In this situation, the default settings of the Web Server template are not suitable because they do not allow the private key to be exported. We therefore configure a new certificate template that duplicates this template, so that it has the same characteristics as the original but permits the private key to be exported.
This section walks you through the deployment of the federation server on the ADFS1 computer, using the following steps. The certificate should have the following attributes.
Note: If you have not configured a new certificate template (see the optional section on configuring an appropriate certificate template for the SSL certificate), the default Web Server template applies. We will later need the thumbprint of the newly issued certificate. The command output should look like this: Message: The configuration completed successfully. Context: DeploymentSucceeded. Status: Success. The following subsections describe each of these steps in the context of our test lab environment. We previously modified Group Policy settings so that our test user accounts can log on locally on member servers.
We now need to apply the modified Group Policies. The expected output is: Computer Policy update has completed successfully. User Policy update has completed successfully. In addition, we need to add our test user accounts to the local Remote Desktop Users group so that they can open a Remote Desktop session on the virtual machine in Azure.
To add the test user accounts to the local Remote Desktop Users group, proceed with the following steps. To configure the browser settings accordingly on the EDGE1 computer, proceed with the following steps. If your browser displays the federation service metadata without any SSL errors or warnings, your federation server is operational.
This displays the AD FS sign-in page, where you can sign in with domain credentials. Click Sign in to verify that the user is authenticated seamlessly through Windows Integrated Authentication. The default web site requires an SSL server certificate.
The certificate MUST have the following attributes. You can instead use an SSL certificate issued by a public certification authority.
The exact method depends on the chosen public certification authority; refer to its instructions. To issue the SSL certificate with the test lab certification authority, proceed with the following steps. Note: If you have not previously configured a new certificate template (see the optional section above), the default Web Server template applies.
To install and configure the Web Application Proxy role service, proceed with the following steps. When prompted, enter the following credentials in the dialog and click OK. To verify that you can successfully authenticate against the federation server from the Internet, proceed with the following steps. Note: If the SSL certificate used in the configuration has not been issued by a public certification authority, you will need to add the test lab certification authority root certificate (LitwareADFS1-CA) to the Trusted Root Certification Authorities store of the user's account. Do this only on test machines: a trusted root certificate lets its issuer vouch for any site name, so a lab CA root should never be distributed to production clients.
As before, this displays the AD FS sign-in page, where you can sign in with domain credentials. To add Windows Firewall exceptions for the SQL Server ports, while still logged on to the SQL1 computer in the previous Remote Desktop session, open an elevated Windows PowerShell prompt if none is open, and run the following command:
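The firewall step above, written out as an added example (this is not the command from the original guide). It assumes a default SQL Server instance on TCP 1433, the SQL Browser service on UDP 1434, and an intranet subnet of 10.0.1.0/24 for the servers that need database access; adjust those values to your lab. The rules are scoped to that subnet rather than to any remote address, because SQL1 has no reason to accept database connections from the edge subnet or the Internet.

```powershell
# Added example: open the SQL Server ports on SQL1 with the NetSecurity module
# (Windows Server 2012 and later). Port numbers and subnet are assumptions.

$IntranetSubnet = '10.0.1.0/24'   # assumption: subnet holding ADRMS1, ADFS1 and DC1

$rules = @(
    @{ Name = 'SQL Server (TCP 1433)';  Protocol = 'TCP'; Port = 1433 },
    @{ Name = 'SQL Browser (UDP 1434)'; Protocol = 'UDP'; Port = 1434 }
)

foreach ($r in $rules) {
    # Idempotent: re-running the script must not create duplicate rules.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $IntranetSubnet `
            -Profile Domain | Out-Null
    }
}

# Verify: show each rule with its port and remote-address filters, so that a rule
# accidentally created with RemoteAddress = Any is visible at a glance.
Get-NetFirewallRule -DisplayName 'SQL*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
}
```

If you use a named instance, SQL Server listens on a dynamic port unless you fix one in SQL Server Configuration Manager; in that case replace 1433 with the configured port and keep the UDP 1434 rule so clients can locate the instance.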
The role was added as part of the base configuration. To provide high availability for the cluster, you must install additional cluster members. Setting properties on objects in the drive namespace is similar to using a wizard to specify configuration settings when installing a server role. This may take a few minutes. Note: We choose to protect the AD RMS cluster key with this option because it simplifies the configuration and does not require additional components. In a production deployment, protecting the cluster key with a cryptographic service provider, and ideally a hardware security module, is the more defensible choice, since the cluster key is the root of trust for everything the cluster protects.
You should use a certificate provided by a third-party public certification authority (CA) so that it is automatically trusted by all parties. This certificate should already be installed on the server so that you can select it as you proceed through the installation.
As noted at the beginning of this document, this object is not used by the Mobile Device Extension. However, since such an object is typically registered in an AD RMS deployment, we do the same here.
It must be removed before you can establish the new SCP. Do you want to continue? To finalize the configuration of the newly installed AD RMS root cluster and fulfil the prerequisites of the Mobile Device Extension, proceed with the following steps. However, there are the following problems with the site's security certificate: the name of the security certificate is not valid or does not match the name of the site (this warning means the name typed in the browser is not one of the names in the certificate).
The console opens. From the console, you can configure trust policies, configure exclusion policies, and create rights policy templates. The base configuration is now complete, with all the dependencies in place for the Mobile Device Extension. It is based on the "on-premises" test lab environment deployed in Azure as described in the previous sections.
This environment satisfies all the prerequisites for the Mobile Device Extension. Value. For Android devices: For iPhone and iPad devices: For Mac devices: For Windows Phone devices: For Windows RT devices: As covered at the beginning of this document, we must create one or more DNS SRV records in the organization's domain or domains:
For the former, since our fictitious organization litware ... Host offering this service. For the latter, in the chosen test topology for our test lab, i.e. ... This record has the following value: For illustration purposes, we use the GoDaddy registrar in our Azure-based test lab environment.
In our illustration with GoDaddy ... For our litware ... The Azure-based test lab environment uses a split-brain DNS configuration. The above records therefore resolve correctly whatever network the device is connected to. For organizations that do not use such a DNS configuration, the optional next section illustrates how to declare these records locally. To create the discovery record in the local DNS on the DC1 computer, proceed with the following steps. In our test lab environment's configuration, all the instructions below should be performed on the ADRMS1 computer.
Installing the Mobile Device Extension requires downloading a file from the Internet, which must therefore be allowed. To publish the Mobile Device Extension endpoints over the Internet, proceed with the following steps. At this point, the semi-automated guided construction of the Azure-based test lab environment is complete. It lets you easily test the Mobile Device Extension endpoints from any supported device connected to the Internet, thanks to the publication of the related endpoints described above.
This section provides troubleshooting information for the Mobile Device Extension in your own Azure-based test lab environment. If you run into specific issues when testing the Mobile Device Extension, you can turn on logging and then check the mobile device logs in the AD RMS database. Once logging is on, every call to the Mobile Device Extension is recorded in the Mobile Device Extension logs to help you troubleshoot and resolve the issue.
The Mobile Device Extension provides the following two tables to help investigate and troubleshoot client issues. Each table is described by field name, data type and example value.

The client trace log table contains the following fields:
- GUID of the trace entry. This helps in troubleshooting client issues.
- User who made the request. The user's email address identifies the user.
- Free-form text that contains the message for the trace entry.
- Identifier that ties together the set of operations happening on the same thread.
- Type of the message of the trace entry. Supported types are Error, Warning and Info.
- Correlation identifier of the server call. If the trace entry is not a call to the server, this is empty.
- GUID that identifies the client scenario the trace entry was written under. A client scenario covers zero or more calls to the server.
- Time of the entry. The source is the local clock on the server that served the call.

The Client Performance Log table in the AD RMS database contains, as its name indicates, the performance logs, to help understand the experience end users are having when using their mobile devices with RMS-enlightened applications. It contains the following fields:
- UTC date and time, in 24-hour format, at which the trace entry was written.
- Name of the operation. Operations serve two purposes.
  Operations can represent client scenarios, which cover zero or more calls to the server (such as Consume or Protect), and they can represent a specific call to the server.
  When an operation represents a specific call to the server, the ClientCorrelationId field is set. When it represents a client scenario, the ClientCorrelationId is empty (see below). In both cases, the ClientScenarioId field is set.
- Time it took to complete the operation, in milliseconds.
- Placeholder for future network information from the RMS client.
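The scenario/call relationship described above is what you actually use when reading the performance log: a scenario row (ClientCorrelationId empty) should account for the server calls (ClientCorrelationId set) that share its ClientScenarioId. The following is an added example, not part of the original guide, that rebuilds that picture from log rows. Only ClientScenarioId and ClientCorrelationId are named in the guide; TimestampUtc, UserEmail, OperationName and DurationMs are assumed column names, and the rows are constructed sample data rather than real cluster output, so check the real schema (for instance with Invoke-Sqlcmd and a SELECT TOP 1 * on the table) before pointing this at a database.

```powershell
# Added example: correlate Client Performance Log rows into per-scenario reports.
# Column names other than ClientScenarioId/ClientCorrelationId are assumptions;
# the rows are constructed for the demo.

$scenarioA = '3f7c1b2e-1111-4c2d-9e0a-000000000001'
$scenarioB = '3f7c1b2e-2222-4c2d-9e0a-000000000002'

$rows = @(
    # Scenario entry: ClientCorrelationId empty; it spans the calls below.
    [pscustomobject]@{ TimestampUtc='2014-09-01 10:00:00'; UserEmail='janets@example.com'; OperationName='Protect'; ClientScenarioId=$scenarioA; ClientCorrelationId=''; DurationMs=1450 }
    # Individual server calls inside scenario A: ClientCorrelationId set.
    [pscustomobject]@{ TimestampUtc='2014-09-01 10:00:00'; UserEmail='janets@example.com'; OperationName='GetTemplates'; ClientScenarioId=$scenarioA; ClientCorrelationId='c-001'; DurationMs=380 }
    [pscustomobject]@{ TimestampUtc='2014-09-01 10:00:01'; UserEmail='janets@example.com'; OperationName='AcquirePublishingLicense'; ClientScenarioId=$scenarioA; ClientCorrelationId='c-002'; DurationMs=910 }
    # Scenario B has a call but no scenario entry (client crashed or went offline).
    [pscustomobject]@{ TimestampUtc='2014-09-01 10:05:00'; UserEmail='roberth@example.com'; OperationName='AcquireEndUserLicense'; ClientScenarioId=$scenarioB; ClientCorrelationId='c-003'; DurationMs=2200 }
)

function Get-ScenarioReport {
    param([Parameter(Mandatory)][object[]]$LogRows)
    $LogRows | Group-Object ClientScenarioId | ForEach-Object {
        $scenario = $_.Group | Where-Object { -not $_.ClientCorrelationId } | Select-Object -First 1
        $calls    = @($_.Group | Where-Object { $_.ClientCorrelationId })
        $callMs   = [int](($calls | Measure-Object DurationMs -Sum).Sum)
        [pscustomobject]@{
            ClientScenarioId = $_.Name
            User             = ($_.Group | Select-Object -First 1).UserEmail
            Scenario         = if ($scenario) { $scenario.OperationName } else { '<missing scenario entry>' }
            ScenarioMs       = if ($scenario) { $scenario.DurationMs } else { $null }
            CallCount        = $calls.Count
            CallMs           = $callMs
            # Time not spent inside server calls: client-side work or network latency.
            ClientOverheadMs = if ($scenario) { $scenario.DurationMs - $callMs } else { $null }
            Calls            = ($calls | ForEach-Object { "$($_.OperationName)=$($_.DurationMs)ms" }) -join '; '
        }
    }
}

Get-ScenarioReport -LogRows $rows | Sort-Object ScenarioMs -Descending | Format-Table -AutoSize
```

A scenario whose ClientOverheadMs dominates points at the device or the network path through the proxy; a scenario with calls but no scenario entry is a client that never finished, which is usually the more interesting case when a user reports "the app just hung".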
This field is currently always empty. User Account Control (UAC) will prompt for permission to continue during several of the configuration tasks described in this guide. In all cases you can click Continue in the UAC dialog box to grant this permission, or you can use the following procedure to change the UAC elevation prompt behaviour for administrators. Disabling the prompt removes the consent step that UAC provides, so do this only on disposable test lab machines. To set the UAC behaviour of the elevation prompt for administrators, proceed with the following steps:
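The Local Security Policy steps above write a single registry value, so the same change can be scripted and, more importantly, reverted. This is an added example, not part of the original guide. The value ConsentPromptBehaviorAdmin under the Policies\System key holds the "Behavior of the elevation prompt for administrators in Admin Approval Mode" setting; 0 is "Elevate without prompting" and 5 is the Windows default ("Prompt for consent for non-Windows binaries").

```powershell
# Added example: set and restore the UAC elevation prompt behaviour for
# administrators. With value 0, any process running under an Administrators
# member silently receives the full token, so use it on lab VMs only.

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-AdminElevationPrompt {
    (Get-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin).ConsentPromptBehaviorAdmin
}

function Set-AdminElevationPrompt {
    # 0 elevate without prompting, 1 credentials (secure desktop), 2 consent (secure
    # desktop), 3 credentials, 4 consent, 5 consent for non-Windows binaries (default).
    param([Parameter(Mandatory)][ValidateSet(0,1,2,3,4,5)][int]$Behavior)
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value $Behavior -Type DWord
}

$before = Get-AdminElevationPrompt
Set-AdminElevationPrompt -Behavior 0          # lab only: "Elevate without prompting"
"ConsentPromptBehaviorAdmin: $before -> $(Get-AdminElevationPrompt)"

# When the lab work is done, put the default back:
# Set-AdminElevationPrompt -Behavior 5
```

The change takes effect for new elevation requests immediately; no reboot is needed. Keep EnableLUA at 1: turning UAC off entirely also disables Admin Approval Mode and Internet Explorer's protected mode, which is a much larger change than suppressing the prompt.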
To simulate an Android device, you can create a Linux virtual machine on Hyper-V on your local machine that fully emulates an Android device, thanks to the open-source Android-x86 project. Cloud References. Introduction: Every day, information workers use email messages to exchange sensitive information such as financial reports and data, legal contracts, confidential product information, sales reports and projections, competitive analysis, research and patent information, customer records, employee information, and so on.
Organization of this paper: To cover the aforementioned objectives, this document is organized in the following four sections: Overview of the Mobile Device Extension. Building a test lab environment. Use the RMS sharing app to consume protected text files in different formats, including ...
Use the RMS sharing app to consume protected image files, including ... Use the RMS sharing app to open any file that has been generically protected. Use other apps from software vendors who provide RMS-enlightened apps that support file types with native RMS support. Android phones and tablets: minimum version Android 4. Windows Phone.
Windows Phone: minimum version Windows Phone 8. Windows RT tablets: Windows 8 RT, Windows 8. The fully qualified name of the exception that caused the error. A descriptive message that explains the error. For the initial domain resolution, the user specifies their email address in the app. The RMS client queries the DNS service for the service discovery record that corresponds to the user's email domain suffix.
The steps of the authentication process are explained in that section. Once the client has obtained an access token, it passes the token to the service discovery URL against which it tried to authenticate. The service discovery endpoint returns a list of rights management services (publishing license, end-user license and templates) and the corresponding endpoint URLs. These endpoints may be in the same RMS cluster, i.e. ...
This may be done where licensing-only clusters are deployed in the environment to handle different groups of users. The client contacts the URLs obtained in the previous step in order to obtain the templates from the service, and then the publishing license (PL). The client authenticates and acquires the PL in one operation. The RAC identifies a user in the context of a specific computer or device.
Consequently, there is no machine certificate either. The client builds the policy and gets the PL from the server. There is no CLC. This URL is specified in the publishing license. The steps in this authentication process are explained in that section. Once the client has obtained an access token, it passes the token to the service discovery URL against which it tried to authenticate.
The service discovery endpoint returns the list of rights management services (publishing license, end-user license and templates) and the corresponding endpoint URLs in the response, as described before. This may be done where Trusted Publishing Domains are exchanged between RMS clusters so that one cluster handles the load for some or all users for content protected in another cluster.
The RMS client then calls the endpoint discovered previously, passing the access token, in order to acquire an end-user license (EUL) to open the content.
There is no SLC. The client authenticates and acquires the EUL in one operation. There is neither a RAC nor a machine certificate. The RMS service determines that authentication has not happened yet.
It returns an OAuth 2.0 authentication challenge. In accordance with the OAuth 2.0 authorization code flow, the app calls the AD FS authorization endpoint. This call comprises the service endpoint the app wants to access, an app client identifier, and an app redirection URI in accordance with the RFC. The app gets the authorization code, and then posts to the AD FS token endpoint to get an access token, passing the app client identifier, the redirection URI (this only has to match what was sent previously; it is not used as a redirect) and the authorization code received in the previous step.
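The exchange just described, performed by hand against the AD FS farm, as an added example that is not part of the original guide and not the RMS client's own code. AD FS on Windows Server 2012 R2 exposes the authorization endpoint at /adfs/oauth2/authorize and the token endpoint at /adfs/oauth2/token; everything else below is an assumption: the AD FS host name, the client identifier (which must have been registered in AD FS with Add-AdfsClient), the redirect URI registered for it, and the relying party identifier used as the resource.

```powershell
# Added example: OAuth 2.0 authorization code flow against AD FS, step by step.
# Host, client id, redirect URI and resource are assumptions for the demo.

$AdfsHost    = 'adfs.example.com'
$ClientId    = 'rms-test-app'                  # assumption: registered with Add-AdfsClient
$RedirectUri = 'https://localhost/rmscallback'  # assumption: the URI registered for that client
$Resource    = 'https://api.example.com'        # assumption: the relying party identifier

function Get-AuthorizeUrl {
    # Step 1: the URL the app opens in a browser. AD FS authenticates the user and
    # sends ?code=...&state=... back to $RedirectUri. Keep $State and compare it on
    # return: a mismatch means the response was not for the request you issued.
    param([string]$State = [guid]::NewGuid().ToString())
    $q  = @{ response_type = 'code'; client_id = $ClientId; redirect_uri = $RedirectUri
             resource = $Resource; state = $State }
    $qs = ($q.GetEnumerator() | ForEach-Object { "$($_.Key)=$([uri]::EscapeDataString($_.Value))" }) -join '&'
    "https://$AdfsHost/adfs/oauth2/authorize?$qs"
}

function Get-AccessToken {
    # Step 2: redeem the code. redirect_uri must match step 1 byte for byte; AD FS
    # only compares it here, it does not redirect. The code is single-use.
    param([Parameter(Mandatory)][string]$Code)
    $body = @{ grant_type = 'authorization_code'; client_id = $ClientId
               redirect_uri = $RedirectUri; code = $Code }
    Invoke-RestMethod -Method Post -Uri "https://$AdfsHost/adfs/oauth2/token" `
        -Body $body -ContentType 'application/x-www-form-urlencoded'
}

function Invoke-RmsCall {
    # Step 3: present the bearer token. A 401 carrying a WWW-Authenticate header is
    # the service saying the token was rejected (expired, wrong audience); surface
    # the header instead of retrying blindly.
    param([Parameter(Mandatory)][string]$Uri, [Parameter(Mandatory)][string]$AccessToken)
    try {
        Invoke-WebRequest -Uri $Uri -Headers @{ Authorization = "Bearer $AccessToken" } -UseBasicParsing
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 401) {
            Write-Warning ('401 challenge: ' + $resp.Headers['WWW-Authenticate'])
        }
        throw
    }
}

# Interactive usage: open the URL in a browser, sign in, copy the code from the
# redirected URL, then redeem it and call the service discovery URL found via DNS.
Get-AuthorizeUrl
# $token = Get-AccessToken -Code '<code from the redirect>'
# Invoke-RmsCall -Uri '<service discovery URL>' -AccessToken $token.access_token
```

The access token is a bearer token: anyone holding it can call the service as that user until it expires, which is why the RMS client only ever sends it over TLS and why the certificate checks in the earlier sections are not optional.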
The RMS service validates the access token and, if authorized, responds to the request appropriately. Create the test lab environment and perform your testing and demonstration as quickly as possible. However, you should start your virtual machines in a specific order. Installing Azure PowerShell: Open a browser and navigate to the Azure Downloads page. When prompted to run or save the ... A User Account Control dialog appears.
Click Yes. This launches the Web Platform Installer 5. Click Install and follow the online instructions to complete the installation. Click I Accept. The package is downloaded and installed.
Type the email address and click Continue. You are redirected to a Sign In page. Type the password associated with your account and click Sign in. Azure authenticates you, saves the credential information, and then closes the dialog. A message states that your subscription is now selected as the default subscription. Once connected to your default subscription, you can use the built-in help system to list the cmdlets in the Azure PowerShell module and get help about them.
To list the available cmdlets, run the following command. Open an elevated Azure PowerShell command prompt, and run the following command:
If the value returned is anything other than RemoteSigned, change it to RemoteSigned (the execution policy prevents accidental execution of unsigned downloaded scripts; it is not a security boundary). If the WinRM service isn't running, start it with the following command. If you started the WinRM service in step 2, run the following command to stop it. Connect to the Internet to install updates and access Internet resources in real time.
Remotely manage them using Remote Desktop connections from your computer, whether it is connected to the Internet or to your organization's network. Create snapshots so that you can easily return to a desired configuration for further learning and experimentation.
A first subnet ... It is separated from a second subnet that hosts the corporate intranet resources. The computer on the first subnet is EDGE1. A second subnet ... Download the script New-TestLabEnvironment.
Enter your email address and click Continue. Type the password associated with your Azure trial subscription account and click Sign in. You should now be connected to your default subscription.
Run the following command to deploy the base workloads in your subscription. A Windows PowerShell credential request dialog appears. Provide the administrator credentials you want to use. Throughout this walkthrough we use "AzureAdmin" for the username and "pass word1" for the password; this is a lab credential, never reuse it outside the lab. Create an affinity group with which to associate all the workloads to be deployed.
Create a storage account to store the VHDs of the workloads as blobs. This action upgrades the AD DS schema as part of the domain controller creation. SQL Server will be installed later on this machine. The default web site on this machine will later be referred to as www. ... Sign in to your Azure subscription with your administrative credentials. Click Open.
A Remote Desktop Connection dialog appears. Check Don't ask me again for connections to this computer and click Connect. Another Remote Desktop Connection dialog appears. Check Don't ask me again for connections to this computer and click Yes. (The second dialog is the certificate warning; suppressing it is acceptable for lab machines you just created, not as a general habit.)
In the console tree, select DC1. On the Action menu, click Properties. The DC1 Properties dialog appears. Select the Forwarders tab. Ensure that Use root hints if no forwarders are available is checked. From the above Windows PowerShell command prompt, type the following command to validate resolution using the root hints:
Open an elevated Windows PowerShell command prompt and run the following command to add an A record for adfs. If the key has not been created (the output displays no information), run the following command to create it. The groups and their email addresses are: Group Name: Finance; Email Address: finance ... litware ... From the previous elevated Windows PowerShell command prompt, run the following command to create the various groups.
Run the following command to add email addresses to the group objects. Run the following command to add the user accounts to their appropriate groups. Open an elevated command prompt if none is open, and run the following command. Double-click the name of the forest, double-click Domains, and double-click the name of the domain. Right-click Default Domain Policy, and then click Edit. A Group Policy Management Editor window opens. In the details pane, double-click Allow log on locally.
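The three group commands above (create the groups, set their email addresses, add the test users) as one script, added here as an example that is not the guide's own code. The guide's group table and email domain are only partly visible, so the email domain, the second group and the container path are assumptions; the user names janets and roberth are the ones the guide uses.

```powershell
# Added example: create mail-enabled security groups for the RMS test users.
# Domain suffix, group list beyond Finance, and target container are assumptions.

Import-Module ActiveDirectory

$Domain  = 'example.com'                                   # assumption: stands in for the litware suffix
$GroupOu = 'CN=Users,' + (Get-ADDomain).DistinguishedName  # assumption: default container

# Constructed table mirroring the guide's "Group Name / Email Address" table.
$groups = @(
    @{ Name = 'Finance'; Mail = "finance@$Domain"; Members = @('janets') }
    @{ Name = 'Sales';   Mail = "sales@$Domain";   Members = @('roberth') }   # assumed second row
)

foreach ($g in $groups) {
    $grp = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -ErrorAction SilentlyContinue
    if (-not $grp) {
        # Universal scope so that group expansion works across domains in the forest.
        $grp = New-ADGroup -Name $g.Name -SamAccountName $g.Name -GroupScope Universal `
                           -GroupCategory Security -Path $GroupOu -PassThru
    }
    # RMS identifies users and groups by e-mail address, so mail must be populated.
    # -Replace overwrites the attribute; -Add would append a second value.
    Set-ADGroup -Identity $grp -Replace @{ mail = $g.Mail }
    Add-ADGroupMember -Identity $grp -Members $g.Members
}

# Verify the result the way the RMS service will see it: mail attribute plus members.
Get-ADGroup -Filter 'mail -like "*"' -Properties mail |
    Select-Object Name, mail,
        @{ n = 'Members'; e = { (Get-ADGroupMember $_ | Select-Object -ExpandProperty SamAccountName) -join ',' } }
```

Run this on DC1 (or any machine with the RSAT AD DS tools) as a domain administrator; it is safe to re-run, because existing groups are reused rather than recreated.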
Check Define these policy settings, and then click Add User or Group. An Add User or Group dialog appears. Under Enter the object names to select, type "janets; roberth; administrators", click Check Names, and then click OK.
Close the Group Policy Management Editor window. Configuring an appropriate certificate template for the SSL certificate (optional). The Certification Authority console opens. Right-click Certificate Templates and then click Manage. The Certificate Templates console opens. In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template.
A Properties of New Template dialog appears. On the Request Handling tab, check Allow private key to be exported; making the key exportable is the reason for duplicating the template, as explained earlier. On the Security tab, we must ensure that the domain computer accounts have the ability to enroll for the template. To do so, click Add. Click Check Names, and then click OK. Ensure that the group is selected and then select the Allow checkbox that corresponds to the Enroll permission.
Under Template display name, type a name that you want to use for the template, for example "SSL Certificates" in our configuration. Close the Certificate Templates console and return to the Certification Authority console. In the console tree of the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
An Enable Certificate Templates dialog appears. Open an elevated Windows PowerShell command prompt, and run the following command. Verify that the SSL certificate has been imported by running the following command. Open an elevated Windows PowerShell command prompt if none is open, and run the following command.
Open an elevated Windows PowerShell command prompt, and run the following command to add Janet Schorr to the local group:
Run the following command to add Robert Hatley to the local group. An Internet Options dialog appears. Click the Security tab, select the Local intranet zone, and then click Sites. A Local intranet dialog appears. Click Advanced. A Trusted sites dialog appears. You should replace litware ... Click Close, and then click OK. Verify that the security level for the zone is set to the default of Medium-low, which enables Windows Integrated Authentication for the intranet zone.
Click OK to close the Internet Options dialog. Open a browser on ADFS1 and navigate to the federation service metadata endpoint, for example in our configuration: ... You can alternatively navigate to the metadata exchange endpoint, which offers an XML service description: ... You can also navigate to the AD FS sign-in page, for example in our configuration: ... Open an elevated Windows PowerShell command prompt if none is open, and run the following command to add an SSL binding to the Default Web Site:
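The certificate steps above (request from the duplicated template, confirm the import, note the thumbprint, bind HTTPS on the default web site) as one script. This is an added example, not the guide's own commands. It assumes the enterprise CA is online, that the template name without spaces is SSLCertificates (Get-Certificate takes the template name, not the display name), and that the site is published under the host name given below; adjust -DnsName to your configuration.

```powershell
# Added example: enrol the SSL certificate, check that its private key is exportable,
# and bind it to the Default Web Site on port 443. Names are assumptions.

Import-Module PKI
Import-Module WebAdministration

$SiteFqdn = 'www.example.com'    # assumption: published name of the default web site
$Template = 'SSLCertificates'    # assumption: template name of "SSL Certificates"

function Request-SiteCertificate {
    # Machine-context enrolment; the computer account needs Enroll on the template
    # (the Security tab step above). Returns the issued X509Certificate2.
    $req = Get-Certificate -Template $Template -DnsName $SiteFqdn -SubjectName "CN=$SiteFqdn" `
                           -CertStoreLocation Cert:\LocalMachine\My
    if ($req.Status -ne 'Issued') { throw "Enrollment did not complete: status $($req.Status)" }
    $req.Certificate
}

function Test-PrivateKeyExportable {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Reflects the template's "Allow private key to be exported" setting.
    $Cert.HasPrivateKey -and $Cert.PrivateKey.CspKeyContainerInfo.Exportable
}

$cert = Request-SiteCertificate
"Thumbprint: $($cert.Thumbprint)  PrivateKeyExportable: $(Test-PrivateKeyExportable $cert)"

# HTTPS binding on 443, then attach the certificate through the IIS: drive.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$cert | New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Verify which certificate now sits behind port 443.
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress, Port, Thumbprint
```

If Test-PrivateKeyExportable returns False, the certificate came from the original Web Server template rather than the duplicate, and you will not be able to move it to the Web Application Proxy server later; re-enrol against the right template rather than trying to work around it.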
Open a browser on your local computer and navigate to the AD FS sign-in page, for example in our configuration: ... Click Sign in to verify that you can successfully be authenticated. Enter the following credentials and then click Sign in. Right-click the taskbar and select Task Manager. In Task Manager, from the File menu, select Run new task. A Connect to Server dialog appears.
Right-click and select New Login. A Login - New dialog appears. For Login name, click Search. A Select User or Group dialog appears. A Windows Security dialog appears. Type "AzureAdmin" for the account name with "pass word1" as the password and click OK. Back in Login - New, in the navigation pane, select Server Roles. Under Server roles, check sysadmin (this grants full control of the SQL Server instance; acceptable for the lab, not a production practice). While still logged on to the SQL1 computer in the previous Remote Desktop session, in Task Manager, from the File menu, select Run new task, type the following to open the Services console, and then click OK:
Right-click and select Properties. Run the following command to create a Windows PowerShell drive that represents the server we are provisioning. Run the following command to securely store the cluster key password string in a variable and assign it to the AD RMS installation. Run the following command to register the service connection point (SCP). Repeat step 2 with adrms1, adfs1, sql1, and then dc1.
Click Yes. Once all the allocated resources have been deallocated, the status of the VMs changes to Stopped (Deallocated). Repeat step 5 in order with sql1, adrms1, and edge1. An issuance transform rule that sources from AD DS and passes through the following claims for the authenticated user: ... An issuance authorization rule that permits the issuance of the above claims for all users. Open a Windows PowerShell command prompt and run the following command to create the relying party trust named api.
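The relying party trust described above, with the two rule sets, as an added example that is not the guide's own command. The AD FS cmdlets ship in the ADFS module on Windows Server 2012 R2. Assumptions: the trust identifier is the Mobile Device Extension API URL (the guide names the trust "api" but the full URL is not visible here, so a placeholder is used), and the claims passed through from AD DS are the user's email address and UPN; the guide's claim list is not visible, so adjust the types and the LDAP query to match it.

```powershell
# Added example: relying party trust "api" with an LDAP issuance transform rule and
# an allow-all authorization rule. Identifier and claim list are assumptions.

Import-Module ADFS

$Name       = 'api'
$Identifier = 'https://api.example.com'   # assumption: Mobile Device Extension endpoint URL

# Issuance transform rule: look the authenticated user up in AD DS and issue the
# requested attributes as claims. {0} is replaced by the windowsaccountname value.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Pass through AD DS attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule: the guide's "permit all users" rule. Outside a lab,
# scope this to a group claim instead of permitting everyone who can authenticate.
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Recreate rather than duplicate if the script is run twice.
if (Get-AdfsRelyingPartyTrust -Name $Name) { Remove-AdfsRelyingPartyTrust -TargetName $Name }

Add-AdfsRelyingPartyTrust -Name $Name -Identifier $Identifier `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authRules

# Verify what AD FS stored; the rule text is returned verbatim.
Get-AdfsRelyingPartyTrust -Name $Name |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

Run this on ADFS1 as an AD FS administrator. Because the identifier is what the token's audience is checked against, it must be exactly the URL the Mobile Device Extension presents as its resource when it challenges the client.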
From the previous Windows PowerShell command prompt, run the following command(s). One record for each email domain suffix that users will use, for example litware ... A Sign in dialog appears.
Enter your credentials and click Sign In. On the Domains page, find the domain name in which the service discovery records should be added, in our case litware ... The Domain Details page opens in a new tab in your browser. Click Add Record. An Add Zone Record dialog opens. Scroll down to SRV (Service). You should see the two newly added SRV records. Open an elevated Windows PowerShell command prompt if none is open, and run the following commands:
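The local-DNS variant of the discovery record, for organizations that do not use the split-brain configuration described earlier, as an added example that is not the guide's own command. The record name _rmsdisco._http._tcp under each email domain suffix, pointing at the host that serves the Mobile Device Extension on port 443, is the one the extension's documentation specifies; it is not shown on this page. The zone name and target host below are assumptions, because the guide's domain suffix is only partly visible.

```powershell
# Added example: create and verify the RMS discovery SRV record on the DC1 DNS server.
# Zone and target host are assumptions for the demo.

Import-Module DnsServer

$Zone   = 'example.com'         # assumption: the users' e-mail domain suffix
$Target = 'adrms.example.com'   # assumption: public name of the extension endpoint

function Add-RmsDiscoveryRecord {
    param([Parameter(Mandatory)][string]$ZoneName, [Parameter(Mandatory)][string]$TargetHost)
    $name = '_rmsdisco._http._tcp'
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType Srv -ErrorAction SilentlyContinue
    if (-not $existing) {
        # Port 443 because the client only talks to the extension over HTTPS.
        Add-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -Srv `
            -DomainName $TargetHost -Port 443 -Priority 10 -Weight 10
    }
    Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType Srv
}

$rec = Add-RmsDiscoveryRecord -ZoneName $Zone -TargetHost $Target
$rec | Select-Object HostName,
    @{ n = 'Target'; e = { $_.RecordData.DomainName } },
    @{ n = 'Port';   e = { $_.RecordData.Port } }

# Check resolution the way the RMS client does it: SRV lookup for the e-mail domain
# suffix, then confirm the target host itself resolves.
$srv = Resolve-DnsName -Name "_rmsdisco._http._tcp.$Zone" -Type SRV
Resolve-DnsName -Name ($srv | Select-Object -First 1).NameTarget -Type A
```

Repeat the call for every email domain suffix your users sign in with; a user whose suffix has no record will get a discovery failure in the app before authentication even starts, which is worth remembering when troubleshooting with the trace log described earlier.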
From the previous Remote Desktop connection, open a command prompt and navigate to the location of the ... file. Run the following command to create a Windows PowerShell drive that represents the cluster hosted by the local computer. Supported message types are Error, Warning and Info. From the Start screen, type "secpol.msc". In the console tree, open Local Policies, and then click Security Options. Select Elevate without prompting in the list, and then click OK. HTTP 1. Robert Hatley.
Manual activation is suitable when you are deploying a small number of servers. Automatic activation is suitable when you are deploying larger numbers of servers. Manual Activation: With manual activation, you enter the product key, and the server contacts Microsoft. Alternatively, an administrator performs the activation over the phone or through a special clearinghouse website. You can perform manual activation from the Server Manager console by performing the following steps:
Click the Local Server node. In the Windows Activation dialog box, enter the product key, and then click Activate. If a direct connection to the Microsoft activation servers cannot be established, details are displayed about performing activation through a website from a device that has an Internet connection, or by using a local telephone number.
Because computers running the Server Core installation option do not have the Server Manager console, you can also perform manual activation using the slmgr.vbs script. Use slmgr.vbs with a retail product key or a multiple activation key. You can use a retail product key to activate only a single computer, whereas a multiple activation key has a set number of activations that you can use.
Using a multiple activation key, you can activate multiple computers up to a set activation limit. OEM keys are a special type of activation key provided to manufacturers; they allow automatic activation when a computer is first powered on.
This type of activation key is typically used with computers running client operating systems such as Windows 7 and Windows 8. OEM keys are rarely used with computers running server operating systems. Performing activation manually in large-scale server deployments can be cumbersome. Microsoft provides a method of activating large numbers of computers automatically without having to enter product keys on each system manually.
Automatic Activation: In previous versions of the Windows Server operating system, you could use the Key Management Service (KMS) to perform centralized activation of multiple clients. When you install the Volume Activation Services role, you can also configure Active Directory-based activation, which allows automatic activation of domain-joined computers. When you use KMS, each activated computer must periodically contact the KMS server to renew its activation status.
You can use the Volume Activation Management Tool (VAMT) to generate license reports and manage client and server activation on enterprise networks. Configuring a Server Core Installation: Performing post-installation configuration on a computer running the Server Core installation option can be daunting to administrators who have not performed the task before. Instead of GUI-based tools that simplify the post-installation configuration process, IT professionals must perform complex configuration tasks from a command-line interface.
The good news is that you can perform the majority of post-installation configuration tasks using the sconfig.cmd tool. Using this tool minimizes the possibility of making syntax errors with the more complicated command-line tools. To configure IP address information using sconfig.cmd: From a command prompt, run sconfig.cmd. Choose option 8 to configure Network Settings. Choose the index number of the network adapter to which you want to assign an IP address. Change Server Name: You can change a server's name using the netdom command with the renamecomputer option.
You can also change a server's name using sconfig.cmd: Choose option 2 to configure the computer name. Type the new computer name, and then press Enter. Joining the Domain: You can join a Server Core computer to a domain using the netdom command with the join option. For example, to join the adatum. ...
Note: Prior to joining the domain, verify that you are able to ping the DNS server by host name. To join a Server Core computer to the domain using sconfig.cmd: Choose the Domain option by typing D, and then press Enter. Type the name of the domain to which you want to join the computer. Type the name of an account that is permitted to join computers to the domain.
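The same three post-installation steps (IP configuration, server name, domain join), done with the Windows PowerShell cmdlets that are present on a Server Core installation, with the netdom equivalents in comments. This is an added example, not the course's own text; the adapter name, addresses, server name and the adatum domain details are assumptions for the demo.

```powershell
# Added example: Server Core post-installation in PowerShell. All values are assumptions.

$Adapter   = 'Ethernet'      # assumption: Get-NetAdapter shows the real interface alias
$IpAddress = '10.0.0.20'
$Prefix    = 24
$Gateway   = '10.0.0.1'
$DnsServer = '10.0.0.10'     # assumption: the domain controller
$NewName   = 'LON-SVR1'      # assumption
$Domain    = 'adatum.com'    # assumption: the course's adatum domain

# 1. IP configuration (sconfig option 8). Static address plus the DC as DNS server.
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IpAddress -PrefixLength $Prefix -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServer

# 2. The note above made explicit: prove DNS works before attempting the join, so a
#    DNS mistake fails here with a clear error instead of as "domain not found".
$dc = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop
Test-Connection -ComputerName ($dc | Select-Object -First 1).IPAddress -Count 1 -ErrorAction Stop | Out-Null

# 3. Rename and join in one step. Get-Credential prompts for the password instead of
#    leaving it in the command history; netdom's /passwordd:* does the same.
#    netdom equivalents:
#      netdom renamecomputer %COMPUTERNAME% /newname:LON-SVR1
#      netdom join LON-SVR1 /domain:adatum.com /userd:adatum\administrator /passwordd:*
$cred = Get-Credential -Message "Account permitted to join computers to $Domain"
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Restart
```

The script has to be run from an elevated prompt on the Server Core machine itself; after the restart, verify the result with Get-ComputerInfo or, on Windows Server 2012 R2, with (Get-CimInstance Win32_ComputerSystem).Domain.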
Type the password associated with that account. You can also install a Windows role or feature using the Install-WindowsFeature cmdlet. Not all features are available directly for installation on a computer running the Server Core installation option. You can add a role or feature that is not directly available by using the -Source parameter of the Install-WindowsFeature cmdlet.
You must specify a source location that hosts a mounted installation image containing the full version of Windows Server. You can mount an installation image using DISM.exe. If you do not specify a source path when installing a component that is not available and the server has Internet connectivity, Install-WindowsFeature attempts to retrieve the source files from Windows Update. To do this, choose option 12 from within sconfig.cmd. Note: You can add or remove the graphical components of the Windows Server operating system by using the Install-WindowsFeature cmdlet.
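The -Source procedure above as an added example (not the course's own commands): mount the installation image, install a feature whose payload has been removed from the Server Core disk, and unmount. The media path, mount directory and image index are assumptions; Get-WindowsImage lists the indexes in your own media, and the feature names used are the two that make up the graphical shell.

```powershell
# Added example: Install-WindowsFeature with a mounted install.wim as the source.
# Paths and index are assumptions for the demo.

$Wim   = 'D:\sources\install.wim'   # assumption: installation media
$Mount = 'C:\Mount'                  # assumption: an empty directory for the mounted image

# Which index holds the full (non-Core) installation? Pick it from this list.
Get-WindowsImage -ImagePath $Wim | Select-Object ImageIndex, ImageName

$Index = 4   # assumption: index of the full edition in this media
if (-not (Test-Path $Mount)) { New-Item -ItemType Directory -Path $Mount | Out-Null }
Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $Mount -ReadOnly

try {
    # InstallState "Removed" means the payload is absent and -Source is required.
    Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell |
        Select-Object Name, InstallState

    # The component store inside the mounted image is the source. The commented
    # form uses the wim: prefix and does not require mounting at all.
    Install-WindowsFeature -Name Server-Gui-Mgmt-Infra -Source "$Mount\Windows\WinSxS"
    # Install-WindowsFeature -Name Server-Gui-Mgmt-Infra -Source "wim:${Wim}:$Index"
}
finally {
    # Always unmount, even if the install throws; a stale mount blocks later DISM work.
    Dismount-WindowsImage -Path $Mount -Discard
}
```

Adding Server-Gui-Shell on top of Server-Gui-Mgmt-Infra requires a restart; pass -Restart to Install-WindowsFeature only after the image has been dismounted, which the try/finally above guarantees.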
You can also use dism.exe. Introduction to Windows PowerShell: Windows PowerShell is a command-line interface and task-based scripting technology built into the Windows Server operating system. It simplifies the automation of common systems administration tasks; by automating routine tasks, you leave yourself more time for the more difficult ones. In this lesson, you will learn about Windows PowerShell and why it is a critical piece of a server administrator's toolkit.
This lesson describes how to use Windows PowerShell's built-in discoverability features to learn how to use specific cmdlets and to find related cmdlets. Describe Windows PowerShell cmdlet syntax, and explain how to determine the commands associated with a particular cmdlet. Describe common Windows PowerShell cmdlets used to manage services, processes, roles and features. Explain how to use Windows PowerShell. What Is Windows PowerShell? Windows PowerShell is a scripting language and command-line interface designed to assist you in performing day-to-day administrative tasks.
Unlike other scripting languages that were initially designed for another purpose and later adapted for system administration tasks, Windows PowerShell was designed with system administration in mind.
An increasing number of Microsoft products, such as Exchange Server, have graphical interfaces that build Windows PowerShell commands. These products let you view the generated Windows PowerShell script so that you can execute the task later without completing all of the steps in the GUI again.
Being able to automate complex tasks simplifies a server administrator's job and saves time. You can extend Windows PowerShell functionality by adding modules. For example, the Active Directory module includes Windows PowerShell cmdlets that are specifically useful for Active Directory-related management tasks. Windows PowerShell includes features such as tab completion, which lets administrators complete commands by pressing the Tab key rather than typing the complete command.
Each noun has a collection of associated verbs, and the available verbs differ for each cmdlet noun. Windows PowerShell parameters start with a dash. Each cmdlet has its own set of parameters. You can learn the parameters of a particular cmdlet by running Get-Help CmdletName. You can determine which cmdlets are available by running the Get-Command cmdlet. The cmdlets available depend on which modules are loaded.
You can load a module using the Import-Module cmdlet.

Common Cmdlets for Server Administration: As a server administrator, there are certain cmdlets you are more likely to use. These relate primarily to services, event logs, processes, and the ServerManager module on the server.

Service cmdlets:
Get-Service: View the properties of a service.
New-Service: Creates a new service.
Restart-Service: Restarts an existing service.
Resume-Service: Resumes a suspended service.
Set-Service: Configures the properties of a service.
Start-Service: Starts a stopped service.
Stop-Service: Stops a running service.
Suspend-Service: Suspends a service.

Event log cmdlets:
Get-EventLog: Displays events in the specified event log.
Clear-EventLog: Deletes all entries from the specified event log.
Limit-EventLog: Sets event log age and size limits.
New-EventLog: Creates a new event log and a new event source on a computer running Windows Server.
Remove-EventLog: Removes a custom event log and unregisters all event sources for the log.
Show-EventLog: Shows the event logs of a computer.
Write-EventLog: Allows you to write events to an event log.

Process cmdlets:
Get-Process: Provides information on a process.
Start-Process: Starts a process.
Stop-Process: Stops a process.
Wait-Process: Waits for the process to stop before accepting input.
Debug-Process: Attaches a debugger to one or more running processes.

ServerManager Module: The ServerManager module provides three cmdlets that are useful for managing features and roles:
Get-WindowsFeature: View a list of available roles and features. Also displays whether each feature is installed and whether it is available. You can only install an unavailable feature if you have access to an installation source.
Install-WindowsFeature: Installs a particular Windows Server role or feature. Add-WindowsFeature, the cmdlet name used in previous versions of Windows Server, is an alias for this command.
Uninstall-WindowsFeature: Removes a particular Windows Server role or feature.

The Windows PowerShell Integrated Scripting Environment (ISE) provides command completion, and lets you see all available commands and the parameters that you can use with those commands.
The ability to view cmdlet parameters ensures that you are aware of the full functionality of each cmdlet, and can create syntactically-correct Windows PowerShell commands.
The ISE also provides you with debugging tools that you can use to debug simple and complex Windows PowerShell scripts.
You can then determine which Windows PowerShell module you need to load to access a particular cmdlet.

Demonstration: Using Windows PowerShell
In this demonstration, you will see how to use Windows PowerShell to display the running services and processes on a server.

Demonstration Steps
Use Windows PowerShell to display the running services and processes on a server
1. View the cmdlets made available in the ServerManager module. At the command prompt, type Import-Module ServerManager.
View the cmdlets made available in the ServerManager module: In the Commands pane, use the Modules drop-down menu to select the ServerManager module.

A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. A. Datum has recently deployed a Windows Server infrastructure with Windows 8 clients.
You have been working for A. Datum for several years as a desktop support specialist and have recently accepted a promotion to the server support team. The marketing department has purchased a new web-based application. You need to install and configure the servers in the data center for this application.

Objectives
After completing this lab, you will be able to:
Deploy Windows Server.
Configure Windows Server Server Core.
Manage servers by using Server Manager.
Manage servers with Windows PowerShell.
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. In the Actions pane, click Connect. Wait until the virtual machine starts. Sign in using the following credentials: a. Do not sign in until directed to do so.
The first server you are installing for the new marketing application is for a SQL Server database. You want to configure this server with the full GUI, because this allows the application vendor to run support tools directly on the server rather than requiring a remote connection.
The main tasks for this exercise are as follows:
1. Install the Windows Server server.
2. Change the server name.
3. Change the date and time.
4. Configure the network and NIC teaming.
5. Add the server to the domain.

Task 1: Install the Windows Server server
1. Accept the license terms, and then click Custom: Install Windows only (advanced). Install Windows Server on Drive 0.
Note: Depending on the speed of the equipment, the installation will take approximately 20 minutes.
The virtual machine will restart several times during this process.

Task 2: Change the server name
1. In Server Manager, on the Local Server node, click the randomly-generated name next to Computer name.

Task 3: Change the date and time
1. On the taskbar, click the time display, and then click Change date and time settings.
Click Change Time Zone, and set the time zone to your current time zone.
Click Change Date and Time, and verify that the date and time shown in the Date and Time Settings dialog box match those in your classroom.
Close the Date and Time dialog box.

Task 4: Configure the network and NIC teaming
1. Right-click the selected network adapters, and then click Add to New Team.
Refresh the console pane.
Enter the following IP address information, and then click OK:
IP address:

Task 5: Add the server to the domain
1. On the Computer Name tab, click Change.
Click the Domain option, and in the Domain box, enter adatum.
Enter the following account details:
In the System Properties dialog box, click Close.

NET application. To minimize the operating system footprint and reduce the need to apply software updates, you have chosen to host the IIS component on a computer that is running the Server Core installation option of the Windows Server operating system.
To enable this, you will need to configure a computer that is running Windows Server with the Server Core installation option.
Set computer name.
Change the computer's date and time.
Configure the network.

Task 1: Set computer name
1. Click option 2 to select Computer Name.
In the Restart dialog box, click Yes to restart the computer.
At the command prompt, type hostname, and then press Enter to verify the computer's name.

Task 2: Change the computer's date and time
1. At the command prompt, type sconfig.
To select Date and Time, type 9.
Click Change time zone, and then set the time zone to the same time zone that your classroom uses. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time match those in your location.
Exit sconfig.

Task 3: Configure the network
1. To configure Network Settings, type 8.
Type the number of the network adapter that you want to configure.
Type 1 to set the Network Adapter Address.
Select static IP address configuration, and then enter the address. At the Enter subnet mask prompt, type the subnet mask. At the Enter default gateway prompt, type the default gateway.
Type 2 to configure the DNS server address.
Set the preferred DNS server. Do not configure an alternate DNS server address.
Verify network connectivity to lon-dc1.

Task 4: Add the server to the domain
1. Type D to join a domain.
At the Name of domain to join prompt, type adatum.
At the prompt, click No.
Restart the server.

Results: After completing this exercise, you should have configured a Windows Server Server Core deployment, and verified the server's name.

Create a server group.
Deploy features and roles to both servers.
Review services, and change a service setting.

Task 1: Create a server group
1. In the Server Manager console, click Dashboard, and then click Create a server group.
Click the Active Directory tab, and then click Find Now.
In the Server group name box, type LAB. Click LAB.

Task 2: Deploy features and roles to both servers
1. Select the Windows Server Backup feature.
Add the Windows Authentication role service, and then click Next.
Select the Restart the destination server automatically if required check box, and then click Install.
Click Close.
Click Windows Server Backup, and then click Next.
Select the Restart the destination server automatically if required check box, click Install, and then click Close.
Task 3: Review services, and change a service setting
1. In the Command Prompt window, type the following command: netsh.
Expand Services and Applications, and then click Services.
Verify that the service is configured to use the Local System account.
Configure the following service recovery settings:
First failure: Restart the Service
Second failure: Restart the Service
Subsequent failures: Restart the Computer
Reset fail count after: 1 day
Restart service after: 1 minute
Configure the Restart Computer option to 2 minutes, and then close the Service Properties dialog box.

Results: After completing this exercise, you should have created a server group, deployed roles and features, and configured the properties of a service.

Exercise 4: Using Windows PowerShell to Manage Servers
Scenario
The marketing application vendor has indicated that they can provide some Windows PowerShell scripts to configure the web server that is hosting the application.
You need to verify that remote administration is functional before running the scripts.
Use Windows PowerShell to connect remotely to servers and view information.
Use Windows PowerShell to remotely install new features.

Task 1: Use Windows PowerShell to connect remotely to servers and view information
1. Type Import-Module ServerManager.
Type Get-WindowsFeature, and review roles and features.
Review the most recent 10 items in the security log by typing the following command: Get-EventLog Security -Newest

Task 2: Use Windows PowerShell to remotely install new features
1. Type Import-Module ServerManager.
In the Untitled1.
Save the script as InstallWins.
Press the F5 key to execute InstallWins.
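The remoting check and the multi-server feature installation described in Tasks 1 and 2, as an added example script rather than the lab's own InstallWins script; the server names are assumptions, and the feature names are those installed in Exercise 3:

```powershell
# Added example (not the course's InstallWins script): confirm that remote
# administration works on each target before running vendor scripts, then
# install the lab's features on all targets in one pass.
$servers  = 'LON-SVR1', 'LON-SVR2'                       # assumed lab server names
$features = 'Windows-Server-Backup', 'Web-Windows-Auth'  # Windows Server Backup, Windows Authentication

# The ServerManager cmdlets load on demand, but importing explicitly keeps the
# script self-documenting, as the lab steps do.
Import-Module ServerManager

foreach ($server in $servers) {
    # Test-WSMan fails when WinRM is not listening or the caller is not
    # authorized, which is exactly the precondition the lab asks you to verify.
    try {
        $null = Test-WSMan -ComputerName $server -ErrorAction Stop
    } catch {
        Write-Warning "Remote administration is not reachable on ${server}: $($_.Exception.Message)"
        continue
    }

    # Install-WindowsFeature targets a remote server with -ComputerName and
    # reports success, the exit code and whether a restart is still pending.
    $result = Install-WindowsFeature -Name $features -ComputerName $server -IncludeManagementTools -Restart:$false
    [pscustomobject]@{
        Server        = $server
        Success       = $result.Success
        RestartNeeded = $result.RestartNeeded
        Installed     = ($result.FeatureResult | ForEach-Object DisplayName) -join ', '
    }
}

# Confirm the outcome the same way Task 1 does: Get-WindowsFeature reports the
# install state of each feature on the remote server.
foreach ($server in $servers) {
    Get-WindowsFeature -Name $features -ComputerName $server |
        Select-Object @{ n = 'Server'; e = { $server } }, Name, InstallState
}
```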
Results: After completing this exercise, you should have used Windows PowerShell to perform a remote installation of features on multiple servers.

To prepare for the next module
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, switch to the Hyper-V Manager console.
In the Revert Virtual Machine dialog box, click Revert.

Question: What tool can you use to determine which cmdlets are contained in a Windows PowerShell module?
Question: Which role can you use to manage KMS?
Troubleshooting Tip.

The AD DS database is the central store of all the domain objects, such as user accounts, computer accounts, and groups.
AD DS provides a searchable hierarchical directory, and provides a method for applying configuration and security settings for objects in the enterprise.
This module covers the structure of AD DS and its various components, such as forests, domains, and organizational units (OUs). This module examines some of the choices that are available with Windows Server for installing AD DS on a server.
Describe the purpose of domain controllers.
Explain how to install a domain controller.

AD DS domain controllers also host the service that authenticates user and computer accounts when they log on to the domain.
Because AD DS stores information about all of the objects in the domain, and all users and computers must connect to AD DS domain controllers when signing into the network, AD DS is the primary means by which you can configure and manage user and computer accounts on your network. This lesson covers the core logical components that make up an AD DS deployment.
Describe AD DS domains. Describe OUs and their purpose. Describe AD DS forests and trees, and explain how you can deploy them in a network. You need to understand the way the components of AD DS work together so that you can manage your network efficiently, and control what resources your users can access.
In addition, you can use many other AD DS options, including installing and configuring of software and updates, managing the security infrastructure, enabling Remote Access and DirectAccess, and certificate handling.
Physical Components
AD DS information is stored in a single file on each domain controller's hard disk. The following table lists some of the physical components and where they are stored.
Data store: The file on each domain controller that stores the AD DS information.
Global catalog servers: Host the global catalog, which is a partial, read-only copy of all the objects in the forest. A global catalog speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.
Read-only domain controllers (RODCs): A special install of AD DS in a read-only form. These are often used in branch offices where security and IT support are often less advanced than in the main corporate centers.

Logical Components
AD DS logical components are structures that you use to implement an Active Directory design that is appropriate for an organization. The following table describes some of the types of logical structures that an Active Directory database might contain.
Partition: Although the database is one file named NTDS.DIT, it is viewed, managed, and replicated as if it consisted of distinct sections or instances. These are called partitions, which are also referred to as naming contexts.
Schema: Defines the list of object types and attributes that all objects in AD DS can have.
Domain: A logical, administrative boundary for users and computers.
Forest: A collection of domains that share a common AD DS.
Site: A collection of users, groups, and computers as defined by their physical locations. Sites are useful in planning administrative tasks such as replication of changes to the AD DS database.

An AD DS domain is a logical grouping of user, computer, and group objects for the purpose of management and security.
There are several types of objects that can be stored in the AD DS database, including user accounts. User accounts provide a mechanism that you can use to authenticate and then authorize users to access resources on the network. Each domain-joined computer must have an account in AD DS. This enables domain administrators to use policies that are defined in the domain to manage the computers. The domain also stores groups, which are the mechanism for grouping together objects for administrative or security reasons, for instance user accounts and computer accounts.
The AD DS domain is also a replication boundary. When changes are made to any object in the domain, that change is replicated automatically to all other domain controllers in the domain. An AD DS domain is an administrative center. It contains an Administrator account and a Domain Admins group, which both have full control over every object in the domain. Unless they are in the forest root domain, however, their range of control is limited to the domain.
Password and account rules are managed at the domain level by default. The AD DS domain provides an authentication center. All user accounts and computer accounts in the domain are stored in the domain database, and users and computers must connect to a domain controller to authenticate.
A single domain can contain more than 1 million objects, so most organizations need to deploy only a single domain. Organizations that have decentralized administrative structures, or that are distributed across multiple locations, might instead implement multiple domains in the same forest.

What Are OUs?
An organizational unit (OU) is a container object within a domain that you can use to consolidate users, groups, computers, and other objects.
GPOs are policies that administrators create to manage and configure computer and user accounts. The most common way to deploy these policies is to link them to OUs. To delegate administrative control of objects within the OU. You can use OUs to represent the hierarchical, logical structures within your organization.
For example, you can create OUs that represent the departments within your organization, the geographic regions within your organization, or a combination of both departmental and geographic regions.
You can use OUs to manage the configuration and use of user, group, and computer accounts based on your organizational model.
Domain container: Serves as the root container of the hierarchy.
Builtin container: Stores a number of default groups.
Users container: The default location for new user accounts and groups that you create in the domain. The Users container also holds the Administrator and Guest accounts for the domain, and some default groups.
Computers container: The default location for new computer accounts that you create in the domain.
Domain Controllers OU: The default location for the computer accounts of domain controllers.
All the other containers are just folders.

Hierarchy Design
The design of an OU hierarchy is dictated by the administrative needs of the organization. The design could be based on geographic, functional, resource, or user classifications.
Whatever the order, the hierarchy should make it possible to administer AD DS resources as effectively and with as much flexibility as possible. For example, if all computers that IT administrators use must be configured in a certain way, you can group all the computers in an OU, and then assign a GPO to manage its computers. To simplify administration, you also can create OUs within other OUs. For example, your organization might have multiple offices, and each office might have a set of administrators who are responsible for managing user and computer accounts in their office.
In addition, each office might have different departments with different computer configuration requirements. In this situation, you could create an OU for the office that is used to delegate administration, and then create a department OU within the office OU to assign desktop configurations. Although there is no technical limit to the number of levels in your OU structure, for the purpose of manageability, limit your OU structure to a depth of no more than 10 levels.
Most organizations use five levels or fewer to simplify administration. Note that Active Directory-enabled applications can have restrictions on the OU depth within the hierarchy. These applications can also have restrictions on the number of characters that can be used in the distinguished name, which is the full Lightweight Directory Access Protocol (LDAP) path to the object in the directory.
A forest is a collection of one or more domain trees. A tree is a collection of one or more domains. The first domain that is created in the forest is called the forest root domain. The forest root domain contains a few objects that do not exist in other domains in the forest.
For example, the forest root domain contains two special domain controller roles, the schema master and the domain naming master. In addition, the Enterprise Admins group and the Schema Admins group exist only in the forest root domain. The Enterprise Admins group has full control over every domain within the forest.
The AD DS forest is a security boundary. This means that, by default, no users from outside the forest can access any resources inside the forest. It also means that administrators from outside the forest have no administrative access within the forest.
One of the primary reasons why organizations deploy multiple forests is because they need to isolate administrative permissions between different parts of the organization. The forest is also the boundary for the schema: all domain controllers in the forest must share the same schema.
A second reason why organizations deploy multiple forests is because they must deploy incompatible schemas in two parts of the organization. The AD DS forest is also the replication boundary for the global catalog. This makes most forms of collaboration between users in different domains easier. For example, all Microsoft Exchange Server recipients are listed in the global catalog, making it easy to send mail to any of the users in the forest, even those users in different domains.
By default, all the domains in a forest automatically trust the other domains in the forest. This makes it easy to enable access to resources such as file shares and websites for all users in a forest, regardless of the domain in which the user account is located.

The AD DS schema is sometimes referred to as the blueprint for AD DS. AD DS stores and retrieves information from a wide variety of applications and services. By standardizing how data is stored, AD DS can retrieve, update, and replicate data, while ensuring that the integrity of the data is maintained.
AD DS uses objects as units of storage. All object types are defined in the schema. Each time that the directory handles data, the directory queries the schema for an appropriate object definition. Based on the object definition in the schema, the directory creates the object and stores the data. Object definitions control both the types of data that the objects can store, and the syntax of the data. Using this information, the schema ensures that all objects conform to their standard definitions.
As a result, AD DS can store, retrieve, and validate the data that it manages, regardless of the application that is the original source of the data.
Only data that has an existing object definition in the schema can be stored in the directory. If a new type of data needs to be stored, a new object definition for the data must first be created in the schema. In AD DS, the schema defines the following:
Objects that are used to store data in the directory
Rules that define what types of objects you can create, what attributes must be defined (mandatory) when you create the object, and what attributes are optional
Structure and content of the directory itself
You can use an account that is a member of the Schema Admins group to modify the schema components in a graphical form. Examples of objects that are defined in the schema include user, computer, group, and site. Among the many attributes are location, accountExpires, buildingName, company, manager, and displayName. The schema master is one of the single master operations domain controllers in AD DS.
Because it is a single master, you must make changes to the schema by targeting the domain controller that holds the schema master operations role. The schema is replicated among all domain controllers in the forest. Any change that is made to the schema is replicated to every domain controller in the forest from the schema operations master role holder, typically the first domain controller in the forest. Because the schema dictates how information is stored, and because any changes that are made to the schema affect every domain controller, changes to the schema should be made only when necessary.
Before making any changes, you should review the changes through a tightly-controlled process, and then implement them only after you have performed testing to ensure that the changes will not adversely affect the rest of the forest and any applications that use AD DS. Although you might not make any change to the schema directly, some applications make changes to the schema to support additional features. For example, when you install Exchange Server into your AD DS forest, the installation program extends the schema to support new object types and attributes.
Overview of Domain Controllers
Because domain controllers authenticate all users and computers in the domain, domain controller deployment is critical to the correct functioning of the network. This lesson examines domain controllers, the logon process, and the importance of DNS in that process. In addition, this lesson discusses the purpose of the global catalog. All domain controllers are essentially the same, with two exceptions. There are also certain operations that can only be performed on specific domain controllers called operations masters, which are discussed at the end of this lesson.

Lesson Objectives
After completing this lesson, you will be able to:
Describe the purpose of domain controllers.
Describe the purpose of the global catalog.
Describe the functionality of SRV records.
Explain the functions of operations masters.

What Is a Domain Controller?
Domain controllers host several other Active Directory-related services, including the Kerberos authentication service, which is used by user and computer accounts for logon authentication, and the Key Distribution Center (KDC). You can optionally configure domain controllers to host a copy of the Active Directory global catalog.
An AD DS domain should always have a minimum of two domain controllers. This way, if one of the domain controllers fails, there is a backup to ensure continuity of the AD DS domain services. When you decide to add more than two domain controllers, consider the size of your organization and the performance requirements.
Note: Two domain controllers should be considered an absolute minimum. When you deploy a domain controller in a branch office where physical security is less than optimal, there are some additional measures that you can use to reduce the impact of a breach of security.
One option is to deploy an RODC. You can configure the RODC to cache the passwords for users in the branch office. If an RODC is compromised, the potential loss of information is much lower than with a full read-write domain controller. Another option is to use Windows BitLocker Drive Encryption to encrypt the domain controller hard drive.
If the hard drive is stolen, BitLocker encryption ensures that there is a very low chance of a malicious user getting any useful information from it. Note: BitLocker is a drive encryption system that is available for Windows Server operating systems, and for certain Windows client operating system versions. BitLocker securely encrypts the entire operating system so that the computer cannot start without being supplied a private key and optionally passing an integrity check.
A disk remains encrypted even if you transfer it to another computer.

What Is the Global Catalog?
Within a single domain, the AD DS database contains all the information about every object in that domain. This information is not replicated outside the domain. For example, a query for an object in AD DS is directed to one of the domain controllers for that domain.
If there is more than one domain in the forest, then that query does not provide any results for objects in a different domain. To enable searching across multiple domains, you can configure one or more domain controllers to store a copy of the global catalog. The global catalog is a distributed database that contains a searchable representation of every object from all the domains in a multiple domain forest.
By default, the only global catalog server that is created is the first domain controller in the forest root domain. The global catalog does not contain all attributes for each object.
Instead, the global catalog maintains the subset of attributes that are most likely to be useful in cross-domain searches. These attributes might include firstname, displayname, and location. There are a variety of reasons why you might perform a search against a global catalog rather than a domain controller that is not a global catalog. For example, when an Exchange server receives an incoming email, it needs to search for the recipient's account so that it can decide how to route the message.
By automatically querying a global catalog, the Exchange server is able to locate the recipient in a multiple domain environment. When a user logs on to their Active Directory account, the domain controller that is performing the authentication must contact a global catalog to check for universal group memberships before the user is authenticated. In a single domain, all domain controllers should be configured as holders of the global catalog; however, in a multiple domain environment, the infrastructure master should not be a global catalog server.
Which domain controllers are configured to hold a copy of the global catalog depends on replication traffic and network bandwidth. Many organizations are opting to make every domain controller a global catalog server. Question: Should a domain controller be a global catalog?
SRV records are records that specify information on available services, and are recorded in DNS by all domain controllers. By using DNS lookups, clients can locate a suitable domain controller to service their logon requests. If the logon is successful, the local security authority (LSA) builds an access token for the user that contains the security identifiers (SIDs) for the user and any groups of which the user is a member.
The token provides the access credentials for any process initiated by that user. Office Word uses the credentials in the user's access token to verify the level of the user's permissions for that file.
Note: A SID is a unique number in the form S-..., where: the first four blocks of letters and numbers (beginning with S) represent the type of ID; the next three blocks of numbers identify the database where the account is stored (usually the AD DS domain); and the last section is the relative ID (RID), which is the part of the SID that uniquely identifies that account in the database.
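Decomposing a SID into the parts the note describes, and applying that to the groups in the current access token, as an added example that is not part of the course text; the two sample SIDs are constructed, and the script assumes a domain-joined Windows host:

```powershell
# Added example, not from the course: split a SID into the parts the note
# describes and use that to review the groups in the current access token.
# The two sample SIDs below are constructed, not real accounts.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # Layout: S-<revision>-<identifier authority>-<sub-authorities...>-<RID>
    $parts = $Sid -split '-'
    if ($parts[0] -ne 'S' -or $parts.Count -lt 4) { throw "Not a SID: $Sid" }
    # Everything between the authority and the final RID identifies the database
    # (for S-1-5-21-x-y-z-RID that is the domain). Short well-known SIDs such as
    # S-1-5-18 (LocalSystem) have no domain part at all.
    $domain = if ($parts.Count -gt 4) { $parts[3..($parts.Count - 2)] -join '-' } else { '' }
    [pscustomobject]@{
        Sid                 = $Sid
        Revision            = [int]$parts[1]
        IdentifierAuthority = [int]$parts[2]      # 5 = NT Authority
        DomainIdentifier    = $domain
        Rid                 = [uint32]$parts[-1]  # unique within that database
    }
}

# Two accounts from the same (constructed) domain: identical domain identifier,
# different RID, which is exactly the distinction the text draws.
$userSid  = 'S-1-5-21-1004336348-1177238915-682003330-1001'
$groupSid = 'S-1-5-21-1004336348-1177238915-682003330-1002'
$u = Split-Sid $userSid
$g = Split-Sid $groupSid
"Same domain: $($u.DomainIdentifier -eq $g.DomainIdentifier); RIDs $($u.Rid) and $($g.Rid)"

# Review the live token: RIDs below 1000 in a domain SID are well-known
# principals (500 = Administrator, 512 = Domain Admins, 519 = Enterprise Admins),
# so their presence in a token is worth noting when reviewing who is logged on.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
foreach ($group in $token.Groups) {
    $s = Split-Sid $group.Value
    if ($s.IdentifierAuthority -eq 5 -and $s.DomainIdentifier -like '21-*' -and $s.Rid -lt 1000) {
        "Well-known domain principal in token: $($group.Value) (RID $($s.Rid))"
    }
}
```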
Every user and computer account and every group that you create has a unique SID. They only differ from each other by virtue of the unique RID.

Sites
Sites are used by a client system when it needs to contact a domain controller. The client system then attempts to connect to a domain controller in the same site before trying elsewhere. Administrators can define sites in AD DS. Sites usually align with the parts of the network that have good connectivity and bandwidth. For example, if a branch office is connected to the main data center by an unreliable wide area network (WAN) link, it would be better to define the data center and the branch office as separate sites in AD DS. If the SRV records are not entered in DNS correctly, you can trigger the domain controller to reregister those records by restarting the Net Logon service on that domain controller.
Although the logon process appears to the user as a single event, it is actually made up of two parts: The user provides credentials, usually a user account name and password, which are then checked against the AD DS database. If the user account name and the password match the information that is stored in the AD DS database, the user becomes an authenticated user and is issued a TGT by the domain controller.
At this point, the user does not have access to any resources on the network. A secondary process in the background submits the TGT to the domain controller and requests access to the local machine. The domain controller issues a service ticket to the user, who is then able to interact with the local computer.
At this point in the process, the user is authenticated to AD DS and logged on to the local machine. When a user subsequently attempts to connect to another computer on the network, the secondary process is run again, and the TGT is submitted to the nearest domain controller. When the domain controller returns a service ticket, the user can access the computer on the network, which generates a logon event at that computer. You do not see the transaction when the computer uses its computer account name and a password to log on to AD DS.
Once authenticated, the computer becomes a member of the Authenticated Users group. Although the computer logon process does not have any visual confirmation in the form of a GUI, there are event log events that record the activity. Additionally, if auditing is enabled, there are more events that are viewable in the Security Log of the Event Viewer. These records are crucial to the operability of AD DS, because they are used to find domain controllers for logons, password changes, and editing GPOs.
SRV records are also used by domain controllers to find replication partners. View the SRV records that are registered by domain controllers. These records provide alternate paths so that clients can discover them.

What Are Operations Masters?
Although all domain controllers are essentially equal, there are some tasks that can only be performed by targeting one particular domain controller. For example, if you need to add an additional domain to the forest, then you must be able to connect to the domain naming master.

Forest Operations Masters
The following are single master roles found in a forest:
Domain naming master. This is the domain controller that must be contacted when you add or remove a domain, or when you make domain name changes.
Schema master. This is the domain controller where all schema changes are made.
To make changes you would typically log on to the schema master as a member of both the Schema Admins and Enterprise Admins groups. A user who is a member of both of these groups and who has the appropriate permissions could also edit the schema by using a script.
RID master. Whenever a security principal (a user, group, or computer) is created in AD DS, the domain controller that creates it assigns it a security identifier (SID). The SID combines the domain SID with a relative identifier (RID) that must be unique within the domain. To ensure that no two domain controllers assign the same RID to two different objects, the RID master allocates a pool of RIDs to each domain controller in the domain, and issues a fresh pool when a domain controller has nearly used up its current one.
Infrastructure master. This role is responsible for maintaining inter-domain object references, such as when a group in one domain contains a member from another domain. In this situation, the infrastructure master is responsible for maintaining the integrity of that reference when the referenced object is renamed or moved. For example, when you look at the Security tab of an object, the system looks up the SIDs that are listed and translates them into names. In a multi-domain forest, the infrastructure master is what keeps the stored references to SIDs from other domains up to date so that this translation still succeeds.
The infrastructure master role should not be held by a global catalog server. The exception is when you follow the recommended practice of making every domain controller a global catalog. In that case the placement does not matter, because every domain controller already holds a read-only copy of every object in the forest and the infrastructure master has nothing to update. PDC emulator master. The domain controller that holds the PDC emulator role is the authoritative time source for the domain.
The domain controllers that hold the PDC emulator role in each domain in a forest synchronize their time with the domain controller that has the PDC emulator role in the forest root domain. You should configure the PDC emulator in the forest root domain to synchronize with a reliable external time source. Accurate time matters for security as well as for operations: Kerberos rejects tickets whose timestamps differ from the domain controller's clock by more than the permitted skew (five minutes by default), so a drifting PDC emulator eventually breaks authentication for the whole domain.
The PDC emulator is also the domain controller that receives urgent password changes. If a user's password is changed on any domain controller, the change is sent immediately to the domain controller holding the PDC emulator role rather than waiting for normal replication. This means that if the user subsequently tries to log on and is authenticated by a domain controller in a different location that has not yet received the new password, that domain controller contacts the PDC emulator and checks for recent changes before rejecting the logon. Failed password attempts are forwarded to the PDC emulator in the same way, which is why it is the domain controller that counts bad passwords and enforces account lockout.
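The placement rules above (the infrastructure master versus the global catalog, and the forest-root PDC emulator's time source) are worth checking rather than assuming. The following script is an added example, not part of the course text. It assumes the ActiveDirectory module is available and that it runs in the forest and domain of the current user; it introduces no other names.

```powershell
# Added example (not from the course text). Requires the ActiveDirectory module; it reports the
# five role holders for the current domain/forest and checks the two placement rules above.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles (one holder per forest) followed by domain-wide roles (one holder per domain).
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Rule 1: the infrastructure master must not be a GC unless every DC in the domain is a GC.
$dcs   = Get-ADDomainController -Filter *
$allGC = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
$infra = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
if ($infra.IsGlobalCatalog -and -not $allGC) {
    Write-Warning ("Infrastructure master {0} is a GC while other DCs are not; " +
                   "cross-domain group membership references will not be updated.") -f $infra.HostName
}

# Rule 2: the forest-root PDC emulator should take time from an external source. w32tm reports
# "Local CMOS Clock" or "Free-running System Clock" when it is only trusting its own hardware clock.
if ($domain.DNSRoot -eq $forest.RootDomain) {
    $source = (w32tm /query /computer:$($domain.PDCEmulator) /source) -join ''
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        Write-Warning "PDC emulator $($domain.PDCEmulator) is using its internal clock: $source"
    } else {
        "PDC emulator time source: $source"
    }
}
```

Run it from a management workstation with RSAT, or on any domain controller. In a child domain the time-source check is skipped on purpose, because a child domain's PDC emulator is supposed to follow the forest-root PDC emulator, not an external server.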
Note: The global catalog is not one of the operations master roles. Question: Why would you make a domain controller a global catalog server? Installing a Domain Controller Sometimes you need to install additional domain controllers in your Windows Server environment. It might be that the existing domain controllers are overworked and you need additional resources. Perhaps you are planning for a new remote office that requires you to deploy one or more domain controllers.
You also might be setting up a test lab or a backup site. The installation method that you use varies with the circumstances. This lesson examines several ways to install additional domain controllers.
Finally, it examines the process of upgrading a domain controller from an earlier Windows operating system to the current version of Windows Server.
Lesson Objectives After completing this lesson, you will be able to: Explain how to install a domain controller by using the GUI.
Explain how to install a domain controller on a Server Core installation of Windows Server. Explain how to upgrade a domain controller. Explain how to install a domain controller by using Install from Media.
If you attempt to run dcpromo.exe, a message informs you that the Active Directory Domain Services Installation Wizard has moved to Server Manager. Note: Before this version of Windows Server, dcpromo.exe was the tool used to promote a server to a domain controller; Server Manager now replaces it. When you run Server Manager, you can choose whether the operation is performed on the local computer, on a remote computer, or on members of a server pool, and then you add the AD DS role. Adding the role installs only the binaries, and a notification in Server Manager indicates that further configuration is required. Select the link Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard.
You can then provide the information listed in the following table about the proposed structure.
Required information: Description
Add a domain controller to an existing domain: Choose whether to add an additional domain controller to a domain.
Add a new domain to an existing forest: Create a new domain in the forest.
Add a new forest: Create a new forest.
Specify the domain information for this operation: Supply information about the existing domain to which the new domain controller will connect.
Supply the credentials to perform this operation: Enter the credentials of a user account that has the rights to perform this operation.
Some additional information that you need to have prior to running the domain controller promotion is listed in the following table.
This includes the locations for the AD DS database (Ntds.dit) and its log files (edb.log and the associated checkpoint files), and for the SYSVOL folder. Once you install the AD DS binaries (the role), the server is not yet running AD DS; it is still an ordinary member server in the domain. You can complete the installation and configuration in several ways, including the following: In Server Manager, click the notification icon to complete the post-deployment configuration. This starts the configuration and setup of the domain controller. Finally, you must restart the computer to complete the installation; the server operates as a domain controller only after this restart.
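The same promotion can be done without the wizard, which is also how you script it for a Server Core installation. The following is an added example, not part of the course text: it installs the AD DS binaries, runs the prerequisite checks, and promotes the server as an additional domain controller in an existing domain, passing the database, log and SYSVOL paths from the table above. The domain name, site name and paths are assumed values; the credentials and the Directory Services Restore Mode (DSRM) password are prompted for rather than stored in the script.

```powershell
# Added example (not from the course text). Run in an elevated PowerShell session on the server
# being promoted. Domain, site and paths are assumed values for illustration.
$domainName = 'adatum.com'               # assumed existing domain
$siteName   = 'Default-First-Site-Name'  # assumed site

# Step 1: add the role. This installs the binaries only; the server is still a member server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: collect the secrets interactively. The DSRM password unlocks the directory database
# offline, so it should be unique to this DC and kept in a vault, never reused from an admin account.
$cred = Get-Credential -Message "Account permitted to add a domain controller to $domainName"
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$params = @{
    DomainName                    = $domainName
    SiteName                      = $siteName
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
    DatabasePath                  = 'D:\NTDS'    # Ntds.dit (assumed path)
    LogPath                       = 'D:\NTDS'    # edb.log and checkpoint files (assumed path)
    SysvolPath                    = 'D:\SYSVOL'  # assumed path
    NoRebootOnCompletion          = $true        # inspect the result before restarting
    Force                         = $true        # suppress the confirmation prompt
}

# Step 3: prerequisite checks first. Stopping here is cheaper than recovering a half-promoted DC.
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; not promoting.'
}

# Step 4: promote. This is the same operation the Server Manager wizard performs.
$result = Install-ADDSDomainController @params
$result | Format-List Status, Message

# Step 5: AD DS runs only after the restart (the role is inactive until then).
if ($result.Status -eq 'Success') { Restart-Computer }
```

Test-ADDSDomainControllerInstallation takes the same parameters as Install-ADDSDomainController, so building the hashtable once and splatting it into both keeps the checks honest: what is tested is exactly what will be installed. Omit -NoRebootOnCompletion if you want the wizard's default behaviour of restarting immediately.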
You can upgrade the operating system on existing domain controllers that are running Windows Server or Windows Server R2. Alternatively, you can introduce new Windows Server servers as domain controllers into a domain that contains domain controllers running previous versions of Windows Server. Of the two, the second is the preferred method, because when you finish you have a clean installation of the Windows Server operating system and a freshly replicated copy of the AD DS database, rather than one that carries over the history of the old server.
You can achieve this by upgrading all of the existing domain controllers to Windows Server, or by introducing new domain controllers that are running Windows Server and then phasing out the existing domain controllers. To perform an in-place upgrade of a computer that has the AD DS role installed, you must first run the Adprep.exe command-line tool to prepare the forest and the domain.
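Adprep.exe is picky about where it runs: the forest preparation must run on the schema master and the domain preparation on the infrastructure master, and it needs membership in the groups named earlier for schema changes. The following is an added example, not part of the course text: a pre-upgrade script that records the schema version, verifies group membership and role placement, and runs the two preparation steps only on the hosts that hold the corresponding roles. The path to Adprep.exe on the installation media is an assumed value.

```powershell
# Added example (not from the course text). Adprep.exe ships in \support\adprep on the
# installation media; the drive letter below is assumed. Run elevated on a domain controller.
$adprep = 'E:\support\adprep\adprep.exe'   # assumed media path

$forest = Get-ADForest
$domain = Get-ADDomain
$me     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# The schema's objectVersion increases after a successful forestprep; record it before and after.
function Get-SchemaVersion {
    (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
}
"Schema objectVersion before: $(Get-SchemaVersion)"
"Forest mode: $($forest.ForestMode)   Domain mode: $($domain.DomainMode)"

# forestprep needs Schema Admins and Enterprise Admins; domainprep needs Domain Admins.
$groups = ([Security.Principal.WindowsIdentity]::GetCurrent()).Groups |
          ForEach-Object { $_.Translate([Security.Principal.NTAccount]).Value }
if (-not ($groups -match 'Schema Admins') -or -not ($groups -match 'Enterprise Admins')) {
    throw 'Run this as a member of both Schema Admins and Enterprise Admins.'
}

# forestprep: only valid on the schema master. Adprep may ask for confirmation; answer at the console.
if ($me -ieq $forest.SchemaMaster) {
    & $adprep /forestprep
    if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep exited with $LASTEXITCODE" }
} else {
    Write-Warning "forestprep must run on the schema master $($forest.SchemaMaster), not on $me."
}

# domainprep: only valid on the infrastructure master of each domain; /gpprep updates Group Policy ACLs.
if ($me -ieq $domain.InfrastructureMaster) {
    & $adprep /domainprep /gpprep
    if ($LASTEXITCODE -ne 0) { throw "adprep /domainprep exited with $LASTEXITCODE" }
} else {
    Write-Warning "domainprep must run on the infrastructure master $($domain.InfrastructureMaster), not on $me."
}

"Schema objectVersion after: $(Get-SchemaVersion)"
```

If you follow the preferred path of adding new domain controllers instead, the Active Directory Domain Services Configuration Wizard runs these same Adprep steps for you on the correct role holders, which is one more reason that path is less error-prone than an in-place upgrade.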