Exercise 1: Installing an RODC
Task 1: Verify the prerequisites for a staged installation of an RODC
1. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers.
2. Right-click Contoso.com and click Properties.
3. Verify that the forest functional level is at least Microsoft Windows Server 2003 and then click OK.
4. Close Active Directory Users and Computers.
5. On NYC-SVR1, open Server Manager, under Computer Information, note the domain status. This computer needs to be in a workgroup to pre-stage it as an RODC.
6. Click Change System Properties.
7. In the System Properties window, click Change.
8. In the Computer Name/Domain Changes window, click Workgroup, type TEMPORARY, and click OK.
9. Click OK to close the warning.
10. Click OK to confirm changing to the TEMPORARY workgroup.
11. Click OK to close the message about restarting.
12. In the System Properties window, click Close.
13. When prompted, click Restart Now.
Task 2: Stage a delegated installation of an RODC
1. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers.
2. Expand Contoso.com, and then click the Computers container, right-click NYC-SVR1, and click Delete.
3. Click Yes to confirm deleting the computer account.
4. Click Yes to confirm subtree deletion.
5. Right-click Domain Controllers and click Pre-create Read-only Domain Controller account.
6. In the Active Directory Domain Services Installation Wizard, click Next.
7. On the Operating System Compatibility page, click Next.
8. On the Network Credentials page, click Next.
9. On the Specify the Computer Name page, type NYC-SVR1, and then click Next.
10. On the Select a Site page, click Next.
MCT USE ONLY. STUDENT USE PROHIBITED
L12-2 Lab A: Deploying a Read-Only Domain Controller
11. On the Additional Domain Controller Options page, click Next.
12. On the Delegation of RODC Installation and Administration page, in the Group or user box, type CONTOSO\IT, and then click Next.
13. Review your selections on the Summary page, and then click Next.
14. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
15. Click the Domain Controllers OU and read the DC Type for NYC-SVR1.
Task 3: Complete a staged installation of an RODC
1. Log on to NYC-SVR1 as Administrator with the password of Pa$$w0rd.
2. On NYC-SVR1, click Start, type dcpromo, and press ENTER.
3. In the Active Directory Domain Services Installation Wizard, click Next.
4. On the Operating System Compatibility page, click Next.
5. On the Choose a Deployment Configuration page, select Existing forest, click Add a domain controller to an existing domain, and then click Next.
6. On the Network Credentials page, type contoso.com.
7. Click Set.
8. In the User Name box, type Andrea. Andrea is a member of the IT group that was delegated permission to install in the previous task.
9. In the Password box, type Pa$$w0rd, and then press ENTER.
10. On the Network Credentials page, click Next.
11. On the Select a Domain page, select contoso.com (forest root domain), and then click Next.
A message appears to inform you that your credentials do not belong to the Domain Admins or Enterprise Admins groups. Because you have prestaged and delegated administration of the RODC, you can proceed with the delegated credentials.
12. Click Yes to continue.
A message appears to inform you that the account for NYC-SVR1 has been prestaged in Active Directory as an RODC.
13. Click OK to use the existing account.
14. On the Location For Database, Log Files, and SYSVOL page, click Next.
15. On the Directory Services Restore Mode Administrator Password page, in the Password and Confirm Password boxes, type Pa$$w0rd, and then click Next.
16. On the Summary page, click Next.
17. In the progress window, select the Reboot On Completion check box.
Results: In this exercise, you configured NYC-SVR1 as an RODC in the contoso.com domain.
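The same staged installation can be scripted and then verified from the command line. The following is an added example, not part of the lab answer key: it uses the dcpromo unattended switches for the pre-create and attach operations and the Active Directory module on NYC-DC1 (Windows Server 2008 R2) for the checks. The site name Default-First-Site-Name and the database path are assumptions, chosen to match the wizard defaults accepted in the steps above.

```powershell
# Added example (not the lab's own code): staged RODC installation and verification.
# Assumes Windows Server 2008 R2, the ActiveDirectory module on NYC-DC1, and the lab names
# contoso.com, NYC-SVR1, CONTOSO\IT and the delegated user Andrea.
Import-Module ActiveDirectory

# Task 1 equivalent: an RODC requires forest functional level Windows Server 2003 or higher.
# ADForestMode values: Windows2000Forest=0, Windows2003InterimForest=1, Windows2003Forest=2.
$forest = Get-ADForest
if ([int]$forest.ForestMode -lt 2) {
    throw "Forest functional level $($forest.ForestMode) is too low for an RODC."
}

# Task 1, on NYC-SVR1: the server must be a workgroup member before the account is pre-staged.
# (Get-WmiObject Win32_ComputerSystem).PartOfDomain   # expect False on NYC-SVR1

# Task 2 equivalent, on NYC-DC1 as a Domain Admin: pre-create the RODC account and delegate
# installation and administration to CONTOSO\IT. /Password:* prompts for the password.
# Default-First-Site-Name is an assumption matching the default accepted on the Select a Site page.
dcpromo /unattend /CreateDCAccount /ReplicaDomainDNSName:contoso.com `
    /DCAccountName:NYC-SVR1 /ReadOnlyReplica:Yes /SiteName:Default-First-Site-Name `
    /DelegatedAdmin:"CONTOSO\IT" /UserDomain:contoso.com /UserName:Administrator /Password:*

# Check the pre-staged object: primaryGroupID 521 is "Read-only Domain Controllers", and the
# delegated admin from the wizard's Delegation page is stored in the managedBy attribute.
$acct = Get-ADComputer -Identity NYC-SVR1 -Properties primaryGroupID, managedBy
$acct | Select-Object Name, primaryGroupID, managedBy
if ($acct.primaryGroupID -ne 521) { throw 'NYC-SVR1 was not pre-created as an RODC.' }

# Task 3 equivalent, on NYC-SVR1 logged on as the local Administrator: attach to the
# pre-created account with the delegated user's credentials (not a Domain Admin).
dcpromo /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:contoso.com `
    /UserDomain:contoso.com /UserName:Andrea /Password:* `
    /SafeModeAdminPassword:'Pa$$w0rd' /RebootOnCompletion:Yes

# After the reboot, from NYC-DC1: confirm the DC type and site, and who may administer it.
Get-ADDomainController -Identity NYC-SVR1 |
    Select-Object Name, IsReadOnly, IsGlobalCatalog, Site, OperatingSystem
(Get-ADComputer -Identity NYC-SVR1 -Properties managedBy).managedBy   # expect CN=IT,...
```

The point of the delegated attach step is that the branch server is promoted without ever handling Domain Admin or Enterprise Admin credentials; the credentials typed on the branch server belong only to the group named in managedBy, which is also the group that will be able to administer the RODC locally afterward.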
Exercise 2: Configuring Password Replication Policy and Credential Caching
Task 1: Configure domain-wide password replication policy
1. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console tree, expand Contoso.com, and then click the Users container.
3. Double-click Allowed RODC Password Replication Group.
4. Click the Members tab.
5. Examine the default membership of Allowed RODC Password Replication Group and note that there are no members by default.
6. Click OK.
7. Double-click Denied RODC Password Replication Group.
8. Click the Members tab.
9. Click Add, type DNSAdmins, and then press ENTER.
10. Click OK.
11. In the console tree, click the Domain Controllers OU.
12. Right-click NYC-SVR1 and click Properties.
13. Click the Password Replication Policy tab. Verify that the Allowed RODC Password Replication Group and Denied RODC Password Replication Group are listed.
14. Click OK.
Task 2: Create a group to manage password replication to the remote office RODC
1. In the Active Directory Users and Computers console tree, click the Research OU.
2. Right-click Research, point to New, and then click Group.
3. In the Group name: box, type Remote Office Users, and then click OK.
4. Right-click Remote Office Users, and then click Properties.
5. Click the Members tab, and then click the Add button.
6. Click Object Types, select the Computers check box, and then click OK.
7. Type Alan; Alexander; Dylan; Max; NYC-CL1, and then click OK.
8. Click OK to close the Remote Office Users Properties dialog box.
Task 3: Configure password replication policy for the remote office RODC
1. In the console tree, click the Domain Controllers OU.
2. Right-click NYC-SVR1 and click Properties.
3. Click the Password Replication Policy tab.
4. Click the Add button.
5. Click Allow passwords for the account to replicate to this RODC, and then click OK.
6. In the Select Users, Computers, or Groups window, type Remote Office Users, and then press ENTER.
7. Click OK to close the NYC-SVR1 Properties dialog box.
Task 4: Evaluate resultant password replication policy
1. Right-click NYC-SVR1 and click Properties.
2. Click the Password Replication Policy tab.
3. Click the Advanced button.
4. In the Advanced Password Replication Policy for NYC-SVR1 window, click the Resultant Policy tab, and then click the Add button.
5. Type Alexander, and then press ENTER. Confirm that the resultant policy for Alexander is Allow, that is, that Alexander's password can be cached on NYC-SVR1.
6. Click Close.
7. Click OK to close the NYC-SVR1 Properties dialog box.
Task 5: Monitor credential caching
1. Attempt to log on to NYC-SVR1 as Alexander with the password Pa$$w0rd. This logon will fail because Alexander does not have the right to log on locally to a domain controller, but the RODC still authenticates the account and, because the resultant policy is Allow, caches the password. Click OK at the error message.
2. On NYC-DC1, in the Active Directory Users and Computers right-click NYC-SVR1, and then click Properties.
3. Click the Password Replication Policy tab.
4. Click the Advanced button.
5. From the drop-down list, select Accounts that have been authenticated to this Read-only Domain Controller. Notice that Alexander’s password has been cached.
6. Click Close, and then click OK.
Task 6: Prepopulate credential caching
1. In the Active Directory Users and Computers console, right-click NYC-SVR1, and then click Properties.
2. Click the Password Replication Policy tab.
3. Click the Advanced button.
4. On the Policy Usage tab, click Prepopulate Passwords.
5. Type Alan; NYC-CL1, and then click OK.
6. Click Yes to confirm that you want to send the credentials to the RODC.
7. Click OK to clear the message indicating that the password was successfully cached.
8. On the Policy Usage tab, read the list of cached passwords to confirm that the passwords for Alan and NYC-CL1 have been cached.
9. Click Close.
10. Click OK.
Task 7: Test cached passwords on NYC-SVR1
1. Shut down NYC-DC1.
2. On NYC-CL1, click Start and click Control Panel.
3. Click Network and Internet and click Network and Sharing Center.
4. Click Local Area Connection 3 and then click Properties.
5. In the Local Area Connection 3 Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, in the Alternate DNS box, type 10.10.0.11, and then click OK.
7. In the Local Area Connection 3 Properties window, click Close.
8. Close all open windows and log off.
9. On NYC-CL1, log on as Alexander with a password of Pa$$w0rd. The logon succeeds with NYC-DC1 offline because Alexander's password was cached on NYC-SVR1 in Task 5.
10. On NYC-CL1, log off and then log on as Alan with a password of Pa$$w0rd. This logon also succeeds because Alan's password was prepopulated on NYC-SVR1 in Task 6.
Results: In this exercise, you configured and tested password replication for an RODC.
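The password replication policy work in this exercise can also be done and audited from PowerShell, which is how you would check a fleet of branch RODCs rather than one. The following is an added example, not part of the lab answer key: it uses the Active Directory module cmdlets and repadmin on NYC-DC1 (Windows Server 2008 R2). It assumes the Research OU sits directly under the domain root; the account and group names are those used in the lab.

```powershell
# Added example (not the lab's own code): Exercise 2 from the command line on NYC-DC1.
# Assumes the ActiveDirectory module (Windows Server 2008 R2), repadmin, and the lab names.
Import-Module ActiveDirectory
$rodc     = 'NYC-SVR1'
$domainDN = (Get-ADDomain).DistinguishedName

# Task 1: domain-wide policy. The Allowed group is empty by default; privileged groups go in
# the Denied group so their secrets can never be cached on any RODC. Deny always wins.
Get-ADGroupMember 'Allowed RODC Password Replication Group'          # expect no output
Add-ADGroupMember 'Denied RODC Password Replication Group' -Members 'DnsAdmins'

# Task 2: a group that names exactly the branch users and computers this RODC may cache.
# "OU=Research,$domainDN" is an assumption about where the Research OU lives.
New-ADGroup -Name 'Remote Office Users' -GroupScope Global -Path "OU=Research,$domainDN"
$members  = 'Alan', 'Alexander', 'Dylan', 'Max' | ForEach-Object { Get-ADUser -Identity $_ }
$members += Get-ADComputer -Identity 'NYC-CL1'
Add-ADGroupMember -Identity 'Remote Office Users' -Members $members

# Task 3: add an Allow entry for that group to NYC-SVR1's own PRP, then show both lists.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Remote Office Users'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# Task 4: resultant policy for one account against one RODC. A Remote Office user who is also
# in DnsAdmins would come back as denied, because explicit Deny overrides Allow.
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'Alexander' -DomainController $rodc

# Task 6: prepopulate. The RODC replicates the secret from the writable DC named second.
$toCache = (Get-ADUser -Identity 'Alan').DistinguishedName,
           (Get-ADComputer -Identity 'NYC-CL1').DistinguishedName
foreach ($dn in $toCache) {
    repadmin /rodcpwdrepl $rodc NYC-DC1 $dn
}

# Tasks 5 and 6 (Policy Usage tab): what the RODC actually holds versus who it has authenticated.
# The revealed list is the exact set of credentials exposed if the branch server is stolen.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

Two operational points follow from the last query. Accounts that appear under AuthenticatedAccounts but not RevealedAccounts are ones the RODC had to forward to a writable DC, so they will fail to log on when the WAN link or NYC-DC1 is down, exactly what Task 7 tests; if they are legitimate branch users, they belong in Remote Office Users. Conversely, the RevealedAccounts list is the scope of a compromise of that server: if the RODC is lost or stolen, reset the passwords of every account on it, which is what the Delete RODC dialog in Active Directory Users and Computers offers to do for you.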
To prepare for the next lab
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1.