
Task 1: Add the Active Directory Domain Services role

1. Log on to Server machine as Administrator. The Windows desktop appears and then the Server Manager window appears.
2. If the Server Manager window does not appear, click the Server Manager link in the Quick Launch button on the Quick Launch bar.
3. In the Roles Summary section of the Server Manager home page, click Add Roles. The Add Roles Wizard appears.
4. On the Before You Begin page, click Next.
5. On the Select Server Roles page, select the Active Directory Domain Services check box.
6. When prompted to add features required for Active Directory Domain Services, click Add Required Features, and then click Next.
7. On the Active Directory Domain Services page, click Next.
8. On the Confirm Installation Selections page, click Install. The Installation Progress page reports the status of installation tasks.
9. After the installation is complete, click Close.

Task 2: Configure a new Windows Server 2008 R2 forest named Emerson.local with HQDC01 as the first domain controller

1. In the Server Manager window, expand the Roles node in the tree pane, and then click Active Directory Domain Services.
2. Click the Run the Active Directory Domain Services Installation Wizard (dcpromo.exe) link. The Active Directory Domain Services Installation Wizard appears.
3. On the Welcome page, click Next.
4. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next.
5. On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and then click Next.
6. On the Name the Forest Root Domain page, under FQDN of the forest root domain, type Emerson.local, and then click Next. The system checks to ensure that the DNS and NetBIOS names are not already in use on the network.
7. On the Set Forest Functional Level page, click Windows Server 2008, and then click Next. Each of the functional levels is described in the Details box. Choosing the Windows Server 2008 forest functional level ensures that all domains in the forest operate at the Windows Server 2008 domain functional level, which enables several new features provided by Windows Server 2008. In a production environment, you would choose Windows Server 2008 R2 forest functional level if you require the features of the Windows Server 2008 R2 functional level and if you do not add any domain controllers running operating systems prior to Windows Server 2008 R2.
8. On the Set Domain Functional Level page, click Windows Server 2008, and then click Next. The Additional Domain Controller Options page appears.
9. Notice that the DNS Server is selected by default. The Active Directory Domain Services Installation Wizard will create a DNS infrastructure during the AD DS installation. The first domain controller in a forest must be a global catalog server and cannot be a read-only domain controller (RODC), so these options are not configurable. Click Next. A warning message about delegation for DNS server appears. Read the text and click Yes. In the context of this exercise, you can ignore this error. Delegations of DNS domains will be discussed later in this course.
10. On the Location for Database, Log Files, and SYSVOL page, accept the default locations for the database file, the directory service log files, and the SYSVOL files, and then click Next.
Note: The best practice in a production environment is to store these files on three separate volumes that do not contain applications or other files not related to AD DS. This best-practice design improves performance and increases the efficiency of backup and restore.
11. On the Directory Services Restore Mode Administrator Password page, type Pa$$w0rd in both Password and Confirm Password boxes, and then click Next.
Important: In a production environment, you should use a strong password for the Directory Services Restore Mode Administrator Password. Do not forget the password you assign to the Directory Services Restore Mode Administrator.
12. On the Summary page, review your selections. If any settings are incorrect, click Back to make modifications.
13. Click Next. Configuration of AD DS begins. After several minutes of configuration, the Completing the Active Directory Domain Services Installation Wizard page appears.
14. Click Finish.
15. Click Restart Now. The computer restarts.

Task 3: Raise the domain functional level to Windows Server 2008 R2


1. Log on to HQDC01 as Administrator with the password Pa$$w0rd.
2. Open the Active Directory Domains and Trusts console from the Administrative Tools menu.
3. In the console tree, right-click emerson.local, and then click Raise Domain Functional Level.
4. In the Select an available domain functional level list, ensure that Windows Server 2008 R2 is selected, and then click Raise. A message appears to remind you that the action might not be possible to reverse.
5. Click OK to confirm your change. A message appears informing you that the functional level was raised successfully.
6. Click OK.

Task 2: Raise the forest functional level to Windows Server 2008 R2


1. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level. The Raise Forest Functional Level dialog box appears.
2. Ensure that the Current forest functional level is Windows Server 2008.
3. In the Select an available forest functional level list, click Windows Server 2008 R2.
4. Click Raise. A message appears to remind you that the action cannot be reversed.
5. Click OK to confirm your change. A message appears informing you that the functional level was raised successfully.
6. Click OK.

Task 3: View and create objects by using Active Directory Users and Computers.

1: Create the Employees OU
2: Create a new user
3: Edit the Employee ID attribute

Task 4: Create a custom MMC console & configure it to run as administrator service.

Task 5: Create a saved query that shows all user accounts with nonexpiring passwords.

1. In the console tree, right-click Saved Queries, point to New, and then click Query.
2. In the New Query dialog box, type Non-Expiring Passwords in the Name box.
3. Click Define Query.
4. Select the Non expiring passwords check box, and then click OK two times.
In a production environment, user accounts should not be configured with non-expiring passwords.
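
The saved query from Task 5 can also be run as a repeatable audit from the Active Directory module for Windows PowerShell. The script below is an added example, not part of the original lab guide; the function name, the output file name and the choice of extra columns (password age, last logon, adminCount) are assumptions made for illustration.

```powershell
# Added example: PowerShell counterpart of the "Non-Expiring Passwords" saved query.
Import-Module ActiveDirectory

function Get-NonExpiringPasswordUser {
    param(
        # Assumption: audit the whole domain unless a narrower OU is supplied.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $query = @{
        Filter     = 'PasswordNeverExpires -eq $true'
        SearchBase = $SearchBase
        Properties = 'PasswordNeverExpires', 'PasswordLastSet', 'LastLogonDate', 'adminCount'
    }

    Get-ADUser @query |
        Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
            # adminCount = 1 marks accounts that are (or were) in a protected admin group.
            @{ Name = 'Privileged'; Expression = { $_.adminCount -eq 1 } },
            # Age of the current password in days; empty if it was never set.
            @{ Name = 'PasswordAgeDays'; Expression = {
                if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays }
            } },
            DistinguishedName
}

# Privileged accounts and the oldest passwords first, saved for review.
Get-NonExpiringPasswordUser |
    Sort-Object @{ Expression = 'Privileged'; Descending = $true },
                @{ Expression = 'PasswordAgeDays'; Descending = $true } |
    Export-Csv -Path .\NonExpiringPasswords.csv -NoTypeInformation
```

Enabled accounts that are privileged and carry an old password are the ones to review first.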

Task 6: List all commands in the Active Directory module.


1. On the Start menu of HQDC1, click All Programs, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
2. In the PowerShell window, type the following command and press Enter.
Get-Command -Module ActiveDirectory

Task 7: Reset user passwords and address information.


1. In the PowerShell window, type the following command, and then press Enter.
Get-ADUser -Filter 'office -eq "New York"'

2. In the PowerShell window, type the following command, and then press Enter after each line.
Get-Help Read-Host -Full
Get-Help Set-ADAccountPassword -Full

3. In the PowerShell window, type the following command, and then press Enter.
Get-ADUser -Filter 'office -eq "New York"' | Set-ADAccountPassword -Reset -NewPassword (Read-Host -AsSecureString 'New password')

4. When prompted, enter the password, Pa$$w0rd1, and then press Enter.
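
The command in step 3 gives every matching account the same password and leaves it in place until the user chooses to change it. The variant below is an added example, not part of the original lab guide: it lists the affected accounts first, then resets each one and requires a change at next logon. The prompt text and variable names are assumptions.

```powershell
# Added example: bulk reset that also forces a password change at next logon.
Import-Module ActiveDirectory

# Same filter as the lab step; PasswordNeverExpires is requested so it can be checked below.
$targets = Get-ADUser -Filter 'office -eq "New York"' -Properties PasswordNeverExpires

# Review exactly which accounts will be touched before changing anything.
$targets |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires |
    Format-Table -AutoSize

$tempPassword = Read-Host -AsSecureString 'Temporary password'

foreach ($user in $targets) {
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $tempPassword

    if ($user.PasswordNeverExpires) {
        # "Change at next logon" cannot be combined with a non-expiring password,
        # so report these accounts instead of letting Set-ADUser fail on them.
        Write-Warning "$($user.SamAccountName): password never expires; change at logon not set"
    }
    else {
        # The shared temporary password is only valid until the first logon.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }
}
```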

Task 8: Create a user account template for Sales.


1. In the Active Directory Users and Computers console tree, expand the domain and the User Accounts OU, and then click the Employees OU.
2. Right-click the Employees OU, point to New, and then click User.
3. Leave the First name box empty.
4. Leave the Last name box empty.
5. In the Full name box, type _Sales User.
6. In the User logon name box, type Template.Sales.
7. In the User logon name (pre-Windows 2000) text box, enter the pre-Windows 2000 logon name, Template.Sales.
8. Click Next.
9. Type Pa$$w0rd in the Password and Confirm password boxes.
10. Ensure that the User must change password at next logon check box is selected.
11. Select Account is disabled.
12. Click Next.
13. Review the summary and click Finish.
14. Right-click _Sales User, and then click Properties.
15. Click the Member Of tab.
16. Click Add.
17. Type Sales and click OK. The Multiple Names Found dialog box appears.
18. Click Sales, and then click OK.
19. Click the Organization tab.
20. In the Department box, type Sales.
21. In the Company box, type company name.
22. Click the Change button in the Manager section.
23. In the Select dialog box, type User Name, and then click OK.
24. Click the Account tab.
25. In the Account Expires section, click End of, and then select the last day of the current year.
26. Click OK.

Task 9: Create a new user account based on a template.


1. Right-click _Sales User, and then click Copy.
2. In the First name box, type Rob.
3. In the Last name box, type Young.
4. In the User logon name box, type Rob.Young.
5. Confirm that the User logon name (pre-Windows 2000) is Rob.Young, and then click Next.
6. In the Password and Confirm password boxes, type Pa$$w0rd.
7. Clear Account is disabled.
8. Click Next.
9. Review the summary, and then click Finish.

Task 10: Import Users using CSVDE command

1: Create a sample csv file.
2: Import using the following command.
csvde [-i] [-f Filename] [-k]

Task 11: Protect a group from accidental deletion.

1. Click the View menu, and then select Advanced Features, so that the Advanced Features option is enabled.
2. In the console tree, click the Groups\Access OU.
3. Right-click a group, and then click Properties.
4. Click the Object tab.
5. Select the Protect object from accidental deletion check box and click OK.
6. Right-click GROUP, and then click Delete. A message appears asking if you are sure.
7. Click Yes. A message appears: You do not have sufficient privileges to delete , or this object is protected from accidental deletion.
8. Click OK.

Task 12: Create a computer account & join to domain.

Task 13 Perform an Offline Domain Join


1: Ensure that the client computer is not joined to the domain.
1. Log on to Client1 as Admin, with password, Pa$$w0rd.
2. On Client1, click Start, right-click Computer, and then click Properties. Ensure that the computer is not joined to any domain.
3. Close the System window.

Task 2: Provision a computer account and perform an Offline Domain Join


1. On HQDC1, open a Command Prompt using administrative privileges with the account, Administrator.
2. Type the following command and press Enter.
djoin /provision /domain Emerson.local /machine Client1 /savefile C:\Client1.txt
3. Ensure that the command completes successfully.
4. Open the Active Directory Users and Computers console, navigate to the Computers container, and ensure that the Client account is created there.
5. Switch to Client1.
6. Open Windows Explorer and create a folder called C:\DJOIN.
7. Browse to \\HQDC1\C$. When prompted for credentials provide Administrator with the password of Pa$$w0rd.
8. Copy \\HQDC1\C$\Client1.txt to C:\DJOIN.
9. Open a Command Prompt using administrative privileges, type the following command, and then press Enter.
djoin /requestodj /loadfile C:\DJOIN\Client1.txt /windowspath %SystemRoot% /localos
10. Ensure that the command completes successfully.
11. Restart Client1.
12. Log on to Client1 as Administrator.
13. On Client1, click Start, right-click Computer and click Properties. Ensure that computer is joined to the domain.

Task 14: Create, Edit, and Link Group Policy Objects

Create a GPO
1. On HQDC1, run Group Policy Management with administrative credentials.
2. In the console tree, expand Forest: emerson.local, Domains, and emerson.local, and then click the Group Policy Objects container.
3. In the console tree, right-click the Group Policy Objects container, and then click New.
4. In the Name box, type Company Standards, and then click OK.

Edit the settings of a GPO


1. In the details pane of the Group Policy Management console (GPMC), right-click the Company Standards GPO, and then click Edit. The Group Policy Management Editor (GPME) appears.
2. In the console tree, expand User Configuration, Policies, and Administrative Templates, and then click System.
3. Double-click the Prevent access to registry editing tools policy setting.
4. Click Enabled.
5. In the Disable regedit from running silently? drop-down list, select Yes.
6. Click OK.
7. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization.
8. In the details pane, click the Screen saver timeout policy setting. Note the explanatory text in the left margin of the console's details pane.
9. Double-click the Screen Saver timeout policy setting.
10. Review the explanatory text in the Help section.
11. Click Enabled.
12. In the Seconds box, type 600, and click OK.
13. Double-click the Password protect the screen saver policy setting.
14. Click Enabled, and click OK.
15. Close the GPME. The changes you make in the GPME are saved in real time. There is no Save command.

Scope a GPO with a GPO link


1. In the GPMC console tree, right-click the domain, and then click Link an Existing GPO.
2. Select Company Standards, and then click OK.
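
The create, edit and link steps above can also be scripted with the GroupPolicy module so that the baseline is repeatable and reviewable. This is an added example, not part of the original lab guide. It assumes the domain DN DC=emerson,DC=local (derived from the lab's domain name) and that the three Administrative Templates settings write the registry values shown; confirm both against the report generated at the end.

```powershell
# Added example: build and link the "Company Standards" GPO without the GUI.
Import-Module GroupPolicy

$gpoName  = 'Company Standards'
$domainDN = 'DC=emerson,DC=local'   # assumption: DN of the lab domain Emerson.local

# Create the GPO only if it does not exist yet, so the script can be re-run.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# Prevent access to registry editing tools.
# Assumed mapping: 2 = also block silent "regedit /s", 1 = interactive only.
$system = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $system `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 2 | Out-Null

# Screen saver timeout (600 seconds) and password protection on resume.
$desktop = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpoName -Key $desktop `
    -ValueName 'ScreenSaveTimeOut' -Type String -Value '600' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desktop `
    -ValueName 'ScreenSaverIsSecure' -Type String -Value '1' | Out-Null

# Scope the GPO to the whole domain (New-GPLink reports an error if the link exists).
New-GPLink -Name $gpoName -Target $domainDN | Out-Null

# Write a report to compare the configured settings with the GUI steps.
Get-GPOReport -Name $gpoName -ReportType Html -Path .\CompanyStandards.html
```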

View the effects of Group Policy application


1. Switch to Client1.
3. Log on to Client1.
4. Right-click the desktop, and then click Personalize.
5. Click Screen Saver.
6. Notice that the Wait control is disabled; you cannot change the timeout.
7. Notice that the On resume, display logon screen option is selected and disabled; you cannot disable password protection.
8. Click OK to close the Screen Saver Settings dialog box.
9. Click Start, and in the Search programs and files box, type regedit.exe, and then press ENTER. The following message appears: Registry editing has been disabled by your administrator.
10. Click OK.

Explore GPO settings


1. Switch to the domain controller.
2. Right-click the Company Standards GPO, and then click Edit.
3. Spend time exploring the settings that are available in a GPO. Do not make any changes.
