Demonstrations


Module 1 > Lesson1 > Demonstration: Using the Active Directory Administrative Center to administer and manage AD DS

Demonstration Steps

Navigate within the Active Directory Administrative Center

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory
Administrative Center.

2. Click Adatum (local), click Dynamic Access Control, and then click Global Search.

3. In the navigation pane, click the Tree View tab, and then expand the Adatum (local) node
to view the details of the Adatum.com domain.

Perform an administrative task within the Active Directory Administrative Center

1. In the Active Directory Administrative Center, click Overview.

2. In the Reset Password box, in the Username box, type Adatum\Adam.

3. In the Password and Confirm password boxes, type Pa55w.rd.

4. Clear the User must change password at next log on check box, and then click Apply.

5. In the Global Search box, in the Search box, type lon, and then press Enter.

Create an object
1. In the Active Directory Administrative Center, in the navigation pane tree view, expand
Adatum (local), and then click the Computers container.

2. In the Tasks pane, in the Computers section, click New, and then select Computer.

3. In the Create Computer dialog box, enter the following information, and then click OK:

o Computer name: LON-CL4

o Computer (NetBIOS) name: LON-CL4

4. Click OK.

View all object attributes


1. In the Active Directory Administrative Center, double-click Adatum (local), and then in the
management list, double-click Computers.

2. Select LON-CL4, and then in the Tasks pane, in the LON-CL4 section, click Properties.

3. In the LON-CL4 window, scroll down to the Extensions section, click the Attribute Editor
tab, and then note that all the attributes of the computer object are available here.

4. Click Cancel to close the LON-CL4 window.

Use the Windows PowerShell History viewer


1. In the Active Directory Administrative Center, click the Windows PowerShell History
toolbar in the lower part of the screen.

2. View the details for the New-ADComputer cmdlet that you used to perform the most recent
task.

On LON-DC1, close all open windows


Module 1 > Lesson2 > Demonstration: Viewing the SRV records in DNS

Demonstration Steps

View the SRV records by using DNS Manager


1. On LON-DC1, sign in with the user name Adatum\Administrator and the password
Pa55w.rd.

2. In Server Manager, click the Tools menu.

3. In the Tools list, click DNS.

4. In the DNS Manager window, on the tree menu, expand LON-DC1, expand Forward
Lookup Zones, and then click Adatum.com. Show the following four Domain Name System
(DNS) subzones:

o _msdcs

o _sites

o _tcp

o _udp

5. Expand Adatum.com, expand _sites, expand Default-First-Site-Name, expand _tcp, and
then select the following record:

o _ldap Service Location (SRV)[0][100][389]lon-dc1.adatum.com

6. If students have sufficient expertise and interest, open c:\windows\system32\config, and
then open the netlogon.dns file in Notepad. Show all the service records (SRV records) that this
domain controller will register in DNS.

Module 1 > Lesson3 > Demonstration: Cloning a domain controller

Demonstration Steps

Prepare a source domain controller for cloning


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory
Administrative Center.

2. In the Active Directory Administrative Center, double-click Adatum (local), and then in the
management list, double-click the Domain Controllers OU.

3. In the management list, select LON-DC1, if it is not already selected, and then in the Tasks
pane, in the LON-DC1 section, click Add to group.

4. In the Select Groups dialog box, in the Enter the object names to select box, type
Cloneable, and then click Check Names.

5. Ensure that the group name is expanded to Cloneable Domain Controllers, and then click
OK.

6. On the start menu, click Windows PowerShell.

7. At the Windows PowerShell command prompt, type the following command, and then press
Enter.
Get-ADDCCloningExcludedApplicationList

8. Verify the list of critical apps. In production, you need to verify each app or use a domain
controller that has fewer apps installed by default. Type the following command, and then press
Enter.
Get-ADDCCloningExcludedApplicationList -GenerateXml

9. Type the following command to create the DCCloneConfig.xml file, and then press Enter.
New-ADDCCloneConfigFile

10. Type the following command to shut down LON-DC1, and then press Enter.
Stop-Computer

11. Wait for the virtual machine to shut down. You might be asked to confirm the shutdown.

Export the source virtual machine


1. On the host computer, in Microsoft Hyper-V Manager, in the details pane, select the
20742B-LON-DC1 virtual machine.

2. In the Actions pane, in the 20742B-LON-DC1 section, click Export.

3. In the Export Virtual Machine dialog box, go to the location D:\Program Files\Microsoft
Learning\20742, and then click Export. Wait until the export finishes.

4. In the Actions pane, in the 20742B-LON-DC1 section, click Start.

Create and start the cloned domain controller


1. On the host computer, in Hyper-V Manager, in the Actions pane, in the section named for the
host computer, click Import Virtual Machine.

2. In the Import Virtual Machine Wizard, on the Before You Begin page, click Next.

3. On the Locate Folder page, click Browse, browse to the folder D:\Program Files\Microsoft
Learning\20742\20742B-LON-DC1, click Select Folder, and then click Next.

4. On the Select Virtual Machine page, select 20742B-LON-DC1 (if it is not already selected), and
then click Next.

5. On the Choose Import Type page, select Copy the virtual machine (create a new unique ID),
and then click Next.

6. On the Choose Folders for Virtual Machine Files page, select the Store the virtual machine in a
different location check box. For each folder location, specify
D:\Program Files\Microsoft Learning\20742\ as the path. Click Next.

7. On the Choose Folders to Store Virtual Hard Disks page, provide the path
D:\Program Files\Microsoft Learning\20742\, and then click Next.

8. On the Completing Import Wizard page, click Finish.

9. In the management list, identify and select the newly imported virtual machine named
20742B-LON-DC1, which has the State shown as Off. In the lower section of the Actions pane, click
Rename.

10. Type 20742B-LON-DC3 as the name, and then press Enter.

11. In the Actions pane, in the 20742B-LON-DC3 section, click Start, and then click Connect to see
the virtual machine starting.

12. While the server is starting, you might see the message Domain Controller cloning is at x%
completion.

Module 2 > Lesson1 > Demonstration: Managing user accounts

Demonstration Steps

Create a new user account

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory
Administrative Center.

2. In Active Directory Administrative Center, click Adatum (local), and then double-click
Managers.

3. In the Tasks pane, click New, and then click User.

4. In the Create User dialog box, in the First name field, type Sales.

5. In the Last name field, type Manager.

6. In the User UPN logon text box, type SalesManager.

7. In the Password and Confirm password fields, type Pa55w.rd, and then click OK.

Delete a user account


1. Click the Art Odum account.

2. In the Tasks pane, under Art Odum, click Delete.

3. In the Delete Confirmation box, click Yes.

Move a user account


1. Click the Burton Bartels account.

2. In the Tasks pane, under Burton Bartels, click Move.

3. Click the Development OU, and then click OK.

4. In the left pane, click Adatum (local).

5. In the right pane, double-click the Development OU, and then ensure that the Burton
Bartels account is present.

Configure user attributes


1. Double-click the Burton Bartels account.

2. In the left pane, click Organization, and then change the Department field from Managers
to Development.

3. In the left pane, click Member Of.

4. In the Member Of section, click Managers, and then click Remove.

5. Click Add. In the Select Groups dialog box, in the Enter the object names to select
(examples) box, type Development, and then click OK.

6. Click OK to close the Burton Bartels properties.

7. Close Active Directory Administrative Center. Leave Server Manager open for the next
demonstration.

Module 2 > Lesson1a > Demonstration: Using templates to manage accounts

Demonstration Steps

Create a user template

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users
and Computers.

2. Expand Adatum.com, and then click the Sales OU.

3. Click the new user icon on the toolbar.

4. In the New Object – User dialog box, enter the following information, and then click Next:

o First name: _sales

o Last name: template

o User logon name: salestemplate

5. In the Password and Confirm password fields, type Pa55w.rd.

6. Clear the User must change password at next logon check box, select the Password
never expires check box, select the Account is disabled check box, and then click Next.

7. Click Finish.

Configure template properties


1. Double-click the _sales template account.

2. In the _sales template properties dialog box, click the Member Of tab, and then click
Add.

3. In the Select Groups dialog box, type Sales, and then click OK.

4. Click the Organization tab. In the Department field, type Sales.

5. In the Manager section, click Change. In the Select User or Contact dialog box, type Erin,
and then click Check Names. Click OK.

6. Click the Profile tab. In the User profile section, in the Logon script field, type
\\lon-dc1\netlogon\logon.bat, and then click OK.

Create a new user by copying the template


1. Right-click the _sales template account, and then click Copy.

2. In the Copy Object – User dialog box, type Sales in the First name field. Type User in the
Last name field.
3. Type salesuser in the User logon name field, and then click Next.

4. In the Password and Confirm password fields, type Pa55w.rd.

5. Clear the Password never expires check box, clear the Account is disabled check box,
select the User must change password at next logon check box, and then click Next.
6. Click Finish.

7. Double-click the Sales User account, and then click the Member Of tab. Ensure that the user is a
member of the Sales group.

8. Click the Organization tab. Ensure that the Department is Sales and the Manager is Erin
Bull.

9. Click the Profile tab. Ensure that the Logon script path is \\lon-dc1\netlogon\logon.bat. Click
OK to close the dialog box.

10. Close Active Directory Users and Computers.


Module 2 > Lesson2 > Demonstration: Managing groups in Windows Server

Demonstration Steps

Create a new group and add members


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory
Administrative Center.

2. Expand Adatum (Local), and then double-click IT.

3. In the Tasks list, under IT, point to New, and then click Group.

4. In the Create Group dialog box, in the Group name field, type IT Managers. Notice that
the default is a global security group.

5. In the left pane, click Members, and then click Add.

6. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog
box, in Enter the object names to select (examples), type Beth; Logan, click
Check Names, and then click OK.

7. Click OK to close the Create Group: IT Managers dialog box.

Add a user to the group


1. Right-click the user named Maj Hojski, and then click Add to group.

2. In the Select Groups dialog box, in Enter the object names to select (examples),
type IT Managers.

3. Click Check Names, and then click OK.

Change the group type and scope


1. Double-click the IT Managers group.

2. In the IT Managers window, under Group type, click Distribution. Read the highlighted
message.

3. Under Group scope, click Universal, and then click OK.

Configure a manager for the group

1. Double-click the IT Managers group.

2. In the Managed By section, click Edit.

3. In the Select User, Contact or Groups dialog box, in Enter the object names to
select (examples), type Parsa, click Check Names, and then click OK.

4. Select the Manager can update membership list check box.

5. Click OK to close the IT Managers Properties dialog box.

6. Close Active Directory Administrative Center.


Module 2 > Lesson4 A > Demonstration: Using graphical tools to perform bulk operations

Demonstration Steps

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users
and Computers.

2. Expand Adatum.com, and then click the Research OU.

3. In the details pane, click the top of the Type column to sort the object by type.

4. Click the first user object in the list (this should be Arturs Priede).

5. Scroll to the bottom of the list, hold the Shift key, and then click the last User object in the list (this
should be Vera Pace).

6. Right-click the block of selected objects, and then click Properties.

7. In the Properties for Multiple Items dialog box, select the check box beside Office, type
Winnipeg in the field, and then click OK.

8. Double-click any of the user objects and note that the Office field is now set to Winnipeg.

9. Click Cancel, and then close Active Directory Users and Computers.

Module 2 > Lesson4 B > Demonstration: Performing bulk operations with Windows PowerShell

Demonstration Steps

Create a new global group in the IT department

1. On LON-DC1, right-click the Start button, click Run, type PowerShell, and then press Enter.

2. In the Administrator: Windows PowerShell window, type the following command, and
then press Enter:
New-ADGroup -Name Helpdesk -Path "ou=IT,dc=Adatum,dc=com" -GroupScope Global

Add all users in the IT department to the Helpdesk group


• In the Administrator: Windows PowerShell window, type the following command, and then
press Enter:
Get-ADUser -Filter "Department -eq 'IT'" | Foreach {Add-ADGroupMember "Helpdesk" -Members $_}

Set the address for all users in the Research department


• In the Administrator: Windows PowerShell window, type the following command, and then
press Enter:
Get-ADUser -Filter {Department -eq "Research"} | Set-ADUser -StreetAddress "1530 Nowhere Ave." -City "Winnipeg" -State "Manitoba" -Country "CA"

Note: Notice that this command filters by using curly brackets rather than quotes and pipes the
results directly to the Set-ADUser cmdlet rather than using a foreach loop.

Create a new OU

• In the Administrator: Windows PowerShell window, type the following command, and then
press Enter:
New-ADOrganizationalUnit London -Path "dc=Adatum,dc=com"

Run a script to create new users from a .csv file


1. Open File Explorer, type E:\Labfiles\Mod02 in the address bar, and then press Enter.

2. Right-click DemoUsers.csv, click Open with, and then click Notepad. Explain the structure of
the file to students.

3. Close Notepad.

4. Switch back to the Windows PowerShell window, and then type cd E:\Labfiles\Mod02.

5. To run the script, type .\DemoUsers.ps1, and then press Enter.

Verify that the user accounts were created and that the accounts were
modified
1. In Server Manager, click Tools, and then click Active Directory Users and
Computers.

2. Ensure that the London OU exists.

3. Click the London OU. See that there are three users as defined in the .csv file. Notice that the users’
accounts are disabled. This is because there were no passwords provided.

4. Click the IT OU. Ensure that the Helpdesk group exists.

5. Double-click the Helpdesk group, and then in Helpdesk Properties, click the Members tab.
Ensure that the members are populated with the IT department users, and then click Cancel.
6. Click the Research OU, and then double-click one of the user accounts.

7. In the user’s properties page, click the Address tab. Ensure that the address fields are populated as
expected, and then click Cancel.
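
The kind of import that a script such as DemoUsers.ps1 performs, and why the resulting accounts are disabled, shown as an added example (this is not the course's script, whose contents this page does not show). The CSV column names, the three sample rows and the account names are constructed; the London OU path is the one created in the steps above.

```powershell
# Added example: bulk-create users from CSV data, confirm they are disabled,
# then enable one account with a password that never appears on the command line.
# Assumptions: run with domain admin rights on a host that has the
# ActiveDirectory module; column names and rows below are constructed.
Import-Module ActiveDirectory

$ouPath    = 'ou=London,dc=Adatum,dc=com'   # OU created earlier in this demonstration
$upnSuffix = 'adatum.com'

# Constructed sample input; with a real file use: Import-Csv .\DemoUsers.csv
$rows = @'
FirstName,LastName,Department,SamAccountName
Ana,Example,IT,anaexample
Ben,Example,Research,benexample
Cho,Example,Sales,choexample
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    # Skip rows that would collide with an existing account
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
        Write-Warning "Skipping $($row.SamAccountName): account already exists"
        continue
    }
    # Neither -AccountPassword nor -Enabled is supplied, so New-ADUser
    # creates the account without a password and leaves it disabled.
    New-ADUser -Name "$($row.FirstName) $($row.LastName)" `
        -GivenName $row.FirstName -Surname $row.LastName `
        -SamAccountName $row.SamAccountName `
        -UserPrincipalName "$($row.SamAccountName)@$upnSuffix" `
        -Department $row.Department -Path $ouPath
}

# Verify the state of every account in the OU (Enabled should be False)
Get-ADUser -SearchBase $ouPath -Filter * -Properties Department |
    Select-Object SamAccountName, Department, Enabled

# Enable a single account: prompt for the initial password as a SecureString,
# force a change at first logon, and only then enable the account.
$user     = 'anaexample'
$password = Read-Host -AsSecureString "Initial password for $user"
Set-ADAccountPassword -Identity $user -Reset -NewPassword $password
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
Enable-ADAccount -Identity $user
```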

Module 2 > Lesson5 > Demonstration: Delegating administrative permissions on an OU

Demonstration Steps

Create a new OU

1. On LON-DC1, in Active Directory Users and Computers, click Adatum.com.

2. Click the New OU icon on the toolbar.

3. In the New Object – Organizational Unit dialog box, type Human Resources in the
Name field, and then click OK.

Use the Delegation of Control Wizard to assign a task


1. Right-click the Adatum.com domain object, and then click Delegate Control.

2. In the Delegation of Control Wizard, click Next.

3. On the Users or Groups page, click Add.

4. In the Select Users, Computers, or Groups dialog box, in Enter the object names
to select (examples), type Helpdesk, click Check Names, click OK, and then click Next.

5. On the Tasks to Delegate page, select the check boxes beside Reset user passwords
and force password change at next logon and Join a computer to the domain, and then
click Next.

6. Click Finish.

Assign the Research group the right to modify user addresses and job titles in the Research OU

1. In Active Directory Users and Computers, click View, and then click Advanced Features.

2. Right-click the Research OU, and then click Properties.

3. Click the Security tab, click Advanced, and then click Add.

4. In the Permission Entry for Research window, click Select a principal.

5. In the Select Users, Computers, or Groups dialog box, in Enter the object names
to select (examples), type Research. Click Check Names, and then click OK.

6. In the Applies to drop-down list box, select Descendant User objects. (Hint: it is at the
bottom of the list.)

7. In the Properties section, scroll down, and then select the check box beside Write Home
Address.

8. Scroll down further, select the check box beside Write Job Title, and then click OK twice.

9. Click OK to close the Research Properties dialog box.
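
To review what the two delegations above actually wrote to the directory, the following added example (not part of the course material) lists the explicit access control entries held by Helpdesk on the domain object and by Research on the Research OU, translating schema and extended-right GUIDs into names. The function names are hypothetical, and the Research OU is assumed to sit directly under the domain, as it appears in the console.

```powershell
# Added example: audit explicit (non-inherited) ACEs left behind by delegation.
# Assumptions: run on a host with the ActiveDirectory module, which also
# provides the AD: drive used by Get-Acl. Function names are hypothetical.
Import-Module ActiveDirectory

# Build a GUID -> name map so ACEs show attribute, class and right names
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AdGuid {
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty) { return '(any)' }          # ACE is not scoped
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()                                   # unknown: show raw GUID
}

function Get-ExplicitAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Container = $DistinguishedName
                Principal = [string]$_.IdentityReference
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                Target    = Resolve-AdGuid $_.ObjectType           # attribute or right
                AppliesTo = Resolve-AdGuid $_.InheritedObjectType  # descendant class
                Inherits  = $_.InheritanceType
            }
        }
}

# Containers and groups used in the steps above
$containers = 'dc=Adatum,dc=com', 'ou=Research,dc=Adatum,dc=com'
$containers | ForEach-Object { Get-ExplicitAce -DistinguishedName $_ } |
    Where-Object { $_.Principal -match '\\(Helpdesk|Research)$' } |
    Sort-Object Container, Principal, Target |
    Format-Table -AutoSize -Wrap
```

Entries for Helpdesk on dc=Adatum,dc=com apply to the whole domain because the wizard was started from the domain object, so this listing is the place to confirm that scope is what was intended.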


Training Day 2

Module 5 > Lesson1 > Demonstration: Exploring Group Policy tools and consoles

Demonstration Steps

1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. If necessary, switch to the Group Policy Management window.

3. In Group Policy Management Console, in the navigation pane, expand Forest:
Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy
Objects.

4. Right-click Group Policy Objects, and then click New.

5. In the New GPO dialog box, type Disable Control Panel, and then click OK.

6. In the details pane, right-click Disable Control Panel, and then click Edit.

7. In Group Policy Management Editor, in the navigation pane, under User Configuration, expand
Policies, expand Administrative Templates, and then click Control Panel.

8. In the details pane, double-click Prohibit access to Control Panel and PC Settings.

9. In the Prohibit access to Control Panel and PC Settings dialog box, show the three
possible values for a setting in Administrative Templates, show the Supported on text,
and then show the Help text.

10. Click Enabled. In the Comment text box, type Enabled <date> by <your name>, where
you replace <date> with today’s date and <your name> with your name, and then click OK.

11. In the navigation pane, under User Configuration, expand Preferences, and show the
different categories under both Policies and Preferences.

12. Close the Group Policy Management Editor window.

13. In the Group Policy Management window, in the navigation pane, expand Group Policy
Objects, and then click Disable Control Panel.

14. In the details pane, show the Scope, Details, and Settings tabs.

15. In the navigation pane, click and then right-click Adatum.com, and then click Link an Existing
GPO.

16. In the Select GPO dialog box, click Disable Control Panel, and then click OK.

17. In the navigation pane, click Adatum.com.

18. In the details pane, show the Linked Group Policy Objects and Group Policy
Inheritance tabs.

19. Click Start, and then click Windows PowerShell.

20. In the Administrator: Windows PowerShell window, type the following command, and
then press Enter:
gpupdate

21. Verify that both the computer and user settings updated successfully.

22. At the Windows PowerShell command prompt, type the following command, and then press Enter:

gpresult /r

23. In the output from the command, in the User Settings section, in the Applied GPOs list, verify
that the Disable Control Panel GPO is listed.

24. Close the Windows PowerShell window.


Module 5 > Lesson2 > Demonstration: Delegating administration of Group Policy

Demonstration Steps

Make Beth a local administrator on LON-SVR1

1. Switch to LON-DC1.

2. On the taskbar, click the File Explorer icon.

3. In the File Explorer window, in the navigation pane, expand Allfiles (E:), expand Labfiles,
and then click Mod05.

4. In the details pane, right-click the Set-LocalAdmin.ps1 file, and then click Run with
PowerShell.

5. Type Y, if prompted, and then press Enter.

Check user permissions before delegation


1. Switch to LON-SVR1.

2. Sign in as Adatum\Beth with the password Pa55w.rd.

3. In Server Manager, click Add roles and features.

4. In Add Roles and Features Wizard, on the Before you begin page, click Next.

5. On the Select installation type page, click Next.

6. On the Select destination server page, click Next.

7. On the Select server roles page, click Next.

8. On the Select features page, select the Group Policy Management check box, and then
click Next.

9. On the Confirm installation selections page, click Install.

10. When the installation completes, click Close.

11. In Server Manager, click Tools, and then click Group Policy Management.

12. If necessary, switch to the Group Policy Management window.

13. In Group Policy Management, expand Forest: Adatum.com, expand Domains,
expand Adatum.com, and then click Group Policy Objects.

14. Right-click Group Policy Objects, and then notice that the New item is dimmed because Beth
does not have permissions to create GPOs.

15. In the navigation pane, right-click the Adatum.com domain, and then notice that menu item Link
an Existing GPO is dimmed because Beth does not have permissions to link GPOs to the domain.

16. In the navigation pane, right-click the IT OU, and then notice that menu item Link an Existing
GPO is dimmed because Beth also does not have permissions to link GPOs to the IT OU.

17. Click Start, and then click Windows PowerShell.

18. In the Windows PowerShell window, type the following command, and then press Enter:

GPResult /r

19. In the output from the command, notice that only the User settings are displayed because Beth is not
assigned the permission to view Group Policy results for computer settings.

Delegate permissions

1. On LON-DC1, switch to the Group Policy Management window.

2. In Group Policy Management, in the navigation pane, click the Group Policy Objects
container, and then in the details pane, click the Delegation tab.

3. Click Add. In the Select User, Computer, or Group dialog box, type Beth, click Check
Names, and then click OK.

4. In the navigation pane, click the IT OU, and then in the details pane, click the Delegation tab.

5. In the Permission dropdown list, ensure that Link GPOs is selected, and then click Add.

6. In the Select User, Computer, or Group dialog box, type Beth, click Check Names,
and then click OK.

7. In the Add Group or User dialog box, click OK.

8. In the navigation pane, click the Adatum.com domain, and then in the details pane, click the
Delegation tab.

9. In the Permission drop-down list, select Read Group Policy Results data, and then
click Add.

10. In the Select User, Computer, or Group dialog box, type Authenticated Users, click
Check Names, and then click OK.

11. In the Add Group or User dialog box, click OK.

Check permissions after delegation


1. Switch to LON-SVR1.

2. Switch to Group Policy Management.

3. In the Group Policy Management window, click and then right-click the Adatum.com
domain, and then click Refresh.

4. In the navigation pane, right-click Group Policy Objects, and then click New.

5. In the New GPO dialog box, in the Name text box, type Beth’s GPO, and then click OK.

6. In the navigation pane, right-click Adatum.com, and then notice that Link an Existing GPO is
still dimmed.

7. In the navigation pane, right-click IT, and then click Link an Existing GPO.

8. In the Select GPO dialog box, click Beth’s GPO, and then click OK.

9. Switch to the Windows PowerShell window.

10. In the Windows PowerShell window, type the following command and then press Enter:

GPResult /r

11. In the output from the command, notice that both the Computer and the User settings are
displayed.
