Task 1: Enable Windows Defender Credential Guard using Group Policy
1. Connect to SEA-SVR2 and, if needed, sign in as Contoso\Administrator with the password of
Pa55w.rd.
2. In the Type here to search text box next to the Start button, enter Group Policy Management.
3. In the list of results, select Group Policy Management.
4. In the Group Policy Management Console, expand Forest: Contoso.com, expand Domains,
expand Contoso.com, right-click or access the context menu for the IT Organizational Unit
(OU), and then select Create a GPO in this domain, and Link it here.
5. In the New GPO dialog box, in the Name text box, enter CredentialGuard_GPO, and then
select OK.
6. In the Group Policy Management window, under IT, right-click or access the context menu for
CredentialGuard_GPO, and then select Edit.
7. In the Group Policy Management Editor, browse to Computer Configuration\Policies\
Administrative Templates\System\Device Guard.
8. Select Turn On Virtualization Based Security, and then select the policy setting link.
9. In the Turn On Virtualization Based Security window, select the Enabled option.
10. In the Select Platform Security Level drop-down list, ensure that the Secure Boot and DMA
Protection entry is selected.
11. In the Credential Guard Configuration drop-down list, select the Enabled with UEFI lock
entry.
12. In the Secure Launch Configuration drop-down list, select the Enabled entry, and then select
OK.
13. Close the Group Policy Management Editor window.
14. Close the Group Policy Management Console window.
Task 2: Enable Windows Defender Credential Guard using the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool
1. On SEA-SVR2, select Start, right-click or access the context menu for Windows PowerShell,
and then select Run as administrator.
2. To run the HVCI and Windows Defender Credential Guard hardware readiness tool, at the
Windows PowerShell command prompt, enter the following commands, and after each, press
Enter:
Set-Location -Path C:\Labfiles\Lab01\
.\DG_Readiness_Tool.ps1 -Enable -AutoReboot
3. Wait until the tool completes its run and, when prompted, in the You're about to be signed out
dialog box, select OK.
Note: The operating system will restart.
4. Once the restart completes, sign back into SEA-SVR2 as CONTOSO\Administrator, with the
password Pa55w.rd.
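The two tasks above configure Credential Guard, but a policy that applies on hardware lacking a prerequisite (UEFI, Secure Boot, virtualization extensions, IOMMU) ends up "configured" without ever starting. The following is an added verification script, not part of the lab, to run on SEA-SVR2 in an elevated prompt after the reboot. It relies only on the documented Win32_DeviceGuard class (SecurityServicesConfigured/SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI; VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running), the policy registry value written by the GPO, and the LsaIso.exe process that exists only when isolated LSA is live. The function names are ours.

```powershell
# Added example (not part of the lab): report whether VBS, Credential Guard and HVCI are
# actually running on this host, not merely configured, and explain the gap if they are not.
function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    if (-not $dg) { throw 'Win32_DeviceGuard is not available; this build does not expose VBS state.' }

    # Policy key written by "Turn On Virtualization Based Security".
    # LsaCfgFlags: 1 = enabled with UEFI lock (what Task 1 sets), 2 = enabled without lock.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
                            -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus                   = $dg.VirtualizationBasedSecurityStatus
        VbsRunning                  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured   = (1 -in @($dg.SecurityServicesConfigured))
        CredentialGuardRunning      = (1 -in @($dg.SecurityServicesRunning))
        HvciConfigured              = (2 -in @($dg.SecurityServicesConfigured))
        HvciRunning                 = (2 -in @($dg.SecurityServicesRunning))
        # LsaIso.exe is the isolated LSA process; it only exists while Credential Guard is live.
        IsolatedLsaProcess          = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        PolicyLsaCfgFlags           = $pol.LsaCfgFlags
        PolicyUefiLock              = ($pol.LsaCfgFlags -eq 1)
        RequiredSecurityProperties  = (@($dg.RequiredSecurityProperties)  -join ',')
        AvailableSecurityProperties = (@($dg.AvailableSecurityProperties) -join ',')
    }
}

function Assert-CredentialGuardRunning {
    $s = Get-CredentialGuardState
    $problems = @()
    if (-not $s.VbsRunning) {
        $problems += "VBS status is $($s.VbsStatus); expected 2 (running)"
    }
    if (-not $s.CredentialGuardConfigured) {
        $problems += 'Credential Guard is not configured; check that the GPO applied (gpresult /r)'
    }
    if ($s.CredentialGuardConfigured -and -not $s.CredentialGuardRunning) {
        # Configured-but-not-running is the classic prerequisite failure (or a pending reboot);
        # compare RequiredSecurityProperties against AvailableSecurityProperties to see which.
        $problems += "Credential Guard configured but not running; required=$($s.RequiredSecurityProperties) available=$($s.AvailableSecurityProperties)"
    }
    if (-not $s.IsolatedLsaProcess) {
        $problems += 'LsaIso.exe is not running, so LSASS secrets are not isolated'
    }
    if (-not $s.HvciRunning) {
        # Not fatal for Credential Guard itself, but the readiness tool -Enable turns it on too.
        Write-Warning 'HVCI (memory integrity) is not running'
    }
    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        return $false
    }
    return $true
}

Get-CredentialGuardState | Format-List
Assert-CredentialGuardRunning
```

Run it once before Task 2 and once after the reboot: the first run typically shows CredentialGuardConfigured true and CredentialGuardRunning false, the second should show both true with IsolatedLsaProcess true.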
Task 1: Locate and reconfigure domain accounts with non-expiring passwords
1. On SEA-SVR2, select Start, right-click or access the context menu for Windows PowerShell,
and then select Run as administrator.
2. To list Active Directory-enabled user accounts with a non-expiring password, at the Windows
PowerShell command prompt, enter the following command and press Enter:
Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true}
3. Review the list of user accounts returned.
4. To enable password expiration for all user accounts in the result set, at the Windows PowerShell
command prompt, enter the following command and press Enter:
Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true} | Set-ADUser -PasswordNeverExpires $false
5. To verify the outcome, rerun the command from step 2 and notice that no results are returned.
Task 2: Locate and disable domain accounts that have not been used to sign in for
at least 90 days
1. To identify Active Directory user accounts that have not been used to sign in for at least 90 days,
at the Windows PowerShell command prompt, enter the following command and press Enter:
$days = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonTimeStamp -lt $days -and Enabled -eq $true} -Properties LastLogonTimeStamp
Note: In the lab environment, no results will be returned.
2. To disable Active Directory user accounts that have not been used to sign in for at least 90 days,
enter the following command and press Enter:
Get-ADUser -Filter {LastLogonTimeStamp -lt $days -and Enabled -eq $true} -Properties LastLogonTimeStamp | Disable-ADAccount
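The one-liner above has two blind spots a practitioner should know about: lastLogonTimestamp is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random 0 to 5 days), so it is accurate to about two weeks; and an account that has never logged on has no lastLogonTimestamp at all, so "-lt $days" silently skips it. The following is an added example, not part of the lab, that reports the reason each account is flagged, optionally includes never-used accounts, writes the reason onto the object as an audit trail, and is dry-run by default. It assumes the ActiveDirectory module and rights to disable users; the function names and the exclusion list are ours.

```powershell
# Added example (not part of the lab): stale-account sweep with reasons, never-logged-on
# coverage and a dry-run default.
Import-Module ActiveDirectory

function Get-StaleADUser {
    param(
        [int]$InactiveDays = 90,
        [switch]$IncludeNeverLoggedOn,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # lastLogonTimestamp is replicated to every DC but is coarse (see lead-in); a 90-day
    # cutoff tolerates the ~14-day slack, a 7-day cutoff would produce false positives.
    Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
               -Properties lastLogonTimestamp, whenCreated, PasswordLastSet |
    ForEach-Object {
        # The attribute is a Windows FileTime (Int64); convert it before comparing.
        $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        $reason = $null
        if ($last -and $last -lt $cutoff) {
            $reason = "lastLogonTimestamp $($last.ToString('yyyy-MM-dd')) is older than $InactiveDays days"
        } elseif (-not $last -and $IncludeNeverLoggedOn -and $_.whenCreated -lt $cutoff) {
            $reason = "never logged on; created $($_.whenCreated.ToString('yyyy-MM-dd'))"
        }
        if ($reason) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                LastLogon         = $last
                PasswordLastSet   = $_.PasswordLastSet
                Reason            = $reason
            }
        }
    }
}

function Disable-StaleADUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int]$InactiveDays = 90,
        [switch]$IncludeNeverLoggedOn,
        # Break-glass and built-in accounts stay out of scope; extend this list for service accounts.
        [string[]]$Exclude = @('Administrator', 'krbtgt')
    )
    Get-StaleADUser -InactiveDays $InactiveDays -IncludeNeverLoggedOn:$IncludeNeverLoggedOn |
        Where-Object { $_.SamAccountName -notin $Exclude } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, "Disable ($($_.Reason))")) {
                Disable-ADAccount -Identity $_.DistinguishedName
                # Leave the reason on the object itself so it survives outside the ticket system.
                Set-ADUser -Identity $_.DistinguishedName `
                           -Description "Disabled $(Get-Date -Format yyyy-MM-dd): $($_.Reason)"
            }
        }
}

# Report first; then -WhatIf shows what would be disabled without touching anything.
Get-StaleADUser -InactiveDays 90 -IncludeNeverLoggedOn | Format-Table SamAccountName, LastLogon, Reason
Disable-StaleADUser -InactiveDays 90 -IncludeNeverLoggedOn -WhatIf
```

Because ConfirmImpact is High, running Disable-StaleADUser without -WhatIf prompts per account; pass -Confirm:$false only from a reviewed change.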
Implementing LAPS
Task 1: Prepare computer accounts for implementing LAPS (Local Administrator
Password Solution)
1. To create a designated OU and move the SEA-SVR1 computer account to it, on SEA-SVR2, at
the Windows PowerShell command prompt, enter the following commands and, after each, press Enter:
New-ADOrganizationalUnit -Name "Seattle_Servers"
Get-ADComputer SEA-SVR1 | Move-ADObject -TargetPath "OU=Seattle_Servers,DC=Contoso,DC=com"
2. To install LAPS, at the Windows PowerShell command prompt, enter the following command
and press Enter:
Msiexec /i C:\Labfiles\Lab01\LAPS.x64.msi
3. On the Welcome to the Local Administrator Password Solution Setup Wizard page of the
Local Administrator Password Solution Setup wizard, select Next.
4. On the End-User License Agreement page of the Local Administrator Password Solution
Setup wizard, select I accept the terms in the License Agreement, and then select Next.
5. On the Custom Setup page of the Local Administrator Password Solution Setup wizard, in
the drop-down menu next to Management Tools, select Entire feature will be installed on the
local hard drive, and then select Next.
6. On the Ready to install Local Administrator Password Solution page of the Local
Administrator Password Solution Setup wizard, select Install.
7. Once the installation completes, on the final page of the Local Administrator Password
Solution Setup wizard, select Finish.
8. To enable the Windows Defender Firewall with Advanced Security rule that allows incoming
Server Message Block (SMB) connections from other domain-joined servers, at the Windows
PowerShell command prompt, enter the following commands and, after each, press Enter:
$rule = Get-NetFirewallRule | Where-Object DisplayName -eq 'File and Printer Sharing (SMB-In)'
$rule | Set-NetFirewallRule -Profile Domain
$rule | Enable-NetFirewallRule
Note: This is required to connect to SEA-SVR2 from SEA-SVR1 later in this lab.
Task 2: Prepare Active Directory for LAPS
1. To prepare the domain for LAPS, on SEA-SVR2, at the Windows PowerShell command prompt,
enter the following commands, and after each, press Enter:
Import-Module admpwd.ps
Update-AdmPwdADSchema
Set-AdmPwdComputerSelfPermission -Identity "Seattle_Servers"
Note: Update-AdmPwdADSchema extends the forest schema (adding ms-Mcs-AdmPwd and
ms-Mcs-AdmPwdExpirationTime) and requires membership in Schema Admins; schema extensions
cannot be undone. Set-AdmPwdComputerSelfPermission grants computers in the OU write access
to those two attributes on their own account only.
2. On SEA-SVR2, in the Type here to search text box next to the Start button, enter Group Policy
Management.
3. In the list of results, select Group Policy Management.
4. In the Group Policy Management Console, expand Forest: Contoso.com, expand Domains,
expand Contoso.com, right-click or access the context menu for the Seattle_Servers OU, and
then select Create a GPO in this domain, and Link it here.
5. In the New GPO dialog box, in the Name text box, enter LAPS_GPO, and then select OK.
6. In the Group Policy Management window, under Seattle_Servers, right-click or access the
context menu for LAPS_GPO, and then select Edit.
7. In the Group Policy Management Editor window, under Computer Configuration, expand the
Policies node, expand the Administrative Templates node, and then select LAPS.
8. Select the Enable local admin password management policy, and then select the policy
settings link.
9. In the Enable local admin password management window, select Enabled, and then select
OK.
10. Select the Password Settings policy, and then select the policy settings link.
11. In the Password Settings policy dialog box, select Enabled, and then configure Password
Length to 20.
12. Verify that the Password Age (Days) is configured to 30, and then select OK.
13. Close the Group Policy Management Editor.
Task 3: Deploy LAPS client-side extension
1. Switch to the console session to SEA-SVR1 and then, if needed, sign in as CONTOSO\
Administrator, with the password Pa55w.rd.
Note: You will be prompted to change your password because the command you ran in the earlier
exercise cleared the PasswordNeverExpires flag on every enabled account, including Administrator.
Choose an arbitrary password and use it throughout the remainder of the lab.
2. Once you sign in, to access the Windows PowerShell command prompt, at the SConfig menu
prompt, enter 15 and press Enter.
3. To install LAPS silently with the default settings, at the Windows PowerShell command prompt,
enter the following command and press Enter:
Start-Process msiexec.exe -Wait -ArgumentList '/i \\SEA-SVR2.contoso.com\c$\Labfiles\Lab01\LAPS.x64.msi /quiet'
4. To trigger the processing of Group Policy that will apply LAPS settings locally, at the Windows
PowerShell command prompt, enter the following command and press Enter:
gpupdate /force
Task 4: Verify LAPS
1. Switch to the console session to SEA-SVR2.
2. Select Start. In the Start menu, select LAPS, and then select LAPS UI.
3. In the LAPS UI dialog box, in the ComputerName text box, enter SEA-SVR1, and then select
Search.
4. Review the Password and the Password expires values, and then select Exit.
5. Switch to the Windows PowerShell console and then, to verify the value of the password, at the
Windows PowerShell command prompt, enter the following command and press Enter:
Get-ADComputer -Identity SEA-SVR1 -Properties ms-Mcs-AdmPwd
6. Review the password assigned to SEA-SVR1 and note that it matches the one displayed in the
LAPS UI tool.
Note: PowerShell displays the value enclosed in a pair of braces because Get-ADComputer returns
the attribute as a single-element collection; the braces are not part of the password.
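Task 2 grants computers the right to write their own password, and Task 4 reads one password back, but neither step shows who else can read ms-Mcs-AdmPwd, which computers in the OU never received a LAPS password, or how to rotate a password once it has been used. The following is an added example, not part of the lab, covering those three checks with the AdmPwd.PS cmdlets installed by the LAPS management tools and the ActiveDirectory module. The OU and computer name mirror the lab; the function names are ours, and Reset-LapsPasswordNow assumes WinRM to the target (which the lab already relies on).

```powershell
# Added example (not part of the lab): audit and operate legacy LAPS from SEA-SVR2.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OrgUnit = 'OU=Seattle_Servers,DC=Contoso,DC=com'

# 1. Who can read the clear-text password? ms-Mcs-AdmPwd is a confidential attribute, so plain
#    Read is not enough, but any principal holding "All extended rights" on the OU or the
#    computer object can read it. Anything beyond Domain Admins and the group you delegated with
#    Set-AdmPwdReadPasswordPermission is a finding.
function Get-LapsPasswordReaders {
    param([string]$Identity)
    Find-AdmPwdExtendedRights -Identity $Identity | ForEach-Object {
        $dn = $_.ObjectDN
        foreach ($holder in $_.ExtendedRightHolders) {
            [pscustomobject]@{ ObjectDN = $dn; Principal = $holder }
        }
    }
}

# 2. One computer's password and expiry. Get-AdmPwdPassword returns the expiry as a DateTime;
#    the raw ms-Mcs-AdmPwdExpirationTime attribute is a Windows FileTime (Int64).
function Get-LapsPasswordInfo {
    param([string]$ComputerName)
    $laps   = Get-AdmPwdPassword -ComputerName $ComputerName
    $raw    = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
    $rawExp = @($raw.'ms-Mcs-AdmPwdExpirationTime')[0]
    [pscustomobject]@{
        ComputerName = $laps.ComputerName
        Password     = $laps.Password
        Expires      = $laps.ExpirationTimestamp
        RawExpires   = if ($rawExp) { [DateTime]::FromFileTime([int64]$rawExp) } else { $null }
    }
}

# 3. Coverage across the OU: a computer with no expiration time has never had the client-side
#    extension run, so its local Administrator password is whatever it was before LAPS.
function Get-LapsCoverage {
    param([string]$SearchBase)
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $exp     = @($_.'ms-Mcs-AdmPwdExpirationTime')[0]
        $expires = if ($exp) { [DateTime]::FromFileTime([int64]$exp) } else { $null }
        $state   = if (-not $expires) { 'NoLapsPassword' } elseif ($expires -lt (Get-Date)) { 'Overdue' } else { 'OK' }
        [pscustomobject]@{ Name = $_.Name; Expires = $expires; State = $state }
    }
}

# 4. After a password has been used (support session, scheduled-task edit), expire it now
#    instead of waiting up to 30 days. The CSE reads the new expiry at the next GP refresh.
function Reset-LapsPasswordNow {
    param([string]$ComputerName)
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock { gpupdate /target:computer /force } | Out-Null
    Get-LapsPasswordInfo -ComputerName $ComputerName
}

Get-LapsPasswordReaders -Identity $OrgUnit | Format-Table
Get-LapsCoverage -SearchBase $OrgUnit | Format-Table
Get-LapsPasswordInfo -ComputerName 'SEA-SVR1'
```

In the lab, Get-LapsPasswordReaders should list only the default administrative principals; in production, run it after every delegation change, because an extended-rights grant on a parent OU for unrelated reasons quietly exposes every LAPS password beneath it.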
Task 1: Install Failover Clustering
1. Connect to SEA-SVR2, and then, if needed, sign in as Contoso\Administrator with a password
of Pa55w.rd.
2. On SEA-SVR2, select Start, and then select Windows PowerShell (Admin).
3. To install the Failover Clustering server feature including the management tools on SEA-SVR1
and SEA-SVR2, at the Windows PowerShell command prompt, enter the following commands,
and after entering each command, press Enter:
Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
Install-WindowsFeature -ComputerName 'SEA-SVR1.contoso.com' -Name Failover-Clustering -IncludeManagementTools
Note: Wait for the installation process to complete. The installation should take about 1 minute.
4. To install iSCSI Target server role service on SEA-DC1, at the Windows PowerShell command
prompt, enter the following command and press Enter:
Install-WindowsFeature -ComputerName 'SEA-DC1.contoso.com' -Name FS-iSCSITarget-Server -IncludeManagementTools
Note: Wait for the installation process to complete. The installation should take about 1 minute.
Task 2: Configure iSCSI virtual disks
Important: The lab uses SEA-DC1, which serves as an Active Directory Domain Services (AD DS)
domain controller, to host shared iSCSI storage for a Windows Server-based cluster. This is not
meant to represent a recommended configuration in any way; it is done only to simplify the lab
and minimize the number of lab virtual machines. In a production environment, domain controllers
should not host shared storage for failover clusters (nor any other workload that widens their
attack surface). Such storage should be hosted on highly available infrastructure.
1. On SEA-SVR2, select Start, and then select Windows PowerShell (Admin).
2. To establish a PowerShell Remoting session to SEA-DC1, in the newly opened Windows
PowerShell window, enter the following command and press Enter:
Enter-PSSession -ComputerName SEA-DC1.contoso.com
3. To create iSCSI virtual disks on SEA-DC1, on SEA-SVR2, in the PowerShell Remoting session
to SEA-DC1, enter the following commands, and after entering each command, press Enter:
New-Item -ItemType Directory C:\Storage -Force
New-IscsiVirtualDisk C:\Storage\disk1.VHDX -Size 10GB
New-IscsiVirtualDisk C:\Storage\disk2.VHDX -Size 10GB
New-IscsiVirtualDisk C:\Storage\disk3.VHDX -Size 10GB
4. On SEA-SVR2, select Start, and then select Windows PowerShell (Admin).
5. To establish a PowerShell Remoting session to SEA-SVR1, in the newly opened Windows
PowerShell window, enter the following command, and then press Enter:
Enter-PSSession -ComputerName SEA-SVR1.contoso.com
Note: At this point, you should have three Windows PowerShell windows opened. You will use
the first one to run commands locally on SEA-SVR2, while using the other two to interact with
SEA-DC1 and SEA-SVR1. You can easily recognize each of them by identifying the PowerShell
prompt (for the second and third one, the prompt will contain [SEA-DC1.contoso.com] and
[SEA-SVR1.contoso.com] prefix, respectively).
6. To start the Microsoft iSCSI Initiator service on SEA-SVR2, at the Windows PowerShell
prompt providing access to the local session, enter the following commands, and after entering
each command, press Enter:
Start-Service -ServiceName MSiSCSI
Set-Service -ServiceName MSiSCSI -StartupType Automatic
7. To start the Microsoft iSCSI Initiator service on SEA-SVR1, switch to the Windows PowerShell
window hosting PowerShell Remoting session to SEA-SVR1, enter the following commands,
and after entering each command, press Enter:
Start-Service -ServiceName MSiSCSI
Set-Service -ServiceName MSiSCSI -StartupType Automatic
8. To create the Microsoft iSCSI Target on SEA-DC1, switch to the Windows PowerShell window
hosting PowerShell Remoting session to SEA-DC1, enter the following command, and then press
Enter:
New-IscsiServerTarget iSCSI-L03 -InitiatorIds "IQN:iqn.1991-05.com.microsoft:sea-svr1.contoso.com","IQN:iqn.1991-05.com.microsoft:sea-svr2.contoso.com"
Exercise 2: Configuring a failover cluster
Task 1: Connect clients to the iSCSI targets
1. To mount the iSCSI disks on SEA-DC1, from SEA-SVR2, in the Windows PowerShell window
hosting PowerShell Remoting session to SEA-DC1, enter the following commands, and after
entering each command, press Enter:
Add-IscsiVirtualDiskTargetMapping iSCSI-L03 C:\Storage\Disk1.VHDX
Add-IscsiVirtualDiskTargetMapping iSCSI-L03 C:\Storage\Disk2.VHDX
Add-IscsiVirtualDiskTargetMapping iSCSI-L03 C:\Storage\Disk3.VHDX
2. To connect to the iSCSI Target hosted on SEA-DC1 from SEA-SVR2, switch to the Windows
PowerShell prompt providing access to the local session, enter the following commands, and
after entering each command, press Enter:
New-IscsiTargetPortal -TargetPortalAddress SEA-DC1.contoso.com
Connect-IscsiTarget -NodeAddress iqn.1991-05.com.microsoft:sea-dc1-iSCSI-L03-target
Get-IscsiTarget | fl
Note: Verify that after you run the last command, the value of the IsConnected property is True.
3. To connect to the iSCSI Target hosted on SEA-DC1 from SEA-SVR1, switch to the Windows
PowerShell window hosting PowerShell Remoting session to SEA-SVR1, enter the following
commands, and after entering each command, press Enter:
New-IscsiTargetPortal -TargetPortalAddress SEA-DC1.contoso.com
Connect-IscsiTarget -NodeAddress iqn.1991-05.com.microsoft:sea-dc1-iSCSI-L03-target
Get-IscsiTarget | fl
Note: Verify that after you run the last command, the value of the IsConnected property is True.
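The target created in the previous exercise admits any initiator that presents one of the two listed IQNs. An IQN is a self-declared string (Get-InitiatorPort shows the local one, and it can be changed), so the InitiatorIds list is access control, not authentication: any host on the storage network that sets the same IQN gets raw block access to the cluster's shared disks. The following is an added example, not part of the lab, that adds mutual CHAP so that initiator and target each prove a shared secret. The target part runs inside the PSRemoting session to SEA-DC1, the initiator part on each node, before the disks are initialized (changing authentication on a target with live sessions requires disconnecting them first). The usernames and secrets are constructed placeholders; Windows iSCSI requires CHAP secrets of 12 to 16 bytes. Function names are ours.

```powershell
# Added example (not part of the lab): mutual CHAP between the SEA-DC1 target and the nodes.
$TargetName = 'iSCSI-L03'
$TargetIqn  = 'iqn.1991-05.com.microsoft:sea-dc1-iscsi-l03-target'
$PortalAddr = 'SEA-DC1.contoso.com'

# Constructed placeholder credentials; in practice generate them and keep them in a vault.
$InitiatorUser   = 'sea-cl03-init'
$InitiatorSecret = 'ChangeMe-Init-01'   # 16 bytes: secret the initiators present
$TargetUser      = 'sea-dc1-target'
$TargetSecret    = 'ChangeMe-Tgt-001'   # 16 bytes: secret the target presents back

function Test-ChapSecret {
    param([string]$Secret)
    # Windows iSCSI accepts 12-16 byte secrets; anything else fails at connect time.
    $len = [Text.Encoding]::ASCII.GetByteCount($Secret)
    return ($len -ge 12 -and $len -le 16)
}

# --- Target side: run in the Enter-PSSession to SEA-DC1 ---
function Enable-TargetMutualChap {
    param([string]$Name, [string]$User, [string]$Secret, [string]$ReverseUser, [string]$ReverseSecret)
    foreach ($s in @($Secret, $ReverseSecret)) {
        if (-not (Test-ChapSecret $s)) { throw 'CHAP secrets must be 12 to 16 bytes' }
    }
    $chap    = New-Object PSCredential($User,        (ConvertTo-SecureString $Secret        -AsPlainText -Force))
    $reverse = New-Object PSCredential($ReverseUser, (ConvertTo-SecureString $ReverseSecret -AsPlainText -Force))
    # EnableChap: initiators must authenticate. EnableReverseChap: the target authenticates too,
    # so a rogue host answering on the portal address cannot impersonate the storage.
    Set-IscsiServerTarget -TargetName $Name -EnableChap $true -Chap $chap `
                          -EnableReverseChap $true -ReverseChap $reverse
}

# --- Initiator side: run on SEA-SVR2 locally and in the session to SEA-SVR1 ---
function Connect-TargetMutualChap {
    param([string]$Portal, [string]$NodeAddress, [string]$User, [string]$Secret, [string]$ReverseSecret)
    # The secret the target must present is stored once per initiator, not per connection.
    Set-IscsiChapSecret -ChapSecret $ReverseSecret
    if (-not (Get-IscsiTargetPortal -TargetPortalAddress $Portal -ErrorAction SilentlyContinue)) {
        New-IscsiTargetPortal -TargetPortalAddress $Portal | Out-Null
    }
    Connect-IscsiTarget -NodeAddress $NodeAddress -AuthenticationType MUTUALCHAP `
                        -ChapUsername $User -ChapSecret $Secret -IsPersistent $true | Out-Null
    # Verify: the session should report MUTUALCHAP rather than NONE, and IsConnected True.
    $session = Get-IscsiSession | Where-Object TargetNodeAddress -eq $NodeAddress
    [pscustomobject]@{
        Target         = $NodeAddress
        Connected      = (Get-IscsiTarget -NodeAddress $NodeAddress).IsConnected
        Authentication = $session.AuthenticationType
        InitiatorIqn   = (Get-InitiatorPort | Where-Object ConnectionType -eq 'iSCSI').NodeAddress
    }
}

# On SEA-DC1:
# Enable-TargetMutualChap -Name $TargetName -User $InitiatorUser -Secret $InitiatorSecret `
#                         -ReverseUser $TargetUser -ReverseSecret $TargetSecret
# On each node:
# Connect-TargetMutualChap -Portal $PortalAddr -NodeAddress $TargetIqn `
#                          -User $InitiatorUser -Secret $InitiatorSecret -ReverseSecret $TargetSecret
```

CHAP authenticates the session but does not encrypt it; on a production SAN the storage network is also isolated from the client VLANs, which is the control that actually limits who can reach the portal at all.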
Task 2: Initialize the disks
1. To list the disks on SEA-SVR2, switch to the Windows PowerShell prompt providing access to
the local session, enter the following command, and then press Enter:
Get-Disk
Note: Ensure that the three iSCSI disks are listed with the Offline operational status. These
should be disks with numbers 1, 2, and 3.
2. To initialize the disks, at the Windows PowerShell prompt providing access to the local session,
enter the following commands, and after entering each command, press Enter:
Get-Disk | Where OperationalStatus -eq 'Offline' | Initialize-Disk -PartitionStyle MBR
New-Partition -DiskNumber 1 -Size 5gb -AssignDriveLetter
New-Partition -DiskNumber 2 -Size 5gb -AssignDriveLetter
New-Partition -DiskNumber 3 -Size 5gb -AssignDriveLetter
Format-Volume -DriveLetter E -FileSystem NTFS
Format-Volume -DriveLetter F -FileSystem NTFS
Format-Volume -DriveLetter G -FileSystem NTFS
Note: Verify the disk numbers match the previous command output before running the
commands. Verify that each command completed successfully.
Task 3: Create a failover cluster
1. To create a failover cluster, on SEA-SVR2, at the Windows PowerShell prompt providing access
to the local session, enter the following command, and then press Enter:
New-Cluster -Name SEA-CL03 -Node SEA-SVR2.contoso.com -StaticAddress 172.16.10.125
Note: The command should return the name of the newly created cluster (SEA-CL03).
2. To add SEA-SVR1 as another node to the newly created cluster, on SEA-SVR2, at the Windows
PowerShell prompt providing access to the local session, enter the following command, and then
press Enter:
Add-ClusterNode -Cluster SEA-CL03 -Name SEA-SVR1.contoso.com
Note: Verify that the command completed successfully.
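The two commands above create a cluster but skip validation, leave the three iSCSI disks outside cluster control, and leave a two-node cluster with no witness, so losing either node loses quorum. The following is an added example, not part of the lab, that runs Test-Cluster first, creates the cluster idempotently, adds every disk visible to both nodes, and configures a disk witness. Run it on SEA-SVR2 in the local (not remoted) session; the names and IP mirror the lab, the function names are ours, and choosing the first physical disk as witness is a lab shortcut (use a small dedicated LUN in production).

```powershell
# Added example (not part of the lab): validate, create, add storage and a disk witness.
Import-Module FailoverClusters

$ClusterName = 'SEA-CL03'
$ClusterIP   = '172.16.10.125'
$Nodes       = 'SEA-SVR2.contoso.com', 'SEA-SVR1.contoso.com'

function Invoke-ClusterValidation {
    param([string[]]$Node)
    # Test-Cluster writes an HTML report and returns its FileInfo. Failures in Storage and
    # Network are the ones that surface later as disks that will not come online or
    # heartbeats that flap, so review the report before New-Cluster, not after.
    $report = Test-Cluster -Node $Node -Include 'Inventory', 'Network', 'System Configuration', 'Storage'
    return $report.FullName
}

function New-ValidatedCluster {
    param([string]$Name, [string]$IP, [string[]]$Node)
    $existing = Get-Cluster -Name $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    # -NoStorage: add disks explicitly below instead of letting New-Cluster claim whatever it finds.
    $cluster = New-Cluster -Name $Name -Node $Node[0] -StaticAddress $IP -NoStorage
    $Node | Select-Object -Skip 1 | ForEach-Object { Add-ClusterNode -Cluster $Name -Name $_ | Out-Null }
    return $cluster
}

function Add-SharedStorageAndWitness {
    param([string]$Name)
    # Only disks visible to every node are "available"; a LUN missing on SEA-SVR1 is not listed,
    # which is exactly the check you want before relying on it for failover.
    $added   = Get-ClusterAvailableDisk -Cluster $Name | Add-ClusterDisk
    $witness = Get-ClusterResource -Cluster $Name |
               Where-Object { $_.ResourceType.Name -eq 'Physical Disk' } |
               Select-Object -First 1
    if (-not $witness) { throw 'No Physical Disk resource found to use as witness' }
    Set-ClusterQuorum -Cluster $Name -DiskWitness $witness.Name | Out-Null
    [pscustomobject]@{
        DisksAdded = @($added | ForEach-Object { $_.Name })
        Witness    = $witness.Name
        QuorumType = (Get-ClusterQuorum -Cluster $Name).QuorumType
    }
}

$reportPath = Invoke-ClusterValidation -Node $Nodes
"Review $reportPath for failed tests before continuing"
New-ValidatedCluster -Name $ClusterName -IP $ClusterIP -Node $Nodes
Add-SharedStorageAndWitness -Name $ClusterName
Get-ClusterNode -Cluster $ClusterName | Format-Table Name, State
```

After this, Get-ClusterNode should show both nodes Up and Get-ClusterQuorum should report a disk witness; without the witness a two-node cluster has an even vote count and any single-node failure takes the whole cluster offline.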
Implementing Azure Backup
Scenario
While waiting for the replication of the nested VM to complete, implement Azure Backup of the
second Azure VM by using an Azure VM agent and Azure VM-level backup of the third Azure
VM.
The main tasks for this exercise are as follows:
Set up the Azure Recovery Services agent.
Schedule Azure Backup.
Perform an on-demand backup.
Perform file recovery by using Azure Recovery Services agent.
Task 1: Set up the Azure Recovery Services agent
Note: In general, the same vault can be used to implement Azure Site Recovery and
Azure Backup functionality. When choosing the Azure region to host the vault for the
purpose of disaster recovery and backup, you should take into account recovery
objectives, including the range of impact of a regional disaster as well as network
latency considerations. In this lab, you will use the same vault for site recovery and
backup to minimize the number of duplicate steps.
Note: To implement Azure Backup, you will be installing the Azure Recovery Services
agent on SEA-SVR2, which already serves as the Microsoft Azure Site Recovery
Provider. To eliminate dependency issues, you will start by uninstalling the existing
installation of Azure Recovery Services agent.
1. On SEA-SVR2, use the Settings app to uninstall Microsoft Azure Recovery Services Agent.
Note: If you get an error message saying that the installation has failed, restart the VM and try
again.
2. On SEA-SVR2, in the Microsoft Edge window displaying the Azure portal, on the az801l05a-rsvault
Recovery Services vault blade, initiate Backup configuration with the following settings:
Settings Value
Where is your workload running? On-premises
What do you want to back up? Files and folders
3. From the az801l05a-rsvault |Backup blade, initiate the Prepare infrastructure procedure.
4. From the Prepare infrastructure blade, download Azure Recovery Services Agent to SEA-SVR2,
start the Microsoft Azure Recovery Services Agent Setup Wizard, disable the Microsoft Updates
option, and complete the installation with the default settings.
5. After the installation completes, start the Register Server Wizard.
6. Switch to the Microsoft Edge window displaying the Azure portal, and from the Prepare
infrastructure blade, download the vault credentials file to the local Downloads folder.
7. Switch back to the Register Server Wizard window, and when prompted to provide Vault
Credentials, point to the newly downloaded file.
8. On the Encryption Setting page of the Register Server Wizard, generate passphrase and store it in
the local Documents folder.
9. Review the Microsoft Azure Backup warning and proceed to complete the registration. This will
automatically open the Microsoft Azure Backup console.
Note: In a production environment, you should store the passphrase file in a secure location
other than the server being backed up. The passphrase encrypts the backup data and is never sent
to Azure; without it, the data cannot be restored to another server.
Task 2: Schedule Azure Backup
1. On SEA-SVR2, in the Microsoft Azure Backup console, schedule backup with the following settings
(leave others with their default values):
Settings Value
Items to back up C:\Windows\System32\drivers\etc\hosts
Backup Schedule Daily at 4:30 AM
Retention Policy default
Initial Backup type default
Task 3: Perform an on-demand backup
Note: The option to run backup on demand becomes available after you create a scheduled backup.
1. In the Microsoft Azure Backup console, initiate an on-demand backup with the default settings.
2. Switch to the Microsoft Edge window displaying the Azure portal, browse back to the
az801l05a-rsvault Recovery Services vault blade, and display Backup items.
3. From the az801l05a-rsvault | Backup items blade, browse to the Backup Items (Azure Backup
Agent) blade and verify that there is an entry referencing drive C of sea-svr2.contoso.com.
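Tasks 2 and 3 are done through the console; the same policy, schedule and on-demand run can be scripted with the MSOnlineBackup module that the Microsoft Azure Recovery Services agent installs, which is how you would roll a consistent policy out to many servers. The following is an added example, not part of the lab. It assumes the agent is already registered with the vault (Task 1) and an elevated session on SEA-SVR2; the paths, 4:30 AM schedule and 30-day retention mirror the lab, and the function names are ours.

```powershell
# Added example (not part of the lab): schedule the hosts-file backup and run it on demand
# with the Azure Recovery Services agent's MSOnlineBackup cmdlets.
Import-Module MSOnlineBackup

function Set-HostsFileBackupPolicy {
    param(
        [string[]]$Include       = @('C:\Windows\System32\drivers\etc\hosts'),
        [string[]]$DaysOfWeek    = @('Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'),
        [string]$TimeOfDay       = '04:30',
        [int]$RetentionDays      = 30
    )
    $policy = New-OBPolicy

    # Daily at 04:30, matching the lab; TimesOfDay accepts a TimeSpan-convertible string.
    $schedule = New-OBSchedule -DaysOfWeek $DaysOfWeek -TimesOfDay $TimeOfDay
    Set-OBSchedule -Policy $policy -Schedule $schedule | Out-Null

    # Keep daily points for 30 days; longer retention is where ransomware recovery lives.
    $retention = New-OBRetentionPolicy -RetentionDays $RetentionDays
    Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $retention | Out-Null

    # Inclusions are explicit paths; use -Exclude on a second file spec to carve out subfolders.
    Add-OBFileSpec -Policy $policy -FileSpec (New-OBFileSpec -FileSpec $Include) | Out-Null

    # Set-OBPolicy commits the policy to the agent; -Confirm:$false suppresses the save prompt.
    Set-OBPolicy -Policy $policy -Confirm:$false | Out-Null
    return (Get-OBPolicy)
}

function Start-OnDemandBackup {
    # Equivalent of "Back Up Now" in the console. -Async returns immediately; Get-OBJob
    # shows the running job so the script can poll it instead of blocking the session.
    Get-OBPolicy | Start-OBBackup -Async | Out-Null
    return (Get-OBJob)
}

function Get-LastBackupJob {
    # The most recently completed job; check its status before trusting the recovery point.
    return (Get-OBJob -Previous 1)
}

Set-HostsFileBackupPolicy
Start-OnDemandBackup
Get-LastBackupJob
```

Get-OBPolicy afterwards shows the committed policy; Remove-OBPolicy deletes it, which is also what stops the scheduled job, so guard that cmdlet in any automation that runs with the same rights.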
Task 4: Perform file recovery by using Azure Recovery Services agent
1. On SEA-SVR2, open File Explorer, browse to the C:\Windows\System32\drivers\etc\ folder and
delete the hosts file.
2. Switch to the Microsoft Azure Backup window and start Recover Data Wizard with the following
settings (leave others with their default values):
Settings Value
Restore target This server (sea-svr2.contoso.com)
Restore items Individual files and folders
Select the volume C:\
Note: Wait for the mount operation to complete. This might take about 2 minutes.
3. On the Browse And Recover Files page, note the drive letter of the recovery volume, select
Browse, and review the tip regarding the use of Robocopy.
4. On SEA-SVR2, start Command Prompt.
5. From the Administrator: Command Prompt window, run the following to copy and restore the
hosts file to the original location (replace <recovery_volume> with the drive letter of the
recovery volume you identified earlier):
robocopy <recovery_volume>:\Windows\System32\drivers\etc C:\Windows\system32\drivers\etc hosts /r:1 /w:1
6. From the Administrator: Command Prompt window, run the following to verify that the file has
been restored:
dir C:\Windows\system32\drivers\etc\hosts
7. Switch back to the Recover Data Wizard and unmount the mounted backup file.