ADDS
Before starting the lab restart the servers. First, restart LON-DC1, then
after it has fully started, restart LON-SVR1. This will put the servers in
sync and avoid replication and time errors.
Overview
This course comes with a virtual lab environment where you can practice what you
learn. Launch the lab environment from the Welcome > Getting Started > Practice
Lab Environment page.
If you are having difficulties with the lab environment check out the Student
Lab Guide. This document is available from the Course Handouts page and
includes basic troubleshooting and the support desk link.
Module 1 – Installation
Performance Monitor
Create a data collector set
1. Switch to LON-SVR1.
2. Click the Windows logo, and type perfmon.exe to launch
Performance Monitor.
3. Expand Data Collector Sets, right-click User Defined, point to New,
and then click Data Collector Set.
Name: LON-SVR1 Performance.
Create manually (Advanced). Notice the choice to use a Template.
Select the Performance counter check box.
Add a few counters such as Processor\% Processor Time and
PhysicalDisk\% Disk Time
Take some time to check out the other counters you could add to
your data collector set.
After adding your counters, set the Sample interval to 1. This is for
the lab, and would not be a best practice in a production
environment.
On the Where would you like the data to be saved? page, make
a note of where the data will be saved.
4. Finish creating your data collector set, right-click the set and Start
collecting data.
In this exercise you will create a site for the Toronto office and assign a subnet
to that site.
Note: We will discuss Domain Controllers in more detail in the next module, but for
now go ahead and follow these simple steps to add another domain controller
to the domain.
1. Sign in to LON-SVR1.
2. In the Server Manager Dashboard, select Add roles and features.
3. Proceed to the Server Roles page and select the Active Directory
Domain Services role. Agree to add any features that are required.
4. Read through the rest of the pages and Install the role.
5. After the role installs, select the Notifications icon on the top bar, and select
Promote this server to a domain controller.
6. In the wizard, select add the domain controller to an existing domain.
The domain is Adatum.com and you are using the
Adatum\Administrator credentials.
7. On the Domain Controller options page, notice the Site Name is Default-
First-Site-Name. For the DSRM password use Pa55w.rd.
8. Read through the rest of the pages, take the defaults, ignore any errors, and
then Install.
9. Follow the prompts to restart the server, and sign in again.
1. Switch to LON-DC1.
2. In Server Manager, click Tools, and then click Active Directory Sites
and Services.
3. Expand Sites and notice there is only one site called Default-First-Site-
Name. This site was created when the domain controller was
installed.
4. Right-click the Default-First-Site-Name and Rename the site to London.
5. Right-click Sites, and then click New Site.
Name: Toronto
Select a site-link object for this site: DEFAULTIPSITELINK
6. Read the messages about additional configuration tasks for the Toronto site
such as: linking to other sites, adding subnets to the site, installing domain
controllers in the site, or moving existing domain controllers into the
site.
7. Verify that the Toronto site now displays in the Sites list.
In this exercise you will use PowerShell to create a site, create a subnet, and create a
site link.
In this exercise you will use Server Manager to explore different Windows Server roles
and features, and install a role and feature.
1. Switch to LON-DC1.
2. Open Server Manager.
3. Click the Manage menu, notice the Add Roles and Features and Remove
Roles and Features menu selections.
4. Select Add Roles and Features.
5. Click Next until you are on the Server Selection page.
6. Notice you can administer different computers, select LON-DC1.
7. On the Server Roles page notice when you select a Role, a general Description
is shown on the right.
8. Use the Descriptions to answer the following questions.
9. Question: Which server role enables you to centrally configure, manage,
and provide temporary IP addresses and related information for client
computers?
10. Question: Which server role provides the services that you can use to
create and manage virtual machines and their resources?
11. Question: Which server role provides a reliable, manageable, and
scalable Web application infrastructure?
12. Question: Which server role stores information about objects on the
network and makes this information available to users and network
administrators?
13. Question: Which server role allows network administrators to
specify the Microsoft updates that should be installed on different
computers?
14. Select Print and Document Services, and when prompted confirm
you would like the RSAT tools.
15. Click Next until you are on the Features page.
16. Notice when you select a Feature, a general Description is shown on the
right.
17. Use the Descriptions to answer the following questions.
18. Question: Which server feature allows multiple servers to work
together to provide high availability of server roles?
19. Question: Which server feature includes snap-ins and command line
tools for remotely managing roles and features?
20. Question: Which server feature distributes network traffic across several
servers, using the TCP/IP protocol?
21. Question: Which server feature includes Windows PowerShell
cmdlets that facilitate migration of server roles, operating system settings,
files, and shares from computers that are running earlier versions of
Windows Server?
22. Question: Which server feature provides a central framework for
managing your IP address space and DHCP and DNS servers?
23. Select Windows Server Backup. Notice you have added a role and a
feature.
24. Read through the additional information, and then Install the new
components.
25. You can close the wizard, and use the Notification icon (top) to view the
status. For these components a restart is not required.
Answers:
AD DS Schema
In this exercise you will use the ADSIEdit tool to view objects in the Active Directory
database.
Note: Don't delete or change objects within the Active Directory partitions as this
can cause your Active Directory environment to stop working correctly. The following is
just to help conceptualize where and how this data is stored and managed.
1. Switch to LON-DC1.
2. Open a PowerShell prompt and type ADSIEdit to start the LDAP editor.
3. ADSIEdit is a tool that can be used to view, change, create and delete any
object in the Active Directory database.
4. In the console tree, right-click ADSI Edit, and then select Connect to...
5. In the Connection Point section, ensure that the Select a well known
Naming Context dropdown menu displays Default naming context and then
click OK.
6. As soon as you're successfully connected, in the console tree, double-click
Default naming context [LON-DC1.Adatum.com],DC=Adatum,DC=com, double-
click DC=Adatum,DC=com, and then click OU=Managers.
7. Notice the different class types that are within the Managers object. For
example, user and group.
8. To identify an object, you will use a Distinguished Name. For
example, the Distinguished Name for Ed Meadows is as follows:
CN=Adam Hobbs,OU=Managers,DC=Adatum,DC=com.
9. Right-click CN=Harry Lawrence and view the Properties.
10. Scroll through the Attributes and their associated Values.
11. As you have time, browse other parts of the AD DS database, but don't make
any changes.
12. Did this lab give you a better idea of how AD DS is organized?
Note: If the AD DS role has already been installed on LON-SVR1, you must
uninstall the role and restart the machine.
Note: In this lab you will pre-create the RODC computer account. By pre-creating
this account, you can delegate the second part of the RODC deployment to a
non-administrative user. For example, if the remote site (branch office) doesn't have
any IT administrators, a non-IT user at the site can complete the installation. If
your intention is to deploy an RODC yourself and you are a domain
administrator, you will often bypass the pre-creation and just go straight to
the deployment.
In this exercise you will stop AD DS, defragment the database, check the integrity
of the database, and start AD DS. You will use Server Manager and the
NtdsUtil tool to perform these tasks.
Stop AD DS
1. Switch to LON-DC1.
2. Open a Windows PowerShell prompt.
3. Stop the AD DS service.
Stop-Service ntds
4. Notice that other services are affected by this action including the DNS
Server. Thus, you can't stop the service without using the -Force
parameter.
5. Run the Stop-Service ntds -Force command to stop the service.
6. Note that you could also stop the service in Server Manager\Tools\Services.
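The full maintenance pass this exercise describes (stop AD DS, defragment, check integrity, start AD DS), written as one script. This is an added example, not part of the original lab; the folder paths and the `.precompact` backup name are assumptions, and it records the dependent services first because starting ntds alone does not bring them back.

```powershell
# Added example; run in an elevated prompt on a lab domain controller.
$ntdsDir    = 'C:\Windows\NTDS'    # default database folder (assumption)
$compactDir = 'C:\NtdsCompact'     # scratch folder (assumption)
$dbFile     = Join-Path $ntdsDir 'ntds.dit'
$newFile    = Join-Path $compactDir 'ntds.dit'

New-Item -ItemType Directory -Path $compactDir -Force | Out-Null
# Remove a stale copy from an earlier run so the existence check below is meaningful.
Remove-Item $newFile -ErrorAction SilentlyContinue

# Record which dependent services are running so they can be restarted later.
$dependents = Get-Service -Name ntds -DependentServices |
    Where-Object Status -eq 'Running'

Stop-Service -Name ntds -Force
try {
    # Offline defragmentation writes a compacted copy to the scratch folder.
    ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit

    if (-not (Test-Path $newFile)) {
        throw "No compacted database in $compactDir; leaving the original in place."
    }

    # Keep the original so it can be put back if the integrity check reports errors.
    Copy-Item $dbFile "$dbFile.precompact" -Force
    Copy-Item $newFile $dbFile -Force
    # The old transaction logs no longer match the compacted database.
    Remove-Item (Join-Path $ntdsDir '*.log')

    # Integrity check of the database now in place; read its output before moving on.
    ntdsutil "activate instance ntds" files integrity quit quit
}
finally {
    # Always bring AD DS back, then the services that -Force stopped with it.
    Start-Service -Name ntds
    if ($dependents) { $dependents | Start-Service }
}
```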
Module 4 – Administering AD DS
Install the WSUS role on LON-DC1 (this server will receive updates from LON-
SVR1)
1. Switch to LON-DC1.
2. From Server Manager, launch the Add Roles and Features Wizard, and
on the Server Roles page select the Windows Server Update Services
role. Add any necessary features that are suggested.
3. Continue through the wizard reading the text and taking the defaults.
4. On the Content location selection page, store the updates in
C:\WSUSUpdates.
5. Wait for the installation to complete. A restart is not required.
Backup AD DS
In this exercise you will install the Windows Server Backup feature, create a scheduled
backup, and perform an interactive backup of the System State.
Note: The backup may take 10 - 20 minutes. To restore the backup (next lab), you
will need 20-25 minutes. Ensure you have enough time to complete both labs.
Restoring AD DS
In this exercise you will create a System State backup, and then perform an
authoritative restore to retrieve a deleted AD object.
Note: Wait until the backup from the previous lab is complete before proceeding.
Authoritative restore
1. Restore the deleted Lab OU. Notice you need the distinguished name for
each item.
restore subtree "ou=Lab,ou=Research,dc=adatum,dc=com"
2. Run quit twice to exit NtdsUtil.
3. Restart the server normally.
bcdedit /deletevalue safeboot
Verify that the data has been restored
1. Log on to LON-DC1 as Adatum\Administrator with the password Pa55w.rd.
2. In Server Manager, click Tools, and then Active Directory Users
and Computers.
3. Verify the presence of the Research\Lab OU.
In this exercise you will enable the Recycle Bin and practice deleting and restoring AD
objects using the ADAC.
In this exercise you will enable the Recycle Bin and practice deleting and restoring AD
objects using PowerShell.
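A sketch of the enable, delete, and restore cycle with the ActiveDirectory module, as an added example rather than the lab's own steps. The OU name `RecycleBinTest` is a constructed throwaway object; the script checks whether the feature is already on because enabling the Recycle Bin cannot be reversed.

```powershell
# Added example; run as a member of Enterprise Admins on a lab domain controller.
Import-Module ActiveDirectory

$forest   = (Get-ADForest).Name
$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'RecycleBinTest'                 # constructed test object
$ouDn     = "OU=$ouName,$domainDn"

# Enabling the Recycle Bin is a one-way change, so only do it when it is off.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# Create and delete a throwaway OU. Only objects deleted after the feature
# was enabled keep all of their attributes and can be restored this way.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
    -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false

# Deleted objects are renamed, so search by the last known RDN instead of the DN.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and msDS-LastKnownRDN -eq "RecycleBinTest"' `
    -Properties lastKnownParent, whenChanged

# Show what will come back and where, then restore it to its original parent.
$deleted | Select-Object Name, lastKnownParent, whenChanged
$deleted | Restore-ADObject

# Confirm the OU is back under its original distinguished name.
Get-ADOrganizationalUnit -Identity $ouDn
```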
Your practice environment does not have a new Nano server virtual machine, but
you can use Azure to see it in action.
Azure Setup
If you already have a Microsoft Azure subscription, you can skip this section. Otherwise,
follow these steps to create a free trial subscription. You will need to provide a
valid credit card number for verification, but you will not be charged for Azure
services – for more information, see the frequently asked questions on the Azure sign-
up page.
1. If you already have a Microsoft account that has not already been used to
sign up for a free Azure trial subscription, you’re ready to get started. If not,
don’t worry, just create a new Microsoft account.
2. After you’ve created a Microsoft account, create your free Microsoft Azure
account. You’ll need to sign-in with your Microsoft account if you’re not
already signed in. Then you’ll need to:
Enter your cellphone number and have Microsoft send you a text
message to verify your identity.
Enter the code you have been sent to verify it.
Provide valid payment details. This is required for verification
purposes only – your credit card won’t be charged for any services
you use during the trial period, and the account is automatically
deactivated at the end of the trial period unless you explicitly
decide to keep it active.
If you have trouble installing the PowerShell modules from the PowerShell
gallery, you can try the WebPI method instead. Visit http://aka.ms/webpi-azps to
download and install the modules.
In this task, you will create a Windows Nano virtual machine in Azure.
On the Azure portal dashboard, you will see the Nano Server being deployed. Once it is up and
running you will see the Overview > Essentials section of the blade of the new server.
In this task, you will connect to a Windows Nano virtual machine in Azure.
In this task, you will connect to the Nano server you deployed in the previous task. In the Azure
portal, in the Overview > Essentials section of the blade of the new Nano server, take note
of its public IP address. You can connect to the Nano server using the public IP address and
PowerShell remoting. Note: PowerShell Remoting must be set up on the machine you are using
to connect to the Nano server. Also, you will need to add the Nano Server to your trusted host
group.
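One way to make that connection while keeping the trusted hosts change as narrow as possible, shown as an added example that is not part of the original lab. The IP address is a placeholder from the documentation range; a host listed in TrustedHosts is accepted without its identity being verified, so the script adds only that one address and restores the previous list afterwards.

```powershell
# Added example; run in an elevated prompt on the machine you connect from.
# Placeholder address: replace it with the public IP shown in the Azure portal.
$nanoIp = '203.0.113.10'
$cred   = Get-Credential -Message 'Administrator account of the Nano Server'

$trustedHosts = 'WSMan:\localhost\Client\TrustedHosts'
$previous     = [string](Get-Item $trustedHosts).Value

# Add only this host. A value of "*" would skip the identity check for every target.
Set-Item $trustedHosts -Value $nanoIp -Concatenate -Force

try {
    $session = New-PSSession -ComputerName $nanoIp -Credential $cred

    # Run a harmless command remotely to confirm which machine answered.
    Invoke-Command -Session $session -ScriptBlock {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            PSEdition = $PSVersionTable.PSEdition
            PSVersion = $PSVersionTable.PSVersion
        }
    }

    Remove-PSSession $session
}
finally {
    # Put the trusted hosts list back exactly as it was before the lab.
    Set-Item $trustedHosts -Value $previous -Force
}
```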
You can now connect to your Nano Server running in Azure. Watch this video “Nano Server and
Azure PowerShell” for a look at some of PowerShell’s new features running on Nano Server in
Azure - https://channel9.msdn.com/Series/Nano-Server-Team/Nano-Server-and-Azure-PowerShell