
NOTE: All names and some of the assignments were removed because of classified information.
1. On Server 1 create an Active Directory domain named Kuku.tst
1. At first we need to prepare the Hyper-V server for our project:
1.1 We change our Hyper-V server name to Hyper-V1 by using the PowerShell command:
Rename-Computer -NewName Hyper-V1 -Restart
1.2 Now we need to install the Hyper-V role using Server Manager by going to Server
Manager > Add Roles and Features > Hyper-V.
1.3 After we installed the Hyper-V server role we now need to make an External switch so
the VMs can communicate with other VMs and the clients. We do this by opening the
Hyper-V role and clicking Virtual Switch Manager; when the Virtual Switch
Manager opens we can see 3 options:
External: The VMs can communicate with each other, with the physical server that
contains them and with other servers outside the physical server.
Internal: The VMs can communicate with each other and with the physical server
that contains them.
Private: The VMs can only communicate with each other.
Because we need the VMs to communicate with everyone on our network we need to
choose the External switch. We will call it Ext Switch.
1.4 Now we can make the servers we need (in this project we need 5) by doing the following:
first we go to the Hyper-V server role and click New Virtual Machine, at which point
a wizard pops up. We choose to store all our VMs in C:\Data\VMs.
Afterwards the wizard gives us 2 options: Generation 1 and Generation 2; because all of our
clients and servers are going to run Windows Server 2012 and Windows 8, we can
choose Generation 2.
We configure all our servers as follows:
2024 MB RAM
A VHDX (the newer version of the Virtual Hard Disk format): 40 GB
Connected to: Ext Switch.
We choose to install an operating system from a bootable image file and we finish the
installation.
1.5 After we installed the Windows Server 2012 operating system we will now make an
Active Directory domain named Kuku.tst on Server 1 by installing Active Directory
Domain Services (AD DS), and with that role we will create a new forest. After we
installed the AD DS role we will be able to see a notice that asks us to
Promote this server to a Domain Controller (DC). We will see that we have an option to
create a new forest, which we will use because we don't have a forest. After we chose to create
a new forest we will call the root domain Kuku.tst. In the Active Directory wizard we
can also install a DNS role, and we do.
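The same host preparation, VM creation and forest promotion (steps 1.1 to 1.5) can be scripted instead of clicked through. The block below is an added example and not part of the original project; it assumes the host's physical NIC is named "Ethernet" and that the Windows Server 2012 ISO sits at C:\Data\ISO\WS2012.iso, both of which you should change to match your host.

```powershell
# Added example (not from the original project): steps 1.1-1.5 from PowerShell.
# Assumptions: physical NIC "Ethernet", ISO at C:\Data\ISO\WS2012.iso.

# --- On the Hyper-V host (run each part after the reboot the previous one triggers) ---
Rename-Computer -NewName Hyper-V1 -Restart
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart

# External switch: VMs talk to each other, to the host and to the physical network
New-VMSwitch -Name "Ext Switch" -NetAdapterName "Ethernet" -AllowManagementOS $true

# Five Generation 2 VMs with the project's settings (2024 MB RAM, 40 GB VHDX)
$isoPath = "C:\Data\ISO\WS2012.iso"   # assumption
1..5 | ForEach-Object {
    $name = "Server$_"
    New-VM -Name $name -Generation 2 -MemoryStartupBytes 2024MB `
        -Path "C:\Data\VMs" `
        -NewVHDPath "C:\Data\VMs\$name\$name.vhdx" -NewVHDSizeBytes 40GB `
        -SwitchName "Ext Switch" | Out-Null
    # Attach the ISO and make it the first boot device for the OS installation
    $dvd = Add-VMDvdDrive -VMName $name -Path $isoPath -Passthru
    Set-VMFirmware -VMName $name -FirstBootDevice $dvd
}

# --- Inside Server 1, once Windows Server 2012 is installed (step 1.5) ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
# Creates the forest, the root domain kuku.tst and the DNS server role in one go.
# The DSRM password is read interactively because the parameter takes a SecureString.
Install-ADDSForest -DomainName "kuku.tst" -DomainNetbiosName "KUKU" `
    -InstallDns:$true -Force:$true `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password")

# Checks after the reboot: the domain exists and the switch is external
Get-ADDomain kuku.tst | Select-Object DNSRoot, DomainMode, PDCEmulator
Get-VMSwitch -Name "Ext Switch" | Select-Object Name, SwitchType
```

The switch is created with -AllowManagementOS so the host keeps network access through it, which is what the GUI's "Allow management operating system to share this network adapter" box does.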

2. Create Server 2
2.1 To create Server 2 we need to do exactly what we did to create Server 1. We go to the
Hyper-V server role on our Hyper-V server and click New Virtual Machine, at which point a
wizard pops up. We choose to store all our VMs in C:\Data\VMs.
Afterwards the wizard gives us 2 options: Generation 1 and Generation 2; because all of our
clients and servers are going to run Windows Server 2012 and Windows 8, we can
choose Generation 2.
We configure all our servers as follows:
2024 MB RAM
A VHDX (the newer version of the Virtual Hard Disk format): 40 GB
Connected to: Ext Switch.
2.2 We choose to install an operating system from a bootable image file and we finish the
installation. What we need to do differently from the last section is that we need to join
this computer to the domain. We can do it by right-clicking This PC on the Start menu and
choosing Properties > Advanced system settings > Computer Name tab > Change. At this
point you should specify the domain name you would like to join and fill in the credentials.
After I created all the firewall rules needed so the clients can connect to the server, I opened
Sysprep and ran it (do NOT forget to tick Generalize). This will make sure that
when I copy the VHD it won't copy the SID.
Now when I make the other servers, the defaults I selected will be applied to them (the
Remote Desktop connection, the firewall rules, the disabled paging file) by just copying and
pasting the VHD under another name.
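The template preparation of step 2.2 (Remote Desktop, firewall rules, paging file, Sysprep with Generalize, cloning the VHD, domain join) as PowerShell commands. This is an added example, not part of the original project; it assumes the domain kuku.tst, the VHDX layout C:\Data\VMs\<name>\<name>.vhdx and a join account KUKU\Administrator.

```powershell
# Added example (not from the original project): template preparation for step 2.2.
# Assumptions: domain kuku.tst, VHDX under C:\Data\VMs\<name>\, join account KUKU\Administrator.

# --- Inside the template VM (Server 2), while it is still in a workgroup ---
# Enable Remote Desktop and open its firewall rule group
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" `
    -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Rules the clients need to reach the server for ping and SMB
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

# Turn off the automatic page file and remove any configured one
Set-CimInstance -Query "SELECT * FROM Win32_ComputerSystem" `
    -Property @{ AutomaticManagedPagefile = $false }
Get-CimInstance -ClassName Win32_PageFileSetting | Remove-CimInstance

# Generalize last: it strips the SID so every clone gets its own one at first boot.
# The VM shuts down when Sysprep finishes.
& "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown

# --- On the Hyper-V host, after the template shut down ---
Copy-Item "C:\Data\VMs\Server2\Server2.vhdx" "C:\Data\VMs\Server3\Server3.vhdx"
New-VM -Name Server3 -Generation 2 -MemoryStartupBytes 2024MB `
    -VHDPath "C:\Data\VMs\Server3\Server3.vhdx" -SwitchName "Ext Switch"
Start-VM -Name Server3

# --- Inside each clone, after the OOBE finishes ---
Add-Computer -DomainName "kuku.tst" -Credential (Get-Credential "KUKU\Administrator") -Restart

# Check that the clone really has a fresh identity and is a domain member
(Get-CimInstance Win32_ComputerSystem).PartOfDomain          # True after the reboot
(Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True")[0].SID  # differs per clone
```

The domain join is done per clone rather than on the template: Generalize resets the machine's identity, so a join performed before Sysprep does not survive it.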

3. Make the Active Directory structure and the users:

3.1 At first we need to get the users file from Human Resources in the company; in this case I
have made a file that contains a few hundred users, wrote a script that will create all of the OUs,
and using the CSV file I've organized them in the correct OU.
3.2 The script I used for this is:
Import-Module ActiveDirectory
New-ADOrganizationalUnit -Name Finance -Path "DC=kuku,DC=tst"
New-ADOrganizationalUnit -Name Production -Path "DC=kuku,DC=tst"
New-ADOrganizationalUnit -Name Sales -Path "DC=kuku,DC=tst"
New-ADOrganizationalUnit -Name Architects -Path "DC=kuku,DC=tst"
New-ADOrganizationalUnit -Name IT -Path "DC=kuku,DC=tst"
New-ADOrganizationalUnit -Name Management -Path "DC=kuku,DC=tst"
# The CSV needs the columns Name, samAccountName and ParentOU, where ParentOU
# holds the OU's distinguished name, e.g. OU=Sales,DC=kuku,DC=tst
Import-Csv "C:\Users\Administrator\Desktop\Project 1\Employes\Employes.csv" |
ForEach-Object {
    # The UPN suffix must be the domain's own name (kuku.tst)
    $userPrincipal = $_."samAccountName" + "@kuku.tst"
    New-ADUser -Name $_.Name `
        -Path $_."ParentOU" `
        -SamAccountName $_."samAccountName" `
        -UserPrincipalName $userPrincipal `
        -AccountPassword (ConvertTo-SecureString "Slipknot9!!" -AsPlainText -Force) `
        -ChangePasswordAtLogon $false `
        -Enabled $true
}
4. Allow UserS1 to change the password of all the users in the Sales OU.
4.1 First we need to delegate control on the Sales OU. We add UserS1 as shown in
the exhibit:

Now we choose Reset user passwords and force password change at next logon. This
will assign the task to UserS1.
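What the Delegation of Control wizard writes is two access control entries on the OU. The block below, an added example that is not part of the original project, applies the same delegation with dsacls and then reads the resulting ACEs back so the grant can be verified. It assumes the NetBIOS domain name KUKU and the OU distinguished name OU=Sales,DC=kuku,DC=tst.

```powershell
# Added example (not from the original project): delegate "Reset user passwords and
# force password change at next logon" on the Sales OU to UserS1 from the command line.
# Assumptions: NetBIOS domain KUKU, OU DN OU=Sales,DC=kuku,DC=tst.
$ou   = "OU=Sales,DC=kuku,DC=tst"
$user = "KUKU\UserS1"

# /I:S = apply to child objects only; ";user" restricts the ACE to user objects.
# CA;Reset Password  = the "Reset Password" extended right
# RPWP;pwdLastSet    = read/write the pwdLastSet attribute (force change at next logon)
dsacls $ou /I:S /G "${user}:CA;Reset Password;user"
dsacls $ou /I:S /G "${user}:RPWP;pwdLastSet;user"

# Check: list the ACEs on the OU that were granted to UserS1
Import-Module ActiveDirectory
(Get-Acl "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\UserS1" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType

# Functional check, run as UserS1: succeeds for a Sales user, is denied elsewhere
# Set-ADAccountPassword -Identity <SalesUser> -Reset -NewPassword (Read-Host -AsSecureString)
# Set-ADUser -Identity <SalesUser> -ChangePasswordAtLogon $true
```

The inheritance flag matters: without /I:S the ACE lands on the OU object itself and never reaches the user objects inside it, which is the most common reason a delegation "does nothing".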

5. Create a policy that will force a complex password using 8 digits and must be changed every
60 days
5.1 First we need to create a new Group Policy Object (GPO) that will be enforced on the whole
domain. We go to the Group Policy Management Editor using the command gpmc.msc and
then we go to Computer Configuration > Policies > Windows Settings > Security
Settings > Account Policies > Password Policy. In there you can find the policies that you
need to change. You change the Maximum password age to 60, the Minimum password
length to 8 characters, and make sure that Password must meet complexity
requirements is Enabled.
5.2 In case of 3 failed attempts to log on during 30 minutes the account will be locked for 12
hours.
In the domain GPO we go to Computer Configuration > Software Settings > Security
Settings > Account Policies > Account Lockout Policy. In there we can find the Account
lockout threshold, where you configure how many attempts a user gets until the account is locked out
(3); the Account lockout duration configures how long the user remains locked out before the account
automatically opens again.
5.3 In the IT department the users must change their password every 30 days.
In the Active Directory Administrative Center you choose your domain and go to the System
container. After this you choose the Password Settings Container and you make the PSO as
shown in the exhibit:

You make a PSO using ADAC because if you create a new GPO for the IT OU it will only
apply to the computers in that OU and the local users of those computers, and not to the domain
users that are in Active Directory.
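Both halves of step 5 (the domain-wide password and lockout settings of 5.1 and 5.2, and the 30-day PSO for IT of 5.3) can be set and verified with the ActiveDirectory module. The block below is an added example, not code from the original project; it assumes the group name IT-Users and the OU distinguished name OU=IT,DC=kuku,DC=tst.

```powershell
# Added example (not from the original project): steps 5.1-5.3 from PowerShell.
# Assumptions: group IT-Users, OU DN OU=IT,DC=kuku,DC=tst.
Import-Module ActiveDirectory

# 5.1 / 5.2: the domain default (same settings the Default Domain Policy carries)
Set-ADDefaultDomainPasswordPolicy -Identity "kuku.tst" `
    -ComplexityEnabled $true `
    -MinPasswordLength 8 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Hours 12)

# 5.3: a PSO binds to users or global security groups, never to an OU, so the
# IT OU users are collected into a group and the PSO is attached to the group.
New-ADGroup -Name "IT-Users" -GroupScope Global -GroupCategory Security `
    -Path "OU=IT,DC=kuku,DC=tst"
Add-ADGroupMember -Identity "IT-Users" `
    -Members (Get-ADUser -Filter * -SearchBase "OU=IT,DC=kuku,DC=tst")

New-ADFineGrainedPasswordPolicy -Name "IT-30days" -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 8 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 3 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Hours 12)
Add-ADFineGrainedPasswordPolicySubject -Identity "IT-30days" -Subjects "IT-Users"

# Checks: the domain default, and the policy that actually wins for an IT user
Get-ADDefaultDomainPasswordPolicy -Identity "kuku.tst" |
    Select-Object MinPasswordLength, MaxPasswordAge, ComplexityEnabled, LockoutThreshold
Get-ADUser -Filter * -SearchBase "OU=IT,DC=kuku,DC=tst" | Select-Object -First 1 |
    Get-ADUserResultantPasswordPolicy | Select-Object Name, MaxPasswordAge, Precedence
```

Get-ADUserResultantPasswordPolicy is the check worth keeping: it reports the policy that applies to the user after precedence is resolved, so a PSO that was created but attached to the wrong object shows up immediately as the domain default still winning.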
6. There will be a DFS Namespace named \\kuku.tst\Share that the files will point to
D:\Data\Share of Server1 and Server2
6.1 At first we create a new shared folder at C:\Data and then we go to DFS Management
and create a new namespace by right-clicking DFS Management and then clicking
New Namespace. Then a wizard opens and asks us to choose the server that will host the
namespace. Then we type the name for our namespace; this name will appear after the server
or domain name in the namespace path. We choose the domain-based namespace and enable
Windows Server 2008 mode as shown in the exhibit:

And then we create it. Now we have a new namespace.

6.2 After we made a new namespace we point it at the shared folder by right-clicking the
namespace. There we can see the list of all the shared folders in our domain. We choose our
folder in C:\Data\Share and add it to the namespace.
This is important to do because if you change the source of the files the name will still be the
same and users will not need to remember a new path.
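The namespace of step 6 built with the DFS Namespaces module, with the share on both servers and Server2 added as a second root target. This is an added example and not part of the original project; it assumes the folder is D:\Data\Share on Server1 and Server2 (as the requirement states), that PowerShell remoting to both servers works, and that the namespace is hosted in Windows Server 2008 mode.

```powershell
# Added example (not from the original project): domain-based namespace \\kuku.tst\Share.
# Assumptions: D:\Data\Share on Server1 and Server2, remoting enabled, 2008 mode.
Install-WindowsFeature -Name FS-DFS-Namespace -IncludeManagementTools

# The folder and the SMB share on both servers. Access is governed by the NTFS
# permissions on D:\Data\Share; the share permission is left wide open.
foreach ($server in "Server1", "Server2") {
    Invoke-Command -ComputerName $server -ScriptBlock {
        New-Item -Path "D:\Data\Share" -ItemType Directory -Force | Out-Null
        New-SmbShare -Name "Share" -Path "D:\Data\Share" -FullAccess "KUKU\Domain Users"
    }
}

# Domain-based namespace in Windows Server 2008 mode (DomainV2), first hosted on Server1 ...
New-DfsnRoot -Path "\\kuku.tst\Share" -TargetPath "\\Server1\Share" -Type DomainV2
# ... then Server2 as a second root target so the namespace survives one server being down
New-DfsnRootTarget -Path "\\kuku.tst\Share" -TargetPath "\\Server2\Share"

# Checks: both targets online, and the namespace path resolves from a client
Get-DfsnRootTarget -Path "\\kuku.tst\Share" | Select-Object TargetPath, State
Test-Path "\\kuku.tst\Share"
```

A namespace only gives the users one stable path; it does not copy files between the two D:\Data\Share folders. Keeping the two copies identical is a separate job for DFS Replication.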

7. Each user will have a folder that will be saved in \\kuku.tst\share\users\Username with a
quota of 10 GB

7.1 To do so we have to use the File Server Resource Manager (FSRM) tool to first create the
templates for the quotas. You click Quota Templates and create a new quota template. In there you
create a 10 GB quota and save it.

Now, after we created the template we create a new quota by right-clicking Quotas > Create
Quota. After we did it we select a path for the quota and we select which quota template
we should use. In this case we will use the 10 GB template that we made earlier.

Now we have to make sure that when a user logs on to a server, or basically every machine on
the network, it will automatically create a folder for him. We open the Group Policy Management
console using gpmc.msc. With the introduction of Windows 8 and Windows Server 2012 there is now
a new group policy setting called Set user home folder, found under Computer
Configuration > Policies > Administrative Templates > System > User Profiles.

As we can see in the exhibit above we set the group policy to Enabled and choose the On the
network option in the Location tab. The path we used is our network path.
7.2 As for divisions we do the same thing, except we make the folders manually and create
a 100 GB quota template.
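The quota part of step 7 done with the FSRM module: a 10 GB template auto-applied to every subfolder of the users root, a 100 GB template for the division folders, and one folder per user with an NTFS ACL that only that user (plus Administrators and SYSTEM) can use. This is an added example, not code from the original project; it assumes the data lives at D:\Data\Share with Users and Divisions subfolders on the file server and that the ActiveDirectory module is available there.

```powershell
# Added example (not from the original project): quotas and per-user folders for step 7.
# Assumptions: D:\Data\Share\Users and D:\Data\Share\Divisions on the file server.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager, ActiveDirectory

$usersRoot = "D:\Data\Share\Users"
$divRoot   = "D:\Data\Share\Divisions"
New-Item -ItemType Directory -Force -Path $usersRoot, $divRoot | Out-Null

# Quota templates; hard quotas refuse writes above the limit
New-FsrmQuotaTemplate -Name "10GB User"      -Size 10GB
New-FsrmQuotaTemplate -Name "100GB Division" -Size 100GB

# Auto-apply quotas: every subfolder that appears under the root gets its own quota
New-FsrmAutoQuota -Path $usersRoot -Template "10GB User"
New-FsrmAutoQuota -Path $divRoot   -Template "100GB Division"

# Division folders are created by hand, as step 7.2 says
foreach ($ou in "Finance", "Production", "Sales", "Architects", "IT", "Management") {
    New-Item -ItemType Directory -Force -Path (Join-Path $divRoot $ou) | Out-Null
}

# One folder per domain user. icacls: /inheritance:r drops inherited ACEs,
# (OI)(CI) makes the ACE inherit to files and subfolders, M = modify, F = full.
foreach ($u in Get-ADUser -Filter * -SearchBase "DC=kuku,DC=tst") {
    $folder = Join-Path $usersRoot $u.SamAccountName
    if (-not (Test-Path $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
        icacls $folder /inheritance:r `
            /grant:r "KUKU\$($u.SamAccountName):(OI)(CI)M" `
                     "BUILTIN\Administrators:(OI)(CI)F" `
                     "NT AUTHORITY\SYSTEM:(OI)(CI)F" | Out-Null
    }
}

# Checks: each user folder reports its own 10 GB quota, and its ACL is the three ACEs above
Get-FsrmQuota -Path "$usersRoot\*" | Select-Object Path, Size, Usage
(Get-Acl (Get-ChildItem $usersRoot | Select-Object -First 1).FullName).Access |
    Select-Object IdentityReference, FileSystemRights
```

Dropping inheritance on each user folder is the part the GUI quota step does not cover: a quota limits how much a user stores, while the ACL decides who can read the folder at all.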
8. All the FSMO roles will be transferred to Server2

To transfer the FSMO roles first we need to divide them into 2 sections:
1: the domain-specific roles
2: the forest-specific roles.
8.1 Transferring the Domain-Specific Roles: RID, PDC, and Infrastructure Master
1. Click the domain controller which will be the new role holder, and then click OK.
2. Right-click the Active Directory Users and Computers icon, and then click Operations
Master.
3. In the Change Operations Master dialog box, click the appropriate tab (RID, PDC,
or Infrastructure) for the role you want to transfer.
4. Click Change in the Change Operations Master dialog box.
5. Click OK to confirm that you want to transfer the role.
6. Click OK.
7. Click Close to close the dialog box.
You need to do it for each tab.
8.2 Transferring the forest-specific roles will be done role by role and not all the roles at once like
the domain-specific roles.
8.3 Transferring the Domain Naming Master role:
1. On Server 2 go to Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and then click Operations
Master.
3. In the Change Operations Master dialog box, click Change.
4. Click OK to confirm that you want to transfer the role.
5. Click OK.

8.4 Transferring the Schema Master role:
1. At first we open the command-line tool and type in: regsvr32 schmmgmt.dll. This will allow
access to the Active Directory Schema snap-in.
2. Open MMC and add the Active Directory Schema snap-in.
3. Right-click the Active Directory Schema icon, and then click Change
Domain Controller.
NOTE: If you are not on the domain controller where you want to transfer
the role, you need to take this step. It is not necessary if you are
connected to the domain controller whose role you want to transfer.
4. Click Specify Domain Controller, type the name of the domain controller
that will be the new role holder, and then click OK.
5. Right-click Active Directory Schema, and then click Operations Master.
6. In the Change Schema Master dialog box, click Change.
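All five roles can be moved with one cmdlet instead of the three snap-in procedures above, and the result checked afterwards. This is an added example and not part of the original project; it assumes Server2 is already a domain controller and that the account used is a member of Domain Admins, Enterprise Admins and Schema Admins (the schema transfer needs the last one).

```powershell
# Added example (not from the original project): transfer all FSMO roles to Server2.
# Assumptions: Server2 is a DC; caller is in Domain, Enterprise and Schema Admins.
Import-Module ActiveDirectory

# Where are the roles now?
Get-ADDomain kuku.tst | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest kuku.tst | Select-Object SchemaMaster, DomainNamingMaster

# Transfer: the current holders are contacted and hand the roles over cleanly.
# -Force would seize instead, which is only for a holder that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity "Server2" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Check: every role must now name Server2 (netdom query fsmo shows the same table)
$domain = Get-ADDomain kuku.tst | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
$forest = Get-ADForest kuku.tst | Select-Object SchemaMaster, DomainNamingMaster
$roles  = @($domain.PSObject.Properties) + @($forest.PSObject.Properties)
foreach ($r in $roles) {
    $state = if ($r.Value -like "Server2.*") { "OK" } else { "NOT on Server2" }
    "{0,-22} {1,-28} {2}" -f $r.Name, $r.Value, $state
}
```

After a transfer, check the Directory Service event log on both domain controllers as well: the old holder logs the release and the new one logs taking ownership, which is the evidence that replication has caught up with the change.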

9. Make the Control Panel and the CMD blocked for all of the Production users
9.1 To do so, we need to create a GPO that prohibits access to the Control
Panel and the CMD and link it to the Production OU.
You go to gpmc.msc, right-click the Production OU > Create a GPO in this
domain, and Link it here.

9.2 Now, right-click the GPO and click Edit. In there we go to the following
path: User Configuration > Policies > Administrative Templates > Control Panel, where you can find
Prohibit access to Control Panel. Enable it and then go to the following path:
User Configuration > Policies > Administrative Templates > System, and there you can find Prevent
access to the command prompt. Enable both of them and save the GPO.
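The GPO of step 9 created, linked and configured from the GroupPolicy module. The two Administrative Template policies are registry-backed, so Set-GPRegistryValue writes exactly what the editor would. This is an added example and not code from the original project; it assumes the GPO name Production-Restrictions and the OU distinguished name OU=Production,DC=kuku,DC=tst.

```powershell
# Added example (not from the original project): step 9 from PowerShell.
# Assumptions: GPO name Production-Restrictions, OU DN OU=Production,DC=kuku,DC=tst.
Import-Module GroupPolicy

$gpoName = "Production-Restrictions"
$ouDn    = "OU=Production,DC=kuku,DC=tst"

New-GPO -Name $gpoName -Comment "Blocks Control Panel and cmd.exe for Production users" | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# User Configuration > Policies > Administrative Templates > Control Panel >
#   "Prohibit access to Control Panel and PC settings"
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null

# User Configuration > Policies > Administrative Templates > System >
#   "Prevent access to the command prompt"
#   DisableCMD = 2 blocks the interactive prompt but still lets logon scripts run;
#   DisableCMD = 1 also blocks batch scripts, which breaks logon scripts.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Policies\Microsoft\Windows\System" `
    -ValueName "DisableCMD" -Type DWord -Value 2 | Out-Null

# Checks: the link is in place and the values are stored in the GPO
(Get-GPInheritance -Target $ouDn).GpoLinks | Select-Object DisplayName, Enabled, Enforced
Get-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Policies\Microsoft\Windows\System" |
    Select-Object ValueName, Value
Get-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" |
    Select-Object ValueName, Value
```

Both settings live under User Configuration, so the GPO only takes effect for user accounts whose objects sit in the Production OU; linking it to an OU that holds only computers would do nothing. On a test client, gpupdate /force followed by gpresult /r /scope:user shows whether the GPO was applied to the logged-on user.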

10. Map the Z: drive to \\kuku.tst\share\General and make sure that you can only save txt
files.
10.1 We right-click This PC and choose Map network drive as shown in the exhibit:

After we do so we will get a window in which we can map the drive and assign it a
letter. For our path we type \\kuku.tst\share\general and assign the letter Z:.

10.2 To make sure we can only save txt files we open the FSRM tool and then create a
File Screen Template and mark it to block all the types of file except txt files, as shown in
the exhibit:

Then we create a new file screen and choose our template and path, which is
\\kuku.tst\share\General.
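The "everything except .txt" file screen of step 10.2 and the persistent Z: mapping of step 10.1 in PowerShell. This is an added example and not part of the original project; it assumes the General folder is D:\Data\Share\General on the file server (file screens are set on the local path, not on the namespace path) and that the namespace path is \\kuku.tst\share\General.

```powershell
# Added example (not from the original project): step 10 from PowerShell.
# Assumptions: local path D:\Data\Share\General on the file server.
Import-Module FileServerResourceManager

$general = "D:\Data\Share\General"

# A file group that matches every file name except *.txt ...
New-FsrmFileGroup -Name "Everything but text" -IncludePattern "*" -ExcludePattern "*.txt"
# ... used by an active (blocking, not just monitoring) screen template
New-FsrmFileScreenTemplate -Name "TXT only" -IncludeGroup "Everything but text" -Active
New-FsrmFileScreen -Path $general -Template "TXT only"

# Checks on the server: the screen is active, a .txt is written, a .docx is refused
Get-FsrmFileScreen -Path $general | Select-Object Path, Template, Active
Set-Content -Path "$general\ok.txt" -Value "allowed"
try {
    Set-Content -Path "$general\blocked.docx" -Value "x" -ErrorAction Stop
    "unexpected: .docx was written"
} catch {
    "blocked as expected: $($_.Exception.Message)"
}

# --- On a client: the Map Network Drive dialog's equivalent, kept across logons ---
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\kuku.tst\share\General" -Persist -Scope Global
Get-PSDrive -Name Z | Select-Object Name, Root
```

File screening matches on the file name, not on the content, so it stops users saving the wrong extension but is not a content filter; that is the right expectation for the requirement as stated.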

14. All the hosts must have 7-Zip installed.

First we put the 7-Zip installation package on the shared network folder and then we open and edit
our main GPO. In there, under Computer Configuration > Software Settings, we right-click
Software Installation > New > Package. In the path section you enter the path where the
software installation package is, as shown in the exhibit:

15. \\Server3\PrinterX will be installed on every computer


After the successful installation of the Print Server go to the "Tools Menu" provided at the upper
right hand corner.

In the Tools Menu go to "Print Management" and click on it.


Now, In the Print Management Window go to the "Print Servers" option and expand it. It will
expand to show your Print Server, again expand this and you will find a "Printers" option available
at the bottom of this Print Server. Right-click on the "Printers" option to "Add Printer".

Now the Printer Wizard will be opened, first you must select the Installation Method. Click on
second option i.e. "Add a TCP/IP or Web Services Printer by IP Address or Host Name".

After selecting the second option click on the "Next" button.


Now you must provide the printer's network name or its IP address.

In the "Type of Device" option you can either specify it is TCP/IP or use the Auto-detect option. As
you can see I chose the Auto-detect option.
After providing the IP address and type of device click on the "Next" button.
Now the Printer Name and Sharing options will be opened. The printer's name will be
provided automatically. Click on the "Sharing" option if you want to share this printer with many
users. If you choose to share this printer then you must provide the location and share name for
this printer and then click on the "Next" button.

Now your printer will be ready to install and all its information will be shown to you. Click on the
"Next" button after checking all the information for the last time. Clicking the Next Button will
install the printer.

Now your printer will be successfully installed. Click on the "Finish" button to finish the installation.

Now when you go to the Print Management Window you will see that your printer is installed.

After we installed the printer we create an Empty GPO called Printer. Then go to the printers tab and right
click on the new printer we just made and click Deploy with Group Policy.

Now this printer will be shown to all the users connected to your server and they don't need to
install the printer separately on their system.
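The printer part of step 15 (a TCP/IP port, the driver, a shared and published printer on Server3, and the connection a client makes to it) with the PrintManagement module. This is an added example and not part of the original project; the printer's address 192.0.2.50 (a documentation range) and the driver name "Generic / Text Only" are placeholders to be replaced by the real printer's address and a driver present in the driver store.

```powershell
# Added example (not from the original project): \\Server3\PrinterX from PowerShell.
# Assumptions: printer address 192.0.2.50 and driver "Generic / Text Only" are placeholders.

# --- On Server3 ---
Install-WindowsFeature -Name Print-Server -IncludeManagementTools
Import-Module PrintManagement

$printerIp  = "192.0.2.50"           # placeholder
$driverName = "Generic / Text Only"  # placeholder: must already be in the driver store

# The "Add a TCP/IP printer by IP address" option: a standard TCP/IP port to the device
Add-PrinterPort -Name "IP_$printerIp" -PrinterHostAddress $printerIp
Add-PrinterDriver -Name $driverName
Add-Printer -Name "PrinterX" -DriverName $driverName -PortName "IP_$printerIp" `
    -Shared -ShareName "PrinterX" -Location "Kuku office" -Published

# Check: shared under the expected name and listed in Active Directory
Get-Printer -Name "PrinterX" | Select-Object Name, ShareName, Shared, Published, PortName

# --- On a client (the connection that "Deploy with Group Policy" creates for every user) ---
Add-Printer -ConnectionName "\\Server3\PrinterX"
Get-Printer | Where-Object Type -eq "Connection" | Select-Object Name, ComputerName
```

-Published writes the print queue into Active Directory, which is what lets users find it with "Search Active Directory" in Add Printer; the GPO deployment described above is what pushes the connection without the user searching.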

16. Create a WDS server and import a boot image

16.1 First we need to install Windows Deployment Services on Server 1 by using Add
Roles and Features from Server Manager. We install the WDS role and make sure we
choose the Active Directory-integrated WDS. Then we shut down Server 1.
Now, from our Hyper-V server we mount the VHD of Server 1 and add Boot.wim and
Install.wim to the VHD.
NOTE: Make sure you delete the checkpoint if you have one.
We start Server 1 and then go to the WDS management console, right-click Install
Images and choose Add Install Image, which opens a wizard.

Click Next and then we will need to browse to our Install.wim file as shown in the exhibit:

Now it asks us to select the images we want to add to the server, such as:
Windows Server 2012 Standard
Windows Server 2012 Standard Core installation
Windows Server 2012 Datacenter
Windows Server 2012 Datacenter Core installation.

We select the images that we want to be able to install from the server and click Next.
After we do so it will check the integrity of our source and will finish the wizard.

16.2 Now we need to do the same thing for our Boot.wim file.
We start Server 1 and then go to the WDS management console, right-click Boot
Images and choose Add Boot Image, which opens a wizard.
We choose the location of our Boot.wim file.

Then the wizard will ask us to give a name and a description to the image file; I'd rather
carry on with the defaults as shown here:

We click Next and the wizard shows us a summary of the installation. After we click Next it
will check the integrity of our source file.
When it finishes it will say that the image was successfully added to our WDS server.

16.3 Now, because we have the WDS role and the DHCP role on the same server, they both try
to listen on port 67. That's why the service stops. We need to configure WDS to stop
listening on port 67.
We can do so by following these steps:
1. Click Start, click Run, type wdsmgmt.msc, and then press OK.
2. In the Windows Deployment Services window, expand Servers, right-click the
WDS server name, and then click Properties.
3. In the Server Properties dialog box, click the DHCP tab.
4. Select the Do not listen on port 67 check box, and then click Apply.
After we finished adding all the files we need we can see that the service is stopped,
as shown here:

The little stop mark we see on the server icon says that the WDS service is off and to
activate it we need to do it manually.
We go to the Services window using the Run command services.msc, look for Windows
Deployment Services Server, click it and click Start.

If the service won't start we need to change the registry key value to 0 by going
through this path:

Now WDS will not listen on the DHCP port and will run correctly.
I checked it through the Event Viewer and saw the error code. The error code was 0x2740,
which means that WDS is still listening on the DHCP port.
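Steps 16.1 to 16.3 from the command line: the role, the two images via wdsutil, and the port-67 setting both as WDS sees it and as the registry value the text refers to. This is an added example and not part of the original project; it assumes the WIM files were copied to D:\Images on Server 1 and the RemoteInstall share goes to D:\RemoteInstall. The registry path used is the standard WDS PXE provider key and is not taken from the project text.

```powershell
# Added example (not from the original project): WDS setup and the port 67 fix.
# Assumptions: WIMs in D:\Images, RemInst at D:\RemoteInstall; registry key is the
# standard WDSPXE provider key, not copied from the project.
Install-WindowsFeature -Name WDS -IncludeManagementTools

# First-time initialisation and the images
wdsutil /Initialize-Server /RemInst:"D:\RemoteInstall"
wdsutil /Add-Image /ImageFile:"D:\Images\boot.wim" /ImageType:Boot
wdsutil /Add-Image /ImageFile:"D:\Images\install.wim" /ImageType:Install /ImageGroup:"Windows Server 2012"

# WDS and DHCP on the same host: WDS must not bind UDP/67 (the "Do not listen on
# DHCP ports" box) and DHCP announces the PXE server through option 60 instead.
wdsutil /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes

# The same switch as a registry value (0 = do not listen on port 67). This is the
# value to set by hand when the service refuses to start after the GUI change.
$pxeKey = "HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE"
Set-ItemProperty -Path $pxeKey -Name UseDhcpPorts -Value 0 -Type DWord
Get-ItemProperty -Path $pxeKey -Name UseDhcpPorts | Select-Object UseDhcpPorts

Restart-Service -Name WDSServer

# Checks: service running, only the DHCP server process owns UDP/67,
# and no fresh 0x2740 (address already in use) events from WDSServer
Get-Service -Name WDSServer | Select-Object Name, Status
Get-NetUDPEndpoint -LocalPort 67 |
    Select-Object LocalAddress, LocalPort, @{n='Process';e={(Get-Process -Id $_.OwningProcess).Name}}
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WDSServer' } -MaxEvents 20 |
    Where-Object { $_.Message -match '0x2740' } | Select-Object TimeCreated, Id, Message
```

Error 0x2740 is the Winsock "address already in use" code; if it still shows up after the change, the service restart did not happen or the registry value is on a different provider key than the one WDS reads.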

17. Create a new virtual machine and install the OS with PXE.

17.1 We need to create a new Generation 1 virtual machine and add a Legacy
Network Adapter.
Then in the BIOS we move the Legacy Network Adapter up so the server can boot from
PXE.
After it boots from PXE we install the OS as usual.
NOTE: Remember, once the OS is installed, to remove the Legacy Network Adapter and
add a network adapter.
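The PXE client VM of step 17 from the Hyper-V module, including the swap back to a synthetic adapter after installation. This is an added example and not part of the original project; it assumes the VM name Client1 and the switch "Ext Switch".

```powershell
# Added example (not from the original project): a Generation 1 VM that boots from PXE.
# Assumptions: VM name Client1, switch "Ext Switch".
$vm = "Client1"

# Generation 1: only it has a BIOS boot order and supports the legacy (emulated) NIC,
# which is what the PXE ROM needs. Created without a NIC; adapters are added below.
New-VM -Name $vm -Generation 1 -MemoryStartupBytes 2024MB -Path "C:\Data\VMs" `
    -NewVHDPath "C:\Data\VMs\$vm\$vm.vhdx" -NewVHDSizeBytes 40GB -NoVMNetworkAdapter ... 
```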
18. The RDS servers will allow Calc and mspaint to be activated as RemoteApps which can
be activated through the Web
18.1 RDS simple deployment: we logged on to Server 2 and added Servers 3, 4 and 5.

18.2 Using the management GUI we select Add Roles and Features and choose Remote
Desktop Services Installation. We select Standard deployment and then we select Session-based desktop deployment.

Now, the wizard asks us to specify the server that will host the RD Connection Broker, which is Server 3 as
shown in the exhibit:

We click Next and then the wizard asks us to specify the host server that the RD Web Access will be
installed on. We just marked Install the RD Web Access role service on the RD Connection Broker
server.

Now we need to select the servers from the server pool on which to install the RD Virtualization Host
role service. We chose Server4 and Server5.

18.3 If this problem is showing it means that there's a pending reboot that won't start.

To solve this we need to go through the Registry to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and delete this value. (We need to do it on both of the servers.) Now just restart the servers and this should work.
18.4 Now we can see in the exhibit below that we got the RD Session Host, which is basically the
servers we connect to. Right-click the RD Session Host and choose Create Session Collection.

It will open up a wizard that will first ask us for the name of our collection:

It will ask us to select the RD Session Hosts from the server pool to add to the collection; we choose both
Servers 4 and 5.

We select the groups that should have access to connect to the collection (Domain Users).
The next option determines whether you want to save the user profiles on a shared folder / disk. For now
we will disable this option.

We click Next, then click Create. Now the session collection is being created.

Now we go to our Collection 1 tab and choose Publish RemoteApp programs,

which will open up a wizard that will allow us to select the programs required:

We click Next and Publish.

Now, we open Internet Explorer and type in the following URL:

https://server3/RDWeb (This is the Web Access we installed earlier.)

Because we have no Certificate Authority you will be prompted with a lot of warnings that the site
is not secure; ignore the warnings and you will be taken to a page from which you can choose to run
Paint or Calculator.
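The deployment, collection and RemoteApp publishing of steps 18.2 to 18.4, plus the pending-reboot cleanup of 18.3, with the RemoteDesktop module. This is an added example and not part of the original project; it assumes the FQDNs server3.kuku.tst, server4.kuku.tst and server5.kuku.tst, the collection name "Collection 1", and PowerShell remoting to the session hosts.

```powershell
# Added example (not from the original project): steps 18.2-18.4 from PowerShell.
# Assumptions: FQDNs server3/4/5.kuku.tst, collection "Collection 1", remoting enabled.
Import-Module RemoteDesktop

$broker = "server3.kuku.tst"
$hosts  = "server4.kuku.tst", "server5.kuku.tst"

# 18.3: a leftover PendingFileRenameOperations value makes the role install report
# a pending reboot that never clears. Check it and remove it before deploying.
Invoke-Command -ComputerName $hosts -ScriptBlock {
    $smKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager"
    if (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $smKey -Name PendingFileRenameOperations
        "$env:COMPUTERNAME: cleared PendingFileRenameOperations, reboot before continuing"
    } else {
        "$env:COMPUTERNAME: nothing pending"
    }
}

# 18.2: standard, session-based deployment; broker and Web Access both on Server 3
New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $broker -SessionHost $hosts

# 18.4: a collection over both hosts, restricted to Domain Users, no user profile disks
New-RDSessionCollection -CollectionName "Collection 1" -SessionHost $hosts -ConnectionBroker $broker
Set-RDSessionCollectionConfiguration -CollectionName "Collection 1" -ConnectionBroker $broker `
    -UserGroup "KUKU\Domain Users"

# Publish Calculator and Paint as RemoteApps visible in RD Web Access
$apps = @{ Calculator = "C:\Windows\System32\calc.exe"; Paint = "C:\Windows\System32\mspaint.exe" }
foreach ($app in $apps.GetEnumerator()) {
    New-RDRemoteApp -CollectionName "Collection 1" -ConnectionBroker $broker `
        -DisplayName $app.Key -FilePath $app.Value -ShowInWebAccess $true
}

# Checks: which server holds which role, and what is published
Get-RDServer -ConnectionBroker $broker | Select-Object Server, Roles
Get-RDRemoteApp -CollectionName "Collection 1" -ConnectionBroker $broker |
    Select-Object DisplayName, FilePath, ShowInWebAccess
# Then browse to https://server3.kuku.tst/RDWeb
```

Get-RDServer is the quick way to confirm the outcome the text describes: Server 3 should list RDS-CONNECTION-BROKER and RDS-WEB-ACCESS, Servers 4 and 5 RDS-RD-SERVER. The certificate warnings in the browser go away once RD Web Access gets a certificate issued by a CA that the clients trust.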

19. WSUS will update the whole network with only one update of your choice
The procedures in this step describe how to:
Save and download information about your upstream server and proxy server.
Choose the language of the updates you want.
Choose the products for which you want to get updates.
Choose the classifications of updates you want.
1. You should have completed configuration of the upstream server and the proxy server in the
configuration wizard, and you should see the Connect to Upstream Server page.
2. Click the Start Connecting button, which will save and upload your settings and get
information about available updates.
3. While the connection is being made, the Stop Connecting button will be available. If there
are problems with the connection, click Stop Connecting, fix the problems, and restart the
connection.
4. After the download has completed successfully, click Next to go to the Choose Languages
page, or select a different page from the left panel.
Choose update languages
1. The Choose Languages page allows you to get updates from all languages or from a subset
of languages. Selecting a subset of languages will save disk space, but it is important to
choose all of the languages that will be needed by all of the clients of this WSUS server.
2. If you choose to get updates for only a few languages, select Download updates only in
these languages, and select the languages for which you want updates. Click Next to go to the
Choose Products page, or select a different page from the left panel.
Choose update products
1. The Choose Products page allows you to specify the products for which you want updates.
2. You may check product categories, such as Windows, or specific products, such as
Windows Server 2003. Selecting a product category will cause all of the products under it to
be selected. Click Next to proceed to the Choose Classifications page, or select a different
page from the left panel.
Choose the update classifications
1. The Choose Classifications page allows you to choose the update classifications you wish
to obtain. You can choose all the classifications or a subset of them.
2. Click Next to proceed to the Configure Sync Schedule page, or select a different page from
the left panel.
Configure the synchronization schedule
1. You will see the Set Sync Schedule page, which allows you to choose whether to perform
synchronization manually or automatically.
2. If you choose to synchronize manually on this server, you will have to initiate the
synchronization process from the WSUS administration console.
3. If you choose to synchronize automatically, the WSUS server will synchronize at specified
intervals. Set the time of the first synchronization and specify the number of synchronizations
per day you wish this server to perform. For example, if you specify that there should be four
synchronizations a day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00
A.M., 3:00 P.M., and 9:00 P.M.
After you have completed all of the above configuration steps, select the Finished page in the
configuration wizard. You can launch the WSUS Administration console by leaving the Launch
the Windows Server Update Services Administrations snap-in check box selected, and you can
start the first synchronization by leaving the Begin initial synchronization check box selected.
Note
You cannot save configuration changes that are made while the server is synchronizing. Wait
until synchronization is finished to make your changes.
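What the requirement actually asks for, one chosen update approved for every computer and the clients pointed at the WSUS server, is the part the wizard text above does not cover. The block below is an added example and not part of the original project; it assumes WSUS runs on Server 1 and answers at http://server1.kuku.tst:8530, that the update is picked by a substring of its title (the placeholder KB0000000), and the GPO name WSUS-Clients.

```powershell
# Added example (not from the original project): approve one update and point
# the domain's clients at WSUS. Assumptions: WSUS on server1.kuku.tst:8530,
# title filter "KB0000000" is a placeholder, GPO name WSUS-Clients.
Import-Module UpdateServices, GroupPolicy

# --- On the WSUS server: pick exactly one unapproved update and approve it for Install ---
$titleFilter = "KB0000000"   # placeholder: part of the chosen update's title
$update = Get-WsusUpdate -Classification All -Approval Unapproved -Status Any |
    Where-Object { $_.Update.Title -like "*$titleFilter*" } |
    Select-Object -First 1
if (-not $update) { throw "No unapproved update matching '$titleFilter' was found" }
$update | Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"

# --- Client side: a domain-linked GPO (Computer Configuration > Policies >
#     Administrative Templates > Windows Components > Windows Update) ---
$gpo   = "WSUS-Clients"
$wsus  = "http://server1.kuku.tst:8530"
$wuKey = "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"
New-GPO -Name $gpo | New-GPLink -Target "DC=kuku,DC=tst" -LinkEnabled Yes | Out-Null
# "Specify intranet Microsoft update service location"
Set-GPRegistryValue -Name $gpo -Key $wuKey -ValueName WUServer       -Type String -Value $wsus | Out-Null
Set-GPRegistryValue -Name $gpo -Key $wuKey -ValueName WUStatusServer -Type String -Value $wsus | Out-Null
Set-GPRegistryValue -Name $gpo -Key "$wuKey\AU" -ValueName UseWUServer  -Type DWord -Value 1 | Out-Null
# "Configure Automatic Updates": enabled, option 4 = auto download and schedule install
Set-GPRegistryValue -Name $gpo -Key "$wuKey\AU" -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpo -Key "$wuKey\AU" -ValueName AUOptions    -Type DWord -Value 4 | Out-Null

# Checks: the approval list holds the one update, and clients have reported in
Get-WsusUpdate -Classification All -Approval Approved -Status Any |
    Select-Object @{n='Title';e={$_.Update.Title}}, Approved
Get-WsusComputer | Select-Object FullDomainName, LastReportedStatusTime, IPAddress
```

On a client, wuauclt /detectnow (or Windows Update's "Check for updates") makes it contact the server right away; it then appears in Get-WsusComputer and only the single approved update is offered to it.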
20. Server 3 will hold a website with a picture of your choice.
20.1 We open IIS Manager (not the 6.0 one) and go to the following path as shown in the exhibit:

Now, open Internet Explorer and type the following URL: https://server3.kuku.tst.
This is our web site.

20.2 To change the picture in there we can go to C:\inetpub\wwwroot, where we can see two files: a
PNG image called iis-85 and an HTML file called iisstart.
The first way we can change the picture of our website is to edit the picture or replace it with a new picture.
The second way is to open iisstart with Notepad and change the values that the HTML file has.

21. Server3 will divide the sessions of server 4 and server 5 equally.
The RD Broker does that by default.
Remote Desktop Connection Broker (RD Connection Broker), formerly Terminal Services Session
Broker (TS Session Broker), is a role service that provides the following functionality:

Allows users to reconnect to their existing sessions in a load-balanced RD Session Host server
farm. This prevents a user with a disconnected session from being connected to a different
RD Session Host server in the farm and starting a new session.

Enables you to evenly distribute the session load among RD Session Host servers in a load-balanced RD Session Host server farm.

Provides users access to virtual desktops hosted on RD Virtualization Host servers and to
RemoteApp programs hosted on RD Session Host servers through RemoteApp and Desktop
Connection.

Kuku Backup Policy


Purpose

Documentation of Backup infrastructure, Backup and Recovery policy.


Introduction
Kuku Ltd is a growing architecture company based in lev Hagalil.
With the recent growth of the company the backup strategy was revisited.
Scope
The service was designed around the disaster recovery and archiving needs of the company.
The data backups cover all systems managed by the IT department. Data held and managed on local
user systems (PC/laptops/tablets/mobile) are not covered.
Every user is instructed to keep any business-critical data on the local network drives
provided by the IT team.
All staff are reminded that they are individually responsible for data held locally on their
devices.

Backup Policy
Full backups of Kuku Ltd are performed weekly and retained for 4 months on a disk-based storage
system before being overwritten.
Incremental backups are performed daily and retained for 1 month on a disk-based storage system before
being overwritten; this ensures a faster restore time in case data is deleted or corrupted.
Backups are to run nightly unless specified otherwise.
Backups must be manually restored and checked at least once every 6 months.
Backups are replicated to the DR site.
