M I C R O S O F T 20410D L E A R N I N G Installing and Configuring Windows Server® 2012 P R O D U C T MCT USE ONLY STUDENT USE PROHIBITED O F F I C I A L Installing and Configuring Windows Server® 2012 MCT USE ONLY STUDENT USE PROHIBITED ii Information in this document, including URL and other Internet Web site references, is subject to change without notice Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred Complying with all applicable copyright laws is the responsibility of the user Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product Links may be provided to third party sites Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites Microsoft is not responsible for webcasting or any other form of transmission received from any linked site Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein © 2014 Microsoft Corporation All rights reserved Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty /Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies All other trademarks are property of their respective owners Product Number: 20410D Part Number: X19-55618 Released: 04/2014 MCT USE ONLY STUDENT USE PROHIBITED MICROSOFT LICENSE TERMS MICROSOFT INSTRUCTOR-LED COURSEWARE These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you Please read them They apply to your use of the content accompanying this agreement which includes the media on which you received it, if any These license terms also apply to Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany those items If so, those terms apply BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT If you comply with these license terms, you have the rights below for each license you acquire DEFINITIONS a “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, or such other entity as Microsoft may designate from time to time b “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center c “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware d “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee e “Licensed Content” means the content accompanying this agreement which may include the Microsoft Instructor-Led Courseware or Trainer Content f “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program g “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that educates IT professionals and developers on Microsoft technologies A Microsoft Instructor-Led Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware h “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy Program i “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network program in good standing that currently holds the Learning Competency status j “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft Official Course that educates IT professionals and developers on Microsoft technologies k “MPN Member” means an active Microsoft Partner Network program member in good standing MCT USE ONLY STUDENT USE PROHIBITED l “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware m “Private Training Session” means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer n “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program Member to teach an Authorized Training Session, and/or (ii) a MCT o “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft Instructor-Led Courseware Trainer Content may include Microsoft PowerPoint presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Prerelease course feedback form To clarify, Trainer Content does not include any software, virtual hard disks or virtual machines USE RIGHTS The Licensed Content is licensed not sold The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content 2.1 Below are five separate sets of use rights Only one set of rights apply to you a If you are a Microsoft IT Academy Program Member: i Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices You may not install the Microsoft Instructor-Led Courseware on a device you not own or control ii For each license you acquire on behalf of an End User or Trainer, you may either: distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or provide one (1) End User with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content, provided you comply with the following: iii you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content, iv you will ensure each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session, v you will ensure that each End User provided with the hard-copy version of the Microsoft InstructorLed Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware, vi you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session, MCT USE ONLY STUDENT USE PROHIBITED vii you will only use qualified Trainers who have in-depth knowledge of and experience with the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Authorized Training Sessions, viii you will only deliver a maximum of 15 hours of training per week for each Authorized Training Session that uses a MOC title, and ix you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources for the Microsoft Instructor-Led Courseware b If you are a Microsoft Learning Competency Member: i Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices You may not install the Microsoft Instructor-Led Courseware on a device you not own or control ii For each license you acquire on behalf of an End User or Trainer, you may either: distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Authorized Training Session and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware provided, or provide one (1) End User attending the Authorized Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft InstructorLed Courseware, or you will provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content, provided you comply with the following: iii you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content, iv you will ensure that each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session, v you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware, vi you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session, vii you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training Sessions, viii you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC, ix you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and x you will only provide access to the Trainer Content to Trainers MCT USE ONLY STUDENT USE PROHIBITED c If you are a MPN Member: i Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices You may not install the Microsoft Instructor-Led Courseware on a device you not own or control ii For each license you acquire on behalf of an End User or Trainer, you may either: distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Private Training Session, and only immediately prior to the commencement of the Private Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or provide one (1) End User who is attending the Private Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or you will provide one (1) Trainer who is teaching the Private Training Session with the unique redemption code and instructions on how they can access one (1) Trainer Content, provided you comply with the following: iii you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content, iv you will ensure that each End User attending an Private Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session, v you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware, vi you will ensure that each Trainer teaching an Private Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Private Training Session, vii you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions, viii you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Private Training Sessions using MOC, ix you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and x you will only provide access to the Trainer Content to Trainers d If you are an End User: For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your personal training use If the Microsoft Instructor-Led Courseware is in digital format, you may access the Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to three (3) Personal Devices You may also print one (1) copy of the Microsoft Instructor-Led Courseware You may not install the Microsoft Instructor-Led Courseware on a device you not own or control e If you are a Trainer i For each license you acquire, you may install and use one (1) copy of the Trainer Content in the form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training Session or Private Training Session, and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Trainer Content You may not install or use a copy of the Trainer Content on a device you not own or control You may also print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training Session or Private Training Session MCT USE ONLY STUDENT USE PROHIBITED ii You may customize the written portions of the Trainer Content that are logically associated with instruction of a training session in accordance with the most recent version of the MCT agreement If you elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations will comply with this agreement For clarity, any use of “customize” refers only to changing the order of slides and content, and/or not using all the slides or content, it does not mean changing or modifying any slide or content 2.2 Separation of Components The Licensed Content is licensed as a single unit and you may not separate their components and install them on different devices 2.3 Redistribution of Licensed Content Except as expressly provided in the use rights above, you may not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft 2.4 Third Party Notices The Licensed Content may include third party code tent that Microsoft, not the third party, licenses to you under this agreement Notices, if any, for the third party code ntent are included for your information only 2.5 Additional Terms Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use Any non-conflicting terms in those conditions and licenses also apply to your use of that respective component and supplements the terms described in this agreement LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY If the Licensed Content’s subject matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the other provisions in this agreement, these terms also apply: a Pre-Release Licensed Content This Licensed Content subject matter is on the Pre-release version of the Microsoft technology The technology may not work the way a final version of the technology will and we may change the technology for the final version We also may not release a final version Licensed Content based on the final version of the technology may not contain the same information as the Licensed Content based on the Pre-release version Microsoft is under no obligation to provide you with any further content, including any Licensed Content based on the final version of the technology b Feedback If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback You will not give feedback that is subject to a license that requires Microsoft to license its technology, technologies, or products to third parties because we include your feedback in them These rights survive this agreement c Pre-release Term If you are an Microsoft IT Academy Program Member, Microsoft Learning Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”) Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control MCT USE ONLY STUDENT USE PROHIBITED SCOPE OF LICENSE The Licensed Content is licensed, not sold This agreement only gives you some rights to use the Licensed Content Microsoft reserves all other rights Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement In doing so, you must comply with any technical limitations in the Licensed Content that only allows you to use it in certain ways Except as expressly permitted in this agreement, you may not: • access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content, • alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content, • modify or create a derivative work of any Licensed Content, • publicly display, or make the Licensed Content available for others to access or use, • copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party, • work around any technical limitations in the Licensed Content, or • reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation RESERVATION OF RIGHTS AND OWNERSHIP Microsoft reserves all rights not expressly granted to you in this agreement The Licensed Content is protected by copyright and other intellectual property laws and treaties Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content EXPORT RESTRICTIONS The Licensed Content is subject to United States export laws and regulations You must comply with all domestic and international export laws and regulations that apply to the Licensed Content These laws include restrictions on destinations, end users and end use For additional information, see www.microsoft.com/exporting SUPPORT SERVICES Because the Licensed Content is “as is”, we may not provide support services for it TERMINATION Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement Upon termination of this agreement for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in your possession or under your control LINKS TO THIRD PARTY SITES You may link to third party sites through the use of the Licensed Content The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site 10 ENTIRE AGREEMENT This agreement, and any additional terms for the Trainer Content, updates and supplements are the entire agreement for the Licensed Content, updates and supplements 11 APPLICABLE LAW a United States If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort MCT USE ONLY STUDENT USE PROHIBITED b Outside the United States If you acquired the Licensed Content in any other country, the laws of that country apply 12 LEGAL EFFECT This agreement describes certain legal rights You may have other rights under the laws of your country You may also have rights with respect to the party from whom you acquired the Licensed Content This agreement does not change your rights under the laws of your country if the laws of your country not permit it to so 13 DISCLAIMER OF WARRANTY THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT 14 LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES YOU CAN RECOVER FROM MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00 YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES This limitation applies to o anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law It also applies even if Microsoft knew or should have known about the possibility of the damages The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en franỗais EXONẫRATION DE GARANTIE Le contenu sous licence visé par une licence est offert « tel quel » Toute utilisation de ce contenu sous licence est votre seule risque et péril Microsoft n’accorde aucune autre garantie expresse Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, dadộquation un usage particulier et dabsence de contrefaỗon sont exclues LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement hauteur de 5,00 $ US Vous ne pouvez prétendre aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices Cette limitation concerne: • tout ce qui est relié au le contenu sous licence, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et • les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur MCT USE ONLY STUDENT USE PROHIBITED Elle s’applique également, même si Microsoft connaissait ou devrait conntre l’éventualité d’un tel dommage Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas votre égard EFFET JURIDIQUE Le présent contrat décrit certains droits juridiques Vous pourriez avoir d’autres droits prévus par les lois de votre pays Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas Revised July 2013 Securing Windows Servers by Using Group Policy Objects  Task 2: Run gpupdate Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd Point to the lower-right corner of the screen, and then click the Search charm when it appears In the Search box, type cmd, and then press Enter At the command prompt, type the following command, and then press Enter: gpupdate /force Close the Command Prompt window, and then sign out from LON-CL1  Task 3: Sign in to LON-CL1 with an incorrect password • Sign in to LON-CL1 as Adatum\Adam with the password password This password is intentionally incorrect to generate a security log entry that shows that an unsuccessful sign-in attempt has been made  Task 4: Review event logs on LON-DC1 On LON-DC1, in Server Manager, click Tools, and then click Event Viewer In the Event Viewer window, expand Windows Logs, and then click Security Review the event logs for following message: “Event ID 4771 Kerberos pre-authentication failed Account Information: Security ID: ADATUM\Adam”  Task 5: Sign in to LON-CL1 with the correct password Sign in to LON-CL1 as Adatum\Adam with the password Pa$$w0rd This password is correct, and you should be able to sign in successfully as Adam Sign out of LON-CL1  Task 6: Review event logs on LON-DC1 MCT USE ONLY STUDENT USE PROHIBITED L12-70 Switch to LON-DC1 In the Server Manager window, click Tools, and then click Event Viewer In the Event Viewer window, expand Windows Logs, and then click Security Review the event logs for the following message: “Event ID 4624 An account was successfully logged on New Logon: Security ID: ADATUM\Adam”  Task 7: Prepare for the next lab • To prepare for the next lab, leave the virtual machines running Results: After completing this exercise, you will have enabled domain logon auditing MCT USE ONLY STUDENT USE PROHIBITED Installing and Configuring Windows Server® 2012 L12-71 Lab B: Configuring AppLocker and Windows Firewall Exercise 1: Configuring AppLocker Policies  Task 1: Create an OU for client computers Switch to LON-DC1 In Server Manager, click Tools, and then click Active Directory Users and Computers In Active Directory Users and Computers, in the navigation pane, right-click Adatum.com, click New, and then click Organizational Unit In the New Object - Organizational Unit window, type Client Computers, and then click OK  Task 2: Move LON-CL1 to the Client Computers OU On LON-DC1, in Active Directory Users and Computers, in the navigation pane, click Computers container In the details pane, right-click LON-CL1, and then click Move In the Move window, click Client Computers, and then click OK  Task 3: Create a Software Control GPO and link it to the Client Computers OU On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management In the Group Policy Management Console, go to Forests: Adatum.com\Domains\Adatum.com Right-click Group Policy Objects, and then click New In New GPO window, in the Name text box, type Software Control, and then click OK In the right-hand pane, right-click Software Control, and then click Edit In the Group Policy Management Editor window, go to Computer Configuration\Policies \Windows Settings\Security Settings\Application Control Policies\AppLocker Under AppLocker, right-click Executable Rules, and then click Create Default Rules Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules In the navigation pane, click AppLocker, and then in the right-hand pane, click Configure rule enforcement 10 In the AppLocker Properties dialog box, under Executable rules, select the Configured check box, and then from the drop-down menu, select Audit only 11 Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and then click OK 12 In the Group Policy Management Editor window, go to Computer Configuration\Policies \Windows Settings\Security Settings 13 Click System Services, and then double-click Application Identity 14 In the Application Identity Properties dialog box, click Define this policy setting 15 Under Select service startup mode, click Automatic, and then click OK 16 Close the Group Policy Management Editor window Securing Windows Servers by Using Group Policy Objects 17 In the Group Policy Management Console, right-click Client Computers, and then click Link an Existing GPO 18 In the Select GPO window, in the Group Policy Objects list, click Software Control, and then click OK  Task 4: Run gpupdate Switch to LON-CL1 Point to the lower-right corner of the screen, and then click the Search charm when it appears In the Search box, type cmd, and then press Enter In the Command Prompt window, type following command, and then press Enter: gpupdate /force Close the Command Prompt window Point to the lower-right corner of the screen, and then click the Settings charm when it appears Click Power, and then click Restart  Task 5: Run app1.bat in the C:\CustomApp folder Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd Point to the lower-right corner of the screen, and then click the Search charm when it appears In the Search box, type cmd, and then press Enter At the command prompt, type following command, and then press Enter: gpresult /R Review the result of the command, and ensure that Software Control is displayed under Computer Settings, Applied Group Policy Objects If Software Control is not displayed, restart LON-CL1, and then repeat steps through Point to the lower-right corner of the screen, and then click the Search charm when it appears In the Search box, type cmd, and then press Enter At the command prompt, type the following command, and then press Enter: C:\CustomApp\app1.bat  Task 6: View AppLocker events in an event log MCT USE ONLY STUDENT USE PROHIBITED L12-72 On LON-CL1, point to the lower-right corner of the screen, and then click the Search charm when it appears In the Search box type eventvwr.msc, and then press Enter In the Event Viewer window, expand Application and Services Logs, expand Microsoft, expand Windows, and then expand AppLocker Click MSI and Scripts, and then review event log 8005 that contains the following text: %OSDRIVE%\CUSTOMAPP\APP1.BAT was allowed to run If no events are displayed, ensure that the Application Identity service has started, and then try again MCT USE ONLY STUDENT USE PROHIBITED Installing and Configuring Windows Server® 2012 L12-73  Task 7: Create a rule that allows software to run from a specific location On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management In the Group Policy Management Console, expand the Group Policy Objects node, right-click Software Control, and then click Edit In the Group Policy Management Editor window, go to Computer Configuration\Policies \Windows Settings\Security Settings\Application Control Policies\AppLocker Right-click Script rules, and then click Create New Rule On the Before You Begin page, click Next On the Permissions page, click Allow, and then click Next On the Conditions page, click Path, and then click Next On the Path page, in Path, type the path %OSDRIVE%\CustomApp\app1.bat, and then click Next On the Exception page, click Next 10 On the Name and Description page, in Name, type Custom Application Rule, and then click Create  Task 8: Modify the Software Control GPO to enforce rules In the Group Policy Management Editor window, in the navigation pane, click AppLocker, and then in the right-hand pane, click Configure rule enforcement In AppLocker Properties dialog box, under Executable rules, select the Configured check box, and then from drop-down menu, click Enforce rules Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and then click OK Close the Group Policy Management Editor window  Task 9: Verify that an application can still be run Switch to LON-CL1 Point to the lower-right corner of the screen, and then click the Search charm when it appears In the Search box type cmd, and then press Enter In the Command Prompt window, type the following command, and then press Enter: gpupdate /force Close the Command Prompt window Point to the lower-right corner of the screen, and then click the Settings charm when it appears Click Power, and then click Restart Sign in to LON-CL1 as Adatum\Tony with the password Pa$$w0rd Point to the lower-right corner of the screen, and then click the Search charm when it appears 10 In the Search box, type cmd, and then press Enter 11 In the Command Prompt window, type following command, and then press Enter: C:\customapp\app1.bat Securing Windows Servers by Using Group Policy Objects  Task 10: Verify that an application cannot be run MCT USE ONLY STUDENT USE PROHIBITED L12-74 On LON-CL1, on the taskbar, click the File Explorer icon In File Explorer, in the navigation pane, click Computer In the Computer window, double-click Local Disk (C:), double-click the CustomApp folder, rightclick app1.bat, and then click Copy In the CustomApp window, on the navigation pane, right-click the Documents folder, and then click Paste In the Command Prompt window, type C:\Users\Tony\Documents\app1.bat, and then press Enter Verify that applications cannot be run from the Documents folder, and that the following message is displayed: “This program is blocked by Group Policy For more information, contact your system administrator.” Close all open windows, and then sign out from LON-CL1 Results: After completing this exercise, you will have configured AppLocker policies for all users whose computer accounts are located in the Client Computers OU The policies you configured should allow these users to run applications that are located in the folders C:\Windows and C:\Program Files, and run the custom-developed application app1.bat in the C:\CustomApp folder Exercise 2: Configuring Windows Firewall  Task 1: Create a group named Application Servers Switch to LON-DC1 In the Server Manager window, click Tools, and then click Active Directory Users and Computers In Active Directory Users and Computers, in the navigation pane, right-click the Member Servers OU, click New, and then click Group In the New Object – Group window, in Group Name, type Application Servers, and then click OK  Task 2: Add LON-SVR1 as a group member In Active Directory Users and Computers, in the navigation pane, click the Member Servers OU, and in the details pane, right-click Application Servers group, and then click Properties In the Application Server Properties dialog box, click the Members tab, and then click Add In Select Users, Computers, Service Accounts or Groups, click Object Types, click Computers, and then click OK In the Enter the object names to select box, type LON-SVR1, and then click OK In the Application Server Properties dialog box, click OK  Task 3: Create a new Application Servers GPO On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management In the Group Policy Management Console, expand Forests: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New In the New GPO window, in Name, type Application Servers GPO, and then click OK In the Group Policy Management Console, right-click Application Servers GPO, and then click Edit MCT USE ONLY STUDENT USE PROHIBITED Installing and Configuring Windows Server® 2012 L12-75 In the Group Policy Management Editor window, go to Computer Configuration\Policies \Windows Settings\Security Settings\Windows Firewall with Advanced Security Click Windows Firewall with Advanced Security - LDAP://CN={GUID} In the Group Policy Management Editor window, click Inbound Rules Right-click Inbound Rules, and then click New Rule In the New Inbound Rule Wizard, on the Rule Type page, click Custom, and then click Next 10 On the Program page, click Next 11 On the Protocol and Ports page, in the Protocol type list, click TCP 12 In the Local port list, click Specific Ports, in the text box type 8080, and then click Next 13 On the Scope page, click Next 14 On the Action page, click Allow the connection, and then click Next 15 On the Profile page, clear both the Private and Public check boxes, and then click Next 16 On the Name page, in the Name box, type Application Server Department Firewall Rule, and then click Finish 17 Close the Group Policy Management Editor window  Task 4: Link the Application Servers GPO to the Member Servers OU On LON-DC1, in the Group Policy Management Console, right-click Member Servers OU, and then click Link an Existing GPO In the Select GPO window, in the Group Policy objects list, click Application Servers GPO, and then click OK  Task 5: Use security filtering to limit the Application Server GPO to members of Application Server group On LON-DC1, in the Group Policy Management Console, click Member Servers OU Expand the Member Servers OU, and then click the Application Servers GPO link In the Group Policy Management Console message box, click OK In the right-hand pane, under Security Filtering, click Authenticated Users, and then click Remove In the Confirmation dialog box, click OK In the details pane, under Security Filtering, click Add In the Select User, Computer, or Group dialog box, type Application Servers, and then click OK  Task 6: Run gpupdate on LON-SVR1 Switch to LON-SVR1, and then sign in as Adatum\Administrator with the password Pa$$w0rd Point to the lower-right corner of the screen, and then click the Search charm when it appears In the Search box, type cmd, and then press Enter In the Command Prompt window, type the following command, and then press Enter: gpupdate /force Close the Command Prompt window Restart LON-SVR1, and then sign back in as Adatum\Administrator with the password Pa$$w0rd Securing Windows Servers by Using Group Policy Objects  Task 7: View the firewall rules on LON-SVR1 Switch to LON-SVR1 In Server Manager, click Tools, and then click Windows Firewall with Advanced Security In the Windows Firewall with Advanced Security window, click Inbound rules In the right-hand pane, verify that the Application Server Department Firewall Rule that you created earlier by using Group Policy is configured Verify that you cannot edit the Application Server Department Firewall Rule, because it is configured through Group Policy Results: After completing this exercise, you will have used Group Policy to configure Windows Firewall with Advanced Security to create rules for application servers  Prepare for the next module MCT USE ONLY STUDENT USE PROHIBITED L12-76 When you finish the lab, revert the virtual machines to their initial state by performing the following steps: On the host computer, start Hyper-V® Manager In the Virtual Machines list, right-click 20410D-LON-DC1, and then click Revert In the Revert Virtual Machine dialog box, click Revert Repeat steps and for 20410D-LON-SVR1 and 20410D-LON-CL1 MCT USE ONLY STUDENT USE PROHIBITED L13-77 Module 13: Implementing Server Virtualization with Hyper-V Lab: Implementing Server Virtualization with Hyper-V Exercise 1: Installing the Hyper-V Role onto a Server  Task 1: Install the Hyper-V role onto a server On LON-HOST1, in Server Manager, click Local Server In the Properties pane, click the IPv4 address assigned by DHCP, IPv6 enabled link In the Network Connections dialog box, right-click the network object, and then click Properties In the Properties dialog box, click Internet Protocol Version (TCP/IPv4), and then click Properties In the Properties dialog box, on the General tab, click Use the following IP address, and then configure the following: o IP Address: 172.16.0.31 o Subnet mask: 255.255.0.0 o Default gateway: 172.16.0.1 On the General tab, click Use the following DNS server addresses, and then configure the following: o Preferred DNS server: 172.16.0.10 Click OK to close the Properties dialog box In the Properties dialog box of the network object, click Close Close the Network Connections dialog box 10 In the Server Manager console, from the Manage menu, click Add Roles and Features 11 In the Add Roles and Features Wizard, on the Before you begin page, click Next 12 On the Select installation type page, click Role-based or feature-based installation, and then click Next 13 On the Select destination server page, ensure that LON-HOST1 is selected, and then click Next 14 On the Select server roles page, select Hyper-V 15 In the Add Roles and Features Wizard, click Add Features 16 On the Select server roles page, click Next 17 On the Select features page, click Next 18 On the Hyper-V page, click Next 19 On the Virtual Switches page, verify that no selections have been made, and then click Next 20 On the Virtual Machine Migration page, click Next 21 On the Default Stores page, review the location of the Default Stores, and then click Next MCT USE ONLY STUDENT USE PROHIBITED L13-78 Implementing Server Virtualization with Hyper-V 22 On the Confirm installation selections page, click Restart the destination server automatically if required 23 In the Add Roles and Features Wizard, review the message regarding automatic restarts, and then click Yes 24 On the Confirm Installation Selections page, click Install After a few minutes, the server restarts automatically Ensure that you restart the machine from the boot menu as 20410D-LON-HOST1 The computer will restart several times  Task 2: Complete the Hyper-V role installation, and verify the settings Sign in to LON-HOST1 by using the account Administrator with the password Pa$$word When the installation of the Hyper-V tools is complete, click Close to close the Add Roles and Features Wizard In the Server Manager console, click the Tools menu, and then click Hyper-V Manager In the Hyper-V Manager console, click LON-HOST1 In the Hyper-V Manager console, in the Actions pane, with LON-HOST1 selected, click Hyper-V Settings In the Hyper-V Settings for LON-HOST1 dialog box, click the Keyboard item Verify that the Keyboard is set to the Use on the virtual machine option In the Hyper-V Settings for LON-HOST1 dialog box, click the Virtual Hard Disks item Verify that the location of the default folder to store Virtual Hard Disk files is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks, and then click OK Results: After completing this exercise, you should have installed the Hyper-V role onto a physical server Exercise 2: Configuring Virtual Networking  Task 1: Configure the external network In the Hyper-V Manager console, click LON-HOST1 From the Actions menu, click Virtual Switch Manager In the Virtual Switch Manager for LON-HOST1 dialog box, click New virtual network switch Ensure that External is selected, and then click Create Virtual Switch In the Virtual Switch Properties area, enter the following information, and then click OK: o Name: Switch for External Adapter o External Network: Mapped to the host computer’s physical network adapter (This varies depending on the host computer.) In the Apply Networking Changes dialog box, review the warning, and then click Yes  Task 2: Create a private network In Hyper-V Manager click LON-HOST1 and from the Actions menu, click Virtual Switch Manager Under Virtual Switches, click New virtual network switch Under Create virtual switch, click Private, and then click Create Virtual Switch MCT USE ONLY STUDENT USE PROHIBITED Installing and Configuring Windows Server® 2012 L13-79 In the Virtual Switch Manager dialog box, in the Virtual Switch Properties section, configure the following settings, and then click OK: o Name: Private Network o Connection type: Private network  Task 3: Create an internal network In Hyper-V Manager click LON-HOST1, and from the Actions menu, click Virtual Switch Manager Under Virtual Switches, click New virtual network switch Under Create virtual switch, click Internal and then click Create Virtual Switch In the Virtual Switch Manager dialog box, in the Virtual Switch Properties section, configure the following settings, and then click OK: o Name: Internal Network o Connection type: Internal network  Task 4: Configure the MAC address range In Hyper-V Manager, click LON-HOST1 and from the Actions menu, click Virtual Switch Manager Under Global Network Settings, click MAC Address Range On MAC Address Range settings, configure the following values, and then click OK: o Minimum: 00-15-5D-0F-AB-A0 o Maximum: 00-15-5D-0F-AB-EF Close the Hyper-V Manager console Results: After completing this exercise, you should have configured virtual switch options on a physically deployed Windows Server 2012 server that is running the Hyper-V role Exercise 3: Creating and Configuring a Virtual Machine  Task 1: Create differencing virtual hard disks On the taskbar, click the File Explorer icon Expand This PC, expand drive E, expand Program Files, expand Microsoft Learning, and then expand Base Note: The drive letter may depend upon the number of drives on the physical host computer In the Base folder, verify that the Base14A-WS12R2.vhd hard disk image file is present Click the Home tab, and then click the New Folder icon twice to create two new folders Right-click each folder, and then rename the folders as follows: o LON-GUEST1 o LON-GUEST2 Close File Explorer In the Server Manager console, click Tools, and then click Hyper-V Manager In the Hyper-V Manager console, in the Actions pane, click New, and then click Hard Disk In the New Virtual Hard Disk Wizard, on the Before You Begin page, click Next On the Choose Disk Format page, click VHD, and then click Next 10 On the Choose Disk Type page, click Differencing, and then click Next 11 On the Specify Name and Location page, specify the following details, and then click Next: o Name: LON-GUEST1.vhd o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\ Note: The drive letter may depend upon the number of drives on the physical host computer 12 On the Configure Disk page, type the location: E:\Program Files\Microsoft Learning\Base\ Base14A-WS12R2.vhd, and then click Finish 13 On the desktop, on the taskbar, click the Windows PowerShell® icon MCT USE ONLY STUDENT USE PROHIBITED L13-80 Implementing Server Virtualization with Hyper-V 14 At the Windows PowerShell prompt, type the following command to create a new differencing virtual hard disk to be used with LON-GUEST2, and then press Enter: New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\ Base14A-WS12R2.vhd" 15 Close Windows PowerShell 16 In the Hyper-V Manager console, in the Actions pane, click Inspect Disk 17 In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click LON-GUEST2.vhd, and then click Open 18 In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\ Base14A-WS12R2.vhd as a parent, and then click Close  Task 2: Create virtual machines In Hyper-V Manager click LON-HOST1 and from the Actions pane, click New, and then click Virtual Machine In the New Virtual Machine Wizard, on the Before You Begin page, click Next On the Specify Name and Location page, click Store the virtual machine in a different location, enter the following values, and then click Next: o Name: LON-GUEST1 o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\ Note: The drive letter may depend upon the number of drives on the physical host computer On the Specify Generation page, select Generation 1, and then click Next MCT USE ONLY STUDENT USE PROHIBITED Installing and Configuring Windows Server® 2012 L13-81 On the Assign Memory page, enter a value of 1024 MB, select the Use Dynamic Memory for this virtual machine option, and then click Next On the Configure Networking page, for the connection, click Private Network, and then click Next On the Connect Virtual Hard Disk page, click Use an existing virtual hard disk Click Browse, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\LON-GUEST1.vhd, click Open, and then click Finish On the desktop, on the taskbar, click the Windows PowerShell icon At the Windows PowerShell prompt, type the following command to create a new virtual machine named LON-GUEST2, and then press Enter: New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network" 10 Close Windows PowerShell 11 In the Hyper-V Manager console, click LON-GUEST2 12 In the Actions pane, under LON-GUEST2, click Settings 13 In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Start Action, and set the Automatic Start Action to Nothing 14 In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Stop Action, and set the Automatic Stop Action to Shut down the guest operating system 15 Click OK to close the Settings for LON-GUEST2 on LON-HOST1 dialog box  Task 3: Enable resource metering On the taskbar, click the Windows PowerShell icon At the Windows PowerShell prompt, enter the following commands to enable resource metering on the virtual machines, pressing Enter at the end of each line: Enable-VMResourceMetering LON-GUEST1 Enable-VMResourceMetering LON-GUEST2 Results: After completing this exercise, you should have deployed two separate virtual machines by using a sysprepped virtual hard disk file as a parent disk for two differencing virtual hard disks Exercise 4: Using Virtual Machine Checkpoints  Task 1: Deploy Windows Server 2012 in a virtual machine In the Hyper-V Manager console, click LON-GUEST1 In the Actions pane, click Start Double-click LON-GUEST1 to open the Virtual Machine Connection Window In the LON-GUEST1 on LON-HOST1 - Virtual Machine Connection window, perform the following steps: o On the Settings page, click Next to accept the Region and Language settings o On the Settings page, click I accept o On the Settings page, type the password Pa$$w0rd twice, and then click Finish MCT USE ONLY STUDENT USE PROHIBITED L13-82 Implementing Server Virtualization with Hyper-V In the LON-GUEST1 on LON-HOST1 - Virtual Machine Connection window, from the Action menu, click CTRL+Alt+Delete Sign in to the virtual machine by using the account Administrator and the password Pa$$w0rd On the virtual machine, in the Server Manager console, click Local Server, and then click the randomly assigned name next to the computer name In the System Properties dialog box, on the Computer Name tab, click Change In the Computer Name field, type LON-GUEST1, and then click OK 10 In the Computer Name/Domain Changes dialog box, click OK 11 Click Close to close the System Properties dialog box 12 In the Microsoft Windows dialog box, click Restart Now  Task 2: Create a virtual machine checkpoint Sign in to the LON-GUEST1 virtual machine by using the Administrator account and the password Pa$$w0rd In the Server Manager console, click the Local Server node, and verify that the name of the computer is set to LON-GUEST1 In the Virtual Machine Connection window, from the Action menu, click Checkpoint In the Checkpoint Name dialog box, type the name Before Change, and then click Yes  Task 3: Modify the virtual machine In the Server Manager console, click Local Server, and then next to Computer name, click LON-GUEST1 In the System Properties dialog box, on the Computer Name tab, click Change In the Computer Name field, type LON-Computer1, and then click OK In the Computer Name/Domain Changes dialog box, click OK Close the System Properties dialog box In the Microsoft Windows dialog box, click Restart Now Sign back in to the LON-GUEST1 virtual machine by using the Administrator account and the password Pa$$w0rd In the Server Manager console, click Local Server, and then verify that the server name is set to LON-Computer1 MCT USE ONLY STUDENT USE PROHIBITED Installing and Configuring Windows Server® 2012 L13-83  Task 4: Revert to the existing virtual machine checkpoint In the Virtual Machine Connection window, from the Action menu, click Revert In the Revert Virtual Machine dialog box, click Revert In the Server Manager console, in the Local Server node, in the Virtual Machines list, verify that the Computer Name now is set to LON-GUEST1  Task 5: View resource metering data On LON-HOST1, on the taskbar, click the Windows PowerShell icon To retrieve resource metering information, at the Windows PowerShell prompt, enter the following command, and then press Enter: Measure-VM LON-GUEST1 Note the average central processing unit (CPU), average random access memory (RAM), and total disk usage figures Close the Windows PowerShell window Results: After completing this exercise, you should have used virtual machine checkpoints to recover from a virtual machine misconfiguration  Revert the virtual machines After you finish the lab, restart the computer in Windows Server 2012 by performing the following steps: On the taskbar, click the Windows PowerShell icon At the Windows PowerShell command prompt, type the following command, and then press Enter: Shutdown /r /t From the Windows Boot Manager, select Windows Server 2012 MCT USE ONLY STUDENT USE PROHIBITED ... Deploying and Managing Windows Server 2012 Lesson 1: Windows Server 2012 Overview 1-3 Lesson 2: Installing Windows Server 2012 1-14 Lesson 3: Post-Installation Configuration of Windows Server 2012. .. Describe Windows Server 2012 • Install Windows Server 2012 • Perform post-installation configuration of Windows Server 2012 • Describe the management tools available in Windows Server 2012 • Perform... Installing and Configuring Windows Server 2012 1-5 For more information about the differences between Windows Server 2012 R2 editions, download the Windows Server 2012 R2 Products and Editions