    8. In Notepad, click the File menu, and then click Open.

    9. Browse for the file located at C:\NYC-SVR1.txt , and click Open .

    10. The certificate request should have opened in Notepad. On the Edit menu, click Select All .

    11. All of the text in the file should be highlighted. With it still highlighted, on the Edit menu, click Copy.

    12. On the File menu, click Exit.

    13. In Internet Explorer, right-click the text area labeled Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7), and click Paste.

    14. From the Certificate Template drop-down list, click Web Server , and click Submit .

    15. On the Certificate Issued page, leave DER encoded selected, and click Download Certificate .

    16. When prompted to save the certificate, click Save .

    17. Accept the default save location and file name, and click Save .

    18. In the Confirm Save As dialog box, click Yes .

    19. On the Download complete dialog box, click Close .

    20. Close Internet Explorer.

    Task 3: Install the issued certificate on the Web server and verify the certificate is valid

    1. On NYC-SVR1, (if IIS Manager is not already open) click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

    2. In IIS Manager, in the Connections pane, click NYC-SVR1(WoodgroveBank\administrator) .

    3. In the Content pane, in the IIS section, double-click Server Certificates .

    4. In the Actions pane, click Complete Certificate Request.

    5. In the File name containing the certification authority's response text box, type C:\Users\Administrator.Woodgrovebank\Download\certnew.cer.

    6. In the Friendly name text box, type NYC-SVR1 SSL , and click OK .

    7. In the Connections pane, expand Sites , and click Default Web Site .

    8. In the Actions pane, click Bindings.

    9. In the Site Bindings dialog box, click Add.

    10. From the Type drop-down list, click https , leave the IP address and Port at the default settings.

    11. In the SSL certificate drop-down box, select NYC-SVR1 SSL , and click OK .

    12. Click Close , and close IIS Manager .

    13. Open Internet Explorer.

    14. In the address bar in Internet Explorer, go to https://NYC-SVR1.Woodgrovebank.com .

    15. Ensure that the default IIS 7 Web site appears and that the lock beside the address bar indicates that you have a secure connection.

    16. Close Internet Explorer.

    Task 4: Revoke the NYC-SVR1 certificate using the Certificate Authority snap-in

    1. On NYC-DC1, click Start , click Administrative Tools , and then click Certification Authority .

    2. Expand WoodgroveBank-NYC-DC1-CA, and click the Issued Certificates node in the Certificate Authority tree.

    3. Right-click the last Web Server certificate, point to All Tasks, and then click Revoke Certificate.

    4. From the Reason code list, select Cease of Operation, leave the current date and time selected, and click Yes.

    5. In the Certification Authority tree, click the Revoked Certificates node.

    6. Verify that the Web server certificate is listed in the revoked certificates list.

    7. To ensure that the CRL has been created, right-click the Revoked Certificates tree node, point to All Tasks, and then click Publish.

    8. Ensure that New CRL is selected, and then click OK .

    Task 5: Using Internet Explorer, verify that the Web certificate has been revoked

    1. On NYC-DC1, open Internet Explorer.

    2. In Internet Explorer, go to https://NYC-SVR1.woodgrovebank.com .

    3. You will receive an error message stating that the certificate has been revoked.

    4. Close Internet Explorer.

    Task 6: Close all virtual machines, and discard undo disks

    1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

    2. In the Close box, select Turn off machine and discard changes . Click OK .

    3. Close the 6424A Lab Launcher.

    Results: At the end of this exercise, you will have requested and approved a certificate for a Web server. You also will have revoked the certificate, published the revoked certificate, and verified that the certificate is revoked.
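
    The revocation check from Task 5, as an added example that is not part of the course lab: instead of reading the browser error, it builds the certificate chain with online revocation checking and reports the verdict. The function name Test-CertificateRevocation and the 15-second timeout are assumptions of this example; the file path is the one typed in Task 3.

```powershell
# Added example, not course material.
function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$TimeoutSeconds = 15
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Ask for a revocation check of the end certificate (the Web server certificate).
    $policy = $chain.ChainPolicy
    $policy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $policy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
    $policy.UrlRetrievalTimeout = New-TimeSpan -Seconds $TimeoutSeconds

    $built = $chain.Build($cert)

    # Collapse the per-element status flags into one bit mask.
    [int]$flags = 0
    foreach ($status in $chain.ChainStatus) { $flags = $flags -bor [int]$status.Status }

    $f = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $revoked = [int]($f::Revoked)
    $unknown = [int]($f::RevocationStatusUnknown) -bor [int]($f::OfflineRevocation)

    # An unreachable or missing CRL is reported as Unknown, never as Good.
    if ($flags -band $revoked)     { $verdict = 'Revoked' }
    elseif ($flags -band $unknown) { $verdict = 'Unknown' }
    elseif ($built)                { $verdict = 'Good' }
    else                           { $verdict = 'ChainError' }

    $details = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    $chain.Reset()

    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        SerialNumber = $cert.SerialNumber
        Thumbprint   = $cert.Thumbprint
        Verdict      = $verdict
        Details      = ($details -join '; ')
    }
}

# Path typed in Task 3, step 5.
$issued = 'C:\Users\Administrator.Woodgrovebank\Download\certnew.cer'
if (Test-Path $issued) {
    Test-CertificateRevocation -Path $issued | Format-List
}
```

    Windows reuses a cached CRL until its Next Update time, so a client that fetched the CRL before it was republished in Task 4 can still report Good for a revoked certificate.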

    Exercise 2: Customizing the AD RMS Configuration

    Task 1: Create policy-templates shared folder for AD RMS rights

    1. On NYC-SVR1, click Start , click Computer , and then double-click Local Disk (C:) .

    2. On the File menu, click New, and then click Folder. Type the name ADRMSTemplates, and then press ENTER.

    3. Right-click the ADRMSTemplates folder, and then click Share.

    4. In the File Sharing dialog box, type ADRMSService, and click Add. In the Permission Level column for the ADRMSService account, click Contributor.

    5. In the File Sharing dialog box, type Domain Users , click Add , and then click Share . Click Done .

    Task 2: Open Active Directory Rights Management Console, and create an additional rights-management template called Marketing Projects

    1. On NYC-SVR1, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

    2. In the Active Directory Rights Management Services Administration console, in the Tasks box in the Results pane, click Manage rights policy templates.

    3. To enable exporting of the AD RMS rights policy templates, click Properties in the Actions pane.

    4. Select the Enable export check box. In the Specify templates file location (UNC) box, type \\NYC-SVR1\ADRMSTemplates, and then click OK.

    5. In the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed Rights Policy template wizard.

    6. Click Add .

    7. In the Name box, type Marketing Projects .

    8. In the Description box, type Woodgrove Bank Marketing Department Projects, then click Add, and then click Next.

    9. Click Add. In The e-mail address of a user or group box, type [email protected], and then click OK.

    10. Select the Edit check box to grant the Marketing group edit and save access to any document that is created by using this AD RMS rights-policy template.

    11. Click Add, click Anyone, and then click OK.

    12. Select the View check box to grant the Anyone special group View access to any document that is created using this AD RMS rights-policy template. Then click Next.

    13. Click Expires after the following duration (days) , and then type 14 in the corresponding box.

    14. Click Finish .

    Task 3: Create an exemption to prohibit Manish from accessing AD RMS protected content

    1. In the Active Directory Rights Management Services Administration console, click nyc-svr1.woodgrovebank.com.

    2. In the Results pane, in the Tasks box, click Manage exclusion policies .

    3. In the Results pane, in the User Exclusion box, click Manage AD RMS user exclusion list .

    4. In the Actions pane, click Enable User Exclusion .

    5. In the Actions pane, click Exclude user .

    6. In the User name box, type [email protected] .

    7. Click Finish .

    Task 4: Protect a Word document with the Marketing rights template

    1. Log on to 6424A-NYC-CL1 as Dana using the password Pa$$w0rd .

    2. Click Start, and in the search box, type Regedit, and then press ENTER.

    3. Expand the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM

    4. Click DRM, click Edit, point to New, click Expandable String Value, and then type AdminTemplatePath.

    5. Double-click the AdminTemplatePath registry value, type \\NYC-SVR1\ADRMSTemplates in the Value data box, and then click OK.

    6. Close Registry Editor.

    7. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.

    8. In Word, type This is a protected Marketing document.

    9. Click Save, and in the Save As dialog box, browse to C:\Users\Public\Public Documents. Type MktgConfidential as the File name, and click Save. Click the Review tab, click Protect Document, and then click Marketing Projects.

    10. When prompted, log on as Dana using the password Pa$$w0rd .

    11. In the information bar, click View Permissions .

    12. Verify that the Marketing template is listed and that the permissions match those given to the Marketing group in the previous task, and click OK.

    3. Right-click Trust Policy , and then click Properties .

    4. On the General tab, in Federation Service URI, type urn:federation:northwindtraders/ .

    5. In the Federation Service endpoint URL text box, type https://adfsresource.northwindtraders.com/adfs/ls/.

    6. On the Display Name tab, in Display name for this trust policy field, type NorthwindTraders , and then click OK .

    Task 3: Create a group claim for the claims-aware application

    1. Expand Trust Policy , then expand My Organization .

    2. Right-click Organization Claims , point to New , and then click Organization Claim .

    3. In the Create a New Organization Claim dialog box, in Claim name, type Woodgrove App Claim.

    4. Ensure that Group claim is selected, and then click OK .

    Task 4: Add an AD DS account store

    1. Right-click Account Stores, point to New, and then click Account Store.

    2. On the Welcome to the Add Account Store Wizard page, click Next.

    3. On the Account Store Type page, ensure that Active Directory Domain Services (AD DS) is selected, and then click Next.

    4. On the Enable this Account Store page, ensure that the Enable this account store check box is selected, and then click Next.

    5. On the Completing the Add Account Store Wizard page, click Finish.

    Task 5: Add and configure a claims-aware application

    1. Right-click Applications , point to New , and then click Application .

    2. On the Welcome to the Add Application Wizard page, click Next .

    3. On the Application Type page, click Claims-aware application , and then click Next .

    4. On the Application Details page, in Application display name, type Claims-aware Application.

    5. In Application URL, type https://adfsweb.northwindtraders.com/claimapp/, and then click Next.

    6. On the Accepted Identity Claims page, select the User principal name (UPN) check box, and then click Next.

    7. On the Enable this Application page, ensure that the Enable this application check box is selected, and then click Next.

    8. On the Completing the Add Application Wizard page, click Finish .

    Task 6: Add and configure an account partner

    1. Expand Partner Organizations, right-click Account Partners, point to New, and then click Account Partner.

    2. On the Welcome to the Add Account Partner Wizard page, click Next .

    3. On the Import Policy File page, ensure that No is selected, and then click Next .

    4. On the Account Partner Details page, in Display name , type Woodgrove .

    5. In Federation Service URI, type urn:federation:woodgrove/.

    6. In Federation Service endpoint URL, type https://adfsaccount.woodgrovebank.com/adfs/ls/, and then click Next.

    7. On the Account Partner Verification Certificate page, do the following:

    8. In the Add Certificate dialog box, click Yes .

    9. On the Federation Scenario page, click Federated Web SSO , and then click Next .

    10. On the Account Partner Identity Claims page, select the UPN Claim check box, and then click Next.

    11. On the Accepted UPN Suffixes page, type woodgrovebank.com, click Add, and then click Next.

    12. On the Enable this Account Partner page, ensure that the Enable this account partner check box is selected, and then click Next.

    13. On the Completing the Add Account Partner Wizard page, click Finish.

    Task 7: Create an incoming group claim mapping for the claims-aware application

    1. Click Account Partners, right-click Woodgrove, point to New, and then click Incoming Group Claim Mapping.

    2. In the Create a New Incoming Group Claim Mapping dialog box, in the Incoming group claim name field, type ClaimAppMapping.

    3. In Organization group claim, click Woodgrove App Claim, and then click OK.

    Task 8: Close all virtual machines, and discard undo disks

    1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

    2. In the Close box, select Turn off machine and discard changes . Click OK .

    3. Close the 6424A Lab Launcher.

    Result: At the end of this exercise, you will have configured the AD FS components for the resource partner.

    Exercise 2: Creating and Configuring Computer Accounts

    Task 1: Create a computer account by using Active Directory Users and Computers

    1. On NYC-DC1, in Active Directory Users and Computers, right-click Computers, point to New, and then click Computer.

    2. In the New Object-Computer dialog box, enter Vista1 in the Computer name box.

    3. Under The following user or group can join this computer to a domain , click Change .

    4. In the Select User or Group dialog box, type Doris , click Check Names , and then click OK twice.

    Task 2: Delete a computer account in AD DS

    1. On NYC-DC1, in Active Directory Users and Computers , click Computers .

    2. Right-click NYC-CL1 , and click Delete .

    3. In the Active Directory Users and Computers message, click Yes .


    4. On NYC-CL1, press the right ALT key and DELETE. Click Switch User .

    5. Click Other User , then log on as Axel with the password of Pa$$w0rd .

    6. Press ENTER, read the error message, and then click OK .

    Task 3: Join a computer to an AD DS domain

    1. On NYC-CL1, click Switch User.

    2. Click Other User, then type a user name of NYC-CL1\LocalAdmin and a password of Pa$$w0rd.

    3. Press ENTER, click Start, right-click Computer, and then click Properties.

    4. In the System control panel, click Change settings. In the User Account Control dialog box, click Continue.

    5. On the Computer Name tab, click Change .

    6. In the Computer Name/Domain Changes dialog box, type NYC-CL2 as the computer name.

    7. Under Member of , click Workgroup , and then type WORKGROUP . Click OK .

    8. In the Windows Security dialog box, in the User name box, type Administrator and in the password box, type Pa$$w0rd. Click OK.

    9. In the Computer Name/Domain Changes dialog box, click OK.

    10. In the second Computer Name/Domain Changes dialog box, click OK , and then click Close .

    11. Click Restart now .

    12. After the computer restarts, log in as LocalAdmin with a password of Pa$$w0rd .

    13. Click Start , right-click Computer , and click Properties .

    14. In the System control panel, click Change settings .

    15. In the Windows needs your permission to continue dialog box, click Continue .

    16. On the Computer Name tab, click Change .

    17. In the Computer Name/Domain Changes dialog box, under Member of, click Domain, and then type WoodgroveBank.com. Click OK.

    18. In the Windows Security dialog box, type Administrator as the user name and Pa$$w0rd as the password. Click OK.

    19. In the Computer Name/Domain Changes dialog box, click OK.

    20. In the second Computer Name/Domain Changes dialog box, click OK , and then click Close .

    21. Click Restart now .

    22. On NYC-DC1, in Active Directory Users and Computers , click Computers . Verify that the NYC-CL2 account was added to the container object.

    23. On NYC-CL1, verify that you can log on as WoodgroveBank\Axel with a password of Pa$$w0rd .

    Task 4: Close all virtual machines, and discard undo disks

    1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

    2. In the Close box, select Turn off machine and discard changes . Click OK .

    3. Close the 6424A Lab Launcher.

    Results: At the end of this exercise, you will have created and configured computer accounts, deleted a computer account, and joined a computer to an AD DS domain.

    Exercise 2: Planning an OU Hierarchy (Discussion)

    Discussion questions:

    Question: Which approach to extending the organizational hierarchy of WoodgroveBank.com is most likely to be applied in creating the new subsidiary's resources: Geographic, Organizational, or Functional? Why?

    Answer

    The Geographical approach to naming top level OUs (those that already exist within the domain hierarchy) should be extended in order to keep that logic. Geographic naming and organization is permanent, allows for future expansion, and its name easily identifies its functionality.

    Question: What would be the most logical way to further subdivide the subsidiary's organizational unit: Geographic, Organizational, or Functional?

    Answer

    Four new OUs inside the Vancouver OU that are based on the organization's departments would best support the operations of the new subsidiary. Organizations can use these OUs to handle groupings of similar user, computer, and other AD DS resources, according to their similarities. This also supports the need to delegate administrative roles over those resources, as somebody within each group will be able to respond to most needs in a timely manner.

    Question: What does the pattern of naming second level OUs in other centers suggest for the new Vancouver OU?

    Answer

    The naming convention being applied consistently to upper level OUs across the AD DS recognizes the company's geographic divisions. Second level OUs at each location match the organizational divisions in those locations. Therefore, the new subsidiary should name its second level OUs as: Managers, Customer Support, Marketing, and Investment.

    Question: What would be a simple but effective way of delegating administrative tasks (including adding users and computers to the domain, and changing user properties such as password resets and employee contact details) to certain users within a department?

    Answer

    You can use the Delegation of control wizard to delegate administrative rights at the OU level. Both users and groups can be added to the delegation list. Additionally, you can use a list of rights to customize administrative capabilities.

    Results: At the end of this exercise, you will have discussed and determined how to plan an OU hierarchy.

    Exercise 2: Implementing a Shared Folder Implementation

    Task 1: Start the virtual machines, and then log on

    1. Click the 6424A Lab Launcher shortcut on your desktop. The Lab Launcher starts.

    2. In the Lab Launcher, next to 6424A-NYC-DC1, click Launch .

    3. In the Lab Launcher, next to 6424A-NYC-CL1, click Launch .

    4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd .


    5. Minimize the Lab Launcher window.

    Task 2: Create four new folders by using Windows Explorer

    1. On NYC-DC1, click Start , click Computer , and then double-click Local Disk (C:) .

    2. To create a folder, click File , point to New , and then click Folder .

    3. Name the folder Marketing .

    4. Repeat the previous two steps to create three additional folders named:

    Managers

    Investments

    CustomerService

    Task 3: Set share properties for the folders

    1. In Windows Explorer, with Local Disk (C:) open, right-click the folder named Marketing, and then click Share.

    2. In the File Sharing dialog box, in Choose people on your network to share with, type TOR_MarketingGG.

    3. Click Add. TOR_MarketingGG will appear in the list window underneath the name box.

    4. In the Name column, click TOR_MarketingGG, click the pop-up menu, and then click Contributor.

    5. Click Share and then click Done.

    6. To assign file-sharing properties for each of the other folders that you created in Task 2, repeat the previous five steps by using the groups listed:

    a. TOR_BranchManagersGG (Managers folder)

    b. TOR_InvestmentsGG (Investments folder)

    c. TOR_CustomerServiceGG (CustomerService folder)

    7. Close the Windows Explorer window.

    Task 4: Create another shared folder by using Share and Storage Management MMC

    1. Click Start , click Administrative Tools , and then click Share and Storage Management .

    2. On the Action menu, click Provision Share . The Provision Share Wizard will start.

    3. In the Provision a Shared Folder Wizard , in the Location field, click Browse .

    4. In the Browse For Folder dialog box, click the C$ location. Click Make New Folder, and then type CompanyNews for the name. Press ENTER.

    5. With the CompanyNews folder selected, click OK.

    6. Change no other settings, but click Next all the way through to the Review Settings and Create Share screen. Then click Create.

    7. In the confirmation screen, click Close .

    8. Back in the Share and Storage Management MMC, on the Shares tab, right-click CompanyNews and then click Properties.

    9. In the CompanyNews Properties dialog box, on the Permissions tab, click Share Permissions. Underneath the Group or user names window, click Add.

    10. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select window, type Domain Users, and then click OK.

    11. In the Permissions for CompanyNews dialog box, the Domain Users (Woodgrovebank\Domain Users) now should be listed in the Group or user names window. When you select it, in Permissions for Domain Users, the Read option should be set to Allow.

    12. Repeat steps 9 and 10 to add TOR_BranchManagersGG to the Group or user names window.

    13. Select the TOR_BranchManagersGG name, and in Permissions for Domain Users window, next to Full Control, click the check box under Allow.

    14. Click Everyone , and then click Remove .

    15. Click Apply , and then click OK twice.

    16. In Share and Storage Management MMC, click File , and then click Exit .

    Task 5: Create a new group and shared folder for an interdepartmental project

    1. Click Start , click Administrative Tools , and then click Active Directory Users and Computers .

    2. In Active Directory Users and Computers, expand the WoodgroveBank domain, right-click the Toronto OU, point to New, and then click Group.

    3. In the New Object - Group dialog box, in the Group name field, type TOR_SpecialProjectGG. Under Group scope, select Global. Under Group type, select Security. Click OK.

    4. In Active Directory Users and Computers, expand the Toronto OU, and then click the Marketing OU. Right-click Aidan Delaney, and then click Add to a group.

    5. In the Select Groups dialog box, in the Enter the object names to select window, type TOR_SpecialProjectGG.

    6. Click OK.

    7. Add other members to the TOR_SpecialProjectGG group by following steps 4 and 5 listed earlier. Use the users listed in the following table:

    Look inside Toronto OUs:    Find names:

    Investment                  Aaron Con

    Branch Managers             Sven Buck

    Customer Service            Dorena Paschke

    8. Exit Active Directory Users and Computers , by clicking File , and then Exit .

    9. Click Start, click Computer, and double-click Local drive (C:).

    10. Create a new folder: click File, point to New, and then click Folder. Name it SpecialProjects.

    11. Right-click SpecialProjects, click Share. In the File Sharing window, under Choose people on your network to share with, type TOR_SpecialProjectGG, and then click Add.

    12. In the name column, select TOR_SpecialProjectGG , and in the pop-up menu, click Contributor .

    13. Click Share and then click Done.

    14. Close the Windows Explorer window.


    CN=Partition1,dc=Woodgrove, click New, and then click Object.

    2. In Select a Class, choose user, and then click Next.

    3. In the Create Object dialog box, in the Value field, type User2, click Next, and then click Finish.

    Task 4: Verify replication on NYC-SVR1 using ADSIEdit

    1. On NYC-SVR1, in Server Manager, click Active Directory Lightweight Directory Services, and then click ADSI Edit.

    2. In ADSIEdit, in the console tree, expand WoodgroveApplication, and then click CN=Partition1,dc=Woodgrove.

    3. Verify that CN=User2,CN=Partition1,DC=Woodgrove is present.

    Task 5: Close all virtual machines and discard undo disks

    1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

    2. In the Close box, select Turn off machine and discard changes. Click OK.

    3. Close the 6424A Lab Launcher.

    Results: At the end of this exercise, you will have configured a second replica of an AD LDS application partition, and then verified replication.

    Exercise 3: Creating an OU Hierarchy

    Task 1: Create Organizational Units

    1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

    2. Click WoodgroveBank.com.

    3. On the toolbar, click the New OU button.

    4. In the New Object - Organizational Unit dialog box, type the name Vancouver. Make sure that the Protect container from accidental deletion check box is selected.

    5. Click OK.

    6. Right-click Vancouver OU, point to New, and then click Organizational Unit.

    7. In the New Object - Organizational Unit dialog box, type the name: BranchManagers. Click OK.

    8. Create two more OUs by repeating the last two steps, and name them:

    CustomerService

    Marketing

    Task 2: Create an OU by using the directory service tool Dsadd

    1. On 6424A-NYC-DC1, click Start, and then click Command Prompt.

    2. Enter the following command at the command prompt, and then press ENTER:

    dsadd ou ou=Investments,dc=WoodgroveBank,dc=com -desc "Investment department" -d WoodgroveBank.com -u Administrator -p Pa$$w0rd

    3. In Active Directory Users and Computers, click WoodgroveBank.com, and then click Refresh.


    4. Note the presence of the new Investments OU.

    Task 3: Nest an OU inside another OU

    1. In Active Directory Users and Computers, right-click Investments OU, and then click Move.

    2. In the Move dialog box, select Vancouver OU and then click OK.

    Task 4: Move groups from Exercise 1 into the appropriate OUs

    1. In Active Directory Users and Groups, click Users, and note the groups created in Exercise 1.

    2. Move the following groups into the following Vancouver OUs (see methods later in this section):

    Van_MarketingGG group to Vancouver\Marketing OU

    Van_BranchManagersGG group to Vancouver\BranchManagers OU

    Van_InvestmentsGG group to Vancouver\Investments OU

    Van_CustomerServiceGG group to Vancouver\CustomerService OU

    You may select any of the following methods to move the above groups:

    a. Drag the group into the appropriate Vancouver OU object. When the AD DS warning appears, click OK.

    b. Use Copy and Paste to move the group into the appropriate Vancouver OU:

    i. Right-click the group, and then click Cut.

    ii. Locate and expand the Vancouver OU.

    iii. Right-click the appropriate subordinate OU, and then click Paste.

    iv. When the AD DS warning appears, click OK.

    c. Use the Move command to move the group into the appropriate Vancouver OU:

    i. Right-click the group, and then click Move.

    ii. In the Move object into container dialog box, expand the Vancouver OU.

    iii. Click the appropriate subordinate OU, and then click OK.

    Task 5: Find and move users into Vancouver OUs

    Use Active Directory Users and Computers to find and move the following users into the OUs noted next to their names.

    | Find | Move to Vancouver OU |
    |---|---|
    | Neville Burdan | BranchManagers |
    | Suchitra Mohan | BranchManagers |
    | Anton Kirilov | CustomerService |
    | Shelley Dyck | CustomerService |
    | Barbara Moreland | Investments |
    | Nate Sun | Investments |
    | Yvonne McKay | Marketing |
    | Monika Buschmann | Marketing |
    | Bernard Duerr | Marketing |

    1. Right-click the WoodgroveBank domain, and click Find.

    2. In the Find Users, Contacts, and Groups dialog box, on the Users, Contacts, and Groups tab, in the Name field, type Neville, and then click Find Now.

    3. In the Search results box, right-click Neville Burdan, and then click Move.

    4. In the Move dialog box, expand the WoodgroveBank.com object.

    5. Locate and expand the Vancouver object, click BranchManagers, and then click OK.

    6. Repeat the previous six steps for each name in the chart, and then close the Find Users, Contacts, and Groups dialog box.

    Task 6: Delegate control over an OU

    1. In Active Directory Users and Computers, right-click Vancouver\Marketing OU, and then click Delegate control.

    2. The Delegation of Control Wizard opens. Click Next.

    3. In the Users or Groups screen, click Add.

    4. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Yvonne McKay, and then click OK.

    5. Click Next.

    6. In the Tasks to Delegate screen, keep Delegate the following common tasks selected, and select the boxes next to the following common tasks:

    Create, delete, and manage user accounts

    Reset user passwords and force password change at next logon

    Create, delete and manage groups

    Modify the membership of a group

    7. Click Next.

    8. On the Completing the Delegation of Control Wizard page, click Finish.
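
    To confirm what the Delegation of Control Wizard wrote in Task 6, the explicit ACEs on the Marketing OU can be read back. The following PowerShell is an added example, not part of the course material; the function names are hypothetical, and the trustee pattern assumes Yvonne McKay's logon name is Yvonne, as used in Task 7.

    ```powershell
    # Added example (not from the course): list the ACEs set directly on the
    # delegated OU for one trustee. Run from a domain-joined machine.
    $ouDn    = 'OU=Marketing,OU=Vancouver,DC=WoodgroveBank,DC=com'  # DN built from the lab's OU names
    $trustee = '*\Yvonne'  # assumption: logon name "Yvonne", as used in Task 7

    # Well-known schema and extended-right GUIDs that the four delegated tasks refer to.
    $guidNames = @{
        'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
        'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group (class)'
        'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (attribute)'
        'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
        '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
        '00000000-0000-0000-0000-000000000000' = '(any)'
    }

    # Hypothetical helper: translate a GUID to a readable name, or return it unchanged.
    function Resolve-AdGuid([Guid]$Guid) {
        $key = $Guid.ToString()
        if ($guidNames.ContainsKey($key)) { $guidNames[$key] } else { $key }
    }

    # Hypothetical helper: return the explicit ACEs on an object that match a trustee.
    function Get-DelegatedAce([string]$DistinguishedName, [string]$TrusteePattern) {
        $entry = [ADSI]"LDAP://$DistinguishedName"
        # ($true, $false) = explicit ACEs only; inherited ones come from parent containers.
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
            $true, $false, [System.Security.Principal.NTAccount])
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -like $TrusteePattern) {
                New-Object PSObject -Property @{
                    Trustee   = $r.IdentityReference.Value
                    Type      = $r.AccessControlType
                    Rights    = $r.ActiveDirectoryRights
                    AppliesTo = (Resolve-AdGuid $r.ObjectType)           # class, attribute or right
                    OnObjects = (Resolve-AdGuid $r.InheritedObjectType)  # object class the ACE inherits to
                    Scope     = $r.InheritanceType
                }
            }
        }
    }

    Get-DelegatedAce $ouDn $trustee |
        Sort-Object OnObjects, AppliesTo |
        Format-Table Trustee, Type, Rights, AppliesTo, OnObjects, Scope -AutoSize
    ```

    Each row should map back to one of the four tasks selected in step 6. An Allow entry with broad rights where both AppliesTo and OnObjects show (any) would mean the delegation is wider than intended.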

    Task 7: Test delegated user rights

    1. Log on to NYC-SVR1 using username Yvonne and password Pa$$w0rd.

    2. Click Start, point to Administrative Tools, right-click Server Manager, and click Run as Administrator.

    3. In the User Account Control dialog box, type Administrator as the User name and Pa$$w0rd as the Password. Click OK.

    4. In Server Manager, on the Action menu, click Add Features.


    Results: At the end of this exercise, you will have created OUs by using Active Directory Users and Computers and Dsadd. You also will have delegated and tested administrative permissions.

    Exercise 3: Evaluating the Shared Folder Implementation

    Task 1: Log on to NYC-CL1 as Sven

    Log on to NYC-CL1 as Sven, with password Pa$$w0rd.

    Task 2: Check permissions for Company News

    1. Click Start, and in the Search box, type \\NYC-DC1, and press ENTER. Double-click the CompanyNews folder.

    2. Right-click the open window, click New, and then click Folder. Type News, and press ENTER.

    3. Right-click the Company News open window again, point to New, and then click Text Document. Type Welcome! as the name, and press ENTER.

    4. Drag the Welcome! file, and drop it onto the News folder.

    5. On the Company News navigator bar, click the Back arrow.

    6. Log off Sven's account.

    Results: Sven, a member of the BranchManagersGG, should have ownership of the DropFolder and CompanyNews folders. He should be able to create files and folders in both locations.

    Task 3: Check permissions of the interdepartmental shared folder named Special Projects

    1. On NYC-CL1, log on as Dorena with password Pa$$w0rd.

    2. Click Start, and in the Search box, type \\NYC-DC1, and press ENTER.

    3. Double-click the Special Project folder.

    4. Right-click inside the folder, point to New, and then click Text Document.

    5. On the navigation bar of the Special Project folder, click the back button.

    6. Double-click Company News. Double-click the News folder, and double-click Welcome!

    7. Close all windows, and log off as Dorena.

    Task 4: Close all virtual machines, and discard undo disks

    1. For each virtual machine that is running, close the Virtual Machine Remote Control window.

    2. In the Close box, select Turn off machine and discard changes. Click OK.

    3. Close the 6424A Lab Launcher.