Practical Windows Lab 1 25
Uploaded by
RFID DemarkaPractical Windows Lab 1 25
Uploaded by
RFID DemarkalOMoARcPSD|5957588
Practical - Windows lab 1-25
Windows server technology (Hogeschool West-Vlaanderen)
StuDocu no está patrocinado ni avalado por ningún colegio o universidad.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 1
INSTALLATION OF A WINDOWS SERVER
In this lab you will install two Windows Server 2012 R2s in a virtual environment (VMware
Workstation) on your laptop: the first one as a full installation and the second one as a
core installation.
1. If you have not done this yet, install VMware Workstation 12 Pro on your laptop. You
can download this software from our Howest software server:
https://software.howest.be/software%20studenten/Virtualizatie/VMware_Player-
Workstation/
In this folder you can also find a file with the key that you need for your VMware
Workstation Pro.
2. Download the latest ISO file of Microsoft Windows Server 2012 R2 with Update
(English). This file is also present on the Howest software server:
https://software.howest.be/software%20studenten/Microsoft/Windows%20Server%2
02012%20R2%20(x64)%20-
%20DVD%20(English)/en_windows_server_2012_r2_with_update_x64_dvd_60527
08.iso
3. Create a new virtual machine in VMware Workstation Pro. A wizard will help you to
create the virtual machine (VM):
a. Choose for Typical installation
b. Choose to install from an ISO file and select your downloaded ISO file.
VMware will use Easy Install to install the OS. This will automate the
installation and install the VMware Tools.
c. In the next window:
i. Don’t enter your Windows product key
ii. Choose “Windows Server 2012 R2 Datacenter” as the version of
Windows to install
iii. Enter your (first) name and a password (choose preliminary 123456 as
your initial password)
d. VMware will warn you for not entering the product key. Click “Yes” to continue.
e. Enter “Windows Server 2012 R2” as your virtual machine name.
f. Leave all the defaults until you arrive at the “Specify Disk Capacity” step.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
g. Choose “store virtual disk as a single file” and continue with the defaults.
h. Click the “Finish” button. VMware will now install Windows Server.
4. After the installation, VMware will restart your Windows Server VM. Log in to your
server with the credentials you entered before (see 3ciii). As you will see, the
NumLock is not enabled…
5. A consequence of the previous installation procedure (Easy Install), you are stucked
with a QWERTY keyboard. Check this out!
HKCU/Keyboard Layout/Preload/1 00000813 (azerty)
If that’s a problem for you: change the keyboard layout to AZERTY.
6. Shut your Windows Server down and change the VM BIOS settings to solve the
NumLock problem.
7. Restart your Windows server. Your NumLock should now be enabled when you enter
your credentials.
8. Log in with your own user account. Change your password and choose a complex
password (this is the default password policy).
9. Log in with the built in Administrator account. Normally you will be asked to choose a
password for this account.
10. Create a second Windows Server VM. A wizard will help you to create the virtual
machine (VM):
a. Select Typical installation
b. Choose to install from an ISO file and select your downloaded ISO file.
VMware will use Easy Install to install the OS. This will automate the
installation and install the VMware Tools.
c. In the next window:
i. Don’t enter your Windows product key
ii. Choose “Windows Server 2012 R2 Datacenter Core” as the version
of Windows to install
iii. Enter your (first) name and a password (choose preliminary 123456 as
your initial password)
d. VMware will warn you for not entering the product key. Click “Yes” to continue.
e. Enter “Windows Server 2012 R2 bis” as your virtual machine name.
f. Choose “store virtual disk as a single file”.
g. Click the “Finish” button. VMware will now install Windows Server.
11. As a consequence of the previous installation procedure (Easy Install) you are stuck
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
with a QWERTY keyboard. Check this out!
If that’s a problem for you: change the keyboard layout to AZERTY.
12. Make sure that the NumLock is on before you log in to your new Windows VM (see
exercise 6).
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 2
BASIC CONFIGURATION OF A WINDOWS SERVER
In this lab you will do some basic configuration on your servers.
1. Log in to your first Windows Server and use Server Manager.
Change the computer name of your server into: DC-YourFirstName (for example:
DC-chris).
Attention: don’t do this by changing the field “computer description” !!!
You will have to restart your server.
2. After restarting your VM, log in to your server with your own credentials.
By default, VMware Workstation makes use of NAT networking: a VM is created in a
separate private network, and gets an IP address from the virtual DHCP server.
Some characteristics of the default NAT network (VMnet 8):
- IP address range: 192.168.x.128 -192.168.x.254
- Subnet IP address: 192.168.x.0
- Default gateway: 192.168.x.2
- IP address DHCP Server: 192.168.x.254
(x is a random number between 0 and 255)
For more details about virtual networks in VMware Workstation: cfr chapter 9 p. 177
in the VMware Workstation 12 Pro Documentation (PDF):
URL: http://pubs.vmware.com/workstation-12/topic/com.vmware.ICbase/PDF/workstation-
pro-12-user-guide.pdf
Check the value of x on your laptop in the VMware Workstation console (menu Edit
> Virtual Network Editor).
Write down this value here: x = 148
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
3. Record the following information about the network card (Ethernet0) of your server.
Make use of the GUI interface to search this information.
- IPv4 address: 192.168.148.132
- Subnet Mask: 255.255.255.0
- Default Gateway: 192.168.148.2
- DHCP Server: 192.168.148.254
- DNS Server: 192.168.148.2
4. Usually servers have a fixed (static) IP address. Because your server has a dynamic
IP address, you will have to change that.
Use the following configuration:
- IPv4 address: 192.168.x.100 (x is the number you wrote down in exercise 2)
o 192.168.148.132
- Subnet Mask: the same as in exercise 3
o 255.255.255.0
- Default gateway: the same as in exercise 3
o 192.168.148.2
- DNS Server: the same as in exercise 3
o 192.168.148.254
5. You can check your new IP configuration by pinging from your server to the IP
address of your host machine (laptop).
Write down your ping command here: ping 192.168.56.1 ( from server to host )
Windows firewall - Advanced Settings - Inbound Rules - Enable File and Printer
sharing ( Echo Request - ICMPv4 and v6 in )
Then --> ping 192.168.241.100
Try to ping from your host to your server. This will not work because incoming ICMP
messages are blocked by the Windows Firewall on your server. Check this out!
Change the Windows Firewall settings on your server to avoid this blocking. All you
have to do, is to enable one incoming built-in rule…
6. Check out if you can browse to www.google.com
This will not be possible, because the Internet Explorer Enhanced Security
Configuration (IE ESC) is enabled by default (for security reasons).
Because you are using your servers for testing, you have to disable IE ESC for all
users.
Server manager - Local server - IE Enhanced Security Configuration Setting ( default
on ) - Set both on OFF. Restart server ..
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Surfing is enabled.
Hint: use Server Manager!
Check whether you can actually surf to any site now.
7. Log in to your second Windows Server (Windows core server) with your own
credentials. Because you’re on a core server now, you will need to resolve all
remaining exercises with commands! Note these commands down under each task.
Display the name of your computer, making use of the hostname command.
Hostname
Display the name of your computer, making use of an environment variable. Make
use of a Windows command and a PowerShell command.
8. Use the sconfig command to change the computer name of your server into:
testserver
You will have to restart your server.
Log in to your core server with your own credentials and change the computer name
in MS-YourFirstName (for example: MS-chris), making use of a Powershell
command.
sconfig
4 - change computer name to 'testserver' - restart
Change to MS-Nicolas
-> in cmd - type 'powershell' -> Rename-Computer MS-Nicolas -> Restart
9. Write down the IP address of your core server.
IPv4 address: 192.168.148.133
10. Usually servers have a fixed (static) IP address. Because your core server also has
a dynamic IP address, you will have to change that.
netsh interface ip set address name"=Ethernet0" static 192.168.148.101
255.255.255.0 192.168.148.2
Choose the following configuration:
- IPv4 address: 192.168.x.101 (x is the number you wrote down in exercise 2)
- Subnet Mask: the same as in exercise 3
- Default gateway: the same as in exercise 3
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
- DNS Server: the same as in exercise 3
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 3
ROLES & FEATURES ON A WINDOWS SERVER
In this lab you will add and remove roles and features with PowerShell and the GUI.
1. Log in to your second Windows Server (Windows Server Core) with your own user
account. Run Windows PowerShell as an administrator and perform the following
tasks with PowerShell commands.
a) Update the help files on your server.
Update-Help
b) Display a list of PS-cmdlets with feature in their name.
Get-command -CommandType Cmdlet -Name *feature
c) Display a list of roles and features on your server (take a good look at the output
of the previous command).
Get-WindowsFeature
d) Display a list of all installed roles and features.
Get-WindowsFeature | Where Installed
Hint: first of all, use the get-help command for examples about the usage of your
previous command.
e) Switch your core server to a full GUI server.
Install-WindowsFeature Server-Gui-Mgmt-Infra
2. Switch your new full GUI Server back to a core server by using the GUI interface.
From shell to GUI
--> Install-WindowsFeature Server-Gui-Shell -> succes
or
mkdir c:\mount
dism /get-wiminfo /wimfile:d:\sources\install.wim
dism /mount-wim /wimfile: d:\sources\install.wim /Index:3 /mountdir:C:\Mount\
/readonly
Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra -Source
C:\Mount\Windows\SXS
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
From GUI to shell
------------------
Server Manager
manage
Remove roles and features
features
Untick user interfaces and Infrastructure - remove features
Confirmation -> Next -> Remove
OR
Removing the GUI from a full installation , using powershell
------
Uninstall-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 4
INSTALLATION OF A DOMAIN
In this lab you will install one domain controller and one member server belonging to the
same domain.
1. Log in to your first server (full GUI server) with your own account and take a
snapshot (name: “Full installation standalone server”).
Vmware -> VM -> Snapshot -> Name = Full installation standalone server
2. Convert your server from a standalone server to a domain controller. First of all,
you have to install the server role “Active Directory Domain Services” and all
features that are required for this server role.
After the installation, Windows will notice that additional steps are required to make
your server a domain controller. Click the (blue) link “Promote this server to a
domain controller” to do so.
The “Active Directory Domain Services Configuration Wizard” will help you with the
configuration process:
- First window: select the third radio button (because it’s your first DC) and enter
wst-YourFirstName.local (e.g.: wst-chris.local) as your root domain name.
- Second window:
o Because we are using only Windows Server 2012 R2 servers, you don’t
have to change the default settings for forest and domain functional level
(Windows Server 2012 R2)
o Don’t change the domain controller capabilities (DNS server, GC server,
no RODC)
Why can’t you configure this server as a RODC?
It’s our first DC , if this would be a RODC we would not be able to do anything
o Enter a password for the Directory Services Restore Mode.
- Third window: Windows will warn you that a delegation for this DNS cannot be
created because the parent zone cannot be found, but that’s no problem in our
virtual network. So you don’t have to configure DNS delegation.
- Fourth window: the suggested NETBIOS name (wst-YourFirstName) is OK.
- Fifth window: the default settings are OK
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
- Sixth window: the default settings are OK
- Seventh window: click the “Install” button (you have to wait a moment because of
the prerequisites check)
Server manager
Manage
Add roles or features
Server roles -> Active directory Domain Services -> Add Features -> install
Promote server -> Add a new Forest -> Domain name : wst-Nicolas.local -> next -
> Password : Nicolas123456. (qwerty @ login)
NetBIOS domain name = wst-Nicolas
3. At the end of the installation process, Windows will restart your server and will
suggest you to log in with your domain account (and not your local account).
Enter your password to sign in and use a Windows command to display the current
user name.
Write down this name: wst-Nicolas\poppe
4. By converting your server to a domain controller, Windows has installed a lot of
new tools. Check this out with Server Manager.
5. Open the ADU&C (Active Directory Users and Computers) console and check out
if your server is in the “Domain Controllers” container.
Tools - Active Directory Users and Computers
wst-Nicolas.local is present in the Domain Controller
6. In the following exercise you have to make your second server (core server) a
member server of the domain you just installed. This will only be possible if your core
server can translate the domain name to an IP address. This is currently not the case
because your core server doesn’t use a DNS server that can do this translation.
Customize this!
Hint: use the sconfig command!
Use the NSLOOKUP command on your core server to check if you can resolve the
name of your domain controller.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
7. Join your second server (core server) to the domain you created in exercise 2 (wst-
YourFirstName.local). Make use of a PS cmdlet to do so.
Powershell -> Add-Computer -DomainName wst-Nicolas
8. At the end of the join process, your core server will restart. Log in with your personal
domain account and check out if your server is converted from a standalone to a
member server. Check this on your core server and on your domain controller.
9. Use a Windows command to display the current user name on your core server.
Write down this name:
Log off your core server and log in with your local user account.
Use a Windows command to display the current user name on your core server.
Write down this name:
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 5
DOMAIN SPECIFIC CONSOLES
In this lab you will learn to use some domain specific consoles and commands for
querying the Active Directory.
1. Log in to your domain controller with your personal domain account and open the
“Active Directory Users & Computers” (ADU&C). Look for the following objects in
AD:
all users and groups having a name beginning with the letter “a”
all computers
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
2. In which AD container can you find the “Administrators” group?
Which users and groups are members of the group “Administrators”?
Administrators , Domain Admins , Entreprise admins , Nicolas
3. Open the properties of your own account in the ADU&C console. In this window
you can find the most frequently used attributes of the selected account.
To view all the attributes of a user account, you first have to select the “Advanced
Features” in the menu “View” of the ADU&C-console, and then select the
“Attribute editor” tab.
Use a filter to show all attributes of your user account that has values.
4. Open the “Active Directory Sites and Services” console and answer the following
questions:
- How many sites are part of your domain? 1
- What is the (value of the) default inter site replication time? 180
5. Use the “Active Directory Domains and Trusts” console to demonstrate that …
- your domain is the only domain in the forest
- the domain and the forest functional level = “Windows Server 2012 R2”
Commando mmc en dan add/remove snapp-in
6. With the “Schema Master Management” console, you can retrieve information
about the schema (and all attributes) of your domain.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
To use this console, you have to load the schmmgtm.dll in the registry. Use the
following command:
regsvr32 schmmgmt.dll
You will not find the “Schema Master Management” console in the “Tools” menu of
Server Manager…
Hint: use the “mmc” command.
regsvr32 schmmgmt.dll
Use the Schema Master Management” console to find out the use of the “sn”
attribute. Surname Attribute
7. Open the DNS server management console and search the host record of your
domain controller.
Active Directory uses DNS as its locator service to support the various types of
services that AD offers, such as the Global Catalog (GC). As a consequence you
can find the GC-servers by searching the corresponding records in the DNS server
management console. Check this out!
Search the host record of the GC-server(s) by using a Windows command.
nslookup gc._msdcs.wst-Nicolas.local
or
nslookup gc._msdcs %USERDNSDOMAIN%
Prove that your DC is a GC-server by using the Active Directory Sites & Services
console.
NTDS settings of your server
8. You can use the command-line tool dsquery for finding objects in the Active
Directory.
Use the dsquery tool to …
- list all computers in your domain.
dsquery computer
- list all domain controllers in your domain
dsquery server
- list the schema master of your domain (forest)
dsquery server -hasfsmo schema
9. Log in to your core server with your personal account and check out if you can use
the dsquery tool on that server.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
This will not be possible because the dsquery tool is only available if you have the
Active Directory Domain Services (AD DS) server role installed.
To use the dsquery from your member server, you have to make a remote
PowerShell connection with your DC. You can do this with the pssession
command. The prompt will tell you, you are working on the DC.
Make a remote PS-connection from your MS with your DC and …
pssession
- list all users of your domain with a dsquery command
dsquery user
- list the GCs of your forest with a dsquery command
dquery server-isgc
- list the GCs (and nothing else) of your forest with a PS-cmdlet
get-adforest | select GlobalCatalogs
- list the PDC (and nothing else) of your domain with a PS-cmdlet
get-adforest | select PDCEmulator
- exit the remote PS-connection
exit
10. Turn back to your DC and enable the Recycle Bin for the Active Directory.
11. Add a new OU in the ADU&C console.
Remove this OU.
Restore this OU using the AD Recycle Bin
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 6
USER MANAGEMENT
In this lab you will learn how to manage users and groups in a Windows domain.
1. Log in to your member server with the built-in domain administrator account
and perform the following tasks with Windows commands (no PS cmdlets):
Display the name of the current user
whoami
Display the SID of the current user
Whoami /user
Display the DN (distinguished name of the current user)
Whoami /FQDN
Display a list of all local users.
Net users
Display a list of all domain users.
Net users /domain
Add a new domain user with the name jan.
Net user jan /add Test123. /domain
Make jan a member of the local Backup Operators.
Net localgroup “Backup Operators” jan /add
Display a list of all members of the local Backup Operators group.
Net localgroup “Backup Operators”
Display a list of all members of the domain Backup Operators group.
Net localgroup “Backup operators” /domain
Display the domain based password policy settings.
Net accounts
Change the minimum password length for all domain users to 8 characters.
Net accounts /MINPWLEN:8
Check this by displaying the domain based password policy settings again.
You will notice the minimum password length hasn’t been changed. Why?
Was instantly changed
Update all domain policy settings and verify the password settings. The
minimum password length should be changed now…
2. Log in to your domain controller with your personal user account and note the
DN of user jan, by using the GUI.
First of all Tools AD Computers and Users View Advanced Features
Tools AD Computers and Users Users Jan Properties
DN = CN=jan,CN=Users,DC=wst-nicolas,DC=local
3. Take a screenshot of the window where you can find the SID and GUID of jan.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
4. Log in to your domain controller with the built-in Administrator account.
How many days can a domain user use his password before the system requires
the user to change it? Check this setting by viewing the Default Domain
Controllers Policy.
Tools Group Policy Management Click Forest Click wst-nicolas.local
click Default Domain Policy Settings
Number of days = 42
Edit on days Policies Windows Settings Security Settings Account
Policies Passsword Settings
Change this number of days to 300 by using the Default Domain Controllers
Policy.
OU = Organizational Unit
5. Create an OU in the Active Directory with the name “Testusers” and create a
domain user in it with the following properties:
Tools User and Computers Right click ‘new – Organizational Unit’
- First and last name: your own first and last name (don’t use initials)
- User logon name: your last name (without spaces), followed by the first
letter of your first name (e.g.: ledouxc)
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
- Password: Server2012
- This user should not have to change his password at next logon
- The account must expire at 30 September 2016
- Description: free to choose
- First create then EDIT ( via properties )
- Office: RSS
- This user may only log on to your member server, every day from 8h to
18h
- The user must be a member of the Domain Admins group
6. Check the user settings of the new account using a Windows command.
Net user poppen
7. Perform the following tasks with PS cmdlets:
Display all attributes of the account, created in exercise 5.
Get-aduser poppen –properties *
Display the SID and the GUID of that account
Get-aduser poppen –properties sid,objectguid
Display the samaccount and the distinguished names of all users.
Get-aduser poppen –properties distinguishedname,samaccountname
8. Log in to your member(core) server with the account created in exercise 5.
Poppen , password = Server2012
Are you logged in with a local or a roaming profile? Explain!
Local
In which folder is your profile stored?
It’s stored in the Users folder
9. Go to your DC and change the password of the domain guest account
With the GUI
With a Windows command
i. Net user Guest password:Test
10. Change the following settings of the account created in exercise 5, using only 1
PS-cmdlet:
- Delete the Description
- Add a title: CIO
- Change the office to: Bruges
Set-aduser –Identity poppen –Description ‘’ –Title CIO –Office Bruges
11. Create a domain user with the following attributes, using only 1 PS-cmdlet:
- Logon name: pietersp
- Password: Friday13th!
- First name: Piet
- Last name: Pieters
- Display name: Piet Pieters
- OU: Testusers
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
- Account enabled
Use the following parameter in your cmdlet to set the password:
-AccountPassword (ConvertTo-SecureString -AsPlainText "Friday13th!" -Force)
Check all the account settings after the creation of this new account.
New-aduser -name pietersp -AccountPassword (ConvertTo-SecureString -
AsPlainText "Friday13th!"
-Force) -displayName "Piet Pieters" -enabled 1 -givenname Piet -Path
"Ou=Testusers, DC=wst-nicolas, DC=local" –Surname Pieter
12. Make use of a fine-grained password policy to ensure that only the user pietersp
has to use a password of minimum 15 characters.
Tools Active directory Administrative Center Tree View (!) wst-nicolas
System Password Settings Container New Name = pietersp , precedence
= 1 + minimum password length = 15
13. Turn off your domain controller and log out of your member server.
Log in to your member server with the account created in exercise 5.
Despite your DC being turned off, you can still log in to the domain. Explain why!
Password is being cached
Log out of your member server.
14. Turn on your domain controller and log in with the built-in domain administrator
account.
Make sure user credentials are no longer cached on computers in your domain.
To do this, create a new GPO (Group Policy Object), with the name
NoCachedCredentials and link this GPO to your domain.
Group policy mmc Group Policy Object new Name =
NoCachedCredentials Ok , Edit afterwards
In Edit Policies Windows settings Security Settings Local policies
Security Options Interactive logon Number of previous logons …
Properties Set Number to ‘0’.
Repeat exercise 12 to test your new GPO.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
15. With which PS cmdlet can you display a list of …
a) all domain users and their logon time
Get-AdUser -Filter * -properties * |select lastlogondate
b) all domain users with a disabled account
Get-AdUser –Filter ‘Enabled –eq $false’
c) all groups where the administrator account belongs to
Get-AdPrincipalGroupmembership administrator | select name
16. Create a global security group (name: testglobalgroup) and make 2 accounts a
member of this group (the first account with the GUI, the second with a
command).
Check if you can use this group to assign NTFS permissions to a folder on your
computer.
GUI
CMD Add-AdgroupMember testglobalgroup poppen
17. Create a domain local distribution group (name: testdomainlocalgroup) and
make 2 accounts a member of this group.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Check if you can use this group to assign NTFS permissions to a folder on your
computer.
18. Find out if it’s possible to add a domain local group to a global group.
?
19. Find out if it’s possible to add a global group to a domain local group.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 7
NTFS PERMISSIONS
In this lab you will learn how to manage NTFS permissions on files and folders.
1. Log in to your domain controller with your personal user account and use the
GUI to check the NTFS permissions on your local profile folder.
Do you have explicit or inherited NTFS permissions on this folder? Explain!
2. Use File Explorer to create a folder named TEST in the root of the C-drive with
the following NTFS permissions:
- Administrators: Full Control
- Domain Users: the default Read permission
- Domain Guest: Deny all permissions
File explorer properties Security – Add permissions
If domain guest is not visible yet Edit Add Domain Guest
3. Use a Windows command to view the NTFS permissions on this new folder.
Icacls C:\TEST
Use a PS-cmdlet to view the NTFS permissions on this folder.
Cacls C:\TEST
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Use the format-list PS-cmdlet to format the output of your PS-cmdlet.
get-acl C:\TEST | FL AccessToString
4. Use File Explorer to check the owner of your TEST folder.
Properties Security tab Advanaced Owner = poppen
Use a Windows command to view the owner of your TEST folder.
Dir C:\TEST /Q
Use a PS-cmdlet to view the owner of your TEST folder in the following format:
Get-ACL C:\TEST | select-object owner
5. Use File Explorer to view the effective permissions of the user jan on your TEST
folder. ( perhaps you have to add the user ‘jan’)
6. Create a new subfolder (name : SUB) in your TEST folder and check out if the
NTFS permissions got inherited by this folder.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Ensure that the NTFS permissions of the domain guests on the SUB folder will
not be passed on to subfolders that will be made later in the SUB folder.
Verify this! CHECK , edit !
7. Log in to your core (member server) with the local Administrator account and
create the folder C:\TEST.
Mkdir TEST
Use a Windows command to ensure that the local Administrator has no longer
access to this TEST folder.
Icacls C:\TEST /deny Administrator:F
Verify this with the following command:
cd \TEST
Make sure you can access this folder again. You will need 2 Windows
commands to accomplish this….
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Icacls C:\TEST /grant Administrator:F
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 8
SHARED FOLDERS
In this lab you will learn how to manage shared folders and how to access those
shares.
1. Log in to your domain controller with the Administrator account and display a
list of all shares on your server, using a …
- Windows command
net share
- PS-cmdlet
Get-smbshare
2. Display a list of all shares on your member server, using a remote PowerShell
session on your DC.
enter-pssession ms-nicolas
get-smbshare
exit
3. Use a Windows command to create a network drive (drive letter: N) on your DC
to connect to the root share on your member server.
Net use n: \\dc-nicolas\netlogon /persistent:no
The command completed successfully !
Use a Windows command to display the content of the Windows drive on your
member server, using drive letter N.
Dir n:\
4. Open an empty console on your DC and try to add the Shared Folder snap-in
of your member server (not the local Shared Folder console) to view the shared
folders on your member server.
You will get an error message, because by default, the firewall on your member
server blocks such requests. So you have to enable the built-in firewall rules
for “File and Printer Sharing” on your member server, using a PS-cmdlet.
Once done, you can access the Shared Folder console of your member server.
Verify this and take a screenshot of the opened sessions in this console.
set-netfirewallrule -displaygroup "windows firewall remote management"
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Close the Shared Folder console.
5. Use a PS-cmdlet to display the SMB-protocol version.
Get-SmbConnection
6. Disconnect the mapped network drive on your DC with a Windows command.
Net use n: /delete
7. Use a PS-cmdlet to display a list of installed Windows features on your member
server. You will notice the legacy SMB1 protocol is installed.
Get-WindowsFeature FS-SMB1
Use a single PS-cmdlet to remove the SMB1 protocol on your member server
and to reboot right after.
Remove-WindowsFeature FS-SMB1
Immediate shutdown - shutdown -t 0 -r -f
8. Create a new domain user with user logon name Peter.
Net user Peter Friday13th! /domain /add
9. You should configure a roaming profile for Peter. Please follow these
configuration steps:
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
a) Create a shared folder, named Profiles, on your DC and apply the following
permissions on this folder:
Basic NTFS-permissions:
- Domain admins: Full Control
- Domain users: Read
Attention: apply the Read permission for the domain users on this folder
only (because otherwise each user can view the profile of any other user).
Share-permissions:
- Everyone: Full Control
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
b) Create a subfolder, named Peter.V2, in the Profiles folder and apply the
following basic NTS permissions to this subfolder:
- Domain admins: Full Control
- Peter: Modify
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
c) Apply a roaming profile to Peter by adding the following profile path to his
user properties (tab profile):
\\DC-Chris\Profiles\%username%
10. Create a logon script for Peter, which creates a mapped network drive (drive
letter: P) when he logs on to the domain. Make sure you store this script in the
default location (the NETLOGON share).
?????????
11. You should configure a home folder for Peter. Please use these configuration
steps:
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
a) Create a shared folder (name: Homefolders), on your DC and apply
appropriate permissions on this folder (cfr exercise 9a).
b) Create a subfolder (name: Peter), in the folder Homefolders and apply
appropriate permissions on this folder (cfr exercise 9b).
c) Apply a home folder to Peter by connecting drive letter H to the UNC path
of his home folder in his user properties (tab profile).
12. Log on to your member server with the credentials of Peter.
You should now be able to use drive letters H and P…. Verify this!
Create a text file in your H-drive.
On the member server login with peter , password : Server2012.
Log off and check out if this file has been created on your DC.
Check the content of the profile folder of Peter. This folder should contain
folders like Desktop, Documents, Downloads,...
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 9
EFS
1. Log in to your domain controller with your personal user account (not the
built-in Administrator)..
Poppen = Server2012
Create a folder, named PRIVATE, in the root of the C-drive and encrypt this
folder and its contents with EFS, using the GUI.
How do you recognize an encrypted folder in File Explorer?
Green Colored map name
Which attribute is set on this folder by EFS? You can view this attribute in File
Explorer by showing the Attributes column…
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
2. Create a text file in the PRIVATE folder with some text in it. You will notice
this file is automatically encrypted.
Open this encrypted file. You will notice this file will be decrypted
automatically.
Check the properties of this file to find out which 2 users can access/decrypt
this file.
Poppen & Administrator
Log in to your domain controller with another account (not your personal
account and not the built-in Administrator account) and try to access the
encrypted file. You should get an “access denied” error…
Account = Poppe
impossible to login with Jan , reason ? Jan is member on the member server and
cannot login on a DC
3. Log in to your domain controller with your personal user account.
Check out what happens to an unencrypted file when you copy that file to
your encrypted folder.
The copied file turns into an encrypted file
Check out what happens to an encrypted file when you copy that file from
your encrypted folder to an unencrypted folder on the same server.
Remains encrypted
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Check out what happens to an encrypted file when you copy that file from
your encrypted folder to an unencrypted shared folder on another server (your
member server).
Remains encrypted
4. When you encrypt a file or folder for the first time on a Windows server,
Windows will automatically create a personal EFS certificate for you.
This certificate can be viewed in two ways: with the Certificates console or
with the “Manage your file encryption certificates” wizard (via Control Panel >
User Accounts).
Use one of the above methods to answer the following questions:
- period of validity
valid from 3/16/2016 to 2/21/2116
- public key algorithm
RSA(2048bits)
- length of the public key
2048bits
- algorithm for digital signature
sha1RSA
- length of the digital signature
38 bytes
5. Export your personal EFS certificate and the corresponding private key to a
password protected file.
Certificatenvenseter –tab Details –copy to File certificate export to pfx-file
File = certificateEx5
Password : Server2012
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
6. Decrypt your PRIVATE folder with a Windows command.
Cipher /d /s:c:\private
7. Login to your member server with your personal user account and use
Powershell to perform the following actions:
- Change the current location to the personal certificate store of your user
account
PS => Set-Location cert:\currentuser\my
- Show a list of all your personal certificates
Dir or ls or Get-Childitem
- Pipe the output of your command to the format-list cmdlet for a list view.
Get-childitem|format-list
- Use the property * option of the format-list command to view all properties
of your certificate.
Get-childitem|format-list –property *
- Use another property option to view the digital signature only.
Get-childitem|format-list –property Thumbprint
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 10
SHADOW COPIES
1) Log in to your domain controller with the Administrator account and enable the
“Shadow Copies” feature with the default settings on the C-drive.
What is the default schedule setting of “Shadow Copies”?
See picture
When will the first shadow copy be created?
Weekly at 7 am
What is the maximum amount of hard disk space available for the “Shadow
Copies”? 3071 MB and at least 300MB free space to create a SC
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
2) By using “Shadow Copies”, you can recover deleted or modified files.
a) Create a testshadow file in the home folder of Peter.
b) Create a shadow copy.
Created on the C drive – properties – make shadown copy
c) Erase the testshadow file permanently (with the Shift+Delete key combination).
done
d) Recover the testshadow file.
Peter – Properties – Previous versions – Peter - Restore
3) Disable the “Shadow Copies” feature on the C-drive.
done
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 11
DFS
1) Log on to your DC and MS with the built-in Administrator account.
Create a shared folder (name: DFS1), on your DC.
Create a shared folder (name: DFS2) on your MS.
2) Create a domain-based namespace (name: your first name) on your DC, so your
DC can be used as a DFS host server for the 2 shared folders you created in
exercise 1. To do so, you have to create 2 folders in the namespace: one folder
with folder target DFS1 and one folder with folder target DFS2.
Enable DFS by adding roles
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
3) From now on, you can access DFS1 and DFS2 by using the same UNC path,
(without the name of a server). Write down the name of that path:
DFS1 = OK
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
DFS2 = OK
Powershell on core installation = install-windowsFeature FS-DFS-Replication
Path = wst-nicolas.local\Namespace-Nicolas\DFS1
4) You can use DFS for folder replication between DFS1 and DFS2. You can
accomplish this by performing the following actions:
- Create a second DFS namespace on your DC (name: your last name)
OK
- Create a folder in this namespace with folder target DFS1.
OK
- Add DFS2 as a second folder target to this folder.
OK
Please notice that you will have to install the DFS replication service on the
member server. You can do this by using Server Manager on your DC. Once
done, you have to use the Replication Folder Wizard to configure a replication
scheme. You can use the default settings for this.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
5) Test the folder replication by adding a new file to DFS1. After a while, this file
should also appear in the other folder (DFS2).
Check out reverse replication (DFS2 DFS1) by adding a new file in DFS2.
6) Disable the folder replication between DFS1 and DFS2 (don’t delete the folder
targets!).
Verify this out by adding a new file in one of the 2 folders. If you have done this
correctly, this new file should not appear in the other folder…
OK
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 12
DISK QUOTA & FILE SCREENING
1. Log on to your DC with the built-in Administrator account.
Check if volume based disk quota is enabled on your DC. Don’t change any
settings!!
File explorer - This PC- Rightclick C drive - properties - tab Quota
button show quata settings --> standard not enable ( do not enable)
2. Which role do you have to install on a server to be able to configure folder
quota on that server?
Install this role on your DC.
File server resource manager
3. Make sure that no user can save more than 100 MB in his home folder. Since
this needs to be set per user, you have to apply this quota to each existing
and new subfolders of the Homefolders folder you created in lab 8. You can
use the default “100 MB Limit” quota template.
4. Answer the following questions about the quota template:
- Is this quota a hard or soft quota? What’s the difference between these
two quota types? Hard quota
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
- When and how will users be notified about their folder quota?
Warning at 85 : email
Warning at 95 : email , event log
Warning at 100 : email , event log
5. Test the folder quota by performing the following steps:
- Make sure that Peter is a member of the Domain Admins group.
OK
- Log on to your DC with Peter’s account.
OK
- Open File Explorer to check the size of his home folder (H-drive).
0 bytes
- Copy the c:\windows\system32\imageres.dll (47 MB) file several times
into his home folder. You will get an error when you do this for the third
time. Why? File is 47 mb , 3 times exceeds the predefined 100Mb
quoate
Notice you can view the percentage of the quota limit, used by Peter, in the
File server resource Manager console…
Percentage = 95 %
6. Because the warning limit has been exceeded by Peter, Windows has
generated an error message in the Applications Log. Verify this using the
Event Viewer.
Tools – Event viewer – Windows logs -- Application
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
7. Block audio and video files in the home folders of the users. You can do this
by using file screening in the FSRM-console.
Which file extensions are blocked?
Test this by adding an audio or video file to your home folder.
impossible
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 13
INSTALLATION AND USE OF A CA
1. Log on to your DC with the built-in Administrator account.
Be sure your DC has the right name: DC-YourFirstname, because you can’t change
this name anymore after you have installed a CA on your DC…
2. Install the “Active Directory Certificate Services” role.
Select the Certification Authority and the Certification Authority Web Enrollment
role services to install.
Add the indicated (default) features that are required for Certificate Enrollment Web
Services (IIS will also be installed).
Select the indicated (default) role services to install for Web Server (IIS).
OK
3. After installation, you have to configure Active Directory Certificate Services on your
DC (post-deployment):
- Select the built-in Administrator credentials
- Select the Certification Authority and Certification Authority Web
Enrollment role services
- Select the Enterprise CA setup type
- Select the Root CA type
- Select the Create a new private key option
- Write down the following properties:
Default key length = 2048
Maximum key length = SHA1RSA
Hash algorithm = SHA1
Choose the default settings for the cryptographic options
- Choose the default name of the CA
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
- Write down your CA expiration date = 16 march 2021
Choose the default validity period
- Choose the default database locations
4. Open the installed Certification Authority console and write down the values of the
following fields of the self-signed certificate (the root certificate) of your CA:
- Serial number = 6d 43 55 41 45 1e b5 bf 46 a3 ce 5a 73 b4 ac 26
- Public key + key length = too long to wright down , length= 2048
- Thumbprint = ed 97 08 70 02 d+ 6+ fb 77 78 f1 80 b4 a0 8a 73 fd 37 7c f8
5. Are there any issued or revoked certificates in your CA console?
One issued request id 2
6. Back up the private key and the root certificate. Use a password to gain access to the
backup file.
Password = Server2012
7. Request a new certificate on your DC with the Certificates console (this is not the same
as the CA console!). Choose an Administrator certificate.
Certmgr Personal -- >Certificates rightclick all tasks new certificiate
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
certificate with same key
Write down the values of the following fields of this certificate:
- Serial number = 2e 6e b7 e1 88 25 76 86 4b 23 41 b3 38 03 23 9d
- Public key + key length = too long , 2048 bits
- Thumbprint = 59 c5 15 38 78 25 90 be 67 6b 29 6a 3a e2 04 03 53 08 6e 89
You will find this new certificate in your CA console too. Check this!
8. Open the IIS console to check the webpage you have to use for requesting certificates
with web enrollment.
Inetmgr
Write down the URL for web enrollment = http://localhost/certsrv/
Request a new certificate by using web enrollment.
You will get a message with instructions. What do you have to do first, if you want to
use web enrollment? Configure HTTPS
Attention: don’t use the root certificate as the SSL-certificate!!
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
After you have done this, you can request a new certificate again, using HTTPS and
the FQDN of your DC. Use the credentials of the built-in Administrator account.
You may install the issued certificate on your DC.
If you have done this well, you should be able to view this certificate in the CA console
and in the Certificates console. Check this out!
9. Open the Internet Explorer browser on your host machine and request a certificate
from your CA with web enrolment.
Try to install the issued certificate on your host machine. You will get an error because
your CA is not trusted. So you have to install the CA’s root certificate.
Not trusted
Check the certificate manager console on your host machine and search for the
installed root certificate.
In which container can you find this certificate? You have to copy this certificate to the
Trusted Root Certification Authorities container to be able to install your issued
certificate on your host machine. Check this out!
Intermediate Certification – Root agency
Copy to Personal
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 14
INSTALLATION OF A SECURED WEBSERVER
1. Log on to your DC with the built-in Administrator account.
2. Use IIS to add a new web site (don’t use the default web site) on your DC with the
following requirements:
- Physical location = C:\Website-YourFirstname (e.g.: C:\Website-Chris)
- Content: free to choose
- Bindings: HTTP protocol, TCP port 8080
3. Check out if you can browse to your web site from your host machine.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
4. Make sure that SSL is required to browse to your web site.
What happens now if you try to browse on your DC with the following URLs? Explain!
- http://localhost:8080 certificate error
- https://localhost certificate error
- https://dc-chris.wst-chris.local (replace chris by your own first name) OK
- https://192.168.x.100 (replace x by your own VMware number) certificate
error
5. Is it also possible to connect to the HTTPS web site on your web server from your
host machine?
No
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 15
GPOs
1. Log on to your DC with the built-in Administrator account and open the GPMC console.
a. How many GPOs are explicitly applied to your DC? 1
Group policy management Domain controllers 1
Or
Group policy management wst-nicolas.local group policy
inheritance tab 1
Default you always have inheritance by your domain controller
How many GPOs are implicitly applied to your DC? 1
b. Which of the GPOs linked to your domain will be the last one to be applied
(and hence has the highest priority)?
c. How can you quickly view the settings of the NoCacheCredentials GPO
(made in lab 6, exercise 14)?
Group policy management Wst-nicolas group policy objects
NoCachedCredentials
d. Change the GPO Status of the NoCachedCredentials GPO to minimize the
processing time of this GPO. Don’t forget to update your policies!
e. Write down the GUID of the NoCachedCredentials GPO below. You will
need this GUID for exercise 2…
GUID =
f. Check whether the Default Domain Policy is enforced on the domain or not.
Not enforced
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
g. Enable “Block Inheritance” on an OU. How does this OU appear in the
console tree? Disable “Block inheritance” on the OU.
2. Search for the GPC of the NoCachedCredentials GPO in the Active Directory and
search for the version number of this GPO.
Convert this number to its hexadecimal equivalent (use the windows calaclator)
Compare this hexadecimal number with the user version and computer version of the
GPO in the Group Policy Management console.
Search for the GPT of the NoCachedCredentials GPO in the SYSVOL folder.
Take a screenshot of the content of the file containing the GPO setting.
3. When you want to shut down a server, Windows will ask you why you want to do
that. Create a new GPO (name: DisableShutdownEventTracker) to disable this
setting. Verify this!
Disable setting daarna GPO UPDATE !
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
4. Create a new GPO (name: HomePageHowest) to assign www.howest.be as the
home page for Internet Explorer for domain users Jan and Peter. Use Policies (not
Preferences) to accomplish this. Attention: don’t use any filters!
Log on with the account of Peter and start Internet Explorer to check your GPO. If
you have configured it correctly, you should see the Howest site…
Disable changing home page settings needs to be disabled!! ( user / windows
components / internet explorer / Disable changing home page settings)
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Unlink this GPO. Logon again with the account of Peter and start Internet Explorer
again. What page do you see now?
5. Create a new GPO (name: HomePageGoogle) to assign www.google.be as the
home page for Internet Explorer for domain users Jan and Peter. Use Preferences
(not Policies) to accomplish this. Don’t use any filters!
NOT WORKING
Attention: you must press F5 (or F6), to confirm the home page entry. If
you do not, the setting will not be applied. Once you have done so, the
entry turns green!
Log on with the account of Peter and start Internet Explorer to check your GPO. If
you have configured it correctly, you should see the Google site…
Unlink this GPO. Logon again with the account of Peter and start Internet Explorer
again. What page do you see now? Explain this!
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
6. Create a new GPO (name: LogonMessage) to display an interactive logon message
(a message that is displayed after you use the Ctrl-Alt-Del key combination to log
on) on your MS (not on your DC). Use security filtering to accomplish this.
Don’t forget to add the GPO to your wst-…local!
If you can’t find the MS-Nicolas , you have to tick ‘computers’ in security filtering –
add – object types
The message should be something like this:
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
7. Modify the GPO of exercise 6, so that the logon message will be displayed for all
current and future member servers.
WMI – filter add
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Tip: use a WMI filter!
8. Use the Group Policy Results wizard on your DC to see what Group Policy
settings are actually in effect for user Jan, when logging on to the domain from the
member server.
Open Server Manager and expand Features > Group Policy Management > Forest.
Right-click on Group Policy Results and select Group Policy Results Wizard, then click Next:
Policies
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Use the gpresult command to see the resultant set of group policies.
Gpresult /r
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 16
REMOTE DESKTOP
1. Log on to your DC with the built-in Administrator account and check if users are allowed
to make an RDP connection to your DC. Don’t change any settings!
Impossible
2. Create a GPO (name: RemoteDesktopAllowed) to make sure users are allowed to
make an RDP connection to all computers in your domain. Require user authentication
for remote connections by using Network Level Authentication.
Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Allow Log on through Remote Desktop Services.
Add Users or Group…
Attention: to make this work, make sure you change the Windows Firewall
settings on all your domain computers (inbound Remote Desktop Exceptions
must be allowed)! You can do this with an appropriate GPO setting in the
RemoteDesktopAllowed GPO…
Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow
Inbound Remote Desktop exceptions: Enabled
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Computer Configuration\Administrative Templates\Windows
Components\Remote Desktop Services\Remote Desktop Session
Host\Connections\Allow user to connect remotely by using Remote Desktop
Services: Enabled
Computer Configuration\Administrative Templates\Windows
Components\Remote Desktop Services\Remote Desktop Session
Host\Security\Do not allow local administrators to customize permissions:
Enabled
Computer Configuration\Administrative Templates\Windows
Components\Remote Desktop Services\Remote Desktop Session
Host\Security\Require user authentication for remote connections by using
NLA: Disabled
Not all settings are asked for , but can be set in place if asked for.
Check the Remote Desktop settings on your DC. These settings should be greyed out,
like so:
3. Make a Remote Desktop connection to your DC from your Windows host machine.
Be sure your local disk drive (on your host machine) is available in your RDP session.
Log on with your personal domain account. What kind of warning do you get? Why?
You can discard this warning.
The host is having problems with the security certificate , possibly unsafe
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
First connection was without the availability of the C-drive from the host machine.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Second connection was availability of the c-drive from the host machine + same
certificate warning.
Local user = poppe
Password = Server2012.
Use File Explorer to check whether the local drive of your host machine is available in
your RDP session.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
4. Use Task Manager in your console session on your DC (your VM) to check whether
the 2 users are logged on to your DC (the Administrator through a console session and
your personal account through a RDP session).
Send a message in the console session to the other user account (your personal
account) and check your RDP session. You should see that message!
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
5. Which key combination can you use to open Task Manager in your RDP session?
CTRL+ALT+END
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
6. Make another Remote Desktop connection to your DC, from your Windows host
machine, and try to sign in with a domain account. Do not use the built-in Administrator
or your personal domain account. Make sure you use an account which is a member
of the domain admins group (for example: Adam).
You will get an error message. Why?
Select your personal account to disconnect without forcing this disconnection.
Switch to your existing RDP session. You will see the request. Cancel this request!
Repeat this exercise, but force the disconnection of the RDP session. Now you will
be able to sign in with the other account (Adam).
CHECK
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
7. Use a Windows command to query information about sessions on your DC.
qwinsta
Notice the RDP session of your personal account was disconnected, but still exists on
your server…
Sign off with your personal account with a Windows command.
Rwinsta id , so rwinsta 2 = this will disconnect the RDP connection
8. Install the Remote Desktop Services on your DC
Note: it’s not recommended to do this on a domain controller, but we only have 1 full
GUI Windows Server…
Attention: do not use the “default role based” installation, but choose the
“remote desktop services installation’!
Choose the “standard deployment”, and the session-based desktop deployment.
Which 3 role services will be installed?
Remote desktop connection broker , Remote Desktop Web Access and Remote
Desktop Session Host
Install all 3 role services on your DC.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
After installing and rebooting, you may notice a new item in Server Manager. Which
one?
Remote Desktop Services tab
9. Configure a “per device” RD licensing mode, but don’t install a Licensing Server for
now.
Why do you not need a Licensing Server right now?
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
10. Since you have installed an RD Session Host Server on your DC, you should be able
to log on with more than 2 user accounts on your DC. Verify this!
CHECK , user Poppe , user Peter , user Jan
Passwords : Server2012.
11. Create a GPO (name: RemoteDesktopSessionSettings) with the following settings for
Remote Desktop sessions applied to all of your servers:
- Disconnected sessions may remain active no longer than 30 minutes
o Windows Components / Remote Desktop Services / Remote Desktop
Session Host / Session Time Limits / Set time limit for disconnected
sessions
- At most 3 simultaneous connections should be possible
o Windows Components / Remote Desktop Services / Remote Desktop
Session Host / Connections / Limit number of connections
12. Create a “session collection” (name: your first name) with the following settings:
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Remote Desktop Services – Collections – Tasks – Create Collection
- RD Session Host: your DC
- User groups: all domain users
Attention: don’t enable user profile disks! (this is not the default setting)
You will probably get a warning. Why?
DisconnectedSessionLimit and UserAuthenticationrequired is configured.
13. Change the properties of your “session collection” in order to end a disconnected
session after 5 minutes.
Notice that Windows will refuse to do this. Why?
Unlink the RemoteDesktopSessionSettings GPO (do not delete it).
Don’t forget gpupdate!
You should now be able to configure the setting at the beginning of this exercise…
Verify this!
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
14. Publish Notepad and Calculator as RemoteApps on your DC.
Make sure those RemoteApp appear in a folder (name: Windows Apps) on the RD
Web Access Server.
15. Start Notepad as a RemoteApp from your host machine.
Working on vmware administrator client not on host.
Tip: you have to use a web browser (use Internet Explorer) on your host machine…
Write down the URL you need for this:
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
URL = https://192.168.148.132/RDWeb
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Sign in with your personal domain account to open the Notepad RemoteApp.
You probably can’t open the RemoteApp. Why? Fix this!
Add a DNS entry in the host machine file
192.168.148.132 DC-NICOLAS.WST-NICOLAS.LOCAL
Enter a few words in a new Notepad document and save this document as a file on
the local desktop. Don’t close your Notepad application!
Where is your Notepad file stored: on the desktop of your DC or on the desktop of
your host machine?
On the DC
Use Task Manager in your console session on your DC to sign out from your RDP
session, corresponding to your RemoteApp. Your Notepad program will be closed…
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
16. Be sure the Notepad RemoteApp is only visible for the built-in Administrator account;
Verify this!
Works !
Wordpad is not available on the regular user
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 17
DHCP
1. Add 2 network adapters to your MS VM. Use NAT as the network connection type:
(default setting).
CHECK
2. Log on to your MS with the built-in Administrator account and check the names and
the IPv4 address configuration of your extra network adapters.
Do your extra network adapters use static or dynamic addresses?
DHCP server is enabled , so dynamic
Which DHCP server has allocated these addresses?
192.168.148.254
3. Since you will set up and use your own DHCP server, you have to stop the VMware
DHCP service on your host machine for this lab. Unchecked!
4. Use Windows commands to:
‐ Release the IP configuration on your MS
Ipconfig /release
‐ Renew the IP configuration on your MS
Ipconfig /renew
What kind of IP addresses are allocated to you extra network cards? How do you
know this? APIPA starts with 169.254.x.x = autoconfiguration IPv4 Address
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
5. Log on to your DC with the built-in Administrator account. Install a DHCP Server on
your DC.
Don’t forget to install the DHCP post-install wizard to complete the DHCP installation.
6. Open the DHCP Manager console and add a new DHCP scope with the following
properties:
- Name: your first name
- Start IP address: 192.168.x.20
- End IP address: 192.168.x.30
- Subnet mask: default setting
- Don’t add exclusions or delays
- Lease duration: default setting
- Default gateway: the default gateway of your VM-network
- Parent domain: default setting
- DNS Server: your DC
- Don’t specify a WINS Server
Activate your new scope! Done
7. How can you unauthorize your DHCP server? (don’t do this!)
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
8. Does your DHCP server already have leased IP addresses? If not, which Windows
command do you have to use to force this (on your MS)? Yes , command?
Check the unique ID column of the IP address leases in the DHCP console. What
kind of information is stored here? The mac of the leaser
9. Modify the lease time from 8 to 10 days. DONE
10. Make sure the Ethernet1 interface of your MS will always get the IP address
192.168.x.66 from your DHCP server.
Verify this by releasing and renewing the IP address configuration of your Ethernet1
interface.
Check if this new address was added to the DNS database of your DNS server.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 18
DHCP AVAILABILITY
1. Log on to your DC with the built-in Administrator account. Install a DHCP server on
your MS, using the Server Manager console on your DC.
Don’t forget to install the DHCP post-install wizard to complete the DHCP installation.
First Manage add servers to ALL SERVERS add MS-Nicolas
Then add Roles and Features wizard Role-based or feature based installation and
choose MS-Nicolas
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Add DHCP-server
2. Open the DHCP Manager console of your MS. You can do this from within the
Server Manager console on your DC.
Normally, you can now add a DHCP scope on your MS (just like you did on your DC
in lab 17), but you don’t have to do this, because a scope will be installed
automatically, by configuring a split-scope on your DC.
3. Configure a DHCP split-scope on your DC for the scope with your first name, the one
you installed in lab 17. 70% of the available IP addresses should be distributed by
your DC and 30% by your MS.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Additional DHCP server MS
Check the IP address pool on your DC. What is the last IP address that can be
distributed by this server? 192.168.148.20 – 192.168.148.30
Check the IP address pool on your MS. What is the first IP address that can be
distributed by this server? 192.168.148.27 – 192.168.148.30
Notice that the scope on your MS is not yet activated. Activate this scope!
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
4. Test your DHCP split-scope configuration like so:
‐ deactivate the scope on your DC
‐ release and renew the IP address configuration on your MS
Which IP address should your Ethernet2 interface get? Why?
192.168.148.27 – the starting ip of the configured pool
5. Delete the scope on your MS.
Delete the exclusions in the scope on your DC and activate this scope.
6. Create a failover relationship between your 2 DHCP servers (use the default
settings). (on DC)
Shared secret : Nicolas123.
Check the DHCP scope on your MS. What’s different from the split-scope scenario?
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
7. Test your DHCP failover configuration like so:
‐ deactivate the scope on your DC
‐ release and renew the IP address configuration on your MS
Which IP address should your Ethernet2 interface get? Why?
192.168.148.20
8. Activate the scope on your DC and deconfigure the DHCP failover relationship on
your DC.
Check the DHCP Manager on your MS. What do you notice? All scopes are gone
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 19
DNS
1. Log on to your DC with the built-in Administrator account and check out the IP address
of its DNS server. Why does your DC use that IP address?
Ipconfig /all ::1 + 127.0.0.1 , since my DC is also my DNS-server
2. Open your browser and go to the website www.tijd.be.
Display your local DNS cache. You should find a DNS record with its FQDN inside.
Ipconfig /displaydns
How long will this record stay in your local DNS cache?
Ttl = 191
Flush your local DNS cache and display your local DNS cache again (in order to verify
your answer).
Ipconfig /flushdns.
3. Since your DC is also your DNS server, you should also find this DNS record in the
DNS cache of your DNS server (the so-called server-side DNS cache). Verify this!
Dnscmd /info
Clear your server-side DNS cache.
Dnscmd /ClearCache
4. You will find 2 forward lookup zones in your DNS Manager console: one zone which is
reserved for specific Microsoft services and one which contains the DNS records of
your domain.
What kind of zone type has been chosen for both forward lookup zones: primary,
secondary, AD integrated or stub? AD integrated
Can you change this zone type? (don’t change it)
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Can updates of your zone records be accepted from untrusted sources? Explain!
Yes if you add a new zone you can allow this
5. Go to the command line and use the nslookup command in the interactive mode.
You can do this by entering the nslookup command without any arguments.
You’re presented with the nslookup prompt (>). Use this special nslookup prompt to
answer all questions in this exercise.
You can use the nslookup command to resolve hostnames. The Default Server in the
output of the nslookup command is the server that will be used for the resolving
process.
What is the IP address of this default DNS server? Can you explain this? ::1 , DC =
DNS server
Find the IP address of your member server. MS-Nicolas = ip addresses :
192.168.148.28 + 192.168.148.101 + 192.168.148.20
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Find the IP address of www.alibaba.com
205.204.101.42 + 198.11.132.23
Change the default DNS lookup server to the DNS server used by the wireless NIC on
your host machine.
Find the IP address of bru-print.hogeschool-wvl.be. DNS server down
Try to resolve the hostname of your member server. Why can’t you do this?
Because the dns of the nic does not know your MS
Exit from the nslookup prompt.
Change Dns server again to 127.0.0.1!!
6. Use the nslookup command in the non-interative mode for translating the IP address
of your member server (192.168.x.101) to its name.
This will not work… CHECK
To make this work, you have to install a reverse lookup zone for your domain. Don’t
forget to add the records for your DC and MS!
Add new zone primary zone all default network id 192.168.148 next , ..
Add new POINTER ip 192.168.148.101
Afterwards, you should be able to translate the IP address of your member server to
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
its name. Verify this!
7. What kind of server will be used for resolving queries for zones that don’t exist on your
local DNS server?
Dns forwarder
What’s the IP address of this server?
172.20.0.2 (default 192.168.148.2)
Suppose that your DNS server didn’t use a forwarder. Which server should then be
used?
Write down one name and corresponding IP address of such a server.
See above
8. Write down the serial number of the SOA record in your domain zone on your DNS
server.
Dc-Nicolas Forward Lookup zones wst-nicolas.local properties SOA 127
Add an alias record for your DC to your domain zone (name: alias-YourFirstname; for
example: alias-chris).
Once again, write down the serial number of the SOA record in your domain zone on
your DNS server and compare this with the number you wrote down before. Explain
what you see! 133
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Check if you can ping to the alias name of your DC.
Ping alias-nicolas
9. Does your DNS Server supports Round Robin and subnetmask ordering by
default? Yes
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Test the Round Robin feature:
‐ Create 2 host records on your DNS Server with the same name (for example: your
first name), but with a different IPv4 address (one referring to your DC and the other
referring to your MS).
‐ Use the nslookup command to resolve the hostname you just added. You should
see the 2 different IP addresses associated with your hostname…
‐ Use the same nslookup command once again and compare the output with the
output of the first nslookup command. What is the difference between those?
‐ Ping to the hostname you just added.
‐ Ping once again to the hostname you just added. Since Round Robin is enabled,
you should get a reply from the other IP address, but this is not the case. Why?
‐ Which command do you have to use to make this work? Test this!
10. Check if DNSSEC is enabled on the domain zone on your DC.
Not enablef but you are able to sign a zone
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 20
WORKING WITH 2 DNS SERVERS
1. Log on to your DC with the built-in Administrator account and install the DNS
Server role on your MS. You can do this with the Server Manager on your DC.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
2. Open the DNS Manager console of your MS (you can do this with the Server
Manager on your DC) and check if there are any configured forward lookup zones.
DNS for MS rightclick DNS MANAGER
Add a new forward lookup zone to your MS with the following properties:
- Type: secondary zone
- Zone name: your domain name = wst-nicolas.local
- Master server: your DC = 192.168.148.100
3. The new zone doesn’t have any records yet, because the transfer of the zone data
from the master (your DC) failed. You can fix that by going through following steps:
- Use the DNS Manager console on your DC to make the MS server
authoritative for your domain.
- Use the DNS Manager console on your DC to allow a zone transfer from
your DC to all authoritative name servers.
- Enforce a zone transfer right now by using the “Transfer from master”
option on the zone in the DNS Manager of your MS.
MS-Nicolas right click on forward lookup zones wst-nicolas.local
Transfer from master
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
4. Windows stores the DNS records of a secondary zone in a text file. Open this text
file on your MS server.
On the ms-server
Cd C:\Windows\System32\dns
Type wst-nicolas.local.dns
5. A zone transfer will automatically occur when the refresh time expires.
What’s the default refresh interval for your domain zone on your DC?
Narrow this interval to 1 minute.
Verify this by adding a new alias record to your domain zone on your DC.
Normally, after one minute this record should appear in the domain zone on your
MS. If not: be patient ;-) not working?
6. A zone transfer can automatically occur after you changed the zone data on your
DC, if you configure a Notify List on your DC. Verify this! (you first have to
augment the refresh time interval, otherwise it’s confusing…).
7. Check if you can add records to your secondary zone on your MS.
Why doesn’t this work? This MS is a secondary server
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 21
USER AUTHORIZATION
1. Log on to your DC with your personal user account and use a Windows command to
view your “privileges”.
Cmd as administrator
Whoami /priv
GUI search cmd right-click run as admin
Show the privileges of the Administrator account without logging off.
Runas /user:wst-nicolas\administrator cmd
Show the privileges of yet another account (for example: jan) without logging off.
Runas /user:wst-nicolas\jan cmd
2. Create a non-administrator account with the name helpdesk1.
Create a global group with the name Helpdeskusers and make the helpdesk1 account
a member of this new group.
Copy the account helpdesk1 and give the new account the name helpdesk2.
Right-click helpdesk1 copy and
What is the advantage of copying this account (instead of just making a new
account)? It is immediately added to the helpdeskusers-group
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
3. Make sure the Helpdeskusers group may reset the passwords (and nothing more)
of user accounts belonging to the Users container in the ADU&C console.
Tip: use the “Delegate Control” wizard to create a custom task to delegate the
“password reset” function for the user objects in the Users container to the
Helpdeskusers group. Users delegate control
You should be able to view this special permission on the Users container. Check
this!
CHECK
4. Which groups have the right to log on to a domain controller?
Tip: use the Group Policy Management console to view this!
Make sure the helpdesk1 user can log on to your DC, without adding his account
to one of these groups.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Tip: use a GPO!
USE GPUPDATE !! + RESTART GUEST
5. Check out if you can log on to your DC with the helpdesk1 account.
Check if you can reset the password of a user belonging to the Users container, using
a Powershell cmdlet.
Set-ADAccountPassword eve –reset:$true
Also check if you can reset the password of a user which doesn’t belong to the User
container. You should get an “Access is denied” error.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 22
APPLOCKER
1. Log on to your DC with your personal user account.
To be sure that AppLocker rules can be applied on all computers in your domain, the
“Application Identity” service must be started on that computers. Make sure this is
done through a group policy.
Computer Configuration\Windows Settings\Security Settings, click System Services.
2. Make sure all versions of Internet Explorer are blocked for the built-in domain
Administrator account (but not for the other domain admins) on all computers in your
domain.
Secpol.msc
Tip: use a published rule in AppLocker!
Log on with the built-in Administrator account and try to run Internet Explorer. You
should get an error message now…
Not able to start internet explorer
Log on with your personal user account and try to run Internet Explorer. This should
work… works!
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
3. Change the enforcement mode of the AppLocker rules to “Audit only”.
Log on with the built-in Administrator account and try to run Internet Explorer. You
should not get an error message now, but you should find a warning about this in the
Event Viewer. Check this out!
4. Disable the AppLocker GPO (but don’t delete it!). CHECK
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 23
WINDOWS TIME SERVICE
1. Log on to your DC with your personal user account and use the w32tm utility to query
the time source of your DC.
W32tm /query /source
2. Change the time source of your DC to an external time server (pool.ntp.org) with the
following command:
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
needs to be as Admin !
Use Windows commands to stop and start the time service to make this work.
Check the time source again.
3. Log on to your MS with your personal user account and query the time source of your
MS.
Change the time on your MS (eg: one hour earlier).
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Use the w32tm utility to synchronize the time with the time source. You will get the
message “the computer did not resync because no time data was available”, but if
you check the time again, you will notice it is synchronized!
Time is ok
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 24
AUDITING
1. Log on to your DC with your personal domain account and open the Security Log.
How many events are recorded in this log?
What’s the maximum size of this log file? Can you adjust this size?
What will happen to the events in this file when the maximum log size is reached?
2. Clear the Security Log file on your DC and on your MS.
3. Try to Log on to your MS with the domain user account of jan, but with a wrong
password.
Log on to your MS with the domain user account of jan, but with the right
password.
Log out of your MS.
Search for logon or logoff records of the user account of jan in the Security Log files
on both servers.
Use a filter to only view the audit failures. On which server can you find the logon
failure event of jan?
Does this event contain information about the computer which was used by jan to try
to log on?
4. Create a custom view in the Event Viewer to view all requested Kerberos TGT
tickets. First you have to choose the event source. In this case, choose “Microsoft
Windows Security Auditing”.
Once you have chosen an event source, you have to choose the appropriate task
category. There are 2 task categories for Kerberos. Choose the right one!
Save your custom view (name: TGT).
Log on to your MS with a domain account. Check out if you can view the
corresponding TGT request in your custom view.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
5. Deny all outgoing NTLM traffic to remote servers on your DC.
Tip: use a GPO!
Try to access the shared root folder of your MS, from your DC with the following
Windows command:
net use X: \\ms-chris\c$ (replace my name by your name)
This should work…
Now, try to do the same thing with the IP address of the MS (instead of its name).
So you have to use a command like this:
net use Y: \\192.168.157.101\c$ (replace my IP address by your IP address)
Now you should get a system error 67…
Here’s the reason why: if you access a shared folder using an IP address,
Windows will use NTLM instead of Kerberos!!! your GPO has blocked the
NTLM authentication.
Check this by searching for blocked authentication traffic events in the Event Viewer.
Unlink the GPO you made for this exercise.
6. Create a shared folder (name: IMPORTANT) on your DC.
Make sure every possible access attempt (both successful as failure) by any user -
except for the built-in Administrator account - is tracked in a log.
Log on to your MS with your personal user account and create a file in the
IMPORTANT folder.
This event should be recorded in a log. Verify this!
Unlink the GPO you made for this exercise.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
LAB 25
BACKUP & RESTORE
1. Log on to your DC with your personal domain account and install the Windows
Server Backup (WSB) utility on it.
Click Start, and then click Server Manager.
In the left pane, click Features, and then in the right pane clickAdd Features. The Add Features
Wizard appears. In the Add Features Wizard, on the Select Features page, expand Windows
Server Backup Features, and then select the check boxes for Windows Server
Backup and Command-line Tools. If you are prompted to do so, select the Windows
PowerShell check box also.
Click Next
2. Create a shared folder on your MS for storing backups (name: Backups).
Be sure this share will only be accessible to domain administrators!
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
3. Make a backup right now of the Program Files folder of your DC. The backup must
be stored in the Backups share on your MS and must only be accessible to domain
administrators!
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
4. View the list of all backed up files.
5. Check the contents of the Backups folder on your MS. You will see a lot of XML
files and one backup file.
Via DC Windows Explorer \\Ms-Nicolas Backups ..
Which extension does Windows use for this backup file?
.VHDX
What kind of file does this extension refer to?
Try to mount this file. You will get an error. If you read the error message carefully,
you will know what you have to do to solve the problem…
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
6. Erase the C:\Program Files\VMware\VMWareTools\vmacthlp.txt file on your DC
and restore this by using the backup file on your MS.
CHECK
Will the ACL by default be restored to the file being recovered?
Yes
Check if the file really has been recovered.
7. Add a new folder to the Program Files folder of your DC and make a new backup
of the Program Files folder. The new backup must also be stored in the Backups
share on your MS.
CHECK
Windows will ask you if you want to overwrite the old backup by the new backup.
Do this!
CHECK
8. View the files that have been backed up now.
What is your conclusion: was this an incremental or a full backup?
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
Windows used this kind of backup because the backup was stored on a network
share…
9. Add an extra hard disk to your DC and make this disk available in Windows (use
driveletter E:).
Check if you can see the drive(letter) in File Explorer.
Disk management !
10. Make a backup schedule on your DC with the following properties:
- Type: custom
- Items for backup: the Profiles folder on your DC
- Backup time: the nearest time
- Destination type: Volume (your new hard disk)
11. Open Task Scheduler to view the details of this schedule.
Run this task right now.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
After the task has been completed, you can check the result on your new disk…
Right-click settings allow task tob e run on demand
12. There are plenty of tasks in Task Scheduler. Check the history of the chkdsk task.
13. Stop the scheduled backup task in the Windows Backup console.
?
14. Use a Windows command to query the scheduled tasks on your DC.
15. Add an extra folder to the Profiles folder of your DC and make a backup of this
folder on your extra hard disk. (local)
Which backup type has been used: full of incremental? Why
FULL
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
16. Make a backup of the system state of your DC and store this backup on the extra
hard disk of your DC. Be patient!
What kind of objects are backed up when you backup the system state? Search
the Microsoft Technet site to find the answer.
Active Directory objects
17. Delete a domain user account.
It’s easy to recover the deleted account with the Recycle Bin of the Active
Directory, but in this exercise, you have to do it by recovering Active Directory from
the system state made in exercise 16.
To be able to do this, you have to use the Directory Service Repair Mode
(DSRM). This is only possible if you still remember the DSRM password you’ve
entered in lab 4 (when you installed the Active Directory).
If you’re not sure about the DSRM password, you have to reset it first!!!
Tip: use the ntdsutil utility! Password = q
When you’re sure about the DSRM password, go through the following steps to
repair the Active Directory:
- Reboot your DC, using the command: shutdown –r –t 0 –o (o = options)
- After rebooting, choose the “Troubleshoot” option
- Click on “Startup Settings”
- Click in the Restart button
- After restarting, choose the “Directory Services Repair Mode” (DSRM)
option
- Sign in with the local Administrator account and the DSRM password
Use Windows Server Backup to restore the system state. Be patient!
After rebooting, you will get a message that the system state recovery operation
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
has succesfully completed.
Check your AD to see if the domain account you’ve deleted has been recovered.
18. Make a full server backup of your MS on the extra hard disk of your DC.
19. In this exercise you have to make a bare metal recovery of your MS. Before
doing this, make a backup of the VM folder of your MS on your host machine
(just in case something went wrong).
A bare metal restore is the restoring of the entire system from scratch with a
completely blank hard drive (for example, in case of a hard disk crash).
You can make a bare metal recovery of your MS by going through the following
steps:
- Start your MS from DVD, with the Windows DVD in the DVD drive (in our
case: with the Windows ISO file in the DVD drive).
Tip: to be able to start from DVD, you probably have to change the BIOS
settings of your MS…
- Press any key to boot from DVD.
- Choose the Language, time and currency like you did in the first lab.
Descargado por Andreas Deris ([email protected])
lOMoARcPSD|5957588
- Click on the “Repair your computer” link.
- Choose the “Troubleshoot” option.
- Choose the “System Image Recovery” option.
- Choose the “Format and reparation disk” option.
After the bare metal recovery process has finished, reboot your server from disk
to check if everything is OK.
Descargado por Andreas Deris ([email protected])
You might also like
- Lab 3 Submission - Program - Light An LEDNo ratings yetLab 3 Submission - Program - Light An LED4 pages
- Configuration of a Simple Samba File Server, Quota and Schedule BackupFrom EverandConfiguration of a Simple Samba File Server, Quota and Schedule BackupNo ratings yet
- SuperMicro SuperStorage 2027B DE2R24L ManualNo ratings yetSuperMicro SuperStorage 2027B DE2R24L Manual112 pages
- Deploying VMM For System Center 2012 by Using A VHDNo ratings yetDeploying VMM For System Center 2012 by Using A VHD10 pages
- Configuring Local Security Settings: This Lab Contains The Following Exercises and ActivitiesNo ratings yetConfiguring Local Security Settings: This Lab Contains The Following Exercises and Activities11 pages
- Managing Active Directory and Sysvol Replication: This Lab Contains The Following Exercises and ActivitiesNo ratings yetManaging Active Directory and Sysvol Replication: This Lab Contains The Following Exercises and Activities13 pages
- A Successful SAP Migration: Michael A. Moore Brach's Confections, IncNo ratings yetA Successful SAP Migration: Michael A. Moore Brach's Confections, Inc43 pages
- Deploy - Configure BranchCache in Windows Server 2012 R2No ratings yetDeploy - Configure BranchCache in Windows Server 2012 R226 pages
- Configuring Backups: This Lab Contains The Following Exercises and ActivitiesNo ratings yetConfiguring Backups: This Lab Contains The Following Exercises and Activities7 pages
- Digital Marketing Course Curriculum PDF Download Free Innomatics Research LNo ratings yetDigital Marketing Course Curriculum PDF Download Free Innomatics Research L18 pages
- Configuring and Maintaining Network Security: This Lab Contains The Following Exercises and ActivitiesNo ratings yetConfiguring and Maintaining Network Security: This Lab Contains The Following Exercises and Activities9 pages
- Quick Start Guide: Netcommander Ip Cat5 Multi-User KVM SwitchNo ratings yetQuick Start Guide: Netcommander Ip Cat5 Multi-User KVM Switch12 pages
- 10 - Rhcsa Ex200 - Study Guide (Joaoubaldo)No ratings yet10 - Rhcsa Ex200 - Study Guide (Joaoubaldo)6 pages
- Installing Workstation On A Windows HostNo ratings yetInstalling Workstation On A Windows Host4 pages
- Prepared by - , Deptt of Information Technology Assam University SilcharNo ratings yetPrepared by - , Deptt of Information Technology Assam University Silchar29 pages
- Learning Powercli: Chapter No. 1 "Introduction To Powercli"No ratings yetLearning Powercli: Chapter No. 1 "Introduction To Powercli"34 pages
- Configuring System Recovery Options: This Lab Contains The Following Exercises and ActivitiesNo ratings yetConfiguring System Recovery Options: This Lab Contains The Following Exercises and Activities10 pages
- EdgeRouter - L2TP IPsec VPN Server - Ubiquiti Networks Support and Help Center100% (1)EdgeRouter - L2TP IPsec VPN Server - Ubiquiti Networks Support and Help Center11 pages
- Case Study ON: Virtualization Using VmwareNo ratings yetCase Study ON: Virtualization Using Vmware22 pages
- Smart Attendance System Based On Face RecognitionNo ratings yetSmart Attendance System Based On Face Recognition23 pages
- Linux Iptables Firewall Configuration: Prince - KenshiNo ratings yetLinux Iptables Firewall Configuration: Prince - Kenshi8 pages
- PDF Learning Ansible 2 2nd Edition Fabio Alessandro Locati download100% (3)PDF Learning Ansible 2 2nd Edition Fabio Alessandro Locati download55 pages
- Installing Hyper-V and Deploying Windows Server 2008 As Your First Virtual Machine - Part INo ratings yetInstalling Hyper-V and Deploying Windows Server 2008 As Your First Virtual Machine - Part I27 pages
- Introduction To Unix/Linux: Operating SystemNo ratings yetIntroduction To Unix/Linux: Operating System7 pages
- Instant Migration from Windows Server 2008 and 2008 R2 to 2012 How-toFrom EverandInstant Migration from Windows Server 2008 and 2008 R2 to 2012 How-toNo ratings yet
- Hack Windows Using Metasploit Lab ManualNo ratings yetHack Windows Using Metasploit Lab Manual3 pages
- ADFS Design Considerations and Deployment OptionsNo ratings yetADFS Design Considerations and Deployment Options12 pages
- Mastering The XMPP Framework: Develop XMPP Chat Applications for iOSFrom EverandMastering The XMPP Framework: Develop XMPP Chat Applications for iOS4.5/5 (2)
- How to Switch from Windows to Linux at Home without Fear of Change, Aimed at Users with No Experience in Linux and with Amazing ResultsFrom EverandHow to Switch from Windows to Linux at Home without Fear of Change, Aimed at Users with No Experience in Linux and with Amazing ResultsNo ratings yet
- Microsoft Windows Server 2012 Administration Instant ReferenceFrom EverandMicrosoft Windows Server 2012 Administration Instant ReferenceNo ratings yet
- Creation of Postfix Mail Server Based on Virtual Users and DomainsFrom EverandCreation of Postfix Mail Server Based on Virtual Users and DomainsNo ratings yet
- CentOS Stream 9 Essentials: Learn to Install, Administer, and Deploy CentOS Stream 9 SystemsFrom EverandCentOS Stream 9 Essentials: Learn to Install, Administer, and Deploy CentOS Stream 9 SystemsNo ratings yet
- Codigo en C para Transmision FM en RaspberryNo ratings yetCodigo en C para Transmision FM en Raspberry5 pages
- Windows Server Proposal For Fixing Windows LLCNo ratings yetWindows Server Proposal For Fixing Windows LLC8 pages
- Chapter Four: Data Communication and NetworkingNo ratings yetChapter Four: Data Communication and Networking33 pages
- Visvesvaraya Technological University: Belgaum, Karnataka-590014No ratings yetVisvesvaraya Technological University: Belgaum, Karnataka-59001442 pages
- 0IVL20151874 No Backlight & 40modified& 41No ratings yet0IVL20151874 No Backlight & 40modified& 418 pages
- Journal of Advanced Zoology: Research Paper On Artificial Intelligence and It's ApplicationsNo ratings yetJournal of Advanced Zoology: Research Paper On Artificial Intelligence and It's Applications10 pages
- Example: A List of Names, A Table of World CitiesNo ratings yetExample: A List of Names, A Table of World Cities24 pages
- Thk2e BrE L2 End of Term Standard Test 1-1No ratings yetThk2e BrE L2 End of Term Standard Test 1-14 pages
- Project Information Document Ethiopia Digital Foundations Project P171034100% (1)Project Information Document Ethiopia Digital Foundations Project P17103420 pages
- SAS301 - Multi Tenant Meets ML Building ML Based SaaS EnvironmentsNo ratings yetSAS301 - Multi Tenant Meets ML Building ML Based SaaS Environments23 pages
- Aristos Dicom Conformance Statement vb21No ratings yetAristos Dicom Conformance Statement vb2181 pages
- KYE Corporation Service Advisory: No. ofNo ratings yetKYE Corporation Service Advisory: No. of5 pages
