Microsoft - Active Directory Deployment and Management Enhancements
Windows Server 2012 - Active Directory Deployment and Management Enhancements - Hands-on lab
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter
in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, Hyper-V, Windows PowerShell, and Windows Server 2012 are trademarks of the Microsoft group of
companies.
Introduction
Estimated time to complete this lab
30 minutes
Objectives
After completing this lab, you will be able to:
Prerequisites
Before working on this lab, you must have:
Intended audience
This lab is intended for individuals who are responsible for deploying Active Directory and wish to
leverage the newer features of Windows Server 2012 to simplify the process for deploying new domain
controllers. This lab is also designed for individuals who are responsible for automation of Active Directory
tasks.
Lab created by HynesITe, Inc. For questions or comments, send an email message to labs@holsystems.com Page | 3
Note on activation
The virtual machines for these labs may have been built by using software that has not been activated.
This is by design in the lab to prevent the redistribution of activated software. The unactivated state of
software has been taken into account in the design of the lab. Consequently, the lab is in no way affected
by this state. For operating systems other than Windows 8, please press Cancel or Close if prompted by an
activation dialog box. If you are prompted by an Activate screen for Windows 8, press the Windows key to
display the Start screen.
1. Open Server Manager, and then click Add other servers to manage.
2. In the Name (CN): dialog box, type Server1, and then click Find Now.
9. Check the Active Directory Domain Services check box, click Add Features, and then click Next.
10. Click Next until you reach the end of the wizard, and then click Install.
NOTE: This does not configure a domain controller, but installs the Active Directory components.
1. In Server Manager, click the notification flag, and then click Task Details.
IMPORTANT: You may need to wait for the installation activity from the previous exercise to complete
before proceeding.
2. When the feature installation is complete, in the Task Details dialog box, click the Add Roles and
3. In the Task Details dialog box, locate the task with the message Configuration required for Active
Directory Domain Services at Server1, and then click Promote this server to a domain
controller.
4. On the Deployment Configuration page, click Change, type Contoso\administrator and the
password Passw0rd!, and then click OK.
5. Click Next.
6. On the Domain Controller Options page, under Type the Directory Services Restore Mode (DSRM)
password, in Password and Confirm password, type Passw0rd!, and then click Next.
7. Click Next until you reach the Review Options page.
11. Click Next, and then when the prerequisites check completes, click Install.
NOTE: The installation progress will be shown in Server Manager. Wait for this to complete.
TIP: You can use tab completion on all parameters to simplify typing.
3. When prompted for credentials, enter the username Contoso\Administrator and the password
Passw0rd!.
4. When prompted for a SafeModeAdministratorPassword, type Passw0rd!, and then press ENTER.
6. When prompted that the server will be configured as a domain controller, press Y, and then press
ENTER.
7. Wait for the command to complete, and then close the Windows PowerShell window.
1. From the taskbar, maximize the Active Directory Sites and Services console you minimized in a
previous step.
2. Navigate to Sites/Default-First-Site-Name, and then click Servers.
3. Verify that you see DC, Server1 and Server2 as domain controllers.
TIP: You may need to press F5 to refresh the view.
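The Windows PowerShell promotion described in the steps above, written out as a complete script. This is an added example, not the lab's own script: it assumes it is run in an elevated session on the server being promoted (Server2 in the lab), that the server is already joined to contoso.com, and that DNS is hosted on the domain controllers. The secrets are prompted for rather than typed into the script, which is what you would want outside a lab.

```powershell
# Added example (not part of the lab): promote a domain-joined member server to an
# additional domain controller for contoso.com with the AD DS deployment cmdlets,
# then verify the result. Run in an elevated PowerShell session on the server itself.

# 1. Install the AD DS binaries (what the Server Manager wizard did for Server1).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Collect the two secrets interactively instead of hard-coding them:
#    the account allowed to add a DC, and the Directory Services Restore Mode password.
$cred = Get-Credential -UserName 'Contoso\Administrator' -Message 'Account allowed to add a domain controller'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (SafeModeAdministrator) password'

$params = @{
    DomainName                    = 'contoso.com'
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    SiteName                      = 'Default-First-Site-Name'   # site seen in the lab's Sites and Services console
    InstallDns                    = $true
}

# 3. Dry run: the same prerequisite checks the wizard performs, without changing anything.
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message

if ($check.Status -eq 'Success') {
    # 4. Promote. -Force suppresses the "press Y to continue" prompt for scripted runs;
    #    the server reboots automatically when promotion completes.
    Install-ADDSDomainController @params -Force
}

# 5. After the reboot, from any DC: the new server should be listed in its site,
#    together with DC and Server1, and should be a global catalog.
# Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog, OperatingSystem
```

Leaving out -Force reproduces the interactive confirmation the lab describes; leaving out -SafeModeAdministratorPassword makes the cmdlet prompt for it, as in the lab's step 4.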
IMPORTANT: Leave Active Directory Administrative Center open. If you close it then the Windows
4. In the Tasks pane, under Managed-Objects, click New, and then click Organizational Unit.
6. Clear the Protect from accidental deletion check box, and then click OK.
7. Open Sales.
9. Create a new user with the following properties, and then click OK.
Property Value
First Name Don
Last Name Hall
Full Name Don Hall
User UPN Logon DONHALL
Password Passw0rd!
Confirm Password Passw0rd!
Department Sales_APAC
2. On the Tasks menu, under Contoso (local), click Enable Recycle Bin, and then in the Enable
6. Click Don Hall, and then on the Tasks menu, click Locate Parent.
NOTE: It highlights the Sales OU, since it was the last parent OU.
7. Click Don Hall, and then on the Tasks menu, click Restore To.
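The Recycle Bin enablement, the Locate Parent check and the Restore To action from the steps above, done with the ActiveDirectory module. This is an added example, not the lab's own script. It assumes the forest functional level is at least Windows Server 2008 R2 (required for the Recycle Bin), that the user Don Hall was created under OU=Sales,OU=Managed-Objects and then deleted, and it is run on DC as Contoso\Administrator.

```powershell
# Added example (not from the lab): enable the AD Recycle Bin, find a deleted user,
# locate its former parent, and restore it either in place or to a fallback container.
Import-Module ActiveDirectory

# 1. Enable the optional feature. This is forest-wide and cannot be switched off again.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false

# 2. Find the deleted object. Deleted objects are hidden unless -IncludeDeletedObjects is
#    given, and their name carries a "\0ADEL:<guid>" suffix, hence the trailing wildcard.
$deleted = Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user)(name=Don Hall*))' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, sAMAccountName

if (-not $deleted) { throw 'No deleted user named Don Hall found' }

# 3. "Locate Parent": lastKnownParent is the container the object lived in when deleted.
$parentDn = $deleted.lastKnownParent
$parentExists = try { [bool](Get-ADObject -Identity $parentDn -ErrorAction Stop) } catch { $false }

# 4. Restore. If the original OU was deleted too, restore the OU first or "Restore To" a
#    container that still exists (the lab used the Users container); otherwise put the
#    object back where it was.
if ($parentExists) {
    Restore-ADObject -Identity $deleted.ObjectGUID
} else {
    $fallback = "CN=Users,$((Get-ADDomain).DistinguishedName)"
    Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $fallback
}

# 5. Verify the account came back with its SID and group memberships. This is the point
#    of the Recycle Bin: a re-created account would get a new SID and lose every ACL entry
#    and group membership that referenced the old one.
Get-ADUser -Identity $deleted.sAMAccountName -Properties SID, MemberOf |
    Select-Object Name, DistinguishedName, Enabled, SID, MemberOf
```

The restored account keeps the state it had at deletion, including the disabled flag and password, so check the Enabled value before handing it back to the user.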
Settings Container.
2. On the Tasks menu, click New, and then click Password Settings.
6. In Select Users or Groups, type Domain Users, and then click OK.
7. Click OK.
13. In Select Users or Groups, type Domain Admins, and then click OK.
4. Click Cancel.
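The two Password Settings objects the steps above create, one applied to Domain Users and one to Domain Admins, written with the ActiveDirectory module, followed by a check of which policy each user actually gets. This is an added example, not the lab's own script. The policy values and the PSO names are assumptions (the lab's values are not on this page); it assumes the domain functional level is at least Windows Server 2008, that Don Hall's logon name is DONHALL, and that it is run on DC as Contoso\Administrator.

```powershell
# Added example (not from the lab): a baseline fine-grained password policy for all users
# and a stricter one for Domain Admins, then the resultant policy for two users.
Import-Module ActiveDirectory

# When a user is covered by more than one PSO, the one with the LOWER Precedence wins.
$baseline = @{
    Name                        = 'PSO-DomainUsers'
    Precedence                  = 20
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    LockoutThreshold            = 10
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false   # never store recoverable passwords
}
New-ADFineGrainedPasswordPolicy @baseline
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-DomainUsers' -Subjects 'Domain Users'

# Same settings, tightened for privileged accounts; precedence 10 beats the baseline.
$admins = $baseline.Clone()
$admins.Name              = 'PSO-DomainAdmins'
$admins.Precedence        = 10
$admins.MinPasswordLength = 20
$admins.MaxPasswordAge    = (New-TimeSpan -Days 30)
$admins.LockoutThreshold  = 5
New-ADFineGrainedPasswordPolicy @admins
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-DomainAdmins' -Subjects 'Domain Admins'

# Resultant policy: Administrator is in both groups, so PSO-DomainAdmins applies;
# DONHALL is only in Domain Users, so the baseline applies.
foreach ($user in 'Administrator', 'DONHALL') {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    '{0,-14} {1,-18} MinLen={2} MaxAge={3}d Lockout={4}' -f $user, $pso.Name,
        $pso.MinPasswordLength, $pso.MaxPasswordAge.Days, $pso.LockoutThreshold
}
```

PSOs apply only to users and global security groups, never to OUs; if a user is in no PSO subject, Get-ADUserResultantPasswordPolicy returns nothing and the Default Domain Policy settings apply.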
2. Scroll through and review the recent actions recorded as Windows PowerShell commands.
3. In Windows PowerShell History, click Start Task, and then type CreateOU.
4. Navigate to Contoso\Managed-Objects.
11. Under Organizational Unit, in Country/Region, select Japan, and then click OK.
3. In Windows PowerShell ISE, maximize the window, and then expand the Script pane.
IMPORTANT: Ensure that New-ADOrganizationalUnit is the first command used. If needed, switch the two
lines around.
14. Switch to Active Directory Administrative Center, and then verify the creation of your new
Organizational Unit.
TIP: You may have to refresh the display.
2. On the Tools menu, click Active Directory Module for Windows PowerShell.
NOTE: The full list of Active Directory cmdlets is listed. These are sourced from the Active Directory
module and the Active Directory deployment modules. These are the only installed modules currently;
however there are other modules available to manage Active Directory roles.
↪ Get-WindowsFeature
NOTE: The full list of available modules is listed. Scroll up to see the Active Directory modules, and the
5. To browse the Active Directory domain using Windows PowerShell, type the following commands,
↪ CD AD:
↪ DIR | Format-Table -Auto
↪ CD "DC=Contoso,DC=Com"
↪ DIR
6. To list all objects in a container and then filter to only users, type the following commands,
↪ CD CN=Users
↪ DIR | FT -a
↪ Get-ADUser -Filter {name -like "*"}
7. To enable the built-in Guest account, type the following commands, pressing ENTER after each
one.
NOTE: The Guest account is now enabled. Notice that Don Hall's account is located in the Users
container after you recovered the account earlier. Enabling Guest is a lab exercise only; outside the
lab, leave the built-in Guest account disabled.
Perform this task logged on to DC as Contoso\Administrator with the password Passw0rd!, with the
Active Directory Module for Windows PowerShell open from the previous task.
NOTE: The properties of the new Organizational Unit, located under Managed-Objects, are now
displayed.
3. When prompted for an AccountPassword, type Passw0rd!, and then press ENTER.
NOTE: This has now created a new user named Mark Hassall with the password of Passw0rd! in the
APAC OU.
Perform this task logged on to DC as Contoso\Administrator with the password Passw0rd!, with the
Active Directory Module for Windows PowerShell open from the previous task.
NOTE: Don Hall’s account no longer shows as it has moved from the Users container to the APAC OU.
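The OU creation that the Windows PowerShell History viewer records, the New-ADUser call for Mark Hassall, and the move of Don Hall into the new OU, as one script. This is an added example, not the lab's own script or the exact text of its History pane. It assumes the Managed-Objects OU exists, that the new OU is named APAC with Japan as its country (as selected in the lab), that Don Hall's logon name is DONHALL, and it is run on DC as Contoso\Administrator; Mark Hassall's logon name and UPN are assumptions.

```powershell
# Added example (not from the lab): create the APAC OU, create a user inside it, and move
# an existing user into it, then verify. Task name in the lab's History viewer: CreateOU.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$parentDn = "OU=Managed-Objects,$domainDn"

# New-ADOrganizationalUnit must run before anything is created inside the OU.
# Keep ProtectedFromAccidentalDeletion on: it blocks delete and move, not edits.
New-ADOrganizationalUnit -Name 'APAC' -Path $parentDn -Country 'JP' `
    -ProtectedFromAccidentalDeletion $true
$apacDn = "OU=APAC,$parentDn"

# Prompt for the initial password instead of embedding it in the script.
$initial = Read-Host -AsSecureString -Prompt 'Initial password for Mark Hassall'
New-ADUser -Name 'Mark Hassall' -GivenName 'Mark' -Surname 'Hassall' `
    -SamAccountName 'MarkHassall' -UserPrincipalName 'MarkHassall@contoso.com' `
    -Department 'Sales_APAC' -Path $apacDn -AccountPassword $initial `
    -ChangePasswordAtLogon $true -Enabled $true

# Move Don Hall from wherever he currently is (the Users container, after the restore)
# into the APAC OU. Move-ADObject takes the object's DN or GUID, not a display name.
$don = Get-ADUser -Identity 'DONHALL'
Move-ADObject -Identity $don.DistinguishedName -TargetPath $apacDn

# Verify: both users now sit in APAC.
Get-ADUser -Filter * -SearchBase $apacDn -Properties Department |
    Select-Object Name, SamAccountName, Department, Enabled
```

If New-ADUser fails with a password-policy error, the account is still created but left disabled; set the password and enable it afterwards rather than lowering the policy.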
2. On the Tools menu, click Active Directory Module for Windows PowerShell.
3. Type the following command, and then press ENTER.
↪ Get-ADReplicationSite
↪ New-ADReplicationSite Sydney
↪ Get-ADReplicationSiteLink -Filter *
NOTE: There is only a single Site Link, and it does not include the newly created Sydney site.
NOTE: The new site link has been created with a cost of 100 and a replication frequency of 15 minutes.
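The site and site-link creation from this task written out, with the subnet that makes the site usable. This is an added example, not the lab's own script: the site name Sydney, the cost of 100 and the 15-minute interval are the lab's; the site-link name, the subnet 10.10.0.0/16 and the change-notification option are assumptions. Run on DC as Contoso\Administrator.

```powershell
# Added example (not from the lab): create a site, a dedicated site link to the default
# site with explicit cost and interval, and a subnet so that DCs and clients map to the site.
Import-Module ActiveDirectory

New-ADReplicationSite -Name 'Sydney'

# A dedicated link makes cost and schedule explicit instead of relying on DEFAULTIPSITELINK.
# options = 1 turns on change notification across the link, so urgent changes (for example
# account lockouts and password resets) replicate without waiting for the 15-minute interval.
New-ADReplicationSiteLink -Name 'Default-Sydney' `
    -SitesIncluded 'Default-First-Site-Name', 'Sydney' `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15 `
    -OtherAttributes @{ options = 1 }

# A site with no subnet never gets any DC or client assigned to it.
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'Sydney'

# Review: every site link with its members, cost and interval, and the subnet-to-site map.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

Sydney still has no domain controller after this; moving one there (Move-ADDirectoryServer) or promoting one with -SiteName Sydney is what makes the link carry traffic.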
Perform this task logged on to DC as Contoso\Administrator with the password Passw0rd!, with the
Active Directory Module for Windows PowerShell open from the previous task.
Perform this task logged on to DC as Contoso\Administrator with the password Passw0rd!, with the
Active Directory Module for Windows PowerShell open from the previous task.
NOTE: The DC has multiple replication partners while Server2 only has one.
NOTE: The USNFilter values do not need to be exactly the same; however if they are significantly
different, this can indicate an issue with replication.
↪ Get-ADReplicationFailure Server2.contoso.com
↪ Get-ADReplicationFailure Server1.contoso.com
↪ Get-ADReplicationFailure DC.contoso.com
NOTE: Any replication failures would be listed after these commands. If there are no results returned,
then there have been no failures.
With Windows Server 2012, service administrators no longer need to manage the password of an account
shared by several service instances. You provision a group Managed Service Account (gMSA) in Active
Directory, specify which hosts may retrieve its password, and configure a service that supports
managed service accounts to use it; the domain controllers generate and rotate the password.
domain’s forest needs to be at the Windows Server 2012 version in order to create a gMSA.
5. Click Cancel.
↪ Add-KdsRootKey -EffectiveImmediately
↪ Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
NOTE: The second command creates a root key whose effective time is ten hours in the past, which
bypasses the built-in 10-hour delay. That delay exists so the key can replicate to every domain
controller before a gMSA depends on it, so backdating is only acceptable in a lab. In a production
environment, run the first command, then wait 10 hours (or until replication to all domain
controllers is confirmed) before proceeding.
Perform this task logged on to DC as Contoso\Administrator with the password Passw0rd!, with the
Active Directory Module for Windows PowerShell open.
1. In Active Directory Module for Windows PowerShell, type the following command, and then press
ENTER.
1. In Active Directory Module for Windows PowerShell, type the following command, and then press
ENTER.
↪ Install-ADServiceAccount gMSA_SQL
↪ Test-ADServiceAccount gMSA_SQL
NOTE: The value of true indicates that the gMSA_SQL account is active and able to be retrieved from the
host machine.
NOTE: To run a service under the gMSA, set the service's logon account to the account name with a
trailing dollar sign, such as Contoso\gMSA_SQL$, and leave the password blank.
In this exercise, you will prepare a domain controller for cloning; however you will not be able to complete
the cloning process.
This is the same group that the cloned domain controllers will be added to after cloning.
Perform this task logged on to DC as Contoso\Administrator with the password Passw0rd!
8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
types, select Computers, and then click OK.
9. In Enter the object names to select, type Server1, and then click Check Names.
2. On the Tools menu, click Active Directory Module for Windows PowerShell.
↪ Get-ADDCCloningExcludedApplicationList
NOTE: The services displayed are currently excluded from the cloning process.
↪ Get-ADDCCloningExcludedApplicationList –GenerateXml
NOTE: If you see a dialog box with a message that the content is blocked, click Close to close the dialog
box.
NOTE: CustomDCCloneAllowList.xml lists the additional programs and services that will be allowed in the
cloning process; generating it declares every entry safe to clone. If any of them must not be cloned,
edit the XML and remove their entries.
Perform this task logged on to Server1 as Contoso\Administrator with the password Passw0rd!,
with the Active Directory Module for Windows PowerShell open.
NOTE: The settings that will be read by the new cloned domain controller on start are now displayed.
NOTE: In the lab environment, this is as far as the steps can be completed. The next steps to complete
the cloning process would be to shut down and export the virtual machine, import and rename the new
cloned virtual machine, and then power it on. On startup, the cloned DC will read and apply the
contents of the DCCloneConfig.xml file.
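The cloning preparation from this exercise end to end, up to the point where the virtual machine would be exported. This is an added example, not the lab's own script: Server1 as the source DC and the Cloneable Domain Controllers group are from the lab; the clone name Server3, its IP settings and the use of Default-First-Site-Name are assumptions for illustration. The first part runs on DC and the second on Server1, both as Contoso\Administrator.

```powershell
# Added example (not from the lab): verify the cloning prerequisites, authorize the source
# DC, review the excluded-application list, and write DCCloneConfig.xml.
Import-Module ActiveDirectory

# --- On DC ---
# Cloning requires the PDC emulator to run Windows Server 2012 or later and the source DC
# to be a member of "Cloneable Domain Controllers"; New-ADDCCloneConfigFile checks both.
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
'PDC emulator: {0} ({1})' -f $pdc.HostName, $pdc.OperatingSystem
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer 'Server1')

# --- On Server1 ---
# Anything listed here is not known to be clone-safe (it may hold machine-specific state,
# such as a certificate or a unique identifier that must not exist twice).
$excluded = Get-ADDCCloningExcludedApplicationList
$excluded | Format-Table Name, Type -AutoSize

# Generating CustomDCCloneAllowList.xml declares every listed entry safe to clone.
# Review the list first and remove what you cannot vouch for; -Force only overwrites
# an existing file, it does not make the entries safe.
if ($excluded) {
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    Get-Content "$env:SystemRoot\NTDS\CustomDCCloneAllowList.xml"
}

# DCCloneConfig.xml holds the identity and network settings the clone applies at first boot.
# The cmdlet runs the prerequisite checks itself and refuses to write the file if any fail.
New-ADDCCloneConfigFile -CloneComputerName 'Server3' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.30' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.10'
Get-Content "$env:SystemRoot\NTDS\DCCloneConfig.xml"

# What remains happens outside Active Directory: shut down Server1, export the VM, import
# the copy with a new virtual machine ID, rename it and start it. The clone reads
# DCCloneConfig.xml at startup and promotes itself. Until the clone is running, the
# exported image needs the same protection as a live DC: it contains the whole NTDS database.
```

The hypervisor must expose a VM-Generation ID (Hyper-V on Windows Server 2012 does); without it the imported copy starts as a second Server1 rather than as a new domain controller.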