Lab: Securing AD DS.

Scenario.

The security team at A. Datum Corporation has been examining possible security issues in the organization, focusing on AD DS. The security team is particularly concerned with AD DS authentication and the security of branch office domain controllers. You must help improve security and monitoring of authentication against the enterprise's AD DS domain. Additionally, management at A. Datum has instituted a password policy, and you must enforce it for all user accounts and develop a more stringent password policy for security-sensitive administrative accounts. It also is important that you implement an appropriate audit trail to help monitor authentication attempts within AD DS. The second part of your assignment includes deploying and configuring an RODC to support AD DS authentication within a branch office. Lastly, you should evaluate the usage of a group MSA by deploying it to a test server.

Objectives.

After completing this lab, you will be able to: implement security policies for accounts, passwords and administrative groups; deploy and configure an RODC; create and associate a group MSA.

Exercise 1: Implementing security policies for accounts, passwords and administrative groups.
A. Datum management has indicated that it is important that all management processes are as secure as possible to help prevent a security breach. The company's security and management teams have identified its business requirements with respect to account logons and password security. In this exercise, you will define and implement the Group Policy settings to meet the company's requirements.

Supporting documentation: A. Datum GPO Strategy Proposal.

Requirements overview.

A. Datum has identified the following requirements regarding account logon and password policies:
All users must use a password that is at least eight characters long.
For IT administrators, the minimum length must be ten characters.
Passwords for all users must be complex and stored securely.
All users except IT administrators must change their password every 60 days or less.
IT administrators must change their password every 30 days or less.
If users enter the wrong password more than five times within 20 minutes, their accounts must be locked.
For normal users, accounts are unlocked automatically after one hour.
For IT administrators, accounts must be locked after three incorrect password attempts.
IT administrator accounts are never unlocked automatically; an administrator must unlock the account.
IT administrator accounts include all members of the IT group and the Domain Admins group.
No user should be able to reuse any of their ten previous passwords.
The membership list for the local Administrators group on all member servers must be limited to only the local Administrator account, the Domain Admins group, and the IT group.
The Domain Admins group must include only the Administrator account.
The Enterprise Admins and Schema Admins groups must be empty during normal operations. Users must be added explicitly to these groups only when they need to perform tasks that require this level of administrative rights.
Other built-in groups, such as Account Operators and Server Operators, should contain no members. If users are added to one of these groups, they should be removed from the group automatically.
All changes made to user objects and security groups in AD DS must be audited.

Proposals.

List the settings that you must configure to meet A. Datum's requirements regarding password policies and account lockout. For each setting, record the configuration for all users and the configuration for IT administrators:
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Passwords must meet complexity requirements
Store passwords using reversible encryption
Account lockout duration
Account lockout threshold
Reset account lockout counter after

1. How can you configure that IT administrators have different password and account lockout settings than regular users?
2. How can you identify IT administrators in terms of more restricted password and account lockout settings?
3. How can you meet the requirement to limit the membership list for the local Administrators groups on all member servers to only the local Administrator account, the Domain Admins group, and the IT group?
4. How can you meet the requirement that the Domain Admins group must include only the Administrator account, and that the Enterprise Admins and Schema Admins groups must be empty during normal operations?
5. How can you meet the requirement that other built-in groups, such as Account Operators and Server Operators, must not contain members?
6. How can you meet the requirement that you must audit all changes to AD DS?

Task 1: Identify the required settings.
1. Read the documentation provided to fill in the table of settings according to the requirements of A. Datum Corporation.
3. Answer the additional questions from the proposals document.

Task 2: Configure password settings for all users.
1. On LON-DC1, from Server Manager, open the Group Policy Management console.
2. Navigate to the Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor window, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies, and then select Password Policy.
4. Configure the following policy settings:
Enforce password history: 10 passwords remembered
Maximum password age: 60 days
Minimum password age: 1 day
Password must meet complexity requirements: Enabled
Minimum password length: 8 characters
Store passwords using reversible encryption: Disabled
5. Select Account Lockout Policy, and then define and configure the following policy settings:
Account lockout duration: 60 minutes (accept the suggested value change)
Account lockout threshold: 5 invalid logon attempts
Reset account lockout counter after: 20 minutes
6. Close the Group Policy Management Editor window and the Group Policy Management console.
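The settings from Task 2 above, and the stricter IT-administrator PSO that Task 3 below builds in Active Directory Administrative Center, can be checked and created from the Active Directory module for Windows PowerShell. The script below is an added example, not code from the lab or from Microsoft; it assumes the ActiveDirectory module on LON-DC1, the domain Adatum.com, global-capable groups named IT and Domain Admins, and user accounts with the sAMAccountNames Abbi and Adam. A zero lockout duration is assumed to be how the cmdlet expresses "locked until an administrator manually unlocks the account"; confirm the value in ADAC afterwards.

```powershell
# Added example (not the lab's own code): verify the Task 2 domain-wide settings and
# create the Task 3 PSO from PowerShell. Assumes Adatum.com, groups IT and Domain Admins,
# and users Abbi and Adam, run on LON-DC1 as a Domain Admin.
Import-Module ActiveDirectory

$Domain  = 'Adatum.com'
$PsoName = 'ADATUM Administrators Password Settings'

# Task 2 check: the Default Domain Policy GPO writes these attributes onto the domain head at
# policy refresh, so this is what governs every account that no PSO applies to.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object PasswordHistoryCount, MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                  ComplexityEnabled, ReversibleEncryptionEnabled,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Task 3, step 6: a PSO can only target users and global security groups, so fix the scope
# first. AD allows a direct change to Global only from Universal; a domain local group has
# to be converted to Universal before it can become Global.
$itGroup = Get-ADGroup -Identity 'IT'
if ($itGroup.GroupScope -ne 'Global') {
    Set-ADGroup -Identity 'IT' -GroupScope Global
}

# Task 3, step 3: the PSO with the stricter values from the requirements table.
# Assumption: [TimeSpan]::Zero for LockoutDuration means "until an administrator unlocks".
New-ADFineGrainedPasswordPolicy -Name $PsoName `
    -Precedence 10 `
    -MinPasswordLength 10 `
    -PasswordHistoryCount 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 20) `
    -LockoutDuration ([TimeSpan]::Zero) `
    -ProtectedFromAccidentalDeletion $true

# Task 3, steps 4 and 7: apply the PSO to both IT-administrator groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects 'IT', 'Domain Admins'

# Task 3, steps 9 and 10: show which policy actually wins for each user. The cmdlet returns
# nothing when no PSO applies, which means the Default Domain Policy governs that account.
foreach ($user in 'Abbi', 'Adam') {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    $effective = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
    '{0,-6} -> {1}' -f $user, $effective
}
```

The resultant-policy loop is the check worth keeping after the lab: a PSO that targets a group of the wrong scope, or one with a lower precedence number than an unexpected competitor, silently leaves an administrator on the weaker domain defaults, and this is the quickest way to see it.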
Task 3: Configure a PSO for IT administrators.
1. On LON-DC1, from Server Manager, open Active Directory Administrative Center.
2. Navigate to Adatum (local)\System\Password Settings Container.
3. Create a new PSO with the following parameters:
Name: ADATUM Administrators Password Settings
Precedence: 10
Enforce minimum password length: selected; Minimum password length (characters): 10
Enforce password history: selected; Number of passwords remembered: 10
Password must meet complexity requirements: selected
Store password using reversible encryption: not selected
Password age options: Enforce minimum password age: selected; User cannot change the password within (days): 1
Enforce maximum password age: selected; User must change the password after (days): 30
Account lockout options: Enforce account lockout policy: selected; Number of failed logon attempts allowed: 3; Reset failed logon attempts count after (mins): 20; Account will be locked out: Until an administrator manually unlocks the account
4. In the Directly Applies To section, configure the PSO to apply to the IT group.
5. It will not work because IT is not a global group.
6. Open Windows PowerShell, and then verify the IT group scope with the following command: Get-ADGroup IT
Modify the group scope by using the following command: Set-ADGroup IT -GroupScope Global
7. In the Directly Applies To section, configure the PSO to apply to the following groups: IT; Domain Admins.
8. Create the PSO.
9. In Active Directory Administrative Center, switch to the Overview page, and in the Global Search box, search for Abbi Skinner. Use View resultant password settings to verify that the ADATUM Administrators Password Settings PSO applies to Abbi. He is in the IT group.
10. Repeat step 9 to verify the user Adam Harms. He is not in the IT group, and the Default Domain Policy settings apply to him.
11. Close Active Directory Administrative Center and Windows PowerShell.

Task 4: Implement administrative security policies.
1. On LON-DC1, open Active Directory Administrative Center and create a top-level OU named Adatum Servers.
2. Move LON-SVR1 and LON-SVR2 to the Adatum Servers OU.
3. Open the Group Policy Management console, and then create and link a policy named Restricted Administrators on Member Servers to the Adatum Servers OU.
4. Edit the GPO to restrict the local Administrators group to the Administrator account, the Domain Admins group, and the IT group.
5. Switch to LON-SVR1 and refresh Group Policy.
6. Verify that the policy has applied to LON-SVR1 and has restricted the local Administrators group.
7. Switch back to LON-DC1.
8. Edit the Default Domain Controllers Policy.
9. Configure the GPO with Restricted Groups, add the groups Account Operators and Server Operators, and configure both to contain no members.
10. Close the Group Policy Management console.

Task 5: Implement administrative auditing.
1. On LON-DC1, from Server Manager, start the Group Policy Management console.
2. Navigate to and edit the Default Domain Controllers Policy.
3. Configure the Default Domain Controllers Policy to enable success auditing of Audit Directory Service Changes under Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access.
4. In the Default Domain Controllers Policy, enable success auditing of Audit Security Group Management under Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management.
5. In the Default Domain Controllers Policy, enable the policy Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
6. At a command prompt, type gpupdate /force, and then press Enter.
7. Open Active Directory Users and Computers and enable the Advanced Features view. In the Adatum.com Properties dialog box, under Advanced Security Settings, in Auditing, locate the success auditing entry for Everyone with Special access, which applies to This object only.
8. Open and change the auditing entry to apply to This object and all descendant objects.
9. In Active Directory Users and Computers, add the user Abbi Skinner to the Domain Admins group.
10. Locate the user Ada Russell in the Marketing OU, and then change her City from London to Birmingham.
11. Open Event Viewer, go into the Security log, and then open the most recent event ID 4728. In the properties, note that ADATUM\Administrator has added ADATUM\Abbi to the Domain Admins group.
12. In Event Viewer, open the most recent event ID 5136, and note that ADATUM\Administrator has modified the user object CN=Ada Russell and deleted the value London.
13. Move to and open the next event. In the Event Properties Details page, notice that ADATUM\Administrator has modified Ada Russell and added the value Birmingham.
14. Close all open windows except for Server Manager.

Results: After this exercise, you should have identified and configured the security policies for A. Datum.

Exercise 2: Scenario.

In this exercise, you will configure the server LON-SVR1 as an RODC in the distant branch office. To avoid travel costs, you decide to do the conversion remotely, working with a desktop support technician, the branch's only staff member. This user has already installed a Windows Server 2016 computer named LON-SVR1. You will stage a delegated installation of an RODC so that this administrative user can complete the installation.
After the deployment is complete, you will configure a domain-wide password replication policy and the password replication policy specific to LON-SVR1.

The main tasks for this exercise are as follows:
1. Stage a delegated installation of an RODC.
2. Run the Active Directory Domain Services Installation Wizard on an RODC to complete the deployment process.
3. Configure the domain-wide password replication policy.
4. Create a group to manage password replication to the branch office RODC.
5. Evaluate the resultant password replication policy.

Task 1: Stage a delegated installation of an RODC.

Preparation. To prestage an RODC account, the computer name must not be in use in the domain. Therefore, you first need to remove LON-SVR1 from the domain by performing the following steps:
1. Remove LON-SVR1 from the domain, add it to the MUNICH workgroup, and then restart the server.
2. Sign in with the user name Administrator and the password.
3. Switch to LON-DC1.
4. From Server Manager, start Active Directory Users and Computers, navigate to the Adatum Servers OU, and then delete LON-SVR1. Confirm the deletion.

Stage a delegated installation of an RODC:
1. In Active Directory Sites and Services, create a new site named Munich, and then assign it to DEFAULTIPSITELINK.
2. Start Active Directory Administrative Center, and then navigate to the Domain Controllers OU.
3. Pre-create an RODC account with the name LON-SVR1, which also should be a DNS server and a global catalog.
4. Delegate Nestor Fiore to install and administer the RODC.
5. Finish the pre-creation of the RODC account.

Task 2: Run the Active Directory Domain Services Installation Wizard on an RODC to complete the deployment process.
1. Switch to LON-SVR1.
2. From Server Manager, start the Add Roles and Features Wizard. Use the wizard to install Active Directory Domain Services on LON-SVR1. Accept the installation of features and management tools.
3. When the installation is finished, click in the notification area of Server Manager to promote this server to a domain controller.
4. Configure to add the server as a domain controller to an existing domain. Click Change and provide the following credentials:
User name: ADATUM\Nestor, and the password.
5. Select Adatum.com as the domain, and then proceed.
6. Notice that the Active Directory Domain Services Installation Wizard finds the pre-created account. Accept all further defaults in the wizard to use that account, and then configure AD DS.

Task 3: Configure the domain-wide password replication policy.
1. Switch to LON-DC1.
2. From Server Manager, start Active Directory Administrative Center. Make the IT group, found in the IT OU, a member of the Denied RODC Password Replication Group.
Note: the members of the IT group have elevated permissions, so storing their passwords on an RODC would be a security risk. Therefore, you add the IT group to the global deny list, which applies to every RODC in the domain.

Task 4: Create a group to manage password replication to the branch office RODC.
1. Switch to Server Manager, and from the Tools menu, start Active Directory Users and Computers.
2. Navigate to the Users container, and then create a new group named Munich Allowed RODC Password Replication Group.
3. Add Ana Cantrell to the new group.
4. In Active Directory Administrative Center, from the Domain Controllers OU, view the properties for LON-SVR1.
5. In the Extensions section, on the Password Replication Policy tab, configure the Munich Allowed RODC Password Replication Group to allow password replication.
6. Close the properties for LON-SVR1.

Task 5: Evaluate the resultant password replication policy.
1. In Active Directory Administrative Center, open the properties of LON-SVR1, and then in the Extensions section, on the Password Replication Policy tab, click Advanced. Note that this dialog box shows all accounts whose passwords are stored on the RODC.
2. Select Accounts that have been authenticated to this Read only Domain Controller, and then note that this shows only accounts that have the permissions and already have been authenticated by this RODC.
3. Click the Resultant Policy tab, and then add Ana Cantrell. Notice that Ana Cantrell has a resultant policy of Allow.
4. Close all open dialog boxes.

Results: After this exercise, you should have deployed and configured an RODC.

Exercise 3: Scenario.

You need to configure a group MSA to support a new web-based application that is being deployed. Using a group MSA will help maintain the password security requirements for the account.

The main tasks for this exercise are as follows:
1. Create and associate an MSA.
2. Install a group MSA.

Task 1: Create and associate an MSA.
1. On LON-DC1, open the Active Directory module for Windows PowerShell console.
2. Create the KDS root key by using the Add-KdsRootKey cmdlet. Make the effective time minus 10 hours, so the key will be effective immediately.
3. Create the new service account named WebService for the host LON-DC1.
4. Associate the WebService MSA with LON-DC1.
5. Verify that the group MSA was created by using the Get-ADServiceAccount cmdlet.

Task 2: Install a group MSA.
1. On LON-DC1, install the WebService service account by using the following command: Install-ADServiceAccount -Identity WebService
2. From the Tools menu in Server Manager, open Internet Information Services (IIS) Manager.
3. Expand LON-DC1 (ADATUM\Administrator), and then click Application Pools.
4. In the DefaultAppPool Actions pane, in the Advanced Settings dialog box, configure the DefaultAppPool to use the WebService$ account as the identity. Note that you can click the ellipsis by the Identity name to add the WebService$ account as a custom account.
5. Stop and then start the application pool.
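Exercise 3 leaves the cmdlet parameters for steps 2 to 5 of Task 1 and the IIS change in Task 2 to the reader. The script below is an added example, not code from the lab or from Microsoft, that carries the whole exercise through from PowerShell. It assumes the ActiveDirectory and WebAdministration modules on LON-DC1, a Domain Admin session, the domain Adatum.com, the gMSA name WebService and the application pool DefaultAppPool; the DNS host name WebService.Adatum.com is a constructed value.

```powershell
# Added example (not the lab's own code): the Exercise 3 gMSA workflow end to end.
# Assumes LON-DC1 in Adatum.com, gMSA WebService, pool DefaultAppPool, Domain Admin rights.
Import-Module ActiveDirectory

# Task 1, step 2: the KDS root key that every gMSA password is derived from. Backdating
# EffectiveTime by 10 hours skips the replication safety wait; fine in a one-DC lab, but in
# production create the key once and let the 10 hours pass before creating any gMSA.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Task 1, step 3: the gMSA. Only the listed principals can ever retrieve its managed
# password, so keep this list to the hosts that actually run the service.
New-ADServiceAccount -Name 'WebService' `
    -DNSHostName 'WebService.Adatum.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'LON-DC1$'

# Task 1, step 4: associate the account with the host's computer object, as ADAC does.
Add-ADComputerServiceAccount -Identity 'LON-DC1' -ServiceAccount 'WebService'

# Task 1, step 5: verify the account exists and who is allowed to read its password.
Get-ADServiceAccount -Identity 'WebService' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# Task 2, step 1: install on the host, then prove the host can fetch the password.
# Test-ADServiceAccount returns True on success and False when retrieval is denied.
Install-ADServiceAccount -Identity 'WebService'
Test-ADServiceAccount -Identity 'WebService'

# Task 2, steps 3 to 5: point DefaultAppPool at the gMSA. The password stays empty because
# Windows fetches it from AD; identityType 3 is SpecificUser. Restarting the pool is the
# stop/start from step 5.
Import-Module WebAdministration
Set-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel `
    -Value @{ userName = 'ADATUM\WebService$'; password = ''; identityType = 3 }
Restart-WebAppPool -Name 'DefaultAppPool'
```

Test-ADServiceAccount is the check to run on every host you add later: a False there, or an application pool that stops immediately after the identity change, almost always means the host is missing from PrincipalsAllowedToRetrieveManagedPassword rather than a problem with the pool itself.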