BD350
HW
Windows: Active Directory and IIS
Due: 2006 December 8
Team number: _____
Names (this is a team assignment): ________________________________
Score: _____ / 25
Active Directory (AD) - 20 points
*The Microsoft Windows Server 2003 Administrator's Companion, which is in the lab, has detailed information about this section of the assignment. See chapters 9 and 10 for further information. It can be checked out from the desk for an hour at a time.
1. Make sure that your DC is in the Domain Server role and is also a file server.
2. Install on the DC: Microsoft Group Policy Management Console from CD
3. Create OUs (Organizational Units)
o On your DC, under All Programs | Administrative Tools | Active Directory Users and Computers, do the following:
§ Create one OU (Organizational Unit) called "TeamX", where X is your team number, and one OU called "Graders"
1. Right click on the domain name | New | Organizational Unit
§ Within the first OU, create a group called "LocalTeam", and in the second OU, create a group called AssignmentGraders. Each of these groups should be a Security group and have Global group scope. See Screen Shot 1
4. Establish Group Policies for the new groups.
o On your DC, from within Active Directory Users and Computers, right click on the TeamX OU and select Properties. Click the Group Policy tab, and press the Open button. This will open up the Group Policy Management Console that you just installed.
o Notice that your new OU will appear under the domain name in the Management Console.
o Now create a new Group Policy Object (GPO) and name it FolderRedirection. (This GPO will not yet do folder redirection, but this sets up a policy object within which we may configure that. This will be done in further steps below.) Right click on Group Policy Objects | New | …
o Right click on your TeamX OU, and select "Link to an Existing GPO". Select the new FolderRedirection GPO that you just created.
o Select your FolderRedirection GPO, and add a new security filter. Add the LocalTeam group to this filter. See Screen Shot 2
o Create a 2nd GPO for your TeamX OU, and name this one PasswordPolicy. (This GPO will not yet carry out any password policy, but this sets up a policy object within which we may configure that. This will be done in further steps below.)
o Link this new GPO and your TeamX OU like you did above, and set the security filter.
5. Set up the Password Policy.
o On your DC, in the Group Policy Management Console, right click on the PasswordPolicy GPO, and select Edit.
o Under Windows Settings | Security Settings, you can set the Password policies for this OU. Set maximum password age to 90 days, minimum password age to 30 days, and minimum password length to 6 characters. Disable complexity requirements (note that this is a bad thing, but we do it just to make it easier for you on this assignment) and reversible encryption. Leave password history enforcement undefined.
6. Set up File Sharing.
o Create a directory on your DC server called HomeFolders.
§ Under the Properties | Sharing tab, select Share This Folder, and give read and change permissions to "everyone". Under the Home Folder Security Tab | Advanced | Select both user entries, uncheck Allowed Inheritable Permissions, and click on Copy
§ Under the Properties | Security tab, make sure the only Groups or User Names listed are: Administrators, CREATOR OWNER, and SYSTEM. See Screen Shot 3
o Below you will create user accounts that use this shared folder.
7. Enable My Documents redirection.
o On your DC, open the Group Policy Management Console. Refer to Step 3 if you forgot how to open the GPM Console.
o Edit your FolderRedirection Group Policy Object. Right click FolderRedirection | Edit
o Under User Configuration | Windows Settings | Folder Redirection, right click on My Documents | Properties.
o Select the Basic setting (at the top), and Redirect to the user's home directory for the target (on the bottom).
o Uncheck the Grant Exclusive Rights... box under the Settings tab. This will allow you to log in as an Administrator on the DC server and verify that files are being created in the correct location.
8. Create users on your DC using Active Directory Users and Computers.
o Create a user for each person in your team, with the user names being your last names, as well as a user for Dr. Hayne, with username "hayne", as well as a user called TA, with username "TeachingAssistant". If you have two people on your team with the same last name, then append the first letter of your first name to their account name. Create a strong password for each of these users, and make a note of the passwords for Hayne and TeachingAssistant in your log. Set the passwords for the users to "User cannot change password", and "Password Never Expires."
§ Password must adhere to good password complexity rules
§ It is generally a bad idea to choose these password settings (“cannot change” and “never expires”)... Why?
o Add the users for your group to the LocalTeam group, and add the users hayne and TeachingAssistant to the AssignmentGraders group. Click on TeamX | right click LocalTeam | Properties | Members | Add Members | Find Now
o Add all of these new users to the "Remote Desktop Group": Active Directory Users and Computers | Builtin | Remote | Properties | Members
o For each user in the LocalTeam group, edit their profile under Active Directory Users and Computers by right clicking on the user and selecting Properties.
o Under Profile, select Connect U: to \\YourDCServerName\HomeFolders\theUserName\ This will create a home directory for that user. Make sure you put in the exact name of your DC server in place of "YourDCServerName", and the exact username in place of "theUserName". See Screen Shot 4
9. Enable Quotas on the DC server.
o On the DC server, right click on the C drive and select the Quotas tab.
o Set the quota to 50 Mb.
10. Configure your DC to identify port 5308 as its RDP (Remote Desktop) port, instead of the standard port 3389. Do this by editing the registry key (Start -> Run -> Regedit) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber. Right click on "PortNumber", select Modify, select Decimal, and enter 5308.
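To check step 5 after the fact, the following added example (not part of the original assignment) compares a security policy export against the password values the assignment asks for. It assumes the export was produced with secedit /export /cfg and is passed in as text; the function names are this example's own and the sample export is constructed.

```python
# Added example: audit a `secedit /export /cfg` file against step 5's values.
# Key names are those secedit writes in the [System Access] section.
EXPECTED = {
    "MaximumPasswordAge": 90,    # days
    "MinimumPasswordAge": 30,    # days
    "MinimumPasswordLength": 6,  # characters
    "PasswordComplexity": 0,     # disabled for this assignment only
    "ClearTextPassword": 0,      # reversible encryption disabled
}  # PasswordHistorySize is left out: the assignment leaves it undefined.

# Constructed sample export (not taken from a real server).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 30
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 24
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
"""

def parse_system_access(inf_text):
    """Return the numeric [System Access] settings as {name: int}."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value.lstrip("-").isdigit():  # skip string entries
                settings[key] = int(value)
    return settings

def audit(inf_text):
    """List (setting, expected, actual) mismatches; actual is None if absent."""
    actual = parse_system_access(inf_text)
    return sorted((k, want, actual.get(k))
                  for k, want in EXPECTED.items() if actual.get(k) != want)

if __name__ == "__main__":
    for name, want, got in audit(SAMPLE_EXPORT):
        print(f"{name}: expected {want}, found {got}")
```

A real export is usually written as UTF-16, so read it with open(path, encoding="utf-16") before passing the text to audit().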
Create Web Services – 5pts
1. Log on to your DC server
2. Open the Manage Your Server window and click add or remove a role.
o Select Application Server
o Enable additional tools if you like (not necessary)
o Finish Installing
3. Open IIS Manager and expand the tree on the left.
5. Right click on Web Sites, and select New Web Site.
6. Configure the New Site
o Use HaynedomX (where X is your team number) as the description for the site.
o Select the IP for your DC server as the one to use
o Create a new directory under C:\www\ called teamX (where X is your team number), and use this as the path for the home directory
o Use default permissions
7. Create a new file called index.htm in the teamX folder you created above.
8. In this file, write the name of each member of the team on a separate line.
o This new website can be accessed from within your mini-network at http://YourDCIP/index.htm
o Make sure you can see your webpage before proceeding.
Reboot your DC.
Check everything still works as it should!
SUBMIT:
· Active Directory Writeup
1. Make SURE you include your account names and passwords, so I can easily find and use them. (In the real world you would NOT do this – you would NOT write your passwords down. But for this class you will do this so I can easily grade your assignments.)
2. Summarize what Active Directory is, and what security groups, distribution groups, OUs, GPOs are. Summarize the various scopes that can exist for groups and the meaning of each.
3. Summarize how you would determine what security groups, distribution groups, OUs and GPOs to have, and what scope to give each group.
E-MAIL ME:
1. As a group: Submit your write up as a Word file via e-mail by the due-date/time. Name this file with your group number followed by the name of the topic it is about, i.e., 01-ActiveDirectory.doc
2. Individually: Peer Evaluations. Let me know if you have any issues with your team members and how they have contributed.
SCREEN SHOTS
Note that these screen shots do not show everything described in each process above – they only show pieces of each process, so that you may more easily know where you should be working within Windows to make these configurations. There may be additional tabs, or sub-windows, where you need to perform other configurations described above.

Screen Shot 1 – Create LocalTeam inside of OU

Screen Shot 2 – Adding security filter to GPO

Screen Shot 3 – Setting permissions for HomeFolder

Screen Shot 4 – Creating home directory for the user