windows server 2003 expert workshop

7/31/2019 Windows Server 2003 Expert Workshop

1/102

Released: 4/16/2003 Microsoft Windows Server 2003 Expert Workshop

Hands-on Lab Exercises

Microsoft Windows Server 2003Expert Workshop



2/102



Table of Contents

TABLE OF CONTENTS......................................................................................................................... 2CLASSROOM LAYOUT......................................................................................................................... 4COMPUTER NAMES AND IP ADDRESSES ........................................................................................ 5LAB 01 INSTALL & CONFIGURING DNS SERVER ......................................................................... 6LAB 02 INSTALLING ACTIVE DIRECTORY...................................................................................... 13LAB 03 INSTALLING ADDITIONAL DOMAIN CONTROLLERS IN EACH DOMAIN .................... 18LAB 04 ELEVATE DOMAIN FUNCTIONAL LEVEL TO WINDOWS 2000 NATIVE MODE ........... 24LAB 05 TESTING THE AFFECTS OF REPLICATING CHANGES TO MULTI-VALUED

ATTRIBUTES ....................................................................................................................................... 27LAB 06 ELEVATE FOREST FUNCTIONALITY TO WINDOWS SERVER 2003 AND TEST MULTI-

VALUE REPLICATION ........................................................................................................................ 30LAB 07 CREATE MULTIPLE SITES ................................................................................................ 33LAB 08 TEST GLOBAL CATALOG FAILURE ................................................................................ 36LAB 09 ENABLE AND TEST UNIVERSAL GROUP CACHING ..................................................... 39LAB 10 RESET DIRECTORY SERVICES RESTORE MODE PASSWORD (OPTIONAL)............. 42LAB 11 CREATE AN INETORGPERSON OBJECT (OPTIONAL).................................................. 44LAB 12 MARK A SCHEMA OBJECT AS DEFUNCT (OPTIONAL) ................................................ 46LAB 13 CREATE AN APPLICATION PARTITION .......................................................................... 49LAB 14 RENAMING OF DOMAIN CONTROLLERS ....................................................................... 53LAB 15 RENAMING DOMAIN NETBIOS NAME (TO BE PERFORMED ON THE LAST DAY AS

AN OPTIONAL LAB) ........................................................................................................................... 56LAB 16 SETUP AND TEST CROSS FOREST TRUSTS ................................................................. 59LAB 17 IIS APPLICATION POOLS.................................................................................................. 65LAB 18 TERMINAL SERVICES (OPTIONAL) ................................................................................. 73LAB 19 REMOTE ASSISTANT (OPTIONAL) .................................................................................. 76LAB 20 CREATE SOFTWARE RESTRICTION POLICY (OPTIONAL)........................................... 80LAB 21 RESULT SET OF POLICY (RSOP) TOOLS (OPTIONAL) ................................................. 82


3/102



LAB 22 RESTORE DEFAULT GPOS (OPTIONAL) ....................................................................... 84LAB 23 - USING VOLUME SHADOW COPY SERVICE TO RECOVER FILES ................................ 86LAB 24 EFS ...................................................................................................................................... 90LAB 25 COMMAND LINE TOOLS (OPTIONAL) ........................................................................... 100APPENDIX A...................................................................................................................................... 102


4/102



CLASSROOM LAYOUT

DomainBDomainA DomainC DomainD

DomainFDomainE DomainHDomainG

W2K3.Net

Forest A Forest B

Forest E Forest G

Server01 Server02

Server16Server15Server14Server13Server12Server11Server10Server09

Server08Server07Server06Server05Server04Server03

Instructor

Forest

W2K3

All labs that are not optional must be done. This is to ensure that all labs at the end will function

correctly. Optional labs are at the discretion of the instructor.


5/102



Computer Names and IP AddressesStudent

Number

Computer

Name

IP

Address

Subnet

Mask

DNS

Address

Domain Forest

01 Server01 10.1.1.1 255.255.0.0 10.1.1.1 DomainA.com DomainA.com

Forest

02 Server02 10.1.1.2 255.255.0.0 10.1.1.1 DomainA.com DomainA.com

Forest

03 Server03 10.1.2.3 255.255.0.0 10.1.2.3 DomainB.com DomainA.com

Forest

04 Server04 10.1.2.4 255.255.0.0 10.1.2.3 DomainB.com DomainA.com

Forest

05 Server05 10.1.1.5 255.255.0.0 10.1.1.5 DomainC.com DomainC.com

Forest

06 Server06 10.1.1.6 255.255.0.0 10.1.1.5 DomainC.com DomainC.com

Forest

07 Server07 10.1.2.7 255.255.0.0 10.1.2.7 DomainD.com DomainC.com

Forest

08 Server08 10.1.2.8 255.255.0.0 10.1.2.7 DomainD.com DomainC.com

Forest

09 Server09 10.1.1.9 255.255.0.0 10.1.1.9 DomainE.com DomainE.com

Forest

10 Server10 10.1.1.10 255.255.0.0 10.1.1.9 DomainE.com DomainE.com

Forest

11 Server11 10.1.2.11 255.255.0.0 10.1.2.11 DomainF.com DomainE.com

Forest

12 Server12 10.1.2.12 255.255.0.0 10.1.2.11 DomainF.com DomainE.com

Forest

13 Server13 10.1.1.13 255.255.0.0 10.1.1.13 DomainG.com DomainG.com

Forest

14 Server14 10.1.1.14 255.255.0.0 10.1.1.13 DomainG.com DomainG.com

Forest

15 Server15 10.1.2.15 255.255.0.0 10.1.2.15 DomainH.com DomainG.com

Forest

16 Server16 10.1.2.16 255.255.0.0 10.1.2.15 DomainH.com DomainG.com

Forest


6/102



Lab 01 Install & Configuring DNS Server

NOTE: This lab must be done before continuing with the rest of the labs.

Prerequisites

Must be familiar with DNS concepts and operations

Objectives

Install DNS Server services

Create Forward and Reverse Lookup Zones

Create and configure Conditional Forwarding

Test DNS by using nslookup command

Lab Setup

A computer running Windows Server 2003 Enterprise Server that is configured as astandalone server.

Static IP Address and subnet mask.

DNS domain name. Refer to the table on page 5 for this information.


7/102



Exercise 1 - Installing the Primary DNS Server Service

Goal

In this exercise, you will configure the DNS domain name of your computer and install DNS.

NOTE: The installation of DNS services will only take place on the following servers: Server1,

Server3, Server5, Server7, Server9, Server11, Server13 and Server15.

Tasks Detailed Steps

1. Start the Windows

Components wizard and

install the DNS

subcomponent of the

Networking Services. Copy

the required files from the

Windows Server 2003

Advanced Server compact

disc.

a. Log on as Administrator with a password ofpassword.

b. By default a screen called Manage Your Server will open.

This screen allows you to add roles to your server and to

manage your server roles.

c. UnderAdding Roles to Your Server, click Add or remove a

Role.

d. On the Preliminary Steps page, click Next.

e. On the Server Role page, select DNS Server and click Next.

f. On the Summary of Selections page, review the summary

and click Next.

DNS will start to install.(Insert Windows Server 2003 CD

when required)

2. Create a Standard Primary

Forward Lookup Zone for

your domain.

a. On the Welcome to the Configure a DNS Server Wizard

page, click Next.

b. On the Select Configuration Action page, select Create

forward and reverse lookup zones (recommended for

large networks) and click Next.

c. On the Forward Lookup Zone page, select Yes, create a

forward lookup zone now (recommended), click Next.

d. On the Zone Type page, select Primary Zone, click Next.

NOTE:SelectOnlyPrimary Zone on the first server in each

domain.

e. On the Zone Name page, enter the zone name for example

domainname.com and click Next.

f. Leave defaults on Zone File page, click Next.

g. On the Dynamic Update page, select Allow both non-

secure and secure dynamic updates, click Next.


8/102



3. Create a Standard Primary

Reverse Lookup Zone for

your Network ID.

a. On the Reverse Lookup Zone page, select Yes, create a

reverse lookup zone now, and click Next.

b. On the Zone Type page, select Primary Zone, click Next.

NOTE:The Primary Zone selection must only be used on the

first server in each domain.

c. On the Reverse Lookup Zone Name page, enter the

Network ID for your zone. For example 10.1.1

d. On the Zone File page leave as default, click Next.

e. On the Dynamic Update page, select Allow both secure

and non-secure dynamic updates, click Next.

4. Create Forwarders to the

instructors server.

1. On the Forwarders page, select Yes, it should forward

queries to DNS servers with the following IP addresses

2. Enter the instructors server IP address in: 10.1.200.1, click

Next.

It will start searching for Root Hints.

3. On the Completing the Configure a DNS Server Wizard,

click Finish.

NOTE: If an error message appears click OK. This message

states that it could not configure the Root Hints. Once completed

open the DNS server, right click the server name and then

select properties. UnderServerX properties select root hints.Ensure that the root hints is available.

4. On the This Server is Now a DNS Server page, click Finish.

5. Enter the Primary DNS Suffix

under the My Computer

properties

a. Click Start Right Click My ComputerProperties

b. Click Computer NameChangeMore

c. In the Primary DNS Suffix of this computer enter your DNS

domain suffix. E.g. DomainX.com

d. Click OK to close all windows and then click Yes to restart

the computer.


9/102



6. Ensure computer can resolve

both forward and reverse

lookups by means of

NSLOOKUP

a. Logon as Administrator with the password of password

b. Click Start Administrative Tools DNS

c. Expand your Server, then expand reverse lookup zones

d. Click on yoursubnet

e. Ensure that a pointer record exist for your computer.

f. If the pointer record does not exist create a pointer record by

right-clicking the subnet New Pointer Record

g. Under the New Resource Record enter the IP address of

the Host computer and enter the Host name under Host

Name.

h. Once completed click OK and close all windows.

i. Open the command prompt. Start Run CMD

j. At the command prompt, type NSLOOKUP

k. You will receive the following:

Default: computername.domainname.com

Address: 10.1.x.x

l. Exit NSLOOKUP by typing exit at the command prompt.

7. Add your partners computer

and IP Address to the Name

Servers

a. Open the DNS console

b. Expand your server and then expand forward lookup zone

c. Right-click your Domain name Properties Name

Servers

d. UnderName Servers, click Add

e. In the Server fully qualified Domain Name (FQDN), type

your partners computer name. E.g. server02.domaina.com

f. Under IP Address, enter your partners IP Address, click

Add, and then OK.

g. Click OK to close the Properties window. Close all otherwindows.

NOTE: DNS servers/services can still be installed using the Add/Remove Windows Components

underAdd/Remove Programs menu.


10/102



Exercise 2 Installing the Secondary DNS Server Services

Goal

During this exercise you will install and configure your Server as a secondary DNS server. Only asecondary forward lookup zone will be created. The reverse lookup zone will be kept on the primary

DNS Server. Thus no secondary reverse lookup zone needs to be created.

NOTE: The installation of DNS services will only take place on the following servers: Server2,

Server4, Server6, Server8, Server10, Server12, Server14 and Server16.


1. Start the Windows

Components wizard and

install the DNS

subcomponent of the

Networking Services. Copy

the required files from the

Windows Server 2003

Advanced Server compact

disc.


b. By default a screen called Manage Your Server will open.This screen allows you to add roles to your server and to

manage your server roles.

c. UnderAdding Roles to Your Server, click Add or remove a

Role.

d. On the Preliminary Steps page, click Next.

e. On the Server Role page, select DNS Server and click Next.

f. On the Summary of Selections page, review the summary

and click Next.

DNS will start to install.(Insert Windows Server 2003 CD

when required)

2. Create a Secondary Forward

Lookup Zone for your

domain.

a. On the Welcome to the Configure a DNS Server Wizard

page, click Next.

b. On the Select Configuration Action page, select Create

forward and reverse lookup zones (recommended for

large networks) and click Next.

c. On the Forward Lookup Zone page, select Yes, create a

forward lookup zone now (recommended), click Next.

d. On the Zone Type page, click to select Secondary zone,

click Next.

e. On the Zone Name page, enter the Zone Name: and click

Next.

f. On the Master DNS Servers page, enter the IP Address of

your partners DNS server, click Add and then click Next.


11/102



g. On the Reverse Lookup Zone page, click No, dont create a

reverse lookup zone now, and click Next.

h. On the Forwarders page, select Yes, it should forward

queries to DNS servers with the following IP addresses

i. Enter the instructors server IP address: 10.1.200.1, click

Next.

It will start searching for Root Hints.

j. On the Completing the Configure a DNS Server Wizard,

click Finish.

NOTE: If an error message appears click OK. This message

states that it could not configure the Root Hints. Once

completed open the DNS server, right click the server name

and then select properties. UnderServerX propertiesselect root hints. Ensure that the root hints is available.

k. On the This Server is Now a DNS Server page, click Finish.

3. Enter the Primary DNS Suffix

under the My Computer

properties

a. Click Start Right Click My ComputerProperties

b. Click Computer NameChangeMore

c. In the Primary DNS Suffix of this computer enter your DNS

domain suffix. E.g. DomainX.com

d. Click OK to close all windows and then click Yes to restart

the computer.

Ask your partner to check to see if your pointer record has registered. If not ask him/her to create a

pointer record.


12/102



Exercise 3 - Configure Conditional Forwarding in DNS

Goal

Students in each domain will be working as a team when setting up and configuring conditionalforwarding between multiple DNS servers.


1. Perform the following tasks

Test name resolution

using NSLOOKUP.

Setup conditional

forwarding betweenpartner forests DNS

zones

Use NSLOOKUP to

verify resolution to

partners forest.

Perform for each forest

and domain in class.

a. Open command prompt and type NSLOOKUP

b. At the prompt type, your partners FQDN in and press ENTER.

c. Open the DNS console, right-click your computer name

Properties and select Forwarders.

d. UnderDNS domain: click New and type in the domain name

of all partner domains in the classroom.

e. UnderSelected domains forwarder IP Address list: enter

the DNS server IP address of your partners domain and click

Add.

f. Use NSLOOKUP to see if you can resolve queries in your

partners domain.

g. Perform this for all domains in the classroom.


13/102



Lab 02 Installing Active Directory

NOTE: This lab is depended on lab 01.

Objectives

After completing this lab, you will be able to install Active Directory by using the Manage Your Server

Wizard.

NOTE: The Manage Your Server is used to familiarise yourself with the new Wizards and tasks that

can be performed. However, you can still promote a server to become a domain controller using the

DCPROMO command.

Prerequisites

Understand the logical components of Active Directory

Understand the purpose and function of Domain Controllers

Lab Setup

A computer running Windows Server 2003 Enterprise Server that is configured as a

standalone server.

Drive C formatted with NTFS

Static IP Address and subnet mask.

A domain name is required. Refer to the table on page 5 for this information.

A forward lookup zone is required that matches your domain name. The forward lookup zone

should have been created in exercise 1 of lab 01.


14/102



Exercise 1 Installing Active Directory

Goal

In this exercise, you will create a Windows 2003 domain by installing Active Directory. This will onlybe done on one computer in each domain. The rest of the servers will be promoted during a different

lab exercise.


1. Start the Active Directory

Installation Wizard to create:

A new domain controller

for a new domain.

A new domain tree.

A new forest of domain

trees

The following steps need to be performed on only these servers:

Server Name Forest Name

Server1 DomainA.Com Forest

Server5 DomainC.Com Forest

Server9 DomainE.Com Forest

Server13 DomainG.Com Forest

NOTE: These servers are the primary servers for each domain

which will be containing all the FSMO roles and the global catalog

service.


b. On the Manage Your Server page, click Add or remove arole.

c. On the Preliminary Steps page, click Next.

d. On the Server Role page, select Domain Controller (Active

Directory), click Next.

e. On the Summary of Selections page, click Next.

f. On the Welcome to the Active Directory Installation

Wizard page, click Next.

g. On the Operating System Compatibility page, review theinformation then click Next.

h. On the Domain Controller Type page, select Domain

Controller for a new domain, click Next.

i. In the Create New Domain page, select Domain in a new

forest, click Next.

j. On the New Domain Name page, enter your domain name in

and then click Next.

k. In the NetBIOS Domain Name page, select the default


15/102



Domain NetBIOS name, click Next.

l. On the Database and Log Folders page, select the default

settings and click Next.

m. On the Shared System Volume page, select the default


n. Review the DNS Registration Diagnostics and click Next.

o. On the Permissions page, leave as default and click Next.

p. On the Directory Services Restore Mode Administrator

Password page, enter the Restore Mode Password:

password and Confirm password: password.

q. Review the summary and click Next.

r. Once completed Restart the Server.

s. Logon as Administrator and Click Finish.

2. Start the Active Directory

Installation Wizard to create:

A new domain controller

for a new domain.

A new domain tree in an

existing forest.

The following steps need to be performed on only these servers:

Server Name Forest Name

Server3 DomainA.Com Forest

Server7 DomainC.Com Forest

Server11 DomainE.Com Forest

Server115 DomainG.Com Forest

NOTE: These servers are the domain controllers for the second

domains within each forest. They will not contain the Global

Catalog service at this point.

a. Log on as Administrator and a password ofpassword.

b. On the Manage Your Server page, click Add or remove a

role.

c. On the Preliminary Steps page, click Next.

d. On the Server Role page, select Domain Controller (ActiveDirectory), click Next.

e. On the Summary of Selections page, click Next.

f. On the Welcome to the Active Directory Installation


g. On the Operating System Compatibility page, review the

information then click Next.

h. On the Domain Controller Type, select Domain controller


16/102



for a new domain, click Next.

i. On the Create New Domain page, select Domain tree in an

existing forest, click Next.

j. On the Network Credentials page, enter the administrator

name and password. Enter the first domain name under

Domain. For example

Username = Administrator

Password = password

Domain = DomainA

k. On the New Domain Tree page, enter the DNS name for the

new domain, click Next.

l. In the NetBIOS Domain Name page, select the default

Domain NetBIOS name, click Next.

m. On the Database and Log Folders page, select the default


n. On the Shared System Volume page, select the default


o. Review the DNS Registration Diagnostics and click Next.

p. On the Permissions page, click Next.

q. On the Directory Services Restore Mode Administrator

Password page, enter the Restore Mode Password:

password and Confirm password: password.

r. Review the summary and click Next.

s. Once completed Restart the Server


17/102



3. Allow everyone the rights to

logon locally onto the domain

controllers and update the

policy.

This only needs to be done from one Domain Controller.

a. Log on as Administrator with a password of password.

b. On the Manage Your Server page, select Manage users

and computers in Active Directory.

c. In the left pane, right click Domain Controllers and select

Properties.

d. Select Group Policy underDomain Controller Properties.

e. Select the Default Domain Controller Policy and Click Edit.

f. Under the Group Policy Object Editor page navigate to

Computer ConfigurationWindows SettingsSecurity

Settings Local PoliciesUser Rights Assignment.

g. Double click Allow log on locally.

h. Under the Allow log on locally window, click Add User or

Group and add the Everyone group.

i. Click OK and close the Group Policy Object Editor window

and the Domain Controller Properties window.

j. Close Mange Users and Computers in Active Directory.

k. From the run command type the following command:gpupdate


18/102



Lab 03 Installing additional domain controllers ineach domain


Objectives

After completing this lab, you will be able to promote a member server to become a second Domain

Controller by using backup media.

Prerequisites

Understanding of how to use replica from media

Understanding of how to promote a server using the replica media

Knowledge on performing a back ups

Active Directory should have been configured in exercise 1 lab 02

Lab Setup

A computer running Windows Server 2003 Enterprise Server that is configured as a

standalone server

Drive C formatted with NTFS

Static IP Address and subnet mask

Connectivity to your partners computer

Sufficient disk space to keep a backup

Access to the Support Tools


19/102



Exercise 1 - Backup Current Domain Controllers

Goal

During this exercise your partner will backup his/her domain controller. Once the backup process hascompleted you will then copy the AD Backup.bkf file to you computer.


1. Backup the current system

state of the domain controller.

This part of the lab only needs to be performed on the students

computer that contains Active Directory.

a. Open Windows Explorer.

b. On the C:\drive create a folder called backup.

c. Once created, share this folder as backup

d. Open Backup. Start All Programs Accessories

System Tools Backup

e. On the Welcome to the Backup or Restore Wizard page,

deselect Always start in wizard mode, click Next.

f. On the Backup or Restore page, select Back up files and

settings, click Next.

g. On the What to Back Up page, select Let me choose what

to back up, click Next.

h. On the Items to Back Up page, expand My Computer on the

left pane and select System State, click Next.

i. On the Backup Type, Destination and Name page, type or

select the following:

Select the backup type: File

Choose a place to save your backup: Browse to

C:\Backup

Type a name for this backup: AD Backup

j. Click Next and then click Finish.

k. The backup process will start.


20/102



2. The following tasks needs to

be performed:

Copy back up file to your

computer.

Create Restore folder

Create Temp folder

These steps only need to be performed on the students

computers who are member servers.

a. Open Windows Explorer.

b. On the C:\drive, create a folder called Temp

c. On the C:\drive, create a folder called Restore.

d. Connect to your partners computer and copy the AD

Backup.bkf file to the Restore directory on your computer.


21/102



Exercise 2 Promoting Member Servers to Domain Controllers

using the Replicate from Media method

Goal

In this exercise the servers without Active Directory will be promoted by means of using the replicate

from media method to become an Active Directory Domain Controller.


1. Restore System state data to

temp directory.

These steps only need to be performed from the member server

computers.

a. Open Backup. Start All Programs Accessories

System Tools Backup

b. On the Welcome to the Backup or Restore Wizard page,

deselect Always start in wizard mode, click Next.

c. On the Backup or Restore page, select Restore files and

settings, click Next.

d. On the What to Restore page, click Browse and browse to

the path c:\restore\Ad Backup.Bkf. Click OK.

e. In the Items to restore pane expand File, expand AD

Backup.Bkf then select System State tick box. Click Next.

f. On the Completing the Restore Wizard page, click

Advanced.

g. On the Where to Restore page, select Restore files to:

Alternative location.

h. In the Alternative Location: Type or Browse to c:\temp, click

Next.

i. On the How to Restore page, select Leave existing files(Recommended), click Next.

j. On the Advanced Restore Options page, accept the

defaults and click Next.

k. On the Completing the Restore Wizard page, click Finish.

2. Promote the server to a

Domain Controller using the

restored data

a. From the Run command type DCPROMO /ADV

b. On the Welcome to the Active Directory Installation



22/102




c. On the Operating System Compatibility page, click Next.

d. On the Domain Controller Type page, select Additional

Domain Controller for an existing domain, click Next.

e. On the Copying Domain Information page, select the From

these restored backup files and then Browse to C:\temp,

click OK, then Next.

f. On the Global Catalog page, select No, click Next.

NOTE: This Domain Controller must NOT become a Global

Catalog server at this point in time.

g. On the Network Credentials page, enter the administrators

username and password and confirm the domain name is

correct, click Next.

h. On the Database and Log Folders page, accept the default

locations by clicking Next.

i. On the Shared System Volume page, accept the default

locations by clicking Next.

j. On the Directory Services Restore Mode Administrator

Password page, in the Password and Confirm password

boxes, type password and then click Next.

k. On the Summary page, review the options you selected, andthen click Next.

l. When the Completing the Active Directory Installation

Wizard page appears, click Finish and then restart your

computer.


23/102



Exercise 3 Install Support Tools

Goal

This exercise needs to be performed on all the servers. The Windows 2003 Advanced server supporttools and utilities needs to be installed for later exercises.


1. Install Windows 2003 Server

Support Tools

a. Open Windows Explorer

b. Select the CD-Rom drive and then double click the Support

folder.

c. Double click the Tools folder.

d. Double click suptool.msi

e. On the Welcome to the Windows Support Tools Setup


f. On the End User License Agreement page, select I Agree

then click Next.

g. On the User Information page, select default values and

click Next.

h. On the Destination Directory page, accept the default

locations and click Install Now.

i. On the Completing the Windows Support Tools Setup

Wizard page, click Finish.


24/102



Lab 04 Elevate Domain functional level toWindows 2000 Native Mode

NOTE: Do not rush through this lab exercise. If you do, you will not be able to go back and

correct your mistake! This lab is depended on lab 02.

Objectives

After completing this lab, you will be able to determine in which mode the domain is in and raise the

Domain functionality.

Prerequisites

Knowledge about the different Active Directory versioning

Knowledge about the different Active Directory functionality levels

Lab Setup

To complete this lab, you require a computer running Windows Server 2003 that is configured as a

Domain Controller.


25/102



Exercise 1

Goal

This exercise consists of the following steps:

1. Use ADSI Edit to determine the current domain mode.

2. Raising the domain functional level to enable additional functionality. This will be required for

later exercises.

3. Use ADSI Edit to verify the change in the functional level.


1. Use ADSI Edit to verify that

nTMixedDomain = 1

This part of the exercise needs to be performed by all the

students.

a. From the Run Command type MMC then click OK.

b. On the Console click FileAdd/Remove Snap-in

c. UnderAdd/Remove Snap-in click Add

d. UnderAdd Standalone Snap-in, select ADSI Edit and click

Add, then close once added.

e. On the Add/Remove Snap-in page, click OK.

f. On ADSI Edit right click and select Connect to

g. Connection Settings window appears, accept default

settings and click OK.

h. Expand Domain.

i. Right click DC=DomainX,DC=com (where X is your domain

number) and select Properties.

j. Scroll down the attributes until you find nTMixedDomain.

Check to see if the value is set to 1.

k. Click OK to close the Properties page.

l. Save the console as ADSI Edit underAdministrative Tools


26/102



2. Raise the Domain

Functionality to Windows

2000 Native

Only one student per domain needs to perform the following task.

a. Open Active Directory Users and Computers.

b. Right click DomainX.com (where X is your domain letter) andselect Raise Domain Functional Level

c. On the Raise Domain Functional Level page, ensure that

Windows 2000 Native is selected and then click Raise.

d. A Message appear stating that: This change affects the

entire domain. After you raise the domain functional level

it cannot be reversed, click OK.

e. A second message appears stating that the Functional level

was raised successfully, click OK.


nTMixedDomain = 0

All students need to perform the following section.

a. Open ADSI Edit console that you saved.

b. Right click DC=DomainX,DC=com (where X is your domain


c. Scroll down the attributes until you find nTMixedDomain.

Check to see if the value is set to 0.

d. Click OK to close the Properties page and Exit the console.


27/102



Lab 05 Testing the affects of replicating changesto multi-valued attributes


Objectives

After completing this lab, you will be able to test the affects of replicating changes to multi-valued

attributes.

Prerequisites

Be familiar with Active Directory Users and Computers

Understand how replication works between domain controllers

Active Directory should have been configured as in exercise 1 lab 02

Lab Setup

To complete this lab, you require computers running Windows Server 2003 that is configured as a

Domain Controllers. Only one computer in each of the forests should be configured as a Global

Catalog server.


28/102



Exercise 1

Goal

In this exercise you will test the effects of replication changes between multi-valued attributes withinan organization. Students will create several user accounts and add two of them to a group. Then

the server with the global catalog will be unplugged and you will then add two more users to the group

from both the domain controllers. Once completed you will plug the network cable back in and see

which of these account successfully replicated across.


1. Create the following in the

User container:

Six user accounts:

User1, User2, User3,

User4, User5, User6

Global Group called

Group1

This part of the exercise can be performed by all students. Each

student needs to create three (3) user accounts and one user will

need to create a global group.

Open Active Directory Users and Computers.

a. Expand the domain name

b. On the User container right click New User

c. On the New Object User page, Fill in the following details

and then click Next

First name: User1

User logon name: User1

User logon name (pre-Windows 2000): User1

d. Enter a password called password and confirm the password

e. Deselect User must change password at next logon, click

Next and then click Finish.

f. Repeat Steps C F until all six (6) users are created.

g. On the User container right click New Group

h. In the Group Name enter Group1 and leave the settings as

default, click OK.

i. Double click the group called group1 and click the Members

Tab.

j. Click Add enter User1; User2 and the click Check Names,

click OK twice.

k. Ensure that the users and group has replicated before

continuing.

Unplug the Network Cable form the machine that contains the Global Catalog.


29/102



2. Perform the following

Add User3 to Group1 on

the first DC.


the second DC.

Perform these steps on the first DC

a. Double click the group called group1 and click the Members

Tab.

b. Click Add, enter User3 and the click Check Names, and click

OK twice.

Perform these steps on the second DC

c. Double click the group called group1 and click the Members

Tab.

NOTE: A message appears stating that a Global Catalog

cannot be located to retrieve the icons for the member list.

Some icons may be shown. Click OK.

d. Click Add, enter User4 and the click Check Names, and click

OK twice.

3. Plug the Network Cable back

in and force replication

Perform the following task on any of the DC

a. From the Run command type the following syntax:

repadmin.exe /syncall /P

What are the results on the group membership and why?


30/102



Lab 06 Elevate forest functionality to WindowsServer 2003 and test multi-value replication

NOTE: This lab is depended on lab 02 & lab 04

Objectives

After completing this lab, you will be able to:

Elevate the forest functionality

Test multi-value replication

Prerequisites

Understand the different Forest functionalities

Understand how replication works between domain controllers

Domain functional level should been configured as in exercise 1 Lab 04

Lab Setup

To complete this lab, you require computers running Windows Server 2003 that is configured as a

Domain Controllers. Only one computer in each of the forests should be configured as a Global

Catalog server.


31/102



Exercise 1

Goaln

This exercise is almost the same as in Lab 05. However you will first elevate the forest functionality to.Net and then test the effects of multi-valued replication. Once this has been done you will again

disconnect the network cable from the Global Catalog server and add an account to the group on both

domain controllers. Then plug the cable back in and replicate the information to see what effect the

elevation of the forest functionality has.


1. Raise the Forest

Functionality to Windows.Net

Perform the following task on only one of the Domain Controllers.

Decide between each other how will perform this task.

a. Open Active Directory Domains and Trusts.

b. Right click Active Directory Domains and Trusts and select

Raise Forest Functional Level.

c. On the Raise Forest Functional Level accept the default

settings and click Raise.

d. Two messages appear, read the messages and then click

OK for each of them.


mSDS-Behavior-Version = 2

This task should be performed by all students.

a. Open ADSI Edit console that you saved.

b. Right click DC=DomainX,DC=com (where X is your domain


c. Scroll down the attributes until you find mSDS-Behavior-

Version. Check to see if the value is set to 2.

a. Click OK to close the Properties page and Exit the console

Unplug the Network Cable form the server that contains the Global Catalog.

3. Perform the following


the first DC.


the second DC.

Perform these steps on the first DCs

a. Double click the group called group1 and click the Members

Tab.

b. Click Add enter User5 and the click Check Names, click OK

twice.

Perform these steps on the second DC


32/102



c. Double click the group called group1 and click the Members

Tab.

NOTE: A message appears stating that a Global Catalog

cannot be located to retrieve the icons for the member list.

Some icons may be shown. Click OK.

d. Click Add enter User6 and the click Check Names, click OK

twice.

4. Plug the Network Cable back

in and force replication

Perform the following task on any of the DC

b. From the Run command type the following syntax:

repadmin.exe /syncall /P

Review the group membership. Is there a difference Why?


33/102



Lab 07 Create Multiple Sites


Objectives

Create a site and subnet

Configure the properties of a site link

Prerequisites

Understanding of TCP/IP subnets

Understanding of Sites and Site Links

Lab Setup

To complete this lab, you require computers running Windows Server 2003 that is configured

as a Domain Controllers.

User performing the tasks should have Enterprise Admin Rights


34/102



Exercise 1

Goal

NOTE: Students should NOT modify their IP addresses at any stage during this lab!!

In this exercise student will work in teams, where they will create several sites within the Active

Directory Sites and Services. In additional to this you will also create subnet masks and map these

subnet masks to each of the sites that where created. After completing the creation of the sites and

subnet masks you will then move the appropriate servers into the correct sites.


1. Create two new sites with

the name of Site1 and Site2

and link it to the

DEFAULTSITELINK

Perform the following tasks on only one Domain Controller in

each forest.

a. Open Active Directory Sites and Services from the

Administrative Tools menu, right click Sites and then click

New Site.

b. In the Name box, type Site1 in and select

DEFAULTIPSITELINK and click OK.

c. Review the message and click OK.

d. Repeat steps B & C for Site2

2. Create a new subnet object

with the network ID of

10.1.x.0/24 (where x is 1 for

forest root domain and x = 2

for second domains).

Associate the subnet object

with your site.

a. In Active Directory Sites and Service, right click Subnets and

then click New Subnet.

b. In the New Object Subnet dialog box, in the Address box,

type 10.1.x.0 (where x is 1 for forest root domain and x = 2 for

second domains).

c. In the Mask box, type 255.255.255.0

d. UnderSite Name, click Site1 and then click OK.

e. Repeat steps A D forSite2


on/in the Inter-Site Transport

object:

Set the properties of

Inter-Site Transport for

the IP to Ignore

Schedules.

Change the

a. In Active Directory Sites and Service, expand Inter-Site

Transports.

b. Right click IP and then click Properties.

c. On the Properties page, select Ignore Schedule and click

OK.

d. In the IP object container right click DEFAULTIPSITELINK

and click Properties.

e. On the DEFAULTIPSITELINK Properties page, change the


35/102



DEFAULTIPSITELINK

replication value to 15

minutes.

Replicate very, value to 15 minutes and click OK.

4. Move the server to the

appropriate sites.

a. In Active Directory Site and Services, expand Default-

First-Site-Name then expand Servers.

b. Right click ServerX (where X is your server name in your

domain) and then click Move.

c. In the Move Server page, click the Site to which your server

needs to be moved and then click OK.

d. Repeat Steps B and C for all the domain controllers.

Run the following command on all servers: Repadmin /kcc serverX.domainX.com

(Where X is your server or domain number/letter).


36/102



Lab 08 Test Global Catalog Failure


Objectives

After completing this lab, you will be able to see and understand the importance of a Global Catalog

server within an organization

Prerequisites

Knowledge about the role of a Global Catalog server

Sites and Subnets should have been configured in exercise 1 Lab 07

Lab Setup



A single Global Catalog Server within each Forest


37/102



Exercise 1

Goal

All students that do not have a Global Catalog service on their domain controller will perform thisexercise. You will logon as a client that does not have any administrative rights on the server to see

the effects it has on a failed Global Catalog service or if no Global Catalog service is available.


1. Check to see if everyone

group has the rights to Log

on Locally

Check to see if the Everyone group has the rights to Log on

Locally


b. Expand your domain and right click Domain Controllers and

select Properties.

c. Select Group Policy on the Domain Controllers Properties

page.

d. Select the Default Domain Controller Policy and Click Edit

e. Under the Group Policy Object Editor page navigate to

Computer ConfigurationWindows SettingsSecurity

Settings

Local Policies

User Rights Assignment.

f. Double click Allow log on locally.

g. Under the Allow log on locally window, Ensure that the

Everyone group is added.

h. If not, add the Everyone group.

i. From the run command run: gpupdate.exe /force

2. Create user account in the

2nd

domain of the forest and

force replication after thecreation of the account.


b. Expand the domain name

c. On the User container right click New User

d. On the New Object User page, Fill in the following details

and then click Next

First name: Peter1

User logon name: Peter1

User logon name (pre-Windows 2000): Peter1

e. Enter a password called password and confirm the password


38/102



as password.

f. Deselect User must change password at next logon, click

Next and then click Finish.

g. Force replication by running this syntax: repadmin.exe

/syncall /P

Log on with the newly created account on all GC servers. Then logoff the account.

Unplug the Network Cable on the 1st

DC/GC in the forest root domain. Perform this task on all the

servers that contains Global Catalogs. These servers are 1, 5, 9 and 13.

3. On the second domain in the forest, logon as the newly created user in that domain. The Global

Catalog must not be available. This can take some time.

What was the result and Why?

Plug the Network Cable back in once the lab has been completed.


39/102



Lab 09 Enable and Test Universal Group Caching

NOTE: This lab is depended on lab 02 & 07

Objectives

After completing this lab, you will be able to configure and manage Universal Group Caching.

Prerequisites

Knowledge of Global Catalog servers

Knowledge of Universal Group Caching

Sites and Subnets should have been configured in exercise 1 Lab 07

Lab Setup



A single Global Catalog Server within each Forest

User performing the tasks should have Enterprise Admin Rights


40/102



Exercise 1

Goal

Only the students without a Global Catalog will be doing this exercise. In this exercise, you willenable universal group caching and test client logons once again to see the effects of universal group

caching.


1. In the second domain set the

NTDS Site Settings to

cache membership from the

Partner site which is the

first domain. Force

Replication.

This should only be done from the second domain in each of the

forests.

NOTE: Before you can do this exercise you require Enterprise

Admin rights. Use the Run As command when opening Active

Directory Sites and Services. Logon as the Administrator of the

root domain in your forest.

a. Open Active Directory Sites and Services, expand Sites

and then select the site in which you want to Enable

Universal Group Membership Caching.

b. In the Details pane on the right, right-click NTDS Site

Settings and then click Properties.

c. Select the Enable Universal Group Membership Caching

check box.

d. In Refresh Cache from, click Site1 from which this Site2 will

refresh its cache from, click OK.

e. From the Run command type the following syntax in:

repadmin /syncall /P

Logon to the DC in the second domain with account details that does not contain any admin rights.

This will populate the cache.

Unplug the network cable from the back of the machine that hosts the Global Catalog.

From second domain in the forest, logon with the user account that does not contain administrative

right. Remember the Global Catalog must not be available.


41/102



What is the result and Why?


42/102



Lab 10 Reset Directory Services Restore Modepassword (Optional)

Objectives

After completing this lab, you will be able to reset the Directory Services Restore Mode password.

Prerequisites

Knowledge about the NTDSUTIL utility

Active Directory should be configured as in exercise 1 Lab 02

Lab Setup

A computer running Windows Server 2003 Enterprise Server that is configured as a Domain

Controller


43/102



Exercise 1

Goal

All students will perform this exercise. You must change the Directory Services Restore ModePassword.


1. Use the NTDSUTIL to rest

the DSRM password to

password

a. Open the Command Prompt window.

b. At the command prompt, type NTDSUTIL and press

ENTER.

c. At the NTDSUTIL prompt type, set DSRM Password and

press ENTER.

d. At the Set DSRM Password prompt, type Reset Password

on Server Null (Null is used the local server) and press

ENTER.

e. At the Please type password for DS Restore Mode

Administrator Account: type password and press ENTER.

f. At the Please confirm new password: type password and

press ENTER.

g. At the Reset DSRM Administrator Password prompt, typequit and press ENTER

h. At the NTDSUTIL prompt, type quit and press ENTER

i. Close the command prompt window.


44/102



Lab 11 Create an InetOrgPerson Object (Optional)

Objectives

After completing this lab, you will be able to create an InetOrgPerson.

Prerequisites

Knowledge of using Active Directory Users and Computers

Active Directory should be configured in exercise 1 Lab 02

Lab Setup

A computer running Windows Server 2003 Enterprise Server that is configured as a Domain

Controller


45/102



Exercise 1

Goal

All students can perform this exercise. Here you will create an inetOrgPerson account within theActive Directory.


1. Create an inetOrgPerson

account with a password of

password.


b. Expand yourdomain and right-click the Users container,

select New and then select InetOrgPerson.

c. In the New Object InetOrgPerson windows, type studentX

(where X is your student number) in the First name and UserLogon name boxes, click Next.

d. In the password field type password and confirm the

password. Deselect User must change password at next

logon, click Next and then Finish.

Logoff as Administrator and logon as the newly created account.


46/102



Lab 12 Mark a Schema object as defunct (Optional)

NOTE to Instructor (If not already done) - Create a directory called OIDGen on your computer and

share that directory as OIDGen. Ensure that the application called OIDGen is available in the

directory. The application is available on the Windows 2000 Resource Kit.

Objectives

After completing this lab, you will be able to create a schema object and mark the object as defunct.

Prerequisites

Knowledge of schema objects


Lab Setup

A computer running Windows Server 2003 Enterprise Server that is configured as a DomainController

Schema Administrator rights to be able to create new schema objects

OIDGEN to create unique Object Identifiers


47/102



Exercise 1

Goal

This exercise needs to be preformed by all students. You will create an attribute within the ActiveDirectory schema. Once you have created this attribute in the Active Directory, you will then make

this object defunct. You will also create a second attribute with the same settings as the first one to

see the effects of an attribute that has already been created.



Register the Schema

Management Snap-in.

Copy and Run OIDGen

from your computer to

generate an Object

Identifier.

a. Connect to you instructors computer and copy the OIDGen

file to the temp directory on your local computer.

b. From the command prompt, run OIDGen.exe

c. Do not close the command prompt.

d. At the run command type the following command in: regsvr32

c:\windows\system32\schmmgmt.dll and then press

ENTER.

2. Perform the following task:

Create a new attribute

called studentX (where X

is your student number).

Remove Attribute is

active of the newly

created attribute.

Refresh to ensure

attribute is no longer

available.

a. Create a custom MMC console and add the Active

Directory Schema.

b. Expand Active Directory Schema, right-click Attributes,

click Create Attribute.

c. On the Warning message, click Continue.

d. On the Create New Attribute page, type StudentX (where X

is your student name) into the following boxes, Command

Name and LDAP Display Name.

e. In the Unique X500 Object ID: enter the Attribute Base OID

number generated by the OIDGen application.

f. Under the Syntax select Integer and click OK.

g. Browse to the newly created Object, right-click Properties

and deselect Attribute is Active.

h. Click Yes to accept the Warning Message and click OK.

i. Refresh to verify that the attribute is not visible in Schema

Management.


Use Show defunct

objects in Schema

a. In the Schema Management Console, click View and then

Defunct Objects.


48/102



Management or use

ADSI Edit to locate the

Attribute.

b. Browse to the object and see that the Status of the object is.

c. Open the ADSI Edit console, right-click ADSI Edit and select

Connect To.

d. On the Connection Settings page, select Schema under the

dropdown list ofSelect a well known Naming Context, and

click OK.

e. Browse for the attribute that you created, right-click

Properties.

f. Ensure the value ofisDefunct is set to TRUE, click OK and

close ADSI Edit.

Create a new Attribute with the same settings as the defunct attribute.

Does this work?

Note: While you can reuse the OID and LDAP name you cannot reuse the common name.


49/102



Lab 13 Create an application partition

Objectives

After completing this lab, you will be able to create application partitions and replicate these partitions

to different domain controllers within you domain or forest.

Prerequisites

Knowledge of application partitions

Knowledge of the NTDSUTIL utility

DNS should be configured as in exercise 1 Lab 01


Lab Setup

Computers running Windows Server 2003 Enterprise Server that is configured as a Domain

Controller

A computer running DNS Server

Network connectivity between computers within the same forest


50/102



Exercise 1

Goal

All students can perform this exercise. Here you will create an application partition and then replicatethis partition to all domain controllers with the Active Directory domain/forest.


1. Perform the following tasks:

On each DC use

NTDSUTIL to create an

Application Partition

called ApptestX (where

X is you student number)

Add a replica of the

application partition to

your partners Domain

Controller.

a. Open the command prompt window.

b. At the command prompt, type NTDSUTIL and press

ENTER.

c. At the NTDSUTIL prompt type, Domain Management and

press ENTER.

d. At the Domain Management prompt type, connections and

press ENTER.

e. At the Server connections prompt, type Connect to server

[your server name], and press ENTER. Example: connect to

server server1

f. At the Server connections prompt type, quit and press

ENTER.

g. At the Domain Management prompt type, list and pressENTER.

This will show you all the Directory Partitions for the forest.

h. At the Domain Management prompt type, create nc

dc=APPTESTX (where X is your student number),dc=your

domain name,dc=com Null, press ENTER. Example:

create nc dc=applicationpartition,dc=domainX,dc=com null

i. At the Domain Management prompt type, list and press

ENTER.

j. At the Domain Management prompt type, Add nc replica dc

=APPTESTX,dc=your domain name,dc=com

server2.yourDomainName.com and press ENTER.

Example: Add nc replica

dc=APPTESTX.dc=domainX,dc=com serverx.domainx.com

k. At the Domain Management prompt type, list nc replicas


51/102



dc=APPTESTX,dc=domainX,dc=com and press ENTER.

l. At the Domain Management prompt type, quit and press

ENTER.

m. At the NTDSUTIL prompt type, quit and press ENTER.

2. Perform the following tasks:

Create a new DNS zone

and store the information

into the application

partition.

Force Replication

Verify that all zones are

updated on both

DC/DNS servers

a. Open the command prompt

b. At the command prompt runrepadmin /kcc

/serverx.domainx.com

c. Also stop and start the DNS Services by running:

d. Net stop DNS and then Net Start DNS.

e. Open DNS console and expand your server name.

f. On the Forward Lookup Zones, right-click and select New

Zone.

g. On the Welcome to the New Zone Wizard page, click Next.

h. On the Zone Type page, select Primary Zone, leave the

Store the zone in Active Directory (available only if DNS

server is a domain controller) tick box and click Next.

i. On the Active Directory Zone Replication Scope page,

select To all domain controllers specified in the scope of

the following application directory.

j. Select the Application partition that you created, (ApptestX,

where x is your student number) and click Next.

k. On the Zone Name page, type Nwtraders.com and click

Next.

l. On the Dynamic Update page, select Allow only secure

dynamic updates (recommended for Active Directory),

click Next.

m. On the Completing the New Zone Wizard page, click

Finish.

n. Force replication between the DC/DNS servers using the

repadmin /syncall /P command.

3. Use ADSI Edit to view

properties of the Application

partition.

a. Open the ADSI Edit Console that you created earlier.

b. Right-click ADSI Edit, select Connect to

c. On the Connection Settings page, UnderSelect a well

known Naming Context select Configuration, and press

OK.


52/102



d. Expand the Configuration container and click Partitions.

e. On the right side underDirectory Partition Name find your

partition you created and Browse its properties.

f. Exit and close ADSI Edit.


53/102



Lab 14 Renaming of Domain Controllers

Objectives

After completing this lab, you will be able to rename Domain Controllers.

NOTE: There is several ways in renaming Domain Controllers. In this exercise, the command line

version will be used to rename the Domain Controllers. Ask the instructor to demo the renaming of a

Domain Controller using the GUI.

Prerequisites

Knowledge, which regards to the impact a renaming of Domain Controllers, can have.

Knowledge about the NETDOM utility


Fully Qualified Domain Name (FQDN) of your domain


54/102



Exercise 1

NOTE: Fully Qualified Domain Names (FQDN) must be used when performing this exercise.

Perform the rename exercise on only one Domain Controller at a time. Wait for the process to

complete before continuing. The table below defines the current and the new server name you mustuse.

Old Computer Name New Computer Name

Server1 Server101

Server2 Server102

Server3 Server103

Server4 Server104

Server5 Server105

Server6 Server106

Server7 Server107

Server8 Server108

Server9 Server109

Server10 Server110

Server11 Server111

Server12 Server112

Server13 Server113

Server14 Server114

Server15 Server115

Server16 Server116


55/102




1. Using the Netdom command

rename your server. Use the

table above for your new

computer name. Also checkto see if your computer has

been successfully renamed.

NOTE: ServerX = original server name while ServerY = New

Server Name

a. Open the command prompt.

The command below will be used to add the new server

name.

b. At the command prompt type: netdom computername

serverx.domainx.com /add:servery.domainx.com and

press ENTER. (Serverx is your old server number and

servery is your new server number. Domainx is your domain

letter).

The command is used to make the new name the primaryname.

c. At the command prompt type: netdom computername

serverx.domainx.com /makeprimary

servery.domainx.com and press ENTER.

This command enumerates the old computer name.

d. At the command prompt type, netdom computername

serverx.domainx.com /enumerate, press ENTER.

e. Reboot the server.

f. Logon as the administrator.

g. Open the command prompt.

This command will remove the old server name.

h. At the command prompt type, netdom computername

servery.domainx.com /remove serverx.domainx.com,

press ENTER.

i. Reboot the server.

j. Logon as administrator, open command prompt, type

hostname and press ENTER.

This will show you if you computer has been successfully

renamed.


56/102



Lab 15 Renaming Domain NetBIOS Name (To beperformed on the last day as an optional lab)

Objectives


Rename the NetBIOS name of the Domain

Prerequisites

Thorough understanding of Domain Renaming

DNS should be configured as in exercise 1 Lab 01


Lab Setup


as Domain Controllers.


57/102



Exercise 1

Goal

This exercise must only be done at the end of the week. You will be working with your partner duringthis exercise. The goal of this exercise is to rename the current NetBIOS domain name to a new

NetBIOS domain name. The utility that will be used to rename the NetBIOS domain names is

rendom.exe.



to prepare the domain for

renaming:

Configure DNS to

support the New domain

name called

DomainRenameX

(where X is your domain

letter)

DNS must be AD

integrated, support

dynamic updates and

have a Host record for

the server.

Copy random.exe and

GPFixup.exe to

c:\domainrename

Perform the following on all the odd numbered Domain

Controllers.

a. Open DNS console and create a Forward Lookup Zone

called DomainrenameX.com (where X is your domain letter).

Ensure that the zone AD integrated is selected and

Replicated to all DNS server in the forest is selected.

b. Ensure there is a Host (A) record created. If not perform the

following action:

c. Right-click the newly created domain name and select New

Host (A)

d. In the New Host page, type in your server name in the

Name (uses parent domain name if blank): box.

e. Under the IP address, enteryour machines IP address in

then click Add Host.

f. Close DNS Console

Perform the following on all Even number Domain Controllers

g. Create a directory called domainrename on the c:\ drive.

h. Copy all the files in the VALUEADD\MSFT\MGMT\DOMREN

which is located on your Windows 2003 Advanced Server into

this directory.


58/102



2. The following tasks need to

be performed to rename the

domain.

Rendom /list

Save a copy of

Domainlist.xml as

domainlist-save.xml

Edit NetBIOS name in

domainlist.xml file and

save it.

Rendom /showforest and

verify change is correct.

Rendom /upload and

view content of dclist.xml

Run repadmin /syncall /P

Rendom /prepare and in

dclist.xml verify that

Prepared is true for all DCs.

Rendom /execute and in

dclist.xml verify that

done is

true for all DCs

The following tasks need to be performed from all the even

numbered domain controllers in each domain. However it is

recommended that your partners follow in what you are doing.

a. Open the command prompt and type cd\domainrename

and press ENTER.

b. At the domainrename prompt type: random /list

c. Save a copy of the domainlist.xml file as domainlistsave.xml

in the same directory.

d. Change the domain NetBIOS name by editing the sections

between in the

domainlist.xml file and save the changes.

e. At the domainrename prompt type: random /showforest toverify that your changes are correct.

f. At the domainrename prompt type: random /upload and view

the contents ofdclist.xml

g. On all domain controllers within the forest run the following

syntax: repadmin /syncall /P

h. At the domainrename prompt type: random /prepare and

verify in the dslist.xml that prepare< /STATE > is

true for all DCs.

i. At the domainrename prompt type: random /execute and

verify in the dslist.xml that done< /STATE > is true

for all DCs

j. All the machines in the forest will automatically reboot.

k. Logon and run the command below.

Run GPFixup /oldnb:OldDomainNetBIOSName /Newnb:NewDomainNetBIOSName

/dc:DCdnsName

Restart all odd numbered domain controllers in the domain/forest. After logon, all the evenly

numbered domain controllers must be restarted.

Run repadmin /syncall /P on all the domain controllers in the forest. If you get an error message

restart the computer again and retry the command again.

NOTE: The control station might need to be rebooted twice before the command will work.


59/102



Lab 16 Setup and Test Cross Forest Trusts

Instructor Note: review with students trust directions. Make sure they know the difference between

trusted and trusting.

Objectives

After completing this lab, you will be able to create cross-forest trust relationships and administer

these cross-forest trusts.

Prerequisites

Knowledge on the different types of trust relationships

Multiple Active Directories should be configured as per exercise 1 Lab 02

Multiple Forest should have be created within the classroom environment


60/102



Exercise 1

Goal

Students will work as a team during this exercise. A Forest Trust relationship needs to beimplemented between the following forests:

Forest A and Forest C.

Forest E and Forest G.

Forest C and W2K3.Net forest

Forest G and W2K3.Net forest


1. Create a two-way trust

relationship between two

forests within the classroom.

a. Open Active Directory Domains and Trusts, select the

domain and click Properties.

b. In Properties of the domain click Trusts and click New

Trust.

c. On the Welcome to the New Trust Wizard page, click Next.

d. In the Trust Name page, under Name enter the NetBIOS

name of the forest root domain you want to trust, click Next.

e. On the Trust Type page, select Forest Trust and click Next.

f. On the Direction of Trust page, select Two-Way and click

Next.

g. On Sides of Trust page, select Both this domain and the

specified domain, click Next.

h. On the User Name and Password page, enter

Administrator into the User Name box and password into

the Password box, click Next.

i. On the Outgoing Trust Authentication Level Local

Forest page, select Forest-wide authentication and click

Next.

j. On the Outgoing Trust Authentication Level Specified

Forest page, select Forest-wide authentication and click

Next.

k. On the Trust Selections Complete page, review the settings

and click Next.

l. On the Trust Creation Complete page, review settings and

click Next.


61/102



m. On the Confirm Outgoing Trust page, select Yes, confirm

the outgoing trust, click Next.

n. On the Confirm Incoming Trust page, select Yes, confirm

incoming trust, click Next.

o. On the Completing the New Trust Wizard page, click

Finish.

p. Click OK to close the domainx.com properties page and close

Active Directory Domains and Trusts.


62/102



Exercise 2 Test cross forest resource access


1. Create a folder called forest

and share it as forest. Give

users from a different forest

the Change rights

permission to the directory

shared directory.

a. On the servers create a directory called Forest and share the

directory as Forest.

b. Click Permissions in Forest Properties.

c. Click Add underPermissions for Forest.

d. On the Select Users, Computers, or Groups click

Locations

e. Click DomainX.com (Where X is the domain letter with how

you created a forest trust with) then click OK.

f. In Enter the object names to select type in Domain Usersand click Check Names, click OK.

g. In the windows forPermissions for Domain Users select

Allow Change, click OK.

h. Click OK to close Forest Properties.

2. a. Logon as a user that was created earlier.

b. From the Run command type: \\serverx\forest (where X is the

server number), click OK.

c. Once open right-click in the blank area, select new and thenselect bitmap image, press ENTER.

d. Close the window. This has allowed you to create a file on

the server in a different forest.


63/102



Exercise 3 Test cross forest delegations


1. Create an OU called

DelegateX (where X is your

student number) and assign

the Domain Admins in the

trusted domain access to

create and delete users.

a. Open Active Directory Users and Computers and click on

the Users Container.

b. Create an OU called DelegateX (Where X is your student

number)

c. Right-click the OU and click Delegate Control

d. On the Welcome to the Delegation of Control Wizard, click

Next.

e. On the Users or Groups page, click Add, click Locations

and highlight the second forest then click OK.

f. In the Enter the object names to select type Domain Admins

and click Check Names, click OK.

g. On the Users or Groups page, ensure that

DomainX\Domain Admins is selected, click Next.

h. On the Tasks to Delegate page, select Create, delete, and

Manage user accounts, click Next.

i. On the Completing the Delegation of Control Wizard page,

click Finish.

j. Logof from the computer


64/102



2. Test the Delegation by

creating a User account in

the OU in your partners

forest domain.

Logon as a user with Domain Admin rights before starting this

exercise. The user must not be the Administrator account.

a. Open Active Directory Users and Computers, right-click

your domain and select Connect to Domain.

b. On the Connect to Domain page, type the domain name in

to which you want to connect and click OK.

c. Expand the domain to which you connected and click the OU

called DelegationX (where X is will be the student number of

the user that administers that domain).

d. Right-click the OU and click New User.

e. Type a user name into the following boxes: First name and

User logon Name, click Next.

f. Type in password in the Password and Confirm password

boxes, click Next.

g. Review the details and click Finish.


65/102



Lab 17 IIS

Objectives


Installing and Configuring IIS

Determine which Isolation mode your IIS server is.

View the different processes currently running

Creating Application Pools

Recycling Processes

Prerequisites

Knowledge of IIS

Lab Setup

A computer running Windows Server 2003 Enterprise configured as a Domain Controller.


66/102



Exercise 1

Goal

The goal of this exercise is to install and configure IIS for the rest of the exercises.


This Exercise can be performed by all Students

1. View or change the

Application Isolation Mode

using IIS Manager

a. Click StartMange Your Server

b. On Mange Your ServerAdd or Remove a Role

c. On the Configure Server Wizard Page click Next.

d. On the Server Role Page click Application Server (IIS,ASP.Net) and click Next.

e. In the Application Server Option Page leave as default and

click Next

f. On the summary page click Next

g. This starts the installation and configuration of IIS.

h. Once completed click Finish

i. On the Manage your Server page click Manage this

Application Server

j. Browse around the interface to familiarize yourself with the

interface.


67/102



Exercise 2

Goal

The goal of this exercise is to establish in which isolation mode your current IIS server is running in.



1. View or change the

Application Isolation Mode

using IIS Manager

a. Open the IIS snap-in (Click Start, click Programs, click

Administrative Tools, and then click Internet Information

Services)

b. Right click on the Web Sites folder and choose Properties

c. Click on the Service tab

d. View the status of the checkbox labeled Isolation Mode

e. If the box is unchecked, you are running in worker process

isolation mode

f. If the box is checked, you are running in IIS5 Isolation Mode

g. Verify that the check box is unchecked uncheck if

necessary

(You will be required to run in worker process isolation mode forthe remainder of these exercises)

h. Click Apply

i. You will now be prompted to restart the Web services; click

Yes to restart IIS. After IIS restarts, click OK to close the

Web Sites properties sheet. Verify the Application Pools

folder is present.


68/102



Exercise 3

Goal

In this exercise, you will use a VBScript to view process information.



1. Execute the listw3wp.vbs to

view process information

a. From the command prompt, change directory to the path

containing the script file listw3wp.vbs. It should be C:\IIS

b. Execute the command: listw3wp.vbs

c. If there are no worker processes running, you should see a

message indicating there are no running w3wp.exe

instances

d. To view worker processes using the script, navigate to any

local URL using Internet Explorer, such as http://localhost

(disregard the page that is returned)

e. Re-run listw3wp.vbs and you should see the Process ID (PID)

and the Application Pool name of the running worker process.

Note: You must be running your server in worker process

isolation mode for this exercise to work, and for listw3wp to returninformation. If your configuration is running in IIS5 isolation

mode, or you are unsure of the mode, revisit the first exercise on

isolation modes.


69/102



Exercise 4

Goal

In

windows server 2003 expert workshop

Documents