A.2.1 Pro Domain 1: Active Directory Domain Services


You work as the IT administrator for a small business and are responsible for the corporate network. You have just installed Active Directory on a new Hyper-V guest server named CorpDC. You need to create an Active Directory organizational structure. The Active Directory structure will be based on the company's departmental structure. In this lab, your task is to create OUs on CorpDC as follows: Beneath the domain, create the following OUs: Accounting Admins Marketing Research-Dev Sales Servers Support Workstations Within the Sales OU, create the following OUs: Sales Managers TempSales Prevent accidental deletion of each OU you create.

1. Connect to the CorpDC virtual server. a. From Hyper-V Manager, select CORPSERVER. b. Double-click CorpDC to connect to the virtual server. c. Maximize the window for better viewing. 2. Create the OUs beneath the domain. a. From Server Manager, select Tools > Active Directory Users and Computers. b. Maximize the window for better viewing. c. Select CorpNet.local. d. Select the Create a new organizational unit in the current container icon from the menu bar. e. Enter the name of the OU. f. Make sure that Protect container from accidental deletion is selected to prevent the OU from being deleted. g. Select OK. h. Repeat steps 2c-2g for each additional OU. 3. Create the OUs beneath the Sales OU. a. From the left pane, select Sales. b. Select the Create a new organizational unit in the current container icon from the menu bar. c. Enter the name of the OU. d. Make sure that Protect container from accidental deletion is selected to prevent the OU from being deleted. e. Select OK. f. Repeat steps 3a-3e for each additional OU.

You work as the IT administrator for a small business and are responsible for the corporate network. You have just installed Active Directory on a new Hyper-V guest server named CorpDC. You have created an Active Directory structure based on the company's departmental structure. While creating the structure, you added an OU named Workstations in each of the departmental OUs. After further thought, you decide to use one Workstations OU for the company. As a result, you need to delete the departmental workstation OUs. In this lab, your task is to delete the Workstations OUs from within the: Marketing OU Research-Dev OU Sales OU

1. Connect to the CorpDC virtual server. a. From Hyper-V Manager, select CORPSERVER. b. Double-click CorpDC to connect to the virtual server. c. Maximize the window for better viewing. 2. Delete the unneeded Workstation OUs. a. From Server Manager, select Tools > Active Directory Users and Computers. b. Maximize the window for better viewing. c. Select View > Advanced Features. d. Browse the Active Directory structure to the required OU. e. Right-click the OU and select Properties. f. Select the Object tab. g. Unmark Protect object from accidental deletion and then select OK. h. Right-click the OU again and select Delete. i. Select Yes to confirm deleting the OU. j. Repeat steps 2d-2i to delete the other OUs. k. Select View > Advanced Features again to turn off the advanced features view.

You are the IT administrator for a small corporate network. You recently added an Active Directory domain to the CorpDC server to manage network resources centrally. You now need to add user accounts in the domain. In this lab, your task is to create the following user accounts on CorpDC: Use the following user account naming standards and specifications as you create each account: Create the user account in the departmental OU corresponding to the employee's job role. User account name: First name + Last name Logon name: firstinitial + lastname with @CorpNet.local as the domain Original password: asdf1234$ (must change after the first logon) Configure the following for the temporary sales employee: Limit the logon hours to allow logon only from 8:00 a.m. to 5:00 p.m., Monday through Friday. Set the user account to expire on December 31st of the current year.

Access Active Directory Users and Computers on the CorpDC server. From Hyper-V Manager, select CORPSERVER. From the Virtual Machines pane, double-click CorpDC. From Server Manager's menu bar, select Tools > Active Directory Users and Computers. Maximize the window for better viewing. Create the domain user accounts. From the left pane, expand CorpNet.local. Browse to the appropriate OU. Right-click the OU and select New > User. In the First name field, enter the user's first name. In the Last name field, enter the user's last name. In the User logon name field, enter the user's logon name, which should be the first letter of the user's first name together with their last name (e.g. jsuarez). Select Next. In the Password field, enter asdf1234$. In the Confirm password field, enter asdf1234$. Make sure User must change password at next logon is selected and then select Next. Select Finish to create the object. Repeat steps 2b-2k to create the additional users. Modify user account restrictions for the temporary sales employee. Right-click Borey Chan and select Properties. Select the Account tab. Select Logon hours. From the Logon Hours dialog, select Logon Denied to clear the allowed logon hours. Select the time range of 8:00 a.m. to 5:00 p.m., Monday through Friday. Select Logon Permitted to allow logon. Select OK. Under Account expires, select End of. In the End of field, use the drop-down calendar to select 31 December of the current year. Select OK.

You are the IT administrator for a small corporate network. You recently added an Active Directory domain on the CorpDC server to manage network resources centrally. Organizational units in the domain represent departments. User and computer accounts are in their respective departmental OUs. Over the past few days, several personnel changes have occurred that require changes to user accounts. In this lab, your task is to use the following information to make the necessary user account changes on CorpDC: Mary Barnes from the Accounting Department has forgotten her password, and now her account is locked. Unlock the account. Reset the password: asdf1234$ Require a password change at the next logon. Mark Woods has been fired from the accounting department. Disable his account. Pat Benton is returning to the Research-Dev department from maternity leave. Her account is disabled to prevent logon. Enable her account. Andrea Simmons from the Research-Dev department has recently married. Rename the account: Andrea Socko Change the last name: Socko Change the display name: Andrea Socko Change the user logon and the pre-Windows 2000 user logon name: asocko For all users in the Support OU (but not the SupportManagers OU), allow logon only to the Support computer.

Access Active Directory Users and Computers on the CorpDC server. From Hyper-V Manager, select CORPSERVER. From the Virtual Machines pane, double-click CorpDC. From Server Manager's menu bar, select Tools > Active Directory Users and Computers. Maximize the window for better viewing. Unlock the Mary Barnes account. From the left pane, expand CorpNet.local. Select Accounting. Right-click Mary Barnes and select Reset Password. Enter asdf1234$ in the New password field. Enter asdf1234$ in the Confirm password field. Make sure the following are selected: User must change password at next logon Unlock the user's account Select OK. Select OK to confirm the change. Disable the Mark Woods account. From the right pane, right-click Mark Woods and select Disable Account. Select OK to confirm the change. Enable Pat Benton's account. From the left pane, select Research-Dev. From the right pane, right-click Pat Benton and select Enable Account. Select OK to confirm the change. Rename the Andrea Simmons account. Right-click Andrea Simmons and select Rename. Enter Andrea Socko and press Enter. This opens the Rename User dialog. Enter Socko in the Last name field. Replace the old logon name with asocko in the User logon name field. Select OK. Configure user account restrictions. From the left pane, select Support. From the right pane, press Ctrl and select both the Tom Plask and Janice Rons users to edit multiple users at the same time. Right-click the highlighted user accounts and select Properties. Select the Account tab. Select Computer restrictions. Select Log On To. Select The following computers. In the Computer name field, type Support. Select Add. Select OK. Select OK.

You are the IT Administrator for the CorpNet.local domain. You are in the process of implementing a group strategy for your network. You have decided to create global groups as shadow groups for specific departments in your organization. Each global group will contain all users in the corresponding department. In this lab, your task is to: Create the following global security groups on the CorpDC server in their corresponding OUs: Add all user accounts in the corresponding OUs and sub-OUs as members of the newly created groups.

Access Active Directory Users and Computers on the CorpDC server. From Hyper-V Manager, select CORPSERVER. From the Virtual Machines pane, double-click CorpDC. From Server Manager's menu bar, select Tools > Active Directory Users and Computers. Maximize the window for better viewing. From the left pane, expand CorpNet.local. Create the groups. Right-click the OU where the new group is to be added and select New > Group. In the Group name field, enter the name of the group. Make sure the following are selected: Group scope: Global; Group type: Security. Select OK. Add users to the groups. In the right pane, right-click the user account(s) and select Add to a group. (Use the Ctrl or Shift keys to select and add multiple user accounts to a group at one time.) In the Enter the object names to select field, enter the name of the group. Select Check Names and verify that the object name was found. Select OK to accept the groups added. Select OK to acknowledge the change. If a sub-OU with users exists, double-click on the sub-OU and then repeat step 3. Do this for each sub-group.

You are the assistant IT administrator for a network with a single domain named PartnerCorp.xyz. Your company network has three domains, CorpNet.local, Branch1.CorpNet.local, and Branch2.CorpNet.local. Management has decided that the full cross-forest trust you created is too much of a security risk. However, the board of directors for PartnerNet still needs access to financial resources that are in the Branch1.CorpNet.local domain. Only the members of the Directors group should be allowed to access the domain. Other users at PartnerNet should not be able to access Branch1.CorpNet.local, and users in CorpNet should not be able to access the PartnerCorp.xyz domain. In this lab, your task is to create trust relationship(s) with the CorpNet network to meet the requirements specified in the scenario above. You are currently working at CampusServer1, which is a Hyper-V host. Domain controllers for the PartnerCorp.xyz domain run as guests on this server. Create both sides of the trust. As necessary, use the following usernames and passwords to connect to the destination domain: Any additional configuration required in the CorpNet.local forest beyond creating the trust relationship will be performed by administrators in their respective domains.

Access the CampusDC1 virtual server. From Hyper-V Manager, select CAMPUSSERVER1. Under Virtual Machines, double-click CampusDC1 to open the virtual server. Maximize the window for better viewing. Access the properties of the PartnerCorp.xyz domain. From Server Manager, select Tools > Active Directory Domains and Trusts. Maximize the window for better viewing. From the left pane, right-click PartnerCorp.xyz and select Properties. Create the new trust relationships. From the PartnerCorp.xyz properties dialog, select the Trusts tab. Select New Trust. Select Next to start the wizard. In the Name field, enter Branch1.CorpNet.local and select Next. Select One-way: incoming and then select Next. Select Both this domain and the specified domain, and then select Next. Enter Administrator in the User name field. In the Password field, enter 2ManyP@ssw0rds (0 is a zero), and then select Next. Select Selective authentication, and then click Next. Select Next to create the trust. Select Next to configure the new trust. Select Yes, confirm the incoming trust, and then click Next. Select Finish. Select OK on the SID filtering prompt. Select OK to close the domain properties dialog.

You are the IT administrator for a small corporate network. You have four domain controllers in your main location, CorpDC, CorpDC2, CorpDC3, and CorpDC4. During installation, CorpDC2 and CorpDC3 were not made global catalog servers, but now you need some additional global catalog servers. In this lab, your task is to designate CorpDC2 and CorpDC3 as global catalog servers.

Access the CorpDC server. From Hyper-V Manager, select CORPSERVER. Under Virtual Machines, double-click CorpDC. Designate global catalog servers. From Server Manager, select Tools > Active Directory Users and Computers. From the left pane, expand and select CorpNet.local > Domain Controllers. From the right pane, right-click CorpDC2 and select Properties. From the General tab, select NTDS Settings. Select Global Catalog. Select OK to accept the new NTDS settings. Select OK to close the Server Properties dialog. Repeat steps 2c-2g to designate an additional global catalog server for CorpDC3.

You are the IT security administrator for a small corporate network. A group of desktop administrators needs administrative rights to all of the workstations in the domain. The workstations are located in the Workstations OU on CorpDC. In this lab, your task is to: Create a global security group named Desktop Admins in the Admins OU. (Members of the group will be added later.) Configure a restricted group policy in the WorkstationGPO object that adds the domain Desktop Admins group to the local Administrators group on all the workstations.

Access the CorpDC virtual server. From Hyper-V Manager, select CORPSERVER. Double-click CorpDC to access the server. Create a group. From Server Manager, select Tools > Active Directory Users and Computers. From the left pane, expand CorpNet.local. Right-click Admins and select New > Group. In the Group name field, enter Desktop Admins. Select OK. Close Active Directory Users and Computers. Create a restricted group. From Server Manager, select Tools > Group Policy Management. Maximize the window for better viewing. Expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects. Right-click WorkstationGPO and select Edit. Under Computer Configuration, expand Policies > Windows Settings > Security Settings. Right-click Restricted Groups and select Add Group. Select Browse. In the Enter the object names to select box, enter Desktop Admins and then select OK. Select OK to add the group. For This group is a member of, select Add. Enter Administrators (do not browse) and then select OK. Select OK.

You are the IT administrator of a large network. You need to create a starter GPO to use as a template, and then create a new GPO using that starter GPO. This needs to be completed on the CorpDC server. In this lab, your task is to: Enable the Administrative Templates central store by creating a Starter GPOs folder. Create a starter GPO named DNS Settings. Configure the DNS Settings policies: DNS Servers: State: Enable IP addresses: 192.168.0.11 and 192.168.10.11 (Use a space to separate the two addresses.) Primary DNS Suffix: State: Enable DNS suffix: CorpNet.local Register PTR Records: State: Enabled Option: Register Dynamic Update: State: Enabled Turn off smart multi-home Name Resolution: State: Enabled (Enabling the policy turns off LLMNR.) Create a new GPO named CommonGPO using the new starter GPO you created. Do not link the GPO at this time. Verify that the starter GPO settings were applied to the CommonGPO.

Access the CorpDC virtual server. From Hyper-V Manager, select CORPSERVER. Double-click CorpDC to connect to the virtual server. Maximize the window for better viewing. Create a starter GPO folder. From Server Manager, select Tools > Group Policy Management. Maximize the window for better viewing. Expand Forest: CorpNet.local > Domains > CorpNet.local. Select Starter GPOs. From the right pane, select Create Starter GPOs Folder. Create a starter GPO. From the left pane, right-click Starter GPOs and select New. In the Name field, use DNS Settings for the name of the starter GPO and then select OK. Configure the starter GPO policies. Right-click DNS Settings and select Edit. Under Computer Configuration, expand and select Administrative Templates > Network > DNS Client. From the right pane, double-click the policy you want to edit. Select Enabled or Disabled for the setting. Configure additional parameters as required. Select OK. Repeat steps 4c-4f for each policy. Close the Group Policy Starter GPO Editor. Create a GPO using a starter GPO. From the left pane, expand Starter GPOs. Right-click DNS Settings and select New GPO From Starter GPO. Use the name of CommonGPO for the new GPO and then select OK. Verify the CommonGPO policy settings. From the left pane, select Group Policy Objects. From the right pane, right-click CommonGPO and select Edit. Maximize the window for better viewing. Under Computer Configuration, expand Administrative Templates > Network. Select DNS Client. Verify that the values set in the starter GPO have been applied to the new policy.

You work as the IT administrator for a small business and are responsible for the corporate network. You are increasing network security by implementing AppLocker. Your first step is to prevent applications that are not located in the Windows directory or the Program Files directory from running on computers. In addition, there is a custom call center application used by the support team. The call center application runs from C:\CallCenter\CallStart.exe and must be allowed to run. You also want future versions of the call center application to run without having to change any settings. In this lab, your task is to configure AppLocker in the WorkstationGPO on CorpDC as follows: Configure AppLocker to enforce executable rules. For AppLocker, create default executable rules to ensure you maintain access to: All files located in the Program Files folder. All files located in the Windows folder. Create an AppLocker rule using the following file attributes: Allow the Support group to run the call center software. Make sure the application is signed by the software publisher. Use C:\CallCenter\CallStart.exe as the reference file. Allow the rule to be applied to only the publisher of the file. Do not add exclusions to the rule.

Access the CorpDC virtual server. From Hyper-V Manager, select CORPSERVER. Double-click CorpDC to connect to the virtual server. Maximize the window for better viewing. Enforce AppLocker rules for executable rules. From Server Manager, select Tools > Group Policy Management. Maximize the window for better viewing. From the left pane, expand Forest:CorpNet.local > Domains > CorpNet.local > Group Policy Objects. Right-click WorkstationGPO and select Edit. Maximize the window for better viewing. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Application Control Policies. Select AppLocker. From the right pane, select Configure rule enforcement. Under Executable rules, select Configured. Make sure Enforce rules appears in the drop-down list. Select OK. Create default executable rules. From the left pane, expand AppLocker. Right-click Executable Rules and select Create Default Rules. From the right pane, notice that the three default executable rules that allow the group Everyone access to the Windows and Program Files directories were created. Configure a Publisher rule and allow the Support group to run the call center software. From the left pane, right-click Executable Rules and select Create New Rule. Select Next. Make sure Allow is selected. For User or group, click Select. Enter Support for the required group and then select OK. Select Next. Make sure Publisher is selected and then select Next. For Reference files, select Browse. Browse to and select C:\CallCenter\CallStart.exe. Select Open. Slide the pointer from File version to Publisher and then select Next. Select Next. Select Create to accept the default name. Notice that the Publisher rule was created.

You work as the IT administrator for a small business and are responsible for the corporate network. You are working on improving the security of network resources. In this lab, your task is to add the following groups to the associated User Rights Assignment policy, located in the ServerGPO policy object, from the CorpDC server:

Access the CorpDC virtual server. From Hyper-V Manager, select CORPSERVER. Double-click CorpDC to open the virtual server. Access the Group Policy Management Editor for the ServerGPO group policy object. From Server Manager, select Tools > Group Policy Management. Expand Forest:CorpNet.local > Domains > CorpNet.local > Group Policy Objects. Right-click ServerGPO and select Edit. Maximize the window for better viewing. Configure the User Rights Assignments. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies. Select User Rights Assignment. Double-click the policy you want to edit. Select Define these policy settings. Select Add User or Group. Enter the name of the group (or use Browse, if desired), and then select OK. Select OK. Repeat steps 3c-3g to define the remaining policy settings.

You are the IT administrator for a small corporate network. After a security review, you have decided to improve network security. In this lab, your task is to: Configure the following security policies on CorpDC using Group Policy. Disable the User Configuration portion of the GPO. This is required because all GPO settings in the SupportGPO are in the Computer Configuration portion.

Access the CorpDC virtual server. From Hyper-V Manager, select CORPSERVER. Under Virtual Machines, double-click CorpDC to access the server. Edit the Default Domain Policy security options. From Server Manager, select Tools > Group Policy Management. Maximize the window for easier viewing. From the left pane, expand Forest: CorpNet.local > Domains > CorpNet.local. Right-click Default Domain Policy and select Edit. Maximize the window for easier viewing. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies. Select Security Options. From the right pane, double-click the policy you want to edit. Select Define this policy setting. Select Enabled or Disabled. Configure the values for the policy as needed. Select OK. Repeat steps 2h-2l to configure the additional policies. Close Group Policy Management Editor. Configure SupportGPO security options. From the Group Policy Management dialog, expand Support. Right-click SupportGPO and select Edit. Maximize the window for easier viewing. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies. Select Security Options. From the right pane, double-click the policy you want to edit. Select Define this policy setting. Select Enabled or Disabled. Configure the values for the policy as needed. Select OK. Repeat steps 3f-3j for additional policies. Close Group Policy Management Editor. Disable user settings in the SupportGPO. From the Group Policy Management console, expand Group Policy Objects. Right-click SupportGPO and select GPO Status > User Configuration Settings Disabled. Close the Group Policy Management window.

You are the IT administrator for a small corporate network. As your network grows, you need to delegate common administrative tasks. You have defined the following administrative roles: PasswordAdmins - can reset passwords for any user in the domain and force password change at next logon ComputerAdmins - can join computers to the domain GPOLinkAdmins - can manage GPO links for Accounting, Marketing, Research-Dev, Sales, and Support OUs In this lab, your task is to: Create the following global security groups in the Users container for each administrative role: PasswordAdmins ComputerAdmins GPOLinkAdmins Use the Delegation of Control wizard to delegate the necessary permissions at the correct level to each group. In the wizard, use the common tasks option for delegating control.

Access the CorpDC virtual server. From Hyper-V Manager, select CORPSERVER. Under Virtual Machines, double-click CorpDC to access the virtual server. Create a group. From Server Manager, select Tools > Active Directory Users and Computers. From the left pane, expand CorpNet.local. Right-click Users and select New > Group. In the Group name field, enter the name of the group. Make sure Global is selected as the group scope. Make sure Security is selected as the group type. Select OK. Repeat steps 2c-2g for the remaining groups. Delegate the necessary permissions. From the left pane, browse to CorpNet.local or the OU where you want to delegate control (such as Accounting or Marketing). Right-click CorpNet.local or the OU and select Delegate Control. Select Next to start the wizard. Select Add. In the Enter the object names to select field, enter the name of the group to be added. Select Check names and then select OK. Select Next. Select the task you want to delegate and then select Next. Select Finish. Repeat steps 3b-3i for each delegation.

You are the IT administrator for a growing corporate network. You want to make sure new users can log on to the network using any of the site's domain controllers as soon as possible after a user account is created. In this lab, your task is to: Connect to the CorpDC virtual server. Configure the NTDS Site Settings for the Main-Site with a replication schedule that replicates as often as possible per hour.

Access the CorpDC virtual server. From Hyper-V Manager, select CORPSERVER. Under Virtual Machines, double-click CorpDC to connect to the server. Configure the NTDS Site Settings for the Main-Site. From Server Manager, select Tools > Active Directory Sites and Services. From the left pane, expand and select Sites > Main-Site. From the right pane, right-click NTDS Site Settings and select Properties. Select Change Schedule. With the schedule highlighted, select Four Times per Hour. Select OK to close the NTDS Site Settings dialog. Select OK to close the NTDS Site Settings Properties.

You are the IT administrator for a small corporate network. You must configure a password policy for the domain on the CorpDC server. In this lab, your task is to edit the Default Domain Policy and configure the account policy settings as follows: Configure the password policies. New passwords must be different from the previous 10 passwords. Users must change passwords every 90 days. Users cannot change a new password for at least 14 days. Passwords must be at least 10 characters long. Passwords must contain uppercase letter, lowercase letter, number, and symbol characters. Configure the account lockout policies. If 5 incorrect passwords are entered, lock the account. After a failed logon attempt, lock the account for 10 minutes. Keep accounts locked for 60 minutes and then unlock the account automatically.

Access the CorpDC virtual server. In Hyper-V Manager, select CORPSERVER. Under Virtual Machines, double-click CorpDC to connect to the virtual server. Modify the password policies. From Server Manager, select Tools > Group Policy Management. Maximize the window for better viewing. From the left pane, expand Forest: CorpNet.local > Domains > CorpNet.local. Right-click Default Domain Policy and select Edit. Maximize the window for better viewing. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Account Policies. Select Password Policy. From the right pane, double-click the policy you want to edit. Make sure Define this policy setting is selected. Edit the value for the policy, and then select OK. Repeat steps 2h-2j for each policy. Modify account lockout policies. From the left pane, select Account Lockout Policy. From the right pane, double-click the policy you want to edit. Make sure Define this policy setting is selected. Edit the value for the policy and then select OK. Repeat steps 3b-4d for additional policies.

You are the IT administrator for a small corporate network. The Support department uses a call center application that runs from the network. They would like to make sure that all support computers have a shortcut to this application on the desktop for all users. In this lab, your task is to create a shortcut for all computers in the SupportGPO using the preference settings as follows: Action: Update Name: CallStart Target Type: File System Object Location: All Users Desktop Target Path: \\CorpFiles\CallCenter\CallStart.exe

Access the CorpDC virtual server. In Hyper-V Manager, select CORPSERVER. Under Virtual Machines, right-click CorpDC and select Connect. Open the SupportGPO in the Group Policy Management Editor. In Server Manager, select Tools > Group Policy Management. Maximize the window for better viewing. In the left pane, expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects. Right-click SupportGPO and select Edit. Maximize the window for better viewing. Create a new shortcut policy. Under Computer Configuration, expand Preferences > Windows Settings. Right-click Shortcuts and select New > Shortcut. Enter CallStart in the Name field. Using the Location drop-down, select All Users Desktop. Enter \\CorpFiles\CallCenter\CallStart.exe in the Target path field. Select OK.

You are the IT administrator for a small corporate network. These are the four domain controllers at the main location: Lately, you have had some problems creating new user objects in the domain. You suspect that one of your domain controllers has an intermittent problem connecting to the network. All domain controllers are currently working, but you want to prevent future problems of this nature. In this lab, your task is to: Identify the operations master role that could cause the symptoms explained in the scenario. Transfer the correct operations master roles to the CorpDC2 domain controller.

Access the CorpDC2 server. From Hyper-V Manager, select CORPSERVER. Under Virtual Machines, double-click CorpDC2. Transfer the master RID role. From Server Manager, select Tools > Active Directory Users and Computers. From the left pane, right-click CorpNet.local and select Operations Masters. From the RID tab, select Change. Select Yes to confirm the transfer. Select OK to acknowledge the transfer. Transfer the master PDC role. Select the PDC tab. Select Change. Select Yes to confirm the transfer. Select OK to acknowledge the transfer. Select Close.

You are the IT administrator for a small corporate network. You have noticed that several computer monitors are still on late at night, long after employees have left. You would like to use Group Policy to set consistent power options for computers throughout the company. All workstations are Windows 11 and reside in the Workstations OU. In this lab, your task is to configure the following Power Option policy settings in the WorkstationGPO policy: Set the policy Action to Update. Set the Balanced power plan as the active power plan for all workstations. Set the following advanced settings:

Access the CorpDC2 virtual server. From Hyper-V Manager, select CORPSERVER. Under Virtual Machines, double-click CorpDC2 to access the server. Access the WorkstationGPO Power Option policy. From Server Manager, select Tools > Group Policy Management. Maximize the window for better viewing. From the left pane, expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects. Right-click WorkstationGPO and select Edit. Maximize the window for better viewing. Start a new power plan. From the left pane, under Computer Configuration, expand Preferences. Expand Control Panel Settings. Right-click Power Options and select New > Power Plan (At least Windows 7). Configure your new power plan. From the Action drop-down list, make sure Update is selected. From the list of power plans, make sure Balanced is selected. Select Set as the active power plan. Expand Hard disk > Turn off hard disk after. Select On battery. In the On battery field, enter 60. Select Plugged in. In the Plugged in field, enter 120. Expand Display > Turn off display after. Select On battery. In the On battery field, enter 30. Select Plugged in. In the Plugged in field, enter 60. Select OK.

You are the IT administrator for a small corporate network. When you installed the CorpDC domain controller, you created a new domain in a new forest. Since then, you've added additional domain controllers. You would like to move some of the operation master roles to CorpDC3 to provide role separation. You are currently logged on to the CorpServer2 computer, which is the Hyper-V host for CorpDC3. In this lab, your task is to: Transfer the Relative ID (RID) master role to CorpDC3. Transfer the Primary Domain Controller (PDC) emulator role to CorpDC3.

Access the CorpDC3 virtual server. From Hyper-V Manager, select CORPSERVER2. Under Virtual Machines, double-click CorpDC3. Transfer the master RID role. From Server Manager, select Tools > Active Directory Users and Computers. From the left pane, right-click CorpNet.local and select Operations Masters. From the RID tab, select Change. Select Yes to confirm the transfer. Select OK to acknowledge the transfer. Transfer the master PDC role. Select the PDC tab. Select Change. Select Yes to confirm the transfer. Select OK to acknowledge the transfer. Select Close.

As your network has grown, you've added additional domains to the forest root domain. As a result, you would like to modify the operations master configuration on your network. You are currently logged on to the CorpServer2 computer, but you will complete these tasks using Hyper-V and the CorpDC4 server. In this lab, your task is to: Transfer the Domain Naming Master role from CorpDC to CorpDC4. Remove the global catalog from CorpDC.

Access the CorpDC4 server. From Hyper-V Manager, select CORPSERVER2. Under Virtual Machines, double-click CorpDC4. Transfer the Domain Naming Master role to CorpDC4. From Server Manager, select Tools > Active Directory Domains and Trusts. From the left pane, right-click Active Directory Domains and Trusts and select Operations Master. Select Change. Select Yes to confirm the transfer. Select OK to acknowledge the transfer. Select Close. Close the Active Directory Domains and Trusts dialog. Remove the global catalog from CorpDC. From Server Manager, select Tools > Active Directory Sites and Services. From the left pane, expand Sites > Main-Site > Servers > CorpDC. Right-click NTDS Settings and select Properties. Unmark Global Catalog. Select OK.

You are the IT security administrator for a small corporate network. You are using Group Policy to enforce settings for certain workstations on your network. You have prepared and tested a security template file that contains policies that meet your company's requirements. In this lab, your task is to configure Group Policy on CorpDC as follows: Create a GPO named Workstation Settings. Link the Workstation Settings GPO to the following OUs: The TempMarketing OU (in the Marketing OU) The TempSales OU (in the Sales OU) The Support OU Import security settings from the security template (ws_sec.inf) located in C:\Templates for the Workstation Settings GPO.

Access the CorpNet.local domain. From Server Manager, select Tools > Group Policy Management. Maximize the window for better viewing. Expand Forest: CorpNet.local > Domains > CorpNet.local. Create the Workstation Settings GPO and link it to the CorpNet.local domain. Right-click the Group Policy Objects OU and select New. In the Name field, use Workstation Settings and then select OK. Link OUs to the Workstation Settings GPO. Right-click the OU and select Link an Existing GPO. Under Group Policy Objects, select Workstation Settings and then select OK. Repeat step 3 to link the additional OUs. Import the ws_sec.inf security policy template. Expand Group Policy Objects. Right-click Workstation Settings and select Edit. Under Computer Configuration, expand Policies > Windows Settings. Right-click Security Settings and select Import Policy. Browse to C:\Templates. Select ws_sec.inf and then click Open.

You are assisting the administrator of the PartnerCorp.xyz domain. The company has three main campus locations, Campus1, Campus2, and Campus3. All locations are connected to each other using wide area network (WAN) links. You have configured a site for each physical site location in Active Directory Sites and Services. You have also configured a site link for each WAN link. You need to customize Active Directory replication to accomplish the following goals: Replication between the Campus2 and Campus3 sites should use the 20 Mbps line only if one of the links to the Campus1 site is unavailable. In other words, Active Directory replication should use the site links from Campus3 to Campus1 and from Campus1 to Campus2. To reduce WAN traffic on the link, replication between Campus1 and Campus2 should only occur during the hours of 8:00 p.m. and 6:00 a.m. Monday through Friday. Replication is allowed during all hours on the weekend. Replication from Campus1 to Campus2, and from Campus1 to Campus3 should occur once per hour during the hours that replication is allowed. Replication between sites originating from the Campus1 site should only use CampusDC1. CampusDC4 should not be used for inter-site replication. In this lab, your task is to customize replication as follows: For the Campus1-Campus2 site link, use the following settings: Cost: 110; Replication frequency: 60 minutes; Replication schedule: Sunday: allow all day; Monday through Friday: allow 8:00 p.m. to 6:00 a.m.; Saturday: allow all day. For the Campus2-Campus3 site link, use the following settings: Cost: 300; Replication frequency: 175 minutes; Replication schedule: Sunday through Friday: allow all day; Saturday: allow 12:00 a.m. to 5:00 p.m. For the Campus1-Campus3 site link, use the following settings: Cost: 110; Replication frequency: 60 minutes; Replication schedule: Sunday through Friday: allow all day; Saturday: allow 12:00 a.m. to 5:00 p.m. Designate CampusDC1 as the preferred bridgehead server for IP.

Configure inter-site replication. From Server Manager, select Tools > Active Directory Sites and Services. Maximize the window for better viewing. From the left pane, expand and select Sites > Inter-Site Transports > IP. From the right pane, right-click the site link and select Properties. In the Cost field, enter the cost. In the Replicate every field, enter the replication frequency. Select Change Schedule. Adjust the replication schedule as needed. Select OK to save the new schedule. Select OK to close the site link properties. Repeat steps 1d-1j to configure the additional site links. Designate the preferred bridgehead server. From the left pane, expand and select Campus1-Main-Site > Servers. From the right pane, right-click CampusDC1 and select Properties. Under Transports available for inter-site data transfer, select IP and then select Add. Select OK to save the changes.

You are the IT administrator for the CorpNet.local domain. You recently created a domain local distribution group named Managers in the Users container on CorpDC because department managers need to email other department managers. You created the group and added several individual user accounts as members of the group. Now you would like to use the group to assign permissions to company managers. In this lab, your task is to: Change the Managers group scope to Global. Change the Managers group type to Security.

Connect to the CorpDC virtual machine. From Hyper-V Manager, select CORPSERVER. Double-click CorpDC to open the virtual server. Configure the group named Managers. From Server Manager, select Tools > Active Directory Users and Computers. Maximize the window for easier viewing. In the left pane, expand CorpNet.local. Select Users. From the right pane, right-click Managers and select Properties. Under Group scope, select Universal. Select Apply. The Global option is now available for selection. Select Global. Under Group type, select Security. Select OK to apply the changes.

You are the IT administrator for the CorpNet.local domain. The CorpDC server is the domain controller. You are implementing a group strategy for your network. Managers in various departments need to send and receive emails between other department managers only. In this lab, your task is to: Create an Active Directory group account named Managers in the User folder. Configure the Managers group with a domain local group scope and a distribution group type. Add the following user accounts as members of the Managers group: Juan Suarez Mark Burnes Shelly Emery

Connect to the CorpDC virtual machine. From Hyper-V Manager, select CORPSERVER. Double-click CorpDC to open the virtual server. Create a domain local distribution group. From Server Manager, select Tools > Active Directory Users and Computers. Maximize the window for better viewing. From the left pane, expand CorpNet.local. Right-click Users and select New > Group. Enter Managers in the Group name field. From the Group scope pane, select Domain local. From the Group type pane, select Distribution. Select OK. Add user accounts to the Managers group. From the right pane, right-click Managers and select Properties. Select the Members tab. Select Add. In the Enter the object names to select field, enter the following, including the semicolons: Juan Suarez; Mark Burnes; Shelly Emery. Select Check Names and verify that the object names were found. Select OK to add the new group member. Select OK to apply the changes.

You have just completed the installation of two read-only domain controllers, Branch3-RODC and Branch4-RODC. To allow logon when the WAN link to these sites is down, you want to configure the password replication policy to cache passwords for users who are likely to be at those locations. To increase security, you do not want to cache passwords for users who shouldn't be at that site. You examine the users at each location and learn that: All members of the Sales team could use either the Branch3 or the Branch4 location. Only members of the Research-Dev team should use the Branch4 location. Mark Woods, a member of the Accounting department, will travel to both branches when performing audits. In this lab, your task is to configure the password replication policy for Branch3-RODC and Branch4-RODC to cache only the necessary passwords using the following parameters: Edit the Allowed RODC Password Replication Group group in the Users container. Add the following as members of the group: Sales group; Mark Woods user account. To allow caching of computer account passwords, add: All computer accounts in the Sales OU (Sales1 through Sales5). The Acct2 computer account from the Accounting OU. Edit the properties for the Branch4-RODC account. Configure the password replication policy as follows: Remove the group Allowed RODC Password Replication Group. Add the group Allowed RODC Password Replication Group to the policy again, but with Deny permissions. Add the Research-Dev group with Allow permissions. Add the Mark Woods user account with Allow permissions. Add the following computer accounts with Allow permissions to allow caching of computer account passwords: From the Research OU: ResM1, ResM2, and ResM3. From the Accounting OU: Acct2.

Connect to the CorpDC virtual machine. From Hyper-V Manager, select CORPSERVER. Under Virtual Machines, double-click CorpDC to open the virtual server. Modify the group membership. From Server Manager, select Tools > Active Directory Users and Computers. Maximize the window for better viewing. From the left pane, expand and select CorpNet.local > Users. From the right pane, right-click Allowed RODC Password Replication Group and select Properties. Select the Members tab. Select Add. Select Object Types. From the Object Types pane, select Computers and Contacts. Make sure Users and Groups are selected; then select OK. In the Enter the object names to select field, enter Sales; Mark Woods; Acct2; Sales1; Sales2; Sales3; Sales4; Sales5. Select Check Names. Verify that all the names were found. Select OK to accept the names. Select OK to close the Password Replication Group Properties window. Deny the Allowed RODC Password Replication Group. In the left pane, select Domain Controllers. From the right pane, right-click Branch4-RODC and select Properties. Select the Password Replication Policy tab. Select Allowed RODC Password Replication Group. Select Remove. Select Yes. Select Add. Select Deny passwords for the account from replicating to this RODC; then select OK. In the Enter the object names to select box, enter Allowed RODC Password Replication Group. Select Check Names. Select OK to add the group. Add Allow permissions for the Branch4-RODC account. Select Add. Select Allow passwords for the account to replicate to this RODC; then select OK. In the Enter the object names to select box, enter Research-Dev; Mark Woods; Acct2; ResM1; ResM2; ResM3. Select Check Names. Select OK to add the new objects. Select OK to save your changes.

You are the IT administrator for a small corporate network. You have a branch site with about 50 employees that is connected to the main site with a WAN link. A single domain controller named BranchDC2 is configured in the branch location. Because the WAN link is slow and unreliable, you have not configured BranchDC2 as a global catalog server. You find that when the WAN link goes down, users at the branch location cannot log on to the network. Even when the WAN link is up, users complain that the logon process is slow. You want to minimize Active Directory traffic across the WAN link, but you also want to let branch users log on to the network even when the WAN link is down. In this lab, your task is to enable universal group membership caching in the branch office.

Connect to the CorpDC virtual machine. From Hyper-V Manager, select CORPSERVER. Under Virtual Machines, double-click CorpDC. Enable universal group membership caching in the branch office. From Server Manager, select Tools > Active Directory Sites and Services. From the left pane, expand and select Sites > Branch2-Site. From the right pane, right-click NTDS Site Settings and select Properties. Select Enable Universal Group Membership Caching. Select OK.

You are the IT administrator for the CorpNet.local domain. You are in the process of implementing a group strategy for your network. The CorpNet.local domain has a Support OU. All support employees in the domain have user accounts within the Support OU or within the Support sub-OUs. All support employees need access to the support department's shared folders and printers. Your group strategy must minimize administration when: Granting and removing resource access to support employees. Groups of other employees (such as managers) request access to support resources. Support resources are added or removed. Permissions to the resources need to be granted or removed. The recommended group strategy is to: Make user accounts members of global groups. Make global groups members of domain local groups. Assign permissions to the domain local groups. In this lab, your task is to implement a group strategy that meets the above requirements on CorpDC as follows: Create the following groups in the Support OU: Support Support Resources For each group, configure the appropriate group scope, group type, and membership based on the following information:

Connect to the CorpDC virtual machine. In Hyper-V Manager, select CORPSERVER. Under Virtual Machines, double-click CorpDC to connect to the server. Create the group named Support. In Server Manager, select Tools > Active Directory Users and Computers. Maximize the window for better viewing. In the left pane, expand CorpNet.local. Right-click Support and select New > Group. Type Support in the Group name field. Under Group scope, make sure Global is selected. Under Group type, make sure Security is selected. Select OK. Create the group named Support Resources. Right-click Support and select New > Group. Type Support Resources in the Group name field. Under Group scope, select Domain local. Under Group type, make sure Security is selected. Select OK. Modify the membership for the Support group. From the right pane, right-click Support and then select Properties. Select the Members tab. Select Add. Select Advanced. Select Find Now. Under Search results, hold down the Ctrl key and select the users you need to add. Select OK to use the selected users or group. Select OK to add the new group members. Select OK to close the Properties dialog. Modify the membership for the Support Resources group. From the right pane, right-click Support Resources and then select Properties. Select the Members tab. Select Add. In the Enter the object names to select box, enter Support. Select OK to add the new group members. Select OK to close the Properties dialog.

You are the IT administrator for a small corporate network. The company has ordered several laptop computers for the Sales team. The laptops will arrive with Windows 11 pre-installed. You will need to add them to the domain. In this lab, your task is to: Create the following computer accounts in the Workstations OU of the CorpNet.local domain: Sales1 Sales2 Sales3 Sales4 Sales5

Connect to the CorpDC virtual server. From Hyper-V Manager, select CORPSERVER. Double-click CorpDC to connect to the virtual server. Maximize the window for better viewing. Create computer accounts in the Workstations OU. From Server Manager, select Tools > Active Directory Users and Computers. Maximize the window for better viewing. Expand CorpNet.local. Right-click Workstations and select New > Computer. In the Computer name field, enter the computer name. Select OK. Repeat steps 2d-2f to create additional computer accounts.

You are assisting the administrator of the CorpNet.local domain. Your company has three office locations named Main, Branch1, and Branch2. All of the locations are connected to each other with wide area network (WAN) links. Domain controllers are installed for each location, but each domain controller is still located in the Default-First-Site-Name site. In this lab, your task is to: Rename the Default-First-Site-Name site to Main-Site. Create new sites for the branch offices using DEFAULTSITELINK as the site link object. Move the branch servers into their respective sites. Create a subnet for all the sites and choose the corresponding site object.

Connect to the CorpDC virtual server. From Hyper-V Manager, select CORPSERVER. Under Virtual Machines, double-click CorpDC to connect to the server. Maximize the window for better viewing. Rename the default site to Main-Site. From Server Manager, select Tools > Active Directory Sites and Services. From the left pane, expand Sites. Right-click Default-First-Site-Name and select Rename. Enter Main-Site. Create new sites for the branch offices. Right-click Sites and select New > New Site. Enter the site name. Select DEFAULTSITELINK as the site link. Select OK. Repeat steps 3a-3d to create the additional site. Move the branch servers into the correct sites. Expand Main-Site. Expand Servers. Right-click the server and select Move. Select the destination site and select OK. Repeat steps 4b-4d to move the remaining server. Create subnets for all three sites. Right-click Subnets and select New Subnet. In the Prefix field, enter the subnet address and prefix (for example, 192.168.40.0/24). Under Site Name, select a site for the new subnet. Select OK. Repeat steps 5a-5d for additional subnets.

You are the administrator for the CorpNet.local forest. Your network has the following domains: CorpNet.local, Branch1.CorpNet.local, and Branch2.CorpNet.local. Your company works closely with another company. Their network has a single domain named PartnerCorp.xyz. You need to let users in both forests access resources in both forests using the minimum number of trusts. Forest root trusts are transitive, meaning that the trust allows access to all child domains within the forest. In this lab, your task is to create a forest root trust between the CorpNet.local and PartnerCorp.xyz forests. Create a forest root trust using the following settings: Name of trust: PartnerCorp.xyz Trust type: Forest trust Direction of trust: Two-way Sides of trust: Domain only Outgoing trust authentication level: Forest-wide authentication Trust password: Trust@urF@r3st Do not confirm the trust. Create a forest root trust using the following settings: Name of trust: CorpNet.local Trust type: Forest trust Direction of trust: Two-way Sides of trust: Domain only Outgoing trust authentication level: Forest-wide authentication Trust password: Trust@urF@r3st Confirm the outgoing and incoming trust.

Create the trust from CorpNet.local to PartnerCorp.xyz. From Server Manager, select Tools > Active Directory Domains and Trusts. Right-click CorpNet.local and select Properties. Select the Trusts tab. Select New Trust. Select Next to start the wizard. Enter PartnerCorp.xyz as the target domain and then select Next. Select Forest trust and then select Next. Make sure Two-way is selected as the direction for the trust and then select Next. Make sure This domain only is selected and then select Next. Make sure Forest-wide authentication is selected and then select Next. In the Trust password field, enter Trust@urF@r3st as the password. In the Confirm trust password field, enter Trust@urF@r3st and then select Next. Select Next to create the trust. Select Next to verify the trusts. Select Next to use No, do not confirm the outgoing trust. Select Next to use No, do not confirm the incoming trust. Select Finish. Select OK. Create the trust from PartnerCorp.xyz to CorpNet.local. From the top left, select Domains. Under PartnerCorp.xyz, select CampusDC1. From Server Manager, select Tools > Active Directory Domains and Trusts. Right-click PartnerCorp.xyz and select Properties. Select the Trusts tab. Select New Trust. Select Next to start the wizard. Enter CorpNet.local as the target domain and then select Next. Select Forest trust and then select Next. Make sure Two-way is selected as the direction for the trust and then select Next. Make sure This domain only is selected and then select Next. Make sure Forest-wide authentication is selected and then select Next. In the Trust password field, enter Trust@urF@r3st as the password. In the Confirm trust password field, enter Trust@urF@r3st and then select Next. Select Next to create the trust. Select Next to verify the trusts. Select Yes, confirm the outgoing trust, and then select Next. Select Yes, confirm the incoming trust, and then select Next. Select Finish. Select OK.

You are the IT administrator for a small corporate network. The company has a single Active Directory domain named CorpNet.local. You need to increase the domain's authentication security. You need to make sure that User Account Control (UAC) settings are consistent throughout the domain and in accordance with industry recommendations. In this lab, your task is to configure UAC settings in the Default Domain Policy on CorpDC as follows:

On CorpDC, access the CorpNet.local domain for Group Policy Management. From Hyper-V Manager, select CORPSERVER. Double-click CorpDC. From Server Manager, select Tools > Group Policy Management. Maximize the window for easy viewing. Expand Forest: CorpNet.local > Domains > CorpNet.local. Configure the UAC settings. Right-click Default Domain Policy and select Edit. Maximize the window for easier viewing. Under Computer Configuration, expand and select Policies > Windows Settings > Security Settings > Local Policies > Security Options. From the right pane, double-click the policy you want to edit. Select Define this policy setting. Select Enable or Disable as necessary. Edit the value for the policy as needed and then select OK. Repeat steps 2d-2g for each policy setting.

You are assisting the administrator for the PartnerNet.xyz domain. The company has three office locations, which are named Campus1, Campus2, and Campus3. All locations are connected to each other using wide area network (WAN) links (see exhibits). Domain controllers for each location have been installed, but each domain controller is still located in the Default-First-Site-Name site. In this lab, your task is to complete the following: Delete the Default-First-Site-Name site or rename it as one of the three sites in the table. Create and configure three sites and subnets as follows: Move the domain controllers into their applicable corresponding sites. Delete the DEFAULTIPSITELINK site link or rename and configure it as one of your three site links in the table. Create and configure three site links as follows:

Rename the default site. From Server Manager, select Tools > Active Directory Sites and Services. Maximize the window for better viewing. From the left pane, expand Sites. Right-click Default-First-Site-Name and select Rename. Enter Campus1-Main-Site and then press Enter. Create additional sites. From the left pane, right-click Sites and select New Site. In the Name field, enter the site name. Under Link Name, select DEFAULTIPSITELINK and then select OK. Repeat steps 2a-2c to create the additional site. Create subnets. From the left pane, right-click Subnets and select New Subnet. In the Prefix field, enter the subnet IP address followed by the prefix (for example, 192.168.40.0/24). From the lower pane, select the site name that goes with the selected IP address and prefix. Select OK. Repeat steps 3a-3d to add the additional subnets. Move the servers into their correct sites. From the left pane, expand Campus1-Main-Site. Select Servers. From the right pane, right-click the server to move and select Move. Select the destination site name and then select OK. Repeat steps 4b-4d to move the additional servers. Rename and modify the site link properties. From the left pane, expand and select Inter-Site Transports > IP. From the right pane, right-click DEFAULTIPSITELINK and select Rename. Enter Campus1-Campus2 and then press Enter. From the right pane, right-click Campus1-Campus2 and select Properties. Under Sites in this site link, select Campus3-Site and then select Remove. Select OK. Create the site links. From the left pane, right-click IP and select New Site Link. In the Name field, type the new site link name. Under Sites not in this site link, select the appropriate site(s). Select Add. Select OK. Repeat steps 6a-6e to create the additional site links.

You work as the IT security administrator for a small corporate network. As part of an ongoing program to improve security, you want to implement an audit policy for all workstations. You plan to audit user logon attempts and other critical events. In this lab, your task is to configure the following audit policy settings in WorkstationGPO:

Using Group Policy Management, access CorpNet.local's Group Policy Objects > WorkstationGPO. From Server Manager's menu bar, select Tools > Group Policy Management. Maximize the window for better viewing. Expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects. Access the WorkstationGPO's Security Settings Local Policies. Right-click WorkstationGPO and select Edit. Maximize the window for better viewing. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies. Select Security Options. Modify Local Policies. From the right pane, double-click the policy you want to edit. Select Define this policy setting. Select the policy settings as required. Select OK. Select Yes to confirm changes as necessary. Repeat steps 3a-3e for the additional policy setting. Modify the Event Log. From the left pane, select Event Log. From the right pane, double-click the Retention method for security log. Select Define this policy setting. Select Do not overwrite events. Select OK. Modify Advanced Audit Policy Configuration. From the left pane, expand Advanced Audit Policy Configuration > Audit Policies. Select the audit policy category. From the right pane, double-click the policy you want to edit. Select Configure the following audit events. Select the policy settings as required. Select OK. Repeat steps 5b-5f for additional policy settings.

