IST346: Lab Last Update: 10/29/2010 3:32 PM
Lab – File Services
Overview
In this lab you will have to configure your newly setup Active Directory configuration (from the previous lab) to share files over the fauxco.com network. Throughout the process of this lab, you will create directory shares for
· User settings
· Individual files, or home directories
· Group shared files
Learning Objectives
Upon completion of this lab, you should be able to
· Configure the file services role on your Active Directory Domain Controller.
· Create Accounts and Groups in Windows Active Directory (or from the command line).
· Log-in to Active Directory bound computers to test roaming profiles, home directories and group shares.
Lab Breakdown
This lab consists of 5 parts:
- Lab overview and creating the accounts and groups
- Setup the file share on the Win2008 VM
- Configure the home directories for the user accounts.
- Test account and home directory access on your workstations, submit lab checker
- Try to setup the group shares.
NOTE: Your deliverable for this lab will be your lab checker script
Requirements
Before you start this lab you will need:
- These virtual machines,
- Win2008 (Windows Server 2008) – acting as a server
- Centos5 (Centos Linux 5) – acting as a server
- Win 7 (Windows 7) – acting as a workstation
- Startup the Win2008, Centos5 and Win7 virtual machines:
- Logon to Win2008dc as Administrator (the account with the most access on the Windows platform)
- Logon to Centos5 as root (the account with the most access on a *nix platform)
- Logon to Win7 as user (a non-privileged account)
- Remember, in all cases, the password is SU2orange!
Part 1 – Lab overview and Creating Active Directory Accounts / Groups
Overview
The goal of this lab is to install and configure your own file-sharing environment inside the fauxco.com virtual network. We’ve seen file sharing before, but this time you’ll do it right by leveraging the power of a Directory service – Microsoft Active Directory.
First you will create 4 domain user accounts and 2 domain groups, and add users to the appropriate groups. Then you will configure the win2008 server to function as a file server for the ad.fauxco.com domain. And finally you will test your configuration by logging on to the XP and Vista workstations at the domain users and making sure you can access the shared folders.
Creating Users and Groups in Active Directory
From your Win2008 Active Directory domain controller, create the following users in the Users folder using the Active Directory Users and Computers utility. (The previous lab explains where you can find this utility.) You can use the command line if you like.
1.a Create Users
Create these 4 users in the table below.
First Name / Last Name / User LogonBob / Enweave / benweave
Tally / Itupp / titupp
Oliver / Datasgon / odatasgo
Sara / Bellum / sbellum
HOW TO: Create a user:
· Right-click on the Users folder and select New à User
· Enter the First Name, Last Name and User Logon Name as specified in the table below.
· Set each user’s password to SU2orange!
· Un-check the “User must change password at next logon” box
· check the “password never expires box
When you’re done you should see this in the Users folder of the Active Directory Users and Computers utility:
1.b Create Groups
Next, use the same utility to create two global security groups: A global security group has global scope (in the directory) and is for security purposes (controlling access to resources).
Create these two groups, and then after you create them add the people listed as members of the group:
Group Name / Members of the Groupsales-group / Bob Enweave; Tally Itupp
service-group / Oliver Datasgon; Sara Bellum
HOW TO: Creating a group:
· Right click on the Users folder and select New à Group from the context menu.
· Enter the group name and select Global for group scope and Security for group type.
For example: (making the sales-group)
HOW TO: Adding users (or groups) to the group:
· Double-click on the group, click on the Members tab. Click the Add button.
· Enter the user names in the object names list, click Check Names to verify, and Ok to add.
For example:
1.c Check yourself!
Do you think you have got it right? Check yourself! Open a command prompt on the Win2008 virtual machine .
Let’s verify the user Tally Itupp is present: type Net user titupp
You should see the user information for Tally Itupp:
Active Directory records all sorts of “big brother-ish” stuff like when this user last logged in from. Well, it’s big brother to the foil hat wearing community. To SA’s it’s damn useful information.
You can figure out how to check the other users. Make sure they’re present. J
Let’s check the membership of the sales-group and type Net group sales-group
You should see the user logons for Bob and Tally:
You can figure out how to check the other group. J
Close the command prompt when you’re done.
Part 2 – Setting up File Services on Win2008
Now it’s time to setup file sharing for our users. For each user we would like:
1) A home directory share, viewable as the drive letter H: from any domain bound workstation. The H: drive represents the personal space for each users’ files.
2) A group directory share, viewable as the drive letter G: from any domain bound workstation. The G: drive represents a universal folder shared amongst all users and groups.
2.a Make sure the File Services role is configured.
By now you should be familiar with configuring roles on the Windows Server 2008 operating system. Make sure the File Services role is configured on the Win2008 virtual machine. If you don’t have it configured, do it now. Consult a previous lab, if you’re shaky on the details, but it should be fairly straightforward.
Note: If you see the file services role, then you’re all set! Move on….
2.b Create the folders
Open the C: drive on the Win2008 VM and create a Shares folder. Note: you might have a shares folder there from a previous lab. That’s okay, if you do just make these folders inside the shares folder:
The groups folder will be for the group shares, and the homes folder will be for the individual user home directories.
2.c Share out the Shares folder
Next share out the Share folder so that the Everyone security principal has read and write access. (Right click on folder names Shares, choose share…)
NOTE: Don’t be alarmed at this - we will secure the folders using file permissions in a later step.
Test to make sure the share works. Start à Run à \\win2008.ad.fauxco.com\shares Do you see the Share and Homes folders? (You might also see the winshare folder from a previous lab, too.)
Part 3 – Setting up Home Directories
In this next step we will use the file sharing from part two to enable home directores.
3.a Set the home directories for your users in ADUC.
Back in the Active Directory Users and Computers (ADUC) utility, set the home directory for each of the 4 users to their corresponding folder.
For example, for Tally Itupp (titupp) her share should be \\win2008.ad.fauxco.com\Shares\homes\titupp
The following dialog displays the location of this setting in ADUC:
Note: the ADUC utility will warn you regarding changing the permissions, click Yes
IMPORTANT: Repeat this process for all 4 users
User Name / Home Folder, Connect H: toBob Enweave / \\win2008.ad.fauxco.com\Shares\homes\benweave
Tally Itupp / \\win2008.ad.fauxco.com\Shares\homes\titupp
Oliver Datasgon / \\win2008.ad.fauxco.com\Shares\homes\odatasgo
Sara Bellum / \\win2008.ad.fauxco.com\Shares\homes\sbellum
PRO TIP: You can use the system variable %username% in place of the user’s account. For example \\win2008.ad.fauxco.com\Shares\homes\%username% this will make setting up the 4 users more of a copy-paste type operation.
2.b Verify your home directory configuration is working.
Next you must verify your configuration is working. This might take a while, but it’s an important step.
- Connect to your Win7 virtual machine.
- Log on as one of the 4 Active Directory users you created: benweave, titupp, odatasgo, or sbellum
- When the desktop appears, open My Computer.
- If you are set-up correctly you will see an H: drive see if you can copy or save a file to this drive.
- Repeat steps 1-4 using the other 3 Active Directory user accounts.
Be sure to log-on as each of the 4 users, or your lab check script checks for this! - Go back to your Win2008 domain controller. Open the c:\shares\homes folder – do you see the files you copied in each of the home directory folders for each user?
- If so, kudos. You’ve got it set-up correctly!
Part 4 – Running the Lab Checker Script.
This lab will be checked/ graded with a lab-checker script. You will download this script to your win2008 virtual machine and then run it. It will verify you have performed the steps outlined in the lab
- Make sure you are logged on to Win2008 as Administrator
- Next, download the lab checker script from the course website to your Documents folder.
- Run the script from the Powershell prompt by typing
cd documents and press ENTER then type:
.\L04.ps1
Or you can path it as follows:
.\Documents\L04.ps1
Part 5 – Challenge Yourself! Advanced file sharing – Group Shares
In this next part we will configure group shares for the sales and service teams. We will set these shares so everyone can read the folders but only members of the appropriate groups can write to the folders.
5.a NTFS file system Access Control List on the group folders.
From the Win2008 virtual machine
- Bring up the properties for the c:\shares\groups\sales folder. (Right-click on the folder and select Properties)
- Under the security tab, click Advanced. Then click Edit. If you’re in the right place, you should see this Dialog:
The permission inherits down, so we first need to block the interitable permissions. - Clear the checkbox titled Include inheritable permission from this object’s parent. You will see this dialog:
Since we would like to keep the existing permissions in place, but edit them, click the Copy button. - Keep clicking Ok until you’re back at the Security tab., Like so:
- Now click Edit to change the permissions.
- Click on the group AD\Users and click Remove to remove the group.
- Press the Add... button you will see the selection dialog:
- Enter sales-group, and click, Check Names to validate (this searches the directory for the object, making sure it exists), then click Ok.
- Back at the “Permission for Sales” dialog, give sales-group the following permissions Modify, Read, Write, List, and Read Execute permissions.
- Click Ok until the dialogs are dismissed. You’ve now set the Sales folder to only be writable by users in the sales-group congratulations
TODO: Repeat the above steps for the service folder and the service-group
5.b Test the shared folders
Next we will assign Now logon to Win7 as Administrator test your configuration.
- Logon as someone from the sales group (Bob for example).
- Click on Start à run and enter \\win2008x.ad.fauxco.com\shares\groups\ press ENTER
- Open the sales folder make sure you can write to the sales folder. But not the service folder.
- Repeat the process as someone from the service group (Oliver for example) and verify those settings, too.
Page 3