
Lab: Managing Active Directory Domain Services Objects

In document Windows2012 20410B ENU TrainerHandbook (Page 124-131)

Scenario

A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London office and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been working for A. Datum as a desktop support specialist and have visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office.

To begin deployment of the new branch office, you are preparing AD DS objects. As part of this preparation, you need to create an OU for the branch office and delegate permission to manage it. Then you need to create users and groups for the new branch office. Finally, you need to reset the secure channel for a computer account that has lost connectivity to the domain in the branch office.

Objectives

After completing this lab, you will be able to:

• Delegate administration for a branch office.

• Create and configure user accounts in AD DS.

• Manage computer objects in AD DS.

Lab Setup

Estimated Time: 60 minutes

Virtual machines: 20410B-LON-DC1, 20410B-LON-CL1

User name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, from Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V® Manager, click 20410B-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

a. User name: Administrator

b. Password: Pa$$w0rd

c. Domain: Adatum

5. Repeat steps 2 to 4 for 20410B-LON-CL1.

MCT USE ONLY. STUDENT USE PROHIBITED

Installing and Configuring Windows Server® 2012 3-27

Exercise 1: Delegating Administration for a Branch Office

Scenario

A. Datum delegates management of each branch office to a specific group. This allows an employee who works onsite to be configured as an administrator when required. Each branch office has a branch administrators group that is able to perform full administration within the branch office OU. There is also a branch office help desk group that is able to manage users in the branch office OU, but not other objects. You need to create these groups for the new branch office and delegate permissions to the groups.

The main tasks for this exercise are as follows:

1. Delegate administration for Branch Administrators.

2. Delegate a user administrator for the Branch Office Help Desk.

3. Add a member to the Branch Administrators.

4. Add a member to the Branch Help Desk group.

Task 1: Delegate administration for Branch Administrators

1. On LON-DC1, open Active Directory Users and Computers, and create in the Adatum.com domain a new OU named Branch Office 1.

2. Create the following global security groups in the Branch Office 1 OU:

o Branch 1 Help Desk

o Branch 1 Administrators

o Branch 1 Users

3. Move Holly Dickson from the IT OU to the Branch Office 1 OU.

4. Move the following users to the Branch Office 1 OU:

o Development\Bart Duncan

o Managers\Ed Meadows

o Marketing\Connie Vrettos

o Research\Barbara Zighetti

o Sales\Arlene Huff

5. Move the LON-CL1 computer to the Branch Office 1 OU, and then restart the LON-CL1 computer.

6. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

7. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to delegate administration of the Branch Office 1 OU to the Branch 1 Administrators security group by delegating the following common and custom tasks:

a. Delegate the following common tasks:

o Create, delete, and manage user accounts

o Reset user passwords and force password change at next logon

o Read all user information

o Create, delete, and manage groups

o Modify the membership of a group

o Manage Group Policy links


b. Delegate the following custom tasks:

o Create and delete computer objects in the current OU

o Full control of computer objects in the current OU

Task 2: Delegate a user administrator for the Branch Office Help Desk

1. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to delegate administration of the Branch Office 1 OU to the Branch 1 Help Desk security group.

2. Delegate the following common tasks:

o Reset user passwords and force password change at next logon

o Read all user information

o Modify the membership of a group
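The same outcome as Tasks 1 and 2 (and the group membership changes in Tasks 3 and 4), scripted from an elevated PowerShell session on LON-DC1 instead of the Delegate Control Wizard. This is an added example, not code from the 20410B handbook. It assumes the Active Directory module and dsacls.exe are present on the domain controller (both ship with the AD DS role), and the ACEs it grants are my reading of what the wizard's task templates write; the Get-Acl check at the end is there so you can confirm them.

```powershell
# Added example (not from the handbook): Exercise 1 Tasks 1-4 on LON-DC1.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # resolves to DC=Adatum,DC=com
$ouDN     = "OU=Branch Office 1,$domainDN"
$admins   = "ADATUM\Branch 1 Administrators"
$helpdesk = "ADATUM\Branch 1 Help Desk"

# Task 1, steps 1-2: the OU and its three global security groups.
New-ADOrganizationalUnit -Name "Branch Office 1" -Path $domainDN
foreach ($g in "Branch 1 Help Desk", "Branch 1 Administrators", "Branch 1 Users") {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ouDN
}

# Task 1, steps 3-5: move the listed users and LON-CL1 into the OU. Move-ADObject
# needs each object's current DN, so every one is looked up first.
foreach ($n in "Holly Dickson", "Bart Duncan", "Ed Meadows", "Connie Vrettos",
                "Barbara Zighetti", "Arlene Huff") {
    Get-ADUser -Filter "Name -eq '$n'" | Move-ADObject -TargetPath $ouDN
}
Get-ADComputer -Identity LON-CL1 | Move-ADObject -TargetPath $ouDN

# One dsacls call per ACE. /I:T = this object and descendants, /I:S = descendants only.
# The ${} braces stop PowerShell from reading "$Trustee:" as a drive name.
function Grant-OuRight {
    param([string]$Trustee, [string]$Right, [ValidateSet("T", "S")][string]$Inherit = "S")
    & dsacls.exe $ouDN "/I:$Inherit" /G "${Trustee}:$Right" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed: $Trustee -> $Right" }
}

# Task 1, step 7: the ACEs behind the wizard's common and custom tasks.
Grant-OuRight $admins "CCDC;user"      T   # create and delete user objects
Grant-OuRight $admins "GA;;user"       S   # manage (full control of) existing users
Grant-OuRight $admins "CCDC;group"     T   # create and delete groups
Grant-OuRight $admins "GA;;group"      S   # manage groups, membership included
Grant-OuRight $admins "RPWP;gPLink"    T   # manage Group Policy links ...
Grant-OuRight $admins "RPWP;gPOptions" T   # ... and link options on the OU
Grant-OuRight $admins "CCDC;computer"  T   # custom: create and delete computer objects
Grant-OuRight $admins "GA;;computer"   S   # custom: full control of computer objects

# Task 2: the help desk gets user-scoped rights only, with no create or delete.
Grant-OuRight $helpdesk "CA;Reset Password;user" S   # Reset Password control-access right
Grant-OuRight $helpdesk "RPWP;pwdLastSet;user"   S   # needed to force a change at next logon
Grant-OuRight $helpdesk "RP;;user"               S   # read all user information
Grant-OuRight $helpdesk "RPWP;member;group"      S   # modify the membership of a group

# Tasks 3-4: membership. Server Operators is a built-in group with broad rights on every
# domain controller; the lab uses it only so Holly and Bart can sign in locally on LON-DC1.
Add-ADGroupMember -Identity "Branch 1 Administrators" -Members Holly
Add-ADGroupMember -Identity "Branch 1 Help Desk"      -Members Bart
Add-ADGroupMember -Identity "Server Operators" -Members "Branch 1 Administrators", "Branch 1 Help Desk"

# Check: list the ACEs on the OU that name the two branch groups.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "ADATUM\Branch 1*" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType,
                  ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

The final Get-Acl listing is the equivalent of opening the OU's Security tab with Advanced view: each wizard task should appear as one or two rows for the group, with ObjectType and InheritedObjectType GUIDs identifying the attribute and the user, group or computer class the ACE applies to. If a row is missing, the corresponding step in Task 3 or Task 4 will fail for Holly or Bart.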

Task 3: Add a member to the Branch Administrators

1. On LON-DC1, add Holly Dickson to the Branch 1 Administrators global group.

2. Add the Branch 1 Administrators global group to the Server Operators domain local group. Sign out from LON-DC1.

3. Sign in as Adatum\Holly with the password Pa$$w0rd. You can log on locally at a domain controller because Holly belongs indirectly to the Server Operators domain local group.

4. From Server Manager, open Active Directory Users and Computers. Confirm Holly’s current credentials in the User Account Control dialog box.

5. Attempt to delete Sales\Aaren Ekelund. You are unsuccessful, because Holly lacks the required permissions.

6. Try to delete Branch Office 1\Ed Meadows. You are successful, because Holly has the required permissions.

Task 4: Add a member to the Branch Help Desk group

1. On LON-DC1, add Bart Duncan to the Branch 1 Help Desk global group.

2. Close Active Directory Users and Computers, and then close Server Manager.

3. Open Server Manager, and then open Active Directory Users and Computers. In the User Account Control dialog box, specify Adatum\Administrator and Pa$$w0rd as the required credentials.

Note: To modify the Server Operators membership list, you must have permissions beyond those available to the Branch 1 Administrators group.

4. Add the Branch 1 Help Desk global group to the Server Operators domain local group. Sign out from LON-DC1.

5. Sign in as Adatum\Bart with the password Pa$$w0rd. You can log on locally at a domain controller because Bart belongs, indirectly, to the Server Operators domain local group.

6. Open Server Manager, and then open Active Directory Users and Computers. Confirm your current credentials in the User Account Control dialog box.

7. Try to delete Branch Office 1\Connie Vrettos. You are unsuccessful, because Bart lacks the required permissions.


8. Reset Connie’s password to Pa$$w0rd.

9. After confirming the password reset is successful, sign out from LON-DC1.

10. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

Results: After completing this exercise, you should have successfully created an OU and delegated administration of it to the appropriate group.

Exercise 2: Creating and Configuring User Accounts in AD DS

Scenario

You have been given a list of new users for the branch office, and you need to begin creating user accounts for them.

The main tasks for this exercise are as follows:

1. Create a user template for the branch office.

2. Configure the template settings.

3. Create a new user for the branch office, based on the template.

4. Sign in as a user to test account settings.

Task 1: Create a user template for the branch office

1. On LON-DC1, create a folder called C:\branch1-userdata, and then share it.

2. Modify the shared folder permissions so that the Everyone group has Full Control Allow permissions.

3. From Server Manager, open Active Directory Users and Computers, and then create a new user with the following properties in the Branch Office 1 OU:

o Full name: _Branch_template

o User logon name: _Branch_template

o Password: Pa$$w0rd

o Account is disabled

Task 2: Configure the template settings

On LON-DC1, modify the following properties of the _Branch_template account:

o City: Slough

o Group: Branch 1 Users

o Home folder: \\lon-dc1\branch1-userdata\%username%


Task 3: Create a new user for the branch office, based on the template

1. On LON-DC1, copy the _Branch_template user account, and configure the following properties:

o First name: Ed

o Last name: Meadows

o Password: Pa$$w0rd

o User must change password at next logon is cleared.

o Account is disabled is cleared.

2. Verify that the following properties have been copied during account creation:

o City: Slough

o Home folder path: \\lon-dc1\branch1-userdata\Ed

o Group: Branch 1 Users

3. Sign out from LON-DC1.
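Tasks 1 to 3 of this exercise scripted on LON-DC1, as an added example that is not code from the handbook. It assumes the Active Directory module and the Branch Office 1 OU from Exercise 1. The point of the function is to make visible what the ADUC "Copy..." action does silently: it substitutes %username% in the home folder path, carries group memberships across, and creates the home folder with an NTFS entry for the new user. New-ADUser does none of those three on its own, so a script that only copies attributes produces a user whose Z: drive mapping in Task 4 fails.

```powershell
# Added example (not from the handbook): Exercise 2 Tasks 1-3 on LON-DC1.
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$ouDN      = "OU=Branch Office 1,$($domain.DistinguishedName)"
$shareRoot = "C:\branch1-userdata"

# Task 1, steps 1-2: the share. Everyone / Full Control on the share is what the lab asks
# for; what a user can actually reach is then decided by the NTFS ACL on each folder.
New-Item -Path $shareRoot -ItemType Directory -Force | Out-Null
New-SmbShare -Name "branch1-userdata" -Path $shareRoot -FullAccess "Everyone" | Out-Null

# Task 1 step 3 and Task 2: a disabled template carrying the shared attributes.
# The password is read at the prompt rather than stored in the script.
New-ADUser -Name "_Branch_template" -SamAccountName "_Branch_template" `
    -UserPrincipalName "_Branch_template@$($domain.DNSRoot)" -Path $ouDN `
    -AccountPassword (Read-Host -AsSecureString "Template password") -Enabled $false `
    -City "Slough" -HomeDrive "Z:" -HomeDirectory "\\lon-dc1\branch1-userdata\%username%"
Add-ADGroupMember -Identity "Branch 1 Users" -Members "_Branch_template"

# Task 3: the ADUC "Copy..." action made explicit (hypothetical helper name).
function New-BranchUserFromTemplate {
    param([string]$First, [string]$Last, [string]$Sam, [securestring]$Password)
    $t = Get-ADUser -Identity "_Branch_template" -Properties City, HomeDrive, HomeDirectory, MemberOf

    # 1. ADUC substitutes %username% in the home folder path at copy time.
    $homePath = $t.HomeDirectory -replace '%username%', $Sam

    New-ADUser -Name "$First $Last" -GivenName $First -Surname $Last -SamAccountName $Sam `
        -UserPrincipalName "$Sam@$($domain.DNSRoot)" -Path $ouDN `
        -City $t.City -HomeDrive $t.HomeDrive -HomeDirectory $homePath `
        -AccountPassword $Password -ChangePasswordAtLogon $false -Enabled $true

    # 2. Group membership is not an attribute New-ADUser copies; re-add each group.
    foreach ($g in $t.MemberOf) { Add-ADGroupMember -Identity $g -Members $Sam }

    # 3. ADUC creates the home folder and grants the user Full Control on it.
    $localPath = Join-Path $shareRoot $Sam
    New-Item -Path $localPath -ItemType Directory -Force | Out-Null
    $acl  = Get-Acl -Path $localPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        "$($domain.NetBIOSName)\$Sam", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"
    $acl.AddAccessRule($rule)
    Set-Acl -Path $localPath -AclObject $acl

    Get-ADUser -Identity $Sam -Properties City, HomeDirectory, HomeDrive, MemberOf
}

# Task 3 for Ed Meadows, followed by the checks from step 2.
$ed = New-BranchUserFromTemplate -First "Ed" -Last "Meadows" -Sam "Ed" `
        -Password (Read-Host -AsSecureString "Password for Ed")
if ($ed.City -ne "Slough") { throw "City was not copied" }
if ($ed.HomeDirectory -ne "\\lon-dc1\branch1-userdata\Ed") { throw "Home folder was not substituted" }
if (-not ($ed.MemberOf -like "CN=Branch 1 Users,*")) { throw "Group membership was not copied" }
"$($ed.Name): $($ed.HomeDrive) -> $($ed.HomeDirectory)"
```

The NTFS entry is what makes the Everyone / Full Control share permission safe enough for the lab: the share grants the maximum, the per-user folder ACL grants the actual access. If you keep the template after the lab, leave it disabled, as Task 1 specifies; a template that can sign in is a real account with a known password.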

Task 4: Sign in as a user to test account settings

1. Switch to LON-CL1 and sign off.

2. Sign in to LON-CL1 as Adatum\Ed with the password Pa$$w0rd. You are able to sign in successfully.

3. Verify that you have a drive mapping for drive Z to Ed’s home folder on LON-DC1.

4. Sign out of LON-CL1.

Results: After completing this exercise, you should have successfully created and tested a user account created from a template.

Exercise 3: Managing Computer Objects in AD DS

Scenario

A workstation has lost its connectivity to the domain and cannot authenticate users properly. When users attempt to access resources from this workstation, access is denied. You need to reset the computer account to recreate the trust relationship between the client and the domain.

The main tasks for this exercise are as follows:

1. Reset a computer account.

2. Observe the behavior when a client logs on.

3. Rejoin the domain to reconnect the computer account.


Task 1: Reset a computer account

1. On LON-DC1, sign in as Adatum\Holly with the password Pa$$w0rd.

2. Open Active Directory Users and Computers.

3. Confirm your credentials in the User Account Control dialog box.

4. Navigate to Branch Office 1.

5. Reset the LON-CL1 computer account.

Task 2: Observe the behavior when a client logs on

1. Switch to LON-CL1 and attempt to sign in as Adatum\Ed with the password Pa$$w0rd. A message displays stating that "The trust relationship between this workstation and the primary domain failed."

2. Click OK to acknowledge the message.

Task 3: Rejoin the domain to reconnect the computer account

1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open Control Panel, switch to Large icons view, and then open System.

3. View the Advanced system settings, and then click the Computer Name tab.

4. In the System Properties dialog box, use the Network ID button to rejoin the computer to the domain.

5. Complete the wizard using the following settings:

o User name: administrator

o Password: Pa$$w0rd

o Domain: Adatum

o Do you want to enable a domain user account on this computer: No

6. When prompted, restart the computer.

7. Sign in as Adatum\Ed with the password Pa$$w0rd. The sign-in succeeds because the computer has been rejoined to the domain.
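The same cycle (the reset in Task 1, the symptom in Task 2, the recovery in Task 3) seen from an elevated PowerShell session on LON-CL1, as an added example that is not code from the handbook. It assumes LON-CL1 is joined to Adatum.com and can reach LON-DC1, and that the account entered at the prompt holds Reset Password on the LON-CL1 computer object (in this lab, Holly through the Branch 1 Administrators delegation, or Adatum\Administrator). The function names are hypothetical; the cmdlets are the standard Microsoft.PowerShell.Management ones.

```powershell
# Added example (not from the handbook): secure channel check and in-place repair on LON-CL1.

# Task 2's dialog ("The trust relationship between this workstation and the primary
# domain failed") shows up here as $false, so a scheduled check can catch it before a user does.
function Test-BranchClientChannel {
    param([string]$Server = "LON-DC1")
    Test-ComputerSecureChannel -Server $Server -Verbose   # $true means the channel is healthy
}

# Repair in place instead of the Network ID wizard from Task 3. The computer account's
# password is reset on the DC and the client's stored copy updated to match, so the object
# keeps its SID, its place in Branch Office 1, and any group memberships. A disjoin/rejoin
# would recreate the object and lose all three (the point behind review question 4).
function Repair-BranchClientChannel {
    param([string]$Server = "LON-DC1")
    if (Test-ComputerSecureChannel -Server $Server) {
        return "Secure channel to $Server is healthy; nothing to repair."
    }
    $cred = Get-Credential -Message "Account allowed to reset $env:COMPUTERNAME in AD DS"
    $ok = Test-ComputerSecureChannel -Server $Server -Credential $cred -Repair
    if (-not $ok) { throw "Repair failed; fall back to the rejoin described in Task 3." }
    # If the account itself is intact and only the client's stored password has drifted
    # (for example a machine restored from an old snapshot or image), this is the lighter fix:
    # Reset-ComputerMachinePassword -Server $Server -Credential $cred
    "Secure channel to $Server repaired."
}

Test-BranchClientChannel
Repair-BranchClientChannel

# On LON-DC1, with "Audit Computer Account Management" enabled: the reset is recorded as
# Security event 4742 (A computer account was changed) for LON-CL1$. Worth checking, since
# the same event fired by an account that should not hold the right is something to look into.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4742 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'LON-CL1\$' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Run Test-BranchClientChannel right after Task 1 to see the broken state, then Repair-BranchClientChannel while signed in as the local Administrator; Ed's sign-in in step 7 then succeeds without the restart the wizard requires.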

Results: After completing this exercise, you should have successfully reset a trust relationship.

To prepare for the next module

When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V® Manager.

2. In the Virtual Machines list, right-click 20410B-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410B-LON-DC1.


Module Review and Takeaways

Review Questions

Question: A company with branches in multiple cities has members of a sales team who travel frequently between domains. Each of these domains has its own printers that are managed by using domain local groups. How can you provide these members with access to the various domains' printers?

Question: You are responsible for managing accounts and access to resources for your group members. A user in your group transfers to another department within the company.

What should you do with the user’s account?

Question: What is the main difference between the Computers container and an OU?

Question: When should you reset a computer account? Why is it better to reset the computer account rather than to disjoin and then rejoin it to the domain?

Question: A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS; however, you do not want to give the project manager permission to manage anything else in AD DS. What is the best way to do this?

Question: You are working as an IT technician in Contoso, Ltd. You are managing the Windows Server–based infrastructure. You have to find a method for joining new Windows 8-based computers to a domain during the installation process, without intervention of a user or an administrator. What is the best way to do this?

Tools

Tool | Use | Where to find it

Active Directory Users and Computers | Manage groups | Administrative Tools

Active Directory module for Windows PowerShell | Manage groups | Installed as Windows Feature

DS utilities | Manage groups | Command line

Active Directory module for Windows PowerShell | Computer account management | Administrative Tools

Djoin.exe | Offline domain join | Command line

Redircmp.exe | Change default computer container | Command line

DSACLS | View and modify AD DS permissions | Command line
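An offline domain join with Djoin.exe, the tool listed above for joining computers that have no line of sight to a domain controller, as an added example that is not code from the handbook. It assumes a new computer named LON-CL2 (a hypothetical name, not one of the lab machines) destined for the Branch Office 1 OU, and that the account running the first step may create computer objects there (a Branch 1 Administrator after Exercise 1, or Adatum\Administrator). The two halves run on different machines, as the comments say.

```powershell
# Added example (not from the handbook): offline domain join of LON-CL2 (hypothetical).

# --- Step 1, on LON-DC1 ---------------------------------------------------------------
# Pre-create the computer object in the branch OU and write the join blob. The blob
# contains the machine account password, so store it where only the provisioning
# process can read it and treat it like any other credential.
$ouDN     = "OU=Branch Office 1,DC=Adatum,DC=com"
$blobPath = "C:\provision\LON-CL2.txt"
New-Item -Path (Split-Path $blobPath) -ItemType Directory -Force | Out-Null
djoin.exe /provision /domain Adatum.com /machine LON-CL2 /machineou $ouDN /savefile $blobPath
if ($LASTEXITCODE -ne 0) { throw "Provisioning failed; check the rights on $ouDN" }
Get-ADComputer -Identity LON-CL2 | Select-Object Name, Enabled, DistinguishedName

# --- Step 2, on the new computer, from an elevated prompt ---------------------------
# Apply the blob to the installed Windows image and restart. No DC connectivity is needed
# at this point; the same blob can also be supplied through an unattend.xml answer file
# (Microsoft-Windows-UnattendedJoin component), which is what makes the join happen during
# setup with nobody signing in.
djoin.exe /requestodj /loadfile C:\provision\LON-CL2.txt /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "Offline join request failed" }
Remove-Item -Path C:\provision\LON-CL2.txt -Force   # single-use; do not leave it behind
Restart-Computer -Confirm

# --- After the restart, on LON-CL2 ---------------------------------------------------
# Confirm the computer can establish its secure channel to the domain.
Test-ComputerSecureChannel -Verbose
```

Because the object is created in Step 1 with the OU given by /machineou, it never lands in the default Computers container, which is the usual reason a freshly joined machine misses the branch Group Policy; Redircmp.exe from the table above changes that default for joins that do not specify an OU.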
