Configuring Windows Server® 2012 Advanced Services: Advanced Active Directory Infrastructure
- 11/15/2013
Practice exercises
The goal of this section is to provide you with hands-on practice with the following:
Creating a forest trust
Configuring name suffix routing
Configuring selective authentication
Configuring UPN suffixes
Configuring a shortcut trust
To perform the exercises in this section, you need access to an evaluation version of Windows Server 2012. You should also have access to virtual machines SYD-DC, MEL-DC, CBR-DC, and ADL-DC, the setup instructions for which are as described in the Introduction. You should ensure that you have a snapshot of these virtual machines that you can revert to at the end of the practice exercises.
Exercise 1: Prepare a domain controller to host a child domain with a contiguous namespace
In this exercise, you prepare CBR-DC to function as a domain controller for a child domain of the contoso.com domain. To complete this exercise, perform the following steps:
Power on SYD-DC and log in as contoso\don_funk with the password Pa$$w0rd.
Click the Tools menu in the Server Manager console, and click DNS.
In the DNS Manager console, expand SYD-DC and Forward Lookup Zones.
Verify that the following lookup zones are present as shown in Figure 1-15:
_msdcs.contoso.com
contoso.com
Figure 1-15 Verify the DNS configuration
Power on CBR-DC and sign on as Administrator with the password Pa$$w0rd.
In Server Manager, click the Local Server node.
In the Properties area, click 10.10.10.30 next to Ethernet.
In the Network Connections window, right-click Ethernet and click Properties.
In the Ethernet Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
Verify that the Preferred DNS Server is set to 10.10.10.10, as shown in Figure 1-16, click OK, and then click Close.
Figure 1-16 Verify the Internet Protocol (IP) address configuration
In the Server Manager console, click Manage and then click Add Roles and Features.
On the Before You Begin page of the Add Roles and Features Wizard, click Next three times.
On the Select Server Roles page, click the Active Directory Domain Services check box as shown in Figure 1-17.
On the Add Roles and Features Wizard, click Add Features.
Figure 1-17 Add the AD DS role
On the Select Server Roles page, click Next three times and click Install. When the installation completes, click Close.
Exercise 2: Create a child domain with a contiguous namespace
In this exercise, you configure CBR-DC to host the canberra.contoso.com child domain, whose name sits directly beneath contoso.com in DNS. To complete this exercise, perform the following steps:
In the Server Manager console on CBR-DC, click the Notifications item and then click Promote This Server to a Domain Controller.
On the Deployment Configuration page, click Add a New Domain to an Existing Forest.
On the Select Domain Type drop-down menu, select Child Domain.
Click Select next to Parent Domain Name.
In the Windows Security dialog box, enter the user name contoso\don_funk, enter the password Pa$$w0rd, and click OK.
In the Select a Domain from the Forest dialog box, click contoso.com as shown in Figure 1-18 and then click OK.
Figure 1-18 Select the domain in the forest
In the New Domain Name text box enter the name Canberra as shown in Figure 1-19 and then click Next.
Figure 1-19 Configure the child domain
On the Domain Controller Options page, type Pa$$w0rd in both the Password and Confirm Password text boxes to set the DSRM password, and click Next.
On the DNS Options page, ensure that the settings match those in Figure 1-20 and click Next.
Figure 1-20 Configure the delegation credentials
On the Additional Options page, verify that the NetBIOS domain name is set to CANBERRA, click Next three times, and click Install.
After CBR-DC restarts, sign on as Canberra\Administrator with the password Pa$$w0rd.
Switch to SYD-DC. In the DNS Manager console, expand the contoso.com zone and verify that the delegation for canberra.contoso.com created during the promotion is present, as shown in Figure 1-21.
Figure 1-21 Verify the DNS zone
Exercise 3: Prepare domain controller to host the wingtiptoys.com tree in the contoso.com forest
In this exercise, you prepare computer ADL-DC so that it can be promoted to a domain controller. To complete this exercise, perform the following steps:
Sign on to ADL-DC as Administrator with the password Pa$$w0rd.
In Server Manager, click the Local Server node.
In the Properties area, click 10.10.10.20 next to Ethernet.
In the Network Connections window, right-click Ethernet and click Properties.
In the Ethernet Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
Verify that the Preferred DNS server is set to 10.10.10.10 and then click OK. Click Close.
In the Server Manager console, click Manage and then click Add Roles and Features.
On the Before You Begin page of the Add Roles and Features Wizard, click Next three times.
On the Select Server Roles page, click the Active Directory Domain Services check box.
On the Add Roles and Features Wizard, click Add Features.
On the Select Server Roles page, click Next three times and click Install. When the installation completes, click Close.
Exercise 4: Promote domain controller for new tree in contoso.com forest
In this exercise, you promote ADL-DC to domain controller of a new domain tree in an existing Active Directory forest. To complete this exercise, perform the following steps:
In the Server Manager console on ADL-DC, click the Notifications item and then click Promote This Server to a Domain Controller.
On the Deployment Configuration page, click Add a New Domain to an Existing Forest.
On the Select Domain Type drop-down menu, click Tree Domain.
In the Forest Name text box, type contoso.com.
In the New Domain Name text box, type wingtiptoys.com.
Next to <No Credentials Provided>, click Change.
On the Windows Security dialog box, enter the user name as contoso\don_funk, enter the password as Pa$$w0rd, and click OK.
Verify that the Deployment Configuration page matches Figure 1-22 and then click Next.
Figure 1-22 Add a domain tree
On the Domain Controller Options page, enter the DSRM password Pa$$w0rd in both the Password and Confirm Password text boxes and then click Next.
On the DNS Options page, review the warning and click Next.
On the Additional Options page, verify that the NetBIOS name is set to WINGTIPTOYS as shown in Figure 1-23. Click Next three times and then click Install.
Figure 1-23 Verify the NetBIOS name
After the computer restarts, sign in as WINGTIPTOYS\Administrator with the password Pa$$w0rd.
Exercise 5: Prepare a domain controller to host a new forest
In this exercise, you configure MEL-DC so that it is able to host the new forest margiestravel.com. To complete this exercise, perform the following steps:
Sign on to MEL-DC as Administrator with the password Pa$$w0rd.
In Server Manager, click the Local Server node.
In the Properties area, click 10.10.10.40 next to Ethernet.
In the Network Connections window, right-click Ethernet and click Properties.
In the Ethernet Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
Verify that the Preferred DNS server is set to 10.10.10.10, click OK, and then click Close.
In the Server Manager console, click Manage and then click Add Roles and Features.
On the Before You Begin page of the Add Roles and Features Wizard, click Next three times.
On the Select Server Roles page, click the Active Directory Domain Services check box.
On the Add Roles and Features Wizard, click Add Features.
On the Select Server Roles page, click Next three times and then click Install. When the installation completes, click Close.
Exercise 6: Create new forest
In this exercise, you configure MEL-DC as the first domain controller in a new forest. To complete this exercise, perform the following steps:
In the Server Manager console on MEL-DC, click the Notifications item and then click Promote This Server to a Domain Controller.
On the Deployment Configuration page, click Add a new forest.
In the Root Domain Name textbox, type margiestravel.com as shown in Figure 1-24 and click Next.
Figure 1-24 Add a new forest
On the Domain Controller Options page, ensure that Domain Name System (DNS) Server is selected, enter the DSRM password Pa$$w0rd in both the Password and Confirm Password text boxes as shown in Figure 1-25, and click Next twice.
Figure 1-25 The Domain Controller options page
On the Additional Options page, verify that the NetBIOS domain name is set to MARGIESTRAVEL, click Next three times, and then click Install.
After the server restarts, sign on as MARGIESTRAVEL\Administrator with the password Pa$$w0rd.
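The same six exercises as an added PowerShell example (it is not part of the original page, and not a Microsoft script). It uses the ADDSDeployment, DnsClient, DnsServer and ActiveDirectory cmdlets that ship with Windows Server 2012. Server names, IP addresses and domain names are those of the lab; the passwords are prompted for rather than written into the script, and the hashtable names ($child, $tree, $forest) are just mine. Run the common section on each of CBR-DC, ADL-DC and MEL-DC, then the section for that server; the closing checks run on SYD-DC once the promoted servers have rebooted.

```powershell
# Added example: Exercises 1 to 6 scripted. Run each section on the server named in its comment.

# --- Common preparation on CBR-DC, ADL-DC and MEL-DC (Exercises 1, 3, 5) ---------------------
# A promotion that cannot resolve contoso.com fails its prerequisite check, so confirm the
# preferred DNS server is SYD-DC before the role goes on (the step Figure 1-16 verifies).
$dns = Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4
if ($dns.ServerAddresses[0] -ne '10.10.10.10') {
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.10.10.10'
}
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$cred = Get-Credential -UserName 'contoso\don_funk' -Message 'Enterprise Admins account in contoso.com'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for this domain controller'

# --- Exercise 2: CBR-DC becomes the first DC of the child domain canberra.contoso.com ----------
$child = @{
    NewDomainName                 = 'canberra'       # FQDN becomes canberra.contoso.com
    NewDomainNetbiosName          = 'CANBERRA'
    ParentDomainName              = 'contoso.com'
    DomainType                    = 'ChildDomain'
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
    CreateDnsDelegation           = $true            # writes the canberra delegation into contoso.com
}
Test-ADDSDomainInstallation @child                   # prerequisite checks only, changes nothing
Install-ADDSDomain @child -Force                     # reboots when done

# --- Exercise 4: ADL-DC becomes the root of the new tree wingtiptoys.com in the contoso.com forest
# For a tree domain -ParentDomainName names the forest root. There is no delegation to create,
# because wingtiptoys.com is not below contoso.com in DNS (the reason for the DNS Options warning).
$tree = @{
    NewDomainName                 = 'wingtiptoys.com'
    NewDomainNetbiosName          = 'WINGTIPTOYS'
    ParentDomainName              = 'contoso.com'
    DomainType                    = 'TreeDomain'
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
}
Test-ADDSDomainInstallation @tree
Install-ADDSDomain @tree -Force

# --- Exercise 6: MEL-DC becomes the first DC of a separate forest, margiestravel.com -----------
# No credential: a new forest has no existing authority to ask.
$forest = @{
    DomainName                    = 'margiestravel.com'
    DomainNetbiosName             = 'MARGIESTRAVEL'
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
}
Test-ADDSForestInstallation @forest
Install-ADDSForest @forest -Force

# --- Checks from SYD-DC after the reboots (the scripted form of Figure 1-21) -------------------
Get-DnsServerZoneDelegation -Name 'contoso.com'            # expect a canberra delegation pointing at CBR-DC
(Get-ADForest -Identity 'contoso.com').Domains              # contoso.com, canberra.contoso.com, wingtiptoys.com
Get-ADDomain -Identity 'canberra.contoso.com' | Select-Object DNSRoot, ParentDomain, NetBIOSName
```

Test-ADDSDomainInstallation and Test-ADDSForestInstallation run the same prerequisite checks the wizard shows on its last page without touching the server, which is the step to put in front of any unattended promotion. Because each section runs on a different server, $cred and $dsrm are prompted again on each one; outside a lab, give every domain its own DSRM password, since that password is a local administrator credential on the domain controller.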
Exercise 7: Prepare to configure a forest trust relationship
In this exercise, you prepare for a forest trust between the contoso.com forest and the margiestravel.com forest by creating a stub zone in each forest for the other forest's DNS namespace, so that domain controllers on each side can locate those of the other. To complete this exercise, perform the following steps:
While logged onto SYD-DC as contoso\don_funk, open the DNS Manager console from the Tools menu in the Server Manager console.
Right-click on Forward Lookup Zones and click New Zone.
On the Welcome to the New Zone Wizard page, click Next.
On the Zone Type page, click Stub Zone and ensure that the Store the Zone in Active Directory check box is selected as shown in Figure 1-26. Click Next.
Figure 1-26 Configure the zone type
On the Active Directory Zone Replication Scope page, click To All DNS Servers Running on Domain Controllers in this Forest: contoso.com and click Next.
In the Zone Name text box, enter margiestravel.com and click Next.
On the Master DNS Servers page, type the IP address 10.10.10.40 in the list of master servers as shown in Figure 1-27, click Next, and then click Finish.
Figure 1-27 Configure the stub zone master servers
On MEL-DC, ensure that you are signed in as MARGIESTRAVEL\Administrator with the password Pa$$w0rd.
Open the DNS Manager console from the Tools menu in the Server Manager console.
In the DNS Manager console, right-click Forward Lookup Zones and click New Zone.
On the Welcome to the New Zone Wizard page, click Next.
On the Zone Type page, click Stub Zone and ensure that the Store the Zone in Active Directory check box is selected. Click Next.
On the Active Directory Zone Replication Scope page, click To All DNS Servers Running on Domain Controllers in This Forest: margiestravel.com as shown in Figure 1-28. Click Next.
Figure 1-28 Configure the zone replication scope
On the Zone Name page, enter the name contoso.com in the Zone Name text box and click Next.
On the Master DNS Servers page, enter the IP address 10.10.10.10 in the Master Servers list as shown in Figure 1-29, click Next, and click Finish.
Figure 1-29 Configure the master DNS servers
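The two stub zones of this exercise as an added PowerShell example (not from the original page), using the DnsServer module of Windows Server 2012 together with a verification function of my own, Test-ForestResolution. Zone names and master IP addresses are the lab's.

```powershell
# Added example: Exercise 7 scripted, plus the checks the New Zone Wizard never shows.
Import-Module DnsServer

# On SYD-DC (contoso.com forest): learn the SOA, NS and glue records of margiestravel.com from MEL-DC.
# -ReplicationScope Forest is "To All DNS Servers Running on Domain Controllers in This Forest".
Add-DnsServerStubZone -Name 'margiestravel.com' -MasterServers '10.10.10.40' -ReplicationScope Forest

# On MEL-DC (margiestravel.com forest): the mirror image, pointing at SYD-DC.
Add-DnsServerStubZone -Name 'contoso.com' -MasterServers '10.10.10.10' -ReplicationScope Forest

function Test-ForestResolution {
    param([string]$ForestName)
    # A stub zone carries only SOA, NS and glue; every other name is fetched from the master on
    # demand. A usable zone must (1) be the DS-integrated stub we intended and (2) let this server
    # find the other forest's domain controllers, which is what the trust wizard will need.
    $zone = Get-DnsServerZone -Name $ForestName
    if ($zone.ZoneType -ne 'Stub' -or -not $zone.IsDsIntegrated) {
        throw "$ForestName is not an AD-integrated stub zone (type=$($zone.ZoneType))"
    }
    # Domain controller locator record; resolving it proves the master answered for the zone.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestName" -Type SRV -ErrorAction Stop
    $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget, Port, Priority
}
Test-ForestResolution -ForestName 'margiestravel.com'   # on SYD-DC: expect mel-dc.margiestravel.com
Test-ForestResolution -ForestName 'contoso.com'         # on MEL-DC: expect syd-dc.contoso.com
```

A stub zone is a dependency on the other forest's DNS: if 10.10.10.40 is unreachable, margiestravel.com names stop resolving on the contoso.com side and the trust cannot be validated. A conditional forwarder to the same address is the usual alternative; the exercise uses stub zones because they replicate through Active Directory and update their NS list automatically.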
Exercise 8: Begin creating a forest trust relationship
In this exercise, you configure the contoso.com side of a forest trust relationship between the contoso.com and margiestravel.com forests. To complete this exercise, perform the following steps:
On the Tools menu of the Server Manager console on SYD-DC, click Active Directory Domains and Trusts.
In the Active Directory Domains and Trusts console, right-click contoso.com and click Properties.
On the Trusts tab of the contoso.com Properties dialog box, shown in Figure 1-30, click New Trust.
Figure 1-30 Create the new trust
On the Welcome to the New Trust Wizard page, click Next.
On the Trust Name page, type margiestravel.com as shown in Figure 1-31, and click Next.
Figure 1-31 Set the trust name
On the Trust Type page, click Forest Trust as shown in Figure 1-32 and click Next.
Figure 1-32 Configure the trust type
On the Direction Of Trust page, click Two-Way and click Next.
On the Sides Of Trust page, click This Domain Only and then click Next.
On the Outgoing Trust Authentication Level page, click Forest-Wide Authentication as shown in Figure 1-33 and click Next.
Figure 1-33 Configure the trust authentication level
On the Trust Password page, type Pa$$w0rd in the Trust Password and Confirm Trust Password text boxes. Click Next three times.
On the Confirm Outgoing Trust page, click No, Do Not Confirm the Outgoing Trust and click Next.
On the Confirm Incoming Trust page, click No, Do Not Confirm the Incoming Trust, click Next, and click Finish.
Exercise 9: Complete the creation of the forest trust relationship between contoso.com and margiestravel.com
In this exercise, you configure the margiestravel.com side of a forest trust relationship between the contoso.com and margiestravel.com forests. To complete this exercise, perform the following steps:
In the Tools menu of the Server Manager console on MEL-DC, click Active Directory Domains and Trusts.
In the Active Directory Domains and Trusts console, right-click margiestravel.com and click Properties.
On the Trusts tab of the margiestravel.com Properties dialog box, shown in Figure 1-34, click New Trust.
Figure 1-34 View the current trusts
On the Welcome to the New Trust Wizard page, click Next.
On the Trust Name page of the New Trust Wizard, type contoso.com in the Name text box and click Next.
On the Trust Type page, click Forest Trust and click Next.
On the Direction of Trust page, click Two-way as shown in Figure 1-35 and click Next.
Figure 1-35 Configure the direction of the trust
On the Sides of Trust page, click This Domain Only and click Next.
On the Outgoing Trust Authentication Level page, click Forest-Wide Authentication and click Next.
On the Trust Password page, enter Pa$$w0rd in the Trust Password and Confirm Trust Password text boxes. Click Next three times.
On the Confirm Outgoing Trust page, click Yes, Confirm the Outgoing Trust as shown in Figure 1-36, and click Next.
Figure 1-36 Confirm the outgoing trust
On the Confirm Incoming Trust page, click Yes, Confirm the Incoming Trust. In the User Name text box, type contoso\don_funk and in the Password text box type Pa$$w0rd as shown in Figure 1-37. Click Next.
Figure 1-37 Confirm the incoming trust
On the Completing the New Trust Wizard page verify that the trust is successfully created as shown in Figure 1-38 and click Finish. Click OK to close the margiestravel.com properties dialog box.
Figure 1-38 Confirm the trust creation
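Exercises 8 and 9 as an added PowerShell example (not from the original page), using the System.DirectoryServices.ActiveDirectory classes of the .NET Framework rather than the New Trust Wizard. Each side is created on its own forest, as This Domain Only does in the wizard, and the margiestravel.com side then verifies both directions, as the confirmation pages do. Forest names and the contoso\don_funk account are the lab's; the $Both, $contoso, $margies and $ctxArgs variable names are mine, and the passwords are prompted for.

```powershell
# Added example: Exercises 8 and 9 scripted. Each section runs on the server named in its comment.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory
$Both = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional

# --- Exercise 8, on SYD-DC as contoso\don_funk (Enterprise Admins) ---------------------------
# The trust password is a one-time shared secret: it only has to match on the two sides, and it is
# replaced by machine-generated keys as soon as the trust is confirmed.
$trustPassword = Read-Host -Prompt 'Trust password (same on both sides)'
$contoso = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$contoso.CreateLocalSideOfTrustRelationship('margiestravel.com', $Both, $trustPassword)

# --- Exercise 9, on MEL-DC as MARGIESTRAVEL\Administrator -------------------------------------
$trustPassword = Read-Host -Prompt 'Trust password (same on both sides)'
$margies = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$margies.CreateLocalSideOfTrustRelationship('contoso.com', $Both, $trustPassword)

# "Yes, Confirm the Outgoing/Incoming Trust": bind to contoso.com with an account from that forest
# and verify both directions. A failure here usually means the stub zones from Exercise 7 are wrong
# or the two trust passwords did not match.
$ctxArgs = @(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    'contoso.com', 'contoso\don_funk', (Read-Host -Prompt 'Password for contoso\don_funk')
)
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxArgs
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$margies.VerifyTrustRelationship($remote, $Both)       # throws on failure, returns nothing on success

# What was written: a trustedDomain object on each side. Note the defaults you now live with:
# forest-wide authentication (SelectiveAuthentication False) and SID filtering left on
# (SIDFilteringForestAware False), both of which Exercises 10 and 11 revisit.
Get-ADTrust -Identity 'contoso.com' |
    Format-List Name, Direction, ForestTransitive, IntraForest, SelectiveAuthentication, SIDFilteringForestAware
```

Forest-Wide Authentication means every user in contoso.com (including canberra.contoso.com and wingtiptoys.com, since the trust is transitive across the whole forest) becomes a member of Authenticated Users on every computer in margiestravel.com. Leave SID filtering on: it is what stops a SID from the other forest's SID history being honoured here.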
Exercise 10: Configure name suffix routing
In this exercise, you configure the forest trust between the margiestravel.com forest and the contoso.com forest so that name suffix routing is supported for the wingtiptoys.com domain tree. To complete this exercise, perform the following steps:
In the Active Directory Domains and Trusts console on MEL-DC, right-click margiestravel.com and click Properties.
On the Trusts tab of the margiestravel.com Properties dialog box click contoso.com in the Domains Trusted by This Domain (Outgoing Trusts) area, as shown in Figure 1-39, and then click Properties.
Figure 1-39 Editing the properties of trusts
On the Name Suffix Routing tab of the contoso.com Properties dialog box, click *.wingtiptoys.com and then click Enable as shown in Figure 1-40.
Figure 1-40 Configure name suffix routing
On the General tab of the contoso.com Properties dialog box, click Validate.
On the Active Directory Domain Services dialog box, click Yes, Validate the Incoming Trust, enter the user name contoso\don_funk and the password Pa$$w0rd, and click OK.
Click OK on the Active Directory Domain Services dialog box and then click Yes on the second Active Directory Domain Services dialog box.
Click OK to close the contoso.com Properties dialog box.
In the Domains That Trust This Domain (Incoming Trusts) list, click contoso.com as shown in Figure 1-41 and then click Properties.
Figure 1-41 Trusts for the margiestravel.com domain
On the Name Suffix Routing tab of the contoso.com Properties dialog box verify that both *.contoso.com and *.wingtiptoys.com are enabled and then click OK.
Click OK to close the margiestravel.com Properties dialog box.
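Exercise 10 as an added PowerShell example (not from the original page), read and written through the ForestTrustRelationshipInformation class of the .NET Framework, which is the same data the Name Suffix Routing tab edits. Get-RoutedSuffixes and Enable-RoutedSuffix are functions of my own; the forest names are the lab's. Run it on MEL-DC as MARGIESTRAVEL\Administrator.

```powershell
# Added example: Exercise 10 scripted. The GUI shows suffixes as *.wingtiptoys.com; the stored
# name has no "*." prefix, so the comparison below strips one if present.
Add-Type -AssemblyName System.DirectoryServices
$Enabled = [System.DirectoryServices.ActiveDirectory.TopLevelNameStatus]::Enabled

function Get-RoutedSuffixes {
    param([string]$TargetForest)
    # The routing table held on our side of the forest trust object.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $info   = $forest.GetTrustRelationship($TargetForest)
    [pscustomobject]@{
        TopLevelNames = $info.TopLevelNames | Select-Object Name, Status        # tree roots and UPN suffixes
        Excluded      = $info.ExcludedTopLevelNames                              # suffixes deliberately not routed
        Domains       = $info.TrustedDomainInformation | Select-Object DnsName, NetBiosName, Status
    }
}

function Enable-RoutedSuffix {
    param([string]$TargetForest, [string]$Suffix)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $info   = $forest.GetTrustRelationship($TargetForest)
    $tln    = $info.TopLevelNames | Where-Object { $_.Name.TrimStart('*.') -eq $Suffix }
    if (-not $tln) {
        throw "$Suffix is not a known suffix of $TargetForest; validate the trust to refresh the list"
    }
    if ($tln.Status -ne $Enabled) {
        # A ConflictDisabled entry means the same name exists on both sides; fix the duplicate
        # rather than forcing it, or authentication for that suffix will be ambiguous.
        $tln.Status = $Enabled
        $info.Save()                 # writes the change back to the trust object
    }
    Get-RoutedSuffixes -TargetForest $TargetForest
}

(Get-RoutedSuffixes -TargetForest 'contoso.com').TopLevelNames         # before: wingtiptoys.com not Enabled
(Enable-RoutedSuffix -TargetForest 'contoso.com' -Suffix 'wingtiptoys.com').TopLevelNames
```

The Validate button in the exercise does two jobs: it re-checks the secure channel and it pulls the current suffix list from the other forest, which is how a UPN suffix or tree added later shows up here. Save() only writes the status changes made locally; the list itself always comes from the trusted forest.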
Exercise 11: Configure selective authentication
In this exercise, you configure selective authentication on the margiestravel.com side of the forest trust, create a universal group named Research in the contoso.com forest, and create a computer account named SelectiveAuthRDP in the margiestravel.com forest. You then grant the group the Allowed to Authenticate permission on that computer account, so that members of Research from the trusted contoso.com forest can authenticate when connecting to that computer, and other contoso.com users cannot. To complete this exercise, perform the following steps:
When signed on to SYD-DC as contoso\don_funk, click Active Directory Users and Computers on the Tools menu of the Server Manager console.
In Active Directory Users and Computers, right-click the Users container, click New, and click Group.
On the New Object – Group dialog box, enter the group name as Research, set the group scope to Universal as shown in Figure 1-42, and click OK.
Figure 1-42 Create a new universal group
On MEL-DC, right-click margiestravel.com in the Active Directory Domains and Trusts console and click Properties.
On the Trusts tab of the margiestravel.com Properties dialog box, click contoso.com in the Domains That Trust This Domain (Incoming Trusts) list and click Properties.
On the Authentication tab of the contoso.com Properties dialog box, click Selective Authentication as shown in Figure 1-43.
Figure 1-43 Configure selective authentication
On the General tab of the contoso.com Properties dialog box, shown in Figure 1-44, click Validate.
Figure 1-44 Validate authentication
On the Active Directory Domain Services dialog box, click Yes, Validate the Incoming Trust. Enter the user name contoso\don_funk and the password Pa$$w0rd, and then click OK twice.
Click Yes on the Active Directory Domain Services dialog box and then click OK twice to close the contoso.com Properties and margiestravel.com Properties dialog boxes.
On MEL-DC, click Active Directory Users and Computers in the Tools menu of the Server Manager console.
Right-click the Computers node and click New and then click Computer.
In the New Object – Computer dialog box, enter the name SelectiveAuthRDP as shown in Figure 1-45 and click OK.
Figure 1-45 Create new computer object
Enable Advanced Features on the View menu of the Active Directory Users and Computers console; the Security tab is not displayed until you do.
Right-click the SelectiveAuthRDP computer object and click Properties.
On the Security tab of the SelectiveAuthRDP Properties dialog box, shown in Figure 1-46, click Add.
Figure 1-46 Add a user
On the Select Users, Computers, Service Accounts, or Groups dialog box, click Locations.
On the Locations dialog box, click contoso.com as shown in Figure 1-47 and then click OK.
Figure 1-47 The Locations dialog box
In the Select Users, Computers, Service Accounts, or Groups dialog box, type Research, click Check Names, and click OK.
On the SelectiveAuthRDP Properties dialog box, click Research (Contoso\Research) and select the Allow check box for Allowed to Authenticate, as shown in Figure 1-48. Click OK.
Figure 1-48 Configure Allowed to Authenticate permission
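Exercise 11 as an added PowerShell example (not from the original page). It switches the trust with Forest.SetSelectiveAuthenticationStatus and then adds the Allowed to Authenticate control access right to the computer object's ACL with the ActiveDirectory module's AD: drive. The GUID is the rightsGuid of the Allowed-To-Authenticate control access right in the Active Directory schema; Grant-AllowedToAuthenticate is a function of my own; group, computer and forest names are the lab's.

```powershell
# Added example: Exercise 11 scripted. Each section runs on the server named in its comment.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

# --- On SYD-DC (contoso.com): the group that will be granted access. Universal scope matters:
# a global group's membership is not carried in a cross-forest ticket, a universal group's is.
New-ADGroup -Name 'Research' -GroupScope Universal -GroupCategory Security -Path 'CN=Users,DC=contoso,DC=com'

# --- On MEL-DC (margiestravel.com): restrict the trust. Until this is set, every contoso.com user
# is a member of Authenticated Users on every margiestravel.com computer.
$margies = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$margies.SetSelectiveAuthenticationStatus('contoso.com', $true)
$margies.GetSelectiveAuthenticationStatus('contoso.com')      # True

# The computer whose resources the trusted group may reach. With selective authentication on, a
# domain controller in this forest issues a ticket for a computer only if the caller holds
# Allowed to Authenticate on that computer's account object.
New-ADComputer -Name 'SelectiveAuthRDP' -Path 'CN=Computers,DC=margiestravel,DC=com'
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # Allowed-To-Authenticate rightsGuid

function Grant-AllowedToAuthenticate {
    param([string]$ComputerName, [string]$Account)   # $Account as DOMAIN\group, e.g. CONTOSO\Research
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    # Resolve the trusted-forest group to a SID through the trust, as the object picker does.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$dn"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate
    )
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    # Read it back: these ACEs are the whole access list that selective authentication consults.
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.ObjectType -eq $AllowedToAuthenticate } |
        Select-Object IdentityReference, AccessControlType
}
Grant-AllowedToAuthenticate -ComputerName 'SelectiveAuthRDP' -Account 'CONTOSO\Research'
```

Two things to check after doing this for real: first, the permission must be on the computer account of the server that hosts the resource (a file server, an RDP host), not on a domain controller; second, the setting is per trust direction, so contoso.com still offers forest-wide authentication to margiestravel.com users unless the same change is made on SYD-DC.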
Exercise 12: Configure additional UPN suffixes
In this exercise, you configure additional UPN suffixes. To complete this exercise, perform the following steps:
When signed on to SYD-DC as contoso\don_funk, switch to the Active Directory Domains and Trusts console.
In the Active Directory Domains and Trusts console, right-click Active Directory Domains and Trusts and click Properties.
On the UPN Suffixes tab of the Active Directory Domains and Trusts dialog box, type contoso.internal in the Alternative UPN Suffixes text box and then click Add as shown in Figure 1-49. Click OK.
Figure 1-49 Configure a UPN suffix
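Exercise 12 as an added PowerShell example (not from the original page). UPN suffixes are a forest-wide setting, so the cmdlet is Set-ADForest; the don_funk account is used only to show the suffix being taken into use, which the exercise itself does not do. Run on SYD-DC as contoso\don_funk.

```powershell
# Added example: Exercise 12 scripted, with the step that gives the suffix an effect.
Import-Module ActiveDirectory
$suffix = 'contoso.internal'

$forest = Get-ADForest -Identity 'contoso.com'
if ($forest.UPNSuffixes -notcontains $suffix) {
    # @{Add=...} appends to the list; passing a plain array would replace every existing suffix.
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $suffix }
}
(Get-ADForest -Identity 'contoso.com').UPNSuffixes          # contoso.internal is now listed

# A registered suffix changes nothing until an account carries it. Keep the left-hand side equal
# to the sAMAccountName so the two logon names stay in step.
$user = Get-ADUser -Identity 'don_funk'
Set-ADUser -Identity $user -UserPrincipalName ('{0}@{1}' -f $user.SamAccountName, $suffix)
(Get-ADUser -Identity 'don_funk').UserPrincipalName         # don_funk@contoso.internal
```

Across the forest trust a UPN suffix is only usable if margiestravel.com routes it, which is the list edited in Exercise 10; the new suffix appears there after the trust is next validated. Pick suffixes that are not DNS names of any trusted forest, since a duplicate is disabled as a conflict on both sides.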
Exercise 13: Configure a shortcut trust
In this exercise, you configure a shortcut trust between the canberra.contoso.com domain and the wingtiptoys.com domain. Both are in the contoso.com forest, so they already trust each other through the forest root; the shortcut trust lets authentication referrals between them bypass contoso.com. To complete this exercise, perform the following steps:
Sign on to CBR-DC as CANBERRA\Administrator with the password Pa$$w0rd.
In the Server Manager console, click the Tools menu and then click DNS.
In the DNS Manager console, expand CBR-DC, right-click Forward Lookup Zones, and click New Zone.
On the Welcome to the New Zone Wizard page, click Next.
On the Zone Type page of the New Zone Wizard, click Stub Zone and ensure that Store the Zone in Active Directory (available only if the DNS server is a writable domain controller) is selected as shown in Figure 1-50 and click Next twice.
Figure 1-50 Create a stub zone
On the Zone name page, type wingtiptoys.com and click Next.
On the Master DNS Servers page, type 10.10.10.20 in the list of master DNS servers and press Enter as shown in Figure 1-51. Click Next and then click Finish.
Figure 1-51 Configure a master DNS server
In the Server Manager console, click the Tools menu and then click Active Directory Domains and Trusts.
In the Active Directory Domains and Trusts console, expand the contoso.com node, right-click canberra.contoso.com, and click Properties.
On the Trusts tab of the canberra.contoso.com Properties dialog box, shown in Figure 1-52, click New Trust.
Figure 1-52 Create a new trust
On the Welcome to the New Trust Wizard page, click Next.
On the Trust Name page of the New Trust Wizard, type wingtiptoys.com and click Next.
On the Direction of Trust page, click Two-Way and click Next.
On the Sides of Trust page, click Both This Domain and the Specified Domain as shown in Figure 1-53 and click Next.
Figure 1-53 Configure trust sides
On the User Name and Password page, type wingtiptoys\administrator in the user name text box, type Pa$$w0rd in the password text box, and click Next three times.
On the Confirm Outgoing Trust page, click Yes, Confirm the Outgoing Trust as shown in Figure 1-54, and click Next.
Figure 1-54 Confirm the trust
On the Confirm Incoming Trust page, click Yes, Confirm the Incoming Trust and click Next.
Verify that the trust relationship was successfully created and click Finish.
Verify that the wingtiptoys.com trust is listed as a shortcut trust as shown in Figure 1-55 and then click OK.
Figure 1-55 Verify the trust type
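Exercise 13 as an added PowerShell example (not from the original page), followed by a small audit of every trust in the current domain that can be run anywhere in the lab. The shortcut trust is created in one call with Domain.CreateTrustRelationship, which writes both sides the way Both This Domain and the Specified Domain does in the wizard. Get-TrustAudit is a function of my own, and the $Both, $ctxArgs, $wingtip and $canberra names are mine; domain names, the master DNS address and the wingtiptoys\administrator account are the lab's. Run on CBR-DC as CANBERRA\Administrator.

```powershell
# Added example: Exercise 13 scripted, plus a trust audit.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory, DnsServer
$Both = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional

# Stub zone so CBR-DC can find wingtiptoys.com domain controllers directly. The New Zone Wizard's
# default scope for a stub zone is the domain, which is what "click Next twice" accepted.
Add-DnsServerStubZone -Name 'wingtiptoys.com' -MasterServers '10.10.10.20' -ReplicationScope Domain

# Bind to wingtiptoys.com as an administrator of that domain, then create both trust objects at once.
# Because both domains are in one forest, the result is recorded as an intra-forest (shortcut) trust.
$ctxArgs = @(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain,
    'wingtiptoys.com', 'wingtiptoys\administrator', (Read-Host -Prompt 'Password for wingtiptoys\administrator')
)
$ctx      = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxArgs
$wingtip  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
$canberra = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$canberra.CreateTrustRelationship($wingtip, $Both)
$canberra.VerifyTrustRelationship($wingtip, $Both)     # throws if either direction is broken

function Get-TrustAudit {
    # One row per trust of the current domain, with the flags worth reviewing after any change:
    # a forest trust without selective authentication exposes every computer to every trusted user,
    # and a relaxed SID filter lets SID history from the other side count in access checks.
    Get-ADTrust -Filter * | ForEach-Object {
        $kind = if ($_.IntraForest) { 'shortcut/parent-child (intra-forest)' } elseif ($_.ForestTransitive) { 'forest' } else { 'external' }
        # SIDFilteringForestAware is set on a forest trust once SID history has been enabled across it;
        # SIDFilteringQuarantined is the quarantine flag of an external trust. Neither applies inside a forest.
        $relaxed = if ($_.IntraForest) { $false } elseif ($_.ForestTransitive) { [bool]$_.SIDFilteringForestAware } else { -not $_.SIDFilteringQuarantined }
        [pscustomobject]@{
            Target           = $_.Target
            Direction        = $_.Direction
            Kind             = $kind
            SelectiveAuth    = $_.SelectiveAuthentication
            SidFilterRelaxed = $relaxed
            TGTDelegation    = $_.TGTDelegation           # True allows unconstrained delegation across the trust
        }
    }
}
Get-TrustAudit | Format-Table -AutoSize
```

On CBR-DC the audit should show two intra-forest trusts, the automatic one to the parent contoso.com and the new shortcut to wingtiptoys.com. Run the same function on MEL-DC after Exercise 11 and the contoso.com row should read Kind forest, SelectiveAuth True, SidFilterRelaxed False; anything else means a step was skipped or a later change weakened the trust.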