Advanced Active Directory Infrastructure for Windows Server 2012 R2 Services

  • 4/29/2014

Practice exercises

The goal of this section is to provide you with hands-on practice with the following:

  • Creating a forest trust
  • Configuring name suffix routing
  • Configuring selective authentication
  • Configuring UPN suffixes
  • Configuring a shortcut trust

To perform the exercises in this section, you need access to an evaluation version of Windows Server 2012 R2. You should also have access to virtual machines SYD-DC, MEL-DC, CBR-DC, and ADL-DC, the setup instructions for which are described in the Introduction. You should ensure that you have a checkpoint of these virtual machines that you can revert to at the end of the practice exercises.

Exercise 1: Prepare a domain controller to host a child domain with a contiguous namespace

In this exercise, you prepare CBR-DC to function as a domain controller for a child domain of the contoso.com domain. To complete this exercise, perform the following steps:

  1. Power on SYD-DC and log in as contoso\don_funk with the password Pa$$w0rd.
  2. Click the Tools menu in the Server Manager console, and click DNS.
  3. In the DNS Manager console, expand SYD-DC and Forward Lookup Zones.
  4. Verify that the following lookup zones are present as shown in Figure 1-15:

    • _msdcs.contoso.com
    • contoso.com

    FIGURE 1-15 Verify the DNS configuration

  5. Power on CBR-DC and sign on as Administrator with the password Pa$$w0rd.
  6. In Server Manager, click the Local Server node.
  7. In the Properties area, click 10.10.10.30 next to Ethernet.
  8. In the Network Connections window, right-click Ethernet and click Properties.
  9. In the Ethernet Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  10. Verify that the Preferred DNS Server is set to 10.10.10.10, as shown in Figure 1-16, click OK, and then click Close.

    FIGURE 1-16 Verify the Internet Protocol (IP) address configuration

  11. In the Server Manager console, click Manage and then click Add Roles And Features.
  12. On the Before You Begin page of the Add Roles And Features Wizard, click Next three times.
  13. On the Select Server Roles page, click the Active Directory Domain Services check box as shown in Figure 1-17.

    FIGURE 1-17 Add the AD DS role

  14. On the Add Roles And Features Wizard, click Add Features.
  15. On the Select Server Roles page, click Next three times and click Install. When the installation completes, click Close.

Exercise 2: Create a child domain with a contiguous namespace

In this exercise, you configure CBR-DC to host the Canberra.contoso.com child domain. To complete this exercise, perform the following steps:

  1. In the Server Manager console on CBR-DC, click the Notifications item and then click Promote This Server To A Domain Controller.
  2. On the Deployment Configuration page, click Add A New Domain To An Existing Forest.
  3. On the Select Domain Type drop-down menu, select Child Domain.
  4. Click Select next to Parent Domain Name.
  5. In the Windows Security dialog box, type the user name contoso\don_funk, type the password Pa$$w0rd, and click OK.
  6. In the Select A Domain From The Forest dialog box, click Contoso.com as shown in Figure 1-18 and then click OK.

    FIGURE 1-18 Select the domain in the forest

  7. In the New Domain Name text box, type the name Canberra as shown in Figure 1-19 and then click Next.

    FIGURE 1-19 Configure the Child Domain

  8. On the Domain Controller Options page, set the DSRM password as Pa$$w0rd in both the Password and Confirm Password dialog boxes and click Next.
  9. On the DNS Options page, ensure that the settings match those in Figure 1-20 and click Next.

    FIGURE 1-20 Configure the delegation credentials

  10. On the Additional Options page, verify that the NetBIOS domain name is set to CANBERRA, click Next three times, and click Install.
  11. After CBR-DC restarts, sign on as Canberra\Administrator with the password Pa$$w0rd.
  12. Switch to SYD-DC. In the DNS console, expand the contoso.com zone and verify the presence of the canberra.contoso.com zone as shown in Figure 1-21.

    FIGURE 1-21 Verify the DNS zone

Exercise 3: Prepare a domain controller to host the wingtiptoys.com tree in the contoso.com forest

In this exercise, you prepare computer ADL-DC so that it can be promoted to a domain controller. To complete this exercise, perform the following steps:

  1. Sign on to ADL-DC as Administrator with the password Pa$$w0rd.
  2. In Server Manager, click the Local Server node.
  3. In the Properties area, click 10.10.10.20 next to Ethernet.
  4. In the Network Connections window, right-click Ethernet and click Properties.
  5. In the Ethernet Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  6. Verify that the Preferred DNS server is set to 10.10.10.10 and then click OK. Click Close.
  7. In the Server Manager console, click Manage and then click Add Roles And Features.
  8. On the Before You Begin page of the Add Roles And Features Wizard, click Next three times.
  9. On the Select Server Roles page, click the Active Directory Domain Services check box.
  10. On the Add Roles And Features Wizard, click Add Features.
  11. On the Select Server Roles page, click Next three times and click Install. When the installation completes, click Close.

Exercise 4: Promote a domain controller for a new tree in the contoso.com forest

In this exercise, you promote ADL-DC to a domain controller for a new domain tree in an existing Active Directory forest. To complete this exercise, perform the following steps:

  1. In the Server Manager console on ADL-DC, click the Notifications item and then click Promote This Server To A Domain Controller.
  2. On the Deployment Configuration page, click Add A New Domain To An Existing Forest.
  3. On the Select Domain Type drop-down menu, click Tree Domain.
  4. In the Forest Name textbox, type contoso.com.
  5. In the New Domain Name textbox, type wingtiptoys.com.
  6. Next to <No Credentials Provided>, click Change.
  7. On the Windows Security dialog box, type the user name as contoso\don_funk, type the password as Pa$$w0rd, and click OK.
  8. Verify that the Deployment Configuration page matches Figure 1-22 and then click Next.

    FIGURE 1-22 Add a domain tree

  9. On the Domain Controller Options page, type the DSRM password Pa$$w0rd in both the Password and Confirm Password text boxes and then click Next.
  10. On the DNS Options page, review the warning and click Next.
  11. On the Additional Options page, verify that the NetBIOS name is set to WINGTIPTOYS as shown in Figure 1-23. Click Next three times and then click Install.

    FIGURE 1-23 Verify the NetBIOS name

  12. After the computer restarts, sign in as WINGTIPTOYS\Administrator with the password Pa$$w0rd.

Exercise 5: Prepare a domain controller to host a new forest

In this exercise, you configure MEL-DC so that it is able to host the new forest margiestravel.com. To complete this exercise, perform the following steps:

  1. Sign on to MEL-DC as Administrator with the password Pa$$w0rd.
  2. In Server Manager, click the Local Server node.
  3. In the Properties area, click 10.10.10.40 next to Ethernet.
  4. In the Network Connections window, right-click Ethernet and click Properties.
  5. In the Ethernet Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  6. Verify that the Preferred DNS server is set to 10.10.10.10, click OK, and then click Close.
  7. In the Server Manager console, click Manage and then click Add Roles And Features.
  8. On the Before You Begin page of the Add Roles And Features Wizard, click Next three times.
  9. On the Select Server Roles page, click the Active Directory Domain Services checkbox.
  10. On the Add Roles And Features Wizard, click Add Features.
  11. On the Select Server Roles page, click Next three times and then click Install. When the installation completes, click Close.

Exercise 6: Create a new forest

In this exercise, you configure MEL-DC as the first domain controller in a new forest. To complete this exercise, perform the following steps:

  1. In the Server Manager console on MEL-DC, click the Notifications item and then click Promote This Server To A Domain Controller.
  2. On the Deployment Configuration page, click Add A New Forest.
  3. In the Root Domain Name textbox, type margiestravel.com as shown in Figure 1-24 and click Next.

    FIGURE 1-24 Adding a new forest

  4. On the Domain Controller Options page, ensure that the Domain Name System (DNS) Server check box is selected and type the DSRM password Pa$$w0rd in both the Password and Confirm Password text boxes, as shown in Figure 1-25. Click Next twice.

    FIGURE 1-25 The Domain Controller Options page

  5. On the Additional Options page, verify that the NetBIOS domain name is set to MARGIESTRAVEL, click Next three times, and then click Install.
  6. After the server restarts, sign on as MARGIESTRAVEL\Administrator with the password Pa$$w0rd.
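The same six exercises can be driven from PowerShell, which is also how you would script the build of a lab like this or audit what the wizard did. The block below is an added example and is not part of the book's exercises: it uses the host names, addresses and domain names from Exercises 1 to 6 and the ADDSDeployment, DnsClient and DnsServer cmdlets that ship with Windows Server 2012 R2. Each section says which server it belongs on, and the passwords are prompted for rather than typed into the script.

```powershell
# Added example, not part of the book's exercises: PowerShell equivalents of Exercises 1-6.
# Run each section on the server named in its comment.

# --- On every new DC (CBR-DC, ADL-DC, MEL-DC): confirm DNS points at SYD-DC, then add the role
Get-DnsClientServerAddress -InterfaceAlias Ethernet -AddressFamily IPv4
# If the preferred DNS server is not 10.10.10.10, correct it before promoting:
# Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 10.10.10.10
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Prompt for the secrets instead of embedding them (the book uses Pa$$w0rd throughout)
$dsrm = Read-Host -Prompt 'DSRM (safe mode) password' -AsSecureString
$cred = Get-Credential -UserName 'contoso\don_funk' -Message 'Enterprise Admins credential'

# --- CBR-DC (Exercise 2): child domain canberra.contoso.com, contiguous namespace.
#     -CreateDnsDelegation writes the canberra NS delegation into the contoso.com zone,
#     which is what step 12 of Exercise 2 verifies.
Install-ADDSDomain -DomainType ChildDomain -NewDomainName Canberra -ParentDomainName contoso.com `
    -NewDomainNetbiosName CANBERRA -InstallDns -CreateDnsDelegation -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -Force

# --- ADL-DC (Exercise 4): new tree wingtiptoys.com in the contoso.com forest.
#     For a tree domain, -ParentDomainName names the forest root domain.
Install-ADDSDomain -DomainType TreeDomain -NewDomainName wingtiptoys.com -ParentDomainName contoso.com `
    -NewDomainNetbiosName WINGTIPTOYS -InstallDns -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -Force

# --- MEL-DC (Exercise 6): first DC of the separate forest margiestravel.com
Install-ADDSForest -DomainName margiestravel.com -DomainNetbiosName MARGIESTRAVEL -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force

# --- SYD-DC (Exercise 2, step 12): the child domain shows up as NS records for 'canberra'
#     in the parent zone
Get-DnsServerResourceRecord -ZoneName contoso.com -RRType NS |
    Where-Object { $_.HostName -eq 'canberra' }
```

Each `Install-ADDS*` call reboots the server when it finishes, exactly as the wizard does, so sign back in with the new domain's Administrator account afterwards as the exercises describe.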

Exercise 7: Prepare to configure a forest trust relationship

In this exercise, you prepare for a forest trust relationship between the contoso.com forest and the margiestravel.com forest by creating a DNS stub zone for the other forest on each side. To complete this exercise, perform the following steps:

  1. While logged onto SYD-DC as contoso\don_funk, open the DNS Manager console from the Tools menu in the Server Manager console.
  2. Right-click Forward Lookup Zones and click New Zone.
  3. On the Welcome To The New Zone Wizard page, click Next.
  4. On the Zone Type page, click Stub Zone and ensure that the Store The Zone In Active Directory check box is selected as shown in Figure 1-26. Click Next.

    FIGURE 1-26 Configure the zone type

  5. On the Active Directory Zone Replication Scope page, click To All DNS Servers Running On Domain Controllers In This Forest: contoso.com and click Next.
  6. In the Zone Name text box, type margiestravel.com and click Next.
  7. On the Master DNS Servers page, type the IP address 10.10.10.40 in the list of master servers as shown in Figure 1-27, click Next, and then click Finish.

    FIGURE 1-27 Configure the stub zone master servers

  8. On MEL-DC, ensure that you are signed in as MARGIESTRAVEL\Administrator with the password Pa$$w0rd.
  9. Open the DNS Manager console from the Tools menu in the Server Manager console.
  10. In the DNS Manager console, right-click Forward Lookup Zones and click New Zone.
  11. On the Welcome To The New Zone Wizard page, click Next.
  12. On the Zone Type page, click Stub Zone and ensure that the Store The Zone In Active Directory check box is selected. Click Next.
  13. On the Active Directory Zone Replication Scope page, click To All DNS Servers Running On Domain Controllers In This Forest: Margiestravel.com as shown in Figure 1-28. Click Next.

    FIGURE 1-28 Configure the zone replication scope

  14. On the Zone Name page, type the name contoso.com in the Zone Name textbox and click Next.
  15. On the Master DNS Servers page, type the IP address 10.10.10.10 in the Master Servers list as shown in Figure 1-29, click Next, and click Finish.

    FIGURE 1-29 Configure the master DNS servers
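The stub zones are the part of this exercise most often left out when a trust is built by hand, and the New Trust Wizard then fails because it cannot locate the other forest's domain controllers. The block below is an added example, not code from the book: it creates the two stub zones from Exercise 7 with the DnsServer module and then checks that the DC locator records of the remote forest actually resolve. The host names and addresses are the ones the exercise uses.

```powershell
# Added example, not part of the book's exercises: Exercise 7 with the DnsServer cmdlets.
# A stub zone holds only the SOA, NS and glue records of the remote zone, so each forest
# can find the other forest's DCs without hosting or transferring its zone data.

# On SYD-DC (contoso.com side): stub zone for margiestravel.com, master is MEL-DC
Add-DnsServerStubZone -Name margiestravel.com -MasterServers 10.10.10.40 -ReplicationScope Forest

# On MEL-DC (margiestravel.com side): stub zone for contoso.com, master is SYD-DC
Add-DnsServerStubZone -Name contoso.com -MasterServers 10.10.10.10 -ReplicationScope Forest

# Verification (either side): the zone is listed as type Stub with its master server ...
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Stub' } | Format-Table ZoneName, MasterServers

# ... and the remote forest's domain controller locator records resolve. If this query
# fails, the trust wizards in Exercises 8 and 9 will not be able to contact the partner.
Resolve-DnsName -Name _ldap._tcp.dc._msdcs.margiestravel.com -Type SRV   # run on SYD-DC
Resolve-DnsName -Name _ldap._tcp.dc._msdcs.contoso.com -Type SRV         # run on MEL-DC
```

Replication scope Forest matches the wizard choice in steps 5 and 13, so every DNS server on a domain controller in the forest receives the stub zone.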

Exercise 8: Begin creating a forest trust relationship

In this exercise, you configure the contoso.com side of a forest trust relationship between the contoso.com and margiestravel.com forests. To complete this exercise, perform the following steps:

  1. On the Tools menu of the Server Manager console on SYD-DC, click Active Directory Domains And Trusts.
  2. In the Active Directory Domains And Trusts console, right-click Contoso.com and click Properties.
  3. On the Trusts tab of the Contoso.com Properties dialog box, shown in Figure 1-30, click New Trust.

    FIGURE 1-30 Create the new trust

  4. On the Welcome To The New Trust Wizard page, click Next.
  5. On the Trust Name page, type margiestravel.com as shown in Figure 1-31, and click Next.

    FIGURE 1-31 Set the trust name

  6. On the Trust Type page, select the Forest Trust option as shown in Figure 1-32 and click Next.

    FIGURE 1-32 Configure the trust type

  7. On the Direction Of Trust page, click Two-Way and click Next.
  8. On the Sides Of Trust page, click This Domain Only and then click Next.
  9. On the Outgoing Trust Authentication Level page, click the Forest-Wide Authentication option as shown in Figure 1-33 and click Next.

    FIGURE 1-33 Configure the trust authentication level

  10. On the Trust Password page, type Pa$$w0rd in the Trust Password and Confirm Trust Password text boxes. Click Next three times.
  11. On the Confirm Outgoing Trust page, click No, Do Not Confirm The Outgoing Trust and click Next.
  12. On the Confirm Incoming Trust page, click No, Do Not Confirm The Incoming Trust, click Next, and click Finish.

Exercise 9: Complete the creation of the forest trust relationship between contoso.com and margiestravel.com

In this exercise, you configure the margiestravel.com side of a forest trust relationship between the contoso.com and margiestravel.com forests. To complete this exercise, perform the following steps:

  1. In the Tools menu of the Server Manager console on MEL-DC, click Active Directory Domains And Trusts.
  2. In the Active Directory Domains And Trusts console, right-click Margiestravel.com and click Properties.
  3. On the Trusts tab of the Margiestravel.com Properties dialog box, shown in Figure 1-34, click New Trust.

    FIGURE 1-34 View the current trusts

  4. On the Welcome To The New Trust Wizard page, click Next.
  5. On the Trust Name page of the New Trust Wizard, type contoso.com in the Name text box and click Next.
  6. On the Trust Type page, click Forest Trust and click Next.
  7. On the Direction Of Trust page, click Two-Way as shown in Figure 1-35 and click Next.

    FIGURE 1-35 Configure the direction of the trust

  8. On the Sides Of Trust page, click This Domain Only and click Next.
  9. On the Outgoing Trust Authentication Level page, click Forest-Wide Authentication and click Next.
  10. On the Trust Password page, type Pa$$w0rd in the Trust Password and Confirm Trust Password text boxes. Click Next three times.
  11. On the Confirm Outgoing Trust page, click Yes, Confirm the Outgoing Trust as shown in Figure 1-36, and click Next.

    FIGURE 1-36 Confirm the outgoing trust

  12. On the Confirm Incoming Trust page, click Yes, Confirm The Incoming Trust. In the User Name text box, type contoso\don_funk and in the Password text box type Pa$$w0rd as shown in Figure 1-37. Click Next.

    FIGURE 1-37 Confirm the incoming trust

  13. On the Completing The New Trust Wizard page verify that the trust is successfully created as shown in Figure 1-38 and click Finish. Click OK to close the Margiestravel.com Properties dialog box.

    FIGURE 1-38 Confirm the trust creation

Exercise 10: Configure name suffix routing

In this exercise, you configure the forest trust between the margiestravel.com forest and the contoso.com forest so that name suffix routing is supported for the wingtiptoys.com domain tree. To complete this exercise, perform the following steps:

  1. In the Active Directory Domains and Trusts console on MEL-DC, right-click Margiestravel.com and click Properties.
  2. On the Trusts tab of the Margiestravel.com Properties dialog box, click Contoso.com in the Domains Trusted By This Domain (Outgoing Trusts) area, as shown in Figure 1-39, and then click Properties.

    FIGURE 1-39 Editing the properties of trusts

  3. On the Name Suffix Routing tab of the Contoso.com Properties dialog box, click *.wingtiptoys.com and then click Enable as shown in Figure 1-40.

    FIGURE 1-40 Configure the Name Suffix Routing

  4. On the General tab of the Contoso.com Properties dialog box, click Validate.
  5. On the Active Directory Domain Services dialog box, click Yes, Validate The Incoming Trust, enter the user name contoso\don_funk and the password Pa$$w0rd, and click OK.
  6. Click OK on the Active Directory Domain Services dialog box and then click Yes on the second Active Directory Domain Services dialog box.
  7. Click OK to close the Contoso.com Properties dialog box.
  8. In the Domains That Trust This Domain (Incoming Trusts) list, click Contoso.com as shown in Figure 1-41 and then click Properties.

    FIGURE 1-41 Trusts for the margiestravel.com domain

  9. On the Name Suffix Routing tab of the Contoso.com Properties dialog box verify that both *.contoso.com and *.wingtiptoys.com are enabled and then click OK.
  10. Click OK to close the Margiestravel.com Properties dialog box.
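Once Exercises 8 to 10 are complete, it is worth confirming from the command line what the wizards produced, because the trust attributes (direction, transitivity, SID filtering, authentication level) are the security-relevant part of the configuration and are easy to misread in the dialog boxes. The block below is an added example and not code from the book. It uses the `Get-ADTrust` cmdlet and the `netdom trust` tool that ship with the AD DS management tools; the `/ToggleSuffix` index shown is a placeholder that must be read from the preceding listing.

```powershell
# Added example, not part of the book's exercises: verify the forest trust from
# Exercises 8 and 9 and inspect name suffix routing from Exercise 10.
Import-Module ActiveDirectory

# One object per trust partner. For the new forest trust expect:
#   Direction               BiDirectional   (Two-Way in the wizard)
#   ForestTransitive        True            (Forest Trust, not External)
#   IntraForest             False
#   SIDFilteringForestAware True            (default for forest trusts: SIDs that do not
#                                            belong to the trusted forest are dropped from
#                                            incoming tokens)
#   SelectiveAuthentication False           (Forest-Wide Authentication; Exercise 11 flips it)
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringForestAware

# Secure-channel check against the partner forest in both directions; a healthy trust
# is reported as verified.
netdom trust contoso.com /domain:margiestravel.com /verify /twoway        # on SYD-DC
netdom trust margiestravel.com /domain:contoso.com /verify /twoway        # on MEL-DC

# Name suffix routing (Exercise 10), seen from margiestravel.com: lists every suffix the
# contoso.com forest advertises (*.contoso.com, *.wingtiptoys.com, alternative UPN
# suffixes) with its routing status and an index number.
netdom trust margiestravel.com /domain:contoso.com /NameSuffixes:contoso.com   # on MEL-DC

# Enable or disable one suffix by the index printed in the listing above. The "2" is a
# placeholder for this example; read the real index from the output. Running the same
# command again toggles the suffix back.
netdom trust margiestravel.com /domain:contoso.com /NameSuffixes:contoso.com /ToggleSuffix:2
```

Routing a suffix such as *.wingtiptoys.com is what lets a margiestravel.com DC forward authentication requests for that tree across the trust; a suffix that is disabled, or that conflicts with a name already used in the local forest, is simply not routed, which is why step 9 checks both suffixes are enabled.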

Exercise 11: Configure selective authentication

In this exercise, you configure selective authentication. You configure the trust to use selective authentication, create a user group in one forest, and create a computer account in the other forest. You then configure the computer account so that members of the user group in the trusted forest can authenticate when connecting to that computer. To complete this exercise, perform the following steps:

  1. When signed on to SYD-DC as contoso\don_funk, click Active Directory Users And Computers on the Tools menu of the Server Manager console.
  2. In Active Directory Users And Computers, right-click the Users container, click New, and click Group.
  3. On the New Object – Group dialog box, type Research as the group name, set the group scope to Universal as shown in Figure 1-42, and click OK.

    FIGURE 1-42 Create a new universal group

  4. On MEL-DC, right-click Margiestravel.com in the Active Directory Domains And Trusts console and click Properties.
  5. On the Trusts tab of the Margiestravel.com Properties dialog box, click Contoso.com in the Domains That Trust This Domain (Incoming Trusts) list and click Properties.
  6. On the Authentication tab of the Contoso.com Properties dialog box, click Selective Authentication as shown in Figure 1-43.

    FIGURE 1-43 Configure selective authentication

  7. On the General tab of the Contoso.com Properties dialog box, shown in Figure 1-44, click Validate.

    FIGURE 1-44 Validate authentication

  8. On the Active Directory Domain Services dialog box, click Yes to validate the incoming trust. Enter the user name as contoso\don_funk, type the password as Pa$$w0rd, and then click OK twice.
  9. Click Yes on the Active Directory Domain Services dialog box and then click OK twice to close the Contoso.com Properties and Margiestravel.com Properties dialog boxes.
  10. Click Active Directory Users And Computers in the Tools menu of the Server Manager console.
  11. Right-click the Computers node and click New and then click Computer.
  12. In the New Object – Computer dialog box, type the name SelectiveAuthRDP as shown in Figure 1-45 and click OK.

    FIGURE 1-45 Create new computer object

  13. On the View menu of the Active Directory Users And Computers console, enable Advanced Features.
  14. Right-click the SelectiveAuthRDP computer object and click Properties.
  15. On the Security tab of the SelectiveAuthRDP Properties dialog box, shown in Figure 1-46, click Add.

    FIGURE 1-46 Add a user

  16. On the Select Users, Computers, Service Accounts, Or Groups dialog box, click Locations.
  17. On the Locations dialog box, click Contoso.com as shown in Figure 1-47 and then click OK.

    FIGURE 1-47 The Locations dialog box

  18. In the Select Users, Computers, Service Accounts, Or Groups dialog box, type Research, click Check Names, and click OK.
  19. On the SelectiveAuthRDP Properties dialog box, click Research (Contoso\Research) and click the Allow check box next to the Allowed To Authenticate permission as shown in Figure 1-48. Click OK.

    FIGURE 1-48 Configure the Allowed To Authenticate permission
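Selective authentication only does its job if the Allowed To Authenticate right is granted deliberately and can be audited later, so the scripted form of this exercise is more useful than the dialog boxes once the lab works. The block below is an added example, not the book's code: it performs Exercise 11 on MEL-DC with PowerShell and `netdom`, looks the extended right up in the schema by its display name instead of hard-coding its GUID, and finishes with an audit that is this example's own addition. It assumes the signed-in account can read the Research group in contoso.com across the trust.

```powershell
# Added example, not part of the book's exercises: Exercise 11 from PowerShell on MEL-DC,
# signed in as a margiestravel.com administrator. The audit at the end is an addition.
Import-Module ActiveDirectory

# 1. Put the incoming trust from contoso.com into selective authentication. From now on a
#    contoso.com principal can authenticate only to margiestravel.com computers on which it
#    holds the Allowed to Authenticate right; elsewhere the logon fails although the trust exists.
netdom trust margiestravel.com /domain:contoso.com /SelectiveAuth:yes
(Get-ADTrust -Identity contoso.com).SelectiveAuthentication      # expected: True

# 2. The computer object that Research members are allowed to authenticate to
New-ADComputer -Name SelectiveAuthRDP -Path "CN=Computers,$((Get-ADDomain).DistinguishedName)"

# 3. Resolve the control access right from the configuration partition by display name
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfgNc" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Allowed to Authenticate))' `
    -Properties rightsGuid
$rightGuid = [guid]$right.rightsGuid

# 4. Grant the right to contoso\Research (resolved across the trust) on the computer object
$researchSid = (Get-ADGroup -Identity Research -Server contoso.com).SID
$computerDn  = (Get-ADComputer -Identity SelectiveAuthRDP).DistinguishedName
$acl = Get-Acl -Path "AD:\$computerDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $researchSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$computerDn" -AclObject $acl

# 5. Audit: which computers in this domain let principals from the contoso.com domain
#    authenticate? Under selective authentication this list is the real exposure to the
#    trusted forest. Repeat with canberra.contoso.com and wingtiptoys.com to cover the
#    whole trusted forest.
$foreignDomainSid = (Get-ADDomain -Server contoso.com).DomainSID
Get-ADComputer -Filter * | ForEach-Object {
    $dn = $_.DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.ObjectType -eq $rightGuid -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            if ($sid.IsEqualDomainSid($foreignDomainSid)) {
                [pscustomobject]@{ Computer = $dn; GrantedTo = $_.IdentityReference.Value }
            }
        }
}
```

After step 4 the audit should list exactly one row, SelectiveAuthRDP granted to CONTOSO\Research; any additional rows are computers someone else has opened to the trusted forest.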

Exercise 12: Configure additional UPN suffixes

In this exercise, you configure additional UPN suffixes. To complete this exercise, perform the following steps:

  1. When signed on to SYD-DC as contoso\don_funk, switch to the Active Directory Domains And Trusts console.
  2. In the Active Directory Domains And Trusts console, right-click Active Directory Domains And Trusts and click Properties.
  3. On the UPN Suffixes tab of the Active Directory Domains And Trusts dialog box, type contoso.internal in the Alternative UPN Suffixes text box and then click Add as shown in Figure 1-49. Click OK.

    FIGURE 1-49 Configure a UPN suffix
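The UPN suffix list is forest-wide configuration, and it also feeds name suffix routing on any forest trust, so it pays to keep it tidy. The block below is an added example, not code from the book: it adds the suffix from Exercise 12 with `Set-ADForest` and then runs a check, of this example's own design, for users whose UPN suffix is not one the forest advertises.

```powershell
# Added example, not part of the book's exercises: Exercise 12 from PowerShell on SYD-DC.
Import-Module ActiveDirectory

# Add the alternative suffix (forest-wide setting, so -Identity names the forest root)
Set-ADForest -Identity contoso.com -UPNSuffixes @{ Add = 'contoso.internal' }

# The suffixes a user may carry: every domain DNS name in the forest plus the alternatives
$forest = Get-ADForest -Identity contoso.com
$validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
$validSuffixes

# Check: users whose UPN suffix is not in that list. Such a suffix is not advertised to
# trusted forests through name suffix routing, so those accounts cannot log on across a
# forest trust by UPN, and the suffix usually points at a decommissioned domain or a typo.
Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties UserPrincipalName |
    Where-Object { ($_.UserPrincipalName -split '@')[-1] -notin $validSuffixes } |
    Select-Object SamAccountName, UserPrincipalName
```

To actually use the new suffix, set a user's `UserPrincipalName` to `name@contoso.internal` with `Set-ADUser`; the check above will then accept it because contoso.internal is now in the forest's list.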

Exercise 13: Configure a shortcut trust

In this exercise, you configure a shortcut trust between the Canberra.contoso.com domain and the wingtiptoys.com domain. To complete this exercise, perform the following steps:

  1. Sign on to CBR-DC as canberra\administrator.
  2. In the Server Manager console, click the Tools menu and then click DNS.
  3. In the DNS Manager console, expand CBR-DC, right-click Forward Lookup Zones, and click New Zone.
  4. On the Welcome To The New Zone Wizard page, click Next.
  5. On the Zone Type page of the New Zone Wizard, click Stub Zone and ensure that the Store The Zone In Active Directory (Available Only If The DNS Server Is A Writable Domain Controller) check box is selected as shown in Figure 1-50 and click Next twice.

    FIGURE 1-50 Create a stub zone

  6. On the Zone Name page, type wingtiptoys.com and click Next.
  7. On the Master DNS Servers page, type 10.10.10.20 in the list of master DNS servers and press Enter as shown in Figure 1-51. Click Next and then click Finish.

    FIGURE 1-51 Configure a master DNS server

  8. In the Server Manager console, click the Tools menu and then click Active Directory Domains And Trusts.
  9. In the Active Directory Domains And Trusts console, expand the Contoso.com node, right-click Canberra.contoso.com, and click Properties.
  10. On the Trusts tab of the Canberra.contoso.com Properties dialog box, shown in Figure 1-52, click New Trust.

    FIGURE 1-52 Create a new trust

  11. On the Welcome To The New Trust Wizard page, click Next.
  12. On the Trust Name page of the New Trust Wizard, type wingtiptoys.com and click Next.
  13. On the Direction Of Trust page, click Two-Way and click Next.
  14. On the Sides Of Trust page, click Both This Domain And The Specified Domain as shown in Figure 1-53 and click Next.

    FIGURE 1-53 Configure trust sides

  15. On the User Name And Password page, type wingtiptoys\administrator in the user name text box, type Pa$$w0rd in the password text box, and click Next three times.
  16. On the Confirm Outgoing Trust page, click Yes, Confirm The Outgoing Trust as shown in Figure 1-54, and click Next.

    FIGURE 1-54 Confirm the trust

  17. On the Confirm Incoming Trust page, click Yes, Confirm The Incoming Trust and click Next.
  18. Verify that the trust relationship was successfully created and click Finish.
  19. Verify that the Wingtiptoys.com trust is listed as a shortcut trust as shown in Figure 1-55 and then click OK.

    FIGURE 1-55 Verify the trust type
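Step 19 asks you to confirm that the new trust is listed as a shortcut trust. The block below is an added example, not the book's code: it creates the stub zone from steps 3 to 7 with the DnsServer module and then classifies every trust the Canberra domain holds from the attributes `Get-ADTrust` exposes. The classification function is this example's own; the host names, addresses and domain names are the ones the exercise uses.

```powershell
# Added example, not part of the book's exercises: Exercise 13 checked from CBR-DC.
Import-Module ActiveDirectory

# Steps 3-7: stub zone so canberra.contoso.com DCs can locate wingtiptoys.com DCs
# (the wizard's default replication scope is the domain)
Add-DnsServerStubZone -Name wingtiptoys.com -MasterServers 10.10.10.20 -ReplicationScope Domain

# Classification built from the trust object's flags (this example's own heuristic):
# an intra-forest trust that is neither the parent link nor a tree-root link is a shortcut.
# Without it, a Canberra user reaching a wingtiptoys.com resource is referred up to
# contoso.com and across to the tree root; with it, the referral goes to wingtiptoys.com directly.
function Get-TrustKind {
    param($Trust)
    if ($Trust.IntraForest -and $Trust.IsTreeParent) { return 'Parent-child' }
    if ($Trust.IntraForest -and $Trust.IsTreeRoot)   { return 'Tree root' }
    if ($Trust.IntraForest)                          { return 'Shortcut' }
    if ($Trust.ForestTransitive)                     { return 'Forest' }
    return 'External or realm'
}

Get-ADTrust -Filter * -Server canberra.contoso.com |
    Select-Object Name, Direction, IntraForest, IsTreeParent, IsTreeRoot,
                  @{ Name = 'Kind'; Expression = { Get-TrustKind $_ } }
# Expected after step 19: contoso.com as Parent-child and wingtiptoys.com as Shortcut.

# Secure-channel check of the new shortcut trust in both directions
netdom trust canberra.contoso.com /domain:wingtiptoys.com /verify /twoway
```

Because a shortcut trust is intra-forest, SID filtering does not apply to it the way it does to the forest trust in Exercise 9; that is expected for domains in one forest and is one more reason to keep the two trust kinds apart when you inventory them.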