20742B ENU Practice Handbook

This document provides instructions for deploying and administering Active Directory Domain Services (AD DS) by: 1. Installing the AD DS role on a server to make it a domain controller. 2. Promoting a remote server to a domain controller using Server Manager and Windows PowerShell scripts. 3. Running the AD DS Best Practices Analyzer to check the domain controller configuration. 4. Checking prerequisites and creating a configuration file for cloning an existing domain controller.


MCT USE ONLY.

STUDENT USE PROHIBITED


OFFICIAL MICROSOFT LEARNING PRODUCT

20742B
Identity with Windows Server 2016

Module 1: Installing and configuring domain controllers


Lab: Deploying and administering AD DS
Exercise 1: Deploying AD DS
 Task 1: Install AD DS binaries
1. On LON-DC1, in Server Manager, click Tools, and then click Windows PowerShell.

2. At the command prompt in the Windows PowerShell command-line interface, type the following
command, and then press Enter:

Install-WindowsFeature -Name AD-Domain-Services -ComputerName LON-SVR1

3. Type the following command to verify that the AD DS role is installed on LON-SVR1, and then press
Enter:

Get-WindowsFeature -ComputerName LON-SVR1

4. In the output of the previous command, scroll up and search for Active Directory Domain Services.
Verify that this check box is selected. Search for Remote Server Administration Tools. Look for the
Role Administration Tools node below it, and then look for the AD DS and AD LDS Tools node.

Note: Below the AD DS and AD LDS Tools node, only Active Directory module for
Windows PowerShell has been installed, not the graphical tools such as the Active
Directory Administrative Center. If you centrally manage your servers, you will not usually
need these on each server. If you want to install them, specify the AD DS tools by
running the Add-WindowsFeature cmdlet with the feature name RSAT-ADDS.

Note: You might need to wait a short time after the installation process completes
before verifying that the AD DS role has installed. If you do not see the expected results from
the Get-WindowsFeature command, you can try again after a few minutes.

 Task 2: Prepare the AD DS installation and promote a remote server

Add LON-SVR1 to Server Manager on LON-DC1


1. On LON-DC1, in Server Manager, select the All Servers view.

2. On the Manage menu, click Add Servers.

3. In the Add Servers dialog box, maintain the default settings, and then click Find Now.

4. In the Active Directory list of servers, select LON-SVR1, click the arrow to add it to the Selected list,
and then click OK.

Remotely configure AD DS by using Server Manager


1. On LON-DC1, ensure that the installation of the AD DS role on LON-SVR1 is complete and that the
server was added to Server Manager. Then click the Notifications flag symbol.

2. Note the post-deployment configuration of LON-SVR1, and then click the Promote this server to a
domain controller link.

3. In the Active Directory Domain Services Configuration Wizard, on the Deployment
Configuration page, under Select the deployment operation, verify that Add a domain controller
to an existing domain is selected.

4. Ensure that the Adatum.com domain is specified, and then in the Supply the credentials to perform
this operation section, click Change.

5. In the Credentials for deployment operation dialog box, in the User name box, type
Adatum\Administrator, and then in the Password box, type Pa55w.rd.

6. Click OK, and then click Next.

7. On the Domain Controller Options page, clear the selections for Domain Name System (DNS)
server and Global Catalog (GC). Ensure that Read-only domain controller (RODC) is cleared.

8. In the Type the Directory Services Restore Mode (DSRM) password section, type and confirm the
password Pa55w.rd, and then click Next.

9. On the Additional Options page, click Next.

10. On the Paths page, keep the default path settings for the Database folder, Log files folder, and
SYSVOL folder, and then click Next.

11. On the Review Options page, click View script to open the generated Windows PowerShell script.

12. In Notepad, edit the generated Windows PowerShell script:

o Delete the comment lines that begin with the number sign (#).

o Remove the Import-Module line.

o Remove the grave accents (`) at the end of each line.

o Remove the line breaks.

13. Now the Install-ADDSDomainController command and all the parameters are on one line. Place the
cursor in front of the line, and then press Shift+End to select the whole line. On the menu, click Edit,
and then click Copy.

14. Switch to the Active Directory Domain Services Configuration Wizard, and then click Cancel.

15. When prompted for confirmation, click Yes to cancel the wizard.

16. Switch to Server Manager. On the menu, click Tools, and then click Windows PowerShell.

17. At the Windows PowerShell command prompt, type the following command:

Invoke-Command -ComputerName LON-SVR1 { }

18. Place the cursor between the braces ({ }), and then paste the content of the copied script line from the
clipboard. The whole line should now be as follows:

Invoke-Command -ComputerName LON-SVR1 {Install-ADDSDomainController -NoGlobalCatalog:$true -Credential (Get-Credential) -CriticalReplicationOnly:$false -DatabasePath "C:\Windows\NTDS" -DomainName "Adatum.com" -InstallDns:$false -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SiteName "Default-First-Site-Name" -SysvolPath "C:\Windows\SYSVOL" -Force:$true }

19. Press Enter to start the command.

20. In the Windows PowerShell Credential Request dialog box, type Adatum\Administrator in the
User name box, type Pa55w.rd in the Password box, and then click OK.

21. When prompted for the password, in the SafeModeAdministratorPassword text box, type
Pa55w.rd, and then press Enter.

22. When prompted for confirmation, in the Confirm password text box, type Pa55w.rd, and then press
Enter.

23. Wait until the command runs and the Status Success message is returned. The LON-SVR1 virtual
machine restarts.

24. Close Notepad without saving the file.

25. After LON-SVR1 restarts, on LON-DC1, switch to Server Manager, and on the left side, click the AD DS
node. Note that LON-SVR1 has been added as a server and that the warning notification has
disappeared. You might have to click Refresh.
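The promotion in Task 2 pastes Get-Credential into a remote script block and reuses Pa55w.rd as the DSRM password. The following is an added example, not part of the handbook, that performs the same promotion from LON-DC1 in one pass: the domain credential and the DSRM password are prompted for once and passed into the remote session as objects, and the new domain controller is checked afterwards. Server, domain and site names are the lab's; the wait loop and the repadmin/dcdiag checks are additions.

```powershell
# Added example (not from the course handbook): promote LON-SVR1 from LON-DC1 in one
# non-interactive pass and verify the result. Server/domain/site names are the lab's.
$target = 'LON-SVR1'
$domain = 'Adatum.com'

# Domain credential for the promotion: prompted, never written into the script.
$cred = Get-Credential -Message "Account in $domain allowed to add domain controllers"

# DSRM password: the local break-glass password of the new DC. Use a value that differs
# from every domain account password and store it in the password vault.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (SafeModeAdministrator) password'

# 1. Install the AD DS binaries on the remote server (no-op if already installed).
Install-WindowsFeature -Name AD-Domain-Services -ComputerName $target |
    Select-Object Success, RestartNeeded, ExitCode

# 2. Promote the remote server. The credential and the DSRM SecureString are passed
#    into the remote session as objects (protected by the remoting transport) instead
#    of being typed at a prompt inside the session, as the pasted one-liner does.
Invoke-Command -ComputerName $target -ScriptBlock {
    param($DomainName, $Credential, $SafeModePassword)
    Install-ADDSDomainController `
        -DomainName $DomainName `
        -Credential $Credential `
        -SafeModeAdministratorPassword $SafeModePassword `
        -InstallDns:$false `
        -NoGlobalCatalog:$true `
        -SiteName 'Default-First-Site-Name' `
        -DatabasePath 'C:\Windows\NTDS' `
        -LogPath 'C:\Windows\NTDS' `
        -SysvolPath 'C:\Windows\SYSVOL' `
        -Force:$true
} -ArgumentList $domain, $cred, $dsrm

# 3. The server reboots when the promotion completes; wait until WinRM answers again.
Start-Sleep -Seconds 60
do { Start-Sleep -Seconds 15 } until (Test-WSMan -ComputerName $target -ErrorAction SilentlyContinue)

# 4. Confirm the new DC is registered in the directory and that it replicates.
Get-ADDomainController -Identity $target |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem
repadmin /showrepl $target
dcdiag /s:$target /test:Advertising /test:Replications
```

The DSRM password is the one credential on a domain controller that is not subject to domain password policy or auditing, so it is the one that should not be the classroom value; the prompt above is there to make that choice deliberate.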

 Task 3: Run the AD DS Best Practices Analyzer


1. On LON-DC1, in Server Manager, go to the AD DS dashboard view.

2. Scroll down to the Best Practices Analyzer section, click the Tasks menu, and then click Start BPA
Scan.

3. In the Select Servers dialog box, select LON-DC1.Adatum.com and LON-SVR1.Adatum.com.

4. Click Start Scan, and then wait until the Best Practices Analyzer (BPA) finishes the scan.

5. Review the results of the BPA.

Results: After this exercise, you should have successfully created a new domain controller and reviewed the
Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) results for that domain controller.
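The scan from Task 3 is usually run from a script once more than a couple of domain controllers exist. Added example, not from the handbook: it runs the AD DS BPA model against both lab DCs from LON-DC1 and keeps only findings that need action. Microsoft/Windows/DirectoryServices is the built-in AD DS model identifier; the server names are the lab's and the output path is an assumption.

```powershell
# Added example (not from the handbook): run the AD DS BPA model against both DCs from
# LON-DC1 and keep the findings that need action. Model ID is the built-in AD DS model.
Import-Module BestPractices
$servers = 'LON-DC1', 'LON-SVR1'
$model   = 'Microsoft/Windows/DirectoryServices'

$findings = foreach ($s in $servers) {
    # Invoke-BpaModel runs the scan; Get-BpaResult reads the stored results of the last run.
    Invoke-BpaModel -ModelId $model -ComputerName $s | Out-Null
    Get-BpaResult -ModelId $model -ComputerName $s |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
        Select-Object @{ n = 'Server'; e = { $s } }, Severity, Category, Title, Problem, Resolution
}

# Errors sort before warnings; keep the CSV with the change record for the new DC.
# C:\Temp is an assumed location.
$findings | Sort-Object Severity, Server | Format-Table -AutoSize -Wrap
$findings | Export-Csv -NoTypeInformation -Path "C:\Temp\bpa-adds-$(Get-Date -Format yyyyMMdd).csv"
```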

Exercise 2: Deploying domain controllers by performing domain controller cloning
 Task 1: Check for domain controller clone prerequisites
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.

2. In the Active Directory Administrative Center, double-click Adatum (local), and then in the
management list, double-click the Domain Controllers organizational unit (OU).

3. In the management list, select LON-DC1, if it is not already selected, and then in the Tasks pane, in the
LON-DC1 section, click Add to group.
4. In the Select Groups dialog box, in the Enter the object names to select box, type Cloneable, and
then click Check Names.

5. Ensure that the group name is expanded to Cloneable Domain Controllers, and then click OK.

6. On LON-DC1, on the taskbar, click the Windows PowerShell icon.

7. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Get-ADDCCloningExcludedApplicationList

8. Verify the list of critical apps, if any. (In production, verify each app or use a domain controller that has
fewer apps installed by default.) Type the following command, and then press Enter:

Get-ADDCCloningExcludedApplicationList -GenerateXML

9. Run the following command to create the DCCloneConfig.xml file:

New-ADDCCloneConfigFile
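Membership in Cloneable Domain Controllers is itself a privilege: it allows whoever can copy the virtual machine to bring up an additional domain controller, and the exported virtual hard disk carries a complete NTDS.dit. The lab adds LON-DC1 to the group and never removes it. The following added example (not the handbook's code) runs the Task 1 prerequisite checks in order on the source DC, writes a DCCloneConfig.xml with a fixed name and static address so the clone cannot come up with the source's identity, and ends with the removal step. LON-DC3 and the 172.16.0.x addresses are assumed values.

```powershell
# Added example (not from the handbook): run on the source DC (LON-DC1). The clone name,
# site and the 172.16.0.x addresses are assumed values for the lab network.
Import-Module ActiveDirectory
$source = $env:COMPUTERNAME          # LON-DC1 when run there
$clone  = 'LON-DC3'

# 1. Cloning is negotiated with the PDC emulator, which must run Windows Server 2012 or later.
$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdc ($((Get-ADDomainController -Identity $pdc).OperatingSystem))"

# 2. The source DC must be in Cloneable Domain Controllers. Grant it for the duration of
#    the clone only; step 5 removes it again so the right does not stay behind.
$cloneGroup = Get-ADGroup 'Cloneable Domain Controllers'
$sourceAcct = Get-ADComputer $source
Add-ADGroupMember -Identity $cloneGroup -Members $sourceAcct

# 3. Every installed service or program that is not on the built-in allow list blocks the
#    clone. Review the list; -GenerateXml writes CustomDCCloneAllowList.xml, which should
#    only be done for entries you have vetted as safe to duplicate.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    'Review before cloning:'
    $excluded | Format-Table Name, Type -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# 4. Write DCCloneConfig.xml. The cmdlet repeats the checks above and fails if any is
#    unmet. A fixed name and static address keep the clone from ever coming up as a
#    second LON-DC1 on the network.
New-ADDCCloneConfigFile -CloneComputerName $clone -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '172.16.0.12' -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'

# 5. After the clone has booted and been checked (it appears as LON-DC3 in
#    Get-ADDomainController -Filter *), revoke the cloning right and delete or encrypt
#    the exported VM files: the exported VHD holds a complete NTDS.dit.
# Remove-ADGroupMember -Identity $cloneGroup -Members $sourceAcct -Confirm:$false
```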

 Task 2: Copy the source domain controller


1. Type the following command to shut down LON-DC1, and then press Enter:

Stop-Computer

2. On the host computer, in Hyper-V Manager, in the management list, select the 20742B-LON-DC1
virtual machine.

3. In the Actions pane, in the 20742B-LON-DC1 section, click Export.

4. In the Export Virtual Machine dialog box, type the location D:\Program Files\Microsoft Learning\20742,
and then click Export. Wait until the export finishes.

Note: Depending on your classroom's setup, the Program Files\Microsoft Learning\20742 folder
might be on drive C. Locate and use the existing folder for the remainder of the lab.

5. In the Actions pane, in the 20742B-LON-DC1 section, click Start, and then sign in as
Adatum\Administrator with the password Pa55w.rd.

 Task 3: Perform domain controller cloning


1. On the host computer, in Hyper-V Manager, in the Actions pane, in the section that is named for the
host computer, click Import Virtual Machine.

2. In the Import Virtual Machine Wizard, on the Before You Begin page, click Next.

3. On the Locate Folder page, click Browse, browse to the folder
D:\Program Files\Microsoft Learning\20742\20742B-LON-DC1, click Select Folder, and then click Next.

4. On the Select Virtual Machine page, select 20742B-LON-DC1 (if it is not already selected), and then
click Next.

5. On the Choose Import Type page, select Copy the virtual machine (create a new unique ID), and
then click Next.

6. On the Choose Folders for Virtual Machine Files page, select the Store the virtual machine in a
different location check box.

7. For each folder location, specify D:\Program Files\Microsoft Learning\20742\ as the path, and then
click Next.

8. On the Choose Folders to Store Virtual Hard Disks page, provide the path
D:\Program Files\Microsoft Learning\20742\, and then click Next.

9. On the Completing Import Wizard page, click Finish.

10. In the management list, identify and select the newly imported virtual machine named
20742B-LON-DC1, which has the State shown as Off. In the lower section of the Actions pane,
click Rename.
11. Type 20742B-LON-DC3 as the name, and then press Enter.

12. In the Actions pane, in the 20742B-LON-DC3 section, click Start, and then click Connect to see the
virtual machine starting.

13. While the server is starting, you might see the message “Domain Controller cloning is at x%
completion.”

Results: After completing this exercise, you should have successfully deployed a domain controller by
cloning it in Microsoft Hyper-V.

Exercise 3: Administering AD DS
 Task 1: Use the Active Directory Administrative Center

Navigate within the Active Directory Administrative Center


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.

2. In the navigation pane, click the Tree View tab, and then expand Adatum (local).

Perform an administrative task within the Active Directory Administrative Center


1. In the Active Directory Administrative Center, click Overview.

2. In the Reset Password section, in the User name box, type Adatum\Adam.

3. In the Password and Confirm password boxes, type Pa55w.rd.

4. Clear the User must change password at next log on check box, and then click Apply.

5. In the Global Search section, in the Search box, type Lon, and then press Enter.

Create objects
1. In the Active Directory Administrative Center, in the navigation pane tree view, expand Adatum
(local), and then click the Computers container.

2. In the Tasks pane, in the Computers section, click New, and then select Computer.
3. In the Create Computer dialog box, type the following information, and then click OK:

o Computer name: LON-CL4

o Computer (NetBIOS) name: LON-CL4

View all object attributes


1. In the Active Directory Administrative Center, double-click Adatum (local), and then in the
management list, double-click Computers.

2. Select LON-CL4, and then in the Tasks pane, in the LON-CL4 section, click Properties.

3. In the LON-CL4 window, scroll down to the Extensions section, click the Attribute Editor tab, and
then note that all the attributes of the computer object are available here.

4. Close the LON-CL4 window by clicking Cancel.



Use the Windows PowerShell History viewer


1. In the Active Directory Administrative Center, click the Windows PowerShell History toolbar at the
bottom of the screen.

2. View the details for the New-ADComputer cmdlet that you used to perform the most recent task.

3. On LON-DC1, close all open windows.

Results: After completing this exercise, you should have successfully used the Active Directory
Administrative Center to manage AD DS and reviewed the Windows PowerShell cmdlets that run in the
background.

 Task 2: Prepare for the next module


When you are finished with the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-LON-SVR1.



Module 2: Managing objects in AD DS


Lab A: Managing AD DS objects
Exercise 1: Creating and managing groups in AD DS
 Task 1: Create groups and add members
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.

2. Click Adatum (local), and then click Managers.

3. In the Tasks pane, under Managers, click New, and then click Group.

4. In the Group name: field, type Enterprise Managers.


5. Under Group scope, click Universal.

6. Click OK to close the Create Group: Enterprise Managers window.

7. Click Adatum (local), and then click the Research organizational unit (OU).

8. In the Tasks pane, under Research, click New, and then click Group.

9. In the Group name: field, type Research Mail.

10. In the Group type section, select Distribution.


11. In the Email field, type [email protected].

12. In the Managed By section, click Edit.

13. In the Select Users, Contacts, or Groups dialog box, in Enter the object names to select
(examples), type Cai, click Check Names, and then click OK.

14. Select the Manager can update membership list check box.

15. Click OK to close the Create Group: Research Mail window.


16. In the Tasks pane, under Research, click New, and then click Group.

17. In the Group name: field, type Research Managers.

18. Scroll to the Members section, and then click Add.

19. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in Enter the
object names to select (examples), type Cai; Vera, click Check Names, and then click OK.

20. Click OK to close the Create Group: Research Managers window.

 Task 2: Configure group nesting


1. Double-click Adatum (local), and then double-click the Managers OU.

2. Right-click the Enterprise Managers group, and then click Properties.

3. In the navigation pane, click Members, and then click Add.


4. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in Enter the
object names to select (examples), type Managers; Research Managers, click Check Names, and
then click OK.
5. Click OK to close the Enterprise Managers window.

 Task 3: Convert a group type from distribution to security


1. In the navigation pane, click Research.

2. Double-click the Research Mail group.

3. Under Group type, click Security, and then click OK.

Results: After completing this exercise, you will have:

 Created groups and added members.

 Configured group nesting.

 Converted a group type.

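Added example, not from the handbook: the groups of Exercise 1 created with the ActiveDirectory module. The point it adds is what the Manager can update membership list check box does. It is not an attribute: managedBy alone grants nothing, and the check box writes an ACE on the group giving the manager WriteProperty on the member attribute, so in PowerShell that ACE has to be added explicitly. The OU distinguished names, the sAMAccountNames Cai and Vera, and the mail address are assumptions (the page's address is redacted).

```powershell
# Added example (not from the handbook): Exercise 1 with the ActiveDirectory module.
# OU DNs, the sAMAccountNames Cai and Vera, and the mail address are assumptions.
Import-Module ActiveDirectory
$managersOu = 'OU=Managers,DC=adatum,DC=com'
$researchOu = 'OU=Research,DC=adatum,DC=com'
$manager    = Get-ADUser Cai                 # Cai Chu, the designated group manager

# Task 1: the three groups and their members.
New-ADGroup -Name 'Enterprise Managers' -GroupScope Universal -GroupCategory Security -Path $managersOu
New-ADGroup -Name 'Research Mail' -GroupScope Global -GroupCategory Distribution -Path $researchOu `
    -ManagedBy $manager -OtherAttributes @{ mail = 'research@adatum.com' }   # address assumed
New-ADGroup -Name 'Research Managers' -GroupScope Global -GroupCategory Security -Path $researchOu
Add-ADGroupMember -Identity 'Research Managers' -Members (Get-ADUser Cai), (Get-ADUser Vera)

# "Manager can update membership list": managedBy by itself grants nothing. The check
# box adds an ACE on the group giving the manager WriteProperty on the member attribute;
# bf9679c0-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of member.
$memberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$grpPath = "AD:\$((Get-ADGroup 'Research Mail').DistinguishedName)"
$acl = Get-Acl -Path $grpPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $manager.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr)
$acl.AddAccessRule($ace)
Set-Acl -Path $grpPath -AclObject $acl

# Task 2: nesting. Task 3: distribution -> security conversion.
Add-ADGroupMember -Identity 'Enterprise Managers' -Members 'Managers', 'Research Managers'
Set-ADGroup -Identity 'Research Mail' -GroupCategory Security

# Check: who may write member on Research Mail (should list ADATUM\Cai), and the new type.
(Get-Acl -Path $grpPath).Access |
    Where-Object { $_.ObjectType -eq $memberAttr -and
                   ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
Get-ADGroup 'Research Mail' -Properties managedBy, mail |
    Select-Object Name, GroupCategory, GroupScope, managedBy, mail
```

The final check matters after Task 3: converting Research Mail to a security group does not remove the manager's write-member ACE, so from that point Cai can add principals to a group that now carries security meaning.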
Exercise 2: Creating and configuring user accounts in AD DS


 Task 1: Create and configure a user template for the Research department
1. Ensure that the Research OU is selected.

2. In the Tasks pane, under Research, click New, and then click User.
3. In the Create User window, in the First name field, type _Research Template.

4. In the User UPN logon field, type ResearchTemplate.

5. In the Password and Confirm password fields, type Pa55w.rd.


6. In the navigation pane, click Organization, and then in the Department field, type Research.

7. In the Company field, type Adatum.

8. In the Manager field, click Edit.


9. In the Select Users or Contacts dialog box, in Enter the object names to select (examples), type
Cai, click Check Names, and then click OK.

10. In the navigation pane, click Member Of.

11. Click Add.

12. In the Select Groups dialog box, in Enter the object names to select (examples), type Research,
and then click Check Names. In the Multiple Names Found dialog box, select Research, and then
click OK twice.

13. In the navigation pane, click Profile.

14. In the Log on script field, type \\LON-DC1\Netlogon\Logon.bat, and then click OK.

15. Click the _Research Template account, and then in the Tasks pane, under _Research Template, click
Disable.

16. Close Active Directory Administrative Center.



 Task 2: Create new users for the Research branch office based on the template
1. In Server Manager, click Tools, and then click Active Directory Users and Computers.

2. Expand Adatum.com, and then click the Research OU.

3. Right-click the _Research Template account, and then click Copy.

4. In the Copy Object – User dialog box, type Research in the First name field, and then type User in
the Last name field.
5. In the User logon name field, type ResearchUser, and click Next.

6. In the Password and Confirm password fields, type Pa55w.rd.

7. Clear the Account is disabled check box, and then click Next.

8. Click Finish.

 Task 3: Validate the template


1. Double-click Research User.

2. Click the Profile tab, and then ensure that the Logon script path is \\LON-DC1\Netlogon\Logon.bat.
3. Click the Organization tab, and then ensure that the Department is Research, the Company is
Adatum, and the Manager is Cai Chu.

4. Click the Member Of tab, and then ensure that the user is a member of the Research group.

5. Click Cancel to close the Research User Properties dialog box.

Results: After completing this exercise, you will have:


 Created and configured a user template for Research users.

 Created a new user based on the template.

 Validated that the template settings were copied to the new user.

Exercise 3: Managing computer objects in AD DS


 Task 1: Reset a computer account
1. In Active Directory Users and Computers, click the Computers container.

2. In the details pane, right-click the LON-CL1 computer account, and then click Reset Account.
3. In the Active Directory Domain Services dialog box, click Yes.

4. In the Active Directory Domain Services message box, click OK.

 Task 2: Observe the behavior when a client attempts to sign in


 Restart LON-CL1, and then attempt to sign in as Adatum\Adam with the password Pa55w.rd.

Question: What is the message displayed?

Answer: The trust relationship between this workstation and the primary domain failed.

 Task 3: Resolve the computer issue


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa55w.rd.

2. Right-click the Start button, and then click Run.

3. Type PowerShell, and then press Enter.

4. In the Administrator: Windows PowerShell window, type the following cmdlet, and then press Enter:

Test-ComputerSecureChannel –Repair

5. Close the Windows PowerShell window, and then sign out.

6. Sign in as Adatum\Adam with the password Pa55w.rd. The sign in will succeed now.

7. Sign out of LON-CL1.

8. Leave the VMs running for the next lab.

Results: After completing this exercise, you will have:


 Reset a computer account.

 Observed the behavior when a client signs in.

 Resolved the computer issue.

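Added example, not from the handbook, covering Tasks 1 to 3 of this exercise from the client side: check the secure channel, see why it failed, and repair it with an explicit credential rather than relying on a cached administrator logon. LON-DC1 and the ADATUM NetBIOS domain name are the lab's.

```powershell
# Added example (not from the handbook): run in an elevated PowerShell on LON-CL1.
# LON-DC1 and the ADATUM NetBIOS domain name are the lab's.
$dc = 'LON-DC1'

# 1. Is the secure channel usable? -Verbose prints the failing step, typically that the
#    DC rejected the machine password. "Reset Account" in the lab reverted the password
#    stored in AD to its initial value while the client kept the current one, hence the
#    "trust relationship ... failed" message at logon.
$ok = Test-ComputerSecureChannel -Server $dc -Verbose
"Secure channel to $dc healthy: $ok"

# 2. Netlogon's view: which DC the channel is bound to and its status code.
nltest /sc_query:ADATUM | Where-Object { $_ -match 'Trusted DC Name|Status' }

# 3. Repair with an explicit account that can reset computer objects in the Computers
#    container. With -Credential the repair does not depend on a cached domain admin
#    logon, and the client generates a new machine password rather than reverting
#    to a known one.
if (-not $ok) {
    $cred = Get-Credential -Message 'Account allowed to reset the computer account'
    if (-not (Test-ComputerSecureChannel -Server $dc -Repair -Credential $cred)) {
        # Fallback: force a new machine password and re-establish the channel.
        Reset-ComputerMachinePassword -Server $dc -Credential $cred
    }
}

# 4. Confirm. On the DC side, Get-ADComputer LON-CL1 -Properties PasswordLastSet
#    should now show a timestamp from the repair, not from the reset.
Test-ComputerSecureChannel -Server $dc
```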


Lab B: Administering AD DS
Exercise 1: Delegating administration for OUs
 Task 1: Create a new OU for the branch office
1. On LON-DC1, in Active Directory Users and Computers, right-click Adatum.com, click New, and then
click Organizational Unit.

2. In the New Object – Organizational Unit dialog box, type London in the Name field, and then click
OK.

 Task 2: Create groups for branch administrators and branch help-desk personnel
1. Right-click the London OU, click New, and then click Group.

2. In the New Object – Group dialog box, type London Admins, and then click OK.
3. Repeat steps 1 and 2 to create a group named London Helpdesk.

 Task 3: Add members to the group


1. Click the IT OU.

2. Right-click the Beth Burke user account, and then click Add to a group.
3. In the Select Groups dialog box, in Enter the object names to select (examples):, type London
Admins. Click Check Names, and then click OK.

4. In the Active Directory Domain Services message box, click OK.

5. Right-click the Dante Dabney user account, and then click Add to a group.

6. In the Select Groups dialog box, in Enter the object names to select (example):, type London
Helpdesk. Click Check Names, and then click OK.
7. In the Active Directory Domain Services message box, click OK.

 Task 4: Delegate permissions to the group


1. In Active Directory Users and Computers, click View, and then click Advanced Features.

2. Right-click the London OU, and then click Properties.

3. Click the Security tab, and then click Add.

4. In the Select Users, Computers, Service Accounts or Groups dialog box, in Enter the object names
to select (example):, type London Admins. Click Check Names, and then click OK.
5. Ensure that the London Admins group is selected, check Full Control in the Allow column, and then
click OK.

6. Right-click the London OU, and then click Delegate Control.


7. In the Delegation of Control Wizard, click Next.

8. On the Users or Groups page, click Add.

9. In the Select Users, Computers, or Groups dialog box, in Enter the object names to select
(example):, type London Helpdesk. Click Check Names, click OK, and then click Next.

10. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

11. On the Active Directory Object Type page, click Only the following object in this folder.

12. Scroll to the bottom of the list. Click User objects, and then select the check boxes for Create selected
objects in this folder and Delete selected objects in this folder, and then click Next.

13. On the Permissions page, click Full Control, and then click Next.

14. Click Finish.

 Task 5: Test permissions


1. Switch to LON-SVR1.

2. Click Start, click Server Manager, and then click Add roles and features.

3. In the Add Roles and Features Wizard, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, click Next.

6. On the Select server roles page, click Next.

7. On the Select features page, expand Remote Server Administration Tools, and then expand Role
Administration Tools. Expand AD DS and AD LDS Tools. Select the check box beside AD DS Tools,
and then click Next.

8. Click Install. Wait for the installation to complete.

9. When the installation is complete, click Close.

10. Sign out of LON-SVR1.

Test permissions for London Admins


1. Sign in to LON-SVR1 as Beth with the password Pa55w.rd.

2. Click Start, and then click the Server Manager tile.

3. Click Tools, and then click Active Directory Users and Computers.

4. Expand Adatum.com, and then click the Research OU. Notice that the icons on the toolbar to create
users, groups, or OUs are dimmed.

5. Click the London OU. Notice that those icons are available now.

6. Right-click the London OU, click New, and then click Organizational Unit.

7. In the New Object – Organizational Unit dialog box, type Laptops in the Name field, and then click
OK. The creation will succeed.

8. Sign out of LON-SVR1.



Test permissions for London Helpdesk


1. Sign in to LON-SVR1 as Dante with the password Pa55w.rd.

2. Click Start, and then click the Server Manager tile.

3. Click Tools, and then click Active Directory Users and Computers.

4. Expand Adatum.com, and then click the London OU. Notice that the only available icon is the create
user icon.

Results: After completing this exercise, you will have:

 Created a new OU for the branch office.

 Created groups for branch administrators and branch help-desk personnel.

 Added members to the group.

 Delegated permission to the groups.

 Installed Active Directory Domain Services (AD DS) tools and tested permissions.

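Task 4 gave London Admins Full Control on the OU and London Helpdesk a narrower custom delegation. Before treating the sign-in test as proof, a practitioner reads the ACL back to see what was actually granted: Full Control on an OU includes WriteDacl and WriteOwner, so London Admins can extend their own rights and create any object class under London, far more than the helpdesk received. Added example, not the handbook's; it resolves the GUIDs the ACL stores to attribute, class and extended-right names using the schema. The OU DN is the lab's.

```powershell
# Added example (not from the handbook): list what the delegation in Task 4 actually
# granted on the London OU, resolving the object-type GUIDs the ACL stores into names.
# The OU DN is the lab's; the GUID lookup reads the schema, nothing is hard-coded.
Import-Module ActiveDirectory
$ou = 'OU=London,DC=adatum,DC=com'

# Build a GUID -> name map from the schema (attributes and classes) and from the
# Extended-Rights container (control access rights) so ObjectType becomes readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[Guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[Guid]$_.rightsGuid] = $_.displayName }
$guidMap[[Guid]::Empty] = 'All'

# Explicit (non-inherited) ACEs for the two branch groups. Expected: London Admins shows
# GenericAll applying to All; London Helpdesk shows CreateChild/DeleteChild limited to
# user objects plus GenericAll inherited only to user objects.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like 'ADATUM\London *' -and -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ n = 'AppliesTo';   e = { $guidMap[$_.ObjectType] } },
        @{ n = 'InheritedTo'; e = { $guidMap[$_.InheritedObjectType] } },
        InheritanceType |
    Format-Table -AutoSize -Wrap
```

If GenericAll for London Admins is more than the branch actually needs, the usual replacement is the same Delegation of Control Wizard path used for the helpdesk, limited to the object classes and tasks the branch administrators own.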
Exercise 2: Creating and modifying AD DS objects with Windows PowerShell


 Task 1: Create a user account by using Windows PowerShell
1. Switch to LON-DC1.

2. Right-click the Start button, and then click Windows PowerShell (Admin).

3. Create a user account for Ty Carlson in the London OU by running the following command:

New-ADUser -Name Ty -DisplayName "Ty Carlson" -GivenName Ty -Surname Carlson -Path "ou=London,dc=adatum,dc=com"

4. Set the password for the account by running the following command:

Set-ADAccountPassword Ty

5. When you receive a prompt for the current password, press Enter.

6. When you receive a prompt for the desired password, type Pa55w.rd, and then press Enter.

7. When you receive a prompt to repeat the password, type Pa55w.rd, and then press Enter.

8. To enable the account, run the following command:

Enable-ADAccount Ty

9. Test the account by switching to LON-CL1, and then sign in as Ty with the password Pa55w.rd.

 Task 2: Create a new group by using Windows PowerShell


 On LON-DC1, in the Administrator: Windows PowerShell window, run the following command:

New-ADGroup LondonBranchUsers -Path "ou=London,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security

 Task 3: Add a member to the group by using Windows PowerShell


1. In the Administrator: Windows PowerShell window, run the following command:

Add-ADGroupMember LondonBranchUsers -Members Ty

2. Confirm that the user is in the group by running the following command:

Get-ADGroupMember LondonBranchUsers

 Task 4: Modify the .csv file


1. On the taskbar, click the File Explorer icon.

2. In File Explorer, expand Allfiles (E:), expand Labfiles, and then click Mod02.

3. Right-click LabUsers.ps1, and then click Edit. In Administrator: Windows PowerShell (ISE), read the
comments at the top of the script, and then identify the requirements for the header in the .csv file.

4. In File Explorer, double-click LabUsers.csv.

5. In the How do you want to open this type of file (.csv)? message, click Notepad. Click OK.
6. In Notepad, type the following line at the top of the file:

FirstName,LastName,Department,DefaultPassword

7. Click File, and then click Save.

8. Close Notepad.

 Task 5: Modify the script


1. In the Administrator: Windows PowerShell (ISE) window, under Variables, replace C:\path\file.csv
with E:\Labfiles\Mod02\LabUsers.csv.

2. Under Variables, replace "ou=orgunit,dc=domain,dc=com" with


"ou=London,dc=adatum,dc=com".

3. Click File, and then click Save. Scroll down, and then review the contents of the script.

4. Close the Administrator: Windows PowerShell (ISE) window.

 Task 6: Run the script


1. Switch to the Administrator: Windows PowerShell window.

2. At the prompt, type cd E:\Labfiles\Mod02, and then press Enter.

3. Type .\LabUsers.ps1, and then press Enter.


4. To view the users just created, type the following command, and then press Enter:

Get-ADUser -Filter * -SearchBase "ou=London,dc=adatum,dc=com"
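The LabUsers.ps1 script is not reproduced on the page, but the CSV header it requires includes a DefaultPassword column, which means a plaintext password for every account sits in a file that will end up in shares and backups. Added example (not the lab's script) that reads the same header, ignores that column, and creates each user with a random one-time password and a forced change at first logon. The CSV rows are constructed sample data; the OU DN and file path are the lab's.

```powershell
# Added example (not the lab's LabUsers.ps1): bulk-create users from the lab's CSV header.
# DefaultPassword is deliberately ignored; each account gets a random one-time password.
Import-Module ActiveDirectory
$ouPath  = 'OU=London,DC=adatum,DC=com'
$csvPath = 'E:\Labfiles\Mod02\LabUsers.csv'

# Constructed sample rows in the lab's header format (written only if the file is absent).
if (-not (Test-Path $csvPath)) {
@'
FirstName,LastName,Department,DefaultPassword
Ana,Bowman,Sales,Pa55w.rd
Ebru,Ersan,Research,Pa55w.rd
'@ | Set-Content -Path $csvPath
}

function New-RandomPassword {
    # 16 characters from a 64-symbol alphabet drawn from a CSPRNG; because the alphabet
    # has exactly 64 entries, byte % 64 introduces no modulo bias. Ambiguous glyphs
    # (I, l, O, 0, 1) are left out because the value is read out to the user once.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*?'
    $bytes = [byte[]]::new(16)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$created = foreach ($row in Import-Csv -Path $csvPath) {
    $sam = ('{0}{1}' -f $row.FirstName.Substring(0, 1), $row.LastName).ToLower()
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") { Write-Warning "$sam exists, skipped"; continue }
    $pw = New-RandomPassword
    New-ADUser -Name "$($row.FirstName) $($row.LastName)" -SamAccountName $sam `
        -UserPrincipalName "$sam@adatum.com" -GivenName $row.FirstName -Surname $row.LastName `
        -Department $row.Department -Path $ouPath `
        -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true
    # Hand the initial password to the person out of band; it is valid for one logon only.
    [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $pw }
}
$created | Format-Table
Get-ADUser -Filter * -SearchBase $ouPath | Select-Object Name, SamAccountName, Enabled
```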



 Task 7: Prepare for the next module


When you are finished with the lab, revert all VMs to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-LON-SVR1, and 20742B-LON-CL1.

Results: After completing this lab, you will have:

 Created a user account by using Windows PowerShell.

 Created a group by using Windows PowerShell.

 Added a user to a group by using Windows PowerShell.


 Modified the .csv file.

 Modified the script.

 Run the script.



Module 3: Advanced AD DS infrastructure management


Lab: Domain and trust management in
AD DS
Exercise 1: Implementing forest trusts
 Task 1: Configure stub zones for DNS name resolution
1. On LON-DC1, in Server Manager, click the Tools menu, and then in the drop-down menu, click DNS.

2. In the DNS tree pane, expand LON-DC1, right-click Forward Lookup Zones, and then click
New Zone.

3. In the New Zone Wizard, click Next.

4. On the Zone Type page, click Stub zone, and then click Next.
5. On the Active Directory Zone Replication Scope page, click To all DNS servers running on domain
controllers in this forest: adatum.com, and then click Next.

6. In the Zone name text box, type treyresearch.net, and then click Next.
7. On the Master DNS Servers page, click <Click here to add an IP Address or DNS Name>, type
172.16.10.10, click the free space, and then click Next.

8. On the Completing the New Zone Wizard page, click Next, and then click Finish.

9. Expand Forward Lookup Zones, right-click the new stub zone treyresearch.net, and then
click Transfer from Master.

10. Right-click treyresearch.net, and then click Refresh.

11. Confirm that the treyresearch.net stub zone contains records, and then close DNS Manager.

12. Switch to TREY-DC1.

13. In Server Manager, click the Tools menu, and then in the drop-down menu, click DNS.
14. In the tree pane, expand TREY-DC1, click and right-click Forward Lookup Zones, and then click New
Zone.

15. In the New Zone Wizard, click Next.

16. On the Zone Type page, click Stub zone, and then click Next.

17. On the Active Directory Zone Replication Scope page, click To all DNS servers running on domain
controllers in this forest: Treyresearch.net, and then click Next.
18. In the Zone name text box, type adatum.com, and then click Next.

19. On the Master DNS Servers page, click <Click here to add an IP Address or DNS Name>, type
172.16.0.10, click the free space, and then click Next.

20. On the Completing the New Zone Wizard page, click Next, and then click Finish.

21. Expand Forward Lookup Zones, click and right-click the new stub zone adatum.com, and then click
Transfer from Master.

22. Right-click adatum.com, and then click Refresh.

23. Confirm that the adatum.com stub zone contains records.

24. Close DNS Manager.



 Task 2: Configure a forest trust with selective authentication


1. On LON-DC1, on the Tools menu, click Active Directory Domains and Trusts.

2. In the Active Directory Domains and Trusts management console, right-click Adatum.com, and
then click Properties.

3. In the Adatum.com Properties dialog box, click the Trusts tab, and then click New Trust.

4. On the New Trust Wizard page, click Next.


5. On the Trust Name page, in the Name text box, type treyresearch.net, and then click Next.

6. On the Trust Type page, click Forest trust, and then click Next.

7. On the Direction of Trust page, click One-way: outgoing, and then click Next.

8. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.

9. On the User Name and Password page, type Administrator as the user name and Pa55w.rd as the
password in the appropriate boxes, and then click Next.
10. On the Outgoing Trust Authentication Level-Local Forest page, click Selective authentication,
and then click Next.

11. On the Trust Selections Complete page, click Next.


12. On the Trust Creation Complete page, click Next.

13. On the Confirm Outgoing Trust page, click Next.

14. On the Completing the New Trust Wizard page, click Finish.

15. In the Adatum.com Properties dialog box, click the Trusts tab.

16. On the Trusts tab, under Domains trusted by this domain (outgoing trusts), click
treyresearch.net, and then click Properties.
17. In the treyresearch.net Properties dialog box, click Validate.

18. Review the “The trust has been validated. It is in place and active” message that displays, click OK, and
then at the prompt, click No.
19. In the treyresearch.net Properties dialog box, click OK, and then click OK in the Adatum.com
Properties dialog box.

20. Close Active Directory Domains and Trusts.

 Task 3: Configure a server for selective authentication


1. On LON-DC1, in Server Manager, on the Tools menu, click Active Directory Users and Computers.

2. In the Active Directory Users and Computers console, on the View menu, click Advanced Features.

3. Expand Adatum.com, and then click Computers.


4. Right-click LON-SVR2, and then click Properties.

5. In the LON-SVR2 Properties dialog box, click the Security tab, and then click Add.

6. On the Select Users, Computers, Service Accounts, or Groups page, click Locations.

7. Click treyresearch.net, and then click OK.

8. In the Enter the object name to select (examples:) text box, type IT, and then click Check Names.
When prompted for credentials, type TreyResearch\Administrator with the password Pa55w.rd, and
then click OK.

9. On the Select Users, Computers, Service Accounts, or Groups page, click OK.

10. In the LON-SVR2 Properties window, ensure that IT (TreyResearch\IT) is highlighted, select the
Allow check box that is in line with Allowed to authenticate, and then click OK.

11. Switch to LON-SVR2.

12. On the taskbar, click the File Explorer icon.


13. In the File Explorer window, expand This PC, and then click Local Disk (C:).

14. Right-click in the details pane, click New, and then click Folder.

15. In the Name text box, type IT-Data, and then press Enter.

16. Right-click IT-Data, and then click Properties.

17. In the IT-Data Properties dialog box, click the Sharing tab, and then click Advanced Sharing.

18. In the Advanced Sharing dialog box, click Share this folder, and then click Permissions.
19. In the Permissions for IT-Data dialog box, click Add.

20. On the Select Users, Computers, Service Accounts, or Groups page, click Locations.

21. Click treyresearch.net, and then click OK.

22. In the Enter the object name to select (examples:) text box, type IT, and then click Check Names.
When prompted for credentials, type TreyResearch\Administrator with the password Pa55w.rd, and
then click OK.

23. On the Select Users, Computers, Service Accounts, or Groups page, click OK.

24. In the Permissions for IT-Data dialog box, click OK.

25. In the Advanced Sharing dialog box, click OK.

26. Sign out of TREY-DC1.

27. Sign in to TREY-DC1 as TreyResearch\Alice with the password Pa55w.rd.

28. Click Start, and then click Search.

29. In the Search text box, type \\LON-SVR2.adatum.com\IT-Data, and then press Enter. The folder
opens.

Results: After completing this exercise, you should have successfully implemented forest trusts.
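The same three tasks scripted with Windows PowerShell, as an added example that is not part of the lab handbook: the stub zone, the one-way outgoing forest trust with selective authentication, and the Allowed to authenticate grant that limits TreyResearch\IT to LON-SVR2. It assumes the lab's names and addresses (treyresearch.net, 172.16.10.10, LON-SVR2, the IT group), runs on LON-DC1 as Adatum\Administrator, and uses PowerShell remoting for the share that the lab creates interactively on LON-SVR2.

```powershell
# Added example (not from the lab handbook): scripted equivalent of Exercise 1, Tasks 1-3.
# Run on LON-DC1 as Adatum\Administrator. Names and addresses below are the lab's.
Import-Module ActiveDirectory
Import-Module DnsServer
Add-Type -AssemblyName System.DirectoryServices

$trustedForest  = 'treyresearch.net'   # forest whose accounts will get access to Adatum resources
$trustedMasters = '172.16.10.10'       # TREY-DC1, authoritative DNS for treyresearch.net
$trustedCred    = Get-Credential -UserName 'TreyResearch\Administrator' -Message 'Trusted forest admin'
$resourceServer = 'LON-SVR2'           # the only Adatum server TreyResearch\IT may authenticate to
$trustedGroup   = 'IT'                 # group in treyresearch.net

# --- Task 1: stub zone so LON-DC1 can locate treyresearch.net domain controllers ---
if (-not (Get-DnsServerZone -Name $trustedForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $trustedForest -MasterServers $trustedMasters -ReplicationScope Forest
}
Start-DnsServerZoneTransfer -Name $trustedForest -FullTransfer      # same as "Transfer from Master"
# The DC locator record must resolve before the trust can be created or validated.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$trustedForest" -Type SRV | Format-Table Name, NameTarget, Port

# --- Task 2: one-way outgoing forest trust, both sides created, selective authentication on ---
$localForest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ctx = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $trustedForest, $trustedCred.UserName, $trustedCred.GetNetworkCredential().Password)
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
# Outbound = "Domains trusted by this domain": Adatum trusts TreyResearch, not the reverse.
$localForest.CreateTrustRelationship($remoteForest, [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound)
# Selective authentication: trusted-forest accounts can authenticate only to Adatum computers
# that explicitly grant them the Allowed-To-Authenticate right (forest-wide access is the default otherwise).
$localForest.SetSelectiveAuthenticationStatus($remoteForest, $true)
$localForest.VerifyOutboundTrustRelationship($trustedForest)       # same as clicking Validate
Get-ADTrust -Filter "Name -eq '$trustedForest'" |
    Format-List Name, Direction, ForestTransitive, SelectiveAuthentication

# --- Task 3: grant TreyResearch\IT the Allowed-To-Authenticate right on LON-SVR2 only ---
$rootDse   = Get-ADRootDSE
$rightGuid = [guid](Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(name=Allowed-To-Authenticate))' `
    -Properties rightsGuid).rightsGuid          # looked up in the schema rather than hard-coded
$groupSid   = (Get-ADGroup -Identity $trustedGroup -Server $trustedForest -Credential $trustedCred).SID
$computerDn = (Get-ADComputer -Identity $resourceServer).DistinguishedName
$acl = Get-Acl -Path "AD:\$computerDn"
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$computerDn" -AclObject $acl
# Audit view: which principals from the trusted forest may authenticate to this server?
(Get-Acl -Path "AD:\$computerDn").Access |
    Where-Object { $_.ObjectType -eq $rightGuid } |
    Format-Table IdentityReference, AccessControlType

# --- Share on LON-SVR2 (the lab does this interactively); assumes PowerShell remoting is enabled ---
Invoke-Command -ComputerName $resourceServer -ScriptBlock {
    New-Item -Path 'C:\IT-Data' -ItemType Directory -Force | Out-Null
    New-SmbShare -Name 'IT-Data' -Path 'C:\IT-Data' -ReadAccess 'TreyResearch\IT'   # Read is the wizard's default
}
```

Without the Task 3 grant, a TreyResearch user opening \\LON-SVR2.adatum.com\IT-Data gets a logon failure even though the trust validates, which is the behaviour selective authentication is meant to produce.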

Exercise 2: Implementing child domains in AD DS


 Task 1: Install a domain controller in a child domain
1. On TOR-DC1, click Start, and then click Server Manager. In Server Manager, click Manage, and then
in the drop-down list, click Add Roles and Features.

2. On the Before you begin page, click Next.

3. On the Select installation type page, confirm that the Role-based or feature-based installation
option is selected, and then click Next.

4. On the Select destination server page, ensure that the Select a server from the server pool option
is selected and that TOR-DC1.adatum.com is highlighted, and then click Next.

5. On the Select server roles page, click Active Directory Domain Services.

6. On the Add features that are required for Active Directory Domain Services? page, click Add
Features.

7. On the Select server roles page, click Next.

8. On the Select features page, click Next.


9. On the Active Directory Domain Services page, click Next.

10. On the Confirm installation selections page, click Install. This might take a few minutes to complete.

11. When the Active Directory Domain Services (AD DS) binaries have installed, click the blue Promote
this server to a domain controller link.

12. In the Deployment Configuration window, click Add a new domain to an existing forest.

13. Verify that Select domain type is set to Child Domain and that Parent domain name is set to
Adatum.com.

14. In the New domain name text box, type na.

15. Confirm that Supply the credentials to perform this operation is set to ADATUM\Administrator
(Current user), and then click Next.

Note: If the credentials are not set to Adatum\Administrator, use the Change button to
enter the credentials Adatum\Administrator with the password Pa55w.rd.

16. In the Domain Controller Options window, ensure that Domain functional level is set to Windows
Server 2016.

17. Ensure that both the Domain Name System (DNS) server and Global Catalog (GC) check boxes are
selected.

18. Confirm that Site name: is set to Default-First-Site-Name.

19. Under Type the Directory Services Restore Mode (DSRM) password, type Pa55w.rd in both text
boxes, and then click Next.

20. On the DNS Options page, click Next.

21. On the Additional Options page, click Next.


22. On the Paths page, click Next.

23. On the Review Options page, click Next.

24. On the Prerequisites Check page, confirm that there are no issues, and then click Install.

Note: If you receive a “Windows Server 2016 domain controllers have a default for the
security setting named ‘Allow cryptography algorithms compatible with Windows NT 4.0’”
warning, you may safely ignore it.

After the configuration completes, the server restarts automatically.



 Task 2: Verify the default trust configuration


1. Sign in to TOR-DC1 as NA\Administrator with the password Pa55w.rd.

2. Click Start, click Server Manager, and then in Server Manager, click Local Server.

3. Verify that Windows Firewall shows Domain: Off. If it does not, perform the following steps:

a. Click the underlined blue text next to Windows Firewall. In the Windows Firewall window, click
Turn Windows Firewall on or off.
b. Under each section, select Turn off Windows Firewall (not recommended), and then click OK.
Ignore any warning prompts that appear regarding Windows Firewall.

c. In Server Manager, click the Refresh "Local Server" icon, indicated by double arrows.
d. After the refresh completes, verify that Windows Firewall shows Public: Off.

4. In Server Manager, on the Tools menu, click Active Directory Domains and Trusts.

5. In the Active Directory Domains and Trusts console, expand Adatum.com, right-click
na.adatum.com, and then click Properties.

6. In the na.adatum.com Properties dialog box, click the Trusts tab, in the Domains trusted by this
domain (outgoing trusts) text box, click Adatum.com, and then click Properties.

7. In the Adatum.com Properties dialog box, click Validate, and then click Yes, validate the incoming
trust.

8. In the User name text box, type administrator, in the Password text box, type Pa55w.rd, and then
click OK.

9. When the “The trust has been validated. It is in place and active” message appears, click OK.

Note: If you receive a message that the trust cannot be validated or that the secure channel
verification has failed, ensure that you have completed step 3, and then wait for at least 10–15
minutes before trying again.

10. Click OK twice to close the Adatum.com Properties dialog box.

Results: After completing this exercise, you should have successfully implemented child domains in AD DS.
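Exercise 2 as Windows PowerShell, an added example that is not part of the lab handbook. It runs on TOR-DC1, assumes the lab's names (parent adatum.com, child na, site Default-First-Site-Name), and runs the same prerequisite check the wizard shows before promoting; the trust verification at the end is what Task 2 does in the GUI.

```powershell
# Added example (not from the lab handbook): Exercise 2, Tasks 1-2 scripted, run on TOR-DC1.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$parentCred = Get-Credential -UserName 'ADATUM\Administrator' -Message 'Parent domain admin'
$dsrmPwd    = Read-Host -AsSecureString -Prompt 'DSRM password'    # lab value: Pa55w.rd

$promo = @{
    Credential                    = $parentCred
    NewDomainName                 = 'na'
    ParentDomainName              = 'adatum.com'
    DomainType                    = 'ChildDomain'
    DomainMode                    = 'WinThreshold'      # Windows Server 2016 domain functional level
    InstallDns                    = $true               # DNS server check box
    CreateDnsDelegation           = $true               # delegation for na.adatum.com in the parent zone
    SiteName                      = 'Default-First-Site-Name'
    SafeModeAdministratorPassword = $dsrmPwd
    Force                         = $true
}
# Same checks as the wizard's Prerequisites Check page; stop before promotion if anything fails.
$check = Test-ADDSDomainInstallation @promo
if ($check.Status -ne 'Success') { $check.Message; throw 'Prerequisite check failed' }
# Global catalog is on by default (no -NoGlobalCatalog). The server restarts when this completes.
Install-ADDSDomain @promo

# --- After the restart, signed in as NA\Administrator: verify the automatic parent-child trust ---
Import-Module ActiveDirectory
Get-ADTrust -Filter * -Server 'na.adatum.com' |
    Format-Table Name, Direction, IntraForest, TrustType, ForestTransitive
# Secure-channel check with the parent (the GUI's Validate); fails until replication and the
# firewall state in Task 2 step 3 are in order, so retry after a few minutes if it does.
netdom trust na.adatum.com /domain:adatum.com /verify /kerberos
```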

 Task 3: Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-TOR-DC1, 20742B-TREY-DC1, and 20742B-LON-SVR2.



Module 4: Implementing and administering AD DS sites and replication

Lab: Implementing AD DS sites and replication
Exercise 1: Modifying the default site
 Task 1: Install the Toronto domain controller
1. On TOR-DC1, click Start, and then click Server Manager.

2. In Server Manager, click Manage, and then from the drop-down list, click Add Roles and Features.

3. On the Before you begin page, click Next.

4. On the Select installation type page, confirm that Role-based or feature-based installation is
selected, and then click Next.

5. On the Select destination server page, ensure that Select a server from the server pool is selected
and that TOR-DC1.adatum.com is highlighted, and then click Next.
6. On the Select server roles page, select the Active Directory Domain Services check box.

7. On the Add features that are required for Active Directory Domain Services? page, click Add
Features, and then click Next.
8. On the Select features page, click Next.

9. On the Active Directory Domain Services page, click Next.

10. On the Confirm installation selections page, click Install.

Note: This might take a few minutes to complete.

11. When the AD DS binaries have installed, do not click Close, but click the blue Promote this server to a
domain controller link.

12. In the Deployment Configuration window, click Add a domain controller to an existing domain,
and then click Next.

13. In the Domain Controller Options window, ensure that both the Domain Name System (DNS)
server and Global Catalog (GC) check boxes are selected.

14. Confirm that Site name: is set to Default-First-Site-Name, and then under Type the Directory
Services Restore Mode (DSRM) password, type Pa55w.rd in both the Password and Confirm
password boxes. Click Next.

15. On the DNS Options page, click Next.


16. In the Additional Options page, click Next.

17. In the Paths window, click Next.

18. In the Review Options window, click Next.


19. In the Prerequisites Check window, click Install. The server will restart automatically.

20. After TOR-DC1 restarts, sign in as Adatum\Administrator with the password Pa55w.rd.

 Task 2: Rename the default site


1. If necessary, on LON-DC1, open the Server Manager console.

2. In Server Manager, click Tools, and then click Active Directory Sites and Services.

3. In Active Directory Sites and Services, in the navigation pane, expand Sites.

4. Right-click Default-First-Site-Name, and then click Rename.

5. Type LondonHQ, and then press Enter.

6. Expand LondonHQ, expand the Servers folder, and then verify that both LON-DC1 and TOR-DC1
belong to the LondonHQ site.

 Task 3: Configure IP subnets that are associated with the default site
1. If necessary, on LON-DC1, open the Server Manager console, and then open Active Directory Sites
and Services.

2. In the Active Directory Sites and Services console, in the navigation pane, expand Sites, and then
click the Subnets folder.

3. Right-click Subnets, and then click New Subnet.

4. In the New Object – Subnet dialog box, under Prefix, type 172.16.0.0/24.

5. Under Select a site object for this prefix, click LondonHQ, and then click OK.

Results: After completing this exercise, you should have successfully reconfigured the default site and
assigned IP address subnets to the site.

Exercise 2: Creating additional sites and subnets


 Task 1: Create the AD DS sites for Toronto
1. If necessary, on LON-DC1, open the Server Manager console, click Tools, and then click Active
Directory Sites and Services.

2. In the Active Directory Sites and Services console, in the navigation pane, right-click Sites, and then
click New Site.

3. In the New Object – Site dialog box, in the Name text box, type Toronto.

4. Under Select a site link object for this site, select DEFAULTIPSITELINK, and then click OK.

5. In the Active Directory Domain Services dialog box, click OK. The Toronto site displays in the
navigation pane.
6. In the Active Directory Sites and Services console, in the navigation pane, right-click Sites, and then
click New Site.

7. In the New Object – Site dialog box, in the Name text box, type TestSite.
8. Under Select a site link object for this site, select DEFAULTIPSITELINK, and then click OK. The test
site displays in the navigation pane.

 Task 2: Create IP subnets that are associated with the Toronto sites
1. If necessary, on LON-DC1, open the Server Manager console, click Tools, and then click Active
Directory Sites and Services.

2. In the Active Directory Sites and Services console, in the navigation pane, expand Sites, and then
click the Subnets folder.

3. Right-click Subnets, and then click New Subnet.

4. In the New Object – Subnet dialog box, under Prefix, type 172.16.1.0/24.

5. Under Select a site object for this prefix, click Toronto, and then click OK.

6. Right-click Subnets, and then click New Subnet.


7. In the New Object – Subnet dialog box, under Prefix, type 172.16.100.0/24.

8. Under Select a site object for this prefix, click TestSite, and then click OK.

9. In the navigation pane, click the Subnets folder. Verify in the details pane that the two subnets are
created and associated with their appropriate site.

Note: There are three subnets in total (172.16.0.0 was created in Exercise 1, Task 3,
“Configure IP subnets that are associated with the default site”).

Results: After completing this exercise, you should have successfully created two additional sites
representing the IP subnet addresses in Toronto.

Exercise 3: Configuring AD DS replication


 Task 1: Configure site links between AD DS sites
1. If necessary, on LON-DC1, open the Server Manager console, click Tools, and then click Active
Directory Sites and Services.

2. In the Active Directory Sites and Services console, in the navigation pane, expand Sites, expand
Inter-Site Transports, and then click the IP folder.

3. Right-click IP, and then click New Site Link.

4. In the New Object – Site Link dialog box, in the Name text box, type TOR-TEST.

5. Under Sites not in this site link, press Ctrl on the keyboard, click Toronto, click TestSite, click Add,
and then click OK.

6. Right-click TOR-TEST, and then click Properties.

7. In the TOR-TEST Properties dialog box, click Change Schedule.

8. In the Schedule for TOR-TEST dialog box, highlight the range from Monday 9 AM to Friday 3 PM, as
follows:

o Click the Monday at 9:00AM tile, press and hold the mouse button, and then drag the cursor to
the Friday at 3:00 PM tile.
9. Click Replication Not Available, and then click OK.

10. Click OK to close TOR-TEST Properties.



11. Right-click DEFAULTIPSITELINK, and then click Rename.

12. Type LON-TOR, and then press Enter.

13. Right-click LON-TOR, and then click Properties.

14. Under Sites in this site link, click TestSite, and then click Remove.

15. In the Replicate Every spin box, change the value to 60 minutes, and then click OK.

 Task 2: Move TOR-DC1 to the Toronto site


1. If necessary, on LON-DC1, click Tools, and then click Active Directory Sites and Services.

2. In the Active Directory Sites and Services console, in the navigation pane, expand Sites, expand
LondonHQ, and then expand the Servers folder.

3. Right-click TOR-DC1, and then click Move.

4. In the Move Server dialog box, click Toronto, and then click OK.

5. In the navigation pane, expand the Toronto site, expand Servers, and then click TOR-DC1.

 Task 3: Monitor AD DS site replication


1. On LON-DC1, click Start, and then click the Windows PowerShell icon.

2. At the Windows PowerShell prompt, type the following, and then press Enter:

Repadmin /kcc

This command recalculates the inbound replication topology for the server.
3. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Repadmin /showrepl

4. Verify that the last replication with TOR-DC1 was successful.

5. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Repadmin /bridgeheads

This command displays the bridgehead servers for the site topology.

6. At the Windows PowerShell command prompt, type the following, and then press Enter:

Repadmin /replsummary

This command displays a summary of replication tasks. Verify that no errors appear.

7. At the Windows PowerShell command prompt, type the following, and then press Enter:

DCDiag /test:replications

8. Verify that all connectivity and replication tests pass successfully.

9. Switch to TOR-DC1, and then repeat steps 1 through 8 to view information from TOR-DC1. For step 4,
verify that the last replication with LON-DC1 was successful.

Results: After completing this exercise, you should have successfully configured site links and monitored
replication.
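The site topology built in Exercises 1 to 3 (the site rename, the three subnets, the TOR-TEST link with its blackout schedule, the renamed LON-TOR link, and the move of TOR-DC1) as one Windows PowerShell script, an added example that is not part of the lab handbook. It runs on LON-DC1, assumes TOR-DC1 has already been promoted, and uses the lab's names and prefixes throughout.

```powershell
# Added example (not from the lab handbook): Exercises 1-3 of this lab scripted, run on LON-DC1.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Exercise 1: rename the default site and attach the London subnet
Get-ADReplicationSite -Identity 'Default-First-Site-Name' | Rename-ADObject -NewName 'LondonHQ'
New-ADReplicationSubnet -Name '172.16.0.0/24' -Site 'LondonHQ'

# Exercise 2: additional sites and their subnets (a client in 172.16.100.0/24 will now pick a TestSite DC)
foreach ($site in 'Toronto', 'TestSite') { New-ADReplicationSite -Name $site }
New-ADReplicationSubnet -Name '172.16.1.0/24'   -Site 'Toronto'
New-ADReplicationSubnet -Name '172.16.100.0/24' -Site 'TestSite'

# Exercise 3, Task 1: site links. New-ADReplicationSite does not add a site to any link (the GUI does),
# so Toronto is added to the default link explicitly; TestSite is reachable only through TOR-TEST.
New-ADReplicationSiteLink -Name 'TOR-TEST' -SitesIncluded 'Toronto', 'TestSite' -InterSiteTransportProtocol IP
Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' | Rename-ADObject -NewName 'LON-TOR'
Set-ADReplicationSiteLink -Identity 'LON-TOR' -SitesIncluded @{ Add = 'Toronto' } -ReplicationFrequencyInMinutes 60

# TOR-TEST schedule: replication unavailable from Monday 09:00 through the Friday 15:00 hour
# (the block the lab drags across in the GUI), available at all other times.
$schedule = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule]::new()
$schedule.SetDailySchedule('Zero', 'Zero', 'TwentyThree', 'FortyFive')   # start from "always available"
$raw = $schedule.RawSchedule            # bool[day 0-6 (Sunday=0), hour 0-23, 15-minute slot 0-3]
foreach ($day in 1..5) {                # Monday = 1 ... Friday = 5
    foreach ($hour in 0..23) {
        $blocked = ($day -gt 1 -and $day -lt 5) -or
                   ($day -eq 1 -and $hour -ge 9) -or
                   ($day -eq 5 -and $hour -le 15)
        if ($blocked) { foreach ($slot in 0..3) { $raw[$day, $hour, $slot] = $false } }
    }
}
$schedule.RawSchedule = $raw
Set-ADReplicationSiteLink -Identity 'TOR-TEST' -ReplicationSchedule $schedule

# Exercise 3, Task 2: move TOR-DC1 into its site
Move-ADDirectoryServer -Identity 'TOR-DC1' -Site 'Toronto'

# Verify the objects, then ask the KCC on both DCs to recompute the topology (lab Task 3, step 2)
Get-ADReplicationSubnet -Filter * | Format-Table Name, Site
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes |
    Format-Table Name, SitesIncluded, ReplicationFrequencyInMinutes
(Get-ADDomainController -Identity 'TOR-DC1').Site
repadmin /kcc LON-DC1 TOR-DC1
```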

Exercise 4: Monitoring and troubleshooting AD DS replication


 Task 1: Produce an error
1. If necessary, on LON-DC1, open Server Manager.

2. In Server Manager, click Tools, and then click Active Directory Sites and Services.

3. In the Active Directory Sites and Services console, in the navigation pane, expand Sites, expand
LondonHQ, expand the Servers folder, expand LON-DC1, and then select NTDS Settings.

4. In the details pane, right-click the TOR-DC1 connection object, and then click Replicate Now.

5. In the Replicate Now dialog box, click OK.


6. In Active Directory Sites and Services, examine all the objects you created earlier, and then on the
taskbar, click the Windows PowerShell icon.

7. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-ADReplicationUpToDatenessVectorTable -Target "adatum.com"

Note: This cmdlet will show you the last several replication events. Make a note of the date
and time of the last (top) event.

8. Go to TOR-DC1.

9. Click Start, and then click Windows PowerShell.

10. At the Windows PowerShell command prompt, type the following, and then press Enter after each
command:

CD \Labfiles\Mod04
.\Mod04Ex4.ps1

 Task 2: Monitor AD DS site replication


1. If necessary, on TOR-DC1, open the Server Manager console, click Tools, and then click Active
Directory Sites and Services.

2. In the Active Directory Sites and Services console, in the navigation pane, expand Sites, expand
Toronto, expand Servers, expand TOR-DC1, and then select NTDS Settings.

3. In the details pane, right-click LON-DC1, and then select Replicate Now.

4. Click OK on the Replicate Now pop-up.

5. On TOR-DC1, on the taskbar, click the Windows PowerShell icon.

6. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-ADReplicationUpToDatenessVectorTable -Target "adatum.com"

Note: This cmdlet will show you the last several replication events. Note that the last date
and time shown (Replication from LON-DC1) is not updating. This indicates that one-way
replication is not occurring.

7. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-ADReplicationSubnet -Filter *

Note: This cmdlet will show detailed information about any subnets assigned to any sites.
Note that nothing is returned.

8. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-ADReplicationSiteLink -Filter *

Note: This cmdlet will show detailed information about any site links assigned to particular
sites. Note that nothing is returned.

 Task 3: Troubleshoot AD DS replication


1. If necessary, on TOR-DC1, open Windows PowerShell.

2. At the Windows PowerShell command prompt, type the following, and then press Enter:

Ipconfig /all

3. Examine the results. The DNS server address currently shows 10.0.0.1.


4. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-DnsClient | Set-DnsClientServerAddress -ServerAddresses ("172.16.0.10","172.16.0.25")

5. Run the Ipconfig /all command again. The DNS server addresses should be 172.16.0.10 and
172.16.0.25.

6. If necessary, on TOR-DC1, open the Server Manager console, click Tools, and then click Active
Directory Sites and Services.

7. In the Active Directory Sites and Services console, in the navigation pane, expand Sites, expand
Toronto, expand Servers, expand TOR-DC1, and then select NTDS Settings.

8. In the details pane, right-click LON-DC1, and then select Replicate Now.

9. In the Replicate Now window, click OK.

10. In Active Directory Sites and Services, examine all objects that you created earlier. Are any missing?

11. On TOR-DC1, open File Explorer. Browse to C:\Labfiles\Mod04.


12. Right-click the Mod04EX4Fix.ps1 file, and then select Run with PowerShell. Type Y when prompted
about execution policy, and then press Enter.

13. In Active Directory Sites and Services, examine all the objects that you created earlier. Ensure that
the site link has been created in the Inter-Site Transports node, and subnets have been created in the
Subnets node.

14. On LON-DC1 and TOR-DC1, close all open windows, and then sign out of both virtual machines.

Results: After completing this exercise, you should have successfully diagnosed and resolved replication
issues.
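A replication health check that reports the two faults this exercise stages on TOR-DC1 (a DNS client pointed away from the domain's domain controllers, and missing subnet and site-link objects) together with the per-partner state that repadmin /showrepl displays, as an added example that is not part of the lab handbook. The function name and its output shape are this example's own; the domain name is the lab's, and it is meant to run on the domain controller under test.

```powershell
# Added example (not from the lab handbook): health check for the faults staged in Exercise 4.
Import-Module ActiveDirectory

function Test-DcReplicationHealth {
    param([string]$Domain = 'adatum.com', [string]$Server = $env:COMPUTERNAME)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The DNS client must point at servers that hold the domain's SRV records (the lab's DCs).
    try   { $dcAddresses = @((Get-ADDomainController -Filter * -Server $Server).IPv4Address) }
    catch { $dcAddresses = @(); $findings.Add("Cannot enumerate domain controllers: $_") }
    $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
    foreach ($srv in $dnsServers) {
        if ($srv -notin $dcAddresses) { $findings.Add("DNS client uses $srv, which is not a DC of $Domain") }
    }
    # 2. The DC locator record must resolve, or partners are never found.
    if (-not (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue)) {
        $findings.Add("_ldap._tcp.dc._msdcs.$Domain does not resolve")
    }

    # 3. Topology objects the KCC needs (Exercise 4 removes them; nothing returned is the symptom).
    if (-not (Get-ADReplicationSubnet  -Filter * -Server $Server)) { $findings.Add('No subnets defined') }
    if (-not (Get-ADReplicationSiteLink -Filter * -Server $Server)) { $findings.Add('No site links defined') }

    # 4. Inbound replication state per partner; a stale LastReplicationSuccess with no failures is the
    #    one-way-replication case the lab shows with Get-ADReplicationUpToDatenessVectorTable.
    $stale = (Get-Date).AddHours(-1)
    foreach ($p in Get-ADReplicationPartnerMetadata -Target $Server) {
        $partner = ($p.Partner -split ',')[1] -replace '^CN='      # CN=NTDS Settings,CN=<DC>,... -> <DC>
        if ($p.ConsecutiveReplicationFailures -gt 0 -or $p.LastReplicationResult -ne 0) {
            $findings.Add("Replication from $partner failing: result $($p.LastReplicationResult), " +
                          "$($p.ConsecutiveReplicationFailures) consecutive failures")
        } elseif ($p.LastReplicationSuccess -lt $stale) {
            $findings.Add("Replication from $partner last succeeded $($p.LastReplicationSuccess)")
        }
    }
    foreach ($f in Get-ADReplicationFailure -Target $Server) {
        $findings.Add("Failure with $($f.Partner): $($f.FailureType), count $($f.FailureCount)")
    }

    [pscustomobject]@{
        Server   = $Server
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

Test-DcReplicationHealth | Format-List
```

Run it before and after the two fixes in Task 3 (Set-DnsClientServerAddress and Mod04EX4Fix.ps1); the findings list should empty out once replication has been forced again.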

 Task 4: Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following
steps:

1. On the host computer, start Hyper-V Manager.

2. On the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-TOR-DC1.



Module 5: Implementing Group Policy

Lab A: Implementing a Group Policy infrastructure
Exercise 1: Creating and configuring GPOs
 Task 1: Create and edit a GPO
1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.

2. If necessary, switch to the Group Policy Management window.

3. In Group Policy Management Console, in the navigation pane, expand Forest: Adatum.com,
Domains, and Adatum.com, and then click the Group Policy Objects container.

4. In the navigation pane, right-click the Group Policy Objects container, and then click New.
5. In the Name text box, type ADATUM Standards, and then click OK.

6. In the details pane, right-click the ADATUM Standards Group Policy Object (GPO), and then click Edit.

7. In the Group Policy Management Editor window, in the navigation pane, expand User
Configuration, expand Policies, expand Administrative Templates, and then click System.

8. Double-click the Prevent access to registry editing tools policy setting.

9. In the Prevent access to registry editing tools dialog box, click Enabled, and then click OK.
10. In the navigation pane, expand User Configuration, expand Policies, expand Administrative
Templates, expand Control Panel, and then click Personalization.

11. In the details pane, double-click the Screen saver timeout policy setting.
12. In the Screen saver timeout dialog box, click Enabled, in the Seconds text box, type 600, and then
click OK.

13. Double-click the Password protect the screen saver policy setting.
14. In the Password protect the screen saver dialog box, click Enabled, and then click OK.

15. Close the Group Policy Management Editor window.

 Task 2: Link the GPO


1. In the Group Policy Management window, in the navigation pane, right-click the Adatum.com
domain, and then click Link an Existing GPO.

2. In the Select GPO dialog box, click ADATUM Standards, and then click OK.

 Task 3: View the effects of the GPO’s settings


1. Switch to LON-CL1, and then sign in as Adatum\Administrator with the password Pa55w.rd.

2. Right-click Start, and then click Control Panel.

3. Click System and Security, and then click Allow an app through Windows Firewall.

4. In the Allowed apps and features list, select the following check boxes, and then click OK:

o Remote Event Log Management

o Windows Management Instrumentation (WMI)

5. Sign out, and then sign in as Adatum\Connie with the password Pa55w.rd.

6. Click Start, type screen saver, and then click Change screen saver. (It may take a few minutes for the
option to appear.)

7. In the Screen Saver Settings dialog box, notice that the Wait option is dimmed—you cannot change
the time-out. Notice that the On resume, display logon screen option is selected and dimmed and
that you cannot change the settings. If the On resume, display logon screen option is not selected
and dimmed, then perform the following steps:

a. Right-click Start, and then click Run.

b. In the Run dialog box, in the Open text box, type gpupdate /force, and then click OK.

c. Click Start, type screen saver, and then click Change screen saver.

d. Click OK.

e. Right-click Start, and then click Run.

f. In the Run dialog box, in the Open text box, type regedit, and then click OK.

g. In the Registry Editor dialog box, click OK.

Results: After completing this exercise, you should have created, edited, and linked the required GPO
successfully.

Exercise 2: Managing GPO scope


 Task 1: Create and link the required GPOs
1. On LON-DC1, in Group Policy Management Console, in the navigation pane, if necessary, expand
Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Research.

2. Right-click the Research organizational unit (OU), and then click Create a GPO in this domain, and
Link it here.

3. In the New GPO dialog box, in the Name text box, type Research Application Override, and then
click OK.
4. In the details pane, right-click the Research Application Override GPO, and then click Edit.

5. In the console tree, expand User Configuration, expand Policies, expand Administrative Templates,
expand Control Panel, and then click Personalization.

6. Double-click the Screen saver timeout policy setting.

7. Click Disabled, and then click OK.

8. Close the Group Policy Management Editor window.

 Task 2: Verify the order of precedence


 In the Group Policy Management Console tree, click the Research OU, and then click the Group Policy
Inheritance tab. Notice that the Research Application Override GPO has higher precedence than the
ADATUM Standards GPO. The screen saver time-out policy setting that you just configured in the
Research Application Override GPO is applied after the setting in the ADATUM Standards GPO.
Therefore, the new setting will overwrite the standards setting and will prevail. Screen saver time-out
will be unavailable for users within the scope of the Research Application Override GPO.

 Task 3: Configure the scope of a GPO with security filtering


1. On LON-DC1, in Group Policy Management Console, in the navigation pane, if necessary, expand
the Research OU, and then click the Research Application Override GPO under the Research OU.

2. In the Group Policy Management Console dialog box, read the message, select the Do not show
this message again check box, and then click OK.

3. In the Security Filtering section, you will see that the GPO applies by default to all authenticated users.

4. In the Security Filtering section, click Authenticated Users, and then click Remove.

5. In the Group Policy Management dialog box, click OK.

6. In the details pane, click Add.


7. In the Select User, Computer, or Group dialog box, in the Enter the object name to select
(examples): text box, type Research, and then click OK.

8. In the details pane, under Security Filtering, click Add.

9. In the Select User, Computer, or Group dialog box, click Object Types.

10. In the Object Types dialog box, select the Computers check box and then click OK.

11. In the Select User, Computer, or Group dialog box, in the Enter Object Names to select (Examples)
text box, type LON-CL1, and then click OK.

 Task 4: Configure loopback processing


1. On LON-DC1, in Group Policy Management Console, in the navigation pane, click Adatum.com,
right-click Adatum.com, and then click New Organizational Unit.

2. In the New Organizational Unit dialog box, in the Name text box, type Kiosks, and then click OK.

3. Right-click Kiosks, and then click New Organizational Unit.

4. In the New Organizational Unit dialog box, in the Name text box, type Conference Rooms, and then
click OK.

5. In the navigation pane, expand the Kiosks OU, and then click the Conference Rooms OU.

6. Right-click the Conference Rooms OU, and then click Create a GPO in this domain, and Link
it here.

7. In the New GPO dialog box, in the Name text box, type Conference Room Settings, and then
click OK.

8. In the navigation pane, expand Conference Rooms, and then click the Conference Room
Settings GPO.

9. In the navigation pane, right-click the Conference Room Settings GPO, and then click Edit.

10. In the Group Policy Management Editor window, in the navigation pane, expand User
Configuration, expand Policies, expand Administrative Templates, expand Control Panel, and then
click Personalization.

11. In the details pane, double-click the Screen saver timeout policy setting, and then click Enabled.

12. In the Seconds text box, type 7200, and then click OK.

13. In the navigation pane, expand Computer Configuration, expand Policies, expand Administrative
Templates, expand System, and then click Group Policy.

14. In the details pane, double-click the Configure user Group Policy loopback processing mode policy
setting, and then click Enabled.

15. In the Mode drop-down list, select Merge, and then click OK.

16. Close the Group Policy Management Editor window.

Results: After completing this exercise, you should have configured the required scope of the GPOs
successfully.
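The scope configured by hand in Tasks 3 and 4 can also be set from PowerShell. The following is an added example (not part of the lab manual and not a Microsoft script) that assumes the lab's Adatum.com domain, the Research group, the LON-CL1 computer account, and that it runs on LON-DC1 as a domain administrator. It additionally grants Domain Computers Read on the filtered GPO, which the lab steps do not do, because since the MS16-072 update (KB3163622) user policy is retrieved in the computer's security context.

```powershell
# Added example: reproduce the GPO scoping of Tasks 3 and 4 with the GroupPolicy and
# ActiveDirectory modules. Assumes domain Adatum.com, group Research, computer LON-CL1.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'Adatum.com'
$DomainDN = 'DC=Adatum,DC=com'

# --- Task 3: security filtering ------------------------------------------------
$GpoName = 'Research Application Override'

# Remove the default "Authenticated Users" entry (Read + Apply Group Policy).
Set-GPPermission -Name $GpoName -DomainName $Domain -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# Grant Read + Apply only to the Research group and to the LON-CL1 computer account.
Set-GPPermission -Name $GpoName -DomainName $Domain -TargetName 'Research' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -DomainName $Domain -TargetName 'LON-CL1' `
    -TargetType Computer -PermissionLevel GpoApply | Out-Null

# Not in the lab steps: after MS16-072 the computer account reads user GPOs on the
# user's behalf, so computers need Read (not Apply) on a user-filtered GPO. Read alone
# does not apply the GPO to every computer.
Set-GPPermission -Name $GpoName -DomainName $Domain -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null

# Show the resulting delegation so the scope can be checked against the GPMC view.
Get-GPPermission -Name $GpoName -DomainName $Domain -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, TrusteeType, Permission |
    Format-Table -AutoSize

# --- Task 4: loopback processing -----------------------------------------------
New-ADOrganizationalUnit -Name 'Kiosks' -Path $DomainDN
$KiosksDN = "OU=Kiosks,$DomainDN"
New-ADOrganizationalUnit -Name 'Conference Rooms' -Path $KiosksDN
$ConfDN = "OU=Conference Rooms,$KiosksDN"

$LoopGpo = New-GPO -Name 'Conference Room Settings' -Domain $Domain
New-GPLink -Name $LoopGpo.DisplayName -Target $ConfDN -Domain $Domain -LinkEnabled Yes | Out-Null

# User Configuration > Administrative Templates > Control Panel > Personalization >
# "Screen saver timeout" = 7200 seconds. The policy stores the value as REG_SZ.
Set-GPRegistryValue -Name $LoopGpo.DisplayName -Domain $Domain `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaveTimeOut' -Type String -Value '7200' | Out-Null

# Computer Configuration > Administrative Templates > System > Group Policy >
# "Configure user Group Policy loopback processing mode" = Enabled, Mode = Merge.
# UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $LoopGpo.DisplayName -Domain $Domain `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# In Merge mode the kiosk GPO's user settings are applied after the user's own GPOs,
# so its 7200-second timeout overrides a conflicting value from ADATUM Standards.
Get-GPRegistryValue -Name $LoopGpo.DisplayName -Domain $Domain `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
```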

Task 5: Prepare for the next lab

• After you finish this lab, leave the virtual machines running for the next lab.

Lab B: Troubleshooting Group Policy infrastructure

Exercise 1: Verifying GPO application

Task 1: Perform RSoP analysis
1. Switch to LON-CL1, and then verify that you are signed in as Adatum\Connie. If necessary, use the
password Pa55w.rd.

2. Click Start, type cmd, and then press Enter.

3. At the command prompt, type the following command, and then press Enter:

gpupdate /force

4. Wait for the command to complete. Make a note of the current system time, which you will need to
know for a task later in this lab. To record the system time, type the following command, and then
press Enter twice:

Time

5. Restart LON-CL1. Wait for LON-CL1 to restart before proceeding with the next task. Do not sign in to
LON-CL1.

6. Switch to LON-DC1.

7. Switch to Group Policy Management Console.

8. In the navigation pane, if necessary, expand Forest: Adatum.com, and then click Group Policy
Results.

9. Right-click Group Policy Results, and then click Group Policy Results Wizard.

10. On the Welcome to the Group Policy Results Wizard page, click Next.
11. On the Computer Selection page, select the Another computer option, type LON-CL1, and then
click Next.

12. On the User Selection page, click ADATUM\Connie, and then click Next.

13. On the Summary of Selections page, review your settings, and then click Next.

14. Click Finish. The RSoP report appears in the details pane of Group Policy Management Console.

15. Review the summary results. For both the user and the computer configuration, identify the time of the
last policy refresh and the list of allowed and denied GPOs. Identify the components that were used to
process policy settings.

16. Click the Details tab. Review the settings that were applied during user and computer policy
application, and then identify the GPO from which the settings were obtained.

17. Click the Policy Events tab, and then locate the event that logs the policy refresh that you triggered
with the gpupdate command.

18. Click the Summary tab, right-click an empty space on the page, and then click Save Report.

19. In the navigation pane, click Desktop, and then click Save.

20. On the desktop, right-click Connie on LON-CL1.htm, point to Open with, and then click Internet
Explorer.

21. When you have examined the report, close Microsoft Internet Explorer.

Task 2: Analyze RSoP with GPResult

1. Sign in to LON-CL1 as Adatum\Connie with the password Pa55w.rd.

2. Right-click Start, and then click Command Prompt.

3. At the command prompt, type the following command, and then press Enter:

gpresult /r

4. RSoP summary results are displayed. Notice that the information is very similar to the Summary tab of
the RSoP report that was produced by Group Policy Results Wizard.

5. At the command prompt, type the following command, and then press Enter:

gpresult /v | more

6. Press the spacebar to proceed through the report. Notice that many of the Group Policy settings that
were applied by the client are listed in this report.

7. At the command prompt, type the following command, and then press Enter:

gpresult /z | more

8. Press the spacebar to proceed through the report. This is the most detailed RSoP report.

9. At the command prompt, type the following command, and then press Enter:

gpresult /h:"%userprofile%\Desktop\RSOP.html"

An RSoP report is saved as an HTML file to your desktop.

10. Open the saved RSoP report from your desktop. Compare the report, its information, and its
formatting with the RSoP report that you saved in the previous task.
11. Sign out of LON-CL1.

Task 3: Evaluate GPO results by using Group Policy Modeling Wizard

1. On LON-DC1, in Group Policy Management Console, in the navigation pane, click Group Policy
Modeling.

2. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.

3. In the Group Policy Modeling Wizard, click Next.

4. On the Domain Controller Selection page, click Next.

5. On the User and Computer Selection page, in the User information section, select the User option,
and then click Browse. In the Select User dialog box type Connie, and then press Enter.

6. In the Computer information section, select the Computer option, and then click Browse. In the
Select Computer dialog box, type LON-CL1, and then press Enter.

7. In the Group Policy Modeling Wizard, click Next.

8. On the Advanced Simulation Options page, select the Loopback Processing check box, and then
select the Merge option. Even though the Conference Room Settings GPO specifies loopback
processing, you must instruct Group Policy Modeling Wizard to consider loopback processing in its
simulation. Click Next.

9. On the Alternate Active Directory Paths page, next to Computer location, click Browse.

10. In the Choose Computer Container dialog box, expand Adatum, expand Kiosks, and then click
Conference Rooms. You are simulating the effect of LON-CL1 as a conference room computer. Click
OK, and then click Next.

11. On the User Security Groups page, click Next.

12. On the Computer Security Groups page, click Next.

13. On the WMI Filters for Users page, click Next.


14. On the WMI Filters for Computers page, click Next.

15. Review your settings on the Summary of Selections page, click Next, and then click Finish.

16. In the details pane, click the Details tab, if necessary expand User Details, expand Group Policy
Objects, and then expand Applied GPOs.

17. Verify if the Conference Room Settings GPO applies to Connie as a User policy when she signs in to
LON-CL1, if LON-CL1 is in the Conference Rooms OU.

18. Scroll to, and if necessary expand, User Details, expand Settings, expand Policies, expand
Administrative Templates, and then expand Control Panel/Personalization.

19. Confirm that the screen saver timeout is 7,200 seconds (2 hours)—the setting configured by the
Conference Room Settings GPO that overrides the 10-minute standard configured by the ADATUM
Standards GPO.

Task 4: Review policy events

1. Switch to LON-CL1. Sign in as Adatum\Administrator with the password Pa55w.rd.
2. Right-click Start, and then click Event Viewer.

3. In the navigation pane, expand Windows Logs, and then click the System log.

4. Click the Source column header to sort the System log by source.

5. Locate event 1500, 1501, 1502, or 1503 with Group Policy as the source.

6. Review the information that is associated with Group Policy events.

7. In the navigation pane, expand Applications and Services Logs, expand Microsoft, expand
Windows, expand Group Policy, and then click Operational.

8. Locate the first event related to the Group Policy refresh that you initiated in the first exercise with the
gpupdate command. Review that event and the events that followed it.

9. Sign out of LON-CL1.

Results: After completing this exercise, you should have used the RSoP tools successfully to verify the
correct application of your GPOs, examined Group Policy events, and verified the health of the Group Policy
infrastructure.

Exercise 2: Troubleshooting GPOs

Task 1: Read the Help desk Incident Record and simulate the problem
1. Read Help desk Incident Record 604531 in the exercise scenario.

2. On LON-DC1, on the taskbar, click File Explorer.

3. In File Explorer, in the navigation pane, expand Allfiles (E:), expand Labfiles, and then click Mod05.
4. In the details pane, right-click Mod05-1.ps1, and then click Run with PowerShell. If prompted, press Y
and then press Enter.

Task 2: Update the Plan of Action section of the Incident Record

1. Read the Additional Information section of the Incident Record in the exercise scenario in the
student manual.

2. Update the Plan of Action section of the Incident Record in the student manual with your
recommendations:

o Verify the configuration for Connie Vaughn.

o RSoP from Group Policy Results Wizard will afterward provide the configuration information for
Connie Vaughn.

o The Research Application Override GPO should provide the correct configuration. Investigate
the configuration of the GPO.

Task 3: Troubleshoot and resolve the problem

1. On LON-CL1, sign in as Adatum\Connie with the password Pa55w.rd.
2. Right-click Start, and then click Control Panel.

3. In Control Panel, click Appearance and Personalization, and then click Change Screen Saver.

4. Verify that Wait is dimmed and has a value of 10 minutes.


5. Sign out of LON-CL1.

6. Switch to LON-DC1.

7. In the Group Policy Management window, in the navigation pane, click Group Policy Results.

8. Right-click Group Policy Results, and then click Group Policy Results Wizard.

9. On the Welcome to the Group Policy Results Wizard page, click Next.

10. On the Computer Selection page, select the Another computer option, type LON-CL1, and then
click Next.

11. On the User Selection page, click ADATUM\Connie, and then click Next.

12. On the Summary of Selections page, review your settings, and then click Next.

13. Click Finish.

14. Click the Details tab, and then click Show all.

15. In the User Details section, locate the Settings section, and then in Control Panel/Personalization,
verify that the screen saver timeout is 600 seconds and the winning GPO is ADATUM Standards.

16. In the User Details section, locate the denied GPOs and verify that the Research Application
Override GPO is in the list of denied GPOs with a reason of Disabled Link. In this case, it appears that
the GPO link for the Research OU is disabled.

17. In the navigation pane, click the Research OU, right-click the Research OU, and then click Refresh.

18. Expand the Research OU.

19. Notice that the link for the Research Application Override GPO is disabled. In the navigation pane,
right-click the Research Application Override GPO, and then click Link Enabled.

20. Switch to LON-CL1.


21. On LON-CL1, sign in as Adatum\Connie with the password Pa55w.rd.

22. Right-click Start, and then click Control Panel.

23. In Control Panel, click Appearance and Personalization, and then click Change Screen Saver.

24. Verify that Wait is no longer dimmed and has a value of 1 minute.

25. If Wait is still dimmed, then perform the following steps:

a. Right-click Start, hover over Shut down or sign out, and then click Restart.
b. Sign in as Adatum\Connie with the password Pa55w.rd.

26. Perform steps 22-24.

27. Sign out of LON-CL1.

Results: After completing this exercise, you will have resolved the GPO application problem.
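The RSoP collection of Exercise 1 and the disabled-link diagnosis of this exercise can be scripted as one check. The following is an added example (not part of the lab manual and not a Microsoft script) that assumes the lab's Adatum.com domain, that LON-CL1 is running and reachable from LON-DC1 for remote RSoP and event log access, the user Adatum\Connie, and the Research Application Override GPO linked to the Research OU.

```powershell
# Added example: gather RSoP for a user on a client, then check and repair the GPO link
# state that RSoP reports as "Disabled Link". Assumes LON-DC1, LON-CL1, Adatum.com.
Import-Module GroupPolicy

$Domain   = 'Adatum.com'
$GpoName  = 'Research Application Override'
$TargetOU = 'OU=Research,DC=Adatum,DC=com'

# 1. Same data as the Group Policy Results Wizard (Exercise 1, Task 1), saved as HTML.
$Report = Join-Path $env:USERPROFILE 'Desktop\Connie-on-LON-CL1.html'
Get-GPResultantSetOfPolicy -Computer 'LON-CL1' -User 'Adatum\Connie' `
    -ReportType Html -Path $Report | Out-Null
Write-Host "RSoP report written to $Report"

# 2. Link state of one GPO on one container. A link with Enabled = False is what the
#    RSoP report lists under denied GPOs with the reason "Disabled Link".
function Get-GpoLinkState {
    param([string]$Gpo, [string]$OU, [string]$DomainName)
    $inheritance = Get-GPInheritance -Target $OU -Domain $DomainName
    $inheritance.GpoLinks |
        Where-Object { $_.DisplayName -eq $Gpo } |
        Select-Object DisplayName, Target, Enabled, Enforced, Order
}

$link = Get-GpoLinkState -Gpo $GpoName -OU $TargetOU -DomainName $Domain
if (-not $link) {
    Write-Warning "$GpoName is not linked to $TargetOU"
} elseif (-not $link.Enabled) {
    Write-Warning "$GpoName link on $TargetOU is disabled (RSoP reason: Disabled Link)"
    # 3. The fix applied in Task 3, step 19: re-enable the link.
    Set-GPLink -Name $GpoName -Target $TargetOU -Domain $Domain -LinkEnabled Yes | Out-Null
    Get-GpoLinkState -Gpo $GpoName -OU $TargetOU -DomainName $Domain
} else {
    Write-Host "$GpoName link on $TargetOU is enabled"
}

# 4. A GPO can also be denied by security filtering; list who holds Apply Group Policy.
Get-GPPermission -Name $GpoName -DomainName $Domain -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, TrusteeType, Permission

# 5. The client-side view (Exercise 1, Task 4): Group Policy events 1500-1503 in the
#    System log and the Group Policy operational log. Remote reads need the client's
#    Remote Event Log Management firewall rules enabled (assumed for the lab VMs).
$since = (Get-Date).AddHours(-1)
Get-WinEvent -ComputerName 'LON-CL1' -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'
    Id = 1500, 1501, 1502, 1503; StartTime = $since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

Get-WinEvent -ComputerName 'LON-CL1' -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'; StartTime = $since
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```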

Task 4: Prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-LON-CL1.


Module 6: Managing user settings with Group Policy

Lab: Managing user settings with Group Policy

Exercise 1: Using administrative templates to manage user settings

Task 1: Import administrative templates for Microsoft Office 2016
1. On LON-DC1, on the taskbar, click the File Explorer icon.

2. In File Explorer, in the navigation pane, expand Allfiles (E:), expand Labfiles, and then click Mod06.

3. Double-click admintemplates_x64_4390-1000_en-us.exe.

4. In The Microsoft Office 2016 Administrative Templates dialog box, select the Click here to accept
the Microsoft Software License Terms check box, and then click Continue.
5. In the Browse for Folder dialog box, click Desktop, and then click OK.

6. In The Microsoft Office 2016 Administrative Templates dialog box, click OK.

7. In File Explorer, in the navigation pane, click Desktop, and then in the content pane, double-click
admx.

8. Press Ctrl+A to select all files, right-click, and then click Copy.

9. In the navigation pane, expand Local Disk (C:), expand Windows, right-click PolicyDefinitions, and
then click Paste.

10. Close File Explorer.

Task 2: Configure Office 2016 settings

1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. Switch to the Group Policy Management window.

3. In the navigation pane, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and
then click Group Policy Objects.

4. Right-click Group Policy Objects, and then click New.

5. In the New GPO dialog box, type Office 2016 settings, and then click OK.

6. In the contents pane, right-click Office 2016 settings, and then click Edit.

7. In the Group Policy Management Editor, in the navigation pane, expand User Configuration,
expand Policies, expand Administrative Templates, and then click Microsoft Excel 2016.

8. Expand Microsoft Excel 2016, expand Excel Options, click Customize Ribbon, and then double-click
Display Developer tab in the Ribbon.

9. In the Display Developer tab in the Ribbon dialog box, click Enabled, and then click OK.

10. In the Group Policy Management Editor, click Save, and then double-click Default file location.
11. In the Default file location dialog box, click Enabled, in the Default file location text box, type
%userprofile%\Desktop, and then click OK.

12. Close the Group Policy Management Editor.



13. In Group Policy Management, right-click the Adatum.com domain, and then click Link an
Existing GPO.

14. In the Select GPO dialog box, click Office 2016 settings, and then click OK.

Task 3: Apply and verify settings on the client computer

1. Switch to LON-CL1.

2. Right-click Start, and then click Command Prompt.

3. In the Command Prompt window, type the following command, and then press Enter:

Gpupdate /force

4. Close the Command Prompt window.

5. Click Start, and then click Excel 2016.

6. In the Microsoft Office Activation Wizard dialog box, click Close.

7. In the First things first dialog box, select the Ask me later option, and then click Accept.

8. Click Blank workbook.


9. Verify that the Developer tab displays on the ribbon.

10. If the Developer tab is not displayed on the ribbon, perform the following steps:

a. Right-click Start, hover over Shut down or sign out, and then click Restart.

b. After the computer has restarted, sign in as Adatum\Administrator with the password Pa55w.rd.

c. Perform steps 5-9 again.

11. Click File, click Save, and then click Browse.

12. In the Save as dialog box, in the address bar, verify that Desktop displays, and then click Cancel.

13. Close Excel 2016.

Results: After this exercise, you should have extended administrative templates with templates for
Office 2016 and configured some Office settings by using Group Policy.

Exercise 2: Implementing settings by using Group Policy preferences

Task 1: Set up the current environment
1. Switch to LON-DC1.

2. On LON-DC1, on the taskbar, click the File Explorer icon.

3. In the navigation pane, expand Allfiles (E:), expand Labfiles, and then click Mod06.
4. In the details pane, right-click Mod06-1.ps1, and then click Run with PowerShell.

5. If prompted, type Y, and then press Enter.

6. Right-click BranchScript.cmd, and then click Copy.

7. Switch to the Group Policy Management window.

8. In the navigation pane, right-click Group Policy Objects, and then click Refresh.

9. Right-click the Branch1 Group Policy Object (GPO), and then click Edit.

10. In the Group Policy Management Editor window, under User Configuration, expand Policies,
expand Windows Settings, and then click Scripts (Logon/Logoff).

11. In the details pane, double-click Logon.

12. In the Logon Properties dialog box, click Show Files.


13. In the details pane, right-click a blank area, and then click Paste.

14. Close the Logon window.

15. In the Logon Properties dialog box, click Add.

16. In the Add a Script dialog box, click Browse.

17. Click BranchScript.cmd, and then click Open.

18. Click OK twice to close all dialog boxes.


19. Close the Group Policy Management Editor window.

Task 2: Test mapped drive for Branch Office 1 users

1. Switch to LON-CL1.

2. Right-click Start, hover over Shut down or sign out, and then click Restart.
3. When the computer has restarted, sign in as Adatum\Abbi with the password Pa55w.rd.

4. On the taskbar, click the File Explorer icon.

5. In File Explorer, click This PC.


6. Verify that in the details pane, in the Network Locations section, drive S displays.

7. If drive S is not available, perform these steps:

a. Right-click Start, and click Command Prompt.


b. In the Command Prompt window, type the following two commands, and press Enter after each
command:

Gpupdate /force
Shutdown /r /t 0

c. Perform steps 3-6 again.

Task 3: Create a Preferences GPO with the required Group Policy preferences

1. Switch to LON-DC1.

2. On LON-DC1, switch to Server Manager, click Tools and then click Active Directory Users and
Computers.

3. In the Active Directory Users and Computers window, right-click IT, hover over New, and then click
Group.
4. In the New Object – Group dialog box, in the Group name text box, type Computer Administrators,
and then click OK.

5. Switch to the Group Policy Management Console, right-click the Adatum.com domain, and then
click Refresh.

6. Expand Branch Office 1, right-click the Branch1 GPO, and then click Delete.

7. In the Group Policy Management dialog box, click OK.



8. Right-click the Adatum.com domain, and then click Create a GPO in this domain, and Link it here.

9. In the New GPO dialog box, in the Name text box, type Preferences, and then click OK.

10. In the navigation pane, right-click Preferences, and then click Edit.

11. Expand User Configuration, expand Preferences, expand Windows Settings, right-click Shortcuts,
hover over New, and then click Shortcut.
12. In the New Shortcut Properties dialog box, in the Action list, click Create.

13. In the Name text box, type Notepad.

14. In the Location box, click the arrow, and then select All Users Desktop.

15. In the Target path box, type C:\Windows\System32\Notepad.exe.

16. On the Common tab, clear the Run in logged-on user’s security context (user policy option) check
box.

17. Select the Item-level targeting check box, and then click Targeting.

18. In the Targeting Editor dialog box, click New Item, and then click Security Group.

19. In the lower part of the dialog box, click the ellipsis button (…).
20. In the Select Group dialog box, in the Enter the object name to select (examples) box, type IT, and
then click OK.

21. Click OK two more times.


22. Right-click Drive Maps, hover over New, and then click Mapped Drive.

23. In the New Drive Properties dialog box, in the Location text box, type \\LON-DC1\Branch1, and
then select the Reconnect check box. In the Label as text box, type Drive for Branch Office 1, in the
Use drop-down list box, select S.

24. On the Common tab, select the Run in logged-on user’s security context (user policy option)
check box.
25. Select the Item-level targeting check box, and then click Targeting.

26. In the Targeting Editor dialog box, click New Item, and then click Organizational Unit.

27. In the lower part of the dialog box, click the ellipsis button (…).

28. In the Find Custom Search dialog box, in the Search results list, select Branch Office 1, and then
click OK.

29. Click OK two more times.


30. Expand Computer Configuration, expand Preferences, and then expand Control Panel Settings.

31. Right-click Local Users and Groups, hover over New, and then click Local Group.

32. In the New Local Group Properties dialog box, in the Group name text box, type Administrators,
and then click Add.

33. In the Local Group Member dialog box, click the ellipsis button (…).

34. In the Select User, Computer or Group dialog box, in the Enter the object name to select
(examples) text box, type Computer Administrators, and then click OK twice.

35. In the New Local Group Properties dialog box, click the Common tab.

36. On the Common tab, select the Item-level targeting check box, and then click Targeting.

37. In the Targeting Editor dialog box, click New Item, and then click Operating System.

38. In the Product drop-down list box, select Windows Server 2016 Family, and then click OK twice.

39. Close all open windows except Group Policy Management and Server Manager.

Task 4: Test the preferences

1. Switch to LON-CL1.

2. Right-click Start, hover over Shut down or sign out, and then click Restart.

3. When the computer has restarted, sign in as Adatum\Abbi with the password Pa55w.rd.
4. On the taskbar, click the File Explorer icon.

5. In File Explorer, click This PC.

6. Verify that in the details pane, in the Network Locations section, drive S displays.

Note: The drive label now is Drive for Branch Office 1, which verifies that the drive is
mapped through Group Policy preferences.

7. On the desktop, verify that a shortcut exists for Notepad.

8. If the shortcut for Notepad is not available, perform these steps:

a. Right-click Start, and click Command Prompt.

b. In the Command Prompt window, type the following two commands, and press Enter after each
command:

Gpupdate /force
Shutdown /r /t 0

c. Perform step 3 again.


The shortcut for Notepad should now display on the desktop.

9. Right-click Start, and then click Computer Management.

10. In Computer Management, expand Local Users and Groups, and then click Groups.

11. In the details pane, double-click Administrators.

12. Verify that the Computer Administrators group is not a member of the Administrators group.

Note: The Computer Administrators group is not a member of the Administrators group
because the Preferences setting only applies to servers.

13. Sign out of LON-CL1.

Results: After this exercise, you should have removed the logon scripts, configured preference settings, and
then assigned them by using GPOs.

Exercise 3: Configuring Folder Redirection

Task 1: Create a shared folder to store the redirected folders
1. On LON-DC1, on the taskbar, click the File Explorer icon.

2. In the navigation pane, click This PC.

3. In the details pane, double-click Local Disk (C:), and then on the Home tab, click New folder.
4. Name the new folder Branch1Redirect.

5. Right-click the Branch1Redirect folder, click Share with, and then click Specific people.

6. In the File Sharing dialog box, click the drop-down list box, select Everyone, and then click Add.

7. For the Everyone group, click the Permission Level drop-down list box, and then click Read/Write.

8. Click Share, and then click Done.

9. Close File Explorer.

Task 2: Create a new GPO and link it to the Branch Office 1 organizational unit (OU)

1. On LON-DC1, switch to Group Policy Management.

2. In Group Policy Management, expand and right-click Branch Office 1, and then click Create a GPO in
this domain and Link it here.
3. In the New GPO dialog box, in the Name text box, type Folder Redirection, and then click OK.

Task 3: Edit the Folder Redirection settings in the policy

1. Expand Branch Office 1, right-click Folder Redirection, and then click Edit.

2. In the Group Policy Management Editor window, under User Configuration, expand Policies,
expand Windows Settings, and then expand Folder Redirection.

3. Right-click Documents, and then click Properties.

4. In the Document Properties dialog box, on the Target tab, in the Setting drop-down list box, select
Basic – Redirect everyone’s folder to the same location.

5. Ensure that the Target folder location box is set to Create a folder for each user under the
root path.

6. In the Root Path text box, type \\LON-DC1\Branch1Redirect, and then click OK.

7. In the Warning dialog box, click Yes.

8. Right-click Pictures, and then click Properties.

9. In the Pictures Properties dialog box, on the Target tab, in the Setting drop-down list box, select
Follow the Documents folder, and then click OK.

10. In the Warning dialog box, click Yes.


11. Right-click Music, and then click Properties.

12. In the Music Properties dialog box, on the Target tab, in the Setting drop-down list box, select
Follow the Documents folder, and then click OK.

13. In the Warning dialog box, click Yes.

14. Close all open windows on LON-DC1.


Task 4: Test the Folder Redirection settings

1. Switch to LON-CL1.

2. Sign in as Adatum\Abbi with the password Pa55w.rd.

3. Right-click Start, and then click Command Prompt.

4. In the Command Prompt window, type the following command, and then press Enter:

gpupdate /force

5. When prompted, type the following and then press Enter:

6. Sign out, and then sign back in to LON-CL1 as Adatum\Abbi with the password Pa55w.rd.

7. On the taskbar, click the File Explorer icon.

8. In File Explorer, in the navigation pane, right-click Documents, and then click Properties.
9. In the Documents properties dialog box, verify that the location is
\\LON-DC1\Branch1Redirect\Abbi, and then click OK.

Note: If the location is C:\Users\Abbi, perform steps 3 through 9 again. If the location has
not changed, restart LON-CL1 and perform steps 2 through 9 again.

10. Click Documents, and verify that two subfolders, Music and Pictures, exist.

Note: This verifies that Music and Pictures are redirected as well.

11. Sign out of LON-CL1.

Results: After this exercise, you should have successfully configured Folder Redirection to a shared folder
on the LON-DC1 server.

Exercise 4: Planning Group Policy (optional)

Task 1: Read the supporting documentation

• Read the documentation provided.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the proposals section of the A. Datum GPO Strategy Proposal document.

Proposals

• Which of the requirements will necessitate creating one or more GPOs?

The central IT administrators in London must be able to manage all GPOs and settings in the
organization. Administrators in each office should be able to manage only GPOs that apply to that
office. Although you can complete any of the remaining tasks manually on each computer, using GPOs
requires the least effort. You could implement some of the other requirements, such as the security
warning or preventing access to registry editing tools, by using local policies only. However, because
local policies are hard to manage, GPOs are also beneficial for these settings.

• Can you fulfill any of the requirements without creating GPOs?

You can fulfill all the requirements without creating GPOs.

• Are there any exceptions to the default GPO application that you must consider?

Yes, there is one exception: security filtering of administrator desktops so that they will not be
prevented from accessing registry editing tools.

• List the GPOs that you must create to fulfill the lab scenario’s requirements. Provide the following
information in the table provided:

o Name of the GPO

o The requirements that the GPO fulfills

o The configuration settings (user policies, computer policies, user preferences, or computer
preferences) the GPO will contain

o The container (domain, OU, site) to which the GPO will be linked

Name: All_Clients
  Requirements fulfilled: Configures the local admin accounts
  Configuration settings: Computer Configuration\Policies\Windows Settings\Security Settings
                          \Restricted Groups
  Applies to: OU=Clients

Name: All_Clients
  Requirements fulfilled: Configures general Windows Update settings
  Configuration settings: Computer Configuration\Policies\Administrative Templates
                          \Windows Components\Windows Update\Configure Automatic Updates
  Applies to: OU=Clients

Name: All_Users_but_Admins
  Requirements fulfilled: Prevents editing of the registry
  Configuration settings: User Configuration\Policies\Administrative Templates\System
                          \Prevent access to registry editing tools
  Applies to: DC=adatum

Name: London_Clients
  Requirements fulfilled: Displays a compliance message
  Configuration settings: Computer Configuration\Windows Settings\Security Settings
                          \Local Policies\Security Options
                          \Interactive Logon: Message text for users attempting to log on
                          \Interactive Logon: Message title for users attempting to log on
  Applies to: OU=London,OU=Clients

Name: Marketing_Share
  Requirements fulfilled: Users must have a default set of mapped drives
  Configuration settings: User Configuration\Preferences\Windows Settings\Drive Maps
  Applies to: OU=Marketing

• List other configuration tasks that you must perform within the Group Policy Management Console to
fulfill the scenario requirements.

Other configuration tasks include:

• The All_Users_but_Admins policy needs security filtering to deny access. This will apply the policy to the
users but not to the administrators group (the IT group).

• You must configure the administration of GPOs as desired.

Task 3: Examine the suggested proposals in the Lab Answer Key

• Compare your proposals with the ones shown previously.

Task 4: Discuss your proposed solution with the class, as guided by your instructor

• Be prepared to discuss your proposals with the class.

Results: After completing this exercise, you will be able to:

• Design a GPO strategy.

Task 5: Prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-LON-CL1.


Module 7: Securing Active Directory Domain Services

Lab: Securing AD DS

Exercise 1: Implementing security policies for accounts, passwords, and
administrative groups

Task 1: Identify the required settings
1. Read the documentation provided.

2. Fill in the table of settings according to the requirements of A. Datum Corporation.

Setting                                       Configuration for all users   Configuration for IT administrators

Enforce password history                      10                            10
Maximum password age                          60 days                       30 days
Minimum password age                          1 day                         1 day
Minimum password length                       8 characters                  10 characters
Passwords must meet complexity requirements   True                          True
Store password using reversible encryption    False                         False
Account lockout duration                      1 hour                        Administrator must unlock
Account lockout threshold                     5                             3
Reset account lockout counter after           20 minutes                    20 minutes

3. Answer the additional questions from the proposals document.

o How can you configure that IT administrators have different password and account lockout
settings than regular users?
Answer: Use the Default Domain Policy, which applies to all users, and create a fine-grained
password policy object that applies only to the required administrative groups.

o How can you identify IT administrators in terms of more restricted password and account lockout
settings?

Answer: The administrative password and account lockout settings should apply to the IT group
and the Domain Admins group.

o How can you meet the requirement to limit the membership list for the local Administrators
groups on all member servers to only the local Administrator account, the Domain Admins group,
and the IT group?
Answer: Ensure that the domain member servers are in the same OU hierarchy. Link a GPO to that OU, and
then use the restricted groups feature to force the local Administrators group to contain only the local
Administrator account, the Domain Admins group, and the IT group.

o How can you meet the requirement that the Domain Admins group must include only the
Administrator account and that the Enterprise Admins and Schema Admins groups must be empty
during normal operations?

Answer: The restricted groups feature is intended for local groups, not for domain groups such as
Domain Admins, Enterprise Admins, and Schema Admins. Configure the membership of those groups
manually, and audit changes to them.

o How can you meet the requirement that other built-in groups, such as Account Operators and
Server Operators, must not contain members?
Answer: Use the restricted groups feature.

o How can you meet the requirement that you must audit all changes to users or groups in Active
Directory Domain Services (AD DS)?

Answer: Configure advanced auditing policies to audit directory services changes.

 Task 2: Configure password settings for all users


1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management console, in the navigation pane, expand Forest:
Adatum.com\Domains\Adatum.com\Group Policy Objects, and then select the Default Domain
Policy.

3. Right-click Default Domain Policy, and then click Edit.


4. In the Group Policy Management Editor window, in the navigation pane, expand
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies, and
then double-click Password Policy.
5. In the details pane, double-click Enforce password history.

6. In the Enforce password history Properties dialog box, ensure that Define this policy setting is
selected.
7. Configure Keep password history for: to 10 passwords remembered, click OK, and then double-
click Maximum password age.

8. In the Maximum password age Properties dialog box, ensure that Define this policy setting is
selected.

9. Configure Password will expire in to 60 days, click OK, and then double-click Minimum
password age.

10. In the Minimum password age Properties dialog box, ensure that Define this policy setting is
selected.

11. Configure Password can be changed after to 1 days, click OK, and then double-click Minimum
password length.

12. In the Minimum password length Properties dialog box, ensure that Define this policy setting is
selected.

13. Configure Password must be at least to 8 characters, click OK, and then double-click Password
must meet complexity requirements.

14. In the Password must meet complexity requirements Properties dialog box, ensure that Define
this policy setting is selected.

15. Select Enabled, click OK, and then double-click Store passwords using reversible encryption.

16. In the Store passwords using reversible encryption Properties dialog box, ensure that Define this
policy setting is selected.

17. Select Disabled, and then click OK.

18. In the navigation pane, click to select Account Lockout Policy.

19. In the details pane, double-click Account lockout duration.


20. In the Account lockout duration Properties dialog box, click Define this policy setting.

21. Configure Account is locked out for to 60 minutes, and then click OK.

22. In the Suggested Value Changes dialog box, click OK, and then double-click Account lockout
threshold.

23. In the Account lockout threshold Properties dialog box, configure Account will lock out after to
5 invalid logon attempts, click OK, and then double-click Reset account lockout counter after.

24. In the Reset account lockout counter after Properties dialog box, configure Reset account lockout
counter after to 20 minutes, and then click OK.

25. Close the Group Policy Management Editor window and the Group Policy Management console.

 Task 3: Configure a PSO for IT administrators


1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Administrative
Center.

2. In Active Directory Administrative Center, in the navigation pane, click Adatum (local).
3. In the details pane, scroll to and double-click System, and then double-click Password Settings
Container.

4. In the Tasks pane, in the Password Settings Container section, click New, and then click Password
Settings.

5. In the Create Password Settings dialog box, in the Password Settings section, in the Name field,
type Adatum Administrators Password Settings.
6. In the Precedence field, type 10, and then ensure that Enforce minimum password length is
selected.

7. In the Minimum password length (characters) text box, type 10, and then ensure that Enforce
password history is selected.

8. In the Number of passwords remembered text box, type 10, ensure that Password must meet
complexity requirements is selected, and then ensure that Store password using reversible
encryption is not selected.

9. Under Password age options, ensure that Enforce minimum password age is selected.

10. In the User cannot change the password within (days) text box, type 1, and then ensure that the
Enforce maximum password age check box is selected.

11. In the User must change the password after (days) text box, type 30, and then select the Enforce
account lockout policy check box.

12. In the Number of failed logon attempts allowed text box, type 3.

13. In the Reset failed logon attempts count after (mins) text box, type 20, and then select Account
will be locked out, Until an administrator manually unlocks the account.
14. In the Directly Applies To section, click Add.

15. In the Select Users or Groups dialog box, under Enter the object names to select, type IT, and then
click Check Names.

16. The Name Not Found dialog box appears because a PSO can be applied only to users and global security
groups, and IT is currently a universal group. Click Cancel.

17. Switch to Server Manager, click Tools, and then click Windows PowerShell.

18. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Get-ADGroup IT

19. Verify that the IT group has a group scope of Universal.

20. At the command prompt, type the following command, and then press Enter:

Set-ADGroup IT -GroupScope Global

21. Switch back to the Create Password Settings: Adatum Administrators Password Settings
dialog box.

22. In the Select Users or Groups dialog box, under Enter the object names to select, type IT; Domain
Admins, and then click Check Names. The names are both resolved. Click OK.

23. Click OK to close the Create Password Settings: Adatum Administrators Password Settings dialog
box and create the Password Settings object (PSO).

24. In Active Directory Administrative Center, in the navigation pane, click Overview.

25. In the details pane, in the Global Search box, type Abbi Skinner, and then press Enter. The user object
of Abbi Skinner is found.
26. In the Tasks pane, click View resultant password settings. Note that the Adatum Administrators
Password Settings PSO applies (Abbi is in the IT group), and then click Cancel.

27. In the Global Search box, type Adam Hobbs, and then press Enter.
28. In the Tasks pane, click View resultant password settings. Note that no resultant fine-grained
password settings apply (Adam is not in the IT group, so the Default Domain Policy settings apply to
him), and then click OK.

29. Close Active Directory Administrative Center and Windows PowerShell.
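The same outcome as Tasks 2 and 3 can be verified and reproduced from Windows PowerShell, which is useful when you need to re-check the policies after the lab or apply them on a second domain. The following script is an added example and is not part of the 20742B lab. It assumes the ActiveDirectory module on LON-DC1, the lab's group and user names (IT, Domain Admins, and the sAMAccountNames Abbi and Adam), and that the Default Domain Policy from Task 2 has already been applied. The "Until an administrator manually unlocks the account" lockout option set in ADAC in step 13 is not expressed in this example; the 30-minute LockoutDuration below is a placeholder assumption that you would replace with the ADAC setting.

```powershell
# Added example (not part of the lab): verify the Task 2 domain password policy and
# create the Task 3 PSO from PowerShell. Assumes the ActiveDirectory module on LON-DC1.
Import-Module ActiveDirectory

# 1. Compare the effective domain-wide policy with the values the table in Task 1 requires.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$expected = @{
    PasswordHistoryCount        = 10
    MaxPasswordAge              = New-TimeSpan -Days 60
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 8
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = New-TimeSpan -Minutes 60
    LockoutThreshold            = 5
    LockoutObservationWindow    = New-TimeSpan -Minutes 20
}
foreach ($name in $expected.Keys) {
    if ($domainPolicy.$name -ne $expected[$name]) {
        Write-Warning "Default Domain Policy: $name is '$($domainPolicy.$name)', expected '$($expected[$name])'"
    }
}

# 2. A PSO can be applied only to users and global security groups, so convert IT first
#    (the same fix as Task 3, steps 17 to 20).
if ((Get-ADGroup -Identity IT).GroupScope -ne 'Global') {
    Set-ADGroup -Identity IT -GroupScope Global
}

# 3. Create the stricter PSO for administrators. When several PSOs apply to one user,
#    the lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name 'Adatum Administrators Password Settings' `
    -Precedence 10 `
    -MinPasswordLength 10 `
    -PasswordHistoryCount 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 20) `
    -LockoutDuration (New-TimeSpan -Minutes 30)   # assumption: placeholder for "until an administrator unlocks"

Add-ADFineGrainedPasswordPolicySubject -Identity 'Adatum Administrators Password Settings' `
    -Subjects 'IT', 'Domain Admins'

# 4. Resultant check: an IT member gets the PSO; an ordinary user gets nothing back,
#    which means the Default Domain Policy applies.
foreach ($sam in 'Abbi', 'Adam') {   # assumption: first names are the sAMAccountNames, as in the lab
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $sam
    if ($rsop) { "$sam -> PSO '$($rsop.Name)' (precedence $($rsop.Precedence))" }
    else       { "$sam -> no PSO; Default Domain Policy applies" }
}
```

Get-ADUserResultantPasswordPolicy resolves precedence for you, so it is the quickest way to confirm that a newly created PSO actually reaches the accounts you intended and does not silently lose to another PSO with a lower precedence value.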

 Task 4: Implement administrative security policies


1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Administrative
Center.

2. In Active Directory Administrative Center, in the navigation pane, click Adatum (local).

3. In the Tasks pane, in the Adatum (local) section, click New, and then click Organizational Unit.

4. In the Create Organizational Unit dialog box, in the Name field, type Adatum Servers, and then
click OK.

5. In Active Directory Administrative Center, in the details pane, double-click Computers, select
LON-SVR1, and then press and hold the Shift key and click LON-SVR2. Both servers now are selected.

6. In the Tasks pane, in the 2 items selected section, click Move.

7. In the Move dialog box, select Adatum Servers, and then click OK.

8. Close Active Directory Administrative Center.

9. In Server Manager, click Tools, and then click Group Policy Management.

10. In the Group Policy Management console, under Forest: Adatum.com\Domains\Adatum.com,
locate and click to select Adatum Servers. Right-click Adatum Servers, and then click Create a GPO
in this domain, and Link it here.

11. In the New GPO dialog box, in the Name field, type Restricted Administrators on Member Servers,
and then click OK.

12. In the details pane, right-click the Restricted Administrators on Member Servers GPO, and then
click Edit.

13. In the Group Policy Management Editor window, expand Computer Configuration\Policies
\Windows Settings\Security Settings, click to select Restricted Groups, right-click Restricted
Groups, and then click Add Group.

14. In the Add Group dialog box, in the Group field, type Administrators, and then click OK.

15. In the Administrators Properties dialog box, under Members of this group, click Add.

16. In the Add Member dialog box, click Browse.

17. In the Select Users, Service Accounts or Groups dialog box, in the Enter the object names to select
text box, type Domain Admins; IT, click Check Names, and then click OK.

18. In the Add Member dialog box, in the Members of this group section, add ;Administrator to the
string, and then click OK.
19. Verify that the Administrators Properties dialog box now shows the following in Members of this
group, and then click OK:

o ADATUM\Domain Admins
o ADATUM\IT

o Administrator

20. Close the Group Policy Management Editor window.

21. On LON-SVR1, click Start, type cmd, and then click Command Prompt.

22. In the Administrator: Command Prompt window, type the following command, and then press
Enter:

gpupdate /force

23. Wait until the command updates the Computer Policy and the User Policy.

24. On LON-SVR1, click Start, and then click Server Manager.

25. From Server Manager, click Tools, and then click Computer Management.
26. In Computer Management, expand System Tools\Local Users and Groups, and then click Groups.

27. Double-click Administrators, and then verify that ADATUM\Domain Admins, ADATUM\IT, and the
local Administrator are members of this group.
28. Close all open windows except for Server Manager.

29. Switch back to LON-DC1, and then switch to Group Policy Management.

30. In the Group Policy Management console, expand Domain Controllers, right-click the Default
Domain Controllers Policy link, and then click Edit.

31. In the Group Policy Management Editor window, expand Computer Configuration\Policies
\Windows Settings\Security Settings, click to select Restricted Groups, right-click Restricted
Groups, and then click Add Group.

32. In the Add Group dialog box, in the Group field, type Server Operators, and then click OK.

33. In the Server Operators Properties dialog box, keep the default settings of This group should
contain no members, and then click OK.

34. Repeat steps 31 through 33 for the Account Operators group.

35. Close the Group Policy Management Editor window and the Group Policy Management console.
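Steps 21 through 27 check a single server by hand. The following script is an added example, not part of the lab, that performs the same verification for every server in the Adatum Servers OU and also checks the privileged domain groups that the answer key says must be kept in line manually. It assumes the ActiveDirectory module on LON-DC1, that WinRM is enabled on the member servers (Invoke-Command), and the lab's OU and group names.

```powershell
# Added example (not part of the lab): verify what Task 4 enforces. Run on LON-DC1
# after gpupdate has run on the member servers.
Import-Module ActiveDirectory

# What the "Restricted Administrators on Member Servers" GPO should leave in the
# local Administrators group, besides the local Administrator account itself.
$expectedLocalAdmins = @('ADATUM\Domain Admins', 'ADATUM\IT')

$servers = Get-ADComputer -SearchBase 'OU=Adatum Servers,DC=Adatum,DC=com' -Filter * |
           Select-Object -ExpandProperty Name

foreach ($server in $servers) {
    $members = Invoke-Command -ComputerName $server -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
    # Anything that is neither an expected domain group nor the local Administrator is drift.
    $unexpected = $members | Where-Object {
        ($_ -notin $expectedLocalAdmins) -and ($_ -ne "$server\Administrator")
    }
    if ($unexpected) { Write-Warning "$server`: unexpected local Administrators members: $($unexpected -join ', ')" }
    else             { "$server`: local Administrators group matches the restricted-groups policy" }
}

# Privileged domain groups are not governed by Restricted Groups in this design, so
# compare them with the baseline from the scenario: Domain Admins holds only Administrator,
# and the other groups are empty during normal operations.
$baseline = @{
    'Domain Admins'     = @('Administrator')
    'Enterprise Admins' = @()
    'Schema Admins'     = @()
    'Account Operators' = @()
    'Server Operators'  = @()
}
foreach ($group in $baseline.Keys) {
    $expected = @($baseline[$group])
    $actual   = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
    $extra    = $actual   | Where-Object { $_ -notin $expected }
    $missing  = $expected | Where-Object { $_ -notin $actual }
    if ($extra -or $missing) {
        Write-Warning "$group`: differs from baseline (extra: $($extra -join ', '); missing: $($missing -join ', '))"
    } else {
        "$group`: membership matches baseline"
    }
}
```

Run this on a schedule rather than once: Restricted Groups re-applies the local membership at every Group Policy refresh, but nothing re-applies the domain group baseline, so the second half of the script is the control that catches an unauthorized addition to Domain Admins between manual reviews.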

 Task 5: Implement administrative auditing


1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management console, expand Forest:
Adatum.com\Domains\Adatum.com\Group Policy Objects, select the Default Domain Controllers
Policy, right-click Default Domain Controllers Policy, and then click Edit.

3. In the Group Policy Management Editor window, expand Computer Configuration\Policies
\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies, and
then click to select DS Access.

4. In the details pane, double-click Audit Directory Services Changes.

5. In the Audit Directory Services Changes Properties dialog box, select Configure the following
audit events, select the Success check box, and then click OK.

6. In the navigation pane, navigate to Computer Configuration\Policies\Windows Settings
\Security Settings\Advanced Audit Policy Configuration\Audit Policies, and then click to select
Account Management.

7. In the details pane, double-click Audit Security Group Management.

8. In the Audit Security Group Management Properties dialog box, select Configure the following
audit events, select the Success check box, and then click OK.

9. In the navigation pane, navigate to Computer Configuration\Policies\Windows Settings
\Security Settings\Local Policies, click to select Security Options, and then double-click the
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy
category settings.

10. In the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit
policy category settings dialog box, select Define this policy setting, ensure that Enabled is
selected, and then click OK.

11. Close the Group Policy Management Editor window and the Group Policy Management console.
12. On LON-DC1, from the Start screen, type cmd, and then click Command Prompt.

13. In the Administrator: Command Prompt window, type the following command, and then press
Enter:

gpupdate /force

14. From Server Manager, click Tools, and then click Active Directory Users and Computers.

15. In Active Directory Users and Computers, from the View menu, enable the Advanced Features
view.

16. In the navigation pane, click to select Adatum.com, right-click Adatum.com, and then click
Properties.

17. In the Adatum.com Properties dialog box, on the Security tab, click Advanced.

18. In the Advanced Security Settings for Adatum dialog box, on the Auditing tab, double-click the
Success auditing entry for Everyone with Special access, which applies to This object only.

19. In the Auditing Entry for Adatum dialog box, in the Applies to drop-down list box, select This
object and all descendent objects.

20. Click OK three times to close all open dialog boxes.

21. In Active Directory Users and Computers, in the navigation pane, if necessary, expand
Adatum.com, and then click to select Users.

22. In the details pane, double-click Domain Admins.


23. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.

24. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select text box, type Abbi, click Check Names, select Abbi Skinner and then click
OK three times.

25. In Active Directory Users and Computers, in the navigation pane, click to select Marketing.

26. In the details pane, double-click Ada Russel.


27. In the Ada Russel Properties dialog box, on the Address tab, in the City text box, select London, type
Birmingham, and then click OK.

28. Close Active Directory Users and Computers.


29. In Server Manager, click Tools, and then click Event Viewer.

30. In Event Viewer, expand Windows Logs, and then click Security.

31. In the details pane, search for the most recent Event ID 4728, and then double-click the event.

32. In the Event Properties – Event 4728, Microsoft Windows security auditing dialog box, you get the
message “A member was added to a security-enabled global group.” You can see that
ADATUM\Administrator invoked the change and that ADATUM\Abbi was added to the
ADATUM\Domain Admins group.

33. In Event Viewer, in the Windows Logs\Security log, search for the two most recent events with
Event ID 5136, and then double-click the older of the two.
34. In the Event Properties – Event 5136, Microsoft Windows security auditing dialog box, you will see
the following message: “A directory service object was modified.” You can see that
ADATUM\Administrator has modified the user object cn=Ada Russel, and then deleted the London
value. On the right side of the dialog box, click the Up Arrow to move to the next event.

Note: In the Event Properties details page, notice that ADATUM\Administrator modified
Ada Russel and added the Birmingham value.

35. Close all open windows except for Server Manager.

Results: After this exercise, you should have identified and configured the security policies for A. Datum.
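Steps 29 through 34 read the audit trail in Event Viewer. The following script is an added example, not part of the lab, that pulls the same 4728 and 5136 events with Get-WinEvent and prints who changed what, which is the form you would feed to a SIEM or a scheduled report. It assumes it runs on LON-DC1 within an hour of the changes in steps 24 through 27. Note that a directory change is logged only on the domain controller that processed it, so in a multi-DC domain you must query every DC or forward their Security logs. The mapping of OperationType %%14674 to "added" and %%14675 to "deleted" is taken from the event's own message template and is stated here as an assumption; unknown codes are printed as-is.

```powershell
# Added example (not part of the lab): read the auditing events produced by Task 5.
# Run on the DC that processed the changes (LON-DC1 in the lab).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 5136
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

# Read named EventData fields from the event XML instead of relying on the position of
# $event.Properties, which differs between event IDs.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

foreach ($e in $events) {
    $who = '{0}\{1}' -f (Get-EventField $e 'SubjectDomainName'), (Get-EventField $e 'SubjectUserName')
    switch ($e.Id) {
        4728 {
            # A member was added to a security-enabled global group (e.g. Domain Admins).
            '{0}  4728  {1} added {2} to {3}' -f $e.TimeCreated, $who,
                (Get-EventField $e 'MemberName'), (Get-EventField $e 'TargetUserName')
        }
        5136 {
            # A directory service object was modified: one event per attribute value added or deleted.
            $op = switch (Get-EventField $e 'OperationType') {
                '%%14674' { 'added' }      # assumption: value added
                '%%14675' { 'deleted' }    # assumption: value deleted
                default   { $_ }
            }
            "{0}  5136  {1} {2} {3}='{4}' on {5}" -f $e.TimeCreated, $who, $op,
                (Get-EventField $e 'AttributeLDAPDisplayName'), (Get-EventField $e 'AttributeValue'),
                (Get-EventField $e 'ObjectDN')
        }
    }
}
```

For the lab's changes you should see one 4728 line naming Abbi Skinner and Domain Admins, and two 5136 lines for Ada Russel's l attribute: one deleting London and one adding Birmingham. The 5136 events only exist because step 19 extended the SACL to all descendant objects; without that step, changes below the domain head are not audited.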

Exercise 2: Deploying and configuring an RODC


 Task 1: Stage a delegated installation of an RODC

Preparation
To prestage an RODC account, the computer name must not be in use in the domain. Therefore, you first
need to remove LON-SVR1 from the domain by performing the following steps:

1. On LON-SVR1, in Server Manager, on the left side, click Local Server.

2. In the Properties for LON-SVR1 section, click the domain Adatum.com.

3. In the System Properties dialog box, click Change.


4. In the Computer Name/Domain Changes dialog box, in the Member of section, select Workgroup,
type MUNICH, and then click OK.

5. In the Computer Name/Domain Changes dialog box, click OK.

6. In the Computer Name/Domain Changes dialog box, you will see the following message: “Welcome
to the MUNICH workgroup.” Click OK.

7. In the Computer Name/Domain Changes dialog box, you will see the following message: “You must
restart your computer to apply these changes.” Click OK.

8. In the System Properties dialog box, click Close.

9. In the Microsoft Windows dialog box, click Restart Now.

10. Sign in to LON-SVR1 with the local account:

o User name: Administrator

o Password: Pa55w.rd

11. Switch to LON-DC1. In Server Manager, click Tools, and then click Active Directory Users and
Computers.

12. In the navigation pane, expand Adatum.com, click to select Adatum Servers, right-click LON-SVR1,
and then click Delete.

13. In the Active Directory Domain Services dialog box, confirm the deletion by clicking Yes.

14. In the Confirm Subtree Deletion dialog box, click Yes.

Stage a delegated installation of an RODC


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Sites and Services.

2. In Active Directory Sites and Services, in the navigation pane, click Sites. From the Action menu,
click New Site.

3. In the New Object – Site dialog box, in the Name field, type Munich, select the DEFAULTIPSITELINK
site link object, and then click OK.

4. In the Active Directory Domain Services dialog box, click OK.

5. Switch to Server Manager, click Tools, and then click Active Directory Administrative Center.

6. In Active Directory Administrative Center, in the navigation pane, click Adatum (local), and then in
the details pane, double-click the Domain Controllers OU.

7. In the Tasks pane, in the Domain Controllers section, click Pre-create a Read-only domain
controller account.

8. In the Active Directory Domain Services Installation Wizard, on the Welcome to the Active
Directory Domain Services Installation Wizard page, click Next.

9. On the Network Credentials page, click Next.

10. On the Specify the Computer Name page, type the computer name LON-SVR1, and then click Next.

11. On the Select a Site page, click Munich, and then click Next.
12. On the Additional Domain Controller Options page, accept the default selections of DNS Server
and Global Catalog, and then click Next.

13. On the Delegation of RODC Installation and Administration page, click Set.

14. In the Select User or Group dialog box, in the Enter the object name to select field, type Nestor,
and then click Check Names.

15. Verify that Nestor Fiore is resolved, and then click OK.

16. On the Delegation of RODC Installation and Administration page, click Next.

17. On the Summary page, review your selections, and then click Next.

18. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

 Task 2: Run the Active Directory Domain Services Installation Wizard on an RODC to
complete the deployment process
1. Switch to LON-SVR1. From Server Manager, click Manage, and then click Add Roles and Features.

2. In the Add Roles and Features Wizard, on the Before You Begin page, click Next.

3. On the Select installation type page, accept the default of Role-based or feature-based
installation, and then click Next.

4. On the Select destination server page, accept the default with LON-SVR1 being selected, and then
click Next.
5. On the Select server roles page, in the Roles list, select Active Directory Domain Services.

6. In the Add Roles and Features Wizard, accept to install the features and management tools, click
Add Features, and then click Next.

7. On the Select features page, click Next.

8. On the Active Directory Domain Services page, click Next.

9. On the Confirm installation selections page, click Install.


10. Wait until the role installs. You can click Close at any time, but monitor the Notification icon in Server
Manager.

11. When the installation of the new role is finished, click the Notification icon for notifications.

12. In the Post-deployment Configuration message box, click Promote this server to a domain
controller.

13. In the Active Directory Domain Services Configuration Wizard, on the Deployment
Configuration page, leave the default to Add a domain controller to an existing domain.

14. In the Supply the credentials to perform this operation section, click Change.

15. In the Windows Security dialog box, enter the following credentials and then click OK:

o User name: Adatum\Nestor

o Password: Pa55w.rd

16. Under Specify the domain information for this operation, click Select, then select the domain
Adatum.com, click OK, and then click Next.

You will receive a notification that an RODC account that matches the name of the server exists in the
directory.

17. On the Domain Controller Options page, accept the default to Use existing RODC account, in the
Password and Confirm password fields, type Pa55w.rd, and then click Next.

18. On the Additional Options page, accept the defaults, and then click Next.

19. On the Paths page, accept the defaults, and then click Next.
20. On the Review Options page, review your options, and then click Next.

21. After the prerequisites check has been performed, click Install.

Note: The computer will configure AD DS and restart, but you can proceed to the next task.

 Task 3: Configure the domain-wide password replication policy


1. Switch to LON-DC1. In Server Manager, click Tools, and then click Active Directory Administrative
Center.

2. In Active Directory Administrative Center, in the navigation pane, click Adatum (local).

3. In the details pane, double-click IT.

4. Locate the IT group, right-click the group, and then click Add to another group.

5. In the Select Groups dialog box, in the Enter the object names to select text box, type denied, and
then click Check Names.

6. Verify that the name of the group is expanded to Denied RODC Password Replication Group, and
then click OK.

Note: The members of the IT group have elevated permissions, so storing their password on
an RODC would be a security risk. Therefore, you add the IT group to the global Deny List, which
applies to every RODC in the domain.

7. Close the Active Directory Administrative Center.

 Task 4: Create a group to manage password replication to the branch office RODC
1. Switch to Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In the navigation pane, expand Adatum.com, and then click Users.

3. On the Action menu, click New, and then click Group.

4. In the New Object – Group dialog box, type the group name Munich Allowed RODC Password
Replication Group, click OK, and then double-click the Munich Allowed RODC Password
Replication Group.

5. On the Members tab, click Add.

6. In the Select Users, Contacts, Computers, Services Accounts, or Groups dialog box, in the Enter
the object names to select text box, type Ana, and then click Check Names.

7. In the Multiple Names Found dialog box, select Ana Cantrell, and then click OK.

8. In the Select Users, Contacts, Computers, Service Accounts or Groups dialog box, click OK, and
then in the Munich Allowed RODC Password Replication Group Properties dialog box, click OK.

9. Close Active Directory Users and Computers.

10. In Active Directory Administrative Center, from the Domain Controllers OU, view the properties
for LON-SVR1.

11. In the Extensions section, on the Password Replication Policy tab, click Add.

12. In the Add Groups, Users and Computers dialog box, select Allow passwords for the account to
replicate to this RODC, and then click OK.
13. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select text box, type Munich, click Check Names, and then click OK.

14. In the LON-SVR1 dialog box, click OK to close the dialog box.

 Task 5: Evaluate the resultant password replication policy


1. In Active Directory Administrative Center, in the Tasks pane, in the LON-SVR1 section, click
Properties.

2. In the properties of LON-SVR1, in the Extensions section, on the Password Replication Policy tab,
click Advanced.

Note: This dialog box lists all accounts whose passwords are stored on the RODC.

3. Select Accounts that have been authenticated to this Read-only Domain Controller, and then
note that this list shows only accounts that have already been authenticated through this RODC.
4. Click the Resultant Policy tab, and then add Ana Cantrell. Notice that Ana Cantrell has a resultant
policy of Allow.

5. Close all open dialog boxes.

Results: After this exercise, you should have deployed and configured an RODC.
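Tasks 3 through 5 configure and inspect the password replication policy through the GUI. The following script is an added example, not part of the lab, that does the same from PowerShell and adds the check a practitioner wants after a branch RODC goes live: that no privileged account password has been cached on it. It assumes the ActiveDirectory module on LON-DC1 and the lab's names (RODC LON-SVR1, group IT, and Ana Cantrell with the sAMAccountName Ana).

```powershell
# Added example (not part of the lab): RODC password replication policy from PowerShell.
# Run on LON-DC1, the writable DC.
Import-Module ActiveDirectory

# Domain-wide deny list: members of IT hold elevated rights and must never be cached on any RODC.
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members 'IT'

# Branch-specific allow list for the Munich RODC.
if (-not (Get-ADGroup -Filter "Name -eq 'Munich Allowed RODC Password Replication Group'")) {
    New-ADGroup -Name 'Munich Allowed RODC Password Replication Group' -GroupScope Global `
        -Path 'CN=Users,DC=Adatum,DC=com'
}
Add-ADGroupMember -Identity 'Munich Allowed RODC Password Replication Group' -Members 'Ana'   # assumption: sAMAccountName
Add-ADDomainControllerPasswordReplicationPolicy -Identity LON-SVR1 `
    -AllowedList 'Munich Allowed RODC Password Replication Group'

# Review the policy as it applies to this RODC. A Deny entry always wins over an Allow entry.
'--- Allowed ---'; Get-ADDomainControllerPasswordReplicationPolicy -Identity LON-SVR1 -Allowed | Select-Object Name
'--- Denied  ---'; Get-ADDomainControllerPasswordReplicationPolicy -Identity LON-SVR1 -Denied  | Select-Object Name

# What is actually cached on the RODC, and who has authenticated through it so far.
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity LON-SVR1 -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity LON-SVR1 -AuthenticatedAccounts
"Cached passwords: $(@($revealed).Count); accounts authenticated via LON-SVR1: $(@($authenticated).Count)"

# Control check: no member of a privileged group may appear in the revealed list.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'IT' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty SamAccountName -Unique
$leaked = $revealed | Where-Object { $_.SamAccountName -in $privileged }
if ($leaked) { Write-Warning "Privileged credentials cached on LON-SVR1: $($leaked.SamAccountName -join ', ')" }
else         { 'No privileged account passwords are cached on LON-SVR1' }
```

If a branch RODC is ever lost or compromised, the revealed-accounts list is the scope of the exposure: reset the passwords of exactly those accounts (pipe the list into Set-ADAccountPassword -Reset) rather than the whole domain.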

Exercise 3: Creating and associating a group MSA


 Task 1: Create and associate an MSA
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Module for Windows
PowerShell.

2. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

3. At the Windows PowerShell command prompt, type the following command, and then press Enter:

New-ADServiceAccount -Name Webservice -DNSHostName LON-DC1 -PrincipalsAllowedToRetrieveManagedPassword LON-DC1$

4. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Add-ADComputerServiceAccount -Identity LON-DC1 -ServiceAccount Webservice

5. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Get-ADServiceAccount -Filter *

6. Note the output of the command, and then ensure that the newly created account is listed.

7. Minimize the Windows PowerShell command window.

 Task 2: Install a group MSA


1. On LON-DC1, at the Windows PowerShell command prompt, type the following command, and then
press Enter:

Install-ADServiceAccount -Identity Webservice

2. In Server Manager, click the Tools menu, and then click Internet Information Services (IIS)
Manager.

3. Expand LON-DC1 (Adatum\Administrator), and then click Application Pools.

4. In the details pane, right-click the DefaultAppPool, and then click Advanced Settings.

5. In the Advanced Settings dialog box, in the Process Model section, click Identity, and then click the
ellipsis (…).

6. In the Application Pool Identity dialog box, click Custom Account, and then click Set.

7. In the Set Credentials dialog box, type Adatum\Webservice$ in the User name field, and then click
OK three times.

8. In the Actions pane, click Stop to stop the application pool.

9. Click Start to start the application pool.

10. Close Internet Information Services (IIS) Manager.

Results: After completing this exercise, you should have configured an MSA.
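The lab creates the gMSA but never checks that the host can actually retrieve its password, which is the step that fails in practice when the KDS root key has not replicated or the computer is missing from PrincipalsAllowedToRetrieveManagedPassword. The following script is an added example, not part of the lab, with the checks to run after Exercise 3. It assumes the ActiveDirectory module, the lab's account name Webservice, and that it runs on LON-DC1. Backdating the root key with -EffectiveTime, as the lab does, is a single-DC shortcut; in production keep the default so that the key has replicated to every DC before any gMSA depends on it.

```powershell
# Added example (not part of the lab): post-deployment checks for the Webservice gMSA.
Import-Module ActiveDirectory

# 1. A KDS root key must exist and be effective before any gMSA password can be derived.
$rootKey = Get-KdsRootKey | Sort-Object EffectiveTime -Descending | Select-Object -First 1
if (-not $rootKey) { throw 'No KDS root key present; run Add-KdsRootKey first.' }
'KDS root key {0} effective from {1}' -f $rootKey.KeyId, $rootKey.EffectiveTime

# 2. Who may retrieve the managed password, and how often it rotates (default 30 days).
#    The interval is fixed at creation (New-ADServiceAccount -ManagedPasswordIntervalInDays)
#    and cannot be changed afterwards, so check it now rather than later.
$gmsa = Get-ADServiceAccount -Identity Webservice `
    -Properties DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'
$gmsa | Select-Object Name, DNSHostName, 'msDS-ManagedPasswordInterval', PrincipalsAllowedToRetrieveManagedPassword

# 3. Test-ADServiceAccount returns $true only when this computer can retrieve the password,
#    that is, the account is installed here and this host is an allowed principal.
if (Test-ADServiceAccount -Identity Webservice) {
    'This host can retrieve the Webservice$ managed password'
} else {
    Write-Warning 'Test-ADServiceAccount failed: check PrincipalsAllowedToRetrieveManagedPassword and Install-ADServiceAccount'
}

# 4. The service should be the only thing that holds this identity: a gMSA never needs a
#    password set by hand, so an interactive logon or a manual password reset on it is a red flag.
if ($gmsa.PrincipalsAllowedToRetrieveManagedPassword.Count -ne 1) {
    Write-Warning 'More than one principal may retrieve the Webservice$ password; confirm each one is intended'
}
```

Prefer a group rather than a single computer in PrincipalsAllowedToRetrieveManagedPassword when the service runs on several hosts, and keep that group under the same membership review as the administrative groups in Exercise 1, because membership in it is equivalent to knowing the service password.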

 Task 3: Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps two and three for 20742B-LON-SVR1.



Module 8: Deploying and managing AD CS


Lab: Deploying and configuring a two-tier
CA hierarchy
Exercise 1: Deploying an offline root CA
 Task 1: Create file and printer sharing exceptions
1. Sign in to CA-SVR1 as Administrator with the password Pa55w.rd.

2. Click Start, and then click Control Panel.

3. In the Control Panel window, click View network status and tasks.

4. In the Network and Sharing Center window, click Change advanced sharing settings.

5. Under Guest or Public (current profile), select the Turn on file and printer sharing option, and
then click Save changes.

6. Switch to LON-SVR1.

7. Click Start, and then click Control Panel.

8. In the Control Panel window, click View network status and tasks.

9. In the Network and Sharing Center window, click Change advanced sharing settings.

10. Under Domain (current profile), select the Turn on file and printer sharing option, and then click
Save changes.

 Task 2: Install and configure Active Directory Certificate Services (AD CS) on CA-SVR1
1. Switch to CA-SVR1.

2. Click Start, and then click Server Manager.


3. In Server Manager, click Add roles and features.

4. On the Before you begin page, click Next.

5. On the Select installation type page, click Next.


6. On the Select destination server page, click Next.

7. On the Select server roles page, select Active Directory Certificate Services. When the Add Roles
and Features Wizard window displays, click Add Features, and then click Next.

8. On the Select features page, click Next.

9. On the Active Directory Certificate Services page, click Next.

10. On the Select role services page, ensure that Certification Authority is selected, and then click Next.
11. On the Confirm installation selections page, click Install.

12. On the Installation progress page, after installation completes successfully, click the Configure
Active Directory Certificate Services on the destination server text.

13. In the AD CS Configuration Wizard, on the Credentials page, click Next.

14. On the Role Services page, select Certification Authority, and then click Next.

15. On the Setup Type page, ensure that Standalone CA is selected, and then click Next.

16. On the CA Type page, ensure that Root CA is selected, and then click Next.

17. On the Private Key page, ensure that Create a new private key is selected, and then click Next.

18. On the Cryptography for CA page, keep the default selections for Select a cryptographic provider
and Select the hash algorithm for signing certificates issued by this CA, but set the Key length to
4096, and then click Next.

19. On the CA Name page, in the Common name for this CA text box, type AdatumRootCA, and then
click Next.

20. On the Validity Period page, click Next.


21. On the CA Database page, click Next.

22. On the Confirmation page, click Configure.

23. On the Results page, click Close.

24. On the Installation progress page, click Close.

25. On CA-SVR1, in Server Manager, click Tools, and then click Certification Authority.

26. In the certsrv – [Certification Authority (Local)] console, right-click AdatumRootCA, and then click
Properties.

27. In the AdatumRootCA Properties dialog box, click the Extensions tab.

28. In the Select extension drop-down list, click CRL Distribution Point (CDP), and then click Add.
29. In the Location text box, type http://lon-svr1.adatum.com/CertData/.

30. In the Variable drop-down list, click <CaName>, and then click Insert.

31. In the Variable drop-down list, click <CRLNameSuffix>, and then click Insert.

32. In the Variable drop-down list, click <DeltaCRLAllowed>, and then click Insert.

33. In the Location text box, position the cursor at the end of the URL, type .crl, and then click OK.

34. Select the following options, and then click Apply:


o Include in the CDP extension of issued certificates

o Include in CRLs. Clients use this to find Delta CRL locations

35. In the Certification Authority pop-up window, click No.

36. In the Select extension drop-down list, click Authority Information Access (AIA), and then
click Add.

37. In the Location text box, type http://lon-svr1.adatum.com/CertData/.

38. In the Variable drop-down list, click <ServerDNSName>, and then click Insert.

39. In the Location text box, type an underscore (_). In the Variable drop-down list, click <CaName>,
click Insert, and then position the cursor at the end of the URL.

40. In the Variable drop-down list, click <CertificateName>, and then click Insert.

41. In the Location text box, position the cursor at the end of the URL, type .crt, and then click OK.

42. Select the Include in the AIA extension of issued certificates check box, and then click OK.

43. Click Yes to restart the Certification Authority service.

44. In the Certification Authority console, expand AdatumRootCA, right-click Revoked Certificates,
point to All Tasks, and then click Publish.

45. In the Publish CRL window, click OK.

46. Right-click AdatumRootCA, and then click Properties.

47. In the AdatumRootCA Properties dialog box, click View Certificate.

48. In the Certificate dialog box, click the Details tab, and then click Copy to File.

49. In the Certificate Export Wizard, on the Welcome page, click Next.

50. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.

51. On the File to Export page, click Browse, in the File name text box, type \\lon-svr1\C$, and then
press Enter.

52. In the File name text box, type RootCA, click Save, and then click Next.

53. Click Finish, and then click OK three times.

54. Open a File Explorer window, and then browse to C:\Windows\System32\CertSrv\CertEnroll.


55. In the CertEnroll folder, select both files, right-click the highlighted files, and then click Copy.

56. In the File Explorer address bar, type \\lon-svr1\C$, and then press Enter.

57. Right-click the empty space, and then click Paste.


58. Close File Explorer.
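The CDP and AIA changes from steps 26 through 45, as an added Windows PowerShell script that is not part of the original lab. It assumes it runs elevated on CA-SVR1 after the Certification Authority role service is configured, uses the ADCSAdministration module cmdlets, and publishes under the same http://lon-svr1.adatum.com/CertData/ location the lab uses.

```powershell
# Added example (not from the lab): script the CDP/AIA extension changes of
# steps 26-45 on the standalone root CA. Assumes an elevated session on CA-SVR1.
Import-Module ADCSAdministration

$publishHost = 'lon-svr1.adatum.com'

# CDP location built in steps 29-33:
#   http://lon-svr1.adatum.com/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
# %3, %8 and %9 are the certutil tokens for <CaName>, <CRLNameSuffix> and <DeltaCRLAllowed>.
$cdpUri = "http://$publishHost/CertData/%3%8%9.crl"

# AIA location built in steps 37-41:
#   http://lon-svr1.adatum.com/CertData/<ServerDNSName>_<CaName><CertificateName>.crt
# %1 is <ServerDNSName>, %4 is <CertificateName>.
$aiaUri = "http://$publishHost/CertData/%1_%3%4.crt"

# Step 34: "Include in the CDP extension of issued certificates" and
# "Include in CRLs. Clients use this to find Delta CRL locations".
if (-not (Get-CACrlDistributionPoint | Where-Object Uri -eq $cdpUri)) {
    Add-CACrlDistributionPoint -Uri $cdpUri -AddToCertificateCdp -AddToFreshestCrl -Force
}

# Step 42: "Include in the AIA extension of issued certificates".
if (-not (Get-CAAuthorityInformationAccess | Where-Object Uri -eq $aiaUri)) {
    Add-CAAuthorityInformationAccess -Uri $aiaUri -AddToCertificateAia -Force
}

# Step 43: the CA service must restart before the new extensions take effect.
Restart-Service -Name CertSvc

# Steps 44-45: publish a fresh CRL so the file in CertEnroll reflects the change.
certutil -crl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }

# Check: every URL the CA now writes into issued certificates must be one that
# domain clients can reach while the root CA itself is offline.
Get-CACrlDistributionPoint |
    Where-Object AddToCertificateCdp |
    Select-Object Uri, AddToCertificateCdp, AddToFreshestCrl

Get-CAAuthorityInformationAccess |
    Where-Object AddToCertificateAia |
    Select-Object Uri, AddToCertificateAia

# These are the files steps 54-57 copy to \\lon-svr1\C$ for publication under /CertData/.
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*" -Include *.crl, *.crt
```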

 Task 3: Create a Domain Name System (DNS) record for an offline root CA
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.

2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, click Adatum.com,
right-click Adatum.com, and then click New Host (A or AAAA).

3. In the New Host window, in the Name text box, type CA-SVR1.

4. In the IP address window, type 172.16.0.40, click Add Host, click OK, and then click Done.

5. Close DNS Manager.

Results: After completing this exercise, you should have successfully installed and configured the
standalone root certification authority (CA) role on the CA-SVR1 server. Additionally, you should have
created an appropriate DNS record in Active Directory Domain Services (AD DS) so that other servers can
connect to CA-SVR1.

Exercise 2: Deploying an enterprise subordinate CA


 Task 1: Install and configure AD CS on LON-SVR1
1. On LON-SVR1, click Start, click Server Manager, and then click Add roles and features.

2. On the Before you begin page, click Next.


3. On the Select installation type page, click Next.

4. On the Select destination server page, click Next.

5. On the Select server roles page, select Active Directory Certificate Services.

6. When the Add Roles and Features Wizard displays, click Add Features, and then click Next.

7. On the Select features page, click Next.

8. On the Active Directory Certificate Services page, click Next.

9. On the Select role services page, ensure that Certification Authority is selected already, and then
select Certification Authority Web Enrollment.

10. When the Add Roles and Features Wizard displays, click Add Features, and then click Next.
11. On the Confirm installation selections page, click Install.

12. On the Installation progress page, after installation is successful, click the Configure Active
Directory Certificate Services on the destination server text.

13. In the AD CS Configuration wizard, on the Credentials page, click Next.

14. On the Role Services page, select both Certification Authority and Certification Authority Web
Enrollment, and then click Next.

15. On the Setup Type page, select Enterprise CA, and then click Next.

16. On the CA Type page, click Subordinate CA, and then click Next.

17. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
18. On the Cryptography for CA page, keep the default selections, and then click Next.

19. On the CA Name page, in the Common name for this CA text box, type Adatum-IssuingCA, and
then click Next.
20. On the Certificate Request page, ensure that Save a certificate request to file on the target
machine is selected, and then click Next.

21. On the CA Database page, click Next.


22. On the Confirmation page, click Configure.

23. On the Results page, ignore the warning messages, and then click Close.

24. On the Installation progress page, click Close.

 Task 2: Install a subordinate CA certificate


1. On LON-SVR1, open a File Explorer window, and then browse to Local Disk (C:).

2. Right-click RootCA.cer, and then click Install Certificate.

3. In the Certificate Import wizard, click Local Machine, and then click Next.

4. On the Certificate Store page, click Place all certificates in the following store, and then click
Browse.

5. Select Trusted Root Certification Authorities, click OK, click Next, and then click Finish.

6. When the Certificate Import wizard window appears, click OK.

7. In the File Explorer window, select the AdatumRootCA.crl and CA-SVR1_AdatumRootCA.crt files,
right-click the files, and then click Copy.

8. Double-click inetpub.

9. Double-click wwwroot.

10. Create a new folder, and then name it CertData.

11. Paste the two copied files into that folder.

12. Switch to Local Disk (C:).



13. Right-click the LON-SVR1.Adatum.com_Adatum-LON-SVR1-CA.req file, and then click Copy.

14. In the File Explorer address bar, type \\CA-SVR1\C$, and then press Enter.

15. In the File Explorer window, right-click an empty space, and then click Paste. Make sure that the
request file copies to CA-SVR1.

16. Switch to the CA-SVR1 server.


17. In the Certification Authority console, right-click AdatumRootCA, point to All Tasks, and then click
Submit new request.

18. In the Open Request File window, navigate to Local Disk (C:), click the
LON-SVR1.Adatum.com_Adatum-LON-SVR1-CA.req file, and then click Open.

19. In the Certification Authority console, click the Pending Requests container. Right-click Pending
Requests, and then click Refresh.

20. In the details pane, right-click the request (with ID 2), point to All Tasks, and then click Issue.

21. In the Certification Authority console, click the Issued Certificates container.

22. In the details pane, double-click the certificate, click the Details tab, and then click Copy to File.

23. In the Certificate Export wizard, on the Welcome page, click Next.

24. On the Export File Format page, click Cryptographic Message Syntax Standard – PKCS #7
Certificates (.P7B), click Include all certificates in the certification path if possible, and then click
Next.

25. On the File to Export page, click Browse.

26. In the File name text box, type SubCA, click Save, click Next, click Finish, and then click OK twice.
27. Switch to LON-SVR1.

28. In Server Manager, click Tools, and then click Certification Authority.

29. In the Certification Authority console, right-click Adatum-IssuingCA, point to All Tasks, and then
click Install CA Certificate.

30. Go to Local Disk (C:), click the SubCA.p7b file, and then click Open.

31. Wait for 15–20 seconds, and then on the toolbar, click the green icon to start the CA service.

32. Ensure that the CA successfully starts.

33. Switch to CA-SVR1.

34. Shut down the server.

Note: From this point, you can safely take the root CA offline and use just the enterprise
subordinate CA.

 Task 3: Publish a root CA certificate through Group Policy


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click Default Domain Policy, and then click Edit.

3. In the Computer Configuration node, expand Policies, expand Windows Settings, expand Security
Settings, expand Public Key Policies, right-click Trusted Root Certification Authorities, click
Import, and then click Next.

4. On the File to Import page, click Browse.

5. In the file name text box, type \\lon-svr1\C$, and then press Enter.

6. Click file RootCA.cer, and then click Open.

7. Click Next two times, and then click Finish.

8. When the Certificate Import wizard window appears, click OK.

Note: It might take 15–20 seconds for this window to appear.

9. Close the Group Policy Management Editor and the Group Policy Management Console.

Results: After completing this exercise, you should have successfully deployed and configured an
enterprise subordinate CA. You also should have a subordinate CA certificate issued by a root CA installed
on LON-SVR1. To establish trust between the root CA and domain member clients, you will use Group
Policy to deploy a root CA certificate.

 Task 4: Prepare for the next module


After you finish the lab, revert the virtual machines to their initial state. To do this, complete the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-LON-SVR1 and 20742B-CA-SVR1.



Module 9: Deploying and managing certificates


Lab: Deploying and using certificates
Exercise 1: Configuring certificate templates
 Task 1: Create a new template based on the Web Server template
1. On LON-DC1, in Server Manager, click Tools, and then click Certification Authority.

2. In the Certification Authority console, expand AdatumCA, right-click Certificate Templates, and
then select Manage.

3. In the Certificate Templates Console, locate the Web Server template in the list, right-click it, and
then click Duplicate Template.

4. Click the General tab, in the Template display name text box, type Production Web Server, and
then type 3 in the Validity period text box.

5. Click the Request Handling tab, select Allow private key to be exported, and then click OK.
Minimize the Certificate Templates Console.

6. In the Certification Authority console on LON-DC1, right-click Revoked Certificates, select All
tasks, click Publish, and then click OK.

 Task 2: Create a new template for users that includes smart card sign in
1. On LON-DC1, in Server Manager, click Tools, and then click Certification Authority.

2. Expand AdatumCA, right-click Certificate Templates, and then click Manage. In the Certificate
Templates Console, right-click the User certificate template, and then click Duplicate Template.
3. In the Properties of New Template dialog box, click the General tab, and then in the Template
display name text box, type Adatum User.

4. On the Subject Name tab, clear both the Include e-mail name in subject name and the E-mail
name check boxes.

5. On the Extensions tab, click Application Policies, and then click Edit.

6. In the Edit Application Policies Extension dialog box, click Add.

7. In the Add Application Policy dialog box, select Smart Card Logon, and then click OK twice.

8. Click the Superseded Templates tab, click Add, click the User template, and then click OK.

9. On the Security tab, click Authenticated Users. Under Permissions for Authenticated Users, select
the Allow check boxes for Read, Enroll, and Autoenroll, and then click OK.

10. Close the Certificate Templates Console.

 Task 3: Configure templates so that they can be issued


1. On LON-DC1, in the Certification Authority console, right-click Certificate Templates, point to
New, and then click Certificate Template to Issue.

2. In the Enable Certificate Templates window, hold the Ctrl key and click both Adatum User and
Production Web Server. Then click OK.

 Task 4: Enroll the Web Server certificate on LON-SVR2


1. Switch to LON-SVR2.

2. Click Start, and then click the Windows PowerShell icon.

3. At the command prompt in the Windows PowerShell command-line interface, type gpupdate /force,
and then press Enter.

4. Click Start, and then click Server Manager. From Server Manager, click Tools, and then click
Internet Information Services (IIS) Manager.

5. In the IIS console, click LON-SVR2, and then in the central pane, double-click Server Certificates.

6. In the Actions pane, click Create Domain Certificate.

7. On the Distinguished Name Properties page, complete the following fields, and then click Next:

o Common name: lon-svr2.adatum.com

o Organization: Adatum
o Organizational unit: IT

o City/locality: Seattle

o State/province: WA

o Country/region: US

8. On the Online Certification Authority page, click Select, click AdatumCA, and then click OK.
9. In the Friendly name text box, type lon-svr2, and then click Finish.

10. Ensure that the certificate displays in the Server Certificates console.

11. In the IIS console, expand LON-SVR2, expand Sites, and then click Default Web Site.
12. In the Actions pane, click Bindings.

13. In the Site Bindings window, select Add.

14. In the Add Site Binding window, select https from the Type drop-down list. In the SSL certificate
drop-down list, click lon-svr2, click OK, and then click Close.

15. Close Internet Information Services (IIS) Manager.

16. Switch to LON-CL1. In the Cortana search field, type Internet Explorer. Click Internet Explorer in the
search results returned.

17. In Internet Explorer, type https://lon-svr2.adatum.com in the address bar, and then press Enter.

18. Ensure that the Internet Information Services page opens and that no certificate error displays.

Results: After completing this exercise, you should have configured certificate templates.

Exercise 2: Enrolling and using certificates


 Task 1: Configure autoenrollment for users
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain
Policy, and then click Edit.

3. Expand User Configuration, expand Policies, expand Windows Settings, expand Security Settings,
and then click to highlight Public Key Policies.

4. In the details pane, double-click Certificate Services Client – Auto-Enrollment.


5. In the Configuration Model drop-down list, click Enabled, select Renew expired certificates,
update pending certificates, and remove revoked certificates and Update certificates that use
certificate templates, and then click OK to close the properties window.
6. In the right pane, double-click the Certificate Services Client – Certificate Enrollment Policy object.

7. On the Enrollment Policy tab, set the Configuration Model to Enabled, and then ensure that the
Certificate Enrollment Policy list displays the Active Directory Enrollment policy. It should have a
check mark next to it and display a status of Enabled. Click OK to close the window.

8. Close both the Group Policy Management Editor window and the Group Policy Management
console.

 Task 2: Verify autoenrollment


1. On LON-CL1, click Start, type PowerShell, and then click the Windows PowerShell icon.

2. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.

3. After the policy refreshes, type mmc.exe, and then press Enter.

4. In Console1, click File, click Add/Remove Snap-in, click Certificates, click Add, click Finish, and then
click OK.

5. Expand Certificates – Current User, expand Personal, and then click Certificates.

6. Verify that a certificate based on the Adatum User template is issued for Administrator. To verify the
name of the template, scroll to the right in the console window.

7. Close Console1 without saving changes.

8. Sign out of LON-CL1.
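The check in step 6, reading the template name off each certificate, as an added Windows PowerShell example that is not part of the original lab. Run it on LON-CL1 as the signed-in user before step 8; it assumes only the standard certificate template extensions and the lab's Adatum User template name.

```powershell
# Added example (not from the lab): list the current user's Personal-store
# certificates with the template each was issued from, instead of scrolling
# the Certificates console to the Certificate Template column.
function Get-IssuedCertificateTemplate {
    param([string] $StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $template = $null
        foreach ($ext in $cert.Extensions) {
            switch ($ext.Oid.Value) {
                # Version 2+ templates (anything duplicated in the Certificate Templates
                # Console, such as Adatum User) carry this extension; Format() renders it
                # as "Template=<name>(<oid>), Major Version Number=..., Minor Version Number=..."
                '1.3.6.1.4.1.311.21.7' {
                    if ($ext.Format($false) -match 'Template=([^(,\r\n]+)') {
                        $template = $Matches[1].Trim()
                    }
                }
                # Version 1 templates (User, Computer, ...) store only the template name.
                '1.3.6.1.4.1.311.20.2' {
                    if (-not $template) { $template = $ext.Format($false).Trim() }
                }
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Template   = $template
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Step 6: after gpupdate, a certificate from the Adatum User template should exist
# for the signed-in user; fail loudly if autoenrollment did not deliver one.
$issued = Get-IssuedCertificateTemplate | Where-Object Template -eq 'Adatum User'
if (-not $issued) {
    throw 'No certificate from the Adatum User template; re-run gpupdate /force and check the template Security tab.'
}
$issued | Format-Table Subject, Template, Issuer, NotAfter -AutoSize
```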

 Task 3: Configure the enrollment agent for smart card certificates


1. On LON-DC1, in Server Manager, click Tools, and then open Certification Authority.

2. In the certsrv console, expand AdatumCA, right-click Certificate Templates, and then click Manage.
3. In the Certificate Templates Console, double-click Enrollment Agent.

4. Click the Security tab, and then click Add.

5. In the Select Users, Computers, Service Accounts, or Groups window, type Annie, click Check
Names, and then click OK.

6. On the Security tab, click Annie Conner, select the Allow check box for Read and Enroll permissions,
and then click OK.

7. Close the Certificate Templates Console.



8. In the certsrv console, right-click Certificate Templates, point to New, and then click Certificate
Template to Issue.

9. In the list of templates, click Enrollment Agent, and then click OK.

10. Switch to LON-CL1, and then sign in as Adatum\Annie with the password Pa55w.rd.

11. Click Start, type Command Prompt, and then press Enter. In the Command Prompt window, type
mmc.exe, and then press Enter.

12. In Console1, click File, and then click Add/Remove Snap-in.

13. Click Certificates, click Add, and then click OK.

14. Expand Certificates – Current User, expand Personal, click Certificates, right-click Certificates,
point to All Tasks, and then click Request New Certificate.

15. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.

16. On the Select Certificate Enrollment Policy page, click Next.

17. On the Request Certificates page, select Enrollment Agent, click Enroll, and then click Finish.

18. Sign out of LON-CL1.


19. Switch to LON-DC1.

20. In the Certification Authority console, right-click AdatumCA, and then click Properties.

21. On the Enrollment Agents tab, click Restrict Enrollment agents.


22. On the pop-up window that displays, click OK.

23. In the Enrollment agents section, click Add.

24. In the Select User, Computer or Group field, type Annie, click Check Names, and then click OK.
25. Click Everyone, and then click Remove.

26. In the Certificate Templates section, click Add.

27. In the list of templates, select Adatum User, and then click OK.

28. In the Certificate Templates section, click <All>, and then click Remove.

29. In the Permission section, click Add.

30. In the Select User, Computer or Group field, type Marketing, click Check Names, and then
click OK.

31. In the Permission section, click Everyone, click Remove, and then click OK.

 Task 4: Use certificates for digital signing of a Microsoft Office document


1. On LON-CL1, sign in as Adatum\Administrator with the password Pa55w.rd.

2. Click the Start button, type Word 2016, and then click Word 2016.

Note: If you receive a prompt from the Microsoft Office Activation Wizard, click
Close. If prompted to update, select Ask me later, and then click Accept.

3. Click blank document, type some text, and then save the document to the desktop.

4. On the toolbar, click INSERT, and then in the Text pane, in the Signature Line drop-down list, click
Microsoft Office Signature Line.

5. In the Signature Setup window, type your name in the Suggested signer text box, type
Administrator in the Suggested signer’s title text box, type [email protected] in the
Suggested signer’s email address text box, and then click OK.

6. Right-click the signature line in the document, and then click Sign….

7. In the Sign window, click Change.

8. In the Windows Security window under Select a certificate, select the Administrator certificate with
today’s date, and then click OK.

9. In the text box to the right of the X, type your name, click Sign, and then click OK. Instead of typing
your name, you also can select an image. This image can be your scanned handwriting signature.

10. Ensure that you cannot edit the document further.

Note: Try to type some text in the document.

11. Close Microsoft Word 2016, and then save changes if you receive a prompt.

12. Sign out of LON-CL1.

Results: After completing this exercise, you should have implemented certificate enrollment.

Exercise 3: Configuring and implementing key recovery


 Task 1: Configure the certification authority to issue KRA certificates
1. On LON-DC1, in the Certification Authority console, expand the AdatumCA node, right-click the
Certificates Templates folder, and then click Manage.

2. In the details pane, right-click the Key Recovery Agent certificate, and then click Properties.
3. In the Key Recovery Agent Properties dialog box, click the Issuance Requirements tab, and then
clear the CA certificate manager approval check box.

4. Click the Security tab. Notice that Domain Admins and Enterprise Admins are the only groups that
have the Enroll permission, and then click OK.

5. Close the Certificate Templates Console.

6. In the Certification Authority console, right-click Certificate Templates, point to New, and then
click Certificate Template to Issue.

7. In the Enable Certificate Templates dialog box, click the Key Recovery Agent template, and then
click OK.

8. Close the Certification Authority console.

 Task 2: Acquire the KRA certificate


1. On LON-DC1, click Start, and then click the Windows PowerShell icon.

2. At the Windows PowerShell command prompt, type mmc.exe, and then press Enter.

3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.

4. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.

5. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.

6. Expand the Certificates - Current User node, right-click Personal, point to All Tasks, and then click
Request New Certificate.

7. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.

8. On the Select Certificate Enrollment Policy page, click Next.


9. On the Request Certificates page, select the Key Recovery Agent check box, click Enroll, and then
click Finish.

10. Refresh the console, and then view the Key Recovery Agent (KRA) certificate in the Personal store. Scroll
across the certificate properties and verify that the Certificate Template column reads Key Recovery Agent.

11. Close Console1 without saving changes.

 Task 3: Configure the CA to allow key recovery


1. On LON-DC1, in Server Manager, click Tools, and then click Certification Authority. In the
Certification Authority console, right-click AdatumCA, and then click Properties.

2. In the AdatumCA Properties dialog box, click the Recovery Agents tab, and then select Archive the
key.

3. Under Key recovery agent certificates, click Add.

4. In the Key Recovery Agent Selection dialog box, click More Choices and click the certificate with the
KRA purpose (it most likely will be last on the list issued to Administrator), and then click OK twice.
5. When prompted to restart the certification authority (CA), click Yes.

 Task 4: Configure a custom template for key archival


1. On LON-DC1, in the Certification Authority console, expand AdatumCA. Right-click the Certificates
Templates folder, and then click Manage.

2. In the Certificate Templates Console, right-click the User certificate, and then click Duplicate
Template.

3. In the Properties of New Template dialog box, on the General tab, in the Template display name
text box, type Archive User.

4. On the Request Handling tab, select the Archive subject's encryption private key check box.

5. If a pop-up window displays, click OK.


6. Click the Subject Name tab, clear the E-mail name and Include E-mail name in subject name check
boxes, and then click OK.

7. Close the Certificate Templates Console.


8. In the Certification Authority console, right-click the Certificates Templates folder, point to New,
and then click Certificate Template to Issue.

9. In the Enable Certificate Templates dialog box, click the Archive User template, and then
click OK.

10. Close the Certification Authority console.

 Task 5: Verify key archival functionality


1. Sign in to LON-CL1 as Adatum\Aidan with the password Pa55w.rd.

2. On the Start screen, type mmc.exe, and then press Enter. If prompted, click Yes in the User Account
Control window.

3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.

4. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, and then click OK.

5. Expand the Certificates - Current User node, right-click Personal, click All Tasks, and then click
Request New Certificate.

6. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
7. On the Select Certificate Enrollment Policy page, click Next.

8. On the Request Certificates page, select the Archive User check box, click Enroll, and then click
Finish.

9. Refresh the console, then expand Personal and click Certificates. Note that a certificate is issued to
Aidan based on the Archive User certificate template.

10. Simulate the loss of a private key by deleting the certificate. In the central pane, right-click the
certificate that you just enrolled, select Delete, and then click Yes to confirm.

11. Switch to LON-DC1.

12. Open the Certification Authority console, expand AdatumCA, and then click the Issued Certificates
store.

13. In the details pane, double-click a certificate with a Requestor Name of Adatum\Aidan and a
Certificate Template name of Archive User.

14. Click the Details tab, copy the Serial number, and then click OK. You might copy the number either
by selecting it and pressing Ctrl+C or by noting it in a document.

15. Click the Start button, and then click the Windows PowerShell icon.
16. At the Windows PowerShell command prompt, type the following command, where <serial number>
is the serial number that you copied, and then press Enter:

certutil -getkey <serial number> outputblob

Note: If you copy and paste the serial number, remove the spaces between the numbers
or enclose the serial number between double quotes.

17. Verify that the Outputblob file now displays in the C:\Users\Administrator folder.

18. To convert the Outputblob file into a .pfx file, at the Windows PowerShell command prompt, type
the following command, and then press Enter:

certutil -recoverkey outputblob aidan.pfx

19. When prompted for the new password, type Pa55w.rd, and then confirm the password.

20. After the command executes, close Windows PowerShell.


21. Go to C:\Users\Administrator, and then verify that aidan.pfx—the recovered key—is created.

22. Switch to LON-CL1.

23. Open File Explorer, and then browse to \\LON-DC1.adatum.com\c$. When prompted for
credentials, use Adatum\Administrator with the password Pa55w.rd.

24. Go to \\LON-DC1.adatum.com\c$\users\administrator.

25. Right-click the aidan.pfx file, and then select Copy. Go to C:\Users\aidan. In the empty space, right-
click, and then select Paste.

26. Double-click the aidan.pfx file.

27. On the Welcome to the Certificate Import Wizard page, click Next.

28. On the File to Import page, click Next.


29. On the Password page, type the password Pa55w.rd, and then click Next.

30. On the Certificate Store page, click Next, click Finish, and then click OK.

31. In Console1, expand the Certificates - Current User node, expand Personal, and then click
Certificates.

32. Refresh the console, and then verify that the certificate for Aidan is restored.

Results: After completing this exercise, you should have configured key recovery.
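The recovery in steps 13 through 21, as an added Windows PowerShell script that is not part of the original lab. It assumes it is saved as a script (for example Recover-ArchivedKey.ps1, a name chosen here) and run as Adatum\Administrator on LON-DC1 after steps 1 through 10, with the KRA certificate from Task 2 in that user's Personal store; it also generalizes the lab's note by stripping the spaces the Details tab puts in the serial number.

```powershell
# Added example (not from the lab): run the certutil -getkey / -recoverkey
# sequence of steps 16-19 with the checks an operator would want around it.
param(
    # Serial number as copied from the Details tab; embedded spaces are tolerated.
    [Parameter(Mandatory)] [string] $SerialNumber,
    # Where to write the recovered .pfx, e.g. C:\Users\Administrator\aidan.pfx
    [Parameter(Mandatory)] [string] $OutputPfx,
    # Password that will protect the .pfx (the lab uses Pa55w.rd).
    [Parameter(Mandatory)] [SecureString] $PfxPassword
)

# The note under step 16: certutil needs the serial number without spaces.
$serial = ($SerialNumber -replace '\s', '').ToLowerInvariant()
if ($serial -notmatch '^[0-9a-f]+$') {
    throw "Serial number '$SerialNumber' is not a hexadecimal string."
}

$blob = Join-Path $env:TEMP "$serial.blob"
try {
    # Step 16: export the archived key material from the CA database. It is still
    # encrypted to the KRA certificate at this point.
    certutil -getkey $serial $blob | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $blob)) {
        throw "certutil -getkey failed (exit code $LASTEXITCODE); is the KRA certificate in this user's store?"
    }

    # Steps 18-19: decrypt with the KRA private key and wrap the result in a
    # password-protected PFX, passing the password instead of answering the prompt.
    $plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
    certutil -p $plain -recoverkey $blob $OutputPfx | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -recoverkey failed (exit code $LASTEXITCODE)"
    }
}
finally {
    # The intermediate blob serves no further purpose; do not leave it on disk.
    if (Test-Path $blob) { Remove-Item $blob -Force }
}

# Step 21, done properly: confirm the PFX really contains a private key before
# copying it to the user (step 25), rather than only checking that the file exists.
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($OutputPfx, $PfxPassword)
try {
    if (-not $pfx.HasPrivateKey) { throw "$OutputPfx contains no private key" }
    [pscustomobject]@{
        Subject      = $pfx.Subject
        SerialNumber = $pfx.SerialNumber
        NotAfter     = $pfx.NotAfter
        Pfx          = (Resolve-Path $OutputPfx).Path
    }
}
finally {
    $pfx.Dispose()
}
```

Invoke it as .\Recover-ArchivedKey.ps1 -SerialNumber '<serial number>' -OutputPfx C:\Users\Administrator\aidan.pfx -PfxPassword (Read-Host -AsSecureString), then continue with step 22.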

 Task 6: Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following
steps:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-LON-CL1, 20742B-LON-SVR1, and 20742B-LON-SVR2.



Module 10: Implementing and administering AD FS


Lab: Implementing AD FS
Exercise 1: Configuring the AD FS prerequisites
 Task 1: Configure the DNS forwarders
1. On LON-DC1, in the Server Manager window, click Tools, and then click DNS.

2. In DNS Manager, expand LON-DC1, and then click Conditional Forwarders.

3. Right-click Conditional Forwarders, and then click New Conditional Forwarder.

4. In the New Conditional Forwarder window, in the DNS Domain box, type TreyResearch.net.

5. In the IP addresses of the master servers box, type 172.16.10.10, and then press Enter.

Note: If you receive a notification that the IP address is not authoritative for the required
zone, you can safely ignore and proceed.

6. Select the Store this conditional forwarder in Active Directory, and replicate it as follows check
box, select All DNS servers in this forest, and then click OK.

7. Close DNS Manager.

8. On TREY-DC1, in the Server Manager window, click Tools, and then click DNS.

9. In DNS Manager, expand TREY-DC1, and then click Conditional Forwarders.

10. Right-click Conditional Forwarders, and then click New Conditional Forwarder.

11. In the New Conditional Forwarder window, in the DNS Domain box, type Adatum.com.

12. In the IP addresses of the master servers box, type 172.16.0.10, and then press Enter.

Note: If you receive a notification that the IP address is not authoritative for the required
zone, you can safely ignore it and proceed.

13. Select the Store this conditional forwarder in Active Directory, and replicate it as follows check
box, select All DNS servers in this forest, and then click OK.

14. Close DNS Manager.

Note: In a production environment, you probably will use Internet DNS instead of
conditional forwarders.
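
The two conditional forwarders above, created with the DnsServer module instead of DNS Manager. This is an added example, not part of the lab handbook; the Test-PartnerForwarder helper is written for this example, and the name it resolves assumes each partner DC has an A record in its own zone (it does in this lab, since the UNC paths in Task 2 rely on it).

```powershell
# Added example, not from the lab: the same conditional forwarders created with the
# DnsServer module. Run each block on the DC named in its comment, as a domain admin.

# On LON-DC1: send TreyResearch.net queries to TREY-DC1 (172.16.10.10).
Add-DnsServerConditionalForwarderZone -Name 'TreyResearch.net' `
    -MasterServers 172.16.10.10 `
    -ReplicationScope 'Forest'   # same as "All DNS servers in this forest"

# On TREY-DC1: send Adatum.com queries to LON-DC1 (172.16.0.10).
Add-DnsServerConditionalForwarderZone -Name 'Adatum.com' `
    -MasterServers 172.16.0.10 `
    -ReplicationScope 'Forest'

# Check (hypothetical helper written for this example): the zone really is a
# forwarder, and a name in the partner domain resolves through it.
function Test-PartnerForwarder {
    param([string]$Zone, [string]$HostName)
    $zoneInfo = Get-DnsServerZone -Name $Zone -ErrorAction Stop
    if ($zoneInfo.ZoneType -ne 'Forwarder') {
        throw "$Zone exists but is a $($zoneInfo.ZoneType) zone, not a conditional forwarder"
    }
    # -DnsOnly skips the local cache and hosts file so the answer comes from DNS.
    Resolve-DnsName -Name $HostName -Type A -DnsOnly -ErrorAction Stop |
        Select-Object Name, IPAddress
}
# On LON-DC1:
Test-PartnerForwarder -Zone 'TreyResearch.net' -HostName 'trey-dc1.treyresearch.net'
```

A forwarder that replicates to every DNS server in the forest is the right scope here because every domain controller must resolve the partner's federation service name, not just the one you configured.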

► Task 2: Configure the certificate trusts

1. On LON-DC1, open File Explorer, go to \\TREY-DC1\CertEnroll, and then copy
TREY-DC1.TreyResearch.net_TreyResearchCA.crt to C:\.

2. Close File Explorer.

3. In Server Manager, click Tools, and then click Group Policy Management.

4. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com,
right-click Default Domain Policy, and then click Edit.

5. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Public Key Policies, and then click Trusted
Root Certification Authorities.

6. Right-click Trusted Root Certification Authorities, and then click Import.

7. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click
Next.

8. On the File to Import page, type C:\TREY-DC1.TreyResearch.net_TreyResearchCA.crt, and then
click Next.

9. On the Certificate Store page, click Place all certificates in the following store, select Trusted Root
Certification Authorities, and then click Next.

10. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to close the
success message.

11. Close the Group Policy Management Editor.

12. Close Group Policy Management.

13. On TREY-DC1, open File Explorer, and then go to \\LON-DC1\CertEnroll.

14. Right-click LON-DC1.Adatum.com_AdatumCA.crt, and then click Install Certificate.

15. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click
Local Machine, and then click Next.

16. On the Certificate Store page, click Place all certificates in the following store, and then click
Browse.

17. In the Select Certificate Store window, click Trusted Root Certification Authorities, and then
click OK.

18. On the Certificate Store page, click Next.

19. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to close the
success message.

20. Close File Explorer.

21. On LON-SVR1, click Start and then click Windows PowerShell.

22. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.

23. Close Windows PowerShell.

Note: If you obtain certificates from a trusted certification authority (CA), you do not
need to configure a certificate trust between the organizations.
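
The same root-certificate trust from PowerShell, as an added example that is not part of the lab. It mirrors steps 13 to 19 on TREY-DC1 with the PKI module's Import-Certificate and then checks what landed in the store; the Adatum side still uses the Group Policy steps above, because there is no cmdlet for editing a GPO's Trusted Root list. Test-TrustedRoot is a helper written for this example.

```powershell
# Added example, not from the lab: import the partner CA certificate into the
# machine's Trusted Root store on TREY-DC1 and verify the result.

$partnerCaCert = '\\LON-DC1\CertEnroll\LON-DC1.Adatum.com_AdatumCA.crt'

# The machine store, not the current user's, so services such as AD FS trust the chain.
# Import-Certificate returns the X509Certificate2 objects it imported.
$imported = Import-Certificate -FilePath $partnerCaCert `
    -CertStoreLocation 'Cert:\LocalMachine\Root'

# Check (hypothetical helper written for this example): the root is present, is
# self-signed (a non-root certificate in this store is a configuration mistake),
# and is inside its validity period.
function Test-TrustedRoot {
    param([string]$Thumbprint)
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\Root\$Thumbprint" -ErrorAction Stop
    $now = Get-Date
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Valid      = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        Expires    = $cert.NotAfter
    }
}
Test-TrustedRoot -Thumbprint $imported.Thumbprint
```

Record the thumbprint the check prints: when the partner renews its CA certificate, that is the value you compare against the new file before trusting it.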

► Task 3: Request and install a certificate for the web server

1. On LON-SVR1, open Server Manager, click Tools, and then click Internet Information Services (IIS)
Manager.

2. In Microsoft Internet Information Services (IIS) Manager, click LON-SVR1 (ADATUM\Administrator),
and then double-click Server Certificates.

3. In the Actions pane, click Create Domain Certificate.



4. In the Create Certificate wizard, on the Distinguished Name Properties page, type the following
information, and then click Next:

o Common name: lon-svr1.adatum.com

o Organization: A. Datum Corporation

o Organizational unit: IT

o City/locality: London

o State/Province: England

o Country/region: GB

5. On the Online Certification Authority page, click Select.

6. In the Select Certification Authority page, click AdatumCA, and then click OK.

7. On the Online Certification Authority page, in the Friendly name box, type AdatumTestApp
Certificate, and then click Finish.

8. In IIS Manager, expand LON-SVR1 (ADATUM\Administrator), expand Sites, click Default Web Site,
and then in the Actions pane, click Bindings.

9. In the Site Bindings window, click Add.

10. In the Add Site Binding window, in the Type list, select https.

11. In the SSL certificate list, select AdatumTestApp Certificate, and then click OK.

12. In the Site Bindings window, click Close.

13. Close IIS Manager.
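
Task 3 from PowerShell, as an added example that is not part of the lab. It assumes AdatumCA publishes the default WebServer template with enrollment permission for this computer, and uses the PKI and WebAdministration modules; the Test-Certificate call at the end performs the same chain and name validation a browser will apply to the binding.

```powershell
# Added example, not from the lab: enroll the web server certificate from AdatumCA
# and bind it to the Default Web Site on LON-SVR1.
Import-Module PKI, WebAdministration

$hostName = 'lon-svr1.adatum.com'

# Subject carries the same distinguished-name fields as the wizard; -DnsName adds
# a Subject Alternative Name, which current browsers require for name matching.
$result = Get-Certificate -Template 'WebServer' `
    -SubjectName "CN=$hostName, O=A. Datum Corporation, OU=IT, L=London, S=England, C=GB" `
    -DnsName $hostName `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($result.Status)"
}
$cert = $result.Certificate

# Create the HTTPS binding once, then attach the certificate to it.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol 'https')) {
    New-WebBinding -Name 'Default Web Site' -Protocol 'https' -Port 443
}
(Get-WebBinding -Name 'Default Web Site' -Protocol 'https').AddSslCertificate($cert.Thumbprint, 'My')

# Check: the certificate chains to a trusted root for server authentication under the
# name clients will use. $false here means users will see a certificate warning.
Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName
```

If Test-Certificate returns $false on a client in the partner forest but $true here, the missing piece is the root trust from Task 2, not the binding.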

Results: After completing this exercise, you should have enabled DNS resolution and certificate trusts
between the domains successfully. Also, you will have enabled an SSL certificate for the website and
validated access to it.

Exercise 2: Installing and configuring AD FS


► Task 1: Create a DNS record for AD FS
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.

2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.

3. Right-click Adatum.com, and then click New Host (A or AAAA).

4. In the New Host window, in the Name box, type adfs.

5. In the IP address box, type 172.16.0.10, and then click Add Host.

6. In the DNS window, click OK.

7. Click Done, and then close DNS Manager.



► Task 2: Install AD FS
1. On LON-DC1, click Start, right-click Windows PowerShell, and then click Run as Administrator.

2. At the command prompt, type the following command, and then press Enter:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

This command creates the Microsoft Group Key Distribution Service root key to generate group
Managed Service Account (gMSA) passwords for the account that you will use later in this lab. You
should receive a globally unique identifier (GUID) as a response to this command.

3. Click Start, click Server Manager, click Manage, and then click Add Roles and Features.

4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

5. On the Select installation type page, click Role-based or feature-based installation, and then click
Next.

6. On the Select destination server page, click Select a server from the server pool, click
LON-DC1.Adatum.com, and then click Next.

7. On the Select server roles page, select the Active Directory Federation Services check box, and
then click Next.

8. On the Select features page, click Next.


9. On the Active Directory Federation Services (AD FS) page, click Next.

10. On the Confirm installation selections page, click Install.

11. When the installation is complete, click Close.

► Task 3: Configure AD FS
1. On LON-DC1, in Server Manager, click the Notifications icon, and then click Configure the
federation service on this server.

2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click
Create the first federation server in a federation server farm, and then click Next.

3. On the Connect to Active Directory Domain Services page, click Next to use
Adatum\Administrator to perform the configuration.

4. On the Specify Service Properties page, in the SSL Certificate list, select adfs.adatum.com.

5. In the Federation Service Display Name box, type A. Datum Corporation, and then click Next.

6. On the Specify Service Account page, click Create a Group Managed Service Account.

7. In the Account Name box, type ADFSService, and then click Next.

8. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.

9. On the Review Options page, click Next.

10. On the Pre-requisite Checks page, click Configure.

11. On the Results page, click Close.

Note: The adfs.adatum.com certificate was preconfigured for this task. In your own
environment, you must obtain this certificate.

► Task 4: Verify AD FS functionality

1. On LON-CL1, click Start, click Windows Accessories, and then click Internet Explorer.

2. In Internet Explorer, on the address bar, type
https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml, and then press Enter.

3. Verify that the file loads, and then close Internet Explorer.
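
Tasks 2 to 4 in one elevated PowerShell session on LON-DC1, as an added example that is not the lab's own script. It assumes the preconfigured adfs.adatum.com certificate is in the machine's Personal store. Test-AdfsMetadata is a helper written for this example; it goes one step beyond the lab's "the file loads" check by confirming that the metadata advertises the token-signing certificate AD FS actually holds, which is what a relying party will pin its trust to.

```powershell
# Added example, not from the lab: install and configure the first AD FS server
# and then verify the published federation metadata. Run elevated on LON-DC1.

# 1. KDS root key so a gMSA can be created. Backdating the effective time by ten
#    hours avoids waiting for replication in a lab; in production omit -EffectiveTime.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# 2. Role installation.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 3. Farm configuration with a gMSA and the Windows Internal Database (the default).
$sslCert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -like 'CN=adfs.adatum.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $sslCert) { throw 'adfs.adatum.com certificate not found in the machine store' }

Install-AdfsFarm -CertificateThumbprint $sslCert.Thumbprint `
    -FederationServiceName 'adfs.adatum.com' `
    -FederationServiceDisplayName 'A. Datum Corporation' `
    -GroupServiceAccountIdentifier 'ADATUM\ADFSService$'

# 4. Verification (hypothetical helper written for this example).
function Test-AdfsMetadata {
    param([string]$FederationServiceName)
    $uri = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"
    [xml]$md = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content

    # The primary token-signing certificate AD FS holds locally.
    $signing  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    $expected = [Convert]::ToBase64String($signing.Certificate.RawData)

    # Signing certificates the metadata advertises, base64 in KeyDescriptor/KeyInfo/X509Data.
    $advertised = $md.EntityDescriptor.RoleDescriptor.KeyDescriptor |
        Where-Object use -eq 'signing' |
        ForEach-Object { $_.KeyInfo.X509Data.X509Certificate -replace '\s', '' }

    [pscustomobject]@{
        EntityId           = $md.EntityDescriptor.entityID
        SigningCertInMd    = ($advertised -contains $expected)
        SigningCertExpires = $signing.Certificate.NotAfter
    }
}
Test-AdfsMetadata -FederationServiceName 'adfs.adatum.com'
```

SigningCertInMd should be $true; if it is $false after a certificate rollover, partners still holding the old metadata will reject every token until they refresh it.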

Results: After completing this exercise, you should have installed and configured AD FS successfully. You
also should have verified that it is functioning by viewing the contents of the FederationMetaData.xml
file.

Exercise 3: Configuring an internal application for AD FS


► Task 1: Configure the Active Directory claims provider trust
1. On LON-DC1, in Server Manager, click Tools, and then click AD FS Management.

2. In the AD FS management console, click Claims Provider Trusts.


3. In the list of Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules.

4. In the Edit Claim Rules for Active Directory window, on the Acceptance Transform Rules tab, click
Add Rule.

5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template list, select Send LDAP Attributes as Claims, and then click Next.

6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.

7. In the Attribute store list, select Active Directory.

8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type, and then click Finish:

o E-Mail-Addresses: E-Mail Address

o User-Principal-Name: UPN

o Display-Name: Name

9. In the Edit Claim Rules for Active Directory window, click OK.

► Task 2: Configure the application to trust incoming claims

1. On LON-SVR1, open Server Manager, click Tools, and then click Windows Identity Foundation
Federation Utility.

2. On the Welcome to the Federation Utility Wizard page, in the Application configuration location
box, type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the sample
web.config file.

3. In the Application URI box, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the
path to the sample application that will trust the incoming claims from the federation server, and then
click Next.

4. On the Security Token Service page, click Use an existing STS, and then in the STS WS-Federation
metadata document location box, type
https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml, and then click Next.

5. On the STS signing certificate chain validation error page, click Disable certificate chain
validation, and then click Next.

6. On the Security token encryption page, click No encryption, and then click Next.

7. On the Offered claims page, review the claims that will be offered by the federation server, and then
click Next.

8. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and then
click Finish.

9. In the Success window, click OK.

► Task 3: Configure a relying party trust for the claims-aware application

• On LON-DC1, at the Windows PowerShell command prompt, type the following command to add a
relying party trust, and then press Enter:

Add-ADFSRelyingPartyTrust -Name 'A. Datum Corporation Test App' -MetadataURL 'https://lon-svr1.adatum.com/AdatumTestApp/federationmetadata/2007-06/federationmetadata.xml'

► Task 4: Configure claim rules for the relying party trust

1. On LON-DC1, in the AD FS management console, in the list of Relying Party Trusts, click A. Datum
Corporation Test App, and then select Edit Claim Issuance policy.

2. In the Edit Claim Issuance Policy for A. Datum Corporation Test App window, on the Issuance
Transform Rules tab, click Add Rule.

3. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click
Next.

4. In the Claim rule name box, type Pass through Windows account name.

5. In the Incoming claim type list, click Windows account name, and then click Finish.

6. On the Issuance Transform Rules tab, click Add Rule.

7. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click
Next.

8. In the Claim rule name box, type Pass through E-Mail Address.

9. In the Incoming claim type list, click E-Mail Address, and then click Finish.

10. On the Issuance Transform Rules tab, click Add Rule.

11. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click
Next.

12. In the Claim rule name box, type Pass through UPN.

13. In the Incoming claim type list, click UPN, and then click Finish.

14. On the Issuance Transform Rules tab, click Add Rule.

15. In the Claim rule template dialog box, select Pass Through or Filter an Incoming Claim, and then
click Next.

16. In the Claim rule name box, type Pass through Name.

17. In the Incoming claim type list, click Name, and then click Finish.

18. On the Issuance Transform Rules tab, click OK.



19. In the AD FS management console, in the list of Relying Party Trusts, click A. Datum Corporation
Test App, and then select Edit Access Control Policy.

20. In Edit Access Control Policy for A. Datum Corporation Test App, select Permit everyone, and
click OK.
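
Tasks 1, 3 and 4 of this exercise written as AD FS cmdlet calls with rules in the claim rule language, as an added example rather than the lab's own commands. The rule text is written for this example; it is equivalent to what the Send LDAP Attributes as Claims and Pass Through or Filter an Incoming Claim templates generate, and -AccessControlPolicyName assumes the Windows Server 2016 AD FS cmdlets. Run on LON-DC1.

```powershell
# Added example, not the lab's commands: Exercise 3 Tasks 1, 3 and 4 on LON-DC1,
# with the wizard rules expressed in the AD FS claim rule language.

# Task 1: LDAP attribute rule on the Active Directory claims provider trust.
# The {0} placeholder receives the Windows account name from the incoming claim.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Outbound LDAP Attributes Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,userPrincipalName,displayName;{0}", param = c.Value);
'@
# Keep the rules AD FS created for this trust and append the new one.
$current = (Get-AdfsClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($current + "`n" + $ldapRule)

# Task 3: relying party trust built from the application's federation metadata.
Add-AdfsRelyingPartyTrust -Name 'A. Datum Corporation Test App' `
    -MetadataUrl 'https://lon-svr1.adatum.com/AdatumTestApp/federationmetadata/2007-06/federationmetadata.xml'

# Task 4: one pass-through rule per claim type the application consumes, plus the
# built-in "Permit everyone" access control policy. Ordered so rule numbering is stable.
$passThrough = [ordered]@{
    'Windows account name' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
    'E-Mail Address'       = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    'UPN'                  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    'Name'                 = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
}
$issuanceRules = ($passThrough.GetEnumerator() | ForEach-Object {
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through $($_.Key)"
c:[Type == "$($_.Value)"]
 => issue(claim = c);
"@
}) -join "`n"

Set-AdfsRelyingPartyTrust -TargetName 'A. Datum Corporation Test App' `
    -IssuanceTransformRules $issuanceRules `
    -AccessControlPolicyName 'Permit everyone'

# Check: read back what AD FS stored. A mistyped claim type URI does not raise an
# error; the rule simply never matches, so compare this output with the four types above.
(Get-AdfsRelyingPartyTrust -Name 'A. Datum Corporation Test App').IssuanceTransformRules
```

Keeping rules as text like this also lets you diff a trust's configuration before and after a change, which the wizard screens do not give you.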

► Task 5: Test access to the claims-aware application

1. On LON-CL1, open Internet Explorer.

2. In Internet Explorer, on the address bar, type https://lon-svr1.adatum.com/AdatumTestApp/, and
then press Enter.

Note: It is critical to use the trailing forward slash (/) in the URL for step 2.

3. In the Windows Security window, sign in as Adatum\Adam with the password Pa55w.rd.

4. Review the claim information that the application displays.


5. Close Internet Explorer.

► Task 6: Configure Internet Explorer to pass local credentials to the application automatically

1. On LON-CL1, click Start, type Internet Options, and then click Internet Options.

2. In the Internet Properties window, on the Security tab, click Local intranet, and then click Sites.

3. In the Local intranet window, click Advanced.

4. In the Local intranet window, in the Add this website to the zone box, type
https://adfs.adatum.com, and then click Add.

5. In the Add this website to the zone box, type https://lon-svr1.adatum.com, click Add, and then
click Close.

6. In the Local intranet window, click OK.


7. In the Internet Properties window, click OK.

8. On LON-CL1, open Internet Explorer.

9. In Internet Explorer, on the address bar, type https://lon-svr1.adatum.com/AdatumTestApp/, and
then press Enter.

Note: It is critical to use the trailing forward slash (/) in the URL for step 9.

10. Notice that you were not prompted for credentials.

11. Review the claim information that is displayed by the application.

12. Close Internet Explorer.

Results: After completing this exercise, you should have configured AD FS successfully to support
application authentication.

Exercise 4: Configuring AD FS for federated business partners


► Task 1: Create a DNS record for AD FS at Trey Research
1. On TREY-DC1, in Server Manager, click Tools, and then click DNS.

2. In DNS Manager, expand TREY-DC1, expand Forward Lookup Zones, and then click
TreyResearch.net.

3. Right-click TreyResearch.net, and then click New Host (A or AAAA).

4. In the New Host window, in the Name box, type adfs.

5. In the IP address box, type 172.16.10.10, and then click Add Host.

6. In the DNS window, click OK.

7. Click Done, and then close DNS Manager.

► Task 2: Create a certificate for AD FS at Trey Research

1. On TREY-DC1, in Server Manager, click Tools, and then click Internet Information Services (IIS)
Manager.

2. In IIS Manager, click TREY-DC1 (TREYRESEARCH\Administrator), and then double-click Server
Certificates.

3. In the Actions pane, click Create Domain Certificate.

4. In the Create Certificate window, on the Distinguished Name Properties page, type the following
information, and then click Next:

o Common name: adfs.TreyResearch.net

o Organization: Trey Research

o Organizational unit: IT

o City/locality: London

o State/Province: England

o Country/region: GB

5. On the Online Certification Authority page, click Select.

6. In the Select Certification Authority window, click TreyResearchCA, and then click OK.

7. On the Online Certification Authority page, in the Friendly name box, type adfs.TreyResearch.net,
and then click Finish.

8. Close IIS Manager.

► Task 3: Install AD FS for Trey Research

1. On TREY-DC1, click Start, right-click Windows PowerShell and then click Run as Administrator.

2. At the command prompt, type the following command, and then press Enter:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

This command creates the Key Distribution Service root key to generate gMSA passwords for the
account that you will use later in this lab. You should receive a GUID as a response to this command.

3. Click Start, click Server Manager, click Manage, and then click Add Roles and Features.

4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

5. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.

6. On the Select destination server page, click Select a server from the server pool, click
TREY-DC1.TreyResearch.net, and then click Next.

7. On the Select server roles page, select the Active Directory Federation Services check box, and
then click Next.

8. On the Select features page, click Next.

9. On the Active Directory Federation Services (AD FS) page, click Next.

10. On the Confirm installation selections page, click Install.

11. When the installation completes, click Close.

► Task 4: Configure AD FS for Trey Research

1. On TREY-DC1, in Server Manager, click the Notifications icon, and then click Configure the
federation service on this server.

2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click
Create the first federation server in a federation server farm, and then click Next.

3. On the Connect to Active Directory Domain Services page, click Next to use
TreyResearch\Administrator to perform the configuration.

4. On the Specify Service Properties page, in the SSL Certificate list, select adfs.treyresearch.net.

5. In the Federation Service Display Name box, type Trey Research, and then click Next.

6. On the Specify Service Account page, click Create a Group Managed Service Account.

7. In the Account Name box, type ADFSService, and then click Next.

8. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.

9. On the Review Options page, click Next.

10. On the Pre-requisite Checks page, click Configure.

11. On the Results page, click Close.

12. Right-click Start, select Shut down or sign out, select Restart, and then click Continue.

13. Wait until TREY-DC1 is online before continuing to the next step.

► Task 5: Configure a claims provider trust for the Trey Research AD FS server
1. On LON-DC1, at the Windows PowerShell command prompt, type the following command to add a
claims provider trust, and then press Enter:

Add-AdfsClaimsProviderTrust -Name 'Trey Research' -MetadataUrl 'https://adfs.treyresearch.net/federationmetadata/2007-06/federationmetadata.xml'

2. Because of token binding compatibility issues with Internet Explorer 11 and Microsoft Edge, type the
following command to disable token binding in AD FS, and then press Enter:

Set-AdfsProperties -IgnoreTokenBinding $true

3. On LON-DC1, open the AD FS management console.

4. In the list of Claims Provider Trusts, right-click Trey Research, and then select Edit Claim Rules….

5. In the Edit Claim Rules for Trey Research window, on the Acceptance Transform Rules tab, click
Add Rule.

6. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template list, select Pass Through or Filter an Incoming Claim, and then click Next.

7. On the Configure Rule page, in the Claim rule name box, type Pass through Windows account
name.

8. In the Incoming claim type list, select Windows account name.

9. Select Pass through all claim values, and then click Finish.

10. In the AD FS Management dialog box, click Yes to acknowledge the warning.

11. In the Edit Claim Rules for Trey Research window, click OK, and then close the AD FS management
console.

► Task 6: Configure a relying party trust for the A. Datum Corporation application
1. On TREY-DC1, open the Windows PowerShell command prompt.

2. At the Windows PowerShell command prompt, type the following to create a new relying party trust,
and then press Enter:

Add-ADFSRelyingPartyTrust -Name 'A. Datum Corporation' -MetadataURL 'https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml'

3. In the Server Manager, click Tools, and then click AD FS Management.

4. In the AD FS management console, click Relying Party Trusts.


5. In the Actions pane, click Edit Claim Issuance Policy.

6. In the Edit Claim Issuance Policy for A. Datum Corporation window, click Add Rule.

7. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Pass Through or Filter an Incoming Claim, and then click Next.

8. On the Configure Rule page, in the Claim rule name box, type Pass through Windows account
name.

9. In the Incoming claim type list, select Windows account name.

10. Click Pass through all claim values, click Finish, and then click OK.

11. In the Edit Claim Issuance Policy for A. Datum Corporation window, click OK.

12. In the list of Relying Party Trusts, click A. Datum Corporation, and then select Edit Access Control
Policy.

13. In Edit Access Control Policy for A. Datum Corporation, select Permit everyone, and click OK.

14. Close the AD FS management console.

► Task 7: Verify access to the website

1. On TREY-DC1, in Internet Explorer, open Internet Options, select Privacy, and then select Sites.

2. On the Per Site Privacy Actions page, in the Address of website box, type adatum.com, click Allow,
click OK to close the Per Site Privacy Actions page, and then click OK to close the Internet Options
window.

3. In Internet Explorer, on the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.

4. On the A. Datum Corporation page, click Trey Research.

Note: If you receive the error message This page cannot be displayed, click Refresh
and try this step again.

5. In the Windows Security dialog box, sign in as TreyResearch\April with the password Pa55w.rd.

6. After the application loads, close Internet Explorer.


7. Open Internet Explorer.

8. In Internet Explorer, on the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.

9. In the Windows Security dialog box, sign in as TreyResearch\April with the password Pa55w.rd.

10. Close Internet Explorer.

Note: You are not prompted for a home realm on the second access. After a user selects
a home realm and a realm authority authenticates that user, the relying party’s federation
server issues a _LSRealm cookie. The default lifetime for the cookie is 30 days. Therefore, to
sign in multiple times, you should delete that cookie after each sign-in attempt to return to a
clean state.

► Task 8: Configure issuance-authorization claim rules to allow access only for specific groups

1. On TREY-DC1, in Server Manager, click Tools, and then click AD FS Management.

2. In the AD FS management console, click Relying Party Trusts.

3. Right-click A. Datum Corporation, and then click Edit Claim Issuance Policy.

4. In the Edit Claim Issuance Policy for A. Datum Corporation window, on the Issuance Transform
Rules tab, click Remove Rule, and then click Yes.

5. Click Add Rule.

6. In the Claim rule template box, select Pass Through or Filter an Incoming Claim and then click
Next.

7. On the Claim rule name box, type Allow Production Members.

8. On the Incoming claim type, select Group.

9. Click Pass through only a specific claim value, and then in the Incoming claim value, type
TreyResearch-Production.

10. Click Finish and then click OK.

11. In the AD FS management console, click Claims Provider Trusts, right-click Active Directory, and
then click Edit Claim Rules.

12. In the Edit Claim Rules for Active Directory window, click Add Rule.

13. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Send Group Membership as a Claim, and then click Next.

14. On the Configure Rule page, in the Claim rule name box, type Production Group Claim.

15. To set the User’s group, click Browse, type Production, and then click OK.

16. In the Outgoing claim type box, select Group.

17. In the Outgoing claim value box, type TreyResearch-Production, and then click Finish.

18. In the Edit Claim Rules for Active Directory window, click OK.

19. Close the AD FS management console.
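
Task 8 as text, an added example (not the lab's commands) run on TREY-DC1: the same two rules in the claim rule language, so the restriction to TreyResearch-Production members can be reviewed and versioned instead of being reconstructed from wizard screens. The group SID lookup uses the ActiveDirectory module; the rule text and the Test-ProductionRestriction helper are written for this example.

```powershell
# Added example, not the lab's commands: Exercise 4 Task 8 on TREY-DC1 as rule text.
Import-Module ActiveDirectory

# The groupsid claims AD FS receives from a Windows logon carry SIDs, not names,
# so the mapping rule must match on the Production group's SID.
$groupSid = (Get-ADGroup -Identity 'Production').SID.Value

# Steps 11-18: on the Active Directory claims provider, turn membership into a Group claim.
$groupClaimRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Production Group Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "TreyResearch-Production", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@
$current = (Get-AdfsClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($current + "`n" + $groupClaimRule)

# Steps 3-10: on the A. Datum relying party, replace the unconditional pass-through
# with a filter that forwards the Group claim only when its value is the Production one.
$allowProduction = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Allow Production Members"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "TreyResearch-Production"]
 => issue(claim = c);
'@
Set-AdfsRelyingPartyTrust -TargetName 'A. Datum Corporation' `
    -IssuanceTransformRules $allowProduction

# Check (hypothetical helper written for this example): no unconditional pass-through
# survives on the relying party, and the lab users' Production membership matches
# what the Task 9 test expects.
function Test-ProductionRestriction {
    param([string[]]$Users)
    $rules   = (Get-AdfsRelyingPartyTrust -Name 'A. Datum Corporation').IssuanceTransformRules
    $members = (Get-ADGroupMember -Identity 'Production' -Recursive).SamAccountName
    [pscustomobject]@{
        # Matches a rule whose condition names only a Type, i.e. passes every value.
        UnconditionalPassThrough = [bool]($rules -match 'c:\[Type == "[^"]+"\]\s*=> issue\(claim = c\)')
        ProductionMembers        = @($Users | Where-Object { $members -contains $_ })
    }
}
Test-ProductionRestriction -Users 'Ben', 'April'
```

Note that the filter acts on the value Trey Research's own claims provider issued, so a partner user cannot assert membership simply by sending a Group claim: the A. Datum side (Exercise 4 Task 5) only accepts what the trusted provider signs.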

► Task 9: Verify access to the website with the group restrictions

1. On TREY-DC1, in Internet Explorer, on the address bar, type
https://lon-svr1.adatum.com/adatumtestapp/.

2. In the Windows Security dialog box, sign in as TreyResearch\Ben with the password Pa55w.rd.

3. Verify that you can access the application because Ben is a member of the TreyResearch\Production
group.

4. Close Internet Explorer.

Results: After completing this exercise, you should have successfully configured access for a claims-aware
application in a partner organization.

► Task 10: Prepare for the next module

When you finish the lab, revert the VMs to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-LON-SVR1, 20742B-TREY-DC1, and 20742B-LON-CL1.



Module 11: Implementing and administering AD RMS


Lab: Implementing an AD RMS infrastructure
Exercise 1: Installing and configuring AD RMS
► Task 1: Configure DNS and the AD RMS service account
1. Sign in to LON-DC1 as Adatum\Administrator by using the password Pa55w.rd.

2. In Server Manager, click Tools, and then click Active Directory Administrative Center.

3. Select and then right-click Adatum (local), click New, and then click Organizational Unit.

4. In the Create Organizational Unit dialog box, in the Name box, type Service Accounts, and then
click OK.

5. Right-click the Service Accounts organizational unit (OU) in the middle pane, click New, and then
click User.

6. In the Create User dialog box, provide the following details, and then click OK:

o First name: ADRMSSVC

o User UPN logon: ADRMSSVC

o User SamAccountName logon: Adatum\ADRMSSVC

o Password: Pa55w.rd

o Confirm Password: Pa55w.rd

o Password never expires: Enabled (click Other password options to expose this setting)

o User cannot change password: Enabled

7. Right-click the Users container, click New, and then click Group.

8. In the Create Group dialog box, type the following details, and then click OK:

o Group name: ADRMS_SuperUsers

o E-mail: [email protected]

9. Right-click the Users container, click New, and then click Group.

10. In the Create Group dialog box, type the following details, and then click OK:

o Group name: Executives

o E-mail: [email protected]

11. Double-click the Managers OU, and then Ctrl+click the following users:

o Aidan Norman

o Holly Spencer

12. In the Tasks pane, click Add to group.

13. In the Select Groups dialog box, type Executives, and then click OK.

14. Close the Active Directory Administrative Center.

15. In Server Manager, click Tools, and then click DNS.



16. In the DNS Manager console, click and expand LON-DC1, and then expand Forward Lookup Zones.

17. Select and then right-click Adatum.com, and then click New Host (A or AAAA).

18. In the New Host dialog box, type the following information, and then click Add Host:

o Name: adrms

o IP address: 172.16.0.21

19. Click OK, and then click Done.

Note: This is the address of LON-SVR1, where you will install AD RMS.

20. Close the DNS Manager console.
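
Task 1 with the ActiveDirectory and DnsServer modules on LON-DC1, as an added example rather than the lab's own script. The group e-mail addresses are redacted on this page, so labelled placeholders stand in for them; the sAMAccountNames Aidan and Holly and the adatum.com UPN suffix are assumptions; Test-AdrmsPrereqs is a helper written for this example.

```powershell
# Added example, not the lab's script: Exercise 1 Task 1 on LON-DC1.
Import-Module ActiveDirectory, DnsServer

$domainDn = 'DC=Adatum,DC=com'
# The lab password, constructed here for the example.
$pw = ConvertTo-SecureString 'Pa55w.rd' -AsPlainText -Force

# PLACEHOLDERS: the lab's group e-mail addresses are redacted on this page.
$superUsersMail = 'PLACEHOLDER-superusers@adatum.com'
$executivesMail = 'PLACEHOLDER-executives@adatum.com'

New-ADOrganizationalUnit -Name 'Service Accounts' -Path $domainDn

# Service account: fixed password that the account itself cannot change.
# UPN suffix assumed to be the lab domain.
New-ADUser -Name 'ADRMSSVC' -SamAccountName 'ADRMSSVC' `
    -UserPrincipalName 'ADRMSSVC@adatum.com' `
    -Path "OU=Service Accounts,$domainDn" `
    -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# Mail-enabled groups: AD RMS identifies super users and rights recipients by e-mail.
foreach ($g in @(@{ Name = 'ADRMS_SuperUsers'; Mail = $superUsersMail },
                 @{ Name = 'Executives';        Mail = $executivesMail })) {
    New-ADGroup -Name $g.Name -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$domainDn" -OtherAttributes @{ mail = $g.Mail }
}
# sAMAccountNames for Aidan Norman and Holly Spencer assumed to be Aidan and Holly.
Add-ADGroupMember -Identity 'Executives' -Members 'Aidan', 'Holly'

# Host record for the AD RMS cluster URL, pointing at LON-SVR1.
Add-DnsServerResourceRecordA -ZoneName 'Adatum.com' -Name 'adrms' -IPv4Address '172.16.0.21'

# Check (hypothetical helper written for this example): everything the AD RMS
# configuration wizard in Task 2 will ask for is in place.
function Test-AdrmsPrereqs {
    $svc = Get-ADUser -Identity 'ADRMSSVC' -Properties PasswordNeverExpires, CannotChangePassword
    [pscustomobject]@{
        ServiceAccountOk = ($svc.Enabled -and $svc.PasswordNeverExpires -and $svc.CannotChangePassword)
        SuperUsersMail   = (Get-ADGroup -Identity 'ADRMS_SuperUsers' -Properties mail).mail
        ExecutivesCount  = @(Get-ADGroupMember -Identity 'Executives').Count
        AdrmsAddress     = (Resolve-DnsName -Name 'adrms.adatum.com' -Type A -DnsOnly).IPAddress
    }
}
Test-AdrmsPrereqs
```

ExecutivesCount should be 2 and AdrmsAddress 172.16.0.21 before you move on to Task 2; the wizard validates the service account credentials but not the DNS name, so a typo in the host record only surfaces when clients try to reach the cluster.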

► Task 2: Install and configure the AD RMS server role

1. Sign in to LON-SVR1 as Adatum\Administrator by using the password Pa55w.rd.

2. Click Start, click Server Manager, click Manage, and then click Add Roles and Features.

3. In the Add Roles and Features Wizard, click Next three times.

4. On the Select server roles page, click Active Directory Rights Management Services.

5. In the Add Roles and Features Wizard dialog box, click Add Features, click Next four times, click
Install, and then, when the installation completes, click Close.

6. In Server Manager, click the AD RMS node.

7. Next to Configuration required for Active Directory Rights Management Services at LON-SVR1,
click More.

8. On the All Servers Task Details and Notifications page, click Perform additional configuration.

9. On the AD RMS page, in the AD RMS Configuration: LON-SVR1.adatum.com window, click Next.

10. On the AD RMS Cluster page, click Create a new AD RMS root cluster, and then click Next.

11. On the Configuration Database page, click Use Windows Internal Database on this server, and
then click Next.

12. On the Service Account page, click Specify.

13. In the Windows Security dialog box, type the following details, click OK, and then click Next:

o User name: ADRMSSVC

o Password: Pa55w.rd

14. On the Cryptographic Mode page, click Cryptographic Mode 2, and then click Next.

15. On the Cluster Key Storage page, click Use AD RMS centrally managed key storage, and then click
Next.

16. On the Cluster Key Password page, type Pa55w.rd twice, and then click Next.

17. On the Cluster Web Site page, verify that Default Web Site is selected, and then click Next.

18. On the Cluster Address page, provide the following information, and then click Next:

o Connection Type: Use an unencrypted connection (http://)

o Fully Qualified Domain Name: adrms.adatum.com

o Port: 80

Note: This lab uses port 80 for convenience. In production environments, you would help to
protect Active Directory Rights Management Services (AD RMS) by using an encrypted connection.

19. On the Licensor Certificate page, type AdatumADRMS, and then click Next.

20. On the SCP Registration page, click Register the SCP now, and then click Next.

21. On the Confirmation page, click Install, and then click Close.

22. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

23. In the Internet Information Services (IIS) Manager console, expand LON-SVR1\Sites
\Default Web Site, and then click _wmcs.

24. In the middle pane, double-click Authentication, click Anonymous Authentication, and then, in the
Actions pane, click Enable.

25. In the Connections pane, expand _wmcs, and then click licensing.

26. In the middle pane, double-click Authentication, click Anonymous Authentication, and then, in the
Actions pane, click Enable. Close the Internet Information Services (IIS) Manager console.

Note: You would not enable Anonymous Authentication in a production environment. It is
enabled here only to simplify the lab configuration.

27. On the Start screen, click the Administrator icon on the left side of the menu, and then click Sign Out.

Note: You must sign out before you can manage AD RMS.

 Task 3: Configure the AD RMS Super Users group


1. Sign in to LON-SVR1 as Adatum\Administrator by using the password Pa55w.rd.

2. Open Server Manager, click Tools, and then click Active Directory Rights Management Services.
3. In the AD RMS console, expand the lon-svr1 (Local) node, and then click Security Policies.

4. In the Security Policies area, under Super Users, click Change super user settings.

5. In the Actions pane, click Enable Super Users.

6. In the Super Users area, click Change super user group.

7. In the Super Users dialog box, in the Super user group box, type
[email protected], and then click OK.

Results: After completing this exercise, you should have installed and configured AD RMS.
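The two lab notes above (port 80 and Anonymous Authentication) describe settings that are acceptable only in the lab. The following PowerShell script is an added example, not part of the lab or the AD RMS product, that checks the resulting deployment on LON-SVR1: it reads the SCP registered in step 20 and the authentication setting changed in steps 24 and 26, and reports both conveniences as findings. It assumes the ActiveDirectory and WebAdministration modules are available and that the AD RMS virtual directories carry their default names.

```powershell
# Added example (not the lab's code): post-deployment check of the AD RMS
# configuration from Exercise 1. Run on LON-SVR1 as a domain administrator.
Import-Module ActiveDirectory
Import-Module WebAdministration

function Get-AdRmsScp {
    # The AD RMS SCP is a serviceConnectionPoint object in the forest
    # configuration partition; serviceBindingInformation holds the cluster URL(s).
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    try {
        Get-ADObject -Identity $scpDn -Properties serviceBindingInformation
    } catch {
        $null   # no SCP registered (step 20 not completed)
    }
}

function Test-AdRmsAnonymousAuth {
    param([string]$Site = 'Default Web Site')
    # Virtual directory names assumed to be the AD RMS defaults.
    foreach ($vdir in '_wmcs', '_wmcs/licensing', '_wmcs/certification') {
        $psPath = "IIS:\Sites\$Site\$vdir"
        if (-not (Test-Path $psPath)) { continue }
        $enabled = (Get-WebConfigurationProperty -PSPath $psPath `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
            -Name enabled).Value
        [pscustomobject]@{ VirtualDirectory = $vdir; AnonymousEnabled = [bool]$enabled }
    }
}

function Test-AdRmsDeployment {
    $findings = @()
    $scp = Get-AdRmsScp
    if (-not $scp) {
        $findings += 'No AD RMS SCP found in the configuration partition; clients cannot discover the cluster.'
    } else {
        foreach ($url in $scp.serviceBindingInformation) {
            if ($url -like 'http://*') {
                # Step 18 chose an unencrypted connection; the lab note says to use
                # an encrypted one in production.
                $findings += "SCP advertises an unencrypted cluster URL: $url"
            }
        }
    }
    foreach ($entry in Test-AdRmsAnonymousAuth) {
        if ($entry.AnonymousEnabled) {
            $findings += "Anonymous authentication is enabled on $($entry.VirtualDirectory) (lab convenience only)."
        }
    }
    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

Test-AdRmsDeployment
```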

Exercise 2: Configuring AD RMS templates


 Task 1: Configure a new rights policy template
1. Ensure that you are signed in to LON-SVR1.

2. In the AD RMS console, click the Rights Policy Templates node.

3. In the Actions pane, click Create Distributed Rights Policy Template.


4. In the Create Distributed Rights Policy Template Wizard, on the Add Template Identification
information page, click Add.

5. On the Add New Template Identification Information page, provide the following information,
click Add, and then click Next:

o Language: English (United States)

o Name: ReadOnly

o Description: Read-only access. No copy or print.

6. On the Add User Rights page, click Add.

7. On the Add User or Group page, type [email protected], and then click OK.
8. When [email protected] is selected, under Rights for [email protected], click View.
Verify that Grant owner (author) full control right with no expiration is selected, and then click
Next.

9. On the Specify Expiration Policy page, select the following settings, and then click Next:

o Content Expiration: Expires after the following duration (days): 7

o Use license expiration: Expires after the following duration (days): 7

10. On the Specify Extended Policy page, click Require a new use license every time content is
consumed (disable client-side caching), and then click Next.

11. On the Specify Revocation Policy page, click Finish.

 Task 2: Configure the rights policy template distribution


1. On LON-SVR1, click Start, and then click Windows PowerShell.

2. At the Windows PowerShell command prompt, type the following command, and then press Enter:

New-Item c:\rmstemplates -ItemType Directory

3. At the Windows PowerShell command prompt, type the following command, and then press Enter:

New-SmbShare -Name RMSTEMPLATES -Path c:\rmstemplates -FullAccess ADATUM\ADRMSSVC

4. At the Windows PowerShell command prompt, type the following command, and then press Enter:

New-Item c:\docshare -ItemType Directory

5. At the Windows PowerShell command prompt, type the following command, and then press Enter:

New-SmbShare -Name docshare -Path c:\docshare -FullAccess Everyone

6. Type exit, and then press Enter to exit Windows PowerShell.

7. Switch to the AD RMS console, click the Rights Policy Templates node, and then, in the Distributed
Rights Policy Templates area, click Change distributed rights policy templates file location.

8. In the Rights Policy Templates dialog box, click Enable export.

9. In the Specify templates file location (UNC) box, type \\LON-SVR1\RMSTEMPLATES, and then
click OK.

10. On the taskbar, click File Explorer.

11. Navigate to the C:\rmstemplates folder, and then verify that ReadOnly.xml is present.
12. Close the File Explorer window.

 Task 3: Configure an exclusion policy


1. On LON-SVR1, switch to the AD RMS console, click the Exclusion Policies node, and then click
Manage application exclusion list.

2. In the Actions pane, click Enable Application Exclusion.

3. In the Actions pane, click Exclude Application.

4. In the Exclude Application dialog box, type the following information, and then click Finish:

o Application File name: Powerpnt.exe

o Minimum version: 14.0.0.0

o Maximum version: 16.0.0.0

5. Close the AD RMS console.

Results: After completing this exercise, you should have configured AD RMS templates.

Exercise 3: Using AD RMS on clients


 Task 1: Create a rights-protected document
1. Sign in to LON-CL1 as Adatum\Aidan by using the password Pa55w.rd.

2. Click Start, type Internet, and then click Internet Explorer. In the Internet Explorer window, right-
click the toolbar, click Menu bar, click Tools, and then select Internet options. If the Set up Internet
Explorer 11 window appears, select Use recommended security and compatibility settings, and
then click OK.

3. In the Internet options dialog box, click Security, click Local intranet, click Sites, click Advanced,
and then, under Add this website to the zone, type http://adrms.adatum.com. Click Add, click
Close, and then click OK two times.

Note: You added adrms.adatum.com to the Local intranet sites to achieve a single sign-on
experience when signing in to the AD RMS servers.

4. Close Internet Explorer. If you receive a prompt, click Close all tabs.

5. On the Start menu, type Word, and then, in the results area, click Word 2016. If the First things first
window appears, click Ask me later, and then click Accept. If the Welcome to your new Office
window appears, close it.

6. In the Microsoft Word 2016 app, click Blank document.



7. In the Word document, type the following text: This document is for executives only, and it should
not be modified. Click File, click Protect Document, click Restrict Access, and then click Read Only.

Note: If the ReadOnly template does not appear, you might need to first click Connect to
Rights Management Servers and get templates. After 20-30 seconds, try again.

8. Click Save, and then click Browse.

9. In the Save As dialog box, save the document to the \\lon-svr1\docshare location with the name
Executives Only.docx.

10. Close Word 2016.

11. Click the Start menu, click the Aidan Norman icon, and then click Sign out.

 Task 2: Verify internal access to AD RMS-protected content as an authorized user


1. Sign in to LON-CL1 as Adatum\Holly by using the password Pa55w.rd.

2. Click Start, type Internet, and then click Internet Explorer. If the Set up Internet Explorer 11 window
appears, select Use recommended security and compatibility settings, and then click OK. In the
Internet Explorer window, right-click the toolbar, click Menu bar, click Tools, and then select
Internet options.
3. In Internet options, click Security, click Local intranet, click Sites, click Advanced, and then, under
Add this website to the zone, type http://adrms.adatum.com. Click Add, click Close, and then click
OK twice.
4. Close Internet Explorer. If you receive a prompt, click Close all tabs.

5. On the taskbar, click the File Explorer icon.

6. In the File Explorer window, navigate to \\lon-svr1\docshare.


7. In the docshare folder, double-click the Executives Only document.

8. When the document opens, verify that you are unable to modify or save the document. If the First
things first window appears in Word, click Ask me later, and then click Accept. If the Welcome to
your new Office window appears, close it.

9. Select a line of text in the document, right-click it, and then verify that you cannot make changes.

10. Click View Permission, review the permissions, and then click OK. You can see that Holly has only the
View permission. She is a member of the Executives group and can access the content.

11. Close Word 2016.

12. Click the Start screen, click the Holly Spencer icon, and then click Sign Out.

 Task 3: Open the rights-protected document as an unauthorized user


1. Sign in to LON-CL1 as Adatum\Harry by using the password Pa55w.rd.

2. Click Start, type Internet, and then click Internet Explorer. If the Set up Internet Explorer 11 window
appears, select Use recommended security and compatibility settings, and then click OK. In the
Internet Explorer window, right-click the toolbar, click Menu bar, click Tools, and then select
Internet options.

3. In Internet options, click Security, click Local intranet, click Sites, click Advanced, and then, under
Add this website to the zone, type http://adrms.adatum.com. Click Add, click Close, and then click
OK twice.

4. Close Internet Explorer. If you receive a prompt, click Close all tabs.

5. On the taskbar, click the File Explorer icon.

6. In the File Explorer window, navigate to \\lon-svr1\docshare.

7. In the docshare folder, double-click the Executives Only document, and then click OK in the
Microsoft Word window.
8. Verify that Harry is unable to open the document. Note that Harry cannot open the document because
the document is protected with an RMS template that allows only the Executives group to view the
document. If the First things first window appears in Word, click Ask me later, and then click Accept.
If the Welcome to your new Office window appears, close it.

9. Close Word 2016.

10. Click the Start screen, click the Harry Lawrence icon, and then click Sign Out.

 Task 4: Prepare for the next module


When you finish the lab, revert the VMs to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20742B-LON-SVR1 and 20742B-LON-CL1.

Results: After completing this exercise, you should have verified that the AD RMS deployment was
successful.

Module 12: Implementing AD DS synchronization with Microsoft Azure AD
Lab: Configuring directory synchronization
Exercise 1: Preparing for directory synchronization
 Task 1: Create a trial Office 365 E5 subscription
1. On LON-CL1, open the Internet Explorer browser from the taskbar.

2. Open the https://products.office.com/en-us/business/office-365-enterprise-e5-business-software URL, and then click the Free trial link.

3. On the Welcome, let’s get to know you page, in the Country drop-down list, select your
country/region. If your country/region is not listed, choose United States.

4. Enter the rest of your data in the fields. Type Adatum for the Company name, and then select
250-999 people from the Your organization size drop-down list.
5. Click Next.

6. On the Create your user ID page, type the user name of your choice in the User name text box, and
then type Adatumyyxxxxx in the Yourcompany text box (for example, Adatum12332).

Note: If the name is not available, try a different name.

In the following step, you will create a password for the Office 365 user account. Consider writing
down this password with the user ID information to ensure that you can use it later.

7. Choose a password and type it in the New password and Confirm password text boxes.

8. Click Create my account.


9. On the Prove. You’re. Not. A. Robot. page, type your mobile phone number, and then click
Text me.

Note: If you do not have a mobile phone with you, ask your instructor for help.

10. In the Enter your verification code text box, type the code that you received in the text message,
and then click Next.

11. On the Save this info. You’ll need it later page, ensure that you save your Microsoft Online user ID
data, and then click You’re ready to go.

Note: Your user ID will be in the format: [email protected].


Ensure that you write it down because you will use this account as a global admin account for
your Azure AD tenant.

12. Ensure that the Office 365 portal opens.

13. Leave the Internet Explorer browser window open.



 Task 2: Verify the Azure AD tenant and add a domain


1. On LON-CL1, in the Internet Explorer window, open a new tab, and then go to
https://portal.azure.com.

2. In the Azure portal, in the left navigation pane, click Azure Active Directory.

3. In the MANAGE options list, click Custom Domain names.


4. Verify that you can see your adatumyyxxxxx.onmicrosoft.com domain that you created in the
previous task.

5. Click Add Custom Domain.


6. In the Custom Domain name pane, type Adatum.com in the Custom Domain name text box, and
then click Add Domain.

7. On the domain verification page, review the content, and then close the Adatum.com window.

8. Leave the Azure portal open.

Results: After completing this exercise, you should have created the Azure AD tenant.

Exercise 2: Configuring directory synchronization


 Task 1: Configure a synchronization account
1. On LON-CL1, in the Azure portal, in the middle navigation pane, click Users and groups.

2. Click All users. You will see only your account.

3. Click New user.

4. In the User pane, type SYNC in the Name text box.

5. Type [email protected] (where adatumyyxxxx.onmicrosoft.com is your domain name that was defined in Exercise 1, Task 1) in the User name text box.
6. Click Directory role.

7. In the Directory role pane, click Global administrator, and then click Ok.

8. Click Show Password. Copy the password shown in the text box to Notepad.
9. Click Create.

10. Right-click the Internet Explorer icon on the taskbar, and then click Start InPrivate Browsing.

11. In the new browser window, go to https://portal.azure.com.


12. Sign in as [email protected] with the temporary password that you copied in
step 8.
13. On the Update your password page, type your temporary password in the Current password text
box, and then type a new password in the New password and Confirm password text boxes. Click
Update password and sign in. Document the password for the SYNC account.

14. Verify that the Azure portal opens. Close the Internet Explorer window. Keep Internet Explorer,
where you are signed in with your account, open.

 Task 2: Install and configure Azure AD Connect


1. On LON-SVR1, sign in as Adatum\Administrator.

2. Open Internet Explorer from the taskbar, and then go to https://portal.azure.com.

3. On the Microsoft Azure page, sign in with the global administrative credentials that you created in
Exercise 1, Task 1.

4. In the Microsoft Azure portal, click Azure Active Directory in the left navigation pane.
5. In the middle navigation pane, click Azure AD Connect.

6. On the adatum-Azure AD Connect page, click Download Azure AD Connect. A new tab will open
in Internet Explorer.

7. On the Microsoft Azure Active Directory Connect webpage, click Download.

8. When prompted to run or save the file, click Run. Minimize the Internet Explorer window.

9. In the Microsoft Azure Active Directory Connect Wizard, on the Welcome to Azure AD Connect
page, select I agree to the license terms and privacy notice, and then click Continue.

10. On the Express Settings page, click Use express settings.


11. On the Connect to Azure AD page, in the USERNAME text box, type the SYNC account user name.
In the PASSWORD text box, type the password that you assigned to the SYNC account, and then
click Next.

12. On the Connect to AD DS page, in the USERNAME text box, type Adatum\administrator. In the
PASSWORD box, type Pa55w.rd, and then click Next.

13. On the Azure AD sign-in configuration page, select Continue without any verified domains, and
then click Next.
14. On the Ready to configure page, click Install, and when the configuration is complete, click Exit.

15. The synchronization of objects from your local Active Directory Domain Services (AD DS) to
Microsoft Azure Active Directory (Azure AD) now begins. You must wait approximately 5-10 minutes for
this process to complete.

16. Close the Internet Explorer window on LON-SVR1.

 Task 3: Verify the initial synchronization and manage the settings


1. Switch to Internet Explorer on LON-CL1. You should have the Azure portal open.
2. Click Users and groups in the MANAGE options list.

3. Click All users.

4. Verify that you can see the user accounts from your local AD DS. You should be able to see all users
from your local adatum.com domain.

5. Switch to LON-SVR1.
6. On LON-SVR1, click Start, and then click Azure AD Connect. Expand Azure AD Connect, and then
click Synchronization Service.

7. In the Synchronization Service Manager on LON-SVR1 window, click the Operations tab.

8. Ensure that you can see the Export, Full Synchronization, and Full Import tasks.

9. Ensure that all the tasks have a current time and date in the Start Time and End Time columns. Also,
ensure that all tasks show success in the Status column.

Note: It is normal for some tasks to have the completed-no-objects status.

10. Close the Synchronization Service Manager window.

11. On LON-SVR1, click Start, and then open Windows PowerShell.

12. In the Administrator: Windows PowerShell window, type the following command, and then press
Enter.

Get-ADSyncScheduler

Note: If this command returns an error, restart the LON-SVR1 computer, and then repeat
step 12.

13. Review the results. Ensure that the AllowedSyncCycleInterval value and the
CurrentlyEffectiveSyncCycleInterval value are set to 30 minutes.

14. In the Administrator: Windows PowerShell window, type the following command, and then press
Enter.

Set-ADSyncScheduler -CustomizedSyncCycleInterval 01:00:00

15. In the Administrator: Windows PowerShell window, type the following command, and then press
Enter.

Start-ADSyncSyncCycle -PolicyType Delta

16. Wait for approximately two minutes.

17. In the Administrator: Windows PowerShell window, type the following command, and then press
Enter.

Get-ADSyncScheduler

18. Ensure that the new value is applied for the CurrentlyEffectiveSyncCycleInterval variable.

19. Close the Windows PowerShell window.

Results: After completing this exercise, you should have installed Azure AD Connect with the customized
settings, completed directory synchronization to Azure AD, and verified that the synchronization was
successful.

Exercise 3: Managing Active Directory users and groups and monitoring directory synchronization
 Task 1: Add new objects in AD DS
1. Switch to LON-DC1.

2. Open Server Manager, click Tools, and then click Active Directory Users and Computers.

3. In the navigation pane, expand Adatum.com, right-click Sales, click New, and then click User.
4. In the New Object – User dialog box, in the Full name text box, type your name.

5. In the User logon name text box, type your first name, and then click Next.

6. In the Password and Confirm password boxes, type Pa55w.rd, and then clear User must change
password at next logon.

7. Click Next, click Finish, and then click Sales.

8. Right-click your user account, and then click Add to a group.


9. In the Select Groups dialog box, in the Enter the object names to select (examples) text box, type
Sales, and then click OK.

10. In the Active Directory Domain Services dialog box, click OK.

 Task 2: Verify the synchronization of the new user objects


1. On LON-SVR1, right-click Start, and then click Windows PowerShell (Admin).

2. In the Administrator: Windows PowerShell window, type the following command, and then press
Enter.

Start-ADSyncSyncCycle -PolicyType Delta

3. Wait for approximately four minutes. Do not close the Administrator: Windows PowerShell
window. However, you can minimize it.

4. Switch to Internet Explorer on LON-CL1, where you have the Azure portal open.
5. Refresh the webpage, click All users, and then verify that the user account you just added is present
and that it has the Windows Server AD value in the SOURCE column.

6. Click All groups, and then click Sales. Click Members.


7. Verify that your account was also added to the Sales group. Leave the browser window open.
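The scheduler commands from Exercise 2, Task 3 and the delta cycle from Exercise 3, Task 2 can be scripted so that the wait is driven by the scheduler state rather than a fixed number of minutes. The following is an added example, not the lab's code or part of Azure AD Connect; it assumes an elevated PowerShell session on LON-SVR1 where the ADSync module installed by Azure AD Connect is available.

```powershell
# Added example (not the lab's code): scripted scheduler check, interval
# change and delta synchronization for the Azure AD Connect server (LON-SVR1).
Import-Module ADSync

function Test-ADSyncSchedulerState {
    # Surfaces the conditions that silently stop objects from reaching Azure AD.
    $s = Get-ADSyncScheduler
    $problems = @()
    if (-not $s.SyncCycleEnabled) { $problems += 'SyncCycleEnabled is False: the scheduler never runs.' }
    if ($s.SchedulerSuspended)    { $problems += 'SchedulerSuspended is True: cycles are paused.' }
    if ($s.StagingModeEnabled)    { $problems += 'StagingModeEnabled is True: imports run but nothing is exported.' }
    [pscustomobject]@{
        AllowedInterval   = $s.AllowedSyncCycleInterval
        EffectiveInterval = $s.CurrentlyEffectiveSyncCycleInterval
        NextCycleUtc      = $s.NextSyncCycleStartTimeInUTC
        Problems          = $problems
    }
}

function Set-ADSyncIntervalChecked {
    param([Parameter(Mandatory)][timespan]$Interval)
    # The service enforces a floor (AllowedSyncCycleInterval, 30 minutes in the
    # lab); a shorter customized value is stored but not honoured, which is why
    # Task 3 has you re-read CurrentlyEffectiveSyncCycleInterval afterwards.
    $s = Get-ADSyncScheduler
    if ($Interval -lt $s.AllowedSyncCycleInterval) {
        throw "Interval $Interval is below the allowed minimum $($s.AllowedSyncCycleInterval)."
    }
    Set-ADSyncScheduler -CustomizedSyncCycleInterval $Interval
    (Get-ADSyncScheduler).CurrentlyEffectiveSyncCycleInterval
}

function Invoke-ADSyncDeltaAndWait {
    param([int]$TimeoutSeconds = 600)
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw 'A sync cycle is already running; wait for it to finish.'
    }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $busy = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($busy -and (Get-Date) -lt $deadline)
    if ($busy) { throw "Delta cycle still running after $TimeoutSeconds seconds." }
    'Delta cycle finished; check the Operations tab in Synchronization Service Manager for step results.'
}

# Lab flow: inspect, set the one-hour interval from Task 3 step 14, run a delta cycle.
Test-ADSyncSchedulerState
Set-ADSyncIntervalChecked -Interval ([timespan]'01:00:00')
Invoke-ADSyncDeltaAndWait
```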

 Task 3: Configure Azure AD Connect Health


1. On LON-DC1, open Internet Explorer, and then go to https://portal.azure.com.

2. Sign in with the global admin account that you created in Exercise 1, Task 1.
3. In the Azure portal, click Azure Active Directory in the left navigation page.

4. In the middle navigation pane, click Enterprise applications.


5. In the right pane, click Start a free trial to use this feature. Click the same title again on the next
screen.

6. In the Activate window, in the AZURE AD PREMIUM section, click Free trial.

7. In the Activate Azure AD Premium trial window, click Activate.

8. Wait for a few minutes.

9. In the Azure portal, in the left navigation pane, click More services.

10. In the search box, type Azure AD Connect.

11. In the results below, click the star beside Azure AD Connect Health and then click Azure AD Connect
Health.

12. In the Azure AD Connect Health window, click Quick Start.


13. On the Quick Start page, click Download Azure AD Connect Health Agent for AD DS.

14. When prompted, click Run.



15. In the Microsoft Azure AD Connect Health agent for AD DS window, click Install.

16. When setup finishes, click Configure Now.

17. When prompted for an Azure account, type the global admin account that you created in Exercise 1,
Task 1, and then click Continue. Use the password that you assigned to the global admin account as
the password, and then click Sign in.

18. Wait a few minutes until the PowerShell window shows the message Agent registration
completed successfully.

19. In the Azure portal, close the Quick Start page.

20. On the Azure Active Directory Connect Health page, in the Azure Active Directory Connect
(Sync) section, click your domain name. Review the provided data, and then close the page.
21. On the Azure Active Directory Connect Health page, in the Active Directory Domain Services
section, click Adatum.com, and then click Settings.

22. On the Settings page, click Property. Review the provided data, and then close the Property page.

23. Click FSMO Roles. Review the provided data, and then close the FSMO Roles page.

24. Click Users. On the Users page, click Add.

25. On the Add permissions page, in the Role drop-down list, select Contributor.

26. Click the Select field, select August Towle from the list, and then click Save.
27. Close the Settings page. Review the rest of the data about your local AD DS, and then close Internet
Explorer.

 Task 4: Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 to revert 20742B-LON-SVR1 and 20742B-LON-CL1.

Results: After completing this exercise, you should have identified how managing user and group
accounts has changed with directory synchronization.

Module 13: Monitoring, managing, and recovering AD DS


Lab: Recovering objects in AD DS
Exercise 1: Backing up and restoring AD DS
 Task 1: Install the Windows Server Backup feature
1. Switch to LON-DC1.

2. In Server Manager, click Manage, and then click Add roles and features.

3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, click Next.

6. On the Select server roles page, click Next.

7. On the Select features page, in the Features list, select the Windows Server Backup check box, and
then click Next.

8. On the Confirm installation selections page, click Install.

9. When the installation finishes, click Close.

10. Click Start, type cmd, and then press Enter.


11. In the Command Prompt window, type the following, and then press Enter.

cacls C:\Windows\System32\InputMethod\CHS\chsime.exe /E /P system:R

Note: This command is only required for the lab environment, and is not part of typical
backup procedures.

12. Close the Command Prompt window.

 Task 2: Create a scheduled backup


1. On LON-DC1, in Server Manager, click Tools, and then click Windows Server Backup.

2. In Windows Server Backup, click Local Backup, and then click Backup Schedule.
3. In the Backup Schedule Wizard, on the Getting Started page, click Next.

4. On the Select Backup Configuration page, click Custom, and then click Next.

5. On the Select Items for Backup page, click Add Items.

6. In the Select Items dialog box, select Bare metal recovery, click OK, and then click Next.

7. On the Specify Backup Time page, click Once a day.

8. In the Select time of day list, select 12:00 am, and then click Next.

9. On the Specify Destination Type page, click Back up to a hard disk that is dedicated for backups
(recommended), and then click Next.

10. On the Select Destination Disk page, click Show All Available Disks.
11. In the Show All Available Disks dialog box, select the Disk 1 check box, and then click OK.

12. On the Select Destination Disk page, select the Disk 1 check box, and then click Next.

13. When the Windows Server Backup dialog box appears, informing you that all data on the disk will be
deleted, click Yes to continue.

Note: You will cancel the process in the next step to avoid formatting drive E.

14. On the Confirmation page, click Cancel to avoid formatting drive E.

 Task 3: Perform an interactive backup


1. In the Actions pane, click Backup Once.

2. On the Backup Options page, ensure that Different options is selected, and then click Next.

3. On the Select Backup Configuration page, click Custom, and then click Next.

4. On the Select Items for Backup page, click Add Items.

5. In the Select Items dialog box, click System state, and then click OK.
6. Click Advanced Settings, and then click the VSS Settings tab.

7. Click VSS full Backup, click OK, and then click Next.

8. On the Specify Destination Type page, click Next.


9. On the Select Backup Destination page, click Next.

10. On the Confirmation page, click Backup, and then click Close.

Note: The backup will take about 10–15 minutes to complete. After the backup
completes, close Windows Server Backup.

 Task 4: Delete an OU

Note: Wait until the backup completes before proceeding.

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.

2. On the Menu bar, click View, and then click Advanced Features.

3. In the console tree, expand Adatum.com, and then click the Research organizational unit (OU).
4. Right-click Research, and then click Properties.

5. In the Research Properties dialog box, on the Object tab, clear the Protect object from accidental
deletion check box, and then click OK.
6. In the navigation pane, right-click Research, and then click Delete.

7. When a confirmation message appears, click Yes.

8. When a warning message appears, click Yes.


9. Wait for the deletion to complete.

10. Verify that the Research OU was deleted.



 Task 5: Restart in Directory Services Restore Mode (DSRM)


1. On LON-DC1, click Start, right-click Windows PowerShell, and then click Run as Administrator.

2. In the Windows PowerShell command-line interface, at the command prompt, type the following
command, and then press Enter:

bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press Enter:

shutdown /t 0 /r

 Task 6: Restore System state data


1. Sign in to LON-DC1 as Administrator with the password Pa55w.rd.

2. Click Start, right-click Windows PowerShell, click More, and then click Run as Administrator.

3. At the Windows PowerShell command prompt, type the following command, and then press Enter:

wbadmin get versions -backuptarget:E: -machine:LON-DC1

Note the version identifier that the command returns.


4. At the command prompt, type the following command, where version is the number that you recorded
in the previous step, and then press Enter:

wbadmin start systemstaterecovery -version:<version> -backuptarget:E: -machine:LON-DC1

For example:

wbadmin start systemstaterecovery -version:01/22/2011-10:37 -backuptarget:E: -machine:LON-DC1

5. Type Y, and then press Enter.


6. Type Y, and then press Enter.

Note: The restoration will take about 30–35 minutes. Depending on the host machine, it
could take up to an hour.

7. When prompted to restart, type Y, and then press Enter.

 Task 7: Mark restored information as authoritative


1. Sign in to LON-DC1 as Administrator with the password Pa55w.rd.

2. When prompted, press Enter.


3. Click Start, right-click Windows PowerShell, point to More, and then click Run as administrator.

4. At the Windows PowerShell command prompt, type the following command, and then press Enter:

NtdsUtil.exe

5. At the command prompt, type the following command, and then press Enter:

activate instance ntds



6. At the command prompt, type the following command, and then press Enter:

authoritative restore

7. At the command prompt, type the following command, and then press Enter:

restore subtree "ou=Research,dc=adatum,dc=com"

8. In the confirmation dialog message box that displays, click Yes.

9. Type quit, and then press Enter.

10. Type quit, and then press Enter.


11. At the command prompt, type the following command, and then press Enter:

bcdedit /deletevalue safeboot

12. At the command prompt, type the following command, and then press Enter:

shutdown /t 0 /r

 Task 8: Verify that the data has been restored


1. Wait for LON-DC1 to restart.
2. Sign in to LON-DC1 as Adatum\Administrator with the password Pa55w.rd.

3. In Server Manager, from the Tools menu, click Active Directory Users and Computers.

4. In the console tree, expand Adatum.com, and then verify that the Research OU is restored. Note that
you might have to force a site replication in Active Directory Sites and Services to see the change
immediately.
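The note in step 4 about forcing replication can be turned into a repeatable check. The following PowerShell script is an added example, not part of the lab: it asks every domain controller directly whether the restored Research OU is present, pushes the object from LON-DC1 to any DC that still lacks it, and shows the attribute version on each DC, which an authoritative restore inflates so that the restored copy wins replication. It assumes the ActiveDirectory module on LON-DC1 and the OU DN used in Task 7.

```powershell
# Added example (not the lab's code): verify an authoritatively restored object
# on every DC and replicate it on demand where it is still missing.
Import-Module ActiveDirectory

function Test-RestoredObjectOnAllDCs {
    # Queries each DC with -Server so that a copy that has not replicated yet is
    # reported as missing rather than masked by the locator picking another DC.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $present = $false
        $version = $null
        try {
            $null = Get-ADObject -Identity $DistinguishedName -Server $dc.HostName
            $present = $true
            # The authoritative restore in Task 7 raises attribute versions by a
            # large increment; a DC still showing a low version has the old copy.
            $version = (Get-ADReplicationAttributeMetadata -Object $DistinguishedName `
                -Server $dc.HostName | Where-Object AttributeName -eq 'name').Version
        } catch { }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Present          = $present
            NameVersion      = $version
        }
    }
}

function Sync-RestoredObject {
    # Pushes the object from the DC you restored on to any DC that lacks it
    # (the manual replication step that Task 8 mentions), then re-checks.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$SourceDC
    )
    $missing = Test-RestoredObjectOnAllDCs -DistinguishedName $DistinguishedName |
        Where-Object { -not $_.Present -and $_.DomainController -ne $SourceDC }
    foreach ($entry in $missing) {
        Sync-ADObject -Object $DistinguishedName -Source $SourceDC -Destination $entry.DomainController
    }
    Test-RestoredObjectOnAllDCs -DistinguishedName $DistinguishedName
}

# Lab values: the Research OU restored on LON-DC1 in Task 7.
Sync-RestoredObject -DistinguishedName 'OU=Research,DC=adatum,DC=com' -SourceDC 'LON-DC1.adatum.com' |
    Format-Table -AutoSize
```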

Results: After completing this exercise, you should have successfully performed an interactive backup and
an authoritative restore of Active Directory Domain Services (AD DS).

Exercise 2: Recovering objects in AD DS


 Task 1: Verify requirements for Active Directory Recycle Bin
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Domains and Trusts.

2. In the Active Directory Domains and Trusts console, right-click Active Directory Domains and
Trusts, and then click Raise Forest Functional Level.

3. Confirm that the value of Current forest functional level is Windows Server 2012 R2, and then click
Cancel.

4. Close the Active Directory Domains and Trusts console.

Task 2: Enable the Active Directory Recycle Bin feature

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Module for
Windows PowerShell.

2. At the command prompt, type the following command, and then press Enter:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=adatum,DC=com' -Scope ForestOrConfigurationSet -Target 'adatum.com'

3. Type Y, and then press Enter.

4. After the command prompt is returned to you, close the Windows PowerShell window.
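Task 1 and Task 2 together are a prerequisite check followed by an irreversible change, which is exactly the kind of thing worth scripting with guards. The following is an added example, not part of the 20742B lab; it assumes the forest is adatum.com and that you are running as a member of Enterprise Admins. It checks the forest functional level in code rather than by eye, skips the enable step if the feature is already on, and reads back the deleted-object lifetime so that you know how long a deleted object stays recoverable.

```powershell
# Added example (not from the 20742B lab): Task 1 and Task 2 with guards.
# Assumed forest: adatum.com; caller is an Enterprise Admin.
Import-Module ActiveDirectory

function Enable-RecycleBinIfNeeded {
    $forest = Get-ADForest

    # Recycle Bin requires the forest functional level Windows Server 2008 R2 or
    # higher. ADForestMode is an enum whose numeric value increases per release,
    # so a numeric comparison covers every later level as well.
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$minimum) {
        throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 R2 or higher first."
    }

    # EnabledScopes is empty until the feature has been enabled somewhere.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -gt 0) {
        $state = 'already enabled'
    } else {
        # Enabling is permanent and replicates forest-wide. -Confirm:$false
        # replaces the Y typed in step 3 of Task 2.
        Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
            -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
        $state = 'enabled now'
    }

    # The recovery window: msDS-DeletedObjectLifetime governs how long a deleted
    # object can be restored with Restore-ADObject (180 days when unset, which
    # then also follows tombstoneLifetime). Both live on the Directory Service object.
    $dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsObject -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime

    [pscustomobject]@{
        Forest                 = $forest.Name
        ForestMode             = $forest.ForestMode
        RecycleBin             = $state
        DeletedObjectLifetime  = $ds.'msDS-DeletedObjectLifetime'
        TombstoneLifetime      = $ds.tombstoneLifetime
    }
}

Enable-RecycleBinIfNeeded
```

Reading the two lifetime attributes is the check most administrators forget: if both are unset, the defaults apply, but on a forest that was first built on an old Windows version the tombstone lifetime may be 60 days rather than 180, and that shorter window then applies to Recycle Bin restores too.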

Task 3: Delete objects to simulate accidental deletion

1. In Server Manager, click Tools, and then click Active Directory Users and Computers.

2. Navigate to the Sales OU.

3. Right-click Abbie Parsons, and then click Delete.

4. In the confirmation window, click Yes.


5. Close Active Directory Users and Computers.

Task 4: Perform object restoration with the Active Directory Module for Windows PowerShell
1. In Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.

2. Type the following command, and then press Enter:

Get-ADObject -Filter {displayName -eq "Abbie Parsons"} -IncludeDeletedObjects | Restore-ADObject

3. Close the Windows PowerShell window.

Task 5: Verify object restoration

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. Make sure that Abbie Parsons exists within the Sales OU.
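The one-line pipeline in Task 4 works because Abbie Parsons' parent OU still exists. The following is an added example, not part of the 20742B lab, that generalizes Task 4 and Task 5: it lists what is actually in the Recycle Bin, restores by display name, and handles the case the lab does not exercise, where the object's original OU was deleted as well, so the parent has to be restored first (or a different target container supplied). The display name Abbie Parsons and the Sales OU path are taken from the lab; the Recycle Bin is assumed to be enabled.

```powershell
# Added example (not from the 20742B lab): Recycle Bin restore with a parent check.
# Assumptions: Recycle Bin enabled; sample object Abbie Parsons in OU=Sales,DC=adatum,DC=com.
Import-Module ActiveDirectory

function Get-RecycleBinObject {
    param([string] $DisplayName)
    # isDeleted marks recoverable objects; the 'Deleted Objects' container itself
    # is excluded because it is not something you can restore.
    $objs = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties displayName, lastKnownParent, whenChanged
    if ($DisplayName) { $objs = $objs | Where-Object displayName -eq $DisplayName }
    $objs
}

function Restore-RecycleBinObject {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $DeletedObject,
        [string] $TargetPath
    )
    process {
        $parent = $DeletedObject.lastKnownParent

        # If the original container was deleted too, lastKnownParent points into
        # CN=Deleted Objects and Restore-ADObject fails with "parent not found".
        # Restore the parent first (recursively, in case its parent is gone too)
        # unless the caller chose an existing -TargetPath instead.
        if (-not $TargetPath -and $parent -like '*,CN=Deleted Objects,*') {
            Write-Verbose "Parent $parent is deleted as well; restoring it first."
            Get-ADObject -Identity $parent -IncludeDeletedObjects -Properties lastKnownParent |
                Restore-RecycleBinObject | Out-Null
        }

        if ($TargetPath) {
            $DeletedObject | Restore-ADObject -TargetPath $TargetPath
        } else {
            $DeletedObject | Restore-ADObject
        }

        # Task 5 in code: look the object up by GUID, which survives the rename
        # that deletion applied, and show where it now lives.
        Get-ADObject -Identity $DeletedObject.ObjectGUID -Properties displayName |
            Select-Object displayName, DistinguishedName
    }
}

# Inventory first, so you restore the right copy if several deleted objects share a name.
Get-RecycleBinObject | Select-Object displayName, lastKnownParent, whenChanged

# Task 4 equivalent, with the parent check, then the Task 5 check scoped to the Sales OU.
Get-RecycleBinObject -DisplayName 'Abbie Parsons' | Restore-RecycleBinObject -Verbose
Get-ADUser -Filter 'displayName -eq "Abbie Parsons"' -SearchBase 'OU=Sales,DC=adatum,DC=com'
```

Listing the Recycle Bin before restoring is deliberate: the lab's filter on displayName restores every deleted object with that name, and whenChanged plus lastKnownParent is what tells two deleted "Abbie Parsons" accounts apart.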

Results: After completing the exercise, you should have enabled and tested the Active Directory Recycle
Bin feature successfully.

Task 6: Prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.
