IST346: Lab
Last Update: 3/29/2010 2:16 PM

L08 – File Services

Overview

In this lab you will configure your newly set up Active Directory environment (from the previous lab) to share files over the fauxco.com network. Over the course of this lab, you will create directory shares for

  • User settings
  • Individual files
  • Group shared files

Learning Objectives

Upon completion of this lab, you should be able to

  • Configure the file services role on your Active Directory Domain Controller.
  • Create Accounts and Groups in Windows Active Directory (or from the command line).
  • Log in to Active Directory-bound computers to test roaming profiles, home directories and group shares.

Lab Breakdown

This lab consists of 5 parts:

  1. Lab overview and creating the accounts and groups
  2. Set up the file share on the Win2008 VM
  3. Configure the home directories for the user accounts.
  4. Test account and home directory access on your workstations, submit lab checker
  5. Try to set up the group shares.

NOTE: Your deliverable for this lab will be your lab checker script

Requirements

Before you start this lab you will need:

  1. Your PSD (Portable Storage Device) connected to a lab computer, or a computer running VMware Server 1.X / VMware Workstation 6.X (or higher).
  2. The VMNet8 virtual network configured to use NAT and the IP address space 192.168.80.X, which was configured in a previous lab.
  3. Active Directory Configuration, as completed in a previous lab.
  4. These virtual machines, from the VM Garden, on your PSD:
       • Win2008x (Windows Server 2008) – acting as the Domain Controller / Directory server
       • Winxp1 (Windows XP) – acting as a workstation
       • Vista1 (Windows Vista) – acting as a workstation
  5. Power on the Win2008x virtual machine first; the other virtual machines depend on it, so it needs to come up first.
  6. When you see the logon screen on Win2008x, power on all of the other virtual machines, but only log on to Win2008x and Win2008 at this time.
  7. Log on as the user Administrator with password SU2orange!
  8. Here’s a diagram of what your network will look like, based on these roles. Notice we will set the Win2008 virtual machine to use a static IP address (we already set Win2008x in a previous lab). We need to do this because of the “golden rule of services” which we discussed in the previous lab.

Part 1 – Lab overview and Creating Active Directory Accounts / Groups

Overview

The goal of this lab is to install and configure your own file-sharing environment inside the fauxco.com virtual network. We’ve seen file sharing before, but this time you’ll do it right by leveraging the power of a Directory service – Microsoft Active Directory.

First you will create 4 domain user accounts and 2 domain groups, and add users to the appropriate groups. Then you will configure the win2008 server to function as a file server for the ad.fauxco.com domain. Finally, you will test your configuration by logging on to the XP and Vista workstations as the domain users and making sure you can access the shared folders.

Creating Users and Groups in Active Directory

From your Win2008x Active Directory domain controller, create the following users in the Users folder using the Active Directory Users and Computers utility. (The previous lab explains where you can find this utility.) You can use the command line if you like.

Create Users and Groups

Create these 4 users in the table below. For each user, be sure to:

  • Set each user’s password to SU2orange!
  • Un-check the “User must change password at next logon” box
  • Check the “Password never expires” box

First Name / Last Name / User Logon
Bob / Enweave / benweave
Tally / Itupp / titupp
Oliver / Datasgon / odatasgo
Sara / Bellum / sbellum

NOTE: To create a user, right click on the Users folder and select New → User from the context menu.

When you’re done you should see this in the Active Directory Users and Computers utility:

Create Groups

Next, use the same utility to create two global security groups. A global security group has global scope (in the directory) and is for security purposes. For example:

Create these two groups, and then after you create them add the people listed as members of the group.

Group Name / Members of the Group
sales-group / Bob Enweave, Tally Itupp
service-group / Oliver Datasgon, Sara Bellum

NOTE: To create a group, right click on the Users folder and select New → Group from the context menu.

NOTE: To add users to a group, double-click on the group, click on the Members tab and add users through the GUI.

Check yourself!

Do you think you have got it right? Check yourself! Open a command prompt on the Win2008x virtual machine and type net group sales-group

You should see the user logons for Bob and Tally:

You can figure out how to check the other group.  Close the command prompt when you’re done.
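The command-line route mentioned in Part 1, as an added example that is not part of the lab handout: a PowerShell script that calls dsadd to create the four users and two global security groups, then runs the same net group check. It assumes the PowerShell feature from Part 4 is already installed and that ad.fauxco.com corresponds to the distinguished name DC=ad,DC=fauxco,DC=com.

```powershell
# Added example, not part of the lab handout. Run on Win2008x as the domain Administrator.
# Assumption: ad.fauxco.com corresponds to DC=ad,DC=fauxco,DC=com.
$base = 'CN=Users,DC=ad,DC=fauxco,DC=com'
$pw   = 'SU2orange!'   # lab password from the handout; "-pwd *" makes dsadd prompt instead

$users = @(
    @{ First = 'Bob';    Last = 'Enweave';  Logon = 'benweave' },
    @{ First = 'Tally';  Last = 'Itupp';    Logon = 'titupp'   },
    @{ First = 'Oliver'; Last = 'Datasgon'; Logon = 'odatasgo' },
    @{ First = 'Sara';   Last = 'Bellum';   Logon = 'sbellum'  }
)
$groups = @{
    'sales-group'   = @('benweave', 'titupp')
    'service-group' = @('odatasgo', 'sbellum')
}

$dnOf = @{}   # logon name -> distinguished name, needed for group membership
foreach ($u in $users) {
    $dn = "CN=$($u.First) $($u.Last),$base"
    $dnOf[$u.Logon] = $dn
    # -mustchpwd no / -pwdneverexpires yes match the two checkboxes in the GUI steps
    dsadd user $dn -samid $u.Logon -upn "$($u.Logon)@ad.fauxco.com" `
        -fn $u.First -ln $u.Last `
        -pwd $pw -mustchpwd no -pwdneverexpires yes
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsadd user failed for $($u.Logon)" }
}

foreach ($g in $groups.Keys) {
    $members = $groups[$g] | ForEach-Object { $dnOf[$_] }
    # -secgrp yes -scope g creates a global security group
    dsadd group "CN=$g,$base" -samid $g -secgrp yes -scope g -members $members
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsadd group failed for $g" }
    net group $g    # same check as in "Check yourself!"
}
```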

Part 2 – Setting up File Services on Win2008x

Now it’s time to setup file sharing for our users. For each user we would like:

1) A home directory share, viewable as the drive letter H: from any domain bound workstation

2) A group directory share, viewable as the drive letter G: from any domain bound workstation

2.a Make sure the File Services role is configured.

By now you should be familiar with configuring roles on the Windows Server 2008 operating system. Make sure the File Services role is configured on the Win2008x virtual machine. If you don’t have it configured, do it now. Consult a previous lab, if you’re shaky on the details, but it should be fairly straightforward.

2.b Create the folders

Open the C: drive on the Win2008x VM and create a Shares folder. Inside the Shares folder create the following folder structure:

The groups folder will be for the group shares, and the homes folder will be for the individual user home directories.

2.c Share out the Shares folder

Next, share out the Shares folder so that the Everyone security principal has read and write access. (Right-click on the folder named Shares, choose Share…) NOTE: Don’t be alarmed at this - we will secure the folders using file permissions in a later step.

Test to make sure the share works: Start → Run → \\win2008x.ad.fauxco.com\shares. Do you see the Share and Homes folders? (You might also see the exam1 folder, too.)

Part 3 – Setting up Home Directories

In this next step we will use the file sharing from part two to enable home directories.

3.a Set the home directories for your users in ADUC.

Back in the Active Directory Users and Computers (ADUC) utility, set the home directory for each of the 4 users to their corresponding folder.

For example, for Tally Itupp (titupp) her share should be \\win2008x.ad.fauxco.com\Shares\homes\titupp

The following dialog displays the location of this setting in ADUC:

Note: the ADUC utility will warn you regarding changing the permissions, click Yes

IMPORTANT: Repeat this process for all 4 users

User Name / Home Folder, Connect H: to
Bob Enweave / \\win2008x.ad.fauxco.com\Shares\homes\benweave
Tally Itupp / \\win2008x.ad.fauxco.com\Shares\homes\titupp
Oliver Datasgon / \\win2008x.ad.fauxco.com\Shares\homes\odatasgo
Sara Bellum / \\win2008x.ad.fauxco.com\Shares\homes\sbellum

3.b Verify your home directory configuration is working.

Next you must verify your configuration is working.

  1. Select one of your workstation virtual machines winxp1 or vista1.
  2. Log on as one of the 4 Active Directory users you created.
  3. When the desktop appears, open My Computer.
  4. If you are set up correctly you will see an H: drive. See if you can copy or save a file to this drive.
  5. Repeat steps 1-4 using the other 3 Active Directory user accounts.
    Be sure to log on as each of the 4 users; your lab check script checks for this!
  6. Go back to your Win2008 domain controller. Open the c:\shares\homes folder – do you see the files you copied in each of the home directory folders for each user?
  7. If so, kudos. You’ve got it set-up correctly!

Part 4 – Running the Lab Checker Script

This lab will be checked / graded with a lab-checker script. You will download this script to your win2008 virtual machine and then run it. It will verify you have performed the steps outlined in the lab.

  1. First you must use the features tool in Server Manager to install PowerShell. If you can’t figure this out, then you can watch this short video.
  2. After you get PowerShell configured, you need to enable it to run unsigned scripts. Click on Windows PowerShell in the Windows start menu. This will open the PowerShell command prompt.
  3. From the PowerShell prompt, type Set-ExecutionPolicy Unrestricted and press ENTER. This is a one-time configuration.
  4. Next, download the lab checker script from the course website to your Documents folder.
  5. Run the script from the PowerShell prompt by typing
    cd documents
    ./L08-Check.ps1

Part 5 – Challenge Yourself! Advanced file sharing – Group Shares

In this next part we will configure group shares for the sales and service teams. We will set these shares so everyone can read the folders but only members of the appropriate groups can write to the folders.

5.a NTFS file system Access Control List on the group folders.

From the Win2008 virtual machine:

  1. Bring up the properties for the c:\shares\groups\sales folder.
  2. Under the Security tab, click Advanced. Then click Edit. Permissions inherit down from the parent folder, so we first need to block the inheritable permissions.
  3. Clear the checkbox titled Include inheritable permissions from this object’s parent. You will see this dialog:

    Since we would like to keep the existing permissions in place, but edit them, click the Copy button.
  4. Keep clicking Ok until you’re back at the Security tab. Now click Edit to change the permissions.
  5. Remove the group Users, and add sales-group, giving Modify, Read, List, and Read / Execute permissions.
  6. Click Ok until the dialogs are dismissed. You’ve now set the Sales folder to only be writable by users in the sales-group.
  7. Repeat steps 1-6 for the service folder and the service-group.

5.b Test your configuration

Now use a workstation operating system, like Winxp1 or vista1, to test your configuration.

  1. Logon as someone from the sales group (Bob for example) and make sure you can ONLY write to the \\win2008x.ad.fauxco.com\shares\groups\sales folder.
  2. Repeat the process as someone from the service group (Oliver for example) and verify those settings, too.
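The ACL changes from 5.a can also be scripted; the following is an added example, not part of the lab handout, that blocks inheritance while keeping a copy of the inherited entries, removes Users, grants each group Modify, and prints the resulting ACL for review. It assumes the service folder is C:\shares\groups\service and that the script runs on the file server under a domain administrator account, so that $env:USERDOMAIN is the domain's NetBIOS name.

```powershell
# Added example, not part of the lab handout. Run on the file server as a domain administrator.
# Assumptions: the service folder is C:\shares\groups\service, and $env:USERDOMAIN is the
# NetBIOS name of the ad.fauxco.com domain (true when logged on with a domain account).
$folders = @{
    'C:\shares\groups\sales'   = 'sales-group'
    'C:\shares\groups\service' = 'service-group'
}
$users = New-Object System.Security.Principal.NTAccount('BUILTIN\Users')

foreach ($path in $folders.Keys) {
    $group = "$env:USERDOMAIN\$($folders[$path])"

    # Steps 2-3: block inheritance. ($true, $true) = protect this ACL from the parent
    # and keep a copy of the inherited entries (the Copy button in the dialog).
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl

    # Re-read the ACL: the copied entries are now explicit and can be edited.
    $acl = Get-Acl -Path $path

    # Step 5: remove every entry for Users, then give the group Modify
    # (Modify already includes Read, List and Read / Execute).
    $acl.PurgeAccessRules($users)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Review: inheritance should be blocked, and no entry for Users should remain.
    $result = Get-Acl -Path $path
    Write-Host "$path  (inheritance blocked: $($result.AreAccessRulesProtected))"
    $result.Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}
```

Because the Shares folder is shared with Everyone having read and write access, these NTFS entries are the only thing restricting writes, so check the printed table for any unexpected identity holding Modify or Full Control.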
