Microsoft Official Course
20410A: Installing and Configuring Windows Server® 2012
Welcome!
Thank you for taking our training. We’ve worked together with our Microsoft Certified
Partners for Learning Solutions and Microsoft IT Academies to bring you a world-class
learning experience, including:
Microsoft Certified Trainers + Instructors. Your instructor is a premier technical and
instructional expert who meets ongoing certification requirements.
Customer Satisfaction Guarantee. Our Certified Partners for Learning Solutions offer a
satisfaction guarantee and we hold them accountable for it. At the end of class, please
complete an evaluation of today’s experience. We value your feedback!
Certification Exam Benefits. After training, consider taking a Microsoft Certification exam.
Independent research by IDC concluded that 75% of managers believe certifications are
important to team performance*. Ask your instructor about available exam promotions
and discounts.
We wish you a great learning experience and ongoing career success!
* IDC, Value of Certification: Team Certification and Organizational Performance, November 2006
Introduction
• Name
• Company affiliation
• Title/function
• Job responsibility
• Windows 8 experience
• Your expectations for the course
Course Material
Course Handbook
• A succinct classroom learning guide that provides critical technical
  information to optimize your in-class learning experience.
• Contents: Module Content, Labs, Module Reviews and Takeaways, Lab Answer Keys
Course Companion Content on the http://www.microsoft.com/learning/companionmoc website
• Searchable, easy-to-navigate digital content with integrated premium
  on-line resources designed to supplement the Course Handbook.
• Contents: Supplemental Course Content, Student Course Files
Student Course Files required for the labs and demonstrations.
http://www.microsoft.com/learning/
How to Use the Course Material
Course Handbook
• Use the handbook content as the primary resource for reference during the class.
• Use the troubleshooting tips and best practices in the Module Reviews and
  Takeaways section as on-the-job references.
In this version of the Courseware on Prerelease Software (Windows 8 Release
Preview and Windows Server 2012 Release Candidate (RC)):
• The course content and labs on features that are not included or complete
  in the prerelease software may be missing or incomplete.
• The Office PowerPoint slides may have fewer graphics or animations that
  visually aid in illustrating the key learning points.
• The course may contain typographical errors and other minor editorial issues.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc website
• Use the Companion Content as your extended learning resource on the job.
For this version of the Courseware on Prerelease Software (Windows 8 Release
Preview and Windows Server 2012 Release Candidate (RC)):
• The Companion Content will be published when the next (B) version of the
  course is released.
• Students who attend the current class can download the Companion Content
  when the next (B) version of the course is released.
http://www.microsoft.com/learning/
Facilities
• Class hours
• Building hours
• Parking
• Restrooms
• Meals
• Phones
• Messages
• Smoking
• Recycling
Microsoft Learning Program
• 20410A: Installing and Configuring Windows Server® 2012
• 20411A: Administering Windows Server® 2012
• 20412A: Configuring Advanced Windows Server® 2012 Services
http://www.microsoft.com/learning/
Microsoft Certification Program
Exam number and title: 70-410: Installing and Configuring Windows Server® 2012
Core exam for the following track: Microsoft Certified Solutions Associate (MCSA)
Elective exam for the following track: (none)
http://www.microsoft.com/learning/
About This Course
Audience
• The primary audience for this course is Information
 Technology (IT) Professionals who have good Windows
 operating system knowledge and experience and want
 to acquire the skills and knowledge necessary to
 implement the core infrastructure services in an
 existing Windows Server 2012 environment.
• The secondary audience consists of those seeking
 certification in the 70-410, Installing and Configuring
 Windows Server 2012 exam.
About This Course
• Course Prerequisites
Before attending this course, students must have:
• A good understanding of networking fundamentals
• An understanding and experience configuring security and
  administration tasks in an Enterprise environment
• Experience supporting or configuring Windows clients
• Good hands-on Windows Client experience with Windows Vista,
  Windows 7, or Windows 8.
Students would benefit from having some previous Windows Server
experience.
About This Course
• Course Objectives
After completing this course, students will be able to:
  •   Install and configure Windows Server 2012
  •   Describe Active Directory Domain Services
  •   Manage Active Directory Domain Services objects
  •   Automate Active Directory Domain Services administration
  •   Implement TCP/IPv4
  •   Implement DHCP
  •   Implement DNS
  •   Implement IPv6
  •   Implement local storage
  •   Share files and printers
  •   Implement Group Policy
  •   Use Group Policy objects to secure Windows servers
  •   Implement server virtualization with Hyper-V
Course Outline
• Module 1: Deploying and Managing Windows
            Server 2012
• Module 2: Introduction to Active Directory
            Domain Services
• Module 3: Managing Active Directory Domain
            Services Objects
• Module 4: Automating Active Directory Domain
            Services Administration
• Module 5: Implementing IPv4
• Module 6: Implementing DHCP
Course Outline (continued)
• Module 7: Implementing DNS
• Module 8: Implementing IPv6
• Module 9: Implementing Local Storage
• Module 10: Implementing File and Print Services
• Module 11: Implementing Group Policy
• Module 12: Securing Windows Servers Using
            Group Policy Objects
• Module 13: Implementing Server Virtualization
            with Hyper-V
Introduction to A. Datum Corporation
• In the labs throughout this course, you will
  work for A. Datum Corporation.
• A. Datum has recently deployed a Windows
  Server 2012 infrastructure with Windows 8
  clients. As you complete the labs, you will
  configure this infrastructure.
Virtual Machine Environment
Virtual machine      Used as:
20410A-LON-DC1       A domain controller running Windows Server 2012 in the Adatum.com domain.
20410A-LON-SVR1      A member server running Windows Server 2012 in the Adatum.com domain.
20410A-LON-SVR2      A stand-alone server running Windows Server 2012 that will be used for
                     joining domains and initial configuration.
20410A-LON-SVR3      A blank virtual machine on which students will install Windows Server 2012.
20410A-LON-SVR4      A member server running Windows Server 2012 in the Adatum.com domain.
                     This server will be located on a second subnet.
20410A-LON-HOST1     A bootable VHD for running Windows Server 2012 as the host for Hyper-V.
20410A-LON-CORE      A standalone server running Windows Server 2012 Server Core.
20410A-LON-RTR       A router that is used for network activities that require a separate subnet.
20410A-LON-CL1       A client computer running Windows 8 and Microsoft Office 2010 SP1 in the
                     Adatum.com domain.
20410A-LON-CL2       A client computer running Windows 8 and Office 2010 SP1 in the Adatum.com
                     domain that is located in a second subnet.
Demonstration: Using Hyper-V Manager
In this demonstration, you will learn how to:
• Open Hyper-V Manager
• Navigate the various sections/panes within Hyper-V Manager:
     •   Virtual machines, snapshots, and actions: server-specific and virtual
         machine-specific
•   Identify the virtual machines used in the labs for this course
•   Take a snapshot and apply a snapshot
•   Connect to a virtual machine
•   Start and log on to a virtual machine
•   Switch between the full screen and window modes
•   Revert to the previous snapshot
•   Shut down a virtual machine
      • Understand the difference between shut down and turn off
•   Close Hyper-V Manager
Microsoft Official Course
Module 1: Deploying and Managing Windows Server 2012
Module Overview
• Windows Server 2012 Overview
• Overview of Windows Server 2012 Management
• Installing Windows Server 2012
• Post-Installation Configuration of Windows Server
  2012
• Introduction to Windows PowerShell
Lesson 1: Windows Server 2012 Overview
• On Premises Servers
• What Is Cloud Computing?
• Options for Windows Server 2012
• What Is Server Core?
• Windows Server 2012 Roles
• What Are the Features of Windows Server 2012?
On Premises Servers
[Figure: on-premises servers providing resources to clients]
What Is Cloud Computing?
Types of cloud services:
   • IaaS
   • PaaS
   • SaaS
Public clouds have multiple tenants
Private clouds have a single tenant:
    • Is usually on premises
    • Is highly automated
    • Uses System Center 2012 to provide automation
      and self-service
    • Requires minimal direct configuration once it is set
      up
Options for Windows Server 2012
Windows Server 2012 editions:
  • Windows Server 2012 Standard edition
  • Windows Server 2012 Enterprise edition
  • Windows Server 2012 Datacenter edition
  • Windows Server 2012 Foundation edition
  • Windows Web Server 2012 edition
  • Windows Server 2012 HPC edition
What Is Server Core?
 Server Core
  • Is a more secure, less resource-intensive installation
    option
  • Can be converted to the full version of Windows
    Server 2012
  • Is the default installation option for Windows Server
    2012
  • Is managed locally using sconfig.cmd
  • If you enable remote management:
      • You will rarely need to log on locally
      • You may not miss the graphic user interface
Windows Server 2012 Roles
 Functions:
  • Web Server
  • Domain Controller
  • Certificate Server
 Roles are:
  • Made up of role services components that provide
    additional functionality associated with the role
  • Grouped in the Server Manager console: servers with a
    similar role are grouped together
  • Deployed together with the configuration of their
    dependencies
What Are the Features of Windows Server 2012?
 Features:
  • Are components that support the server such as
    Windows Server Backup or Failover clustering
  • Usually do not provide a service directly to clients on
    the network
 Keep in mind the following points:
  • Roles can have features as dependencies
  • Features on demand are features whose payload has been
    removed and that must be installed using a mounted image
    as the source
Lesson 2: Overview of Windows Server 2012
Management
• What Is Server Manager?
• Administrative Tools
• Demonstration: Using Server Manager
• Configuring Services
• Configuring Remote Management
What Is Server Manager?
 You can use Server Manager to:
  • Manage multiple servers on a network
    from one console
  • Add roles and features
  • Launch Windows PowerShell sessions
  • View events
  • Perform server configuration tasks
Administrative Tools
     Administrative tools:
       •   Active Directory Administrative Center
       •   Active Directory Users and Computers
       •   DNS console
       •   Event Viewer
       •   Group Policy Management
       •   IIS Manager
       •   Performance Monitor
       •   Resource Monitor
       •   Task Scheduler
Demonstration: Using Server Manager
In this demonstration, you will see how to:
• Log on to Windows Server 2012 and view the Windows Server
 2012 desktop
• Add a feature by using the Add Roles and Features Wizard
• View role-related events
• Run the Best Practice Analyzer for a role
• List the tools available from Server Manager
• Restart Windows Server 2012
Configuring Services
Configuring Remote Management
When deciding to use Remote Management, consider
that:
  • You are more likely to manage a server remotely
      than by locally logging on
  • Remote Management allows you to use consoles,
    command-line utilities, or Windows PowerShell to
    perform remote management tasks
  • Remote Desktop allows you to log on to a server
    locally, from across the network
Lesson 3: Installing Windows Server 2012
• Installation Methods
• Installation Types
• Hardware Requirements for Windows Server 2012
• Installing Windows Server 2012
Installation Methods
       Windows Server 2012 deployment method
                  options include:
       Optical disk                 USB
                                    media
                        Windows
                       Deployment
                        Services
Installation Types
Hardware Requirements for Windows Server 2012
Windows Server 2012 has the following minimum
hardware requirements:
  • Processor architecture   x86-64
  • Processor speed          1.4 GHz
  • Memory (RAM)             512 MB
  • Hard disk drive space    32 GB
     • More hard disk drive space is needed if the
       server has more than 16 GB of RAM
Installing Windows Server 2012
Lesson 4: Post-Installation Configuration of Windows Server 2012
• Overview of Post-Installation Configuration
• Configuring Server Network Settings
• How to Join the Domain
• Performing Offline Domain Join
• Activating Windows Server 2012
• Configuring a Server Core Installation
Overview of Post-Installation Configuration
Configuring Server Network Settings
How to Join the Domain
Information necessary for a
domain join:
 • Domain name
 • Account with
   permission to join
   computer to domain
Performing Offline Domain Join
Process for performing an offline join:
 1. If the user who is performing the offline domain join is not an
    administrator, then appropriate rights must be delegated
 2. To provision the computer account object and create the binary file,
    run djoin on the domain controller
 3. Transfer the binary file with domain information to the client
    computer's hard disk drive
 4. To load the binary file, run djoin on the destination computer
 5. Restart the client computer
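The five steps above, scripted end to end. This is an added example and is not part of the course slides or lab files; it assumes the domain adatum.com, a new server named LON-SVR2, a blob path under C:\Temp and removable media for the transfer, all of which are placeholders.

```powershell
# Added example (not from the course slides): offline domain join with djoin.
# Assumptions: domain adatum.com, new computer LON-SVR2, blob kept under
# C:\Temp, transfer by removable media. All names are placeholders.

# --- Step 2: on the domain controller (or a computer with rights to create
# computer objects), provision the account and write the join blob.
$Domain   = 'adatum.com'
$Machine  = 'LON-SVR2'
$BlobPath = 'C:\Temp\LON-SVR2-odj.txt'

djoin.exe /provision /domain $Domain /machine $Machine /savefile $BlobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob carries the new machine account password, so treat it as a
# credential: strip inherited ACEs and leave only Administrators on it.
icacls.exe $BlobPath /inheritance:r /grant:r 'BUILTIN\Administrators:(F)'

# --- Step 3: copy the blob to the destination computer out of band
# (removable media in this example); it should never sit on a public share.

# --- Step 4: on the destination computer, which is still a workgroup member,
# load the blob into the running operating system (/localos).
djoin.exe /requestodj /loadfile $BlobPath /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }

# --- Step 5: the blob is no longer needed; remove it, then restart to
# complete the join.
Remove-Item -Path $BlobPath -Force
Restart-Computer
```

The first `djoin.exe` call runs on the domain controller and the second on the target computer; the script is split in two in practice, with only the blob travelling between them. Keeping the blob's lifetime short and its ACL tight matters because anyone who can read it can join a computer under that account.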
Activating Windows Server 2012
Configuring a Server Core Installation
Lesson 5: Introduction to Windows PowerShell
• What Is Windows PowerShell?
• Windows PowerShell Cmdlet Syntax
• Common Cmdlets for Server Administration
• What Is Windows PowerShell ISE?
• Demonstration: Using Windows PowerShell ISE
• Demonstration: Using Windows PowerShell
What Is Windows PowerShell?
Windows PowerShell Cmdlet Syntax
Windows PowerShell Cmdlet Syntax:
 • Get-Help -Noun NounName
 • Get-Help -Verb VerbName
 • Help CmdletName
 • Get-Command
Common Cmdlets for Server Administration
• Service Cmdlets
   • Use the Service noun
• Event Log Cmdlets
   • Use the Eventlog noun
• Process Cmdlets
   • Use the Process noun
• ServerManager Module
   • Allows the WindowsFeature noun
What Is Windows PowerShell ISE?
Demonstration: Using Windows PowerShell ISE
In this demonstration, you will see how to:
• Use Windows PowerShell ISE to import the
  ServerManager module
• View the cmdlets made available in the ServerManager
  Module
• Use the Get-WindowsFeature cmdlet from Windows
  PowerShell ISE
Demonstration: Using Windows PowerShell
In this demonstration, you will see how to use
Windows PowerShell to view:
• Running services
• All service-related commands
• All running processes
• All process-related commands
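The cmdlet syntax and the Service, EventLog, Process and WindowsFeature nouns from Lesson 5, applied to a short server check. This is an added example rather than the course's demonstration script; it assumes a Windows Server 2012 host with the ServerManager module available and an elevated session (the Security log needs it). The service name WinRM and event ID 4625 are standard Windows values.

```powershell
# Added example (not from the course slides): server administration with the
# nouns covered in Lesson 5. Assumes an elevated session on Windows Server 2012.

# Discover cmdlets by noun or verb, then read the help for one of them.
Get-Command -Noun Service                     # all *-Service cmdlets
Get-Command -Verb Restart                     # everything that can Restart
Get-Help Get-Service -Examples                # usage examples for a cmdlet

# Service noun: list running services, then make sure the service that
# remote management depends on (WinRM) is running.
Get-Service | Where-Object { $_.Status -eq 'Running' } |
    Sort-Object DisplayName | Format-Table Name, DisplayName -AutoSize

$winrm = Get-Service -Name WinRM
if ($winrm.Status -ne 'Running') { Start-Service -Name WinRM }

# EventLog noun: the 20 newest errors in the System log, and a count of
# failed logons (event ID 4625) in the Security log over the last day.
Get-EventLog -LogName System -EntryType Error -Newest 20 |
    Format-Table TimeGenerated, Source, EventID, Message -AutoSize -Wrap

$failedLogons = @(Get-EventLog -LogName Security -After (Get-Date).AddDays(-1) |
    Where-Object { $_.EventID -eq 4625 })
"Failed logons in the last 24 hours: $($failedLogons.Count)"

# Process noun: the five processes using the most memory.
Get-Process | Sort-Object WorkingSet64 -Descending |
    Select-Object -First 5 Name, Id, WorkingSet64

# WindowsFeature noun (ServerManager module): installed roles and features,
# which is the list to compare against what the server is supposed to run.
Import-Module ServerManager
Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName
```

Each block stands alone, so the individual lines can be pasted into Windows PowerShell ISE one at a time, as in the demonstrations.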
Lab: Deploying and Managing Windows Server
2012
• Exercise 1: Deploying Windows Server 2012
• Exercise 2: Configuring Windows Server 2012 Server
  Core
• Exercise 3: Managing Servers
• Exercise 4: Using Windows PowerShell to Manage
  Servers
Logon Information
Virtual Machine             20410A-LON-DC1
                            20410A-LON-SVR3
                            20410A-LON-CORE
User Name                   Adatum\Administrator
Password                    Pa$$w0rd
Estimated Time: 40 minutes
Lab Scenario
• A. Datum is a global engineering and manufacturing company with a
  head office based in London, England. An IT office and a data center
  are located in London to support the London location and other
  locations. A. Datum has recently deployed a Windows Server 2012
  infrastructure with Windows 8 clients.
• You have been working for A. Datum for several years as a desktop
  support specialist. In this role, you visited desktop computers to
  troubleshoot application and network problems. You have recently
  accepted a promotion to the server support team. As a new member
  of the team you help to deploy and configure new servers and services
  into the existing infrastructure based on the instructions given to you
  by your IT manager.
• The marketing department has purchased a new web-based
  application. You need to install and configure the servers for this
  application in the data center. One server has a graphic interface and
  the second server is configured as Server Core.
Lab Review
• What IP address range is used by the computers in
  the lab?
• Why must you set the DNS server address prior to
  joining the domain?
• Besides sconfig.cmd, what other tool can you use
  to rename a computer running the Server Core
  operating system?
Module Review and Takeaways
• Review Questions
• Common Issues and Troubleshooting Tips
Microsoft Official Course
Module 2: Introduction to Active Directory Domain Services
Module Overview
• Overview of AD DS
• Overview of Domain Controllers
• Installing a Domain Controller
Lesson 1: Overview of AD DS
• Overview of AD DS
• AD DS Domains
• What are OUs?
• What Is an AD DS Forest?
• What Is the AD DS Schema?
Overview of AD DS
 AD DS is composed of both physical and logical components
 Physical Components:
  • Data store
  • Domain controllers
  • Global catalog server
  • Read-Only Domain Controller (RODC)
 Logical Components:
  • Partitions
  • Schema
  • Domains
  • Domain trees
  • Forests
  • Sites
  • Organizational units (OUs)
AD DS Domains
• AD DS requires one or more domain controllers
• All domain controllers hold a copy of the domain
  database, which is continually synchronized
• The domain is the context within which Users, Groups,
  and Computers are created
• “Replication boundary”
• An administrative center for configuring and managing objects
• Any domain controller can authenticate any logon in the domain
What are OUs?
• Organizational Units
  • Objects
     • Users
     • Computers
  • OUs
     • Containers that can be used
       to group objects within a
       domain
     • Create OUs to:
          • Delegate administrative
            permissions
          • Apply Group Policy
What Is an AD DS Forest?
[Figure: a forest whose forest root domain is adatum.com, with the child
domain atl.adatum.com beneath it and fabrikam.com as a separate tree root
domain in the same forest]
What Is the AD DS Schema?
The Active Directory Schema acts as a blueprint for AD DS by
defining the following Attributes and Object classes:
 • Attributes
     • objectSID
     • sAMAccountName
     • location
     • manager
     • department
 • Classes
     • User
     • Group
     • Computer
     • Site
Lesson 2: Overview of Domain Controllers
• What Is a Domain Controller?
• What Is the Global Catalog?
• The AD DS Logon Process
• Demonstration: Viewing the SRV Records in DNS
• What Are Operations Masters?
What Is a Domain Controller?
Domain Controllers
 • Servers that perform the AD DS role:
    • Host the Active Directory database (NTDS.DIT) and
      SYSVOL
      (replicated between domain controllers)
    • Kerberos KDC service performs authentication
    • Other Active Directory services
 • Best practices:
    • Availability: At least two in a domain
    • Security: Server Core, RODC and BitLocker
What Is the Global Catalog?
• Global catalog:
   • Hosts a partial attribute set for other domains in the forest
   • Supports queries for objects throughout the forest
[Figure: domain controllers in Domain A and Domain B each hold the Schema,
Configuration, and their own domain partition; the global catalog server in
Domain A additionally holds a partial copy of Domain B]
The AD DS Logon Process
The AD DS Logon Process (client, domain controller DC1, workstation WKS1,
server SVR1):
1. User Account is authenticated to DC1
2. DC returns Ticket Granting Ticket (TGT) back to client
3. Client uses TGT to apply for access to WKS1
4. DC grants access to WKS1
5. Client uses TGT to apply for access to SVR1
6. DC returns access to SVR1
Demonstration: Viewing the SRV Records in DNS
• In this demonstration, you will see how to use
 DNS Manager to view SRV records
What Are Operations Masters?
• In any multimaster replication topology, some operations
  must be single master
• Many terms are used for single master operations in AD DS
  • Operations master (or operations master roles)
  • Single master roles
  • Operations tokens
  • FSMOs
• Roles
  • Forest
    • Domain naming
    • Schema
  • Domain
    • RID
    • Infrastructure
    • PDC Emulator
Lesson 3: Installing a Domain Controller
• Installing a Domain Controller by Using a GUI
• Installing a Domain Controller on a Server Core
  Installation of Windows Server 2012
• Upgrading a Domain Controller
• Installing a Domain Controller by Using IFM
Installing a Domain Controller by Using a GUI
Installing a Domain Controller on a Server Core
Installation of Windows Server 2012
Use the dcpromo /unattend:"D:\answerfile.txt" command to
perform the unattended installation. The following is an
example of text from the answer file:
  [DCINSTALL]
  UserName=<The administrative account in the domain of the new domain controller>
  UserDomain=<The name of the domain of the new domain controller>
  Password=<The password for the UserName account>
  SiteName=<The name of the AD DS site in which this domain controller will reside>
  This site must be created in advance in the Dssites.msc snap-in.
  ReplicaOrNewDomain=replica
  ReplicaDomainDNSName=<The fully qualified domain name (FQDN) of the domain in
  which you want to add an additional domain controller>
  DatabasePath="<The path of a folder on a local volume>"
  LogPath="<The path of a folder on a local volume>"
  SYSVOLPath="<The path of a folder on a local volume>"
  InstallDNS=yes
  ConfirmGC=yes
  SafeModeAdminPassword=<The password for an offline administrator account>
  RebootOnCompletion=yes
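The same settings expressed with the Windows Server 2012 ADDSDeployment module, which is what Server Manager itself drives. This is an added example, not the course's lab procedure; it assumes the target is a Server Core member of adatum.com, that an AD DS site named LondonHQ already exists, and that the D:\ paths are placeholders. The comment block maps each answer-file key above to its parameter.

```powershell
# Added example (not from the course slides): promoting a Server Core member
# server with the ADDSDeployment module instead of a dcpromo answer file.
# Assumptions: domain adatum.com, existing site LondonHQ, placeholder paths.

# The module is installed with the AD DS role binaries.
Import-Module ServerManager
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Prompt for the secrets rather than storing them in a file: the answer file
# above holds Password and SafeModeAdminPassword in clear text.
$cred    = Get-Credential -Message 'Account permitted to add a domain controller'
$dsrmPwd = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Answer-file key                 -> parameter
#   UserName/UserDomain/Password  -> -Credential
#   SiteName                      -> -SiteName
#   ReplicaDomainDNSName          -> -DomainName
#   DatabasePath/LogPath/SYSVOLPath -> -DatabasePath/-LogPath/-SysvolPath
#   InstallDNS=yes                -> -InstallDns
#   ConfirmGC=yes                 -> default (use -NoGlobalCatalog to opt out)
#   SafeModeAdminPassword         -> -SafeModeAdministratorPassword
#   RebootOnCompletion=yes        -> default (use -NoRebootOnCompletion to opt out)
$params = @{
    DomainName                    = 'adatum.com'
    Credential                    = $cred
    SiteName                      = 'LondonHQ'
    InstallDns                    = $true
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPwd
}

# Prerequisite check first (makes no changes), then the promotion itself.
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message
if ($check.Status -eq 'Success') {
    Install-ADDSDomainController @params -Force
}
```

Splatting the same hashtable into the Test- and Install- cmdlets guarantees the prerequisite check is run against exactly the settings that will be applied.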
Upgrading a Domain Controller
Options to upgrade AD DS to Windows Server 2012:
  • In place upgrade (from Windows Server 2008 or Windows
    Server 2008 R2)
    • Benefit: Except for the prerequisite checks, all the files and
      programs stay in place and there is no additional work
      required
    • Watch for: May leave legacy files and DLLs
  • Introduce a new Windows Server 2012 server into the domain
    and promote it to be a DC
    • This option is usually the preferred choice
    • Good: Provides a new server with no accumulated files and
      settings
    • To watch for: May need additional work to migrate users’ files
      and profile settings
  • Both options require that the schema is at the Windows Server
    2012 level
Installing a Domain Controller by Using IFM
Lab: Installing Domain Controllers
• Exercise 1: Installing a Domain Controller
• Exercise 2: Installing a domain controller by using IFM
Logon Information
Virtual Machines                20410A-LON-DC1 (start first)
                                20410A-LON-SVR1
                                20410A-LON-RTR
                                20410A-LON-SVR2
User Name                       adatum\administrator
Password                        Pa$$w0rd
Estimated Time: 60 minutes
Lab Scenario
• A. Datum is a global engineering and manufacturing
  company with a head office based in London, England. An
  IT office and a data center are located in London to
  support the London location and other locations.
• A. Datum has recently deployed a Windows Server 2012
  infrastructure with Windows 8 clients.
• You have been asked by your manager to install a new
  domain controller in the data center to improve logon
  performance.
• You have been asked also to create a new domain
  controller for a branch office by using IFM.
Lab Review
• Why did you use Server Manager and not
  dcpromo.exe when you promoted a server to be
  a domain controller?
• What are the three operations masters found in
  each domain?
• What are the two operations masters that are
  present in a forest?
• What is the benefit of performing an IFM install of
  a domain controller?
Module Review and Takeaways
• Review Questions
Microsoft Official Course
Module 3: Managing Active Directory Domain Services Objects
Module Overview
• Managing User Accounts
• Managing Group Accounts
• Managing Computer Accounts
• Delegating Administration
Lesson 1: Managing User Accounts
• AD DS Administration Tools
• Creating User Accounts
• Configuring User Account Attributes
• Creating User Profiles
• Creating User Accounts with User Account
  Templates
• Demonstration: Managing User Accounts by Using
  Active Directory Users and Computers
AD DS Administration Tools
To manage AD DS objects, you can use the following graphical
tools:
    • Active Directory Administration snap-ins
    • Active Directory Administrative Center
You can also use the following command-line tools:
    • Active Directory Module in Windows PowerShell
    • Directory Service commands
Creating User Accounts
Configuring User Account Attributes
Creating User Profiles
Creating User Accounts with User Account
Templates
A user account template is an account with
common properties that are already configured
User account templates take advantage of similarity
between user accounts
You can create new user accounts by creating user account
templates:
  •   Create several typical users that reflect various groups
      within your organization
  •   Copy the user account that is the most similar to the new
      account that you want to create
  •   Modify the account attributes such as name, email
      address, and logon name
Demonstration: Managing User Accounts by
Using Active Directory Users and Computers
In this demonstration, you will see how to:
• Open Active Directory Users and Computers
• Delete a user account
• Create a template account
• Create a new user account from a template
• Modify the user account properties
• Rename the user account
• Move the user account
Lesson 2: Managing Group Accounts
• Group Types
• Group Scopes
• Implementing Group Management
• Default Groups and Special Identities
• Demonstration: Managing Groups
Group Types
• Distribution groups
  • Used only with email applications
  • Not security-enabled (no SID);
    cannot be given permissions
• Security groups
   • Security principal with an SID;
     can be given permissions
   • Can also be email-enabled
Group Scopes
Group scope    Members from same domain         Members from domain    Members from trusted   Can be assigned
                                                in same forest         external domain        permissions to resources
Local          U, C, GG, DLG, UG, local users   U, C, GG, UG           U, C, GG               On the local computer only
Domain Local   U, C, GG, DLG, UG                U, C, GG, UG           U, C, GG               Anywhere in the domain
Universal      U, C, GG, UG                     U, C, GG, UG           N/A                    Anywhere in the forest
Global         U, C, GG                         N/A                    N/A                    Anywhere in the domain or
                                                                                              a trusted domain
Key: U = User, C = Computer, GG = Global Group, DLG = Domain Local Group, UG = Universal Group
Implementing Group Management
• Identities (users or computers) are members of
• Global groups that collect members based on those members' roles,
  which are members of
• Domain Local groups that provide management of some kind, such as
  management of resource access, which are:
• Assigned Access to a resource
• In a multidomain forest: IGUDLA, where U is Universal.
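The IGDLA chain above built with the Active Directory module, plus a check that no user was granted access directly. This is an added example and not part of the course labs; it assumes the domain adatum.com, an OU Groups under it, a share \\LON-SVR1\Sales and a user Adam, all placeholders.

```powershell
# Added example (not from the course slides): IGDLA nesting with the Active
# Directory module. Assumptions: domain adatum.com, OU=Groups, share
# \\LON-SVR1\Sales, user Adam. All names are placeholders.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=adatum,DC=com'

# G: a global group that collects identities by role.
New-ADGroup -Name 'Sales Staff' -SamAccountName 'SalesStaff' `
    -GroupScope Global -GroupCategory Security -Path $groupOU `
    -Description 'Role group: members of the sales department'

# DL: a domain local group that stands for one kind of access to one resource.
New-ADGroup -Name 'ACL_Sales_Modify' -SamAccountName 'ACL_Sales_Modify' `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupOU `
    -Description 'Resource group: Modify on \\LON-SVR1\Sales'

# I -> G -> DL: identities join the role group; the role group joins the
# resource group. No user is ever placed in the ACL directly.
Add-ADGroupMember -Identity 'SalesStaff' -Members 'Adam'
Add-ADGroupMember -Identity 'ACL_Sales_Modify' -Members 'SalesStaff'

# A: only the domain local group is assigned access on the resource.
$folder = '\\LON-SVR1\Sales'
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'ADATUM\ACL_Sales_Modify', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verification 1: who actually gets access through the nesting chain.
Get-ADGroupMember -Identity 'ACL_Sales_Modify' -Recursive | Select-Object Name, objectClass

# Verification 2: flag any ACE on the folder that names a user rather than a
# group, which is the usual way the IGDLA model erodes over time.
(Get-Acl -Path $folder).Access | ForEach-Object {
    $sam = $_.IdentityReference.Value.Split('\')[-1]
    $obj = Get-ADObject -Filter { sAMAccountName -eq $sam } -ErrorAction SilentlyContinue
    if ($obj.ObjectClass -eq 'user') { "Direct user ACE found (not IGDLA): $($_.IdentityReference)" }
}
```

Adding a second resource group (for example ACL_Sales_Read with ReadAndExecute) follows the same pattern; access changes then become group-membership changes, which are logged and reviewable, rather than ACL edits on the file server.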
Default Groups and Special Identities
Windows Server provides two additional groups:
 • Default groups
     • The default groups that provide administrative privileges should
       be managed carefully:
         • They typically have broader privileges than are necessary for
           most delegated environments
         • They often apply protection to their members
 • Special identities
     • Groups for which membership is controlled by the operating
       system
     • The importance of these special identities is that you can use
       them to provide access to resources based on the type of
       authentication or connection, rather than the user account
Demonstration: Managing Groups
In this demonstration, you will see how to:
• Create a new group
• Add members to the group
• Add a user to the group
• Change the group type and scope
Lesson 3: Managing Computer Accounts
• What Is the Computers Container?
• Specifying the Location of Computer Accounts
• Controlling Permissions to Create Computer
  Accounts
• Computer Accounts and Secure Channels
• Resetting the Secure Channel
What Is the Computers Container?
Specifying the Location of Computer Accounts
• Best practice is to create OUs for
 computer objects
  • Servers
      • Typically subdivided by server role
  • Client computers
      • Typically subdivided by region
• Divide OUs:
  • By administration
  • To facilitate configuration with Group
    Policy
Controlling Permissions to Create Computer
Accounts
Computer Accounts and Secure Channels
• Computers have accounts
  • sAMAccountName and password
  • Used to create a secure channel between the computer and
    a domain controller
• Scenarios where a secure channel can be broken
  • Reinstalling a computer, even with same name, generates a
    new SID and password
  • Restoring a computer from an old backup, or rolling back a
    computer to an old snapshot
  • Computer and domain disagree about what the password is
Resetting the Secure Channel
• Do not simply remove a computer from the
 domain and rejoin
  •   Creates new account: new SID, lost group memberships
• Options for resetting the secure channel
  • Active Directory Users and Computers
  • DSMod
  • NetDom
  • NLTest
  • Windows PowerShell
Lesson 4: Delegating Administration
• AD DS Permissions
• Effective AD DS Permissions
• Demonstration: Delegating Administrative Control
AD DS Permissions
Effective AD DS Permissions
Permissions assigned to you and your groups are cumulative
Best practice is to assign permissions to groups, not to
individual users
In the event of conflicts:
   • Deny permissions override Allow permissions
   • Explicit permissions override Inherited permissions
       • Explicit Allow overrides Inherited Deny
To evaluate effective permissions, you can use:
   • The Effective Permissions tab
   • Manual analysis
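To see how these three rules combine, here is an added example (not from the course) that walks a constructed DACL in the canonical order Windows uses; the OU, the group names and the rights are assumptions.

```powershell
# Added example (not from the course): applies this slide's precedence rules to a
# constructed ACL the way Windows evaluates a canonically ordered DACL. The OU,
# groups and rights are made up; the walk itself is the standard access check.

# Rights as bit flags so that one ACE can carry several at once.
$Right = @{ ReadProperty = 1; WriteProperty = 2; CreateChild = 4; DeleteChild = 8 }

function New-Ace {
    param([string]$Trustee, [ValidateSet('Allow', 'Deny')][string]$Type,
          [int]$Mask, [switch]$Inherited)
    [pscustomobject]@{ Trustee = $Trustee; Type = $Type; Mask = $Mask; Inherited = [bool]$Inherited }
}

# Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
# Sorting on two booleans reproduces it ($false sorts before $true).
function Get-CanonicalAcl {
    param([object[]]$Acl)
    $Acl | Sort-Object -Property @{ Expression = { $_.Inherited } },
                                 @{ Expression = { $_.Type -eq 'Allow' } }
}

function Test-EffectiveAccess {
    param([object[]]$Acl, [string]$User, [string[]]$Groups, [int]$Requested)
    $token = @($User) + $Groups        # permissions cumulate over the user and all groups
    $remaining = $Requested
    foreach ($ace in (Get-CanonicalAcl $Acl)) {
        if ($token -notcontains $ace.Trustee) { continue }
        if ($ace.Type -eq 'Deny') {
            # a Deny that covers any right not yet granted ends the evaluation
            if (($ace.Mask -band $remaining) -ne 0) { return $false }
        }
        else {
            # an Allow removes its rights from what is still needed; once nothing
            # remains, later ACEs (including inherited Denies) are never reached
            $remaining = $remaining -band (-bnot $ace.Mask)
            if ($remaining -eq 0) { return $true }
        }
    }
    return $false                      # some requested right was never allowed
}

# Constructed DACL on ou=Branch: explicit entries set on the OU itself,
# inherited entries coming from the domain.
$branchAcl = @(
    (New-Ace -Trustee 'Helpdesk'            -Type Allow -Mask ($Right.CreateChild -bor $Right.DeleteChild))
    (New-Ace -Trustee 'Helpdesk'            -Type Deny  -Mask $Right.DeleteChild)
    (New-Ace -Trustee 'Helpdesk'            -Type Deny  -Mask $Right.CreateChild  -Inherited)
    (New-Ace -Trustee 'Authenticated Users' -Type Allow -Mask $Right.ReadProperty -Inherited)
)

$bob = @{ User = 'Bob'; Groups = @('Helpdesk', 'Authenticated Users') }
# DeleteChild:   explicit Deny is reached before the explicit Allow, so Deny wins
# CreateChild:   explicit Allow satisfies the request before the inherited Deny is reached
# ReadProperty:  only the inherited Allow applies, nothing explicit contradicts it
# WriteProperty: no ACE allows it, so it is implicitly denied
foreach ($name in 'DeleteChild', 'CreateChild', 'ReadProperty', 'WriteProperty') {
    '{0,-14} {1}' -f $name, (Test-EffectiveAccess -Acl $branchAcl @bob -Requested $Right[$name])
}
```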
Demonstration: Delegating Administrative
Control
In this demonstration, you will see how to:
 • Delegate a standard task
 • Delegate a custom task
 • View AD DS permissions resulting from these delegations
Lab: Managing Active Directory Domain Services
Objects
• Exercise 1: Delegating Administration for a Branch Office
• Exercise 2: Creating and Configuring User Accounts in AD
  DS
• Exercise 3: Managing Computer Objects in AD DS
Logon Information
Virtual Machines        20410A-LON-DC1
                        20410A-LON-CL1
User Name               Administrator
Password                Pa$$w0rd
Estimated Time: 60 minutes
Lab Scenario
• A. Datum is a global engineering and manufacturing company with a
  head office based in London, England. An IT office and a data center
  are located in London to support the London office and other
  locations. A. Datum has recently deployed a Windows Server 2012
  infrastructure with Windows 8 clients.
• You have been working for A. Datum for several years as a desktop-
  support specialist. In this role, you visited desktop computers to
  troubleshoot application and network problems. You have recently
  accepted a promotion to the server support team. One of your first
  assignments is configuring the infrastructure service for a new branch
  office.
• To begin deployment of the new branch office you are preparing
  AD DS objects. As part of this preparation, you need to create an OU
  for the branch office and delegate permission to manage it. Then you
  need to create users and groups for the new branch office. Finally, you
  need to reset the secure channel for a computer account that has lost
  connectivity to the domain in the branch office.
Lab Review
• What are the options for modifying the attributes of new and existing
 users?
• What types of objects can be members of global groups?
• What types of objects can be members of domain local groups?
• What are the two credentials that are necessary for any computer to
 join a domain?
Module Review and Takeaways
• Review Questions
• Best Practices
• Real-world Issues and Scenarios
• Tools
Microsoft Official Course®
Module 4
Automating Active Directory Domain Services Administration
Module Overview
• Using Command-line Tools for Administration
• Using Windows PowerShell for Administration
• Performing Bulk Operations with Windows
 PowerShell
Lesson 1: Using Command-line Tools for
Administration
• Benefits of Using Command-Line Tools for
  Administration
• What Is Csvde?
• What Is Ldifde?
• What Are DS Commands?
Benefits of Using Command-Line Tools for
Administration
Command-line tools allow you to automate AD DS
 administration
Benefits of using command-line tools:
  • Faster implementation of bulk operations
  • Customized processes for AD DS administration
  • AD DS administration on server core
What Is Csvde?
[Figure: CSVDE.exe exports objects from AD DS to a .csv file and imports objects from a .csv file into AD DS]
Use CSVDE to export objects to a .csv file:
  • -f filename
  • -d RootDN
  • -p SearchScope
  • -r Filter
  • -l ListOfAttributes
Use CSVDE to create objects from a .csv file:
  Csvde -i -f filename -k
What Is Ldifde?
[Figure: LDIFDE.exe exports objects from AD DS to a .ldf file and imports objects from a .ldf file into AD DS]
Use ldifde to export objects to an LDIF file:
  • -f filename
  • -d RootDN
  • -r Filter
  • -p SearchScope
  • -l ListOfAttributes
  • -o ListOfAttributes
Use ldifde to create, modify, or delete objects:
  ldifde -i -f filename -k
What Are DS Commands?
• Windows Server 2012 includes command-line tools that
  are suitable for use in scripts.
• Examples:
   • To modify the department of a user account, type:
     Dsmod user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -dept IT
   • To display the email of a user account, type:
     Dsget user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -email
   • To delete a user account, type:
     Dsrm "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"
   • To create a new user account, type:
     Dsadd user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"
Lesson 2: Using Windows PowerShell for
Administration
• Using Windows PowerShell Cmdlets to Manage
  Users
• Using Windows PowerShell Cmdlets to Manage
  Groups
• Using Windows PowerShell Cmdlets to Manage
  Computer Accounts
• Using Windows PowerShell Cmdlets to Manage
  OUs
Using Windows PowerShell Cmdlets to Manage
Users
Cmdlet                    Description
New-ADUser                Creates user accounts
Set-ADUser                Modifies properties of user accounts
Remove-ADUser             Deletes user accounts
Set-ADAccountPassword     Resets the password of a user account
Set-ADAccountExpiration   Modifies the expiration date of a user account
Unlock-ADAccount          Unlocks a user account after it has become
                          locked after too many incorrect login attempts
Enable-ADAccount          Enables a user account
Disable-ADAccount         Disables a user account
New-ADUser "Joe Healy" -AccountPassword (Read-Host -AsSecureString "Enter password") -Department IT
Using Windows PowerShell Cmdlets to Manage
Groups
Cmdlet                              Description
New-ADGroup                         Creates new groups.
Set-ADGroup                         Modifies properties of groups.
Get-ADGroup                         Displays properties of groups.
Remove-ADGroup                      Deletes groups.
Add-ADGroupMember                   Adds members to groups.
Get-ADGroupMember                   Displays membership of groups.
Remove-ADGroupMember                Removes members from groups.
Add-ADPrincipalGroupMembership      Adds group membership to objects.
Get-ADPrincipalGroupMembership      Displays group membership of objects.
Remove-ADPrincipalGroupMembership   Removes group membership from an object.
 New-ADGroup -Name "CustomerManagement" -Path "ou=managers,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security
 Add-ADGroupMember CustomerManagement -Members "Joe Healy"
Using Windows PowerShell Cmdlets to Manage
Computer Accounts
Cmdlet                          Description
New-ADComputer                  Creates new computer accounts
Set-ADComputer                  Modifies properties of computer accounts
Get-ADComputer                  Displays properties of computer accounts
Remove-ADComputer               Deletes computer accounts
Test-ComputerSecureChannel      Verifies or repairs the trust relationship
                                between a computer and the domain
Reset-ComputerMachinePassword   Resets the password for a computer account
  New-ADComputer -Name LON-SVR8 -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true
  Test-ComputerSecureChannel -Repair
Using Windows PowerShell Cmdlets to Manage
OUs
Cmdlet                        Description
New-ADOrganizationalUnit      Creates organizational units
Set-ADOrganizationalUnit      Modifies properties of organizational
                              units
Get-ADOrganizationalUnit      Views properties of organizational units
Remove-ADOrganizationalUnit   Deletes organizational units
  New-ADOrganizationalUnit -Name Sales -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true
Lesson 3: Performing Bulk Operations with
Windows PowerShell
• What Are Bulk Operations?
• Demonstration: Using Graphical Tools to Perform
  Bulk Operations
• Querying Objects with Windows PowerShell
• Modifying Objects with Windows PowerShell
• Working with CSV Files
• Demonstration: Performing Bulk Operations with
  Windows PowerShell
What Are Bulk Operations?
• A bulk operation is a single action that changes
  multiple objects
• You can perform bulk operations by using:
  • Graphical tools
  • Command-line tools
  • Scripts
• The process for performing a bulk operation is:
  • Define a query
  • Modify the objects defined by the query
Demonstration: Using Graphical Tools to
Perform Bulk Operations
In this demonstration, you will see how to:
• Create a query for all users
• Configure the Company attribute for all users
• Verify that the Company attribute has been modified
Querying Objects with Windows PowerShell
Show all the properties for a user account:
  Get-ADUser Administrator -Properties *
Show all the user accounts in the Marketing organizational unit and all its
subcontainers:
  Get-ADUser -Filter * -SearchBase "ou=Marketing,dc=adatum,dc=com" -SearchScope subtree
Show all of the user accounts with a last logon date older than a specific
date:
  Get-ADUser -Filter 'lastlogondate -lt "January 1, 2012"'
Show all of the user accounts in the Marketing department that have a last
logon date older than a specific date:
  Get-ADUser -Filter 'lastlogondate -lt "January 1, 2012" -and department -eq "Marketing"'

   Parameter         Description
   SearchBase        Defines the AD DS path to begin searching.
   SearchScope       Defines at what level below the SearchBase a search should be
                     performed.
   ResultSetSize     Defines how many objects to return in response to a query.
   Properties        Defines which object properties to return and display.

   Operator      Description
   -eq           Equal to
   -ne           Not equal to
   -lt           Less than
   -le           Less than or equal to
   -gt           Greater than
   -ge           Greater than or equal to
   -like         Uses wildcards for pattern matching
Modifying Objects with Windows PowerShell
• Use the pipeline operator (|) to pass a list of objects to a
 cmdlet for further processing
 Get-ADUser -Filter 'company -eq "$null"' | Set-ADUser -Company "A. Datum"
 Get-ADUser -Filter 'lastlogondate -lt "January 1, 2012"' | Disable-ADAccount
 Get-Content C:\users.txt | Disable-ADAccount
Working with CSV Files
The first line of a .csv file defines the names of the
columns
     FirstName,LastName,Department
     Greg,Guzik,IT
     Robin,Young,Research
     Qiong,Wu,Marketing
A foreach loop processes the contents of a .csv file that has
been imported into a variable
     $users = Import-Csv C:\users.csv
     foreach ($i in $users) {
        Write-Host "The first name is: $($i.FirstName)"
     }
Demonstration: Performing Bulk Operations with
Windows PowerShell
In this demonstration, you will see how to:
• Perform bulk operations at a Windows PowerShell
  prompt
• Use a Windows PowerShell script to create user accounts
  from a .csv file
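Here is an added script, not part of the course materials, that does what this demonstration and the CSV slide describe: it reads a .csv file in the slide's column layout and creates the accounts in bulk. It assumes the ActiveDirectory module, the adatum.com domain and a target OU ou=Branch,dc=adatum,dc=com; the input file is constructed inline.

```powershell
# Added example (not from the course): bulk user creation from a .csv file with
# the column layout on the slide. Assumes the ActiveDirectory module, the
# adatum.com domain and a target OU ou=Branch,dc=adatum,dc=com (an assumption).
Import-Module ActiveDirectory

# Constructed input in the slide's layout, written to a temp file so the loop
# reads it exactly as it would read C:\users.csv.
$csvPath = Join-Path $env:TEMP 'users.csv'
@'
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing
'@ | Set-Content -Path $csvPath

$targetOu = 'ou=Branch,dc=adatum,dc=com'
# One initial password for the batch, entered once and never written to a file
$initialPassword = Read-Host -AsSecureString 'Enter initial password'

function ConvertTo-SamAccountName {
    param([string]$FirstName, [string]$LastName)
    # first initial + surname, lower case, letters and digits only, at most 20
    # characters (the sAMAccountName limit)
    $name = ($FirstName.Substring(0, 1) + $LastName).ToLower() -replace '[^a-z0-9]', ''
    if ($name.Length -gt 20) { $name = $name.Substring(0, 20) }
    return $name
}

$users = Import-Csv -Path $csvPath
foreach ($i in $users) {
    $sam = ConvertTo-SamAccountName -FirstName $i.FirstName -LastName $i.LastName
    # $( ) is required here: "$i.FirstName" on its own expands only $i
    Write-Host "Creating $($i.FirstName) $($i.LastName) as $sam in $($i.Department)"

    # Make the script safe to re-run: skip names that already exist
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
        Write-Warning "$sam already exists, skipping"
        continue
    }

    $params = @{
        Name                  = "$($i.FirstName) $($i.LastName)"
        GivenName             = $i.FirstName
        Surname               = $i.LastName
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@adatum.com"
        Department            = $i.Department
        Path                  = $targetOu
        AccountPassword       = $initialPassword
        ChangePasswordAtLogon = $true   # the user replaces the shared initial password at first logon
        Enabled               = $true   # New-ADUser creates the account disabled unless -Enabled is set
    }
    New-ADUser @params
}
```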
Lab: Automating AD DS Administration by Using
Windows PowerShell
• Exercise 1: Creating User Accounts and Groups by Using
  Windows PowerShell
• Exercise 2: Using Windows PowerShell to Create User
  Accounts in Bulk
• Exercise 3: Using Windows PowerShell to Modify User
  Accounts in Bulk
Logon Information
Virtual Machines        20410A-LON-DC1
                        20410A-LON-CL1
User Name               Adatum\Administrator
Password                Pa$$w0rd
Estimated Time: 45 minutes
Lab Scenario
• A. Datum Corporation is a global engineering and manufacturing
  company with a head office based in London, England. An IT office
  and a data center are located in London to support the London
  location and other locations. A. Datum has recently deployed a
  Windows Server 2012 infrastructure with Windows 8 clients.
• You have been working for A. Datum for several years as a desktop
  support specialist. In this role, you visited desktop computers to
  troubleshoot application and network problems. You have recently
  accepted a promotion to the server support team. One of your first
  assignments is configuring the infrastructure service for a new branch
  office.
• As part of configuring a new branch office, you need to create user
  and group accounts. Creating multiple users with graphical tools is
  inefficient, so you will use Windows PowerShell.
Lab Review
• By default, are new user accounts enabled or
  disabled when you create them by using the New-
  ADUser cmdlet?
• Which file extension is used by Windows
  PowerShell scripts?
Module Review and Takeaways
• Review Questions
Microsoft Official Course®
Module 5
Implementing IPv4
Module Overview
• Overview of TCP/IP
• Understanding IPv4 Addressing
• Subnetting and Supernetting
• Configuring and Troubleshooting IPv4
Lesson 1: Overview of TCP/IP
• The TCP/IP Protocol Suite
• Protocols in the TCP/IP Suite
• TCP/IP Applications
• What Is a Socket?
The TCP/IP Protocol Suite
[Figure: TCP/IP Protocol Suite by layer]
     Application         HTTP, FTP, SMTP, DNS, POP3, SNMP
     Transport           TCP, UDP
     Internet            IPv4, IPv6, ARP, IGMP, ICMP
     Network Interface   Ethernet, Token Ring, Frame Relay, ATM
Protocols in the TCP/IP Suite
     OSI                                  TCP/IP              TCP/IP Protocol Suite
     Application, Presentation, Session   Application         HTTP, FTP, SMTP, DNS, POP3, SNMP
     Transport                            Transport           TCP, UDP
     Network                              Internet            IPv4, IPv6, ARP, IGMP, ICMP
     Data Link, Physical                  Network Interface   Ethernet, Token Ring, Frame Relay, ATM
TCP/IP Applications
   Some common application layer protocols:
   • HTTP
   • HTTPS
   • FTP
   • RDP
   • SMB
   • SMTP
   • POP3
What Is a Socket?
   • A socket is a combination of IP address,
    transport protocol, and port
[Figure: TCP/IP Protocol Suite with well-known ports: HTTP (80), HTTPS (443), POP3 (110), SMTP (25), DNS (53), FTP (21), carried over TCP/UDP on IPv4 or IPv6]
Lesson 2: Understanding IPv4 Addressing
• IPv4 Addressing
• Public and Private IPv4 Addresses
• How Dotted Decimal Notation Relates to Binary
  Numbers
• Simple IPv4 Implementations
• More Complex IPv4 Implementations
IPv4 Addressing
  An IPv4 configuration identifies a computer to other computers on a network
[Figure: two subnets. Subnet 1 hosts have IP addresses 192.168.2.180, 192.168.2.181 and 192.168.2.182 with subnet mask 255.255.255.0; Subnet 2 hosts have IP addresses 192.168.1.200, 192.168.1.201 and 192.168.1.202 with subnet mask 255.255.255.0. Dotted decimal representation of the address and subnet mask; the default gateway defines the preferred router]
Public and Private IPv4 Addresses
 Public
 • Required by devices and hosts that connect directly to the Internet
 • Must be globally unique
 • Routable on the Internet
 • Must be assigned by IANA/RIR
 Private
 • Nonroutable on the Internet
 • Can be assigned locally by organization
 • Must be translated to access the Internet
How Dotted Decimal Notation Relates to Binary
Numbers
                       8-Bit Octet
     Bit 7  Bit 6  Bit 5  Bit 4  Bit 3  Bit 2  Bit 1  Bit 0
     2^7    2^6    2^5    2^4    2^3    2^2    2^1    2^0
     128    64     32     16     8      4      2      1
                      Decimal Value
Simple IPv4 Implementations
[Figure: address octets labelled w.x.y.z]
 Class A (/8), Large Network:    leading bit 0;    Network ID = w,     Host ID = x.y.z
 Class B (/16), Medium Network:  leading bits 10;  Network ID = w.x,   Host ID = y.z
 Class C (/24), Small Network:   leading bits 110; Network ID = w.x.y, Host ID = z
More Complex IPv4 Implementations
[Figure: a router interface 172.16.16.1/20 serving four /22 subnets (172.16.16.0/22, 172.16.20.0/22, 172.16.24.0/22, 172.16.28.0/22); within 172.16.16.0/22 the /24 subnets 172.16.17.0/24 and 172.16.18.0/24 are shown, with hosts 172.16.17.1 and 172.16.17.254]
Lesson 3: Subnetting and Supernetting
• How Bits Are Used in a Subnet Mask
• The Benefits of Using Subnetting
• Calculating Subnet Addresses
• Calculating Host Addresses
• Discussion: Creating a Subnetting Scheme for a
  New Office
• What Is Supernetting?
How Bits Are Used in a Subnet Mask
[Figure: Class B address with subnet (leading bits 10), divided into Network ID | Subnet ID | Host ID. As host bits are borrowed for the Subnet ID, the Number of Subnets rises (0, 2, 4, 8, 16, 32, 64, 128, 254) while the Number of Hosts falls (65,534; 32,512; 16,256; 8,128; 4,064; 2,032; 1,016; 508; 254)]
The Benefits of Using Subnetting
When you subdivide a network into subnets, you create a unique ID for
each subnet derived from the main network ID
By using subnets, you can:
 • Use a single network address across multiple locations
 • Reduce network congestion by segmenting traffic
 • Overcome limitations of current technologies
Calculating Subnet Addresses
When determining subnet addresses you should:
  • Choose the number of subnet bits based on the number of
    subnets required
  • Use 2^n to determine the number of subnets available from n bits
For five locations, three subnet bits are required:
  • 5 locations = 5 subnets required
  • 2^2 = 4 subnets (not enough)
  • 2^3 = 8 subnets
Calculating Host Addresses
 When determining host addresses you should:
   • Choose the number of host bits based on the number of
     hosts that you require on each subnet
   • Use 2^n - 2 to determine the number of hosts that are
     available on each subnet
 For subnets with 100 hosts, seven host bits are required:
   • 2^6 - 2 = 62 hosts (not enough)
   • 2^7 - 2 = 126 hosts
Discussion: Creating a Subnetting Scheme for a
New Office
 • How many subnets are required?
 • How many bits are required to create that number of
   subnets?
 • How many hosts are required on each subnet?
 • How many bits are required to allow that number of
   hosts?
 • What is an appropriate subnet mask to meet these
   needs?
What Is Supernetting?
• Supernetting combines multiple small networks into a larger
  network
• The networks that you are combining must be contiguous
• The following table shows an example of supernetting two class C
  networks.
            Network                             Range
 192.168.00010000.00000000/24         192.168.16.0-192.168.16.255
 192.168.00010001.00000000/24         192.168.17.0-192.168.17.255
 192.168.00010000.00000000/23         192.168.16.0-192.168.17.255
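The subnet-bit and host-bit rules from the two calculation slides, and the contiguity requirement behind the supernetting table above, carried through in an added example that is not part of the course: it turns the figures (five locations, 100 hosts each; the two class C networks 192.168.16.0/24 and 192.168.17.0/24) into a subnet mask, the subnet addresses and the aggregate route. The 172.16.0.0/16 parent network is an assumption.

```powershell
# Added example (not from the course): the 2^n and 2^n - 2 rules from the
# subnetting slides carried through to a prefix length, subnet mask and the
# resulting subnet addresses, plus the contiguity and alignment checks behind
# the supernetting table. Plain arithmetic, no AD or network modules required.
# The 172.16.0.0/16 network is an assumption; 5 locations, 100 hosts and the
# 192.168.16.0/24 and 192.168.17.0/24 networks are the slides' own figures.

function ConvertTo-Int64 {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertFrom-Int64 {
    param([int64]$Value)
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                                (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-SubnetPlan {
    param([string]$Network, [int]$PrefixLength, [int]$SubnetsRequired, [int]$HostsPerSubnet)
    # 2^n subnets from n subnet bits: take the smallest n that is enough
    $subnetBits = 0
    while ([math]::Pow(2, $subnetBits) -lt $SubnetsRequired) { $subnetBits++ }
    # 2^n - 2 hosts from n host bits (network and broadcast addresses are not usable)
    $hostBitsRequired = 1
    while ([math]::Pow(2, $hostBitsRequired) - 2 -lt $HostsPerSubnet) { $hostBitsRequired++ }
    $newPrefix = $PrefixLength + $subnetBits
    $hostBitsAvailable = 32 - $newPrefix
    if ($hostBitsAvailable -lt $hostBitsRequired) {
        throw "$SubnetsRequired subnets of $HostsPerSubnet hosts do not fit in $Network/$PrefixLength"
    }
    $blockSize = [int64][math]::Pow(2, $hostBitsAvailable)
    $base = ConvertTo-Int64 $Network
    $base = $base - ($base % [int64][math]::Pow(2, 32 - $PrefixLength))   # clear any host bits in the input
    [pscustomobject]@{
        SubnetBits           = $subnetBits
        HostBitsRequired     = $hostBitsRequired
        PrefixLength         = $newPrefix
        SubnetMask           = ConvertFrom-Int64 (4294967296 - $blockSize)
        SubnetsAvailable     = [int][math]::Pow(2, $subnetBits)
        UsableHostsPerSubnet = $blockSize - 2
        Subnets              = @(0..([math]::Pow(2, $subnetBits) - 1) | ForEach-Object {
                                   '{0}/{1}' -f (ConvertFrom-Int64 ($base + $_ * $blockSize)), $newPrefix })
    }
}

function Get-Supernet {
    param([string[]]$Networks)
    $parsed = foreach ($n in $Networks) {
        $addr, $len = $n -split '/'
        [pscustomobject]@{ Value = (ConvertTo-Int64 $addr); Prefix = [int]$len }
    }
    $parsed = @($parsed | Sort-Object Value)
    $prefix = $parsed[0].Prefix
    if (@($parsed | Where-Object { $_.Prefix -ne $prefix }).Count -gt 0) {
        throw 'All networks must have the same prefix length'
    }
    $count = $parsed.Count
    if (($count -band ($count - 1)) -ne 0) { throw 'The number of networks must be a power of two' }
    # the networks that you are combining must be contiguous
    $blockSize = [int64][math]::Pow(2, 32 - $prefix)
    for ($k = 1; $k -lt $count; $k++) {
        if ($parsed[$k].Value -ne $parsed[$k - 1].Value + $blockSize) { throw 'Networks must be contiguous' }
    }
    $aggBits = 0
    while ([math]::Pow(2, $aggBits) -lt $count) { $aggBits++ }
    $aggPrefix = $prefix - $aggBits
    $aggSize = $blockSize * $count
    # the first network must sit on the boundary of the larger block it becomes
    if ($parsed[0].Value % $aggSize -ne 0) { throw 'First network is not aligned to the supernet boundary' }
    [pscustomobject]@{
        Supernet = '{0}/{1}' -f (ConvertFrom-Int64 $parsed[0].Value), $aggPrefix
        Range    = '{0}-{1}' -f (ConvertFrom-Int64 $parsed[0].Value),
                                (ConvertFrom-Int64 ($parsed[0].Value + $aggSize - 1))
    }
}

Get-SubnetPlan -Network 172.16.0.0 -PrefixLength 16 -SubnetsRequired 5 -HostsPerSubnet 100 | Format-List
Get-Supernet -Networks @('192.168.16.0/24', '192.168.17.0/24') | Format-List
```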
Lesson 4: Configuring and Troubleshooting IPv4
• Configuring IPv4 Manually
• Configuring IPv4 Automatically
• IPv4 Troubleshooting Tools
• The Troubleshooting Process
• What Is Network Monitor?
• Demonstration: How to Capture and Analyze
 Network Traffic by Using Network Monitor
Configuring IPv4 Manually
        Interface name               Local Area Connection
        Static IP address            10.10.0.10
        Subnet mask                  255.255.0.0
        Default gateway              10.10.0.1
  Example using the netsh command-line tool
  netsh interface ipv4 set address name="Local Area Connection" source=static addr=10.10.0.10 mask=255.255.0.0 gateway=10.10.0.1
  Example using PowerShell cmdlets
  Set-NetIPAddress -InterfaceAlias "Local Area Connection" -IPAddress 10.10.0.10 -PrefixLength 16
  New-NetRoute -InterfaceAlias "Local Area Connection" -DestinationPrefix 0.0.0.0/0 -NextHop 10.10.0.1
Configuring IPv4 Automatically
[Figure: hosts with IPv4 static configuration and IPv4 DHCP clients, a DHCP server with an IPv4 scope, and an IPv4 router]
IPv4 Troubleshooting Tools
   You can use these tools to troubleshoot
   IPv4:
     • Ipconfig
     • Ping
     • Tracert
     • Pathping
     • Telnet
     • Netstat
     • Resource Monitor
     • Windows Network Diagnostics
     • Event Viewer
The Troubleshooting Process
 • Identify the scope of the problem
 • Use tracert to identify the network path between
   hosts
 • Use ipconfig to verify the network configuration is
   correct
 • Use ping to see if the remote host responds
 • Use an application to test the service on a remote host
 • Use ping to see if the default gateway responds
What Is Network Monitor?
Demonstration: How to Capture and Analyze
Network Traffic by Using Network Monitor
   In this demonstration, you will see how to:
     • Capture network traffic with Network Monitor
     • Analyze the captured network traffic
     • Filter the network traffic
Lab: Implementing IPv4
• Exercise 1: Identifying Appropriate Subnets
• Exercise 2: Troubleshooting IPv4
Logon Information
Virtual Machine              20410A-LON-DC1
                             20410A-LON-RTR
                             20410A-LON-SVR2
User Name                    Adatum\Administrator
Password                     Pa$$w0rd
Estimated Time: 45 minutes
Lab Scenario
A. Datum has an IT office and data center in London, which
supports the London location and other locations. They
have recently deployed a Windows Server 2012
infrastructure with Windows 8 clients. You have recently
accepted a promotion to the server support team. One of
your first assignments is configuring the infrastructure
service for a new branch office.
After a security review, your manager has asked you to
calculate new subnets for the branch office to support
segmenting network traffic. You also need to troubleshoot a
connectivity problem on a server in the branch office.
Lab Review
• Why is variable length subnetting required in this lab?
• Which Windows PowerShell cmdlet can you use to view the local
  routing table of a computer instead of using route print?
Module Review and Takeaways
• Review Questions
• Best Practices
• Common Issues and Troubleshooting Tips
• Tools
Microsoft Official Course®
Module 6
Implementing DHCP
Module Overview
• Installing a DHCP Server Role
• Configuring DHCP Scopes
• Managing a DHCP Database
• Securing and Monitoring DHCP
Lesson 1: Installing a DHCP Server Role
• Benefits of Using DHCP
• How DHCP Allocates IP Addresses
• How DHCP Lease Generation Works
• How DHCP Lease Renewal Works
• What Is a DHCP Relay Agent
• DHCP Server Authorization
• Demonstration: Adding the DHCP Server Role
Benefits of Using DHCP
DHCP reduces the complexity and amount of administrative work by
using automatic TCP/IP configuration
• Manual TCP/IP Configuration
  • IP addresses are entered manually
  • IP address could be entered incorrectly
  • Communication and network issues can result
  • Frequent computer moves increase administrative effort
• Automatic TCP/IP Configuration
  • IP addresses are supplied automatically
  • Correct configuration information is ensured
  • Client configuration is updated automatically
  • A common source of network problems is eliminated
How DHCP Allocates IP Addresses
[Figure: a Non-DHCP Client with a static IP configuration; DHCP Client1 and DHCP Client2 receive their IP configuration from the DHCP Server through Lease Generation and Lease Renewal. DHCP Database: IP Address1 leased to DHCP Client1, IP Address2 leased to DHCP Client2, IP Address3 available for lease]
How DHCP Lease Generation Works
[Figure: DHCP Server1, DHCP Server2 and a DHCP Client on one network]
  1  DHCP client broadcasts a DHCPDISCOVER packet
  2  DHCP servers broadcast a DHCPOFFER packet
  3  DHCP client broadcasts a DHCPREQUEST packet
  4  DHCP Server1 broadcasts a DHCPACK packet
How DHCP Lease Renewal Works
            DHCP
           DHCP
           Server2
          Server2
                                                                      DHCP
                                                                      Client
                                                                               DHCP Client
     DHCP
    DHCP
    Server1
   Server1
                                                                          50%
                                                                           50%of oflease
[Diagram: lease timeline marking 50%, 87.5%, and 100% of the lease duration]
1. DHCP client sends a DHCPREQUEST packet
2. DHCP Server1 sends a DHCPACK packet
If the DHCP client fails to renew its lease after 50% of the lease duration has expired, then the DHCP lease renewal process will begin again with the DHCP client broadcasting a DHCPREQUEST packet after 87.5% of the lease duration has expired
If the DHCP client fails to renew its lease after 87.5% of the lease duration has expired, then the DHCP lease generation process starts over
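The renewal timeline above, modelled from the client side as an added example (not course material): T1 at 50% and T2 at 87.5% of the lease; the server address, client address and lease length are sample values.

```python
# Added example (not course material): the client side of the DHCP lease
# renewal timeline the slide describes. T1 = 50% and T2 = 87.5% of the lease
# duration; the server and client addresses are sample values.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Lease:
    server: str      # DHCP server that sent the DHCPACK (sample value)
    address: str     # leased IPv4 address (sample value)
    granted_at: int  # time the DHCPACK arrived, in seconds
    duration: int    # lease duration in seconds

    @property
    def t1(self) -> int:
        """Renewal time: 50% of the lease duration has expired."""
        return self.granted_at + self.duration // 2

    @property
    def t2(self) -> int:
        """Rebinding time: 87.5% (7/8) of the lease duration has expired."""
        return self.granted_at + self.duration * 7 // 8

    @property
    def expiry(self) -> int:
        """100% of the lease duration has expired."""
        return self.granted_at + self.duration


def client_action(lease: Lease, now: int) -> tuple:
    """What the client does at time `now`: (state, message, destination)."""
    if now < lease.t1:
        return ("BOUND", None, None)
    if now < lease.t2:
        # Renewal: DHCPREQUEST unicast to the server that granted the lease
        return ("RENEWING", "DHCPREQUEST", f"unicast to {lease.server}")
    if now < lease.expiry:
        # Rebinding: DHCPREQUEST broadcast so any DHCP server can answer
        return ("REBINDING", "DHCPREQUEST", "broadcast")
    # Lease expired: the address is dropped and lease generation starts over
    return ("INIT", "DHCPDISCOVER", "broadcast")


def simulate(lease: Lease, server_answers: Callable[[int, str], bool],
             step: int = 60) -> tuple:
    """Walk the lease in `step`-second ticks until it is renewed or expires.

    `server_answers(now, state)` models whether a DHCPACK comes back for the
    DHCPREQUEST sent in `state`. Returns (events, new_lease): events lists each
    state change as (time, state, message, destination); new_lease is the
    renewed Lease, or None if the client fell back to DHCPDISCOVER.
    """
    events = []
    last_state = None
    now = lease.granted_at
    while True:
        state, message, destination = client_action(lease, now)
        if state != last_state:
            events.append((now, state, message, destination))
            last_state = state
        if state == "INIT":
            return events, None
        if message == "DHCPREQUEST" and server_answers(now, state):
            events.append((now, "BOUND", "DHCPACK", "from a DHCP server"))
            # A successful renewal restarts the full lease duration
            return events, Lease(lease.server, lease.address, now, lease.duration)
        now += step
```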
What Is a DHCP Relay Agent?
    A DHCP relay agent listens for DHCP broadcasts from DHCP
    clients and then relays them to DHCP servers in different
    subnets
[Diagram: DHCP clients broadcast in Subnet A; the DHCP relay agent unicasts their requests to the DHCP server in Subnet B across routers that are not RFC 1542 compliant, and the server's replies are broadcast in Subnet B]
DHCP Server Authorization
  DHCP authorization registers the DHCP Server service in the Active
  Directory domain to support DHCP clients
DHCP Server1 checks with the domain controller to obtain a list of authorized DHCP servers. If DHCP Server1 finds its IP address on the list, the service starts and supports DHCP clients
DHCP Server2 checks with the domain controller to obtain a list of authorized DHCP servers. If DHCP Server2 does not find its IP address on the list, the service does not start and does not support DHCP clients
DHCP client receives an IP address from authorized DHCP Server1
[Diagram: Domain Controller (AD DS); DHCP Server1 – Authorized – services DHCP requests; DHCP Server2 – Unauthorized – does not service DHCP requests; DHCP Client]
Demonstration: Adding the DHCP Server Role
In this demonstration, you will see how to install
and authorize the DHCP server role
Lesson 2: Configuring DHCP Scopes
• What Are DHCP Scopes?
• What Is a DHCP Reservation?
• What Are DHCP Options?
• How Are DHCP Options Applied?
• Demonstration: Creating and Configuring a DHCP Scope
What Are DHCP Scopes?
   A DHCP scope is a range of IP addresses that are
   available to be leased
[Diagram: one DHCP Server with Scope A serving LAN A and Scope B serving LAN B]
Scope Properties
  • Network ID
  • Subnet mask
  • Lease duration
  • Network IP address range
  • Scope name
  • Exclusion range
What Is a DHCP Reservation?
 A DHCP reservation occurs when an IP address within a scope is set
 aside for use with a specific DHCP client.
[Diagram: DHCP Server serving Workstation 1 and a File and Print Server in Subnet A, and Workstation 2 in Subnet B]
  • IP Address1: Leased to Workstation 1
  • IP Address2: Leased to Workstation 2
  • IP Address3: Reserved for File and Print Server
What Are DHCP Options?
 DHCP options are values for common configuration
 data that applies to the server, scopes, reservations, and
 class options
 Common scope options are:
   • DNS Servers
   • DNS Name
   • Default Gateway
   • WINS Servers
How Are DHCP Options Applied?
You can apply DHCP options at various levels:
  • Server
  • Scope
  • Class
  • Reserved client
Demonstration: Creating and Configuring a DHCP Scope
In this demonstration, you will see how to:
• Create a DHCP Scope
• Configure scope options
Lesson 3: Managing a DHCP Database
• What Is a DHCP Database?
• Backing Up and Restoring a DHCP Database
• Reconciling a DHCP Database
• Moving a DHCP Database
 What Is a DHCP Database?
The DHCP database is a dynamic database that contains configuration
information
 • The DHCP database contains DHCP configuration data such as:
     • Scopes
     • Address leases
     • Reservations
 • Windows Server 2008 stores the DHCP database in the
   %Systemroot%\System32\Dhcp folder
 • The DHCP database files include:
    • Dhcp.mdb
    • Dhcp.tmp
    • J50.log and J50*.log
    • Res*.log
    • J50.chk
How a DHCP Database Is Backed Up and Restored
[Diagram: the DHCP Server backs up to and restores from its local backup directory; the administrator copies the backup to Offline Storage and can restore from it]
The DHCP service automatically backs up the DHCP database to the backup directory on the local drive
The administrator moves a copy of the backed up database to an offline storage location
If the original database is unable to load, the DHCP service automatically restores from the backup directory on the local drive
In the event that the server hardware fails, the administrator can restore the DHCP database only from an offline storage location
Reconciling a DHCP Database
[Diagram: the DHCP Server holds detailed IP address lease information in the DHCP database and summary IP address lease information in the registry; reconciliation compares the two and reconciles inconsistencies in the DHCP database]
Example
  Registry:              Client has IP address 192.168.1.34
  DHCP database:         IP address 192.168.1.34 is available
  After Reconciliation:  Lease entry is created in DHCP database
Moving a DHCP Database
[Diagram: the DHCP Database is copied from the Old DHCP Server to Backup Media, then to the New DHCP Server]
Lesson 4: Securing and Monitoring DHCP
• Preventing an Unauthorized Computer from Obtaining a Lease
• Restricting Unauthorized, Non–Microsoft DHCP Servers from Leasing IP Addresses
• Delegating DHCP Administration
• What Are DHCP Statistics?
• What Is DHCP Audit Logging?
• Discussion: Common DHCP Issues
Preventing an Unauthorized Computer from Obtaining a Lease
    To prevent an unauthorized computer from obtaining a
    lease:
     • Ensure that unauthorized users do not have
       physical or wireless access to your network
     • Enable audit logging for every DHCP server
       on your network
     • Regularly check and monitor audit log files
     • Use 802.1X-enabled LAN switches or wireless
       access points to access the network
     • Configure NAP to validate users and security policy
       compliance
Restricting Unauthorized, Non–Microsoft DHCP Servers from Leasing IP Addresses
[Diagram: DHCP clients receiving leases from a Rogue DHCP server as well as from the Legitimate DHCP server]
To eliminate an unauthorized DHCP server, you must locate it and then
either physically disable it or disable the DHCP service, to prevent it from
communicating on the network
Delegating DHCP Administration
To delegate who can administer the DHCP service:
 • Limit the members of the DHCP Administrators group
 • Add users who need read-only access to the DHCP console, to the
   DHCP Users group
Account                     Permissions
DHCP Administrators group   Can view and modify any data about the DHCP server
DHCP Users group            Has read-only DHCP console access to the server
What Are DHCP Statistics?
  DHCP statistics are collected at either the server level
  or the scope level
What Is DHCP Audit Logging?
    A DHCP audit log is a log of service-related events
Discussion: Common DHCP Issues
• Address conflicts
• Failure to obtain a DHCP address
• Address obtained from an incorrect scope
• DHCP database suffered data corruption or loss
• DHCP server has exhausted its IP address pool
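Audit logging is the detection control for several of the issues just listed (address conflicts, pool exhaustion). The following added example, not course material, triages a DHCP audit log for them. It assumes the comma-separated layout of the Windows DHCP audit log (DhcpSrvLog-<Day>.log in the %Systemroot%\System32\Dhcp folder), whose leading fields are ID, Date, Time, Description, IP Address, Host Name and MAC Address, and the event IDs documented in that file's header (10 new lease, 11 renewal, 13 address found in use on the network, 14 scope address pool exhausted); the log lines themselves are constructed.

```python
# Added example (not course material): triage a Windows DHCP server audit log
# for the common issues the slide lists. Assumptions: the audit log
# (DhcpSrvLog-<Day>.log in %Systemroot%\System32\Dhcp) is comma-separated with
# the leading fields ID,Date,Time,Description,IP Address,Host Name,MAC Address,
# and uses the event IDs its header documents (10 new lease, 11 renewal,
# 13 address found in use on the network, 14 scope address pool exhausted).
# SAMPLE_LOG is constructed, not captured from a real server.
import csv
from collections import Counter

EVENT_NEW_LEASE, EVENT_RENEW, EVENT_CONFLICT, EVENT_POOL_EXHAUSTED = 10, 11, 13, 14

SAMPLE_LOG = """\
                Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/11/13,08:01:12,Assign,172.16.0.50,LON-CL1.adatum.com,00155D01A001
11,03/11/13,08:03:40,Renew,172.16.0.51,LON-CL2.adatum.com,00155D01A002
13,03/11/13,08:05:02,Conflict,172.16.0.52,,00155D01A003
13,03/11/13,08:05:09,Conflict,172.16.0.53,,00155D01A003
10,03/11/13,08:05:20,Assign,172.16.0.54,LON-CL3.adatum.com,00155D01A003
14,03/11/13,08:06:30,Pool exhausted,,,00155D01A004
14,03/11/13,08:06:31,Pool exhausted,,,00155D01A005
"""

FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")


def parse_audit_log(text: str) -> list:
    """Return the event rows as dicts, skipping the banner, header and blanks."""
    rows = []
    for record in csv.reader(text.splitlines()):
        if len(record) < len(FIELDS) or not record[0].strip().isdigit():
            continue  # free-text preamble or the column header line
        row = dict(zip(FIELDS, (f.strip() for f in record[:len(FIELDS)])))
        row["id"] = int(row["id"])
        rows.append(row)
    return rows


def find_issues(rows: list) -> dict:
    """Summarise lease activity and flag conflicts and pool exhaustion."""
    ids = Counter(r["id"] for r in rows)
    conflicts = [r["ip"] for r in rows if r["id"] == EVENT_CONFLICT]
    # A client that hits several conflicts in a row usually means addresses in
    # the scope are already in use (statically assigned hosts, or a second DHCP
    # server handing out overlapping leases); the offered address keeps failing.
    per_client = Counter(r["mac"] for r in rows if r["id"] == EVENT_CONFLICT)
    repeat_clients = [mac for mac, n in per_client.items() if n > 1]
    return {
        "leases_issued": ids[EVENT_NEW_LEASE],
        "renewals": ids[EVENT_RENEW],
        "conflicts": conflicts,
        "conflict_repeat_clients": repeat_clients,
        "pool_exhausted": ids[EVENT_POOL_EXHAUSTED],
    }


def report(findings: dict) -> list:
    """Human-readable findings, one line per problem worth following up."""
    lines = []
    if findings["conflicts"]:
        lines.append("address conflicts on " + ", ".join(findings["conflicts"]))
    if findings["pool_exhausted"]:
        lines.append(f"{findings['pool_exhausted']} lease requests failed: "
                     "scope address pool exhausted")
    return lines
```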
Lab: Implementing DHCP
• Exercise 1: Implementing DHCP
• Exercise 2: Implementing a DHCP Relay (Optional Exercise)
Logon Information
Virtual Machine     20410A-LON-DC1
                    20410A-LON-SVR1
                    20410A-LON-RTR
                    20410A-LON-CL1
                    20410A-LON-CL2
User Name           Adatum\Administrator
Password            Pa$$w0rd
 Estimated Time: 75 minutes
Lab Scenario
A. Datum Corporation has an IT office and data center in
London, which supports the London location and other
locations as well. A. Datum has recently deployed a
Windows 2012 Server infrastructure with Windows 8 clients.
You have recently accepted a promotion to the server
support team. One of your first assignments is to configure
the infrastructure service for a new branch office. As part of
this assignment, you need to configure a DHCP server that
will provide IP addresses and configuration to client
computers. Servers are configured with static IP addresses
and do not use DHCP.
Lab Review
What is the DHCP scope used for?
How should you configure a computer in order to
receive an IP address from the DHCP server?
Why do you need a MAC address for a DHCP server
reservation?
What information do you need to configure on a
DHCP relay agent?
Module Review and Takeaways
• Review Questions
• Best Practices
• Tools
Module 7: Implementing DNS
Module Overview
• Name Resolution for Windows Clients and Servers
• Installing and Managing a DNS Server
• Managing DNS Zones
Lesson 1: Name Resolution for Windows Clients
and Servers
• What Are Computer Names?
• What Is DNS?
• DNS Zones and Records
• How Internet DNS Names Are Resolved
• What Is Link-Local Multicast Name Resolution?
• How a Client Resolves a Name
• Troubleshooting Name Resolution
What Are Computer Names?
Name           Description
Host name      • Up to 255 characters long
               • Can contain alphabetic and numeric characters, periods, and hyphens
               • Part of FQDN
NetBIOS name   • Represent a single computer or group of computers
               • 15 characters used for the name
               • 16th character identifies service
               • Flat namespace
What Is DNS?
  DNS can be used to:
   • Resolve host names to IP addresses
   • Locate domain controllers and global catalog
     servers
   • Resolve IP addresses to host names
   • Locate mail servers during email delivery
DNS Zones and Records
 A DNS zone is a specific portion of DNS namespace
 that contains DNS records
 Zone types:
  • Forward lookup zone
  • Reverse lookup zone
 Resource records in forward lookup zones include:
  • A, MX, SRV, and CNAME
 Resource records in reverse lookup zones include:
  • PTR, NS, and SOA
How Internet DNS Names Are Resolved
[Diagram: the Workstation asks its Local DNS server "What is the IP address of www.microsoft.com?"; the local DNS server queries the Root DNS server, the .com DNS server and the Microsoft.com DNS server in turn and returns 207.46.230.219]
What Is Link-Local Multicast Name Resolution?
  LLMNR is an additional method for name
  resolution that does not use DNS or WINS
  • LLMNR is IPv6 specific
  • Works only on Windows Vista or newer Windows
   operating systems
  • Network Discovery must be enabled
  • Can be controlled via Group Policy
How a Client Resolves a Name
1. Local host name
2. DNS resolver cache / Hosts file content
3. DNS server
4. NetBIOS name cache
5. WINS server
6. Broadcast
7. Lmhosts file
Troubleshooting Name Resolution
• Common utilities for troubleshooting name
 resolution are:
  • Nslookup
  • Dnscmd
  • Dnslint
  • Ipconfig
  • DNS Server Monitoring
• Always clear DNS resolver cache before
  troubleshooting
• Use the hosts file for troubleshooting purposes
• Isolate problem
Lesson 2: Installing and Managing a DNS Server
• What Are the Components of a DNS Solution?
• What Are Root Hints?
• What Are DNS Queries?
• What Is Forwarding?
• How DNS Server Caching Works
• How to Install the DNS Server Role
• Demonstration: Installing the DNS Server Role
What Are the Components of a DNS Solution?
[Diagram: DNS Resolvers query DNS Servers, which hold Resource Records and query DNS Servers on the Internet: the Root “.” servers and the .com and .edu servers]
What Are Root Hints?
  Root hints contain the IP addresses for DNS root servers
[Diagram: a Client queries its DNS Server, which uses its Root Hints to reach the Root (.) Servers and from there the com and microsoft servers]
What Are DNS Queries?
A DNS query is a request for name resolution that is directed to a DNS server
• Queries are recursive or iterative
• DNS clients and DNS servers initiate queries
• DNS servers are authoritative or nonauthoritative for a namespace
• An authoritative DNS server for the namespace will either:
    • Return the requested IP address
    • Return an authoritative “No”
• A nonauthoritative DNS server for the namespace will either:
    • Check its cache
    • Use forwarders
    • Use root hints
A recursive query is sent to a DNS server and requires a complete answer
An iterative query directed to a DNS server may be answered with a referral to another DNS server
[Diagram: the DNS client sends a recursive query for mail1.contoso.com to the Local DNS server; the local DNS server sends iterative queries to the Root hint (.) server ("Ask .com"), the .com server and the contoso.com server, and returns 172.16.64.11 to the client]
 What Is Forwarding?
A forwarder is a DNS server designated to resolve external or offsite DNS domain names
Conditional forwarding forwards requests using a domain name condition
[Diagram: the Client computer queries the Local DNS server; queries for contoso.com are forwarded to the contoso.com DNS server, all other domains go to the Forwarder (ISP DNS), which resolves them with iterative queries to the Root hint (.) and .com servers ("Ask .com")]
How DNS Server Caching Works
DNS server cache
Host name              IP address      TTL
ServerA.contoso.com    131.107.0.44    28 seconds
[Diagram: Client1 asks the DNS server "Where's ServerA?" and is answered "ServerA is at 131.107.0.44"; Client2 asks the same question and receives the same answer]
How to Install the DNS Server Role
• DNS Server Installation Methods
  • Server Manager
  • Active Directory Domain Services Installation Wizard
• Tools available to manage DNS Server
  • DNS Manager Snap-In
    • Server Manager
    • DNS Manager console (dnsmgmt.msc)
  • DNSCmd command-line tool
  • Remote Server Administrative tools
Demonstration: Installing the DNS Server Role
   In this demonstration, you will see how to:
     • Install a second DNS server
     • Configure forwarding
Lesson 3: Managing DNS Zones
• What Are DNS Zone Types?
• What Are Dynamic Updates?
• What Are Active Directory-Integrated Zones?
• Demonstration: Creating an Active Directory–Integrated Zone
What Are DNS Zone Types?
Zones                         Description
Primary                       Read/write copy of a DNS database
Secondary                     Read-only copy of a DNS database
Stub                          Copy of a zone that contains only records used to locate name servers
Active Directory–integrated   Zone data is stored in AD DS rather than in zone files
What Are Dynamic Updates?
DHCP Client service registers records for client:
• During client startup
• If new/changed IP address (fixed/DHCP) on any network connection
• If ipconfig /registerdns is run
1. Client sends Start of Authority (SOA) query
2. DNS server returns SOA resource record
3. Client sends dynamic update request(s) to identify the primary DNS server
4. DNS server responds that it can perform update
5. Client sends unsecured update to DNS server
6. If zone permits only secure updates, update is refused
7. Client sends secured update to DNS server
[Diagram: client and DNS Server exchanging messages 1–7; Resource Records stored on the DNS Server]
What Are Active Directory-Integrated Zones?
• DNS zone data is stored in AD DS
• Allows multimaster writes to zone
• Replicates DNS zone information by using AD DS
 replication
  • Leverages efficient replication topology
  • Uses efficient Active Directory replication processes:
    Incremental updates
• Enables secure dynamic updates
• Security: Can delegate zones, domains, resource records
[Diagram: contoso.com zone containing hqdc01, filesvr01 and desktop101]
Demonstration: Creating an Active Directory–Integrated Zone
In this demonstration, you will see how to:
  • Create an Active Directory-integrated zone
  • Create a record
  • Verify replication to a second DNS server
Lab: Implementing DNS
• Exercise 1: Installing and Configuring DNS
• Exercise 2: Creating Host Records in DNS
• Exercise 3: Managing the DNS Server Cache
 Logon Information
 Virtual Machine              20410A-LON-DC1
                              20410A-LON-SVR1
                              20410A-LON-CL1
 User Name                    Adatum\Administrator
 Password                     Pa$$w0rd
 Estimated Time: 45 minutes
Lab Scenario
A. Datum Corporation has an IT office and data center in
London, which supports the London location and other
locations. A. Datum has recently deployed a Windows 2012
Server infrastructure with Windows 8 clients. You need to
configure the infrastructure service for a new branch office.
Your manager has asked you to configure the domain
controller in the branch office as a DNS server. You have
also been asked to create some new host records to
support a new application that is being installed. Finally, you
need to configure forwarding on the DNS server in the
branch office to support Internet name resolution.
Lab Review
Can you install the DNS server role on a server that is not a
domain controller? If yes, are there any limitations?
What is the common way to handle Internet name
resolution on a local DNS server?
How can you browse the content of the DNS resolver cache on
a DNS server?
Module Review and Takeaways
• Review Questions
• Best Practices
• Common Issues and Troubleshooting Tips
• Tools
Module 8: Implementing IPv6
Module Overview
• Overview of IPv6
• IPv6 Addressing
• Coexistence with IPv4
• IPv6 Transition Technologies
Lesson 1: Overview of IPv6
• Benefits of IPv6
• Differences Between IPv4 and IPv6
• IPv6 Address Space
Benefits of IPv6
Benefits of IPv6 include:
• Larger address space
• Hierarchical addressing and routing infrastructure
• Stateless and stateful address configuration
• Required support for IPsec
• End-to-end communication
• Prioritized delivery
• Improved support for single-subnet environments
• Extensibility
 Differences Between IPv4 and IPv6
Source and destination addresses
  IPv4: 32 bits (4 bytes) in length
  IPv6: 128 bits (16 bytes) in length
IPsec support
  IPv4: Optional
  IPv6: Required
Address Resolution
  IPv4: Broadcast ARP Request frames resolve IPv4 address to link layer address
  IPv6: ARP Request frames replaced with multicast Neighbor Solicitation messages
Manages local subnet group membership
  IPv4: IGMP
  IPv6: IGMP replaced with MLD messages
Router Discovery
  IPv4: ICMP Router Discovery
  IPv6: Replaced with ICMPv6 Router Solicitation and Router Advertisement messages
Broadcast addresses
  IPv4: Sends traffic to all nodes on a subnet
  IPv6: Uses a link-local scope, all-nodes multicast address instead of an IPv6 broadcast address
Configuration
  IPv4: Configured manually or through DHCP
  IPv6: Can be configured manually, by using DHCP, or router advertisements
Resource records
  IPv4: Uses host (A) resource records in DNS to map host names to IPv4 addresses
  IPv6: Uses IPv6 host (AAAA) resource records in DNS to map host names to IPv6 addresses
IPv6 Address Space
  • 128-bit address in binary:
    0010000000000001000011011011100000000000000000000010111100111011
    0000001010101010000000001111111111111110001010001001110001011010
  • 128-bit address divided into 16-bit blocks:
    0010000000000001 0000110110111000 0000000000000000 0010111100111011
    0000001010101010 0000000011111111 1111111000101000 1001110001011010
  • Each 16-bit block converted to HEX (base 16):
    2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
  • Further simplify by removing leading zeros:
    2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
  Worked example for the block 0010 1111 0011 1011 (bit weights 8 4 2 1):
    [0 0 1 0]  0+0+2+0 = 2
    [1 1 1 1]  8+4+2+1 = F
    [0 0 1 1]  0+0+2+1 = 3
    [1 0 1 1]  8+0+2+1 = B
    = 2F3B
Lesson 2: IPv6 Addressing
• IPv6 Prefixes
• Unicast IPv6 Address Types
• Zone IDs
• Address Autoconfiguration for IPv6
• Demonstration: Configuring IPv6 Client Settings
 IPv6 Prefixes
Allocation                       Prefix binary value   Prefix hexadecimal value   Fraction of the address space
Reserved                         0000 0000             -                          1/256
Global unicast addresses         001                   2 or 3                     1/8
Link-local unicast addresses     1111 1110 1000        FE8                        1/1024
Unique local unicast addresses   1111 1100             FD                         1/256
Multicast addresses              1111 1111             FF                         1/256
Prefixes are expressed in the same manner as CIDR notation
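The binary-to-hex walk-through from the IPv6 Address Space slide and the prefix table above, carried out in code as an added example (not course material). It goes one step beyond the slide by also applying the "::" rule for runs of zero blocks; the 128-bit input is the slide's own address written out, and Python's ipaddress module is used only to cross-check the hand conversion.

```python
# Added example (not course material): the slide's conversion of the address
# 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A from 128 binary digits to compressed
# text, plus classification against the slide's prefix table. It goes one step
# beyond the slide by also applying the "::" rule for runs of zero blocks.
# Python's ipaddress module is used only to cross-check the hand conversion.
import ipaddress

# Constructed input: the slide's example address written out as 128 bits.
BINARY_ADDRESS = (
    "0010000000000001" "0000110110111000" "0000000000000000" "0010111100111011"
    "0000001010101010" "0000000011111111" "1111111000101000" "1001110001011010"
)

# Binary prefix -> allocation, from the slide's prefix table. Unique local
# addresses are matched on the first 7 bits (1111 110), which covers the FD
# prefix the table names.
PREFIX_TABLE = (
    ("00000000", "Reserved"),
    ("001", "Global unicast"),
    ("1111111010", "Link-local unicast"),
    ("1111110", "Unique local unicast"),
    ("11111111", "Multicast"),
)


def nibble_to_hex(bits: str) -> str:
    """One 4-bit group to a hex digit using the slide's 8-4-2-1 weights."""
    value = sum(w for w, b in zip((8, 4, 2, 1), bits) if b == "1")
    return "0123456789ABCDEF"[value]


def binary_to_blocks(bits: str) -> list:
    """128 bits -> eight 16-bit blocks, each rendered as four hex digits."""
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 128 binary digits")
    blocks = [bits[i:i + 16] for i in range(0, 128, 16)]
    return ["".join(nibble_to_hex(b[j:j + 4]) for j in range(0, 16, 4))
            for b in blocks]


def strip_leading_zeros(blocks: list) -> list:
    """Drop leading zeros in each block; an all-zero block becomes '0'."""
    return [b.lstrip("0") or "0" for b in blocks]


def compress(blocks: list) -> str:
    """Join with ':' and replace the longest run (>= 2) of zero blocks by '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < len(blocks):
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < len(blocks) and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(blocks)
    left = ":".join(blocks[:best_start])
    right = ":".join(blocks[best_start + best_len:])
    return f"{left}::{right}"


def binary_to_text(bits: str) -> str:
    """Full pipeline: binary -> 16-bit blocks -> hex -> shortened text form."""
    return compress(strip_leading_zeros(binary_to_blocks(bits)))


def cross_check(bits: str) -> bool:
    """True if the hand conversion agrees with Python's ipaddress parser."""
    return int(ipaddress.IPv6Address(binary_to_text(bits))) == int(bits, 2)


def classify(address: str) -> str:
    """Name the allocation an address falls in, using PREFIX_TABLE."""
    bits = format(int(ipaddress.IPv6Address(address)), "0128b")
    for prefix, name in PREFIX_TABLE:
        if bits.startswith(prefix):
            return name
    return "Other"
```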
Unicast IPv6 Address Types
 • Global unicast addresses
 • Link-local unicast addresses
 • Unique local IPv6 unicast addresses
Global Unique Unicast Address: Format Prefix 001 (3 bits) | Global Routing Prefix (45 bits) | Subnet ID (16 bits) | Interface ID (64 bits)
  The 48-bit prefix is managed by IANA and assigned to top-level ISPs; the subnet bits are for organizations; the interface ID is the client interface ID
Link-Local Address: Format Prefix 1111 1110 10 (10 bits) | 000 . . . 000 (54 bits) | Interface ID (64 bits)
  All link-local IPs have a prefix of FE8
Unique Local IPv6 Address: Format Prefix (8 bits) | Random sequence (40 bits) | Subnet ID (16 bits) | Interface ID (64 bits)
  All unique local IPs have a prefix of FD
Zone IDs
• A zone ID:
  • Is a unique identifier that is added to link-local
    addresses
  • Is based on the interface index
  • Must be included when communicating with a link-
    local address
• Examples:
   • fe80::2b0:d0ff:fee9:4143%3
   • fe80::94bd:21cf:4080:e612%2
  Address Autoconfiguration for IPv6
  1. Derive the link-local address
  2. Check for address conflicts using neighbor solicitation
  3. Check for a router on the network
  4. Check the router prefixes
  5. If the Managed or Other flag is set, check DHCPv6 for prefixes
  6. Add …
Autoconfigured IP Timeline: Tentative → Preferred → Deprecated → Invalid (over time); the Preferred Lifetime covers the Preferred state and the Valid Lifetime covers both Preferred and Deprecated
[Diagram: IPv6 Client fe80::d593:e1e:e612:53e4%10 receives router configuration information and additional router prefixes from the IPv6 Router, and DHCPv6 information from the IPv6 DHCP Server]
Demonstration: Configuring IPv6 Client Settings
 In this demonstration, you will see how to:
   • View IPv6 configuration by using IPconfig
   • Configure IPv6 on LON-DC1
   • Configure IPv6 on LON-SVR1
   • Verify IPv6 communication is functional
Lesson 3: Coexistence with IPv4
• What Are Node Types?
• IPv4 and IPv6 Coexistence
• Demonstration: Configuring DNS to Support IPv6
• What Is IPv6 Over IPv4 Tunneling?
What Are Node Types?
[Diagram: an IPv4 Only Node on the IPv4 Network, an IPv6 Only Node on the IPv6 Network, and an IPv4/IPv6 Node attached to both]
IPv4 and IPv6 Coexistence
Windows Server 2012 uses a dual IP layer
architecture that supports IPv4 and IPv6 in a single
protocol stack
DNS records required for coexistence are:
• Host (A) resource records for IPv4 nodes
• IPv6 host (AAAA) resource records
• Reverse lookup pointer (PTR) resource records for IPv4
 and IPv6 nodes
Demonstration: Configuring DNS to Support IPv6
In this demonstration, you will see how to:
  • Configure an IPv6 host (AAAA) resource record for an
    IPv6 address
  • Verify name resolution for an IPv6 host (AAAA)
    resource record
 What Is IPv6 Over IPv4 Tunneling?
IPv6 over IPv4 tunneling allows IPv6 to communicate through an IPv4 network
IPv6 Packet: IPv6 header | Extension headers | Upper layer protocol data unit
IPv4 Packet: IPv4 header | IPv6 header | Extension headers | Upper layer protocol data unit
[Diagram: an IPv6 packet carried inside an IPv4 packet across the IPv4 network between two IPv6 networks]
Lesson 4: IPv6 Transition Technologies
• What Is ISATAP?
• What Is 6to4?
• What Is Teredo?
• What Is PortProxy?
• Process for Transitioning to IPv6–Only
What Is ISATAP?
• Address assignment and automatic tunneling technology for unicast IPv6 traffic between IPv6/IPv4 nodes across an IPv4 intranet
• ISATAP addresses:
   • [64-bit unicast prefix]:0:5EFE:w.x.y.z – private
   • [64-bit unicast prefix]:200:5EFE:w.x.y.z – public
   • Example: FE80::5EFE:192.168.137.133
• ISATAP treats an IPv4 infrastructure as a single link
ISATAP Router
• Advertises subnet prefixes that are assigned to the logical ISATAP subnet on which ISATAP hosts are located
• ISATAP hosts use the advertised subnet prefixes to configure global ISATAP addresses
• Forwards packets between ISATAP hosts and hosts on other IPv6 subnets (optional)
• The other subnets can be subnets in an IPv6-capable portion of the organization's network or the IPv6 Internet
How ISATAP Tunneling Works
[Diagram: an ISATAP host on the IPv4-only intranet and an ISATAP router that also connects to the IPv6-capable network; 1 DNS query for ISATAP to the DNS server, 2 IPv4-encapsulated router solicitation, 3 IPv4-encapsulated router advertisement; IPv6 is tunneled with IPv4 on the intranet side and travels as native IPv6 traffic beyond the router]
What Is 6to4?
• Address assignment and automatic tunneling technology for unicast IPv6 traffic between IPv6/IPv4 nodes across the IPv4 Internet
• 6to4 address:
   2002:WWXX:YYZZ:Subnet_ID:Interface_ID
• 6to4 treats the IPv4 Internet as a single link
Field                      Value
IPv6 Source Address        2002:9D3C:5B7B:1::1
IPv6 Destination Address   2002:836B:D231:2::3
IPv4 Source Address        157.60.91.123
IPv4 Destination Address   131.107.210.49
[Diagram: Site 1 (IPv6 hosts A and B, IPv6/IPv4) and Site 2 (IPv6 host C, IPv6/IPv4) each sit behind a 6to4 router (IPv6/IPv4) on the IPv4 Internet; a 6to4 relay (IPv6/IPv4) joins the IPv4 Internet to the IPv6 Internet, where IPv6-only host D resides]
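The ISATAP and 6to4 address formats on the two slides above can be checked with a short script. This is an added example, not course material: it assembles each address from its fields (prefix, flag word, 5EFE, embedded IPv4) as raw bytes and lets .NET print the canonical text; the sample values are the ones on the slides (192.168.137.133, 157.60.91.123, 131.107.210.49), and the state cmdlets at the end come from the NetworkTransition module of Windows Server 2012.

```powershell
# Added example, not course material. Builds ISATAP and 6to4 addresses from
# their fields as 16-byte arrays and lets .NET print the canonical text form.

function ConvertTo-IPAddress {
    # Wraps a 4- or 16-byte array in a System.Net.IPAddress
    param([byte[]]$Bytes)
    New-Object System.Net.IPAddress -ArgumentList (,$Bytes)
}

function New-IsatapAddress {
    param(
        [string]$Prefix = "FE80::",           # 64-bit unicast prefix, link-local by default
        [Parameter(Mandatory)][string]$IPv4,  # the node's IPv4 address, w.x.y.z
        [switch]$PublicIPv4                   # :200:5EFE: (public) instead of :0:5EFE: (private)
    )
    $p    = [System.Net.IPAddress]::Parse($Prefix).GetAddressBytes()[0..7]
    $v4   = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    $flag = if ($PublicIPv4) { @(0x02, 0x00) } else { @(0x00, 0x00) }
    $text = (ConvertTo-IPAddress -Bytes ([byte[]]($p + $flag + @(0x5E, 0xFE) + $v4))).ToString()
    $i    = $text.LastIndexOf("5efe:")        # the 5EFE group is never compressed away
    [pscustomobject]@{
        Canonical = $text                                  # prefix::[200:]5efe:hhhh:hhhh
        Embedded  = $text.Substring(0, $i + 5) + $IPv4     # prefix::[200:]5efe:w.x.y.z, as Windows shows it
    }
}

function New-6to4Address {
    param(
        [Parameter(Mandatory)][string]$PublicIPv4,  # the site's public IPv4 address -> WWXX:YYZZ
        [uint16]$SubnetId = 0,
        [uint64]$InterfaceId = 1
    )
    $v4  = [System.Net.IPAddress]::Parse($PublicIPv4).GetAddressBytes()
    $sub = [System.BitConverter]::GetBytes($SubnetId)     # little-endian on Windows
    $iid = [System.BitConverter]::GetBytes($InterfaceId)
    [array]::Reverse($sub); [array]::Reverse($iid)        # network byte order
    (ConvertTo-IPAddress -Bytes ([byte[]](@(0x20, 0x02) + $v4 + $sub + $iid))).ToString()
}

function Get-6to4EmbeddedIPv4 {
    # Recovers the IPv4 address carried in bits 16-47 of a 2002::/16 address
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b[0] -ne 0x20 -or $b[1] -ne 0x02) { throw "$Address is not a 6to4 (2002::/16) address" }
    $v4 = [byte[]]$b[2..5]
    (ConvertTo-IPAddress -Bytes $v4).ToString()
}

# Cross-check against the slide values (FE80::5EFE:192.168.137.133,
# 2002:9D3C:5B7B:1::1, and the IPv4 address behind 2002:836B:D231:2::3)
$checks = @(
    @{ Got = (New-IsatapAddress -IPv4 "192.168.137.133").Embedded;               Want = "fe80::5efe:192.168.137.133" },
    @{ Got = (New-6to4Address -PublicIPv4 "157.60.91.123" -SubnetId 1 -InterfaceId 1); Want = "2002:9d3c:5b7b:1::1" },
    @{ Got = (Get-6to4EmbeddedIPv4 -Address "2002:836B:D231:2::3");              Want = "131.107.210.49" }
)
foreach ($c in $checks) {
    $status = if ($c.Got -eq $c.Want) { "ok" } else { "MISMATCH" }
    "{0,-9} {1}" -f $status, $c.Got
}

# State of the transition technologies on this host (NetworkTransition module)
Get-NetIsatapConfiguration
Get-Net6to4Configuration
Get-NetTeredoState
Get-NetIPAddress | Where-Object {
    $_.InterfaceAlias -like "isatap*" -or $_.InterfaceAlias -like "6TO4*" -or $_.InterfaceAlias -like "Teredo*"
} | Select-Object InterfaceAlias, IPAddress
```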
What Is Teredo?
• Address-assignment and automatic tunneling technology for unicast IPv6 traffic between IPv6/IPv4 nodes that are located behind one or more IPv4 NATs on the IPv4 Internet
• 6to4 relies on public IPv4 address and IPv6 router functionality in an edge device
• Automatically adjusts behavior based on the type of NAT
Components of Teredo
[Diagram: a Teredo client behind a restricted NAT on the IPv4 Internet, Teredo servers, a Teredo relay between the IPv4 Internet and the IPv6 Internet, a Teredo host-specific relay, and an IPv6-only host on the IPv6 Internet; traffic is IPv6 over IPv4 on the IPv4 Internet and native IPv6 on the IPv6 Internet]
Teredo: Restricted NAT Tunneling
When Teredo is behind a restricted NAT, initial communication involves several additional steps
How Teredo works:
 1 Communicate with Teredo server
 2 Discover the kind of NAT running at a given host
 3 Establish communications between Teredo clients
[Diagram: Teredo Client A (behind a NAT, using Teredo Server 1) reaching Teredo Client B (behind a restricted NAT, using Teredo Server 2): 1 bubble packet to Teredo Client B, dropped by the restricted NAT; 2 bubble packet to Teredo Server 2; 3 forwarded bubble packet to Teredo Client B; 4 bubble packet to Teredo Client A; 5 direct packet to Teredo Client B]
What Is PortProxy?
PortProxy is a component that allows the proxying of the
following traffic:
   • IPv4 to IPv4: TCP traffic to an IPv4 address is
     proxied to TCP traffic to another IPv4 address
   • IPv4 to IPv6: TCP traffic to an IPv4 address is
     proxied to TCP traffic to an IPv6 address
   • IPv6 to IPv6: TCP traffic to an IPv6 address is
     proxied to TCP traffic to another IPv6 address
   • IPv6 to IPv4: TCP traffic to an IPv6 address is
     proxied to TCP traffic to an IPv4 address
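As an added example (not part of the course material), the following Windows PowerShell wraps the built-in netsh interface portproxy tool for the four cases listed above and adds an audit function for the rules that are already configured; all addresses and ports are constructed sample values.

```powershell
# Added example, not course material. netsh interface portproxy is the built-in
# PortProxy configuration tool; PortProxy is served by the IP Helper service
# (iphlpsvc), which must be running for the rules to take effect.

function Add-PortProxyRule {
    # Mode names match the four cases on the slide; PortProxy handles TCP only
    param(
        [Parameter(Mandatory)][ValidateSet("v4tov4", "v4tov6", "v6tov6", "v6tov4")][string]$Mode,
        [Parameter(Mandatory)][string]$ListenAddress,
        [Parameter(Mandatory)][int]$ListenPort,
        [Parameter(Mandatory)][string]$ConnectAddress,
        [Parameter(Mandatory)][int]$ConnectPort
    )
    netsh interface portproxy add $Mode "listenaddress=$ListenAddress" "listenport=$ListenPort" `
        "connectaddress=$ConnectAddress" "connectport=$ConnectPort"
}

function Get-PortProxyRule {
    # Enumerates the rules netsh persists under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy,
    # the same data that "netsh interface portproxy show all" prints. Worth running as a
    # periodic audit: a forgotten proxy keeps exposing an internal service on another address.
    $root = "HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy"
    foreach ($mode in "v4tov4", "v4tov6", "v6tov6", "v6tov4") {
        $key = "$root\$mode\tcp"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like "PS*") { continue }     # skip PSPath, PSParentPath, ... metadata
            [pscustomobject]@{ Mode = $mode; Listen = $p.Name; Connect = $p.Value }
        }
    }
}

# IPv4-only clients reach an IPv6-only web server through this host (v4tov6), and
# IPv6-only clients reach an IPv4-only service (v6tov4); constructed addresses
Add-PortProxyRule -Mode v4tov6 -ListenAddress "10.0.0.5" -ListenPort 8080 `
    -ConnectAddress "2001:db8:0:1::10" -ConnectPort 80
Add-PortProxyRule -Mode v6tov4 -ListenAddress "2001:db8:0:1::5" -ListenPort 8080 `
    -ConnectAddress "10.0.0.20" -ConnectPort 80

Get-PortProxyRule | Format-Table -AutoSize
netsh interface portproxy show all

# Remove a rule once it is no longer needed
netsh interface portproxy delete v4tov6 "listenaddress=10.0.0.5" "listenport=8080"
```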
Process for Transitioning to IPv6–Only
To transition from IPv4 to IPv6 you must:
• Update applications to support IPv6
• Update routing infrastructure to support IPv6
• Update devices to support IPv6
• Update DNS with records for IPv6
• Upgrade hosts to IPv4/IPv6 nodes
Lab: Implementing IPv6
• Exercise 1: Configuring an IPv6 Network
• Exercise 2: Configuring an ISATAP Router
 Logon Information
 Virtual Machine     20410A-LON-DC1
                     20410A-LON-RTR
                     20410A-LON-SVR2
 User Name           Adatum\Administrator
 Password            Pa$$w0rd
 Estimated Time: 30 minutes
Lab Scenario
A. Datum Corporation has an IT office and data center in
London, which support the London location and other
locations. They have recently deployed a Windows Server
2012 infrastructure with Windows 8 clients. You now need
to configure the infrastructure service for a new branch
office.
The IT manager at A. Datum has been briefed by several
application vendors about newly added support for IPv6 in
their products. A. Datum does not have IPv6 support in
place at this time. The IT manager would like you to
configure a test lab that uses IPv6. As part of the test lab
configuration, you also need to configure ISATAP to allow
communication between an IPv4 network and an IPv6
network.
Lab Review
 Was IPv6 configured statically or dynamically in this lab?
 Why did you not need to configure LON-DC1 with the
 IPv4 address of the ISATAP router?
Module Review and Takeaways
• Review Questions
• Best Practices
Microsoft Official Course
         ®
         Module 9
             Implementing Local Storage
Module Overview
• Overview of Storage
• Managing Disks and Volumes
• Implementing Storage Spaces
Lesson 1: Overview of Storage
• Disk Types and Performance
• What Is Direct Attached Storage?
• What Is Network Attached Storage?
• What Is a SAN?
• What Is RAID?
• RAID Levels
Disk Types and Performance
Performance and Cost:
  • As performance increases, so does cost
[Diagram: performance and cost both rise from EIDE through SATA, SCSI and SAS up to SSD]
What Is Direct Attached Storage?
DAS disks are physically attached to the server
Advantages:
  • Easy to configure
  • Inexpensive solution
Disadvantages:
  • Isolated because it is only attached to a single server
  • Slower
[Diagram: server with attached disks]
What Is Network Attached Storage?
NAS is storage that is attached to a dedicated storage device and accessed through network shares
Advantages:
  • Relatively inexpensive
  • Easy to configure
Disadvantages:
  • Slower access times
  • Not an enterprise solution
NAS offers centralized storage at an affordable price
[Diagram: a file server reaches the NAS device over the LAN (Ethernet) using file-level access (CIFS, NFS)]
What Is a SAN?
SANs offer higher availability with the most flexibility
Advantages:
  • Fastest access times
  • Easily expandable
  • Centralized storage
  • High level of redundancy
Disadvantages:
  • More expensive
  • Requires specialized skills
SANs can be implemented using Fibre Channel or iSCSI
[Diagram: servers connect through switches to the storage device]
What Is RAID?
RAID combines multiple disks into a single logical unit to provide fault tolerance and performance
• RAID provides fault tolerance by using:
  • Disk mirroring
  • Parity information
• RAID can provide performance benefits by spreading disk I/O across multiple disks
• RAID can be configured using several different levels
• RAID should not replace server backups
RAID Levels
RAID 0: Block level striped set without parity or mirroring
RAID 1: Mirrored set without parity
RAID 2: Bit level striped set with dedicated parity
RAID 3: Byte level striped set with dedicated parity
RAID 4: Block level striped set with parity on a dedicated disk
RAID 5: Block level striped set with parity distributed across all disks
RAID 6: Block level striped set with double parity distributed across all disks
RAID 0+1: Each set of disks is striped, then the stripe set is mirrored
RAID 1+0: Each pair of disks is mirrored, then the mirrored disks are all striped
Lesson 2: Managing Disks and Volumes
• Selecting a Partition Table Format
• Selecting a Disk Type
• Selecting a File System
• What Is a Resilient File System?
• What Are Mount Points and Links?
• Demonstration: Creating Mount Points and Links
• Extending and Shrinking Volumes
Selecting a Partition Table Format
Use MBR for disks smaller than 2 terabytes, and GPT for disks
larger than 2 terabytes
MBR
 • Standard Partition table format since early 1980s
 • Supports a maximum of 4 primary partitions per drive
 • Can partition a disk up to 2 terabytes
GPT
 • GPT is the successor of MBR partition table format
 • Supports a maximum of 128 partitions per drive
 • Can partition a disk up to 18 exabytes
Selecting a Disk Type
Basic disks:
  • Are disks initialized for basic storage
  • Are the default storage for Windows
Dynamic disks:
  • Can be modified without restarting Windows
  • Provide several options for configuring volumes
Disk volume requirements include:
  • A system volume for hardware-specific files that are required to
    start the server
  • A boot volume for the Windows operating system files
Selecting a File System
When selecting a file system, consider the differences between FAT, NTFS, and ReFS
FAT provides:
 • Basic file system
 • Partition size limitations
 • FAT32 to enable larger disks
 • exFAT developed for flash drives
NTFS provides:
 • Metadata
 • Security (ACLs and encryption)
 • Auditing and journaling
ReFS provides:
 • Backward compatibility support for NTFS
 • Enhanced data verification and error correction
 • Support for larger files, directories, volumes, etc.
What Is a Resilient File System?
ReFS is a new file system that is built into Windows Server 2012
  • ReFS provides the following advantages:
    §   Metadata integrity with checksums
    §   Integrity streams with user data integrity
    §   Allocation on write transactional model
    §   Large volume, file, and directory sizes (2^78 bytes with 16-KB
        cluster size)
    §   Storage pooling and virtualization
    §   Data striping for performance and redundancy
    §   Disk scrubbing for protection against latent disk errors
    §   Resiliency to corruptions with recovery
    §   Shared storage pools across machines
What Are Mount Points and Links?
A mount point is a reference to a location on a disk that enables
operating system access to disk resources
Volume mount points enable you to mount volumes or disks as folders
rather than using drive letters
Use volume mount points when:
   • You need to add disk space without changing the folder
     structure
   • You do not have drive letters available for creating new volumes
A link file is a special type of file that contains a reference to another file
or directory
Link options:
  • Symbolic file link (also known as a soft link)
  • Symbolic directory link (also known as a directory junction)
Demonstration: Creating Mount Points and Links
In this demonstration, you will see how to:
• Create a mount point and assign it to a folder
• Create a link between folders and see how it behaves
• Create a link for a file
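The three demonstration steps, as an added example in Windows PowerShell that is not part of the course material: it assumes an already-partitioned second disk (disk 1, partition 2) and constructed paths under C:\Mounts, C:\Links and C:\Projects, and shows how to spot the links afterwards.

```powershell
# Added example, not course material. Assumes disk 1 / partition 2 exists and
# is formatted; all folder paths are constructed.
$mountFolder = "C:\Mounts\Data\"
New-Item -ItemType Directory -Path $mountFolder -Force | Out-Null

# Mount point: the volume is reached through the folder instead of a drive letter
Add-PartitionAccessPath -DiskNumber 1 -PartitionNumber 2 -AccessPath $mountFolder
(Get-Partition -DiskNumber 1 -PartitionNumber 2).AccessPaths    # folder plus its \\?\Volume{GUID}\ path

# Links: mklink creates file symbolic links, directory symbolic links (/D) and
# directory junctions (/J). Creating a symbolic link requires SeCreateSymbolicLinkPrivilege
# (Administrators by default); a junction does not, and a junction can only target a local path.
New-Item -ItemType Directory -Path "C:\Links", "C:\Projects" -Force | Out-Null
"sample content" | Set-Content -Path "C:\Projects\report.txt"
cmd /c mklink /D "C:\Links\Projects" "C:\Projects"             # symbolic directory link
cmd /c mklink /J "C:\Links\ProjectsJunction" "C:\Projects"     # directory junction
cmd /c mklink "C:\Links\report.txt" "C:\Projects\report.txt"   # symbolic file link

function Get-ReparsePoint {
    # Lists links under a folder: every link is a reparse point, ordinary files
    # and folders are not, so the attribute separates them reliably
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Force |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::ReparsePoint } |
        Select-Object FullName, Attributes
}
Get-ReparsePoint -Path "C:\Links"
cmd /c dir /AL C:\Links     # shows the link type (SYMLINK, SYMLINKD, JUNCTION) and its target

# Whether symbolic links that cross machines are followed is a per-system setting
fsutil behavior query SymlinkEvaluation
```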
Extending and Shrinking Volumes
• You can resize NTFS volumes from the operating system,
  beginning with Windows Vista and Windows Server 2003
• When you want to resize a disk, consider the following:
   • You can extend or shrink NTFS volumes
   • ReFS volumes can only be extended
   • FAT/FAT32/exFAT cannot be resized
   • To extend, the free space has to be adjacent
   • You can shrink a volume only up to immovable files
   • Bad clusters on a disk will prevent you from shrinking a
     volume
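Before resizing, the storage stack can report the exact range a partition supports, which is how the immovable-file and adjacent-free-space limits above show up in practice. This is an added example, not course material; disk 1 / partition 2 and the 60 GB target are constructed values.

```powershell
# Added example, not course material. Disk 1 / partition 2 and the 60 GB target
# are constructed values.
function Get-ResizeRange {
    # SizeMin is bounded by immovable files near the end of the volume, SizeMax by
    # the free space adjacent to the partition; both come from Get-PartitionSupportedSize
    param([Parameter(Mandatory)][int]$DiskNumber, [Parameter(Mandatory)][int]$PartitionNumber)
    $p = Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber
    $s = $p | Get-PartitionSupportedSize
    [pscustomobject]@{
        Drive     = $p.DriveLetter
        CurrentGB = [math]::Round($p.Size / 1GB, 2)
        MinGB     = [math]::Round($s.SizeMin / 1GB, 2)   # smallest size after shrinking
        MaxGB     = [math]::Round($s.SizeMax / 1GB, 2)   # largest size after extending
    }
}
Get-ResizeRange -DiskNumber 1 -PartitionNumber 2

# Shrink to 60 GB only when that lies inside the supported range. This applies to
# NTFS volumes; ReFS volumes can only be extended and FAT volumes cannot be resized.
$target = 60GB
$range  = Get-Partition -DiskNumber 1 -PartitionNumber 2 | Get-PartitionSupportedSize
if ($target -ge $range.SizeMin -and $target -le $range.SizeMax) {
    Resize-Partition -DiskNumber 1 -PartitionNumber 2 -Size $target
} else {
    "Requested size is outside the supported range; check for immovable files or non-adjacent free space"
}
```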
Lesson 3: Implementing Storage Spaces
• What Is the Storage Spaces Feature?
• Virtual Disk Configuration Options
• Advanced Management Options for Storage
  Spaces
• Demonstration: Configuring Storage Spaces
What Is the Storage Spaces Feature?
Use storage spaces to add physical disks of any type and size to a storage pool, and then create highly-available virtual disks from it
To create a virtual disk, you need the following:
  • One or more physical disks
  • Storage pool that includes the disks
  • Virtual drives that are created with disks from the storage pool
  • Disk drives that are based on virtual drives
Virtual drives are not virtual hard disks (VHDs); they should be considered as a drive in Disk Manager
[Diagram: layers from bottom to top: Physical Disks, Storage Pool, Virtual Disk, Disk Drive]
Virtual Disk Configuration Options
Feature                 Options
Storage Layout          • Simple
                        • Two-way or three-way mirror
                        • Parity
Disk sector size        • 512 or 512e
Drive allocation        • Data store
                        • Manual
                        • Hot Spare
Provisioning schemes    • Thin vs. fixed provisioning
Advanced Management Options for Storage
Spaces
• Basic Management for Storage Spaces is available in Server
  Manager
• On disk failure:
   § Do not use chkdsk or scan disk
   § Remove the drive and add a new one
• Advanced Management requires Windows PowerShell
Windows PowerShell cmdlet                                          Description
Get-StoragePool                                                    List storage pools
Repair-VirtualDisk                                                 Repair a virtual disk
Get-PhysicalDisk | Where-Object {$_.HealthStatus -ne "Healthy"}    List unhealthy physical disks
Reset-PhysicalDisk                                                 Remove a physical disk from a storage pool
Get-VirtualDisk | Get-PhysicalDisk                                 List physical disks used for a virtual disk
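As an added example (not part of the course material), the following Windows PowerShell builds a pool and the three-way mirrored virtual disk the lab asks for, brings it online as an NTFS volume, and then applies the health checks from the table above plus the disk-replacement steps the slide lists; the pool, disk and label names are constructed.

```powershell
# Added example, not course material. Pool, virtual disk and label names are
# constructed; the five-disk minimum is the Windows Server 2012 requirement for
# a three-way mirror.
$poolName = "LabPool"
$vdName   = "Data3Way"

$candidates = @(Get-PhysicalDisk -CanPool $true)
if ($candidates.Count -lt 5) {
    throw "A three-way mirror needs at least five physical disks; only $($candidates.Count) can be pooled"
}
$subsystem = Get-StorageSubSystem | Select-Object -First 1
New-StoragePool -FriendlyName $poolName -StorageSubSystemUniqueId $subsystem.UniqueId `
    -PhysicalDisks $candidates | Out-Null

# Three copies of every block; thin provisioning lets the disk be larger than the pool today
New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $vdName `
    -ResiliencySettingName Mirror -NumberOfDataCopies 3 -ProvisioningType Thin -Size 200GB | Out-Null

# The virtual disk surfaces as an ordinary disk: initialize with GPT, partition, format
$disk = Get-VirtualDisk -FriendlyName $vdName | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
$part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS -NewFileSystemLabel "Data" `
    -Confirm:$false | Out-Null

function Get-StorageHealthReport {
    # Unhealthy physical disks together with the virtual disks that depend on them
    Get-PhysicalDisk | Where-Object { $_.HealthStatus -ne "Healthy" } | ForEach-Object {
        [pscustomobject]@{
            PhysicalDisk = $_.FriendlyName
            Health       = $_.HealthStatus
            Operational  = ($_.OperationalStatus -join ",")
            VirtualDisks = (($_ | Get-VirtualDisk | ForEach-Object { $_.FriendlyName }) -join ",")
        }
    }
}
Get-StorageHealthReport

function Repair-PoolAfterDiskFailure {
    # The slide's procedure for a failed disk: do not run chkdsk, retire the disk, add a
    # replacement, rebuild the virtual disks, then take the failed disk out of the pool
    param([Parameter(Mandatory)][string]$Pool,
          [Parameter(Mandatory)][string]$FailedDisk,
          [Parameter(Mandatory)][string]$NewDisk)
    Set-PhysicalDisk -FriendlyName $FailedDisk -Usage Retired
    Add-PhysicalDisk -StoragePoolFriendlyName $Pool -PhysicalDisks (Get-PhysicalDisk -FriendlyName $NewDisk)
    Get-StoragePool -FriendlyName $Pool | Get-VirtualDisk | Repair-VirtualDisk
    Remove-PhysicalDisk -StoragePoolFriendlyName $Pool `
        -PhysicalDisks (Get-PhysicalDisk -FriendlyName $FailedDisk) -Confirm:$false
}
```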
Demonstration: Configuring Storage Spaces
In this demonstration, you will see how to:
• Create a storage pool
• Create a virtual disk and a volume
Lab: Implementing Local Storage
• Exercise 1: Installing and Configuring a New Disk
• Exercise 2: Resizing Volumes
• Exercise 3: Configuring a Redundant Storage Space
Logon Information
Virtual Machine         20410A-LON-DC1
                        20410A-LON-SVR1
User Name               Adatum\Administrator
Password                Pa$$w0rd
Estimated Time: 30 minutes
Lab Scenario
• A. Datum is a global engineering and manufacturing company with a
  head office based in London, England. An IT office and a data center
  are located in London to support the London location and other
  locations. A. Datum has recently deployed a Windows Server 2012
  infrastructure with Windows 8 clients.
• You have been working for A. Datum for several years as a desktop
  support specialist. In this role, you visited desktop computers to
  troubleshoot application and network problems. You have recently
  accepted a promotion to the server support team. One of your first
  assignments is configuring the infrastructure service for a new branch
  office.
• Your manager has asked you to add disk space to a file server. After
  creating volumes, your manager has also asked you to resize those
  volumes based on updated information he has been given. Finally, you
  need to make data storage redundant by creating a 3-way mirrored
  virtual disk.
Lab Review
• At a minimum, how many disks must you add to a storage
 pool in order to create a three-way mirrored virtual disk?
• You have a USB-attached disk, four SAS disks, and one
 SATA disk that are attached to a Windows Server 2012
 server. You want to provide a single volume to your users
 that they can use for file storage. What would you use?
Module Review and Takeaways
• Review Questions
• Best Practices
• Tools
Microsoft Official Course
         ®
         Module 10
             Implementing File and Print
             Services
Module Overview
• Securing Files and Folders
• Protecting Shared Files and Folders using Shadow
  Copies
• Configuring Network Printing
Lesson 1: Securing Files and Folders
• What Are NTFS Permissions?
• What Are Shared Folders?
• Permissions Inheritance
• Effective Permissions
• What Is Access-Based Enumeration?
• What Are Offline Files?
• Demonstration: Creating and Configuring a
 Shared Folder
What Are NTFS Permissions?
 NTFS permissions control access for files and folders on
 NTFS-formatted storage volumes
 NTFS Permissions:
  •   Are assigned to files or folders
  •   Can be allowed or denied
  •   Are inherited from parent folders
 Permissions conflict precedence:
  1. Explicitly assigned Deny
  2. Explicitly assigned Allow
  3. Inherited Deny
  4. Inherited Allow
What Are Shared Folders?
Shared folders are folders that grant network access to their
contents
•   Folders can be shared, but individual
    files cannot
•   You can manage shared folders:
    •   Through Server Manager
    •   In Windows Explorer
    •   By using Netsh from a command line
Permissions Inheritance
Inheritance is used to manage access to resources without
assigning explicit permissions to each object
By default, permissions are inherited in a
parent/child relationship
Blocking inheritance:
 •   You can block permission inheritance
 •   You can apply blocking at the file or folder level
 •   You can set blocking on a folder to propagate the new
     permissions to child objects
Effective Permissions
 When combining shared folder and NTFS permissions, the
 most restrictive permission is applied
        Example: If a user or group is given the shared folder
        permission of Read and the NTFS permission of Write,
        the user or group will only be able to read the file
        because it is the more restrictive permission.
 Both the share and the NTFS file and folder permissions
 must have the correct permissions, otherwise the user or
 group will be denied access to the resource
What Is Access-Based Enumeration?
Access-based enumeration allows an administrator to
control the visibility of shared folders according to the
permissions set on the shared folder
Access Based Enumeration is:
 •   Built into Windows Server 2012
 •   Available for shared folders
 •   Configurable on a per shared folder basis
What Are Offline Files?
Offline file settings allow client computers to cache network files locally for
offline use when they are disconnected from the network
Demonstration: Creating and Configuring a
Shared Folder
• In this demonstration, you will see how to:
   • Create a shared folder
   • Assign permissions for the shared folder
   • Configure access based enumeration
   • Configure Offline Files
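The demonstration steps in Windows PowerShell, as an added example that is not part of the course material: it creates the folder and share with constructed names (D:\Data, share "Data", group Adatum\Sales), blocks inheritance, shows an explicit Deny winning over an inherited Allow, enables access-based enumeration, restricts offline caching, and includes a small function that applies the "most restrictive wins" rule from the Effective Permissions slide.

```powershell
# Added example, not course material. D:\Data, the share name "Data" and the
# group Adatum\Sales are constructed; D: must exist.
Import-Module SmbShare
$path  = "D:\Data"
$share = "Data"
$group = "Adatum\Sales"
New-Item -ItemType Directory -Path $path -Force | Out-Null

$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$none    = [System.Security.AccessControl.PropagationFlags]::None
function New-NtfsRule {
    # Builds an ACE that applies to the folder, its subfolders and its files
    param([string]$Identity, [string]$Rights, [string]$Type)
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $none, $Type
}

# NTFS: stop inheriting from D:\, then grant explicit rights
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)        # block inheritance and drop the inherited ACEs
$acl.AddAccessRule((New-NtfsRule "NT AUTHORITY\SYSTEM" "FullControl" "Allow"))
$acl.AddAccessRule((New-NtfsRule "BUILTIN\Administrators" "FullControl" "Allow"))
$acl.AddAccessRule((New-NtfsRule $group "Modify" "Allow"))
Set-Acl -Path $path -AclObject $acl

# Precedence: an explicit Deny on the subfolder beats the Modify the group inherits,
# so the group can still edit archived files but not delete them
$archive = Join-Path $path "Archive"
New-Item -ItemType Directory -Path $archive -Force | Out-Null
$acl = Get-Acl -Path $archive
$acl.AddAccessRule((New-NtfsRule $group "Delete, DeleteSubdirectoriesAndFiles" "Deny"))
Set-Acl -Path $archive -AclObject $acl

# Share: Change for the group, access-based enumeration so users only see what they
# can open, and offline caching only for files users pin themselves
New-SmbShare -Name $share -Path $path -FullAccess "BUILTIN\Administrators" -ChangeAccess $group `
    -FolderEnumerationMode AccessBased -CachingMode Manual | Out-Null

function Get-EffectiveShareAccess {
    # Share permissions and NTFS rights combine by intersection: the more restrictive
    # side wins. Share Read, Change and Full map to ReadAndExecute, Modify and FullControl.
    param(
        [ValidateSet("Read", "Change", "Full")][string]$SharePermission,
        [System.Security.AccessControl.FileSystemRights]$NtfsRights
    )
    $shareRights = switch ($SharePermission) {
        "Read"   { [System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
        "Change" { [System.Security.AccessControl.FileSystemRights]::Modify }
        "Full"   { [System.Security.AccessControl.FileSystemRights]::FullControl }
    }
    [System.Security.AccessControl.FileSystemRights]([int]$shareRights -band [int]$NtfsRights)
}
Get-EffectiveShareAccess -SharePermission Change -NtfsRights "ReadAndExecute"   # NTFS side restricts
Get-EffectiveShareAccess -SharePermission Read   -NtfsRights "Modify"           # share side restricts
```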
Lesson 2: Protecting Shared Files and Folders
using Shadow Copies
• What Are Shadow Copies?
• Considerations for Scheduling Shadow Copies
• Restoring Data from a Shadow Copy
• Demonstration: Restoring Data from a Shadow
 Copy
What Are Shadow Copies?
Shadow copies:
 • Allow access to previous versions of files
 • Are based on tracking disk changes
     • Disk space is allocated on the same volume
     • When the space is full, older shadow copies
       are removed
 • Are not a replacement for backups
 • Are not suitable for recovering databases
 Considerations for Scheduling Shadow Copies
• Default schedule is
  7:00 A.M. and noon
• Create a shadow copy
  schedule based on:
   • Volume of changes
   • Importance of changes
   • Storage limitations
Restoring Data from a Shadow Copy
• Previous versions are accessible from the Properties window
  of a file or folder
    • Administrators can restore previous versions
      directly on the server
    • Users can restore previous versions over the network
• All users can:
    • Restore a file or folder
    • Copy a file or folder to an alternate location
    • Browse previous versions to select the correct version
Demonstration: Restoring Data from a Shadow
Copy
• In this demonstration, you will see how to:
   • Configure shadow copies
   • Create a new file
   • Create a shadow copy
   • Modify the file
   • Restore the previous version
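Configuring shadow copies from the command line, as an added example that is not part of the course material: it sets a storage area on volume D: (constructed volume and 10% cap), registers the 7:00 A.M. and noon schedule named on the earlier slide, takes a copy on demand as the demonstration does, and lists the copies so the schedule can be checked.

```powershell
# Added example, not course material. Volume D: and the 10% cap are constructed.
$volume = "D:"

# Storage area on the same volume; when it fills up, the oldest shadow copies are
# removed. If an association already exists, use "vssadmin resize shadowstorage".
vssadmin add shadowstorage /For=$volume /On=$volume /MaxSize=10%

# Schedule: the same vssadmin command the Shadow Copies dialog registers as a task,
# run as SYSTEM at the two default times
$action   = New-ScheduledTaskAction -Execute "vssadmin.exe" -Argument "create shadow /For=$volume"
$triggers = @(
    (New-ScheduledTaskTrigger -Daily -At "7:00AM"),
    (New-ScheduledTaskTrigger -Daily -At "12:00PM")
)
Register-ScheduledTask -TaskName "ShadowCopy-$($volume.TrimEnd(':'))" -Action $action `
    -Trigger $triggers -User "SYSTEM" -RunLevel Highest | Out-Null

# Take one now, as in the demonstration ("vssadmin create shadow" exists on Server SKUs only)
vssadmin create shadow /For=$volume

function Get-ShadowCopyList {
    # Lists a volume's shadow copies with creation time via WMI: the same versions the
    # Previous Versions tab offers, and the evidence that the schedule is running.
    # Shadow copies live on the same volume, so they are not a substitute for backups.
    param([string]$DriveLetter = "D:")
    $vol = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    Get-WmiObject -Class Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        ForEach-Object {
            [pscustomobject]@{
                Id      = $_.ID
                Created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
                Device  = $_.DeviceObject    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            }
        } | Sort-Object Created
}
Get-ShadowCopyList -DriveLetter $volume | Format-Table -AutoSize
```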
Lesson 3: Configuring Network Printing
• Benefits of Network Printing
• What Is Enhanced Point and Print?
• Security Options for Network Printing
• Demonstration: Creating Multiple Configurations
  for a Print Device
• What Is Printer Pooling?
• What Is Branch Office Direct Printing?
• Deploying Printers to Clients
Benefits of Network Printing
 • Centralized management
 • Simplified troubleshooting
 • Lower total cost of ownership
 • Listing in AD DS
What Is Enhanced Point and Print?
• Enhanced Point and Print uses the v4 driver model to
  provide a simplified management structure for network
  printer drivers
• Enhanced Point and Print provides the following benefits:
   • Print servers do not need to store client print drivers
   • Driver files are isolated, preventing file naming conflicts
   • A single driver can support multiple devices
   • Driver packages are smaller and install faster
   • The print driver and the printer user interface can be
     deployed independently
Security Options for Network Printing
• The default security allows everyone to:
    • Print
    • Manage their own print jobs
 • The available permissions are:
    • Print
    • Manage this printer
    • Manage documents
Demonstration: Creating Multiple Configurations
for a Print Device
• In this demonstration, you will see how to:
   • Create a shared printer
   • Create a second shared printer using the same port
   • Increase printing priority for a high priority print queue
 What Is Printer Pooling?
Printer pooling combines multiple physical printers into a
single logical unit
A printer pool:
  • Increases availability and scalability
  • Requires that all printers use the same driver
  • Requires that all printers are in the same location
What Is Branch Office Direct Printing?
Branch Office Direct Printing enables client computers to print directly to network printers that are shared on a print server
[Diagram: the client computer in the branch office sends the print request to the print server in the main office, which redirects it; the print job then goes directly from the client to the managed printer in the branch office]
Deploying Printers to Clients
You can deploy printers to clients by using:
  • Group Policy preferences
  • GPO created by Print Management
  • Manual installation
Lab: Implementing File and Print Services
• Exercise 1: Creating and Configuring a File Share
• Exercise 2: Configuring Shadow Copies
• Exercise 3: Creating and Configuring a Printer Pool
Logon Information
 Virtual Machine              20410A-LON-CL1
                              20410A-LON-DC1
                              20410A-LON-SVR1
 User Name                    Adatum\Administrator
 Password                     Pa$$w0rd
 Estimated Time: 60 minutes
Lab Scenario
   Your manager has recently asked you to
   configure file and print services for the branch
   office. This requires you to configure a new
   shared folder that is used by multiple
   departments, configure shadow copies on the
   file servers, and configure a printer pool.
Lab Review
How does implementing access-based enumeration benefit the users of
the Data shared folder in this lab?
Is there another way you could recover the file in the shadow copy
exercise? What benefit do shadow copies provide in comparison?
In Exercise 3, how could you configure Branch Office Direct Printing if
you were in a remote location and did not have access to the Windows
Server 2012 GUI for the print server?
Module Review and Takeaways
• Review Questions
• Tools
Microsoft Official Course
         ®
         Module 11
             Implementing Group Policy
Module Overview
• Overview of Group Policy
• Group Policy Processing
• Implementing a Central Store for Administrative
 Templates
Lesson 1: Overview of Group Policy
• Components of Group Policy
• What Are Multiple Local GPOs?
• Storage of Domain GPOs
• What Are Group Policies and Preferences?
• What Are Starter GPOs?
• Delegating Management of GPOs
• Demonstration: Creating and Managing GPOs
Components of Group Policy
A Group Policy setting defines a specific configuration change to apply to a user or a computer
A Group Policy Object is a collection of Group Policy settings that can be applied to a user, computer, or both, to enact changes
What Are Multiple Local GPOs?
Multiple Local Group Policies:
 • Have a single computer configuration that applies to the
   computer for all users who log on
 • Have layers of user settings that can apply only to
   individual users, not to groups
There are three layers of user configurations:
 • Administrator
 • Non-Administrator
 • User-specific
Storage of Domain GPOs
What Are Group Policies and Preferences?
Group Policy preferences expand the range of
configurable settings within a GPO and:
 • Are not enforced
 • Enable IT pros to configure, deploy, and manage
   operating system and application settings that were
   not manageable by using Group Policy
Features of Group Policy Preferences:
 • Create: Create a new item on the targeted computer
 • Delete: Remove an existing item from the targeted computer
 • Replace: Delete and re-create an item on the targeted computer
 • Update: Modify an existing item on the targeted computer
What Are Starter GPOs?
A starter GPO:
 • Has preconfigured administrative template settings upon which
   new GPOs can be based
 • Can be exported to .cab files
 • Can be imported into other areas of the enterprise
[Diagram: a Starter GPO is exported to a .cab file; the .cab file is then loaded and imported into GPMC]
Delegating Management of GPOs
Delegation of GPO-related tasks allows the administrative
    workload to be distributed across the enterprise
The following Group Policy tasks can be independently delegated:
  • Creating GPOs
  • Editing GPOs
  • Managing Group Policy links for a site, domain, or OU
  • Performing Group Policy Modeling analysis in a domain or OU
  • Reading Group Policy Results data in a domain or OU
  • Creating WMI filters on a domain
Demonstration: Creating and Managing GPOs
In this demonstration you will see how to:
• Create a GPO by using the GPMC
• Edit a GPO with the Group Policy Management Editor
• Use Windows PowerShell to create a GPO
Lesson 2: Group Policy Processing
• GPO Links
• Applying GPOs
• Group Policy Processing Order
• What Are the Default GPOs?
• GPO Security Filtering
• Discussion: Identifying Group Policy Application
• Demonstration: Using Group Policy Diagnostic
 Tools
GPO Links
• To deliver settings to an object, a GPO must be linked to a container
• Disabling a link removes the settings from the container
• Deleting a link does not delete the GPO
• GPOs can be linked to:
   • Sites
   • Domains
   • OUs
• GPOs cannot be linked to:
   • Users
   • Groups
   • Computers
   • System containers
Applying GPOs
• When you apply GPOs, remember that:
  • Computer settings apply at startup
  • User settings apply at logon
  • Policies refresh at regular, configurable intervals
  • Security settings refresh at least every 16 hours
  • Policies refresh manually by using:
     • The Gpupdate command
     • The Windows PowerShell cmdlet Invoke-GPUpdate
  • With the new Remote Policy Refresh feature in Windows Server 2012,
    you can remotely refresh policies
Group Policy Processing Order
(Diagram: Group Policy Processing Order. Local Group Policy is processed
first, then GPOs linked to the Site, then the Domain, then the OU, then any
child OUs; GPO1 through GPO5 are shown linked at the site, domain and OU
levels.)
What Are the Default GPOs?
There are two default GPOs:
 • Default Domain Policy
     • Used to define the account policies for the
       domain:
        • Password
        • Account lockout
        • Kerberos policies
 • Default Domain Controllers Policy
     • Used to define auditing policies
GPO Security Filtering
Apply Group Policy permissions
 • GPO has an ACL (Delegation tab, click Advanced)
 • Default: Authenticated Users have Allow Apply Group Policy
Scope only to users in selected global groups
 • Remove Authenticated Users
 • Add appropriate global groups
     • Must be global groups (GPOs do not scope to domain local)
Scope to users except for those in selected groups
 • On the Delegation tab, click Advanced
 • Add appropriate global groups
 • Deny Apply Group Policy permission
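Security filtering and the delegation from "Delegating Management of GPOs" can both be done with Set-GPPermission. The following is an added example, not course material: it scopes a GPO to one global group, narrows Authenticated Users to Read, delegates editing, and reports who can apply the GPO. It assumes the GroupPolicy module; the GPO "Sales Lockdown" and the groups "Sales Users" and "Sales GPO Editors" in adatum.com are placeholders.

```powershell
# Added example (not course material): scope a GPO to one global group and
# delegate editing of it with Set-GPPermission, then report who can apply it.
# Assumptions: GroupPolicy module; GPO and group names are placeholders.
Import-Module GroupPolicy
$GpoName = 'Sales Lockdown'
$ApplyTo = 'Sales Users'        # global group; domain local groups do not filter GPOs
$Editors = 'Sales GPO Editors'  # group that may edit settings but not links or security

function Get-GpoTrustees {
    # Lists each trustee on the GPO's ACL with its permission level (Delegation tab).
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Inherited
}

Get-GpoTrustees -Name $GpoName   # default shows Authenticated Users = GpoApply

# 1. Add the target group with Apply Group Policy (GpoApply includes Read).
Set-GPPermission -Name $GpoName -TargetName $ApplyTo -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 2. Narrow Authenticated Users to Read instead of removing it outright: since
#    the MS16-072 security update the computer account reads user-side GPOs, and
#    a GPO that Authenticated Users (or Domain Computers) cannot read silently
#    stops applying.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Delegate editing of the settings to the editors group.
Set-GPPermission -Name $GpoName -TargetName $Editors -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# Only trustees with GpoApply now receive the GPO.
Get-GpoTrustees -Name $GpoName | Where-Object { $_.Permission -eq 'GpoApply' }
```

Set-GPPermission writes Allow entries only. The third pattern on the slide, excluding selected groups with a Deny Apply Group Policy entry, is still done on the Delegation tab under Advanced, and the same Read caveat applies: a Deny on Apply must not also remove Read.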
Discussion: Identifying Group Policy Application
(Diagram of the GPO links under discussion:)
 • Domain Root: GPO1 removes access to registry tools and configures
   power options
 • Servers OU: GPO4 configures power options for servers
 • Sales OU: GPO2 locks down desktops, removes access to Control Panel,
   and configures printers
 • Users OU and Laptops OU, shown beneath the Sales OU: GPO3 on the
   Laptops OU configures power options for client laptops
Demonstration: Using Group Policy Diagnostic Tools
• In this demonstration you will see how to:
   • Use the Gpupdate command-line tool to refresh Group
     Policy
   • Use the Gpresult command-line tool and output the
     results to an HTML file
   • Use the Group Policy Modeling Wizard
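The diagnostic steps of this demonstration and the Remote Policy Refresh feature from "Applying GPOs", as an added example that is not course material. It assumes the GroupPolicy and ActiveDirectory modules on a management host, that the Remote Policy Refresh firewall rules have already been deployed to the targets, and that the OU, the client LON-CL1 and the user account are placeholders.

```powershell
# Added example (not course material): remotely refresh Group Policy on every
# computer in an OU, then collect a Resultant Set of Policy report as HTML for
# one client. Assumptions: GroupPolicy and ActiveDirectory modules; OU, client
# name and account are placeholders; Remote Policy Refresh rules are in place.
Import-Module GroupPolicy, ActiveDirectory

function Invoke-OuPolicyRefresh {
    param([Parameter(Mandatory)][string]$OU, [switch]$UserToo)
    Get-ADComputer -Filter * -SearchBase $OU | ForEach-Object {
        $name = $_.Name
        try {
            # -Force reapplies unchanged settings; delay 0 schedules the task at once
            Invoke-GPUpdate -Computer $name -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction Stop
            if ($UserToo) {
                Invoke-GPUpdate -Computer $name -Target User -Force -RandomDelayInMinutes 0 -ErrorAction Stop
            }
            [pscustomobject]@{ Computer = $name; Result = 'scheduled' }
        } catch {
            [pscustomobject]@{ Computer = $name; Result = $_.Exception.Message }
        }
    }
}

Invoke-OuPolicyRefresh -OU 'OU=Sales,DC=adatum,DC=com' -UserToo | Format-Table -AutoSize

# RSoP report: the same data Gpresult /h produces, gathered from the management host.
$report = Join-Path $env:TEMP 'rsop-LON-CL1.html'
Get-GPResultantSetOfPolicy -Computer 'LON-CL1' -User 'Adatum\Administrator' `
    -ReportType Html -Path $report
Start-Process $report   # opens the report in the default browser

# On the client itself the command-line equivalents are:
#   gpupdate /force
#   gpresult /h C:\Temp\gpresult.html /f
```

Invoke-GPUpdate only schedules a Gpupdate task on the remote computer; a result of "scheduled" means the task was created, not that policy applied without error, so the HTML report (or the Group Policy operational log on the client) is where the outcome is checked.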
Lesson 3: Implementing a Central Store for Administrative Templates
• What Is the Central Store?
• What Are Administrative Templates?
• How Administrative Templates Work
• Managed and Unmanaged Policy Settings
What Is the Central Store?
The Central Store:
 • Is a central repository for ADMX and ADML files
 • Is stored in SYSVOL
 • Must be created manually
 • Is detected automatically by Windows operating systems and
   Windows Server operating systems
(Diagram: ADMX files in the Central Store, held in SYSVOL on the domain
controllers, used from Windows workstations.)
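Creating the Central Store (the first lab exercise) is a copy of the local PolicyDefinitions folder into SYSVOL. The following is an added example, not course material; it assumes the ActiveDirectory module on a domain-joined management host or domain controller, and that the local PolicyDefinitions folder holds the templates to publish.

```powershell
# Added example (not course material): create the Central Store from the local
# PolicyDefinitions folder and verify that every .admx has its .adml.
# Assumptions: ActiveDirectory module; run as a user who can write to SYSVOL.
Import-Module ActiveDirectory
$domain  = (Get-ADDomain).DNSRoot
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$local   = "$env:SystemRoot\PolicyDefinitions"

# The store must be created manually; once the folder exists the Group Policy
# Management Editor reads ADMX/ADML from SYSVOL instead of the local machine.
if (-not (Test-Path $central)) { New-Item -ItemType Directory -Path $central | Out-Null }

# .admx files are language-neutral definitions; each language folder
# (e.g. en-US) holds the matching .adml display strings.
Copy-Item -Path "$local\*.admx" -Destination $central -Force
Get-ChildItem -Path $local -Directory | ForEach-Object {
    $dest = Join-Path $central $_.Name
    if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
    Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $dest -Force
}

function Test-CentralStore {
    # Reports the template count and any .admx without an .adml for the culture;
    # a missing .adml makes the editor show an error for that template.
    param([Parameter(Mandatory)][string]$Path, [string]$Culture = 'en-US')
    $admx    = @(Get-ChildItem -Path "$Path\*.admx")
    $missing = $admx | Where-Object {
        -not (Test-Path (Join-Path "$Path\$Culture" ($_.BaseName + '.adml')))
    }
    [pscustomobject]@{
        Store       = $Path
        AdmxCount   = $admx.Count
        AdmlMissing = @($missing | ForEach-Object { $_.BaseName })
    }
}
Test-CentralStore -Path $central
```

Because SYSVOL replicates, the store appears on every domain controller. When a product ships its own customized ADMX files, copying them into this folder (with their ADML) is what lets every administrator edit the resulting GPOs, which is the point of the lab scenario.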
What Are Administrative Templates?
Administrative Templates determine what settings appear and how they
are grouped in GPO Editor
(Diagram: .admx and .adml files define the settings; the settings write to
the registry.)
How Administrative Templates Work
• Policy settings in the Administrative Templates node make changes to
  the registry
• The setting Prevent access to registry editing tools will change the
  value of the HKLM\Software\Classes\Regedit
Managed and Unmanaged Policy Settings
Administrative Templates
 • Managed policy setting
     • UI is locked; user cannot make a change to the setting
     • Changes are made in one of four reserved registry keys
     • Change and UI locks are released when the
       user/computer falls out of scope
 • Unmanaged policy setting
     • UI is not locked
     • Changes made are persistent: tattoos the registry
 • Only managed settings are shown by default
 • Set Filter Options to view unmanaged settings
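The managed/unmanaged distinction comes down to where a setting lives. The following added example (not course material) lists the four reserved policy keys, classifies a registry path as managed or tattooing, and dumps the live footprint of managed settings on the local computer and current user. The Contoso application key is a placeholder.

```powershell
# Added example (not course material): tell managed (policy) settings apart from
# registry "tattoos" by where they are stored. Group Policy's four reserved
# keys are listed below; a value written anywhere else by a policy or a
# preference persists after the computer or user falls out of scope.
$ReservedPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-ManagedRegistryPath {
    # $true when the path sits under a reserved key, meaning the value is
    # removed automatically when the policy no longer applies.
    param([Parameter(Mandatory)][string]$Path)
    $p = $Path -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_CURRENT_USER', 'HKCU:'
    foreach ($k in $ReservedPolicyKeys) {
        if ($p -like "$k*") { return $true }
    }
    return $false
}

function Get-PolicyRegistryValues {
    # Every value currently under the reserved keys: the live footprint of
    # managed Administrative Template settings on this computer/user.
    foreach ($k in $ReservedPolicyKeys) {
        if (-not (Test-Path $k)) { continue }
        Get-ChildItem -Path $k -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $key.GetValue($name) }
            }
        }
    }
}

# "Prevent access to registry editing tools" is stored under the HKCU
# CurrentVersion\Policies key, so it is managed:
Test-ManagedRegistryPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# A preference that writes to an application's own key is unmanaged and tattoos
# (placeholder key):
Test-ManagedRegistryPath 'HKCU:\SOFTWARE\Contoso\App'

Get-PolicyRegistryValues | Format-Table -AutoSize
```

Comparing the output of Get-PolicyRegistryValues against the GPO's Settings report is a quick way to confirm that a managed setting actually arrived; anything an application still honours after the GPO is unlinked, and that is not in this list, is a tattoo.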
Preferences
 • Effects vary
Lab: Implementing Group Policy
• Exercise 1: Configuring a Central Store
• Exercise 2: Creating GPOs
Logon Information
Virtual Machine         20410A-LON-DC1
                        20410A-LON-CL1
User Name               Adatum\Administrator
Password                Pa$$w0rd
Estimated Time: 40 minutes
Lab Scenario
• A. Datum Corporation is a global engineering and
  manufacturing company with a head office based in
  London, England. An IT office and a data center are
  located in London to support the London location and
  other locations. A. Datum has recently deployed a
  Windows Server 2012 infrastructure with Windows 8
  clients.
• In your role as a member of the server support team, you
  help to deploy and configure new servers and services into
  the existing infrastructure based on the instructions given
  to you by your IT manager.
• Your manager has asked you to create a central store for
  ADMX files to ensure that everyone can edit GPOs that
  have been created with customized ADMX files. You also
  need to create a starter GPO that includes Internet
  Explorer settings, and then configure a GPO that applies
  GPO settings for the Marketing department and the IT
  department.
Lab Review
• What is the difference between the .admx files and the
 .adml files?
• The Sales Managers group should be exempted from
 the desktop lockdown policy that is being applied to the
 entire Sales OU. All sales user accounts and sales
 groups reside in the Sales OU. How would you exempt
 the Sales Managers group?
• What command can you use to force the immediate
 refresh of all group policies on a client computer?
Module Review and Takeaways
• Review Questions
• Best Practices
• Common Issues and Troubleshooting Tips
• Tools
Microsoft Official Course®
Module 12
Securing Windows Servers Using Group Policy Objects
Module Overview
• Windows Security Overview
• Configuring Security Settings
• Restricting Software
• Configuring Windows Firewall with Advanced Security
Lesson 1: Windows Security Overview
• Discussion: Identifying Security Risks and Costs
• Applying Defense-In-Depth to Increase Security
• Best Practices for Increasing Security
Discussion: Identifying Security Risks and Costs
• What are some of the risks and associated costs
 to Windows-based networks?
Applying Defense-In-Depth to Increase Security
Defense-in-depth uses a layered approach to security
 • Reduces an attacker’s chance of success
 • Increases an attacker’s risk of detection
      Layer                             Examples
      Data                              ACLs, EFS, backup/restore procedures
      Application                       Application hardening, antivirus
      Host                              Hardening, authentication, update management
      Internal Network                  Network segments, IPsec
      Perimeter                         Firewalls, Network Access Quarantine Control
      Physical Security                 Guards, locks, tracking devices
      Policies, Procedures, and         Security documents, user education
      Awareness
Best Practices for Increasing Security
 Some best practices for increasing security are:
   • Apply all available security updates quickly
   • Follow the principle of least privilege
    • Restrict console login
    • Restrict physical access
Lesson 2: Configuring Security Settings
• Configuring Security Templates
• Configuring User Rights
• Configuring Security Options
• Configuring User Account Control
• Configuring Auditing
• Configuring Restricted Groups
• Configuring Account Policy Settings
Configuring Security Templates
  Security Templates categories:
   • Account policies
   • Local policies
   • Event Log
   • Restricted Groups
   • System Services
   • Registry
   • File System
  How Security Templates are distributed:
   • Secedit.exe
   • Security Template Snap-in
   • Security Configuration Wizard
   • Group Policy
   • Security Compliance Manager
Configuring User Rights
  User Rights Types:
   • Privileges
   • Logon Rights
  Examples:
   • Add workstations to a domain
   • Allow log on locally
   • Back up files and directories
   • Change the system time
   • Force shutdown from a remote computer
   • Shut down the system
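Secedit.exe, listed above as a way to distribute templates, also exports the effective policy, which makes it the simplest way to audit user rights. The following added example (not course material) exports the local policy and reports who holds the rights named on this slide. It runs elevated on the server being checked; the right names are the constants Windows writes in the export's [Privilege Rights] section, for example SeInteractiveLogonRight for "Allow log on locally".

```powershell
# Added example (not course material): export the effective local security
# policy with Secedit.exe and list who holds selected user rights. Run elevated.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg /quiet | Out-Null

function ConvertTo-AccountName {
    # Export lines list principals as *S-1-... SIDs; translate those that resolve.
    param([string]$Entry)
    $v = $Entry.Trim()
    if ($v -notlike '*S-1-*') { return $v }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($v.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $v }
}

function Get-UserRightAssignment {
    # Parses the [Privilege Rights] section into Right / Principals objects.
    param([Parameter(Mandatory)][string]$InfPath)
    $inSection = $false
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $right = $Matches[1]; $list = $Matches[2]
            [pscustomobject]@{
                Right      = $right
                Principals = @($list -split ',' | ForEach-Object { ConvertTo-AccountName $_ })
            }
        }
    }
}

$rights = Get-UserRightAssignment -InfPath $cfg

# The rights used as examples on the slide.
$watch = 'SeMachineAccountPrivilege', 'SeInteractiveLogonRight', 'SeBackupPrivilege',
         'SeSystemtimePrivilege', 'SeRemoteShutdownPrivilege', 'SeShutdownPrivilege'
$rights | Where-Object { $_.Right -in $watch } |
    Format-Table Right, @{n='Principals'; e={ $_.Principals -join '; ' }} -AutoSize

function Test-BroadLogonRight {
    # $true when "Allow log on locally" is granted to Everyone or all Users: on
    # a member server this is what the "restrict console login" practice targets.
    param([Parameter(Mandatory)]$Assignments)
    $r = $Assignments | Where-Object { $_.Right -eq 'SeInteractiveLogonRight' }
    [bool]($r.Principals | Where-Object { $_ -in 'Everyone', 'BUILTIN\Users' })
}
Test-BroadLogonRight -Assignments $rights
```

Logon rights (the Se*LogonRight constants) and privileges (the Se*Privilege constants) appear in the same section, which mirrors the two user-right types on the slide. The same export can be imported elsewhere with secedit /configure, which is the template-distribution path the previous slide lists.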
Configuring Security Options
  Security Options settings:
   • Administrator and Guest account names
   • Access to floppy disk and CD/DVD drives
   • Digital data signatures
   • Driver installation behavior
   • Logon prompts
   • User account control
 Examples:
   • Prompt user to change password before expiration
   • Do not display last user name
   • Rename administrator account
   • Restrict CD-ROM access to locally logged-on user only
Configuring User Account Control
  UAC is a security feature that prompts the user for an administrative
  user's credentials if the task requires administrative permissions
  UAC enables users to perform common daily tasks as non-administrators
Configuring Auditing
  When you use security auditing to log security-related events,
  remember that:
  • You can find the security auditing logs in the event viewer
  • You can configure security auditing according to your
    company’s security regulations
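Lab A exercises 2 and 3 put this into practice for a file share and for domain logons. The following added example (not course material) enables the relevant audit subcategories, adds a SACL to a share folder, and reads the resulting Security log events. It runs elevated; the folder path and the look-back windows are placeholders, and the domain logon function is meant to run on a domain controller.

```powershell
# Added example (not course material): enable file system and account logon
# auditing, add a SACL to a share folder and read the resulting Security events.
# Run elevated; folder and time windows are placeholders.
$Folder = 'C:\Shares\Marketing'   # placeholder share folder

# 1. Advanced audit policy subcategories (auditpol /get /category:* lists them all).
& auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
& auditpol.exe /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable | Out-Null
& auditpol.exe /set /subcategory:"Credential Validation" /success:enable /failure:enable | Out-Null

# 2. SACL: audit successful and failed Write/Delete by anyone, inherited downwards.
#    -Audit is required, otherwise Get-Acl returns only the DACL.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Helper: read a named EventData field from a Security event.
function Get-EventField {
    param([Parameter(Mandatory)]$Event, [Parameter(Mandatory)][string]$Name)
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | Select-Object -ExpandProperty '#text'
}

# 4. File access: 4663 "An attempt was made to access an object" on success,
#    4656 with the Audit Failure keyword when the handle request was denied.
function Get-FolderAccessEvents {
    param([Parameter(Mandatory)][string]$Path, [int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4656
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Outcome = $_.KeywordsDisplayNames -join ','
                User    = Get-EventField $_ 'SubjectUserName'
                Object  = Get-EventField $_ 'ObjectName'
                Access  = Get-EventField $_ 'AccessMask'
            }
        } | Where-Object { $_.Object -like "$Path*" }
}
Get-FolderAccessEvents -Path $Folder | Format-Table -AutoSize

# 5. Domain logons, read on a DC: 4771 (Kerberos pre-authentication failed) and
#    4776 (NTLM credential validation). Failures per account; a short burst of
#    failures spread over many accounts is worth investigating.
function Get-FailedDomainLogons {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
        Group-Object { Get-EventField $_ 'TargetUserName' } |
        Sort-Object Count -Descending |
        Select-Object Count, @{n='Account'; e={ $_.Name }} -First 10
}
Get-FailedDomainLogons
```

Both the audit policy and the SACL can be delivered by Group Policy instead (Advanced Audit Policy Configuration and the File System node under Security Settings), which is how the lab applies them to all member servers. Auditing produces nothing until both halves are in place: the subcategory enabled and a SACL on the object.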
Configuring Restricted Groups
Group Policy can control group membership:
 • For any group on a local computer, by applying a GPO to the
   OU containing the computer account
 • For any group in AD DS, by applying a GPO to the
   Domain Controller’s OU
Configuring Account Policy Settings
  Account policies mitigate the threat of brute force guessing of account
  passwords
Policies      Default Settings
Password      • Controls complexity and lifetime of passwords
              • Max password age: 42 days
              • Min password age: 1 day
              • Min password length: 7 characters
              • Complex Password: enabled
              • Store password using reversible encryption: disabled
Account       • Controls how many incorrect attempts can be made
lockout       • Lockout duration: not defined
              • Lockout threshold: 0 invalid logon attempts
              • Reset account lockout after: not defined
Kerberos      • Subset of the attributes of domain security policy
              • Can only be applied at the domain level
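The defaults in the table can be checked against a live domain with one cmdlet. The following added example (not course material) reads the effective domain password and lockout policy and flags settings weaker than the table's defaults; it assumes the ActiveDirectory module on a domain-joined host. The thresholds are the course defaults, not a recommendation of their own.

```powershell
# Added example (not course material): compare the domain's effective account
# policy with the defaults in the table above. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-DomainAccountPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    # One row per setting: actual value and whether it meets the baseline.
    @(
        [pscustomobject]@{ Setting = 'Max password age (days)'; Actual = $p.MaxPasswordAge.Days
                           Ok = ($p.MaxPasswordAge.Days -gt 0 -and $p.MaxPasswordAge.Days -le 42) }
        [pscustomobject]@{ Setting = 'Min password age (days)'; Actual = $p.MinPasswordAge.Days
                           Ok = ($p.MinPasswordAge.Days -ge 1) }
        [pscustomobject]@{ Setting = 'Min password length';     Actual = $p.MinPasswordLength
                           Ok = ($p.MinPasswordLength -ge 7) }
        [pscustomobject]@{ Setting = 'Complexity enabled';      Actual = $p.ComplexityEnabled
                           Ok = $p.ComplexityEnabled }
        [pscustomobject]@{ Setting = 'Reversible encryption';   Actual = $p.ReversibleEncryptionEnabled
                           Ok = (-not $p.ReversibleEncryptionEnabled) }
        # The default threshold of 0 means accounts never lock, so it offers no
        # resistance to password guessing; flag it even though it is the default.
        [pscustomobject]@{ Setting = 'Lockout threshold';       Actual = $p.LockoutThreshold
                           Ok = ($p.LockoutThreshold -gt 0) }
        [pscustomobject]@{ Setting = 'Lockout duration (min)';  Actual = $p.LockoutDuration.TotalMinutes
                           Ok = $true }
        [pscustomobject]@{ Setting = 'Reset lockout after (min)'; Actual = $p.LockoutObservationWindow.TotalMinutes
                           Ok = $true }
    )
}

Test-DomainAccountPolicy | Format-Table -AutoSize
# Only the findings:
Test-DomainAccountPolicy | Where-Object { -not $_.Ok }
```

Get-ADDefaultDomainPasswordPolicy reads the attributes on the domain object, which is where the Default Domain Policy GPO writes them; that is why, as the table notes, these policies only take effect at the domain level.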
Lab A: Increasing Security for Server Resources
• Exercise 1: Using Group Policy to Secure Member Servers
• Exercise 2: Auditing File System Access
• Exercise 3: Auditing Domain Logons
Logon Information
Virtual Machine         20410A-LON-DC1
                        20410A-LON-SRV1
                        20410A-LON-CL1
User Name               Adatum\Administrator
Password                Pa$$w0rd
Estimated Time: 60 minutes
Lab Scenario
• A. Datum is a global engineering and manufacturing company with a
  head office based in London, England. An IT office and a data center
  are located in London to support the London location and other
  locations. A. Datum has recently deployed a Windows Server 2012
  infrastructure with Windows 8 clients.
• You have been working for A. Datum for several years as a desktop
  support specialist. In this role, you visited desktop computers to
  troubleshoot application and network problems. You have recently
  accepted a promotion to the server support team. As a new member
  of the team you help to deploy and configure new servers and services
  into the existing infrastructure based on the instructions given to you
  by your IT manager.
• Your manager has given you some security-related settings that need
  to be implemented on all member servers. You also need to
  implement file system auditing for a file share used by the Marketing
  department. Finally, you need to implement auditing for domain
  logons.
Lab Review
• What happens if you configure the Computer
  Administrators group, but not the Domain Admins, to be
  a member of the Local Administrators group on all the
  computers in a domain?
• Why do you need to not allow local logon on some
  computers?
• What happens when an unauthorized user tries to
  access a folder that has auditing enabled for both
  successful and unsuccessful access?
• What happens when you configure auditing domain
  logons for both successful and unsuccessful logon
  attempts?
Lesson 3: Restricting Software
• What Are Software Restriction Policies?
• What Is AppLocker?
• AppLocker Rules
• Demonstration: Creating AppLocker Rules
What Are Software Restriction Policies?
SRPs allow administrators to identify which
applications are allowed to run on client computers
SRPs can be based on the following:
 • Hash
 • Certificate
 • Path
 • Zone
SRPs are applied through Group Policy
What Is AppLocker?
AppLocker applies Application Control Policies in Windows
Server 2012 and Windows 8
AppLocker contains new capabilities and extensions that
reduce administrative overhead and help administrators
control how users can access and use files, such as .exe
files, scripts, Windows Installer files (.msi and .msp files),
and DLLs
Benefits of AppLocker:
 • Controls how users can access and run all types of applications
 • Allows the definition of rules based on a wide variety of variables
 • Provides for importing and exporting entire AppLocker policies
AppLocker Rules
AppLocker defines rules based on file attributes such as:
 • Publisher name
 • Product name
 • File name
 • File version
Rule actions
 • Allow or Deny conditions
 • Enforce or Audit Only policies
Demonstration: Creating AppLocker Rules
In this demonstration, you will see how to:
• Create a GPO to enforce the default AppLocker
  Executable rules
• Apply the GPO to the domain
• Test the AppLocker rule
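The AppLocker rule types and actions above, and the demonstration's create-apply-test sequence, as an added example that is not course material. It derives Publisher rules (Hash for unsigned files) from a reference computer, sets the collection to Audit Only, tests a file, writes the policy into a GPO and reads the audit events. It runs elevated; the GPO name "AppLocker Policy", the inventory directory and the test file are placeholders.

```powershell
# Added example (not course material): build an AppLocker executable policy
# from a reference computer, switch it to Audit Only, test a file, deploy it
# to a GPO and read the audit events. GPO name and paths are placeholders.
Import-Module AppLocker, GroupPolicy
$PolicyXml = Join-Path $env:TEMP 'applocker-exe-audit.xml'

# 1. Inventory installed executables and let AppLocker generate Publisher rules
#    (Hash for unsigned files). Unlike path rules, these still match when the
#    folder is moved, which answers the Lab B review question.
$files  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 2. Set every rule collection to Audit Only before the first deployment.
[xml]$doc = $policy
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
$doc.Save($PolicyXml)

# 3. Dry run: what would the policy decide for a given file and user?
function Test-AppDecision {
    param([Parameter(Mandatory)][string]$Path, [string]$User = 'Everyone')
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
Test-AppDecision -Path 'C:\Tools\sample.exe'   # placeholder file

# 4. Write the policy into the GPO. Clients also need the Application Identity
#    service (AppIDSvc) running for any rule to take effect.
$gpo = Get-GPO -Name 'AppLocker Policy'
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap "LDAP://$($gpo.Path)"

# 5. On a client: 8003 = would have been blocked (audit), 8004 = blocked (enforce).
function Get-AppLockerAuditHits {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
                                     Id = 8003, 8004; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n='Detail'; e={ $_.Message.Split("`n")[0] }}
}
Get-AppLockerAuditHits | Format-Table -AutoSize
```

Running in Audit Only first and reviewing the 8003 events is what prevents an enforced policy from blocking a line-of-business application on day one; switching the EnforcementMode attribute to Enabled and re-running Set-AppLockerPolicy moves the same rules to enforcement.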
Lesson 4: Configuring Windows Firewall with
Advanced Security
• What Is Windows Firewall with Advanced Security?
• Discussion: Why Is a Host-Based Firewall Important?
• Firewall Profiles
• Connection Security Rules
• Deploying Firewall Rules
What Is Windows Firewall with Advanced Security?
Windows Firewall is a stateful, host-based firewall that allows
  or blocks network traffic according to its configuration
  • Supports filtering for both incoming and outgoing traffic
  • Used for advanced settings configuration
  • IPsec protection settings integrated into Windows Firewall
  • Allows rule configuration for various criteria
  • Provides network location-aware profiles
  • Can import or export policies
(Diagram: a Windows Server 2008 computer between the Internet and the LAN;
its firewall rules control inbound and outbound traffic.)
Discussion: Why Is a Host-Based Firewall Important?
• Why is it important to use a host-based firewall
 such as Windows Firewall with Advanced
 Security?
Firewall Profiles
Firewall profiles are a set of configuration settings that apply
to a particular network type
The firewall profiles are:
  • Domain
  • Public
  • Private
Windows Server 2012 introduces the ability to have
multiple active firewall profiles
Connection Security Rules
  Connection security rules:
   • Authenticate two computers before they
     begin communications
   • Secure information being sent between
     two computers
   • Use key exchange, authentication, data integrity,
     and data encryption (optionally)
 How firewall rules and connection rules are
 related:
   • Firewall rules allow traffic through, but do not
     secure that traffic
   • Connection security rules can secure the traffic,
     but only if a firewall rule was previously configured
Deploying Firewall Rules
  You can deploy Windows Firewall rules:
    • By using Windows Firewall with Advanced Security
    • By using Group Policy
    • By exporting and importing firewall rules
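Deploying rules by Group Policy, with the profile settings, a firewall rule and a connection security rule from the preceding slides, as an added example that is not course material. It uses the NetSecurity cmdlets against a GPO session so that one save writes all changes; it assumes the GPO "Web Servers Firewall" already exists in adatum.com and is linked to the web servers, and the ports and the admin subnet are placeholders for the Lab B scenario.

```powershell
# Added example (not course material): author Windows Firewall with Advanced
# Security settings in a GPO so they deploy to the member servers linked to it.
# Assumptions: GPO "Web Servers Firewall" exists in adatum.com; ports and the
# admin subnet are placeholders.
Import-Module NetSecurity
$Store = 'adatum.com\Web Servers Firewall'   # <domain>\<GPO name>

# Open the GPO once, make every change against the session, save once.
$gpo = Open-NetGPO -PolicyStore $Store

# Profiles: firewall on for every network location, inbound blocked by default,
# outbound allowed, dropped packets logged for later investigation.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Inbound rule for the web application: only the ports it needs, only on the
# Domain profile. The application's documentation is the source for the ports
# (the Lab B review question).
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Allow Web App (TCP 80,443)' `
    -Direction Inbound -Protocol TCP -LocalPort 80, 443 -Action Allow `
    -Profile Domain -Enabled True | Out-Null

# Connection security rule: require IPsec authentication for inbound traffic
# from the admin subnet. A firewall rule lets the traffic in; this rule secures
# it, and both are needed, as the slide on connection security rules notes.
New-NetIPsecRule -GPOSession $gpo -DisplayName 'Require authentication from admin subnet' `
    -InboundSecurity Require -OutboundSecurity Request `
    -RemoteAddress '10.10.0.0/24' -Profile Domain -Enabled True | Out-Null

Save-NetGPO -GPOSession $gpo

function Get-GpoFirewallSummary {
    # What the GPO now carries; Get-NetFirewallRule -PolicyStore reads it directly.
    param([Parameter(Mandatory)][string]$PolicyStore)
    [pscustomobject]@{
        Profiles      = Get-NetFirewallProfile -PolicyStore $PolicyStore |
                            Select-Object Name, Enabled, DefaultInboundAction, LogBlocked
        FirewallRules = Get-NetFirewallRule -PolicyStore $PolicyStore |
                            Select-Object DisplayName, Direction, Action, Profile, Enabled
        IPsecRules    = Get-NetIPsecRule -PolicyStore $PolicyStore |
                            Select-Object DisplayName, InboundSecurity, OutboundSecurity
    }
}
Get-GpoFirewallSummary -PolicyStore $Store | Format-List
```

The third deployment option on the slide, export and import, corresponds to netsh advfirewall export and import of a .wfw file, or to the Export Policy action in the console; the GPO path above is preferable for member servers because the settings are reapplied on every policy refresh.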
Lab B: Configuring AppLocker and Windows Firewall
• Exercise 1: Configuring AppLocker® Policies
• Exercise 2: Configuring Windows Firewall
Logon Information
Virtual Machine          20417A-LON-DC1
                         20417A-LON-SVR1
                         20417A-LON-CL1
User Name                Adatum\Administrator
Password                 Pa$$w0rd
Estimated time: 60 minutes
Lab Scenario
• A. Datum is a global engineering and manufacturing company with a
  head office based in London, England. An IT office and a data center
  are located in London to support the London location and other
  locations. A. Datum has recently deployed a Windows Server 2012
  infrastructure with Windows 8 clients.
• You have been working for A. Datum for several years as a desktop
  support specialist. In this role, you visited desktop computers to
  troubleshoot application and network problems. You have recently
  accepted a promotion to the server support team. As a new member
  of the team, you help to deploy and configure new servers and
  services into the existing infrastructure based on the instructions given
  to you by your IT manager.
• Your manager has asked you to implement AppLocker to restrict non-
  standard applications from running. He also has asked you to create
  new Windows Firewall rules for any member servers running web-
  based applications.
Lab Review
• You configured an AppLocker rule based on a
  software path. How can you prevent users from
  running the software if they move the folder that
  contains the software?
• You would like to introduce a new application that
  requires that specific ports are used. What
  information do you need to configure Windows
  Firewall with Advanced Security, and from what
  source can you get it?
Module Review and Takeaways
• Review Questions
• Common Issues and Troubleshooting Tips
• Tools
Microsoft Official Course®
Module 13
Implementing Server Virtualization with Hyper-V
Module Overview
• Overview of Virtualization Technologies
• Implementing Hyper-V
• Managing Virtual Machine Storage
• Managing Virtual Networks
Lesson 1: Overview of Virtualization Technologies
• Server Virtualization with Hyper-V
• What Is Windows Azure?
• Desktop Virtualization
• Presentation Virtualization
• Application Virtualization
Server Virtualization with Hyper-V
 Benefits of server virtualization with Hyper-V:
 • Invisible to users
 • Guest machines can use different operating
   systems
 • More efficient use of hardware
 • Service and application isolation
 • Workload consolidation
 • Simplifies server deployment
     • virtual machine templates
     • virtual machine self-service portals
What Is Windows Azure?
• Windows Azure is a cloud-based platform for
  hosting virtual machines and applications
• You pay only for the resources that you use
• You can increase and decrease capacity
  automatically and swiftly
• You can use Windows Azure to:
  • host websites
  • host production applications
  • host virtual machines
  • test proof-of-concept solutions
Desktop Virtualization
Desktop virtualization includes the following
technologies:
• Client (Local) Hyper-V
• MED-V
• VDI
Presentation Virtualization
Differences between desktop virtualization and presentation virtualization
  Desktop virtualization                  Presentation virtualization
  Users are assigned their own virtual    Users log on and run separate
  machines that are running a client      sessions on the server
  operating system
  The desktop and applications run        The desktop and applications
  within virtual machines                 run on the host server
 Presentation virtualization technologies include:
 • Remote Desktop Services
 • Full Desktop with RDC
 • Application using RemoteApp
 • Remote Access through Remote Desktop Gateway
Application Virtualization
 Benefits of App-V
   Application isolation
    • Applications that are not compatible with the
      server’s operating system or with one another can
      be run on the same server
   Application streaming
   • Application deployment is quicker because only those
     parts of the application that are being used are
     transmitted across the network to the client computer
   Application portability
   • Applications can follow users across multiple
     computers, without requiring a traditional installation
     on those client computers
Lesson 2: Implementing Hyper-V
• About Hyper-V
• Hardware Requirements for Hyper-V
• Virtual Machine Hardware
• Configuring Dynamic Memory
• Configuring Virtual Machine Integration Services
• Configuring Virtual Machine Start and Stop Actions
• Hyper-V Resource Metering
About Hyper-V
   Hyper-V
   • Is the hardware virtualization role in Windows Server 2012
   • Gives virtual machine guests direct access to the host's
     hardware
   Terminology
   • Server also known as parent partition
   • Virtual machines also known as child partitions
   Compatible server operating systems
   • Windows Server 2012 Full GUI
   • Windows Server 2012 Server Core
   • Windows Server 2012 Server Hyper Core
Hardware Requirements for Hyper-V
 Factors to consider when planning hardware for servers
 running Hyper-V:
 • Processor characteristics
    • Must have an x64 platform that supports SLAT and
      Data Execution
 • Processing capacity
 • Memory
 • Storage subsystem performance
 • Network throughput (typically multiple NICs)
Virtual Machine Hardware
 Virtual machines have the following simulated hardware by default:
 • BIOS
 • Memory
 • Processor
 • IDE Controller 0
 • IDE Controller 1
 • SCSI Controller
 • Synthetic Network Adapter
 • COM 1
 • COM 2
 • Diskette Drive
 You can add the following hardware to a virtual machine:
 • SCSI Controller (up to 4)
 • Network Adapter
 • Legacy Network Adapter
 • Fibre Channel adapter
 • RemoteFX 3D video adapter
Configuring Dynamic Memory
 Dynamic memory settings for a virtual machine:
 • Startup RAM
 • Dynamic Memory
    • Minimum RAM
    • Maximum RAM
    • Memory buffer
 • Memory weight
Configuring Virtual Machine Integration Services
 Possible integration services:
  • Operating system shutdown
  • Time synchronization
  • Data exchange
  • Heartbeat
  • Backup (volume snapshot)
Configuring Virtual Machine Start and Stop Actions
Possible automatic start actions:
  • Nothing
  • Automatically start if it was running when the service stopped
  • Always start this virtual machine automatically
Possible automatic stop actions:
  • Save the virtual machine state
  • Turn off the virtual machine
  • Shut down the guest operating system
Hyper-V Resource Metering
Parameters that you can measure with resource
metering:
• Average CPU use
• Average physical memory use, including:
   • Minimum memory use
   • Maximum memory use
• Maximum disk space allocation
• Incoming network traffic for a network adapter
• Outgoing network traffic for a network adapter
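The four configuration topics of this lesson (dynamic memory, integration services, start and stop actions, resource metering) applied to one virtual machine, as an added example that is not course material. It runs elevated on a Windows Server 2012 Hyper-V host; the VM name, storage path, sizes and the virtual switch name are placeholders.

```powershell
# Added example (not course material): create a VM and apply this lesson's
# settings: dynamic memory, integration services, automatic start/stop actions
# and resource metering. Run elevated on the host; names and sizes are placeholders.
Import-Module Hyper-V
$Name   = 'LON-BR1'          # placeholder branch office VM
$VmPath = 'D:\VMs'           # placeholder storage root
$Switch = 'External-Branch'  # placeholder virtual switch

if (-not (Get-VM -Name $Name -ErrorAction SilentlyContinue)) {
    New-VM -Name $Name -MemoryStartupBytes 1GB -Path $VmPath -SwitchName $Switch `
        -NewVHDPath (Join-Path $VmPath "$Name\$Name.vhdx") -NewVHDSizeBytes 60GB | Out-Null
}

# Dynamic memory: Startup RAM, Minimum/Maximum RAM, Memory buffer (%) and
# Memory weight (Priority, 0-100) are the fields shown on the slide above.
Set-VMMemory -VMName $Name -DynamicMemoryEnabled $true -StartupBytes 1GB `
    -MinimumBytes 512MB -MaximumBytes 4GB -Buffer 20 -Priority 50

# Integration services: keep shutdown, heartbeat, data exchange and backup; turn
# off time synchronization for a guest that should take its time from the domain.
Enable-VMIntegrationService -VMName $Name -Name 'Shutdown', 'Heartbeat', 'Key-Value Pair Exchange', 'VSS'
Disable-VMIntegrationService -VMName $Name -Name 'Time Synchronization'

# Start/stop actions: restart only if it was running when the service stopped,
# staggered by 30 s; save state (rather than turn off) when the host shuts down.
Set-VM -Name $Name -AutomaticStartAction StartIfRunning -AutomaticStartDelay 30 `
    -AutomaticStopAction Save

# Resource metering accumulates from now until Reset-VMResourceMetering is run.
Enable-VMResourceMetering -VMName $Name

function Get-VmUsageSummary {
    # The metrics listed on the slide, read with Measure-VM.
    param([Parameter(Mandatory)][string]$VMName)
    $m   = Measure-VM -VMName $VMName
    $net = $m.NetworkMeteredTrafficReport
    [pscustomobject]@{
        VM          = $m.VMName
        AvgCpuMHz   = $m.AverageProcessorUsage
        AvgRamMB    = $m.AverageMemoryUsage
        MinRamMB    = $m.MinimumMemoryUsage
        MaxRamMB    = $m.MaximumMemoryUsage
        DiskAllocMB = $m.TotalDiskAllocation
        NetInMB     = ($net | Where-Object Direction -eq 'Inbound'  | Measure-Object TotalTraffic -Sum).Sum
        NetOutMB    = ($net | Where-Object Direction -eq 'Outbound' | Measure-Object TotalTraffic -Sum).Sum
    }
}

Start-VM -Name $Name
Get-VmUsageSummary -VMName $Name | Format-List
```

Resource metering survives reboots and migrations of the VM, so a summary taken at the end of a billing or capacity period reflects the whole period; the numbers only return to zero when Reset-VMResourceMetering is called.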
Lesson 3: Managing Virtual Machine Storage
• What Is a Virtual Hard Disk?
• Creating Virtual Disk Types
• Managing Virtual Hard Disks
• Reducing Storage Needs with Differencing Disks
• Using Snapshots
What Is a Virtual Hard Disk?
  A virtual hard disk is a special file format that
  represents a traditional hard disk drive
  VHDX format has the following benefits over the VHD
  format:
  • The disks can be larger (64 TB versus 2 TB)
  • The disk is less likely to become corrupt
  • The format supports better alignment when deployed to a large
    sector disk
  • It allows larger block size for dynamic and differencing disks
Creating Virtual Disk Types
     Dynamically expanding virtual hard disks
     Fixed-size virtual hard disks
     Pass-through disks
     Differencing virtual hard disks
     (These will be discussed later in this lesson)
Managing Virtual Hard Disks
 Possible maintenance operations on virtual hard
 disks:
   • Convert from fixed to dynamic
   • Convert from dynamic to fixed
   • Convert from VHD to VHDX format
   • Convert from VHDX to VHD format
   • Shrink a dynamic virtual hard disk
   • Expand a dynamic or fixed virtual hard disk
Reducing Storage Needs with Differencing Disks
• Differencing disks reduce space used by storage
  at the cost of performance
• You can link multiple differencing disks to a
  single parent disk
• You cannot modify the parent disk
• You can use Inspect Disk tool to reconnect a
  differencing disk to a missing parent
Virtual Machine Snapshots
• Point-in-time copy of a virtual machine
• Does not affect running state of a virtual machine
• Snapshot files:
   • Virtual machine configuration .xml file
   • Saved-state files
   • Differencing disk (.avhd)
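Differencing disks and snapshots both rely on a parent disk that must not change, which is what the checks in the following added example (not course material) are about: it builds a parent/child chain, verifies the chain, shows the reconnect operation the Inspect Disk tool performs, and takes a snapshot. It runs on the Hyper-V host; the base image path, the child disk and the VM name are placeholders.

```powershell
# Added example (not course material): a parent/child differencing disk chain,
# chain verification, and a VM snapshot. Run on the host; paths are placeholders.
Import-Module Hyper-V
$Parent = 'D:\VHD\Base-WS2012.vhdx'    # placeholder generalized base image
$Child  = 'D:\VHD\LON-BR1-diff.vhdx'   # placeholder differencing disk
$VM     = 'LON-BR1'                    # placeholder VM using the child disk

# Mark the parent read-only at the file level: any write to it invalidates
# every differencing disk that depends on it.
Set-ItemProperty -Path $Parent -Name IsReadOnly -Value $true

# A differencing disk stores only the blocks that differ from the parent, which
# is where the space saving (and the extra read hop) comes from.
if (-not (Test-Path $Child)) {
    New-VHD -Path $Child -ParentPath $Parent -Differencing | Out-Null
}

function Test-VhdChain {
    # Type, format, parent and whether the parent can still be found.
    param([Parameter(Mandatory)][string]$Path)
    $v = Get-VHD -Path $Path
    [pscustomobject]@{
        Path        = $v.Path
        Type        = $v.VhdType
        Format      = $v.VhdFormat
        ParentPath  = $v.ParentPath
        ParentFound = if ($v.ParentPath) { Test-Path $v.ParentPath } else { $true }
        FileSizeMB  = [math]::Round($v.FileSize / 1MB)
        MaxSizeGB   = [math]::Round($v.Size / 1GB)
    }
}
Test-VhdChain -Path $Child

# Reconnecting a child to a parent that was moved (the GUI's Inspect Disk
# repair); the id check must be skipped when the parent was copied:
#   Set-VHD -Path $Child -ParentPath 'E:\VHD\Base-WS2012.vhdx' -IgnoreIdMismatch
# Converting a legacy parent to VHDX before building chains on it:
#   Convert-VHD -Path 'D:\VHD\Base.vhd' -DestinationPath $Parent -VHDType Dynamic

# Snapshot: a point-in-time copy taken while the VM keeps running. Hyper-V
# writes a new differencing disk (.avhdx for VHDX) plus the configuration and
# saved-state files listed on the slide.
Checkpoint-VM -Name $VM -SnapshotName ('Before-update-{0:yyyyMMdd-HHmm}' -f (Get-Date))
Get-VMSnapshot -VMName $VM | Select-Object Name, CreationTime, ParentSnapshotName

# Roll back or clean up later:
#   Restore-VMSnapshot -VMName $VM -Name '<snapshot name>' -Confirm:$false
#   Remove-VMSnapshot  -VMName $VM -Name '<snapshot name>'   # merges the .avhdx back
```

A snapshot is itself a differencing chain, so every snapshot left in place adds a read hop and a file whose parent must remain intact; removing snapshots merges them back and is part of normal maintenance rather than an optional clean-up.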
Lesson 4: Managing Virtual Networks
• What Is a Virtual Switch?
• Hyper-V Network Virtualization
• Managing Virtual Machine MAC Addresses
• Configuring Virtual Network Adapters
What Is a Virtual Switch?
  Hyper-V on Windows Server 2012 supports three different types of
  virtual switches:
  External
   Used to map a network to a specific network adapter or network
   adapter team
  Internal
    Used to communicate between the virtual machines on the host and
    between the virtual machines and the host itself
  Private
   Used to communicate between virtual machines, not between the
   virtual machines and the host itself
  VLAN IDs
   Used to extend VLANs within the host's network switch to VLANS on
   the external network
Hyper-V Network Virtualization
(Diagram: a Blue virtual machine and a Red virtual machine share one physical
server; a Blue network and a Red network share one physical network of
top-of-rack switches and servers.)
Server virtualization
• Run multiple virtual servers on a physical server
• Each virtual server operates as if it is running as a physical server
Network virtualization
• Run multiple virtual networks on a physical network
• Each virtual network operates as if it is running as a physical network
Managing Virtual Machine MAC Addresses
Configuring Virtual Network Adapters
Properties of a network adapter:
• Virtual Switch
• VLAN ID
• Bandwidth Management
Advanced features of a network adapter:
• MAC address allocation
• DHCP Guard
• Router Guard
• Port Mirroring
• NIC Teaming
Hardware acceleration features of synthetic network adapters
• Virtual Machine Queue
• IPsec task offloading
• SR-IOV
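The switch types from "What Is a Virtual Switch?" and the adapter properties and advanced features listed above, applied to one virtual machine, as an added example that is not course material. It runs elevated on the Hyper-V host with the VM turned off; the VM, switch and physical NIC names, the VLAN ID, the MAC address and the bandwidth cap are placeholders.

```powershell
# Added example (not course material): create virtual switches and lock down a
# VM's network adapter (VLAN ID, bandwidth management, MAC address allocation,
# DHCP Guard, Router Guard, port mirroring). Run on the host with the VM off;
# all names and values are placeholders.
Import-Module Hyper-V
$VM = 'LON-BR1'

# External switch: maps VMs onto the physical NIC "Ethernet"; the management OS
# keeps its own connection. Private switch: VM-to-VM only, the host is excluded.
if (-not (Get-VMSwitch -Name 'External-Branch' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'External-Branch' -NetAdapterName 'Ethernet' -AllowManagementOS $true | Out-Null
}
if (-not (Get-VMSwitch -Name 'Private-Lab' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'Private-Lab' -SwitchType Private | Out-Null
}

# Attach the VM's first adapter to the external switch and place it in VLAN 20.
$nic = Get-VMNetworkAdapter -VMName $VM | Select-Object -First 1
Connect-VMNetworkAdapter -VMNetworkAdapter $nic -SwitchName 'External-Branch'
Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Access -VlanId 20

# Guest-side protections: drop DHCP server replies and router advertisements
# coming out of the VM, reject frames with a forged source MAC, pin a static MAC
# from the Hyper-V 00-15-5D range, and cap the adapter at 200 Mbit/s so one VM
# cannot consume all of the host's bandwidth (the lab review question).
Set-VMNetworkAdapter -VMNetworkAdapter $nic -DhcpGuard On -RouterGuard On `
    -MacAddressSpoofing Off -StaticMacAddress '00155D010A01' -MaximumBandwidth 200000000

# Port mirroring sends a copy of this adapter's traffic to a monitoring VM:
#   Set-VMNetworkAdapter -VMNetworkAdapter $nic -PortMirroring Source
#   Set-VMNetworkAdapter -VMName 'LON-IDS' -PortMirroring Destination   # placeholder sensor VM

function Get-VmNicHardening {
    # Reports the settings above for every adapter of a VM.
    param([Parameter(Mandatory)][string]$VMName)
    Get-VMNetworkAdapter -VMName $VMName | ForEach-Object {
        [pscustomobject]@{
            VM          = $_.VMName
            Switch      = $_.SwitchName
            MAC         = $_.MacAddress
            DynamicMac  = $_.DynamicMacAddressEnabled
            DhcpGuard   = $_.DhcpGuard
            RouterGuard = $_.RouterGuard
            MacSpoofing = $_.MacAddressSpoofing
            VlanId      = (Get-VMNetworkAdapterVlan -VMNetworkAdapter $_).AccessVlanId
            MaxMbps     = if ($_.BandwidthSetting) { $_.BandwidthSetting.MaximumBandwidth / 1e6 } else { 'unlimited' }
        }
    }
}
Get-VmNicHardening -VMName $VM | Format-List
```

DHCP Guard and Router Guard are the two settings worth enabling on every tenant or lab VM by default: a guest that starts a rogue DHCP server or advertises itself as a router affects every other VM on the same switch, and the guards block that at the virtual port without any configuration inside the guest.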
Lab: Implementing Server Virtualization with Hyper-V
• Exercise 1: Installing the Hyper-V Server Role
• Exercise 2: Configuring Virtual Networking
• Exercise 3: Creating and Configuring a Virtual Machine
• Exercise 4: Using Virtual Machine Snapshots
Logon Information
Virtual Machine         20410A-LON-HOST1
User Name               Administrator
Password                Pa$$w0rd
Estimated Time: 60 minutes
Lab Scenario
A. Datum Corporation has an IT office and data center in
London, which supports the London location and other
locations. A. Datum has recently deployed a Windows
Server 2012 infrastructure with Windows 8 clients. Your
assignment is to configure the infrastructure service for a
new branch office.
To more effectively use the server hardware that is currently
available at branch offices, your manager has decided that
all branch office servers will run as virtual machines. You
must now configure a virtual network and a new virtual
machine for these branch offices.
Lab Review
• What type of virtual network switch would you create if you wanted to
  allow the virtual machine to communicate with the local area network
  connected to the Hyper-V host?
• How can you ensure that no one single virtual machine uses all available
  bandwidth provided by the Hyper-V host?
• What dynamic memory configuration task can you perform on a virtual
  machine hosted on Hyper-V 3.0 that was not possible on Hyper-V 2.0?
Module Review and Takeaways
• Review Questions
• Common Issues and Troubleshooting Tips
• Best Practices
• Tools
Course Evaluation