MSc Computer Science (Conversion) Systems Management
Module Assignment – Users’ Manual

Laura Duggan
07314299
14/7/14
Table of Contents

Part A
Task A1 – Windows Lite Touch Installation  p3
Task A2 – BitLocker Drive Encryption  p18

Part B
Task A – Windows Server 2008 Full Installation  p31
         Windows Server 2008 Server Core Installation  p38
Task B – Setting up Active Directory  p41
         Adding a domain controller  p47
         Adding client machine to domain  p50
         Adding server core as member server  p51
Task C – Installing new hard disks  p53
         Setting up mirrored volume  p54
         Setting up spanned volume  p56
Task D – Configuring Active Directory  p57
Task E – User groups  p63
         Group permissions  p64
         Creating group policy objects  p66
Task F – Setting up server core installation as a file server  p85
         Configuring server core installation for remote administration  p86
         Accessing server core installation using remote desktop  p90
Task G – Installing DHCP  p92
         Configuring client to use DHCP  p96
         Disabling DHCP  p97
Task H – Demoting a domain controller  p98
         Demoting an unbootable domain controller  p98
References  p103
Part A
Task A1.
Using Virtual Machines to mimic the use of Physical Machines, document and Install
Microsoft Windows 7 using the Lite Touch Installation (LTI) method.
Windows 7 allows for four deployment strategies –
1. High-touch deployment with retail media
- Aimed at fewer than 100 deployments
- Allows admins to focus on each system individually
2. High-touch deployment with standard image
- Aimed at between 100 and 200 deployments
- Main advantage is that you can include any applications and files with the image;
therefore they don’t need to be added after installation.
- Disadvantage is that it doesn’t scale well: a technician and a flash drive are
required for each deployment.
3. Lite-touch, high-volume deployment
- Aimed at 200–500 deployments by skilled IT staff with deployment
experience.
- Advantage is that it requires only limited interaction from a technician, thus reducing
deployment time and costs.
4. Zero-touch, high-volume deployment
- A fully automated deployment aimed at over 500 deployments
- Requires an IT professional with deployment and Config Manager 2007 R2
experience.
(Rodriguez, 2011)
To decide on a strategy it is important to take into account both your skill level and the
number of computers you plan to roll out to. LTI uses a standardized image and
then rolls it out over the network. As the configuration will be the same across all computer
systems, problems are less likely to occur. (Microsoft)
Installation adapted from Step-by-Step: Basic Windows 7 Deployment for IT Professionals.
Retrieved from
http://technet.microsoft.com/en-us/library/dd349348(v=ws.10).aspx
(Microsoft, Step by Step: Basic Windows 7 Deployment for IT Professionals, 2010)
For this deployment you need –
- A Windows 7 product disk.
- A Windows 7 AIK DVD disk (can be downloaded from
http://go.microsoft.com/fwlink/?LinkId=136976).
- A technician computer running Windows Server 2003, Windows Vista or
Windows 7; it must have a network adapter, a working network environment,
and access to a CD and DVD-ROM drive.
- A reference computer (the first machine on which we will install our customized
version of Windows 7 – we will then image this computer and roll out the image
over the network to the rest of our machines); it must have a network adapter
and a working network environment.
- A USB flash drive
- A blank CD-R/RW
- A destination computer (to which we will roll out our image over the network).
There are 5 steps in the deployment –
1. Building an Answer File
2. Building a Reference Installation
3. Creating Bootable Windows PE Media
4. Capturing the Installation to a Network Share
5. Deploying from a Network Share
To begin the deployment:
On the technician computer, insert the Windows Automated Installation Kit DVD into the CD-ROM
drive and install it by following the on-screen wizard. If it doesn’t start automatically, browse to
the correct drive and click StartCD.exe.
Step 1 – Building the Answer File
In this step we create an XML answer file using the Microsoft AIK on our technician
computer. This answer file contains the answers to the prompts usually presented to a user
installing Windows, thus automating the process.
On the technician computer insert the Windows 7 product DVD into the CD-ROM drive, open
D:\sources and copy install.wim to your desktop.
Click the start button and open Windows SIM by clicking Microsoft Windows AIK and then
Windows System Image Manager.
Click File and Select Windows Image; when the dialog opens, navigate to where you copied
install.wim on your desktop and click OK.
Click the version of Windows 7 you are installing, in this case Windows 7 Professional; when
prompted click Yes to generate a catalog file, and OK to allow the correct permissions.
When the catalog file has been generated, click File and New Answer File; a new blank answer file
template is automatically generated.
Next we add the settings we want for our Windows installation to the answer file.
Click and expand the Components node to see the available settings; folders are listed in
alphabetical order. Add each of the following components to the configuration pass shown:

Component – Configuration Pass
Microsoft-Windows-Deployment\Reseal – oobeSystem
Microsoft-Windows-International-Core-WinPE\SetupUILanguage – windowsPE
Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition – windowsPE
Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition – windowsPE
Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition – windowsPE
Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition – windowsPE
Microsoft-Windows-Setup\ImageInstall\OSImage\InstallTo – windowsPE
Microsoft-Windows-Setup\ImageInstall\OSImage\InstallFrom – windowsPE
Microsoft-Windows-Setup\UserData – windowsPE
Microsoft-Windows-Shell-Setup\OOBE – oobeSystem
These settings will populate the centre answer file panel; click on each and enter the
corresponding values below.

Component – Value
Microsoft-Windows-International-Core-WinPE – InputLocale = en-US; SystemLocale = en-US; UILanguage = en-US; UserLocale = en-US
Microsoft-Windows-International-Core-WinPE\SetupUILanguage – UILanguage = en-US
Microsoft-Windows-Setup\DiskConfiguration – WillShowUI = OnError
Microsoft-Windows-Setup\DiskConfiguration\Disk – DiskID = 0; WillWipeDisk = true
Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition (first) – Order = 1; Size = 300; Type = Primary
Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition (second) – Extend = true; Order = 2; Type = Primary
Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition (first) – Active = true; Format = NTFS; Label = System; Order = 1; PartitionID = 1
Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition (second) – Format = NTFS; Label = Windows; Order = 2; PartitionID = 2
Microsoft-Windows-Setup\ImageInstall\OSImage – InstallToAvailablePartition = false; WillShowUI = OnError
Microsoft-Windows-Setup\ImageInstall\OSImage\InstallTo – DiskID = 0; PartitionID = 2
Microsoft-Windows-Setup\ImageInstall\OSImage\InstallFrom – Key = /IMAGE/NAME; Value = Windows 7 Professional
Microsoft-Windows-Setup\UserData – AcceptEula = true
Microsoft-Windows-Setup\UserData\ProductKey – Key = <your product key>; WillShowUI = OnError
Microsoft-Windows-Deployment\Reseal – ForceShutdownNow = false; Mode = Audit
Microsoft-Windows-Shell-Setup\OOBE – HideEULAPage = true; ProtectYourPC = 3
To validate your settings, click tools and validate answer file, check the messages panel to
see if there are any warnings or errors, and if there are none save your answer file as
autounattend.xml.
Copy your autounattend.xml to the root of an active NTFS USB key.
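Before the answer file goes onto the USB key it is worth checking it with something other than eyeballing the Windows SIM panels. The script below is an added example and not part of the original manual or the Microsoft AIK: it parses a constructed autounattend.xml carrying the values from the tables above (the product key is a placeholder), lists which components land in which configuration pass, reconstructs the partition layout, and reports the things a deployer wants to know before booting a reference machine from it: that InstallTo points at a partition that CreatePartitions actually creates and formats as NTFS, that one partition is marked Active, that WillWipeDisk will erase disk 0 silently, that the product key sits in clear text on the USB key, and that Reseal Mode = Audit means the image still has to be generalised with sysprep before capture.

```python
import xml.etree.ElementTree as ET

UNATTEND_NS = "urn:schemas-microsoft-com:unattend"
NS = {"u": UNATTEND_NS}

# Constructed sample answer file with the component values from the tables
# above (the product key is a placeholder, not a real key).
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend"
    xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE">
      <SetupUILanguage><UILanguage>en-US</UILanguage></SetupUILanguage>
      <InputLocale>en-US</InputLocale><SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage><UserLocale>en-US</UserLocale>
    </component>
    <component name="Microsoft-Windows-Setup">
      <DiskConfiguration><WillShowUI>OnError</WillShowUI>
        <Disk wcm:action="add"><DiskID>0</DiskID><WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <CreatePartition wcm:action="add"><Order>1</Order><Size>300</Size><Type>Primary</Type></CreatePartition>
            <CreatePartition wcm:action="add"><Order>2</Order><Extend>true</Extend><Type>Primary</Type></CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <ModifyPartition wcm:action="add"><Active>true</Active><Format>NTFS</Format>
              <Label>System</Label><Order>1</Order><PartitionID>1</PartitionID></ModifyPartition>
            <ModifyPartition wcm:action="add"><Format>NTFS</Format><Label>Windows</Label>
              <Order>2</Order><PartitionID>2</PartitionID></ModifyPartition>
          </ModifyPartitions>
        </Disk>
      </DiskConfiguration>
      <ImageInstall><OSImage>
        <InstallTo><DiskID>0</DiskID><PartitionID>2</PartitionID></InstallTo>
        <InstallFrom><MetaData wcm:action="add"><Key>/IMAGE/NAME</Key>
          <Value>Windows 7 Professional</Value></MetaData></InstallFrom>
        <InstallToAvailablePartition>false</InstallToAvailablePartition>
        <WillShowUI>OnError</WillShowUI>
      </OSImage></ImageInstall>
      <UserData><AcceptEula>true</AcceptEula>
        <ProductKey><Key>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</Key><WillShowUI>OnError</WillShowUI></ProductKey>
      </UserData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Deployment">
      <Reseal><ForceShutdownNow>false</ForceShutdownNow><Mode>Audit</Mode></Reseal>
    </component>
    <component name="Microsoft-Windows-Shell-Setup">
      <OOBE><HideEULAPage>true</HideEULAPage><ProtectYourPC>3</ProtectYourPC></OOBE>
    </component>
  </settings>
</unattend>"""


def text(elem, path):
    """Text of a descendant element in the unattend namespace, or None."""
    return elem.findtext(path, namespaces=NS)


def components_by_pass(root):
    """Map each configuration pass to the component names it carries, in document order."""
    return {s.get("pass"): [c.get("name") for c in s.findall("u:component", NS)]
            for s in root.findall("u:settings", NS)}


def partition_layout(root):
    """Partitions keyed by number. Assumes (as on a wiped disk) that the
    CreatePartition with Order N becomes partition N, which ModifyPartition
    then addresses by PartitionID."""
    layout = {}
    for cp in root.iter("{%s}CreatePartition" % UNATTEND_NS):
        layout[text(cp, "u:Order")] = {"type": text(cp, "u:Type"),
                                       "size": text(cp, "u:Size"),
                                       "extend": text(cp, "u:Extend") == "true"}
    for mp in root.iter("{%s}ModifyPartition" % UNATTEND_NS):
        layout.setdefault(text(mp, "u:PartitionID"), {}).update(
            {"format": text(mp, "u:Format"), "label": text(mp, "u:Label"),
             "active": text(mp, "u:Active") == "true"})
    return layout


def audit_unattend(xml_text):
    """Checks worth running before the answer file goes onto the USB key."""
    root = ET.fromstring(xml_text)
    layout = partition_layout(root)
    findings = []
    target = text(root, ".//u:InstallTo/u:PartitionID")
    if target not in layout:
        findings.append("InstallTo targets partition %s, which CreatePartitions never creates" % target)
    elif layout[target].get("format") != "NTFS":
        findings.append("install partition %s is not formatted NTFS" % target)
    if not any(p.get("active") for p in layout.values()):
        findings.append("no partition is marked Active, so the machine will not boot")
    if text(root, ".//u:Disk/u:WillWipeDisk") == "true":
        findings.append("WillWipeDisk=true: setup erases disk 0 without prompting")
    if text(root, ".//u:UserData/u:ProductKey/u:Key"):
        findings.append("product key is stored in clear text; keep the USB key under control")
    if text(root, ".//u:Reseal/u:Mode") == "Audit":
        findings.append("Reseal Mode=Audit: run sysprep with Generalize before capturing the image")
    return {"passes": components_by_pass(root), "layout": layout, "findings": findings}


if __name__ == "__main__":
    for line in audit_unattend(SAMPLE_UNATTEND)["findings"]:
        print("-", line)
```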
Step 2 – Building a reference installation
In this step we will build our reference installation of Windows 7 on our reference computer
using the answer file which we created in step 1.
On your reference computer place your Windows 7 installation disk in the CD/DVD drive and
your USB stick with the answer file on it in a USB port.
Turn on the computer and enter the BIOS to instruct it to boot from the CD/DVD drive if
necessary.
If the startup screen appears and setup doesn’t start automatically, press Shift+F10 to bring up the
command prompt; to point setup at your autounattend.xml file and start the unattended
installation, enter setup.exe /unattend:<PathToAutoUnattend.xmlFile> and press Enter.
Allow set up to auto complete.
When setup has finished you can check that your system has been configured correctly, as it’s
still in audit mode. If you’re happy with the configuration, complete the System Preparation
Tool window which is on the desktop:
select Enter System Out-of-Box Experience (OOBE), tick the Generalize checkbox, select Shutdown
and click OK.
When sysprep finishes working you’re left with a working installation on your reference
computer which is now ready to be imaged.
Step 3 – creating bootable Windows PE media
In this step we create a bootable Windows PE RAM disk on a CD-ROM. This CD will then
allow us to start a PC for deployment: it boots directly into memory, giving us a network-capable
environment in which we can use the ImageX tool to copy our image.
On the technician computer click the start button, navigate to Windows AIK and right click
on deployment tools command prompt and select run as administrator.
A command prompt window will open, at the prompt enter copype.cmd <architecture>
<destination> with architecture being x86, amd64 or ia64 as required, and destination a
path to a local directory.
This copype.cmd script creates the directory structure and copies all the necessary files.
At the prompt type copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim
to copy the base image to the \ISO\sources folder and rename it boot.wim.
Type copy “c:\program files\Windows AIK\Tools\x86\imagex.exe” c:\winpe_x86\iso\ to
copy ImageX into \winpe_x86\iso.
Use oscdimg to create a Windows PE image (.iso) file by typing oscdimg -n -bc:\winpe_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso
When the .iso is created burn it to a CD-ROM. This is now a bootable Windows PE RAM CD
containing the ImageX tool.
Step 4 – capturing your installation onto a network share
In this step we create an image of the reference computer using our Windows PE CD and
ImageX, then we copy the image to a network share.
Back on your reference computer, insert your Windows PE disk and restart your computer.
If necessary change the boot order in the BIOS to boot from the Windows PE disk.
When Windows PE starts it launches a command prompt window.
At the prompt type E:\imagex.exe /capture C: C:\myimage.wim "my Win7 Install"
/compress fast /verify in order to grab an image of your reference installation using the
ImageX tool.
Connect to a network location using the net use command and the login credentials for your
network share, with the syntax:
net use n: \\server\share\
Create an Images folder on the share and copy the image you created earlier to it.
Step 5 – Deploying from a network share
In this step, we take the image of our reference computer which is on the network, and use
our Windows PE CD and ImageX to roll it out to destination computer(s)
On your destination computer, insert Windows PE disk and boot to it (by entering the BIOS
on restart and selecting to boot from CD-ROM)
A command prompt will launch. Format the hard drive to match the layout you chose for
your imaged reference computer using the following commands:
diskpart
select disk 0
clean
create partition primary size=300
select partition 1
format fs=ntfs label="System"
assign letter=S
active
create partition primary
select partition 2
format fs=ntfs label="Windows"
assign letter=C
exit
Connect to your network share with the syntax:
net use n: \\server\share\
Then copy your image using:
copy N:\Images\myimage.wim C:
To apply the image to the destination computer’s hard drive type:
D:\imagex.exe /apply C:\myimage.wim 1 C:
Finally to initialise your boot config data and copy boot environment files, use BCDboot:
You now have a fully deployed installation of Windows 7 on your destination computer, and
are ready to deploy it across as many machines as required using the image which is stored
on your network share.
Task A2.
Microsoft Windows offers the ability to enforce full drive encryption, using a Virtual
Machine. Document the process of Implementing Bitlocker in the form of a user instruction
manual. During the process outline any options and or requirements which must be met in
order to setup same.
Encryption uses an algorithm to scramble information to render it unreadable to anyone
without a key, usually done to protect the security and privacy of a user’s files. Encryption
used correctly mitigates risk.
BitLocker is Microsoft’s drive-level encryption, which uses a trusted platform module (TPM)
chip built into the device to store cryptographic information including encryption keys. As
this TPM chip must be present for information stored on the drive to be decrypted, the drive is
better protected against physical theft and software attacks: without access to the TPM, drives
cannot simply be removed and installed in another computer to access their content. (Paul,
2014)
Where it is not possible to have a TPM, such as in a virtual machine, encryption keys are
stored on a USB flash drive which must be present to decrypt the encrypted drives. The
process of setting up BitLocker on a virtual machine without a TPM chip is outlined below.
(Microsoft, BitLocker Drive Encryption Overview, 2014)
Bitlocker protects data by encrypting the entire drive including the OS, Windows registry,
temporary files and the hibernation file. BitLocker is available on Windows Vista or 7
Ultimate, Vista or 7 Enterprise, 8.1 Pro or Enterprise, while also requiring that your machine
has at least two partitions, and has a TPM (or a USB key).
BitLocker’s main disadvantage is that it’s closed source, thus it is unknown if there have
really been no back doors put in by Microsoft having been put under pressure from various
US government programs, however for protection from a stolen PC or against petty
criminals, BitLocker should provide adequate protection. (Paul, 2014)
Adapted for VMWare from http://www.shulerent.com/2012/09/04/locking-down-a-virtualmachine-with-bitlocker/
*this operation is being carried out on a virtual machine, using a small hard drive on a USB
key to hold encryption keys.
To install BitLocker encryption on a machine, you need two USB flash drives – one to
permanently hold the encryption keys, so it will be needed for future use of your VM, and a
second USB flash drive to temporarily install the encryption key.
To begin, add a second drive to your VM. When your VM is powered off, click settings and
add new hard drive.
Create a new virtual disk and browse to your USB flash drive location, save the .vmdk file on
it and finish the wizard.
Turn on your virtual machine and open Disk Management by typing diskmgmt.msc into the search bar.
You will be prompted to initialize your new hard disk; click OK and follow the wizard steps,
leaving the defaults in place.
When the new disk has been initialized, right click the unallocated space and select new
simple volume. Format the disk.
To enable BitLocker without a TPM the local group policy must be changed.
To access local group policy, click the start button and type mmc into the search bar. When
the Microsoft Management Console pops up, add a new local group policy snap in to your
console, follow the wizard to create it, and save it.
Navigate to operating system drives.
Click to open require additional authentication at startup.
Move the radio button to enable require additional authentication at startup, and ensure
that the allow BitLocker without a compatible TPM is selected.
Insert your second (temporary) USB flash drive, in this case F:
Open control panel, navigate to system and security and BitLocker drive encryption. Click on
turn on BitLocker for your required drives.
Allow Windows to check your system.
Click Next through the rest of the wizard and restart your computer when prompted.
Upon restart BitLocker will continue its installation process.
Choose require a startup key at every startup.
The next window shows your temporary USB flash drive, select it and click save.
Choose save the recovery key to a USB flash drive.
When the next screen appears do not click continue!
You need to copy your keys from the temp USB flash drive, to the small USB drive. To do
this, ensure that you can see hidden files.
To see hidden files, open Control Panel, click on Appearance and Personalisation, then Folder
Options, and click on Show hidden files and folders. Under the Hidden files and folders section,
select the radio button labelled Show hidden files, folders and drives. Untick the checkboxes
labelled Hide extensions for known file types and Hide protected operating system files. Click
Apply and OK.
Your temp USB flash drive should now contain two files.
Move these files to your small VM hard drive and return to the final encryption screen.
Click continue and restart your computer when prompted, upon restart you’ll see that
encryption is in progress.
Your machine is now protected by BitLocker encryption, when you boot it up with the
permanent USB flash drive you will see this message and it will boot normally.
Without the USB flash drive, your machine will not boot.
PART B
Task A
Using Virtual-box, VMware Workstation or similar you are to create several virtual machines:
- Three Servers with server 2008 or later installed:
  - 2 of these servers are to be installed with Standard, Enterprise or Datacenter
    edition using the full GUI install and named Server1 and Server2 accordingly.
  - The third server is to be a Standard Server Core installation and named MSCore
- One Client machine with Windows 7 or later installed and named Client1
- Clone this Client Virtual Machine and rename the workstation Client2
- Please use adequate sizes for the Hard Disk partitions on each of the Client Machines
- Configure the servers with 200 GB hard disks. For the Operating System create a
  partition of 60 GB accordingly.
- RAM on all machines is to be 512 MB or greater depending on your amount of
  available RAM
- All passwords are to be Pa$$w0rd.
- Give all machines a static IP address from the range 192.168.0.0/24.
IP Address – range 192.168.0.0/24 – table for later reference

Machine – IP Address – Subnet Mask
Server1 – 192.168.0.101 – 255.255.255.0
Server2 – 192.168.0.102 – 255.255.255.0
MS-Core – 192.168.0.103 – 255.255.255.0
Client1 – 192.168.0.104 – 255.255.255.0
Client2 – 192.168.0.105 – 255.255.255.0
Windows Server 2008 comes in two releases – Windows Server 2008 (32bit or 64bit) and
Windows Server 2008 R2 (64bit only), with R2 being an updated version with a range of bug
fixes and new features.
Within Windows Server 2008 (and R2) there are four editions:
- Windows Server 2008 Standard
Directed at the SMB sector, usually used as a domain controller, file and print
server, DNS, DHCP server and application server.
- Windows Server 2008 Enterprise
Directed at larger companies running heavier applications, e.g. SQL Server 2008
- Windows Server 2008 Datacenter
Directed at the large enterprise market, allows an unlimited number of virtual
machines with the single license.
- Windows Web Server 2008
For servers that run Windows IIS service.
(Windows, 2008)
Windows Server 2008 installation
To install Windows Server 2008:
Place the Windows Server 2008 installation disk in the CD-ROM drive of your machine and
power it up.
Follow the onscreen instructions to choose installation language, time and currency format
and keyboard or input method, click next.
Click install now and allow the installation process to run, when prompted enter your product key and click next.
For this full installation, select Windows Server 2008 Full Installation (with whichever version you are installing), and click next.
Read and accept the license terms and click next.
In the ‘which installation do you want’ click custom (advanced).
Create a 60GB partition using the wizard and highlight it to install Windows on, click next.
Allow the installation to complete itself; your machine will restart itself a few times during
this process. After rebooting, press ctrl+alt+delete to log in as administrator.
Change the administrator password to a complex alpha-numeric password.
After logging in the desktop appears and you can begin working on your server.
To change your computer’s name:
It is much easier to change your computer’s name before setting up Active Directory services; this will become the name by which the computer is known on the network, so it is
best if it’s descriptive and human readable.
Click the start button, right-click on Computer and click Properties. When the System dialog box
opens click on Change settings.
In Computer name, type the new name of your computer. Click OK twice and restart your
computer for the changes to come into effect.
Static IPv4 Address:
In order to set up your server as an Active Directory Domain Controller it must have a statically assigned IP address.
As outlined in the table above, our IPv4 addresses are in the range 192.168.0.0/24, meaning
that 24 bits are reserved for the network portion, leaving us with 254 possible IPv4 addresses (192.168.0.1-255). This CIDR notation allows for more control over network size
than traditional classful IPv4 addressing.
To assign a static address, click the start button, open control panel and click on network
and sharing centre.
Click on Local Area Connection Status and then Properties.
Uncheck the IPv6 checkbox, and double-click on IPv4 to change its settings.
Click the ‘use the following IP address’ checkbox and manually enter your IP address, subnet
mask and DNS server address.
This example shows the settings for Server1 (which will later become a domain controller
with DNS, so we use the loopback address 127.0.0.1 as its DNS server; on the other machines on the
network the DNS server will be 192.168.0.101).
Click on ok and apply to bind the settings. You can check they have been correctly applied
by running ipconfig in a command prompt.
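Typing five sets of static settings by hand is where duplicate addresses and a client pointed at the wrong DNS server creep in, and Active Directory joins fail in confusing ways when they do. The script below is an added example, not part of the original manual: it encodes the address table above and the DNS rule from the text (Server1 uses the loopback address, every other machine uses 192.168.0.101), then checks each machine's address is inside 192.168.0.0/24, is not the network or broadcast address, is unique, carries the right mask, and names the right DNS server.

```python
import ipaddress

NETWORK = ipaddress.ip_network("192.168.0.0/24")
DNS_HOST = "Server1"  # the first domain controller, which also hosts DNS

# Addressing plan from the table above, with the DNS rule from the text:
# Server1 points at the loopback address, everything else at Server1.
PLAN = {
    "Server1": {"ip": "192.168.0.101", "mask": "255.255.255.0", "dns": "127.0.0.1"},
    "Server2": {"ip": "192.168.0.102", "mask": "255.255.255.0", "dns": "192.168.0.101"},
    "MS-Core": {"ip": "192.168.0.103", "mask": "255.255.255.0", "dns": "192.168.0.101"},
    "Client1": {"ip": "192.168.0.104", "mask": "255.255.255.0", "dns": "192.168.0.101"},
    "Client2": {"ip": "192.168.0.105", "mask": "255.255.255.0", "dns": "192.168.0.101"},
}


def usable_hosts(network):
    """Assignable host addresses: every address minus the network and broadcast ones."""
    return network.num_addresses - 2


def check_plan(plan, network=NETWORK, dns_host=DNS_HOST):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    owners = {}
    dc_ip = ipaddress.ip_address(plan[dns_host]["ip"])
    for host, cfg in plan.items():
        ip = ipaddress.ip_address(cfg["ip"])
        if ip not in network:
            problems.append(f"{host}: {ip} is outside {network}")
        elif ip in (network.network_address, network.broadcast_address):
            problems.append(f"{host}: {ip} is the network or broadcast address")
        # A dotted mask is accepted by ip_network, which gives us its prefix length.
        mask_prefix = ipaddress.ip_network(f"0.0.0.0/{cfg['mask']}").prefixlen
        if mask_prefix != network.prefixlen:
            problems.append(f"{host}: mask {cfg['mask']} is not /{network.prefixlen}")
        if ip in owners:
            problems.append(f"{host}: {ip} duplicates {owners[ip]}")
        owners[ip] = host
        expected_dns = ipaddress.ip_address("127.0.0.1") if host == dns_host else dc_ip
        if ipaddress.ip_address(cfg["dns"]) != expected_dns:
            problems.append(f"{host}: DNS should be {expected_dns}, not {cfg['dns']}")
    return problems


if __name__ == "__main__":
    print(f"{NETWORK} offers {usable_hosts(NETWORK)} host addresses")
    for problem in check_plan(PLAN) or ["plan is consistent"]:
        print("-", problem)
```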
Server Core Installation
Server Core provides a minimal environment for running specific server roles, thus reducing
the maintenance and management requirements, alongside the potential attack surface. A
Server Core 2008 installation can support:
- Active Directory Domain Services
- Active Directory Lightweight Directory Services
- DHCP Server
- DNS Server
- File Services
- Hyper-V
- Print Services
- Streaming Media Services
- Web Server
while the 64-bit-only R2 supports in addition:
- File Services (including File Server Resource Manager)
- Web Server (including a subset of ASP.NET)
Server Core doesn’t include a graphical user interface (GUI) and requires initial configuration
using a command prompt. Once the server is set up, it can be managed locally using a command prompt, or remotely using a terminal server connection or the Microsoft Management Console (MMC).
A Server Core installation is beneficial due to reduced maintenance, as it only installs what
is necessary for a manageable server for the supported roles; a reduced attack surface, due
to fewer applications running; reduced management, again due to fewer applications and services being installed; and finally less disk space required: it needs only 3.5GB of
disk space to install and 3GB for operations after installation. (Microsoft, Server Core Installation Option Getting Started Guide, 2009)
The disadvantage of a Server Core installation, however, is that due to the lack of a GUI, if an
administrator isn’t very familiar with a TUI environment it can be that much harder to
maintain, while there are also fewer roles and features available.
To install Server Core, follow the steps outlined for the full installation, except that on the
installation selection screen:
Select your version with (Server Core Installation)
When the installation has finished, click to log in as ‘Other User’ and use the user name ‘Administrator’, leaving the password field blank. You’ll then be prompted to change the admin
password.
After logging in a command prompt will open to allow you to configure your server.
Task B
Please configure the following Forest settings:
- Server1 is to be a Domain Controller of a tree called MSCCONV.IPA
- Client 1 is to be a workstation member of MSCCONV.IPA
- Server2 is to be setup as a second domain controller of MSCCONV.IPA
- MS-Core is to be a member server of MSCCONV.IPA
Active Directory (AD) is the Windows OS directory service; it is designed to allow
coordination of network resources in a unified manner. It is a large database linked to a
number of network directories that serves as a single data store for quick access to users,
while also controlling access by users based on the security policy, which is laid down in AD.
It allows single sign-on for users across network resources, while being a single point of
management for network resources.
AD provides:
- LDAP (lightweight directory access protocol) for accessing other directory
services.
- Security service which uses Kerberos based authentication to authenticate users
on the system.
- Hierarchical storage of organisational data in a central location
- The availability of data across multiple servers which update together
(Janssen, 2010)
AD contains information about objects, which are either resources (e.g. printers) or security
principals (e.g. user or computer accounts and groups). Each security principal is assigned a
unique SID (security identifier).
These objects are grouped into domains, with a single domain being held in a single
database, a domain therefore is a logical group of network objects that share the same AD
database.
A tree is one or more of these domains, while a forest is the largest possible structure, being
a collection of trees that share a ‘common global catalog, directory schema, logical structure
and directory configuration’. It is a security boundary which houses objects which are
inaccessible from outside.
(Wiki, Active Directory, 2014)
A domain controller is a server which has been configured with AD DS. It authenticates and
authorises all users and computers on the network, assigns and enforces security policies,
installs and updates software, hosts the global catalog and provides for replication
across the domain. Replication is how domain controllers keep in sync with changes made
to the global catalog.
To begin creating a domain, we need to run dcpromo on our first domain controller; dcpromo installs (and also removes) Active Directory Domain Services on servers.
Before running dcpromo, ensure that you have named your computer correctly, and that it
has a static IPv4 address – both as outlined in the previous section.
On server1, click the start button and type dcpromo into the search bar, click on it to open.
Allow it to check that your settings are correct.
Allow the wizard to run, and for this first domain controller choose ‘create a new domain in
a new forest’ and click next.
As this is the first domain in the forest it is known as the forest root domain, when naming it
you need to use a FQDN – a fully qualified domain name – in the format abc.xyz where the
.xyz is the top level domain name.
It is a good idea to avoid common internet TLDs (such as .com, .ie, .fr) to avoid confusion.
Name your forest root and click next.
You will then be prompted to set the forest functional level. This is the level that matches
the oldest version of the operating system running on any of your domain controllers (in this
case Windows Server 2008). Note that while you can raise the functional level at a later date,
you can never lower it.
As ADDS requires a DNS server, a warning box will appear as there is none currently set up,
as this is the first domain controller click yes to have the wizard create one automatically.
Next the wizard will prompt you to choose the locations of your database folder, log files
folder and SYSVOL folder.
SYSVOL is a shared folder containing information on Group Policy Objects between DCs, it
must be on an NTFS drive.
If possible – to optimize performance you can move the database and transaction log files to
different drives.
Select where you want them to be saved and click next.
Choose a Directory Services Restore Mode password, which is used for maintenance or restoration of Active Directory and click next.
A summary screen will pop up, review your settings and click next and allow it to run.
When your computer reboots ADDS will be installed and ready for use.
To add Server2 as a second Domain Controller:
Having only one domain controller is a huge risk as if it fails the entire network can go down
– for this reason it is important to add a second (or more) domain controller.
Ensure that your server has the correct name and IPv4 address settings and run dcpromo as
outlined above except:
On the ‘choose a deployment configuration’ screen choose existing forest and add controller to an existing domain. Click next.
When prompted enter the name of your domain (in this case MSCCONV) and use its administrator credentials to authenticate on the network.
Click next and choose the same settings as for Server1.
For added redundancy, and to reduce the load of DNS requests on Server1, allow DNS to be
installed on Server2 also.
Click next to review your settings and allow the wizard to run and your server to restart. It is
then ready to be configured.
To add Client1 as a workstation member:
Once again ensure that its name and IPv4 (statically assigned) settings are correct.
From control panel, navigate to system properties, click on change computer
name/properties.
Select the domain radio box and enter your domain name.
Authenticate on your domain.
Restart your computer for the changes to take effect.
Repeat with Client2.
To add MS-Core as a member server:
Once again ensure that its name and IPv4 (statically assigned) settings are correct, to configure these on your server core installation:
IP address:
At the command prompt type netsh interface ipv4 show interfaces to see the details of
your connections, note the idx number of the one(s) you want to change.
To statically assign an ip address type netsh interface ipv4 set address name =”<idx number
from above>” source=static address=<your static ip> mask=<your subnet mask>
51
Laura Duggan
07314299
14/7/14
To statically assign your DNS server type netsh interface ipv4 add dnsserver name="<idx number from above>" address=<DNS server address> index=1
To check that the settings have applied correctly use the ipconfig /all command. (Morimoto, 2012)
To rename the machine use the netdom command:
Type netdom renamecomputer %computername% /newname:MS-Core
and press enter, then answer yes.
To have the change take effect, restart your server by typing shutdown /r /t 0
To join it to the domain:
Type netdom join %computername% /domain:<domain name> /userd:<domain>\Administrator /passwordd:* (note the second d in passwordd).
Enter your password when prompted and reboot the server for the changes to take effect. The * makes netdom prompt for the password, which keeps it out of the command line and the command history; never type it directly after /passwordd:.
(Minasi, 2008)
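The server core steps above, collected into one batch file as an added example (this is not code from the manual). It assumes interface index 2, the address 192.168.0.103/24 that the manual later gives MS-Core, DNS servers 192.168.0.101 and 192.168.0.102 (the addresses the manual uses for Server1 and Server2 in Task G), and the domain MSCCONV.IPA; check the index with netsh before running. Run it once with no argument to set the addressing and rename the server (this reboots), then again as join after the reboot.

```batch
@echo off
rem Added example: static addressing, rename and domain join for a Server Core host.
rem Assumed values: interface index 2, IP 192.168.0.103/24, DNS 192.168.0.101 and
rem 192.168.0.102 (Server1/Server2), domain MSCCONV.IPA. Check "netsh interface ipv4
rem show interfaces" and change IFIDX if the index on your server differs.
setlocal
set "IFIDX=2"
set "IP=192.168.0.103"
set "MASK=255.255.255.0"
set "DNS1=192.168.0.101"
set "DNS2=192.168.0.102"
set "DOMAIN=MSCCONV.IPA"
set "NEWNAME=MS-Core"

if /I "%~1"=="join" goto :join

rem --- Phase 1: addressing and rename (ends in a reboot) ---
netsh interface ipv4 show interfaces
netsh interface ipv4 set address name="%IFIDX%" source=static address=%IP% mask=%MASK%
if errorlevel 1 (echo Failed to set the static address & exit /b 1)
netsh interface ipv4 set dnsservers name="%IFIDX%" source=static address=%DNS1% register=primary
netsh interface ipv4 add dnsserver name="%IFIDX%" address=%DNS2% index=2
ipconfig /all | findstr /C:"IPv4 Address" /C:"DNS Servers"

rem The domain must be resolvable before a join can succeed: this SRV record is the
rem one the join logic itself looks up to find a domain controller.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DNS1%

netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /force /reboot:5
goto :eof

:join
rem --- Phase 2 (after the reboot): join the domain ---
rem /userd is the account allowed to create computer objects. The domain Administrator
rem works in the lab; in production delegate that right to a dedicated join account.
rem /passwordd:* prompts rather than storing the password in this file.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:%DOMAIN%\Administrator /passwordd:* /reboot:5
if errorlevel 1 echo Domain join failed: check DNS resolution and the credentials used.
endlocal
```

If the SRV lookup in phase 1 returns nothing, fix the DNS server setting before attempting the join; a join that cannot find a domain controller fails with a DNS error rather than a credentials error.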
All of your machines are now connected to the domain MSCCONV.IPA.
Task C
- Install 2 additional hard disks of 150 GB on Server2 and configure them to:
- Using these disks, use one to mirror the operating system disk.
- Using the remaining available space, create a spanned volume which is to use all of the remaining free space on all disks.
Upon installation of new hard disks you must decide whether to set them up as MBR (Master Boot Record) or GPT (GUID Partition Table) disks. The distinction between the two lies in how they record the partitions on the disk; both play the same role of describing where each partition starts and ends.
MBR is the older standard, which remains in use today. It sits in the first sector of the disk and contains the table that describes how the partitions are laid out. MBR disks have a number of disadvantages: the table holds only four primary partitions (or three plus an extended partition containing logical drives), it cannot address a disk larger than 2 TB, and the MBR at the start of the disk is the only copy of the partition information, so if that sector is corrupted the whole disk becomes unreadable.
GPT uses globally unique identifiers (GUIDs) to define partitions, allows up to 128 partitions, and keeps a backup copy of the partition table at the end of the disk. Windows Server 2008 can use GPT for data disks on both the 32-bit and 64-bit editions, but it can only boot from a GPT disk on a 64-bit edition running on UEFI firmware. Because the disk being mirrored here is the boot disk of a 32-bit installation, it is an MBR disk, and the new disks are initialised as MBR as well.
(Oh, 2013)
After physically installing the two new hard disks on Server2, power it on, click the start button, right-click Computer and click Manage to open Server Manager.
When Server Manager opens, click Storage and then Disk Management (local view).
Disk 1 and Disk 2 are your two new, uninitialised hard drives. Right-click each of them in the lower panel and select Online, then initialise them (as MBR disks) when Disk Management prompts you.
By mirroring the operating system disk we are setting up RAID (redundant array of inexpensive/independent disks). RAID uses multiple drives to create data redundancy, to improve performance, or both, depending on the RAID level used.
RAID can be either hardware or software based. Hardware RAID uses a dedicated RAID controller that presents the array to the OS as a single disk, so the OS is largely unaware of it, while software RAID is implemented by the OS, which manages all of the drives itself. Hardware RAID is more expensive to implement, but it takes the mirroring work off the host CPU and the array does not depend on the OS being intact, which makes it the more robust choice for production. (Differencebetween.net, 2014)
The RAID levels 0 to 5 combine striping (writing data across an array of disks in strips to speed up reads and writes), parity (error detection and reconstruction) and mirroring (copying data across an array of disks for redundancy).
RAID 0: just striping; no redundancy or fault tolerance, but faster.
RAID 1: just mirroring; provides total redundancy in case one of the disks fails.
RAID 2-4 are not supported by software RAID on Windows.
RAID 5: block-level striping with distributed parity, giving both speed and fault tolerance.
(Wiki, RAID, 2014)
Thus mirroring our system partition sets up software-based RAID 1 on Server2. This gives redundancy should one of the drives fail, and typically faster read times (reads can be served from either disk) at the cost of slightly slower writes (every write goes to both disks).
In order to mirror your system partition, its disk must be a dynamic disk. To make it a dynamic disk, right-click on it, click 'Convert to dynamic disk' and click OK through the wizard.
Dynamic disks have features that basic disks do not: they can hold volumes that span more than one disk, and fault-tolerant volumes.
A volume is a disk partition that has been formatted with a valid file system (NTFS or FAT) and is used by Windows to store files.
To mirror your system partition, right click on it in the lower half of the disk management
view and click ‘add mirror’, click on which ever disk you’d like to add the mirror to and click
add mirror.
The system will then synch files contained on the system partition to the new mirrored volume and will continue to do so as files are changed.
Simple volumes work on the premise that each volume lives on a single disk and is assigned its own drive letter, independent of the others, whereas spanned volumes allow space from more than one drive to be combined into a single volume, thus using all the space available. The drawback is that a spanned volume has no redundancy: if any one of the disks it spans fails, the whole volume is likely to become unreadable, so it should only hold data you can afford to restore from backup.
To create a spanned volume with the rest of the available space, right-click on the unallocated space and click 'New spanned volume'. Add in all the available disk space and click through the wizard.
After formatting you will have one large volume spanning both of your disks.
(Techtopia, 2011)
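The same mirror and spanned volume built from the command line, as an added example that is not part of the manual: a batch file generates a diskpart script and runs it. It assumes disk 0 is the existing boot disk holding C:, disks 1 and 2 are the two new 150 GB disks, and the letter S: is free. Every command is destructive on the disk it selects, so confirm the disk numbers with list disk in diskpart before running it.

```batch
@echo off
rem Added example: mirror the boot volume onto disk 1, then span the free space left on
rem disks 1 and 2 into one volume, via a generated diskpart script.
rem Assumed: disk 0 = boot disk (C:), disks 1 and 2 = the new 150 GB disks, S: unused.
setlocal
set "SCRIPT=%TEMP%\mirror-and-span.txt"

> "%SCRIPT%"  echo rem bring the new disks online and make them writable
>> "%SCRIPT%" echo select disk 1
>> "%SCRIPT%" echo online disk noerr
>> "%SCRIPT%" echo attributes disk clear readonly noerr
>> "%SCRIPT%" echo select disk 2
>> "%SCRIPT%" echo online disk noerr
>> "%SCRIPT%" echo attributes disk clear readonly noerr
>> "%SCRIPT%" echo rem mirroring and spanning both require dynamic disks
>> "%SCRIPT%" echo select disk 0
>> "%SCRIPT%" echo convert dynamic noerr
>> "%SCRIPT%" echo select disk 1
>> "%SCRIPT%" echo convert dynamic
>> "%SCRIPT%" echo select disk 2
>> "%SCRIPT%" echo convert dynamic
>> "%SCRIPT%" echo rem RAID 1: add a second plex of the boot volume on disk 1
>> "%SCRIPT%" echo select volume C
>> "%SCRIPT%" echo add disk=1
>> "%SCRIPT%" echo rem spanned volume: the free space left on disk 1, extended over disk 2
>> "%SCRIPT%" echo create volume simple disk=1
>> "%SCRIPT%" echo extend disk=2
>> "%SCRIPT%" echo format fs=ntfs label="Spanned" quick
>> "%SCRIPT%" echo assign letter=S
>> "%SCRIPT%" echo list volume

diskpart /s "%SCRIPT%"
del "%SCRIPT%"

rem Check: the mirror is listed as "Mirror" with status "Rebuild" until the initial
rem synchronisation finishes, and Windows adds a "secondary plex" boot entry so the
rem server can still be started from disk 1 if disk 0 is lost.
bcdedit /enum | findstr /I "plex description"
```

Do not treat the mirror as complete until the status changes from Rebuild to Healthy; until then a failure of disk 0 still loses the volume.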
Task D
Within Active Directory, create the following organisational unit structure:
Parent OU called IPA containing:
◦ Two child OUs called Marketing and IT.
◦ IT OU to contain 2 sub OUs called Dublin and Belfast.
Identify any method of creating users via a TUI environment, outline advantages accordingly.
Using a method of your choice, Create 5 users in the IPA OU called user1 to user10
(first name only) using the default Pa$$w0rd.
Create 3 users in sales called user11 to user15, 3 users in Dublin called user16 to user18, and 2 users in Belfast called user19 and user20.
Users are not to change their passwords at first login and are to have 24 hour logins enabled, Monday to Friday only.
Configuring AD DS can be done using the GUI 'Active Directory Users and Computers' tool, or from the command line (mainly using dsadd and the other ds* tools) where required, to allow scripting or when working on a server core installation.
Organisational Units are put in place to allow easier management of objects (users, groups and computers) within Active Directory. OUs allow for management through Group Policy, and also allow administration to be delegated to the respective department administrators where appropriate (for lost passwords or account lockouts, for example) without making them domain administrators.
OUs are often created to mimic the department structure of an organisation, and/or to group users that have similar responsibilities (and therefore permissions).
Group Policy Objects are created and linked to sites, domains and OUs; thus to assign a GPO to a set of users they are placed in an OU and the GPO is linked to that OU. This will be discussed further and implemented in the next section.
To create a new Organisational Unit:
Open server manager by clicking the start button, right clicking on computer and click on
manage.
Expand the roles menu to see ‘Active Directory Domain Services’ and right click on your domain, scroll to new and click organisational unit.
Enter the name of the OU and click ok.
To create child OUs, repeat the process, however right click on the parent OU and select
new then organisational unit.
Your OUs are then ready to be configured.
Identify any method of creating users via a TUI environment, outline advantages accordingly.
The advantage of adding users from a text-based interface is that they can be added using scripts, thus semi-automating the process and making it repeatable, for example with batch files, PowerShell or Windows Script Host. The drawback is a less user-friendly interface.
User accounts are objects which hold all the information that define a user, they are used
for authentication, granting access to processes and services, and to manage particular users’ access to resources.
To manually add users using the command prompt:
The basic syntax is dsadd user <DN>
where DN is the distinguished name that uniquely identifies each object in the directory. The DN is the object's LDAP (Lightweight Directory Access Protocol) name, which is why the same name can be used by other LDAP-aware services that integrate with the directory.
An object's distinguished name is its entire hierarchical path from the object up to the domain root, written with the following LDAP attribute types:

Class                 LDAP notation   Definition
User / leaf object    CN              Common Name
Organisational unit   OU              Organisational Unit Name
Domain                DC              Domain Component, one for each part of the DNS name

So, for example, an employee Katie who is in the Belfast OU, inside the IT OU, in the MSCCONV.IPA domain would have the DN
CN=Katie,OU=Belfast,OU=IT,DC=MSCCONV,DC=IPA
The DN is written without spaces after the commas. If it does contain spaces (for example an OU named "IT Support") it must be enclosed in double quotes so that the command prompt passes it as a single argument; quoting it in every case is the safe habit.
dsadd user <DN> takes, among others, the following options (each written as -option value):
- -pwd: password (use -pwd * to be prompted, rather than typing the password on the command line where it is visible on screen and kept in the command history)
- -fn: first name
- -ln: last name
- -display: display name
- -samid: SAM account name (the pre-Windows 2000 logon name; if omitted, dsadd derives it from the CN)
- -upn: user principal name
- -disabled yes|no: whether the account is created disabled
- -mustchpwd yes|no: whether the user must change the password at next logon
So to add a user named Katie to the Belfast OU in the IT OU in the MSCCONV.IPA domain, with a password of Pa$$w0rd that she must change at next logon, the command is:
dsadd user "CN=Katie,OU=Belfast,OU=IT,DC=MSCCONV,DC=IPA" -fn Katie -display Katie -pwd Pa$$w0rd -mustchpwd yes -disabled no
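The scripted approach the section advocates, as an added example that is not from the manual: a batch file that creates all twenty accounts of Task D with dsadd in loops and then lists them with dsquery and dsget to verify the two flags the brief cares about. It assumes the OU tree from Task D (IPA, with children Marketing and IT; IT with children Dublin and Belfast) in MSCCONV.IPA, and treats the "sales" OU of the brief as the Marketing OU. The brief mandates a shared initial password, so it is passed on the command line here; in practice use -pwd * and set individual passwords. Logon hours cannot be set with dsadd, so those are still configured in Active Directory Users and Computers as shown next.

```batch
@echo off
rem Added example: bulk account creation with dsadd for the Task D OU structure.
rem Assumed: OUs IPA, Marketing, IT, Dublin and Belfast as in Task D, domain MSCCONV.IPA.
rem Run on a domain controller (or a machine with the AD DS administration tools).
setlocal
set "DOM=DC=MSCCONV,DC=IPA"
set "UPNSUFFIX=MSCCONV.IPA"

for /L %%i in (1,1,10)  do call :mkuser user%%i "OU=IPA,%DOM%"
for /L %%i in (11,1,15) do call :mkuser user%%i "OU=Marketing,OU=IPA,%DOM%"
for /L %%i in (16,1,18) do call :mkuser user%%i "OU=Dublin,OU=IT,OU=IPA,%DOM%"
for /L %%i in (19,1,20) do call :mkuser user%%i "OU=Belfast,OU=IT,OU=IPA,%DOM%"

rem Check: every account under IPA, with the enabled and must-change-password flags.
dsquery user "OU=IPA,%DOM%" -name user* -limit 0 | dsget user -samid -disabled -mustchpwd
endlocal
goto :eof

:mkuser
rem %1 = account name, %2 = DN of the OU that will contain it
dsadd user "CN=%~1,%~2" -samid %~1 -upn %~1@%UPNSUFFIX% -fn %~1 -display %~1 ^
  -pwd Pa$$w0rd -mustchpwd no -disabled no
if errorlevel 1 (echo FAILED: %~1) else (echo created %~1 in %~2)
goto :eof
```

The dsget output should show "no" in both the disabled and mustchpwd columns for all twenty accounts; any FAILED line usually means the containing OU does not exist yet or the password does not meet the domain's complexity policy.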
Using a method of your choice, Create 5 users in the IPA OU called user1 to user10
(first name only) using the default Pa$$w0rd
As the dsadd method of adding users has been described in detail above, I will demonstrate adding users using the GUI. Our users have similar requirements: they have the same password, they are not to change it on first login and they are to have 24-hour logins Monday to Friday. To simplify the process a user template account is made and then copied.
To make a user template account:
Open Server Manager by clicking the start button, right-clicking on Computer and clicking Manage. When it opens, expand the Roles menu until you see the Active Directory Users and Computers area, right-click on your IPA container and select New and then User.
Create the user template as the first user, with user1 as its first name and display name.
Click through the wizard, unchecking 'User must change password at next logon', and set the password.
When the user is created, right-click on it and select Properties. When the properties dialog opens, click on the Account tab and then Logon Hours.
Deselect the hours as necessary (in this case Saturday and Sunday 0.00-24.00) and click ok.
Click apply and ok.
After creating a user template in each container, right click on it and select copy, then
change the first name and display name as necessary to create as many users as required.
(Certification, 2003)
*Screenshots to show all users were successfully created
Should a user try to log in outside of the specified times this message will be shown.
Logon hours are an attribute of the account rather than a Group Policy setting, but Group Policy can control what happens when a logged-on user's hours expire (the security option 'Network security: Force logoff when logon hours expire'); Group Policy will be discussed further in the next section.
Task E
- Group the users in each OU according to recommended security policies.
- Prevent the users in the sales OU from being able to see the IT OU in Active Directory.
- Create 3 group policies to achieve the following:
  - Forward My Documents from Client2 to a folder on the root of C on Server2 called User_Docs.
  - Prevent Belfast from accessing Control Panel. Please exclude user20 from this policy.
  - Publish any MSI file of your choice from the C drive contents to all users in Dublin.
AD groups are similar to local groups in that they are used to treat a set of objects collectively in the same way. Active Directory global security groups are created to organise our users into groups, and permissions are then assigned to these groups.
To reduce confusion and administrative load, you should assign permissions to groups rather than to individual users.
Two types of group exist, distribution and security; security groups can be used for the functionality of both. Security groups can be used to assign permissions or rights to an object or to a set of objects, thus by using security groups you can use Active Directory both for authentication and for authorisation on the network.
A number of default groups exist, such as Domain Controllers, Domain Users, Read-only Domain Controllers and Cert Publishers, and you can create further groups manually.
To best organise groups for assigning rights and permissions, take the example of our marketing department in the MSCCONV domain: instead of assigning rights to each user in the department, we create a group group_marketing, and for the department's administrator we create admin_group_marketing, allowing permissions to be delegated accordingly.
In our IT department we can have group_IT_belfast and group_IT_dublin, and should a user move between the locations we move the user from one group to the other and the appropriate permissions follow. Similarly an admin_group_IT can be set up.
To create a group:
In server manager, right click on the containing OU and select new – group.
Name your group as required and click ok.
Select your users to add. Click ok to finish the wizard.
Repeat for other groups as required.
Prevent the users in the sales OU from being able to see the IT OU in Active Directory.
In Active Directory Users and Computers, click View and ensure that 'Advanced Features' is checked; the Security tab of an OU is only shown when it is.
Right-click on the OU that you wish to restrict access to (in this case IT), choose Properties and open the Security tab.
Remove 'Everyone' if it is present, as it also covers unauthenticated access, then click Add to find your marketing group.
Find the group and click OK. Back in the IT properties screen, highlight group_marketing and tick Deny for Read. Without Read access the OU and the objects inside it will not be visible to those users in Active Directory.
Use Deny entries sparingly: a Deny overrides any Allow, so a marketing user who later needs to read the IT OU through membership of another group will still be blocked until this entry is removed.
Click apply and ok for your settings to take effect.
(Grillenmeier, 2012)
Group Policy is edited using the Group Policy Management Console and the Group Policy Management Editor, which between them expose several thousand settings through Group Policy Objects. A GPO is a container for a set of settings that can be linked to sites, domains and organisational units across an AD network, restricting or granting access to resources where necessary.
In the Group Policy Management Editor there is both a Computer Configuration and a User Configuration. Computer Configuration deals with machine-specific settings, while User Configuration deals with user-specific settings such as application configuration, folder redirection and Start menu management.
Policy settings apply to every user or computer in the scope the GPO is linked to; exceptions are made by security filtering the GPO (granting or denying the Apply Group Policy permission, as done for user20 below). Windows Server 2008 also introduced Group Policy Preferences, which additionally support item-level targeting of individual preference items.
To open the Group Policy Management Console, click start, administrative tools and group
policy management.
Best practice for designing Group Policy Objects:
- Keep the GPO name consistent with OU names, i.e. 'Belfast Laptops' rather than 'laptops'.
- Only create a new GPO when the scope is different.
- Disable the user or computer settings of a GPO if they are not in use.
- Reuse GPOs where possible.
(Burchill, 2010)
To begin setting up Group Policy Objects, open Group Policy Management by clicking the start button, navigating to Administrative Tools and clicking Group Policy Management; editing a GPO from there opens the Group Policy Management Editor.
When it opens you will see the default Group Policy Objects which are already in place (Default Domain Policy and Default Domain Controllers Policy).
To forward my documents from Client1 to a folder on Server1 called user_docs:
By redirecting the Documents folder of users on a client machine to a server, their data is stored centrally on the specified server, so the server is the one place that needs to be backed up and the client can be rebuilt without losing user files.
First we need to set up a shared folder on the root of C:. Click the start button, click Computer and open C:, right-click and choose New and then Folder.
Name the folder as appropriate (user_docs in this instance), right-click on it and click Properties. Click on the Sharing tab and then Advanced Sharing.
Check the ‘share this folder’ checkbox and add a comment if desired. Click apply and ok.
Check the NTFS permissions under the Security tab and note the network path given for the share (in this instance \\SERVER1\user_docs). Giving Authenticated Users Full Control on the root is the quickest way to make redirection work, but it grants every domain user far more than they need on a folder that holds everyone's documents (renaming or deleting other users' top-level folders, for example). The least-privilege set for a redirection root is Full Control for SYSTEM, Administrators and CREATOR OWNER, and for Authenticated Users only List Folder, Create Folders, Read Attributes and Traverse on this folder only, so that each user can create a folder which they then own.
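The least-privilege root described above, created from the command line as an added example (not code from the manual). It assumes the folder is C:\user_docs on the server that will hold the redirected folders and that the share is called user_docs; it uses icacls for the NTFS ACL and net share for the share permissions.

```batch
@echo off
rem Added example: redirection root with least-privilege NTFS and share permissions.
rem Assumed: C:\user_docs on the file server, shared as user_docs.
setlocal
set "ROOT=C:\user_docs"
if not exist "%ROOT%" mkdir "%ROOT%"

rem Start from a clean ACL: drop the entries inherited from C:\.
icacls "%ROOT%" /inheritance:r

rem Administrators and SYSTEM: Full Control on the root and everything beneath it.
icacls "%ROOT%" /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"

rem CREATOR OWNER: Full Control on subfolders and files only (inherit-only), so each
rem user fully controls the folder Folder Redirection creates for them and nothing else.
icacls "%ROOT%" /grant "CREATOR OWNER:(OI)(CI)(IO)F"

rem Authenticated Users on this folder only: list (RD), create subfolder (AD), read
rem attributes (RA), traverse (X). Enough to create their own folder, not enough to
rem open or remove anyone else's.
icacls "%ROOT%" /grant "Authenticated Users:(RD,AD,RA,X)"

rem Share permissions: Full to Authenticated Users and let NTFS do the restricting;
rem disable offline caching so copies of documents do not accumulate on clients.
net share user_docs="%ROOT%" /GRANT:"Authenticated Users",FULL /CACHE:None /REMARK:"Redirected Documents"

rem Checks: the resulting ACL and the share definition.
icacls "%ROOT%"
net share user_docs
endlocal
```

After the first user logs on, icacls on their subfolder should show only that user and SYSTEM (when the redirection policy's 'grant the user exclusive rights' option is left on), and a different user browsing \\SERVER1\user_docs should see the folder names but be refused when opening them.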
Open group policy management by clicking start, navigating to administrative tools and
clicking on group policy management.
Find your domain on the left hand side of the console and right click on it, select ‘create a
GPO in this domain, and link it here’.
Name your GPO and click ok.
On the left-hand side of the editor expand User Configuration, Policies, Windows Settings, Folder Redirection, and double-click on Documents.
In the dialog box, fill in the details of your desired redirection: in our case 'Basic - redirect everyone's folder to the same location', with the target location as the shared folder created earlier (a subfolder per user is created beneath it).
Click apply and ok.
Back in group policy management, click on your newly created policy to bring it into focus in
the central console.
In the security filtering pane, click add to add your client computer. Click on object types
and check the computer check box and click ok.
Type the name of your computer (in our case client1) and click OK.
Remove the Authenticated Users group from the security filtering pane.
Note that Folder Redirection is a User Configuration setting, and a user only receives the GPO if the user (or a group containing the user) has Read and Apply Group Policy permission on it. Filtering to the computer account alone therefore only takes effect if loopback processing is also enabled on that computer (Computer Configuration, Policies, Administrative Templates, System, Group Policy, 'User Group Policy loopback processing mode'); otherwise filter on the users instead.
Your GPO is now set up and ready for use. To test it, log on to client1, save a file in Documents and check the user_docs folder on the server.
(Silva, 2008)
To create a Group Policy Object to prevent users from accessing Control Panel:
Blocking access to Control Panel stops users from changing settings on their local machines that could weaken the security of the network.
Open Group Policy Management by clicking the start button, administrative tools and clicking Group Policy Management.
Right click on your domain (in this case MSCCONV.IPA) and click on ‘create a GPO in this
domain and link it here’. Name your new GPO and click ok.
In the left pane, click on your new GPO and under security filtering click add.
Type the name of your group to which you wish to enforce the GPO and click ok.
Click to remove the authenticated users group.
To exclude User20 from the policy, click on the delegation tab, and click advanced.
Click Add and find the user you wish to exclude. Alternatively you could create an 'excluded users' group if there were more than one user to exclude, or if the excluded user is likely to change, so that group membership rather than the GPO's permissions is what gets edited later.
Under the list of security settings, click Advanced to pull up the advanced list.
The last entry is ‘apply group policy’, check the deny checkbox and click ok.
Your custom settings will be reflected in the delegation panel.
(Burchill, 2010)
To configure the GPO’s settings, right click on it in the left pane and click edit.
To block access to the control panel, navigate in the left pane to user configuration, policies,
administrative templates, control panel.
Double-click on 'Prohibit access to Control Panel'.
Click the Enabled radio button, then click Apply and OK.
Your Group Policy is now enabled; log in as a member of Belfast's IT group to see the change.
When a member of Belfast's IT group (other than user20) tries to open Control Panel, this message is displayed.
(Hamizi, 2013)
Publish any MSI file of your choice from the C drive contents to all users in Dublin.
An .msi file is a Windows Installer package, which allows software to be pushed out across the network to specific users or machines through Group Policy.
For this installation, we will publish Firefox to all users in Dublin.
To publish an MSI file:
First download the .msi file of your choice to the C: drive of the domain controller; in this case we downloaded Firefox from here:
http://frontmotion.com/FMFirefoxCE/download_fmfirefoxce.htm
As it will be pushed out across the network, it needs to be in a shared folder. Create a shared folder on the C: drive (in this case called 'installations'), right-click on it and select Properties, Sharing, Advanced Sharing.
Tick the 'share this folder' checkbox, add a comment and click OK. Make sure that only administrators can write to this share: every machine that deploys the package executes whatever sits in it, so anyone who can replace the .msi can run code on all of those machines. Users (or computers, for assigned packages) need Read only.
Note the network path of the share and click apply and close.
Open group policy management by clicking the start button, administrative tools and group
policy management.
Right click on your domain and click ‘create a new GPO and link here’, name your GPO, and
in the security filtering panel remove authenticated users, and add group_dublin_it.
Right-click on the policy in the left pane and click Edit. When the Group Policy Management Editor opens, navigate to User Configuration, Policies, Software Settings, and right-click on Software Installation.
Click on New and then Package, and navigate to the network location (the UNC path of the share, not C:) of your .msi file.
When the Deploy Software box pops up, you can choose between Published, Assigned or Advanced. Assigned installs the software automatically (for a user it is advertised at logon and installed either at logon or on first use, depending on the advanced options), while Published only makes it available for the user to install from Programs and Features ('Install a program from the network'), leaving the choice to the user.
Click into advanced to get more options.
Under the deployment tab, by checking the ‘uninstall the application when it falls out of the
scope of management’ the application will be uninstalled if the GPO is later removed.
Choose your deployment type and click ok.
Your GPO is now in place: an assigned package is installed when Dublin users next log on, and a published one appears in Programs and Features for them to install.
To expedite this process for testing purposes, log in as a user in the Dublin IT group, open a command prompt, type gpupdate /force /logoff and press enter. The session is logged off so that the user policy (including software installation) is reapplied at the next logon; add /boot only for computer settings that need a restart.
A small environment such as the one we have set up, where we know all users' passwords and can log in as them to check Group Policy, is unlikely to exist in the real world (and sharing passwords would defeat accountability); therefore it is important to test Group Policy settings in other ways before pushing them out to users. To do this a test environment can be set up, usually using virtual machines housed within a 'test' OU that mimics a typical departmental OU with some test accounts.
Using the Group Policy Management Console you can make copies of GPOs by right clicking
on them, and choosing copy and paste. Then append them with ‘test’ and link them to the
test OU. From here you can log in to your test accounts and see what changes have been
made without causing problems for existing users or computers.
(Beckman, 2012)
Task F
- Set up the MS-Core server as a file server.
- Configure MS-Core for Windows remote administration.
- Access MS-Core from Client2 using Remote Desktop.
A file server is a computer whose primary function is the storage of files for other computers on the network. File servers are usually built with hardware chosen to maximise storage capacity and throughput, and need very little local I/O or interaction, so a server core installation, which has no GUI and therefore a smaller attack surface to patch, is ideal for a file server. (Hansen, 2014)
To set up MS-Core (server core installation) as a file server:
On your server core installation, storage services will be pre-installed, this enables basic file
sharing and remote and local storage management, hence you are able to access hidden
and administrative shares.
(Berkouwer, 2013)
There are four other role services that can be installed on server core to add functionality to the File Services role:
- DFS Namespaces: allows grouping of shared folders on different servers in multiple sites into logically structured namespaces; each namespace appears as a single shared folder.
- DFS Replication: allows you to synchronise folders on multiple servers across a network.
- Services for Network File System: allows the transfer of files between Windows Server 2008 and UNIX operating systems using the NFS protocol.
- File Replication Service: allows synchronisation with file servers that use FRS rather than the newer DFS Replication service.
Optional components are managed on server core with the ocsetup command, with oclist showing the list of server roles and optional features and whether or not each is installed.
To install the four services outlined above, type start /w ocsetup DFSN-Server && start /w ocsetup DFSR-Infrastructure-ServerEdition && start /w ocsetup FRS-Infrastructure && start /w ocsetup ServerForNFSBase
(the component names are case-sensitive).
To ensure they have been correctly installed type oclist | find /I "installed" | find /V /I "not installed"
and you will see the list of installed roles and services. Your file server can then be managed locally using the net share command, or remotely using MMC snap-ins on a full installation of Windows Server or on a Windows client machine.
(Tulloch, 2008)
Configure MS-Core for Windows Remote administration.
There are a number of ways to configure a Server Core installation for remote administration, including:
- Remote Desktop
- Microsoft Management Console (MMC) snap-ins and the Remote Server Administration Tools
- Windows Remote Shell
- Group Policy
Remote Desktop administers a server core installation remotely in exactly the same way as if you were using the local console on the server. By default it is disabled; to enable it use scregedit.wsf, typing: cscript %windir%\system32\scregedit.wsf /ar 0
To check that it has been enabled type cscript %windir%\system32\scregedit.wsf /ar /v
A value of 0 means enabled and a value of 1 means disabled. To later disable Remote Desktop, use the original command but with /ar 1 at the end (cscript %windir%\system32\scregedit.wsf /ar 1). Leave the related /cs setting at its default so that Network Level Authentication is still required of connecting clients.
A demonstration of how to connect to your server core installation is outlined in the next
section.
RSAT (Remote Server Administration Tools) allows roles and features to be administered remotely on a server core installation in the same way as you would administer them on a full installation of Windows Server 2008, from either a full installation of Windows Server 2008 or a client machine running Windows Vista or higher.
To remotely manage a share using MMC:
On your server core installation type netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
to allow remote administration access through the firewall (this opens the RPC-based ports the MMC snap-ins use, so only do it on a management network you trust).
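The file server and remote administration steps above for MS-Core, combined into one batch file as an added example that is not part of the manual. It assumes it is run at the local console of the Server Core installation as an administrator, and it checks each step (installed components, the Remote Desktop setting, the WinRM listener and the listening RDP port) rather than assuming it worked.

```batch
@echo off
rem Added example: file services role services plus Remote Desktop, remote MMC and
rem WinRM on a Server Core installation, with a check after each step.
rem Assumed: run locally on MS-Core with administrative rights.

rem File Services role services (ocsetup component names are case-sensitive).
for %%S in (DFSN-Server DFSR-Infrastructure-ServerEdition FRS-Infrastructure ServerForNFSBase) do (
  start /w ocsetup %%S
)
rem Check: installed components only, with the "Not Installed" lines filtered out.
oclist | find /I "installed" | find /V /I "not installed"

rem Remote Desktop: /ar 0 enables it. The /cs setting is only displayed, not changed,
rem so Network Level Authentication stays required; set "/cs 0" only if pre-Vista
rem clients must connect, and knowingly.
cscript //nologo %windir%\system32\scregedit.wsf /ar 0
cscript //nologo %windir%\system32\scregedit.wsf /ar /v
cscript //nologo %windir%\system32\scregedit.wsf /cs /v

rem Firewall: open only the rule groups each management path needs.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes

rem Windows Remote Shell (winrs) needs a WinRM listener; quickconfig creates one and
rem opens its firewall rule. -q suppresses the interactive prompts.
winrm quickconfig -q
winrm enumerate winrm/config/listener

rem Check: RDP is listening on 3389.
netstat -an | findstr /C:":3389 "
```

From a management machine, winrs -r:MS-Core ipconfig should now return the server's addressing, and mstsc can connect as shown in the next section.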
On your domain controller, member server or client machine, click start and run, type mmc
into the box and press enter to open a new Microsoft Management Console.
Click file and add/remove snap-in, choose your snap-in, in this case ‘shared folders’ and
choose which computer in the domain you wish it to be for, in our case MS-Core.
Click ok and browse into your shared folders and shares, right click to create a new share
and follow the wizard.
Choose the folder to share and name it, click ok.
When the wizard finishes, you can see your new shared folder, and can manage all other
shares on your remote computer from here also.
To access MS-Core from Client1 using Remote Desktop:
On your client machine, open Remote Desktop Connection by clicking the start button, typing mstsc into the search box and pressing enter.
When the Remote Desktop Connection box opens, enter the name or IP address of the computer you wish to connect to (in our case MS-Core, which has an IP address of 192.168.0.103) and click Connect.
Authenticate by entering your domain username and password, click OK, and wait for the session to load.
You can then administer your server in the same way as if you were sitting in front of it.
To logoff and return to the client desktop, type logoff and press enter.
(Tulloch, 2008)
Task G
- Install DHCP on Server2 with the scope 192.168.0.110 to 192.168.0.160, default mask and appropriate DNS address. Configure Client2 to obtain its address and TCP/IP settings from DHCP.
- If you disable DHCP services, what address will Client2 get?
DHCP (Dynamic Host Configuration Protocol) is a service that allows machines to obtain their IP addresses and network settings automatically, which simplifies network configuration compared with giving out static IP addresses manually to each machine.
The DHCP server has a pool of IP addresses to assign from. Should a machine expect an address from a DHCP server and not get one, it self-assigns an APIPA (Automatic Private IP Addressing) address in the link-local range 169.254.0.0/16 (mask 255.255.0.0). Such an address only works for talking to other hosts on the same segment, so a client showing 169.254.x.x is a sign that it never reached a DHCP server. The client keeps retrying DHCP in the background, and when the server is back online and able to service requests again it picks up a normal lease automatically.
To configure a Windows Server 2008 machine as a DHCP server:
Open server manager by clicking the start button, administrative tools and server manager.
Click on roles and add roles, tick the DHCP server checkbox and click next.
Click next to select the network connection bindings, with the only option available.
Enter your preferred and alternate DNS server IP addresses (in this case 192.168.0.101 and 192.168.0.102) and click next.
Check the 'WINS is not required for applications on this network' radio button and click next.
Click Add new scope.
Enter the range of IP addresses to be assigned along with your subnet mask (note: I am using 192.168.0.110-160 rather than 192.168.0.100-150) and click OK.
Click next, then choose 'Disable DHCPv6 stateless mode for this server', as IPv6 addressing is not being used in our domain.
Choose to use current credentials to authorize DHCP server in ADDS and click next.
Review and confirm your settings and click install.
Allow DHCP to set up and when it has finished it will display installation succeeded.
(Warren, 2008)
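The same scope built with netsh instead of the wizard, as an added example that is not from the manual. It assumes it runs on Server2 (192.168.0.102) after the DHCP Server role has been installed, uses the DNS servers entered in the wizard above, and sets no router option because the lab has no default gateway. It ends with the checks a practitioner would run: authorisation status, scope state and options, and the leases issued.

```batch
@echo off
rem Added example: the Task G scope (192.168.0.110-160) created with netsh, then checked.
rem Assumed: run on Server2 (192.168.0.102) with the DHCP Server role installed;
rem DNS servers 192.168.0.101 and 192.168.0.102; no default gateway in the lab.
setlocal
set "SUBNET=192.168.0.0"
set "MASK=255.255.255.0"

netsh dhcp server add scope %SUBNET% %MASK% "IPA LAN" "Clients .110 to .160"
netsh dhcp server scope %SUBNET% add iprange 192.168.0.110 192.168.0.160

rem Scope options: DNS servers (006) and DNS domain name (015), so that clients can
rem resolve and register names in MSCCONV.IPA.
netsh dhcp server scope %SUBNET% set optionvalue 006 IPADDRESS 192.168.0.101 192.168.0.102
netsh dhcp server scope %SUBNET% set optionvalue 015 STRING MSCCONV.IPA
netsh dhcp server scope %SUBNET% set state 1

rem Authorisation in AD DS: a domain-joined Windows DHCP server that is not authorised
rem refuses to issue leases. This restrains a rogue Windows DHCP server in the domain;
rem it does nothing against a non-Windows rogue server on the segment.
netsh dhcp add server Server2.MSCCONV.IPA 192.168.0.102
netsh dhcp show server

rem Checks: scope state and options, then the leases handed out so far.
netsh dhcp server show scope
netsh dhcp server scope %SUBNET% show optionvalue
netsh dhcp server scope %SUBNET% show clients 1
endlocal
```

On Client2, ipconfig /all should afterwards show 'DHCP Enabled: Yes', a DHCP Server line of 192.168.0.102 and an address inside .110-.160; a 169.254.x.x address there means the request never reached this server.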
To configure the client machine to obtain its IP address and TCP/IP settings from DHCP:
To have your client obtain its IP address and TCP/IP settings from the DHCP server set up on Server2, we need to change the settings from being statically assigned (in Task 1) to being assigned automatically.
To do this, open Network and Sharing Centre by right-clicking on the network icon, and click on Local Area Connection. Click Properties and double-click on Internet Protocol Version 4 (TCP/IPv4).
Change the radio buttons to 'Obtain an IP address automatically' and 'Obtain DNS server address automatically', and click OK. Click OK again to apply the settings.
To check that the client is getting its information from our DHCP server, click start and type cmd to open a command prompt, then type ipconfig /all and press enter; 'DHCP Enabled' should read Yes and the DHCP Server line should show Server2's address.
We can see that we have been assigned 192.168.0.110, which is in the range we specified for our DHCP server.
If you disable DHCP services, what address will Client2 get?
To disable the DHCP server:
On Server2, open Server Manager by clicking the start button, Administrative Tools and Server Manager. Navigate to Roles and DHCP Server, and click Stop in the right-hand pane.
Back on Client2, to release the adapter's current settings, type ipconfig /release and press enter; then, to renew them, type ipconfig /renew and press enter.
Type ipconfig and press enter to see the new settings.
An APIPA address of 169.254.51.55 has been assigned: with no DHCP server answering, the client falls back to a self-assigned link-local address in the 169.254.0.0/16 range, so it will not be able to reach the rest of the domain.
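The two ipconfig results above (a lease from our scope while DHCP is running, an APIPA address once it is stopped) are the two outcomes an administrator needs to tell apart when checking a client. The script below is an added example, not part of the manual: it parses ipconfig output and reports whether the client's address came from the 192.168.0.110-160 scope configured on Server2, is an APIPA fallback, or is something else entirely (a leftover static address, or a lease from a DHCP server we did not set up, which is worth investigating). The ipconfig captures inside it are constructed sample text modelled on the lab output, not recordings from Client2.

```python
import ipaddress
import re

# DHCP scope configured on Server2 in Task G (values taken from the manual).
SCOPE_START = ipaddress.IPv4Address("192.168.0.110")
SCOPE_END = ipaddress.IPv4Address("192.168.0.160")
# Link-local range Windows falls back to (APIPA) when no DHCP server answers.
APIPA_NET = ipaddress.IPv4Network("169.254.0.0/16")

# Constructed ipconfig output for three situations; sample text, not captures from the lab.
IPCONFIG_LEASED = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : MSCCONV.ipa
   IPv4 Address. . . . . . . . . . . : 192.168.0.110
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
"""

IPCONFIG_APIPA = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Autoconfiguration IPv4 Address. . : 169.254.51.55
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

IPCONFIG_UNEXPECTED = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.0.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
"""

# Matches both "IPv4 Address. . . : x.x.x.x" and "Autoconfiguration IPv4 Address. . : x.x.x.x".
IPV4_LINE = re.compile(r"IPv4 Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def extract_ipv4(ipconfig_text):
    """Return the first IPv4 address ipconfig reports, or None if there is none."""
    match = IPV4_LINE.search(ipconfig_text)
    return ipaddress.IPv4Address(match.group(1)) if match else None


def classify_address(addr):
    """Say where an address came from, relative to the scope we configured."""
    if addr is None:
        return "no IPv4 address"
    if addr in APIPA_NET:
        return "APIPA"            # no DHCP server reachable; client self-assigned
    if SCOPE_START <= addr <= SCOPE_END:
        return "DHCP scope"       # lease handed out from Server2's scope
    return "outside scope"        # static address, or a lease from a server we did not set up


def check_client(ipconfig_text):
    """Return (address string or None, classification) for one ipconfig capture."""
    addr = extract_ipv4(ipconfig_text)
    return (str(addr) if addr else None), classify_address(addr)


if __name__ == "__main__":
    for label, capture in [("DHCP running", IPCONFIG_LEASED),
                           ("DHCP stopped", IPCONFIG_APIPA),
                           ("unexpected lease", IPCONFIG_UNEXPECTED)]:
        print(label, "->", check_client(capture))
```

On a real client the text would come from running ipconfig and feeding its output to check_client; the "outside scope" result is the one to chase up, since after a /release and /renew a client should only ever hold an address from our scope or an APIPA address.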
Task H
Decommission Server 2 from the Active Directory system using a method which would be
used if the server became unbootable.
To demote a domain controller under normal circumstances (i.e. when it is still bootable) you use dcpromo, the same tool that promoted it to a domain controller in the first place. Before demoting a domain controller, ensure that it is not the sole source of your global catalog.
To demote a domain controller:
Click the start button, type run and press enter; when the open box pops up, type dcpromo, click ok and then next.
When the Active Directory Installation Wizard opens, click next, and on the Remove Active Directory page click next and follow the steps to complete the wizard. Your server is now no longer a domain controller. (Microsoft, Demote a Domain Controller, 2005)
Should a domain controller become unbootable due to a hardware issue, to
decommission it:
These steps can also be used if you try the method above and dcpromo fails, or if you start to promote a DC and dcpromo fails. Both of these scenarios leave traces of metadata in Active Directory which must be removed, especially if you wish to add a new DC with the same name to AD DS.
From Windows Server 2008 onwards it is possible to remove these NTDS settings automatically in the GUI using Active Directory Users and Computers or Active Directory Sites and Services, by right clicking on the server to be removed, clicking delete and confirming the deletion in the pop up. (Microsoft, 2012) However, the process below outlines in detail how to remove the metadata manually should there still be traces of it left behind.
To begin, open a command prompt by clicking the start button and typing cmd.
The ntdsutil tool is used to remove the NTDS settings: at the prompt type ntdsutil and press enter, then metadata cleanup and enter, then connections and enter.
We then connect to a domain controller which is online and bootable; in this case type connect to server server1 and press enter.
When connected, type q and press enter.
At the metadata cleanup prompt, type select operation target and press enter, then list domains and enter. A list of your domains will appear.
At the select operation target prompt, type select domain 0 (the number of your domain) and press enter.
At the select operation target prompt, type list sites and press enter; a list of your available sites will be shown, using their DNs.
At the select operation target prompt, type select site 0 (the number of your site) and press enter.
At the select operation target prompt, type list servers in site and press enter; you will then see a list of the domain controllers which currently exist in your domain.
At the select operation target prompt, type select server 1 (server number 1 being our Server2, which we wish to remove) and press enter.
You will be asked to confirm that you are removing the desired server; check that the details are correct and click ok to continue.
Your progress will be shown, and when it has completed type q and press enter until you return to a regular command prompt.
After the metadata about Server2 has been removed, you can then remove it from Active Directory Sites and Services (start – admin tools – Active Directory Sites and Services): open sites, then default-first-site-name, and select the server to be removed in the right pane.
Right click on its NTDS settings and click delete.
Click ok to delete the entry.
To ensure that all traces of Server2 are removed, we must check Active Directory Users and Computers and our DNS settings.
Open Active Directory Users and Computers by clicking start, administrative tools and ADUC.
In the domain, click on domain controllers and check that Server2 is no longer on the list.
To ensure that your DNS settings are also correct, open DNS manager by clicking start, administrative tools and DNS manager.
Navigate to Server1, forward lookup zones, _msdcs and properties, highlight Server2.MSCCONV.ipa and click remove. Click apply and ok. (Hashmi, 2012) (Petri, 2008)
Server2 has now been fully decommissioned from AD DS.
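The manual checks three places by hand for leftover traces of Server2: the server object and its NTDS Settings under Sites and Services, the Domain Controllers container in ADUC, and the _msdcs zone in DNS. The script below is an added example, not part of the manual, that performs the same check over exported data so nothing is missed. It builds the DN of the server object that the ntdsutil select server step targets, then scans an LDIF-style directory export and a DNS zone listing for any record still naming the removed DC. Both data sets are constructed sample text using the manual's names (MSCCONV.ipa, Default-First-Site-Name, Server1, Server2); in a real domain they would be produced with an export tool such as ldifde and a zone dump from DNS Manager.

```python
import re

# Naming from the manual: domain MSCCONV.ipa, site Default-First-Site-Name, Server2 decommissioned.
DOMAIN_FQDN = "MSCCONV.ipa"
DOMAIN_DN = "DC=MSCCONV,DC=ipa"
SITE_NAME = "Default-First-Site-Name"
REMOVED_DC = "Server2"

# Constructed LDIF-style export of the two directory locations the manual checks by hand
# (Sites and Services, and the Domain Controllers OU). Sample data, not a capture from the lab.
DIRECTORY_EXPORT = """
dn: CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSCCONV,DC=ipa
objectClass: server

dn: CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSCCONV,DC=ipa
objectClass: nTDSDSA

dn: CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSCCONV,DC=ipa
objectClass: server

dn: CN=SERVER1,OU=Domain Controllers,DC=MSCCONV,DC=ipa
objectClass: computer
"""

# Constructed records from the _msdcs zone (sample data, not a zone dump from the lab).
DNS_EXPORT = """
_ldap._tcp.dc._msdcs.MSCCONV.ipa.      SRV 0 100 389 server1.MSCCONV.ipa.
_ldap._tcp.dc._msdcs.MSCCONV.ipa.      SRV 0 100 389 server2.MSCCONV.ipa.
_kerberos._tcp.dc._msdcs.MSCCONV.ipa.  SRV 0 100 88  server1.MSCCONV.ipa.
_kerberos._tcp.dc._msdcs.MSCCONV.ipa.  SRV 0 100 88  server2.MSCCONV.ipa.
gc._msdcs.MSCCONV.ipa.                 A   192.168.0.101
"""


def server_dn(dc_name, site=SITE_NAME, domain_dn=DOMAIN_DN):
    """DN of the server object that 'select server N' in ntdsutil points at."""
    return f"CN={dc_name},CN=Servers,CN={site},CN=Sites,CN=Configuration,{domain_dn}"


def find_directory_leftovers(ldif_text, dc_name):
    """DNs still referring to the DC: its server object, its NTDS Settings child,
    or its computer account in the Domain Controllers OU."""
    needle = f"CN={dc_name},".lower()
    dns = re.findall(r"^dn: (.+)$", ldif_text, flags=re.MULTILINE)
    return [dn for dn in dns if needle in dn.lower()]


def find_dns_leftovers(zone_text, dc_name, domain_fqdn=DOMAIN_FQDN):
    """Zone records whose target is still the removed DC's host name."""
    target = f"{dc_name}.{domain_fqdn}.".lower()
    leftovers = []
    for line in zone_text.splitlines():
        fields = line.split()
        if fields and fields[-1].lower() == target:
            leftovers.append(" ".join(fields))
    return leftovers


def audit(dc_name=REMOVED_DC, ldif_text=DIRECTORY_EXPORT, zone_text=DNS_EXPORT):
    """Collect every remaining reference; an empty dict means the DC is fully decommissioned."""
    report = {}
    directory = find_directory_leftovers(ldif_text, dc_name)
    if directory:
        report["directory"] = directory
    dns = find_dns_leftovers(zone_text, dc_name)
    if dns:
        report["dns"] = dns
    return report


if __name__ == "__main__":
    print("ntdsutil target:", server_dn(REMOVED_DC))
    for place, items in audit().items():
        print(place)
        for item in items:
            print("  ", item)
```

Run against the sample data it reports the stale server object still under Sites and Services and the two SRV records still pointing at server2, which is exactly the situation the manual's final ADUC and DNS Manager checks are there to catch; an empty report is the state to reach before a new DC with the same name is promoted.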
References
Beckman, K. (2012, January 31). Troubleshooting Group Policy - Part 2: Test and Deploy. Retrieved July 14, 2014, from 4sysops.com: http://4sysops.com/archives/troubleshooting-group-policy-part-2-test-and-deploy/
Berkouwer, S. (2013, May 14). How to install File Services on Server Core. Retrieved July 13, 2014, from 4sysops.com: http://4sysops.com/archives/how-to-install-file-services-on-server-core/
Burchill, A. (2010, July 27). Group Policy Design Guidelines - Part 2. Retrieved July 11, 2014, from grouppolicy.biz: http://www.grouppolicy.biz/2010/07/best-practice-group-policy-design-guidelines-part-2/
Burchill, A. (2010, May 19). How to exclude individual users or computers from a Group Policy Object. Retrieved July 13, 2014, from grouppolicy.biz: http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
Certification, P. I. (2003, November 3). Managing Users, Computers, and Groups. Retrieved July 11, 2014, from Pearson IT Certification: http://www.pearsonitcertification.com/articles/article.aspx?p=101711&seqNum=2
Differencebetween.net. (2014). Difference Between Hardware RAID and Software RAID. Retrieved July 14, 2014, from differencebetween.net: http://www.differencebetween.net/technology/difference-between-hardware-raid-and-software-raid/
Grillenmeier, G. (2012, March 22). Hiding Data in Active Directory. Retrieved July 11, 2014, from windowsitpro.com: http://windowsitpro.com/active-directory/hiding-data-active-directory
Hamizi, M. (2013, July 16). Simple Guide: How to Prohibit access to control panel for domain users in Server 2012. Retrieved July 13, 2014, from mizitechinfo.wordpress.com: http://mizitechinfo.wordpress.com/2013/07/16/simple-guide-how-to-prohibit-access-to-control-panel-for-domain-users-in-server-2012/
Hansen, G. (2014, June 19). What is a file server? Retrieved July 13, 2014, from wisegeek.com: http://www.wisegeek.com/what-is-a-file-server.htm
Hashmi, B. (2012, January 4). Cleaning metadata after a failed DC. Retrieved July 13, 2014, from cloud-buddy.com: http://www.cloud-buddy.com/?p=919
Janssen, C. (2010). What does Active Directory mean? Retrieved July 14, 2014, from techopedia.com: http://www.techopedia.com/definition/25/active-directory
Microsoft. (2005, January 31). Demote a Domain Controller. Retrieved July 13, 2015, from technet.microsoft.com: http://technet.microsoft.com/en-us/library/cc740017(v=ws.10).aspx
Microsoft. (2009, October 22). Server Core Installation Option Getting Started Guide. Retrieved July 9, 2014, from technet.microsoft.com: http://technet.microsoft.com/en-us/library/cc753802(v=ws.10).aspx
Microsoft. (2010, October 13). Step by Step: Basic Windows 7 Deployment for IT Professionals. Retrieved June 6, 2014, from technet.microsoft.com: http://technet.microsoft.com/en-gb/en%E2%80%90us/library/dd349348(v=ws.10).aspx
Microsoft. (2012, November 1). Clean Up Server Metadata. Retrieved July 13, 2014, from technet.microsoft.com: http://technet.microsoft.com/en-us/library/cc816907(WS.10)
Microsoft. (2014). BitLocker Drive Encryption Overview. Retrieved June 10, 2014, from windows.microsoft.com: http://windows.microsoft.com/en-ie/windows-vista/bitlocker-drive-encryption-overview
Microsoft. (n.d.). Lite-Touch, High Volume Deployment. Retrieved June 15, 2013, from technet.microsoft.com: http://technet.microsoft.com/en-us/library/dd919179(v=ws.10).aspx
Minasi, M. (2008, May 28). Go Commando with Windows Server 2008's Server Core. Retrieved July 10, 2014, from windowsitpro.com: http://windowsitpro.com/windows/go-commando-windows-server-2008-s-server-core
Morimoto, R. (2012, October 10). Installing Windows Server 2008 and Server Core. Retrieved July 10, 2014, from informit.com: http://www.informit.com/articles/article.aspx?p=1947698&seqNum=5
Oh, D. (2013, September 13). The Differences Between MBR and GPT. Retrieved July 14, 2014, from maketecheasier.com: http://www.maketecheasier.com/differences-between-mbr-and-gpt/
Paul, I. (2014, May 30). A beginner's guide to BitLocker, Windows' built in encryption tool. Retrieved June 11, 2014, from pcworld.com: http://www.pcworld.com/article/2308725/a-beginners-guide-to-bitlocker-windows-built-in-encryption-tool.html
Petri, D. (2008, January 8). Delete Failed DCs from Active Directory. Retrieved July 13, 2014, from petri.com: http://www.petri.com/delete_failed_dcs_from_ad.htm
Rodriguez, M. (2011, March 2). How to Choose the Right Windows 7 Deployment Strategy. Retrieved June 6, 2014, from blog.pluralsight.com: http://blog.pluralsight.com/windows-7-deployment-strategy
Shuler, J. (2012, September 4). Locking down a Virtual Machine with BitLocker. Retrieved June 11, 2014, from shulerent.com: http://www.shulerent.com/2012/09/04/locking-down-a-virtual-machine-with-bitlocker/
Silva, P. d. (2008, January 29). Step-by-Step guide to Redirect Users Documents to Server Folder. Retrieved July 11, 2014, from padmandesilva.wordpress.com: http://padmandesilva.wordpress.com/2008/01/29/step-by-step-guide-to-redirect-users-%E2%80%9Cmy-documents%E2%80%9D-to-server-folder-and-implement-disk-quota/
Techtopia. (2011, April 1). Mirroring Windows Server 2008 GPT and MBR Boot and System Disks. Retrieved July 10, 2014, from techtopia.com: http://www.techotopia.com/index.php/Mirroring_Windows_Server_2008_System_Disks
Tulloch, M. (2008). Windows Server 2008 Server Core Administrator's Pocket Consultant. Microsoft Press.
Warren, S. (2008, April 29). How do I install and configure a DHCP server in Windows Server 2008? Retrieved July 13, 2014, from techrepublic.com: http://www.techrepublic.com/blog/the-enterprise-cloud/how-do-i-install-and-configure-a-dhcp-server-in-windows-server-2008/
Wiki. (2014). Active Directory. Retrieved July 14, 2014, from wikipedia.org: http://en.wikipedia.org/wiki/Active_Directory
Wiki. (2014). RAID. Retrieved July 14, 2014, from wikipedia.org: http://en.wikipedia.org/wiki/RAID
Windows. (2008). Differences Between the Editions of Windows Server 2008. Retrieved July 9, 2014, from social.technet.com: http://social.technet.microsoft.com/wiki/contents/articles/3556.differences-between-the-editions-of-windows-server-2008.aspx