6419B ENU LabManual

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T
6419B
Lab Instructions and Lab Answer Key:
Configuring, Managing, and Maintaining
Windows Server 2008-based Servers

Nova 4, LLC
Sep 7 2011 9:53PM
Warning: This is Nova 4, LLC's unique copy. It is illegal to reprint, redistribute, or resell this content. The Licensed Content is
licensed as-is. Microsoft does not support this Licensed Content in any way and Microsoft gives no express warranties,
guarantees or conditions. Please report any unauthorized use of this content to piracy@microsoft.com or by calling +1

Information in this document, including URL and other Internet Web site references, is subject to change without notice.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright
laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no
representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the
products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of
Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of
Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any
changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.
2011 Microsoft Corporation. All rights reserved.
Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
All other trademarks are property of their respective owners.

Product Number: 6419B
Part Number: X17-53274
Released: 04/2011
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Overview of the Windows Server 2008 Management Environment 1

Module 1
Lab Instructions: Overview of the Windows Server 2008
Management Environment
Contents:
Exercise 1: Determine Server Roles and Installation Types 3
Exercise 2: Install Windows Server 2008 Server Roles and Features 5
Exercise 3: Manage Windows Server 2008 Server Core 6

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Overview of the Windows Server 2008 Management Environment
Lab: Managing Server Roles in a Windows Server 2008
Environment

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Determine Server Roles and Installation Types
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.
6. Repeat steps 2 and 3 for 6419B-NYC-SVRCORE. Do not log on until directed to do so.
Lab Scenario
You have been asked to complete the final configuration for a server being deployed to the Contoso,
Ltd.s New York City location. Your supervisor, Ed Meadows, has sent you an email detailing the
requirements for the final configuration steps that need to be taken on the server.
The main tasks for this exercise are as follows:
1. Review the supporting documentation.
2. Determine the server roles, server features, and installation types, and record them in the answers to
the questions in the deployment plan document.
Task 1: Review the supporting documentation.
1. Review the following email message received from Ed Meadows.
To: You
From: Ed Meadows [Ed@contoso.com]
Sent: Apr 20 2010 14:20
To: you@contoso.com
Subject: NYC-SVR1 deployment
Hi,
Weve arranged to have the new server for the New York City location physically deployed while you are
onsite there.
The server name is NYC-SVR1 and its to be configured as a print server for the New York office. Theyve
just deployed Windows 7 to all desktops in that location and theyre switching away from users having
printers connected directly to their machines and setting up network printers in various locations in the
office, instead.
After youve completed the initial configuration, the server administration team in New York will take over
the management of the server. Theyre located on the fifth floor and this server will be on the eighth floor,
so theyd like to have some type of remote access to the server to perform their management tasks. I
believe there are four of them who will be working together to manage the server; Ill leave the solution
for this up to you.
Nova 4, LLC
Sep 7 2011 9:53PM
One more thing, the New York admins would also like to be able to back up the server on a regular basis,
so Id like you to configure the server to give them the ability to do local backups.
Thats it for now, let me know if you need anything, and enjoy New York.
Regards,
Ed
Task 2: Determine the server roles, server features, and installation types.
1. Complete the requirements document by answering the following questions:
New York Location New Server Final Configuration Plan
Document Reference Number: CW010210/1
Document
Author
Date
You
Apr 24, 2011
Requirements Overview
To determine the server roles and features to be installed on the newly deployed NYC-SVR1
Additional Information
The server must be able to provide network printing capabilities for the New York City office.
Administrators in New York will manage the server from their desktop computers and will also be
responsible for ensuring the new server is backed up.
Questions
1. What server role(s) should be installed on NYC-SVR1? How should the server role(s) be
configured?
2. What additional server features will be needed to fulfill the requirements specified by Ed?
3. Are there any additional management considerations that need to be considered for the
ongoing management of NYC-SVR1?

Results: After completing this exercise, you should have determined the server roles, server features,
and installation types to install on NYC-SVR1, according to the requirements document.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Install Windows Server 2008 Server Roles and Features
Lab Scenario
You have read the requirements document and determined what server roles and features need to be
installed on NYC-SVR1. Using your implementation proposal, you have been asked to implement the
recommended server roles and server features on NYC-SVR1 and report to Ed regarding which
management tools need to be installed on the desktop computers of the Server Admins group.
1. Use Server Manager to install the Print and Document Services Server Role.
2. Use Server Manager to install the Windows Server Backup Features.
Task 1: Use Server Manager to install the Print and Document Services Server Role.
1. Connect to the 6419B-NYC-SVR1 virtual machine and log on with a user name, Administrator, and
the password, Pa$$w0rd.
2. Open Server Manager from the Start Menu.
3. Open the Roles node in Server Manager and add the Print and Document Services server role.
Task 2: Use Server Manager to install the Windows Server Backup Features.
1. Within Server Manager, select the Features node.
2. Add the Windows Server Backup feature.
3. Close Server Manager.
Result: After completing this exercise, you will have used Server Manager to install server roles and
server features.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 3: Manage Windows Server 2008 Server Core
Lab Scenario
You have been asked to complete the configuration for another server in the New York location.
A new server running the Windows 2008 R2 Server Core installation has been installed in the New York
location. You have been asked to finalize the network configuration on the server and configure the newly
named NYC-SVRCORE to enable Server Manager access for remote management.
The network information is as follows.
NYC-SVRCORE Configuration Spec Sheet
IP State
IP Address
Subnet Mask
Default Gateway
Primary DNS
Secondary DNS

Domain membership
Computer name
STATIC
10.10.0.20
255.255.0.0
10.10.0.1
10.10.0.10
None

Contoso.com
NYC-SVRCORE
Please install the Windows Server Backup feature on this server so the New York IT staff can perform
backup and recovery operations.
Please enable remote administration to allow the New York IT staff to manage this server remotely by
using Server Manager.
1. Use Sconfig to configure Server Core installation options.
2. Use Dism to enable the Windows Server Backup feature.
3. Configure Server Core to enable Server Manager remote administration.
4. Use Server Manager connect to Server Core
Task 1: Use Sconfig to configure Server Core installation options.
1. Connect to the 6419B-NYC-SVRCORE virtual machine and log on with the user name, Administrator,
and the password, Pa$$w0rd.
2. Start Sconfig and use the menu options to configure the IP address settings according to the
information supplied.
3. Join the computer to the Contoso.com domain and rename it to NYC-SVRCORE.
Task 2: Use Dism to install the Windows Server Backup feature
1. Connect to the 6419B-NYC-SVRCORE virtual machine and log on with the user name, Administrator,
and the password, Pa$$w0rd.
2. Run the Dism command using the /online and /get-features switches to confirm that the
WindowsServerBackup feature is not installed..
3. Run the Dism command using the /online, /enable-feature and /featurename: switches to install
the WindowsServerBackup feature.
Nova 4, LLC
Sep 7 2011 9:53PM
4. Run the Dism command using the /online and /get-features switches to verify the Windows Server
Backup feature has been installed.
Task 3: Use Sconfig to configure Server Core remote management
1. Start Sconfig and navigate to the Configure Remote Management screen,
2. Enable both Windows Powershell and Server Manager remote administration options. Restart
when prompted and log back on as Administrator with the password of Pa$$w0rd.
Task 4: Use Server Manager to connect to Server Core
1. Connect to the 6419B-NYC-DC1 virtual machine and log on with the user name, Administrator, and
the password, Pa$$w0rd.
2. Open Server Manager from the Administrative Tools section on the Start Menu.
3. In Server Manager, connect to NYC-SVRCORE.
4. View the Server Manager nodes available.
Result: After completing this exercise, you should have performed management tasks on a Server Core
installation of Windows Server 2008.
To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-SVRCORE.
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Managing Windows Server 2008 Infrastructure Roles 1
Module 2
Lab Instructions: Managing Windows Server 2008
Infrastructure Roles
Contents:
Lab A: Installing and Configuring the DNS Server Role
Exercise 1: Installing and Configuring DNS Server Role and Zones 3
Exercise 2: Configuring Resource Records, Aging, and Scavenging 5
Exercise 3: Verifying DNS Settings 6
Lab B: Installing and Configuring the DHCP Server Role
Exercise 1: Installing and Authorizing the DHCP Server Role 9
Exercise 2: Configuring DHCP Scopes, Options, and Reservations 10

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Managing Windows Server 2008 Infrastructure Roles
Lab A: Installing and Configuring DNS Server Role

Lab Setup
Manager.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.
Lab Scenario
You are the DNS administrator for Contoso.com. You need to perform the following DNS tasks to help
provide a more effective DNS infrastructure:
Install the DNS server role on NYC-SVR1.
Configure zone transfers for the Contoso.com zone.
Create a secondary zone for Contoso.com to be hosted on NYC-SVR1.
Create a reverse lookup zone for 10.10.0.0.
Configure aging and scavenging for the Contoso.com zone.
Nova 4, LLC
Sep 7 2011 9:53PM

Exercise 1: Installing and Configuring DNS Server Role and Zones
Scenario
To support the latest DNS requirements, you need to install and configure the DNS server role on NYC-
SVR1. After you have installed the DNS server role, you will create a secondary zone and a reverse lookup
zone for Contoso.com.
1. Install the DNS Server role on NYC-SVR1.
2. Allow zone transfers for Contoso.com.
3. Configure a secondary zone for Contoso.com.
4. Configure a reverse lookup zone.
Task 1: Install the DNS Server role on NYC-SVR1.
1. On NYC-SVR1, open Server Manager and install the DNS Server role.
Task 2: Allow Zone Transfers for Contoso.com.
1. On NYC-DC1, open the DNS Manager.
2. For the Contoso.com zone, configure the following:
Allow zone transfers: enabled
Only to the following servers: 10.10.0.11
Automatically notify: 10.10.0.11
Task 3: Configure a Secondary Zone for Contoso.com.
1. On NYC-SVR1, open DNS Manager.
2. Configure a new Forward Lookup zone with the following parameters:
Zone Type: Secondary zone
Zone Name: Contoso.com
Master DNS Servers: 10.10.0.10
3. Verify that all of the resource records are available in the secondary zone.
Task 4: Configure a Reverse Lookup Zone.
1. On NYC-DC1, configure a new Reverse Lookup zone with the following parameters:
Zone Type: Primary zone (store the zone in Active Directory)
Active Directory Zone Replication Scope: All DNS servers running on domain controllers in
the Contoso.com domain
Reverse Lookup zone name: IPv4
Network ID: 10.10.0
Dynamic Update: Allow only secure dynamic updates
2. Update the associated pointer record for NYC-SVR1.
Nova 4, LLC
Sep 7 2011 9:53PM
Results: At the end of this exercise, you will have installed the DNS Server role and configured
secondary and reverse lookup zones.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring Resource Records, Aging, and Scavenging
Scenario
You have been provided additional requirements for the Contoso.com DNS zone. You need to create an
alias for NYC-SVR1 called www. You also need to enable aging and scavenging.
1. Add resource records for Contoso.com.
2. Configure aging and scavenging for Contsoso.com.
Task 1: Add resource records for Contoso.com.
1. On NYC-DC1, use DNS Manager to add an alias for NYC-SVR1.Contoso.com called www.
Task 2: Configure aging and scavenging for Contoso.com.
1. On NYC-DC1, enable automatic scavenging of stale records to take place every 10 days.
2. Enable zone aging and scavenging for Contoso.com by using the default 7-day no-refresh and
refresh intervals.
Results: At the end of this exercise, you will have configured a resource record for Contoso.com and
enabled aging and scavenging.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 3: Verifying DNS Settings
Scenario
You need to verify that the DNS settings work as expected. You also need to produce a report on the DNS
settings to verify that DNS is configured correctly.
1. Verify that the secondary zone is functional.
2. Verify records by using Nslookup and DNSlint.
Task 1: Verify that the secondary zone is functional.
1. Switch to the NYC-SVR1 virtual machine.
2. In DNS Manager, refresh the Contoso.com zone and verify that www has been transferred
successfully from the authoritative server.
3. Open the Local Area Network Properties and modify the TCP/IPv4 settings to use 10.10.0.11 as the
preferred DNS Server.
4. Ping www.contoso.com and verify that the name is resolved.
5. Close all open windows.
Task 2: Verify records by using Nslookup and DNSlint
1. Switch to the NYC-DC1 virtual machine.
2. Use NSlookup to verify the SOA information.
3. Run DNSLint from C:\Tools\Dnslint and create a zone report. Hint: use the following command.
Dnslint /s 10.10.0.10 /d contoso.com
4. Read through the report results and then close all open windows.
Results: At the end of this exercise, you will have verified settings by using NSlookup and DNSLint.

Note: Do not shut down the virtual machines; you will need them for the next lab.

Nova 4, LLC
Sep 7 2011 9:53PM
Lab B: Installing and Configuring DHCP Server Role

Lab Setup
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat the steps 2 through 4 for 6419B-NYC-SVR1.
Lab Scenario
You are the network administrator at Contoso, Ltd. You have just deployed a new subnet and have
decided to configure the DHCP service to provide IP addresses and configuration options. You need to
address the following requirements:
Install the DHCP server role on NYC-DC1.
Configure an IPv4-based scope for the IP range 10.10.0.50/16 to 10.10.0.100/16.
Lease duration for clients need to be 5 days.
Scope options need to include:
DNS Domain Name: Contoso.com
Nova 4, LLC
Sep 7 2011 9:53PM
DNS Servers: 10.10.0.10
Router: 10.10.0.1
A reservation needs to be configured for NYC-SVR1 to automatically assign 10.10.0.55 with the
default scope options.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Installing and Authorizing the DHCP Server Role
Scenario
You need to install the DHCP server role on NYC-DC1.
1. Install the DHCP server role on NYC-DC1.
2. Verify DHCP authorization.
Task 1: Install the DHCP Server role on NYC-DC1.
1. On NYC-DC1, open Server Manager and install the DHCP Server role.
Task 2: Verify DHCP Authorization.
1. On NYC-DC1, in the DHCP console, open the Manage authorized servers dialog box and verify that
nyc-dc1.contoso.com is an authorized DHCP server.
Results: At the end of this exercise, you will have installed the DHCP Server role and verified DHCP
authorization.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring DHCP Scopes, Options, and Reservations
Scenario
Now that you have installed the DHCP server role, you need to configure a valid DHCP scope. You also
need to configure the options as outlined in the requirements list. Finally, you need to configure the
reservation setting for NYC-SVR1.
1. Configure a DHCP scope.
2. Configure scope options.
3. Configure a DHCP reservation.
Task 1: Configure a DHCP Scope.
1. On NYC-DC1, in the DHCP console, use the New Scope Wizard to configure a scope with the
following settings:
Scope Name: ContosoScope1
Start IP Address: 10.10.0.50
End IP Address: 10.10.0.100
Length: 16
Lease Duration: 5 days
DHCP Options: Domain Name and DNS Servers set at default
Activate Scope: Yes
Task 2: Configure Scope Options.
1. On NYC-DC1, in the DHCP console, under Scope [10.10.0.0] ContosoScope1, click Scope Options.
2. Add a new scope option for 003 Router with an IP address of 10.10.0.1.
Task 3: Configure a DHCP Reservation.
1. On NYC-SVR1, open a command prompt and use ipconfig/all to determine the physical MAC address
for the server. Write down the MAC address here:
On NYC-SVR1, open the Local Area Properties dialog box and configure the network adapter to
obtain both the IP address and DNS server automatically.
2. On NYC-DC1, configure a DHCP reservation with the following settings:
Reservation name: NYC-SVR1
IP address: 10.10.0.55
MAC Address: [Enter the value entered for step 1. For example: 00-15-5D-01-71-71]
3. Switch back to NYC-SVR1 and use the ipconfig command to release and then renew the IP address
configuration.
4. Verify that NYC-SVR1 receives an IP address of 10.10.0.55 with valid scope options.
Results: At the end of this exercise, you will have configured a DHCP scope, scope options, and a DHCP
reservation.
Nova 4, LLC
Sep 7 2011 9:53PM
following steps:
4. Repeat these steps for 6419B-NYC-SVR1.
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Configuring Access to File Services 1
Module 3
Lab Instructions: Configuring Access to File Services
Contents:
Exercise 1: Planning a Shared Folder Implementation (Discussion) 4
Exercise 2: Implementing a Shared Folder Implementation 5
Exercise 3: Evaluating the Shared Folder Implementation 6

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Configuring Access to File Services
Lab: Managing Access to File Services

Lab Setup
5. User name: Administrator
6. Password: Pa$$w0rd
7. Domain: Contoso
8. Repeat steps 2 through 4 for 6419B-NYC-SVR1
9. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on until directed to do so.
Lab Scenario
Contoso, Ltd has recently deployed a new file server, NYC-SVR1, to its New York location. The New York
office has staff from both the Production and Research departments. Both departments require the ability
to save their documents to the new file server. Their files will be created in the E:\Labfiles\Mod03 folder.
The Production department work together on tasks and projects, and all members need the ability to save
files to the folder from their desktop. Any member of the Production team should be able to modify the
folders saved by anyone in the Production department. The Production department manager, Susanna
Stubberod, needs a folder for her monthly reports configured, so her staff can view the reports, but only
she should be able to make changes to files in the folder.
The Research department needs a folder to store the project results. All project results will be saved
directly to the server locally from an application installed on NYC-SVR1. All members of the Research
Nova 4, LLC
Sep 7 2011 9:53PM
department should be able to make modifications to the files if they are logged on to NYC-SVR1. The
Research department needs to access their files from the network, but no changes should be allowed to
be made to the files, because that will interfere with the application. Max Stevens of the Research
department also uses a laptop, NYC-CL1, which he frequently takes offsite. He needs access to the
Research department files when he is not connected to the network.
1. Planning the shared folder implementation.
2. Implementing the shared folder structure.
3. Evaluating the shared folder structure.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Planning a Shared Folder Implementation (Discussion)
In this exercise, you will discuss and determine the best solutions for a shared folder implementation.
Discussion Questions:
1. What folder structure should be created on NYC-SVR1 to support the requirements of this scenario?
2. Which NTFS permissions should be assigned to the Production departments folder structure to fulfill
the scenario requirements? Which permissions should be assigned to the shared folder?
3. Which NTFS permissions should be assigned to the Research departments folder structure to fulfill
4. How will you make the Research departments files available to Max Stevens when he is offsite with
the NYC-CL1?
Result: In this exercise, you discussed and determined solutions for a shared folder implementation.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Implementing a Shared Folder Implementation
In this exercise, you will create the shared folder implementation based on the discussions in the previous
exercise.
The main tasks are as follows:
1. Verify the File Services Role on NYC-SVR1.
2. Create a shared folder structure by using Windows Explorer.
3. Create a shared folder structure by using the Share and Storage Management console.
4. Configure offline files.
Task 1: Verify the File Services Role on NYC-SVR1
1. On NYC-SVR1, open Server Manager.
2. Verify that the File Services role has been installed with the File Server role service.
Task 2: Create a shared folder structure by using Windows Explorer
1. On NYC-SVR1, open Windows Explorer.
2. Create the E:\Labfiles\Mod03\Production folder and assign the Production group Full Control
permissions.
3. Share the Production folder, assign the Contoso\Production group Change permissions on the shared
folder, and remove the Everyone group.
4. Create a new text document in E:\Labfiles\Mod03\Production.
5. Create the E:\Labfiles\Mod03\Production\Reports folder and create a new text document in
E:\Labfiles\Mod03\Production\Reports named Report1.txt
6. Assign Susanna Stubberod Full Control permissions on the E:\Labfiles\Mod03\Production\Reports
folder. Block permissions inheritance to ensure that no other users have permissions on this folder.
Task 3: Create shared folders by using the Share and Storage Management Console
1. On NYC-SVR1, open the Share and Storage Management console.
2. Run the Provision a Shared Folder Wizard to provision a share named Research located at
E:\Labfiles\Mod03\Research.
3. Assign the following NTFS permissions to the E:\Labfiles\Mod03\Research folder. Assign Full Control
for the Research group.
4. Assign the following shared folder permissions to the Research shared folder. Assign Read for the
Research group.
Task 4: Configure Offline files
1. Log on to NYC-CL1 as Contoso\Max, with password Pa$$w0rd.
2. Map the \\NYC-SVR1\Research network location to the R: drive.
3. Configure Drive R to be always available offline.
Results: In this exercise, you implemented a shared folder structure.
Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 3: Evaluating the Shared Folder Implementation
In this exercise, you will evaluate the shared folder implementation you created in the previous exercise.
Task 1: Test Research Folder Permissions
1. If necessary, log on to NYC-CL1 as Contoso\Max with password Pa$$w0rd.
2. Test to ensure that Max cannot create any new documents on the Research folder (Drive R).
3. Log off of NYC-CL1.
Task 2: Test Production Shared Folder Permissions
1. Log on to NYC-CL1 as Contoso\Scott with password Pa$$w0rd.
2. Test to ensure that Scott has Full Control to \\NYC-SVR1\Production and no access to \\NYC-
SVR1\Production\Reports.
3. Log off NYC-CL1.
4. Log on to NYC-CL1 as Contoso\Susanna with password Pa$$w0rd.
5. Test to ensure that Susanna has Full Control to \\NYC-SVR1\Production and \\NYC-
SVR1\Production\Reports.
6. Log off NYC-CL1.
Results: In this exercise, you evaluated a shared folder implementation.
following steps:
4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Configuring and Managing Distributed File System 1
Module 4
Lab Instructions: Configuring and Managing Distributed File
System
Contents:
Exercise 1: Installing the Distributed File System Role Service 4
Exercise 2: Creating a DFS Namespace 5
Exercise 3: Configuring Folder Targets 6
Exercise 4: Configuring DFS Folder Replication 7
Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Configuring and Managing Distributed File System
Lab: Installing and Configuring the Distributed File
System Role Service

Lab Setup
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps from 2 through 4 for 6419B-NYC-SVR1.
Lab Scenario
You are a network administrator for Contoso, Ltd. Your organization currently stores files on a number of
servers located throughout the infrastructure. To simplify file access for users and provide high availability
and redundancy of the file services, you decide to implement a DFS solution. For this project, you must
complete the following tasks:
Install the DFS role service to include DFS namespaces and DFS replication.
Create a domain-based DFS namespace called, CorpDocs, with NYC-SVR1 as the namespace server.
Enable Access-Based Enumeration for the CorpDocs namespace.
Nova 4, LLC
Sep 7 2011 9:53PM
Add the following folders to the CorpDocs namespace:
MarketingTemplates folder target located on NYC-DC1
PolicyFiles folder target located on NYC-SVR1
Configure availability and redundancy by adding additional folder targets and replicating the folder
targets for the PolicyFiles folder.
Configure the replicated folder target for PolicyFiles to be read-only.
Provide reports on the health of the CorpDocs folder replication.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Installing the Distributed File System Role Service
Scenario
In this exercise, you will install the DFS role service on NYC-DC1 and NYC-SVR1.
1. Install the DFS role service on NYC-SVR1.
2. Install the DFS role service on NYC-DC1.
Task 1: Install the Distributed File System Role Service on NYC-SVR1.
2. Use the Add Role Services wizard to install the Distributed File System role services and configure
the following:
Select Role Services: File Server, Distributed File System, DFS Namespaces, DFS Replication.
Create a DFS Namespace: Create a namespace later.
Task 2: Install the Distributed File System Role Service on NYC-DC1.
1. On NYC-DC1, open Server Manager.
2. In the details pane, under the File Services section, use the Add Role Services wizard to install the
Distributed File System role services and configure the following:
Select Role Services: File Server, Distributed File System, DFS Namespaces, DFS Replication.
Create a DFS Namespace: Create a namespace later.
Results: After completing this exercise, you have installed the DFS role service on NYC-SVR1 and NYC-
DC1.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Creating a DFS Namespace
Scenario
You decide to create the CorpDocs namespace on NYC-SVR1. As per the requirements, the namespace
will be domain-based and will have access-based enumeration enabled.
1. Use the New Namespace Wizard to create the CorpDocs namespace.
2. Enable access-based enumeration for the CorpDocs namespace.
Task 1: Use the New Namespace Wizard to create the CorpDocs namespace.
1. On NYC-SVR1, open the DFS Management console.
2. Start the New Namespace Wizard and configure the following:
Namespace Server: NYC-SVR1
Namespace Name and Settings: CorpDocs
Namespace Type: Domain-based namespace
Enable Windows Server 2008 mode: Enabled
3. Use the DFS Management console to verify that the \\NYC-SVR1\CorpDocs namespace is enabled.
Task 2: Enable access-based enumeration for the CorpDocs namespace.
1. From the \\Contoso.com\CorpDocs Properties dialog box, enable access-based enumeration.
Results: After completing this exercise, you have created the CorpDocs namespace and configured it to
use access-based enumeration.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 3: Configuring Folder Targets
Scenario
Two folders need to be added to the CorpDocs workspace. One folder is located on NYC-DC1 and is
called, MarketingTemplates. The other folder is located on NYC-SVR1 and is called, PolicyFiles.
1. Add the MarketingTemplates folder to the CorpDocs Namespace.
2. Add the PolicyFiles folder to the CorpDocs Namespace.
3. Verify the CorpDocs Namespace.
Task 1: Add the MarketingTemplates folder to the CorpDocs namespace.
2. In DFS Management, under \\Contoso.com\CorpDocs, create a new folder with the following
configuration:
Name: MarketingTemplates
Folder Target: \\NYC-DC1\MarketingTemplates
Task 2: Add the PolicyFiles folder to the CorpDocs namespace.
1. In DFS Management, under \\Contoso.com\CorpDocs, create a new folder with the following
configuration:
Name: PolicyFiles
Folder Target: \\NYC-SVR1\PolicyFiles
Task 3: Verify the CorpDocs namespace.
1. On NYC-SVR1, access the \\Contoso.com\Corpdocs namespace and verify that both
MarketingTemplates and PolicyFiles are visible.
Results: After completing this exercise, you have configured Folder Targets for the CorpDocs
namespace.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 4: Configuring DFS Folder Replication
Scenario
Your requirements state to configure the PolicyFiles folder to be highly available and redundant. You
decide to add a second folder target for the PolicyFiles folder on NYC-DC1 and configure replication to
keep the two folders synchronized.
1. Create another Folder Target for PolicyFiles.
2. Configure DFS Replication.
3. View Diagnostic Reports.
Task 1: Create another Folder Target for PolicyFiles.
2. In DFS Management, under Contoso.com\CorpDocs\PolicyFiles, create a new folder target with the
following configuration:
Folder Target: \\NYC-DC1\PolicyFiles
Local path of shared folder: C:\PolicyFiles
Shared folder permissions: Administrators have full access; other users have read and write
permissions
Click Yes to start the Replicate Folder Wizard.
Task 2: Configure DFS Replication.
1. In DFS Management, complete the Replicate Folder Wizard with the following configuration:
Replication Group and Replicated Folder Name: Default settings
Replication Eligibility: Verify that both servers are eligible
Primary Member: NYC-SVR1
Topology Selection: Full mesh
Replication Group Schedule and Bandwidth: Replicate continuously using the specified
bandwidth
2. Verify that the replicated folder is shown on both NYC-DC1 and NYC-SVR1.
3. From the DFS Management console, configure the NYC-DC1 member to be read-only.
Task 3: View Diagnostic Reports.
1. On NYC-SVR1, in the DFS Management console, under Replication, use the Diagnostic Report
Wizard to create a Health report. Use NYC-SVR1 as the reference member.
2. Review the DFS Replication Health Report for errors.
Results: After completing this exercise, you will have configured DFS Folder Replication and produced a
diagnostic report.
Nova 4, LLC
Sep 7 2011 9:53PM
To prepare for the next module.
When you complete the lab exercises, revert the virtual machines to their initial state. To do this, complete
the following steps:
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Managing File Resources Using File Server Resource Manager 1
Module 5
Lab Instructions: Managing File Resources Using File Server
Resource Manager
Contents:
Lab A: Installing FSRM and Implementing Quota Management
Exercise 1: Installing the FSRM Role Service 3
Exercise 2: Configuring Storage Quotas 4
Lab B: Configuring File Screening and Storage Reports
Exercise 1: Configuring File Screening 6
Exercise 2: Generating Storage Reports 7
Lab C: Configuring Classification and File Management Tasks
Exercise 1: Configuring Classification Management 9
Exercise 2: Implementing File Management Tasks 10

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Managing File Resources Using File Server Resource Manager
Lab A: Installing FSRM and Implementing Quota
Management

Lab Setup
Manager.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You need to begin the implementation and configuration of FSRM for NYC-SVR1. The first step in this
process is installing the FSRM role service.
You have also been asked to establish an initial quota governing user data directories. You must configure
a quota template that allows users a maximum of 100 MB of data in their user folders. When users exceed
85 percent of the quota, or when they attempt to add files larger than 100 MB, an event should be logged
to the Event Viewer on the server.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Installing the FSRM Role Service
You need to install the FSRM role service on NYC-SVR1.
The main task is as follows:
1. Install the FSRM Role Service.
Task 1: Install the FSRM role service.
2. Add File Server Resource Manager role service.
3. In the Configure Storage Usage Monitoring page, select Allfiles (E:).
4. After the installation is complete, close the Add Role Services Wizard.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring Storage Quotas
You must configure a quota template that allows users a maximum of 100 MB of data in their user folders.
When users exceed 85 percent of the quota, or when they attempt to add files larger than 100 MB, an
event should be logged to the Event Viewer on the server.
1. Create a quota template.
2. Configure a quota based on the quota template.
3. Test that the quota is functional.
Task 1: Create a quota template.
1. In the File Server Resource Manager console, use the Quota Templates node to configure a template
that sets a hard limit of 100 MB on the maximum folder size. Make sure this template also notifies the
Event Viewer when the folder reaches 85 percent and 100 percent capacity.
Task 2: Configure a quota based on the quota template.
1. Use the File Server Resource Manager console and the Quotas node to create a quota on the
E:\Labfiles\Mod05\Users folder by using the quota template that you created in Task 1. Configure
the quota to auto apply on existing and new subfolders.
2. Create an additional folder named Max in the E:\Labfiles\Mod05\Users folder, and ensure that the
new folder is listed in the quotas list in FSRM.
Task 3: Test that the quota is functional.
1. Open a command prompt and use the fsutil file createnew file1.txt 89400000 command to create
a file in the E:\Labfiles\Mod05\Users\Max folder.
2. Check the Event Viewer for an Event ID of 12325.
3. Test that the quota works by attempting to create a file that is 16,400,000 bytes, and then press
Enter.
Hint: fsutil file createnew file2.txt 16400000
4. Close the command prompt.
5. Close all open windows on NYC-SVR1.
Results: In this exercise, you configured a storage quota.

Nova 4, LLC
Sep 7 2011 9:53PM

Lab Setup
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You need to ensure that unauthorized files are not being saved in user directories on NYC-SVR1. You
need to enable file screening on NYC-SVR1 so that no media files with the extension .mp* can be saved
on the server. Your manager has asked you to ensure that the saving of Microsoft Project files (.mpp) is
not affected by your file screening setup.
You have also been asked to provide a report to your manager about the attempts to save these media
files on NYC-SVR1.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Configuring File Screening
You need to ensure that unauthorized files are not being saved in user directories on NYC-SVR1. You
need to enable file screening on NYC-SVR1 so that no media files with the extension .mp* can be saved
on the server. Your manager has asked you to ensure that the saving of Project files (.mpp) is not affected
by your file screening setup.
Task 1: Create a file group.
1. Open the File Server Resource Manager console.
2. Open the File Server Resource Manager Configuration Options dialog box and enable the Record
file screening activity in auditing database option on the File Screen Audit tab.
Note: This step is to allow recording of File Screen events that supply data for the a File Screen Audit
report to be run in Exercise 2
3. Create a new File Group with the following properties.
File group name: MPx Media Files
Files to include: *.mp*
Files to exclude *.mpp
Task 2: Create a file screen template.
1. Create a File Screen Template with the following properties.
Template name: Block MPx Media Files
Screening type: Active
File groups: MPx Media Files
Event Log: Send a warning to the event log
Task 3: Create a file screen.
1. Create a File Screen based on the Block MPx Media Files File Screen Template for the
E:\Labfiles\Mod05\Users directory.
2. Close the File Server Resources Manager.
Task 4: Test the file screen.
1. Click Start, and then click Computer.
2. Create a new text document in E:\Labfiles\Mod05 and rename it as musicfile.mp3.
3. Copy musicfile.mp3 into E:\Labfiles\Mod05\Users. You will be notified that the system was unable
to copy the file to E:\Labfiles\Mod05\User.
Results: After this exercise, you should have configured file screening by creating a file group, a file
screen template, and a file screen.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Generating Storage Reports
You need to provide a report that documents attempts to save these media files on NYC-SVR1.
Task 1: Generate an On-Demand Storage Report.
1. Open the File Services Resource Manager console.
2. Right-click Storage Reports Management, select Generate Reports Now and then provide the
following parameters:
Report on E:\Labfiles\Mod05\Users.
Generate only the File Screening Audit report.
Results: In this exercise, you generated a storage report.
Nova 4, LLC
Sep 7 2011 9:53PM
Lab C: Configuring Classification and File
Management Tasks

Lab Setup
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
The Finance department of Contoso, Ltd has discovered that several payroll documents are being stored
in locations that are not secure.
You have been asked to use the Classification Management and File Management Tasks components of
FSRM to ensure that all payroll-related files are located in a secure location.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Configuring Classification Management
The Finance department wants all documents related to the company payroll to be classified as
confidential. You must create a Classification Property and a Classification Rule that classifies any files
containing the word payroll as confidential.
Task 1: Create a classification property.
1. Create a Classification Property with the following attributes.
Property name: Confidential
Description: Assigns a confidentiality value of Yes or No
Property Type: Yes/No
Task 2: Apply classification properties by using classification rules.
1. Create a new Classification Rule.
2. Configure the Rule Settings tab with the following attributes.
Rule name: Confidential Payroll Documents
Description: Classify documents containing the word payroll as confidential
Scope: E:\Labfiles\Mod05\Data
3. Configure the Classification tab with the following attributes
Classification Mechanism: Content Classifier
Property name: Confidential
Property value: Yes
4. On the Classification tab, click Advanced.
5. Click the Additional Classification Parameters tab and add the following parameters.
Name: String
Value: payroll
6. Right-click the Classification Rules node and Run Classification With All Rules Now and selecting
the Wait for classification to complete execution option.
7. View the generated report and ensure that January.txt is displayed in the report.
8. View the contents of E:\Labfiles\Mod05\Data\January.txt.
Results: In this exercise, you configured Classification Management.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Implementing File Management Tasks
You have been notified that the Finance department wants all payroll-related documents that you have
classified to be relocated to a more secure location. Your task is to create a File Management task that will
move any documents classified as confidential to the E:\Labfiles\Mod05\Confidential folder.
Task 1: Configure file management tasks based on classification properties.
1. Open the File Server Resource Manager and create a File Management task and configure the
properties according to the following steps.
2. On the General tab, configure the following attributes:
Task name: Move Confidential Files
Description: Move confidential documents to another folder
Scope: E:\Labfiles\Mod05\Data.
3. On the Action tab, configure the following attributes.
Type: File expiration
Expiration directory: E:\Labfiles\Mod05\Confidential
4. On the Condition tab, configure the following attributes.
Property conditions:
Property: Confidential
Operator: Equals
Value: Yes
5. On the Schedule tab, create a schedule to run at 9:00 A.M. every day, starting today.
6. Right-click the newly created task, and then click Run File Management Task Now. Select the
option to wait for task to complete execution and then review the report. Ensure that January.txt is
listed in the report.
7. In Windows Explorer, browse to the E:\Labfiles\Mod05\Confidential folder. January.txt should be
located in this folder and no longer in E:\Labfiles\Mod05\Data.
Results: In this exercise, you implemented File Management Tasks.
following steps:
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Configuring and Securing Remote Access 1
Module 6
Lab Instructions: Configuring and Securing Remote Access
Contents:
Lab A: Implementing a Virtual Private Network
Exercise 1: Configuring Routing and Remote Access as a VPN Remote
Access Solution 3
Exercise 2: Configuring a Custom Network Policy 5
Lab B: Implementing NAP into a VPN Remote Access Solution
Exercise 1: Configuring NAP Components 9
Exercise 2: Configuring Client Settings to support NAP 12

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Configuring and Securing Remote Access

Lab Setup
Manager.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat these steps 2 to 4 for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.
Lab Scenario
Contoso, Ltd. would like to implement a remote access solution for its employees, so they can connect to
the corporate network while away from the office. Contoso, Ltd. requires a network policy that mandates
that VPN connections are encrypted for security reasons. You are required to enable and configure the
necessary server services to facilitate this remote access.
For this project, you must complete the following tasks:
Configure Routing and Remote Access as a VPN remote access solution.
Configure a custom Network Policy.

Nova 4, LLC
Sep 7 2011 9:53PM
Access Solution
Scenario
In this exercise, you will install and configure the Network Policy and Access Services role to support the
requirements of the Contoso, Ltd. workforce.
1. Install the Network Policy and Access Services role on 6419B-NYC-EDGE1.
2. Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients.
3. Configure available VPN ports on the (RRAS) server to allow 25 PPTP, 25 L2TP, and 25 SSTP
connections.
Task 1: Install the Network Policy and Access Services role on 6419B-NYC-EDGE1.
1. Switch to the NYC-EDGE1 virtual server.
2. Open Server Manager.
3. Add the Network Policy and Access Services role with the following role services:
a. Network Policy Server
b. Routing and Remote Access Services
Task 2: Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for
Remote Access clients.
1. On NYC-EDGE1, open Routing and Remote Access.
2. In the list pane, select and right-click NYC-EDGE1 (Local), and then click Configure and Enable
Routing and Remote Access.
3. Use the following settings to configure the service:
a. On the Configuration page, accept the defaults.
b. On the Remote Access page, select the VPN check box.
c. On the VPN Connection page, select the Public interface.
d. On the IP Address Assignment page, select the From a specified range of addresses option.
e. On the Address Range Assignment page, create an address pool with 75 entries with a start
address of 10.10.0.60.
f. On the Managing Multiple Remote Access Servers page, accept the defaults.
g. Accept any messages by clicking OK.
Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25
L2TP connections.
1. In the Routing and Remote Access management tool interface, expand NYC-EDGE1, select and then
right-click Ports, and then click Properties.
2. Use the following information to complete the configuration process:
a. Number of WAN Miniport (SSTP) ports: 25
b. Number of WAN Miniport (PPTP) ports: 25
Nova 4, LLC
Sep 7 2011 9:53PM
c. Number of WAN Miniport (L2TP) ports: 25
3. Click OK to confirm any prompts.
4. Close the Routing and Remote Access tool.
Results: At the end of exercise, you enabled routing and remote access on the NYC-EDGE1 server.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring a Custom Network Policy
Scenario
In this exercise, you will create and verify a custom network policy in accordance with the requirements of
Contoso, Ltd. The requirements for this policy are:
Supported tunnel types: L2TP, PPTP
Supported authentication methods: MS-CHAP-v2 with strongest authentication
Constraints: Connections disallowed between 11P.M. and 6 A.M. Monday through Friday
1. Open the Network Policy Server management tool on 6419B-NYC-EDGE1
2. Create a new network policy for RRAS clients
3. Create and test a VPN Connection.
Task 1: Open the Network Policy Server management tool on 6419B-NYC-EDGE1.
1. Switch to the NYC-EDGE1 virtual computer.
2. Open the Network Policy Server tool.
Task 2: Create a new network policy for RRAS clients.
1. In the Network Policy Server console, create a new policy with the following settings:
a. Name: Secure VPN.
b. Type of network access server: Remote Access Server (VPN-Dial up).
c. Conditions: Tunnel Type = L2TP, PPTP, SSTP.
d. Access permission: Access granted.
e. Authentication methods: Microsoft Encrypted Authentication version 2 (MS-CHAP-v2).
f. Constraints: Day and time restrictions = 11PM to 6AM Monday thru Friday Denied.
g. Settings: Encryption = Strongest encryption (MPPE 128-bit).
2. Ensure that the Secure VPN policy is the first in the list of any policies.
3. Close the Network Policy Server tool.
Task 3: Create and Test a VPN Connection.
1. Switch to the NYC-CL1 computer.
2. Open Network and Sharing Center.
3. Change the network adapter settings as follows:
a. IP Address: 131.107.0.20
b. Subnet mask: 255.255.255.0
c. Default gateway: 131.107.0.1
4. Create a VPN with the following settings:
a. Internet address to connect to: 131.107.0.2.
b. Name: Contoso VPN.
5. Connect with the new VPN properties as follows:
Nova 4, LLC
Sep 7 2011 9:53PM
a. User name: Administrator
b. Password: Pa$$w0rd
c. Domain: Contoso
Note: The VPN connects successfully.
6. Disconnect the VPN and close all open windows.
Results: In this exercise, you created and tested a VPN connection.
To prepare for the next lab
following steps:
4. Repeat these steps for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.

Nova 4, LLC
Sep 7 2011 9:53PM
Lab B: Implementing NAP into a VPN Remote Access
Solution

Lab Setup
4. Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
5. Repeat the steps 2 to 4 for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.
Lab Scenario
Contoso, Ltd. is required to extend its virtual private network solution to include Network Access
Protection.
There have been a number of problems with users connecting to the Contoso network with a VPN from
their unmanaged home computers. It is important to ensure that these computers are in compliance with
Contoso health policies.
As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers
automatically into compliance. You will do this by using Network Policy Server, creating client compliance
policies, and configuring an NAP server to check the current health of computers.
Nova 4, LLC
Sep 7 2011 9:53PM
For this project, you must complete the following tasks:
Configure NAP Server Components
Configure NAP for VPN clients

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Configuring NAP Components
Scenario
In this exercise, you will configure the required server-side components to support the Contoso, Ltd.
requirement.
1. Configure a computer certificate.
2. Configure NYC-EDGE1 with NPS functioning as a health policy server.
3. Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) configured as a VPN
server.
4. Allow ping on NYC-EDGE1.
Task 1: Configure a computer certificate
1. Switch to the NYC-DC1 virtual server.
2. Open the Certification Authority tool.
3. From the Certificate Templates console, open the properties of the Computer certificate template.
4. On the Security tab, grant the Authenticated Users group the AllowEnroll permission.
5. Close the Certification Authority tool.
Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server
1. Switch to the NYC-EDGE1 computer Create a management console by running mmc.exe.
2. Add the Certificates snap-in with the focus on the local computer account.
3. Navigate to the Personal certificate store and Request New Certificate.
4. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and
then click Next.
5. Enroll the Computer certificate listed.
6. Close the console and do not save the console settings.
7. Using Server Manager, install the NPS Server with the following role services: Network Policy
Server and Remote Access Service.
8. Open the Network Policy Server tool.
9. Under Network Access Protection, open Default Configuration for the Windows Security Health
Validator.
10. On the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all
network connections.
11. Create a health policy with the following settings:
a. Name: Compliant
b. Client SHV checks: Client passes all SHV checks
c. SHVs used in this health policy: Windows Security Health Validator
12. Create a health policy with the following settings:
a. Name: Noncompliant
Nova 4, LLC
Sep 7 2011 9:53PM
b. Client SHV checks: Client fails one or more SHV checks
c. SHVs used in this health policy: Windows Security Health Validator
13. Disable all existing network policies.
14. Configure a new network policy with the following settings:
a. Name: Compliant-Full-Access
b. Conditions: Health Policies = Compliant
c. Access permissions: Access granted
d. Settings: NAP Enforcement = Allow full network access
15. Configure a new network policy with the following settings:
a. Name: Noncompliant-Restricted
b. Conditions: Health Policies = Noncompliant
c. Access permissions: Access granted
Note: A setting of Access granted does not mean that noncompliant clients are granted full network
access. It specifies that the policy should continue to evaluate the clients matching these conditions.
d. Settings:
i. NAP Enforcement = Allow limited access is selected and Enable auto-remediation of
client computers is not selected.
ii. IP Filters = IPv4 input filter, Destination network = 10.10.0.10/255.255.255.255 and
IPv4 output filter, Source network = 10.10.0.10/255.255.255.255.
16. Disable existing connection request policies.
17. Create a new Connection Request Policy with the following settings:
a. Policy name: VPN connections
b. Type of network access server: Remote Access Server (VPN-Dial up)
c. Conditions: Tunnel type = L2TP, SSTP, and PPTP
d. Authenticate requests on this server = True
e. Authentication methods:
i. Select Override network policy authentication settings
ii. Add Microsoft: Protected EAP (PEAP).
iii. Add Microsoft: Secured password (EAP-MSCHAP v2)
f. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is
enabled.
18. Close the Network Policy Server console.
Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS)
configured as a VPN server
1. On NYC-EDGE1, open Routing and Remote Access.
2. Select Configure and Enable Routing and Remote Access.
Nova 4, LLC
Sep 7 2011 9:53PM
3. Use the following settings to complete configuration:
a. Select Remote access (dial-up or VPN).
b. Select the VPN check box.
c. Choose the interface called Public and clear the Enable security on the selected interface by
setting up static packet filters check box.
d. IP Address Assignment: From a specified range of addresses:
i. 10.10.0.100 > 10.10.0.110
e. Complete the process by accepting defaults when prompted and confirming any messages by
clicking OK.
4. In the Network Policy Server, click the Connection Request Policies node and disable Microsoft
Routing and Remote Access Service Policy. This was created automatically when Routing and
Remote Access was enabled.
5. Close the Network Policy Server management console and the Routing and Remote Access console.
Task 4: Allow ping on NYC-EDGE1
1. Open Windows Firewall with Advanced Security.
2. Create an Inbound Rule with the following properties:
a. Type: Custom
b. All programs
c. Protocol type: Select ICMPv4 and then click Customize
i. Specific ICMP types: Echo Request
d. Default scope
e. Action: Allow the connection
f. Default profile
g. Name: ICMPv4 echo request
3. Close the Windows Firewall with Advanced Security console.
Results: In this exercise, you configured and enabled a VPN-enforced NAP scheme.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring Client Settings to support NAP
Scenario
In this exercise, you will implement a VPN on NYC-CL1 and test the computers health against the NAP
configuration you previously created.
1. Configure Security Center
2. Enable client NAP enforcement
3. Move the client to the Internet
4. Create a VPN on NYC-CL1
Task 1: Configure Security Center.
2. Open the Local Policy Editor (gpedit.msc) and enable the Local Computer Policy/Computer
Configuration/Administrative Templates/Windows Components/Security Center/Turn on
Security Center (Domain PCs only) setting.
3. Close the Local Group Policy Editor.
Task 2: Enable client NAP enforcement.
1. Run the NAP Client Configuration tool (napclcfg.msc).
2. Under Enforcement Clients, enable EAP Quarantine Enforcement Client.
3. Close the NAP Client Configuration tool.
4. Run services.msc and configure the Network Access Protection Agent service for automatic startup.
5. Start the service.
6. Close the services console.
Task 3: Move the client to the Internet.
1. Reconfigure the network settings of NYC-CL1 by changing the following Local Area Connection
Internet Protocol Version 4 (TCP/IPv4) settings:
a. IP address: 131.107.0.20
b. Subnet mask: 255.255.255.0
c. Default gateway: blank
d. Preferred DNS server: blank
2. Verify that you can successfully ping 131.107.0.2
Task 4: Create a VPN on NYC-CL1.
1. Create a new VPN connection with the following properties:
a. Internet address to connect to: 131.107.0.2
b. Destination name: Contoso VPN
c. Allow other people to use this connection: True
d. User name: Administrator
Nova 4, LLC
Sep 7 2011 9:53PM
e. Password: Pa$$word
f. Domain: CONTOSO
2. After you have created the VPN, modify its settings by viewing the properties of the connection and
then selecting the Security tab. Use the following settings to reconfigure the VPN:
a. Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled).
b. Properties of this authentication type:
i. Validate server certificate: true
ii. Connect to these servers: false
iii. Authentication method: Secured password (EAP-MSCHAP v2)
iv. Enable Fast Reconnect: false
v. Enforce Network Access Protection: true
3. Test the VPN connection:
a. In the Network Connections window, right-click the Contoso VPN connection, and then click
Connect.
b. In the Connect Contoso VPN window, click Connect.
c. View the details of the Windows Security Alert. Ensure that the correct certificate information is
displayed and then click Connect.
4. Verify that your computer meets the health requirements of the NAP policy:
a. Use IPCONFIG /all to verify that the System Quarantine State is Not Restricted.
b. Ping10.10.0.10.
5. Disconnect the Contoso VPN.
6. Configure Windows Security Health Validator to require an antivirus application:
a. Switch to NYC-EDGE1 and open Network Policy Server.
b. Modify the Default Configuration of the Windows Security Health Validator so that An
antivirus application is application is on check box is enabled on the Windows 7/Windows
Vista selection.
7. Switch back to NYC-CL1 and reconnect the VPN.
8. Verify your computer does not meet the health requirements of the NAP policy:
a. Verify that a message is displayed in the Action Center that states that the computer doesnt
meet security standards.
b. Use IPCONFIG /all to verify that the System Quarantine State is Restricted.
9. Disconnect the VPN.
Results: At the end of this exercise, you will have enabled and configured a VPN NAP enforcement
policy for Contoso.
following steps:
Nova 4, LLC
Sep 7 2011 9:53PM
4. Repeat these steps for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.

Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Managing Active Directory Domain Services 1
Module 7
Lab Instructions: Managing Active Directory Domain Services
Contents:
Lab A: Creating and Managing User and Computer Accounts
Exercise 1: Creating and Configuring User Accounts 3
Exercise 2: Creating and Configuring Computer Accounts 6
Lab B: Managing Groups and Locating Objects in AD DS
Exercise 1: Implement Role-Based Management Using Groups 9
Exercise 2: Finding Objects in Active Directory 11

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Managing Active Directory Domain Services
Lab A: Creating and Managing User and Computer
Accounts

Lab Setup
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the actions pane, click Start.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Contoso, Ltd. is expanding its operations and creating a new Finance department. You have been asked to
create the appropriate objects in AD DS, so the Finance department can begin operation as scheduled
next month.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Creating and Configuring User Accounts
The Finance department has two new users, Eva Corets and Mark Steele. You have been asked to create
an OU for the Finance department in the root of the Contoso.com domain where the user accounts will
be stored and create user account objects for Eva and Mark configured as follows:
User account name: Users first name
Password: Pa$$w0rd
Do not prompt for password change at next logon
Department: Finance
After the accounts are properly set up, you have been asked to test them to ensure that the users can log
on and then disable the accounts until Eva and Mark begin their jobs next month.
1. Create the Finance OU.
2. Create a user account template for the Finance users.
3. Create new accounts for Eva and Mark.
4. Confirm the functionality of user accounts.
5. Disable the new user accounts.
Task 1: Create the Finance OU
1. On NYC-DC1, from Administrative Tools, open Active Directory Module for Windows
PowerShell.
2. Create a new Finance OU in the root of the Contoso domain by using the New-
ADOrganizationalUnit cmdlet.
New-ADOrganizationalUnit -Name Finance -Path "DC=CONTOSO,DC=COM"
Task 2: Create a user template account for the Finance users
1. On NYC-DC1, open Active Directory Users and Computers.
2. Create a user account in the Finance OU with the following properties
Property Value
First name Finance
Last name Template
Full name Finance Template
User logon name Finance Template
Password Pa$$w0rd
User must change password at
next logon
Not Selected
Nova 4, LLC
Sep 7 2011 9:53PM
Property Value
Account is disabled Selected
Department Finance
Task 3: Create new accounts for Eva and Mark
1. Create an account for Eva Corets by copying the Finance template and using the following account
properties.
Property Value
First name Eva
Last name Corets
Full name Eva Corets
User logon name Eva
Password Pa$$w0rd
Account is disabled Not Selected
2. Create an account for Mark Steele by copying the Finance template and using the following account
properties.
Property Value
First name Mark
Last name Steele
Full name Mark Steele
User logon name Mark
Password Pa$$w0rd
3. Close the Active Directory Users and Computers window.
Task 4: Confirm the functionality of user accounts
1. Switch to the 6149B-NYC-CL1 virtual machine.
2. On NYC-CL1, log on as Contoso\Eva with a password of Pa$$w0rd.
4. On NYC-CL1, log on as Contoso\Mark with a password of Pa$$w0rd.
Nova 4, LLC
Sep 7 2011 9:53PM
Task 5: Disable the new user accounts
1. Switch to the 6149B-NYC-DC1 virtual machine.
2. On NYC-DC1, open Active Directory Administrative Center.
3. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and
then double-click Finance OU in the middle pane.
4. Disable the accounts for Eva Corets and Mark Steele.
Results: At the end of the exercise, you created and configured user accounts.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Creating and Configuring Computer Accounts
The Finance department will also be using the two computers, NYC-CL5 and NYC-CL6. Both computers
will be arriving with Eva and Mark in New York when they begin their jobs. You need to prestage the
computer accounts into the Finance OU, so the desktop support team can join the computers to the
domain after they are configured.
1. Create computer accounts by using Active Directory management tools.
2. Configure computer account attributes.
Task 1: Create computer accounts by using Active Directory management tools
2. In the Computers container, create a new computer object named NYC-CL5.
4. On NYC-DC1, open Active Directory Module for Windows PowerShell.
5. At the command prompt, type the following command:
New-ADComputer Name NYC-CL6 SamAccountName NYC-CL6 -Path
CN=Computers,DC=CONTOSO,DC=COM'
6. Close the command prompt window.
Task 2: Configure computer accounts attributes
1. Open Active Directory Administrative Center.
then double-click the Computers container in the middle pane.
3. Move NYC-CL5 and NYC-CL6 to the Finance OU.
4. Close the Active Directory Administrative Center window.
Results: In this exercise, you configured computer account attributes.

Nova 4, LLC
Sep 7 2011 9:53PM

Lab B: Managing Groups and Locating Objects in AD
DS

Lab Setup
Manager.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
The Finance department requires access to several folders containing financial documents on several
different servers within the Contoso.com domain.
You have been asked to create a group structure that will do the following:
1. Group the Finance department users together in one AD DS group.
2. Allow the Finance group to obtain change access to several folders on company servers. You should
be able easily add to this group other users or groups from the organization. You do not have to
configure the actual access; just create the group that will be assigned access.
Nova 4, LLC
Sep 7 2011 9:53PM
Also, you have been asked to confirm the following properties of the new AD DS objects created for the
Finance department:
1. The Finance OU should contain:
Eva Corets (user)
Mark Steele (user)
Finance Template (user)
NYC-CL5 (computer)
NYC-CL6 (computer)
Finance (group)
2. Eva Corets and Mark Steeles user accounts should be disabled.
3. Eva Corets and Mark Steele should be members of the Finance Group.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Implement Role-Based Management Using Groups
You must create a group structure that groups the Finance department users together and allows them to
be assigned Change permissions on a number of shared folders located on different servers in the
domain. Other users and groups should also be able to assign Change permissions on the folders as well.
1. Determine group requirements
2. Use management tools to create AD DS groups
3. Modify group attributes
Task 1: Determine group requirements
1. Answer the questions below to determine how the group structure should be created.
Question: What type of group would you create to group the Finance users together?
Question: How can you create a group structure that allows the Finance department members
change permissions and also allows other users and groups from the organization to easily be
assigned these permissions as well?
Task 2: Use management tools to create AD DS groups
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for
Windows PowerShell.
2. At the command prompt, type the following and press ENTER.
New-ADGroup Name Finance SAMAccountName Finance GroupCategory Security GroupScope
Global DisplayName Finance Department Path OU=Finance,DC=CONTOSO,DC=COM
New-ADGroup Name Finance_Folders_Change SAMAccountName FinanceFoldersChange
GroupCategory Security GroupScope DomainLocal DisplayName Change Access to Finance
Folders Path OU=Finance,DC=CONTOSO,DC=COM
4. Close the Active Directory Module for Windows PowerShell window.
Task 3: Modify group attributes
1. Click Start, click Administrative Tools, and then click Active Directory Administrative Center.
then double-click the Finance OU in the middle pane.
3. Click Eva Corets, press and hold the Ctrl key, and then click Mark Steele. Release the Ctrl key, right-
click Mark Steele, and then click Add to group.
4. In the Enter the object name to select field, type Finance, and then click Check Names.
5. In the Multiple Names Found window, click Finance, and then click OK.
6. In the Select Groups window, click OK.
8. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and
Computers.
9. In the Active Directory Users and Computers window, click the Finance OU in the left pane, right-
click the Finance_Folders_Change group in the right pane, and then click Properties.
Nova 4, LLC
Sep 7 2011 9:53PM
10. In the Finance_Folders_Change Properties window, click the Members tab, and then click the Add
button.
11. In the Enter the object name to select field, type Finance, and then click Check Names.
13. In the Select Users, Contacts, Computers, Service Accounts or Groups window, click OK.
14. In the Finance_Folders_Change Properties window, click OK.
Results: In this exercise, you implemented role-based management using groups.
Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Finding Objects in Active Directory
You must confirm the following by examining the Contoso.com AD DS domain.
The only Finance-related groups are:
Finance
Finance_Folders_Change
Eva Corets and Mark Steeles user accounts should be disabled.
Eva Corets and Mark Steele should be members of the Finance group.

1. Create and save an AD DS query
2. Use dsquery to locate AD DS objects.
3. Use Windows PowerShell to locate AD DS objects.
Task 1: Create and save an AD DS query
2. Right-click Saved queries and create a new query.
3. Configure the query to find all groups starting with Finance.
4. Expand Saved Queries, and then click the Finance Groups query to confirm the result.
Task 2: Use dsquery to locate AD DS objects
1. Open a command prompt.
2. At the command prompt, type the following command, and then press ENTER.
dsquery user "ou=Finance,dc=Contoso,dc=com" disabled
3. View the results and confirm that Eva Corets and Mark Steele are listed.
Task 3: Use Windows PowerShell to locate AD DS objects
Windows PowerShell.
2. At the command prompt, type the following command and then press ENTER.
Get-ADGroupMember Finance
Results: In this exercise, you located objects in Active Directory.

Nova 4, LLC
Sep 7 2011 9:53PM
following steps:
4. Repeat these steps for 6419B-NYC-CL1.
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Configuring Active Directory Object Administration and Domain Trust 1
Module 8
Lab Instructions: Configuring Active Directory Object
Administration and Domain Trust
Contents:
Lab A: Configuring Active Directory Delegation
Exercise 1: Delegating Control of AD DS Objects 4
Exercise 2: Creating Managed Service Accounts in AD DS 5
Lab B: Administering Trust Relationships
Exercise 1: Configuring Name Resolution between Contoso.com and
Adatum.com 8
Exercise 2: Configuring a Forest Trust 9

Nova 4, LLC
Sep 7 2011 9:53PM
2 Labb Instructions: Configuring Active Directorry Object Administrattion and Domain Truust
Lab A
La
Fo
co
1.
2.
3.
4.
5.
La
Yo
O
ta
Yo
in

A: Config
ab Setup
or this lab, you
omplete the fo
. On the hos
Manager.
. In Hyper-V
. In the Actio
. Log on by u
User na
Passwo
Domai
. Repeat step
do so.
ab Scenario
ou are a netwo
Organizational
asks to the ma
ou have also b
nstalled on NYC
Delegate th
Organizatio
Create a m
guring
u will use the a
ollowing steps:
t computer, cl
Manager, clic
ons pane, click
using the follo
ame: Adminis
ord: Pa$$w0rd
n: Contoso
ps 2 and 3 for
o
ork administra
Unit in the AD
nagers of each
been asked to
C-SVR1. For th
he Marketing M
onal Unit.
anaged service
Active Directoory Dele
available virtua
:
ick Start, poin
k 6419B-NYC
k Connect. Wa
owing credenti
strator
d
6419B-NYC-S
ator for Contos
D DS infrastruc
h department.
implement a m
his project, you
Managers secu
e account calle
al machine env
nt to Administ
C-DC1, and in t
ait until the virt
als:
SVR1. Do not
so, Ltd. Each d
ture. You need

managed servi
u must comple
urity group the
ed, App1_SVR1
egation

vironment. Beffore you beginn the lab, you must
trative Tools, and then clickk Hyper-V
the Actions paane, click Startt.
tual machine sstarts.
log on to this virtual machinne until instruccted to
epartment in C
d to delegate O
Contoso, Ltd.
Organizationa
has its own
al Unit adminisstrative
ice account fo
ete the followi
r an applicatio
ng tasks:
on that will be
e right to mannage user accounts in the Maarketing
1, and assign it to NYC-SVR11.
Nova 4, LLC
Sep 7 2011 9:53PM
Install the App1_SRV1 service account on NYC-SVR1.

Nova 4, LLC
Sep 7 2011 9:53PM
4 Lab Instructions: Configuring Active Directory Object Administration and Domain Trust
Exercise 1: Delegating Control of AD DS Objects
Scenario
In this exercise, you will delegate control of the Marketing Organizational Unit to the Marketing Managers
security group. All Marketing Managers should be able to fully manage user accounts in the OU.
1. Delegate management tasks for the Marketing OU.
2. Verify effective permissions assigned for the Marketing OU.
3. Test delegated permissions.
Task 1: Delegate management tasks for the Marketing OU.
2. Use the Delegation of Control Wizard to configure the following:
Organizational Unit: Marketing
Users or Groups: Marketing_Managers
Tasks to Delegate: Create, delete, and manage user accounts
Task 2: Verify effective permissions assigned for the Marketing OU.
1. On NYC-DC1, open the properties of the Marketing Organizational Unit.
2. Verify the effective permissions for Don Roessler on the Marketing OU.
Task 3: Test delegated permissions.
1. Log on to NYC-SVR1 as Contoso\Don, with the password, Pa$$w0rd.
2. Open Active Directory Users and Computers and verify that Don can create new user accounts.
3. Log off from NYC-SVR1.
Results: After completing this exercise, you will have delegated the right to manage user accounts to
the Marketing Managers.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Creating Managed Service Accounts in AD DS
Scenario
You have been asked to create a managed service account called, App1_SVR1, to be used by an
application located on NYC-SVR1.
1. Use Windows PowerShell to create and associate a managed service account.
2. Install a managed service account on a server.
Note: Because of the complexity of the PowerShell commands, these steps are the same as the Lab
Answer key.
Task 1: Use Windows PowerShell to create and associate a managed service account.
1. On NYC-DC1, open the Active Directory Module for Windows PowerShell console.
2. At the prompt, type the following command, and then press ENTER.
New-ADServiceAccount Name App1_SVR1
3. At the prompt type the following command and then press ENTER:
Add-ADComputerServiceAccount identity NYC-SVR1 ServiceAccount App1_SVR1
Get-ADServiceAccount -Filter 'Name -like "*"' | FT Name,HostComputers A
5. Verify that the App1_SVR1 service account is associated with NYC-SVR1.
6. Close all open windows on NYC-DC1.
Task 2: Install a managed service account on a server.
2. Log on to NYC-SVR1 as Contoso\Administrator, with the password, Pa$$w0rd.
3. Click Start, point to Administrative Tools, and then click Active Directory Module for Windows
PowerShell. The Administrator: Active Directory Module for Windows PowerShell console
opens.
Install-ADServiceAccount -Identity App1_SVR1
5. Click Start, point to Administrative Tools, and then click Services.
6. In the Services console, right-click Disk Defragmenter, and then click Properties.
Note: The Disk Defragmenter service is just used as an example for this lab. In a production
environment, you would use the actual service that should be assigned the managed service account.
7. In the Disk Defragmenter Properties dialog box, click the Log On tab.
8. On the Log On tab, click This account, and then type Contoso\App1_SVR1$.
Nova 4, LLC
Sep 7 2011 9:53PM
9. Clear the password for both the Password and Confirm password boxes. Click OK.
10. Click OK at all prompts.
11. Close the Services console.
Results: After completing this exercise, you will have created and installed a managed service
account.
To prepare for the next lab.
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:

Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Configuring Active Directory OObject Administrationn and Domain Trust 7
L
La
Fo
co
1.
2.
3.
4.
5.
La
Co
do
ta

Lab B: A
ab Setup
or this lab, you
omplete the fo
. On the hos
. In Hyper-V
. In the Actio
. Log on by u
User na
Passwo
Domai
. Repeat step
password, P
ab Scenario
ontoso, Ltd. ha
omain will nee
asks:
Configure n
Configure a
Configure S
Administ
u will use the a
ollowing steps:
t computer, cl
Manager, cl
ons pane, click
using the follo
ame: Adminis
ord: Pa$$w0rd
n: Contoso
ps 2 and3 for 6
Pa$$w0rd.
o
as initiated a s
ed to have acc
name resolutio
a forest trust re
Selective Auth
ter Trusst Relationshipps

available virtua
:
al machine envvironment. Beffore you beginn the lab, you must
ick Start, poinnt to Administtrative Tools, and then clickk Hyper-V Maanager.
lick 6419B-NYYC-DC1, and inn the Actions ppane, click Staart.
k Connect. Waait until the virttual machine sstarts.
owing credentials:
strator
d
6419B-VAN-DDC1. Log on too VAN-DC1 ass Adatum\Addministrator, wwith the
strategic partn
ess to file shar
ership with A.
res located at A
Datum Corpo
Adatum.com.
oration. Users f
You need to p
from the Conto
perform the fo
oso.com
llowing
on between the two forests.
elationship beetween Contoso.com and Addatum.com.
entication to oonly allow Adaatum.com dommain users to aaccess NYC-SVR1.
Nova 4, LLC
Sep 7 2011 9:53PM
Adatum.com
Scenario
In this exercise, you will configure conditional forwarding to provide name resolution between the
Contoso.com domain and the Adatum.com domain.
1. Configure DNS conditional forwarding on NYC-DC1.
2. Configure DNS conditional forwarding on VAN-DC1.
Note: Conditional Forwarding is covered in detail in Module 2: Managing Windows Server 2008
Infrastructure Roles.
Task 1: Configure DNS conditional forwarding on NYC-DC1.
1. On NYC-DC1, open DNS Manager.
2. Configure a Conditional Forwarder with the following settings:
DNS Domain: Adatum.com.
IP address of master servers: 10.10.0.100
Task 2: Configure DNS conditional forwarding on VAN-DC1.
1. On VAN-DC1, open DNS Manager.
2. Configure a Conditional Forwarder with the following settings:
DNS Domain: Contoso.com.
IP address of master servers: 10.10.0.10
Results: After completing this exercise, you will have configured name resolution between the

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring a Forest Trust
Scenario
You need to configure a forest trust between Contoso.com and Adatum.com.
1. Use the New Trust Wizard to create a Forest Trust.
2. Configure Selective Authentication.
Task 1: Use the New Trust Wizard to create a Forest Trust.
1. On NYC-DC1, open the Active Directory Domains and Trusts console.
2. Start the New Trust Wizard and configure the following:
Trust Name: Adatum.com
Trust Type: Forest Trust
Direction of Trust: Two-way
Sides of Trust: Both this domain and the specified domain
User Name: Administrator
Password: Pa$$w0rd
Outgoing Trust Authentication Level Local Forest: Forest-wide authentication
Outgoing Trust Authentication Level Specified Forest: Forest-wide authentication
Confirm both the outgoing and incoming trust
3. On NYC-DC1 configure Selective Authentication to only allow Adatum.com domain users to
authenticate to NYC-SVR1.
Task 2: Configure Selective Authentication
1. On NYC-DC1, open the Active Directory Domains and Trusts console.
2. Open the Properties pane for the Contoso.com domain and enable Selective Authentication for
the Adatum.com domain.
3. Close Active Directory Domains and Trusts.
4. Open the Active Directory Users and Computers console.
5. Using the Advanced Features, configure NYC-SVR1 to allow the ADATUM\Domain Users group to
authenticate.
6. Close Active Directory Users and Computers.
Results: After completing this exercise, you will have created a Forest Trust and configured Selective
Authentication.

Nova 4, LLC
Sep 7 2011 9:53PM
following steps:
4. Repeat these steps for 6419B-VAN-DC1.
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Creating and Managing Group Policy Objects 1
Module 9
Lab Instructions: Creating and Managing Group Policy
Objects
Contents:
Lab A: Creating and Configuring GPOs
Exercise 1: Creating and Configuring Group Policy Objects 4
Exercise 2: Managing the Scope of GPO Application 5
Lab B: Managing Group Policy Objects
Exercise 1: Verifying GPO Application 7
Exercise 2: Managing GPOs 8
Lab C: Troubleshooting Group Policy
Exercise 1: Troubleshooting Incorrect Policy Settings: Scenario 1 11

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Creating and Managing Group Policy Objects

Lab Setup
Manager.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.
Scenario
Contoso, Ltd. has decided to implement Group Policy to manage user desktops and to configure
computer security. The organization has already implemented an OU configuration that includes top-level
OUs by different departments. User accounts are in the same container as their workstation computer
accounts. Server computer accounts are spread throughout various OUs.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings
and may not always follow best practices.
Nova 4, LLC
Sep 7 2011 9:53PM
Group Policy Requirements
Domain users will not have access to the Run menu. The policy will apply to all users, except users in
the IT OU.
All domain computers will have a mandatory baseline security policy applied that does not display
the name of the last logged on user.
Computers running Windows 7 or Windows Vista will have additional settings applied to wait for the
network at startup.
Users in the IT OU will have the URL for Microsoft support added to their Favorites.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Creating and Configuring Group Policy Objects
You will create and link the GPOs that the enterprise administrators design specifies. Tasks include
modifying the default domain policy and creating policy settings linked to specific OUs and sites.
1. Create the GPOs.
2. Configure the GPO settings.
3. Link the GPOs to the appropriate containers.
Task 1: Create the GPOs.
On NYC-DC1, open the Group Policy Management console, browse to the Group Policy Objects
container and then perform the following:
Create a GPO named, Restrict Run Command.
Create a GPO named, Baseline Security.
Create a GPO named, Windows 7 and Windows Vista Security.
Create a GPO named, IT Favorites.
Task 2: Configure the GPO settings.
1. Edit the Restrict Run Command GPO (User Configuration\Policies
\Administrative Templates\Start Menu and Taskbar\Remove Run Menu from the Start Menu) to
prevent access to the Run menu.
2. Edit the Baseline Security GPO (Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Security Options\ Interactive logon: Do not display last user name) so that the
name of the last logged on user is not displayed.
3. Edit the Windows 7 and Windows Vista Security GPO (Computer Configuration\Policies
\Administrative Templates\System\Logon\Always wait for the network at computer startup and
logon) to ensure that computers wait for the network at startup.
4. Edit the IT Favorites GPO (User Configuration\Policies\Windows Settings\Internet Explorer
Maintenance\URLs\Favorites and Links) to include the URL for Microsoft tech support
(http://support.microsoft.com) in the Internet Favorites.
Task 3: Link the GPOs to the appropriate containers.
Use the GPMC to perform the following:
Link the Restrict Run Command GPO to the domain container.
Link the Baseline Security GPO to the domain container.
Link the Windows 7 and Windows Vista Security GPO to the domain container
Link the IT Favorites GPO to the IT OU.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Managing the Scope of GPO Application
In this exercise, you will configure the scope of GPO settings based on the enterprise administrators
design. Tasks include blocking and enforcing inheritance, and applying filtering based on security groups
and WMI filters.
1. Configure Group Policy management for the domain container.
2. Configure Group Policy management for the IT Admin OU.
3. Create and apply a WMI filter for the Windows 7 and Windows Vista Security GPO.
Task 1: Configure Group Policy management for the domain container.
1. Configure the Baseline Security link to be Enforced.
2. Configure the Windows 7 and Windows Vista Security link to be Enforced.
Task 2: Configure Group Policy management for the IT OU.
Block inheritance at the IT OU, to exempt the IT OU users from the Restrict Run Command GPO.
Task 3: Create and apply a WMI filter for the Windows Vista and Windows 7 Security
GPO.
1. Create a new WMI filter called Windows 7 or Windows Vista Operating Systems configured to find
only Windows 7 and Windows Vista operating systems.
Hint:
Select * from Win32OperatingSystem where Caption = Microsoft Windows 7 Enterprise OR
Caption = Microsoft Windows Vista Enterprise
2. Assign the WMI filter to the Windows 7 and Windows Vista Security GPO.
Result: At the end of this exercise, you will have configured the scope of GPO settings.

Nova 4, LLC
Sep 7 2011 9:53PM

Lab Scenario
The enterprise administrator has created a GPO deployment plan. You have been asked to create GPOs so
that certain policies can be applied to all domain objects. Some policies are considered mandatory.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings
and may not always follow best practices.
Group Policy Requirements
Domain users will not have access to the Run menu. The policy will apply to all users, except users in
the IT OU.
All domain computers will have a mandatory baseline security policy applied that does not display
the name of the last logged on user.
Computers running Windows 7 or Windows Vista will have additional settings applied to wait for the
network at startup.
Users in the IT OU will have the URL for Microsoft support added to their Favorites.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Verifying GPO Application
In this exercise, you will test the application of GPOs to ensure that the GPOs are being applied as the
design specifies. Students will log on as specific users, to verify that GPOs are being applied correctly.
1. Verify that a user in the domain has the Run command removed from the Start menu.
2. Verify that a user in the IT Admin OU is receiving the correct policy.
3. Verify that the user name does not appear.
Task 1: Verify that a user in the domain has the Run command removed from the Start
menu.
1. Log on to NYC-CL1 as CONTOSO\Max, with the password, Pa$$w0rd.
2. Ensure that a link to the Run menu does not appear in the Accessories folder on the Start menu.
Task 2: Verify that a user in the IT OU is receiving the correct policy.
1. Log on to NYC-CL1 as CONTOSO\Ed, with the password, Pa$$w0rd.
2. Ensure that a link to the Run menu appears in the Accessories folder on the Start menu.
3. Start Internet Explorer, open the Favorites pane, and then ensure that the link to Tech Support
appears. If the Set Up Windows Internet Explorer 8 dialog box opens, click Ask me later.
4. Restart NYC-CL1.
Task 3: Verify that the last logged on user name does not appear.
After NYC-CL1 is restarted, verify that the last logged on user name does not appear.
Note: To see this information, press CTRL-ALT-DEL to see the logon screen.

Result: After completing this exercise, you will have tested and verified a GPO application.
Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Managing GPOs
In this exercise, you will use GPMC to back up, restore, and import GPOs.
1. Back up an individual policy.
2. Back up all GPOs.
3. Delete and restore an individual GPO.
4. Import a GPO.
Task 1: Back up an individual policy.
1. On NYC-DC1, open Windows Explorer and create a folder named,
C:\GPO Backup.
2. In GPMC, browse to the Group Policy Objects folder.
3. Right-click the Restrict Run Command policy, and then click Backup.
4. Browse to C:\GPO Backup.
5. Click Backup, and then click OK after the backup succeeds.
Task 2: Back up all GPOs.
1. Right-click the Group Policy Objects folder, and then click Back Up All.
2. Ensure that C:\GPOBackup is the backup location. Click OK.
3. Click OK after the backup succeeds.
Task 3: Delete and restore an individual GPO.
1. Right-click the IT Favorites policy, and then click Delete. Click Yes, and then click OK when the
deletion succeeds.
2. Right-click the Group Policy Objects folder, and then click Manage Backups.
3. Restore the IT Favorites GPO.
4. Confirm that the IT Favorites policy appears in the Group Policy Objects folder.
Task 4: Import a GPO.
1. Create a new GPO named, Import, in the Group Policy Objects folder.
2. Right-click the Import GPO, and then click Import Settings.
3. In the Import Settings Wizard, click Next.
4. On the Backup GPO window, click Next.
5. Ensure the Backup folder location is C:\GPOBackup.
6. On the Source GPO screen, click Restrict Run Command, and then click Next.
Note: If more than one copy of the Restrict Run Command GPO appears, choose the newer one.

Nova 4, LLC
Sep 7 2011 9:53PM
7. Finish the Import Settings wizard.
8. Click Import GPO, click the Settings tab, and then ensure that the Remove Run menu from Start
Menu setting is Enabled.
Result: After completing this exercise, you will have backed up, restored, and imported GPOs.

Nova 4, LLC
Sep 7 2011 9:53PM

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Troubleshooting Incorrect Policy Settings: Scenario 1
Scenario
Users in the IT OU should not have access to the Run command on the Start menu. You will restore and
link the TestA GPO to apply this setting.
The local desktop technician has escalated the following issue to the server team:
Description of problem: No users should be able to access the Run command on the Start menu, but
all users in the IT OU currently have access to the Run command.
The main tasks in this exercise are:
1. Restore the TestA GPO.
2. Link the TestA GPO to the IT OU.
3. Test the GPO.
4. Troubleshoot the GPO.
5. Resolve the issue and test the resolution.
Task 1: Restore the TestA GPO.
On NYC-DC1, in the Group Policy Management window, restore the TestA GPO from backup. The
TestA GPO is located at C:\Tools\GPOBackup.
Task 2: Link the TestA GPO to the IT OU.
In the Group Policy Management window, link the TestA GPO to the IT OU.
Task 3: Test the GPO.
1. On NYC-CLI, log on as CONTOSO\Ed with the password, Pa$$w0rd.
2. Click Start, and then notice the presence of the Run command. It should not be present.
3. Log off from NYC-CL1.
Task 4: Troubleshoot the GPO.
1. On NYC-DC1, in the Group Policy Management window, rerun the query for Ed on NYC-CL1.
2. In the report summary, under User Configuration Summary, notice that the TestA GPO is being
applied.
3. On the Settings tab, under User Configuration, notice that the Add the Run command to the
Start Menu setting is enabled.
Task 5: Resolve the issue and test the resolution.
1. Edit the TestA GPO.
2. In the Group Policy Management Editor window, under User Configuration, Policies,
Administrative Templates, Start Menu and Taskbar, change Add the Run command to the Start
Menu to Disabled, and then click OK.
3. On NYC-CLI, log on as CONTOSO\Ed, with the password, Pa$$w0rd.

Nova 4, LLC
Sep 7 2011 9:53PM
4. Click Start, and notice that the Run command is no longer present.
5. Do not log off from NYC-CL1.
Result: After completing this exercise, you will have resolved a Group Policy object issue.

Nova 4, LLC
Sep 7 2011 9:53PM
Scenario
You have been asked to restore the TestB GPO and link it to the Loopback OU. This GPO is designed to
enhance security.
The local desktop technician has escalated the following issue to the server team:
Description of problem: Since the application of the GPO, Ed has access to the Run command on his
Start menu.
1. Create a new OU named, Loopback.
2. Restore the TestB GPO.
3. Link the TestB GPO to the Loopback OU.
4. Move NYC-CL1 to the Loopback OU.
5. Test the GPO.
6. Troubleshoot the GPO.
7. Resolve the issue and test the resolution.
Task 1: Create a new OU named, Loopback.
2. Create a new Organizational Unit under Contoso.com named, Loopback.
Task 2: Restore the TestB GPO.
On NYC-DC1, in the Group Policy Management window, restore the TestB GPO from backup. The
TestB GPO is located at C:\Tools\GPOBackup.
Task 3: Link the TestB GPO to the Loopback OU.
In the Group Policy Management window, link the TestB GPO to the Loopback OU. You may need
to refresh the Group Policy Management console to view the new OU.
Task 4: Move NYC-CL1 to the Loopback OU.
In Active Directory Users and Computers, move the NYC-CL1 computer from the Computers
container to the Loopback OU.
1. Restart NYC-CL1.
2. When the computer restarts, log on as Contoso\Ed, with the password, Pa$$w0rd.
3. Click Start and notice that the Run command is present once again.
1. On NYC-DC1, in the Group Policy Management window, rerun the query for Ed on NYC-CL1.
2. In the summary report, under Computer Configuration, review the applied GPOs and notice that
the TestB GPO has been applied.
Nova 4, LLC
Sep 7 2011 9:53PM
3. On the Settings tab, under Computer Configuration, notice that loopback processing mode is
enabled.
Note: Group Policy applies to the user, computer, or both in a manner that depends on where both the
user and the computer objects are located in Active Directory. However, in some cases, users may need
policy applied to them based on the location of the computer object alone. You can use the Group
Policy loopback feature to apply GPOs that depend only on which computer the user logs on to.
1. In the Group Policy Management window, disable the link for the TestB GPO.
Note: Another alternative would be to disable loopback processing in the GPO itself, especially if there
were other settings in the GPO that you did wish to have applied.
2. Restart NYC-CL1.
3. When the computer restarts, log on as CONTOSO\Ed, with the password, Pa$$w0rd.
4. Click Start and notice that the Run command is no longer present.
Result: After completing this exercise, you will have resolved a Group Policy objects issue.
following steps:
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Using Group Policy to Configure User and Computer Settings 1
Module 10
Lab Instructions: Using Group Policy to Configure
User and Computer Settings
Contents:
Lab A: Using Group Policy to Configure Scripts and Folder Redirection
Exercise 1: Using a Group Policy Logon Script to Map a Network Drive 3
Exercise 2: Using Group Policy to Redirect Folders 4
Lab B: Configuring Administrative Templates
Exercise 1: Configuring Administrative Templates 6
Lab C: Deploying Software Using Group Policy
Exercise 1: Deploying a Software Package Using Group Policy 9
Lab D: Deploying Group Policy Preferences
Exercise 1: Deploying Group Policy Preferences 11

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Using Group Policy to Configure User and Computer Settings
Lab A: Using Group Policy to Configure Scripts and
Folder Redirection

Lab Setup
Manager.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Contoso, Ltd. has decided to implement Group Policy to manage user desktops. The organization has
already implemented an organizational unit (OU) configuration that includes top-level OUs of different
departments. Contoso, Ltd. wants to use Group Policy to map network locations for users and redirect the
documents of specific users to ensure their data is secured and backed up.
Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Using a Group Policy Logon Script to Map a Network Drive
Scenario
You need to create a logon script that maps a network drive to the shared folder named Data on NYC-
DC1. Then, you need to use Group Policy to assign the script to all users in the Contoso domain. The script
needs to be stored in a highly available location.
1. Create a script to map a drive.
2. Create and link a GPO.
3. Edit the GPO and store the script in Sysvol.
4. Test the script.
Task 1: Create a script to map a drive to the data share
1. On NYC-DC1, use Notepad to create a batch file named Map.bat that maps drive T to the \\nyc-
dc1\data share.
2. Save the file to the default location. In the Save As dialog box, click the Save as type: drop-down
arrow and select All Files (*.*) as the type. Save the file to the default location of Documents.
3. Browse to the saved location and copy the file to the clipboard.
Task 2: Create and link a GPO
Create a GPO named Drivemap and link it to the Contoso.com domain.
Task 3: Edit the GPO and store the script in Sysvol
1. Edit the Drivemap GPO to assign the Map.bat logon script to users.
2. Copy the Map.bat script to the Netlogon share.
Task 4: Test the results
1. On NYC-CL1, log on as Contoso\Administrator with a password of Pa$$word.
2. Verify that drive has been mapped.
3. Log off NYC-CL1.
Results: In this exercise, you created a script and a GPO to assign the script and store the script in a
highly available location.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Using Group Policy to Redirect Folders
Scenario
You need to create a network folder on NYC-DC1 and set permissions to share and secure the folder. You
will create and test a GPO to redirect the Documents folder for all members of the Research OU.
1. Create a shared folder.
2. Create a GPO to redirect the Documents folder.
3. Test folder redirection.
Task 1: Create a shared folder
1. On NYC-DC1, create a new folder C:\Redirect
2. Share the Redirect folder to the Research group and grant them Read/Write permission.
Task 2: Create a GPO to redirect the Documents folder
1. Create and link a new GPO named Redirect to the Research OU.
2. Edit the Redirect GPO to redirect the Documents folder with the following settings:
Setting: Basic Redirect everyones folder to the same location.
Target folder location: Create a folder for each user under the root path.
Root Path: \\NYC-DC1\Redirect.
Task 3: Test folder redirection
1. Log on to NYC-CL1as Dylan with a password of Pa$$w0rd.
2. Examine the properties of the Documents folder. Note that the location of the folder is now the
Redirect network share in a subfolder named for the user.
3. Close all open Windows and log off.
Note: Due to cached credentials, it may require two logons to see the redirection unless the user has
never logged on to this computer before.

Results: In this exercise, you created and set permissions on a shared folder. You created and linked a
GPO to redirect the executives documents to the shared folder.
When you finish the lab, leave the virtual machines running.
Nova 4, LLC
Sep 7 2011 9:53PM

Lab Setup
1. Log on to 6419B-NYC-DC1 by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
2. Do not log on to NYC-CL1 until directed to do so.
Lab Scenario
The organization has already implemented an OU configuration that includes top-level OUs for different
departments. User accounts are in the same container as their workstation computer accounts. All users
are running the Windows 7 operating system. You need to configure several Group Policy settings to
control the user environment and make the desktop more secure.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Configuring Administrative Templates
Scenario
You need to control the following areas of desktop systems in the Research OU.
Users should not have access to registry editing tools.
Users should not have access to the Run menu.
Users should be denied write access to removable storage.
Users should not be able to change their desktop background images.
You will also modify the Default Domain Policy to allow remote administration through the firewall,
allowing you to run Group Policy Results queries against target computers in the domain.
1. Create and link a GPO to the Research OU.
2. Deny access to the registry editing tools.
3. Deny access to the Run menu.
4. Deny write access to removable storage.
5. Deny access to the desktop display settings.
6. Allow remote administration through the firewall.
Task 1: Create and link a GPO to the Research OU
On NYC-DC1, open Group Policy Management and create and link a new GPO named
ResearchDesktop to the Research OU.
Task 2: Deny access to the registry editing tools
Edit the ResearchDesktop GPO to Enable the Prevent access to registry editing tools setting.
Task 3: Deny access to the Run menu
Edit the ResearchDesktop GPO to enable the Remove Run menu from Start Menu setting.
Task 4: Deny write access to removable storage
Edit the ResearchDesktop GPO to enable the Removable disks: Deny write access setting.
Task 5: Deny access to the desktop background settings
Edit the ResearchDesktop GPO to enable the Prevent changing desktop background setting.
Task 6: Allow remote administration through the Windows Firewall
Edit the Default Domain Policy to Enable the Windows Firewall: Allow inbound remote
administration exception for the LocalSubnet.
Task 7: Test the settings
1. Log on to NYC-CL1 as Dylan with a password of Pa$$w0rd.
2. Ensure that the Run menu does not appear on the Accessories menu.
3. Ensure that the Change desktop background feature is disabled.
4. Ensure that Regedit.exe does not launch.
5. Close all open windows and log off.
Nova 4, LLC
Sep 7 2011 9:53PM
Results: In this exercise, you created and linked a GPO to control the desktop environment.

Nova 4, LLC
Sep 7 2011 9:53PM

Lab Setup
2. In Hyper-V Manager, click 6419B-NYC-SVR1, and in the actions pane, click Start.
Password: Pa$$w0rd
Domain: Contoso
5. Do not log on to NYC-CL1 or NYC-SVR1 until directed to do so.
Lab Scenario.
Users in the IT department need to have the XML Notepad 2007 application available on the network if
they need to install it on their computers. It has been decided to use Group Policy Software Installation to
publish the application so that it is available to install on any computers that an IT user logs on. You will
create and populate a software distribution share. Then, you will create and configure a GPO to publish
the software.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Deploying a Software Package Using Group Policy
Scenario
Users in the IT department need to have the XML Notepad 2007 application available on the network if
they need to install it on their computers. It has been decided to use Group Policy Software Installation to
publish the application so that it is available to install on any computers that an IT user logs on. You will
create and populate a software distribution share. Then, you will create and configure a GPO to publish
the software.
1. Create and populate a shared folder to act as a software distribution point
2. Create and link a GPO to deploy the software to the IT OU
3. Configure the GPO to publish the XML Notepad 2007 application
4. Test the deployment
Task 1: Create and populate a shared folder to act as a software distribution point
1. On NYC-DC1, create a folder named C:\AppDeploy.
2. Share the folder to Everyone with Read permission.
3. Copy XMLNotepad.msi from \\NYC-SVR1\E$\labfiles\Mod10 to the AppDeploy folder.
Task 2: Create and link a GPO to deploy the software to the IT OU
Create and link a GPO named Software Deploy to the IT OU.
Task 3: Configure the GPO to publish the XML Notepad 2007 application
Edit the Software Deploy GPO to publish a new package located at
\\NYC-DC1\AppDeploy\XMLNotepad.msi.
Task 4: Test the deployment
1. Log on to NYC-CL1 as Ed with a password of Pa$$w0rd.
2. Access the Programs applet in Control Panel and install the XML Notepad 2007 from the network.
Results: In this exercise, you created and populated a software distribution share and created and
configured a GPO to publish an application

Nova 4, LLC
Sep 7 2011 9:53PM

Lab Setup
Password: Pa$$w0rd
Domain: Contoso
2. Do not log on to NYC-CL1 until directed to do so.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Deploying Group Policy Preferences
Scenario
To simplify Group Policy management, including eliminating the need for logon scripts, you need to
deploy Group Policy preferences that allow more flexibility for corporate users.
The IT department needs a network location to house their knowledgebase documentation. All members
of the IT department need access to that location no matter where they log on. All corporate users need
an application shortcut placed on their desktop.
1. Create a shared folder to contain the IT knowledgebase documents.
2. You will use preferences to map a drive for the IT group to the IT documents folder.
3. You will create a desktop shortcut for the all users.
4. You will verify the settings.
Task 1: Create and share a folder to contain the IT documents
1. On NYC-DC1, create C:\ITDocs and share the folder to Everyone.
Task 2: Use preferences to map a drive for the IT group
1. Edit the Default Domain policy to configure the following User preferences:
Create a new mapped drive to \\NYC-DC1\ITDocs.
Reconnect at logon.
Use the drive letter R.
Run the preference in the logged-on users security context.
Configure item-level targeting for the Contoso\IT security group.
Task 3: Use preferences to create a desktop shortcut to the Notepad application
1. Edit the Default Domain Policy to configure the following user preferences:
Create a new shortcut item.
Name the shortcut Notepad.
Ensure that the target is a File System Object.
Set the location to All Users Desktop.
Set the target path to C:\Windows\System32\notepad.exe.
On the Common tab, clear the Run in logged-on users security context check box.
Task 4: Test the preference settings
1. Log on to NYC-CL1 as Ryan with a password of Pa$$w0rd. Ensure that the Notepad shortcut
appears on the desktop.
2. Ensure that drive R is mapped to the ITDocs shared folder.
3. Log on as Dylan with a password of Pa$$w0rd. Ensure that the Notepad shortcut appears on the
desktop.
4. Ensure there is no drive mapped to the ITDocs shared folder.
Nova 4, LLC
Sep 7 2011 9:53PM
Results: In this exercise, you used Group Policy preferences to map a drive to selected users and
create a desktop shortcut for all users.
following steps:

Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Implementing Security Settings Using Group Policy 1
Module 11
Lab Instructions: Implementing Security Settings Using
Group Policy
Contents:
Lab A: Implementing Security by Using Group Policy
Exercise 1: Configuring Account and Security Policy Settings 3
Exercise 2: Implementing Fine-Grained Password Policies 5
Lab B: Configuring Restricted Groups and Application Control Policies
Exercise 1: Configuring Restricted Groups 8
Exercise 2: Configuring Application Control Policies 9

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Implementing Security Settings Using Group Policy
Lab A: Implementing Security Using Group Policy

Lab Setup
Manager.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Contoso, Ltd. has decided to implement Group Policy to configure security for users and computers in the
organization. The company recently upgraded all the workstations to Windows 7, and all the servers to
Windows Server 2008. The organization wants to utilize Group Policy to implement security settings for
the workstations, servers, and users.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Configuring Account and Security Policy Settings
You have been tasked to implement a domain account policy with the following criteria:
Domain passwords will be eight characters.
Strong passwords will be enforced.
Passwords will be changed exactly every 20 days.
Accounts will be locked out for 30 minutes after five invalid logon attempts.
You will also configure a local policy on the Windows 7 client that enables the local Administrator
account, and prohibits access to the Run menu for Non-Administrators.
Then, you will create a wireless network policy for Windows 7 that creates a profile for the Corp wireless
network. This profile will define 802.1x as the authentication method. This policy will also deny access to a
wireless network named, Research.
Finally, you will configure a policy to prevent the Windows Installer service from running on any domain
controller.
1. Create an account policy for the domain.
2. Configure local policy settings for a Windows 7 client.
3. Create a wireless network GPO for Windows 7 client.
4. Configure a GPO that prohibits the Windows Installer service on all domain controllers.
Task 1: Create an account policy for the domain.
1. On NYC-DC1, start the Group Policy Management Console.
2. In the Group Policy Management console pane, expand Forest: Contoso.com, expand Domains,
expand Contoso.com, and then click Group Policy Objects.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, and then expand Account Policies.
5. Edit the Account Policy in the Default Domain Policy with the following values:
Password Policy:
Domain passwords: 8 characters in length
Strong passwords: enforced
Minimum password age: 19 days
Maximum password age: 20 days
Account lockout policy:
Account Lockout Threshold: 5 invalid logon attempts
Account lockout duration: 30 minutes
Lockout counter: reset after 30 minutes
Task 2: Configure local policy settings for a Windows 7 client.
1. Start NYC-CL1 and log on as Contoso\Administrator, with the password, Pa$$w0rd.
Nova 4, LLC
Sep 7 2011 9:53PM
2. Create a new MMC, and then add the snap-in for the Group Policy Object Editor for the Local
Computer.
3. Open Computer Configurations Windows Settings, open Security Settings, open Local Policies,
open Security Options, and then enable the Accounts: Administrator Account Status setting.
4. Add the Group Policy Object Editor snap-in to the MMC again and then click Browse.
5. Click the Users tab, select the Non-Administrators group, click OK, and then click Finish.
6. In then console pane, expand Local Computer\Non-Administrators Policy, expand User
Configuration, expand Administrative Templates, and then click Start Menu and Taskbar, and
then enable the Remove Run from Start Menu setting.
7. Close the MMC without saving the changes.
8. Restart NYC-CL1.
Task 3: Create a wireless network GPO for Windows 7 client.
1. On NYC-DC1, in the GPMC, create a new GPO named, Windows 7 Wireless.
2. Edit the GPO by right-clicking Windows Settings\Security Settings\Wireless Network (IEEE
802.11) Policies, and then clicking Create a New Wireless Network Policy for Windows Vista and
Later Releases.
3. In the New Wireless Network Policy dialog box, click Add, and then click Infrastructure.
4. Create a new profile named, Corporate, and then, in the Network Name (SSID) field, type Corp.
5. Click the Security tab, change the Authentication method to Open with 802.1X, and then click OK.
6. Click the Network Permissions tab, and then click Add.
7. Type Research in the Network Name (SSID): field, set the Permission to Deny, and then click OK
twice.
8. Close the Group Policy Management Editor, and then leave the GPMC open.
Task 4: Configure a policy that prohibits a service on all domain controllers.
1. On NYC-DC1, in the GPMC, edit the following to disable the Windows Installer service: Default
Domain Controller Policy, Computer Configuration, Policies, Windows Settings, Security
Settings, and System Services.
2. Close the Group Policy Management Editor and leave the GPMC open.
Result: After completing this exercise, you will have configured account and security policy settings.
Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Implementing Fine-Grained Password Policies
Your corporate security policy dictates that members of the Domain Admins group will have strict
password policies. The passwords must meet the following criteria:
30 passwords will be remembered in password history.
Domain passwords will be 10 characters.
Strong passwords will be enforced.
Passwords will not be stored with reversible encryption.
Passwords will be changed every seven days exactly.
Accounts will be locked out for 30 minutes after three invalid logon attempts.
You will create a fine-grained password policy to enforce these policies for the Domain Admins global
group.
1. Create a PSO by using ADSI Edit.
2. Assign the PSO to the Domain Admins global group.
Task 1: Create a PSO by using ADSI Edit.
1. On NYC-DC1, in the Run menu, type adsiedit.msc, and then press ENTER.
2. Right-click ADSI Edit, click Connect to, and then click OK to accept the defaults.
3. Navigate to DC=Contoso, DC=com, CN=System, CN=Password Settings Container, right-click
CN=Password Settings Container, and then create a new object.
4. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next. Provide the
following values:
In Value box, type ITAdmin.
In the msDS-PasswordSettingsPrecedence value, type 10.
In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE.
In the msDS-PasswordHistoryLength value, type 30.
In the msDS-PasswordComplexityEnabled value, type TRUE.
In the msDS-MinimumPasswordLength value, type 10.
In the msDS-MinimumPasswordAge value, type 06:00:00:00.
In the msDS-MaximumPasswordAge value, type 07:00:00:00.
In the msDS-LockoutThreshold value, type 3.
In the msDS-LockoutObservationWindow value, type 00:00:30:00.
In the msDS-LockoutDuration value, type 00:00:30:00.
Task 2: Assign the PSO to the Domain Admins global group.
1. In ADSI Edit, select the CN=Password Settings Container and then in the details pane, double-click
CN=ITAdmin.
2. In the CN=ITAdmin Properties window, scroll down and then double-click msDS-PSOAppliesTo.
3. Link the Domain Admins account to the object.
Nova 4, LLC
Sep 7 2011 9:53PM
4. Close the ADSI Edit window.
Results: After completing this exercise, you will have implemented a fine-grained password policy.

Nova 4, LLC
Sep 7 2011 9:53PM
Lab B: Configuring Restricted Groups and Application
Control Policies

Lab Scenario
The enterprise administrator created a design that includes modifications to further security areas.
Ensuring that IT staff members have access to the proper administrative rights on client computers is
critical and you have been asked to configure the domain environment to allow this.
In addition, you have been asked to ensure that a widely used application in the environment that has
been recently replaced by a new software suite is no longer used at Contoso, Ltd.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Configuring Restricted Groups
You need to ensure that the IT global group is included in the local Administrators group for all of the
organizations computers.
1. Configure restricted groups for the local Administrators group.
2. Test restricted groups for the local Administrators group.
Task 1: Configure restricted groups for the local administrators group.
1. On NYC-DC1, open the GPMC, browse to the Group Policy Objects folder, and then edit the
Default Domain Policy.
2. Navigate to Computer Configuration, expand Policies, expand Windows Settings, expand
Security Settings, right-click Restricted Groups, and then click Add Group.
3. Add the Administrators group, and then click OK.
4. In the Administrators Properties dialog box, add the following groups:
Contoso\IT
Contoso\Domain Admins
1. Close the Group Policy Management Editor.
Task 2: Test restricted groups for the local administrators group.
1. Start the 6419B-NYC-CL1 VM. If the VM is already started, shut down and restart NYC-CL1.
2. Log on to NYC-CL1 as Contoso\Ed with a password of Pa$$w0rd.
3. Open the Edit local users and groups window using the Start Menu Search dialog.
4. Confirm that the Administrators group contains both CONTOSO\Domain Admins and
CONTOSO\IT as members.
5. Close the local users and groups window and log off NYC-CL1.
Results: After completing this exercise, you configured and tested restricted groups by using Group
Policy.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring Application Control Policies
Scenario
Microsoft Office 2007 has recently been installed in the Research Department at Contoso, Ltd on all client
computers. Previously, WordPad was used for word processing tasks in the Research Department. To
encourage users to use the new word processing capabilities of Office Word 2007, you have been asked
to restrict users in the Research Department from running WordPad on their computers.
1. Create a GPO to enforce the default AppLocker Executable rules.
2. Apply the GPO to the Contoso.com domain.
3. Test the AppLocker rule.
Task 1: Create a GPO to enforce the default AppLocker Executable rules.
1. On NYC-DC1, in the Group Policy Management console, create a new GPO entitled, Wordpad
Restriction Policy.
2. Edit the new GPO with the following settings:
Application Control Policy: Under Executable Rules, create a new executable publisher rule for
C:\Program Files\Windows NT\Accessories\wordpad.exe that denies Everyone access to
run any version of wordpad.exe.
Configure Executable rules to be enforced.
Configure the Application Identity service to run and set it to Automatic.
Task 2: Apply the GPO to the Contoso.com domain.
Apply the WordPad Restriction Policy GPO to the Contoso.com domain container.
Task 3: Test the AppLocker rule.
1. Restart and then log on to NYC-CL1 as Contoso\Alan with the password, Pa$$w0rd.
2. Refresh Group Policy by running gpupdate /force from the command prompt.
3. Try to run Start - All Programs - Accessories WordPad.
Note: The AppLocker policy should restrict you from running this application. If the application
runs, log off from NYC-CL1 and log on again. It may take a few minutes for the policy setting to
apply to NYC-CL1. After the policy setting is applied, the application will be restricted.

Results: After completing this exercise, you will have restricted an application by using AppLocker.
following steps:
Nova 4, LLC
Sep 7 2011 9:53PM
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Providing Efficient Network Access for Remote Offices 1
Module 12
Lab Instructions: Providing Efficient Network Access for
Remote Offices
Contents:
Lab A: Deploying a Read-Only Domain Controller
Exercise 1: Installing an RODC 3
Exercise 2: Configuring Password Replication Policy and
Credential Caching 5
Lab B: Deploying BranchCache
Exercise 1: Configuring BranchCache in Distributed Cache Mode 8
Exercise 2: Configuring BranchCache in Hosted Cache Mode (Optional) 11

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Providing Efficient Network Access for Remote Offices

Lab Setup
3. In the actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1 and 6419B-NYC-CL1.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Installing an RODC
Scenario
You are a server administrator at Contoso, Ltd. Your organization has a head office and many remote
offices. The remote offices are small and have low speed connectivity to the head office. You want to
speed up authentication at the remote offices containing a file server by configuring the file server as an
RODC.
NYC-DC1 is the head office domain controller. NYC-SVR1 is the file server in the remote office being
configured as an RODC. NYC-CL1 is a client computer located in the remote office.
1. Verify the prerequisites for a staged installation of an RODC.
2. Stage a delegated installation of an RODC.
3. Complete a staged installation an RODC.
Task 1: Verify the prerequisites for a staged installation of an RODC
2. In the properties of Contoso.com, verify that the forest functional level is at least Windows Server
2003.
3. On NYC-SVR1, open Server Manager and verify whether the computer is a member of a domain.
4. Use the Change System Properties option to place NYC-SVR1 in a workgroup named TEMPORARY.
5. Restart NYC-SVR1.
Task 2: Stage a delegated installation of an RODC
2. Delete the NYC-SVR1 computer account from the Computers container.
3. At the Domain Controllers OU, precreate a read-only domain controller account by using default
settings, except for the following:
Computer name: NYC-SVR1
Delegate to: CONTOSO\IT
4. View the DC Type for the NYC-SVR1 computer account in the Domain Controllers OU.
Task 3: Complete a staged installation of an RODC
1. Log on to NYC-SVR1 as Administrator with the password of Pa$$w0rd.
2. On NYC-SVR1, run dcpromo.exe.
3. Complete Active Directory Domain Services Installation Wizard by using default options except
those listed below:
Create the domain controller in an Existing forest.
Add the domain controller to an existing domain.
Network credentials: Andrea (a member of the IT group)
Password for Andrea: Pa$$w0rd
Nova 4, LLC
Sep 7 2011 9:53PM
Directory Services restore mode password: Pa$$w0rd
4. When installation is complete, reboot NYC-SVR1.
Results: In this exercise, you configured NYC-SVR1 as an RODC in the contoso.com domain.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring Password Replication Policy and Credential
Caching
Scenario
After installing an RODC for a remote office, you need to configure password replication and credential
caching for the remote office. A specific group of research users who work in the remote office need to
have their passwords cached in this office. You need to verify that password caching is functioning
correctly.
1. Configure domain-wide password replication.
2. Create a group to manage password replication to the remote office RODC.
3. Configure password replication policy for the remote office RODC.
4. Evaluate resultant password replication policy.
5. Monitor credential caching.
6. Prepopulate credential caching.
7. Test cached passwords on NYC-SVR1.
Task 1: Configure domain-wide password replication policy.
2. In the Users container, view the membership of the Allowed RODC Password Replication Group
and verify that there are no current members.
3. Add the DNSAdmins group to the Denied RODC Password Replication Group.
4. In the Domain Controllers OU, open the properties of NYC-SVR1.
5. On the Password Replication Policy tab, verify that the Allowed RODC Password Replication
Group and Denied RODC Password Replication Group are listed.
Task 2: Create a group to manage password replication to the remote office RODC.
1. On NYC-DC1, in Active Directory Users and Computers, in the Research OU, create a new group
named Remote Office Users.
2. Add Alan, Alexander, Dylan, Max, and NYC-CL1 to the membership of Remote Office Users.
Task 3: Configure password replication policy for the remote office RODC
1. On NYC-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, and then
open the properties of NYC-SVR1.
2. On the Password Replication Policy tab, allow the Remote Office Users group to replicate
passwords to NYC-SVR1.
Task 4: Evaluate resultant password replication policy.
1. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the
properties of NYC-SVR1.
2. On the Password Replication Policy tab, open the Advanced configuration.
3. On the Resultant Policy tab, add Alexander and confirm that Alexanders password can be cached.
Nova 4, LLC
Sep 7 2011 9:53PM
Task 5: Monitor credential caching.
1. Attempt to log on to NYC-SVR1 as Alexander. This logon will fail because Alexander does not have
permission to logon to the RODC, but authentication is performed.
2. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the
properties of NYC-SVR1.
4. On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only
Domain Controller option. Notice that Alexanders password has been cached.
Task 6: Prepopulate credential caching.
1. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click
NYC-SVR1 and click Properties.
3. On the Policy Usage tab, prepopulate the passwords for Alan and NYC-CL1.
4. Read the list of cached passwords and confirm that Alan and NYC-CL1 have been added.
Task 7: Test cached passwords on NYC-SVR1.
1. Shut down NYC-DC1.
2. On NYC-CL1, open Network and Sharing Center.
3. In Network and Sharing Center, open the properties of Local Area Connection 3, and add an
Alternate DNS server of 10.10.0.11 in the properties of TCP/IPv4.
4. Log off and log on as Alexander with a password of Pa$$w0rd.
5. Log off and log on as Alan with a password of Pa$$w0rd.
Results: In this exercise, you configured and tested password replication for an RODC.
following steps:
4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1.
Nova 4, LLC
Sep 7 2011 9:53PM
v
Lab Setup
Password: Pa$$w0rd
Domain: Contoso

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Configuring BranchCache in Distributed Cache Mode
Scenario
offices. Many of the remote offices are small and have low speed connectivity to the head office. For the
smallest offices without a server, you are configuring BranchCache in Distributed Cache mode.
NYC-DC1 is the head office file server. NYC-CL1 and NYC-CL2 are the client computers located in a
remote office.
Note: Due to lab constraints, some additional configuration is required to simulate the slow connection
between the clients and the head office server.
1. Configure NYC-DC1 to use BranchCache.
2. Simulate a slow link to the remote office.
3. Enable a file share for BranchCache.
4. Configure client to use BranchCache in distributed mode.
5. Configure client firewall rules for BranchCache.
6. Apply BrancheCache settings to the clients.
7. Test BranchCache in Distributed Caching mode.
Task 1: Configure NYC-DC1 to use BranchCache.
1. On NYC-DC1, use Server Manager to add the BranchCache for network files role service.
2. Run gpedit.msc to open the Local Group Policy Editor console.
3. In the Local Group Policy Editor console, in Computer Configuration\Administrative
Templates\Network\Lanman Server, enable Hash Publication for BranchCache only for shared
folders on which BranchCache is enabled.
4. Leave the Local Group Policy Editor console open for the next task.
Task 2: Simulate a slow link to the remote office.
1. On NYC-DC1, in the Local Group Policy Editor console, in Computer Configuration\Windows
Settings\Policy-based QoS, create a new policy with the following settings:
Policy name: Limit to 100 KBps
Outbound Throttle Rate: 100 KBps
All other settings as default
Task 3: Enable a file share for BranchCache.
1. On NYC-DC1, use Windows Explorer to browse to C:\.
2. Open the properties of the Share folder.
3. On the Sharing tab, open Advanced Sharing.
4. Click Caching and enable BranchCache.
Nova 4, LLC
Sep 7 2011 9:53PM
Task 4: Configure clients to use BranchCache in distributed cache mode.
1. Open the Group Policy Management console in Administrative Tools.
2. In the Group Policy Management console, create a new GPO named BranchCache that is linked to
Contoso.com.
3. Edit the BranchCache GPO and browse to Computer Configuration\Policies\Administrative
Templates\Network\BranchCache.
4. To enable BranchCache on all clients, enable the Turn on BranchCache setting.
5. To configure the clients to use BranchCache in distributed mode, enable the Set BranchCache
Distributed Cache mode setting.
6. To force the client to use BranchCache for all file transfers, enable Configure BranchCache for
network files setting and set it for 0 milliseconds. This setting is required to simulate access from a
remote office and is not typically required.
7. Leave the Group Policy Management Editor open for the next task.
Task 5: Configure client firewall rules for BranchCache.
1. On NYC-DC1, in the Group Policy Management Editor, browse to Computer
Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced
Security\Windows Firewall with Advanced Security, and then click Inbound Rules.
2. Create a new predefined inbound rule for BranchCacheContent Retrieval (Uses HTTP).
3. Create a new predefined inbound rule for BranchCachePeer Discovery (Uses WSD).
Task 6: Apply BranchCache settings to the clients.
1. Start 6419B-NYC-CL1. After the computer starts, log on as Contoso\Administrator with the
password of Pa$$w0rd.
2. On NYC-CL1, open a command prompt.
3. To force updating of Group Policy objects, type the following code and then press ENTER.
gpupdate /force
4. To verify that BranchCache is enabled and properly configured, type the following code and then
press ENTER.
netsh branchcache show status all
5. Restart NYC-CL1. After the computer restarts, log on as Contoso\Administrator with the password
of Pa$$w0rd.
6. Open the Performance administrative tool and remove all existing counters from Performance
Monitor.
7. Add all of the BranchCache counters to Performance Monitor.
8. Change Performance Monitor to Report view.
password of Pa$$w0rd
11. To force updating of Group Policy objects, type the following code and then press ENTER.
Nova 4, LLC
Sep 7 2011 9:53PM
gpupdate /force
12. To verify that BranchCache is enabled and properly configured, type the following code and then
press ENTER.
of Pa$$w0rd.
Monitor.
Task 7: Test BranchCache in distributed caching mode.
1. On NYC-CL1, browse to \\NYC-DC1.contoso.com\Share.
2. Copy mspaint.exe from the share on NYC-DC1 to the desktop of NYC-CL1.
3. Review the performance statistics on Performance Monitor. Notice that the file is downloaded from
the server.
4. To verify that there is now content in the cache, type the following code and press ENTER.
6. Copy mspaint.exe from the share on NYC-DC1 to the desktop of NYC-CL2.
7. Review the performance statistics on Performance Monitor. Notice that the file is downloaded from
cache.
8. To view the BranchCache statistics, type the following code and then press ENTER.
Results: In this exercise, you configured BranchCache in the Distributed Cache mode and verified that it
is functional.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring BranchCache in Hosted Cache Mode (Optional)
Scenario
offices. Many of the remote offices are small and have low speed connectivity to the head office. For the
remote offices with a server, you are configuring BranchCache in Hosted Cache mode.
NYC-DC1 is the head office file server. NYC-CL1 and NYC-CL2 are the client computers located in the
branch office. NYC-SVR1 is the BranchCache hosted cache server in the remote office.
1. Configure clients to use BranchCache in hosted cache mode.
2. Install the BranchCache feature on NYC-SVR1.
3. Request a certificate and link it to BranchCache.
4. Start the BranchCache host server.
5. Configure Performance Monitor or NYC-SVR1.
6. Clear BranchCache data and performance statistics on NYC-CL1.
7. Clear BranchCache data and performance statistics on NYC-CL2.
8. Test BranchCache in Hosted Caching mode
Task 1: Configure clients to use BranchCache in hosted cache mode.
1. On NYC-DC1, open the Group Policy Management administrative tool.
2. Edit the BranchCache GPO that is linked to Contoso.com.
3. Browse to Computer Configuration\Policies\Administrative Templates\Network\BranchCache.
4. Modify the Set BranchCache Distributed Cache mode setting to Not Configuration.
5. Enable the Set BranchCache Hosted Cache mode settings and configure NYC-SVR1.contoso.com as
the hosted cache.
6. On NYC-CL1, open a command prompt, type the following code, and then press ENTER.
gpupdate /force
7. To verify the configuration, type the following code, and then press ENTER.
8. On NYC-CL2, open a command prompt, type the following code, and then press ENTER.
gpupdate /force
Task 2: Install the BranchCache feature on NYC-SVR1.
1. Start 6419B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the
Nova 4, LLC
Sep 7 2011 9:53PM
2. On NYC-SVR1, use Server Manager to add the BranchCache feature.
Task 3: Request a certificate and link it to BranchCache
1. On NYC-SVR1, open a blank Microsoft Management Console and add the Certificates snap-in for
the Computer Account.
2. At the Personal node in the Certificates snap-in, request a new Computer certificate.
3. In the Personal node of the Certificates snap-in, open the new certificate.
4. On the Details tab, identify the Thumbprint and copy the value to the clipboard.
5. Open a command prompt.
6. Type the following code and then press Enter. You can paste the certificatehashvalue from the
certificate, but you must remove the spaces.
netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-
a714-454d-8de2-492e4c1bd8f8}
Task 4: Start the BranchCache Host Server.
2. In Contoso.com, create a new OU named BranchCacheHost.
3. Move the computer account for NYC-SVR1 into the BranchCacheHost OU.
4. Open the Group Policy Management administrative tool.
5. Block inheritance to the BranchCacheHost OU.
6. Restart NYC-SVR1 and log on as Contoso\Administrator with the password of Pa$$w0rd..
7. To enable NYC-SVR1 as a BranchCache Hosted Cache server, open a command prompt, type the
following code, and then press ENTER.
netsh branchcache set service hostedserver
Task 5: Configure Performance Monitor or NYC-SVR1.
1. On NYC-SVR1, open the Performance administrative tool and remove all existing counters from
Performance Monitor.
Task 6: Clear BranchCache data and performance statistics on NYC-CL1.
2. To clear the BranchCache data, at the command prompt, type the following code, and then press
ENTER.
netsh branchcache flush
Nova 4, LLC
Sep 7 2011 9:53PM
3. To clear the BranchCache performance statistics, stop and start the BranchCache service.
4. From the Start menu, open Manage offline files.
5. Delete temporary files from the Disk Usage tab.
Monitor.
Task 7: Clear BranchCache data and performance statistics on NYC-CL2.
ENTER.
3. To clear the BranchCache performance statistics, stop and start the BranchCache service.
4. From the Start menu, open Manage offline files.
5. Delete temporary files from the Disk Usage tab.
Monitor.
Task 8: Test BranchCache in hosted caching mode.
2. Copy MSpaint.exe to the desktop.
3. Read the performance statistics on NYC-CL1. This file was retrieved from the NYC-DC1 (Retrieval:
Bytes from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval:
Bytes Served).
5. Copy MSpaint.exe to the desktop.
6. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval:
Bytes from Cache).
7. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted
Cache: Client file segment offers made).
following steps:
Nova 4, LLC
Sep 7 2011 9:53PM
4. Repeat these steps for 6419B-NYC-SVR1, 6419B-NYC-CL1 and 6419B-NYC-CL2.
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Monitoring and Maintaining Windows Server 2008 1
Module 13
Lab Instructions: Monitoring and Maintaining Windows
Server 2008
Contents:
Exercise 1: Determining Performance Metrics 3
Exercise 2: Configuring a Performance Baseline 4
Exercise 3: Viewing Performance Using Monitoring Tools 5

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Monitoring and Maintaining Windows Server 2008
Lab: Creating a Baseline of Performance Metrics

Lab Setup
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6419B-NYC-DC1, and then, in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Repeat steps 2-4 for 6419B-NYC-SVR1
Lab Scenario
NYC-SVR1 has just been deployed at the New York office of Contoso, Ltd. You have been asked to
establish a performance baseline for this server for comparison to real time performance stats and to
ensure the server is currently operating properly and efficiently.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Determining Performance Metrics
You have been asked to assess NYC-SVR1 and establish a performance baseline for this server by using
Performance Monitor. Before establishing the baseline, you must identify what performance counters you
will use to record performance information. You have been asked by your manager to ensure the four
primary hardware components of the server are measured.
The main task is as follows:
1. Determine the performance counter objects to use
Task 1: Determine the performance counter objects to use.
Question: What are the main hardware components that you should be measuring on NYC-SVR1?
Question: Which Performance Monitor objects correspond to these components?
Note: After completing this exercise, you will have determined performance metrics.

Nova 4, LLC
Sep 7 2011 9:53PM
4 Lab Instructions: Monitoring and Maintaining Windows Server 2008
Exercise 2: Configuring a Performance Baseline
You have been asked to establish a performance baseline for NYC-SVR1 based on the Processor, Memory,
Physical Disk, and Network objects within Performance Monitor. The baseline should be as thorough as
possible, so you have been asked to include all counters from these objects.
1. Create a Data Collector Set to log the counters for the Processor, Memory, PhysicalDisk, and Network
Interface objects.
2. Review the Data Collector Set Report to ensure that performance data has been captured.
Task 1: Create a Data Collector Set to log the counters for the Processor, Memory,
PhysicalDisk, and Network Interface objects.
1. On NYC-SVR1, open Performance Monitor.
2. Expand the Data Collector Sets node and create a new User Defined Data Collector Set named,
NYC-SVR1 Baseline.
3. Add all counters for the Processer, Memory, PhysicalDisk, and Network Interface objects.
4. Run the Data Collector Set when the wizard is complete.
Note: The Data Collector Set will take a few moments to collect data. Complete Exercise 3 and then
come back to finish Task 2 of this exercise.
Task 2: Review the Data Collector Set report to ensure that performance data has been
captured.
1. Stop the NYC-SVR1 Baseline data collector set.
2. Expand the Reports node and view the most recent report run for the user-defined NYC-SVR1
Baseline object.
3. Ensure that the report has collected the performance data.
Note: After completing this exercise, you will have configured a performance baseline.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 3: Viewing Performance Using Monitoring Tools
You have been asked to ensure that there are no significant performance related issues on NYC-SVR1
1. Use Resource Monitor to view system performance statistics.
2. Use Reliability Monitor to view server reliability history.
Task 1: Use Resource Monitor to view system performance statistics.
1. On NYC-SVR1, open Resource Monitor.
2. View the graphs on the right of the screen to ensure none of them are near the top of the graph
window.
3. Click each tab in the Resource Monitor window to view the real time performance data for the
associated component.
4. Close the Resource Monitor.
Task 2: Use Reliability Monitor to view server reliability history
1. On NYC-SVR1, open Reliability Monitor
2. Check the Reliability Monitor for any Error events represented by a red X icon.
3. Close the Reliability Monitor.
Note: After completing this exercise, you will have viewed performance by using monitoring tools.
following steps:
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Instructions: Managing Window Server 2008 Backup and Recovery 1
Module 14
Lab Instructions: Managing Window Server 2008 Backup and
Recovery
Contents:
Lab A: Implementing Windows Server Backup and Recovery
Exercise 1: Evaluating the Existing Backup Plan 3
Exercise 2: Implementing a Backup Plan 5
Lab B: Recovering Active Directory Objects
Exercise 1: Enabling Active Directory Recycle Bin 7
Exercise 2: Restoring a Deleted Active Directory Object 8

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Instructions: Managing Window Server 2008 Backup and Recovery
Lab A: Implementing Windows Server Backup and
Recovery

Lab Setup
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 - 4 for 6419B-NYC-SVR1.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Evaluating the Existing Backup Plan
Scenario
At Contoso. Ltd., data for several departments is stored across servers on the network. In the New York
office, several file servers are part of a domain-based Distributed Files System DFS namespace and host
the following shares:
Sales. This share holds the shared data for the Sales department. The Sales department updates it
regularly with budgets, forecasts, and sales figures.
Finance. This share holds important data for the Finance department that supplements the Finance
application database. The Finance database should not form part of your backup plan.
Human Resources. This share holds highly confidential data for the Human Resources department. You
have encrypted some of this data by using Encrypting File System (EFS).
Technical Library. This share holds technical information, such as white papers and guidance documents,
for the IT department. The IT department updates this information infrequently.
Projects. This share holds documents that relate to any projects that are running at the New York office,
and changes frequently.
In addition to the file servers, you are responsible for ensuring that four intranet Web servers and two
domain controllers can have the data or server restored in the event of a disaster. Web pages on the
intranet Web sites do not change frequently.
Currently, there is a scheduled weekly backup of the volumes that contain the shares on the file servers
and the volumes that contain the Web page content on the Web servers.
In this exercise, you must review the existing backup plan against requirements that the management
team at Contoso, Ltd. have specified.
1. Review an existing backup plan.
2. Propose changes to the plan based upon scenario requirements.
3. Install the Windows Server Backup feature.
4. Schedule a full server backup.
5. Back up an individual folder.
Task 1: Review an existing backup plan.
Scenario
1. You have agreed that no more than one day's critical data should be lost in the event of a disaster.
Critical data includes the Sales, Finance, and Projects data. Does the current backup plan meet this
requirement?
2. Currently, you copy the Human Resources confidential data onto a removable hard disk that is
attached to a computer in the Human Resources office. This task is performed weekly by using a
script to preserve the encryption on the files. What are the consequences of this process and how
would you deal with them?
3. You have also agreed that if a server fails, you should be able to restore that server, including all
installed roles, features, applications, and security identity, in six hours. Does the current backup plan
enable you to restore the servers in this way?
Nova 4, LLC
Sep 7 2011 9:53PM
Task 2: Propose changes to the backup plan.
Scenario
1. Propose an appropriate backup frequency for the shares in the following table.
Backup Frequency
Sales
Finance
Human Resources
Technical Library
Projects

2. How would you fulfill the requirement to restore the servers and how frequently would you back up
the servers?
Task 3: Install Windows Server Backup Feature.
1. On NYC-DC1, use Server Manager to install the Windows Server Backup feature with the
Command-line tools.
Task 4: Use the backup wizard to schedule a backup.
1. Start the Windows Server Backup MMC.
2. Use the Backup Schedule Wizard to create a backup with the following configurations:
Backup configuration: Full server
Backup time: Daily at 1:00 A.M.
Destination type: Back up to a shared network location
Remote shared folder: \\NYC-SVR1\Backup
Credentials: Contoso\Administrator, with the password, Pa$$w0rd
Task 5: Back up an individual folder.
1. Use the Backup Once wizard to back up with the following configurations:
Backup Options: Different options
Backup configuration: Custom
Items for Backup: C:\MarketingTemplates
Destination Type: Remote shared folder
Remote Folder: \\NYC-SVR1\Backup
Results: After completing this exercise, you should have reviewed an existing backup plan and
proposed changes to that plan. You will also have configured backups to become familiar with the
Windows Server Backup feature.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Implementing a Backup Plan
Scenario
The management team at Contoso, Ltd. has decided that an SLA should be put in place for the mission-
critical data stored on the intranet file servers and Web servers. The SLA will specify availability for data
and the recovery of deleted items.
In addition, Contoso, Ltd. must also comply with legal regulations that state how long the customer and
financial data must be retained. Failure to comply with these requirements entails heavy fines and
penalties for the company. You must keep Human Resources and financial information for a minimum of
seven years. In the event of an audit, you must provide access to this data within three working days.
In this exercise, you will examine the SLA and legal requirements, and propose solutions to ensure
compliance.
1. Review an existing recovery plan.
2. Propose changes to the plan.
3. Perform a test recovery.
Task 1: Create a backup strategy to comply with the SLA.
1. You should be able to restore critical data, which includes the Sales, Finance, and Projects shares, as
quickly as possible in the event of a disaster. What factors affect how quickly you can restore data?
2. Given that you have a limited budget to meet the SLA requirements, how can you maximize your
budget while providing backup for the entire network data for which you are responsible?
Task 2: Create a backup strategy to comply with legal requirements.
1. How will you ensure that the required data is stored for the minimum legal requirement period and
that the data is available for audit purposes when it is required?
Task 3: Use the Recovery Wizard to restore the data.
1. On NYC-DC1, open Windows Explorer, navigate to C:\MarketingTemplates, and delete the contents
in the folder.
2. Use the Recovery Wizard to recover the contents of the MarketingTemplates folder.
Question: List at least one example of how administrators can create an effective backup policy.
Results: After completing this exercise, you should have reviewed an existing recovery plan and
proposed changes to that plan. You should also have tested data recovery.

Nova 4, LLC
Sep 7 2011 9:53PM

Lab Setup
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1 and in the Actions pane, click Start.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 - 4 for 6419B-NYC-DC2. Be sure to start 6419B-NYC-DC2 after DC1 has fully started.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Enabling Active Directory Recycle Bin
Scenario
The Contoso, Ltd. domain controller also acts as a file and print server. In the past, the company has
occasionally had to restore Active Directory objects that were accidentally deleted. This has caused loss of
productivity because of server downtime. Contoso, Ltd. wants the ability to be able to restore Active
Directory objects without causing any downtime of the domain controller.
In this exercise, you will:
Raise the forest functional level.
Enable the Active Directory Recycle Bin.
Task 1: Raise the forest functional level.
1. On NYC-DC1, start the Active Directory Module for Windows PowerShell.
2. Run the following command.
Set-ADForestMode Identity contoso.com -ForestMode Windows2008R2Forest
Task 2: Enable the Active Directory Recycle Bin.
In the Active Directory Module for Windows PowerShell, run the following command.
Enable-ADOptionalFeature Identity CN=Recycle Bin Feature, CN=Optional Features,
CN=Directory Service,CN=Windows NT, CN=Services, CN=Configuration, DC=contoso,DC=com
Scope ForestOrConfigurationSet Target contoso.com
Results: After completing this exercise, you should have raised the forest functional level and enabled
Active Directory Recycle Bin.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Restoring a Deleted Active Directory Object
Scenario
You will test the effectiveness of restore methods by restoring Active Directory objects from the Active
Directory Recycle Bin by using different methods.
In this exercise, you will:
Delete an Active Directory object.
Use LDP.exe to display the deleted objects container.
Restore a deleted AD object by using LDP.exe.
Use Windows PowerShell to restore a deleted AD object.
Task 1: Delete Active Directory Objects.
Use Active Directory Users and Computers to delete the following users:
Dylan Miller
Allan Brewer
Task 2: Use LDP.exe to display the deleted objects container.
1. Start an Administrative command prompt and then start LDP.exe.
2. Configure the LPD to return deleted objects.
3. Connect and bind to the local server.
4. View the Contoso.com tree.
5. Expand the tree to expose the Deleted Objects container.
Task 3: Restore a deleted AD object by using LDP.exe.
1. In the Deleted Objects container, modify Dylan Miller as follows:
Delete the isDeleted attribute.
Replace the distinguishedname attribute with
CN=Dylan Miller,OU=Research,DC=Contoso,DC=Com
Select the Extended check box.
2. Ensure that Dylan Millers user account has been restored to Active Directory.
Task 4: Use Windows PowerShell to restore a deleted Active Directory object.
1. Start the Active Directory Module for Windows PowerShell as Administrator.
2. Run the following command.
Get-ADObject -Filter {displayName -eq "Alan Brewer"} -IncludeDeletedObjects | Restore-
ADObject
3. Ensure that Alan Brewers user account has been restored to Active Directory.
Results: After completing this exercise, you should have used LDP.exe to view deleted objects, and
restored objects by using both LDP.exe and Windows PowerShell.
Nova 4, LLC
Sep 7 2011 9:53PM
To revert the virtual machines.
following steps:
Note: Repeat steps 2 - 3 for 6419B-NYC-SVR1 and 6419B-NYC-DC2.

Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Overview of the Windows Server 2008 Management Environment 1
Module 1
Lab Answer Key: Overview of the Windows Server 2008
Management Environment
Contents:
Exercise 1: Determine Server Roles and Installation Types 2
Exercise 2: Install Windows Server 2008 Server Roles and Features 3
Exercise 3: Manage Windows Server 2008 Server Core 4

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Overview of the Windows Server 2008 Management Environment

Lab: Managing Server Roles in a Windows
Server 2008 Environment
Exercise 1: Determine Server Roles and Installation Types
Task 1: Review the supporting documentation.
1. Review the following email message received from Ed Meadows.
Task 2: Determine the server roles, server features, and installation types.
1. What server role(s) should be installed on NYC-SVR1? How should the server role(s) be configured?
Answer: You should install the Print and Document Services server role on NYC-SVR1. Since only
network printing from Windows 7-based clients is being performed, the Print Server is the only Role
Service that should be installed.
2. What additional server features will be needed to fulfill the requirements specified by Ed?
Answer: The Windows Server Backup Features will need to be enabled in order for the New York City
administrators to perform backups of NYC-SVR1.
3. Are there any additional management considerations that need to be considered for the ongoing
management of NYC-SVR1?
Answer: Since the administrators in New York that will be responsible for managing the servers want
to be able to perform management tasks from their desktop computers, the appropriate Remote
Server Administration Tools will need to be installed on their computers to manage both the Print
and Document Services Role as well as the Windows Backup feature.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Install Windows Server 2008 Server Roles and Features
Task 1: Use Server Manager to install the Print and Document Services Server Role.
1. On NYC-SVR1, click Start, click Administrative Tools and then click Server Manager.
2. In the Server Manager window, click on the Roles node in the left hand pane.
3. In the right-hand pane, click Add Roles.
4. In the Add Roles Wizard window, click Next.
5. On the Select Server Roles page, click the checkbox to select Print and Document Services and
then click Next.
6. On the Print and Document Services page, click Next.
7. On the Select Role Services page, click Next.
8. On the Confirm Installation Selections screen, click Install.
Note: The installation process will take a few moments to complete.
9. On the Installation Results page, click Close.
Task 2: Use Server Manager to install the Windows Server Backup Features.
1. In the Server Manager window, click the Features node in the left-hand pane.
2. In the right-hand pane, click Add Features.
3. On the Select Features page, scroll down, click the checkbox to select Windows Server Backup
Features and then click Next.
4. On the Confirm Installation Selections page, click Install.
Note: The installation process will take a few moments to complete.
Results: In this exercise, you will have installed Windows Server 2008 Server Roles and Features.

Nova 4, LLC
Sep 7 2011 9:53PM

Exercise 3: Manage Windows Server 2008 Server Core
Task 1: Use Sconfig to configure Server Core installation options
1. Switch to the 6419B-NYC-SVRCORE virtual machine.
2. Log on to NYC-SVRCORE as Administrator with the password Pa$$w0rd.
3. In the Administrator: C:\Windows\system32\cmd.exe window, type the following and press
ENTER.
Sconfig
4. On the Server Configuration screen type 8 and press ENTER.
5. At the Select Network Adapter prompt, type 0 and press ENTER.
6. At the Select option prompt, type 1 and press ENTER.
7. At the Select (D)HCP, (S)tatic IP prompt, type S and press ENTER.
8. At the Enter Static IP Address prompt, type the following and press ENTER:
10.10.0.20
9. At the Enter subnet mask prompt, type the following and press ENTER:
255.255.0.0
10. At the Enter default gateway prompt, type the following and press ENTER:
10.10.0.1
12. At the Enter new preferred DNS server prompt, type the following and press ENTER:
10.10.0.10
13. In the Network settings window, click OK.
14. At the Enter alternate DNS server prompt, press ENTER.
16. At Server Configuration screen, type 1 and press ENTER.
17. At the Join (D)omain or (W)orkgroup? prompt, type D and press ENTER.
18. At the Name of domain to join prompt, type the following and press ENTER:
Contoso.com
19. At the Specify an authorized domain\user prompt, type the following and press ENTER:
contoso\administrator
20. At the Type the password associated with the domain user prompt, type the following and press
ENTER:
Pa$$w0rd
Nova 4, LLC
Sep 7 2011 9:53PM
21. In the Change computer name window, click Yes.
22. At the Enter new computer name prompt, type the following and press ENTER:
NYC-SVRCORE
23. At the Specify an authorized domain\user prompt, type the following and press ENTER:
contoso\administrator
24. At the Type the password associated with the domain user prompt, type the following and press
ENTER:
Pa$$w0rd
25. In the Restart window, click Yes.
Note: Wait for NYC-SVRCORE to restart before proceeding to the next task.
Task 2: Use Dism to install the Windows Server Backup feature
ENTER.
dism /online /get-features /format:table
Note: This command will display the list of features available on this server along with the installation
status of each feature. Check to ensure that WindowsServerBackup shows as Disabled. You will find
it near the top of the list.
ENTER.
dism /online /enable-feature /featurename:WindowsServerBackup
ENTER.
dism /online /get-features /format:table
Note: Check to ensure that WindowsServerBackup shows as Enabled. You will find it near the top
of the list.
Task 3: Use Sconfig to configure Server Core remote management
Nova 4, LLC
Sep 7 2011 9:53PM

ENTER.
Sconfig
5. On the Configure Remote Management screen, type 3 and press ENTER.
6. Click OK.
Note: Windows PowerShell must be enabled to allow Server Manager remote access.
7. On the Configure Remote Management screen, type 2 and then press ENTER.
8. In the Restart window, click Yes. The virtual machine restarts.
ENTER.
Sconfig
12. On the Configure Remote Management screen, type 3 and press ENTER.
Note: This process will take a few moments to complete.
13. In the Enabled window, click OK.
14. On the Configure Remote Management screen, type 5 and then press ENTER.
15. On the Server Configuration screen, type 13 and then press ENTER.
Task 4: Use Server Manager to connect to Server Core
2. Log on to NYC-DC1 as Contoso\Administrator with the password Pa$$w0rd.
3. Click Start, click Administrative Tools and then click Server Manager.
4. In the Server Manager window, right-click Server Manager (NYC-DC1) in the left-hand pane and
then click Connect to Another Computer.
5. In the Connect to Another Computer window, type NYC-SVRCORE, and then click OK.
6. In the Server Manager window, click on the Roles node in the left hand pane.
7. View the Roles pane.
Note: You cannot add or remove Roles from Server Core installation using Server Manager.
Nova 4, LLC
Sep 7 2011 9:53PM
8. In the Server Manager window, click on the Features node in the left hand pane.
9. View the Features pane.
Note: You cannot add or remove Features from Server Core installation using Server Manager.
10. In the Server Manager window, click on the Diagnostics node in the left hand pane.
11. View the Diagnostics pane and the available Diagnostics components.
12. In the Server Manager window, click on the Configuration node in the left hand pane.
13. View the Configuration pane and the available Configuration components.
14. In the Server Manager window, click on the Storage node in the left hand pane.
15. View the Storage pane and the available Storage components.
Results: In this exercise, you will have configured Windows Server 2008 Server Core.
following steps:
4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-SVRCORE.

Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Managing Windows Server 2008 Infrastructure Roles 1
Module 2
Lab Answer Key: Managing Windows Server 2008
Infrastructure Roles
Contents:
Lab A: Installing and Configuring the DNS Server Role
Exercise 1: Installing and Configuring the DNS Server Role and Zones 2
Exercise 2: Configuring Resource Records, Aging, and Scavenging 4
Exercise 3: Verify DNS Settings 5
Lab B: Installing and Configuring the DHCP Server Role
Exercise 1: Installing and Authorizing DHCP Server Role 7
Exercise 2: Configuring DHCP Scopes, Options, and Reservations 8

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Managing Windows Server 2008 Infrastructure Roles
Lab A: Installing and Configuring DNS Server
Role
Exercise 1: Installing and Configuring the DNS Server Role and Zones
Task 1: Install the DNS Server Role on NYC-SVR1
2. On the task bar, click the Server Manager button. The Server Manager appears.
3. In the left pane, click Roles.
4. In the details pane, click Add Roles. The Add Roles Wizard appears, and then click Next.
5. On the Select Server Roles page, select the DNS Server check box, and then click Next.
6. On the DNS Server page, click Next.
Task 2: Allow Zone Transfers for Contoso.com
2. Click Start, point to Administrative Tools, and then click DNS. The DNS Manager appears.
3. In DNS Manager, expand NYC-DC1, expand Forward Lookup Zones, and then click Contoso.com.
Contoso.com is the DNS zone that represents the Contoso.com Active Directory Domain Services
domain.
4. Right-click Contoso.com and then click Properties.
5. In the Contoso.com Properties dialog box, click the Zone Transfers tab.
6. On the Zone Transfers tab, select the Allow zone transfers check box.
7. Under Allow zone transfers, click Only to the following servers, and then click Edit.
8. Under IP address type, 10.10.0.11, press ENTER, and then click OK. Note that a red X will appear.
This is expected for this example.
9. On the Zone Transfers tab, click Notify.
10. In the Notify dialog box, ensure that Automatically notify is selected, under IP Address, type
10.10.0.11,press ENTER, and then click OK.
11. Click OK to close the Contoso.com Properties dialog box.
Task 3: Configure a Secondary Zone for Contoso.com
2. Click Start, point to Administrative Tools, and then click DNS. The DNS Manager window appears.
3. In the DNS Manager, expand NYC-SVR1, and then click Forward Lookup Zones.
Nova 4, LLC
Sep 7 2011 9:53PM
4. Right-click Forward Lookup Zones, and then click New Zone. The New Zone Wizard appears. Click
Next.
5. On the Zone Type page, click Secondary zone, and then click Next.
6. On the Zone Name page, under Zone name, type Contoso.com, and then click Next.
7. On the Master DNS Servers page, under IP Address, type 10.10.0.10, press ENTER, and then click
Next.
8. On the Completing the New Zone Wizard page, click Finish.
9. Under Forward Lookup Zones, click Contoso.com. Verify that all of the resource records are visible
for the Contoso.com zone.
Task 4: Configure a Reverse Lookup Zone
2. In DNS Manager, expand NYC-DC1, and then click Reverse Lookup Zones.
3. Right-click Reverse Lookup Zones, and then click New Zone. The New Zone Wizard appears. Click
Next.
4. On the Zone Type page, click Primary zone. Ensure that the Store the zone in Active Directory
check box is selected, and then click Next.
5. On the Active Directory Zone Replication Scope page, click To all DNS servers running on
domain controllers in this domain: Contoso.com, and then click Next.
6. On the Reverse Lookup Zone Name page, click IPv4 Reverse Lookup Zone, and then click Next.
7. On the Reverse Lookup Zone Name page, next to Network ID, type 10.10.0, and then click Next.
8. On the Dynamic Update page, click Allow only secure dynamic updates, and then click Next.
9. On the Completing the New Zone Wizard page, click Finish.
10. Under Forward Lookup Zones, click Contoso.com.
11. Right-click NYC-SVR1, and then click Properties.
12. On the Host (A) tab, select the Update associated pointer (PTR) record check box, and then click
OK.
Results: At the end of this exercise, you will have installed the DNS Server role and configured
secondary and reverse lookup zones.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring Resource Records, Aging, and Scavenging
Task 1: Add resource records for Contoso.com
1. On NYC-DC1, in DNS Manager, under Forward Lookup Zones, click Contoso.com.
2. Right-click Contoso.com, and then click New Alias (CNAME).
3. In the New Resource Record dialog box, under Alias name, type www.
4. Under Fully qualified domain name (FQDN) for target host, type NYC-SVR1.Contoso.com.
5. Click OK to close the New Resource Record dialog box.
Task 2: Configure Aging and Scavenging for Contoso.com
1. On NYC-DC1, in DNS Manager, right-click NYC-DC1, and then click Properties.
2. In the NYC-DC1 Properties dialog box, click the Advanced tab.
3. On the Advanced tab, select the Enable automatic scavenging of stale records check box.
4. Next to Scavenging period, configure 10 days, and then click OK.
5. Right-click Contoso.com and then click Properties.
6. On the General tab, click the Aging button.
7. On the Zone Aging/Scavenging Properties dialog box, click the Scavenge stale resource records
check box.
8. Leave the No-refresh interval and the Refresh interval at the default setting of 7 days, and then
click OK.
9. Click OK to close the Contoso.com Properties dialog box.
Results: At the end of this exercise, you will have configured a resource record for Contoso.com and
enabled Aging and Scavenging.
Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 3: Verify DNS Settings
Task 1: Verify that the secondary zone is functional
2. In DNS Manager, right-click Contoso.com, and then click Refresh. Verify that www is listed in the
zone. www has been transferred successfully from the master DNS server.
3. On the task bar, click Start, type Network, and then click View network connections.
4. In the Network Connections window, right-click Local Area Connection, and then click Properties.
5. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4),
and then click Properties.
6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, next to Preferred DNS
server, type 10.10.0.11, and then click OK.
7. In the Local Area Connection Properties dialog box, click Close.
8. Close the Network Connections window.
9. Click Start, and then type cmd. Press ENTER.
10. In the command prompt window, type the following command and then press ENTER:
Ping www.contoso.com
11. Ensure that you receive four replies. The four replies verify that the secondary zone is resolving IP
addresses as expected.
Task 2: Verify records by using Nslookup and DNSlint
2. Click Start, type cmd, and then press ENTER.
3. At the command prompt, type nslookup, and then press ENTER.
4. At the command prompt, type the following commands each followed by ENTER:
Set querytype=SOA
Contoso.com
5. Take note of the SOA information for the NYC-DC1 DNS server.
6. At the command prompt, type exit and then press ENTER.
7. At the command prompt, type C:\ and then press ENTER.
8. At the command prompt, type cd \Tools\dnslint, and then press ENTER.
9. At the command prompt, type dnslint, and then press ENTER. Notice the command-line help
associated with dnslint.
10. At the command prompt, type the following command followed by ENTER:
Dnslint /s 10.10.0.10 /d contoso.com
Nova 4, LLC
Sep 7 2011 9:53PM
11. Read through the report results, and then close the report window.
Results: At the end of this exercise, you will have verified settings by using NSlookup and DNSLint.

Note: Do not shut down the virtual machines; you will need them for the next lab.

Nova 4, LLC
Sep 7 2011 9:53PM
Lab B: Installing and Configuring DHCP Server
Role
Exercise 1: Installing and Authorizing DHCP Server Role
Task 1: Install the DHCP Server Role on NYC-DC1
2. On the task bar, click the Server Manager button. The Server Manager appears.
3. In the left pane, click Roles.
4. In the details pane, click Add Roles. The Add Roles Wizard opens. Click Next.
5. On the Select Server Roles page, select the DHCP Server check box, and then click Next.
6. On the DHCP Server page, click Next.
7. On the Select Network Connection Bindings page, ensure that 10.10.0.10 is selected and then
click Next.
8. On the Specify IPv4 DNS Server Settings page, ensure that Parent domain is Contoso.com and
Preferred DNS server IPv4 address is 10.10.0.10, and then click Next.
9. On the Specify IPv4 WINS Server Settings page, click Next.
10. On the Add or Edit DHCP Scopes page, click Next. You will add DHCP scopes in the next exercise.
11. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this
server, and then click Next.
12. On the Authorize DHCP Server page, ensure that Use current credentials is selected, and then click
Next.
Task 2: Verify DHCP Authorization
1. Click Start, point to Administrative Tools, and then click DHCP. The DHCP console appears.
2. In the DHCP console, right-click DHCP, and then click Manage authorized servers.
3. Verify that nyc-dc1.contoso.com is in the authorized DHCP servers list.
4. Click Close to close the Manage Authorized Servers dialog box.
Results: At the end of this exercise, you will have installed the DHCP Server role and verified DHCP
authorization.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring DHCP Scopes, Options, and Reservations
Task 1: Configure a DHCP Scope
1. On NYC-DC1, in the DHCP console, expand nyc-dc1.contoso.com, and then click IPv4.
2. Right-click IPv4, and then click New Scope. The New Scope Wizard starts. Click Next.
3. On the Scope Name page, in the Name box, type ContosoScope1, and then click Next.
4. On the IP Address Range page, next to Start IP Address, type 10.10.0.50.
5. On the IP Address Range page, next to End IP Address, type 10.10.0.100.
6. Next to Length, type 16. Click Next.
7. On the Add Exclusions and Delay page, click Next.
8. On the Lease Duration page, under Days, type 5. Click Next.
9. On the Configure DHCP Options page, click Yes, I want to configure these options now, and
then click Next.
10. On the Router (Default Gateway) page, click Next.
11. On the Domain Name and DNS Servers page, accept the default settings, and then click Next.
12. On the WINS Servers page, click Next.
13. On the Activate Scope page, ensure that Yes, I want to activate this scope now is selected, and
then click Next.
14. On the Completing the New Scope Wizard page, click Finish.
15. In the DHCP console, expand Scope [10.10.0.0] ContosoScope1.
16. Click Address Pool and verify that the start and end IP addresses are configured as expected.
Task 2: Configure Scope Options
1. On NYC-DC1, in the DHCP console, under Scope [10.10.0.0] ContosoScope1, click Scope Options.
2. Right-click Scope Options, and then click Configure Options.
3. On the General tab, select the 003 Router check box.
4. Under IP address, type 10.10.0.1, click Add, and then click OK.
Task 3: Configure a DHCP Reservation
2. Click Start, type cmd, and then press ENTER.
3. At the command prompt, type ipconfig /all.
4. In the results take note of the physical address and write it down below (for example: 00-15-5D-01-
71-71):
5. On the task bar, click Start, type Network, and then click View network connections.
6. In the Network Connections window, right-click Local Area Connection, and then click Properties.
7. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4),
Nova 4, LLC
Sep 7 2011 9:53PM
8. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address
automatically.
9. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain DNS server
address automatically, and then Click OK.
10. In the Local Area Connection Properties dialog box, click Close.
11. Close the Network Connections window.
13. In the DHCP console, under Scope [10.10.0.0] ContosoScope1, click Reservations.
14. Right-click Reservations, and then click New Reservation.
15. In the New Reservation dialog box, configure the following, and then click Add:
Reservation name: NYC-SVR1
IP address: 10.10.0.55
MAC Address: [Enter the value entered for step 4. For example:00-15-5D-01-71-71]
16. Click Close to close the New Reservation dialog box.
18. At the command prompt, type ipconfig/release.
19. At the command prompt, type ipconfig/renew.
20. Verify that NYC-SVR1 receives an IP address of 10.10.0.55, with valid scope options.
Results: At the end of this exercise, you will have configured a DHCP scope, scope options, and a
DHCP reservation.
following steps:
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Configuring Access to File Services 1
Module 3
Lab Answer Key: Configuring Access to File Services
Contents:
Exercise 1: Planning a Shared Folder Implementation (Discussion) 2
Exercise 2: Implementing a Shared Folder Implementation 3
Exercise 3: Evaluating the Shared Folder Implementation 6

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Configuring Access to File Services

Lab: Managing Access to File Services
Exercise 1: Planning a Shared Folder Implementation (Discussion)
1. What folder structure should be created on NYC-SVR1 to support the requirements of this scenario?
Answer: Two folders should be created at, E:\Labfiles\Mod03\Production and
E:\Labfiles\Mod03\Research. Both folders should be shared. An additional folder,
E:\Labfiles\Mod03\Production\Reports, should be created for Susanna Stubberods reports.
2. Which NTFS permissions should be assigned to the Production departments folder structure to fulfill
Answer: NTFS permissions should be assigned as follows. The Production group should be assigned full
control permissions for E:\Labfiles\Mod03\Production. Only Susanna Stubberod should be assigned Full
Control for E:\Labfiles\Mod03\Production\Reports, and this folder should not inherit permissions from its
parent. Shared folder permissions should be assigned as follows. The Production department should be
assigned Change permissions on the folder. Full Control is not necessary because the Production
department does not need to change permissions or take ownership of the shared folder.
3. Which NTFS permissions should be assigned to the Research departments folder structure to fulfill
Answer: NTFS permissions should be assigned as follows. The Research department should be assigned
full control permissions for E:\Labfiles\Mod03\Research. Shared folder permissions should be assigned as
follows. The Research department should be assigned Read permissions on the folder, so they do not
interfere with the application on the server.
4. How will you make the Research departments files available to Max Stevens when he is offsite with
the NYC-CL1?
Answer: On NYC-CL1, map a network drive to \\NYC-SVR1\Research. Right-click the mapped drive, and
click Always available offline.
Result: In this exercise, you discussed and determined solutions for a shared folder implementation.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Implementing a Shared Folder Implementation
Task 1: Verify the File Services Role on NYC-SVR1
1. On NYC-SVR1, click Start, click Administrative Tools, and then click Server Manager.
2. In the Server Manager window, click the Roles node,
3. Verify that File Services is listed as an installed role.
4. In the File Services section, verify that the File Server role service is installed.
Task 2: Create a shared folder structure by using Windows Explorer
1. On NYC-SVR1, click Start, and then click Computer.
2. In the Computer window, in the left pane, click Allfiles (E:).
3. In the details, pane, browse to Labfiles\Mod03.
4. On the toolbar, click New folder.
5. Type Production and press Enter.
6. Right-click Production, and then click Properties.
7. In the Production Properties window, click the Security tab.
8. In the Group or user names section, click Edit.
9. In the Permissions for Production window, click Add.
10. In the Select Users, Computers, Service Accounts, or Groups windows, type Production, click
Check Names, and then click OK.
11. In the Permissions for Production window, select the Allow check box next to the Full control
option, and then click OK.
12. In the Production Properties window, click the Sharing tab, and then click Advanced Sharing.
13. In the Advanced Sharing window, click the check box next to Share this folder and then click the
Permissions button.
14. In the Permissions for Production window, click Everyone, click Remove, and then click Add.
15. In the Select Users, Computers, Service Accounts, or Groups window, type Production, click
Check Names, and then click OK.
16. In the Permissions for Production window, click the Allow check box next to the Change option
and then click OK.
17. In the Advanced Sharing window, click OK.
18. In the Production Properties window, click Close.
19. Double-click the Production folder, right-click the empty pane, click New, click Text Document and
then press ENTER.
20. On the toolbar menu, click New folder.
21. Type Reports and press Enter.
22. Double-click the Reports folder, right-click the empty pane, click New, and then click Text
Document.
23. Rename the New Text Document file to Report1.txt.
Nova 4, LLC
Sep 7 2011 9:53PM

24. Click the Back button to go back to the Production folder.
25. Right-click the Reports folder and the click Properties.
26. Click the Security tab, and then click the Advanced button.
27. On the Advanced Security Settings for Reports dialog box, click Change Permissions.
28. Remove the check mark next to Include inheritable permissions from this objects parent.
29. In the Windows Security dialog box, click Remove.
30. On the Advanced Security Settings for Reports dialog box, click Add.
31. In the Select Users, Computers, Service Accounts, or Groups windows, type Susanna, click Check
Names, and then click OK.
32. In the Permission Entry for Reports window, click the Allow check box next to the Full control
option and then click OK
33. On the Advanced Security Settings for Reports dialog box, click OK. Click OK again to close the
Advanced Security Settings for Reports dialog box.
34. On the Reports Properties dialog box, click OK.
35. Close the Production window.
Task 3: Create shared folders by using the Share and Storage Management Console
1. On NYC-SVR1, click Start, click Administrative Tools, and then click Share and Storage
Management.
2. In the Share and Storage Management console, click Provision Share in the right pane.
3. In the Shared Folder Location page, click Browse.
4. In the Browse for Folder window, expand e$, expand Labfiles, click Mod03, and then click Make
New Folder.
5. Type Research, press ENTER, and then click OK.
6. In the Shared Folder Location page, click Next.
7. In the NTFS permissions page, select the Yes, change NTFS permissions option, and then click Edit
Permissions.
8. In the Permissions for Research window, click Add.
9. In the Select Users, Computers, Service Accounts, or Groups window, type Research, click Check
Names, and then click OK.
10. In the Permissions for Research page, remove the Allow check mark next to Read & Execute and
List Folder Contents (Allow Read should be the only permission selected) and then click OK.
11. In the NTFS Permissions page, click Next.
12. In the Share Protocols page, click Next.
13. In the SMB Settings page, click Next.
14. In the SMB permissions page, select the Users and groups have custom share permissions option,
and then click the Permissions button.
15. In the Permissions for Research window, click Everyone, click Remove, and then click Add.
16. In the Select Users, Computers, Service Accounts, or Groups window, type Research, click the
Check Names button, and then click OK.
Nova 4, LLC
Sep 7 2011 9:53PM
17. In the Permissions for Research window, ensure that Allow is selected for Read, and then click OK.
18. In the SMB Permissions page, click Next.
19. In the DFS Namespace Publishing page, click Next.
20. In the Review Settings and Create Share page, click Create.
21. In the Confirmation page, click Close.
Task 4: Configure Offline files
1. Log on to NYC-CL1 as Contoso\Max with password Pa$$w0rd.
3. In the Windows Explorer window, on the toolbar, click Map network drive .
4. In the Map Network Drive window, click the Drive: drop-down box and select R, in the Folder box,
type \\NYC-SVR1\Research, and then click Finish.
5. In the Windows Explore window, expand Computer, right-click Research (\\NYC-SVR1)(R:), and
then click Always available offline.
6. Close all open windows on NYC-CL1.
Results: In this exercise, you implemented a shared folder structure.

Nova 4, LLC
Sep 7 2011 9:53PM

Exercise 3: Evaluating the Shared Folder Implementation
Task 1: Test Research Folder Permissions
1. On NYC-CL1, click Start and then click Computer. Double-click Research (\\NYC-SVR1)(R:).
2. In the details pane, right-click the empty space, point to New, and then click Text Document. An
access-denied message appears.
3. Click Cancel.
4. Close Windows Explorer and log off of NYC-CL1.
Task 2: Test Production Shared Folder Permissions
1. Log on to NYC-CL1 as Contoso\Scott with password Pa$$w0rd.
2. Click Start and then in the Search programs and files box, type \\NYC-SVR1\Production and then
press ENTER.
3. In the Windows Explorer window, double-click New Text Document to open the file in Notepad.
4. In the New Text Document Notepad window, type Testing file permissions, and then save the
file.
5. Close Notepad.
6. Double-click the Reports folder. An access-denied message appears. Click Close.
8. Log on to NYC-CL1 as Contoso\Susanna with password Pa$$w0rd.
9. Click Start and then in the Search programs and files box, type \\NYC-SVR1\Production and then
press ENTER.
10. Double-click Reports.
11. Double-click Report1 and ensure that you can open and save the file.
12. Close Notepad and then log off of NYC-CL1.
Results: In this exercise, you evaluated a shared folder implementation.
following steps:
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Configuring and Managing Distributed File System 1
Module 4
Lab Answer Key: Configuring and Managing Distributed File
System
Contents:
Exercise 1: Installing the Distributed File System Role Service 2
Exercise 2: Creating a DFS Namespace 2
Exercise 3: Configuring Folder Targets 4
Exercise 4: Configuring DFS Folder Replication 5

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Configuring and Managing Distributed File System
Lab: Installing and Configuring the Distributed
File System Role Service
Exercise 1: Installing the Distributed File System Role Service
Task 1: Install the Distributed File System Role Service on NYC-SVR1.
2. On the task bar, click the Server Manager button. The Server Manager opens.
3. In the console pane, click Roles.
4. In the details pane, click Add Role Services. The Add Role Services wizard opens.
5. On the Select Role Services page, select the check box next to Distributed File System. Ensure that
the File Server, DFS Namespaces, and DFS Replication options are also selected. Click Next.
6. On the Create a DFS Namespace page, select Create a namespace later using the DFS
Management snap-in in Server Manager, and then click Next.
Task 2: Install the Distributed File System Role Service on NYC-DC1.
2. On the task bar, click the Server Manager button. The Server Manager opens.
3. In the console pane, click Roles.
4. In the details pane, under File Services, click Add Role Services. The Add Role Services wizard
opens.
5. On the Select Role Services page, select the check box next to Distributed File System. Ensure that
the File Server, DFS Namespaces, and DFS Replication options are also selected. Click Next.
6. On the Create a DFS Namespace page, select Create a namespace later using the DFS
Management snap-in in Server Manager, and then click Next.
Results: After completing this exercise, you will have installed the DFS role service on NYC-SVR1 and
NYC-DC1.
Exercise 2: Creating a DFS Namespace
Task 1: Use the New Namespace Wizard to create the CorpDocs namespace.
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click DFS Management. The DFS
Management console opens.
Nova 4, LLC
Sep 7 2011 9:53PM
2. In the console pane, click Namespaces.
3. Right-click Namespaces, and then click New Namespace. The New Namespace Wizard starts.
4. On the Namespace Server page, under Server, type NYC-SVR1, and then click Next.
5. On the Namespace Name and Settings page, under Name, type CorpDocs, and then click Next.
6. On the Namespace Type page, ensure that Domain-based namespace is selected. Take note that
the namespace will be accessed by \\Contoso.com\CorpDocs.
7. Ensure that the check box next to Enable Windows Server 2008 mode is selected and then click
Next.
8. On the Review Settings and Create Namespace page, click Create.
9. On the Confirmation page, ensure that the Create namespace task is successful, and then click
Close.
10. In the console pane, under Namespaces, click \\Contoso.com\CorpDocs.
11. In the details pane, click the Namespace Servers tab and ensure that there is one entry that is
enabled for \\NYC-SVR1\CorpDocs.
Task 2: Enable access-based enumeration for the CorpDocs namespace.
1. In the console pane, under Namespaces, right-click \\Contoso.com\CorpDocs, and then click
Properties.
2. In the \\Contoso.com\CorpDocs Properties dialog box, click the Advanced tab.
3. On the Advanced tab, select the check box next to Enable access-based enumeration for this
namespace, and then click OK.
Results: After completing this exercise, you will have created the CorpDocs namespace and configured
it to use access-based enumeration.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 3: Configuring Folder Targets
Task 1: Add the MarketingTemplates folder to the CorpDocs namespace.
2. In DFS Management, right-click \\Contoso.com\CorpDocs, and then click New Folder. The New
Folder dialog box opens.
3. In the New Folder dialog box, under Name, type MarketingTemplates.
4. In the New Folder dialog box, click Add. The Add Folder Target dialog box opens.
5. In the Add Folder Target dialog box, type \\NYC-DC1\MarketingTemplates, and then click OK.
6. Click OK again to close the New Folder dialog box.
Task 2: Add the PolicyFiles folder to the CorpDocs namespace.
1. In DFS Management, right-click \\Contoso.com\CorpDocs, and then click New Folder. The New
Folder dialog box opens.
2. In the New Folder dialog box, under Name, type PolicyFiles.
3. In the New Folder dialog box, click Add. The Add Folder Target dialog box opens.
4. In the Add Folder Target dialog box, type \\NYC-SVR1\PolicyFiles, and then click OK.
5. Click OK again to close the New Folder dialog box.
Task 3: Verify the CorpDocs namespace.
1. On NYC-SVR1, click Start, and then, in the Search programs and files box, type
\\Contoso.com\Corpdocs. Press ENTER.
2. In the corpdocs window, verify that both MarketingTemplates and PolicyFiles are visible.
3. Close the corpdocs window.
Results: After completing this exercise, you will have configured Folder Targets for the CorpDocs
namespace.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 4: Configuring DFS Folder Replication
Task 1: Create another Folder Target for PolicyFiles.
2. In DFS Management, expand \\Contoso.com\CorpDocs, and then click PolicyFiles. In the details
pane, notice that there is currently only one folder target.
3. Right-click PolicyFiles, and then click Add Folder Target.
4. In the New Folder Target dialog box, under Path to folder target, type \\NYC-DC1\PolicyFiles,
and then click OK.
5. In the Warning dialog box, click Yes to create the shared folder on NYC-DC1.
6. In the Create Share dialog box, under Local path of shared folder, type C:\PolicyFiles.
7. In the Create Share dialog box, under Shared folder permissions, select Administrators have full
access; other users have read and write permissions, and then click OK.
8. In the Warning dialog box, click Yes to create the folder on NYC-DC1.
9. In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.
Task 2: Configure DFS Replication.
1. In DFS Management, in the Replicate Folder Wizard, on the Replication Group and Replicated
Folder Name page, accept the default settings, and then click Next.
2. On the Replication Eligibility page, click Next.
3. On the Primary Member page, select NYC-SVR1, and then click Next.
4. On the Topology Selection page, select Full mesh, and then click Next.
5. On the Replication Group Schedule and Bandwidth page, ensure that Replicate continuously
using the specified bandwidth is selected, and then click Next.
6. On the Review Settings and Create Replication Group page, click Create.
7. On the Confirmation page, verify that all tasks are successful, and then click Close.
8. At the Replication Delay message, click OK.
9. In the DFS Management console, expand Replication, and then click
contoso.com\corpdocs\policyfiles.
10. In the details pane, on the Memberships tab, verify that the replicated folder is shown on both NYC-
DC1 and NYC-SVR1.
11. On the Memberships tab, right-click NYC-DC1, and then click Make read-only. This setting will
automatically configure the replicated copy to be read-only.
Task 3: View Diagnostic Reports.
1. On NYC-SVR1, in the DFS Management console, right-click contoso.com\corpdocs\policyfiles, and
then click Create Diagnostic Report. The Diagnostic Report Wizard starts.
2. On the Type of Diagnostic Report of Test page, click Health report, and then click Next.
3. On the Path and Name page, accept the default settings, and then click Next
Nova 4, LLC
Sep 7 2011 9:53PM
4. On the Members to Include page, ensure that both NYC-DC1 and NYC-SVR1 are included members,
and then click Next.
5. On the Options page, next to Reference Member, select NYC-SVR1, and then click Next.
6. On the Review Settings and Create Report page, click Create.
7. Review the DFS Replication Health Report for errors.
Results: After completing this exercise, you will have configured DFS Folder Replication and produced
a diagnostic report.
When you complete the lab exercises, revert the virtual machines to their initial state. To do this, complete
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Managing File Resources Using File Server Resource Manager 1
Module 5
Lab Answer Key: Managing File Resources Using File Server
Resource Manager
Contents:
Lab A: Installing FSRM and Implementing Quota Management
Exercise 1: Installing the FSRM Role Service 2
Exercise 2: Configuring Storage Quotas 3
Exercise 1: Configuring File Screening 5
Exercise 2: Generating Storage Reports 7
Lab C: Configuring Classification and File Management Tasks
Exercise 1: Configuring Classification Management 8
Exercise 2: Implementing File Management Tasks 10

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Managing File Resources Using File Server Resource Manager

Lab A: Installing FSRM and Implementing
Quota Management
Exercise 1: Installing the FSRM Role Service
Task 1: Install the FSRM role service.
1. On NYC-SVR1, click Start, click Administrative Tools, and then click Server Manager.
2. In the Server Manager window, click Roles.
3. In the details pane, under Role Services, click Add Role Services.
4. In the Select Role Services page, click the File Server Resource Manager check box, and then click
Next.
5. In the Configure Storage Usage Monitoring page, click to select the checkbox next to Allfiles (E:)
6. In the Set Report Options page, click Next.
7. In the Confirm Installation Selections page, click Install.
8. After the installation is completed, click Close.
9. Close the Server Manager window.
Results: In this exercise, you installed the FSRM role service.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring Storage Quotas
Task 1: Create a quota template.
1. On NYC-SVR1, click Start, point to Administrative tools, and then click File Server Resource
Manager.
2. In the File Server Resource Manager console pane, expand Quota Management, and then click
Quota Templates.
3. Right-click Quota Templates, and then click Create Quota Template.
4. In the Create Quota Template dialog box, in the Template name field, type 100 MB Limit Log to
Event Viewer.
5. Under Notification thresholds, click Add.
6. In the Add Threshold dialog box, click the Event log tab.
7. Select the Send warning to event log check box, and then click OK.
8. In the Create Quota Template dialog box, click Add.
9. In the Add Threshold dialog box, in the Generate notification when the usage reaches (%) field,
type 100.
10. Click the Event Log tab, and then select the Send warning to event log check box.
11. Click OK twice.
Task 2: Configure a quota based on the quota template.
1. In the File Server Resource Manager console pane, click Quotas.
2. Right-click Quotas, and then click Create Quota.
3. On the Create Quota dialog box, in the Quota path field, type E:\Labfiles\Mod05\Users.
4. Click Auto apply template and create quotas on existing and new subfolders.
5. In the Derive properties from this quota template (recommended) list, click 100MB Limit Log to
Event Viewer, and then click Create.
6. In the details pane, verify that the E:\Labfiles\Mod05\Users\* path has been configured with its own
quota entry. You may have to refresh the Quotas folder to view the changes.
7. Right-click Start, and then click Open Windows Explorer.
8. In Windows Explorer, browse to E:\Labfiles\Mod05\Users.
9. Create a new folder named Max.
10. In File Server Resource Manager, on the Action menu, click Refresh.
11. In the details pane, notice that the newly created folder appears in the list.
Task 3: Test that the quota is functional.
1. Click Start, click All Programs, click Accessories, and then click Command Prompt.
2. Type E:, and then press Enter.
3. Type cd \Labfiles\Mod05\Users\Max, and then press Enter.
4. Type fsutil file createnew file1.txt 89400000, and then press Enter. This creates a file that is over 85
MB, which will generate a warning in Event Viewer.
5. Click Start, point to Administrative Tools, and then click Event Viewer.
Nova 4, LLC
Sep 7 2011 9:53PM

6. In the Event Viewer console pane, expand Windows Logs, and then click Application.
7. In the details pane, note the event with Event ID of 12325.
8. In the Command Prompt window, type fsutil file createnew file2.txt 16400000, and then press
Enter. Notice that the file cannot be created because it would surpass the quota limit.
9. Type exit, and then press Enter.
Results: In this exercise, you configured a storage quota.

Nova 4, LLC
Sep 7 2011 9:53PM
Lab B: Configuring File Screening and Storage
Reports
Exercise 1: Configuring File Screening
Task 1: Create a file group.
1. On NYC-SVR1, click Start, click Administrative Tools, and then click File Server Resource Manager.
2. Right-click File Server Resource Manager (Local) and then click Configure Options.
3. On the File Server Resource Manager Options dialog box, click the File Screen Audit tab.
4. Select the check box next to Record file screening activity in auditing database. Click OK.
Note: This step is to allow recording of File Screen events that supply data for the a File Screen Audit
report to be run in Exercise 2
5. In the File Server Resource Manager console tree, expand File Screening Management and then
click File Groups.
6. Right-click File Groups, and then click Create File Group.
7. In the Create File Group Properties window, enter MPx Media Files into the File group name box.
8. In the Files to include box, type *.mp*, and then click Add.
9. In the Files to exclude box, type *.mpp, and then click Add.
10. Click OK.
Task 2: Create a file screen template.
1. In the File Server Resource Manager console tree, click File Screen Templates.
2. Right-click File Screen Templates, and then click Create File Screen Template.
3. In the Create File Screen Template window, in the Template name box, type Block MPx Media
files.
4. Under Screening type, ensure that Active screening. Do not allow users to save unauthorized
files is selected.
5. In the File groups section, click to select the checkbox next to the MPx Media Files file group.
6. Click the Event Log Tab.
7. Click the check box next to Send warning to event log. Click OK.
Task 3 Create a file screen.
1. In the File Server Resource Manager console tree, select and then right-click File Screens, and then
click Create File Screen.
2. In the Create File Screen window, in the File screen path box, type E:\Labfiles\Mod05\Users.
3. In the Create File Screen window, click the Derive properties from this file screen template
(recommended) drop-down box, and click Block MPx Media Files.
4. Click Create.
Nova 4, LLC
Sep 7 2011 9:53PM

5. Close File Server Resource Manager.
Task 4 Test the file screen.
2. In the left pane, click Allfiles (E:)
3. In the right pane, right-click and point to New, and then click Text Document.
4. Rename New Text Document.txt to musicfile.mp3. Click Yes to change the file name extension.
5. Right-click musicfile.mp3, and then click Copy.
6. In the left pane, expand Allfiles (E:), expand Labfiles, expand Mod05, right-click Users, and then
click Paste. You will be notified that the system was unable to copy the file to
E:\Labfiles\Mod05\Users.
Results: After this exercise, you should have configured file screening by creating a file group, a file
screen template, and a file screen.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Generating Storage Reports
Task 1: Generate an On-Demand Storage Report.
2. In the File Server Resource Manager console pane, click Storage Reports Management.
3. Right-click Storage Reports Management, and then click Generate Reports Now.
4. In the Storage Reports Task Properties dialog box, click Add.
5. In the Browse For Folder dialog box, browse to E:\Labfiles\Mod05\Users, and then click OK.
6. Under Select reports to generate, select the File Screening Audit check box, and then click OK.
7. In the Generate Storage Reports dialog box, verify that Wait for reports to be generated and
then display them is selected, and then click OK.
8. In the Windows Internet Explorer window, review the generated reports.
Results: In this exercise, you generated a storage report.

Nova 4, LLC
Sep 7 2011 9:53PM

Lab C: Configuring Classification and File
Management Tasks
Exercise 1: Configuring Classification Management
Task 1: Create a classification property.
2. Expand the Classification Management node, and then click Classification Properties.
3. Right-click Classification Properties, and then click Create Property.
4. In the Create Classification Property Definition window, in the Property name box, type
Confidential and in the Description field, type Assigns a confidentiality value of Yes or No.
5. Under Property type, click the drop-down box and select Yes/No.
6. Click OK.
Task 2: Apply classification properties by using classification rules.
1. Click the Classification Rules node.
2. Right-click the Classification Rules node, and then click Create a New Rule.
3. In the Rule name box, type Confidential Payroll Documents.
4. In the Description box, type Classify documents containing the word payroll as confidential.
5. In the Scope section, click the Add button.
6. In the Browse For Folder window, expand Allfiles (E:), then expand Labfiles, then expand Mod05,
click Data, and then click OK.
7. In the Classification Rule Definitions window, click the Classification tab.
8. In the Classification mechanism area, click the drop-down box and select Content Classifier.
9. In the Property name section, select Confidential (Assigns a confidentiality value of Yes or No)
for Property Name, in the Property value section, select Yes for Property value, and then click
Advanced.
10. In the Additional Rule Parameters window, click the Additional Classification Parameters tab.
11. On the Additional Classification Parameters tab, double-click in the blank cell below the Name
column and type String.
12. Double-click in the Value column and type payroll.
13. Click OK.
14. In the Classification Rule Definitions window, click OK.
15. Right-click the Classification Rules node, and then click Run Classification With All Rules Now.
16. In the Run Classification window, select the Wait for classification to complete execution option,
and then click OK.

Nova 4, LLC
Sep 7 2011 9:53PM
17. View the report and ensure that January.txt in listed on the report.
18. Browse to the E:\Labfiles\Mod05\Data folder and view the contents of January.txt.
Results: In this exercise, you configured Classification Management.

Nova 4, LLC
Sep 7 2011 9:53PM

Exercise 2: Implementing File Management Tasks
Task 1: Configure file management tasks based on classification properties.
2. Select and then right-click the File Management Tasks node, and then click Create File
Management Task.
3. In the Task name box, type Move Confidential Files
4. In the Description box, type Move confidential documents to another folder.
5. In the Scope section, click the Add button.
6. Expand Allfiles (E:), expand Labfiles, expand Mod05, click Data, and then click OK.
7. In the Create File Management Task window, click the Action tab.
8. On the Action tab, for Type, select File expiration.
9. In the Expiration directory field type E:\Labfiles\Mod05\Confidential.
10. In the Create File Management Task window, click the Condition tab.
11. On the Condition tab, under the Property conditions section, click the Add button.
12. In the Property Condition window, click the Property drop-down box, select Confidential, click the
Operator drop-down box, select Equal, click the Value drop-down box , and then select Yes.
13. Click OK.
14. In the Create File Management Task window, click the Schedule tab.
15. On the Schedule tab, click the Create button.
16. In the Schedule window, click the New button, and then click OK.
17. In the Create File Management Task window, click OK.
18. Right-click the Move Confidential Files task, and then click Run File Management Task Now.
19. In the Run File Management Task window, select the Wait for task to complete execution option,
and then click OK.
20. View the generated report, ensuring that January.txt is on the list.
21. Open the E:\Labfiles\Mod05\Confidential folder and view the contents. The relocated folder
structure for January.txt is now located in this folder.
Results: In this exercise, you implemented File Management Tasks.
following steps:
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Configuring and Securing Remote Access 1
Module 6
Lab Answer Key: Configuring and Securing Remote Access
Contents:
Access Solution 2
Exercise 2: Configuring a Custom Network Policy 4
Lab B: Implementing NAP into a VPN Remote Access Solution
Exercise 1: Configuring NAP Components 6
Exercise 2: Configuring Client Settings to support NAP 11

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Configuring and Securing Remote Access

Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access
Solution
Task 1: Install the Network Policy and Access Services role on 6419B-NYC-EDGE1
1. On NYC-EDGE1, click Start, and then click Administrative Tools.
2. From the Administrative Tools menu, click Server Manager. The Server Manager opens.
3. In the Server Manager (NYC-EDGE1) list pane, right-click Roles, and then click Add Roles. The Add
Roles Wizard appears. Click Next.
4. On the Select Server Roles page, select Network Policy and Access Services, and then click Next.
5. On the Network Policy and Access Services introduction page, click Next.
6. On the Select Role Services page, select the Network Policy Server and Routing and Remote
Access Services check boxes, and then click Next.
8. On the Installation Results page, verify Installation succeeded appears in the details pane, and
then click Close.
9. Close the Server Manager. The Network Policy and Routing and Remote Access Services roles are
installed on 6419B-NYC-EDGE1.
Task 2: Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for
Remote Access clients
2. From the Administrative Tools menu, click Routing and Remote Access. The Routing and Remote
Access administrative tool appears.
3. In the list pane, select and right-click NYC-EDGE1 (Local), and then click Configure and Enable
Routing and Remote Access.
4. On the wizard Welcome page, click Next.
5. On the Configuration page, leave the default Remote Access (dial-up or VPN) selected, and click
Next.
6. On the Remote Access page, select the VPN check box, and click Next.
7. On the VPN Connection page, select the Public, and then click Next.
8. On the IP Address Assignment page, select From a specified range of addresses, and then click
Next.
9. On the Address Range Assignment page, click New, and in the Start IP address box, type the
following value 10.10.0.60. In the Number of addresses box, type the value of 75, and click OK.
Click Next.
10. On the Managing Multiple Remote Access Servers page, leave the default selection No, use
Routing and Remote Access to authenticate connection requests, and click Next. Click Finish.
11. In the Routing and Remote Access dialog box, click OK.
12. In the Routing and Remote Access dialog box regarding the DHCP Relay agent, click OK. The
Routing and Remote Access service starts.
Nova 4, LLC
Sep 7 2011 9:53PM
Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25
L2TP connections
1. In the Routing and Remote Access management tool interface, expand NYC-EDGE1, right-click
Ports, and then click Properties.
2. In the Ports Properties dialog box, double-click WAN Miniport (SSTP).
3. In the Configure Device WAN Miniport (SSTP) dialog box, assign a value of 25 in the Maximum
ports box, and then click OK.
4. In the Routing and Remote Access dialog box, click Yes to continue.
5. In the Ports Properties dialog box, double-click WAN Miniport (PPTP), and in the Configure
Device WAN Miniport (PPTP) dialog box, assign a value of 25 in the Maximum ports box, and
then click OK.
6. In the Routing and Remote Access dialog box, click Yes to continue.
7. Repeat this procedure, with the same value (25), for WAN Miniport (L2TP).
8. In the Ports Properties dialog box, click OK.
9. Close the Routing and Remote Access administrative tool.
Results: In this exercise, you enabled routing and remote access on the NYC-EDGE1 server.

Nova 4, LLC
Sep 7 2011 9:53PM

Exercise 2: Configuring a Custom Network Policy
Task 1: Open the Network Policy Server management tool on 6419B-NYC-EDGE1
2. On the Administrative Tools menu, click Network Policy Server. The Network Policy Server
administrative tool appears.
Task 2: Create a new network policy for RRAS clients
1. In the list pane, expand Policies, right-click Network Policies, and then click New.
2. On the New Network Policy Specify Network Policy Name and Connection Type page, type
Secure VPN in the Policy name text box, and in the Type of network access server drop-down list,
click Remote Access Server (VPN-Dial up), and then click Next.
3. On the Specify Conditions page, click Add. In the Select Condition dialog box, scroll down and
double-click Tunnel Type. In the Tunnel Type dialog box, select L2TP, PPTP, and SSTP, click OK,
4. On the Specify Access Permission page, leave the default of Access granted, and click Next.
5. On the Configure Authentication Methods page, deselect the Microsoft Encrypted
Authentication (MS-CHAP) check box, and then click Next.
6. On the Configure Constraints page, under Constraints, select Day and time restrictions, and in
the details pane, select Allow access only on these days and at these times, and click Edit. Change
the Time of day constraints to Denied access from 11PM to 6AMMonday thru Friday, click OK,
7. In the Configure Settings dialog box, under Settings, click Encryption, and in the details pane,
deselect all settings except Strongest encryption (MPPE 128-bit), click Next, and then click Finish.
8. In the list pane of the Network Policy Server tool, click the Network Policies node.
9. If necessary, right-click the Secure VPN policy, and then click Move Up. Repeat this step to make the
policy the first in the list.
10. Close the Network Policy Server tool.
Task 3: Create and Test a VPN Connection
2. Click Start, and then click Control Panel.
3. In the Control Panel window, under Network and Internet, click View network status and tasks.
4. In the Network and Sharing Center window, click Change adapter settings.
5. Right-click Local Area Connection 3, and then click Properties.
6. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
7. Configure the following IP address settings, and then click OK:
IP Address: 131.107.0.20
Subnet mask: 255.255.255.0
Default gateway: 131.107.0.1
8. Click Close, and then click the Back button to return to the Network and Sharing Center.
Nova 4, LLC
Sep 7 2011 9:53PM
9. In the Network and Sharing Center window, under Change your networking settings, click Set up a
new connection or network. In the Choose a connection option dialog box, click Connect to a
workplace, and then click Next.
10. In the Connect to a workplace dialog box, select the Use my Internet connection (VPN) option.
When prompted, click Ill set up an Internet connection later.
11. In the Type the Internet address to connect to dialog box, specify an Internet address of
131.107.0.2 and a Destination Name of Contoso VPN, and then click Next.
12. On the Type your user name and password page, leave the user name and password blank, and
then click Create.
13. Click Close in the Connect to a Workplace dialog box.
14. In the Network and Sharing Center window, click Change adapter settings.
15. On the Network Connections page, right-click Contoso VPN, and then click Connect.
16. Use the following information in the Connect Contoso VPN text boxes, and then click Connect:
Password: Pa$$w0rd
Domain: Contoso
The VPN connects successfully.
17. Right-click Contoso VPN, and click Disconnect. The VPN disconnects.
18. Close all open windows on NYC-CL1.
following steps:
4. Repeat these steps for 6419B-NYC-EDGE1and 6419B-NYC-CL1.
Results: In this exercise, you created and tested a VPN connection.

Nova 4, LLC
Sep 7 2011 9:53PM

Lab B: Implementing NAP into a VPN Remote
Access Solution
Exercise 1: Configuring NAP Components
Task 1: Configure a Computer Certificate
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the certsrv management console, expand ContosoCA, right-click Certificate Templates, and then
click Manage.
3. In the Certificate Templates Console details pane, right-click Computer, and then click Properties.
4. In the Computer Properties dialog box, click Security, and then select Authenticated Users.
5. In the permissions for Authenticated Users, select the Allow check box for the Enroll permission,
and then click OK.
6. Close the Certificate Templates console, and then close the certsrv management console.
Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server
1. Switch to the NYC-EDGE1computer.
2. Obtain a computer certificate and install it on NYC-EDGE1for server-side PEAP authentication:
a. Click Start, click Run, type mmc, and then press ENTER.
b. On the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer
account, click Next, and then click Finish.
d. Click OK to close the Add or Remove Snap-ins dialog box.
e. In the console tree, expand Certificates (Local Computer), right-click Personal, point to All
Tasks, and then click Request New Certificate.
f. The Certificate Enrollment dialog box opens. Click Next.
g. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy,
h. Select the Computer check box, and then click Enroll.
i. Verify the status of certificate installation as Succeeded, and then click Finish.
j. Close the Console1 window.
k. Click No when prompted to save console settings.
3. Install the NPS Server role:
a. On NYC-EDGE1, click Start, click Administrative Tools, and then click Server Manager.
b. Click Roles, under Roles Summary, click Add Roles, and then click Next.
c. Select the Network Policy and Access Services check box, and then click Next twice.
d. Select the Network Policy Server and Remote Access Service check boxes, click Next, and
then click Install.
e. Verify the installation was successful, and then click Close.
Nova 4, LLC
Sep 7 2011 9:53PM
f. Close the Server Manager window.
4. Configure NPS as a NAP health policy server:
a. Click Start, point to Administrative Tools, and then click Network Policy Server.
b. Expand Network Access Protection, expand System Health Validators, expand Windows
Security Health Validator, and then click Settings.
c. In the right pane under Name, double-click Default Configuration.
d. On the Windows 7/Windows Vista selection, clear all check boxes, except A firewall is enabled
for all network connections.
e. Click OK to close the Windows Security Health Validator dialog box.
5. Configure health policies:
a. Expand Policies.
b. Right-click Health Policies, and then click New.
c. In the Create New Health Policy dialog box, under Policy name, type Compliant.
d. Under Client SHV checks, verify that Client passes all SHV checks is selected.
e. Under SHVs used in this health policy, select the Windows Security Health Validator check
box.
f. Click OK.
g. Right-click Health Policies, and then click New.
h. In the Create New Health Policy dialog box, under Policy name, type Noncompliant.
i. Under Client SHV checks, select Client fails one or more SHV checks.
j. Under SHVs used in this health policy, select the Windows Security Health Validator check
box.
k. Click OK.
6. Configure network policies for compliant computers:
a. Ensure Policies is expanded.
b. Click Network Policies.
c. Disable the two default policies found under Policy Name by right-clicking the policies, and then
clicking Disable.
d. Right-click Network Policies, and then click New.
e. In the Specify Network Policy Name and Connection Type window, under Policy name, type
Compliant-Full-Access, and then click Next.
f. In the Specify Conditions window, click Add.
g. In the Select condition dialog box, double-click Health Policies.
h. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
i. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a
value of Compliant, and then click Next.
j. In the Specify Access Permission window, verify that Access granted is selected.
k. Click Next three times.
Nova 4, LLC
Sep 7 2011 9:53PM

l. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network
access is selected, and then click Next.
m. In the Completing New Network Policy window, click Finish.
7. Configure network policies for noncompliant computers:
a. Right-click Network Policies, and then click New.
b. In the Specify Network Policy Name and Connection Type window, under Policy name, type
Noncompliant-Restricted, and then click Next.
c. In the Specify Conditions window, click Add.
d. In the Select condition dialog box, double-click Health Policies.
e. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click
OK.
f. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a
value of Noncompliant, and then click Next.
g. In the Specify Access Permission window, verify that Access granted is selected.
Note: A setting of Access granted does not mean that noncompliant clients are granted full
network access. It specifies that the policy should continue to evaluate the clients matching these
conditions.
h. Click Next three times.
i. In the Configure Settings window, click NAP Enforcement. Select Allow limited access, and
clear the Enable auto-remediation of client computers check box.
j. In the Configure Settings window, click IP Filters.
k. Under IPv4, click Input Filters, and then click New.
l. In the Add IP Filter dialog box, select Destination network. Type 10.10.0.10 next to IP
address, and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic
from noncompliant clients can reach only NYC-DC1.
m. Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed
below in the Inbound Filters dialog box.
n. Click OK to close the Inbound Filters dialog box.
o. Under IPv4, click Output Filters, and then click New.
p. In the Add IP Filter dialog box, select Source network. Type 10.10.0.10 next to IP address, and
then type 255.255.255.255 next to Subnet mask.
q. Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed
below in the Outbound Filters dialog box. This step ensures that only traffic from NYC-DC1 can
be sent to noncompliant clients.
r. Click OK to close the Outbound Filters dialog box.
s. In the Configure Settings window, click Next.
t. In the Completing New Network Policy window, click Finish.

Nova 4, LLC
Sep 7 2011 9:53PM
8. Configure connection request policies:
a. Click Connection Request Policies.
b. Disable the default Connection Request policy found under Policy Name by right-clicking the
policy, and then clicking Disable.
c. Right-click Connection Request Policies, and then click New.
d. In the Specify Connection Request Policy Name and Connection Type window, under Policy
name, type VPN connections.
e. Under Type of network access server, select Remote Access Server (VPN-Dial up), and then
click Next.
f. In the Specify Conditions window, click Add.
g. In the Select condition window, double-click Tunnel Type, select PPTP, SSTP, and L2TP, click
OK, and then click Next.
h. In the Specify Connection Request Forwarding window, verify that Authenticate requests on
this server is selected, and then click Next.
i. In the Specify Authentication Methods window, select Override network policy authentication
settings.
j. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click
Microsoft: Protected EAP (PEAP), and then click OK.
k. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click
Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
l. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.
m. Verify that Enforce Network Access Protection is selected, and then click OK.
n. Click Next twice, and then click Finish.
9. Close the Network Policy Server console.
Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS)
configured as a VPN server
1. On NYC-EDGE1, click Start, point to Administrative Tools, and then click Routing and Remote
Access.
2. In the Routing and Remote Access console, right-click NYC-EDGE1 (local), and then click
Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access
Server Setup Wizard.
3. Click Next, select Remote access (dial-up or VPN), and then click Next.
4. Select the VPN check box, and then click Next.
5. Click the network interface called Public. Clear the Enable security on the selected interface by
setting up static packet filters check box, and then click Next. This ensures that NYC-EDGE1 will be
able to ping NYC-DC1 when attached to the Internet subnet without requiring that you configure
additional packet filters for Internet Control Message Protocol (ICMP) traffic.
6. On the IP Address Assignment page, select From a specified range of addresses, and then click
Next.
7. On the Address Range Assignment page, click New. Type 10.10.0.100 next to Start IP address
and 10.10.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses are assigned
for remote clients, and then click Next.
Nova 4, LLC
Sep 7 2011 9:53PM

8. On the Managing Multiple Remote Access Servers page, ensure No, use Routing and Remote
Access to authenticate connection requests is already selected and then click Next.
9. Click Finish.
10. Click OK twice, and wait for the Routing and Remote Access Service to start.
11. Click Start, point to Administrative Tools, and then click Network Policy Server. Click the
Connection Request Policies node and disable the Microsoft Routing and Remote Access Service
Policy. This is created automatically when Routing and Remote Access is enabled.
12. Close the Network Policy Server management console.
13. Close Routing and Remote Access.
Task 4: Allow ping on NYC-EDGE1
1. Click Start, point to Administrative Tools, and then click Windows Firewall with Advanced
Security.
2. Click Inbound Rules, right-click Inbound Rules, and then click New Rule.
3. Select Custom, and then click Next.
4. Select All programs, and then click Next.
5. Next to Protocol type, select ICMPv4, and then click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.
7. Click Next to accept the default scope.
8. In the Action window, verify that Allow the connection is selected, and then click Next.
9. Click Next to accept the default profile.
10. In the Name window, under Name, type ICMPv4 echo request, and then click Finish.
11. Close the Windows Firewall with the Advanced Security console.
Results: In this exercise, you configured and enabled a VPN-enforced NAP scheme.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring Client Settings to support NAP
Task 1: Configure Security Center
2. Configure NYC-CL1 so that Security Center is always enabled:
a. Click Start, point to All Programs, click Accessories, and then click Run.
b. Type gpedit.msc, and then press ENTER.
c. In the console tree, click Local Computer Policy/Computer Configuration/Administrative
Templates/Windows Components/Security Center.
d. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
e. Close the Local Group Policy Editor.
Task 2: Enable client NAP enforcement
1. Enable the remote-access, quarantine-enforcement client:
a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type napclcfg.msc, and then press ENTER.
c. In the console tree, click Enforcement Clients.
d. In the details pane, right-click EAP Quarantine Enforcement Client, and then click Enable.
e. Close the NAP Client Configuration window.
2. Enable and start the NAP agent service:
a. Click Start, click Control Panel, click System and Security, and then click Administrative Tools.
b. Double-click Services.
c. In the Services list, double-click Network Access Protection Agent.
d. In the Network Access Protection Agent Properties dialog box, change the Startup type to
Automatic, and then click Start.
e. Wait for the NAP Agent service to start, and then click OK.
f. Close the Services console, and then close the Administrative Tools and System and Security
windows.
Task 3: Move the client to the Internet
1. Configure NYC-CL1 for the Internet network segment:
a. Click Start, click Control Panel, and then click Network and Internet.
b. Click Network and Sharing Center.
c. Click Change adapter settings.
d. Right-click Local Area Connection 3, and then click Properties.
e. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
f. Ensure Use the following IP address is already selected. Next to IP address, type 131.107.0.20.
Next to Subnet mask, type 255.255.255.0. Remove the Default gateway.
g. Next to Preferred DNS server, remove 10.10.0.10.
h. Click OK, and then click Close to close the Local Area Connection 3 Properties dialog box.
Nova 4, LLC
Sep 7 2011 9:53PM

i. Close the Network Connections window.
2. Verify network connectivity for NYC-CL1:
a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type cmd, and then press ENTER.
c. At the command prompt, type ping 131.107.0.2 and then press ENTER.
d. Verify that the response reads Reply from 131.107.0.2
e. Close the command window.
Task 4: Create a VPN on NYC-CL1
1. Configure a VPN connection:
a. Click Start, click Control Panel, and then click Network and Internet.
b. Click Network and Sharing Center.
c. Click Set up a new connection or network.
d. On the Choose a connection option page, click Connect to a workplace, and then click Next.
e. On the How do you want to connect page, click Use my Internet connection (VPN).
f. Click Ill set up an Internet connection later.
g. On the Type the Internet address to connect to page, next to Internet address, type
131.107.0.2. Next to Destination name, type Contoso VPN, select the Allow other people to
use this connection check box, and then click Next.
h. On the Type your user name and password page, type administrator next to User name, and
type Pa$$w0rd next to Password, select the Remember this password check box, type
Contoso next to Domain (optional), and then click Create.
i. On The connection is ready to use page, click Close.
j. In the Network and Sharing Center window, click Change adapter settings.
k. Right-click the Contoso VPN connection, click Properties, and then click the Security tab.
l. Under Authentication, click Use Extensible Authentication Protocol (EAP).
m. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click
Microsoft: Protected EAP (PEAP) (encryption enabled), and then click Properties.
n. Ensure that the Validate server certificate check box is already selected. Clear the Connect to
these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already
selected under Select Authentication Method, clear the Enable Fast Reconnect check box, and
then select the Enforce Network Access Protection check box.
o. Click OK twice to accept these settings.
2. Test the VPN connection:
a. In the Network Connections window, right-click the Contoso VPN connection, and then click
Connect.
b. In the Connect Contoso VPN window, click Connect.
c. You are presented with a Windows Security Alert window the first time this VPN connection is
used. Click Details, and verify that Certificate Information states that the certificate was issued
to NYC-EDGE1.Contoso.com by ContosoCA. Click Connect.
Nova 4, LLC
Sep 7 2011 9:53PM
d. Wait for the VPN connection to be made. Because NYC-CL1 is compliant, it should have
unlimited access to the intranet subnet.
e. Click Start, click All Programs, click Accessories, and then click Command Prompt.
f. Type ipconfig /all, and view the IP configuration. System Quarantine State should be Not
Restricted.
g. In the command window, type ping 10.10.0.10 and then press Enter. This should be successful.
The client now meets the requirement for VPN full connectivity.
h. Disconnect from the Contoso VPN.
3. Configure Windows Security Health Validator to require an antivirus application:
a. On NYC-EDGE1, click Start, point to Administrative Tools, and then click Network Policy
Server.
b. Expand Network Access Protection, expand System Health Validators, expand Windows
Security Health Validator, and then click Settings.
c. In the right pane under Name, double-click Default Configuration.
d. On the Windows 7/Windows Vista selection, select the An antivirus application is on check
box, and then click OK.
4. Verify the client is placed on the restricted network:
a. On NYC-CL1, in the Network Connections window, right-click the Contoso VPN, and then click
Connect.
b. Click Connect.
c. Wait for the VPN connection to be made. Verify that a message appears in the Action Center that
states that the computer doesnt meet security standards.
d. Click Start, click All Programs, click Accessories, and then click Command Prompt.
e. Type ipconfig /all and then press ENTER. View the IP configuration. System Quarantine State
should be Restricted.
The client does not meet the requirements for the network, and therefore is placed on the
restricted network.
f. Disconnect the Contoso VPN.
Results: In this exercise, you enabled and configured a VPN NAP enforcement policy for Contoso
Ltd.

following steps:
4. Repeat these steps for 6419B-NYC-EDGE1and 6419B-NYC-CL1.
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Managing Active Directory Domain Services 1
Module 7
Lab Answer Key: Managing Active Directory Domain Services
Contents:
Lab A: Creating and Managing User and Computer Accounts
Exercise 1: Creating and Configuring User Accounts 2
Exercise 2: Creating and Configuring Computer Accounts 5
Lab B: Managing Groups and Locating Objects in AD DS
Exercise 1: Implement Role-Based Management by Using Groups 6
Exercise 2: Finding Objects in Active Directory 8

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Managing Active Directory Domain Services
Lab A: Creating and Managing User and
Computer Accounts
Exercise 1: Creating and Configuring User Accounts
Task 1: Create the Finance OU
Windows PowerShell.
New-ADOrganizationalUnit -Name Finance -Path "DC=CONTOSO,DC=COM"
Task 2: Create a user template account for the Finance users
Computers
2. In the Active Directory Users and Computers window, expand Contoso.com and then click the
Finance OU in the left pane.
3. On the toolbar, click Action, click New, and then click User.
4. In the New Object User window, populate the fields as follows.
Property Value
First name Finance
Last name Template
Full name Finance Template
User logon name FinanceTemplate
5. Click Next and populate the fields as follows, and then click Next and then Finish.
Property Value
Password Pa$$w0rd
Confirm Password Pa$$w0rd
User must change password at
next logon
Not Selected
Account is disabled Selected
6. In the right pane right-click the Finance Template user, click Properties, click Organization,
populate the fields as follows, and then click OK.
Property Value
Nova 4, LLC
Sep 7 2011 9:53PM
Property Value
Department Finance
Task 3: Create new accounts for Eva and Mark
1. In the Active Directory Users and Computers window, right-click the Finance Template user, and
then click Copy.
2. In the Copy Object User window, populate the fields as follows, and then click Next.
Property Value
First name Eva
Last name Corets
Full name Eva Corets
User logon name Eva
3. In the Copy Object User window, populate the fields as follows, click Next, and then click Finish.
Property Value
Password Pa$$w0rd
4. In the Active Directory Users and Computers window, right-click the Finance Template user, and
then click Copy.
5. In the Copy Object User window, populate the fields as follows, and then click Next.
Property Value
First name Mark
Last name Steele
Full name Mark Steele
User logon name Mark
6. In the Copy Object User window, populate the fields as follows, click Next, and then click Finish.
Property Value
Password Pa$$w0rd
Nova 4, LLC
Sep 7 2011 9:53PM
Task 4: Confirm the functionality of user accounts
1. Switch to the 6419B-NYC-CL1 virtual machine.
2. On NYC-CL1, log on as Contoso\Eva with a password of Pa$$w0rd.
4. On NYC-CL1, log on as Contoso\Mark with a password of Pa$$w0rd.
Task 5: Disable the new user accounts
2. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory
Administrative Center.
4. Click Eva Corets, press and hold the Ctrl key, and click Mark Steele. Release the Ctrl key, right-click
Mark Steele, and then click Disable All.
Results: In this exercise, you created and configured user accounts.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Creating and Configuring Computer Accounts
Task 1: Create computer accounts by using Active Directory management tools
Computers.
2. In the Active Directory Users and Computers window, click the Computers container in the left
pane.
3. On the toolbar, click Action, click New, and then click Computer.
4. In the Computer name box, type NYC-CL5, and then click OK.
Windows PowerShell.
7. At the command prompt, type the following command and then press ENTER:
New-ADComputer Name NYC-CL6 -SamAccountName NYC-CL6 -Path
CN=Computers,DC=CONTOSO,DC=COM'
8. Close the command prompt window.
Task 2: Configure computer accounts attributes
then double-click the Computers container in the middle pane.
3. Click NYC-CL5, press and hold the Ctrl key and click NYC-CL6. Release the Ctrl key, right-click NYC-
CL6, and then click Move.
4. In the Move window, click the Finance OU, and then click OK.
Results: In this exercise, you configured computer account attributes.

Nova 4, LLC
Sep 7 2011 9:53PM
Lab B: Managing Groups and Locating Objects
in AD DS
Exercise 1: Implement Role-Based Management by Using Groups
Task 1: Determine group requirements
Question: Which type of group should you create to group the Finance users together?
Answer: A global group should be created for the Finance department users. This group type gives the
most flexibility in group membership within the domain.
Question: How can you create a group structure that allows the Finance department members change
permissions and also allows other users and groups from the organization to be easily assigned these
permissions as well?
Answer: You could create a domain local group called Finance_Folders_Change and place the Finance
global group inside of it. Then, the Finance_Folders_Change group could be assigned Change permission
rights on the necessary folders. If new users or groups need to have the same access, they can simply be
added to the Finance_Folders_Change domain local group.
Task 2: Use management tools to create AD DS groups
Windows PowerShell.
New-ADGroup Name Finance SAMAccountName Finance GroupCategory Security GroupScope
Global DisplayName Finance Department Path OU=Finance,DC=CONTOSO,DC=COM
New-ADGroup Name Finance_Folders_Change SAMAccountName FinanceFoldersChange
GroupCategory Security GroupScope DomainLocal DisplayName Change Access to Finance
Folders Path OU=Finance,DC=CONTOSO,DC=COM
Task 3: Modify group attributes
3. Click Eva Corets, press and hold the Ctrl key, and click Mark Steele. Release the Ctrl key, right-click
Mark Steele, and then click Add to group.
4. In the Enter the object name to select box, type Finance, and then click Check Names.
6. In the Select Groups window, click OK.
Computers.
Nova 4, LLC
Sep 7 2011 9:53PM
9. In the Active Directory Users and Computers window, click the Finance OU in the left pane, right-
click the Finance_Folders_Change group in the right pane, and then click Properties.
10. In the Finance_Folders_Change Properties window, click the Members tab, and then click Add.
11. In the Enter the object name to select box, type Finance, and then click Check Names.
13. In the Select Users, Contacts, Computers, Service Accounts, or Groups window, click OK.
14. In the Finance_Folders_Change Properties window, click OK.
Results: In this exercise, you implemented role-based management by using groups.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Finding Objects in Active Directory
Task 1: Create and save an AD DS query
Computers.
2. In the Active Directory Users and Computers window, right-click Saved Queries, click New, and
then click Query.
3. In the New Query window, type Finance Groups, in the Name box, and then click Define Query.
4. In the Find Common Queries window, click the Groups tab, click the drop-down box beside the
Name box, and then click Starts with.
5. In the Name field, type Finance, and then click OK.
6. In the New Query window, click OK.
7. Expand Saved Queries, and then click the Finance Groups query to confirm the result.
Task 2: Use dsquery to locate AD DS objects
1. On NYC-DC1, click Start, click Run, type cmd in the Open box, and then click OK.
dsquery user "ou=Finance,dc=Contoso,dc=com" disabled
Task 3: Use Windows PowerShell to query AD DS
Windows PowerShell.
Get-ADGroupMember Finance
Results: In this exercise, you located objects in Active Directory.
following steps:

Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Configuring Active Directory Object Administration and Domain Trust 1
Module 8
Lab Answer Key: Configuring Active Directory Object
Administration and Domain Trust
Contents:
Exercise 1: Delegating Control of AD DS Objects 2
Exercise 2: Creating Managed Service Accounts in AD DS 4
Lab B: Administer Trust Relationships
Adatum.com 6
Exercise 2: Configuring a Forest Trust 7

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Configuring Active Directory Object Administration and Domain Trust

Exercise 1: Delegating Control of AD DS Objects
Task 1: Delegate management tasks for the Marketing OU.
2. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and
Computers. The Active Directory Users and Computers console opens.
3. In the console pane, expand Contoso.com, and then click Marketing.
4. Right-click Marketing, and then click Delegate Control. The Delegation of Control Wizard opens.
5. In the Delegation of Control Wizard, click Next.
6. On the Users or Groups page, click Add.
7. In the Select Users, Computers, or Groups dialog box, type Marketing_Managers, click OK, and
then click Next.
8. On the Tasks to Delegate page, select the Create, delete, and manage user accounts check box,
click Next, and then click Finish.
Task 2: Verify effective permissions assigned for the Marketing OU.
1. In the Active Directory Users and Computers console, click the View menu, and then click
Advanced Features.
2. Right-click the Marketing OU, and then click Properties.
3. In the Marketing Properties dialog box, click the Security tab.
4. On the Security tab, click Advanced.
5. On the Advanced Security Settings for Marketing dialog box, click the Effective Permissions tab.
6. On the Effective Permissions tab, click Select.
7. In the Select User, Computer, Service Account, or Group dialog box, type Don, and then click OK.
Verify that Don Roessler has permissions to create and delete user objects.
8. Click OK to close the Advanced Security Settings for Marketing dialog box.
9. Click OK to close the Marketing Properties dialog box.
Task 3: Test delegated permissions.
1. Log on to NYC-SVR1 as Contoso\Don, with the password, Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
The Active Directory Users and Computers console opens.
3. Expand Contoso.com, and then click the Marketing OU.

Nova 4, LLC
Sep 7 2011 9:53PM
4. Right-click the Marketing OU, and then point to New. Notice that you are only able to create a new
user.
5. Close Active Directory Users and Computers and log off from NYC-SVR1.
Results: After completing this exercise, you will have delegated the right to manage user accounts to
the Marketing Managers.

Nova 4, LLC
Sep 7 2011 9:53PM

Exercise 2: Creating Managed Service Accounts in AD DS
Task 1: Use Windows PowerShell to create and associate a managed service account.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Module
for Windows PowerShell. The Administrator: Active Directory Module for Windows PowerShell
console opens.
2. At the prompt, type the following command and then press Enter.
New-ADServiceAccount Name App1_SVR1
3. At the prompt, type the following command, and then press Enter.
Add-ADComputerServiceAccount identity NYC-SVR1 ServiceAccount App1_SVR1
Get-ADServiceAccount -Filter 'Name -like "*"' | FT Name,HostComputers A
5. Verify that the App1_SVR1 service account is associated with NYC-SVR1.
Task 2: Install a managed service account on a server.
2. Log on to NYC-SVR1 as Contoso\Administrator, with the password, Pa$$w0rd.
3. Click Start, point to Administrative Tools, and then click Active Directory Module for Windows
PowerShell. The Administrator: Active Directory Module for Windows Powershell console
opens.
Install-ADServiceAccount -Identity App1_SVR1
5. Click Start, point to Administrative Tools, and then click Services.
6. In the Services console, right-click Disk Defragmenter, and then click Properties.
Note: The Disk Defragmenter service is just used as an example for this lab. In a production
environment, you would use the actual service that should be assigned the managed service account.
7. In the Disk Defragmenter Properties dialog box, click the Log On tab.
8. On the Log On tab, click This account, and then type Contoso\App1_SVR1$.
9. Clear the password for both the Password and Confirm password boxes. Click OK.
10. Click OK at all prompts.
11. Close the Services console.
Nova 4, LLC
Sep 7 2011 9:53PM
Results: After completing this exercise, you will have created and installed a managed service
account.
To prepare for the next lab.
following steps:

Nova 4, LLC
Sep 7 2011 9:53PM

Lab B: Administer Trust Relationships
Adatum.com
Task 1: Configure DNS conditional forwarding on NYC-DC1.
2. On NYC-DC1, click Start, point to Administrative Tools, and then click DNS. The DNS Manager
console opens.
3. In the console pane, click Conditional Forwarders.
4. Right-click Conditional Forwarders, and then click New Conditional Forwarder. The New
Conditional Forwarder dialog box appears.
5. In the New Conditional Forwarder dialog box, under DNS Domain, type Adatum.com.
6. Under IP addresses of the master servers, type 10.10.0.100, and then press Enter.
7. Select the check box next to Store this conditional forwarder in Active Directory, and replicate it
as follows, and then click OK.
8. Close the DNS Manager.
Task 2: Configure DNS conditional forwarding on VAN-DC1.
1. Switch to the VAN-DC1 virtual machine.
2. On VAN-DC1, click Start, point to Administrative Tools, and then click DNS. The DNS Manager
console opens.
3. In the console pane, expand VAN-DC1, and then click Conditional Forwarders.
4. Right-click Conditional Forwarders and then click New Conditional Forwarder. The New
Conditional Forwarder dialog box appears.
5. In the New Conditional Forwarder dialog box, under DNS Domain, type Contoso.com.
6. Under IP addresses of the master servers, type 10.10.0.10, and then press Enter.
7. Select the check box next to Store this conditional forwarder in Active Directory, and replicate it
as follows, and then click OK.
8. Close the DNS Manager.
Results: After completing this exercise, you will have configured name resolution between the

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring a Forest Trust
Task 1: Use the New Trust Wizard to create a Forest Trust.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Domains
and Trusts. The Active Directory Domains and Trusts console opens.
2. In the console pane, right-click Contoso.com and then click Properties.
3. In the Contoso.com Properties dialog box, click the Trusts tab.
4. On the Trusts tab, click New Trust. The New Trust Wizard starts. Click Next.
5. On the Trust Name page, type Adatum.com, and then click Next.
6. On the Trust Type page, select Forest trust, and then click Next.
7. On the Direction of Trust page, select Two-way, and then click Next.
8. On the Sides of Trust page, select Both this domain and the specified domain, and then click
Next.
9. On the User Name and Password page, configure the following and then click Next:
Password: Pa$$w0rd
10. On the Outgoing Trust Authentication Level Local Forest page, select Forest-wide
authentication, and then click Next.
11. On the Outgoing Trust Authentication Level Specified Forest page, select Forest-wide
authentication, and then click Next.
12. On the Trust Selections Complete page, click Next.
13. On the Trust Selections Complete page, click Next.
14. On the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust, and then click Next.
15. On the Confirm Incoming Trust page, click Yes, confirm the incoming trust, and then click Next.
16. On the Completing the New Trust Wizard, verify that the trust relationship is successfully created
and confirmed, and then click Finish.
17. Click OK to close the Contoso.com Properties box, and then close Active Directory Domains and
Trusts.
Task 2: Configure selective authentication.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Domains
and Trusts. The Active Directory Domains and Trusts console opens.
2. In the console pane, right-click Contoso.com, and then click Properties.
3. In the Contoso.com Properties dialog box, click the Trusts tab.
4. Under Domains trusted by this domain, select Adatum.com, and then click Properties.
5. On the Adatum.com Properties dialog box, click the Authentication tab.
6. On the Authentication tab, click Selective authentication, and then click OK.
Nova 4, LLC
Sep 7 2011 9:53PM

7. Click OK to close the Contoso.com Properties box, and then close Active Directory Domains and
Trusts.
8. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
The Active Directory Users and Computers console opens.
9. On the View menu, click Advanced Features.
10. Expand Contoso.com and then click the Computers container.
11. Right-click NYC-SVR1, and then click Properties.
12. Click the Security tab.
13. Click Add, and then, in the Select Users, Computers, Service Accounts, or Groups dialog box, click
Locations.
14. In the Locations dialog box, click Adatum.com, and then click OK.
15. In the Select Users, Computers, Service Accounts, or Groups dialog box, type Domain Users, and
then click OK.
16. Ensure that Domain Users (ADATUM\Domain Users) is selected, and then select the Allow check
box next to the Allowed to authenticate permission.
17. Click OK to close the NYC-SVR1 Properties dialog box.
Results: After completing this exercise, you will have created a Forest Trust and Selective
authentication.
following steps:
4. Repeat these steps for 6419B-VAN-DC1.
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Creating and Managing Group Policy Objects 1
Module 9
Lab Answer Key: Creating and Managing Group Policy
Objects
Contents:
Exercise 1: Creating and Configuring Group Policy Objects 2
Exercise 2: Managing the Scope of GPO Application 5
Exercise 1: Verifying GPO Application 6
Exercise 2: Managing GPOs 7

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Creating and Managing Group Policy Objects

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete
Password: Pa$$w0rd
Domain: Contoso
Exercise 1: Creating and Configuring Group Policy Objects
Task 1: Create the GPOs.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand
Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Group Policy
Objects.
3. Right-click the Group Policy Objects folder, and then click New.
4. In the New GPO dialog box, in the Name field, type Restrict Run Command, and then click OK.
5. Repeat the previous two steps to create the following GPOs:
Baseline Security
Windows 7 and Windows Vista Security
IT Favorites
Task 2: Configure the GPO settings.
A. Configure the Restrict Run Command policy
1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the
Restrict Run Command policy, and then click Edit.
2. In the Group Policy Management Editor window, under User Configuration, expand Policies,
expand Administrative Templates, and then click Start Menu and Taskbar.
3. In the details pane, double-click Remove Run menu from the Start Menu.
4. In the Remove Run menu from Start Menu dialog box, click Enabled, and then click OK.
5. Close Group Policy Management Editor.
B. Configure the Baseline Security Policy
Baseline Security policy, and then click Edit.
Nova 4, LLC
Sep 7 2011 9:53PM
2. In the Group Policy Management Editor window, under Computer Configuration, expand
Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then
click Security Options.
3. In the details pane, double-click Interactive logon: Do not display last user name.
4. In the Interactive logon: Do not display last user name Properties dialog box, select the Define
this policy setting check box, click Enabled, and then click OK.
C. Configure the Windows 7 and Windows Vista Security policy
Windows 7 and Windows Vista Security GPO, and then click Edit.
Policies, expand Administrative Templates, expand System, and then click Logon.
3. In the details pane, double-click Always wait for the network at computer startup and logon.
4. In the Always wait for the network at computer startup and logon dialog box, click Enabled, and
then click OK.
D. Configure the IT Favorites Policy
1. In the Group Policy Management window, in the Group Policy Objects folder, right-click the IT
Favorites policy, and then click Edit.
expand Windows Settings, expand Internet Explorer Maintenance, and then click URLs.
3. In the details pane, double-click Favorites and Links.
4. In the Favorites and Links dialog box, click Add URL.
5. In the Details dialog box, in the Name field, type Tech Support.
6. In the URL field, type http://support.microsoft.com.
7. Click OK twice.
Task 3: Link the GPOs to the appropriate containers.
1. In the Group Policy Management window, right-click the Contoso.com domain, and then click Link
an Existing GPO.
2. In the Select GPO dialog box, click the Baseline Security GPO. Hold down CTRL and then click the
following GPOs:
Restrict Run Command
Windows 7 and Windows Vista Security
3. Click OK.

Nova 4, LLC
Sep 7 2011 9:53PM

4. Right-click the IT OU, and then click Link an Existing GPO.
5. In the Select GPO dialog box, click the IT Favorites GPO, and then click OK.
Result: After completing this exercise you will have created and configured GPOs.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Managing the Scope of GPO Application
Task 1: Configure Group Policy management for the domain container.
1. In the Group Policy Management window, expand the Contoso.com domain to expose the linked
policies (denoted by the shortcut icons).
2. Right-click the Baseline Security link, and then click Enforced.
3. Right-click the Windows 7 and Windows Vista Security link, and then click Enforced.
Task 2: Configure Group Policy management for the IT OU.
In the Group Policy Management window, right-click the IT OU, and then click Block Inheritance.
Task 3: Create and apply a WMI filter for the Server Security GPO.
1. In the Group Policy Management window console pane, right-click the WMI Filters folder, and
then click New.
2. In the New WMI Filter dialog box, in the Name field, type Windows 7 or Windows Vista
operating system.
3. Click Add.
4. In the WMI Query dialog box, in the Query field, type
Select * from Win32OperatingSystem where Caption = Microsoft Windows 7 Enterprise OR
Caption = Microsoft Windows Vista Enterprise.
5. Click OK, and then click Save.
6. In the left-hand console pane, expand the Group Policy Objects folder, click the Windows 7 and
Windows Vista Security policy, and then, in the details pane, click the Scope tab.
7. In the WMI Filtering list, click Windows 7 or Windows Vista operating system.
8. In the Group Policy Management dialog, click Yes.
Result: After completing this exercise you will have configured the scope of GPO settings.
Nova 4, LLC
Sep 7 2011 9:53PM

Exercise 1: Verifying GPO Application
Task 1: Verify that a user in the domain has the Run command removed from the Start
menu.
1. Log on to NYC-CL1 as CONTOSO\Max, with the password, Pa$$w0rd.
2. Click Start, point to All Programs, point to Accessories and then verify that Run is not present in
the Start menu.
Task 2: Verify that a user in the IT OU is receiving the correct policy.
1. Log on to NYC-CL1 as CONTOSO\Ed, with the password, Pa$$w0rd.
2. Click Start, point to All Programs, click Accessories and then verify that Run is present.
3. Click Start, point to All Programs, and then click Internet Explorer. At the Set Up Windows
Internet Explorer 8 dialog box, click Ask me later.
4. In the Internet Explorer window, click the Favorites button, and then verify that the link to Tech
Support is present.
5. Restart NYC-CL1.
Task 3: Verify that the last logged on user name does not appear.
After NYC-CL1 is restarted, verify that the last logged on user name does not appear.
Note: To see this information, press CTRL-ALT-DEL to see the logon screen.

Result: After completing this exercise you will have tested and verified a GPO application

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Managing GPOs
Task 1: Back up an individual policy.
1. On NYC-DC1, in the Group Policy Management window, under the Group Policy Objects folder,
right-click the Restrict Run Command policy, and then click Back Up.
2. In the Back Up Group Policy Object dialog box, click Browse.
3. Browse to Local Disk (C:) and then click Make New Folder.
4. Type GPO Backup, and then press Enter.
5. Click OK, and then click Back Up.
6. When the backup completes, click OK.
Task 2: Back up all GPOs.
1. In the console pane, right-click the Group Policy Objects folder, and then click Back Up All.
2. In the Back Up Group Policy Object dialog box, in the Location field, type C:\GPO Backup and
then click Back Up.
3. When the backup completes, click OK.
Task 3: Delete and restore an individual GPO.
1. In the Group Policy Objects folder, right-click the IT Favorites policy, and then click Delete.
2. In the Group Policy Management dialog box, click Yes.
3. Right-click the Group Policy Objects folder, and then click Manage Backups.
4. In the Manage Backups dialog, click the IT Favorites GPO, and then click Restore.
5. In the Group Policy Management dialog box, click OK.
6. In the Restore dialog box, click OK and then click Close.
7. Verify that the IT Favorites GPO appears in the Group Policy Objects folder.
Task 4: Import a GPO.
1. Right-click the Group Policy Objects folder, and then click New.
2. In the New GPO dialog box, in the Name field, type Import, and then click OK.
3. Right-click the Import GPO, and then click Import Settings.
4. In the Import Settings Wizard, click Next.
5. On the Backup GPO page, click Next.
6. On the Backup location page, verify the Backup folder is C:\GPO Backup, and then click Next.
7. On the Source GPO page, click Restrict Run Command, and then click Next.
Note: If more than one copy of the Restrict Run Command GPO appears, choose the newer one.
8. On the Scanning Backup page, click Next, and then click Finish.
9. When the import completes, click OK.
Nova 4, LLC
Sep 7 2011 9:53PM

10. In the left-hand console pane, expand the Group Policy Objects folder, click the Import GPO, and
then, in the details pane, click the Settings tab.
11. Click show all.
12. Verify that the Remove Run menu from Start Menu policy setting is enabled.
Result: After completing this exercise you will have backed up restored and imported GPOs.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Troubleshooting Incorrect Policy Settings: Scenario 1.
Task 1: Restore the TestA GPO.
1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects,
and then click Manage Backups.
2. In the Backup location box, type C:\Tools\GPOBackup and then press Enter.
3. In the Manage Backups dialog box, click TestA, and then click Restore.
4. Click OK twice, and then click Close.
Task 2: Link the TestA GPO to the IT OU.
1. In the Group Policy Management console pane, right-click IT, and then click Link an Existing
GPO.
2. In the Select GPO dialog box, click TestA, and then click OK.
2. Click Start, and then notice the presence of the Run command. According to the scenario, this is not
the desired behavior.
1. On NYC-DC1, in the Group Policy Management console pane, expand Group Policy Results, right-
click Ed on NYC-CL1, and then click Rerun Query.
2. Click Ed on NYC-CL1.
3. In the details pane, on the Summary tab, under User Configuration Summary, click Group Policy
Objects, and then click Applied GPOs. Notice that the TestA GPO is being applied.
4. On the Settings tab, under User Configuration, click Administrative Templates, and then click
Start Menu and Taskbar. Notice that the Add the Run command to the Start Menu setting is
enabled.
1. In the Group Policy Management console pane, under Group Policy Objects, right-click TestA,
and then click Edit.
expand Administrative Templates, and then click Start Menu and Taskbar.
3. In the details pane, double-click Add the Run command to the Start Menu.
4. In the Add the Run command to the Start Menu dialog box, click Disabled, and then click OK.

Nova 4, LLC
Sep 7 2011 9:53PM

7. Click Start, and then notice that the Run command is no longer present.

Result: After completing this exercise, you will have resolved a Group Policy object issue.

Nova 4, LLC
Sep 7 2011 9:53PM
Task 1: Create a new OU named, Loopback.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and
Computers.
2. In the Active Directory Users and Computers console pane, right-click CONTOSO.com, point to
New, and then click Organizational Unit.
3. In the New Object Organizational Unit dialog box, type Loopback, and then click OK.
Task 2: Restore the TestB GPO.
1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects,
and then click Manage Backups.
2. In the Backup location field, type C:\Tools\GPOBackup, and then press ENTER.
3. In the Manage Backups dialog box, click TestB, and then click Restore.
4. Click OK twice, and then click Close.
Task 3: Link the TestB GPO to the Loopback OU.
1. In the Group Policy Management console pane, right-click Group Policy Management, and then
click Refresh.
2. Right-click Loopback, and then click Link an Existing GPO.
3. In the Select GPO dialog box, click TestB, and then click OK.
Task 4: Move NYC-CL1 to the Loopback OU.
1. In the Active Directory Users and Computers console pane, expand Contoso.com, and then click
Computers.
2. In the details pane, right-click NYC-CL1, and then click Move.
3. In the Move dialog box, click Loopback, and then click OK.
1. On NYC-CL1, restart the computer.
2. When the computer restarts, log on as Contoso\Ed, with the password, Pa$$w0rd.
3. Click Start and notice that the Run command is present again.
1. On NYC-DC1, in the Group Policy Management console pane, right-click Ed on NYC-CL1, and then
click Rerun Query.
2. In the details pane, on the Summary tab, under Computer Configuration Summary, click Group
Policy Objects, and then click Applied GPOs. Notice that the Test B GPO has been applied.
3. On the Settings tab, under Computer Configuration, click Administrative Templates, and then
click System/Group Policy. Notice that loopback processing mode is enabled.
Note: Group Policy applies to the user or computer in a manner that depends on where both the user
and the computer objects are located in Active Directory. However, in some cases, users may need
Nova 4, LLC
Sep 7 2011 9:53PM

policy applied to them based on the location of the computer object alone. You can use the Group
Policy loopback feature to apply Group Policy objects (GPOs) that depend only on which computer the
user logs on to.
1. In the Group Policy Management console pane, expand the Loopback OU, right-click TestB, and
then click Link Enabled to clear the check mark.
Note: Another alternative would be to disable loopback processing in the GPO itself, especially if there
were other settings in the GPO that you did wish to have applied.
2. Close Group Policy Management.
3. On NYC-CL1, restart the computer.
4. When the computer restarts, log on as CONTOSO\Ed, with the password, Pa$$w0rd.
5. Click Start and notice that the Run command is no longer present.
Result: After completing this exercise, you will have resolved a Group Policy objects issue.
following steps:

Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Using Group Policy to Configure User and Computer Settings 1
Module 10
Lab Answer Key: Using Group Policy to Configure User and
Computer Settings
Contents:
Lab A: Using Group Policy to Configure Scripts and Folder Redirection
Exercise 1: Using a Group Policy Logon Script to Map a Network Drive 2
Exercise 2: Using Group Policy to Redirect Folders 4
Exercise 1: Configuring Administrative Templates 6
Exercise 1: Deploying a Software Package by Using Group Policy 8
Exercise 1: Deploying Group Policy Preferences 10

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Using Group Policy to Configure User and Computer Settings
Lab A: Using Group Policy to Configure Scripts
and Folder Redirection
Exercise 1: Using a Group Policy Logon Script to Map a Network Drive
Task 1: Create a script to map a drive to the data share
1. On NYC-DC1, click Start, in the Search programs and files box, type Notepad, and then press ENTER.
2. In the Notepad, type Net use t: \\nyc-dc1\data.
3. Click File and click Save. Save the file as Map.bat. Ensure that you click the Save as type: drop-down
arrow in the Save As dialog box and select All Files (*.*) as the type. Save the file to the default
location of Documents.
4. Close Notepad.
5. Click Start, click Computer, and then click Documents.
6. Right-click the Map.bat file and click Copy. (You will paste it into the Netlogon share later.)
7. Close the Documents window.
Task 2: Create and link a GPO
1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. Expand Forest:Contoso.com, and then expand Domains.
3. Right-click Contoso.com, click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, in the Name box, type DriveMap, and then click OK.
Task 3: Edit the GPO and store the script in Sysvol
1. Expand Contoso.com, right-click the Drivemap GPO, and then click Edit.
2. In Group Policy Management Editor, under User Configuration, expand Policies, expand
Windows Settings, and click Scripts (Logon\Logoff).
3. In the details pane, double-click Logon.
4. In the Logon Properties dialog box, click Show Files. (This opens the Netlogon share in Computer).
5. In the details pane, right-click a blank area and then click Paste.
6. Close the Logon window.
7. In the Logon Properties dialog box, click Add.
8. In the Add a Script dialog box, click Browse.
9. Click the Map.bat script and then click Open.
10. Click OK twice to close all dialog boxes.
11. Close the Group Policy Management Editor and the Group Policy Management console.
Task 4: Test the results
1. OnNYCCL1,logonasContoso\AdministratorwithapasswordofPa$$word.
2. Click Start and click Computer and then verify that drive has been mapped.
Nova 4, LLC
Sep 7 2011 9:53PM
3. Log off NYC-CL1.
Results: In this exercise, you created a script and a GPO to assign the script and store the script in a
highly available location.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Using Group Policy to Redirect Folders
Task 1: Create a shared folder
1. On NYC-DC1, click Start, and then click Computer
2. Double-click Local Disk (C:) drive and then click New folder.
3. Name the new folder Redirect.
4. Right-click the Redirect folder, click Share with, and then click Specific people.
5. In the File Sharing dialog box, click the drop-down arrow, and then select Find people.
6. In the Select Users or Groups dialog box, type Research, and then click OK.
7. In the File Sharing dialog box, click the Permission Level drop-down arrow for the Research group,
and then click Read/Write.
8. Click Share and then click Done.
9. Close the Local Disk (C:) window.
Task 2: Create a GPO to redirect the Documents folder
1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. Expand Forest: Contoso.com, expand Domains, and then expand Contoso.com
3. Right-click the Research OU, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, in the Name box, type Redirect, and then click OK.
5. Expand the Research OU, right-click the Redirect GPO, and then click Edit.
6. In the Group Policy Management Editor, under User Configuration, expand Policies, expand
Windows Settings, and then expand Folder Redirection.
7. Right-click Documents and then click Properties.
8. In the Document Properties dialog box, on the Target tab, In the Setting box, select Basic
Redirect everyones folder to the same location.
9. Ensure the Target folder location box is set to Create a folder for each user under the root path.
10. In the Root Path box, type \\NYC-DC1\Redirect, click OK. In the Warning dialog box, click Yes.
Task 3: Test folder redirection
2. Click Start, right-click Documents, and then click Properties. In the Documents Properties dialog
box, note that the location of the folder is now the Redirect network share in a subfolder named for
the user.
Note: Due to cached credentials, you may need to log on twice to see the redirection unless the
user has never logged on to this computer before.
Nova 4, LLC
Sep 7 2011 9:53PM
Results: In this exercise, you created and set permissions on a shared folder. You created and
linked a GPO to redirect the executives documents to the shared folder.
1. When you finish the lab, leave the virtual machines running.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Configuring Administrative Templates
Task 1: Create and link a GPO to the Research OU
2. Expand Forest:Contoso.com, expand Domains, and then expand Contoso.com.
3. Right-click the Research OU, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, in the Name box, type ResearchDesktop, and then click OK.
Task 2: Deny access to registry editing tools
1. Expand the Research OU, right-click the ResearchDesktop GPO, and then click Edit.
2. In Group Policy Management Editor, under User Configuration, expand Policies, and then
expand Administrative Templates
3. Click System. In the details pane, double-click Prevent access to registry editing tools.
4. In the Prevent access to registry editing tools dialog box, click Enabled, and then click OK.
Task 3: Deny access to the Run menu
1. In the folder tree, click the Start Menu and Taskbar folder.
2. In the details pane, double-click the Remove Run menu from Start Menu setting.
Task 4: Deny write access to removable storage
1. In the folder tree, expand the System folder, and then click the Removable Storage Access folder.
2. In the details pane, double-click the Removable disks: Deny write access setting.
3. In the Removable disks: Deny write access dialog box, click Enabled, and then click OK.
Task 5: Deny access to the desktop background settings
1. In the folder tree, expand the Control Panel folder, and then click the Personalization folder.
2. In the details pane, double-click Prevent changing desktop background.
3. In the Prevent changing desktop background dialog box, click Enabled, and then click OK.
Task 6: Allow remote administration through the Windows Firewall
1. Expand Contoso.com, right-click the Default Domain Policy, and then click Edit.
2. Under Computer Configuration, expand Policies, expand Administrative Templates, expand
Network, expand Network Connections, expand Windows Firewall, and then click Domain
Profile.
3. In the details pane, double-click Windows Firewall: Allow inbound remote administration
exception.
4. In the Windows Firewall: Allow inbound remote administration exception dialog box, click
Enabled.
Nova 4, LLC
Sep 7 2011 9:53PM
5. In the Options section, in the Allow unsolicited incoming messages from these IP addresses: box,
type LocalSubnet, and then click OK.
Task 7: Test the settings
2. Click Start, click All Programs, and then click Accessories. Ensure that the Run Menu does not
appear.
3. Click Start, click Control Panel, and then click Change desktop background. Ensure that the
feature has been disabled.
4. Click Start and type Regedit.exe in the Search box. Ensure that Regedit.exe does not appear in the
search results.
Results: In this exercise, you created and linked a GPO to control the desktop environment.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Deploying a Software Package by Using Group Policy
Task 1: Create and populate a shared folder to act as a software distribution point
Create and populate an application distribution folder
2. Double-click Local Disk (C:), and then click New folder.
3. Name the new folder AppDeploy.
4. Right-click the AppDeploy folder, click Share with, and then click Specific people.
5. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add.
Ensure the permission level for Everyone is Read.
6. Click Share and click Done.
7. Click Start and type \\NYC-SVR1\E$\labfiles\Mod10 in the search box and press ENTER.
8. Right-click and copy XMLNotepad.msi file.
9. Browse to C:\AppDeploy and paste the file.
10. Close the AppDeploy window.
Task 2: Create and link a GPO to deploy the software to the IT OU
1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. Click Forest:Contoso.com, expand Domains, and then expand Contoso.com.
3. Right-click the IT OU, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, in the Name box, type Software Deploy, and then click OK.
Task 3: Configure the GPO to publish the XML Notepad 2007 application
1. Expand the IT OU, right-click the Software Deploy GPO, and then click Edit.
2. In Group Policy Management Editor, under User Configuration, expand Policies, expand Software
Settings, and then click Software Installation.
3. Right-click Software Installation, click New, and then click Package.
4. In the Open dialog box, in the File Name box, type \\NYC-DC1\AppDeploy\XMLNotepad.msi, and
click Open.
5. In the Deploy Software dialog box, click Published, and then click OK.
Task 4: Test the deployment
1. Log on to NYC-CL1 as Ed with a password of Pa$$w0rd.
2. Click Start, click Control Panel, click Programs, click Programs and Features, and then click Install a
program from the network.
3. Double-click the XML Notepad 2007 icon.
4. In the XML Notepad 2007 Setup dialog box, click Next.
5. In the XML Notepad 2007 license agreement dialog box, select the checkbox to accept the license
agreement, and click Next.
Nova 4, LLC
Sep 7 2011 9:53PM
6. In the XML Notepad 2007 Setup dialog box, click Next.
7. In the XML Notepad 2007 Setup dialog box, click Install, and then click Finish.
Results: In this exercise, you created and populated a software distribution share and created and
configured a GPO to publish an application.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Deploying Group Policy Preferences
Task 1: Create and share a folder to contain the IT documents
2. Double-click Local Disk (C:) drive, and then click New folder.
3. Name the new folder ITDocs.
4. Right-click the ITDocs folder, click Share with, and then click Specific people.
5. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add.
6. Click Share, and then click Done.
7. Close the Local Disk (C:) window.
Task 2: Use preferences to map a drive for the IT group
1. Click Start, click Administrative Tools, and then click Group Policy Management. Then, expand
Forest:Contoso.com, expand Domains, expand Contoso.com, right-click the Default Domain
Policy, and then click Edit.
2. Under User Configuration, expand Preferences, and then expand Windows Settings.
3. Right-click Drive Maps, click New, and then click Mapped Drive.
4. In the New Drive Properties dialog box, click the Action drop-down arrow, and then select Create.
5. In the Location box, type \\NYC-DC1\ITDocs.
6. Select the Reconnect check box.
7. In the Drive Letter section, click Use, click the drop-down arrow, and then select the drive letter R.
8. Click the Common tab.
9. Select the Run in logged-on users security context (user policy option) check box.
10. Select the Item-level targeting check box.
11. Click Targeting.
12. In the Targeting Editor dialog box, click New Item, and then select Security Group.
13. Click the elipsis beside the Group field and type IT into the Enter the object name to select box and
then click Check Names and then click OK.
14. Click OK to close the Targeting Editor dialog box.
15. Click OK to close the New Drive Properties dialog box.
Task 3: Use preferences to create a desktop shortcut to the Notepad application
1. Right-click Shortcuts, point to New, and then click Shortcut.
2. In the New Shortcut Properties dialog box, in the Action list, select Create.
3. In the Name box, type Notepad.
4. Ensure the Target type is File System Object.
5. In the Location list select All Users Desktop.
6. In the Target path, type C:\Windows\System32\notepad.exe.
Nova 4, LLC
Sep 7 2011 9:53PM
7. Click Common, clear the Run in logged-on users security context (user policy option) check box,
and then click OK.
Task 4: Test the preference settings
1. Log on to NYC-CL1 as Ryan with a password of Pa$$w0rd. Ensure the Notepad shortcut appears on
the desktop.
2. Click Start, click Computer. Ensure that R: drive is mapped to the ITDocs shared folder.
3. Log off NYC-CL1.
4. Log on as Dylan with a password of Pa$$w0rd. Ensure that the Notepad shortcut appears on the
desktop.
5. Click Start and click Computer. Ensure that there is no drive mapped to the ITDocs shared folder.
Results: In this exercise, you used Group Policy preferences to map a drive to selected users and
create a desktop shortcut for all users.
following steps:

Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Implementing Security Settings Using Group Policy 1
Module 11
Lab Answer Key: Implementing Security Settings Using
Group Policy
Contents:
Lab A: Implementing Security Using Group Policy
Exercise 1: Configuring Account and Security Policy Settings 2
Exercise 2: Implementing Fine-Grained Password Policies 5
Lab B: Configuring Restricted Groups and Application Control Policies
Exercise 1: Configuring Restricted Groups 6
Exercise 2: Configuring Application Control Policies 7

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Implementing Security Settings Using Group Policy

Lab A: Implementing Security Using Group
Policy
Lab Setup
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.
Exercise 1: Configuring Account and Security Policy Settings
Task 1: Create an account policy for the domain.
2. In the Group Policy Management console pane, expand Forest: Contoso.com, expand Domains,
expand Contoso.com, and then click Group Policy Objects.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Account Policies, and then click
Password Policy.
5. In the details pane, double-click Minimum password length.
6. In the Minimum password length Properties dialog box, in the Password must be at least field,
type 8, and then click OK.
7. Double-click Minimum password age.
8. In the Minimum password age Properties dialog box, in the Password can be changed after field,
type 19, and then click OK.
9. Double-click Maximum password age.
10. In the Maximum password age Properties dialog box, in the Password will expire in field, type
20, and then click OK.
11. In the console pane, click Account Lockout Policy.
12. In the details pane, double-click Account lockout threshold.
13. In the Account lockout threshold Properties dialog box, under Account will not lock out, type 5,
and then click OK.
14. In the Suggested Value Changes dialog box, click OK to accept the values of 30 minutes.
Nova 4, LLC
Sep 7 2011 9:53PM
Task 2: Configure local policy settings for a Windows 7 client.
1. Start NYC-CL1 and log on as Contoso\Administrator, with the password, Pa$$w0rd.
2. Click Start, type MMC in the search programs and files box, and then press Enter.
3. In the Console1 window, on the File menu, click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, click Add, click Finish
and then click OK.
5. In the console pane, expand Local Computer Policy, expand Computer Configuration, expand
Windows Settings, expand Security Settings, expand Local Policies, and then click Security
Options.
6. In the details pane, double-click Accounts: Administrator account status.
7. In the Accounts: Administrator account status Properties dialog box, click Enabled, and then click
OK.
8. On the File menu, click Add/Remove Snap-in.
9. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, click Add, and then
click Browse.
10. In the Browse for a Group Policy Object dialog box, click the Users tab.
11. Click Non-Administrators, click OK, click Finish, and then click OK.
12. In then console pane, expand Local Computer\Non-Administrators Policy, expand User
Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.
13. In the details pane, double-click Remove Run menu from Start Menu.
15. Close the MMC window and do not save the changes.
16. Restart NYC-CL1.
Task 3: Create a wireless network GPO for Windows 7 client.
1. On NYC-DC1, in the Group Policy Management console pane, right-click Group Policy Objects, and
then click New.
2. In the New GPO dialog box, in the Name field, type Windows 7 Wireless, and then click OK.
3. Expand Group Policy Objects, right-click Windows 7 Wireless, and then click Edit.
expand Windows Settings, and then expand Security Settings.
5. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create a New Wireless
Network Policy for Windows Vista and Later Releases.
6. In the New Wireless Network Policy Properties dialog box, click Add, and then click
Infrastructure.
7. In the New Profiles properties dialog box, in the Profile Name field, type Corporate.
8. In the Network Name(s) (SSID) field, type Corp, and then click Add.
9. On the Security tab, in the Authentication list, click Open with 802.1X, and then click OK.
10. On the Network Permissions tab, click Add.
Nova 4, LLC
Sep 7 2011 9:53PM

11. In the New Permission Entry dialog box, in the Network Name (SSID): field, type Research, verify
that Permission is set to Deny, and then click OK twice.
13. In the Group Policy Management console pane, right-click Contoso.com, and then click Link an
Existing GPO.
14. In the Select GPO dialog box, click Windows 7 Wireless, and then click OK.
Task 4: Configure a policy that prohibits a service on all domain controllers.
1. In the Group Policy Management console pane, expand Group Policy Objects, right-click Default
Domain Controllers Policy, and then click Edit.
expand Windows Settings, expand Security Settings, and then click System Services.
3. In the details pane, double-click Windows Installer.

4. In the Windows Installer Properties dialog box, select the Define this policy setting check box,
verify that Disabled is selected, and then click OK.
Result: After completing this exercise, you will have configured account and security policy settings.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Implementing Fine-Grained Password Policies
Task 1: Create a PSO by using ADSI edit.
1. On NYC-DC1, click Start, click Run, type adsiedit.msc into the Run dialog box , and then press
Enter.
2. Right-click ADSI Edit, click Connect to, and then click OK to accept the defaults.
3. Navigate to DC=Contoso, DC=com, expand CN=System, click CN=Password Settings Container.
4. Right-click CN=Password Settings Container, and then point to New and then click Object. .
5. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next.
6. In Value box, type ITAdmin, and then click Next.
7. In the msDS-PasswordSettingsPrecedence value, type 10. Click Next.
8. In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE. Click Next.
9. In the msDS-PasswordHistoryLength value, type 30. Click Next.
10. In the msDS-PasswordComplexityEnabled value, type TRUE. Click Next.
11. In the msDS-MinimumPasswordLength value, type 10. Click Next.
12. In the msDS-MinimumPasswordAge value, type 06:00:00:00. Click Next.
13. In the msDS-MaximumPasswordAge value, type 07:00:00:00. Click Next.
14. In the msDS-LockoutThreshold value, type 3. Click Next.
15. In the msDS-LockoutObservationWindow value, type 00:00:30:00. Click Next.
16. In the msDS-LockoutDuration value, type 00:00:30:00, and then click Next and then click Finish.
Task 2: Assign the PSO to the Domain Admins global group.
1. In ADSI Edit, select the CN=Password Settings Container and then in the details pane, double-click
CN=ITAdmin.
2. In the CN=ITAdmin Properties window, scroll down and then double-click msDS-PSOAppliesTo.
3. Click Add Windows Account, type Domain Admins into the Enter the object names to select
(examples) field and then click OK.
4. Click OK.
5. Click OK to close the CN=ITAdmin Properties box and then close the ADSI Edit window.
Results: After completing this exercise, you will have implemented a fine-grained password policy.

Nova 4, LLC
Sep 7 2011 9:53PM

Lab B: Configuring Restricted Groups and
Application Control Policies
Exercise 1: Configuring Restricted Groups
Task 1: Configure restricted groups for the local administrators group.
1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management console, expand Forest: Contoso.com, expand Domains, expand
Contoso.com, expand Group Policy Objects, right-click Default Domain Policy, and then click
Edit.
Policies, expand Windows Settings, expand Security Settings, and then click Restricted Groups.
4. Right-click Restricted Groups, and then click Add Group.
5. In the Add Group dialog box, type Administrators, and then click OK.
6. In the Administrators Properties dialog box, next to Members of this group, click Add.
7. In the Add Member dialog box, type CONTOSO\IT, and then click OK.
8. Next to Members of this group, click Add.
9. In the Add Member dialog box, type CONTOSO\Domain Admins, and then click OK twice.
Task 2: Test restricted groups for the local administrators group.
1. Start the 6419B-NYC-CL1 VM. If the VM is already started, shut down NYC-CL1 and restart it.
2. Log on to NYC-CL1 as Contoso\Ed with a password of Pa$$w0rd.
3. .Click Start and in the Start Search field, type Edit local users and groups and then press Enter.
4. In the lusrmgr [Local Users and Groups (Local)] window, click the Groups node in the left hand
pane.
5. In the right hand pane, double-click the Administrators group.
6. In the Administrators Properties window, confirm that CONTOSO\Domain Admins and
CONTOSO\IT are listed in the Members pane.
7. Close the Administrators Properties window.
8. Close the lusrmgr [Local Users and Groups (Local)] window.
Results: After completing this exercise, you configured and tested restricted groups by using Group
Policy.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring Application Control Policies
Task 1: Create a GPO to enforce the default AppLocker Executable rules.
1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.
2. Expand Forest: Contoso.com, and then expand Domains.
3. Expand Contoso.com.
4. Click Group Policy Objects.
5. Right-click Group Policy Objects and click New.
6. Name the new GPO, WordPad Restriction Policy, and then click OK.
7. Right-click WordPad Restriction Policy and click Edit.
8. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand Application Control Policies, and then expand AppLocker.
9. Select Executable Rules, and then right-click and select Create New Rule.
10. Click Next.
11. On the Permissions page, select Deny, and then click Next.
12. On the Conditions page, select Publisher, and then click Next.
13. Click Browse , and then click Computer.
14. Double-click Local Disk (C:).
15. Double-click Program Files, double-click Windows NT, double-click Accessories, select
wordpad.exe, and then click Open.
16. Move the slider up to the File name: position and click Next.
17. Click Next again, and then click Create.
18. Click Yes if prompted to create default rules.
19. In the Group Policy Management Editor, expand Computer Configuration, expand Policies,
20. Expand Application Control Policies.
21. Click AppLocker, and then right-click and select Properties.
22. On the Enforcement tab, under Executable rules, select the Configured check box, and then select
Enforce rules.
23. Click OK.
24. In the Group Policy Management Editor, expand Computer Configuration, expand Policies,
25. Click System Services, and then double-click Application Identity.
26. In the Application Identity Properties dialog box, select the Define this policy setting check box.
27. Select Automatic under Select service startup mode, and click OK.

Nova 4, LLC
Sep 7 2011 9:53PM

Task 2: Apply the GPO to the Contoso.com domain.
1. In the Group Policy Management window, expand Forest: Contoso.com.
2. Expand Domains.
3. Expand Contoso.com.
4. Expand Group Policy Objects.
5. Drag the WordPad Restriction Policy GPO on top of the Contoso.com domain container.
6. Click OK to link the GPO to the domain.
7. Close the Group Policy Management console.
8. Click Start, in the Search programs and files box, type cmd, and then press Enter.
9. In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to
be updated.
Task 3: Test the AppLocker rule.
1. Restart and then log on to the NYC-CL1 as Contoso\Alan, with the password, Pa$$w0rd.
2. Click Start, in the Search programs and files box, type command, and then press Enter.
3. In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to
be updated.
4. Click Start, click All programs, click Accessories, and then click WordPad.
5. Click OK when prompted with a message.
Note: The AppLocker policy should restrict you from running this application. If the application runs,
log off from NYC-CL1 and log on again. It may take a few minutes for the policy setting to apply to
NYC-CL1. After the policy setting is applied, the application will be restricted.

Results: After completing this exercise, you will have restricted an application by using AppLocker.
following steps:
Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Providing Efficient Network Access for Remote Offices 1
Module 12
Lab Answer Key: Providing Efficient Network Access for
Remote Offices
Contents:
Exercise 1: Installing an RODC 2
Exercise 2: Configuring Password Replication Policy and Credential Caching 4
Exercise 1: Configuring BranchCache in Distributed Cache Mode 7
Exercise 2: Configuring BranchCache in Hosted Cache Mode (Optional) 12

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Providing Efficient Network Access for Remote Offices
Lab A: Deploying a Read-Only Domain
Controller
Exercise 1: Installing an RODC
Task 1: Verify the prerequisites for a staged installation of an RODC
1. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and
Computers.
2. Right-click Contoso.com and click Properties.
3. Verify that the forest functional level is at least Microsoft Windows Server 2003 and then click OK.
5. On NYC-SVR1, open Server Manager, under Computer Information, note the domain status. This
computer needs to be in a workgroup to pre-stage it as an RODC.
6. Click Change System Properties.
7. In the System Properties window, click Change.
8. In the Computer Name/Domain Changes window, click Workgroup, type TEMPORARY, and click
OK.
9. Click OK to close the warning.
10. Click OK to confirm changing to the TEMPORARY workgroup.
11. Click OK to close the message about restarting.
12. In the System Properties window, click Close.
13. When prompted, click Restart Now.
Task 2: Stage a delegated installation of an RODC
Computers.
2. Expand Contoso.com, and then click the Computers container, right-click NYC-SVR1, and click
Delete.
3. Click Yes to confirm deleting the computer account.
4. Click Yes to confirm subtree deletion.
5. Right-click Domain Controllers and click Pre-create Read-only Domain Controller account.
6. In the Active Directory Domain Services Installation Wizard, click Next.
7. On the Operating System Compatibility page, click Next.
8. On the Network Credentials page, click Next.
9. On the Specify the Computer Name page, type NYC-SVR1, and then click Next.
10. On the Select a Site page, click Next.
11. On the Additional Domain Controller Options page, click Next.
Nova 4, LLC
Sep 7 2011 9:53PM
12. On the Delegation of RODC Installation and Administration page, in the Group or user box, type
CONTOSO\IT, and then click Next.
13. Review your selections on the Summary page, and then click Next.
14. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
15. Click the Domain Controllers OU and read the DC Type for NYC-SVR1.
Task 3: Complete a staged installation of an RODC
1. Log on to NYC-SVR1 as Administrator with the password of Pa$$w0rd.
2. On NYC-SVR1, click Start, type dcpromo, and press ENTER.
3. In the Active Directory Domain Services Installation Wizard, click Next.
4. On the Operating System Compatibility page, click Next.
5. On the Choose a Deployment Configuration page, select Existing forest, click Add a domain
controller to an existing domain, and then click Next.
6. On the Network Credentials page, type contoso.com.
7. Click Set.
8. In the User Name box, type Andrea. Andrea is a member of the IT group that was delegated
permission to install in the previous task.
9. In the Password box, type Pa$$w0rd, and then press ENTER.
10. On the Network Credentials page, click Next.
11. On the Select a Domain page, select contoso.com (forest root domain), and then click Next.
A message appears to inform you that your credentials do not belong to the Domain Admins or
Enterprise Admins groups. Because you have prestaged and delegated administration of the RODC,
you can proceed with the delegated credentials.
12. Click Yes to continue.
A message appears to inform you that the account for NYC-SVR1 has been prestaged in Active
Directory as an RODC.
13. Click OK to use the existing an account.
14. On the Location For Database, Log Files, and SYSVOL page, click Next.
15. On the Directory Services Restore Mode Administrator Password page, in the Password and
Confirm Password boxes, type Pa$$w0rd, and then click Next.
16. On the Summary page, click Next.
17. In the progress window, select the Reboot On Completion check box.
Results: In this exercise, you configured NYC-SVR1 as an RODC in the contoso.com domain.
Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring Password Replication Policy and Credential Caching
Task 1: Configure domain-wide password replication policy
Computers.
2. In the Active Directory Users and Computers console tree, expand Contoso.com, and then click
the Users container.
3. Double-click Allowed RODC Password Replication Group.
4. Click the Members tab.
5. Examine the default membership of Allowed RODC Password Replication Group and note that
there are no members by default.
6. Click OK.
7. Double-click Denied RODC Password Replication Group.
8. Click the Members tab.
9. Click Add, type DNSAdmins, and then press ENTER.
10. Click OK.
11. In the console tree, click the Domain Controllers OU.
12. Right-click NYC-SVR1 and click Properties.
13. Click the Password Replication Policy tab. Verify that the Allowed RODC Password Replication
Group and Denied RODC Password Replication Group are listed.
14. Click OK.
Task 2: Create a group to manage password replication to the remote office RODC
1. In the Active Directory Users and Computers console tree, click the Research OU.
2. Right-click Research, point to New, and then click Group.
3. In the Group name: box, type Remote Office Users, and then click OK.
4. Right-click Remote Office Users, and then click Properties.
5. Click the Members tab, and then click the Add button.
6. Click Object Types, select the Computers check box, and then click OK.
7. Type Alan; Alexander; Dylan; Max; NYC-CL1, and then click OK.
8. Click OK to close the Remote Office Users Properties dialog box.
Task 3: Configure password replication policy for the remote office RODC
1. In the console tree, click the Domain Controllers OU.
3. Click the Password Replication Policy tab.
4. Click the Add button.
5. Click Allow passwords for the account to replicate to this RODC, and then click OK.
6. In the Select Users, Computers, or Groups window, type Remote Office Users, and then press
ENTER.
Nova 4, LLC
Sep 7 2011 9:53PM
Task 4: Evaluate resultant password replication policy
3. Click the Advanced button.
4. In the Advanced Password Replication Policy for NYC-SVR1 window, click the Resultant Policy tab,
and then click the Add button.
5. Type Alex, and then press ENTER. Confirm that Alexanders password can be cached.
6. Click Close.
Task 5: Monitor credential caching
1. Attempt to log on to NYC-SRV1 as Alexander with the password Pa$$w0rd. This logon will fail
because Alexander does not have the permission to log on to the RODC, but authentication is
performed. Click OK at the error message.
2. On NYC-DC1, in the Active Directory Users and Computers right-click NYC-SVR1, and then click
Properties.
5. From the drop-down list, select Accounts that have been authenticated to this Read-only
Domain Controller. Notice that Alexanders password has been cached.
6. Click Close, and then click OK.
Task 6: Prepopulate credential caching
1. In the Active Directory Users and Computers console, right-click NYC-SVR1, and then click
Properties.
4. On the Policy Usage tab, click Prepopulate Passwords.
5. Type Alan; NYC-CL1, and then click OK.
6. Click Yes to confirm that you want to send the credentials to the RODC.
7. Click OK to clear the message indicating that the password was successfully cached.
8. On the Policy Usage tab, read the list of cached passwords to confirm that the passwords for Alan
and NYC-CL1 have been cached.
9. Click Close.
10. Click OK.
Task 7: Test cached passwords on NYC-SVR1
1. Shut down NYC-DC1.
2. On NYC-CL1, click Start and click Control Panel.
3. Click Network and Internet and click Network and Sharing Center.
Nova 4, LLC
Sep 7 2011 9:53PM
4. Click Local Area Connection 3 and then click Properties.
5. In the Local Area Connection 3 Properties window, click Internet Protocol Version 4 (TCP/IPv4),
6. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, in the Alternate DNS box, type
10.10.0.11, and then click OK.
7. In the Local Area Connection 3 Properties window, click Close.
9. On NYC-CL1, log off and then log on as Alexander with a password of Pa$$w0rd.
10. On NYC-CL1, log off and then log on as Alan with a password of Pa$$w0rd.
Results: In this exercise, you configured and tested password replication for an RODC.
following steps:

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Configuring BranchCache in Distributed Cache Mode
Task 1: Configure NYC-DC1 to use BranchCache
1. On the Start menu of NYC-DC1, point to Administrative Tools, and then click Server Manager.
2. In the tree pane of the Server Manager console, click Roles.
3. In the details pane, scroll down to the File Services section and then click Add Role Services.
4. On the Select Role Services page, in the Role services list, select the BranchCache for network
files check box, and then click Next.
8. On the Start menu of NYC-DC1, in the Search programs and files box, type gpedit.msc, and then
press ENTER.
9. In the tree pane of the Local Group Policy Editor console, under Computer Configuration, expand
Administrative Templates, expand Network, and then click Lanman Server.
10. In the Setting list of the Lanman Server result pane, right-click Hash Publication for BranchCache,
and then click Edit.
11. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication
actions box, select Allow hash publication only for shared folders on which BranchCache is
enabled, and then click OK.
Task 2: Simulate slow link to the remote office
1. In the tree pane of the Local Group Policy Editor console, under Computer Configuration, expand
Windows Settings, right-click Policy-based QoS, and then click Create new policy.
2. On the Create a QoS policy page of the Policy-based QoS wizard, in the Policy name box, type
Limit to 100 KBps, select the Specify Outbound Throttle Rate: check box, type 100, and then click
Next.
3. On the This QoS policy applies to page, click Next.
4. On the Specify the source and destination IP addresses page, click Next.
5. On the Specify the protocol and port numbers page, click Finish.
6. Close the Local Group Policy Editor.
Task 3: Enable a file share for BranchCache
1. On the Start menu of NYC-DC1, click Computer.
2. In the Computer window, browse to Local Disk (C:).
3. Right-click Share, and then click Properties.
4. In the Share Properties dialog box, on the Sharing tab, click Advanced Sharing.
5. In the Advanced Sharing dialog box, click Caching.
6. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.
Nova 4, LLC
Sep 7 2011 9:53PM
7. In the Advanced Sharing dialog box, click OK.
8. In the Share Properties dialog box, click Close.
9. Close Windows Explorer.
Task 4: Configure clients to use BranchCache in distributed cache mode
1. On the Start menu of NYC-DC1, point to Administrative Tools, and then click Group Policy
Management.
2. In the tree pane of the Group Policy Management console, expand Forest: Contoso.com, expand
Domains, right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.
3. In the Name box of the New GPO dialog box, type BranchCache, and then click OK.
4. In the tree pane of the Group Policy Management console, under Domains, expand Contoso.com,
right-click BranchCache, and then click Edit.
5. In the tree pane of the Group Policy Management Editor console, under Computer Configuration,
expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.
6. In the Setting list of the BranchCache result pane, right-click Turn on BranchCache, and then click
Edit.
7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
8. In the Setting list of the BranchCache result pane, right-click Set BranchCache Distributed Cache
mode, and then click Edit.
9. In the Set BranchCache Distributed Cache mode dialog box, click Enabled, and then click OK.
10. In the Setting list of the BranchCache result pane, right-click Configure BranchCache for network
files, and then click Edit.
11. In the Configure BranchCache for network files dialog box, click Enabled, in the Enter the round
trip network latency value in milliseconds above which network files must be cached in the
branch office box, type 0, and then click OK. This setting is required to simulate access from a
remote office and is not typically required.
Task 5: Configure client firewall rules for BranchCache
1. On NYC-DC1, in the tree pane of the Group Policy Management Editor console, under Computer
Configuration, under Policies, expand Windows Settings, expand Security Settings, and then
expand Windows Firewall with Advanced Security.
2. In the tree pane, under Windows Firewall with Advanced Security, expand Windows Firewall
with Advanced Security, and then click Inbound Rules.
3. Right-click Inbound Rules and click New Rule.
4. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache
Content Retrieval (Uses HTTP), and then click Next.
5. On the Predefined Rules page, click Next.
6. On the Action page, click Finish to create the firewall inbound rule.
7. In the Group Policy Management Editor console, right-click Inbound Rules and click New Rule.
8. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache
Peer Discovery (Uses WSD), and then click Next.
9. On the Predefined Rules page, click Next.
10. On the Action page, click Finish.
Nova 4, LLC
Sep 7 2011 9:53PM
11. Close the Group Policy Management Editor console.
Task 6: Apply BranchCache settings to the clients
2. On the Start menu of NYC-CL1, point to All Programs, click Accessories, and then click Command
Prompt.
3. At the command prompt window, type the following code, and then press ENTER.
gpupdate /force
4. At the command prompt, type the following code, and then press ENTER.
of Pa$$w0rd.
6. On the Start menu of NYC-CL1, in the Search programs and files box, type Performance, and then
press ENTER.
7. In the tree pane of the Performance Monitor console, under Monitoring Tools, click Performance
Monitor.
8. In the Performance Monitor result pane, click the Delete (Delete Key) icon.
9. In the Performance Monitor result pane, click the Add (Ctrl+N) icon.
10. In the Select counters from computer box of the Add Counters dialog box, click BranchCache,
and then click Add.
11. In the Add Counters dialog box, click OK.
12. Change the graph type to Report.
Prompt.
gpupdate /force
of Pa$$w0rd.
18. On the Start menu of NYC-CL2, in the Search programs and files box, type Performance, and then
press ENTER.
Monitor.
Nova 4, LLC
Sep 7 2011 9:53PM
22. In the Select counters from computer box of the Add Counters dialog box, click BranchCache,
and then click Add.
23. In the Add Counters dialog box, click OK.
24. Change the graph type to Report.
Task 7: Test BranchCache in the distributed caching mode
1. On the Start menu of NYC-CL1, in the Search programs and files box, type \\NYC-
DC1.contoso.com\Share, and then press ENTER.
2. In the Name list of the Share window, right-click mspaint, and then click Copy.
3. In the Share window, click Minimize.
4. In the Performance Monitor console, click Minimize.
5. On the Desktop, right-click anywhere, and then click Paste.
Note: While copying the file, view the Performance Monitor graph. Notice that computer
attempted discovery is not running successfully because you are copying the file to the branch
office for the first time. Also, make note of how long it takes to copy the file to NYC-CL1. If the
performance counters do not change try restarting the BranchCache service or restarting NYC-CL1.
Prompt.
10. In the Share window, click the Minimize button.
11. In the Performance Monitor console, click the Minimize button.
Note: While copying the file, view the Performance Monitor graph. Notice that computer
attempted discovery is successful and the file was copied much faster. Also, view the SMB:Bytes
from cache counter to confirm that file was copied from the BranchCache. If the performance
counters do not change and the file copy is slow, try restarting the BranchCache service or
restarting NYC-CL2.
Prompt.
Nova 4, LLC
Sep 7 2011 9:53PM
15. On NYC-CL2, close all open windows.
16. On NYC-CL1, close all open Windows.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring BranchCache in Hosted Cache Mode (optional)
Task 1: Configure clients to use BranchCache in hosted cache mode
1. On the Start menu of NYC-DC1, point to Administrative Tools, and then click Group Policy
Management.
2. In the tree pane of the Group Policy Management console, if necessary, expand Forest:
Contoso.com, expand Domains, and then expand Contoso.com.
3. In the tree pane, under Contoso.com, right-click BranchCache, and then click Edit.
4. In the tree pane of the Group Policy Management Editor console, under Computer Configuration,
expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.
5. In the Setting list of the BranchCache result pane, right-click Set BranchCache Distributed Cache
6. In the Set BranchCache Distributed Cache mode dialog box, click Not Configured, and then click
OK.
7. In the Setting list of the BranchCache result pane, right-click Set BranchCache Hosted Cache
8. In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Enter the location of
hosted cache box, type NYC-SVR1.contoso.com, and then click OK.
9. Close the Group Policy Management Editor console.
prompt.
gpupdate /force
prompt.
gpupdate /force
Task 2: Install the BranchCache feature on NYC-SVR1
1. Start 6419B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the
2. On the Start menu of NYC-SVR1, point to Administrative Tools, and then click Server Manager.
3. In the tree pane of the Server Manager console, right-click Features, and then click Add Features.
Nova 4, LLC
Sep 7 2011 9:53PM
4. On the Select Features page of the Add Features Wizard, select the BranchCache check box, and
then click Next.
Task 3: Request a certificate and link it to BranchCache.
1. On the Start menu of NYC-SVR1, click Run.
2. In the Open box of the Run dialog box, type mmc, and then click OK.
3. On the File menu of the Console1 [Console Root] console, click Add/Remove Snap-ins.
4. In the Available snap-ins area of the Add or Remove Snap-in dialog box, click Certificates, and
then click Add.
5. In the This snap-in will always manage certificates for page of the Certificates Snap-in wizard,
click Computer account, and then click Next.
6. On the Select the computer you want this snap-in to manage page, click Finish.
7. In the Add or Remove Snap-ins dialog box, click OK.
8. In the tree pane of the Console1 [Console Root] console, expand Certificates (Local Computer),
right-click Personal, point to All Tasks, and then click Request New Certificate.
9. On the Before You Begin page of the Certificate Enrollment wizard, click Next.
10. On the Select Certificate Enrollment Policy page, click Next.
11. On the Request Certificates page, select the Computer check box, and then click Enroll.
12. On the Certificate Installation Results page, click Finish.
13. In the tree pane of the Console1 [Console Root] console, under Personal, click Certificates.
14. In the Issued To result pane, right-click NYC-SVR1.Contoso.com, and then click Open.
15. On the Details tab of the Certificate dialog box, in the Field list, click Thumbprint, select
thumbprint values in the details section, press Ctrl+C to copy the values to the Clipboard, and then
click OK.
16. On the Start menu, click All Programs, click Accessories, and then click Command Prompt.
17. At the command prompt window, type the following code, and then press Enter. You can paste the
certificatehashvalue from the certificate, but you must remove the spaces.
netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-
a714-454d-8de2-492e4c1bd8f8}
Task 4: Start the BranchCache Host Server
Computers.
2. Right-click Contoso.com, point to New, and click Organizational Unit.
3. In the New Object - Organization Unit window, type BranchCacheHost, and then click OK.
Nova 4, LLC
Sep 7 2011 9:53PM
4. Click the Computers container.
5. Click NYC-SVR1 and drag it to BranchCacheHost.
6. Click Yes to clear the warning about moving objects.
8. Click Start, point to Administrative Tools, and click Group Policy Management.
9. Under Domains, expand Contoso.com, right-click BranchCacheHost, and click Block Inheritance.
10. On NYC-DC1, close all open windows.
11. Restart NYC-SVR1 and log on as Contoso\Administrator with the password of Pa$$w0rd..
12. On NYC-SVR1, open a command prompt, type the following code, and then press Enter.
netsh branchcache set service hostedserver
Task 5: Configure Performance Monitor on NYC-SVR1
1. On the Start menu of NYC-SVR1, in the Search programs and files box, type Performance, and
then press ENTER.
Monitor.
5. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click
Add, and then click OK.
6. Change graph type to Report.
Task 6: Clear BranchCache data and Performance statistics on NYC-CL1
1. On NYC-CL1, click Start, type cmd.exe and press ENTER.
ENTER.
Net stop branchcache
Net start branchcache
5. Click Start, type offline, and then click Manage offline files.
6. In the Offline Files window, on the Disk Usage tab, click Delete temporary files.
7. Close the Offline Files window
8. On the Start menu, in the Search programs and files box, type Performance, and then press
ENTER.
Nova 4, LLC
Sep 7 2011 9:53PM
Monitor.
13. Change graph type to Report. Notice that the value of all performance statistics is zero.
Task 7: Clear BranchCache data and performance statistics on NYC-CL2
1. On NYC-CL2, click Start, type cmd.exe and press Enter.
ENTER.
Net stop branchcache
Net start branchcache
5. Click Start, type offline, and then click Manage offline files.
6. In the Offline Files window, on the Disk Usage tab, click Delete temporary files.
7. Close the Offline Files window
8. On the Start menu, in the Search programs and files box, type Performance, and then press
ENTER.
Monitor.
13. Change graph type to Report. Notice that the value for all performance statistics is zero.
Task 8: Test BranchCache in hosted caching mode
4. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize.
Nova 4, LLC
Sep 7 2011 9:53PM
6. Read the performance statistics on NYC-CL1. This file was retrieved from the NYC-DC1 (Retrieval:
Bytes from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval:
Bytes Served)
10. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize.
12. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval:
Bytes from Cache).
13. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted
Cache: Client file segment offers made).
following steps:
4. Repeat these steps for 6419B-NYC-SVR1, 6419B-NYC-CL1 and 6419B-NYC-CL2.

Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Monitoring and Maintaining Windows Server 2008 1
Module 13
Lab Answer Key: Monitoring and Maintaining Windows
Server 2008
Contents:
Exercise 1: Determining Performance Metrics 2
Exercise 2: Configuring a Performance Baseline 3
Exercise 3: Viewing Performance Using Monitoring Tools 5

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Monitoring and Maintaining Windows Server 2008

Lab: Creating a Baseline of Performance Metrics
Lab Setup
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-SVR1.
Exercise 1: Determining Performance Metrics

Task 1: Determine performance counters to use
Question: What are the main hardware components that you should be measuring on NYC-SVR?
Answer: Processor, Memory, Hard Disk and Network.
Question: Which Performance Monitor objects correspond to these components?
Answer: The key objects are: Processor, Memory, Physical Disk and Network Interface.
Note: After completing this exercise, you will have determined performance metrics.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Configuring a Performance Baseline

Task 1: Create a Data Collector Set to log the counters for the Processor, Memory,
Physical Disk and Network Interface objects
1. On NYC-SVR1, click Start, click Administrative Tools and then click Performance Monitor.
2. In the Performance Monitor window, expand the Data Collector Sets node, right-click on User
Defined, click New, and then click Data Collector Set.
3. In the Create new Data Collector Set window, type NYC-SVR1 Baseline in the Name field, select
Create Manually (Advanced), and then click Next.
4. Select Create data logs, click the checkbox to select Performance counter and then click Next.
5. In the Performance counters field, click the Add button
6. In the Available counters section, scroll to find Processor, and then expand Processor, ensuring all
counters are highlighted.
7. In the Instances of selected object section, click <All Instances>, and then click the Add button.
8. In the Available counters section, scroll to find Memory, expand Memory, and then highlight all
counters under Memory.
9. In the Instances of selected object section, click the Add button.
10. In the Available counters section, scroll to find Physical Disk, expand Physical Disk, and then
highlight all counters under Physical Disk.
11. In the Instances of selected object section, click <All Instances>, and then click the Add button.
12. In the Available counters section, scroll to find Network Interface, expand Network Interface,
and then highlight all counters under Network Interface.
13. In the Instances of selected object section, click Microsoft Virtual Machine Bus Network Adapter
_2, click the Add button, and then click OK.
14. In the Create new Data Collector Set window, click Next
15. Click Next.
16. On the Create the Data Collector Set? screen, select Start this Data Collector Set now, and then
click Finish.
Note: The Data Collector Set will take a few moments to complete. Complete Exercise 3 and then
come back to finish Task 2 of this exercise.


Nova 4, LLC
Sep 7 2011 9:53PM
4 Lab Answer Key: Monitoring and Maintaining Windows Server 2008

Task 2: Review the Data Collector Set Report to ensure performance data has been
captured
1. In the Performance Monitor window, expand the Reports node, expand the User Defined node,
expand the NYC-SVR1 Baseline node, and then click the NYC-SVR1_XXXXXXXX node.
2. View the report in the right hand column and ensure that performance data was collected.
Note: After completing this exercise, you will have configured a performance baseline.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 3: Viewing Performance Using Monitoring Tools
Task 1: Use Resource Monitor to view system performance statistics
1. On NYC-SVR1, click Start, in the Start Menu Search box, type Resource Monitor and then press
ENTER.
2. View the graphs on the right hand side of the screen to ensure none of them is near the top of the
graph window.
3. Click each tab in the Resource Monitor window to view the real time performance data for the
associated component.
Task 2: Use Reliability Monitor to view server reliability history
1. On NYC-SVR1, click Start, in the Start Menu Search box, type Reliability and then press ENTER.
2. Check the Reliability Monitor for any Error events represented by a red X icon.
following steps:

Nova 4, LLC
Sep 7 2011 9:53PM
Lab Answer Key: Managing Window Server 2008 Backup and Recovery 1
Module 14
Lab Answer Key: Managing Window Server 2008 Backup and
Recovery
Contents:
Lab A: Implementing Windows Server Backup and Recovery
Exercise 1: Evaluating the Existing Backup Plan 2
Exercise 2: Implementing a Backup Plan 5
Exercise 1: Enabling Active Directory Recycle Bin 7
Exercise 2: Restoring a Deleted Active Directory Object 8

Nova 4, LLC
Sep 7 2011 9:53PM
2 Lab Answer Key: Managing Window Server 2008 Backup and Recovery

Lab A: Implementing Windows Server Backup
and Recovery
Lab Setup
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 - 4 for 6419B-NYC-SVR1.
Exercise 1: Evaluating the Existing Backup Plan
Task 1: Review an existing backup plan.
1. You have agreed that no more than one day's data should be lost in the event of a disaster. Critical
data includes the Sales, Finance, and Projects data. Does the current backup plan meet this
requirement?
Answer: No. The current weekly backup plan means that if data is lost, the data that is restored could
be up to a week old.
2. Currently, you copy the Human Resources confidential data onto a removable hard disk that is
attached to a computer in the Human Resources office. This task is performed weekly by using a
script to preserve the encryption on the files. What are the consequences of this process and how
would you deal with them?
Answer: The issue is that the confidential files are on an easily removable device in an unsecured
office. You could provide a secure data storage device, or you could place the removable hard disk in
a secure area after the backup job is complete.
3. You have also agreed that if a server fails, you should be able to restore that server, including all
installed roles, features, applications, and security identity, in six hours. Does the current backup plan
enable you to restore the servers in this way?
Answer: No. No system state backups are being performed on the servers, so the servers must be
rebuilt in the event of a failure. This would make restoring the original configuration very difficult.
Task 2: Propose changes to the backup plan.
1. Propose an appropriate backup frequency for the shares in the following table.
Backup Frequency
Sales Daily
Finance Daily
Nova 4, LLC
Sep 7 2011 9:53PM
Backup Frequency
Human Resources Daily
Technical Library Weekly
Projects Daily, or perhaps more frequently
2. How would you meet the requirement to restore the servers and how frequently would you back up
the servers?
Answer: Back up the system state data on the servers so that you can restore them later. The backup
should be at an appropriate frequency, so this will depend on how often the server configuration is
changed. Typical schedules may be weekly or monthly.
Task 3: Install Windows Server Backup feature.
1. On NYC-DC1, click Server Manager on the Task bar.
2. In the left pane, click Features.
3. In the details pane, click Add Features.
4. In the Add Features Wizard, select Windows Server Backup Features. Click the plus sign to expand
the feature. Note that command-line tools are not selected by default.
5. Select the check box to select the Command-line tools and click Next
6. Click Install
7. Click Close, and then close Server Manager.
Task 4: Use the backup wizard to schedule a backup.
1. Click Start, click Administrative Tools, and then click Windows Server Backup.
2. In the Actions pane, click Backup Schedule.
3. In the Backup Schedule Wizard, click Next.
4. On the Select Backup Configuration page, click Full server, and then click Next.
5. On the Specify Backup Time page, click the drop-down arrow, select 1:00 AM as the Time of day,
6. On the Specify Destination Type page, click Back up to a shared network folder, and then click
Next. In the Windows Server Backup dialog box, click OK.
7. In the Location field, type \\NYC-SVR1\backup, and then click Next.
8. In the Register Backup Schedule dialog box, type Contoso\Administrator.
9. In the password field, type Pa$$w0rd, and then click OK.
10. Click Finish, and then click Close.
Task 5: Back up an individual folder.
1. In the Actions pane, click Backup Once.
2. On the Backup Options page, click Different options, and then click Next.
3. On the Select Backup Configuration page click Custom, and then click Next.
4. On the Select Items for Backup page, click Add Items.
Nova 4, LLC
Sep 7 2011 9:53PM

5. Expand Local disk (C:), and then select the check box next to MarketingTemplates, click OK, and
then click Next.
6. On the Specify Destination Type page, click Remote shared folder, and then click Next.
7. In the Specify Remote Folder dialog box, type \\NYC-SVR1\Backup, and then click Next.
8. On the Confirmation page, click Backup.
9. On the Backup Progress page, click Close after the backup completes.
Results: After completing this exercise, you will have reviewed an existing backup plan and proposed
changes to that plan. Then, you will have configured backups to become familiar with the Windows
Server Backup feature.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 2: Implementing a Backup Plan
Task 1: Create a backup strategy to comply with the SLA.
1. You should be able to restore critical data, which includes the Sales, Finance, and Projects shares, as
quickly as possible in the event of a disaster. What factors affect how quickly you can restore data?
Answer: The size of the backed-up data and the backup hardware and media both affect how quickly
you can restore data.
2. Given that you have a limited budget to meet the SLA requirements, how could you maximize your
budget while providing backup for the entire network data for which you are responsible?
Answer: Consider using a tiered approach to back up and restore. Use faster backup hardware and
media for critical data, which costs more, but use slower backup hardware and media for noncritical
data to reduce costs.
Task 2: Create a backup strategy to comply with legal requirements.
1. How will you ensure that the required data is stored for the minimum legal requirement period and
that the data is available for audit purposes when it is required?
Answer: Various approaches are valid, such as:
Create separate archive backups for legal compliance purposes. Include only the required data in
these archives. A user who has restore privilege is required to access the data if an audit is
performed. You must also consider the storage lifetime of the mediaa tape may not retain
seven-year-old data if it is not refreshed.
Store the legal compliance data on a separate network device such as another server or archive
device. This device may offer policies to help you control retention requirements.
Task 3: Use the Recovery Wizard to restore the data.
1. On NYC-DC1, open Windows Explorer, navigate to C:\MarketingTemplates, and delete the contents
in the folder.
2. Switch to Windows Server Backup and in the Actions pane, click Recover.
3. On the Getting Started page, click A backup stored on another location. Click Next.
4. On the Specify Location Type page, click Remote shared folder. Click Next.
5. On the Specify Remote Folder page, type \\NYC-SVR1\Backup, and then click Next.
6. On the Select Backup Date page, click Next.
7. On the Select Recovery Type page, click Next.
8. On the Select Items to Recover page, expand NYC-DC1, expand Local disk (C:):, select
MarketingTemplates, and then click Next.
9. On the Specify Recovery Options page, type C:\MarketingTemplates, and then click Next.
10. On the Confirmation page, click Recover.
11. On the Recovery Progress page, click Close.
12. Navigate to C:\MarketingTemplates and ensure that the content been restored.
Nova 4, LLC
Sep 7 2011 9:53PM

Results: After completing this exercise, you should have reviewed an existing recovery plan and
proposed changes to that plan. You should also have tested data recovery.
following steps:
Note: Repeat steps 2 - 3 for 6419B-NYC-SVR1.

Nova 4, LLC
Sep 7 2011 9:53PM
Exercise 1: Enabling Active Directory Recycle Bin
Task 1: Raise the forest functional level.
Windows PowerShell.
Set-ADForestMode Identity contoso.com -ForestMode Windows2008R2Forest
3. Press Y, and then press ENTER.
Task 2: Enable the Active Directory Recycle Bin.
1. In the Active Directory Module for Windows PowerShell, type the following command, and then press
ENTER.
Enable-ADOptionalFeature Identity CN=Recycle Bin Feature, CN=Optional
Features, CN=Directory Service, CN=Windows NT,
CN=Services,CN=Configuration, DC=contoso,DC=com Scope
ForestOrConfigurationSet Target contoso.com
2. Press Y, and then press ENTER.
3. Close the Active Directory Module for Windows PowerShell.
Results: After completing this exercise, you will have raised the forest functional level and enabled
Active Directory Recycle Bin.

Nova 4, LLC
Sep 7 2011 9:53PM

Exercise 2: Restoring a Deleted Active Directory Object
Task 1: Delete Active Directory Objects.
1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. Expand Contoso.com, and then click the Research OU.
3. Right-click Dylan Miller, and then click Delete.
4. In the Active Directory Domain Services dialog box, click Yes.
5. Right-click Alan Brewer, and then click Delete.
6. In the Active Directory Domain Services dialog box, click Yes.
7. Minimize Active Directory Users and Computers.
Task 2: Use LDP.exe to display the deleted objects container.
1. Click Start, click All Programs, click Accessories, right-click Command Prompt, click Run as
administrator, type ldp.exe, and then press ENTER.
2. On the Options menu, click Controls.
3. In the Controls dialog box, expand the Load Predefined drop-down menu, click Return deleted
objects, and then click OK.
4. Click the Connection menu, and then click Connect.
5. In the Connect dialog box, click OK
6. Click the Connection menu, and then click Bind.
7. In the Bind dialog box, click OK.
8. Click View, click Tree, in the BaseDN field, type DC=Contoso,DC=Com, and then click OK.
9. In the console tree, expand DC=Contoso,DC=Com and double-click CN=Deleted Objects,
DC=Contoso,DC=Com.
Task 3: Restore a deleted AD object by using LDP.exe.
1. In the Deleted Objects container, locate the user you deleted in the previous task, Dylan Miller,
right-click and then click Modify.
2. In the Modify dialog box, in the Edit Entry Attribute field, type isDeleted.
3. In the Operation section, click Delete, and then click Enter.
4. In the Edit Entry Attribute field, type distinguishedname.
5. In the Values field, type CN=Dylan Miller,OU=Research,DC=Contoso,DC=Com.
6. In the Operation section, click Replace.
7. Select the Extended check box.
8. Click the Enter button, and then click Run.
9. Close the LDP application.
10. Restore Active Directory Users and Computers.
11. Right-click the Research OU, and then click Refresh. Dylan Millers user account has been restored to
the OU.
Nova 4, LLC
Sep 7 2011 9:53PM
Task 4: Use Windows PowerShell to restore a deleted Active Directory object.
1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows
PowerShell, and then click Run as administrator.
2. At the Active Directory module for Windows PowerShell command prompt, type the following
command, and then press ENTER.
Get-ADObject -Filter {displayName -eq "Alan Brewer"} -IncludeDeletedObjects | Restore-
ADObject
3. Open Active Directory Users and Computers, right-click the Research OU, and then click Refresh.
Alan Brewers user account has been restored to the OU.
4. Close all open windows.
Results: After completing this exercise, you should have used the LDP.exe to view deleted objects,
and restored objects by using both LDP.exe and Windows PowerShell.
following steps:
Note: Repeat steps 2 - 3 for 6419B-NYC-SVR1 and 6419B-NYC-DC2.

Nova 4, LLC
Sep 7 2011 9:53PM

6419B ENU LabManual

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

6419B ENU LabManual

Diunggah oleh

Hak Cipta:

Format Tersedia

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T

Anda mungkin juga menyukai