
INSTALL/CONFIGURE WINDOWS DEPLOYMENT SERVICES
1. On MS1, install the Windows Deployment Services role with the Deployment Server and
Transport Server role services.
2. Open the Windows Deployment Services console.
3. Expand Servers, right-click the WDS server and select Configure Server.
4. On the Install Options page, select the Integrated with Active Directory option and
configure as follows:
a. Select E:\RemoteInstall as the Remote Installation Folder location.
b. Ensure Respond only to known client computers is selected. This is the PXE response
policy: WDS answers only computers that have been prestaged in Active Directory, so an
unknown machine on the LAN cannot pull a boot image or be imaged by accident.
c. Uncheck Add images to the server now, as we will do this later.
5. To view your configuration, go to the properties of your WDS server in the Windows
Deployment Services console. You can make changes here if necessary.
6. If not already started, start the WDS service on your WDS server.

CONFIGURE DHCP SERVER WITH CUSTOM OPTION
1. On DC1, create a DHCP scope named Office for the 192.168.100.0/24 network with the
following options:
a. Inclusion range: 192.168.100.1 - 192.168.100.254
b. Exclusion ranges: 192.168.100.1 - 192.168.100.99 and 192.168.100.254
c. DNS Server option: 192.168.100.10
d. Gateway (Router) scope option: 192.168.100.254
e. Don't forget to authorize your server in Active Directory and activate your scope.
2. Create a new option type as follows (right-click IPv4 and select Set Predefined
Options):
a. Name: PXE Client
b. Data type: String
c. Code: 060
3. Configure the 060 PXE Client server option as follows:
a. String value: the FQDN of your WDS server, i.e. YourlastnameMS1.yourlastname.ca
Note: option 60 is the DHCP vendor class identifier. Its standard value is the literal
string PXEClient, and Microsoft only calls for it when DHCP and WDS run on the same host
(it tells the PXE client to ask that server on port 4011 for boot information). With DHCP
on DC1 and WDS on MS1, as in this lab, clients find WDS through its own PXE responder or
through options 66 (Boot Server Host Name) and 67 (Bootfile Name); the value above is a
lab convention.
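As an added example (not part of the lab sheet), the same scope built on DC1 with the DhcpServer PowerShell module, with the lab's option 60 next to the option 66/67 form Microsoft documents for a WDS server on a different host, and a final read-back of what a PXE client in the scope will be offered. The WDS FQDN, the DC1 DNS name and the boot file path are assumptions based on the lab's placeholders.

```powershell
# Added example: build the Office scope on DC1 and compare the two PXE option styles.
# Assumptions: run on DC1 (the DHCP server) as a user who may authorize DHCP in AD;
# names and addresses are the lab's placeholders.
Import-Module DhcpServer

$scopeId = '192.168.100.0'
$wdsFqdn = 'yourlastname-ms1.yourlastname.ca'   # assumed WDS server FQDN

# 1. Scope, exclusions and scope options (inclusion range first, then carve out exclusions)
if (-not (Get-DhcpServerv4Scope -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'Office' -StartRange 192.168.100.1 -EndRange 192.168.100.254 `
        -SubnetMask 255.255.255.0 -State Active
}
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 192.168.100.1   -EndRange 192.168.100.99
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 192.168.100.254 -EndRange 192.168.100.254
# -Force skips the reachability check on the DNS server (it may not answer yet in the lab)
Set-DhcpServerv4OptionValue -ScopeId $scopeId -DnsServer 192.168.100.10 -Router 192.168.100.254 -Force

# 2. Authorize the server in AD (the lab's "don't forget"); needs Enterprise Admins rights
Add-DhcpServerInDC -DnsName 'dc1.yourlastname.ca' -IPAddress 192.168.100.10

# 3a. The lab's option 060 as a server option. Option 60 is the vendor class identifier; the
#     standard value is the literal string PXEClient and it matters only when DHCP and WDS
#     share a host.
if (-not (Get-DhcpServerv4OptionDefinition -OptionId 60 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -OptionId 60 -Name 'PXE Client' -Type String
}
Set-DhcpServerv4OptionValue -OptionId 60 -Value 'PXEClient'

# 3b. What Microsoft documents for DHCP and WDS on separate hosts: name the boot server and
#     boot file explicitly. Scope-level so only Office clients get them.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 66 -Value $wdsFqdn
Set-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 67 -Value 'boot\x64\wdsnbp.com'

# 4. Check: every option (scope plus inherited server options) and the exclusions
Get-DhcpServerv4OptionValue -ScopeId $scopeId -All | Select-Object OptionId, Name, Value
Get-DhcpServerv4ExclusionRange -ScopeId $scopeId
```

The exclusion cmdlets fail if the same range already exists, so the script is meant to be run once per scope; the final two commands are safe to rerun at any time to confirm the state.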

ADD BOOT IMAGE/CREATE AN IMAGE FILE


1. On MS1, install the Windows Assessment and Deployment Kit (ADK). The installation
file is found under Software Library on the course's main page.
2. To save space, remove the ADK setup files from MS1 after you have successfully
installed the ADK.

Create Unattended File

1. Create a folder named Deployment on the E drive of MS1.
2. Open Windows System Image Manager (search the Start menu).
3. Under Tools, select Create Distribution Share and select the folder created in Step 1
of this task.
4. Copy install.wim from your DVD-ROM to E:\ on MS1.
5. Select File, then Select Windows Image.
6. Select the install.wim file (E:\install.wim) and click Open.
7. Select Windows Server 2012 SERVERDATACENTER and click OK.
8. If prompted to create a catalog file, click Yes.
9. Click File, then select New Answer File.
10. Select $OEM$ Folders from the Distribution Share.
11. Expand Components, right-click amd64_Microsoft-Windows-Shell-Setup_... and select
Add Setting to Pass 4 specialize.
12. Change the ProductKey to W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9 (this is Microsoft's published
KMS client setup key for Windows Server 2012 R2 Datacenter, not a secret).
13. Validate the answer file by clicking Tools -> Validate Answer File.
14. Create the configuration set by clicking Tools -> Create Configuration Set.
Location: \\...MS1\REMINST (the WDS remote installation share).
Note: the answer file is stored on a share that PXE clients read, so never put a real
local administrator password in it; the AdministratorPassword element is only base64
encoded, not encrypted.

Deploy using an Unattend File


1. Open the Windows Deployment Services console.
2. Open the properties of your WDS server.
3. On the Client tab, select the Enable unattended installation checkbox and click
the Browse button corresponding to the processor architecture of the client computer.
4. Locate your unattend file and click Open. Click OK to close the properties dialog
box.
5. Open the properties of your install image.
6. Check the Allow image to install in unattended mode checkbox.
7. Click Select File and locate your unattend file, click OK, then OK again to close the
dialog box.

PERFORM AN UNATTENDED INSTALL USING WDS


3. Boot the virtual machine and take note of the GUID shown next to the client's MAC
address on the PXE screen. You will need this number in the next step.
4. Prestage a computer for WDS:
a. Install the Active Directory Users and Computers RSAT (AD DS and AD LDS Tools) on
MS1.
b. Open Active Directory Users and Computers on MS1 and create a computer object
as follows:
i. Type in the computer name: yourlastname-WSUS
ii. Click Next. If you do not see a Next button, make sure you are using Active Directory
Users and Computers on MS1, where WDS is installed (the Managed page only appears there).
iii. Check This is a managed computer and enter the GUID of your client machine
collected in Step 3. Remove the dashes when entering the GUID, then click Next.
iv. Check The following remote installation server and enter the FQDN of your MS1
server, i.e. yourlastname-ms1.yourlastname.ca; click Next, then Finish.
c. Reboot your client machine and press F12 when prompted during the boot sequence.
d. Go through the on-screen instructions. Be sure to select the Server 2012 R2
Datacenter edition.
e. Once installation is complete, configure the following settings:
i. Hostname: yourlastname-WSUS
ii. IP: 192.168.100.21/24
iii. Gateway: 192.168.100.254
iv. Preferred DNS: 192.168.100.10
v. Join it to your domain.
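The prestaging in step 4, as an added example (not part of the lab sheet) done from an elevated PowerShell prompt on MS1 with WDSUTIL, followed by a read-back of the attributes it writes on the computer object. The GUID is a constructed sample to be replaced with the one from your client's PXE screen; the computer and server names are the lab's placeholders.

```powershell
# Added example: prestage the WDS client in AD from MS1 and verify the result.
# Assumptions: WDS and the AD RSAT tools are installed on MS1, and the caller may create
# computer objects in the domain. Names are the lab's placeholders.
Import-Module ActiveDirectory

function ConvertTo-WdsDeviceId {
    # Accepts the GUID as printed by the PXE ROM (with or without braces and dashes) or a
    # MAC address, and returns the form WDSUTIL /ID expects: 32 hex digits for a GUID, or
    # 20 zeros followed by the 12 MAC digits.
    param([Parameter(Mandatory)][string]$Id)
    $hex = ($Id -replace '[^0-9A-Fa-f]', '').ToUpper()
    switch ($hex.Length) {
        32      { return $hex }
        12      { return ('0' * 20) + $hex }
        default { throw "Not a GUID or MAC address: '$Id'" }
    }
}

$device   = 'yourlastname-WSUS'
$referral = 'yourlastname-ms1.yourlastname.ca'
$id       = ConvertTo-WdsDeviceId '{564D1234-ABCD-EF01-2345-6789ABCDEF01}'   # constructed sample GUID

# WDSUTIL creates the computer object and sets netbootGUID / netbootMachineFilePath on it,
# which is exactly what the "This is a managed computer" page in ADUC does.
wdsutil /Add-Device "/Device:$device" "/ID:$id" "/ReferralServer:$referral"
if ($LASTEXITCODE -ne 0) { throw "wdsutil failed with exit code $LASTEXITCODE" }

# Verify: read the attributes back and render netbootGUID the way the PXE screen shows it.
$c = Get-ADComputer -Identity $device -Properties netbootGUID, netbootMachineFilePath
[pscustomobject]@{
    Name           = $c.Name
    NetbootGuid    = (New-Object System.Guid -ArgumentList (,[byte[]]$c.netbootGUID)).ToString().ToUpper()
    ReferralServer = $c.netbootMachineFilePath
}
```

With Respond only to known client computers set on the WDS server, a machine whose GUID or MAC is not on a computer object in this way is simply ignored at PXE time, so a typo in the GUID shows up as "no response from WDS" rather than as an error on the server.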

CONFIGURING AUTOMATIC UPDATES VIA GPO


9. Edit the WSUS GPO, expand Computer Configuration / Policies / Administrative
Templates / Windows Components and select Windows Update.
10. Configure the following settings:
a. Enabling Windows Update Power Management to automatically wake up the system to
install scheduled updates: Enabled
b. Configure Automatic Updates: Enabled, 4 - Auto download and schedule the install,
every day at 3:00 AM
c. Allow Automatic Updates immediate installation: Enabled
d. Turn on recommended updates via Automatic Updates: Enabled (installs recommended as
well as important/critical patches)
e. No auto-restart with logged on users for scheduled automatic updates installations:
Enabled
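The same settings written to the WSUS GPO with the GroupPolicy module, plus a check function to run on a member server after gpupdate, as an added example that is not part of the lab sheet. The registry value names are the ones behind the Windows Update administrative template; the intranet server URL is an assumption (the lab does not state one) and is included so the check can flag the plain-HTTP case.

```powershell
# Added example: set the lab's Windows Update policy values on the 'WSUS' GPO and verify
# them on a client. Assumptions: the GPO is named WSUS (as in the lab); the WSUS URL is an
# assumption, WSUS listens on 8530 (HTTP) and 8531 (HTTPS) by default.
Import-Module GroupPolicy

$gpo  = 'WSUS'
$wu   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au   = "$wu\AU"
$wsus = 'http://yourlastname-wsus.yourlastname.ca:8530'   # assumption; use https://...:8531 in production

# Registry values behind the GUI settings in step 10 (WindowsUpdate.admx)
$policy = @{
    "$au|AUOptions"                     = 4   # Auto download and schedule the install
    "$au|ScheduledInstallDay"           = 0   # 0 = every day
    "$au|ScheduledInstallTime"          = 3   # 03:00
    "$au|AutoInstallMinorUpdates"       = 1   # Allow Automatic Updates immediate installation
    "$au|IncludeRecommendedUpdates"     = 1   # Turn on recommended updates via Automatic Updates
    "$au|NoAutoRebootWithLoggedOnUsers" = 1   # No auto-restart with logged on users
    "$au|AUPowerManagement"             = 1   # Wake the system to install scheduled updates
    "$au|UseWUServer"                   = 1   # Take updates from the intranet server below
}
foreach ($entry in $policy.GetEnumerator()) {
    $key, $name = $entry.Key -split '\|'
    Set-GPRegistryValue -Name $gpo -Key $key -ValueName $name -Type DWord -Value $entry.Value | Out-Null
}
Set-GPRegistryValue -Name $gpo -Key $wu -ValueName WUServer       -Type String -Value $wsus | Out-Null
Set-GPRegistryValue -Name $gpo -Key $wu -ValueName WUStatusServer -Type String -Value $wsus | Out-Null

function Test-WsusClientPolicy {
    # Run on a member server after 'gpupdate /force'; returns only the values that differ
    # from what the GPO should have applied (an empty result means everything matched).
    param([hashtable]$Expected = $policy)
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $got  = Get-ItemProperty -Path "$root\AU" -ErrorAction SilentlyContinue
    foreach ($entry in $Expected.GetEnumerator()) {
        $name = ($entry.Key -split '\|')[1]
        if ($got.$name -ne $entry.Value) {
            [pscustomobject]@{ Setting = $name; Expected = $entry.Value; Actual = $got.$name }
        }
    }
    $srv = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).WUServer
    if ($srv -notlike 'https://*') {
        # Clients trust update metadata from this URL; over plain HTTP it can be altered on
        # the wire, so flag anything that is not HTTPS.
        [pscustomobject]@{ Setting = 'WUServer'; Expected = 'https://... (port 8531)'; Actual = $srv }
    }
}
Test-WsusClientPolicy
```

Run the first part once from a machine with the GroupPolicy module, and copy `Test-WsusClientPolicy` to any client you want to audit; the HTTPS check will fire on the lab's HTTP URL by design.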

DEPLOYING/CONFIGURING WSUS
1. On your WSUS server, install the Windows Server Update Services role with the
following settings:
a. Do not select Store updates in the following location. *Note: this is for our lab
environment, as we do not wish to download a copy of the updates to our virtual
machines.
2. From the WSUS server, open the Windows Server Update Services console.
3. You will be prompted to complete the WSUS installation; click Run to complete the
setup, then Close.
4. Go through the configuration wizard using the following options:
a. Uncheck: Yes, I would like to join the Microsoft Update Improvement Program
b. Synchronize from Microsoft Update (Note: as you deploy more WSUS servers, this is
where you define a different upstream WSUS server, and whether this server is a replica
or autonomous.)
c. Connect to Upstream Server
d. Ensure only Windows Server 2012 R2 products are selected
e. Leave the defaults on the Classifications page
f. Synchronize manually
g. Check Begin initial synchronization and click Finish.
Note: out of the box clients talk to WSUS over HTTP on port 8530. In production, configure
SSL on the WSUS site (port 8531) and point clients at the https:// URL, since a client
installs whatever the server it trusts tells it to.

CONFIGURING WSUS COMPUTER GROUPS


1. Within the Update Services console, expand Computers.
2. Right-click All Computers and select Add Computer Group.
3. Add the following computer groups:
a. Domain Controllers
b. Member Servers
c. IT
d. Marketing
e. Production
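As an added example (not part of the lab sheet), the same groups created through the WSUS administration API that the console calls, made idempotent so the script can be rerun, together with the targeting-mode setting that decides whether computers land in these groups by hand (the console default) or through the WSUS GPO. It assumes it is run on the WSUS server itself.

```powershell
# Added example: WSUS computer groups and targeting mode via the UpdateServices module.
# Assumption: run on the WSUS server (Get-WsusServer with no -Name connects locally).
Import-Module UpdateServices
$wsus = Get-WsusServer

function Add-WsusGroupIfMissing {
    # Creates each named target group once; returns the names that were newly created.
    param([string[]]$Names)
    $existing = $wsus.GetComputerTargetGroups() | Select-Object -ExpandProperty Name
    foreach ($n in $Names) {
        if ($n -notin $existing) {
            $null = $wsus.CreateComputerTargetGroup($n)
            $n
        }
    }
}
Add-WsusGroupIfMissing -Names 'Domain Controllers', 'Member Servers', 'IT', 'Marketing', 'Production'

$cfg = $wsus.GetConfiguration()
# Client-side targeting: the WSUS GPO's "Enable client-side targeting" setting (registry
# TargetGroupEnabled=1, TargetGroup=<name>) puts a machine into the group of that name.
# The default, Server, means membership is assigned by hand in the console.
if ($cfg.TargetingMode -ne 'Client') {
    $cfg.TargetingMode = 'Client'
    $cfg.Save()
}

# Summary of what the wizard set, for the record
[pscustomobject]@{
    Upstream      = if ($cfg.SyncFromMicrosoftUpdate) { 'Microsoft Update' }
                    else { "$($cfg.UpstreamWsusServerName):$($cfg.UpstreamWsusServerPortNumber)" }
    IsReplica     = $cfg.IsReplicaServer
    TargetingMode = $cfg.TargetingMode
    Groups        = ($wsus.GetComputerTargetGroups() | Select-Object -ExpandProperty Name) -join ', '
}

# Kick off the initial synchronization (the wizard's last checkbox) and show its state
$sub = $wsus.GetSubscription()
$sub.StartSynchronization()
$sub.GetSynchronizationStatus()
```

Group names in the GPO's TargetGroup value must match these names exactly, including case and spaces, or the client stays in Unassigned Computers.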

To enable Windows features

1. Enable a specific feature in the image. You can use the /All argument to enable all of
the parent features in the same command. For example, type:
   Dism /online /Enable-Feature /FeatureName:TFTP /All
To service an offline image, specify the location of the mounted image directory. For
example, type:
   Dism /Image:C:\test\offline /Enable-Feature /FeatureName:TFTP /All
2. Optional: get the status of the feature you have enabled. For example, type:
   Dism /online /Get-FeatureInfo /FeatureName:TFTP
If the status is Enable Pending, you must boot the image in order to enable the
feature entirely.

To mount an image
1. Open a command prompt with administrator privileges. If you are using a version of
Windows other than Windows 8, use the Deployment Tools Cmd Prompt installed with
the ADK or navigate to the DISM directory on your local computer.
2. Mount the image:
   Dism /Mount-Image /ImageFile:C:\test\images\myimage.wim /Index:1 /MountDir:C:\test\offline

To commit changes to an image
1. At the command prompt, type:
   Dism /Commit-Image /MountDir:C:\test\offline
2. Unmount the image (/Commit writes the changes into the .wim; use /Discard instead to
throw them away; an image left mounted blocks later servicing until it is cleaned up):
   Dism /Unmount-Image /MountDir:C:\test\offline /Commit

MICROSOFT MANAGEMENT CONSOLE (MMC)


1. Edit the Default Domain Policy to allow inbound remote management traffic. (The Default
Domain Policy applies to every domain member, workstations included; in production these
rules belong in a GPO linked to the servers' OU, so only the hosts you actually manage
remotely expose these services.)
2. Navigate to Computer Configuration / Policies / Windows Settings / Security
Settings / Windows Firewall with Advanced Security and select Windows
Firewall with Advanced Security / Inbound Rules.
3. Create the following predefined inbound rules:
a. COM+ Network Access
b. Remote Event Log Management
4. Close the policy and remember to update Group Policy on each server.
5. On MS1, open MMC by running mmc from the Run dialog box or the command line.
6. Click File, then Add/Remove Snap-in.
7. Add Event Viewer for both the local machine and DC1.
8. Add Services for both the local machine and DC1.
9. Save your MMC console on your desktop as Tool Kit.

MANAGING SERVICES
1. This is a discovery task geared towards familiarizing yourself with typical tasks for
managing services.
2. Using your Tool Kit MMC console, select Services for DC1.
3. Locate Print Spooler.
4. Make note of the following:
a. Startup type
b. Service status
c. Log On (the account the service runs as)
d. Recovery, including the recovery options
e. Dependencies

USING EVENT VIEWER


4. To forward DC1 events to MS1, follow the steps below:
a. On DC1, open a command prompt with elevated rights.
b. Type winrm quickconfig (this starts WinRM, sets it to start automatically, creates the
HTTP listener and opens the matching firewall exception).
c. Add the Network Service account as a member of the Event Log Readers security
group on DC1. Reboot DC1 before continuing.
d. Add the MS1 computer account to the Administrators group on DC1 by entering the
following command (DOMAIN\name form; a computer account's name ends in $):
   net localgroup Administrators yourlastname\yourlastname-MS1$ /add
Be aware of what this grants: a domain controller has no separate local Administrators
group, so this puts the MS1 computer account in the domain's built-in Administrators
group, and anything running as SYSTEM on MS1 is then an administrator of the domain
controller. For a collector-initiated subscription of the System log, the
least-privilege grant is to add yourlastname-MS1$ to Event Log Readers on DC1 instead
(the Security log additionally needs a channel access entry). Use the Administrators
grant only if the lab requires it, and remove it when the exercise is done.
e. On MS1, open a command prompt with elevated rights.
f. Run wecutil qc and press Y to configure the Windows Event Collector service to start
automatically (delayed start).
g. Ensure the Remote Event Log Management inbound firewall rules have applied (run
gpupdate /force and check the Inbound Rules list).
h. In Event Viewer on MS1, right-click Subscriptions and select Create Subscription.
i. Name the subscription Servers.
j. Select Collector initiated and click Select Computers to specify DC1.
k. Click Select Events and check Critical, Warning, Error and Informational.
l. Drop down Event logs and select Windows Logs / System.
m. Click OK until finished; view your forwarded events (Windows Logs / Forwarded Events)
after 15 - 20 minutes of system runtime.
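The Servers subscription from steps h-l expressed as a wecutil subscription file, created from an elevated PowerShell prompt on MS1, followed by the least-privilege grant on DC1 and a query that shows what has arrived. This is an added example, not part of the lab sheet; DC1's FQDN is the lab's placeholder.

```powershell
# Added example: create the 'Servers' collector-initiated subscription with wecutil and
# verify it. Assumptions: run on MS1 (collector) after 'wecutil qc'; dc1.yourlastname.ca is
# the lab's DC1 placeholder; WinRM is configured on DC1 as in steps a-c.
$source = 'dc1.yourlastname.ca'

# Level 1 Critical, 2 Error, 3 Warning, 4 Informational, 0 LogAlways (what the GUI's four
# checkboxes select). CredentialsType Default = the collector's computer account, which is
# why that account needs read access to the source's System log.
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Servers</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>System log from the domain controllers</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=0 or Level=1 or Level=2 or Level=3 or Level=4)]]</Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>$source</Address></EventSource>
  </EventSources>
</Subscription>
"@
$path = Join-Path $env:TEMP 'Servers.xml'
Set-Content -Path $path -Value $xml -Encoding UTF8
wecutil cs $path          # create the subscription
wecutil gr Servers        # runtime status: LastError / LastHeartbeatTime per source

# On DC1, the least-privilege grant for this subscription (instead of Administrators):
#   Add-ADGroupMember -Identity 'Event Log Readers' -Members 'yourlastname-MS1$'

function Get-ForwardedEventSummary {
    # What has arrived so far, grouped by source machine and level; run after 15-20 minutes.
    param([int]$MaxEvents = 500)
    Get-WinEvent -LogName ForwardedEvents -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Group-Object MachineName, LevelDisplayName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}
Get-ForwardedEventSummary
```

If `wecutil gr` reports an access-denied error for DC1, the computer account is missing from Event Log Readers on the source (or the firewall rule from the GPO has not applied yet); a WinRM connection error means step b on DC1 did not complete.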

MANAGING PERFORMANCE
1. To show Nonpaged (NP) Pool and Paged Pool for all processes in Task Manager, follow
the steps below:
a. Open Task Manager (CTRL+ALT+DEL, then select Task Manager).
b. Select More details, if the details view is not already shown.
c. Select the Details tab, right-click a column header -> Select Columns. Check Paged
Pool and NP Pool.
2. To identify the highest current CPU usage, follow the steps below:
a. Server Manager -> Tools -> Resource Monitor
b. On the CPU tab, click the CPU column header to sort by current CPU usage.
3. To create an alert using Performance Monitor, do the following:
a. Open Performance Monitor: Server Manager -> Tools -> Performance Monitor
b. Expand Data Collector Sets, right-click the User Defined folder and choose New ->
Data Collector Set.
c. Name the collector set Alerts, select Create manually (Advanced) and click Next.
d. Choose Performance Counter Alert and click Next.
e. Add the performance counter Processor\% Processor Time (_Total), set the alert to
fire when the value is above 70, and click Finish.
f. Under User Defined, click Alerts and double-click your data collector set
(DCS). Select the Alert Action tab and check Log an entry in the application event
log.
4. Explore Task Manager, Resource Monitor and Performance Monitor.

INSTALL AND CONFIGURE DFS NAMESPACES


1. On MS1, install the DFS Namespaces role service [File and Storage Services / File and
iSCSI Services].
2. Open DFS Management from Server Manager.
3. Right-click Namespaces and select New Namespace.
a. On the Namespace Server page, enter MS1.
b. Name your namespace Teams.
c. On the Namespace Type page, select Domain-based namespace and ensure Enable
Windows Server 2008 mode is checked.
d. Create your namespace.
4. Create a share on MS1 for each department and an associated global security group
for each department. Grant each department's group Modify permission on its respective
share. (Remember best practices for share versus folder permissions: it is safe to
assume you leave Administrators and SYSTEM with Full Control, remove the default
Users/Everyone entries, and let the NTFS ACL do the fine-grained work.)
5. Add a DFS folder for each department [IT, Marketing, Production and Sales]:
a. In DFS Management, select your namespace in the left pane; in the Actions pane select
New Folder.
b. Click Add and type in the UNC path of the share for the folder.
c. Repeat for each team.
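One team share built the way step 4 describes (folder, global group, NTFS ACL with inheritance broken, share ACL without Everyone) and published in the Teams namespace, then repeated for all four teams, as an added example that is not part of the lab sheet. The share root E:\Shares, the group naming convention, the NetBIOS domain name and the namespace path are assumptions.

```powershell
# Added example: team shares with split share/NTFS permissions and the DFS folders of step 5.
# Assumptions: run on MS1 as a domain admin; shares live under E:\Shares; the NetBIOS domain
# is YOURLASTNAME; the namespace is \\yourlastname.ca\Teams (domain-based, 2008 mode).
Import-Module ActiveDirectory, SmbShare, DFSN

$domain = 'YOURLASTNAME'
$server = 'yourlastname-MS1'
$nsRoot = '\\yourlastname.ca\Teams'
$base   = 'E:\Shares'
$teams  = 'IT', 'Marketing', 'Production', 'Sales'

function New-TeamShare {
    # Folder + global security group + NTFS ACL (Admins/SYSTEM full, team modify, nothing
    # inherited) + share ACL (team change, admins full). Returns the share's UNC path.
    param([Parameter(Mandatory)][string]$Team)
    $path  = Join-Path $base $Team
    $group = "GS-$Team"                              # naming convention is an assumption
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
    }
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting; drops BUILTIN\Users etc.
    foreach ($ace in @(
            @('BUILTIN\Administrators', 'FullControl'),
            @('NT AUTHORITY\SYSTEM',    'FullControl'),
            @("$domain\$group",         'Modify'))) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace[0], $ace[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $path -AclObject $acl
    # Share permissions stay coarse; naming any access parameter suppresses the default
    # Everyone/Read entry. Access-based enumeration hides what the user cannot open.
    New-SmbShare -Name $Team -Path $path -ChangeAccess "$domain\$group" `
        -FullAccess 'BUILTIN\Administrators' -FolderEnumerationMode AccessBased | Out-Null
    "\\$server\$Team"
}

# The namespace root needs an existing share to point at; read-only for everyone is fine,
# the real data sits behind the folder targets.
New-Item -ItemType Directory -Path 'E:\DfsRoots\Teams' -Force | Out-Null
if (-not (Get-SmbShare -Name Teams -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name Teams -Path 'E:\DfsRoots\Teams' -ReadAccess 'Everyone' | Out-Null
}
if (-not (Get-DfsnRoot -Path $nsRoot -ErrorAction SilentlyContinue)) {
    New-DfsnRoot -Path $nsRoot -TargetPath "\\$server\Teams" -Type DomainV2 | Out-Null
}
Set-DfsnRoot -Path $nsRoot -EnableAccessBasedEnumeration $true   # namespace-level ABE

foreach ($t in $teams) {
    $target = New-TeamShare -Team $t
    New-DfsnFolder -Path "$nsRoot\$t" -TargetPath $target | Out-Null
}
Get-DfsnFolder -Path "$nsRoot\*" | Select-Object Path, State
```

A user who is not in GS-IT gets access denied at the NTFS layer and, with both ABE settings on, does not even see the IT folder when browsing the namespace; an administrator still sees everything because Full Control is kept on the folder.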

MANAGING SECURITY AND CONFIGURING DFS REPLICATION
1. In DFS Management, right-click your Teams namespace and select Properties.
a. Under the Advanced tab, select Enable access-based enumeration for this
namespace.
2. On your WSUS server, create a folder for each team [IT, Marketing, Production and
Sales]. Share these folders using the same file and share permissions as defined for each
respective team's share on MS1.
3. Install the DFS Replication role service on MS1 and WSUS [File and Storage Services /
File and iSCSI Services].
4. Open DFS Management.
5. Right-click Replication and select New Replication Group.
a. Select Multipurpose replication group.
b. Name the group Team Shares.
c. Add both the MS1 and WSUS servers to the list of members.
d. Select Full mesh.
e. Make MS1 the primary member.
f. Add each of the team folders created on MS1 to the list of folders to replicate.
g. For each local path (IT, Marketing, etc.) select your WSUS server and click Edit:
i. Select Enabled.
ii. Browse to the respective shared folder location on the WSUS server. Click OK.
iii. Repeat step g for each replicated folder.
iv. Click No when asked to create a replication group, as we already did this step.
h. Create the replication group.
6. Select the Teams namespace, click IT in the center pane, and then select Add
Folder Target from the Actions pane.
7. Add the UNC path of the share on the WSUS server.
8. Repeat steps 6 and 7 for each folder.
9. Create a file in one of the team DFS shares. Verify the file was copied to both servers'
local folders.
View the staging area [Shared Folder\DfsrPrivate\Staging] and the Conflict and Deleted
folder [Shared Folder\DfsrPrivate\ConflictAndDeleted]. Note: uncheck Hide protected
operating system files in the folder view options to see DfsrPrivate. Also note that
ConflictAndDeleted is only populated when a conflict or deletion occurs, and that during
initial replication the primary member wins: files that existed only on the non-primary
member are moved to its PreExisting folder, not merged.
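The replication group from step 5 and the second folder targets from steps 6-8 built with the DFSR and DFSN modules, plus a backlog check for step 9, as an added example that is not part of the lab sheet. It assumes the same E:\Shares\<team> layout on both servers and the lab's placeholder names.

```powershell
# Added example: 'Team Shares' replication group (full mesh, MS1 primary) and the WSUS-side
# folder targets. Assumptions: DFS Replication installed on both servers; E:\Shares\<team>
# exists and is shared on both; names are the lab's placeholders.
Import-Module DFSR, DFSN

$group   = 'Team Shares'
$primary = 'yourlastname-MS1'
$partner = 'yourlastname-WSUS'
$nsRoot  = '\\yourlastname.ca\Teams'
$teams   = 'IT', 'Marketing', 'Production', 'Sales'

if (-not (Get-DfsReplicationGroup -GroupName $group -ErrorAction SilentlyContinue)) {
    New-DfsReplicationGroup -GroupName $group | Out-Null
}
Add-DfsrMember -GroupName $group -ComputerName $primary, $partner | Out-Null
# Two members in full mesh = one connection; Add-DfsrConnection creates both directions
Add-DfsrConnection -GroupName $group -SourceComputerName $primary -DestinationComputerName $partner | Out-Null

foreach ($t in $teams) {
    New-DfsReplicatedFolder -GroupName $group -FolderName $t | Out-Null
    # Primary member is authoritative for the initial sync (step 5e); the partner's own
    # copies of conflicting files end up under DfsrPrivate\PreExisting.
    Set-DfsrMembership -GroupName $group -FolderName $t -ComputerName $primary `
        -ContentPath "E:\Shares\$t" -PrimaryMember $true -StagingPathQuotaInMB 4096 -Force | Out-Null
    Set-DfsrMembership -GroupName $group -FolderName $t -ComputerName $partner `
        -ContentPath "E:\Shares\$t" -StagingPathQuotaInMB 4096 -Force | Out-Null
    # Steps 6-8: second folder target so the namespace can refer clients to either copy
    New-DfsnFolderTarget -Path "$nsRoot\$t" -TargetPath "\\$partner\$t" | Out-Null
}
# Make both members pick up the new AD configuration now instead of at the next poll
Update-DfsrConfigurationFromAD -ComputerName $primary, $partner

function Get-TeamReplicationBacklog {
    # Files waiting to replicate from MS1 to WSUS per folder; 0 everywhere means in sync.
    foreach ($t in $teams) {
        $n = (Get-DfsrBacklog -GroupName $group -FolderName $t -SourceComputerName $primary `
                -DestinationComputerName $partner | Measure-Object).Count
        [pscustomobject]@{ Folder = $t; Backlog = $n }
    }
}
Get-TeamReplicationBacklog
```

Right after creation the backlog is expected to be non-zero while the initial sync runs; rerun `Get-TeamReplicationBacklog` after creating the test file in step 9 to watch it drain.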

To enable Reliability Monitor data collection by using the GUI:

1. Click Start, type taskschd.msc in the Start Search box, and then press ENTER. If you
are prompted for an administrator password or confirmation, type the password or provide
confirmation. Alternatively, you can open the Task Scheduler snap-in from within Server
Manager: in the Server Manager tree pane, expand Configuration, and then go on to step 2.
2. In the navigation pane, expand Task Scheduler Library, expand Microsoft, expand
Windows, and then click RAC.
3. Right-click RAC, point to View, and then either click Show Hidden Tasks or verify that
it is already selected.

RESOLUTION (Reliability Monitor not collecting data)
To resolve this issue, follow these steps:
1. Enable the trigger that regularly starts the RacTask task:
a. Click Start, type Task Scheduler in the Search box, and then click Task Scheduler.
b. In Task Scheduler, expand Task Scheduler Library, expand Microsoft, and then
expand Windows.
c. Right-click RAC, click View, and then select Show Hidden Tasks. Note: if Show Hidden
Tasks is already selected, go to step 1d.
d. Double-click RacTask.
e. In the RacTask Properties dialog box, click the Triggers tab.
f. On the Triggers tab, double-click the One time trigger.
g. In the Edit Trigger dialog box, select the Enabled option, and then click OK.
h. In the RacTask Properties dialog box, click OK.
i. Close Task Scheduler.
2. Update a registry setting:
a. Click Start, type Regedit in the Search box, and then click Regedit.
b. In Registry Editor, set the value of the following registry entry to 1:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\WMI\WMIEnable
c. Restart the computer.

USING DISK QUOTAS


1. On MS1, install the File Server Resource Manager role service [File and Storage
Services / File and iSCSI Services].
2. From Server Manager, open File Server Resource Manager.
3. Create a template:
a. Expand Quota Management, right-click Quota Templates and select Create Quota
Template.
b. Name the quota template Team Folders.
c. In the Space limit section, type 1 GB and select Hard quota (a hard quota refuses
writes at the limit; a soft quota only reports).
d. Click Add under Notification Thresholds:
i. Select the Report tab and check Generate reports.
ii. Check Quota Usage under Select reports to generate.
iii. Click OK.
e. Click OK to save the template.
4. Apply the template to the folders:
a. In File Server Resource Manager, under the Quota Management node, click the
Quota Templates node.
b. Right-click the template you wish to use and click Create Quota from Template.
c. Enter the path of your team shares.
d. Click Create.
5. To monitor quota use, expand the Quota Management node in FSRM and select
Quotas; the results are shown in the center pane.

FILE SCREENING
1. Create a file group:
a. In FSRM, expand the File Screening Management node and select the File Groups
node.
b. Right-click File Groups and select Create File Group.
c. Name the group Our Office Docs.
d. Add to the inclusion list: *
e. Add to the exclusion list: *.docx, *.pptx, *.pdf and *.txt
f. Click OK to create the file group. (With * included and the four document types
excluded, this group matches everything except those types, i.e. an allow-list by file
extension. FSRM matches on the file name only; it never inspects content, so a renamed
executable still passes.)
2. Create a file screen using the file group we just created:
a. In FSRM, expand the File Screening Management node and select File Screens.
b. Right-click File Screens and select Create File Screen.
c. Enter the path of your team folders.
d. Select Define custom file screen properties.
e. Set the screening type to Active screening (Passive screening would only log).
f. Select the Our Office Docs file group.
g. Click the Report tab, select Generate reports and select File Screening Audit.
h. Click OK until all dialog boxes are closed. Select Save the custom file screen
without creating a template and click OK.
3. Test the file screening by creating various document types and copying them to
your team folders.
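The quota template, quotas, file group and file screen from the two sections above via the FileServerResourceManager module, plus a small function that mirrors how FSRM evaluates a file group so the allow-list behaviour (and its name-only limitation) can be checked before copying files around. This is an added example, not part of the lab sheet; the E:\Shares layout is an assumption.

```powershell
# Added example: FSRM quota template, quotas and file screen for the team folders.
# Assumption: run on MS1 with FSRM installed; team folders live under E:\Shares.
Import-Module FileServerResourceManager
$folders = 'IT', 'Marketing', 'Production', 'Sales' | ForEach-Object { "E:\Shares\$_" }

# Quota template: 1 GB hard limit (no -SoftLimit) with a Quota Usage report at 100 %
$usageReport = New-FsrmAction -Type Report -ReportTypes QuotaUsage
$atLimit     = New-FsrmQuotaThreshold -Percentage 100 -Action $usageReport
if (-not (Get-FsrmQuotaTemplate -Name 'Team Folders' -ErrorAction SilentlyContinue)) {
    New-FsrmQuotaTemplate -Name 'Team Folders' -Size 1GB -Threshold $atLimit | Out-Null
}
foreach ($f in $folders) {
    if (-not (Get-FsrmQuota -Path $f -ErrorAction SilentlyContinue)) {
        New-FsrmQuota -Path $f -Template 'Team Folders' | Out-Null
    }
}

# File group: include everything, exclude the four document types = allow-list by extension
if (-not (Get-FsrmFileGroup -Name 'Our Office Docs' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Our Office Docs' -IncludePattern '*' `
        -ExcludePattern '*.docx', '*.pptx', '*.pdf', '*.txt' | Out-Null
}
# Active screen with a File Screening Audit report when a write is blocked
$audit = New-FsrmAction -Type Report -ReportTypes FileScreenAudit
foreach ($f in $folders) {
    if (-not (Get-FsrmFileScreen -Path $f -ErrorAction SilentlyContinue)) {
        New-FsrmFileScreen -Path $f -IncludeGroup 'Our Office Docs' -Active -Notification $audit | Out-Null
    }
}

function Test-FileScreenAllows {
    # Mirrors FSRM's file-group logic on a name: a name matching any exclude pattern is
    # allowed; otherwise a name matching an include pattern is blocked. Only the name is
    # tested, never the content, so 'payload.exe' renamed 'payload.txt' is allowed.
    param([Parameter(Mandatory)][string]$FileName, [string]$GroupName = 'Our Office Docs')
    $g = Get-FsrmFileGroup -Name $GroupName
    $excluded = @($g.ExcludePattern | Where-Object { $FileName -like $_ }).Count -gt 0
    $included = @($g.IncludePattern | Where-Object { $FileName -like $_ }).Count -gt 0
    return ($excluded -or -not $included)
}
'report.docx', 'tool.exe', 'payload.txt', 'setup.msi' | ForEach-Object {
    [pscustomobject]@{ File = $_; Allowed = Test-FileScreenAllows -FileName $_ }
}
Get-FsrmQuota | Select-Object Path, Size, Usage
```

Expect report.docx and payload.txt to be allowed and tool.exe and setup.msi to be blocked; the payload.txt case is the reason file screening is a housekeeping control and not a substitute for application control on the clients.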

FILE MANAGEMENT TASKS


1. In FSRM, select the File Management Tasks node.
2. Right-click the File Management Tasks node and select Create File Management Task.
3. Name the task: Team Files Expire
4. Under the Scope tab, add each team folder to the list of folders to be included in the
scope.
5. On the Action tab, select File expiration and set the expiration directory to E:\Expired
(expired files are moved there, not deleted, so the directory needs the same access
restrictions as the team folders).
6. Under the Condition tab, check Days since file was last accessed and set it to 90
days.
7. On the Schedule tab, schedule the task to run daily at 9:00 PM.

ENCRYPT/DECRYPT FOLDER/FILES USING EFS


1. Create a folder on the C drive of MS1 named Temp.
2. Encrypt a file/folder:
a. Right-click the Temp folder and select Properties.
b. Under the General tab, click Advanced.
c. Select the Encrypt contents to secure data checkbox.
d. Click OK until the properties dialog box closes.
3. Create a text file, enter a message, and save the file in your Temp folder.
4. Log in as a different user and see if you can open the file. Is this what you expected?
5. Decrypt the folder:
a. Log in as the user who encrypted the folder.
b. Right-click the Temp folder and select Properties.
c. Under the General tab, click Advanced.
d. Clear the Encrypt contents to secure data checkbox.
e. Click OK until the properties dialog box closes.
6. Delete the Temp folder once complete.

SHARING FILES PROTECTED WITH EFS


1. Create 3 users and add them to the IT security group.
2. We need a certificate for each user; one is generated automatically the first time a
user encrypts a file/folder.
a. For each of the 3 users you created, log in to MS1.
b. Create a folder (any name).
c. Encrypt the folder.
d. Delete the folder.
3. Right-click the IT folder and select Properties.
4. On the General tab, click Advanced and check Encrypt contents to secure data.
Click OK and close the dialog box.
5. Create a text file in your IT shared folder with a message in it.
6. Go into the properties of the file you created, select Advanced, click Details and
click Add.
7. Add two of the three users you created who are members of the IT team. Note: you
cannot use security groups here; EFS stores one entry per user certificate in the file.
8. Click OK until the properties dialog box closes.
9. Log in as each of the users you created and see if you can access the file's content.
Are the results what you expected?
10. Can you do this for a folder, or just for an existing file? What are the drawbacks of
this?
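What the Details dialog does, done with cipher.exe so the answers to questions 9 and 10 can be observed rather than guessed, as an added example that is not part of the lab sheet. The user name and file contents are constructed; it assumes the user already has an EFS certificate (step 2) and that the IT share is at E:\Shares\IT on MS1.

```powershell
# Added example: share an EFS-encrypted file with a second user and show why it does not
# carry over to files created later. Assumptions: run on MS1 as the file's owner; 'alice'
# is a constructed domain user with an EFS certificate; the IT share is E:\Shares\IT.
$share = 'E:\Shares\IT'
$file  = Join-Path $share 'message.txt'

cipher /e $share                                      # folder gets the encrypt attribute
Set-Content -Path $file -Value 'hello team'           # constructed sample content, encrypted on write
# /user looks the user's EFS certificate up in Active Directory. There is no group form:
# each entry in the file's key field (DDF) is one user certificate.
cipher /adduser /user:alice $file

function Get-EfsDecryptors {
    # Parses 'cipher /c' (English output) into the list of accounts that can open the file.
    param([Parameter(Mandatory)][string]$Path)
    $users   = New-Object System.Collections.Generic.List[string]
    $inBlock = $false
    foreach ($line in (cipher /c $Path)) {
        if ($line -match 'Users who can decrypt') { $inBlock = $true; continue }
        if ($inBlock) {
            if ($line.Trim() -eq '') { break }                       # end of the block
            if ($line -notmatch 'thumbprint') { $users.Add($line.Trim()) }
        }
    }
    [pscustomobject]@{ File = $Path; CanDecrypt = ($users -join '; ') }
}
Get-EfsDecryptors -Path $file        # owner and alice

# The drawback behind question 10: the extra user is attached to this file's key blob, not to
# the folder, so a file created afterwards lists only its creator (plus any recovery agent).
$later = Join-Path $share 'later.txt'
Set-Content -Path $later -Value 'created after adduser'
Get-EfsDecryptors -Path $later       # alice is absent

# /s applies /adduser to every file already in the folder, but still not to future ones:
#   cipher /adduser /user:alice /s:$share
```

This is why EFS on a shared folder does not scale to team access: every new file needs another `/adduser` per colleague, and a user whose certificate is renewed has to be re-added to every file. Group-based access belongs in the NTFS ACL; EFS protects the bytes at rest against someone who bypasses that ACL.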

EFS RECOVERY AGENT


1. On DC1, install the Active Directory Certificate Services role. Once added,
configure Active Directory Certificate Services, include Certification Authority,
then accept all the default settings.
2. Create a user named Recovery. *Note: it is not good practice in production to name a
user account in a way that tells an attacker what the role of the account is, but in our
labs this will be okay.
3. Log in to your DC as your Recovery user (this creates the user's profile).
4. Add the Recovery user as a member of the Domain Admins security group.
5. Log in to your domain as Recovery and open the Group Policy Management Console.
6. Edit the Default Domain Policy.
7. Expand Computer Configuration\Policies\Windows Settings\Security
Settings\Public Key Policies, right-click Encrypting File System and select
Create Data Recovery Agent.
8. Click Encrypting File System and view the certificates that are displayed.
9. Remove Administrator as a recovery agent; remove the Recovery user from the
Domain Admins group. (In production, also export the recovery agent's private key to
removable media, store it offline, and delete it from the account's profile: whoever holds
that key can decrypt every EFS file in the domain, so the account should not carry it
day to day.)
10. Update Group Policy on DC1 and MS1.
11. Test your configuration:
a. Create a folder on MS1 as a user other than the Recovery user.
b. Encrypt the folder using EFS.
c. In the folder properties, view the details of the EFS settings. You should see your
Recovery user listed as a recovery agent.
d. You can delete this test folder when complete.

ENCRYPTING FILES WITH BITLOCKER


1. Install the BitLocker Drive Encryption feature on MS1.
2. We do not have a TPM in VMware Workstation, so we will use a workaround. *Note: do
not use this workaround in production; use a TPM (ideally TPM plus PIN) or a USB startup
key as outlined in your text instead. This is a good workaround for our lab environment.
a. Shut down MS1.
b. Add a virtual floppy disk and create a floppy disk image named TPM.
c. Ensure the floppy disk is connected at startup.
d. Boot MS1 and enter the BIOS.
e. Change the boot order so Removable Devices is last in the list.
f. Save the configuration and reboot MS1.
g. Reboot MS1.
h. Run GPEDIT.MSC (edit the local policy).
i. Expand Computer Configuration/Administrative Templates/Windows
Components/BitLocker Drive Encryption/Operating System Drives:
i. Require additional authentication at startup: Enabled
1. Allow BitLocker without a compatible TPM: checked
2. Configure TPM startup PIN: Allow startup PIN with TPM
3. Configure TPM startup key: Allow startup key with TPM
4. Configure TPM startup key and PIN: Allow startup key and PIN with TPM
j. Format your floppy drive (A:) with the FAT file system.
k. In Control Panel, open System and Security, then select BitLocker Drive
Encryption.
l. Next to C:, select Turn on BitLocker.
i. Select Enter a password and specify a password.
ii. Save the recovery key on the A: drive and click Next. (The recovery password on the
floppy unlocks the drive on its own; treat that image like the key it is.)
iii. Select Encrypt used disk space only and click Next.
iv. Continue and restart. You may be asked to disconnect any DVD-ROMs; in this case,
disconnect your virtual DVD-ROM. Once complete, decrypt the drive.
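After the wizard has run, the state a practitioner wants to confirm and the step the lab skips: escrowing the recovery password in Active Directory instead of only on the floppy. This is an added example, not part of the lab sheet; it assumes the BitLocker module is present on MS1 and that the domain GPO permits backing recovery information up to AD DS (Choose how BitLocker-protected operating system drives can be recovered), which the lab does not configure.

```powershell
# Added example: BitLocker status report, AD escrow of the recovery password, and the lab's
# final decrypt. Assumptions: run elevated on MS1 after the wizard; the AD backup GPO
# setting is enabled; the ActiveDirectory module is available for the read-back.
Import-Module BitLocker

function Get-BitLockerReport {
    # One line per volume: is it encrypted, is protection actually on, which protectors exist.
    param([string]$MountPoint = 'C:')
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        Volume     = $v.MountPoint
        Status     = $v.VolumeStatus            # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        Percent    = $v.EncryptionPercentage
        Protection = $v.ProtectionStatus        # Off means the key is not sealed: the disk is open
        Method     = $v.EncryptionMethod
        Protectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

# Only a RecoveryPassword protector can be escrowed to AD; the wizard's "save to A:" created
# one, but add it explicitly so the script also works on a volume that lacks it.
$vol = Get-BitLockerVolume -MountPoint 'C:'
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
# Writes an msFVE-RecoveryInformation child object under the computer account
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp[0].KeyProtectorId
Get-BitLockerReport

function Get-EscrowedRecoveryPassword {
    # Helpdesk-style read-back from AD to prove the escrow worked (needs read rights on the
    # msFVE objects, which are restricted by default).
    param([string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -SearchBase $dn -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword' |
        Select-Object Name, 'msFVE-RecoveryPassword'
}
Get-EscrowedRecoveryPassword

# Lab clean-up (the sheet's "decrypt the drive"): turns protection off and decrypts in the background
Disable-BitLocker -MountPoint 'C:'
```

If `Backup-BitLockerKeyProtector` fails with an access error, the AD schema is fine but the GPO setting for OS drive recovery has not been applied to this machine; the floppy copy from the wizard is then the only recovery path.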
Textbook references:
- pages 146-147: storage reports
- pages 161-163: backup certificates
- pages 180-202: chapter 7
- HOMEWORK CHALLENGE #2 - RECOVER DFS DATABASE (pages 126-127)
- True false cmd
- pages 49-51, 59: WSUS client-side targeting
