
Exercise 1: Configuring AD DS Trusts

Task 1: Start the virtual machines, and then log on

1. In the Lab Launcher, next to 6419A-VAN-DC1, click Launch.

2. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.

3. In the Lab Launcher, next to 6419A-NYC-DC2, click Launch.

4. Log on to VAN-DC1 as FABRIKAM\Administrator with the password Pa$$w0rd.

5. Minimize the Lab Launcher window.

Task 2: Configure the Network and DNS Settings to enable the forest trust

1. On VAN-DC1, click Start, point to Control Panel, point to Network Connections, and then click Local Area Connection.

2. In the Local Area Connection Status dialog box, click Properties.

3. Click Internet Protocol (TCP/IP), and then click Properties.

4. Change the IP address to 10.10.0.110, the Default gateway to 10.10.0.1, and the Preferred DNS server to 10.10.0.110.

5. Click OK, and then click Close twice.

6. Click Start, and then click Run.

7. In the Open box, type cmd, and then click OK.

8. At the command prompt, type net time \\10.10.0.10 /set /y and then press ENTER. This command synchronizes the time between VAN-DC1 and NYC-DC1.

9. Type exit and then press ENTER.

MCT USE ONLY. STUDENT USE PROHIBITED

Lab B: Configuring Active Directory Trusts L5-45

10. Click Start, point to Administrative Tools, and then click DNS.

11. In the console pane, expand VAN-DC1.

12. Right-click VAN-DC1, and then click Properties.

13. On the Forwarders tab, click New.

14. Type Woodgrovebank.com, and then click OK.

15. In the Selected domain’s forwarder IP address list field, type 10.10.0.10, and then click Add.

16. Click OK, and then close the DNS management console.

17. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

18. In the console pane, right-click Fabrikam.com, and then click Raise Domain Functional Level.

19. In the Raise Domain Functional Level dialog box, in the Select an available domain functional level list, click Windows Server 2003.

20. Click Raise, and then click OK twice.

21. Right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

22. In the Raise Forest Functional Level dialog box, click Raise, and then click OK twice.

23. Close Active Directory Domains and Trusts.

24. On NYC-DC1, log on as WOODGROVEBANK\Administrator.

25. Click Start, point to Administrative Tools, and then click DNS.

26. In the console pane, expand NYC-DC1.

27. Right-click Conditional Forwarders, and then click New Conditional Forwarder.

28. In the DNS Domain field, type Fabrikam.com.

29. Click under IP Address, and then type 10.10.0.110.

30. Press ENTER, and then click OK.

31. Close DNS Manager.

L5-46 Module 5: Configuring Active Directory Objects and Trusts

Task 3: Configure a forest trust between WoodgroveBank.com and Fabrikam.com

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

2. In the console pane, right-click WoodgroveBank.com, and then click Properties.

3. On the Trusts tab, click New Trust.

4. In the New Trust Wizard, click Next.

5. On the Trust Name page, type Fabrikam.com, and then click Next.

6. On the Trust Type page, click Forest trust, and then click Next.

7. On the Direction of Trust page, click Two-way, and then click Next.

8. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.

9. On the User Name and Password page, in the User name field, type [email protected], and in the Password field, type Pa$$w0rd, and then click Next.

10. On the Outgoing Trust Authentication Level- Local Forest page, click Forest-wide authentication, and then click Next.

11. On the Outgoing Trust Authentication Level- Specified Forest page, click Forest-wide authentication, and then click Next.

12. On the Trust Selections Complete page, click Next.

13. On the Trust Creation Complete page, click Next.

14. On the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust, and then click Next.

15. On the Confirm Incoming Trust page, click Yes, confirm the incoming trust, and then click Next.

16. On the Completing the New Trust Wizard page, click Finish and then click OK.

Task 4: Configure selective authentication for the forest trust to enable access to only NYC-DC2

1. In Active Directory Domains and Trusts, right-click WoodgroveBank.com, and then click Properties.

2. On the Trusts tab, under Domains that trust this domain (incoming trusts), click Fabrikam.com, and then click Properties.

3. In the Fabrikam.com Properties dialog box, on the Authentication tab, click Selective Authentication.

4. Click OK twice, and then close Active Directory Domains and Trusts.

5. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

6. On the View menu, ensure that Advanced Features is selected.

7. In the console pane, click Domain Controllers.

8. In the details pane, double-click NYC-DC2.

9. In the NYC-DC2 Properties dialog box, on the Security tab, click Add.

10. In the Select Users, Computers, or Groups dialog box, click Locations, click Fabrikam.com, and then click OK.

11. In the Select Users, Computers, or Groups dialog box, type MarketingGG, and then click OK.

12. Under Permissions for MarketingGG, next to Allowed to authenticate, select the Allow check box, and then click OK.

13. In the console pane, click Computers.

14. In the details pane, double-click NYC-CL1.

15. In the NYC-CL1 Properties dialog box, on the Security tab, click Add.

16. In the Select Users, Computers, or Groups dialog box, click Locations, click Fabrikam.com, and then click OK.

17. In the Select Users, Computers, or Groups dialog box, type MarketingGG, and then click OK.

18. Under Permissions for MarketingGG, next to Allowed to authenticate, select the Allow check box, and then click OK.

19. Close Active Directory Users and Computers.

Task 5: Test the selective authentication

1. Log on to NYC-CL1 as FABRIKAM\Adam with the password Pa$$w0rd.

Adam is a member of the MarketingGG group at Fabrikam. He is able to log on to a computer in the WoodgroveBank.com domain because of the trust between the two forests, and because he has been allowed to authenticate to NYC-CL1.

2. Click Start, type \\NYC-DC2\netlogon, and then press ENTER. Adam should be able to access the folder.

3. Click Start, type \\NYC-DC1\netlogon, and then press ENTER. Adam should not be able to access the folder because the server is not configured for selective authentication.
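
The grants made in Task 4 and tested in Task 5 can also be read directly from a computer object's DACL. The following PowerShell is an added example, not part of the lab manual; the function name, the SIDs, and the sample DACL are constructed for illustration. It goes slightly beyond the lab by also reporting full-control and all-extended-rights entries, which confer the same right.

```powershell
# Added example, not from the lab manual. Lists Allow ACEs that confer
# "Allowed to authenticate" in a computer object's DACL.
Add-Type -AssemblyName System.DirectoryServices

# rightsGuid of the Allowed-To-Authenticate extended right in the AD schema.
$AllowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-AllowedToAuthenticateAce {
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        # Domain SID of the resource domain; principals outside it are flagged.
        [Parameter(Mandatory)][string]$LocalDomainSid
    )
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            # Full control and "all extended rights" also carry the right,
            # so match the ExtendedRight bit with the specific or the empty GUID.
            ($_.ActiveDirectoryRights -band $extended) -and
            ($_.ObjectType -eq $AllowedToAuth -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object {
            $domainSid = $_.IdentityReference.AccountDomainSid
            [pscustomobject]@{
                Principal = $_.IdentityReference.Value
                Inherited = $_.IsInherited
                Foreign   = [bool]($domainSid -and $domainSid.Value -ne $LocalDomainSid)
            }
        }
}

# Constructed sample DACL (all SIDs are made up): a group from another forest with
# the specific right, a local group with full control, Authenticated Users read-only.
$local = 'S-1-5-21-1111111111-2222222222-3333333333'
$sddl  = "D:(OA;;CR;$AllowedToAuth;;S-1-5-21-3000000001-3000000002-3000000003-1601)" +
         "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;$local-512)(A;;RPRC;;;S-1-5-11)"
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm($sddl)
Get-AllowedToAuthenticateAce -Acl $acl -LocalDomainSid $local | Format-Table -AutoSize

# Against a live domain (assumes the ActiveDirectory module, which the lab does not use):
#   $local = (Get-ADDomain).DomainSID.Value
#   Get-AllowedToAuthenticateAce -Acl (Get-Acl 'AD:\<computer DN>') -LocalDomainSid $local
```

Rows with Foreign set to True are the principals from outside the resource domain that selective authentication will let through to that computer.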

Task 6: Close all virtual machines and discard undo disks

1. For each running virtual machine, close the Virtual Machine Remote Control window.

2. In the Close box, select Turn off machine and discard changes, and then click OK.

3. Close the 6419A Lab Launcher.

Result: At the end of this exercise you will have configured trusts based on a trust configuration design.

Lab A: Creating and Configuring GPOs L6-49

Module 6: Creating and Configuring GPOs

Lab A: Creating and Configuring