Skip to content

System Admistration

Creating a Test Windows network

Labs for System Administration
Learn Windows Sysadmin

Construct a closed network

Create two networks/VLANs (desktops and servers)

Install Windows Server (VM or standard hardware dealer's choice) GUI Mode.

Set up firewall

Set up the server as a basic router between the two networks. You'll need 2 NICs to accomplish this (NOTE: unless you have a really good reason for this, you will never do this in a production environment. But because this is a lab situation in VMware workstation and because the product does not support routing between networks, you'll need to put something in place very basic. Windows routing will get the job done and will be on an MCP exam)

Install another server, single NIC on the server VLAN

Create your first active directory domain controller. Install this in GUI mode

Create and setup the Domain Controller

  1. Create an OU (Organizational Unit) for your workstations
  2. Create an OU for your users
  3. Create an OU for groups
  4. From now on, any new computer or new user account must go into their respective OU.

DO NOT MOVE THE DOMAIN CONTROLLERS FROM THE DOMAIN CONTROLLER OU.

Test AD replication

Run command to test AD Replication:

repadmin /replsummary

Set up DNS

  1. Check out DNS and setup a reverse look up zone if not setup.
  2. Check out DNS. Records can get old and out of date and will screw up name to ip resolution. Make it so that scavenging happens automatically.
  3. (Optional) Block facebook.com via windows DNS. Resolve to loopback address. Test this via cmd to make sure it resolves as expected.

Set up DHCP

  1. Setup DHCP on Domain Controller
  2. Set up a scope to hand out IPs for the Desktop VLAN. Make it so that this DHCP scope will be able to give endpoints the information they need networking wise to join a domain
  3. Install a Windows 7 or newer PC on the desktop VLAN.
  4. Get an IP and join that desktop to the domain.
  5. Configure DHCP clustering. Click here for instruction to setup DHCP clustering Load balancing or failover is your choice. Now test it.

Setting up Users

  1. Create a non-domain admin account in AD. Fill out the whole profile once the account is created. Click here for instruction to setup Limited Domain Admin Account
  2. Login with regular AD user and if needed admin user to install software.
  3. Create another non-admin account as the local admin on that computer.
  4. Review the attributes of that account in AD. You'll need advanced features for this.
  5. Add users to their appropriate groups

Permissions Mounted Folders

  1. Install RAST (Remote Server Administration Tools) on the desktop
  2. Find the Flexible Single Master Operation (FSMO) roles using NetDOM /query FSMO
  3. Split the FSMO roles between the servers and keep forest level and domain level roles together.
  4. Use one domain controllers, create a file shared with administrators and the second non admin account.
  5. Create another folder and give only the AD group you created permissions.
  6. Use group policy to map both shares as network drives as a computer policy to the desktops.
  7. Login to the desktop as the first domain user. Check for the network drive. If not debug with gpresult. (You should get access denied)
  8. Login as the second domain user check the mapped drive. (You should get access granted)
  9. Check a user in the group to access the second drive. (You should get access granted)
  10. Check a non-admin workstation. (You should get access denied)
  11. Add the non-admin workstation account without logging off and check. (You should get access denied)
  12. Logoff and Log back on and check. (You should get access granted)
  13. Remove the share from the domain controller.

File Permissions

  1. Create another two servers and join it to the domain as member servers.
  2. Install DFS and File server roles/features on both servers.
  3. Create two file share on the servers with the same folder name.
  4. Create files on both servers with different names. (i.e server1 will have "TextDoc01", server2 will have "TextDoc02" in their shares).
  5. Create a DFS name space. Add those shares to the name space.
  6. On a domain joined work station, navigate to the DFS namespace you created. You should be able to see both files.
  7. Create a DFS Replication group with two way replication. (Both files should be on both servers).
  8. Change a file and check the other server for the change. (you can shut down the file servers for now if you want or use them for the next step)

Test

  1. Create another server, join it to the domain, install Windows Deployment Service (WDS).
  2. Change the second file server into a Windows Server Update Service (WSUS).
  3. Configure WDS so that you can PXE boot to it on the network. Make any required changes to routing and DHCP if need be.

Make a base image and setup updates

  1. Make a base image with sysprep and upload an image to WDS for PXE deployment.
  2. Test the image with a PXE boot when you turn it on, have it install the OS from here.
  3. Configure WSUS so that you will only download Security updates for the desktop and server OS's ( highly recommend that you do not download any updates if you have access to the internet from this server)
  4. Create server and workstation group in WSUS.
  5. Create a new group policy and add workstations into the WSUS workstation group that points to WSUS for updates and stops automatically downloading updates.
  6. Read up on approving and pushing updates since the current assumption is that there are no updates to be pushed in this enclosed test network since there is no internet access to download them. I believe there is a way to manually add updates to WSUS but I'm a bit foggy on that. Research it.
  7. Create a new group policy and add server into the WSUS workstation group that points to WSUS for updates and stops automatically downloading updates.

Create and list users in powershell

  1. Create a new AD user via powershell.
New-ADUser -Name "Jack Robinson" -GivenName "Jack" -Surname "Robinson" -SamAccountName "J.Robinson" -UserPrincipalName "[email protected]" -Path "OU=Managers,DC=enterprise,DC=com" -AccountPassword(Read-Host -AsSecureString "Input Password") -Enabled $true
  1. Create a new AD group via powershell.
NEW-ADGroup name Finance groupscope Global path OU=Offices,DC=Contoso,DC=local
  1. Print a list of all domain users and computers in powershell, names only
Get-ADComputer -Filter * -Properties * | Select -Property Name,DNSHostName,Enabled,LastLogonDate
Get-ADUser -Filter * -SearchBase "dc=domain,dc=local" | select Name,SID
  1. Remove a user account from AD using powershell
Remove-LocalUser -Name "AdminContoso02"
  1. Add a user to a group using powershell
Add-ADGroupMember -Identity SvcAccPSOGroup -Members AdminContoso02
  1. Provision new AD users via a CSV in powershell
$Users = Import-Csv -Delimiter "," -Path "C:\Userlist-sn.csv"            
foreach ($User in $Users)            
{            
    $Displayname = $User.Firstname + " " + $User.Lastname            
    $UserFirstname = $User.Firstname            
    $UserLastname = $User.Lastname            
    $OU = "$User.OU"            
    $SAM = $User.SAM            
    $UPN = $User.Firstname + "." + $User.Lastname + "@" + $User.Maildomain            
    $Description = $User.Description            
    $Password = $User.Password            
    New-ADUser -Name "$Displayname" -DisplayName "$Displayname" -SamAccountName $SAM -UserPrincipalName $UPN -GivenName "$UserFirstname" -Surname "$UserLastname" -Description "$Description" -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -Path "$OU" -ChangePasswordAtLogon $false PasswordNeverExpires $true -server domain.loc            
}